Mechanizing the Metatheory of LF

LF is a dependent type theory in which many other formal systems can be conveniently embedded. However, correct use of LF relies on nontrivial metatheoretic developments such as proofs of correctness of decision procedures for LF's judgments. Althoug…

Authors: Christian Urban, James Cheney, Stefan Berghofer

Mechanizing the Metatheory of LF

CHRISTIAN URBAN, TU Munich
JAMES CHENEY, University of Edinburgh
STEFAN BERGHOFER, TU Munich

LF is a dependent type theory in which many other formal systems can be conveniently embedded. However, correct use of LF relies on nontrivial metatheoretic developments such as proofs of correctness of decision procedures for LF's judgments. Although detailed informal proofs of these properties have been published, they have not been formally verified in a theorem prover. We have formalized these properties within Isabelle/HOL using the Nominal Datatype Package, closely following a recent article by Harper and Pfenning. In the process, we identified and resolved a gap in one of the proofs and a small number of minor lacunae in others. We also formally derive a version of the type checking algorithm from which Isabelle/HOL can generate executable code. Besides its intrinsic interest, our formalization provides a foundation for studying the adequacy of LF encodings, the correctness of Twelf-style metatheoretic reasoning, and the metatheory of extensions to LF.

Categories and Subject Descriptors: F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic—Lambda calculus and related systems
General Terms: Languages, theorem provers
Additional Key Words and Phrases: Logical frameworks, Nominal Isabelle

This is a revised and expanded version of a conference paper [Urban et al. 2008]. Cheney was supported by a Royal Society University Research Fellowship and by EPSRC grant GR/S63205/01. Urban was supported by an Emmy Noether Grant from the DFG. Corresponding author: J. Cheney, Informatics Forum, 10 Crichton Street, Edinburgh EH8 9AB, Scotland, email: jcheney@inf.ed.ac.uk.

Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. © 20YY ACM 1529-3785/20YY/0700-0001 $5.00
ACM Transactions on Computational Logic, Vol. V, No. N, Month 20YY, Pages 1–40.

1. INTRODUCTION

The (Edinburgh) Logical Framework (LF) is a dependent type theory introduced by Harper, Honsell and Plotkin [1993] as a framework for specifying and reasoning about formal systems. It has found many applications, including proof-carrying code [Necula 1997]. The Twelf system [Pfenning and Schürmann 1999] has been used to mechanize reasoning about LF specifications. The cornerstone of LF is the idea of encoding judgments-as-types and proofs-as-terms, whereby judgments of a specified formal system are represented as LF-types and the LF-terms inhabiting these LF-types correspond to valid deductions for these judgments. Hence, the validity of a deduction in a specified system is equivalent to a type checking problem in LF. Therefore correct use of LF to encode other logics depends on the proofs of correctness of type checking algorithms for LF. Type checking in LF is decidable, but proving decidability is nontrivial because types may contain expressions with computational behavior. This means that type-checking depends on equality-tests for LF-terms and LF-types. Several algorithms for such equality-tests have been proposed in the literature [Coquand 1991; Goguen 2005b; Harper and Pfenning 2005]. Harper and Pfenning [2005] present a type-driven algorithm that is practical and has also been extended to a variety of richer languages.
The correctness of this algorithm is proved by establishing soundness and completeness with respect to the definitional equality rules of LF. These proofs are involved: Harper and Pfenning's detailed pencil-and-paper proof spans more than 30 pages, yet still omits many cases and lemmas. We present a formalization of the main results of Harper and Pfenning's article. To our knowledge this is the first formalization of these or comparable results. While most of the formal proofs go through as described by Harper and Pfenning [2005], we found that a few do not go through as described, and there is a gap in the proof of soundness. Although the problem can be avoided easily by adding to or changing the rules of Harper and Pfenning [2005], we found that it was still possible to prove the original results, though the argument was nontrivial. Our formalization was essential not only to find this gap in Harper and Pfenning's argument, but also to find and validate the possible repairs relatively quickly.

We used Isabelle/HOL [Nipkow et al. 2002] and the Nominal Datatype Package [Urban et al. 2007; Urban and Tasson 2005; Urban 2008] for our formalization. The latter provides an infrastructure for reasoning conveniently about datatypes with a built-in notion of alpha-equivalence: it allows one to specify such datatypes, provides appropriate recursion combinators and derives strong induction principles that have the usual variable convention already built in. The Nominal Datatype Package has already been used to formalize logical relation arguments similar to (but much simpler than) those in Harper and Pfenning's completeness proof [Narboux and Urban 2007]; it is worth noting that logical relations proofs are currently not easy to formalize in Twelf itself, despite the recent breakthrough by Schürmann and Sarnat [2008].
Besides proving the correctness of their equivalence algorithm, Harper and Pfenning also sketched a proof of decidability. Unfortunately, since Isabelle/HOL is based on classical logic, proving decidability results of this kind is not straightforward. We have formalized the essential parts of the decidability proof by providing inductive definitions of the complements of the relations we wish to decide. It is clear by inspection that these relations and their complements are recursively enumerable, which implies decidability, but we have not formalized this part of the proof. A complete proof of decidability would require first developing a substantial amount of computability theory within Isabelle/HOL, a problem of independent interest we leave for future work.

We followed the arguments in Harper and Pfenning's article very closely using the Nominal Datatype Package for our formalization, but the current system does not allow us to generate executable code directly from definitions involving nominal datatypes. We therefore also implemented a type-checking algorithm based on the locally nameless approach for representing binders [McKinna and Pollack 1999; Aydemir et al. 2008]. We proved that the nominal datatype formalization of Harper and Pfenning's algorithm is equivalent to the locally nameless formulation. Moreover, by making the choice of fresh names explicit, we can generate a working ML implementation directly from the verified formalization.

Outline. We first briefly review LF and its representation in the Nominal Datatype Package (Sec. 2). In Sec. 3, we report on our formalization. To ease comparison, Sec. 3 follows the structure of Harper and Pfenning [2005] closely, although this article is self-contained.
Sections 3.1–3.5 summarize our formalization of the basic syntactic properties of LF and soundness and completeness of the equivalence and type checking algorithms. We discuss additional lemmas, proof details, and other complications arising during the formalization, and discuss the gap in the soundness proof and its solutions in detail. The remainder of Sec. 3 reports on formalizations of additional results whose proofs were only sketched by Harper and Pfenning [2005]. These include
(1) the admissibility of strengthening and strong extensionality rules (Sec. 3.6),
(2) a partial formalization of decidability of algorithmic typechecking for LF, and a discussion of the current limitations of Isabelle/HOL in formalizing proofs about decidability (Sec. 3.7),
(3) the existence and uniqueness of quasicanonical forms (Sec. 3.8), and
(4) a partial formalization of an example proof of adequacy (Sec. 3.9), and a discussion of complications in the proof sketched in [Harper and Pfenning 2005].
In Sec. 4 we define and verify the correctness of a type checking algorithm based on the locally nameless representation of binders, from which Isabelle/HOL can generate executable code. This amounts to a verified typechecker for LF, an original contribution of this article. Sec. 5 summarizes the authors' experience with the formalization, Sec. 6 discusses related and future work and Sec. 7 concludes.

Contributions. The metatheory of LF is well-understood: it had been studied for many years before the definitive presentation in Harper and Pfenning [2005]. Their main results were not in serious doubt, and formalizing such work might strike some readers as perverse or pedantic.
Nevertheless, our formalization is an original and significant contribution to the study of logical frameworks and mechanized metatheory, because:
(1) it tests the capabilities of the Nominal Datatype Package for formalizing a large and complex metatheoretical development,
(2) it provides high confidence in algorithms that are widely trusted but have never been mechanically verified,
(3) it elucidates a few subtle issues in the basic metatheory of LF, and
(4) it constitutes a re-usable library of formalized results about LF, providing a foundation for verification of Twelf-style meta-reasoning about LF specifications, extensions to LF, or related type theories that are not as well-understood.

This article is a revised and extended version of a previous conference paper presenting our initial formalization of the metatheory of LF [Urban et al. 2008]. The formal development described by this article can be obtained by request from the authors, and is available at http://isabelle.in.tum.de/nominal/LF/.

2. BACKGROUND

This article assumes some familiarity with formalization in Isabelle/HOL and its ML-like notation for functions and definitions. We used the Nominal Datatype Package in Isabelle/HOL [Urban et al. 2007; Urban and Tasson 2005; Urban 2008] to formalize the syntax and judgments of LF. The key features we rely upon are
(1) support for nominal datatypes with a built-in notion of binding (i.e. α-equivalence classes),
(2) facilities for defining functions over nominal datatypes (such as substitution) by (nominal) primitive recursion, and
(3) strong induction principles for datatypes and inductive definitions that build in Barendregt-style renaming conventions.
Together, these features make it possible to formalize most of the definitions and proofs following their paper versions closely. We will not review the features of this system in this article, but will discuss details of the formalization only when they introduce complications. The interested reader is referred to previous work on nominal techniques and the Nominal Datatype Package for further details [Gabbay and Pitts 2002; Pitts 2006; Urban et al. 2007; Urban and Tasson 2005; Urban 2008].

2.1 Syntax of LF

The logical framework LF [Harper et al. 1993] is a dependently-typed lambda-calculus. We present it here following closely the article by Harper and Pfenning [2005], to which we refer from now on as HP05 for brevity. The syntax of LF includes kinds, type families and objects defined by the grammar:

  Kinds          K, L ::= type | Πx:A. K
  Type families  A, B ::= a | Πx:A1. A2 | A M
  Objects        M, N ::= c | x | λx:A. M | M1 M2

where variables x and constants c and a are drawn from countably infinite, disjoint sets Var and Id of variables and identifiers, respectively. Traditionally, LF has included λ-abstraction at the level of both types and objects. However, Geuvers and Barendsen [1999] established that type-level λ-abstraction is superfluous in LF. Accordingly, HP05 omits type-level λ-abstraction, and so do we.

We formalize the syntax of LF using nominal datatypes since the constructors λ and Π bind variables. Substitutions are represented as lists of variable-term pairs and we define capture-avoiding substitution in the standard way as

  x[σ]           = lookup σ x
  c[σ]           = c
  (M N)[σ]       = M[σ] N[σ]
  (λy:A. M)[σ]   = λy:A[σ]. M[σ]      provided y # σ
  a[σ]           = a
  (A M)[σ]       = A[σ] M[σ]
  (Πy:A. B)[σ]   = Πy:A[σ]. B[σ]      provided y # σ
  type[σ]        = type
  (Πy:A. K)[σ]   = Πy:A[σ]. K[σ]      provided y # σ

where the variable case is defined in terms of the auxiliary function lookup:

  lookup [] x           = x
  lookup ((y, M)::σ) x  = (if x = y then M else lookup σ x)

The side-conditions y # σ in the above definition are freshness constraints provided automatically by the Nominal Datatype Package and stand for y not occurring freely in the substitution σ. Substitution for a single variable is defined as a special case: (−)[x := M] ≝ (−)[(x, M)]. We use ML-like notation [] for the empty list and x::L for list construction.

LF includes signatures Σ and contexts Γ, both of which we represent as lists of pairs. The former consist of pairs of the form (c, A) or (a, K) associating the constant c with type A and the constant a with kind K respectively, and the latter consist of pairs (x, A) associating the variable x with type A. Accordingly, we write (x, A)::Γ for context construction (rather than Γ, x:A), Γ @ Γ′ for context concatenation and (x, A) ∈ Γ for context membership (similarly for Σ). Context inclusion is defined as follows:

  Γ1 ⊆ Γ2  ≝  ∀x A. (x, A) ∈ Γ1 implies (x, A) ∈ Γ2

2.2 Validity and Definitional Equivalence

HP05 defines two judgments for identifying valid signatures and contexts, which we formalize in Fig. 1. In contrast with HP05, we make explicit that the new bindings do not occur previously in Σ or Γ, using freshness constraints such as x # Γ. We also make the dependence of all judgments on Σ explicit.

Central in HP05 are the definitions of the validity and definitional equivalence judgments for LF, and of algorithmic judgments for checking equivalence. The validity and definitional equivalence rules are shown in Fig. 2 and 3.
There are three judgments for validity and three for equivalence corresponding to objects, type families and kinds respectively:

               Objects            Type families      Kinds
  Validity     Γ ⊢Σ M : A         Γ ⊢Σ A : K         Γ ⊢Σ K : kind
  Equivalence  Γ ⊢Σ M = N : A     Γ ⊢Σ A = B : K     Γ ⊢Σ K = L : kind

These six judgments are defined simultaneously with signature validity (⊢ Σ sig) and context validity (⊢Σ Γ ctx) by induction. We added explicit validity hypotheses to some of the rules; these are left implicit in HP05. We also added some (redundant) freshness constraints to some rules in order to be able to use strong induction principles [Urban et al. 2007].

Fig. 1. Validity rules for signatures and contexts

⊢ Σ sig:

  ─────────
  ⊢ [] sig

  ⊢ Σ sig    [] ⊢Σ K : kind    a # Σ
  ──────────────────────────────────
  ⊢ (a, K)::Σ sig

  ⊢ Σ sig    [] ⊢Σ A : type    c # Σ
  ──────────────────────────────────
  ⊢ (c, A)::Σ sig

⊢Σ Γ ctx:

  ⊢ Σ sig
  ──────────
  ⊢Σ [] ctx

  ⊢Σ Γ ctx    Γ ⊢Σ A : type    x # Γ
  ──────────────────────────────────
  ⊢Σ (x, A)::Γ ctx

Fig. 2. Validity rules for kinds, type families and objects.

Γ ⊢Σ M : A:

  ⊢Σ Γ ctx    (x, A) ∈ Γ
  ──────────────────────
  Γ ⊢Σ x : A

  ⊢Σ Γ ctx    (c, A) ∈ Σ
  ──────────────────────
  Γ ⊢Σ c : A

  Γ ⊢Σ M1 : Πx:A2. A1    Γ ⊢Σ M2 : A2    x # Γ
  ────────────────────────────────────────────
  Γ ⊢Σ M1 M2 : A1[x := M2]

  Γ ⊢Σ A1 : type    (x, A1)::Γ ⊢Σ M2 : A2    x # (Γ, A1)
  ──────────────────────────────────────────────────────
  Γ ⊢Σ λx:A1. M2 : Πx:A1. A2

  Γ ⊢Σ M : A    Γ ⊢Σ A = B : type
  ───────────────────────────────
  Γ ⊢Σ M : B

Γ ⊢Σ A : K:

  ⊢Σ Γ ctx    (a, K) ∈ Σ
  ──────────────────────
  Γ ⊢Σ a : K

  Γ ⊢Σ A : Πx:B. K    Γ ⊢Σ M : B    x # Γ
  ───────────────────────────────────────
  Γ ⊢Σ A M : K[x := M]

  Γ ⊢Σ A1 : type    (x, A1)::Γ ⊢Σ A2 : type    x # (Γ, A1)
  ────────────────────────────────────────────────────────
  Γ ⊢Σ Πx:A1. A2 : type

  Γ ⊢Σ A : K    Γ ⊢Σ K = L : kind
  ───────────────────────────────
  Γ ⊢Σ A : L

Γ ⊢Σ K : kind:

  ⊢Σ Γ ctx
  ─────────────────
  Γ ⊢Σ type : kind

  Γ ⊢Σ A : type    (x, A)::Γ ⊢Σ K : kind    x # (Γ, A)
  ────────────────────────────────────────────────────
  Γ ⊢Σ Πx:A. K : kind
Fig. 3. Definitional equivalence rules for kinds, type families and objects.

Γ ⊢Σ M = N : A:

  ⊢Σ Γ ctx    (x, A) ∈ Γ
  ──────────────────────
  Γ ⊢Σ x = x : A

  ⊢Σ Γ ctx    (c, A) ∈ Σ
  ──────────────────────
  Γ ⊢Σ c = c : A

  Γ ⊢Σ M1 = N1 : Πx:A2. A1    Γ ⊢Σ M2 = N2 : A2    x # Γ
  ──────────────────────────────────────────────────────
  Γ ⊢Σ M1 M2 = N1 N2 : A1[x := M2]

  Γ ⊢Σ A1′ = A1 : type    Γ ⊢Σ A1″ = A1 : type    Γ ⊢Σ A1 : type    (x, A1)::Γ ⊢Σ M2 = N2 : A2    x # Γ
  ────────────────────────────────────────────────────────────────────────────────────────────────
  Γ ⊢Σ λx:A1′. M2 = λx:A1″. N2 : Πx:A1. A2

  Γ ⊢Σ M : Πx:A1. A2    Γ ⊢Σ N : Πx:A1. A2    Γ ⊢Σ A1 : type    (x, A1)::Γ ⊢Σ M x = N x : A2    x # Γ
  ────────────────────────────────────────────────────────────────────────────────────────────
  Γ ⊢Σ M = N : Πx:A1. A2

  Γ ⊢Σ A1 : type    (x, A1)::Γ ⊢Σ M2 = N2 : A2    Γ ⊢Σ M1 = N1 : A1    x # Γ
  ──────────────────────────────────────────────────────────────────────────
  Γ ⊢Σ (λx:A1. M2) M1 = N2[x := N1] : A2[x := M1]

  Γ ⊢Σ M = N : A
  ──────────────
  Γ ⊢Σ N = M : A

  Γ ⊢Σ M = N : A    Γ ⊢Σ N = P : A
  ────────────────────────────────
  Γ ⊢Σ M = P : A

  Γ ⊢Σ M = N : A    Γ ⊢Σ A = B : type
  ───────────────────────────────────
  Γ ⊢Σ M = N : B

Γ ⊢Σ A = B : K:

  ⊢Σ Γ ctx    (a, K) ∈ Σ
  ──────────────────────
  Γ ⊢Σ a = a : K

  Γ ⊢Σ A = B : Πx:C. K    Γ ⊢Σ M = N : C    x # Γ
  ───────────────────────────────────────────────
  Γ ⊢Σ A M = B N : K[x := M]

  Γ ⊢Σ A1 = B1 : type    Γ ⊢Σ A1 : type    (x, A1)::Γ ⊢Σ A2 = B2 : type    x # Γ
  ──────────────────────────────────────────────────────────────────────────────
  Γ ⊢Σ Πx:A1. A2 = Πx:B1. B2 : type

  Γ ⊢Σ A = B : K
  ──────────────
  Γ ⊢Σ B = A : K

  Γ ⊢Σ A = B : K    Γ ⊢Σ B = C : K
  ────────────────────────────────
  Γ ⊢Σ A = C : K

  Γ ⊢Σ A = B : K    Γ ⊢Σ K = L : kind
  ───────────────────────────────────
  Γ ⊢Σ A = B : L

Γ ⊢Σ K = L : kind:

  ⊢Σ Γ ctx
  ────────────────────────
  Γ ⊢Σ type = type : kind

  Γ ⊢Σ A = B : type    Γ ⊢Σ A : type    (x, A)::Γ ⊢Σ K = L : kind    x # Γ
  ────────────────────────────────────────────────────────────────────────
  Γ ⊢Σ Πx:A. K = Πx:B. L : kind

  Γ ⊢Σ K = L : kind
  ─────────────────
  Γ ⊢Σ L = K : kind

  Γ ⊢Σ K = L : kind    Γ ⊢Σ L = L′ : kind
  ───────────────────────────────────────
  Γ ⊢Σ K = L′ : kind

2.3 Algorithmic Equivalence

The definitional equivalence judgment captures equivalence between LF terms, types and kinds declaratively, but it is highly nondeterministic due to the symmetry, transitivity and conversion rules.
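Before the rules themselves, an executable rendering of the ingredients this section assembles. It is an example added to this page, not the authors' Isabelle development or the ML code they generate from it, and it runs ahead of the text: it implements the capture-avoiding substitution of Sec. 2.1 with an explicit choice of fresh names, the erasure function and weak head reduction defined below, and the object-level ⇔ and ↔ judgments of Fig. 4 as recursive functions rather than inductive definitions. The tagged-tuple encoding, the names fresh, subst, erase, whr, struct_eq, alg_eq and demo, and the sample signature (nat, z, s) are assumptions of the example. Two things the rules alone do not show: at arrow type the algorithm never compares λ-bodies directly but extends ∆ with a fresh variable and compares M x with N x, and, as Sec. 3.2 points out, weak head reduction diverges on ill-formed input such as (λx:a. x x)(λx:a. x x). The step budget fuel that makes the checker fail closed on such input is our addition and not part of HP05's rules. Type families and kinds are omitted.

```python
import itertools

# Syntax as tagged tuples with explicit bound names (an encoding chosen for
# this example, not the paper's Isabelle datatypes or generated ML):
#   objects  ('x', n) | ('c', n) | ('lam', x, A, M) | ('app', M, N)
#   families ('a', n) | ('pi', x, A, B) | ('tapp', A, M)    kinds ('type',) | ('kpi', x, A, K)
#   simple types/kinds  ('a-', n) | ('type-',) | ('->', t1, t2)
BINDERS = ('lam', 'pi', 'kpi')
_counter = itertools.count()

def fresh(base):                        # explicit choice of a never-used name
    return f"{base}'{next(_counter)}"

def fv(t):                              # free variables of a term, family or kind
    if t[0] == 'x': return {t[1]}
    if t[0] in BINDERS: return fv(t[2]) | (fv(t[3]) - {t[1]})
    return fv(t[1]) | fv(t[2]) if t[0] in ('app', 'tapp') else set()

def subst(t, x, N):
    """Capture-avoiding t[x := N]; renames a binder when y # (x, N) fails."""
    tag = t[0]
    if tag == 'x':
        return N if t[1] == x else t
    if tag in BINDERS:
        _, y, A, body = t
        if y == x:                      # x is shadowed inside body
            return (tag, y, subst(A, x, N), body)
        if y in fv(N):                  # N would be captured: rename y first
            z = fresh(y)
            body, y = subst(body, y, ('x', z)), z
        return (tag, y, subst(A, x, N), subst(body, x, N))
    if tag in ('app', 'tapp'):
        return (tag, subst(t[1], x, N), subst(t[2], x, N))
    return t                            # constants and 'type'

def erase(A):                           # (-)^- : families/kinds -> simple types/kinds
    if A[0] == 'a': return ('a-', A[1])
    if A[0] == 'type': return ('type-',)
    if A[0] == 'tapp': return erase(A[1])                 # (A M)^- = A^-
    return ('->', erase(A[2]), erase(A[3]))               # Pi x:A. B and Pi x:A. K

def whr(M):
    """One weak head reduction step, or None when M has no head redex."""
    if M[0] != 'app':
        return None
    head, arg = M[1], M[2]
    if head[0] == 'lam':
        return subst(head[3], head[1], arg)
    head2 = whr(head)
    return None if head2 is None else ('app', head2, arg)

class FuelExhausted(Exception):
    pass                                # whr diverged on ill-formed input

def struct_eq(sig, delta, M, N, fuel):
    """Delta |- M <-> N : tau (syntax-directed); returns tau, or None if no rule applies."""
    if M[0] == N[0] == 'x' and M[1] == N[1]:
        return next((t for y, t in delta if y == M[1]), None)
    if M[0] == N[0] == 'c' and M[1] == N[1]:
        return sig.get(M[1])
    if M[0] == N[0] == 'app':
        tau = struct_eq(sig, delta, M[1], N[1], fuel)
        if tau and tau[0] == '->' and alg_eq(sig, delta, M[2], N[2], tau[1], fuel):
            return tau[2]
    return None

def alg_eq(sig, delta, M, N, tau, fuel=1000):
    """Delta |- M <=> N : tau (type-directed).  fuel bounds whr steps; it is not
    part of the rules, which are meant to be run on validated input."""
    if fuel <= 0:
        raise FuelExhausted()
    if tau[0] == '->':                  # extensionality: compare M x and N x
        x = fresh('x')                  # x # (Delta, M, N) by construction
        return alg_eq(sig, [(x, tau[1])] + delta,
                      ('app', M, ('x', x)), ('app', N, ('x', x)), tau[2], fuel)
    M2, N2 = whr(M), whr(N)             # base type: weak head normalise both sides
    if M2 is not None:
        return alg_eq(sig, delta, M2, N, tau, fuel - 1)
    if N2 is not None:
        return alg_eq(sig, delta, M, N2, tau, fuel - 1)
    return struct_eq(sig, delta, M, N, fuel) == tau

# Constructed sample signature Sigma: nat : type, z : nat, s : Pi _:nat. nat
NAT = ('a', 'nat')
SIG = {c: erase(A) for c, A in [('nat', ('type',)), ('z', NAT), ('s', ('pi', '_', NAT, NAT))]}
Z, S = ('c', 'z'), ('c', 's')
ETA_S = ('lam', 'x', NAT, ('app', S, ('x', 'x')))        # \x:nat. s x
W = ('lam', 'x', NAT, ('app', ('x', 'x'), ('x', 'x')))    # ill-formed: x x with x : nat
OMEGA = ('app', W, W)                                      # (\x. x x)(\x. x x): whr loops

def demo(fuel=50):
    """Returns (beta-redex equals its reduct, eta-expanded s equals s, Omega hit the budget)."""
    beta = alg_eq(SIG, [], ('app', ETA_S, Z), ('app', S, Z), erase(NAT))
    eta = alg_eq(SIG, [], ETA_S, S, SIG['s'])
    try:
        alg_eq(SIG, [], OMEGA, Z, erase(NAT), fuel)
        return beta, eta, False
    except FuelExhausted:
        return beta, eta, True
```

demo() returns (True, True, True): the β-redex (λx:nat. s x) z is found equal to s z at nat⁻ after one weak head step, the η-expanded λx:nat. s x is found equal to s at nat⁻ → nat⁻ without any η-rule being stated (the arrow case applies both sides to a fresh variable and the redex then reduces away), and Ω against z exhausts the budget instead of looping. The rules are meant to be run on objects that have already passed validity checking; Sec. 3.2 notes that on ill-formed terms proof search need not terminate, so an implementation that receives terms from an untrusted source, as a proof-carrying-code checker does, should validate them first or bound its work as fuel does here.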
Accordingly, HP05 introduces algorithmic equivalence judgments that are type- and syntax-directed, and the main contribution of that article is the proof that the algorithmic and declarative systems coincide. A crucial point of the algorithm in HP05 is that it does not analyze the precise types of objects or kinds of types during equivalence checking; rather it only uses approximate simple types τ and simple kinds κ defined as follows:

  τ ::= a⁻ | τ → τ′
  κ ::= type⁻ | τ → κ

This simplification is sufficient for obtaining a sound and complete equivalence checking algorithm, and also simplifies the proof development in a number of places. Similarly, simple contexts ∆, Θ consist of lists of pairs (x, τ) of variables and simple types. We write ⊢ ∆ sctx to indicate that ∆ is valid, i.e. has no repeated variables, and write ∆ ≥ ∆′ to indicate that ∆ contains all of the bindings of ∆′ and ∆ is a valid simple context. Finally, we also introduce simple signatures, also written Σ, consisting of lists of pairs (c, τ) or (a, κ) of constants and simple types or kinds. We write ⊢ Σ ssig to indicate that Σ is a well-formed simple signature with no repeated type or kind assignments. The erasure function translates families and kinds to simple types and simple kinds:

  (a)⁻          = a⁻
  (A M)⁻        = A⁻
  (Πx:A1. A2)⁻  = A1⁻ → A2⁻
  (type)⁻       = type⁻
  (Πx:A. K)⁻    = A⁻ → K⁻

Similarly, we write Γ⁻ for the simple context resulting from replacing each binding (x, A) in Γ with (x, A⁻). Likewise, we extend the erasure function to map signatures Σ to simple signatures Σ⁻ in the natural way. The rules for the algorithm also employ a weak head reduction relation (−) →whr (−) which performs beta-reductions only at the head of the top-level application of a term. It is defined as

  x # (A1, M1)
  ────────────────────────────────
  (λx:A1. M2) M1 →whr M2[x := M1]

  M1 →whr M1′
  ──────────────────
  M1 M2 →whr M1′ M2

The rules for the equivalence checking algorithm are given in Fig. 4. There are five algorithmic equivalence judgments:

               Objects            Type families      Kinds
  Algorithmic  ∆ ⊢Σ M ⇔ N : τ    ∆ ⊢Σ A ⇔ B : κ    ∆ ⊢Σ K ⇔ L : kind⁻
  Structural   ∆ ⊢Σ M ↔ N : τ    ∆ ⊢Σ A ↔ B : κ

Note that the algorithmic rules are type- (or kind-) directed while the structural rules are syntax-directed. The main results of HP05 are soundness and completeness of the algorithmic judgments relative to the equivalence judgments:

Fig. 4. Algorithmic equivalence rules

∆ ⊢Σ M ⇔ N : τ:

  M →whr M′    ∆ ⊢Σ M′ ⇔ N : a⁻
  ──────────────────────────────
  ∆ ⊢Σ M ⇔ N : a⁻

  N →whr N′    ∆ ⊢Σ M ⇔ N′ : a⁻
  ──────────────────────────────
  ∆ ⊢Σ M ⇔ N : a⁻

  ∆ ⊢Σ M ↔ N : a⁻
  ────────────────
  ∆ ⊢Σ M ⇔ N : a⁻

  (x, τ1)::∆ ⊢Σ M x ⇔ N x : τ2    x # (∆, M, N)
  ─────────────────────────────────────────────
  ∆ ⊢Σ M ⇔ N : τ1 → τ2

∆ ⊢Σ M ↔ N : τ:

  (x, τ) ∈ ∆    ⊢ ∆ sctx    ⊢ Σ ssig
  ──────────────────────────────────
  ∆ ⊢Σ x ↔ x : τ

  (c, τ) ∈ Σ    ⊢ ∆ sctx    ⊢ Σ ssig
  ──────────────────────────────────
  ∆ ⊢Σ c ↔ c : τ

  ∆ ⊢Σ M1 ↔ N1 : τ2 → τ1    ∆ ⊢Σ M2 ⇔ N2 : τ2
  ───────────────────────────────────────────
  ∆ ⊢Σ M1 M2 ↔ N1 N2 : τ1

∆ ⊢Σ A ⇔ B : κ:

  ∆ ⊢Σ A ↔ B : type⁻
  ───────────────────
  ∆ ⊢Σ A ⇔ B : type⁻

  (x, τ)::∆ ⊢Σ A x ⇔ B x : κ    x # (∆, A, B)
  ───────────────────────────────────────────
  ∆ ⊢Σ A ⇔ B : τ → κ

  ∆ ⊢Σ A1 ⇔ B1 : type⁻    (x, A1⁻)::∆ ⊢Σ A2 ⇔ B2 : type⁻    x # (∆, A1, B1)
  ────────────────────────────────────────────────────────────────────────
  ∆ ⊢Σ Πx:A1. A2 ⇔ Πx:B1. B2 : type⁻

∆ ⊢Σ A ↔ B : κ:

  (a, κ) ∈ Σ    ⊢ ∆ sctx    ⊢ Σ ssig
  ──────────────────────────────────
  ∆ ⊢Σ a ↔ a : κ

  ∆ ⊢Σ A ↔ B : τ → κ    ∆ ⊢Σ M ⇔ N : τ
  ─────────────────────────────────────
  ∆ ⊢Σ A M ↔ B N : κ

∆ ⊢Σ K ⇔ L : kind⁻:

  ⊢ ∆ sctx    ⊢ Σ ssig
  ───────────────────────────
  ∆ ⊢Σ type ⇔ type : kind⁻

  ∆ ⊢Σ A ⇔ B : type⁻    (x, A⁻)::∆ ⊢Σ K ⇔ L : kind⁻    x # (∆, A, B)
  ─────────────────────────────────────────────────────────────────
  ∆ ⊢Σ Πx:A. K ⇔ Πx:B. L : kind⁻

Theorem 1 (Completeness).
(1) If Γ ⊢Σ M = N : A then Γ⁻ ⊢Σ⁻ M ⇔ N : A⁻.
(2) If Γ ⊢Σ A = B : K then Γ⁻ ⊢Σ⁻ A ⇔ B : K⁻.
(3) If Γ ⊢Σ K = L : kind then Γ⁻ ⊢Σ⁻ K ⇔ L : kind⁻.

Theorem 2 (Soundness).
(1) If Γ⁻ ⊢Σ⁻ M ⇔ N : A⁻ and Γ ⊢Σ M : A and Γ ⊢Σ N : A then Γ ⊢Σ M = N : A.
(2) If Γ⁻ ⊢Σ⁻ A ⇔ B : K⁻ and Γ ⊢Σ A : K and Γ ⊢Σ B : K then Γ ⊢Σ A = B : K.
(3) If Γ⁻ ⊢Σ⁻ K ⇔ L : kind⁻ and Γ ⊢Σ K : kind and Γ ⊢Σ L : kind then Γ ⊢Σ K = L : kind.

In what follows, we outline the proofs of these results and discuss how we have formalized them, paying particular attention to places where additional lemmas or different proof techniques were needed. We also discuss the gap in the soundness proof of HP05, along with several solutions.

3. THE FORMALIZATION

3.1 Syntactic properties

The proof in HP05 starts by developing a number of useful metatheoretic properties for the validity and equality judgments (shown in Fig. 2 and 3), such as weakening, substitution, generalizations of the conversion rules and inversion principles. Most of these properties have multiple parts corresponding to the eight different judgments in the definitional theory of LF. We will list the main properties; however, to aid readability we will only show the statements of most of these properties for the object-level judgments, and we omit symmetric cases. The full formal statements of the syntactic properties can be found in the electronic appendix.

To prove the main syntactic properties we needed two technical lemmas having to do with the implicit freshness and validity assumptions that must be handled explicitly in our formalization. Both are straightforward by induction, and both are needed frequently.

Lemma 1 (Freshness). If x # Γ and Γ ⊢Σ M : A then x # M and x # A. Similarly, if x # Γ and Γ ⊢Σ M = N : A then x # M and x # N and x # A.

Lemma 2 (Implicit Validity). If Γ ⊢Σ M : A or Γ ⊢Σ M = N : A then ⊢ Σ sig and ⊢Σ Γ ctx.

Lemma 3 (Weakening). Suppose ⊢Σ Γ2 ctx and Γ1 ⊆ Γ2.
(1) If Γ1 ⊢Σ M : A then Γ2 ⊢Σ M : A.
(2) If Γ1 ⊢Σ M = N : A then Γ2 ⊢Σ M = N : A.

Lemma 4 (Substitution). Suppose Γ2 ⊢Σ P : C and let Γ = Γ1 @ [(y, C)] @ Γ2.
(1) If ⊢Σ Γ ctx then ⊢Σ Γ1[y := P] @ Γ2 ctx.
(2) If Γ ⊢Σ M : B then Γ1[y := P] @ Γ2 ⊢Σ M[y := P] : B[y := P].
(3) If Γ ⊢Σ M = N : A then Γ1[y := P] @ Γ2 ⊢Σ M[y := P] = N[y := P] : A[y := P].

Lemma 5 (Context Conversion). Assume that Γ ⊢Σ B : type and Γ ⊢Σ A = B : type. Then:
(1) If (x, A)::Γ ⊢Σ M : C then (x, B)::Γ ⊢Σ M : C.
(2) If (x, A)::Γ ⊢Σ C : K then (x, B)::Γ ⊢Σ C : K.

Lemma 6 (Functionality for Typing). Assume that Γ ⊢Σ M : C and Γ ⊢Σ N : C and Γ ⊢Σ M = N : C. Then if Γ′ @ [(y, C)] @ Γ ⊢Σ P : B then Γ′[y := M] @ Γ ⊢Σ P[y := M] = P[y := N] : B[y := M].

Since our judgments contain explicit validity hypotheses for contexts, the proof of Lem. 6 relies on the fact that functionality holds also for contexts, namely

Lemma 7 (Functionality for Contexts). If ⊢Σ Γ′ @ [(x, C)] @ Γ ctx and Γ ⊢Σ M : C then ⊢Σ Γ′[x := M] @ Γ ctx.

This fact can be established by induction on Γ′.

Lemma 8 (Validity). Objects, types and kinds appearing in derivable judgments are valid, that is
(1) If Γ ⊢Σ M : A then Γ ⊢Σ A : type.
(2) If Γ ⊢Σ M = N : B then Γ ⊢Σ M : B and Γ ⊢Σ N : B and Γ ⊢Σ B : type.

Lemma 9 (Typing inversion). The validity rules are invertible, up to conversion of types and kinds.
(1) If Γ ⊢Σ x : A then ∃B. (x, B) ∈ Γ and Γ ⊢Σ A = B : type.
(2) If Γ ⊢Σ c : A then ∃B. (c, B) ∈ Σ and Γ ⊢Σ A = B : type.
(3) If Γ ⊢Σ M1 M2 : A then ∃x A1 A2. Γ ⊢Σ M1 : Πx:A2. A1 and Γ ⊢Σ M2 : A2 and Γ ⊢Σ A = A1[x := M2] : type.
(4) If Γ ⊢Σ λx:A. M : B and x # Γ then ∃A′. Γ ⊢Σ B = Πx:A. A′ : type and Γ ⊢Σ A : type and (x, A)::Γ ⊢Σ M : A′.

Next HP05 established some inversion and invertibility properties for definitional equality:

Lemma 10 (Equality inversion).
(1) If Γ ⊢Σ type = L : kind then L = type.
(2) If Γ ⊢Σ A = Πx:B1. B2 : type and x # Γ then ∃A1 A2. A = Πx:A1. A2 and Γ ⊢Σ A1 = B1 : type and (x, A1)::Γ ⊢Σ A2 = B2 : type.
(3) If Γ ⊢Σ K = Πx:B1. L2 : kind and x # Γ then ∃A1 K2. K = Πx:A1. K2 and Γ ⊢Σ A1 = B1 : type and (x, A1)::Γ ⊢Σ K2 = L2 : kind.

Finally, we can prove that the product type constructor is injective up to definitional equality, which is needed for soundness:

Lemma 11 (Product injectivity). Suppose x # Γ.
(1) If Γ ⊢Σ Πx:A1. A2 = Πx:B1. B2 : type then Γ ⊢Σ A1 = B1 : type and (x, A1)::Γ ⊢Σ A2 = B2 : type.
(2) If Γ ⊢Σ Πx:A. K = Πx:B. L : kind then Γ ⊢Σ A = B : type and (x, A)::Γ ⊢Σ K = L : kind.

All the metatheoretic properties given above can be proved as stated in HP05 (appealing to Lem. 1 and 2 as necessary); however, since all of the definitional judgments of LF are interdependent, each inductive proof must consider all 35 cases, making each proof nontrivial as a practical matter (it is one of the biggest parts of our formalization).

HP05 organize the proofs of these metatheoretic properties very neatly. For example, as shown in Lem. 8, the validity judgment for terms implies the validity of the type. However, in order to establish this, a number of auxiliary facts have to be proved first, and these in turn depend on this property. In order to get the proof through, some of HP05's rules given in Fig. 2 are formulated to explicitly include validity constraints such as Γ ⊢Σ A : type and Γ ⊢Σ K : kind.
After proving the above properties, however, we can show that these extra hypotheses are not needed, by establishing stronger forms of the rules:

Lemma 12 (Strong versions of rules). The following rules are admissible:

$$(1)\quad \dfrac{\Gamma \vdash_\Sigma M_1 : \Pi x{:}A_2.\,A_1 \qquad \Gamma \vdash_\Sigma M_2 : A_2}{\Gamma \vdash_\Sigma M_1\,M_2 : A_1[x := M_2]}$$

$$(2)\quad \dfrac{\Gamma \vdash_\Sigma A : \Pi x{:}B.\,K \qquad \Gamma \vdash_\Sigma M : B}{\Gamma \vdash_\Sigma A\,M : K[x := M]}$$

$$(3)\quad \dfrac{(x, A_1)::\Gamma \vdash_\Sigma M_2 = N_2 : A_2 \qquad \Gamma \vdash_\Sigma M_1 = N_1 : A_1 \qquad x \mathrel{\#} \Gamma}{\Gamma \vdash_\Sigma (\lambda x{:}A_1.\,M_2)\,M_1 = N_2[x := N_1] : A_2[x := M_1]}$$

3.2 Algorithmic equivalence

The main metatheoretic properties of algorithmic equivalence proved in Sec. 3 of HP05 are symmetry and transitivity. Several properties of weak head reduction and erasure needed later in HP05 are also proved. Most of the proofs were straightforward to formalize, given the details in HP05 (where provided). However, there were a few missing lemmas and other complications.

The algorithmic system is less well-behaved than the definitional system because derivable judgments may have ill-formed arguments; for example, the judgment $[] \vdash_\Sigma (\lambda x{:}a.\,c)\,y \Leftrightarrow c : b^-$ is derivable for any object term $y$, provided that $(c, b) \in \Sigma$, since $(\lambda x{:}a.\,c)\,y \xrightarrow{\mathrm{whr}} c$. Thus, analogues of Lem. 1 and 2 do not hold for the algorithmic system, and in rules involving binding we need to impose additional freshness constraints. Moreover, proof search in the algorithmic system is not necessarily terminating because $(-) \xrightarrow{\mathrm{whr}} (-)$ may diverge if called on ill-formed terms such as $(\lambda x{:}a.\,x\,x)\,(\lambda x{:}a.\,x\,x)$.

The erasure preservation lemma establishes basic properties of erasure which are frequently needed in HP05:

Lemma 13 (Erasure preservation).
(1) If $\Gamma \vdash_\Sigma A = B : K$ then $A^- = B^-$.
(2) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ then $K^- = L^-$.
(3) If $(x, A)::\Gamma \vdash_\Sigma B : \mathrm{type}$ then $B^- = B[x := M]^-$.
(4) If $(x, A)::\Gamma \vdash_\Sigma K : \mathrm{kind}$ then $K^- = K[x := M]^-$.

However, we found that the hypotheses of parts 3 and 4 are unnecessary. Indeed, we can easily prove:

Lemma 14 (Erasure cancels substitution). For any type family $A$, kind $K$, and substitution $\sigma$, we have
(1) $A[\sigma]^- = A^-$
(2) $K[\sigma]^- = K^-$

In the proofs of symmetry and transitivity of the algorithmic judgments (Thm. 3 and Thm. 4), we also needed the following algorithmic erasure preservation lemma (it is omitted from HP05, but straightforward by induction):

Lemma 15 (Algorithmic erasure preservation).
(1) If $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$ then $A^- = B^-$.
(2) If $\Delta \vdash_\Sigma A \leftrightarrow B : \kappa$ then $A^- = B^-$.
(3) If $\Delta \vdash_\Sigma K \Leftrightarrow L : \mathrm{kind}^-$ then $K^- = L^-$.

The determinacy lemma establishes several important properties of weak head reduction and algorithmic equivalence.

Lemma 16 (Determinacy). Suppose that $\vdash \Sigma\ \mathrm{ssig}$ and $\vdash \Delta\ \mathrm{sctx}$.
(1) If $M \xrightarrow{\mathrm{whr}} M'$ and $M \xrightarrow{\mathrm{whr}} M''$ then $M' = M''$.
(2) If $\Delta \vdash_\Sigma M \leftrightarrow N : \tau$ then $\nexists M'.\ M \xrightarrow{\mathrm{whr}} M'$.
(3) If $\Delta \vdash_\Sigma M \leftrightarrow N : \tau$ then $\nexists N'.\ N \xrightarrow{\mathrm{whr}} N'$.
(4) If $\Delta \vdash_\Sigma M \Leftrightarrow N : \tau$ and $\Delta \vdash_\Sigma M \Leftrightarrow N : \tau'$ then $\tau = \tau'$.
(5) If $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$ and $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa'$ then $\kappa = \kappa'$.

However, we needed generalized forms of parts 4 and 5 in the proof of transitivity (Thm. 4). These properties are also later used in Thm. 13 in proving decidability of the algorithmic rules.

Lemma 17 (Generalized determinacy). Suppose that $\vdash \Sigma\ \mathrm{sig}$ and $\vdash \Delta\ \mathrm{sctx}$.
(1) If $\Delta \vdash_\Sigma M \Leftrightarrow N : \tau$ and $\Delta \vdash_\Sigma N \Leftrightarrow P : \tau'$ then $\tau = \tau'$.
(2) If $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$ and $\Delta \vdash_\Sigma B \Leftrightarrow C : \kappa'$ then $\kappa = \kappa'$.

Verifying symmetry of the algorithmic judgments is then straightforward, using properties established so far.

Theorem 3 (Symmetry of algorithmic equivalence).
(1) If $\Delta \vdash_\Sigma M \Leftrightarrow N : \tau$ then $\Delta \vdash_\Sigma N \Leftrightarrow M : \tau$.
(2) If $\Delta \vdash_\Sigma M \leftrightarrow N : \tau$ then $\Delta \vdash_\Sigma N \leftrightarrow M : \tau$.
(3) If $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$ then $\Delta \vdash_\Sigma B \Leftrightarrow A : \kappa$.
(4) If $\Delta \vdash_\Sigma A \leftrightarrow B : \kappa$ then $\Delta \vdash_\Sigma B \leftrightarrow A : \kappa$.
(5) If $\Delta \vdash_\Sigma K \Leftrightarrow L : \mathrm{kind}^-$ then $\Delta \vdash_\Sigma L \Leftrightarrow K : \mathrm{kind}^-$.

However, verifying transitivity required more work.

Theorem 4 (Transitivity of algorithmic equivalence). Suppose that $\vdash \Sigma\ \mathrm{ssig}$ and $\vdash \Delta\ \mathrm{sctx}$.
(1) If $\Delta \vdash_\Sigma M \Leftrightarrow N : \tau$ and $\Delta \vdash_\Sigma N \Leftrightarrow P : \tau$ then $\Delta \vdash_\Sigma M \Leftrightarrow P : \tau$.
(2) If $\Delta \vdash_\Sigma M \leftrightarrow N : \tau$ and $\Delta \vdash_\Sigma N \leftrightarrow P : \tau$ then $\Delta \vdash_\Sigma M \leftrightarrow P : \tau$.
(3) If $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$ and $\Delta \vdash_\Sigma B \Leftrightarrow C : \kappa$ then $\Delta \vdash_\Sigma A \Leftrightarrow C : \kappa$.
(4) If $\Delta \vdash_\Sigma A \leftrightarrow B : \kappa$ and $\Delta \vdash_\Sigma B \leftrightarrow C : \kappa$ then $\Delta \vdash_\Sigma A \leftrightarrow C : \kappa$.
(5) If $\Delta \vdash_\Sigma K \Leftrightarrow L : \mathrm{kind}^-$ and $\Delta \vdash_\Sigma L \Leftrightarrow L' : \mathrm{kind}^-$ then $\Delta \vdash_\Sigma K \Leftrightarrow L' : \mathrm{kind}^-$.

Proof. As described in HP05, the proof is by simultaneous induction on the two derivations. For types and kinds, this simultaneous induction can be avoided by performing induction over one derivation and using inversion principles. For the object-level judgments (cases 1 and 2), we formalize this argument in Isabelle by defining object-level algorithmic judgments instrumented with a height argument, and prove parts 1 and 2 by well-founded induction on the sum of the heights of the derivations.

$$\begin{array}{rcl}
\Delta \vdash_\Sigma M = N \in [\![a^-]\!] &=& \Delta \vdash_\Sigma M \Leftrightarrow N : a^- \\
\Delta \vdash_\Sigma M = N \in [\![\tau \to \tau']\!] &=& \forall \Delta' \ge \Delta,\ M', N'.\ \Delta' \vdash_\Sigma M' = N' \in [\![\tau]\!] \text{ implies } \Delta' \vdash_\Sigma M\,M' = N\,N' \in [\![\tau']\!] \\
\Delta \vdash_\Sigma A = B \in [\![\mathrm{type}^-]\!] &=& \Delta \vdash_\Sigma A \Leftrightarrow B : \mathrm{type}^- \\
\Delta \vdash_\Sigma A = B \in [\![\tau \to \kappa]\!] &=& \forall \Delta' \ge \Delta,\ M', N'.\ \Delta' \vdash_\Sigma M' = N' \in [\![\tau]\!] \text{ implies } \Delta' \vdash_\Sigma A\,M' = B\,N' \in [\![\kappa]\!] \\
\Delta \vdash_\Sigma K = L \in [\![\mathrm{kind}^-]\!] &=& \Delta \vdash_\Sigma K \Leftrightarrow L : \mathrm{kind}^- \\
\Delta \vdash_\Sigma [] = [] \in [\![\,[]\,]\!] &=& \mathrm{True} \\
\Delta \vdash_\Sigma (x, M)::\sigma = (x, N)::\theta \in [\![(x, \tau)::\Theta]\!] &=& \Delta \vdash_\Sigma \sigma = \theta \in [\![\Theta]\!] \text{ and } x \mathrel{\#} \Theta \text{ and } \Delta \vdash_\Sigma M = N \in [\![\tau]\!]
\end{array}$$

Fig. 5. Logical relation definition
Because we use induction over the height of the instrumented derivation, we cannot take advantage of the "strong" induction principles for algorithmic derivations [Urban et al. 2007]. As a result, there are several cases where we need to perform some explicit $\alpha$-conversion and renaming steps; these are places in an informal proof where one usually appeals to renaming principles "without loss of generality". The current version of the nominal datatype package offers strong inversion principles that ameliorate this difficulty [Berghofer and Urban 2008]. The generalized determinacy property (Lem. 17) is needed here in the case of structural equivalence of applications.

Strengthening. At this point in the development, we can also prove that the algorithmic judgments satisfy strengthening; that is, unused variables can be removed from the context without harming derivability of a conclusion. Strengthening is not discussed in HP05 until later in the article, but we found it helpful in the proof of soundness. We first need an (easily established) freshness-preservation property of weak head reduction.

Lemma 18 (Weak head reduction preserves freshness). If $M \xrightarrow{\mathrm{whr}} N$ and $x \mathrel{\#} M$ then $x \mathrel{\#} N$.

With this property in hand, strengthening for algorithmic and structural equivalence can be established by induction on the structure of judgments, making use of basic properties of freshness, valid contexts, and the previous lemma as necessary.

Lemma 19 (Strengthening of algorithmic equivalence). Suppose that $x \mathrel{\#} (\Delta', M, N)$. Then:
(1) If $\Delta' @ [(x, \tau')] @ \Delta \vdash_\Sigma M \Leftrightarrow N : \tau$ then $\Delta' @ \Delta \vdash_\Sigma M \Leftrightarrow N : \tau$.
(2) If $\Delta' @ [(x, \tau')] @ \Delta \vdash_\Sigma M \leftrightarrow N : \tau$ then $\Delta' @ \Delta \vdash_\Sigma M \leftrightarrow N : \tau$.

Proof. Straightforward induction on derivations, using properties of freshness. Lem. 18 is needed in the cases involving weak head reduction to maintain the freshness constraints needed for the induction hypothesis.

3.3 Completeness

The proof of completeness involves a Kripke-style logical relations argument. We can define the logical relation for objects, types, and substitutions by induction on the structure of simple types $\tau$, kinds $\kappa$ and simple contexts $\Theta$, respectively, as shown in Fig. 5. This kind of logical relation is called Kripke-style because the case for function types is modeled on Kripke's possible-worlds semantics for intuitionistic logic: it is indexed by a variable context $\Delta$ and, in the case for function types and kinds, we quantify over all valid extensions of $\Delta$ when considering the argument terms $M', N'$.

The key steps in proving completeness are showing that logically related terms are algorithmically equivalent (Thm. 5) and that definitionally equivalent terms are logically related (Thm. 6). Many properties can be established by an induction on the structure of types, appealing to the properties of the algorithmic judgments established in section 3 of HP05 and the definition of the logical relation.

Lemma 20 (Logical relation weakening). Suppose $\Delta' \ge \Delta$.
(1) If $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$ then $\Delta' \vdash_\Sigma M = N \in [\![\tau]\!]$.
(2) If $\Delta \vdash_\Sigma A = B \in [\![\kappa]\!]$ then $\Delta' \vdash_\Sigma A = B \in [\![\kappa]\!]$.
(3) If $\Delta \vdash_\Sigma \sigma = \theta \in [\![\Theta]\!]$ then $\Delta' \vdash_\Sigma \sigma = \theta \in [\![\Theta]\!]$.

Theorem 5 (Logically related terms are algorithmically equivalent). Suppose $\vdash \Delta\ \mathrm{sctx}$.
(1) If $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$ then $\Delta \vdash_\Sigma M \Leftrightarrow N : \tau$.
(2) If $\Delta \vdash_\Sigma M \leftrightarrow N : \tau$ then $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$.
(3) If $\Delta \vdash_\Sigma A = B \in [\![\kappa]\!]$ then $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$.
(4) If $\Delta \vdash_\Sigma A \leftrightarrow B : \kappa$ then $\Delta \vdash_\Sigma A = B \in [\![\kappa]\!]$.

Lemma 21 (Closure under head expansion).
(1) If $M \xrightarrow{\mathrm{whr}} M'$ and $\Delta \vdash_\Sigma M' = N \in [\![\tau]\!]$ then $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$.
(2) If $N \xrightarrow{\mathrm{whr}} N'$ and $\Delta \vdash_\Sigma M = N' \in [\![\tau]\!]$ then $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$.

Lemma 22 (Logical relation symmetry).
(1) If $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$ then $\Delta \vdash_\Sigma N = M \in [\![\tau]\!]$.
(2) If $\Delta \vdash_\Sigma A = B \in [\![\kappa]\!]$ then $\Delta \vdash_\Sigma B = A \in [\![\kappa]\!]$.
(3) If $\Delta \vdash_\Sigma \sigma = \theta \in [\![\Theta]\!]$ then $\Delta \vdash_\Sigma \theta = \sigma \in [\![\Theta]\!]$.

Lemma 23 (Logical relation transitivity). Suppose that $\vdash \Sigma\ \mathrm{sig}$ and $\vdash \Delta\ \mathrm{sctx}$.
(1) If $\Delta \vdash_\Sigma M = N \in [\![\tau]\!]$ and $\Delta \vdash_\Sigma N = P \in [\![\tau]\!]$ then $\Delta \vdash_\Sigma M = P \in [\![\tau]\!]$.
(2) If $\Delta \vdash_\Sigma A = B \in [\![\kappa]\!]$ and $\Delta \vdash_\Sigma B = C \in [\![\kappa]\!]$ then $\Delta \vdash_\Sigma A = C \in [\![\kappa]\!]$.
(3) If $\Delta \vdash_\Sigma \sigma = \theta \in [\![\Theta]\!]$ and $\Delta \vdash_\Sigma \theta = \delta \in [\![\Theta]\!]$ then $\Delta \vdash_\Sigma \sigma = \delta \in [\![\Theta]\!]$.

The proof that definitionally equal terms are logically related required some care to formalize. The key step is showing that applying logically related substitutions to definitionally equal terms yields logically related terms. Establishing this (via the following lemma) required identifying and proving a number of standard properties of simultaneous substitutions. In contrast, reasoning about single substitutions sufficed almost everywhere else in the formalization.

Lemma 24. Suppose $\vdash \Delta\ \mathrm{sctx}$ and $\Delta \vdash_\Sigma \sigma = \theta \in [\![\Gamma^-]\!]$.
(1) If $\Gamma \vdash_\Sigma M = N : A$ then $\Delta \vdash_{\Sigma^-} M[\sigma] = N[\theta] \in [\![A^-]\!]$.
(2) If $\Gamma \vdash_\Sigma A = B : K$ then $\Delta \vdash_{\Sigma^-} A[\sigma] = B[\theta] \in [\![K^-]\!]$.

The last step needed to establish completeness is to show that the identity substitution over a given context (written $\mathrm{id}_\Gamma$) is related to itself:

Lemma 25. If $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ then $\Gamma^- \vdash_{\Sigma^-} \mathrm{id}_\Gamma = \mathrm{id}_\Gamma \in [\![\Gamma^-]\!]$.

Theorem 6 (Definitionally equal terms are logically related).
(1) If $\Gamma \vdash_\Sigma M = N : A$ then $\Gamma^- \vdash_{\Sigma^-} M = N \in [\![A^-]\!]$.
(2) If $\Gamma \vdash_\Sigma A = B : K$ then $\Gamma^- \vdash_{\Sigma^-} A = B \in [\![K^-]\!]$.

Corollary 1 (Completeness).
(1) If $\Gamma \vdash_\Sigma M = N : A$ then $\Gamma^- \vdash_{\Sigma^-} M \Leftrightarrow N : A^-$.
(2) If $\Gamma \vdash_\Sigma A = B : K$ then $\Gamma^- \vdash_{\Sigma^-} A \Leftrightarrow B : K^-$.
(3) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ then $\Gamma^- \vdash_{\Sigma^-} K \Leftrightarrow L : \mathrm{kind}^-$.

Note that part 3 of Cor. 1 was omitted from HP05, but it is straightforward to prove by induction given parts 1 and 2, and algorithmic transitivity and symmetry.

3.4 Soundness

Soundness of algorithmic object (or type, or kind) equivalence means that if two well-formed objects (or type families, or kinds, respectively) are algorithmically equivalent then they are also definitionally equivalent. For example, for objects, Thm. 2(1) states:

If $\Gamma^- \vdash_{\Sigma^-} M \Leftrightarrow N : A^-$ and $\Gamma \vdash_\Sigma M : A$ and $\Gamma \vdash_\Sigma N : A$ then $\Gamma \vdash_\Sigma M = N : A$.

First, though, since the algorithmic judgments perform weak head reduction, we must show that weak head reduction preserves well-formedness:

Lemma 26 (Subject reduction). Suppose $M \xrightarrow{\mathrm{whr}} M'$ and $\Gamma \vdash_\Sigma M : A$. Then $\Gamma \vdash_\Sigma M' : A$ and $\Gamma \vdash_\Sigma M = M' : A$.

Naturally, since algorithmic and structural equivalences for objects and types are defined by simultaneous induction, we must also prove a simultaneous soundness property for the structural equivalence judgments. For example, to prove Thm. 2(1), we also need to show by simultaneous induction that:

If $\Gamma^- \vdash_{\Sigma^-} M \leftrightarrow N : \tau$ and $\Gamma \vdash_\Sigma M : A$ and $\Gamma \vdash_\Sigma N : B$ then $\Gamma \vdash_\Sigma M = N : A$ and $\Gamma \vdash_\Sigma A = B : \mathrm{type}$ and $A^- = \tau$ and $B^- = \tau$.

In contrast to completeness, the proof of soundness in HP05 proceeds by entirely syntactic techniques, by induction over the structure of algorithmic and structural derivations, using standard syntactic properties and subject reduction. Our initial formalization attempt followed the proofs given by HP05. However, we encountered two difficulties which were not addressed in the article. Both difficulties have to do with algorithmic rules for checking equivalence at function types (or function kinds) using extensionality.
In the rest of this section, we first discuss and address a minor difficulty involving extensionality in the proof of Thm. 2(1). We then discuss a more serious complication in proving soundness at the level of types, and show how to fix the problem. We conclude by summarizing the soundness results.

Soundness for algorithmic object equivalence. In proving the soundness of algorithmic extensionality for objects arising in part 1 of Thm. 2, recall that we have a derivation of the form:

$$\dfrac{(x, \tau_1)::\Gamma^- \vdash_\Sigma M\,x \Leftrightarrow N\,x : \tau_2 \qquad x \mathrel{\#} (\Gamma^-, M, N)}{\Gamma^- \vdash_\Sigma M \Leftrightarrow N : \tau_1 \to \tau_2}$$

and we also know that $\Gamma \vdash_\Sigma M : A$ and $\Gamma \vdash_\Sigma N : A$ for some $A$ with $A^- = \tau_1 \to \tau_2$. In order to apply the induction hypothesis, we need to know that $M\,x$ and $N\,x$ are well-formed in an extended context $(x, A_1)::\Gamma$. HP05's proof begins by assuming that $\Gamma \vdash_\Sigma M : \Pi x{:}A_1.\,A_2$ and $\Gamma \vdash_\Sigma N : \Pi x{:}A_1.\,A_2$, and proceeding using inversion properties. However, it is not immediately clear that $A^- = \tau_1 \to \tau_2$ implies that $A = \Pi x{:}A_1.\,A_2$ for some $A_1$ and $A_2$; indeed, this can fail to be the case if $A$ is not well-formed. Instead, we first need the following inversion principles for erasure:

Lemma 27 (Erasure inversion).
(1) If $\Gamma \vdash_\Sigma A : \Pi x{:}B.\,K$ then $\exists c.\ A^- = c^-$.
(2) If $\tau_1 \to \tau_2 = A^-$ and $\Gamma \vdash_\Sigma A : \mathrm{type}$ and $x \mathrel{\#} A$ then $\exists A_1\,A_2.\ A = \Pi x{:}A_1.\,A_2$.
(3) If $\tau \to \kappa = K^-$ and $x \mathrel{\#} K$ then $\exists A\,L.\ K = \Pi x{:}A.\,L$.

Proof. Part 1 follows by induction on the derivation. Parts 2 and 3 follow by induction on the structure of $A$ and $K$ respectively. In the case for type applications $A\,M$, clearly $A$ has a $\Pi$-kind, but by part 1, $A$ erases to a constant, contradicting the assumption that $A^- = \tau_1 \to \tau_2$. So the case is vacuous. The remaining cases of part 2 are straightforward, as are the cases for part 3.

Using Lem. 27, we can complete the proof of the first part of Thm. 2 as described in HP05:

Lemma 28 (Soundness of algorithmic object equivalence).
(1) If $\Gamma^- \vdash_{\Sigma^-} M \Leftrightarrow N : A^-$ and $\Gamma \vdash_\Sigma M : A$ and $\Gamma \vdash_\Sigma N : A$ then $\Gamma \vdash_\Sigma M = N : A$.
(2) If $\Gamma^- \vdash_{\Sigma^-} M \leftrightarrow N : \tau$ and $\Gamma \vdash_\Sigma M : A$ and $\Gamma \vdash_\Sigma N : B$ then $\Gamma \vdash_\Sigma M = N : A$ and $\Gamma \vdash_\Sigma A = B : \mathrm{type}$ and $A^- = \tau$ and $B^- = \tau$.

$$\dfrac{(a, \kappa) \in \Sigma \qquad \vdash \Sigma\ \mathrm{ssig} \qquad \vdash \Delta\ \mathrm{sctx}}{\Delta \vdash_\Sigma a \leftrightharpoons a : \kappa}
\qquad
\dfrac{\Delta \vdash_\Sigma A \leftrightharpoons B : \tau \to \kappa \qquad \Delta \vdash_\Sigma M \Leftrightarrow N : \tau}{\Delta \vdash_\Sigma A\,M \leftrightharpoons B\,N : \kappa}$$

$$\dfrac{\Delta \vdash_\Sigma A_1 \leftrightharpoons B_1 : \mathrm{type}^- \qquad (x, A_1^-)::\Delta \vdash_\Sigma A_2 \leftrightharpoons B_2 : \mathrm{type}^- \qquad x \mathrel{\#} (\Delta, A_1, B_1)}{\Delta \vdash_\Sigma \Pi x{:}A_1.\,A_2 \leftrightharpoons \Pi x{:}B_1.\,B_2 : \mathrm{type}^-}$$

Fig. 6. Weak algorithmic type equivalence judgment $\Delta \vdash_\Sigma A \leftrightharpoons B : \kappa$

Soundness for algorithmic type equivalence. The second problem we encountered arises in the proof of soundness for the extensionality rule in the algorithmic type equivalence judgment (part 3 of Thm. 2). In this case, we have a derivation of the form:

$$\dfrac{(x, \tau)::\Gamma^- \vdash_\Sigma A\,x \Leftrightarrow B\,x : \kappa \qquad x \mathrel{\#} (\Gamma^-, A, B)}{\Gamma^- \vdash_\Sigma A \Leftrightarrow B : \tau \to \kappa}$$

We can easily show that the induction hypothesis applies, using the same technique as above, ultimately deriving $(x, A')::\Gamma \vdash_\Sigma A\,x = B\,x : K$ for some $A'$ and $K$. However, we cannot complete the proof of this case in the same way as for object extensionality, because HP05's variant of LF does not include a type-level extensionality rule

$$\dfrac{\Gamma \vdash_\Sigma A : \Pi x{:}C.\,K \qquad \Gamma \vdash_\Sigma B : \Pi x{:}C.\,K \qquad \Gamma \vdash_\Sigma C : \mathrm{type} \qquad (x, C)::\Gamma \vdash_\Sigma A\,x = B\,x : K \qquad x \mathrel{\#} \Gamma}{\Gamma \vdash_\Sigma A = B : \Pi x{:}C.\,K}$$

that would permit us to conclude that $\Gamma \vdash_\Sigma A = B : \Pi x{:}A'.\,K$. It was not immediately clear to us whether the original proof could be repaired. There appear to be several ways to fix this problem by changing the definitional or algorithmic rules. One way is simply to add the above extensionality rule for types to the definitional system.
Using our formalization, we were easily able to verify that this solves the problem and does not introduce any new complications. For this we had to make sure that every proof done earlier is either not affected by this additional rule or can be extended to include it.

A second solution, suggested by Harper¹, is to observe that the original algorithmic rules were unnecessarily general. In the absence of type-level $\lambda$-abstraction, the weaker, syntax-directed type equivalence rules shown in Fig. 6 suffice. We can easily prove that these rules are sound with respect to definitional type equivalence:

Lemma 29 (Soundness of weak type equivalence). If $\Gamma^- \vdash_{\Sigma^-} A \leftrightharpoons B : \kappa$ and $\Gamma \vdash_\Sigma A : K$ and $\Gamma \vdash_\Sigma B : L$ then $\Gamma \vdash_\Sigma A = B : K$, $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$, $K^- = \kappa$ and $L^- = \kappa$.

Proof. Similar to the proof of soundness of algorithmic and structural type equivalence from HP05. Requires soundness of object equivalence (Lem. 28).

With this change, we can prove completeness using a slightly modified logical relation: the type-level logical relation needs to be redefined as $\Delta \vdash_\Sigma A = B \in [\![\kappa]\!] = \Delta \vdash_\Sigma A \leftrightharpoons B : \kappa$.

The first two solutions, however, establish soundness only for variants of the definitions in HP05. In particular, the first shows that the original algorithmic rules are sound with respect to a stronger notion of definitional equality, while the second gives a correct modified algorithm for the original definitional rules. Either solution appears reasonable, but neither tells us whether the original equivalence algorithm is sound with respect to the original definitional system in HP05. We felt it was important to determine whether or not a change to the definitions is truly necessary to recover soundness. In the rest of this section we show that the original results hold as stated.

¹ Personal communication.

Since we already established that weak type equivalence implies definitional equivalence (for well-formed terms), it suffices to show that the original algorithmic type equivalence judgments imply weak type equivalence. To do so, we need to show that weak type equivalence admits extensionality (Lem. 34 below). This is nontrivial: we first need to develop some syntactic properties of algorithmic equivalence for objects, in particular that if $\Delta \vdash_\Sigma x \Leftrightarrow x : \tau$ then $(x, \tau) \in \Delta$. This seems obvious, but the proof is slightly subtle because the algorithmic equivalence judgment is type-directed, not syntax-directed. Indeed, if we try to prove this directly by induction, then in the case where $x$ has function type, the inductive hypothesis does not apply. Instead, we need to show something more general: for any term $M_0$ of the form $x\,y_1 \cdots y_n$, if $M_0$ is algorithmically equivalent to itself then every free variable of $M_0$ appears in $\Delta$ with an appropriate type. We say that such an object $M_0$ is an applied variable, defined formally as follows:

$$M_0 ::= x \mid M_0\,x$$

that is, it is a variable applied to a sequence of variables. Clearly, applied variables are weak head normal forms:

Lemma 30. If $M_0$ is an applied variable then $M_0$ is in weak head normal form.

We then introduce a weak well-formedness relation $\Delta \vdash_0 M_0 : \tau$ for applied variables, defined as follows:

$$\dfrac{(x, \tau) \in \Delta}{\Delta \vdash_0 x : \tau} \qquad \dfrac{\Delta \vdash_0 M_0 : \tau_1 \to \tau_2 \qquad (y, \tau_1) \in \Delta}{\Delta \vdash_0 M_0\,y : \tau_2}$$

It is easy to show that $\vdash_0$ satisfies strengthening:

Lemma 31. If $(y, \tau')::\Delta \vdash_0 M_0 : \tau$ and $y \mathrel{\#} M_0$ then $\Delta \vdash_0 M_0 : \tau$.

Furthermore, if an applied variable is algorithmically or structurally equivalent to itself, then it is weakly well-formed:

Lemma 32. Suppose $M_0$ is an applied variable and $\vdash \Delta\ \mathrm{sctx}$.
(1) If $\Delta \vdash_\Sigma M_0 \Leftrightarrow M_0 : \tau$ then $\Delta \vdash_0 M_0 : \tau$.
(2) If $\Delta \vdash_\Sigma M_0 \leftrightarrow M_0 : \tau$ then $\Delta \vdash_0 M_0 : \tau$.

Proof. Induction on derivations. Lem. 30 is needed to show that the cases involving weak head reduction are vacuous. The only other interesting case is the case for an extensionality rule

$$\dfrac{(x, \tau_1)::\Delta \vdash_\Sigma M_0\,x \Leftrightarrow M_0\,x : \tau_2 \qquad x \mathrel{\#} (\Delta, M_0, M_0)}{\Delta \vdash_\Sigma M_0 \Leftrightarrow M_0 : \tau_1 \to \tau_2}$$

By induction, we have that $(x, \tau_1)::\Delta \vdash_0 M_0\,x : \tau_2$. By inversion, we can show that $(x, \tau_1)::\Delta \vdash_0 M_0 : \tau_1 \to \tau_2$. To complete the proof, we use Lem. 31 to show that $\Delta \vdash_0 M_0 : \tau_1 \to \tau_2$, which follows since $x \mathrel{\#} M_0$.

Corollary 2. If $\Delta \vdash_\Sigma x \Leftrightarrow x : \tau$ and $\vdash \Delta\ \mathrm{sctx}$ then $(x, \tau) \in \Delta$.

We also need to establish strengthening for weak algorithmic type equivalence:

Lemma 33 (Strengthening of weak type equivalence). If $\Delta' @ [(x, \tau)] @ \Delta \vdash_\Sigma A \leftrightharpoons B : \kappa$ and $x \mathrel{\#} (\Delta', A, B)$ then $\Delta' @ \Delta \vdash_\Sigma A \leftrightharpoons B : \kappa$.

Proof. Straightforward induction on derivations. Note that we need Lem. 19 here in the case for structural equivalence of type applications.

We now establish the admissibility of extensionality for weak type equivalence:

Lemma 34 (Extensionality of weak type equivalence). If $(x, \tau)::\Delta \vdash_\Sigma A\,x \leftrightharpoons B\,x : \kappa$ and $x \mathrel{\#} (\Delta, A, B)$ and $\vdash \Delta\ \mathrm{sctx}$ then $\Delta \vdash_\Sigma A \leftrightharpoons B : \tau \to \kappa$.

Proof. By inversion, we have subderivations $(x, \tau)::\Delta \vdash_\Sigma A \leftrightharpoons B : \tau' \to \kappa$ and $(x, \tau)::\Delta \vdash_\Sigma x \Leftrightarrow x : \tau'$ for some $\tau'$. Using Cor. 2 on the second subderivation we have that $(x, \tau') \in (x, \tau)::\Delta$, and using the validity of $(x, \tau)::\Delta$ we know that $\tau = \tau'$. Hence, $(x, \tau)::\Delta \vdash_\Sigma A \leftrightharpoons B : \tau \to \kappa$. Using Lem. 33 we conclude $\Delta \vdash_\Sigma A \leftrightharpoons B : \tau \to \kappa$.

Lemma 35. Suppose $\vdash \Delta\ \mathrm{sctx}$. Then:
(1) If $\Delta \vdash_\Sigma A \Leftrightarrow B : \kappa$ then $\Delta \vdash_\Sigma A \leftrightharpoons B : \kappa$.
(2) If $\Delta \vdash_\Sigma A \leftrightarrow B : \kappa$ then $\Delta \vdash_\Sigma A \leftrightharpoons B : \kappa$.

Proof. By induction on the structure of derivations. The case for the algorithmic type extensionality rule requires Lem. 34.
The proof of Thm. 2 is completed as follows.

Lemma 36 (Soundness of algorithmic type equivalence).
(1) If $\Gamma^- \vdash_{\Sigma^-} A \Leftrightarrow B : K^-$ and $\Gamma \vdash_\Sigma A : K$ and $\Gamma \vdash_\Sigma B : K$ then $\Gamma \vdash_\Sigma A = B : K$.
(2) If $\Gamma^- \vdash_{\Sigma^-} A \leftrightarrow B : \kappa$ and $\Gamma \vdash_\Sigma A : K$ and $\Gamma \vdash_\Sigma B : L$ then $\Gamma \vdash_\Sigma A = B : K$, $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$, $K^- = \kappa$ and $L^- = \kappa$.

Proof. Immediate using Lem. 35 and 29.

Lemma 37 (Soundness of algorithmic kind equivalence). If $\Gamma^- \vdash_{\Sigma^-} K \Leftrightarrow L : \mathrm{kind}^-$ and $\Gamma \vdash_\Sigma K : \mathrm{kind}$ and $\Gamma \vdash_\Sigma L : \mathrm{kind}$ then $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$.

Proof. As in HP05, using Lem. 36 as necessary.

Thm. 2 follows immediately from Lem. 28, 36 and 37.

3.5 Algorithmic typechecking

After the soundness and completeness proof, HP05 introduces an algorithmic version of the typechecking judgment, proves additional syntactic properties of definitional equivalence, sketches proofs of decidability, and discusses quasicanonical forms and adequacy of LF encodings of object languages. We formalized many of these results and we will discuss them in the next few sections.

The typechecking algorithm in HP05 traverses terms, types and kinds in a syntax-directed manner, using the algorithmic equivalence judgment in certain places. The definition of algorithmic typechecking in HP05 omitted explicit definitions of algorithmic signature and context validity. In our formalization, we added these (obvious) rules, as shown in Fig. 7. The remaining rules are the same as in HP05 except for a trivial typographical error in the rule for type constants. Proving the soundness and completeness of algorithmic typechecking is a (mostly) straightforward exercise using soundness and completeness of algorithmic equivalence and various syntactic properties:

$\vdash \Sigma \Rightarrow \mathrm{sig}$:

$$\dfrac{}{\vdash [] \Rightarrow \mathrm{sig}} \qquad
\dfrac{\vdash \Sigma \Rightarrow \mathrm{sig} \qquad [] \vdash_\Sigma A \Rightarrow \mathrm{type} \qquad c \mathrel{\#} \Sigma}{\vdash (c, A)::\Sigma \Rightarrow \mathrm{sig}} \qquad
\dfrac{\vdash \Sigma \Rightarrow \mathrm{sig} \qquad [] \vdash_\Sigma K \Rightarrow \mathrm{kind} \qquad a \mathrel{\#} \Sigma}{\vdash (a, K)::\Sigma \Rightarrow \mathrm{sig}}$$

$\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx}$:

$$\dfrac{\vdash \Sigma \Rightarrow \mathrm{sig}}{\vdash_\Sigma [] \Rightarrow \mathrm{ctx}} \qquad
\dfrac{\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx} \qquad \Gamma \vdash_\Sigma A \Rightarrow \mathrm{type} \qquad x \mathrel{\#} \Gamma}{\vdash_\Sigma (x, A)::\Gamma \Rightarrow \mathrm{ctx}}$$

$\Gamma \vdash_\Sigma M \Rightarrow A$:

$$\dfrac{\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx} \qquad (x, A) \in \Gamma}{\Gamma \vdash_\Sigma x \Rightarrow A} \qquad
\dfrac{\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx} \qquad (c, A) \in \Sigma}{\Gamma \vdash_\Sigma c \Rightarrow A}$$

$$\dfrac{\Gamma \vdash_\Sigma M_1 \Rightarrow \Pi x{:}A_2'.\,A_1 \qquad \Gamma \vdash_\Sigma M_2 \Rightarrow A_2 \qquad \Gamma^- \vdash_{\Sigma^-} A_2 \Leftrightarrow A_2' : \mathrm{type}^- \qquad x \mathrel{\#} \Gamma}{\Gamma \vdash_\Sigma M_1\,M_2 \Rightarrow A_1[x := M_2]}$$

$$\dfrac{\Gamma \vdash_\Sigma A_1 \Rightarrow \mathrm{type} \qquad (x, A_1)::\Gamma \vdash_\Sigma M_2 \Rightarrow A_2 \qquad x \mathrel{\#} (\Gamma, A_1)}{\Gamma \vdash_\Sigma \lambda x{:}A_1.\,M_2 \Rightarrow \Pi x{:}A_1.\,A_2}$$

$\Gamma \vdash_\Sigma A \Rightarrow K$:

$$\dfrac{\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx} \qquad (a, K) \in \Sigma}{\Gamma \vdash_\Sigma a \Rightarrow K} \qquad
\dfrac{\Gamma \vdash_\Sigma A \Rightarrow \Pi x{:}A_2'.\,K_1 \qquad \Gamma \vdash_\Sigma M \Rightarrow A_2 \qquad \Gamma^- \vdash_{\Sigma^-} A_2 \Leftrightarrow A_2' : \mathrm{type}^- \qquad x \mathrel{\#} \Gamma}{\Gamma \vdash_\Sigma A\,M \Rightarrow K_1[x := M]}$$

$$\dfrac{\Gamma \vdash_\Sigma A_1 \Rightarrow \mathrm{type} \qquad (x, A_1)::\Gamma \vdash_\Sigma A_2 \Rightarrow \mathrm{type} \qquad x \mathrel{\#} (\Gamma, A_1)}{\Gamma \vdash_\Sigma \Pi x{:}A_1.\,A_2 \Rightarrow \mathrm{type}}$$

$\Gamma \vdash_\Sigma K \Rightarrow \mathrm{kind}$:

$$\dfrac{\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx}}{\Gamma \vdash_\Sigma \mathrm{type} \Rightarrow \mathrm{kind}} \qquad
\dfrac{\Gamma \vdash_\Sigma A \Rightarrow \mathrm{type} \qquad (x, A)::\Gamma \vdash_\Sigma K \Rightarrow \mathrm{kind} \qquad x \mathrel{\#} (\Gamma, A)}{\Gamma \vdash_\Sigma \Pi x{:}A.\,K \Rightarrow \mathrm{kind}}$$

Fig. 7. Algorithmic typechecking rules

Theorem 7 (Soundness of algorithmic typechecking).
(1) If $\vdash \Sigma \Rightarrow \mathrm{sig}$ then $\vdash \Sigma\ \mathrm{sig}$.
(2) If $\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx}$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$.
(3) If $\Gamma \vdash_\Sigma M \Rightarrow A$ then $\Gamma \vdash_\Sigma M : A$.
(4) If $\Gamma \vdash_\Sigma A \Rightarrow K$ then $\Gamma \vdash_\Sigma A : K$.
(5) If $\Gamma \vdash_\Sigma K \Rightarrow \mathrm{kind}$ then $\Gamma \vdash_\Sigma K : \mathrm{kind}$.

Theorem 8 (Completeness of algorithmic typechecking).
(1) If $\vdash \Sigma\ \mathrm{sig}$ then $\vdash \Sigma \Rightarrow \mathrm{sig}$.
(2) If $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ then $\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx}$.
(3) If $\Gamma \vdash_\Sigma M : A$ then $\exists A'.\ \Gamma \vdash_\Sigma M \Rightarrow A'$ and $\Gamma \vdash_\Sigma A = A' : \mathrm{type}$.
(4) If $\Gamma \vdash_\Sigma A : K$ then $\exists K'.\ \Gamma \vdash_\Sigma A \Rightarrow K'$ and $\Gamma \vdash_\Sigma K = K' : \mathrm{kind}$.
(5) If $\Gamma \vdash_\Sigma K : \mathrm{kind}$ then $\Gamma \vdash_\Sigma K \Rightarrow \mathrm{kind}$.

3.6 Strengthening and strong extensionality

The strengthening property states that all of the definitional judgments are preserved by removing an unused variable from the context. We already established strengthening for the algorithmic equivalence judgments (Lem. 19).
In order to establish strengthening for the algorithmic typechecking judgments, we need a stronger freshness lemma for algorithmic typechecking, which was not discussed in HP05:

Lemma 38 (Strong algorithmic freshness). Let $\Gamma = \Gamma_1 @ [(x, B)] @ \Gamma_2$.
(1) If $\Gamma \vdash_\Sigma M \Rightarrow A$ and $x \mathrel{\#} (\Gamma_1, M)$ then $x \mathrel{\#} A$.
(2) If $\Gamma \vdash_\Sigma A \Rightarrow K$ and $x \mathrel{\#} (\Gamma_1, A)$ then $x \mathrel{\#} K$.

We can now prove strengthening for algorithmic typechecking by induction on derivations:

Theorem 9 (Strengthening of algorithmic typechecking). Let $\Gamma =\Gamma_1 @ [(x, B)] @ \Gamma_2$.
(1) If $\vdash_\Sigma \Gamma \Rightarrow \mathrm{ctx}$ and $x \mathrel{\#} \Gamma_1$ then $\vdash_\Sigma \Gamma_1 @ \Gamma_2 \Rightarrow \mathrm{ctx}$.
(2) If $\Gamma \vdash_\Sigma K \Rightarrow \mathrm{kind}$ and $x \mathrel{\#} (\Gamma_1, K)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma K \Rightarrow \mathrm{kind}$.
(3) If $\Gamma \vdash_\Sigma A \Rightarrow K$ and $x \mathrel{\#} (\Gamma_1, A)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma A \Rightarrow K$.
(4) If $\Gamma \vdash_\Sigma M \Rightarrow A$ and $x \mathrel{\#} (\Gamma_1, M)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma M \Rightarrow A$.

Proof. The proof is straightforward, using strengthening for algorithmic equivalence; parts (1–4) need to be proved in the order stated above since we need strengthening for contexts everywhere, we need strengthening for kinds to prove strengthening for types, and so on. Lem. 38 is needed in the cases for object and type application.

Finally, we can prove strengthening for the definitional system.

Theorem 10 (Strengthening). Let $\Gamma = \Gamma_1 @ [(x, B)] @ \Gamma_2$.
(1) If $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $x \mathrel{\#} \Gamma_1$ then $\vdash_\Sigma \Gamma_1 @ \Gamma_2\ \mathrm{ctx}$.
(2) If $\Gamma \vdash_\Sigma K : \mathrm{kind}$ and $x \mathrel{\#} (\Gamma_1, K)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma K : \mathrm{kind}$.
(3) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ and $x \mathrel{\#} (\Gamma_1, K, L)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma K = L : \mathrm{kind}$.
(4) If $\Gamma \vdash_\Sigma A : K$ and $x \mathrel{\#} (\Gamma_1, A)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma A : K$.
(5) If $\Gamma \vdash_\Sigma A = B : K$ and $x \mathrel{\#} (\Gamma_1, A, B)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma A = B : K$.
(6) If $\Gamma \vdash_\Sigma M : A$ and $x \mathrel{\#} (\Gamma_1, M)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma M : A$.
(7) If $\Gamma \vdash_\Sigma M = N : A$ and $x \mathrel{\#} (\Gamma_1, M, N)$ then $\Gamma_1 @ \Gamma_2 \vdash_\Sigma M = N : A$.

Proof. The proof follows the sketch in the article, using algorithmic strengthening and soundness and completeness of the algorithmic judgments, but some care is needed. Part 1 is straightforward, but we must prove the remaining cases in the specific order listed: first kind validity, then kind equivalence, then type validity, etc. The reason is that to prove strengthening for the equivalence judgments, we need strengthening for the corresponding validity judgments because of the validity side-conditions on Thm. 2. In turn, to prove strengthening for the object and type validity judgments, we need strengthening for type and kind equivalence respectively, because of the respective type and kind equivalence judgments in the conclusions of Thm. 8. Lem. 38 is needed in parts (4) and (6).

HP05 also sketched a proof of admissibility of a stronger version of the extensionality rule which omits the well-formedness checks:

$$\dfrac{(x, A_1)::\Gamma \vdash_\Sigma M\,x = N\,x : A_2 \qquad x \mathrel{\#} (M, N)}{\Gamma \vdash_\Sigma M = N : \Pi x{:}A_1.\,A_2}$$

However, the short proof sketched in the article actually requires a substantial amount of work to formalize. The first two steps of their informal proof were as follows:

(1) By validity, we have $(x, A_1)::\Gamma \vdash_\Sigma M\,x : A_2$.
(2) By inversion, we have $(x, A_1)::\Gamma \vdash_\Sigma M : \Pi x{:}B_1.\,B_2$ and $(x, A_1)::\Gamma \vdash_\Sigma x : B_1$.

However, step (2) above does not follow immediately from the inversion lemmas proved earlier. In particular, we only know that $M$ will have a type of the form $\Pi y{:}B_1.\,B_2$ for some $y$, $B_1$ and $B_2$ such that $(x, A_1)::\Gamma \vdash_\Sigma M : \Pi y{:}B_1.\,B_2$ and $(x, A_1)::\Gamma \vdash_\Sigma y : B_1$ and $(x, A_1)::\Gamma \vdash_\Sigma A_2 = B_2[y := x] : \mathrm{type}$. Moreover, in this case we cannot use the strong version of the inversion lemma to avoid this problem, because $x$ is already in use in the context.

Although their proof looks rigorous and detailed, here Harper and Pfenning appear to employ implicit "without loss of generality" reasoning about inversion and renaming that is not easy to formalize directly. Instead we needed to show carefully that:

Lemma 39. If $(x, A_1)::\Gamma \vdash_\Sigma M\,x : A_2$ and $x \mathrel{\#} M$ then $\Gamma \vdash_\Sigma M : \Pi x{:}A_1.\,A_2$.

Proof. The proof proceeds by applying validity and inversion principles, as discussed above. One subtle freshness side-condition is the fact that $x$ is fresh for $\Pi y{:}B_1.\,B_2$, and this is proved by translating to the algorithmic typechecking system and using Lem. 38.

Strong extensionality then follows essentially as in HP05, using Lem. 39 to fill the gap identified above:

Theorem 11 (Strong extensionality). If $(x, A_1)::\Gamma \vdash_\Sigma M\,x = N\,x : A_2$ and $x \mathrel{\#} (M, N)$ then $\Gamma \vdash_\Sigma M = N : \Pi x{:}A_1.\,A_2$.

3.7 Decidability

HP05 also sketches proofs of the decidability of the algorithmic judgments (and hence also the definitional system). Reasoning about decidability within Isabelle/HOL is not straightforward because Isabelle/HOL is based on classical logic. Thus, unlike constructive logics or type theories, we cannot infer decidability of $P$ simply by proving $P \lor \neg P$. Furthermore, given a relation $R$ definable in Isabelle/HOL, it is not clear how best to formalize the informal statement "$R$ is decidable".

As a sanity check, we have shown that weak head reduction is strongly normalizing for well-formed terms. We write $M \Downarrow$ to indicate that $M$ is strongly normalizing under weak head reduction. This proof uses techniques and definitions from the example formalization of strong normalization for the simply-typed lambda calculus in the Nominal Datatype Package.

Theorem 12. If $\Gamma \vdash_\Sigma M : A$ then $M \Downarrow$.

Proof.
W e first show the (standard) prop erty that if M N ⇓ then M ⇓ . W e then show that if ∆ ⊢ Σ M ⇔ N : τ then M ⇓ b y induction on deriv atio ns. The main result follows by reflexivity and Thm. 1. T ur ning now to the issue of for malizing decida bilit y prop er ties in Isab elle/HOL, we considered the following options: F ormalizing c omputability the ory. It should b e p ossible to define T uring machines (or s ome other univ ersal mo del of computation) within Is ab elle/HOL and derive enough of the theo r y of c o mputation to b e able to prove that the alg orithmic equiv a lence and typechecking r elations are decidable. It app ears to b e a n op en question how to formalize pro o fs of decidability in Isab elle/HOL, esp ecially for algorithms over complex data structures such as nomina l datatypes. Although this would probably b e the most satisfying solution, it w ould also r equire a ma jo r additional for malization effort, including a grea t deal of work that is orthogona l to the issues address ed here. Another p ossibility would be to r estrict Isab elle/HO L to a constructive fragment, but this see ms even more difficult a nd time-consuming since Isab elle/HOL makes extensive use of ch oice pr inciples and the law of e x cluded middle. W e therefore view fully formalizing decidability in this wa y as beyond the scop e of this article. Instead, w e consider o ther tec hniques that stop short of full formalization while providing some convincing evidence for decidability . Bounde d-height derivations. W e could define height-bounded v ersions o f the al- gorithmic t yp e checking relations and prov e that there is a computable b ound on the heigh t needed to deriv e any der iv able judgment in the system. That is, there exists a computable h suc h that for any inputs x 1 , . . . , x n , ther e is a deriv ation of J ( x 1 , . . . , x n ) if and only if ther e is a deriv a tio n of heig h t at most h ( x 1 , . . . , x n ). 
This seems r easonable intuitiv ely , but there ar e s e veral problems. First, it is not ob vious ho w to obtain a closed-for m, recursively defined height bound for the nu m be r of steps needed for a lg orithmic eq uiv a le nce for the s ame rea son it is difficult to give an explicit termination measure for weak head nor malization. Second, even if w e could find such an h , this approach b eg s the question of how to prov e that h is computable. It is clea rly no t enoug h to simply require that some h exists, b ecaus e the Axiom of C ho ice can be used to define h nonco nstructively . Finally , inductiv e ly defined judgments in Isabe lle /HOL may themselves inv olve nonconstructive features, including equality a t or quantification ov er infinite types , negation o f undecidable prop erties , and ch oice op erators. Althoug h the definitions AC M T ransacti ons on Comp utational Logic , V ol. V, No. N, Month 20YY. Mechanizing th e Metatheor y of LF · 25 we hav e in mind do no t use these fac ilities , there is no ea s y wa y to certify this within Isab elle/HOL. Inductive definabili t y. W e ha ve formalized what w e b elieve is the essence of the decidability pro of using the following metho dology . F o r each inductively defined relation R w e wish to prov e decidable, p ossibly under some constraints P : (1) Inductively define a complement rela tion R ′ . (2) (Exclusion) Prove that ¬ ( R and R ′ ). (3) (Exhaustion) Prove that P implies R ∨ R ′ . (4) Observe (infor mally) that R and R ′ are recur sively enumerable since they are defined inductiv ely by rules without re c ourse to nonconstructive fea tur es such as negatio n or universal qua n tification in the hypothese s. Conclude (informa lly) that P implies R is b oth r.e. and co-r .e., hence decidable. This a pproach exploits an intuit ive connection b etw een inductively definable predicates and r ecursively enumerable sets in step (4). 
It is important to note that this intuition is not rigorously formalized. We argue that this approach does force us to perform all of the case analysis that would be necessary in a proper decidability proof, but the only way to be certain of this is to fully formalize a substantial amount of computability theory in Isabelle/HOL, which, as we have discussed above, would be a major undertaking in its own right.

We call a formula R quasidecidable if both R and its negation are equivalent to inductively defined relations, as described above. This is an informal (and intensional) property; we have not defined quasidecidability explicitly in Isabelle/HOL. We have the following lemma, analogous to HP05's Lemma 6.1:

Theorem 13 (Quasidecidability of algorithmic equivalence).
(1) If ∆ ⊢Σ M ⇔ M′ : τ and ∆ ⊢Σ N ⇔ N′ : τ then ∆ ⊢Σ M ⇔ N : τ is quasidecidable.
(2) If ∆ ⊢Σ M ↔ M′ : τ1 and ∆ ⊢Σ N ↔ N′ : τ2 then ∃τ3. ∆ ⊢Σ M ↔ N : τ3 is quasidecidable.
(3) If ∆ ⊢Σ A ⇔ A′ : κ and ∆ ⊢Σ B ⇔ B′ : κ then ∆ ⊢Σ A ⇔ B : κ is quasidecidable.
(4) If ∆ ⊢Σ A ↔ A′ : κ1 and ∆ ⊢Σ B ↔ B′ : κ2 then ∃κ3. ∆ ⊢Σ A ↔ B : κ3 is quasidecidable.
(5) If ∆ ⊢Σ K ⇔ K′ : kind⁻ and ∆ ⊢Σ L ⇔ L′ : kind⁻ then ∆ ⊢Σ K ⇔ L : kind⁻ is quasidecidable.

We further proved that the algorithmic typechecking judgments are quasidecidable, which is the key step in HP05's Theorem 6.5. Proving exclusivity required establishing uniqueness of algorithmic typechecking.

Lemma 40 (Uniqueness of algorithmic types).
(1) If Γ ⊢Σ M ⇒ A and Γ ⊢Σ M ⇒ A′ then A = A′.
(2) If Γ ⊢Σ A ⇒ K and Γ ⊢Σ A ⇒ K′ then K = K′.

Equipped with Thm. 13 and the uniqueness lemma above, we can show a form of HP05's Theorem 6.2. Note that uses of Thm. 13 are safe because we always call the algorithmic equivalence judgments on terms that are well-formed, and hence (by Thm. 2) algorithmically equivalent to themselves.
Fig. 8. Algorithmic equivalence rules instrumented to produce quasicanonical forms. The judgment ∆ ⊢Σ M ⇔ N : τ ⇑ $\bar{\bar{O}}$ returns the quasicanonical form $\bar{\bar{O}}$ of two algorithmically equivalent terms; ∆ ⊢Σ M ↔ N : τ ↓ $\bar{O}$ returns the quasiatomic form $\bar{O}$ of two structurally equivalent terms.

$$\frac{M \xrightarrow{\mathit{whr}} M' \qquad \Delta \vdash_\Sigma M' \Leftrightarrow N : a^- \Uparrow \bar{\bar{O}}}{\Delta \vdash_\Sigma M \Leftrightarrow N : a^- \Uparrow \bar{\bar{O}}}
\qquad
\frac{N \xrightarrow{\mathit{whr}} N' \qquad \Delta \vdash_\Sigma M \Leftrightarrow N' : a^- \Uparrow \bar{\bar{O}}}{\Delta \vdash_\Sigma M \Leftrightarrow N : a^- \Uparrow \bar{\bar{O}}}$$

$$\frac{\Delta \vdash_\Sigma M \leftrightarrow N : a^- \downarrow \bar{O}}{\Delta \vdash_\Sigma M \Leftrightarrow N : a^- \Uparrow \bar{O}}
\qquad
\frac{(x,\tau)::\Delta \vdash_\Sigma M\,x \Leftrightarrow N\,x : \tau' \Uparrow \bar{\bar{O}} \qquad x \# (\Delta, M, N)}{\Delta \vdash_\Sigma M \Leftrightarrow N : \tau \to \tau' \Uparrow \lambda x.\,\bar{\bar{O}}}$$

$$\frac{(x,\tau) \in \Delta \qquad \vdash \Sigma\ \mathit{ssig} \qquad \vdash \Delta\ \mathit{sctx}}{\Delta \vdash_\Sigma x \leftrightarrow x : \tau \downarrow x}
\qquad
\frac{(c,\kappa) \in \Sigma \qquad \vdash \Sigma\ \mathit{ssig} \qquad \vdash \Delta\ \mathit{sctx}}{\Delta \vdash_\Sigma c \leftrightarrow c : \kappa \downarrow c}$$

$$\frac{\Delta \vdash_\Sigma M_1 \leftrightarrow N_1 : \tau_2 \to \tau_1 \downarrow \bar{O}_1 \qquad \Delta \vdash_\Sigma M_2 \Leftrightarrow N_2 : \tau_2 \Uparrow \bar{\bar{O}}_2}{\Delta \vdash_\Sigma M_1\,M_2 \leftrightarrow N_1\,N_2 : \tau_1 \downarrow \bar{O}_1\,\bar{\bar{O}}_2}$$

Theorem 14 (Quasidecidability of algorithmic typechecking).
(1) For any Σ, ⊢ Σ ⇒ sig is quasidecidable.
(2) For any Σ, Γ, if ⊢ Σ ⇒ sig holds then ⊢Σ Γ ⇒ ctx is quasidecidable.
(3) For any Σ, Γ, M, if ⊢Σ Γ ⇒ ctx holds then ∃A. Γ ⊢Σ M ⇒ A is quasidecidable.
(4) For any Σ, Γ, A, if ⊢Σ Γ ⇒ ctx holds then ∃K. Γ ⊢Σ A ⇒ K is quasidecidable.
(5) For any Σ, Γ, K, if ⊢Σ Γ ⇒ ctx holds then Γ ⊢Σ K ⇒ kind is quasidecidable.

3.8 Quasicanonical forms

Section 7 of HP05 discusses quasicanonical forms, which can be used to study the adequacy, or correctness, of LF encodings. Quasicanonical forms are untyped λ-terms that correspond to the β-normal, η-long forms of well-typed LF terms. Quasicanonical forms $\bar{\bar{O}}$ and quasiatomic forms $\bar{O}$ are given by the grammar rules:

$$\bar{\bar{O}} ::= \bar{O} \mid \lambda x.\,\bar{\bar{O}} \qquad\qquad \bar{O} ::= x \mid c \mid \bar{O}\ \bar{\bar{O}}$$

HP05 introduces instrumented algorithmic equivalence judgments that construct quasicanonical forms for algorithmically equivalent terms and quasiatomic forms for structurally equivalent terms, respectively. The rules are shown in Fig. 8. It is straightforward to show that quasicanonical and quasiatomic forms exist and are unique (provided that Σ and ∆ are valid).
Lemma 41 (Properties of quasicanonical forms).
(1) If ∆ ⊢Σ M ⇔ N : τ then ∃QC. ∆ ⊢Σ M ⇔ N : τ ⇑ QC.
(2) If ∆ ⊢Σ M ↔ N : τ then ∃QA. ∆ ⊢Σ M ↔ N : τ ↓ QA.
(3) If ∆ ⊢Σ M ⇔ N : τ ⇑ $\bar{\bar{O}}$ then ∆ ⊢Σ M ⇔ N : τ.
(4) If ∆ ⊢Σ M ↔ N : τ ↓ $\bar{O}$ then ∆ ⊢Σ M ↔ N : τ.
(5) If ∆ ⊢Σ M ⇔ N : τ ⇑ $\bar{\bar{O}}$ and M whr→ M′ then ∆ ⊢Σ M′ ⇔ N : τ ⇑ $\bar{\bar{O}}$.
(6) If ∆ ⊢Σ M ⇔ N : τ ⇑ $\bar{\bar{O}}$ and N whr→ N′ then ∆ ⊢Σ M ⇔ N′ : τ ⇑ $\bar{\bar{O}}$.

Theorem 15 (Uniqueness of quasicanonical forms).
(1) If ⊢ ∆ sctx and ⊢ Σ ssig and ∆ ⊢Σ M ⇔ N : τ ⇑ $\bar{\bar{O}}_1$ and ∆ ⊢Σ M ⇔ N : τ ⇑ $\bar{\bar{O}}_2$ then $\bar{\bar{O}}_1 = \bar{\bar{O}}_2$.
(2) If ⊢ ∆ sctx and ⊢ Σ ssig and ∆ ⊢Σ M ↔ N : τ ↓ $\bar{O}_1$ and ∆ ⊢Σ M ↔ N : τ′ ↓ $\bar{O}_2$ then τ = τ′ and $\bar{O}_1 = \bar{O}_2$.

Proof. By induction on derivations, using Lem. 41(5,6) in the cases involving weak head reduction.

The main result about these forms in HP05 is that well-formed LF terms can be recovered from quasicanonical forms and type information. To show this, we write N ⇑ $\bar{\bar{O}}$ or N ↓ $\bar{O}$ for the relations that relate objects N with their quasicanonical forms $\bar{\bar{O}}$ or quasiatomic forms $\bar{O}$, respectively, where the type-labels have been erased. (HP05 defined this notion as a partial function, which would be difficult to define with the Nominal Datatype Package at the time of writing.) These relations are defined as follows:

$$x \downarrow x \qquad c \downarrow c \qquad \frac{M \downarrow \bar{O} \qquad N \Uparrow \bar{\bar{O}}}{(M\,N) \downarrow \bar{O}\,\bar{\bar{O}}} \qquad \frac{M \Uparrow \bar{\bar{O}}}{(\lambda x{:}A.\,M) \Uparrow \lambda x.\,\bar{\bar{O}}} \qquad \frac{M \downarrow \bar{O}}{M \Uparrow \bar{O}}$$

In the proof of the Quasicanonical Forms theorem (Theorem 7.1 of HP05) we found it necessary to prove several nontrivial auxiliary lemmas, such as the admissibility of η-equivalence (which was not discussed in HP05):

Lemma 42 (Eta-equivalence). If x # Γ and Γ ⊢Σ M : Πx:A1. A2 then Γ ⊢Σ M = λx:A1. M x : Πx:A1. A2.
The following theorem is stated slightly differently than the corresponding theorem in HP05 (Theorem 7.1), but their version follows immediately from this version.

Theorem 16 (Quasicanonical forms).
(1) If Γ⁻ ⊢Σ⁻ M1 ⇔ M2 : A⁻ ⇑ $\bar{\bar{O}}$ and Γ ⊢Σ M1 : A and Γ ⊢Σ M2 : A then ∃N. N ⇑ $\bar{\bar{O}}$ and Γ ⊢Σ N : A and Γ ⊢Σ M1 = N : A and Γ ⊢Σ M2 = N : A.
(2) If Γ⁻ ⊢Σ⁻ M1 ↔ M2 : τ ↓ $\bar{O}$ and Γ ⊢Σ M1 : A1 and Γ ⊢Σ M2 : A2 then Γ ⊢Σ A1 = A2 : type and A1⁻ = τ and A2⁻ = τ and (∃N. N ↓ $\bar{O}$ and Γ ⊢Σ N : A1 and Γ ⊢Σ M1 = N : A1 and Γ ⊢Σ M2 = N : A2).

3.9 Adequacy

Conventionally, adequacy is the property that the terms of the object language are in a bijective correspondence with the well-formed LF terms of a given type, modulo LF equality. Moreover, the bijection should be compositional² in the sense that substitution for the object language is preserved and reflected by substitution in LF. The exact statement of the adequacy theorem for a given language depends on the language and its definition of substitution.

To illustrate how quasicanonical forms could be used for reasoning about adequacy, HP05 introduces a small example language of first-order terms t and formulas ϕ, similar to the following:

$$t, u ::= x \mid f(t,u) \qquad\qquad \varphi, \psi ::= t = u \mid \varphi \wedge \psi \mid \forall x.\varphi$$

along with an appropriate LF signature Σ_FO with types ι for first-order terms, o for first-order formulas, and constants

$$c_f : \iota \to \iota \to \iota \qquad c_{=} : \iota \to \iota \to o \qquad c_{\wedge} : o \to o \to o \qquad c_{\forall} : (\iota \to o) \to o.$$

² This term is used in HP05 without being defined, but this is the definition used in other articles which discuss adequacy, for example [Harper et al. 1993; Pfenning 2001].

Fig. 9. Adequacy translation.

Terms, Γ ⊢ t ! $\bar{\bar{M}}$ : ι:

$$\frac{(x,\iota) \in \Gamma}{\Gamma \vdash x\ !\ x : \iota} \qquad \frac{\Gamma \vdash t_1\ !\ \bar{\bar{M}}_1 : \iota \qquad \Gamma \vdash t_2\ !\ \bar{\bar{M}}_2 : \iota}{\Gamma \vdash f(t_1,t_2)\ !\ c_f\,\bar{\bar{M}}_1\,\bar{\bar{M}}_2 : \iota}$$

Formulas, Γ ⊢ ϕ ! $\bar{\bar{M}}$ : o:

$$\frac{\Gamma \vdash t_1\ !\ \bar{\bar{M}}_1 : \iota \qquad \Gamma \vdash t_2\ !\ \bar{\bar{M}}_2 : \iota}{\Gamma \vdash t_1 = t_2\ !\ c_{=}\,\bar{\bar{M}}_1\,\bar{\bar{M}}_2 : o} \qquad \frac{\Gamma \vdash \varphi_1\ !\ \bar{\bar{M}}_1 : o \qquad \Gamma \vdash \varphi_2\ !\ \bar{\bar{M}}_2 : o}{\Gamma \vdash \varphi_1 \wedge \varphi_2\ !\ c_{\wedge}\,\bar{\bar{M}}_1\,\bar{\bar{M}}_2 : o}$$

$$\frac{(x,\iota)::\Gamma \vdash \varphi\ !\ \bar{\bar{M}} : o \qquad x \# \Gamma}{\Gamma \vdash \forall x.\varphi\ !\ c_{\forall}\,\lambda x.\,\bar{\bar{M}} : o}$$

HP05 then defines translation judgments Γ ⊢ t ! M : ι and Γ ⊢ ϕ ! M : o relating LF terms M with first-order terms and formulas t : ι and ϕ : o. Note that, unlike most other judgments in this article, the translations are not implicitly parametrized by a signature Σ, since they only refer to constants from the fixed signature Σ_FO. The rules for the translation are shown in Fig. 9. Harper and Pfenning then formulate the adequacy property for this language in their Theorem 7.2 as follows:

Theorem 17 (Adequacy for syntax of first-order logic). Let Γ be a context of the form x1:ι, …, xn:ι for some n ≥ 0.
(1) The relation Γ ⊢ t ! $\bar{\bar{M}}$ : ι is a compositional bijection between terms t of first-order logic over variables x1, …, xn and quasicanonical forms $\bar{\bar{M}}$ of type ι relative to Γ.
(2) The relation Γ ⊢ ϕ ! $\bar{\bar{M}}$ : o is a compositional bijection between formulas ϕ of first-order logic over variables x1, …, xn and quasicanonical forms $\bar{\bar{M}}$ of type o relative to Γ.

Their proof sketch involves first showing that (for all appropriate Γ) the translations are bijections, and then proving compositionality by induction over the structure of terms and formulas.

Unfortunately, the statement of this theorem is ambiguous or at least incomplete. The reason is that Harper and Pfenning do not explicitly define what it means for a bijection to be compositional. Even assuming the standard definition of compositionality as substitution preservation, HP05 did not provide a definition of substitution for quasicanonical forms.
If we wish to substitute a quasicanonical form for a variable y in another quasicanonical form, the result is not always quasicanonical. For example, if we substitute λx.M for y in y N, we get (λx.M) N, which is not quasicanonical. This illustrates that quasicanonical forms are not closed under substitution of quasicanonical forms for variables, because variables are quasiatomic forms and substituting a λ-expression for a variable may introduce β-redexes.

It has been observed elsewhere (apparently first by Watkins et al. [2003]) that substitution can be defined for well-formed quasicanonical expressions in a hereditary way that recursively renormalizes any β-redexes introduced by substitution. Harper and Licata [2007] have shown how this idea can be used as the basis for a variant of LF called Canonical LF, in which all expressions are maintained in canonical form.

In our initial formalization (reported in [Urban et al. 2008]) we misinterpreted the definition of the translation slightly by defining the adequacy translations to relate first-order terms and formulas to quasiatomic forms. It is easy to define substitution of quasiatomic forms for variables, since no reduction can be introduced in doing so. Consequently, we proved a variant of HP05's Theorem 7.2 with the word "quasicanonical" replaced by "quasiatomic". However, even with this modification, the formal proof is not as easy as the sketch in HP05 suggests; for example, we needed to prove weakening, exchange, and substitution lemmas for the translation judgment in order to establish compositionality. After we discovered and corrected the mismatch between our definition and the original translation, we were still able to prove that the translations are bijections.
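To make the two points above concrete (substituting a λ-abstraction for a variable in head position destroys quasicanonicity, and a hereditary substitution in the sense of Watkins et al. and Harper and Licata repairs it), here is an added Python example; it is not code from the paper's Isabelle/HOL formalization. It implements quasiatomic and quasicanonical forms as plain data, the naive substitution next to an untyped, simplified hereditary substitution, and the translation of Fig. 9 as a function `encode`, with `compositional` checking the substitution-preservation reading of compositionality on constructed inputs. The class names, the ASCII constant names `c_f`, `c_eq`, `c_and`, `c_forall` and the helper names are this example's own choices; it assumes binders are named apart from the free variables of anything substituted, which the paper's contexts of distinct variables x1, …, xn guarantee.

```python
"""Quasicanonical forms, naive vs. hereditary substitution, and the adequacy
translation of Fig. 9 as executable functions.  Added example; this is not
code from the paper's Isabelle/HOL development.  Binders are assumed to be
named apart from the free variables of anything substituted (the paper's
contexts x1:i, ..., xn:i of distinct names give exactly that)."""
from dataclasses import dataclass

# quasiatomic forms    QA ::= x | c | QA QC
# quasicanonical forms QC ::= QA | lam x. QC
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class App: head: object; arg: object   # head must be QA for the term to be QC
@dataclass(frozen=True)
class Lam: var: str; body: object

def is_qa(t) -> bool:
    if isinstance(t, (Var, Const)):
        return True
    return isinstance(t, App) and is_qa(t.head) and is_qc(t.arg)

def is_qc(t) -> bool:
    return is_qa(t) or (isinstance(t, Lam) and is_qc(t.body))

def naive_subst(y, n, t):
    """Ordinary substitution [n/y]t.  If n is a lambda and y sits in head
    position, the result contains the beta-redex (lam x. ..) arg and is not
    quasicanonical: the paper's (lam x. M) N example."""
    if isinstance(t, Var):
        return n if t.name == y else t
    if isinstance(t, Const):
        return t
    if isinstance(t, App):
        return App(naive_subst(y, n, t.head), naive_subst(y, n, t.arg))
    return t if t.var == y else Lam(t.var, naive_subst(y, n, t.body))

def hsubst(y, n, t):
    """Hereditary substitution, a simplified untyped form of Harper and
    Licata's definition: a redex created in head position is contracted at
    once, and the contraction is itself a hereditary substitution, so the
    result is quasicanonical again.  Terminates on well-typed (eta-long)
    input by induction on the type of y; on ill-typed input such as
    [(lam x. x x)/y](y (lam x. x x)) it recurses until RecursionError."""
    if isinstance(t, Var):
        return n if t.name == y else t
    if isinstance(t, Const):
        return t
    if isinstance(t, Lam):
        return t if t.var == y else Lam(t.var, hsubst(y, n, t.body))
    head, arg = hsubst(y, n, t.head), hsubst(y, n, t.arg)
    if isinstance(head, Lam):            # (lam x. B) arg  -->  [arg/x]B, hereditarily
        return hsubst(head.var, arg, head.body)
    return App(head, arg)

# first-order syntax of Sec. 3.9:  t ::= x | f(t,u)   phi ::= t = u | phi /\ psi | forall x. phi
@dataclass(frozen=True)
class FVar: name: str
@dataclass(frozen=True)
class Fun: left: object; right: object
@dataclass(frozen=True)
class Eq: left: object; right: object
@dataclass(frozen=True)
class And: left: object; right: object
@dataclass(frozen=True)
class Forall: var: str; body: object

# constants of Sigma_FO (c_f, c_=, c_/\, c_forall in the paper; ASCII names here)
_CONST = {Fun: "c_f", Eq: "c_eq", And: "c_and"}

def encode(e):
    """The translation judgments of Fig. 9 read as a function from first-order
    terms and formulas to quasicanonical forms of type i and o."""
    if isinstance(e, FVar):
        return Var(e.name)
    if isinstance(e, Forall):
        return App(Const("c_forall"), Lam(e.var, encode(e.body)))
    return App(App(Const(_CONST[type(e)]), encode(e.left)), encode(e.right))

def fol_subst(x, u, e):
    """Object-language substitution e[u/x]."""
    if isinstance(e, FVar):
        return u if e.name == x else e
    if isinstance(e, Forall):
        return e if e.var == x else Forall(e.var, fol_subst(x, u, e.body))
    return type(e)(fol_subst(x, u, e.left), fol_subst(x, u, e.right))

def compositional(x, u, e) -> bool:
    """Compositionality as substitution preservation: encoding e[u/x] equals the
    hereditary substitution of encode(u) for x in encode(e)."""
    return encode(fol_subst(x, u, e)) == hsubst(x, encode(u), encode(e))
```

For first-order syntax the encodings of terms are quasiatomic, so `hsubst` never has to contract a redex and `compositional` holds for every substitution instance; the contraction path is exercised only when a λ-abstraction is substituted into head position, as in `hsubst("y", Lam("x", ...), App(Var("y"), ...))`. The untyped function carries no termination guard: a formalization has to keep the type of the substituted variable around to make the recursion well-founded, which is part of what makes hereditary substitution a nontrivial concept to mechanize.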
To establish compositionality, we also formalized hereditary substitution (using a simple form of Harper and Licata's definition) and showed that the translation maps object-language substitution to hereditary substitution. Formalizing HP05's Theorem 7.2 thus appears to require either changing their translation or introducing hereditary substitution, a nontrivial concept that was not mentioned in HP05. The Canonical LF approach now appears to be the preferred starting point for research on extensions to LF. Developing a full and satisfying formalization of hereditary substitutions and adequacy properties (and relating HP05's version of LF to Harper and Licata's development of Canonical LF [2007]) would be a significant independent undertaking. Therefore, we prefer to leave further study of adequacy based on hereditary substitution for future work.

4. CODE GENERATION

Since type checking in LF can be part of the trusted code base of proof-carrying code, Appel et al. [2003] were very careful to implement it as cleanly as possible and in as few lines of code as possible. Their motivation was that a small and clean implementation can be manually inspected and hence can be made robust against, for example, Thompson-style attacks [Thompson 1984]. For this they explicitly set out to minimize the number of library functions they have to trust in order for their implementation to be correct. However, they relied upon the correctness of the type-checking algorithm in HP05. In this paper we have formally proved that both the equivalence checking and type-checking algorithms from HP05 are sound and complete. Consequently, we can remove this aspect from our "trusted code base". In this section we show how to obtain a verified executable ML-implementation of the type-checking algorithm from our proof of correctness.
Isabelle/HOL contains a code generator implemented by Berghofer and Nipkow [2002] which can translate inductive definitions into executable pure ML-code automatically. To be able to use this code generator, however, we need to invest some further work. The present version of this code generator can only deal with rules involving datatypes, not nominal datatypes. To surmount this problem we translate our nominal representation of kinds, types and terms into a locally nameless representation [McKinna and Pollack 1999; Aydemir et al. 2008], which can be implemented as an ordinary Isabelle/HOL datatype. For the LF-syntax this gives rise to the definition:

$$\begin{array}{lcl}
\text{Locally Nameless Kinds} & ::= & \mathsf{type} \mid \Pi A.\,K\\
\text{Locally Nameless Types} & ::= & a \mid \Pi A_1.\,A_2 \mid A\,M\\
\text{Locally Nameless Objects} & ::= & c \mid x \mid n \mid \lambda A.\,M \mid M_1\,M_2
\end{array}$$

where terms contain de Bruijn indices n for bound variables [de Bruijn 1972]. In comparison with "pure" de Bruijn representations, in the locally nameless representation free variables still have names. This means we can continue using our implementation of signatures and contexts in judgments. With a "pure" de Bruijn representation, contexts would need to be referenced by numbers and positions.

While the locally nameless representation is straightforward to implement in Isabelle/HOL, the translations between the nominal and locally nameless representation involve quite a lot of formalisation work. First we have to define a well-formedness predicate that ensures that there are no loose de Bruijn indices.
We also need three substitution operations, namely substituting (well-formed) terms for free variables, written (−)[x := M], substituting terms for de Bruijn indices, written (−)[n := M], and substituting de Bruijn indices for variables, written (−)[x := n]. In the latter we have to increase the de Bruijn index whenever the substitution moves under a binder. Also the translation functions between the nominal and locally nameless representations are non-trivial to define. In one direction the translation is a partial function and only total over well-formed locally nameless terms. In the other direction we use a translation depending on an explicit list of variables. The idea is to push a variable onto the list whenever the translation goes under a λ- or a Π-abstraction. Now the de Bruijn index for a variable occurrence is the position of the variable in this list. The translation, written |−|xs, can be formally defined as

$$\begin{array}{lcll}
|\mathsf{type}|_{xs} & = & \mathsf{type}\\
|\Pi x{:}A.\,K|_{xs} & = & \Pi\,|A|_{xs}.\,|K|_{(x::xs)} & \text{provided } x \# xs\\
|a|_{xs} & = & a\\
|A\,M|_{xs} & = & |A|_{xs}\ |M|_{xs}\\
|\Pi x{:}A_1.\,A_2|_{xs} & = & \Pi\,|A_1|_{xs}.\,|A_2|_{(x::xs)} & \text{provided } x \# xs\\
|c|_{xs} & = & c\\
|x|_{xs} & = & \mathit{index}\ x\ xs\ 0\\
|M\,N|_{xs} & = & |M|_{xs}\ |N|_{xs}\\
|\lambda x{:}A.\,M|_{xs} & = & \lambda\,|A|_{xs}.\,|M|_{(x::xs)} & \text{provided } x \# xs
\end{array}$$

where the variable case is defined in terms of the auxiliary function index x xs n:

$$\begin{array}{lcl}
\mathit{index}\ x\ []\ n & = & x\\
\mathit{index}\ x\ (y::ys)\ n & = & (\text{if } x = y \text{ then } n \text{ else } \mathit{index}\ x\ ys\ (\mathit{Suc}\ n))
\end{array}$$

The problem with this definition arises from the fact that inductions need to be appropriately generalised in order to take the potentially growing list of variables into account. This is sometimes easy to do, but sometimes we needed a lot of ingenuity to find the right lemmas to get inductions through.
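As an added illustration of the translation |−|xs, its helper index, the substitutions (−)[n := x] and (−)[x := n] and the well-formedness check just described, here is a small Python implementation. It is not the paper's Isabelle/HOL code. It encodes kinds, types and objects as tagged tuples, uses natural numbers as variable names (mirroring the index that names carry in the Nominal Datatype Package) and strings as constants; the helper `lam_premises` is this example's own packaging of the fresh-name choice x = maxi(fv Γ @ fv M2 @ fv A1) that the λ-rule of Fig. 10 makes, and `fv` of a context is taken to be its declared names together with the free names of their types (an assumption about what fv Γ collects).

```python
"""The translation |-|xs into locally nameless syntax, its helper `index`,
the substitutions [n := x] (opening) and [x := n] (closing), the check for
loose indices, and the `maxi` choice of a fresh name used in Fig. 10.
Added example, not the paper's Isabelle/HOL code.  Assumptions: syntax is
encoded as tagged tuples, variable names are natural numbers (the Nominal
Datatype Package's names carry such an index), constants are strings."""

# Nominal syntax, one tuple shape per constructor of kinds, types and objects:
#   ("type",) | ("kpi", x, A, K)                                 kinds
#   ("tconst", a) | ("pi", x, A1, A2) | ("tapp", A, M)             types
#   ("const", c) | ("var", x) | ("lam", x, A, M) | ("app", M, N)   objects
# Locally nameless syntax drops binder names and splits variables into
# ("fvar", x) for free names and ("bvar", n) for de Bruijn indices:
#   ("kpi", A, K) | ("pi", A1, A2) | ("lam", A, M)
BINDERS = ("kpi", "pi", "lam")
LEAVES = ("type", "tconst", "const")

def index(x, xs, n=0):
    """The paper's `index x xs n`: position of x in xs counting from n, or the
    (free) name x itself when x is not on the list."""
    for y in xs:
        if x == y:
            return ("bvar", n)
        n += 1
    return ("fvar", x)

def to_ln(t, xs=()):
    """|t|xs: translate nominal syntax to locally nameless syntax.  A binder
    pushes its name on xs; the side condition x # xs is checked explicitly."""
    tag = t[0]
    if tag in LEAVES:
        return t
    if tag == "var":
        return index(t[1], xs)
    if tag in BINDERS:
        _, x, ann, body = t
        assert x not in xs, "x # xs violated: rename the binder first"
        return (tag, to_ln(ann, xs), to_ln(body, (x,) + xs))
    return (tag, to_ln(t[1], xs), to_ln(t[2], xs))      # app / tapp

def open_(t, x, n=0):
    """t[n := x]: replace loose index n by the free name x; n is incremented
    when the substitution moves under a binder."""
    tag = t[0]
    if tag == "bvar":
        return ("fvar", x) if t[1] == n else t
    if tag in LEAVES or tag == "fvar":
        return t
    shift = 1 if tag in BINDERS else 0
    return (tag, open_(t[1], x, n), open_(t[2], x, n + shift))

def close_(t, x, n=0):
    """t[x := n]: replace the free name x by index n, incremented under binders."""
    tag = t[0]
    if tag == "fvar":
        return ("bvar", n) if t[1] == x else t
    if tag in LEAVES or tag == "bvar":
        return t
    shift = 1 if tag in BINDERS else 0
    return (tag, close_(t[1], x, n), close_(t[2], x, n + shift))

def well_formed(t, depth=0):
    """No loose de Bruijn index: each ("bvar", n) lies under more than n binders."""
    tag = t[0]
    if tag == "bvar":
        return t[1] < depth
    if tag in LEAVES or tag == "fvar":
        return True
    shift = 1 if tag in BINDERS else 0
    return well_formed(t[1], depth) and well_formed(t[2], depth + shift)

def fv(t):
    """Free names of a locally nameless term, or of a context [(x, A), ...]
    (assumed here to be its declared names plus the free names of their types)."""
    if isinstance(t, list):
        return [x for x, _ in t] + [y for _, a in t for y in fv(a)]
    tag = t[0]
    if tag == "fvar":
        return [t[1]]
    if tag in LEAVES or tag == "bvar":
        return []
    return fv(t[1]) + fv(t[2])

def maxi(names):
    """Largest name on the list plus one (0 for the empty list); the result is
    fresh for everything the list was collected from."""
    return max(names, default=-1) + 1

def lam_premises(ctx, a1, m2):
    """Fresh-name part of the lambda rule of Fig. 10: pick x, extend the context
    and open the body so that (x, A1)::ctx |- M2[0 := x] => A2 can be checked;
    the rule then closes the inferred A2 again with close_(A2, x)."""
    x = maxi(fv(ctx) + fv(m2) + fv(a1))
    return x, [(x, a1)] + ctx, open_(m2, x)
```

Opening with a name chosen by `maxi` and closing it again round-trips on well-formed terms, which is exactly the property the rules of Fig. 10 rely on when they check the body of an abstraction under an extended context and then re-bind the result type.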
Having translated all our terms into the locally nameless representation, we have solved the technical problem with the code generator in Isabelle/HOL. However, there is a further problem that needs to be solved: the algorithms specified so far are not yet concrete enough to be translated directly into runnable ML-code. For this consider again the algorithmic equivalence rule

$$\frac{(x,\tau_1)::\Delta \vdash_\Sigma M\,x \Leftrightarrow N\,x : \tau_2 \qquad x \# (\Delta, M, N)}{\Delta \vdash_\Sigma M \Leftrightarrow N : \tau_1 \to \tau_2}$$

from Fig. 4. This rule decides the equivalence between the terms M and N having function type. When read bottom-up, it states that we need to introduce a variable x (any will do) that is fresh for ∆, M and N. ML does not have any built-in facilities for choosing such a fresh name (unlike, for example, FreshML by Shinwell et al. [2003]). This means for an ML-implementation of type and equivalence checking that we need to make explicit which fresh name should be chosen. An obvious choice is to inspect all free variables occurring in ∆, M and N, and produce a variable with a higher index. In our case, it suffices to compute the maximum index of all variables in scope and increase it by one to obtain a fresh variable index. We are able to compute this index because names in the Nominal Datatype Package have a natural number as index and thus can be ordered. This allows us to formulate algorithmic equivalence rules as follows:

$$\frac{(x,\tau_1)::\Delta \vdash^{\mathit{ln}}_\Sigma M\,x \Leftrightarrow N\,x : \tau_2 \qquad x = \mathit{maxi}(\mathit{fv}\,\Delta\ @\ \mathit{fv}\,M\ @\ \mathit{fv}\,N)}{\Delta \vdash^{\mathit{ln}}_\Sigma M \Leftrightarrow N : \tau_1 \to \tau_2}$$

where fv is a polymorphic function producing a list of free variables of a term or context, and the function maxi scans through a list of variables and returns the highest variable increased by one. In Fig. 10 we show the rules for type checking in the locally nameless representation and with the explicit choice of fresh variables.
Fig. 10. Algorithmic typechecking rules used for generating executable code.

Signatures, $\vdash^{\mathit{ln}} \Sigma \Rightarrow \mathit{sig}$:

$$\frac{}{\vdash^{\mathit{ln}} [] \Rightarrow \mathit{sig}} \qquad
\frac{\vdash^{\mathit{ln}} \Sigma \Rightarrow \mathit{sig} \quad [] \vdash^{\mathit{ln}}_\Sigma A \Rightarrow \mathsf{type} \quad c \notin \mathit{fi}\,\Sigma}{\vdash^{\mathit{ln}} (c,A)::\Sigma \Rightarrow \mathit{sig}} \qquad
\frac{\vdash^{\mathit{ln}} \Sigma \Rightarrow \mathit{sig} \quad [] \vdash^{\mathit{ln}}_\Sigma K \Rightarrow \mathsf{kind} \quad a \notin \mathit{fi}\,\Sigma}{\vdash^{\mathit{ln}} (a,K)::\Sigma \Rightarrow \mathit{sig}}$$

Contexts, $\vdash^{\mathit{ln}}_\Sigma \Gamma \Rightarrow \mathit{ctx}$:

$$\frac{\vdash^{\mathit{ln}} \Sigma \Rightarrow \mathit{sig}}{\vdash^{\mathit{ln}}_\Sigma [] \Rightarrow \mathit{ctx}} \qquad
\frac{\vdash^{\mathit{ln}}_\Sigma \Gamma \Rightarrow \mathit{ctx} \quad \Gamma \vdash^{\mathit{ln}}_\Sigma A \Rightarrow \mathsf{type} \quad x \notin \mathit{fv}\,\Gamma}{\vdash^{\mathit{ln}}_\Sigma (x,A)::\Gamma \Rightarrow \mathit{ctx}}$$

Objects, $\Gamma \vdash^{\mathit{ln}}_\Sigma M \Rightarrow A$:

$$\frac{\vdash^{\mathit{ln}}_\Sigma \Gamma \Rightarrow \mathit{ctx} \quad (x,A) \in \Gamma}{\Gamma \vdash^{\mathit{ln}}_\Sigma x \Rightarrow A} \qquad
\frac{\vdash^{\mathit{ln}}_\Sigma \Gamma \Rightarrow \mathit{ctx} \quad (c,A) \in \Sigma}{\Gamma \vdash^{\mathit{ln}}_\Sigma c \Rightarrow A}$$

$$\frac{\Gamma \vdash^{\mathit{ln}}_\Sigma M_1 \Rightarrow \Pi A_2'.\,A_1 \quad \Gamma \vdash^{\mathit{ln}}_\Sigma M_2 \Rightarrow A_2 \quad \Gamma^- \vdash^{\mathit{ln}}_{\Sigma^-} A_2 \Leftrightarrow A_2' : \mathsf{type}^-}{\Gamma \vdash^{\mathit{ln}}_\Sigma M_1\,M_2 \Rightarrow A_1[0 := M_2]}$$

$$\frac{\Gamma \vdash^{\mathit{ln}}_\Sigma A_1 \Rightarrow \mathsf{type} \quad (x,A_1)::\Gamma \vdash^{\mathit{ln}}_\Sigma M_2[0 := x] \Rightarrow A_2 \quad x = \mathit{maxi}(\mathit{fv}\,\Gamma\ @\ \mathit{fv}\,M_2\ @\ \mathit{fv}\,A_1) \quad A_2' = A_2[x := 0]}{\Gamma \vdash^{\mathit{ln}}_\Sigma \lambda A_1.\,M_2 \Rightarrow \Pi A_1.\,A_2'}$$

Types, $\Gamma \vdash^{\mathit{ln}}_\Sigma A \Rightarrow K$:

$$\frac{\vdash^{\mathit{ln}}_\Sigma \Gamma \Rightarrow \mathit{ctx} \quad (a,K) \in \Sigma}{\Gamma \vdash^{\mathit{ln}}_\Sigma a \Rightarrow K} \qquad
\frac{\Gamma \vdash^{\mathit{ln}}_\Sigma A \Rightarrow \Pi A_2'.\,K_1 \quad \Gamma \vdash^{\mathit{ln}}_\Sigma M \Rightarrow A_2 \quad \Gamma^- \vdash^{\mathit{ln}}_{\Sigma^-} A_2 \Leftrightarrow A_2' : \mathsf{type}^-}{\Gamma \vdash^{\mathit{ln}}_\Sigma A\,M \Rightarrow K_1[0 := M]}$$

$$\frac{\Gamma \vdash^{\mathit{ln}}_\Sigma A_1 \Rightarrow \mathsf{type} \quad (x,A_1)::\Gamma \vdash^{\mathit{ln}}_\Sigma A_2[0 := x] \Rightarrow \mathsf{type} \quad x = \mathit{maxi}(\mathit{fv}\,\Gamma\ @\ \mathit{fv}\,A_1\ @\ \mathit{fv}\,A_2)}{\Gamma \vdash^{\mathit{ln}}_\Sigma \Pi A_1.\,A_2 \Rightarrow \mathsf{type}}$$

Kinds, $\Gamma \vdash^{\mathit{ln}}_\Sigma K \Rightarrow \mathsf{kind}$:

$$\frac{\vdash^{\mathit{ln}}_\Sigma \Gamma \Rightarrow \mathit{ctx}}{\Gamma \vdash^{\mathit{ln}}_\Sigma \mathsf{type} \Rightarrow \mathsf{kind}} \qquad
\frac{\Gamma \vdash^{\mathit{ln}}_\Sigma A \Rightarrow \mathsf{type} \quad (x,A)::\Gamma \vdash^{\mathit{ln}}_\Sigma K[0 := x] \Rightarrow \mathsf{kind} \quad x = \mathit{maxi}(\mathit{fv}\,\Gamma\ @\ \mathit{fv}\,A\ @\ \mathit{fv}\,K)}{\Gamma \vdash^{\mathit{ln}}_\Sigma \Pi A.\,K \Rightarrow \mathsf{kind}}$$

The locally nameless variants of these judgments are marked by the superscript ln. We omit the locally nameless versions of the algorithmic equivalence rules, but they are similar. The functions fi(−) and fv(−) calculate the free identifiers and free variables of their arguments, respectively.

It is important to note that it would be extremely inconvenient to build the concrete choice for a fresh variable into the rules that are used in the soundness and completeness proofs described in the earlier sections. The reason is that several of the proofs would not go through as stated in HP05, since the choice is not fresh enough for all entities considered in some lemmas (an example is the weakening property, where the variable x is assumed to be not just fresh for ∆, M and N, but also for a larger context ∆′). It is, however, relatively straightforward to show the equivalence (i.e., that they derive the same judgments, modulo translation) between the original rules and the rules with the concrete choice for fresh variables. We can show:

Lemma 43 (Equivalence).
(1) ⊢ Σ ⇒ sig if and only if $\vdash^{\mathit{ln}} |\Sigma|_{[]} \Rightarrow \mathit{sig}$.
(2) ⊢Σ Γ ⇒ ctx if and only if $\vdash^{\mathit{ln}}_{|\Sigma|_{[]}} |\Gamma|_{[]} \Rightarrow \mathit{ctx}$.
(3) Γ ⊢Σ M ⇒ A if and only if $|\Gamma|_{[]} \vdash^{\mathit{ln}}_{|\Sigma|_{[]}} |M|_{[]} \Rightarrow |A|_{[]}$.
(4) Γ ⊢Σ A ⇒ K if and only if $|\Gamma|_{[]} \vdash^{\mathit{ln}}_{|\Sigma|_{[]}} |A|_{[]} \Rightarrow |K|_{[]}$.
(5) Γ ⊢Σ K ⇒ kind if and only if $|\Gamma|_{[]} \vdash^{\mathit{ln}}_{|\Sigma|_{[]}} |K|_{[]} \Rightarrow \mathsf{kind}$.

From the rules in Fig. 10 the code generator of Isabelle/HOL can generate ML-code. Of course the correctness of this code depends on the correctness of the generator. However, it is relatively easy to inspect the generated ML-code, and we are confident that it correctly implements the inductive definitions that have been proved to be sound and complete with respect to their specification. We have used the extracted ML-code to type-check several LF example signatures.

5. DISCUSSION

It is difficult to argue objectively about the efficacy or usability of tools for mechanized metatheory about languages with name-binding, since there are substantial differences among systems, there are few experts in the use of more than one system, and each such formalization is a major undertaking.
Nevertheless, we believe it is worthwhile to make some subjective observations about our experience formalizing LF using Nominal Isabelle/HOL, and to identify aspects of the two systems that aided or hindered formalization.

Methodological observations. The formalization was performed by two of the authors; one is a developer of the Nominal Datatype Package and an expert Isabelle/HOL user, and the other had roughly three months' experience with these tools prior to starting the formalization. We estimate that the total effort involved in conducting the formalizations in Sec. 3 was at most three person-months. We worked on the code generation part intermittently and therefore do not have detailed information about the time required. Although there is still room for improvement in both Isabelle/HOL and the Nominal Datatype Package, our experience suggests that these tools can now be used to perform significant formalizations within reasonable time-frames, at least by experienced users.

It took approximately six person-weeks to formalize everything up to the soundness proof (including pondering why the omitted case for type extensionality did not go through). However, once Harper and Pfenning confirmed that this case was indeed not handled correctly in their proof, one of the authors was able to check within 2 hours that adding a type-extensionality rule solves the problem. Re-checking the proof on paper would have meant reviewing approximately 31 pages of proofs. Subsequently we checked the validity of a solution suggested by Harper and found another solution for the problem. As a practical matter, the ability to rapidly evaluate the effects of changes to the system was essential for finding these solutions and evaluating other possibilities.
In a similar formalization project, the first author showed that a central lemma in the informal proof in his PhD thesis can be repaired [Urban and Zhu 2008].

Comparing the formalization and informal proof. In our formalization, we attempted to follow the syntax, definitions and proofs given in HP05 as closely as we could, and resisted the temptation to change their rules to make our task easier. We found that nominal techniques were usually able to state results almost exactly as they are presented on paper; the main differences tended to involve freshness or validity side-conditions that were left implicit in HP05. To illustrate this point, we have prepared this paper using Isabelle's documentation facilities [Nipkow et al. 2002]. Most lemmas, theorems, and definitions in this paper have been generated directly from the formalization (the main exceptions are the quasidecidability and adequacy properties, which are paraphrased).

In this article, we have focused on the high-level ideas of the formalization and, in the main, downplayed the low-level details of proofs using the Nominal Datatype Package. This is not because these details are embarrassing, but because (with a few clearly-marked exceptions) they are prosaic. For example, as one would expect, our formalization also required formally proving many properties of substitution, swapping, freshness, contexts, erasure and so on. We have not discussed these because they are routine, and rely upon techniques already covered in previous work on nominal techniques [Urban 2008].
However, we would like to point out here that the capability to define functions such as substitution and erasure as (nominal) primitive recursive functions, and to use Isabelle/HOL's built-in simplifier to rewrite formulas involving these functions, was absolutely essential. This is not to say that these proofs were always easy, but that difficulties involving name-binding were usually not the dominant factor.

We have not explicitly stated when features such as strong nominal induction or inversion principles [Urban et al. 2007; Berghofer and Urban 2008] have been used (nor have we given complete explanations of these techniques), but our formalization relies upon them extensively. When these principles could be used, the paper proof was usually easy to translate to a formal proof step-by-step (although, as is often the case with formalizations, an informal proof step often translated to many formal steps or necessitated additional lemmas). On the other hand, in a few cases nominal induction principles could not be applied, often because of subtleties involving binding. When this was the case, proof cases involving binding were often much more labor-intensive because they required explicit reasoning about choosing fresh names, alpha-equivalence, swapping and substitution (see, for example, the proof of transitivity of algorithmic equivalence).

Many of our proofs have been written to match corresponding informal proofs closely using the Isar proof-language, as in an example by Urban [2008, Sec. 6] of a typical substitution property. However, writing readable Isar proofs is labor-intensive; the proof-script tactic language of classic Isabelle/HOL tends to be much easier to write but harder to read.
The interested, or skeptical, reader is welcome to consult the formalization for these details, replay the proofs of key properties, compare them with those in HP05, and form his or her own opinion.

Metrics about the formalization. In Table I, we report some simple metrics about our formalization, such as the sizes, number of lines of text, and number of lemmas in each theory in the main formalization.

Table I. Summary of the formalization

Theory          Description                                        Size (bytes)    Lines   Lemmas
LF              Syntax and definitional judgments of LF                 125,975    2,631      103
Erasure         Simple types and kinds, erasure                          14,860      463       35
PairOrdering    Pair ordering used for transitivity                         962       29        3
EquivAlg        Algorithmic equivalence judgments and properties         47,480    1,015       46
Completeness    Logical relation, completeness proof                     54,575      778       22
WeakEquivAlg    Weak algorithmic type-checking                            9,373      219        7
Soundness       Subject reduction, soundness proofs                      31,235      562        8
TypeAlg         Algorithmic typechecking                                 13,139      244        5
Decidability    Quasidecidability                                       104,939    2,087       50
Strengthening   Strengthening and strong extensionality                  28,940      591       15
Canonical       Quasicanonical forms                                     27,702      556       13
Adequacy        Adequacy example                                         29,777      736       45
LocallyN        Translation to locally nameless syntax                  179,148    4,674      223
Total                                                                   668,105   14,585      575

As Table I shows, the core LF theory accounts for about 20% of the development. These syntactic properties are mostly straightforward, and their proofs merit only cursory discussion in HP05, but some lemmas have many cases which must each be handled individually. The Decidability theory accounts for another 15%; the quasidecidability proofs are verbose but largely straightforward. The LocallyN theory proves that the nominal datatypes version of LF is equivalent to a locally nameless formulation; this accounts for about 25% of the development. The effort involved in this part was therefore quite substantial: it can be explained by the lack of automatic infrastructure for the locally nameless representation of binders in Isabelle/HOL, but also by the inherent subtleties when working with this representation. A number of lemmas need to be carefully stated, and in a few cases in rather non-intuitive ways. The remaining theories account for at most 5–10% of the formalization each; the WeakEquivAlg theory defines the weak algorithmic equivalence judgment and proves the additional properties needed for the third solution, and accounts for only around 2% of the total development.

The merit of metrics such as proof size or number of lemmas is debatable. We have not attempted to distinguish between meaningful lines of proof vs. blank or comment lines; nor have we distinguished between significant and trivial lemmas. Nevertheless, this information should at least convey an idea of the relative effort involved in each part of the proof.

Correctness of the representation. The facilities for defining and reasoning about languages with binding provided by the Nominal Datatype Package are convenient, but their use may not be persuasive to readers unfamiliar with nominal logic and abstract syntax.
Thus, a skeptical reader might ask whether these representations, definitions and reasoning principles are really correct; that is, whether they are equivalent to the definitions in HP05, as formalized using some more conventional approach to binding syntax. For higher-order abstract syntax representations, this property is often called adequacy; this term appears to have been coined in the context of LF [Harper et al. 1993], due to the potential problems involved in reasoning about higher-order terms modulo alpha, beta and eta-equivalence. Adequacy is also important for nominal techniques and deserves further study. We believe that the techniques explored in existing work on the semantics of nominal abstract syntax and its implementation in the Nominal Datatype Package [Gabbay and Pitts 2002; Pitts 2003; Cheney 2006; Pitts 2006; Urban 2008] suffice for informally judging the correctness of our formalization. There has also been some prior work on formalizing adequacy results for nominal datatypes via isomorphisms. Urban [2008] proves a bijective correspondence between nominal datatypes and a conventional named implementation of the λ-calculus modulo α-equivalence. Norrish and Vestergaard [2007] have formalized isomorphisms between nominal and de Bruijn representations, and they provide further citations to several other isomorphism results. Our proof of equivalence to a locally nameless representation described in Sec. 4 also gives evidence for the correctness of the nominal datatype representation. In any case, our formalization has exposed some subtle issues which make sense in the context of LF, independently of whether or not nominal datatypes in Isabelle/HOL really capture our informal intuitions about abstract syntax with binding.
Reflecting on formalizing LF. It has been observed (as discussed, for example, by Pientka [2007]) that the process of formalization can suggest changes that both ease formalization and clarify the original system. Likewise, our formalization provides a basis for reflecting on how the LF metatheory might be adapted to make it easier to formalize. Most obviously, many of the problems we encountered with soundness disappear if we simply add the omitted extensionality rule or change the equivalence algorithm. A more subtle complication we encountered was that since the algorithmic rules in HP05 do not enforce well-formedness, it is not even guaranteed that a variable appearing in one of the terms being compared also appears in the context Δ. This necessitates extra freshness conditions on many rules and induction hypotheses to ensure that strong nominal induction principles can be used safely. Building these constraints into the algorithmic rules might make several of the proofs about the equivalence algorithm cleaner. Another practical consideration was that the syntax and rules of LF in HP05 exhibit redundancy, which leads to additional (albeit straightforward) formalization effort. For example, constants, dependent products, and applications each appear at more than one level of the syntax, resulting in proofs with redundant cases. Similarly, because objects, kinds and types are defined by mutual recursion, each inductive proof about syntax needs to have three inductive hypotheses and ten cases. Likewise, any proof concerning the definitional judgments needs to state eight simultaneous induction hypotheses and thirty-five cases.
Collapsing the three levels of LF syntax into one level, and collapsing the many definitional judgments into a smaller number could make the formalization much less verbose, as in Pure Type Systems [McKinna and Pollack 1999], at the cost of increasing the distance between the paper version and the formalization. On the other hand, such an approach could also make it easier to generalize proofs about LF to richer type theories.

6. RELATED AND FUTURE WORK

McKinna and Pollack [1999]'s LEGO formalization of Pure Type Systems is probably the most extensive formalization of a dependent type theory in a theorem prover. Their formalization introduced the locally nameless variant of de Bruijn's name-free approach [de Bruijn 1972] and considered primarily syntactic properties of pure type systems with β-equivalence, including a proof of strengthening. Pollack [1995] subsequently verified the partial correctness of typechecking algorithms for certain classes of Pure Type Systems including LF. Completely formalizing metatheoretic and syntactic proofs about languages and logics with name-binding has been a long-standing open problem in computational logic. We will not give a detailed survey of all of these techniques here, but mention a few recent developments. In the last five years, catalyzed by the POPLMark Challenge [Aydemir et al. 2005], there has been renewed interest in this area. Aydemir et al. [2008] have developed a methodology for formalizing metatheory in Coq using the locally nameless representation to manage binding, and using cofinite quantification to handle fresh names.
Chlipala's parametric higher-order abstract syntax is another recently developed technique for reasoning about abstract syntax in Coq, and has been applied to good effect in reasoning about compiler transformations [Chlipala 2008]. Westbrook et al. [2009] are developing CINIC, a variant of Coq that provides built-in support for nominal abstract syntax (generalizing a simple nominal type theory developed by Cheney [2009]). Gacek et al. [2008] have developed Abella, a proof assistant for reasoning about higher-order abstract syntax, inductive definitions, and generic quantification (similar to nominal logic's fresh-name quantifier). Schürmann and Sarnat [2008] have recently discovered techniques for performing logical relations proofs in Twelf [Pfenning and Schürmann 1999]. Formalizing the results in this article using these or other emerging tools would provide a useful comparison of these approaches, particularly concerning decidability proofs, which ought to be easier in constructive logics.

Algorithms for equivalence and canonicalization for dependent type theories have been studied by several authors. Prior work on equivalence checking for LF has focused on first checking well-formedness with respect to simple types, then β- or βη-normalizing; these approaches are discussed in detail by Harper and Pfenning [2005]. Coquand's algorithm [1991] is similar to Harper and Pfenning's but operates on untyped terms. Goguen's approach [2005b] involves first type-directed η-expansion and then β-normalization, and relies on standard properties such as the Church-Rosser theorem, strong normalization of β-reduction and strengthening.
Goguen [2005a] extends this proof technique to show termination of Coquand's and Harper and Pfenning's algorithms, and gives a terminating type-directed algorithm for checking βη-equivalence in System F. It may be interesting to formalize these algorithms and proofs and compare with Harper and Pfenning's proof.

Our formalization provides a foundation for several possible future investigations. We are interested in extending our formalization to include verifying Twelf-style meta-reasoning about LF specifications, following Harper and Licata's detailed informal development of Canonical LF [2007]. Doing so could make it possible to extract Isabelle/HOL theorems from Twelf proofs, but as discussed earlier, formalizing Canonical LF, hereditary substitutions, and the rest of Harper and Licata's work appears to be a substantial challenge.

It would also be interesting to extend our formalization to accommodate extensions to LF involving (ordered) linear logic, concurrency, proof-irrelevance, or singleton kinds, as discussed by Harper and Pfenning [2005, Sec. 8]. We hope that anyone who proposes an extension to LF will be able to use our formalization as a starting point for verifying its metatheory.

7. CONCLUSIONS

LF is an extremely convenient tool for defining logics and other calculi involving binding syntax. It has many compelling applications and underlies the system Twelf, which has a proven record in formalizing many programming language calculi. Hence, it is of intrinsic interest to verify key properties of LF's metatheory, such as the correctness and decidability of the typechecking algorithms. We have done so, using the Nominal Datatype Package for Isabelle/HOL.
The infrastructure provided by this package allowed us to follow the proof of Harper and Pfenning closely.

For our formalization we had the advantage of working from Harper and Pfenning's carefully-written informal proof, which withstood rigorous mechanical formalization rather well. Still we found in this informal proof one gap and numerous minor complications. We have shown that they can be repaired. We have also partially verified the decidability of the equivalence and typechecking algorithms, although some work remains to formally prove decidability per se. Formalizing decidability proofs of any kind in Isabelle/HOL appears to be an open problem, so we leave this for future work.

While verifying correctness of proofs is a central motivation for doing formalizations, it is not the only one. There is a second important benefit—they can be used to experiment with changes to the system rapidly. By replaying a modified formalization in a theorem prover one can immediately focus on places where the proof fails and attempt to repair them rather than re-checking the many cases that are unchanged. This capability was essential in fixing the soundness proof, and it illustrates one of the distinctive advantages of performing such a formalization. Had we attempted to repair the gap using only the paper proof, experimenting with different solutions would have required manually re-checking the roughly 31 pages of paper proofs for each change.

Our formalization is not an end in itself but also provides a foundation for further study in several directions. Researchers developing extensions to LF may find our formalization useful as a starting point for verifying the metatheory of such extensions. We plan to further investigate hereditary substitutions and adequacy proofs in LF and Canonical LF.
More ambitiously, we contemplate formalizing the meaning and correctness of metatheoretic reasoning about LF specifications (as provided by the Twelf system) inside Isabelle/HOL, and extracting Isabelle/HOL theorems from Twelf proofs.

ELECTRONIC APPENDIX

The electronic appendix for this article can be accessed in the ACM Digital Library by visiting the following URL: http://www.acm.org/pubs/citations/journals/tocl/20YY-V-N/p1-URLend.

ACKNOWLEDGMENTS

We are extremely grateful to Bob Harper for discussions about LF and the proof. Benjamin Pierce and Stephanie Weirich have also made helpful comments on drafts of this paper.

REFERENCES

Appel, A., Michael, N., Stump, A., and Virga, R. 2003. A trustworthy proof checker. J. Autom. Reasoning 31, 231–260.
Aydemir, B., Charguéraud, A., Pierce, B. C., Pollack, R., and Weirich, S. 2008. Engineering formal metatheory. In POPL. ACM, 3–15.
Aydemir, B. E., Bohannon, A., Fairbairn, M., Foster, J. N., Pierce, B. C., Sewell, P., Vytiniotis, D., Washburn, G., Weirich, S., and Zdancewic, S. 2005. Mechanized metatheory for the masses: The POPLmark challenge. In TPHOLs. 50–65.
Berghofer, S. and Nipkow, T. 2002. Executing higher order logic. In Proc. of the International Workshop on Types for Proofs and Programs. Number 2277 in LNCS. 24–40.
Berghofer, S. and Urban, C. 2008. Nominal inversion principles. In TPHOLs. 71–85.
Cheney, J. 2006. Completeness and Herbrand theorems for nominal logic. Journal of Symbolic Logic 71, 1, 299–320.
Cheney, J. 2009. A simple nominal type theory. Electr. Notes Theor. Comput. Sci. 228, 37–52. LFMTP '08: Proceedings of the Fourth International Workshop on Logical Frameworks and Meta-Languages.
Chlipala, A. J. 2008. Parametric higher-order abstract syntax for mechanized semantics. In ICFP, J. Hook and P. Thiemann, Eds. ACM, 143–156.
Coquand, T. 1991. An algorithm for testing conversion in type theory. In Logical Frameworks, G. Huet and G. Plotkin, Eds. Cambridge University Press, 255–279.
de Bruijn, N. G. 1972. Lambda-calculus notation with nameless dummies, a tool for automatic formula manipulation. Indagationes Mathematicae 34, 5, 381–392.
Gabbay, M. J. and Pitts, A. M. 2002. A new approach to abstract syntax with variable binding. Formal Aspects of Computing 13, 341–363.
Gacek, A., Miller, D., and Nadathur, G. 2008. Combining generic judgments with recursive definitions. In LICS. 33–44.
Geuvers, H. and Barendsen, E. 1999. Some logical and syntactical observations concerning the first-order dependent type system λP. Mathematical Structures in Computer Science 9, 4, 335–359.
Goguen, H. 2005a. Justifying algorithms for βη-conversion. In FoSSaCS, V. Sassone, Ed. LNCS, vol. 3441. Springer, 410–424.
Goguen, H. 2005b. A syntactic approach to eta equality in type theory. In POPL. ACM, 75–84.
Harper, R., Honsell, F., and Plotkin, G. 1993. A framework for defining logics. Journal of the ACM 40, 1, 143–184.
Harper, R. and Licata, D. 2007. Mechanizing metatheory in a logical framework. J. Funct. Program. 17, 4-5, 613–673.
Harper, R. and Pfenning, F. 2005. On equivalence and canonical forms in the LF type theory. ACM Transactions on Computational Logic 6, 1, 61–101.
McKinna, J. and Pollack, R. 1999. Some lambda calculus and type theory formalized. J. Autom. Reasoning 23, 3-4, 373–409.
Narboux, J. and Urban, C. 2007. Formalising in Nominal Isabelle Crary's completeness proof for equivalence checking. In LFMTP. ENTCS, vol. 196.
Necula, G. C. 1997. Proof-carrying code. In POPL. ACM, 106–119.
Nipkow, T., Paulson, L. C., and Wenzel, M. 2002. Isabelle/HOL: A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer.
Norrish, M. and Vestergaard, R. 2007. Proof pearl: de Bruijn terms really do work. In TPHOLs. LNCS, vol. 4732. Springer, 207–222.
Pfenning, F. 2001. Logical frameworks. In Handbook of Automated Reasoning, J. A. Robinson and A. Voronkov, Eds. Elsevier and MIT Press, 1063–1147.
Pfenning, F. and Schürmann, C. 1999. System description: Twelf–a meta-logical framework for deductive systems. In CADE. LNAI, vol. 1632. 202–206.
Pientka, B. 2007. Proof pearl: The power of higher-order encodings in the logical framework LF. In TPHOLs. 246–261.
Pitts, A. M. 2003. Nominal logic, a first order theory of names and binding. Information and Computation 183, 165–193.
Pitts, A. M. 2006. Alpha-structural recursion and induction. Journal of the ACM 53, 3 (May), 459–506.
Pollack, R. 1995. A verified typechecker. In TLCA, M. Dezani-Ciancaglini and G. D. Plotkin, Eds. LNCS, vol. 902. Springer, 365–380.
Schürmann, C. and Sarnat, J. 2008. Structural logical relations. In LICS. IEEE Computer Society, 69–80.
Shinwell, M. R., Pitts, A. M., and Gabbay, M. J. 2003. FreshML: Programming with binders made simple. In Eighth ACM SIGPLAN International Conference on Functional Programming (ICFP 2003), Uppsala, Sweden. ACM Press, 263–274.
Thompson, K. 1984. Reflections on trusting trust. Communications of the ACM 27, 8, 761–763.
Urban, C. 2008. Nominal techniques in Isabelle/HOL. Journal of Automatic Reasoning 40, 4, 327–356.
Urban, C., Berghofer, S., and Norrish, M. 2007. Barendregt's variable convention in rule inductions. In CADE. LNAI, vol. 4603. 35–50.
Urban, C., Cheney, J., and Berghofer, S. 2008. Mechanizing the metatheory of LF. In Proceedings of the 23rd Annual IEEE Symposium on Logic in Computer Science (LICS 2008). 45–56.
Urban, C. and Tasson, C. 2005. Nominal techniques in Isabelle/HOL. In CADE. LNCS, vol. 3632. 38–53.
Urban, C. and Zhu, B. 2008. Revisiting cut-elimination: One difficult proof is really a proof. In RTA, A. Voronkov, Ed. Lecture Notes in Computer Science, vol. 5117. Springer, 409–424.
Watkins, K., Cervesato, I., Pfenning, F., and Walker, D. 2003. A concurrent logical framework I: Judgments and properties. Tech. Rep. CMU-CS-02-101, Carnegie Mellon University. May.
Westbrook, E., Stump, A., and Austin, E. 2009. The calculus of nominal inductive constructions: an intensional approach to encoding name-bindings. In LFMTP '09: Proceedings of the Fourth International Workshop on Logical Frameworks and Meta-Languages. ACM, New York, NY, USA, 74–83.

Received October 2009; revised April 2010; accepted April 2010

This document is the online-only appendix to:
Mechanizing the Metatheory of LF
CHRISTIAN URBAN, TU Munich; JAMES CHENEY, University of Edinburgh; STEFAN BERGHOFER, TU Munich
ACM Transactions on Computational Logic, Vol. V, No. N, Month 20YY, Pages 1–40.

A. FULL STATEMENTS OF SYNTACTIC RESULTS

Lemma 1 (Freshness).
(1) If $\vdash \Sigma\ \mathrm{sig}$ then $x \# \Sigma$.
(2) If $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ then $x \# \Sigma$.
(3) If $\Gamma \vdash_\Sigma M : A$ and $x \# \Gamma$ then $x \# M$ and $x \# A$.
(4) If $\Gamma \vdash_\Sigma A : K$ and $x \# \Gamma$ then $x \# A$ and $x \# K$.
(5) If $\Gamma \vdash_\Sigma K : \mathrm{kind}$ and $x \# \Gamma$ then $x \# K$.
(6) If $\Gamma \vdash_\Sigma M = N : A$ and $x \# \Gamma$ then $x \# M$ and $x \# N$ and $x \# A$.
(7) If $\Gamma \vdash_\Sigma A = B : K$ and $x \# \Gamma$ then $x \# A$ and $x \# B$ and $x \# K$.
(8) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ and $x \# \Gamma$ then $x \# K$ and $x \# L$.

Lemma 2 (Implicit Validity).
(1) If $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ then $\vdash \Sigma\ \mathrm{sig}$.
(2) If $\Gamma \vdash_\Sigma M : A$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $\vdash \Sigma\ \mathrm{sig}$.
(3) If $\Gamma \vdash_\Sigma A : K$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $\vdash \Sigma\ \mathrm{sig}$.
(4) If $\Gamma \vdash_\Sigma K : \mathrm{kind}$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $\vdash \Sigma\ \mathrm{sig}$.
(5) If $\Gamma \vdash_\Sigma M = N : A$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $\vdash \Sigma\ \mathrm{sig}$.
(6) If $\Gamma \vdash_\Sigma A = B : K$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $\vdash \Sigma\ \mathrm{sig}$.
(7) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ then $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ and $\vdash \Sigma\ \mathrm{sig}$.

Lemma 3 (Implicit Validity). If $\Gamma \vdash_\Sigma M : A$ then $\vdash \Sigma\ \mathrm{sig}$ and $\vdash_\Sigma \Gamma\ \mathrm{ctx}$.

Lemma 4 (Weakening). Suppose $\vdash_\Sigma \Gamma_2\ \mathrm{ctx}$ and $\Gamma_1 \subseteq \Gamma_2$.
(1) If $\Gamma_1 \vdash_\Sigma M : A$ then $\Gamma_2 \vdash_\Sigma M : A$.
(2) If $\Gamma_1 \vdash_\Sigma A : K$ then $\Gamma_2 \vdash_\Sigma A : K$.
(3) If $\Gamma_1 \vdash_\Sigma K : \mathrm{kind}$ then $\Gamma_2 \vdash_\Sigma K : \mathrm{kind}$.
(4) If $\Gamma_1 \vdash_\Sigma M = N : A$ then $\Gamma_2 \vdash_\Sigma M = N : A$.
(5) If $\Gamma_1 \vdash_\Sigma A = B : K$ then $\Gamma_2 \vdash_\Sigma A = B : K$.
(6) If $\Gamma_1 \vdash_\Sigma K = L : \mathrm{kind}$ then $\Gamma_2 \vdash_\Sigma K = L : \mathrm{kind}$.

Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. © 20YY ACM 1529-3785/20YY/0700-0001 $5.00

Lemma 5 (Substitution). Suppose $\Gamma_2 \vdash_\Sigma P : C$ and let $\Gamma = \Gamma_1 \mathbin{@} [(y, C)] \mathbin{@} \Gamma_2$.
(1) If $\vdash_\Sigma \Gamma\ \mathrm{ctx}$ then $\vdash_\Sigma \Gamma_1[y := P] \mathbin{@} \Gamma_2\ \mathrm{ctx}$.
(2) If $\Gamma \vdash_\Sigma M : B$ then $\Gamma_1[y := P] \mathbin{@} \Gamma_2 \vdash_\Sigma M[y := P] : B[y := P]$.
(3) If $\Gamma \vdash_\Sigma B : K$ then $\Gamma_1[y := P] \mathbin{@} \Gamma_2 \vdash_\Sigma B[y := P] : K[y := P]$.
(4) If $\Gamma \vdash_\Sigma K : \mathrm{kind}$ then $\Gamma_1[y := P] \mathbin{@} \Gamma_2 \vdash_\Sigma K[y := P] : \mathrm{kind}$.
(5) If $\Gamma \vdash_\Sigma M = N : A$ then $\Gamma_1[y := P] \mathbin{@} \Gamma_2 \vdash_\Sigma M[y := P] = N[y := P] : A[y := P]$.
(6) If $\Gamma \vdash_\Sigma A = B : K$ then $\Gamma_1[y := P] \mathbin{@} \Gamma_2 \vdash_\Sigma A[y := P] = B[y := P] : K[y := P]$.
(7) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ then $\Gamma_1[y := P] \mathbin{@} \Gamma_2 \vdash_\Sigma K[y := P] = L[y := P] : \mathrm{kind}$.

Lemma 6 (Context Conversion). Assume that $\Gamma \vdash_\Sigma B : \mathrm{type}$ and $\Gamma \vdash_\Sigma A = B : \mathrm{type}$.
Then:
(1) If $(x, A) :: \Gamma \vdash_\Sigma M : C$ then $(x, B) :: \Gamma \vdash_\Sigma M : C$.
(2) If $(x, A) :: \Gamma \vdash_\Sigma C : K$ then $(x, B) :: \Gamma \vdash_\Sigma C : K$.
(3) If $(x, A) :: \Gamma \vdash_\Sigma K : \mathrm{kind}$ then $(x, B) :: \Gamma \vdash_\Sigma K : \mathrm{kind}$.
(4) If $(x, A) :: \Gamma \vdash_\Sigma C = D : K$ then $(x, B) :: \Gamma \vdash_\Sigma C = D : K$.
(5) If $(x, A) :: \Gamma \vdash_\Sigma K = L : \mathrm{kind}$ then $(x, B) :: \Gamma \vdash_\Sigma K = L : \mathrm{kind}$.

Lemma 7 (Functionality for Typing). Assume that $\Gamma \vdash_\Sigma M : C$ and $\Gamma \vdash_\Sigma N : C$ and $\Gamma \vdash_\Sigma M = N : C$. Then:
(1) If $\Gamma' \mathbin{@} [(y, C)] \mathbin{@} \Gamma \vdash_\Sigma P : B$ then $\Gamma'[y := M] \mathbin{@} \Gamma \vdash_\Sigma P[y := M] = P[y := N] : B[y := M]$.
(2) If $\Gamma' \mathbin{@} [(y, C)] \mathbin{@} \Gamma \vdash_\Sigma B : K$ then $\Gamma'[y := M] \mathbin{@} \Gamma \vdash_\Sigma B[y := M] = B[y := N] : K[y := M]$.
(3) If $\Gamma' \mathbin{@} [(y, C)] \mathbin{@} \Gamma \vdash_\Sigma K : \mathrm{kind}$ then $\Gamma'[y := M] \mathbin{@} \Gamma \vdash_\Sigma K[y := M] = K[y := N] : \mathrm{kind}$.

Lemma 8 (Validity). Objects, types and kinds appearing in derivable judgments are valid, that is:
(1) If $\Gamma \vdash_\Sigma M : A$ then $\Gamma \vdash_\Sigma A : \mathrm{type}$.
(2) If $\Gamma \vdash_\Sigma A : K$ then $\Gamma \vdash_\Sigma K : \mathrm{kind}$.
(3) If $\Gamma \vdash_\Sigma M = N : B$ then $\Gamma \vdash_\Sigma M : B$ and $\Gamma \vdash_\Sigma N : B$ and $\Gamma \vdash_\Sigma B : \mathrm{type}$.
(4) If $\Gamma \vdash_\Sigma A = B : K$ then $\Gamma \vdash_\Sigma A : K$ and $\Gamma \vdash_\Sigma B : K$ and $\Gamma \vdash_\Sigma K : \mathrm{kind}$.
(5) If $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$ then $\Gamma \vdash_\Sigma K : \mathrm{kind}$ and $\Gamma \vdash_\Sigma L : \mathrm{kind}$.

Lemma 9 (Typing inversion). The validity rules are invertible, up to conversion of types and kinds.
(1) If $\Gamma \vdash_\Sigma x : A$ then $\exists B.\ (x, B) \in \Gamma$ and $\Gamma \vdash_\Sigma A = B : \mathrm{type}$.
(2) If $\Gamma \vdash_\Sigma c : A$ then $\exists B.\ (c, B) \in \Sigma$ and $\Gamma \vdash_\Sigma A = B : \mathrm{type}$.
(3) If $\Gamma \vdash_\Sigma M_1\, M_2 : A$ then $\exists x\, A_1\, A_2.\ \Gamma \vdash_\Sigma M_1 : \Pi x{:}A_2.\, A_1$ and $\Gamma \vdash_\Sigma M_2 : A_2$ and $\Gamma \vdash_\Sigma A = A_1[x := M_2] : \mathrm{type}$.
(4) If $\Gamma \vdash_\Sigma \lambda x{:}A.\, M : B$ and $x \# \Gamma$ then $\exists A'.\ \Gamma \vdash_\Sigma B = \Pi x{:}A.\, A' : \mathrm{type}$ and $\Gamma \vdash_\Sigma A : \mathrm{type}$ and $(x, A) :: \Gamma \vdash_\Sigma M : A'$.
(5) If $\Gamma \vdash_\Sigma \Pi x{:}A_1.\, A_2 : K$ and $x \# \Gamma$ then $\Gamma \vdash_\Sigma K = \mathrm{type} : \mathrm{kind}$ and $\Gamma \vdash_\Sigma A_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma A_2 : \mathrm{type}$.
(6) If $\Gamma \vdash_\Sigma c : K$ then $\exists L.\ (c, L) \in \Sigma$ and $\Gamma \vdash_\Sigma K = L : \mathrm{kind}$.
(7) If $\Gamma \vdash_\Sigma A\, M : K$ then $\exists x\, A_1\, K_2.\ \Gamma \vdash_\Sigma A : \Pi x{:}A_1.\, K_2$ and $\Gamma \vdash_\Sigma M : A_1$ and $\Gamma \vdash_\Sigma K = K_2[x := M] : \mathrm{kind}$.
(8) If $\Gamma \vdash_\Sigma \Pi x{:}A_1.\, K_2 : \mathrm{kind}$ and $x \# \Gamma$ then $\Gamma \vdash_\Sigma A_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma K_2 : \mathrm{kind}$.

Lemma 10 (Equality inversion).
(1) If $\Gamma \vdash_\Sigma \mathrm{type} = L : \mathrm{kind}$ then $L = \mathrm{type}$.
(2) If $\Gamma \vdash_\Sigma L = \mathrm{type} : \mathrm{kind}$ then $L = \mathrm{type}$.
(3) If $\Gamma \vdash_\Sigma A = \Pi x{:}B_1.\, B_2 : \mathrm{type}$ and $x \# \Gamma$ then $\exists A_1\, A_2.\ A = \Pi x{:}A_1.\, A_2$ and $\Gamma \vdash_\Sigma A_1 = B_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma A_2 = B_2 : \mathrm{type}$.
(4) If $\Gamma \vdash_\Sigma \Pi x{:}B_1.\, B_2 = B : \mathrm{type}$ and $x \# \Gamma$ then $\exists A_1\, A_2.\ B = \Pi x{:}A_1.\, A_2$ and $\Gamma \vdash_\Sigma A_1 = B_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma A_2 = B_2 : \mathrm{type}$.
(5) If $\Gamma \vdash_\Sigma K = \Pi x{:}B_1.\, L_2 : \mathrm{kind}$ and $x \# \Gamma$ then $\exists A_1\, K_2.\ K = \Pi x{:}A_1.\, K_2$ and $\Gamma \vdash_\Sigma A_1 = B_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma K_2 = L_2 : \mathrm{kind}$.
(6) If $\Gamma \vdash_\Sigma \Pi x{:}B_1.\, L_2 = L : \mathrm{kind}$ and $x \# \Gamma$ then $\exists A_1\, K_2.\ L = \Pi x{:}A_1.\, K_2$ and $\Gamma \vdash_\Sigma A_1 = B_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma K_2 = L_2 : \mathrm{kind}$.

Lemma 11 (Product injectivity). Suppose $x \# \Gamma$.
(1) If $\Gamma \vdash_\Sigma \Pi x{:}A_1.\, A_2 = \Pi x{:}B_1.\, B_2 : \mathrm{type}$ then $\Gamma \vdash_\Sigma A_1 = B_1 : \mathrm{type}$ and $(x, A_1) :: \Gamma \vdash_\Sigma A_2 = B_2 : \mathrm{type}$.
(2) If $\Gamma \vdash_\Sigma \Pi x{:}A.\, K = \Pi x{:}B.\, L : \mathrm{kind}$ then $\Gamma \vdash_\Sigma A = B : \mathrm{type}$ and $(x, A) :: \Gamma \vdash_\Sigma K = L : \mathrm{kind}$.

Lemma 12 (Strong versions of rules). The following rules are admissible:
(1) $\frac{\Gamma \vdash_\Sigma M_1 : \Pi x{:}A_2.\, A_1 \quad \Gamma \vdash_\Sigma M_2 : A_2}{\Gamma \vdash_\Sigma M_1\, M_2 : A_1[x := M_2]}$
(2) $\frac{\Gamma \vdash_\Sigma A : \Pi x{:}B.\, K \quad \Gamma \vdash_\Sigma M : B}{\Gamma \vdash_\Sigma A\, M : K[x := M]}$
(3) $\frac{(x, A_1) :: \Gamma \vdash_\Sigma M_2 = N_2 : A_2 \quad \Gamma \vdash_\Sigma M_1 = N_1 : A_1 \quad x \# \Gamma}{\Gamma \vdash_\Sigma (\lambda x{:}A_1.\, M_2)\, M_1 = N_2[x := N_1] : A_2[x := M_1]}$
(4) $\frac{\Gamma \vdash_\Sigma A_1 = B_1 : \mathrm{type} \quad (x, A_1) :: \Gamma \vdash_\Sigma A_2 = B_2 : \mathrm{type} \quad x \# \Gamma}{\Gamma \vdash_\Sigma \Pi x{:}A_1.\, A_2 = \Pi x{:}B_1.\, B_2 : \mathrm{type}}$
(5) $\frac{\Gamma \vdash_\Sigma A = B : \mathrm{type} \quad (x, A) :: \Gamma \vdash_\Sigma K = L : \mathrm{kind} \quad x \# \Gamma}{\Gamma \vdash_\Sigma \Pi x{:}A.\, K = \Pi x{:}B.\, L : \mathrm{kind}}$
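The following is an added illustration, not part of the paper and not the authors' Isabelle/HOL development: a small Python rendering of the three-level LF syntax (kinds, types, objects) whose mutual recursion the "Reflecting on formalizing LF" discussion describes, together with the freshness relation x # t used throughout Lemma 1 and the capture-avoiding substitution t[y := P] and context split Γ₁ @ [(y, C)] @ Γ₂ of Lemma 5. The class names, the helper `fresh_name` and the function `lemma5_context` are this example's own choices, and the terms and contexts it is exercised on are constructed for the example. Each operation needs one case per constructor at each of the three levels, which is the redundancy the paper remarks on.

```python
from dataclasses import dataclass
from typing import Union

# Three-level LF syntax (hypothetical Python rendering, not the paper's nominal datatypes).
@dataclass(frozen=True)
class Type:            # the kind "type"
    pass

@dataclass(frozen=True)
class KPi:             # Πx:A. K
    x: str
    A: "Ty"
    K: "Kind"

@dataclass(frozen=True)
class TConst:          # type constant a
    a: str

@dataclass(frozen=True)
class TApp:            # A M
    A: "Ty"
    M: "Obj"

@dataclass(frozen=True)
class TPi:             # Πx:A1. A2
    x: str
    A1: "Ty"
    A2: "Ty"

@dataclass(frozen=True)
class Const:           # object constant c
    c: str

@dataclass(frozen=True)
class Var:             # variable x
    x: str

@dataclass(frozen=True)
class App:             # M1 M2
    M1: "Obj"
    M2: "Obj"

@dataclass(frozen=True)
class Lam:             # λx:A. M
    x: str
    A: "Ty"
    M: "Obj"

Kind = Union[Type, KPi]
Ty = Union[TConst, TApp, TPi]
Obj = Union[Const, Var, App, Lam]
Term = Union[Kind, Ty, Obj]
Ctx = list  # list of (name, type) pairs, newest binding first, as in (x, A)::Γ


def fv(t: Term) -> frozenset:
    """Free variables of a term at any level: one case per constructor, nine in all."""
    if isinstance(t, (Type, TConst, Const)):
        return frozenset()
    if isinstance(t, Var):
        return frozenset({t.x})
    if isinstance(t, KPi):
        return fv(t.A) | (fv(t.K) - {t.x})
    if isinstance(t, TApp):
        return fv(t.A) | fv(t.M)
    if isinstance(t, TPi):
        return fv(t.A1) | (fv(t.A2) - {t.x})
    if isinstance(t, App):
        return fv(t.M1) | fv(t.M2)
    if isinstance(t, Lam):
        return fv(t.A) | (fv(t.M) - {t.x})
    raise TypeError(t)


def fresh(x: str, t: Term) -> bool:
    """The freshness relation x # t of Lemma 1: x does not occur free in t."""
    return x not in fv(t)


def fresh_in_ctx(x: str, ctx: Ctx) -> bool:
    """x # Γ: x is neither declared by Γ nor free in any type Γ assigns."""
    return all(x != z and fresh(x, A) for z, A in ctx)


def fresh_name(base: str, avoid) -> str:
    """Pick a variable name not in `avoid` (example helper, not from the paper)."""
    n = 0
    while f"{base}{n}" in avoid:
        n += 1
    return f"{base}{n}"


def subst(t: Term, y: str, P: Obj) -> Term:
    """Capture-avoiding t[y := P]: a binder that would capture a variable of P is α-renamed."""
    if isinstance(t, (Type, TConst, Const)):
        return t
    if isinstance(t, Var):
        return P if t.x == y else t
    if isinstance(t, TApp):
        return TApp(subst(t.A, y, P), subst(t.M, y, P))
    if isinstance(t, App):
        return App(subst(t.M1, y, P), subst(t.M2, y, P))
    # Binder cases (KPi, TPi, Lam) share one treatment: the bound type is outside the scope.
    if isinstance(t, KPi):
        x, A, body = t.x, t.A, t.K
    elif isinstance(t, TPi):
        x, A, body = t.x, t.A1, t.A2
    elif isinstance(t, Lam):
        x, A, body = t.x, t.A, t.M
    else:
        raise TypeError(t)
    A2 = subst(A, y, P)
    if x == y:                           # y is shadowed: the body is untouched
        x2, body2 = x, body
    else:
        x2 = x
        if x in fv(P) and y in fv(body):  # rename first so P's x is not captured
            x2 = fresh_name(x, fv(P) | fv(body) | {y})
            body = subst(body, x, Var(x2))
        body2 = subst(body, y, P)
    if isinstance(t, KPi):
        return KPi(x2, A2, body2)
    if isinstance(t, TPi):
        return TPi(x2, A2, body2)
    return Lam(x2, A2, body2)


def subst_ctx(ctx: Ctx, y: str, P: Obj) -> Ctx:
    """Γ[y := P]: substitute into every type the context assigns."""
    return [(z, subst(A, y, P)) for z, A in ctx]


def lemma5_context(g1: Ctx, y: str, C: Ty, g2: Ctx, P: Obj) -> Ctx:
    """Given Γ = Γ1 @ [(y, C)] @ Γ2 (newest first), build Γ1[y := P] @ Γ2 as in Lemma 5.
    Only Γ1 may mention y, since its bindings are newer than (y, C); Γ2 is left unchanged,
    and a well-formed Γ2 must not mention y at all, which is checked here."""
    if not fresh_in_ctx(y, g2):
        raise ValueError(f"{y} is not fresh for the older context part")
    return subst_ctx(g1, y, P) + g2
```

Usage: `subst(Lam("x", TConst("a"), App(Var("x"), Var("y"))), "y", Var("x"))` must rename the bound `x` before replacing `y`, so the result is `λx0:a. x0 x` with only `x` free; substituting for a variable that is fresh for the term leaves it unchanged, which is the standard consequence of the freshness properties in Lemma 1.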
