Type-Theoretic Methodology for Practical Programming Languages

TYPETHEORETIC METHODOLOGY FOR PRACTICAL

PROGRAMMING LANGUAGES

A Dissertation

Presented to the Faculty of the Graduate Scho ol

of Cornell University

in Partial Fulllmentofthe Requirements for the Degree of

Do ctor of Philosophy

Karl Fredrick Crary August

Karl Fredrick Crary

TYPETHEORETIC METHODOLOGY FOR PRACTICAL PROGRAMMING

LANGUAGES

Karl FredrickCrary PhD

Cornell University

The signicance of typ e theory to the theory of programming languages has long been recog

nized Advances in programming languages have often derived from understanding that stems

from typ e theory However these applications of typ e theory to practical programming lan

guages have b een indirect the dierences between practical languages and typ e theory have

prevented direct connections b etween the two

This dissertation presents systematic techniques directly relating practical programming

languages to typ e theory These techniques allow programming languages to b e interpreted in

h mathematical domain of typ e theory Suchinterpretations lead to semantics that are the ric

at once denotational and op erational combining the advantages of each and they also lay the

foundation for formal verication of computer programs in typ e theory

Previous typ e theories either have not provided adequate expressiveness to interpret prac

tical languages or haveprovided such expressiveness at the exp ense of essential features of the

typ e theory In particular no previous typ e theory has supp orted a notion of partial functions

needed to interpret recursion in practical languages and a notion of total functions and ob

jects needed to reason ab out data values and an intrinsic notion of equality needed for most

interesting results This dissertation presents the rst typ e theory incorp orating all three and

discusses issues arising in the design of that typ e theory

This typ e theory is used as the target of a typ etheoretic semantics for a expressive pro

gramming calculus This calculus may serveasaninternal language for a variety of functional

stated as a syntaxdirected emb edding of the pro programming languages The semantics is

gramming calculus into typ e theory

A critical p oint arising in b oth the typ e theory and the typ etheoretic semantics is the issue

of admissibility Admissibilitygoverns what typ es it is legal to form recursive functions over To

build a useful typ e theory for partial functions it is necessary to have a wide class of admissible

typ es In particular it is necessary for all the typ es arising in the typ etheoretic semantics to

be admissible In this dissertation I present a class of admissible typ es that is considerably

wider than any previously known class

Biographical Sketch

Karl Crary was born in Madison Wisconsin in In he moved with his family to

Seattle Washington where he grew up He started college at Carnegie Mellon University in

and earned bachelors degrees in Computer Science and Economics in He then

b egan graduate scho ol at Cornell University where he remained until iii

Acknowledgements

I wish to thank my parents Fred and Betsy for their constant love and supp ort throughout

my childho o d and adultho o d More than anyone else they have shap ed the way I see and

think ab out the world Iwant to thank Ross Willard for intro ducing me to logic and mo dern

mathematics and John Reynolds for intro ducing me to the world of typ e theory I also am

very grateful to Rob ert Harp er for serving as my undergraduate thesis advisor for teaching me

so much and for all his encouragement while I was his student and continuing even to day

Particular thanks go to Rob ert Constable my graduate advisor and to Greg Morrisett

The least they did was to teach me most of the material on which this dissertation and the

rest of mywork is based More imp ortantly they were a constant source of ideas sound advice

and encouragement I also wish to thanks Dexter Kozen for all his help and inuence

I also wish to thank all the many teachers family and friends who help ed me get where I

am to day and who made it pleasant getting here Finally I want to thank Go d for creating

the world and for showing me the life b eyond iv

Table of Contents

Intro duction

The KML Programming Language

Features

Comparison

The Role of Typ e Theory in the Design

Principals

Typ e Theory

LambdaK

Overview

Lamb daK

The Core Calculus

The Mo dule Calculus

Static Semantics

Design Issues

The Phase Distinction

Top and Bottom Typ es

Typ eTheoretic Semantics

A Computational Denotational Semantics

The Language of Typ e Theory

Domain and Category Theory

ATyp eTheoretic Semantics

Basic Emb edding

Emb edding Recursion

Emb edding Kinds

Emb edding Mo dules

Prop erties of the Emb edding

Prosp ects for Extension

Conclusions

Foundational Typ e Theory

Nuprl

Basic Typ es and Op erators

EqualityandWellformedness

Prop ositions as Typ es

Equality Subtyping and Inequality v

Constructivity

Constructing New Typ es using Logic

Computation

P artial Typ es

Sequents and Pro of

Functionality

ExtractStyle Pro of

Issues in Partial Ob ject Typ e Theory

Partial Computation

Computation in ActivePositions

Fixp oint Induction

Computational Induction

Other Contributions

Semantics

Typ e Semantics

Judgement Semantics

Classical Reasoning

Admissibility

The Fixp oint Principle

Computational Lemmas

Computational Approximation

Finite Approximations

Least Upp er Bound Theorem

Admissibility

PredicateAdmissibility

Monotonicity

Set and QuotientTyp es

Summary

Conclusions

Conclusion

A Lamb daK Typing Rules

B Nuprl Pro of Rules

C Pro ofs

Bibliography vi

List of Figures

Lamb daK Syntax

Lamb daK Shorthand

Higher Order Power and Singleton Kinds

ATypical Mo dule Enco ding

Typ e Theory Syntax

The Typ e Triangle

Emb edding Kinds and Typ es

Emb edding Terms

Emb edding Signatures

Emb edding Mo dules

Basic Nuprl Typ es

Derived Forms

Op erational Semantics for Nuprl

Primitive Nuprl Typ es

Typ e Sp ecications

Typ e Denitions Data Typ es

Typ e Denitions Assertions

Typ e Denitions Set and Quotient

Admissibility coadmissibility and monotonicity conditions vii

Chapter

Intro duction

The distance between theory and practice is shorter in theory than in practice

Unknown

The development of practical programming languages has lagged far b ehind the stateofthe

art of theoretical programming language study Examples ab ound of programming language

techniques and metho ds that havebeenwell known and understo o d for years but still haveyet

to app ear in any practical programming system This can be frustrating to the programming

language theoretician who also writes co de and that frustration is not diminished by the

knowledge that the gap b etween theory and practice is common to many if not most elds of

study

The main reason that the gap between theory and practice is often so wide is the issue

of elegance Programming languages can admit extremely elegant theoretical study This

elegance is partly resp onsible for the rapid progress of results in theoretical programming lan

guages and it is partly resp onsible for the attractiveness of programming languages as a eld

of study However such elegance is usually achieved by abstracting away from the details of

real languagesdetails that are essential for real languages to b e usable

In my thesis research I set out to design and implement a practical programming language

to incorp orate unutilized developments in programming language theory The result was a

dialect of ML that came to be called KML Not surprisingly I was so on grappling with the

elegance gap b etween theory and practice To manage the complexity of a real system I allowed

typ e theory to drive the design That is I adopted the strategy of cho osing at every design

p oint an option that was easily represented and justied in an underlying foundation of typ e

theory

This strategy proved remarkably eective and resulted in a language design that was versa

tile and p owerful but also relatively simple However allowing typ e theory to drive the design

of KML paid another dividend which had wider applications than to the KML language alone

The typ etheoretic design of KML led me to explore not only how typ e theory can motivate

language design informally but also to explore how and why to draw formal connections

between practical programming languages and foundational typ e theory

This dissertation fo cuses on the latter asp ect of my thesis research formal connections

between practical programming languages and foundational typ e theory In this thesis we will

see various sp ecic applications of such connections but from a broader standp oint the aim

of the work I discuss here is to draw theory and practice closer together The constructs that

makeuptyp e theory are p owerful and uniform making it p ossible to reason ab out issues facing

real languages without sacricing elegance

The KML Programming Language

A complete discussion of the KML programming language is b eyond the scop e of this disserta

tion I give here a brief and informal intro duction to KML and its contributions

Features

The main ob jective of KML was rst to incorp orate into a practical dialect of the ML pro

gramming language a number of useful language features not present in preceding dialects of

ML while building the entire language on a solid theoretical foundation KML is structured to

greatly resemble Standard ML for the most part Standard ML is a strict subset of KML The

dierences b etween KML and Standard ML lie in the way KML is sp ecied and in the addi

tional language features supp orted byKMLob jectoriented programming subtyping a more

expressive mo dule system and rstclass p olymorphism These features are chosen b ecause they

can assist in a real and practical way with the task of programming

A KML compiler is implemented that consists of a KMLsp ecic front end which compiles

KML to an intermediate language based on the p olymorphic lamb da calculus and a back end

that compiles that intermediate language to Typ ed Assembly Language

At the time of this writing the design of KML is substantially complete but is still changing

in a number of areas Therefore the reader should take the following descriptions of KMLs

features as tentative

Ob jects Ob jectoriented programming is supp orted in KML through a primitive ob ject cal

culus that is substantially similar to that of Abadi and Cardelli Ob jects are seen as

collections of metho d functions each of whichtakes the entire ob ject as an argument and com

putes a result A metho ds results may b e a new ob ject of the same typ e such results are

usually pro duced by up dating one of the elds of the ob ject with a new metho d implementation

In the present design primitive ob jects are the extent of the supp ort for ob jectoriented

programming From primitive ob jects it is p ossible to co de more complicated artices like

classes and inheritance I plan builtin syntactic supp ort for classes and inheritance in a future

version of the design

Subtyping The KML typ e system completely integrates supp ort for subtyping Subtyping

arises by dropping metho ds from ob jects and elds from records and also from stated deni

tions Denitional subtyping happ ens in b ounded quantication where co de is written to be

p olymorphic over all typ es that are subtyp es of a given typ e and in abstract subtyping where

a typ e in a mo dule is sp ecied to be a subtyp e of some other typ e KML allows unrestricted

subsumption that is a memberofasubtyp e may always b e used in place of a memb er of the

sup ertyp e without any mediating syntax such as a co ercion

Expressive Mo dules The KML mo dule system builds on the mo dule system of Standard

ML with two main enhancements The rst is higherorder functors While Standard ML

functors may take and return only structures the KML mo dule system allows functors to take

other functors as arguments and return functors as results Th us the KML mo dule system is

fully featured typ ed lamb da calculus

The second enhancement is to allowtyp e denitions in signatures Allowing typ e denitions

in signatures combined with a typ e system that leaks no typ e information in the absence of

such denitions allows socalled translucent mo dules mo dules that leak exactly the desired

amount of typ e information Translucent mo dules allow the greatest amount of abstraction

p ossible in a system while still p ermitting enough leakage to link mo dules together

FirstClass Polymorphism Most dialects of ML including Standard ML restrict p olymor

phic terms so that they cannot b e placed into data structures passed to functions or returned

by functions Formally this restriction stems from a prenex restriction on quantied typ es

quantiers must app ear all the way out which means that quantied typ es cannot makeupa

comp onentofany larger typ e Thus p olymorphic values are not rst class they must always

be instantiated b efore they may be used In contrast p olymorphic values in KML are rst

class they may b e arguments or results of functions and may b e stored in data structures

KML also p ermits p olymorphic recursion where a p olymorphic function calls itself

recursively with a dierent typ e argument Polymorphic recursion is necessary to make go o d

use of rstclass p olymorphism otherwise all typ e arguments are statically predetermined but

it is also useful in other contexts

Comparison

During the time I was developing KML Xavier Leroy and his colleagues released the Ob jective

CAML system Ob jective CAML shares many of the same goals as KML in particular

the goals of providing supp ort for ob jectoriented programming and a more expressive mo dule

system However Ob jective CAML do es not supp ort rstclass p olymorphism and p ossesses

no formal semantics or denition

The greatest similarity between KML and Ob jective CAML lies in the mo dule systems

which provide almost identical expressiveness despite various technical dierences A greater

contrast exists in the ob ject system The ob ject system of KML is derived from the ob ject

calculus of Crary whichderives its lineage from the ob ject systems of Abadi and Cardelli

and their predecessors In contrast the ob ject system of Ob jective CAML is based on the

ob ject system of Remy and Vouillon which derives its lineage from the record extension

calculi of Remy

The greatest practical dierence b etween the ob ject systems of KML and Ob jective CAML

lies in supp ort for subtyping Unlike KML Ob jectiveCAMLprovides no automatic subsump

tion ob jects must b e co erced to sup ertyp es by an explicit co ercion However by abandoning

subtyping with subsumption Ob jective CAML is able to enjoy feasible typ e inference which

yping is prohibitively dicult for KML Moreover in many cases the practical b enets of subt

are obtained in Ob jective CAML by quantication over rowvariables that extend ob ject typ es

to unsp ecied sup ertyp es details app ear in RemyandVouillon and Leroy

The Role of Typ e Theory in the Design

In order to pro duce an elegant and coherent design for KML Iallowed typ etheoretic consid

erations to drive the design In order to convey the avor of this interaction I briey describ e

two design p oints that were informed bytyp e theory

In a mo dule calculus one imp ortant issue to settle is the equational theory under what

circumstances are mo dules and comp onents of mo dules considered equal to others The de

nition of Standard ML employed a system of unique stamps to dictate when two mo dules

were considered equal This system b ecomes even more involved when extended to higherorder

mo dules In KML I simplied the equational theory by eliminating equality of mo dules

in favor of equality of the typ es that make up those mo dules a similar choice was made for

Standard ML Revised and then ruling that typ es are equal exactly when equivalence

maybeproven from stated typ e denitions in a logic of typ es Leroy made a similar decision

in the design of the Ob jective CAML mo dule system

Another key design p oint was what form supp ort for ob jectoriented programming should

take Rather than b egin with a source level system of ob jects or classes I fo cused on the typ e

theoretic interpretation of ob jects With an theory of ob jects in hand I worked backwards

to the KML ob ject calculus The result was an ob ject system with comparable p ower to that

of Abadi and Cardelli but with a simpler theory and a more ecient implementation

Details app ear in Crary

Principals

Typ e Theory

One may view foundational typ e theory as b eing at its core atyp ed functional programming

language with a very rich typ e system That typ e system is capable of expressing complex

relationships b etween ob jects suciently complex that it may enco de almost any sentence

in logic and mathematics In this waytyp e theory mayserve as a foundation for mathematics

and computation

To some degree this view reects the bias of a computer scientist Typ e theory has b een

used as a foundation for mathematics since b efore the advent of mo dern computers for instance

Whitehead and Russells inuential treatise Principia Mathematica was a typ e theory

in some ways similar to the typ e theory of this dissertation Nevertheless typ e theory has b een

particularly successful as a foundation for computer science This is largely b ecause typ e theory

deals elegantly with structured data and computation the stu of computer science which

must b e painstakingly constructed in most other foundational frameworks

The particular typ e theory I use in this dissertation is a variant of the Nuprl typ e theory

Nuprl traces its lineage back to MartinLof s Intuitionistic Typ e Theory whichwas

rst intended to clarify the syntax and semantics of intuitionistic mathematics The Nuprl

typ e theory adapted Intuitionistic Typ e Theory as a foundation for computer programming by

simplifying its structure and adding a number of new typ e constructors Although my results

are stated in the context of the Nuprl typ e theorymyintention is that the metho dology b ehind

those results b e applicable to typ e theories in general

LambdaK

In order to manage the complexities of a real programming language KML is dened in terms

of a smaller internal language called Lamb daK provides all the expressiveness of the full

complex KML language but is considerably simpler and more elegant b ecause many of the

constructs of KML are broken up by the denition into simpler constructs in

The main thrust of this dissertation then is an exploration of how to draw formal connec

tions between the internal language and the Nuprl typ e theory These formal connections

then apply back to the highlevel language KML by way of its denition However I wish to

view the KML particulars as only a case study in the general metho dology I explore Similar

results can b e drawn for other languages for example Harp er and Stone giveaninterpre

tation of Standard ML in terms of an internal language very much like Thus with some

Standard ML as well Accordingly I do not minor mo dications my results would apply to

present the formal denition of KML in in this dissertation to do so would unduly fo cus

on the particulars and distract from the broader metho dology

The Nuprl typ e theory is predicative so in order to draw formal connections to Nuprl from

K K K

it is necessary for to be predicative as well However the used in dening KML

is not predicative Consequently in this dissertation I use a predicative variant of that

drops a number of features Recursive typ es stateful computation and ob jects all dep end on

impredicativity in some way and are regrettably omitted Restoring these is an imp ortant

avenue for future research and I discuss some p ossible ways it might b e done in Section

Overview

After this intro ductory chapter the technical material commences in Chapter with an ex

K K

position KMLs internal language In keeping with the view of as a case study that

chapter is brief The primary original contribution of is a mo dule calculus that combines

contributions from the translucent sums calculi of Harp er and Lillibridge and Leroy

the phasedistinction calculus of Harp er Mitchell and Moggi and the applicative functors

calculus of Leroy

Chapter b egins with an informal description of the Nuprl typ e theory and then con tinues

with an emb edding of into Nuprl the rst of the three main technical contributions of this

dissertation That emb edding provides a typ etheoretic semantics of and therebydraws a

sharp formal connection b etween KML and typ e theory I also discuss at length the applications

and some of the consequences of the semantics

In Chapter I discuss in detail myvariant of the Nuprl typ e theory the second main tech

nical contribution of this dissertation This typ e theory is the rst constructivetyp e theory to

include an intrinsic notion of equality and also to allow reasoning ab out b oth partial and total

functions All three notions are necessary to give an adequate account of practical program

ming languages partiality is clearly necessary for Turingcomplete languages and equalityand

totality are necessary to sayanything interesting ab out such languages once interpreted I also

discuss practical issues that arise when using a typ e theory incorp orating partiality FinallyI

give a rigorous semantics to the typ e theory and show its consistency

Central to the typ e theory is a xp oint rule for typing recursive functions However the

xp oint rule is not valid for recursive functions on every typ e Typ es for which the xp oint

rule is valid are known as admissible In Chapter I give general techniques for showing

typ es to be admissible the third main technical contribution of this dissertation Before this

work typ e theories incorp orating partiality were handicapp ed by a dearth of typ es known

metho d is a elegant least upp er b ound theorem for to be admissible A critical step in the

computational approximation with applications beyond the admissibility results to which I

apply it

Concluding remarks app ear in Chapter Following my concluding remarks the dissertation

closes with three app endices App endix A gives the complete typing rules for App endix

Bgives the complete inference rules for Nuprl pro ofs In the interest of readability throughout

the dissertation dicult pro ofs are removed to App endix C

Chapter

Lamb daK

The KML programming language provides a very expressive language for practical program

ming However exp erience with Standard ML has shown that although direct formal deni

tions of practical programming languages may be written those denitions are to o

unwieldy to be very useful except as a language sp ecication for compiler implementers and

are particularly impractical for theoretical study Simple languages are much more practical

for theoretical study and are useful in implementations as well The rst step of a compiler is

typically to elab orate the external language into a simpler intermediate language

In order to use a simpler and more manageable language than full KML in this thesis I

will be using a simple typ ed calculus called A framework that proved to be workable

was to augment the higherorder p olymorphic lamb da calculus F with p ower

and singleton kinds dep endent function and record kinds and strong sums This design is

discussed at length in this chapter

The syntax of is dened by the rules given in Figure and consists of ve syntactic

classes The class of terms contains the basic constructs of the p olymorphic lambda calculus

with records The class of type constructors which I will usually refer to as constructors

contains the typ es of wellformed terms and a lamb da calculus with records built over them for

computing typ es Typical typ e constructors are actual typ es suchasintegers or rstorder

typ e op erators such as lists The class of kinds then contains the typ es of typ e constructors

The two remaining classes modules and signatures contain the terms and typ es of s mo dule

system The static semantics of also uses contexts which assign kinds typ es and signatures

to constructor variables ranged over by term variables ranged over by x and mo dule

variables ranged over by s Figure contains several convenient abbreviations for use with

I consider two Throughout this thesis in any calculi with binding structure such as

expressions to b e identical if they dier only by alphavariation When two expressions e and

e are alphaequal I write e e Also the simultaneous captureavoiding substitution of

expressions e e for variables x x in e will b e denoted by ee e x x

n n n n

The Denition of Standard ML runs to pages and consists of rules plus many additional implied

rules for propagating exception packets and considerable supp orting machinery The revised Denition is

simpler but still runs to pages and rules

kinds Type j jf gjP c jS c

n n n i i

constructors c j c j c c jf c c gj c j c c j c c j

n n

c jf c c gjh c c ij ext m

n n n n

terms e x j xce j e e j e j ec jf e e gj e j inj e j

n n

case e x e x e j x e j ext m

n n n

signatures hijhhciij s jf s s g

n n n

modules m s jhcijhheiij sm j m m jf m m gj m j m

n n

contexts j j x c j s

Figure Lamb daK Syntax

def

fl ln g

n n

def

he e i fl e ln e g

n n

def

e e

def

hl ln i

n n

def

inj e inj e

i li

def

case e x e x e case e l x e ln x e

n n n n

where l l are distinguished lab els

Figure Lamb daK Shorthand

The Core Calculus

The typ e system of includes functions and records at the term and constructor levels and

p olymorphic functions at the term level using the standard notations Evaluation is intended

to be callbyvalue Records of terms record typ es and records of constructors that dier

only in eld order are considered identical The typ e of functions from to is denoted by

functions that return without computational eects are considered pure functions and

may b e given the pure function typ e for appropriate and The typ e system also

includes the lab elled disjoint union typ e denoted by h c c i memb ers of whichare

n n

y inj e and eliminated by case e x e x e As with records disjoint formed b

n n n

union typ es or case expressions that dier only in eld order are considered identical Recursive

functions are supp orted in the standard waybya x op erator The remaining construct ext m

deals with the mo dule calculus and is discussed in Section

A subtyping relation is dened over the typ es of Intuitively is a subtyp e of

denoted whenevery term b elonging to also b elongs to As usual functions are

contravariant on the left and covariant on the right records are covariant in the eld typ es and

subtyp es are pro duced by adding elds Pure function typ es are subtyp es of the corresp onding

function typ es

Kinds The kind level is more novel Ignoring the i annotations Type contains wellformed

typ es The power kind denoted by P for any typ e contains wellformed typ es that are

subtyp es of the given typ e The singleton kind denoted by S for any typ e contains

The level annotations i which are wellformed typ es that are equivalent to the given typ e

p ositiveintegers restrict the memb erships of these kinds The level of a kind or typ e is dened

to b e the highest level annotation app earing within it The kinds Type P andS contain

i i

def

Rc Type R c

def

Rc Rc

def

Rc f g f R c g

i i i i

R represents either P or S

Figure Higher Order Power and Singleton Kinds

only typ es with levels less than i Thus typ es b elonging to Type cannot contain quantify over

any nontrivial kinds and typ es b elonging to Type can only quantify over level kinds For

P c or S c the level of c must b e less than i

i i

This level annotation mechanism makes predicative which is necessary to p erform Chap

ter s emb edding into the predicativetyp e theory of Nuprl Since these annotations are tedious

to provide I discuss some alternatives in Section In a practical system based on this an

notation mechanism the system would have to infer level annotations for the user

The kind of functions mapping constructors of kind to constructors of kind may be

denoted but since constructors may app ear within kinds it is desirable to allow a more

precise characterization of such functions The kind includes all functions mapping

constructors to constructors where stands for the functions argumentandmay app ear

free in Such kinds are referred to as dependent function kinds since the result kind dep ends

on the argument For example a function with kind Type P when applied to anytyp e

returns a constructor of kind P that is a subtyp e of The independent function kind

is shorthand for when do es not app ear free in

Records of typ e constructors may also be given dep endent kinds The kind f

g contains all records f c c g such that each c has the

n n n n n i

corresp onding kind with the values of preceding elds substituted for the free variables

The external lab els ranged over by That is c must have kind c c

i i i i

must b e kept distinct from the internal binding o ccurrences b ecause variables must alphavary

but lab els must not This is discussed in greater length in Harp er and Lillibridge As a

shorthand I will often omit pronounced as alpha from a dep endent record kind when

do es not app ear free in the following kinds an independent record kind is one that contains

no internal binding o ccurrences at all I consider two dep endent record kinds to be identical

when they dier only in eld order so long as no eld is reordered to app ear after a eld that

dep ends up on it

Although p ower and singleton kinds are made using only typ es not higherorder construc

tors dep endent kinds may be used to build higherorder power and singleton kinds For

example the kind Type P list includes typ e constructors that are p ointwise subtyp es

of list Higherorder p ower and singleton kinds may b e generally dened as in Figure

Just as a subtyping relation was dened over the typ es a subkinding relation is dened over

the kinds This relation is denoted by when is a subkind of Function and record

kinds ob ey similar rules to the subtyping rules Additional subkinding relationships result from

level annotations Type Type and likewise for singleton and power kinds and from

i i

power and singleton kinds for any typ e S P Type and also P P

i i i i

when

These two names may b e burdensome for a programmer to supply so as a practical matter in KML it is

p ermitted to write one name for use as b oth the internal and the external name this p oses no problems so long

as it is p ossible to use separate names when they are needed

sig

tycon foo type

f foo s hType i

module S

fo o

S s

sig

f bar s hType i

tycon bar type

bar

baz s hS ext s ext s i

tycon baz foo bar

baz fo o bar

gnurf hhext s iig

val gnurf baz

baz

ig blap hhext s i

end

bar S

val blap Sbar

end

struct

tycon foo int int

module S

f foo hint int i

struct

tycon bar int

f bar hint i

tycon baz

baz hint int int i

int int int

gnurf hhf int int f iig

val gnurf

blap hhiig

fn f int int f

end

val blap

end

Figure ATypical Mo dule Enco ding

The Mo dule Calculus

Lamb daK mo dules form their own syntactic class and their typ es are called signatures which

also form their own syntactic class A primitive mo dule is either a single constructor hci or a

single term hheii If c has kind then hci has signature hi Likewise if e has typ e thenhheii

has signature hh ii

Mo dules are also formed using lamb daabstractions for functors and records for struc

tures Such mo dules may be given dep endent function signatures and dep endent record sig

natures that are precisely analogous to the dep endent function and dep endent record kind

discussed ab ove Data abstraction is achieved by forgetting typ e information using the con

struct m which co erces the mo dule m to have the signature if that signature is valid

for m any typ e information ab out m not reected in is forgotten As with the subtyping

and subkinding relations over the typ es and kinds the signatures haveasubsignature relation

which ob eys rules similar to the rules governing subtyping and subkinding

Mo dules are used within the core calculus by means of the extraction construct ext m for

hi then the constructor ext m has kind Likewise if m has mo dule m If m has signature

signature hh ii then the term ext m has typ e Exactly what mo dules are legal to extract

from is an issue that is discussed in Section

With the ab ove constructs it is easy to enco de highlevel KML mo dules A KML structure

is constructed by building a record out of its contents with every constructor eld encased in hi

and every term eld encased in hhii Figure shows the enco ding of atypical KML mo dule

with a substructure into Note the use of an internal and an external name in the enco ding

of the blap eld of the signature Functors and their signatures are enco ded using and in

the obvious manner

Since mo dules form their own syntactic class and are not reected directly into the core

calculus mo dules are secondclass This decision is based on issues related to the phase

distinction Section To p ermit rstclass mo dules would require considerably dierent

approaches to these issues that would reduce the expressiveness of the calculus as we will see

shortly Fortunately the rstclass mo dule restriction do es not seem to b e an onerous one the

most commonly cited use for a rstclass mo dule the abilityto select at runtime an ecient

implementation can b e achieved using existential typ es or ob jects

Static Semantics

The static semantics of app ears in App endix A Nine judgements are used six for the core

calculus and three for the mo dule calculus

The kind equality judgement indicates that and are equal in context

The subkinding judgement indicates that every constructor in is in

as discussed previously

The constructor equality judgement c c indicates that c and c are equal

as memb ers of kind

The subtyping judgement c c indicates that every term in c is in c

The typing judgement e c indicates that the term e has the typ e c

The valuability judgement e c indicates that the term e has the typ e c and that

its computation terminates

The subsignature judgement indicates that every mo dule in is in

The mo dule signature judgement m indicates that the mo dule m has signature

The mo dule valuability judgement m indicates that the mo dule m has signature

and that its computation terminates

Four additional judgements are derived from these nine A kind is considered wellformed

when it is equal to itself and similarly a constructor b elongs to a kind exactly when it is equal

to itself in that kind A typ e or signature is wellformed when it is a subtyp e or subsignature

of itself

def

kind

K K

def

c c c

K K

def

c typ e c c

K K

def

sig

K K

Design Issues

The Phase Distinction

An imp ortant decision to be made in the design of any mo dule calculus is how to account

for the phase distinction between compiletime and runtime expressions In the

absence of the mo dule calculus it is easy to say that the evaluation of typ e constructors

is a compiletime activity and the evaluation of terms is a runtime activity However the

mo dule system presents a quandary since mo dules may contain terms and typ e constructors

may contain mo dules through the extraction construct Constructor evaluation cannot be a

runtime activity unless we are willing to sacrice typ e checking at compile time but term

evaluation clearly cannot b e a compiletime activity

The central problem is how to structure the mo dule system and its interactions with the core

calculus so that compiletime expressions kinds and constructors do not contain p ossibly di

vergent or eectful expressions I discuss here two solutions to the problem the phasesplitting

approach prop osed by Harp er Mitchell and Moggi and the value restriction approach pro

posed by Harp er and Lillibridge and Leroy Lamb daK makes use of the phasesplitting

approach

In the phasesplitting approach mo dules including functors are considered to consist of

two comp onents a compiletime comp onent and a runtime comp onent The compiletime

comp onent deals only with the constructor p ortions of mo dules while the runtime comp onent

deals also with the term p ortions Then extraction at the constructor level dep ends only on

the constructor p ortion of a mo dule any problematic b ehavior of the mo dules term p ortion

is irrelevant This approach dep ends on designing the mo dule calculus so that it is imp ossible

to write a mo dule where a constructor eld dep ends on any runtime computation otherwise

constructor elds are runtime computations themselves and cannot be phase split into the

compiletime comp onent

In a system with rst class mo dules it is easy to construct a mo dule that dep ends on the

result of a term expression which rules out the phasesplitting approach In their translucent

sum calculus which has rst class mo dules Harp er and Lillibridge enforce the phase

distinction more directly Syntactic values have no interesting runtime b ehavior and may

therefore safely be treated as compiletime expressions Extraction at the constructor level is

restricted to only valuable expression arbitrary mo dule expressions are not legal for extraction

The phasesplitting approach also has some advantages that counterbalance the imp ossibility

of rstclass mo dules First phasesplitting provides a convenien tmechanism for implementing

the mo dule system Second phasesplitting allows greater exibility in references from

the core language into the mo dule language For example phasesplitting allows extraction

from functor applications which is forbidden by the value restriction approach This can be

quite useful in practice for example it allows the expression of transparent signatures for

functors that is signatures that completely sp ecify the typ e b ehavior of the functor For

example supp ose s has signature s hType i Then the alternative signature s hext ss i

the behavior of s but this signature is valid only if it is p ermissible to extract fully sp ecies

from functor applications Leroy discusses this issue at length

Top and Bottom Typ es

Unlike many subtyping calculi do es not have top and bottom typ es This is not b ecause

they are problematic to add they are not but because a practical language is b etter o

without them The main use for top and b ottom is usually to ensure that there exist meets

and joins for anytwotyp es but it is really only imp ortant to ensure that joins and meets exist

for typ es that have an upp er or lo wer b ound In cases where two typ es have no upp er or

lower b ound it is preferable to generate an error than to allow an articial top or b ottom

b ound For example a program fragment if b then else true is almost certainly a

mistake Similarly a function that makes incompatible demands on its argument could be

given a b ottom domain typ e but again such a useless function is certainly a mistake It is

b etter the notify the programmer of the mistake immediately than to allow the trivial typ e and

postpone the error message delivering it somewhere else instead of at the lo cation where the

mistakewas made

The drawback of this design decision relates to expressions with sideeects When an

expression is evaluated for sideeects it is not uncommon to ignore the result value In

this must be done explicitlyas in the co de if b then f x else g x where f and

g ha ve incompatible return typ es If the language included a top typ e the programmer could

write the marginally simpler if b then f x else g x However even in very impure co de it

is not likely that allowing top and b ottom would save eort for the programmer in this manner

nearly as often as disallowing them would save eort bycatching mistakes Additionally writing

co de to ignore result values explicitly provides useful do cumentation

Chapter

Typ eTheoretic Semantics

Typ e theory has b ecome a p opular framework for formal reasoning in computer science

and has formed the basis for a numb er of automated deduction systems including Automath

Nuprl HOL and Co q among others In addition to formalizing mathematics

these systems are widely used for the analysis and verication of computer programs To do

this one must draw a connection b etween the programming language used and the language of

typ e theory however these connections havetypically b een informal translations diminishing

the signicance of the formal verication results

Formal connections have b een drawn in the work of Reynolds and Harp er and Mitchell

each of whom sought to use typ etheoretic analysis to explain an entire programming

language Reynolds gave a typ etheoretic interpretation of Idealized Algol and Harp er and

Mitc hell did the same for a simplied fragment of Standard ML Recently Harp er and Stone

havegiven suchaninterpretation of full Standard ML Revised However in each of these

cases the typ e theories used were not suciently rich to form a foundation for mathematical

reasoning for example they were unable to express equality or induction principles On the

other hand Kreitz gave an emb edding of a fragment of Ob jective CAML into the

foundational typ e theory of Nuprl However this fragment omitted some imp ortant constructs

such as recursion and mo dules

The diculty has been that the same features of foundational typ e theories that make

them so expressive also highly constrain their semantics thereb y restricting the constructs that

may be intro duced into them For example as I will discuss b elow the existence of induction

principles precludes the typing of x that is typical in programming languages In this chapter

Ishowhowtogive a semantics to practical programming languages in foundational typ e theory

In particular I giveanembedding of into the Nuprl typ e theory This emb edding is simple

and syntaxdirected which has b een vital for its use in practical reasoning

The applications of typ etheoretic semantics are not limited to formal reasoning ab out

programs Using such a semantics it can be considerably easier to prove desirable prop erties

ab out a programming language suchastyp e preservation than with other means We will see

two such examples in Section The usefulness of such semantics is also not limited to one

tics particular programming language at a time If two languages are given typ etheoretic seman

then one may use typ e theory to show relationships b etween the two and when the semantics are

simple those relationships need b e no more complicated than the inherent dierences b etween

the two This is particularly useful in the area of typ edirected compilation

The pro cess of typ edirected compilation consists of in part translations b etween various typ ed

intermediate languages Emb edding eachinto a common foundational typ e theory provides an

ideal framework for showing the invariance of program meaning throughout the compilation

pro cess

This semantics is also useful even if one ultimately desires a semantics in some framework

other than typ e theory MartinLof typ e theory is closely tied to a structured op erational

semantics and has denotational mo dels in many frameworks including partial equivalence re

lations set theory and domain theory Thus foundational typ e theory

maybeusedasasemantic intermediate language

A Computational Denotational Semantics

My main motivation for a typ etheoretic semantics has been to draw formal connections be

tween programming languages and t yp e theory thereby making typetheoryapowerful to ol for

reasoning ab out languages and programs without sacricing any formality However a typ e

theoretic semantics is also valuable in its own right as mathematical mo del of a programming

language

Most programming language semantics are either op erational or denotational A typical

op erational semantics is sp ecied by giving an evaluation relation on program terms or an

evaluation relation on some abstract machine along with a translation into that machine

Op erational semantics have the advantage that they draw direct connections to computation

and explaining how programs compute is one of the prime functions of a semantics However

op erational semantics are typically rather brittle a slight addition or change to an op erational

semantics often requires reworking all pro ofs of prop erties of that semantics

In contrast a denotational semantics sp ecies for every program term a mathematical

ob ject that the program term denotes Typically a terms denotational is determined by com

posing in some way the denotations of its subterms The comp ositionality of denotational

semantics usually makes them more robust to change than a typical op erational semantics

Furthermore the equational theory of a denotational semantics is easier to work with since it

derives directly from the mathematical ob jects without need for an intermediating evaluation

relation and without needing to consider any surrounding context However the connection to

computation in a typical op erational semantics although present is much more remote than

with an op erational semantics

A denotational semantics in typ e theory provides the advantages of both a denotational

semantics The typ etheoretic semantics I present is denotational and accrues all the attendant

advantages of a denotational semantics but typ e theory is in essence a programming language

itself with its own op erational semantics so this semantics also draws a strong connection to

computation

The Language of Typ e Theory

I begin with an informal overview of the programming features of the Nuprl typ e theory It

is primarily those programming features that I will use in the emb edding The logic of typ es

is obtained through the prop ositionsastyp es isomorphism but this will not b e critical to

our purp oses in this chapter I present and discuss the typ e theory in detail in Chapter

As base t yp es the theory contains integers denoted by Z b o oleans denoted by B

strings denoted by Atom the emptytyp e Void the trivial typ e Unit andthetyp e Top which

Bo oleans are actually dened in terms of the disjoint union typ e

contains every wellformed term and in which all wellformed terms are equal Complex typ es

are built from the base typ es using various typ e constructors such as disjoint unions denoted by

T T dep endent pro ducts denoted byxT T and dep endent function spaces denoted

byxT T When x do es not app ear free in T we write T T for xT T and T T

for xT T

This gives an account of most of the familiar programming constructs other than p olymor

phism To handle p olymorphism wewanttohave functions that can take typ es as arguments

a typ e of all typ es These can be typ ed with the dep endenttyp es discussed ab ove if one adds

Unfortunately a single typ e of all typ es is known to make the theory inconsistent

so instead the typ e theory includes a predicative hierarchy of universes U U U etc The

universe U contains all typ es built up from the base typ es only and the universe U contains

all typ es built up from the base typ es and the universes U U In particular no universe

is a memb er of itself

Unlike which has distinct syntactic classes for kinds typ e constructors and terms Nuprl

has only one syntactic class for all expressions As a result typ es are rst class citizens and may

b e computed just as any other term For example the expression if b then Z else Top where

b is a b o olean expression is a valid typ e Evaluation is callbyname but these constructions

may also b e used in a callbyvalue typ e theory with little mo dication

To state the soundness of the embedding of we will require two assertions from the logic

of typ es These are equality denoted by t t in T which states that the terms t and t

are equal as members of typ e T and subtyping denoted by T T which states that every

member of typ e T is in typ e T and that terms equal in T are equal in T A memb ership

assertion denoted by t in T is dened as t t in T The basic judgement in Nuprl is H P

which states that in context H which contains hyp otheses and declarations of variables the

prop osition P is true Often the prop osition P will b e an assertion of equalityormemb ership

in a typ e

The basic op erators discussed ab ove are summarized in Figure Note that the lambda

abstractions of Nuprl are untyp ed unlike those of In addition to the op erators discussed

here the typ e theory contains some other less familiar typ e constructors the partial typ e set

typ e and very dep endent function typ e In order to b etter motivate these typ e constructors

we defer discussion of them until their point of relevance The dynamic semantics of all the

typ etheoretic op erators is given in Figure

Domain and Category Theory

Some of the mechanisms I use in the following section to give the typ etheoretic semantics of

will lo ok similar to mechanisms used to give programming language semantics in domain or

category theory This is not coincidence the three theories are closely related and some of the

mechanisms I use such as the partial typ es of Section are adapted from the folklore of

domain theory

However domain theory and category theory are not interchangeable with typ e theory

for the purp oses in this dissertation Typ e theory provides the highest degree of structure of

the three theories domain theory hides some structure in the interest of greater abstraction

and generality and category theory provides the least structure and the most abstraction and

generality Thus one can easily construct a domain or a category based on the Nuprl typ e

These are sometimes referred to in the literature as dep endent sums but I prefer the terminology to suggest

the connection to the nondep endenttyp e T T

Typ e Formation Intro duction Elimination

universe i U typ e formation

for i op erators

disjoint union T T inj e case e x e x e

inj e

function space xT T xe e e

pro duct space xT T he e i e

integers Z assorted op erations

b o oleans B true false ifthenelse

atoms Atom string literals equality test

void Void

unit Unit

top Top

Figure Typ e Theory Syntax

theory but one cannot easily work backwards although such mo dels of typ e theory do exist

The structure of the Nuprl typ e theory stems from the fact that Nuprl provides direct access

to the primitives of computation and the typ es of Nuprl sp eak directly of the computational

b ehavior of terms This structure is essential for achieving my goal of establishing a direct

computational signicance for this semantics recall Section This structure also allows

typ e theory to address directly issues that pose signicant challenges for domain theory and

or example in typ e theory we may that are not directly meaningful in category theory F

easily include or exclude divergent terms from typ es allowing us to easily distinguish b etween

partial or total functions and more imp ortantlyallowing us to use induction prop erties that

are invalid if one includes divergent terms

A Typ eTheoretic Semantics

Ipresenttheemb edding of into typ e theory in three parts In the rst part I b egin by giving

embeddings for most of the basic typ e and term op erators These emb eddings are uniformly

straightforward Second I examine what happ ens when the emb edding is expanded to include

x There we will nd it necessary to mo dify some of the original embeddings of the basic

op erators In the third part I complete the semantics by giving emb eddings for the kindlevel

constructs of The complete emb edding is summarized in Figures through

The embedding itself could be formulated in typ e theory leaving to metatheory only the

trivial task of enco ding the abstract syntax of the programming language Were this done the

theorems of Section could be proven within the framework of typ e theory For simplicity

however I will state the emb edding and theorems in metatheory

Basic Emb edding

The emb edding is dened as a syntaxdirected mapping denoted by of expressions

to terms of typ e theory Recall that in Nuprl all expressions are terms in particular typ es

and may be computed just as any other term Many expressions are translated are terms

directly into typ e theory

def

x x

def

xce x e

def

e e e e

def

c c c c

Nothing happ ens here except that the typ es are stripp ed out of lamb da abstractions to match

the syntax of Nuprl Functions at the typ e constructor level are equally easy to emb ed but I

defer discussion of them until Section

Since the typ e theory do es not distinguish between functions taking term arguments and

functions taking typ e arguments p olymorphic functions may be emb edded just as easily al

though a dep endenttyp e is required to express the dep endency of c on in the p olymorphic

typ e c

def

e e

def

ec e c

def

c c

Just as the typ e was stripp ed out of the lamb da abstraction ab ove the kind is stripp ed out of

the p olymorphic abstraction The translation of the p olymorphic function typ e ab ove makes

use of the emb edding of kinds but except for the elementary kind Type I defer discussion of

the emb edding of kinds until Section The kind Type which contains leveli typ es is

emb edded as the universe containing leveli typ es

def

Type U

Records and Disjoint Unions A bit more delicate than the ab ove but still fairly simple is

the emb edding of records Field lab els are taken to b e memb ers of typ e Atom and then records

are viewed as functions that map eld lab els to the contents of the corresp onding elds For

example the record fx f xint xg which has typ e fx int f int int gisemb edded

a if a x then else if a f then xx else

A A

where a a is the equality test on atoms which returns a b o olean when a and a are atoms

Since the typ e of this functions result dep ends up on its argumen t this function must be

typ ed using a dep endenttyp e

aAtom if a x then Z else if a f then Z Z else Top

A A

In general records and record typ es are emb edded as follows

def

f e e g a if a then e

n n A

else if a then e

A n n

else

def

e e

def

f c c g aAtom if a then c

n n A

else if a then c

A n n

else Top

Note that this emb edding validates the desired subtyping relationship on records Since fx

int f int int gfx int gwewould liketheemb edding to resp ect the subtyping relationship

fx int f int int g fx int g Fortunately this is the case since every typ e is a subtyp e

typ e relating to the omitted eld if a f then of Top and in particular the part of the

Z Z else Top is a subtyp e of Top The use of a typ e Top to catch extra lab els is essential

for subtyping to work prop erly makes for a particularly elegant emb edding of records but it

is not essential In the absence of Top one could pro duce a slightly less elegant emb edding by

restricting the domain to exclude undesired lab els using a set typ e Section

Disjoint unions are handled in a similar manner The injection term inj is emb edded

as the pair hx i of its lab el and its argument The typ es of this term include the sum typ e

hx int f int int i whichisemb edded using a dep endenttyp e as

aAtom if a x then Z else if a f then Z Z else Void

A A

In general disjoint unions are emb edded as follows

def

h c c i aAtom if a then c

n n A

else if a then c

A n n

else Void

def

inj e h ei

def

case e x e x e if x then e xx

n n n A

else if x then e xx

n A n n

else

Again this relation validates the desired subtyping relationship

Emb edding Recursion

A usual approach to typing general recursive denitions of functions and the one used in

is to add a x construct with the typing rule

H e in T T

H x e in T wrong

In eect this adds recursively dened and p ossibly divergent terms to existing typ es Unfor

tunately such a broad xp oint rule makes MartinLof typ e theories inconsistent b ecause of the

presence of induction principles An induction principle on a typ e sp ecies the memb ership of

that typ e for example the standard induction principle on the natural numb ers sp ecies that

every natural numb er is either zero or some nite iteration of successor on zero The abilityto

add divergent elements to a typ e would violate the sp ecication implied bythattyp es induction

rule

One simple waytoderive an inconsistency from the ab ovetyping rule uses the simplest in

duction principle induction on the emptytyp e Void The induction principle for Void indirectly

sp ecies that it has no members

H e in Void

H e in T

However it would b e easy using xtoderive a member of Void the identity function can b e

given typ e Void Void sox xxwould havetyp e Void Invoking the induction principle

x xx would be a member of every typ e and by the prop ositionsastyp es isomorphism

would b e a pro of of every prop osition It is also worth noting that this inconsistency do es not

stem from the fact that Void is an emptytyp e similar inconsistencies may b e derived with a

bit more work for almost every typ e including function typ es to which the x rule of is

restricted

It is clear then that x cannot be used to dene new memb ers of the basic typ es How

then can recursive functions b e typ ed The solution is to add a new typ e constructor for partial

types For anytyp e T the partial typ e T is a sup ertyp e of T that contains all the

elements of T and also all divergent terms A total typ e is one that contains only convergent

terms The induction principles on T are dierent than those on T so we can safely typ e x

with the rule

T T H T admiss H e in

H x e in T

We use partial typ es to interpret the p ossibly nonterminating computations of When in

a term e has typ e theemb edded term e will havetyp e Moreover if e is valuable

then e can still b e given the stronger typ e Before wecanembed x wemust reexamine

the emb edding of function typ es In Nuprl partial functions are viewed as functions with

partial result typ es

def

c c c c

def

c c c c

def

c c

If partial p olymorphic functions Note that as desired since

were included in they would b e emb edded as c

Now supp ose we wish to x the function f whichin hastyp e and

supp ose for simplicity onlythat f is valuable Then f has typ e

The second subgoal that the typ e T be admissible is a technical condition related to the notion of admis

sibilityinLCF All the typ es used in the emb edding are admissible so I ignore the admissibility condition

in the discussion of this chapter Admissibilityis discussed further in Chapter and is examined in detail in

Chapter

This terminology can b e somewhat confusing A total typ e is one that contains only convergent expressions

The partial function typ e T T contains functions that return p ossibly divergent elements but those functions

themselves converge so a partial function typ e is a total typ e

This typedoesnot quite t the x typing rule which requires the domain typ e to b e partial

so we must co erce f to a xable typ e We do this by etaexpanding f to gain access to its

argument call it g and then etaexpanding that argument g

g f xg x in

Etaexpanding g ensures that it terminates since xg x is a canonical form changing its typ e

from to The former typ e is required bythex rule but the latter typ e

is exp ected byf Since the co erced f tsthex typing rule we get that x g f xg x

has typ e as desired Thus wemayembed the x construct as

def

x e x g exg x

Strictness In a function may be applied to a p ossibly divergent argument but in my

semantics functions exp ect their arguments to be convergent Therefore we must change the

emb edding of application to compute function arguments to canonical form b efore applying the

function This is done using the sequencing construct let x e in e which evaluates e to

canonical form e and then reduces to e e x The sequence term diverges if e or e do es

and allows x be given a total typ e

H e in T H xT e in T

H let x e in e in T

Application is then emb edded in the exp ected way

def

e e let x e in e x

A nal issue arises in regard to records and disjoint unions In the emb edding of Section

the record f eg would terminate even if e diverges This would be unusual in a

callbyvalue programming language so we need to ensure that each member of a record is

evaluated

def

e e g let x e in f

n n

let x e in

n n

a if a then x

else if a then x

A n n

else

A similar change must b e also b e made for disjoint unions

def

inj e let x e in h xi

Polymorphic functions are unaected b ecause all typ e expressions converge Corollary

Emb edding Kinds

The kind structure of contains three rstorder kind constructors Wehave already seen the

emb edding of the kind Type remaining are the p ower and singleton kinds Each of these kinds

represents a collection of typ es so eachwillbeemb edded as something similar to a universe but

unlikethe kind Type which includes all typ es of the indicated level the power and singleton

kinds wish to exclude certain undesirable typ es The p ower kind P contains only subtyp es

of and the singleton kind S contains only typ es that are equal to other typ es must b e

left out

The mechanism for achieving this exclusion is the set type If S is a typ e and P is a

z g contains all elements z of S such that P z is predicate over S then the set typ e fz S j P

true With this typ e wecanembed the power and singleton kinds as

def

P c fT U j T c c in U g

i i i

def

S c fT U j T c in U g

i i i

Among the higherorder typ e constructors functions at the typ e constructor level and their

kinds are handled just as at the term level except that function kinds are p ermitted to have

dep endencies but need not deal with partiality or strictness

def

c c

def

c c c c

def

Dep endent Record Kinds For records at the typ e constructor level the emb edding of the

records themselves is analogous to those at the term level except that there is no issue of

strictness

def

f c c g a if a then c

n n A

else if a then c

A n n

else

def

c c

However the emb edding of this expressions kind is more complicated This is b ecause of the

need to express dep endencies among the elds of the dep endent record kind Recall that the

emb edding of a nondep endent record typ e already required a dep endent typ e to embed a

dep endent record typ e will require expressing even more dep endency Consider the dep endent

P g We might naively attempt to enco de this like the record kind f Type

nondep endent record typ e as

aAtom if a then U else if a then fT U j T in U g else Top wrong

A A

ariable is now unb ound We want to refer to the but this enco ding is not correct the v

contents of eld In the enco ding this means wewant to refer to the value returned by the

function when applied to lab el So wewantatyp e of functions whose return typ e can dep end

not only up on their arguments but up on their own return values

The second clause in the emb edding of the p ower kind c in U is used for technical reasons that require

that wellformedness of P imply that Type

The typ e I will use for this emb edding is Hickeys very dependent function type This

typ e is a generalization of the dep endent function typ e itself a generalization of the ordinary

function typ e and like it the very dep endent function typ es memb ers are just lamb da abstrac

tions The dierence is in the sp ecication of a functions return typ e The typ e is denoted by

ff j xT T g where f and x are binding o ccurrences that may app ear free in T but not in

As with the dep endent function typ e x stands for the functions argument but the addi

tional variable f refers to the function itself A function g b elongs to the typ e ff j xT T g

if g takes an argument from T call it t and returns a member of T t g x f

For example the kind f Type P g discussed ab ove is enco ded as a very

dep endent function typ e as

ff j aAtom if a then U else if a then fT U j T f fin U g else Top g

A A

To understand where this typ e constructor ts in with the more familiar typ e constructors

consider the typ e triangle shown in Figure On the right are the nondep endent typ e

constructors and in the middle are the dep endent typ e constructors Arrows are drawn from

typ e constructors to weaker ones that may be implemented with them Horizontal arrows

indicate when a weaker constructor may b e obtained by dropping a p ossible dep endency from

a stronger one for example the function typ e T T is a degenerate form of the dep endent

function typ e xT T where the dep endent variable x is not used in T Diagonal arrows

indicate when a weaker constructor may be implemented with a stronger one by p erforming

case analysis on a b o olean for example the disjoint union typ e T T is equivalent to the

typ e bB if b then T else T

If we ignore the very dep endent function typ e the typ e triangle illustrates how the basic typ e

constructors may b e implemented by the dep endent function and dep endentproducttyp es The

very dep endent function typ e completes this picture the dep endent function is a degenerate

form where the f dep endency is not used and the dep endent pro duct may be implemented

by switching on a b o olean Thus the very dep endent function typ e is a single unied typ e

constructor from which all the basic typ e constructors may b e constructed

In general dep endent record kinds are enco ded using a very dep endent function typ e as

follows

def

f g ff j a Atom

n n n

if a then

else if a then f

else if a then

A n

f f

n n n

else Top g

Toavoid the apparent circularity in order for ff j xT T g to b e wellformed we require that T may only

use the result of f when applied to elements of T that are less than x with regard to some wellfounded order

This restriction will not b e a problem for this emb edding b ecause the order in which eld lab els app ear in a

dep endent record kind is a p erfectly go o d wellfounded order

By switching on a lab el instead of a b o olean record typ es and tagged varianttyp es could b e implemented

and placed along the diagonals as well

xT T T T ff j xT T g

H H

Hj Hj

T T xT T

T T

Figure The Typ e Triangle

Emb edding Mo dules

As discussed in Section uses a phasesplitting interpretation of mo dules where mo dules

including higherorder mo dules are considered to consist of two comp onents a compiletime

comp onent and a runtime comp onent This is reected in the typ etheoretic semantics byan

emb edding that explicitly phasesplits mo dules The technique used is derived from Harp er et

The emb eddings for mo dules and signatures are given by two syntaxdirected mappings

and one for the compiletime comp onent of the given expression and one for the run

c r

time comp onent Given these the emb edding of a mo dule is a pair of the compiletime and

runtime comp onents

def

m h m m i

c r

In signatures the typ es of runtime elds may dep end up on a compiletime memb er as in

the signature ffoo s hType i bar hhext s iig corresp onding to the KML mo dule sig

fo o fo o

tycon foo type val bar foo end Consequently the emb edding of a signature is the

dep endent pro duct of the compiletime comp onent and the runtime comp onent The runtime

comp onents emb edding is a function that takes as an argument the compiletime member on

which it dep ends In the emb edding of the full signature that function is applied to the variable

standing for the compiletime memb er

def

v v

c r

The emb eddings of basic mo dules and signatures are simple The runtime comp onent is trivial

for hi signatures and hci mo dules and the compiletime comp onent is trivial for hhcii signatures

and hheii Mo dule variables s are split into separate variables s and s for each comp onent

c r

def

hci c mo dule compiletime comp onent

def

hci mo dule runtime comp onenttrivial

def

hi signature compiletime comp onent

def

hi v Top signature runtime comp onenttrivial

def

hheii mo dule compiletime comp onenttrivial

def

hheii e mo dule runtime comp onent

def

hhcii Top signature compiletime comp onenttrivial

def

hhcii v c signature runtime comp onent

def

s s mo dule compiletime comp onent

def

s mo dule runtime comp onent s

For each of the signatures ab ove it is imp ossible for there to b e any dep endency of the runtime

comp onent on the compiletime comp onent since for hi there is no nontrivial runtime to

dep end on anything and for hhcii there is no nontrivial compiletime for anything to dep end

on As a result the variable v is ignored in each case

Functors For function mo dules and signatures everything lo oks familiar in the compiletime

comp onent where the runtime material is ignored

def

s m sm

c c

def

m m m m

c c c

def

s s

c c c

However the runtime comp onent may not similarly ignore the compiletime comp onent be

cause of p ossible dep endencies Therefore the runtime comp onent abstracts over b oth the

compiletime and runtime comp onents of its argument

def

s s m sm

c r

r r

def

let x m in m m m m x

r r r c

The signatures runtime comp onent then takes an argument v representing the compiletime

comp onent and returns a curried function typ e The result typ e is the runtime comp onentof

the result signature and that dep ends on the compiletime comp onent Fortunately the results

compiletime comp onentisavailable as vs since v maps the compiletime comp onent of the

argument to the compiletime comp onent of the result

def

v s s vs s

c c c

c r r r

Structures For dep endent record mo dules and signatures the compiletime comp onent lo oks

like dep endent record kinds and the typ e constructor records that b elong to them

def

a if a then m f m m g

A n n

c c

else if a then m

A n n

else

def

m m

c c

def

f s s g ff j aAtom

n n n

if a then

else if a then f s

A c

else if a then

A n

f f s s

n n c

else Top g

The runtime comp onent of mo dules lo oks much like the emb edding of record terms as with

those a series of op ening lets is necessary to ensure strictness

def

f m m g let x m in

n n

r r

let x m in

n n

a if a then x

else if a then x

A n n

else

where x do es not app ear free in m

i i

def

m m

r r

of signatures is also familiar except that it must deal with dep en The runtime comp onent

dencies on the compiletime comp onent Again the runtime comp onenttakes an argument v

representing the compiletime comp onent The runtime comp onent of each eld is applied

to the compiletime comp onent of that eld which is v Also each eld may have dep en

dencies on the compiletime comp onents of earlier elds These dep endencies will have b een

expressed by free o ccurrences of the variables s into whichwe substitute the corresp onding

compiletime comp onents v It is worthwhile to note that these substitutions for s are the

i ic

only places where dep endencies on the argument v are intro duced

f s s g

n n n

def

v aAtom if a then v

if a then v v s

A c

else if a then

A n

v v v s s

n n n c

else Top

def

Type fT U j T admiss T total g

def

f g ff j aAtom if a then

n n n A

f else if a then

else if a then

A n

f f

n n n

else Top g

where f a do not app ear free in

def

P c fT U j T c c in U T admissg

i i i

where T do es not app ear free in c

def

S c fT U j T c in U g

i i i

where T do es not app ear free in c

def

c c

def

c c c c

def

f c c g a if a then c

n n A

else if a then c

A n n

else

where a do es not app ear free in c

def

c c

def

c c c c

def

c c c c

def

c c

def

f c c g aAtom if a then c

n n A

else if a then c

A n n

else Top

where a do es not app ear free in c

def

h c c i aAtom if a then c

n n A

else if a then c

A n n

else Void

where a do es not app ear free in c

def

ext m m

Figure Emb edding Kinds and Typ es

def

x x

def

xce x e

def

e e let x e in e x

where x do es not app ear free in e

def

e e

def

ec e c

def

f e e g let x e in

n n

let x e in

n n

a if a then x

else if a then x

A n n

else

where x do es not app ear free in e

i j

def

e e

def

inj e let x e in h xi

def

case e x e x e let x e in

n n n

if x then e xx

else if x then e xx

A n n n

else

where x do es not app ear free in e

def

x e x g exg x

where g do es not app ear free in e

def

ext m m

Figure Emb edding Terms

Prop erties of the Emb edding

I conclude my presentation of the typ etheoretic semantics of by examining some of the

imp ortant prop erties of the semantics Wewant the emb edding to validate the intuitive meaning

of the judgements of s static semantics If is a subkind of then wewant the emb edded

kind to be a subtyp e of if c and c are equal in kind we want the emb edded

constructors c and c to be equal in and if e has typ e we want e to have typ e

and if e is valuable Similar prop erties are desired for the mo dule judgements This

is stated in Theorem

Theorem Semantic Soundness For every context let be dened as fol lows

def

x c x c

def

s s s s

c r c

c r

Then the fol lowing implications hold

If then level level and in U

level

def

v v

c r

where v do es not app ear free in

def

hi v Top

def

hhcii Top

def

hhcii v c

where v do es not app ear free in c

def

s s

c c c

def

s v s s vs

c c c

r c r r

where v s do not app ear free in

def

f s s g ff j aAtom if a then

n n n A

c c

else if a then f s

A c

else if a then

A n

f f s s

n n c nc

else Top g

where f a do not app ear free in

def

v aAtom if a then v f s s g

A n n n

r r

if a then v v s

A c

else if a then

A n

n n

v v s s

n c nc

else Top g

where v a do not app ear free in

Figure Emb edding Signatures

If then in U in U

level level

If c c then c c in

If c c then c c

If e c then e in c

If then in U in U

level level

m in m in If m then

c c

If m then m in

Pro of

By induction on the derivations of the judgements

Wemay observetwo immediate consequences of the soundness theorem One is the desirable

prop erty of typ e preservation evaluation do es not change the typ e of a program Figure

gives a smallstep evaluation relation for the Nuprl typ e theory denoted by t t when t

evaluates in one step to t Typ e preservation of Corollary follows directly from

soundness and typ e preservation of Nuprl Prop osition

def

m hm m i

c r

def

s s

def

s s

def

hci c

def

hci

def

hheii

def

hheii e

def

s m s m

c c

def

sm s s m

c r

r r

def

m m m m

c c c

def

m m let x m in m m x

r r r c

x do es not app ear free in m m where

def

f m m g a if a then m

n n A

c c

else if a then m

A n n

else

where a do es not app ear free in m

def

f m m g let x m in

n n

r r

let x m in

n n

a if a then x

else if a then x

A n n

else

where x do es not app ear free in m

i i

def

m m

c c

def

m m

r r

def

m m

c c

def

m m

r r

Figure Emb edding Mo dules

Prop osition If t in T and t t then t in T

Pro of

Direct from Corollary

Corollary Typ e Preservation If e and e t then t in

Another consequence of the soundness theorem is that the phase distinction is

resp ected in all typ e expressions converge and therefore typ es may be computed in a

compiletime phase This is expressed by Corollary

Corollary Phase Distinction If c then there exists canonical t such that

c t

Pro of

For anywellformed kind theemb edded kind can easily b e shown to b e a total typ e

Intuitively every typ e is total unless it is constructed using the partial typ e constructor

which is not used in the emb edding of kinds The conclusion follows directly

Prosp ects for Extension

In order to embed into typ e theory I abandoned impredicativity This was b ecause the

standard semantics for Nuprl discussed in Section do es not supp ort it However Mendler

has develop ed a semantic mo del of Nuprl enhanced with recursivetyp es and some impred

icative p olymorphism In that typ e theoryitisentirely straightforward to handle secondorder

impredicativity I have not used Mendlers typ e theory in this thesis because its semantics is

very complicated and b ecause it is not clear how easily it can b e extended to supp ort partial

typ es An alternative typ e theory to be explored is the Calculus of Constructions

which also supplies impredicative features and could likely supp ort the semantics discussed in

this chapter

Another imp ortant avenue for future work is to extend the semantics in this chapter to

explain stateful computation One promising device for doing this is to enco de stateful com

putations as monads but this raises two diculties In order to enco de references in

monads all expressions that may sideeect the store must take the store as an argument The

problem is howtoassignatyp e to the store Since sideeecting functions may b e in the store

themselves the store must b e typ ed using a recursivetyp e and since sideeecting expressions

take the store as an argument that recursive typ e will include negative o ccurrences of the

variable of recursion Mendlers typ e theory ma y express recursive typ es with only p ositive

o ccurrences but to allow negative o ccurrences is an op en problem

Finally a particularly comp elling direction is to extend the semantics to account for ob jects

and that turns out to require only the same mechanisms discussed ab ove In a weak sense this

semantics can already supp ort ob jects the existential ob ject enco ding of Pierce and Turner

uses only constructs available within the typ e theory used here Unfortunately that enco ding

is not practical in a predicative system b ecause it involves quantication over the typ es of an

ob jects hidden instance variables That quantication results in ob jects always b elonging to

auniverse one level higher than their underlying co de which prevents such ob ject from b eing

rstclass However in an impredicativetyp e theory Pierce and Turners ob ject enco ding can

be used quite satisfactorily In a typ e theory that additionally supplies recursive typ es with

negative o ccurrences a variety of other ob ject enco dings b ecome p ossible as w ell

Alternatively the ob ject enco ding of Hickey works entirely within the existing Nuprl

typ e theory and shows promise of b eing extendable to a practical ob ject system

Conclusions

I have shown how to give a typ etheoretic semantics to an expressive programming calculus

that supp orts mo dular and ob jectoriented features This semantics makes it p ossible to use

formal typ etheoretic reasoning ab out programs and programming languages without informal

emb eddings and without sacricing core expressiveness of the programming language

Formal reasoning aside emb edding programming languages into typ e theory allows a re

searcher to bring the full p ower of typ e theory to b ear on a programming problem For example

er kinds to a in Crary I use a typ etheoretic interpretation to exp ose the relation of pow

nonconstructive set typ e Adjusting this interpretation to make the power kind constructive

See Birkedal and Harp er for a promising approach that may lead to a solution of this problem

However in some contexts it is not necessary for ob jects to b e rst class For example Jackson inde

pendently used an enco ding essentially the same as Pierce and Turners to implement computational abstract

algebra In that context algebras were rarely intermingled with the elements of an algebra and when they were

an increase in the universe level was acceptable

results in the pro ofpassing technique used to implement higherorder co ercive subtyping in

KML

Furthermore the simplicityof the semantics makes it attractive to use as a mathematical

mo del similar in spirit if not in detail to the ScottStrachey program This semantics

works out so neatly b ecause typ e theory provides builtin structure wellsuited for analysis of

programming Most imp ortantlytyp e theory provides structured data and an intrinsic notion

of computation Nontyp etheoretic mo dels of typ e theory can exp ose the scaolding when

one desires the details of how that structure may b e implemented Section

As a theory of structured data and computation typ e theory is itself a very expressive pro

gramming language Practical programming languages are less expressive but oer prop erties

that foundational t yp e theory do es not such as decidable typ e checking I suggest that it is

protable to take typ e theory as a foundation for programming and to view practical pro

gramming languages as tractable approximations of typ e theory The semantics in this chapter

illustrates how to formalize these approximations This view not only helps to explain pro

gramming languages and their features as I have done here but also provides a greater insight

into howwe can bring more of the expressiveness of typ e theory into programming languages

Chapter

Foundational Typ e Theory

In this chapter I present in detail the foundational typ e theory of Nuprl Broadly sp eaking

the intent of the Nuprl typ e theory is to provide a formal foundation for mathematics that

is intrinsically computational Like the simpler typ e theories that provide the sup erstructure

for various programming languages such as Nuprl is a theory of structured data and

computation The essential dierence b etween Nuprl and other foundational typ e theories

and the simpler typ e systems of ordinary programming languages is the expressiveness

of the typ e system Foundational typ e theories provide typ e structure rich enough to enco de

almost arbitrary logical and mathematical prop ositions

This logical character of the Nuprl typ e system is not immediately evident at a rst in

sp ection Instead the constructs that make up Nuprl are those of a fairly simple programming

language data suchasintegers functions and pairs and typ es for classifying such data Those

computational constructs are interpreted as logical statements using the propositionsastypes

corresp ondence discussed in Section This conating of logic and data is one of the inter

esting asp ects of typ e theory and is in contrast to most other mathematical foundations such

as set theory whichdraw sharp distinctions b etween ob jects and logical sentences

Nuprl

The standard Nuprl typ e theory is presented in Constable et al I present here a variant

are of the Nuprl typ e theory with a number of innovations Chief among those innovations

the partial typ e mechanisms added in order to make it p ossible to reason ab out p otentially

nonterminating computations In Section I discuss some of the design decisions for my

version of Nuprl

Basic Typ es and Op erators

At the core of the typ e theory are the basic data typ es summarized in Figure Each of these

data typ es have a collection of intro duction op erators and a collection of analysis or elimi

nation op erators Nuprl do es not have distinct syntactic classes for typ es and terms instead

typ es are ordinary terms that may b e computed using the same op erations for computing data

For example if A and B are typ es then so is if b then A else B The basic typ es of Nuprl are

the following

A tom The collection of intro duction forms for Atom is the set of string literals The sole

elimination form for Atom is the equality test a a whichisequivalentto true when a

Typ e Formation Intro duction Elimination

atoms Atom string literals equalitytest

integers Z assorted op erations

b o oleans B true false if e then e else e

disjoint union T T inj e case e x e x e

inj e

pro duct space xT T he e i e

function space xT T xe e e

verydep endent ff j xT T g xe e e

function

unit Unit

void Void

universe i U typ e formation

for i op erators

Figure Basic Nuprl Typ es

and a are equal atoms and is equivalentto false when a and a are unequal atoms Note

that Atom has considerably less structure than a typ e of strings the essential prop erties

of Atom are only a countably innite set of intro duction forms and an equality test

Integer Z The collection of intro duction forms for Z is the set of integer literals The

elimination forms for integers are boolean equality and inequality tests and

Z Z

and a collection of binary op erations ranged over by such as plus times etc For

convenience these op erators are taken to b e dened on all integer values and return zero

in exceptional cases such as division by zero

Boolean B The intro duction forms for B are true and false Bo oleans are eliminated

by the branching construct if b then e else e For simplicitybooleans will eventually

b e dened in terms of the unit and disjoint union typ es

Disjoint Union A B The intro duction forms of A B are inj a when a is a

term b elonging to A and inj b when b is a term b elonging to B Disjoint unions are

eliminated by the case analysis construct case e x e x e

Dependent Product xAB The intro duction forms of xAB are ha bi when a be

longs to A and b b elongs to B ax Disjoint unions are eliminated by the pro jection

constructs eand e As usual when x do es not app ear free in B I write xAB

as the nondep endent pro duct A B This typ e is also known in the literature as a

dep endent sum general sum or strong sum I cho ose the term dep endent pro duct in

order to emphasize the connection to the nondep endent pro duct

Dep endent Function xAB The intro duction form of xAB is xb when bax

b elongs to B axforevery a b elonging to A Functions are eliminated by the application

construct e e As usual when x do es not app ear free in B I write xAB as the

nondep endent function typ e A B

Very Dependent Function ff j xA B g The very dep endent function typ e due to

has the same intro duction form xb as the ordinary dep endent function Hickey

typ e but allows the result typ e B to dep end not only on the argument x but on the

function itself Thus xb belongs to ff j xA B g when bax b elongs to B xb af x

for every a b elonging to A

To avoid circularity in order for a very dep endent function typ e ff j xAB g to be well

formed we require that B only use f by applying it to elements of A that are less than x

with resp ect to some wellfounded order As discussed in Section the very dep endent

function typ e is sucient to enco de many of the other basic typ es discussed here but it

is convenien t esp ecially in Chapter to retain those other typ es as primitive

Unit The typ e Unit has the intro duction form and no elimination forms For simplicity

Unit will eventually b e dened in terms of the equalitytyp e

Void The typ e Void is empty and therefore has no intro duction forms

Universe U Eachtyp e expression is Nuprl is also an ordinary term and is a member

of a universe typ e The universe U is the typ e containing all smal l typ es those that can

b e built without using a universe The universe U then contains all typ es that can b e

built using no universe higher than U In particular no universe is a member of itself

to include a single typ e that contained all typ es including itself would make the theory

inconsistent The intro duction forms for a universe are the t yp e formation

op erators No elimination form for universes is provided but this is only for simplicity

typ e analysis op erations could easily b e added following Constable and Zlatin

Equality and Wellformedness

Central to the typ e theory are two equality relations one for equalityoftyp es and another for

equality of terms relative to a typ e The typ e equality relation written T T states that

T and T are eachwellformed typ es and are equal to each other The term equality relation

written e e T states that T is a typ e and that e and e are memb ers of T and are equal

when considered as memb ers of T A sp ecication of these two relations app ears in Figure

The reexive forms of these relations are particularly imp ortant Note that T T exactly

when T is a wellformed typ e and that e e T exactly when e is a member of T These

reexive cases are abbreviated as T typ e and e T resp ectively

For example xAB xA B if and only if A A and B ax B a x whenever

a a A and xb xb xAB if and only if xAB typ e and bax b a x

B ax whenever a a A

We will o ccasionally have need of a sp ecial degenerate typ e to serve as a sup ertyp e of all

typ es

Top For any terms e and e e e Top For simplicity Top will eventually be

dened in terms of the every typ e

Notation I write a A P to mean a a A P and a a A P to mean

a a a a A P

Prop ositions as Typ es

In order to use typ e theory for mathematics we need a waytomake logical statements prop o

sitions within the formal theory This is done using the propositionsastypes corresp ondence

also known as the CurryHoward isomorphism In this corresp ondence each logical sen

tence is interpreted as a typ e with the understanding that that the sentence is true exactly

when the corresp onding typ e is inhabited by some term That inhabitant is referred to as the

witness of the prop osition

For example the prop osition False is interpreted as the uninhabited typ e Void The other

logical connectives are interpreted as follows

def

True Unit

def

P Q P Q

def

P Q P Q

def

P Q P Q

def

P Q P Q Q P

def

P P Void

def

xTP xTP

def

xTP xTP

Higherorder logic may be interpreted by this device as well We may state a prop osition

quantied over all small predicates as P P Q This is interpreted in the typ e theory by

dening the typ e of prop ositions P to b e the universe U

i i

Equality Subtyping and Inequality

Although the preceding is sucient to enco de prop ositional and higherorder predicate logic we

are short on atomic prop ositions F or example wewould like to b e able to sp eak ab out equality

within the logic but none of the typ es discussed so far is able to express such a prop osition

To handle this sort of atomic assertion we add new typ es that are dened to b e inhabited by

the trivial term when the prop osition they represent is true and empty otherwise

Equality e e in T The typ e e e in T is wellformed when e T and e T

If e e T then the typ e e e in T has the intro duction form if not then the

t yp e is empty andisinterpreted as a false prop osition Using the equalitytyp e wemay

also dene a memb ership typ e denoted e in T as e e in T

Subtyping T T The typ e T T is wellformed when T and T are well formed

typ es If T is a subtyp e of T ie e e T whenever e e T then T T has

the intro duction form otherwise it is empty and is interpreted as a false prop osition

The typ e n n is wellformed when n Z and n Z and is Inequality n n

inhabited by when the integer valueofisn is less than or equal to that of n

Be careful to note the distinction b etween e e in T atyp e and a prop osition within

the formal typ e theory and e e T a metatheoretical statement outside the theory

Also note that subtyping is dened as typ e inclusion if T T then the memb ers of

T are actual members of T An alternative denition would be that T T when exists a

co ercion from T to T This would provide an apparently more general notion of subtyping

since the identity function could always serve as a co ercion from a typ e to another typ e that

includes it In its greatest generality co ercive subtyping may b e represented by the prop osition

T T which states that there exists a function from T to T Alternatively if the co ercion

interpretation is restricted to use a predetermined collection of co ercions then the two notions

of subtyping may be reconciled in a common typ e system This is done by building a

new typ e system in which a typ e T contains all the members of every typ e T such that T

is co ercible to T Then the equalities on such typ es are constructed so that co ercion results

are deemed equal to the corresp onding co ercion arguments and thus co ercion functions may

formally b e viewed as identity functions

in Atom Certainly it is not true but Negatability Consider the prop osed prop osition

it is not false either Since the wellformedness criterion for the equality typ e requires its

equands to belong to the stated typ e in Atom is illformed and not a typ e at all This

seemingly inno cuous phenomenon has considerable consequences it means that the memb ership

prop osition is not negatable

To understand why consider the prop osition e in T If metatheoretically sp eaking e T

then e in T is wellformed and true ie inhabited On the other hand if e T then e in T

is illformed and unusable This do es not mean that memb ership prop osition is useless on

the contrary it is quite often essential However the memb ership prop osition is useless as the

antecedent of an implication As a simple example the negation e in T is either false or

illformed but never true and hence never useful More generallythe implication e T P

is no easier to prove than P b ecause the wellformedness of the implication cannot be shown

without proving the antecedent rendering the antecedent useless

The nonnegatability phenomenon is not limited to the memb ership prop osition Consider

the prop osition xT x in T This prop osition could b e used to dene the subtyping relation

but like the memb ership prop osition it is wellformed only when true That is why subtyping

is made a builtin typ e b ecause we would like to be able to prove theorems like A B

Z A Z B and U U In Section we will see a few more examples of primitive

typ es included to provide negatability

Constructivity

The interpretation of prop ositions as typ es is convenient but it also restricts the pro of tech

niques that may b e used to prove such prop ositions Consider the prop osition XM P P P

P In classical logic this prop osition is certainly true every prop osition is either true or false

alternatively every typ e is either inhabited or uninhabited However for XM to be valid in

Nuprl there must exist a function f that computes a member of P P for every small

prop osition P This is certainly imp ossible since P may express an undecidable prop osition

The Nuprl logic restricts pro ofs to using only principles of reasoning that are constructive

or intuitionistic This means that any pro of of the existence of an ob ject must showhow

to construct it and any pro of of a disjunction must showhow to determine which case is true

In practice this means that pro ofs may not use the principle of the excluded middle prop osition

XM ab ove or pro of bycontradiction Contradiction mayhowever b e used to prove theorems

of the form P

The dividend of this restriction is that pro ofs maybeinterpreted as programs Supp ose we

x y constructively In so doing wehave constructed a function inhabiting prove xZ y ZP

the corresp onding typ e xZ y ZPx y this function is the computational content of the

pro of The function may be applied to any integer x to compute the desired integer y and a

pro of of P x y More generally whenever we prove the existence of ob jects we may extract

the computational content from that pro of a program to compute those ob jects I discuss this

pro cess of extracting computational content from pro ofs further in Section In Section

I discussed the controlled reintro duction of classical reasoning principles

Prop ositions versus Bo oleans It is imp ortant to be clear on the distinction b etween the

typ e P of prop ositions and the typ e B of b o oleans Prop ositions are typ es that are inhabited

when their intended meaning is true and are empty otherwise Bo oleans are terms that compute

to the value true when their intended meaning is true and to false otherwise Decidable prop o

sitions may also be stated as b o olean expressions for example true false a a n n

A Z

and n n are b o olean forms of the prop ositions True False a a in Atom n n in Z

and n n Undecidable prop ositions can never be stated as boolean expressions b ecause a

computation that resulted in such a b o olean would solve the undecidable problem

Constructing New Typ es using Logic

Wemay also use logical predicates to construct variants of other typ es using two sp ecial typ e

constructors due to Constable

The set type fxT j P g is the subtyp e of T that contains all t T such that P tx is true

ie inhabited

The quotient type xy TE x y when E is an equivalence relation on T is the

sup ertyp e of T that coarsens the equalityon T as follows t t xy TE if and only

if t t T and E t t x y istrueie inhabited

We may use set and quotient typ es to dene a number of imp ortant variants on existing

def def

typ es such as the natural numb ers N fn Z j ng and the integers mo dulo k Z

mnZm nmodk in Z Anumb er of other derived forms app ear in Figure

An imp ortant p oint ab out set and quotienttyp es is that they suppress computational con

tent of their predicate Given that n fx Z j P xg it is certainly the case that P n is

inhabited by some term but there is no way to gain access to that term An an extreme exam

def

ple consider the squashed prop osition P fx Unit j P g Metatheoretically it is easy to see

that P is inhabited exactly when P is and the implication P P can easily b e shown valid

However the converse P P is not valid b ecause it is not p ossible in general to pro duce a

pro of of a prop osition simply from knowing it to be true In order words it is not generally

p ossible to reconstruct suppressed computational content

However whenever the suppressed predicate is recursively enumerable it is p ossible to

reconstruct computational content This covers many uses including those few uses discussed

ab ove On the other hand it often is desirable to suppress computational content For example

a pro of of xZ y ZPx y computes b oth an integer y and a witness to P x y but it may

b e the case that so long as P x y is true the actual witness is not interesting In such cases

witness is cluttersome at b est and computationally exp ense at worst It would returning the

then b e more appropriate to prove the similar prop osition xZfy Z j P x y g

Computation

Intrinsic to the typ e theory is an op erational semantics that denes how Nuprl terms com

pute This computation system is callbyname in contrast to as is dened by a smallstep

evaluation relation t t and a set of canonical forms to which terms evaluate The com

putation system is dened to b e the restriction to closed terms of the evaluation step relation

def

Unit in Z

def

B Unit Unit

def

true inj

def

false inj

def

if b then e else e case b xe xe where x is not free in e e

def

e in T e e in T

def

T typ e T T

def

nm n m

def

N fn Z j ng

def

fn Z Z j ng

def

Z mnZm nmodk in Z

def

Q xy Z Z x y y x in Z

def

P fx Unit j P g where x is not free in P

def

t halts t in E

def

Top xy E Unit

Figure Derived Forms

given in Figure Whether a term is canonical is governed by its outermost op erator the

canonical forms of Nuprl are the typ e formation constructs and the intro duction forms ie

the middle column of Figure Two imp ortant prop erties of evaluation are that evaluation

is deterministic and canonical forms are terminal

Prop osition If t t and t t then t t Moreover if t is canonical then t t for

any t

t and t converges to If t t and t is canonical then we say that t converges abbreviated

t abbreviated t t Note that if t t and t t then t t and that if t is canonical then

t t

The computation system may b e used to dene a computational equivalence relation often

known as applicative bisimulation written t t Computational equivalence will b e formally

dened in Chapter Denition Intuitively two terms are computationally equivalent

if they both converge to canonical forms with the same outermost op erator and the corre

sp onding subterms are computationally equivalent or if they both fail to converge It may

be shown Lemma using Howes metho d that computational equivalence includes

b etaequivalence

The equalities on typ es are constructed to observe computational equivalence that is if

t T and t t then t t T This enables a powerful form of untyp ed reasoning called

direct computation When two terms are computationally equivalent for example a b eta redex

and contractum they are indistinguishable by the typ e theory and may be freely exchanged

for each other in any expression or pro of

Theorem If T typ e and T T then T T If t T and t t then t t T

However unlike the typ e system considered by Howe equality in this typ e theory do es not observe

computational approximation Section This is b ecause of the presence of partial typ es Section

Z For example approximates but it is not the case that in

e e

case e x e x e case e x e x e

case inj ex e x e e ex case inj ex e x e e ex

s s

e e

e e e e xe e e e x e e he e i e

s s s s

e e

e e he e i e

s s

e is a stringinteger literal e e

e e

e e e e e e e e

A Z Z s A Z Z A Z Z s A Z Z

e and e are stringinteger literals i i e e

e and e are integer literals i i e e

e e inj e e inj

A Z s Z

i i

e e

e is canonical

let x e in e let x e in e let x e in e e e x

s s

eisaninteger literal e e

e e

e and e are integer literals e e e

e e e e e e e e e e e

s s s

x e e x e

Figure Op erational Semantics for Nuprl

This theorem is co died in the typ e theory by the direct computation rules Rules through

App endix B Since computational equivalence is undecidable and since we wish to be able

to eectively determine whether an instance of a rule is valid the direct computation rules

approximate computational equivalence with the auxiliary judgement t t where t and t

are p ossibly op en terms

A simple application of Theorem and direct computation is typ e preservation

Corollary

Semantic typ e preservation If t T and t t then t T

in T Syntactic typ e preservation If H t in T and t t then H t

Pro of

If t t then t t Prop osition and t t Rule Semantic preservation follows

directly by Theorem and syntactic preservation follows by application of Rules and

Partial Typ es

Of particular interest in the computation system is the op erator x which allows recursive

computation and is evaluated by the rule x f f x f The primary use of x is to

dene recursiv e functions Unfortunately in the standard Nuprl typ e theory recursion is not

as general to ol as it is in most programming languages All of the basic typ es of Nuprl are

total that is they contain only convergent terms but in general there is no guarantee that

a recursive function converges Thus a recursive function generally a recursively computed

ob ject cannot be given a typ e unless it can be shown to converge and it cannot be used

yp e However it is not always convenient or p ossible to prove that without giving it a t

recursive functions terminate and furthermore it is sometimes interesting to reason ab out

functions that are known not to terminate for all inputs

In order to b e able to assign typ es to partial functions and nonconvergent ob jects we add

anewtyp e constructor

Partial type T The partial typ e T due to Constable and Smith is like a

lifted version of T It contains all members of T plus all nonconvergent terms Terms are

T if they have the same convergence behavior and if they are equal in T when equal in

they converge That is t t T if and only if t t and tt t T

With this typ e available wemay express the typ e of partial functions from A to B as A B

It will also proveconvenienttohaveatyp e of all convergent terms

Every E For any convergent terms e and e e e E

In order to reason ab out termination in the logic we add a new typ e to represent the atomic

prop osition of convergence using the same device that we used to add equality subtyping and

inequalitytyp es

Convergence t in T The typ e t in T is wellformed when t T and is inhabited by

exactly when t

The use of a x op erator greatly simplies some of the results in this thesis particularly the pro of of Theorem

but it could in principle b e eliminated and replaced with the Y combinator

Note that t in T is an inhabited typ e exactly when t in T is A distinct convergence prop osition

is needed in order to provide negatability which is essential for any nontrivial termination

reasoning Observe that t in T is wellformed whenever t T but t T is wellformed only

when it is true

Constable and Smith use an untyp ed convergence assertion in their typ e systems

In this typ e theory I instead use a typ ed convergence assertion as in Constable and Smith

However an untyp ed convergence assertion can be dened as t halts t in E This is the

primary motivation for including the E typ e Unfortunatelyaswe will see in Section in

the presence of equality the untyp ed version is rarely any more useful than the typ ed version

Partial Typ e Formation The convergence typ e raises a somewhat surprising issue ab out the

formation of partial typ es The typ e equality rule for convergence typ es states that t in T and

t in T are equal when t t T and equal typ es should always have the same memb ership

Therefore T should never equate convergent and nonconvergent terms However we desire

that T be a subtyp e of T ie if t t T then t t T so T should never equate convergent

and nonconvergent terms either Since many terms Top for example do equate terms with

dierent convergence behavior we must add this as a restriction to the wellformedness of

partial typ es

To not equate convergent and nonconvergent terms is an awkward condition to maintain

T to be wellformed T must be so instead my theory imp oses the stronger condition that for

total It follows trivially that a total typ e cannot equal convergent and nonconvergent terms

The obvious denition of totality xT x in T turns out to b e nonnegatable since it dep ends

up on the wellformedness of T so I add totality as another primitivetyp e

Totality T total The typ e T total is wellformed when T typ e and is inhabited by

exactly when T contains only terms that converge

The Fixp oint Principle With partial typ es in the typ e theory recursive functions can be

typ ed using the xp oint principle

e in T T x e in T

The use of the xp oint principle was illustrated in Section However the xp oint principle

is not valid for every typ e it is only valid for typ es that are admissible Admissibility is dened

formally in Chapter Denition Intuitivelyatyp e is admissible if it contains a recursive

term whenever it contains a conite set of approximations to that term

This issue do es not arise in most ordinary programming languages b ecause most typ e sys

tems are not rich enough to allow the expression of inadmissible typ es Nuprl is expressive

enough to construct inadmissible typ es but nevertheless most typ es are still admissible Chap

ter discusses admissibilityin detail and presents a number of techniques for showing typ es

to b e admissible

Admissibilityisintro duced into the logic as another atomic prop osition

Admissibility T admiss The typ e T admiss is wellformed when T typ e and is inhabited

exactly when T is admissible by

This completes the set of primitive Nuprl typ es except for four additional atomic prop ositions

intro duced in Chapter The list is summarized in Figure

void Void equality e e in A

atom Atom subtyping A B

integer Z inequality n n

disjointunion A B convergence e in A

totality A total

pro duct space xAB

function space xAB admissibility A admiss

verydep endent function ff j xA B g

set fx A j P g

partial typ e A quotient xy AP

universe U every E

Figure Primitive Nuprl Typ es

Sequencing The nal construct in the partial typ e theory is the sequencing construct let x

e in e This expression evaluates e to canonical form say v then evaluates e vx Hence

the sequence term diverges if either e or e do es Since e is only evaluated if e converges

the e p ortion of the sequencing term may be typ ed under the assumption that x has a total

typ e the syntax for Nuprl sequents is formally dened in the next section

H e in T H xT e in T H T typ e

H let x e in e in T

As an aside if T is reinterpreted as a monad typ e M T then this is precisely the typing rule

for the bind op erator in monad systems A monad system would also have a unit

op erator to co erce T to M T in this theory that is taken care of by subsumption since T T

One may extend the theory to a full typ e theory of monads by disp ensing with T T

adding an explicit unit op erator and adding rules comprising the monadic equalitylaws This

would provide a p owerful mechanism for abstractly managing eects in general not just the

nontermination eects managed by the partial typ es I have not done so in this typ e theory

preferring instead to keep the typ e theory closely tied to its op erational semantics thereby

providing as much structure as p ossible at the exp ense of abstraction recall Section

Sequents and Pro of

The Nuprl inference system has one judgement form written as the sequent

x T x T Ct

n n

This may b e read informally as t is a member of C when x x are memb ers of T T

n n

A more precise in terpretation is discussed in Section and a formal semantics is dened in

Section The bindings x T x T to the left of the turnstile are called hypotheses

n n

C is called the conclusion and t is called the witness

The inference rules for deriving judgements of this form are listed in App endix B By way

of example Rule for applying subtyping amidst the hyp othesis list is

H x T J C s H T T

H x T J C s

Note that in this rule the second subgoal is a subtyping prop osition which is computationally

uninteresting it contains only terms that evaluate to Since that prop osition is compu

tationally uninteresting the statement of the rule suppresses the witness In many rules the

consequent also is computationally uninteresting and the witness is suppressed in such rules as

well In those rules the witness should b e taken to b e An example of such a rule is Rule

for applying subtyping in an equality assertion

H t t in T H T T

H t t in T

Implicitly this stands for the rule

H t t in T t H T T t

H t t in T

Functionality

A sequent x T x T C t asserts not only memb ership of the witness t in the

n n

conclusion typ e C it also asserts that the conclusion and witness are functional over the

hyp othesis variables That is if t t t and t t t are equal substitutions for

x T x T in a manner that will b e made precise in Section then C txC t x

n n

and ttxtt x C tx Toseewhy this interpretation is necessary consider the rule

H A typ e H x A Bb

H A B xb

The consequent states that xb is a function over A that is if a a A then bax

ba x B Under a weaker memb ership onlyinterpretation of sequents the second subgoal

is sucient to conclude that bax B and ba x B but cannot guarantee equality A

functional interpretation of sequents where sequents are seen as functions from hyp otheses to

the conclusion is necessary to validate the many rules of this form

ExtractStyle Pro of

some prop osition P the prop ositionsastyp es corresp ondence dictates that In order to prove

one prove a sequent of the form P t However it is typically the case that one is only

interested in proving the truth inhabitation of a prop osition and is not concerned that witness

b e a particular term Consequently in the Nuprl pro of development system auseris

presented with a sequent that omits the t witness term even in cases when conclusion is

computationally interesting The rules are then stated in a manner that makes it p ossible to

pro of For example consider extract the witness from the pro of This is called extractstyle

again the rule

H A typ e H x A Bb

H A B xb

In extractstyle pro of this rule is applied to a sequent of the form H P Q to pro duce

subgoals H P typ e and H x P Q From the pro of of the second subgoal is extracted

e e

a witness b p ossibly containing free o ccurrences of the variable x and that witness is used to

construct the extract xb of the original sequent In fact since the variable x is only used

In some alternative semantics for typ e theory suchasHowes set theoretic semantics equalityinatyp e

may b e collapsed to actual ob ject equality trivially making the memb ership and functionalityinterpretations

the same Extending the semantics of Howe to account for all the devices in this typ e theory is an op en problem

but one that shows some promise of feasibility

in the extract it may be made invisible to the user as well resulting in the simple subgoal

H P Q

For extractstyle pro of to b e p ossible all the rules in the system must b e of the prop er form

Sp ecically the rules must construct extracts in a b ottomup manner or in other words the

applicabilityofarulemust not dep end on the extract since the extract cannot b e known at the

time the rule is applied However the phrasing of the Nuprl pro of rules that I state in App endix

B is devised in the interest of making the typ e theory as simple as p ossible not supp orting

extractstyle pro of so some rules are not of the prop er form To supp ort extractstyle pro of

those rules must be replaced with extractcompatible rules Fortunately the necessary rules

are all derivable from the existing rules so it is p ossible to supp ort extractstyle pro of without

any additional metatheoretical justication

The necessary condition for extractcompatibility is best understo o d by examining some

rules that violate it and seeing howtheymay b e rewritten to followit

Extract and Memb ership The function typ e inhabitation rule discussed ab ove is not among

the basic rules of the inference system Rather it is derivable from them the equality rule on

function typ es

H x A Bb

H x A b in B H A typ e

H xb in A B

H A B xb

We gain considerable economy in the derivation rules by leaving out such inhabitation rules

and allowing them to b e derived from the others but in an extractstyle system they must be

builtin instead This is b ecause Rule is not appropriate for extractstyle pro of

H Ct

H t in C

For this rule to be applicable the extract t of the subpro of must be the same term t that is

sp ecied in the memb ership prop osition in the consequent and there is no guarantee that it

will Another way of lo oking at this problem is that the rule with witnesses stripp ed out is

unsound it do es not follow from the inhabitation of C that any particular term t b elongs to C

H C

wrong

H t in C

In an extractstyle pro of system Rule must b e omitted and replaced by an inhabitation rule

to mirror each basic equality rule eg However note that the converse rule

Rule do es not p ose problems for extractstyle pro of

Hyp othesis Elimination Another class of rules that imp ose a restriction on the extract

term is the hyp othesis elimination rules The hyp othesis elimination rule for pro ducts requires

Rule that all free o ccurrences of x and y in the extract term must app ear as the pair hx y i

H x A y B J hx y iz C hx y iz shx y iz

x y JCs

H z xAB J Cs

Tomake this rule suitable for extractstyle pro of it must b e rephrased as the derivable rule

H x A y B J hx y iz C hx y iz s

H z xAB J Cs z z x y

Similarly the hyp othesis elimination rule for disjoint unions

H y A J inj y x C inj y x sinj y x

H y B J inj y x C inj y x sinj y x

y JCs

H x A B J Cs

must b e rephrased as the derivable rule

H y A J inj y x C inj y x s

H y B J inj y x C inj y x s

H x A B J C case x y s ys

In contrast to these two rules the hyp othesis elimination rules for typ es with uninteresting

memb erships such as the equalitytyp es Rule do not p ose a problem

H x t t in T J x C x sx

H x t t in T J Cs

In these rules it is not a problem for terms to propagate upwards so such rules may b e applied

simply by assuming that x do es not app ear free in s

Hidden Variables A sp ecial case of hyp othesis elimination that p oses particular diculties

is that of set and quotienttyp es The hyp othesis elimination rule for set typ es Rule is

H x A y B J Cs

y JCs

H x fx A j B g J C s

As b efore y is prohibited from app earing free in the extract term s but in this case the rule

cannot b e rephrased to make the problem disapp ear The essential problem is that y represents

computational content that is not available so the extract cannot dep end up on it in anyway

To enforce this restriction wemust intro duce a new mechanism When the rule is applied the

variable y is marked as hidden establishing the invariant that it may not app ear free in the

extract

H x Ay B J C

H x fx A j B g J C

This invariant is preserved by the inference system and disallows the application of any rule

that would use that variable However when descending into subgoals that do not contribute

to the extract all hiding annotations may b e removed

It is imp ortant to note that this hidden variable mechanism is only a practical syntactic

device and has no metatheoretical signicance The sole metatheoretical issue is addressed in

Rule by the side condition that y not app ear free in the extract

Issues in Partial Ob ject Typ e Theory

eness of the standard Nuprl typ e The typ e theory presented here joins together the expressiv

theorywhich do es not supp ort reasoning ab out partial ob jects that is nonconvergent terms

and the typ e theory of Smith which addresses partial ob jects but do es not supp ort

equality This theory also enhances Smiths theory by a considerably wider class of typ es that

are admissible for xp oint induction discussed at length in Chapter Here I discuss some

issues arising in the design and application of a partial ob ject typ e theory particularly those

resulting from the combination of equality and partial ob jects

Partial Computation

Given two terms a and b each of which b elong to Z it is intuitively clear that the sum a b

Z However the rules for integer expressions deal with convergent terms should also b elong to

H a in Z H b in Z

H a b in Z

An informal argument for the desired memb ership is easy To show that a b in Z supp ose

that a b halts and show a b in Z If a b halts thena halts and b halts Consequently

a in Z and b in Z and therefore a b in Z by the rule

Unfortunately formalizing this argument as a derivation runs into a problem to show

the desired memb ership we incur the additional obligation of showing that the supp osition

a b halts is wellformed as in the derivation b elow and the eventual subgoal a b in E is

no easier to prove than the original goal a b in Z

E H a b in

H a b halts typ e

H a b halts a b halts H x a b halts a b in Z

H a b in Z

This diculty do es not reveal a defect in the logic The problem is that in the presence of

equality as discussed in Section a sequent says much more than its naive reading it

asserts the functionality of the conclusion over equal substitutions for the hyp otheses The

informal argument at the top is p erfectly valid as a metatheoretical argument for closed terms

but it do es not extend to sequents

However it certainly would be a defect in the logic if goals of this form were unprovable

This could b e settled by at by simply adding new partial typing rules for each op erator but

wewould rather a void such a heavyhanded solution I present a more palatable solution in the

next section

Computation in Active Positions

Consider the monadstyle variation of a b obtained by rst computing the summands to

canonical form and them summing their values let x a in let y b in x y This is easily

Z shown to b elong to

H x Z y Z x y in Z

Z H x Z y Z x y in Z H x Z b in

H a in Z H x Z let y b in x y in Z

H let x a in let y b in x y in Z

The desired result then follows by direct computation if it can b e shown that a b let x

a in let y b in x y Of course in general t t x is not equivalent to let x t in t

b ecause the latter necessarily evaluates t but the former might not which would lead to

dierent convergence behavior if t is divergent However in this case the term a b does

evaluate a and b b efore converging

The general principle at work here is that x and y are b oth in active p ositions in the

term x y An active p osition of a term is one that must be evaluated b efore the term can

converge Canonical terms have no active p ositions since they have already converged The

active p ositions of noncanonical terms are dened as follows

Denition Aterm e app ears actively in t if

t e or

t case t xt xt and e appears actively in t or

t t t and e appears actively in t or

t t and e appears actively in t or

t t t or t t t or t t t and e appears actively in t or t or

A Z Z

t let x t in t and e appears actively in t or t or

t t t and e appears actively in t or t or

t x t and e appears actively in t

Lemma If x appears actively in t then tex let x e in t

This lemma is put into practice in the typ e theory as Rule

x app ears actively in t

t t x let x t in t

Another application of this device is for computational inducement Observe that evaluating

a b induces the evaluation of a and b so if a b converges then so do a and b This can be

proven using active p ositions

H a b in Z let x a in x b a b

H let x a in x b in Z H a in Z

H a in Z

Fixp oint Induction

The principal device for reasoning ab out programs in the LCF system was xp oint induc

tion Informally xp oint induction says that if an admissible predicate holds for divergent

terms and it is preserved by f then it holds for the xp ointof f In notation if P and if

P x P f x then P x f

Using the xp oint principle in our typ e theorywemay derive a similar induction rule

H x T y x in T P P

H x T y P z fx in T P fxx

T T H f in

T P typ e H x

H T total

H T admiss

H P admiss x T

H x T y P P e

H P x f x ex f xy

This rule lo oks considerably more complicated than the informal statement so let us examine

it in detail The rst subgoal

H x T y x in T P P

corresp onds to the base case P If one accepts classical reasoning principles in particular

the prop osition x in T x in T then this goal may be proven from the simpler goal

H P x In Section I discuss how classical reasoning principles may be justied

semantically if one takes a classical view of the metatheory However it is usually the case that

x can so classical metho ds are usually the given subgoal can b e proven whenever H P

unnecessary

The second subgoal

H x T y P z fx in T P fxx

corresp onds to the inductive case P x P f x The z hyp othesis indicates that we are not

in the base case ie f x and may b e dropp ed if desired to bring the goal more in line

with the informal statement

The next three subgoals are basic wellformedness conditions The sixth subgoal H

T admiss is also a wellformedness condition whichis needed to take the xp ointof f The

seventh subgoal H P admiss x T is the requirement on the admissibility of the predicate