Structural Logical Relations∗

Carsten Schurmann¨ Jeffrey Sarnat IT University of Copenhagen Yale University Copenhagen, Denmark New Haven, CT, USA [email protected] [email protected]

Abstract The proof theoretic strength of the different systems vary significantly. Once the proof assistant question is settled Tait’s method (a.k.a. proof by logical relations) is a pow- and a proof development has begun, there is often no turn- erful proof technique frequently used for showing founda- ing back. If unforeseen challenges in the formalization of tional properties of languages based on typed λ-calculi. a meta-theoretic argument arise, one can find oneself in a Historically, these proofs have been extremely difficult to situation where one is seemingly stuck. This might suggest formalize in proof assistants with weak meta-logics, such that the best proof assistant is necessarily the most expres- as Twelf, and yet they are often straightforward in proof as- sive, but such a perspective is too naive with respect to other sistants with stronger meta-logics. In this paper, we propose considerations that influence the choice of proof assistant. structural logical relations as a technique for conducting In this paper we present a technique called structural these proofs in systems with limited meta-logical strength logical relations that avails proofs by logical relations to by explicitly representing and reasoning about an auxiliary systems with limited meta-logical strength by explicitly rep- logic. In support of our claims, we give a Twelf-checked resenting and reasoning about an auxiliary logic. Proofs by proof of the completeness of an algorithm for checking structural logical relations follow the same line of reasoning equality of simply typed λ-terms. as their informal counterparts. The central idea is to formalize the relevant part of the argument in this auxiliary logic, which we refer to as the assertion logic. Structural logi- 1. Introduction cal relations are therefore best employed in proof assistants based on logical frameworks, such as Twelf, that provide When formalizing meta-theoretic proofs about formal adequate, elegant, and convenient to work with encodings systems, one is usually first confronted with choosing a of proofs in the assertion logic. proof assistant. This decision is usually driven by concerns We show how to formalize structural logical relations in regarding the expressive power of the proof assistant, the practice using the meta-logical framework Twelf. But this trust in its logical foundation, performance, the features of paper is not just about the how, it also highlights some in- the tactic language, and the ease with which we can encode sights into the proof itself. For example, we illustrate that the formal system. a proof by logical relations can be viewed as a recipe to re- For example, Thomas Hales has chosen HOL duce the provability of a theorem to the normalizability of Light [Har96] for his work on the formalization of proofs in the assertion logic. We present the results in such a Kepler’s conjecture. George Necula has chosen variants of way that the reader interested in the nature of logical proofs, the LF type theory for his original work on proof-carrying but not in their formalization, should be able to follow this code [Nec97]. Daniel Lee, Karl Crary, and Bob Harper paper by ignoring the formalized material. have chosen the Twelf system for formalizing the proof To best follow the paper, however, it is important that of the soundness of an SML type system [LCH07] and we distinguish carefully between the logical framework, Georges Gonthier has chosen Coq for his formalized proof in our case LF [HHP93] that serves the formalization of of the four color theorem [Gon05]. The solutions posted to judgments, the assertion logic that we will encode in LF, the POPLmark challenge employ a whole range of different and the meta-logic of Twelf, in which we carry out proofs proof assistants, including Twelf, Coq, Isabelle/HOL, by structural logical relations. Our proofs are construc- Matita, Alpha Prolog, and ATS. tive and executable, laying to rest the common miscon- ∗This research has been funded by the National Science Foundation ception that the meta-logical framework Twelf is unable under grant CCR-0325808. to reason with proofs by logical relations. The FOL∆N

1 system [MM97] has a similar distinction between logical proof using structural logical relations for the same property framework and meta-logic; we suspect that structural logi- is given in Section 4. cal relations would be convenient in that setting as well. Taking a step back, we notice that the logical relation This paper is structured as follows: In Section 2 we defined above relies on two things: structural induction on define the term structural logical relation and give a sim- τ, judgments of the form of J, and connectives “for all” ple yet useful example of an assertion logic, namely min- and “if ... then.” Logical relations are typically formulated imal first-order logic, suitable for reasoning about sim- with the understanding that the induction principle, judg- ply typed languages. In Section 3, we briefly comment ments, and connectives live on the same level. The idea of on the formalization of the technique in the proof assis- structural logical relations is to separate these concepts: in- tant Twelf. We give an introductory example of a struc- duction lives on the meta-level, whereas the judgments and tural logical relations proof, namely the weak normaliza- connectives live elsewhere. To this end, we declare a logic, tion for the simply typed λ-calculus in Section 4 before the assertion logic, that is expressive enough to define both we address the goal of this paper, the completeness of a logical relation in terms of logical connectives and atomic equivalence checking in Section 5. An identifying fea- formulas P that represent the judgments J in the logic. The ture of our structural logical relations proofs is the cut- formulas of our assertion logic that we use throughout this elimination property of the assertion logic. Therefore, we paper are defined by the following. study the features and implications of cut-elimination of the τ assertion logic in Section 6. We conclude with Section 7 Formulas F,G ::= P | F ⊃ G | ∀x .F τ where we discuss implications and possible extensions. The Assumptions ∆ ::= · | ∆,F | ∆, x accompanying Twelf source code [SS08] is available at In the definition of expressions, every variable carries its http://www.twelf.org/slr. own type, which means that we can restrict the universal quantifier to range over well-typed expressions even if these 2. Structural Logical Relations contain free variables. We write eτ for an expression e of type τ and omit the superscript τ whenever it can be easily A proof by logical relations (also sometimes referred to inferred. as Tait’s method) relies on an interpretation of types as re- We define the judgment of derivability in a sequent cal- lations between objects. On paper, these interpretations are culus ∆ ` F by the following rules. If ∆ is ·, then we usually formulated in set theory. In the spirit of intuition- simply drop it from the judgment. ism, we not only want to know that a certain property holds, F ∈ ∆ ∆,F ` G but we would like to be able to produce a constructive wit- ax impR ness of this fact. ∆ ` F ∆ ` F ⊃ G Consider the simply typed λ-calculus. ∆,F ⊃ G ` F ∆,F ⊃ G, G ` H impL Types τ ::= o | τ1 ⇒ τ2 ∆,F ⊃ G ` H τ τ Expressions e ::= x | lam x . e | app e1 e2 ∆, xτ ` F ∆, ∀xτ .F, [eτ /x]F ` H We refer to a property that is logic independent as a judg- allR allL τ τ ment. Examples of judgments J include, for example, e ∆ ` ∀x .F ∆, ∀x .F ` H reduces to a normal form, e weak-head reduces to e0, or e The rules are standard. We let the universal quantifier is βη-equivalent to e0. Given some judgment J(e), a unary range over expressions eτ . We write [eτ /x]F for the usual logical relation [[τ]] can be defined as the smallest set that notion of capture-avoiding substitution. satisfies the following two conditions. For practical reasons we will work with the assertion cut logic with cut. The judgment ∆ ` F is defined by infer- e ∈ [[o]] iff J(e) cut ence rules similar to the ones above except with ` instead e ∈ [[τ2 ⇒ τ1]] iff for all e2, if e2 ∈ [[τ2]] of `, plus one additional rule. then app e e2 ∈ [[τ1]] cut cut The hallmark characteristic of a logical relation is the def- ∆ ` F ∆,F ` G cut cut inition at function types: functions are related if they map ∆ ` G related arguments to related results. A proof by logical relations typically proceeds in two stages: first, it is shown that The rules for defining the atomic formulas P vary for e ∈ [[τ]] implies J(e), then it is shown that, for every e of each structural logical relation. Hence they are defined in type τ, e ∈ [[τ]]. A paper proof for the weak normalization Sections 4 and 5, where we discuss concrete applications of of the simply typed λ-calculus can be found in [Pfe92]; a our technique. We show later in the paper that the choice of

2 inference rules cannot be arbitrary: they must not destroy We write -> (infix) if the dependency is vacuous. Further- the cut-elimination property of the sequent-calculus. more, we write [t:tp] for λ-abstraction, t:tp for type Returning to the definition of structural logical relations, ascription, and juxtaposition for application in the logical we can now define [[τ]] more formally by meta-level induc- framework. tion on τ: Next, we define the syntactic category of terms eτ . If τ is represented by T:tp, then we write tm T for the LF type [[o]](e) = P (e) representing simply typed expressions eτ . The definition 0τ2 0 0 [[τ2 ⇒ τ1]](e) = ∀e . [[τ2]](e ) ⊃ [[τ1]](app e e ) takes advantage of the fact that, in LF, type families may be indexed by LF objects. And more generally, the definition of an n-ary structural logic relation is given by the following formula: tm : tp -> type. lam : (tm T1 -> tm T2) -> tm (T1 => T2). [[o]](e1 . . . en) = P (e1 . . . en) app : tm (T2 => T1) -> tm T2 -> tm T1. [[τ2 ⇒ τ1]](e1 . . . en) 0τ2 0τ2 0 0 = ∀e1 .... ∀en . [[τ2]](e1 . . . en) The type of lam illustrates our use of higher-order abstract 0 0 ⊃ [[τ1]](app e1 e1 ... app en en) syntax, which we use pervasively throughout this paper: variables of the simply typed λ-calculus and assumptions An example of a binary structural logical relation can be about the being well-typed are represented by variables of found in Section 5. Next, we derive the proof obligations LF. justifying a proof by structural logical relations in the unary Formulas of the assertion logic are encoded as LF ob- case. jects of type form. We defer the formalization of atomic cut formulas to the subsequent relevant sections in this paper. 1. If eτ then ` [[τ]](e). (Fundamental Theorem)

cut form : type. 2. ` [[τ]](e) ⊃ P (e). (Escape Lemma) forall : (tm T -> form) -> form.

cut ==> : form -> form -> form. 3. If ` P (e) then ` P (e). (Cut-Elimination) %infix right 10 ==>. 4. If ` P (e) then J(e). (Extraction Theorem) Every sequent derivation of F1,...,Fn ` G can be ade- Note that, instead of deﬁning the structural logical rela- quately represented in LF as an object of type conc G in a tion using meta-level induction, we could have chosen to ex- context u1 : hyp F1, . . . , un : hyp Fn. We distinguish two tend the assertion logic axiomatically by an induction prin- variants of the assertion logic, the one without the cut rule ciple over types. However, this would have not only been is depicted ﬁrst. less convenient, but would have also complicated the cut- hyp : form -> type. elimination proof for our assertion logic, which we discuss conc : form -> type. in Sections 4 and 5. ax : hyp F -> conc F. impr : (hyp F -> conc G) 3. The Meta-Logical Framework Twelf -> conc (F ==> G). impl : conc F -> (hyp G -> conc H) Turning to the formalization of a structural logical rela- -> (hyp (F ==> G) -> conc H). tions argument, we follow [Pfe95], and describe adequate forallr: ({x:tm T} conc (F x)) encodings of the simply typed λ-calculus and the sequent -> conc (forall F). calculus in the logical framework LF [HHP93] using Twelf foralll: {E: tm T} (hyp (F E) -> conc H) notation. First we address the formalization of simple types. -> (hyp (forall F) -> conc H).

cut tp : type. Analogously, every derivation of F1,...,Fn ` G can o : tp. be adequately represented in LF as an object of type conc* => : tp -> tp -> tp. %infix right 10 =>. G. We give the encoding of the cut rule, the others are ob- tained from the former by copying and replacing conc by Any LF object made from arrows => and base types o conc*. corresponds to a well-formed simple type, and vice versa. As => is declared inﬁx, o => o => o is the represen- conc* : form -> type. tation of a function type that expects two arguments. In cut : {F: form} conc* F Twelf, we write type for the kind of a type, and use curly -> (hyp F -> conc* G) braces {t:tp} for dependent types and dependent kinds. -> conc* G.

3 In the following two sections, we demonstrate the use of Next, we deﬁne weak head reduction. structural logical relations for the proof of weak normalization of the simply typed λ-calculus and the completeness of whr beta τ whr an equivalence checking algorithm. app (lam x . e1) e2 → e1[e2/x]

whr 0 λ e1 → e1 4. Normalization of Simply Typed -Terms whr cong whr 0 app e1 e2 → app e1 e2 Our first demonstration of a proof by structural logical relations takes place in the setting of the simply typed λ- calculus. We show that every simply typed λ-term is weakly whr beta executes a β-reduction step, and whr cong defines normalizing, by which we mean that it can be reduced to the congruence closure for weak-head reduction. As an ex- a β-short and η-long normal form. This is different from ample, we give an adequate encoding of the weak-head re- the usual statement of weak normalization to η-short forms. duction judgments and rules in LF. We define two judgments for canonical and atomic forms of well-typed terms eτ , written judgmentally as e ⇑ τ and e ⇓ τ. Canonical forms are defined over the structure of τ whr: tm T -> tm T -> type. and atomic forms are defined over the structure of e. whr_beta: whr (app (lam E1) E2) (E1 E2). whr_cong: whr E1 E1’ u -> whr (app E1 E2) (app E1’ E2). x ⇓ τ1 . . e ⇓ o e ⇑ τ2 We give the LF declarations of the remaining judgments, x,u can o can arr without specifying the encoding of their rules. We will refer e ⇑ o lam xτ1 . e ⇑ τ ⇒ τ 1 2 to them, when we specify lemmas and theorems in Twelf

e1 ⇓ τ2 ⇒ τ1 e2 ⇑ τ2 below. The type families atm app app e1 e2 ⇓ τ1 can : tm T -> type. 0 ∗ 0 Next we define three judgments e −→ e , e −→ e , and atm : tm T -> type. whr 0 e → e . red : tm T -> tm T -> type. red beta reds: tm T -> tm T -> type. τ app (lam x . e1) e2 −→ e1[e2/x] exp eta encode the judgments e ⇑ τ, e ⇓ τ, e −→ e0 and e −→∗ e0, τ e −→ lam x .app e x respectively. The complete encoding of the judgment can 0 be found at [SS08]. e1 −→ e1 cong app1 0 app e1 e2 −→ app e1 e2 4.1. The Structural Logical Relation 0 e2 −→ e2 cong app2 app e e −→ app e e0 1 2 1 2 We shall prove that for every derivation of eτ , there ex- τ ∗ e −→ e0 ists a v , s.t. e −→ v and v ⇑ τ via a unary structural cong lamx τ τ 0 logical relation. The challenge, however, is the choice of lam x . e −→ lam x . e a predicate P . It may come as a surprise that it is suffi- red beta and exp eta define the rules for β-reduction and η- cient to characterize the fact that a term has a normal form expansion, respectively, and rules cong app1, cong app2, without making explicit what the normal form actually is and cong lam define the usual congruence rules. The fol- or how to obtain it. This information, as it turns out, can lowing two rules describe the reflexive transitive closure of be derived from the proof of P in the assertion logic. We −→. extend the assertion logic by three families of atomic predicates hcτ (e), haτ (e), and whτ (e, e0), which stand for eτ has ∗ τ τ e1 −→ e2 e2 −→ e3 a canonical form, e has an atomic form, and e weak-head refl trans 0τ ∗ ∗ reduces to e , respectively. The corresponding proof rules e −→ e e1 −→ e3 are declared as follows.

4 3. If e →whr e0 then e −→ e0.

τ2⇒τ1 τ2 ∆ ` ha (e1) ∆ ` hc (e2) Proof: By straightforward structural inductions. ha app τ1 ∆ ` ha (app e1 e2) Theorem 4.2 (Extraction) All derivations in the sequent

τ τ τ calculus are assumed to be cut-free. Let ∆ = ∆, x 1 , ha 1 (x) ` hc 2 (app e x) τ τ τ x 1 , ha 1 (x ), . . . , xτn , ha n (x ) . hc arr 1 1 n n τ1⇒τ2 ∆ ` hc (e) 1. For all derivations of ∆ ` hcτ (e) there exist derivations of ∆ ` who(e, e0) ∆ ` hco(e0) u1 un o hc wh ··· ∆ ` hc (e) x1 ⇓ τ1 xn ⇓ τn . . . ∆ ` hao(e) .. . .. hc atm v ⇑ τ ∆ ` hco(e) and e −→∗ v. wh beta τ τ ∆ ` wh (app (lam x. e1) e2, e1[e2/x]) 2. For all derivations of ∆ ` ha (e) there exist derivations of τ2⇒τ1 0 ∆ ` wh (e1, e1) wh cong u1 ··· un τ1 0 x ⇓ τ x ⇓ τ ∆ ` wh (app e1 e2, app e1 e2) 1 1 n n .. . .. The formulation of the sequent calculus with cut is extended . . . in the same fashion. We formalize this in LF as follows. v ⇓ τ ∗ hc: tm T -> form. and e −→ v. ha: tm T -> form. 3. For all derivations of ∆ ` whτ (e, e0) there exists a wh: tm T -> tm T -> form. derivation of e →whr e0. ha_app : conc (ha E1) -> conc (hc E2) Proof: By mutual induction on the derivations of ∆ ` -> conc (ha (app E1 E2)). τ τ τ 0 hc_arr : ({x: tm T1} hyp (ha x) hc (e), ∆ ` ha (e), and ∆ ` wh (e, e ). 1. follows from -> conc (hc (app E x))) Lemma 4.1 (1), (3) and rules trans, exp eta, and n1, n2. 2. -> conc (hc E). follows from Lemma 4.1 (2) and rule atm app. 3. follows hc_wh : {E:tm o} conc (wh E E’) from the application of rules whr beta, whr cong. -> conc (hc E’) ext1 : conc (hc E) -> conc (hc E). -> {V} can V -> reds E V -> type. hc_atm : {E: tm o} conc (ha E) -> conc (hc E). ext2 : conc (ha E) wh_beta: conc (wh (app (lam E1) E2) (E1 E2)). -> {V} atm V -> reds E V -> type. wh_cong: conc (wh E1 E1’) ext3 : conc (wh E E’) -> whr E V -> type. -> conc (wh (app E1 E2) (app E1’ E2)). The rules extending conc* are analogous. The next We define the logical relation as a predicate in the asser- lemma and theorem illustrate how we can extract the canon- tion logic, by instantiating P (from the general definition of ical form together with a reduction trace from the cut-free a unary logical relation from Section 2) with hco. τ derivation of ` hc (e). In Twelf, theorems are formalized Definition 4.3 (Logical relation) as relations between universally and existentially quantified derivations. We give the relations as LF type families at the o end of selected proofs. The role that each argument to the [[o]](e) = hc (e) τ2 relation plays can always be read out of the informal state- [[τ2 ⇒ τ1]](e) = ∀e2 . [[τ2]](e2) ⊃ [[τ1]](app e e2) ment of the theorem. lr : {T:tp} (tm T -> form)-> type. lr1: lr o (hc: tm o -> form). Lemma 4.1 (Congruence) lr2: lr T2 F -> lr T1 G -> lr (T2 => T1) ([e: tm (T2 => T1)] 1. If e −→∗ e0 then lam xτ . e −→∗ lam xτ . e0. (forall [e_2:tm T2] (F e2) ∗ 0 ∗ 0 2. If e1 −→ e1 and e2 −→ e2 then ==> (G (app e e2)))) ∗ 0 app e1 e2 −→ app e1 e2.

5 4.2. Meta-Theory Case: τ = τ2 ⇒ τ1. By induction hypothesis, we obtain that for all ∆0

All proofs in the remainder of this section are inductive cut 0 τ1 0τ1 τ1 0 0 over the structure of types, typing derivations, and proofs in ∆ ` ∀e . ∀e . wh (e, e ) ⊃ [[τ1]](e ) ⊃ [[τ1]](e) the assertion logics. No definition of simultaneous substitu- The claim follows from Def. 4.3 and rules tions is needed. No extension of the concept of logical rela- allR, impR, allL, impL, cut, and wh cong. tion to simultaneous substitutions is needed. And finally, no Kripke-style explicit contexts are needed in the definition of cwhe: {T: tp} {F: tm T -> form} lr T F the logical relation. This information is already implicitly -> (conc* (forall [e] forall [e’] contained within the assertion logic proofs. wh e e’ ==> F e’ ==> F e)) -> type. Lemma 4.4 (Escape) 1. For all types τ and assumptions cut ∆, there exists a derivation of ∆ ` ∀eτ . [[τ]](e) ⊃ hcτ (e). Theorem 4.6 (Fundamental) For all types τ and assump- 2. For all types τ and assumptions ∆, there exists a τ1 τ τ cut tions ∆ = x , [[τ ]](x ), . . . , x n , [[τ ]](x ) and for all e derivation of ∆ ` ∀eτ . haτ (e) ⊃ [[τ]](e). 1 1 1 n n n with free variables among x1 . . . xn, there exists a deriva- cut Proof: By mutual induction on τ. tion of ∆ ` [[τ]](e). Case: τ = o. Direct, by reasoning using Def. 4.3 and rules Proof: By induction on the structure of e : τ. allR, impR, and ax. Case: τ = τi, e = xi. Direct, by rule ax.

Case: τ = τ2 ⇒ τ1. By induction hypothesis, we obtain 0 Case: e = app e1 e2. The claim follows from the induc- that for all ∆ cut cut tion hypotheses ∆ ` [[τ]](e1) and ∆ ` [[τ]](e2) using cut 0 τ1 τ1 Def. 4.3 and rules ax, allL, impL. ∆ ` ∀e . [[τ1]](e) ⊃ hc (e) (1) cut 0 τ1 τ1 τn+1 0 ∆ ` ∀e . ha (e) ⊃ [[τ1]](e) (2) Case: e = lam x . e . The claim follows from the in- cut cut τ 0 0 0 τ2 τ2 duction hypothesis ∆, xn+1, [[τn+1]](x) ` [[τ ]](e ) us- ∆ ` ∀e . [[τ2]](e) ⊃ hc (e) (3) cut ing Def. 4.3, Lemma 4.5, and rule wh beta. 0 τ2 τ2 ∆ ` ∀e . ha (e) ⊃ [[τ2]](e) (4) fund: {E:tm T} lr T F 1. Follows by induction hypotheses (1) and (4), us- -> conc* (F E) -> type. ing Def. 4.3 and rules allR, impR, allL, impL, cut, and hc arr. 2. Follows by induction hypotheses (2) and (3), us- In order to complete the proof, we need to appeal to a ing rules allR, impR, allL, cut, and ha app. proof normalization technique for our assertion logic: cut- τ esc1: {T:tp} {F:(tm T) -> form} lr T F elimination. For any well-typed e , after applying the Fun- -> (conc* (forall [e] F e damental Theorem 4.6, followed by the Escape Lemma 4.4, ==> hc e)) -> type. followed by a few applications of the rules cut, foralll, and cut τ esc2: {T:tp} {F:(tm T) -> form} lr T F impl, we obtain a cut-full proof of ` hc (e). The Extrac- τ -> (conc* (forall [e] ha e tion Theorem 4.2, however, requires the proof of ` hc (e) ==> F e)) -> type. to be cut-free. It is this step where the true work of the structural logical relation proof takes place, as we need to eliminate all cuts in order to apply the Extraction Theorem. Lemma 4.5 (Closure under weak head expansion) For Theorem 4.7 (Cut-elimination) Let ∆ denote assump- cut all types τ and assumptions ∆, there exists a derivation tions. Any cut-full sequent derivation of ∆ ` F can be cut of ∆ ` ∀eτ . ∀e0τ . whτ (e, e0) ⊃ [[τ]](e0) ⊃ [[τ]](e) in the converted into ∆ ` F . assertion logic. ce : conc* F -> conc F -> type. Proof: By induction on τ. Proof: See: Pfenning [Pfe95]. The extra cases introduced Case: τ = o. Direct, by reasoning using Def. 4.3 and rules by our atomic propositions all fall into the category of “right allR, impR, ax, and hc wh. commutative conversions.”

6 The following theorem summarizes all the work we have u x ≡ y : τ1 done so far. It shows that the simply typed λ-calculus is . weakly normalizing. . 0 app e x ≡ app e y : τ2 qextx,y,u e ≡ e0 : τ ⇒ τ Theorem 4.8 (Weak normalization) Let τ be a type and 1 2 τ τ 0 e a (closed) well-typed expression; then there exists v , e ≡ e : τ e1 ≡ e2 : τ e2 ≡ e3 : τ ∗ qsymm qtrans s.t. v ⇑ τ and e −→ v. 0 e ≡ e : τ e1 ≡ e3 : τ

We remark that this is not the exact definition of e1 ≡ e2 thm : {E:tm T} {V:tm T} can V given in [Cra05]; however, any derivation of e ≡ e in -> reds E V -> type. 1 2 Crary’s sense can be easily mapped into a derivation of e1 ≡ e2 using the rules above. This has been formally proved in [SS08]. 5. Decidability of Equivalence Checking We sketch the implementation in LF by giving an encoding of judgments and theorems, but neither rules nor proofs. The judgment e ≡ e0 : τ is represented as infix operator ==. The POPLmark challenge [ABF+05] aims to compare different proof systems according to their ability to repre- == : tm T -> tm T -> type. sent and reason about the meta-theory of programming lan- %infix right 8 ==. guages. The proof of soundness and completeness of the equivalence checking algorithm described in [Cra05] is a Second, we formally define the algorithm that decides potential POPLmark challenge problem. Out of the two the equality on terms. Recall the definition of weak head directions, the completeness proof is much more interest- reduction from Section 4, for which we wrote e →whr e0. For ing, because it employs a binary logical relation. A for- its complement, which says that eτ does not weak-head re- whr↓ whr↑ malization of this proof in nominal Isabelle was given re- duce to anything, we declare two judgments e 9 and e 9 cently [NU08]. In the remainder of this section, we demon- mimicking the distinction of atomic and canonical forms. strate how this proof can be formalized in Twelf via binary Their meaning is defined by the following set of rules. structural logical relations. Since many of the judgments, axioms, and inference rules are so similar to the ones in the whr↓ e 9 previous section, we have taken the liberty of reusing their nw lam nw o whr↑ whr↑ names. lam x. e 9 e 9

First, we formally define definitional equality on terms. whr↓ τ 0τ e1 9 We say that two terms e and e are definitionally equiv- nw var nw app τ e ≡ e0 : τ whr↓ whr↓ alent at a type , written judgmentally as and x 9 app e1 e2 9 specified by We define the weak head normalization portion of the 0 0 0 algorithm to quasi normal forms as e e : τ below. e1 ≡ e : τ2 ⇒ τ1 e2 ≡ e : τ2 1 2 qapp 0 0 whr whr↑ app e1 e2 ≡ app e1 e2 : τ1 e1 → e2 : τ e2 e3 : τ e qan red 9 qan nor u e1 e3 : τ e e : τ x ≡ y : τ1 . In LF, we declare the type families . 0 e ≡ e : τ2 nwC : tm T -> type. qabsx,y,u 0 nwA : tm T -> type. lam x. e ≡ lam y. e : τ1 ⇒ τ2 qnf : tm T -> tm T -> type. u whr↓ whr↑ 0 x ≡ y : τ2 for the judgments e 9 , e 9 , and e e : τ, respectively. . Next we define the equivalence algorithm for two well- . τ 0τ 0 0 0 typed expressions e and e via two judgments e ∼ e ↑ τ e1 ≡ e1 : τ1 e2 ≡ e2 : τ2 0 betax,y,u and e ∼ e ↓ τ, whose completeness properties we will 0 0 app (lam x. e1) e2 ≡ [e2/y]e1 : τ1 study in this section.

7 ha_app: conc (ha E1 E1’) -> conc (hc E2 E2’) 0 0 0 0 -> conc (ha (app E1 E2) (app E1’ E2’)). e1 e1 e2 e2 e1 ∼ e2 ↓ o qat base hc_arr: ({x: tm T} hyp (ha x x) e1 ∼ e2 ↑ o -> conc (hc (app E x) (app E’ x))) -> conc (hc E E’). u hc_wh : conc (wh (E1 : tm o) E2) x ∼ x ↓ τ -> conc (hc E2 E’) . . -> conc (hc E1 E’). 0 hc_atm: conc (ha (E : tm o) E’) app e x ∼ app e x ↑ τ2 qat arrowx,u -> conc (hc E E’). 0 hc_sym: conc (hc E’ E) -> conc (hc E E’). e ∼ e ↑ τ1 ⇒ τ2 hc_tr : conc (hc E1 E2) -> conc (hc E2 E3) 0 0 e1 ∼ e ↓ τ2 ⇒ τ1 e2 ∼ e ↑ τ2 -> conc (hc E1 E3). 1 2 qap app 0 0 app e1 e2 ∼ app e1 e2 ↓ τ1 The rules for conc* are defined analogously. The next lemma and theorem illustrate how we can extract the ex- We write ecution trace of the equivalence checking algorithm from algC : tm T -> tm T -> type. a cut-free derivation of hcτ (e, e0). The formulation of the algA : tm T -> tm T -> type. extraction theorem and its proof follow roughly the same structure as Theorem 4.2. for e ∼ e0 ↑ τ and e ∼ e0 ↓ τ, respectively. Lemma 5.1 (Congruence) 5.1. The Structural Logical Relation 0 whr 0 1. If e1 ∼ e2 ↑ τ and e1 → e1 then e1 ∼ e2 ↑ τ. We shall prove that if e ≡ e0 : τ then e ∼ e0 ↑ τ. Follow- whr↓ whr↓ ing the example in Section 4, we extend the assertion logic 2. If e1 ∼ e2 ↓ τ then e1 9 and e2 9 . defined in Section 2 by binary versions of the predicates 0 0 haτ (e, e0) and hcτ (e, e0) at types τ, and the corresponding 3. If e ∼ e ↓ τ then e ∼ e ↓ τ. inference rules. As for weak-head reduction, we simply 4. If e ∼ e0 ↑ τ then e0 ∼ e ↑ τ. reuse the definition of the binary predicate whτ (e, e0) and specify the meaning of the new predicates by the following 5. If e ∼ e0 ↓ τ and e0 ∼ e00 ↓ τ then e ∼ e00 ↓ τ. rules. 0 0 00 00 τ2⇒τ1 0 τ2 0 6. If e ∼ e ↑ τ and e ∼ e ↑ τ then e ∼ e ↑ τ. ∆ ` ha (e1, e1) ∆ ` hc (e2, e2) ha app τ1 0 0 Proof: By straightforward structural inductions. ∆ ` ha (app e1 e2, app e1 e2)

τ τ1 τ2 0 Theorem 5.2 (Extraction) All derivations in the sequent ∆, x1 , ha (x, x) ` hc (app e x, app e x) hc arr calculus are assumed to be cut-free. Let ∆ ` hcτ1⇒τ2 (e, e0) τ1 τ1 τn τn o o 0 ∆ = x1 , ha (x1, x1), . . . , xn : , ha (xn, xn). ∆ ` wh (e1, e2) ∆ ` hc (e2, e ) hc wh τ 0 o 0 1. For all derivations of ∆ ` hc (e, e ) there exists a ∆ ` hc (e1, e ) derivation of ∆ ` hao(e, e0) hc atm u1 ··· un ∆ ` hco(e, e0) x1 ∼ x1 ↓ τ1 xn ∼ xn ↓ τn ...... We also give rules for symmetry and transitivity. e ∼ e0 ↑ τ. ∆ ` hcτ (e0, e) hc sym 2. For all derivations of ∆ ` haτ (e, e0) there exists a τ 0 ∆ ` hc (e, e ) derivation of τ τ ∆ ` hc (e1, e2) ∆ ` hc (e2, e3) u1 ··· un τ hc tr x1 ∼ x1 ↓ τ1 xn ∼ xn ↓ τn ∆ ` hc (e1, e3) ...... 0 In LF all of these rules are encoded as follows: e ∼ e ↓ τ.

8 Proof: By induction on the cut-free assertion logic proofs, Lemma 5.5 (Closure under weak head expansion) For using Lemma 5.1. all types τ and assumptions ∆ , there exists a derivation of

cut τ τ 0τ ext1 : conc (hc E E’) ∆ ` ∀e1 . ∀e2 . ∀e . τ 0 0 -> algC E E’ -> type. wh (e1, e2) ⊃ [[τ]](e2, e ) ⊃ [[τ]](e1, e ) ext2 : conc (ha E E’) and cut τ 0τ 0τ -> algA E E’ -> type. ∆ ` ∀e . ∀e1 . ∀e2 . τ 0 0 0 0 wh (e1, e2) ⊃ [[τ]](e, e2) ⊃ [[τ]](e, e1) in the assertion logic. We define the logical relation as a predicate in the assertion logic by instantiating P (from the general definition of Proof: By induction on τ. Again, the proof follows exactly the same structure as the proof of Lemma 4.5. a binary logical relation from Section 2) with hco. cwhe: {T: tp} {F: tm T -> tm T -> form} Definition 5.3 (Binary logical relation) lr T F -> (conc* (forall [e1] forall [e2] forall [e’] wh e1 e2 ==> o [[o]](e, e0) = hc (e, e0) F e2 e’ ==> F e1 e’)) 0 τ2 0τ2 0 [[τ2 ⇒ τ1]](e, e ) = ∀e2 . ∀e2 . [[τ2]](e2, e2) -> (conc* (forall [e] forall [e1’] 0 0 ⊃ [[τ1]](app e e2, app e e2) forall [e2’] wh e1’ e2’ ==> F e e2’ ==> F e e1’)) lr : {T:tp} (tm T -> tm T -> form)-> type. -> type. lr_o: lr o hc. lr_a: lr T2 F -> lr T1 G -> lr (T2 => T1) ([e] [e’] forall [e2] forall [e2’] (F e2 e2’) Lemma 5.6 (Symmetry) For all types τ, we show that

==> (G (app e e2) (app e’ e2’))) cut ∆ ` ∀eτ . ∀e0τ . [[τ]](e, e0) ⊃ [[τ]](e0, e).

5.2. Meta-Theory Proof: By induction on τ, using Def. 5.3, and rules allR, impR, ax, allL, impL, hc sym, and cut.

Next, we extend all theorems from the previous section sym: lr T F to the binary logical relation. -> conc* (forall[e] forall [e’] F e e’ ==> F e’ e) -> type. Lemma 5.4 (Escape) 1. For all types τ and assump- cut tions ∆, there exists a derivation of ∆ ` ∀eτ . ∀e0τ . [[τ]](e, e0) ⊃ hcτ (e, e0). Lemma 5.7 (Transitivity) For all types τ, we show that

2. For all types τ and assumptions ∆, there exists a τ 0τ 00τ cut τ τ τ 0 0 ∆ ` ∀e . ∀e . ∀e . derivation of ∆ ` ∀e . ∀e . ha (e, e ) ⊃ [[τ]](e, e ). [[τ]](e, e0) ⊃ [[τ]](e0, e00) ⊃ [[τ]](e, e00).

Proof: By induction on τ. The proof follows exactly the Proof: By induction on τ using Def. 5.3, Lemma 5.6, and same structure as the proof of Theorem 4.4, and is hence rules ax, hc trans, allR, impR, allL, impL, and cut. omitted. tr: lr T F -> conc* (forall [e] forall [e’] esc1: {T:tp} {F:(tm T) -> (tm T) -> form} forall [e’’] F e e’ ==> lr T F F e’ e’’ ==> F e e’’) -> (conc* (forall [e] forall [e’] -> type. F e e’ ==> hc e e’)) -> type. esc2: {T:tp} {F:(tm T) -> (tm T) -> form} lr T F -> (conc* (forall [e] forall [e’] Theorem 5.8 (Fundamental) For all types τ and assump- ha e e’ ==> F e e’)) -> type. tions

τ1 τ1 τn τn ∆ = x1 , y1 , [[τ1]](x1, y1), . . . , xn , yn , [[τn]](xn, xn)

9 0 and for all e with free variables among x1 . . . xn and e with 6. Cut-Elimination free variables among y1 . . . yn. For every derivation of Godel’s¨ second incompleteness theorem tells us that no u1 ··· un consistent logic can prove its own consistency, provided the x1 ≡ y1 : τ1 xn ≡ yn : τn logic is powerful enough to express some very basic coding ...... machinery. Through the lens of the Curry-Howard isomor- e ≡ e0 : τ phism, any typed λ-calculus can be viewed as a logic. Both of the example theorems in this paper, weak normalization cut there exists a derivation of ∆ ` [[τ]](e, e0). and the completeness of a decidable equivalence checking algorithm, imply the consistency of the simply typed λ- Proof: By structural induction on e ≡ e0 : τ using calculus when viewed as a logic. This is typical: most Def. 5.3, Lemma 5.5, Lemma 5.6, Lemma 5.7, and rules theorems that are proven using logical relations are essen- ax, allL, allR, impR, impL, cut and wh beta. tially consistency theorems. Thus, it will be impossible to completely formalize any such theorem about a λ-calculus fund: {E:tm T}{E’} E == E’ -> lr T F whose proof-theoretic strength exceeds the proof-theoretic -> conc (F E E’) -> type. * strength of the meta-logic. Recall that, after appealing to the Fundamental Theo- rem 4.6 and Escape Lemma 4.4 in the proof of Theorem 4.8, cut τ Theorem 5.9 (Cut-elimination) Let ∆ denote assump- we obtain a cut-full derivation of ` hc (e). We could have cut tions. Any cut-full sequent derivation of ∆ ` F can be stopped here if we were certain that this were a meaning- converted into ∆ ` F . ful witness to the normalization of e; i.e. if we trusted the consistency of the assertion logic. To be sure, we prove Proof: See: Pfenning [Pfe95]. The extra cases introduced cut-elimination and produce a real witness from the cut-free τ by our atomic propositions all fall into the category of “right derivation ` hc (e). In general, if the meta-logic is proof- commutative conversions.” theoretically stronger than the assertion-logic, then it should be possible to prove cut-elimination explicitly. ce : conc* F -> conc F -> type. Our example proofs by structural logical relations re- duce the validity of a consistency theorem to the consistency of the assertion logic. Because these reductions use only primitive-recursive machinery, the proof-theoretic strength The following theorem summarizes all the work we have of the assertion logic must be at least as great as the proof- done so far. It shows that convertible terms considered theoretic strength of the λ-calculus that we are reasoning equal, can always been recognized as such. about. Thus, to scale our examples to Godel’s¨ T, the assertion logic should provide some notion of induction; to Theorem 5.10 (Completeness) For every derivation of System F, the assertion logic should provide some notion of e ≡ e0 : τ there exists a derivation of e ∼ e0 ↑ τ. second-order quantification. It is worth mentioning that logical consistency is usually Proof: proven using either model-theoretic machinery, transfinite e ≡ e0 : τ by assumption induction, or logical relations. Model theoretic machinery cut is justified by the assumption that set-theory is consistent; ` [[τ]](e, e0) by Theorem 5.8 cut transfinite induction is justified by the assumption that a par- ` ∀eτ . ∀e0τ . [[τ]](e, e0) ⊃ hcτ (e, e0) by Lemma 5.4 ticular ordinal is well founded; a typical logical relations cut τ 0 ` hc (e, e ) by ax, allL, impE argument is justified by appealing implicitly to the valid- τ 0 ` hc (e, e ) by Theorem 5.9 ity of the logical connectives used to define the relation. 0 e ∼ e ↑ τ by Theorem 5.2 Structural logical relations bring these assumptions to the surface. thm: {E:tm T} {E’:tm T} eq E E’ -> algC E E’ -> type. 7. Conclusion

In this paper we describe the technique of structural logical relations and show how to use it to prove inter- All proofs presented in this paper are veriﬁed by esting theorems, such as the completeness of the equiva- Twelf [SS08]. lence checking algorithm for the simply typed λ-calculus.

10 Structural logical relations work well when formalizing Melham, editors, Proceedings of the Eighteenth proofs by logical relations in proof assistants with a proof- International Conference on Theorem Proving theoretically weak meta-logic but good representational in Higher Order Logics, pages 50–65, Ox- support for working with complex data structures, such as, ford, UK, August 2005. Springer Verlag, LNCS for example, proof derivations in a sequent calculus. 3603. We do not claim to be the first to characterize a logical relation in terms of the provability of a logical predicate. [Alt93] Thorsten Altenkirch. A formalization of the Indeed, for informal proofs, the idea goes back to Tait’s strong normalization proof for System F in original paper [Tai67]. However, to our knowledge, this is LEGO. In M. Bezem and J.F. Groote, editors, the first work where we separate the roles of the assertion Proceedings of the International Conference on logic and the meta-logic for the purpose of formalization. In Typed Lambda Calculi and Applications, pages proof assistants with strong induction principles, for exam- 13–28, Utrecht, The Netherlands, March 1993. ple Lego or Coq, logical relations are formalized via induc- Springer-Verlag LNCS 664. tive types [Alt93, BW97, DX06], and reasoned about using [BW97] B. Barras and B. Werner. Coq in Coq. Soumis, elimination forms. Structural logical relations provide not 1997. only an alternative, but they make explicit the logical foun- dations a particular proof is based on. [Cra05] Karl Crary. Logical relations and a case study Proofs by logical relations are popular in large part be- in equivalence checking. In Benjamin C. Pierce, cause they tend to scale well. We believe that our technique editor, Advanced Topics in Types and Program- preserves this property. For example, in Section 4 and 5 we ming Languages, pages 223–244. MIT Press, successfully apply our technique to normalization proofs 2005. about the simply typed λ-calculus. Further experiments, such as normalization properties of the monadic λ-calculus [DX06] Kevin Donnelly and Hongwei Xi. A formaliza- (inspired by [LS05]), and about Godel’s¨ T, have shown that tion of strong normalization for simply-typed the basic structure of the proof remains unchanged but the lambda calculus and System F. In Alberto assertion logic needs to be suitably extended by new infer- Momigliano and Brigitte Pientka, editors, Pro- ence rules. ceedings of Workshop on Logical Frameworks Closely related to our work is that of Andreas and Meta-Languages: Theory and Practice, Abel [Abe08]. He also proves weak normalization di- pages 109–125, Seattle, WA, August 2006. El- rectly in Twelf, albeit only for the simply typed λ-calculus. sevier, ENTCS 174, Issue 5. Though he does not use a logical relation, there are strik- ing similarities between the structure of his proof and ours, [Gon05] Georges Gonthier. A computer-checked proof which should be investigated further. of the four colour theorem. unpublished, 2005. Acknowledgments: We would like to thank Frank Pfen- [Har96] John Harrison. HOL Light: A tutorial introduc- ning for pointing out this interesting problem many years tion. In Mandayam Srivas and Albert Camilleri, ago, and we would also like to thank Andrzej Filinski and editors, Proceedings of the First International Alberto Momigliano for many discussions and comments Conference on Formal Methods in Computer- on earlier drafts of this paper. Aided Design, pages 265–269, 1996. [HHP93] Robert Harper, Furio Honsell, and Gordon References Plotkin. A framework for defining logics. Jour- nal of the Association for Computing Machin- [Abe08] Andreas Abel. Normalization for the simply- ery, 40(1):143–184, January 1993. typed lambda-calculus in Twelf. In Carsten Schurmann,¨ editor, Proceedings of the Fourth [LCH07] Daniel K. Lee, Karl Crary, and Robert Harper. International Workshop on Logical Frame- Towards a mechanized metatheory of standard works and Meta-Languages, pages 3 – 16. El- ML. In Proceedings of the 34th Annual Sympo- sevier, ENTCS 199, February 2008. sium on Principles of Programming Languages, pages 173–184, New York, NY, USA, 2007. + [ABF 05] B. Aydemir, A. Bohannon, M. Fairbairn, ACM Press. J. Foster, B. Pierce, P. Sewell, D. Vytiniotis, G. Washburn, S. Weirich, and S. Zdancewic. [LS05] Sam Lindley and Ian Stark. Reducibility Mechanized metatheory for the masses: The and >>-lifting for computation types. In POPLmark challenge. In Joe Hurd and Tom Pawel Urzyczyn, editor, Proceedings of the

11 Seventh International Conference of Typed Lambda Calculi and Applications, pages 262– 277, Nara, Japan, April 2005. Springer-Verlag, LNCS 3461. [MM97] Raymond McDowell and Dale Miller. A logic for reasoning with higher-order abstract syntax: An extended abstract. In Glynn Winskel, editor, Proceedings of the Twelfth Annual Sympo- sium on Logic in Computer Science, pages 434– 445, Warsaw, Poland, June 1997. IEEE Com- puter Society Press.

[Nec97] George C. Necula. Proof-carrying code. In Neil D. Jones, editor, Proceedings of the 24th Annual Symposium on Principles of Program- ming Languages, pages 106–119, Paris, France, January 1997. ACM Press.

[NU08] Julien Narboux and Christian Urban. Formalis- ing in Nominal Isabelle Crary’s completeness proof for equivalence checking. In Brigitte Pientka and Carsten Schurmann,¨ editors, Pro- ceedings of the Second International Workshop on Logical Frameworks and Meta-Languages, pages 3–18. Elsevier, ENTCS 196, January 2008. [Pfe92] Frank Pfenning. Computation and deduction. Unpublished lecture notes, 277 pp. Revised May 1994, April 1996, May 1992. [Pfe95] Frank Pfenning. Structural cut elimination. In D. Kozen, editor, Proceedings of the Tenth An- nual Symposium on Logic in Computer Science, pages 156–166, San Diego, California, June 1995. IEEE Computer Society Press. [SS08] Jeffrey Sarnat and Carsten Schurmann.¨ Struc- tural logical relations. Project page available at http://www.twelf.org/slr, January 2008.

[Tai67] W. W. Tait. Intensional interpretation of func- tionals of ﬁnite type I. Journal of Symbolic Logic, 32:198–212, 1967.