
$\ldots \vdash^{\mathcal{X}}_{\mathcal{R}} J$, then $\vec{x}, x \mid \Gamma \vdash^{\mathcal{X}}_{\mathcal{R}} J$.

Renaming If $\vec{x}, x \mid \Gamma \vdash^{\mathcal{X}}_{\mathcal{R}} J$, then $\vec{x}, x' \mid [x \leftrightarrow x'] \cdot \Gamma \vdash^{\mathcal{X}}_{\mathcal{R}} [x \leftrightarrow x'] \cdot J$ for any $x' \notin \mathcal{X}, \vec{x}$.

Substitution If $\vec{x}, x \mid \Gamma \vdash^{\mathcal{X}}_{\mathcal{R}} J$ and $a \in \mathcal{B}[\mathcal{X}, \vec{x}]$, then $\vec{x} \mid [a/x]\Gamma \vdash^{\mathcal{X}}_{\mathcal{R}} [a/x]J$.

(It is left implicit in the principle of substitution that sorts are to be respected, in that the substituting object must be of the same sort as the variable being substituted.) Proliferation is guaranteed by the interpretation of rule schemes as ranging over all expansions of the universe. Renaming is built into the meaning of the generic judgment. Substitution holds as long as the rules themselves are closed under substitution. This need not be the case, but in practice this requirement is usually met.

Parametric derivability is defined analogously to generic derivability, albeit by generalizing over parameters rather than variables:

$$\vec{u}; \vec{x} \mid \Gamma \vdash^{\mathcal{U};\mathcal{X}}_{\mathcal{R}} J \quad\text{iff}\quad \forall \rho : \vec{u} \leftrightarrow \vec{u}' \ \ \forall \pi : \vec{x} \leftrightarrow \vec{x}' \quad \rho \cdot \pi \cdot \Gamma \vdash^{\mathcal{U}, \vec{u}'; \mathcal{X}, \vec{x}'}_{\mathcal{R}} \rho \cdot \pi \cdot J.$$

Evidence for parametric derivability consists of a derivation $\nabla$ involving the parameters $\vec{u}$ and variables $\vec{x}$, each of whose fresh renamings is a derivation of the corresponding renaming of the underlying hypothetical judgment.

Recalling from Chapter 1 that parameters admit disequality, we cannot expect any substitution principle for parameters to hold of a parametric derivability. It does, however, validate the structural properties of proliferation and renaming, because the presence of additional parameters does not affect the formation of an abt, and parametric derivability is defined to respect all fresh renamings of parameters.

3.4 Generic Inductive Definitions

A generic inductive definition admits generic hypothetical judgments in the premises of rules, with the effect of augmenting the variables, as well as the rules, within those premises. A generic rule has the form

$$\frac{\vec{x}\,\vec{x}_1 \mid \Gamma\,\Gamma_1 \vdash J_1 \quad \cdots \quad \vec{x}\,\vec{x}_n \mid \Gamma\,\Gamma_n \vdash J_n}{\vec{x} \mid \Gamma \vdash J} \tag{3.12}$$

The variables $\vec{x}$ are the global variables of the inference, and, for each $1 \le i \le n$, the variables $\vec{x}_i$ are the local variables of the $i$th premise. In most cases a rule is stated for all choices of global variables and global hypotheses. Such rules may be given in implicit form,

$$\frac{\vec{x}_1 \mid \Gamma_1 \vdash J_1 \quad \cdots \quad \vec{x}_n \mid \Gamma_n \vdash J_n}{J} \tag{3.13}$$

A generic inductive definition is just an ordinary inductive definition of a family of formal generic judgments of the form $\vec{x} \mid \Gamma \vdash J$. Formal generic judgments are identified up to renaming of variables, so that the latter judgment is treated as identical to the judgment $\vec{x}' \mid \pi \cdot \Gamma \vdash \pi \cdot J$ for any renaming $\pi : \vec{x} \leftrightarrow \vec{x}'$. If $\mathcal{R}$ is a collection of generic rules, we write $\vec{x} \mid \Gamma \vdash_{\mathcal{R}} J$ to mean that the formal generic judgment $\vec{x} \mid \Gamma \vdash J$ is derivable from rules $\mathcal{R}$. When specialized to a collection of generic rules, the principle of rule induction states that to show $P(\vec{x} \mid \Gamma \vdash J)$ whenever $\vec{x} \mid \Gamma \vdash_{\mathcal{R}} J$, it is enough to show that $P$ is closed under the rules $\mathcal{R}$. Specifically, for each rule in $\mathcal{R}$ of the form (3.12), we must show that

if $P(\vec{x}\,\vec{x}_1 \mid \Gamma\,\Gamma_1 \vdash J_1)$ \ldots\ $P(\vec{x}\,\vec{x}_n \mid \Gamma\,\Gamma_n \vdash J_n)$ then $P(\vec{x} \mid \Gamma \vdash J)$. By the identification convention (stated in Chapter 1) the property $P$ must respect renamings of the variables in a formal generic judgment.

To ensure that the formal generic judgment behaves like a generic judgment, the following structural rules must be admissible:

$$\frac{}{\vec{x} \mid \Gamma, J \vdash J} \tag{3.14a}$$

$$\frac{\vec{x} \mid \Gamma \vdash J}{\vec{x} \mid \Gamma, J' \vdash J} \tag{3.14b}$$

$$\frac{\vec{x} \mid \Gamma \vdash J}{\vec{x}, x \mid \Gamma \vdash J} \tag{3.14c}$$

$$\frac{\vec{x}, x' \mid [x \leftrightarrow x'] \cdot \Gamma \vdash [x \leftrightarrow x'] \cdot J}{\vec{x}, x \mid \Gamma \vdash J} \tag{3.14d}$$

$$\frac{\vec{x} \mid \Gamma \vdash J \quad \vec{x} \mid \Gamma, J \vdash J'}{\vec{x} \mid \Gamma \vdash J'} \tag{3.14e}$$

$$\frac{\vec{x}, x \mid \Gamma \vdash J \quad a \in \mathcal{B}[\vec{x}]}{\vec{x} \mid [a/x]\Gamma \vdash [a/x]J} \tag{3.14f}$$

The admissibility of Rule (3.14a) is, in practice, ensured by explicitly including it. The admissibility of Rules (3.14b) and (3.14c) is assured if each of the generic rules is uniform, because we may assimilate the additional variable, $x$, to the global variables, and the additional hypothesis, $J'$, to the global hypotheses. The admissibility of Rule (3.14d) is ensured by the identification convention for the formal generic judgment. Rule (3.14f) must be verified explicitly for each inductive definition.

The concept of a generic inductive definition extends to parametric judgments as well. Briefly, rules are defined on formal parametric judgments of the form $\vec{u}; \vec{x} \mid \Gamma \vdash J$, with parameters $\vec{u}$ as well as variables $\vec{x}$. Such formal judgments are identified up to renaming of their variables and their parameters, to ensure that the meaning is independent of the choice of variable and parameter names.

3.5 Notes

The concepts of entailment and generality are fundamental to logic and programming languages. The formulation given here builds on Martin-Löf (1983, 1987) and Avron (1991). Hypothetical and general reasoning are consolidated into a single concept in the AUTOMATH languages (Nederpelt et al., 1994) and in the LF Logical Framework (Harper et al., 1993). These systems permit arbitrarily nested combinations of hypothetical and general judgments, whereas the present account considers only general hypothetical judgments over basic judgment forms.

The failure to distinguish parameters from variables is the source of many errors in language design. The crucial distinction is that whereas it makes sense to distinguish cases based on whether two parameters are the same or distinct, it makes no sense to do so for variables, because disequality is not preserved by substitution. Adhering carefully to this distinction avoids much confusion and complication in language design (see, for example, Chapter 41).

Part II

Chapter 4 Statics

Most programming languages exhibit a phase distinction between the static and dynamic phases of processing. The static phase consists of parsing and type checking to ensure that the program is well-formed; the dynamic phase consists of execution of well-formed programs. A language is said to be safe exactly when well-formed programs are well-behaved when executed.

The static phase is specified by a statics comprising a collection of rules for deriving typing judgments stating that an expression is well-formed of a certain type. Types mediate the interaction between the constituent parts of a program by "predicting" some aspects of the execution behavior of the parts so that we may ensure they fit together properly at run-time. Type safety tells us that these predictions are accurate; if not, the statics is considered to be improperly defined, and the language is deemed unsafe for execution.

In this chapter we present the statics of the language $\mathcal{L}\{\mathtt{num}\ \mathtt{str}\}$ as an illustration of the methodology that we shall employ throughout this book.

4.1 Syntax

When defining a language we shall be primarily concerned with its abstract syntax, specified by a collection of operators and their arities. The abstract syntax provides a systematic, unambiguous account of the hierarchical and binding structure of the language, and is therefore to be considered the official presentation of the language. However, for the sake of clarity, it is also useful to specify minimal concrete syntax conventions, without going through the trouble to set up a fully precise grammar for it.


We will accomplish both of these purposes with a syntax chart, whose meaning is best illustrated by example. The following chart summarizes the abstract and concrete syntax of $\mathcal{L}\{\mathtt{num}\ \mathtt{str}\}$.

Typ  τ ::= num             num                  numbers
           str             str                  strings
Exp  e ::= x               x                    variable
           num[n]          n                    numeral
           str[s]          "s"                  literal
           plus(e1; e2)    e1 + e2              addition
           times(e1; e2)   e1 * e2              multiplication
           cat(e1; e2)     e1 ^ e2              concatenation
           len(e)          |e|                  length
           let(e1; x.e2)   let x be e1 in e2    definition

This chart defines two sorts, Typ, ranged over by $\tau$, and Exp, ranged over by $e$. The chart defines a collection of operators and their arities. For example, the operator let has arity (Exp, (Exp)Exp), which specifies that it has two arguments of sort Exp, and binds a variable of sort Exp in the second argument.

4.2 Type System

The role of a type system is to impose constraints on the formations of phrases that are sensitive to the context in which they occur. For example, whether or not the expression $\mathtt{plus}(x; \mathtt{num}[n])$ is sensible depends on whether or not the variable $x$ is restricted to have type $\mathtt{num}$ in the surrounding context of the expression. This example is, in fact, illustrative of the general case, in that the only information required about the context of an expression is the type of the variables within whose scope the expression lies. Consequently, the statics of $\mathcal{L}\{\mathtt{num}\ \mathtt{str}\}$ consists of an inductive definition of generic hypothetical judgments of the form

$$\vec{x} \mid \Gamma \vdash e : \tau,$$

where $\vec{x}$ is a finite set of variables, and $\Gamma$ is a typing context consisting of hypotheses of the form $x : \tau$, one for each $x \in \vec{x}$. We rely on typographical conventions to determine the set of variables, using the letters $x$ and $y$ for variables that serve as parameters of the typing judgment. We write $x \notin \mathrm{dom}(\Gamma)$ to indicate that there is no assumption in $\Gamma$ of the form $x : \tau$ for any type $\tau$, in which case we say that the variable $x$ is fresh for $\Gamma$.


The rules defining the statics of $\mathcal{L}\{\mathtt{num}\ \mathtt{str}\}$ are as follows:

$$\frac{}{\Gamma, x : \tau \vdash x : \tau} \tag{4.1a}$$

$$\frac{}{\Gamma \vdash \mathtt{str}[s] : \mathtt{str}} \tag{4.1b}$$

$$\frac{}{\Gamma \vdash \mathtt{num}[n] : \mathtt{num}} \tag{4.1c}$$

$$\frac{\Gamma \vdash e_1 : \mathtt{num} \quad \Gamma \vdash e_2 : \mathtt{num}}{\Gamma \vdash \mathtt{plus}(e_1; e_2) : \mathtt{num}} \tag{4.1d}$$

$$\frac{\Gamma \vdash e_1 : \mathtt{num} \quad \Gamma \vdash e_2 : \mathtt{num}}{\Gamma \vdash \mathtt{times}(e_1; e_2) : \mathtt{num}} \tag{4.1e}$$

$$\frac{\Gamma \vdash e_1 : \mathtt{str} \quad \Gamma \vdash e_2 : \mathtt{str}}{\Gamma \vdash \mathtt{cat}(e_1; e_2) : \mathtt{str}} \tag{4.1f}$$

$$\frac{\Gamma \vdash e : \mathtt{str}}{\Gamma \vdash \mathtt{len}(e) : \mathtt{num}} \tag{4.1g}$$

$$\frac{\Gamma \vdash e_1 : \tau_1 \quad \Gamma, x : \tau_1 \vdash e_2 : \tau_2}{\Gamma \vdash \mathtt{let}(e_1; x.e_2) : \tau_2} \tag{4.1h}$$

In Rule (4.1h) we tacitly assume that the variable $x$ is not already declared in $\Gamma$. This condition may always be met by choosing a suitable representative of the $\alpha$-equivalence class of the let expression.

It is easy to check that every expression has at most one type by induction on typing, which is rule induction applied to Rules (4.1).

Lemma 4.1 (Unicity of Typing). For every typing context $\Gamma$ and expression $e$, there exists at most one $\tau$ such that $\Gamma \vdash e : \tau$.

Proof. By rule induction on Rules (4.1), making use of the fact that variables have at most one type in any typing context.

The typing rules are syntax-directed in the sense that there is exactly one rule for each form of expression. Consequently it is easy to give necessary conditions for typing an expression that invert the sufficient conditions expressed by the corresponding typing rule.

Lemma 4.2 (Inversion for Typing). Suppose that $\Gamma \vdash e : \tau$. If $e = \mathtt{plus}(e_1; e_2)$, then $\tau = \mathtt{num}$, $\Gamma \vdash e_1 : \mathtt{num}$, and $\Gamma \vdash e_2 : \mathtt{num}$, and similarly for the other constructs of the language.

Proof. These may all be proved by induction on the derivation of the typing judgment $\Gamma \vdash e : \tau$.

In richer languages such inversion principles are more difficult to state and to prove.


4.3 Structural Properties

The statics enjoys the structural properties of the generic hypothetical judgment.

Lemma 4.3 (Weakening). If $\Gamma \vdash e' : \tau'$, then $\Gamma, x : \tau \vdash e' : \tau'$ for any $x \notin \mathrm{dom}(\Gamma)$ and any type $\tau$.

Proof. By induction on the derivation of $\Gamma \vdash e' : \tau'$. We will give one case here, for Rule (4.1h). We have that $e' = \mathtt{let}(e_1; z.e_2)$, where by the identification convention on the let expression we may assume $z$ is chosen such that $z \notin \mathrm{dom}(\Gamma)$ and $z \neq x$. By induction we have

1. $\Gamma, x : \tau \vdash e_1 : \tau_1$,

2. $\Gamma, x : \tau, z : \tau_1 \vdash e_2 : \tau'$,

from which the result follows by Rule (4.1h).

Lemma 4.4 (Substitution). If $\Gamma, x : \tau \vdash e' : \tau'$ and $\Gamma \vdash e : \tau$, then $\Gamma \vdash [e/x]e' : \tau'$.

Proof. By induction on the derivation of $\Gamma, x : \tau \vdash e' : \tau'$. We again consider only Rule (4.1h). As in the preceding case, $e' = \mathtt{let}(e_1; z.e_2)$, where $z$ may be chosen so that $z \neq x$ and $z \notin \mathrm{dom}(\Gamma)$. We have by induction and Lemma 4.3 (weakening supplies $\Gamma, z : \tau_1 \vdash e : \tau$ for the second item) that

1. $\Gamma \vdash [e/x]e_1 : \tau_1$,

2. $\Gamma, z : \tau_1 \vdash [e/x]e_2 : \tau'$.

By the choice of $z$ (which, being fresh for $\Gamma$, does not occur free in $e$) we have

$$[e/x]\mathtt{let}(e_1; z.e_2) = \mathtt{let}([e/x]e_1; z.[e/x]e_2).$$

It follows by Rule (4.1h) that $\Gamma \vdash [e/x]\mathtt{let}(e_1; z.e_2) : \tau'$, as desired.

From a programming point of view, Lemma 4.3 allows us to use an expression in any context that binds its free variables: if $e$ is well-typed in a context $\Gamma$, then we may "import" it into any context that includes the assumptions $\Gamma$. In other words the introduction of new variables beyond those required by an expression, $e$, does not invalidate $e$ itself; it remains well-formed, with the same type.¹ More significantly, Lemma 4.4 expresses the concepts of modularity and linking. We may think of the expressions $e$ and $e'$ as two components of a larger system in which the component $e'$ is to be thought of as a client of the implementation $e$. The client declares a variable specifying the type of the implementation, and is type checked knowing only this information. The implementation must be of the specified type in order to satisfy the assumptions of the client. If so, then we may link them to form the composite system, $[e/x]e'$. This may itself be the client of another component, represented by a variable, $y$, that is replaced by that component during linking. When all such variables have been implemented, the result is a closed expression that is ready for execution (evaluation).

The converse of Lemma 4.4 is called decomposition. It states that any (large) expression may be decomposed into a client and implementor by introducing a variable to mediate their interaction.

Lemma 4.5 (Decomposition). If $\Gamma \vdash [e/x]e' : \tau'$, then for every type $\tau$ such that $\Gamma \vdash e : \tau$, we have $\Gamma, x : \tau \vdash e' : \tau'$.

Proof. The typing of $[e/x]e'$ depends only on the type of $e$ wherever it occurs, if at all.

This lemma tells us that any sub-expression may be isolated as a separate module of a larger system. This is especially useful when the variable $x$ occurs more than once in $e'$, because then one copy of $e$ suffices for all occurrences of $x$ in $e'$.
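The following Python program is an added example, not code from the book: it implements Rules (4.1) as a syntax-directed type checker over a tuple encoding of the abstract syntax (the encoding, the names `typeof`, `subst`, `link` and `demo`, and the sample programs are all my own choices). The `let` case enforces the side condition of Rule (4.1h) by α-renaming the bound variable when it is already declared in $\Gamma$; `subst` is capture-avoiding, which is exactly what the proof of Lemma 4.4 relies on when it chooses $z \neq x$ and $z \notin \mathrm{dom}(\Gamma)$; and `link` carries out the client/implementation reading of Lemma 4.4 (and, read backwards, of Lemma 4.5) by typing the client against a declared variable, typing the implementation, substituting, and retyping the linked program.

```python
"""Statics of L{num str}: Rules (4.1) as a type checker, capture-avoiding
substitution, and Lemma 4.4 read as linking.  Added example, not the book's
code.  Expressions are tuples tagged with the chart's operator names: ("var", x),
("num", n), ("str", s), (op, e1, e2) for op in plus/times/cat, ("len", e),
("let", e1, x, e2) with x bound in e2."""

NUM, STR = "num", "str"                        # the sort Typ

class IllTyped(Exception):
    pass

def free_vars(e):
    tag = e[0]
    if tag == "var":
        return {e[1]}
    if tag in ("num", "str"):
        return set()
    if tag == "let":
        return free_vars(e[1]) | (free_vars(e[3]) - {e[2]})
    return set().union(*(free_vars(a) for a in e[1:]))

def fresh(base, avoid):
    z = base
    while z in avoid:
        z += "'"
    return z

def subst(e, x, t):
    """[e/x]t, capture-avoiding: a let binder that would capture a free
    variable of e is first renamed to a fresh representative."""
    tag = t[0]
    if tag == "var":
        return e if t[1] == x else t
    if tag in ("num", "str"):
        return t
    if tag != "let":
        return (tag,) + tuple(subst(e, x, a) for a in t[1:])
    _, e1, z, e2 = t
    e1 = subst(e, x, e1)
    if z == x:                                 # x is bound here: e2 has no free x
        return ("let", e1, z, e2)
    if z in free_vars(e):
        z2 = fresh(z, free_vars(e) | free_vars(e2) | {x})
        z, e2 = z2, subst(("var", z2), z, e2)
    return ("let", e1, z, subst(e, x, e2))

def typeof(ctx, e):
    """The unique tau with ctx |- e : tau (Lemma 4.1); raises IllTyped if none."""
    tag = e[0]
    if tag == "var":                           # (4.1a)
        if e[1] not in ctx:
            raise IllTyped(f"unbound variable {e[1]}")
        return ctx[e[1]]
    if tag == "str":                           # (4.1b)
        return STR
    if tag == "num":                           # (4.1c)
        return NUM
    if tag in ("plus", "times", "cat"):        # (4.1d), (4.1e), (4.1f)
        want = STR if tag == "cat" else NUM
        if typeof(ctx, e[1]) != want or typeof(ctx, e[2]) != want:
            raise IllTyped(f"{tag} expects two {want} arguments")
        return want
    if tag == "len":                           # (4.1g)
        if typeof(ctx, e[1]) != STR:
            raise IllTyped("len expects a str argument")
        return NUM
    _, e1, x, e2 = e                           # (4.1h)
    tau1 = typeof(ctx, e1)
    if x in ctx:                               # side condition: x not declared in ctx,
        x2 = fresh(x, set(ctx) | free_vars(e2))   # met by alpha-renaming the let
        x, e2 = x2, subst(("var", x2), x, e2)
    return typeof({**ctx, x: tau1}, e2)

def link(ctx, x, client, impl):
    """Lemma 4.4 as linking: type the client knowing only x : tau, check that the
    implementation has type tau, substitute, and retype the linked program."""
    tau = typeof(ctx, impl)
    tau_client = typeof({**ctx, x: tau}, client)
    linked = subst(impl, x, client)
    return tau_client, typeof(ctx, linked), linked

def demo():
    # Constructed sample programs (not from the book).
    # client = let x be impl ^ "!" in |x| with impl declared; impl = "ab" ^ "c"
    client = ("let", ("cat", ("var", "impl"), ("str", "!")), "x", ("len", ("var", "x")))
    impl = ("cat", ("str", "ab"), ("str", "c"))
    tau_client, tau_linked, _ = link({}, "impl", client, impl)
    # Lemma 4.3: an extra, unused assumption leaves the client's type unchanged.
    tau_weak = typeof({"impl": STR, "unused": NUM}, client)
    # Capture case: [x/y](let x be 1 in y + x) must rename the bound x.
    e_prime = ("let", ("num", 1), "x", ("plus", ("var", "y"), ("var", "x")))
    _, tau_cap, renamed = link({"x": NUM}, "y", e_prime, ("var", "x"))
    try:                                       # no rule in (4.1) types 1 + "a"
        typeof({}, ("plus", ("num", 1), ("str", "a")))
        error = None
    except IllTyped as err:
        error = str(err)
    return {"client": tau_client, "linked": tau_linked, "weakened": tau_weak,
            "capture": tau_cap, "renamed": renamed, "ill_typed": error}
```

`demo()` links a constructed client against an implementation, shows that an added unused assumption leaves the client's type unchanged (Lemma 4.3), and substitutes a free variable named $x$ into a let that binds $x$, where a naive substitution would capture it: the result is `let x' be 1 in x + x'`, still of type num. It also reports the error raised for `1 + "a"`, which no rule in (4.1) can type.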

The statics of $\mathcal{L}\{\mathtt{num}\ \mathtt{str}\}$ given by Rules (4.1) exemplifies a recurrent pattern. The constructs of a language are classified into one of two forms, the introductory and the eliminatory. The introductory forms for a type determine the values, or canonical forms, of that type. The eliminatory forms determine how to manipulate the values of a type to form a computation of another (possibly the same) type. In $\mathcal{L}\{\mathtt{num}\ \mathtt{str}\}$ the introductory forms for the type $\mathtt{num}$ are the numerals, and those for the type $\mathtt{str}$ are the literals. The eliminatory forms for the type $\mathtt{num}$ are addition and multiplication, and those for the type $\mathtt{str}$ are concatenation and length.

The importance of this classification will become apparent once we have defined the dynamics of the language in Chapter 5. Then we will see that the eliminatory forms are inverse to the introductory forms in that they "take apart" what the introductory forms have "put together." The coherence of the statics and dynamics of a language expresses the concept of type safety, the subject of Chapter 6.

¹ This may seem so obvious as to be not worthy of mention, but, surprisingly, there are useful type systems that lack this property. Because they do not validate the structural principle of weakening, they are called sub-structural type systems.

4.4 Notes

The concept of the static semantics of a programming language was historically slow to develop, perhaps because the earliest languages had relatively few features and only very weak type systems. The concept of a static semantics in the sense considered here was introduced in the definition of the Standard ML programming language (Milner et al., 1997), building on much earlier work by Church and others on the typed λ-calculus (Barendregt, 1992). The concept of introduction and elimination, and the associated inversion principle, was introduced by Gentzen in his pioneering work on natural deduction (Gentzen, 1969). These principles were applied to the structure of programming languages by Martin-Löf (1984, 1980).

Chapter 5 Dynamics

The dynamics of a language is a description of how programs are to be executed. The most important way to define the dynamics of a language is by the method of structural dynamics, which defines a transition system that inductively specifies the step-by-step process of executing a program. Another method for presenting dynamics, called contextual dynamics, is a variation of structural dynamics in which the transition rules are specified in a slightly different manner. An equational dynamics presents the dynamics of a language equationally by a collection of rules for deducing when one program is definitionally equal to another.

5.1 Transition Systems

A transition system is specified by the following four forms of judgment:

1. $s\ \mathsf{state}$, asserting that $s$ is a state of the transition system.

2. $s\ \mathsf{final}$, where $s\ \mathsf{state}$, asserting that $s$ is a final state.

3. $s\ \mathsf{initial}$, where $s\ \mathsf{state}$, asserting that $s$ is an initial state.

4. $s \mapsto s'$, where $s\ \mathsf{state}$ and $s'\ \mathsf{state}$, asserting that state $s$ may transition to state $s'$.

In practice we always arrange things so that no transition is possible from a final state: if $s\ \mathsf{final}$, then there is no $s'\ \mathsf{state}$ such that $s \mapsto s'$. A state from which no transition is possible is sometimes said to be stuck. Whereas all final states are, by convention, stuck, there may be stuck states in a transition system that are not final. A transition system is deterministic iff for every state $s$ there exists at most one state $s'$ such that $s \mapsto s'$; otherwise it is non-deterministic.

A transition sequence is a sequence of states $s_0, \ldots, s_n$ such that $s_0\ \mathsf{initial}$, and $s_i \mapsto s_{i+1}$ for every $0 \le i < n$. A transition sequence is maximal iff there is no $s$ such that $s_n \mapsto s$, and it is complete iff it is maximal and, in addition, $s_n\ \mathsf{final}$. Thus every complete transition sequence is maximal, but maximal sequences are not necessarily complete. The judgment $s \downarrow$ means that there is a complete transition sequence starting from $s$, which is to say that there exists $s'\ \mathsf{final}$ such that $s \mapsto^{*} s'$.

The iteration of the transition judgment, $s \mapsto^{*} s'$, is inductively defined by the following rules:

$$\frac{}{s \mapsto^{*} s} \tag{5.1a}$$

$$\frac{s \mapsto s' \quad s' \mapsto^{*} s''}{s \mapsto^{*} s''} \tag{5.1b}$$
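An added example (not the book's code) that makes the abstract definitions of this section executable: a `TransitionSystem` holding the $\mathsf{state}$, $\mathsf{initial}$ and $\mathsf{final}$ judgments and the step relation, with methods that decide stuck and deterministic, compute $s \mapsto^{*} s'$ as the closure under Rules (5.1), decide $s \downarrow$, and enumerate maximal and complete transition sequences. The class, its method names and the system returned by `sample_system` are my own constructions.

```python
"""Transition systems as in Section 5.1: a system is given by its states, the
initial and final judgments and the step relation |->.  Added example, not the
book's code; the class, method names and the sample system are my own."""

from collections import deque

class TransitionSystem:
    def __init__(self, states, initial, final, steps):
        self.states, self.initial, self.final = set(states), set(initial), set(final)
        self.steps = {}                        # s -> set of s' with s |-> s'
        for s, s2 in steps:
            self.steps.setdefault(s, set()).add(s2)
        for s in self.final:                   # convention: final states do not step
            if self.steps.get(s):
                raise ValueError(f"final state {s!r} has a transition")

    def successors(self, s):
        return self.steps.get(s, set())

    def is_stuck(self, s):
        """No s' with s |-> s'.  Every final state is stuck; not conversely."""
        return not self.successors(s)

    def is_deterministic(self):
        return all(len(self.successors(s)) <= 1 for s in self.states)

    def reaches(self, s):
        """{s' | s |->* s'}, the least set closed under rules (5.1): (5.1a)
        puts s in it, and (5.1b) adds s'' whenever s |-> s' and s' |->* s''."""
        seen, work = {s}, deque([s])
        while work:
            cur = work.popleft()
            for nxt in self.successors(cur):
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
        return seen

    def halts(self, s):
        """The judgment 's halts' (s with a down arrow): some final s' has s |->* s'."""
        return any(t in self.final for t in self.reaches(s))

    def maximal_sequences(self, s):
        """All maximal transition sequences s = s0, ..., sn with s initial and sn
        stuck.  Only simple paths (no repeated state) are enumerated, so in a
        cyclic system the infinitely many sequences that go round a cycle are
        omitted; the sample system is acyclic."""
        if s not in self.initial:
            raise ValueError(f"{s!r} is not an initial state")
        out = []

        def extend(path):
            cur = path[-1]
            if self.is_stuck(cur):
                out.append(tuple(path))
                return
            for nxt in sorted(self.successors(cur), key=repr):
                if nxt not in path:
                    extend(path + [nxt])

        extend([s])
        return out

    def complete_sequences(self, s):
        """Maximal sequences whose last state is final."""
        return [p for p in self.maximal_sequences(s) if p[-1] in self.final]

def sample_system():
    """Constructed example: from 5 the system reaches 4, which may step to 2
    (then to the final state 1) or to 3, which is stuck but not final."""
    return TransitionSystem(states=range(1, 6), initial={5}, final={1},
                            steps=[(5, 4), (4, 2), (4, 3), (2, 1)])
```

In the sample system the state 3 is stuck but not final, so (5, 4, 3) is maximal without being complete, while (5, 4, 2, 1) is complete; state 4 has two successors, so the system is non-deterministic, and 5 still halts because one of its complete sequences reaches 1. The constructor enforces the convention that no transition leaves a final state and raises `ValueError` otherwise.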

When applied to the definition of iterated transition, the principle of rule induction states that to show that $P(s, s')$ holds whenever $s \mapsto^{*} s'$, it is enough to show these two properties of $P$:

1. $P(s, s)$.

2. If $s \mapsto s'$ and $P(s', s'')$, then $P(s, s'')$.

The first requirement is to show that $P$ is reflexive. The second is to show
