Intensional Analysis of Higher-Kinded Recursive Types?

Intensional Analysis of Higher-Kinded Recursive Types

^?

Technical Report YALEU/DCS/TR- 

Gregory D. Collins Zhong Shao Department of Computer Science, Yale University

New Haven, CT-, USA {gcollins,shao}@cs.yale.edu

Abstract. Recursive types are ubiquitous in modern programming languages, as they occur when typing constructs such as datatype definitions. Any type- theoretic framework must effectively deal with recursive types if it purports to be applicable to real languages such as ML and Haskell. Intensional Type Analy- sis [] and Certified Binaries [] are two such type-theoretic frameworks. Previ- ous work in these areas, however, has not adequately supported recursive types.

In this paper we present a new formulation of recursive types which subsumes the traditional one. We show that intensional analysis over these types (includ- ing higher-kinded recursive types) can be supported via inductive elimination.

Our solution is simple, general, and extensible; the typing rules for higher-kinded recursive types are concise and very easy to understand.

 Introduction

Recursive types are ubiquitous in modern programming languages, as they occur when typing constructs such as ML-like datatype definitions. Recursive data structures can be mutually recursive, generic (i.e., polymorphic), or type-dependent []; typing them would require the use of higher-kinded recursive types. Any type-theoretic framework must effectively deal with all forms of recursive types if it purports to be applicable to a language such as Standard ML (

sml

^{) [}] or Haskell [].

Intensional Type Analysis (

ita

^{) [}] and Certified Binaries (

cb

^{) [}] are two such type-theoretic frameworks. Intensional type analysis is a framework for reasoning (ei- ther at the type level or the term level) about the structure of types in a program. Cer- tified binaries is a framework for reasoning about advanced properties on programs written in typed intermediate or assembly languages.

Previous work [,,] has attempted to solve these problems by defining the type constructors of term languages as constructors of aninductivekindΩ. Defining types this way allows the use of inductive elimination to reason about the structure of types.

?This work is supported in part by

darpa oasis

^grant

f

^{---,}

nsf

^grant

ccr

^-

, and

nserc

^fellowship

pgsa

^--. Any opinions, findings, and conclusions contained in this document are those of the authors and do not reflect the views of these agen- cies.

Using inductive elimination is a natural way to think about doing

ita

, as well as en- abling one to reason about complex propositions and proofs of properties of programs, which is necessary for proof-carrying code []. Previous work has been able to represent mosttypes used by a modern programming language such as Standard ML (

sml

^{) using}

these inductive definitions [].

Both

ita

^and

cb

are designed to reason about the properties of programs written in a modern programming language such as

sml

. Thusfar, however, all of the work in this area of which we are aware (for example [,,,,]) has either completely ignored or poorly supported recursive types.

In this paper we will show a formulation of the recursive type constructorµwhich can be defined inductively. We show that this approach is more general than the standard formulation of recursive types and how

sml

-style datatypes may be represented in our system. We also show how our scheme can be used to support intensional analysis of higher-kinded recursive types.

Because our scheme allows the inductive definition of theµtype constructor, we are able to use inductive elimination to reason about the structure of recursive types. In contrast to other type-theoretic formulations of recursive types, it works over type terms of higher kinds. This means that in the context of a certified binary (see, for instance, Shao et al. []), we could reason about recursive types over kinds likeNat →Ω. Our solution to this problem also has the advantage of elegance and simplicity; the typing rules for ourµconstructor are small and very easy to understand.

. Recursive Types

The standard approach to recursive types in the context of modern programming lan- guages such as

sml

(as presented in Harper and Stone []) is to present a higher- kinded type constructorµ:(κ→κ)→κ. The unrolling of a recursive typeµ(λt :κ.τ) is thenτ[t/µ(λt :κ.τ)]. Unfortunately (unlessκ= Ω), the result of applying this type constructorµdoes not belong to the “ground kind”Ω, which we define as the kind of all type constructors of terms. In other words, in general we cannot type an expression in the term language with a recursive type. Instead, we would employ Harper/Stone’s solution, which is to use a “projection” operator to take the result back toΩ. Consider the following simple example (in

sml

^syntax):

datatype tree= Leafof unit

|Node offorest∗int and forest= Trees oftree∗tree

(.) In a standard presentation, since the types mutually recurse, we would package them together using afixpointfunction:

λ(tree,forest):Ω~Ω.hunit+ (forest(t)∗int),tree(t)∗tree(t)i. Applying the recursive type constructorµ(and cleaning up the syntax), the type of this definition then becomes:

τ:=µ(λt:(Ω~Ω).hunit+ (π₂(t)∗int),π₁(t)∗π₁(t)i).



We could then project this result back to obtain the type oftreeasπ₁(τ)and the type offorestasπ₂(τ).

This approach is not especially general; in particular, in [], projections ofκ₁⇒κ₂ back toΩare handled differently in the static semantics from projections ofκ₁~κ₂, and it is not clear how their mechanism may be applied to higher kinds. This is not surprising, since the system was designed to be just powerful enough to formalize

sml

datatypes.

Our solution is to explicitly combine the fixpoint function and the projection op- eration into one type, writing a recursive type overκasµ_κ(f , g). For instance, if we let F=λt :(Ω~Ω).hunit+ (π₂(t)∗int),π₁(t)∗π₁(t)ias above, then we can writetree as

µ_Ω~Ω(F,λt :(Ω~Ω).π₁(t)), andforestas

µ_Ω~Ω(F,λt :(Ω~Ω).π₂(t)).

Ourµcan thus be viewed as a constructor

µ:Πk:Set.(k→k)→(k→Ω)→Ω.

We note that this definition is inductive inΩ. Using this definition has several benefits.

It is general, it fits into a comprehensive framework of typechecking using inductive definitions, and it allows inductive reasoning on recursive types. Key operations such as roll/unroll can be expressed using type-level reasoning, by way of inductive elimination.

We will show that this formulation of recursive types is at least as general as the standard one.

 A Language using Traditional Recursive Types: λ

_M1

We will begin by showing a minimal language which uses a more traditional formulation of recursive types. We’ll call this languageλ_M1. To simplify our analysis we only consider constants representing natural numbers (n). We present only pairs, not tuples (tuples may be defined as a “syntactic sugar” on pairs). The term language also lacks function polymorphism and existential types. See Figurefor the syntax of this language.

A ground-level type (i.e., a type which we can type terms with)τ inλ_M1 can be the integer type (int), the unit type (unit), the function type (τ₁ → τ₂), the sum type (τ₁+τ₂), or the tuple type (τ₁∗τ₂). In addition,λ_M1has higher-order types such as lambda abstraction (λt : κ.τ), type variables t, and type tuples (hτ₁,τ₂i). The type system ofλ_M1essentially contains a computation language consisting of a simply-typed lambda calculus; thus we also have type-function application (τ₁ τ₂) and type-tuple projectionπ_i(τ). We (of course) also have the recursive typeµt : κ.τ, which will be explained later. The types ofλ_M1are kinded;Ωis the kind of all ground terms,κ₁⇒κ₂ is the kind of type-functions, andκ₁~κ₂is the kind of type-tuples.

The term language ofλ_M1 is completely standard: we have variables (x), integer constants (n), if statements, function definitions and applications, tuple creation and projection, sum-type injection (inl,inr) and elimination (case), and recursive roll and unroll.



(kinds) κ::= Ω|κ₁⇒κ₂|κ₁~κ₂

(types) τ::=int|unit|τ₁→τ₂|τ₁∗τ₂|τ₁+τ₂|µt:κ.τ

|t|λt:κ.τ|τ₁(τ₂)|π_i(τ)| hτ₁,τ₂i (expr) e::=x|n|op(e1, e2)|ifethene1elsee2fi

|funf(x:τ₁):τ₂ iseend|e1(e2)|(e1, e2)|()|fst(e)|snd(e)

|rollτ(e)|unroll(e)|inlτ1+τ2(e₁)|inrτ1+τ2(e₂)

|caseτ₁+τ₂eof inl(x:τ₁)⇒e1 orelse inr(x:τ₂)⇒e2end (oper) op::= +| − |. . .

Fig..A lightweight language using traditionalµ:λ_M1

type environment ∆ term environment Γ

well-formed∆ `∆type env well-formedΓ ∆`Γterm env well-formed kind `κkind

well-formed types ∆`τ:κ type-equivalence ∆`τ₁≡τ₂:κ well-formed term Γ;∆`e:τ term evaluation e₁,→e₂

Fig..Summary of formal properties ofλ_M1

Forλ_M1we use a standard small-step operational semantics. The values of the lan- guage are as follows:

(values)v::=n|funf(x:τ₁):τ₂ iseend|inl_τ1+τ2(v)|inr_τ1+τ2(v)

|()|(v₁, v₂)|roll_τ(v)

Figurecontains a summary of the formal judgments ofλ_M1. For the complete for- mal properties ofλ_M1, including dynamic semantics, static semantics, and type-safety theorems, see Appendix A.

. Recursive Types

This language uses a standard presentation of recursive types; that is,µhas the form µt :κ.τ, whereτends up having kindκ. The typing judgments forrollandunrollare as follows: (taken from Harper and Stone [])

∆, t:κ`τ:κ

∆`µt :κ.τ:κ (Well-formedµ)



p=π_i| · s=τ⁰⁰ | ·

∆`τ≡(p(µt :κ.τ<sup>0</sup>))(s):Ω Γ;∆`e:τ

Γ;∆`unroll(e):(p(τ⁰[t:=µt:κ.τ⁰]))(s) (Unroll) p=π_i| ·

s=τ⁰⁰ | ·

∆`τ≡(p(µt :κ.τ<sup>0</sup>))(s):Ω Γ;∆`e:(p(τ⁰[t:=µt :κ.τ⁰]))(s)

Γ;∆`roll_τ(e) (Roll)

In the rules above,pandsare “optional”, and are required to coerce theµ-type back toΩ. The fact that they are necessary indicates a fault in this formulation of recursive types; we have to resort to “tricks” such as this to typecheckrollandunroll. A worse problem is that these rules only work for a limited set of kinds; it is completely unclear how to extend this mechanism to be more general.

Therollandunrollterms act ascoercionson the typing of variables; the values end up unchanged. This is evidenced by the following rule taken from the operational semantics ofλ_M1:

unroll(roll(v)),→v

. Examples

We will now consider some illustrative examples. We’ll relax our formalism for a mo- ment and extendλ_M1to include tuples of arbitrary size. Consider the following set of datatypes (from Okasaki []):

datatype αQuad= Q ofα∗α∗α∗α andαSquare= Zeroofα

| Succof(α Quad)Square

(.) We can type this datatype (erasing the constructor names) as:

τ=µt :(Ω⇒Ω)~(Ω⇒Ω).

hλα:Ω.(α∗α∗α∗α),λα:Ω.(α+ (π₂(t) (π₁(t)α))i

In order to create a value of typeintQuad, we need to coerce the recursive type back to Ω:

roll_(π

1(τ))(int)(1,2,3,4)

Similarly, to create the valueSucc(Zero(Q(1,2,3,4)))of typeintSquare, abbreviating Quad=π₁(τ),T =Quad(int), andSquare=π₂(τ), we do the following:

rollSquare(int)(inrint+Square(Quad(int))(roll_Square(T) (inlT+Square(Quad(T))(roll_T(1,2,3,4)))))

Unrolling a value of typeintSquaregives us thesamevalue (since unrolling a re- cursive type is essentially a coercion) of typeint+ (π₂(τ) (π₁(τ)int)). We will revisit these examples when we discuss our new formulation of recursive types in Section.



(kinds) κ::= Ω|κ₁⇒κ₂|κ₁~κ₂

(types) τ::=int|unit|τ₁→τ₂|τ₁∗τ₂|τ₁+τ₂|µ_κ(f,g)

|t|λt:κ.τ|τ₁(τ₂)|π_i(τ)| hτ₁,τ₂i (expr) e::=x|n|op(e1, e2)|ifethene1elsee2fi

|funf(x:τ₁):τ₂ iseend|e1(e2)|(e1, e2)|()|fst(e)|snd(e)

|roll_µκ(f,g)(e)|unroll(e)|inlτ1+τ2(e₁)|inrτ1+τ2(e₂)

|caseτ1+τ2eof inl(x:τ₁)⇒e1 orelse inr(x:τ₂)⇒e2end (oper) op::= +| − |. . .

Fig..A lightweight language using newµ:λ_M2, changed parts inbold

 A Language Using our Proposed Recursive Types: λ

_M2

We continue now by modifyingλ_M1to use our new formulation of recursive types. We’ll call this languageλ_M2. The only differences betweenλ_M1andλ_M2involve the handling of recursive types. Figurecontains the syntax for this language, with the changed parts in bold. For a full discussion of the formal properties of this language, including static semantics, dynamic semantics, and type-safety theorems, see Appendix B.

. Recursive Types

This language uses our proposed presentation of recursive types. Hereµis a constructor of kind(κ⇒κ)⇒(κ⇒Ω)⇒Ω. The relevant portions of the static semantics of this language are as follows:

∆`f :κ⇒κ ∆`g:κ⇒Ω

∆`µ_κ(f , g):Ω (Well-formedµ)

∆`µ<sub>κ</sub>(f , g):Ω Γ;∆`e:µ_κ(f , g)

Γ;∆`unroll(e):K(κ, f , g) (Unroll)

∆`µ<sub>κ</sub>(f , g):Ω Γ;∆`e:K(κ, f , g)

Γ;∆`roll_{µκ(f ,g)}(e):µκ(f , g) (Roll) These last two rules deserve some explanation. Sincef : κ ⇒ κ, and we have refor- mulatedµ-types to belong toΩ, we cannot unroll types by applyingf to theµ-type itself, as we might do in a more standard presentation. Instead we need to analyze the structure ofκto determine how we should unroll theµ-type. This analysis is performed by the macroKabove. We note that the choice ofKdoes not influence the type-safety



properties of the language (see Appendix B). It is conceivable that one might choose an appropriateKon an application-to-application basis. For this paper, we would like the unroll operator to be as close as possible to the standard one. So, for instance, if κ= Ω~Ω, then we would want the unrolling ofµ_κ(f , g)to be:

f(hµ_κ(f ,λk:κ.π₁(k)),µ_κ(f ,λk:κ.π₂(k))i),

which is of kindκ. We would then coerce this, usingg, back toΩ. With this in mind, we defineKas follows (assuming that we have the ability to perform a meta-leveltypecase operation):

K(κ, f :κ⇒κ, g :κ⇒Ω):=

g(f(H(κ,κ,λx:κ.x, f))), whereHis defined as follows:

H(κ⁰,κ, Q:κ⇒κ⁰, f :κ⇒κ):=











µ_κ(f , Q) whenκ= Ω

hH(κ₁,κ,λh:κ.(π1(Q h)), f),

H(κ₂,κ,λh:κ.(π₂(Q h)), f)i whenκ=κ₁~κ₂ λg:κ₁.H(κ₂,κ,λh:κ.(Q h)(g), f) whenκ=κ₁⇒κ₂.

TheKmacro takes three arguments: the kindκwhich we’re working over, the fixpoint functionf : κ ⇒ κ, and the coercion functiong : κ ⇒ Ω. The macro returns the unrolling ofµκ(f , g). To do this it passes the arguments to theHmacro. The purpose of this macro is to expand the recursive type from something belonging toΩto something belonging toκso thatf may be applied to it. It takes four parameters: the kindκ⁰which is the kind of the result, the kindκwhich is the kind of the whole expression (necessary for when we create typesµ_κ(f , . . .), the functionf which is copied verbatim to anyµ- types we generate, and a functionQ. TheQfunction works to take a value fromκtoκ⁰

— we keep this around to build up the new coercion functions when we createµ-types in the recursive calls.

Revisiting Example.from the introduction, we specified the type oftreeto be µ_Ω~Ω(f ,λt:(Ω~Ω).π₁(t)),

where

f =λt:(Ω~Ω).hunit+ (π₂(t)∗int),π₁(t)∗π₁(t)i. If we were to unroll this type, we would first apply

H(Ω~Ω,Ω~Ω,λx:Ω~Ω.x, f).

Substituting once, this leaves:

hH(Ω,Ω~Ω,λh:Ω~Ω.π₁(h), f),H(Ω,Ω~Ω,λh:Ω~Ω.π₂(h), f)i. ApplyingH(Ω,Ω~Ω,λh:Ω~Ω.π1(h), f)gives usµ_Ω~Ω(f ,λh:Ω~Ω.π1(h)), which (not coincidentally) is the type oftreeitself. The full unrolling oftree, then, is

g(f(hµ_Ω~Ω(f ,λh:Ω~Ω.π₁(h)),µ_Ω~Ω(f ,λh:Ω~Ω.π₂(h))i)),



which evaluates to

unit+ (µ_Ω~Ω(f ,λx:Ω~Ω.π₂(x))∗int), which is precisely what one would expect.

. Examples

We will look again at the example from Okasaki’s paper, given in Equation.: datatype αQuad= Q ofα∗α∗α∗α

andαSquare= Zeroofα

| Succof(α Quad)Square Letκ= (Ω⇒Ω)~(Ω⇒Ω). We will typeαQuadas

Quad=λt:Ω.µκ(f ,λx:κ.(π₁(x)t)), and we’ll typeαSquareas

Square=λt:Ω.µκ(f ,λx:κ.(π₂(x)t)), where

f =λx:κ.hλt:Ω.t∗t∗t∗t,λt :Ω.t+π₂(x) (π₁(x)t)i. In order to create a value of typeintQuad, we would write the following:

roll_Quad(int)(1,2,3,4).

Similarly, to create the valueSucc(Zero(Q(1,2,3,4)))of typeintSquare, abbreviating T=Quad(int):

rollSquare(int)(inrint+Square(T)

(roll_Square(T)(inlT+Square(Quad(T))(roll_T(1,2,3,4))))) Unrolling the typeintSquaregives us the typeint+τ₂(τ₁int).

 Translation from λ

_M1

to λ

_M2

In this section we will give a translation fromλ_M1toλ_M2. The purpose of giving such a translation is to demonstrate that our new formulation of recursive types is backwards- compatible with the traditional one. To do this, we show that the result of translating a well-typedλ_M1term is itself well-typed inλ_M2. After inspecting the translation, this should be enough to convince the reader that our new formulation of recursive types is at least as generalas the traditional one.

We want to embed old-style typesµt:κ.τand their associatedrollandunrollterms into terms of typeµ_κ(f , g).

The translation ofµwill preserve kinds. To accomplish this we translateµtypes into types having the same kind in which theµis “pushed” inward. For example, the type

µt :Ω~Ω.τ would be translated as:

hµ_Ω~Ω(λt:Ω~Ω.τ,λs:Ω~Ω.π1(s)),µ_Ω~Ω(λt:Ω~Ω.τ,λs:Ω~Ω.π2(s))i.



. Translation

The translation is as follows:

Jµt:κ.τK=H(κ,κ,λx:κ.x,λt:κ.τ), (.) where theHfunction is defined in Section.. The translation of other types is trivial;

see for example the translation of the lambda-type:

Jλt :κ.τK=λt:κ.JτK (.) Type environments stay the same; term environments have their types translated.

J∆K= ∆ (.)

J·K=· (.)

JΓ, x:τK=JΓK, x:JτK (.) Here are the translations forrollandunroll:

p=π_i| · t=τ⁰⁰| · ∆`τ≡(p(µt:κ.τ⁰))(t):Ω Jroll_τ(e)K=roll_p(

Jµt:κ.τ⁰K)(JtK)(JeK) (.) Junroll(e)K=unroll(JeK) (.) The following theorem demonstrates the well-typedness of the translation:

Theorem. IfΓ;∆`e:τ, thenJΓK;J∆K`JeK:JτK. Proof. In Appendix C.

 Adding ML-style Datatypes

We now add to our language (in abstract syntax) the ability to define ML-style datatypes, using the treatment in []:

(type declarations) δ::=datatypeβ

(datatype bindings)β::= (t₁, . . . , t_n)γhhandβii (datatype constructors)γ::=τhhor γii,

where the syntaxhhXiimeansX is repeated zero or more times. We note that this is essentially ML syntax, except with identifiers erased (constructors may be accessed by number) and with no restriction on type variables. This presentation is given to simplify the discussion of the type theory.

In a Harper/Stone-style presentation, the type of thei-th datatype in the declaration datatype(t₁₁, . . . , t_1n1)T₁ =τ₁₁ or . . . orτ_1m1

and(t₂₁, . . . , t_2n2)T₂ =τ₂₁ or . . . orτ_2m2 and . . .

and(tp1, . . . , t_pnp)T_p =τ_p1 or . . . orτ_pmp



is given by π_i

µλ(T₁, . . . , T_p).

λ(t₁₁, . . . , t_1n1).(τ₁₁+· · ·+τ_1m1)

, . . . , λ(t_p1, . . . , t_pnp).(τ_p1+· · ·+τ_pmp) . We’ll now show the typing for this datatype using our new presentation (with a slight change in syntax to accommodaten-ary tuples and sums). First we’ll define the typeσ_i associated with the type parameters of thei-th datatype

(t_i1, . . . , t_ini)T_i=τ_i1 or . . . orτ_imi as

σ_i= Ω~· · ·~Ω

| {z }

n_itimes

⇒Ω.

Likewise, we define for thei-th datatype clause the sum typeΣ_i=τ_i1+· · ·+τ_imi. Now we can define the functionF:(σ₁~· · ·~σ_p)⇒(σ₁~· · ·~σ_p)as:

F:=λ(T1 :σ₁, . . . , Tp:σ_p).hΣ₁, . . . ,Σ_ni.

Now that we’ve definedF, we’re in a position to type the entire datatype declarationT_i with the type:

λ(t_i1:Ω, . . . , t_ini :Ω).µσ₁~···~σ_p(F,λt:σ₁~· · ·~σ_p.(#i(t)(t_i1, . . . , t_ini))).

 Intensional Type Analysis

. Introduction

Supporting type analysis type-safely has been an active area of research in past years, since Harper and Morrisett [] introduced theintensionaltype analysis (

ita

^{) frame-}

work — that is, analysis of the structure of types. Intensional type analysis was novel in that it allows for the inspection of types in a type-safe manner. The Harper/Morrisett framework, however, only supports primitive recursion over themonotypesof their lan- guageλ^ML_i , cannot express general recursion at all, and cannot support analysis of types with binding structure (such as polymorphic or existential types).

Existing work in this area [,,] either ignores or does not fully support analysis of recursive types. Trifonov et al. [] present a framework which ostensibly supports fully reflexive

ita

— by “fully reflexive”, meaning that type-analyzing operations are ap- plicable to the type of any runtime value in the language. Their framework’s support of recursive types is severely limited, however. In this section we build upon this result and present a lightweight language which fully supports the type-level analysis of recursive types.



(exp) e ::=x|n|op(e₁, e₂)|ifethene₁ elsee₂ fi

|funf(x:τ₁):τ₂iseend|e1(e2)|(e1, e2)|()|#i(e)

|caseτ₁+τ₂eof inj⁽¹⁾(x:τ₁)⇒e1 or inj⁽²⁾(x:τ₂)⇒e2

|inj⁽ⁱ⁾_τ1+τ2(ei)|rollτ(e)|unroll(e) (oper) op::= +| − |. . .

Fig..Syntax of the term languageλ^R_i

. CiC

To typecheck this term language, we will use the calculus of inductive constructions (CiC) [], which is implemented in theCoqproof assistant [].CiCis an extension of the calculus of constructions (CC) [], which is a higher-order typed lambda calculus.

The syntax of CC is as follows:

A, B::=Set|Type|X |λX:A.B|AB|ΠX:A.B

Thelambdaterm denotes a function abstraction, and theΠterm denotes a dependent product type. WhenXdoes not occur inB, the termΠX : A.Bis usually abbreviated A→B.

CiCextends the calculus of constructions with inductive definitions. An inductive definition is usually written in a syntax similar to that of an ML datatype definition; the following is a snippet ofCoqcode defining the set of natural numbers:

InductiveNat:Set:=zero:Nat|succ:Nat→Nat

Inductive definitions in CiCmay be parameterized, and the calculus provides elimi- nation constructs for inductive definitions, which combine case analysis with a fixpoint operation. To maintain the soundness of the calculus, restrictions are placed on the con- structors of inductive definitions, to ensure that the inductive type being created occurs onlypositivelyin the definition of the constructor. A full discussion of inductive types is beyond the scope of this paper. Elimination on inductive definitions generalizes the Typerecoperator used in previous

ita

^{papers [},,].

. Term Language

We are now in a position to present our term language. See Figurefor the syntax ofλ^R_i. To simplify our analysis we only consider constants representing natural numbers (n).

We present only pairs, not tuples (tuples may be defined as a “syntactic sugar” on pairs).

The term language also lacks function polymorphism and existential types, as

ita

^on

these types has been dealt with in previous papers [,].



Static Semantics We’ll be typecheckingλ^R_i usingCiC. We define the type constructors of the term language as constructors of an inductive kindΩas follows:

InductiveΩ:Set::= int :Ω

|unit :Ω

| →→ :Ω→Ω→Ω

|pair :Ω→Ω→Ω

|sumty:Ω→Ω→Ω

|µ :Πk:Set.(k→k)→(k→Ω)→Ω

In other words, all terms inλ^R_i have a typeτwhich belongs toΩ. To improve readability, we define the following syntactic sugars:

A₁→A₂≡ →→A₁A₂ A₁∗A₂≡pairA₁A₂ A₁+A₂≡sumtyA₁A₂

µ_κ(f , g)≡µ[κ]f g

In order to be able to unroll recursive types, we need to restrict the kinds upon which a recursive type may operate. Hence we define the inductive kind (usingCoqsyntax^):

Inductive Kind:Set::=ω :Kind

|To :Kind→Kind→Kind

|Pair:Kind→Kind→Kind

To simplify the presentation, here we have only defined pair kinds; however, this may be extended to tuple kinds without much trouble. Given this inductive definition, we would like to coerce elements of this kind back to their representations:

FixpointtoSet[K:Kind]:Set:=

CasesK of ω⇒Ω

|(Tok₁k₂)⇒(toSetk₁)→(toSetk₂)

|(Pairk₁k₂)⇒(toSetk₁)∗(toSetk₂) end.

Here the arrow and star in the right-hand side of the case clauses are the type-level arrow and cartesian product types (where cartesian product is also defined as an inductive type). We define the following syntactic sugars for these kinds:

A₁⇒A₂≡ ToA₁A₂ A₁~A₂≡PairA₁A₂

For a full discussion of the formal properties ofλ^R_i, including static semantics, dynamic semantics, and type-safety theorems, please see Appendix D.

Coqincludes syntactic sugars for fixpoint operations and inductive eliminations. Lambda ab- stractions are written as[X:A]B, andΠ-terms are written as(X:A)B.



. An Application: CPS Conversion

In this section we will show how to perform CPS conversion onλ^R_i using intensional type analysis. CPS conversion transforms all unconditional control transfers, including function invocation and return, to function calls and gives explicit names to all interme- diate computations. To perform CPS conversion, we will need a target language which we will callλ_K, with syntax:

(val) v ::=x|n|()|(v₁, v₂)|roll_τ(v)

|fixx⁰[X₁:A₁, . . . , X_n:A_n](x:A).e|inj⁽ⁱ⁾_τ

1+τ₂(v) (exp) e ::=v[A₁, . . . , A_n](v⁰)|letx=v ine|letx=#i(v)in e

|letx=op(v₁, v₂)ine|letx=unroll(v)in e

|ifv thene₁ elsee₂

|letx=case_τ1+τ2vof inj⁽¹⁾(x:τ₁)⇒e1 or inj⁽²⁾(x:τ₂)⇒e2 ine (oper) op ::= +| − |. . .

Expressions inλ_Kconsist of a series ofletbindings followed by a function application or a conditional branch. There is only one abstraction mechanism,fix, which combines type and value abstraction.

Theλ_Klanguage uses the same type language asλ^R_i. The ground types forλ_Kall have kindΩ_K, which, as before, is an inductive kind defined inCiC. TheΩ_Klanguage has all the constructors ofΩ. Functions in CPS do not return values, so inΩ_Kwe rede- fine the→→constructor to have kind:

→→:Ω_K→Ω_K.

We use the more conventional syntaxA→ ⊥in place of→→A.

Typed CPS conversion involves translating both types and computation terms. To translate types, we require a functionK_typ : Ω → Ω_K, and to translate terms we re- quire a meta-level functionK_exp. Since we have usedCiCas a general framework using inductive definitions, we can writeK_typas a type-level function of kindΩ→Ω_K. This allows us to show thatK_typJ[A/X]BKand[A/X](K_typJBK)are equivalent. This would prove very difficult ifK_typwere defined at the meta-level.

We can defineK_typthen as follows (using pattern-matching syntax):

K_typ(int) = int K_typ(unit) = unit

K_typ(→→ t₁t₂) = (K_typ(t₁)∗K_c(t₂))→ ⊥ K_typ(pairt₁t₂) = pair K_typ(t₁)K_typ(t₂) K_typ(sumtyt₁t₂) = sumty K_typ(t₁)K_typ(t₂) K_typ(µ[k]f g) = µ[k]f λx:k.(K_typ(g x))

K_c = λt:Ω.Ktyp(t)→ ⊥

The complete CPS-conversion algorithm is given in Section D.. The handling of the µconstructor in this example deserves some illumination. We note firstly that when we translate arollterm fromλ^R_i to λ_K, that thef function is unchanged inµ_κ(f , g).

This means that in the static semantics forλ_K, thef function is still limited to kinds



matchingtoSet(k), which work overΩin the base case. What happens, then, when we unroll such a term? TheK_typfunction composes the coercion functiongwith itself, so when we unrollµ_κ(f , g⁰), we obtain

K_typ(g(f(H(. . .)))),

and any instances ofµin the unrolled type have their coercion functions likewise altered.

 Related Work and Conclusions

Harper and Morrisett [] introduced intensional type analysis and pointed out the ne- cessity for type-level type analysis operators which inductively traverse the structure of types. The domain of their analysis is restricted to a predicative subset of the type lan- guage and it does not cover quantified types and recursive types.

Crary and Weirich [] proposed the use of deBruijn indices (i.e. natural numbers) to represent quantifier-bound variables. To analyze recursive types, the iterator carries an environment that maps indices to types. When the iterator reaches a type variable, which is now represented as just another constructed type (encoding a natural number), it returns the corresponding type from the environment. This method works well on recursive types of kindΩbut would be difficult, if not impossible, to extend to higher kinds. Papers by Trifonov et al. [] and Weirich [] exhibit the same problem.

The original motivation for this paper was to develop a formulation of recursive types which fit into a pre-existing framework which made pervasive use of inductive definitions. We believe, however, that the solution we have presented in this paper is applicable in a far more general context. Our goal for this paper is to put recursive types on a more rigorous, or at least more consistent, footing. The technique that we have proposed is simple, general, and extensible. It is consistent enough with standard approaches to type theory that we could, for instance, replace the recursive types in Harper’s

sml

type theory paper [] with ours with minimal effort. We believe that our paper is the first one to successfully attack the problem of fitting mutually recursive types in the context of intensional type analysis.

. Future work

Whereas other approaches to higher-order intensional type analysis [,,] support runtimeintensional type analysis, (also known aspolytypic programming), our treatment here, because of space restrictions, only considers type-level analysis. We are confident that we will be able to extendλ^R_i to support a term-leveltypecaseoperator with little difficulty.

Acknowledgements. Thanks to Hai Fang, Andrew McCreight, and Stefan Monnier for their helpful suggestions.



Bibliography

[] Robert Harper and Greg Morrisett. Compiling polymorphism using intensional type analy- sis. InProc. POPL ’:nd ACM Symposium on Principles of Programming Languages, pages

–, San Francisco, CA, USA,.

[] Zhong Shao, Bratin Saha, Valery Trifonov, and Nikolaos Papaspyrou. A type system for certified binaries. InProc. POPL ’:th ACM Symposium on Principles of Programming Languages, pages–, Portland, OR, USA, January.

[] Hongwei Xi and Frank Pfenning. Dependent types in practical programming. InProc.

Twenty-Sixth Annual ACM SIGPLAN-SIGACT Symp. on Principles of Programming Lan- guages, pages–. ACM Press,.

[] Robin Milner, Mads Tofte, Robert Harper, and David MacQueen.The Definition of Standard ML (Revised). MIT Press, Cambridge, Massachusetts,.

[] Paul Hudak, Simon Peyton Jones, Philip Wadler, andet al. Report on the programming language Haskell, a non-strict, purely functional language version.. SIGPLAN Notices,

(), May.

[] Valery Trifonov, Bratin Saha, and Zhong Shao. Fully reflexive intensional type analysis. In Proc. ICFP ’: ACM SIGPLAN International Conference on Functional Programming, pages

–, September.

[] Bratin Saha, Valery Trifonov, and Zhong Shao. Intensional analysis of quantified types.ACM Transactions on Programming Languages and Systems (TOPLAS),. To appear.

[] George C. Necula. Proof-carrying code. InProc. POPL ’: ACM SIGPLAN-SIGACT Sym- posium on Principles of Programming Languages, pages–, Paris, January.

[] Karl Crary and Stephanie Weirich. Flexible type analysis. InProc. ICFP ’: ACM SIGPLAN International Conference on Functional Programming, pages–,.

[] Robert Harper and Christopher Stone. An interpretation of Standard ML in type theory.

Technical Reportcmu-cs-97-147, Carnegie Mellon University, June.

[] Bratin Saha, Valery Trifonov, and Zhong Shao. Fully reflexive intensional type analysis in type erasure semantics. Technical Report YALEU/DCS/TR-, Dept. of Computer Science, Yale University, New Haven, CT, USA, June.

[] Bratin Saha, Valery Trifonov, and Zhong Shao. Fully reflexive intensional type analysis. Tech- nical Report YALEU/DCS/TR-, Dept. of Computer Science, Yale University, New Haven, CT, USA, March.

[] Chris Okasaki. From fast exponentiation to square matrices: An adventure in types. In Proc. ICFP ’: ACM SIGPLAN International Conference on Functional Programming, pages

–,.

[] C. Paulin-Mohring. Inductive Definitions in the System Coq - Rules and Properties. In M. Bezem and J.-F. Groote, editors,Proceedings of the conference Typed Lambda Calculi and Applications, numberin Lecture Notes in Computer Science,. LIP research report

-.

[] The Coq Development Team.The Coq Proof Assistant Reference Manual Version.. INRIA- Rocquencourt-CNRS-ENS Lyon, October.

[] Thierry Coquand and Gerard Huet. The calculus of constructions. InInformation and Computation, volume, pages–,.

[] Stephanie Weirich. Higher-order intensional type analysis. InEuropean Symposium on Pro- gramming, pages–,.

[] Felix Joachimski and Ralph Matthes. Short proofs of normalization for the simply- typed lambda-calculus, permutative conversions and G¨odel’s T. Accepted for publication

in the Archive for Mathematical Logic. Available fromhttp://www.tcs.informatik.

uni-muenchen.de/~matthes/abstracts.html.,.

[] Benjamin Werner.Une Th´eorie des Constructions Inductives. PhD thesis, L’Universit´e Paris, May.

A Formal Properties of λ

_M1

A. Static semantics

Environments We define two environments,∆andΓ. The∆environment is atype en- vironmentmapping type variables to their kinds, andΓis aterm environmentmapping term variables to their types. Typing a termewith a typeτis denoted asΓ;∆` e:τ.

The static semantics for these environments are as follows:

`Ωkind (A.)

`κ<sub>1</sub>kind `κ₂kind

`κ₁⇒κ₂kind (A.)

`κ<sub>1</sub>kind `κ₂kind

`κ₁~κ₂kind (A.)

` ·type env (A.)

`∆type env `κkind

`∆, t:κtype env (A.)

∆` ·term env (A.)

∆`Γterm env ∆`τ:Ω

∆`Γ, x:τterm env (A.)

Type formation ∆`τ:κ

t∈∆

∆`t:∆(t) (A.)

∆`int:Ω (A.)

∆`unit:Ω (A.)

∆`τ<sub>1</sub>:Ω ∆`τ₂:Ω

∆`τ₁→τ₂:Ω (A.)

∆`τ<sub>1</sub>:Ω ∆`τ₂:Ω

∆`τ₁+τ₂:Ω (A.)

∆`τ<sub>1</sub>:Ω ∆`τ₂:Ω

∆`τ₁∗τ₂:Ω (A.)

∆, t:κ₁`τ:κ₂

∆`λt:κ1.τ:κ₁⇒κ₂ (A.)

∆`τ<sub>1</sub>:κ<sub>1</sub>⇒κ<sub>2</sub> ∆`τ₂:κ₁

∆`τ₁τ₂:κ₂ (A.)

∆`τ<sub>1</sub>:κ<sub>1</sub> ∆`τ₂:κ₂

∆` hτ1,τ2i:κ1~κ2 (A.)

∆`τ:κ₁~κ₂

∆`π_i(τ):κ_i (A.)

∆, t:κ`τ:κ

∆`µt:κ.τ:κ (A.)

∆`Γ(x):Ω (∀x∈Dom(Γ))

∆`Γ (A.)

Type equality ∆`τ₁ ≡τ₂:κ

∆`τ:κ

∆`τ≡τ:κ (A.)

Rule A.: reflexivity.

∆`τ₁≡τ₂:κ

∆`τ₂≡τ₁:κ (A.)



Rule A.: symmetry.

∆`τ<sub>1</sub>≡τ<sub>2</sub>:κ ∆`τ₂≡τ₃:κ

∆`τ₁≡τ₃:κ (A.) Rule A.: transitivity.

∆`τ<sub>1</sub>≡τ<sub>1</sub><sup>0</sup>:Ω ∆`τ₂≡τ₂⁰:Ω

∆`τ₁→τ₂≡τ₁⁰→τ₂⁰ :Ω (A.) We note here that the function type is only de- fined for types of kindΩ; see rule A..

∆`τ<sub>1</sub>≡τ<sub>1</sub><sup>0</sup> :Ω ∆`τ₂≡τ₂⁰ :Ω

∆`τ₁+τ₂≡τ₁⁰+τ₂⁰ :Ω (A.) Note that the sum type is only defined for types of kindΩ; see rule A..

∆`τ1≡τ<sub>1</sub><sup>0</sup>:Ω ∆`τ2≡τ₂⁰:Ω

∆`τ₁∗τ₂≡τ₁⁰∗τ₂⁰ :Ω (A.) Note, again, that the pair type is only defined for types of kindΩ; see rule A..

∆`τ<sub>1</sub>≡τ<sub>1</sub><sup>0</sup> :κ<sub>1</sub> ∆`τ₂≡τ₂⁰ :κ₂

∆` hτ₁,τ₂i ≡ τ₁⁰,τ₂⁰

:κ₁~κ₂ (A.)

∆, t:κ`τ1≡τ2[s:=t]:κ t6 ∈FV(τ2)

∆`µt:κ.τ1≡µs:κ.τ2:κ (A.)

∆`τ<sub>1</sub>≡λt:κ.τ:κ⇒κ<sup>0</sup> ∆`τ₂:κ

∆`τ₁τ₂≡τ₁[t:=τ₂]:κ⁰

(A.)

∆`τ<sub>1</sub>≡τ<sub>1</sub><sup>0</sup> :κ<sub>1</sub>⇒κ<sub>2</sub> ∆`τ₂≡τ₂⁰ :κ₁

∆`τ₁(τ₂)≡τ₁⁰(τ₂⁰):κ₂

(A.)

∆, t:κ`τ≡τ⁰[s:=t]:κ⁰ t6 ∈FV(τ⁰)

∆`λt:κ.τ≡λs:κ.τ⁰:κ⇒κ⁰ (A.)

∆` hτ1,τ2i:κ1~κ2

∆`π_i(hτ₁,τ₂i)≡τ_i:κ_i (A.)

∆`τ₁≡τ₂:κ₁~κ₂

∆`π_i(τ₁)≡π_i(τ₂):κ_i (A.)

Term formation Γ;∆`e:τ

x∈Γ

Γ;∆`x:Γ(x) (A.)

∆`τ<sub>1</sub>≡τ<sub>2</sub> Γ;∆`e:τ₁

Γ;∆`e:τ2 (A.) Γ;∆`n:int (A.) Γ;∆`e1:int Γ;∆`e2:int

Γ;∆`op(e1, e2):int (A.) Γ, f :τ<sub>1</sub>→τ<sub>2</sub>, x:τ<sub>1</sub>; ∆`e:τ₂ Γ;∆`funf(x:τ₁):τ₂iseend: τ₁→τ₂

(A.) Γ;∆`e1:τ<sub>1</sub>→τ<sub>2</sub> Γ;∆`e2:τ₁

Γ;∆`e1(e2):τ<sub>2</sub> (A.) Γ;∆`():unit (A.) Γ;∆`e1:τ<sub>1</sub> Γ;∆`e2:τ₂

Γ;∆`(e1, e2):τ<sub>1</sub>∗τ<sub>2</sub> (A.) Γ;∆`e:int Γ;∆`e1:τ Γ;∆`e2:τ

Γ;∆`ifethene1elsee2fi:τ (A.) Γ;∆`e:τ₁∗τ₂

Γ;∆`fst(e):τ₁ (A.)

Γ;∆`e:τ₁∗τ₂

Γ;∆`snd(e):τ<sub>2</sub> (A.) Γ;∆`e:τ₁

Γ;∆`inlτ1+τ2(e):τ<sub>1</sub>+τ<sub>2</sub> (A.) Γ;∆`e:τ₂

Γ;∆`inrτ1+τ2(e):τ<sub>1</sub>+τ<sub>2</sub> (A.) Γ, x<sub>2</sub>:τ<sub>2</sub>;∆`e₂:τ

Γ, x1:τ₁;∆`e1:τ Γ;∆`e:τ₁+τ₂

Γ;∆`case_τ1+τ2eof inl(x1:τ₁)⇒e1

orelse inr(x2:τ₂)⇒e2 end:τ (A.) p=π_i| ·

s=τ⁰⁰| ·

∆`τ≡(p(µt:κ.τ<sup>0</sup>))(s):Ω Γ;∆`e:τ

Γ;∆`unroll(e):(p(τ⁰[t:=µt:κ.τ⁰]))(s) (A.) p=π_i| ·

s=τ⁰⁰| ·

∆`τ≡(p(µt:κ.τ<sup>0</sup>))(s):Ω Γ;∆`e:(p(τ⁰[t:=µt:κ.τ⁰]))(s)

Γ;∆`rollτ(e) (A.)



A. Dynamic semantics

The values of the language are as follows:

(values)v::=n|funf(x:τ₁):τ₂ iseend|inl_τ1+τ2(v)|inr_τ1+τ2(v)

|()|(v1, v2)|rollτ(v) Primitive evaluation rules

op(v1, v2),→v1opv2 (A.) v₁=funf(x:τ₁):τ₂ iseend

v1(v2),→e[f :=v1, x:=v2] (A.) fst(v1, v2),→v1 (A.) snd(v1, v2),→v2

(A.) v=inl_τ1+τ2(v⁰)

caseτ1+τ2vof inl(x:τ₁)⇒e₁ orelse inr(x:τ₂)⇒e2 end

,→e1[x:=v⁰]

(A.)

v=inrτ1+τ2(v⁰) caseτ1+τ2vof inl(x:τ₁)⇒e₁

orelse inr(x:τ₂)⇒e2end ,→e2[x:=v⁰]

(A.)

unroll(rollτ(v)),→v (A.) v6 =0

ifvthene1 elsee2 fi,→e1 (A.) v=0

ifvthene1elsee2fi,→e2

(A.)

Search rules

e1,→e⁰₁

op(e1, e2),→op(e⁰₁, e2) (A.) e2,→e⁰₂

op(v, e2),→op(v, e⁰₂) (A.)

e1,→e⁰₁

e1(e2),→e⁰₁(e2) (A.) e2,→e⁰₂

v(e2),→v(e⁰₂) (A.) e1,→e⁰₁

(e1, e2),→(e⁰₁, e2) (A.) e2,→e⁰₂

(v1, e2),→(v1, e₂⁰) (A.) e,→e⁰

fst(e),→fst(e⁰) (A.) e,→e⁰

snd(e),→snd(e⁰) (A.) e,→e⁰

inlτ1+τ2(e),→inlτ1+τ2(e⁰) (A.) e,→e⁰

inrτ₁+τ₂(e),→inrτ₁+τ₂(e⁰) (A.) e,→e⁰

caseτ₁+τ₂eof inl(x:τ₁)⇒e1

orelse inr(x:τ₂)⇒e₂ end ,→caseτ₁+τ₂e⁰of inl(x:τ₁)⇒e1

orelse inr(x:τ₂)⇒e2 end

(A.)

e,→e⁰ ifethene1elsee2fi ,→ife⁰ thene1elsee2fi

(A.)

e,→e⁰

unroll(e),→unroll(e⁰) (A.) e,→e⁰

rollτ(e),→rollτ(e⁰) (A.) A. Soundness and safety

Properties of static semantics

Proposition (Strong normalization).Type reduction for the language given above is strongly normalizing.

Proof (sketch).Rules A.through A.describe a simply-typed lambda calculus with pair types and constants. Proofs of strong normalization forλ→are familiar in the literature (see [], for instance.)



Corollary (Decidability).Type-checking the language given above is decidable.

Proof. Judgments for the formations of kinds (A.–A.), type environments (A.–A.), term environments (A.–A.), and type formation are all syntax-directed and hence decidable.

Type equivalence, however, is not syntax-directed. Since type reductions are strongly normalizing (Proposition), we can determine whetherτ₁≡τ₂by reducing bothτ₁and τ₂to normal form, then testing whether the normal forms are syntactically congruent.

Term formation is syntax-directed, excepting the type-equivalence rule A.. How- ever, if the type-checker always reduces types to normal form, then rule A.can be omitted.

Soundness

Lemma (Substitution).

. If Γ;∆`e<sup>0</sup>:τ<sup>0</sup>andΓ, x:τ<sup>0</sup>;∆`e:τ, thenΓ;∆`e[x:=e⁰]:τ.

. If ∆`τ<sup>0</sup>:κandΓ;∆, t:κ`e:τ, thenΓ[t:=τ⁰];∆`e[t:=τ⁰]:τ[t:=τ⁰].

Proof.

. By induction on the derivation ofΓ, x:τ⁰;∆`e:τ.

. By induction on the derivation ofΓ;∆, t:κ`e:τ.

Lemma (Type Inversion).

. If Γ;∆`x:τ, then∆`Γ(x)≡τ:Ω.

. If Γ;∆`n:τ, then∆`τ≡int:Ω.

. If Γ;∆`op(e<sub>1</sub>, e<sub>2</sub>):τ, then∆`τ≡int:Ω,Γ;∆`e<sub>1</sub>:int, andΓ;∆`e₂:int.

. If Γ;∆`funf(x:τ<sub>1</sub>):τ<sub>2</sub> is eend:τ, thenΓ, f :τ<sub>1</sub> →τ<sub>2</sub>, x:τ<sub>1</sub>;∆`e:τ₂and

∆`τ≡τ₁→τ₂:Ω.

. If Γ;∆ ` e1(e2) :τ, then there existsτ<sub>2</sub>such thatΓ;∆ ` e1 :τ₂ →τandΓ;∆ ` e2 :τ₂.

. If Γ;∆ ` (e1, e2) : τ, then there exist τ<sub>1</sub> andτ<sub>2</sub>such that∆ ` τ ≡ τ₁∗τ₂ : Ω, Γ;∆`e1:τ<sub>1</sub>, andΓ;∆`e2 :τ₂.

. If Γ;∆`():τ, then∆`τ≡unit:Ω.

. If Γ;∆`fst(e):τ, then there existsτ<sub>2</sub>such thatΓ;∆`e:τ∗τ₂, and similarly for snd.

. If Γ;∆`inlτ<sub>1</sub>+τ<sub>2</sub>(e<sub>1</sub>):τ, then∆`τ≡τ₁+τ₂ :ΩandΓ;∆`e₁ :τ₁. Theinrcase is similar.

. If Γ;∆ ` caseτ<sub>1</sub>+τ<sub>2</sub> eof inl(x : τ<sub>1</sub>) ⇒ e<sub>1</sub> orelse inr(x : τ<sub>2</sub>) ⇒ e<sub>2</sub> end : τ, then Γ;∆`e:τ₁+τ₂,Γ, x₁:τ₁;∆`e<sub>1</sub> :τ, andΓ, x<sub>2</sub> :τ<sub>2</sub>;∆`e₂:τ.

. IfΓ;∆` ifethene<sub>1</sub> elsee<sub>2</sub> fi:τ, thenΓ;∆` e:int,Γ;∆ `e<sub>1</sub> :τ, andΓ;∆ ` e₂ :τ.

. Letp=· |π_i, and lett=· |τ⁰⁰⁰. If Γ;∆`roll<sub>τ</sub>(e):τ<sup>0</sup>, then∆`τ≡τ⁰ ≡p(µt : κ.τ⁰⁰)(t):ΩandΓ;∆`e:p(τ⁰⁰[t :=µt :κ.τ⁰⁰])(t).

. Letp=· |π_i, and lett =· |τ⁰⁰. If Γ;∆`unroll(e):τ, then∆`τ ≡(p(τ⁰[t :=

µt:κ.τ⁰]))(t)andΓ;∆`e:(p(µt:κ.τ⁰))(t).

