A Type Theory for Defining Logics and Proofs

Home , Dependent type, Function application, Logical framework

arXiv:1905.02617v1 [cs.LO] 7 May 2019 978-1-7281-3608-0/19/$31.00 ucinapiain n e-xrsin sn type functions, a of using consisting let-expressions OL and simple application, a function 19 encode al., we et example, (Harper for LF framework logical the In substitution. smdle hog Fapiain o ntne h att fact the substitution instance, OL for application; binding. (( LF model through to modelled abstractions is LF the using uu samt-agaet ersn omlsses Under systems. formal represent to cal- meta-language lambda dependently-typed a the as use culus we syn example, represent for adequately LF, to In universes and types, inductive intensional systems formal mechanize meta-theory. to their easier mor with is are together it encodings the abstraction, hence infrastructure, of and mathematical higher-level compact, a basic at not the work do up can build programmers benefits: to substantial need offer can approach noe as encoded u betlnug O)t h ucinsaei meta- a in in space structures function binding the uniformly to inheriting map thereby (OL) language to rules. language inference object is gen- and our idea more axioms basic and via given syntax The systems encoding formal of erally idea simple deceptively sepesdas expressed is ok nossessc sAd n rde h longstanding the bridges worlds. and two Agda these fr as between logical such gap of systems methodology into the normalizati works incorporate the wor to Our foundation From consistency. and the normalization. reduction subject prove C derive for we to proof, model us Kripke-style con a allows main of that providi development Our the thereby reflection. is tribution computation (small-scale) univer of type-level and hierarchy metaprogramming supports infinite an hence supports and also t tha theory modal type contextual space HO Our using function between computations abstr mediate and extensional higher-order We representations the computations. represent (recursive) with to describes trees used (HOAS) is syntax that space C function called theory, rgtePetaDvdThibodeau David Pientka Brigitte lam h Lterm OL The oee,ti prahrle ntefc htw s an use we that fact the on relies approach this However, ihrodrasrc ytx(OS sa lgn and elegant an is (HOAS) syntax abstract Higher-order Abstract ev tm tm letv: : (tm app : lam lam yeTer o enn oisadProofs and Logics Defining for Theory Type A colo optrScience Computer of School x.M λ x.lam W ecieaMartin-L a describe —We ) cilUniversity McGill ucinsaeta ak euso,cs analysis, case recursion, lacks that space function N → → → ) OCON λ ( (tm tm ap(a )N) M) (lam (app eue to reduces .ev(p y) x (app y.letv lam tm) → .I I. → htalw st i h intensional the mix to us allows that , x. → tm.

lam NTRODUCTION tm) c tm. 09IEEE 2019 α [ N/x y. rnmn n capture-avoiding and -renaming → let tm. ] M w euigto reducing λ fsyedpnettype dependent of-style = ¨ norojc language object our in .p y w w.app y x et fCmue cec n Eng. and Science Computer of Dept. in y w ohnugUniversity Gothenburg MN) (M ) nra Abel Andreas tm sthen is This . OCON lays k ypes. ame- as: 93), tax. hat AS act ses on ng y e - t utv ye,ltu osdra nutv type in- inductive using an trees consider HOAS-style us defining let vs. types, LF ductive in box. to trees black functions a HOAS as on treated matching are pattern Functions bodies. use for their they functions inspect two can compare nor cannot equality functions programmers view, and this Under opaque the space. on function relies type-theoretic computation (recursive) contrast, In ecno rt eusv rgasaotsc syntactic such about programs However recursive transparent. write structures are cannot functions synta we represent and functions structures LF-style binding intensional view, this constructor uhadfiiini yeter?–I ucinlML-like like functional types and In possible, – course, theory? of type is, this in languages, definition a such lsrtgte.Dseru ta.(97 aetekyob- key the views made (1997) extensional al. and et intensional Despeyroux together. the closer bringing in remain progress to theory type within structures not definitions consistent? HOAS syntactic seemingly on up model are give simply they to to have if we definitions, Do inductive? extensional LF the about to inductively theories. contrasted type in and exists LF that spac space to function function LF-style attributed intensional we the that with confused s typ intensional be equality hence intensional not an (and of notion equality have This definitional decidable. checking) still the keeping may theory type we functions, type-theoretic i what violates restriction. positivity it as the constructor forbidden, as a be known of would work definition previously given The to as terminating. afford program are cannot all that write we demand we we Agda, on and or system based inconsistent Coq assistants an within as proof such In theory problem. th type fundamental But such more out 1995). rule a al., to we is et need language may (Despeyroux object we representations consequence, the “exotic” a in As term model. to a try to correspond uniquely not ..teeaetrso type of is terms adequate some be that are to not it there tree would applying i.e. also syntax by encoding it the argument resulting observe The of only the argument. can structure on We it. and deeper by shape match described pattern the to inspect able to be not would ucinagmn oteconstructor the th However, to 1976). argument (Scott, function theory domain using explained be oudrtn h udmna ifrnebtendefining between difference fundamental the understand To vrteps w eae,w aemd substantial made have we decades, two past the Over reason we can How questions: two begs example above The extensional have we although that stressing worth is It within a:(D lam: meilCleeLondon College Imperial F sw aktepwro recursion. of power the lack we as LF, et fComputing of Dept. rnic Ferreira Francisco → D) D → htaei omlfr u do but form normal in are that D hti h rbe with problem the is What . lam eec Zucchini Rebecca N ai Saclay Paris ENS soau n we and opaque is D extensional ihone with D hould lam ctic can are ere e e e s s , , servation that we can mediate between the weak LF and the (2015) and Jacob-Rao et al. (2018). Moreover, COCON is a strong computation-level function space using a box modality. predicative type theory and supports an infinite hierarchy of The authors describe a simply-typed lambda calculus with universes. This allows us to write type-level computation, iteration and case constructs which preserves the adequacy i.e. we can compute types whose shape depends on a given of HOAS encodings. The well-known paradoxes are avoided value. Such recursively defined types are sometimes called through the use of a modal box operator which obeys the laws large eliminations (Werner, 1992). Due to the presence of of S4. In addition to being simply typed, all computation had type-level computations, dependencies cannot be erased from to be on closed HOAS trees. Despeyroux and Leleu (1999) the model. As a consequence, the simpler proof technique sketch an extension to dependent type theory – however it of Harper and Pfenning (2005), which considers approximate lacks a normalization proof. shape of types and has been used to prove completeness BELUGA (Pientka and Dunfield, 2010; Pientka and Cave, of the equivalence algorithm for LF’s type theory, cannot 2015) took another important step towards writing inductive be used in our setting. Instead, we follow recent work by proofs about HOAS trees by generalizing the box-modality to a Abel and Scherer (2012) and Abel et al. (2018) in defining contextual modal type (Nanevski et al., 2008; Pientka, 2008). a Kripke-style semantic model for computations that is de- For example, we characterize the OL term let w = xy in wy fined recursively on its semantic type. Our model highlights as a contextual LF object ⌈x, y ⊢ letv (app xy) λw.app wy⌉ the intensional character of the LF function space and the pairing the LF term together with its LF context. Its contextual extensional character of computations. Our main contribution type is ⌈x:tm,y:tm ⊢ tm⌉. Here, ⌈ ⌉ is a generalization of the is the design of the Kripke-style model for the dependent type box modality described in Despeyroux et al. (1997). In par- theory COCON that allows us to establish normalization. From ticular, elements of type ⌈x:tm,y:tm ⊢ tm⌉ can be described the normalization proof, we derive type uniqueness, subject as a set of terms of type tm that may contain variables x reduction, and consistency. and y. This allows us to adapt standard case distinction and We believe COCON lays the foundation to incorporate the recursion principles to analyze contextual HOAS trees. This is methodology of logical frameworks into systems such as in contrast to recursion principles on open LF terms (see for Agda (Norell, 2007) or Coq (Bertot and Castéran, 2004). This example Hofmann (1999)) that are non-standard. finally allows us to combine the world of type theory and However, the gap to dependent type theories with recursion logical frameworks inheriting the best of both worlds. and universes such as Martin-Löf type theory still remains. II. MOTIVATION In particular, BELUGA cleanly separates representing syntax from reasoning about syntax. The resulting language is an To motivate why we want to combine the power of LF with indexed type system in the tradition of Zenger (1997) and a full dependent type theory, we sketch here the translation of Xi and Pfenning (1999) where the index language is contex- the simply typed lambda calculus (STLC) into cartesian closed tual LF. This has the advantage that meta-theoretic proofs categories (CCC) using our framework. To begin, we encode are modular and only hinge on the fact that equality in the simple types in LF using the type family obj. index domain is decidable. However, this approach also is obj : type. limited in its expressiveness: there is no support for type-level one : obj. cross : obj → obj → obj. computation or higher-ranked polymorphism, and we lack the arrow : obj → obj → obj. power to express properties of computations. This prevents us from fully exploiting the power of metaprogramming and We then encode STLC using the indexed type family tm to reflection. only capture well-typed terms. As before we use the intrinsic In this paper, we present the Martin-Löf style dependent LF function space to encode STLC using HOAS. type theory COCON where we mediate between intensional tm :obj → type. LF objects and extensional type-theoretic computations using tUnit : tm one. tPair : tm A → tm B → tm (cross A B). contextual types. As in BELUGA, we can write recursive tFst : tm (cross A B) → tm A. programs about contextual LF objects. However, in contrast to tSnd : tm (cross A B) → tm B. BELUGA, we also allow computations to be embedded within tLam : (tm A → tm B) → tm (arrow A B). tApp : tm (arrow A B) → tm A → tm B. LF objects. For example, if a program t promises to compute a value of type ⌈x:tm,y:tm ⊢ tm⌉, then we can embed t directly As is common practice in implementations of LF, we into an LF object writing lam λx.lam λy.app ⌊t⌋ x, unboxing treat free variables A and B as implicitly Π-quantified at the t. If helpful, one might think of boxing (⌈⌉) as quoting syntax outside; they can typically be reconstructed. Our goal is to and unboxing (⌊ ⌋) as unquoting computation and embedding translate between well-typed terms in STLC and morphisms its value within the syntax tree. and also state some of the equivalence theorems. Morphisms Allowing computations within LF objects might seem like are relations between objects. The standard morphisms in CCC a small change syntactically, but it has far reaching conse- can be encoded directly where we define the composition of quences. To establish consistency of the type theory, we cannot morphisms using @ as an infix operation for better readability. consider normalization of LF separately from normalization mor : obj → obj → type. of computations anymore, as it is done in Pientka and Abel id : morA A. @ :morBC → mor A B → mor A C. makes a clear distinction between contextual LF types (and drop : mor A one. LF objects) and functions about them. fst : mor (cross A B) A. snd : mor (cross A B) B. rec itm : {γ : ctx} ⇒ {A : ⌈ ⊢ obj⌉} ⇒ pair : mor A B → mor A C → mor A (cross B C). (m : ⌈γ ⊢ tm (⌊A⌋ with ·)⌉) ⇒ app : mor (cross (arrow B C) B) C. ⌈ ⊢ mor ⌊ictx γ⌋ ⌊A⌋⌉ = cur : mor (cross A B) C mor A (arrow B C). → fn (p : ⌈γ ⊢# tm (⌊A⌋ with ·)⌉) = ivar γ p | ⌈γ ⊢ tUnit⌉ = ⌈ ⊢ drop⌉ To translate well-typed terms in STLC, we need to traverse | ⌈γ ⊢ tFst ⌊e⌋⌉ = ⌈ ⊢ fst @ ⌊itm e⌋⌉ terms under binders. Following BELUGA, we introduce a | ⌈γ ⊢ tSnd ⌊e⌋⌉ = ⌈ ⊢ snd @ ⌊itm e⌋⌉ context schema, ctx, that classifies contexts containing decla- | ⌈γ ⊢ tPair ⌊e1⌋ ⌊e2⌋⌉ = ⌈ ⊢ pair ⌊itm e1⌋ ⌊itm e2⌋⌉ rations of type tm A for some object A (see page 4 and also | ⌈γ ⊢ tLam λx.⌊e⌋⌉ = ⌈ ⊢ cur ⌊itm e⌋⌉ Pientka and Dunfield (2008)). Before we can interpret STLC | ⌈γ ⊢ tApp ⌊e1⌋ ⌊e2⌋⌉ = into CCC, we must describe how to interpret a context as ⌈ ⊢ app @ pair ⌊itm e1⌋ ⌊itm e2⌋⌉; an object in CCC. This is what the function ictx does. It We implement the interpretation of STLC as morphisms has type (γ : ctx) ⇒ ⌈ ⊢ obj⌉. Here we write ⇒ for the by pattern matching on m considering all the constructors to extensional function space in contrast to → which we use for build lambda terms plus the variable case, i.e. when we have a the intensional LF function space. For better readability, we variable from γ. In the latter case, we use the pattern variable write our function using pattern matching, although the core p with contextual type ⌈γ ⊢ tm (⌊A⌋ with ·)⌉ which can type theory we present subsequently uses recursors. # only be instantiated with a variable from γ. We omit here the rec ictx : (γ : ctx) ⇒ ⌈ ⊢ obj⌉ = implementation of ivar for lack of space. It simply looks up fn · = ⌈ ⊢ one⌉ | γ, x:tm (⌊A⌋ with ·) = ⌈ ⊢ cross ⌊ictx γ⌋ ⌊A⌋⌉; a variable in the LF context γ and builds the corresponding projection. The most interesting case is ⌈γ ⊢ tLam λx.⌊e⌋⌉, ictx The function takes as input a context γ which we where e has type ⌈γ, x:tm ⌊B⌋ ⊢ tm ⌊C⌋⌉. The recursive call analyze via pattern matching. Intuitively, γ is built like lists itm e returns a morphism from ⌊ictx (γ, x:tm ⌊B⌋)⌋ to ⌊C⌋ and we can pattern match on γ considering the empty context, which matches what is expected by cur, since ⌊ictx (γ, x: written as ·, and the context that contains at least one decla- tm ⌊B⌋)⌋ evaluates to (cross ⌊ictx γ⌋ ⌊B⌋). ration x:tm (⌊A⌋ with ·). Both γ and A are pattern variables; Next we translate a morphism to a STL term. Given a they are bound on the computation level. This is in contrast morphism between A and B, we build a term of type B with to LF variables that occur inside a box and are bound by LF one variable of type A. As our types are closed, we again lambda-abstraction or by the LF context associated with an LF employ the weakening substitution whenever we refer to B in object. As A denotes a closed object and does not depend on γ, a non-empty context. we unbox it together with the weakening substitution (written as ·) which moves A from the empty LF context to the LF rec imorph : {A : ⌈ ⊢ obj⌉} ⇒ {B : ⌈ ⊢ obj⌉} ⇒ (m : ⌈ ⊢ mor ⌊A⌋ ⌊B⌋⌉) ⇒ context γ. In general, we write ⌊t⌋ with σ for the unboxing ⌈x:tm ⌊A⌋ ⊢ tm (⌊B⌋ with ·)⌉ = of a computation-level term t together with an LF substitution fn ⌈ ⊢ id⌉ = ⌈x:tm _ ⊢ x⌉ σ (see also page 4). We omit the with keyword and the LF | ⌈ ⊢ drop⌉ = ⌈x:tm _ ⊢ tUnit⌉ | ⌈ ⊢ fst⌉ = ⌈x:tm _ ⊢ tFst x⌉ substitution associated with unboxing, if it is the identity. | ⌈ ⊢ snd⌉ = ⌈x:tm _ ⊢ tSnd x⌉ The function ictx returns a closed object which we indicate | ⌈ ⊢ pair ⌊f⌋ ⌊g⌋⌉ = by ⌈ ⊢ obj⌉. Note that we do not simply return an LF ⌈x:tm _ ⊢ tPair ⌊imorph f⌋ ⌊imorph g⌋⌉ | ⌈ ⊢ cur ⌊f⌋⌉ = object of type obj, as we mediate between LF objects and ⌈x:tm _ ⊢ tLam λy.(⌊imorph f⌋ with tPair x y)⌉ computations using box and unbox. | ⌈ ⊢ ⌊f⌋ @ ⌊g⌋⌉ = The ideas so far follow closely BELUGA, a programming ⌈x:tm _ ⊢ ⌊imorph f⌋ with ⌊imorph g⌋⌉ | ⌈ ⊢ app⌉ = environment that supports writing recursive programs about LF ⌈x:tm _ ⊢ tApp (tFst x) (tSnd x)⌉; specifications. (However, in contrast to BELUGA, we inline the recursive call using unbox, written as ⌊ictx γ⌋, as opposed to The translation is mostly straightforward. The most inter- require a let-style binding.) esting cases are the case for currying and composition. In the The real power of having a Martin-Löf style type theory, former, given cur ⌊f⌋ of type ⌈ ⊢ mor ⌊A⌋ (arrow ⌊B⌋ ⌊C⌋)⌉, where we can embed computations within contextual types, we recursively translate f:⌈ ⊢ mor (cross ⌊A⌋ ⌊B⌋) C⌉. It becomes apparent when we define the interpretation of STLC yields a STL term of type ⌈x:tm (cross ⌊A⌋ ⌊B⌋)⊢ tm _⌉. We into CCC. The type of the interpretation function itm concisely now need to replace the LF variable x that occurs in the result specifies that it translates a well-typed lambda term m, that has of the recursive call imorph f with tPair x y to build a STL type A in the context γ, to a morphism from ictx γ to A. Here term ⌈x:tm ⌊A⌋ ⊢ tm (arrow ⌊B⌋ ⌊C⌋)⌉. We hence unbox the we rely on the function ictx that translates a context γ to result of the recursive call with the substitution tPair x y. an object. Adopting Agda’s approach, we use curly braces This is written as ⌊imorph f⌋ with tPair x y. Here we do to indicate implicit arguments and round braces for explicit not write the domain of the substitution explicitly, however arguments. In BELUGA we would not be able to refer to the the type of imorph f tells us that the result of translating f function ictx inside the type declaration of itm, as BELUGA contains one LF variable. In general, we write LF substitutions as lists whose domain is determined by the contextual object LF kinds K ::= type | Πx:A.K we unbox. LF types A, B ::= a M1 ...Mn | Πx:A.B To translate a morphism ⌈ ⊢ ⌊f⌋ @ ⌊g⌋⌉, we recursively LF terms M, N ::= λx.M | M N | x | c | ⌊t⌋σ translate f and g where imorph f returns a STL term of type LF contexts Ψ, Φ ::= · | ψ | Ψ,x:A ⌈x:tm ⌊B⌋ ⊢ tm ⌊C⌋⌉ and imorph g returns a STL term of type LF context (erased) Ψˆ , Φˆ ::= · | ψ | Ψˆ ,x ⌈x:tm ⌊A⌋ ⊢ tm ⌊B⌋⌉. To produce the desired STL term of LF substitutions σ ::= · | wkΨˆ | σ, M LF signature Σ ::= · | Σ, a:K | Σ, c:A type ⌈x:tm ⌊A⌋ ⊢ tm ⌊C⌋⌉, we replace the LF variable x in the translation of f with the result of the translation of g. This Contextual types T ::= Ψ ⊢ A | Ψ ⊢# A is simply done by ⌈x:tm ⌊A⌋ ⊢ ⌊imorph f⌋ with ⌊imorph g⌋⌉. Contextual objects C ::= Ψˆ ⊢ M imorph g We note that is unboxed with the identity substitu- Sorts u ::= Uk tion and hence the LF variable that occurs in the result of Domain of discourse τ˘ ::= τ | ctx ⌊imorph g⌋ is implicitly renamed and bound by x. Types and τ, I, ::= u | ⌈T ⌉ | (y :τ ˘1) ⇒ τ2 I Finally, we sketch the equivalence between STLC and CCC Terms t,s | y | ⌈C⌉ | rec B~ Ψ ~t fn to illustrate what new possibilities COCON opens up. We do | y ⇒ t | t1 t2 Branches B ::= Γ ⇒ t not show the concrete implementation, since this would go Contexts Γ ::= · | Γ,y :τ ˘ beyond this paper. Assuming that we have defined convertibility of lambda- Fig. 1. Syntax of COCON terms (conv) and equality (˜) between morphism, we can now state the equivalence between STLC and CCC succinctly. definition of a recursor for contextual objects of type ⌈Ψ ⊢ A⌉ rec stlc2ccc : {γ : ctx} ⇒ {A : ⌈ ⊢ obj⌉} ⇒ to characterize the base case where we consider an LF variable {M : ⌈γ ⊢ tm ⌊A⌋ with ·⌉} ⇒ {N : ⌈γ ⊢ tm ⌊A⌋ with ·⌉} ⇒ of LF type A. For simplicity and lack of space, we focus on (e : ⌈γ ⊢ conv ⌊M⌋ ⌊N⌋⌉) ⇒ Ψ ⊢ A in the subsequent development. Intuitively, Ψ ⊢# A is ⌈ ⊢ ⌊itm M⌋ ˜ ⌊itm N⌋ ⌉ a special case restricted to variables from Ψ inhabiting A. rec ccc2tm : {A : ⌈ ⊢ obj⌉} ⇒ {B : ⌈ ⊢ obj⌉} ⇒ b) LF contexts: LF contexts are either empty or are built {f : ⌈ ⊢ mor ⌊A⌋ ⌊B⌋⌉} ⇒ by extending a context with a declaration x:A. We may also {g : ⌈ ⊢ mor ⌊A⌋ ⌊B⌋⌉} ⇒ use a (context) variable ψ that stands for a context prefix (m : ⌈ ⊢ ⌊f⌋ ˜ ⌊g⌋⌉) ⇒ ⌈x:tm A ⊢ conv ⌊imorph f⌋ ⌊imorph g⌋⌉ and must be declared on the computation-level. In particular, we can write functions where we abstract over (context) We hope this example provides a glimpse of what COCON variables. Consequently, we can pass LF contexts as arguments has to offer. In the rest of the paper, we develop the dependent to functions. We classify LF contexts via schemata – for this type theory for COCON that supports both defining HOAS paper, we pre-define the schema ctx. Such context schemata trees using the intensional function space of LF and defining are similar to adding base types to computation-level types. (type-level) computations using the extensional function space. We often do not need to carry the full LF context with the III. ATYPE THEORY FOR DEFINING LOGICS AND PROOFS type annotations, but it suffices to simply consider the erased LF context. Erased LF contexts are simply lists of variables COCON combines the logical framework LF with a full possibly with a context variable at the head. We sometimes dependent type theory that supports recursion over HOAS ob- abuse notation and write Ψˆ for the result of erasing type jects and universes. We split COCON’s grammar into different information from an LF context Ψ. syntactic categories (see Fig. 1). c) LF substitutions: LF substitutions allow us to move A. Syntax between LF contexts. The compound substitution σ, M extends ˆ a) Logical framework LF with embedded computations: substitution σ with domain Ψ to a substitution with domain ˆ As in LF, we allow dependent kinds and types; LF terms can Ψ, x, where M replaces x. However, following Nanevski et al. ˆ be defined by LF variables, constants, LF applications, and (2008), we do not store the domain (like Ψ) in the substitu- LF lambda-abstractions. In addition, we allow a computation tion, it will be supplied when applying the substitution to a term (see Section III-B). The empty substitution · provides t to be embedded into LF terms using a closure ⌊t⌋σ. Once computation of t produces a contextual object M in an a mapping from an empty LF context to any LF context Ψ, LF context Ψ, we can embed the result by applying the including a context variable ψ, hence, has weakening built in. The weakening substitution, written as wk , describes the substitution σ to M, moving M from the LF context Ψ to the −−→ Ψˆ current context Φ. In the source level syntax that we previously weakening of the domain Ψ to Ψ, x:A. We simply write id −−→ ˆ used in the code examples, this was written as ⌊t⌋ with σ. when |x:A| =0. Unless Ψ is a context variable ψ, weakening We distinguish between computations that characterize a wkΨˆ is a redex where wk(·) reduces to the empty substitution general LF term M of type A in a context Ψ, using the and wkΨˆ ,x reduces to the compound substitution wkΨˆ , x (see contextual type Ψ ⊢ A, and computations that are guaranteed also figures 3 and 7). Note, however, that wk(·) only describes −−→ to return a variable in a context Ψ of type A, using the weakening of the empty context to a concrete context ·, x:A contextual type Ψ ⊢# A. This distinction is exploited in the and, thus, does not subsume the empty substitution. From a de Bruijn perspective, the weakening substitution wk(·) which maps the empty context to ·, xn:An,...,x1:A1 [σ/Ψ](ˆ λx.M) = λx.M ′ where [σ, x/Ψˆ ,x](M)= M ′ can be viewed as a shift by n. Further, like in the de provided that x∈ / FV(σ) and x 6∈ Ψˆ Bruijn world, wk · can be expanded and is ′ ′ ′ ( ,xn:An,...,x1:A1) [σ/Ψ](ˆ M N) = M N where [σ/Ψ](ˆ M)= M ′ equivalent to the substitution ·, xn,...,x1. While our theory and [σ/Ψ](ˆ N)= N lends itself to an implementation with de Bruijn indices, we ′ ′′ [σ/Ψ](ˆ ⌊t⌋ ′ ) = ⌊t⌋ ′′ where [σ/Ψ](ˆ σ )= σ formulate our type theory using a named representation of σ σ ˆ ˆ variables. This not only simplifies our subsequent definitions [σ/Ψ](x) = M where lookup x [σ/Ψ] = M of substitutions, but also leaves open how variables are realized [σ/Ψ]ˆ c = c in an implementation. [σ/Ψ](ˆ ·) = · d) Contextual objects and types: We mediate between LF ′ ′ [σ/Ψ](ˆ wk ) = σ where trunc (σ/Ψ)ˆ = σ and computations using contextual types. Here, we concentrate Φˆ Φ ˆ ′ ′′ ′ ˆ ′ ′′ on contextual LF terms that have type Ψ ⊢ A. However, others [σ/Ψ](σ , M) = σ , M where [σ/Ψ](σ )= σ ˆ ′ may be added (Cave and Pientka, 2013). and [σ/Ψ](M)= M e) Computations and their types: Computations are Let us comment on a few cases. When applying the LF formed by extensional functions, written as fn y ⇒ t, substitution σ to the LF closure ⌊t⌋σ′ we leave t untouched, applications, written as t1 t2, boxed contextual objects, written I since t cannot contain any free LF variables and compose σ as , and the recursor, written as rec ~ ~, where ′ ⌈C⌉ B Ψ t and σ . Composition of LF substitutions is straightforward. ~ . We annotate the recursor with the typing t = tn ...t0 When we apply σ to wk , we truncate σ and only keep those invariant . We may either recurse over directly or we Φˆ I Ψ entries corresponding to the LF context Φ. Recall that wk recurse over the values computed by the term . The LF Φˆ t0 provides a weakening substitution from a context Φ to another context Ψ describes the local LF world in which the value −−→ context Ψ=(Φ, x:A). Intuitively, truncation throws away the computed by t makes sense. The arguments t ...t describe 0 n 1 entries of σ corresponding to the ~x; for the formal definition, in general the implicit arguments t might depend on. Finally, 0 please consult the long version (Pientka et al., 2019). B~ describes the different branches that we can take depending on the value computed by t0. A covering set of branches can C. Computation-level Substitution Operation be generated generically following Pientka and Abel (2015). The computation-level substitution operation {t/x}t′ tra- In this paper, we will subsequently work with a recursor for verses the computation t′ and replaces any free occurrence of the LF type tm which we encountered in the introduction, the computation-level variable x in t′ with t. The interesting together with two LF constants lam : Πy:(Πx:tm.tm).tm and case is {t/x}⌈C⌉. Here we push the substitution into C app : Πx:tm.Πy:tm.tm to keep the development compact. and we will further apply it to objects in the LF layer. Computation-level types consist of boxed contextual types, ′′ When we encounter a closure such as ⌊t ⌋σ, we continue ′′ written as ⌈T ⌉, and dependent types, written as (y :τ ˘1) ⇒ τ2. to push it inside σ and also into t . When substituting an We overload the dependent function space and allow as LF context Ψ for the variable ψ in a context Φ, we rename domain of discourse both computation-level types and the the declarations present in Φ. This is a convention; it would schema ctx of LF context. We use fn y ⇒ t to introduce equally work to rename the variable declarations in Ψ. For functions of both kinds. We also overload function application example, in {(x:tm,y:tm)/ψ}(ψ,ˆ x ⊢ lam λy.app x y ), t s to eliminate dependent types (y : τ1) ⇒ τ2 and we rename the variable x in (ψ,ˆ x) and replace ψ with (y : ctx) ⇒ τ2, although in the latter case s stands for an (x:tm,y:tm) in (ψ,ˆ w ⊢ lam λy.app w y). This results in LF context. We separate LF contexts from contextual objects, x, y, w ⊢ lam λy.app w y. When type checking this term we as we do not allow functions that return an LF context. will eventually also α-rename the λ-bound LF variable y. COCON has an infinite hierarchy of predicative universes, Last, we define simultaneous computation-level substitution N ′ written as Uk where k ∈ . The universes are not cumulative. using the judgment Γ ⊢ θ :Γ . For simplicity, we overload Adopting PTS-style notation, we can define COCON and its the typing judgment, just writing Γ ⊢ t :τ ˘, although when N universes using sorts u ∈ S = {Ui | i ∈ }, axioms A = τ˘ = ctx, then t stands for an LF context. {(Ui, Ui+1) | i ∈ N}, and rules R = {(Ui, Uj , Umax(i,j)) | ′ ′ i, j ∈ N}. ⊢ Γ′ Γ ⊢ θ :Γ Γ ⊢ t : {θ}τ˘ Γ′ ⊢ · : · Γ′ ⊢ θ,t/x :Γ, x :τ ˘ B. LF Substitution Operation We distinguish between a substitution θ that provides in- Our type theory distinguishes between LF variables and stantiations for variables declared in the computation context computation variables and we define substitution for both. We Γ, and a renaming substitution ρ which maps variables in the ′ define LF substitutions uniformly using a simultaneous sub- computation context Γ to the same variables in the context Γ ′ −→ ′ ′ stitution operation written as [σ/Ψ]ˆ M. As an LF substitution where Γ = Γ, x:˘τ and Γ ⊢ ρ : Γ. We write Γ ≤ρ Γ for the σ is simply a list of terms, we need to supply its domain Ψˆ latter. We note that the weakening and substitution properties to look up the instantiation for an LF variable x in σ. for simultaneous substitutions also hold for renamings. context; so does the empty substitution ·. Similarly, wkx1,...xn Γ;Ψ ⊢ M : A LF term M has LF type A is equivalent to the substitution wk(·), x1,...,xn. in the LF context Ψ and context Γ

Γ ⊢ Ψ : ctx x:A ∈ Ψ Γ ⊢ Ψ : ctx c:A ∈ Σ LF term is deﬁnitionally equal Γ;Ψ ⊢ x : A Γ;Ψ ⊢ c : A Γ;Ψ ⊢ M ≡ N : A M to LF term N at LF type A Γ;Ψ ⊢ M :Πx:A.B Γ;Ψ ⊢ N : A Γ;Ψ,x:A ⊢ M : B Γ;Ψ ⊢ M N : [N/x]B Γ;Ψ ⊢ λx.M :Πx:A.B Γ;Ψ ⊢ M :Πx:A.B

Γ ⊢ t : [Φ ⊢ A] or Γ ⊢ t : [Φ ⊢# A] Γ;Ψ ⊢ σ : Φ Γ;Ψ ⊢ M ≡ λx.M x :Πx:A.B

Γ;Ψ ⊢ ⌊t⌋σ : [σ/Φ]ˆ A Γ;Ψ,x:A ⊢ M1 : B Γ;Ψ ⊢ M2 : A Γ;Ψ ⊢ M : B Γ;Ψ ⊢ B ≡ A : type Γ;Ψ ⊢ (λx.M1) M2 ≡ [M2/x]M1 : [M2/x]B Γ;Ψ ⊢ M : A Γ; Φ ⊢ N : A Γ;Ψ ⊢ σ : Φ Γ;Ψ ⊢ ⌊⌈Φˆ ⊢ N⌉⌋ ≡ [σ/Φ]ˆ N : [σ/Φ]ˆ A Γ; Φ ⊢ σ :Ψ LF substitution σ provides a mapping σ from the LF context Ψ to Φ ′ Γ;Ψ ⊢ σ ≡ σ : Φ LF substitution σ is deﬁnitionally equal −−→ to LF substitution σ′ Γ ⊢ Ψ, x:A : ctx Γ ⊢ Φ : ctx −−→ −−→ Γ ⊢ Φ,x:A, y:B : ctx Γ;Ψ, x:A ⊢ wk :Ψ Γ; Φ ⊢ · : · ctx Ψˆ Γ ⊢ Ψ : −−→ Γ;Ψ ⊢ wk · ≡ · : · Γ; Φ,x:A, y:B ⊢ wk ≡ (wk ,x):(Φ,x:A) Γ; Φ ⊢ σ :Ψ Γ;Φ ⊢ M : [σ/Ψ]ˆ A ( ) Φˆ,x Φ

Γ; Φ ⊢ σ, M :Ψ,x:A Fig. 3. Reduction and Expansion for LF Terms and LF Substitutions

Fig. 2. Typing Rules for LF Terms and LF Substitutions F. Contextual LF Typing and Definitional Equivalence We lift typing and definitional equality on LF terms to con- D. LF Typing textual objects. For example, two contextual objects Ψˆ ⊢ M We concentrate here on the typing rules for LF terms, LF and Ψˆ ⊢ N are equivalent at LF type ⌈Ψ ⊢ A⌉, if M and N substitutions and LF contexts (see Fig. 2) and skip the rules are equivalent in Ψ. for LF types and kinds. All of the typing rules have access G. Computation Typing to an LF signature Σ which we omit to keep the presentation compact. Typing of variables x, constants c, application MN We describe well-typed computations in Fig. 4 using the and abstraction λx.M is as usual. The conversion rule is typing judgment Γ ⊢ t : τ. Computations only have access important and subtle. We only allow conversion of types – to computation-level variables declared in the context Γ. We conversion of the LF context is not necessary, as we do not use the judgment ⊢ Γ to describe well-formed contexts where allow computations to return an LF context. Importantly, given every declaration x:˘τ in Γ is well-formed. a computation t that has type ⌈Ψ ⊢ A⌉ or ⌈Ψ ⊢# A⌉, we can embed it into the current LF context Φ by forming the closure Γ ⊢ t : τ and Γ ⊢ τ : u Typing and kinding judg. for comp. ⌊t⌋σ where σ provides a mapping for the variables in Ψ. This formulation generalizes previous work which only allowed y :τ ˘ ∈ Γ ⊢ Γ ⊢ Γ (u1, u2) ∈ A variables declared in Γ to be embedded in LF terms. Previous Γ ⊢ y :τ ˘ Γ ⊢ u1 : u2 work enforced a strict separation between computations and Γ ⊢ τ˘1 : u1 Γ,y:˘τ1 ⊢ τ2 : u2 (u1, u2, u3) ∈ R LF terms. Γ ⊢ (y :τ ˘1) ⇒ τ2 : u3 The typing rules for LF substitutions are as expected. Γ ⊢ t :(y :τ ˘ ) ⇒ τ Γ ⊢ s :τ ˘ The typing rules for LF contexts simply analyze the struc- Γ ⊢ T 1 2 1 ture of an LF context. When we reach the head, we either Γ ⊢ ⌈T ⌉ : u Γ ⊢ t s : {s/y}τ2 encounter an empty LF context or a context variable y which Γ,y :τ ˘1 ⊢ t : τ2 Γ ⊢ (y :τ ˘1) ⇒ τ2 : u must be declared in the computation-level context Γ. The rules Γ ⊢ fn y ⇒ t :(y :τ ˘1) ⇒ τ2 can be found in the long version. ′ ′ Γ ⊢ C : T Γ ⊢ t : τ Γ ⊢ τ ≡ τ : u E. Definitional LF Equality Γ ⊢ ⌈C⌉ : ⌈T ⌉ Γ ⊢ t : τ

For LF terms, equality is βη. In addition, we can reduce Fig. 4. Typing Rules for Computations (Without Recursor) ⌊Ψ ⊢ M⌋σ by simply applying σ to M. We omit the transitive closure rules as well as congruence rules, as they To avoid duplication of typing rules, we overload the typing are straightforward. judgment and write τ˘ instead of τ, if the same judgment is For LF substitutions, we take into account that weakening used to check that a given LF context is of schema ctx. For substitutions are not unique. For example, the substitution wk· example, to ensure that (y :τ ˘1) ⇒ τ2 has kind u3, we check may stand for a mapping from the empty context to another LF that τ˘1 is well-kinded. For compactness, we abuse notation writing Γ ⊢ ctx : u although the schema ctx is not a proper Recursor over LF terms I =(ψ : ctx) ⇒ (y : ⌈ψ ⊢ tm⌉) ⇒ τ type whose elements can be computed. In the typing rules for computation-level (extensional) functions, the input to the Γ ⊢ t : ⌈Ψ ⊢ tm⌉ Γ ⊢I : u Γ ⊢ b : I Γ ⊢ bapp : I Γ ⊢ blam : I function which we also call domain of discourse may either be v I Γ ⊢ rec (b | bapp | blam) Ψ t : {Ψ/ψ, t/y}τ of type τ1 or ctx. To eliminate a term t of type (y : τ1) ⇒ τ2, v we check that s is of type τ1 and then return {s/y}τ2 as Branches where I =(ψ : ctx) ⇒ (y : ⌈ψ ⊢ tm⌉) ⇒ τ the type of t s. To eliminate a term of type (y : ctx) ⇒ τ, we overload application simply writing t s, although s stands Γ, ψ : ctx,p : ⌈ ψ ⊢# tm⌉⊢ tv : {p/y}τ for an LF context and check that s is of schema ctx. This Γ ⊢ (ψ,p ⇒ tv) : I distinction between the domains of discourse is important, as Γ, ψ : ctx, we only allow LF contexts to be built either by a context m:⌈ψ ⊢ tm⌉, n:⌈ψ ⊢ tm⌉ variable or an LF type declaration, but do not compute an LF fm:{m/y}τ, fn:{n/y}τ ⊢ tapp : {⌈ψ ⊢ app⌊m⌋ ⌊n⌋⌉/y}τ context recursively. We can embed contextual object C into Γ ⊢ (ψ,m,n,fn, fm ⇒ tapp) : I computations by boxing it and transitioning to the typing rules Γ,φ : ctx, for LF. We eliminate contextual types using a recursor, see m:⌈φ,x:tm ⊢ tm⌉, Fig. 5. Here, we define an iterator over t of type ⌈Ψ ⊢ tm⌉ to fm:{(φ,x:tm)/ψ, m/y}τ ⊢ tlam : {φ/ψ, ⌈φ ⊢ lam λx.⌊m⌋⌉/y}τ keep the exposition compact. For a deeper discussion on how Γ ⊢ ψ,m,fm ⇒ tlam : I to generate recursors for contextual objects of type Ψ ⊢ A and LF contexts, we refer the reader to Pientka and Abel (2015). Fig. 5. Typing Rules for Recursors In general, the output type of the recursor may depend on the argument we are recursing over. We hence annotate the substitution and subsequently boxing it, i.e. t is equivalent to recursor itself with an invariant I. Here, the recursor over tm ⌈Ψˆ ⊢⌊t⌋ ⌉ . is annotated with I = (ψ : ctx) ⇒ (y : ⌈ψ ⊢ tm⌉) ⇒ τ. To wkΨˆ I check that the recursor rec B Ψ t has type {Ψ/ψ,t/y}τ, we IV. ELEMENTARY PROPERTIES check that each of the three branches has the specified type I. In the base case, we may assume in addition to ψ : ctx For the LF level, we can establish well-formedness of LF context, LF substitution and weakening properties. In addition, that we have a variable p : ⌈ψ ⊢# tm⌉ and check that the body has the appropriate type. If we encounter a contextual we have LF context conversion and equality conversion for LF LF object built with the LF constant app, then we choose the types. As usual, we can also prove directly functionality and injectivity of Pi-types for the LF level. branch bapp. We assume ψ:ctx, m:⌈ψ ⊢ tm⌉, n:⌈ψ ⊢ tm⌉, as well as and which stand for the recursive calls on fn fm m Lemma IV.1 (Functionality of LF Typing). Let Γ;Ψ ⊢ σ1 :Φ and respectively. We then check that the body is well- n tapp and Γ;Ψ ⊢ σ2 :Φ, and Γ;Ψ ⊢ σ1 ≡ σ2 :Φ. typed. If we encounter an LF object built with the LF constant ′ ′ 1) If Γ;Φ ⊢ σ :Φ then Γ;Ψ ⊢ [σ /Φ]ˆ σ ≡ [σ /Φ]ˆ σ :Φ . lam, then we choose the branch b . We assume ψ:ctx and 1 2 lam 2) If Γ;Φ ⊢ M : A then m:⌈ψ, x:tm ⊢ tm⌉ together with the recursive call f on m m Γ;Ψ ⊢ [σ /Φ]ˆ M ≡ [σ /Φ]ˆ M :[σ /Φ]ˆ A. in the extended LF context ψ, x:tm. We then check that the 1 2 1 ′ body tlam is well-typed. Proof. By induction on Γ;Φ ⊢ M : A (resp. Γ;Φ ⊢ σ : Φ ) followed by another inner induction on Γ;Ψ ⊢ σ1 ≡ σ2 : Φ H. Definitional Equality for Computations to prove (1). Concerning definitional equality for computations (Fig. 6), we concentrate on the reduction rules. We omit the transitive Lemma IV.2 (Injectivity of LF Pi-Types). If Γ;Ψ ⊢ Πx:A.B ≡ Πx:A′.B′ : type closure and congruence rules, as they are as expected. ′ ′ We consider two computations to be equal if they evaluate then Γ;Ψ ⊢ A ≡ A : type and Γ;Ψ, x:A ⊢ B ≡ B : type. to the same result. We propagate values through computations Proof. By equality inversion. and types relying on the computation-level substitution operation. When we apply a term s to a computation fn y ⇒ t, For the computation level, we also know that computation we β-reduce and replace y in the body t with s. We unfold context Γ is well-formed; in addition, weakening and substitu- the recursor depending on the value passed. If it is ⌈Ψˆ ⊢ tion properties hold. However, proving functionality of typing lam λx.M⌉, then we choose the branch tlam. If the value is and injectivity of Pi-types on the computation-level must be ⌈Ψˆ ⊢ app MN⌉, we continue with the branch tapp. If it is postponed. ⌈Ψˆ ⊢ x⌉, i.e. the variable case, we continue with tv. Note that if Ψ is empty, then the case for variables is unreachable, since V. WEAK HEAD REDUCTION there is no LF variable of type tm in the empty LF context The operational semantics of COCON uses weak head and hence the contextual type ⌈· ⊢# tm⌉ is empty. reduction and mirrors declarative equality. It proceeds lazily. We also include the expansion of a computation t at type We characterize weak head normal forms (whnf) for both, ⌈Ψ ⊢ A⌉; it is equivalent to unboxing t with the identity (contextual) LF and computations. They are mutually defined. Γ ⊢ fn y ⇒ t :(y:˘τ1) ⇒ τ2 Γ ⊢ s :τ ˘1 Γ ⊢ t : ⌈Ψ ⊢ A⌉ ˆ Γ ⊢ (fn y ⇒ t) s ≡ {s/y}t : {s/y}τ2 Γ ⊢ t ≡ ⌈Ψ ⊢ ⌊t⌋wkΨˆ ⌉ : ⌈Ψ ⊢ A⌉

let B =(ψ,p ⇒ tp | ψ,m,n,fm, fn ⇒ tapp | ψ,m,fm ⇒ tlam) and I =(ψ : ctx) ⇒ (y : ⌈ψ ⊢ tm⌉) ⇒ τ Γ ⊢ Ψ : ctx Γ;Ψ,x:tm ⊢ M : tm Γ ⊢I : u I Γ ⊢ rec B Ψ ⌈Ψˆ ⊢ lam λx.M⌉ ≡ {θ}tlam : {Ψ/ψ, ⌈Ψˆ ⊢ lam λx.M⌉/y}τ I where θ =Ψ/ψ, ⌈Ψˆ ,x ⊢ M⌉/m, rec B (Ψ,x:tm) ⌈Ψˆ ,x ⊢ M⌉/f

Γ ⊢ Ψ : ctx Γ;Ψ ⊢ M : tm Γ;Ψ ⊢ N : tm Γ ⊢I : u I Γ ⊢ rec B Ψ⌈Ψˆ ⊢ app M N⌉ ≡ {θ}tapp : {Ψ/ψ, ⌈Ψˆ ⊢ app M N⌉/y}τ I I where θ =Ψ/ψ, ⌈Ψˆ ⊢ M⌉/m, ⌈Ψˆ ⊢ N⌉/n, rec B Ψ ⌈Ψˆ ⊢ M⌉/fm, rec B Ψ ⌈Ψˆ ⊢ N⌉/fn

x:tm ∈ Ψ Γ ⊢ Ψ : ctx Γ ⊢I : u I Γ ⊢ rec B Ψ ⌈Ψˆ ⊢ x⌉ ≡ {Ψ/ψ, ⌈Ψˆ ⊢ x⌉/p}tp : {Ψ/ψ, ⌈Ψ ⊢ x⌉/y}τ

Fig. 6. Deﬁnitional Equality for Computations

Deﬁnition V.1 (Whnf of LF). M ցLF N : LF term M weak head reduces to N s.t. whnf N • An LF term M is in whnf, whnf M, iff M = λx.N, or ′ ′ M is neutral, i.e. wne M, or M = ⌊t⌋σ and t is neutral M ցLF λx.M [N/x]M ցLF R M ցLF R wne R

(i.e. wne t). M N ցLF R M N ցLF R N • An LF term M is neutral, wne M, iff M is of the form ˆ ˆ whnf M t ց ⌈Ψ ⊢ M⌉ [σ/Ψ]M ցLF N t ց n wne n h M1 ...Mn where h is either an LF variable or a constant c. M ցLF M ⌊t⌋σ ցLF N ⌊t⌋σ ցLF ⌊n⌋σ ′ ′ ′ σ ցLF σ : LF subst. σ weak head reduces to σ s.t. whnf σ LF substitutions of the form σ, M, wkψ or · are in whnf. LF types are also always considered to be in whnf, as computation whnf σ · may only produce a contextual LF term, but not a contextual σ ցLF σ wk ցLF · wk(Ψˆ ,x) ցLF wkΨˆ ,x LF type. Last, (erased) LF contexts are in whnf, as we do not allow computations to return an LF context. Fig. 7. Weak Head Reductions for LF Terms and LF Substitutions Computation-level expressions are in whnf, if they do not trigger any further computation-level reductions. I recursor rec B~ Ψ t, either t reduces to a neutral term, then Definition V.2 (Whnf of Computations). we cannot proceed; or, t reduces to ⌈Ψˆ ⊢ M⌉, and then we ′ ′ • A term t is in whnf, whnf t, if t is a (fn y ⇒ s) or proceed to further reduce M. If the result is ⌊t ⌋σ, where t is neutral, then we cannot proceed; if the result is N where N is (y : τ1) ⇒ τ2 or u, t is ⌈C⌉ or ⌈T ⌉, or t is neutral. neutral, then we choose the appropriate branch in B using the • A term t is neutral, wne t, if t is a variable, t = s1 s2 I judgment B ≪ (Ψ) (Ψˆ ⊢ N) ց v. We note that weak head where wne s1, t = (rec B Ψ s) where either wne s or reduction for LF and computation is deterministic and stable s = ⌈Ψˆ ⊢⌊t⌋σ⌉ and wne t. under weakening and LF substitutions. We consider boxed objects ⌈C⌉ and boxed types ⌈T ⌉ in To ease the technical development, we introduce notational whnf, as the contextual object C will be further reduced when abbreviations for well-typed whnfs in Fig. 9. we use them and have to unbox them. The remaining definition of whnf characterizes terms that do not trigger any further VI. KRIPKE-STYLE LOGICAL RELATION reductions. We note that weakening preserves whnfs. We construct a Kripke-logical relation that is defined We now define weak head reductions (Fig. 7 and Fig. 8). If on well-typed terms to prove weak head normalization. an LF term is not already in whnf, we have two cases: either Our semantic definitions for computations follow closely we encounter an LF application M N and we may need to Abel and Scherer (2012) to accommodate type-level compu- beta-reduce or we find an embedded computation ⌊t⌋σ. If t is tation. neutral, then we are done; otherwise t reduces to a contextual We start by defining semantic equality for LF terms of type object ⌈Ψˆ ⊢ M⌉, and we continue to reduce [σ/Ψ]ˆ M. tm (Fig. 10), as these are the terms the recursor eliminates If a computation-level term t is not already in whnf , we and it illustrates the fact that we are working with syntax have either an application t1 t2 or a recursor. For an application trees. To define semantic equality for LF terms M and N, t1 t2, we reduce t1. If it reduces to a function, we continue to we consider different cases depending on their whnf: 1) if beta-reduce, otherwise, we build a neutral application. For the they reduce to app M1 M2 and app N1 N2 respectively, then t ց r : Term t weak head reduces to r s.t. whnf r Γ;Ψ ⊢ M ցLF ⌊t1⌋σ1 : tm typeof(Γ ⊢ t1)= ⌈Φ1 ⊢ tm⌉ Γ;Ψ ⊢ N ցLF ⌊t2⌋σ2 : tm typeof(Γ ⊢ t2)= ⌈Φ2 ⊢ tm⌉ tm ctx whnf t t1 ց fn y ⇒ t {t2/y}t ց v t1 ց w wne w Γ ⊢ t1 ≡ t2 : ⌈Φ1 ⊢ ⌉ Γ;Ψ σ1 = σ2 : Φ1 Γ ⊢ Φ1 ≡ Φ2 :

t ց t t1 t2 ց v t1 t2 ց w t2 Γ;Ψ M = N : tm ′ t ց s wne s Γ;Ψ ⊢ M ցLF lam M : tm I I ′ ′ ′ rec B Ψ t ց rec B Ψ s Γ;Ψ ⊢ N ցLF lam N : tm Γ;Ψ,x:tm M x = N x : tm ′ ′ Γ;Ψ M = N : tm t ց ⌈Ψˆ ⊢ M⌉ M ցLF ⌊t ⌋σ wne t I I ′ rec B Ψ t ց rec B Ψ (Ψˆ ⊢ ⌊t ⌋σ) Γ;Ψ ⊢ M ցLF app M1 M2 : tm Γ;Ψ M1 = N1 : tm Γ;Ψ ⊢ N ցLF app N1 N2 : tm Γ;Ψ M2 = N2 : tm t ց ⌈Ψˆ ⊢ M⌉ M ցLF N wne N B ≪ (Ψ) (Ψˆ ⊢ N) ց v Γ;Ψ M = N : tm I rec B Ψ t ց v Γ;Ψ ⊢ M ցLF x : tm Γ;Ψ ⊢ N ցLF x : tm let B =(ψ,p ⇒ t | ψ,m,n,f , f ⇒ tapp | ψ,m,f ⇒ tlam) v m n m Γ;Ψ M = N : tm {Ψ/ψ, ⌈Ψˆ ⊢ M⌉/m, ⌈Ψˆ ⊢ N⌉/n, I I rec B Ψ ⌈Ψˆ ⊢ M⌉/f , rec B Ψ ⌈Ψˆ ⊢ N⌉/f }tappց v m n Fig. 10. Semantic Equality for LF Terms: Γ; Ψ M = N : A B ≪ (Ψ) (Ψˆ ⊢ app M N) ց v {Ψ/ψ, ⌈Ψˆ ,x ⊢ M⌉/m, I rec B (Ψ,x:tm) ⌈Ψˆ ,x ⊢ M⌉/fm}tlam ց v deﬁnitional equal. However, what type should we choose? – As the computation t is neutral, we can infer a unique type B ≪ (Ψ) (Ψˆ ⊢ lam λx.M) ց v i ⌈Φ ⊢ tm⌉ which we can use. This is deﬁned as follows:

{Ψ/ψ, ⌈Ψˆ ⊢ x⌉/p}tv ց v B ≪ (Ψ) (Ψˆ ⊢ x) ց v Type inference for neutral computations t : typeof(Γ ⊢ t)= τ typeof(Γ ⊢ t)= τ τ ց (y:τ ) ⇒ τ Γ ⊢ s : τ Fig. 8. Weak Head Reductions for Computations 1 2 1 typeof(Γ ⊢ t s)= {s/y}τ2

x:τ ∈ Γ I =(ψ : ctx) ⇒ (y : ⌈ψ ⊢ tm⌉) ⇒ τ Γ;Ψ ⊢ M : A I typeof(Γ ⊢ x)= τ typeof(Γ ⊢ rec B Ψ t)= {Ψ/ψ, t/y}τ Γ;Ψ ⊢ N : A Γ;Ψ ⊢ M ≡ N : AM ցLF N Γ;Ψ ⊢ M ցLF N : A Semantic equality for LF substitutions is also deﬁned by Γ;Ψ ⊢ σ1 :Φ considering different whnfs (Fig. 11). As we only work Γ;Ψ ⊢ σ2 :Φ Γ;Ψ ⊢ σ1 ≡ σ2 :Φ σ1 ցLF σ2 with well-typed LF objects, there is only one inhabitant for an empty context. Moreover, given an LF substitution with Γ;Ψ ⊢ σ1 ցLF σ2 :Φ ′ ′ ′ domain Φ, x:A, we can weak head reduce the LF substitutions Γ ⊢ t : τ Γ ⊢ t : τ Γ ⊢ t ≡ t : τ t ց t σ and σ′ and continue to recursively compare them. An LF ′ Γ ⊢ t ց t : τ substitution with domain ψ, a context variable, reduces to wkψ.

Fig. 9. Well-Typed Whnf ′ Γ;Ψ ⊢ σ ցLF · : · Γ;Ψ ⊢ σ ցLF · : · ′ Γ;Ψ σ = σ : · Mi must be semantically equal to Ni; 2) if they reduce to ′ ′ ′ lam M and lam N respectively, then the bodies of M and −−→ −−→ ′ Γ; ψ, x:A ⊢ σ ցLF wkψ : ψ Γ; ψ, x:A ⊢ σ ցLF wkψ : ψ N ′ must be equal. To compare their bodies, we apply both ′ ′ ′ ′ −−→ ′ M and N to an LF variable x and consider M x and N x Γ; ψ, x:A σ = σ : ψ in the extended LF context Ψ, x:tm. This has the effect of opening up the body and replacing the bound LF variable Γ;Ψ ⊢ σ ցLF σ1, M : Φ,x:A Γ;Ψ σ1 = σ2 : Φ ′ ˆ with a fresh one. This highlights the difference between the Γ;Ψ ⊢ σ ցLF σ2, N : Φ,x:A Γ;Ψ M = N : [σ1/Φ]A ′ intensional LF function space and the extensional nature of the Γ;Ψ σ = σ : Φ,x:A computation-level functions. In the former, we can concentrate on LF variables and continue to analyze the LF function body; Fig. 11. Semantic Equality for LF Substitutions: Γ; Ψ σ = σ′ :Φ in the latter, we consider all possible inputs, not just variables; 3) if the LF terms M and N may reduce to the same LF Deﬁning semantic kinding and semantic equality is intricate, variable in Ψ, then they are obviously also semantically equal; as they depend on each other and we need to ensure our

4) last, if M and N reduce to ⌊ti⌋σi respectively. In this definitions are well-founded. Following Abel et al. (2018), we case ti is neutral and we only need to semantically compare first define semantic kinding, i.e. Γ τ˘ : u (Fig. 12) which the LF substitutions σi and check whether the terms ti are technically falls into two parts: Γ τ : u and Γ ctx : u where the latter is simply notation, as ctx is not a computation- 1) Γ;Ψ M1 = M1 : A. level type. Function types (y :τ ˘1) ⇒ τ2 are semantically 2) Γ;Ψ M2 = M1 : A. well-kinded if τ˘1 is semantically well-kinded in any extension 3) If Γ;Ψ M2 = M3 : A then Γ;Ψ M1 = M3 : A. ′ ′ ′ Γ of Γ and {s/y}τ2 is well-kinded for any term s that has 4) If Γ;Ψ ⊢ A ≡ A : type then Γ;Ψ M1 = M2 : A . semantic type τ˘ . In our definition, we make the renaming ρ 1 Proof. Reflexivity follows directly from symmetry and transi- that allows us to move from Γ to Γ′ explicit. The definition tivity. For LF terms (and LF substitutions), we prove symmetry of semantic kinding is inductively defined on τ˘. and conversion by induction on the derivation Γ;Ψ M = N : A and Γ;Ψ σ = σ′ :Φ respectively. For transitivity, we ′ ′ use lexicographic induction. The proofs relies on symmetry of Γ ⊢ τ ց ⌈T ⌉ : u Γ ⊢ T ≡ T Γ ⊢ τ ց u : u u < u declarative equality (≡), determinacy of weak head reductions, Γ τ : u Γ τ : u and crucially relies on well-formedness of semantic equality Γ ⊢ τ ց x ~t : u wne (x ~t) ⊢ Γ and functionality of LF typing (Lemma IV.1). Γ τ : u Γ ctx : u ′ ′ B. Semantic Properties of Computations Γ ⊢ τ ց (y :τ ˘1) ⇒ τ2 : u ∀Γ ≤ρ Γ. Γ {ρ}τ˘1 : u1 ′ ′ ′ ∀Γ ≤ρ Γ. Γ s = s : {ρ}τ˘1 =⇒ Γ {ρ,s/y}τ2 : u If a term is semantically well-typed, then it is also syntacti- Γ τ : u cally well-typed. Furthermore, our definition of semantic typ- where (u1, u2, u) ∈ R ing is stable under weakening. Our semantic equality definition is symmetric and transitive. It is also reflexive – however, note Fig. 12. Semantic Kinding for Types Γ τ˘ : u (inductive) that we prove a weaker reflexivity statement which says that if t1 is semantically equivalent to another term t2 then it is also Semantic kinding (Fig. 12) is used as a measure to define equivalent to itself. This suffices for our proofs. We also note the semantic typing for computations. In particular, we define that our semantic equality takes into account extensionality Γ τ˘ =τ ˘′ : u and Γ t = t′ :τ ˘ recursively on the semantic for terms at function types and contextual types; this is in fact kinding of τ˘. i.e. Γ τ˘ : u. For better readability, we simply baked into our semantic equality definition. write for example ′ instead of ′ Γ t = t : ⌈T ⌉ Γ t = t : τ Lemma VII.3 (Symmetry, Transitivity, and Conversion of where τ ց ⌈T ⌉, and Γ ⊢ T ≡ T in proofs. The extensional ′ Semantic Equality). Let Γ τ˘ : u and Γ τ˘ : u and character of function types is apparent in the semantic equality ′ Γ τ˘ =τ ˘ : u and Γ t = t :τ ˘. Then: for terms at function type. Semantic equality at type ⌈Ψ ⊢ A⌉ 1 2 1) (Reflexivity) . falls back to semantic equality on LF terms at type A in the Γ t1 = t1 :τ ˘ 2) (Symmetry) . LF context Ψ. Γ t2 = t1 :τ ˘ 3) (Transitivity) If Γ t2 = t3 :τ ˘ then Γ t1 = t3 :τ ˘. ′ VII. SEMANTIC PROPERTIES 4) (Conversion:) Γ t1 = t2 :τ ˘ . A. Semantic Properties of LF Proof. Reflexivity follows directly from symmetry and transi- If an LF term is semantically well-typed, then it is also syn- tivity. We prove symmetry and transitivity for terms using a tactically well-typed. Furthermore, our definition of semantic lexicographic induction on u and Γ τ : u; we appeal to the LF typing is stable under renaming and semantic LF equality induction hypothesis and use the corresponding properties on is preserved under LF substitution and allows for context types if the universe is smaller; if the universe stays the same, conversion. then we may appeal to the property for terms if Γ τ : u is smaller; to prove conversion and symmetry for types, we Lemma VII.1 (Backwards Closure for LF Terms). may also appeal to the induction hypothesis if Γ τ ′ : u is

If Γ;Ψ Q = N : A (or Γ;Ψ N = Q : A) smaller. and Γ;Ψ ⊢ M ցLF Q : A then Γ M = N : A Finally we establish various elementary properties about our

Proof. By case analysis on Γ;Ψ Q = N : A and the fact semantic definition that play a key role in the fundamental that Q is in whnf . lemma which we prove later. Our semantic definitions are reflexive, symmetric, and tran- Lemma VII.4 (Neutral Soundness). sitive. Further they are stable under type conversions. We state If Γ τ˘ : u and Γ ⊢ t :τ ˘ and Γ ⊢ t′ :τ ˘ and Γ ⊢ t ≡ t′ :τ ˘ the lemma below only for terms, but it must in fact be proven and wne t,t′ then Γ t = t′ :τ ˘. mutually with the corresponding property for LF substitutions.

We first establish these properties for LF and subsequently Proof. By induction on Γ τ : u. for computations. Establishing these properties is tricky and Lemma VII.5 (Backwards Closure for Computations). intricate. All proofs can be found in the long version. ′ If Γ t1 = t2 :τ ˘ and Γ ⊢ t1 ց w :τ ˘ and Γ ⊢ t1 ց w :τ ˘ ′ Lemma VII.2 (Reflexivity, Symmetry, Transitivity, and Con- then Γ t1 = t2 :τ ˘. . version of Semantic Equality for LF) Let Ψ M1 = M2 : A. Proof. By case analysis of Γ t1 = t2 :τ ˘ considering Then: different cases of Γ τ˘ : u. ′ Semantic equality for types: Γ τ˘ =τ ˘ : u defined by recursion on Γ τ : u ′ Semantic equality for terms: Γ t = t :τ ˘ defined by recursion on Γ τ˘ : u

′ ′ ′ ′ ′ ′ Γ ⊢ τ ց u : u Γ ⊢ τ ց ⌈T ⌉ : u Γ ⊢ T ≡ T Γ ⊢ τ ց x ~s : u Γ ⊢ x ~t ≡ x ~s : u ′ ′ ′ Γ ctx = ctx : u Γ u = τ : u Γ ⌈T ⌉ = τ : u Γ x ~t = τ ′ : u ′ ′ ′ ′ ′ ′ ′ Γ ⊢ τ ց (y :τ ˘1) ⇒ τ2 : u ∀Γ ≤ρ Γ. Γ {ρ}τ˘1 = {ρ}τ˘1 : u1 ′ ′ ′ ′ ′ ′ ′ ∀Γ ≤ρ Γ. Γ s = s : {ρ}τ˘1 =⇒ Γ {ρ, s/y}τ2 = {ρ,s /y }τ2 : u2 ′ (u1, u2, u) ∈ R Γ (y :τ ˘1) ⇒ τ2 = τ : u ′ ′ ′ ′ Γ ⊢ Ψ ≡ Ψ : ctx Γ ⊢ t ց w : ⌈Ψ ⊢ A⌉ Γ ⊢ t ց w : ⌈Ψ ⊢ A⌉ Γ;Ψ ⌊w⌋id = ⌊w ⌋id : A ′ ′ Γ Ψ=Ψ : ctx Γ t = t : ⌈Ψ ⊢ A⌉ ′ ′ ′ ′ Γ ⊢ t ց n : x ~s Γ ⊢ t ց n : x ~s wne n, n Γ ⊢ n ≡ n : x ~s ′ Γ t = t : x ~s ′ ′ ′ ′ ′ ′ ′ ′ Γ ⊢ t ց w :(y :τ ˘1) ⇒ τ2 Γ ⊢ t ց w :(y :τ ˘1) ⇒ τ2 ∀Γ ≤ρ Γ. Γ s = s : {ρ}τ˘1 =⇒ Γ {ρ}w s = {ρ}w s : {ρ,s/y}τ2 ′ Γ t = t :(y :τ ˘1) ⇒ τ2

Fig. 13. Semantic Equality for Computations

Lemma VII.6 (Typed Whnf Is Backwards Closed). declarations is valid, we can always generate Γ id(Γ) = If Γ ⊢ t ց w : (y :τ ˘1) ⇒ τ2 and Γ ⊢ s :τ ˘1 id(Γ) : Γ, where id is the identity substitution. and Γ ⊢ w s ց v : {s/y}τ2 then Γ ⊢ t s ց v : {s/y}τ2. Last, we define validity of LF objects, types, and terms (Fig. 14). Our notion of validity generalizes our definition Proof. By unfolding the definitions and considering different of semantic typing and equality. Intuitively, we say that a cases for w. term t is valid, if for any semantic substitution θ, {θ}t is Lemma VII.7 (Semantic Application). semantically well-typed. This allows us to define compactly ′ ′ the fundamental lemma which now states that well typed terms If Γ t = t : (y :τ ˘1) ⇒ τ2 and Γ s = s :τ ˘1 then ′ ′ correspond to valid terms in our model. Γ t s = t s : {s/y}τ2. Note that we do not work directly with semantically well- Proof. Using well-formedness of semantic equality, Back- typed terms. Instead we say that a term is semantically well- wards closed properties (Lemma VII.6 and VII.5), and Sym- typed, if it is semantically equal to itself. Our definition of metry of semantic equality (Lemma Prop. 2). validity is built on the same idea. Concretely, we say that two terms t and t′ are equal in our model, i.e. Γ |= t = t′ :τ ˘, VIII. VALIDITYINTHE MODEL ′ if for all semantically equal substitutions θ and θ , we have For normalization, we need to establish that well-typed that {θ}t and {θ′}t are semantically equal. Our definition of terms are logically related. In other words, we show that validity is symmetric and transitive. syntactically well-typed terms are also semantically well- Lemma VIII.1 (Function Type Injectivity Is Valid). If typed. However, as we traverse syntactically well-typed terms, Γ |= (y :τ ˘ ) ⇒ τ = (y :τ ˘′ ) ⇒ τ ′ : u , then Γ|=τ ˘ =τ ˘′ :u they do not remain closed. Hence, we need to prove a 1 2 1 2 3 1 1 1 and Γ,y:˘τ |= τ = τ ′ : u and (u , u , u ) ∈ R. generalization where we show that every syntactically well- 1 2 2 2 1 2 3 typed term in a context Γ is semantically well-typed in an Proof. Proof by unfolding the semantic definitions. extension of Γ. As is customary, we extend our logical relation to substitutions defining semantic substitutions which allow us The fundamental lemma (Lemma VIII.1) states that well- to move between Γ and Γ′. typed terms are valid. The proof proceeds by mutual induction on the typing derivation for LF-objects and computations. It relies on the validity of type conversion, computation-level ′ ′ Γ θ = θ :Γ functions, applications, and recursion. To establish these prop- ′ ′ ′ ′ Γ θ = θ :Γ Γ {θ}τ˘ = {θ }τ˘ : u erties, we require symmetry, transitivity of semantic equality, ′ ′ ′ ⊢ Γ′ Γ {θ}τ˘ : u Γ t = t : {θ}τ˘ and semantic type conversion (Lemma VII.3). ′ ′ ′ ′ Γ · = · : · Γ θ,t/x = θ ,t /x :Γ, x:˘τ Theorem VIII.1 (Fundamental Theorem). Semantic substitutions are well-formed (i.e. they imply 1) If ⊢ Γ then |=Γ. that substitutions are well-typed), stable under weakening and 2) If Γ;Ψ ⊢ M : A then Γ;Ψ |= M = M : A. preserve equivalences. They are also reflexive, symmetric, and 3) If Γ;Ψ ⊢ σ :Φ then Γ;Ψ |= σ = σ :Φ. transitive. Further, given a valid context where each of the 4) If Γ;Ψ ⊢ M ≡ N : A then Γ;Ψ |= M = N : A. Last but not least, the fundamental lemma allows us to show Validity of LF objects : Γ;Ψ |= M = N : A where |=Γ that not every type is inhabited and thus COCON can be used ′ ′ ′ ′ ∀Γ ,θ,θ .Γ θ = θ :Γ as a logic. To establish this stronger notion of consistency, we ′ ′ =⇒ Γ ; {θ}Ψ {θ}M = {θ }N : {θ}A first prove that we can discriminate type constructors. Γ;Ψ |= M = N : A Lemma VIII.3 (Type Constructor Discrimination). Neutral

′ types, sorts, and function types can be discriminated. Validity of LF substitutions : Γ;Ψ |= σ = σ : Φ where |=Γ Proof. To show for example that Γ ⊢ x ~t 6= (y :τ ˘ ) ⇒ τ , ′ ′ ′ ′ 1 2 ∀Γ , θ, θ .Γ θ = θ :Γ ~ ′ ′ ′ we assume Γ ⊢ x t ≡ (y :τ ˘1) ⇒ τ2 : u. By the fundamental =⇒ Γ ; {θ}Ψ {θ}σ1 = {θ }σ : {θ}Φ lemma (Lemma VIII.1), we have Γ x ~t ≡ (y :τ ˘1) ⇒ τ2 : u ′ Γ;Ψ |= σ = σ : Φ (choosing the identity substitution for θ and θ′); but this is impossible given the semantic equality definition. ′ Validity of types : Γ |=τ ˘ =τ ˘ : u and Γ |=τ ˘ : u Theorem VIII.3 (Consistency). x : u0 6⊢ t : x. ′ ′ ′ ′ ∀Γ , θ, θ .Γ θ = θ :Γ ′ ′ ′ =⇒ Γ {θ}τ˘ = {θ }τ˘ : u Γ |=τ ˘ =τ ˘ : u Proof. Assume Γ ⊢ t : x where Γ = (x:u0). By subject ′ reduction (Lemma VIII.2), there is some w such that t ց w Γ |=τ ˘ =τ ˘ : u Γ |=τ ˘ : u and Γ ⊢ t ≡ w : x and in particular, we must have Γ ⊢ w : x. ′ Validity of terms : Γ |= t = t :τ ˘ and Γ |= t :τ ˘ As x is neutral, it cannot be equal to u, (y :τ ˘1) ⇒ τ2, or ⌈T ⌉ (Lemma VIII.3). Thus w can also not be a sort, function, or ′ ′ ′ ′ |=Γ ∀Γ ,θ,θ .Γ θ = θ :Γ ′ ′ ′ contextual object. Hence, w can only be neutral, i.e. given the Γ |=τ ˘ : u =⇒ Γ {θ}t = {θ }t : {θ}τ˘ Γ |= t = t :τ ˘ assumption x : u0, the term w must be x. This implies that ′ Γ |= t = t :τ ˘ Γ |= t :τ ˘ Γ ⊢ x : x and implies Γ ⊢ x ≡ u0 : u0 by inversion on typing. But this is impossible by Lemma VIII.3. Fig. 14. Validity Definition An extended version with the full technical development is available at Pientka et al. (2019). 5) If Γ;Ψ ⊢ σ ≡ σ′ :Φ then Γ;Ψ |= σ = σ′ :Φ. IX. CONCLUSION 6) If Γ ⊢ t : τ then Γ |= t : τ. 7) If Γ ⊢ t ≡ t′ : τ then Γ |= t = t′ : τ. COCON is a first step towards integrating LF methodology into Martin-Löf style dependent type theories and and bridges Proof. By induction on the first derivation using validity of the longstanding gap between these two worlds. We have application, functions, recursion, and type conversion, Back- established normalization and consistency. The next immediate wards Closed (VII.5), Well-formedness of Semantic Typing, step is to derive an equivalence algorithm based on weak head Semantic Weakening. reduction and show its completeness. We expect that this will follow a similar Kripke-style logical relation as the one we Theorem VIII.2 (Normalization and Subject Reduction). If described. This would allow us to justify that type checking Γ ⊢ t : τ then t ց w and Γ ⊢ t ≡ w : τ COCON programs is decidable. Proof. By the Fundamental theorem (Lemma VIII.1), we have It should be possible to implement COCON as an extension ′ Γ t = t : τ (choosing the identity substitution for θ and θ ). to BELUGA– from a syntactic point of view, it would be a This includes a definition t ց w. Since w is in whnf (i.e. small change, however in practice this requires revisiting type whnf w), we have w ց w. Therefore, we can easily show that reconstruction, type checking, unification, and conversion. It also Γ t = w : τ. By well-formedness, we also have that also seems possible to extend existing implementation of Γ ⊢ t ≡ w : τ and more specifically, Γ ⊢ w : τ. Agda, however this might be more work, as in this case one needs to implement the LF infrastructure. Using the fundamental lemma, we can also show function type injectivity, which is the basis for implementing a type ACKNOWLEDGMENTS checker. Brigitte Pientka was supported by NSERC (Natural Science and Engineering Research Council) Grant 206263. David Thi- Lemma VIII.2 (Injectivity of Function Type). ′ ′ ′ bodeau was supported by NSERC’s Alexander Graham Bell If Γ ⊢ (y :τ ˘ ) ⇒ τ ≡ (y :τ ˘ ) ⇒ τ : u then Γ⊢ τ˘ ≡ τ˘ :u 1 2 1 2 1 1 1 Canada Graduate Scholarships – Doctoral Program (CGS D). and Γ,y :τ ˘ ⊢ τ ≡ τ : u and (u ,u ,u) ∈ R. 1 2 2 2 1 2 Andreas Abel was supported by the Swedish Research Coun- Proof. By the Fundamental theorem (Lemma VIII.1) we have cil through VR Grant 2014-04864 Termination Certificates ′ ′ Γ (y :τ ˘1) ⇒ τ2 ≡ (y :τ ˘1) ⇒ τ2 : u (choosing the for Dependently-Typed Programs and Proofs via Refinement identity substitution for θ and θ′). By the sem. equality def., Types and the EU COST Action CA 15123 EUTYPES: Types ′ ′ we have Γ τ˘1 =τ ˘1 : u1 and Γ,y :τ ˘1 τ2 = τ2 : u2 and for Programming and Verification. Francisco Ferreira wants (u1,u2,u) ∈ R. By well-formedness of semantic typing, we to acknowledge the support received from EPSRC grants ′ ′ have Γ ⊢ τ˘1 ≡ τ˘1 : u1 and and Γ,y :τ ˘1 ⊢ τ2 ≡ τ2 : u2. EP/K034413/1 and EP/K011715/1. REFERENCES on Principles of Programming Languages (POPL’08), pages 371–382. ACM Press. Abel, A., Ohman,¨ J., and Vezzosi, A. (2018). Decidabil- Pientka, B. and Abel, A. (2015). Structural recursion over ity of conversion for type theory in type theory. 35th contextual objects. In 13th International Conference on ACM SIGPLAN-SIGACT Symposium on Principles of Pro- Typed Lambda Calculi and Applications (TLCA’15), pages gramming Languages (POPL’18), PACMPL 2(POPL):23:1– 273–287. Leibniz International Proceedings in Informatics 23:29. (LIPIcs) of Schloss Dagstuhl. Abel, A. and Scherer, G. (2012). On irrelevance and algorith- Pientka, B., Abel, A., Ferreira, F., Thibodeau, D., and Zuc- mic equality in predicative type theory. Logical Methods in chini, R. (2019). Cocon: Computation in contextual type Computer Science, 8(1). theory. https://arxiv.org/abs/1901.03378. Bertot, Y. and Castéran, P. (2004). Interactive Theorem Pientka, B. and Cave, A. (2015). Inductive Beluga: Program- Proving and Program Development. Coq’Art: The Calculus ming Proofs (System Description). In 25th International of Inductive Constructions. Springer. Conference on Automated Deduction (CADE-25), Lecture Cave, A. and Pientka, B. (2013). First-class substitutions in Notes in Computer Science (LNCS 9195), pages 272–281. contextual type theory. In 8th ACM SIGPLAN International Springer. Workshop on Logical Frameworks and Meta-Languages: Pientka, B. and Dunfield, J. (2008). Programming with Theory and Practice (LFMTP’13), pages 15–24. ACM. proofs and explicit contexts. In ACM SIGPLAN Symposium Despeyroux, J., Felty, A. P., and Hirschowitz, A. (1995). on Principles and Practice of Declarative Programming Higher-order abstract syntax in Coq. In 2nd International (PPDP’08), pages 163–173. ACM. Conference on Typed Lambda Calculi and Applications Pientka, B. and Dunfield, J. (2010). Beluga: a framework (TLCA ’95), Lecture Notes in Computer Science (LNCS for programming and reasoning with deductive systems 902), pages 124–138. Springer. (System Description). In 5th International Joint Conference Despeyroux, J. and Leleu, P. (1999). Primitive recursion on Automated Reasoning (IJCAR’10), Lecture Notes in for higher order abstract syntax with dependent types. In Artificial Intelligence (LNAI 6173), pages 15–21. Springer. International Workshop on Intuitionistic Modal Logics and Scott, D. S. (1976). Data types as lattices. SIAM Journal on Applications (IMLA). Computing, 5(3):522–587. Despeyroux, J., Pfenning, F., and Schürmann, C. (1997). Werner, B. (1992). A normalization proof for an impredica- Primitive recursion for higher-order abstract syntax. In tive type system with large elimination over integers. In 3rd International Conference on Typed Lambda Calculus International Workshop on Types for Proofs and Programs and Applications (TLCA’97), pages 147–163. Springer. Ex- (TYPES), pages 341–357. tended version available as Technical Report CMU-CS-96- Xi, H. and Pfenning, F. (1999). Dependent types in practical 172, Carnegie Mellon University. programming. In 26th ACM SIGPLAN-SIGACT Symposium Harper, R., Honsell, F., and Plotkin, G. (1993). A framework on Principles of Programming Languages (POPL’99), pages for defining logics. Journal of the ACM, 40(1):143–184. 214–227. ACM Press. Harper, R. and Pfenning, F. (2005). On equivalence and Zenger, C. (1997). Indexed types. Theoretical Computer canonical forms in the LF type theory. ACM Transactions Science, 187(1-2):147–165. on Computational Logic, 6(1):61–101. Hofmann, M. (1999). Semantical analysis of higher-order abstract syntax. In 14th Annual IEEE Symposium on Logic in Computer Science (LICS’99), pages 204–213. IEEE Computer Society. Jacob-Rao, R., Pientka, B., and Thibodeau, D. (2018). Index- stratified types. In 3rd International Conference on For- mal Structures for Computation and Deduction (FSCD’18), LIPIcs, pages 19:1–19:17. Schloss Dagstuhl - Leibniz- Zentrum für Informatik. Nanevski, A., Pfenning, F., and Pientka, B. (2008). Contextual modal type theory. ACM Transactions on Computational Logic, 9(3):1–49. Norell, U. (2007). Towards a practical programming language based on dependent type theory. PhD thesis, Department of Computer Science and Engineering, Chalmers University of Technology. Technical Report 33D. Pientka, B. (2008). A type-theoretic foundation for programming with higher-order abstract syntax and first-class substitutions. In 35th ACM SIGPLAN-SIGACT Symposium