A concurrent logical framework I: Judgments and properties

The Concurrent Logical Framework, or CLF, is a new logical framework in which concurrent computations can be represented as monadic objects, for which there is an intrinsic notion of concurrency. It is designed as a conservative extension of the hnear logical framework LLF with the synchronous connectives 0, 1, !, and 3 of intuitionistic linear logic, encapsulated in a monad. LLF is itself a conservative extension of LF with the asynchronous connectives -o, & and T. The present report, the first of two technical reports describing CLF, presents the framework itself and its meta-theory. A novel, algorithmic formulation of the underlying type theory concentrating on canonical forms leads to a simple notion of definitional equality for concurrent computations in which the order of independent steps cannot be distinguished. The new formulation of the framework constitutes an original contribution even for the LF fragment. For many additional examples illustrating the use of the framework to specify and reason about object systems of interest, the reader is referred to the companion technical report on applications [CPWW02].

1 Introduction A logical framework [PfeOlb, BMOl] is a meta-language for the specification and implementation of deductive systems, which are used pervasively in logic and the theory of programming languages. A logical framework should be as simple and uniform as possible, yet provide intrinsic means for representing common concepts and operations in its application domain.
The particular lineage of logical frameworks we are concerned with in this paper started with the Automath languages [dB80] which originated the use of dependent types. It was followed by LF [HHP93], crystallizing the judgments-as-types principle. LF is based on a minimal type theory A" with only the dependent function type constructor 11. It nonetheless directly supports concise and elegant expression of variable renaming and capture-avoiding substitution at the level of syntax, and parametric and hypothetical judgments in deductions. Moreover, proofs are reified as objects which allows properties of or relations between proofs to be expressed within the framework [PfeQl].
Representations of systems involving state remained cumbersome until the design of the linear logical framework LLF [CP98] and its close relative RLF [IP98]. For example, LLF allows an elegant representation of Mini-ML with mutable references that reifies imperative computations as objects. LLF is a conservative extension of LF with the linear function type A-oB, the additive product type AkB, and the additive unit type T. This type theory corresponds to the largest freely generated fragment of intuitionistic linear logic [HM94,Bar96] whose proofs admit long normal forms without any commuting conversions. This allows a relatively simple type-directed equality-checking algorithm which is critical in the proof of decidability of type-checking for the framework {CP98, VCOO].
While LLF solved many problems associated with the representation of stateful computations, the encoding of concurrent computations remained unsatisfactory. In this report, we demonstrate that the hmitations of LLF can be overcome by extending the framework with a monad that incorporates the synchronous cormectives <8), 1, !, and 3 of intuitionistic linear logic. We call this new framework Concurrent LF (CLF).
The purpose of this report is to describe the language and meta-theory of CLF. Readers interested in examples of CLF representations can consult the companion report {CPWW02], which demonstrates the expressive power of CLF through a series of examples and, in particular, focuses on CLF's effectiveness for encoding concurrent programming paradigms.
Summary. The remainder of the report is organized as follows. Section 2 introduces the CLF type theory, including its syntax, equality judgments and typing judgments. Section 3 discusses how concurrent systems can be represented in CLF and how such representations improve on what is possible in LLF, and relates CLF to various other similar proposals. Section 4 describes CLF's instantiation and expansion operators, which permit the formulation of the framework without a notion of /37y-conversion, and describes the key meta-theorems on equality and typing. It also compares the formulation of the type theory seen here with previous accounts of LF and related type theories. Finally, Section 5 offers some concluding remarks.

A language of concurrent objects
In the LF tradition, the terms classified by types are called objects, and the terms classified by kinds axe called type constructors, among which are the types. CLF has two categories of types: the asynchronous types A and the synchronous types S. The asynchronous types include all the type constructors of LF and LLF, as well as a new monadic type constructor written {S}. The synchronous types, which are only allowed within the monad constructor, include further type constructors of intuitionistic hnear logic, all of which have let-style elimination rules. Intuitively, the monad restricts the availability of these elimination forms so that the question of commutative conversions between the eliminations and other terms of the type theory does not arise. Sections 2.3 and 3.3 describe this in further detail. The "(a)synchronous" terminology is due to AndreoU [And92]. DEFINITION

(TYPE CONSTRUCTORS)
A,B,C P S

.-A -<i B \Jlx: A. B \ A k B \T \ {S] \P Asynchronous types = a\ P N Atomic type constructors = Si<SiS2\l\Bx:A.S\A Synchronous types
The asynchronous types include the dependent function type Ux: A. B, the hnear function type A-oB, the additive product type AkB, and the additive unit T. The monadic type {S} acts as a coercion from the synchronous types into the asynchronous types. The atomic type constructors P include type constructor constants a and the type-level dependent application P N (where iV is an object).
The synchronous types include the other type constructors new to CLF: the multiplicative product type Si (8)82, the multiplicative unit 1, and the dependent pair type 3x:A. S. There is a trivial coercion from the asynchronous types into the synchronous ones. In addition, the exponential type ! of intuitionistic linear logic can be defined as a trivial dependent pair: \A = Bx:A.l.
The kind language of CLF is identical to that of LF and LLF. The symbol kind is also used on occasion to classify the valid kinds.
The first two categories of object are the normal objects N and the atomic objects R. These correspond to the quasi-canonical and quasi-atomic forms of LF object, respectively, as described by Harper and Pfenning [HPOO]. A normal object is a series of constructors applied to atomic objects, while an atomic object is a series of natural-deduction style destructors applied to a variable x or constant c. They include all the constructors and destructors of LF and LLF: the unrestricted function constructor Xx. N and destructor R N; the linear function constructor Xx. N and destructor R^N; the additive pair constructor (ATi, 7V2) and destructors TTi/i and 7r2i2; and the additive unit constructor ().
In addition, there is a constructor {E} associated with the monadic type. The remaining categories of object, the expressions E and monadic objects M, are associated with the monadic type and the additional linear type constructors 0, 1 and 3. They include the monadic binding form let {p} = i? in E; the multiplicative pair constructor Mi <8) M2 and pattern pi 181P2; the multiplicative unit constructor 1 and pattern 1; and the dependent pair constructor [N, M] and pattern [x,p]. The monadic binding form let {p} = R'\n E binds all the variables occurring in the pattern p within the expression E. Hence, it subsumes the destructors for 1, (g>, and 3. The purpose of the monadic type is to isolate these binding forms, which would otherwise have a catastrophic effect on the LF and LLF fragments of CLF, as explained in Section 3.2.
Terms which differ only in the names of their bound variables are considered to be the same. For the LF and LLF fragments of CLF, this is the only notion of equality: two terms are equal if and only if they are a-equivalent. But expressions differ from the other categories of object in that they are subject to permutative conversions by which the monadic bindings can be reordered: Of course, this rule is subject to the proviso that the bindings be independent: p\ and P2 must bind disjoint sets of variables, no variable bound by pi can appear free in Ri, and vice versa. The reordering of monadic bindings is the mechanism by which CLF admits an intrinsic description of concurrent computations. We think of each let binding as a single computation step. Computation steps appearing in a single expression that are independent in the above sense can be thought of as occurring concurrently.
The notion of equality on CLF objects could be characterized as the least congruence relation including the above equation schema. The reason is that having separate syntactic classes of objects and expressions eliminates any need for commuting conversions. (We do not think of the permutative conversions as being commuting conversions.) But we prefer to define the framework's equality in a slightly different way. The definition relies on the subsidiary concept of a concurrent context. The judgment Ej =c £'2 holds when Ei and E2 represent the same underlying concurrent computation even though their syntactic representations may differ. The rule marked (*) is subject to the side condition that no variable bound by p be free in the conclusion or bound by the context e, and that no variable free in R2 be bound by the context e. (It is always possible to globally a-convert terms being compared for equality in order to avoid running afoul of the side condition.) Then the equality on expressions Ei = E2 is simply defined to be concurrent equality. While the definition of concurrent equality is not presented symmetrically, it turns out to be symmetric. The judgments A^i = ^2, Ri = R2, Mi = M2, and Pi = P2 are characterized by simple congruence rules for each syntactic form, not shown. In Section 4.5 it is shown that equality is an equivalence relation. When it is necessary to refer to a-equivalence, as opposed to the framework's equality, the former will be denoted =.
The main advantage of this concrete definition of equality is that it is syntax directed. The sequence of rules to be applied is determined by the syntax of the term on the left, and the instantiation of the metavariables in the rule schemas is determined up to finitely many possibilities (in considering how to decompose an expression E on the right into €[E']). Hence it is manifestly decidable and lends itself to interpretation as an algorithm.

The type system of CLF
We present first the type system of the LF fragment of CLF, then extend it to the LLF fragment and finally the full language. Before presenting the typing judgments, it is necessary to introduce the notions of signature and context, which record assumptions about the types (or kinds) of constants and variables respectively. It is an invariant that variables added to signatures and contexts must be unique, and the metavariables for contexts always denote contexts with unique variables.
There is a typing judgment for each syntactic category, as well as validity judgments for contexts T and signatures E. Each of these judgments is defined in a completely syntaxdirected manner, so termination and decidability of typing is clear. For normal syntactic categories {N, A, K) the operational interpretation of the type-checking judgment is that a putative type is provided, and the judgment holds if the term can be typed with the given type. In particular, a normal term such as \x. x may have several different types. This stands in contrast to the typical presentation of LF, where type labels are used in abstractions to ensure that every term has a unique type. For the atomic syntactic categories {R, P) the situation is different: the operational meaning of the typing judgment is that it defines a partial function from an atomic term (in a given context and signature) to its unique type. The direction of the arrow -^ or =^ serves as a mnemonic for whether a type is being checked against or inferred, respectively.
In all cases the typing judgment is not considered to have any particular meaning unless the context and signature referred to in the judgment are valid. For the normal syntactic categories, the typing judgment is meaningless unless the type referred to in the judgment is valid as well. For the atomic syntactic categories, it will be proved that whenever a typing is derivable and the context and signature mentioned in the typing are valid, the type mentioned in the judgment is valid. The signature S subscripting the various judgments is often omitted-it is invariant in the course of a typing derivation. DEFINITION  The typing rules [IIKE] and [HE] involve the operation of instantiating a variable in a dependent type (or kind) with an object. In the first-order case, an ordinary captureavoiding substitution will suffice. However, since ;5-redices are not syntactically allowed in CLF, at higher type some computation must occur in order to find the term corresponding to the result of the instantiation. This is achieved by the instantiation operator inst_a^(x.B,7V), which computes the result of instantiating the variable x in the type B with the object N. The instantiation operator is indexed by the type A of the object being substituted. In the first-order case, we have that inst_aa(x.B,iV) = [N/x]B, but at higher type, more complex situations arise: inst_aa_+a(a;. b (Aj/. c (a: (x y))), Az. d z) = b (Ay. c (d (d y))) The instantiation operators for each syntactic category are defined in Section 4.1.
In contrast to the usual presentation of LF typing, there are no type conversion rules (which would fail to be syntax directed). Instead, there is an appeal to the equality judgment in the rule [=>>^] for the coercion from atomic objects to normal objects. In Section 4.5 type conversion for the typing judgments for normal syntactic categories is shown to be admissible.
In order to extend the type system to the LLF fragment, we introduce a new context for linear hypotheses. We depart sfightly from the concrete syntax in adhering to the usual convention that a metavariable like A denotes an equivalence class of hnear contexts up to rearrangement. Note that there is no issue of dependency, as there would be in rearranging an unrestricted context T, because types cannot depend on hnear variables. The typing judgments for objects must be modified in order to account for linear hypotheses-the new formulation depends on a pair of contexts F; A in the style of dual intuitionistic linear logic [Bar96]. The following definition includes all the inference rules from the LF fragment that have to be revised for this reason. Note that type constructors and kinds never depend on linear variables. DEFINITION   There are additional judgments for the validity of pattern contexts and synchronous types, and for typing expressions and monadic objects. Note that pattern contexts '$' are ordered but do not allow dependencies. DEFINITION  A summary of all the judgments and rules of CLF can be found in Appendix A.

Related work
As noted above, CLF includes the LF and LLF frameworks as fragments, where the CLF counterpart of an LF or LLF object is its canonical form with type labels omitted. The CLF extension is conservative; anyone who knows how to use LF or LLF can bring their (canonical) specifications to CLF and use them without modification. There is a further "modularity" property: given an LF or LLF signature Ei and a disjoint CLF signature S2, both of which are vaUd, and a type A well-formed in Si, the set of objects of type A in El, E2 is the same as the set of objects of type A in Ei alone. ^ The LLF framework was motivated as the largest fragment of intuitionistic linear logic having a proof term assignment without commuting conversions [Cer96]. The equational theory that would be associated with commuting conversions was seen as intractable. Pfenning and Davies note that the commuting conversions of Moggi's monadic metalanguage [Mog89, Mog91] can be eliminated by creating a new typing judgment associated with a new class of object, the expressions [PDOl]. They exhibit a compositional translation from the monadic metalanguage into their proof term assignment for lax logic [FM97]. 'The modularity result does not hold for arbitrary disjoint CLF signatures Ei and Ez-It could be recovered by replacing the monadic type constructor with a countably infinite family of "tagged" monadic type constructors and requiring that the sets of tags mentioned in Ei and S2 be disjoint.
The translation takes monadic metalanguage terms related by commuting conversions into identical terms of the target language. CLF exploits their idea to ehminate commuting conversions that would otherwise be associated with the monadic type and the synchronous types. The monadic type constructor {5} would be written OS in lax logic.
Further remarks on how CLF relates to frameworks outside the LF family appear at the end of the following section.
3 Toward a methodology for representing concurrent systems The following are a few remarks on the methodology associated with the CLF language. For further details, the reader may consult the companion report on applications [CPWW02]. A logical framework in the LF tradition is not only a type theory. It is also a methodology for representing the deductive systems of interest within that type theory {Pfe99]. The LF methodology represents object-language judgments by LF types and object-language deductions by LF objects. Other syntactic entities of the object language (propositions, expressions, types, etc.) are also represented by LF objects. In each case an adequacy theorem establishes that there is a compositional bijection between well-formed entities of the object language and well-typed canonical objects in LF (of a certain type). The higher types and dependent types available in LF assist in this task: LF abstraction models objectlanguage binding, a-conversion, and substitution ("higher-order abstract syntax" [PE88]); LF abstraction also models hypothetical and parametric judgments of the object language; and LF dependent function types enforce well-formedness constraints on object-language deductions.
For this reason, LF representations do not need to deal explicitly with matters of variable binding and a-conversion, and certain kinds of errors in specification associated with such binding constructs are impossible to make. Similarly, LF representations do not need to explicitly encode the relation between an object-language deduction and the proposition that it proves--the proposition that a deduction proves becomes an intrinsic part of its (dependent) LF type. In this way, proof chedcing reduces to LF type checking, which is decidable and efiicient.
Linear LF seeks to expand these benefits to the case of linear hypothetical judgments. Linear hypotheses make mutable state an intrinsic part of the framework. When representing an object system involving mutable state, it is not necessary to represent the state as an exphcit object, nor to explicitly specify operations for adding information to the state, changing it, or withdrawing information from it. This idea takes on a particularly simple form when the state consists of the presence or absence of any of a set of discrete resources, as in the following example.

An example; Petri nets with labeled tokens
Here we consider a simple example of an object system involving state: a Petri net {Pet62] with labeled tokens. Such a Petri net consists of a directed bipartite graph of places and transitions. A state of the net consists of a mapping from a finite set of tokens, each uniquely labeled, to the places.^ A computation step consists of choosing a transition, removing a ^One requirement of the LLF representation methodology, when applied to systems involving discrete sets of resources, is that the resources be distinguishable. Hence the tokens of the Petri net must carry token from each of its antecedent places, and adding a fresh token to each of its succedent places. A transition cannot be chosen if any of its antecedent places has no tokens.
For example, Figure 1 shows a labeled Petri net with six places and four transitions. Our simple representation of the net in the LLF fragment of CLF models the places by LLF type constants and the transitions and tokens by LLF objects. Each token has a type corresponding to the place in which it is located. (A more sophisticated representation might model places as objects and introduce a two-place judgment "token x is in place y.") The transitions are linear functions in continuation-passing style, "consuming" linear hypotheses associated with the antecedent places and introducing new linear hypotheses associated with the succedent places. A type G represents the continuation. Thus we have the following signature: The adequacy theorem for this representation states: Final state gi,..., Qn can be reached from initial state pi,...,Pm iff there is an object N such that

Moreover, there is a bijection between sequences of firings of the transition rules of the Petri net and such canonical objects.
Two examples of such objects are as follows. The first represents the firing of R following by the firing of A in the shown initial state. The second shows the same firings in the opposite order. Here the abbreviation %xuX2, ...,Xn.N stands for a curried sequence of hnear A-abstractions. The outermost A-abstractions have been elided, unique labels. It is possible that proof irrelevance (PfeOla] could offer a way of modeling indistinguishability.
n'^r, m^n, 712'?n, ^i^b, ftj^b, 63%, ai^a The benefit of the LLF methodology is clear: it is not necessary to explicitly manage a "list" of tokens and axiomatize operations for adding and removing tokens from the list, as one would have to do in LF. In LF one would also have to prove various interaction laws for the token-list-managing operations; in LLF, the required principles are proved once and for all as structural laws of the framework's linear hypothetical judgment. However, there is also room for improvement. We might have hoped for an adequacy theorem relating LLF objects to concurrent computations of the Petri net, that is, equivalence classes of computations under rearragement of independent steps. But this strengthened adequacy theorem does not hold. For example, the two LLF terms above correspond to computations diflFering only in the order of independent R and A steps: no labeled token indexing the R step is involved in the A step, and vice versa. But the structure of the LLF representation nonetheless requires that the two orderings be represented by different terms. In essence, the continuationpassing style of the representation forces a sequentialization of the computation.

Representing LPNs in CLF
It is tempting to think that this issue can be solved by adding more coimectives to the framework. Why not work with a framework containing a full complement of linear logical operators (including 1, A®B,\A) and replace The underlying problem is that the destructors associated with these synchronous types involve "polymorphic" binding constructs that do not constrain the type of the object 'Examples such as (Ai. let 1 = x in z : 1 -0 nat) show that the term above cannot simply be equal to z. resulting from the binding. CLF's monadic type extracts us from this difficulty by restricting the awkward binding constructs to the monad. This encapsulation protects the pure LF and LLF fragments of CLF from the new constructs. All encodings already devised for LF or LLF remain adequate, and their adequacy proofs can remain exactly the same. Furthermore, as has already been noted, the separation between expressions and object rules out commuting conversions, simplifying the equational theory.
Using CLF's multipUcative conjunction ®, our transition rule can be rewritten as where currying eliminates the use of ® on the left-hand side. The multiplicative unit 1 covers the case n = 0. Though it does not arise here, a modified model of Petri nets might also have transitions generating elements of persistent (umestricted) type. In that case we would have exponentials \q on the right as well. (Exponentials on the left can be curried away using the unrestricted function type.) As an aside, while one might think that the presence of the exponential type constructor! would render the intuitionistic function type A -^ B definable by {\A} -o B, this is not in fact the case. As a simple counterexample we may see that while a -^ a (a being an uninhabited atomic type) is inhabited by Thus, in CLF, the Petri net example is represented almost as in intuitionistic Unear logic, except that the right-hand sides of the linear implications use the monad.
The two example Petri net executions shown above in the LLF encoding correspond to the following objects in the new encoding: A = ri^,ni^n,n2^n,6i'?6,62^6,63^6,01^0 S = c(8>6® 6(8)71® n(8>n(8ip It is now easy to see that the two executions are equal. This idea is crystallized as an improved adequacy theorem: Final state qi,...,qn can be reached from initial state pi,...,Pm iff there is a object N such that Moreover, there is a bijection between concurrent executions of the transition rules of the Petri net and equivalence classes of such objects modulo =.
While at first this may seem a minor modification, it has far-reaching consequences. Experience with logical firameworks has shown many times that natural encodings lead to deeper understanding of the underlying logical and computational principles, while contrived encodings often do not shed much light on the subject of study. These advantages are multiplied when considering algorithms for manipulating the representations, for proof search, and for meta-theoretic reasoning, because the principles embodied in and provided by the framework have been factored out and do not need to be re-implemented for each encoding.
The representation principle for CLF, then, can be summarized by "concurrent computations as monadic expressions." Each computation step in a concurrent computation becomes a binding let {p} = R '\n E possibly "consuming" some linear hypotheses in R and "producing" more linear hypotheses in p, which will be available in the rest of the computation E.
While there is not space here to discuss more interesting examples of CLF representations, the companion technical report (CPWW02] contains examples including a fuller discussion of Petri net encodings; synchronous and asynchronous 7r-calculi; an ML-like language with references and concurrency in the style of CML; and the security protocol language MSR.

Related work
The LF representation methodology is discussed in detail in the handbook article on logical frameworks by Pfeiming [Pfe99]. Further examples of CLF representations, including a full development of the Petri net example, are in the technical report by Cervesato et al. [CPWW02]. The idea of representing Petri nets by linear hypothetical judgments has a long history, going back to Marti-Oliet and Meseguer [M0M91].
Monadic encapsulation in the context of functional programming and type theory begins with Moggi's monadic metalanguage [Mog89, Mog91]. Prawitz describes a proof theory formodal logics [Pra65], from which Moggi's presentation of the monadic metalanguage inherits. Pfenning and Davies [PDOl] revisit the question of proof theory for modal logic, reinterpreting it on the basis of a judgmental approach in the style promulgated by Maxtin-Lof [ML96]. Their approach improves on the original formulation of the monadic metalanguage in that commuting conversions are no longer needed. Their judgmental analysis of the modal operator of lax logic is the basis for CLF's modal type constructor and the associated CLF judgments. They do not, however, consider the existence of canonical forms, and their proof term language, unlike CLF, relies on /JTj-conversion.
There have been many other formalisms proposed for the representation of concurrent systems, many having elements in common with the CLF approach. Abramsky's "proofsas-processes" relates classical linear logic with the synchronous 7r-calculus [Abr93,BS94]. Here concurrent computation corresponds to proof normalization (cut elimination), giving the system a functional flavor. Concurrent computations (traces) are thus not reified as objects, as they are in CLF.
Closer to the CLF view are approaches in which logical formulas are identified with processes and proofs with concurrent computations. Thus, these are nearer to logic programming in the sense of proof search [MNPS91] than to functional programming. For example. Miller outlines a translation firom the 7r-calculus into linear logic: processes become LL propositions and :r-calculus reduction becomes LL entailment [Mil92]. These ideas are generalized and reformulated as a logical framework in Miller's proposal for the specification logic Forum [Mil96, Chi95]. Forum offers a paradigm for viewing logic programming as concurrent computation, and so it is likely that the logic programming interpretation for CLF will draw heavily from it. However, in Forum proofs cannot be manipulated as first-class objects-not even cut elimination is treated, let alone an equational theory on proofs. The same is true of LinLog [And92], LO [AP91], ACL [KY93], Lygon [HPW96], and LLP [HWTK98], all of which treat logic programming over other fragments of classical or intuitionistic linear logic.
Perrier describes how the basic idea of linear logic programming as concurrent computation can be improved by adopting proof nets [Gir87] rather than sequent calculus proofs as the fundamental computational objects [Per98]. Again, however, proof nets are treated only meta-theoretically-they are not first-class terms of the process language. The key foundational idea of Elf, that proofs should be just hke any other objects of the framework, does not apply.
Barber proposes a very general type theory based on hnear operators and proves decidabihty in the general firamework [Bar97]. Since the generahzation includes the DILL type theory and the action calculus as special cases, this immediately entails the decidability of the DILL type theory. However, there is no treatment of dependent types, nor would DILL be adequate for LF-style representations for the reasons outlined in Section 3.2. Also, the presentation does not seem to lend itself to concrete implementation as a mechanized framework. Finally, Barber's reliance on proof nets would seem to render the extension to additive sum types problematic, while for CLF it is straightforward, because the issue of commuting conversions (other than an appropriate generalization of the permutative conversions) does not arise.
Honsell et al develop perhaps the most significant application of a logical framework in the sphere of concurrency [HMSOl]. They present an encoding of the 7r-calculus in the Coq system, a framework based on a higher-order type theory with (co)inductive types, and work out some rather advanced meta-theory using the encoding. But this should be regarded as a tour de force, given that Coq offers no intrinsic support for reasoning about concurrency. Of course, even in CLF, abstract relations like the strong late bisimularity treated in their development would need to be treated explicitly. CLF's concurrent equaUty simplifies such reasoning; it does not obviate the need for it.

Some meta-theoretic results
The design of CLF is based on the idea that every syntactically well-formed term should be "canonical," and that the notion of /?77-conversion should be eliminated, in favor of simple inductively defined instantiation operators for instantiating a variable in a term with an object. Thus, in developing the meta-theory of CLF there is no need to consider issues such as confluence and normalizability per se. Instead, we define the instantiation operators by a manifestly terminating recurrence, and we focus on the simple algebraic laws that the instantiation operators satisfy, and on their interaction with the framework's notion of equality.
Another new element of this approach is an expansion operator taking an atomic object to the corresponding normal object at higher type. This is necessary because the coercion rule [=^<=] from atomic objects to normal objects can only be applied at base type. The expansion operator thus replaces the idea of 77-conversion.
Once the instantiation and expansion operators have been defined, and their algebraic properties characterized, it is possible to describe their relationship to the judgments for typing. It so happens that the instantiation operators witness the familiar substitution principles for typing (the transitivity of entailment, from the proof-theoretic point of view), and the expansion operator witnesses the identity principles for typing (the reflexivity of entailment).

Instantiation
The recurrence defining instantiation is based on the observation, exploited in cut elimination proofs on the logical side [PfeOO], but not so well known on the type theoretic side, that the canonical result of substituting one canonical term into another can be defined by induction on the type of the term being substituted. Accordingly, the instantiation operators are defined as a family parameterized over the type of the object being substituted. In the notation \nst.CA{x. X, N) this type A appears as a subscript. Here c is replaced by a mnemonic for the particular syntactic category to which the instantiation operator applies.
The variable x is to be considered bound within the term X (of whatever category) being substituted into. The operators defined in this section should be thought of as applying to equivalence classes of concrete terms modulo a-equivalence on boimd variables.
Together with the instantiation operators, and defined by mutual recursion with them, is a reduction operator reduce^(x. R, N) that computes the canonical object resulting from the instantiation of x with N in the case that the head variable h.ead{R) of the atomic object R is x. Thus, roughly speaking, it corresponds to the idea of weak head reduction for systems with /^-reduction. The instantiation operator inst_r^(x. il, AT), by contrast, is only defined if the head of R is not x. Another distinguishing feature is that reduction on an atomic object yields a normal object, while instantiation on an atomic object yields an atomic object.
Finally, there is a type reduction operator treduceyi(a:. R) that computes the putative type of R given that the head of i? is x and the type of x is A.'^ Type reduction is used in side conditions that ensure that the recurrence defining instantiation is well-founded.
The first definition covers the LF fragment of CLF. ^Actually, to be more precise, the type of R will be a substitution instance of treducey4(a;. ii). The instantiation operators do not keep tratck of dependencies within the type subscript. The recurrence defining these operators is based on a structural induction. There is an outer induction on the type subscripting the operators, and an inner simultaneous induction on the two arguments. Noting first that if treduceyi(a;. R) is defined, it is a subterm of A, the fact that the recurrence relations respect this induction order can be verified almost by inspection. The only slightly subtle case is the equation for reduceyi(x. R N, No), which is the only case in which the subscripting type changes. Here the side condition treduce^(a;. R) = Ux-.B.C ensures that B must be a strict subterm of A for the reduction to be defined. An instantiation such as inst_n^(a;. x x, Xx. x x) is guaranteed to fail the side condition after only finitely many expansions of the recurrence.
Another way in which an instance of the instantiation operators might fail to be defined would be if the recursive instantiation inst.ryi(a;. R, No) in the same equation failed to result in a manifest lambda abstraction Ay. N'. In fact, this could only happen if the term No failed to have the ascribed type A.^ So instantiation always terminates, regardless of whether its arguments are well typed, but it is not defined in all cases. After the meta-theory is further developed, it can be shown that instantiation is always defined on well-typed terms when the types match in the appropriate way.
No substantially new issues arise in the extension to the LLF fragment. In order to extend this idea to the full CLF language, with its pattern-oriented destructor for the monadic type, it is necessary to introduce matching operators match.cs{p-E,X), where X is either an expression or a monadic object. The matching operator computes the result of instantiating E according to the substitution on the variables of p generated by matching p against X. (The variables in p should be considered bound in E.) In the case that X is a monadic object Mo, this is straightforward: the syntax of monadic objects corresponds precisely to that of patterns. But in the case that X is a let binding, an interesting issue arises: The key is found in Pfenning and Davies' non-standard substitutions for the proof terms of the modal logics of possibility and laxity [PDOl]. These analyze the structure of the object being substituted, not, as in the usual case, the term being substituted into. The effect is similar to a commuting conversion: It is interesting that both non-standard substitution and pattern matching-^the latter not present in Pfenning and Davies' system-^rely in this way on an analysis of the object being substituted rather than the term being substituted into. In a sense, this commonahty is what makes the harmonious interaction between CLF's modality and its synchronous types possible. We interpret these recurrences as inductive definitions (adopting the least solution to the recurrence). The first theorem ensures that type reduction has been properly defined. There are also two lemmas, one of which, mentioned earlier, ensures that type reduction makes a type smaller. All are immediate by structural induction on the argument.

THEOREM 1 (DEFINABILITY OF TYPE REDUCTION)
The recurrence for type reduction uniquely determines a least partial function solving the recurrence.

then B is a subterm of A.
Now we can conclude that instantiation has been properly defined.

THEOREM 4 (DEFINABILITY OF INSTANTIATION)
The recurrence for the reduction, instantiation, and matching operators uniquely determines the least partial functions (up to a-equivalence) solving them.
Proof. The proof is by an outer structural induction on the type subscript, and an inner simultaneous structural induction on the two arguments. D

Expansion
The expansion operator is specified by the following equations. In some cases 2. Given S, there is a pattern p, fresh with respect to any given set of variables, such that pexpand5(p) is defined.

The recurrence for expansion uniquely determines it as a total function up to aequivalence.
Proof. The first part is by induction on S. The second and third parts are by induction on the type subscript, using the first part to ensure that the result of expand{5.j(i?) is unique up to a-equivalence. D

On decidability
The next few meta-theoretic observations are on the decidability of the fundamental operators and judgments of the theory. We begin with equality. Recall that equality is totally independent of typing and is syntax directed.

Given E\ and E2
, it is decidable whether E\ = JS2.

Given Pi and P2, it is decidable whether Pi = P2-
Proof. The proof is by simultaneous structural induction on the subjects of the judgments. The judgments have been placed in the proper order of precedence in view of the trivial coercions from /? to AT to M to E. For example, J?i = R2 is below Ni = N2 only if each of Ri and i?2 is a subterm of either A^i or N2, but A^i = N2 is below Ri = R2 only if each of Ni and N2 is a strict subterm of either Ri or R2. In the case of Ei =c E2 it suffices to note that any E2 can be decomposed as e[£;^] in only finitely many ways. □ The next theorems are on the decidability of instantiation and expansion. Instantiation and expansion are both syntax directed and terminate on arbitrary terms and type subscripts. There is no requirement that the terms or type subscript be valid or that the type subscript have any particular relationship to the terms. The proofs are immediate by the same induction schemes as for the definability theorems.

THEOREM 7 (DECIDABILITY OF INSTANTIATION) It is decidable whether any instance of the instantiation and matching operators is defined, and if so, it can be effectively computed.
THEOREM 8 (DECIDABILITY OF EXPANSION) 1. Given S, a pattern p can be effectively computed such that pexpands(p) is defined and can be effectively computed. The pattern p can be chosen fresh with respect to any given set of variables.

Given A and R, the result 0/expand^(H) can be effectively computed.
The fact that instantiation and equality are decidable leads directly to the decidability of typing in the framework, since the typing rules are syntax directed and appeal only to instantiation and equality. LEMMA 9 (UNICITY OF INFERENCE) 1. There is a partial function typeof(r; A I-J?) such that whenever T; A \-R =^ A holds, A = typeof(r; Ah R). Given T, A, and R, it is decidable whether typeof(r; A\-R) is defined, and if so, it can be effectively computed.

There is a partial function kindof(r h P) such that whenever T \-P =^ K holds, K = kindof(r h P). Given T and P, it is decidable whether kindof(F h P) is defined, and if so, it can be effectively computed.
Proof. Immediate by the facts that typing is syntax directed, instantiation is a partial function, and instantiation is computable. LJ

LEMMA 10 Suppose that for all T' and A' it is decidable whether F'; A'\-E<-S. Then it is decidable
whether T; A; * h £? <-5.
Proof. The induction is on the number of type constructors in ^. □ THEOREM 11 (DECIDABILITY OF TYPING) l. GivenT, A, R, and A, it is decidable whether T;A\-R=^A.

4-Given T, A, E, and S, it is decidable whether T; A \-E <-S.
5. Given T, P, and K, it is decidable whether T\-P =^ K.

Given T and A, it is decidable whether T\-A <= type.
7. Given T and K, it is decidable whether V \-K <= kind.
8. Given E, it is decidable whether f-E ok. 9. Given V, it is decidable whether h F ok.

Given F and ^, it is decidable whether F f-$ ok.
Proof. The proof is by structural induction on the subject of each judgment. In order to decide F; A I-iJ <= P, we test whether typeof It is characteristic of this approach to the type theory that such decidability theorems can be proved before any of the other meta-theory is developed, and that they do not depend in any way on the various terms involved being valid. The most important reason is that every judgment and algorithm of the theory is syntax directed.

Composition
A novel element of the meta-theory is the need for composition theorems for the instantiation and expansion operators. These correspond to the usual categorical axioms of Mt and right identity and associativity (slightly modified because we instantiate a single variable at a time rather than all free variables). In a language admitting non-canonical forms these are trivial, since the identity principle is witnessed trivially, and there is a composition law for syntactic substitution:

[Mi/xi][M2/X2]M3 = [m/xi]M2]{Mi/Xi]M3
The main theorem of this section is a corresponding law for instantiation. We begin with a number of lemmas. Note that the following theorem holds without assuming that the terms involved are well-typed. Proof. The proof has many cases but is straightforward. D

On equality
The following theorems show that the framework's equaJity is an equivalence relation. Proof. The proof is by structural induction on the derivation of the first assumption. For the part involving concurrent equality we appeal to the inversion principle. D It is the restriction to canonical forms inherent in the syntax of CLF that malces it possible to define equality and prove such a result without any reference to the typing judgments.
Now we go on to show that all of the primitive operators and judgments of the theory factor through the equivalence relation on well-typed terms induced by the equality judgment. (Recall that we do not ascribe any particular meaning to the equality judgment unless the terms involved are well-typed.) This licenses us to think of them as being defined on the equivalence classes.
First, however, we introduce a stronger version of concurrent equality, needed to stage the proofs. Strong concurrent equality only allows rearranging let bindings at the top level structure of an expression, rather than deep within it. DEFINITION  Again the rule marked (*) is subject to the side condition that no variable bound by p be free in the conclusion or bound by the context e, and that no variable free in R be bound by the context e. We have that strong concurrent equality is reflexive, symmetric, and transitive, by essentially the same arguments as for the original concurrent equality.

THEOREM 25
Strong concurrent equality is an equivalence relation.
Strong concurrent equality, as the name suggests, is a special case of concurrent equality. This follows from the reflexivity of framework equality.
We also have the following lemmas. LEMMA  Proof. The proof is by induction on Ei. In the case Ei = Mi we appeal to the composition law for instantiation. Otherwise we appeal to the preceding lemma. D The utility of strong concurrent equality is that the following theorem can be proved immediately.

THEOREM 30
In each of the following cases, the resulting equality holds assuming that one side or the other is defined. Proof. The proof is by an outer induction on the type subscript. The first part also uses an inner induction on e, the second part uses an iimer induction on the derivation of E =s E', and the last part uses an inner induction on EQ-D We are now in a position to prove the "functionality" of instantiation with respect to equivalence classes modulo the firamework's equality. We extend equahty to types and kinds by the natural congruence rules.

THEOREM 31 (FUNCTIONALITY FOR INSTANTIATION)
In each of the following cases, the resulting equality holds assuming that one side or the other is defined. Proof. The proof is by induction on A. □ The functionahty of instantiation immediately leads to a similar result for the typeof and kindof operators of Lemma 9. We extend equality to contexts and signatures in the obvious way. LEMMA 33 // E = E', r = r', and A = A', then typeof (F; A Hs fi) = typeof (F'; A' f-^' R) and kindof (F hj; P) = kindof (F' h^/ P), supposing one or the other side is defined.
It is characteristic of the syntax-directed approach that the following theorem holds even when the contexts, etc. Eire not valid.
Proof. The theorem is proved by induction over the assumed typing derivation, using Lemma 9. D

On typing
Now we can go on to prove the substitution and identity principles for CLF, and that they are witnessed by the instantiation and expansion operators. The instantiation operators are extended to contexts in the obvious way. Again, the theorem holds even when the contexts are not valid. This result is mutually dependent on many other substitution theorems for the other syntactic categories. Space considerations preclude the incorporation of the proof here. It is notable that although the theorem as a whole does not assume the contexts are valid, in each case "just enough" information about the validity of various terms is available in order to make the induction go through.
Note that the presence of the type subscript to the instantiation operators is redundant if the objects involved are known to be well typed, since the types generated as reduce decomposes a well-typed object will always be what they are required to be. An optimized type checker can take advantage of this by staging the process of type checking so that it is an invariant that whenever an instantiation is apphed the objects involved are known to be well typed. The fact that this is possible is evident upon examination of the flow of information through the typing rules.
The following theorem can be proved by a simple structural induction.
It is worth recalUng that the substitution and identity principles are are needed to ensure that the type theory makes sense, since the syntatic restrictions inherent in CLF make it impossible to generate proofs of ^ -^ >1 or to compose proofs of A-^ B and J3 -> C in any other way.

Related work
With one exception [Fel91], prior presentations of LF and LLF have been based on a syntax in which not every term is canonical. A difficulty is that equality cannot then be axiomatized in a manifestly decidable, syntax-directed way. In their original presentation of LF, Harper et al. define equality in terms of/3-convertibihty, and do not address 77-conversions [HHP93]. Strong normalization ensures that this notion of equality is decidable. However, the 7?conversions pose a special difficulty because of the lack of confluence for /377-reduction in the case of non-well-typed terms. Since LF typing is dependent on equality, the attempt to define an equality based on /3r/-reduction leads to a Catch-22. Coquand [Coq9l] tests /377-convertibility in LF using untyped /3-reduction and extensionality, which is applied when comparing a A-abstraction to a non-abstraction. However, this method fails when a unit type is present-as in LLF-because it may be necessary to apply extensionality even when neither of the terms being compared is a manifest unit introduction.
Cervesato's presentation of LLF avoids the 77-conversion problem by restricting the syntax to 7?-long terms (Cer96]. The equality of the framework is still defined in terms of /^-reduction. This is possible because the ;5-reducts of 7?-long terms are 77-long. Goguen proposes an elegant theory based on a typed notion of reduction [Gog94,Gog99]. An operational semantics based on this typed reduction is then shown to be decidable, and equivalent to a (not manifestly decidable) axiomatization of equality from first principles such as extensionality. However, being based on 7y-reduction, this approach does not decide equality by an analysis of canonical forms, which are 77-long. This conflicts with the LF representation methodology, which emphasizes the primacy of canonical forms in constructing representations and proving their adequacy.
Ghani [Gha97] uses a typed rewriting relation similar to Goguen's operational semantics but with 7j-expansion rather than 77-reduction. This leads to a more pleasant theory, especially given that normal forms with respect to Ghani's rewrite rule are canonical. Harper and Pfeiming [HPOO] also adopt an approach similar to Goguen's, in that equality is defined axiomatically and shown to be equivalent to a decision procedvu-e. Their method improves on Goguen's in that the decision procedure is based on transforming a pair of terms simultaneously into canonical form. It oflFers the further advantage that the transformation into canonical form is incremental and can be aborted as soon as it is evident that the canonical forms of the two terms being compared will not be the same, an important concern for efficient implementation.
Felty has described a canonical LF in which only canonical forms are well-typed [Fel91]. This offers a number of advantages over other approaches: equality itself need not be axiomatized at all, because terms are equal just when they are identical (up to a-equivalence). And the representation methodology has an attractive simphcity: one establishes a compositional bijection between object-language terms and LF objects of a given tjrpe. One need not restrict the range of the bijection to "canonical LF terms" because every term in canonical LF is "canonical." However, Felty's development falls back on untyped /3-reduction in order to define the typing judgment on canonical terms, so a syntax of non-canonical terms ends up being reintroduced after all, and strong normalization and confluence for the non-canonical forms must be proved. Thus, the canonical language cannot be considered foundational.
Relative to these prior developments, a contribution of this work is to elaborate a foundation for LF and LLF that preserves the attractive features of Felty's canonical LF, while eliminating entirely its dependence on non-canonical terms and j0-reduction, in favor of a instantiation operator taking canonical terms into canonical terms. The key observation is that the instantiation operator can be defined in a manifestly terminating, syntax-directed way, even over ill-typed terms. This essentially eliminates the mutual dependence of typing and equality-since extensionality principles depend on typing-^that is inherent in Goguen's or Harper and Pfenning's work. However, it is important to stress that this approach provides only a foundation. An efficient implementation would need to reintroduce defined constants and explicit substitutions, each of which would make the equality on the LF fragment non-trivial again. But in contrast to previous approaches, the framework is defined without any reference to such "non-canonical" forms: it can scale up to include them, but its foundation is independent of them.

Conclusion
We have seen that representations of concurrent systems can be succinctly and straightforwardly constructed using a logical framework with a notion of equality that models concurrency. We have shown that the framework is decidable and investigated its metatheory. We hope that the result of this work will be a concrete language in which it is as unnecessary to specify or think about the low-level mechanics of the representation of con-current computations as it would be to specify or think about matters of a-conversion and capture-avoiding substitution in LF. Furthermore, it is to be hoped that the direct, modular and scalable account of the type theory proposed here will provide a soUd foundation for future explorations within the LF family of frameworks, of ideas such as proof irrelevance and ordered hypothetical judgments.  The rule marked (*) is subject to the side condition that no variable bound by p be free in the conclusion or bound by the context e, and that no variable free in R2 be bound by the context e.