A Linear Logical Framework

Iliano Cervesato and Frank Pfenning∗ Department of Computer Science Carnegie Mellon University Pittsburgh, PA 15213-3891 {iliano|fp}@cs.cmu.edu

Abstract tuitionistic framework. Consequently the adequacy of the representation is difficult to prove and the formal We present the linear type theory LLF as the for- meta-theory quickly becomes intractable. mal basis for a conservative extension of the LF logical Linear logic [7] provides a view of context formulas framework. LLF combines the expressive power of de- as resources, which can be exploited to model the no- pendent types with linear logic to permit the natural and tion of state, as described for example in [4, 10, 12, 22]. concise representation of a whole new class of deductive The current proposals put the emphasis on the issue of systems, namely those dealing with state. As an exam- representing imperative constructs and resource-based ple we encode a version of Mini-ML with references in- logics, but appear inadequate for reasoning effectively cluding its type system, its operational semantics, and about these representations. On the other hand, intu- a proof of type preservation. Another example is the itionistic type-theoretic frameworks such as LF make encoding of a sequent calculus for classical linear logic the representation of meta-reasoning easy, but do not and its cut elimination theorem. LLF can also be given have any notion of linearity built in. an operational interpretation as a logic programming As a concrete example, consider the problem of rep- language under which the representations above can be resenting a cut-elimination procedure for linear logic. used for type inference, evaluation and cut-elimination. Given the derivation D foralinearsequent∆−→ Θ, this procedure produces an equivalent cut-free derivation D0. Since it operates linearly on the formulas ap- 1 Introduction pearing in it, D would be adequately represented by atermpDqin a linear λ-calculus; the same holds for D0 A logical framework is a formal system designed to . This problem was encoded in LF by representing provide effective representations of deductive systems sequents as types and derivations as proof terms [18]. pDq and their properties. Proposals based on intuitionistic LF is intuitionistic and therefore the linearity of pDq logic and intuitionistic type theory, such as the logical needed to be checked explicitly as a property of , framework LF [9], have been widely used to study log- complicating the meta-theory to the extent that it be- ical formalisms [19] and programming languages [11]. came infeasible and only the cut-elimination algorithm Unfortunately, many constructs and concepts needed in without the linearity check was implemented. On the common programming practice cannot be represented other hand, encoding the same problem in Miller’s lin- in a satisfactory way in these meta-languages. In par- ear meta-logic Forum [12] would map linear sequent ticular, constructs based on the notion of state as found derivations to linear derivations in the meta-language. in imperative languages often escape an elegant formal- But since Forum lacks proof terms, no internal nota- ization by means of these tools. Similarly, logical sys- tion for those entities is provided and cut-elimination tems that, by definition (e.g. substructural logics) or cannot be implemented in this manner. by presentation (e.g. Dyckhoff’s contraction-free intu- In this paper, we propose a conservative extension itionistic sequent calculus [5]), rely on destructive con- of the logical framework LF that permits representing text reductions require awkward encodings in an in- linear objects and reasoning about them. This formal- ∗ ism, that we call Linear LF,orLLF for short, is a This work was supported by NSF Grant CCR-9303383. The type theory featuring linear function types (−◦ ), ad- second author was supported by the Alexander-von-Humboldt- > Stiftung when this paper was completed, during a visit to the De- ditive pairing (&), unit type ( ), and intuitionistic partment of Mathematics of the Technical University Darmstadt. dependent function types (Π). LLF extends the ob-

This extended abstract will appear on the proceedings of the Eleventh Annual IEEE Symposium on Logic in Computer Science — LICS’96, New Brunswick, NJ, July 27–30 1996. jects of LF with linear functional abstraction, additive The language of objects is augmented accordingly with pairs and unit, the corresponding destructors, and their the respective constructors and destructors. Linear equational theory. In order to keep the system simple types operate on linear assumptions which we repre- we restrict the indices of type families to be linearly sent as distinguished declarations of the form xˆ: A in closed so that a type can depend only on intuitionis- the context; we write x: A for context elementsala ` LF tic assumptions, but not on linear variables. While at and call them intuitionistic assumptions.Thesyntax first this may appear to be a strong restriction, the re- of LLF is given by the following grammar (constructs sulting system is surprisingly expressive, allowing the not present in LF are separated by a double bar || ): faithful implementation of cut elimination for classical Objects: M ::= c | x | λx:A. M | M1 M2 linear logic, translations between linear natural deduc- || h i | h M 1 ,M2i|fst M | snd M tion and sequent calculus, and properties of imperative | λxˆ :A. M | M1 ˆM2 languages such as type preservation. Families: P ::= a | PM LLF also maintains the computational nature of LF | and is amenable to an efficient implementation as a Types: A ::= P Πx:A1.A2 || > | | −◦ logic programming language in the style of Elf [15, 17]. A 1 & A 2 A 1 A 2 The experience gained with linearity in the language Kinds: K ::= type | Πx:A. K Lolli [10, 2] applies directly to our formalism. Contexts: Ψ ::= ·|Ψ,x:A || Ψ ,xˆ:A The principal contributions of this work are: (1) the Signatures: Σ ::= ·|Σ,a:K | Σ,c:A definition of a uniform type theory admitting linear en- Here x, c and a range over object-level variables, object tities in conjunction with dependent types; (2) the use constants and type family constants, respectively. In of this system as a logical framework to represent and addition to the names displayed above, we will often reason about problems that are not handled well by use N and B to range over objects and types respec- previous formalisms, either linear or intuitionistic; (3) tively. Moreover, we denote generic terms, i.e. objects, the description of an operational system which consti- types or kinds, with the letters U and V , possibly sub- tutes the first step towards an implementation of this scripted. As usual, we write A → U for Πx : A. U formalism as a linear constraint logic programming lan- whenever x does not occur in the type or kind U. guage. To our knowledge, this is the first linear type The notions of free and bound variables are adapted theory that goes beyond simple types. Our work was from LF (notice the presence of a new binding con- inspired by ideas in [14]. struct: linear λ-abstraction). As usual, we identify The paper is organized as follows. Section 2 de- terms that differ only in the name of their bound vari- scribes LLF and presents major results in its meta- ables and write [M/x]U for the capture-avoiding sub- theory, such as the decidability of type-checking. Sec- stitution of M for x in the term U. Finally we require tion 3 indicates that efficient proof search in the style variables and constants to be declared at most once in of logic programming can be achieved in LLF . Sec- a context and in a signature, respectively. tion 4 illustrates the expressiveness of LLF on an ex- Below we will often need to access the intuitionistic ample featuring imperative computations. Section 5 part of a context. Therefore, we introduce the function presents cut-elimination for classical linear logic as an- Ψdefinedasfollows: other example. Finally, Section 6 assesses the results   · = · and outlines future work.  Ψ,x:A = Ψ,x:A Ψ,xˆ:A = Ψ 2 The Linear Logical Framework LLF We overload this notation and use Ψ to express the fact that the linear portion of the denoted context is In order to facilitate the description of LLF in the constrained to be empty (e.g. in the all rules for type available space, we must assume that the reader is fa- families in Figure 1). miliar with both the logical framework LF [9] and var- The meaning of the syntactic entities of LLF can ious presentations of linear logic [7, 8]. We will also be presented in various forms. Figures 1 and 2 show sparingly take advantage of the natural extension of the a version of the type system for LLF that we call Curry-Howard isomorphism to linear logic by viewing pre-canonical and that is particularly well-suited for types as formulas. proving meta-theoretic properties about this formal- LLF extends the logical framework LF with three ism. The system relies on the following seven judg- connectives from linear logic, seen in this context as ments: type constructors, namely multiplicative implication ` Σ ⇑– Sig (Σ is a pre-canonical signature) −◦ > ( ), additive conjunction (&) and additive truth ( ). `Σ Ψ ⇑– Ctx (Ψ is a pre-canonical context)

2 Signatures ` Σ ⇑– Sig ·`Σ A⇑–type ` Σ ⇑– Sig ·`Σ K⇑–Kind s dot s obj s fam `·⇑–Sig ` Σ,c:A⇑–Sig ` Σ,a:K ⇑–Sig

Contexts

` Σ ⇑– Sig `Σ Ψ ⇑– Ctx Ψ `Σ A ⇑– type `Σ Ψ ⇑– Ctx Ψ `Σ A ⇑– type c dot c int c lin `Σ ·⇑–Ctx `Σ Ψ,x:A⇑– Ctx `Σ Ψ,xˆ:A⇑– Ctx

Kinds `Σ Ψ ⇑– Ctx Ψ,x:A`Σ K ⇑– Kind kc type kc dep

Ψ `Σ type ⇑– Kind Ψ `Σ Πx:A. K ⇑– Kind

Types/type families Ψ `Σ P –↓ type `Σ Ψ ⇑– Ctx Ψ `Σ A ⇑– type Ψ `Σ B ⇑– type fc a fc top fc with Ψ `Σ P ⇑– type Ψ `Σ >⇑–type Ψ `Σ A & B ⇑– type

Ψ `Σ A ⇑– type Ψ `Σ B ⇑– type Ψ,x:A`Σ B⇑– type fc limp fc dep

Ψ `Σ A −◦ B ⇑– type Ψ `Σ Πx:A. B ⇑– type ...... 0 0 Ψ `Σ A –↓ KK≡K Ψ`ΣK⇑–Kind (No fc eq,nofa c) fa eq 0 Ψ `Σ A –↓ K

` 0 ⇑ Σ,a:K,Σ Ψ – Ctx Ψ `Σ P –↓ Πx:A. K Ψ `Σ N ⇑– A fa con fa iapp ` 0 ↓ ` ↓ Ψ Σ,a:K,Σ a – K Ψ Σ PN–[N/x]K

Figure 1. A Pre-canonical Deduction System for LLF, kinds and types

Ψ `Σ K ⇑– Kind (K is a pre-canonical kind) the fact that the interplay of the rules for pre-canonical Ψ `Σ A ⇑– type (A is a pre-canonical type) and pre-atomic objects in Figure 2 guarantees that a Ψ `Σ A –↓ K (A is a pre-atomic family of kind K) pre-canonical object is always in η-long form. More- Ψ `Σ M ⇑– A (M is a pre-canonical obj. of type A) over, it is easy to show that this property is hereditarily Ψ `Σ M –↓ A (M is a pre-atomic object of type A) maintained when substituting a pre-canonical object plus the three judgments for deﬁnitional equality in a pre-canonical type or kind, and by β-reduction. Therefore, all terms satisfying the judgments above U ≡ V (U is deﬁnitionally equal to V ) are in η-long form, although they might contain β- and a judgment for non-deterministically splitting (or redices, and therefore are not necessarily in normal merging, depending on the point of view) the context form. Distinguishing two object-level forms of judg- 0 00 0 00

Ψ=Ψ 1 Ψ (Ψ splits into Ψ and Ψ ). ments instead of just defining one typing judgment is Whenever a property holds uniformly for the five judg- essential in order to achieve this property. It has the ments concerning objects, types and kinds above, we practical effects of avoiding the meta-theoretic complications introduced by explicitly considering the η- take the liberty of writing Ψ `Σ U ⇑––↓ V and then re- ferring to the generic terms U and V . conversion rules. Moreover, it lays the basis for an A few remarks on these judgments are in order prior efficient implementation strategy in which η-expansion to describing the rules in Figures 1–2. The notion of takes place in a preprocessing phase but is not required definitional equality that we consider is the equivalence during the execution. Normalization is then simply β- constructed on the congruence relation built out of the reduction. Instead, a direct extension of the current following β-reduction rules: implementation techniques for LF [17] would require carrying types around in order to handle properly ob- β : fst hM, Ni−→M fst jects of type >. To our knowledge, this is the first β : snd hM, Ni−→N snd formulation of a type theory that focuses uniquely on β :(λxˆ:A. M)ˆN −→ [ N/x]M lapp long forms. It was inspired by Felty’s canonical LF [6]. βiapp :(λx:A. M) N −→ [ N/x]M. The omission of the rules for η-expansion is justified by Traditional presentations of linear logic define the

3 Context splitting/merging 0 00

Ψ=Ψ 1 Ψ s dot s lin1

0 00 · 1 · = · 1 (Ψ,xˆ:A)=(Ψ,xˆ:A) Ψ

0 00 0 00 1 Ψ=Ψ 1 Ψ Ψ=Ψ Ψ s int s lin2

0 00 0 00 1 (Ψ,x:A)=(Ψ,x:A) 1 (Ψ ,x:A) (Ψ,xˆ:A)=Ψ (Ψ ,xˆ:A)

Objects Ψ `Σ M –↓ P Ψ `Σ M ⇑– BA≡BΨ`ΣA⇑–type oc a oc eq Ψ `Σ M ⇑– P Ψ `Σ M ⇑– A

`Σ Ψ ⇑– Ctx Ψ `Σ M ⇑– A Ψ `Σ N ⇑– B oc unit oc pair Ψ `Σ hi ⇑– > Ψ `Σ hM,Ni⇑–A&B ` ⇑ Ψ,xˆ:A Σ M – B Ψ ,x:A`Σ M ⇑–B oc llam oc ilam Ψ `Σ λxˆ :A. M ⇑– A −◦ B Ψ `Σ λx:A. M ⇑– Πx:A. B ...... Ψ`Σ M ⇑– A Ψ `Σ M –↓ BA≡BΨ`ΣA⇑–type oa c oa eq Ψ `Σ M –↓ A Ψ `Σ M –↓ A

0 0 `Σ,c:A,Σ0 Ψ ⇑– Ctx `Σ Ψ,xˆ:A, Ψ ⇑– Ctx `Σ Ψ,x:A, Ψ ⇑– Ctx oa con oa lvar oa ivar 0 0 ` 0 ↓ ` ↓ ` ↓ Ψ Σ,c:A,Σ c – A Ψ,xˆ:A, Ψ Σ x – A Ψ,x:A, Ψ Σ x – A

Ψ `Σ M –↓ A & B Ψ `Σ M –↓ A & B (No rule for >) oa fst oa snd Ψ `Σ fst M –↓ A Ψ `Σ snd M –↓ B 0 00 0 00 ` ↓ ` ⇑ Ψ `Σ M –↓ A −◦ B Ψ `Σ N ⇑– A Ψ=Ψ 1 Ψ Ψ Σ M – Πx:A. B Ψ Σ N – A oa lapp oa iapp Ψ `Σ M ˆN –↓ B Ψ `Σ MN–↓[N/x]B

Figure 2. A Pre-canonical Deduction System for LLF, objects

context ∆ of an intuitionistic sequent ∆ −→ A as ing the commutativity properties of multisets, we use a a multiset of linear formulas. More recent works separate judgment in rule oa lapp to specify that the [8, 10, 18] prefer to refine it as a pair Γ; ∆ of multi- linear context in the conclusion should be split among sets so that the sequent Γ; ∆ −→ A is equi-provable the premisses of this rule. The rules in the upper part with (!Γ, ∆) −→ A in the traditional formulation. The of Figure 2 define it. two components of Γ; ∆ are called the intuitionistic The rules concerning linear objects in Figure 2 define and the linear context, respectively. Our presentation the behavior of linear types. If we ignore the objects adopts the latter strategy by distinguishing intuitionis- and the distinction between the two judgments, they tic (x: A) and linear (xˆ: A) variable declarations. How- correspond to the specification of the familiar rules for ever, in LLF as in LF, an assumption can depend on the linear connectives >,&and−◦ ,presentedinanat- previous declarations; their order is therefore critical ural deduction style. It is easy to prove the equivalence and we must adopt sequences as the representation for to the usual sequent formulation. The objects that ap- contexts. pear on the left of these types record the structure of The constraints on the structure of an LLF con- a natural deduction proof for the corresponding linear text lead to small notational complications. The axiom formulas. rules of linear logic, which close a proof tree, are ap- The dependent function type Πx : A. B that LLF plicable only if the linear context is empty, or if it only inherits from LF generalizes both intuitionistic impli- consists of the formula to be proved. The correspond- cation A → B (customarily defined as !A −◦ B )and ing LLF rules (oa con, oa lvar and oa ivar)relyon the universal quantifier ∀x. B,whereAplays the role the notation ··· to express the same conditions. An- of the type of the (intuitionistic) variable x. other complication arises when it comes to representing With the interpretation above, LLF makes available context splitting for multiplicative connectives. Lack- all the connectives and quantifiers of the freely gener-

4 ated fragment of the language of linear hereditary Har- the computational interpretation of section 3, any LF rop formulas, on which the programming language Lolli program is a valid LLF program and will behave in is based [10]. Additionally, LLF offers the character- exactly the same way. istic features of a type theory: higher-order functions, From the explanation above, it should be clear that proof terms, and type families indexed by arbitrary ob- the normal form of a pre-canonical term is indeed jects, possibly higher-order and linear. canonical (that is, in long βη-normal form). A canoni- In the rules in Figures 1–2, types and kinds are al- cal proof system for LLF can easily be obtained from ways checked using a purely intuitionistic context. This the calculus in Figures 1–2: we replace the equiva- prevents valid types from containing free linear vari- lence rules fa eq, oc eq and oa eq with applications of ables. Loosening this restriction would require admit- the normalization function NF( ) in the rules involving ting linear dependent function types in our language, substitution. NF( ) exists by virtue of strong normal- corresponding to linear quantifiers. Although this in- ization; moreover, by removing the rule oa c,weguar- clusion appears beneficial for certain applications, pre- antee that derivable objects do not contain β-redices, liminary investigations seem to indicate that the conse- and are therefore canonical. We write the canonical quent complications might outweigh the potential ad- derivability judgments in the form Ψ `Σ U ⇑ V (no- vantages. tice the different arrow shape). LLF enjoys the same meta-theoretic properties that hold for LF . The principal results are summarized as 3 Logic Programming with LLF follows:

Theorem The canonical system outlined at the end of the last section is adequate for checking that an object ≡ 0 1. (Church-Rosser property) Whenever U U , has a given type, but not for generating a (canoni- −→ ∗ there is a term V such that U V and cal) term of that type. Similarly to the case of LF,this 0 −→ ∗ −→ ∗ U V ,where is the transitive closure problem, proof-search under the Curry-Howard isomor- −→ of the reduction congruence . phism, can be efficiently mechanized in LLF .Thislays ` ⇑↓ 2. (Unicity of types and kinds) If Ψ Σ U –– V and the basis for converting our formalism into a linear con- ` ⇑↓ 0 ≡ 0 Ψ Σ U –– V are both derivable, then V V . straint logic programming language. 3. (Strong normalization) If Ψ `Σ U ⇑––↓ V is deriv- For the purpose of motivating this statement, let able, then U is strongly normalizing. us cast our system into the usual terminology of logic 4. (Decidability of type checking) It can be recur- programming. We use ‘formula’ instead of ‘type’ and, sively decided whether there exist derivations for given the judgment Ψ `Σ M ⇑ A,wecallAits goal the judgments Ψ `Σ U ⇑––↓ V , `Σ Ψ ⇑– Ctx and and adopt the name ‘program’ for the combined con- ` Σ ⇑– Sig. text Σ, Ψ (overloading ‘,’ to denote concatenation). We 5. (Conservativity over LF ) If Σ, Ψ, U and V do aim at finding a derivation, encoded as M, of the goal not mention linear constructs, then Ψ `Σ U ⇑––↓ V A from the program Σ, Ψ. For this purpose, we want to `LF ⇑↓ is derivable iff Ψ Σ U –– V is derivable in the be able to interpret the connectives (type constructors LF type theory, and similarly for contexts and sig- in our context) of A as search directives and the dec-

natures. 2 larations in Σ, Ψ as partial definitions for the atomic formulas that might appear in the goal, so that pro- The proofs of these results adapt the techniques out- gram formulas need to be accessed only when the goal lined in [9] for LF . However, differently from that is atomic. A proof is goal-oriented if the program is treatment, our ability to work uniquely with η-long accessed only after the goal has been reduced to an forms permits obtaining precisely the canonical terms atomic formula. A proof is focused if every time a pro- that are needed for meta-representation and proof- gram formula is considered, it can be processed up to search. The reader is invited to consult [1] for details. the atoms it defines without needing to access any other Since type checking for LLF is decidable, we can program formula. A proof having both these properties effectively determine if a given term is the represen- is uniform, and a formalism such that every provable tation of a valid derivation from a (potentially linear) goal has a uniform proof is called an abstract logic pro- object logic, which is crucial in applications of a log- gramming language [13]. ical framework. Being a conservative extension over LLF is an abstract logic programming language and LF is important, since all representation techniques, Figure 3 describes a uniform proof system for it. The u adequacy theorems, and examples developed for LF rules for the uniform provability judgment Ψ −→ Σ M : remain valid for LLF . This also means that, under A , in the upper part, process the goal up to an atomic

5 Uniform provability u 0 u 0 u −→ 0 Ψ Σ ,c:A,Σ c : A M : P Ψ,x:A, Ψ −→ Σ x : A M : P Ψ , Ψ −→ Σ x : A M : P ou con ou ivar ou lvar u 0 u 0 u Ψ −→ Σ ,c:A,Σ0 M : P Ψ,x:A, Ψ −→ Σ M : P Ψ,xˆ:A, Ψ −→ Σ M : P

u u Ψ −→ Σ M : A Ψ −→ Σ N : B ou unit ou pair u u Ψ −→ Σ hi : > Ψ −→ Σ h M,Ni : A&B

u u Ψ `Σ A ⇑ type Ψ,xˆ:A−→ Σ M : B Ψ ` Σ A ⇑ type Ψ,x:A−→ Σ M : B ou llam ou ilam u u Ψ −→ Σ λxˆ :A. M : A −◦ B Ψ −→ Σ λx:A. M :Πx:A. B

Immediate entailment oi atm u Ψ −→ Σ M : P M : P

u u Ψ −→ Σ fst M : A N : P Ψ −→ Σ snd M : B N : P oi fst oi snd u u Ψ −→ Σ M : A & B N : P Ψ −→ Σ M : A & B N : P

00 u 0 0 u 0 0 00

Ψ −→ Σ M ˆM : B N : P Ψ −→ Σ M : A Ψ=Ψ 1 Ψ oi lapp u Ψ −→ Σ M : A −◦ B N : P

u 0 0 0 Ψ −→ Σ MM :NF([M/x]B) N : P Ψ `Σ M ⇑ A oi iapp static u Ψ −→ Σ M :Πx:A. B N : P

u 0 0 u 0 Ψ −→ Σ MM :NF([M/x]B) N : P Ψ −→ Σ M : A oi iapp dynamic u Ψ −→ Σ M :Πx:A. B N : P

Figure 3. A Uniform Deduction System for LLF

formula, then select an assumption from the program We should stress that this is just the first step to- (rules ou con, ou lvar and ou ivar) and pass it to wards the specification of LLF as a logic programming u the immediate entailment judgment Ψ −→ Σ M : A language. In particular, a number of non-deterministic N : P that decomposes it until it matches the goal choices remain implicit in Figure 3. Specifically, no (rule oi atm). The term A in the program formula strategy is provided to split the context in rule oi lapp Πx:A. B can be viewed either as the type of the term (resource management non-determinism); no execution M 0 to which the variable x should be instantiated (rule order is specified for the premisses of rule oi lapp and oi iapp static), or as a formula to be proved by proof- oi iapp (conjunctive non-determinism); no criterion search (rule oi iapp dynamic); a complete discussion is given in order to pick a program formula when a on this aspect can be found in [1]. Notice that types goal is atomic in rules ou con, ou lvar and ou ivar in Figure 3 are checked for being canonical in rules (disjunctive non-determinism); and finally, no recipe 0 ou llam, ou ilam and oi iapp static, therefore this is given to choose the instantiating object M in rule deduction system does not replace, but extends the full oi iapp static (existential non-determinism). We ex- canonical system. pect to be able to adapt standard techniques [16] to our This system is sound and complete with respect to linear setting in order to handle these issues effectively. the canonical calculus outlined at the end of Section 2. 4 An Example: Reasoning about Im- u Theorem Ψ −→ Σ M : A iff Ψ `Σ M ⇑ A perative Computations

Proof: After a proper generalization to handle atomic In [4] Chirimar demonstrates how Forum [12], a derivability and immediate entailment, we proceed by meta-logic based on classical linear logic, can serve as structural induction on the derivations in the hypothe- a natural meta-language for specifying UML,aver-

ses. See [1] for details. 2 sion of Mini-ML with references and continuations. In

6 Γ ` e : τ Γ ` e : τ ref Γ ` e1 : τ ref Γ ` e2 : τ (References ) ofe ref ofe deref ofe assign Γ ` ref e : τ ref Γ ` ! e : τ Γ ` e1 := e2 :1

Γ ` [v/x]e : τ Γ ` e1 : τ1 Γ,x:τ1 è2 :τ2 (Definitions) ofe letv ofe let Γ ` letv x = v in e : τ Γ ` let x = e1 in e2 : τ2 0 ∆`S:∆ ∆`v:τ (Cells) ofc empty ofc cell ∆ `·:· ∆ ` (S, c = v):(∆0,c:τ) 0 ∆ ` S :∆ ∆`v:τ ∆,c:τ `w :τ (Answers) off loc off new ∆ ` (S, v):τ ∆ ` new c. w : τ

Figure 4. Some Typing Rules for MLR

this section we sketch a similar (and executable) spec- Values v ::= ...|x|ref c ification of Mini-ML with references (MLref )inLLF States S ::= ·|S, c = v and then show how to implement the proof of type Answers w ::= (S, v) | new c. w preservation for MLref . Among other things, our en- To express the basic judgments we also need contin- coding indicates that the classical operators of Forum uations and contexts. Contexts declare types for vari- are not essential in this example; this observation ex- ables and reference cells, store contexts only for cells. tends to a broad class of applications in the theory of programming languages. It furthermore demonstrates Contexts Γ ::= ·|Γ,x:τ |Γ,c:τ how the combination of linear and dependently typed Store contexts ∆ ::= ·|∆,c:τ terms can be employed to mechanize the meta-theory Continuations K ::= init | K; λx. e of languages with state at a very high level of abstrac- A continuation is either initial or constructed by adding tion which is not achievable in other frameworks. an instruction to a continuation. We can think of con- The complete LLF code for this example can be tinuations functionally (in which case init is the iden- found in [3]. There and in this section, we adopt a tity and “;” is function composition) or as a stack of concrete syntax analogous to that of Elf [17]. In par- instructions. MLref is represented using standard tech- ticular, we use {x:A}B for Πx : A. B, simplifying it to niques of higher-order abstract syntax; no linearity is A->Bor B<-Awhenever possible. We adopt -o or needed at this level. An important point about the o- for −◦ , & for & and for >. We denote the ob- representation is that the spaces of expressions exp, ˆ jects hi, hM, Ni, λx:A. M, λx:A. M and MˆN as (), values val, cells cell,answersfinal, and continua- (M,N), [x:A]M, [xÂ]M and M^N, respectively. When- tions cont are all separate types, with some explicit ever possible, we keep the types implicit in the binding coercions between them. This is necessary since the constructs. framework lacks subtyping. Note also that there are ref The polymorphism in ML is restricted to val- no constructors of type cell in the signature: they are ues [21] which seems to be generally accepted as supe- only introduced as parameters during the execution of rior to SML’s imperative type variables. We achieve a program when storage cells are allocated. this by distinguishing two forms of let.Weusex We have four typing judgments: to stand for variables and c to stand for addresses of Γ ` e : τ (e has type τ) cells which may be updated imperatively. In the in- Γ ` K : τ ⇒ τ (K maps values in τ to answers in τ ) formal presentation we think of values as a subset of 1 2 1 2 ∆ ` S :∆0 (Cells of S have types prescribed in ∆0) all possible expressions and overload constructors be- ∆ ` w : τ (Answer w has type τ) tween values and expressions as usual. The implementation distinguishes them as different LLF types. We respectively represented, following the usual elide the standard expression and value constructors judgments-as-types methodology of LF,asthe and destructors for natural numbers, unit, pairs, func- type families tions and recursion. ofe: exp -> tp -> type. Types τ ::= nat | 1 | τ1 × τ2 | τ1 → τ2 | τ ref ofk: cont -> tp -> tp -> type. Expressions e ::= v | ...|ref e | ! e | e1 := e2 ofc: cell -> tp -> type. | let x = e1 in e2 | letv x = v in e off: final -> tp -> type.

7 S.K;λx. ref x ` e,→w S, c = v.K`ref c,→w ex ref ex ref1 S.K`ref e,→w S.K`ref v,→new c. w

0 00 0 00 S ,c=v, S .K`v,→w S ,c=v2,S .K`hi,→w ex deref1 ex assign2 0 00 0 00 S ,c=v, S .K`!(ref c) ,→ w S ,c=v1,S .K`ref c := v2 ,→ w S.K`[v/x]e,→w S.K`[v/x]e,→w ex letv ex return ex init S.K`letv x = v in e,→w S.K;λx. e ` v,→w S.init ` v,→(S, v)

Figure 5. Some Evaluation Rules for MLR

The type of the store is represented in a distributed type exec pKq (ev peq) pwq,whereev is merely a fashion with a separate typing assumptions for each coercion from expressions exp to machine instructions cell. We show some of the critical rules defining these inst which also encompass values v, which are coerced judgments in Figure 4. as (return pvq). The state S is represented by an LLF In the rule for letv it may be desirable to also check context with a linear hypothesis for every cell in S: that v has at least some type, but this is not necessary p·q = · to prove type preservation. In practice, one would of pS, c = vq = pSq,c:cell,c0ˆ:contains c pvq course implement this rule by computing a principal A derivation of a judgment is represented by a canoni- type scheme for v, but we consider this an optimiza- cal object of the corresponding type under the context tion which is orthogonal to our declarative system. The obtained by translating the state. So if Ex :: (S.K` sample declarations below implement the first four in- e,→w)then ference rules in Figure 4. Free variables in a declaration p q` pE q⇑ p q p q p q are implicitly Π-quantified with a type which is deter- S Σ x exec K (ev e ) w mined during LLF type reconstruction. Conversely, a canonical object of such a type in a ofe_ref: ofe (ref E) (rf T) context of this form always represents a derivation of <- ofe E T. the corresponding judgment. In fact, the representa- ofe_deref: ofe (deref E) T tion function pq is a compositional bijection between <- ofe E (rf T). canonical LLF objects of the type above and deriva- ofe_assign: ofe (assign E1 E2) 1 tions of the evaluation judgment. In this way LLF <- ofe E1 (rf T) objects directly represent imperative computations. <- ofe E2 T. As an example, we show the concrete represen- ofe_letv: ofe (letv V ([x:val] E x)) T tations of the rules that create cells (ex_ref1), <- ofe (E V) T. derefence cells (ex_deref1), and change their value The continuation-based operational semantics eval- (ex_assign2). We use a single auxiliary judgment uates an expression e given a state S and a continuation read with exactly one rule to obtain the contents of K to an answer w which encapsulates the final state. a cell without changing the state. We write S.Kè,→w. Weshowsomeofthecriti- exec : cont -> inst -> final -> type. cal rules concerned with state in Figure 5. Recall that contains : cell -> val -> type. ref v is not a value, but that ref c is. The last two read : cell -> val -> type. rules show that values are returned by applying the rd : read C V o- contains C V o- . continuation or constructing the final answer. In rule ex ref1, the cell c must be new, that is, not ex_ref1 : exec K (ref1 V1) (new* W) occur in S, K,orv. Note that the evaluation rule o- ({c:cell} contains c V1 for the polymorphic let, letv, matches the typing rule, -o exec K (return (ref* c)) (W c)). which is critical in the proof of the type preservation ex_deref1 : exec K (deref1 (ref* C)) W theorem below. o- read C V1 & exec K (return V1) W. The representation of the evaluation judgment once ex_assign2 : exec K (assign2 (ref* C1) V2) W again follows the judgments-as-types methodology, but o- contains C1 V1 we treat the state S specially as will be discussed be- o- (contains C1 V2 low. A judgment S.Kè,→wis encoded as the -o exec K (return unit*) W).

8 Thecompletesignaturemaybeexecutedasa Note that in this representation the first index ob- logic program with queries of the form Ex : ject of tpex (i.e., a derivation of exec K I W)islinear. exec init (ev peq) W for a closed expression e.Ifsuc- In other words, we need the full power of the linear log- cessful, W will be instantiated to the final answer and ical framework for this representation. Note that the Ex to its computation; if it fails (which may happen meta-reasoning is also linear which stands in contrast if e is not well-typed in MLref ) or does not terminate, to the cut elimination example given below, where the then e has no value in the given operational semantics. index objects (linear sequent derivations) are linear, The last inference rule in the evaluation judgment in but the meta-theory is implemented completely intu- Figure 5 pairs up the state S with a value v to obtain itionistically. the final answer (S, v). Since the state is represented in In the example above, the variable et2 bound by a distributed fashion, this must be implemented by a the dependent type {et2:contains C1 V2} is quan- new type family, close, which transfers each cell from tified intuitionistically because the framework lacks a the context to the final answer. linear quantifier. The application (Ex2 ^ et2) in the The type preservation theorem relates the type of first argument of tpex is nonetheless well-typed, since an expression to be evaluated to the type of the final we can apply a linear function (Ex2) to intuitionistic answer. It is stated as follows: arguments (et2), but not vice versa. For closed computations (and these are the ones we are ultimately in- ` → Theorem (Type Preservation) If S.K e, w terested in) this is irrelevant and thus the intuitionistic ` ` ⇒ ` and ∆ S :∆,∆ K:τ σ,and∆ e:τthen quantifier suffices for this and many other examples we ` ∆ w : σ. have examined. Proof: The proof proceeds by structural induction on the derivation Ex :: (S.KÈ,→w), applying in- 5 Another Example: Cut Elimination version to obtain the typing derivations necessary to in Classical Linear Logic

appeal to the induction hypothesis. 2 While our development differs in some aspects from A structural proof of the cut-elimination theorem for the formulations and proofs given in the literature (see, classical linear logic was given in [18], together with an for example, [21] or [23]), our main contribution is LF formulation of a sequent calculus for it. Since LF is not the proof itself, but its high-level implementation. intuitionistic, the first step of this encoding consisted We can indeed capture its computational contents but, in representing the inference rules of this logic with- as usual in LF, the fact that our code represents a out concern for the restrictions they impose on the use proof needs to be checked as an external property [20]. of context formulas. Only in a second phase were the The encoding takes the form of a relation between the resulting derivations checked for linearity. The com- derivations involved in the statement of type preser- plications originating from this indirection prevented a vation. No lemmas or auxiliary judgments regarding direct formalization of linear cut-elimination: the en- state are required (except in the proof of the ade- coding of this procedure applied to generic derivations. quacy theorem for the representation) since the linear Fortunately, the specific proof under consideration had framework provides the necessary mechanisms inter- the property that each case in it maintained linearity. D nally. Space does not permit a detailed discussion, so Therefore, given a linear derivation , the represented we only show the declaration of the type family and the procedure yielded an equivalent (and linear) cut-free D0 D most complicated case. Each declaration in the full sig- derivation . The linearity of had however to be nature corresponds to exactly one case in the induction checked explicitly. proof. The case given below treats the updating of a In this section, we encode the same problem in LLF . reference cell. The novel features of our framework permit a faithful representation of the linearity constraints each infer- tpex : exec K I W -> ofk K T S -> ofi I T -> off W S -> type. ence rule imposes on its context formulas. Therefore, only correct linear derivations can be built, so that tpex_assign2 : we can dispense with encoding the tedious linearity tpex (ex_assign2 ^ ([et2^contains C1 V2] Ex2êt2) ^ Et1) Ok (ofi_assign2 Ov2 (ofv_ref Oc)) Of check. The cut-elimination procedure is implemented o- tpct Et1 Oc Ov1 as in [18], with the difference that it operates on the o- ({et2:contains C1 V2} representation of linear derivations as linear LLF ob- tpct et2 Oc Ov2 jects, and that its correctness does not depend on side- -o tpex (Ex2 ^ et2) Ok conditions. The complete code for this example can be (ofi_return (ofv_unit)) Of). found in [3].

9 Axioms I Ψ; A −→ A ;Θ ...... Connectives Ψ; Γ −→ ∆; Θ 1 1r 1l Ψ; ·−→1;Θ Ψ; Γ, 1 −→ ∆; Θ

Ψ; Γ1 −→ A, ∆1;Θ Ψ;Γ2 −→ B,∆2;Θ Ψ; Γ,A,B −→ ∆; Θ ⊗ ⊗r ⊗l Ψ; Γ1, Γ2 −→ A ⊗ B,∆1,∆2;Θ Ψ; Γ,A ⊗ B −→ ∆; Θ

> >r (No > l) Ψ; Γ −→ > , ∆; Θ Ψ; Γ −→ A, ∆; Θ Ψ; Γ −→ B,∆; Θ Ψ; Γ,A−→ ∆; Θ Ψ; Γ,B −→ ∆; Θ & &r &l1 &l2 Ψ; Γ −→ A & B,∆; Θ Ψ; Γ,A&B −→ ∆; Θ Ψ; Γ,A&B −→ ∆; Θ Ψ; Γ,A−→ ∆; Θ Ψ; Γ −→ A, ∆; Θ ⊥ ⊥ ⊥ r l ⊥ ⊥ Ψ; Γ −→ A , ∆; Θ Ψ; Γ,A −→ ∆; Θ Ψ; ·−→A;Θ Ψ,A;Γ−→ ∆; Θ ! !r !l Ψ; ·−→!A;Θ Ψ; Γ, !A −→ ∆; Θ Ψ; Γ −→ ∆; A, Θ Ψ; A −→ · ;Θ ? ?r ?l Ψ; Γ −→ ? A, ∆; Θ Ψ; ?A −→ · ;Θ ...... Structural rules Ψ,A;Γ,A−→ ∆; Θ Ψ; Γ −→ A, ∆; A, Θ !d ?d Ψ,A;Γ−→ ∆; Θ Ψ; Γ −→ ∆; A, Θ

Cut rules Ψ; Γ1 −→ A, ∆1;Θ Ψ;Γ2,A−→ ∆ 2 ;Θ cut Ψ; Γ1, Γ2 −→ ∆ 1 , ∆ 2 ;Θ Ψ; ·−→A;Θ Ψ,A;Γ−→ ∆; Θ Ψ; Γ −→ ∆; A, ΘΨ;A−→ · ;Θ cut! cut? Ψ; Γ −→ ∆; Θ Ψ; Γ −→ ∆; Θ

Figure 6. The Sequent Calculus System LV

We consider the fragment of propositional classical giveninFigure6.TheLV sequent above is equiprov- linear logic defined by the following grammar: able to the more traditional !Ψ, Γ −→ ∆ , ?Θ, as shown ⊥ in [18]. This presentation isolates the intuitionistic rea- A ::= P | 1 | A ⊗ A |>|A &A |A |!A |?A 1 2 1 2 soning in the outer zones of the sequents rather than where P ranges over propositional letters. The remain- restricting the structural rules of contraction and weak- ing connectives are all definable. A direct treatment ening to exponential formulas only. The removal of would increase the length of proofs and encodings, but these rules is central to our proof of cut elimination. not their difficulty. A straightforward extension to en- Notice that the distinction between linear and intu- compass quantifiers adapts the techniques presented itionistic zones in LV causes the refinement of the fa- in [19] and is included in [3]. We encode formulas as miliar cut rule into three rules. As we will see, all are canonical LLF objects of type o. As in the previous admissible. example, the linear aspects of our meta-language are We represent the occurrence of a formula in each not needed at this level. zone of the sequent above by means of the following As in [18, 19], we rely on the four-zoned sequents type families, respectively: Ψ; Γ −→ ∆; Θ neg! : o -> type. neg : o -> type. to capture the notion of derivability. Here, Ψ, Γ, ∆ and pos : o -> type. pos? : o -> type. Θ are multisets of implicitly labeled formulas. A de- Derivability itself is captured by the type # with the ductive system for this formulation, that we call LV,is intent that if D is a cut-free derivation of the sequent

10 A1,...,Ai;B1,...,Bj −→ C 1 ,...,Ck;D1,...,Dl, We transliterate the statement of the admissibility with propositional letters among p1,...,p n,then lemma as the type families p1:o, ..., pn:o, ad : (pos A -o #) -> (neg A -o #) -> # -> type.   a1:neg! pA1q, ..., ai:neg! pAiq,  ad!: (pos A -o #) -> (neg! A -> #) -> # -> type.   ad?: (pos? A -> #) -> (neg A -o #) -> # -> type. b1ˆ: neg pB1q, ..., bjˆ:neg pBj q,  `Σ pDq ⇑ #   c1ˆ: pos pC1q, ..., ckˆ:pos pCkq, Each case in the proof above is represented by an d1 :pos? pD1q, ..., dl:pos? pDlq LLF declaration of the appropriate type. We show is derivable in LLF . Notice that the formulas in the three declarations: linear zones are represented as linear LLF assumptions ad_times : while the formulas in the outer zones correspond to ad ([p^]timesr ^ ([p1^]D1^p1) ^ ([p2^]D2^p2) ^p) intuitionistic hypotheses. In order to achieve the rep- ([n^]timesl ^ ([n1^]E1^n1^n)) F resentation above for derivations, we encode each in- <- ({n2}ad ([p1^]D1^p1) ([n1^]E1^n1^n2) (E1’^n2)) ference rule so that it respects the zones policy. We <- ad ([p2^]D2^p2) ([n1^]E1’^n1) F. show the LLF declarations corresponding to rules ⊗ r, ad!_d : ?l and !d: ad! ([p^]D!^p) ([n!] !d ^ ([n^]E1 n!^n) n!) F <- ({n1}ad! ([p^]D!^p) ([n!]E1 n!^n1) (E1’^n1)) timesr : (pos A -o #) -o (pos B -o #) <- ad ([p^]D!^p) ([n1^]E1’^n1) F. -o (pos (A times B) -o #). adl_withr : ?l : (neg A -o #) !d : (neg A -o #) ad ([p^]withr^([p1^]D1^p^p1,[p2^]D2^p^p2)^P) -> (neg (? A) -o #). -o (neg! A -> #). ([n^]E^n) (withr^([p1^]D1’^p1,[p2^]D2’^p2)^P) Notice that −◦ at the level of derivations (i.e. just be- <- ({p1} ad ([p^]D1^p^p1) ([n^]E^n) (D1’ ^ p1)) & ({p2} ad ([p^]D2^p^p2) ([n^]E^n) (D2’ ^ p2)) fore #) implements access to the linear part of the context. In other positions, it permits the flow of linear As usual, the cut elimination theorem follows by a assumptions among the premisses and conclusion of simple structural induction from admissibility. It can the represented rule. Instead, → allows accessing in- also be formalized in LLF as shown in [3]; we omit the tuitionistic hypotheses and enforces constraints on the straightforward details here. contents of the linear context (e.g. in !d). The critical step in proving cut elimination is show- 6 Conclusion and Future Work ing that the cut rules are admissible, i.e. that any (cut- free) derivation of their premisses can be transformed In this paper, we have developed an LF -style type into a cut-free derivation of their conclusion. Formally, theory based on linear logic and provided examples of we have the following theorem: its use as a logical framework in the theories of programming languages and substructural logics. Addi- Theorem (Admissibility of cut, cut! and cut?) tional substantial case studies we have completed in- i. Given cut-free derivations D :: Ψ; Γ1 −→ A, ∆1;Θ clude translations between minimal linear natural de- and E :: Ψ; Γ2,A−→ ∆ 2 ;Θ, there exists a cut-free duction and sequent calculus, as well as a number of derivation F of Ψ; Γ1, Γ2 −→ ∆ 1 , ∆ 2 ;Θ; puzzles and solitaires. The interested reader may ac- ii. Given cut-free derivations D :: Ψ; ·−→A;Θ and cess them on the World-Wide Web at [3]. E :: Ψ,A;Γ −→ ∆; Θ, there exists a cut-free LLF conservatively extends LF with constructs derivation F of Ψ; Γ −→ ∆; Θ; from linear logic. We can think of it as the type the- iii. Given cut-free derivations D :: Ψ; Γ −→ ∆; A, Θ ory freely generated from the type constructors >,&, and E :: Ψ; A −→ · ;Θ, there exists a cut-free −◦ , and Π. This choice of constructors is complete in derivation F of Ψ; Γ −→ ∆; Θ. the sense that they suffice to represent full intuitionistic or classical linear logic, as our example in Section Proof: The three parts of this statement are proved 5 shows. Further, adding any other linear connective simultaneously by induction on the lexicographic order as a free type constructor destroys the property that defined by 1) the structure of A, 2) the convention that canonical forms exist. This property is crucial in the (i)issmallerthanboth(ii)and(iii), 3) the structure proofs of adequacy theorems for encodings and also for of D and E inthecaseof(i), of only E for (ii), and the completeness of uniform derivations and thus the of only D inthecaseof(iii). In order to make this view of LLF as a logic programming language. induction truly structural we have to consider linear LLF generalizes other formalisms based on linear proof terms instead of full derivations D and E;further logic such as Forum [12] by making linear objects avail-

technical details are given in [18]. 2 able for representations, by permitting proof terms and

11 by providing linear types. Our approach is orthogonal [9] R. Harper, F. Honsell, and G. Plotkin. A framework to general logics in the style of LU [8]. for defining logics. Journal of the Association for Com- A slightly unpleasant feature of the type theory in puting Machinery, 40(1):143–184, Jan. 1993. its current form, from the practical point of view, is [10] J. S. Hodas and D. Miller. Logic programming in the insistence on dealing only with pre-canonical forms. a fragment of intuitionistic linear logic. Information and Computation, 110(2):327–365, 1994. Extended ab- Ideally the input would be η-expanded to long form, stract in the Proceedings of the Sixth Annual Sympo- say, concurrently with type reconstruction and then the sium on Logic in Computer Science, Amsterdam, July long form would be maintained throughout the com- 15–18, 1991. putation as proposed here. We plan to consider such [11] S. Michaylov and F. Pfenning. Natural semantics and an extension in future work. Another possible exten- some of its meta-theory in Elf. In L.-H. Eriksson, sion we intend to investigate is a generalization of & L. Hallnäs, and P. Schroeder-Heister, editors, Proceed- and −◦ to linear Σ and Π types, respectively. It cur- ings of the Second International Workshop on Exten- rently appears that this would greatly complicate the sions of Logic Programming, pages 299–344, Stock- type theory while it is not clear how much would be holm, Sweden, Jan. 1991. Springer-Verlag LNAI 596. gained. We would also like to explore the possibility of [12] D. Miller. A multiple-conclusion meta-logic. In S. Abramsky, editor, Ninth Annual Symposium on automatically verifying that a signature implements a Logic in Computer Science, pages 272–281, Paris, meta-proof of a meta-theorem analogously to schema- France, July 1994. IEEE Computer Society Press. checking for LF [20]. [13] D. Miller, G. Nadathur, F. Pfenning, and A. Scedrov. In the more immediate future, we plan to release a Uniform proofs as a foundation for logic programming. concrete implementation of LLF as a conservative ex- Annals of Pure and Applied Logic, 51:125–157, 1991. tension of the logic programming language Elf (which [14] D. Miller, G. Plotkin, and D. Pym. A relevant analysis mechanizes LF ) and to augment our already rich li- of natural deduction. Talk given at the Workshop on brary of LLF examples. Logical Frameworks, B˚astad, Sweden, May 1992. [15] F. Pfenning. Logic programming in the LF logical framework. In G. Huet and G. Plotkin, editors, Logi- References cal Frameworks, pages 149–181. Cambridge University Press, 1991. [16] F. Pfenning. Computation and deduction. Unpub- [1] I. Cervesato. A Linear Logical Framework.PhDthe- lished lecture notes, revised May 1994, May 1992. sis, Dipartimento di Informatica, Università di Torino, [17] F. Pfenning. Elf: A meta-language for deductive sys- Feb. 1996. tems. In A. Bundy, editor, Proceedings of the 12th [2] I. Cervesato, J. S. Hodas, and F. Pfenning. Efficient International Conference on Automated Deduction, resource management for linear logic proof search. In pages 811–815, Nancy, France, June 1994. Springer- R. Dyckhoff, H. Herre, and P. Schroeder-Heister, ed- Verlag LNAI 814. System abstract. itors, Proceedings of the 5th International Workshop [18] F. Pfenning. Structural cut elimination in linear on Extensions of Logic Programming, pages 67–81, logic. Technical Report CMU-CS-94-222, Depart- Leipzig, Germany, Mar. 1996. Springer-Verlag LNAI ment of Computer Science, Carnegie Mellon Univer- 1050. sity, Dec. 1994. [3] I. Cervesato and F. Pfenning. The linear logical frame- [19] F. Pfenning. Structural cut elimination. In D. Kozen, work LLF. Accessible on the World-Wide Web as editor, Proceedings of the Tenth Annual Symposium on http://www.cs.cmu.edu/~iliano/LLF/. Logic in Computer Science, pages 156–166, San Diego, [4] J. L. Chirimar. Proof Theoretic Approach to Specifica- California, June 1995. IEEE Computer Society Press. tion Languages. PhD thesis, Department of Computer [20] E. Rohwedder. Verifying the Meta-Theory of Deduc- and Information Science, University of Pennsylvania, tive Systems. PhD thesis, Carnegie Mellon University, 1995. 1996. Forthcoming. [5] R. Dyckhoff. Contraction-free sequent calculi for intu- [21] M. Tofte. Type inference for polymorphic references. itionistic logic. Journal of Symbolic Logic, 57(3):795– Information & Computation, 89:1–34, November 1990. 807, Sept. 1992. [22] P. Wadler. Linear types can change the world. In M. Broy and C. B. Jones, editors, IFIP TC 2 Work- [6] A. Felty. Encoding dependent types in an intuitionis- ing Conference on Programming Concepts and Meth- tic logic. In G. Huet and G. D. Plotkin, editors, Logi- ods, pages 561–581, Sea of Gallilee, Israel, Apr. 1990. cal Frameworks, pages 214–251. Cambridge University North-Holland. Press, 1991. [23] A. K. Wright and M. Felleisen. A syntactic ap- [7] J.-Y. Girard. Linear logic. Theoretical Computer Sci- proach to type soundness. Information & Computa- ence, 50:1–102, 1987. tion, 115(1):38–94, November 1994. [8] J.-Y. Girard. On the unity of logic. Annals of Pure and Applied Logic, 59:201–217, 1993.