Twelf: The Quintessential Proof Assistant for Language Metatheory Karl Crary Carnegie Mellon University Joint work with Robert Harper and Michael Ashley-Rollman Poplmark meeting, January 2006

2 Outline LF –Higher-order abstract syntax –Adequacy –Subordination Metatheory using LF Twelf implementation –Meta-proof checking

3 What do we want? Framework for encoding deductive systems adequately. The encoding should serve as a substitute for the original system for all (formalist) purposes.

4 What is LF? Primarily, a methodology for encoding deductive systems. Secondarily, the language that methodology employs. Specifically: –A technique for encoding object languages. –A rigorous account of adequacy. –A language that makes everything work.

5 Higher-order abstract syntax Identify OL and ML variables. Represent binding using abstractions. Represent substitution using application.

6 Example: simply-typed lambda calculus exp : type. lam : (exp -> exp) -> exp. app : exp -> exp -> exp. d x. y.x y e = lam( x.lam( y.app x y))

7 Example: simply-typed lambda calculus of : exp -> tp -> type. of_lam : of (lam E) (arrow T 1 T 2 ) Ã (  x:exp. of x T 1 ! of (E x) T 2 ) of_app : of (app E 1 E 2 ) T 2 Ã of E 1 (arrow T 1 T 2 ) Ã of E 2 T 1

8 Adequacy A correct encoding must establish an isomorphism between the OL and its encoding. For syntax: –Bijection between OL syntax and ML canonical forms of appropriate type. –The bijection should respect substitution (compositionality). Not concerned with cosmetic matters.

9 Canonical forms Beta-normal, eta-long. Theorem: every LF term has a unique canonical form.

10 LF Dependently typed lambda calculus. User-specified “signature” provides type- and term-level constants. Principal virtue is that it provides the right notion of canonical form. –No case analysis on user-specified types! –The “weakness” of LF is its strength.

11 Example: adequacy Define: – d { x 1,..., x n } e = x 1 : exp,..., x n : exp – d x.e e = lam ( x. d e e ) – d e 1 e 2 e = app d e 1 e d e 2 e Then d¢e defines an isomorphism between lambda terms (with free variables contained in X) and LF canonical forms C such that d X e ` C : exp.

12 Example: adequacy Define: – d x 1 :  1,...,x n :  n e = x 1 :exp, d 1 :of x 1 d  1 e,..., x n :exp, d n :of x n d  n e Then there exists a bijection between derivations of  ` e :  and LF canonical forms C such that d  e ` C : of d e e d  e.

13 Example: elims are bad Suppose we have elimination forms. Then consider: lam ( x.case x of app y z => y | lam f => x) This does not represent any lambda- calculus expression! Parametricity is essential: the body of the lambda must not analyze its argument.

14 Subordination Type family a is subordinate to type family b (written a ≤ b) if a canonical form of a can appear within a canonical form of b. Particularly interested in the negation. Useful for considering when extensions to the context are irrelevant.

15 Subordination example of ≤ exp –terms can appear in typing derivations, but not vice versa Adding assumptions with type of is irrelevant to syntactic considerations. For example, adequacy for syntax still holds with typing assumptions in play. /

16 Metatheory in LF, a simple case Theorem (type preservation) if ` e 1 :  and e 1  e 2 then ` e 2 :  Proof Suppose ` e 1 :  and e 1  e 2 By adequacy, there exists canonical d1 such that ` d 1 : of d e 1 e d  e By adequacy, there exists canonical d2 such that ` d 2 : step d e 1 e d e 2 e

17 Simple example, continued It follows (the real work happens here) that there exists canonical d 3 such that ` d 3 : of d e 2 e d  e By adequacy, we have ` e 2 : 

18 Metatheory in LF, with contexts Theorem (subject reduction) if  ` e 1 :  and e 1 ! e 2 then  ` e 2 :  Proof Suppose  ` e 1 :  and e 1 ! e 2 Let X = FV(e 1 ) By adequacy, there exists canonical d1 such that d  e ` d 1 : of d e 1 e d  e By adequacy, there exists canonical d2 such that d X e ` d 2 : reduce d e 1 e d e 2 e

19 Context example, continued By weakening, d  e ` d 2 : step d e 1 e d e 2 e It follows that there exists canonical d3 such that d  e ` d 3 : of d e 2 e d  e By adequacy, we have  ` e 2 : 

20 Metatheory in LF, general case Theorem (normalization) if  ` e 1 :  then e 1 normalizes to some e 2 Proof Suppose  ` e :  By adequacy, there exists canonical d 1 such that d  e ` d 1 : of d e 1 e d  e It follows that there exists canonical E 2, d 2 such that d  e ` d 2 : normalize d e 1 e E 2 By adequacy, E 2 = d e 2 e (for some e 2 )

21 General example, continued Thus, d  e ` d 2 : normalize d e 1 e d e 2 e Issue: normalize is untyped, so its adequacy uses X = FV(e 1 ), not  Since of ≤ normalize, typing assumptions cannot contribute to normalize derivations. Thus, d X e ` d 2 : normalize d e 1 e d e 2 e By adequacy, e 1 normalizes to e 2 /

22 Twelf Type checker for LF Proof search Meta-proof checker

23 Meta-proofs in Twelf Define a relation between derivations of interest: sr : reduce E1 E2 -> of E1 T -> of E2 T -> type.... Indicate inputs and outputs: %mode sr +D1 +D2 –D3.

24 Meta-proofs in Twelf, continued Specify world (set of contexts) by indicating permissible assumption blocks. %block bind : some {t:tp} block {x:exp} {d:of x t}. %worlds (bind) (sr _ _ _). Indicate an induction strategy.

25 Meta-proofs in Twelf, continued Twelf proves that sr is total: For all  2 W, For all canonical  ` E1, E2 : exp  ` T : tp  ` D1 : reduce E1 E2  ` D2 : of E1 T There exists canonical  ` D3 : of E2 T  ` D : sr D1 D2 D3. (Don’t care about this one)

26 Totality checking Type checking Mode checking Outputs are ground (well-specified) if inputs are ground. World checking Recursive calls preserve the world invariant. Termination Coverage checking All cases are covered.

27 How we use Twelf TALT: first foundational certified code system Definition of Standard ML Poplmark challenge (in a few days) Nearly everything we do