Higher-Order Encodings in Intensional Type Theory

Presentation Transcript


  1. Higher-Order Encodings in Intensional Type Theory
     Edwin Westbrook, Rice University

  2. Type Systems Give Correctness
     • “Correct-by-construction” guarantee
       • (For a specific class of potential bugs)
     • ML, Java, Haskell: No runtime type errors
     • More advanced systems:
       • No unwanted aliasing [Wadler ’90]
       • No deadlocks [Boyapati ’02]
       • Many more!

  3. More Guarantees = More Complexity
     • Type Systems are in the trusted core!
     • How do we know proofs are correct?
     • How do we know implementations are correct?

  4. Verified Meta-Programming in CNIC
     CNIC = Calculus of Nominal Inductive Constructions
     [Diagram: Program, PL Implementation, Correctness proof]

  5. Why CNIC?
     • CNIC = Coq + Higher-Order Encodings (HOEs)
       • New solution to an open research problem
     • Coq is a powerful proof assistant
       • Well studied, proof libraries, proof automation
     • HOE = technique for encoding name-bindings
       • Can make a datatype for typed PLs
       • Get many properties “for free”
     • The result: CNIC is a language for verified PLs

  6. Outline
     • Higher-Order Encodings in CNIC
       • Binding-related features of CNIC
     • Example: simply-typed λ-calculus
       • Can only write well-typed terms
     • Example: substitution for λ-calculus
       • Type Preservation for free!

  7. What Is a Name-Binding?
     • Construct that introduces a name
       • E.g. λx : A . M
     • Name-bindings have 4 properties:
       • Freshness: x is distinct from other bound names
       • α-equivalence: λx : A . x = λy : A . y
       • Scoping: x cannot be used outside λx
       • Typing: x has type A, not type B

  8. Name-Bindings Encoded with ν
     να : A . M
     • Introduces fresh name α
     • α has type Name A
     • Scope of α limited to M
     • Equal up to renaming of bound names

  9. Example: Simply-Typed λ-Calculus
     var :: Name T => trm T
     app :: trm (arrow T1 T2) => trm T1 => trm T2
     lam :: (∇α : trm T1 . trm T2) => trm (arrow T1 T2)
     • E.g. λx : (b -> b) . λy : b . x y is encoded as
       lam (νx : (arrow b b) . lam (νy : b . app (var x) (var y)))

  10. Elimination Form for ∇
     • Bindings can be “applied” to fresh names:
       • Evaluation rule: (να : A . M) @ β -> [β/α]M
       • Typing rule: M @ α, given M : ∇β:A . B and α is fresh for M

  11. Example: Equality of λ-Terms [Felty and Pientka ’10]
     eq-var :: eq (var x) (var x)
     eq-app :: eq t1 t1’ => eq t2 t2’ => eq (app t1 t2) (app t1’ t2’)
     eq-lam :: (∇α : trm T1 . eq (b1 @ α) (b2 @ α)) => eq (lam b1) (lam b2)

  12. Key Feature: World-Bindings
     • Bind multiple names in one construct
       • (NOTE: this is a slight simplification: see paper)
     ν(α1:A1, …, αn:An).M   or   νΓ . M

  13. Example: Counting Variables
     num-vars (νΓ . var (x@Γ)) = 1
     num-vars (νΓ . app (t1@Γ) (t2@Γ)) = num-vars (νΓ . t1@Γ) + num-vars (νΓ . t2@Γ)
     num-vars (νΓ . lam (να : trm T1 . t@(Γ,α))) = num-vars (ν(Γ,α) . t@(Γ,α))

  14. Example: Multi-Arity Substitution
     subst :: (∇Γ . trm (T@Γ)) => trm-list Γ => trm (lift-tp (νΓ . T@Γ))
     subst (νΓ . app (t1@Γ) (t2@Γ)) L = app (subst (νΓ . t1@Γ) L) (subst (νΓ . t2@Γ) L)
     subst (νΓ . lam (να . t@(Γ,α))) L = lam (να . subst (ν(Γ,α) . t@(Γ,α)) [L,α])

  15. Example: Multi-Arity Substitution (variable cases)
     subst :: (∇Γ . trm (T@Γ)) => trm-list Γ => trm (lift-tp (νΓ . T@Γ))
     subst (ν() . var β) [] = var β
     subst (ν(Γ,α) . var α) [L, M] = M
     subst (ν(Γ,α) . var (x@Γ)) [L, M] = subst (νΓ . var (x@Γ)) L
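The three properties the talk claims for higher-order encodings, that only well-typed terms can be written (slide 9), that a function over terms can walk under binders (slide 13), and that substitution is type-preserving by construction (slides 14 and 15), can be demonstrated outside CNIC. The following is an added Haskell example, not code from the talk or from CNIC: it uses a GADT with parametric higher-order abstract syntax (binders as Haskell functions, variables in an abstract representation `v`) in place of CNIC's ν/∇ bindings, instantiates the slide's base type `b` as `Bool`, and implements single-variable rather than multi-arity substitution. The names `Trm`, `Closed`, `numVars`, `subst`, `flatten` and `eval` are this example's own.

```haskell
{-# LANGUAGE GADTs, RankNTypes #-}
-- Added example (not from the talk or CNIC): a GADT/PHOAS encoding of the
-- simply-typed λ-calculus of slide 9. The object-language type of a term is
-- an index of the Haskell type, so an ill-typed object term is a Haskell
-- type error; binders are Haskell functions, so freshness, α-equivalence and
-- scoping come from the host language rather than from explicit names.
module TypedHoas where

-- Trm v a: a term of object type a; v is the variable representation,
-- left abstract so that one term can be counted, substituted or evaluated.
data Trm v a where
  Var :: v a -> Trm v a                        -- var :: Name T => trm T
  App :: Trm v (a -> b) -> Trm v a -> Trm v b  -- app
  Lam :: (v a -> Trm v b) -> Trm v (a -> b)    -- lam, body is a function of the bound name
  Lit :: Bool -> Trm v Bool                    -- literals of the base type b (= Bool here)

-- A closed term must be well-typed for every choice of v.
type Closed a = forall v. Trm v a

-- Slide 9: λx : (b -> b) . λy : b . x y
example :: Closed ((Bool -> Bool) -> Bool -> Bool)
example = Lam (\x -> Lam (\y -> App (Var x) (Var y)))

-- "Can only write well-typed terms": swapping the application is rejected by
-- GHC at compile time, because y has type Bool, not a function type.
-- illTyped :: Closed ((Bool -> Bool) -> Bool -> Bool)
-- illTyped = Lam (\x -> Lam (\y -> App (Var y) (Var x)))

-- Slide 13: counting variable occurrences. Instantiating v with a unit-carrying
-- type lets the traversal pass a dummy name under each binder, like νΓ . t@Γ.
newtype U a = U ()

numVars :: Trm U a -> Int
numVars (Var _)   = 1
numVars (App f x) = numVars f + numVars x
numVars (Lam f)   = numVars (f (U ()))
numVars (Lit _)   = 0

-- Slides 14-15: substitution. An open term with one free variable of type a is
-- a function from that variable to the body; substituting a closed term for it
-- instantiates v with terms themselves and flattens. The signature alone gives
-- type preservation: the result has the body's type b, for any representation w.
subst :: (forall v. v a -> Trm v b) -> (forall v. Trm v a) -> Trm w b
subst body arg = flatten (body arg)

flatten :: Trm (Trm v) b -> Trm v b
flatten (Var t)   = t                                -- the substituted term itself
flatten (App f x) = App (flatten f) (flatten x)
flatten (Lam f)   = Lam (\x -> flatten (f (Var x)))  -- x is fresh, so no capture is possible
flatten (Lit b)   = Lit b

-- Evaluation: instantiate v with plain Haskell values. Totality of this
-- function (no error case) is the "type preservation for free" payoff.
newtype Id a = Id a

eval :: Trm Id a -> a
eval (Var (Id x)) = x
eval (App f x)    = eval f (eval x)
eval (Lam f)      = \x -> eval (f (Id x))
eval (Lit b)      = b

idBool :: Closed (Bool -> Bool)
idBool = Lam (\x -> Var x)

main :: IO ()
main = do
  print (numVars example)                                     -- two variable occurrences
  -- substitute idBool for the free f in (f True), then evaluate
  print (eval (subst (\f -> App (Var f) (Lit True)) idBool))  -- True
  print (eval (App (App example idBool) (Lit False)))         -- False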

  16. Conclusion
     • Type Systems are safety-critical
       • Need to trust proofs and implementations
     • CNIC allows verified implementations
       • Technical contribution: CIC + HOEs
     • Public release available soon!

  17. Thank You!