Inductively defined types in the Calculus of Constructions



Introduction
The motivation for this paper comes from two sources: work on the extraction of programs from proofs in the Calculus of Constructions (CoC) [23,24] and work on the implementation of LEAP [25], an explicitly polymorphic ML-like programming language (here we only consider the pure Fω fragment of LEAP). The former emphasizes the logical aspects of CoC, the latter its computational aspects. The basic relationship is simple: an extraction process relates proofs in CoC to programs in Fω. In other words, in Fω we can express the computational contents of proofs in CoC. Said yet another way: programs in Fω realize propositions in CoC. Both on the logical and computational level, inductively defined propositions or types play a central role in any applications. Their logical aspect, that is, proving properties by induction, and their computational aspect, that is, defining functions by primitive recursion, are very closely related: the computational content of a proof by induction is a function definition by primitive recursion. Said another way: primitive recursion realizes induction. One of our results is that, even though induction principles are not provable in CoC, their computational content is already definable in Fω. Thus augmenting CoC by induction principles over inductively defined types is in some sense "conservative" over its computational fragment: even though we can prove more specifications, any function which we might be able to extract from such proofs is already definable in pure Fω; we just would not be able to show in CoC without induction that it satisfies its specification.
Mendler [19,20] studied inductive types in the setting of the second-order polymorphic λ-calculus and the NuPrl type theory. He adds to the system F a new scheme for defining recursive types. The system is extended with new constants for representing the type, its constructor and the primitive recursion operator. The rules of conversion of the system are also extended for each new recursive type. In our presentation the inductive types are internally represented using higher-order quantification and the only reduction rule used is β-reduction. An advantage of our approach is that types that in some sense "are already there" are not also added artificially. On the other hand, a significant drawback of our approach is the relative weakness of the notion of equality induced by this representation, even if one adds η-conversion. For example, let R be the closed term for primitive recursion over the natural numbers, defined using iteration and pairing as in Section 5. Then the equation that unfolds R applied to succ n into one application of the step function to the pair consisting of n and R applied to n is not an internal equality (as it is in Mendler's system) but is only provable using induction on n. The types given for primitive recursion in Mendler's work and in this paper are slightly different but equivalent. Work along Mendler's lines for the Calculus of Constructions is presented by Coquand and Paulin-Mohring [9] and for Martin-Löf's type theory by Dybjer [11].
On the purely computational level, we generalize Böhm & Berarducci's [4] construction of functions on term algebras in the second-order polymorphic λ-calculus (F2) to Fω. One of their results does not generalize in unmodified form beyond algebraic types: not every closed term of the representation type will be βη-convertible to the representation of a term in the inductive type. This does not appear to be computationally relevant. One can consider alternative definitions of inductive types outside Fω (but still inside CoC) which have the same computational content as our definitions. Another alternative would be to strengthen the notion of equality. We conjecture that one can use Reynolds' condition of parametricity [26] to recover uniqueness of representations at least in the Fω fragment. A facility to generate the definition of inductively defined types, the constructors, and the primitive recursion operator from specifications like the ones in Examples 3 to 9 has been added to the implementation of the Calculus of Constructions V4.10 developed at INRIA. Work on the efficient implementation of inductively defined types and primitive recursion over such types in Fω is currently under way in the framework of the Ergo project at Carnegie Mellon University.

2 The Calculus of Constructions

The Calculus of Constructions (CoC) of Coquand & Huet (see [7,6,16,8]) is a very powerful type theory, yet it can be formulated very concisely. It encompasses Girard's system Fω (see [13,14]) and the type theory of LF, the Edinburgh Logical Framework (see Harper, Honsell & Plotkin [15]), and may be considered the result of combining these two type theories (see Barendregt [2]). The formulation we present here is a very brief summary of the concrete syntax, notation, and inference system given in [8].
We use M, N, ... for terms in general and x, y, z for variables (abstractly, though, they are de Bruijn indices [10], where the occurrences of x in (λx:M) N and [x:M] N are binding occurrences).
Terms are built from the constant *, variables, abstractions (λx:M) N, products [x:M] N and applications M N. Following [8] we call [x:M] N a product. * is the universe of all types, but is itself not a type.

Contexts (denoted by Γ, Δ) are products over * and thus have the form [x1:M1] ... [xn:Mn] *; all other terms will be referred to as objects. Contexts serve as types, but do not have types themselves. When it is clear that a term is a context, we sometimes omit the trailing *.
The inference system defines two judgments: Γ ⊢ Δ means that Δ is a valid context in the valid context Γ, and Γ ⊢ M : P means that M is a well-typed term of type P in the valid context Γ. We use P, Q, ... for types, that is, terms which can appear in the place of P in the judgments below. The inference system below entails that a type P will either be a context, or have the property that Γ ⊢ P : *. [N/x]Q is the notation for substituting N for x in Q (abstractly defined using the de Bruijn notation, and therefore avoiding the issues of name clashes).

Valid Contexts. The empty context is valid: ⊢ *. From Γ ⊢ Δ infer Γ[x:Δ] ⊢ *, and from Γ ⊢ P : * infer Γ[x:P] ⊢ *.
Product Formation.

From Γ[x:P] ⊢ Δ infer Γ ⊢ [x:P]Δ, and from Γ[x:P] ⊢ N : * infer Γ ⊢ [x:P]N : *.
Variables, Abstraction, and Application. (These rules, together with the rule of type conversion, are stated below.)

The calculus shares the basic properties of the LF type theory and Fω, such as strong normalization, decidability of type-checking, and the Church-Rosser property for well-typed terms. We will make use of these properties in the development below. We formulate the basic induction principle over normal forms of types in CoC separately as a lemma, since we will need it frequently. Its proof is immediate from the Lemmas in [8].
Lemma 1 (Normal forms of types) Given a type R, that is, a term R such that for some Γ and N we have Γ ⊢ N : R. Then the β-normal form of R has the shape N0 N1 ... Np, *, or [x:R0] R1. In particular, the β-normal form of R cannot be an abstraction.
We say that a type R is atomic if it is in normal form and does not begin with a product, that is, is not of the form [x:P] Q.
We will use P → Q as an abbreviation for any [x:P]Q, if x does not occur free in Q. We will sometimes omit the parentheses surrounding applications, in which case application is written simply as juxtaposition and associates to the left. Juxtaposition binds tighter than →, which associates to the right. Abstraction and product also associate to the right and bind less tightly than →. The equality in the metalanguage is "=". Definitional equality is written as "≡" and may be thought of as introducing an abbreviation at the level of the Calculus of Constructions as available in its implementation at INRIA. We will use this notion of notational definition in examples without formalizing it.

3 Inductively Defined Types
Intuitively, an inductively defined type is given by a complete list of constructors for terms of the type. We reason about the type with an appropriate induction principle, and we write functions over the type using iteration, which is powerful enough to define primitive recursive functionals over elements of the type. P_ij, M_ij when we need to refer to the components of a given inductive type definition. Annotating a P_ij as P_ij^α serves only as a reminder that α may be free in P_ij, and P_ij^β is the result of substituting β for α in P_ij. We will also use throughout this paper:

Besides positivity, we make an additional assumption that greatly simplifies the presentation and holds in all examples we are aware of, but is not essential. We require that for any quantifier [y:R0] R1 appearing in the definition of α, either y does not occur in R1 or α does not occur in R0. For a development without this restriction see Paulin-Mohring [24]. The additional complexity arises primarily in the definition of Φ below (Definition 11); all theorems remain valid when appropriately modified.
We define by simultaneous induction when a variable occurs only positively and only negatively in a type R, where R is in β-normal form. Since R is a type and assumed to be in normal form, the (omitted) case R = (λz:R0) R1 cannot arise (see Lemma 1). We begin with some examples of inductively defined types. The first one is algebraic (as in [4]).

4 Representing Inductively Defined Types
There are two aspects of inductively defined types that we are interested in. The first one might be called the computational aspect, the second the logical aspect. When investigating the computational aspect of an inductive type, we consider Fω only and assume that we have a new (possibly parameterized) type constant α and new term constructors c_i. Functions over α may be defined using primitive recursion at higher type (see Definition 31).
We ask if there is already a type in pure Fω itself that can be used to represent terms built from the constructors such that the functions that are definable by primitive recursion are also definable.
The answer here is "yes", though there will be a delicate point about the exact formulation of the theorem to that effect.
The logical aspect is based on the simple premise that one would like to reason inductively about inductive types. Since the various induction principles themselves are not provable in CoC, they have to be added as primitive constants. What are the properties of such an extension? We do not have a complete answer here, but at least we ascertain one pleasant property: when considering the computational content of proofs of specifications under this extension, it is conservative: we have new theorems (and proofs), but no new functions in Fω.
We begin by giving a method for representing inductively defined types. An important property we would like to preserve is that an inductive type in Fω will also be represented in Fω. This fact is used essentially in the implementation of LEAP [25]. Now assume we are given an inductively defined type α in the notation at the beginning of Section 3. In this section we show that there is actually a closed type ᾱ in CoC such that any well-typed term that can be built with the constructors of α and terms in CoC has a representation of type ᾱ. The converse, namely that every closed term M of type ᾱ can be expressed in terms of the constructors of α, is not true if one takes βη-conversion as the notion of term equality. We conjecture that the converse is true in models that satisfy Reynolds' condition of parametricity [26]. This conjecture is based on the intuition that completeness fails because βη-equality is too weak to identify indistinguishable terms, under some reasonable assumptions about when terms should be indistinguishable (see Mitchell and Meyer [21]). Computationally this failure of completeness is not a problem, and the logical characterization of an inductive type in terms of an induction axiom is satisfactory from the logical point of view (though, of course, also incomplete in another sense).
Of course, there may be many ways an inductively defined type could be represented in CoC.We give here a canonical construction in which the representation of an element of the inductive type is its own iteration function.This representation has some drawbacks which we will return to in Section 5, where we show how to define primitive recursion at all types over an inductively defined type.
Before launching into the description of the representation of inductive types, we need an important technical tool. In its simplest form, we define a map Φ on terms that lifts a function F : P → Q to a function Φ_R : R P → R Q where R : * → * and R is positive in its argument (that is, R = (λx:*) R' and x is only positive in R').

Case R_x is atomic and x does not occur in R_x. Then R_S = R_T and we let Φ_R(N) = N.

The construction of Φ depends on F and its type. If we want to make the dependency explicit, we write Φ^F for the map Φ that is constructed from F.
The term constructed according to this definition will not always be correctly typed. We need an additional restriction that is satisfied in all of our examples and in particular is always satisfied for inductive types in the Fω fragment of CoC.

Lemma 12 In the context of Definition 11 and under the assumption that for any quantifier [z:R0] R1 in R_x, either z does not occur in R1 or x does not occur in R0, Φ and Ψ are well-defined and Φ satisfies Φ_R(N) : R_T for any N : R_S.
The proof is by a simple induction on the structure of R_x.
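The cases of Definition 11 written out for three concrete type operators, as an added example in TypeScript that is not code from the paper. Types are erased at runtime, so the induction on the structure of R_x cannot be performed by a program; instead each instance is written by hand following the case of the definition that applies, with F : S → T supplied as an ordinary function. The names phiVar, phiArrowPos, psiArrowNeg and phiMixed are this example's own. The last instance, R_x = (x → B) → x, is the one that needs Ψ: x is negative in the domain R0 = x → B, so the lifted function must precompose with Ψ_{R0} before postcomposing with F.

```typescript
// Added example (not from the paper): instances of the lifting maps
//   Φ_R : R_S → R_T   (x only positive in R_x)
//   Ψ_R : R_T → R_S   (x only negative in R_x)
// for a given F : S → T, following the cases of Definition 11.

// Case R_x = x N1 ... Nm, here simply R_x = x: Φ_R(N) = F N.
function phiVar<S, T>(F: (s: S) => T, N: S): T {
  return F(N);
}

// Case R_x = [z:R0] R1 with R0 = A (x absent) and R1 = x, i.e. A → x,
// x positive: Φ_R(N) = λa:A. F (N a).  (The atomic case gives identity on A.)
function phiArrowPos<S, T, A>(F: (s: S) => T, N: (a: A) => S): (a: A) => T {
  return (a) => F(N(a));
}

// Case R_x = x → B with x only negative: Ψ_R : (T → B) → (S → B),
// Ψ_R(N) = λs:S. N (F s).
function psiArrowNeg<S, T, B>(F: (s: S) => T, N: (t: T) => B): (s: S) => B {
  return (s) => N(F(s));
}

// Case R_x = [g:R0] R1 with R0 = x → B (x negative there) and R1 = x:
// x is positive in R_x as a whole, so Φ is defined and uses Ψ on the domain:
// Φ_R(N) = λg:(T → B). F (N (Ψ_{R0}(g))).
// (No case applies to R_x = x → x: x is neither only positive nor only
// negative, so neither Φ nor Ψ is defined for it.)
function phiMixed<S, T, B>(
  F: (s: S) => T,
  N: (g: (s: S) => B) => S,
): (g: (t: T) => B) => T {
  return (g) => F(N(psiArrowNeg<S, T, B>(F, g)));
}
```

With F = String : number → string, phiMixed turns a function that consumes number-predicates into one that consumes string-predicates, by translating each string-predicate back to a number-predicate through F; that translation is exactly Ψ on the contravariant position.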
The definition of Φ and Ψ with the same property can be made in full generality, but is quite complex. Details can be found in Paulin-Mohring [24, page 107]. It is easy to see that ᾱ : Q. The definition of the representations of the constructors c_i will make use of the function ()+ defined below, with the property that if N : R_α then N+ : R_ᾱ.
Definition 14 (Representation c̄_i of constructor c_i) Given the property of ()+ stated above, it is easy to verify that c̄_i : P̄_i. We now define the map ()+ using Φ and its properties.

We also extend () homomorphically from α and the constructors c_i to any term N that is well-formed in a context Δ, Γ_α. We sometimes refer to a term in the context Γ_α as a constructor term.
For the adequacy theorem it is convenient to consider η-conversion in addition to β-conversion.

Theorem 17 (Adequacy) For any inductively defined type α and closed terms N1, ..., Nm such that Γ_α ⊢ α N1 ... Nm : *, () is a bijection between βη-equivalence classes of terms N such that Γ_α ⊢ N : α N1 ... Nm and equivalence classes of terms M such that ⊢ M : ᾱ N1 ... Nm.
Proof sketch: It is easy to verify by calculation as in [4], using Lemma 12, that () is injective. The inverse map F(M) = M α c1 ... cn applies the representation M of a term in an inductive type to the constructors of that type to yield the term that it represents. □

It is important to note that the inverse map F does not need to examine the structure of its argument M to determine what constructor term M represents. This means that even in an implementation where the intensional structure of functions is inaccessible (for example, when functions are compiled into machine code) we can still extract the constructor term that is represented by a function by applying it to the constructor constants.
The adequacy theorem is somewhat weaker than Böhm and Berarducci's representation theorem. This is because the mappings () and F do not go between βη-equivalence classes: as the following counterexample shows, non-convertible terms may represent the same constructor term. One can recover uniqueness by using dependency: in essence, a term of a constructor type is represented as the proof that it is well-formed. Such a more complex proof term has the same computational content as our representation (see [24] or [18]). One can also formulate a simple criterion on the types P_i of the constructors that ensures uniqueness of the representation under βη-conversion (see [24, page 125]). Finally, one could claim that the failure of uniqueness is due to incompleteness of βη-conversion in the polymorphic λ-calculus and that such terms really should be equivalent. We conjecture that Reynolds' condition of parametricity [26] can be used to justify this claim, but under parametricity even more terms might be identified than under the notion of equivalence that is induced by the function F. For example, under parametricity, the term M in the counterexample would also be equivalent to c ((λn:nat) zero).

Counterexample 18 (Non-uniqueness of representation under βη) Consider the following inductively defined type with one constructor, where nat is defined as in the example above.

Enriching CoC by inductively defined types must go along with some method for defining recursive functions over these types. We choose iteration rather than primitive recursion since it is a simpler notion and primitive recursion is definable from iteration. For an implementation of a programming language based on such an enriched calculus one would probably need to choose primitive recursion, since its implementation through iteration is provably inefficient in some cases (see Colson [5] or Parigot [22]).

One can then abstract over A and B (discharge them from the context) to obtain the usual, now global definitions.
Definition 26 (Definition by iteration) Let α be an inductively defined data type as in Section 3.

Given the basic representation (), how can we define iteration on the representation? A basic insight is that a constructor is implemented as an iterator; thus applying the representation of a constructor term as a function will perform iteration.

where x̂ is like x̃ except that it inserts recursive calls to f̄ rather than to f.
Proof sketch: By simple inductions as in [4].
Note that we claim convertibility only for terms in the image of the () translation function, not for any term that represents c_i x1 ... x_ki. We conjecture that under the assumption of parametricity

Primitive recursion at all types is somewhat more difficult, but as shown in various places for the second-order polymorphic λ-calculus (see, for example, Reynolds [27]) it can be reduced to iteration. We briefly state only the form of primitive recursion and the type of the primitive recursion operator pr_α over an inductively defined type α. Here x̃ is the generalized product from the corresponding definition. Note that the occurrences of M_ij are not binding occurrences: they are determined by the type of the constructor c_i. In the simplest case, x̃ is merely x (if the type of x does not involve α), or the pair of x and f x (if the type of x is α). In general, the variable pr_α which generates the definition of f given

One of the motivations behind inductively defined types is that we would like to reason about elements of these types using induction. In particular, we would like to extract provably correct functions from proofs. In this section we state the natural notion of induction over an inductively defined type, and show how induction relates to the notion of primitive recursive functional. Induction principles are not definable (that is, provable) in CoC itself, but one could assume such induction principles and associated reduction rules (see [8, Section 8] or [24, Section 4.4]). Such an extension of the calculus is in some sense "benign." This can be formalized as saying that the computational content of a proof that used induction is already present in pure Fω. The proof of this fact is surprisingly simple (see Theorem 35). Thus, if one is interested only in the computational content of proofs, the extension of CoC by induction over inductively defined types does not change the set of definable functions. However, with the addition of induction one will in general be able to prove many more specifications. Other conservative extension results for polymorphic λ-calculi have been obtained by Breazu-Tannen & Gallier [3].

As a concrete example consider the function tl which takes a list and a default value and returns the tail of the list or the default value (if the list is empty). We could program this as a primitive recursion
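The representation and the two schemes of recursion, written out as an added example in TypeScript; this is not code from the paper or from the INRIA implementation. Elements of nat and list are represented as their own iteration functions as in Definition 13, the inverse map of Theorem 17 is obtained by applying a representation to the constructors, and primitive recursion, here pred on nat and the tl function just described, is recovered from iteration by pairing as in Section 5. TypeScript generics stand in for the [β:*] quantifier. One assumption about the host language: since TypeScript erases types, instantiating a representation at a pair type that contains its own type (as primRec does) is accepted by the checker and has no runtime cost; in Fω this is the impredicative instantiation the encoding relies on. The names CNat, CList, primRec, natToNumber and toArray are this example's own.

```typescript
// Added example (not code from the paper): Böhm-Berarducci-style representations
// in which an element of an inductive type is its own iteration function, the
// inverse map F(M) = M c1 ... cn, and primitive recursion from iteration by pairing.

// nat-bar = [β:*] (β → β) → β → β
type CNat = <B>(succ: (b: B) => B, zero: B) => B;

const zero: CNat = (_s, z) => z;
const succ = (n: CNat): CNat => (s, z) => s(n(s, z));

// Inverse map of Theorem 17 at β = number: apply the representation to the
// "constructors" (+1, 0) of the native numbers. The closure is never inspected.
function natToNumber(n: CNat): number {
  return n((x: number) => x + 1, 0);
}

// Addition by iteration over the first argument at type β = nat-bar.
const add = (m: CNat, n: CNat): CNat => (s, z) => m(s, n(s, z));

// Primitive recursion from iteration: iterate on pairs (k, R k) starting at
// (zero, z). The step rebuilds the predecessor with succ instead of reading it
// off the argument, so even pred costs O(n): the inefficiency of Colson/Parigot
// mentioned in the text.
function primRec<B>(n: CNat, h: (pred: CNat, acc: B) => B, z: B): B {
  const step = (p: [CNat, B]): [CNat, B] => [succ(p[0]), h(p[0], p[1])];
  return n<[CNat, B]>(step, [zero, z])[1];
}

// pred zero = zero, pred (succ n) = n
const pred = (n: CNat): CNat => primRec<CNat>(n, (k, _acc) => k, zero);

// list-bar A = [C:*] C → (A → C → C) → C (Example 21 after uniform parameterization)
type CList<A> = <C>(nil: C, cons: (hd: A, tl: C) => C) => C;

function nil<A>(): CList<A> {
  return (n, _c) => n;
}
function cons<A>(hd: A, tl: CList<A>): CList<A> {
  return (n, c) => c(hd, tl(n, c));
}

// Inverse map for lists, at C = A[]: apply to [] and prepend.
function toArray<A>(l: CList<A>): A[] {
  return l<A[]>([], (hd, tl) => [hd, ...tl]);
}

// length by plain iteration
function length<A>(l: CList<A>): number {
  return l(0, (_hd, n) => n + 1);
}

// tl l dflt: the tail of l, or dflt when l is nil. Iteration only hands the
// step function the result of the recursive call, not the tail itself, so the
// list seen so far is carried along in a pair exactly as in primRec.
function tl<A>(l: CList<A>, dflt: CList<A>): CList<A> {
  const r = l<[CList<A>, CList<A>]>(
    [nil<A>(), dflt],                      // (list so far, answer for nil)
    (hd, p) => [cons(hd, p[0]), p[0]]);    // answer for cons hd rest is rest
  return r[1];
}
```

natToNumber and toArray are the inverse map F of Theorem 17 instantiated at the native types: they recover the constructor term a closure represents purely by applying it, which is the point made after the proof sketch that no intensional access to the function is needed.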
Definition 33 (Induction principle ind_α for inductively defined α) Let α be an inductively defined type as before. We define ind_α, the induction principle over α, by

In the simplest case x̃' will simply turn out to be x' (if the type of x' does not involve α) or dfst α A x', extracting the element x from the pair consisting of an x and the proof that x satisfies property A (if x' has type α). Coquand & Huet define ν, the stripping map, which extracts an untyped λ-term as the computational content of a proof in CoC. We use a less drastic erasure in the proof of our conservative extension result below, which maps terms in CoC into terms in Fω. The partial erasure map ε is defined in detail in [23,24].
Theorem 35 (Primitive recursion realizes induction) We use ρ_ind_α and ρ_pr_α as abbreviations for the types of ind_α and pr_α, respectively.

Proof sketch: The map ε will erase α z1 ... zm from the type of A, and all corresponding arguments to A at all occurrences of A (notation as in Definition 33). The resulting term is a valid type and βη-equivalent to the type of pr_α (see Definition 31). The crucial observation is that

This theorem means that the set of functions that can be extracted from induction proofs over α can already be defined explicitly by primitive recursion at arbitrary types. This corollary generalizes one direction of results obtained by Girard [14], Fortune, Leivant & O'Donnell [12], and Leivant [17,18], which may be summarized as "The number-theoretic functions representable in F_n are exactly the functions provably recursive in n-th order arithmetic."

typlam : [A:* → *] ([B:*] prog (A B)) → prog ([B:*] (A B))
typapp : [A:* → *] prog ([B:*] (A B)) → [B:*] prog (A B)
end

All the examples so far lie within the Fω fragment of CoC. The following examples deal with aspects of dependent types in CoC which can be used to define logical notions.
[z1:Q1] ... [zm:Qm] S z1 ... zm → T z1 ... zm. Furthermore, we are given a type R = R_x with some free occurrences of x : [z1:Q1] ... [zm:Qm] *. We define Φ_R for R_x with only positive occurrences of x such that for any term N : R_S, Φ_R(N) : R_T, and simultaneously we define Ψ_R for R_x with only negative occurrences of x such that for any term N : R_T, Ψ_R(N) : R_S.

R0, since x occurs only positively in R_x. Remember that the case R_x = (λz:R0) R1 cannot arise, since R_x is a type in normal form (see Lemma 1). Now for R_x with x occurring only negatively, we define: Case R_x = x N1 ... Nm. This case cannot arise, since x is positive in R_x, but we assumed that x occurs only negatively in R_x. Case R_x is atomic and x does not occur in R_x. Then R_S = R_T and we let Ψ_R(N) = N.

Now we are prepared to state and prove the representation of inductive types.

Definition 13 (Representation ᾱ of an inductively defined type α) Given α, defined inductively as in Section 3. We will use the notation P_i^α for P_i, P_i^β for the result of substituting β for α in P_i, and P̄_i^β for the result of substituting β for α in P̄_i. We let ᾱ ≡ (λz1:Q1) ... (λzm:Qm) [β:Q] P̄_1^β → ... → P̄_n^β → β z1 ... zm.

Example 21 (Lists) The representation of lists obtained this way is also different from, though equivalent to, the encoding in F2 given in [27].

list ≡ (λB:*) [C:* → *] ([A:*] C A) → ([A:*] A → C A → C A) → C B

As in Example 20, one can obtain the usual definition by uniform parameterization.

5 Computing with Inductively Defined Types

β : Q and functions h1 : P_1^β, ..., hn : P_n^β. Then the function f : [z1:Q1] ... [zm:Qm] α z1 ... zm → β z1 ... zm is defined by iteration over α at type β from h1, ..., hn if it satisfies the following equations (one for each constructor c_i):

f M11 ... M1m (c1 x1 ... x_k1) = h1 x̃1 ... x̃_k1

The idea in the definition of Ñ is to replace occurrences of variables whose type has the form α N1 ... Nm by recursive calls to f. The map Φ is already of the right form to define ()̃.

Definition 27 (Map ()̃) For f : [z1:Q1] ... [zm:Qm] α z1 ... zm → β z1 ... zm and N : R_α we define Ñ such that Ñ

(for the Fω fragment) a stronger theorem also holds: the equivalence classes of representations from Theorem 17 satisfy the equations for iteration, given the definition of f above.

Example 29 (Existential Quantification) For pairs or dependent pairs, the schema of iteration simply allows access to the components of the pair. We show only the dependent case.

f A P (exists-intro A P x w) = h1 A P x w

with types f : [A:*] [P:A → *] exists A P → β A P and h1 : [A:*] [P:A → *] [x:A] [w:P x] β A P. The first projection function fst for the usual pairs is easily definable, as is the function dfst for extracting the first component of a dependent pair shown here. In terms of the notation above we have

dfst A P (exists-intro A P x w) = x
β ≡ (λA:*) (λP:A → *) A
h1 ≡ (λA:*) (λP:A → *) (λx:A) (λw:P x) x

Example 30 (Programs in F2) We now give definitions of reify, reflect and eval in the form of an iteration. These definitions are in the F3 fragment of CoC. The crucial function is reflect : [A:*] prog A → A. In terms of the above definition, β ≡ (λA:*) A and

reflect A (rep A x) = x
reflect (A → B) (lam A B x) = (λy:A) reflect B (x y)
reflect B (app A B x y) = (reflect (A → B) x) (reflect A y)
reflect ([B:*] (A B)) (typlam A x) = (λB:*) reflect (A B) (x B)
reflect (A B) (typapp A x B) = (reflect ([B:*] (A B)) x) B

eval : [A:*] prog A → prog A
eval ≡ (λA:*) (λx:prog A) reify A (reflect A x)

In [25] we give the expanded definition of reflect in F3 using Theorem 28.

Definition 34 (Map x̃) Let F be the generalized first projection function (derived easily from dfst, see Example 29) on elements of the dependent pair type α ⊗ A. Then F : [z1:Q1] ... [zm:Qm] exists (α z1 ... zm) (A z1 ... zm) → α z1 ... zm, and for R_x and N : R_{α ⊗ A} we define Ñ = Φ_R^F(N) : R_α.

Example 36 (Induction over Lists) Here we obtain a principle of induction over the construction of lists. Since induction is a logical statement, it is best to think of [] as universal quantification.

ind_list : [P:[A:*] list A → *] ([A:*] P A (nil A)) → ([A:*] [x:A] [l':exists (list A) (P A)] P A (cons A x (dfst (list A) (P A) l'))) → [A:*] [l:list A] P A l

The induction principle will look more familiar after we curry at the argument l' to eliminate the dependent pair and also apply uniform parameterization over the argument A. We then get:

We will consider β-conversion (=) in the "full" form (see [8, Page 102]) and have the following rules for variables, abstraction and application, together with the rule of type conversion:

Variables. If Γ ⊢ * and x:P occurs in Γ, then Γ ⊢ x : P.
Abstraction. From Γ[x:P] ⊢ N : Q infer Γ ⊢ (λx:P) N : [x:P]Q.
Application. From Γ ⊢ M : [x:P]Q and Γ ⊢ N : P infer Γ ⊢ M N : [N/x]Q.
Type conversion. From Γ ⊢ M : P and P = Q, where Q is a type in Γ, infer Γ ⊢ M : Q.

This notion encompasses the usual notions of free term algebras with associated induction principles, but it is more general and allows the definition of types such as natural numbers, pairs, lists, ordinal notations, logical quantifiers and connectives, or programs in a significant fragment of CoC of independent interest.

c_n : [x1:P_n1] ... [x_kn:P_nkn] α M_n1 ... M_nm
end

In such an inductive definition, α may not occur in Q_j nor in any M_ij. However, α may occur in P_ij, but only positively (see Definition 2). Throughout the paper, we will use the names α, c_i, Q_j,