Twelf: The Quintessential Proof Assistant for Language Metatheory

Slide 1: Twelf: The Quintessential Proof Assistant for Language Metatheory
Karl Crary, Carnegie Mellon University
Joint work with Robert Harper and Michael Ashley-Rollman
Poplmark meeting, January 2006

Slide 2: Outline
• LF
  – Higher-order abstract syntax
  – Adequacy
  – Subordination
• Metatheory using LF
• Twelf implementation
  – Meta-proof checking

Slide 3: What do we want?
• Framework for encoding deductive systems adequately.
• The encoding should serve as a substitute for the original system for all (formalist) purposes.

Slide 4: What is LF?
• Primarily, a methodology for encoding deductive systems.
• Secondarily, the language that methodology employs.
• Specifically:
  – A technique for encoding object languages.
  – A rigorous account of adequacy.
  – A language that makes everything work.

Slide 5: Higher-order abstract syntax
• Identify object-language (OL) and metalanguage (ML) variables.
• Represent binding using abstractions.
• Represent substitution using application.

Slide 6: Example: simply-typed lambda calculus

    exp : type.
    lam : (exp -> exp) -> exp.
    app : exp -> exp -> exp.

(The slide as extracted reads `app : exp -> exp.`; application takes two terms, as the example below and of_app on the next slide use it.)

    ⌈λx. λy. x y⌉ = lam (λx. lam (λy. app x y))

Slide 7: Example: simply-typed lambda calculus

    of : exp -> tp -> type.
    of_lam : of (lam E) (arrow T1 T2)
              <- ({x:exp} of x T1 -> of (E x) T2).
    of_app : of (app E1 E2) T2
              <- of E1 (arrow T1 T2)
              <- of E2 T1.

(The slide as extracted reads `of : exp -> type.`, which drops the tp argument that of_lam and of_app supply; the type family tp and its constructor arrow are assumed to be declared alongside exp.)

Slide 8: Adequacy
• A correct encoding must establish an isomorphism between the OL and its encoding.
• For syntax:
  – Bijection between OL syntax and ML canonical forms of appropriate type.
  – The bijection should respect substitution (compositionality).
• Not concerned with cosmetic matters.

Slide 9: Canonical forms
• Beta-normal, eta-long.
• Theorem: every LF term has a unique canonical form.

Slide 10: LF
• Dependently typed lambda calculus.
• User-specified “signature” provides type- and term-level constants.
• Principal virtue is that it provides the right notion of canonical form.
  – No case analysis on user-specified types!
  – The “weakness” of LF is its strength.

Slide 11: Example: adequacy
Define:
  – ⌈{x₁, ..., xₙ}⌉ = x₁ : exp, ..., xₙ : exp
  – ⌈λx. e⌉ = lam (λx. ⌈e⌉)
  – ⌈e₁ e₂⌉ = app ⌈e₁⌉ ⌈e₂⌉
Then ⌈·⌉ defines an isomorphism between lambda terms (with free variables contained in X) and LF canonical forms C such that ⌈X⌉ ⊢ C : exp.

Slide 12: Example: adequacy
Define:
  – ⌈x₁: ₁, ..., xₙ: ₙ⌉ = x₁: exp, d₁: of x₁ ⌈ ₁⌉, ..., xₙ: exp, dₙ: of xₙ ⌈ ₙ⌉
Then there exists a bijection between derivations of ⊢ e : and LF canonical forms C such that ⌈ ⌉ ⊢ C : of ⌈e⌉ ⌈ ⌉.

Slide 13: Example: elims are bad
Suppose we have elimination forms. Then consider:

    lam (λx. case x of app y z ⇒ y | lam f ⇒ x)

• This does not represent any lambda-calculus expression!
• Parametricity is essential: the body of the lambda must not analyze its argument.

Slide 14: Subordination
• Type family a is subordinate to type family b (written a ≤ b) if a canonical form of a can appear within a canonical form of b.
• Particularly interested in the negation.
• Useful for considering when extensions to the context are irrelevant.

Slide 15: Subordination example
• of ≰ exp
  – terms can appear in typing derivations, but not vice versa
• Adding assumptions with type of is irrelevant to syntactic considerations.
• For example, adequacy for syntax still holds with typing assumptions in play.

Slide 16: Metatheory in LF, a simple case
Theorem (type preservation): if ⊢ e₁ : and e₁ → e₂ then ⊢ e₂ :
Proof
• Suppose ⊢ e₁ : and e₁ → e₂
• By adequacy, there exists canonical d₁ such that ⊢ d₁ : of ⌈e₁⌉ ⌈ ⌉
• By adequacy, there exists canonical d₂ such that ⊢ d₂ : step ⌈e₁⌉ ⌈e₂⌉

Slide 17: Simple example, continued
• It follows (the real work happens here) that there exists canonical d₃ such that ⊢ d₃ : of ⌈e₂⌉ ⌈ ⌉
• By adequacy, we have ⊢ e₂ :

Slide 18: Metatheory in LF, with contexts
Theorem (subject reduction): if ⊢ e₁ : and e₁ → e₂ then ⊢ e₂ :
Proof
• Suppose ⊢ e₁ : and e₁ → e₂
• Let X = FV(e₁)
• By adequacy, there exists canonical d₁ such that ⌈ ⌉ ⊢ d₁ : of ⌈e₁⌉ ⌈ ⌉
• By adequacy, there exists canonical d₂ such that ⌈X⌉ ⊢ d₂ : reduce ⌈e₁⌉ ⌈e₂⌉

Slide 19: Context example, continued
• By weakening, ⌈ ⌉ ⊢ d₂ : step ⌈e₁⌉ ⌈e₂⌉
• It follows that there exists canonical d₃ such that ⌈ ⌉ ⊢ d₃ : of ⌈e₂⌉ ⌈ ⌉
• By adequacy, we have ⊢ e₂ :

Slide 20: Metatheory in LF, general case
Theorem (normalization): if ⊢ e₁ : then e₁ normalizes to some e₂
Proof
• Suppose ⊢ e₁ :
• By adequacy, there exists canonical d₁ such that ⌈ ⌉ ⊢ d₁ : of ⌈e₁⌉ ⌈ ⌉
• It follows that there exists canonical E₂, d₂ such that ⌈ ⌉ ⊢ d₂ : normalize ⌈e₁⌉ E₂
• By adequacy, E₂ = ⌈e₂⌉ (for some e₂)

Slide 21: General example, continued
• Thus, ⌈ ⌉ ⊢ d₂ : normalize ⌈e₁⌉ ⌈e₂⌉
• Issue: normalize is untyped, so its adequacy uses X = FV(e₁), not
• Since of ≰ normalize, typing assumptions cannot contribute to normalize derivations.
• Thus, ⌈X⌉ ⊢ d₂ : normalize ⌈e₁⌉ ⌈e₂⌉
• By adequacy, e₁ normalizes to e₂

Slide 22: Twelf
• Type checker for LF
• Proof search
• Meta-proof checker

Slide 23: Meta-proofs in Twelf
• Define a relation between derivations of interest:

    sr : reduce E1 E2 -> of E1 T -> of E2 T -> type.

• Indicate inputs and outputs:

    %mode sr +D1 +D2 -D3.

Slide 24: Meta-proofs in Twelf, continued
• Specify the world (set of contexts) by indicating permissible assumption blocks:

    %block bind : some {t: tp} block {x: exp} {d: of x t}.
    %worlds (bind) (sr _ _ _).

• Indicate an induction strategy.

Slide 25: Meta-proofs in Twelf, continued
Twelf proves that sr is total:
• For all contexts in W,
• For all canonical E1, E2, T, D1, D2 such that
  – ⊢ E1, E2 : exp
  – ⊢ T : tp
  – ⊢ D1 : reduce E1 E2
  – ⊢ D2 : of E1 T
• There exists canonical D3 and D such that
  – ⊢ D3 : of E2 T
  – ⊢ D : sr D1 D2 D3 (don’t care about this one)

Slide 26: Totality checking
• Type checking
• Mode checking
  – Outputs are ground (well-specified) if inputs are ground.
• World checking
  – Recursive calls preserve the world invariant.
• Termination
• Coverage checking
  – All cases are covered.
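The procedure of slides 23 through 26, carried through on the calculus of slides 6 and 7, as an added worked example that is not code from the slides or from the Twelf distribution. The slides show only exp, lam, app, of, of_lam, of_app and the shapes of sr, %mode, %block and %worlds; the type family tp with its constructor arrow, the one-step reduction relation step (used in place of the slides' reduce), every rule name, and the %total declaration are this example's own choices. The signature is meant to be loaded as one file and checked end to end:

```twelf
%% Added example, not from the slides: STLC syntax and typing (slides 6-7),
%% one-step reduction, and the subject-reduction relation sr (slides 23-25),
%% carried through to %total. tp, arrow, step and all rule names are this
%% example's own choices.

%% Object-language types and (Curry-style) terms in HOAS: lam takes an LF
%% function, so object-level binding is LF binding (slide 5).
tp : type.
arrow : tp -> tp -> tp.

exp : type.
lam : (exp -> exp) -> exp.
app : exp -> exp -> exp.

%% Typing. The hypothetical judgment for the body of a lambda is an LF
%% Pi-type: for every x and every typing assumption d : of x T1.
of : exp -> tp -> type.
of_lam : of (lam E) (arrow T1 T2)
          <- ({x:exp} of x T1 -> of (E x) T2).
of_app : of (app E1 E2) T2
          <- of E1 (arrow T1 T2)
          <- of E2 T1.

%% One-step reduction (full beta, including under binders). Substitution in
%% step_beta is LF application (E1 E2), again per slide 5.
step : exp -> exp -> type.
step_beta : step (app (lam E1) E2) (E1 E2).
step_app1 : step (app E1 E2) (app E1' E2)
             <- step E1 E1'.
step_app2 : step (app E1 E2) (app E1 E2')
             <- step E2 E2'.
step_lam  : step (lam E) (lam E')
             <- ({x:exp} step (E x) (E' x)).

%% Subject reduction as a relation between derivations (slide 23): inputs
%% are the step and the typing of the redex, output the typing of the result.
sr : step E E' -> of E T -> of E' T -> type.
%mode sr +D1 +D2 -D3.

%% Beta. Note the argument order: with the backward arrow, the last-written
%% premise of of_app (of E2 T1) is its first argument. Instantiating the
%% Pi-bound body derivation at E2 and D2 is the substitution lemma for free.
sr_beta : sr step_beta (of_app D2 (of_lam D1)) (D1 E2 D2).

sr_app1 : sr (step_app1 D) (of_app D2 D1) (of_app D2 D1')
           <- sr D D1 D1'.

sr_app2 : sr (step_app2 D) (of_app D2 D1) (of_app D2' D1)
           <- sr D D2 D2'.

%% Reducing under a binder: the recursive call runs in a context extended by
%% {x, d}, exactly the block permitted by the %worlds declaration below.
%% Because of is not subordinate to step (slide 15), the assumption d can
%% never occur inside the step derivation D x.
sr_lam : sr (step_lam D) (of_lam D1) (of_lam D1')
          <- ({x:exp} {d: of x T1} sr (D x) (D1 x d) (D1' x d)).

%% The world (slide 24): contexts built from variable/typing-assumption pairs.
%block bind : some {t:tp} block {x:exp} {d: of x t}.
%worlds (bind) (sr _ _ _).

%% Run the checks of slide 26: mode, world, termination by induction on the
%% step derivation, and coverage. Success means sr is total (slide 25).
%total D (sr D _ _).
```

Loading the file in twelf-server with loadFile runs every check in order, and each failure mode on slide 26 is observable by breaking the signature in one place: deleting sr_app2 makes coverage checking report the missing case, dropping the `{d: of x t}` assumption from the bind block makes world checking reject sr_lam, and recursing on a non-subterm in sr_app1 makes termination checking fail. None of these involve case analysis on exp itself, which is the point of slide 13.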

Slide 27: How we use Twelf
• TALT: first foundational certified code system
• Definition of Standard ML
• Poplmark challenge (in a few days)
• Nearly everything we do