Twelf: The Quintessential Proof Assistant for Language Metatheory Karl Crary Carnegie Mellon University Joint work with Robert Harper and Michael Ashley-Rollman Poplmark meeting, January 2006

Twelf: The Quintessential Proof Assistant for Language Metatheory

Karl Crary, Carnegie Mellon University

Joint work with Robert Harper and Michael Ashley-Rollman

Poplmark meeting, January 2006

2

Outline

• LF
– Higher-order abstract syntax
– Adequacy
– Subordination

• Metatheory using LF

• Twelf implementation
– Meta-proof checking

3

What do we want?

• Framework for encoding deductive systems adequately.

• The encoding should serve as a substitute for the original system for all (formalist) purposes.

4

What is LF?

• Primarily, a methodology for encoding deductive systems.

• Secondarily, the language that methodology employs.

• Specifically:
– A technique for encoding object languages.
– A rigorous account of adequacy.
– A language that makes everything work.

5

Higher-order abstract syntax

• Identify OL and ML variables.

• Represent binding using abstractions.

• Represent substitution using application.

6

Example: simply-typed lambda calculus

exp : type.
lam : (exp -> exp) -> exp.
app : exp -> exp -> exp.

⌈x.y.x y⌉ = lam (x.lam (y.app x y))

7

Example: simply-typed lambda calculus

of : exp -> tp -> type.

of_lam : of (lam E) (arrow T1 T2)
          <- ({x:exp} of x T1 -> of (E x) T2).

of_app : of (app E1 E2) T2
          <- of E1 (arrow T1 T2)
          <- of E2 T1.

8

Adequacy

• A correct encoding must establish an isomorphism between the OL and its encoding.

• For syntax:
– Bijection between OL syntax and ML canonical forms of appropriate type.
– The bijection should respect substitution (compositionality).

• Not concerned with cosmetic matters.

9

Canonical forms

• Beta-normal, eta-long.

• Theorem: every LF term has a unique canonical form.

10

LF

• Dependently typed lambda calculus.

• User-specified “signature” provides type- and term-level constants.

• Principal virtue is that it provides the right notion of canonical form.
– No case analysis on user-specified types!
– The “weakness” of LF is its strength.

11

Example: adequacy

Define:
– ⌈{x1, ..., xn}⌉ = x1 : exp, ..., xn : exp
– ⌈x.e⌉ = lam (x.⌈e⌉)
– ⌈e1 e2⌉ = app ⌈e1⌉ ⌈e2⌉

Then ⌈·⌉ defines an isomorphism between lambda terms (with free variables contained in X) and LF canonical forms C such that ⌈X⌉ ⊢ C : exp.

12

Example: adequacy

Define:
– ⌈x1:1, ..., xn:n⌉ = x1:exp, d1:of x1 ⌈1⌉, ..., xn:exp, dn:of xn ⌈n⌉

Then there exists a bijection between derivations of ⊢ e : and LF canonical forms C such that ⌈⌉ ⊢ C : of ⌈e⌉ ⌈⌉.

13

Example: elims are bad

Suppose we have elimination forms. Then consider:

lam (x.case x of app y z => y | lam f => x)

• This does not represent any lambda-calculus expression!

• Parametricity is essential: the body of the lambda must not analyze its argument.

14

Subordination

• Type family a is subordinate to type family b (written a ≤ b) if a canonical form of a can appear within a canonical form of b.

• Particularly interested in the negation.

• Useful for considering when extensions to the context are irrelevant.

15

Subordination example

• of ≰ exp
– terms can appear in typing derivations, but not vice versa

• Adding assumptions with type of is irrelevant to syntactic considerations.

• For example, adequacy for syntax still holds with typing assumptions in play.

16

Metatheory in LF, a simple case

Theorem (type preservation)
if ⊢ e1 : and e1 e2 then ⊢ e2 :

Proof
• Suppose ⊢ e1 : and e1 e2

• By adequacy, there exists canonical d1 such that ⊢ d1 : of ⌈e1⌉ ⌈⌉

• By adequacy, there exists canonical d2 such that ⊢ d2 : step ⌈e1⌉ ⌈e2⌉

17

Simple example, continued

• It follows (the real work happens here) that there exists canonical d3 such that ⊢ d3 : of ⌈e2⌉ ⌈⌉

• By adequacy, we have ⊢ e2 :

18

Metatheory in LF, with contexts

Theorem (subject reduction)
if ⊢ e1 : and e1 → e2 then ⊢ e2 :

Proof
• Suppose ⊢ e1 : and e1 → e2

• Let X = FV(e1)

• By adequacy, there exists canonical d1 such that ⌈⌉ ⊢ d1 : of ⌈e1⌉ ⌈⌉

• By adequacy, there exists canonical d2 such that ⌈X⌉ ⊢ d2 : reduce ⌈e1⌉ ⌈e2⌉

19

Context example, continued

• By weakening, ⌈⌉ ⊢ d2 : step ⌈e1⌉ ⌈e2⌉

• It follows that there exists canonical d3 such that ⌈⌉ ⊢ d3 : of ⌈e2⌉ ⌈⌉

• By adequacy, we have ⊢ e2 :

20

Metatheory in LF, general case

Theorem (normalization)
if ⊢ e1 : then e1 normalizes to some e2

Proof
• Suppose ⊢ e :

• By adequacy, there exists canonical d1 such that ⌈⌉ ⊢ d1 : of ⌈e1⌉ ⌈⌉

• It follows that there exists canonical E2, d2 such that ⌈⌉ ⊢ d2 : normalize ⌈e1⌉ E2

• By adequacy, E2 = ⌈e2⌉ (for some e2)

21

General example, continued

• Thus, ⌈⌉ ⊢ d2 : normalize ⌈e1⌉ ⌈e2⌉

• Issue: normalize is untyped, so its adequacy uses X = FV(e1), not

• Since of ≰ normalize, typing assumptions cannot contribute to normalize derivations.

• Thus, ⌈X⌉ ⊢ d2 : normalize ⌈e1⌉ ⌈e2⌉

• By adequacy, e1 normalizes to e2

22

Twelf

• Type checker for LF

• Proof search

• Meta-proof checker

23

Meta-proofs in Twelf

• Define a relation between derivations of interest:

sr : reduce E1 E2 -> of E1 T -> of E2 T -> type.

...

• Indicate inputs and outputs:

%mode sr +D1 +D2 -D3.

24

Meta-proofs in Twelf, continued

• Specify world (set of contexts) by indicating permissible assumption blocks.

%block bind : some {t:tp} block {x:exp} {d:of x t}.
%worlds (bind) (sr _ _ _).

• Indicate an induction strategy.

25

Meta-proofs in Twelf, continued

Twelf proves that sr is total:

• For all ∈ W,

• For all canonical
– ⊢ E1, E2 : exp
– ⊢ T : tp
– ⊢ D1 : reduce E1 E2
– ⊢ D2 : of E1 T

• There exists canonical
– ⊢ D3 : of E2 T
– ⊢ D : sr D1 D2 D3. (Don’t care about this one)

26

Totality checking

• Type checking

• Mode checking
– Outputs are ground (well-specified) if inputs are ground.

• World checking
– Recursive calls preserve the world invariant.

• Termination

• Coverage checking
– All cases are covered.

27

How we use Twelf

• TALT: first foundational certified code system

• Definition of Standard ML

• Poplmark challenge (in a few days)

• Nearly everything we do

