Twelf: The Quintessential Proof Assistant for Language Metatheory
Karl Crary, Carnegie Mellon University
Joint work with Robert Harper and Michael Ashley-Rollman
Poplmark meeting, January 2006
Outline
• LF
  – Higher-order abstract syntax
  – Adequacy
  – Subordination
• Metatheory using LF
• Twelf implementation
  – Meta-proof checking
What do we want?
• Framework for encoding deductive systems adequately.
• The encoding should serve as a substitute for the original system for all (formalist) purposes.
What is LF?
• Primarily, a methodology for encoding deductive systems.
• Secondarily, the language that methodology employs.
• Specifically:
  – A technique for encoding object languages.
  – A rigorous account of adequacy.
  – A language that makes everything work.
Higher-order abstract syntax
• Identify object-language (OL) and metalanguage (ML) variables.
• Represent binding using abstractions.
• Represent substitution using application.
Example: simply-typed lambda calculus
exp : type.
lam : (exp -> exp) -> exp.
app : exp -> exp -> exp.

⌈λx.λy. x y⌉ = lam (λx. lam (λy. app x y))
Example: simply-typed lambda calculus
tp : type.                 % tp and arrow are assumed by the slide; declared here
arrow : tp -> tp -> tp.

of : exp -> tp -> type.
of_lam : of (lam E) (arrow T1 T2)
          <- ({x:exp} of x T1 -> of (E x) T2).
of_app : of (app E1 E2) T2
          <- of E1 (arrow T1 T2)
          <- of E2 T1.
Adequacy
• A correct encoding must establish an isomorphism between the OL and its encoding.
• For syntax:
  – Bijection between OL syntax and ML canonical forms of appropriate type.
  – The bijection should respect substitution (compositionality).
• Not concerned with cosmetic matters.
LF
• Dependently typed lambda calculus.
• User-specified “signature” provides type- and term-level constants.
• Principal virtue is that it provides the right notion of canonical form.
  – No case analysis on user-specified types!
  – The “weakness” of LF is its strength.
Example: adequacy
Define:
  – ⌈{x1, ..., xn}⌉ = x1 : exp, ..., xn : exp
  – ⌈λx.e⌉ = lam (λx. ⌈e⌉)
  – ⌈e1 e2⌉ = app ⌈e1⌉ ⌈e2⌉
Then ⌈·⌉ defines an isomorphism between lambda terms (with free variables contained in X) and LF canonical forms C such that ⌈X⌉ ⊢ C : exp.
Example: adequacy
Define:
  – ⌈x1:τ1, ..., xn:τn⌉ = x1:exp, d1:of x1 ⌈τ1⌉, ..., xn:exp, dn:of xn ⌈τn⌉
Then there exists a bijection between derivations of Γ ⊢ e : τ and LF canonical forms C such that ⌈Γ⌉ ⊢ C : of ⌈e⌉ ⌈τ⌉.
Example: elims are bad
Suppose we have elimination forms. Then consider:
lam (λx. case x of app y z ⇒ y | lam f ⇒ x)
• This does not represent any lambda-calculus expression!
• Parametricity is essential: the body of the lambda must not analyze its argument.
Subordination
• Type family a is subordinate to type family b (written a ≤ b) if a canonical form of a can appear within a canonical form of b.
• Particularly interested in the negation.
• Useful for considering when extensions to the context are irrelevant.
Subordination example
• of ≰ exp
  – terms can appear in typing derivations, but not vice versa
• Adding assumptions of type of is irrelevant to syntactic considerations.
• For example, adequacy for syntax still holds with typing assumptions in play.
Metatheory in LF, a simple case
Theorem (type preservation): if ⊢ e1 : τ and e1 → e2 then ⊢ e2 : τ.
Proof
• Suppose ⊢ e1 : τ and e1 → e2.
• By adequacy, there exists canonical d1 such that ⊢ d1 : of ⌈e1⌉ ⌈τ⌉.
• By adequacy, there exists canonical d2 such that ⊢ d2 : step ⌈e1⌉ ⌈e2⌉.
Simple example, continued
• It follows (the real work happens here) that there exists canonical d3 such that ⊢ d3 : of ⌈e2⌉ ⌈τ⌉.
• By adequacy, we have ⊢ e2 : τ.
Metatheory in LF, with contexts
Theorem (subject reduction): if Γ ⊢ e1 : τ and e1 → e2 then Γ ⊢ e2 : τ.
Proof
• Suppose Γ ⊢ e1 : τ and e1 → e2.
• Let X = FV(e1).
• By adequacy, there exists canonical d1 such that ⌈Γ⌉ ⊢ d1 : of ⌈e1⌉ ⌈τ⌉.
• By adequacy, there exists canonical d2 such that ⌈X⌉ ⊢ d2 : reduce ⌈e1⌉ ⌈e2⌉.
Context example, continued
• By weakening, ⌈Γ⌉ ⊢ d2 : reduce ⌈e1⌉ ⌈e2⌉ (X = FV(e1) ⊆ dom(Γ), so ⌈Γ⌉ only adds assumptions to ⌈X⌉).
• It follows that there exists canonical d3 such that ⌈Γ⌉ ⊢ d3 : of ⌈e2⌉ ⌈τ⌉.
• By adequacy, we have Γ ⊢ e2 : τ.
Metatheory in LF, general case
Theorem (normalization): if Γ ⊢ e1 : τ then e1 normalizes to some e2.
Proof
• Suppose Γ ⊢ e1 : τ.
• By adequacy, there exists canonical d1 such that ⌈Γ⌉ ⊢ d1 : of ⌈e1⌉ ⌈τ⌉.
• It follows that there exist canonical E2, d2 such that ⌈Γ⌉ ⊢ d2 : normalize ⌈e1⌉ E2.
• By adequacy, E2 = ⌈e2⌉ (for some e2).
General example, continued
• Thus, ⌈Γ⌉ ⊢ d2 : normalize ⌈e1⌉ ⌈e2⌉.
• Issue: normalize is untyped, so its adequacy uses X = FV(e1), not Γ.
• Since of ≰ normalize, typing assumptions cannot contribute to normalize derivations.
• Thus, ⌈X⌉ ⊢ d2 : normalize ⌈e1⌉ ⌈e2⌉.
• By adequacy, e1 normalizes to e2.
Meta-proofs in Twelf
• Define a relation between derivations of interest:
sr : reduce E1 E2 -> of E1 T -> of E2 T -> type.
...
• Indicate inputs and outputs:
%mode sr +D1 +D2 -D3.
Meta-proofs in Twelf, continued
• Specify world (set of contexts) by indicating permissible assumption blocks.
%block bind : some {t:tp} block {x:exp} {d:of x t}.
%worlds (bind) (sr _ _ _).
• Indicate an induction strategy.
Meta-proofs in Twelf, continued
Twelf proves that sr is total:
• For all Γ ∈ W,
• for all canonical
  – Γ ⊢ E1, E2 : exp
  – Γ ⊢ T : tp
  – Γ ⊢ D1 : reduce E1 E2
  – Γ ⊢ D2 : of E1 T
• there exists canonical
  – Γ ⊢ D3 : of E2 T
  – Γ ⊢ D : sr D1 D2 D3 (don’t care about this one)
Totality checking
• Type checking
• Mode checking
  – Outputs are ground (well-specified) if inputs are ground.
• World checking
  – Recursive calls preserve the world invariant.
• Termination
• Coverage checking
  – All cases are covered.
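The following is an added worked example, written for this edited page; it is not code from the slides or from the Twelf distribution. It assembles the pieces the deck shows in isolation into one signature that Twelf will load and check end to end: the simply-typed lambda calculus of slides 6 and 7 (with the tp and arrow declarations the slides assume), a reduction relation that also reduces under λ so that the bind world of slide 24 is actually exercised, a %query confirming that the encoding of the slide-6 term is typable, and the subject-reduction relation sr of slides 23 to 26 with its %mode, %block, %worlds and %total declarations. The constant names reduce/beta, reduce/app1, reduce/app2, reduce/lam, sr/beta, sr/app1, sr/app2 and sr/lam are choices made here, not names from the slides. Load the file with loadFile in twelf-server; it is accepted only if every check listed on slide 26 (type, mode, world, termination, coverage) succeeds.

```twelf
% Added example for this page; not from the slides.  Constant names
% below (tp, arrow, reduce/*, sr/*) are assumptions made here.

tp : type.
arrow : tp -> tp -> tp.

exp : type.
lam : (exp -> exp) -> exp.      % binding is an LF abstraction (HOAS)
app : exp -> exp -> exp.

% Typing.  of_lam is parametric in x: the body derivation is an LF
% function, so nothing can case-analyse the bound variable.
of : exp -> tp -> type.
of_lam : of (lam E) (arrow T1 T2)
          <- ({x:exp} of x T1 -> of (E x) T2).
of_app : of (app E1 E2) T2
          <- of E1 (arrow T1 T2)
          <- of E2 T1.

% Full beta reduction, including under lambda, so reduce derivations
% may live in contexts of the form x:exp, d:of x T (the world `bind`).
reduce : exp -> exp -> type.
reduce/beta : reduce (app (lam E) E2) (E E2).   % substitution = application
reduce/app1 : reduce (app E1 E2) (app E1' E2)
               <- reduce E1 E1'.
reduce/app2 : reduce (app E1 E2) (app E1 E2')
               <- reduce E2 E2'.
reduce/lam  : reduce (lam E) (lam E')
               <- ({x:exp} reduce (E x) (E' x)).

% Sanity check of the encoding: the slide-6 term has exactly one
% typing (T = arrow (arrow T3 T4) (arrow T3 T4) up to renaming).
%query 1 * of (lam [x] lam [y] app x y) T.

% Subject reduction as a relation between derivations (slide 23).
sr : reduce E1 E2 -> of E1 T -> of E2 T -> type.
%mode sr +D1 +D2 -D3.

% beta: the parametric body derivation is instantiated with the
% argument's derivation by LF application; no substitution lemma needed.
sr/beta : sr reduce/beta (of_app Darg (of_lam Dbody)) (Dbody _ Darg).

sr/app1 : sr (reduce/app1 Dred) (of_app Darg Dfun) (of_app Darg Dfun')
           <- sr Dred Dfun Dfun'.

sr/app2 : sr (reduce/app2 Dred) (of_app Darg Dfun) (of_app Darg' Dfun)
           <- sr Dred Darg Darg'.

% Under a binder the induction hypothesis is used in an extended
% context; the %block below describes exactly what that context adds.
sr/lam : sr (reduce/lam Dred) (of_lam Dbody) (of_lam Dbody')
          <- ({x:exp} {d:of x T1} sr (Dred x) (Dbody x d) (Dbody' x d)).

%block bind : some {t:tp} block {x:exp} {d:of x t}.
%worlds (bind) (sr _ _ _).
%total D (sr D _ _).           % induction on the reduction derivation
```

Two details worth noticing when reading the cases. First, `<-` is left-associative, so `A <- B <- C` is `C -> B -> A`: the first explicit argument of of_app is the derivation for the argument (of E2 T1), the second the derivation for the function, which is why the patterns read `of_app Darg Dfun`. Second, coverage succeeds in the bind world because an assumption d:of x t from the context can never unify with `of (app E1 E2) T2` or `of (lam E) (arrow T1 T2)`; Twelf discharges those cases itself, which is the practical face of the "of ≰ exp" subordination point from slide 15.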