In document Combining Proofs and Programs (Page 65-67)

3.3 Adapting the Girard–Tait Method

3.3.4 Normalization

The step-indexed interpretation from the previous section repairs the problems encountered in the first two proposed interpretations and can be used to prove normalization for the logical fragment. Since our results are formalized in Coq, we give only a high-level overview of the proof here. To begin, we must update the $\rho \models \Gamma$ judgement to account for steps. We now write $\Gamma \models_k \rho$ when $x :^{\theta} A \in \Gamma$ implies $\rho x \in \mathcal{V}\llbracket A \rrbracket^{\theta}_{k}$.

Three key lemmas are needed in the main soundness theorem. The first is a standard “downward closure” property that often accompanies step-indexed logical relations. This lemma captures the idea that we build a more precise interpretation of a type by considering terms that must be valid for more steps.

Lemma 3.3.1 (Downward Closure). For any $A$ and $\theta$, if $j \le k$ then $\mathcal{V}\llbracket A \rrbracket^{\theta}_{k} \subseteq \mathcal{V}\llbracket A \rrbracket^{\theta}_{j}$ and $\mathcal{C}\llbracket A \rrbracket^{\theta}_{k} \subseteq \mathcal{C}\llbracket A \rrbracket^{\theta}_{j}$.

Two lemmas relate the programmatic and logical interpretations, corresponding to the TMobVal and TSub typing rules. The first says that the two interpretations agree on mobile types:

Lemma 3.3.2. If $\mathrm{Mob}(A)$, then $\mathcal{V}\llbracket A \rrbracket^{\mathsf{L}}_{k} = \mathcal{V}\llbracket A \rrbracket^{\mathsf{P}}_{k}$.

The second captures the idea that the logical fragment is a subsystem of the programmatic fragment:

Lemma 3.3.3. For any $A$ and $k$, $\mathcal{V}\llbracket A \rrbracket^{\mathsf{L}}_{k} \subseteq \mathcal{V}\llbracket A \rrbracket^{\mathsf{P}}_{k}$ and $\mathcal{C}\llbracket A \rrbracket^{\mathsf{L}}_{k} \subseteq \mathcal{C}\llbracket A \rrbracket^{\mathsf{P}}_{k}$.

The content of the soundness theorem is essentially the same as in our second failed attempt, but we can now state it more directly, using the computational interpretation. The theorem is proved by induction on the step count $k$ (to handle the case of recursive functions), with a nested induction on the typing derivation. It uses the lemmas outlined above.

Theorem 3.3.4 (Soundness). If $\Gamma \vdash_{\theta} a : A$ and $\Gamma \models_k \rho$, then $\rho a \in \mathcal{C}\llbracket A \rrbracket^{\theta}_{k}$.

The normalization of the logical fragment is a direct consequence of this theorem and the definition of the interpretation.

Lemma 3.3.5 (Normalization). If $\cdot \vdash_{\mathsf{L}} a : A$ then there exists a value $v$ such that $a \leadsto^{*} v$.

Chapter 4

Adding Dependent Types

Head down towards Kansas.
We will get there when we get there, don't you worry.
Feel bad about the things we do along the way,
But not really that bad.

Psalms 40:2
The Mountain Goats

In this chapter, we will extend the language λθ with dependent types and equality. We call this new system LFθ, to reflect that it has roughly the same level of expressiveness as LF [31]. Like LF, this system has dependent types but not type-level computation or polymorphism. However, there are some important differences.

In being more precise about how LFθ relates to LF, it is convenient to refer to Barendregt's lambda cube [6]. In particular, LF comprises the (∗, ∗) and (∗, □) corners of the lambda cube. The former allows normal term-level functions, while the latter allows type-level functions that take terms as arguments ("dependent types"). It does not include the (□, ∗) corner (which allows polymorphic functions) or the (□, □) corner (which allows functions from types to types, and is often referred to as type-level computation). On the other hand, LFθ does not allow arbitrary functions from terms to types via the (∗, □) rule, but we still say it has dependent types because we include an explicit type constructor that takes terms as arguments (equality) and because the range of an arrow type may refer to the value of its domain (i.e., arrow types have the form (x:A)→B rather than A→B).

Unlike LF, LFθ includes the logical and programmatic fragments we have seen previously, along with a novel equality type. In particular, the elimination of equality is not marked in the syntax of terms, a substantial departure from traditional intensional dependently typed languages where equality typically arises as a datatype with a pattern-matching elimination form. We saw in Chapter 2 that this unmarked elimination can be very convenient for programmers, as uses of conversion no longer "clutter" terms. However, as we will see in this chapter and the next two, this notion of equality substantially complicates the metatheory of the language.

Expressions
a, b, A, B ::= ⋆ | (x:A)→B | a = b | Nat | A + B | Σx:A.B | µx.A | A@θ
             | x | λx.b | rec f x.b | ind f x.b | b a | refl | inl a | inr b
             | scase_z a of {inl x ⇒ a1; inr y ⇒ a2} | pcase_z a of {(x, y) ⇒ b} | ⟨a, b⟩
             | Z | S a | ncase_z a of {Z ⇒ a1; S x ⇒ a2} | roll a | unroll a

Consistency Classifiers
θ ::= L | P

Values
v ::= ⋆ | (x:A)→B | a = b | Nat | A + B | Σx:A.B | µx.A | A@θ
    | x | λx.a | rec f x.a | ind f x.a | refl | inl v | inr v | ⟨v1, v2⟩ | Z | S v | roll v

Figure 4.1: LFθ: Syntax
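As an added illustration (not code from the thesis or its Coq development), here is the syntax of Figure 4.1 written as a Rust data type, with the Values sub-grammar implemented as a predicate; the constructor and field names are my own choices, and the binder names carried by the case forms are kept only so the type mirrors the figure.

```rust
// Added example, not from the thesis: the LFθ term syntax of Figure 4.1 as a
// Rust enum, with the `Values` sub-grammar of the figure as a predicate.
#[derive(Debug, Clone, PartialEq)]
pub enum Theta { L, P } // consistency classifiers: logical or programmatic

#[derive(Debug, Clone, PartialEq)]
pub enum Term {
    Star,                                 // ⋆
    Pi(String, Box<Term>, Box<Term>),     // (x:A)→B, x binds in B
    Eq(Box<Term>, Box<Term>),             // a = b
    Nat,
    Sum(Box<Term>, Box<Term>),            // A + B
    Sigma(String, Box<Term>, Box<Term>),  // Σx:A.B
    Mu(String, Box<Term>),                // µx.A
    At(Box<Term>, Theta),                 // A@θ
    Var(String),
    Lam(String, Box<Term>),               // λx.b
    Rec(String, String, Box<Term>),       // rec f x.b
    Ind(String, String, Box<Term>),       // ind f x.b
    App(Box<Term>, Box<Term>),            // b a
    Refl,
    Inl(Box<Term>),
    Inr(Box<Term>),
    // scase_z a of {inl x ⇒ a1; inr y ⇒ a2}: scrutinee, (x, a1), (y, a2)
    SCase(Box<Term>, (String, Box<Term>), (String, Box<Term>)),
    PCase(Box<Term>, (String, String, Box<Term>)), // pcase_z a of {(x, y) ⇒ b}
    Pair(Box<Term>, Box<Term>),           // ⟨a, b⟩
    Z,
    S(Box<Term>),
    NCase(Box<Term>, Box<Term>, (String, Box<Term>)), // ncase_z a of {Z ⇒ a1; S x ⇒ a2}
    Roll(Box<Term>),
    Unroll(Box<Term>),
}

/// The `Values` grammar of Figure 4.1: types and ⋆ are values outright (whatever
/// their components), abstractions, recursors, variables and refl are values,
/// constructor applications are values exactly when their arguments are, and
/// eliminators (application, the case forms, unroll) never are.
pub fn is_value(t: &Term) -> bool {
    use Term::*;
    match t {
        Star | Pi(..) | Eq(..) | Nat | Sum(..) | Sigma(..) | Mu(..) | At(..) => true,
        Var(_) | Lam(..) | Rec(..) | Ind(..) | Refl | Z => true,
        Inl(a) | Inr(a) | S(a) | Roll(a) => is_value(a),
        Pair(a, b) => is_value(a) && is_value(b),
        App(..) | SCase(..) | PCase(..) | NCase(..) | Unroll(_) => false,
    }
}
```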

We begin in Section 4.1 with a specification of LFθ. The type safety of LFθ must be approached slightly differently than that of λθ. In particular, in Section 4.2 we will prove preservation and show that a proof of progress must wait until after we have demonstrated LFθ’s consistency. While LFθ’s notion of equality complicates the proof of type safety, we will see in Section 4.3 that the partially step-indexed technique from Chapter 3 can be extended in a standard way to show that the logical fragment of LFθ normalizes (and is therefore consistent). Finally, in Section 4.4, we show progress for LFθ, completing the proof of type safety.

As was the case in Chapter 3, LFθ and its metatheory have been completely mechanized in Coq. The proofs are available in this thesis's digital appendix [13]. For this reason, we focus here on a clear explanation of our techniques and the key differences between LFθ and more traditional languages, rather than explicitly writing out the details of every lemma.