Proof pearl: Abella formalization of λ-calculus cube property

Beniamino Accattoli
INRIA (Parsifal) & Ecole polytechnique (LIX)
Carnegie Mellon University
Accattoli (INRIA & CMU)
Proof pearl: Abella formalization of λ-calculus cube property
1 / 26
3 mini-pearls

This proof pearl consists of three more or less independent mini-pearls:
1) Representing and reasoning about untyped terms in Abella.
2) A beautiful definition of residuals, due to Gérard Huet.
3) A clean and simple proof of the cube property for residuals.
Outline

1) Representing untyped terms in Abella, and the diamond property
2) Representing residuals
3) The cube property
Abella
Abella is a recent proof assistant, developed by Andrew Gacek. It is based on work of Gacek, Miller, Nadathur, and Tiu. It is maintained by Kaustuv Chaudhuri at INRIA (Parsifal team). Its features: Higher-Order Abstract Syntax (HOAS); the nominal quantifier ∇, called nabla; induction and co-induction.
Untyped terms in Abella
HOAS handles binders and capture-avoiding substitution naturally. HOAS-based tools, however, usually do not manage free variables naturally. Nabla handles free variables very naturally.
λ-calculus in HOAS

Encoding of λ-calculus in HOAS:

  app : tm -> tm -> tm.
  abs : (tm -> tm) -> tm.

The predicate "M is a term":

  Define is_a_term : tm -> prop by
    nabla x, is_a_term x;
    is_a_term (abs M) := nabla x, is_a_term (M x);
    is_a_term (app M N) := is_a_term M /\ is_a_term N.

A β-redex (λx.M)N is given by app (abs M) N. M is a function, and M N denotes (meta-level) function application. Hence the reduct M{x/N} is simply written M N.
Confluence for λ-calculus

A rewriting system (S, →) is confluent when t →* u1 and t →* u2 imply that there exists s such that u1 →* s and u2 →* s.

Confluence in general is difficult to prove. It is easy if the system has the diamond property: t → u1 and t → u2 imply that there exists s such that u1 → s and u2 → s.

λ-calculus is not an easy case.
Parallel reductions

Confluence for λ-calculus by Tait-Martin-Löf's technique. Idea: find a new reduction ⇒ such that:
1) ⇒ extends →β: →β ⊆ ⇒ ⊆ →β*.
2) ⇒ is confluent because it has the diamond property.

By (1) we get ⇒* = →β*. So →β is confluent. We focus on the diamond property, of which residuals are a generalization.
Parallel reduction

Let's define ⇒:

  x ⇒ x

  t ⇒ t'
  ------------------
  λx.t ⇒ λx.t'

  t ⇒ t'    u ⇒ u'
  ------------------
  tu ⇒ t'u'

  t ⇒ t'    u ⇒ u'
  ------------------------
  (λx.t)u ⇒ t'{x/u'}

In Abella:

  Define pred : tm -> tm -> prop by
    nabla x, pred x x;
    pred (abs T) (abs T') := nabla x, pred (T x) (T' x);
    pred (app T U) (app T' U') := pred T T' /\ pred U U';
    pred (app (abs T) U) (T' U') := nabla x, pred (T x) (T' x) /\ pred U U'.
Proof of the diamond property

Lemma (Substitution lemma for ⇒). If t ⇒ t' and u ⇒ u' then t{x/u} ⇒ t'{x/u'}.

Proof. By induction on t ⇒ t'. The formal proof is as it would be on the blackboard:

  Theorem pred_sub : forall T T' U U', nabla x,
    pred (T x) (T' x) -> pred U U' -> pred (T U) (T' U').
  induction on 1. intros. case H1.
    search. % Base case (T x) = x
    search. % Base case (T x) = y
    apply IH to H3 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
Proof of the diamond property 2

Theorem (Diamond property). t ⇒ u1 and t ⇒ u2 imply that there exists s such that u1 ⇒ s and u2 ⇒ s.

Proof. By induction on t ⇒ u1 and case analysis of t ⇒ u2.

  Theorem diamond : forall T U1 U2,
    pred T U1 -> pred T U2 -> exists S, pred U1 S /\ pred U2 S.
  induction on 1. intros. case H1.
    case H2. search.
    case H2. apply IH to H3 H4. search.
    case H2.
      apply IH to H3 H5. apply IH to H4 H6. search.
      case H3. apply IH to H4 H5. apply IH to H7 H6. apply pred_sub to H11 H9. search.
    case H2.
      case H5. apply IH to H3 H6. apply IH to H4 H7. apply pred_sub to H10 H8. search.
      apply IH to H3 H5. apply IH to H4 H6. apply pred_sub to H9 H7. apply pred_sub to H10 H8. search.
Outline, part 2: Representing residuals
Residuals

Residuals are a refinement of parallel reduction. The refinement consists in:
1) Making explicit the set of redexes R reduced in a parallel step, written t ⇒_R u, and
2) Adding a tracing system for redexes satisfying the parallel moves property: the redexes reduced to close (local) diagrams can be traced back to the starting term. That is, t ⇒_P u1 and t ⇒_R u2 imply that there exist s, R/P and P/R such that u1 ⇒_{R/P} s and u2 ⇒_{P/R} s.

R/P is the set of redexes which are residuals of R after P.
Examples in λ-calculus

Let I := λx.x.

P/R is the empty set. In (λx.y)(II), let P be the redex II and R the outer redex:

  (λx.y)(II) ⇒_P (λx.y)I      and      (λx.y)(II) ⇒_R y
  (λx.y)I ⇒_{R/P} y           and      y ⇒_{P/R} y

Since x does not occur in y, firing R erases the redex II: P/R = ∅.

P/R has more than one element. In (λx.xx)(II), let P be the redex II and R the outer redex:

  (λx.xx)(II) ⇒_P (λx.xx)I     and      (λx.xx)(II) ⇒_R (II)(II)
  (λx.xx)I ⇒_{R/P} II          and      (II)(II) ⇒_{P/R} II

Firing R duplicates the redex II: P/R consists of the two copies of II.
Representing sets of redexes

A set of redexes R of a term t is a decoration of t, where the redexes in R have been underlined:

  R, P, S ::= x | λx.R | RP | (λx.R)P      (the last production is the underlined, i.e. marked, redex)

Example: the four possible sets of redexes of (λx.(II))I are obtained by underlining neither redex, only II, only the outer redex, or both.

Simplification: redexes, and not applications, are marked. Consequence: no notion of well-formed term is required (called regular terms in Huet's paper).
Huet's pearl

Idea: residuals as parallel reduction indexed by a set of redexes. A set of residuals R/P is a set of redexes, i.e. a marked term. R/P is defined as the term R' such that R ⇒_P R', where (the index P is a marking of the same term as R):

  x ⇒_x x

  R ⇒_P R'
  --------------------
  λx.R ⇒_{λx.P} λx.R'

  R ⇒_P R'    S ⇒_Q S'
  --------------------
  RS ⇒_{PQ} R'S'

  R ⇒_P R'    S ⇒_Q S'
  ------------------------------        (the redex is not underlined in the index (λx.P)Q:
  (λx.R)S ⇒_{(λx.P)Q} (λx.R')S'          it is kept, underlined in R' iff it is underlined in R)

  R ⇒_P R'    S ⇒_Q S'
  ------------------------------        (the redex is underlined in the index (λx.P)Q: it is fired,
  (λx.R)S ⇒_{(λx.P)Q} R'{x/S'}           whether or not it is underlined in R, and has no residual)
Outline, part 3: The cube property
The diamond property (t ⇒ u1 and t ⇒ u2 imply u1 ⇒ s and u2 ⇒ s for some s) lifts via residuals to the parallel moves property:

  t ⇒_P u1 and t ⇒_R u2 imply u1 ⇒_{R/P} s and u2 ⇒_{P/R} s for some s.

For the cube property (due to J.-J. Lévy) just replace t with a set of redexes S:

  S ⇒_P S/P and S ⇒_R S/R imply S/P ⇒_{R/P} Q and S/R ⇒_{P/R} Q for some Q, i.e. (S/P)/(R/P) = (S/R)/(P/R).

The cube is a contextual refinement of the parallel moves: ⇒_P followed by ⇒_{R/P}, and ⇒_R followed by ⇒_{P/R}, act in the same way on any set of redexes S.
The substitution lemma

Residuals satisfy a substitution property:

Lemma (substitution lemma for residuals). If R ⇒_P R' and S ⇒_Q S' then R{x/S} ⇒_{P{x/Q}} R'{x/S'}.

Proof. By induction on R ⇒_P R'.

Compare with parallel reduction: if t ⇒ t' and u ⇒ u' then t{x/u} ⇒ t'{x/u'}.
Cube property

The cube property can be proved exactly as the diamond property:

Theorem (Cube property). S ⇒_P S/P and S ⇒_R S/R imply that there exists Q such that S/P ⇒_{R/P} Q and S/R ⇒_{P/R} Q.

Proof. By induction on S ⇒_P S/P and case analysis of S ⇒_R S/R.

1 def., 1 lemma, 1 theorem: much simpler than Huet's development.
Cube and prism

Huet's proof uses a more fundamental prism property. In the abstract theory of residuals (van Oostrom-de Vrijer) the cube is an axiom, not the prism. Our proof does not use the prism, but we can include it, revisiting Huet's approach.

Define the union R ∪ S as the term with the marks in R or S. The cube-prism property: S ⇒_P S/P, S ⇒_R S/R and S ⇒_{R∪P} S/(R∪P), with S/P ⇒_{R/P} S/(R∪P) and S/R ⇒_{P/R} S/(R∪P); that is, the cube closes exactly at S/(R∪P). It is proved exactly as the cube property.
Abella development

The formalization: 2 definitions, 1 lemma, and 1 theorem.

  Define res : mtm -> mtm -> mtm -> prop by
    nabla x, res x x x;
    res (mabs R) (mabs P) (mabs R') := nabla x, res (R x) (P x) (R' x);
    res (mapp R S) (mapp P Q) (mapp R' S') := res R P R' /\ res S Q S';
    res (mredex R S) (mapp (mabs P) Q) (mredex R' S') :=
      nabla x, res (R x) (P x) (R' x) /\ res S Q S';
    res (mapp (mabs R) S) (mredex P Q) (R' S') :=
      nabla x, res (R x) (P x) (R' x) /\ res S Q S';
    res (mredex R S) (mredex P Q) (R' S') :=
      nabla x, res (R x) (P x) (R' x) /\ res S Q S'.

  Define res_union : mtm -> mtm -> mtm -> prop by
    nabla x, res_union x x x;
    res_union (mabs R) (mabs P) (mabs Q) := nabla x, res_union (R x) (P x) (Q x);
    res_union (mapp R S) (mapp P T) (mapp Q U) := res_union R P Q /\ res_union S T U;
    res_union (mredex R S) (mredex P T) (mredex Q U) :=
      nabla x, res_union (R x) (P x) (Q x) /\ res_union S T U;
    res_union (mapp (mabs R) S) (mredex P T) (mredex Q U) :=
      nabla x, res_union (R x) (P x) (Q x) /\ res_union S T U;
    res_union (mredex R S) (mapp (mabs P) T) (mredex Q U) :=
      nabla x, res_union (R x) (P x) (Q x) /\ res_union S T U.

  Theorem res_subst : forall R P R' S Q S', nabla x,
    res (R x) (P x) (R' x) -> res S Q S' -> res (R S) (P Q) (R' S').
  induction on 1. intros. case H1.
    search.
    search.
    apply IH to H3 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.

  Theorem prism_cube : forall Q P R Q' Q'',
    res Q R Q'' -> res Q P Q' ->
    exists P' R' RunionP S,
      res P R P' /\ res R P R' /\ res Q' R' S /\ res Q'' P' S /\
      res Q RunionP S /\ res_union P R RunionP.
  induction on 1. intros. case H1.
    case H2. search.
    case H2. apply IH to H3 H4. search.
    case H2.
      apply IH to H3 H5. apply IH to H4 H6. search.
      case H3. apply IH to H4 H6. apply IH to H7 H5. apply res_subst to H16 H10. search.
    case H2.
      apply IH to H3 H5. apply IH to H4 H6. search.
      apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H9 H15. search.
    case H2.
      case H5. apply IH to H3 H7. apply IH to H4 H6. apply res_subst to H11 H17. search.
      apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H9 H15. apply res_subst to H10 H16. search.
    case H2.
      apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H10 H16. search.
      apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H9 H15. apply res_subst to H10 H16. search.
Complete developments

A form of prism property is also true for parallel reduction (the diagram on t, u1, u2 and s). The proof of the diamond property via complete developments (by Takahashi) is an instance. Let t° be the complete development of t. Then t ⇒ u1 and t ⇒ u2 imply u1 ⇒ t° and u2 ⇒ t°: the diamond closes at t°.

Once again, the proof structure is the same. Randy Pollack's formalization in Abella has 18 lemmas, mine has 2!
Conclusions

Abella is an excellent tool for untyped calculi with binders. Formalized proofs faithfully reflect pen-and-paper proofs. Our case study: a strikingly simple formalization of the λ-calculus cube property. Work in progress: formalization of Böhm's separation theorem.
THANKS!