Engineering Aspects of Formal Metatheory Stephanie Weirich joint work with Brian Aydemir, Arthur Chargueraud, and Benjamin Pierce

Why Mechanize PL Metatheory? Many ICFP and POPL papers accompanied by "write-only" technical reports. Difficult to develop and keep consistent From paper: "… we define the subtype relation as the greatest fixpoint of these subtype rules." From tech report: "Proof: by routine induction on the subtype derivation." Solution: replace tech report by machine-checked mathematics But how? Which prover? How to treat binding? 12/3/2018

How to compare systems Transparency Overhead Cost of entry How close are developments to informal conventions? How difficult to know what has been proved? Overhead How much additional work (operations/proof obligations) is necessary? Cost of entry Can non-experts read definitions and theorems? What help is available to get started? 12/3/2018

This work A Coq template for developing programming language metatheory A methodology for representing binding and specifying induction principles Compiles the best ideas of the past Includes our own novel contributions A library that supports this methodology reasoning about freshness representing environments Reference examples & supporting experience multiple calculi (STLC, F<:, CoC) multiple theorems (type soundness, confluence) All currently available online 12/3/2018

Basic datastructure Locally nameless representation Names for free variables de Bruijn indices for bound variables Example: Untyped lambda calculus Inductive exp : Set := | Lam : exp -> exp | App : exp -> exp -> exp | BVar : nat -> exp | FVar : atom -> exp. x. y. (x y) z represented as Lam (Lam (App (App (BVar 1) (BVar 0)) (FVar "z") 12/3/2018

Basic operations Two substitution functions Important special case [k -> u]t replace index k with u [x ~> u]t replace free variable x with u Important special case t ^ x replace index 0 with x Free variable calculation fv t finite set of free atoms in t 12/3/2018

Why locally nameless rep? Transparency: Alpha-equivalent terms have a unique representation Alternative: Pollute semantics or lemmas G |- e : t t = t' G |- e : t' If G |- e : t and e -> e' then G' |- e' : t' for some t' = t and G' = G. 12/3/2018

Why locally nameless rep? Allows name-based reasoning about environments Simple defs for operations, simple proofs about them de Bruijn indices: position-based reasoning Shifting of indices required Requires careful consideration of the environment at all times 12/3/2018

Issues with locally nameless rep Three important issues to resolve Local closure Not all exps are lambda calculus terms Induction principles How to make reasoning close to the "Barendregt Variable Convention" Function definitions How to define semantic functions with Coq functions and reason about them 12/3/2018

Local closure Not all members of type exp are lambda calculus terms Lam (BVar 3)? Predicate term : exp -> Prop Picks out members of type exp that are locally-closed Type { e | term e } Includes only lambda calculus terms Never actually use this type 12/3/2018

Treatment of local closure Definitions respect local closure If term u and term t, then term ([x ~> u]t) If t  t' then term t and term t' Many theorems need not refer to local closure If t  t' and t  t'', then t' = t''. Some theorems require it, tactics discharge assumptions [x ~> u](t ^ y) = ([x ~> u]t) ^ y when x  y, term u 12/3/2018

Local closure and Induction Inductive term : exp -> Prop := | t_var : x. term (FVar x) | t_app : t1 t2. term t1 -> term t2 -> term (App t1 t2) | t_lamE : x t1. x  fv t1 -> term (t1 ^ x) -> term (Lam t1) Can show t.term t -> P(t) when x. P(FVar x) t1 t2. P(t1) -> P(t2) -> P(App t1 t2) x t1. x  fv t1 -> P(t1 ^ x) -> P (Lam t1) [McKinna & Pollack 93] 12/3/2018

Weak principle In Lam case know that P holds for an arbitrary name not already free in t1. x t1. x  fv t1 -> P(t1 ^ x) -> P (Lam t1) Not strong enough for some proofs. 12/3/2018

Substitution Lemma In Lam case, WTP term [y ~> u](Lam t1) Lemma subst_term : t u y. term u -> term t -> term [y ~> u]t In Lam case, WTP term [y ~> u](Lam t1) IH in Lam case: for some x  fv t1 term [y ~> u](t1^x) By lemma term ([y ~> u]t1)^x By t_lamE term (Lam [y ~> u]t1) By def of subst term [y ~> u](Lam t1) Uh oh! Only holds if x  y 12/3/2018

A stronger induction principle Show t.term t -> P(t) when x. P(FVar x) t1 t2. P(t1) -> P(t2) -> P(App t1 t2) t1. (x. P(t1 ^ x)) -> P (Lam t1) IH applies to any x. Why is it sound? How to define it? 12/3/2018

Coq definition Change definition of local closure [MP 93] | t_lamA : t1. (x. term (t1 ^ x)) -> term (Lam t1) Soundness from equivalence of relations Lemma t_lamE : x t1. x  fv t1 -> term (t1 ^ x) -> term (Lam t1) Proof relies on swapping operation Definition swap:atom -> atom -> exp Lemma swap_term:t x y, term t -> term (swap x y t) 12/3/2018

Substitution lemma Lemma subst_term : t u y. term u -> term t -> term [y ~> u]t In Lam case, WTP term [y ~> u](Lam t1) IH in Lam case: x. term [y ~> u](t1 ^ x) Let x  {y}  fv u  fv t1 be arbitrary By lemma term ([y ~> u]t1) ^ x By t_lamE term (Lam [y ~>u]t1) By def of subst term [y ~>u](Lam t1) 12/3/2018

Swapping and Substitution Must we define and prove properties of both? interaction with opening terms [x ~> u](t ^ y) = ([x ~> u]t) ^ y when x  y, term u swap x z (t ^ y) = (swap x z t) ^ y when x,z  y interaction with free variables x  fv t -> [x ~> u]t = t x  fv t -> y  fv t -> swap x y t = t interaction with local closure term u -> term t -> term ([x ~> u] t) term t -> term (swap x y t) 12/3/2018

A not-so-strong IH New definition of local closure | t_lamC : t1 L. (x. x  L -> term (t1 ^ x)) -> term (Lam t1) Can prove substitution lemma directly. 12/3/2018

Substitution lemma Lemma subst_term : t u y. term u -> term t -> term [y ~> u]t In Lam case, WTP term [y ~> u](Lam t1) IH in Lam case: x. x  L -> term [y ~> u](t1 ^ x) Let x  {y}  L be arbitrary By lemma term ([y ~> u]t1) ^ x By t_lamC term (Lam [y ~> u]t1) By def of subst term [y ~> u](Lam t1) 12/3/2018

Soundness without swapping Use substitution to prove t_lamE without swapping. Lemma term_rename : t1 x y. x  fv t1 -> term (t1 ^ x) -> term (t1 ^ y). Lemma t_lamE : x t1. x  fv t1 -> term (t1 ^ x) -> term (Lam t1). 12/3/2018

General Form of Development Def. of syntax Def. of index substitution (t ^ x) Def. of local closure (term t) Def. of free variable substitution ([x ~> u]t) Def. of free variable function (fv t) Interaction lemmas Def. of semantic relations (t -> t', etc.) Show semantic relations respect local closure Substitution lemma for each relation w/ binding Show derived existential form of rules 12/3/2018

Conclusions Can use Coq's standard mechanisms for reasoning (inductive defs, tactics, etc.) Swapping does not appear to be essential. Seldom need to rename during proofs. IH applies to an infinite # of suitably fresh variables. Specialized tactics help local closure obligations fresh variable introduction 12/3/2018

Related work McKinna and Pollack 93 Gordon 94 Urban "Locally-named" representation Local closure def / structural induction Strong ind. principle using forall Gordon 94 Gives a "nominal" interface to a locally-nameless representation Urban Nominal Isabelle package Strengthened induction principle 12/3/2018

Mark your calendars! Using Proof Assistants for Programming Language Research or, How to write your next POPL paper in Coq SIGPLAN sponsored tutorial at POPL San Francisco, CA / January 8, 2008 12/3/2018