Type Theory & Functional Programming

Simon Thompson

Computing Laboratory, University of Kent

March 1999

© Simon Thompson, 1999

Not to be reproduced

To my parents

Preface

Constructive type theory has been a topic of research interest to computer scientists, mathematicians, logicians and philosophers for a number of years. For computer scientists it provides a framework which brings together logic and programming languages in a most elegant and fertile way: program development and verification can proceed within a single system. Viewed in a different way, type theory is a functional programming language with some novel features, such as the totality of all its functions, its expressive type system allowing functions whose result type depends upon the value of its input, and sophisticated modules and abstract types whose interfaces can contain logical assertions as well as signature information. A third point of view emphasizes that programs (or functions) can be extracted from proofs in the logic.

Up until now most of the material on type theory has only appeared in proceedings of conferences and in research papers, so it seems appropriate to try to set down the current state of development in a form accessible to interested final-year undergraduates, graduate students, research workers and teachers in computer science and related fields – hence this book.

The book can be thought of as giving both a first and a second course in type theory. We begin with introductory material on logic and functional programming, and follow this by presenting the system of type theory itself, together with many examples. As well as this we go further, looking at the system from a mathematical perspective, thus elucidating a number of its important properties. Then we take a critical look at the profusion of suggestions in the literature about why and how type theory could be augmented. In doing this we are aiming at a moving target; it must be the case that further developments will have been made before the book reaches the press. Nonetheless, such a survey can give the reader a much more developed sense of the potential of type theory, as well as giving the background of what is to come.


Outline

It seems in order to give an overview of the book. Each chapter begins with a more detailed introduction, so we shall be brief here. We follow this with a guide on how the book might be approached.
The first three chapters survey the three fields upon which type theory depends: logic, the λ-calculus and functional programming, and constructive mathematics. The surveys are short, establishing terminology, notation and a general context for the discussion; pointers to the relevant literature and in particular to more detailed introductions are provided. In the second chapter we discuss some issues in the λ-calculus and functional programming which suggest analogous questions in type theory.

The fourth chapter forms the focus of the book. We give the formal system for type theory, developing examples of both programs and proofs as we go along. These tend to be short, illustrating the construct just introduced – chapter 6 contains many more examples.

The system of type theory is complex, and in the chapter which follows we explore a number of different aspects of the theory. We prove certain results about it (rather than using it) including the important facts that programs are terminating and that evaluation is deterministic. Other topics examined include the variety of equality relations in the system, the addition of types (or 'universes') of types and some more technical points.

Much of our understanding of a complex formal system must derive from our using it. Chapter six covers a variety of examples and larger case studies. From the functional programming point of view, we choose to stress the differences between the system and more traditional languages. After a lengthy discussion of recursion, we look at the impact of the quantified types, especially in the light of the universes added above. We also take the opportunity to demonstrate how programs can be extracted from constructive proofs, and one way that imperative programs can be seen as arising. We conclude with a survey of examples in the relevant literature.
As an aside it is worth saying that for any formal system, we can really only understand its precise details after attempting to implement it. The combination of symbolic and natural language used by mathematicians is surprisingly suggestive, yet ambiguous, and it is only the discipline of having to implement a system which makes us look at some aspects of it. In the case of TT, it was only through writing an implementation in the functional programming language Miranda¹ that the author came to understand the distinctive role of assumptions in TT, for instance.

The system is expressive, as witnessed by the previous chapter, but are programs given in their most natural or efficient form? There is a host of proposals of how to augment the system, and we look at these in chapter 7. Crucial to them is the incorporation of a class of subset types, in which the witnessing information contained in a type like (∃x : A).B(x) is suppressed. As well as describing the subset type, we lay out the arguments for its addition to type theory, and conclude that it is not as necessary as has been thought. Other proposals include quotient (or equivalence class) types, and ways in which general recursion can be added to the system without its losing properties like termination. A particularly elegant proposal for the addition of co-inductive types, such as infinite streams, without losing these properties, is examined.

Chapter eight examines the foundations of the system: how it compares with other systems for constructive mathematics, how models of it are formed and used, and how certain of the rules, the closure rules, may be seen as being generated from the introduction rules, which state what the canonical members of each type are. We end the book with a survey of related systems, implemented or not, and some concluding remarks.

Bibliographic information is collected at the end of the book, together with a table of the rules of the various systems.

We have used standard terminology whenever we were able, but when a subject is of current research interest this is not always possible.

¹ Miranda is a trade mark of Research Software Limited.

Using the book

In the hope of making this a self-contained introduction, we have included chapters one and two, which discuss natural deduction logic and the λ-calculus – these chapters survey the fields and provide an introduction to the notation and terminology we shall use later. The core of the text is chapter four, which is the introduction to type theory.

Readers who are familiar with natural deduction logic and the λ-calculus could begin with the brief introduction to constructive mathematics provided by chapter three, and then turn to chapter four. This is the core of the book, where we lay out type theory as both a logic and a functional programming system, giving small examples as we go. The chapters which follow are more or less loosely coupled.

Someone keen to see applications of type theory can turn to chapter six, which contains examples and larger case studies; only occasionally will readers need to refer back to topics in chapter five.

Another option on concluding chapter four is to move straight on to chapter five, where the system is examined from various mathematical perspectives, and a number of important results on the consistency, expressibility and determinacy are proved. Chapter eight should be seen as a continuation of this, as it explores topics of a foundational nature.

Chapter seven is perhaps best read after the examples of chapter six, and digesting the deliberations of chapter five.

In each chapter exercises are included. These range from the routine to the challenging. Not many programming projects are included as it is expected that readers will be able to think of suitable projects for themselves – the world is full of potential applications, after all.

Acknowledgements

The genesis of this book was a set of notes prepared for a lecture series on type theory given to the Theoretical Computer Science seminar at the University of Kent, and subsequently at the Federal University of Pernambuco, Recife, Brazil. Thanks are due to colleagues from both institutions; I am especially grateful to David Turner and Allan Grimley for both encouragement and stimulating discussions on the topic of type theory. I should also thank colleagues at UFPE, and the Brazilian National Research Council, CNPq, for making my visit to Brazil possible.

In its various forms the text has received detailed comment and criticism from a number of people, including Martin Henson, John Hughes, Nic McPhee, Jerry Mead and various anonymous reviewers. Thanks to them the manuscript has been much improved, though needless to say, I alone will accept responsibility for any infelicities or errors which remain.

The text itself was prepared using the LaTeX document preparation system; in this respect Tim Hopkins and Ian Utting have put up with numerous queries of varying complexity with unfailing good humour – thanks to both of them. Duncan Langford and Richard Jones have given me much appreciated advice on using the Macintosh.

The editorial and production staff at Addison-Wesley have been most helpful; in particular Simon Plumtree has given me exactly the right mixture of assistance and direction.

The most important acknowledgements are to Jane and Alice: Jane has supported me through all stages of the book, giving me encouragement when it was needed and coping so well with having to share me with this enterprise over the last year; without her I am sure the book would not have been completed. Alice is a joy, and makes me realise how much more there is to life than type theory.
Contents

Preface . . . . . iii
Introduction . . . . . 1
1 Introduction to Logic . . . . . 7
1.1 Propositional Logic . . . . . 8
1.2 Predicate Logic . . . . . 16
1.2.1 Variables and substitution . . . . . 18
1.2.2 Quantifier rules . . . . . 21
1.2.3 Examples . . . . . 24
2 Functional Programming and λ-Calculi . . . . . 29
2.1 Functional Programming . . . . . 30
2.2 The untyped λ-calculus . . . . . 32
2.3 Evaluation . . . . . 36
2.4 Convertibility . . . . . 40
2.5 Expressiveness . . . . . 41
2.6 Typed λ-calculus . . . . . 42
2.7 Strong normalisation . . . . . 45
2.8 Further type constructors: the product . . . . . 50
2.9 Base Types: Natural Numbers . . . . . 53
2.10 General Recursion . . . . . 55
2.11 Evaluation revisited . . . . . 56
3 Constructive Mathematics . . . . . 59
4 Introduction to Type Theory . . . . . 67
4.1 Propositional Logic: an Informal View . . . . . 69
4.2 Judgements, Proofs and Derivations . . . . . 71
4.3 The Rules for Propositional Calculus . . . . . 73
4.4 The Curry Howard Isomorphism . . . . . 78
4.5 Some examples . . . . . 83
4.5.1 The identity function; A implies itself . . . . . 83
4.5.2 The transitivity of implication; function composition . . . . . 83
4.5.3 Different proofs . . . . . 84
4.5.4 . . . and different derivations . . . . . 85
4.5.5 Conjunction and disjunction . . . . . 86
4.6 Quantifiers . . . . . 88
4.6.1 Some example proofs . . . . . 92
4.7 Base Types . . . . . 96
4.7.1 Booleans . . . . . 96
4.7.2 Finite types . . . . . 98
4.7.3 ⊤ and ⊥ . . . . . 99
4.8 The natural numbers . . . . . 100
4.9 Well-founded types – trees . . . . . 105
4.10 Equality . . . . . 109
4.10.1 Equality over base types . . . . . 113
4.10.2 Inequalities . . . . . 114
4.10.3 Dependent Types . . . . . 114
4.10.4 Equality over the I-types . . . . . 116
4.11 Convertibility . . . . . 117
4.11.1 Definitions; convertibility and equality . . . . . 117
4.11.2 An example – Adding one . . . . . 119
4.11.3 An example – natural number equality . . . . . 121
5 Exploring Type Theory . . . . . 125
5.1 Assumptions . . . . . 126
5.2 Naming and abbreviations . . . . . 130
5.2.1 Naming . . . . . 131
5.2.2 Abbreviations . . . . . 132
5.3 Revising the rules . . . . . 133
5.3.1 Variable binding operators and disjunction . . . . . 133
5.3.2 Generalising ∨ . . . . . 135
5.3.3 The Existential Quantifier . . . . . 136
5.4 Derivability . . . . . 139
5.4.1 A is a type is derivable from a : A . . . . . 140
5.4.2 Unique types . . . . . 142
5.5 Computation . . . . . 144
5.5.1 Reduction . . . . . 144
5.5.2 The system TT₀ . . . . . 146
5.5.3 Combinators and the system TT₀ . . . . . 148
5.6 TT₀: Normalisation and its corollaries . . . . . 153
5.6.1 Polymorphism and Monomorphism . . . . . 162
5.7 Equalities and Identities . . . . . 163
5.7.1 Definitional equality . . . . . 163
5.7.2 Convertibility . . . . . 164
5.7.3 Identity; the I type . . . . . 165
5.7.4 Equality functions . . . . . 165
5.7.5 Characterising equality . . . . . 167
5.8 Different Equalities . . . . . 168
5.8.1 A functional programming perspective . . . . . 168
5.8.2 Extensional Equality . . . . . 169
5.8.3 Defining Extensional Equality in TT₀ . . . . . 171
5.9 Universes . . . . . 174
5.9.1 Type families . . . . . 176
5.9.2 Quantifying over universes . . . . . 177
5.9.3 Closure axioms . . . . . 178
5.9.4 Extensions . . . . . 179
5.10 Well-founded types . . . . . 179
5.10.1 Lists . . . . . 179
5.10.2 The general case – the W type . . . . . 181
5.10.3 Algebraic types in Miranda . . . . . 187
5.11 Expressibility . . . . . 189
5.12 The Curry Howard Isomorphism? . . . . . 191
5.12.1 Assumptions . . . . . 191
5.12.2 Normal Forms of Proofs . . . . . 192
6 Applying Type Theory . . . . . 195
6.1 Recursion . . . . . 196
6.1.1 Numerical functions . . . . . 197
6.1.2 Defining propositions and types by recursion . . . . . 200
6.1.3 Recursion over lists – 1 . . . . . 202
6.1.4 Recursion over lists – 2 . . . . . 205
6.2 A Case Study – Quicksort . . . . . 207
6.2.1 Defining the function . . . . . 207
6.2.2 Verifying the function . . . . . 209
6.3 Dependent types and quantifiers . . . . . 214
6.3.1 Dependent Types . . . . . 214
6.3.2 The Existential Quantifier . . . . . 216
6.3.3 The Universal Quantifier . . . . . 217
6.3.4 Implementing a logic . . . . . 217
6.3.5 Quantification and Universes – ∀ . . . . . 220
6.3.6 Quantification and Universes – ∃ . . . . . 223
6.4 A Case Study – Vectors . . . . . 226
6.4.1 Finite Types Revisited . . . . . 226
6.4.2 Vectors . . . . . 228
6.5 Proof Extraction; Top-Down Proof . . . . . 230
6.5.1 Propositional Logic . . . . . 230
6.5.2 Predicate Logic . . . . . 232
6.5.3 Natural Numbers . . . . . 233
6.6 Program Development – Polish National Flag . . . . . 234
6.7 Program Transformation . . . . . 238
6.7.1 map and fold . . . . . 239
6.7.2 The Algorithm . . . . . 243
6.7.3 The Transformation . . . . . 244
6.8 Imperative Programming . . . . . 247
6.9 Examples in the literature . . . . . 249
6.9.1 Martin-Löf . . . . . 250
6.9.2 Göteborg . . . . . 250
6.9.3 Backhouse et al. . . . . . 250
6.9.4 Nuprl . . . . . 251
6.9.5 Calculus of Constructions . . . . . 251
7 Augmenting Type Theory . . . . . 253
7.1 Background . . . . . 255
7.1.1 What is a specification? . . . . . 256
7.1.2 Computational Irrelevance; Lazy Evaluation . . . . . 258
7.2 The subset type . . . . . 261
7.2.1 The extensional theory . . . . . 264
7.3 Propositions not types . . . . . 265
7.3.1 'Squash' types . . . . . 265
7.3.2 The subset theory . . . . . 266
7.3.3 Gödel Interpretation . . . . . 268
7.4 Are subsets necessary? . . . . . 268
7.5 Quotient or Congruence Types . . . . . 273
7.5.1 Congruence types . . . . . 276
7.6 Case Study – The Real Numbers . . . . . 278
7.7 Strengthened rules; polymorphism . . . . . 281
7.7.1 An Example . . . . . 281
7.7.2 Strong and Hypothetical Rules . . . . . 283
7.7.3 Polymorphic types . . . . . 284
7.7.4 Non-termination . . . . . 285
7.8 Well-founded recursion . . . . . 286
7.9 Well-founded recursion in type theory . . . . . 292
7.9.1 Constructing Recursion Operators . . . . . 292
7.9.2 The Accessible Elements . . . . . 296
7.9.3 Conclusions . . . . . 298
7.10 Inductive types . . . . . 298
7.10.1 Inductive definitions . . . . . 298
7.10.2 Inductive definitions in type theory . . . . . 301
7.11 Co-inductions . . . . . 303
7.11.1 Streams . . . . . 308
7.12 Partial Objects and Types . . . . . 309
7.13 Modelling . . . . . 310
8 Foundations . . . . . 315
8.1 Proof Theory . . . . . 315
8.1.1 Intuitionistic Arithmetic . . . . . 316
8.1.2 Realizability . . . . . 319
8.1.3 Existential Elimination . . . . . 321
8.2 Model Theory . . . . . 321
8.2.1 Term Models . . . . . 322
8.2.2 Type-free interpretations . . . . . 322
8.2.3 An Inductive Definition . . . . . 323
8.3 A General Framework for Logics . . . . . 324
8.4 The Inversion Principle . . . . . 326
9 Conclusions . . . . . 331
9.1 Related Work . . . . . 331
9.1.1 The Nuprl System . . . . . 331
9.1.2 TK: A theory of types and kinds . . . . . 332
9.1.3 PX: A Computational Logic . . . . . 333
9.1.4 AUTOMATH . . . . . 334
9.1.5 Type Theories . . . . . 335
9.2 Concluding Remarks . . . . . 337
Rule Tables . . . . . 360
Introduction

Types are types and propositions are propositions; types come from programming languages, and propositions from logic, and they seem to have no relation to each other. We shall see that if we make certain assumptions about both logic and programming, then we can define a system which is simultaneously a logic and a programming language, and in which propositions and types are identical. This is the system of constructive type theory, based primarily on the work of the Swedish logician and philosopher, Per Martin-Löf. In this introduction we examine the background in both logic and computing before going on to look at constructive type theory and its applications. We conclude with an overview of the book proper.

Correct Programming

The problem of correctness is ever-present in computing: a program is written with a particular specification in view and run on the assumption that it meets that specification. As is all too familiar, this assumption is unjustified: in most cases the program does not perform as it should. How should the problem be tackled? Testing cannot ensure the absence of errors; only a formal proof of correctness can guarantee that a program meets its specification. If we take a naïve view of this process, we develop the program and then, post hoc, give a proof that it meets a specification. If we do this the possibility exists that the program developed doesn't perform as it ought; we should instead try to develop the program in such a way that it must behave according to specification.

A useful analogy here is with the types in a programming language. If we use a typed language, we are prevented by the rules of syntax from forming an expression which will lead to a type error when the program is executed. We could prove that a similar program in an untyped language shares this property, but we would have to do this for each program developed, whilst in the typed language it is guaranteed in every case.

Our aim, then, is to design a language in which correctness is guaranteed. We look in particular for a functional programming language with this property, as semantically the properties of these languages are the most straightforward, with a program simply being a value of a particular explicit type, rather than a state transformer.

How will the new language differ from the languages with which we are familiar?

• The type system will have to be more powerful. This is because we will express a specification by means of a statement of the form

    p : P

  which is how we write 'the value p has the type P'. The language of types in current programming languages can express the domain and range of a function, say, but cannot express the constraint that for every input value (of numeric type), the result is the positive square root of the value.

• If the language allows general recursion, then every type contains at least one value, defined by the equation x = x. This mirrors the observation that a non-terminating program meets every specification if we are only concerned with partial correctness. If we require total correctness we will need to design a language which only permits the definition of total functions and fully-defined objects. At the same time we must make sure that the language is expressive enough to be usable practically.

To summarise, from the programming side, we are interested in developing a language in which correctness is guaranteed just as type-correctness is guaranteed in most contemporary languages. In particular, we are looking for a system of types within which we can express logical specifications.

Constructive Logic

Classical logic is accepted as the standard foundation of mathematics. At its basis is a truth-functional semantics which asserts that every proposition is true or false, so making valid assertions like A ∨ ¬A, ¬¬A ⇒ A and

    ¬∀x.¬P(x) ⇒ ∃x.P(x)

which can be given the gloss

    If it is contradictory for no object x to have the property P(x), then there is an object x with the property P(x)

This is a principle of indirect proof, which has formed a cornerstone of modern mathematics since it was first used by Hilbert in his proof of the Basis Theorem about one hundred years ago. The problem with the principle is that it asserts the existence of an object without giving any indication of what the object is. It is a non-constructive method of proof, in other words. We can give a different, constructive, rendering of mathematics, based on the work of Brouwer, Heyting, Bishop and many others, in which every statement has computational content; in the light of the discussion above it is necessary to reject classical logic and to look for modes of reasoning which permit only constructive derivations.

To explain exactly what can be derived constructively, we take a different foundational perspective. Instead of giving a classical, truth-functional, explanation of what is valid, we will explain what it means for a particular object p to be a proof of the proposition P. Our logic is proof-functional rather than truth-functional.

The crucial explanation is for the existential quantifier. An assertion that ∃z.P(z) can only be deduced if we can produce an a with the property P(a). A proof of ∃z.P(z) will therefore be a pair, (a, p), consisting of an object a and a proof that a does in fact have the property P. A universal statement ∀z.Q(z) can be deduced only if there is a function taking any object a to a proof that Q(a). If we put these two explanations together, a constructive proof of the statement

    ∀x.∃y.R(x, y)

can be seen to require that there is a function, f say, taking any a to a value so that

    R(a, f a)

Here we see that a constructive proof has computational content, in the shape of a function which gives an explicit witness value f a for each a.

The other proof conditions are as follows. A proof of the conjunction A ∧ B can be seen as a pair of proofs, (p, q), with p a proof of A and q of B. A proof of the implication A ⇒ B can be seen as a proof transformation: given a proof of A, we can produce a proof of B from it. A proof of the disjunction A ∨ B is either a proof of A or a proof of B, together with an indication of which (A or B). The negation ¬A is defined to be the implication A ⇒ ⊥, where ⊥ is the absurd or false proposition, which has no proof but from which we can infer anything. A proof of ¬A is thus a function taking a proof of A to a proof of absurdity.

Given these explanations, it is easy to see that the law of the excluded middle will not be valid, as for a general A we cannot say that either A or ¬A is provable. Similarly, the law of indirect proof will not be valid.

Having given the background from both computing and logic, we turn to examining the link between the two.

The Curry Howard Isomorphism


The entral theme of this book is that we an see propositions and types
as the same, the propositions-as-types notion, also known as the Curry
Howard isomorphism, after two of the (many) logi ians who observed the
orresponden e.
We have seen that for our onstru tive logi , validity is explained by
des ribing the ir umstan es under whi h `p is a proof of the proposition
P '. To see P as a type, we think of it as the type of its proofs. It is then
apparent that familiar onstru ts in logi and programming orrespond to
ea h other. We shall write
p:P
to mean, inter hangeably, `p is of type P ' and `p is a proof of proposition
P '.
The proofs of A ^ B are pairs (a; b) with a from A and b from B |
the onjun tion forms the Cartesian produ t of the propositions as types.
Proofs of A ) B are fun tions from A to B , whi h is lu ky as we use the
same notation for impli ation and the fun tion spa e. The type A _ B is
the disjoint union or sum of the types A and B , the absurd proposition,
?, whi h has no proofs, is the empty type, and so on.
The orresponden e works in the other dire tion too, though it is slightly
more arti ial. We an see the type of natural numbers N as expressing
the proposition `there are natural numbers', whi h has the ( onstru tive!)
proofs 0; 1; 2; : : :.
One elegant aspe t of the system is in the hara terisation of indu tive
types like the natural numbers and lists. Fun tional programmers will
be familiar with the idea that fun tions de ned by re ursion have their
properties proved by indu tion; in this system the prin iples of indu tion
and re ursion are identi al.
The dual view of the system as a logi and a programming language
an enri h both aspe ts. As a logi , we an see that all the fa ilities of
a fun tional programming language are at our disposal in de ning fun -
tions whi h witness ertain properties and so forth. As a programming
language, we gain various novel features, and in parti ular the quanti ed
types give us dependent fun tion and sum types. The dependent fun tion
spa e (8x : A) : B (x) generalises the standard fun tion spa e, as the type
of the result B (a) depends on the value a : A. This kind of dependen e is
usually not available in type systems. One example of its use is in de ning
5

array operations parametrised on the dimension of the array, rather than


on the type of the array elements. Dependent sum types (9x : A) : B (x)
an be used to represent modules and abstra t data types amongst other
things.
More radi ally, we have the possibility of ombining veri ation and
programming, as types an be used to represent propositions. As an ex-
ample onsider the existential type again. We an think of the elements
of (9x : A) : B (x) as obje ts a of type A with the logi al property B (a),
witnessed by the proof b : B (a). We an give a third interpretation to p : P ,
in the ase that P is an existential proposition:
(a; b) : (9x : A) : B (x)
an be read thus:
a of type A meets the spe i ation B (x), as proved by b : B (a)
This ful lls the promise made in the introdu tion to logi that we would
give a system of types strong enough to express spe i ations. In our ase
the logi is an extension of many-sorted, rst-order predi ate logi , whi h is
ertainly suÆ ient to express all pra ti al requirements. The system here
integrates the pro ess of program development and proof: to show that a
program meets a spe i ation we provide the program/proof pair.
As an aside, note that it is misleading to read $p : P$ as saying `$p$ meets specification $P$' when $P$ is an arbitrary proposition, an interpretation which seems to be suggested by much of the literature on type theory. This is because such statements include simple typings like
$$plus : N \Rightarrow N \Rightarrow N$$
in which case the right-hand side is a woeful under-specification of addition! The specification statement is an existential proposition, and objects of that type include an explicit witness to the object having the required property: in other words we can only state that a program meets its specification when we have a proof of correctness for it.
We mentioned that one motivation for re-interpreting mathematics in a constructive form was to extract algorithms from proofs. A proof of a statement like
$$\forall x.\, \exists y.\, R(x, y)$$
contains a description of an algorithm taking any $x$ into a $y$ so that $R(x, y)$. The logic we described makes explicit the proof terms. On the other hand it is instead possible to suppress explicit mention of the proof objects, and extract algorithms from more succinct derivations of logical theorems, taking us from proofs to programs. This idea has been used with much success in the Nuprl system developed at Cornell University, and indeed in other projects.

Background
Our exposition of type theory and its applications will make continual reference to the fields of functional programming and constructivism. Separate introductions to these topics are provided by the introduction to chapter 2 and by chapter 3 respectively. The interested reader may care to refer to these now.
Section 9.2 contains some concluding remarks.
Chapter 1

Introduction to Logic

This chapter constitutes a short introduction to formal logic, which will establish notation and terminology used throughout the book. We assume that the reader is already familiar with the basics of logic, as discussed in the texts [Lem65, Hod77] for example.
Logic is the science of argument. The purposes of formalization of logical systems are manifold.
• The formalization gives a clear characterisation of the valid proofs in the system, against which we can judge individual arguments, so sharpening our understanding of informal reasoning.
• If the arguments are themselves about formal systems, as is the case when we verify the correctness of computer programs, the argument itself should be written in a form which can be checked for correctness. This can only be done if the argument is formalized, and correctness can be checked mechanically. Informal evidence for the latter requirement is provided by Principia Mathematica [RW10] which contains numerous formal proofs; unfortunately, many of the proofs are incorrect, a fact which all too easily escapes the human proof-reader's eye.
• As well as looking at the correctness or otherwise of individual proofs in a formal theory, we can study its properties as a whole. For example, we can investigate its expressive strength, relative to other theories, or to some sort of meaning or semantics for it. This work, which is predominantly mathematical in nature, is called mathematical logic, more details of which can be found in [Men87a] amongst others.

As we said earlier, our aim is to provide a formal system in which arguments for the validity of particular sentences can be expressed. There are a number of different styles of logical system; here we look at natural deduction systems for first propositional and then predicate logic.

1.1 Propositional Logic


Propositional logic formalises arguments which involve the connectives such as `and', `or', `not', `implies' and so on. Using these connectives we build complex propositions starting from the propositional variables or atomic propositions.
Definition 1.1 Our syntax is given formally by stating that a formula is either
• a propositional variable $X_0, X_1, X_2, \ldots$, or
• a compound formula of the form
$$(A \wedge B) \qquad (A \Rightarrow B) \qquad (A \vee B)$$
$$\bot \qquad (A \Leftrightarrow B) \qquad (\neg A)$$
where $A$ and $B$ are formulas.
The compound formulas above are intended to represent the following informal combinations, in the same order:
$$A \text{ and } B \qquad A \text{ implies } B \qquad A \text{ or } B$$
$$\text{False} \qquad A \text{ if and only if } B \qquad \text{not } A$$
We shall adopt the convention that capital italic letters $A$, $B$, ... stand for arbitrary formulas. (In more formal terms these are variables in the meta-language which is used to discuss the object language introduced by the syntax definition above.) We shall also omit brackets from formulas when no ambiguity can result.
There are two parts to the description of a logical system. We have just introduced the language in which the assertions or propositions are written; we must now describe what are the valid arguments. The valid arguments are called the proofs or derivations of the system.
The general form of an argument is to infer a conclusion on the basis of some (or possibly no) assumptions. Larger derivations are built up inductively from smaller ones by the application of deduction rules. The simplest derivations are introduced by the rule of assumptions, which states that any formula $A$ can be derived from the assumption of $A$ itself.
Assumption Rule
The proof
$$A$$
is a proof of the formula $A$ from the assumption $A$.
More complex derivations are built by combining simpler ones. The first example of a rule which builds a composite derivation is the rule of conjunction introduction. Derivations of the two halves of the conjunction are combined by this rule to give a derivation of the conjunction itself.
$\wedge$ Introduction
From proofs of $A$ and $B$ we can infer $A \wedge B$ by the rule of conjunction introduction. The rule is written
$$\dfrac{A \qquad B}{A \wedge B}\,(\wedge I)$$
The assumptions upon which the proof of $A \wedge B$ depends are those of the proofs of $A$ and $B$ combined.
A simple proof can be built from the two rules we have seen so far
$$\dfrac{\dfrac{A \qquad B}{(A \wedge B)}\,(\wedge I) \qquad\qquad \dfrac{A \qquad C}{(A \wedge C)}\,(\wedge I)}{((A \wedge B) \wedge (A \wedge C))}\,(\wedge I)$$
At the leaves of the tree which represents the proof we find the assumptions, $A$, appearing twice, and $B$ and $C$ appearing once. Applying the introduction rule for conjunction three times, we have inferred the conjunction from its constituent parts.
The rule above was called the $\wedge$-introduction rule, since it shows how a formula whose top-level connective is a conjunction can be introduced. The rule states that we can introduce a conjunction when we have proofs of its two component halves. Conversely, we have a rule which states what we can infer on the basis of a conjunction; in other words it tells us when we can eliminate a conjunction.
$\wedge$ Elimination
From a proof of $A \wedge B$ we can infer both $A$ and $B$ by the rules of conjunction elimination. The rules are written
$$\dfrac{A \wedge B}{A}\,(\wedge E_1) \qquad\qquad \dfrac{A \wedge B}{B}\,(\wedge E_2)$$
The assumptions upon which the proofs of $A$ and $B$ depend are those of the proof of $A \wedge B$.
We have another example which combines the use of the rules of introduction and elimination. From the assumption $(A \wedge B) \wedge C$ we have
$$\dfrac{\dfrac{(A \wedge B) \wedge C}{A \wedge B}\,(\wedge E_1)}{A}\,(\wedge E_1)$$
and
$$\dfrac{\dfrac{\dfrac{(A \wedge B) \wedge C}{A \wedge B}\,(\wedge E_1)}{B}\,(\wedge E_2) \qquad\qquad \dfrac{(A \wedge B) \wedge C}{C}\,(\wedge E_2)}{B \wedge C}\,(\wedge I)$$
Putting these proofs together we have
$$\dfrac{\begin{array}{c}(A \wedge B) \wedge C\\ \vdots\\ A\end{array} \qquad\qquad \begin{array}{c}(A \wedge B) \wedge C\\ \vdots\\ B \wedge C\end{array}}{A \wedge (B \wedge C)}\,(\wedge I)$$
This proof exhibits the associativity of the conjunction operation, a fact with which we are familiar. Note that the single assumption upon which the proof depends is the formula $(A \wedge B) \wedge C$, with the assumption appearing at three different points in the proof.
There is another way in which we can read the elimination rules. Note that the introduction rule states that we can infer $A \wedge B$ from $A$ and $B$. The elimination rules state that this is (essentially) the only way we can infer it, since they state that if we can prove $A \wedge B$ then we can prove each of the component formulae.
In giving the rules for implication, $\Rightarrow$, we first take an informal look at what the connective is meant to mean. We think of $A \Rightarrow B$ as expressing $A$ implies $B$ or that we can deduce $B$ from $A$. In other words we would like to conclude $A \Rightarrow B$ when we have a deduction of $B$ assuming $A$. What are the assumptions upon which this new proof of $A \Rightarrow B$ depends? All those on which the proof of $B$ depends, except the assumption $A$ itself. The reason that we no longer depend upon $A$ is that $A$ has become the hypothesis in the formula $A \Rightarrow B$; this expresses through a formula of the logic that we can deduce $B$ from $A$.
This is reinforced by the elimination rule for $\Rightarrow$ which states that given proofs of $A$ and $A \Rightarrow B$, we can infer $B$. Now we state the rules.
$\Rightarrow$ Introduction
From a proof of the formula $B$, which may depend upon the assumption $A$ amongst others, we can infer the formula $A \Rightarrow B$ from the same set of assumptions with $A$ removed. We write this thus
$$\dfrac{\begin{array}{c}[A]\\ \vdots\\ B\end{array}}{A \Rightarrow B}\,(\Rightarrow I)$$
where the square brackets around the $A$ indicate that all occurrences of the assumption $A$ in the proof of $B$ are to be discharged. It should be stressed that the proof of the formula $B$ need not contain the assumption $A$ for this rule to be applied. We shall see an example of this in the proof of
$$B \Rightarrow (A \Rightarrow B)$$
which appears later in this section.
In a substantial proof there will be many occurrences of rules which discharge assumptions. In order to make the link between the discharged assumption and the instance of the rule discharging it, we use labels, as in the schematic
$$\dfrac{\begin{array}{c}[A]^1\\ \vdots\\ B\end{array}}{A \Rightarrow B}\,(\Rightarrow I)^1$$
We shall see further examples of the use of labels after seeing the rule for implication elimination.
$\Rightarrow$ Elimination
From proofs of the formulas $A$ and $A \Rightarrow B$ we can infer the formula $B$. The assumptions upon which the proof of $B$ depends are those of the proofs of $A$ and $A \Rightarrow B$ combined. The rule is written
$$\dfrac{A \qquad A \Rightarrow B}{B}\,(\Rightarrow E)$$
Now we can consider a more complicated example,
$$\dfrac{\dfrac{A \qquad B}{A \wedge B}\,(\wedge I) \qquad\qquad (A \wedge B) \Rightarrow C}{C}\,(\Rightarrow E)$$
We can discharge the three assumptions $B$, $A$ and $(A \wedge B) \Rightarrow C$ in turn, giving first
$$\dfrac{\dfrac{\dfrac{A \qquad [B]^1}{A \wedge B}\,(\wedge I) \qquad\qquad (A \wedge B) \Rightarrow C}{C}\,(\Rightarrow E)}{B \Rightarrow C}\,(\Rightarrow I)^1$$
and finally
$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{[A]^2 \qquad [B]^1}{A \wedge B}\,(\wedge I) \qquad\qquad [(A \wedge B) \Rightarrow C]^3}{C}\,(\Rightarrow E)}{B \Rightarrow C}\,(\Rightarrow I)^1}{A \Rightarrow (B \Rightarrow C)}\,(\Rightarrow I)^2}{((A \wedge B) \Rightarrow C) \Rightarrow (A \Rightarrow (B \Rightarrow C))}\,(\Rightarrow I)^3$$
In this example, we see how a deduction can be free of assumptions. As the deduction proceeds, we eliminate all the assumptions we have introduced. Other formulas we can derive in this way include $A \Rightarrow A$, derived thus:
$$\dfrac{[A]}{A \Rightarrow A}\,(\Rightarrow I)$$
and the formula $B \Rightarrow (A \Rightarrow B)$, "if $B$ is true then it is a consequence of any formula $A$", which is deduced as follows. First observe that in describing the introduction rule, we said that the deduction of $B$ from $A$ may involve the assumption $A$. It is not forced to, and we can infer $A \Rightarrow B$ from a proof of $B$ not involving $A$. In proving $B \Rightarrow (A \Rightarrow B)$ we first introduce the assumption $B$, then discharge the assumption $A$, and finally discharge the assumption $B$. It is written thus
$$\dfrac{\dfrac{[B]^2}{A \Rightarrow B}\,(\Rightarrow I)^1}{B \Rightarrow (A \Rightarrow B)}\,(\Rightarrow I)^2$$
Note that there is no occurrence of an assumption labelled 1; this indicates that the discharge of $A$ is trivial, as we discussed above.
The third connective we consider is the disjunction operator, the formula $A \vee B$ meaning $A$ or $B$. How can we introduce a disjunction? When one of the disjuncts is valid.
$\vee$ Introduction
We can introduce $A \vee B$ if we have either a proof of $A$ or a proof of $B$. The assumptions of the proof of $A \vee B$ are those of the proof of $A$ or $B$. We write the rules thus:
$$\dfrac{A}{A \vee B}\,(\vee I_1) \qquad\qquad \dfrac{B}{A \vee B}\,(\vee I_2)$$
Suppose we know that a particular formula $C$ is a consequence of $A$ and is a consequence of $B$; it should then be a consequence of $A \vee B$. This gives the law of $\vee$ elimination
$\vee$ Elimination
If we have a proof of $A \vee B$, a proof of $C$ from $A$ (i.e. a proof of $C$ which might have $A$ amongst its assumptions) and a proof of $C$ from $B$ then we can infer $C$. The assumption of $A$ in the first proof of $C$, and the assumption of $B$ in the second are discharged. This is written:
$$\dfrac{A \vee B \qquad \begin{array}{c}[A]\\ \vdots\\ C\end{array} \qquad \begin{array}{c}[B]\\ \vdots\\ C\end{array}}{C}\,(\vee E)$$
A further example is given by the following derivation in which we see discharge of assumptions due to both $(\Rightarrow I)$ and $(\vee E)$. We look at a proof in which we have a disjunctive assumption $A \vee B$. The elimination rule is one way to use the assumption: we prove a result assuming $A$ and then assuming $B$; from these proofs we get a proof from $A \vee B$. Suppose that we also assume $(A \Rightarrow C) \wedge (B \Rightarrow C)$, now
$$\dfrac{A \qquad \dfrac{(A \Rightarrow C) \wedge (B \Rightarrow C)}{(A \Rightarrow C)}\,(\wedge E_1)}{C}\,(\Rightarrow E)$$
and in an analogous way we have the result from the assumption $B$,
$$\dfrac{B \qquad \dfrac{(A \Rightarrow C) \wedge (B \Rightarrow C)}{(B \Rightarrow C)}\,(\wedge E_2)}{C}\,(\Rightarrow E)$$
Using disjunction elimination, we have
$$\dfrac{A \vee B \qquad \begin{array}{c}[A]^1 \qquad (A \Rightarrow C) \wedge (B \Rightarrow C)\\ \vdots\\ C\end{array} \qquad \begin{array}{c}[B]^1 \qquad (A \Rightarrow C) \wedge (B \Rightarrow C)\\ \vdots\\ C\end{array}}{C}\,(\vee E)^1$$
and now we discharge the remaining assumptions to give
$$\dfrac{\dfrac{\begin{array}{c}[A \vee B]^2, \; [(A \Rightarrow C) \wedge (B \Rightarrow C)]^3\\ \vdots\\ C\end{array}}{((A \vee B) \Rightarrow C)}\,(\Rightarrow I)^2}{((A \Rightarrow C) \wedge (B \Rightarrow C)) \Rightarrow ((A \vee B) \Rightarrow C)}\,(\Rightarrow I)^3$$
The final connective we introduce is `absurdity', or `the false proposition', $\bot$, using which we can define negation. How is $\bot$ characterised? The fact that $\bot$ means contradiction or absurdity suggests that there is no way of introducing the proposition and so no introduction rule. How do we eliminate $\bot$? If it occurs, then we have absurdity, implying everything. This rule is sometimes known under the Latin `ex falso quodlibet'.
$\bot$ Elimination
From a proof of $\bot$ we can infer any formula $A$. The assumptions of the latter proof are those of the former. This is written thus:
$$\dfrac{\bot}{A}\,(\bot E)$$
We define the negation of $A$, $\neg A$, by
$$\neg A \equiv_{df} (A \Rightarrow \bot)$$
We can show that the standard introduction and elimination rules for $\neg$ which follow
$$\dfrac{\begin{array}{c}[A]\\ \vdots\\ B\end{array} \qquad \begin{array}{c}[A]\\ \vdots\\ \neg B\end{array}}{\neg A}\,(\neg I) \qquad\qquad \dfrac{A \qquad \neg A}{B}\,(\neg E)$$
can be derived from the definition and the rules given above. In a similar way we define the bi-implication, $A \Leftrightarrow B$, by
$$(A \Leftrightarrow B) \equiv_{df} (A \Rightarrow B) \wedge (B \Rightarrow A)$$
and we can derive rules for $A \Leftrightarrow B$ from this.
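To make the bookkeeping of assumptions and discharges concrete, here is a small checker for natural deduction proofs in the propositional fragment above. It is an added example written for this edition, not code from the book: formulas and proofs are encoded as Python tuples (an encoding chosen here, not the book's notation), and `check` computes the conclusion of a proof together with the assumptions it still depends on, exactly as the rules prescribe. The three theorems proved on the page are encoded with the same labels used in the diagrams, negation is the defined connective $A \Rightarrow \bot$, and `well_formed` reports whether every rule application is legitimate.

```python
# Added example (not from the book): a checker for natural deduction proofs in
# the propositional fragment of section 1.1. Formulas and proofs are tuples;
# check() returns the conclusion and the undischarged assumptions of a proof,
# and raises ValueError when a rule is misapplied.

BOT = ('bot',)

def var(name): return ('var', name)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)
def neg(a): return imp(a, BOT)          # negation is defined as A => bottom

def check(proof):
    """Return (conclusion, open_assumptions) for a proof tree.

    open_assumptions is a frozenset of (formula, label) pairs; labels are the
    integers the book uses to link a discharged assumption to the rule that
    discharges it (None for assumptions never discharged).
    """
    rule, *args = proof
    if rule == 'assume':                       # Assumption rule
        formula, label = args
        return formula, frozenset({(formula, label)})
    if rule == 'andI':                         # (&I)
        (a, sa), (b, sb) = check(args[0]), check(args[1])
        return conj(a, b), sa | sb
    if rule in ('andE1', 'andE2'):             # (&E1), (&E2)
        f, s = check(args[0])
        if f[0] != 'and':
            raise ValueError('andE needs a conjunction, got %r' % (f,))
        return (f[1] if rule == 'andE1' else f[2]), s
    if rule == 'impI':                         # (=>I): discharges [A]^label
        a, label, sub = args
        b, s = check(sub)
        return imp(a, b), frozenset(x for x in s if x != (a, label))
    if rule == 'impE':                         # (=>E): antecedents must match
        (a, sa), (ab, sab) = check(args[0]), check(args[1])
        if ab[0] != 'imp' or ab[1] != a:
            raise ValueError('impE: %r is not the antecedent of %r' % (a, ab))
        return ab[2], sa | sab
    if rule in ('orI1', 'orI2'):               # (vI1), (vI2): other disjunct given
        other, sub = args
        f, s = check(sub)
        return (disj(f, other) if rule == 'orI1' else disj(other, f)), s
    if rule == 'orE':                          # (vE): discharges [A]^l and [B]^l
        sub_or, label, left, right = args
        ab, s0 = check(sub_or)
        if ab[0] != 'or':
            raise ValueError('orE needs a disjunction, got %r' % (ab,))
        c1, s1 = check(left)
        c2, s2 = check(right)
        if c1 != c2:
            raise ValueError('orE: the two branches prove different formulas')
        s1 = frozenset(x for x in s1 if x != (ab[1], label))
        s2 = frozenset(x for x in s2 if x != (ab[2], label))
        return c1, s0 | s1 | s2
    if rule == 'botE':                         # (bottom E): ex falso quodlibet
        a, sub = args
        f, s = check(sub)
        if f != BOT:
            raise ValueError('botE needs a proof of bottom, got %r' % (f,))
        return a, s
    raise ValueError('unknown rule %r' % (rule,))

def is_theorem(proof):
    """True when the proof is well-formed and depends on no assumptions."""
    return check(proof)[1] == frozenset()

def well_formed(proof):
    """True when every rule in the proof is applied correctly."""
    try:
        check(proof)
        return True
    except ValueError:
        return False

A, B, C = var('A'), var('B'), var('C')

# The page's worked example ((A & B) => C) => (A => (B => C)), labels as drawn.
CURRY = ('impI', imp(conj(A, B), C), 3,
         ('impI', A, 2,
          ('impI', B, 1,
           ('impE', ('andI', ('assume', A, 2), ('assume', B, 1)),
                    ('assume', imp(conj(A, B), C), 3)))))

# B => (A => B): the (=>I)^1 step discharges nothing, as the text remarks.
WEAKEN = ('impI', B, 2, ('impI', A, 1, ('assume', B, 2)))

# ((A => C) & (B => C)) => ((A v B) => C), combining (vE) and (=>I).
H = conj(imp(A, C), imp(B, C))
CASES = ('impI', H, 3,
         ('impI', disj(A, B), 2,
          ('orE', ('assume', disj(A, B), 2), 1,
           ('impE', ('assume', A, 1), ('andE1', ('assume', H, 3))),
           ('impE', ('assume', B, 1), ('andE2', ('assume', H, 3))))))

# The derived rule (~E): from A and ~A conclude any B via (=>E) and (bottom E).
NEG_E = ('botE', B, ('impE', ('assume', A, None), ('assume', neg(A), None)))

# A misapplied (=>E): B is not the antecedent of A => C, so check() rejects it.
BAD = ('impE', ('assume', B, None), ('assume', imp(A, C), None))
```

`check(CURRY)`, `check(WEAKEN)` and `check(CASES)` each return the formula at the root of the corresponding diagram with an empty assumption set, so `is_theorem` holds for all three; `check(NEG_E)` returns `B` together with the two open assumptions `A` and `¬A`, which is the derived rule of exercise 1.6; and `well_formed(BAD)` is false. Rejecting a mismatched antecedent at every `(⇒E)` step is exactly the check a proof assistant's kernel performs, and it is why a formal proof, unlike the ones in Principia mentioned above, cannot quietly contain an invalid step.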
Exercises
1.1. Give a proof of the transitivity of implication, by showing that we can derive $A \Rightarrow C$ from the assumptions $A \Rightarrow B$ and $B \Rightarrow C$.
1.2. Give a proof of $((A \vee B) \Rightarrow C) \Rightarrow ((A \Rightarrow C) \wedge (B \Rightarrow C))$.
1.3. Give a proof of $(A \Rightarrow (B \Rightarrow C)) \Rightarrow ((A \wedge B) \Rightarrow C)$.
1.4. Give proofs of $(A \Rightarrow B) \Rightarrow (\neg B \Rightarrow \neg A)$ and $A \Rightarrow \neg\neg A$.
1.5. From the assumption $(A \vee B)$ prove $\neg(\neg A \wedge \neg B)$.
1.6. Give derivations of the rules $(\neg I)$ and $(\neg E)$ given above. In other words
• Show that from proofs of $B$ and $\neg B$ from the assumption $A$ among others, we can find a proof of $\neg A$ without the assumption $A$.
• Show that from proofs of $A$ and $\neg A$ we can find a proof of any proposition $B$.

The system introduced above is intuitionistic, or constructive. Such systems form the main focus of this book, but it is worth remarking on the means by which we extend the system to a classical one. Classical logic is based on a truth-functional theory of meaning, in which every proposition is considered to be either true or false. This means that it is a general truth that for every proposition $A$, $A \vee \neg A$ is true: the law of the excluded middle. To put this in the form of the rules above, we have a rule with no hypotheses:
$$\dfrac{}{A \vee \neg A}\,(EM)$$
Alternative rules which characterise classical logic (as an extension of the intuitionistic logic above) are the rule of double negation
$$\dfrac{\neg\neg A}{A}\,(DN)$$
and the (classical) rule of proof by contradiction
$$\dfrac{\begin{array}{c}[\neg A]\\ \vdots\\ B\end{array} \qquad \begin{array}{c}[\neg A]\\ \vdots\\ \neg B\end{array}}{A}\,(CC)$$
Exercises
1.7. Show that the three characterisations of classical logic (as an extension of the intuitionistic system above) are equivalent.
1.8. Using one of the classical systems, give a derivation of the formula $((A \Rightarrow B) \Rightarrow A) \Rightarrow A$, which is known as Peirce's Law.
1.2 Predicate Logic


In this section we look at predicate logic, that is the logic of properties or predicates. In our exploration of propositional logic, the simplest propositions were "atomic" or unanalysed. Here we build a system in which the propositions are built up from statements to the effect that certain objects have certain properties, or that certain objects are equal.
Syntactically, our language will have two categories, formulas and terms.
Definition 1.2 Terms are intended to denote objects, and have one of the forms below:
individual variables, or simply variables, $v_0, v_1, v_2, \ldots$. We shall write $x, y, z, u, v, \ldots$ for arbitrary individual variables in the following exposition.
individual constants $c_0, c_1, c_2, \ldots$. We shall use $a, b, c, \ldots$ for arbitrary constants below.
composite terms. These are formed by applying function symbols to other terms. Each function symbol has an arity, $1, 2, \ldots$; an $n$-ary function symbol $f_{n,m}$ takes $n$ argument terms $t_1, \ldots, t_n$ in forming the term
$$f_{n,m}(t_1, \ldots, t_n)$$
We will use $f, g, h, \ldots$ to denote arbitrary function symbols in what follows.
We will use $s, t, t_1, \ldots$ as a notation for arbitrary terms.
Note that we can think of constants as 0-ary function symbols, if we so wish, and also that the variables we have introduced here are intended to stand for objects, and not for propositions as did our propositional variables above. Our propositions are formed as follows.
Definition 1.3
Atomic formulas are of two forms. The first is
$$P_{n,m}(t_1, \ldots, t_n)$$
where $P_{n,m}$ is an $n$-ary predicate symbol and $t_1, \ldots, t_n$ are terms. This formula is intended to express the fact that the relation represented by the predicate symbol $P_{n,m}$ holds of the sequence of values denoted by $t_1, \ldots, t_n$. We will use $P, Q, R, \ldots$ for arbitrary predicate symbols.
Equality is taken to be a primitive of the system, so another class of formulas are the equalities
$$t_1 = t_2$$
where $t_1$ and $t_2$ are terms.
Propositional combinations of formulas under the propositional connectives $\vee, \wedge, \Rightarrow, \Leftrightarrow, \neg$.
Quantified formulas
$$\forall x.\,A \qquad\qquad \exists x.\,B$$
where as in the propositional case we use $A, B, \ldots$ for arbitrary formulas, as well as using $x$ for an arbitrary variable.
The quantifiers $\forall$ (for all) and $\exists$ (there exists) are intended to express the assertions that a particular formula holds for all objects and for some object, respectively. (Hence the name `quantifier'; quantified formulas express the quantity of objects with a particular property.)
To reinforce the intuitive interpretation of the quantifiers, we now look at their use in expressing various properties. In each particular case, there will be an intended domain of application of the quantifiers, so that "for all" will mean "for all fish", "for all real numbers" and so on. We assume for these examples that our domain of discourse is the natural numbers, so that the quantifiers will range over $0, 1, 2, \ldots$. Moreover, we assume that the (infix) predicate symbol $<$ is chosen so that $x < y$ expresses
`$y$ is greater than $x$'
Suppose first that $f$ is a function. We say that a value is in the range of $f$ if it is the value of $f$ at some argument. How can we state in logical terms that $m$ is the maximum value in the range? First we say that $m$ is in the range
$$\exists i.\,(f(i) = m)$$
and then that $m$ is greater than or equal to every element in the range
$$\forall j.\,(f(j) \leq m)$$
The complete property is expressed by the conjunction of the formulas:
$$\exists i.\,(f(i) = m) \wedge \forall j.\,(f(j) \leq m)$$
A second example shows that the order in which we write different quantifiers is significant. What does
$$\forall x.\,\exists y.\,(x < y)$$
express intuitively? For every $x$, there is a $y$ greater than $x$. Clearly this is true, as given a particular $x$ we can choose $y$ to be $x + 1$. The $y$s asserted to exist can, and in general will, be different for different $x$s; $y$ can be thought of as a function of $x$, in fact. On the other hand
$$\exists y.\,\forall x.\,(x < y)$$
asserts that there is a single number $y$ with the property that
$$\forall x.\,(x < y)$$
That is, this $y$ is greater than every number (including itself!), clearly a falsehood.
Exercises
1.9. With the same interpretation for the predicate $x < y$ as above, express the property that "between every distinct pair of numbers there is a number".
1.10. How would you express the following properties of the function $f$ (from natural numbers to natural numbers, for example)
$f$ is a one-to-one function
$f$ is an onto function
the function $f$ respects the relation $<$?

1.2.1 Variables and substitution


Before we supply the rules for the quantifiers, we have to consider the rôle of variables, and in particular those which are involved in quantified formulas. Remember that when we define a procedure in a programming language like Pascal, the formal parameters have a special property: they are `dummies' in the sense that all the occurrences of a formal parameter can be replaced by any other variable, so long as that variable is not already `in use' in the program. Quantified variables have a similar property. For instance, the formula
$$\forall x.\,\forall y.\,(P(x, y) \Rightarrow P(y, x))$$
expresses exactly the same property as
$$\forall w.\,\forall q.\,(P(w, q) \Rightarrow P(q, w))$$
Now we introduce some terminology.
Definition 1.4 An occurrence of a variable $x$ within a sub-formula $\forall x.\,A$ or $\exists x.\,A$ is bound; all other occurrences are free. We say that a variable $x$ occurs free in a formula $A$ if some occurrence of $x$ is free in $A$. A variable $x$ is bound by the syntactically innermost enclosing quantifier $\forall x$ or $\exists x$, if one exists, just as in any block-structured programming language.
The same variable may occur both bound and free in a single formula. For example, the second occurrence of $x$ is bound in
$$\forall y.\,(x > y \wedge \forall x.\,(P(x) \Rightarrow P(y)) \wedge Q(y, x))$$
whilst the first and third occurrences are free.
In what follows we will need to substitute arbitrary terms, $t$ say, for variables $x$ in formulas $A$. If the formula $A$ is without quantifiers, we simply replace every occurrence of $x$ by $t$, but in general, we only replace the free occurrences of $x$ by $t$; the bound variable $x$ is a dummy, used to express a universal or existential property, not a property of the object named $x$.
There is a problem with the definition of substitution, which has not always been defined correctly by even the most respected of logicians! The term $t$ may contain variables, and these may become bound by the quantifiers in $A$. This is called variable capture. Consider the particular example of
$$\exists y.\,(y > x)$$
This asserts that for $x$ we can find a value of $y$ so that $x < y$ holds. Suppose that we substitute the term $y + 1$ for $x$. We obtain the expression
$$\exists y.\,(y > y + 1)$$
(`$+$' is an infix function symbol, an addition to the notation which we shall use for clarity). The $y$ in the term $y + 1$ which we have substituted has been captured by the $\exists y$ quantifier. The name of the quantified variable was meant to be a dummy; because of this we should ensure that we change its name before performing the substitution to avoid the capture of variables. In the example we would first substitute a new variable, $z$ say, for the bound variable $y$, thus:
$$\exists z.\,(z > x)$$
and after that we would perform the substitution of $y + 1$ for $x$,
$$\exists z.\,(z > y + 1)$$
We shall use the notation $A[t/x]$ for the formula $A$ with the term $t$ substituted for $x$. The definition is by induction over the syntactic structure of the formula $A$. First we define substitution of $t$ for $x$ within a term $s$, for which we use the notation $s[t/x]$. In the definition we also use `$\equiv$' for `is identical with'.
Definition 1.5 The substitution $s[t/x]$ is defined thus:
• $x[t/x] \equiv_{df} t$ and for a variable $y \not\equiv x$, $y[t/x] \equiv_{df} y$
• For composite terms
$$(f_{n,m}(t_1, \ldots, t_n))[t/x] \equiv_{df} f_{n,m}(t_1[t/x], \ldots, t_n[t/x])$$

Definition 1.6 The substitution $A[t/x]$ is defined as follows
• For atomic formulas,
$$(P_{n,m}(t_1, \ldots, t_n))[t/x] \equiv_{df} P_{n,m}(t_1[t/x], \ldots, t_n[t/x])$$
$$(t_1 = t_2)[t/x] \equiv_{df} (t_1[t/x] = t_2[t/x])$$
• Substitution commutes with propositional combinations, so that
$$(A \wedge B)[t/x] \equiv_{df} (A[t/x] \wedge B[t/x])$$
and so on
• If $A \equiv \forall x.\,B$ then $A[t/x] \equiv_{df} A$.
If $y \not\equiv x$, and $A \equiv \forall y.\,B$ then
  – if $y$ does not appear in $t$, $A[t/x] \equiv_{df} \forall y.\,(B[t/x])$.
  – if $y$ does appear in $t$,
  $$A[t/x] \equiv_{df} \forall z.\,(B[z/y][t/x])$$
  where $z$ is a variable which does not appear in $t$ nor $B$. (Note that we have an infinite collection of variables, so that we can always find such a $z$.)
• Substitution into $A \equiv \exists x.\,B$ is defined in an analogous way to $\forall x.\,B$.
• In general, it is easy to see that if $x$ is not free in $A$ then $A[t/x]$ is $A$.
We shall use the notation above for substitution, but also on occasions use a more informal notation for substitution. If we use the notation $A(t)$ we intend this to mean $A[t/x]$ where the variable $x$ should be understood from the context. Note that in writing $A(x)$, say, we neither mean that $x$ occurs in the formula $A$ nor that it is the only variable occurring in $A$ if it occurs; it is simply used to indicate sufficient contextual information.
Throughout the book we shall identify formulas which are the same after change of bound variables.
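The following Python implementation of Definitions 1.5 and 1.6 is an added example, not part of the book. It encodes terms and formulas as tuples (an encoding chosen for this example), implements the capture-avoiding substitution $A[t/x]$ including the renaming clause, and contrasts it with a naive version that substitutes under binders without renaming, on the page's own example $\exists y.\,(y > x)$ with $y + 1$ substituted for $x$. The names `fresh`, `naive_subst` and `alpha_equal` are chosen here; `alpha_equal` implements the identification of formulas up to change of bound variables mentioned in the last sentence above, so that the two formulations of the symmetry property in Definition 1.4 compare equal.

```python
# Added example (not from the book): capture-avoiding substitution for the
# terms and formulas of section 1.2, following Definitions 1.5 and 1.6.
# Terms:    ('var', x) | ('const', c) | ('fn', f, [t1, ..., tn])
# Formulas: ('pred', P, [t1, ..., tn]) | ('eq', s, t) | ('not', A)
#           | ('and'|'or'|'imp'|'iff', A, B) | ('forall'|'exists', x, A)
import itertools

BINDERS = ('forall', 'exists')

def term_vars(t):
    """All variables appearing in a term (terms contain no binders)."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'const':
        return set()
    return set().union(*(term_vars(u) for u in t[2]))

def free_vars(A):
    """Variables with at least one free occurrence in A (Definition 1.4)."""
    tag = A[0]
    if tag == 'pred':
        return set().union(*(term_vars(u) for u in A[2]))
    if tag == 'eq':
        return term_vars(A[1]) | term_vars(A[2])
    if tag in BINDERS:
        return free_vars(A[2]) - {A[1]}        # the binder removes A[1]
    return set().union(*(free_vars(G) for G in A[1:]))

def all_vars(A):
    """Every variable occurring in A, bound or free; used to pick fresh names."""
    tag = A[0]
    if tag in ('pred', 'eq'):
        return free_vars(A)
    if tag in BINDERS:
        return all_vars(A[2]) | {A[1]}
    return set().union(*(all_vars(G) for G in A[1:]))

def fresh(avoid):
    """First of z, z1, z2, ... not in avoid; the supply of variables is infinite."""
    for name in itertools.chain(['z'], ('z%d' % i for i in itertools.count(1))):
        if name not in avoid:
            return name

def subst_term(s, t, x):
    """s[t/x] on terms (Definition 1.5)."""
    if s[0] == 'var':
        return t if s[1] == x else s
    if s[0] == 'const':
        return s
    return ('fn', s[1], [subst_term(u, t, x) for u in s[2]])

def subst(A, t, x):
    """A[t/x] on formulas (Definition 1.6), renaming a bound variable first
    whenever it would capture a variable of t."""
    tag = A[0]
    if tag == 'pred':
        return ('pred', A[1], [subst_term(u, t, x) for u in A[2]])
    if tag == 'eq':
        return ('eq', subst_term(A[1], t, x), subst_term(A[2], t, x))
    if tag not in BINDERS:                     # not, and, or, imp, iff
        return (tag,) + tuple(subst(G, t, x) for G in A[1:])
    y, B = A[1], A[2]
    if y == x:                                 # x is bound here: nothing to replace
        return A
    if y not in term_vars(t):                  # no capture possible
        return (tag, y, subst(B, t, x))
    z = fresh(term_vars(t) | all_vars(B) | {x})   # z appears in neither t nor B
    return (tag, z, subst(subst(B, ('var', z), y), t, x))

def naive_subst(A, t, x):
    """The classic mistake: substitute under binders without renaming."""
    tag = A[0]
    if tag in BINDERS:
        return A if A[1] == x else (tag, A[1], naive_subst(A[2], t, x))
    if tag in ('pred', 'eq'):
        return subst(A, t, x)                  # atomic case is the same
    return (tag,) + tuple(naive_subst(G, t, x) for G in A[1:])

def alpha_equal(A, B):
    """True when A and B differ only in the names of bound variables."""
    def ct(t, env):                            # bound variables become indices
        if t[0] == 'var':
            return ('bound', env[::-1].index(t[1])) if t[1] in env else t
        if t[0] == 'const':
            return t
        return ('fn', t[1], [ct(u, env) for u in t[2]])
    def cf(F, env):
        tag = F[0]
        if tag == 'pred':
            return ('pred', F[1], [ct(u, env) for u in F[2]])
        if tag == 'eq':
            return ('eq', ct(F[1], env), ct(F[2], env))
        if tag in BINDERS:
            return (tag, cf(F[2], env + [F[1]]))
        return (tag,) + tuple(cf(G, env) for G in F[1:])
    return cf(A, []) == cf(B, [])

# Constructed formulas from the text: '>' and '+' are infix symbols there.
def v(x): return ('var', x)
def gt(a, b): return ('pred', '>', [a, b])
def pred(name, *args): return ('pred', name, list(args))
def plus(a, b): return ('fn', '+', [a, b])
ONE = ('const', '1')

EX = ('exists', 'y', gt(v('y'), v('x')))                       # exists y.(y > x)
DEF14 = ('forall', 'y', ('and', ('and', gt(v('x'), v('y')),    # Definition 1.4's
         ('forall', 'x', ('imp', pred('P', v('x')), pred('P', v('y'))))),
         pred('Q', v('y'), v('x'))))                           # example formula
```

`subst(EX, plus(v('y'), ONE), 'x')` yields $\exists z.\,(z > y + 1)$, with $y$ free as it should be, while `naive_subst` yields the captured $\exists y.\,(y > y + 1)$, in which no variable is free at all. Taking the check "$y$ does not appear in $t$" literally, as the definition does, renames slightly more often than strictly necessary; a cheaper test would be "$y$ is not free in $t$", but since terms have no binders the two coincide here.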
Exercises
1.11. Identify the free and bound variables in the formula
$$\forall x.\,(x < y \wedge \forall z.\,(y > z \Rightarrow \exists x.\,(x > z)))$$
and show to which quantifier each bound variable is bound.
1.12. Suppose we want to rename as $y$ the variable $z$ in the formula
$$\forall z.\,\exists y.\,(z < y \wedge y < z)$$
explain how you would change names of bound variables to avoid variable capture by one of the quantifiers.

1.2.2 Quantifier rules


The rules for the quantifiers will explain how we are to introduce and eliminate quantified formulas. In order to find out how to do this we look at the ways in which we use variables. There are two distinct modes of use, which we now explain.
First, we use variables in stating theorems. We intend free variables to be arbitrary values, such as in the trigonometrical formula
$$\sin^2 x + \cos^2 x = 1$$
and indeed we could equally well make the formal statement
$$\forall x.\,(\sin^2 x + \cos^2 x = 1)$$
This is a general phenomenon; if $x$ is arbitrary then we should be able to make the inference
$$\dfrac{A}{\forall x.\,A}$$
This will be our rule for introducing $\forall$, once we have decided what we mean by `arbitrary'.
On the other hand, in the process of proving a theorem we may use variables in a different way. If we make an assumption with a free $x$, $x > 0$ say, and then prove a result like
$$\forall z.\,(z \leq x \vee z \geq 0)$$
then this result is not true for all $x$. (Try $x = -1$!) This is precisely because the $x$ is not arbitrary; we have assumed something about it: that it is greater than zero. In other words, we can say that $x$ is arbitrary if and only if $x$ does not appear free in any of the assumptions of the proof of the result.
We can now state formally our introduction rule for the universal quantifier:
$\forall$ Introduction
For any formula $A$, which may or may not involve the free variable $x$, we can from a proof of $A$ infer $\forall x.\,A$ if $x$ is arbitrary, that is if $x$ does not occur free in any of the assumptions of the proof of $A(x)$. This is called the side condition of the rule.
$$\dfrac{A}{\forall x.\,A}\,(\forall I)$$
The assumptions of the proof derived are the same as those of the proof of $A$. Note that the formula $A$ may or may not involve the free variable $x$, and may involve free variables other than $x$.
The elimination rule for $\forall$ is easier to state. It says that a universally quantified formula is true for an arbitrary object, and so is true of any term. We express this by substituting the term for the quantified variable.
$\forall$ Elimination
From a proof of $\forall x.\,A(x)$ we can infer $A(t)$ for any term $t$.
$$\dfrac{\forall x.\,A(x)}{A(t)}\,(\forall E)$$
With our notation for substitution as above, we would write
$$\dfrac{\forall x.\,A}{A[t/x]}\,(\forall E)$$
Here $A[t/x]$ is the capture-avoiding substitution of Definition 1.6: any quantifier inside $A$ whose variable occurs in $t$ is renamed first, so that the variables of $t$ remain free in the conclusion.
Now we turn to the existential quantifier. There is a certain duality between the two quantifiers and we find it reflected in the rules. The simpler of the rules to state is the existential introduction rule: it states that if we can prove a substitution instance of a formula, then we can infer the existentially quantified statement.
$\exists$ Introduction
If for a particular term $t$ we can prove $A(t)$ then clearly we have demonstrated that there is some object for which $A$ is provable.
$$\dfrac{A(t)}{\exists x.\,A(x)}\,(\exists I)$$
Alternatively, we write
$$\dfrac{A[t/x]}{\exists x.\,A}\,(\exists I)$$
In order to frame the existential elimination rule we have to decide what we are able to deduce on the basis of $\exists x.\,A$. Let us return to the informal discussion at the start of this subsection. We looked there at an argument which had an assumption of the form
$$x > 0$$
What is the force of such an assumption? It is to assume the existence of an object greater than zero, and to name it $x$. Now, suppose that on the basis of this we can prove some $B$ which does not mention $x$; if we also know that indeed the existential assumption is valid, that is we know that
$$\exists x.\,(x > 0)$$
then we can infer $B$ outright, discharging the assumption.
$\exists$ Elimination
$$\dfrac{\exists x.\,A \qquad \begin{array}{c}[A]\\ \vdots\\ B\end{array}}{B}\,(\exists E)$$
where $x$ is not free in $B$ or any of the assumptions of the proof of $B$, except for $A$ itself, in which it may be free. (This stipulation is the side condition for the application of the rule.) The assumption $A$ is discharged by the application of this rule, so that the assumptions of the resulting proof are those of the proof of $\exists x.\,A$ together with all those from the proof of $B$ apart from $A$.
Thinking of the rule in programming terms, we can think of it as introducing a temporary (or `local') name $x$ for the object asserted to exist by the formula $\exists x.\,A$.
Returning to our informal discussion a second time, we can perhaps see more clearly a duality between the two quantifiers and their treatment of formulas with free variables.
• The formula $A$ involving the free variable $x$ has universal content when $x$ is arbitrary, that is when it occurs in the conclusion of an argument (and not in the assumptions).
• The formula $A$ has existential content when it occurs as an assumption, introducing a name for the object assumed to have the property $A$.
We can give another informal reading of the quantifiers. $\forall$ and $\exists$ behave like a large (in fact infinite) conjunction and disjunction:
$$\forall x.\,A(x) \approx A(a) \wedge A(b) \wedge \ldots$$
$$\exists x.\,A(x) \approx A(a) \vee A(b) \vee \ldots$$
if the objects in the domain of discourse are $a, b, \ldots$. We can see the rules for $\forall$ elimination and $\exists$ introduction agree with this analogy immediately, and in fact the same is true of the other rules. To introduce $C \wedge D$ we have to have proofs of $C$ and $D$. To introduce
$$A(a) \wedge A(b) \wedge \ldots$$
we need proofs for $A(a), A(b), \ldots$ and so on. In other words, we need a proof for arbitrary $x$, which is exactly what the rule states. The rule for elimination of $\vee$ suggests the following for existential elimination:
$$\dfrac{\exists x.\,A(x) \qquad \begin{array}{c}[A(a)]\\ \vdots\\ B\end{array} \qquad \begin{array}{c}[A(b)]\\ \vdots\\ B\end{array} \qquad \ldots}{B}$$
We obtain our rule by replacing all the individual proofs of $B$ from $A(a)$, $A(b)$ and so forth by a proof from $A(x)$ for an arbitrary $x$.

1.2.3 Examples
Now we put these rules to some use in a series of examples.
For the first example we assume
$$\Phi \equiv_{df} \forall x.\,(P(x) \Rightarrow Q(x))$$
$$\exists x.\,P(x)$$
and try to prove that
$$\exists x.\,Q(x)$$
Informally the inference is clear, but what do we do in our system? We have a universal assumption, $\Phi$, and the rule of universal elimination tells us that we can use any instance
$$P(x) \Rightarrow Q(x)$$
of $\Phi$ in our proof. If we adopt a backwards reading of the rule of existential elimination, then we see how to use an existential assumption.
To use an existential assumption $\exists x.\,P(x)$, use the instance $P(x)$ and finally discharge this using the rule $(\exists E)$.
Proceeding thus we have
$$\dfrac{P(x) \qquad \dfrac{\forall x.\,(P(x) \Rightarrow Q(x))}{(P(x) \Rightarrow Q(x))}\,(\forall E)}{Q(x)}\,(\Rightarrow E)$$
From this we can infer $\exists x.\,Q(x)$ (even though $x$ is free in one of the assumptions; there are no restrictions on the rule $(\exists I)$), and finally by existential elimination we have:
$$\dfrac{\exists x.\,P(x) \qquad \dfrac{\dfrac{[P(x)]^1 \qquad \dfrac{\forall x.\,(P(x) \Rightarrow Q(x))}{(P(x) \Rightarrow Q(x))}\,(\forall E)}{Q(x)}\,(\Rightarrow E)}{\exists x.\,Q(x)}\,(\exists I)}{\exists x.\,Q(x)}\,(\exists E)^1$$
The side condition of $(\exists E)$ is satisfied: $x$ is not free in the conclusion $\exists x.\,Q(x)$, nor in the only remaining assumption $\Phi$, where it is bound.
For our second example, suppose we make the assumption that every object is either an apple or a banana:
$$\forall x.\,(A(x) \vee B(x))$$
and that both apples and bananas are tasty:
$$\forall x.\,(A(x) \Rightarrow T(x))$$
$$\forall x.\,(B(x) \Rightarrow T(x))$$
We will show that everything is tasty, $\forall x.\,T(x)$.
Applying the universal elimination rule three times we have
$$(A(y) \vee B(y))$$
$$(A(y) \Rightarrow T(y))$$
$$(B(y) \Rightarrow T(y))$$
and then we can infer $T(y)$ on the basis of the second of these and the assumption $A(y)$, using $(\Rightarrow E)$.
$$\dfrac{A(y) \qquad \dfrac{\forall x.\,(A(x) \Rightarrow T(x))}{(A(y) \Rightarrow T(y))}\,(\forall E)}{T(y)}\,(\Rightarrow E)$$
We can similarly infer $T(y)$ from $B(y)$ and the universal statement, and are then in a position to apply $(\vee E)$. (In the diagram which follows the hypotheses of the central proof are listed vertically.)
$$\dfrac{\dfrac{\forall x.\,(A(x) \vee B(x))}{(A(y) \vee B(y))}\,(\forall E) \qquad \begin{array}{c}[A(y)]^1\\ \forall x.\,(A(x) \Rightarrow T(x))\\ \vdots\\ T(y)\end{array} \qquad \begin{array}{c}[B(y)]^1\\ \forall x.\,(B(x) \Rightarrow T(x))\\ \vdots\\ T(y)\end{array}}{T(y)}\,(\vee E)^1$$
$\forall$ introduction is then applied, giving
$$\dfrac{\begin{array}{c}\vdots\\ T(y)\end{array}}{\forall x.\,T(x)}\,(\forall I)$$
The side condition holds: after the $(\vee E)^1$ step the only assumptions left are the three universal statements, in none of which $y$ is free.
Our final example concerns the proof of
$$\exists y.\,\forall x.\,A(x, y) \Rightarrow \forall x.\,\exists y.\,A(x, y)$$
The reader might like to refer back to the discussion of the order of quantifiers in section 1.2 above. Remembering the rule of implication introduction, it is sufficient to prove
$$\forall x.\,\exists y.\,A(x, y)$$
on the assumption of
$$\exists y.\,\forall x.\,A(x, y)$$
We have an existential assumption, so stripping off the quantifier we can by the rule $(\exists E)$ use instead the assumption
$$\forall x.\,A(x, y)$$
Using $(\forall E)$ we have
$$\dfrac{\forall x.\,A(x, y)}{A(x, y)}\,(\forall E)$$
and by $(\exists I)$
$$\dfrac{\begin{array}{c}\vdots\\ A(x, y)\end{array}}{\exists y.\,A(x, y)}\,(\exists I)$$
Now, we can deduce
$$\dfrac{\begin{array}{c}\vdots\\ \exists y.\,A(x, y)\end{array}}{\forall x.\,\exists y.\,A(x, y)}\,(\forall I)$$
using $(\forall I)$, since $x$ is not free in the assumptions (and therefore arbitrary).
We complete the proof with applications of $(\exists E)$ and $(\Rightarrow I)$:
$$\dfrac{\dfrac{[\exists y.\,\forall x.\,A(x, y)]^2 \qquad \dfrac{\dfrac{\dfrac{[\forall x.\,A(x, y)]^1}{A(x, y)}\,(\forall E)}{\exists y.\,A(x, y)}\,(\exists I)}{\forall x.\,\exists y.\,A(x, y)}\,(\forall I)}{\forall x.\,\exists y.\,A(x, y)}\,(\exists E)^1}{\exists y.\,\forall x.\,A(x, y) \Rightarrow \forall x.\,\exists y.\,A(x, y)}\,(\Rightarrow I)^2$$
Exercises
1.13. Explain how the side conditions in the proof rules prevent the construction of a proof of
\[ \forall x.\exists y.A(x,y) \Rightarrow \exists y.\forall x.A(x,y) \]
analogous to the proof of
\[ \exists y.\forall x.A(x,y) \Rightarrow \forall x.\exists y.A(x,y) \]
above.
1.14. Assuming that the variable $x$ is not free in $B$, prove that the following formulas are equivalent, i.e. each can be proved on the assumption of the other
\[ \forall x.(A(x) \Rightarrow B) \qquad ((\exists x.A(x)) \Rightarrow B) \]
1.15. Using the previous exercise, or otherwise, argue that the following formulas are equivalent:
\[ \neg(\exists x.A(x)) \qquad \forall x.\neg A(x) \]
and show that
\[ \exists x.\neg A(x) \Rightarrow \neg\forall x.A(x) \]
Would you expect the converse of the final result to be provable?
Chapter 2

Functional Programming and $\lambda$-Calculi
Type theory has aspects of both a logic and a functional programming language. We have seen a brief introduction to logic in chapter 1; here we first survey current practice in functional programming and then look at a number of $\lambda$-calculi, which are formal theories of functions. The $\lambda$-calculus was invented in the nineteen thirties by Church as a notation for functions, with the aim of developing a foundation for mathematics. As with much of the work of that time, the original aim was not met, but the subject itself has become an object of study in its own right. Interest in the $\lambda$-calculus has grown again in the last two decades as it has found a role in the foundations of computing science, in particular through its model theory, which underpins much of denotational semantics. The theory usually studied is the untyped $\lambda$-calculus, and we look at this first. We are lucky to have the encyclopaedic [Bar84] to refer to for proofs, bibliographic and historical information and so forth. Any important result in the untyped $\lambda$-calculus is to be found there, together with (at least!) one proof of it.
Running through our material, we first look at variable binding and substitution, which are central to the $\lambda$-calculus. Variables are bound when a function is formed by abstraction, and when a function is applied, the formal parameters are replaced by their actual counterparts by substitution. We then look at the relations of evaluation, or reduction, `$\twoheadrightarrow$' and convertibility `$\leftrightarrow$', the latter of which represents a form of equality over the $\lambda$-expressions. We discuss these from a general standpoint, which will form a foundation for similar discussions for type theory. In particular we look at the determinacy of computation (the Church-Rosser property)
and termination properties of evaluation, or as they are more commonly known, the normalisation properties of expressions. We draw a distinction between different kinds of reduction rule, the computation and equivalence rules, which again we will carry through into the body of the book. After a short look at the expressiveness of the untyped system, we turn to an examination of typed theories, which more closely reflect current functional programming practice. We highlight the difference between the typed and untyped by showing that the former is strongly normalising: all evaluation sequences are finite, meaning that, in particular, every program terminates. We give a proof of this theorem, which forms a model for other results of this sort in its proof by induction over types and its formulation of a strong induction hypothesis, a method first introduced by William Tait. Augmenting the type structure with product types and natural numbers, we finish by returning to the discussion of computation and equivalence rules in the context of a typed language.
The survey [Hue90b] gives a useful overview of typed $\lambda$-calculi.
2.1 Functional Programming

The functional style of programming has been growing in popularity over the last thirty years, from its beginnings in early dialects of LISP, to the present day and the availability of a number of production-quality languages like Haskell, Hope, Miranda, and Standard ML (SML) amongst others [HW90, BMS80, Tur85, Har86]. Although there are differences between them, there is a wide degree of consensus about the form of the systems, which provide
First-class functions: Functions may be passed as arguments to and returned as results of other functions; they may form components of composite data structures and so on. An example is the map function. It takes a function, f say, as argument, returning the function which takes a list, x say, as argument and returns the list resulting from applying f to every item in x.
Strong type systems: The language contains distinctions between different values, classing similar values into types. The typing of values restricts the application of operators and data constructors, so that errors in which, for example, two boolean values are added, will not be permitted. Moreover, and this is what is meant by the adjective `strong', no run-time errors can arise through type mismatches.
Polymorphic types: A potential objection to strong typing runs thus: in an untyped language we can re-use the same code for the identity function over every type, after all it simply returns its argument. Similarly we can re-use the code to reverse a linked list over structurally similar lists (which only differ in the type of entries at each node) as the code is independent of the contents. We can accommodate this kind of genericity and retain strong typing if we use the Hindley-Milner type system, [Mil78], or other sorts of polymorphic type. The type of the identity function becomes * -> *, where * is a type variable, indicating that the type of the function is a functional type, in which the domain and range type are the same. This means that it can be used on booleans, returning a boolean, on numeric functions returning a numeric function, and so on.
Algebraic types: Lists, trees, and other types can be defined directly by recursive definitions, rather than through pointer types. The mechanism of algebraic types generalises enumerated types, (variant) records, certain sorts of pointer type definitions, and also permits type definitions (like those of lists) to be parametrised over types (like the type of their contents). Pattern matching is usually the means by which case analyses and selections of components are performed.
Modularity: The languages provide systems of modules of varying degrees of complexity by means of which large systems can be developed more easily.
One area in which there are differences is in the mechanism of evaluation. The SML system incorporates strict evaluation, under which scheme arguments of functions are evaluated before the instantiated function body, and components of data types are fully evaluated on object formation. On the other hand, Miranda and Haskell adopt lazy evaluation, under which function arguments and data type components are only evaluated when this becomes necessary, if at all. This permits a distinctive style of programming based on infinite and partially-defined data structures. There are advantages of each system, and indeed there are hybrids like Hope+ [Per89] which combine the two.
This is not the place to give a complete introduction to functional programming. There is a growing number of good introductory textbooks on the subject [BW88, Rea89, Wik87], as well as books looking at the foundations of the subject [Hue90a] and at current research directions [Pey87, Tur90]. We shall look at the topics described above as we develop our system of type theory; first, though, we investigate the lambda calculus, which is both a precursor of current functional programming languages, having been developed in the nineteen thirties, and an abstract version of them.
In what follows we use the phrase `languages like Miranda'; it is meant to encompass all the languages discussed above rather than simply Miranda.
2.2 The untyped $\lambda$-calculus

The original version of the $\lambda$-calculus was developed by Church, and studied by a number of his contemporaries including Turing, Curry and Kleene. It provides a skeletal functional programming language in which every object is considered to be a function. (An alternative view of this, propounded by [Sco80] amongst others, is of a typed theory containing a type which is isomorphic with its function space.) The syntax could not be simpler.
Definition 2.1
There are three kinds of $\lambda$-expression (we use $e, f, e_1, e_2, \ldots$ for arbitrary $\lambda$-expressions). They are:
Individual variables or simply variables, $v_0, v_1, v_2, \ldots$. We shall write $x, y, z, u, v, \ldots$ for arbitrary individual variables in the following.
Applications $(e_1\, e_2)$. This is intended to represent the application of expression $e_1$ to $e_2$.
Abstractions $(\lambda x.e)$. This is intended to represent the function which returns the value $e$ when given formal parameter $x$.
The notation above can become heavy with brackets, so we introduce the following syntactic conventions.
Definition 2.2 The syntax of the system is made more readable by the following syntactic conventions:
C1 Application binds more tightly than abstraction, so that $\lambda x.xy$ means $\lambda x.(xy)$ and not $(\lambda x.x)y$.
C2 Application associates to the left, implying that $xyz$ denotes $(xy)z$ and not $x(yz)$.
C3 $\lambda x_1.\lambda x_2.\ldots\lambda x_n.e$ means $\lambda x_1.(\lambda x_2.(\ldots(\lambda x_n.e)))$
The crux of the calculus is the mechanism of $\lambda$-abstraction. The expression
\[ \lambda x.e \]
is the general form that functions take in the system. To specify a function we say what is its formal parameter, here $x$, and what is its result, here $e$.
In a functional language like Miranda we give these definitions by equations which name the functions, such as
\[ f\,x = e \]
and in mathematical texts we might well talk about the function $f$ given by
\[ f(x) = e \]
In the $\lambda$-calculus we have an anonymous notation for the function which introduces the function without giving it a name (like $f$). The parameter $x$ is a formal parameter and so we would expect that the function
\[ \lambda x.\lambda y.xy \]
would be indistinguishable from
\[ \lambda u.\lambda v.uv \]
for instance. Formally, as we saw in the chapter on logic, such variables $x$ are called bound, the $\lambda$ being the binding construct.
How do we associate actual parameters with the formals? We form applications
\[ (\lambda x.e_1)\, e_2 \]
To evaluate these applications, we pass the parameter: we substitute the actual parameter for the formal, which we denote
\[ e_1[e_2/x] \]
As for the binding constructs of logic, the quantifiers, we have to be careful about how we define substitution, which we do, after saying formally what it means to be bound and free.
Definition 2.3 An occurrence of a variable $x$ within a sub-expression $\lambda x.e$ is bound; all other occurrences are free. The occurrence of $x$ in $\lambda x.$ is the binding occurrence which introduces the variable; other occurrences are called applied. We say that a variable $x$ occurs free in an expression $f$ if some occurrence of $x$ is free in $f$. A variable $x$ is bound by the syntactically innermost enclosing $\lambda$, if one exists, just as in any block-structured programming language. An expression is closed if it contains no free variables, otherwise it is open.
The same variable may occur both bound and free in an expression. For example, the first applied occurrence of $x$ in
\[ (\lambda x.\lambda y.yx)((\lambda z.zx)x) \]
is bound, but the second and third applied occurrences are free.
Definition 2.4 The substitution of $f$ for the free occurrences of $x$ in $e$, written $e[f/x]$, is defined thus:
• $x[f/x] \equiv_{df} f$ and for a variable $y \not\equiv x$, $y[f/x] \equiv_{df} y$
• For applications, we substitute into the two parts: $(e_1\,e_2)[t/x] \equiv_{df} (e_1[t/x]\; e_2[t/x])$
• If $e \equiv \lambda x.g$ then $e[f/x] \equiv_{df} e$.
• If $y$ is a variable distinct from $x$, and $e \equiv \lambda y.g$ then
  – if $y$ does not appear free in $f$, $e[f/x] \equiv_{df} \lambda y.g[f/x]$.
  – if $y$ does appear free in $f$, $e[f/x] \equiv_{df} \lambda z.(g[z/y][f/x])$ where $z$ is a variable which does not appear in $f$ or $g$. (Note that we have an infinite collection of variables, so that we can always find such a $z$.)
• In general, it is easy to see that if $x$ is not free in $e$ then $e[f/x]$ is $e$.
Convention on Expression Equivalence: We shall not distinguish between expressions which are equivalent up to change of bound variable names in what follows. (As an aside, this convention which is easy to state, and indeed for us to follow, is surprisingly difficult to implement.)
As we said, we evaluate expressions by passing parameters in function applications. We formalise this by the following reduction or computation rules.
Definition 2.5 The rule of $\beta$-reduction states that for all $x$, $e$ and $f$, we can reduce the application
\[ (\lambda x.e)f \to e[f/x] \]
Definition 2.6 A sub-expression of a lambda expression of the form $(\lambda x.e)f$ is called a ($\beta$-)redex. We write $g \to g'$ if $g'$ results from applying $\beta$-reduction to a redex within $g$. Alternatively we can say that if $e \to e'$ then
\[ (fe) \to (fe') \qquad (eg) \to (e'g) \qquad \lambda y.e \to \lambda y.e' \]
Definition 2.7 We write $e \twoheadrightarrow f$ if there is a sequence of zero or more reductions so that
\[ e \equiv e_0 \to \cdots \to e_n \equiv f \]
representing a sequence of reduction steps. We call such an $f$ a reduct of $e$.
In the section which follows we look further at the reduction relation $\twoheadrightarrow$. One point is worthy of note before we do that. We have only introduced one argument functions into our theory; is this a restriction? It is not, as we can represent a two argument function by a function which takes its arguments one at a time. The addition function, for example, would be represented by
\[ \lambda x.\lambda y.(x+y) \]
where we assume (purely for illustrative purposes) that the language contains the $+$ operator. This form of representation is known as the curried form in honour of Haskell B. Curry, and has the property that it is sensible to pass to it one of its arguments only. In this case, for instance,
\[ (\lambda x.\lambda y.(x+y))\, 4 \]
is the function which adds four to its argument.
Exercises
2.1. Investigate the reduction behaviour of the following terms
\[ (\lambda x.x)((\lambda y.(\lambda z.z))(\lambda x.x)) \qquad (\lambda x.xxx)(\lambda x.xxx) \]
2.3 Evaluation

The reduction relation, $\twoheadrightarrow$, of the previous section embodies what it is for one expression to reduce to another by a number of elementary computation steps. We can ask a number of fundamental questions about this relation.
It is somewhat artificial to examine evaluation in the context of the untyped $\lambda$-calculus, since all we have in this context are functions, and we do not usually consider functions to be objects which can be evaluated themselves, rather we work in typed systems and print only the results of evaluating expressions of ground type, like numbers, pairs of booleans and so forth. Nonetheless we can both establish some terminology and begin discussions here, even if we will have more to say later.
First, if the relation describes evaluation, what is it that expressions evaluate to? There are a number of answers to this.
Definition 2.8
Normal Form: An expression is in normal form if it contains no redexes.
Head Normal Form: All expressions of the form
\[ \lambda x_1.\ldots\lambda x_n.\,y\,e_1 \ldots e_m \]
where $y$ is a variable, $e_1, \ldots, e_m$ are arbitrary expressions and $n$ and $m$ are greater than or equal to zero, are in head normal form.
Weak Head Normal Form: All expressions which are either $\lambda$-abstractions or of the form
\[ y\,e_1 \ldots e_m \]
where $y$ is a variable, $e_1, \ldots, e_m$ are arbitrary expressions and $m$ is greater than or equal to zero, are in weak head normal form.
Definition 2.9 We say that $e'$ is a normal form (head normal form, etc.) of $e$ if $e \twoheadrightarrow e'$ and $e'$ is in normal form (head normal form, etc.).
The three definitions above are given in inclusion order: normal forms are head normal forms which are themselves weak head normal forms. Neither of the converses holds; $\lambda x.(x((\lambda x.xx)(\lambda x.xx)))$ is in head normal form but not in normal form (and indeed has no normal form) whilst
$\lambda y.((\lambda x.xx)(\lambda x.xx))$ is a weak head normal form with no head normal form. Both these examples use the term
\[ \Omega \equiv_{df} (\lambda x.xx)(\lambda x.xx) \]
which has the property that $\Omega \to \Omega$ and only to $\Omega$, thus proving that it has no normal form; indeed it has no weak head normal form. Whatever the notion of answer, an attempt to evaluate $\Omega$ results in an undefined answer, since computation fails to terminate.
It is clear why we can think of a normal form as being the result of a computation, but how do the other definitions arise? It might at first be thought that any expression without a normal form is in some sense equivalent to $\Omega$ in being undefined, but the position is not so simple. A crucial example is the function
\[ F \equiv_{df} \lambda f.((\lambda x.f(xx))(\lambda x.f(xx))) \]
which has the following properties. It has no normal form, so computation of it fails to terminate, yet when applied to an argument $f$ it returns a fixed point of the function $f$, that is an object with the property
\[ (F\,f) \twoheadrightarrow f\,(F\,f) \]
In many cases the computation of the application will terminate; consider the case that $f$ is a constant function whose value is a normal form. We can characterise the property of $F$ as being able to yield an answer (normal form) in some context, even though it has no normal form itself. Wadsworth has shown that it is precisely those functions which have a head normal form, so in evaluating functions it seems more sensible only to compute to normal form, if we wish computations on `meaningful' objects to terminate. More details on this analysis can be found in the useful discussion of section 2 of [Bar84]. Not every functional expression has a head normal form, the simplest case being $\lambda x.\Omega$.
In evaluating functional expressions we might choose to halt evaluation as soon as a functional form $\lambda x.e$ is reached; this gives rise to the notion of weak head normal form which has recently been discussed in [Pey87, Abr90]. The context for this discussion about termination, the untyped $\lambda$-calculus, is somewhat artificial since it contains no true printable values such as numbers or characters. We therefore defer discussion of the form that results (or canonical values) take until section 2.11.
Whichever notion we choose, we can see that there are expressions whose evaluation fails to terminate. No sequence of reductions starting from $\Omega$ ends in a weak head normal form.
Another problem is of determinacy: do different sequences of reductions give the same final value if they terminate? An important result here is the
Theorem 2.10 (Church-Rosser) For all $e$, $f$ and $g$, if $e \twoheadrightarrow f$ and $e \twoheadrightarrow g$ then there exists $h$ such that $f \twoheadrightarrow h$ and $g \twoheadrightarrow h$.
A proof of the Church-Rosser theorem is found in [Bar84]. The proofs use a form of induction over the syntactic structure of terms, usually called structural induction.
Definition 2.11 The method of structural induction states:
To prove the result $P(e)$ for all $\lambda$-expressions $e$ it is sufficient to
• Prove $P(x)$ for all variables $x$.
• Prove $P(e\,f)$ assuming that $P(e)$ and $P(f)$ hold.
• Prove $P(\lambda x.e)$ assuming that $P(e)$ holds.
The Church-Rosser theorem has the following important corollary.
Theorem 2.12 If a term has a normal form then it is unique.
Proofs of these results can be found in the encyclopaedic [Bar84]. Note that neither head normal forms nor weak head normal forms of expressions are unique.
The result on unique normal forms tells us that terminating reduction sequences all end in the same normal form. There are expressions with normal forms which have non terminating reduction sequences, an example being
\[ (\lambda x.\lambda y.y)\,\Omega \]
The whole expression forms a redex which reduces to $\lambda y.y$, in normal form. If we choose repeatedly to reduce the redex $\Omega$ we have a non-terminating reduction sequence. Can we always find a terminating sequence if one exists?
Definition 2.13 If an expression contains more than one redex, then we say that the leftmost outermost redex is that found by searching the parse tree top-down, going down the left hand subtree of a non-redex application before the right. In other words we make a preorder traversal of the parse tree looking for the first node which is a redex.
In each of the following expressions the leftmost-outermost redex is named after the expression, together with the other redexes it contains.
\[ (\lambda x.xx)((\lambda y.y)(\lambda z.z)) \]
(leftmost-outermost redex: the whole expression; the other redex is $(\lambda y.y)(\lambda z.z)$)
\[ ((\lambda w.w)(\lambda x.xx))((\lambda y.y)(\lambda z.z)) \]
(leftmost-outermost redex: $(\lambda w.w)(\lambda x.xx)$; the other redex is $(\lambda y.y)(\lambda z.z)$)
\[ ((\lambda w.w)((\lambda x.xx)(\lambda x.x)))((\lambda y.y)(\lambda z.z)) \]
(leftmost-outermost redex: $(\lambda w.w)((\lambda x.xx)(\lambda x.x))$; the other redexes are $(\lambda x.xx)(\lambda x.x)$ and $(\lambda y.y)(\lambda z.z)$)
Theorem 2.14 (Normalisation) The reduction sequence formed by choosing for reduction at each stage the leftmost-outermost redex will result in a normal form, head normal form or weak head normal form if any exists.
Proofs of the normalisation theorem can be found in [Bar84].
The strategy of choosing the leftmost-outermost redex at each stage corresponds to the lazy evaluation mechanism, although the latter is optimised to avoid duplication of evaluation caused by duplication of redexes. The strict or applicative order discipline will not always lead to termination, even when this is possible: arguments may not terminate even if their values are not needed for the evaluation of the expression as a whole.
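The definitions of this and the previous section (substitution in Definition 2.4, β-reduction in Definitions 2.5 to 2.7, the normal forms of Definition 2.8 and the leftmost-outermost strategy of Definition 2.13) can be made concrete by a small interpreter. The Python code below is an added example and is not from the book; the term classes, the function names, the `strict` flag and the fresh-variable scheme (`z0`, `z1`, ...) are this example's own choices. It reduces under a step budget, which is the practical way of dealing with terms such as Ω that never reach a normal form, and it lets the lazy and strict strategies of the paragraph above be run side by side on the same term.

```python
"""Untyped lambda-calculus: capture-avoiding substitution (Def. 2.4), beta steps
(2.5-2.7), normal forms (2.8) and reduction strategies (2.13-2.14). Added example;
the term classes, function names and fresh-name scheme are this example's own."""
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

@dataclass(frozen=True)
class Lam:                    # (lambda param . body)
    param: str
    body: object

def free_vars(e):
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, App):
        return free_vars(e.fun) | free_vars(e.arg)
    return free_vars(e.body) - {e.param}

def all_vars(e):
    """Every variable name in e, bound or free; used to pick a fresh binder."""
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, App):
        return all_vars(e.fun) | all_vars(e.arg)
    return all_vars(e.body) | {e.param}

def subst(e, f, x):
    """e[f/x]: replace the free occurrences of x in e by f (Definition 2.4)."""
    if isinstance(e, Var):
        return f if e.name == x else e
    if isinstance(e, App):
        return App(subst(e.fun, f, x), subst(e.arg, f, x))
    y = e.param
    if y == x:                            # x is rebound here: e has no free x
        return e
    if y not in free_vars(f):             # no capture possible
        return Lam(y, subst(e.body, f, x))
    # y is free in f: rename the binder to a z absent from f and the body, and
    # distinct from x, so that the renamed occurrences are not then substituted
    avoid = all_vars(f) | all_vars(e.body) | {x}
    z = next(f"z{i}" for i in count() if f"z{i}" not in avoid)
    return Lam(z, subst(subst(e.body, Var(z), y), f, x))

def step(e, strict=False):
    """One beta step, or None if e has no redex. strict=False reduces the
    leftmost-outermost redex (Def. 2.13); strict=True uses applicative order,
    reducing the operands before the application itself."""
    if isinstance(e, Var):
        return None
    if isinstance(e, Lam):
        b = step(e.body, strict)
        return None if b is None else Lam(e.param, b)
    if not strict and isinstance(e.fun, Lam):        # this node is the outermost redex
        return subst(e.fun.body, e.arg, e.fun.param)
    f = step(e.fun, strict)                          # left subtree before right
    if f is not None:
        return App(f, e.arg)
    a = step(e.arg, strict)
    if a is not None:
        return App(e.fun, a)
    return subst(e.fun.body, e.arg, e.fun.param) if isinstance(e.fun, Lam) else None

def is_normal_form(e):
    return step(e) is None                # no redex anywhere (Definition 2.8)

def is_whnf(e):
    """An abstraction, or y e1 ... em with y a variable (Definition 2.8)."""
    if isinstance(e, Lam):
        return True
    while isinstance(e, App):
        e = e.fun
    return isinstance(e, Var)

def normalise(e, fuel=1000, strict=False):
    """(normal form, True), or (last term seen, False) once the step budget is
    spent: reduction need not terminate (Omega), so the budget bounds the run."""
    for _ in range(fuel):
        nxt = step(e, strict)
        if nxt is None:
            return e, True
        e = nxt
    return e, False

# Constructed sample terms taken from the text.
I = Lam("x", Var("x"))
OMEGA = App(Lam("x", App(Var("x"), Var("x"))), Lam("x", App(Var("x"), Var("x"))))
K_I_OMEGA = App(Lam("x", Lam("y", Var("y"))), OMEGA)   # (lambda x. lambda y. y) Omega
```

`normalise(K_I_OMEGA)` returns `λy.y` after a single leftmost-outermost step, whereas `normalise(K_I_OMEGA, strict=True)` spends its whole budget rewriting Ω to itself and never reaches the outer redex; that is exactly the contrast between lazy and applicative-order evaluation drawn above. The renaming case of `subst` is the one place where the book's convention on bound-variable names has to be implemented rather than assumed, and the `{x}` added to the set of names to avoid guards against a corner case the definition does not mention.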
There is a second basic rule of reduction, called $\eta$-reduction. It states that
Definition 2.15 $\eta$-reduction. For all $x$ and $e$, if $x$ is not free in $e$ then we can perform the following reduction.
\[ \lambda x.(ex) \to e \]
It is not clear that this is strictly a rule of computation. The expressions on the two sides of the reduction symbol have the same computational behaviour on all arguments, since
\[ (\lambda x.(ex))\,y \to e\,y \]
for arbitrary $y$. The rule identifies certain (terms for) functions which have the same behaviour, yet which are represented in different ways. In a context in which we distinguish printable values from others, the beta rule will be sufficient, computationally, to ensure the same results from the application of $\eta$-equivalent functions.
We generally consider $\eta$-reduction as an adjunct to $\beta$-reduction, and we define their joint transitive closure in the obvious way. We can prove a Church-Rosser theorem for this relation (see, again, [Bar84] for details).
It seems more appropriate to read the $\eta$ rule as symmetrical, equating its two sides. We look at this idea in the next section.
Exercises
2.2. Show that if we write $I$ for $\lambda x.x$ then
\[ \lambda x.x(II) \qquad \lambda x.xI \]
are both head normal forms of $\lambda x.(Ix)(II)$
2.3. Prove theorem 2.12 from theorem 2.10.
2.4. By showing that the leftmost-outermost reduction sequence is infinite, argue that the following expressions fail to have normal form.
\[ (\lambda f.((\lambda x.f(xx))(\lambda x.f(xx))))(\lambda x.\lambda y.x) \]
2.4 Convertibility

Our introduction to the $\lambda$-calculus has focussed so far on the computation relations $\to_\beta$, $\twoheadrightarrow$ and $\to_\eta$. We can also ask the more general question of which expressions have the same computational behaviour. This section introduces a number of convertibility relations, that is equivalence relations which are also substitutive: equivalent expressions substituted into equivalent contexts are equivalent.
The relations `$\to_\beta$' and `$\to_\eta$' are asymmetrical: the left hand side is (in some sense) simplified in transition to the right hand side. The relations generate two convertibility relations, $\leftrightarrow$ and $\leftrightarrow_\eta$:
Definition 2.16 `$\leftrightarrow$' is the smallest equivalence relation extending `$\twoheadrightarrow$'. Explicitly, $e \leftrightarrow f$ if and only if there is a sequence $e_0, \ldots, e_n$ with $n \geq 0$, $e \equiv e_0$, $e_n \equiv f$ and for each $i$, $0 \leq i < n$, $e_i \twoheadrightarrow e_{i+1}$ or $e_{i+1} \twoheadrightarrow e_i$.
A similar relation based on $\beta$ and $\eta$ reduction together is called $\eta$-convertibility.
As a consequence of the Church-Rosser theorems, two expressions $e$ and $f$ will be ($\eta$-)convertible if and only if there exists a common ($\eta$-)reduct of $e$ and $f$. If one of them has a normal form then the other has the same. Two functions with normal forms are convertible if and only if they have the same normal form; in particular we fail to identify
\[ \lambda y.(\lambda x.(yx)) \qquad \lambda y.y \]
Applied to an argument $z$, the functions give equivalent results, as they $\beta$-reduce to
\[ (\lambda x.(zx)) \qquad z \]
which themselves have the same behaviour as functions. It is for this reason that $\eta$-convertibility is defined. $\eta$-convertibility is the smallest substitutive equivalence relation $R$ extending $\leftrightarrow$ which is extensional, meaning that if $(f\,y)\,R\,(g\,y)$ for $y$ a variable, then $f\,R\,g$. This result is again found in the encyclopaedic [Bar84].
The convertibility relations are not necessary to explain the computational behaviour of $\lambda$-expressions; they are used when we reason about the behaviour of expressions, in particular they can tell us which functions have the same behaviour, and which transformations (of one expression into another) are permissible. We shall return to this topic in section 2.11, after discussing typed $\lambda$-calculi.
Exercises
2.5. Show that if $e$ has the form $\lambda y.e'$ where $x$ is not free in $e'$ then
\[ (\lambda x.ex) \to_\beta e \]
2.5 Expressiveness

The untyped $\lambda$-calculus is a simple theory of (pure) functions, yet computationally it is as strong as other fundamental theories of computation. It is Turing-complete, exhibiting an equivalence with Turing computability. One half of this equivalence consists in showing that objects such as the natural numbers, booleans and so forth can be represented as $\lambda$ terms, and that recursive functions can be defined over them. Yet again, Barendregt provides a suitable reference for this material. One representation of the natural numbers is as the iterators, $n$ being represented by
\[ \lambda f.\lambda x.\underbrace{f(f \ldots f(f\,x) \ldots)}_{n} \]
which are in normal form. To derive recursive functions, with definitions like
\[ f\,x \equiv_{df} \ldots f \ldots \]
which can be written
\[ f \equiv_{df} \lambda x.\ldots f \ldots \]
we need to be able to solve equations of the form
\[ f \equiv_{df} R\,f \]
where $R$ is a $\lambda$ term. In fact we can define operations, $F$, called fixed point combinators which solve these equations thus:
\[ F\,R \twoheadrightarrow R\,(F\,R) \]
Two examples are the expressions:
\[ \Theta\Theta \quad \text{where } \Theta \equiv_{df} \lambda a.\lambda b.(b(aab)) \]
\[ F \equiv_{df} \lambda f.((\lambda x.f(xx))(\lambda x.f(xx))) \]
Each of these expressions has a head normal form, but neither has a normal form. This is a general property of fixed point combinators, since
\[ \lambda x.(F\,x) \to \lambda x.(x\,(F\,x)) \to \lambda x.(x\,(x\,(F\,x))) \to \ldots \]
and $F$ has a normal form if and only if $\lambda x.(F\,x)$ has. This is an interesting point: here we have meaningful functions which cannot be represented by expressions in normal form, showing that the class of meaningful expressions extends beyond those with normal form.
2.6 Typed $\lambda$-calculus

The untyped $\lambda$-calculus is powerful, containing as it does the fixed point combinators, representatives of all the common base types and their combinations under standard type-forming operations. The disadvantage of this power is the fact that our programs can continually break the stipulations of our conceptual type system, which permits only numbers to be added and so forth.
Another aspect of the system is the presence of non-termination: we have seen that not every term has even a weak head normal form. Any attempt to evaluate $\Omega$ results in a non-terminating computation. $\Omega$ does not have a legitimate type in any type system, except those which include a reflexive type $C$ isomorphic to its function space $(C \Rightarrow C)$. Terms with the computational behaviour of $\Omega$ are introduced by a fixed point combinator:
\[ F(\lambda x.x) \to (\lambda x.x)\,(F(\lambda x.x)) \to (F(\lambda x.x)) \to \ldots \]
and the existence of such a combinator does not contradict the type discipline, despite the fact that the definitions of the previous section are not typeable, containing as they do applications of objects to themselves.
We now examine a number of typed $\lambda$-calculi of differing expressive strength which will culminate in the system of constructive type theory itself.
In this chapter we are able to develop separately first the types and then the terms of the theory. We begin by defining a system with function types (and a number of base types), progressively adding further types and objects.
Definition 2.17 Given a set $B$ of base types, we form the set $S$ of simple types closing under the rule of function type formation. This states that if $\sigma$ and $\tau$ are types then so is $(\sigma \Rightarrow \tau)$. We assume that `$\Rightarrow$' is right associative, and omit brackets accordingly.
In typed lambda calculi each $\lambda$-expression (or term, we use these interchangeably) has a type. We shall write
\[ e : \tau \]
for `$e$ is a $\lambda$-expression of type $\tau$'. We specify the type of each defined $\lambda$-expression below.
Definition 2.18 The expressions of the typed $\lambda$-calculus have three forms.
Individual variables or simply variables, $v_{\tau,0}, v_{\tau,1}, v_{\tau,2}, \ldots$, for each type $\tau$.
\[ v_{\tau,i} : \tau \]
We shall write $x_\tau, y_\tau, z_\tau, \ldots$, with or without type subscripts for arbitrary individual variables in what follows.
Applications If $e_1 : (\sigma \Rightarrow \tau)$ and $e_2 : \sigma$ then
\[ (e_1\,e_2) : \tau \]
We can only form an application when the type of the argument is the same as the type of the domain of the function.
Abstractions If $x : \sigma$ and $e : \tau$ then
\[ (\lambda x.e) : (\sigma \Rightarrow \tau) \]
The type of an abstraction is a function type, whose domain is the type of the formal parameter and whose range is the type of the function body (or result).
Many notions defined in the untyped case carry over to here. These include the substitution mechanism, $\beta$- and $\eta$-reduction and convertibility and the notions of canonical element: normal form, head normal form et cetera. It is easy to see that convertible expressions must be of the same type.
Many results carry over too. The Church-Rosser theorems for $\beta$ and $\eta$-reduction have the same proofs. Given a variable $x_\tau$, we are unable to form the application $x_\tau\,x_\tau$ and thus unable to define $\Omega$ and the fixed point combinators we saw above. This is no accident, as we can prove
Theorem 2.19 (Strong Normalisation) Every reduction sequence terminates.
This important result is proved in the next section, and also in [FLO83]. Clearly the system is less expressive than the untyped calculus; precise details are also found in [FLO83].
We can present the calculus in a slightly different form, closer to the practice in programming languages. Instead of there being an infinite class of variables for each type we can simply take one (infinite) class of variables. When we use a variable we assume it is associated with a type: we call this a type assumption but it might be more familiar as a declaration in a language like Pascal. We then assign types to expressions in the type context of a number of type assumptions. We will write $\Gamma, \ldots$ for such contexts, using $\Gamma, x:\sigma$ for the context with the type assumption $x:\sigma$ added. We assume throughout that all contexts are consistent in containing at most one occurrence of each variable; we can give any expression a type using the appropriate inconsistent context. Writing
\[ \Gamma \vdash e : \tau \]
for `$e$ has the type $\tau$ in the context $\Gamma$', the syntax rules become
Definition 2.20
Individual variables For any context $\Gamma$,
\[ \Gamma, x:\sigma \vdash x:\sigma \]
Applications If
\[ \Gamma \vdash e_1 : (\sigma \Rightarrow \tau) \]
and
\[ \Gamma \vdash e_2 : \sigma \]
then
\[ \Gamma \vdash (e_1\,e_2) : \tau \]
As before, we can only form an application when the type of the argument is the same as the type of the domain of the function.
Abstractions If
\[ \Gamma, x:\sigma \vdash e:\tau \]
then
\[ \Gamma \vdash (\lambda x.e) : (\sigma \Rightarrow \tau) \]
The type of an abstraction is a function type, whose domain is the type of the formal parameter and whose range is the type of the function body (or result).
The rule giving the type of an abstraction has one unusual aspect. The assumption that $x : \sigma$ is used in typing the body of the function, $e$, but is not needed to give a type to the function itself. Why is this? In general the variable $x$ will appear free in the expression $e$; we cannot type an expression containing a free variable without knowing the type for the variable, and this is given by the assumption. On the other hand, in $(\lambda x.e)$ $x$ is bound and associated with the type $\sigma$ it is assumed to have in the expression $e$, which is the scope of that particular declaration of the variable $x$.
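The three rules of Definition 2.20 read directly as a recursive checker over the term syntax, with the context $\Gamma$ represented as a mapping from variables to their type assumptions. The Python below is an added example and not the book's code; the class names, the `IllTyped` exception, the rendering of `⇒` as `=>` and the sample base types `N`, `Bool` and `R` are this example's own. Besides computing the type of a term, it confirms the remark above that a self-application such as $\lambda x.xx$ is rejected for the type assumptions on $x$ that are tried.

```python
"""Simply typed lambda-calculus with contexts (Definitions 2.17-2.20), as an
added example: a type checker for the three term forms. Not the book's code;
the class and function names are this example's own."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Base:            # a base type drawn from B
    name: str

@dataclass(frozen=True)
class Arrow:           # sigma => tau
    dom: object
    rng: object

def show_type(t):
    """Render a type with '=>' right associative, bracketing only a function domain."""
    if isinstance(t, Base):
        return t.name
    dom = show_type(t.dom)
    if isinstance(t.dom, Arrow):
        dom = f"({dom})"
    return f"{dom} => {show_type(t.rng)}"

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

@dataclass(frozen=True)
class Lam:             # lambda param . body, carrying the type assumption for param
    param: str
    ptype: object
    body: object

class IllTyped(Exception):
    pass

def type_of(ctx, e):
    """Gamma |- e : tau. ctx maps each variable to its type assumption."""
    if isinstance(e, Var):                       # Gamma, x:sigma |- x : sigma
        if e.name not in ctx:
            raise IllTyped(f"no type assumption for {e.name}")
        return ctx[e.name]
    if isinstance(e, App):                       # domain must equal the argument type
        ft, at = type_of(ctx, e.fun), type_of(ctx, e.arg)
        if not isinstance(ft, Arrow):
            raise IllTyped(f"applying a term of non-function type {show_type(ft)}")
        if ft.dom != at:
            raise IllTyped(f"argument has type {show_type(at)}, domain is {show_type(ft.dom)}")
        return ft.rng
    # Gamma, x:sigma |- e : tau  gives  Gamma |- (lambda x. e) : sigma => tau.
    # The assumption on x is in scope only for the body; since a consistent
    # context holds one assumption per variable, any outer x is replaced here.
    inner = dict(ctx)
    inner[e.param] = e.ptype
    return Arrow(e.ptype, type_of(inner, e.body))

def well_typed(ctx, e):
    try:
        type_of(ctx, e)
        return True
    except IllTyped:
        return False

# Constructed samples: S = lambda x. lambda y. lambda z. (x z)(y z) at base types
# N, Bool and R, and the untypeable self-application lambda x. x x.
N, BOOL, R = Base("N"), Base("Bool"), Base("R")
S_TERM = Lam("x", Arrow(N, Arrow(BOOL, R)),
             Lam("y", Arrow(N, BOOL),
                 Lam("z", N,
                     App(App(Var("x"), Var("z")), App(Var("y"), Var("z"))))))
SELF_APP = Lam("x", Arrow(N, N), App(Var("x"), Var("x")))
```

The only place where the context grows is the abstraction case, which mirrors the rule: the assumption $x:\sigma$ is needed to type the body but is not part of the type given to the abstraction itself. `show_type(type_of({}, S_TERM))` prints `(N => Bool => R) => (N => Bool) => N => R`, the shape of the type in Exercise 2.6 with $\sigma$, $\tau$ and $\rho$ instantiated to the sample base types.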
Exercises
2.6. Show that
\[ \lambda x.\lambda y.\lambda z.(xz)(yz) : (\sigma \Rightarrow \tau \Rightarrow \rho) \Rightarrow (\sigma \Rightarrow \tau) \Rightarrow (\sigma \Rightarrow \rho) \]
2.7. Explain why $\lambda x.xx$ and the fixed point combinator $F$ are not terms of the typed $\lambda$-calculus.
2.7 Strong normalisation


This se tion introdu es a result whi h is important both in itself and be-
ause of its method of proof. This method, introdu ed in [Tai67℄ and known
as the redu ibility method, is a general means of proof for systems whi h
are typed. It involves an indu tion over the omplexity of the types, rather
than over synta ti omplexity, whi h we saw was the major method of
proof for untyped systems.
Theorem 2.21 (Strong Normalisation) For all expressions e of the sim-
ply typed - al ulus, all redu tion sequen es beginning with e are nite.
46 CHAPTER 2. FUNCTIONAL PROGRAMMING AND -CALCULI

How should the proof proceed? One method we cannot use is a straightforward
structural induction, as a proof using this alone would carry over
to the untyped case, where we know that not even the terms with normal
form are strongly normalising. The method we use will involve an induction
over the structure of types:

Definition 2.22 The method of Induction over Types states that to
prove the result P(τ) for all types τ it is sufficient to
• Prove P(σ) for all base types σ ∈ B. This is called the base case.
• Prove P(σ ⇒ τ) assuming that P(σ) and P(τ) hold. This is called
the induction step.
As is common in proofs by induction, in order to prove a property
R(e) of every expression e we in fact prove a strengthening R′ of R. This is
because the obvious induction hypothesis will not be strong enough to work
at the induction step. This is the case with the property 'e is strongly
normalising', which we abbreviate 'e is SN': two terms e and e′ may be
strongly normalising without it being clear that the application (e e′) is so.
(It will of course be strongly normalising by the proof we construct, but
that begs the question of how we establish it.)

Definition 2.23 We say that an expression e of type τ is stable, written
e ∈ ‖τ‖, if
• e is of base type and e is SN, or
• e is of type σ ⇒ ρ and for all e′ in ‖σ‖, (e e′) ∈ ‖ρ‖.
Stability is designed to be preserved by application, so that it is easier
to see that it will be carried through that case of the induction. Note also
that we use the type system in an essential way in this definition: we define
stability for a function type in terms of stability for its domain and range
types.
Before we begin the proof of the theorem, we note the following properties
of the class of strongly normalising terms.
Lemma 2.24 If x is a variable then
(a) x ∈ SN
(b) If e₁, ..., e_k ∈ SN then x e₁ ... e_k ∈ SN.
(c) If ex ∈ SN then e ∈ SN.

(d) If e ∈ SN then (λx . e) ∈ SN

Proof: (a) This is obvious, as the variable contains no redex.
(b) Any reduction sequence from x e₁ ... e_k will have the form
x e₁ ... e_k → ... → x f₁ ... f_k → x g₁ ... g_k → ...
where at each stage for exactly one index j, f_j → g_j and for the others,
f_i ≡ g_i. This means that if there is an infinite reduction sequence from
x e₁ ... e_k then there must be one from one of the e_i, a contradiction to
their being SN.
(c) A reduction sequence from ex will either have the form
ex → e₁x → e₂x → ... → e_n x → ...
or the form
ex → e₁x → ... → (λy . f) x → f[x/y] → f₁[x/y] → f₂[x/y] → ...
where
λy . f → λy . f₁ → λy . f₂ → ...
is a reduction sequence continuing e → e₁ → .... In either case an infinite
sequence starting at ex gives rise to one starting at e.
(d) A reduction sequence starting at λx . e will have the form
λx . e → λx . e₁ → λx . e₂ → ...
where
e → e₁ → e₂ → ...
and so an infinite sequence starting at λx . e gives rise to another starting
at e. □
The proof of the theorem itself is based on two further lemmas. In
the first we show that stable objects are strongly normalising (at the same
time showing that variables are stable), and in the second we show that all
objects are stable.
Lemma 2.25 (a) If e ∈ ‖τ‖ then e ∈ SN
(b) If x e₁ ... e_n : τ and e₁, ..., e_n ∈ SN then x e₁ ... e_n ∈ ‖τ‖
(c) If x : τ then x ∈ ‖τ‖.

Proof: We prove (a), (b) and (c) by a simultaneous induction over the
type τ.
Base case: τ is a base type. The property (a) is true by definition of
stability for a base type.
For (b), if e₁, ..., e_n ∈ SN then by lemma 2.24, part (b), x e₁ ... e_n will be
strongly normalising, and since τ is a base type, the expression is stable.
Finally, to prove (c) observe that any variable is strongly normalising and
therefore stable if it is of base type.
Induction step: We assume that τ is the type (σ ⇒ ρ) and that the
results (a), (b) and (c) hold for the types σ, ρ.
To prove (a) we assume that e ∈ ‖τ‖. We have to prove that e is SN. Take
x of type σ. By (c) for σ, x is stable, and so by the definition of stability
for e, ex will be stable. ex is of type ρ and so by (a) for ρ, ex is SN. Using
lemma 2.24 part (c), e is therefore SN.
Now we show (b). To prove that x e₁ ... e_n ∈ ‖τ‖ we need to show that
x e₁ ... e_n f is in ‖ρ‖, if f ∈ ‖σ‖. By hypothesis e₁, ..., e_n ∈ SN and by (a)
for σ, f is also SN. The expression x e₁ ... e_n f is of type ρ and so by (b) for
ρ,
x e₁ ... e_n f ∈ ‖ρ‖
as required.
Finally, we show (c). Suppose that f is in ‖σ‖. By (a) for σ, f is SN, and
since the expression (xf) has type ρ, by (b) for ρ, (xf) is in ‖ρ‖, so x is
stable. □
Our task now is to show that all expressions are stable. We aim to do this
by structural induction over the expressions. We know that variables are
stable by the previous result, and we prove easily that application preserves
stability: indeed this was a motivation of the definition. The case of λ-abstraction
is more tricky. We aim to prove that λx . f is stable, assuming
f is, and so we have to prove that for all stable g of the appropriate type,
(λx . f) g
is stable. This expression reduces to f[g/x]. We need to deduce the stability
of the former from that of the latter. In fact we need to prove a
generalisation of this to get the induction to work, which readers can see
for themselves by trying a direct proof. The generalisation is clause (b) of
the next lemma.
Before we state the lemma, we give another definition.
Definition 2.26 An s-instance e′ of an expression e is a substitution instance
e′ ≡ e[g₁/x₁, ..., g_r/x_r] where the g_i are stable expressions.

Lemma 2.27 (a) If e and f are stable then so is (ef).

(b) For all k ≥ 0, if f[g/x] h₁ ... h_k ∈ ‖τ‖ and g ∈ SN then
(λx . f) g h₁ ... h_k ∈ ‖τ‖
(c) All s-instances e′ of expressions e are stable.
Proof: We prove the clauses one at a time.
(a): If e ∈ ‖σ ⇒ τ‖ and f ∈ ‖σ‖ then by definition of stability for the
function space, (ef) ∈ ‖τ‖, in other words (ef) is stable.
(b): This we prove by induction over the type τ.
Base case: Suppose first that τ is of base type. We need to prove that
(λx . f) g h₁ ... h_k is strongly normalising assuming that f[g/x] h₁ ... h_k and
g are.
Consider the general form of a reduction sequence starting from
(λx . f) g h₁ ... h_k
Redexes will either be contained in f, g and h₁, ..., h_k or consist of the head
redex (λx . f) g. All sequences will take either the form
(λx . f) g h₁ ... h_k ↠ (λx . f′) g′ h′₁ ... h′_k → f′[g′/x] h′₁ ... h′_k → ...
or the form
(λx . f) g h₁ ... h_k ↠ (λx . f′) g′ h′₁ ... h′_k → ...
in which the top-level redex is not reduced in subsequent computation. In
the first case, since
f[g/x] h₁ ... h_k ↠ f′[g′/x] h′₁ ... h′_k
the sequence must be finite, as f[g/x] h₁ ... h_k is strongly normalising. In
the second case, can we have an infinite reduction sequence without ever
reducing the top-level redex? A sequence of this form will consist of a
number of parallel sequences, for f, g and h₁, ..., h_k. Such a sequence can
be factored into two separate sequences, one starting with g and the other
containing no g reductions. The sequence of g reductions will be finite, as
g is SN, and the other sequence will be finite as it can be transformed into

a corresponding sequence of reductions of the term f[g/x] h₁ ... h_k in which
no g reductions take place. Any such sequence must also be finite, so the
expression (λx . f) g h₁ ... h_k is SN.
Induction step: Suppose that τ is the functional type (σ ⇒ ρ). To show
that (λx . f) g h₁ ... h_k ∈ ‖τ‖ we need to show that
(λx . f) g h₁ ... h_k h ∈ ‖ρ‖
for every h in ‖σ‖. Now, since f[g/x] h₁ ... h_k ∈ ‖τ‖,
f[g/x] h₁ ... h_k h ∈ ‖ρ‖
and so by (b) for the type ρ, we have (λx . f) g h₁ ... h_k h ∈ ‖ρ‖ as required.
This completes the proof of (b).
(c): We prove (c) by structural induction over the expressions e. There
are three cases.
Case: Variables. For variables x, x′ will either be the stable expression
g, when the substitution has the form [..., g/x, ...], or when x is not the
target of a substitution, x′ is x which is stable by lemma 2.25, part (c).
Case: Application. If e has the form (e₁ e₂) then an s-instance of e will
have the form (e′₁ e′₂) where e′_i is an s-instance of e_i. By induction, each of
e′_i is stable, and by lemma 2.27, part (a), the application (e′₁ e′₂) is stable.
Case: Abstraction. Suppose that e has the form λx . f. We need to show
that every substitution instance of this is stable. These instances have the
form λx . f′ where f′ is a substitution instance of f. Now, how do we prove
the stability of λx . f′? We have to show that
(λx . f′) g
is stable for stable g. By lemma 2.25, part (a), g is SN, so applying lemma
2.27, part (b) with k = 0 it is sufficient to show that f′[g/x] is stable. This
is also an s-instance of f and by induction it is stable. This completes the
proof of this case, part (c) of the proof and therefore the proof itself. □
Proof: (Theorem 2.21)
By part (c) of lemma 2.27, every expression is stable (as it is the trivial
substitution instance of itself), and by lemma 2.25(a), all stable expressions
are strongly normalising. □

2.8 Further type constructors: the product

The simply typed λ-calculus could not be simpler: we have only some
unspecified base types, carrying no operations, and a single form of type
construction, the function space. We can extend the system in two different
ways, adding both new base types and new constructors. First we look at
type constructors.
Familiar type constructors include the product type and the disjoint
sum (or disjoint union). In Pascal these together are embodied in the
variant record type. The addition of these is standard; we review briefly
the addition of the product type to the simply typed λ-calculus now.
• To the definition of types we add the third clause that σ × τ is a type
if σ and τ are.
• We add two clauses to the definition of expressions:
Pairs If x : σ and y : τ then
(x, y) : σ × τ
The pair (x, y) is a member of the product type.
Projections If p : σ × τ then fst p : σ and snd p : τ. The operations
fst and snd project a pair onto its components.
• To the rules of computation we add the rules
fst (p, q) → p    snd (p, q) → q
which show that fst and snd do indeed behave as projection operations,
and we ask also that reduction is preserved by pairing, so that
if
p → p′
then
(p, q) → (p′, q)    (q, p) → (q, p′)
• To the rules we can also add
(fst p, snd p) → p
for p of product type. This implies the extensionality rule that an
element of a product type is characterised by its components, since if
fst p ↔ fst q    snd p ↔ snd q
then
p ↔ (fst p, snd p) ↔ (fst q, snd q) ↔ q

We have added the operations fst and snd as primitives. Alternatively
we could think of them as constants, belonging to particular types. For this
to work here we need to add a collection of constants, one for each product
type, thus:
fst_{σ,τ} : (σ × τ) ⇒ σ
snd_{σ,τ} : (σ × τ) ⇒ τ
Our notation is made unwieldy by this addition; common practice in such
situations is to omit the type subscripts from these constants: in any
expression generated by the rules above we can deduce the type of each
instance from the context.
A second alternative is to add two constants, but to allow each of them
to have many types. fst would have the type (σ × τ) ⇒ σ for all the
types σ and τ. This is the idea of polymorphism which we mentioned in
our introduction to functional programming on page 30. To make this
introduction in a disciplined way we need to strengthen the type system
to allow polymorphic types, a further extension of the calculus. The
literature on polymorphism is extensive: [Mil78, Rey90].
A second distinction, touched upon in section 2.4, was the distinction between
β and η reduction. We have a similar distinction between the two rules
fst (p, q) → p    snd (p, q) → q
and the rule
(fst p, snd p) → p
We shall call rules of the first sort computation rules and those of the
latter kind equivalence rules, as their main purpose is to develop a convertibility
relation. A common distinction between the two pairs derives
from an examination of the types of the objects they relate: the computation
rules relate objects of arbitrary type:
(λx : σ . e) f → e[f/x]
fst (p, q) → p
where e and p are of arbitrary type. On the other hand, the equivalence
rules relate elements of restricted type. In the case of η reduction
λx : σ . (ex) → e

for the left hand side to be a term of the typed calculus, e must be of a
function type. Similarly, in
(fst p, snd p) → p
for fst p and snd p to be well-formed, p must be of product type. We will
take up this discussion further below, after adding a base type.
Exercises
2.8. Show that
λx : ((σ × τ) ⇒ ρ) . λy : σ . λz : τ . (x (y, z)) : ((σ × τ) ⇒ ρ) ⇒ (σ ⇒ τ ⇒ ρ)
and that
λx : (σ ⇒ τ ⇒ ρ) . λy : (σ × τ) . (x (fst y) (snd y)) : (σ ⇒ τ ⇒ ρ) ⇒ ((σ × τ) ⇒ ρ)

2.9 Base Types: Natural Numbers

Computations are usually performed over concrete types, such as numbers,
booleans, characters and so forth. Here we look at how the natural numbers
can be added to the typed λ-calculi above.
• We add the type N to our set of base types (we may have B = {N}).
• To the syntax of expressions we add two clauses
Numbers 0 is of type N, and if n : N then succ n : N.
Primitive Recursion For all types τ, if
e₀ : τ    f : (N ⇒ τ ⇒ τ)
then
Prec e₀ f : N ⇒ τ
Prec is called the primitive recursor, and the term above is
intended to be the primitive recursive function F defined by the
equations
F 0 ≡_df e₀
F (n + 1) ≡_df f n (F n)
To ensure the term does represent the function we add computation
rules for Prec, thus:
• The reduction rules for Prec are
Prec e₀ f 0 → e₀
Prec e₀ f (n + 1) → f n (Prec e₀ f n)
• We can also define equivalence rules for Prec. Given a function
h : N ⇒ τ
we can give a definition of a function taking exactly the same values
as h by primitive recursion thus:
F 0 ≡_df h 0
F (n + 1) ≡_df f n (F n)
where
f n m ≡_df h (n + 1)
h and the function just defined take the same values at every numeral
0, succ 0, succ (succ 0) and so on: we state that the two functions are
themselves equivalent by adding the reduction rule:
Prec (h 0) (λn . λm . h (n + 1)) → h
for h of type N ⇒ τ. Again, it is worth noting that the types of
the objects related by this rule are not completely arbitrary: they are
functions over the domain N.
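The computation rules of sections 2.8 and 2.9 (β, the two projection rules and the two rules for Prec) can be executed directly. The following Python evaluator is an added example and not the book's code; the tagged-tuple encoding of terms, the leftmost-outermost reduction strategy and the definitions PRED and ADD are my own. λ carries no type annotation because evaluation never inspects it, and substitution assumes the substituted term is closed, which holds for every term that arises here. The equivalence rules are deliberately left out, in keeping with the distinction drawn above between computation and equivalence rules.

```python
# Added example (not from the book): a small-step evaluator for the typed
# λ-calculus with pairs (section 2.8) and natural numbers with Prec
# (section 2.9).  Only the computation rules are implemented.  The tagged
# tuple encoding of terms is my own; λ carries no type annotation because
# evaluation never inspects it.

def var(x): return ("var", x)
def app(f, a): return ("app", f, a)
def lam(x, body): return ("lam", x, body)       # λx . body
def pair(a, b): return ("pair", a, b)
def fst(p): return ("fst", p)
def snd(p): return ("snd", p)
def succ(n): return ("succ", n)
def prec(e0, f): return ("prec", e0, f)         # Prec e0 f : N ⇒ τ
ZERO = ("zero",)


def subst(t, x, a):
    """t[a/x].  Assumption: a is closed, so no variable capture can happen."""
    tag = t[0]
    if tag == "var":
        return a if t[1] == x else t
    if tag == "lam":
        return t if t[1] == x else lam(t[1], subst(t[2], x, a))   # x bound here: stop
    return (tag,) + tuple(subst(s, x, a) if isinstance(s, tuple) else s for s in t[1:])


def step(t):
    """One leftmost-outermost computation step, or None if t is in normal form."""
    tag = t[0]
    if tag == "app":
        f, a = t[1], t[2]
        if f[0] == "lam":                            # (λx . e) a → e[a/x]
            return subst(f[2], f[1], a)
        if f[0] == "prec":
            if a[0] == "zero":                       # Prec e0 f 0 → e0
                return f[1]
            if a[0] == "succ":                       # Prec e0 f (n+1) → f n (Prec e0 f n)
                n = a[1]
                return app(app(f[2], n), app(f, n))
    elif tag == "fst" and t[1][0] == "pair":         # fst (p, q) → p
        return t[1][1]
    elif tag == "snd" and t[1][0] == "pair":         # snd (p, q) → q
        return t[1][2]
    # No redex at the root: reduce the leftmost reducible subterm, if any.
    for i in range(1, len(t)):
        if isinstance(t[i], tuple):
            r = step(t[i])
            if r is not None:
                return t[:i] + (r,) + t[i + 1:]
    return None


def normalise(t, limit=100000):
    """Reduce t to normal form.  Strong normalisation (Theorem 2.21, extended
    to pairs and N as sketched in section 2.9) guarantees the loop stops;
    the limit only guards against an encoding mistake."""
    for _ in range(limit):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("reduction limit exceeded")


def numeral(k):
    t = ZERO
    for _ in range(k):
        t = succ(t)
    return t


def to_int(t):
    """Inverse of numeral, or None if t is not a numeral."""
    k = 0
    while t[0] == "succ":
        t, k = t[1], k + 1
    return k if t[0] == "zero" else None


# Primitive recursive definitions constructed for this example.
# PRED: F 0 = 0 and F (n+1) = n, so f n m = n.
PRED = prec(ZERO, lam("n", lam("r", var("n"))))
# ADD: F 0 = λm . m and F (n+1) = λm . succ (F n m), so f n r = λm . succ (r m).
ADD = prec(lam("m", var("m")),
           lam("n", lam("r", lam("m", succ(app(var("r"), var("m")))))))


def pred(k):
    return to_int(normalise(app(PRED, numeral(k))))


def add(a, b):
    return to_int(normalise(app(app(ADD, numeral(a)), numeral(b))))


def swap(a, b):
    """(λp . (snd p, fst p)) (a, b), reduced with β and the projection rules."""
    sw = lam("p", pair(snd(var("p")), fst(var("p"))))
    return normalise(app(sw, pair(numeral(a), numeral(b))))


if __name__ == "__main__":
    print(pred(0), pred(5), add(2, 3))                   # 0 4 5
    print(swap(1, 2) == pair(numeral(2), numeral(1)))    # True
```

Note that ADD recurses on its first argument with τ = N ⇒ N, so the recursor's result type is itself a function type; this is why Prec is typed for an arbitrary τ rather than just for N.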
We can extend the strong normalisation result of section 2.7 to a system
containing product types and a base type of natural numbers. We retain the
notion that expressions of type N are stable if and only if they are strongly
normalising, and add the clause that pairs p are stable if and only if their
components fst p and snd p are. It is not hard to show that all stable
objects are strongly normalising; we then have to show that all objects are
stable.
To do this we need an auxiliary result analogous to lemma 2.27, part
(b), stating that if all the expressions accessible by a single reduction from
the expression Prec e₀ f t are stable, then so is the expression itself. We
prove this by a type induction.
Given this result, the proof of stability of all terms proceeds by a structural
induction, with an auxiliary induction over the natural numbers in
the proof that
Prec e₀ f t
is stable for stable e₀, f and t.
Further details of this proof can be found in [Tai67, GLT89, Tro73].
Exercises
2.9. Give primitive recursive definitions of addition and multiplication.

2.10 General Recursion

A further step is to add an operator R for general recursion. This should
have the property that
R f → f (R f)
so that (R f) is a fixed point of the functional term f. This is a much
stronger notion than primitive recursion (which is definable in terms of R
and a number of primitive operations; details can be found in [Cut81])
and introduces non-terminating computations. In general, any recursively
defined object will have at least one non-terminating reduction sequence,
R f → f (R f)
→ f (f (R f))
→ ...
→ fⁿ (R f)
→ ...
and some have all such sequences non-terminating:
R (λx . x) → (λx . x) (R (λx . x))
→ R (λx . x)
→ ...
We can see that although there are many fixed points of the identity function,
computationally we have the 'least defined', which simply loops forever.
The semantic explanation of general recursion in the definition of objects
and types has led to the development of denotational semantics, which was
initiated by the work of Scott and Strachey in the late sixties. The values
computed by general recursive functions are members of domains, which
reify the ideas of approximation and limit by which we can give an informal
explanation of recursion. More details can be found in the excellent [Sch86].
In type theory we adopt a different approach, keeping to systems in
which normalisation, at least in some form, is assured.

2.11 Evaluation revisited

This section allows us to round off earlier discussions, in sections 2.3, 2.4
and 2.8, about evaluation, the various kinds of (head, ...) normal form and
computation and equivalence rules.
In a (typed) functional programming language like Miranda, we can
ask for the system to evaluate expressions of any type. If the object is a
function, the result of the evaluation is simply the message
<function>
This reflects the fact that we can print no representation of the function
qua transformation, but only in some intensional way by a normal form for
its code.
In addition to this, the ultimate values computed by programs will be
finite: as finite beings we cannot wait an infinite time for a complete
print-out, however close we feel we come sometimes! We would therefore
argue that the values which we seek as final results of programs are non-functional.
Definition 2.28 The order of a type is defined thus, writing o(τ) for the
order of τ:
o(τ) = 0 if τ ∈ B
o(σ × τ) = max(o(σ), o(τ))
o(σ ⇒ τ) = max(o(σ) + 1, o(τ))
Definition 2.29 The terms we evaluate are not only zeroth-order, i.e. of
ground type, they also have the second property of being closed, containing
as they do no free variables. The results will thus be closed (β-)normal
forms of zeroth-order type. It is these that we call the printable values.
In our example λ-calculus, the closed normal forms in N are
0, succ 0, succ (succ 0), ...
in other words they are 0 and succ n where n itself is in normal form.

For a pair of printable types, (σ × τ), the closed normal forms will be
(t, s)
where t, s are closed normal forms of type σ and τ.
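Definitions 2.28 and 2.29 as an added example in Python (not the book's code): order computes o(τ) by the three equations above, free_vars decides closure, and is_printable_value recognises exactly the closed normal forms of zeroth-order type described in the text, namely 0, succ n and pairs of printable values, for products of printable types as well as for N. The encodings of types and terms are assumptions of mine.

```python
# Added example (not from the book): the order of a type (Definition 2.28)
# and the printable-value test (Definition 2.29) for the calculus with
# natural numbers and products.  Encodings are assumptions of mine:
#   types : "N" (base), ("fun", σ, τ) for σ ⇒ τ, ("prod", σ, τ) for σ × τ
#   terms : ("var", x), ("app", f, a), ("lam", x, e), ("pair", a, b),
#           ("fst", p), ("snd", p), ("zero",), ("succ", n), ("prec", e0, f)


def order(tau):
    """o(τ) as defined by the three equations of Definition 2.28."""
    if isinstance(tau, str):                         # o(τ) = 0 for τ ∈ B
        return 0
    if tau[0] == "prod":                             # o(σ × τ) = max(o(σ), o(τ))
        return max(order(tau[1]), order(tau[2]))
    if tau[0] == "fun":                              # o(σ ⇒ τ) = max(o(σ) + 1, o(τ))
        return max(order(tau[1]) + 1, order(tau[2]))
    raise ValueError(f"not a type: {tau!r}")


def free_vars(t, bound=frozenset()):
    """Set of variables occurring free in t; t is closed iff this is empty."""
    tag = t[0]
    if tag == "var":
        return set() if t[1] in bound else {t[1]}
    if tag == "lam":
        return free_vars(t[2], bound | {t[1]})
    fv = set()
    for s in t[1:]:
        if isinstance(s, tuple):
            fv |= free_vars(s, bound)
    return fv


def is_printable_value(t, tau):
    """True iff t is a closed normal form of the zeroth-order type tau.

    Following the characterisation in the text, the closed normal forms of
    N are 0 and succ n with n such a form, and those of σ × τ are pairs of
    closed normal forms of σ and τ; nothing else is printable."""
    if order(tau) != 0 or free_vars(t):
        return False
    if tau == "N":
        if t == ("zero",):
            return True
        return t[0] == "succ" and is_printable_value(t[1], "N")
    if tau[0] == "prod":
        return (t[0] == "pair"
                and is_printable_value(t[1], tau[1])
                and is_printable_value(t[2], tau[2]))
    return False


if __name__ == "__main__":
    print(order(("fun", ("fun", "N", "N"), "N")))             # 2
    print(is_printable_value(("succ", ("zero",)), "N"))       # True
```

The order of (N ⇒ N) ⇒ N is 2 while that of N ⇒ N ⇒ N is only 1, which is why o(σ ⇒ τ) adds one to the order of the domain but not of the range.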
How do we prove that these are the only printable values of these types?
We consider the (notationally) simpler case omitting product types. An
induction over the structure of numerical terms suffices:
• A variable is not closed.
• 0 is a normal form.
• succ t: We argue by induction for t.
• (f e) where f is of functional type. Closed terms of this type have
three forms
– λx . t or Prec t₁ t₂: If f has either of these forms, we have a
contradiction, since (f e) will form a redex (by induction for e
in the case of Prec).
– (g h) where g is an application. First we expand g fully as an
application, writing the term as
g₁ g₂ ... g_k h
Each of the g_i is closed, and g₁ must be of function type. Also
g₁ is not an application so g₁ g₂ must be a redex, in contradiction
to f (that is g h) being in normal form.
A similar argument establishes the result when product types are added.
What is important to note here is that we have no redexes for the equivalence
rules here: we have reached a normal form excluding such redexes
without applying the reduction rules. Clearly this depends upon our twin
assumptions of
Closure This excludes terms of the form
(fst p, snd p)
where p is a variable of type N × N, say.
Printable types This excludes the obvious η-redexes, such as
λx . λy . (xy)
which can occur within closed terms of functional type.
We therefore feel justified in making the distinction between the two kinds
of rule which we called computation and equivalence rules above. The
computation rules suffice for the evaluation of particular terms, whilst the
equivalence rules are used when reasoning about the general behaviour of
functions (applied to terms which may contain variables).
Chapter 3

Constructive Mathematics

The aim of this brief chapter is to introduce the major issues underlying the
conflict between 'constructive' and 'classical' mathematics, but it cannot
hope to be anything other than an hors d'oeuvre to the substantial and
lengthy dialogue between the two schools of thought which continues to
this day.
Luckily, there are other sources. Bishop gives a rousing call to the
constructive approach in the prologue to [BB85], which is followed by a
closely argued 'Constructivist Manifesto' in the first chapter. Indeed the
whole book is proof of the viability of constructivism, developing as it
does substantial portions of analysis from such a standpoint. It contains a
bibliography of further work in the field.
An invaluable historical account of the basis of the conflict as well as
subsequent activity in the field can be found in the historical appendix
of [Bee85]. The first part of [Bee85], entitled 'Practice and Philosophy of
Constructive Mathematics', also gives a most capable summary of both the
scope and the foundations of constructive mathematics. [Dum77] is also a
good introduction, looking in detail at the philosophy of intuitionism, and
the recent survey [TvD88] also serves its purpose well.
Bishop identifies constructivism with realism, contrasting it with the
idealism of classical mathematics. He also says that it gives mathematical
statements 'empirical content', as opposed to the purely 'pragmatic' nature
of parts of classical mathematics, and sums up the programme of [BB85]
thus: 'to give numerical [i.e. computational] meaning to as much as possible
of classical abstract analysis'.
A constructive treatment of mathematics has a number of interlinked
aspects. We look at these in turn now.

60 CHAPTER 3. CONSTRUCTIVE MATHEMATICS

Existence and Logic

What constitutes a proof of existence of an object with certain properties?
A mathematician will learn as a first-year undergraduate that to prove
∃x.P(x) it is sufficient to prove that ∀x.¬P(x) is contradictory. The constructivist
would argue that all this proof establishes is the contradiction:
the proof of existence must supply a t and show that P(t) is provable.
Proofs of existential statements abound in mathematics: the fundamental
theorem of algebra states that a polynomial of degree n has n complex
roots; the intermediate value theorem asserts that continuous functions
which change sign over a compact real interval have a zero in that interval,
just to take two examples.
Sanction for proof by contradiction is given by the law of the excluded
middle
A ∨ ¬A
which states in particular that
∃x.P(x) ∨ ¬∃x.P(x)
If ∀x.¬P(x), which is equivalent to ¬∃x.P(x), is contradictory, then we
must accept ∃x.P(x). Our view of existence thus leads us to reject one
of the classical logical laws, which are themselves justified by an idealistic
view of truth: every statement is seen as true or false, independently of any
evidence either way. If we are to take the strong view of existence, we will
have to modify in a radical way our view of logic and particularly our view
of disjunction and existential quantification.
Bishop gives the interesting example that the classical theorem that every
bounded non-empty set of reals has a least upper bound, upon which
results like the intermediate value theorem depend, not only seems to depend
for its proof upon non-constructive reasoning, it implies certain cases
of the law of the excluded middle which are not constructively valid. Consider
the set of reals {r_n | n ∈ N} defined by
r_n ≡_df 1 if P(n)
r_n ≡_df 0 if not
The least upper bound of this set is 1 if and only if ∃x.P(x); we can certainly
tell whether the upper bound is 1 or not, so
∃x.P(x) ∨ ¬∃x.P(x)
As a consequence of this, not only will a constructive mathematics depend
upon a different logic, but also it will not consist of the same results. One
interesting effect of constructivising is that classically equivalent results

often split into a number of constructively inequivalent results, one or more
of which can be shown to be valid by constructive means.
The constructive view of logic concentrates on what it means to prove
or to demonstrate convincingly the validity of a statement, rather than concentrating
on the abstract truth conditions which constitute the semantic
foundation of classical logic. We examine these proof conditions now.
To prove a conjunction A ∧ B we should prove both A and B; to prove
A ∨ B we should prove one of A, B, and know which of the two we have
proved. Under this interpretation, the law of the excluded middle is not
valid, as we have no means of going from an assertion to a proof of either
it or its negation. On the other hand, with this strong interpretation, we
can extract computationally meaningful information from a proof of A ∨ B,
as it allows us to decide which of A or B is proved, and to extract the
information contained in the proof of whichever of the two statements we
have.
How might an implication A ⇒ B be given a constructive proof? The
proof should transform the information in a proof of A into similar information
for B, in other words we give a function taking proofs of A into
proofs of B. A proof of a universally quantified formula ∀x.P(x) is also a
transformation, taking an arbitrary a into a proof of the formula P(a). We
shall have more to say about the exact nature of functions in the section
to come.
Rather than thinking of negation as a primitive operation, we can define
the negation of a formula ¬A to be an implication,
A ⇒ ⊥
where ⊥ is the absurd proposition, which has no proof. A proof of a negated
formula has no computational content, and the classical tautology ¬¬A ⇒
A will not be valid: take the example where A is an existential statement.
Finally, to give a proof of an existential statement ∃x.P(x) we have to
give two things. First we have to give a witness, a say, for which P(a) is
provable. The second thing we have to supply is, of course, the proof of
P(a). Now, given this explanation, we can see that a constructive proof of
∃x.P(x) ∨ ¬∃x.P(x)
constitutes a demonstration of the limited principle of omniscience. It gives
a decision procedure for the predicates P(x) over the natural numbers, say,
and can be used to decide the truth or otherwise of the Goldbach Conjecture,
as well as giving a solution to the halting problem. It therefore seems
not to be valid constructively, or at least no constructive demonstration of
its validity has so far been given!

Given the explanation of the logic above, we can see that we have to

abandon many classical principles, like ¬¬A ⇒ A, ¬(¬A ∧ ¬B) ⇒ (A ∨ B),
¬∀x.¬P(x) ⇒ ∃x.P(x) and so on.
We shall see in the section to come that as well as modifying our logic
we have to modify our view of mathematical objects.

Mathematical objects
The nature of objects in classical mathematics is simple: everything is a
set. The pair of objects a and b 'is' the set {{a}, {a, b}} and the number 4
'is' the set consisting of
∅, {∅}, {∅, {∅}}, {∅, {∅}, {∅, {∅}}}
Functions are represented by sets of pairs constituting their graph, so that
the successor function on the natural numbers is
{(0, 1), (1, 2), (2, 3), ...}
which is itself shorthand for
{ {{∅}, {∅, {∅}}}, {{{∅}}, {{∅}, {∅, {∅}}}}, ... }
Objects like this are infinite, and an arbitrary function graph will be infinitary,
that is it will have no finite description. Such objects fail to have
computational content: given the finitary nature of computation, it is impossible
completely to specify such an object to an algorithm. This is an
example of a fundamental tenet of constructive mathematics:
Every object in constructive mathematics is either finite, like
natural or rational numbers, or has a finitary description, such
as the rule
λx . x + 1
which describes the successor function over the natural numbers.
The real numbers provide an interesting example: we can supply a description
of such a number by a sequence of approximations, (a_n)_n say. This
sequence is finitary if we can write down an algorithm or rule which allows
us to compute the transformation
n ↦ a_n
for all n. (We shall return to the example of the reals below.)

A second aspect of the set theoretic representation is the loss of distinction
between objects of different conceptual type. A pair is a set, a number
is a set, a function is a set, and so on. We are quite justified in forming a
set like
(3, 4) ∪ 0 ∪ succ
although its significance is less than crystal clear! This does not reflect
usual mathematical practice, in which the a priori distinctions between
numbers, functions and so on are respected. In other words, the objects of
mathematics are quite naturally thought of as having types rather than all
having the trivial type 'set'. We summarise this by saying that
Constructive mathematics is naturally typed.
One obvious consequence of this is that quantification in a constructive
setting will always be typed.
If we accept that a typed system is appropriate, what exactly do we
mean by saying that 'object a has type A'? To understand what this
means, we must explain type-by-type what are the objects of that type,
and what it means for two objects of the type to be equal. For instance,
for the type of functions, A ⇒ B, we might say that objects of the type
are (total) algorithms taking objects of A to objects of B, and that two
algorithms are deemed equal if they give the same results on every input
(the extensional equality on the function space).
Each object a should be given in such a way that we can decide whether
it is a member of the type A or not. Consider an example. Suppose that
we say that the real numbers consist of the class of sequences (a_n)_n which
are convergent, that is which satisfy
∀n.∃m.∀i ≥ m.∀j ≥ m . |a_i − a_j| < 1/n
When presenting such a sequence it is not sufficient to give the sequence,
it must be presented with the witness that it has the property required.
In this case the witnessing information will be a modulus of convergence
function μ together with a proof that
∀n.∀i ≥ μ(n).∀j ≥ μ(n) . |a_i − a_j| < 1/n
This is an example of the general principle:
Principle of Complete Presentation. Objects in constructive
mathematics are completely presented, in the sense that if
an object a is supposed to have type A then a should contain
sufficient witnessing information so that the assertion can be
verified.

This is a principle to which Bishop adheres in principle, but to smooth the presentation of the results, he adopts a policy of systematic suppression of the evidence, invoking it only when it is necessary. This schizophrenic attitude will also pervade the systems we shall introduce.

There is a relationship between this view and the classical. The constructive model of objects like the reals can be seen as related to the classical; witnessing evidence which can always be provided by a non-constructive existence proof in the classical setting is incorporated into the object itself by the constructivist.

A final area of note is equality over infinite objects like the reals. For the natural numbers, we can judge whether two objects are equal or not simply by examining their form. For the reals, we are not interested so much in the syntactic form of two numbers as in their respective limits. Two reals $(a_n)_n$, $(b_n)_n$ (we suppress the evidence!) have the same limit, and so are deemed equal, if

$$\forall n.\,\exists m.\,\forall i \geq m.\,\forall j \geq m.\ |a_i - b_j| < 1/n$$

We cannot expect that for an arbitrary pair of reals we can decide whether $a = b$ or $a \neq b$, as one consequence of this is the limited principle of omniscience. A final precept which is useful here is

Negative assertions should be replaced by positive assertions whenever possible.

In this context we replace `$\neq$' by a notion of `apartness'. Two real numbers $(a_n)_n$, $(b_n)_n$ are separated, $a \# b$, if

$$\exists n.\,\exists m.\,\forall i \geq m.\,\forall j \geq m.\ |a_i - b_j| > 1/n$$

This is a strong enough notion to replace the classically equivalent inequality. We shall return to the topic of the real numbers in section 7.6.
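The completely presented real of the discussion above, as an added example that is not part of the book: a real carried together with its modulus of convergence, and the apartness relation $a \# b$ made checkable because that witness is available. The sample sequences, the search bound, and the names `Real`, `apart` and `witness_holds` are all constructed here.

```python
from fractions import Fraction
from typing import Callable, NamedTuple, Optional, Tuple


class Real(NamedTuple):
    """A completely presented real: the sequence (a_n)_n together with its
    modulus of convergence mu, i.e. for all n and all i, j >= mu(n),
    |a_i - a_j| < 1/n.  The proof of that property is not carried at run time;
    supplying a correct modulus is the caller's obligation (Bishop's suppressed
    evidence)."""
    seq: Callable[[int], Fraction]
    modulus: Callable[[int], int]

    def approx(self, n: int) -> Fraction:
        """A term within 1/n of the limit: any a_i with i >= mu(n) will do."""
        return self.seq(self.modulus(n))


def apart(a: Real, b: Real, tries: int = 40) -> Optional[Tuple[int, int]]:
    """Search for a witness (n, m) of a # b: |a_i - b_j| > 1/n for all i, j >= m.
    For k = 1, 2, 4, ... take m = max(mu_a(k), mu_b(k)); for i, j >= m the
    moduli give |a_i - b_j| > |a_m - b_m| - 2/k, so as soon as that bound is
    positive, n = ceil(1/bound) completes the witness.  If a and b have the same
    limit no round ever succeeds; after `tries` rounds we return None, which
    means 'undecided', not 'equal' (we cannot decide a = b or a # b in general)."""
    k = 1
    for _ in range(tries):
        m = max(a.modulus(k), b.modulus(k))
        bound = abs(a.seq(m) - b.seq(m)) - Fraction(2, k)
        if bound > 0:
            n = -(-bound.denominator // bound.numerator)      # ceil(1 / bound)
            return n, m
        k *= 2
    return None


def witness_holds(a: Real, b: Real, n: int, m: int, samples: int = 60) -> bool:
    """Spot-check a claimed witness on finitely many indices.  This is only a
    sanity check; the guarantee for every i, j >= m comes from the moduli."""
    return all(abs(a.seq(i) - b.seq(j)) > Fraction(1, n)
               for i in range(m, m + samples) for j in range(m, m + samples))


# Constructed sample reals.  ZERO: a_n = 1/n with modulus n, since for i, j >= n
# we have |1/i - 1/j| < 1/n.  ONE: b_n = 1 + (-1)^n / n with modulus 2n + 1,
# since for i, j >= 2n + 1 we have |b_i - b_j| <= 1/i + 1/j <= 2/(2n + 1) < 1/n.
ZERO = Real(seq=lambda n: Fraction(1, n), modulus=lambda n: n)
ONE = Real(seq=lambda n: 1 + Fraction((-1) ** n, n), modulus=lambda n: 2 * n + 1)
# A second presentation of the limit 0, c_n = 1/(2n) with modulus n, to show
# that the search does not refute equality: it simply fails to find a witness.
ZERO_AGAIN = Real(seq=lambda n: Fraction(1, 2 * n), modulus=lambda n: n)
```

For `ZERO` and `ONE` the search succeeds at $k = 4$ with $m = 9$ and $n = 4$; for `ZERO` and `ZERO_AGAIN` it exhausts its rounds, which is exactly the failure to decide equality that the text describes.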

Formalizing Constructive Mathematics

The reader should not conclude from the foregoing discussion that there is a `Golden Road' to the formalization of constructive mathematics. The type theory which we explore below represents one important school of many, and we should say something about them now. [Bee85] provides a very useful survey addressing precisely this topic, and we refer the reader to this for more detailed primary references. The text covers theories like Intuitionistic set theory (IZF), Feferman's theories of operations and classes, [Fef79], as well as various formalized theories of rules, all of which have been proposed as foundations for a treatment of constructive mathematics.

One area which is overlooked in this study is the link between category theory and logic, the topic of [LS86]. This link has a number of threads, including the relationship between the $\lambda$-calculus and cartesian closed categories, and the category-theoretic models of intuitionistic type theory provided by toposes. The interested reader will want to follow up the primary references in [LS86].

Conclusion

We have seen that constructive mathematics is based on principles quite different from classical mathematics, with the idealistic aspects of the latter replaced by a finitary system with computational content. Objects like functions are given by rules, and the validity of an assertion is guaranteed by a proof from which we can extract relevant computational information, rather than on idealist semantic principles. We lose some theorems, such as

Theorem 3.1 (Intermediate Value Theorem - Classical) Suppose that $f$ is continuous on $[0, 1]$ with $f(0) < 0$ and $f(1) > 0$; then there is an $r \in [0, 1]$ with $f(r) = 0$.

All is not lost, and we can prove the weaker

Theorem 3.2 (Intermediate Value Theorem - Constructive) Suppose that $f$ is continuous on $[0, 1]$ with $f(0) < 0$ and $f(1) > 0$; then for all $\varepsilon > 0$ there is an $r \in [0, 1]$ with $|f(r)| < \varepsilon$.

The constructive version states that we can get arbitrarily close to the root, and of course that is all we could expect to do from a computational point of view. In this respect we have in the latter theorem a truer picture of our `empirical' capabilities.

For other examples, and more cogent pleading of the constructivist case, we would heartily recommend the opening passages of [BB85]. Indeed, the whole book will repay detailed study. We now pass on to looking at our formal system for type theory.
Chapter 4

Introduction to Type Theory

This chapter forms the focus of the book, drawing together the three themes of logic, functional programming and constructive mathematics into a single system, which we investigate, develop and criticise in the chapters to come. The short discussion of constructive mathematics introduced the idea that proofs should have computational content; we saw that to achieve this goal, the underlying logic of the system needed to be changed to one in which we only assert the validity of a proposition when we have a proof of the proposition. Because of this, the system we define is different from those of the first chapter, deriving as it does statements of the form

`$p$ is a proof of the proposition $P$',

which we write thus:

$$p : P$$

Central to type theory is the duality between propositions and types, proofs and elements: a proof of a proposition $T$ can be seen as a member of the type $T$, and conversely. Ideas which come from one side of the divide can be re-interpreted on the other, enriching both fields. We first present type theory as a logical system, and then re-interpret the derivation rules as rules for program construction in a typed functional language, with $p : P$ read as

`$p$ is a member of the type $P$'

The chapter begins with an informal examination of what it means for something to be a proof of a formula of propositional logic. Before introducing the formal system itself, we look at the general form that the rules will take, and establish some important terminology which will distinguish between the formal proof objects, like $p$ above, and derivations of the statements, or judgements, like $p : P$.

With each connective or type forming operation we associate four kinds of rule. The familiar rules of introduction and elimination describe how certain propositions can be proved. From the programming point of view they assert the existence of certain objects of certain types; in other words, they specify the syntax of a programming language. To describe a language we need to supply not only the syntax but also to explain how to evaluate or run programs written in the language. The computation rules explain this, with

$$e_1 \to e_2$$

denoting `$e_1$ reduces to $e_2$ in one step of computation'; their logical interpretation is a description of how proof objects may be simplified. We also give a formation rule which embodies the syntax of the connective: this presentation of the syntax together with the rules of the system is one of the distinctive features of type theory, and it is necessary because of the interdependence in the definitions of types and values.

The formal presentation of the logical rules for propositional calculus is followed by a number of examples, in which we see standard functions like composition serving as proofs of familiar statements like

$$(A \Rightarrow B) \Rightarrow (B \Rightarrow C) \Rightarrow (A \Rightarrow C)$$

After this we introduce the logical notions of universal and existential quantifiers, which when given a programming interpretation define dependent function spaces and modules, amongst other things.

Programming is dependent on the presence of data types such as the booleans, the finite types and the natural numbers, which are introduced next. The one and zero element types are also representatives of the logical statements Truth and Falsity, truth having the trivial proof, and falsity having none. Infinite data types are characterised by principles of definition by recursion and proof by induction; as we cannot define every case of a function or examine every case in a proof, we need these indirect methods. The two methods go hand-in-hand, as we define an object by recursion and then prove any property of the object by induction. One of the most elegant aspects of the type theoretic approach is that the two are identical: a proof by induction is nothing other than a proof object defined using recursion.

This recursive characterisation carries over to other types, and we look at binary trees as an example of a general well-founded type construction.

The primitive propositions introduced thus far are the types $bool$, $N$ and so on. The assertion of the identity

$$a =_A b$$

of two values $a$ and $b$ of type $A$ forms a fundamental atomic proposition, or type. Here we can see the interdependence between the definitions of types and values in the language: $a =_A b$ is a type of the language if $a$ and $b$ are values of type $A$.

There is another relation linking items, generated by `$\to$': two expressions are convertible if a sequence of forwards or backwards reductions using `$\to$' leads from the first to the second: as each step leads from equals to equals, convertible expressions are deemed to be equal internally, so that we can use the relation `$=$' to reason about the computational behaviour of programs. This means that our system gives an integrated treatment of programming and verification: we can prove a program correct, or develop it from a specification, in the same system in which the program is written.

4.1 Propositional Logic: an Informal View


Our first view of the material is an informal account of what it is to have a proof of a proposition built using the connectives $\wedge$, $\Rightarrow$, $\vee$ and $\bot$. Recall that we use the notation $p : P$ for `$p$ is a proof (or demonstration) of the proposition $P$'.

Looking at the connectives in turn, we have:

$A \wedge B$: A proof of $A \wedge B$ will be a pair of proofs $p$ and $q$, $p : A$ and $q : B$. The reasons for this should be obvious. In order to demonstrate that $A \wedge B$ is valid we have to be able to demonstrate the validity of both $A$ and $B$ separately, and from a proof of the conjunction we can extract proofs of the component propositions. (It is interesting to observe that this property will hold for classical systems as well as for constructive ones.)

$A \Rightarrow B$: A proof of $A \Rightarrow B$ consists of a method or function which transforms any proof of $A$ into a proof of $B$. Clearly, then, given proofs $a$ of $A$ and $f$ of $A \Rightarrow B$ we can derive a proof of $B$ by applying the proof transformer $f$ to $a$.

$A \vee B$: A proof of $A \vee B$ will either be a proof of $A$ or be a proof of $B$, together with an indication of which formula the proof is of. This is quite different from the classical reading of $\vee$. A classical logician can assert (or prove, depending upon the particular system) the proposition $A \vee \neg A$ as a general result. However, there are cases in which it is clear that we can prove neither the proposition $A$ nor its negation $\neg A$. Note that from a constructive proof of $A \vee B$ we can read off a proof of one of $A$, $B$ and moreover know which it proves. This is not the case for the classical disjunction; witness the classically valid $A \vee \neg A$.

$\bot$: There is no proof of the contradictory proposition $\bot$.

Definition 4.1 Implicit in these descriptions is a description of proofs of $\neg A$ and $A \Leftrightarrow B$, since we choose to define them by:

$$\neg A \equiv_{df} A \Rightarrow \bot$$
$$A \Leftrightarrow B \equiv_{df} (A \Rightarrow B) \wedge (B \Rightarrow A)$$

We see that a proof of $\neg A$ is a function which transforms proofs of $A$ into proofs of $\bot$. A proof of $A \Leftrightarrow B$ is a pair of functions, one transforming proofs of $A$ into proofs of $B$, and the other taking proofs of $B$ to proofs of $A$.

To give a flavour of the approach, let us develop a proof of the proposition

$$(A \wedge B) \Rightarrow (B \wedge A)$$

This proof will be a function, taking proofs of $A \wedge B$ to proofs of $B \wedge A$. Suppose we are given a proof $p$ of $A \wedge B$; we know that it consists of two halves, $p_1 : A$ and $p_2 : B$. Given these component parts we can build the proof of $B \wedge A$: it is simply $(p_2, p_1)$. If we write $fst$ and $snd$ for the functions which extract the first and second components, then the proof of the implication takes the form

$$\lambda p . (snd\ p, fst\ p)$$

A second example is provided by a proof of

$$(((A \vee B) \Rightarrow C) \wedge A) \Rightarrow C$$

Our proof will again be a function, taking a proof of

$$((A \vee B) \Rightarrow C) \wedge A \qquad (4.1)$$

into a proof of $C$. What does a proof of (4.1) look like? It is a pair of proofs, the first, $q$ say, is of

$$(A \vee B) \Rightarrow C$$

and the second, $r$ say, of $A$. Now, from a proof of $A$ we can build a proof of $A \vee B$, simply by labelling it as a proof of the left-hand formula, $inl\ r$. Now, $q$ is a proof of $(A \vee B) \Rightarrow C$ and so is a function from proofs of $A \vee B$ to proofs of $C$. We can therefore apply it to the proof $inl\ r$ to get a proof of $C$, as required. The full proof can be written

$$\lambda (q, r) . q\,(inl\ r)$$

where we use a lambda abstraction over a pattern to indicate that the argument will be a pair.

Clearly, if we are to build more complex proofs along these lines then we must give a formal notation for these proofs, and for the way that we derive the proof objects.

4.2 Judgements, Proofs and Derivations


Recall the form that our logic took in chapter 1. There we gave rules which took the form of the example which follows.

$$\frac{A \qquad B}{A \wedge B}\ (\wedge I)$$

The rule above should be read, in full,

If $A$ is valid and $B$ is valid then $A \wedge B$ is valid

or more generally under a set of assumptions,

If $A$ is valid under those assumptions and $B$ is valid under those assumptions then $A \wedge B$ is valid under those assumptions.

Schematically, it should be written

$$\frac{A\ \text{is valid} \qquad B\ \text{is valid}}{(A \wedge B)\ \text{is valid}}\ (\wedge I)$$

The rules tell us how one judgement, $(A \wedge B)$ is valid, can be inferred from a number of others.

The system of rules we introduce here is similar, except that the form of the judgements is different. Our constructive approach to mathematics means that we are not interested in validity alone, but in explicit demonstrations or proofs of propositions. The judgements we introduce therefore have the form `$p : P$' which should be read `the object $p$ is a proof of the proposition $P$'.

The rule to introduce conjunctions, according to the explanation in the previous section, will be

$$\frac{p : A \qquad q : B}{(p, q) : (A \wedge B)}\ (\wedge I)$$

The rules are to be used just as were the logical rules in chapter 1, to produce derivations of judgements: a rule is applied to derivations of the judgements above the line to produce a derivation of the judgement below the line. Note that this is a change of terminology from the earlier chapter; there we used rules to give proofs of judgements, whereas here we use rules to derive judgements which themselves contain proof objects or constructions. To re-iterate, proofs and propositions form the object language; derivations are the means by which we infer judgements concerning the object language. Derivations are built inductively by applying the deduction rules. If we now introduce the rules for conjunction elimination, we will be able to look at an example which we examined informally a little earlier.

$$\frac{r : (A \wedge B)}{fst\ r : A}\ (\wedge E_1) \qquad \frac{r : (A \wedge B)}{snd\ r : B}\ (\wedge E_2)$$

Here we see a derivation of the judgement $(snd\ r, fst\ r) : (B \wedge A)$

$$\frac{\dfrac{r : (A \wedge B)}{snd\ r : B}\ (\wedge E_2) \qquad \dfrac{r : (A \wedge B)}{fst\ r : A}\ (\wedge E_1)}{(snd\ r, fst\ r) : (B \wedge A)}\ (\wedge I)$$

The proof object derived is the pair $(snd\ r, fst\ r)$ which is shown to prove $(B \wedge A)$ assuming that $r$ is a proof of $(A \wedge B)$.

As in our earlier treatment of logic, derivations can be based on assumptions, and these assumptions can be discharged by certain of the rules. We will use the same notation for discharge as we did earlier.

Note that as there is no possibility of ambiguity, we have used the same names for the proof rules, $(\wedge I)$, $(\wedge E)$ and so on, as we did in the chapter covering logic.

Some of our rules will involve another judgement, which asserts that a particular sequence of symbols is a formula:

$$A\ \text{is a formula}$$

For conjunction, for instance, we write

$$\frac{A\ \text{is a formula} \qquad B\ \text{is a formula}}{(A \wedge B)\ \text{is a formula}}\ (\wedge F)$$

Rules of this sort are called formation rules as they explain the circumstances under which a particular formula can be formed. In other words, they are the rules of syntax for the language of propositions. We might think it simpler to state the rules quite separately (by means of BNF for example), but we shall see later, in section 4.10, that some formulas are only well-formed if certain judgements are derivable, linking syntax and derivations inextricably.

For each connective we shall specify four different kinds of rule. Each will have introduction and elimination rules, which are used to introduce and eliminate formulae involving the particular connective. As we discussed above, we shall also have the formation rule. Finally, each connective will have computation rules which tell us how proofs of formulas involving that connective can be simplified. This is a new idea, and we look at a brief example of it now. Recall the way that we treated $\wedge$ in the previous section. If $p$ was a proof of $A$ and $q$ a proof of $B$, then $(p, q)$ is a proof of $A \wedge B$. Now, given such a proof we can extract proofs of $A$ and $B$ by applying $fst$ and $snd$. All that these do is to extract the first and second components of the pair, so we want to say that

$$fst\ (p, q) \to p \qquad snd\ (p, q) \to q$$

and it is this computational information about the operations $fst$ and $snd$ which appears in the computation rules. The symbol `$\to$' is read `reduces to' (and should be compared to the reduction symbol of the lambda calculus from section 2.2). We use the symbol $\twoheadrightarrow$ for the closure of this relation; see section 4.11 below.

4.3 The Rules for Propositional Calculus


We first give the rules for the $\wedge$ connective, as we set them out above.

Formation Rule for $\wedge$

$$\frac{A\ \text{is a formula} \qquad B\ \text{is a formula}}{(A \wedge B)\ \text{is a formula}}\ (\wedge F)$$

Introduction Rule for $\wedge$

$$\frac{p : A \qquad q : B}{(p, q) : (A \wedge B)}\ (\wedge I)$$

Elimination Rules for $\wedge$

$$\frac{r : (A \wedge B)}{fst\ r : A}\ (\wedge E_1) \qquad \frac{r : (A \wedge B)}{snd\ r : B}\ (\wedge E_2)$$

Computation Rules for $\wedge$

$$fst\ (p, q) \to p \qquad snd\ (p, q) \to q$$

These are simply the rules we introduced informally in our discussion above. Recall that we characterised proofs of the conjunction as pairs of proofs. We can read the introduction and elimination rules as expressing precisely this. The introduction rule states that all pairs of proofs are proofs of the conjunction, but leaves open the possibility of other kinds of proof. The elimination rule excludes any other sort of proof of the conjunction, since it states that we can extract two component proofs from any proof of the pair. In other words we can read the elimination rule as a `closure' rule. This duality will be true for all introduction-elimination pairs. We take a formal look at the duality in section 8.4 below.

The next set of rules concerns implication. The formation rule is standard.

Formation Rule for $\Rightarrow$

$$\frac{A\ \text{is a formula} \qquad B\ \text{is a formula}}{(A \Rightarrow B)\ \text{is a formula}}\ (\Rightarrow F)$$

Recall that we discharged an assumption in a proof when we introduced the connective. A proof of an implication is a function transforming an arbitrary proof of $A$ into a proof of $B$. We form that transformation by building a proof $e$ of $B$ assuming that we have an (arbitrary) proof, $x$ say, of $A$. The function itself is formed by lambda abstraction over the variable, giving $(\lambda x : A) . e$. This expression is independent of the variable $x$, since this is bound, reflecting the discharge of the assumption $x : A$.

Introduction Rule for $\Rightarrow$

$$\frac{\begin{array}{c}[x : A]\\ \vdots\\ e : B\end{array}}{(\lambda x : A) . e : (A \Rightarrow B)}\ (\Rightarrow I)$$

The notation $[x : A]$ is used to record the fact that the assumption $x : A$ which will in general appear in the derivation of $e : B$ is discharged from the derivation of $(\lambda x : A) . e : (A \Rightarrow B)$ which results from applying the rule to the given derivation of $e : B$.

In the dual case, we eliminate an implication by supplying a proof of the hypothesis. The proof of the implication is applied to the proof of the hypothesis to give a proof of the consequent, recalling the description of proofs of $A \Rightarrow B$ above. The elimination rule can also be read as saying that all proofs of $A \Rightarrow B$ are functions, since they can all be applied (to proofs of the right `type', $A$).

Elimination Rule for $\Rightarrow$

$$\frac{q : (A \Rightarrow B) \qquad a : A}{(q\ a) : B}\ (\Rightarrow E)$$

Finally, what happens if we apply the proof $(\lambda x : A) . e$ of $A \Rightarrow B$ to the proof $a : A$? Recall that $e$ was a proof of $B$, on the assumption that $x$ was a proof of $A$. Now, we have such a proof, $a$, and so we get a proof of $B$ by replacing $x$ by $a$ throughout $e$. We say,

Computation Rule for $\Rightarrow$

$$((\lambda x : A) . e)\ a \to e[a/x]$$

where the notation $e[a/x]$ means the expression $e$ in which every free occurrence of $x$ is replaced by $a$, and where this is done in such a way as to avoid free variables becoming bound (exactly as we stipulated in section 2.2 above).

What are the rules for disjunction, $\vee$? We have straightforward formation and introduction rules,

Formation Rule for $\vee$

$$\frac{A\ \text{is a formula} \qquad B\ \text{is a formula}}{(A \vee B)\ \text{is a formula}}\ (\vee F)$$

Introduction Rules for $\vee$

$$\frac{q : A}{inl\ q : (A \vee B)}\ (\vee I_1) \qquad \frac{r : B}{inr\ r : (A \vee B)}\ (\vee I_2)$$

The operator $inl$ registers the fact that the proof available is for the left hand disjunct, and $inr$ registers that it is for the right, as in general we may not be able to differentiate between the two different kinds of proof without these `tags' to distinguish between them.

The elimination rule for $\vee$ in chapter 1 was rather more complex, involving the discharge of two premisses; we present a slight variant of it here, but we can see that it has exactly the same motivation as our earlier rule.

Elimination Rule for $\vee$

$$\frac{p : (A \vee B) \qquad f : (A \Rightarrow C) \qquad g : (B \Rightarrow C)}{cases\ p\ f\ g : C}\ (\vee E)$$

$cases\ p\ f\ g$ is a proof of $C$ which is built from a proof $p$ of $A \vee B$ and from proofs $f : (A \Rightarrow C)$ and $g : (B \Rightarrow C)$. How does it work? The proof $p$ comes either from a proof $q$ of $A$, and has the form $inl\ q$, or from a proof $r$ of $B$, and has the form $inr\ r$. In the first case we get a proof of $C$ by applying $f$ to $q$, and in the second by applying $g$ to $r$. Hence the name `$cases$' and the computation rules:

Computation Rules for $\vee$

$$cases\ (inl\ q)\ f\ g \to f\ q$$
$$cases\ (inr\ r)\ f\ g \to g\ r$$

Each elimination rule has a major premiss, containing the connective to be eliminated. The remainder are known as minor premisses. The rule corresponding directly to the rule in chapter 1 has as its two minor premisses proofs of $C$ from assumptions $x : A$ and $y : B$. As these two assumptions are to be discharged the $cases$ operation will have to bind the variables $x$ and $y$, just as the variable in the assumption is bound in an $(\Rightarrow I)$ by the lambda. This variant of the rule is given in section 5.3 below.

Finally, what rules do we associate with absurdity, $\bot$? First we have the formation rule,

Formation Rule for $\bot$

$$\bot\ \text{is a formula}\quad (\bot F)$$

and we have no introduction rule associated with $\bot$, as we know of no way of forming proofs of the absurd proposition. We can eliminate it freely, thus,

Elimination Rule for $\bot$

$$\frac{p : \bot}{abort_A\ p : A}\ (\bot E)$$

This rule says that if we can prove absurdity (with $p$), then the proof $abort_A\ p$ proves $A$. This is the second half of our characterisation of $\bot$ as absurdity. Not only do we give no method by which $\bot$ can be introduced, but in order to show that we did not simply forget to give these rules we say that given any such proof our system must crash, and prove everything,

the rule of ex falso quodlibet. There are no computation rules associated with such an object; it simply registers the fact that the object is proved directly from absurdity.

The rule for implication introduction discharges an assumption of the form $x : A$ where $x$ is a variable. How do these assumptions become parts of derivations? In order for an assumption $x : A$ to be sensible, we need $A$ to be a formula. This is a sufficient condition too, so we have

Rule of Assumption

$$\frac{A\ \text{is a formula}}{x : A}\ (AS)$$

We make the implicit (informal!) assumption that our sets of assumptions will always be consistent: we will not assume that any variable is a proof of more than one formula. We elaborate on the details of this in the chapter to come.

This rule is unusual, in that it shows that our assumptions do not appear at the leaves of derivations, but rather only after a derivation that the expression which follows the colon is indeed a formula.

In many of our examples we will relax this constraint, omitting the derivation of `$A$ is a formula'; this will only be done when the derivation is trivial, or we simply assume, informally, that the derivation has been performed prior to the derivation at issue.

This completes our exposition of the propositional part of type theory; in the next section we get to the heart of our exposition, and tie the link between functional programming (as represented by the lambda calculus) and logic.

Exercises

4.1. Show that conjunction is associative by deriving a proof of the formula

$$(A \wedge B) \wedge C \Rightarrow A \wedge (B \wedge C)$$

4.2. Show that the formula $(\neg A \vee B) \Rightarrow (A \Rightarrow B)$ is valid by exhibiting a proof object for it. Do you expect the converse, $(A \Rightarrow B) \Rightarrow (\neg A \vee B)$, to be provable?

4.3. Show that from the assumption $x : (A \vee \neg A)$ you can derive a proof object for the formula $(\neg\neg A \Rightarrow A)$. Show that you can find a proof object for the converse, $(A \Rightarrow \neg\neg A)$, without this assumption.

4.4. Show that from the assumptions $x : ((A \wedge B) \Rightarrow C)$ and $y : A$ you can derive a proof of $B \Rightarrow C$. What is the formula which results from the discharge of the two assumptions, and what proof object of this formula is given by your construction?

4.4 The Curry Howard Isomorphism


This section forms the heart of our development of type theory. In it we look at a remarkable correspondence, or isomorphism, linking the typed lambda calculus and constructive logic. It has become known as the Curry Howard Isomorphism, in tribute to Haskell B. Curry and W. Howard who were among those first to observe it [CF58, How80]. Others include Scott, Läuchli and Martin-Löf himself. Under the isomorphism, types correspond to propositions and members of those types, like pairs, functions and so on, to proofs. We were prepared for such a coincidence by the development of constructive logic in the last section, because the proofs we introduced there were familiar objects like pairs and functions. In the sections and chapters which follow, we shall see the extent of this correspondence, and the degree to which it can illuminate our understanding of both logic and programming. This section illustrates the core of the isomorphism by giving a reinterpretation of the rules of logic above as rules of program formation. The rules are then seen to explain

Formation rule: what the types of the system are,

Introduction and Elimination rules: which expressions are members of which types, and

Computation rule: how these objects can be reduced to simpler forms, i.e. how we can evaluate expressions.

Another way of looking at the rules is to say that the formation rules explain the types of the language and that the introduction and elimination rules explain the typing rules for expressions (and so explain how type checking for the system should proceed); together these describe the static part of a traditional language, with the computation rules explaining the dynamics of its behaviour. We shall see in section 4.10 that the distinction between the static and the dynamic becomes blurred in the full system, as type checking and computation become inextricably linked.

We now run through the rules connective by connective, changing the judgement `is a formula' to `is a type' to reflect our different orientation.

Formation Rule for $\wedge$

$$\frac{A\ \text{is a type} \qquad B\ \text{is a type}}{(A \wedge B)\ \text{is a type}}\ (\wedge F)$$

Introduction Rule for $\wedge$

$$\frac{p : A \qquad q : B}{(p, q) : (A \wedge B)}\ (\wedge I)$$

Elimination Rules for $\wedge$

$$\frac{r : (A \wedge B)}{fst\ r : A}\ (\wedge E_1) \qquad \frac{r : (A \wedge B)}{snd\ r : B}\ (\wedge E_2)$$

Computation Rules for $\wedge$

$$fst\ (p, q) \to p \qquad snd\ (p, q) \to q$$

Read as a type, $A \wedge B$ is the product of the two types, whose formation is permitted by the formation rule. The introduction rule tells us that members of the type include pairs $(p, q)$ of objects, where $p$ is taken from the first type and $q$ is taken from the second. The elimination rule states that from an object of the product type we can extract objects of the two component types, and the computation rule shows that the objects thus extracted are indeed the two components of the pair. These two rules therefore state that all objects of the product type are pairs.

Alternatively, we can read the elimination rules as giving the type of the two projection operators which take us from the product type to the two components. The computation rules give the computational definitions of these operators. In terms of traditional programming languages, the product type is usually called a record type. Nearly every modern programming language features a record type.

As we suggested above, we can think of members of $A \Rightarrow B$ as functions from $A$ to $B$. This is perhaps not surprising, as not only do we already see proofs of implications as functions, but also the arrow notation is suggestive in itself. Just to re-iterate the rules,

Formation Rule for $\Rightarrow$

$$\frac{A\ \text{is a type} \qquad B\ \text{is a type}}{(A \Rightarrow B)\ \text{is a type}}\ (\Rightarrow F)$$

Introduction Rule for $\Rightarrow$

$$\frac{\begin{array}{c}[x : A]\\ \vdots\\ e : B\end{array}}{(\lambda x : A) . e : (A \Rightarrow B)}\ (\Rightarrow I)$$

This rule discharges the assumption $x : A$.

This is the rule which introduces a lambda-abstraction, or function, as we explained in chapter 2. It is by a use of the lambda symbol that we form functions. We have modified the notation slightly so that the expression includes the type of the domain of the function formed. The rule which gives the type of function applications is

Elimination Rule for $\Rightarrow$

$$\frac{q : (A \Rightarrow B) \qquad a : A}{(q\ a) : B}\ (\Rightarrow E)$$

Finally, with the following rule we see our justification of the phrase `Computation Rule':

Computation Rule for $\Rightarrow$

$$((\lambda x : A) . e)\ a \to e[a/x]$$

This is precisely the rule of $\beta$-reduction, by which an actual parameter is substituted for the formal parameter.

Two notes on notation:

• The notation we have given for functions is complete, in that it carries the type of the hypothesis (or domain); it is unwieldy, however. In most cases we shall indicate the type by a subscript, thus:

$$\lambda x_A . e$$

and in situations where there is no danger of ambiguity, we shall simply write

$$\lambda x . e$$

• As is traditional, we shall assume that function application is left associative and that `$\Rightarrow$' is right associative, meaning that

$$f\ g\ x$$

abbreviates $(f\ g)\ x$ and that

$$A \Rightarrow B \Rightarrow C$$

abbreviates $A \Rightarrow (B \Rightarrow C)$.

What type operation does $\vee$ correspond to? Again, we should re-examine the rules for the operator:

Formation Rule for $\vee$

$$\frac{A\ \text{is a type} \qquad B\ \text{is a type}}{(A \vee B)\ \text{is a type}}\ (\vee F)$$

Introduction Rules for $\vee$

$$\frac{q : A}{inl\ q : (A \vee B)}\ (\vee I_1) \qquad \frac{r : B}{inr\ r : (A \vee B)}\ (\vee I_2)$$

Given a member $q$ of $A$ we have a corresponding member of $A \vee B$, namely $inl\ q$. Similarly, if $r$ is in $B$ then $inr\ r$ is in $A \vee B$. This introduction rule tells us that among the members of the type $A \vee B$ are members of either $A$ or $B$, labelled according to their origin. As previously, the elimination rule will ensure that only these objects are members of the type. This kind of type is often known as a disjoint union of the two types $A$ and $B$. Such a construction appears in Pascal in the variant record construction, where a particular record type can contain different kinds of record, according to the value of a tag field. Pascal does not handle this construction very happily, and it can lead to run-time type errors. In handling a variable of variant record type the user is allowed to treat its contents as though they are of one particular variant, rather than having to deal with all the possible variants. As the particular variant that a value will have cannot be predicted at compile time, errors can result.

Is there a type-secure way of dealing with such disjoint unions? Yes, and it is given by the $cases$ operator, specified in the elimination rule

Elimination Rule for $\vee$

$$\frac{p : (A \vee B) \qquad f : (A \Rightarrow C) \qquad g : (B \Rightarrow C)}{cases\ p\ f\ g : C}\ (\vee E)$$

$cases\ p\ f\ g$ is a member of $C$ which is built from a member $p$ of $A \vee B$, and from functions $f : (A \Rightarrow C)$ and $g : (B \Rightarrow C)$.

What is the effect of this case statement? We know that the object $p$ should either be a (tagged) member of $A$, and have the form $inl\ q$, or will be a (tagged) member of $B$, having the form $inr\ r$. The functions $f$ and $g$ are sufficient to give us a member of $C$ in either case; in the first case we get a member of $C$ by applying $f$ to $q$, and in the second by applying $g$ to $r$. This computational information is expressed by:

Computation Rules for $\vee$

$$cases\ (inl\ q)\ f\ g \to f\ q$$

$$cases\ (inr\ r)\ f\ g \to g\ r$$

The last rules we gave were for the type $\bot$, the absurd proposition. We characterised this as a formula without proofs, so under our other view, it is a type without members, the empty type.

Formation Rule for $\bot$

$$\bot\ \text{is a type}\quad (\bot F)$$

Elimination Rule for $\bot$

$$\frac{p : \bot}{abort_A\ p : A}\ (\bot E)$$

This rule says that if we can find a member $p$ of the empty type then our program should abort; we express this by saying that for any $A$ at all, the object $abort_A\ p$ is a member of $A$.

The final rule we saw was the rule of assumption; in order for the assumption that $x$ is a member of $A$ to make sense, $A$ must be a type.

Rule of Assumption

$$\frac{A\ \text{is a type}}{x : A}\ (AS)$$

As we said earlier, in many of our examples we shall omit the derivation of `$A$ is a type', assuming it has already been performed. Nonetheless, the system does not make sense without this condition.

That completes our second reading of the rules, and shows that they can equally well be read as

• rules for the types and objects of a typed functional programming system and as

• rules for the propositions and proofs of a logic.

We shall explore the correspondence further in the coming sections, seeing some of the ramifications of the correspondence in propositional logic, and also how extensions to both the logic and the functional language have their analogues. Finally we will explore the consequences of this correspondence for programming methodology. Note also that we have not yet introduced any dependent types; we do this with the identity or $I$ types of section 4.10.
4.5. SOME EXAMPLES 83

Exer ises
4.5. Given a fun tion of type A ) (B ) C ) how would you de ne a
fun tion of type (A ^ B ) ) C from it? How would you do the reverse?
4.6. Show that from obje ts x : A and y :(B _ C ) you an derive an obje t
of type (A ^ B ) _ (A ^ C ).
4.7. Show how to de ne a fun tion of type
(A ^ B ) ) (C ^ D)
from fun tions f : A ) C and g : B ) D.

4.5 Some examples

In this section we look at a number of examples of derivations within type
theory. We can see how these form both proofs of propositions and objects
of particular type, depending on our particular point of view. We
assume throughout this section that we have already derived the various
type hypotheses, A is a type and so forth.
4.5.1 The identity function; A implies itself

One of the simplest functions we know is the identity function, λx_A . x.
How does it appear in our system?

Assuming x : A allows us to deduce that x : A. Using the rule for ⇒
introduction we have that

         [x : A]
    ------------------ (⇒I)
    λx_A . x : (A ⇒ A)

giving us that the identity function has type A ⇒ A if its parameter has
type A. At the same time we have shown that the identity function is a
proof of the implication A ⇒ A.
4.5.2 The transitivity of implication; function composition

Here we show that given A ⇒ B and B ⇒ C we can deduce that A ⇒ C,
in other words that implication is transitive. We first examined this as an
exercise in chapter 1; here we build an explicit proof object. We assume
that

    a : (A ⇒ B)    b : (B ⇒ C)

and we make a third assumption, x : A, which will be discharged during the
proof.

    x : A    a : (A ⇒ B)
    -------------------- (⇒E)
         (a x) : B          b : (B ⇒ C)
    ----------------------------------- (⇒E)
              (b (a x)) : C

This gives an element of C, depending upon the element x of A. We now
abstract over this to give

    [x : A]^1    a : (A ⇒ B)
    ------------------------ (⇒E)
         (a x) : B              b : (B ⇒ C)
    --------------------------------------- (⇒E)
                (b (a x)) : C
    --------------------------------------- (⇒I)^1
         λx_A . (b (a x)) : (A ⇒ C)

We have on the last line a derivation of a function of type A ⇒ C, as was
required.

The function derived here is the composition of the functions b and a.
If we abstract over these, we form the composition function

    λa_(A⇒B) . λb_(B⇒C) . λx_A . (b (a x))

which has type

    (A ⇒ B) ⇒ (B ⇒ C) ⇒ (A ⇒ C)

Note that we have assumed that the `⇒' is right-associative in writing the
type above.

A standard result in logic is

    (A ⇒ B) ⇒ (¬B ⇒ ¬A)

Recall that we defined ¬A to be A ⇒ ⊥, so expanding the definitions we
have

    (A ⇒ B) ⇒ ((B ⇒ ⊥) ⇒ (A ⇒ ⊥))

It is precisely the composition operator which gives this proof.
4.5.3 Different proofs...

In general, types have more than one element and a proposition can be
proved in more than one way. Taking a simple example,

    λx_(A∧A) . x : ((A ∧ A) ⇒ (A ∧ A))

as we have seen above. Also,

    [x : (A ∧ A)]^1          [x : (A ∧ A)]^1
    --------------- (∧E2)    --------------- (∧E1)
       snd x : A                fst x : A
    ----------------------------------------- (∧I)
            (snd x, fst x) : (A ∧ A)
    ----------------------------------------------- (⇒I)^1
    λx_(A∧A) . (snd x, fst x) : ((A ∧ A) ⇒ (A ∧ A))

This proof is not the same as the earlier one: it swaps the two halves of
the proof of A ∧ A about, rather than leaving them alone as is done by the
identity function.
4.5.4 ...and different derivations

Note also that different derivations can give rise to the same proof object,
if we apply the computation rules to the derived object. If we name the
composition function

    comp ≡_df λf_((A∧A)⇒(A∧A)) . λg_((A∧A)⇒(A∧A)) . λx_(A∧A) . (g (f x))

and the swap function

    swap ≡_df λx_(A∧A) . (snd x, fst x)

then it is not hard to find a derivation of

    comp swap swap (a1, a2) : (A ∧ A)

if we assume that a1 : A and a2 : A. Since the expression is an iterated
application of functions, the derivation will consist of a series of implication
eliminations. (Note that we have used our assumption that function
application is left associative here.)

Applying the computation rules we have

    comp swap swap (a1, a2)
    ≡_df (λf . λg . λx . (g (f x))) swap swap (a1, a2)
    → (λg . λx . (g (swap x))) swap (a1, a2)          by (C⇒)
    → (λx . (swap (swap x))) (a1, a2)                 by (C⇒)
    → (swap (swap (a1, a2)))                          by (C⇒)
    ≡_df (swap ((λx . (snd x, fst x)) (a1, a2)))
    → swap (snd (a1, a2), fst (a1, a2))               by (C⇒)
    → swap (a2, a1)                                   by (C∧)
    ≡_df λx . (snd x, fst x) (a2, a1)
    → (snd (a2, a1), fst (a2, a1))                    by (C⇒)
    → (a1, a2)                                        by (C∧)

There is a much simpler derivation of (a1, a2) : (A ∧ A) from the two
assumptions; we simply use (∧I). We shall return to the discussion of which
proof objects are to be considered to be the same in section 4.11 below.
4.5.5 Conjunction and disjunction

Let us consider one relationship between conjunction and disjunction now.
We first look at a proof of an earlier exercise from page 15.

    ((A ∨ B) ⇒ C) ⇒ ((A ⇒ C) ∧ (B ⇒ C))

First we show how to prove A ⇒ C from (A ∨ B) ⇒ C:

        [x : A]^1
    ---------------- (∨I1)
    inl x : A ∨ B              y : (A ∨ B) ⇒ C
    ------------------------------------------ (⇒E)
                (y (inl x)) : C
    ------------------------------------------ (⇒I)^1
           λx_A . (y (inl x)) : A ⇒ C

Similarly we prove B ⇒ C from (A ∨ B) ⇒ C:

    y : (A ∨ B) ⇒ C
           ⋮
    λw_B . (y (inr w)) : B ⇒ C

Finally we can put the proofs together,

              ⋮                          ⋮
    ---------------------------------------------------------------- (∧I)
    (λx_A . (y (inl x)), λw_B . (y (inr w))) : ((A ⇒ C) ∧ (B ⇒ C))

and if lastly we abstract over the variable y we obtain an object of the
requisite type.

Now we look at a converse to the last result, constructing a proof of

    (A ∨ B) ⇒ C

on the basis of the assumption

    p : (A ⇒ C) ∧ (B ⇒ C)

The proof is simpler than the version we saw in the first chapter of the
book, on page 13. This is because in the form we saw there we would have
to make the cases operator into a binding operator; here we choose to
perform the bindings (of the hypothetical proofs of A and B) prior to the
invocation of the cases operator.

    z : (A ∨ B)    (fst p) : (A ⇒ C)    (snd p) : (B ⇒ C)
    ------------------------------------------------------ (∨E)
                cases z (fst p) (snd p) : C

This is a straightforward application of the rule of disjunction elimination,
which we follow with two abstractions, first over z and then over p.

                       ⋮
    ---------------------------------------------- (⇒I)
    λz . (cases z (fst p) (snd p)) : (A ∨ B) ⇒ C
    ---------------------------------------------- (⇒I)
    λp . λz . (cases z (fst p) (snd p)) :
        ((A ⇒ C) ∧ (B ⇒ C)) ⇒ ((A ∨ B) ⇒ C)

This completes the required derivation.

We defined the negation operator in terms of implication and absurdity.
If we replace the C above with ⊥ we can see that we have proved the
equivalence of the two propositions

    ¬(A ∨ B)        (¬A ∧ ¬B)

which is one of the de Morgan laws of classical Boolean algebra. The other
states the equivalence of

    ¬(A ∧ B)        (¬A ∨ ¬B)

Only one half of this is valid constructively, the implication

    (¬A ∨ ¬B) ⇒ ¬(A ∧ B)

We can see why it is implausible that the converse is valid constructively.
We would need to extract a proof of (¬A ∨ ¬B) from a proof of ¬(A ∧ B).
To find a proof of a disjunction we need to be able to prove one of the
disjuncts, but there is no way of seeing which of ¬A and ¬B is valid given
an arbitrary proof of ¬(A ∧ B).
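As an added illustration, and not code from the book, here is the propositional fragment of the reading just given, written as a Rust program: ⊥ is an enum with no constructors, A ∨ B is a two-variant enum, A ∧ B is a pair and A ⇒ B is a function. It covers comp and swap from sections 4.5.2 and 4.5.4, the cases and abort operators, and the two de Morgan results above; the names Void, Either, Not, split, join, contrapositive and de_morgan are my own.

```rust
// Added example: the propositions-as-types reading of the rules above.
// A ∧ B is the pair (A, B), A ∨ B is Either<A, B>, A ⇒ B is a function
// from A to B, ⊥ is the empty type Void, and ¬A is A ⇒ ⊥.

/// The empty type ⊥: an enum with no constructors has no values at all.
pub enum Void {}

/// abort_A p : A  (rule ⊥E). A match with no arms is exhaustive here, so
/// the function can promise any type A without ever producing a value.
pub fn abort<A>(p: Void) -> A {
    match p {}
}

/// The disjoint union A ∨ B, with the tags inl and inr of rule ∨I.
pub enum Either<A, B> {
    Inl(A),
    Inr(B),
}

/// cases p f g : C  (rule ∨E). The compiler insists that both variants are
/// handled, which is exactly what Pascal's variant records failed to do.
/// The two arms are the computation rules
///   cases (inl q) f g → f q   and   cases (inr r) f g → g r.
pub fn cases<A, B, C>(p: Either<A, B>, f: impl FnOnce(A) -> C, g: impl FnOnce(B) -> C) -> C {
    match p {
        Either::Inl(q) => f(q),
        Either::Inr(r) => g(r),
    }
}

/// ¬A, i.e. A ⇒ ⊥, boxed so that negations can sit inside pairs and sums.
pub type Not<A> = Box<dyn Fn(A) -> Void>;

/// comp: the proof of (A ⇒ B) ⇒ (B ⇒ C) ⇒ (A ⇒ C) from section 4.5.2,
/// i.e. function composition λa.λb.λx.(b (a x)).
pub fn comp<A, B, C>(a: impl Fn(A) -> B, b: impl Fn(B) -> C) -> impl Fn(A) -> C {
    move |x| b(a(x))
}

/// swap from section 4.5.4: λx.(snd x, fst x), a second proof of
/// (A ∧ A) ⇒ (A ∧ A). comp swap swap reduces to the identity on pairs.
pub fn swap<A>(x: (A, A)) -> (A, A) {
    (x.1, x.0)
}

/// (A ⇒ B) ⇒ (¬B ⇒ ¬A): comp with C instantiated to ⊥.
pub fn contrapositive<A: 'static, B: 'static>(f: impl Fn(A) -> B + 'static, not_b: Not<B>) -> Not<A> {
    Box::new(move |x: A| not_b(f(x)))
}

/// ((A ∨ B) ⇒ C) ⇒ ((A ⇒ C) ∧ (B ⇒ C)): the pair
/// (λx.(y (inl x)), λw.(y (inr w))). The proof y is used by both halves,
/// hence the Clone bound.
pub fn split<A, B, C, Y>(y: Y) -> (impl Fn(A) -> C, impl Fn(B) -> C)
where
    Y: Fn(Either<A, B>) -> C + Clone,
{
    let y2 = y.clone();
    (move |x| y(Either::Inl(x)), move |w| y2(Either::Inr(w)))
}

/// ((A ⇒ C) ∧ (B ⇒ C)) ⇒ ((A ∨ B) ⇒ C): λp.λz.(cases z (fst p) (snd p)).
pub fn join<A, B, C, F, G>(p: (F, G)) -> impl Fn(Either<A, B>) -> C
where
    F: Fn(A) -> C,
    G: Fn(B) -> C,
{
    move |z| cases(z, &p.0, &p.1)
}

/// With C = ⊥, split and join are the two halves of the de Morgan law
/// ¬(A ∨ B) ⇔ (¬A ∧ ¬B). Of the other law only this direction is
/// constructive: (¬A ∨ ¬B) ⇒ ¬(A ∧ B). Given the pair we look at the tag
/// to decide which component to refute; the converse would have to invent
/// a tag from an arbitrary proof of ¬(A ∧ B), and no such function exists.
pub fn de_morgan<A: 'static, B: 'static>(p: Either<Not<A>, Not<B>>) -> Not<(A, B)> {
    Box::new(move |(a, b): (A, B)| match &p {
        Either::Inl(not_a) => not_a(a),
        Either::Inr(not_b) => not_b(b),
    })
}
```

The functions involving Void cannot be called at run time, because no value of type Void can be built; for them, as for the ⊥ rules, the type checker's acceptance of the definition is the whole point.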
Exercises

4.8. Show that the following formulas are valid, by giving a proof object
for each of them.

    A ⇒ ¬¬A
    (B ∨ C) ⇒ ¬(¬B ∧ ¬C)
    (A ⇒ B) ⇒ ((A ⇒ C) ⇒ (A ⇒ (B ∧ C)))

4.9. Show that the following formulas are equivalent, by proving each
assuming the other. Can you think of what is going on in terms of the
functions involved here?

    (A ∧ B) ⇒ C        A ⇒ (B ⇒ C)

4.10. Show that the de Morgan formula

    (¬A ∨ ¬B) ⇒ ¬(A ∧ B)

is valid by giving an object of type

    ((A ⇒ C) ∨ (B ⇒ C)) ⇒ ((A ∧ B) ⇒ C)

4.11. Giving appropriate types to the variables a, b and c, give derivations
of the following judgements.

    λa . λb . a : A ⇒ (B ⇒ A)

and

    λa . λb . λc . (a c)(b c) : (A ⇒ (B ⇒ C)) ⇒ ((A ⇒ B) ⇒ (A ⇒ C))
4.6 Quantifiers

In this section we introduce the rules which govern the behaviour of the
universal and existential quantifiers in constructive type theory. The
differences between classical and constructive logic are most apparent when
investigating the meaning of `∃', the existential quantifier. To assert

    ∃x . P

constructively, we need to have some object x so that

    P

is valid. Because our language is typed, we shall only concern ourselves
with typed or bounded quantifications, of the form

    (∃x : A) . P

where A is a type, the quantifiers being labelled with their domain of
discourse. A proof of an existential statement (∃x : A) . P consists of two items.
These are the witness of the property, w : A, together with a proof that
P holds of the witness, i.e. that P[w/x] holds. Recall that the notation
P[w/x] was introduced in chapter 1 for the substitution of the term w for
the variable x in the formula P.

How do we explain the universal quantifier? A proof of

    (∀x : A) . P

should express the fact that P[a/x] is valid for every a in A. A proof will
therefore be a transformation or function which takes us from any a in A
to a proof of P[a/x].
As for the propositional connectives, our rules are of four kinds. We
start by giving the rules for the universal quantifier.

Formation Rule for ∀

                      [x : A]
                         ⋮
    A is a formula    P is a formula
    -------------------------------- (∀F)
      (∀x : A) . P is a formula

This shows a rather more subtle formation rule than we have seen so
far. There are two hypotheses

  • The first is that A is a formula, or type.
  • The second, that P is a formula, on the assumption that x is a variable
    of type A.

This is an analogue, at the level of types, of the rule of λ-abstraction, in
which the typing of the expression forming the body of the function depends
upon the hypothesis which types the bound variable. We have not yet seen
how to build type expressions (or propositions) which depend upon free
variables; these result from our introducing the atomic propositions of the
system, including equality in section 4.10, and through reflection principles
which are consequences of the introduction of universes (see section 5.9).

If we can prove P by a proof p which may depend upon the assumption
of the existence of a variable, x say, of type A, then we are entitled to
assert the universal generalisation, abstracting over the variable x, as long
as x is not free in any other of the assumptions upon which the proof
depends. This is just the condition of being arbitrary which we discussed
in our introduction to logic earlier. Note also that formally any remaining
occurrences of x in the assumptions would be a `dangling reference' to an
object outside its scope, as it were.
Introduction Rule for ∀

If in a proof p of P no assumptions other than x : A contain x free, then
we can infer the universal generalisation of P by means of the lambda
abstraction of p over x. This abstraction discharges the assumption x.

           [x : A]
              ⋮
             p : P
    --------------------------- (∀I)
    (λx : A) . p : (∀x : A) . P
As is to be expected, when we eliminate a universal quantifier, we go to
a particular instance,

Elimination Rule for ∀

    a : A    f : (∀x : A) . P
    ------------------------- (∀E)
          f a : P[a/x]

Now, we have seen that our two rules respectively form parametric
proofs of universal generalisations and apply such proofs to individual
elements of A. The result of such an application should be the substitution
of a for x in the parametric proof:

Computation Rule for ∀

    ((λx : A) . p) a → p[a/x]

It is interesting to see that we have naturally thought of some formulas
as formulas, P being an example, and others, such as A, as types. Thus
the dual interpretations can be mixed. Note also that the rules are similar
to those for the connective `⇒'. Indeed if the formula P is replaced by B
which does not involve the variable x, we have exactly the rules as stated
on page 74, because we shall not need to use the assumption that x : A
in the proof of `B is a formula' if B has already been established to be a
formula.

As a type, we also have a generalisation of the function space. This
is one in which the type of the result, P[a/x], depends upon the value of
the argument a in A. This is not permitted in almost all the type systems
of existing programming languages, because apparently it would break the
static nature of the type system which allows type checking to proceed
separately from program execution. In this case, the situation is different;
even though the static and dynamic are mixed, we avoid the risk of
non-termination. We will say more about applications of the dependent function
space, as the universally quantified type has become known, in section 6.3
below.

Another important use of the dependent product type is in representing
forms of type polymorphism. This arises when we have types whose members
are themselves types, such types often being known as universes.
Now we turn to the existential quantifier. The formation rule is the
exact analogue of the rule for the universal quantifier.

Formation Rule for ∃

                      [x : A]
                         ⋮
    A is a formula    P is a formula
    -------------------------------- (∃F)
      (∃x : A) . P is a formula
We can introduce an existential quantifier when we have an object with
the appropriate property:

Introduction Rule for ∃

    a : A    p : P[a/x]
    --------------------- (∃I)
    (a, p) : (∃x : A) . P

The precise formulation of the rule of existential elimination is
complicated. The most straightforward version from the point of view of the type
(∃x : A) . P is to view it as a type of pairs. The obvious elimination rules
are those which project a pair onto its first and second components.

Elimination Rules for ∃ (Projections)

    p : (∃x : A) . P             p : (∃x : A) . P
    ---------------- (∃E1')    -------------------- (∃E2')
       Fst p : A                Snd p : P[Fst p/x]

This rule is unusual in mentioning a proof, in this case p, on the right hand
side of a `colon' judgement. We look at variants of the rule below in section
5.3.

The computation rules for Fst and Snd generalise the rules for
conjunction.

Computation Rules for ∃

    Fst (p, q) → p        Snd (p, q) → q

If the formula P does not contain the variable x free, then the rules outlined
here can be seen to be the same (modulo trivial syntactic changes) as those
for the conjunction. If we wish, we can read A ∧ B as a syntactic shorthand
for (∃x : A) . B in the case that B does not depend on x.

How do we interpret (∃x : A) . P as a type? There are a number of
readings, which we shall explore at some length below. These include

  • A generalisation of the binary product type, in which the type of the
    second component P[a/x] depends upon the value of the first, a.
  • An (infinitary) sum type. We can think of the type as the union of
    the types P[a/x] for all a in A, in which objects in the type P[a/x]
    are paired with the `tag' a indicating from which of the summands
    the element comes. This interpretation gives rise to the nomenclature
    `dependent sum type' which is used for the type.
  • A subset of the type A, consisting of those elements a which have the
    property P. In keeping with the constructivist philosophy, we pair
    each object a with the evidence P[a/x] that it belongs to the subset.
  • A type of modules, each of which provides an implementation (of type
    A) of the specification P, together with evidence that the
    implementation meets the specification.

We will look at these interpretations further below, in section 6.3.

We have yet to see how to form formulas with free variables; we will
have to wait until we consider the equality type and universes below. Before
we do that we look at some example proofs using the quantifiers and then
investigate `base' types such as booleans and natural numbers.
4.6.1 Some example proofs

In this section we present three examples of the use of the quantifier rules.
First we examine a standard result from the logic of the universal
quantifier. Let us assume that

    r : (∀x : A) . (B ⇒ C)

and that

    p : (∀x : A) . B

(Recall that in general the variable x will be free in B and C.) We aim to
prove the formula (∀x : A) . C, that is to construct an element of this type.
First, instantiating both hypotheses using the assumption x : A we have

    x : A    r : (∀x : A) . (B ⇒ C)
    ------------------------------- (∀E)
             r x : B ⇒ C

and

    x : A    p : (∀x : A) . B
    ------------------------- (∀E)
             p x : B

Putting the two together, eliminating the implication and eliminating the
assumption x : A by a ∀ introduction, we have

    [x : A]^1                        [x : A]^1
    r : (∀x : A) . (B ⇒ C)           p : (∀x : A) . B
             ⋮                              ⋮
         r x : B ⇒ C                     p x : B
    ---------------------------------------------- (⇒E)
                   (r x)(p x) : C
    ---------------------------------------------- (∀I)^1
       (λx : A) . ((r x)(p x)) : (∀x : A) . C
In the proof above the assumptions of the two hypothetical proofs are listed
one above the other, rather than next to each other; this makes the
representation of the derivation easier to read. If we now abstract over both the
hypotheses (and omit the typings on the variables) we have

    λr . λp . λx . (r x)(p x)

which is of type

    (∀x : A) . (B ⇒ C) ⇒ (∀x : A) . B ⇒ (∀x : A) . C

if we choose to omit the type annotations on the variables. This function is
familiar to functional programmers as the S combinator, as well as proving
the formula

    (A ⇒ (B ⇒ C)) ⇒ (A ⇒ B) ⇒ (A ⇒ C)

in the case that B and C do not involve the variable x.

Next we prove the equivalence between the following pair of formulae

    ((∃x : X) . P) ⇒ Q        (∀x : X) . (P ⇒ Q)

in the case that x is not free in Q. (It is not valid in general; think of the
case when P and Q are the same.) Reading the rule (∀I) backwards, we
see that to find an object of type (∀x : X) . (P ⇒ Q) it is sufficient to find
an object in (P ⇒ Q) assuming we have an x in X. To find an object of
type (P ⇒ Q) it is enough to find an object of type Q assuming an object
of type P (as well as the object of type X we assumed earlier). Building
the proof tree backwards we have

                  ?? : Q
    ------------------------------------- (⇒I)
          λp_P . ?? : (P ⇒ Q)
    ------------------------------------- (∀I)
    λx_X . λp_P . ?? : (∀x : X) . (P ⇒ Q)

There are constraints on the form of proof of ?? here. We can only introduce
a universal quantifier or an implication abstracting over the variable y, say,
in the case that y is free only in the assumption discharged. How are we to
infer Q? Proceeding from the assumptions we have

    x : X    p : P
    --------------------- (∃I)
    (x, p) : (∃x : X) . P

and then by modus ponens, we have

    x : X    p : P
    --------------------- (∃I)
    (x, p) : (∃x : X) . P        e : ((∃x : X) . P) ⇒ Q
    ------------------------------------------------- (⇒E)
                     e (x, p) : Q
Putting the parts together, and replacing the unknown terms ?? with actual
values, we have

    [x : X]^2    [p : P]^1
    --------------------- (∃I)
    (x, p) : (∃x : X) . P        e : ((∃x : X) . P) ⇒ Q
    ------------------------------------------------- (⇒E)
                     e (x, p) : Q
    ------------------------------------------------- (⇒I)^1
              λp_P . (e (x, p)) : (P ⇒ Q)
    ------------------------------------------------- (∀I)^2
      λx_X . λp_P . (e (x, p)) : (∀x : X) . (P ⇒ Q)

The first abstraction, over p, is legitimate as p is free in none of the other
assumptions, and the second is OK as there is only one active assumption
at this stage. Note, however, that we cannot discharge the assumptions
in the opposite order, since x will in general be free in P and thus in the
assumption p : P.

How does the converse proof proceed?

To find a proof of an implication, we proceed with an assumption of the
antecedent formula, in this case p : (∃x : X) . P, and try to find ?? : Q.
Proceeding forward from the assumption p, we have

    p : (∃x : X) . P
    -------------------- (∃E2')
    Snd p : P[Fst p/x]

Using the other assumption, which is e : (∀x : X) . (P ⇒ Q), we can match
the hypothesis of this implication with P[Fst p/x] by universal elimination

    p : (∃x : X) . P
    ---------------- (∃E1')
       Fst p : X               e : (∀x : X) . (P ⇒ Q)
    ----------------------------------------------- (∀E)
           (e (Fst p)) : P[Fst p/x] ⇒ Q

Note that in the conclusion we have Q and not Q[Fst p/x], since we have
assumed that x is not free in Q, and we noted that Q[t/x] ≡ Q (for any
t) in such a case. We now apply implication elimination, and complete as
above.

    [p : (∃x : X) . P]^1     [p : (∃x : X) . P]^1    e : (∀x : X) . (P ⇒ Q)
            ⋮                                  ⋮
    Snd p : P[Fst p/x]           (e (Fst p)) : P[Fst p/x] ⇒ Q
    ---------------------------------------------------------- (⇒E)
                    (e (Fst p))(Snd p) : Q
    ---------------------------------------------------------- (⇒I)^1
        λp . ((e (Fst p))(Snd p)) : ((∃x : X) . P) ⇒ Q

Is there a functional interpretation of the equivalence we have seen above?
If we consider the case in which P does not contain x free, we have the
types

    (X ∧ P) ⇒ Q        X ⇒ (P ⇒ Q)
These two function spaces give two different representations of binary
functions. In the first, the function takes a pair of arguments, of type (X ∧ P),
to a result of type Q. The other representation, which is often called the
curried form in honour of Haskell B. Curry, the λ-calculus pioneer, makes
the function higher order. By this we mean that on being passed an
argument of type X, the function returns a function of type (P ⇒ Q) which
expects an argument of type P, the second half of the pair. (We often call
the first representation the uncurried form, in contrast to the latter.)

The pair of functions we derived above can be seen to map from one
function representation to another

    λx_X . λp_P . (e (x, p))

takes separately the two arguments x and p, forms a pair from them and
applies the uncurried function e to the result. Conversely,

    λp . ((e (Fst p))(Snd p))

takes a pair p as argument, splits the pair into its components Fst p
and Snd p, and applies the curried function e to the two halves one at a
time.

The functions perform a similar function in the general case that P
depends upon x, and we deal with dependent sum and product types.
Exercises

4.12. Give a derivation of a proof object of the formula

    (∃x : X) . ¬P ⇒ ¬(∀x : X) . P

Would you expect the reverse implication to be derivable?

4.13. Show that the formulas (∀x : X) . ¬P and ¬(∃x : X) . P are equivalent
by deriving two functions mapping each into the other.

4.14. Derive an object of type

    (∀x : X) . (A ⇒ B) ⇒ ((∃x : X) . A ⇒ (∃x : X) . B)

What is this formula in the case that A and B are independent of the
variable x?

4.15. Derive an object of type

    (∃y : Y) . (∀x : X) . P ⇒ (∀x : X) . (∃y : Y) . P

where in general P will contain x and y free. Under what circumstances
can you derive an object of the converse type?

    (∀x : X) . (∃y : Y) . P ⇒ (∃y : Y) . (∀x : X) . P

Can you give a simpler reading of the formula in cases when P does not
contain both x and y free?
4.7 Base Types

The material in the chapter so far has had different emphases. The
propositional part of the system can be viewed as both a logic and a typed
λ-calculus; the quantifiers are logical constructs, but have a natural
programming interpretation. Now we introduce some base types, whose origins
lie in programming, but we shall see that they have a logical interpretation
too.

In this and subsequent sections we introduce a number of familiar types:
the booleans as an example of a finite type, finite types in general, with the
special case of the one element type, the natural numbers, and finally trees
as an example of an algebraic type.
4.7.1 Booleans

The system we are building here is one in which propositions, or formulas,
are identified with types, and vice versa. Amongst these propositions are
the propositions ⊥, or "false", ⊤, or "true" (which we introduce below),
and combinations of the propositions using logical connectives such as ∧
and ∨. Each of these propositions is a type: the collection of proofs of that
proposition.

Consider the case in which we want to return one of two results
conditional on some property. We need, informally, to be able to ask the question
and receive the answer Yes or the answer No, so we need a particular type
which contains these two values. We call this the type bool of boolean
values and for the sake of tradition call the two values True and False. The
type bool is simply a finite type containing two values. The rôle of the type
is computational: we can build the expression if ... then ... else ...
(where the condition is a boolean expression) in our language, allowing case
switches in computations. The value of if b then e else f is e if b evaluates
to True, otherwise it is f.

To recap, True and False are values of the type bool, whilst ⊥ and ⊤
are the false and true propositions. Readers may be familiar with similar
distinctions between boolean values and propositions from program
verification. Languages such as Pascal contain a boolean type; if we reason
about these programs we use an external logical language to construct
statements about the language, we are not constructing expressions of type bool
which are expressions of the language.

We should also note that these definitions form a template for the
definition of any type with a finite set of members.
Formation Rule for bool

    bool is a type    (bool F)

Introduction Rules for bool

    True : bool    (bool I1)        False : bool    (bool I2)

The two rules above require no explanation. We eliminate a boolean
value by a two-way case switch, conventionally called a conditional
expression. In the case of defining a finite type with n elements, we shall introduce
an n-way switch instead.

Elimination Rule for bool

    tr : bool    c : C[True/x]    d : C[False/x]
    -------------------------------------------- (bool E)
          if tr then c else d : C[tr/x]

This is stronger than the conventional case switch, as the type of the result
can depend upon the value of the boolean. This of course depends upon
our being able to define types C which contain free variables, which we can
think of as families of types; we have not yet done so, but will do in due
course. For the present, we can just consider the simplified form:

    tr : bool    c : C    d : C
    --------------------------- (bool E)
      if tr then c else d : C

We embody the case switching mechanism in the following rules. The `then'
or `else' case is selected, according to the value of the boolean:

Computation Rules for bool

    if True then c else d → c
    if False then c else d → d

Consider the example

    if tr then False else True

This has the type bool if we assume that tr : bool. Now, by ⇒ introduction,

    λtr_bool . (if tr then False else True) : (bool ⇒ bool)

and this is the (classical) negation operator on the boolean type. Similarly,

    λx_(bool∧bool) . (if (fst x) then (snd x) else False)
which has type

    (bool ∧ bool) ⇒ bool

is the (classical) conjunction operation on bool. We leave it as an exercise
for the reader to identify the other boolean operations.

Again, we should note the distinction between these functions over the
boolean type, which represent the classical boolean operations, and the
connectives ∧, ∨, etc. which form propositions from other propositions, or
alternatively, which are type constructors forming types from other types.

Exercises

4.16. Define functions which behave as the disjunction (`or') and material
implication (`implies') operations over the boolean type.

4.17. Define the function

    equiv : bool ⇒ bool ⇒ bool

so that equiv b1 b2 is True if and only if b1 and b2 are equal. This is an
equality function on the boolean type and also represents the `if and only
if' connective.
4.7.2 Finite types

For n a natural number, the type N_n has n elements,

    1_n, 2_n, ..., n_n

the subscript showing the type from which the element comes. We have
already seen a two element type, where we identify 1_2 with True and 2_2
with False.

The formation and introduction rules are

Formation Rule for N_n

    N_n is a type    (N_n F)

Introduction Rules for N_n

    1_n : N_n    (N_n I)    ...    n_n : N_n    (N_n I)

We eliminate an element of an n element type by an n-way case switch.

Elimination Rule for N_n

    e : N_n    c_1 : C[1_n/x]    ...    c_n : C[n_n/x]
    ---------------------------------------------- (N_n E)
          cases_n e c_1 ... c_n : C[e/x]
and the computation rules choose the appropriate case from the choice.

Computation Rules for N_n

    cases_n 1_n c_1 ... c_n → c_1
    cases_n 2_n c_1 ... c_n → c_2
    ...
    cases_n n_n c_1 ... c_n → c_n

Exercises

4.18. Explain how to define the equality function

    equal_n : N_n ⇒ N_n ⇒ bool

4.19. The successor and predecessor of m_n are (m + 1)_n and (m - 1)_n,
except for the predecessor of 0_n, which is n_n, and the successor of n_n, which
is 0_n. Give formal definitions of the functions succ_n and pred_n of type
N_n ⇒ N_n and prove that for all 0_n, ..., n_n

    succ (pred m_n) →→ m_n
4.7.3 ⊤ and ⊥

If we have a one element type, the rules may be specialised. We express
the results in a slightly different syntax, replacing N_1 by ⊤, 1_1 by Triv and
cases_1 by case. We obtain:

Formation Rule for ⊤

    ⊤ is a type    (⊤F)

Introduction Rule for ⊤

    Triv : ⊤    (⊤I)

Elimination Rule for ⊤

    x : ⊤    c : C(Triv)
    -------------------- (⊤E)
       case x c : C(x)

Computation Rule for ⊤

    case x c → c
The one element type, ⊤, has a logical interpretation. Just as the false
proposition `falsity' (which should not be confused with the object False
of type bool) was represented by the empty type, so the true proposition is
represented by the one element type. Why one element? The intuition is
that the proposition is valid for obvious reasons, so there is only one trivial
proof Triv of it.

The rules can also be interpreted in the case that n = 0, yielding the
rules for ⊥.

Exercise

4.20. Show that in the case n = 0 the rules for N_n reduce to those for ⊥.
4.8 The natural numbers

We have already seen the natural numbers as a base type of our λ-calculus
in chapter 2.

Formation Rule for N

    N is a type    (NF)

Natural numbers are either zero or a successor.

Introduction Rules for N

                           n : N
    -----  (NI1)      ------------ (NI2)
    0 : N             (succ n) : N

We eliminate natural numbers by means of definition by primitive
recursion. Modifying the rule we saw earlier, we have

Elimination Rule for N (Special Case)

    n : N    c : C    f : (N ⇒ C ⇒ C)
    --------------------------------- (NE)
            prim n c f : C

If we discharge the assumption that n : N, then

    c : C    f : (N ⇒ C ⇒ C)
    -------------------------------
    λn_N . (prim n c f) : (N ⇒ C)

which is the familiar rule for primitive recursion which we saw in section
2.9. Why is the rule we have presented above a special case? To answer
this we turn to our logical view of the type.

The proof principle which goes along with primitive recursion is
("mathematical") induction. Suppose that we wanted to show that, for example,
all the factorials of natural numbers are strictly positive. This assertion
takes the form

    (∀n : N)(fac n > 0) ≡_df (∀n : N)C(n)

What do we have to do to prove this? First of all we show that C(0) is
valid, that is we supply some c with

    c : C(0)

and then we show that C(n + 1) is valid, assuming that C(n) is. In this
case we supply some

    f' : "C(n) ⇒ C(n + 1)"

In fact, the f' can be slightly more general,

    f : "N ⇒ C(n) ⇒ C(n + 1)"

Note that we have enclosed the types in inverted commas; they are not
part of our system. We can make them so, using the dependent type
constructor:

    f : (∀n : N)(C(n) ⇒ C(succ n))

Given these we produce the proof:

Elimination Rule for N (General Case)

    n : N    c : C[0/x]    f : (∀n : N) . (C[n/x] ⇒ C[succ n/x])
    ------------------------------------------------------------ (NE)
                        prim n c f : C[n/x]

Again, if we discharge the assumption n : N, we have

    c : C[0/x]    f : (∀n : N) . (C[n/x] ⇒ C[succ n/x])
    --------------------------------------------------
       λn_N . (prim n c f) : (∀n : N) . C[n/x]

which is the familiar proof of the universal statement.

The computation rule is exactly the same in the two cases. Thinking
of a computation of a recursive function we inspect the argument and then
unfold the definition according to whether we are at the base case or not.

Computation Rules for N

    prim 0 c f → c
    prim (succ n) c f → f n (prim n c f)

What do the rules mean in the logical case? They tell us how to build a
proof for any particular natural number that we might supply. This is, of
ourse, how we justify the rule in the rst pla e. Using C (k) for C [k=x℄, we
argue that C (2) is valid thus: \C (0) is valid outright, and by the indu tive
ase for n = 0, C (0) ) C (1) and applying modus ponens, we have C (1). In
a similar way, we have C (1) ) C (2), and so we an get C (2)."
This rule is one of the high points of type theory. Intuitively, we can
appreciate that there is an affinity between the rules for primitive recursion
and mathematical induction. Functions introduced by primitive recursion
have their properties proved by mathematical induction. What is so elegant
here, with our identification of propositions and types, is that they are
exactly the same rule.
Let us consider some examples. The successor function is defined to be
(λx : N)(succ x)
For the purposes of illustration, without recommending this as an efficient
algorithm, we now examine the behaviour of a successor function defined
by primitive recursion:
addone 0 = 1
addone (n + 1) = (addone n) + 1
which is formalised thus:
addone ≡_df λx_N.(prim x (succ 0) f)
where
f ≡_df λn_N.(λy_N.(succ y))
What happens when we apply addone to the formal representative of 2,
that is succ (succ 0)?
((λx : N)(prim x (succ 0) f)) (succ (succ 0))
→ (prim (succ (succ 0)) (succ 0) f)
→ f (succ 0) (prim (succ 0) (succ 0) f)
≡ ((λn : N)(λy : N)(succ y)) (succ 0) (prim (succ 0) (succ 0) f)
→ succ (prim (succ 0) (succ 0) f)
By a similar process we see that
prim (succ 0) (succ 0) f →→ (succ (succ 0))
and so finally we see that
addone (succ (succ 0)) →→ (succ (succ (succ 0)))
where `→→' is generated from → à la definition 2.7. We shall look at the
successor function again when we come to look at equality, and in particular
equality of functions.
Note that to make the definition above readable, we used the device of
naming it addone and giving explicit recursion equations for it. This helps
us to read these definitions, and it is quite possible for an implementation
either to decide whether a particular set of recursion equations constitutes
a definition by primitive recursion, or to provide a "pretty printed" version
of any primitive recursive definition. We shall continue to give these equational
versions of functions defined in this and similar ways. We shall also
use `(n + 1)' instead of `(succ n)' whenever this can cause no confusion.
Primitive recursion is a powerful method of definition. We can define
addition thus:
add m 0 = m
add m (n + 1) = succ (add m n)
so formally we say
add ≡_df λm.λn.prim n m (λp.λq.(succ q))
In a similar way
mult m 0 = 0
mult m (n + 1) = add m (mult m n)
which may be rendered formally thus:
mult ≡_df λm.λn.prim n 0 (λp.λq.(add m q))
There are standard expositions about what can be defined by primitive recursion
over the natural numbers, a good reference being [Cut81]. Among
the functions are: the usual arithmetic operations; bounded search, providing
search within a finite range for an object with a property defined
by a primitive recursive function with boolean values; definition by course-of-values
recursion and so forth. We shall look again at the various forms
of recursion available within the system below; see sections 4.9 and 5.10 as
well as 6.1.
The functions we see above are first order in that their arguments are
numbers. It is well known that there are limits to the expressibility of first
order primitive recursion. Ackermann gave a graphic example of this with
his `fast-growing' function, which is proved to be non (first order) primitive
recursive in [P67]. The system here is more powerful, since arguments can
be higher order, and here we give a version of the Ackermann function. The
two argument version of the function is given by the recursion equations
ack 0 n = n + 1
ack (m + 1) 0 = 1
ack (m + 1) (n + 1) = ack m (ack (m + 1) n)
We can take a higher-order view of this, defining the functions thus:
ack 0 = succ
ack (m + 1) = iter (ack m)
where the function iter, of type
(N ⇒ N) ⇒ (N ⇒ N)
iterates its argument, having the definition
iter f 0 = 1
iter f (n + 1) = f (iter f n)
This function is given by the term
λf_(N⇒N).λn_N.prim n 1 (λp.λq.(f q))
which we shall call iter, and the Ackermann function itself will be given by
λn_N.(prim n succ (λp.λg.(iter g)))
There is a limit to the expressibility of primitive recursion, even at higher orders.
All functions defined by primitive recursion are total, and so there are
intuitively computable functions which are not primitive recursive. Among
these are the functions which code an interpreter for the process of computation
of primitive recursive functions. We return to the issue of expressibility
below.
We are not in a position to give any non-trivial examples of proof by
induction as we still have not defined any predicates which contain free
variables, a situation which we remedy in due course (in section 4.10, in
fact).
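As an added illustration (this is not code from the book, nor from any implementation of the system), here is the recursion operator prim of the (NE) rule written as a Python combinator, with addone, add, mult, iter and the higher-order Ackermann definition of this section built on top of it. It assumes that natural numbers are modelled by Python integers with succ n = n + 1 and that prim is computed by a loop equivalent to its two computation rules; the names iter_ (iter is a Python builtin) and ack_eqs (the two-argument recursion equations, kept for comparison) are mine.

```python
# Added example (not from the book): prim as a Python combinator, with the
# definitions of section 4.8 built on it.  Natural numbers are modelled by
# non-negative ints, so "succ n" is n + 1.

def prim(n, c, f):
    """prim n c f, the recursion operator of the (NE) rule.

    Computation rules:   prim 0 c f        -> c
                         prim (succ n) c f -> f n (prim n c f)
    Evaluated by a loop rather than by repeated rewriting, so that large n
    does not exhaust Python's recursion limit; the value is the same.
    """
    acc = c
    for k in range(n):          # acc holds prim k c f at the start of step k
        acc = f(k, acc)
    return acc

def succ(n):
    return n + 1

# addone =df \x:N . prim x (succ 0) f   where  f = \n:N . \y:N . succ y
def addone(x):
    return prim(x, succ(0), lambda n, y: succ(y))

# add m n = prim n m (\p.\q. succ q)
def add(m, n):
    return prim(n, m, lambda p, q: succ(q))

# mult m n = prim n 0 (\p.\q. add m q)
def mult(m, n):
    return prim(n, 0, lambda p, q: add(m, q))

# iter = \f:(N=>N) . \n:N . prim n 1 (\p.\q. f q)
def iter_(f):
    return lambda n: prim(n, 1, lambda p, q: f(q))

# The Ackermann function as a higher-order primitive recursion:
# ack = \n:N . prim n succ (\p.\g. iter g)
# Here the result of prim is itself a function N => N, which is the point
# of allowing higher-order arguments.
def ack(m):
    return prim(m, succ, lambda p, g: iter_(g))

# The two-argument recursion equations of the same function, for comparison
# (my own name for them).
def ack_eqs(m, n):
    if m == 0:
        return n + 1
    if n == 0:
        return 1
    return ack_eqs(m - 1, ack_eqs(m, n - 1))

if __name__ == "__main__":
    print(addone(2), add(3, 4), mult(3, 4), iter_(succ)(3), ack(2)(3))
```

The two forms of ack are compared on a small grid of arguments; their agreement is exactly what the higher-order definition claims, and add and mult reproduce the recursion equations given above.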
Exercises
4.21. Define the equality function
equal_N : N ⇒ N ⇒ bool
4.22. Define the function geq of type
geq : N ⇒ N ⇒ bool
so that geq n m is True if and only if n is greater than or equal to m.
[Hint: the best way to do this is to define the functions geq n by induction,
that is to define geq 0 outright (by induction) and to define geq (n + 1) using
geq n.]
4.23. Using geq or otherwise show how to define the bounded search function
search : (N ⇒ bool) ⇒ N ⇒ N
so that search p n is the smallest l less than n so that (p l) is True, and
which is n if no such l exists.
4.24. Give a formal definition of the function sumf given by
sumf f n m ≡_df Σ_{i=n}^{m} (f i)
What is its type? What type has the partial application
sumf id
where id x ≡_df x is the identity function?
4.9 Well-founded types - trees
In this section we look at an example of how to incorporate recursive data
types like lists and trees into the system. The mechanism is similar to
the Miranda algebraic type mechanism. Martin-Löf has proposed a general
scheme to achieve this; we examine it in full generality in the following
chapter.
We call the types well-founded as they are types over which we can
define objects by recursion and prove properties by induction, as we did for
the natural numbers; informally, for this to be possible we need to be sure
that when we make a recursive definition (or an inductive proof) we never
encounter an infinite sequence of simplifications, as in the simplification
from (n + 1) to n. If we have one of these infinite sequences, then the
function will be defined on none of the values in that sequence, as each
value depends upon an earlier value; there is no foundation to the sequence
or the recursion, in other words.
We shall again see that the principles of induction and recursion are
embodied by exactly the same rule.
Miranda type definitions for booleans and natural numbers might be given
by
bool ::= True | False
nat ::= Zero | Succ nat
The example of a general algebraic type which we shall take here is a type
of numerical trees, defined by
tree ::= Null |
         Bnode nat tree tree
As we mentioned above, accompanying a definition like this we have the
two principles of proof by structural induction and definition by primitive
recursion.
Definition 4.2 Structural induction states that in order to prove P(t)
for every tree, t, it is sufficient to prove it outright for Null,
P(Null)
and to prove
P(Bnode n u v)
assuming P(u) and P(v), that is assuming the validity of the result for the
immediate predecessors u and v of the node (Bnode n u v).
Compare this with the principle of induction over the natural numbers;
we prove the result outright at 0, and prove it at (n + 1) assuming it is
valid at the (immediate) predecessor n.
Definition 4.3 Primitive recursion is a principle of definition for functions.
In order to define a (total) function
f : tree -> P
we need only supply a starting value,
a : P
which will be the value of f Null and a means of defining
f (Bnode n u v)
in terms of the previous values (f u) and (f v), the subtrees u and v and
the entry at the node, n. We will represent this as a function
F : nat -> tree -> tree -> P -> P -> P
so that
f (Bnode n u v) = F n u v (f u) (f v)
In other words we define the value of (f t) in terms of the values of f on
the predecessors of t, together with the components of the node itself. This
is similar to the principle of primitive recursion over the natural numbers,
N, where we specify outright the value at 0 and specify how the value at
(n + 1) is computed from the value at n, together with n itself.
As we might expect from what we have seen above, in a constructive setting
the principles of proof and definition are identical. The proofs required
by structural induction will be objects
a : P(Null)
and F of type
"(n:nat)->(u:tree)->(v:tree)->P(u)->P(v)->P(Bnode n u v)"
The preceding type is enclosed in inverted commas as it is not a Miranda
type. In type theory this kind of type, in which the type of the result
depends upon the value of an argument, is represented using the dependent
function space, thus.
F : (∀n : N)(∀u : tree)(∀v : tree)(P(u) ⇒ P(v) ⇒ P(Bnode n u v))
Let us now look at the explicit form taken by the rules for trees. Formation
is simple
Formation Rule for tree
  --------------- (tree F)
  tree is a type
There are two kinds of tree. A null node and a non-null node with two
immediate predecessors, a binary node, hence Bnode.
Introduction Rules for tree
  ------------- (tree I1)      n : N    u : tree    v : tree
  Null : tree                  --------------------------- (tree I2)
                                   (Bnode n u v) : tree
Induction and recursion are embodied by the elimination rule.
Elimination Rule for tree
  t : tree
  c : C[Null/x]
  f : (∀n : N).(∀u : tree).(∀v : tree).
        (C[u/x] ⇒ C[v/x] ⇒ C[(Bnode n u v)/x])
  ----------------------------------------------- (tree E)
  trec t c f : C[t/x]
To make the rule above more readable, we have listed the three hypotheses
vertically instead of in a horizontal line. We shall do this where presentation
is thus improved.
There are two computation rules for the recursion operator trec; the
first eliminates a Null tree and the second a non-null Bnode tree.
Computation Rules for tree
  trec Null c f → c
  trec (Bnode n u v) c f → f n u v (trec u c f) (trec v c f)
As an example, we can present the function which sums the contents of
a tree. It is defined thus
sumt Null = 0
sumt (Bnode n u v) = n + (sumt u) + (sumt v)
If we define
f ≡_df λn.λt1.λt2.λs1.λs2.(n + s1 + s2)
then
λt_tree.(trec t 0 f)
defines the sumt function formally.
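As an added illustration (not code from the book), the tree recursion operator trec of the (tree E) rule as a Python combinator, with sumt defined through it exactly as above. It assumes that Null is modelled by None and Bnode n u v by a tuple (n, u, v); the helper bnode, the constructed tree SAMPLE, and the second function size (the same recursion scheme counting nodes, which goes one step beyond the text) are mine.

```python
# Added example (not from the book): trec as a Python combinator and sumt
# defined with it.  Null is None; Bnode n u v is the tuple (n, u, v).

def bnode(n, u, v):
    return (n, u, v)

def trec(t, c, f):
    """trec t c f, following the two computation rules:
         trec Null c f          -> c
         trec (Bnode n u v) c f -> f n u v (trec u c f) (trec v c f)
    """
    if t is None:
        return c
    n, u, v = t
    return f(n, u, v, trec(u, c, f), trec(v, c, f))

# sumt = \t:tree . trec t 0 f   with  f = \n.\t1.\t2.\s1.\s2. n + s1 + s2
def sumt(t):
    return trec(t, 0, lambda n, t1, t2, s1, s2: n + s1 + s2)

# A second instance of the same scheme: the number of Bnode nodes in a tree.
def size(t):
    return trec(t, 0, lambda n, t1, t2, s1, s2: 1 + s1 + s2)

# Constructed sample tree:
#   Bnode 5 (Bnode 2 Null Null) (Bnode 9 Null (Bnode 1 Null Null))
SAMPLE = bnode(5, bnode(2, None, None), bnode(9, None, bnode(1, None, None)))

if __name__ == "__main__":
    print(sumt(SAMPLE), size(SAMPLE))
```

Note that the function passed to trec receives the subtrees u and v as well as the recursive results s1 and s2, mirroring the F of Definition 4.3; sumt and size ignore the subtrees, but a function such as the left-subtree selector of exercise 4.25 would use them.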
It behoves us to fit this kind of construction into a uniform framework.
Martin-Löf has done this, and indeed given an infinitary generalisation of
the construction; we postpone this until we have given an account of the
equality type.
Exercises
4.25. Define the function which returns the left subtree of a tree if it has
one, and the Null tree if not.
4.26. Define the equality function over trees.
4.27. We say that a tree (Bnode n u v) is ordered if and only if all objects
in u are smaller than or equal to n, all objects in v are greater than or
equal to n and the trees u and v are themselves ordered. The tree Null is
ordered. Define a function
ordered : tree ⇒ bool
which returns True if and only if its argument is ordered. You can assume
that the function
leq : N ⇒ N ⇒ bool
represents the ordering relation over N. How might you define this by
primitive recursion?
4.28. Define functions insert and delete of type
N ⇒ tree ⇒ tree
which, respectively, insert an object into an ordered tree, preserving the
order of the tree and delete an object, if present, from the tree, preserving
the ordered property. (If in either case the tree argument is not ordered, it
is not specified how the function should behave.)
4.10 Equality
We have introduced a number of type constructors or logical operations
which can bind variables which are free in formulas, but as yet we have
no formulas containing free variables; we have no primitive predicates, in
other words. We remedy that deficiency here, introducing the equality
proposition. To assert that
`a and b are equal elements of the type A'
we write either
a =_A b
or to remind us forcibly that this is a proposition or type of the system we
sometimes use Martin-Löf's notation of
I(A, a, b)
instead of using the (often overused) equality symbol `='.
The I types have a drastic effect on the behaviour of the system, both
formally and intuitively. We shall see why as we introduce the type and
look at examples which use it.
We now introduce the rules governing the I-proposition. First the formation
rule. If a and b are both elements of the type A, then I(A, a, b) is
a type.
Formation Rule for I
  A is a type    a : A    b : A
  ----------------------------- (IF)
      I(A, a, b) is a type
This is different from the type (or formula) formation rules we have seen
so far. These take the form
  … is a type    … is a type
  -------------------------- (… F)
         … is a type
which means that with these rules alone, we can say what are the formulas
or types of the system independently of which elements occupy those
types. The rule of I formation breaks this rule, since a necessary condition
for I(A, a, b) to be a type is that a : A. This means that the rules generating
the formulas are inextricably mixed up with the rules for derivations,
which explains our decision not to express the syntax of formulas (or types)
separately.
Now, the presence of an element in the type I(A, a, b) will indicate that
the objects a and b are taken to be equal. When can we conclude that?
The object a is equivalent to itself, so
Introduction Rule for I
        a : A
  ------------------ (II)
  r(a) : I(A, a, a)
We can derive rules which look stronger than this, a subject we defer
until the next section.
What is the content of this rule, and more to the point, what is the
structure of r(a)? This object has no internal structure, and at first sight
this seems to render it useless. However, its mere presence can allow us
to do things which would not be possible without it; we shall amplify
this after we have considered the elimination and computation rules, and
especially in our case studies.
The essence of equality is that
equals can be substituted for equals
and this is known as Leibniz's law, after the logician who coined it. Suppose
that we have some proof p of a proposition P involving a, and also
that we know that c : I(A, a, b). We should be able to infer the proposition
P' resulting from us replacing some of the occurrences of a in P by b. To
capture the idea of substituting for some of the occurrences we think of P
as the formula
C[a/x, a/y]
in which a replaces two free variables x and y. In the result of our substitution
we replace the occurrences of y by b, thus
C[a/x, b/y]
We can of course replace all the occurrences of a by making sure that x is
not free in C. We shall use also the informal notation C(a, b) for C[a/x, b/y]
when no confusion can result. There is one extra refinement in our rule:
we allow the formula C to mention the equality proof object r too.
Elimination Rule for I
  c : I(A, a, b)    d : C(a, a, r(a))
  ---------------------------------- (IE)
        J(c, d) : C(a, b, c)
Theorem 4.4 Leibniz's law is derivable.
Proof: Take
C(a, b, c) ≡_df P(b)
and suppose that
d : P(a)
that is
d : C(a, a, r(a))
Assuming that c : I(A, a, b), we can conclude that
J(c, d) : P(b)
as desired. □
How do we eliminate the J operator? If we eliminate an r(a) we simply
return the object d
Computation Rule for I
J(r(a), d) → d
Let us consider some further properties of equality. The introduction
rule means that equality is reflexive. If a : A then the type I(A, a, a) is
inhabited by r(a).
Theorem 4.5 Equality is symmetric.
Proof: We want to prove
I(A, b, a)
on the basis of
I(A, a, b)
so we have to show that the former has an element on the basis of having
an element of the latter. Let
C(a, b, c) ≡_df I(A, b, a)
now, as
C(a, a, r(a)) ≡ I(A, a, a)
and as we have
r(a) : I(A, a, a)
we can apply the I-elimination rule,
  z : I(A, a, b)    r(a) : I(A, a, a)
  ---------------------------------- (IE)
       J(z, r(a)) : I(A, b, a)
which gives the result we desire. □
Finally we show that it is transitive, making it an equivalence relation.
Theorem 4.6 Equality is transitive.
Proof: Choose
C(b, c, r) ≡_df I(A, a, c)
then substituting c for b in C(b, b, r) takes us from I(A, a, b) to I(A, a, c).
Formally,
  z : I(A, b, c)    w : I(A, a, b)
  -------------------------------- (IE)
        J(z, w) : I(A, a, c)
ending the proof. □
4.10.1 Equality over base types
When we first talked about the different sorts of rule, we observed that it
was the elimination rules which specified that all the elements of a type had
the form introduced by the introduction rules. We now show this formally,
by proving that
(∀x : bool).(x =_bool True ∨ x =_bool False)
is inhabited. Recall the rule for bool-elimination
  tr : bool    c : C[True/x]    d : C[False/x]
  -------------------------------------------- (bool E)
        if tr then c else d : C[tr/x]
Suppose we assume that x : bool, and take the formula C to be
(x =_bool True ∨ x =_bool False)
Now, r(True) : True =_bool True so that
(c ≡_df) inl r(True) : C[True/x]
and similarly
(d ≡_df) inr r(False) : C[False/x]
By the elimination rule we have
if x then c else d : C
and so
λx.if x then c else d : (∀x : bool).(x =_bool True ∨ x =_bool False)
In a similar way, we can show that for the natural numbers, every number
is either zero or a successor, in other words that the type
(∀x : N).(x =_N 0 ∨ (∃y : N).(x =_N succ y))
is inhabited.
Exercise
4.29. Prove the result above for the natural numbers. Formulate and prove
a similar result for the type tree of trees of natural numbers.
4.10.2 Inequalities
Nothing we have specified in the system so far prevents there being a single
element at each type. In order to make the system non-trivial we can add
an axiom to the effect that
ax : ¬(True =_bool False)
so that True and False are distinct. This is sufficient to imply the non-triviality
of other types; we can show that 0 is not the successor of any
natural number using a definition by primitive recursion of the function
f 0 ≡_df True
f (n + 1) ≡_df False
This proof follows a further discussion of convertibility and equality in the
next section.
4.10.3 Dependent Types
With the introduction of the equality predicate we are able to define non-trivial
dependent types. A simple example is a family of types over a
boolean variable x which is N when that variable is True and bool when
the variable is False. Using the type constructors, we can represent the
type by
(x = True ∧ N) ∨ (x = False ∧ bool)
Elements of this type are either
inl(r, n)
with r : (x = True) and n : N, or
inr(r, b)
with r : (x = False) and b : bool. An alternative representation of this type
is given by
(x = True ⇒ N) ∧ (x = False ⇒ bool)
whose members consist of pairs of functions (f, g) with
f : ((x = True) ⇒ N)
and
g : ((x = False) ⇒ bool)
In section 5.9 below we shall see a more direct means of defining dependent
types.
From programming, an interesting example is the predecessor function
over the natural numbers. Only the positive natural numbers, (n + 1), have
a predecessor, n. In traditional programming languages, we usually give
the predecessor an arbitrary value, like 0, at 0. In our language we can
represent its type thus:
(∀x : N).((x ≠_N 0) ⇒ N)
where we use x ≠_N 0 as an abbreviation for ¬(x =_N 0).
To define the function we need to find an element of
(x ≠_N 0) ⇒ N
for each x in N. We do this by primitive recursion, and so first we have to
find an element of
(0 ≠_N 0) ⇒ N
Now, we have r(0) : (0 =_N 0). Suppose we have z : (0 ≠_N 0). The application
of z to r(0) is in ⊥, since 0 ≠_N 0 is an abbreviation of
(0 =_N 0) ⇒ ⊥
From this we can construct abort_N (z r(0)) : N, giving the element in the
case of 0. This trivial element simply reflects the fact that at zero we have
no true predecessor.
In the induction step, we have to define the predecessor of the element
(n + 1) from the predecessor of n and n itself. We simply choose the
latter. Putting these together into a formal deduction and writing C for
(x ≠_N 0) ⇒ N, we have first for the two cases
  r(0) : (0 =_N 0)    [z : (0 ≠_N 0)]¹
  ----------------------------------- (⇒E)
             (z r(0)) : ⊥
        ------------------------ (⊥E)
        abort_N (z r(0)) : N
  ------------------------------------ (⇒I)¹
  λz.abort_N (z r(0)) : C[0/x]
and
             [n : N]¹
  ---------------------------- (⇒I)
     λq.n : C[succ n/x]
  ----------------------------------------- (⇒I)
  λp.λq.n : (C[n/x] ⇒ C[succ n/x])
  ------------------------------------------------------- (⇒I)¹
  λn.λp.λq.n : (∀n : N).(C[n/x] ⇒ C[succ n/x])
we put these together using the N elimination rule, which introduces a
primitive recursion term, in the standard way. The predecessor function is
defined by
pred ≡_df λn.prim n f g
where
f ≡_df λz.abort_N (z r(0))
and
g ≡_df λn.λp.λq.n
4.10.4 Equality over the I-types
What is the general form of elements of an I-type? For each a : A, the type
I(A, a, a) has the element r(a), but are there any other elements? We can
use the rule (IE) to show that they are all equal. Suppose that a : A, then
r(a) : I(A, a, a)
and by the rule of I-formation,
r(r(a)) : I(I(A, a, a), r(a), r(a))
Suppose we also have
p : I(A, a, a)
by the rule (IE) we can replace occurrences of r(a) by p. If we replace the
second occurrence only, we have
J(p, r(r(a))) : I(I(A, a, a), r(a), p)
showing that all elements of an I-type can be proved to be equal.
Exercise
4.30. The functions insert and delete defined in the exercises on page 109
are designed to be applied to ordered trees. Redefine them so that they are
defined only over ordered trees, in a similar way to the restricted type of
the predecessor function above.
4.11 Convertibility
In this section we examine the rules of computation together with the relation
of equivalence or convertibility generated by them.
The rules of our system have two quite distinct forms and purposes. The
formation, introduction and elimination rules describe how derivations of
judgements are constructed. If we are simply interested in finding out from
the logical point of view which propositions have proofs, or are inhabited,
then this category of rules would seem to suffice. This would be the case if
we were to omit the equality rules, but in the full system the derivability of
equality propositions is closely linked with the computability rules through
the convertibility relation and the rules of substitution.
On the other hand, if we read the rules as those of a programming
language, then the first three kinds of rule express only the syntax of the
language, specifying as they do which expressions have which type. In
programming the process of execution or evaluation is central, and it is this
that the computation rules express. We might ask what it is in logic that
corresponds to evaluation? It is the idea of simplification of proof objects. For example,
suppose we choose the following (partial) proof for A. `Given proofs a : A
and b : B, build the proof (a, b) of A ∧ B, then construct a proof of A by
taking the first component'. This is the proof fst (a, b) and the proof object
we have constructed can be reduced simply to the object a.
4.11.1 Definitions; convertibility and equality
First we give some definitions which generalise those of the simply typed
λ-calculus.
Definition 4.7 We call a sub-expression f of an expression e a free sub-expression
of the expression e if none of the free variables in f is bound within
e.
A free sub-expression of an expression e is exactly the kind of sub-expression
of an expression which could arise by substitution into e;
sub-expressions which contain variables bound within e cannot arise thus.
Definition 4.8 The rules for computation → have been introduced
construct-by-construct above. We call a sub-expression of an expression
a redex if it matches the left-hand sides of these rules. We extend the
relation → so that we write e1 → e2 when a free sub-expression f1 of e1
is a redex, and e2 results from e1 by replacing f1 with the corresponding
right-hand side, or reduct.
Note that this is more restrictive than the definition of reduction we
had earlier, since the reduction can take place within a variable-binding
operator like λx. … only when the expression reduced has nothing bound
by the lambda; in other words it does not contain x free. This restriction
is reasonable for the sorts of reasons we discussed in chapter 2, and makes
the reduction relation more amenable to analysis.
Definition 4.9 We define the reflexive, transitive closure of →, the reduction
relation →→, as follows. e →→ f if and only if there is a sequence of
terms e0, …, en so that
e ≡ e0 → ⋯ → en ≡ f
Definition 4.10 The relation of convertibility, `↔↔', is the smallest equivalence
relation extending `→→'. Explicitly, e ↔↔ f if and only if there is a
sequence e0, ⋯, en with e ≡ e0, en ≡ f so that for each i, ei →→ ei+1
or ei+1 →→ ei.
Because type expressions (or formulas) can contain embedded object (or
proof) expressions we extend the convertibility relation to type expressions
in the obvious way.
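As an added illustration of Definitions 4.9 and 4.10 (not code from the book), the relations →→ and ↔↔ computed over a finite, constructed one-step relation. Terms are plain strings, and the sample steps are the reductions of addone 0 and addone (succ (succ 0)) from section 4.8 written out as (term, reduct) pairs, with the multi-step reductions of that calculation collapsed to single edges; the names STEPS, reduction_sequence, conversion_sequence and is_normal_form are mine.

```python
# Added example (not from the book): ->> and <<->> over a finite, constructed
# one-step reduction relation, returning the witnessing sequence of terms.

from collections import deque

# Constructed one-step relation "->": (term containing a redex, its reduct).
STEPS = [
    ("addone 0", "prim 0 (succ 0) f"),
    ("prim 0 (succ 0) f", "succ 0"),
    ("addone (succ (succ 0))", "prim (succ (succ 0)) (succ 0) f"),
    ("prim (succ (succ 0)) (succ 0) f", "f (succ 0) (prim (succ 0) (succ 0) f)"),
    ("f (succ 0) (prim (succ 0) (succ 0) f)", "succ (prim (succ 0) (succ 0) f)"),
    ("succ (prim (succ 0) (succ 0) f)", "succ (succ (succ 0))"),
]

def _search(steps, e, f, directed):
    """Breadth-first search from e to f along the step graph; edges are
    followed left-to-right only when directed, in both directions otherwise.
    Returns the chain e ≡ e0, ..., en ≡ f, or None if f is unreachable."""
    parent = {e: None}
    frontier = deque([e])
    while frontier:
        cur = frontier.popleft()
        if cur == f:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for left, right in steps:
            edges = ((left, right),) if directed else ((left, right), (right, left))
            for a, b in edges:
                if a == cur and b not in parent:
                    parent[b] = cur
                    frontier.append(b)
    return None

def reduction_sequence(steps, e, f):
    """Definition 4.9: e ->> f, witnessed by e ≡ e0 -> ... -> en ≡ f."""
    return _search(steps, e, f, directed=True)

def conversion_sequence(steps, e, f):
    """Definition 4.10: e <<->> f, witnessed by a chain in which each link is
    a reduction in one direction or the other (the smallest equivalence
    relation extending ->>)."""
    return _search(steps, e, f, directed=False)

def is_normal_form(steps, e):
    """e is in normal form when no step applies to it."""
    return all(left != e for left, _ in steps)

if __name__ == "__main__":
    print(reduction_sequence(STEPS, "addone 0", "succ 0"))
    print(conversion_sequence(STEPS, "succ 0", "addone 0"))
```

The one-term chain returned for e ≡ f is the reflexive case of →→, and the search in both directions is what makes ↔↔ symmetric; two terms in different components of the graph, such as addone 0 and addone (succ (succ 0)), are not convertible even though both reduce to normal forms.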
As we argued when we looked at the simply typed λ-calculus, we can
see the relation ↔↔ as a relation of equivalence. The rules of computation
replace terms with other terms which mean the same thing, according to our
intuitive idea of what the rules are intended to capture. This thus means
that two interconvertible terms have the same intended meaning, so that
they should be interchangeable as far as the judgements of the system are
concerned. We express this by means of the following rules of substitution,
which licence substitutions of interconvertible object and type expressions.
Substitution Rules
  a ↔↔ b    B(a) is a type           a ↔↔ b    p(a) : B(a)
  ------------------------- (S1)     ---------------------- (S2)
       B(b) is a type                     p(b) : B(b)

  A ↔↔ B    A is a type              A ↔↔ B    p : A
  ---------------------- (S3)        ---------------- (S4)
       B is a type                        p : B
(In writing these rules we have used our informal notation for substitution.
The reader may be happier to replace B(a) by B[a/x] and so on.)
There are two corresponding rules which permit substitution for a free
variable. They can be derived from the rules above.
             [x : A]                       [x : A]
                ⋮                             ⋮
  a : A    B is a type             a : A    b : B
  ---------------------- (S5)      -------------------- (S6)
     B[a/x] is a type                b[a/x] : B[a/x]
There is one other point we should emphasise about substitution and assumptions.
If we make a substitution of a, say, for a free variable x in
a derivation, then we should substitute a for any occurrence of x in the
assumptions other than in the assumption on x itself.
On the basis of the substitution rules we can give a strengthened version
of the rule of equality introduction. From a : A we can derive I(A, a, a). If
a ↔↔ b then we can substitute b for the second occurrence of a in I(A, a, a),
giving I(A, a, b). We write this
Introduction Rule for I
  a ↔↔ b    a : A    b : A
  ------------------------ (II')
      r(a) : I(A, a, b)
This makes plain that interconvertible expressions are not only equal according
to a relation of convertibility external to the system, but also can
be proved equal (by the trivial proof object r(a)).
With this strengthening of the equality proposition we can reason about
the computational behaviour of expressions inside the system. We give an
example in the next subsection.
4.11.2 An example - adding one
In this subsection we show that two methods of adding one over the natural
numbers have the same result for all arguments. We shall be slightly informal
in our syntax, but this is only done to make the exposition more readable;
nothing significant is being omitted. Recall our definition of addone
from page 102.
addone ≡_df λx.prim x 1 succ'
where we write 1 for succ 0 and succ' for λy.λz.succ z. Our aim is to prove
that
addone x =_N succ x
is inhabited for every x in N. We do this by induction, of course, and we
begin by looking at the base case.
succ 0
is in normal form
addone 0
≡ (λx.prim x 1 succ') 0
→ prim 0 1 succ'
→ 1
≡ succ 0
so that the expressions succ 0 and addone 0 are interconvertible, and so by
(II') the type (addone 0 =_N succ 0) is inhabited, establishing the base case.
Now assuming that
z : addone x =_N succ x   (4.2)
we want to show that the type
addone (succ x) =_N succ (succ x)   (4.3)
is inhabited. Note that
addone (succ x)
≡ (λx.prim x 1 succ') (succ x)
→ prim (succ x) 1 succ'
→ succ' x (prim x 1 succ')
→→ succ (prim x 1 succ')
By (II') we can conclude that the following type is inhabited
addone (succ x) =_N succ (addone x)
In order, therefore, to conclude that equation 4.3 is inhabited, it will be
sufficient to conclude that the following type is inhabited
succ (addone x) =_N succ (succ x)
and to use the transitivity of equality, which we derived in the previous
section. In order to do that, we apply the I elimination rule to allow us to
conclude
succ (addone x) =_N succ (succ x)
on the basis of the assumption 4.2 and a substitution of succ x for the
second occurrence of addone x in
succ (addone x) =_N succ (addone x)
Let us lay this out as a derivation in which we elide some information,
like the element part of the r identity witnesses, and the precise object
derived by the transitivity (derived) rule, and in which we abbreviate the
function names addone and succ by their initial letters.
  a (s x) ↔↔ s (a x)                      z : (a x =_N s x)
           ⋮                                       ⋮
  r : (a (s x) =_N s (a x))     J(z, r) : (s (a x) =_N s (s x))
  ------------------------------------------------------------- (I trans)
                  ⋯ : (a (s x) =_N s (s x))
We have shown that the two functions take the same values at every
point in their (common) domain. Can we conclude that they are equal,
that is can we conclude that
λx.(succ x) =_{N⇒N} λx.(addone x)   (4.4)
is inhabited? The answer is no, since the two terms are obviously not themselves
convertible. We can, of course, assert the universal generalisation of
the equality statement for the applications,
(∀x : N)(succ x =_N addone x)
and indeed that was precisely what the induction proof established. It is
interesting that we cannot within the system as it stands infer that 4.4
holds. We shall discuss what we can do about this further in section 5.8
below.
4.11.3 An example - natural number equality
Here we show that not all natural numbers are equal. First, we prove the
simpler result that zero is not equal to a successor. Let us define a function
which is True on 0 and False off it, by recursion, thus:
                                               ⋮ (⇒I)
  [n : N]¹    True : bool    λn.λb.False : (N ⇒ bool ⇒ bool)
  --------------------------------------------------------- (NE)
                   prim n True f : bool
  ------------------------------------------ (⇒I)¹
  λn_N.(prim n True f) : (N ⇒ bool)
where we write f for λn.λb.False.
Now, if we write
discrim ≡_df λn_N.(prim n True f)
then we can see that
discrim 0 ≡ (λn_N.(prim n True f)) 0
→ prim 0 True f
→ True
and
discrim (succ n) ≡ (λn_N.(prim n True f)) (succ n)
→ prim (succ n) True f
→ f n (prim n True f)
≡ (λn.λb.False) n (prim n True f)
→ (λb.False) (prim n True f)
→ False
so that by (II') the types
(discrim 0 = True)
and
(discrim (succ n) = False)
will be inhabited. Now, if (0 = (succ n)) is also inhabited, we have by
substitution that
(discrim 0 = discrim (succ n))
will be inhabited. Using the transitivity and symmetry of equality, we can
show that (True = False) is inhabited, which leads to ⊥ by our axiom
(ax) to the effect that the booleans are distinct.
Using the predecessor function from section 4.10.3 we can also show
that the formula
((succ n) =_N (succ m)) ⇒ (n =_N m)
is valid. (Its converse is valid by the substitution rules.) We investigate the
application
pred (succ n) : ((succ n) ≠_N 0) ⇒ N
By the above, we have for all n, the type ((succ n) ≠_N 0) is inhabited, by
t_sn, say. Then,
pred (succ n) t_sn : N
How does this behave under reduction?
pred (succ n) t_sn ≡ (λn.prim n f g) (succ n) t_sn
→ (prim (succ n) f g) t_sn
→ g n (prim n f g) t_sn
≡ (λn.λp.λq.n) n (prim n f g) t_sn
→ (λp.λq.n) (prim n f g) t_sn
→ (λq.n) t_sn
→ n
If we know that n and m have equal successors, then by the above calculation
and the substitutivity of equality, we have the equality of m and n
themselves.
To recap, we have shown that the successor function is 1-1 and that zero
is not a successor. These are standard properties of the natural numbers
which we have proved using primitive recursion over the natural numbers,
together with the fact that the two booleans are distinct.
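As an added illustration covering the predecessor function of section 4.10.3 and the discrim function of this subsection (not code from the book), here the proof objects of the I-type and the two functions are modelled in Python, so that the reductions written out above can be run. The assumptions are that N is int with succ n = n + 1, that r(a) is a small object carrying a, that J(c, d) follows the computation rule J(r(a), d) → d, and that an element of ⊥ is represented by raising an exception, so abort never returns; the names Bottom, R, symm, trans, t_sn and pred_zero_aborts are mine.

```python
# Added example (not from the book): r(a), J(c, d) and the functions discrim
# and pred of sections 4.10.3 and 4.11.3, modelled in Python.

class Bottom(Exception):
    """Raised where a term of type bottom would have to be produced."""

def abort(x):
    # abort_N: from an (impossible) element of bottom, an element of N.
    raise Bottom("abort applied to a supposed proof of bottom")

class R:
    """r(a): the only canonical element of I(A, a, a)."""
    __slots__ = ("a",)
    def __init__(self, a):
        self.a = a
    def __eq__(self, other):
        return isinstance(other, R) and self.a == other.a
    def __repr__(self):
        return f"r({self.a!r})"

def r(a):
    return R(a)

def J(c, d):
    """(IE): from c : I(A, a, b) and d : C(a, a, r(a)) obtain J(c, d) : C(a, b, c).
    Computation rule:  J(r(a), d) -> d."""
    if not isinstance(c, R):
        raise TypeError("J expects a canonical equality proof r(a)")
    return d

# Theorems 4.5 and 4.6 as programs: the derived proof objects and their values.
def symm(z):        # z : I(A, a, b)  gives  J(z, r(a)) : I(A, b, a)
    return J(z, r(z.a))

def trans(z, w):    # z : I(A, b, c), w : I(A, a, b)  give  J(z, w) : I(A, a, c)
    return J(z, w)

def prim(n, c, f):
    """prim n c f, by the two computation rules of section 4.8."""
    acc = c
    for k in range(n):
        acc = f(k, acc)
    return acc

# discrim =df \n:N . prim n True f   with  f = \n.\b. False
def discrim(n):
    return prim(n, True, lambda p, b: False)

# pred =df \n . prim n f g
#   f = \z . abort (z r(0))     the case 0:      (0 /= 0) => N
#   g = \n.\p.\q . n            the case n + 1:  (succ n /= 0) => N
def pred(n):
    return prim(n,
                lambda z: abort(z(r(0))),
                lambda p, q: (lambda z: p))

def t_sn(c):
    """Assumed witness t_sn : (succ n /= 0), a function from I(N, succ n, 0)
    to bottom.  No such c exists, so the body is never reached in a well-typed
    use; the page's argument via discrim and the axiom ax is what rules it out."""
    raise Bottom("no element of I(N, succ n, 0) can exist")

def pred_zero_aborts():
    """The case 0 of pred can only abort: there is no genuine z : (0 /= 0)."""
    try:
        pred(0)(t_sn)
    except Bottom:
        return True
    return False

if __name__ == "__main__":
    print(discrim(0), discrim(4), pred(5)(t_sn), J(r(3), "d"), symm(r(2)))
```

Applying pred to succ n and then to the witness returns n, as in the reduction sequence above, while the case 0 never yields a number; and J(r(a), d) returning d is the whole computational content of the symmetry and transitivity proofs.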
This short discussion of conversion completes our exposition of the core
system of type theory, together with some small examples of the system in
use. In the chapter which follows we will step back from the system and
survey some alternative formulations of rules; look at some of the properties
of the system; examine the various identity relations in the theory, and so
on.
Exercises
4.31. Show that
λx.((λy.y) x) → λx.x
but argue that we cannot generate λx.((λy.y) x) by substituting (λy.y) x
for z in λx.z.
4.32. Show that the substitution rules which follow are derivable from the
other rules of the system.
             [x : A]                       [x : A]
                ⋮                             ⋮
  a : A    B is a type             a : A    b : B
  ----------------------           --------------------
     B[a/x] is a type                b[a/x] : B[a/x]
We say that a rule is derivable if whenever we can derive the hypotheses of
a rule then we can derive the conclusions of the corresponding instance of
the rule, with the appropriate hypotheses discharged.
4.33. Formulate a hara terisation of equality on tree similar to that on N
formulated above.
4.34. Formulate and prove the results that the insert and delete fun tions
de ned on page 109 preserve the ordering of their tree arguments.
4.35. Formulate and prove that result that the fa torial of any natural
number is greater than zero.
This concludes our introduction to type theory. We shall call the system introduced here $TT_0$, and in the next chapter we explore some of the properties of the system, after clarifying some of the more technical points of the presentation. In fact, the system $TT_0$ is defined in full in section 5.3 below, where we give a generalisation of the elimination rules for disjunction ($\vee$) and the existential quantifier ($\exists$).
Chapter 5
Exploring Type Theory
The last chapter was taken up with the introduction of the system of type theory $TT_0$. It is a complicated system, with many of its aspects deserving of further study; this we do here.
As type theory is a formal system, it is amenable to study as an object in its own right. In section 5.4 we show that from some derivations, like $a : A$, we can deduce others, like $A$ is a type. Following that, we show that the derivable types of objects are unique, and that the substitution rules can be derived.
An important aspect of type theory is its computational behaviour, and we study this for two systems related to $TT_0$. We introduced the basic questions in our earlier introduction to the $\lambda$-calculus; here we ask them of the system of type theory. First we give (in section 5.5) a strong normalisation result for the system $TT_0$, which unfortunately fails to have the Church-Rosser property. We then present $TT_0^c$, which was first introduced by Martin-Löf in [ML75b]. This differs from $TT_0$ in the way in which abstraction is performed. After explaining the abstraction mechanism and showing that $TT_0^c$ is an extension of $TT_0$, we prove a normalisation theorem for it. From the proof we obtain a number of important corollaries, including the Church-Rosser property for $TT_0^c$ and the decidability of `$\leftrightarrow\!\!\leftrightarrow$' and of judgements in general. It is interesting to note that the precise form of $\lambda$-abstraction in $TT_0^c$ is very close to the way in which it is performed in modern `compiled' implementations of functional programming languages, [Pey87].
We begin the chapter by looking at some more technical aspects of the system which merit more attention than they received in the introduction. These include the precise role played by assumptions and ways in which terms can be made more readable by naming and abbreviation. Naming is a fundamental part of any programming language; we look at how our programs and proofs can be made more comprehensible by judicious abbreviations. The version of disjunction elimination given in the last chapter was simplified somewhat; here we give the general version. We also give a variant formulation of the existential elimination rule, as well as mentioning a weaker version, which is more akin to the traditional rule of the first-order predicate calculus.
Our introduction to the system involves the use of four different notions of equality: definitional equality is as close as we get to literal identity, two expressions being definitionally equal if they are identical up to change of bound variables after all definitions have been expanded out. Convertibility is external to the system, with the $I$-type giving an internal representation of it as a proposition, so allowing it to be combined into complex propositions. Lastly, there are equality functions, which return values in the type $bool$ when given two elements of a particular type; these are used in computations, giving the conditional expressions familiar to programmers. In sections 5.7 and 5.8 we compare these different relations, and then examine how a truly extensional equality can be added to the system without destroying its admirable formal properties.
The system $TT_0$ can be augmented in a number of ways; we look at two means of strengthening it in sections 5.9 and 5.10. The notion of a type of types is inconsistent, roughly because it allows the impredicative definition of classes in terms of themselves, à la Russell's paradox, but we show how a sequence of `universes' of types can be added in a coherent way. Then we give the general mechanism by which well-founded types are defined, incidentally giving the rules for lists as well.
We conclude the chapter with a second look at the Curry Howard isomorphism, particularly at the treatment of assumptions and the process of proof normalisation, both cases where the isomorphism seems less than one hundred per cent happy.
5.1 Assumptions
The derivations we construct using the rules of type theory depend in general upon collections of assumptions. In this section we look at the precise form that these collections take, together with consistency criteria that they should obey, and re-examine the rules and tighten up their statement in some cases.
A useful exercise for anyone interested in a formal system is to make an implementation of it. Many of the issues discussed here became apparent to the author while writing an implementation of type theory in the functional programming language Miranda. It is easy in a written presentation simply to overlook aspects of a system without which an implementation is impossible; mathematical notation is a powerful tool, not least because it admits ambiguity, and also because an imaginative reader is used to filling gaps in an exposition in the obvious way. (The utility and breadth of the adjective `similarly' cannot be over-estimated!)
An important reference here is [Tro87] which addresses a number of lower-level but nonetheless important aspects of Martin-Löf's systems of type theory.
A first peculiarity of the system is that the assumptions do not appear at the leaves of a derivation. In order to make the assumption $x : A$ we have to establish that $A$ is itself a type, the assumption only appearing below this derivation.
The assumptions of a derivation do not simply form a set: there is an ordering of dependency between them, as the types in some assumptions may depend upon variables introduced by others. To see an example of this, we might reconsider the proof of the symmetry of equality. Suppose we have derived
$$A \text{ is a type}$$
then we may make the assumptions
$$a : A \qquad b : A$$
Then we can conclude that
$$a =_A b$$
is a type, and so introduce a variable
$$x : (a =_A b)$$
whose type contains the variables $a$ and $b$ introduced by other assumptions. This is written as a derivation thus:
$$\frac{\dfrac{\begin{array}{c}\vdots\\ A \text{ is a type}\end{array} \qquad \dfrac{\begin{array}{c}\vdots\\ A \text{ is a type}\end{array}}{a : A}\,(AS) \qquad \dfrac{\begin{array}{c}\vdots\\ A \text{ is a type}\end{array}}{b : A}\,(AS)}{I(A, a, b) \text{ is a type}}\,(IF)}{x : I(A, a, b)}\,(AS)$$
These prior assumptions appear above the assumption $x : (a =_A b)$ in the derivation tree. The $I$-elimination rule allows us to conclude that
$$\frac{x : I(A, a, b) \qquad r(a) : I(A, a, a)}{J(x, r(a)) : I(A, b, a)}\,(IE)$$
We can then discharge the assumptions $a : A$, $b : A$ and $x : (a =_A b)$, but not in any order.
We may only discharge an assumption $a : A$ if the variable $a$ does not appear free in any other assumption.
The reason for this is clear. If, for example, we first discharge the assumption $a : A$, we have an expression $\lambda a . J(x, r(a))$ which contains the variable $x$ free. We expect subsequently to bind that variable, forming a product over the type of $x$; but what is that type? It is $I(A, a, b)$, but the $a$ in the type is bound within the expression $\lambda a . J(x, r(a))$ (and in the type of that expression $(\forall a : A) . I(A, b, a)$). We have a use of the variable $a$ outside its scope, in the terminology of computer science, and such a use is meaningless. To avoid that, we make the stipulation above. In this particular example, we must therefore discharge the assumption on $x$, before discharging either of the assumptions on $a$ and $b$.
We now present the derivation after discharge of the assumptions $x$ and $b$.
$$\frac{\dfrac{\dfrac{\begin{array}{c} A \text{ is a type};\ a : A;\ [b : A]^2 \\ \vdots \\ [x : I(A, a, b)]^1 \end{array} \qquad \begin{array}{c} A \text{ is a type};\ a : A \\ \vdots \\ r(a) : I(A, a, a) \end{array}}{J(x, r(a)) : I(A, b, a)}\,(IE)}{(\lambda x : I(A, a, b)) . J(x, r(a)) : I(A, a, b) \Rightarrow I(A, b, a)}\,(\Rightarrow I)_1}{(\lambda b : A) . (\lambda x : I(A, a, b)) . J(x, r(a)) : (\forall b : A) . (I(A, a, b) \Rightarrow I(A, b, a))}\,(\forall I)_2$$
There is an interesting aspect to this proof as we see it now. The assumption $a : A$ appears in two places in the derivation, and this is what happens in the general case. If we are to have multiple assumptions about the same variable, how should they be treated? We ask that when there are multiple assumptions then they should be consistent: all assumptions about the variable $a$ should assume that it has the same type (up to change of bound variable names in types). While constructing a derivation we should enforce this requirement at every occurrence of a rule with more than one hypothesis, as each derivation of a hypothesis will contain assumptions, in general.
Returning to the derivation, discharging the assumption $a$ will discharge every assumption in the tree, giving the closed derivation.
$$\frac{\dfrac{\dfrac{\dfrac{\begin{array}{c} A \text{ is a type};\ [a : A]^3;\ [b : A]^2 \\ \vdots \\ [x : I(A, a, b)]^1 \end{array} \qquad \begin{array}{c} A \text{ is a type};\ [a : A]^3 \\ \vdots \\ r(a) : I(A, a, a) \end{array}}{J(x, r(a)) : I(A, b, a)}\,(IE)}{(\lambda x : I(A, a, b)) . J(x, r(a)) : I(A, a, b) \Rightarrow I(A, b, a)}\,(\Rightarrow I)_1}{(\lambda b : A) . (\lambda x : I(A, a, b)) . J(x, r(a)) : (\forall b : A) . (I(A, a, b) \Rightarrow I(A, b, a))}\,(\forall I)_2}{(\lambda a : A) . (\lambda b : A) . (\lambda x : I(A, a, b)) . J(x, r(a)) : (\forall a : A) . (\forall b : A) . (I(A, a, b) \Rightarrow I(A, b, a))}\,(\forall I)_3$$
Another point to observe is that when we discharge an assumption $a : A$ we discharge every occurrence of that assumption (above the node of discharge). Failure so to do leaves an occurrence of a variable outside its scope. Note that we have not necessarily discharged every assumption of the formula $A$ (in other words every variable of type $A$), only those named $a$.
An alternative presentation of the theory gives an explicit listing of the undischarged assumptions at every node.
Definition 5.1 A list of one or more assumptions
$$x_1 : A_1,\ \ldots,\ x_n : A_n$$
is known as a context, if it satisfies the following conditions
• $x_i$ may only appear free in assumptions $x_j : A_j$ for $j > i$.
• $A_{j+1}$ is a type should be a consequence of $x_1 : A_1, \ldots, x_j : A_j$ for each $0 < j < n$.
• The variables $x_j$ are distinct.
If we write $\Gamma, \Gamma', \ldots$ for contexts, and $\Gamma \vdash J$ for a judgement together with its assumption list, then we can explain the circumstances in which a derivation is consistent.
Definition 5.2 Two contexts $\Gamma$, $\Gamma'$ are consistent if and only if for every variable $x$, if $x$ appears in both contexts, it is assumed to have the same type in each.
A derivation $d$ is consistent if
• In an application of a rule taking, for example, the form
$$\frac{\Gamma \vdash J \qquad \Gamma' \vdash J'}{\Gamma'' \vdash J''}$$
the contexts $\Gamma$ and $\Gamma'$ must be consistent, and the list $\Gamma''$ which results from merging the contexts is itself a context.
• We may only discharge an assumption $x_j : A_j$ from a context $\Gamma$ if $x_j$ does not occur free in any assumption $x_k : A_k$ ($k > j$) of $\Gamma$.
The rules above may best be understood by realizing that the linear ordering of the assumptions in a valid context is simply an (arbitrary) extension of the partial ordering on the assumptions induced by their position in a derivation tree constructed according to the restrictions we outlined above, and which we summarise now.
• We may only discharge an assumption $x : A$ if the variable $x$ appears free in the (types of) no other assumptions.
• In applying a rule with at least two hypotheses, the assumptions should be consistent: a variable $x$ must be assumed to have the same type, up to change of bound variable names, in all the derivations of the hypotheses.
We might ask whether we could relax the restriction on consistency of assumptions to their types being convertible, rather than the same. In fact by the rules of substitution this is no stronger; see the exercises below. Note however that to perform the test for convertibility as part of the process of derivation construction would require that convertibility was decidable.
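As an added illustration of Definitions 5.1 and 5.2 and of the discharge restriction (this is not the book's code, and the author's Miranda implementation mentioned above is not reproduced here), the Python sketch below checks that an assumption list is a context, compares the types of shared variables up to change of bound variable names, merges the contexts of two hypotheses into one dependency-ordered list, and tests whether an assumption may be discharged. Expressions are encoded as nested tuples of the sketch's own devising, and only the scoping half of the "$A_{j+1}$ is a type" condition is checked, since establishing typehood needs the derivation rules themselves.

```python
from itertools import count
from typing import Any, Dict, Iterator, List, Set, Tuple

# Constructed encoding of expressions (not the book's syntax): an atom is a string,
# a compound is a tuple headed by its operator, e.g. ("I", A, a, b) for I(A, a, b);
# ("forall", "x", A, B) and ("exists", "x", A, B) bind x in B.  Atoms declared in a
# context are its variables; any other atom (such as "A" or "N") is a constant.
Expr = Any
Context = List[Tuple[str, Expr]]
BINDERS = ("forall", "exists", "lambda")

def free_vars(e: Expr) -> Set[str]:
    """Atoms occurring free in e; a binder removes its variable from its body."""
    if isinstance(e, str):
        return {e}
    if e[0] in BINDERS:
        _, x, dom, body = e
        return free_vars(dom) | (free_vars(body) - {x})
    return set().union(*(free_vars(arg) for arg in e[1:]))

def canon(e: Expr, env: Dict[str, str] = None, fresh: Iterator[int] = None) -> Expr:
    """Rename bound variables positionally, so two expressions are equal 'up to
    change of bound variable names' exactly when their canonical forms are equal."""
    env = {} if env is None else env
    fresh = count() if fresh is None else fresh
    if isinstance(e, str):
        return env.get(e, e)
    if e[0] in BINDERS:
        _, x, dom, body = e
        name = f"#{next(fresh)}"
        return (e[0], name, canon(dom, env, fresh), canon(body, {**env, x: name}, fresh))
    return (e[0],) + tuple(canon(arg, env, fresh) for arg in e[1:])

def alpha_eq(e1: Expr, e2: Expr) -> bool:
    return canon(e1) == canon(e2)

def context_violations(ctx: Context) -> List[str]:
    """Definition 5.1, returning the conditions violated (empty for a context).
    The second condition is checked only in its scoping part: every context
    variable free in A_j must be one of x_1 .. x_(j-1)."""
    names = [x for x, _ in ctx]
    declared = set(names)
    problems = []
    dupes = sorted({x for x in names if names.count(x) > 1})
    if dupes:
        problems.append(f"variables not distinct: {dupes}")
    for j, (xj, Aj) in enumerate(ctx):
        for v in sorted(free_vars(Aj) & declared):
            if v not in names[:j]:
                problems.append(f"{v} is free in the type of {xj} but not declared before it")
    return problems

def can_discharge(ctx: Context, x: str) -> bool:
    """x_j : A_j may be discharged only if x_j is not free in any later A_k (k > j)."""
    j = [v for v, _ in ctx].index(x)
    return all(x not in free_vars(Ak) for _, Ak in ctx[j + 1:])

def consistent(ctx1: Context, ctx2: Context) -> bool:
    """Definition 5.2: a variable in both contexts has the same type in each,
    up to change of bound variable names."""
    types1 = dict(ctx1)
    return all(alpha_eq(types1[x], A) for x, A in ctx2 if x in types1)

def merge(ctx1: Context, ctx2: Context) -> Context:
    """Context of a rule's conclusion from the contexts of two hypotheses: the
    linear order extends the dependency order, and the result is re-checked."""
    if not consistent(ctx1, ctx2):
        raise ValueError("inconsistent assumptions about a shared variable")
    pending: Dict[str, Expr] = dict(ctx1)
    for x, A in ctx2:
        pending.setdefault(x, A)
    merged: Context = []
    while pending:
        placed = {x for x, _ in merged}
        ready = [x for x, A in pending.items()
                 if (free_vars(A) & (placed | set(pending))) <= placed]
        if not ready:
            raise ValueError("cyclic dependency between assumptions")
        x = ready[0]
        merged.append((x, pending.pop(x)))
    problems = context_violations(merged)
    if problems:
        raise ValueError("; ".join(problems))
    return merged

# The (IE) step of the symmetry derivation above: the contexts of its two hypotheses.
LEFT: Context = [("a", "A"), ("b", "A"), ("x", ("I", "A", "a", "b"))]   # x : I(A, a, b)
RIGHT: Context = [("a", "A")]                                              # r(a) : I(A, a, a)

def symmetry_example() -> List[str]:
    """Variable names, in dependency order, of the merged context at (IE)."""
    return [x for x, _ in merge(LEFT, RIGHT)]
```

Merging `[b : A, x : I(A, a, b)]` with `[a : A]` yields the order `b, a, x`: any linearisation that places each assumption after the variables free in its type is acceptable, which is the sense in which the order of a context is an arbitrary extension of the dependency ordering.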
Exercises
5.1. Show that if we have derivations of $p : P$ and $q : Q$ from the assumptions $x : A$ and $x : A'$ respectively, then we can construct derivations of $P \vee Q$ from either $x : A$ or $x : A'$.
5.2. From a logical point of view, do we ever require two or more assumptions $x : A, y : A, \ldots$ of the same formula $A$? From the programming side, why do we need them?
5.3. Give a version of the derivation of the symmetry of equality above in which the contexts are made explicit at each point.
5.4. What is the effect on the system of relaxing the consistency condition?
5.2 Naming and abbreviations
In order to make the expressions and derivations of the system more readable, we allow expressions to be named and allow certain forms of abbreviation in derivations, judgements and expressions.
5.2.1 Naming
The pure system, just like the pure $\lambda$-calculus, is a calculus of expressions without names. In using a system like this, we need some primitive notion of naming expressions, both to make them more readable and more abbreviated. We say, simply, that
$$name \equiv_{df} expression$$
when we want to use the name $name$ as a shorthand for the expression $expression$, the two being treated as identical. We call $\equiv_{df}$ the definitional equality symbol. We do not permit recursive namings, or the use of a name before its definition, thereby avoiding indirect mutual recursions; we just require a shorthand.
To make sum types more readable we allow the renaming of the injection functions $inl$ and $inr$, so we might say
$$numOrBool \equiv_{df} num\ N + boo\ bool$$
with the intention that objects of this type look like $num\ n$ and $boo\ b$ where $n : N$ and $b : bool$. We can extend this notation to $n$-ary sums, if we represent them in some standard form, a left associated form, say. We will also use the $n$-tuple notation for iterated products when this is appropriate.
Again, disallowing recursive definitions, we shall sometimes write
$$f\ x \equiv_{df} e$$
instead of a definition
$$f \equiv_{df} \lambda x_A . e$$
An elegant form of definition in Miranda uses pattern matching. For a simple case analysis over the type $numOrBool$ we use the operator $cases$, with
$$c \equiv_{df} \lambda p . cases\ p\ g\ h : (A \vee B) \Rightarrow C$$
if $g : A \Rightarrow C$ and $h : B \Rightarrow C$. Suppose that
$$\begin{array}{lcl} g\ n & \equiv_{df} & e \\ h\ b & \equiv_{df} & f \end{array}$$
then we can write the definition of $c$ directly thus:
$$\begin{array}{lcl} c\ (num\ n) & \equiv_{df} & e \\ c\ (boo\ b) & \equiv_{df} & f \end{array}$$
An example is provided by
$$\begin{array}{lcl} toNum\ (num\ n) & \equiv_{df} & n \\ toNum\ (boo\ b) & \equiv_{df} & if\ b\ then\ 1\ else\ 0 \end{array}$$
which is shorthand for the definition
$$toNum \equiv_{df} \lambda p . (cases\ p\ (\lambda n . n)\ (\lambda b . if\ b\ then\ 1\ else\ 0))$$
We can allow constrained forms of recursion, too, as long as they conform to the recursion operation over the type in question. Over the natural numbers, we allow definitions like
$$\begin{array}{lcl} fac\ 0 & \equiv_{df} & 1 \\ fac\ (succ\ n) & \equiv_{df} & mult\ (succ\ n)\ (fac\ n) \end{array}$$
In the first clause we permit no recursive call. In the second we can call only $fac\ n$ and $n$ itself. This corresponds to the formal definition
$$fac \equiv_{df} \lambda n . (prim\ n\ 1\ (\lambda p, q . (mult\ (succ\ p)\ q)))$$
Of course, in all these abbreviations, we assume that the derivations of the hypotheses of the appropriate rule, like $(NE)$ here, have been derived. In this case, we assume that we can already derive $1 : N$ and that $(mult\ (succ\ p)\ q) : N$ assuming that $p, q : N$.
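The following Python sketch is an addition to this text, not code from the book or from its Miranda implementation. It models the operators $prim$ and $cases$ over constructed encodings (elements of $N$ as non-negative Python ints, elements of a sum as tagged pairs, proof objects as placeholder functions), checks that the pattern-matched definitions of $fac$ and $toNum$ above compute the same values as the $prim$ and $cases$ forms they abbreviate, and runs the reduction of $pred\ (succ\ n)\ t_{sn}$ from section 4.11. The names `f_zero`, `g_pred`, `t_sn`, `pred_of_succ`, `fac_pm`, `to_num_pm` and `abbreviations_agree` are the sketch's own.

```python
from typing import Any, Callable, Tuple

# Constructed encodings used in this sketch (not the book's notation):
# an element of N is a non-negative Python int (0 is zero, k + 1 is succ k);
# an element of a sum type is a tagged pair ("inl", a) or ("inr", b);
# a proof object is an ordinary Python value, here always a function.
Nat = int
Sum = Tuple[str, Any]

def prim(n: Nat, f: Any, g: Callable[[Nat], Callable[[Any], Any]]) -> Any:
    """Primitive recursion over N, following the computation rules
       prim 0 f g -> f     and     prim (succ n) f g -> g n (prim n f g).
    Written as a loop, so g (n-1) (... (g 0 f) ...) is built from the inside out."""
    if n < 0:
        raise ValueError("not an element of N")
    acc = f
    for k in range(n):
        acc = g(k)(acc)
    return acc

def inl(a: Any) -> Sum: return ("inl", a)
def inr(b: Any) -> Sum: return ("inr", b)

def cases(p: Sum, g: Callable[[Any], Any], h: Callable[[Any], Any]) -> Any:
    """cases (inl a) g h -> g a     and     cases (inr b) g h -> h b"""
    tag, val = p
    if tag == "inl":
        return g(val)
    if tag == "inr":
        return h(val)
    raise ValueError("not an element of a sum type")

# ---- pred from section 4.10.3:  pred ≡ λn . prim n f g -----------------------
def f_zero(q: Callable[[Any], Any]) -> Any:
    """f : (0 ≠ 0) ⇒ N.  A proof q of 0 ≠ 0 maps proofs of 0 = 0 to ⊥, so applying
    it to the reflexivity proof r(0) can only fail; no valid proof ever gets here."""
    return q("r(0)")

g_pred = lambda n: lambda p: lambda q: n          # g ≡ λn . λp . λq . n

def pred(n: Nat) -> Any:
    return prim(n, f_zero, g_pred)

def t_sn(eq: Any) -> Any:
    """Stand-in for the proof t_sn of (succ n) ≠ 0: handed a (non-existent) proof
    of succ n = 0 it would yield ⊥, which the sketch models by raising."""
    raise AssertionError("succ n = 0 has no proof")

def pred_of_succ(n: Nat) -> Nat:
    """pred (succ n) t_sn, which the reduction sequence in section 4.11 takes to n."""
    return pred(n + 1)(t_sn)

# ---- pattern-matched definitions and the prim / cases forms they abbreviate --
def fac_pm(n: Nat) -> Nat:
    """fac 0 ≡ 1 ;  fac (succ m) ≡ mult (succ m) (fac m)   (pattern-matching form)."""
    if n == 0:
        return 1
    m = n - 1
    return (m + 1) * fac_pm(m)

def fac(n: Nat) -> Nat:
    """fac ≡ λn . (prim n 1 (λp, q . (mult (succ p) q)))   (formal definition)."""
    return prim(n, 1, lambda p: lambda q: (p + 1) * q)

num, boo = inl, inr          # the renamed injections of numOrBool ≡ num N + boo bool

def to_num_pm(p: Sum) -> Nat:
    """toNum (num n) ≡ n ;  toNum (boo b) ≡ if b then 1 else 0."""
    tag, val = p
    return val if tag == "inl" else (1 if val else 0)

def to_num(p: Sum) -> Nat:
    """toNum ≡ λp . (cases p (λn . n) (λb . if b then 1 else 0))"""
    return cases(p, lambda n: n, lambda b: 1 if b else 0)

def abbreviations_agree(limit: int = 10) -> bool:
    """The shorthand and the expanded definitions compute the same values, and
    pred cancels succ, on the first `limit` naturals."""
    nats_ok = all(fac(n) == fac_pm(n) and pred_of_succ(n) == n for n in range(limit))
    sums_ok = all(to_num(num(n)) == to_num_pm(num(n)) for n in range(limit)) and \
              all(to_num(boo(b)) == to_num_pm(boo(b)) for b in (True, False))
    return nats_ok and sums_ok
```

Note that `pred(0)` evaluates to `f_zero` itself, a function waiting for a proof of $0 \neq 0$ that cannot be supplied; this is the operational shape of a total predecessor whose domain excludes zero by a proof argument rather than by a runtime check.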
We will look at a system based on naming of abstractions in section 5.5.3 below.
5.2.2 Abbreviations
There are various places in the system where we can abbreviate derivations without problems. In any situation where the same judgement forms more than one hypothesis of a rule we may supply a single derivation of that judgement. Examples are
$$\frac{A \text{ is a type} \qquad A \text{ is a type}}{A \wedge A \text{ is a type}}\,(\wedge F) \qquad\qquad \frac{a : A \qquad a : A}{(a, a) : A \wedge A}\,(\wedge I)$$
and the common case
$$\frac{A \text{ is a type} \qquad a : A \qquad a : A}{I(A, a, a) \text{ is a type}}\,(IF)$$
Often the same derivation will appear as two or more sub-derivations of a particular derivation. For instance, in any case where we use the number $2 \equiv_{df} (succ\ (succ\ 0))$, its use will be prefaced by the derivation
$$\frac{\dfrac{\dfrac{}{0 : N}\,(NI_1)}{(succ\ 0) : N}\,(NI_2)}{(succ\ (succ\ 0)) : N}\,(NI_2)$$
which establishes that it is a term of type $N$. We will omit these repeated derivations, for brevity.
Any system for functional programming based upon type theory will need to include the naming mechanisms above as an absolute minimum. With naming come a number of other issues, such as equality between types. We do not intend to look at these issues any further here. We intend to discuss the relevance of the system, and to mention further naming issues, as we proceed.
Exercises
5.5. Suggest naming conventions for functions defined over the algebraic type $tree$ introduced in the previous chapter.
5.6. Explain the naming conventions used in the definition
$$\begin{array}{lcll}
merge\ x\ [\,] & \equiv_{df} & x \\
merge\ [\,]\ y & \equiv_{df} & y \\
merge\ (a :: x)\ (b :: y) & \equiv_{df} & a :: (merge\ x\ (b :: y)) & if\ a < b \\
 & \equiv_{df} & a :: (merge\ x\ y) & if\ a = b \\
 & \equiv_{df} & b :: (merge\ (a :: x)\ y) & if\ a > b
\end{array}$$
5.3 Revising the rules
For pedagogical reasons we have simplified or modified some of the rules of type theory in the introduction of chapter 4; here we give the rules in their full generality and look at alternative versions of them.
5.3.1 Variable binding operators and disjunction
In our original exposition we chose to incorporate a single binding operation, the $\lambda$ for function formation by lambda abstraction. In Martin-Löf's system [ML85] there are a number of binding operators. As an example we shall consider $\vee$-Elimination, and go back to the form we saw in chapter 1.
There we had the rule
$$\frac{(A \vee B) \qquad \begin{array}{c}[A]\\ \vdots \\ C\end{array} \qquad \begin{array}{c}[B]\\ \vdots \\ C\end{array}}{C}\,(\vee E)$$
in which we produced a proof of $C$ from two hypothetical proofs of $C$, the first based on the assumption $A$ and the second on the assumption $B$. These assumptions are discharged (from their respective sub-proofs) in the proof thus formed. In the version we gave above, we supplied instead proofs of the formulas $A \Rightarrow C$ and $B \Rightarrow C$: these correspond to the hypothetical proofs through the rules of $(\Rightarrow I)$ and $(\Rightarrow E)$. The alternative type-theoretic rule has the form
$$\frac{p : (A \vee B) \qquad \begin{array}{c}[x : A]\\ \vdots \\ u : C\end{array} \qquad \begin{array}{c}[y : B]\\ \vdots \\ v : C\end{array}}{vcases'_{x,y}\ p\ u\ v : C}\,(\vee E')$$
The operator $vcases'_{x,y}$ binds the variable $x$ in its second argument and $y$ in its third. How does this new operator behave computationally?
Computation Rules for $vcases'$
$$\begin{array}{rcl} vcases'_{x,y}\ (inl\ a)\ u\ v & \to & u[a/x] \\ vcases'_{x,y}\ (inr\ b)\ u\ v & \to & v[b/y] \end{array}$$
It seems clear that the rules $(\vee E)$, $(\vee E')$ are in some sense equivalent, and moreover give rise to the same computational behaviour. Can we make this precise?
Any formula derived by $(\vee E)$ can be derived by using $(\vee E')$ and vice versa. For suppose we have $f : (A \Rightarrow C)$ and $g : (B \Rightarrow C)$; we can form hypothetical proofs, based on the assumptions $x : A$ and $y : B$ respectively, thus:
$$f\ x : C \qquad g\ y : C$$
we then form a proof
$$vcases'_{x,y}\ p\ (f\ x)\ (g\ y) : C$$
Now consider the computational behaviour of this:
$$\begin{array}{rcl} vcases'_{x,y}\ (inl\ a)\ (f\ x)\ (g\ y) & \to & (f\ x)[a/x] \equiv f\ a \\ vcases'_{x,y}\ (inr\ b)\ (f\ x)\ (g\ y) & \to & (g\ y)[b/y] \equiv g\ b \end{array}$$
so that not only is derivability preserved, but also the computational behaviour, in the sense that for every closed term $p$ of the sum type, the expression $vcases'_{x,y}\ p\ (f\ x)\ (g\ y)$ behaves in exactly the same way as $cases\ p\ f\ g$. It is an exercise for the reader to prove the converse of this result.
In a similar vein, there is a form of the rule of existential elimination which introduces a variable binding operator. We look at this in section 5.3.3 below.
Exercise
5.7. Show that the rule $(\vee E')$ can be derived from the rule $(\vee E)$ in a way which preserves computational behaviour as above.
5.3.2 Generalising $\vee$
One reason for presenting the rule for $\vee$ as we did in the previous section is that in this form it naturally suggests a generalisation. The type $C$ can be a type family, dependent upon a variable $z$ of type $A \vee B$. Stated in this form, we have
$$\frac{p : (A \vee B) \qquad \begin{array}{c}[x : A]\\ \vdots \\ u : C[inl\ x/z]\end{array} \qquad \begin{array}{c}[y : B]\\ \vdots \\ v : C[inr\ y/z]\end{array}}{vcases''_{x,y}\ p\ u\ v : C[p/z]}\,(\vee E'')$$
In the second hypothesis we have an object $x$ of type $A$, from which we form the object $inl\ x$ of type $A \vee B$; this is substituted for the variable $z$ in the formula $C$ as this case covers those elements from the left hand summand. In the third hypothesis we have $y : B$, giving $inr\ y : A \vee B$. In the result, the object $p$ of type $A \vee B$ is substituted for the variable $z$. The rule of computation is exactly the same as the rule for $vcases'$. The operator $vcases''_{x,y}$ binds occurrences of the variables $x$ and $y$.
We can, in fact, give a version of this rule in which the operator is not binding, but it involves our using the quantifiers; this is the reason we deferred its introduction originally. It is
$$\frac{p : (A \vee B) \qquad q : (\forall x : A) . C[inl\ x/z] \qquad r : (\forall y : B) . C[inr\ y/z]}{cases^\dagger\ p\ q\ r : C[p/z]}\,(\vee E^\dagger)$$
The computation rule for $cases^\dagger$ is the same as for $cases$: a generalisation of type need not alter the dynamic behaviour of an operator.
How is this generalisation useful? The operator $cases$ can be seen as a way of combining functions $f$ and $g$ with domains $A$ and $B$ and common codomain $C$ into a single function on the sum domain $A \vee B$. The generalised operator will do the same for dependent functions for which the type of the result depends upon the value of the input. The families which are the result type of the dependent functions must fit together in the appropriate way: we ensure this by asking that each is a specialisation to a family over $A$, i.e. $C[inl\ x/z]$, or over $B$ ($C[inr\ y/z]$) of a family $C$ over $A \vee B$.
From the logical point of view, we have a way of lifting proofs of universal results over $A$ and $B$ separately into universal results over $A \vee B$. We might, for example, choose to represent the integers by the sum $N \vee N$, or using a more suggestive notation
$$integers \equiv_{df} poszro\ N + neg\ N$$
(We think of $neg\ n$ as representing $-(n + 1)$.) We would then be able to prove results for the integers by means of twin inductions over the non-negative and the negative integers. If we define the factorial of an integer by
$$\begin{array}{lcl}
fac\ 0 & \equiv_{df} & 1 \\
fac\ (succ\ n) & \equiv_{df} & mult\ (succ\ n)\ (fac\ n) \\
fac\ (-1) & \equiv_{df} & 1 \\
fac\ (-(succ\ n)) & \equiv_{df} & mult\ (succ\ n)\ (fac\ (-n))
\end{array}$$
a proof that for all integers $p$, $fac\ p > 0$ would take the form suggested above.
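An added Python model of the integers as the sum $poszro\ N + neg\ N$ (this is not the book's code): a `cases_dagger` operator with the computation rule of $cases$ combines the two halves of the factorial, each defined by $prim$ over its own copy of $N$, into a single function on the sum, which is the shape the twin-induction proof of $fac\ p > 0$ takes. The constructor functions `poszro` and `neg`, the names `fac_pos`, `fac_neg`, `fac_int`, `from_int`, `to_int` and `fac_positive_on`, and the two-line model of `prim` are the sketch's own.

```python
from math import factorial

# Constructed encodings (not the book's notation): an element of N is a non-negative
# Python int; an element of integers ≡ poszro N + neg N is a tagged pair, with
# neg n standing for the integer -(n + 1), as in the text.
def poszro(n: int): return ("poszro", n)
def neg(n: int): return ("neg", n)

def cases_dagger(p, q, r):
    """cases† p q r: the same computation rule as cases (the left summand goes to
    q, the right to r), but q and r may be dependent functions whose result
    types are C[inl x/z] and C[inr y/z]; here both happen to land in N."""
    tag, n = p
    if tag == "poszro":
        return q(n)
    if tag == "neg":
        return r(n)
    raise ValueError("not an element of integers")

def prim(n: int, f, g):
    """prim 0 f g -> f ;  prim (succ n) f g -> g n (prim n f g)   (modelled recursively)."""
    return f if n == 0 else g(n - 1)(prim(n - 1, f, g))

def fac_pos(n: int) -> int:
    """The non-negative half:  fac 0 ≡ 1 ;  fac (succ n) ≡ mult (succ n) (fac n)."""
    return prim(n, 1, lambda k: lambda acc: (k + 1) * acc)

def fac_neg(n: int) -> int:
    """The negative half, indexed by the n of neg n = -(n + 1).  Rewriting the
    clauses fac (-1) ≡ 1 and fac (-(succ m)) ≡ mult (succ m) (fac (-m)) in terms
    of neg gives  fac (neg 0) ≡ 1  and  fac (neg (succ k)) ≡ mult (succ (succ k)) (fac (neg k)),
    which is again a primitive recursion."""
    return prim(n, 1, lambda k: lambda acc: (k + 2) * acc)

def fac_int(p) -> int:
    """Factorial on the integers, assembled from the two inductions by cases†."""
    return cases_dagger(p, fac_pos, fac_neg)

def from_int(k: int):
    """Python int -> integers:  k >= 0 is poszro k, k < 0 is neg (-k - 1)."""
    return poszro(k) if k >= 0 else neg(-k - 1)

def to_int(p) -> int:
    """integers -> Python int, by the same two-way case split."""
    return cases_dagger(p, lambda n: n, lambda n: -(n + 1))

def fac_positive_on(lo: int, hi: int) -> bool:
    """The property the twin induction proves, checked on a finite range: fac p > 0,
    and (as the clauses intend) fac p = |p|! for every integer p in [lo, hi]."""
    return all(fac_int(from_int(k)) > 0 and fac_int(from_int(k)) == factorial(abs(k))
               for k in range(lo, hi + 1))
```

The check in `fac_positive_on` is not a proof, only an instance of the statement over a finite range; the proof itself is exercise 5.8.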
Exercises
5.8. Expand out the definition of factorial given above, and using the expanded definition give a proof that $fac\ p$ is positive for all integers $p$.
5.9. Give a definition of subtraction over the integers, and prove for all $a$ and $b$ that
$$(a + b) - b = a$$
5.3.3 The Existential Quantifier
The existential elimination rule we stated in chapter 1 discharged an assumption. In its type theoretic form, we have
Elimination Rule for $\exists$
$$\frac{p : (\exists x : A) . B \qquad \begin{array}{c}[x : A,\ y : B]\\ \vdots \\ c : C\end{array}}{Cases_{x,y}\ p\ c : C}\,(\exists E')$$
Computation Rule for $\exists$
$$Cases_{x,y}\ (a, b)\ c \to c[a/x, b/y]$$
How are these justified? An arbitrary object of type $(\exists x : A) . B$ will be a pair $(x, y)$ with $x : A$ and $y : B$ (which in general contains $x$ free). If we can construct an object $c$ in $C$ assuming the existence of the components $x$ and $y$, we can build an object of that type from an object $p$ of type $(\exists x : A) . B$, replacing the assumptions $x$ and $y$ by the two components of $p$. The object thus formed we call $Cases_{x,y}\ p\ c$, and this operator binds the variables $x$ and $y$ in $c$.
When $Cases_{x,y}$ is applied to a pair $(a, b)$, we substitute the components for the appropriate component variables, $x$ and $y$, which explains the computation rule.
As with the rule for $\vee$-elimination, we can ask the question of whether the type $C$ can in fact be variable, and indeed it can. We derive the rule
Elimination Rule for $\exists$
$$\frac{p : (\exists x : A) . B \qquad \begin{array}{c}[x : A,\ y : B]\\ \vdots \\ c : C[(x, y)/z]\end{array}}{Cases_{x,y}\ p\ c : C[p/z]}\,(\exists E)$$
In the hypothesis, the type of $c$ depends upon the pair $(x, y)$, the arbitrary member of the existential type. In the conclusion we substitute the actual value $p$ for this arbitrary one. The computation rule is unchanged.
How are the various rules for existential elimination related? From the rule $(\exists E')$ we can derive the term $Fst$ thus: make $c \equiv_{df} x$ and $C \equiv_{df} A$; we then have
$$Cases_{x,y}\ p\ x : A$$
if $p : (\exists x : A) . B$. Moreover,
$$Cases_{x,y}\ (a, b)\ x \to x[a/x, b/y] \equiv a$$
as required. We therefore define
$$Fst \equiv_{df} \lambda p . Cases_{x,y}\ p\ x$$
The term $Snd$ is more problematic, as the type of its result depends upon the value of the first component of its argument. It can be shown that $Snd$ is not derivable from $(\exists E')$, as a consequence of the characterisation of the various existential elimination rules by Swaen, examined in section 8.1.3.
Obviously, if $Fst$ is derivable from $(\exists E')$ then it is derivable from the stronger $(\exists E)$. We now show that $Snd$ is also derivable from $(\exists E)$. To do this we need to be able to cast the judgement
$$y : B$$
in the form $c : C[(x, y)/z]$. $c$ can be $y$, but we need to cast $B$ as a formula dependent on the pair $(x, y)$ and not simply on the variable $x$. The way out is provided by $Fst$, and we write $B$ in the form
$$B[(Fst\ (x, y))/x]$$
so that to meet the rule, we have $C \equiv_{df} B[(Fst\ z)/x]$, giving
$$C[(x, y)/z] \equiv B[(Fst\ z)/x][(x, y)/z] \equiv B[(Fst\ (x, y))/x]$$
We then have
$$Cases_{x,y}\ p\ y : C[p/z] \equiv B[(Fst\ p)/x]$$
and
$$Cases_{x,y}\ (a, b)\ y \to y[a/x, b/y] \equiv b$$
which justifies the definition
$$Snd \equiv_{df} \lambda p . Cases_{x,y}\ p\ y$$
In the opposite direction, we now show that every instance of the rule $(\exists E)$ can be derived from $(\exists E'_1)$, introducing $Fst$, and $(\exists E'_2)$, introducing $Snd$. Suppose that we have a derivation
$$\begin{array}{c}[x : A,\ y : B]\\ \vdots \\ c : C[(x, y)/z]\end{array}$$
and $p : (\exists x : A) . B$. By the rules $(\exists E'_1)$ and $(\exists E'_2)$ we have
$$Fst\ p : A \qquad Snd\ p : B[Fst\ p/x]$$
and so by the rule of substitution $(S_6)$, applied twice, we have
$$c[Fst\ p/x][Snd\ p/y] : C[p/z]$$
If we substitute $(a, b)$ for $p$, the judgement becomes
$$c[a/x, b/y] : C[p/z]$$
as we require.
We shall use whichever of the rules is most convenient in what follows.
Definition 5.3 We call $TT_0$ the system of chapter 4 together with the rules $(\vee E'')$ or $(\vee E^\dagger)$ for disjunction elimination.
Exercise
5.10. Using the rule $(\exists E)$ amongst others, give a proof of the axiom of choice:
$$(\forall x : A) . (\exists y : B) . C(x, y) \Rightarrow (\exists f : (A \Rightarrow B)) . (\forall x : A) . C(x, (f\ x))$$
Can you use $(\exists E')$ instead of $(\exists E)$?
5.4 Derivability
In this section we take a general look at derivability in variants of the system $TT_0$. These results will be proved by induction over derivations. Before looking at particular results, it is worth noting a particular property of the system of type theory we have adopted.
In the system $TT_0$ any particular judgement, like
$$fst\ (a, b) : A$$
can be derived in two different ways. First we might use the rule which introduces that particular piece of syntax, in this case $(\wedge E_1)$. Alternatively, we might use one of the substitution rules, such as $(S_2)$, to derive the same result:
$$\frac{a \leftrightarrow\!\!\leftrightarrow b \qquad fst\ (a, a) : A}{fst\ (a, b) : A}\,(S_2)$$
The main results we prove are that in an appropriately modified system $A$ is a type is derivable from $a : A$ and that types are unique.
Definition 5.4 We say that a rule
$$\frac{J_1 \quad \ldots \quad J_k}{J}\,(R)$$
is derivable if whenever we have derivations $d_1, \ldots, d_k$ of the judgements $J_1 \ldots J_k$ then we can construct a derivation $d$ of the judgement $J$. In the case that application of the rule $R$ discharges any assumptions, then the appropriate assumptions should be discharged in the derivation $d$ constructed.
5.4.1 $A$ is a type is derivable from $a : A$
One property we might expect of the system is that the rule
$$\frac{a : A}{A \text{ is a type}}$$
should be derivable; we should not be able to derive elements of non-types or proofs of non-formulas. For this to be the case we have to modify the rules slightly. If we think about how to prove this property by induction over the derivation tree for $a : A$ then we see how the rules need to be changed. The proof will be constructive in that we define a derivation of $A$ is a type in each case.
The base case for the induction is the derivation
$$\frac{A \text{ is a type}}{x : A}\,(AS)$$
introducing the variable $x$, which can only be introduced if $A$ is a type is derivable.
For a derivation ending with $(\wedge I)$, for instance, we proceed by induction,
$$\frac{a : A \qquad b : B}{(a, b) : (A \wedge B)}\,(\wedge I)$$
If we assume the result for the hypotheses, then we can derive $A$ is a type and $B$ is a type, so using $(\wedge F)$ we derive $(A \wedge B)$ is a type.
There are cases for which the rules as they stand are inadequate; we have to add to them additional hypotheses of the form `$\ldots$ is a type'. We look at these in turn now.
The first candidate is the rule of $\vee$-introduction:
$$\frac{q : A}{inl\ q : (A \vee B)}\,(\vee I_1) \qquad\qquad \frac{r : B}{inr\ r : (A \vee B)}\,(\vee I_2)$$
In each of these rules we have a new type expression ($B$ or $A$) appearing below the line; we should only introduce such an expression if it is a type. We therefore revise the rules to
$$\frac{q : A \qquad B \text{ is a type}}{inl\ q : (A \vee B)}\,(\vee I'_1) \qquad\qquad \frac{r : B \qquad A \text{ is a type}}{inr\ r : (A \vee B)}\,(\vee I'_2)$$
We can see now that the judgement $(A \vee B)$ is a type can be constructed from a derivation of $\ldots : (A \vee B)$ if the last line of a derivation is a $\vee$-introduction.
In most cases we shall in fact omit the second premiss, as it will be clear from the context that it is derivable.
The next rule we look at is existential introduction
$$\frac{a : A \qquad p : P[a/x]}{(a, p) : (\exists x : A) . P}\,(\exists I)$$
In order to see that $(\exists x : A) . P$ is a type we need to know that the family $P$ is a type, assuming that $x : A$. We make this a third premiss of the rule.
$$\frac{a : A \qquad p : P[a/x] \qquad \begin{array}{c}[x : A]\\ \vdots \\ P \text{ is a type}\end{array}}{(a, p) : (\exists x : A) . P}\,(\exists I')$$
Again, we shall in practice suppress this third premiss.
Other rules which require additional premisses are the variant rules for disjunction, $(\vee E'')$, and existential elimination, $(\exists E)$, in which we substitute into a type family $C$. The revised rules are
$$\frac{p : (A \vee B) \qquad \begin{array}{c}[x : A]\\ \vdots \\ u : C[inl\ x/z]\end{array} \qquad \begin{array}{c}[y : B]\\ \vdots \\ v : C[inr\ y/z]\end{array} \qquad \begin{array}{c}[z : (A \vee B)]\\ \vdots \\ C \text{ is a type}\end{array}}{vcases''_{x,y}\ p\ u\ v : C[p/z]}\,(\vee E'')$$
$$\frac{p : (\exists x : A) . B \qquad \begin{array}{c}[x : A,\ y : B]\\ \vdots \\ c : C[(x, y)/z]\end{array} \qquad \begin{array}{c}[z : (\exists x : A) . B]\\ \vdots \\ C \text{ is a type}\end{array}}{Cases_{x,y}\ p\ c : C[p/z]}\,(\exists E)$$
where the additional hypotheses are that $C$ is a type family of the appropriate kind. In practice we shall suppress these extra hypotheses.
The final case we should consider is one in which the last rule applied is a substitution. Consider first the case of $(S_2)$:
$$\frac{c \leftrightarrow\!\!\leftrightarrow a \qquad p(c) : B(c)}{p(a) : B(a)}\,(S_2)$$
By induction we have a derivation of $B(c)$ is a type. Applying the instance of $(S_1)$ which follows, the result is clear.
$$\frac{c \leftrightarrow\!\!\leftrightarrow a \qquad B(c) \text{ is a type}}{B(a) \text{ is a type}}\,(S_1)$$
An instance of $(S_4)$ is similarly replaced by an instance of $(S_3)$.
Theorem 5.5 Using the modified system of rules outlined above, given a derivation of $a : A$ we can construct a derivation of $A$ is a type.
Proof: The proof proceeds by induction over the derivation of $a : A$ and follows the outline sketched above. $\Box$
We managed to prove the property above by adding sufficient type hypotheses to the rules so that each element derivation contains embedded derivations of the typehood of its various type expressions. In a practical system based on type theory, we would expect to separate these concerns as much as possible; once a type had been derived, we could construct elements of that type without an explicit re-derivation of the type.
Exercise
5.11. Complete the proof of theorem 5.5 above.
5.4.2 Unique types
In a language like Pascal, or indeed Miranda, the types of expressions are unique. Can we expect this to be the case for our system $TT_0$? In fact as the system is constructed at the moment, there are a number of reasons why this fails. We show why this is so, and how to build a system in which the property holds. The reasons the result fails for $TT_0$ are
• The duplication of the function space and product types, since these types can be seen as special cases of the universal and existential types. In future we take $A \Rightarrow B$ and $A \wedge B$ as shorthand for the quantifier forms.
• The injection operators $inl$ and $inr$ do not have unique ranges. Indeed,
$$inl\ 0$$
is a member of $(N \vee A)$ for any type $A$. We remedy this by labelling the injection operators with their range type, so that
$$inl_{(N \vee A)}\ 0 : (N \vee A)$$
We can now see the unlabelled operators as shorthand for these operators.
Theorem 5.6 In the theory T T0, if from a onsistent olle tion of assump-
tions we an derive the judgements a : A and a : B then A $
$ B.
Proof: The proof is performed by indu tion over the derivation of a : A.
Consider rst the ase of a variable x : A. Judgements of this sort will
be derived in one of two ways. First we may use the rule of assumptions,
in whi h ase there is only one hoi e of type A by the onsisten y of the
assumption set. Alternatively, we an use the substitution rule (S4 ) or (S2 ).
In the former ase, we have a derivation ending in
C $ $ A x : C (S )
x:A 4

Appealing to indu tion, the type of x is unique up to onvertibility, and the


nal step simply gives an equivalent typing to x. The ase of (S2 ) is similar.
For ea h synta ti form we have the possibility of using a substitution rule:
it is handled in the same way ea h time.
At the indu tion step we perform a ase analysis over the rule forming
the nal dedu tion of the derivation. We take as an example the rules for
disjun tion. If the expression has the form inl(A_B) q then this has type
(A _ B ) if and only if q : A, and B is a type. If the expression has two
types then the se ond type will be of the form (A0 _ B ), in ontradi tion to
the unique type of q, whi h we assume by indu tion. In a similar way, for
the elimination rule, the ( ases p f g) expression an only have two types
if both f and g have two, a ontradi tion. 2
Exer ises
5.12. Complete the proof of the previous result.
5.13. Show that the rules (S3 ) and (S4 ) are derivable in the system whi h
results from T T0 by deleting them. Can the rules (S1 ) and (S2 ) be derived
in a system entirely without substitution rules?
5.5 Computation

Up to now we have devoted the major part of our exposition to the static
properties of the system, in looking at how the various judgements are
derived. Whilst doing this we have introduced computation rules which are of
fundamental importance from the point of view of programming, since it is
these rules which define the dynamic behaviour of the system; how the
programs are executed, in other words. This section looks at the rules from
a general perspective.

The reduction rules are also used to generate a relation of conversion,
which is an equivalence relation; convertible objects are seen as being the
same, and this allows the substitution of one for the other in any context.

The issues of interest for reduction will be those we discussed first in
sections 2.3, 2.4 and 2.11. Does evaluation terminate (along all paths),
that is, is the system (strongly) normalising? Can any two evaluation
sequences be extended to yield a common expression, the Church-Rosser
property?

This will be the case for the system $TT_0$; in this section we present two
variants for which the results we require are available in the literature.
The first, $\widehat{TT_0}$, is one in which reduction, '$\to$', is limited.
This system possesses normalisation properties, but has the drawback that it
is not Church-Rosser.

The second system, called $TT_0^c$, is based on a quite different way of
introducing functions, and types, though it is equivalent to $TT_0$. Instead
of introducing binding operators like $\lambda$, or type forming operators like
$\forall$ and so on, functions are introduced as constants, each constant
having a corresponding reduction rule. Types are introduced in a similar
way. This bears a striking resemblance not only to the top-level form of
languages like Miranda, but also in its details to the methods of
$\lambda$-lifting [Joh85] and supercombinators [Hug83] used in functional
language implementations.

5.5.1 Reduction

When we evaluate an expression written in a functional programming language,
we expect the final result to be presented in some printable form. We are
familiar with Arabic notation for numbers, and lists, trees and so on can be
represented in syntactic form. How is a function from (for example) $N$ to
$N$ to be printed? Two options present themselves.

• A function is described extensionally if we say what is its value on every
argument; an infinite amount of information needs to be printed, which is
infeasible.

• The alternative is to print some representation of a program for the
function. Different results will not necessarily denote different functions,
yet since (extensional) equality between functions can't be implemented, we
cannot give a standard representation to each function. The difficulty with
implementing extensional equality is that in order to conclude that two
functions are equal, an infinite amount of data has to be surveyed, and this
operation is simply not computable.

In a sense, this is not a problem, because the results we will be interested
in will be finite. (This approach does not ignore the 'infinitary' lists of
languages like Miranda; these are a sequence of finite results, produced
one-by-one, rather than a single infinite result.) We say that a type is
ground if it involves no (embedded) function or universally quantified
types, and we identify the printable values to be those of ground type. The
evaluation of an object of functional type is declined politely, at least by
the Miranda system.

In the untyped $\lambda$-calculus, everything interesting has to be represented
by a function, and the unrestricted rule of $\beta$-reduction is invaluable. In
the untyped context we have to extract meaningful information precisely from
representations of functions. ([Abr90] gives a penetrating analysis of the
untyped $\lambda$-calculus from the point of view of making it consistent with
evaluation in untyped functional languages.) For this reason, the rule that
if $e \to f$ then $\lambda x.e \to \lambda x.f$, even with $x$ free in $e$ and $f$, is
of central importance. (We call a redex within an expression like $\lambda x.e$
a redex within a lambda.)

Evaluation of printable values in the typed situation is quite different.
Functions are ultimately applied to their arguments, and so any reduction
within the body of a $\lambda$-abstraction can be deferred until the argument
has replaced the bound variable. In a simple case we can see this in action:
$$(\lambda x.(II)x)\,2 \to (\lambda x.Ix)\,2 \to (\lambda x.x)\,2 \to 2$$
can alternatively be reduced thus:
$$(\lambda x.(II)x)\,2 \to (II)\,2 \to I\,2 \to 2$$
Indeed, it is not hard to see that there will be no reductions within a
lambda on the leftmost-outermost reduction sequence (c.f. section 2.3). This
is because if the leftmost-outermost redex ever lies within a lambda then
the lambda will never be reduced, since altering the internal redex will
change nothing outside the lambda. (This is illustrated by the example
above, where the second sequence is the leftmost-outermost one.)

The argument we have given is to motivate the definition of reduction for
the system $\widehat{TT_0}$ which we introduce next.

Exercise
5.14. In the untyped $\lambda$-calculus, the natural number $n$ is represented by
the function "apply $n$ times", that is
$$\lambda f.\lambda x.\underbrace{f(f \ldots f(f\,x) \ldots)}_{n}$$
and addition is represented by the function
$$add \equiv_{df} \lambda f.\lambda g.\lambda h.\lambda x.\ f\,h\,(g\,h\,x)$$
Show that $add\ 2\ 3$ reduces to $5$, but observe that the unrestricted
$\beta$-reduction rule must be used to achieve the result.

5.5.2 The system $\widehat{TT_0}$

The system $\widehat{TT_0}$ contains the same rules of formation, introduction,
elimination and computation. We only change the definition of the relation
'$\to$', with the consequent effect on '$\to\to$' and
'$\leftrightarrow\leftrightarrow$', as follows:

Definition 5.7 We say that one expression $e$ reduces to another $f$ in a
single step if the following conditions hold. First, $e$ can be represented
thus: $e \equiv g[e'/z]$, with the additional property that this $z$ occurs
within none of the binding constructs of the language which appear in the
expression. We also require that $e'$ reduces to $f'$ according to one of the
computation rules, and finally that $f$ is the result of substituting this
reduced form into $g$, that is $f \equiv g[f'/z]$.

This weaker notion of reduction is related to the idea of weak head normal
form which we discussed earlier. We have reached a similar notion by
changing the definition of reduction itself, rather than the definition of
normal form, which we leave alone.

The important result about this system follows.

Theorem 5.8 (Troelstra) The system $\widehat{TT_0}$ is strongly normalising.

Proof: The proof, given in [Tro87], is by means of a translation into
another system entirely, for which the strong normalisation theorem is a
simple generalisation of our proof in section 2.7.

The system in question is that of intuitionistic finite-type arithmetic,
which is known as $N\text{-}HA^{\omega}$ in the encyclopaedic [Tro73]. The
system contains the type structure of products and function spaces built
over the type $N$. The normalisation result for the system without products
is in [Tro73], 2.2.30, and it is shown in [Tro86] how products may be
eliminated from the system.

The translations of the type $A$ and the term $a$ are written $A^*$ and $a^*$.
The crucial property of the translation is that although some of the power
of $\widehat{TT_0}$ is lost in the translation, reduction is preserved, so that
if $a \to b$ in $\widehat{TT_0}$ then $a^* \to b^*$ in $N\text{-}HA^{\omega}$. A
non-terminating sequence in the original system will give rise to one in
the target system, contradicting its strong normalisation property.

The translation goes as follows (note that '$0$' is used for the type $N$ in
[Tro73]; we shall use $N$):
$$N^* \equiv_{df} N$$
which is the obvious translation. The identity types, which have one
element, are represented thus also:
$$(I(A,a,b))^* \equiv_{df} N$$
with its single element being represented by $0$. In a similar way we can
also represent the booleans, and indeed all the finite types.

In choosing to represent the $I$-types by a constant type $N$ we have removed
any dependency of the types on values, so that we say
$$((\forall x : A).B)^* \equiv_{df} A^* \Rightarrow B^* \qquad ((\exists x : A).B)^* \equiv_{df} A^* \times B^*$$
representing the quantified types by their non-variable special cases. The
elements of these types have images given by
$$(\lambda x.e)^* \equiv_{df} \lambda x.(e^*)$$
$$(a,b)^* \equiv_{df} (a^*, b^*)$$
The only slight trick is in coding the sum type, which is mapped into a
product
$$(A \vee B)^* \equiv_{df} N \times A^* \times B^*$$
We represent $(inl\ a)$ by $(0, a^*, 0_B)$ and $(inr\ b)$ by $(1, 0_A, b^*)$.
The values $0_A, 0_B$ are fixed 'dummy' values which are constant zero
functions or products of same, depending on the form of the types $A$, $B$
etc. The operation of primitive recursion over $N$ is sufficient to
implement the cases operator over the disjoint sum.

To complete the proof we simply need to check that if $a \to b$ then
$a^* \to b^*$, which we leave as an exercise for the reader. $\Box$

We should remark that the system $N\text{-}HA^{\omega}$ is simpler than
$\widehat{TT_0}$ as it does not contain dependent types. As can be seen from
the proof, the reduction properties of the system are preserved by a
translation which loses these dependencies, reducing the universal and
existential types to function space and product respectively.

There is a problem with the system $\widehat{TT_0}$. The Church-Rosser property
fails for it, as can be seen from the following functional term.
$$(\lambda x.(\lambda y.x))\,(II) \to (\lambda x.(\lambda y.x))\,I \to \lambda y.I$$
On the other hand, if we reduce the outer redex first,
$$(\lambda x.(\lambda y.x))\,(II) \to \lambda y.(II)$$
The final terms of these sequences are normal forms, since no reduction is
permitted inside a $\lambda$, and distinct, so there is no term to complete the
diamond between the two.

This failure is for a term with a functional type, so we might ask whether
we can claim a limited result for ground types. It looks as though there
should be such a result, but quite how it would be established is an open
question. The failure at the functional type is, in fact, still distressing
for reasons which will become clearer as we proceed. Without the
Church-Rosser property we cannot establish the uniqueness of normal forms,
which would in turn give us that the relation '$\leftrightarrow\leftrightarrow$'
is decidable: we reduce two terms to their normal forms, and then see if the
two are identical. The system which follows will have these desirable
properties.

Exercises
5.15. Show that in the proof of theorem 5.8 the translation respects
reduction, so that if $a \to b$ then $a^* \to b^*$.
5.16. Argue that objects in normal form in the system $\widehat{TT_0}$ are in
weak head normal form in a system with unrestricted $\beta$-reduction.

5.5.3 Combinators and the system $TT_0^c$

In the last section we modified the definition of '$\to$', disallowing
reduction under the $\lambda$; here we modify the system giving an entirely
different account of functional abstraction and type formation.

All the systems we have looked at so far have shared one aspect: each has
used $\lambda$-abstraction as a means of forming terms of functional type. Given
a term $e$ generally involving the variable $x$ amongst others, we can form
the term $\lambda x.e$ with the property that
$$(\lambda x.e)\,a \to e[a/x]$$
Instances of this might be the term $\lambda x.(x+y)$, and the term
$\lambda x.(II)$, in which the redex $(II)$ is still visible.

An alternative is to make a function or combinator definition for the term,
saying
$$f\,x \to e$$
but there is a problem with doing simply this, exemplified by the addition
example we saw above. Our definition would state
$$f\,x \to (x+y)$$
which contains an unbound variable on the right-hand side. To make a proper
definition of a function we need to include the variable $y$ amongst the
arguments, and say
$$f\,y\,x \to (x+y)$$
The term $\lambda x.(x+y)$ will now be replaced by the term $(f\,y)$, as it is
this application which represents the abstraction over $x$. In general, a
function constant formed in this way needs to have as arguments not only the
abstracted variable, but also all the other variables free in the
expression. These variables can be called the parameters of the definition.
In order to form the abstraction of interest, these parameters must then be
passed to the constant to form the required abstraction. In the case of the
addition function above, the abstraction over $x$ is given by the term
$(f\,y)$ and not the 'bare' constant $f$.

For our second example above, $\lambda x.(II)$, the definition is simpler; we
just have to write
$$c\,x \to (II)$$
and form the term $c$. Note that in the constant $c$ there is no redex. This
method of constant definitions hides from view the redexes within the bodies
of functions, only making them visible when the function is applied to
sufficiently many arguments.

Definition 5.9 Combinator abstraction. Suppose that the derivation of the
judgement
$$e : B$$
depends upon the assumptions
$$x_1 : A_1, \ldots, x_k : A_k, x : A$$
then we can form a new function constant $f$ which will take arguments of
the types $A_1, \ldots, A_k$ (as 'parameters') and $A$, giving a result of type
$B$. In other words, we can introduce the term
$$f\,x_1 \ldots x_k$$
of type $(\forall x : A).B$. The computation rule for the term $f$ is given by
$$f\,x_1 \ldots x_k\,x \to e$$
We can give the type of the new constant $f$ directly:
$$(\forall x_1 : A_1).\ldots.(\forall x_k : A_k).(\forall x : A).B$$
which, when none of the dependencies are exhibited by $B$, reduces to
$$A_1 \Rightarrow \ldots \Rightarrow A_k \Rightarrow A \Rightarrow B$$
The introduction rule can be written in a familiar form, thus
$$\frac{\begin{array}{c}[x : A]\\ \vdots \\ e : B\end{array}}{f\,x_1 \ldots x_k : (\forall x : A).B}\;(\forall I)$$
where the undischarged assumptions of the derivation of the hypothesis are
$x_1 : A_1, \ldots, x_k : A_k$, and the new constant to be introduced is called
$f$. The computation rule is stated above and the formation and elimination
rules for the type $(\forall x : A).B$ (and therefore for the implication
$A \Rightarrow B$) are as before.

Let us consider a simple example. Assuming we have derived that $A$ and $B$
are types then on the basis of the assumptions
$$x : A,\ y : B$$
we can derive
$$x : A$$
Suppose we wish to form the (informal) expression $\lambda x.\lambda y.x$; we first
have to abstract over $y$. In doing this we produce a binary function
constant, $f$, which will take the free variable $x$ as an argument as well as
the variable $y$ which is the variable bound by the definition
$$f\,x\,y \to x$$
and we form the term
$$f\,x : (B \Rightarrow A)$$
which is based on the assumption of $x : A$. Now we can abstract over $x$,
giving the constant $g$, with the property
$$g\,x \to f\,x$$
and the type
$$g : A \Rightarrow (B \Rightarrow A)$$
(In fact in this case $f$ and $g$ have the same properties, but in general
the second and subsequent abstractions are non-trivial.) We can consider the
example of the term which gives a counter-example to the Church-Rosser
property for the system $\widehat{TT_0}$,
$$(\lambda x.(\lambda y.x))\,(II)$$
This is now represented by the term $(g\,(II))$, which reduces thus:
$$g\,(II) \to f\,(II) \to f\,I$$
The whole term $f\,(II)$ does not itself form a redex since the function
constant $f$ has two formal arguments in its reduction rule, and in this
situation it is presented with only one; the Church-Rosser theorem is not
violated in this particular case. It is in fact never violated, as we shall
see in the next section.

It appears from what we have said so far that no reduction can take place
inside an abstraction. In the example of $\lambda x.(II)$ we saw that it was
rendered by the constant $c$ with the reduction rule
$$c\,x \to (II)$$
so that no reduction of the functional term itself, given by $c$, is
possible. The crucial observation to be made here is that the same
$\lambda$-expression may be represented in different ways by constant
abstraction. The clue to this is to see the expression $II$ as an instance
of a parameter, in which case we see the whole expression as an instance of
the expression
$$\lambda x.y$$
with $y$ of the appropriate type. Abstraction here leads to the constant
$$c'\,y\,x \to y$$
with the particular expression represented by
$$c'\,(II)$$
In this representation of $\lambda x.(II)$ the redex $(II)$ is visible, and so
may be reduced, yielding $c'\,I$, which represents $\lambda x.I$.

Definition 5.10 A proper subexpression $f$ of a lambda expression $e$ is a
free subexpression of $e$ with respect to $x$ if the variable $x$ does not
appear free in $f$. Such an expression is a maximal free expression (or mfe)
with respect to $x$ if it is free with respect to $x$ and moreover is maximal
such: it is not a proper sub-expression of an mfe with respect to $x$.

Definition 5.11 Supercombinator abstraction. To form the supercombinator
abstraction of $e$ over $x$ we first identify the mfes $f_1, \ldots, f_l$ of $e$
with respect to $x$. We now introduce a new constant $g$ with the reduction
rule
$$g\,k_1 \ldots k_l\,x \to e[k_1/f_1, \ldots, k_l/f_l]$$
The abstraction of $e$ over $x$ is given by
$$g\,f_1 \ldots f_l$$
The formal parameters $k_1 \ldots k_l$ replace the maximal free expressions,
to which the function constant is then applied.
Now we look at a particular example, the supercombinator abstraction
$$\lambda x.\lambda y.((II)x)$$
First we form the supercombinator abstraction
$$\lambda y.((II)x)$$
There is a single mfe in the body, $((II)x)$, so we form the constant $c$
whose reduction rule is
$$c\,k_1\,y \to k_1$$
with the expression
$$c\,((II)x)$$
forming the supercombinator abstraction over $y$. Now we abstract over $x$.
There is a single mfe in the expression above, $(II)$, and we form the
constant $d$ with reduction rule
$$d\,k_1\,x \to c\,(k_1\,x)$$
the final abstraction being
$$d\,(II)$$
It is important to observe that the redex $(II)$ is visible in this
supercombinator abstraction. This is the case in general.
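As an added example that is not the book's own code, here is a small Python toolkit for the two ideas of this section and the last: the restricted reduction of Definition 5.7, run on the term $(\lambda x.(\lambda y.x))\,(II)$ that breaks the Church-Rosser property for $\widehat{TT_0}$ and on $add\ 2\ 3$ from exercise 5.14, and the supercombinator abstraction of Definition 5.11, run on $\lambda x.\lambda y.((II)x)$ above. The tuple encoding of terms and every function name are my own; function constants are just named tuples with no reduction rules of their own, and `subst` refuses variable capture instead of renaming, which suffices for the closed terms used here.

```python
# Added example, not from the book: lambda terms as nested tuples, the restricted
# reduction of Definition 5.7 (no contraction under a lambda) and the
# supercombinator abstraction of Definition 5.11. Names and helpers are my own.
def V(x): return ('var', x)          # variable x
def L(x, b): return ('lam', x, b)    # abstraction \x . b
def A(f, a): return ('app', f, a)    # application f a
def K(n): return ('const', n)        # function constant introduced by abstraction
I = L('x', V('x'))                   # the identity combinator I

def free_vars(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'const': return set()
    if t[0] == 'lam': return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

def subst(t, x, s):
    """t[s/x]; refuses capture instead of renaming (never triggered by the closed terms used here)."""
    if t[0] == 'var': return s if t[1] == x else t
    if t[0] == 'const': return t
    if t[0] == 'lam':
        if t[1] == x: return t
        if t[1] in free_vars(s): raise ValueError('capture of %s: rename first' % t[1])
        return L(t[1], subst(t[2], x, s))
    return A(subst(t[1], x, s), subst(t[2], x, s))

def weak_step(t, inner_first=False):
    """One step of Definition 5.7: contract a redex lying under no lambda; None if t is in weak nf."""
    if t[0] != 'app': return None                   # never enter a binder
    f, a = t[1], t[2]
    if not inner_first and f[0] == 'lam': return subst(f[2], f[1], a)
    r = weak_step(f, inner_first)
    if r is not None: return A(r, a)
    r = weak_step(a, inner_first)
    if r is not None: return A(f, r)
    return subst(f[2], f[1], a) if f[0] == 'lam' else None

def weak_nf(t, inner_first=False, fuel=10000):
    """Iterate weak_step until no free redex is left; the strategy picks which nf."""
    for _ in range(fuel):
        r = weak_step(t, inner_first)
        if r is None: return t
        t = r
    raise RuntimeError('no weak normal form within %d steps' % fuel)

def nf(t):
    """Unrestricted beta-reduction, under lambdas too (terminates for the SN terms used here)."""
    if t[0] in ('var', 'const'): return t
    if t[0] == 'lam': return L(t[1], nf(t[2]))
    f = nf(t[1])
    return nf(subst(f[2], f[1], t[2])) if f[0] == 'lam' else A(f, nf(t[2]))

def church_rosser_failure():
    """The section's counter-example (\\x.\\y.x)(I I): two distinct weak normal forms."""
    t = A(L('x', L('y', V('x'))), A(I, I))
    return weak_nf(t), weak_nf(t, inner_first=True)

def church(n):                       # constructed Church numeral \f.\x. f(...(f x))
    body = V('x')
    for _ in range(n): body = A(V('f'), body)
    return L('f', L('x', body))
ADD = L('f', L('g', L('h', L('x', A(A(V('f'), V('h')), A(A(V('g'), V('h')), V('x')))))))

def numeral_value(t):
    """Read n back from \\f.\\x. f(...(f x)); None if t does not have that shape."""
    if t[0] != 'lam' or t[2][0] != 'lam': return None
    f, body, n = t[1], t[2][2], 0
    while body[0] == 'app' and body[1] == V(f):
        body, n = body[2], n + 1
    return n if body == V(t[2][1]) else None

def mfes(e, x):
    """Maximal free expressions of e with respect to x (Definition 5.10). Constants are
    never parameters; if x does not occur in e, all of e is the one parameter (as for \\x.(I I))."""
    if x not in free_vars(e): return [e]
    found = []
    def walk(t):                     # t is a proper subexpression of e
        if t[0] == 'const': return
        if x not in free_vars(t):
            if t not in found: found.append(t)
        elif t[0] == 'lam': walk(t[2])
        elif t[0] == 'app': walk(t[1]); walk(t[2])
    if e[0] == 'lam': walk(e[2])
    elif e[0] == 'app': walk(e[1]); walk(e[2])
    return found

def replace_subterms(t, table):
    """e[k1/f1, ..., kl/fl]: each maximal free expression becomes a parameter."""
    if t in table: return V(table[t])
    if t[0] == 'lam': return L(t[1], replace_subterms(t[2], table))
    if t[0] == 'app': return A(replace_subterms(t[1], table), replace_subterms(t[2], table))
    return t

def super_abstract(e, x, name):
    """Definition 5.11: the rule (name, [k1, ..., kl, x], body) and the term  name f1 ... fl."""
    fs = mfes(e, x)
    ks = ['k%d' % (i + 1) for i in range(len(fs))]
    rule = (name, ks + [x], replace_subterms(e, dict(zip(fs, ks))))
    term = K(name)
    for f in fs: term = A(term, f)
    return rule, term

def book_example():
    """\\x.\\y.((I I) x) from the text: abstract over y, then over x."""
    e = A(A(I, I), V('x'))
    rule_c, over_y = super_abstract(e, 'y', 'c')       # c k1 y -> k1,       term c ((I I) x)
    rule_d, over_x = super_abstract(over_y, 'x', 'd')  # d k1 x -> c (k1 x), term d (I I)
    return rule_c, over_y, rule_d, over_x
```

With the outer-first and inner-first strategies `weak_nf` returns $\lambda y.(II)$ and $\lambda y.I$ respectively, while `nf` takes both to $\lambda y.I$, and `weak_nf` leaves $add\ 2\ 3$ stuck at a non-numeral that `nf` reduces to the numeral 5. `book_example` returns the constant $d$ with rule $d\,k_1\,x \to c\,(k_1\,x)$ and the term $d\,(II)$, in which `weak_step` contracts the visible redex.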
Definition 5.12 The system $TT_0^c$ is defined from $TT_0$ as follows. All
the type forming rules are modified so that types are introduced as
constants. The parameters may be chosen to make certain redexes visible and
others invisible. The rules of function and universal quantifier
introduction are modified as above, as is the rule $(\vee E'')$ which uses the
binding operator $vcases_{\cdot,\cdot}$.

Lemma 5.13 If we use the supercombinator abstraction algorithm to give
functional abstraction in $TT_0^c$, then all the redexes which could be
reduced in the system $\widehat{TT_0}$, that is all redexes which are free, can
be reduced in $TT_0^c$.

There is therefore an embedding of the system $\widehat{TT_0}$ within $TT_0^c$
which preserves the reduction and computation properties of the former. We
shall investigate these properties for $TT_0^c$ in the following section, and
claim the obvious corollaries for $\widehat{TT_0}$ there too.

Note that for readability we shall retain the old notation of type forming
operations, but we should always recall that it is a shorthand for a
notation which is more expressive in allowing a particular expression to be
described in different ways, making redexes visible or invisible.

Exercises
5.17. Give the combinator and supercombinator abstractions for the term
$$h \equiv_{df} \lambda a.\lambda b.\lambda c.(a\,b\,c)$$
5.18. Follow the evaluation behaviour of the expression $h\,(II)\,(II)\,3$
using the two versions of the code compiled in the previous exercise.
5.19. Give a proof of lemma 5.13 above.

5.6 $TT_0^c$: Normalisation and its corollaries

In this section we shall prove that every term of the type theory $TT_0^c$
has a normal form, a result which can be strengthened to a strong
normalisation result. The proof is a Tait-style proof, as first seen in
section 2.7, and it is based on Martin-Löf's proof of normalisation for his
1975 system, in [ML75b]. Its exposition is simpler in omitting the proof
information which Martin-Löf's proof carries (this was done originally to
make the proof locally formalizable in the [type] theory itself ([ML75a],
section 2.1.4)); the approach here is not so formal. The result is proved in
such a way that it has a number of important corollaries for the system,
including the facts that normal forms are unique, and the Church-Rosser
property for reduction holds. Martin-Löf observes that the Church-Rosser
property does not have a direct combinatorial proof to his knowledge, this
route providing the only means of proof.

As we have seen a number of times up to now, the fact that in type theory
the types and the objects are defined by a simultaneous induction means that
we have to prove things in a different manner than in the typed
$\lambda$-calculus. In section 2.7 we were able first to define stability by
induction over the types, and then to show all elements are stable. Here we
work by induction over the derivations of closed judgements
$$a : A \qquad A \text{ is a type}$$
(a closed judgement is one which depends upon no assumptions, and so in
particular one for which $a$ and $A$ are closed). The induction defines

• $A'$, a closed normal form of $A$.

• $a'$, a closed normal form of $a$ so that $a \to\to a'$. $a'$ is also a member
of the set $\|A\|$.

• $\|A\|$, the set of stable terms of type $A$, which are members of the type
$A'$. Our proof will show that each closed term is reducible to a stable
term, and these terms are clearly seen to be closed and normal.

Because assumptions in open derivations can be discharged, we need also to
look at open judgements and derivations. For the open judgement $a : A$, made
in the context
$$x_1 : A_1, \ldots, x_n : A_n$$
we also define functions $a'$ and $A'$, depending upon (meta-)variables
$$x_1', \ldots, x_n'$$
which range (respectively) over closed normal terms of type
$$A_1', \ldots, A_n'(x_1', \ldots, x_{n-1}')$$
It is important to note that these functions are not defined by terms of the
system, in general: they are the operations which assign closed normal forms
depending upon the closed normal forms which are their parameters. To choose
a concrete example, if $a : N$ depends upon $x : N$, then $a'$ will be a
function from numerals to numerals, since numerals are the closed normal
forms of natural number type.

We require two conditions of the functions $a'$ and $A'$.

• First we require that for all closed normal forms
$$a_1' : A_1', \ldots, a_n' : A_n'$$
we have the property
$$a[a_1'/x_1', \ldots, a_n'/x_n'] \to\to a'[a_1'/x_1', \ldots, a_n'/x_n']$$
(There is a similar definition for $A'$.)

• We also require that the definitions commute with substitution. Given
derivations of
$$a_1 : A_1, \ldots, a_n : A_n[a_1/x_1, \ldots, a_{n-1}/x_{n-1}]$$
we require that
$$(a(a_1, \ldots, a_n))' \equiv a'(a_1', \ldots, a_n')$$
with a similar definition for $A'$. (Recall that we use $\equiv$ to mean
'identical up to change of bound variable'.) In the proof we say that $a'$ is
parametric if it has this pair of properties.
Theorem 5.14 (Normalisation for $TT_0^c$) Every closed term $b$ of type
theory has a normal form $b'$, and moreover if $b \leftrightarrow\leftrightarrow c$
then $b' \equiv c'$.

Proof: As outlined above we use induction over the length of derivations of
judgements. We must go through the constructs of the theory in turn. We must
also verify at each step that the normal forms assigned to the two sides of
a computability rule like
$$fst\,(a,b) \to a$$
are equal; this is used in proving that the normal forms given to
convertible terms are identical. We shall not cover the cases of function
spaces or conjunctions as they are simply special cases of universally and
existentially quantified types.

Before we look at the cases in turn, it is worth examining the exact
mechanism for type formation in $TT_0^c$. Suppose we want to form a type like
$$(\forall x : N).I(N, f\,x, 0+0)$$
then there are a number of ways of so doing. In the first we simply form a
new type constant on this basis, but we may also form a type operator which
is parametrised over $y$, yielding
$$(\forall x : N).I(N, f\,x, y)$$
In our particular case we apply this to the (free) expression $0+0$, allowing
this to be reduced. If an expression is so parametrised, then in the normal
form parameters will themselves be reduced to normal form. In the following
we assume that types are not parametrised, but this is simply for notational
clarity.

Case $x$ a variable

We define $x'$ to be the (informal) variable $x'$. Obviously this is
parametric.

Case $\forall$

The formation rule introduces a new constant, for which we use the shorthand
$((\forall x : A).B)$. As we said above, we shall assume that the type is not
parametrised, and so we define
$$((\forall x : A).B)' \equiv_{df} (\forall x : A).B$$
We make similar definitions for the other type forming operations, apart
from the $I$-types. The set of stable terms of this type,
$\|((\forall x : A).B)\|$, contains all those closed normal terms $c'$ of type
$(\forall x : A).B$ with the property that for all closed normal forms (nfs)
$a'$ in $A'$, $(c'\,a')$ reduces to a closed normal form in $B'[a'/x]$.

$\forall$ introduction gives a $\lambda$-abstraction, $\lambda x.e$. If we use
supercombinator abstraction, we have a new constant $f$
$$f\,k_1 \ldots k_l\,x \to e[k_1/f_1, \ldots, k_l/f_l]$$
where $f_1 \ldots f_l$ are the maximal free expressions of $e$ with respect to
$x$. The abstraction itself is defined to be
$$f\,f_1 \ldots f_l$$
Now, the normal form of $f$ is
$$f' \equiv_{df} f$$
and the normal form for the expression $(f\,f_1 \ldots f_l)$ is given by the
clause for $\forall$ elimination below.

If we restrict ourselves to the simple case of no parameters $k_i$, then $f'$
is stable since for any nf $a'$,
$$f'\,a' \to e[a'/x] \to\to e'[a'/x] \equiv (e[a/x])'$$
the equivalence holding by the parametricity property for $e$, which we
assume by induction. For the general case we argue in a similar way, also
invoking the case for $\forall$ elimination below.

$\forall$ elimination gives an application. We define $(f\,a)'$ to be the
closed normal form to which $(f'\,a')$ reduces, which exists by induction and
the definition of convertibility for the universal type. The computation
rule for $\forall$ states that
$$f\,a \to e[a/x]$$
now observe that
$$(f\,a)' \equiv e'[a'/x] \equiv (e[a/x])'$$
The first equivalence holds by the definition of convertibility for the
$\lambda$-abstraction and the second by parametricity for $e'$.

It is not hard to see that the definitions for $\forall$-introduction and
elimination are parametric.

Case $\exists$

As for the universal type, we define
$$((\exists x : A).B)' \equiv_{df} (\exists x : A).B$$
The stable terms of this type are pairs of stable terms, $(a', b')$, with
$a' : A'$ and $b' : B'[a'/x]$. The introduction rule introduces a pair, and
we say that
$$(a,b)' \equiv_{df} (a', b')$$
The elimination rules $(\exists E_1')$ and $(\exists E_2')$ introduce the
projection operators. If we have terms
$$Fst\,p \qquad Snd\,p$$
then $p'$, the nf of $p$, will be a pair $(q', r')$. We therefore set
$$(Fst\,p)' \equiv_{df} q' \qquad (Snd\,p)' \equiv_{df} r'$$
A pair of parametric terms will be parametric, as will be the components of
a parametric pair, so the two constructs preserve parametricity. This will
apply similarly in all other cases of non-variable-binding constructs.
Finally we should check that the normal forms of the two sides of the
computation rules are identical. The rules state that
$$Fst\,(q,r) \to q \qquad Snd\,(q,r) \to r$$
By the definitions above
$$(Fst\,(q,r))' \equiv (Fst\,(q',r')) \equiv q'$$
as we require. A similar proof shows the result for $Snd$.

Case $\vee$

We define
$$(A \vee B)' \equiv_{df} (A' \vee B')$$
and take the set of stable elements, $\|(A \vee B)\|$, to be
$(\|A\| \vee \|B\|)$.

In introducing an element of a disjunction we inject the object into either
the left-hand or right-hand side. We define
$$(inl\,a)' \equiv_{df} inl\,a' \qquad (inr\,b)' \equiv_{df} inr\,b'$$
In eliminating an element by means of $(\vee E')$ we use the $vcases'$
construct, $vcases'_{x,y}\,p\,u\,v$. $p'$ will take the form of $(inl\,q')$ or
$(inr\,r')$. In the first case, let
$$(vcases\,p\,u\,v)' \equiv_{df} u'[q'/x]$$
and in the second
$$(vcases\,p\,u\,v)' \equiv_{df} v'[r'/x]$$
The forms defined are stable by the parametricity property, which is also
preserved by the definition. It is also easy to check that the definitions
respect the computation rules for $vcases$.

Case $\bot$

The nf of $\bot$, $\bot'$, is $\bot$ itself, and the set of stable terms is the
empty set. There are no introduction rules for terms of type $\bot$, but
there is the elimination rule. We write
$$(abort_A\,p)' \equiv_{df} abort_{A'}\,p'$$
This clearly satisfies parametricity. As there is no introduction rule,
there is no computation rule, and therefore no condition to check. In fact
this case is a special case of the finite types, which follow.

Case $N_n$

The nf of $N_n$ is $N_n$, and the stable terms are
$$1_n, \ldots, n_n$$
so that it is easy to see that for the introduction rules we have
$$1_n' \equiv_{df} 1_n, \ldots, n_n' \equiv_{df} n_n$$
For the elimination rule we have the $n$-way case statement
$$cases_n\,e\,c_1 \ldots c_n$$
The nf of $e$ will be $m_n$ for some $1 \le m \le n$. We define
$$(cases_n\,m_n\,c_1 \ldots c_n)' \equiv_{df} c_m'$$
Again, parametricity is plain. The computation rule selects the appropriate
case according to the value of the object of type $N_n$; this is respected
by the definition.

Note that this also covers the special cases of $\top$, $bool$, and indeed
$\bot$.

Case $N$

$N'$ is defined to be $N$, and the collection of stable terms is defined by
(meta-theoretical) induction thus:

• $0$ is a stable term.

• $(succ\,n)$ is a stable term if $n$ is.

It should be clear how we define the nfs for the introduction rules:
$$0' \equiv_{df} 0 \qquad (succ\,n)' \equiv_{df} (succ\,n')$$
In the case of elimination, we have terms of the form
$$prim\,m\,c\,f$$
The nf $m'$ will be either $0$ or $(succ\,n)$ for some $n$. By an induction
over the nf we say that
$$(prim\,0\,c\,f)' \equiv_{df} c'$$
$$(prim\,(succ\,n)\,c\,f)' \equiv_{df} y$$
where $y$ is the nf of the term given by the application
$$f'\,n\,(prim\,n\,c\,f)'$$
which exists by the definition of the nfs $f'$ of functional type together
with the fact that $n$ and $(prim\,n\,c\,f)'$ are themselves nfs.
Parametricity and respecting the computation rule follow.

We treat the type $tree$ in an analogous way.

Case $I$

We say that
$$I(A,a,b)' \equiv_{df} I(A',a',b')$$
and that the set of stable terms consists of $r(a')$. The introduction rule
introduces $r$, and we say
$$(r(a))' \equiv_{df} r(a')$$
In an elimination we form $J(c,d) : C(a,b,c)$. The only normal form $c$ can
have is $r(a')$, and we say
$$(J(r(a'),d))' \equiv_{df} d'$$
Since in the computation rule we reduce $J(r(a),d)$ to $d$, we see that this
rule is respected by the definition of the nf. Again, parametricity is
preserved.

This exhausts all the cases, and so we have shown that all closed terms have
a closed normal form. We have also verified that for each reduction rule
$b \to c$, the nfs are equal: $b' \equiv c'$. An induction over the relation
'$\leftrightarrow\leftrightarrow$' is enough to show that if
$b \leftrightarrow\leftrightarrow c$ then $b' \equiv c'$.

This completes the proof of the normalisation theorem. $\Box$
The normalisation result is important in itself, showing that all expres-
sions have a value, and in parti ular that all expressions of ground type
have a printable value, but also the proof itself an yield other results.
Corollary 5.15 There is a model of the system T T0 .
Proof: Using the proof of the theorem, types may be modelled by the
sets kAk, and losed terms a by their ( losed) normal forms a0 , whi h are
members of the sets kAk. 2
Corollary 5.16 If a and b are losed normal terms whi h are inter onvert-
ible then they are identi al.
Proof: Martin-Lof attributes this result to Peter Han o k. a and b redu e
to a0 and b0 respe tively, but as a and b are normal, a  a0 and b  b0 . Also,
we know from the proof that if a $ $ b then a0  b0 , whi h gives the result
by the transitivity of `'. 2
Corollary 5.17 Normal forms are unique.
Proof: If $a$ has two normal forms $b$ and $c$, they are interconvertible, and so by corollary 5.16 they are identical. $\Box$
Theorem 5.18 (Church Rosser) If $a$ and $b$ are closed terms, then $a \leftrightarrow\!\!\leftrightarrow b$ if and only if $a$ and $b$ have a common reduct.
Proof: The `if' part is obvious. If $a \leftrightarrow\!\!\leftrightarrow b$ then the normal forms $a'$ and $b'$ will be interconvertible, and so identical. This normal form is a common reduct. $\Box$
Theorem 5.19 The normal forms in $TT_0$ take the following forms:

Type                                       Normal Form
$A \wedge B$, $(\exists x : A) . B$        $(a', b')$
$A \Rightarrow B$, $(\forall x : A) . B$   $f'$
$A \vee B$                                 $(inl\ a')$, $(inr\ b')$
$I(A, a, b)$                               $r(a')$
$N_n$                                      $m_n$
$N$                                        $0$, $(succ\ n')$
$tree$                                     $Null$, $Bnode\ n'\ u'\ v'$

where $a', b', \ldots$ are themselves closed normal forms.
Proof: The normal forms $a'$ given in the normalisation theorem have the forms above. By corollary 5.17 any normal form will be identical with one of the forms produced in 5.14. $\Box$
Theorem 5.20 The convertibility relation is decidable: there is a mechanical procedure which decides for arbitrary $a$, $b$ whether $a \leftrightarrow\!\!\leftrightarrow b$.
Proof: To decide, reduce $a$ and $b$ to their normal forms, as in 5.14. $a$ and $b$ are convertible if and only if $a'$ and $b'$ are identical. $\Box$
This is a desirable result. We ordained earlier that we would treat interconvertible expressions as denoting the same object, and that we would be able to substitute convertible elements for each other. With this result we are able to decide when two derivations are identical, in that we can check when the terms and types appearing in them can be taken to denote the same object.
Martin-Löf also argues that we can decide whether a given judgement $a : A$ can be derived or not.
Theorem 5.21 Derivability is decidable for $TT_0$.
Proof: Given $A$ and $a$, we first reduce the type symbol $A$ to normal form, and then we can decide whether it is indeed a normal form of a type. If it is we then reduce the expression $a$ in a similar way, and ask whether $a'$ is a normal form of the type $A'$. $\Box$
The way that the system is presented, derivability is plainly semi-decidable: a judgement is derivable if and only if there is a derivation of it. It is a surprise that the relation is in fact decidable, but it should not be so. Recall that we derive judgements of the form
$a$ is a proof of the proposition $A$
or
$a$ is an object of type $A$
and in many cases these relations are decidable. It is for these properties that we chose to discuss Martin-Löf's earlier intensional system, [ML75b], rather than the more recent extensional [ML85]. In the following section we look in more detail at the various equalities of the system, and explain our approach to extensionality in more detail.
Exercises
5.20. Complete the proof sketch for the normalisation theorem above.
5.21. What are the terms $a'$ and $b'$ defined in the normalisation proof for the terms
$$a \equiv_{df} \lambda y . x$$
$$b \equiv_{df} \lambda x . \lambda y . x$$
5.6.1 Polymorphism and Monomorphism
In this short section we comment on another aspect of the system $TT_0$: in the terminology of [Sal89b] it is monomorphic. Each occurrence of a function such as $\lambda x . x$ will be a notational shorthand for a function constant of type $A \Rightarrow A$ for a particular type $A$, with these functions being different for different types $A$. In formalising our theory $TT_0$ we should therefore label all subexpressions of expressions with their type, so that no typical ambiguity can arise. We shall suppress this information systematically as we continue, but note that it should always be thought of as being present.
An obvious question, raised for example in [Tro87], is whether we can re-generate the type information if it is suppressed. In other words whether we can think of the polymorphic system, in which functions such as $\lambda x . x$ can be given different types at different occurrences, as simply a shorthand for the monomorphic. Salvesen gives a negative answer to this question, showing by a number of counterexamples the differences between the polymorphic and monomorphic theories. For instance, in [Sal89b] it is shown that the derivations
$$\frac{\dfrac{0 : N}{\lambda y_{N \Rightarrow N} . 0 : (N \Rightarrow N) \Rightarrow N}\,(\Rightarrow I) \qquad \dfrac{[x : N]}{\lambda x_N . x : N \Rightarrow N}\,(\Rightarrow I)}{(\lambda y_{N \Rightarrow N} . 0)\,(\lambda x_N . x) : N}\,(\Rightarrow E)$$
$$\frac{\dfrac{0 : N}{\lambda y_{B \Rightarrow B} . 0 : (B \Rightarrow B) \Rightarrow N}\,(\Rightarrow I) \qquad \dfrac{[x : B]}{\lambda x_B . x : B \Rightarrow B}\,(\Rightarrow I)}{(\lambda y_{B \Rightarrow B} . 0)\,(\lambda x_B . x) : N}\,(\Rightarrow E)$$
both give rise to derivations of identical conclusions
$$(\lambda y . 0)\,(\lambda x . x) : N$$
and it is simply impossible to derive a single monomorphic type for the variables $x$ and $y$ in this derivation. Building on top of this simple example, there is a derivation in the polymorphic theory which, it is argued, cannot arise from a monomorphic derivation by suppressing type information. More complicated examples show how a Milner-style ([Mil78]) system of principal types is not possible.
Finally, we should note that the polymorphism mentioned here is implicit polymorphism; we can give definitions which are explicitly polymorphic, even in the monomorphic system, by introducing (type) variables which range over the universes $U_n$.

5.7 Equalities and Identities
In the discussion thus far can be found four different notions of equality or identity. We survey their differing roles in this section, and after a discussion of the purpose of these various notions, propose the definition of an extensional equality relation.

5.7.1 Definitional equality
Our first relation is in the meta-language, that is the language in which we discuss the various systems. We say that two terms $e$ and $f$ are identical
$$e \equiv f$$
if they are identical up to change of bound variable after all the defined terms, introduced by means of the definitional equality `$\equiv_{df}$', have been expanded out. We simply treat identical expressions as identical; there are no contexts in which we wish to distinguish between two identical expressions.
As an aside, it is worth noting that although it is obvious what this relation is, we have to do some work in a computer implementation to ensure that we can decide exactly when two expressions are identical.

5.7.2 Convertibility
Two expressions are convertible if the computation steps embodied in the computation rules for the system are sufficient to bring them together. Formally we build the relation `$\leftrightarrow\!\!\leftrightarrow$' by taking the reflexive, symmetric, transitive and substitutive closure of the relation `$\to$'. In other words, we ask that, for all expressions $a, b, c, \ldots$ and variables $x$,
Computation If $a \to b$ then $a \leftrightarrow\!\!\leftrightarrow b$.
Reflexivity $a \leftrightarrow\!\!\leftrightarrow a$.
Symmetry If $a \leftrightarrow\!\!\leftrightarrow b$ then $b \leftrightarrow\!\!\leftrightarrow a$.
Transitivity If $a \leftrightarrow\!\!\leftrightarrow b$ and $b \leftrightarrow\!\!\leftrightarrow c$ then $a \leftrightarrow\!\!\leftrightarrow c$.
Substitutivity If $a \leftrightarrow\!\!\leftrightarrow b$ and $c \leftrightarrow\!\!\leftrightarrow d$ then $a[c/x] \leftrightarrow\!\!\leftrightarrow b[d/x]$.
We saw in the last section that two terms were convertible if and only if they have the same normal form; this means that the relation of convertibility is decidable.
The definition of convertibility is external to the system: $a \leftrightarrow\!\!\leftrightarrow b$ is intended to embody the fact that the two expressions $a$ and $b$ denote the same object. In the light of the characterisation above, we can identify this object as the normal form of the expression, if we wish.
In section 4.11 we introduced the rules of substitution which allow interconvertible expressions to be substituted for each other in derivations of judgements. This emphasizes the fact that judgements are intended to be about the objects denoted by the expressions, rather than the expressions themselves. We shall come back to this important distinction below.
Because `$a \leftrightarrow\!\!\leftrightarrow b$' is not a proposition of the system, we are unable to build more complex assertions on the basis of it. To do this we turn to our third relation, the identity predicate.
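The decision procedures behind the aside in 5.7.1 and theorem 5.20, as an added example that is not part of the book: terms of the $N$ / function fragment of $TT_0$ are held in de Bruijn form, so identity up to change of bound variable is plain structural equality; definitions are expanded before comparison; and convertibility is decided by normalising both sides. The definition `plus` and the two adding-one functions are constructed here (the pair of section 4.11.2 is not reproduced).

```python
from dataclasses import dataclass
from typing import Union

# De Bruijn form: a bound variable is the number of binders between its
# occurrence and its own binder, so renaming bound variables changes nothing.
@dataclass(frozen=True)
class Var:   idx: int
@dataclass(frozen=True)
class Lam:   body: "Term"                          # lambda x . body
@dataclass(frozen=True)
class App:   fun: "Term"; arg: "Term"
@dataclass(frozen=True)
class Zero:  pass
@dataclass(frozen=True)
class Succ:  pred: "Term"
@dataclass(frozen=True)
class Prim:  n: "Term"; c: "Term"; f: "Term"       # prim n c f
@dataclass(frozen=True)
class Const: name: str                             # a name introduced by =df
Term = Union[Var, Lam, App, Zero, Succ, Prim, Const]

def from_named(t, ctx=()):
    """Named syntax as nested tuples ('x', ('lam','x',b), ('app',f,a), 0,
    ('succ',n), ('prim',n,c,f), ('const',s)) to de Bruijn form; ctx holds
    the names bound so far, innermost first."""
    if isinstance(t, str): return Var(ctx.index(t))
    if t == 0:             return Zero()
    tag = t[0]
    if tag == "lam":   return Lam(from_named(t[2], (t[1],) + ctx))
    if tag == "app":   return App(from_named(t[1], ctx), from_named(t[2], ctx))
    if tag == "succ":  return Succ(from_named(t[1], ctx))
    if tag == "prim":  return Prim(*(from_named(u, ctx) for u in t[1:]))
    if tag == "const": return Const(t[1])
    raise ValueError(f"unknown term {t!r}")

def shift(t, d, c=0):
    """Add d to every free variable (index >= c, c = binders passed so far)."""
    if isinstance(t, Var):  return Var(t.idx + d) if t.idx >= c else t
    if isinstance(t, Lam):  return Lam(shift(t.body, d, c + 1))
    if isinstance(t, App):  return App(shift(t.fun, d, c), shift(t.arg, d, c))
    if isinstance(t, Succ): return Succ(shift(t.pred, d, c))
    if isinstance(t, Prim): return Prim(*(shift(u, d, c) for u in (t.n, t.c, t.f)))
    return t

def subst(t, j, s):
    """t with free variable j replaced by s and the binder for j removed, so
    variables above j move down one place; used for (lam b) a -> b[a/0]."""
    if isinstance(t, Var):
        if t.idx == j: return shift(s, j)
        return Var(t.idx - 1) if t.idx > j else t
    if isinstance(t, Lam):  return Lam(subst(t.body, j + 1, s))
    if isinstance(t, App):  return App(subst(t.fun, j, s), subst(t.arg, j, s))
    if isinstance(t, Succ): return Succ(subst(t.pred, j, s))
    if isinstance(t, Prim): return Prim(*(subst(u, j, s) for u in (t.n, t.c, t.f)))
    return t

def num(k):                      # the numeral succ^k 0
    t = Zero()
    for _ in range(k): t = Succ(t)
    return t

# Constructed definition (a closed term); plus adds by recursion on its first
# argument:  plus =df lambda m . lambda n . prim m n (lambda k . lambda r . succ r)
DEFS = {"plus": from_named(("lam", "m", ("lam", "n", ("prim", "m", "n",
                            ("lam", "k", ("lam", "r", ("succ", "r")))))))}

def expand(t):
    """Expand every defined name, as definitional equality requires."""
    if isinstance(t, Const): return expand(DEFS[t.name])
    if isinstance(t, Lam):   return Lam(expand(t.body))
    if isinstance(t, App):   return App(expand(t.fun), expand(t.arg))
    if isinstance(t, Succ):  return Succ(expand(t.pred))
    if isinstance(t, Prim):  return Prim(*(expand(u) for u in (t.n, t.c, t.f)))
    return t

def identical(e, f):
    """e == f: equal after expanding definitions, up to bound-variable names."""
    return expand(e) == expand(f)

def nf(t):
    """Normal form under the beta rule and the two computation rules of prim,
    reducing in normal order; terminates since TT0 is strongly normalising."""
    t = expand(t)
    if isinstance(t, Lam):  return Lam(nf(t.body))
    if isinstance(t, Succ): return Succ(nf(t.pred))
    if isinstance(t, App):
        f = nf(t.fun)
        return nf(subst(f.body, 0, t.arg)) if isinstance(f, Lam) else App(f, nf(t.arg))
    if isinstance(t, Prim):
        n = nf(t.n)
        if isinstance(n, Zero): return nf(t.c)                  # prim 0 c f -> c
        if isinstance(n, Succ):             # prim (succ n) c f -> f n (prim n c f)
            return nf(App(App(t.f, n.pred), Prim(n.pred, t.c, t.f)))
        return Prim(n, nf(t.c), nf(t.f))
    return t

def convertible(a, b):
    """a <->-> b  iff  a' == b' (theorem 5.20, corollary 5.16)."""
    return nf(a) == nf(b)

# Two ways of adding one, constructed here: directly, and by primitive
# recursion on the argument.  They agree on every numeral yet are not
# convertible, which is the intensional/extensional gap of section 5.8.2.
ADD1_A = from_named(("lam", "x", ("succ", "x")))
ADD1_B = from_named(("lam", "x", ("prim", "x", ("succ", 0),
                                  ("lam", "k", ("lam", "r", ("succ", "r"))))))
```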
5.7.3 Identity; the I type
As a primitive proposition (or type) forming operator we have the $I$ operation, forming a type thus:
$$\frac{A\ \text{is a type} \qquad a : A \qquad b : A}{I(A, a, b)\ \text{is a type}}\ (IF)$$
The type is also written $a =_A b$ or even $a = b$ when no confusion can result. $I(A, a, b)$ is provable, by the object $r(a)$, when $a \leftrightarrow\!\!\leftrightarrow b$, so we can see the type as an internalisation of convertibility. On top of the $I$ type we can build more complex assertions, such as
$$(\forall x, y : A) . ((x =_A y) \Rightarrow ((f\,x) =_B (g\,y)))$$
where $f$ and $g$ are functions of type $A \Rightarrow B$. Proof that $I$ is the internalisation of `$\leftrightarrow\!\!\leftrightarrow$' is given by the result
Theorem 5.22 For closed $a$ and $b$, the judgement $I(A, a, b)$ is derivable if and only if $a \leftrightarrow\!\!\leftrightarrow b$.
Proof: Clearly the `if' part is valid. Suppose that $p : I(A, a, b)$ is derivable; taking normal forms à la theorem 5.14 we have
$$p' : I(A', a', b')$$
but for this to be derivable, it must be the case that $a' \equiv b'$, which means that $a \leftrightarrow\!\!\leftrightarrow b$. $\Box$
The expression $x =_A y$ denotes a proposition or type of the system. In order to test for identity in a computation we require a function or operation which returns not a type but rather a value $True$ or $False$ of boolean type.

5.7.4 Equality functions
An equality function is a boolean valued function which can be used in a computation to test for the equality of two objects.
Definition 5.23 An equality function (or equality operation) over the type $A$ is a term $equal_A$ of type $equal_A : A \Rightarrow A \Rightarrow bool$ such that the following propositions are valid
$$(\forall a, b : A) . (a =_A b \Rightarrow equal_A\ a\ b =_{bool} True)$$
$$(\forall a, b : A) . (a \neq_A b \Rightarrow equal_A\ a\ b =_{bool} False)$$
Note that one consequence of the definition is that for closed $a$, $b$ if $a \leftrightarrow\!\!\leftrightarrow b$ then
$$equal_A\ a\ b \leftrightarrow\!\!\leftrightarrow True$$
but on the other hand the non-derivability of $a \leftrightarrow\!\!\leftrightarrow b$ does not imply that
$$equal_A\ a\ b \leftrightarrow\!\!\leftrightarrow False$$
Over which types do we have an equality operation? We start our discussion with two definitions.
Definition 5.24 A predicate $P(x_1, \ldots, x_k)$ is formally decidable if and only if the following proposition is derivable
$$(\forall x_1 : A_1) . \ldots (\forall x_k : A_k) . (P(x_1, \ldots, x_k) \vee \neg P(x_1, \ldots, x_k)) \qquad (5.1)$$
Definition 5.25 A predicate $P(x_1, \ldots, x_k)$ is representable if and only if for some term $r$ the following propositions are derivable
$$(\forall x_1 : A_1) . \ldots (\forall x_k : A_k) . (r\ x_1 \ldots x_k =_{bool} True \Rightarrow P(x_1, \ldots, x_k)) \qquad (5.2)$$
$$(\forall x_1 : A_1) . \ldots (\forall x_k : A_k) . (r\ x_1 \ldots x_k =_{bool} False \Rightarrow \neg P(x_1, \ldots, x_k)) \qquad (5.3)$$
Theorem 5.26 A predicate is representable if and only if it is formally decidable.
Proof: To prove that a representable predicate is decidable, note first that using the axiom of bool elimination we can derive
$$(\forall b : bool) . (b =_{bool} True \vee b =_{bool} False)$$
(a proof of this appears in section 4.10.1). By means of the propositions 5.2, 5.3, we can derive the formula 5.1, as required.
To prove the converse, we need to take the derivation given by 5.1,
$$d : (\forall x_1 : A_1) . \ldots (\forall x_k : A_k) . (P(x_1, \ldots, x_k) \vee \neg P(x_1, \ldots, x_k))$$
The term $d$ is a function, which we compose with the function defined over a disjunction which returns $True$ over the first disjunct and $False$ over the second. This function is given by the term
$$\lambda x . (cases\ x\ (\lambda x . True)\ (\lambda x . False))$$
The resulting function will form a representation of the predicate. $\Box$
Corollary 5.27 A type $A$ carries an equality function if and only if the equality over that type is formally decidable.
Proof: The equality function is a representation of equality over the type. The theorem therefore applies the result immediately. $\Box$
Theorem 5.28 A ground type $A$ carries an equality function.
Proof: By the previous corollary it is sufficient to show that equality over the type is formally decidable. We can prove by induction over the construction of ground types that equality is decidable for them. Indeed, we have given direct definitions of equality functions in the exercises in the previous chapter. $\Box$
Will equality over any other types be decidable? It seems highly unlikely that this is so. Two closed terms of type $N \Rightarrow N$ can be proved equal if and only if they have the same normal form, but there is no way, internally to type theory, to compare normal forms. An extensional equality, to which we turn in the following section, has other drawbacks. From an extensional decidability predicate over a functional type we are able to prove a result like
$$((\forall x : N) . f\,x =_N 0) \vee \neg((\forall x : N) . f\,x =_N 0)$$
which is not in general acceptable to the constructivist, breaking as it does the constraint that properties be finitary.

5.7.5 Characterising equality
The elimination rules for the various type constructors allow us to derive characterisations of equality for types in terms of their component parts. In section 4.10.1 we saw that
$$(\forall b : bool) . (b =_{bool} True \vee b =_{bool} False)$$
and we argued that other similar results could also be proved. In particular, we gave as an exercise the proof of
$$(\forall x : N) . (x =_N 0 \vee (\exists y : N) . (x =_N succ\ y))$$
We would also mention the other characterisations
$$(\forall x : A \wedge B) . (\exists y : A) . (\exists z : B) . (x = (y, z))$$
and
$$(\forall x : A \vee B) . ((\exists y : A) . (x = (inl\ y)) \vee (\exists z : B) . (x = (inr\ z)))$$
and for the finite types
$$(\forall x : N_n) . (x = 1_n \vee \ldots \vee x = n_n)$$
with the special case that
$$(\forall x : \top) . x = Triv$$
These results are all proved in similar ways, using the axiom of elimination for the type in question.
Exercises
5.22. Complete the proof of theorem 5.26 by exhibiting the term $r$ explicitly.
5.23. Give a definition of the equality function over the $tree$ type.
5.24. Prove the characterisations of equality for conjunction (product) and disjunction (sum) types given above.

5.8 Different Equalities
As we saw in the last section, there are a number of differing notions of equality for a system like type theory. Here we take a longer view and ask both what is the exact purpose of an equality relation, and propose modified definitions based on the results of these ruminations.

5.8.1 A functional programming perspective
When we first learn arithmetic at school, we write down calculations like

    (2 + 3) + (4 + 5) = 5 + (4 + 5)
                      = 5 + 9
                      = 14

which can be thought of as proofs that particular equations are true. In a similar way, when we reason about the behaviour of functional programs, we might write chains like

    map id (a:x) = id a : map id x
                 = a : map id x
                 = a : x

where map is the function which applies its first argument, a function, to every element of its second, a list, and id is the identity function.
For the functional programmer (or the primary school child) the interest of such a proof is that two expressions which are not prima facie equivalent in fact have the same meaning.
These proofs have in common the fact that they would be considered trivial in the context of type theory; they simply involve showing that two expressions are convertible, and this is formalised outside the theory in the convertibility relation.
In order to extend the theory to embrace this kind of equality reasoning, we have radically to modify the theory. The proof objects of the equality ($I$) types will no longer have the trivial form $r(a)$, but will need to reflect the chains of equalities as above. Also the proposition
$$(2 + 3) + (4 + 5) = 14$$
must be distinguished from the proposition
$$14 = 14$$
since the latter is trivial, whilst the former reflects three non-trivial computation steps; proof objects of the two types will be completely different.
The departure here is to consider proofs to be about linguistic expressions (such as $(2 + 2)$) rather than about mathematical objects (like the number $4$). It would be interesting to see a complete development of a theory analogous to type theory along the lines proposed here.

5.8.2 Extensional Equality
As we said above, type theory addresses itself to objects and their relations, so that we identify expressions which are convertible, allowing their inter-substitution in any context. This is because we take convertible expressions to have the same meaning, and this is surely correct. What is more, as a corollary of the normalisation theorem we saw that the relation of convertibility was decidable, so that separately from the system itself questions of equivalence could be decided.
There remains the question whether convertibility captures fully what it is for two expressions to mean the same thing. For objects of ground type there is no question that this is so, but for functions the question is more complex. We saw in section 4.11.2 that two different ways of adding one to an arbitrary natural number gave the same value on every argument, and an extensional equality would deem them to be equal. Can we augment the system to make equality extensional? We shall review a number of proposals now.
A first attempt might be made to augment the convertibility rules, with a rule like $\eta$ conversion, which we saw first in section 2.3:
$$\lambda x . (f\,x) \to f$$
if the variable $x$ is not free in the expression $f$. Given the definition of convertibility in chapter 2 which allows conversion under the $\lambda$, we can say that if
$$f\,x \leftrightarrow\!\!\leftrightarrow g\,x \qquad (5.4)$$
then by two $\eta$ conversions we have
$$f \leftrightarrow\!\!\leftrightarrow \lambda x . (f\,x) \leftrightarrow\!\!\leftrightarrow \lambda x . (g\,x) \leftrightarrow\!\!\leftrightarrow g$$
so it appears that we have an extensional convertibility.
This is not the case, however, as the equivalence (5.4) is a weak one, based as it is on convertibility between two expressions involving an arbitrary value represented by the variable $x$. In our proof of the equivalence of the two functions adding one, we inferred
$$(\forall x : N) . f\,x = g\,x$$
by induction, a proof-theoretic technique based on a case analysis over the variable $x$, rather than simply a rewriting à la (5.4). It appears then that we cannot capture a fully extensional equality as a conversion relation.
Martin-Löf proposes a rule in his 1979 system, [ML85], which contains a fully extensional conversion, by means of the rule
$$\frac{c : I(A, a, b)}{a \leftrightarrow\!\!\leftrightarrow b}\ (IE_{ext})$$
This addition has unfortunate consequences for the general properties of the system: convertibility is undecidable, the system fails to be strongly normalising and so on, and it is for these reasons that we have chosen to adopt Martin-Löf's earlier system as the basis of ours here. It is no surprise that these are the consequences of the rule $(IE_{ext})$, since it makes the relation of conversion have a proof-theoretic link which it fails to have in the earlier system. Before we leave the topic of convertibility, it is worth referring back to our comments of section 2.11 on the superfluity of the (so-called) conversion rules like $\eta$-reduction. In particular the remark that these rules are not needed to reduce closed terms of ground type to normal form still applies in the context of $TT_0$.
Is there an alternative to Martin-Löf's method of including an extensional equality in the system?
Turner has proposed in the unpublished [Tur89] that an extensional $I$ type can be defined. He argues that the type
$$I(N \Rightarrow N, f, g)$$
can be inhabited by terms other than $r$: a proof of the equality of all the values of the function, in other words an object $p$ of type
$$(\forall n : N) . (f\,n = g\,n)$$
can be injected into the type also, giving
$$ext\ p : I(N \Rightarrow N, f, g)$$
If we add new canonical elements to a type we require new rules of elimination and computation if the classes of canonical objects of other types are not to be enlarged with spurious members. Some rules to accomplish this are to be found in [Tur89], and it appears that a system in which no spurious canonical forms are introduced could be built on the basis of the system there. The complete presentation might involve a theory of structured equality objects, so that proofs of equality of pairs would be pairs of equality proofs, equalities between functions would be functions proving the equality of all results, etc.
A variant of this approach suggests itself, and that is to introduce an element of the equality thus
$$\frac{p : (\forall x : A) . (f\,x =_B g\,x)}{r : I(A \Rightarrow B, f, g)}\ (II')$$
but this means that the proof-theoretic information contained in the object $p$ is lost. This happens in the standard introduction rule, yet in that case the information lost is convertibility information, which can be recovered by the decision procedure for conversion. If we are to adhere to the principle of complete presentation, then we should reject this course; if not, this presents a way to proceed.

5.8.3 Defining Extensional Equality in $TT_0$
The option we explore here is to define explicitly the relation of extensional equality within the theory $TT_0$ whose equality is intensional. We retain the decidability of `$\leftrightarrow\!\!\leftrightarrow$', as well as adhering to the principle of complete presentation.
Definition 5.29 By induction over the construction of the type $A$ we can define the operator $\simeq_A$ embodying extensional equality over $A$. Formally, we have the derived rule
$$\frac{A\ \text{is a type} \qquad a : A \qquad b : A}{(a \simeq_A b)\ \text{is a type}}\ (EEF)$$
For base types $N$, $N_n$, $bool$, $I(T, n, m)$ and so on we define
$$a \simeq_A b \equiv_{df} I(A, a, b)$$
Omitting the type subscripts from now on, for function types we say
$$f \simeq g \equiv_{df} (\forall x, y : A) . ((x \simeq y) \Rightarrow (f\,x \simeq g\,y))$$
For product types,
$$u \simeq v \equiv_{df} (fst\ u \simeq fst\ v) \wedge (snd\ u \simeq snd\ v)$$
and similarly for disjunctions.
For $f$ and $g$ of the universally quantified type
$$(\forall x : A) . B$$
the proposition
$$(\forall x, y : A) . ((x \simeq y) \Rightarrow (f\,x \simeq g\,y))$$
is only well formed if the type family $B$ is itself extensional, that is if $x \simeq x'$ then $B \leftrightarrow\!\!\leftrightarrow B[x'/x]$.
The relation `$\simeq$' is a partial equivalence relation, in that
Lemma 5.30 The relation `$\simeq_A$' has the following properties
Symmetry If $f \simeq g$ is derivable, then so is $g \simeq f$.
Transitivity If $f \simeq g$ and $g \simeq h$ are derivable, then so is $f \simeq h$.
Semi-Reflexivity If $f \simeq g$ is derivable, then so is $f \simeq f$.
Proof: The proof is by induction over the construction of the type $A$. The interesting case is that of the function type $B \Rightarrow C$. We look at the various properties in turn. First suppose that we have $f \sim g$, that is
$$(\forall x, y : B) . ((x \simeq y) \Rightarrow (f\,x \simeq g\,y))$$
by the symmetry of `$\simeq$' for the type $C$ we have
$$(\forall x, y : B) . ((x \simeq y) \Rightarrow (g\,y \simeq f\,x))$$
as required. Now suppose that we have $f \simeq g$ and $g \simeq h$, and suppose that $x \simeq_B y$. By the first proposition, we have
$$f\,x \simeq g\,y$$
Since $x \simeq y$, we have by symmetry and semi-reflexivity for $B$ that $y \simeq y$, so by $g \simeq h$ we can derive
$$g\,y \simeq h\,y$$
and finally by transitivity for $\simeq$ over $C$ we have
$$f\,x \simeq h\,y$$
which establishes transitivity. Semi-reflexivity is a consequence of symmetry and transitivity. $\Box$
Definition 5.31 If $a$ is an open term with free variables $x_1, \ldots, x_k$ then its closure is the term $\lambda x_1, \ldots, x_k . a$.
Definition 5.32 We call a closed term $a$ of type $A$ extensional if $a \simeq_A a$. If $a$ is open, we call it extensional if its closure is.
Not all terms are extensional. Take the function
$$h \equiv_{df} \lambda x . (x, r(x)) : (A \Rightarrow (\exists x : A) . I(A, x, x))$$
Suppose that we take the type $A$ to be $N \Rightarrow N$, and choose two functions $f$ and $g$ of this type so that $f \simeq g$ yet $f \not\leftrightarrow\!\!\leftrightarrow g$. The two addition functions of section 4.11.2 will do for $f$ and $g$. Now,
$$h\,f \to\!\!\to (f, r(f))$$
$$h\,g \to\!\!\to (g, r(g))$$
These two values are not extensionally equal, as the objects $r(f)$ and $r(g)$ are of different types, since the family $I(A, x, x)$ is not extensional.
We could leave the development here, with a definition of what it is for two terms to be extensionally equal. Unfortunately, what we have developed thus far is not very useful: we have no way of using the defined relation directly, and instead we must expand out its definition to use it. The equality relation $I(A, a, b)$ is characterised by its elimination rule, stating that $a$ and $b$ may be substituted for each other in any context. `$\simeq$' is a weaker relation than identity, and so we cannot expect to substitute extensionally equal terms for each other in all contexts. Instead, we prove that substitution can be performed safely in a large class of contexts.
Definition 5.33 We call a proposition $P$ extensional if it satisfies the following. Any sub-term of $P$ of the form $I(A, a, b)$ must satisfy
• $A$ is a ground type, and
• the terms $a$ and $b$ are extensional
Theorem 5.34 If $P$ is extensional, $f \simeq g$ and we can derive $p : P[f/x]$ then we can find $p'$ so that $p' : P[g/x]$ is derivable.
Proof: We prove this result by induction over the derivation $p$. $\Box$
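Definition 5.29 and the first clause of definition 5.33 carried out mechanically, as an added example that is not the book's code: `ext_eq` builds the proposition $a \simeq_A b$ by recursion over $A$ for the base, function and product types, and `is_extensional_prop` checks that every $I(A, a, b)$ inside a proposition is formed at a ground type. Two assumptions are made here: ground types are taken to be those built without $\Rightarrow$, and sums are omitted since the text only says `similarly for disjunctions'.

```python
from dataclasses import dataclass
from itertools import count
from typing import Union

# Type expressions of TT0 used below; terms inside I(A, a, b) are kept as text.
@dataclass(frozen=True)
class N: pass
@dataclass(frozen=True)
class Bool: pass
@dataclass(frozen=True)
class Fin: n: int                              # the finite type N_n
@dataclass(frozen=True)
class Arrow: dom: "Type"; cod: "Type"          # A ⇒ B
@dataclass(frozen=True)
class Prod: left: "Type"; right: "Type"        # A ∧ B
@dataclass(frozen=True)
class Id: typ: "Type"; lhs: str; rhs: str      # I(A, a, b), a type and a proposition
Type = Union[N, Bool, Fin, Arrow, Prod, Id]

# Propositions built by ext_eq: I-types, implication, conjunction and
# quantification over a pair of variables x, y : A.
@dataclass(frozen=True)
class Imp: ante: "Prop"; cons: "Prop"
@dataclass(frozen=True)
class And: left: "Prop"; right: "Prop"
@dataclass(frozen=True)
class Forall2: x: str; y: str; typ: Type; body: "Prop"
Prop = Union[Id, Imp, And, Forall2]

def show(t) -> str:
    """Render a type or proposition in the notation of the text."""
    if isinstance(t, N):       return "N"
    if isinstance(t, Bool):    return "bool"
    if isinstance(t, Fin):     return f"N_{t.n}"
    if isinstance(t, Arrow):   return f"({show(t.dom)} ⇒ {show(t.cod)})"
    if isinstance(t, Prod):    return f"({show(t.left)} ∧ {show(t.right)})"
    if isinstance(t, Id):      return f"I({show(t.typ)}, {t.lhs}, {t.rhs})"
    if isinstance(t, Imp):     return f"({show(t.ante)} ⇒ {show(t.cons)})"
    if isinstance(t, And):     return f"({show(t.left)} ∧ {show(t.right)})"
    if isinstance(t, Forall2): return f"(∀{t.x}, {t.y} : {show(t.typ)}).{show(t.body)}"
    raise TypeError(t)

def app(f: str, x: str) -> str:                 # f x, bracketing a compound f
    return f"({f}) {x}" if " " in f else f"{f} {x}"

def proj(p: str, a: str) -> str:                # fst a / snd a, bracketing a compound a
    return f"{p} ({a})" if " " in a else f"{p} {a}"

def ext_eq(A: Type, a: str, b: str, fresh=None) -> Prop:
    """The proposition a ≃_A b of definition 5.29; fresh supplies the
    variable indices for the quantifiers introduced at function types."""
    fresh = fresh if fresh is not None else count(1)
    if isinstance(A, (N, Bool, Fin, Id)):        # base types: a ≃ b is I(A, a, b)
        return Id(A, a, b)
    if isinstance(A, Arrow):                     # (∀x, y : A).((x ≃ y) ⇒ (f x ≃ g y))
        i = next(fresh)
        x, y = f"x{i}", f"y{i}"
        return Forall2(x, y, A.dom, Imp(ext_eq(A.dom, x, y, fresh),
                                        ext_eq(A.cod, app(a, x), app(b, y), fresh)))
    if isinstance(A, Prod):                      # (fst u ≃ fst v) ∧ (snd u ≃ snd v)
        return And(ext_eq(A.left, proj("fst", a), proj("fst", b), fresh),
                   ext_eq(A.right, proj("snd", a), proj("snd", b), fresh))
    raise TypeError(f"≃ is not defined here for {show(A)}")

def is_ground(A: Type) -> bool:
    """Assumed notion of ground type: no function space anywhere inside, in
    line with the remark after theorem 5.28 that N ⇒ N carries no equality."""
    if isinstance(A, Arrow): return False
    if isinstance(A, Prod):  return is_ground(A.left) and is_ground(A.right)
    if isinstance(A, Id):    return is_ground(A.typ)
    return True

def is_extensional_prop(P: Prop) -> bool:
    """First clause of definition 5.33: every I(A, a, b) in P has A ground
    (the second clause, extensionality of a and b, is not checked here)."""
    if isinstance(P, Id):      return is_ground(P.typ)
    if isinstance(P, Imp):     return is_extensional_prop(P.ante) and is_extensional_prop(P.cons)
    if isinstance(P, And):     return is_extensional_prop(P.left) and is_extensional_prop(P.right)
    if isinstance(P, Forall2): return is_extensional_prop(P.body)
    raise TypeError(P)

NN = Arrow(N(), N())
FUN_EQ = ext_eq(NN, "f", "g")                   # f ≃ g for f, g : N ⇒ N
PAIR_EQ = ext_eq(Prod(N(), NN), "u", "v")       # u ≃ v for u, v : N ∧ (N ⇒ N)
```

Expanding `FUN_EQ` shows why the definition is usable only by unfolding: even for $N \Rightarrow N$ the extensional equality is a quantified implication whose only $I$-types are at the ground type $N$, so it passes the check of definition 5.33, whereas the intensional $I(N \Rightarrow N, f, f)$ does not.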
We would also conjecture that any closed term of an extensional type is itself extensional. This would include in particular all terms of types which do not involve the identity types $I(A, a, b)$, which would include all the types of a traditional functional programming language such as Miranda. We can prove the more limited theorem which follows.
Theorem 5.35 The class of extensional terms is closed under the operations of pairing, projection, injection (into sum types), case analysis, primitive recursion over natural numbers and trees, abstraction, application, function composition and so on.
Proof: The proof is simply a matter of checking the definitions in each case. $\Box$
To summarise this section, we have shown that within an intensional system of type theory (with pleasant metamathematical properties) we can build an identity relation which is extensional. Moreover we can prove that we can substitute extensionally equal terms for each other in a wide variety of contexts. This approach seems to combine the advantages of both the extensional and intensional theories, without anything being sacrificed.
Exercise
5.25. Complete the proofs of theorems 5.34 and 5.35 above.

5.9 Universes
The system $TT_0$ makes a rigid distinction between types, such as $N$, $A \wedge B$ and $I(A, a, b)$, and the objects which inhabit them, $0$, $(a, b)$, $r(a)$ and so on. There are situations in which this distinction can usefully be blurred.
• We may wish to make an object depend upon a type parameter; this is often called type polymorphism.
• We might want to assert the existence of a type with certain properties; this is the content of an abstract type definition.
• Some functions are most naturally defined over the collection of all objects of all types.
For these and other reasons, we can see the merit of introducing a type $T$ of all types, and this was indeed what Martin-Löf did in an early version [ML71] of his type theory. It was later shown by Girard [Gir72] that this addition made the logic of type theory inconsistent, in the sense that every proposition became provable. Girard's proof is based on the set-theoretic Burali-Forti paradox, which proves the inconsistency of the set of all well-founded sets, which is a member of itself, and therefore not well-founded.
A common thread to paradoxes such as this and Russell's is the impredicativity of the objects defined: in describing what the members of $T$ are, we have to mention $T$ itself. This is one point at which the logical and programming interpretations of type theory diverge; the logical inconsistency of the system means in programming terms that every type has a member. This inhabitation is something we are used to in languages such as Miranda, since every type contains an undefined element, identified by the semantics with the bottom element of a domain. Of course, also, the self-reference in the definition of $T$ is simply that of general recursion, and inconsistency becomes partiality. For detailed analysis of the computational behaviour of the paradox, see [MR86] and Howe's analysis in [How88, Chapter 4] of the paradox in the related system Nuprl.
If it is our aim to maintain a coherent logical interpretation of the system, $T$ must be avoided. Instead of introducing a single universe, we introduce a hierarchy of universes, $U_n$ for $n = 0, 1, 2, \ldots$. The types given by the formation rules of $TT_0$ are in $U_0$; hence the subscript of $TT_0$. If we then add $U_0$ as a type, using the same formation rules we form types in $U_1$, and so on, through the hierarchy.
Formally, we obtain the system $TT$ by modifying the formation rules as follows. Occurrences of the judgements $A$ is a type are replaced by
$$A : U_n$$
and the rule
$$\frac{A_1\ \text{is a type} \qquad \cdots \qquad A_k\ \text{is a type}}{T(A_1, \ldots, A_k)\ \text{is a type}}\ (TF)$$
is replaced by
$$\frac{A_1 : U_{n_1} \qquad \cdots \qquad A_k : U_{n_k}}{T(A_1, \ldots, A_k) : U_{\max(n_1, \ldots, n_k)}}\ (TF)$$
In other rules which have premisses of the form $A$ is a type, those premisses are replaced by $A : U_n$. We also add the following formation rule
Formation Rule for $U$
$$\frac{}{U_n : U_{n+1}}\ (UF)$$
The system of universes is not cumulative; each type is a member of exactly one universe, $U_k$ say, rather than being a member of all the universes $U_k, U_{k+1}, \ldots$.
We end this introduction by remarking that the results of section 5.6 carry over to $TT$ with no modification, so that
Theorem 5.36 $TT$ is strongly normalising, has the Church-Rosser property, and both convertibility and the derivability of judgements of the form $a : A$ are decidable.
Proof: Exactly as section 5.6. $\Box$
5.9.1 Type families
Because the universes are types just like any other, we can form new objects of these types. For example, we have
$$\frac{x : bool \qquad \bot : U_0 \qquad \top : U_0}{\mathit{if}\ x\ \mathit{then}\ \bot\ \mathit{else}\ \top : U_0}\ (bool\,E)$$
The term $B \equiv_{df} (\mathit{if}\ x\ \mathit{then}\ \bot\ \mathit{else}\ \top)$ is a type family over the variable $x : bool$, with the property that
$$B(True) \to \bot$$
$$B(False) \to \top$$
This gives a more direct definition of type family than that described in section 4.10.3 above.
Now we prove a theorem using the universe $U_0$ to give a result we cannot prove in $TT_0$.
Theorem 5.37 In $TT$ we can derive $\neg(True =_{bool} False)$.
Proof: Suppose that we have $p : True =_{bool} False$. Applying the function
$$\lambda x . (\mathit{if}\ x\ \mathit{then}\ \bot\ \mathit{else}\ \top)$$
to the two sides, and reducing, we find
$$p' : \bot =_{U_0} \top$$
If we then perform the substitution of $\bot$ for $\top$ in
$$Triv : \top$$
we have the result
$$Triv : \bot$$
Discharging the original assumption, we have an element of
$$\neg(True =_{bool} False)$$
which we assumed as an axiom in $TT_0$. $\Box$
Smith gives a formal proof that the result cannot be derived in (an extension of) $TT_0$ in his paper [Smi87].

5.9.2 Quantifying over universes
Many functions can be derived for arbitrary types; among the examples are all the functions of section 4.5. We can rewrite the derivation of the identity function thus
$$\frac{\dfrac{}{U_0 : U_1}\,(UF) \qquad \dfrac{[A : U_0]^2\,(AS) \qquad [x : A]^1\,(AS)}{\lambda x_A . x : (A \Rightarrow A)}\,(\Rightarrow I)^1}{\lambda A_{U_0} . \lambda x_A . x : (\forall A : U_0) . (A \Rightarrow A)}\,(\forall I)^2$$
The informal assumption that $A$ is a type is replaced here by the formal assumption $A : U_0$, which is subsequently discharged. The function defined will give the identity function over any type $A$ in $U_0$ when applied to that type. For example,
$$(\lambda A_{U_0} . \lambda x_A . x)\ N \to \lambda x_N . x : (N \Rightarrow N)$$
This gives a form of polymorphism; the identity function is thus defined for all `small' types (as we call the members of $U_0$) uniformly.
If we are given an abstract type, this usually means that we are given a type which we can access only through certain operations over that type, rather than all the operations available over the type.
Consider a type like
$$(\exists A : U_0) . P(A)$$
What do objects of this type look like? They are pairs $(A, p)$ of objects,
$$A : U_0 \quad \text{and} \quad p : P(A)$$
$A$ is a (small) type, and $p$ is a proof that it has the property $P(A)$. Suppose we have defined $P(A)$ to be
$$(A \Rightarrow A) \wedge (A \Rightarrow A)$$
then an object of the existential type will be a type $A$ together with
$$p : (A \Rightarrow A) \wedge (A \Rightarrow A)$$
that is a pair of functions from $A$ to itself. An object of this type is equivalent to an implementation of an abstract type, with signature (written in Miranda notation)

    abstype A
    with f1 :: A -> A
         f2 :: A -> A

where f1 and f2 are the first and second projections of $p$, of course.
We shall have more to say about quantified types in the following chapter, where we look at a series of examples.

5.9.3 Closure axioms

The usual way that we characterise the members of a type is by a pair of rules: the introduction rule explains what objects are permitted to be elements of the type, and the elimination rule (together with the computation rule) characterises these elements as the only elements of the type. We could call the latter rules the closure axioms for the type. It is the closure axioms for a type A which allow us to prove properties for all elements of A, and to define functions by recursion over A.
The rules we have given for universes correspond to introduction rules; if we wish to define functions by recursion over the universe we need a closure axiom to that effect. In Martin-Löf's treatment of the system, these axioms have been omitted deliberately; for philosophical reasons he has chosen to make the universes open-ended, so that other type forming operations can be added to the system without violating the closure axioms.
The closure axioms permit us to define polymorphic functions which fail to be parametric ([Str67]). We could, for instance, define a function which was the identity function on all types but N, and which was the successor function $\lambda n . (succ\ n)$ on N. This would have the type
$(\forall A : U_0) . (A \Rightarrow A)$
just as did the polymorphic identity function, which had a parametric definition: we did not perform any analysis on the type variable A in the definition of the identity function, it was simply a parameter.

5.9.4 Extensions
Why do we stop with a chain of universes $U_0, U_1, \ldots$, when there are natural functions which cannot be defined in the system? The obvious one which springs to mind is
$(n : N) . U_n$
which clearly inhabits none of the $U_n$. To give this a type we need to add the first transfinite universe $U_\omega$, which is itself a member of $U_{\omega + 1}$, and so we can iterate through the constructive ordinals. Whether this extension is interesting, either proof theoretically or from the point of view of programming, is open to question, but the interested reader may wish to consult [And65] for a similar transfinite theory.
Another possible direction is to distinguish between the types which are sets, such as N and tree, and the propositions, and to try to extend the type theory with a type of propositions. This has itself been shown to be inconsistent in [Jac89].
If one is prepared to limit the type forming operations, then systems with a type of types can be built consistently. The work of Girard on system F [Gir80] and of Huet and Coquand [CH85] testifies to this. More details of these systems are given in section 9.1.5 below.

5.10 Well-founded types

When we first introduced algebraic types in the previous chapter, section 4.9, we described what we meant by an algebraic type, and then introduced the rules for a particular type, tree, of binary trees. It is not difficult to see how we might form the rules for a type of lists along similar lines; we do that in a moment.
There is a general framework into which we can fit the types defined in this way. By an analysis of the tree type we find the rules for a general well-founded type, and this we do in the section which follows.

5.10.1 Lists
A list is either empty, [ ], or can be thought of as having a first element, or head, a and a remainder, or tail, x. The list with head a and tail x is written
$(a :: x)$
The double colon `::' is often pronounced `cons'. Definitions by recursion take the form
$sum\ [\,] \equiv_{df} 0$
$sum\ (a :: x) \equiv_{df} a + (sum\ x)$
where in this case we look at a function defined over a numerical list. (Note that we have used the reverse convention to Miranda, in which a single colon denotes the `cons' operator, and the double colon is used for `has the type'; the convention is that of the SML language, in fact.) Elements of lists can have any type, as long as we keep the lists homogeneous: all the elements of any particular list should be of the same type, otherwise many definitions, such as those of the standard functions map, filter and foldr simply cannot be stated. Lists form one of the standard data types in functional programming; definitions of these standard functions and many other examples can be found in the textbooks [BW88] and [Rea89].
With this introduction, we should now be able to understand the rules, in which we write [A] for the type of lists with elements of type A.

Formation Rule for list

       A is a type
     --------------- (list F)
      [A] is a type

Introduction Rules for list

                                   a : A    l : [A]
     -------------- (list I1)    -------------------- (list I2)
      [ ] : [A]                     (a :: l) : [A]

Elimination Rule for list

      l : [A]
      s : C[ [ ] / x ]
      f : (∀a : A).(∀l : [A]).(C[l/x] ⇒ C[(a :: l)/x])
     ----------------------------------------------------- (list E)
      lrec l s f : C[l/x]

Computation Rules for list

      lrec [ ] s f       →  s
      lrec (a :: l) s f  →  f a l (lrec l s f)

`::' is taken to be right associative, and the shorthand $[a_1, \ldots, a_n]$ will be used for the list $(a_1 :: \ldots :: a_n :: [\,])$. We call functions defined using the elimination rule primitive recursive.
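As an added example (not from the book), here is a Python model of lrec driven directly by the two computation rules, together with sum from above and a few further functions written in the same primitive recursive style; unfold spells out the term that lrec l s f reduces to. All names (lrec, unfold, list_sum, tail_or and so on) are the example's own.

```python
# Added example, not from the book: primitive recursion over lists, modelled
# on the rules (list I1), (list I2), (list E) and the two computation rules.
# A Python list stands for the type-theoretic list; [a] + l plays (a :: l).

NIL = []                      # (list I1):  [ ] : [A]


def cons(a, l):
    """(list I2): the list with head a and tail l, i.e. (a :: l)."""
    return [a] + list(l)


def lrec(l, s, f):
    """lrec l s f, evaluated by the computation rules for list:
         lrec [ ]      s f  ->  s
         lrec (a :: l) s f  ->  f a l (lrec l s f)
    The step f receives the head, the tail and the result on the tail,
    exactly the shape demanded by (list E); the recursion is structural,
    so it always terminates."""
    if not l:
        return s
    a, rest = l[0], l[1:]
    return f(a, rest, lrec(rest, s, f))


def unfold(l, s="s", f="f"):
    """The term to which lrec l s f reduces when the second computation rule
    is applied repeatedly, written out as a string (constructed for
    illustration): unfold([1, 2]) == 'f 1 [2] (f 2 [] s)'."""
    if not l:
        return s
    a, rest = l[0], l[1:]
    inner = unfold(rest, s, f)
    return f"{f} {a} {rest} ({inner})" if rest else f"{f} {a} [] {s}"


def list_sum(l):
    """sum [ ] = 0,  sum (a :: x) = a + (sum x), as an lrec."""
    return lrec(l, 0, lambda a, x, r: a + r)


def length(l):
    return lrec(l, 0, lambda a, x, r: 1 + r)


def append(l, m):
    """l ++ m, by recursion on l with m as the base value."""
    return lrec(l, list(m), lambda a, x, r: cons(a, r))


def tail_or(l, default):
    """The tail of a non-empty list, or default for [ ].  The step ignores r
    and returns the tail x that (list E) hands to f: this is how a function
    that is not itself recursive is still defined through lrec."""
    return lrec(l, default, lambda a, x, r: x)


if __name__ == "__main__":
    xs = cons(1, cons(2, cons(3, NIL)))          # [1, 2, 3]
    print(unfold(xs))                            # f 1 [2, 3] (f 2 [3] (f 3 [] s))
    print(list_sum(xs), length(xs), append(xs, [4, 5]), tail_or(xs, NIL))
```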

Figure 5.1: Natural numbers and lists. (Diagram not reproduced: the trees for 0, succ (succ 0) and the list [1, 0].)

Exercises
5.26. Using lrec define the function map which takes as arguments a function f and a list $[a_1, \ldots, a_n]$, and returns the list $[f\ a_1, \ldots, f\ a_n]$.
5.27. Define the function segs of type $[A] \Rightarrow [[A]]$ with the property that
$segs\ [n_1, \ldots, n_m] \equiv_{df} [\,[\,], [n_1], [n_1, n_2], \ldots, [n_1, \ldots, n_m]\,]$
5.28. Using segs or otherwise, define the function sums of type $[N] \Rightarrow [N]$ with the property that
$sums\ [n_1, \ldots, n_m] \equiv_{df} [0, n_1, n_1 + n_2, \ldots, n_1 + \cdots + n_m]$
What is a suitable value for the empty list [ ]?
5.29. Formulate what it means for one list to be a sublist of another, and define the function
$sublists : [A] \Rightarrow [[A]]$
which returns the list of all sublists of a list. How would you remove duplicate entries from the list if necessary?
5.30. How is the equality operation on the list type [A] defined from the equality operation on A?

5.10.2 The general case - the W type.

In general, we can think of the elements of any algebraic type as trees. In figure 5.1 we see trees representing the natural numbers 0 and 2, that is succ (succ 0), and the list [1, 0], shown in two slightly different forms. In the first, we show the numerical components as pointed to by a node; in the second we show them as components of the cons node itself. Figure 5.2 shows an example from our type tree of binary numeric trees.
The general form of these types is that each node is built from a certain collection of predecessors of the same type. Considering our type tree, a Null node, illustrated by a black disc, has no predecessors, whereas a node of sort Bnode 0, Bnode 1, ..., shown in white, has two predecessors. (The terminology immediate predecessor is sometimes used for our `predecessor'.)

Figure 5.2: A binary tree of type tree. (Diagram not reproduced: the tree Bnode 3 Null (Bnode 0 Null Null).)

For a general algebraic type we will have a type A of sorts of node. In the case of trees this type is best thought of as a sum type,
$A \equiv_{df} (\top \vee N)$
where $\top$ is the one element type, for the Null node, and the other summand, N, is for the Bnode nodes, which carry numbers. To make the subsequent account more readable, we rename the injection functions nu and bnode, and use null for the application (nu Triv). This means that we can think of the elements of A as null together with (bnode n) for natural numbers n.
Different kinds of nodes have different numbers of predecessors. For a particular kind of node a : A we specify what form the predecessors of the node take by supplying a type $B(a)$, which we can think of as the type of names of predecessor places.
For a particular node of that sort we specify the collection of predecessors of the node by a function from $B(a)$ to the type in question.
Considering the particular case of the type tree, since the Null node has no predecessors, we say
$B(null) \equiv_{df} \bot$
and for the binary nodes (Bnode n), we have two predecessors, so we define
$B(bnode\ n) \equiv_{df} N_2$
We could make $N_2$ more readable by replacing $1_2, 2_2$ by Left and Right, as we would expect for the names of the two predecessor places of the Bnode.
To define the family $B(x)$ in this way requires the use of the universe $U_0$; without using a universe we can say
$B(x) \equiv_{df} ((isnull\ x = True) \wedge \bot) \vee ((isnull\ x = False) \wedge N_2)$
where the function isnull of type $A \Rightarrow bool$ is defined thus:
$isnull\ x \equiv_{df} (cases\ x\ (\lambda y . True)\ (\lambda z . False))$
The type we build is determined by the class of sorts of node, A, and the family determining the nature of the set of predecessors of each sort of node, $B(x)$. The type thus constructed is called $(W x : A) . B(x)$, the W being used as a reminder that the type is well-founded.

Formation Rule for W

                        [x : A]
                           :
       A is a type     B(x) is a type
     ---------------------------------- (W F)
        (W x : A).B(x) is a type

As far as our type tree is concerned, it is clear that we have satisfied the hypotheses of the rule with our definitions of A and $B(x)$.
A general node of type $(W x : A) . B(x)$ can be built from a node sort, a : A, and a collection of predecessors
$f : B(a) \Rightarrow (W x : A) . B(x)$
The node given by f and a is called
$node\ a\ f : (W x : A) . B(x)$
This is formalised in the introduction rule

Introduction Rule for W

       a : A    f : (B(a) ⇒ (W x : A).B(x))
     ----------------------------------------- (W I)
           node a f : (W x : A).B(x)

Going back to our example tree type, how do we form nodes? Choose first the element null of A. The set of predecessor names is $B(null)$, which is the empty type, $\bot$. For any type T there is a function from the type $\bot$ to T, given by the abort construct,
$efun \equiv_{df} \lambda x . abort_T\ x$
taking T to be $(W x : A) . B(x)$ itself, we produce one element of the W-type:
$node\ null\ efun$
This is the representative of the node Null, which has no predecessors, and the argument above constitutes an informal derivation of the rule $(tree\,I_1)$. How can we derive the other tree introduction rule from (W I)? The hypotheses of $(tree\,I_2)$ are that n : N, u : tree and v : tree. The term
$f_{u,v} \equiv_{df} \lambda x . (cases_2\ x\ u\ v)$
is of type $(N_2 \Rightarrow tree)$, and $N_2 \equiv B(bnode\ n)$, which means that this is a predecessor function for a (bnode n) node. Formally, (W I) allows the formation of
$node\ (bnode\ n)\ f_{u,v}$
which represents the node (Bnode n u v). Using the notation Null for the term (node null efun), the node
$node\ (bnode\ 3)\ f_{Null,g}$
where $g \equiv (node\ (bnode\ 0)\ f_{Null,Null})$, represents the tree
$Bnode\ 3\ Null\ (Bnode\ 0\ Null\ Null)$
as illustrated in figure 5.2.
We eliminate a node by the operator which performs recursion or induction, which we shall call Rec. The idea of an induction is to prove
$C(node\ a\ f)$
on the basis of proofs of
$C(p)$
for all the predecessors p of the node. Remember that the predecessors are given by the values of the function f over the type $B(a)$, so that this collection of proofs will have the form
$pr : (\forall y : B(a)) . C(f\ y)$
The object which performs the proof transformation, i.e. the induction step of the proof, for a particular node (node a f) is therefore an object $tr_{a,f}$ of type
$tr_{a,f} : (\forall y : B(a)) . (C(f\ y) \Rightarrow C(node\ a\ f))$
Finally, this should be parametrised over f and a, giving our general proof transformer or induction step as an object of type
$(\forall a : A)(\forall f : (B(a) \Rightarrow (W x : A) . B(x)))((\forall y : B(a))C(f\ y) \Rightarrow C(node\ a\ f))$
which we shall abbreviate $Ind(A, B, C)$. Now we can state our rule

Elimination Rule for W

       w : (W x : A).B(x)    R : Ind(A, B, C)
     ------------------------------------------ (W E)
               (Rec w R) : C(w)

Note that on the basis of this, if we discharge the first assumption, we have
$\lambda w . (Rec\ w\ R) : (\forall w : ((W x : A) . B(x))) . C(w)$
showing that the rule (W E) defines a function over the well-founded type $(W x : A) . B(x)$ by induction. What is the computation rule for these objects? The value at a node (node a f) is computed from the values at the predecessors, and those predecessors themselves, using the R operator.

Computation Rule for W

      Rec (node a f) R  →  R a f (λx . Rec (f x) R)

Observe that as x ranges over $B(a)$, (f x) ranges over the predecessors of node a f, so that
$\lambda x . Rec\ (f\ x)\ R$
ranges over the values of the recursive function on the predecessors of the node node a f. Also the parameter f specifies the predecessors themselves.
Consider the type tree again. How do the elimination and computation rules for the W type generalise those for tree? In the case of tree, recall that
$A \equiv_{df} (\top \vee N)$
$B(null) \equiv_{df} \bot$
$B(bnode\ n) \equiv_{df} N_2$
How can we define an operator R
$R : (\forall a : A)(\forall f : (B(a) \Rightarrow (W x : A) . B(x)))((\forall y : B(a))C(f\ y) \Rightarrow C(node\ a\ f))$
for these types? We need to define $R(a)$ for each a in A. Starting with null, we have to define an object of type
$(\forall f : (\bot \Rightarrow (W x : A) . B(x)))((\forall y : \bot)C(f\ y) \Rightarrow C(node\ a\ f))$
What are the functions f of type $(\bot \Rightarrow (W x : A) . B(x))$? If we adopt an extensional approach there is but one, the function efun, since the domain
of the function is the empty type. In that case we have to define an object of type
$((\forall y : \bot)C(f\ y) \Rightarrow C(Null))$
(where we replace (node null efun) with Null). What is the domain type here? Again it is easy to argue that there is a single function in the dependent type $(\forall y : \bot)C(f\ y)$, so that the function type above collapses to
$C(Null)$
In other words, our starting value for the induction is a single value of type $C(Null)$, just as it is in the rule (tree E). A similar argument, with fewer simplifications, allows us to see that the case of the nodes
$(Bnode\ n\ u\ v)$
is also covered by R applied to the elements (bnode n); we leave this as an exercise for the reader.
Finally, we look at the computation rule in the case of the Null node. We assume that R is determined for tree as outlined above, and note that the general rule is
$Rec\ (node\ a\ f)\ R \to R\ a\ f\ (\lambda x . Rec\ (f\ x)\ R)$
In the case of (node null efun), it becomes
$Rec\ Null\ R \to R\ null\ efun\ (\lambda x . Rec\ (efun\ x)\ R)$
but recalling the definition above, the right hand side is simply the value
$c : C(null)$.
A similar argument applies in the Bnode case.
It is worth observing that we needed to move to an extensional equality between functions to prove the uniqueness of the function from an empty domain. If it is wished to remain in an intensional system, the alternative seems to be to introduce the rules explicitly, type-by-type. Another alternative is to introduce a type of finite functions, which can be treated extensionally in an intensional system; this would only work for a limited class of W types, in which A is finite and $B(a)$ is finite for each a : A.
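As an added example (not from the book), here is a small Python model of the W type: nodes built by node a f, the operator Rec evaluated by its computation rule, the tree instance worked through above (including the fact that the predecessor function of a null node is never consulted), and, going beyond the text, an infinitely branching instance in which B(lim) is the natural numbers. Node, rec, Bnode, size, labels, height_at and the other names are the example's own choices.

```python
# Added example, not from the book: a Python model of the W type (W x:A).B(x),
# with node a f for (W I) and an operator rec implementing (W E) by its
# computation rule.  It is instantiated to the type tree of the text and, going
# beyond the text, to an infinitely branching type of ordinal notations.
# Node, rec, Bnode, size, labels, height_at etc. are this example's own names.

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Node:
    """(W I): node a f, with a : A the sort and f : B(a) => W the predecessors."""
    a: Any
    f: Callable[[Any], "Node"]


def rec(w: Node, R):
    """(W E) evaluated by the computation rule
         Rec (node a f) R  ->  R a f (lambda x . Rec (f x) R)
    R receives the predecessors as the *function* x |-> Rec (f x) R over B(a),
    so at an infinitely branching node only the places R asks for are visited."""
    return R(w.a, w.f, lambda x: rec(w.f(x), R))


# --- tree as a W type: A = (T or N), B(null) = empty, B(bnode n) = N_2 -------
NULL_SORT = ("null",)                 # null = nu Triv, the one element of T

def bnode(n):                         # bnode n, the injection of a number
    return ("bnode", n)

def efun(x):
    """The unique function out of the empty type (abort); never applied."""
    raise AssertionError("abort: B(null) is empty, efun takes no argument")

LEFT, RIGHT = 1, 2                    # 1_2, 2_2 : N_2, names of predecessor places

Null = Node(NULL_SORT, efun)          # node null efun

def Bnode(n, u, v):
    """node (bnode n) f_{u,v}, where f_{u,v} = lambda x . cases_2 x u v."""
    return Node(bnode(n), lambda x: u if x == LEFT else v)

def size(t: Node) -> int:
    """Number of Bnode nodes, by Rec.  At a null node the predecessor function
    is never consulted: the hypothesis (forall y : empty) C(f y) => C(Null)
    collapses to a single value, here 0."""
    def R(a, f, prev):
        if a == NULL_SORT:
            return 0
        return 1 + prev(LEFT) + prev(RIGHT)
    return rec(t, R)

def labels(t: Node) -> list:
    """In-order list of the numbers carried by the Bnode nodes, by Rec."""
    def R(a, f, prev):
        if a == NULL_SORT:
            return []
        return prev(LEFT) + [a[1]] + prev(RIGHT)
    return rec(t, R)

EXAMPLE_TREE = Bnode(3, Null, Bnode(0, Null, Null))   # the tree of figure 5.2


# --- an infinitely branching W type: A = {zero, suc, lim}, B(lim) = N -------
ZERO, SUC, LIM = "zero", "suc", "lim"
UNIT = ()                             # the one element of B(suc)

def zero():
    return Node(ZERO, efun)

def suc(o):
    return Node(SUC, lambda _: o)

def lim(seq):                         # seq : N => ordinal gives the predecessors
    return Node(LIM, seq)

def height_at(o: Node, k: int) -> int:
    """Rec over the infinitely branching type: the number of suc and lim nodes
    met when every limit node is entered at predecessor place k.  Only one
    predecessor of each lim node is evaluated, so the recursion terminates."""
    def R(a, f, prev):
        if a == ZERO:
            return 0
        if a == SUC:
            return 1 + prev(UNIT)
        return 1 + prev(k)            # a == LIM: follow the k-th predecessor
    return rec(o, R)

def finite(n):
    """The notation for the natural number n: suc applied n times to zero."""
    o = zero()
    for _ in range(n):
        o = suc(o)
    return o

def omega():
    """omega = lim (n |-> finite n), the first infinite ordinal."""
    return lim(finite)


if __name__ == "__main__":
    print(size(EXAMPLE_TREE), labels(EXAMPLE_TREE))            # 2 [3, 0]
    print(height_at(omega(), 5), height_at(suc(omega()), 3))   # 6 5
```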
Making the argument above more formal, we can say that we have established that certain types are extensionally isomorphic, where this is defined thus.
Definition 5.38 Two types A and B are extensionally isomorphic if there are two functions
$f : A \Rightarrow B \qquad g : B \Rightarrow A$
so that the following proposition is derivable.
$(\forall x : A) . (g(f\ x) \simeq_A x) \wedge (\forall y : B) . (f(g\ y) \simeq_B y)$
The two functions f, g form an isomorphism pair, up to extensional equality.
We can simplify some of the notation above when we are looking at the recursive definitions of functions of non-dependent type; in these cases C will not be parametrised. Note that in proofs, though, it is crucial that C is parametrised, as otherwise we are proving the same proposition repeatedly, which is safe but not very useful.
As we remarked earlier, these recursions and inductions are made much more readable by the introduction of names. This is clearly a feature which has to be added to the W-types as `syntactic sugar' if they are to be used in a real programming environment.
Definition 5.39 We call the system of TT with the full rules for W $TT^+$, retaining the name TT for the system containing just tree or equivalently all W types for which all the predecessor types $B(a)$ are finite.
Theorem 5.40 $TT^+$ is strongly normalising, has the Church-Rosser property, and both convertibility and the derivability of judgements of the form a : A are decidable.
Proof: Exactly as section 5.6. □
5.10.3 Algebraic types in Miranda
Our method here has been adopted for two reasons. It provides a simple way of writing down objects like trees without our having to introduce names for constructors, which is what we do in (e.g.) Miranda. We also see that it provides a non-trivial generalisation of finite `algebraic' types. There was no stipulation that the sets of predecessor places, $B(a)$, need be finite, and so we can have infinitely branching trees as objects of our language. This allows us to define, for example, the countable ordinal numbers. In fact, we can do a similar thing in Miranda, thus:
ordinal ::= Zero |
            Suc ordinal |
            Limit (nat -> ordinal)
In fact, in Miranda we can define more general types still.
• We can define a number of types by definitions which are mutually recursive. These, if they are well-founded, can be modelled in TT by a definition of a sum type, from which we project the types of interest.
• The Miranda mechanism allows definitions in which the type under construction can appear in the domain position of a function space, such as
model ::= Atom nat |
          Function (model -> model)
Such a type can be seen as a model of the untyped λ-calculus; it is not a well-founded type, however, and it cannot be fitted into the W-type framework. If we wish to include only well-founded types in the Miranda algebraic type mechanism, we would have to disallow the type under definition from appearing in the domain type of a function space which is the argument to a constructor. (In fact we could be more liberal than this, only disallowing the type being defined from negative occurrences: the polarity of an occurrence is reversed, recursively, for an occurrence in the domain position of a function space constructor.)
Reasoning about general non-well-founded types and objects is performed by so-called fixed-point induction [Sto77].
In Miranda we are also able to define mutually recursive types. They can be given a type-theoretic treatment similar to that of trees and lists above. For more details see [BCMS89, Section 6], or the paper [PS87].
Exercises
5.31. Argue that in the case of $a \equiv (bnode\ n)$, for which $B(a) \equiv N_2$, the type
$(\forall f : (N_2 \Rightarrow tree))((\forall y : N_2)C(f\ y) \Rightarrow C(node\ a\ f))$
is extensionally isomorphic to the type
$(\forall u : tree) . (\forall v : tree) . (C[u/x] \Rightarrow C[v/x] \Rightarrow C[(Bnode\ n\ u\ v)/x])$
It might be useful to think of the f as one of the $f_{u,v}$ defined above. You should then argue that the types
$(\forall y : N_2)C(f_{u,v}\ y) \Rightarrow C(node\ a\ f)$
and
$(C[u/x] \Rightarrow C[v/x] \Rightarrow C[(Bnode\ n\ u\ v)/x])$
are extensionally isomorphic.
5.32. Show that the computation rule for R specialises to that for trec for the nodes (Bnode n u v).
5.33. Show that the natural numbers can be represented as a W type.

5.11 Expressibility
This section gives a characterisation of the functions which can be written in the system $TT_0$.
Definition 5.41 A term e of $TT_0$ (or TT, $TT^+$) represents the function f over the natural numbers if and only if for all natural numbers $n_1, \ldots, n_k$,
$e\ \bar{n}_1 \ldots \bar{n}_k \twoheadrightarrow \overline{f\ n_1 \ldots n_k}$
where $\bar{n}$ is the representation of the natural number n, given by
$\underbrace{succ\,(succ \ldots (succ\ 0))}_{n}$
How can we characterise the functions f which are representable? First we know by the normalisation theorem that they are recursive, since for each term e, to find the value of
$e\ \bar{n}_1 \ldots \bar{n}_k$
we simply have to reduce the expression to normal form, and the application of the rules is certainly a mechanical process. It is equally clear that we cannot represent all recursive functions in this way, since if we could a diagonalisation argument would lead to a contradiction. (For an exposition of the elementary details of computability theory see, for example, [Cut81, Rog67].)
We thus have that the class of functions is properly contained between the classes of primitive recursive functions and total recursive functions. A clue to the precise characterisation lies in the normalisation result, and the formalisation of its proof term by term.
Theorem 5.42 For each term e of $TT_0$, the proof of normalisation of e can be formalised in the theory of first-order intuitionistic arithmetic, HA, or its classical counterpart PA.
Proof: The proof uses a coding (or Gödel numbering) of the system $TT_0$ within the theory of arithmetic. It involves checking that the steps of the proof outlined in section 5.6 can be encoded thus. □
Note that the result does not claim that the complete normalisation proof can be coded as a whole: the coding is uniform, but the individual results cannot be combined into a single proof, as the logical complexity of the individual proofs grows unboundedly with the complexity of the expression e.
Just as we explained what it was for a function f to be representable in one of our type theories, we can define how a function is representable in PA.
Definition 5.43 The term g of PA represents a k-ary function f if and only if for all $n_1, \ldots, n_k$,
$PA \vdash g\ \bar{n}_1 \ldots \bar{n}_k = \overline{f\ n_1 \ldots n_k}$
where $\bar{n}$ is the representation of the natural number n in PA.

Definition 5.44 A representable k-ary function f is provably total in PA (HA) if and only if we can prove in PA (HA) that its representative is total, i.e.
$PA \vdash (\forall x_1, \ldots, x_k)(\exists y)(g\ x_1 \ldots x_k = y)$

Theorem 5.42 can be seen now in a slightly different light, showing that every function representable in $TT_0$ is provably total in PA. We can also prove a converse to this, which shows that all functions provably total in PA can be represented in $TT_0$. The origins of this result lie with Gödel's Dialectica interpretation of PA in a theory of functions which itself can be viewed as a subtheory of $TT_0$ [G58]. More details of this and many other topics relating to the metamathematics of intuitionism can be found in [Tro73].

Theorem 5.45 A function f over the natural numbers is representable in $TT_0$ if and only if it is provably total in PA (or HA).

The author is unaware of precise characterisations of the functions representable in the stronger theories TT and $TT^+$, although [Bee85] gives some partial results, including one for a system with a single universe. Whatever the case, the class of functions representable in the type theories is very large, and indeed it can be argued that this more than encompasses all the functions we might ever wish to program. In terms of sheer computation time all the functions we program are primitive recursive, in the sense that by suitable transformation any more complex calculations can be bounded by primitive recursive bounds. This is not the most natural way to proceed; in the next chapter we look at the ways in which functions are most naturally implemented in the language.
Exercise
5.34. One function which cannot be written in TT is an interpreter for the expressions of TT itself. Discuss how a bounded interpreter for the language can be written.

5.12 The Curry Howard Isomorphism?

The identification of propositions and types, proofs and objects has been fundamental to our investigation so far. In this section we look at two aspects of the system which seem not to fit with this identification.

5.12.1 Assumptions
Suppose we have a proof p of the proposition B depending upon the assumption A. The rule of ⇒ introduction allows us to derive $A \Rightarrow B$ without the assumption of A. There may be a number of occurrences of A in p; without loss of generality all these are discharged by the implication introduction. This intuitive account is not an accurate account of the rule (⇒I); only the assumptions of A named x are discharged in the application

       [x : A]
          :
         e : B
     ------------------ (⇒I)
      λx . e : A ⇒ B

and if e also contains y : A, the proof of $A \Rightarrow B$ still depends upon A. The alternative rule, which we call $(\Rightarrow I)_{alt}$, would discharge all assumptions of A. It might be argued that the rule (⇒I) allows the user of the system more freedom in proof construction. This is the case, but nonetheless it allows no more theorems to be proved, for we can simply replace all occurrences of (⇒I) by $(\Rightarrow I)_{alt}$, some of the applications of the latter resulting in vacuous discharges of the hypothesis of the implication.
On the other hand, named variables are crucial, as can be seen by the derivation

       [x : N]^2    [y : N]^1
     ---------------------------
             (x + y) : N
     --------------------------------- (⇒I)^1
        λy . (x + y) : N ⇒ N
     --------------------------------------- (⇒I)^2
        λx . λy . (x + y) : N ⇒ N ⇒ N

For the object $\lambda x . \lambda y . (x + y)$ to have the proper computational behaviour, it is crucial that the two assumptions x : N and y : N are distinct, and that x : N is not identified with y : N. As far as the inhabitation of the proposition $N \Rightarrow N \Rightarrow N$ is concerned, it is irrelevant, naturally.
The mismatch here can be traced to the divergence of interests between the users of a logical system, who are primarily interested in proving theorems, that is in showing that particular types are inhabited, and the users of a programming language who are interested in the behaviour of many
different objects of a given type. On the other hand, the proof theorist who studies the general behaviour of logical systems is interested in such behaviour. We look at this next.

5.12.2 Normal Forms of Proofs

When we discussed computation and reduction in section 5.5 the emphasis was from the programming point of view: we argued that the expressions we were interested in studying were closed expressions of ground type: these are the printable values of a functional language. If we think of the expressions as denoting proofs of formulas, then neither assumption is tenable. We are interested in proofs of expressions like
$(A \Rightarrow B) \Rightarrow (A \Rightarrow C)$
which are not of ground type, and which may depend upon assumptions (in this case, on $A \Rightarrow (B \Rightarrow C)$ say).
Proof theorists, such as Prawitz in his pioneering study of Natural Deduction, [Pra65], are interested in showing that
[The] rules allow the deduction to proceed in a certain direct fashion, affording an interesting normal form for deductions.
[Pra65] shows the normal form theorem for proofs in a number of different systems of deduction, including first- and second-order classical and intuitionistic logic. The crucial reduction to ensure `directness of proof' is that embodied in our computation rules: the elimination of a formula just introduced can be avoided. For example, the rule of β-reduction is interpreted as saying that the natural deduction proof

          [A]
           :
           B                :
     -------------- (⇒I)    A
         A ⇒ B
     ----------------------------- (⇒E)
                  B

can be transformed to

       :
       A
       :
       B

in which the proof of A replaces the assumption(s) of A in the proof of B.

The computation rules are not the only simplifications possible. For the reasons above, the arguments of 2.11 do not apply, and so we have another mismatch. The extra rules come in two different forms. Instead of replacing `introduction then elimination' we can also replace `elimination then introduction'. These are examples of the equivalence rules we discussed earlier. For example, we might encounter the following steps in a proof.

      [A]   A ⇒ B                  A ∧ B         A ∧ B
     -------------- (⇒E)         -------- (∧E1)  -------- (∧E2)
           B                        A             B
     -------------- (⇒I)         ------------------------- (∧I)
         A ⇒ B                            A ∧ B

both of which are completely irrelevant to the result of the proof. The corresponding reduction rules in type theory are
$\lambda x . (f\ x) \to f$ if x not free in f
$(fst\ p, snd\ p) \to p$
and for each type we can devise a similar rule. The reading we have given to the rules above shows that as far as proofs are concerned, they do perform a simplification.
The other class of commutation rules are included in the system studied by Prawitz for more technical reasons, which are discussed by him and also in [GLT89, Section 10]. The simplest is the equivalence between

        P1       P2                                 P2       P3
      ------    -----                              -----    ----
      ∃x.B       F                       P1         F
     ----------------- (∃E)    P3      ------    ------------------ (R)
            F                 ----     ∃x.B              D
     -------------------------------- (R)   ------------------------------ (∃E)
                   D                                     D

in which we can see that the proof of D from F and the proof P3 can be performed before or after the existential elimination. Any orientation of this equivalence into a reduction rule will be arbitrary. Prawitz chooses to reduce the left-hand to the right-hand side.
These considerations seem to be motivated by proof-theoretic considerations, but a final twist is added by their link with the discussion of the computational efficiency (or otherwise) of certain rules, and in particular the considerations which lead us to the strong elimination rules of section 7.7.

Chapter 6

Applying Type Theory

This hapter investigates the di erent ways in whi h the system of type
theory an be used.
 We are already familiar with type theory as a onstru tive logi , and
have seen a number of examples of proofs being built in, for example,
se tions 4.5 and 4.6.1.
 We have also seen that T T an be seen as a fun tional programming
language, with a number of novel features, su h as:
{ Every expression has a de ned value; every program terminates.
{ The system of types is more expressive than those in ommon
use, allowing as it does dependent produ t and fun tion spa es.
{ The fun tional language is integrated with a logi in whi h to
reason about the programs.
 Another view of program development is provided by the insight that
in T T we an think of programs as being extra ted from onstru -
tive proofs. This ombines the two interpretations in an elegant and
powerful way.
 Not only an we use the logi al system to reason about the prop-
erties of programs, we an also use to system to support program
transformation.
 Finally, we show how we an develop imperative programs within a
type-theoreti framework.

195
We begin our discussion by looking at TT as a functional language. We assume that the reader is familiar with the elements of functional programming as covered in [BW88] and [Rea89], so that in choosing examples we look for distinctive features of programming in TT, rather than running through the traditional repertoire of functional programming techniques.
In section 6.1 we show how primitive recursion is used to define functions and types (or propositions). Because the language is terminating, a number of familiar functions, like the function taking the head of a list, need to be defined in novel ways. Using the more expressive type system we are able to give the head function its `proper' type, as a function acting over the type of non-empty lists. TT contains only primitive recursion over each primitive type; we show how more complex forms of recursion, like course-of-values recursion, can be programmed in TT.
In section 6.2 we investigate a larger example, that of the quicksort function over lists. Here we develop the program first and then prove that it meets its specification, showing that we have a system in which programming and verification are integrated. We follow this with a more detailed survey of the uses of dependent types, especially in the presence of universes. These give dependent function and sum types, which can be seen to support polymorphic functions, abstract data types, type classes (à la Haskell, [HW90]) and modules. In section 6.4 we apply these ideas in developing a type of vectors.
We look at how programs can be extracted from a number of simple derivations in section 6.5, before discussing a general strategy for program derivation in section 6.6. We also use this opportunity to give a novel view of specifications in type theory, and examine the ideas in the context of the well-known problem of the Dutch (or Polish) National Flag.
Our view of programming has been exclusively functional up to this point. In section 6.8 we argue that imperative programs can be seen as functional programs of a particularly restricted sort, the tail-recursive functions. We can thus view TT as extending an imperative programming language and we give a general result about the transformation of primitive recursive programs into tail-recursive form, after looking at various concrete examples.
We conclude the chapter with a survey of other examples discussed in the literature of type theory.

6.1 Recursion
One of the properties of the systems of type theory $TT_0$, TT and $TT^+$ is strong normalisation: every computation sequence terminates. This means that the system does not permit full general recursion to be used, as in an unrestricted form this can lead to non-termination. A simple example is given by
$f\ 0 \equiv_{df} 0$
$f\ (n + 1) \equiv_{df} f\ (n + 2) + 1$
and other, less obvious, examples can be constructed.
As a counterbalance to the weaker recursion operation, we have a more powerful type system than is common in programming languages. We are able thus to express more precisely the true types of functions, using for instance the existential quantifier to build a subset type, over which the function is total.
In some cases, the definition of the function itself depends upon an inductive proof that it terminates; the effect of this is to give functions whose definitions manipulate information witnessing certain facts, as well as the computational data. This intermingling of verification and computation is characteristic of type theory.
We concentrate on examples over the natural numbers and lists in this section, with some introduction of quantified types as we go along. We look in more depth at these types in the next section.
Before examining particular examples of definitions, it is worth mentioning that two general methods present themselves.
• Theorem 5.45 shows that anything provably total in PA can be programmed in $TT_0$, and indeed the proof will provide a term. This does beg the question of how the function is proved total; we would argue that the system $TT_0$ provides exactly the right environment in which to give such proofs, as it allows a constructive derivation of the function which assures its totality.
• Proof theorists have characterised classes of provably total functions by means of the well-orderings which can be used in defining these functions by recursion [Sch77]. We could use this characterisation to give functions in $TT_0$, but again would argue for the natural nature of the system itself. There have been a number of proposals for incorporating principles of well-founded or general recursion; we look at these in section 7.9.

6.1.1 Numerical functions

We look at some examples embodying common patterns of recursion, and
show how they are coded in $TT_0$. First, consider the naive addition algorithm,
$$\mathit{add}\ a\ 0 \equiv_{df} a$$
$$\mathit{add}\ a\ (n+1) \equiv_{df} \mathit{add}\ (a+1)\ n$$
This appears to be primitive recursive, except for the fact that the argument
$a$ is increased on the recursive call. To make a properly primitive recursive
definition, we observe that we can define the values $\mathit{add}\ a\ n$ simultaneously
for all $a$, by induction on $n$. In other words, we define the functions
$$\lambda a . (\mathit{add}\ a\ n)$$
by induction over $n$. That this is possible is due to the fact that in the
definition of $\mathit{add}\ a\ (n+1)$ we appeal to a value of $\mathit{add}$ with second argument
$n$. Formally, if we let $C \equiv_{df} (N \Rightarrow N)$, then at the base case we define
$$c \equiv_{df} \lambda a . a \;:\; C$$
To give the recursion step, we say
$$f\ n\ h\ a \equiv_{df} h\ (a+1)$$
where $n, a : N$ and $h : C$. This gives
$$f : (N \Rightarrow C \Rightarrow C)$$
and so by a simplified form of $(NE)$ in which $C$ is constant,
$$\frac{n : N \qquad c : C \qquad f : (N \Rightarrow C \Rightarrow C)}{\mathit{prim}\ n\ c\ f : C}\ (NE)$$
with the reduction properties
$$\mathit{prim}\ 0\ c\ f\ a \;\to\; c\ a \;\equiv\; (\lambda a . a)\ a \;\to\; a$$
$$\mathit{prim}\ (n+1)\ c\ f\ a \;\to\; f\ n\ (\mathit{prim}\ n\ c\ f)\ a \;\to\; (\mathit{prim}\ n\ c\ f)\ (a+1)$$
We therefore have the definition
$$\mathit{add} \equiv_{df} \lambda a . \lambda n . (\mathit{prim}\ n\ c\ f\ a)$$
There is an analogy between the generalisation we had to make here, from
defining one function to defining a class of functions simultaneously, and
the generalisations of induction hypotheses we often have to make when
we prove a result by induction. If $+$ is the usual addition operator and we
wish to prove that
$$\mathit{add}\ a\ n = (a + n)$$
by induction, then the hypothesis we shall have to take is that
$$(\forall a : N) . (\mathit{add}\ a\ n = (a + n))$$
rather than the `bare' equation with $a$ as a parameter.

Primitive recursion defines a value at $(n+1)$ from the value at the
immediate predecessor $n$; sometimes it is natural to use a value at a
number $m$ smaller than $n$. A case in point is the power function
$$\mathit{power}\ k\ 0 \equiv_{df} 1$$
$$\mathit{power}\ k\ n \equiv_{df} (\mathit{power}\ k\ (n\ \mathit{div}\ 2))^2 \times k^{(n\ \mathit{mod}\ 2)}$$
where the value at positive $n$ is derived from that at $(n\ \mathit{div}\ 2)$. (Note that
we are not using the power function in the second multiplicand: this is
either $1$ or $k$ depending upon whether $n$ is even or odd. Observe also that,
in contrast to the first argument of $\mathit{add}$, here $k$ is simply a parameter
of the definition: its value is unchanged on the recursive call.)

This definition provides an example of a general phenomenon, called
course-of-values recursion. To give a sketch of the method, we replace a
definition of the form
$$f\ 0 \equiv_{df} a$$
$$f\ (n+1) \equiv_{df} \ldots f\ 0 \ldots f\ 1 \ldots f\ n \ldots$$
by a definition of the function
$$g\ n \equiv_{df} [f\ 0, \ldots, f\ n]$$
which has as its value at $n$ the list of values of $f$ on numbers up to $n$. The
definition of $g\ (n+1)$ is made by defining $f\ (n+1)$ from the list $g\ n$ and
appending the value to the list. We obtain the value $f\ n$ by taking the last
value in the list $g\ n$. We shall show how to realise this form of definition in
type theory after looking at lists.
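The constant-type form of $\mathit{prim}$ and the primitive recursive coding of $\mathit{add}$ through it, as an added Python example that is not part of the book; it assumes nothing beyond the definitions above, and the loop in `prim` is a direct unrolling of the two reduction rules for $\mathit{prim}$:

```python
# Added example (not from the book): the constant-type instance of the
# N-elimination operator prim, and the naive addition algorithm coded through
# it by defining the functions (lambda a. add a n) simultaneously for all a.

def prim(n, c, f):
    """prim n c f: c is the value at 0, f k h builds the value at k+1 from h,
    the value at k.  Terminates for every natural n because the recursion is
    driven by n alone (the constant-C instance of the rule (NE))."""
    if n < 0:
        raise ValueError("prim is defined over the natural numbers only")
    value = c
    for k in range(n):            # unroll: prim (k+1) c f -> f k (prim k c f)
        value = f(k, value)
    return value

def add_naive(a, n):
    """The definition as written: add a 0 = a, add a (n+1) = add (a+1) n.
    Not primitive recursive in the first argument, which grows on each call."""
    return a if n == 0 else add_naive(a + 1, n - 1)

# The primitive recursive version: C = (N => N), base c = lambda a.a,
# step f n h a = h (a+1).  The value computed at each n is a whole function.
c = lambda a: a
f = lambda n, h: (lambda a: h(a + 1))

def add(a, n):
    """add = lambda a. lambda n. prim n c f a"""
    return prim(n, c, f)(a)

def check_add(limit=20):
    """The generalised induction hypothesis (forall a) add a n = a + n, checked
    on a finite range; returns True when every case agrees with add_naive."""
    return all(add(a, n) == a + n == add_naive(a, n)
               for a in range(limit) for n in range(limit))
```

The point to notice is that `prim` never sees the argument `a` at all: the recursion is on `n`, and `a` is supplied only after the function-valued result has been built, which is exactly why the definition fits the primitive recursive scheme.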
Exercises

6.1. Show how to define the `natural subtraction' operation over the natural
numbers
$$\mathit{natsub}\ m\ n \equiv_{df} \mathit{max}\ 0\ (m - n)$$
where $(m - n)$ is intended to denote integer subtraction.

6.2. In section 5.3 we gave a definition of the type of integers: how would
you define the arithmetic operations of addition, subtraction and multiplication
over the integers defined in that way?

6.1.2 Defining propositions and types by recursion

Using the universes $U_0, U_1, \ldots$ we can make definitions of parametric types
or propositions by recursion. Consider the predicate `non-zero' over the
natural numbers. One way to define it is to use the equality relation over
$N$ and say
$$\mathit{nonzero}\ n \equiv_{df} \neg(n =_N 0)$$
If $n$ is zero then an element of this type will be a function
$$(0 =_N 0) \Rightarrow \bot$$
which when applied to the equality witness will yield $\bot$, so this type is
inhabited if and only if every type is. On the other hand it can be shown
that for every other element of $N$, the type will be inhabited, a consequence
of the axiom which asserts that the two boolean values are distinct:
$$ax : \neg(\mathit{True} =_{bool} \mathit{False})$$
which was introduced in chapter 4.

Rather than defining the predicate in terms of other predicates, we can
simply give a direct definition of it, as a function with result in $U_0$. We say
that
$$nz\ 0 \equiv_{df} \bot$$
$$nz\ (n+1) \equiv_{df} \top$$
The proof objects in this case are either non-existent, in the case of $0$, or
$\mathit{Triv}$, the trivial proof, in the case of $(n+1)$. Recalling the type of lists
introduced earlier, we can give a similar definition of the predicate for non-empty
lists:
$$\mathit{nonempty} : [A] \Rightarrow U_0$$
$$\mathit{nonempty}\ [\,] \equiv_{df} \bot$$
$$\mathit{nonempty}\ (a :: x) \equiv_{df} \top$$
Given this predicate we can define the type of non-empty lists thus:
$$\mathit{nelist}\ A \equiv_{df} (\exists l : [A]) . (\mathit{nonempty}\ l)$$
elements of which will be pairs
$$(l, p)$$
with $p : (\mathit{nonempty}\ l)$. In the case that $l$ is empty, this $p$ would have to be a proof of
$\bot$, so there are no such elements; in any other case it will be $\mathit{Triv}$.

In the cases above we have simply used the case analysis aspect of
primitive recursion in making the definitions. Now we look at an example
which uses the full power of recursion in defining the `less than' relation
over the natural numbers.

Informally, nothing is smaller than zero, zero is smaller than $n+1$,
and $m+1$ is smaller than $n+1$ if and only if $m$ is smaller than $n$. Two
possibilities suggest themselves for the representation of the relation. We
can define the boolean function
$$lt_1 : N \Rightarrow N \Rightarrow bool$$
$$lt_1\ m\ 0 \equiv_{df} \mathit{False}$$
$$lt_1\ 0\ (n+1) \equiv_{df} \mathit{True}$$
$$lt_1\ (m+1)\ (n+1) \equiv_{df} lt_1\ m\ n$$
The proposition that $m$ is smaller than $n$ is given by the equality
$$I(bool, lt_1\ m\ n, \mathit{True})$$
The alternative is direct.
$$lt_2 : N \Rightarrow N \Rightarrow U_0$$
$$lt_2\ m\ 0 \equiv_{df} \bot$$
$$lt_2\ 0\ (n+1) \equiv_{df} \top$$
$$lt_2\ (m+1)\ (n+1) \equiv_{df} lt_2\ m\ n$$
so that for $m$ and $n$ in $N$
$$lt_2\ m\ n$$
is itself a proposition. (Note that in both these cases, we have to make the
definitions simultaneously on all the values of the first argument.) In what
follows we shall use the second of these definitions, so that $lt \equiv_{df} lt_2$ and
we shall write $lt\ m\ n$ thus: $m < n$.

Exercises

6.3. Show that, given the axiom asserting that the boolean values are
distinct, the proposition
$$(\forall x : N) . ((x =_N 0) \vee \neg(x =_N 0))$$
is inhabited.

6.4. Show that for all natural numbers $n$ and $m$ the propositions $lt_1\ m\ n$
and $lt_2\ m\ n$ are equivalent.

6.5. How would you formulate the relation `less than or equal to' by analogy
with the formulations above?

6.6. Give a recursive definition of the iterated cartesian product operator,
which maps a type $A$ and a natural number $n$ to the product
$$\underbrace{A \wedge (A \wedge \ldots (A \wedge A) \ldots)}_{n}$$
where the product of zero copies of $A$ is defined to be $\top$. How would you
define the projection operations on these types?
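The two representations of `less than' side by side, as an added Python example that is not from the book. The model is an assumption of the example: a proposition in $U_0$ is represented by the set of its proof objects, so $\top$ is the one-element set containing the token `TRIV` and $\bot$ is the empty set, and the recursion schemes of $lt_1$ and $lt_2$ are copied verbatim.

```python
# Added example (not from the book): propositions with result in U0 modelled
# as sets of proof objects.  TOP = {TRIV} is inhabited, BOT = {} is not.
TRIV = "Triv"
TOP = frozenset({TRIV})
BOT = frozenset()

def nz(n):
    """nz 0 = bot, nz (n+1) = top: case analysis only, no recursive call."""
    return BOT if n == 0 else TOP

def lt1(m, n):
    """Boolean version: lt1 m 0 = False, lt1 0 (n+1) = True,
    lt1 (m+1) (n+1) = lt1 m n.  Recursion on the second argument, defined
    simultaneously for all values of the first."""
    if n == 0:
        return False
    if m == 0:
        return True
    return lt1(m - 1, n - 1)

def lt2(m, n):
    """Propositional version with the same recursion scheme, returning a
    type (a set of proof objects) rather than a boolean."""
    if n == 0:
        return BOT
    if m == 0:
        return TOP
    return lt2(m - 1, n - 1)

def as_proposition(b):
    """The indirect route: I(bool, lt1 m n, True) is inhabited exactly when
    the boolean is True, so it maps to TOP or BOT."""
    return TOP if b is True else BOT

def equivalent(bound=30):
    """Exercise 6.4 checked on a finite range: I(bool, lt1 m n, True) and
    lt2 m n are inhabited for the same (m, n).  Returns True if so."""
    return all(as_proposition(lt1(m, n)) == lt2(m, n)
               for m in range(bound) for n in range(bound))
```

Both functions terminate for every pair of naturals because each recursive call strictly decreases the second argument; the difference is only in what is returned, a value of $bool$ that must still be turned into a proposition, or the proposition itself.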

6.1.3 Recursion over lists: 1

Lists were introduced in section 5.10 as an example of a well-founded type,
which carries a recursion/induction operator, $\mathit{lrec}$. In this section some of
the more common list-manipulating functions are discussed. A number of
these come from the standard environment of Miranda, which is a library of
function definitions made available to the Miranda user. As we mentioned
above a non-empty list, $(a :: x)$, has a head, $a$, and a tail, $x$. Can we
define functions returning these values? There is a problem here: what
are we to do with the empty list, $[\,]$, which has neither head nor tail? The
solutions we present here can be applied to many examples of ostensibly
partial functions.

• We can supply an extra parameter to the function, which is to be
  returned in the case that the list argument is the empty list. For
  example
  $$\mathit{head}_1 : A \Rightarrow [A] \Rightarrow A$$
  $$\mathit{head}_1\ h\ [\,] \equiv_{df} h$$
  $$\mathit{head}_1\ h\ (a :: x) \equiv_{df} a$$
  In some situations, there is a `natural' choice for this element, as in the
  case of the tail function:
  $$\mathit{tail}_1 : [A] \Rightarrow [A]$$
  $$\mathit{tail}_1\ [\,] \equiv_{df} [\,]$$
  $$\mathit{tail}_1\ (a :: x) \equiv_{df} x$$

• We can make the result type of the function a sum type. Recalling
  our naming conventions from section 5.2.1, we can write
  $$\mathit{error}\ A \equiv_{df} \mathit{ok}\ A + \mathit{err}\ \top$$
  where we abbreviate $(\mathit{err}\ \mathit{Triv})$ by $\mathit{error}$. Now we can define
  $$\mathit{head}_2 : [A] \Rightarrow \mathit{error}\ A$$
  $$\mathit{head}_2\ [\,] \equiv_{df} \mathit{error}$$
  $$\mathit{head}_2\ (a :: x) \equiv_{df} \mathit{ok}\ a$$
  and similarly,
  $$\mathit{tail}_2 : [A] \Rightarrow \mathit{error}\ [A]$$
  $$\mathit{tail}_2\ [\,] \equiv_{df} \mathit{error}$$
  $$\mathit{tail}_2\ (a :: x) \equiv_{df} \mathit{ok}\ x$$

• Instead of enlarging the range of the function, we can restrict the
  domain, which is perhaps the most natural thing to do. We want to
  apply the functions to non-empty lists, so we define
  $$\mathit{nelist}\ A \equiv_{df} (\exists l : [A]) . (\mathit{nonempty}\ l)$$
  as we did in section 6.1.2. The head function can be given the type
  $$\mathit{head}_3 : \mathit{nelist}\ A \Rightarrow A$$
  so we aim to derive the head of the list $l$ on the basis of the pair $(l, r)$.
  Working by cases, if $l$ is $(a :: x)$ then the head is $a$, and we are done.
  If, on the other hand, $l$ is $[\,]$, we have
  $$\mathit{nonempty}\ l \equiv_{df} \bot$$
  so that $r : \bot$. We then have
  $$\mathit{abort}_A\ r : A$$
  which gives us the element of $A$ which was required. A similar derivation
  gives us
  $$\mathit{tail}_3 : \mathit{nelist}\ A \Rightarrow [A]$$

• We can define functions $\mathit{head}_4$ and $\mathit{tail}_4$ of type
  $$(\forall l : [A]) . (\mathit{ne}\ l \Rightarrow A) \quad\text{and}\quad (\forall l : [A]) . (\mathit{ne}\ l \Rightarrow [A])$$
  with the appropriate properties, since these types are extensionally
  isomorphic with the types of $\mathit{head}_3$ and $\mathit{tail}_3$ respectively, a property
  we proved in section 4.6.1.

Whichever choice of definition we make there will be a proof-theoretic obligation
to show that the argument is non-empty, as if it is not then

• if we are using $\mathit{head}_1$ we may get the default value as a result;

• if we are using $\mathit{head}_2$ we may get the value $\mathit{error}$ as the result rather
  than an `ok' value; and finally,

• if we are using $\mathit{head}_3$ we need a proof that the list is non-empty in
  order to apply the function itself.

In what follows we shall use the third definition, so that $hd \equiv_{df} \mathit{head}_3$ and
$tl \equiv_{df} \mathit{tail}_3$. We leave the definition of the function which returns the last
element of a non-empty list,
$$\mathit{last} : \mathit{nelist}\ A \Rightarrow A$$
as an exercise.

Two standard functions which we can define without difficulty are the
function returning the length of a list, usually written $\#$, and the function
which joins two lists together, $+\!\!+$. Equationally they are given by
$$\#\ [\,] \equiv_{df} 0$$
$$\#\ (a :: x) \equiv_{df} \#x + 1$$
$$[\,] +\!\!+ y \equiv_{df} y$$
$$(a :: x) +\!\!+ y \equiv_{df} a :: (x +\!\!+ y)$$
The reader should have no problem putting them in $\mathit{lrec}$ form.

With the example of course-of-values recursion in mind, we need to
define a function which will extract one of the values from a list. Informally,
$$[a_0, \ldots, a_{n-1}]\ !\ m \equiv_{df} a_m$$
What do we do when $m$ is out of the range $0, \ldots, n-1$? One option is to
return a default value, or the last value in the case of a non-empty list, but
we can define the function so that its type is sufficiently restricted not to
allow indexing which is `out of range'. Given a list $l$ the permissible indices
are those less than the length $\#l$. The next subsection explores various
options for this.
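The three ways of totalising $\mathit{head}$, as an added Python example that is not from the book. The representations are assumptions of the example: the sum type $\mathit{error}\ A$ is a tagged pair, and an element of $\mathit{nelist}\ A$ is a pair $(l, p)$ whose witness $p$ is checked when the pair is formed, so that the empty list can never reach $\mathit{head}_3$ at all.

```python
# Added example (not from the book): totalising head on the empty list by
# (1) a default, (2) an error sum type, (3) restricting the domain to nelist A.
from typing import Any, List, Tuple

TRIV = "Triv"
OK, ERR = "ok", "err"
ERROR = (ERR, TRIV)            # the abbreviation error = err Triv

def head1(default: Any, lst: List[Any]) -> Any:
    """head1 h [] = h ; head1 h (a::x) = a.  Total, but a caller cannot tell a
    genuine head from the default without a separate proof of non-emptiness."""
    return default if not lst else lst[0]

def head2(lst: List[Any]) -> Tuple[str, Any]:
    """head2 [] = error ; head2 (a::x) = ok a.  Total, with the failure made
    visible in the result type, so every caller must case-split on the tag."""
    return ERROR if not lst else (OK, lst[0])

def nonempty(lst: List[Any]):
    """nonempty [] = bot (no proofs), nonempty (a::x) = top (proof Triv)."""
    return frozenset() if not lst else frozenset({TRIV})

def can_form_nelist(lst: List[Any]) -> bool:
    """True iff (exists l:[A]).(nonempty l) has an element with list part lst."""
    return bool(nonempty(lst))

def nelist(lst: List[Any]) -> Tuple[List[Any], Any]:
    """Builds (l, p) : nelist A.  For l = [] the type nonempty l is bot, which
    has no proof object, so the pair cannot be formed."""
    proofs = nonempty(lst)
    if not proofs:
        raise ValueError("cannot form (l, p): nonempty [] is bot")
    return (lst, next(iter(proofs)))

def abort(proof_of_bot: Any) -> Any:
    """abort_A r for r : bot.  Unreachable for a well-formed nelist argument."""
    raise AssertionError("abort: a proof of bot was supplied: %r" % (proof_of_bot,))

def head3(ne: Tuple[List[Any], Any]) -> Any:
    """head3 : nelist A => A, derived by cases on the list component."""
    lst, r = ne
    if lst:
        return lst[0]
    return abort(r)            # l = [] forces r : bot

def tail3(ne: Tuple[List[Any], Any]) -> List[Any]:
    """tail3 : nelist A => [A], by the same case analysis."""
    lst, r = ne
    if lst:
        return lst[1:]
    return abort(r)

def last3(ne: Tuple[List[Any], Any]) -> Any:
    """last : nelist A => A.  The recursive call re-forms a nelist from the
    tail, which succeeds because the tail is non-empty when #l > 1."""
    lst, _ = ne
    if len(lst) == 1:
        return lst[0]
    return last3(nelist(lst[1:]))
```

With `head3` the obligation to show the argument non-empty is discharged where the pair is built, once, rather than at every use; `head1` and `head2` push the same obligation onto every caller, as the three bullet points above spell out.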
Exercises

6.7. Give a definition of the function $\mathit{last}$ mentioned in the section above.

6.8. Give an explicit definition of the function
$$\mathit{head}_4 : (\forall l : [A]) . (\mathit{ne}\ l \Rightarrow A)$$
discussed above.

6.9. A type of non-empty lists can be defined in a similar way to $[A]$. Formulate
the rules of formation, introduction, elimination and computation
for this type, and define the head, last and tail functions for this type.

6.10. Formulate a version of the indexing function `$!$' for the type of non-empty
lists which will return the last element in the list as a default if the
index is `out of range'.

6.1.4 Recursion over lists: 2

In this section we look at the list indexing function and return to the issue
of course-of-values recursion over the natural numbers.

Recall the definition of $<$ in section 6.1.2. We define the function $\mathit{index}$
to have the type
$$(\forall l : [A]) . (\forall n : N) . ((n < \#l) \Rightarrow A)$$
Given a list $l$, a natural number $n$, and a proof that $n$ is smaller than the
length of $l$ we return the $n$th element of $l$. How is $\mathit{index}$ defined?
$$\mathit{index}\ [\,]\ n\ p \equiv_{df} \mathit{abort}_A\ p$$
$$\mathit{index}\ (a :: x)\ 0\ p \equiv_{df} a$$
$$\mathit{index}\ (a :: x)\ (n+1)\ p \equiv_{df} \mathit{index}\ x\ n\ p$$
The second and third clauses are clear. What is happening in the first? $p$
is a proof that $(n < \#[\,])$, that is $(n < 0)$, which is $\bot$; we can define an
element of $A$ from $p$ using $\mathit{abort}_A$.

It is interesting to see that the definition of $\mathit{index}$ can be made either
by induction over $N$ with a subsidiary induction over $[A]$, or vice versa:
the two arguments are independent of each other.

Now we can return to the example of course-of-values recursion, as we
have defined all the auxiliary functions that are needed. Taking a special
case of the power function, we have
$$\mathit{pow}\ 0 \equiv_{df} 1$$
$$\mathit{pow}\ n \equiv_{df} (\mathit{pow}\ (n\ \mathit{div}\ 2))^2 \times 2^{(n\ \mathit{mod}\ 2)}$$
which can be rewritten thus, where $h$ is a primitive recursive function,
$$\mathit{pow}\ 0 \equiv_{df} 1$$
$$\mathit{pow}\ (n+1) \equiv_{df} h\ (\mathit{pow}\ ((n+1)\ \mathit{div}\ 2))\ n$$
Transforming this into a list definition, we have
$$g\ 0 \equiv_{df} [1]$$
$$g\ (n+1) \equiv_{df} (g\ n) +\!\!+ [\,h\ ((g\ n)\ !\ ((n+1)\ \mathit{div}\ 2))\ n\,]$$
The subexpression $(g\ n)\ !\ ((n+1)\ \mathit{div}\ 2)$ is informal; $\mathit{index}$ takes a third argument
which is a proof object, legitimising the application. The application will
be legitimate if we can show that
$$((n+1)\ \mathit{div}\ 2) < \#(g\ n)$$
This will follow from proofs of
$$(0 < m) \Rightarrow (m\ \mathit{div}\ 2 < m)$$
which is standard, and
$$\#(g\ n) = (n+1) \qquad (6.1)$$
which we have to establish by induction, simultaneously with the definition
itself. Transforming again, we define a function which returns a pair
$$(g\ n, p_n)$$
where $p_n$ proves the assertion (6.1). To extract the result $(f\ n)$ from the
value $(g\ n)$ we take its last element, since $g\ n$ is the list $[f\ 0, \ldots, f\ n]$.
Remember that to do this we need
a proof that the list is non-empty. We can use (6.1) again here to show
this, as it states that all the values $(g\ n)$ have positive length, and so none
of them can be empty.

We can see from the derivation of the function above that the system is
quite different from a traditional functional programming system, in that
the definition of a function cannot be separated from a proof that it terminates.
In fact, this is not quite accurate: if we had adopted the approach
which gives default or error values to $\mathit{head}$ and $\mathit{index}$ we could perform
the derivation without the inferences we needed above, but once derived
we would have to prove that the values returned by the function are `ok'
and not error or default values.
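The derivation just sketched, carried through as an added Python example that is not from the book: $\mathit{index}$ with its bound witness, the list-valued $g$ returning the pair $(g\ n, p_n)$, and $\mathit{pow}$ read off from it. The representation of proof objects is an assumption of the example: a proof is the token `TRIV`, issued only by `lt_witness` after it has checked the inequality it witnesses, and the invariant (6.1) is re-checked at each step in place of the inductive proof.

```python
# Added example (not from the book): index with an explicit bound witness,
# and the course-of-values definition of pow n = 2^n via the list g n of all
# values up to n, carrying the invariant #(g n) = n+1 (equation (6.1)).
TRIV = "Triv"

def lt_witness(n, m):
    """A proof object for n < m (the proposition lt2 n m of section 6.1.2):
    Triv when the proposition is inhabited, otherwise there is none."""
    if not (0 <= n < m):
        raise TypeError("%d < %d is bot: no proof object exists" % (n, m))
    return TRIV

def abort(p):
    raise AssertionError("abort applied to a supposed proof of bot: %r" % (p,))

def index(lst, n, p):
    """index : (forall l:[A]).(forall n:N).((n < #l) => A), by recursion on
    the list with the index as a second argument."""
    if not lst:
        return abort(p)          # p : (n < 0), i.e. p : bot
    if n == 0:
        return lst[0]
    return index(lst[1:], n - 1, p)

def h(v, n):
    """The primitive recursive step: given v = pow ((n+1) div 2), the value
    pow (n+1) = v^2 * 2^((n+1) mod 2)."""
    return v * v * (2 ** ((n + 1) % 2))

def g(n):
    """Returns the pair (g n, p_n) with p_n a witness of #(g n) = n+1.
    The call to index is justified by ((n+1) div 2) < #(g n), which follows
    from (0 < m) => (m div 2 < m) together with the witness p_n."""
    if n == 0:
        return ([1], TRIV)                        # #[1] = 1 = 0+1
    prev, p_prev = g(n - 1)                       # #prev = n, by p_prev
    k = n // 2                                    # ((n-1)+1) div 2
    bound = lt_witness(k, len(prev))              # k < n because 0 < n
    value = h(index(prev, k, bound), n - 1)
    new = prev + [value]
    assert len(new) == n + 1                      # (6.1) at n, discharged
    return (new, TRIV)

def pow2(n):
    """pow n = 2^n, the last element of g n; (6.1) gives #(g n) = n+1 > 0,
    so the list is non-empty and the last element exists."""
    lst, p_n = g(n)
    return lst[len(lst) - 1]
```

Note that `g` never has to consult `prev` beyond what the witness licenses: if the bound were wrong, `lt_witness` would refuse to produce a proof object and the call to `index` could not be made, which is the type-theoretic situation in miniature.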
Exercises

6.11. Using induction over $m : N$ prove that $(m\ \mathit{div}\ 2) < m$ for all $m > 0$.

6.12. Formalise the derivation of the functions $g$ and $\mathit{pow}$ above.

6.13. Give a proof that for all lists $l$ and $m$,
$$\#l + \#m = \#(l +\!\!+ m)$$

6.14. Consider the example of `Russian multiplication' given by the definition
$$\mathit{mul}\ a\ 0 \equiv_{df} 0$$
$$\mathit{mul}\ a\ b \equiv_{df} (\mathit{mul}\ (2 \times a)\ (b\ \mathit{div}\ 2)) + a \times (b\ \mathit{mod}\ 2)$$
How would you argue that this is definable in type theory?

6.15. Show how the following functions, defined informally, can be given
definitions in type theory
$$\mathit{merge} : [N] \Rightarrow [N] \Rightarrow [N]$$
$$\mathit{merge}\ [\,]\ y \equiv_{df} y$$
$$\mathit{merge}\ (a :: x)\ [\,] \equiv_{df} (a :: x)$$
$$\mathit{merge}\ (a :: x)\ (b :: y) \equiv_{df} a :: (\mathit{merge}\ x\ (b :: y)) \quad\text{if } \mathit{less}\ a\ b$$
$$\phantom{\mathit{merge}\ (a :: x)\ (b :: y)} \equiv_{df} b :: (\mathit{merge}\ (a :: x)\ y) \quad\text{if not}$$

$$\mathit{foldl} : (A \Rightarrow B \Rightarrow A) \Rightarrow A \Rightarrow [B] \Rightarrow A$$
$$\mathit{foldl}\ f\ a\ [\,] \equiv_{df} a$$
$$\mathit{foldl}\ f\ a\ (b :: y) \equiv_{df} \mathit{foldl}\ f\ (f\ a\ b)\ y$$
6.2 A Case Study: Quicksort

This section surveys the general area of sorting numerical lists and gives a
complete development and verification of the quicksort function over these
lists. In the course of the development we will have occasion to define other
useful functions and discuss proofs of general theorems.

6.2.1 Defining the function

The function quicksort over numerical lists can be defined in a functional
language like Miranda thus:
$$\mathit{qsort} : [N] \Rightarrow [N]$$
$$\mathit{qsort}\ [\,] \equiv_{df} [\,]$$
$$\mathit{qsort}\ (a :: x) \equiv_{df} \mathit{qsort}\ (\mathit{filter}\ (\mathit{lesseq}\ a)\ x) +\!\!+ [a] +\!\!+ \mathit{qsort}\ (\mathit{filter}\ (\mathit{greater}\ a)\ x)$$
where the function $\mathit{filter}$, which selects the elements of a list which have
the property $p : (A \Rightarrow bool)$, has the type-theoretic definition
$$\mathit{filter} : (A \Rightarrow bool) \Rightarrow [A] \Rightarrow [A]$$
$$\mathit{filter}\ p\ [\,] \equiv_{df} [\,]$$
$$\mathit{filter}\ p\ (a :: x) \equiv_{df} a :: (\mathit{filter}\ p\ x) \quad\text{if } (p\ a)$$
$$\mathit{filter}\ p\ (a :: x) \equiv_{df} \mathit{filter}\ p\ x \quad\text{if not}$$
which is by an induction over the list argument.

The function $\mathit{lesseq}$, of type $(N \Rightarrow N \Rightarrow bool)$, is defined thus
$$\mathit{lesseq}\ 0\ x \equiv_{df} \mathit{True}$$
$$\mathit{lesseq}\ (n+1)\ 0 \equiv_{df} \mathit{False}$$
$$\mathit{lesseq}\ (n+1)\ (m+1) \equiv_{df} \mathit{lesseq}\ n\ m$$
which is formalised as a primitive recursive definition of the functions
$$\lambda m . (\mathit{lesseq}\ n\ m)$$
over the variable $n : N$. The function $\mathit{greater}$ is defined in the analogous
way. In the partitioning clause of $\mathit{qsort}$, $(\mathit{lesseq}\ a)$ and $(\mathit{greater}\ a)$ are
to be read as the sections $\lambda y . (\mathit{lesseq}\ y\ a)$ and $\lambda y . (\mathit{greater}\ y\ a)$,
selecting from $x$ the elements no greater than $a$ and those greater than $a$
respectively; this is the reading that lemma 6.2(5) below relies upon.

We shall also use a proposition $(m \leq n)$ asserting `less than or equal
to'. It is defined by the analogous recursion thus:
$$0 \leq x \equiv_{df} \top$$
$$(n+1) \leq 0 \equiv_{df} \bot$$
$$(n+1) \leq (m+1) \equiv_{df} n \leq m$$
How can we give a type theoretic version of the definition of $\mathit{qsort}$? The
crucial observation is that the length of the lists on which the recursive call
is made is smaller than the length of $(a :: x)$, so the recursion is justified
by course-of-values recursion over $N$.

The modified definition of quicksort is by means of a function with three
arguments. The first is a number $n$, the second a list $l$ to be sorted and
the third a proof that $(\#l \leq n)$. The functions
$$\lambda l . \lambda p . \mathit{qsort}'\ n\ l\ p$$
are defined by recursion over $n$:
$$\mathit{qsort}' : (\forall n : N) . (\forall l : [N]) . ((\#l \leq n) \Rightarrow [N])$$
$$\mathit{qsort}'\ n\ [\,]\ p \equiv_{df} [\,]$$
$$\mathit{qsort}'\ 0\ (a :: x)\ p \equiv_{df} \mathit{abort}_{[N]}\ p_0$$
$$\mathit{qsort}'\ (n+1)\ (a :: x)\ p \equiv_{df} \mathit{qsort}'\ n\ (\mathit{filter}\ (\mathit{lesseq}\ a)\ x)\ p_1 +\!\!+ [a] +\!\!+ \mathit{qsort}'\ n\ (\mathit{filter}\ (\mathit{greater}\ a)\ x)\ p_2$$
What are the proof objects $p_0, p_1, p_2$?

By assumption $p : (\#(a :: x) \leq 0)$ and we can also prove $(0 < \#(a :: x))$.
These two proof objects are combined to give an element $p_0$ of $0 < 0$, which
is the type $\bot$.

Suppose that $p : (\#(a :: x) \leq (n+1))$. Since
$$\#(a :: x) \twoheadrightarrow \#x + 1$$
we have
$$(\#(a :: x) \leq (n+1)) \twoheadrightarrow \#x \leq n$$
so by the substitution rules,
$$p : (\#x \leq n)$$
Now we note a general result.

Lemma 6.1 For all lists $x$ and properties $p$,
$$\#(\mathit{filter}\ p\ x) \leq \#x$$
Proof: Straightforward induction over the list $x$. $\Box$

Now, by the transitivity of the relation $\leq$, whose proof we also leave to
the reader, we can define proofs of
$$\#(\mathit{filter}\ (\mathit{lesseq}\ a)\ x) \leq n \qquad\qquad \#(\mathit{filter}\ (\mathit{greater}\ a)\ x) \leq n$$
These are the objects $p_1$ and $p_2$. We leave it as an exercise to define these
values formally, to be the results of functions $h_i$, where the type of $h_1$ is,
for instance,
$$(\forall a : N) . (\forall n : N) . (\forall x : [N]) . (\forall p : (\#(a :: x) \leq (n+1))) . (\#(\mathit{filter}\ (\mathit{lesseq}\ a)\ x) \leq n)$$
We must define these values $p_i$ in order for the recursive application of
$\mathit{qsort}'$ to be properly typed.

The function $\mathit{qsort}$ itself is defined by
$$\mathit{qsort}\ l \equiv_{df} \mathit{qsort}'\ (\#l)\ l\ \mathit{Triv}$$
since $\mathit{Triv}$ constitutes the canonical proof that $(\#l \leq \#l)$.

6.2.2 Verifying the function

We have implemented the quicksort algorithm before having specified its
purpose: we expect it to sort a list, so that it should

• return a result which is sorted, and,

• return a result which is a permutation of its argument.

A list is sorted if and only if for each pair of elements chosen from the
list, the element which lies to the left is smaller than or equal to the other.
Formally,
$$(\forall m : N) . (\forall n : N) . (\forall p : (m < n)) . (\forall q : (n < \#l)) . (\mathit{index}\ l\ m\ p' \leq \mathit{index}\ l\ n\ q)$$
where $p'$ is the proof of $(m < \#l)$ derived from $p$ and $q$ by transitivity of the
ordering relation. List indexing was defined above; the reader might recall
that in order for an application of the function to be legitimate, there needs
to be evidence that the index is less than the length of the list argument.

The proof can be developed for this characterisation, but we choose
instead to define sorting in an inductive way, over the structure of the list.
$$\mathit{sorted} : [N] \Rightarrow U_0$$
$$\mathit{sorted}\ [\,] \equiv_{df} \top$$
$$\mathit{sorted}\ [a] \equiv_{df} \top$$
$$\mathit{sorted}\ (a :: b :: x) \equiv_{df} (a \leq b) \wedge (\mathit{sorted}\ (b :: x))$$
We say that one list is a permutation of another if the number of occurrences
of any possible element is the same in both the lists.
$$\mathit{perm}\ l\ l' \equiv_{df} (\forall a : N) . (\mathit{occs}\ a\ l =_N \mathit{occs}\ a\ l')$$
The function counting the occurrences is given by
$$\mathit{occs}\ a\ [\,] \equiv_{df} 0$$
$$\mathit{occs}\ a\ (b :: x) \equiv_{df} 1 + \mathit{occs}\ a\ x \quad\text{if } eq_N\ a\ b$$
$$\mathit{occs}\ a\ (b :: x) \equiv_{df} \mathit{occs}\ a\ x \quad\text{if not}$$
In stating a number of auxiliary results we will need one further definition:
$$\mathit{mem} : A \Rightarrow [A] \Rightarrow U_0$$
$$\mathit{mem}\ a\ [\,] \equiv_{df} \bot$$
$$\mathit{mem}\ a\ (b :: x) \equiv_{df} (a = b) \vee (\mathit{mem}\ a\ x)$$
The lemma which follows enumerates a number of basic properties of
the ordering relation, the functions $\mathit{occs}$, $\mathit{mem}$ and the relation $\mathit{perm}$.

Lemma 6.2 The following types are inhabited.

1. $(\forall x, y : N) . (\mathit{lesseq}\ x\ y = \mathit{True} \Rightarrow x \leq y)$

2. $(\forall x, y : N) . (\mathit{lesseq}\ x\ y = \mathit{True} \vee \mathit{greater}\ x\ y = \mathit{True})$

3. $(\forall x, y : N) . \neg(\mathit{lesseq}\ x\ y = \mathit{True} \wedge \mathit{greater}\ x\ y = \mathit{True})$

4. $(\forall p : N \Rightarrow bool) . (\forall l : [N]) . (\forall x : N) . (\mathit{mem}\ x\ (\mathit{filter}\ p\ l) \Rightarrow p\ x = \mathit{True})$

5. $(\forall l : [N]) . (\forall a, x : N) . (\mathit{mem}\ x\ (\mathit{filter}\ (\mathit{lesseq}\ a)\ l) \Rightarrow x \leq a)$

6. $(\forall x : N) . (\forall l : [N]) . (\mathit{mem}\ x\ l \Leftrightarrow \mathit{occs}\ x\ l > 0)$

7. $(\forall l, l' : [N]) . (\mathit{perm}\ l\ l' \Rightarrow (\forall x : N) . (\mathit{mem}\ x\ l \Leftrightarrow \mathit{mem}\ x\ l'))$

8. $(\forall a : N) . (\forall l, m : [N]) . (\mathit{occs}\ a\ (l +\!\!+ m) = \mathit{occs}\ a\ l + \mathit{occs}\ a\ m)$

9. $(\forall l, m, x : [N]) . (\forall a : N) . (\mathit{perm}\ (l +\!\!+ m)\ x \Rightarrow \mathit{perm}\ (l +\!\!+ [a] +\!\!+ m)\ (a :: x))$

10. $(\forall l, l', m, m' : [N]) . (\mathit{perm}\ l\ l' \wedge \mathit{perm}\ m\ m' \Rightarrow \mathit{perm}\ (l +\!\!+ m)\ (l' +\!\!+ m'))$

11. $(\forall l : [N]) . (\forall a : N) . \mathit{perm}\ l\ (\mathit{filter}\ (\mathit{lesseq}\ a)\ l +\!\!+ \mathit{filter}\ (\mathit{greater}\ a)\ l)$

12. $\mathit{perm}$ is an equivalence relation.

Proof: Results 1 to 3 are proved by induction over $N$; 4 and 6 by induction over
the list $l$. 5 is a corollary of 1 and 4. 7 is a corollary of 6; 8 to 10 are again
proved by induction over the list $l$. 11 is a consequence of 2, 3 and 8. 12 is
a simple consequence of the definition of permutation. $\Box$

The crucial lemma concerning sorting is

Lemma 6.3 The following proposition is inhabited.
$$(\forall a : N) . (\forall l, m : [N]) . (\mathit{sorted}\ l \wedge \mathit{sorted}\ m \wedge (\forall b : N) . (\mathit{mem}\ b\ l \Rightarrow b \leq a) \wedge (\forall b : N) . (\mathit{mem}\ b\ m \Rightarrow a \leq b) \Rightarrow \mathit{sorted}\ (l +\!\!+ [a] +\!\!+ m))$$
Proof: The result is established by an induction over the list $l$, with an
auxiliary case analysis over the list $m$ in the case that $l$ is $[\,]$. $\Box$

We can now assert the theorem on the correctness of quicksort.

Theorem 6.4 The following proposition is provable.
$$(\forall m : N) . (\forall l : [N]) . (\forall p : (\#l \leq m)) . \mathit{sorted}\ (\mathit{qsort}'\ m\ l\ p) \wedge \mathit{perm}\ l\ (\mathit{qsort}'\ m\ l\ p)$$
Proof: The proof is by induction over the variable $m$, just as the function
was defined by recursion over this variable. In each part of the proof we use
a case analysis over lists: such a form of proof is a special case of induction
in which the induction hypothesis is not used.

Case $m \equiv 0$

There are two sub-cases according to whether the list is empty or not. In
the former, the result is $[\,]$ and this is both sorted and a permutation of
itself, giving the result. Suppose we have a non-empty list; just as when we
were defining the function, from the proof $p$ we can extract a proof of $\bot$
and thence a proof of anything, including the correctness conditions. This
completes the proof in the base case.

Case $m \equiv (n+1)$

Again there are two sub-cases. In the case of an empty list we proceed
exactly as above, so suppose that we have a non-empty list $l \equiv (a :: x)$.
Now
$$\mathit{qsort}'\ (n+1)\ (a :: x)\ p \equiv l_1 +\!\!+ [a] +\!\!+ l_2$$
where
$$l_1 \equiv_{df} \mathit{qsort}'\ n\ (\mathit{filter}\ (\mathit{lesseq}\ a)\ x)\ p_1$$
$$l_2 \equiv_{df} \mathit{qsort}'\ n\ (\mathit{filter}\ (\mathit{greater}\ a)\ x)\ p_2$$
By induction we know that
$$\mathit{sorted}\ l_1 \wedge \mathit{sorted}\ l_2 \qquad (6.2)$$
$$\mathit{perm}\ (\mathit{filter}\ (\mathit{lesseq}\ a)\ x)\ l_1 \wedge \mathit{perm}\ (\mathit{filter}\ (\mathit{greater}\ a)\ x)\ l_2 \qquad (6.3)$$
We aim to use lemma 6.3 to show that $l_1 +\!\!+ [a] +\!\!+ l_2$ is sorted. The sortedness
hypotheses are given by (6.2), so we need to show that every element of $l_1$
is less than or equal to $a$, and to show that every element of $l_2$ is greater
than or equal to $a$. By (6.3) and lemma 6.2 (parts 5 and 7) we can deduce
$$(\forall x : N) . (\mathit{mem}\ x\ l_1 \Rightarrow x \leq a)$$
and a similar proof establishes
$$(\forall x : N) . (\mathit{mem}\ x\ l_2 \Rightarrow a \leq x)$$
Now, by lemma 6.3 we can deduce that the result is sorted.

To prove that
$$\mathit{perm}\ (a :: x)\ (l_1 +\!\!+ [a] +\!\!+ l_2)$$
we use a series of lemmas. By lemma 6.2(11) the list $x$ is a permutation
of the two halves of the partition, which have permutations $l_1$ and $l_2$ by
(6.3). Using lemma 6.2, parts 9, 10 and 12, we have the desired result. This
completes the induction step and the proof itself. $\Box$

Corollary 6.5 For all lists $l$,
$$\mathit{sorted}\ (\mathit{qsort}\ l) \wedge \mathit{perm}\ l\ (\mathit{qsort}\ l)$$
Proof: Simply take the appropriate case of the theorem. $\Box$
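The definition of $\mathit{qsort}'$ from section 6.2.1 together with the specification of section 6.2.2, as one added Python example that is not from the book. Proof objects are modelled as the token `TRIV`, issued by `le_witness` only after the inequality has been checked, so a recursive call whose bound obligation $p_1$ or $p_2$ cannot be discharged fails at the call rather than recursing unboundedly; `sorted_` and `perm` are the two correctness conditions, and `meets_spec` is corollary 6.5 checked on one input. The sample lists are constructed for the example.

```python
# Added example (not from the book): qsort' with its bound argument n and
# the witnesses p, p1, p2, plus the sortedness and permutation checks.
from typing import Callable, List

TRIV = "Triv"

def lesseq(n: int, m: int) -> bool:
    """lesseq 0 x = True; lesseq (n+1) 0 = False; lesseq (n+1) (m+1) = lesseq n m."""
    return n <= m

def greater(n: int, m: int) -> bool:
    """The analogous boolean function."""
    return n > m

def filter_(p: Callable[[int], bool], xs: List[int]) -> List[int]:
    return [a for a in xs if p(a)]

def le_witness(k: int, n: int) -> str:
    """A proof object for (k <= n); the type is bot, so no object, when k > n."""
    if k > n:
        raise TypeError("%d <= %d is bot: no proof object exists" % (k, n))
    return TRIV

def abort(p):
    raise AssertionError("abort applied to a supposed proof of bot: %r" % (p,))

def qsort_prime(n: int, l: List[int], p: str) -> List[int]:
    """qsort' : (forall n:N).(forall l:[N]).((#l <= n) => [N]), recursion on n."""
    if not l:
        return []
    if n == 0:
        return abort(p)        # p : (#(a::x) <= 0) with 0 < #(a::x) gives p0 : bot
    a, x = l[0], l[1:]
    small = filter_(lambda b: lesseq(b, a), x)     # the elements b with b <= a
    large = filter_(lambda b: greater(b, a), x)    # the elements b with b > a
    # p1, p2: from #x <= n and lemma 6.1 (#(filter p x) <= #x) by transitivity
    p1 = le_witness(len(small), n - 1)
    p2 = le_witness(len(large), n - 1)
    return qsort_prime(n - 1, small, p1) + [a] + qsort_prime(n - 1, large, p2)

def qsort(l: List[int]) -> List[int]:
    """qsort l = qsort' (#l) l Triv, Triv being the canonical proof of #l <= #l."""
    return qsort_prime(len(l), l, le_witness(len(l), len(l)))

def sorted_(l: List[int]) -> bool:
    """sorted [] = sorted [a] = top; sorted (a::b::x) = (a <= b) and sorted (b::x)."""
    return all(a <= b for a, b in zip(l, l[1:]))

def occs(a: int, l: List[int]) -> int:
    return sum(1 for b in l if a == b)

def perm(l: List[int], l2: List[int]) -> bool:
    """perm l l' = (forall a).(occs a l = occs a l'); only values occurring in
    one of the lists can have a non-zero count, so the check is finite."""
    return all(occs(a, l) == occs(a, l2) for a in set(l) | set(l2))

def meets_spec(l: List[int]) -> bool:
    """Corollary 6.5 on one input: sorted (qsort l) and perm l (qsort l)."""
    out = qsort(l)
    return sorted_(out) and perm(l, out)

# Constructed sample inputs (not from the book), with duplicates of the pivot.
SAMPLES = [[], [4], [3, 1, 2], [5, 5, 1, 5, 0], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0]]
```

Because every pivot is removed before the partition, `len(small)` and `len(large)` are at most `n - 1`, so `le_witness` always succeeds when `qsort` supplies `n = len(l)`; the remark below about lazy evaluation corresponds to the fact that `p1` and `p2` are never inspected by `qsort_prime` itself.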


A number of remarks are in order.

• In most cases of program verification, the induction used in verifying
  the result is of the same form as that used in the definition of the
  function; the proof we have given is no exception. $\mathit{qsort}$ is defined
  to be a special case of $\mathit{qsort}'$, and we verified a generalisation of the
  result using the same induction as we used to derive $\mathit{qsort}'$.

• The function $\mathit{qsort}'$ appears to be less efficient than the Miranda
  algorithm, as the former contains the proof-theoretic information,
  transmitted through the recursive calls. This is the case if we use
  applicative order evaluation, which forces the evaluation of function
  arguments prior to evaluation of the body. On the other hand, if
  we use lazy evaluation, it can be seen that the terms $p_1$, $p_2$ in the
  recursive calls will never be evaluated. We come back to this point in
  chapter 7.

• The presentation of sorting we have given here presents the algorithm
  first and the verification second. It is possible to reverse this, deriving
  the result that
  $$(\forall l : [N]) . (\exists l' : [N]) . (\mathit{sorted}\ l' \wedge \mathit{perm}\ l\ l') \qquad (6.4)$$
  and extracting the quicksort function from the proof. This seems
  highly artificial in this case where the function is well-known, but the
  reader may wish to reconstruct the result in this way.

The definition of quicksort is an example of a general phenomenon, in which
a general recursive definition of a function $g$ over a type $A$
$$g\ x \equiv_{df} \ldots g\ (h\ x) \ldots$$
is justified by appeal to induction over another type $B$, where there is a
function
$$f : A \Rightarrow B$$
so that
$$f\ (h\ x)$$
is a predecessor of $(f\ x)$ in $B$. The recursion $g$ is justified by the inverse
image of recursion over $B$ using the function $f$. In the case of quicksort,
we use the inverse image of induction over $N$ under the length function. In
related areas this function is often called a norm. This method justifies
many important definitions, some of which are included in the exercises
which follow.

Exercises

6.16. There are many other sorting algorithms over lists, amongst which are
insertion sort and tree sort. Show first how these are expressed in type theory
and then show how they meet the specification of a sorting algorithm.
Alternatively prove the result (6.4) in such a way as to make the function
extracted from the proof the algorithm you wish to express.

6.17. How would you show that the greatest common divisor function
defined by
$$\mathit{gcd}\ n\ m \equiv_{df} n \quad\text{if } n = m$$
$$\mathit{gcd}\ n\ m \equiv_{df} \mathit{gcd}\ m\ n \quad\text{if } n < m$$
$$\mathit{gcd}\ n\ m \equiv_{df} \mathit{gcd}\ (n - m)\ m \quad\text{if } n > m > 0$$
$$\mathit{gcd}\ n\ 0 \equiv_{df} 0 \quad\text{if not}$$
can be defined in type theory?

6.18. Show how the algorithm for the permutations of a list, which uses
the Miranda list comprehension notation, can be coded in type theory.
$$\mathit{perms}\ [\,] \equiv_{df} [[\,]]$$
$$\mathit{perms}\ x \equiv_{df} [\,(a :: p) \mid a \leftarrow x;\ p \leftarrow \mathit{perms}\ (x \mathrel{-\!-} [a])\,]$$

6.3 Dependent types and quantifiers

One of the features of $TT$ which distinguishes it from traditional programming
languages is its ability to express dependent types. These are types,
or more correctly type expressions, which depend upon the value of one
or more variables which they contain. The operations $\forall$, $\exists$ and $W$ form
types from these families of types, namely the dependent product type,
the dependent sum or subset type and a well-founded type. This section
concentrates on the two quantifiers, $\forall$ and $\exists$, after a discussion of how
dependent types, or type families, can be defined.

6.3.1 Dependent Types

By a dependent type we mean any type (expression) which contains one or
more free variables. Under the logical interpretation such types are simply
predicates, of course. Dependency is introduced in two ways.

The rule of $I$ formation introduces values into the types. Recall the rule
$$\frac{A \text{ is a type} \qquad a : A \qquad b : A}{I(A, a, b) \text{ is a type}}\ (IF)$$
which forms the atomic equality proposition which is also written $a =_A b$.
Clearly the expressions $a$ and $b$ can contain free variables, and thus
variables are introduced into the types; depending on the complexity of $a$ and
$b$ we build more or less complex propositions. Other dependent types are
then formed using the propositional connectives and quantifiers, but these
introduce no additional dependency. We have already seen examples of
this, in sections 4.10 and 6.1.2; another atomic example is the type
$$(\#l =_N n)$$
where $l$ and $n$ are variables of type $[A]$ and $N$, and from this we can form
the dependent type
$$(\exists l : [A]) . (\#l =_N n)$$
which contains the variable $n$ free. For a fixed value of $n$, this is the type
of lists of that length, or more strictly, pairs
$$(l, r)$$
where $r$ is a witness to (or proof of) the proposition $(\#l =_N n)$.

One general class of propositions we can define in this way are those
which are representable by a boolean-valued function, such as the `less
than' relation by
$$lt_1 : (N \Rightarrow N \Rightarrow bool)$$
This is turned into a proposition by forming
$$I(bool, lt_1\ m\ n, \mathit{True})$$
with $n$, $m$ free. Propositions representable by boolean-valued functions are
decidable, and so this class of propositions is not closed under quantification
over infinite domains. Once we have turned such a representation into a
proposition as above its universal and existential closure as a proposition
can be formed. This method of forming propositions is indirect: we define
a boolean-valued function, by recursion say, and then make a proposition
by equating its application to $\mathit{True}$ or $\mathit{False}$.

Using the universes $U_0, \ldots$ we can define dependent propositions directly.
The `small' types are members of the type $U_0$, and so we can use
the expression forming operators, such as cases and recursion, to form type
expressions. This approach is not restricted to the members of $U_0$; we can
make the same constructions at each level $U_n$, and from an informal point
of view these constructions are often uniform in $n$. We have already seen a
number of examples of these definitions in section 6.1.2.

It has been proposed that a facility be added to $TT_0$ which allows the
definition of types (or propositions) inductively without using the universe
$U_0$; we return to this topic in section 7.10 below.

6.3.2 The Existential Quantifier

The type $(\exists x : A) . B$ consists of pairs $(a, b)$ with $a : A$ and $b : B[a/x]$. If
$B[a/x]$ is thought of as a type, then the construct looks like a sum of the
types $B(x)$ as $x$ ranges over $A$. On the other hand if $B$ is a predicate,
then the construct can be seen as a subset of $A$, consisting of those $a$ in
$A$ with the property $B[a/x]$. Consistent with the principle of complete
presentation, the objects $a$ are paired with the proofs $b$ of the property
$B[a/x]$. We saw an application of the subset type in the definition of the
type of non-empty lists earlier.

An interesting class of subsets of $[A]$ is given by the family
$$[A]_n \equiv_{df} (\exists l : [A]) . (\#l = n)$$
of lists of length $n$, where $n : N$. Taking the sum over $N$, we have
$$(\exists n : N) . (\exists l : [A]) . (\#l = n)$$
which is isomorphic to $[A]$, by the functions
$$f : [A] \Rightarrow (\exists n : N) . (\exists l : [A]) . (\#l = n)$$
$$f\ l \equiv_{df} (\#l, (l, r(\#l)))$$
where $r(\#l)$ is the canonical member of $(\#l = \#l)$, and
$$g : (\exists n : N) . (\exists l : [A]) . (\#l = n) \Rightarrow [A]$$
$$g\ (n, (l, s)) \equiv_{df} l$$
This division of the type seems arbitrary, and indeed we could have divided
the type according to any function
$$h : [A] \Rightarrow \ldots$$
but in this case it is interesting that many standard functions on lists can be
made to commute with this stratification, since they preserve the lengths
of the lists to which they are applied. One example is the map function,
mentioned on page 181, and we have a family of functions
$$\mathit{map}_n : (A \Rightarrow B) \Rightarrow [A]_n \Rightarrow [B]_n$$
so that
$$\mathit{map}_n\ f\ (l, r) \equiv_{df} (\mathit{map}\ f\ l, r)$$
which is legitimate since $\#(\mathit{map}\ f\ l) = \#l$ is provable for all $l$, by induction.
These $\mathit{map}_n$ functions behave like $\mathit{map}$, except that they carry along the
proof-theoretic information about the length of the list, which can be used
by functions that use the result.

We usually read a judgement $a : A$ as either asserting that the object $a$
has type $A$, or that $a$ is a proof of $A$. There is a particular case in which
both interpretations are used. This is the assertion that
$$(a, p) : (\exists x : A) . P$$
which we can read as saying that object $a$, of type $A$, meets the specification
$P(x)$, witnessed by the proof $p : P[a/x]$; we shall come back to this topic
later.

6.3.3 The Universal Quanti er


The universal quanti er 8de nes a dependent fun tion spa e, so that if
f :(8x : A) : B then
f a : B [a=x℄
We have already seen this used to good e e t in the qui ksort fun tion
above, amongst others. We shall see it used again in the oming example
of ve tors, in whi h the operations over ve tors are parametrised over the
size of the ve tor.
Both quanti ers have interesting properties when quanti ation is over
a universe; before we look at that we examine a slightly larger-s ale appli-
ation, the implementation of a logi .

6.3.4 Implementing a logi


We take as an example the propositional logi of `and' and `implies'. Using
our earlier notation, we have a well-founded type whi h des ribes the syntax
of the formulas, thus:
fmla df V bl var + T +F +
And fmla fmla + Imp fmla fmla
where T and F represent the propositions `true' and `false', and var is a
type representing the propositional variables, perhaps by hara ter strings.
A de nition by primitive re ursion over fmla will give outright de nitions
218 CHAPTER 6. APPLYING TYPE THEORY

for variables and the two onstant propositions, and at Andf1 f2, Impf1 f2
will make re ursive alls to the values at f1 and f2.
There are two approa hes to de ning the proofs of the logi . The rst
is to make an embedding into the logi of T T itself, by means of a fun tion
from formulas to types.
proof : fmla ) U0
proof (V bl v) df fAssum vg
proof T df >
proof F df ?
proof (And f1 f2 ) df (proof f ) ^ (proof f )
1 2

proof (Imp f1 f2 ) df (proof f ) ) (proof f )


1 2

fAssum vg is intended to denote the type with the single element Assum v.
Proofs are to be onstru ted in this system using the me hanisms of T T
itself; unfortunately, the method is awed. Consider the proof (Assum v)
of the propositional variable (V ar v). In order to onstru t a proof of the
tautology
Imp (V ar v) (V ar v)
we need to be able to build a fun tion from the one element type to itself:
this is trivial, but so is nding a fun tion of type
Imp (V ar v) (V ar v0 )
for any variable v0 in the system! This is not a sound representation. The
diÆ ulty is that the proofs of assumptions are not really variables of the
system T T , whi h they would have to be for the embedding to be sound.
Nonetheless, the embedding is sound if we leave out the variables, giving a
system with onstants and onne tives.
In order to a hieve a sound implementation in general, we look at the
traditional `LCF' approa h to the problem [Pau87℄. Under this approa h we
build an abstra t type of proofs, with ea h dedu tion rule represented by a
fun tion over the type. The T T me hanism for abstra t types is dis ussed
in the se tion to ome, here we look at the implementation of the proof
type. We de ne
proof df T r + ConjI proof proof +
ConjE1 proof + ConjE2 proof +
ImpI proof fmla + ImpE proof proof
The type an be interpreted ase-by- ase
6.3. DEPENDENT TYPES AND QUANTIFIERS 219

T r is the trivial proof of T .


ConjI p1 p2 is a proof of (And f1 f2 ) if the pi are proofs of fi .
ConjE1 p is a proof of f1 if p is a proof of the pair (f1 ; f2 ). If p does
not have this form, the obje t does not represent a proof. A similar
analysis applies to ConjE2 .
ImpI p g is a proof of the formula (Imp g f ), if p is a proof of f .
ImpE p1 p2 is a proof of f if p1 proves g and p2 proves (Imp g f ). If not,
the obje t does not represent a proof.
The ases of ConjE and ImpE are diÆ ult. Some appli ations of the
onstru tors do not produ e proofs. In the LCF approa h, this gives rise
to an error, or an ex eption if the SML language is used. We an use
the dependent type me hanism to make proof onstru tion se ure without
raising errors or ex eptions.
First we de ne a fun tion
proves : proof ) (fmla + dummy)
whi h returns the obje t proved by an element of the type proof , giving
the dummy value when one of the ex eptional ases above arises. Then we
de ne the subtypes
prf f df (9p : proof ) : (proves p = f )
Using these we an give types to the fun tions whi h eliminate onjun tions

onjE1 : (8f : fmla) : (8g : fmla) : (prf (And f g) ) prf f )


and impli ations.
impE : (8f : fmla) : (8g : fmla) : (prfg ) prf (Imp g f ) ) prf f )
The essential e e t of the fun tions onjE and impE is to apply the or-
responding onstru tor. We know that their appli ation is only permitted
when it will take legitimate proofs into a legitimate proof, and thus the
possibility of raising errors is ex luded.
We an de ne fun tions tr, onjI and impI orresponding to the a tion
of the onstru tors T r, ConjI and ImpI , and then build on top of the type
proof an abstra t type of se ure proofs, se proof , whose signature onsists
of these fun tions only. The type se proof will only ontain legitimate
proofs.
220 CHAPTER 6. APPLYING TYPE THEORY

Exer ises
6.19. Give de nitions of the fun tions proves, onjE1 and impE introdu ed
above.
6.20. Give types for and then de ne the fun tions tr, onjI and impI .
6.21. Prove that the type se proof ontains only legitimate proofs, and
that all su h proofs are ontained therein.
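As an added illustration (my own code, not the book's), here is the LCF-style proof type of this section written in Rust: the raw type proof, the function proves of exercise 6.19 with Option<Fmla> standing in for fmla + dummy, and a type SecProof standing in for secproof, whose fields are private so that only tr, conj_i, conj_e1, conj_e2, imp_i and imp_e can build values. Rust has no dependent types, so the check that the types prf (And f g) and prf (Imp g f) make static is performed once inside conj_e1, conj_e2 and imp_e, which return None instead of raising an exception. The names Fmla, Proof, SecProof and the method names are mine.

```rust
use std::rc::Rc;

/// Syntax of the `and'/`implies' logic: the type fmla of the text.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Fmla {
    Vbl(String),             // propositional variable
    T,                       // the proposition `true'
    F,                       // the proposition `false'
    And(Rc<Fmla>, Rc<Fmla>),
    Imp(Rc<Fmla>, Rc<Fmla>),
}

/// Raw proof trees: every constructor application is allowed, so not
/// every Proof proves anything (ConjE1, ConjE2 and ImpE can be misapplied).
#[derive(Clone, Debug)]
pub enum Proof {
    Tr,
    ConjI(Rc<Proof>, Rc<Proof>),
    ConjE1(Rc<Proof>),
    ConjE2(Rc<Proof>),
    ImpI(Rc<Proof>, Fmla),
    ImpE(Rc<Proof>, Rc<Proof>),
}

/// proves : proof => (fmla + dummy); None is the dummy value.
pub fn proves(p: &Proof) -> Option<Fmla> {
    match p {
        Proof::Tr => Some(Fmla::T),
        Proof::ConjI(p1, p2) => {
            Some(Fmla::And(Rc::new(proves(p1)?), Rc::new(proves(p2)?)))
        }
        Proof::ConjE1(q) => match proves(q)? {
            Fmla::And(f1, _) => Some((*f1).clone()),
            _ => None,
        },
        Proof::ConjE2(q) => match proves(q)? {
            Fmla::And(_, f2) => Some((*f2).clone()),
            _ => None,
        },
        // ImpI p g proves (Imp g f) when p proves f
        Proof::ImpI(q, g) => {
            let f = proves(q)?;
            Some(Fmla::Imp(Rc::new(g.clone()), Rc::new(f)))
        }
        // ImpE p1 p2 proves f when p1 proves g and p2 proves (Imp g f)
        Proof::ImpE(p1, p2) => {
            let g = proves(p1)?;
            match proves(p2)? {
                Fmla::Imp(g2, f) if *g2 == g => Some((*f).clone()),
                _ => None,
            }
        }
    }
}

/// Secure proofs: private fields, so every value is built by the functions
/// below, each of which keeps the invariant proves(&p) == Some(f).
#[derive(Clone, Debug)]
pub struct SecProof { p: Proof, f: Fmla }

impl SecProof {
    pub fn formula(&self) -> &Fmla { &self.f }
    pub fn tr() -> SecProof { SecProof { p: Proof::Tr, f: Fmla::T } }
    pub fn conj_i(a: &SecProof, b: &SecProof) -> SecProof {
        SecProof {
            p: Proof::ConjI(Rc::new(a.p.clone()), Rc::new(b.p.clone())),
            f: Fmla::And(Rc::new(a.f.clone()), Rc::new(b.f.clone())),
        }
    }
    /// Defined only on conjunctions: the check the dependent type
    /// prf (And f g) makes static is done here, once, at construction.
    pub fn conj_e1(a: &SecProof) -> Option<SecProof> {
        match &a.f {
            Fmla::And(f, _) => Some(SecProof { p: Proof::ConjE1(Rc::new(a.p.clone())), f: (**f).clone() }),
            _ => None,
        }
    }
    pub fn conj_e2(a: &SecProof) -> Option<SecProof> {
        match &a.f {
            Fmla::And(_, g) => Some(SecProof { p: Proof::ConjE2(Rc::new(a.p.clone())), f: (**g).clone() }),
            _ => None,
        }
    }
    pub fn imp_i(a: &SecProof, g: Fmla) -> SecProof {
        SecProof {
            p: Proof::ImpI(Rc::new(a.p.clone()), g.clone()),
            f: Fmla::Imp(Rc::new(g), Rc::new(a.f.clone())),
        }
    }
    /// a proves g, b proves (Imp g f): the result proves f.
    pub fn imp_e(a: &SecProof, b: &SecProof) -> Option<SecProof> {
        match &b.f {
            Fmla::Imp(g, f) if **g == a.f => Some(SecProof {
                p: Proof::ImpE(Rc::new(a.p.clone()), Rc::new(b.p.clone())),
                f: (**f).clone(),
            }),
            _ => None,
        }
    }
    /// The invariant of exercise 6.21, checkable at run time.
    pub fn is_legitimate(&self) -> bool { proves(&self.p) == Some(self.f.clone()) }
}
```

The point of the private fields is the one the text makes about secproof: code outside this module can apply the eliminators only through conj_e1, conj_e2 and imp_e, so a misapplied constructor is rejected at the boundary rather than surfacing later as an exception.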

6.3.5 Quantification and Universes: ∀

Quantification over the universes U_0, ..., U_n, ... allows us to assert the existence of types with certain properties, and to make definitions which are parametrised by a type parameter. To take the latter example first, we saw in section 5.9.2 that a form of polymorphism was given by definitions such as

    λA_{U_0} . λx_A . x : (∀A : U_0) . (A ⇒ A)

in which the first parameter ranges over the universe U_0. Such definitions are not restricted to the first universe, and we can derive uniformly in n the judgements

    (λA : U_n) . (λx : A) . x : (∀A : U_n) . (A ⇒ A)

since the role played by the A is purely that of a parameter.

We have already seen how the quicksort function qsort can be defined over lists of numbers. In fact, it can be defined over any type A which carries a function

    lesseq : A ⇒ A ⇒ bool

so the definition may be construed thus:

    qsort : (∀A : U_0) . ((A ⇒ A ⇒ bool) ⇒ ([A] ⇒ [A]))

This parametrisation is possible in a language like Miranda, but with the more expressive type system of TT we can go further and demand that the function supplied is an ordering. This we define thus:

    Ordering(A) ≡df (∃lesseq : (A ⇒ A ⇒ bool)) . (∀a : A) .
        ( lesseq a a = True ∧
          (∀a, b : A) . lesseq a b = lesseq b a ∧
          (∀a, b, c : A) . lesseq a b = lesseq b c = True ⇒ lesseq a c = True )

The subtype of sorted elements of [A] is given by

    Slist(A) ≡df (∃l : [A]) . (sorted l)

where the predicate sorted was defined above, and we can then show that there is a verified version of quicksort

    vsort : (∀A : U_0) . (Ordering(A) ⇒ ([A] ⇒ Slist(A)))

The examples we have seen so far resemble the parametric polymorphic functions permitted by the Hindley-Milner type system [Mil78] which is used in the languages Miranda and SML. Milner polymorphic types contain free type variables which resemble the A : U_0 of the examples above; there is no operation under which these variables are bound: a free type variable is equivalent to a variable bound at the top level. A polymorphic typing under the Hindley-Milner system can be seen as a shorthand for a class of monomorphic typings: those which arise as substitution instances of the polymorphic type.

In the system TT we can express different types. One of the simplest examples is the type

    (∀A : U_0) . (A ⇒ A) ⇒ (∀A : U_0) . (A ⇒ A)

This type cannot be seen as a shorthand for a collection of monotypes: it is the type of functions from a polymorphic type to itself. A function of this type is given by

    λf . ( if f bool (eq_N (f N 0) (f N 1)) then f else id )

In the condition f bool (eq_N (f N 0) (f N 1)) the function f is used on both the booleans and on the natural numbers. The function must therefore be of the polymorphic type (∀A : U_0) . (A ⇒ A). The result returned is either the function f itself or the identity function

    id ≡df λA_{U_0} . λx_A . x

Quantifiers over a universe can be used to define weak versions of various familiar type constructors. For example, the type

    Prod A B ≡df (∀C : U_0) . ((A ⇒ B ⇒ C) ⇒ C)

resembles the product of the types A and B (which we assume inhabit the universe U_0). Given elements a : A and b : B we can define

    F_{a,b} : Prod A B
    F_{a,b} ≡df (λC : U_0) . (λf : A ⇒ B ⇒ C) . (f a b)

and we can also define two `projections' thus:

    p : Prod A B ⇒ A
    p F ≡df F A (λx_A . λy_B . x)

    q : Prod A B ⇒ B
    q F ≡df F B (λx_A . λy_B . y)

Observe that

    p F_{a,b} ≡df F_{a,b} A (λx_A . λy_B . x)
              ≡df (λC : U_0) . (λf : A ⇒ B ⇒ C) . (f a b) A (λx_A . λy_B . x)
              →   (λf : A ⇒ B ⇒ A) . (f a b) (λx_A . λy_B . x)
              →   (λx_A . λy_B . x) a b
              →   λy_B . a b
              →   a

In a similar way, q F_{a,b} →→ b. This shows that the function F_{a,b} can be thought of as representing the pair formed from a and b. Prod A B is a weak representative of the pair as it is not possible to prove from the rules of TT that every member of the type is such a pair: we fail to have a general enough elimination or closure condition.

Other representations of types such as the disjunction (or sum type) and algebraic types can be found in Chapter 11 of [GLT89].

Exercises

6.22. Give a derivation of the verified quicksort function above.

6.23. Show that the type

    (∀C : U_0) . ((A ⇒ C) ⇒ (B ⇒ C) ⇒ C)

can be thought of as a weak sum type, and that the type

    (∀C : U_0) . (C ⇒ (C ⇒ C) ⇒ C)

can be seen as a representation of the type of natural numbers.

6.24. Compare the weak representations of types given in the section and exercise above with the elimination rules for the types represented; can you see a general pattern emerging?

6.3.6 Quantification and Universes: ∃

Existential quantification over a universe offers a rich collection of examples. In section 5.9.2 it was explained that objects of type (∃A : U_0) . P were pairs (A, p) with A a (small) type and p a member of the type P, which depends upon A. In the simplest case, of P ≡ A, we have a sum of the types in U_0. An important case is when P(A) is a conjunction of types

    P_1 ∧ ... ∧ P_n

Objects of the existential type consist of a type A, together with elements p_i : P_i. We can think of P_1 ∧ ... ∧ P_n as a signature and the tuple (p_1, ..., p_n) as an implementation of the signature. A traditional example in such cases is

    A ∧ (N ⇒ A ⇒ A) ∧ (A ⇒ A) ∧ (A ⇒ N)

which gives elements which can usefully be named thus:

    empty : A
    push : (N ⇒ A ⇒ A)
    pop : (A ⇒ A)
    top : (A ⇒ N)

The type (∃A : U_0) . P can therefore be thought of as an abstract type, or more precisely the collection of implementations of an abstract type, in this case the type of stacks.

We observed earlier, in section 5.3.3, that the rule (∃E') was weaker than the rule (∃E) or the equivalent pair (∃E1') and (∃E2'). We discuss their formal differences in section 8.1.3, but we ought to look here at how their difference affects the abstract data type or module construct.

The weak rule has been characterised by MacQueen in [Mac86] as giving only a hypothetical witness to the existential statement. It is this interpretation which underlies the Miranda abstype, [Tur85], and constructs in a number of other languages. This interpretation has the disadvantage that the encapsulation cannot be re-opened once formed, making it difficult to extend the functionality of the abstype once formed, a basic tenet of object-oriented design. Specific examples can be found in MacQueen's paper and in the survey [CW85]. MacQueen therefore argues in [Mac86] and [Mac90], which discusses the module mechanism in Standard ML, that the appropriate notion is the strong one, which makes the witnesses transparent, allowing both the underlying type and the implementation functions to be extracted, and thus permitting such extensions of types. Naturally, there are advantages to each approach, and perhaps both could usefully be included in a programming language, each serving its own purpose.

We can interpret existential quantification over a universe in a different way. The Haskell programming language uses Wadler and Blott's idea of type classes, first introduced in [WB89]. The motivation behind type classes is to give a cleaner treatment of the quasi-polymorphism of the equality operation in languages such as Miranda and SML. In the former, an equality is defined over every type, despite the fact that it is the undefined function on all but ground types. In SML a special kind of type variable is introduced to range over only those types bearing an equality. Type classes are defined to be collections of types each member of which must have functions over it implementing the signature which defines the type. For instance, every type t in the Eq class must carry a function eq of type

    eq : t -> t -> bool

In type theory, a type class will be given by

    (∃t : U_0) . S

where S is the signature defining the class, in the case of Eq this being t ⇒ t ⇒ bool. An example using Eq is the function which removes every occurrence of an element from a list

    remove [ ] b ≡df [ ]
    remove (a :: x) b ≡df remove x b           if eq a b
    remove (a :: x) b ≡df a :: (remove x b)    if not

which has the special Haskell type

    remove : (Eq t) => [t] -> t -> [t]

which is intended to mean that remove is only defined over elements of the class Eq. If we write

    Eqt ≡df (∃A : U_0) . (A ⇒ A ⇒ bool)

then we can model the function remove in TT thus:

    remove : (∀(A, eq) : Eqt) . ([A] ⇒ A ⇒ [A])

where we use the pattern (A, eq) to range over elements of the existential type purely for readability. The restricted polymorphism is expressed explicitly, since the type variable A ranges only over those A which possess a function of type (A ⇒ A ⇒ bool).

Instead of the predicate part P of the type (∃A : U_0) . P being simply a type, it can contain proof information as well. For instance we might want to stipulate that any implementation of the stack signature satisfies

    (∀n : N) . (∀a : A) . (pop (push n a) = a)
    (∀n : N) . (∀a : A) . (top (push n a) = n)

We do this by forming a subtype of

    A ∧ (N ⇒ A ⇒ A) ∧ (A ⇒ A) ∧ (A ⇒ N)

thus:

    (∃(empty, push, pop, top) : A ∧ (N ⇒ A ⇒ A) ∧ (A ⇒ A) ∧ (A ⇒ N)) .
        ((∀n : N) . (∀a : A) . (pop (push n a) = a) ∧
         (∀n : N) . (∀a : A) . (top (push n a) = n))

In exactly the same way we can form logical type classes for which we specify not only the existence of objects of a certain type, but also demand that they have certain properties. In the case of Eq, we might ask for the relation to be an equivalence relation, rather than an arbitrary binary boolean valued function. The extra information supplied in one of these type classes would allow us to infer properties of the functions defined over the class.

It is interesting to observe that abstract data types and type classes are modelled by exactly the same construction in type theory. In Haskell the difference between the two lies in their use. In a Miranda abstype declaration, we see a signature defined and bound immediately to a particular implementation. Any code which uses the abstype must be capable of using any implementation of the signature, and so can be thought of as a function over the appropriate type class. The novel feature of type classes is that these functions over classes can be declared explicitly and can be applied to more than one implementation of the specification within a given scope.

Type classes can be thought of as adding one aspect of object-oriented programming to a functional language. A member of a type class might be thought of as an object. From this perspective, it is interesting to see that there is support for (multiple) inheritance. A subclass of the class

    C_1 ≡df (∃t : U_0) . S_1

is defined by extending the signature part by adding more operations (or in the case of a logical type class more operations or properties) to give the signature S_2 and the corresponding class C_2. Because S_2 extends S_1 there will be a projection function

    π_{2,1} : S_2 ⇒ S_1

which can be extended to

    forget_{2,1} : C_2 ⇒ C_1
    forget_{2,1} ≡df λp . (Fst p, π_{2,1} (Snd p))

Any function F : C_1 ⇒ R defined over the class C_1 can be applied to members of C_2 by composing with the function forget_{2,1}

    F ∘ forget_{2,1} : C_2 ⇒ R

Multiple inheritance is supported by different extensions to signatures: the forget functions will be defined uniquely by the signatures involved.
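As an added example (my own code, not the book's), the type-class-as-existential reading of this section can be written with explicit dictionaries in Rust: a record EqDict<A> plays the signature part of Eqt, a record OrdDict<A> is a subclass signature extending it with lesseq, and forget is the function forget_{2,1} built from the evident projection. remove takes the dictionary as an explicit argument, which is exactly the restricted polymorphism of (∀(A, eq) : Eqt); the instance u32_ord is constructed for the example, and all names are mine.

```rust
/// Signature part of Eqt ≡df (∃A:U_0).(A ⇒ A ⇒ bool): one operation.
pub struct EqDict<A> {
    pub eq: fn(&A, &A) -> bool,
}

/// A subclass signature S_2 extending S_1 with a second operation.
pub struct OrdDict<A> {
    pub eq: fn(&A, &A) -> bool,
    pub lesseq: fn(&A, &A) -> bool,
}

/// forget_{2,1} : C_2 ⇒ C_1, the projection on signatures lifted to
/// dictionaries (here the "type" component is the Rust type parameter A).
pub fn forget<A>(d: &OrdDict<A>) -> EqDict<A> {
    EqDict { eq: d.eq }
}

/// remove : (∀(A, eq) : Eqt) . ([A] ⇒ A ⇒ [A]), with the (A, eq)
/// pattern of the text turned into an explicit dictionary parameter.
pub fn remove<A: Clone>(d: &EqDict<A>, xs: &[A], b: &A) -> Vec<A> {
    match xs {
        [] => Vec::new(),
        [a, rest @ ..] => {
            let mut tail = remove(d, rest, b);
            if (d.eq)(a, b) {
                tail
            } else {
                tail.insert(0, a.clone());
                tail
            }
        }
    }
}

/// A function over the subclass C_2: it needs lesseq, so it cannot be
/// given an EqDict alone.
pub fn is_sorted<A>(d: &OrdDict<A>, xs: &[A]) -> bool {
    xs.windows(2).all(|w| (d.lesseq)(&w[0], &w[1]))
}

/// A member (u32, implementation) of the existential type, constructed
/// for this example.
pub fn u32_ord() -> OrdDict<u32> {
    OrdDict { eq: |a, b| a == b, lesseq: |a, b| a <= b }
}

/// F ∘ forget_{2,1}: a C_1 function applied to a C_2 member.
pub fn remove_with_ord<A: Clone>(d: &OrdDict<A>, xs: &[A], b: &A) -> Vec<A> {
    remove(&forget(d), xs, b)
}
```

Passing the dictionary by hand makes the point of the section visible in the code: remove cannot be called on a type that has no eq, because there is no value of type EqDict<A> to pass, and a subclass member is accepted only through forget, which the signatures determine uniquely.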

6.4 A Case Study: Vectors

Vectors are fixed-length sequences of values from a given type. One way to model them is using the subtypes [A]_n of the list type [A]; this section explores a different treatment, representing vectors as functions over finite types. First we define the finite types, then the vectors and finally we show how functions can be defined uniformly over the different sizes of vector.

6.4.1 Finite Types Revisited

TT contains the finite types N_n, which are an obvious candidate for the domains of the vectors; why are they unsuitable? The difficulty is that they are not defined in a uniform way; in other words the mapping

    n ↦ N_n

cannot be defined in type theory. We now show how the finite types can be defined as subtypes of N in a uniform way. Recall the definition of the `less than' relation in section 6.1.2

    m < 0 ≡df False
    0 < (n + 1) ≡df True
    (m + 1) < (n + 1) ≡df m < n

We first establish that the relation is a total ordering on the natural numbers.

Theorem 6.6 The relation `<' is a total ordering over the natural numbers, as each of the following propositions is inhabited.

1. Reflexivity. x ≮ x
2. Symmetry. ¬(x < y ∧ y < x)
3. Transitivity. (x < y) ⇒ (y < z) ⇒ (x < z)
4. Totality. (x < y) ∨ (x = y) ∨ (x > y)
5. Successor. x < (x + 1)

Proof: Each of the parts is proved by induction. We look at the first and the penultimate. For reflexivity, we work by induction over x. The base case 0 ≮ 0 is given by the clause m < 0 ≡df False of the definition. Now suppose that (n + 1) < (n + 1). By the third clause of the definition we have n < n, which gives ⊥ by induction, so (n + 1) ≮ (n + 1).

To prove totality, we work by induction on x with a subsidiary induction over y. Take x to be 0; if y is zero then x = y, otherwise by the second clause of the definition x < y. The induction step is analogous. □

Definition 6.7 The finite types C_n are defined thus

    C_n ≡df (∃m : N) . (m < n)

This definition is uniform in the variable n.

We can view the transitivity of `<' as asserting the existence of canonical embeddings

    f_{p,q} : C_p ⇒ C_q

when p ≤ q. If p = q the function is simply the identity, whilst if p < q, for any (m, r) : C_p, m < p and p < q gives m < q and thus (m, s) : C_q for some proof s of the inequality.

We can also establish a characterisation like that of the types N_n.

Theorem 6.8 For each C_n we can show that the following proposition is provable.

    (∀x : C_n) . ( x = 0 ∨ x = 1 ∨ ... ∨ x = n - 1 )

where by n we mean the pair

    ( succ (succ ... (succ 0) ...) , Triv )

with n occurrences of succ.

Proof: The proof is by a meta-theoretic induction over n. We cannot formalise in a uniform way the sequence of formulas asserted, and so we cannot formalise the argument. □

Do the C_n have exactly the properties of the N_n? Given the last propositions, the rules for introducing elements of the two types are equivalent. The cases_n construct can be represented by a function with domain C_n, where we can take account of the different types of the various values by mapping into a sum type. Specifically, to model

    (λm : N_n) . ( cases_n m a_1 ... a_n )

with a_i : A_i we define the function

    (λx : C_n) . ( if (eq_n x 0) then (in_1 a_1) else
                   if (eq_n x 1) then (in_2 a_2) ... else (in_n a_n) )

of type

    C_n ⇒ (A_1 ∨ ... ∨ A_n)

where we use in_k for the injection of the component type A_k into the n-ary sum (A_1 ∨ ... ∨ A_n), and eq_n for the equality function over C_n.

The construct ( cases_n m a_1 ... a_n ) is characterised by the values m and a_1, ..., a_n. For a function modelling this to be thus characterised, we need to adopt an extensional approach, as outlined in section 5.8.

Exercise

6.25. Show that given definitions of addition and multiplication the following propositions are inhabited

    (a < b) ∧ (c < d) ⇒ (a + c < b + d)
    (a < b) ∧ (0 < c) ⇒ (a × c < b × c)

6.4.2 Vectors

Using the finite types of the previous section we are in a position to define the vector types.

Definition 6.9 The type of vectors of length n over type A, Vec A n is defined thus

    Vec A n ≡df (C_n ⇒ A)

The definition of Vec A n is uniform in A and n, and so definitions of vector operations can be made parametric in either A, n or both. We now give a number of definitions of vector operations.

A constant vector is formed by

    const : (∀A : U_0) . (∀n : N) . (A ⇒ Vec A n)
    const A n a ≡df λx . a

A vector v is updated in position m with b by

    update A n : Vec A n ⇒ C_n ⇒ A ⇒ Vec A n
    update A n v m b ≡df λx . ( if (eq_n m x) then b else (v x) )

A permutation of the indices C_n is represented by a function p : (C_n ⇒ C_n), and the elements of the vector v are permuted by composing the permutation p with v.

Given a binary operator ⊕ on the type A, we reduce the vector

    < a_1, ..., a_n >

using ⊕ to form

    (... (a_1 ⊕ a_2) ⊕ ... ⊕ a_n)

The type of reduce is given by

    (∀A : U_0) . (∀n : Pos) . ((A ⇒ A ⇒ A) ⇒ Vec A n ⇒ A)

where Pos is the set of positive natural numbers (∃n : N) . (0 < n). The definition is by induction over the positive natural numbers. For vectors of length one, we return the single value, and for the vector v

    < a_1, ..., a_n, a_{n+1} >

we reduce v' ≡df < a_1, ..., a_n > giving r, say, which is then used to form r ⊕ a_{n+1}. To make the definition above precise we need to explain how an element of a vector is accessed. If m : C_n and w : Vec A n then the mth element is given by the application (w m). How is the vector v' : C_n formed from v : C_{n+1}? We simply define the composition

    v ∘ f_{n,n+1} : (C_n ⇒ A) ≡ Vec A n

where f_{n,n+1} is the canonical embedding given by theorem 6.6.
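As an added example (my own code, not the book's), vectors as functions over the finite types C_n can be approximated in Rust with const generics. Fin<N> stands for C_N: its only constructor checks m < N once, which is the Rust substitute for carrying the proof of the inequality, and after that an index of the wrong size cannot be applied to a vector of the wrong length, because Vect<A, N> is the function type C_N ⇒ A. The functions constant, update, permute, restrict (the composition v ∘ f_{M,N}) and reduce are mine; reduce loops over the indices rather than recursing on n, since stable Rust cannot express Vec A n from Vec A (n+1) at the type level.

```rust
use std::rc::Rc;

/// C_N: a natural number m together with (a one-time check of) m < N.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Fin<const N: usize> {
    m: usize,
}

impl<const N: usize> Fin<N> {
    /// The only way to obtain a Fin<N>: the witness m < N is checked here.
    pub fn new(m: usize) -> Option<Self> {
        if m < N { Some(Fin { m }) } else { None }
    }
    pub fn value(self) -> usize {
        self.m
    }
    /// The canonical embedding f_{N,Q} : C_N ⇒ C_Q, which exists when N ≤ Q
    /// (theorem 6.6); the side condition is a runtime assertion here.
    pub fn embed<const Q: usize>(self) -> Fin<Q> {
        assert!(N <= Q, "f_{{p,q}} is only defined for p <= q");
        Fin { m: self.m }
    }
}

/// Vec A n ≡df (C_n ⇒ A), as a shared closure.
pub type Vect<A, const N: usize> = Rc<dyn Fn(Fin<N>) -> A>;

/// const A n a ≡df λx . a
pub fn constant<A: Clone + 'static, const N: usize>(a: A) -> Vect<A, N> {
    Rc::new(move |_: Fin<N>| a.clone())
}

/// update A n v m b ≡df λx . (if (eq_n m x) then b else (v x))
pub fn update<A: Clone + 'static, const N: usize>(v: Vect<A, N>, m: Fin<N>, b: A) -> Vect<A, N> {
    Rc::new(move |x: Fin<N>| if x == m { b.clone() } else { v(x) })
}

/// Permute the elements by composing a permutation p : C_n ⇒ C_n with v.
pub fn permute<A: 'static, const N: usize>(v: Vect<A, N>, p: Rc<dyn Fn(Fin<N>) -> Fin<N>>) -> Vect<A, N> {
    Rc::new(move |x: Fin<N>| v(p(x)))
}

/// v ∘ f_{M,N} : Vec A M, the first M elements of a vector of length N ≥ M.
pub fn restrict<A: 'static, const M: usize, const N: usize>(v: Vect<A, N>) -> Vect<A, M> {
    Rc::new(move |x: Fin<M>| v(x.embed::<N>()))
}

/// reduce over a non-empty vector: (... (a_1 ⊕ a_2) ⊕ ... ⊕ a_n).
/// Every index used is built with Fin::new(i) for i < N, so no unchecked
/// access is possible; N > 0 is the Pos restriction of the text.
pub fn reduce<A: 'static, const N: usize>(op: impl Fn(A, A) -> A, v: &Vect<A, N>) -> A {
    assert!(N > 0, "reduce is only defined over Pos");
    let mut acc = v(Fin::<N>::new(0).unwrap());
    for i in 1..N {
        acc = op(acc, v(Fin::<N>::new(i).unwrap()));
    }
    acc
}
```

Because the length is part of the type, mixing an index of C_4 with a vector of length 2 is a compile-time error rather than an out-of-bounds access at run time, which is the practical content of defining vectors over C_n rather than over N.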
Exercises

6.26. Give a type and definition for the function giving the inner product of a numerical vector.

6.27. How would you define a general sorting function for vectors?

6.28. Explain how the model above can be extended to treat rectangular arrays of any dimension.

6.29. Using the types defined in the previous question, define the array product and inversion operations. In the latter case you can use a subtype to restrict the domain to those arrays which possess inverses.

6.5 Proof Extraction; Top-Down Proof

Up to now in these examples, we have treated the system as a functional programming language, reasoning about objects, their types and their computational behaviour. It is possible to give a different presentation of the rules in which some of the information about the proof objects is suppressed. The information can be used to extract a proof object from the derivation given. This approach underlies the Nuprl system [C+86a]. The first two examples are discussed in [C+86a, Sections 4.3 and 4.4]; the reader can compare the two treatments.

6.5.1 Propositional Logic

If we look at the rules for propositional logic, taking (∨E') as the rule of disjunction elimination, they have an interesting characteristic: there is no link between the right-hand and left-hand sides of the judgements

    proof : proposition

which they involve. Taking the rule (∨E') as an example, we can strip the proof information from the rule, leaving

                    [A]     [B]
                     .       .
                     .       .
        (A ∨ B)      C       C
        ------------------------ (∨E')
                   C

Of course, we still know that given the appropriate proofs of the hypotheses we can form the proof object cases'_{x,y} p u v which proves the conclusion, C.

Without the proof information, the rule admits of a second reading:

    In order to derive C (from hypotheses Γ) it is sufficient to derive (A ∨ B) (from Γ) and to derive C in the two cases that A and B are assumed (together with Γ).

which we call the backwards or top-down interpretation. Other rules admit a similar reading. (⇒I) can be construed as saying

    In order to derive (A ⇒ B) it is sufficient to derive B from the (additional) assumption A.

We now use these ideas to give a `proof-free' derivation of the formula

    (P ∨ ¬P) ⇒ (¬P ⇒ ¬Q) ⇒ (Q ⇒ P)

Using (⇒I) top-down three times, it is sufficient to derive the formula P from the assumptions

    (P ∨ ¬P), (¬P ⇒ ¬Q), Q

The backwards reading of (∨E') above suggests how to use a disjunctive assumption. To derive P from (P ∨ ¬P), (¬P ⇒ ¬Q), Q it is enough to derive P from the two sets of assumptions

    P, (¬P ⇒ ¬Q), Q    and    ¬P, (¬P ⇒ ¬Q), Q

The derivation from the first set is trivial, as P is a member. In the second case, we apply modus ponens to the first two formulas, giving ¬Q, and from this and Q, modus ponens gives ⊥, which by ex falso quodlibet gives us any formula, and in particular P. It is interesting to note that, as is often the case, a top-down construction reaches a point beyond which it yields to a bottom-up approach. Making the description above into a formal derivation, we have

                              [¬P]¹    ¬P ⇒ ¬Q
                              ----------------- (⇒E)
                         Q           ¬Q
                         ------------------ (⇒E)
                                ⊥
        P ∨ ¬P    [P]¹        ----- (⊥I)
                                P
        ------------------------------------ (∨E')¹
                        P

From this we can discharge the assumptions thus

            [Q]², [¬P]¹, [¬P ⇒ ¬Q]³
                     .
                     .
        [P ∨ ¬P]⁴   [P]¹   P
        ------------------------------ (∨E')¹
                    P
        ------------------------------ (⇒I)²
                  Q ⇒ P
        ------------------------------ (⇒I)³
          (¬P ⇒ ¬Q) ⇒ (Q ⇒ P)
        ------------------------------ (⇒I)⁴
        (P ∨ ¬P) ⇒ (¬P ⇒ ¬Q) ⇒ (Q ⇒ P)

We can now extract the proof information, naming the assumptions and forming terms as described by the full proof rules.

                                   [v : ¬P]¹    y : (¬P ⇒ ¬Q)
                                   -------------------------- (⇒E)
                          z : Q           (y v) : ¬Q
                          ---------------------------------- (⇒E)
                                   ((y v) z) : ⊥
        x : (P ∨ ¬P)   [u : P]¹   ---------------------------- (⊥I)
                                   abort_P ((y v) z) : P
        ------------------------------------------------------- (∨E')¹
              cases'_{u,v} x u (abort_P ((y v) z)) : P

If we write e for cases'_{u,v} x u (abort_P ((y v) z)), we obtain finally

            [z : Q]², [v : ¬P]¹, [y : (¬P ⇒ ¬Q)]³
                          .
                          .
        [x : (P ∨ ¬P)]⁴   [u : P]¹   P
        ------------------------------------------ (∨E')¹
                         e : P
        ------------------------------------------ (⇒I)²
                  λz . e : (Q ⇒ P)
        ------------------------------------------ (⇒I)³
          λy . λz . e : (¬P ⇒ ¬Q) ⇒ (Q ⇒ P)
        ------------------------------------------ (⇒I)⁴
        λx . λy . λz . e : (P ∨ ¬P) ⇒ (¬P ⇒ ¬Q) ⇒ (Q ⇒ P)

which gives the proof object

    λx . λy . λz . ( cases'_{u,v} x u (abort_P ((y v) z)) )

as a witness of the proof of the formula.

6.5.2 Predicate Logic

The proof extraction technique can be extended to some of the rules of predicate logic. For the universal quantifier we obtain

          [x : A]
             .
             .
             P                           a : A    (∀x : A) . P
        --------------- (∀I)      and    --------------------- (∀E)
         (∀x : A) . P                           P[a/x]

whilst for the existential quantifier we have

                                                         [x : A, B]
                                                             .
                                                             .
        a : A    P[a/x]                   (∃x : A) . B       C
        ---------------- (∃I)      and    --------------------- (∃E')
         (∃x : A) . P                              C

Some proof information seems to remain here, in the judgement a : A of (∃I) for instance. Since the logic is typed, this minimum of type information must be retained to ensure the well-formedness of propositions. An example of a `proof-less' derivation of (∀x : A) . (∃y : B) . P from (∃y : B) . (∀x : A) . P follows.

                              [x : A]¹    [(∀x : A) . P]²
                              --------------------------- (∀E)
                     [y : B]²            P
                     ------------------------------- (∃I)
                              (∃y : B) . P
                     ------------------------------- (∀I)¹
        (∃y : B) . (∀x : A) . P    (∀x : A) . (∃y : B) . P
        --------------------------------------------------- (∃E')²
                     (∀x : A) . (∃y : B) . P

The derivation can now have the proof object extracted from it, if we name p and q the proofs of (∃y : B) . (∀x : A) . P and (∀x : A) . P which are assumed to exist. The q will be discharged, as we shall see.

                                [x : A]¹    [q : (∀x : A) . P]²
                                ------------------------------- (∀E)
                     [y : B]²              (q x) : P
                     ----------------------------------------- (∃I)
                              (y, q x) : (∃y : B) . P
                     ----------------------------------------- (∀I)¹
        p : (∃y : B) . (∀x : A) . P    λx . (y, q x) : (∀x : A) . (∃y : B) . P
        ---------------------------------------------------------------------- (∃E')²
                  Cases_{y,q} p (λx . (y, q x)) : (∀x : A) . (∃y : B) . P

The only free variable in the proof object is p which represents the undischarged assumption (∃y : B) . (∀x : A) . P.

We have only considered the weak existential elimination rule in this way as the stronger rule, in either of the forms (∃E2') or (∃E), introduces a proposition as a conclusion which depends upon the proof object of the proposition above the line. To use these rules, which we need to do to prove the axiom of choice,

    (∀x : A) . (∃y : B) . P ⇒ (∃f : A ⇒ B) . (∀x : A) . P[(f x)/y]

for instance, we need to reason about the proof terms explicitly. Similar remarks apply to the choice of disjunction elimination rule.
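As an added example (my code, not the book's), the two proof objects extracted in sections 6.5.1 and 6.5.2 run as Rust programs under the propositions-as-types reading: an empty enum for ⊥, functions into it for negation, a two-constructor enum for disjunction and a pair for the existential. excluded_middle_contrapositive is the term λx . λy . λz . cases'_{u,v} x u (abort_P ((y v) z)) and swap_quantifiers is Cases_{y,q} p (λx . (y, q x)); pattern matching on the pair p plays the part of the weak rule (∃E'), which is why no dependency on p is needed in the result type. All names (Void, Not, Either, abort) are mine.

```rust
/// ⊥: no value of this type can ever be constructed.
pub enum Void {}

/// ¬P ≡ P ⇒ ⊥
pub type Not<P> = Box<dyn Fn(P) -> Void>;

/// P ∨ Q
pub enum Either<P, Q> {
    Left(P),
    Right(Q),
}

/// abort_C : ⊥ ⇒ C (ex falso quodlibet). The match has no arms because
/// Void has no constructors, so this body is never reached.
pub fn abort<C>(v: Void) -> C {
    match v {}
}

/// (P ∨ ¬P) ⇒ (¬P ⇒ ¬Q) ⇒ (Q ⇒ P), i.e. the term
///     λx . λy . λz . cases'_{u,v} x u (abort_P ((y v) z))
/// The match on x is cases': u is the P branch, v the ¬P branch.
pub fn excluded_middle_contrapositive<P, Q>(
    x: Either<P, Not<P>>,
    y: impl Fn(Not<P>) -> Not<Q>,
    z: Q,
) -> P {
    match x {
        Either::Left(u) => u,
        Either::Right(v) => abort((y(v))(z)),
    }
}

/// (∃y : B) . (∀x : A) . P ⇒ (∀x : A) . (∃y : B) . P, i.e. the term
///     Cases_{y,q} p (λx . (y, q x))
/// An existential is a pair and a universal a function, so the witness
/// y is copied into every result pair while q is applied to x.
pub fn swap_quantifiers<A: 'static, B: Clone + 'static, P: 'static>(
    p: (B, Box<dyn Fn(A) -> P>),
) -> Box<dyn Fn(A) -> (B, P)> {
    let (y, q) = p;
    Box::new(move |x: A| (y.clone(), q(x)))
}
```

The type checker is doing the logic here: a version of excluded_middle_contrapositive that tried to return something other than u in the Left branch, or to skip abort in the Right branch, would not compile, which is the proof-object reading of the derivation made mechanical.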

6.5.3 Natural Numbers


We an extend this proof-less derivation to results involving data types like
the natural numbers. Obviously the introdu tion rules still need to mention
the elements of N , and so are un hanged, but we an restate the (NE ) rule
thus:
n : N C [0=x℄ (8n : N ) : (C [n=x℄ ) C [su n=x℄)
(NE )
C [n=x℄
234 CHAPTER 6. APPLYING TYPE THEORY

An example we might prove thus is (8n : N ) : (0 < fa n) where the propo-


sition (m < n) was rst de ned in se tion 6.1.2, and fa has the de nition
fa 0 df 1
fa (n + 1) df (n + 1)  (fa n)
We rst have to derive (0 < 1) whi h is a spe ial ase of (0 < n + 1), whi h
is itself trivially derivable. In the se ond ase we have to derive
(8n : N ) : ((0 < fa n) ) (0 < fa (n + 1)))
for whi h, using the rules (8I ) and () I ) top-down, it is suÆ ient to derive
(0 < fa (n + 1)) on the assumption that n : N and (0 < fa n). Sin e
fa (n + 1) is the produ t
(n + 1)  (fa n)
and as it is a standard result (and exer ise!) that a produ t of positive
numbers is positive, the result is derived.
Exer ises
6.30. Give `proof-less' derivations of the formulas (B _ C ) ) :(:B ^ :C ),
A ) ::A and (:A _ :B ) ) :(A ^ B ), and from your derivations extra t
the orresponding proof obje ts.
6.31. Find a `proof-less' derivation of the formula
(8x : X ) : (A ) B ) ) ((9x : X ) : A ) (9x : X ) : B )
and extra t a proof obje t from the derivation.
6.32. Formalise the `proof-less' derivation of the fa t that all values of
fa are positive, assuming the lemma on multipli ation, and give the proof
obje t that it generates.
6.33. Making a suitable de nition of the multipli ation operation `' over
N , give a `proof-less' derivation of the lemma that a produ t of positive
numbers is positive.

6.6 Program Development { Polish National


Flag
This section addresses the problem of the Polish National Flag, which is an inessential simplification of the problem of the Dutch National Flag. This was first addressed in [Dij76]. In the context of type theory it was first investigated in [PS85] and later in section 22.2 of [NPS90]. The problem, baldly stated, is this: given a sequence of items which are either red or white, return a permuted sequence in which all the red items precede the white.

Our approach differs from that in [NPS90] in two ways. First, we express the specification in a different way, so as to separate the computational from the proof-theoretic; secondly, we eschew the use of the subset type. We shall discuss this type in some detail in chapter 7. We also use an `equational' notation which is closer to that in use in the majority of functional programming languages.

Our development depends upon some of the functions and predicates which were introduced earlier; in particular we shall use ++, the list concatenation operator, the predicate perm l m, which expresses the fact that the list l is a permutation of the list m, together with the auxiliary occs a l, which counts the number of occurrences of a in the list l. We assume that the colours are represented by the boolean type, bool (which we shall abbreviate C, for colour), with the value True representing the colour red. We therefore say isRed a ≡df (a = True) and similarly for isWhite. Also, we define

allRed : [bool] ⇒ U_0
allRed [ ]        ≡df ⊤
allRed (a :: x)   ≡df isRed a ∧ allRed x

with the corresponding definition for allWhite. One way to express the specification of the problem is then to say

(∀l : [C]). (∃(l', l'') : [C] ∧ [C]). (allRed l' ∧ allWhite l'' ∧ perm l (l' ++ l''))        (6.5)

What we seek is, in fact, a function which returns the pair of lists (l', l'') corresponding to each l, so we modify the specification to read

(∃f : [C] ⇒ [C] ∧ [C]). (∀l : [C]). allRed (fst (f l)) ∧ allWhite (snd (f l)) ∧ perm l ((fst (f l)) ++ (snd (f l)))        (6.6)

What will a proof of this formula consist of? It will be a pair (f, p) with

f : [C] ⇒ [C] ∧ [C]

and p a proof that for all lists l

allRed (fst (f l)) ∧ allWhite (snd (f l)) ∧ perm l ((fst (f l)) ++ (snd (f l)))        (6.7)

This pair consists precisely of the function required together with a proof that it has the property required of it. This is the general form that a specification in type theory should take; we return to this topic in chapter 7. Note that the transformation of the first specification into the second is by no means ad hoc: we have applied the axiom of choice to the first to obtain the second; indeed, given this axiom the two specifications are logically equivalent. The axiom of choice is the statement

(∀x : A). (∃y : B). P(x, y)  ⇒  (∃f : A ⇒ B). (∀x : A). P(x, f x)

It is not hard to show that this type is inhabited; it is left as an exercise for the reader, who will be able to find a proof in [ML85].

There are two distinct ways of proving a statement like 6.6.

• We can prove the statement by giving a term f and proving the formula 6.7. This method corresponds to traditional program development in a functional programming language: we first define the function we think has the desired property and separately we prove that it does have the property, an exercise in program verification. This was the method we used in developing quicksort in section 6.2.

• Alternatively, we can develop the proof from the top down, reducing the existential statement 6.6 to 6.5. We then try to prove this formula directly and from the proof we extract a function by applying the axiom of choice. This program extraction technique is the one which we follow here: note that both methods can lead to the same definition of the required function.

Using the first method we would define the function

split : [C] ⇒ [C] ∧ [C]
split [ ]         ≡df ([ ], [ ])
split (a :: m)    ≡df (a :: l', l'')    if a
                  ≡df (l', a :: l'')    if not
    where (l', l'') ≡ split m

and then attempt to verify, by induction, that split has the property (6.7). Alternatively we try to prove the result (6.5) directly; this we do now.
Theorem 6.10 For all lists l : [C],

(∃(l', l'') : [C] ∧ [C]). (allRed l' ∧ allWhite l'' ∧ perm l (l' ++ l''))        (6.8)

Proof: We prove the result by induction over the list l. We shall call the statement (6.8) P(l).

Case: l ≡ [ ]
It is immediate that the types allRed [ ] and allWhite [ ] are inhabited. Also [ ] ++ [ ] ≡ [ ] and as perm is reflexive (see lemma 6.2, part 12) we have that

perm l (l' ++ l'')

is inhabited. Putting the proof objects together we have some p_0,

p_0 : P([ ])

as required in an inductive proof.

Case: l ≡ (a :: m)
Suppose that pm : P(m). Now,

pm ≡ ((l', l''), q)

where q ≡ (q1, q2, q3) and

(q1, q2, q3) : (allRed l' ∧ allWhite l'' ∧ perm m (l' ++ l''))

Now, since there are only two booleans, a will be either red or white. The proof proceeds now by a case analysis. Suppose that

sw : isWhite a

It is not hard to see that

q2' ≡df (sw, q2) : allWhite (a :: l'')

and certainly

q1 : allRed l'

Now, by an earlier result on the simple properties of perm, lemma 6.2, parts 9 and 11, we can find

q3' : perm (a :: m) (l' ++ (a :: l''))

where q3' depends upon the proof object q3. Pulling this together, we have

qw ≡df (q1, q2', q3') : (allRed l' ∧ allWhite (a :: l'') ∧ perm (a :: m) (l' ++ (a :: l'')))

and so

pw ≡df ((l', (a :: l'')), qw) : P(a :: m)

In a similar way if we assume

sr : isRed a

then we can find

pr ≡df (((a :: l'), l''), qr) : P(a :: m)

Since every element a is either red or white, we have

p' ≡df if a then pr else pw : P(a :: m)

This gives us an inductive construction of an element of P(a :: m) from objects a : C, m : [C] and a proof q : P(m), and so amounts to the proof of the induction step.

Formalising the derivation, we have

λl. (lrec l p_0 (λa. λm. λq. p')) : (∀l : [C]). P(l)

which completes the derivation of an object of the type required. □

We can see that the function extracted from the proof by the method which was outlined above will be exactly the function split defined earlier.
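The first of the two methods above, written out as an added example in Python rather than in the book's own notation: split is defined as in the text, property (6.7) is made decidable by taking perm l m to mean that every colour occurs equally often in l and m (using the occs of the text), and the property is then checked exhaustively for every colour list up to a chosen length. The function names are this example's own.

```python
from itertools import product
from typing import List, Tuple

Colour = bool            # the type C of the text: True is red, False is white
RED, WHITE = True, False


def occs(a: Colour, l: List[Colour]) -> int:
    """Number of occurrences of a in l (the auxiliary occs of the text)."""
    return sum(1 for b in l if b == a)


def perm(l: List[Colour], m: List[Colour]) -> bool:
    """l is a permutation of m: each colour occurs equally often in both."""
    return all(occs(a, l) == occs(a, m) for a in (RED, WHITE))


def all_red(l: List[Colour]) -> bool:
    # allRed [] = True ; allRed (a :: x) = isRed a and allRed x
    return l == [] or (l[0] == RED and all_red(l[1:]))


def all_white(l: List[Colour]) -> bool:
    # allWhite [] = True ; allWhite (a :: x) = isWhite a and allWhite x
    return l == [] or (l[0] == WHITE and all_white(l[1:]))


def split(l: List[Colour]) -> Tuple[List[Colour], List[Colour]]:
    """The function split of the text, as primitive recursion over l."""
    if not l:
        return ([], [])
    a, m = l[0], l[1:]
    red, white = split(m)                     # (l', l'') = split m
    return ([a] + red, white) if a else (red, [a] + white)


def satisfies_spec(l: List[Colour]) -> bool:
    """Property (6.7) for one list l, read as a decidable conjunction:
    allRed (fst (split l)) and allWhite (snd (split l)) and perm l (fst ++ snd)."""
    red, white = split(l)
    return all_red(red) and all_white(white) and perm(l, red + white)


def verify_up_to(n: int) -> bool:
    """Check (6.7) for every list of colours of length at most n.  Since C has
    only two values this finite check is complete for the bound, but only the
    inductive proof (theorem 6.10) covers lists of every length."""
    return all(satisfies_spec(list(bits))
               for k in range(n + 1) for bits in product((RED, WHITE), repeat=k))


if __name__ == "__main__":
    flag = [WHITE, RED, WHITE, WHITE, RED]    # constructed sample input
    print(split(flag))
    print(verify_up_to(10))
```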

6.7 Program Transformation

We have so far seen a number of approaches to program construction in type theory. In this section we consider the transformational approach to program development. We show how a program may be transformed within the system TT into another program which has the same behaviour yet which has other desirable properties like time or space efficiency or parallelisability.

How might the starting point of a sequence of transformations arise? Two ways suggest themselves:

• A program may be written directly to reflect the specification, an executable specification in the popular jargon.

• A program may be extracted from a proof: often a proof will use `brute force' rather than subtlety to achieve its result.

The example we look at in this section can be thought of as arising in either way, in fact. Our example has been examined in a number of places including [Tho89a] and the excellent [Ben86], Column 7. It is the problem of finding the maximum sum of a contiguous segment of a finite sequence of integers. For the sequence

    -2   3   4   -3   5   -2   1

the segment 3 4 -3 5, whose sum is 9, has the maximum value.

The essence of program transformation is to take a program into another with the same applicative behaviour, yet improved in some aspect like time efficiency or space usage. Two functions have the same behaviour when they return the same results for all arguments, when they are extensionally equal, in other words. In TT program transformation will therefore involve the replacement of an object by an extensionally equivalent one, through a series of simple steps of the same kind.

In the discussion of the problem here, a list of integers is used to implement the sequence. One implementation of the integers was given on page 136.

We begin our discussion by introducing the operators map and fold, and examining some of their properties, including how they are modified to operate over non-empty lists. Readers who are familiar with these functions may prefer to move straight on to the transformation, returning to the next subsection when and if necessary.

6.7.1 map and fold

Two of the most useful operations over lists are map and fold. map applies a function to every element of a list, and has the primitive recursive definition

map : (A ⇒ B) ⇒ [A] ⇒ [B]
map f [ ]         ≡df [ ]
map f (a :: x)    ≡df (f a) :: (map f x)

which can be written formally

λf. λl. lrec l [ ] hf
    where hf a l p ≡df (f a) :: p

By the rule of I introduction and the computation rules for lrec, we can see that for all f, the types

map f [ ] = [ ]                                    (6.9)
map f (a :: x) = (f a) :: (map f x)                (6.10)

are inhabited. The composition operator ∘, which is written in an infix form for readability, has the definition

(g ∘ f) ≡df λx. (g (f x))                          (6.11)

Recall also that the ++ operator joins two lists together.

The transformations we give later are based on the application of a small number of general `laws' embodying properties of the standard functions. The first law relates map and the append operation.

Theorem 6.11 map f (l ++ m) = (map f l) ++ (map f m) for all lists l and m.

Proof: The proof is by induction over l. □

The second law relates map and composition.

Theorem 6.12 map g ∘ map f ≃ map (g ∘ f) for all functions f and g.

Proof: We show that for all x

(map g ∘ map f) x = map (g ∘ f) x

which we do by induction over the list argument x. In the base case we have to prove that

(map g ∘ map f) [ ] = map (g ∘ f) [ ]

By 6.11

(map g ∘ map f) [ ] = map g (map f [ ])

which by 6.9

= map g [ ]

which by 6.9 again is [ ]. A single application of the same equation shows that the right hand side also equals [ ].

At the induction step, we aim to show

(map g ∘ map f) (a :: x) = map (g ∘ f) (a :: x)        (6.12)

using

(map g ∘ map f) x = map (g ∘ f) x                      (6.13)

Expanding the left hand side of 6.12 first by 6.11 and then by 6.10 twice, we have

= map g (map f (a :: x))
= map g ((f a) :: (map f x))
= (g (f a)) :: (map g (map f x))

By 6.11, twice, this is

= (g (f a)) :: ((map g ∘ map f) x)
= ((g ∘ f) a) :: ((map g ∘ map f) x)

and by the induction hypothesis 6.13

= ((g ∘ f) a) :: (map (g ∘ f) x)

By 6.10 for (g ∘ f), this is

= map (g ∘ f) (a :: x)

which is the right hand side of 6.12. This completes the induction step and therefore the proof itself. □
The elements of a non-empty list can be combined together using the operator fold. For instance, we get the product of the elements of a list by folding in the multiplication operator.

fold : (A ⇒ A ⇒ A) ⇒ (nel A) ⇒ A
fold f ([ ], p)                ≡df abort_A p
fold f ((a :: [ ]), p)         ≡df a
fold f ((a :: (b :: x)), p)    ≡df f a (fold f ((b :: x), Triv))

where the type of non-empty lists, (nel A), is defined by

(nel A) ≡df (∃l : [A]). (nempty l)

where

nempty [ ]         ≡df ⊥
nempty (a :: x)    ≡df ⊤

We would like to use the standard functions map and ++ over non-empty lists as well as over the usual list type. We cannot use the functions directly, but we can define analogues of them, map' and ++', operating over the type (nel A), because of the following lemma.

Lemma 6.13 If l and m are non-empty, then so are map f l and l ++ m.

Proof: The proofs are by induction. □

Formally, the last lemma gives functions mapp, appp of type

mapp : (∀l : [A]). ((nempty l) ⇒ (nempty (map f l)))
appp : (∀l : [A]). (∀m : [A]). ((nempty l) ⇒ (nempty m) ⇒ (nempty (l ++ m)))

The functions map' and ++' are now defined

map' : (A ⇒ A) ⇒ (nel A) ⇒ (nel A)
map' f (l, p)          ≡df (map f l, mapp l p)

++' : (nel A) ⇒ (nel A) ⇒ (nel A)
(l, p) ++' (m, q)      ≡df (l ++ m, appp l m p q)

These functions combine computation with proof, as they transmit the information witnessing the non-emptiness of the argument(s) to the same information about the result.

We also have analogues of theorems 6.11 and 6.12.

Theorem 6.14 For all functions f, and non-empty lists l', m',

map' f (l' ++' m') = (map' f l') ++' (map' f m')

Theorem 6.15 For all functions f, g,

map' g ∘ map' f ≃ map' (g ∘ f)

Proofs: As the theorems above. □

Theorem 6.16 If f is an associative function, that is for all a, b and c,

f a (f b c) = f (f a b) c

then for non-empty l' and m'

fold f (l' ++' m') = f (fold f l') (fold f m')

Proof: The proof is by induction over the non-empty list l'. □

The final law we give relates the action of fold and map', and shows a case in which a map before a fold is transformed into a single function application following a fold.

Theorem 6.17 If f and g satisfy f (g a) (g b) = g (f a b) then

(fold f) ∘ (map' g) ≃ g ∘ (fold f)

The analogue of fold over [A] is called foldr. It takes an extra parameter, which is the value returned on the empty list; a starting value, in other words. It is defined by

foldr : (A ⇒ B ⇒ B) ⇒ B ⇒ [A] ⇒ B
foldr f st [ ]         ≡df st
foldr f st (a :: x)    ≡df f a (foldr f st x)

This is in fact a specialisation of the recursion operator lrec, which omits to use the tail of the list, x, in the recursive call at (a :: x). Using foldr we can define many operations over lists, including

sum ≡df foldr (+) 0

where (⊕) denotes the prefix form of the infix operator ⊕.

Theorem 6.18 For all f and st,

(foldr f st) ∘ ((::) a) ≃ (f a) ∘ (foldr f st)

Proof: This is proved without induction, simply by expanding both sides when applied to an argument x. □
6.7.2 The Algorithm

The problem we aim to solve is finding the maximum sum of a segment of a finite list of integers. There is a naive solution, which forms the starting point of the transformation. In this we

• take all the (contiguous) sublists of the list,

• find the sum of each, and

• take the maximum of these sums.

We can write this as the composition

maxsub ≡df (fold bimax) ∘ (map' sum) ∘ sublists'

where bimax is the binary maximum function over the integers and sublists' is the function of type [A] ⇒ (nel [A]), returning the non-empty list of sublists of a list. The result is non-empty since even an empty list has itself as a sublist. We then apply map' sum to the result, transmitting the proof information, and so permitting the application of fold which demands a non-empty argument.

How is the function sublists' to be defined? We define a function sublists which returns a list of the sublists, and then combine its result with a proof that it is non-empty. This proof is an inductive one, which it is not hard to construct given the definitions which follow. To explain them, observe that a sublist of (a :: x) is either a sublist of x, or includes a, in which case a must be followed by a sublist of x which starts at the front of x; these lists are returned by frontlists x.

sublists : [A] ⇒ [[A]]
sublists [ ]          ≡df [[ ]]
sublists (a :: x)     ≡df map ((::) a) (frontlists x) ++ sublists x

where

frontlists : [A] ⇒ [[A]]
frontlists [ ]        ≡df [[ ]]
frontlists (a :: x)   ≡df map ((::) a) (frontlists x) ++ [[ ]]

We have presented this solution as a direct implementation of the specification. Such a program might also be extracted from a proof of the existence of a maximum segment sum: maxima of finite collections exist simply by exhaustion arguments, and such a strategy would give rise to an algorithm as we have just defined.

So, derived in whatever way, we have our naive solution, which is unsatisfactory for two reasons. The first is an efficiency consideration: to compute the result, we use time (and space) quadratic in the length of the list, as we examine all the (contiguous) sublists of the list, and the number of these grows as the square of the length of the list. Secondly, we carry proof-theoretic information through the computation, which seems to be unnecessary. The transformation remedies both these difficulties.

6.7.3 The Transformation

We transform the program for maxsub beginning with a case analysis. Take the argument [ ]

maxsub [ ]
= ((fold bimax) ∘ (map' sum) ∘ sublists') [ ]
= (fold bimax) ((map' sum) (sublists' [ ]))
= (fold bimax) ((map' sum) ([[ ]], Triv))
= (fold bimax) ([0], Triv)
= 0

where each of the steps above is justified by the definition of the appropriate function. Now we examine the case of (a :: x).

((fold bimax) ∘ (map' sum) ∘ sublists') (a :: x)
= (fold bimax) ((map' sum) (sublists' (a :: x)))
= (fold bimax) ((map' sum) (l1 ++' l2))

where

l1 ≡df map' ((::) a) (frontlists' x)
l2 ≡df sublists' x

both of which are non-empty. By theorem 6.14, the expression equals

(fold bimax) ((map' sum l1) ++' (map' sum l2))

which by theorem 6.16 is

bimax (fold bimax (map' sum l1)) (fold bimax (map' sum l2))

Recalling that l2 ≡df sublists' x, and the definition of maxsub, this is

bimax (fold bimax (map' sum l1)) (maxsub x)        (6.14)

We now concentrate on the first argument in the expression, which when expanded is

(fold bimax) (map' sum (map' ((::) a) (frontlists' x)))        (6.15)

The sub-expression map' sum (map' ((::) a) (frontlists' x)) is a composition of two map's, so we replace it with

map' (sum ∘ ((::) a)) (frontlists' x)

Now, by theorem 6.18, since sum = foldr (+) 0 we have

sum ∘ ((::) a) ≃ ((+) a) ∘ sum

so this gives

map' (((+) a) ∘ sum) (frontlists' x)

which by theorem 6.15 is

((map' ((+) a)) ∘ (map' sum)) (frontlists' x)

This means that 6.15 becomes, using the associativity of `∘',

((fold bimax) ∘ (map' ((+) a)) ∘ (map' sum)) (frontlists' x)

Here we have an interaction between fold and map', and as the conditions of theorem 6.17 apply, we have

a + (((fold bimax) ∘ (map' sum) ∘ frontlists') x)

If we now write

maxfront ≡df (fold bimax) ∘ (map' sum) ∘ frontlists'

we have the original expression 6.14 equal to

bimax (a + maxfront x) (maxsub x)

A similar transformation of maxfront yields

maxfront [ ]         = 0
maxfront (a :: x)    = bimax 0 (a + maxfront x)

and for the original function we have the final form

maxsub [ ]           = 0
maxsub (a :: x)      = bimax (maxsub x) (a + maxfront x)

We can make these equations a definition of the maxsub function, and it can be seen that its complexity is linear in the length of the list. Also, the functions are free of any of the proof information which appeared in the original algorithm, because it used non-empty lists.
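The naive and the transformed programs of sections 6.7.1 to 6.7.3 side by side, as an added Python example that is not the book's code: the non-empty list type (nel A) is represented here by a list paired with a runtime-checked witness, fold, map' and ++' are written over it, and the point of the transformation (extensional equality of the two definitions, with the laws 6.16 and 6.17 it relies on) is checked on constructed inputs. The tupled one-pass version maxsub_linear is this example's own addition, showing that the final equations run in linear time once maxsub and maxfront are computed together.

```python
from itertools import product
from typing import Callable, List, Tuple

Nel = Tuple[List, bool]      # (nel A) of the text: a list paired with its non-emptiness witness


def nel(l: List) -> Nel:
    """Pair a list with the witness p : nempty l; here the proof is a runtime check."""
    assert l != [], "nempty [] is the empty type: no witness exists"
    return (l, True)


def fold(f: Callable, nl: Nel):
    """fold of the text, right-nested: fold f (a :: b :: x) = f a (fold f (b :: x))."""
    l, _ = nl
    return l[0] if len(l) == 1 else f(l[0], fold(f, (l[1:], True)))


def map_nel(f: Callable, nl: Nel) -> Nel:        # map': the witness is transmitted (mapp)
    return ([f(a) for a in nl[0]], nl[1])


def app_nel(nl: Nel, ml: Nel) -> Nel:            # ++': likewise, via appp
    return (nl[0] + ml[0], nl[1] and ml[1])


def frontlists(x: List[int]) -> List[List[int]]:
    # frontlists [] = [[]] ; frontlists (a :: x) = map ((::) a) (frontlists x) ++ [[]]
    return [[]] if not x else [[x[0]] + t for t in frontlists(x[1:])] + [[]]


def sublists(x: List[int]) -> List[List[int]]:
    # sublists [] = [[]] ; sublists (a :: x) = map ((::) a) (frontlists x) ++ sublists x
    return [[]] if not x else [[x[0]] + t for t in frontlists(x[1:])] + sublists(x[1:])


def bimax(a: int, b: int) -> int:
    return a if a >= b else b


def maxsub_naive(x: List[int]) -> int:
    """The starting point (fold bimax) . (map' sum) . sublists', quadratic in len(x)."""
    return fold(bimax, map_nel(sum, nel(sublists(x))))


def maxfront(x: List[int]) -> int:
    """maxfront [] = 0 ; maxfront (a :: x) = bimax 0 (a + maxfront x)."""
    return 0 if not x else bimax(0, x[0] + maxfront(x[1:]))


def maxsub(x: List[int]) -> int:
    """maxsub [] = 0 ; maxsub (a :: x) = bimax (maxsub x) (a + maxfront x)."""
    return 0 if not x else bimax(maxsub(x[1:]), x[0] + maxfront(x[1:]))


def maxsub_linear(x: List[int]) -> int:
    """The same two equations computed in one pass from the right, carrying the
    pair (maxsub x, maxfront x); without this tupling maxsub recomputes
    maxfront at every step and the final form is not linear."""
    ms, mf = 0, 0                                  # (maxsub [], maxfront [])
    for a in reversed(x):
        ms, mf = bimax(ms, a + mf), bimax(0, a + mf)
    return ms


def laws_hold(l: List[int], m: List[int], a: int) -> bool:
    """Concrete instances of the laws the transformation uses: theorem 6.16
    (fold over ++' for the associative bimax) and theorem 6.17
    (fold bimax after map' ((+) a) equals (+) a after fold bimax)."""
    nl, nm = nel(l), nel(m)
    t616 = fold(bimax, app_nel(nl, nm)) == bimax(fold(bimax, nl), fold(bimax, nm))
    t617 = fold(bimax, map_nel(lambda b: a + b, nl)) == a + fold(bimax, nl)
    return t616 and t617


def extensionally_equal_up_to(n: int, values=(-3, -1, 0, 2, 5)) -> bool:
    """A transformation must preserve extensional equality: compare the three
    definitions on every list of length <= n drawn from a small value set."""
    return all(maxsub_naive(list(x)) == maxsub(list(x)) == maxsub_linear(list(x))
               for k in range(n + 1) for x in product(values, repeat=k))


if __name__ == "__main__":
    seq = [-2, 3, 4, -3, 5, -2, 1]                 # the sequence of the text; 3 4 -3 5 sums to 9
    print(maxsub_naive(seq), maxsub(seq), maxsub_linear(seq))
    print(extensionally_equal_up_to(4))
```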
Exercises

6.34. What is the principle of induction for the type of integers int introduced above? [Hint: it can be derived from the principles of induction on the component parts of the type int.]

6.35. In the proof of theorem 6.11 why is the induction over the list l and not the list m?

6.36. Complete the proofs which were only sketched in the text.

6.37. State and prove the theorem corresponding to theorem 6.16 for the operator foldr rather than fold.

6.38. Give a formal derivation of the function

sublists' : [A] ⇒ (nel [A])

6.39. Explain why the original definition of maxsub has quadratic complexity and why the final one is linear.


6.8 Imperative Programming

Our programming focus has been functional in the development so far. Can similar techniques be brought to bear on imperative programs? The full answer to this is a topic of current research, but a partially positive answer can be given, via an identification of a particular class of functional programs, the tail recursive functions, with imperative programs.

Definition 6.19 A function is tail recursive if its definition takes the form

f a1 ... an    ≡df f (g_{1,1} ā) ... (g_{1,n} ā)    if c_1 ā
               ≡df ...                                if ...
               ≡df f (g_{k,1} ā) ... (g_{k,n} ā)    if c_k ā
               ≡df h ā                                if not

where ā denotes the sequence a1 ... an, and each of the functions c_1, ..., c_k, g_1, ..., g_k and h does not mention f.

First note that these functions are called tail recursive since the only recursive calls the right hand sides make to f are in the tail of the code, after evaluating all the function arguments (assuming applicative order evaluation of the code, of course). Why should these functions be identified with imperative programs? Take the simple case of

f a1 ... an    ≡df f (g_1 ā) ... (g_n ā)    if c ā
               ≡df h ā                        if not

If the condition c ā is true, we make a recursive call which transforms the argument a_i to g_i ā; if not we return the result h ā. Rephrasing this slightly, while the condition c ā is true, we perform the parallel assignment

a1, ..., an := (g_1 ā), ..., (g_n ā)

and so in an imperative pseudo-code we have

while c ā do
    a1, ..., an := (g_1 ā), ..., (g_n ā);
return h ā;

To illustrate the point, there follows a tail recursive version of the factorial function

fac n            ≡df tfac n 1
tfac 0 p         ≡df p
tfac (n + 1) p   ≡df tfac n ((n + 1) * p)

This is not an isolated phenomenon; every primitive recursive function can be given a tail recursive definition using the function tprim

tprim : N ⇒ C ⇒ (N ⇒ C ⇒ C) ⇒ N ⇒ C ⇒ C
tprim n c f 0 v          ≡df v
tprim n c f (m + 1) v    ≡df tprim n c f m (f (n − m − 1) v)    if (m < n)
                         ≡df v                                   if not

where we assert that for all n, c and f,

prim n c f = tprim n c f n c

The idea of the transformation is that the last argument starts off at c, which is prim 0 c f, and is transformed by the successive application of f 0, f 1, ... into prim 1 c f, prim 2 c f, .... The result is a corollary of the following theorem.

Theorem 6.20 For all n, c, f and m ≤ n,

tprim n c f (n − m) (prim m c f) = prim n c f

Proof: The proof is by induction over the difference n − m which is non-negative by hypothesis. The base case is that of n − m = 0. In that case

tprim n c f (n − m) (prim m c f)
= tprim n c f 0 (prim n c f)
= (prim n c f)

the second equality being an immediate consequence of the definition of tprim. At the induction step, suppose that n − m = p + 1 and that the result holds for a difference of p.

tprim n c f (n − m) (prim m c f)
= tprim n c f (p + 1) (prim m c f)
= tprim n c f p (f m (prim m c f))
= tprim n c f p (prim (m + 1) c f)

By the induction hypothesis, since n − (m + 1) = p,

= prim n c f

which completes the induction step and the proof itself. □

Corollary 6.21 For all n, c and f,

tprim n c f n c = prim n c f

Proof: Take m = 0 in the theorem. □

Note that in the action of tprim the first three arguments are not modified in the recursive calls; they act as parameters or constants of the program, and no storage locations need to be allocated to them; the other two parameters do of course need to be allotted space.

The corollary justifies the transformation of any primitive recursive function into a tail recursive one, and thus into an imperative form. We can prove similar theorems for the other recursion operators in the system, so a functional program can form an intermediate step in the development of an imperative program, as long as the imperative target language can support all the higher order data types of TT. In the case that it cannot, other coding techniques can be found, but the correspondence is less direct.

If we take any imperative program there will be a functional form for it, in which the only recursion is tail recursion. However that tail recursion may not be formalizable in TT, since it may lead to non-termination. If we can supply a proof of termination for the imperative program, and the proof can be formalised in first-order arithmetic (see section 5.11), then there will be an equivalent of the program in TT.
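The passage from prim to tprim and on to the while-loop of the pseudo-code, as an added Python example (not the book's code): prim is the primitive recursion operator, tprim follows the equations of the text with the counter written as m rather than m + 1, prim_loop is the same tail recursion read as the parallel-assignment loop, and theorem 6.20 is checked for every m ≤ n on a sample f. The function names are this example's own.

```python
from typing import Callable, TypeVar

C = TypeVar("C")


def prim(n: int, c: C, f: Callable[[int, C], C]) -> C:
    """Primitive recursion: prim 0 c f = c ; prim (n+1) c f = f n (prim n c f)."""
    return c if n == 0 else f(n - 1, prim(n - 1, c, f))


def tprim(n: int, c: C, f: Callable[[int, C], C], m: int, v: C) -> C:
    """tprim of the text; the recursive call is the whole result, so no work is pending."""
    if m == 0:                                # tprim n c f 0 v = v
        return v
    if m - 1 < n:                             # the case (m+1) with the guard m < n
        return tprim(n, c, f, m - 1, f(n - m, v))   # f (n - (m-1) - 1) v = f (n - m) v
    return v                                  # the 'if not' case


def prim_loop(n: int, c: C, f: Callable[[int, C], C]) -> C:
    """tprim n c f n c as the imperative pseudo-code of the text: n, c, f are
    unmodified parameters; only the pair (m, v) needs storage."""
    m, v = n, c
    while m != 0 and m - 1 < n:               # the condition c ā of the tail recursion
        m, v = m - 1, f(n - m, v)             # parallel assignment; the old m is used on the right
    return v                                  # h ā


def fac(n: int) -> int:
    """Factorial as prim n 1 f with f m v = (m+1) * v, the step of the text's tfac."""
    return prim(n, 1, lambda m, v: (m + 1) * v)


def tfac(n: int, p: int = 1) -> int:
    """The tail recursive factorial of the text: tfac 0 p = p ; tfac (n+1) p = tfac n ((n+1) * p)."""
    return p if n == 0 else tfac(n - 1, n * p)


def theorem_6_20_holds(n: int, c: C, f: Callable[[int, C], C]) -> bool:
    """tprim n c f (n - m) (prim m c f) = prim n c f for every m <= n."""
    return all(tprim(n, c, f, n - m, prim(m, c, f)) == prim(n, c, f) for m in range(n + 1))


if __name__ == "__main__":
    step = lambda m, v: (m + 1) * v           # constructed sample f
    print(fac(5), tfac(5), prim_loop(5, 1, step), tprim(5, 1, step, 5, 1))
    print(theorem_6_20_holds(6, 1, step))
```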
Exercises

6.40. Give tail recursive forms of the recursion operators over lists and trees.

6.41. Comment on the space efficiency of the tail recursive form of the factorial function. Does your observation depend upon the form of evaluation chosen for terms of TT?

6.9 Examples in the literature

This section provides a survey of examples in the published literature of proof and program development in theories similar to TT. Many of the examples use the subset type; we shall discuss this and its relevance to program development in the chapter to come, which contains examples of new concepts as they are introduced.

6.9.1 Martin-Löf

In Martin-Löf's work there are few examples. The extensional version of the theory, [ML85], contains a proof of the axiom of choice,

(∀x : A). (∃y : B). C  ⇒  (∃f : (∀x : A). B). (∀x : A). C[(f x)/y]

which involves the strong existential elimination rule, (∃E), in an essential way. As well as a proof of the axiom of choice, the Padova notes [ML84] contain small examples but nothing large-scale. Martin-Löf's notes on constructive mathematics, [ML70], contain examples of mathematical proofs developed from a constructive standpoint, but it is fair to say that they bear little formal relation to proofs in TT.

6.9.2 Göteborg

A source of many examples is the Programming Methodology Group at the University of Göteborg and Chalmers University of Technology, in Sweden. In [Dyb87] type theory is examined as one of a number of systems applied to the example of the derivation of an algorithm to normalise the syntactic form of propositional expressions.

Generalising the idea of a multilevel array, as used in VDL and VDM, is the type of multilevel functions, which also encompasses the types of vectors, natural numbers, lists and others. A formal presentation of this type as an addition to TT is given in [Nor85]. The types could also be developed using the W-types of TT+ but the authors argue that it is more natural to add the new rules to embody the type directly.

In [NP85] there is a discussion of how the quantifiers and dependent types of TT can be used to provide specifications of modules.

6.9.3 Backhouse et al.

Roland Backhouse and his co-workers at the Universities of Groningen and Eindhoven have written widely on the topic of type theory. We shall look at their work later when we look at extensions of the theory, but there are a number of sources we should mention now. The tutorial notes [Bac87a] contain a number of shorter examples, chosen to illustrate the system construct-by-construct. The paper [BCMS89], which introduces a number of additions, also contains useful examples, such as the Boyer-Moore majority vote algorithm and a collection of game playing operations, similar to those in [Hug90].

A substantial derivation of a parsing algorithm is given in [Chi87]. The parser is specified by the assertion

(∀w : Word). Parse w ∨ ¬Parse w

where the proposition Parse w is an assertion of the fact that the string w is a sentence of the language. Proofs of this proposition consist of showing that there is a valid parse tree for the word, as expressed by

w = spell pt

spell being the function to `spell out' the word coded by a parse tree pt. The implementation is compared with the result of an earlier effort to derive a program using the LCF system, [CM82].

6.9.4 Nuprl

Constable's group at Cornell University have concentrated on their Nuprl system, which we shall discuss in more detail in section 9.1.1 on `Implementing Mathematics', which is indeed the title of their exposition of Nuprl, [C+86a]. The system is sufficiently close to type theory for the majority of their examples to be comprehensible if not translatable. [C+86a] contains short expository examples, of course, but also develops a number of libraries of mathematical objects in Chapter 11.

Howe's thesis, [How88], gives a detailed analysis of Girard's paradox in Chapter 4. Sections 3.10 and 3.11 contain a number-theoretic example, and a saddleback search, and chapter 5 addresses the issue of reflection, which is taken up by [KC86]. The addition of partial objects to type theory is discussed in [CS87].

A more concrete application to hardware specification and verification is presented in [BdV89]. The specific component investigated is the front end of a floating point adder/subtractor.

6.9.5 Calculus of Constructions

One other system which bears a rather less close relation to TT is Huet and Coquand's Calculus of Constructions, [CH85]. An example of algorithm development is to be found in [PM87] and the extraction of programs from proofs in the calculus is examined in [PM89]. An analysis of Girard's paradox is given in [Coq86].
252 CHAPTER 6. APPLYING TYPE THEORY
Chapter 7

Augmenting Type Theory

Using type theory as a program development system has lead a number of


people to propose that new onstru ts be added to the theory. Although we
have seen that in theory the system is highly expressive, there are questions
of whether it expresses what is required in either a natural or an eÆ ient
way. This hapter ontains an a ount of the proposals on erning ways in
whi h the system may be augmented.
An important point whi h should be made before we embark is that
ea h of the additions, whilst arguably adding to the power of the system
in some way, also makes it more ompli ated, either from a user's point of
view, or for foundational reasons, su h as the loss of strong normalisation.
We shall dis uss the pros and ons of ea h proposal se tion-by-se tion, and
shall in the on lusion to the book have something more to say on the topi .
Central to the proposals is the notion of a subset type, distin t from the
existential type, whose members are simply those elements of the base type
with the required property, rather than su h obje ts paired with a witness
to that property. To set the dis ussion in its proper ontext, we begin in
se tion 7.1 by looking at the exa t nature of spe i ations, a topi we rst
examined when we looked at the ase study of the Polish National Flag.
What pre isely are spe i ations in type theory has been the subje t of
some onfusion in the literature; we hope to have to lari ed the issue here.
Another general topi onne ted with the introdu tion of the subset type
is that of omputational relevan e: some parts of expressions seem to have a
purely logi al role, rather than ontributing to the result of a omputational
pro ess. We dis uss two approa hes to apturing this intuition, and also
look at how it is linked with lazy evaluation. Naturally, any argument
about omputational relevan e or eÆ ien y an only be ondu ted relative
to some evaluation s heme, and we argue that many of the reasons advan ed

253
254 CHAPTER 7. AUGMENTING TYPE THEORY

for a more ompli ated type system in view of omputational eÆ ien y are
irrelevant in ase the system is implemented using lazy evaluation.
After this ba kground dis ussion, in se tion 7.2 we introdu e the nave
de nition of the subset type, and examine some of its theoreti al draw-
ba ks. As we said above, mu h of the motivation for subsets is to a hieve
a separation between logi al and omputational aspe ts of type theory; in
se tion 7.3 we look at how subsets an properly be expressed only in a
system in whi h propositions and types are no longer identi ed.
We give a review of the proposals in se tion 7.4 where we argue that
all the examples of subsets in the literature an be handled quite smoothly
within T T , without re ourse to the new type. This is a hieved by a lazy
implementation together with a judi ious hoi e of types in spe i ations:
we hoose to spe ify a fun tion by asserting its existen e rather than by
a 89-formula, for instan e. We provide a number of general and on rete
examples by way of illustration.
The primitive type forming operation, W , onstru ts free data types,
whilst there are examples in whi h an abstra t obje t an best be repre-
sented by a olle tion of on rete items: a set represented as a list is one
ase. To reason and program most simply with su h a type it is argued that
a quotient type, onsisting of equivalen e lasses, be formed. We examine
two variants of this idea in se tion 7.5.
An important appli ation area for onstru tive mathemati s is real anal-
ysis. Se tion 7.6 gives the beginnings of a treatment of the topi , and also
serves as a ase study in whi h to examine the utility of the subset and
quotient type.
Various infeli ities have been shown in the rules for elimination | the
following se tion examines proposals to over ome these by means of the
strong elimination rules. A generalisation of these, the polymorphic types
of Backhouse et al. are also introduced. It is interesting to observe that
an addition of this sort can lead to a term which has no normal form
and indeed no weak head normal form: a genuine non-termination is thus
present in the augmented system. This perhaps underlines the fact that
`reasonable' additions to a system made in an ad hoc way can lead to
unforeseen circumstances, and that we should make quite certain that any
addition we make does not destroy something more important than it adds.

As we saw in the last chapter, recursions can be coded in type theory
only in terms of the primitives provided. The most general form of terminating
recursion is called well-founded recursion. We first look at what this
is in a set-theoretic context in section 7.8, and then in the following section
we look at two different ways that well-founded recursion can be added
to type theory. The general mechanism provided derives once-and-for-all
the principles of which particular cases, like quicksort, were derived in the
course of the proof developments of the last chapter.

A different approach again is to provide new methods of defining types,
together with definition mechanisms. Equivalent to well-founded recursion
we can add types defined by a general principle of induction, which we do in
section 7.10. We discuss the relation between these types and the W types
of TT, and argue that the latter can be used to provide a representation of
the former.

A novel idea, at least from the programming point of view, is to define
the co-inductive types, which are the largest solutions of certain type
equations. If we solve the equation characterising lists, then the smallest
solution contains simply the finite elements, whilst the largest contains infinite
elements also. The presence of infinite lists is not a surprise to the lazy
functional programmer, but remarkable is the absence of partial lists. We
show how a general scheme of co-induction is introduced, and then examine
in more detail the type of infinite lists or streams. In this context it is
interesting to note that if we use infinite lists as models for communications
between communicating processes (à la Kahn and MacQueen) then in type
theory we can be sure that if a recursion is possible it gives a completely
defined list, ruling out the possibility of deadlock.

Consistency of TT as a logical system will be lost if partial objects are
permitted to inhabit every type, since then the undefined element will be
a member of each type, which from a logical point of view means that
every theorem is provable. There are other ways for partial objects to be
added, however: a proposal for the incorporation of a representation of
such objects is given in section 7.12. This is done without sacrificing the
Curry Howard isomorphism or the consistency of the logical system.

The proposals thus far are general, but another kind of extension is
possible. Martin-Löf has always stressed the open-endedness of the system,
and in the final section we look at how a particular kind of object, the semi-group,
can be modelled by adding a set of new rules governing its behaviour.
We contrast this approach with that of forming an explicit model of the type
within the theory. Naturally, this approach is not limited to semi-groups
but can be used in any particular application area.

7.1 Background

This section explores some of the background to the introduction of the
subset type into TT, before we go on to discuss exactly how this might be
done, and indeed whether it is necessary.
7.1.1 What is a specification?

We first examined this question in section 6.6 above in the particular context
of the Polish National Flag problem. Here we reconsider it from a
more general point of view.

The judgement a : A can be thought of as expressing `a proves the
proposition A' and `a is an object of type A', but it has also been proposed,
in [ML85, PS85] for example, that it be read as saying

    a is a program which meets the specification A    (†)

This interpretation does not apply in general to every judgement a : A.
Take for instance the case of a function f which sorts lists; this has type
[A] ⇒ [A], and so,

    f : [A] ⇒ [A]

Should we therefore say that it meets the specification [A] ⇒ [A]? It
does, but then so do the identity and the reverse functions! The type of
a function is but one aspect of its specification, which should describe the
relation between its input and output. This characterisation takes the form

    The result (f l) is ordered and a permutation of the list l

for which we will write S(f). To assert that the specification can be met
by some implementation, we write

    (∃x:[A] ⇒ [A]).S(x)

What form do objects of this type take? They are pairs (f, p) with f :
[A] ⇒ [A] and p a proof that f has the property S(f). The confusion in
(†) is thus that the object a consists not only of the program meeting the
specification, but also of the proof that it meets that specification.

In the light of the discussion above, it seems sensible to suggest that
we conceive of specifications as statements (∃o:T).P, and that the formal
assertion

    (o, p) : (∃o:T).P

be interpreted as saying

    The object o, of type T, is shown to meet the specification P by
    the proof object p.

an interpretation which combines the logical and programming interpretations
of the language in an elegant way. This would be obvious to a
constructivist, who would argue that we can only assert (†) if we have the
appropriate evidence, namely the proof object.

In developing a proof of the formula (∃o:T).P we construct a pair consisting
of an object of type T and a proof that the object has the property
P. Such a pair keeps separate the computational and logical aspects of the
development, so that we can extract directly the computational part simply
by choosing the first element of the pair.

There is a variation on this theme, mentioned in [NPS90] and examined
in section 6.6, which suggests that a specification of a function should be
of the form

    (∀x:A).(∃y:B).P(x, y)    (7.1)

Elements of this type are functions F so that for all x : A,

    F x : (∃y:B).P(x, y)

and each of these values will be a pair (y_x, p_x) with

    y_x : B  and  p_x : P(x, y)

The pair consists of value and proof information, showing that under this
approach the program and its verification are inextricably mixed. It has
been argued that the only way to achieve this separation is to replace
the inner existential type with a subset type, which removes the proof
information p_x. This can be done, but the intermingling can be avoided
without augmenting the system. We simply have to give the intended
function a name. That such a naming can be achieved in general is a
simple consequence of the axiom of choice, which states that

    (∀x:A).(∃y:B).P(x, y) ⇒ (∃f:A ⇒ B).(∀x:A).P(x, f x)

and applying modus ponens to this and (7.1) we deduce an `existential'
specification as above. Note that the converse implication to that of the
axiom of choice is easily derivable, making the two forms of the specification
logically equivalent.

The equivalent specifications can be thought of as suggesting different
program development methods: using the ∃∀ form, we develop the function
and its proof as separate entities, either separately or together, whilst in
the ∀∃ form we extract a function from a proof, post hoc.
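The two directions of the axiom of choice just described, written out as terms in Lean 4 as an added illustration that is not part of the book: the existential type (∃y:B).P(x,y) is rendered as a dependent pair with a Prop-valued P, and the specification biggerSpec is a constructed instance introduced here, not one from the text.

```lean
-- Added example (Lean 4); not from the book. Propositions P are taken as Prop-valued
-- relations and the existential type (∃y:B).P(x,y) as the dependent pair (y : B) ×' P x y.

-- The ∀∃ form (7.1): for each x a pair of a value y and a proof of P x y.
abbrev ForallExists (A B : Type) (P : A → B → Prop) :=
  (x : A) → (y : B) ×' P x y

-- The ∃∀ form: a named function f together with one proof about all of its outputs.
abbrev ExistsForall (A B : Type) (P : A → B → Prop) :=
  (f : A → B) ×' ((x : A) → P x (f x))

-- The axiom of choice: Skolemize by taking first components pointwise; the
-- proof side is the second components, kept separate from the program.
def choice {A B : Type} {P : A → B → Prop} (h : ForallExists A B P) :
    ExistsForall A B P :=
  ⟨fun x => (h x).1, fun x => (h x).2⟩

-- The converse, which the text notes is easily derivable: re-bundle pointwise.
def choiceConverse {A B : Type} {P : A → B → Prop} (h : ExistsForall A B P) :
    ForallExists A B P :=
  fun x => ⟨h.1 x, h.2 x⟩

-- A constructed specification (assumed, not one from the book): every n has a larger m.
def biggerSpec : ForallExists Nat Nat (fun n m => n < m) :=
  fun n => ⟨n + 1, Nat.lt_succ_self n⟩

-- Extracting the program is just the first projection of the Skolemized form ...
def bigger : Nat → Nat := (choice biggerSpec).1

-- ... and the proof that it meets the specification is the second.
theorem bigger_spec (n : Nat) : n < bigger n := (choice biggerSpec).2 n

example : bigger 3 = 4 := rfl
```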
This analysis of specifications makes it clear that when we seek a program
to meet a specification, we look for the first component of a member
of an existential type; the second proves that the program meets the
constraint part of the specification. As long as we realise this, it seems
irrelevant whether or not our system includes a type of first components,
which is what the subset type consists of. There are other arguments for
the introduction of a subset type, which we review now.
Exercises

7.1. How would you specify the operations + and × over the natural numbers
N? In general, how would you specify functions whose natural specifications
are their primitive recursive definitions?

7.2. How would you specify the head and tail functions, ++, and the length
and sorting functions over lists?

7.3. When we discussed quicksort, we specified permutation by means of
the predicate perm, which used the equality function eq_N over the type N.
Give a definition of permutation which does not depend upon the existence
of an equality function and which can therefore be used over any type of
lists.

7.4. Discuss ways in which specifications can be made modular, using the
universal and existential quantifiers.

7.1.2 Computational Irrelevance; Lazy Evaluation

Recall our discussion in section 6.1 of the `head' function over lists. It is
defined only over those lists which have a head, the non-empty lists, where
we say

    (nelist A) ≡df (∃l:[A]).(nonempty l)

where the predicate nonempty has the inductive definition

    nonempty [ ]      ≡df ⊥
    nonempty (a :: x) ≡df ⊤

and the head function, hd, itself is given by

    hd : (nelist A) ⇒ A
    hd ([ ], p)      ≡df abort_A p
    hd ((a :: x), p) ≡df a

(This is formalised in TT by a list induction over the first component of a
variable of the existential type.) Given an application

    hd ((2 :: ...), ...)

computation to 2 can proceed with no information about the elided portions.
In particular, the proof information is not necessary for the process
of computation to proceed in such a case. Nonetheless, the proof information
is crucial in showing that the application is properly typed; we cannot
apply the function to a bare list, as that list might be empty. There is
thus a tension between what are usually thought of as the dynamic and
static parts of the language. In particular it is thought that if no separation
is achieved, then the efficiency of programs will be impaired by the
welter of irrelevant information which they carry around; see section 3.4
of [BCMS89] and section 10.3 (page 213) of [C+86a].

Any conclusion about the efficiency of an object or program is predicated
on the evaluation mechanism for the system under consideration, and we
now argue that a lazy or outermost-first strategy has the advantage of not
evaluating the computationally irrelevant, a topic we first discussed at the
end of section 6.2.

Recalling the results of section 5.6, since the system is strongly normalising,
any sequence of reductions will lead us to a result. Since we also
have the Church Rosser property, every reduction sequence leads to the
same result. We can therefore choose how expressions are to be evaluated.

There are two obvious choices. Strict evaluation is the norm for imperative
languages and many functional languages (Standard ML, [Har86], is
an example). Under this discipline, in an application like

    f a_1 ... a_n

the arguments a_i are evaluated fully before the whole expression is evaluated.
In such a situation, if an argument a_k is computationally irrelevant,
then its evaluation will degrade the efficiency of the program. The alternative,
normal order evaluation, is to begin evaluation of the whole
expression, prior to argument evaluation: if the value of an argument is
unnecessary, then it is not evaluated.

Definition 7.1 Evaluation in which we always choose the leftmost outermost
redex (c.f. definition 2.13) is called normal order evaluation. If in
addition we ensure that no redex is evaluated more than once we call the
evaluation lazy.

In a language with structured data such as pairs and lists, there is a
further clause to the definition: when an argument is evaluated it need
not be evaluated to normal form; it is only evaluated to the extent that
is necessary for computation to proceed. This will usually imply that it
is evaluated to weak head normal form. This means that, for example,
an argument of type A ∧ B will be reduced to a pair (a, b), with the sub-expressions
a and b as yet unevaluated. These may or may not be evaluated
in subsequent computation.

Recent research has shown that efficient lazy implementations of functional
languages like Miranda are feasible, and there is every reason that
the same techniques could be used for an implementation of TT. It would
take us away from our theme to go into this any further; the interested
reader can consult the book [Pey87] which is an excellent introduction to
the topic.

Under lazy evaluation computationally irrelevant objects or components
of structured objects will simply be ignored, and so no additional computational
overhead is imposed. Indeed, it can be argued that the proper
definition of computational relevance would be that which chose just that
portion of an expression which is used in calculating a result under a lazy
evaluation discipline.

There is another possible approach to computational relevance, and that
involves an examination of the different forms that types (i.e. propositions)
can take.

Since there are no closed normal forms in ⊥ and there is only the trivial
Triv in ⊤, computation of objects of these types will never be important.
What is of importance is whether the type is inhabited or not in any particular
case. This is exactly the role played by these types in the definition
of the head function hd, where we should recall that

    nelist A ≡df (∃l:[A]).(nonempty l)

with

    nonempty : [A] ⇒ U_0
    nonempty [ ]      ≡df ⊥
    nonempty (a :: x) ≡df ⊤

An application of hd to a list l is only possible if we can pair l with a
proof p that l is nonempty; the proof will contribute nothing to further
evaluation, rather it ensures (through the type system of the language)
that the application is to a non-empty list.
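The definitions of nonempty, nelist and hd above, transcribed into Lean 4 as an added example rather than the book's own formalisation: ⊥ and ⊤ are rendered as Empty and Unit, the names NEList and sample are introduced here, and the two final checks make the point of this section, namely that the head is computed by definitional unfolding without the proof component ever being inspected.

```lean
-- Added example (Lean 4); not the book's formalisation. ⊥ is rendered as Empty (no closed
-- proofs) and ⊤ as Unit (the single trivial proof Triv), propositions being read as types.

-- nonempty : [A] ⇒ U_0
def nonempty {A : Type} : List A → Type
  | []     => Empty   -- nonempty [ ]      ≡df ⊥
  | _ :: _ => Unit    -- nonempty (a :: x) ≡df ⊤

-- (nelist A) ≡df (∃l:[A]).(nonempty l): a list paired with a proof that it is non-empty.
abbrev NEList (A : Type) := (l : List A) × nonempty l

-- hd : (nelist A) ⇒ A
def hd {A : Type} : NEList A → A
  | ⟨[], p⟩     => Empty.elim p   -- abort_A p: a proof of ⊥ can never be supplied
  | ⟨a :: _, _⟩ => a              -- the proof component is not even inspected

-- Computational irrelevance: for any tail x and any proof p, hd ((a :: x), p) reduces
-- to a by definitional unfolding alone, so a lazy evaluator never touches p (exercise 7.5).
theorem hd_cons {A : Type} (a : A) (x : List A) (p : nonempty (a :: x)) :
    hd ⟨a :: x, p⟩ = a := rfl

-- The proof is still needed for typing: hd applied to the bare list [2, 3] is rejected,
-- whereas pairing the list with the trivial proof () of nonempty [2, 3] is accepted.
def sample : NEList Nat := ⟨[2, 3], ()⟩

example : hd sample = 2 := rfl
```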
It can be argued that this sort of computational irrelevance is preserved
when combinations are taken using the connectives ∧, ⇒ and ∀. A different
perspective on the topic in the context of the extensional theory of [ML85]
is given in section 3.4 of [BCMS89].
Exercises

7.5. Compute the result of the expression hd ((2 :: a), b) using the lazy
evaluation strategy discussed above.

7.6. Discuss why combination of formulas by the connectives ∧, ⇒ and ∀
should preserve computational irrelevance.

7.7. Examine the examples of the previous chapter to find cases of computational
irrelevance.

7.2 The subset type

How should we represent the collection of objects of type A with the property
B? According to the principle of complete presentation, we would form
the type

    (∃x:A).B

consisting of pairs of objects and the proofs that they have the property
B. This is how we have dealt with the type so far in this exposition. An
alternative approach is to build the `subset' type

    {x:A | B}

whose members consist of those a in A which have the property B[a/x],
i.e. those for which the type B[a/x] is inhabited. This has the consequence
that we lose the uniqueness of types in the system TT; an object a will be
a member of the type {x:A | B} for every B which is a property of a.

What are the formal rules for the subset type? The rules we give now
are those first proposed in [NP83], and used in [C+86a], page 167, and
[BCMS89], section 3.4.2. Formation is completely standard

Formation Rule for Set

                   [x:A]
                     ⋮
    A is a type   B is a type
    ------------------------- (SetF)
      {x:A | B} is a type

and objects are introduced as we described above,

Introduction Rule for Set

    a : A   p : B[a/x]
    ------------------ (SetI)
      a : {x:A | B}

How should a set be eliminated? If we know that a : {x:A | B} then
we certainly know that a : A, but also that B[a/x]. What we don't have
is a specific proof that B[a/x], so how could we encapsulate this? We
can modify the existential elimination rule (∃E) so that the hypothetical
judgement c : C is derived assuming some y : B[a/x], but that c and C
cannot depend upon this y. We use the fact that B[a/x] is provable, but
we cannot depend on the proof y itself:

Elimination Rule for Set

                      [x:A, y:B]
                          ⋮
    a : {x:A | B}     c(x) : C(x)
    ----------------------------- (SetE)
            c(a) : C(a)

Since no new operator is added by the elimination rule, there is no computation
rule for the subset type. We should note that this makes these rules
different from the others in type theory. This is also evident from the fact
that they fail to satisfy the inversion principle of section 8.4.

We shall write TT_0^S for the system TT_0 with the above rules for subsets
added. How are TT_0 and TT_0^S related? The following theorems are proved
in [Chi88a].

Theorem 7.2 From a derivation d in TT_0^S of the judgement p : (∃x:A).B
a derivation of

    fst p : {x:A | B}

from the same set of assumptions can be constructed.

Proof: Use the rule (SetI). □

Theorem 7.3 If in TT_0^S we can derive p : {x:A | B} from the assumptions
Γ, then from this derivation we can, for some q : B, construct a derivation
in TT_0 of

    (p, q) : (∃x:A).B

from the assumptions Γ'. The assumptions Γ' result from Γ by replacing
assumptions of the form y : {y:C | D} by y : C, y' : D where y' is chosen
to be a new variable.

Proof: The proof is by induction over the size of the derivation of the
judgement p : {x:A | B}; details can be found in [Chi88a]. □

Neither of these results should be a surprise. The first simply uses
subset introduction, whilst the second shows that if we are able to derive
membership of a subset type then implicit in that derivation is a proof that
the element has the property required of it. Examining the derivation allows
us to extract that proof object. On the other hand, Smith and Salvesen
show by an elaboration of Martin-Löf's normalisation proof (in section 5.6
and [ML75b]) that

Theorem 7.4 If the judgement

    t : (∀x:{z:A | P(z)}).P(x)    (7.2)

is derivable in TT_0^S, and A and P do not contain the subset type, then for
some term t',

    t' : (∀x:A).P(x)    (7.3)

can be derived.

Proof: See [SS89]. □

This shows that the rules for subsets are very weak. In the judgement
(7.2) the term t witnesses the property P of the objects in the subset type.
The result says that we can only extract this information when (7.3) is
derivable, in other words when all the elements of the type A have the
property P! Wherein lies the weakness of the rules for subset? Examining
the rule (SetE), we should look at the hypothesis

    x:A, y:B
       ⋮
    c(x) : C(x)

We are allowed to use the assumption y : B, but y cannot occur free in c
or C. Examining the rules for TT_0, if any of the rules contains a variable
free in an undischarged hypothesis, then this variable will appear free in
the conclusion. In other words, if we use the assumption, and it is not
discharged, then it will appear free in the conclusion.

The theorem shows that many functions are not derivable in TT_0^S. Looking
first at lists, suppose that we can derive functions

    head' : {l:[A] | nonempty l} ⇒ A
    tail' : {l:[A] | nonempty l} ⇒ [A]

with the property that for a non-empty list l

    l = (head' l :: tail' l)

From this we can construct a proof of (nonempty l). This is the hypothesis
(7.2) and so we can infer

    (∀l:[A]).(nonempty l)

resulting in a contradiction.
7.2.1 The extensional theory

The case of the extensional theory, [ML85], is different, since the proof
rule (IE_ext) (introduced on page 170) together with the rule (II) allow the
derivation of r(a) : I(A, a, b) from e : I(A, a, b) for any expression e. Since
r(a) is a constant, this results in a proof object of type I(A, a, b) containing
no free variables. This in turn makes it possible to give a derivation of
a proof object which contains a number of variables in its hypotheses, yet
with these variables not appearing free in the proof object: this condition is
exactly what is required for the application of the rule (SetE). In [Sal89a]
there is a derivation of

    (∀x:[N]).(∀n:{z:N | (z in x)}).(n in x)

where (n in x) is the inductively defined proposition expressing that n is a
member of the list x. This derivation is by no means straightforward, using
the type U_0 and the type substitution rule in an essential way, but this is
not an isolated phenomenon.

Definition 7.5 A formula P over A is stable if

    (∀x:A).(¬¬P ⇒ P)

Salvesen and Smith show that for all stable formulas,

    (∀x:{z:A | P(z)}).P(x)

is derivable in the extensional version of type theory.

A syntactic characterisation of (some of) the stable formulas was first
given by Harrop in [Har60], and similar characterisations of computationally
irrelevant formulas can be found in [BCMS89]. (Note that as is remarked
in [Sal89a] it is more difficult to recognise the stable formulas when
universes are present, as non-normal type expressions can be introduced
with the aid of a universe.) The result on stable formulas is in some sense
the best possible, as it is also shown in [SS89] that (∀x:{z:A | P(z)}).P(x)
cannot be proved for all formulas. Their proof is based on an idea of Troelstra's
for the refutation of Church's Thesis in an extensional context.

This limitation has led to a re-evaluation of the subset type by the
Göteborg group, with a different approach being adopted. We look at this
in section 7.3 below.
Exercises

7.8. Complete the proof of theorem 7.3 above.

7.9. Formalise the argument above that the existence of the head' and tail'
functions leads to an inconsistency.

7.10. Can the functions head' and tail' be defined in the extensional version
of type theory discussed above?

7.11. Show that the propositions N, N_n, are stable, and that if equality
over A is formally decidable then x =_A y is stable. Show that if A and B
are stable, then so are A ∧ B, A ⇒ B and (∀x:A).B.

7.12. Give examples of formulas which are not stable using disjunction and
existential quantification.

7.3 Propositions not types

Immediately after introducing the rules for subsets in section 7.2 we saw in
theorem 7.4 that they were unsatisfactory. The question remains of how to
improve the representation of subsets in type theories. The proposed resolutions
all involve a representation of propositions as distinct from types.
There is intuitive sense in this; prima facie the user of a logic is interested
in establishing judgements of the form

    A is true

rather than in showing that a particular proof object makes the proposition
true.

7.3.1 `Squash' types

The first approach to representing the proposition is to consider the `squash'
type, defined in [C+86a] to be

    ‖A‖ ≡df {t:⊤ | A}

which will be inhabited by the object Triv if and only if there is some proof
object a : A. It is called the squash type, as all the information about the
proof is `squashed' out of it. We should ask whether the judgement

    Triv : ‖A‖

gives a reasonable representation of the judgement `A is true'. What would
this entail? We would expect that all the rules of constructive logic, as
presented in TT_0 say, would remain true when judgements of the form b : B
are replaced by others stating B is true. For example, we should have

    A is true   B is true
    --------------------- (7.4)
        A ∧ B is true

This we can prove. Suppose that we assume, in accordance with (SetE),

    x:⊤, p:A

and

    y:⊤, q:B

From these we can infer (p, q) : (A ∧ B), and so by the law (SetI),

    Triv : {t:⊤ | A ∧ B}

a judgement in which neither p nor q is free. This means that by subset
elimination twice, we have the same result on the assumption

    Triv : {t:⊤ | A}, Triv : {t:⊤ | B}

which is precisely (7.4).

This programme comes to grief when we try to prove that

            [x:A]
              ⋮
         B(x) is true
    ----------------------- (7.5)
    (∀x:A).B(x) is true

as it is not difficult to show that a derivation of this will contradict theorem 7.4;
see [Sal89a, Section 3]. Intuitively we might argue that knowing that B is
true at each instance is not sufficient to establish in a uniform way that it
is true universally. This is the only rule for which the criterion fails, but it
shows that a different approach must be adopted if we are to find a proper
representation of the judgement A is true in type theory.

7.3.2 The subset theory

If the representation of the judgement is to be an improvement on TT, as
far as subsets are concerned, it is desirable that the system validates the
rule

                     [x:A, P is true]
                           ⋮
    a : {x:A | P}      Q(x) is true
    ------------------------------- (SetE')
             Q(a) is true

which has the consequence, setting P and Q the same, that

    a : {x:A | P}
    -------------
    P(a) is true

For this to be valid, we need to move to a system in which propositions
and types are distinct, for we cannot have this rule if P is a type, as seen
by theorem 7.4.

In [NPS90] the Göteborg group, `following ideas of Martin-Löf', have
introduced a system called the subset theory in which the new judgements

    P prop   and   P is true

are added to the system, together with a set of logical connectives, distinct
from the type forming operations introduced in their extensional version
of TT. Their system uses the names Π, +, Σ, ... for the type forming operations,
reserving ∧, ∨, ∀, ... for the operations on propositions. They
introduce the rules, which looking at the example of the logical ∀, state

               [x:A]                      [x:A]
                 ⋮                          ⋮
    A prop   P(x) prop                 P(x) is true
    ---------------------        -----------------------
     (∀x:A).P(x) prop            (∀x:A).P(x) is true

    (∀x:A).P(x) is true   a : A
    ---------------------------
           P(a) is true

As well as this, they give the following rules for subsets,

              [x:A]
                ⋮
    A is a type   P(x) prop          a : A   P(a) is true
    -----------------------          --------------------
      {x:A | P(x)} prop                a : {x:A | P(x)}

                          [x:A, P(x) is true]
                                  ⋮
    a : {x:A | P(x)}          c(x) : C(x)
    -------------------------------------
                 c(a) : C(a)

                          [x:A, P(x) is true]
                                  ⋮
    a : {x:A | P(x)}          Q(x) is true
    --------------------------------------
                 Q(a) is true

There are two elimination rules for subsets: the first for types, as previously,
and the second for propositions, which is (SetE'), the rule we wanted to be
valid. These rules can be seen to satisfy the inversion principle of 8.4.

An elegant aspect of the subset theory is its justification. It can be
given an interpretation in the `basic' type theory, an extensional version of
TT along the lines of [ML85], thus:

Types are pairs A, A' in the basic theory, where A is a type in the theory,
and A' a predicate over A.

Propositions in the new theory are propositions, i.e. types in the old theory,
which may of course contain quantifications over the new types,
and so not all propositions of the old theory are propositions of the
new. The interpretation is defined construct-by-construct.

Under this interpretation, all the rules for the propositions are derivable in
the basic system, so that the consistency of the basic system lifts to the
subset theory.

7.3.3 Gödel Interpretation

A second representation of propositions as distinct from types is given by
[Sal89a, Section 4]. Motivated by the results on Harrop formulas in [SS89],
propositions are interpreted as a certain subclass of types, arising by means
of the Gödel double negation interpretation of classical logic in intuitionistic
logic; see [Dum77] for details. Informally, the interpretation is given by
prefacing each existential quantification, disjunction and equality type by
¬¬, weakening its constructive content. We can derive rules similar to those
above including (SetE'), as well as the classical

        A prop
    ----------------
    A ∨ ¬A is true

which requires a derivation of ¬¬(A ∨ ¬A) in TT.
Exercises

7.13. Give the proof-less version of (NE), and show that if we use the
judgement Triv : ‖A‖ to represent A is true, this version of the rule is
valid.

7.14. Show how the validity of (7.5) contradicts theorem 7.4.

7.15. Derive the result ¬¬(A ∨ ¬A) in TT_0.

7.4 Are subsets necessary?

Is the introduction of a subset type necessary for a usable proof and program
development system? We began this discussion in section 7.1, where we saw
that the major argument for its introduction was to provide some means
of separating (to some degree) the computational and logical aspects of the
system from each other. This is ironic, as one of the most appealing aspects
of type theory is its identification of propositions and types, proofs and
programs, but it was argued that it was necessary for two major reasons.

• Specifications and functions are made more complicated by the presence
  of proof theoretic information. It is argued in [NPS90], page 125,
  that the inhabitants of a type like

      (∀x:A).(∃y:B).P(x, y)

  should be functions which solve the problem of finding, for each a
  in A, an element b of B with the property P(a, b). This is not the
  case, since for each a we will have a pair (b, p_b) consisting of such a b
  together with a proof that it indeed has the required property. Using
  the subset type,

      (∀x:A).{y:B | P(x, y)}

  we obtain a function giving only the b without the witnessing information.

• In general, the development of many well-known functions, like quicksort
  in section 6.2, involves the introduction of proof information into
  the functions, and this will have a deleterious effect on the evaluation
  efficiency of the function, compared to a `purely computational'
  version.

Any discussion of efficiency, like the latter point above, rests on the implementation
envisaged, and we would argue, as we did in section 7.1.2, that a
lazy implementation of type theory will result in only the computationally
relevant information being evaluated. Now we examine the first argument
in more detail.

The idea is that we should be able to separate from a complex derivation
exactly the part which is computationally relevant, and that this is to be
done by replacing some occurrences of existential types by subset types,
from which the witnessing information is absent. We would propose an
alternative which we believe is superior for two reasons:

• it is a solution which requires no addition to the system of type theory,
  and

• it allows for more delicate distinctions between proof and computation.

The solution is simply to name the appropriate operations and objects
sought, which in the case cited above involves us in invoking the axiom of
choice to change the specification to

    (∃f:A ⇒ B).(∀x:A).P(x, (f x))

Now, inhabitants of this type are pairs, (f, p), which are the function sought
together with a proof that it has the required property. Giving this function
an explicit name, which is known as Skolemizing the quantifiers in a logical
context, has resulted in a specification which expresses more naturally what
is required. This method applies to more complex specifications as well.

Take as an example a simplification of the specification of the Polish/Dutch
national flag problem as given in [NPS90]. We now show how it
may be written without the subset type. The original specification has the
form

    (∀x:A).{y:{y':B | C(y')} | P(x, y)}

with the intention that for each a we find b in the subset {y':B | C(y')} of
B with the property P(a, b). If we replace the subsets by existential types,
we have

    (∀x:A).(∃y:(∃y':B).C(y')).P(x, y)

This is logically equivalent to

    (∀x:A).(∃y:B).(C(y) ∧ P(x, y))    (7.6)

and by the axiom of choice to

    (∃f:A ⇒ B).(∀x:A).(C(f x) ∧ P(x, (f x)))

which is inhabited by functions together with proofs of their correctness.
It can be argued that this expresses in a clear way what was rather more
implicit in the specification based on sets: the formation of an existential
type bundles together data and proof, and the transformation to (7.6) makes
explicit the unbundling process.

As a final example, consider a problem in which we are asked to produce
for each a in A with the property D(a) some b with the property P(a, b).
There is an important question of whether the b depends just upon the a,
or upon both the a and the proof that it has the property D(a). In the
latter case we could write the specification thus:

    (∀x:(∃x':A).D(x')).(∃y:B).P(x, y)

and Skolemize to give

    (∃f:(∃x':A).D(x') ⇒ B).(∀x:(∃x':A).D(x')).P(x, (f x))

If we use the Curry equivalence, first proved in section 4.6.1, page 93, which
replaces existential quantifiers in the domain position of a function type,
we have

    (∃f:(∀z:A).(D(z) ⇒ B)).(∀x':A).(∀p:D(x')).P((x', p), (f x' p))

which makes manifest the functional dependence required. Observe that
we could indeed have written this formal specification directly on the basis
of the informal version from which we started.

If we do not wish the object sought to depend upon the proof of the
property D, we can write the following specification:

    (∃f:A ⇒ B).(∀x':A).(∀p:D(x')).P((x', p), (f x'))    (7.7)

in which it is plain that the object (f x') in B is not dependent on the proof
object p : D(x'). Observe that there is still dependence of the property P
on the proof p; if we were to use a subset type to express the specification,
thus, we would have something of the form

    (∀x':{x':A | D(x')}).(∃y:B).P'(x', y)

where the property P'(x', y) relates x' : A and y : B. This is equivalent to
the specification

    (∃f:A ⇒ B).(∀x':A).(∀p:D(x')).P'(x', (f x'))

in which the property P' must not mention the proof object p, so that with
our more explicit approach we have been able to express the specification
(7.7) which cannot be expressed under the naive subset discipline.
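The Curry equivalence and specification (7.7) above, as an added Lean 4 example that is not from the book: the names DPair, SpecBundled, SpecCurried and SpecProofFree are introduced here, D and P are left as arbitrary Prop-valued parameters, and the conversion functions are the terms that witness the transformations described in the text.

```lean
-- Added example (Lean 4); not from the book. DPair, SpecBundled, SpecCurried and
-- SpecProofFree are names introduced here; D and P are arbitrary Prop-valued properties.

-- The domain type (∃x':A).D(x'): an object of A paired with a proof that it has property D.
abbrev DPair (A : Type) (D : A → Prop) := (x' : A) ×' D x'

-- Before the Curry equivalence: (∃f:(∃x':A).D(x') ⇒ B).(∀x:(∃x':A).D(x')).P(x, f x)
abbrev SpecBundled (A B : Type) (D : A → Prop) (P : DPair A D → B → Prop) :=
  (f : DPair A D → B) ×' ((x : DPair A D) → P x (f x))

-- After: (∃f:(∀z:A).(D(z) ⇒ B)).(∀x':A).(∀p:D(x')).P((x',p), f x' p)
abbrev SpecCurried (A B : Type) (D : A → Prop) (P : DPair A D → B → Prop) :=
  (g : (z : A) → D z → B) ×' ((x' : A) → (p : D x') → P ⟨x', p⟩ (g x' p))

-- Specification (7.7): the object f x' may not depend on the proof p of D(x').
abbrev SpecProofFree (A B : Type) (D : A → Prop) (P : DPair A D → B → Prop) :=
  (f : A → B) ×' ((x' : A) → (p : D x') → P ⟨x', p⟩ (f x'))

-- One direction of the Curry equivalence: split the pair argument into two.
def curryDomain {A B : Type} {D : A → Prop} {P : DPair A D → B → Prop}
    (h : SpecBundled A B D P) : SpecCurried A B D P :=
  ⟨fun z d => h.1 ⟨z, d⟩, fun x' p => h.2 ⟨x', p⟩⟩

-- The other direction: re-bundle the two arguments into the pair.
def uncurryDomain {A B : Type} {D : A → Prop} {P : DPair A D → B → Prop}
    (h : SpecCurried A B D P) : SpecBundled A B D P :=
  ⟨fun x => h.1 x.1 x.2, fun ⟨x', p⟩ => h.2 x' p⟩

-- (7.7) is the stronger form: a proof-free solution is in particular a curried one,
-- obtained by ignoring the proof argument; nothing forces the converse, since g may
-- use p to compute its result.
def proofFreeToCurried {A B : Type} {D : A → Prop} {P : DPair A D → B → Prop}
    (h : SpecProofFree A B D P) : SpecCurried A B D P :=
  ⟨fun z _ => h.1 z, fun x' p => h.2 x' p⟩
```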
It is instructive to examine examples from the literature in which the
subset type has been used. We have already discussed the Polish flag problem;
a second example is the parsing algorithm of [Chi87]. In fact we find
that in Chisholm's derivation of the parsing algorithm, the subset type is
not used in an essential way: the solution is presented as a member of the
type

    (∀w:Word).(Parse w) ∨ ¬(Parse w)

where

    Parse w ≡df {pt:PT | w = spell pt}

the function spell giving the word spelt out by the parse tree pt which is a
member of the algebraic type PT of parse trees. The subset type is used
nowhere else in the derivation, and it is used here only because the proof
object for w = spell pt can be ignored `because it has no computational
content'. It makes no difference to the derivation to replace the set by

    (∃pt:PT).(w = spell pt)

which carries the proof objects explicitly. Our remarks in section 7.1.2
would apply as far as the efficiency of the final algorithm is concerned.

As a final example, consider the problem of finding a root of a function.
It is argued, in [C+86a] section 2.4 for example, that the natural
specification for such a function is

    (∀f:{f:N ⇒ N | (∃n:N).(f n) = 0}).((∃n:N).(f n) = 0)

which might be read `given a function for which a root exists, we can find
a root'. It is a simple consequence of theorem 7.4 that the existence of an
object of this type leads to a contradiction.

In any case, this specification seems to miss the point about root finding.
The sort of algorithms we find used in practice are those embodied by
theorems of the form

    (∀f:N ⇒ N).(C(f) ⇒ (∃n:N).(f n) = 0)

which we would read `if f satisfies the condition C(f) then we can find
a root'. Many of the most important and difficult theorems of number
theory and numerical analysis are precisely theorems of this kind, from
which algorithms are derived. In contrast, the specification above begs the
question of where the proof of existence of the root comes from.

To summarise, there are two responses to the computationally irrelevant.
We can first ignore it, exploiting lazy evaluation. The second expedient
is to transform the specification so that the computation and verification
are separated. We did this above by a simple series of transformations; in
general, simply naming the function we aim to compute and writing the
specification and derivation in terms of that function can achieve the desired
effect. This approach seems to achieve the separation between the
logical and the computational to the appropriate degree, without introducing
the subset type. We have found no example in the literature which is
not amenable to this kind of treatment.

Using the subset type to represent a subset brings problems; as we saw
in the previous section, it is not possible in general to recover the witnessing
information from a subset type, espe ially in an intensional system like T T ,
and so in these ases, the existential type should be used, retaining the
witnessing information.
7.5 Quotient or Congruence Types

An important tool for the programmer and the mathematician is the capability to define an equality relation over a class of objects. For instance, in this account we stipulated that we would consider as the same two expressions which differ only in their bound variables. In a program we might choose to represent finite sets by finite lists, by taking as equal those lists which have the same elements, irrespective of their multiplicity or ordering. In both cases we can be seen to define a new type by taking the quotient of a type by an equivalence relation (a relation which is reflexive, symmetric and transitive).

These types are a part of the Nuprl system, [C+86a], and a variant of them, congruence types, appears in the type theory of [BCMS89]. We start with an exposition of the quotient type adapted to the context of $TT$, and then compare it with the congruence type. Because of the number of hypotheses in the following rule, we write them in a vertical list.

Formation Rule for $A /\!/ E_{x,y}$
$$\frac{\begin{array}{l}
A \text{ is a type} \\
x : A,\ y : A \vdash E \text{ is a type} \\
x : A \vdash r : E[x/x, x/y] \\
x : A,\ y : A,\ r : E \vdash s : E[y/x, x/y] \\
x : A,\ y : A,\ z : A,\ r : E,\ s : E[y/x, z/y] \vdash t : E[x/x, z/y]
\end{array}}{A /\!/ E_{x,y} \text{ is a type}}\ (QF)$$
In this rule we have written hypothetical judgements such as
$$\begin{array}{c} [x : A,\ y : A] \\ \vdots \\ E \text{ is a type} \end{array}$$
in the horizontal form
$$x : A,\ y : A \vdash E \text{ is a type}$$
In each case the hypotheses to the left of the `$\vdash$' are discharged by the application of the rule.

In forming the type, we have to verify that the predicate is an equivalence relation; that is the purpose of the final three premisses of the rule. We use the subscript $x, y$ to indicate that it is these two variables, free in $E$, which are bound by the type construct. When no confusion can result, they will be omitted.

The introduction rule breaks unicity of typing. An alternative would be to `tag' variables in some way to indicate to which type they belong.

Introduction Rule for $A /\!/ E_{x,y}$
$$\frac{a : A}{a : A /\!/ E_{x,y}}\ (QI)$$

If we define a function over a quotient type, then the value on equivalent elements has to be equal; otherwise the function is not well-defined, giving different values when different representatives of the same equivalence class are chosen. The elimination rule for the quotient type, which is the rule introducing functions over the type, must reflect this.

In eliminating an element of a quotient type, we behave in the same way as for an element of type $A$, producing some object $c(x) : C(x)$, except that for the elimination to be well-defined, $c$ should give the same values for equivalent elements. This gives an extra hypothesis in the rule.

Elimination Rule for $A /\!/ E_{x,y}$
$$\frac{a : A /\!/ E_{x,y} \qquad x : A \vdash c(x) : C(x) \qquad x : A,\ y : A,\ p : E \vdash t : I(C(x), c(x), c(y))}{c(a) : C(a)}\ (QE)$$

There is no separate computation rule for the quotient type, but there is a rule indicating that equivalent elements are deemed to be equal, so making the equivalence relation the equality over the type.

Equality rule for $A /\!/ E_{x,y}$
$$\frac{a : A \qquad b : A \qquad p : E[a/x, b/y]}{r(a) : I(A /\!/ E_{x,y}, a, b)}\ (Q=)$$

This has the effect of allowing equivalent elements to be substituted for equivalents in any context involving elements of the type $A /\!/ E_{x,y}$, and so it is by this rule that the new equality is defined on the type. Given the judgement $r(a) : I(A /\!/ E_{x,y}, a, b)$ we can substitute $b$ for $a$ in any context where $a$ is considered to be of type $A /\!/ E_{x,y}$; such contexts are of course restricted to those where these substitutions can be performed safely. Note that it is not asserted that the type $I(A, a, b)$ is inhabited, so that we cannot substitute $b$ for $a$ in every context.

If it is thought confusing that $a$ has both the type $A$ and the type $A /\!/ E_{x,y}$, we could introduce a label to suggest when $a$ is being considered as an element of the quotient type. There is no inverse to this operation, in general, unless each equivalence class contains a `canonical' member, such as the representatives
$$0, 1, \ldots, k-1$$
of the equivalence classes for the relation $|x - y| \bmod k = 0$.

A typical example of a quotient type is that of the rationals, which can be represented by pairs $(n, m)$ with $n$ an integer and $m$ a positive integer. (We suggested a representation of the integers in section 6.7 above.) Two pairs are equivalent,
$$(n, m) \approx (n', m')$$
if $n \times m' = n' \times m$. The sum of two rationals $n/m$ and $p/q$ is defined to be
$$\frac{nq + pm}{mq}$$
It is an exercise for the reader to verify that this respects the relation $\approx$. Similarly, if we define the `less than' relation over the integers by analogy with the definition of $lt_2$ over $N$ in section 6.1.2, then defining
$$(n, m) \prec (n', m') \equiv_{df} (n \times m' < n' \times m)$$
the predicate is well-defined. (In the Nuprl development, [C+86a, p. 210], this is not true, because a stronger version of type equality is adopted than that here.) A definition which fails is the function
$$denom\ (n, m) \equiv_{df} m$$
but we can give a definition,
$$denom\ (n, m) \equiv_{df} m\ div\ (gcd\ n\ m)$$
based on the canonical representative $(n\ div\ g,\ m\ div\ g)$ of the rational $(n, m)$, where $g = gcd\ n\ m$.
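The rationals-as-pairs example above, worked through as an added illustration (not code from the book): the relation, the sum, the order, the failing and the corrected $denom$, and a finite check of which of them respect the relation. The sample pairs are constructed; the check is a test over that sample, not the proof object the elimination rule demands.

```python
"""Rationals as a quotient of integer pairs, following the page's example.
A pair (n, m) stands for n/m with m positive; (n, m) ~ (n', m') iff
n * m' = n' * m. A function is well-defined on the quotient only if
equivalent representatives give related results, which is spot-checked
here on a constructed sample of pairs."""
from itertools import product
from math import gcd
from operator import eq


def equiv(a, b):
    """The page's relation: (n, m) ~ (n', m') iff n * m' = n' * m."""
    (n, m), (n2, m2) = a, b
    return n * m2 == n2 * m


def add(a, b):
    """Sum of n/m and p/q is (nq + pm) / (mq)."""
    (n, m), (p, q) = a, b
    return (n * q + p * m, m * q)


def less(a, b):
    """(n, m) below (n', m') iff n * m' < n' * m; sound because m, m' > 0."""
    (n, m), (n2, m2) = a, b
    return n * m2 < n2 * m


def denom_naive(a):
    """denom (n, m) = m: NOT well-defined, it depends on the representative."""
    return a[1]


def canonical(a):
    """Canonical representative (n div g, m div g) with g = gcd n m.
    gcd(0, m) == m, so every representative of zero maps to (0, 1)."""
    n, m = a
    g = gcd(n, m)
    return (n // g, m // g)


def denom(a):
    """denom (n, m) = m div (gcd n m): reads off the canonical representative."""
    return canonical(a)[1]


def well_defined(fn, sample, arity, same_result):
    """Does fn respect ~ on the sample? For every two argument tuples that
    are componentwise equivalent, the results must satisfy same_result."""
    for args in product(sample, repeat=arity):
        for args2 in product(sample, repeat=arity):
            if all(equiv(x, y) for x, y in zip(args, args2)):
                if not same_result(fn(*args), fn(*args2)):
                    return False
    return True


# Constructed sample: several representatives each of 1/2, -1/3, 0 and 3.
SAMPLE = [(1, 2), (2, 4), (3, 6), (-1, 3), (-2, 6), (0, 1), (0, 5), (3, 1), (6, 2)]


def report():
    """Which of the page's definitions survive the well-definedness check."""
    return {
        "add": well_defined(add, SAMPLE, 2, equiv),
        "less": well_defined(less, SAMPLE, 2, eq),
        "denom_naive": well_defined(denom_naive, SAMPLE, 1, eq),
        "denom": well_defined(denom, SAMPLE, 1, eq),
    }


if __name__ == "__main__":
    print(report())
```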
A second example is given by the extensional equality of section 5.8. In that section we described `$\approx$' as a partial equivalence relation, since it is not in general reflexive. It will be reflexive on the domain consisting of those functions which are themselves extensional. The substitution check in the elimination rule for the type means that we only perform substitutions in what we called extensional propositions. An advantage of our approach there is that we have a syntactic criterion for extensionality of propositions which obviates the necessity of checking the conditions time after time. We shall look at a further example in the following section on congruence types.

What is the advantage of the quotient type over a simple definition of an equivalence relation with which we work explicitly? The major one is to carry over the rules for substitution etc. to the equivalence relation, when the formula in which the substitution is being made is insensitive to the representative of the equivalence class chosen. We examine the real numbers as a further case study in section 7.6.

7.5.1 Congruence types

A similar construction is given in the paper [BCMS89], where they call it the congruence type construction. When introducing a (free) algebraic type, such as that of finite lists, we introduce the constructors $[\,]$ and $::$, and the objects built from these are distinct unless they are identical. If we want to represent finite bags, we might choose finite lists as a representation, but we shall identify two lists which contain the same elements in different orders. This identification is an equivalence relation, and so we could just write down the equivalence relation and form the quotient type as above. The approach of congruence types is slightly different, as we can simply state that the equation
$$a \triangleright b \triangleright x = b \triangleright a \triangleright x \qquad (7.8)$$
should hold for all $a$, $b$ and $x$, where $\triangleright$ is the (infix) list constructor for this type. The requirement (7.8) is considerably simpler to express than the explicit form for the equivalence relation generated by that equation, and the property of respecting such an equation, as is required in the elimination rule, is also easier to express. Apart from this the rules for such algebraic types are exactly as for the quotient type.

Can we express a general quotient $A /\!/ E_{x,y}$ by these means? We can indeed, by means of the trivial constructor, $\star$ say. We have the formation rule
$$Star_E\,A \text{ is a type}$$
and the introduction rule
$$\frac{a : A}{\star a : Star_E\,A}$$
In eliminating the type, we have
$$\frac{s : Star_E\,A \qquad a : A \vdash c(a) : C(\star a) \qquad x : A,\ y : A,\ p : E \vdash t : I(C(\star x), c(x), c(y))}{\star elim_x(c, s) : C(s)}$$
with the computation rule
$$\star elim_x(c, \star a) \to c(a)$$
We have simply replaced the equation with a general requirement that the formula introduced by the elimination respects the relation $E$. One advantage of the approach here is that the elements are `tagged' with the constructor `$\star$', so that we can distinguish between an object $a : A$ and its equivalence class $\star a$ in the congruence type.

The example of the type of binary numerals implemented as a congruence type appears in [BCMS89, Section 5].

This method is similar to the idea of laws in early versions of the Miranda language; on introducing an algebraic type by means of its constructors, the user was allowed to write down rewrite rules which would be applied to any expression of the type. To implement the type of ordered lists, one was allowed to write

Ocons a (Ocons b x) => Ocons b (Ocons a x) , if a>b

which would swap any pairs which were out of order. This is more limited than the general type theoretic construct, both because the language in which the equivalences could be written was much simpler, and also because each of the rules had to be oriented, so that rewriting would only take place in one direction. Further details of the types and the techniques available to reason about them can be found in [Tho86, Tho90].

As a coda to this discussion, we should mention [Chi88b], in which it is shown that the subset type can be used to advantage with the congruence type, reducing the proof burden which arises in checking the conditions for the elimination rule. The author shows the difference between the derivations of the cardinality function over types of finite sets implemented with and without using the subset construct. The example chosen is one in which the equivalence classes under the equivalence relation fail to have canonical members, and it is in this sort of example that the advantage is most marked.

Exercises

7.16. Complete the arguments that $+$ and $\times$ are well-defined over the rationals.

7.17. How would you define the division function over the rationals?

7.18. Give an explicit definition of the equivalence relation generated by the equation (7.8).

7.6 Case Study - The Real Numbers

Nowhere is the difference between classical and constructive mathematics more evident than in the treatment of the real numbers and real analysis. The classical mathematician is happy to treat the reals as equivalence classes of convergent (or Cauchy) sequences of rationals, choosing arbitrary representatives of equivalence classes when necessary. He or she is also accustomed to using non-constructive principles such as that which states that every increasing sequence of rationals has a least upper bound, which as we saw in chapter 3 numbers the law of the excluded middle amongst its consequences. Attention is paid to computation only in numerical analysis, which can only use the results of classical analysis in a most indirect manner.

In a constructive setting we can define the reals to be convergent sequences of rational numbers (written $Q$). We define $Real_C$ to be the type
$$(\exists s : N \Rightarrow Q).(\exists m : Q \Rightarrow N).(\forall q : Q).(\forall n : N).(q > 0 \wedge n > (m\, q) \Rightarrow |s_n - s_{(m\, q)}| \le q)$$
where we have used the subscript $s_n$ instead of a function application for readability. What are elements of this type? They have the form
$$(s, (m, p))$$
where $s$ is a sequence, $m$ is a modulus of continuity for $s$ and $p$ is a proof of this fact, which is an element of
$$(\forall q : Q).(\forall n : N).(q > 0 \wedge n > (m\, q) \Rightarrow |s_n - s_{(m\, q)}| \le q)$$
In computing with reals, this latter proof information will be computationally irrelevant, but nonetheless has to be dealt with: as we define new reals, that is a new sequence and its modulus of continuity, we are forced to show that the latter is indeed a modulus function.

There is a slightly more streamlined approach which has been adopted in [BB85] amongst other places. We can take the sequences which have a fixed modulus of continuity, the regular sequences, and write
$$Real \equiv_{df} (\exists s : Seq).Reg(s)$$
where $Seq \equiv_{df} (N \Rightarrow Q)$ and
$$Reg(s) \equiv_{df} (\forall m, n : N).\left(|s_n - s_m| \le \frac{1}{m+1} + \frac{1}{n+1}\right)$$
Elements of this type will be pairs
$$(s, p)$$
with $s$ a sequence and $p$ a proof that $s$ is regular. As we said earlier, the information $p$ is computationally irrelevant.

How can addition be defined? Given two reals $(s, p)$ and $(t, q)$ we can define a sum sequence thus:
$$x_n \equiv_{df} s_{2n+1} + t_{2n+1}$$
but we also need proof that this sequence is regular. Note that
$$\begin{array}{rcl}
|x_n - x_m| & = & |s_{2n+1} + t_{2n+1} - s_{2m+1} - t_{2m+1}| \\
& \le & |s_{2n+1} - s_{2m+1}| + |t_{2n+1} - t_{2m+1}|
\end{array}$$
and using the proofs $p$ and $q$ we have that this is
$$\begin{array}{rcl}
& \le & \dfrac{1}{2m+1+1} + \dfrac{1}{2n+1+1} + \dfrac{1}{2m+1+1} + \dfrac{1}{2n+1+1} \\[1ex]
& = & \dfrac{1}{m+1} + \dfrac{1}{n+1}
\end{array}$$
From this we can build an object $v$ which proves that $x$ is regular, giving a real $(x, v)$. This has been an informal development, but it is not hard to see that we can on the basis of this write a function $add_0$ of type
$$Real \Rightarrow Real \Rightarrow Real$$
This definition mixes the computationally relevant with the irrelevant, and we can in fact write, following Bishop, a version $add$ of type
$$(\exists f : (Seq \Rightarrow Seq \Rightarrow Seq)).(\forall s, t : Seq).(Reg(s) \wedge Reg(t) \Rightarrow Reg(f\, s\, t))$$
whose members consist of a (sequence) function of type $Seq \Rightarrow Seq \Rightarrow Seq$ together with a verification that it preserves regularity. We shall write $addS$ for the sequence function defined above. We can develop other arithmetic operations in a similar way. We have used our earlier strategy of naming functions appropriately rather than using a subset type. Other approaches, such as that in section 11.5 of [C+86b], define the reals thus:
$$RealSet \equiv_{df} \{ s : Seq \mid Reg(s) \}$$
In this context it seems more appropriate to use our approach, which makes explicit the proofs, yet which separates them from the computational operations over sequences.

Each number on the real line has an infinite number of representatives in the type $Real$. Consider zero for instance: it is represented by the constant zero sequence, as well as by the sequence
$$z_n \equiv_{df} \frac{1}{k + 2n + 3}$$
for each natural number $k$. We say that two reals $(s, p)$ and $(t, q)$ are equal if the following type is inhabited
$$Eq(s, t) \equiv_{df} (\forall n : N).\left(|s_n - t_n| \le \frac{1}{2n+1}\right)$$
Note that this definition depends only upon $s$ and $t$ and not on the proof information $p$ and $q$.

We leave it as an exercise for the reader to prove that this equality is an equivalence relation over the type $Real$. It is not difficult to see that each of the representatives of zero above is equal, and to see that the definition of addition above respects equality, so that the following type is inhabited.
$$Eq(s, s') \wedge Eq(t, t') \Rightarrow Eq(addS\ s\ t,\ addS\ s'\ t')$$
As $Eq$ is an equivalence relation over $Real$, it seems sensible to investigate the quotient $Real_q \equiv_{df} Real /\!/ Eq_{s,t}$. We have already seen that addition respects the relation $Eq$, so we can define a version of addition
$$add_q : Real_q \Rightarrow Real_q \Rightarrow Real_q$$
In many applications we need to select a particular representative sequence for a real. A classic example is to select, given a real $r$ and a positive rational $x$, a rational within a distance $x$ of $r$. This is trivial given a particular representative sequence, but the rational chosen will depend upon the particular sequence, different sequences giving different approximations. This means that for a general treatment of the reals we need to use the type $Real$; as is remarked in [C+86b], the type $Real_q$ can provide a useful framework for substitution if nothing else.
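The regular-sequence definitions of this section, worked through as an added illustration (not the book's or Bishop's code): $Reg$, $addS$ with its index doubling, $Eq$, the representatives of zero, and the selection of a rational within $x$ of a real, which visibly depends on the representative. The sequences are constructed; $Reg$ and $Eq$ are spot-checked over a finite range of indices, which is a test and not the proof object $p$ that the type $Real$ carries.

```python
"""Regular sequences of rationals as constructive reals, following the
page's definitions. A sequence is a function from naturals to Fractions;
regularity and equality are checked on a finite range of indices only."""
from fractions import Fraction as Q
from math import isqrt


def regular(s, bound=40):
    """Reg(s): |s_n - s_m| <= 1/(m+1) + 1/(n+1), checked for all m, n < bound."""
    return all(abs(s(n) - s(m)) <= Q(1, m + 1) + Q(1, n + 1)
               for n in range(bound) for m in range(bound))


def add_s(s, t):
    """addS: x_n = s_{2n+1} + t_{2n+1}. Doubling the index is what makes the
    sum regular again: the two bounds 1/(2n+2) from s and t sum to 1/(n+1)."""
    return lambda n: s(2 * n + 1) + t(2 * n + 1)


def eq(s, t, bound=40):
    """Eq(s, t): |s_n - t_n| <= 1/(2n+1), checked for all n < bound."""
    return all(abs(s(n) - t(n)) <= Q(1, 2 * n + 1) for n in range(bound))


def const(q):
    """The constant sequence; const(0) is the page's first representative of zero."""
    return lambda n: Q(q)


def zero_rep(k):
    """The page's other representatives of zero: z_n = 1/(k + 2n + 3)."""
    return lambda n: Q(1, k + 2 * n + 3)


def root2(n):
    """A constructed regular sequence for sqrt 2: n exact decimal digits.
    |s_n - s_m| < 10^-min(n,m) <= 1/(min(n,m)+1), so Reg holds."""
    return Q(isqrt(2 * 10 ** (2 * n)), 10 ** n)


def approximate(s, x):
    """A rational within the positive rational x of the real represented by s.
    By Reg, every later term s_m (m >= n) lies within 2/(n+1) of s_n, so the
    least n with 2/(n+1) <= x gives a term within x of the real. The answer
    depends on the representative s, as the page remarks."""
    x = Q(x)
    n = 0
    while Q(2, n + 1) > x:
        n += 1
    return s(n)


def root2_within(x):
    """Is the chosen approximation really within x of sqrt 2? (compare squares)"""
    x = Q(x)
    r = approximate(root2, x)
    return (r - x) ** 2 < 2 < (r + x) ** 2


if __name__ == "__main__":
    print(regular(root2), eq(zero_rep(4), const(0)))
    # Two representatives of zero give two different approximations to zero.
    print(approximate(zero_rep(0), "1/10"), approximate(const(0), "1/10"))
```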
It is no surprise that our constructive approach to the reals is quite different from a classical one, focusing as it does on convergent sequences of rationals. When we compute with `real numbers' we do precisely this; it is only in the idealised framework of classical mathematics that we are able to deal with infinitary objects like equivalence classes of infinite sequences. For further material we would refer the reader to [C+86b], on which we have relied here, which develops the theory a little further, and of course to [BB85], which gives a re-development of much of classical analysis in a rigorous but informal way.

Exercises

7.19. Show that equality as defined above is an equivalence relation, and give definitions of subtraction, absolute value and multiplication which respect this relation.

7.20. How would you define equality and the arithmetic operations over the type of Cauchy reals, $Real_C$? How would you separate the computational from the proof theoretic in making these definitions?

7.21. Give definitions of convergence of sequences of reals, and so of continuity of functions, and using this give a proof of theorem 3.2, the constructive intermediate value theorem.

7.7 Strengthened rules; polymorphism

Experienced users of type theoretic systems, such as Roy Dyckhoff, the Cornell group and Backhouse and his co-workers, have noticed that a number of proofs seem to contain steps which, though necessary, seem less than `intuitive'. After examining an example of this, we look at Dyckhoff's strong elimination rules and Backhouse's `hypothetical hypotheses', a topic to which we return in 8.4. We conclude with a discussion of the polymorphic type $A \mapsto B$ defined in [MC88], which can be seen to generalise the other rules introduced in this section.

7.7.1 An Example

In [Dyc87] the example of the proof of
$$(\exists z : A \vee B).P(z) \Rightarrow ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y)) \qquad (7.9)$$
is cited as the motivation for a re-examination of the rules of type theory. How does the proof proceed? Working top-down we assume
$$p : (\exists z : A \vee B).P(z)$$
and aim to show that the consequent of the implication above is inhabited. We have an existential assumption, which is used by means of the rule $(\exists E)$. We should therefore try to prove
$$((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$
on the basis of the assumptions
$$z : A \vee B,\quad r : P(z) \qquad (7.10)$$
To use the disjunctive assumption $z : A \vee B$, we would like to reason in the two cases that $z$ is in the left and right hand sides of the sum; we cannot do this as the variable $z$ is free in the second assumption. In order to be able to perform the case analysis, we have to make this extra assumption a part of the goal: we make it the hypothesis of an implication, so we aim to prove
$$Q(z) \equiv_{df} P(z) \Rightarrow ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$
from the single assumption that $z : A \vee B$. This proceeds thus (each line follows from the one above by the rule named on its right):
$$\begin{array}{ll}
x : A \qquad [q : P(inl\ x)]^1 & \\
(x, q) : (\exists x : A).P(inl\ x) & (\exists I) \\
inl\,(x, q) : ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y)) & (\vee I) \\
\lambda q . inl\,(x, q) : Q(inl\ x) & (\Rightarrow I)^1
\end{array}$$
By a similar argument we show that $\lambda s . inr\,(y, s)$ is a member of $Q(inr\ y)$, and so by $(\vee E'')$,
$$v \equiv_{df} vcases''_{x,y}\ z\ (\lambda q . inl\,(x, q))\ (\lambda s . inr\,(y, s))$$
is a member of
$$P(z) \Rightarrow ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$
assuming that $z : A \vee B$. Also assuming $r : P(z)$, we have
$$v\ r : ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$
and by a final application of $(\exists E)$,
$$Cases_{x,y}\ p\ (v\ r) : ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$

Commentators have argued that the abstractions $\lambda q . \ldots$, $\lambda s . \ldots$ in the term $v$ and the application of this term to the proof $r$ are spurious, as they arise only from our need to transfer the assumption $p : P(z)$ into the goal so that the case analysis on $z$ takes effect.

It would be preferable when we perform a case analysis on the $z$ in 7.10 for that case analysis to percolate through to the other assumptions which depend upon it, to give the two sets of assumptions
$$x : A,\ p : P(inl\ x) \qquad \text{and} \qquad y : B,\ p : P(inr\ y)$$
It is essentially this which is achieved by the strong rule of [Dyc87], which we present now.
7.7.2 Strong and Hypothetical Rules

The stronger version of the elimination rule for disjunction is
$$\frac{p : (A \vee B) \qquad x : A,\ r : (p = inl\ x) \vdash u : C[inl\ x/z] \qquad y : B,\ r : (p = inr\ y) \vdash v : C[inr\ y/z]}{decide_{x,y}\ p\ u\ v : C[p/z]}\ (\vee SE)$$
with the computation rules
$$decide_{x,y}\ (inl\ a)\ u\ v \to u[a/x]$$
$$decide_{x,y}\ (inr\ b)\ u\ v \to v[b/y]$$
The terminology `decide' is used for the operator, as this is the Nuprl terminology, [C+86a], and the Nuprl rules for the union and the existential type are indeed strong versions of the rules of $TT$.

With the extra hypotheses, it is easy to build a proof of 7.9 without the spurious abstractions and application. We start as before, from the assumptions 7.10, but now we can perform a case analysis, giving the two sets of assumptions
$$x : A,\ p : P(z),\ r : (z = inl\ x) \qquad \text{and} \qquad y : B,\ p : P(z),\ r : (z = inr\ y)$$
From the first set, we have by substitution
$$p : P(inl\ x)$$
giving in a direct fashion first
$$(x, p) : (\exists x : A).P(inl\ x)$$
and then
$$inl\,(x, p) : ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$
We derive in a similar way from the second
$$inr\,(y, p) : ((\exists x : A).P(inl\ x) \vee (\exists y : B).P(inr\ y))$$
and by an application of $(\vee E'')$ we have the required result, with no spurious abstractions.

An alternative way of expressing these stronger rules is by rules which contain `hypothetical hypotheses'. Up to now, the hypotheses of a rule have been judgements, such as $p : A \vee B$ or $u : C[inl\ x/z]$, from the derivations of which certain assumptions may be discharged on the application of the rule.

A hypothetical hypothesis should be thought of as the hypothesis that a particular judgement can be derived on the basis of certain assumptions, rather than being derivable outright. In an adaptation of Backhouse's notation, as presented in [Bac87b], where we write the hypotheses in a vertical list and we use the notation
$$\{\, J_1, \ldots, J_k \rhd J \,\}$$
for the hypothetical hypothesis that $J$ is derivable from the assumptions $J_1$ to $J_k$, the stronger rule for disjunction elimination is
$$\frac{\begin{array}{l}
p : (A \vee B) \\
\{\, v : (A \vee B),\ w : C \rhd E \text{ is a type} \,\} \\
\{\, x : A,\ w : C[inl\ x/w] \rhd b : E[inl\ x/w] \,\} \\
\{\, y : B,\ w : C[inr\ y/w] \rhd c : E[inr\ y/w] \,\}
\end{array}}{\{\, w : C[a/w] \rhd when_{x,y}\ a\ b\ c : E[a/w] \,\}}\ (\vee EH)$$
The rules of computation for $when$ are exactly the same as those for $vcases$ and $decide$. More details on this material can be found in [MC88], and we shall have more to say in general about derivations containing hypothetical hypotheses in section 8.4 below.

The elimination rules for all constructs can be given a hypothetical form; some details of this are to be found in [SM87], where it is argued that their use leads to more compact proof objects, for reasons similar to those which improved the proof above. One slightly unsatisfactory point about the rules is the case of inductively defined types, like lists, where the rules are less general than might be hoped (if consistency is to be preserved!). In the next section we look at an alternative approach.


7.7.3 Polymorphic types

Another case in which spurious abstractions and applications appear is that of the head function over lists. Even if we work in a theory like the subset theory of section 7.3, although the type of the function can be specified to be
$$\{ l : [A] \mid l \neq [\,] \} \Rightarrow A \qquad (7.11)$$
the best that can be done is to derive a function of type
$$(\forall l : [A]).(l \neq [\,]) \Rightarrow A$$
which is equivalent to the type using the existential representation of the set of non-empty lists. Again, as in the earlier example, the problem is how to incorporate information about an argument without making that information (in this case the proof that the list is non-empty) an extra argument of the function.

A new class of polymorphic types, which can be used to overcome this problem, is defined in section 3.4.3 of [BCMS89].

The non-dependent polymorphic type $A \mapsto B$ is characterised by the rules
$$\frac{x : A \vdash b : B}{b : A \mapsto B}\ (\mapsto I) \qquad\qquad \frac{b : A \mapsto B \qquad a : A}{b : B}\ (\mapsto E)$$
where in the introduction rule neither $b$ nor $B$ contains the variable $x$. $b$ is thought of as a polymorphic constant, as although it depends upon the assumption $x : A$, the value of $b$ is independent of the value of $x$.

In an extensional system, like that of [ML85], it is possible to derive that
$$head\ l : (l \neq [\,]) \mapsto A \qquad (7.12)$$
and then by the elimination rule,
$$head\ l : A$$
This technique can be used to derive the stronger rules of elimination of [Dyc87] as well.

7.7.4 Non-termination

There are consequences of introducing the polymorphic type $A \mapsto B$ in an extensional system. It is well-known that not every term of [ML85] has a normal form, as we can derive
$$(\lambda p : \bot).((\lambda x . xx)(\lambda x . xx)) : \bot \Rightarrow A \qquad (7.13)$$
for any type $A$. This is because, assuming that $p : \bot$, we can deduce that
$$r : I(U_n, A, A \Rightarrow A)$$
and then
$$A \leftrightarrow (A \Rightarrow A)$$
Using substitution of types, from $x : A$ we can deduce that $x : (A \Rightarrow A)$ and so that
$$(xx) : A$$
Further deductions give (7.13). On the other hand, we can show that every closed expression has a canonical value, or weak head normal form (c.f. section 2.3), so that with this weaker notion the system is terminating. If we include the polymorphic type, then there are terms without canonical form, so the system is not terminating. Take the derivation that
$$((\lambda x . xx)(\lambda x . xx)) : A$$
depending upon the assumption $p : \bot$. By $(\mapsto I)$, we have
$$((\lambda x . xx)(\lambda x . xx)) : \bot \mapsto A$$
depending upon no assumptions. This term has no canonical form, since
$$((\lambda x . xx)(\lambda x . xx)) \to e$$
if and only if $e \equiv ((\lambda x . xx)(\lambda x . xx))$.

In an intensional theory like $TT$, there is no difficulty of this kind in adding the polymorphic type, but note that the polymorphic types will contain fewer objects since, as was argued in [SS89], none of the rules of $TT$ lose mention of objects mentioned in their hypotheses.

Exercises

7.22. Give a strengthened elimination rule for the existential quantifier, and an example in which its use simplifies a proof object.

7.23. Show how the strong elimination rule for $\vee$ is a consequence of the hypothetical rule $(\vee EH)$.

7.24. Give `hypothetical' versions of the strengthened rules for $\exists$ and $N$ elimination.

7.25. Give a derivation of the judgement (7.12) and use this to show that $head$ can be given the type (7.11).

7.26. Complete the derivation of the judgement (7.13).

7.8 Well-founded re ursion


Rather than giving ompletely expli it de nitions of fun tions, or proofs of
universal propositions, we often have to use re ursion, whi h allows fun -
tions to be de ned in terms of their values at `simpler' arguments, or prop-
erties to be proved assuming that they already hold of `simpler' obje ts.
The re ursions in the system T T are stru tural, that is they are linked
to the indu tive generation of a data type like N , lists, trees and the W
types. For these types we say that the omponent parts of an obje t, su h
as the subtrees u and v of the tree
Bnode n u v
7.8. WELL-FOUNDED RECURSION 287

are simpler than the tree itself. The elimination rule for these types legit-
imises de nition by re ursion and proof by indu tion over the types. Su h
re ursions are limited, in that we limit our notion of what is simpler to a
stru tural one: omponent parts are simpler than the whole. The ques-
tion we address in this se tion is whether there is a more general notion of
`simpler than' over whi h we an make re ursive de nitions and indu tive
proofs. We shall see that indeed there is, and that some of the examples of
re ursion we have seen in hapter 6 an be ast in a more natural form in
this way.
We shall go on to look at other ways in whi h the re ursive apabilities
of the system may be in reased. In parti ular we shall also examine how
a wider lass of `indu tive' type de nitions an be added to the system,
and also how a treatment of partial fun tions an be in luded, without
breaking the important property of strong normalisation. First, however,
we examine well-founded types and re ursion.
As this se tion is intended to be an introdu tion to the idea of well-
founded re ursion, we shall use ideas and notation of nave set theory, as
dis ussed in [End77℄ for instan e, going on in the next se tion to examine
how these ideas an best be in orporated into type theory.
De nition 7.6 A binary relation  is a partial order if for all x, y, z ,
x 6 x
xy^y z )xz
We an think of x  y as expressing `x is simpler than y', as we are
ertain by the rst lause that we have no loops x  x, and in ombination
with the se ond that we have nothing of the form
xo  x1  : : :  xn  x0
However, being a partial order is insuÆ ient to guarantee that we an
perform re ursion over the ordering, and the lassi example is the relation
n  m df m < n
so that
:::n + 1  n  :::  1  0
How would a re ursion over this type work? We would have to de ne
the value at 0 in terms of the value at 1; 2; : : :. In turn, the value at 1 is
determined by values at 2; 3; : : :: never at any point do we make a start with
288 CHAPTER 7. AUGMENTING TYPE THEORY

the de nition. Consider the on rete ase of the de nition f :(N ) N ) by


`re ursion' over :
f n df f (n + 1) 1 (7.14)
The problem with this is that it does not de ne a unique fun tion, for the
fun tions fk with
fk n df n + k
are all solutions of the re ursion equation (7.14). Not only is this example
lassi , but it hara terises those orderings over whi h re ursion fails.
De nition 7.7 A partial ordering  over A is well-founded if and only
if there are no sequen es <xn>n in A so that
: : : xn+1  xn  : : :  x1  x0
Su h a sequen e is alled an in nite des ending hain.
In any ordering with an in nite des ending hain, we an reprodu e the
example above, showing that `re ursive' de nitions do not lead to unique
solutions. On the other hand, we an show that re ursive de nitions are
well-de ned over well-founded orderings.
This hara terisation of well-foundedness has lassi al equivalents whi h
are more suited to a onstru tive ontext, as they are more expli it. The
one we shall use is
Theorem 7.8 A partial ordering is well-founded if and only if it satis es
8x(8y(y  x ) y 2 z ) ) x 2 z ) ) 8x(x 2 z ) (7.15)
for all sets z .
Proof: Standard set theory; see [End77℄ for example. 2
This hara terisation legitimises proof by indu tion over the ordering.
To prove that P (x) holds for all x, we take z df fy 2 AjP (y)g so that
(7.15) reads, in rule form
8x(8y(y  x ) P (y)) ) P (x))
8xP (x)
Every partial ordering has a well-founded, or a essible, part.
De nition 7.9 The well-founded or a essible part A (A; ) of the or-
dering  over A is de ned to be
fx 2 A j :9 <xn>n su h that x  x0  : : : xn  xn+1 : : :g

Theorem 7.10 The accessible part of a partial ordering $\prec$ over $A$ is the
smallest subset $z$ of $A$ with the property that
$(\forall y (y \prec x \Rightarrow y \in z)) \Rightarrow x \in z$
Proof: As for theorem 7.8. $\Box$
Corollary 7.11 The principle of induction over $\prec$ given above holds for
$\mathcal{A}(A, \prec)$.
Theorem 7.10 shows that we can think of defining functions either by
recursion over a well-founded ordering, or by recursion over the well-founded
part of an arbitrary partial ordering. In the latter case the definition will
often be linked with a characterisation of $\mathcal{A}(A, \prec)$, so as to show that
particular arguments of interest lie within the accessible part.
How are functions defined by recursion over a well-founded ordering?
We define the value at an argument $a$ using the values at simpler arguments
$x \prec a$.
Definition 7.12 The function $f$ is defined by well-founded recursion
over the relation $\prec$ if it has the form
$f\, a =_{df} \ldots f\, a_1 \ldots f\, a_n \ldots$ (7.16)
where each $a_i \prec a$.
As an example, it is easy to see that the definition of $pow$ from section
6.1.4
$pow\ 0 =_{df} 1$
$pow\ n =_{df} (pow\ (n\ \mathit{div}\ 2))^2 \times 2^{(n\ \mathit{mod}\ 2)}$
is justified by induction over the well-founded ordering $<$ on $N$.
The formal treatment of well-founded recursion is slightly more general.
If we write $f \downarrow a$ for the function $f$ restricted to the domain
$\{ y \in A \mid y \prec a \}$
then the recursion is defined by a function $F$, taking the values so far and
$a$ itself to the value at $a$:
$F\, (f \downarrow a)\, a = f\, a$ (7.17)
This generalises course-of-values recursion: we define the value at $a$ using
the values at all the points preceding $a$ in the ordering, just as we did in
section 6.1.1 above for the natural numbers. We now argue that recursion
is well-defined over well-founded orderings.
Theorem 7.13 For every function $F$ as above, there is a unique solution
to the equation (7.17).
Proof: The proof is by induction over the relation $\prec$. $\Box$
Just to show how the formal treatment works, we look again at the $pow$
function. The function $F$ defining the recursion is given by
$F\, h\ 0 =_{df} 1$
$F\, h\ n =_{df} (h\ (n\ \mathit{div}\ 2))^2 \times 2^{(n\ \mathit{mod}\ 2)}$
where the function $h$ gives the values of the recursion on arguments smaller
than the second argument. $h$ is only applied to smaller arguments here:
in the first case it is not used, and in the second it is only applied to
$(n\ \mathit{div}\ 2) < n$ when $n > 0$. The $F$ notation is slightly cumbersome, so we
shall tend to present function definitions in the form of (7.16) above.
What examples of well-founded orderings are there? For each of the
types $A$ in $TT$ with a recursion operator we can define a well-founded
ordering $\prec_A$ which embodies that recursion. We can read off the relation
from the introduction rules, the elements of the type which appear above
the line being the immediate predecessors of those appearing below it.
For instance, for the type of trees there are two cases as there are two
introduction rules. The node $Null$ has no predecessors, and for a $Bnode$,
we have
$u \prec_1 (Bnode\ n\ u\ v) \qquad v \prec_1 (Bnode\ n\ u\ v)$
and for $n+1 > 1$,
$t \prec_{n+1} t' =_{df} \exists u (t \prec_1 u \wedge u \prec_n t')$
Finally, we say that
$t \prec t' =_{df} \exists n (t \prec_n t')$
The definition of $\prec$ specifies the formation of the transitive closure of
the immediate predecessor relation $\prec_1$.
Using the original definition of well-foundedness, it is easy to see that
there is a wealth of well-founded orderings. We summarise them now,
leaving proofs to the reader.
• The orderings induced by the introduction rules for the types $N$, $[A]$,
$tree$ and the $W$ types in general are well-founded.
• If $\prec'$ is a well-founded ordering on $B$ and $f : (A \Rightarrow B)$ then the
ordering $\prec$ on $A$ defined by
$a \prec a' =_{df} (f\, a) \prec' (f\, a')$
is well-founded. We call the ordering $\prec$ the inverse image of $\prec'$ under
$f$. An example of this is the ordering on lists given by the length
function, $\#$,
$l \prec m =_{df} \#l < \#m$
• A sub-ordering $\prec'$ of a well-founded ordering $\prec$ will be well-founded.
By a sub-ordering we mean that for all $a$, $b$,
$a \prec' b \Rightarrow a \prec b$
• Given orderings $\prec$ on $A$ and $\prec'$ on $B$, we can define a number of
well-founded orderings.
– The product ordering on $A \times B$: $(a, b) \prec (a', b')$ if and only if
$a \prec a'$ and $b \prec' b'$.
– The lexicographic product ordering on $A \times B$: $(a, b) \prec (a', b')$ if
and only if either $a \prec a'$ or $a = a'$ and $b \prec' b'$. This is called the
lexicographic ordering, as it is the way that words are ordered
in a dictionary, and indeed it can be extended to $n$-ary products
and lists in general.
– The sum ordering on $A \vee B$: for which we define
$(inl\ a) \prec (inl\ a') =_{df} a \prec a'$
$(inr\ b) \prec (inr\ b') =_{df} b \prec' b'$
with items from different sides of the sum incomparable.
Having introduced the general subject in a free-wheeling way, we must
now show how we can introduce well-founded recursion into type theory in
a suitable manner. There are a number of proposals to look at, and we do
this in the section to come.
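The recursion operator of (7.17), with the ordering check made explicit, as an added Python example (not code from the book); the names wf_rec, pow_step, msort_step, ack_step and the comparison functions are assumed for illustration. It shows the kinds of ordering just listed in use: $<$ on $N$ for $pow$, the inverse image of $<$ under the length function for a merge sort, and the lexicographic product for the Ackermann function. It also shows the operator rejecting the `recursion' (7.14), because the call on $n+1$ is not a call on a predecessor:

```python
"""Well-founded recursion as a checked operator.

Constructed example (not from the book): a recursion operator in the
spirit of (7.17) and of definition 7.14.  The step function F is given h,
the values at the predecessors of a; h(y) refuses to answer unless the
supplied relation says y is a predecessor of a, so a definition that
calls itself on a non-predecessor is rejected instead of looping.
"""


def wf_rec(less, step):
    """Return the solution f of  F (f restricted below a) a = f a.

    less(y, a) decides y < a in the ordering; step(h, a) is F and may
    call h only on arguments y with less(y, a).  Termination is guaranteed
    only if `less` really is well-founded; Python does not check that,
    whereas the type-theoretic rule does.
    """
    def rec(a):
        def h(y):
            if not less(y, a):
                raise ValueError(f"{y!r} is not a predecessor of {a!r}")
            return rec(y)
        return step(h, a)
    return rec


# 1. pow over the ordering < on N, exactly the F of the book:
#    F h 0 = 1,  F h n = (h (n div 2))^2 * 2^(n mod 2)
def pow_step(h, n):
    if n == 0:
        return 1
    return h(n // 2) ** 2 * 2 ** (n % 2)   # n div 2 < n when n > 0

pow2 = wf_rec(lambda y, x: y < x, pow_step)


# 2. Inverse image of < under the length function: l < m iff #l < #m.
#    Merge sort recurses on the two halves, each strictly shorter.
def msort_step(h, xs):
    if len(xs) <= 1:
        return list(xs)
    mid = len(xs) // 2
    left, right = h(xs[:mid]), h(xs[mid:])
    out = []
    while left and right:
        out.append(left.pop(0) if left[0] <= right[0] else right.pop(0))
    return out + left + right

msort = wf_rec(lambda l, m: len(l) < len(m), msort_step)


# 3. Lexicographic product of < with itself on N x N: Ackermann's function.
def lex_less(p, q):
    return p[0] < q[0] or (p[0] == q[0] and p[1] < q[1])

def ack_step(h, mn):
    m, n = mn
    if m == 0:
        return n + 1
    if n == 0:
        return h((m - 1, 1))             # first component decreases
    return h((m - 1, h((m, n - 1))))    # inner call: same m, smaller n

ack = wf_rec(lex_less, ack_step)


# 4. The `recursion' (7.14), f n = f (n+1) - 1, over < on N: the call on
#    n+1 is not on a predecessor, so the operator rejects it.
def rejects_non_predecessor():
    bad = wf_rec(lambda y, x: y < x, lambda h, n: h(n + 1) - 1)
    try:
        bad(0)
    except ValueError:
        return True
    return False
```

In the type-theoretic formulation of definition 7.14 the proof $r$ of $y \prec x$ is an argument, so a call on a non-predecessor is a type error; here it is a run-time check, and termination still depends on the relation actually being well-founded, which Python does not verify.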
Exercises
7.27. Show that the set $\mathcal{A}(A, \prec)$ is downwards closed, i.e. that if $y \prec x$
and $x \in \mathcal{A}(A, \prec)$ then $y \in \mathcal{A}(A, \prec)$.
7.28. Give explicit definitions of the well-founded orderings induced on lists
and on a general $W$ type by their structure.
7.29. Argue that suborderings, and the product, lexicographic product and
sum orderings are well-founded if their component orderings are.
7.30. Try to discover the orderings over which definitions in chapter 6 are
most naturally expressed. Look in particular at the examples of quicksort
and the Ackermann function.

7.9 Well-founded recursion in type theory

Having introduced the idea of well-founded recursion, here we look at how
best to add it to our system $TT$. The most straightforward idea, first
investigated in [Pau86], is to take the characterisation of well-foundedness
given by theorem 7.8, to translate it into type theory and then to ask
which orderings meet the definition. It transpires that all the well-founded
orderings mentioned in the last section can be shown to be well-founded
under the type theoretic characterisation.
A second approach, introduced in [Nor88] and developed in [SM87], is
to permit recursion along the accessible parts of any partial ordering $\prec$.
The collection of elements $\mathcal{A}(A, \prec)$ has then to be defined in some way,
and this is done by giving type theoretic rules, just as for other types. The
characterisation is unusual, in that we have to reason about the membership
relation
$b : B$
to characterise properly the class $\mathcal{A}(A, \prec)$, and so some proposition representing this judgement has to be introduced, analogous to the internal
representation of equality by `$=$'.

7.9.1 Constructing Recursion Operators

In our earlier discussion, we characterised the well-foundedness of the ordering $\prec$ by
$\forall x (\forall y (y \prec x \Rightarrow y \in z) \Rightarrow x \in z) \Rightarrow \forall x (x \in z)$ (7.18)
for all sets $z$. How can we express the quantification `for all sets $z$' in type
theory? We can think of it as expressing `for all properties $P$', where by
a property we mean a predicate over $A$. A predicate $P(z)$ over $A$ gives a
proposition $P(a)$ for every $a : A$, so we can think of a predicate as a member
of
$A \Rightarrow U_0$
(In fact, of course, there are also predicates in the larger universes $U_n$, but
we restrict ourselves to the `small' predicates in $U_0$.) As the ordering $\prec$ is
a binary relation, we can think of it as a function in $A \Rightarrow A \Rightarrow U_0$. We
shall continue to write it in infix form.
Definition 7.14 A partial ordering $\prec$ is well-founded in $TT$ if and only
if the type
$(\forall P : A \Rightarrow U_0) .$
$\quad ( (\forall x : A) . ((\forall y : A) . (y \prec x \Rightarrow P\, y) \Rightarrow P\, x)$ (7.19)
$\quad \Rightarrow (\forall x : A) . (P\, x) )$
is inhabited by an object $\omega$ satisfying
$\omega\, P\, F\, x = F\, (\lambda y . \lambda r . (\omega\, P\, F\, y))$ (7.20)
It is worth examining the premiss of the implication (7.19).
$(\forall x : A) . ((\forall y : A) . (y \prec x \Rightarrow P\, y) \Rightarrow P\, x)$
An object of this type is like the $F$ of (7.20), taking the values on the
predecessors $y$ of $x$ to the value on $x$, in $P\, x$. Given such a function, we
return a function of type $(\forall x : A) . (P\, x)$ that is defined on the whole of
$A$. Asking purely that we have an object of type (7.19) guarantees that we
have proof by induction over the type; we add the rider (7.20) to guarantee
that we can also define functions by recursion. The equation states that the
value at $x$, $\omega\, P\, F\, x$, is got by applying $F$ to the values at the predecessors
$\lambda y . \lambda r . (\omega\, P\, F\, y)$
Note that the second argument $r$ to the function is the proof that $y \prec x$.
Given the operator $\omega$ we can define functions using the syntactic form
$f\, a =_{df} \ldots f\, a_1 \ldots f\, a_n \ldots$
where each $a_i \prec a$, and we shall do this in what follows.
To show that the orderings over well-founded types such as lists, trees
and $N$ are well-founded, we have to show that the course-of-values recursion
operator is defined, where the previous values are presented in the form of
a function of type
$(\forall y : A) . (y \prec x \Rightarrow P\, y)$
rather than as a list as we did for the natural numbers in section 6.1.4.
This is not difficult to achieve, and we leave it as an exercise for the reader.
As an example derivation, we show that
Theorem 7.15 If $\prec'$ is a well-founded ordering on $B$, and $f : A \Rightarrow B$, then
the ordering $\prec$ defined on $A$ by
$y \prec x =_{df} f\, y \prec' f\, x$ (7.21)
is well-founded.
Proof: We need to construct an operator $\omega$ of type (7.19) given an operator
$\omega'$ of type
$(\forall P' : B \Rightarrow U_0) .$
$\quad ( (\forall x' : B) . ((\forall y' : B) . (y' \prec' x' \Rightarrow P'\, y') \Rightarrow P'\, x')$ (7.22)
$\quad \Rightarrow (\forall x' : B) . (P'\, x') )$
To construct an operator of function type like (7.19) we assume that we
have objects of the argument type and aim to derive an object of the range
type. We therefore assume we have
$P : A \Rightarrow U_0$
$F : (\forall x : A) . ((\forall y : A) . (y \prec x \Rightarrow P\, y) \Rightarrow P\, x)$
and try to deduce an object of type $(\forall x : A) . P\, x$. We will try to use the
operator $\omega'$ in this enterprise, and we use this by applying it to $P'$ and $F'$
of the appropriate type. How should we define $P'$? Given $f$ we say
$P'\, x' =_{df} (\forall x : A) . ( f\, x = x' \Rightarrow P\, x )$ (7.23)
saying that $P'\, x'$ holds if and only if $P$ holds for all elements of the inverse
image of $x'$. Note that if we can conclude that
$(\forall x' : B) . P'\, x'$ (7.24)
then we have in particular
$(\forall x : A) . P'\, (f\, x)$
which by (7.23) expands to
$(\forall x : A) . (\forall z : A) . ( f\, x = f\, z \Rightarrow P\, x )$
implying $(\forall x : A) . (P\, x)$. Our goal now is therefore to prove (7.24). We can
conclude this if we can define
$F' : (\forall x' : B) . ((\forall y' : B) . (y' \prec' x' \Rightarrow P'\, y') \Rightarrow P'\, x')$
To do this we assume that
$\xi : (\forall y' : B) . (y' \prec' x' \Rightarrow P'\, y')$ (7.25)
and try to find an object of type $P'\, x'$, that is of type
$(\forall x : A) . ( f\, x = x' \Rightarrow P\, x )$
so we also assume that $x : A$ and $x' = f\, x$ and aim to find an object of type
$P\, x$. By substitution into (7.25) we have
$\xi : (\forall y' : B) . (y' \prec' (f\, x) \Rightarrow P'\, y')$
so that in particular,
$\xi' : (\forall y : A) . ((f\, y) \prec' (f\, x) \Rightarrow P'\, (f\, y))$
but then by the definition of $P'$, and of $\prec$,
$\xi'' : (\forall y : A) . (y \prec x \Rightarrow P\, y)$
We can apply $F$ to this $\xi''$ to give the result we required, that is
$P\, x$
We extract from the proof a definition of the function $F'$ and so define $\omega$
by
$\omega\, P\, F =_{df} \omega'\, P'\, F'$
as we discussed above. $\Box$
The product and lexicographic product orderings can also be shown to
preserve well-foundedness. We leave these as exercises for the reader, who
can also find derivations of them in [Pau86].
Theorem 7.15 is important not only in showing that particular orderings
are well-founded. It also forms a part of a characterisation of the well-founded orderings, proved in section 14 of [Pau86]:

Theorem 7.16 An ordering $\prec$ on $A$ is well-founded if and only if there
is some $W$ type $B$ and a function $norm : A \Rightarrow B$ so that $\prec$ is logically
equivalent to the inverse image under $norm$ of the canonical ordering on
$B$.

Exercises
7.31. Check that orderings on the types $N$, lists, trees and so forth are
well-founded according to the definition above; this will involve using the
recursion operators in an essential way.
7.32. Complete the proof of theorem 7.15 by giving an explicit definition
for the expression $\omega$, and checking that it has the property (7.20).
7.33. Show that the well-founded orderings defined in the previous section,
including the product and lexicographic product, satisfy definition 7.14.
7.34. Can you define an ordering on $A$ which is well-founded according to
predicates $A \Rightarrow U_0$ but not with respect to predicates in $A \Rightarrow U_1$?

7.9.2 The Accessible Elements

The approach taken in [Nor88] is to axiomatise definition by recursion over
the set of accessible elements of the ordering $\prec$. We first give the rules
as introduced by Nordstrom, and then discuss them, and their subsequent
elaboration in [SM87].
Formation Rule for $\mathcal{A}$
    $[x : A,\ y : A]$
        $\vdots$
$A$ is a type    $(x \prec y)$ is a type
---------------------------------------- ($\mathcal{A}\, F$)
$\mathcal{A}(A, \prec)$ is a type
Introduction Rule for $\mathcal{A}$
    $[y : A,\ y \prec a]$
        $\vdots$
$a : A$    $y : \mathcal{A}(A, \prec)$
---------------------------------------- ($\mathcal{A}\, I$)
$a : \mathcal{A}(A, \prec)$
Elimination Rule for $\mathcal{A}$
    $[\, x : \mathcal{A}(A, \prec),$
    $\quad z : A,\ z \prec x \vdash (f\, z) : C(z)\, ]$
        $\vdots$
$p : \mathcal{A}(A, \prec)$    $(e\, x\, f) : C(x)$
---------------------------------------- ($\mathcal{A}\, E$)
$rec\, e\, p : C(p)$
Computation Rule for $\mathcal{A}$
$rec\, e\, p \to e\, p\, (rec\, e)$
The formation and computation rules are standard, but the other two
rules deserve some comment. In the elimination rule, the second hypothesis
in the deduction of $(e\, x\, f) : C(x)$ is itself hypothetical; assuming that $z$ is
a predecessor of $x$, $f$ has a value on $z$. This $f$ gives the values on the
predecessors which are used in the expression $e$ to calculate the value at $x$
itself. We shall say more about this form of rule in section 8.4.
More unfamiliar is the rule ($\mathcal{A}\, I$). To fulfil the second hypothesis, we
have to infer that
$y : \mathcal{A}(A, \prec)$
on the basis of the assumptions
$y : A,\ y \prec a$
This is an unlikely inference, and misleading, as what we want to infer is
the proposition that
$y \in \mathcal{A}(A, \prec)$
on the basis of $y \in A$ and $y \prec a$. In order to do this, we have to give an
internal form of the membership relation, just as `$=$' gives an internalisation of equality. This can be done, and indeed was done in [SM87]. The
introduction and elimination rules for `$\in$' are
Introduction Rule for $\in$
$b : B$
---------------------------------------- ($\in I$)
$el : (b \in B)$
Elimination Rule for $\in$
$p : (b \in B)$
---------------------------------------- ($\in E$)
$b : B$
In fact Saaman and Malcolm use a collection of simplified elimination
rules, based on the presence of the `$\in$' types, of which an example is the
rule for $N$.
    $[\, i : N,\ v[i/x] : C[i/x]\, ]$
        $\vdots$
$n : N$    $v[0/x] : C[0/x]$    $v[succ\ i/x] : C[succ\ i/x]$
---------------------------------------- ($SNE$)
$v[n/x] : C[n/x]$
These rules can be thought of as performing the appropriate reductions on
the expressions usually introduced by the elimination rules, and using these
the `$\in$' type does not need to be discussed explicitly.
A relation on a type $A$ will be well-founded if $\mathcal{A}(A, \prec)$ is the whole
set. Saaman and Malcolm derive this result for the examples in [Pau86], as
well as showing that the unbounded search program, of type
$(\forall f : \{ f \mid (\exists x : N) . f\, x = 0 \}) . (\exists x : N) . ( f\, x = 0 )$
can be built using the observation that the ordering $m \prec n =_{df} m > n$
is well-founded on the set
$\{ n : N \mid (\forall m : N) . (m < n \Rightarrow f\, m \neq 0) \}$

Exercises
7.35. Show that the class of elements accessible under the ordering `$<$' on
$N$ is $N$ itself.
7.36. Given orderings $\prec$ and $\prec'$ on $A$ and $A'$, how would you characterise the elements accessible in the product, lexicographic product and sum
orderings on $A \wedge B$ and $A \vee B$?

7.9.3 Conclusions

Two alternatives have been suggested to augment the `structural' recursions over types such as $N$, lists, trees and so on. In the first, in [Pau86],
the theory $TT$ is shown to be sufficiently powerful to define many of the recursion operators over well-founded relations. This has the advantage that
no changes need to be made to the system, and also the advantage over the
derivations given in chapter 6, in which, implicitly at least, the derivation
of well-foundedness has to be repeated for each function definition. In this
respect Paulson's approach adds a useful modularity to the system.
Saaman and Chisholm's proposal is more far-reaching, involving the
introduction of a new predicate `$\in$' of uncertain effect on, for example, the
termination properties of the system. On the other hand, they claim that
it simplifies considerably the proof objects given by Paulson's approach, as
well as allowing the definition of the root-finding program.

7.10 Inductive types

The idea examined in this section is that types can be generated by induction. We begin with an informal introduction, and then turn to a discussion
of how the process can be formalised in type theory. [Mos74] gives an elegant treatment of inductive definitions from a set-theoretic standpoint, the
type theoretic treatment appearing in [Men87b] and [Dyb88].

7.10.1 Inductive definitions

We look at the idea of inductive generation of types using the running
example of finite lists of natural numbers. We have already seen that lists
can be introduced by means of the $W$-type mechanism, but an informal
specification might say
$[\,]$ is a list, and if $n$ is a number, and $x$ a list, then $(n :: x)$ is
also a list . . .
The type of lists $L$ has to contain $[\,]$, and if it contains $x$ it must contain
$(n :: x)$ also. Moreover, the intention of the definition is that $L$ is the
smallest such set, as the informal specification has the implicit conclusion
. . . and lists can only arise in this way.
We can formalise by saying that $L$ is the smallest solution of the equation
$L =_{df} \{[\,]\} \vee (N \wedge L)$
if we represent the list $(n :: x)$ by the pair $(n, x)$. We shall in fact continue
to use the familiar notation $(n :: x)$ instead of the pair. Not every equation
$T \equiv \Phi\, T$
has a solution or a least solution: a sufficient condition for a least solution
is that the operator $\Phi$ is monotonic, so that if $S \subseteq T$ then
$\Phi\, S \subseteq \Phi\, T$
The least solution of the equation is called the least fixed point of the
operator $\Phi$, and we write it $Fix\, \Phi$. To show that the equation has a solution
we consider the sequence of sets
$\Phi^0 =_{df} \emptyset \subseteq \ldots \subseteq \Phi^{\alpha+1} =_{df} \Phi\, \Phi^{\alpha} \subseteq \ldots$
Assuming that we are working in some universe set, this sequence must
have a fixed point, $\Phi^{\alpha+1} = \Phi^{\alpha}$. In general, the superscript $\alpha$ may be an
infinite ordinal number, reflecting the complexity of the type thus defined.
This fixed point is the least fixed point of $\Phi$, but we can also deduce that
a least fixed point exists from the fact that for a monotonic operator, the
intersection of all the solutions is itself a solution, and that will be the least
such.
We shall use the notation $\mathcal{L}$ for the operator of which $L$ is the least fixed
point:
$\mathcal{L}\, T =_{df} \{[\,]\} \vee (N \wedge T)$
The equation
$L \equiv \{[\,]\} \vee (N \wedge L)$
characterises that $L$ is a fixed point of $\mathcal{L}$. How do we characterise that $L$
is the least solution?
We need to express that elements only go in by the action of the operator
$\mathcal{L}$. We do this by giving an elimination rule which constructs a function by
recursion over $L$. To make such a definition it is necessary and sufficient
to state a value at $[\,]$ and a way of going from a value at $x$ to a value at
$(n :: x)$. Looking at this in a slightly different way, we have to give a way of
going from a value at an object of type $T$ to a value at an object of type
$\mathcal{L}\, T$, since a value of type
$\mathcal{L}\, T \equiv \{[\,]\} \vee (N \wedge T)$
will be either $[\,]$ or $(n :: x)$ with $x : T$.
Abstracting from this, to define a function
$fix\, g : Fix\, \mathcal{L} \Rightarrow R$
we give a function
$g : (T \Rightarrow R) \Rightarrow (\mathcal{L}\, T \Rightarrow R)$
Consider the example of the $sum$ function, which returns the sum of a
numerical list. This is characterised by the function $g$,
$g\, f\, [\,] =_{df} 0$
$g\, f\, (n, x) =_{df} n + (f\, x)$
since if we define its fixed point, $fix\, g$, it will satisfy
$fix\, g\, [\,] \equiv 0$
$fix\, g\, (n, x) \equiv n + (fix\, g\, x)$
In the general case this is encapsulated by the computation rule
$(fix\, g) \to g\, (fix\, g)$
Before we give a type theoretic treatment of inductive definitions, we observe that there is a link between inductively defined sets and well-founded
orderings. Every inductive set has an ordering given by comparing the
stages at which the elements go into the set. We define
$\|x\| =_{df}$ the $\alpha$ such that $x \in \Phi^{\alpha+1} - \Phi^{\alpha}$
Now we say that $x \prec y$ if and only if $\|x\| < \|y\|$; this ordering is well-founded as it is the inverse image of the ordering of the ordinal numbers.
This characterisation also suggests that we can give a representation of
inductively defined sets by means of well-founded recursion, and ultimately
by means of the $W$-types.
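An added Python example (not the book's code) of the stages $\Phi^0, \Phi^1, \ldots$ climbing to the least fixed point, of the rank $\|x\|$, and of the computation rule $fix\, g \to g\, (fix\, g)$ applied to the $sum$ function; the relation R, the operator names, and the pair encoding of lists are constructed for illustration. It also iterates the operator of exercise 7.38, whose stages oscillate, which is why the monotonicity condition matters:

```python
"""Least fixed points by iterating the stages Phi^0, Phi^1, ...

Constructed example (not from the book).  Sets are Python frozensets over
a finite universe, so every stage is finite and the sequence reaches
Phi^{a+1} = Phi^a after finitely many steps.  The operators, the relation
R and the list encoding below are all made up for illustration.
"""


def lfp_stages(phi, max_steps=1000):
    """Return the list [Phi^0, Phi^1, ..., Phi^a] with Phi^{a+1} = Phi^a.

    The iteration is only guaranteed to climb for a monotonic phi; if a
    stage repeats without being a fixed point the operator is oscillating,
    and None is returned instead of looping.
    """
    stages = [frozenset()]
    for _ in range(max_steps):
        nxt = phi(stages[-1])
        if nxt == stages[-1]:
            return stages
        if nxt in stages:          # a cycle: the iteration never settles
            return None
        stages.append(nxt)
    raise RuntimeError("no fixed point within max_steps")


def rank(x, stages):
    """||x|| = the a such that x is in Phi^{a+1} but not Phi^a (None if never)."""
    for alpha in range(len(stages) - 1):
        if x in stages[alpha + 1] and x not in stages[alpha]:
            return alpha
    return None


# Transitive closure of a relation R as the least fixed point of
#   Phi T = R union { (a, c) | (a, b) in T, (b, c) in R }   (cf. exercise 7.45)
R = frozenset({(1, 2), (2, 3), (3, 4)})   # constructed relation

def closure_step(T):
    return R | frozenset((a, c) for (a, b) in T for (b2, c) in R if b == b2)

def transitive_closure():
    stages = lfp_stages(closure_step)
    return stages[-1], stages


# The operator of exercise 7.38: T -> {1} if 0 in T, else {0}.  It is not
# monotonic, and its stages oscillate: {}, {0}, {1}, {0}, ...
def oscillating_step(T):
    return frozenset({1}) if 0 in T else frozenset({0})

def oscillating_has_no_limit():
    return lfp_stages(oscillating_step) is None


# Recursion over the inductive type: fix g -> g (fix g).  Lists are encoded
# as () for [] and (n, x) for n :: x, so g maps a function on T to one on L T.
def fix(g):
    def f(cell):
        return g(f, cell)
    return f

def sum_g(f, cell):
    if cell == ():
        return 0
    n, x = cell
    return n + f(x)        # f is only applied to the tail x : T

sum_list = fix(sum_g)

def encode(ns):
    """Build the nested-pair encoding of a Python list of numbers."""
    cell = ()
    for n in reversed(ns):
        cell = (n, cell)
    return cell
```

For the constructed R the stages are $\emptyset$, $R$, $R$ plus the two-step pairs, then $R$ plus the three-step pair $(1, 4)$, after which the operator is stationary; the rank of $(1, 4)$ is 2. Note that `fix` is ordinary general recursion in Python: the guarantee that `g` applies `f` only to the component of type $T$, which the elimination rule enforces by typing, is here only a convention.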
Exercises
7.37. Show that the type of finite and infinite lists of natural numbers is a
solution of the equation
$L =_{df} \{[\,]\} \vee (N \wedge L)$
How would you argue that it does not meet the inductive characterisation
of the least fixed point?
7.38. Argue that the operator which sends $T$ to $\{1\}$ if $0 \in T$, and to $\{0\}$ if
not has no fixed point.
7.39. Show that the intersection of a non-empty set of fixed points of a
monotonic operator $\Phi$ is a fixed point of $\Phi$, and therefore that a least fixed
point exists.
7.40. Give fixed point definitions of the types of natural numbers and trees.
7.41. How would you define a type of lists whose elements are either natural
numbers or lists themselves?
7.42. Give a fixed point definition of a type of finite and countable ordinal
numbers.


7.10.2 Inductive definitions in type theory

Formation of inductive types is permitted when we have a monotonic operation
$\Phi : Type \Rightarrow Type$
There are two approaches to verifying the monotonicity of an operator.
In the first, which is adopted in [Dyb88], a meta-theorem guarantees that
operations of a restricted syntactic form are monotonic. If the symbol $T$
does not appear embedded in the domain part of any function or universal
type in the type expression $\tau$, then the operation
$\Phi : T \mapsto \tau$
is called positive, and can readily be shown to be monotonic. We can
refine this to sanction negative appearances of $T$ in the domain part, where
such appearances have the dual definition to positive ones.
In [Men87b], an explicit check for monotonicity is added to the rule,
forcing the verification of a statement like
$T_1 \subseteq T_2 \Rightarrow \tau[T_1/T] \subseteq \tau[T_2/T]$
To facilitate this, various straightforward rules for the new judgement form
$T_1 \subseteq T_2$ have to be added to the system. The two approaches are complementary, and there is no reason at all why they should not be used
together.
The rules for the inductive type take the form
Formation Rule for $Ind$
$\Phi$ monotonic
---------------------------------------- ($Ind\, F$)
$Fix\, \Phi$ is a type
There is no introduction rule for the type, rather we have a rule of type
equality.
Type equality rule for $Ind$:
$Fix\, \Phi \leftrightarrow \Phi\, (Fix\, \Phi)$ (7.26)
This rule is sufficient to give the usual introduction rule in the case of the
operator $\mathcal{L}$. We have
$[\,] : \mathcal{L}\, (Fix\, \mathcal{L})$
so that by (7.26), $[\,] : Fix\, \mathcal{L}$. Similarly, if $n : N$ and $x : Fix\, \mathcal{L}$ then
$(n :: x) : \mathcal{L}\, (Fix\, \mathcal{L})$
and thus $(n :: x)$ is in $Fix\, \mathcal{L}$ itself.
The elimination rule can be written in a number of forms. Giving it the
full parametricity, we have
Elimination Rule for $Ind$
    $[\, T \subseteq Fix\, \Phi\, ]$
        $\vdots$
$g : (\forall x : T) . C \Rightarrow (\forall y : \Phi\, T) . C[y/x]$
---------------------------------------- ($Ind\, E$)
$fix\, g : (\forall z : Fix\, \Phi) . C[z/x]$
and the computation rule is
Computation Rule for $Ind$
$fix\, g \to g\, (fix\, g)$
Examples of types thus definable are lists, trees, and the general $W$-types. Mendler augments the mechanism by allowing the definitions to be
parametric. This means that types can be defined by simultaneous recursion, and in this context the types can readily be thought of as predicates.
For instance, the definition
$Root\, f\, n =_{df} (f\, n = 0) \vee (Root\, f\, (n+1))$
defines a family of types by a simultaneous recursion over $n : N$. The
predicate defined expresses the property that $f$ has a root greater than or
equal to $n$. Note that here we have a predicate which depends upon a value
$n$ but which is defined without using the universes $U_i$. Using the recursion
operator over this type and the subset type to hide information, Mendler
is able to give a function implementing unbounded search.
[Dyb88] argues that in many cases, the traditional introduction and
elimination rules of the types can be read off from the operator $\Phi$, as indeed
we saw for the operator $\mathcal{L}$ above. Certainly if it is a sum of products of
expressions, it is easy to see that this bears a resemblance to, say, the
Miranda algebraic types
ty ::= con1 t11 ... t1k |
       con2 t21 ... t2l |
       ...
with one constructor per summand, and one selector per constructor argument, or product component. This paper also explores a representation of
these inductively defined sets in $TT$, by means of the $W$-types. This representation is proved to be an isomorphism in case the type theory carries
an extensional equality.
One drawback to the addition of these types is that equality between
types is made undecidable: we can adopt a tighter notion of equality, like
name equality (see, for example, [Ten79]) but this seems to be in conflict
with the remainder of the system, for which a structural equality of types
can be maintained.
Exercises
7.43. What is the rule of induction for lists given by ($Ind\, E$)? Compare it
with the rule given earlier in section 5.10.
7.44. Using the rules for sets given in section 7.2, derive a root-finding
program of type
$\{ f : N \Rightarrow N \mid (\exists n : N) . (Root\, f\, n) \} \Rightarrow (\exists n : N) . I(N, (f\, n), 0)$
7.45. Give inductive definitions of the transitive closure of $R$ and of the
smallest equivalence relation extending $R$ when $R$ is a binary relation over
a type $A$, say.
7.46. (For logicians) Given a formal system $F$ for first-order arithmetic,
give an inductive definition of the set of theorems provable in the system.
Explain how to give an interpretation of the system over the type $N$ of type
theory, and write down an inductive definition of the formulas of $F$ which
are valid under that interpretation.


7.11 Co-inductions

Readers who are familiar with languages which feature lazy evaluation of
all function applications, including those of constructor functions such as
the (infix) cons, `$::$', will see the type of lists as sadly deficient, containing
as it does only the finite lists. The Miranda programmer is accustomed to
being able to define infinite lists such as
2::3::5::7::11::...
The approach in such a language is to evaluate any structured expression
only to the extent that is necessary for computation to proceed. In combination with general recursion, this means that lists may be completely
undefined, or more subtly, partially defined. If we write
lis1 = 3 :: undef
where undef = undef is the definition of the tail of the list, this list has a
head of 3; only if we examine the tail do we find that it is undefined. We can
see that the combination of unrestricted recursion and lazy evaluation leads
naturally to these partial lists, which we obviously cannot accommodate in
a hereditarily total type theory. Is there any way that we can retain some
of the power of programming with lazy lists, which is described so clearly in
[Hug90], section 4? We shall see that by looking at the class of co-inductive
definitions, i.e. definitions of greatest fixed points of operators, we can build
types with infinite objects without adding partially-defined data items. We
pursue the example of the type of infinite lists of numbers as a running
illustration.
Infinite lists are described in quite a different way to their finite counterparts. Instead of saying what are the component parts, $[\,], 0, 1, \ldots$, and
the `glue', $::$, from which they are built, by introduction rules, all we can
say is that given an infinite list, we can split it up into a head and a tail,
which is again infinite. The equation
$I =_{df} N \wedge I$ (7.27)
describes this in another way, for it says if $l : I$ then
$l : N \wedge I$
so that $l \equiv (n :: l')$, with $n : N$ and $l' : I$. The equation (7.27) has many
solutions, the smallest of which is $\emptyset$! Surely anything which decomposes
$l \to (n :: l')$ has a right to be called an infinite list, so we should choose
the largest and not the smallest of the solutions of (7.27), that is the largest
fixed point of the operator $\mathcal{I}$,
$\mathcal{I}\, I =_{df} N \wedge I$
How can we guarantee that we have chosen the largest fixed point? We
should ensure that any definition of a list is a member of the type, being careful not to introduce any partiality. As a guide to the form of the
equations, think of how the infinite list of ones can be defined. We can say
$ones =_{df} 1 :: ones$
where on the right hand side of the equation we have ensured that we have
given a clearly defined head to the list. Assuming the same about the
recursive call means that we are certain of being able to `unfold' $ones$ any
finite number of times. Using such a form of definition we can make the
radical step of defining all the constant infinite lists! To make any further
progress, such as defining the list $1 :: 2 :: 3 :: \ldots$ we need to be a bit more
ingenious, and think of defining a whole collection of lists simultaneously.
$from_n =_{df} n :: from_{n+1}$
is a definition of the lists $from_n$ enumerating the natural numbers starting
from $n : N$. Again, the right hand side guarantees that each list has a head,
recursion supplying the tail. A final example along these lines is a function
making a list from a function $f : (N \Rightarrow N)$
$makel_f =_{df} (f\, 0) :: makel_{f'}$
where the function $f'$ is defined by
$f'\, n =_{df} f\, (n+1)$
This defines $(N \Rightarrow N)$-many infinite lists simultaneously, each of which is
guaranteed to have a head by the form of the definition. How are these
recursions structured?
There is a domain $D$, from which the parameter is taken. How do we
form the right hand side of the definitions we saw above? We can use the
parameter, call it $y$, and the lists themselves, $z : D \Rightarrow T$, say. From these
we have to form a list, but this must be a list with a defined head. Recalling
the definition (7.27), the right hand side must be a member of the type $\mathcal{I}\, T$,
rather than simply the type $T$ itself. Given such a term, we can form the
fixed point, which will be the object defined as above.
Let us set this down as a rule, using $\Phi$ for the general monotonic operator.
Introduction Rule for $Coin$
    $[y : D,\ z : D \Rightarrow T]$
        $\vdots$
$d : D$    $b : \Phi\, T$
---------------------------------------- ($Coin\, I$)
$xif_{y,z}\, b\, d : Xif\, \Phi$
where we need also the rules
Formation Rule for $Coin$
$\Phi$ monotonic
---------------------------------------- ($Coin\, F$)
$(Xif\, \Phi)$ is a type
Computation with the $xif$ object is straightforward,
Computation Rule for $Coin$
$xif_{y,z}\, b\, d \to b[d/y,\ \lambda w . (xif_{y,z}\, b\, w)/z]$
where we can see that in the unfolded recursion the function $z$ is replaced
by the whole family of recursively defined objects $\lambda w . (xif_{y,z}\, b\, w)$, as we
described the recursion above.
In the case of a co-induction, the role of the defining equation (7.27) is
that of an elimination rule, for if we know that $l : (Xif\, \mathcal{I})$ then
$l : \mathcal{I}\, (Xif\, \mathcal{I})$ (7.28)
eliminating the (bare) type $(Xif\, \mathcal{I})$.
The nature of recursion over a co-inductive type is quite different from
that over an inductive type, where the definition is grounded by the fact
that at each appeal we make a call to the value of the function at a simpler
object. Here recursion does not directly explain how a function is defined
over the type $Xif\, \Phi$, rather it explains how individual objects of the type
are defined. How are such functions defined? There are two methods.
First, by (7.28) we have the selector functions $head$ and $tail$ over the type.
Given the selectors we can define such functions as
$sum27\, [a_0, a_1, \ldots, a_n, \ldots] =_{df} a_0 + a_1 + \cdots + a_{27}$
We can give fully recursive definitions to standard operators over infinite
lists using the selectors in combination with ($Coin\, I$). An example is
$mapi : (N \Rightarrow N) \Rightarrow (Xif\, \mathcal{I}) \Rightarrow (Xif\, \mathcal{I})$
$mapi\, f\, (a :: x) =_{df} (f\, a) :: mapi\, f\, x$
which defines the value of $mapi\, f\, l$ simultaneously for all infinite lists $l$.
Functions of the form
$sumi\, n\, [a_0, a_1, \ldots, a_n, \ldots] =_{df} a_0 + a_1 + \cdots + a_n$
$index\, n\, [a_0, a_1, \ldots, a_n, \ldots] =_{df} a_n$
can either be defined by tail recursion over the parameter $n : N$, or by a
simultaneous recursion over all infinite lists.
Other types which can be defined in this way are the type of finite and
infinite lists, the largest fixed point of the operator $\mathcal{L}$, infinite trees and the
like.
We can define sophisticated functions over the type of infinite lists if
we are prepared to incorporate some proof-theoretic information into the
domain. One example might be a function which splits a stream of characters into a stream of words, splitting at each white space character. We
cannot define this function over all the infinite lists, but only those with
white space occurring infinitely often. We can describe exactly this class
as an existential or subset type, and therefore define the function.
Equality over these types is interesting also. If it is intensional, then we
will only identify (for example) two infinite lists if they are defined in the
same way. An alternative is to adopt an extensional approach, saying that
$l \simeq l' \Leftrightarrow (\forall n : N) . ( index\, n\, l = index\, n\, l' )$
This approach is adopted in a logic for Miranda, [Tho89b], where it axiomatises equality of infinite lists. Using the denotational semantics for
Miranda, we can of course prove that this is the case.
In conclusion, we would suggest that many of the advantages advanced
for lazy lists accrue here also. In particular, the examples of [Hug90, Section
4] seem to carry over with no difficulty.
Exercises
7.47. Give formal definitions of the functions mapi, sumi and index defined above.
7.48. Define the functions

$iterate\ f\ st \equiv_{df} [st, f\ st, f\ (f\ st), \ldots]$
$infold\ f\ st\ [a_0, a_1, \ldots, a_n, \ldots] \equiv_{df} [st, f\ st\ a_0, f\ (f\ st\ a_0)\ a_1, \ldots]$

7.49. A natural number greater than one is called a Hamming number if its only prime factors are 2, 3 and 5. Show how to define a function which will merge two infinite lists, removing duplicate occurrences which appear in both lists and preserving order in the case that the lists are ordered. Using this function and the iterate function above give a definition of the list of Hamming numbers, enumerated in ascending order. (This problem is described in more detail in [Dij76].)
7.50. Give a definition of the list of prime numbers.
7.51. Write a definition of a general map function over the finite and infinite lists.
[Figure 7.1: Three communicating processes, connected in a ring by the channels $l_0$, $l_1$, $l_2$. Image not reproduced.]
7.52. Why cannot an analogue of the filter function over finite lists be defined over the infinite lists? Can you define one over the type of finite and infinite lists?
7.53. Give a type and definition to the splitting function discussed above.
7.11.1 Streams
One of the most prominent applications of the infinite lists of Miranda is to streams between interacting processes. We model a system such as that in figure 7.1 by giving explicit definitions of the communications along the three channels. These communications form lists $l_0, l_1, l_2$, and we can in the liberal environment of Miranda write definitions of networks of processes which will result in deadlock: just define each of the processes to copy its input to its output. What happens if we look at an example like this in the context of type theory, using the infinite lists of the last section? We will have in the case above to define the three lists $l_0, l_1, l_2$ by a mutual recursion, and moreover by one which ensures that each of the lists $l_i$ has at least a head. In other words, the condition on infinite lists ensures that we never have deadlock in networks of processes that we define: the process of definition itself prevents that.
In a similar way, we can model streams which can close down by taking the streams to be in the greatest fixed point of L which gives the type of finite and infinite lists. The absence of partial lists again shows that if a system can be defined, then it will not deadlock: it will either continue forever, or will close down.
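The co-inductive definitions of this section and the preceding one, as an added example in Python; this is not code from the book, which works in its own notation and in Miranda. Miranda is lazy and Python is not, so laziness is made explicit with a thunk. The class `Stream` and the helpers `take`, `ring` and `copy_ring_has_head` are our own names; `mapi`, `sumi`, `index`, `iterate` and `merge` follow exercises 7.47 to 7.49. The point to take from it is the one the text makes about deadlock: nothing can be a `Stream` without a head, so the three-process ring below is productive by construction, while the copy-only ring with no initial values has no head to offer and never yields anything.

```python
"""Infinite lists (streams) in the co-inductive style of the text.

Added example, not code from the book.  A Stream is a head plus a thunk
for its tail, so nothing can be a Stream without having a head: that is
the condition the text relies on to rule deadlock out of networks of
processes.  mapi, sumi, index, iterate and merge follow exercises
7.47-7.49; take, ring and copy_ring_has_head are our own names.
"""
from typing import Callable, Generic, List, Optional, Tuple, TypeVar

A = TypeVar("A")
B = TypeVar("B")


class Stream(Generic[A]):
    """a :: x, with the tail x demanded lazily and memoised once computed."""

    def __init__(self, head: A, tail: Callable[[], "Stream[A]"]) -> None:
        self.head = head
        self._tail_thunk = tail
        self._tail: Optional["Stream[A]"] = None

    @property
    def tail(self) -> "Stream[A]":
        if self._tail is None:
            self._tail = self._tail_thunk()
        return self._tail


def take(n: int, xs: Stream[A]) -> List[A]:
    """The first n elements, for inspecting a stream."""
    out: List[A] = []
    for _ in range(n):
        out.append(xs.head)
        xs = xs.tail
    return out


def mapi(f: Callable[[A], B], xs: Stream[A]) -> Stream[B]:
    # mapi f (a :: x) = (f a) :: mapi f x, one equation for all streams at once
    return Stream(f(xs.head), lambda: mapi(f, xs.tail))


def index(n: int, xs: Stream[A]) -> A:
    # a_n, by tail recursion over the parameter n : N
    for _ in range(n):
        xs = xs.tail
    return xs.head


def sumi(n: int, xs: Stream[int]) -> int:
    # a_0 + a_1 + ... + a_n
    total = 0
    for _ in range(n + 1):
        total, xs = total + xs.head, xs.tail
    return total


def iterate(f: Callable[[A], A], st: A) -> Stream[A]:
    # [st, f st, f (f st), ...]
    return Stream(st, lambda: iterate(f, f(st)))


def merge(xs: Stream[int], ys: Stream[int]) -> Stream[int]:
    # Order-preserving merge of ascending streams; a value present in
    # both inputs is emitted once (exercise 7.49).
    if xs.head < ys.head:
        return Stream(xs.head, lambda: merge(xs.tail, ys))
    if ys.head < xs.head:
        return Stream(ys.head, lambda: merge(xs, ys.tail))
    return Stream(xs.head, lambda: merge(xs.tail, ys.tail))


def hamming() -> Stream[int]:
    # h = 1 :: merge (mapi (2*) h) (merge (mapi (3*) h) (mapi (5*) h)).
    # The recursion is guarded by the cons, so h has a head before its
    # tail is ever demanded.  Exercise 7.49 wants the numbers above 1.
    h: Stream[int] = Stream(1, lambda: merge(mapi(lambda n: 2 * n, h),
                                             merge(mapi(lambda n: 3 * n, h),
                                                   mapi(lambda n: 5 * n, h))))
    return h.tail


def ring(seeds: Tuple[int, int, int],
         fs: Tuple[Callable[[int], int], Callable[[int], int], Callable[[int], int]]
         ) -> Tuple[Stream[int], Stream[int], Stream[int]]:
    """Three processes in a ring (figure 7.1): process i first emits its
    seed and then f_i of whatever arrives from process i-1.  The mutual
    recursion is productive because every l_i is a cons: each channel
    has a head, so the network cannot deadlock."""
    l0: Stream[int] = Stream(seeds[0], lambda: mapi(fs[0], l2))
    l1: Stream[int] = Stream(seeds[1], lambda: mapi(fs[1], l0))
    l2: Stream[int] = Stream(seeds[2], lambda: mapi(fs[2], l1))
    return l0, l1, l2


def copy_ring_has_head() -> bool:
    """The deadlocking network of the text: each process copies its input
    to its output with no initial value.  There is no head to hand to
    Stream, so the channels are bare thunks, and demanding one never
    produces a value: Python reports the unbounded chase as RecursionError."""
    l0 = lambda: l2()
    l1 = lambda: l0()
    l2 = lambda: l1()
    try:
        l0()
        return True
    except RecursionError:
        return False
```

`index` and `sumi` are the tail recursions over n : N, while `mapi` and `merge` are defined at one stroke for every stream; these are the two methods of definition the text distinguishes.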
Exercise
7.54. Give a solution to the dining philosophers problem using the infinite lists of type theory.
7.12 Partial Objects and Types

The literature contains a number of proposals for adding non-terminating or `partial' objects to type theory. The naïve proposal would be simply to allow unrestricted recursion and thus non-terminating computations in the systems $TT_0$ etc. As a programming language this results in something much closer to current systems like Miranda and Haskell, but we also appear to lose the logical interpretation of the system. Since the undefined object, $\uparrow$, or bottom (which is confusingly denoted $\bot$ in the literature on denotational semantics) is a member of every type, the logical interpretation is inconsistent, as every formula is provable, by the proof $\uparrow$. Moreover, principles such as induction have to be modified to take account of the additional members of types like N. (Details of how this is done can be found in [Pau87, Tho89b].)
Can a logical interpretation be given to such a system? It would seem that there is at least a chance of so doing, if we can identify precisely those objects which represent `total' and not `partial' proofs. The logic for Miranda alluded to earlier shows how the total objects can be identified at simple types, but there is a choice in what should be deemed the total objects at type

$(N \Rightarrow N) \Rightarrow (N \Rightarrow N)$

say. It would be an interesting research project to see precisely how such a logical interpretation would work.
A quite different approach is suggested in [CS87], which supersedes the earlier version of partial types discussed in [C+86a], section 12.2. This proposes the addition of types $\bar{T}$ which consist of computations of elements of T, the partial objects which may or may not result in values in the type T itself. The advantage of this approach over the naïve one is the degree of descriptive power that it affords. For instance, we can distinguish the following types of numerical functions

$N \Rightarrow N \qquad N \Rightarrow N \qquad N \Rightarrow N \qquad N \Rightarrow N \qquad N \Rightarrow N \qquad N \Rightarrow N$

each of which is sensible and embodies a different notion of function from N to N. It is a revealing exercise to discover the relations between the types by finding which embeddings exist between them, and by showing which do not exist by finding the appropriate counterexamples. A basic relationship between types is that members of T are members of $\bar{T}$, and in the converse direction, if an element of $\bar{T}$ is shown to have a canonical form then it is in T. So as to allow explicit reasoning about termination, we will have to introduce the membership predicate, $a \in A$, as in section 7.9.2 above.
Elements of partial types are introduced by parametrised general recursion, with an object f of type A ⇒ B being defined in terms of itself:

      [q : A ⇒ B]
           ⋮
      f : A ⇒ B
    ─────────────────── (rec I)
    rec q f : A ⇒ B

with the associated computation rule

$rec\ q\ f \to f[(rec\ q\ f)/q]$

There are a number of induction rules which licence proofs about these recursively defined functions. They fall into two classes: first we can reason over the structure of the computation which leads to a result, and this rule admits a number of formalisations, which have obvious links with the rules of 7.9 above. Second, we can add the rule of fixed point induction which can only be applied to admissible predicates (see [Pau87]). This is not so easy in type theory where in the presence of universes we can have non-canonical forms for types. Further discussion of these points, the justification for the addition of the types and their links with classical recursion theory can be found in [CS87] and [Smi88].
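The rule (rec I) and its computation rule, run as an added example in Python rather than in the book's notation. This is not code from the book or from [CS87]: the names `rec`, `Diverged`, `least_above` and `has_canonical_form` are ours, and the step budget is our device for making the difference between a total function and an element of a partial type observable. It shows why the unrestricted rule loses the logical reading (the term `rec q q` is the proof $\uparrow$ of everything) and why membership $a \in A$ has to be a predicate that is asserted rather than a property that is decided.

```python
"""General recursion (rec I) and the membership predicate a ∈ A.

Added example in Python, not from the book or from [CS87]: the names
rec, Diverged, least_above and has_canonical_form are ours, and the step
budget is our device for making partiality observable.  The computation
rule is  rec q f -> f[(rec q f)/q]:  `rec` hands f a function q that,
when called, performs exactly that one unfolding.
"""
from typing import Callable, Optional, TypeVar

A = TypeVar("A")
B = TypeVar("B")
Body = Callable[[Callable[[A], B]], Callable[[A], B]]   # f, with q free in it


class Diverged(Exception):
    """The reduction budget ran out before a canonical form appeared."""


def rec(f: Body, fuel: Optional[int] = None) -> Callable[[A], B]:
    """rec q f.  fuel=None is the unrestricted rule, so the result lives
    in the partial type (A ⇒ B)-bar and may never return.  An integer
    fuel charges one step per unfolding and raises Diverged when spent."""
    budget = [fuel]

    def q(a: A) -> B:
        if budget[0] is not None:
            if budget[0] == 0:
                raise Diverged()
            budget[0] -= 1
        return f(q)(a)                  # rec q f -> f[(rec q f)/q]

    return q


# A total function written by general recursion: every unfolding is at a
# smaller argument, so it is in fact in N ⇒ N, though (rec I) cannot see that.
fact = rec(lambda q: lambda n: 1 if n == 0 else n * q(n - 1))

# The proof ↑ of everything: rec q q unfolds to itself for ever.  Under the
# unrestricted rule this term would inhabit every type; here it is budgeted.
bottom = rec(lambda q: q, fuel=50)


def least_above(p: Callable[[int], bool], start: int, fuel: int) -> int:
    """Unbounded search for the least n >= start with p(n): an element of
    (N ⇒ N)-bar, since for a p that never holds it never returns."""
    search = rec(lambda q: lambda n: n if p(n) else q(n + 1), fuel)
    return search(start)


def has_canonical_form(thunk: Callable[[], object]) -> bool:
    """a ∈ A, as far as it can be observed: True when the computation
    reaches a canonical form (a Python value) within its budget.  False
    says only that the budget was too small; it never certifies a ∉ A,
    which is why the text adds a membership predicate instead of deciding it."""
    try:
        thunk()
        return True
    except Diverged:
        return False
```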
7.13 Modelling
Thus far we have looked at generic extensions of the system; for the individual, the problem at hand will normally be to model a small number of specific kinds of object, such as groups, stacks, records and so forth. Two approaches suggest themselves:
• A model of the objects is built within type theory, as a series of abstract data types, for instance.
• The system is itself augmented with new rules describing the objects.
The contrast between these approaches is investigated in [Dyc85], which examines how to model elementary category theory up to the level of natural transformations. We look at a simpler case here, that of semigroups.
Definition 7.17 A semigroup is a set A together with an associative operation ⋆ over A. An identity element is an element ε so that for all a ∈ A,

$a \star \varepsilon = a = \varepsilon \star a$

and an inverse $a^{-1}$ of a satisfies

$a \star a^{-1} = \varepsilon = a^{-1} \star a$

We can model the class of semigroups as an abstract data type as follows. First we define the formula Semi A ⋆ to be

$(\forall a, b, c : A) . ((a \star b) \star c = a \star (b \star c))$

Elements of this type are functions f with f a b c providing the proof of associativity at the triple a, b, c. We then define the class of semigroups thus:

$Semigroup \equiv_{df} (\exists A : U_0) . (\exists \star : A \Rightarrow A \Rightarrow A) . (Semi\ A\ \star)$

Elements of this type are triples (A, (⋆, f)), with f as above.
An elementary result about semigroups is that the identity is unique. We show this formally now. Using the notational conventions of section 5.2.1, we write set, op and assoc for the three projection functions from the triples above.
Theorem 7.18 Given a particular member S : Semigroup we shall write A, ⋆, f for the three projections set S, op S and assoc S. If we assume that

$(\forall a : A) . a \star \varepsilon = a \wedge a = \varepsilon \star a \qquad (\forall a : A) . a \star \varepsilon' = a \wedge a = \varepsilon' \star a$

are inhabited, then we can show that

$\varepsilon = \varepsilon'$

is inhabited. This shows that the identity is unique if it exists.
Proof: Take

$g : (\forall a : A) . a \star \varepsilon = a \wedge a = \varepsilon \star a$

apply it to ε', and take the first projection. We have

$fst\ (g\ \varepsilon') : \varepsilon' \star \varepsilon = \varepsilon' \qquad (7.29)$

Similarly, if we take

$h : (\forall a : A) . a \star \varepsilon' = a \wedge a = \varepsilon' \star a$

apply it to ε, and take the second projection, we obtain

$snd\ (h\ \varepsilon) : \varepsilon = \varepsilon' \star \varepsilon \qquad (7.30)$

By (7.29), (7.30) and the transitivity of equality, we have that

$\varepsilon = \varepsilon'$

is inhabited, as required. □
Theorem 7.19 Using the same convention as above, if for a particular element a of A it is the case that

$a \star a' = \varepsilon \wedge \varepsilon = a' \star a$
$a \star a'' = \varepsilon \wedge \varepsilon = a'' \star a$

are both inhabited, then $a' = a''$ is inhabited, proving that inverses are unique if they exist.
Proof: Exercise: the proof uses the fact that the operation `⋆' is associative. □
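The two uniqueness results, as an added worked example in Lean 4; this is not from the book, and it departs from the book's presentation in passing the semigroup as its three components `op`, `assoc` and the carrier `A` rather than unpacking a triple `S : Semigroup`, with Lean's `→` standing for the book's ⇒. The first proof follows the text's steps (7.29) and (7.30) exactly; the second is the proof the text leaves as exercise 7.56, and it is the step `assoc a'' a a'` that uses associativity.

```lean
-- Theorem 7.18: an identity element is unique.
theorem identity_unique {A : Type} (op : A → A → A) (ε ε' : A)
    (g : ∀ a : A, op a ε = a ∧ a = op ε a)
    (h : ∀ a : A, op a ε' = a ∧ a = op ε' a) : ε = ε' :=
  have e1 : op ε' ε = ε' := (g ε').1   -- (7.29): fst (g ε')
  have e2 : ε = op ε' ε := (h ε).2     -- (7.30): snd (h ε)
  e2.trans e1                           -- transitivity of equality

-- Theorem 7.19: inverses are unique; the third step uses associativity.
theorem inverse_unique {A : Type} (op : A → A → A)
    (assoc : ∀ a b c : A, op (op a b) c = op a (op b c))
    (ε a a' a'' : A)
    (ident : ∀ x : A, op x ε = x ∧ x = op ε x)
    (h' : op a a' = ε ∧ ε = op a' a)
    (h'' : op a a'' = ε ∧ ε = op a'' a) : a' = a'' :=
  calc a' = op ε a'            := (ident a').2
    _ = op (op a'' a) a'       := by rw [← h''.2]
    _ = op a'' (op a a')       := assoc a'' a a'
    _ = op a'' ε               := by rw [h'.1]
    _ = a''                    := (ident a'').1
```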
The results depend upon us repeatedly unpacking the triples (A, (⋆, f)) and upon the system having the capability of giving temporary names to objects. Dyckhoff found that as this was difficult in the implementation available to him, it would be more appropriate to axiomatise the theory directly. For semigroups, axioms would take the form.
Formation Rule for Semigroup

    ───────────────────── (SemiF)
    Semigroup is a type

Writing the three hypotheses in a vertical list, we have the introduction rule
Introduction Rule for Semigroup

    A is a type
    ⋆ : A ⇒ A ⇒ A
    r : (∀a, b, c : A) . ((a ⋆ b) ⋆ c = a ⋆ (b ⋆ c))
    ───────────────────────────────────────────────── (SemiI)
    SG A ⋆ r : Semigroup

Elimination Rules for Semigroup

    S : Semigroup
    ───────────────── (SemiE1)
    set S is a type

    S : Semigroup
    ──────────────────────────────── (SemiE2)
    op S : set S ⇒ set S ⇒ set S

    S : Semigroup
    ─────────────────────────────────────────────────────────────────────── (SemiE3)
    assoc S : (∀a, b, c : set S) . ((a (op S) b) (op S) c = a (op S) (b (op S) c))

The computation rules show that set, op and assoc behave as projections
Computation Rules for Semigroup

    set (SG A ⋆ r) → A
    op (SG A ⋆ r) → ⋆
    assoc (SG A ⋆ r) → r

Using these rules we can prove results such as theorems 7.18, 7.19 in a similar way to those above.
In comparing the two approaches, it is clear that they are very close. The positive effect of moving to rules is that we have access to a naming facility, but we have shown that this can be integrated with a representational approach. A disadvantage of adding rules to the system is that we may well disturb the formal properties of the system, such as logical consistency or strong normalisation. In this case there is no difficulty, as we could read the rules as being derived from the representation, providing a cleaner interface to the particular data abstraction. This possible disruption of the formal properties of the system by the addition of rules is something which might be said of all the additions of this chapter; we shall look into it in more depth in the chapter to come.
[Dyc85], on which this section is based, gives a similar comparison of approaches for the more significant example of categories.
Exercises
7.55. What are the types of the projection functions set, op and assoc?
7.56. Prove theorem 7.19.
7.57. Prove versions of the theorems 7.18, 7.19 using the rules for the new type Semigroup.
Chapter 8

Foundations

This chapter marks a return to looking at the system as a whole, rather than at particular examples of terms and proofs derivable in it, or at possible extensions. We investigate various questions about the mathematical foundations of the system. From the point of view of traditional proof theory, we can compare its strength with other formal systems for arithmetic; this we do in the first section. The technique used here is that of realizability, which forms one sort of model of the formal system. We discuss the motivation for developing a model theory of TT in the subsequent section, giving other methods of model construction.
The topic of realizability is interesting not just from the proof-theoretic point of view: it provides a general mechanism for extracting the computational content of a derivation, and as such may give a means of deriving more efficient programs from type theoretic derivations.
We conclude the discussion with an overview of Schroeder-Heister and Dybjer's work on the inversion of proof rules. At an intuitive level, if we are given the introduction rules for a type then we seem to know all the forms that elements can take, and this really characterises the type. The inversion principle gives a formal description of how an introduction rule can be inverted to generate the elimination and computation rules. We also look at a primitive justification of the inversion principle itself.

8.1 Proof Theory

In this section we look at the relationship between the systems $TT_0, \ldots$ and more traditional presentations of constructive arithmetic. In particular we examine the system HA of first-order intuitionistic arithmetic and its generalisation to the simple types, $HA^\omega$. The `H' in these titles is in honour of the intuitionist Heyting, who was one of the first constructivists. We follow this with a discussion of the technique of realizability, which is used to give interpretations of intuitionistic systems, and which can form the basis of a more flexible algorithm extraction discipline than that of type theory. We conclude with a discussion of the various rules for existential elimination, and what consequences the choice of rules has for our implementation of modules.
8.1.1 Intuitionistic Arithmetic

Definition 8.1 A full definition of the system of First Order Heyting Arithmetic, HA, is given in [Tro73], section I.3. The system consists of a first order theory of the natural numbers, with a function constant for each primitive recursive function. Axioms assert the basic properties of equality; the standard Peano axioms stating that zero is not a successor, that the successor is 1-1 and the axiom scheme of induction

$\phi(0) \wedge \forall n . (\phi(n) \Rightarrow \phi(n+1)) \Rightarrow \forall n . \phi(n)$

for every formula φ; and finally the defining equations of each of the primitive recursive functions.
The rules of deduction are the standard set for constructive predicate calculus, which can be derived, by omitting the proof objects, from our introduction and elimination rules for ∧, ∨, ⇒, ⊥, ∀, ∃, choosing the weak rules for the elimination of disjunction and the existential quantifier, viz. (∨E) and (∃E').
Definition 8.2 The system of Heyting Arithmetic at Finite Types, $HA^\omega$, called $N\text{-}HA^\omega$ in the definition of [Tro73], section I.6, is similar to HA, except that objects can be of any of the finite types formed from N by the function space constructor. An operator which embodies definition by primitive recursion is included at each type. Quantifiers range over particular types, rather than the whole domain.
These systems have been studied extensively, and their relation with $TT_0$ can tell us something about the system itself. Obviously the system $HA^\omega$ is an extension of HA in a sense to be made clearer by the next definition. We write S ⊢ φ for `φ is a theorem of the formal system S'.
Definition 8.3 Given two formal systems $S_1$ and $S_2$, a function f from the formulas of $S_1$ to those of $S_2$ is an embedding of the first system in the second if for all formulas φ,

$S_1 \vdash \phi \;\text{ implies }\; S_2 \vdash (f\phi)$
If the relationship above is an equivalence, then $S_2$ is called a conservative extension of $S_1$, and we can call the function f an interpretation of $S_1$ in $S_2$.
The system $S_2$ is a conservative extension of $S_1$ if the two theories prove the same theorems in the language of the smaller, $S_1$; they give consistent pictures of their common domain.
Obviously there is an embedding of HA in $HA^\omega$. We can also embed the formulas of $HA^\omega$ as formulas of $TT_0$, and prove the result that

Theorem 8.4 For any formula φ, if $HA^\omega \vdash \phi$ then for some term t, we can derive in $TT_0$ the judgement t : φ.
Proof: The term t is a coding of the proof of φ in $HA^\omega$. More details are given in [Bee85], theorem XI.17.1. □
Moreover, if we add to $HA^\omega$ the axiom of choice over finite types, $AC_{FT}$,

$\forall x . \exists y . A(x, y) \Rightarrow \exists f . \forall x . A(x, f\,x)$

this is also validated by $TT_0$. Showing that the Axiom of Choice is derivable in type theory is one of Martin-Löf's few concessions to examples in his papers. See [ML85, ML84], and observe that the derivation does not use extensionality. If we adopt the extensional theory of [ML85], then our type theory extends the extensional version $HA^\omega + Ext + AC_{FT}$.
What results can we derive on the basis of this relationship?
Our first result, due to Troelstra, is typical of the gain we can get by looking at these inter-relationships: we are able to transfer a negative result from $HA^\omega$ to type theory. First we give another definition.
Definition 8.5 A function F from N ⇒ N to N is called continuous if for all f : (N ⇒ N) there is an n, so that if f i = g i for all i ≤ n, then F f = F g. The value n is called a modulus of continuity of F at f.
Continuity is an assertion of the finitary nature of the functions over N ⇒ N: the value of such a function at f is determined by a finite amount of information about f. We would therefore expect that this would be true of all the functions F definable in $TT_0$. However, we can show that $TT_0$ does not prove the formal statement of this,

$(\forall F : (N \Rightarrow N) \Rightarrow N) . Cont(F)$

This itself follows from the theorem

Theorem 8.6 The theory

$HA^\omega + AC_{FT} + Ext + (\forall F : (N \Rightarrow N) \Rightarrow N) . Cont(F)$

is inconsistent (i.e. derives ⊥)
Proof: See [Bee85], theorem XI.19.1. Using the axiom of choice, we can define a function μ returning the modulus of continuity of a function F at the argument f. Extensionality means that this modulus is determined by function values rather than representations, and this can be shown to lead to a finite procedure solving the limited principle of omniscience, a contradiction. □
Corollary 8.7 The theory $TT_0$ does not prove

$(\forall F : (N \Rightarrow N) \Rightarrow N) . Cont(F)$

Proof: If $TT_0$ proves this, then the extensional version of type theory proves it also and, as it also derives the axiom of choice, by the theorem is inconsistent. We have a proof of consistency, and so the original assumption is untrue. □
Can we characterise the arithmetical theorems provable in type theory? Again, the answer is yes,

Theorem 8.8 $TT_0$ is a conservative extension of HA, where we say that $TT_0$ makes a proposition A valid when we can derive t : A for some expression t.
Proof: This is due to a number of authors, including Beeson and Renardel, [Bee85, DT84]. The proof uses the technique of realizability, to which we turn in the next section. □
It is worth noting what the theorem says. It asserts that the system $TT_0$, which extends first-order arithmetic by embedding it in a system of types, for which the axiom of choice is assumed to hold (and which might be made extensional as far as this result is concerned), is no stronger than first-order arithmetic as far as arithmetical statements are concerned.
We have said nothing about the theories $TT$, $TT^+$ and $TT_0^+$. Each of these is stronger than $TT_0$. We have already shown that $TT$ is stronger than $TT_0$; other remarks about this can be found in [Bee85], section XIII.5. We know of no results for the theories with the full W-type.
8.1.2 Realizability
We remarked that the proof of theorem 8.8 was by the realizability method. We take the opportunity of explaining that method here, as it forms the foundation of an important piece of research which we also describe.
Realizability was introduced by Kleene in 1945 as a way of forming recursive models of intuitionistic theories. Given the informal explanations of the connectives which we first encountered in chapter 3, we can see that central to any explanation of a constructive system is a notion of transformation, as it is thus that implication and universal quantification are interpreted. Kleene's idea was to use recursive functions as the transforming functions. Of course, recursive functions can be coded by natural numbers, and so we shall define a relation

$e \Vdash \phi$

with e a natural number and φ a formula. We also write $\{e\}(q)\downarrow$ for `the recursive function e terminates on argument q'. Now we define realizability as originally given in [Kle45]:
Definition 8.9 Realizability for arithmetic (r-realizability, in fact) is defined by the following clauses.

$e \Vdash (A \Rightarrow B)$ iff $\forall q . (q \Vdash A \Rightarrow \{e\}(q)\downarrow \wedge \{e\}(q) \Vdash B)$
$e \Vdash \forall x . A$ iff $\forall x . (\{e\}(x)\downarrow \wedge \{e\}(x) \Vdash A)$
$e \Vdash \exists x . A$ iff $first\ e \Vdash A(second\ e)$
$e \Vdash A \wedge B$ iff $first\ e \Vdash A \wedge second\ e \Vdash B$
$e \Vdash A \vee B$ iff $(first\ e = 0 \Rightarrow second\ e \Vdash A) \wedge (first\ e \neq 0 \Rightarrow second\ e \Vdash B)$

Finally, any number realizes a true atomic formula.
We can think of the interpretation as giving a model of the logical system, with the valid formulas those φ for which some $e \Vdash \phi$. The important point about realizability is the theorem
Theorem 8.10 (Soundness) If HA proves φ then there is some natural number e which realizes φ, that is $e \Vdash \phi$.
Proof: Is by induction over the size of the proof of φ. A detailed proof is given in [Bee85], section VII.1. □
This can be read as saying that for any theorem φ, we have a term which gives the formula a computational interpretation, as is seen by examining a formula like

$\forall x . \exists y . P(x, y)$

where P is atomic.

$e \Vdash \forall x . \exists y . P(x, y)$
iff $\forall x . (\{e\}(x)\downarrow \wedge \{e\}(x) \Vdash \exists y . P(x, y))$
iff $\forall x . (\{e\}(x)\downarrow \wedge first\ \{e\}(x) \Vdash P(x, second\ \{e\}(x)))$

which means in particular that there is a recursive function g such that

$\forall x . P(x, g\,x)$
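Definition 8.9 and the extraction of g just carried out, as an added example in Python; this is not from the book. The formula classes and the functions `realizes` and `extract` are ours. Realizers are Python values in place of Gödel numbers: a pair for ∧, a pair (realizer, witness) for ∃ with `first e` the realizer and `second e` the witness as in the text, a pair (tag, realizer) for ∨, and a callable for ∀. Quantifiers range over a finite domain the caller supplies, so `realizes` is an exhaustive check on that domain rather than a proof about all of N, and implication is left out because checking it would mean quantifying over every realizer of the antecedent. The parity formula shows the feature that makes realizability computational: a realizer of a disjunction has to decide which disjunct holds, so a candidate that ignores its argument is rejected.

```python
"""Kleene r-realizability (Definition 8.9) run as a program.

Added example, not from the book: the formula classes, `realizes` and
`extract` are ours.  Realizers are Python values in place of Gödel
numbers: a pair (first e, second e) for ∧, a pair (realizer, witness)
for ∃ exactly as in the text, a pair (tag, realizer) for ∨, and a
callable for ∀.  Quantifiers range over the finite domain the caller
passes in, so `realizes` is an exhaustive check on that domain, not a
proof about all of N.  Implication is omitted: checking it would mean
quantifying over every realizer of the antecedent.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, Tuple, Union

Env = Dict[str, int]


@dataclass(frozen=True)
class Atom:
    pred: Callable[..., bool]          # decidable atomic formula
    args: Tuple[Union[str, int], ...]  # variable names or numerals


@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Exists:
    var: str
    body: "Formula"


@dataclass(frozen=True)
class Forall:
    var: str
    body: "Formula"


Formula = Union[Atom, And, Or, Exists, Forall]


def realizes(e: Any, phi: Formula, env: Env, domain: Iterable[int]) -> bool:
    """e ⊩ phi under the assignment env, with ∀ ranging over domain."""
    if isinstance(phi, Atom):
        # any number realizes a true atomic formula; e is not inspected
        vals = [env[a] if isinstance(a, str) else a for a in phi.args]
        return bool(phi.pred(*vals))
    if isinstance(phi, And):
        return (realizes(e[0], phi.left, env, domain)
                and realizes(e[1], phi.right, env, domain))
    if isinstance(phi, Or):
        tag, r = e                        # first e = 0 selects the left disjunct
        return realizes(r, phi.left if tag == 0 else phi.right, env, domain)
    if isinstance(phi, Exists):
        r, witness = e                    # first e ⊩ A(second e)
        return realizes(r, phi.body, {**env, phi.var: witness}, domain)
    if isinstance(phi, Forall):
        for x in domain:
            try:
                ex = e(x)                 # {e}(x)↓ : the call must return
            except Exception:
                return False
            if not realizes(ex, phi.body, {**env, phi.var: x}, domain):
                return False
        return True
    raise TypeError(f"not a formula: {phi!r}")


def extract(e: Callable[[int], Tuple[Any, int]]) -> Callable[[int], int]:
    """From a realizer of ∀x.∃y.P(x,y) read off the function g with
    ∀x.P(x, g x): g x = second {e}(x), as in the text's calculation."""
    return lambda x: e(x)[1]


# Constructed formulas and realizers (ours, for illustration).
# ∀x.∃y. y*y > x, realized by returning the witness x+1 together with a
# dummy realizer 0 for the atomic body.
SQ_BOUND = Forall("x", Exists("y", Atom(lambda x, y: y * y > x, ("x", "y"))))
sq_realizer = lambda x: (0, x + 1)

# ∀x.(even x ∨ odd x): the realizer must *decide* the disjunct for each x.
PARITY = Forall("x", Or(Atom(lambda x: x % 2 == 0, ("x",)),
                        Atom(lambda x: x % 2 == 1, ("x",))))
parity_realizer = lambda x: (x % 2, 0)
always_left = lambda x: (0, 0)          # ignores x, so it is not a realizer


def demo() -> Dict[str, Any]:
    g = extract(sq_realizer)
    return {
        "sq_realized": realizes(sq_realizer, SQ_BOUND, {}, range(50)),
        "g_values": [g(x) for x in range(5)],
        "parity_realized": realizes(parity_realizer, PARITY, {}, range(20)),
        "always_left_realized": realizes(always_left, PARITY, {}, range(20)),
    }
```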
There are a number of notable aspects of realizability. First observe that the right-hand sides of the definitions 8.9 are themselves expressions of arithmetic. This is crucial to the earlier result that type theory gives a conservative extension of HA. Because of this identification, we can study the relation between a formula and the formal expression of its realizability: it transpires that for r-realizability the formulas φ which are equivalent to the statement of their own realizability $\exists e . (e \Vdash \phi)$ are those which have no existential import: those with no computational significance, in other words.
Secondly we should note how general the definition is: all we need to give a different notion of realizability is a different collection of realizing functions, or a slightly different right-hand clause. Given a soundness theorem, we can extract some computational information from a proof of a formula. This applies equally well to target theories: the definition above is for first-order arithmetic, but in general we might look at other theories, such as higher-order versions of arithmetic.
Given this, our theory $TT_0$ begins to look like a particular version of realizability for a higher-order type system. Might some disadvantages accrue from too intimate a link between the logic and the notion of realizability which can be used to give computational content to the theorems of the system? One area which we looked at in section 7.1.2 is that of `computational relevance', where we saw that in certain circumstances our proof objects contained information which was unnecessary from a computational point of view. A decoupling of the logical rules from the function extraction mechanism could well result in more efficient extracted objects, without modification of the logic itself.
The major advantage of such an approach is that the logic in which proofs are written can remain fixed whilst different proof extraction techniques (i.e. notions of realizability) are applied to the proofs. This contrasts with the complications introduced by the augmented versions of TT in the previous chapter.
This decoupling lies at the heart of investigations into the system TK by Henson and Turner, to which we turn in the following chapter.
8.1.3 Existential Elimination

We observed earlier, in section 5.3.3, that the rule (∃E') was weaker than the rule (∃E) or the equivalent pair $(\exists E_1')$ and $(\exists E_2')$. These rules are investigated in depth in the thesis [Swa89], where it is shown that the use of (∃E) in the proof of the axiom of choice is essential:
Theorem 8.11 The strong rule (∃E) is equivalent to the weak rule, together with the axiom of choice.
Moreover, conservation results analogous to those above apply to this theory.
Theorem 8.12 $TT_0^w$, that is $TT_0$ with the weakened rule of existential elimination, is conservative over $HA^\omega$.
The system $TT_0^w$ is discussed in its own right in [Dil80].
8.2 Model Theory

Model theory attempts to give a meaning to formal systems like $TT_0$ and $TT$. In order to avoid circularity and the attendant problems of ambiguity or incoherence, the semantics should explain the system using notions outside the system itself.
Why is a semantics important?
• The simplest reason is that a completely uninterpreted system is of no interest to anyone. Every system has an informal semantics, investing its symbols with deeper meaning than simply marks on paper.
• A semantics can show that a system is consistent, or more strictly, consistent relative to the theory in which its semantics lies. This is not of idle interest, as it is quite possible to write down intuitively plausible systems, like Martin-Löf's earliest version of type theory, or the formal theory

$HA^\omega + AC_{FT} + Ext + (\forall F : (N \Rightarrow N) \Rightarrow N) . Cont(F)$

which subsequently turn out to be inconsistent. A semantics gives the assurance that this does not happen (assuming that a more primitive system is itself consistent). Moreover, a semantics may prove other meta-theoretical results, such as the Church-Rosser property.
• A semantics can delimit the proof-theoretic strength of a system, thus showing that the system will prove some theorems and not others.
• A semantics can not only establish that particular additions to the system maintain consistency but also it can suggest that certain strengthenings of the system (extending it by certain operations in the semantics, say) are also legitimate.
What forms can the semantics of $TT_0$ take? We look at the explanations given by Martin-Löf, Smith, Beeson and Allen in turn. First we should mention an important reference [ML75a] which examines the general notion of a constructive model for an intuitionistic theory, which fits those models introduced by Martin-Löf himself, Smith and Beeson.
8.2.1 Term Models

The most direct explanation is that given in [ML75b], which is given a gloss in both [ML85] and [NPS90]. The model is one of a class called term models. These models depend upon the notions of reduction and normal form, ideas external to the system itself.
The interpretation of a closed expression a : A is as a canonical form $a_0$ in $A_0$, the canonical form of the type A. For the theories $TT_0$ and $TT$ we interpret `canonical form' as `normal form', and section 5.6 contains a proof that the collections of closed normal terms form a model of the theory. Whilst making plain the meaning of closed expressions, we should say exactly how an expression b(x) : B(x) is given a meaning. b(x) is a canonical term of type B(x) if for all canonical a, b(a) reduces to a canonical term in B(a).
Term models form the canonical(!) model of type theory: the distinct nature of the normal forms attests to its non-triviality, and an informal explanation of the term model forms the basic intuitive semantics of the system, according to [ML85]. By examining the model we were able to show a number of additional properties of the system, including the Church-Rosser theorem and the decidability of judgements.
Because a term model is bound so tightly to the syntactic form of the system, it is difficult to use it to derive results such as conservation results, or to justify extensions to a theory: in this case a new term model formed from a wider class of expressions has to be shown to exist.
8.2.2 Type-free interpretations

It can be argued that one of the complications of the systems $TT_0$, $TT$ is in their complex type systems, with a simpler theory being provided by a type-free system. This can be said of the simple λ-calculus as against the typed λ-calculus, and for type theory, a type-free theory of logic and computation as given in [Smi84] or by the Frege structures of [Acz80] are suitable candidates.
Smith gives such an interpretation in [Smi84], and he characterises this interpretation on page 730 as

    The interpretation we will give ... is based on the semantical explanation of type theory given in [ML85]. Indeed it may be viewed as a metamathematical version of the semantical explanation, formalized in the logical theory.

It also has relationships with realizability, and in particular the model M of [Bee85], section XI.20; Smith uses type-free λ-terms as realizing functions whilst Beeson uses numbers, and of course Smith's theory is formalised.
As we saw above, one advantage of realizability models is that they can be used in characterising the proof-theoretic strength of a theory. Beeson used the model M in showing that $TT_0$ is conservative over HA.
The models of Aczel, Beeson and Smith are all general: a number of differing notions of realizability exist, and it can be shown that every model of the type-free λ-calculus can be extended to a Frege Structure, which in turn can provide a model of type theory.
8.2.3 An Inductive Definition

An alternative approach to the semantics of the system is described in [All87a, All87b] and is summarised in [CS87, Section 2.2]. Allen examines the definition of the system [ML85], aiming to give an inductive definition of the types as equivalence classes of sets of (untyped) expressions. That two expressions t and t' denote equivalent objects at type T is denoted

$t = t' \in T$

and $t \in T$ is shorthand for $t = t \in T$. An important clause is that for membership of the type (∀x : A) . B. t is in this type if (∀x : A) . B is a type and

$\exists u, b . \; t \to \lambda u . b \;\wedge\; \forall a, a' . (a = a' \in A \Rightarrow b[a/u] = b[a'/u] \in B) \qquad (8.1)$

A general reference on inductive definitions is [Mos74], where we can discover that not all inductive definitions have least solutions (or indeed solutions at all). There is always a least solution of a monotone inductive definition, and a sufficient condition for monotonicity is for the defining formula (8.1) to be positive in the relation

$\ldots = \ldots \in \ldots$

This is not the case, as the relation appears in the hypothesis of an implication. This failure means that the definition cannot be given simply as an inductive definition in this form.
Instead, Allen defines his system in a more complicated way, specifying a definition of an operator M, which can be thought of as a monotone operator on type theories. In turn, a type theory is seen as a two place relation T where

$T\ A\ (=_A)$

holds if and only if A is a type, carrying the equality relation $=_A$ in the type theory T. Since the operator M is monotone, a semantics is then given by the least fixed point of the operator.
In both [All87a] and [All87b] it is argued that this approach is close to that of Beeson, with Allen's more faithful to the lazy evaluation in Martin-Löf's informal semantics of the system.
An advantage of an inductive definition is that it can readily be extended to augmented systems. In [CS87] it is shown how to extend the semantics to the partial types of that paper. Allen himself argues that it can be used in justification of some of the `direct computation rules' of Nuprl, which allow the reduction of terms under fewer hypotheses than would be permitted in TT.
8.3 A General Framework for Logics

Our introduction to the theories TT_0 and TT has been somewhat informal
as far as syntax is concerned, and in this section we review how the
presentation can be formalised.
    The operations which form types and elements have a definite
metatheoretical type. For example, ⇒ is of meta-type
    Type → Type → Type
where we write `→' for the function space constructor at the meta-level, and
Type is the meta-type of types. Similarly, the injection inl can be given
the meta-type
    Π(t : Type).Π(s : Type).( El(s) → El(s ∨ t) )
where `Π' is the dependent function space constructor in the meta-language,
and El is a constant of meta-type
    Π(t : Type).Elem
which associates with a type expression the collection of elements it is
intended to denote. These two examples suggest that as a meta-theory we
can use a typed λ-calculus with dependent product types, with rules
of β- and η-conversion.
    All the operations of the system TT, including those such as λ which
bind variables, can be presented as constants in the meta-theory, taking
advantage of the binding in the meta-language. The operator λ over the
non-dependent types can be described by
    λ :: Π(t : Type).Π(s : Type).( (El(t) → El(s)) → El(t ⇒ s) )
where `e :: τ' means `e has meta-type τ'. The application operator is a
constant of type
    app :: Π(t : Type).Π(s : Type).( El(t ⇒ s) → El(t) → El(s) )
The computation rule for the function space is, of course, β-reduction.
Using the subscripted form app_{t,s} for the application of the operator app
to the types t, s, this is described by the equation between terms
    app_{t,s} (λ_{t,s} f) a = f a
Since f is a meta-function, i.e. an element of type
    El(t) → El(s)
substitution in the object language is thus described by β-reduction in
the meta-language. A similar approach is equally effective with the other
variable-binding operations.
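The encoding just described, as an added example in Python that is not from the book: the object-level λ and app are represented as constants (`Lam` and `app`), an object-level binder is a meta-level (Python) function, and the computation rule app (λ f) a = f a is nothing more than a Python call. All names (`Var`, `Lam`, `App`, `app`, `normalize`, `show`, the combinators `K` and `S`) are this example's own; the printed variable names x0, x1, ... are a presentation device, not object syntax.

```python
"""Added example (not from the book): object-level binders borrowed from the
meta-language, in the style of the logical-framework presentation above."""
from dataclasses import dataclass
from typing import Callable, Union


@dataclass
class Var:
    name: str


@dataclass
class Lam:
    # The body is a meta-level function: binding comes from the meta-language.
    body: Callable[["Term"], "Term"]


@dataclass
class App:
    fun: "Term"
    arg: "Term"


Term = Union[Var, Lam, App]


def app(f: Term, a: Term) -> Term:
    """The object-level application constant.  Its computation rule
    app (lam f) a = f a is meta-level function application; no substitution
    routine is written anywhere in this file."""
    if isinstance(f, Lam):
        return f.body(a)        # the beta step, done by the meta-language
    return App(f, a)            # stuck: keep the application as a term


def normalize(t: Term) -> Term:
    """Reduce all redexes, including those under binders."""
    if isinstance(t, App):
        f, a = normalize(t.fun), normalize(t.arg)
        return normalize(f.body(a)) if isinstance(f, Lam) else App(f, a)
    if isinstance(t, Lam):
        return Lam(lambda x: normalize(t.body(x)))
    return t


def show(t: Term, depth: int = 0) -> str:
    """Reify a term by feeding each binder a fresh variable x<depth>."""
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Lam):
        x = Var(f"x{depth}")
        return f"(\\{x.name}. {show(t.body(x), depth + 1)})"
    return f"({show(t.fun, depth)} {show(t.arg, depth)})"


# K = \x.\y.x and S = \f.\g.\x.(f x)(g x), built only from the two constants.
K = Lam(lambda x: Lam(lambda y: x))
S = Lam(lambda f: Lam(lambda g: Lam(lambda x: app(app(f, x), app(g, x)))))


def k_applied() -> str:
    """K a b --> a: two uses of the computation rule."""
    return show(normalize(app(app(K, Var("a")), Var("b"))))


def skk_applied() -> str:
    """S K K z --> z, again with no substitution code of our own."""
    return show(normalize(app(app(app(S, K), K), Var("z"))))
```

Because a free variable such as `Var("y")` is never renamed and a binder only ever receives the term it is applied to, substitution is capture-free by construction: `show(app(K, Var("y")))` prints `(\x0. y)`, with the inner binder and the free `y` kept apart.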
    The origins of this approach seem to lie in Martin-Löf's theory of
arities, [ML85] and his work on categories of the philosophical and not the
mathematical sort, reported in [ML83]. Explicit discussions of the
presentation of type theory in this form are to be found in [Dyb88] and in
Part III of [NPS90].
    This approach has been used in the Edinburgh Logical Framework,
which provides a machine environment for general logical reasoning, [HHP87],
and has shown itself capable of expressing a variety of different logics
[AHM87]. A consequence of descriptions of this sort is that the complexity
of logics like Hoare's logic for imperative languages like Pascal is greater
than might at first be thought; the effect is similar to the complexity of
languages revealed by their complete denotational semantic definition.
326 CHAPTER 8. FOUNDATIONS

8.4 The Inversion Principle

When describing a type in TT we give four kinds of rule. First we give the
formation rule which introduces the new type expression, building a new
type from constituent parts. An example is

    A is a formula    B is a formula
    ------------------------------- (∨F)
         (A ∨ B) is a formula

The elements of the type are then described by a number of introduction
rules, such as

         q : A                        r : B
    ----------------- (∨I1)     ----------------- (∨I2)
    inl q : (A ∨ B)             inr r : (A ∨ B)

Now, the elimination and computation rules are needed to characterise the
fact that the elements of the type are only those given by the introduction
rules. These are the closure or induction rules. It appears that no more
information about the type need be supplied to characterise these rules, as
the elements exhausting the type have already been specified, so the closure
rules should be definable by inversion.
    This idea, which can be traced back to Gentzen and [Pra65], has been
pursued by a number of investigators. The first of these is Schroeder-Heister
who investigated the problem of generating the elimination rules from the
introduction rules in first-order intuitionistic logic; see [SH83a, SH83b].
    Concentrating for the present on the example of `∨', how do we
summarise the fact that a proof of A ∨ B is either a proof of A or a proof of
B? We do it thus: given hypothetical proofs of C from A and from B, we
can deduce C from A ∨ B. This means that any proof of A ∨ B must have
been a proof either of A or of B. This gives us the logical rule

                 [A]    [B]
                  .      .
                  .      .
    (A ∨ B)       C      C
    ----------------------- (∨E')
               C

How do we lift this to type theory, in which we have explicit proof objects
which inhabit the propositions?

                    [x : A]    [y : B]
                       .          .
                       .          .
    p : (A ∨ B)      u : C      v : C
    --------------------------------- (∨E')
         vcases'_{x,y} p u v : C
Given proof objects, p, u, v, of the appropriate type we form the new proof
object
    vcases'_{x,y} p u v
binding the variables x and y in u and v respectively, since the logical rule
discharges these assumptions. This is a new expression form, but we can
see how it may be simplified. A proof of A ∨ B is either inl a or inr b. In
the former case, we can get a proof of C by substituting a for x in u; in the
latter we substitute b for y in v, giving the familiar computation rules
    vcases'_{x,y} (inl a) u v → u[a/x]
    vcases'_{x,y} (inr b) u v → v[b/y]
    We can generalise this inversion thus: If the n introduction rules for the
connective ⊙ take the form

    H_{i,1} ... H_{i,m_i}
    --------------------- (I_i)
       ⊙ A_1 ... A_k

for i = 1, ..., n then there are n and only n different ways of introducing
the formula ⊙ A_1 ... A_k (which we shall write as ⊙). If we can deduce a
formula C from each of the sets of hypotheses
    H_{i,1} ... H_{i,m_i}
then this exhausts all the ways in which we could have introduced ⊙ and
so we can deduce C from ⊙ itself. This is written as a rule

         [H_{1,1} ... H_{1,m_1}]        [H_{n,1} ... H_{n,m_n}]
                   .                              .
                   .                              .
    ⊙              C              ...             C
    ---------------------------------------------------- (E)
                              C

If we now look at the situation in type theory, each of the introduction rules
introduces a constructor K_i for elements of the type ⊙, depending upon the
appropriate elements of the hypothesis types,

    y_{i,1} : H_{i,1} ... y_{i,m_i} : H_{i,m_i}
    ------------------------------------------- (I_i)
         K_i y_{i,1} ... y_{i,m_i} : ⊙

We define a new elimination object ⊙elim, which will bind the variables
y_{i,j} in the hypothetical proofs p_i:

              [y_{i,1} : H_{i,1} ... y_{i,m_i} : H_{i,m_i}]
                                 .
                                 .
    p : ⊙     ...              p_i : C               ...
    ------------------------------------------------------ (E)
               ⊙elim p p_1 ... p_n : C

Given a proof K_i a_1 ... a_{m_i} of ⊙, we can simplify the proof of C given by
(E) by substituting the objects a_j for the hypotheses y_{i,j}, thus,
    ⊙elim (K_i a_1 ... a_{m_i}) p_1 ... p_n → p_i[a_1/y_{i,1}, ..., a_{m_i}/y_{i,m_i}]
    Let us now consider an example of another connective, conjunction. The
introduction rule is

      a : A    b : B
    ----------------- (∧I)
    (a, b) : A ∧ B

As we have a single introduction rule, the above scheme gives the
elimination rule

                  [x : A, y : B]
                        .
                        .
    p : A ∧ B         c : C
    ------------------------- (∧E')
      ∧elim_{x,y} p c : C

where we give the subscript in ∧elim_{x,y} to make plain which variables are
bound by the conjunction elimination. The computation rule reads
    ∧elim_{x,y} (a, b) c → c[a/x, b/y]
How does this rule relate to the usual ones? If we take c : C to be x : A, we
have
    ∧elim_{x,y} (a, b) x → a : A
so that fst is recovered as λp.(∧elim_{x,y} p x); snd is recovered in a
similar way. The rule (∧E') is no stronger than the usual rules, as given
c : C depending upon x : A, y : B, and the element p : A ∧ B, we can build the
object
    c[fst p/x, snd p/y] : C
which behaves exactly like the object ∧elim_{x,y} p c when p is a pair.
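The inversion scheme of this section, as an added Python example that is not from the book: a type is given to the program only as a list of introduction rules (constructor names with arities), and the elimination operator together with its computation rule ⊙elim (K_i a_1 ... a_m) p_1 ... p_n → p_i[a_1/y_{i,1}, ...] is read off from that list rather than written per type. The names `Con`, `Inductive`, `vcases`, `and_elim` and the rest are this example's own. It implements exactly the non-recursive scheme displayed above, so for N it yields case analysis only, not the recursion of the usual natural-number eliminator.

```python
"""Added example (not from the book): eliminators generated by inversion
from the introduction rules alone."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple


@dataclass(frozen=True)
class Con:
    """A canonical element K_i a_1 ... a_m of an inductively presented type."""
    tag: str
    args: Tuple[Any, ...]


class Inductive:
    """A type known only through its introduction rules: the constructor
    names K_i and their arities m_i.  Nothing else is supplied by hand."""

    def __init__(self, name: str, intro: Dict[str, int]):
        self.name, self.intro = name, intro

    def con(self, tag: str) -> Callable[..., Con]:
        """The introduction rule (I_i) as a function of m_i arguments."""
        arity = self.intro[tag]

        def k(*args: Any) -> Con:
            if len(args) != arity:
                raise TypeError(f"{tag} expects {arity} arguments, got {len(args)}")
            return Con(tag, args)
        return k

    def elim(self, p: Con, **branches: Callable[..., Any]) -> Any:
        """elim p p_1 ... p_n, one hypothetical proof p_i per introduction
        rule, binding y_{i,1} .. y_{i,m_i}.  The computation rule
        elim (K_i a_1 .. a_m) p_1 .. p_n -> p_i[a_1/y_{i,1}, .., a_m/y_{i,m}]
        is the call branches[K_i](a_1, .., a_m): substitution for the bound
        y_{i,j} is done by meta-level function application."""
        if set(branches) != set(self.intro):
            raise TypeError(f"need exactly one branch per constructor of {self.name}")
        if p.tag not in self.intro:
            raise TypeError(f"{p.tag} is not a constructor of {self.name}")
        return branches[p.tag](*p.args)


# Disjunction: two introduction rules of arity one, (vI1) and (vI2).
Or = Inductive("A v B", {"inl": 1, "inr": 1})
inl, inr = Or.con("inl"), Or.con("inr")


def vcases(p: Con, u: Callable[[Any], Any], v: Callable[[Any], Any]) -> Any:
    """vcases'_{x,y} p u v, with u binding x and v binding y."""
    return Or.elim(p, inl=u, inr=v)


# Conjunction: a single introduction rule of arity two, (^I).
And = Inductive("A ^ B", {"pair": 2})
pair = And.con("pair")


def and_elim(p: Con, c: Callable[[Any, Any], Any]) -> Any:
    """^elim_{x,y} p c, with c binding x and y."""
    return And.elim(p, pair=c)


def fst(p: Con) -> Any:
    """fst recovered by taking c : C to be x : A."""
    return and_elim(p, lambda x, y: x)


def snd(p: Con) -> Any:
    return and_elim(p, lambda x, y: y)


def and_elim_via_projections(p: Con, c: Callable[[Any, Any], Any]) -> Any:
    """c[fst p/x, snd p/y]: behaves like ^elim_{x,y} p c when p is a pair."""
    return c(fst(p), snd(p))


# Natural numbers: zero (arity 0) and succ (arity 1).  The scheme above gives
# case analysis; primitive recursion needs the branch for succ to receive the
# result for the predecessor as well, which this non-recursive inversion omits.
Nat = Inductive("N", {"zero": 0, "succ": 1})
zero, succ = Nat.con("zero"), Nat.con("succ")


def is_zero(n: Con) -> bool:
    return Nat.elim(n, zero=lambda: True, succ=lambda m: False)


def rejects_partial_branches() -> bool:
    """The closure reading: every introduction rule must have a branch."""
    try:
        Or.elim(inl(1), inl=lambda a: a)
    except TypeError:
        return True
    return False
```

The exhaustiveness check in `elim` is the operational face of the closure reading of the elimination rule: a branch for every introduction rule and no branch for anything else, so a `Con` with a tag that was never introduced is rejected rather than matched.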
    The inversion principle applies to the rules for the existential quantifier,
and also to the rules for finite types, N_n, the natural numbers and all
well-founded types like lists and trees. It does not, however, apply to the
naive rule (SetE) for subset elimination.
    There is a difficulty in inverting the rules for implication and universal
quantification, because the introduction rules for these constructs discharge
a hypothesis. Taking the example of implication,

      [A]
       .
       .
       B
    -------- (⇒I)
    A ⇒ B

To perform our inversion successfully, we need to introduce hypothetical
hypotheses, which we first saw in section 7.7.2 above. These are introduced
in [SH83a] and [Bac86], which seems to have been developed independently
of the earlier paper.
We add to our system terms of the form
    {Γ ⊢ J}                                                    (8.2)
where Γ is a context and J is a judgement. This is intended to mean that
the statement (8.2) is introduced by giving a derivation of the judgement
J in the context Γ, that is

      [Γ]
       .
       .
       J
    --------- (I)
    {Γ ⊢ J}

To eliminate such a hypothetical hypothesis we have the rule

    {Γ ⊢ J}    Γ[t_1/x_1, ..., t_n/x_n]
    ----------------------------------- (E)
         J[t_1/x_1, ..., t_n/x_n]

where a derivation of an instance of a context is taken to be a collection of
derivations of the instances of the constituent judgements. How do we use
these hypothetical hypotheses in the inversion of the rule for implication?
Following the inversion procedure, we have

              [{A ⊢ B}]
                  .
                  .
    A ⇒ B         C
    ----------------- (⇒E')
            C

which gives the rule of modus ponens thus:

              [{A ⊢ B}]    A
              -------------- (E)
    A ⇒ B           B
    ----------------------- (⇒E')
              B

In order to state correctly the rule for ⇒-elimination in this form, we need
to be careful about how variables are bound in expressions. The most
perspicacious statement can be made if we assume a binding operation λ
in the meta-language, with the object language λ acting as a constant as
we explained above. Under this discipline the informal abstraction λx.e
will be written λ(λx.e).
    If we denote meta-theoretic application by an infix `·', we have

             [{x : A ⊢ (e · x) : B}]
                        .
                        .
    f : A ⇒ B       (c · e) : C
    ------------------------------ (⇒E')
           expand f c : C

with the associated computation rule
    expand (λ g) c → c · g
    Backhouse gave a number of principles for the inversion, but there are
difficulties of deciding when his method produces a consistent system,
especially when recursive types are involved. In [Dyb89] a more general
inversion principle is presented, which is based on the observation that all
the types of type theory, apart from the universes, can be seen as arising
from systems of inductive definitions in the appropriate logical framework.
He shows that the type forming operations may be parametrised, and can
also permit simultaneous definition of types.
    Such a system also has semantic implications: if a proposed type can
be presented as a positive inductive definition then consistent rules for
its elimination and computation can be deduced automatically. It would
appear that this sanctions additions such as [Dyc85], though not the subset
or quotient constructions.
    A final remark is in order. It is well known that in classical logic,
various sets of connectives such as ¬, ⇒ and ¬, ∧ are complete, in being
able to express all possible propositional functions; what is the situation
for intuitionistic logic? It is shown in [SH83b] that the set ∧, ∨, ⇒, ¬, ∃,
∀ is sufficient to define all the connectives defined by the standard forms
of introduction and elimination rules, where by this is meant rules which
abide by the inversion principle described above.

Exercises

8.1. Show that the inversion principle fails to apply to the rule (SetE)
introduced in the previous chapter.
8.2. Check that the inversion principle applies to the rules for the finite
types, the natural numbers and to the rules for the type of finite lists.
8.3. Does the inversion principle apply to the rules for the inductive and
co-inductive types of sections 7.10 and 7.11? Does it apply to the definitions
of general recursion given in the previous chapter?
Chapter 9

Conclusions

This chapter gives a survey of a number of approaches related to some
degree to constructive type theory; we have tried to stress the major points of
difference between these systems and type theory itself, but to do complete
justice to them would require another book of this size.

9.1 Related Work

This section examines various systems, implemented or theoretical, which
are related to Martin-Löf's Type Theory. Rather than give exhaustive
descriptions, the chapter contains brief introductions to the systems,
bibliographic references and finally a discussion of points of similarity and
difference between the systems. Throughout our exposition we have
concentrated on the intensional version of type theory, [ML75b]; we have
discussed differences between this and the extensional version as we have
gone along.

9.1.1 The Nuprl System

For the past fifteen years there has been an active research group in the
Computer Science Department of Cornell, led by Constable and Bates,
interested in the implementation of logics. In particular interest has focussed
upon logics for the formalisation of mathematics and program development,
and this research has culminated in the development of the Nuprl system,
described in the book [C+86a]. Nuprl consists of an implementation of a
type theory related to the extensional version of TT, [ML85], but modified
and augmented in a number of ways, which we discuss presently. Constable's
book provides the comprehensive reference on the system; shorter
accounts of the underlying ideas can be found in [BC85, CKB84].
    More importantly, the orientation of the system is different from our
treatment of type theory in this book, which we have viewed principally
as a functional programming system. The emphasis of Nuprl is logical,
in that it is designed to support the top-down construction of derivations
of propositions in a natural deduction system. The proof objects of type
theory are called `extract terms', the idea being that these are extracted
post hoc from derivations in which they appear only implicitly.
    Proofs are constructed in a top-down way, using tactics and tacticals
much in the same way as the LCF system, [Pau87]. Indeed the logic is
embedded in the ML metalanguage, exactly as in LCF.
    We mentioned earlier that the system differed somewhat from [ML85].
In particular it features the strong elimination rules of section 7.7.2, as
well as the liberal notion of direct computation rules, [C+86a], Appendix
C, which allow the rewriting of terms without demanding the usual
attendant proofs of well-formedness, which are necessitated by the interlinking
of syntax and derivation in type theoretic systems.
    It is also augmented in a number of ways, including as it does subsets
(see section 7.2), quotient types (section 7.5), partial function types (section
7.12) and so forth. It should be said that many of the additional constructs
are introduced with the aim of eliminating computationally irrelevant
information from the objects extracted, as we discussed in section 7.1.2. This
is in part due to the implicit nature of the proof objects in many of the
derivations.

9.1.2 TK: A theory of types and kinds

The system TK is introduced in the paper [HT88] which contains a useful
comparison between TT and TK; the topic of program development in TK
is discussed in [Hen89]. TK is a theory of constructive sets `designed with
program development as the major desideratum'.
    The principle of complete presentation together with the identification
of types and propositions are central to type theory as we have introduced
it here, and Henson and Turner argue that they lead to a number of its
shortcomings, including the unsatisfactory treatment of subsets and general
recursion. They propose instead that the system TK should separate the
two, with a simpler collection of types (or sets) and a separate collection
of logical assertions. The principal set formation operations are separation
and induction. Separation allows definitions like
    {x | φ(x)}
which contains precisely those x which have the property φ. Inductive
constructions are performed along lines similar to section 7.10 above. To
increase expressibility, a hierarchy of universes or kinds is also added to
the set theory, hence the name TK.
    Another difference between TK and TT is that terms in the former
theory can be partial or undefined, whereas in TT they are, of course,
total. The merits of the two approaches can be argued; note that since the
logic and the types are no longer identified the presence of partial objects
does not make the logic inconsistent.
    Reasoning about the sets is performed in a rich logical language, and
since the logic is constructive, there are realisability models for it. Using
the techniques outlined in section 8.1.2 programs can be extracted from
constructive proofs, and it is this technique for program development which
the authors stress, especially in [Hen89]. The realizability approach allows
a lot of flexibility in the choice of realizing operations: for example, a
conditional assertion can be added to the language and its realizers can be
made quite distinct from those of its usual logical definition.
    Another advantage of the realizability approach is that computationally
irrelevant parts of functions need not appear, a topic we discussed earlier
and which is examined in [Hen91].
    On the other hand, we have seen that in TT both the options of program
extraction and explicit functional programming are available and can be
combined within a single development; whether they can be combined so
well in TK is not clear.
    Work on the theoretical foundations of TK and on an implementation
both proceed, and it seems certain that our understanding of TT will be
enriched by these. It remains to be seen which, if either, of the two systems
is the superior for practical program development purposes.

9.1.3 PX: A Computational Logic

It is not only from a type theory that proofs can be extracted; realizability
models of intuitionistic formal systems allow the extraction of computations
from the system. A markedly different system, called PX, has been built at
the Research Institute of Mathematical Sciences at Kyoto University, and
is introduced in [Hay90] and described in detail in the monograph [HN88].
    PX is a logic for a type-free theory of computations, based on Feferman's
T_0, [Fef79], from which LISP programs are extracted by a notion of
realizability called px-realizability. Hayashi argues the requirement that a
theory like TT be total is too restrictive for practical program development,
in justification of his logic being based around a system of possibly
non-terminating computations. Because of this possibility he incorporates two
sorts of variable in the system, one kind ranging over terminating objects,
the other over all objects, together with a definedness predicate, E, much
as in [Sco79].
    Crucial to the logic is the principle of CIG (for Conditional Inductive
Generation). This is the means by which sub-classes of the domain are
defined, by which recursions proceed and by which inductive proofs,
including proofs of termination over a domain, are given. In this respect it
is analogous to the recursive definitions given by well-founded recursion in
section 7.9, as well as the inductive types of section 7.10.
    Hayashi defines a subset of the language consisting of the formulas which
contain no ∨ or ∃ and which are said to be of Rank 0. No realising terms
are needed for rank zero formulas, as they have no computational content.
An example of a formula of rank zero is the inclusion A ⊆ B; an instance of
such a formula might be an assertion of termination: the set A is contained
in the domain of definition, B, of the function f. It is shown that such
formulas can be proved using classical logic without risking the consistency
or computational interpretation of the system, manifesting the flexibility
we discussed in the previous section.

9.1.4 AUTOMATH

The AUTOMATH project was begun at Eindhoven University under the
direction of Nicolaas de Bruijn in 1966, with the aim

    to develop a system of writing entire mathematical theories in
    such a precise fashion that verification of the correctness can be
    carried out by formal operations on the text.

The quotation comes from [dB80] which gives a survey of the project;
examples of the style of presentation of mathematics in the system can be found
in [dB73]. A pinnacle in the achievements of the group is the complete
formalization of Landau's Grundlagen, a text on analysis.
    The system itself uses a form of type theory, based on the notion of
propositions as types, to represent logics of either classical or constructive
mathematics. Amongst its technical innovations is a discussion of the
irrelevance of proofs when working in a classical context, which is one
of the reasons advanced by de Bruijn for the separation between the
notions of type and prop in the system, an idea anticipating by some years
discussions in the computing science community, reported in section 7.1.2.
    In the course of implementing the system, the problem of identifying
λ-expressions which agree up to a change of bound variable names
(α-conversion) was found to be a considerable overhead. [dB72] introduces
a most useful method of circumventing the problem. Variable names are
replaced by numerical indexes; an occurrence of a variable x is replaced by
the number of λ's which lie between the occurrence and the λx binding it,
so that for example the λ-expression
    λa.λb.λc.(a c)(b c)
is replaced by
    λλλ(2 0)(1 0)
This technique has found application in the implementation of functional
programming languages as well as logics, see [Hue90a], Part I.
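De Bruijn's representation, as an added Python example that is not from the book: named terms are translated into nameless ones using the section's convention (an occurrence becomes the number of λ's between it and its binder, so the innermost binder is 0), after which α-equivalence is plain structural equality, and a β-step is carried out by index arithmetic with no renaming. The class names (`V`, `L`, `A`, `Idx`, `Free`, `Lam`, `App`), `to_de_bruijn`, `shift`, `subst`, `beta` and the constant `S_TERM` are this example's own; free variables are kept by name, a choice the section does not discuss.

```python
"""Added example (not from the book): de Bruijn's nameless lambda terms."""
from dataclasses import dataclass
from typing import Sequence, Union


# Named syntax.
@dataclass(frozen=True)
class V:
    name: str


@dataclass(frozen=True)
class L:
    var: str
    body: "Named"


@dataclass(frozen=True)
class A:
    fun: "Named"
    arg: "Named"


Named = Union[V, L, A]


# Nameless syntax: Idx(i) is bound by the (i+1)-th enclosing Lam.
@dataclass(frozen=True)
class Idx:
    i: int


@dataclass(frozen=True)
class Free:
    name: str


@dataclass(frozen=True)
class Lam:
    body: "Nameless"


@dataclass(frozen=True)
class App:
    fun: "Nameless"
    arg: "Nameless"


Nameless = Union[Idx, Free, Lam, App]


def to_de_bruijn(t: Named, env: Sequence[str] = ()) -> Nameless:
    """env lists the binders in scope, innermost first, so a name's position
    in env is exactly the number of lambdas between use and binder."""
    if isinstance(t, V):
        return Idx(env.index(t.name)) if t.name in env else Free(t.name)
    if isinstance(t, L):
        return Lam(to_de_bruijn(t.body, [t.var] + list(env)))
    return App(to_de_bruijn(t.fun, env), to_de_bruijn(t.arg, env))


def alpha_equivalent(s: Named, t: Named) -> bool:
    """Renaming a bound variable does not change the nameless form, so
    structural equality of the translations decides alpha-equivalence."""
    return to_de_bruijn(s) == to_de_bruijn(t)


def shift(t: Nameless, d: int, cutoff: int = 0) -> Nameless:
    """Add d to every index that points past `cutoff` enclosing binders."""
    if isinstance(t, Idx):
        return Idx(t.i + d) if t.i >= cutoff else t
    if isinstance(t, Lam):
        return Lam(shift(t.body, d, cutoff + 1))
    if isinstance(t, App):
        return App(shift(t.fun, d, cutoff), shift(t.arg, d, cutoff))
    return t


def subst(t: Nameless, j: int, s: Nameless) -> Nameless:
    """t[s/j]; under a binder both the target index and s move up by one."""
    if isinstance(t, Idx):
        return s if t.i == j else t
    if isinstance(t, Lam):
        return Lam(subst(t.body, j + 1, shift(s, 1)))
    if isinstance(t, App):
        return App(subst(t.fun, j, s), subst(t.arg, j, s))
    return t


def beta(t: Nameless) -> Nameless:
    """One root beta step: (\\ body) arg -> body[arg/0], then the vanished
    binder is accounted for by moving the indices that pointed past it down.
    Capture cannot occur, which is what the representation buys."""
    if isinstance(t, App) and isinstance(t.fun, Lam):
        return shift(subst(t.fun.body, 0, shift(t.arg, 1)), -1)
    return t


def show(t: Nameless) -> str:
    if isinstance(t, Idx):
        return str(t.i)
    if isinstance(t, Free):
        return t.name
    if isinstance(t, Lam):
        return "\\" + show(t.body)
    return "(" + show(t.fun) + " " + show(t.arg) + ")"


# The section's example: \a.\b.\c.(a c)(b c) becomes \\\(2 0)(1 0).
S_TERM = L("a", L("b", L("c", A(A(V("a"), V("c")), A(V("b"), V("c"))))))
```

The two `shift` calls in `beta` are where implementations usually go wrong: the argument is shifted up before it is pushed under the binder it replaces, and the whole body is shifted down afterwards because that binder is gone. Applying `\x.\y.x` to a free `y` yields `\y` (the nameless `Lam(Free("y"))`), the result a naive name-based substitution would have captured.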

9.1.5 Type Theories

The systems TT_0 and TT can be seen as extensions of the simply typed
λ-calculus, as explored in chapter 2. Other extensions exist, and we examine
the two most important here. The first is the second-order or polymorphic
λ-calculus, invented independently by [Rey74] and [Gir72], the latter calling
the calculus System F. A short yet comprehensive introduction is provided
by [Rey90].
    The calculus extends the first-order lambda calculus by allowing type
variables α, β, ... so that a function like
    K =df λx.λy.x
can be given the type α ⇒ β ⇒ α, just as is possible in polymorphic
languages like SML and Miranda. The variables in the expression above can be
thought of as being implicitly universally quantified, the function K having
the type α ⇒ β ⇒ α for all instances of α and β. This implicit
quantification is made explicit in the second-order λ-calculus with the introduction
of the type abstraction operator Λ and the type forming Π. Given
    K_{α,β} =df λx:α.λy:β.x : α ⇒ β ⇒ α
we can form
    K =df Λα.Λβ.λx:α.λy:β.x : Πα.Πβ.(α ⇒ β ⇒ α)
In general, if
    e : t
then the expression Λα.e is parametrised over the type variable α, giving
it the type Πα.t. Type abstractions are applied just as ordinary ones, and
    (Λα.e) τ : t[τ/α]
where τ is an arbitrary type expression. The system is stronger than the
Milner type system, as types can contain embedded universal quantifiers,
such as
    (Πα.(α ⇒ α)) ⇒ (Πα.(α ⇒ α))
but here lies a twist: this type is in the domain of the Πα ... quantification,
so that there is a circularity in the definition of the type. Contrast this with
the TT type
    ((∀α : U_0).(α ⇒ α)) ⇒ ((∀α : U_0).(α ⇒ α))
whose definition is not circular: the type lies in U_1 and not U_0 and so is
outside the range of the quantifier (∀α : U_0) ....
    We are used to circularities in definitions of recursive functions and
types, so we should not abandon hope about the system. Indeed, it can be
shown consistent and strongly normalizing, having the proof theoretic strength
of second-order arithmetic, thus making it more expressive than TT_0. These
results can be found in [GLT89], and a number of papers on the semantics
of the second-order λ-calculus can be found in [Hue90a], Part II.
    The Curry-Howard isomorphism extends to this situation, with
quantification over types having the equivalent of quantifying over all
propositions. This has the interesting corollary that we can define many of the
propositional connectives from Π. For instance, recalling the simple rule
for disjunction elimination, we have

    (A ∨ B)    (A ⇒ C)    (B ⇒ C)
    ----------------------------- (∨E)
                 C

From A ∨ B we can infer (A ⇒ C) ⇒ (B ⇒ C) ⇒ C for all propositions C,
so that in the terminology of the second-order λ-calculus, we have
    ΠC.( (A ⇒ C) ⇒ (B ⇒ C) ⇒ C )
Given an element a : A we can form an object of this type,
    ΛC.λf.λg.(f a)
and of course we can do the same with b : B. Are all elements of the
type of this form? This question revolves around quite subtle issues in the
semantics of the calculus, discussed in [Hue90a], Part II.
    The second-order calculus provides no means of defining the type
transformation
    A, B ↦ ΠC.( (A ⇒ C) ⇒ (B ⇒ C) ⇒ C )
as an operation of the calculus itself. This extension of the system is
provided by the Calculus of Constructions of Coquand and Huet, to which
we turn now. The system was introduced in [CH85], and is discussed in the
context of other type theories in [Hue90b], and it allows direct definition
of such operators. One means of so doing is the addition of a new type
Prop of propositions, but we have seen earlier that this leads to logical
inconsistency, [Gir72]. Without allowing this, the theory of constructions
allows the definition of these type operators, and thus a large portion of
mathematics is developed in a very simple foundational theory. One point
to note is the apparent undefinability of a strong existential type in the
language; the definition which embodies the equivalence between
    (∀x : A).( C(x) ⇒ B )   and   ( (∃x : A).C(x) ) ⇒ B
(when x is not free in B) defines only a weak existential. The difficulty is the
way in which the proof objects and types are mingled in the elimination rule
for the strong existential type.
    A realizability semantics for the Calculus of Constructions is discussed
in [Hue90a], Part III.

9.2 Concluding Remarks

It can be seen from the contents of the last two chapters that research into
type theory is still in flux; despite this, the core of the system has been
shown to be a sound and elegant combination of logic and functional
programming, and I hope that the reader can share my enthusiasm for the
subject. One of the keenest intellectual pleasures is to see connections in
the hitherto unconnected, and I can still remember the thrill on discovering
that the proof of the deduction theorem for a Hilbert-style logic, learned
as a beginning graduate student in logic, is exactly the same as the bracket
abstraction algorithm in the λ-calculus, a result used in the implementation
of functional programming languages, and which I came upon in a
computing context, years later.
    Reflecting on the material in chapter 7, one negative conclusion seems
inescapable: additions to the system are quite possible, but each of them
seems to extract a price, either by increasing the complexity of the system
or by changing some of its metamathematical properties. We should
therefore be quite certain that we need to add a feature before doing so.
This conclusion is obvious to anyone familiar with the majority of
programming languages, in which a jumble of features co-exist in a most
precarious fashion; perhaps it is something we have to learn for ourselves.
    Nonetheless, the plight of imperative programming seems to get ever
more hopeless. Although it is in theory quite possible to develop proofs for
programs written in Pascal and C, it simply doesn't happen. Functional
languages offer a much brighter prospect, as their clean semantics makes
proofs shorter and higher level. The next step seems to be to move to a
system like type theory, which can provide a single foundation for activities
of program development, transformation and verification, just as a LISP
Machine supports integrated debugging, profiling and the like. There is
still much to be done in making type theory a usable and attractive system
which supports programming in the large, but I am certain that languages
based on type theory will be as popular in a few years' time as
contemporary functional languages like Miranda and ML based on the simply
typed λ-calculus.
Bibliography

[Abr90]  Samson Abramsky. The lazy lambda calculus. In David A.
         Turner, editor, Research Topics in Functional Programming.
         Addison Wesley, 1990.
[Acz80]  Peter Aczel. Frege structures and the notions of proposition,
         truth and set. In The Kleene Symposium. North-Holland, 1980.
[AHM87]  Arnon Avron, Furio A. Honsell, and Ian A. Mason. Using typed
         lambda calculus to implement formal systems on a machine.
         Technical Report ECS-LFCS-87-31, LFCS, Department of
         Computer Science, University of Edinburgh, 1987.
[All87a] Stuart Allen. A non-type-theoretic definition of Martin-Löf's
         types. In Proceedings of the Second Annual Symposium on Logic
         in Computer Science. IEEE, 1987.
[All87b] Stuart Allen. A Non-Type-Theoretic Semantics for Type-
         Theoretic Language. PhD thesis, Cornell University, 1987.
         Available as technical report TR 87-866 from the Department
         of Computer Science, Cornell University.
[And65]  Peter Bruce Andrews. A transfinite type theory with type
         variables. Studies in logic and the foundations of mathematics.
         North-Holland, 1965.
[Bac86]  Roland Backhouse. On the meaning and construction of the
         rules in Martin-Löf's theory of types. Technical Report CS 8606,
         Department of Mathematics and Computing Science, University
         of Groningen, 1986.
[Bac87a] Roland Backhouse. Notes on Martin-Löf's theory of types.
         FACS FACTS, 9(3), October 1987. Newsletter of the BCS Formal
         Aspects of Computing Science Special Interest Group.
[Bac87b] Roland Backhouse. Overcoming the mismatch between programs
         and proofs. In Peter Dybjer et al., editors, Proceedings
         of the Workshop on Programming Logic. Programming Methodology
         Group, University of Göteborg and Chalmers University
         of Technology, 1987. Technical Report, number 37.
[Bar84]  Henk P. Barendregt. The lambda calculus: its syntax and
         semantics, volume 103 of Studies in Logic and Foundations of
         Mathematics. North-Holland, 1984.
[BB85]   Errett Bishop and Douglas Bridges. Constructive Mathematics,
         volume 279 of Grundlehren der Mathematischen Wissenschaften.
         Springer-Verlag, 1985.
[BC85]   Joseph L. Bates and Robert L. Constable. Proofs as programs.
         ACM Transactions on Programming Languages and Systems, 7,
         1985.
[BCMS89] Roland Backhouse, Paul Chisholm, Grant Malcolm, and Erik
         Saaman. Do-it-yourself type theory. Formal Aspects of Computing,
         1, 1989.
[BdV89]  David A. Basin and Peter del Vecchio. Verification of computational
         logic in Nuprl. Technical Report TR 89-1018, Department
         of Computer Science, Cornell University, 1989.
[Bee85]  Michael J. Beeson. Foundations of Constructive Mathematics.
         Springer-Verlag, 1985.
[Ben86]  Jon Bentley. Programming Pearls. Addison Wesley, 1986.
[BMS80]  Rod M. Burstall, David B. MacQueen, and Donald T. Sannella.
         HOPE: An experimental applicative language. Technical report,
         Department of Computer Science, University of Edinburgh, 1980.
[BW88]   Richard Bird and Philip Wadler. An Introduction to Functional
         Programming. Prentice-Hall, 1988.
[C+86a]  Robert L. Constable et al. Implementing Mathematics with the
         Nuprl Proof Development System. Prentice-Hall Inc., 1986.
[C+86b]  Robert L. Constable et al. Implementing Mathematics with the
         Nuprl proof development system. Prentice-Hall, 1986.
[CF58]   Haskell B. Curry and Robert Feys. Combinatory Logic, volume
         I. North-Holland, 1958.
[CH85]   Thierry Coquand and Gerard Huet. A theory of constructions.
         In Semantics of Data Types. Springer-Verlag, 1985.
[Chi87]  Paul Chisholm. Derivation of a parsing algorithm in Martin-
         Löf's theory of types. Science of Computer Programming, 8,
         1987.
[Chi88a] Paul Chisholm. On the relationship between the subset and
         sigma types in Martin-Löf's 1979 type theory. Technical Report
         CS 8802, Department of Mathematics and Computing Science,
         University of Groningen, 1988.
[Chi88b] Paul Chisholm. Reducing the proof burden when reasoning with
         congruence types. Technical Report CS 8807, Department of
         Mathematics and Computing Science, University of Groningen,
         1988.
[CKB84]  Robert L. Constable, Todd Knoblock, and Joseph L. Bates.
         Writing programs that construct proofs. Journal of Automated
         Reasoning, 1, 1984.
[CM82]   Avra Cohn and Robin Milner. On using Edinburgh LCF to
         prove the correctness of a parsing algorithm. Technical Report
         CSR-113-82, Computer Science Department, Edinburgh
         University, 1982.
[Coq86]  Thierry Coquand. An analysis of Girard's paradox. In
         Proceedings of the First Annual Symposium on Logic in Computer
         Science. IEEE, 1986.
[CS87]   Robert L. Constable and Scott Fraser Smith. Partial objects in
         constructive type theory. In Proceedings of the Second Annual
         Symposium on Logic in Computer Science. IEEE, 1987.
[Cut81]  Nigel J. Cutland. Computability. Cambridge University Press,
         1981.
[CW85]   Luca Cardelli and Peter Wegner. On understanding types, data
         abstraction and polymorphism. Computing Surveys, 17, 1985.
[dB72]   Nicolaas G. de Bruijn. Lambda calculus notation with nameless
         dummies, a tool for automatic formula manipulation, with an
         application to the Church-Rosser theorem. Indag. Math., 34,
         1972.
[dB73]   Nicolaas G. de Bruijn. AUTOMATH, a language for mathematics.
         Technical report, Les Presses de l'Université de Montréal,
         1973.
[dB80]   Nicolaas G. de Bruijn. A survey of the project AUTOMATH.
         In Jonathan P. Seldin and J. Roger Hindley, editors, To H.
         B. Curry: Essays on combinatory logic, lambda calculus and
         formalism. Academic Press, 1980.
[Dij76]  Edsger W. Dijkstra. A Discipline of Programming. Prentice
         Hall International, 1976.
[Dil80]  Justus Diller. Modified realization and the formulae-as-types
         notion. In Jonathan P. Seldin and J. Roger Hindley, editors, To
         H. B. Curry: Essays on combinatory logic, lambda calculus and
         formalism. Academic Press, 1980. A reprint of an unpublished
         manuscript from 1969.
[DT84]   Justus Diller and Anne S. Troelstra. Realizability and
         intuitionistic logic. Synthese, 60, 1984.
[Dum77]  Michael Dummett. Elements of Intuitionism. Oxford University
         Press, 1977.
[Dyb87]  Peter Dybjer. From type theory to LCF: a case study in program
         verification (draft). In Peter Dybjer et al., editors, Proceedings
         of the Workshop on Programming Logic. Programming
         Methodology Group, University of Göteborg and Chalmers
         University of Technology, 1987. Technical Report, number 37.
[Dyb88]  Peter Dybjer. Inductively defined sets in Martin-Löf's type
         theory. In Proceedings of the Workshop on General Logic,
         Edinburgh, February 1987, 1988. Report ECS-LFCS-88-52,
         Laboratory for the Foundations of Computer Science, Edinburgh
         University.
[Dyb89]  Peter Dybjer. An inversion principle for Martin-Löf's type
         theory. In Peter Dybjer et al., editors, Proceedings of the
         Workshop on Programming Logic. Programming Methodology Group,
         University of Göteborg and Chalmers University of Technology,
         1989. Technical Report, number 54.
[Dyc85]  Roy Dyckhoff. Category theory as an extension of Martin-Löf
         type theory. Technical Report CS/85/3, Department of
         Computational Science, University of St Andrews, 1985.
[Dyc87]  Roy Dyckhoff. Strong elimination rules in type theory. In Peter
         Dybjer et al., editors, Proceedings of the Workshop on
         Programming Logic. Programming Methodology Group, University of
         Göteborg and Chalmers University of Technology, 1987.
         Technical Report, number 37.
[End77]  Herbert B. Enderton. Elements of Set Theory. Academic Press,
1977.
[Fef79℄ Solomon Feferman. Constru tive theories of fun tions and
lasses. In M. Bo a, D. van Dalen, and K. Ma Aloon, editors,
Logi Colloquium '78. North Holland, 1979.
[FLO83℄ Steven Fortune, Daniel Leviant, and Mi hael O'Donnell. The
expressiveness of simple and se ond-order type stru tures. Jour-
nal of the ACM, 30(1):151{185, 1983.
[G58℄ 
Kurt Godel. Uber eine bisher no h ni ht benutze Erweiterung
des niten Standpunktes. Diale ti a, 12, 1958.
[Gir72℄ Jean-Yves Girard. Interpretation fon tionelle et elimination des
oupures dans l'arithmetique d'ordre superieure. These d'Etat,
Universite Paris VII, 1972.
[Gir80℄ Jean-Yves Girard. The system F of variable types, fteen years
later. Theoreti al Computer S ien e, 45, 1980.
[GLT89℄ Jean-Yves Girard, Yves Lafont, and Paul Taylor. Proofs and
Types, volume 7 of Cambridge Tra ts in Theoreti al Computer
S ien e. Cambridge University Press, 1989.
[Har60℄ Ronald Harrop. Con erning formulas of the types A ! B _
C , A ! (9x)B (x) in intuitionisti formal systems. Journal of
Symboli Logi , 25, 1960.
[Har86℄ Robert Harper. Introdu tion to Standard ML. Te hni al Re-
port ECS-LFCS-86-14, Laboratory for Foundations of Com-
puter S ien e, Department of Computer S ien e, University of
Edinburgh, November 1986.
[Hay90℄ Susumu Hayashi. An introdu tion to PX. In Gerard Huet, ed-
itor, Logi al Foundations of Fun tional Programming. Addison
Wesley, 1990.
[Hen89℄ Martin C. Henson. Program development in the onstru tive
set theory TK. Formal Aspe ts of Computing, 1, 1989.
344 BIBLIOGRAPHY

[Hen91℄ Martin C. Henson. Information loss in the programming logi


TK. In Pro eedings of the IFIP TC2 Working Conferen e on
Programming Con epts and Methods. Elsevier, 1991.
[HHP87℄ Robert Harper, Furio Honsell, and Gordon Plotkin. A frame-
work for de ning logi s. In Pro eedings of the Symposium on
Logi in Computer S ien e. IEEE, 1987.
[HN88℄ Susumu Hayashi and Hiroshi Nakano. PX: A Computational
Logi . The MIT Press, 1988.
[Hod77℄ Wilfrid Hodges. Logi . Penguin Books, 1977.
[How80℄ William A. Howard. The formulae-as-types notion of onstru -
tion. In Jonathan P. Seldin and J. Roger Hindley, editors, To
H. B. Curry: Essays on ombinatory logi , lambda al ulus and
formalism. A ademi Press, 1980. A reprint of an unpublished
manus ript from 1969.
[How88℄ Douglas J. Howe. Automating Reasoning in an Implementation
of Constru tive Type Theory. PhD thesis, Cornell University,
1988. Available as te hni al report TR 88-925 from the Depart-
ment of Computer S ien e, Cornell University.
[HT88℄ Martin C. Henson and Raymond Turner. A onstru tive set
theory for program development. In Pro eedings of the 8th Con-
feren e on FST and TCS, volume 338 of Le ture Notes in Com-
puter S ien e. Springer Verlag, 1988.
[Hue90a℄ Gerard Huet, editor. Logi al Foundations of Fun tional Pro-
gramming. Addison Wesley, 1990.
[Hue90b℄ Gerard Huet. A uniform approa h to type theory. In Gerard
Huet, editor, Logi al Foundations of Fun tional Programming.
Addison Wesley, 1990.
[Hug83℄ John Hughes. The Design and Implementation of Programming
Languages. PhD thesis, University of Oxford, 1983.
[Hug90℄ John Hughes. Why Fun tional Programming Matters. In
David A. Turner, editor, Resear h Topi s in Fun tional Pro-
gramming. Addison Wesley, 1990.
[HW90℄ Paul Hudak and Philip Wadler. Report on the fun tional pro-
gramming language Haskell. Draft proposed standard for the
fun tional programming language, designed by the authors and
twelve others., 1990.
BIBLIOGRAPHY 345

[Ja 89℄ Bart Ja obs. The in onsisten y of higher order extensions of


Martin{Lof's type theory. Journal of Philosophi al Logi , 18,
1989.
[Joh85℄ Thomas Johnsson. Lambda lifting { transforming programs to
re ursive equations. In J. P. Jouannaud, editor, Fun tional Pro-
gramming Languages and Computer Ar hite ture, volume 201 of
Le ture Notes in Computer S ien e. Springer-Verlag, 1985.
[KC86℄ Todd B. Knoblo k and Robert L. Constable. Formalized metar-
easoning in type theory. Te hni al Report TR 86-742, Depart-
ment of Computer S ien e, Cornell University, 1986.
[Kle45℄ Stephen C. Kleene. On the interpretation of intuitionisti num-
ber theory. Journal of Symboli Logi , 10, 1945.
[Lem65℄ E. J. Lemmon. Beginning Logi . Thomas Nelson and Sons
Limited, 1965.
[LS86℄ J. Lambek and P. J. S ott. Introdu tion to higher order ate-
gori al logi . Cambridge University Press, 1986.
[Ma 86℄ David Ma Queen. Using dependent types to express modular
stru ture. In Pro eedings of the 13th ACM Symposium on Prin-
iples of Programming Languages. ACM Press, 1986.
[Ma 90℄ David Ma Queen. A higher-order type system for fun tional
programming. In David A. Turner, editor, Resear h Topi s
in Fun tional Programming. Addison Wesley, 1990. First Pub-
lished in The Computer Journal, April 1989.
[MC88℄ Grant Mal olm and Paul Chisholm. Polymorphism and infor-
mation loss in Martin- Lof's type theory. Te hni al Report CS
8814, Department of Mathemati s and Computing S ien e, Uni-
versity of Groningen, 1988.
[Men87a℄ Elliott Mendelson. Introdu tion to Mathemati al Logi .
Wadsworth, third edition, 1987.
[Men87b℄ Paul Fran is Mendler. Indu tive De nition in Type Theory.
PhD thesis, Cornell University, 1987. Available as te hni al
report TR 87-870 from the Department of Computer S ien e,
Cornell University.
[Mil78℄ Robin Milner. A theory of type polymorphism in programming.
Journal of Computer and System S ien es, 17, 1978.
346 BIBLIOGRAPHY

[ML70℄ Per Martin-Lof. Notes on Constru tive Mathemati s. Almqvist


& Wiksell, Sto kholm, 1970.
[ML71℄ Per Martin-Lof. A theory of types. Te hni al Report 71-3,
Department of Mathemati s, University of Sto kholm, 1971.
[ML75a℄ Per Martin-Lof. About models for intuitionisti type theories
and the notion of de nitional equality. In Stig Kanger, edi-
tor, Pro eedings of the Third S andinavian Logi Symposium,
Studies in Logi and the Foundations of Mathemati s. North-
Holland, 1975.
[ML75b℄ Per Martin-Lof. An intuitionisti theory of types: Predi ative
part. In H. Rose and J. C. Shepherdson, editors, Logi Collo-
quium 1973. North-Holland, 1975.
[ML83℄ Per Martin-Lof. On the meanings of the logi al onstants and
the justi ations of the logi al laws. Notes taken by Giovanni
Sambin and Aldo Ursini of a short ourse given at the meet-
ing Teoria della Dimostrazione e Filoso a della Logi a, Siena,
April., 1983.
[ML84℄ Per Martin-Lof. Intuitionisti Type Theory. Bibliopolis, Naples,
1984. Based on a set of notes taken by Giovanni Sambin of a
series of le tures given in Padova, June 1980.
[ML85℄ Per Martin-Lof. Constru tive mathemati s and omputer pro-
gramming. In C. A. R. Hoare, editor, Mathemati al Logi and
Programming Languages. Prenti e-Hall, 1985.
[Mos74℄ Yiannis N. Mos hovakis. Elementary Indu tion on Abstra t
Stru tures, volume 77 of Studies in Logi and Foundations of
Mathemati s. North-Holland, 1974.
[MR86℄ Albert R. Meyer and M. B. Reinhold. Type is not a type. In
Pro eedings of the 13th ACM Symposium on Prin iples of Pro-
gramming Languages. ACM Press, 1986.
[Nor85℄ Bengt Nordstrom. Multilevel fun tions in Martin{Lof's type
theory. In Programs as Data Obje ts, volume 217 of Le ture
Notes in Computer S ien e. Springer-Verlag, 1985.
[Nor88℄ Bengt Nordstrom. Terminating general re ursion. BIT, 28,
1988.
BIBLIOGRAPHY 347

[NP83℄ Bengt Nordstrom and Kent Petersson. Types and spe i ations.
In IFIP'83. Elsevier, 1983.
[NP85℄ Bengt Nordstrom and Kent Petersson. The semanti s of module
spe i ations in Martin{Lof's type theory. Te hni al Report 36,
Programming Methodology Group, University of Goteborg and
Chalmers University of Te hnology, 1985.
[NPS90℄ Bengt Nordstrom, Kent Petersson, and Jan M. Smith. Program-
ming in Martin-Lof's Type Theory | An Introdu tion. Oxford
University Press, 1990.
[P67℄ Rosa Peter. Re ursive Fun tions. A ademi Press, 1967.
[Pau86℄ Lawren e C. Paulson. Constru ting re ursion operators in in-
tuitionisti type theory. Journal of Symboli Computation, 2,
1986.
[Pau87℄ Lauren e C. Paulson. Logi and Computation | Intera tive
proof with Cambridge LCF. Cambridge University Press, 1987.
[Per89℄ Nigel Perry. Hope+. Te hni al report, Department of Comput-
ing, Imperial College, London, 1989. Version 6.
[Pey87℄ Simon Peyton Jones. The Implementation of Fun tional Pro-
gramming Languages. Prenti e Hall, 1987.
[PM87℄ Christine Paulin-Mohring. An example of algorithm develop-
ment in the al ulus of onstru tions: Binary sear h for the
al ulation of the lambo fun tion. In Peter Dybjer et al.,
editors, Pro eedings of the Workshop on Programming Logi .
Programming Methodology Group, University of Goteborg and
Chalmers University of Te hnology, 1987. Te hni al Report,
number 37.
[PM89℄ Christine Paulin-Mohring. Extra ting F! 's programs from
proofs in the al ulus of onstru tions. In Pro eedings of the 16th
ACM Symposium on Prin iples of Programming Languages.
ACM Press, 1989.
[Pra65℄ Dag Prawitz. Natural Dedu tion | A Proof-Theoreti al Study.
Almqvist & Wiksell, 1965.
[PS85℄ Kent Petersson and Jan Smith. Program derivation in type the-
ory: The Polish ag problem. In Peter Dybjer et al., editors,
Pro eedings of the Workshop on Spe i ation and Derivation
348 BIBLIOGRAPHY

of Programs. Programming Methodology Group, University of


Goteborg and Chalmers University of Te hnology, 1985. Te h-
ni al Report, number 18.
[PS87℄ Kent Petersson and Dan Synek. A set onstru tor for indu -
tive sets in Martin{Lof's type theory. Te hni al Report 48,
Programming Methodology Group, University of Goteborg and
Chalmers University of Te hnology, 1987.
[Rea89℄ Chris Reade. Elements of Fun tional Programming. Addison
Wesley, 1989.
[Rey74℄ John C. Reynolds. Towards a theory of type stru ture. In
Colloque sur la Programmation, volume 19 of Le ture Notes in
Computer S ien e. Springer-Verlag, 1974.
[Rey90℄ John C. Reynolds. Polymorphi lambda al ulus { introdu -
tion to part II. In Gerard Huet, editor, Logi al Foundations of
Fun tional Programming. Addison Wesley, 1990.
[Rog67℄ Hartley Rogers. Theory of Re ursive Fun tions and E e tive
Operations. M Graw Hill, 1967.
[RW10℄ Bertrand Russell and Alfred North Whitehead. Prin ipia Math-
emati a. Cambridge University Press, 1910.
[Sal89a℄ Anne Salvesen. On spe i ations, subset types and interpre-
tation of propositions in type theory. In Peter Dybjer et al.,
editors, Pro eedings of the Workshop on Programming Logi .
Programming Methodology Group, University of Goteborg and
Chalmers University of Te hnology, 1989. Te hni al Report,
number 54.
[Sal89b℄ Anne Salvesen. Polymorphism and monomorphism in Martin-
Lof's type theory. Updated version of a Te hni al Report from
the Norwegian Computing Centre, 1988, 1989.
[S h77℄ Kurt S hutte. Proof Theory. Springer-Verlag, 1977.
[S h86℄ David A. S hmidt. Denotational Semanti s. Allyn and Ba on,
1986.
[S o79℄ Dana S. S ott. Identity and existen e in intuitionisti logi . In
M. P. Fourman, C. S. Mulvey, and D. S. S ott, editors, Appli-
ations of Sheaves. Springer Verlag, 1979.
BIBLIOGRAPHY 349

[S o80℄ Dana S. S ott. Relating theories of the lambda al ulus. In


Jonathan P. Seldin and J. Roger Hindley, editors, To H. B.
Curry: Essays on ombinatory logi , lambda al ulus and for-
malism. A ademi Press, 1980.
[SH83a℄ Peter S hroeder-Heister. The ompleteness of intuitionisti logi
with respe t to a validity on ept based on an inversion prin i-
ple. Journal of Philosophi al Logi , 12, 1983.
[SH83b℄ Peter S hroeder-Heister. Generalized rules for quanti ers and
the ompleteness of the intuitionisti operators &; _; ; ?; 8; 9.
In Computation and Proof Theory, Pro eedings of Logi Collo-
quium Aa hen. Springer-Verlag, 1983.
[SM87℄ Erik Saaman and Grant Mal olm. Well-founded re ursion in
type theory. Te hni al Report CS 8710, Department of Mathe-
mati s and Computing S ien e, University of Groningen, 1987.
[Smi84℄ Jan M. Smith. An interpretation of Martin-Lof's type theory in
a type-free theory of propositions. Journal of Symboli Logi ,
49, 1984.
[Smi87℄ Jan M. Smith. The independen e of Peano's fourth axiom
from Martin{Lof's type theory without universes. Te hni al Re-
port 31, Programming Methodology Group, University of Gote-
borg and Chalmers University of Te hnology, 1987.
[Smi88℄ S ott Fraser Smith. Partial Obje ts in Type Theory. PhD the-
sis, Cornell University, 1988. Available as te hni al report TR
88-938 from the Department of Computer S ien e, Cornell Uni-
versity.
[SS89℄ Anne Salvesen and Jan Smith. The strength of the subset type
in Martin-Lof's type theory. In Pro eedings of the Third Annual
Symposium on Logi in Computer S ien e. IEEE Computer So-
iety Press, 1989.
[Sto77℄ Joseph E. Stoy. Denotational Semanti s: The S ott-Stra hey
approa h to programming language theory. MIT Press, 1977.
[Str67℄ Christopher Stra hey. Fundamental on epts in programming
languages. In Pro eedings of International Summer S hool in
Computer Programming, 1967.
350 BIBLIOGRAPHY

[Swa89℄ Mar o D. G. Swaen. Weak and Strong Sum-Elimination in In-


tuitionisti Type Theory. PhD thesis, University of Amsterdam,
1989.
[Tai67℄ William W. Tait. Intensional interpretation of fun tionals of
nite type, I. Journal of Symboli Logi , 32, 1967.
[Ten79℄ Robert D. Tennent. Prin iples of Programming Languages.
Prenti e Hall, 1979.
[Tho86℄ Simon Thompson. Laws in Miranda. In Pro eedings of the ACM
Conferen e on LISP and Fun tional Programming. ACM Press,
1986.
[Tho89a℄ Simon Thompson. Fun tional programming: Exe utable spe -
i ations and program transformation. In Pro eedings of Fifth
International Workshop on Software Spe i ation and Design.
IEEE Press, 1989.
[Tho89b℄ Simon Thompson. A Logi for Miranda. Formal Aspe ts of
Computing, 1, 1989.
[Tho90℄ Simon Thompson. Lawful fun tions and program veri ation in
Miranda. S ien e of Computer Programming, 13, 1990.
[Tro73℄ Anne S. Troelstra, editor. Metamathemati al Investigation of
Intuitionisti Arithmeti and Analysis, volume 344 of Le ture
Notes in Mathemati s. Springer-Verlag, 1973.
[Tro86℄ Anne S. Troelstra. Strong normalization for typed terms with
surje tive pairing. Notre Dame Journal of Formal Logi , 27,
1986.
[Tro87℄ Anne S. Troelstra. On the syntax of Martin-Lof's type theories.
Theoreti al Computer S ien e, 51, 1987.
[Tur85℄ David A. Turner. Miranda: a non-stri t fun tional language
with polymorphi types. In J. P. Jouannaud, editor, Fun tional
Programming Languages and Computer Ar hite ture. Springer-
Verlag, 1985.
[Tur89℄ David A. Turner. A new formulation of onstru tive type theory.
In Peter Dybjer et al., editors, Pro eedings of the Workshop on
Programming Logi . Programming Methodology Group, Univer-
sity of Goteborg and Chalmers University of Te hnology, 1989.
Te hni al Report, number 54.
BIBLIOGRAPHY 351

[Tur90℄ David A. Turner. Resear h Topi s in Fun tional Programming.


Addison Wesley, 1990.
[TvD88℄ Anne S. Troelstra and D. van Dalen. Constru tivism in Mathe-
mati s, An Introdu tion, volume I and II. North-Holland, 1988.
[WB89℄ Philip Wadler and Stephen Blott. Making ad ho polymorphism
less ad ho . In Pro eedings of the 16th ACM Symposium on
Prin iples of Programming Languages. ACM Press, 1989.
[Wik87℄ 
Ake Wikstrom. Fun tional Programming in Standard ML.
Prenti e-Hall, 1987.
Index

Fst, see existential quantifier
Snd, see product type
Xif, see co-inductive types
∀, see universal quantifier
∧, see conjunction
⇔, see bi-implication
⊥, see absurdity
↔, see convertibility
≡_df, see definitional equality
↓, see well-founded recursion, realizability
[ ], see list type
∃, see existential quantifier
fst, see product type
⇒, see implication
inl, see sum type
inr, see product type
¬, see negation
∨, see disjunction
++, see list type
→, see reduction
∥, see realizability
≡, see definitional equality
≃, see extensional equality
snd, see product type
↠, see reduction
⊤, see true proposition
xif, see co-inductive types

absurdity, 14
  elimination rule, 76
    propositional, 14
  formation rule, 76
abstract type, 176, 221, 308
  and type classes, 223
  proof information in, 223
  versions of, 221
Ackermann function, 104
algebraic type, 31, 186, 274
arithmetic
  intuitionistic, finite-type, 146, 314
  intuitionistic, first-order, 314
arity, 16
assumptions, 9, 10, 126–130, 190
  consistency between, 128
  contexts, 129
    consistency between, 129
  dependencies between, 127
  discharge of, 11, 72, 74, 133
  labelled, 11
  order of discharge, 128
  rule, 9, 77
Automath, 332
axiom of choice, 139, 255

β-reduction, 34
  restricted form, 145
bi-implication, 14, 70
bool, see boolean type
boolean type, 96
  computation rules, 97
  conditional expression, 96
  elements unequal, 175
  elimination rule, 97
  equality, 113
  False, 96
  formation rule, 97
  introduction rules, 97
  True, 96
bracket abstraction, 335

Calculus of Constructions, 335
  examples, 249
canonical value, see printable value
category theory, 65
Church Rosser theorem
  TT_0^c, 160
  failure for TT_0, 147
  untyped λ-calculus, 37
closure
  of term, 172
co-inductive types, 301–306
  computation rule, 304
  elimination rule, 304
  formation rule, 303
  infinite lists, 301
  introduction rule, 303
combinator, 148
combinator abstraction, 149
  example, 150
commutation rule, 192
complete presentation, principle of, 63
computation, 143–145
computation rule, 52, 73
computational irrelevance, 256–258, 262, 277, 318
  syntactic criteria, 258
conjunction, 9
  computation rules, 74
  elimination rules, 74
    propositional, 9
  formation rule, 73
  introduction rule, 73
    propositional, 9
connective, propositional, 8
conservative extension, 315
constructive mathematics, 59–65
  formalization, 64
continuity, 315
convertibility, 40, 118, 163, 169
correctness, problem of, 1
course-of-values recursion, 197, 287
Curry Howard isomorphism, 4, 78
  and assumptions, 190
  difficulties with, 190

de Morgan laws, 87
decidability
  convertibility for TT_0^c, 161
  derivability for TT_0^c, 161
deduction rule, 8, 71
  hypothetical form, 282
  side condition, 22
deduction theorem, 335
definitional equality, 131, 163
definitions, 130–132
  injection functions, 131
  pattern matching, 131
  recursion, 132
dependent function space, see universal quantifier
dependent sum type, see existential quantifier
dependent types, 114, 212–224
  examples, 217
derivability, 139
  of typehood, 140
    extra premisses required, 140
  uniqueness of types, 142
derivation, 72
  a general property of, 139
  abbreviation of, 132
disjoint union type, see disjunction
disjunction, 12
  cases operator, 81
  computation rules, 76
    alternative (vcases'), 134
  elimination rule, 76
    alternative (∨E'), 134
    equivalent versions, 134
    general (∨E''), 135
      motivation for generalisation, 135
    propositional, 13
  formation rule, 75
  introduction rule
    propositional, 12
  introduction rules, 75
double negation, rule, 15

efficiency, 211, 242, 267
  and lazy evaluation, 258
elimination rule, 9, 10, 74
  major premiss, 76
  minor premiss, 76
  strong, 279–281
embedding, 314
empty type, see absurdity
equality, 270
  characterisations, 166
  extensional, 63, 169, 237, 273
    in TT_0, 170
  in functional programming, 167
  purpose of, 167
  rule for extensional, 169
equality function, 165
  existence of, 166
equality operation, see equality function
equality proposition, 109–116
  computation rule, 111
  elimination rule, 111
  elimination rule (extensional), 169
  equality over, 116
  formation rule, 110
  introduction rule, 110
    general version, 119
equivalence rule, 52, 192
error values, 200
η-reduction, 39
evaluation, 35, 55
  lazy, 31, 39, 257
  normal order, 257
  results of, see printable value
  strict, 31, 39, 257
  termination of, 36
ex falso quodlibet, see absurdity elimination
examples
  basic, 83–87, 92–95
  functions over N, 195
  implementing logic, 215
  in the literature, 247–249
  infinite lists, 301
  list functions, 200–204
  maximum segment sum, 241
  Polish National Flag, 232, 268
  quicksort, 205
  rationals, 272
  real numbers, 275
  streams, 306
  successor is one-one, 122
  vectors, 226
excluded middle, law of, 15
existence
  constructive view of, 60
  witness, 61, 63, 88
existential quantifier
  and universes, 221–224
  computation rule
    Cases, 137
    projection version, 91
  elimination rule, 23
    alternate form (∃E), 137
    projection version, 91
    relations between versions, 137, 318
    weaker version (∃E'), 136
  examples, 214
  formation rule, 90
  interpretation as type, 91
  introduction rule, 23, 91
expressibility, 188
expression equivalence, convention, 34
extensional equality in TT_0, 171
extensional relation, 40
extensionality, 184, 226, 262

false proposition, see absurdity
finite types
  C_n, subtypes of N, 224
  computation rules, 99
  elimination rule, 98
  formation rule, 98
  introduction rules, 98
fixed point, 37, 41
formalization, reasons for, 7
formation rule, 73
  modification for universes, 174
free subexpression, 117, 151
function
  curried, 35, 95
  provably total, 189
  representation of, 188, 189
function definition
  parameters of, 149
function space, see implication
functional programming, 30–31

general recursion, 55, 307

head normal form, 36
hypothesis, hypothetical, 282, 326

I type, see equality proposition
idealism, 60
identity, 164
imperative programming, 245
implementation, 126
implication, 10
  computation rule, 75
  elimination rule, 75
    propositional, 11
  formation rule, 74
  introduction rule, 74
    propositional, 11
  transitivity of, 14
inconsistency, logical, 174, 307, 316
indirect proof, principle of, 3
induction over types, 45
inductive definitions, in set theory, 296
  least fixed point, 297
  monotonic, 297
inductive types, 296–301
  and algebraic types, 300
  computation rule, 300
  elimination rule, 300
  formation rule, 299
  type equality rule, 300
integers, 136
intensionality, 56, 161
intermediate value theorem, 65
interpretation, 315
introduction rule, 9
inversion principle, 260, 265, 323–328
  and inductive types, 328

judgement, 71

λ-calculus, second-order, 333
λ-abstraction
  notation for, 80
laws (in Miranda), 275
Leibnitz's law, 110
list, see list type
list type
  head, tail functions, 200
  map and fold functions, 237
  computation rules, 179
  elimination rule, 179
  formation rule, 179
  indexing, 203
  introduction rules, 179
  membership function, 208
  primitive recursion, 179
lists, nonempty, 198
  map and ++ over, 239
logic
  classical, 15, 276
  framework for, 322
  intuitionistic, 15

mathematical objects, contrasting views of, 62
maximal free expression, 151
membership relation, as proposition, 295
model theory, 317, 319–322
  importance of, 319
  inductive definition, 321
  term models, 320
  type-free interpretations, 320
modelling, 308–311
monomorphism
  of type theory, 162

N_n, see finite types
naming of expressions, see definitions
natural numbers, 100–104
  addition, 103
  computation rules, 101
  elimination rule
    general case, 101
    special case, 100
  equality, 113, 121
  equality of functions, 119
  formation rule, 100
  introduction rules, 100
  iteration, 104
  mathematical induction, 100
  multiplication, 103
  ordering, 199
  primitive recursion, 100
  representation in λ-calculus, 41
negation, 14, 70
  elimination rule
    propositional, 14
  introduction rule
    propositional, 14
node
  of well-founded type, 180
normal form, 36
normalisation theorem
  TT_0^c, 155
  corollaries, 159
  formalised in PA, 188
notational conventions, 80
Nuprl, 271, 281, 307, 329
  examples, 249

object-oriented programming, 223
omniscience, limited principle of, 61
one element type, see true proposition

partial equivalence relation, 171
partial objects, type of, 306–308
  in Nuprl, 307
  naive proposal, 307
partial order, 285
  accessible part, 286
pattern matching, see definitions
polymorphic types (à la Backhouse), 282
  head function, 283
    disadvantage of, 283
polymorphism, 30, 218
  explicit vs. implicit, 162
  non parametric, 219
  of type theory, 162
  parametric, 177, 219
  universes and, 176
predecessor
  immediate, 288
  in well-founded type, 180
predicate
  formally decidable, 165
  representable, 165
predicate logic, 15–27
  formulas, 16
    atomic, 16
    propositional combinations, 17
    quantified, 17
  predicate symbol, 16
  terms, 16
    composite, 16
    constants, 16
    variables, 16
printable value, 56, 145
product type, see conjunction
  pair, 79
  projections, 79
program development, 234, 255
program extraction, 5, 228, 234
program transformation, 236–244
proof
  normal form of, 191
  top-down, 229
proof by contradiction, rule, 15
proof conditions, 61, 69
proof extraction, 228–232
proof theory, 313–319
proposition
  as distinct from type, 263
  definition by recursion, 198
  extensional, 173
  representable, 213
propositional logic, 8–15
  formula, 8
    compound, 8
  proof, 8
  variable, 8
PX, a computational logic, 331

quantifier, 17, 88–95
  duality, 23
quicksort, see sorting
quotient type, 270–273
  congruence type, comparison, 274
  elimination rule, 272
  equality rule, 272
  formation rule, 271
  introduction rule, 271

real numbers, 62–65, 275–279
  addition, 277
  Cauchy reals, 276
  equality, 64, 278
  quotient type, 278
  regular sequences, 276
  separated, 64
realizability, 316–318
  ∀∃ formula, 318
recursion
  inverse image of, 211
  structural, 284
redex, 34, 117
  leftmost outermost, 38
  visibility, 149, 152
  within a lambda, 145
reducibility method, 45
reduct, 35, 117
reduction, 73, 118
  restricted version (TT_0), 146
relation, transitive closure of, 288
representation theorem for TT_0, 189

semigroup, 308
  as abstract type, 308
  rules for, 310
separation of computation and proof, 233, 266
Skolemizing, 268
sorting, 205–212
  polymorphic, 219
  quicksort, correctness of, 209
specification, 5, 234, 254–256, 267–270
  and naming, 255, 268
  sorting, 208
squash types, 263
strong normalisation theorem, 54
  TT_0, 146
  typed λ-calculus, 43
    proof, 45–50
strong type system, 30
structural induction
  over λ-expressions, 37
  over trees, 106
subset theory, 264–266
subset type, 214, 259–270, 277
  and extensional theory, 262
  elimination rule, 260
  formation rule, 259
  introduction rule, 259
  necessary?, 266–270
  stronger rules, see subset theory
  weakness of rules, 261
substitution
  extensional, 173
  in λ expressions, 34
  in formulas, 20
  in terms, 20
  notation, 21
substitution rules, 118
sum type, see disjunction
supercombinator abstraction, 151

tail recursion, 245
  and primitive recursion, 246
term
  extensional, 172
  parametric, 155
  stable, 154
TK, theory of types and kinds, 330
tree, see tree type
tree type, 105
  computation rules, 108
  elimination rule, 108
  formation rule, 107
  introduction rules, 107
  primitive recursion, 106
true proposition
  computation rule, 99
  elimination rule, 99
  formation rule, 99
  introduction rule, 99
TT, 174
TT^+, 186
TT_0^S, 260
  relation with TT, 260
TT_0, 139
  and intuitionistic arithmetic, 315–316
  and realizability, 318
TT_0^c, 152
TT_0^c, TT_0 relation between, 152
type
  extensionally isomorphic, 185
  ground, 56
  order of, 56
type classes, 222
type constructors, definitions, 219
type context, 44
  consistency, 44
type family
  definition of, 175, 198
  extensional, 171
type of all types, 174
type theory, modes of application, 193
typed λ-calculus, 42–57
  alternative syntax, 44
  expressions
    abstractions, 43
    applications, 43
    s-instance, 48
    stable, 46
    strongly normalising (SN), 46
    variables, 43
  natural numbers, 53
  primitive recursor, 53
  product type, 50
  simple types, 42
  with dependent products, 323

uniqueness of types, see derivability
universal quantifier
  and universes, 218–220
  computation rule, 90
  elimination rule, 22, 90
  examples, 215
  formation rule, 89
  interpretation as type, 90
  introduction rule, 22, 89
    combinator form (∀I^c), 150
universes, 173–178
  closure axioms, 177
  formation rule, 175
  quantification over, 176
  transfinite, 178
untyped λ-calculus, 32–41
  expressions
    abstractions, 32
    applications, 32
    closed, 33
    open, 33
    variables, 32
  syntactic conventions, 32
  variable
    applied occurrence, 33
    binding occurrence, 33
    bound, 19, 33
    free, 19, 33

variable binding operators, 133
variable capture, 19
variables, modes of use, 21

weak head normal form, 36
well-founded ordering, 286
  and W types, 293
  characterisation in TT, 290
  examples, 288
  examples in TT, 291
  inverse image, 289, 291
well-founded recursion, 284–296
  in set theory, 284–289
  in type theory, 290–296
    Accessible elements, 293
    comparing approaches, 296
well-founded types, 178–187
  computation rule, 184
  elimination rule, 184
  formation rule, 182
  introduction rule, 182
  ordinals, 186
360 RULE TABLES

Formation, Introdu tion and Elimination Rules


A is a type B is a type p:A q :B
(A ^ B ) is a type (^F ) (p; q) : (A ^ B ) (^I )
r : (A ^ B ) (^E ) r : (A ^ B ) (^E )
fst r : A 1
snd r : B 2

[x : A℄
..
.
A is a type B is a type e:B
(A ) B ) is a type () F ) (x : A) : e : (A ) B ) () I )

q : (A ) B ) a : A
(q a) : B () E )

A is a type B is a type
(A _ B ) is a type (_F )

q :A r :B
inl q : (A _ B ) (_I1 ) inr r : (A _ B ) (_I2 )

p : (A _ B ) f : (A ) C ) g : (B ) C )
(_E )
ases p f g : C

[x : A℄ [y : B ℄
.. ..
. .
p :(A _ B ) u : C v :C
(_E 0 )
v ases0x;y p u v : C

[x : A℄ [y : B ℄
.. ..
. .
p :(A _ B ) u : C [inl x=z ℄ v : C [inr y=z ℄
(_E 00 )
v ases00x;y p u v : C [p=z ℄

p :(A _ B ) q :(8x : A) : C [inl x=z ℄ r :(8y : B ) : C [inr y=z ℄


(_E y )
asesy p q r : C [p=z ℄
361
p:?
? is a type (?F ) abortA p : A (?E )
A is a type (AS )
x:A
[x : A℄ [x : A℄
.. ..
. .
A is a type P is a type p:P
(8x : A) : P is a type (8F ) (x : A) : p : (8x : A) : P (8I )

a : A f : (8x : A) : P
f a : P [a=x℄ (8E )

[x : A℄
..
.
A is a type P is a type a : A p : P [a=x℄
(9x : A) : P is a type (9F ) (a; p) : (9x : A) : P (9I )
p : (9x : A) : P (9E 0 ) p : (9x : A) : P 0
Fst p : A 1
Snd p : P [Fst p=x℄ (9E2 )
[x : A; y : B ℄
..
.
p : (9x : A) : B :C
Casesx;y p : C (9E 0 )

[x : A; y : B ℄
..
.
p :(9x : A) : B : C [(x; y)=z ℄
Casesx;y p : C [p=z ℄ (9E )

a $
$ b B (a) is a type (S ) a $
$ b p(a): B (a) (S )
B (b) is a type 1
p(b): B (b) 2

A $
$ B A is a type (S ) A $
$ B p : A (S )
B is a type 3
p:B 4

[x : A℄ [x : A℄
.. ..
. .
a : A B is a type a:A b:B
B [a=x℄ is a type (S5 ) b[a=x℄: B [a=x℄ (S6 )
362 RULE TABLES

\[
\frac{}{\mathit{bool} \text{ is a type}}\ (\mathit{bool}\,F)
\qquad
\frac{}{\mathit{True} : \mathit{bool}}\ (\mathit{bool}\,I_1)
\qquad
\frac{}{\mathit{False} : \mathit{bool}}\ (\mathit{bool}\,I_2)
\]
\[
\frac{tr : \mathit{bool} \quad c : C[\mathit{True}/x] \quad d : C[\mathit{False}/x]}{\mathit{if}\ tr\ \mathit{then}\ c\ \mathit{else}\ d : C[tr/x]}\ (\mathit{bool}\,E)
\]
\[
\frac{}{N_n \text{ is a type}}\ (N_n F)
\qquad
\frac{}{1_n : N_n}\ (N_n I) \quad \ldots \quad \frac{}{n_n : N_n}\ (N_n I)
\]
\[
\frac{e : N_n \quad c_1 : C[1_n/x] \quad \ldots \quad c_n : C[n_n/x]}{\mathit{cases}_n\ e\ c_1 \ldots c_n : C[e/x]}\ (N_n E)
\]
\[
\frac{}{\top \text{ is a type}}\ (\top F)
\qquad
\frac{}{\mathit{Triv} : \top}\ (\top I)
\qquad
\frac{x : \top \quad c : C(\mathit{Triv})}{\mathit{case}\ x\ c : C(x)}\ (\top E)
\]
\[
\frac{}{N \text{ is a type}}\ (NF)
\qquad
\frac{}{0 : N}\ (NI_1)
\qquad
\frac{n : N}{(\mathit{succ}\ n) : N}\ (NI_2)
\]
\[
\frac{n : N \quad c : C[0/x] \quad f : (\forall n : N).(C[n/x] \Rightarrow C[\mathit{succ}\ n/x])}{\mathit{prim}\ n\ c\ f : C[n/x]}\ (NE)
\]
\[
\frac{}{\mathit{tree} \text{ is a type}}\ (\mathit{tree}\,F)
\qquad
\frac{}{\mathit{Null} : \mathit{tree}}\ (\mathit{tree}\,I_1)
\qquad
\frac{n : N \quad u : \mathit{tree} \quad v : \mathit{tree}}{(\mathit{Bnode}\ n\ u\ v) : \mathit{tree}}\ (\mathit{tree}\,I_2)
\]
\[
\frac{\begin{array}{l} t : \mathit{tree}\\ c : C[\mathit{Null}/x]\\ f : (\forall n : N).(\forall u : \mathit{tree}).(\forall v : \mathit{tree}).(C[u/x] \Rightarrow C[v/x] \Rightarrow C[(\mathit{Bnode}\ n\ u\ v)/x])\end{array}}{\mathit{trec}\ t\ c\ f : C[t/x]}\ (\mathit{tree}\,E)
\]
\[
\frac{A \text{ is a type} \quad a : A \quad b : A}{I(A, a, b) \text{ is a type}}\ (IF)
\qquad
\frac{a : A}{r(a) : I(A, a, a)}\ (II)
\]
\[
\frac{a \leftrightarrow b \quad a : A \quad b : A}{r(a) : I(A, a, b)}\ (II')
\qquad
\frac{c : I(A, a, b) \quad d : C(a, a, r(a))}{J(c, d) : C(a, b, c)}\ (IE)
\]
\[
\frac{A \text{ is a type}}{[A] \text{ is a type}}\ (\mathit{list}\,F)
\qquad
\frac{}{[\,] : [A]}\ (\mathit{list}\,I_1)
\qquad
\frac{a : A \quad l : [A]}{(a :: l) : [A]}\ (\mathit{list}\,I_2)
\]
\[
\frac{\begin{array}{l} l : [A]\\ s : C[[\,]/x]\\ f : (\forall a : A).(\forall l : [A]).(C[l/x] \Rightarrow C[(a :: l)/x])\end{array}}{\mathit{lrec}\ l\ s\ f : C[l/x]}\ (\mathit{list}\,E)
\]
\[
\frac{\begin{array}{cc} & [x : A]\\ & \vdots\\ A \text{ is a type} & B(x) \text{ is a type}\end{array}}{(Wx : A).B(x) \text{ is a type}}\ (WF)
\qquad
\frac{a : A \quad f : (B(a) \Rightarrow (Wx : A).B(x))}{\mathit{node}\ a\ f : (Wx : A).B(x)}\ (WI)
\]
\[
\frac{w : (Wx : A).B(x) \quad R : \mathit{Ind}(A, B, C)}{(\mathit{Rec}\ w\ R) : C(w)}\ (WE)
\]
\[
\frac{\begin{array}{cc} & [x : A]\\ & \vdots\\ A \text{ is a type} & B \text{ is a type}\end{array}}{\{x : A \mid B\} \text{ is a type}}\ (\mathit{Set}\,F)
\qquad
\frac{a : A \quad p : B[a/x]}{a : \{x : A \mid B\}}\ (\mathit{Set}\,I)
\]
\[
\frac{\begin{array}{cc} & [x : A;\ y : B]\\ & \vdots\\ a : \{x : A \mid B\} & c(x) : C(x)\end{array}}{c(a) : C(a)}\ (\mathit{Set}\,E)
\]
\[
\frac{\begin{array}{l}
A \text{ is a type}\\
x : A;\ y : A \vdash E \text{ is a type}\\
x : A \vdash r : E[x/x, x/y]\\
x : A;\ y : A;\ r : E \vdash s : E[y/x, x/y]\\
x : A;\ y : A;\ z : A;\ r : E;\ s : E[y/x, z/y] \vdash t : E[x/x, z/y]
\end{array}}{A/\!/E_{x,y} \text{ is a type}}\ (QF)
\]
\[
\frac{a : A}{a : A/\!/E_{x,y}}\ (QI)
\]

\[
\frac{\begin{array}{ccc} & [x : A] & [x : A;\ y : A;\ p : E]\\ & \vdots & \vdots\\ a : A/\!/E_{x,y} & c(x) : C(x) & t : I(C(x), c(x), c(y))\end{array}}{c(a) : C(a)}\ (QE)
\]
\[
\frac{a : A \quad b : A \quad p : E[a/x, b/y]}{r(a) : I(A/\!/E_{x,y}, a, b)}\ (Q{=})
\]
\[
\frac{\begin{array}{cc} & [x : A;\ y : A]\\ & \vdots\\ A \text{ is a type} & (x \lhd y) \text{ is a type}\end{array}}{\mathit{Acc}(A, \lhd) \text{ is a type}}\ (\mathit{Acc}\,F)
\]
\[
\frac{\begin{array}{cc} & [y : A;\ y \lhd a]\\ & \vdots\\ a : A & y : \mathit{Acc}(A, \lhd)\end{array}}{a : \mathit{Acc}(A, \lhd)}\ (\mathit{Acc}\,I)
\]
\[
\frac{\begin{array}{cc} & [x : \mathit{Acc}(A, \lhd)]\quad [z : A;\ z \lhd x \vdash (f\ z) : C(z)]\\ & \vdots\\ p : \mathit{Acc}(A, \lhd) & (e\ x\ f) : C(x)\end{array}}{\mathit{rec}\ e\ p : C(p)}\ (\mathit{Acc}\,E)
\]
\[
\frac{\Phi \text{ monotonic}}{\mathit{Fix}\ \Phi \text{ is a type}}\ (\mathit{Ind}\,F)
\qquad
\frac{\begin{array}{c}[T \subseteq \mathit{Fix}\ \Phi]\\ \vdots\\ g : (\forall x : T).C \Rightarrow (\forall y : \Phi T).C[y/x]\end{array}}{\mathit{fix}\ g : (\forall z : \mathit{Fix}\ \Phi).C[z/x]}\ (\mathit{Ind}\,E)
\]
\[
\frac{\Psi \text{ monotonic}}{(\mathit{Xif}\ \Psi) \text{ is a type}}\ (\mathit{Coin}\,F)
\qquad
\frac{\begin{array}{cc} & [y : D;\ z : D \Rightarrow T]\\ & \vdots\\ d : D & b : \Psi T\end{array}}{\mathit{xif}_{y,z}\ b\ d : \mathit{Xif}\ \Psi}\ (\mathit{Coin}\,I)
\]

Computation Rules

\[
\begin{array}{lcl}
\mathit{fst}\ (p, q) & \to & p\\
\mathit{snd}\ (p, q) & \to & q\\
((\lambda x : A).p)\ a & \to & p[a/x]\\
\mathit{cases}\ (\mathit{inl}\ q)\ f\ g & \to & f\ q\\
\mathit{cases}\ (\mathit{inr}\ r)\ f\ g & \to & g\ r\\
\mathit{vcases}_{x,y}\ (\mathit{inl}\ a)\ u\ v & \to & u[a/x]\\
\mathit{vcases}_{x,y}\ (\mathit{inr}\ b)\ u\ v & \to & v[b/y]\\
\mathit{Fst}\ (p, q) & \to & p\\
\mathit{Snd}\ (p, q) & \to & q\\
\mathit{Cases}_{x,y}\ (a, b)\ c & \to & c[a/x, b/y]\\
\mathit{if}\ \mathit{True}\ \mathit{then}\ c\ \mathit{else}\ d & \to & c\\
\mathit{if}\ \mathit{False}\ \mathit{then}\ c\ \mathit{else}\ d & \to & d\\
\mathit{cases}_n\ 1_n\ c_1 \ldots c_n & \to & c_1\\
\mathit{cases}_n\ 2_n\ c_1 \ldots c_n & \to & c_2\\
 & \vdots & \\
\mathit{cases}_n\ n_n\ c_1 \ldots c_n & \to & c_n\\
\mathit{case}\ x\ c & \to & c\\
\mathit{prim}\ 0\ c\ f & \to & c\\
\mathit{prim}\ (\mathit{succ}\ n)\ c\ f & \to & f\ n\ (\mathit{prim}\ n\ c\ f)\\
\mathit{trec}\ \mathit{Null}\ c\ f & \to & c\\
\mathit{trec}\ (\mathit{Bnode}\ n\ u\ v)\ c\ f & \to & f\ n\ u\ v\ (\mathit{trec}\ u\ c\ f)\ (\mathit{trec}\ v\ c\ f)\\
J(r(a), d) & \to & d\\
\mathit{lrec}\ [\,]\ s\ f & \to & s\\
\mathit{lrec}\ (a :: l)\ s\ f & \to & f\ a\ l\ (\mathit{lrec}\ l\ s\ f)\\
\mathit{Rec}\ (\mathit{node}\ a\ f)\ R & \to & R\ a\ f\ ((\lambda x).\mathit{Rec}\ (f\ x)\ R)\\
\mathit{rec}\ e\ p & \to & e\ p\ (\mathit{rec}\ e)\\
\mathit{Fix}\ \Phi & \to & \Phi\,(\mathit{Fix}\ \Phi)\\
\mathit{fix}\ g & \to & g\ (\mathit{fix}\ g)\\
\mathit{xif}_{y,z}\ b\ d & \to & b[d/y,\ (\lambda w).(\mathit{xif}_{y,z}\ b\ w)/z]
\end{array}
\]
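An added worked example, not part of the original tables, showing how the rules above fit together: the first projection is derived as a function by discharging the hypothesis of (∧E_1) with (⇒I), applied to a pair formed by (∧I) using (⇒E), and then reduced by the computation rules for λ and fst. Here A and B are any types and p : A, q : B are assumed.

\[
\frac{\dfrac{[x : (A \wedge B)]}{\mathit{fst}\ x : A}\ (\wedge E_1)}{(\lambda x : (A \wedge B)).\mathit{fst}\ x : ((A \wedge B) \Rightarrow A)}\ (\Rightarrow I)
\]
\[
\frac{(\lambda x : (A \wedge B)).\mathit{fst}\ x : ((A \wedge B) \Rightarrow A) \qquad \dfrac{p : A \quad q : B}{(p, q) : (A \wedge B)}\ (\wedge I)}{((\lambda x : (A \wedge B)).\mathit{fst}\ x)\ (p, q) : A}\ (\Rightarrow E)
\]
\[
((\lambda x : (A \wedge B)).\mathit{fst}\ x)\ (p, q) \ \to\ \mathit{fst}\ (p, q) \ \to\ p
\]

The first step is the rule for λ with the substitution (fst x)[(p, q)/x]; the second is the rule for fst. The result p has type A, agreeing with the type assigned by the derivation.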
