
2.7.1 Definitional and propositional equalities

In mathematics, equality is a proposition: we can disprove an equality or assume an equality as a hypothesis. Since in type theory propositions are seen as types [25], the proposition that two elements x and y are equal corresponds to a type. Thus, if x and y are of type a, then the type Id_a(x, y) represents the proposition "x is equal to y". If this type is inhabited, then x is said to be provably equal to y. Thus, Id is a type family (parametrised by the type a) indexed over two elements of a, giving Id (a : Type) : a → a → Type. For convenience, we write (Id a x y) as (x =_a y), or even simply as (x = y). This equality is the equality which can be manipulated in the language.

There is another, more primitive, notion of equality in Intensional Type Theory, called judgemental equality or definitional equality. This second equality means "equal by definition". The judgemental equality cannot be negated or assumed; we cannot talk about this primitive equality inside the theory. Whether or not two expressions are equal by definition is a matter of evaluating the definitions. For example, if f : N → N is defined by f x ≡ x + 2, then f 5 is definitionally equal to 7. Definitional equality entails unfolding of functions and reductions, until no more reduction can be performed. We denote the definitional equality by ≡.

The judgemental equality has to be included in the propositional equality, because what is equal by definition must be provably equal. This is accomplished by giving a constructor for the type Id(a, a) and none when "a is not b". In these theories, Id is therefore implemented with the following type with one constructor:

    data Id : a -> a -> Type where
      Refl : Id x x

The only way for (Id a x y) to be inhabited is therefore that x and y are equal by definition. In this case, the constructor Refl helps to create a proof of this equality: (Refl x) is precisely the proof which says that x =_a x. Here, we are using the notation of Idris, where unbound variables like a in the definition of Id are implicitly quantified, as a concise programming notation.

2.7.2 Equality proofs in non-empty contexts

When reading these definitions, one could wrongly think that because the propositional equality captures exactly the judgemental equality, it will be impossible to prove the equality between syntactically different terms, like a + b and b + a for arbitrary a and b. In fact, the propositional and the judgemental equality only coincide in an empty context. When proving ∀a b, a + b = b + a, the variables a and b are first abstracted, and the equality goal a + b = b + a makes sense in a context that contains these abstracted variables a and b. It is then possible to finish the proof because in these type theories a principle of induction is associated with each inductive type. An induction principle says that if a proposition holds for the base cases (i.e. the constant constructors), and if it can be shown that whenever it holds for some terms it also holds for the bigger terms obtained by applying the recursive constructors, then this proposition holds for any term of this type. More formally, if a type T is an inductive type with a constant constructor and a recursive constructor, i.e. T = 1 + T, defined in Idris as:

    data T : Type where
      T0 : T
      T1 : T -> T

then we have:

    T_ind : ∀P : T → Type, (P T0) → (∀t : T, P t → P (T1 t)) → (∀t : T, P t).

An aside about the axioms of the underlying theory: the induction principles are not necessarily pure axioms of the theory. For each type, the associated principle of induction can be proven by means of a recursive definition. Therefore, we can either take the induction principles as the primitive brick, and consider that the theory automatically adds such an axiom every time a new inductive type is defined, or we can consider that the theory allows the computation of fixpoints through well-founded recursive definitions and that this is the primitive construction. The first way to see things is the standard logical point of view, where we see the internal type theory as a logic with clear axioms that are easy to state; the second formalisation is a computational point of view, where the internal mechanisms of recursive definitions enabled by the language become part of the trusted kernel of the theory. The important thing is that either way, we now have the possibility to prove the equality of terms containing universally quantified variables. For the rest of the text, we will consider that we have these induction principles, and we will refer to them as axioms because they are either pure axioms, or they directly follow from the ability to write well-founded recursive definitions.

These principles of induction can be used for proving any proposition, so they also work for the propositional equality. For example, we can prove that n + 0 = n for all n by induction on the Nat n, even if n + 0 ≢ n (in a context containing n) with the usual definition of +, recursive on its first argument. So, the axiom of induction enables us to prove the equality between terms that are not definitionally equal in non-empty contexts. Proving equalities is therefore, in these theories, something which is not automatically decidable by the type-checker in the general case: when some variables x, y, etc. are abstracted, completely evaluating the left and right hand sides L(x, y, ...) and R(x, y, ...) is not enough, because the reductions will be stuck until actual values are passed for the variables x, y, etc.

Because of the dependent pattern-matching that Idris has, given an equality proof p of L = R (with L and R potentially containing free variables), it is possible to prove that necessarily p is Refl by pattern-matching on p. Said differently, the only acceptable shape of an equality proof is Refl, which means that axiom K is provable in Idris. That means that even for a universally quantified formula like ∀x y, L(x, y, ...) = R(x, y, ...), when given a proof p of it, p always reduces to Refl when fully applied, which means it can be used as a definitional equality. Therefore, we can manipulate as definitionally equal things which have been proven to be propositionally equal.

The problem is that when trying to prove a lemma of the shape ∀x y, L(x, y, ...) = R(x, y, ...), after abstracting the universally quantified variables, we are left with the goal L(x, y, ...) = R(x, y, ...), which might not be provable directly by Refl because, until we get actual values for the abstract variables x, y, etc., we have two things that might not be judgementally equal. As an example, when trying to prove ∀x y, x + y = y + x, after the abstraction of x and y we are left with the goal x + y = y + x, which cannot be proven by Refl. But since we have these variables x and y in the context, we can use the induction principles (here either on x or on y) to make some progress in the proof and ultimately to finish it. However, using the induction principle requires making proofs (for the base case and the induction step), which, as explained in 2.4, is not fully automatable and is therefore the programmer's role.
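The points of 2.7.1 and 2.7.2 above in Idris 2, as an added example that is not part of the thesis: a closed goal settled by definitional equality alone, the induction principle of T obtained from a recursive definition, and the open goals n + 0 = n and x + y = y + x closed by induction. The names fFive, tInd, plusZeroRight, plusSuccRight and plusComm are ours; `rewrite prf in e` with prf : a = b replaces a by b in the goal of e, as in the Idris tutorial.

```idris
module EqualityExamples

-- 2.7.1: f 5 unfolds to 7, so the closed goal is inhabited by Refl alone.
f : Nat -> Nat
f x = x + 2

fFive : f 5 = 7
fFive = Refl

-- 2.7.2: the type T = 1 + T and its induction principle T_ind, proven by a
-- structurally recursive definition (the "computational" reading of the axiom).
data T : Type where
  T0 : T
  T1 : T -> T

tInd : (p : T -> Type) -> p T0 -> ((t : T) -> p t -> p (T1 t)) -> (t : T) -> p t
tInd p base step T0     = base
tInd p base step (T1 t) = step t (tInd p base step t)

-- In the open context {n}, n + 0 is stuck because + recurses on its first
-- argument, so "plusZeroRight n = Refl" is rejected; induction on n succeeds.
plusZeroRight : (n : Nat) -> n + 0 = n
plusZeroRight Z     = Refl                                 -- 0 + 0 reduces to 0
plusZeroRight (S k) = rewrite plusZeroRight k in Refl      -- S (k + 0) becomes S k

-- Induction step lemma for commutativity: S (n + m) = n + S m.
plusSuccRight : (n, m : Nat) -> S (n + m) = n + S m
plusSuccRight Z     m = Refl
plusSuccRight (S k) m = rewrite plusSuccRight k m in Refl

-- x + y = y + x is not provable by Refl in the context {x, y}; induction on x,
-- with the two lemmas above, gives the proof the text describes.
plusComm : (x, y : Nat) -> x + y = y + x
plusComm Z     y = rewrite plusZeroRight y in Refl        -- goal y = y + 0
plusComm (S k) y =
  rewrite plusComm k y in                                  -- S (y + k) = y + S k
    rewrite plusSuccRight y k in Refl
```

Once plusComm is total, a proof plusComm a b for concrete a and b reduces to Refl, which is the axiom-K behaviour described above.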

However, it is often possible to indicate a normalisation procedure that transforms each term into the canonical representative of its equivalence class. This is often possible when the considered datatype and its operations happen to have some classical properties, like the associativity or the commutativity of an operator, or the existence of a neutral element. For example, the type Nat and its operation of addition +, defined recursively on its first argument, satisfies these three properties:

• associativity: ∀(x y z : Nat), (x + y) + z = x + (y + z),

• commutativity: ∀(x y : Nat), x + y = y + x, and

• neutral element: ∀x : Nat, x + 0 = 0 + x = x.

For such datatypes, it will be possible to automatically decide the equality between two terms. In chapter 3 we will implement such a decision procedure for Nat and the property of associativity, and in chapter 4 we will see how this can be generalised to any datatype for various algebraic structures.

Prior to that and in the next subsection, we will talk about proof engineering and we will review the current state of the art in the area of proof automation.