Under Consideration for Publication in J. Functional Programming Correctness of Compiling Polymorphism to Dynamic Typing

The connection between polymorphic and dynamic typing was originally considered by Curry, et al. in the form of " polymorphic type assignment " for untyped λ-terms. Types are assigned after the fact to what is, in modern terminology, a dynamic language. Interest in type assignment was revitalized by the proposals of Bracha, et al. and Bank, et al. to enrich Java with polymorphism (generics), which in turn sparked the development of other languages, such as Scala, with similar combinations of features. In that setting it is desirable to compile polymorphism to dynamic typing in such a way that as much static typing as possible is preserved, relying on dynamics only insofar as genericity is actually required. The basic approach is to compile polymorphism using embeddings from each type into a universal 'top' type, dyn, and partial projections that go in the other direction. This scheme is intuitively reasonable, and, indeed, has been used in practice many times. Proving its correctness, however, is non-trivial. This paper studies the compilation of System F to an extension of Moggi's computational metalanguage with a dynamic type and shows how the compilation may be proved correct using a logical relation.


Abstract
The connection between polymorphic and dynamic typing was originally considered by Curry et al. (1972, Combinatory Logic, vol. ii) in the form of "polymorphic type assignment" for untyped λ-terms. Types are assigned after the fact to what is, in modern terminology, a dynamic language. Interest in type assignment was revitalized by the proposals of Bracha et al. (1998, OOPSLA) and Bank et al. (1997, POPL) to enrich Java with polymorphism (generics), which in turn sparked the development of other languages, such as Scala, with similar combinations of features. In such a setting, where the target language already has a monomorphic type system, it is desirable to compile polymorphism to dynamic typing in such a way that as much static typing as possible is preserved, relying on dynamics only insofar as genericity is actually required. The basic approach is to compile polymorphism using embeddings from each type into a universal "top" type, D, and partial projections that go in the other direction. This scheme is intuitively reasonable, and, indeed, has been used in practice many times. Proving its correctness, however, is non-trivial. This paper studies the compilation of System F to an extension of Moggi's computational meta-language with a dynamic type and shows how the compilation may be proved correct using a logical relation.
This research is sponsored in part by the National Science Foundation under Grant Number 1116703. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. Interest in polymorphic type assignment was revitalized by the proposals of Bracha et al. (1998) and Bank et al. (1997) to enrich Java with polymorphism (generics), which then inspired similar treatment of generics in languages such as C and Scala. Such languages are statically typed, but feature a universal type (Object in Java, but herein called D) of dynamically typed values. The question arose as to how to compile these extensions, given that little or no change could be made to the language's established monomorphic run-time structure. Abstracting from the language-specific details, the question may be re-phrased as: How to compile System F to a simply typed language D with a type of dynamically typed values while preserving static type information as much as possible?
Classical type assignment effectively erases static types, mapping everything to the universal type D, which is unsatisfactory. We would rather, for example, translate the monomorphic doubling function λx:nat.x + x to essentially the same typed code λx: N.x + x in the target, reserving dynamic typing, and its associated run-time costs, to the translation of code that actually uses polymorphism. The ideal translation of a System F type A into a D type A † will preserve the structure of A, except that source language type variables, X, will be mapped to the target type D. This immediately raises the question of how to relate (A[B/X]) † to A † , which is to say how to manage polymorphic instantiation. Indeed, this is the heart of the translation given by the aforementioned authors.
The translation relies on the existence of an embedding, i, of each D type into the type D, equipped with a corresponding projection, j, which recovers the embedded object, which is to say that j is post-inverse (left-inverse) to i, up to observational equivalence, j • i ∼ = id. In the case of compiling to the JVM, i would be realized by an upcast to Object and j by a (possibly failing) downcast from Object. Notice that j is not also pre-inverse (right-inverse) to i, that is, i • j ∼ = id, because there is no reason to expect that an arbitrary value of type D lies in the image of the embedding i. In order-theoretic terms, every D type is a retract of D, with retraction given by the idempotent composition i • j : D → D.
The embedding of every D type into D lifts functorially into an embedding, I, from (A[B/X]) † to A † , accompanied by a corresponding projection, J, going in the other direction. These lifted embeddings and projections are used to mediate polymorphic instantiation. Consider the polymorphic identity function ΛX.λx:X.x of type ∀X.X → X in System F which is then translated to λx:D.x of type D → D in the target language. An instantiation of this polymorphic function at the type N is translated to the following function of type N → N: where i nat and j nat are, respectively, the embedding and the projection for N. The pre-and post-compositions with the embeddings and projections arise from the functorial action of the type constructor X → X, thought of as a function of X. The projection to type N → N requires that we embed the argument into D, execute the translation of the polymorphic identity, and project the result back to N. This function is observationally equivalent to the identity on N, because the context may only provide natural numbers as arguments, and expect natural numbers as results.

Our contribution: correctness proof
At a very high level, the form of our proof is that of an adequacy theorem for a paradigmatic denotational metalanguage with dynamic typing (which we call D) with respect to an operational semantics (represented by conversion rules) of a paradigmatic polymorphic calculus (which is System F).
Using embeddings and projections, as sketched above, we can give a straightforward translation of System F into D. The goal of the correctness proof is to show that an expression and its compilation are appropriately related. The contribution of this work is in the method of proof. In the literature, we identified two relevant results, neither of which are readily applicable to the present problem: • Meyer & Wand (1985) give a logical relation argument for correctness of continuation-passing style translation for the simply typed lambda calculus, but our projection j is not an pre-inverse (right-inverse) of i as in their work. • Igarashi et al. (2001) show the correctness of compiling generics in (core) Java, but their treatment seems inextricable from the source language, Featherweight Java, which involves a number of object-oriented concepts such as a class table.
Here, we present a carefully formulated parametric logical relation that directly relates terms with their translations, together with a key lemma that captures the way in which the relation respects the embeddings and projections. This is, to our knowledge, the first correctness proof of this method of compiling polymorphism in System F to dynamic typing. Compared to the bisimulation theorem by Igarashi et al. (2001), our logical relation (cf. Lemma 7) additionally permits foreign functions as long as they follow the embedding and projection invariants specified in the logical relation, which may be seen as a technical advantage.

Languages
Throughout the paper, we work modulo α-conversion. So bound variables are assumed to be renamed if collision would happen in substitutions, and variables appearing in contexts are always distinct.

Source language
Our source language is System F, the Girard-Reynolds polymorphic lambda calculus. As in Girard's original formulation, we include a base type of natural numbers. In our case, they provide the observable outcomes that are used to distinguish programs. The syntax, the typing rules, and the conversion rules are shown in Figure 2. We say a type A is closed if · A. The calculus is presented with β-conversions (≡ β ), a thin abstraction over reductions or the operational semantics. It is compatible with both the call-by-value and call-by-name reductions, or any reasonable operational semantics because the calculus is strongly normalizing.

Target language
Our source language is pure and strongly normalizing, but the target language has to have some effects. First, the presence of a universal type that will essentially be a model of an untyped lambda calculus means, because one can express fixed point combinators, that the target has to include non-terminating expressions. Second, there needs to be some error mechanism in the target, which we can invoke when projections from the universal type should fail.
Once the target has side-effects, we have to decide how eager to make the translation. For System F, any sensible translation will have a corresponding correctness theorem that shows, among other things, that the translation of a closed source program actually never exhibits any effects, but different translations can nevertheless translate a source term into ones that can be distinguished in the target. Here, we choose to work with a call-by-value translation, as that is what one would want to use in the most common real-world situation, in which the source language also has some effects, and has a call-by-value semantics.
We could take the target to be a monomorphic ML-like language with a particular universal type and notion of error. That would work out perfectly well, but we instead translate directly into a slightly more explicit metalanguage for the semantics of such a language, namely a version of Moggi's (1991) computational metalanguage, λML T . The computational metalanguage is a simply typed lambda calculus with a type constructor, T(·), corresponding to a strong monad with an injective unit; we further add a universal type and errors. See Figure 3 for the relevant fragment of its syntax, typing rules, and equations.
The equations for D should be understood as real denotational equalities. The source language System F is treated more syntactically: The translation is defined structurally on actual terms (just modulo α-conversion) and we only later show that it respects β-conversions in the source language as a separate lemma. (We say a relation is admissible if it respects β-conversions (Equation (1) on page 12), and the admissibility of the translation relation is stated as Lemma 4.) Taking D to be the computational meta-language is largely a matter of taste, but has some advantages. We will be doing a great deal of equational reasoning and, unlike a call-by-value lambda calculus, λML T satisfies unrestricted β and η laws. The fastidious distinction between value types, D, and computation types, T(D), means that the type system makes it clear where there is a possibility of an error or divergence and where there is not, so various erroneous definitions one might make simply will not typecheck. And finally, we can be generic in exactly what the monad is-the proof will work for any T(·) that satisfies the equations we use.
As mentioned above, the monad is used to account for the possibility of divergence that is forced by the presence of a universal type, and also for the runtime errors that should arise, for example, when one injects a function value into the universal type and then attempts to project (cast) it back out as a natural number. We will require that T(·) comes equipped with a polymorphic constant err : T(D) for any D, but there are many concrete examples of monads that will suit our purposes. For example, in the category of ω-cpos (predomains) 1. take T(D) = D ⊥ , the lifting monad, and err = ⊥, so dynamic errors are just modeled by divergence; 2. take T(D) = (1 + D) ⊥ , the lifted error (maybe, option) monad, and err = [inl( * )], so dynamic errors are modeled by a terminating, failing computation.
But everything that follows works for any monad that satisfies our conditions. We write [·] for the unit of the monad and also abbreviate the usual monadic bind construct let x ⇐ d in e by just x ← d; e. The target language D has a base type N for the natural numbers. If n : N is a numeral, we write n for the corresponding System F normal form suc(. . . (suc(z)) . . .). subject to the equations listed in Figure 3. We know these requirements are consistent, as they can be canonically satisfied by taking D to be the least solution to the where roll(·) and unroll(·) are the components of the isomorphism in the solution of the equation for D. However, nothing that follows relies on any domain theory: We just need the equations. It is interesting to observe that the correctness of the translation does not actually require any interesting properties of errors. In particular, we do not need to specify that err is natural, that the monad is strict in errors (i.e. that x ← err; d = err), or even that errors are disjoint from values (∀d, err = [d]), though these properties do hold for our examples of concrete monads. Indeed, one could remove errors entirely, replacing them with arbitrary default values, without materially affecting what follows. The reason for this is that the correctness theorem only talks about error-free behavior-if everything in the context is error-free then the translated term is also error-free-so the precise nature of errors is not very important. But in a more practical setting, one would want to use a well-structured error mechanism.

Translation
The translation and interpretation of types follows Moggi's (1991) call-by-value translation, with type variables interpreted as the universal type, D. This is shown in Figure 4.

Embeddings and projections
Before we can define the translation of terms, we need some auxiliary definitions on the target side. First, we have an embedding, i, and a projection, j, mapping between A † and D for each source type A. The definitions are shown in Figure 5. Note that the embedding is total (any value of type A † can be mapped into the universal domain), although the projection is partial, which is why the monad appears in the return type. Only well-behaved elements of D may be mapped back to A † ; projecting an ill-behaved value may fail immediately or, in the case of function types, when the projected value is later actually applied.
An embedding followed by the corresponding projection is always morally the identity (actually, the unit of the monad):

Lemma 1
For any System F type A and D term x : A † ,

Proof
Induction on the structure of A.

Lifted embeddings and projections
The translation A † of a type A with a free type variable X has D in positions corresponding to the occurrences of X in A. Type application in the source involves substitution of a type B for those occurrences of X; translating the application requires the use of functions J B X.A from A † to T(A[B/X] † ), the monad applied to the translation of the substituted type. The result is wrapped in the monad because Dvalues produced by the argument in places corresponding to positive occurrences of X in A are not necessarily well-behaved. Just as with the embeddings and projections of the previous section, the definition of J B X.A is not only inductive on A, but mutually inductive with that of a function going in the other direction, The definitions are shown in Figure 6.
The following is a lifted version of Lemma 1.

Lemma 2
If Δ, X A and Δ B, then for any D term d : .

Proof
Induction on the structure of A.

Term translation
Just as was the case for types, the translation (·) * of terms in context is Moggi's usual call-by-value translation, extended to use J B X.A to translate type application. The formal definition is shown in Figure 7.
Note that uniqueness of typing in the source language ensures that the type A appearing on the right-hand side of the application case is uniquely determined, so this is indeed a good definition. It is also appropriately typed:

Logical relation
If B is a closed source type, write CT(B) = {M | ·; · M : B} for the set of closed terms of type B. Given R ⊆ CT(B) × D, a relation between closed source terms of type B and elements of D, then we say R is admissible if it respects the equivalence of the source language; that is We write Δ w to mean that the type environment w is a map from the finite set of type variables Δ to pairs comprising a closed type and an admissible relation on that type. Formally, If Δ = ·, X 1 , . . . , X n and w(X j ) = (B j , R j ) for each 1 6 j 6 n, then we define the for each A such that Δ A, by mutual induction on A as shown in Figure 8. The relation T R w A is a particular choice of "monadic lifting" of the relation R w A . Figure 8 also defines Fig. 8. Logical relations the shorthand R w A , which relates source terms to target values of type D. We will have (A[B j /B j ], R w A ) ∈ F . Observe that, as in previous work on relationally parametric models of polymorphism (Reynolds, 1983), the clause for polymorphic types involves quantification over all relations from a pre-defined set. This enforces parametricity and also avoids the potential circularity due to impredicativity, which would arise were one to consider instantiating just with R w B for each B; an instance of ∀X.A, say A[B/X], could be "larger" than ∀X.A and break the naive induction ordering. A more detailed discussion about the potential impredicativity issues can be found in Chapter 48 of the third author's text (Harper, 2012).

Lemma 4 (Admissibility)
For all w and A, R w A and T R w A are admissible.
Lemma 5 (Weakening) If Δ A and Δ w, then for any B and R, The crucial lemma is the following, which connects the logical relation at a substituted type, A[B/X], with the relation at the type A in an extended type environment, mediated by the lifted embeddings and projections. The statement involves instantiating a type variable with a particular, well chosen, relation.
Lemma 6 (Type substitution) Let Δ B, Δ w, and w(X j ) = (B j , R j ) for each j. Define the extended type environment w = w, X → (B[B j /X j ], R w B ). Then, for any A and M, with Δ, X A, ·; · M : (A[B/X])[B j /X j ], the following hold: A natural first attempt at a logical relations proof would replace "implies" by "iff" in the above, strengthening the lemma significantly. Our proof of Lemma 6 almost works for this stronger version, except for the second case of function types. That is, it is unclear how to show the following statement: Ignoring monads for the moment, the problem is that at some point, we want I (J (d)) = d, which is false in general. Lemma 6 is carefully formulated so that we no longer need this false statement, and yet is still strong enough to derive the correctness theorem for the translation. Here is a failed proof attempt of the strengthened version of Lemma 6.

Proof Attempt
From the assumption (M, Moreover, by inductive hypothesis applied to (M 2 , d 2 ) ∈ R w A 1 , we know (M 2 , J B Comparing this to the goal, we wish to show the following equation: which would be true if I B X.A 1 were a post-inverse (left-inverse) of J B X.A 1 , or that I B X.A 1 (d 2 ) = d 2 , which does not hold.
We now present the proof of the correct version of Lemma 6, which evades the difficulty and yet is sufficient for our main result.

Proof
The two parts are proved by simultaneous induction on A. Note that the type environment w remains free (universally quantified) in the induction hypothesis because in the case A = ∀Y .A , the environment will be extended.
• Case X: Therefore, by the definition of R w B , (M, i B (d)) ∈ R w B . Then, by the construction of w , R w B = R w X , and also I B X.X = i B , and thus 2. By the construction of w , R w X = R w B , and thus (M, d) ∈ R w B .
By the definition of R w B , and also the fact that J B X.
• Case Y (a variable different from X): • Case nat:  )) ∈ T R w A 2 . By the equations in D, this is the same as Then, we can simplify the D expression further: A 1 (a)); J B X.A 2 (r)] and we will show this obvious choice of d works: By inductive hypothesis applied to (M 2 , d 2 ) ∈ R w A 1 [B/X] , which means there exists r such that d(I B X.A 1 (d 2 )) = [r ] and (M [M 2 /x], r ) ∈ R w A 2 . Therefore, and thus it suffices to show which is the inductive hypothesis applied to In either part ,M ≡ β ΛY .M for some M .
1. Expanding the definition, we know it is sufficient to show for any (C, R C ) ∈ F . Fix a pair (C, R C ). By the definition of R w A [B/X] , and by induction By Lemma 5 (weakening), and by exchange (implicit in the treatment of type environments as maps), we have the goal We claim that we can swap the universal quantifier of (C, R C ) and the existential quantifier of d . The reason is that [·] is injective and so d is uniquely determined by J B X.∀Y .A (d). After the swapping, the goal is then for which is exactly the definition of Note that J B X.∀Y .A = J B X.A and thus this is also equivalent to Fix the (C, R C ) ∈ F . From the assumption (M, d) ∈ R w ∀Y .A and the definition of the extended type environment w , we have By Lemma 5 (weakening), and therefore, together with exchange, Applying the inductive hypothesis, we have the desired statement . Armed with Lemma 6, we are now in a position to show the "Fundamental Property": that each (open) source term is logically related to its translation. The relation is defined on closed terms, so the statement of the lemma involves substituting arbitrary types and relations for free type variables, and arbitrary-but related-closed source and target terms for free term variables.
Lemma 7 (Fundamental property) Suppose Δ; Γ M : A, where Δ = ·, X 1 , . . . , X m and Γ = ·, x 1 :A 1 , . . . , x n :A n . Let w be such that Δ w and w(X j ) = (B j , R j ) for each 1 6 j 6 m. Then, for any list of source terms V i : A i [B j /X j ] and target terms t i : A † i , 1 6 i 6 n, such that

Proof
Induction on the derivation of Δ; Γ M : A. We first define some abbreviations, writing w for the type substitution [B j /X j ], V for the source term substitution [V i /x i ], andt for the target term substitution [t i /x i ].
-If n = n + 1, then V ( w(ifz(M; N 0 ; x.N 1 ))) ≡ β V ( w(N 1 ))[n /x]. Since (n , n ) ∈ R w nat , induction gives  ( w(N)), e) ∈ R w A . Thus, we know V ( w(M)) ≡ β λx:A.M for some M such that Unfolding the logical relation for quantified types and instantiating with By the second part of Lemma 6, the key type substitution property, this implies An immediate consequence of Lemma 7 is that the behavior of a program (closed term of ground type) and its translation agree:

Discussion
Using logical relations, it is possible to prove the correctness of the compilation of polymorphic types to dynamic types in such a way that overhead is imposed only insofar as polymorphism is actually used. This compilation method lies at the heart of the implementation of generic extensions to Java, and of polymorphic languages such as Scala, on the Java Virtual Machine, with the type Object playing the role of our D. As far as we are aware, this is the first correctness proof of this compilation strategy for System F, and is novel insofar as it only relies on an embedding into D, rather than a stronger condition such as isomorphism. In this respect, the proof may be useful in other situations where the correctness of a compilation method is required.
Semantically, the underlying idea of interpreting types as retracts of a universal domain is an old one, going back to work of Scott (1976) and McCracken (1979). It has been adapted and used for various purposes in programming, including by Benton (2005) and Ramsey (2011) for interfacing typed languages with untyped ones, and by many authors studying run-time enforcement of contracts (Findler & Felleisen, 2002) in dynamic languages, and the correct assignment of blame should violations occur (Ahmed et al., 2011).
The broad shape of the proof presented here is that of adequacy: Showing agreement between an operational and a denotational (translational) semantics via a logical relation (Plotkin, 1977;Amadio, 1993). Similar logical relations have also been used for the closely related task of establishing the correctness of compilers (Minamide et al., 1996;Benton & Hur, 2010;Hur & Dreyer, 2011).
One possible extension to this work is to consider the extension of System F with general recursion at the expression level, or, more generally, with recursive types. It appears that handling general recursion is straightforward, following directly the strategy outlined in Chapter 48 of the third author's text (Harper, 2012), which requires that admissible relations be closed under limits of suitable chains, and which employs fixed point induction in establishing the main theorem. The extension to product and sum types is entirely straightforward. Recursive types require more sophisticated techniques pioneered by Pitts (1996), and adapted to the operational setting by Crary & Harper (2007).
Step-indexed methods, such as those introduced by Appel & McAllester (2001), Ahmed (2006) may also be useful in this respect.
Another possible extension is to consider System F with higher order polymorphism, namely System F ω , which enables programmers to abstract over even type constructors, such as lists or trees which themselves are polymorphic in their element type. Such higher order polymorphism has been materialized in dynamic typing, for example, in Scala, by Moors (2008), and it is conceivable, for studying the correctness, to migrate the method to System F ω as we did to System F. Together with the work by Rossberg et al. (2010) which compiles ML modules to System F ω , an alternative account for the dynamics of ML modules, in terms of dynamic typing, can possibly be made.