sign in sign up
<<
Home , Unit type

arXiv:1808.04006v1 [cs.PL] 12 Aug 2018 08Cprgthl yteonrato() ulcto rights Publication owner/author(s). the by held Copyright 2018 © oki o otasaetesuc yesse ue for rules type-system source the translate to how is work ihtetp-ytmrlsfrraoigaotrun-time about reasoning for rules type-system the with SN978-1-4503-5698-5/18/06...$15.00 ISBN ACM btatn ihcei spritd ocp tews,o republis or otherwise, copy To permitted. is credit with Abstracting oteAscainfrCmuigMachinery. Computing for Association the to USA PA, Philadelphia, 2018, 18–22, June [email protected]. PLDI’18, from permissions specific Request prior fee. requires a lists, to and/or redistribute to or servers on post hps://doi.org/10.1145/3192366.3192372 hono be must author(s) the fo than Copyrights others page. by first owned the work on this citation of full ponents c the f that and work and notice advantage this this commercial cop or bear of that profit provided part for fee distributed or or without made all granted not of is use copies classroom hard or or personal digital make to Permission color. in printed or viewed when read to easier is paper black-and-w in distinguishable are languages the Although guages. ∗ rectness C Concepts CCS compilat separate of to correctness addition prove In we CC. prove in preservation, type model we a giving rules, by these CC-CC of justify soundness To closures. for about rules type-system reasoning target into functions this about reasoning in challenge central The CC-CC. named language intermedi- ate compiler typed dependently type-safe, a Coq—to ainfo h aclso osrcin C)wt strong with ( (CC) pairs Constructions dependent of Calculus the from lation interferes compilation terms. but checking, type decide to sys- abstrac- tions type compositional high-level dependent around that designed is are problem tems the essence, In hard. is Un- types dependent programs. of compilation target-language type-preserving fortunately, generated the com- into through correctness pilation of proofs and specifications pro- these preserve source to used of be correctness can compilation functional Type-preserving grams. full spec- the to verify used and are ify Coq as such languages typed Dependently Abstract pilers eueacmiaino oosadfnst itnus ieetlan- different distinguish to fonts and colors of combination a use We edvlpatp-rsrigcouecneso trans- closure-conversion type-preserving a develop We • ; hoyo computation of Theory ; ye lsr ovrinfrteCluu of Calculus the for Conversion Closure Typed ucinllanguages Functional • Σ [email protected] otaeadisengineering its and Software ye)asbe ftecr agaeof language core the of subset types)—a otesenUniversity Northeastern ila .Bowman J. William ni Paris Inria France USA ; Polymorphism → yetheory Type Constructions permission ; → ; licensed ie the hite, Com- e are ies com- r Cor- opies ,to h, red. or ion. ila .Bwa n mlAmd 08 ye lsr Conver Closure Typed 2018. Ahmed. Amal and Bowman J. William ehv hl rga fe ikn l opnnsi a in components all linking after program whole a have we C eeec Format: Reference ACM eie oplrfrCqi o,aeago rtse.Unfor- step. first good a are Coq, in Coq for compiler verified nswe ikn agtporm.Wt type-preserving compile invari- could With check we programs. compilation, to target them linking use when similarly ants can we source and in programs, invariants enforcing for useful are Types problem. careful. be to link efut ic o ye r o rsre noOCaml, check into type preserved to not way no are is types there Coq Since segfault. a hciga iktm ovrf htalcmoet match components all that that verify invariants type to the use time could we link Then at language. checking target typed a into tions component pro- Coq correct proven a gram similar extract we A when linking. occurs when problem respected are invariants the programs that verified ensure of to difficult it makes This com- before pilation. information type out throws CertiCoq tunately, hns rjcssc sCrio [ CertiCoq as such ma- on Projects running chines. up end actually that compilers, by generated IPA ofrneo rgamn agaeDsg n Impl and (PLDI’18). mentation Design Language Programming on Conference In SIGPLAN Constructions. of Calculus the for sion oplto,coueconversion closure compilation, Keywords grams [ 8 protocols and primitives cryptographic of plementations CompCert [ the correctness compiler functional C full spec- the to prove used and been ify has Coq ver- software. formal the large-scale on of impact ification tremendous had have Coq as languages such programming typed dependently Full-spectrum Introduction 1 .Tepolmi htteepof r about are proofs these that is problem The ]. yepeevn oplto stekyt ovn this solving to key the is compilation Type-preserving f e u ene urnesaotthe about guarantees need we but , with oOal hnln ihsm neie OCaml unverified some with link then OCaml, to e f eedn ye,tp hoy type-preserving theory, type types, Dependent ∗ h tt fteati otl h programmer the tell to is art the of state The . 27 htvoae h nainsof invariants the violates that ,teCriO Skre [ kernel OS CertiKOS the ], otesenUniversity Northeastern [email protected] C,NwYr,N,USA, NY, York, New ACM, mlAhmed Amal e a rgnlyvrfidaant Once against. verified originally was ni Paris Inria France USA f e n a htw hudnot should we that flag and n rsreisspecifica- its preserve and 5 ,wiham obida build to aims which ], rceig f3t ACM 39th of Proceedings 15 agtprograms target 20 pages. , e 21 n causes and orepro- source ,adim- and ], hps://doi.org/10.1145/3192366.3192372 6 e- - , , PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed low-level typed—perhaps dependently typed—assembly lan- Universes U ::= ⋆ |  guage, there would no longer be a need to enforce invari- Expressions e, A, B ::= x | ⋆ | let x = e : Aine | Π x : A. B ants, so types could be erased to generate (untyped) ma- | λ x : A. e | ee | Σ x : A. B chine code. Preserving full-spectrum dependent types has | he1, e2i as Σ x : A. B | fste | snde additional benefits—we could preserve proofs of full func- Environments Γ ::= · | Γ, x : A | Γ, x = e : A tional correctness into the generated code! Figure 1. CC Syntax The goal in type-preserving compilation is not to develop the values of the free variables. There are two major chal- new compiler translations, but to adapt existing translations lenges in designing new type-system rules for closures, which so that they perform the same function but also preserve we discuss at a high-level in Section 3 before we formally typing invariants. Unfortunately, these two goals are in con- present our results. In short, we need new type-system rules flict, particularly as the typing invariants become richer. The for reasoning about closures, and a way to synchronize the richer the invariants the can express, the less type of a closure, which depends on free variables, with the freedom the compiler is permitted, and the more work re- type of (closed) code, which cannot depend on free vari- quired to establish typing invariants in the transformed code. ables. In the case of full-spectrum dependently typed languages, type-preserving compilation is hard. The essential problem Contributions We make the following contributions: is that compiler transformations disrupt the syntactic rea- 1. We design and prove the consistency of CC-CC, a full- soning used by the type system to decide type checking. spectrum dependently typed compiler IL with support for With full-spectrum dependent types, any runtime term can statically reasoning about closures, Section 4. The proof appear in types, so the type system includes rules for rea- of consistency also guarantees type safety of any pro- soning about equivalence and sometimes partially evaluat- gramsin CC-CC—i.e., linking any two components in CC- ing runtime terms during type checking. This works well in CC is guaranteed to have well-defined behavior. high level, functional languages such as the core language 2. We give a typed closure-conversion translation from CC of Coq, but when compilers transform high-level language to CC-CC Section 5. concepts into low-level machine concepts, we need new rules 3. Leveraging the type-preservation proof, we prove that for how to reason about terms during type checking. this translation is correct with respect to separate com- In the case of closure conversion, the problem is that, un- pilation, i.e., linking components in CC and then running like in simply typed languages, free term variables are bound to a value is equivalent to first compiling the components in types as well as terms. Intuitively, we translate a simply separately and then linking in CC-CC. typed function Γ ⊢ λx : A.e : A → B into a closure Γ ⊢ hh(λΓ,x : A.e), dom(Γ)ii : A → B where the code of the function Next, we introduce CC (Section 2), both to introduce our is paired with its environment, and the code now receives source language and to formally introduce dependent types, its environment as an explicit argument. Note that the en- before presenting the central problem with typed closure vironment is hidden in the type of the closure so that two conversion, and the main idea behind our solution (Section 3). functions of the same type but with different environment Elided parts of figures and proofs are included in our online still have the same type.1 With dependent types, the type of technical appendix [14]. a closure may refer to free variables from the environment. That is, in Γ ⊢ λx : A.e : Πx : A.B, variables from Γ can appear 2 Source: Calculus of Constructions (CC) in A and B. After closure conversion, how can we keep the Our source language is a variant of the Calculus of Construc- environment hidden in the type when the type must refer to tions (CC) extended with strong dependent pairs (Σ types) the environment? That is, in the closure converted version and η-equivalence for functions, which we typeset in a non- of the above example Γ ⊢ hh(λΓ,x : A.e),envii : Πx : A.B, how bold, blue, sans-serif font. Thismodelis based on theCICspec- can A and B refer to env if env must remain hidden in the ification used in Coq [44, Chapter 4]. For brevity, we omit type? base types from this formal system but will freely use base We solve this problem for type-preserving closure conver- types like natural numbers in examples. sion of the Calculus of Constructions with Σ types (CC)—a We present the syntax of CC in Figure 1. Universes, or subset of thecorelanguageof Coq,and acalculusthat is rep- sorts, U are essentially the types of types. CC includes one resentative of full-spectrum dependently typed languages. impredicative universe ⋆, and one predicative universe . Closure conversion transforms first-class functions with free Expressions have no explicit distinction between terms, types, variables into closures that pair closed, statically allocated or kinds, but we usually use the meta-variable e to evoke a code with a dynamically allocated environment containing term expression and A or B to evoke a type expression. Ex- pressions include names x, the universe ⋆, functions λ x:A. e, 1Normally, we use existential types to hide the environment, but as we will application e1 e2, dependent function types Π x : A. B, depen- see in Section 3, existential types cause problems with dependent types. dent let let x = e : Aine′, Σ types Σ x : A. B, dependent pairs Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA

Γ ⊢ e ⊲ e′ Γ ⊢ e : A ⊲ = x δ e where x e : A ∈ Γ ⊢ Γ (x : A ∈ Γ or x = e : A ∈ Γ) ⊢ Γ let x = e : Aine1 ⊲ζ e1[e/x] [Ax-*] [Var] λ ⊲ Γ ⊢ ⋆ :  Γ ⊢ x : A ( x : A. e1) e2 β e1[e2/x] fst he , e i ⊲ e 1 2 π1 1 = ′ ⊲ Γ ⊢ e : A Γ, x e : A ⊢ e : B snd he1, e2i π2 e2 [Let] Γ ⊢ let x = e : Aine′ : B[e/x] Γ ⊢ e ≡ e′ ∗ ∗ Γ ⊢ e1 ⊲ e Γ ⊢ e2 ⊲ e [≡] Γ, x : A ⊢ B : ⋆ Γ, x : A ⊢ B :  Γ ⊢ e ≡ e [Prod-*] [Prod-] 1 2 Γ ⊢ Π x : A. B : ⋆ Γ ⊢ Π x : A. B :  ⊲∗ λ ⊲∗ ′ ′ Γ ⊢ e1 x : A. e Γ ⊢ e2 e2 Γ, x : A ⊢ e ≡ e2 x [≡-η1] Γ, x : A ⊢ e : B Γ ⊢ e ≡ e [Lam] 1 2 Γ ⊢ λ x : A. e : Π x : A. B ⊲∗ ′ ⊲∗ λ ′ Γ ⊢ e1 e1 Γ ⊢ e2 x : A. e Γ, x : A ⊢ e1 x ≡ e ′ ′ ′ [≡-η2] Γ ⊢ e : Π x : A . B Γ ⊢ e : A Γ ⊢ e ≡ e [App] 1 2 Γ ⊢ ee′ : B[e′/x] Figure 2. CC Conversion and Equivalence Γ ⊢ A : ⋆ Γ, x : A ⊢ B : ⋆ [Sig-*] Γ ⊢ Σ x : A. B : ⋆ he1, e2i as Σ x : A. B, first projections fste and second projec- tions snde. The universe  is only used by the type system Γ, x : A ⊢ B :  Γ ⊢ e : Σ x : A. B and is not a valid term. As syntactic sugar, we omit the type [Sig-] [Fst] Γ ⊢ Σ x : A. B :  Γ ⊢ fste : A annotations on dependent let let x = eine′ and on dependent pairs he , e i when they are irrelevant or obvious from con- 1 2 Γ ⊢ e : Σ x : A. B text. We also write function types as A→B when the result B [Snd] does not depend on the argument. Environments Γ include Γ ⊢ snde : B[fste/x] assumptions x : A that a name x has type A, and definitions Γ ⊢ e : A Γ ⊢ B : U Γ ⊢ A ≡ B x = e : A that name x refers to e of type A. [Conv] We define conversion, or reduction, and definitional equiv- Γ ⊢ e : B alence for CC in Figure 2. Conversion here is defined for Figure 3. CC Typing deciding equivalence between types (which include terms), but it can also be viewed as the operational semantics of CC Nat. Π _:y > 0. Nat, which statically ensures that we never di- terms. The small-step reduction Γ ⊢ e⊲e′ reduces the expres- vide by zero by requiring a proof that its second argument sion e to the term e′ under the local environment Γ, which is greater than zero. we usually leave implicit for brevity. The local environment Applications e1 e2 have type B[e2/x] ([App]), i.e., the result is necessary to convert a name to its definition. Each conver- type B of the function e1 with the argument e2 substituted sion rule is labeled, and when we refer to conversion with for the name of the argument x. Using this rule and our ex- an unlabeled arrow e ⊲ e′, we mean that e reduces to e′ by ample of the division function div : Π x : Nat. Πy : Nat. Π _: ⊲ ⊲ ⊲ ⊲ ⊲ some reduction rule, i.e., either δ , ζ , β , π1 , or π2 . We y > 0. Nat, wetypechecktheterm div4 2 : Π _: 2 > 0. Nat. No- write Γ ⊢ e ⊲∗ e′ to mean the reflexive, transitive, contextual tice that the term variable y in the type has been replaced closure of the relation Γ ⊢ e⊲e′. Essentially, e ⊲∗ e′ runs e us- with the value of the argument 2. ⊲ ing the relation any number of times, under any arbitrary Dependent pairs he1, e2i have type Σ x:A. B ([Pair]). Again, context. this type is a binding form. The type B of the second com- We define equivalence Γ ⊢ e ≡ e′ as reduction in the ⊲∗ rela- ponent of the pair can refer to the first component of the tion up to η-equivalence, as in Coq [44, Chapter 4]. pair by the name x. We see in the rule [Snd] that the type of In Figure 3, we present the typing rules. The type system snde is B[fste/x], i.e., the type B of the second component of is standard. the pair with the name x substituted by fste. We can use this Functions λ x : A. e have dependent Π x : A. B to encode refinement types, such as the describing positive ([Lam]). The dependent function type describes that the func- numbers by Σ x : Nat. x > 0, i.e., a pair of a number x with a tion takes an argument, x, of type A, and returns something proof that x is greater than 0. of type B where B may refer to, i.e., depends on, the value of Since types are also terms, we have typing rules for types. the argument x. We can use this to write polymorphic func- The type of ⋆ is . We call ⋆ the universe of small types and tions, such as the polymorphic identity function described  the universe of large types. Intuitively, small types are the by the type ΠA:⋆. Π x:A. A, or functions with pre/post condi- types of programs while large types are the types of types tions, such as the division function described by Π x:Nat. Πy: and type-level computations. Since no user can write down PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed

⊢ Γ of the code, we bind the names of all free variables by pro- ⊢ Γ Γ ⊢ A : U jecting from this environment n. To call a closure, we apply [W-Empty] [W-Assum] ⊢· ⊢ Γ, x : A the code to its environment and its argument. This translation is not type preserving since the structure ⊢ Γ Γ ⊢ e : A Γ ⊢ A : U of the environment shows up in the type. For example, the [W-Def] ⊢ Γ, x = e : A following two functions have the same type in the source, but end up with different types in the target. Figure 4. CC Well-Formed Environments + (λx.y) : ((Nat × Nil)→ Nat → Nat)×(Nat × Nil) + , we need not worry about the type of . In[Prod-*], we (λx.x) : (Nil → Nat → Nat)× Nil assign the type ⋆ to the dependent function type when the This is a well-known problem with typed closure conver- result type is also ⋆. This rule allows impredicative functions, sion, so we could try the well-known solution [30, 34, 35, 2, since it allows forming a function that quantifies over large 41, 37]. (Spoiler alert: it won’t work for CC.) We represent types but is in the universe of small types. The rule [Prod- closures as an existential package of a pair of the function ] looks similar, but is implicitly predicative, since there is and its environment, whose type is hidden. The existential no universe larger than  to quantify over. (We could com- type hides the structure of the environment in the type. + bine the rules for Π, but explicit separation helps clarify the (λx.y) : ∃α.(α → Nat → Nat)× α + issue of predicativity when compared with the rules for Σ (λx.x) : ∃α.(α → Nat → Nat)× α Σ types, which cannot be combined.) Formation rules for This works well for simply typed and polymorphic lan- types have an important restriction: it is unsound to allow guages, but when we move to a dependently typed language, impredicativity in strong dependent pairs [17, 23]. The[Sig- we have new challenges. First, the environment must now *] rule only allows quantifying over a small type when form- be ordered since the type of each new variable can depend  ing a small dependent pair. The [Sig- ] rule allows quanti- on all prior variables. Second, types can now refer to vari- fying over either small or large types when forming a large ables in the closure’s environment. Recall the polymorphic Σ . As usual in models of dependent , we exclude identity function from earlier. base types, although they are simple to add. λ A : ⋆. λ x : A. x : ΠA : ⋆. Π x : A. A Therule [Conv] allows resolving type equivalence and re- ducing terms in types. For instance, if we want to show that This function takes a type variable, A, whose type is ⋆. It e : Σ x:Nat. x = 2 but we have e : Σ x:Nat. x = 1 + 1,the[Conv] returns a function that accepts an argument x of type A and rule performs this reduction. Note while our equivalence re- returns it. There are two closures in this example: the outer lation is untyped, the [Conv] rule ensures that A and B are closure has no free variables, and thus will have an empty well-typed before appealing to equivalence, ensuring decid- environment, while the inner closure λ x:A. x has A free, and ability. (It is a standard lemma that if Γ ⊢ e : A, then Γ ⊢ A : U [28].)thus A will appear in its environment. Finally, we extend well-typedness to well-formedness of Below, we present the translation of this example using environments ⊢ Γ in Figure 4. the previous translation. We typeset target language terms produced by our translation in a bold, red, serif font. We 3 MainIdeas produce two closures, one nested in the other. Note that we Closure conversion makes the implicit closures from a func- translate source variables x to x. In the outer closure, the tional language explicit to facilitate statically allocating func- environment is empty hi, and the code simply returns the tions in memory. The idea is to translate each first-class inner closure. The inner closure has the argument A from function into an explicit closure, i.e., a pair of closed code the outer code in its environment. Since the inner code takes and an environment containing the values of an argument of type A, we project A from the environment the free variables. We use code to refer to functions with no in the type annotation for x. That is, the inner code takes an free variables, as in a closure-converted language. The envi- environment n2 that contains A, and the type annotation for ronment is created dynamically, but the closed code can be x is x : fst n2. The type fst n2 is unusual, but is no problem lifted to the top-level and statically allocated. Consider the since dependent types allow computations in types. following example translation. hhλ (n1 : 1, A : ⋆). hhλ (n2 : ⋆ × 1, x : fst n2). x, hA, hiiii, hiii : + ∃ ⋆. (Π ( , ⋆). (λx.y) = h(λn x. lety = (π1 n) in y), hyii α 1 : n1 : α 1 A : + ∃ . Π , . ((λx.y) true) = let hf ,ni = h(λn x. lety = (π1 n) in y), hyii in α 2 : ( (n2 : α 2 x : fst n2) fst n2) × α 2) × α 1 f n true We see that the inner code on its own is well typed with + We write e to indicate the translation of an expression e. the closed type Π (n2 : ⋆ × 1, x : fst n2). fst n2. That is, the We translate each function into a pair of code and its envi- code takes two arguments: the first argument n2 is the en- ronment. The code accepts its free variables in an environ- vironment, and the second argument x is a value of type ment argument, n (since n sounds similar to env).Inthebody fst n2. The result type of the code is also fst n2. As discussed Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA

+ + above, we must hide the type of the environment to en- n, x : A ). B , the typing rule for pa‡ requires that we show + + sure type preservation. That is, when we build the closure e : Code (n′ : A′, y : n′ = v, x : A ). B ; notice that the variable hhλ (n2 : ⋆ × 1, x : fst n2). x, hA, hiiii, we must hide the type of n has been replaced by the value of the environment v. The the environment hA, hii. We use an existential type to quan- equality n′ = v essentially unifies projections from n′ with tify over the type α 2 of the environment, and we produce projections from v, the list of free variables representing the the type Π (n2 : α 2, x : fst n2). fst n2 for the code in the inner actual environment. closure. But this type is trying to take the first projection The problem with this translation is that it relies on im- of something of type α 2. We can only project from pairs, predicativity. That is, if (Π x : A. B) : ⋆, then we require that + and something of type α 2 isn’t a pair! In hiding the type of (Π x : A. B) : ⋆. Since the existential type quantifies over a the environment to recover type preservation, we’ve broken type in an arbitrary universe U but must be in the base uni- type preservation for dependent types. verse ⋆, the existential type must be impredicative. Impred- A similar problem also arises when closure converting icative existential types (weak dependent sums) are consis- System F, since System F also features type variables [30, 35]. tent on their own, but impredicativity causes inconsistency To understand our solution, it is important to understand when combined with other features, including computational why the solutions that have historically worked for System relevance and Coq’s universe hierarchy. In Coq by default, F do not scale to CC. We briefly present these past results the base computationally relevant universe is predica- and why they do not scale before moving on to the key idea tive, so this translation would not work. There is a flag to behind our translation. Essentially, past work using existen- enable impredicative Set, but this can introduce inconsis- tial types relies on assumptions about computational rele- tency with some axioms, such as a combination of the law vance, parametricity, and impredicativity that do not neces- of excluded middle plus the axiom of choice, or ad-hoc poly- sarily hold in full-spectrum systems. morphism [12]. Even with impredicative Set, there are com- putationally relevant universes higher in Coq’s universe hi- 3.1 Why the Well Known Solution Doesn’t Work erarchy, and it would not be safe to allow impredicativity Minamide et al. [30] give a translation that encodes closure at more than one universe. Furthermore, some dependently types using existential types, a standard type-theoretic fea- typed languages, such as Agda, do not allow impredicativ- ture that they use to make environment hiding explicit in ity at all since it is the source of paradoxes, such as Girard’s the types. In essence, they encode closures as objects; the paradox. environment can be thought of as the private field of an ob- A second problem arises in developing an η principle, be- ject. Since then, the use of existential types to encode clo- cause the existential type encoding relies on parametricity sure types has been standard in all work on typed closure to hide the environment. So, any η principle would need to conversion. be justified by a parametric relation on environments. In- However, the use of existential types to encode closures in ternalizing parametricity for dependent type theory is an a dependently typed setting is problematic. First, let us just active area of research [11, 25, 26, 38] and not all dependent consider closure conversion for System F. As Minamide et al. type theories admit parametricity [12]. [30] observed, there is a problem when code must be closed Later, Morrisett et al. [35] improved the existential-type with respect to both term and type variables. This problem translation for System F, avoiding translucency and kinds is similar to the one discussed above: when closure environ- by relying on type erasure before runtime, which meant that ments contain type variables, since those type variables can their code didn’t have to close over type variables. This trans- also appear in the closure’s type, the closure’s type needs to lation does not apply in a dependently typed setting, since project from the closure’s (hidden) environment which has now types can contain term variables not just “type erasable” type α. To fix the problem, they extend their target language type variables. with translucency (essentially, a of type-level equiva- lence that we now call singleton types), type-level pairs, and 3.2 Our Translation kinds. All of these features can be encoded in CC, so we could extend their translation essentially as follows. To solve type-preserving closure conversion for CC, we avoid existential types altogether and instead take inspiration from + def + + (Π x : A. B) = ∃ α : U. ∃ n : α . Code (n′ : α, y : n′ = n, x : A ). B the so-called “abstract closure conversion” of Minamide et al. In this translation, we would existentially quantify over [30]. They add new forms to the target language to represent the type of the environment α, the value of the environment code and closures for a simply typed source language. We n, and generate code that requires an environment n′ plus a scale the design of these forms to dependent types. proof that the code is only ever given the environment n as Adapting and scaling even a well-known translation to the argument n′. The typing rule for an existential package dependent typetheoryis complex. Recallfrom Section 1 that copies the existential value into the type. That is, for a clo- the goal of our compiler is to implement the same function- sure pa‡ hA′, v, ei of type ∃ α : U. ∃ n : α . Code (n′ : α, y : n′ = ality as standard closure conversion, but preserve the typing PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed invariants. Operationally, our translation will do the obvi- from the free variables of the body of the function, namely ous thing, but the complexity of our translation comes from e, and, due to dependent types, the type annotation A. the types. In the case of dependent types, the complexity The question is: what should the type translation of Π (and usefulness) of the type system comes from the ability types be? Let’s return to our polymorphic identity function to interpret terms as logical formulas that are capable of ex- (just the inner closure). If we apply the above translation, pressing mathematical theorems and proofs. When we add we produce the following for the inner closure. We know its new typing rules to the target language, we must justify that type by following the typing rules [Clo] and [Code] above. the new system is still consistent when interpreted as a logic. hhλ (n2 : ⋆ × 1, x : fst n2). x, hA, hiiii : Moreover, we must design new equivalence rules for terms Π (x : (fst n2)[hA, hii/n2]). (fst n2)[hA, hii/n2] and, ideally, ensure that equivalence is still decidable. λ In the case of closure conversion, we are transforming the We know that the code (n2 : ⋆ × 1, x : fst n2). x has type fundamental feature of dependent type theory: functions Code (⋆ × 1, x : fst n2). fst n2. Following [Clo], we substitute and Π types. Functions can be interpreted as proofs of uni- the environment into this type, so we get: Π versal properties represented by types. This transforma- Π (x : (fst n2)[hA, hii/n2]). (fst n2)[hA, hii/n2] tion requires dependent types for both code and closures, and a novel equivalence principle for closures. But in prov- So how do we translate the function type Π x : A. A into the Π ing the new rules consistent, we must not just prove that closure type (x:(fst n2)[hA, hii/n2]). (fst n2)[hA, hii/n2]? Note we do not allow proofs of False in the new system, but also that this type reduces to Π x : A. A.Sobytherule[Conv], we establish that all universal properties and their proofs that simply need to translate Π x : A. A to Π x : A. A! were representable and provable in the source language are The key translation rules are given below. still representable and provable in the target language. We + def= Π + + leave the proofs of these properties until Section 4.1, but (Π x : A. B) x : A . B + def + + present the key typing and equivalence rules now. (λ x : A. e) = hh(λ (n : Σ (xi : A ... ), x : let hxi ...i = n in A ). i + We extend our type system with primitive types for code let hxi ...i = n in e ), hxi ...iii ′ where x : A ... are the free variables of e and A and closures. We represent code as λ (n : A , x : A). e1 of the i i ′, . code type Code (n : A x : A) B. These are still dependent A final challenge remains in the design of our target lan- types, so n may appear in both A and B, and x may appear guage: we need to know when two closures are equivalent. in B. Code must be well typed in an empty environment, As we just saw, CC partially evaluates terms while type check- i.e., when it is closed. For simplicity, code only takes two ing. If two closures get evaluated while resolving type equiv- arguments. alence, we may inline a term into the environment for one ·, n : A′, x : A ⊢ e : B [Code] closure but not the other. When this happens, two closures Γ ⊢ λ n : A′, x : A. e : Code (n : A′, x : A). B that were syntactically identical and thus equivalent become inequivalent. We discuss this problem in detail in Section 5, We represent closures as hhe, e′ii of type Π x:A[e′/n]. B[e′/n], but essentially we need to know when two syntactically dis- where e is code and e′ is its environment. We continue to use tinct closures are equivalent. Our solution is simple: get rid Π types to describe closures; note that “functions” in CC are of the closures and keep inlining things! implicit closures. The typing rule for closures is: ′ ′ ′ Γ, ′ ′ Γ ⊢ e : Code (n : A , x : A). B Γ ⊢ e : A x : A ⊢ e1[e1/n]≡ e2[e2/n] ′ ′ ′ [Clo] Γ λ ′, . , ′ λ ′, . , ′ Γ ⊢ hhe, e ii : Π x : A[e /n]. B[e /n] ⊢ hh( (n : A x : A) e1) e1ii ≡ hh( (n : A x : A) e2) e2ii

We should think of a closure hhe, e′ii not as a pair, but as a de- Two closures are equivalent when we inline the environ- layed partial application of the code e to its environment e′. ment, freevariables ornot, and run thebodyof thecode. We This intuition is formalized in the typing rule since the en- leave the argument free, too. We run the bodies of the code vironment is substituted into the type, just as in dependent- to normalforms,then compare thenormal forms.Recallthat function application in CC. equivalence runs terms while type checking and does not To understand our translation, let us start with the trans- change the program, so the free variables do no harm. lation of functions. This equivalence essentially corresponds to an η-principle for closures. From it, we can derive a normal form for clo- λ . + def= λ Σ + ... , ... = + . ( x : A e) hh( (n : (xi : Ai ) x : let hxi i n in A ) sures hhe, e′ii that says the environment e′ contains only free h ...i = +), h ...iii let xi n in e xi variables, i.e., e′ = hx ...i. ... i where xi : Ai are the free variables of e and A The above is an intuitive, declarative presentation, but is The translation of functions is simple to construct. We know incomplete without additional rules. We use an algorithmic we want to produce a closure containing code and its envi- presentation that is similar to the η-equivalence rules for ronment. We know the environment should be constructed functions in CC, which we show in Section 4. Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA

= ′ ′ Expressions e, A, B :: ··· | 1 | hi | Code (x : A , x : A). B Γ ⊢ e : t | λ (x′ : A′, x : A). e | Π x : A. B | hhe, eii Γ, x′ : A′, x : A ⊢ B : ⋆ ′ ′ [T-Code-*] Figure 5. CC-CC Syntax (excerpts) ··· Γ ⊢ Code (x : A , x : A). B : ⋆

Γ, x′ : A′, x : A ⊢ B :  ′  Γ ⊢ e ⊲ e . ′ ′ [T-Code- ] . Γ ⊢ Code (x : A, x : A ). B :  ′ ′ ′ ′ ′ hhλ x : A , x : A. e1, e ii e ⊲β e1[e /x ][e/x] ·, x′ : A′, x : A ⊢ e : B Γ ⊢ e ≡ e′ [Code] Γ ⊢ λ (x′ : A′, x : A). e : Code (x′ : A′, x : A). B Γ ⊲∗ λ ′ ′ ′ ′ ⊢ e1 hh (x : A , x : A). e1, e ii Γ ⊲∗ ′ Γ ′ ′ ′ ⊢ e2 e2 , x : A ⊢ e1[e /x ]≡ e2 x Γ ′ ′, . Γ ′ ′ [≡-Clo ] ⊢ e : Code (x : A x : A) B ⊢ e : A Γ 1 [Clo] ··· ⊢ e1 ≡ e2 Γ ⊢ hhe, e′ii : Π x : A[e′/x′]. B[e′/x′] Γ ⊲∗ λ ′ ′ ′ ′ ⊢ e2 hh (x : A , x : A). e2, e ii Figure 7. CC-CC Typing (excerpts) ∗ ′ ′ ′ ′ ′ Γ ⊢ e1 ⊲ e Γ, x : A ⊢ e x ≡ e [e /x ] 1 1 2 [≡-Clo ] it is closed. This rule captures the entire point of typed clo- Γ 2 ⊢ e1 ≡ e2 sure conversion and gives us static machine-checked guar- Figure 6. CC-CC Conversion and Equivalence (excerpts) antees that our translation produces closed code. The typing rule [Clo] for closures hhe, e′ii substitutes the environment e′ into the type of the closure, as discussed in Section 3. This is similar to the CC rule [App] that substitutes a function ar- 4 Target: CC, Closure-Converted (CC-CC) gument into the result type of a function. As we discussed The target language CC-CC is based on CC, but first-class in Section 3, this is also critical to type preservation, since functions are replaced by closed code and closures. We add our translation must generate closure types with free vari- a primitive unit type 1 to support encoding environments. ables and then synchronize the closure type containing free We extend the syntax of expressions, Figure 5, with a unit variables with a closed code type. As with Π types in CC, we ′ value hi and its type 1, closed code λ n : A , x : A. e and de- have two rules for well typed Code types.Therule[T-Code-*] ′ pendent code types Code (n : A , x : A). B, and closure values allows impredicativity in ⋆, while [T-Code-] is predicative. hhe, e′ii and dependent closure types Π x : A. B. The syntax of application e e′ is unchanged, but it now applies closures 4.1 Type Safety and Consistency instead of functions. We prove that CC-CC is type safe when interpreted as a pro- We define additional syntactic sugar for sequences of terms, gramming language and consistent when interpreted as a to support writing environments whose length is arbitrary. logic. Type safety guarantees that all programs in CC-CC We write a sequence of terms ei ... to mean a sequence of have well-defined behavior, and consistency ensures that ,..., length |i| of expressions ei0 ein . We extend the notation when interpreting types as propositions and programs as to patterns such as xi : Ai ..., which implies two sequences proofs, we cannot prove False in CC-CC. We prove both the- ,..., ,..., xi0 xin and A0 Ain each of length |i|. We define envi- orems by giving a model of CC-CC in CC, i.e., by encoding Σ ronments as dependent n-, written hei ...i as (xi : Ai ... ). the target language in the source language. The model re- We encode dependent n-tuples as nested dependent pairs duces type safety and consistency of CC-CC to that of CC, followed by a unit value, i.e., he0, h..., hei, hiiii. We omit the which is known to be type safe and consistent. This standard annotation on n-tuples hei ...i when it is obvious from con- technique is well explained by Boulier et al. [12]. text. We also define pattern matching on n-tuples, written We construct a model essentially by “decompiling” clo- = ′ let hxi ...i e in e, to perform the necessary nested projec- sures, translating code to functions and closures to partial = ′ = ′ tions, i.e., letx0 fst e in ... letxi fst snd ... snd e in e. application. To show this translation is a model, we need to In Figure 6 we present the additional conversion and equiv- show that it preserves falseness—i.e., that we translate False alence rules for CC-CC. Code cannot be applied directly, but to False—and show that the translation is type-preserving— must be part of a closure. Closures applied to an argument i.e., we translate any well-typed CC-CC program (valid proof) β-reduce, applying the underlying code to the environment into a well-typed program in CC. To extend the model to and the argument. All the other conversion rules remain type safety, we must also show that the translation preserves unchanged. For equivalence, we no longer have the usual reduction semantics—i.e., that reducing an expression in CC- η rules, since functions have been turned into closures. In- CC is essentially equivalent to reducing the translated term stead, we need η rules for closures. in CC. Since our type system includes reduction, we already We give the typing rules in Figure 7. All unspecified rules prove this to show type preservation. are unchanged from the source language. The most interest- We then prove consistency and type safety of CC-CC by ing rule is [Code], which that code only type checks when contradiction. If CC-CC were inconsistent, then we could PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed

Γ ⊢ e : A {◦ e Γ ⊢ A : U {◦ A Γ, x : A ⊢ B : ⋆ {◦ B [M-Prod-*] ··· Γ ⊢ Π x : A. B : ⋆ {◦ Π x : A. B

′ ′ ′ ′ ′ ′ ′ Γ ⊢ A : U {◦ A Γ, x : A ⊢ A : U {◦ A Γ, x : A , x : A ⊢ B : ⋆ {◦ B ′ ′ ′ ′ [M-T-Code-*] Γ ⊢ Code (x : A , x : A). B : ⋆ {◦ Π x : A . Π x : A. B

Γ ⊢ A′ : U′ { A′ Γ, x′ : A′ ⊢ A : U { A Γ, x′ : A′, x : A ⊢ B :  { B ◦ ◦ ◦  ′ ′ ′ ′ [M-T-Code- ] Γ ⊢ Code (x : A , x : A). B :  {◦ Π x : A . Π x : A. B

′ ′ ′ ′ ′ ′ ′ ′ ′ Γ ⊢ A : U {◦ A Γ, x : A ⊢ A : U {◦ A Γ, x : A , x : A ⊢ B : U {◦ B Γ, x : A , x : A ⊢ e : B {◦ e ′ ′ ′ ′ ′ ′ [M-Code] Γ ⊢ λ (x : A , x : A). e : Code (x : A , x : A). B {◦ λ x : A . λ x : A. e

′ ′ ′ ′ ′ ′ ′ Γ ⊢ e : Code (x : A , x : A). B {◦ e Γ ⊢ e : A {◦ e Γ ⊢ e : Π x : A. B {◦ e Γ ⊢ e : A {◦ e ′ ′ ′ ′ [M-Clo] ′ ′ ′ [M-App] Γ ⊢ hhe, e ii : Π x : A[e /x]. B[e /x] {◦ ee Γ ⊢ e e : B[e /x] {◦ ee Figure 8. Translation from CC-CC to CC (excerpts) prove the proposition False in CC-CC, and translate that To prove type preservation, we split the proof into three proof into a valid proof of False in CC. But since CC is consis- key lemmas. First, we show compositionality, i.e., that the tent, we can never produce a proof of False in CC, therefore translation from CC-CC to CC commutes with substitution. we could not have constructed one in CC-CC. A similar ar- Then we prove preservation of reduction semantics and equiv- gument applies for type safety. Since we preserve reduction alence, which essentially follows from compositionality. Fi- semantics in CC-CC, if a term had undefined behavior, we nally, we prove type preservation, which relies on preserva- could translate the term into a CC term with undefined be- tion of equivalence and on compositionality. The proofs are havior. However, CC has no terms with undefined behavior, straightforward, since the typing rules in CC-CC essentially hence neither does CC-CC. correspond to partial application already, so we elide them The translation from CC-CC to CC, Figure 8, is defined here. They follow the same structure as our type preser- on typing derivations. We use the following notation. vation proof for closure conversion, which we present in ◦ def Section 5. For complete details, see our online technical ap- e = e where Γ ⊢ e : A {◦ e pendix [14]. ◦ The CC expression e refers to the expression produced by Compositionality is an important lemma since the type translating the CC-CC expression e, with the typing deriva- system and conversion relations are defined by substitution. tion for e as an implicit argument. ′ ◦ ◦ ′◦ The rule [M-Code] translates a code type Code (n : A′, x : Lemma 4.2 (Compositionality). (e[e /x]) = e [e /x] . ′◦. ◦. ◦ A) B to the curried function type Π n : A Π x : A B . The Next we show that the translation preserves reduction, λ ′, . rule [M-Code] models code n : A x : A e as a curried func- or that our model in CC weakly simulates reduction in CC- λ ′◦. λ ◦. ◦ tion n : A x : A e . Observe that the inner function pro- CC. This is used both to show that equivalence is preserved, duced in CC is not closed, but that is not a problem since the since equivalence is defined by reduction, and to show type model only exists to prove type safety and consistency. It is safety. only in CC-CC programs that code must be closed. The rule [M-Clo] models a closure hhe, e′ii as the application e◦ e′◦— Lemma 4.3 (Pres. of Reduction). If e ⊲ e′ then e◦ ⊲∗ e′◦ i.e., the application of the function e◦ to its environment Now we show that reduction sequences are preserved. This e′◦. We model Unit, omitted for brevity, with the standard essentially follows from preservation of single-step reduc- Church encoding as the polymorphic identity function. All tion, Lemma 4.3. other rules simply recursively translate subterms. We first prove that this translation preserves falseness. Lemma 4.4 (Preservation of Reduction Sequences). If e ⊲∗ We encode False in CC-CC as Π A:⋆. A. This encoding repre- e′ then e◦ ⊲∗ e′◦ sents a function that takes any arbitrary proposition A and Next, we show coherence, i.e., that the translation preserves returns a proof of A. Similar, in CC False as ΠA:⋆. A.Itisclear equivalence. The proof essentially follows from Lemma 4.4, from [M-Prod-*] that the translation preserves falseness. We but we must show that our η rule for closures is preserved. use = as the terms are not just definitionally equivalent, but ◦ ◦ syntactically identical. Lemma 4.5 (Coherence). If e1 ≡ e2 then e1 ≡ e2 Lemma 4.1 (False Preservation). False◦ = False We can now show our final lemma: type preservation. Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA

Lemma 4.6 (Type Preservation). the sequence with respect to both a term and its type. How- 1. If ⊢ Γ then ⊢ Γ◦ ever, in all recursive applications of this metafunction—e.g., 2. If Γ ⊢ e : A then Γ◦ ⊢ e◦ : A◦ FV(A0, _, Γ)—the type of A0 must be a universe and cannot have any free variables. Finally, we can prove the desired consistency and type safety theorems. 5.1 Type Preservation First we prove type preservation, using the same staging Theorem 4.7 (Consistency of CC-CC). There does not exist as in Section 4. After we show type preservation, we show a closed expression e such that ·⊢ e : False. correctness of separate compilation. In CC, the lemmas re- Type safety tells us that there is no undefined behavior quired for type preservation do most of the work to allow that causes a program to get stuck before it produces a value, us to prove correctness of separate compilation, since type and all programs terminate. checking includes reduction and thus we prove preservation of reduction sequences. Theorem 4.8 (Type Safety of CC-CC). If · ⊢ e : A, then We first show compositionality. This lemma, which estab- e ⊲∗ v and v 6⊲ v′. lishes that translation commutes with substitution, is the key difficulty in our proof of type preservation because clo- 5 Closure Conversion sure conversion internalizes free variables. Whether we sub- We present the closure conversion translation in Figure 9. stitute a term for a variable before or after translation can We define the following notation for this translation. drastically affect the shape of closures produced by the trans- ′ + def lation. For instance, consider the term (λ y : A. e)[e /x]. If we e = e where Γ ⊢ e : A { e perform this substitution before translation, then we will + The CC-CC expression e refers to the translation of the generate an environment with the shape hxi ..., xj ...i, i.e., well-typed CC term e, with typing derivation for e as an im- with only free variables and without x in the environment. plicit parameter. However, if we translate the individual components and then Every case of the translation except for functions is triv- perform the substitution, then the environment will have ′+ ial, including application [CC-App], since application is still the shape hxi ..., e , xj ...i—that is, x would be free when the elimination form for closures after closure conversion. we create the environment and substitution would replace + In the nontrivial case [CC-Lam], we translate CC functions it by e′ . We use our η-principle for closures to show that to CC-CC closures, as described in Section 3. The transla- closures that differ in this way are still equivalent. λ tion of a function x : A. e produces a closure hhe1, e2ii. We + + + (e [e /x]) ≡ e [e /x] compute the free variables (and their type annotations) of Lemma 5.1 (Compositionality). 1 2 1 2 λ the function x : A. e, xi : Ai ..., using the metafunction Proof. By induction on the typing derivation for e1. We give FV(λ x : A. e, Π x : A. B, Γ) defined shortly. The first component the key cases. e1 is closed code. Ignoring the type annotation for a moment, + Case [Ax-Var] the code λ (n, x). let hxi ...i = n in e projects each of the |i| ′ ′ We know that e1 is some free variable x , so either x = free variables xi ... from the environment n and binds them + + ′ , ′+ ′+ + x, hence e2 ≡ e2 , or x x, hence x ≡ x . inthescopeofthebody e . But CC-CC is dependently typed, Case [T-Code-*] so we also bind the free variables from the environment in ′ ′ We know that e1 = Π x : A. B. W.l.o.g., assume x , x. + + + the type annotation for the argument x, i.e., producing the We must show (Π x′:A[e /x]. B[e /x]) ≡(Π x′ : A. B) [e /x]. + + 2 2 2 x : let hx ...i = n in A x : A annotation i instead of just . Next ′ + + (Π x : A[e2/x]. B[e2/x]) (1) we produce the environment type Σ (xi : A ... ), from the = Π ′ + + free source variables xi ... of types Ai .... We create the envi- x : (A[e2/x]) . (B[e2/x]) (2) ronment e2 by creating the dependent n- hxi ...i; these by definition of the translation + + + + free variables will be replaced by values at run time. = Π x′ : (A [e /x]). (B [e /x]) (3) To compute the sequence of free variables and their types, 2 2 by the inductive hypothesis for A and B we define the metafunction FV(e, B, Γ) in Figure 10. Just from = Π ′ +. + + the syntax of terms e, B, we can compute some sequence ( x : A B )[e2 /x] (4) of free variables x0,..., xn = fv(e, B). However, the types of by definition of substitution A ,..., A = ′ + + these free variables 0 n may contain other free vari- (Π x : A. B) [e2 /x] (5) ables, and their types may contain still others, and so on! by definition of translation We must, therefore, recursively compute the a sequence of Case [Lam] free variables and their types with respect to an environ- We know that e1 = λ y : A. e. W.l.o.g., assume that y , x. ment Γ. Note that because the type B of a term e may con- λ . + λ . + + We must show that (( y : A e)[e2/x]) ≡( y : A e) [e2 /x]. tain different free variables than the term, we must compute Recall that by convention we have that Γ ⊢ λ y : A. e : PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed

Γ ⊢ e : t { e where Γ ⊢ e : t Γ ⊢ e : A { e Γ ⊢ A : U { A Γ, x : A ⊢ e′ : B { e′ [CC-*] [CC-Var] [CC-Let] Γ ⊢ ⋆ :  { ⋆ Γ ⊢ x : A { x Γ ⊢ let x = e : Aine′ : B[e/x] { letx = e : A in e′

Γ ⊢ A : U { A Γ, x : A ⊢ B : ⋆ { B Γ ⊢ A : U { A Γ, x : A ⊢ B :  { B [CC-Prod-*] [CC-Prod-] Γ ⊢ Π x : A. B : ⋆ { Π x : A. B Γ ⊢ Π x : A. B :  { Π x : A. B

Γ, x : A ⊢ e : B { e Γ ⊢ A : U { A Γ, x : A ⊢ B : U { B xi : Ai ... = FV(λ x : A. e, Π x : A. B, Γ) Γ ⊢ Ai : U { Ai ... [CC-Lam] Γ ⊢ λ x : A. e : Π x : A. B { hh(λ (n : Σ (xi : Ai ... ), x : let hxi ...i = n in A). let hxi ...i = n in e), hxi ...i as Σ (xi : Ai ... )ii

Γ ⊢ e1 : Π x : A. B { e1 Γ ⊢ e2 : A { e2 Γ ⊢ A : ⋆ { A Γ, x : A ⊢ B : ⋆ { B [CC-App] [CC-Sig-*] Γ ⊢ e1 e2 : B[e2/x] { e1 e2 Γ ⊢ Σ x : A. B : ⋆ { Σ x : A. B

Γ ⊢ A :  { A Γ, x : A ⊢ B :  { B Γ ⊢ e : Σ x : A. B { e Γ ⊢ e : Σ x : A. B { e [CC-Sig-] [CC-Fst] [CC-Snd] Γ ⊢ Σ x : A. B : ⋆ { Σ x : A. B Γ ⊢ fste : A { fst e Γ ⊢ snde : B[fste/x] { snd e

Γ ⊢ e : A { e [CC-Conv] Γ ⊢ e : B { e ⊢ Γ { Γ where ⊢ Γ ⊢ Γ { Γ Γ ⊢ A : _ { A ⊢ Γ { Γ Γ ⊢ A : _ { A Γ ⊢ e : A { e [W-Empty] [W-Assum] [W-Def] ⊢· { · ⊢ Γ, x : A { Γ, x : A ⊢ Γ, x = e : A { Γ, x = e : A Figure 9. Closure Conversion

def FV(e, B, Γ) = Γ0,..., Γn, x0 : A0,..., xn : An + Therefore, the environment we generate contains e where x0,..., xn = fv(e, B) 2 in position j . Γ ⊢ x0 : A0,..., Γ ⊢ xn : An i = , , By [≡-Clo1], it suffices to show that Γ0 FV(A0 _ Γ) + let hx ...i = hx ...i in (e[e /x]) ≡ f y f . i i 2 where is the . closure from Equation (9). = Γn FV(An, _, Γ) + + f y ≡ let hx ... x, x ... i = hx ..., e , x ...i in e (11) Figure 10. CC Dependent Free Variable Sequences j0 ji+1 j0 2 ji+1 by ⊲ in CC-CC . β Πy : A B. + + ≡ e [e /x] (12) λ . + 2 (( y : A e)[e2/x]) (6) ⊲ + by |j| applications of ζ , since only x has a value = (λ y : (A[e2/x]). e[e2/x]) (7) + ≡(e[e2/x]) (13) by substitution + + by the inductive hypothesis applied to the derivation for e = hh(λ n : Σ (x : A ... ), y : let hx ...i = n in (A[e /x]) . + i i i 2 h ...i = h ...i + (8) ≡ let xi xi in (e[e2/x]) (14) let hxi ...i = n in (e[e2/x]) ), hxi ...iii by |i| applications of ⊲ζ , since no variable has a value  by definition of the translation = λ Next we show that if a source term e takes a step, then its where xi : Ai ... FV( y : (A[e2/x]). e[e2/x], Γ). Note + translation e reduces in some number of steps to a defini- that x is not in the sequence (xi ... ). On the other hand, we have tionally equivalent term e. This proof essentially follows by Lemma 5.1. Then we show by induction on the length of the = λ . + + f ( y : A e) [e2 /x] (9) reduction sequence that the translation preserves reduction = λ Σ + = + hh( n : (xj : Aj ... ), y : let hxj ...i n in A . sequences. Note that since Lemma 5.1 relies on our η equiv- + + (10) let hx ...i = n in e ), hx ..., e , x ...iii alence rule for closures, we can only show reduction up to j j0 2 ji+1 + + e ⊲∗ e′ by definition of the translation definitional equivalence. That is, we cannot show . This is not a problem; we reason about source programs to where xj : Aj ... = FV(λ y : A. e, Γ). Note that x is in equivalence anyway, and not up to syntactic equality.

xj ...; we can write the sequence as (xj0 ... x, xji+1 ... ). Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA

Lemma 5.2 (Preservation of Reduction). If Γ ⊢ e ⊲ e′ then Lemma 5.5 (Type Preservation (technical)). + + ∗ ′+ + Γ ⊢ e ⊲ e and e ≡ e 1. If ⊢ Γ then ⊢ Γ + + + Proof. By cases on Γ ⊢ e ⊲ e′. Most cases follow easily by 2. If Γ ⊢ e : A then Γ ⊢ e : A Lemma 5.1, since most cases of reduction are defined by sub- Proof. Parts 1 and 2 proven simultaneously by induction on stitution. We give representative cases; see our online tech- the mutually defined judgments ⊢ Γ and Γ ⊢ e : A. nical appendix [14]. Part 1 follows easily by induction and part 2. We give the λ ⊲ Case ( x : A. e1) e2 β e1[e2/x] key cases for part 2. + ∗ + We must show that ((λ x:A. e1) e2) ⊲ e and (e2[e1/x]) ≡ Case [Lam] def= + + ⊢ λ . . e. Let e e1 [e2 /x]. We have that Γ x:A e : Π x:A B. We must show that λ . + = + + λ + + By definition of the translation, (( x : A e1) e2) f e2 , Γ ⊢( x : A. e) : (Π x : A. B) . where By definition of the translation, we must show that + + λ Σ + ... , ... = + . Π +. + f = hh(λ n : Σ (xi : A ... ), x : let hxi ...i = n in A . (15) hh( (n : (xi : Ai ) x : let hxi i n in A ) : x : A B i = + + let hxi ...i n in e1 ), hxi ...iii let hxi ...i = n in e ), hxi ...iii (16) 1 where xi : Ai ... = FV(λ x : t. e1, Γ). = λ and where xi : Ai ... FV( x : A. e1, Γ). Notice that the annotation in the term x : let hxi ...i = + To complete the proof, observe that, n in A , does not match the annotation in the type x : + + ⊲ = + + A . However, by [Clo], we can derive that the closure f e2 β let hxi ...i hxi ...i in e1 [e2 /x] (17) |i | + + has type: ⊲ e [e /x] (18) + + ζ 1 2 Π (x:let hxi ...i = hxi ...i in A ). (let hxi ...i=hxi ...i in B ), + + + + ≡(e1[e2/x]) by Lemma 5.1 (19) This is equivalent to Π x:A . B (under Γ ), since (let hxi ...i= + +  hxi ...i in A )≡ A as we saw in earlier proofs. So, by Lemma 5.3 (Preservation of Reduction Sequences). If Γ ⊢ [Clo] and [Conv], it suffices to show that the environ- + + + + e ⊲∗ e′ then Γ ⊢ e ⊲∗ e and Γ ⊢ e ≡ e′ . ment and the code are well-typed. By part 1 of the induction hypothesis applied (since We can now show coherence, i.e., that equivalent terms each of xi : Ai ... come from Γ), we know the environ- are translated to equivalent terms. As equivalence is defined + + ment is well-typed: Γ ⊢ hxi ...i : Σ (xi : A ... ). ⊲∗ i primarily by , the only interesting part of the next proof Now we show that the code is preserving η equivalence. To show that η equivalence is + + (λ (n : Σ (xi : A ... ), x : let hxi ...i = n in A ). i + preserved, we require our new η rules for closures. let hxi ...i = n in e ) 1 + + + + Code (n, x). let hx ...i=n in B Lemma 5.4 (Coherence). If Γ ⊢ e ≡ e′, then Γ ⊢ e ≡ e′ . has type i . For brevity, we omit the duplicate type annotations on n and x. Proof. By induction on the e ≡ e′ judgment. Observe that by the induction hypothesis applied to Case [≡-η1] Γ ⊢ A : U and by weakening ⊲∗ λ ′ ⊲∗ Σ + ...... = + + By assumption, e x : t. e1, e e2 and e1 ≡ e2 x. n : (xi : Ai )⊢ let hxi i n in A : U . + + Must show e ≡ e′ . Hence, by [Code], it suffices to show + ⊲∗ λ + , , ... = + ... = + By Lemma 5.3, e e and e ≡ ( x : t. e1) , and simi- · n x ⊢ let hxi i n in e1 : let hxi i n in B ′+ ⊲∗ ′ ′ + which follows by the inductive hypothesis applied to larly e e and e ≡ e2 . λ . + + Γ, x : A ⊢ e : B, and by weakening, since x ... are the By transitivity of ≡, it suffices to show ( x:t e1) ≡ e2 . 1 i By definition of the translation, free variables of e1, A, and B. λ + = λ Σ + = + Case [App] ( x : t. e1) hh( n : (xi : Ai ... ), x : let hxi ...i n in A . Γ ⊢ e e : B[e /x] = + We have that 1 2 2 . We must show that let hxi ...i n in e1 ), hxi ...iii + + + + Γ ⊢ e1 e2 : (B[e2/x]) . By Lemma 5.1, it suffices to where x : A ... = FV(λ x : t. e , Γ). + + + + + i i 1 show Γ ⊢ e1 e2 : B [e2 /x],whichfollowsby[App] and By [≡-Clo1] in CC-CC, it suffices to show that the inductive hypothesis applied to e1, e2 and B.  = + + + + let hxi ...i hxi ...i in e1 (20) Theorem 5.6 (Type Preservation). If Γ ⊢ e : t then Γ ⊢ e : t . + ≡ e1 (21) ⊲ 5.2 Correctness by |i| applications of ζ + ≡ e x (22) We prove correctness of separate compilation and whole pro- 2 gram correctness. These two theorems follow easily from by the inductive hypothesis applied to e ≡ e x  1 2 Lemma 5.3, but requires a little more work to state formally. Now we can prove type preservation. We give the tech- First, we need an independent specification that relates nical version of the lemma required to complete the proof, source values to target values in CC-CC. We do this by adding followed by the desired statement of the theorem. ground types, such as Bool, to both languages and consider PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed results related when they are the same boolean: true ≈ true There is also work on typed compilation of restricted forms and false ≈ false. It is well known how specify more so- of dependency, which avoid the central type theoretic diffi- phisticated notions of observations, and we discuss these culties we solve. Chen et al. [16] develop a type-preserving in Section 6. compiler from Fine, an ML-like language with refinement Next, we define components and linking. Components in types, to a version of the .NET intermediate language with both CC and CC-CC are well-typed open terms, i.e., Γ ⊢ e : type-level computation. This system lacks full spectrum types A. We implement linking by substitution, and define valid and can rely on computational irrelevance of type-level ar- closing substitutions γ as follows. guments, unlike our setting as discussed in Section 3. Shao def Γ ⊢ γ = ∀x : A ∈ Γ.·⊢ γ (x) : A et al. [42] use CIC as an extrinsic type system over an ML- + like language, so that CIC terms can be used as specifica- We extend the compiler to closing substitutions γ by point- tions and proofs, but restrict arbitrary terms from appear- wise application of the translation. ing in types. They develop a type-preserving closure con- Our separate compilation guarantee is that the transla- version translation for this language. Their closure conver- tion of the source component e linked with substitution γ is sion is simpler to develop than ours, because the extrinsic equivalent to first compiling e and then linking with some + type system avoids the issues of computational relevance by γ that is definitionally equivalent to γ . disallowing terms from appear in types. Instead, a separate Theorem 5.7 (Correctness of Separate Compilation). If Γ ⊢ type-level representation of a subset of terms can appear + e : A and A is a ground type, Γ ⊢ γ , Γ ⊢ γ, γ (e) ⊲∗ v, and in types. This can increase the burden of proving programs + + + γ ≡ γ then γ(e ) ⊲∗ v′ and v ≈ v′ correct compared to an intrinsic system such as CC because the programmer is required to duplicate programs into the Proof. Since the translation commutes with substitution, pre- type-level representation. serves equivalence, reduction implies equivalence, and equiv- alence is transitive, the following diagram commutes. Separate and Compositional Compilation In this work, + ≡ + (γ (e)) γ(e ) we prove Theorem 5.7 (Correctness of Separate Compilation) This is similar to the guarantees of SepCompCert [24]. We ≡ ≡ could support a compositional compiler correctness result + ≡ v v′ by developing a relation independent of the compiler be- Since ≡ on ground types implies ≈, we know that v ≈ v′.  tween source and target components to classify which com- ponents are safe to link with. There are well known tech- As a simple corollary, our compiler must also be whole- niques for developing such relations which we think will program correct. If a whole-program e evaluates to a value + + extend to CC [13, 36, 37, 41, 43]. v, then the translation e runs to a value equivalent to v . Type-Preserving Compilation Type-preserving compila- Corollary 5.8 (Whole-Program Correctness). If · ⊢ e : A + + tion has been widely used to rule out linking errors, and and A is a ground type, and e ⊲∗ v then e ⊲∗ v and v ≈ v even extended to statically rule out security attacks intro- duced by linking. The seminal work by Morrisett et al. [35] 6 Related Work and Discussion uses type-preserving compilation and give a safe linking se- Preserving Dependent Types Barthe et al. [9] study the mantics to Typed Assembly Languages (TAL): linking any call-by-name (CBN) CPS translation for the Calculus of Con- two TAL components—regardless of whether they were gen- structions without Σ types. In 2002, when attempting to ex- erated by a correct compiler or hand-written—is guaranteed tend the translation to CIC, Barthe and Uustalu [10] noticed to be type and memory safe. Our target language CC-CC that in the presence of Σ types, the standard typed CPS trans- provides similar guarantees to TAL, although it is still a lation fails. In recent work, Bowman et al. [15] show how to high-level language by comparison. recover type preservation for both CBN and call-by-value CPS. Bowman et al. [15] add a new typing rule that keeps track of additional contextual information while type check- 7 Future Work ing continuations, similar to our [Clo] typing rule that keeps The Calculus of Inductive Constructions As future work, track of the environment (via substitution) while type check- we plan to scale our translation to the Calculus of Inductive ing closures. In CPS, a term e is evaluated to values indi- Constructions (CIC), the core language of Coq. There are rectly, by a continuation λ x. e′. When resolving type equiv- two key challenges in scaling to CIC. alence, they end up requiring that e is equivalent to x. An First, we need to scale our work to recursive functions. essentially similar problem arises in the translation Π types Our translation should scale easily, but adding recursion to described in Section 3. In closure conversion, we need show CC-CC will be challenging. In CIC, recursive functions must that a free variable x is the same as a projection from an always terminate to ensure consistency. Coq enforces this environment fst n when resolving type equivalence. with a syntactic guard condition that cannot be preserved by Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA closure conversion, as it relies on the structure of free vari- have been used to allow cycles in the heap but still guar- ables. Instead, we intend to investigate two alternatives to antee strong normalization [4]. Unfortunately, linear types ensuring termination in CC-CC. One is to compile the guard and dependent types are difficult to integrate [29]. condition to inductive eliminators—essentially a primitive The design of a dependently typed assembly language form that folds over the tree structure of an inductive type will be hard. Assembly language will make machine-level and is terminating by construction, which has been stud- concepts explicit, such as registers, word sizes, and first-class ied in Coq [18], but it is not clear how to encode this in a control. We will need typing and equivalence rules to rea- typed assembly. A more theoretically appealing technique is son about these machine-level concepts. First-class control to design CC-CC with semantic termination concepts such presents a particular challenge, since it is been shown incon- as sized types [19]. However, it is not clear how to compile sistent with dependent type theory [22]. This is related to Coq programs based on the guard condition to sized types. the problem of CPS and dependent types, so we anticipate Recursion also introduces an important performance con- that we can build on the work of Bowman et al. [15] to re- sideration. Abstract closure conversion introduces additional strict control and regain consistency. Even if control is not allocations and dereferences compared to the existential type a problem, the consistency proof will introduce new chal- translation [30, 34] To solve this, we need to adapt our def- lenges. In this work, we develop a model of the CC-CC in CC inition of closures to enable environments to be separated to prove type safety and consistency. This relies critically on from the closures, but still hide their type. compositionality. Assembly languages are typically not com- The second challenge is how to address computational positional, so this proof architecture may not scale to the relevance. In CC, it is simple to make a syntactic distinc- assembly language. However, in recent work on interoper- tion between relevant and irrelevant terms [9] based on the ability between a high-level functional language and a typed universes ⋆ and , although we avoid doing so for simplic- assembly language, Patterson et al. [40] successfully defined ity of the presentation. Coq features an infinite hierarchy of a compositional assembly language, and we are hopeful that universes, so the distinction is not easy to make. We would we can extend this work to the dependently typed setting. need to design a source language in which computational relevance has already been made explicit so that we can eas- Secure Compilation Type preservation has been widely ily decide which terms to closure-convert. Some work has studied to statically enforce secure compilation, i.e., to stat- been done on the design of such languages [7, 31–33], but ically guarantee that compiled code cannot be linked with to our knowledge none of the work has been used to encode components (attackers) that violate data hiding, abstraction, Coq’s computational relevance semantics. and information flow security properties [2, 3, 13, 37]. These compilers typically prove that the translation preserves and reflects contextual equivalence, i.e., that the compiler is fully Full-Spectrum Dependently Typed Assembly Language abstract. As future work, we plan to investigate what secu- Our ultimate goal is to compile to a dependently typed assembly- rity guarantees can be implied just from preservation and like language in which we can safely link and then generate reflection of definitional equivalence, which we conjecture machine code. We imagine the assembly could be targeted holds of our translation. from many languages, such as Coq and OCaml, and type In our model, we prove Lemma 4.5 (Coherence), i.e., that checking in this assembly would serve to ensure safe link- we can translate any two definitionally equivalent CC-CC ing. This would require a general purpose typed assembly, terms into definitionally equivalent CC terms. In our com- with support for interoperating between pure code and ef- piler, we prove Lemma 5.4 (Coherence), i.e., that we trans- fectful code [39] and different type systems [1]. late any two definitionally equivalent CC terms into defini- A minimal compiler for a functional language performs tionally equivalent CC-CC terms. These two lemmas resem- CPS translation, closure conversion, heap allocation, and ble the statements of preservation and reflection, although assembly-code generation. Recent work solves CPS [15] and in terms of definitional equivalence instead of contextual we solve closure conversion, so two passes remain. equivalence. Since Lemma 4.5 is not stated in terms of our Heap allocation makes memory and allocation explicit, compiler, we need the following condition to complete the + ◦ so we need new typing and equivalence rules that can rea- proof of preservation and reflection: e ≡(e ) , i.e., that com- son about memory and allocation. This seems straightfor- piling to CC-CC and then translating back to CC is equiv- ward for CC,but we anticipate further challengesforCIC. In alent to the original term; we conjecture this equivalence CIC, we must allow cycles in the heap to support recursive holds. functions but still ensure soundness and termination. As dis- Definitional equivalence in dependently typed languages cussed earlier, ensuring terminating recursion alone will in- is sound, but not necessarily complete, with respect to con- troduce new challenges, but other techniques may help us textual equivalence, so even if the above conjecture holds, solve the problem once the heap is explicit. Linear types more work remains to prove full abstraction. Typed closure conversion based on the existential-type encoding is well PLDI’18,June18–22,2018,Philadelphia,PA,USA WilliamJ.Bowman and Amal Ahmed known to be fully abstract [2, 37]. We conjecture that our [11] Jean-philippe Bernardy, Patrik Jansson, and Ross Paterson. translation is also fully abstract; the essential observation 2012. Proofs for Free: Parametricity for Dependent Types. is that CC-CC does not include any constructs that would Journal of (JFP) 22, 02 (March 2012). hps://doi.org/10.1017/S0956796812000056 allow an attacker to inspect the environment. [12] Simon Boulier, Pierre-Marie Pédrot, and Nicolas Tabareau. 2017. The Next 700 Syntactical Models of Type The- Acknowledgments ory. In Conference on Certified Programs and Proofs (CPP). We gratefully acknowledge the valuable feedback provided hps://doi.org/10.1145/3018610.3018620 by Greg Morrisett, Stephanie Weirich, and the anonymous [13] William J. Bowman and Amal Ahmed. 2015. Noninterference for Free. In International Conference on Functional Programming (ICFP). reviewers. We also give special thanks to Dan Grossman, hps://doi.org/10.1145/2784731.2784733 without whom this paper would not have been. Part of this [14] William J. Bowman and Amal Ahmed. 2018. Typed Closure Conversion workwasdoneatInriaParisin Fall2017,while AmalAhmed for the Calculus of Constructions (Technical Appendix). Technical Re- was a Visiting Professor and William J. Bowman held an port. hps://www.williamjbowman.com/resources/cccc-techrpt.pdf internship. This material is based upon work supported by [15] William J. Bowman, Youyou Cong, Nick Rioux, and Amal Ahmed. 2018. Type-preserving CPS Translation of Σ and Π Types Is Not the National Science Foundation under grants CCF-1422133 Not Possible. Proceedings of the ACM on Programming Languages and CCF-1453796, and the European Research Council un- (PACMPL) 2, POPL (Jan. 2018). hps://doi.org/10.1145/3158110 der ERC Starting Grant SECOMP (715753). Any opinions, [16] Juan Chen, Ravi Chugh, and Nikhil Swamy. 2010. Type-preserving findings, and conclusions or recommendations expressed in Compilation of End-to-end Verification of Security Enforcement. In this material are those of the authors and do not necessarily International Conference on Design and Imple- mentation (PLDI). hps://doi.org/10.1145/1806596.1806643 reflect the views of our funding agencies. [17] Thierry Coquand. 1986. An Analysis of Girard’s Para- dox. In Symposium on Logic in (LICS). References hps://hal.inria.fr/inria-00076023 [18] Eduardo Giménez. 1995. Codifying Guarded Definitions with Recur- [1] Amal Ahmed. 2015. Verified Compilers for a Multi-language World. sive Schemes. In International Workshop on Types for Proofs and Pro- In Summit on Advances in Programming Languages (SNAPL), Vol. 32. grams (TYPES). hps://doi.org/10.1007/3-540-60579-7_3 hps://doi.org/10.4230/LIPIcs.SNAPL.2015.15 [19] Benjamin Grégoire and Jorge Luis Sacchini. 2010. On Strong [2] Amal Ahmed and Matthias Blume. 2008. Typed Closure Normalization of the Calculus of Constructions with Type- Conversion Preserves Observational Equivalence. In In- based Termination. In International Conferences on Logic for ternational Conference on Functional Programming (ICFP). Programming, Artificial Intelligence and Reasoning (LPAR). hps://doi.org/10.1145/1411204.1411227 hps://doi.org/10.1007/978-3-642-16242-8_24 [3] Amal Ahmed and Matthias Blume. 2011. An Equivalence- [20] Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, preserving CPS Translation Via Multi-language Semantics. Xiongnan (newman) Wu, Shu-chun Weng, Haozhong Zhang, and In International Conference on Functional Programming (ICFP). Yu Guo. 2015. Deep Specifications and Certified Abstraction Lay- hps://doi.org/10.1145/2034773.2034830 ers. In Symposium on Principles of Programming Languages (POPL). [4] Amal Ahmed, Matthew Fluet, and Greg Morrisett. 2007. L3: A Linear hps://doi.org/10.1145/2775051.2676975 Language with Locations. Fundamenta Informaticae 77, 4 (Dec. 2007). [21] Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan (Newman) Wu, Jieung hps://doi.org/10.1007/11417170_22 Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Exten- [5] Abhishek Anand, A. Appel, Greg Morrisett, Zoe Paraskevopoulou, sible Architecture for Building Certified Concurrent OS Kernels. In Randy Pollack, Olivier Savary Bélanger, Matthieu Sozeau, and Symposium on Operating Systems Design and Implementation (OSDI). Matthew Weaver. 2017. CertiCoq: A Verified Compiler for Coq. In hps://www.usenix.org/conference/osdi16/technical-sessions/presentation/gu International Workshop on Coq for Programming Languages (CoqPL). [22] Hugo Herbelin. 2005. On the Degeneracy of Σ-types hp://www.cs.princeton.edu/~appel/papers/certicoq-coqpl.pdf in Presence of Computational Classical Logic. In Interna- [6] Andrew W. Appel. 2015. Verification of a Cryptographic Primitive: tional Conference on Typed Lambda Calculi and Applications. SHA-256. ACM Transactions on Programming Languages and Systems hps://doi.org/10.1007/11417170_16 (TOPLAS) 37, 2 (April 2015). hps://doi.org/10.1145/2701415 [23] James G. Hook and Douglas J. Howe. 1986. Impredicative Strong Exis- [7] Bruno Barras and Bruno Bernardo. 2008. The Implicit Cal- tential Equivalent to Type:Type. Technical Report. Cornell University. culus of Constructions As a Programming Language with hp://hdl.handle.net/1813/6600 Dependent Types. In International Conference on Founda- [24] Jeehoon Kang, Yoonseung Kim, Chung-Kil Hur, Derek Dreyer, and tions of Software Science and Computation Structures (FoSSaCS). Viktor Vafeiadis. 2016. Lightweight Verification of Separate Compi- hps://doi.org/10.1007/978-3-540-78499-9_26 lation. In Symposium on Principles of Programming Languages (POPL). [8] Gilles Barthe, Benjamin Grégoire, and Santiago Zanella-Béguelin. hps://doi.org/10.1145/2837614.2837642 2009. Formal Certification of Code-based Cryptographic Proofs. [25] Chantal Keller and Marc Lasson. 2012. Parametricity in an Impredica- In Symposium on Principles of Programming Languages (POPL). tive Sort. In International Workshop on Computer Science Logic (CSL). hps://doi.org/10.1145/1480881.1480894 hps://hal.inria.fr/hal-00730913 [9] Gilles Barthe, John Hatcliff, and Morten Heine B. Sørensen. [26] Neelakantan R. Krishnaswami and Derek Dreyer. 2013. Internal- 1999. CPS Translations and Applications: The Cube and Be- izing Relational Parametricity in the Extensional Calculus of Con- yond. Higher-Order and Symbolic Computation 12, 2 (Sept. 1999). structions. In International Workshop on Computer Science Logic (CSL). hps://doi.org/10.1023/a:1010000206149 hps://doi.org/10.4230/LIPIcs.CSL.2013.432 [10] Gilles Barthe and Tarmo Uustalu. 2002. CPS Translating In- [27] Xavier Leroy. 2009. A Formally Verified Compiler Back- ductive and Coinductive Types. In Workshop on Partial Eval- end. Journal of Automated Reasoning 43, 4 (Nov. 2009). uation and Semantics-based Program Manipulation (PEPM). hps://doi.org/10.1007/s10817-009-9155-4 hps://doi.org/10.1145/509799.503043 Typed Closure Conversion for the Calculus of Constructions PLDI’18, June 18–22, 2018, Philadelphia, PA, USA

[28] Zhaohui Luo. 1989. ECC, an Extended Calculus of Con- [37] Max S. New, William J. Bowman, and Amal Ahmed. 2016. structions. In Symposium on Logic in Computer Science (LICS). Fully Abstract Compilation Via Universal Embedding. In In- hps://doi.org/10.1109/lics.1989.39193 ternational Conference on Functional Programming (ICFP). [29] Conor McBride. 2016. I Got Plenty o’ Nuttin’. In A List hps://doi.org/10.1145/2951913.2951941 of Successes That Can Change the World - Essays Dedi- [38] Andreas Nuyts, Andrea Vezzosi, and Dominique Devriese. 2017. Para- cated to Philip Wadler on the Occasion of His 60th Birthday. metric Quantifiers for Dependent Type Theory. Proceedings of the hps://doi.org/10.1007/978-3-319-30936-1_12 ACM on Programming Languages (PACMPL) 1, ICFP (Aug. 2017). [30] Yasuhiko Minamide, Greg Morrisett, and Robert Harper. 1996. Typed hps://doi.org/10.1145/3110276 Closure Conversion. In Symposium on Principles of Programming Lan- [39] Daniel Patterson and Amal Ahmed. 2017. Linking Types guages (POPL). hps://doi.org/10.1145/237721.237791 for Multi-Language Software: Have Your Cake and Eat It Too. [31] Alexandre Miquel. 2001. The Implicit Calculus of Constructions. In In Summit on Advances in Programming Languages (SNAPL). International Conference on Typed Lambda Calculi and Applications hps://doi.org/10.4230/LIPIcs.SNAPL.2017.12 (TLCA). hps://doi.org/10.1007/3-540-45413-6_27 [40] Daniel Patterson, Jamie Perconti, Christos Dimoulas, and [32] Nathan Mishra-Linger and Tim Sheard. 2008. Erasure and Polymor- Amal Ahmed. 2017. FunTAL: Reasonably Mixing a Func- phism in Pure Type Systems. In International Conference on Foun- tional Language with Assembly. In International Conference dations of Software Science and Computation Structures (FoSSaCS). on Programming Language Design and Implementation (PLDI). hps://doi.org/10.1007/978-3-540-78499-9_25 hps://doi.org/10.1145/3062341.3062347 [33] Richard Nathan Mishra-linger. 2008. Irrelevance, Polymorphism, and [41] James T. Perconti and Amal Ahmed. 2014. Verifying an Open Com- Erasure in Type Theory. Ph.. Dissertation. Portland State University. piler Using Multi-language Semantics. In European Symposium on Pro- hp://pdxscholar.library.pdx.edu/cgi/viewcontent.cgi?article=3678&context=open_access_etdsgramming (ESOP). hps://doi.org/10.1007/978-3-642-54833-8_8 [34] Greg Morrisett and Robert Harper. 1998. Typed Closure [42] Zhong Shao, Valery Trifonov, Bratin Saha, and Nikolaos Papaspy- Conversion for Recursively-defined Functions. Electronic rou. 2005. A Type System for Certified Binaries. ACM Transactions Notes in Theoretical Computer Science 10 (June 1998), 230–241. on Programming Languages and Systems (TOPLAS) 27, 1 (Jan. 2005). hps://doi.org/10.1016/s1571-0661(05)80702-9 hps://doi.org/10.1145/1053468.1053469 [35] Greg Morrisett, David Walker, Karl Crary, and Neal Glew. [43] Gordon Stewart, Lennart Beringer, Santiago Cuellar, and An- 1998. From System F to Typed Assembly Language. In drew W. Appel. 2015. Compositional CompCert. In Sym- Symposium on Principles of Programming Languages (POPL). posium on Principles of Programming Languages (POPL). hps://doi.org/10.1145/268946.268954 hps://doi.org/10.1145/2676726.2676985 [36] Georg Neis, Chung-Kil Hur, Jan-Oliver Kaiser, Craig McLaugh- [44]The Coq Development Team. 2017. The lin, Derek Dreyer, and Viktor Vafeiadis. 2015. Pilsner: A Com- Coq Proof Assistant Reference Manual. positionally Verified Compiler for a Higher-order Imperative Lan- hps://web.archive.org/web/20170109225110/hps://coq.inria.fr/doc/Reference-Manual006.html guage. In International Conference on Functional Programming (ICFP). hps://doi.org/10.1145/2784731.2784764