1. Higher-Order Encodings in Intensional Type Theory Edwin Westbrook Rice University

2. Type Systems Give Correctness “Correct-by-construction” guarantee – (For a specific class of potential bugs) ML, Java, Haskell: No runtime type errors More advanced systems: – No unwanted aliasing [Wadler ’90] – No deadlocks [Boyapati ‘02] – Many more!

3. More Guarantees = More Complexity Type Systems are in the trusted core! How do we know proofs are correct? How do we know implementations are correct?

4. Verified Meta-Programming in CNIC Calculus of Nominal Inductive Constructions Calculus of Nominal Inductive Constructions PL Implementation Correctness proof Program

5. Why CNIC? CNIC = Coq + Higher-Order Encodings (HOEs) – New solution to an open research problem Coq is a powerful proof assistant – Well studied, proof libraries, proof automation HOE = technique for encoding name-bindings – Can make a datatype for typed PLs – Get many properties “for free” The result: CNIC is a language for verified PLs

6. Outline Higher-Order Encodings in CNIC Binding-related features of CNIC Example: simply-typed λ-calculus – Can only write well-typed terms Example: substitution for λ-calculus – Type Preservation for free!

7. What Is a Name-Binding? Construct that introduces a name – E.g. λx : A. M Name-bindings have 4 properties: – Freshness: x is distinct from other bound names – α-equivalence: λx : A. x = λy : A. y – Scoping: x cannot be used outside λx – Typing: x has type A, not type B

8. Name-Bindings Encoded with ν Equal up to renaming of bound names να : A. M Introduces fresh name α Scope of α limited to M α has type Name A

9. Example: Simply-Typed λ-Calculus var:: Name T => trm T app :: trm (arrow T1 T2) => trm T1 => trm T2 lam :: ( ∇ α : trm T1. trm T2) => trm (arrow T1 T2) E.g. λx : (b -> b). λy : b. x y encoded as lam (νx : (arrow b b). lam (νy : b. app (var x) (var y)))

10. Elimination Form for ∇ Bindings can be “applied” to fresh names: Evaluation rule: (να : A. M) @ β -> [β/α]M M @ α M : ∇ β:A. B α is fresh for M

11. Example: Equality of λ-Terms [Felty and Pientka ‘10] eq-var:: eq (var x) (var x) eq-app:: eq t1 t1’ => eq t2 t2’ => eq (app t1 t2) (app t1’ t2’) eq-lam:: ( ∇ α : trm T1. eq (b1 @ α) (b2 @ α)) => eq (lam b1) (lam b2)

12. Key Feature: World-Bindings Bind multiple names in one construct – (NOTE: this is a slight simplification: see paper) ν(α 1 :A 1, …, α n :A n ).M or νΓ. M

13. Example: Counting Variables num-vars (νΓ. var (x@Γ)) = 1 num-vars (νΓ. app (t1@Γ) (t2@Γ)) = (num-vars (νΓ. t1@Γ) + (num-vars (νΓ. t2@Γ)) num-vars (νΓ. lam (να : trm T1. (t@(Γ,α)))) = num-vars (ν(Γ,α). t@(Γ,α))

14. Example: Multi-Arity Substitution subst :: ( ∇ Γ. trm (T@Γ)) => trm-list Γ => trm (lift-tp (νΓ. T@Γ)) subst (νΓ. app (t1@Γ) (t2@Γ)) L = app (subst (νΓ. (t1@Γ)) (subst (νΓ. (t2@Γ)) subst (ν(Γ,α). lam (να. (x@(Γ,α)))) L = lam (να. (subst (ν(Γ,α). var (x@(Γ,α))) [L,α]))

15. Example: Multi-Arity Substitution subst :: ( ∇ Γ. trm (T@Γ)) => trm-list Γ => trm (lift-tp (νΓ. T@Γ)) subst (ν(). var β) [] = var β subst (ν(Γ,α). var α) [L, M] = M subst (ν(Γ,α). var (x@Γ)) [L, M] = subst (νΓ. var (x@Γ)) L

16. Conclusion Type Systems are safety-critical – Need to trust proofs and implementations CNIC allows verified implementations Technical contribution: CIC + HOEs Public release available soon!

17. Thank You!