Complete Bidirectional Typing for the Calculus of Inductive Constructions
CComplete Bidirectional Typing for the Calculus ofInductive Constructions
Meven Lennon-Bertrand ! ˇ LS2N, Université de Nantes — Gallinette Project Team, Inria, France
Abstract
This article presents a bidirectional type system for the Calculus of Inductive Constructions (CIC).It introduces a novel judgement intermediate between the usual inference and checking, dubbedconstrained inference, to handle the presence of computation in types. The key property is thecompleteness of the system with respect to the usual undirected one, which has been formally provenin Coq as a part of the MetaCoq project. Although it plays a central role in an ongoing completenessproof for a realistic typing algorithm, the interest of bidirectionality is much wider, as it clarifiesprevious works in the area and gives strong insights and structure when trying to prove propertieson CIC or design variations and extensions.
Theory of computation → Type theory
Keywords and phrases
Bidirectional Typing, Calculus of Inductive Constructions, Coq, ProofAssistants
Digital Object Identifier
Supplementary Material
Software (Formalization) : https://github.com/MevenBertrand/metacoq/tree/itp-artefact In logical programming, a very important information about judgements is the mode ofthe objects involved, i.e., which ones are considered inputs or outputs. When examiningthis distinction for a typing judgement Γ ⊢ t : T , both the term t under inspection andthe context Γ of this inspection are known, they are thus inputs. The mode of the type T ,however, is much less clear: should it be inferred based upon Γ and t , or do we merely wantto check whether t conforms to a given T ? Both are sensible approaches, and in fact typingalgorithms for complex type systems usually alternate between them during the inspectionof a single term/program. The bidirectional approach makes this difference between modesexplicit, by decomposing undirected typing Γ ⊢ t : T into two separate judgments Γ ⊢ t ▷ T (inference) and Γ ⊢ t ◁ T (checking) , that differ only by modding. This decomposition allowstheoretical work on practical typing algorithms, but also gives a finer grained structure totyping derivations, which can be of purely theoretical interest even without any algorithm insight.Although those seem appealing, and despite advocacy by McBride [9, 10] to adopt thisapproach when designing type systems, most of the dependent typing world to this dayremains undirected. Some others than McBride’s appeal to bidirectionality, starting withCoquand [7] and continuing with Norell [12] or Abel [1]. However, all of these considerunannotated λ -abstractions. This lack of annotations, although sensible for lightness, posesan inherent completeness problem, as a term like ( λ x.x ) 0 does not type-check against type N in those systems. Very few have considered the case of annotated abstractions, apart We call anything related to the Γ ⊢ t : T judgement undirected by contrast with the bidirectional typing. We chose ▷ and ◁ rather than the more usual ⇒ and ⇐ to avoid confusion with implication on paper,and with the Coq notation for functions in the development. © Meven Lennon-Bertrand;licensed under Creative Commons License CC-BY 4.042nd Conference on Very Important Topics (CVIT 2016).Editors: John Q. Open and Joan R. Access; Article No. 23; pp. 23:1–23:17Leibniz International Proceedings in InformaticsSchloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany a r X i v : . [ c s . P L ] F e b from Asperti and the Matita team [3], who however concentrate mostly on specific problemspertaining to unification and implementation of the Matita elaborator, without giving ageneral bidirectional framework. They also do not consider the problem of completeness withrespect to a given undirected system, as it would fail in their setting due to the undecidabilityof higher order unification.Thus, we wish to fill a gap in the literature, by describing a bidirectional type system thatis complete with respect to the (undirected) Calculus of Inductive Constructions (CIC). Bycompleteness, we mean that any term that is typable in the undirected system should also infera type in the bidirectional one. This feature is very desirable when implementing kernels forproof assistants, whose algorithms should correspond to their undirected specification, nevermissing any typable term. The bidirectional systems we describe thus forms intermediatesbetween actual algorithms and undirected type systems. This step has proven useful in anongoing completeness proof of MetaCoq’s [17] type-checking algorithm : rather than provingthe algorithm complete directly, the idea is to prove it equivalent to the bidirectional typesystem, separating the implementation problems from the ones regarding the bidirectionalstructure.But having a bidirectional type system equivalent to the undirected one has other purelytheoretical interests. First, the structure of a bidirectional derivation is more constrainedthan that of an undirected one, especially regarding the uses of computation. This finerstructure can make proofs easier, while the equivalence ensures they can be transported tothe undirected world. For instance, in a setting with cumulativity/subtyping, the inferredtype for a term t should by construction be smaller than any other types against which t checks. This provides an easy proof of the existence of principal types in the undirectedsystem. The bidirectional structure also provides a better base for extensions. This wasactually the starting point for this investigation: in [8], we quickly describe a bidirectionalvariant of CIC, as the usual undirected CIC is unfit for the gradual extension we envisiondue to the too high flexibility of a free-standing conversion rule. This is the system we wishto thoroughly describe and investigate here.Our main technical contributions are twofold. First the identification of a new constrainedinference judgement introduced in Section 2 together with general ideas around bidirectionaltyping in the rather simple setting of pure type systems. Secondly, a formalized proof ofequivalence between PCUIC – the extension of CIC nowadays at the heart of Coq – and abidirectional type system described on a high level in Section 3, built on top of MetaCoq.We next turn to less technical considerations, as we believe that the bidirectional structureis of general interest. Section 4 thus describes the interest of basing an extension of CICon the bidirectional system directly rather than on the equivalent undirected one. FinallySection 5 investigates in length the related work, and in particular identifies the implicitpresence of the bidirectional structure in various earlier articles, showing how making thisstructure explicit clarifies those. A completeness bug in that algorithm – also present in the Coq kernel – has already been found, seeSection 3 for details. A version frozen as described in this article is available in the following git branch: https://github.com/MevenBertrand/metacoq/tree/itp-artefact . . Lennon-Bertrand 23:3 ⊢ Γ ⊢ · Empty ⊢ Γ Γ ⊢ A : □ i ⊢ Γ , x : A Ext Γ ⊢ t : T ⊢ ΓΓ ⊢ □ i : □ i +1 Sort ⊢ Γ Γ ⊢ A : □ i Γ , x : A ⊢ x : A Var Γ ⊢ x : A Γ ⊢ B : □ i Γ , y : B ⊢ x : A Weak Γ ⊢ A : □ i Γ , x : A ⊢ B : □ j Γ ⊢ Π x : A.B : □ i ∨ j Prod Γ ⊢ Π x : A.B : □ i Γ , x : A ⊢ t : B Γ ⊢ λ x : A.t : Π x : A.B
Abs Γ ⊢ t : Π x : A.B Γ ⊢ u : A Γ ⊢ t u : B [ x := u ] App Γ ⊢ t : A Γ ⊢ B : □ i A ≡ B Γ ⊢ t : B Conv
Figure 1
Undirected typing for CC ω – PTS-style ω ω As a starting point, let us consider CC ω . It is the backbone of CIC, and we can alreadyillustrate most of our methodology on it. CC ω belongs to the wider class of pure type systems(PTS), that has been thoroughly studied and described, see for instance [4]. Since there aremany presentational variations, let us first give a precise account of our conventions. Terms in CC ω are given by the grammar t ::= x | □ i | Π x : t.t | λ x : t.t | t t where the letter x denotes a variable (so will letters y and z ), and the letter i is an integer(we will also use letters j , k and l for those). All other Latin letters will be used for terms,with the upper-case ones used to suggest the corresponding terms should be though of astypes — although this is not a syntactical separation. We abbreviate Π x : A.B by A → B when B does not depend on x , as is customary. On those terms, reduction → is defined asthe least congruence such that ( λ x : T.t ) u → t [ x := u ], where t [ x := u ] denotes substitution . Conversion ≡ is the symmetric, reflexive, transitive closure of reduction. Finally, contexts arelists of variable declarations x : t and are denoted using capital Greek letters. We write · forthe empty list, Γ , x : T for concatenation, and ( x : T ) ∈ Γ if ( x : T ) appears in Γ. Combiningthose, we can define typing Γ ⊢ t : T as in Figure 1, where i ∨ j denotes the maximum of i and j . We use well-formed to denote ⊢ Γ for a context, the existence of i such that Γ ⊢ T : □ i for a type T (in an implicit context), or the existence of T such that Γ ⊢ t : T for a term t (again in an implicit context). We also say t is well-typed for the latter.As any PTS, CC ω has many desirable properties. We summarize the ones we need here,see [4] for proofs. C V I T 2 0 1 6 ▶ Proposition 1 (Properties of CC ω ) . The type system CC ω as just described enjoys thefollowing properties: Confluence
Reduction → is confluent. As a direct consequence, two terms are convertiblejust when they have a common reduct: t ≡ u if only if there exists t ′ such that t → ∗ t ′ and u → ∗ t ′ . Transitivity
Conversion is transitive.
Subject reduction If Γ ⊢ t : T and t → t ′ then Γ ⊢ t ′ : T . Validity If Γ ⊢ t : T then T is well-formed, e.g. there exists some i such that Γ ⊢ T : □ i . ω Bidirectional
McBride’s discipline.
To design our bidirectional type system, we follow a discipline exposedby McBride [9, 10]. The central point is to distinguish in a judgment between the subject,whose well-formedness is under scrutiny, from inputs, whose well-formedness is a conditionfor the judgment to behave well, and outputs, whose well-formedness is a consequence ofthe judgment. For instance, in inference Γ ⊢ t ▷ T , the subject is t , Γ is an input and T isan output. This means that one should consider whether Γ ⊢ t ▷ T only in cases where ⊢ Γis already known, and if the judgment is derivable it should be possible to conclude thatboth t and T are well-formed. All inference rules are to preserve this invariant. This meansthat inputs to a premise should be well-formed whenever the inputs to the conclusion andoutputs and subjects of previous premises are. Similarly the outputs of the conclusion shouldbe well-formed if the inputs of the conclusion and the subjects and outputs of the premisesare assumed to be so.This distinction also applies to the computation-related judgments, although those haveno subject. For conversion testing T ≡ T ′ both T and T ′ are inputs, and thus should beknown to be well-formed beforehand. For reduction T → ∗ T ′ , T is an input and T ′ is anoutput, so only T needs to be well-formed, with the subject reduction property of the systemensuring that the output T ′ is also well-formed. Constrained inference.
Beyond the already described inference and checking judgementsanother one appears in the bidirectional typing rules of Figure 2: constrained inference ,written Γ ⊢ t ▷ h T , where h is either Π or □ – and will be extended once we introduceinductive types. Constrained inference is a judgement (or, rather, a family of judgementsindexed by h ) with the exact same modding as inference, but where the type output is notcompletely free. Rather, as the name suggests, a constraint is imposed on it, namely thatits head constructor can only be the corresponding element of h . This is useful to handlethe behaviour absent in simple types that some terms might not have a desired type “onthe nose”. This is exemplified by the first premise Γ ⊢ t ▷ Π Π x : A.B of the
App rule for t u .Indeed, it would be too much to ask t to directly infer a Π-type, as some reduction mightbe needed on T to uncover this Π. Checking also cannot be used, because the domain andcodomain of the tentative Π-type are not known at that point: they are to be inferred from t . Structural rules.
To transform the rules of Figure 1 to those of Figure 2, we start byrecalling that we wish to present a obtain bidirectional typing. Therefore any term shouldinfer a type, and thus all structural rules (i.e. all rules where the subject of the conclusionstarts with a term constructor) should give rise to an inference rule. It thus remains to chosethe judgements for the premises, which amounts to choosing how to mod them. If a termin a premise appears as input in the conclusion or output of a previous premise, then it . Lennon-Bertrand 23:5
Inference: Γ ⊢ t ▷ T Γ ⊢ □ i ▷ □ i +1 Sort ( x : T ) ∈ ΓΓ ⊢ x ▷ T Var Γ ⊢ A ▷ □ □ i Γ , x : A ⊢ B ▷ □ □ j Γ ⊢ Π x : A.B ▷ □ i ∨ j Prod Γ ⊢ A ▷ □ □ i Γ , x : A ⊢ t ▷ B Γ ⊢ λ x : A.t ▷ Π x : A.B
Abs Γ ⊢ t ▷ Π Π x : A.B Γ ⊢ u ◁ A Γ ⊢ t u ▷ B [ x := u ] App
Checking: Γ ⊢ t ◁ T Γ ⊢ t ▷ T ′ T ′ ≡ T Γ ⊢ t ◁ T Check
Constrained inference: Γ ⊢ t ▷ h T Γ ⊢ t ▷ T T → ∗ □ i Γ ⊢ t ▷ □ □ i Sort-Inf Γ ⊢ t ▷ T T → ∗ Π x : A.B Γ ⊢ t ▷ Π Π x : A.B
Prod-Inf
Figure 2
Bidirectional typing for CC ω can be considered an input, otherwise it must be an output. Moreover, if a type output isunconstrained, then inference can be used, otherwise we must resort to constrained inference.This applies straightforwardly to most rules but the PST-style Abs rule. Indeed, if onelooks at the undirected premises, the premise Γ ⊢ Π x : A.B : □ i needs A and B to be known,and only A is known from the conclusion, thus it cannot be the first premise. However, onealso cannot put Γ , x : A ⊢ t : B as the first premise, because A is not known to be well-formedat that point, thus Γ , x : A cannot be used as an input. The solution is to split the premiseΓ ⊢ Π x : A.B : □ i into the equivalent Γ ⊢ A : □ j and Γ , x : A ⊢ B : □ j ′ . The former canbecome the first premise, ensuring that type inference for t is done in a well-formed context,and the latter can be simply dropped based upon our invariant that outputs – here the type B inferred for t — can be assumed to be well-formed.Similarly, as the context is always supposed to be well-formed as an input to the conclusion,it is not useful to re-check it, and thus the premise to Var can be dropped, and undirectedrules
Var and
Weak can be fused into one single
Var . This is in line with implementations,where the context is not re-checked at leaves of a derivation tree, with performance issues inmind. The well-formedness invariants ensure that any derivation starting with the emptycontext will only use well-formed contexts.
Computation rules.
We are now left with the non-structural conversion rule. As weobserved, there are two ways to mode computation: if both sides are inputs, conversion canbe used, but if only one is known one must resort to conversion, and the other side becomesan output instead. Rule
Check corresponds to the first case, while rules
Prod-Inf and
Sort-Inf both are in the second case. This difference in turn introduces the need to separatebetween checking, that calls for the first rule, and constrained inference, that requires theothers.
C V I T 2 0 1 6
To the best of our knowledge, this difference in modding of conversion and the resultingintroduction of constrained inference have never been described on paper, although theyappear in the typing and elaboration algorithms of proof assistants based upon dependenttype theory, such as Coq, Lean or Agda. Instead, in presentations in print, constrainedinference has been inlined in some way, as is also often the case for checking, so that Γ ⊢ t : T is used where we use Γ ⊢ t ▷ T , the bidirectional structure being left implicit. This is sensiblesince in Figure 2 there is only one rule to derive checking and constrained inference. However,as soon as typing features appear that complicate conversion, such as unification [3], coercions[3, 16] or graduality [8], having singled out those judgements makes the structure clearer andexplains the choices made for the modification of typing that could appear ad-hoc otherwise.We come back to this more in length in Section 5.1. Let us now state the two main properties relating the bidirectional system to the undirectedone: it is both correct (terms typable in the bidirectional system are typable in the undirectedsystem) and complete (all terms typable in the undirected system are also typable in thebidirectional system).
A bidirectional derivation can be seen as a refinement of an undirected derivation. Indeed, thebidirectional structure can be erased – replacing each bidirectional rule with the correspondingundirected rule – to obtain an undirected derivation, but for missing sub-derivations, whichcan be retrieved using the invariants on well-formedness of inputs and outputs. Thus,we get the following correctness theorem – note how McBride’s discipline manifests aswell-formedness hypothesis on inputs. ▶ Theorem 2 (Correctness of bidirectional typing for CC ω ) . If Γ is well-formed and Γ ⊢ t ▷ T or Γ ⊢ t ▷ h T then Γ ⊢ t : T . If Γ and T are well-formed and Γ ⊢ t ◁ T then Γ ⊢ t : T . Proof.
The proof is by mutual induction on the bidirectional typing derivation.Each rule of the bidirectional system can be replaced by the corresponding rule of theundirected system, with all three
Check , Prod-Inf and
Sort-Inf replaced by
Conv , Abs using an extra
Prod rule, and
Var using a succession of
Weak and a final
Var . In allcases, the induction hypothesis can be used on sub-derivations of the bidirectional judgmentbecause the context is extended using types that are known to be well-formed, and similarlychecking is done against a type that is known to be well-formed by previous premises.Some sub-derivations of the undirected rules that have no counterpart in the bidirectionalones are however missing. In rules
Sort and
Var the hypothesis that ⊢ Γ is enough toget the required premise. For rule
Check , the well-formedness hypothesis on the type isneeded to get the second premise of rule
Conv . As for
Prod-Inf and
Sort-Inf , that secondpremise is obtained by subject reduction. Finally, the missing premise on the codomain ofthe product type in rule
Abs is obtained by validity of the undirected system, but could beinstead handled by strengthening the theorem to incorporate the well-formedness of typeswhen they are outputs. ◀ . Lennon-Bertrand 23:7 Let us now state the most important property of our bidirectional system: it does not missany undirected derivation. ▶ Theorem 3 (Completeness of bidirectional typing for CC ω ) . If Γ ⊢ t : T then there exists T ′ such that Γ ⊢ t ▷ T ′ and T ′ ≡ T . Proof.
The proof is by induction on the undirected typing derivation.Rules
Sort and
Var are base cases, and can be replaced by the corresponding rulesin the bidirectional world. Rules
Weak and
Conv are both direct consequences of theinduction hypothesis on their first premise, together with transitivity of conversion for thelatter.For rule
Prod , we need the intermediate lemma that if T is a term such that T ≡ □ i ,then also T → ∗ □ i . This is a consequence of confluence of reduction. In turn, it implies thatif Γ ⊢ t ▷ T and T ≡ □ i then Γ ⊢ t ▷ □ □ i , and is enough to conclude for that rule.In rule Abs , the induction hypothesis gives Γ ⊢ Π x : A.B ▷ T for some T , and an inversionon this gives Γ ⊢ A ▷ □ □ i for some i . Combined with the second induction hypothesis, it givesΓ ⊢ λ x : A.t ▷ Π x : A.B ′ for some B ′ such that B ≡ B ′ , and thus Π x : A.B ≡ Π x : A.B ′ asdesired.We are finally left with the App rule. We know that Γ ⊢ t ▷ T with T ≡ Π x : A.B .Confluence then implies that T → ∗ Π x : A ′ .B ′ for some A ′ and B ′ such that A ≡ A ′ and B ≡ B ′ . Thus Γ ⊢ t ▷ Π Π x : A ′ .B ′ . But by induction hypothesis we also know that Γ ⊢ u ▷ A ′′ with A ′′ ≡ A and so by transitivity of conversion Γ ⊢ u ◁ A ′ . We can thus apply App toconclude. ◀ Contrarily to correctness, which kept a similar derivation structure, completeness is ofa different nature. Because in bidirectional derivations the conversion rules are much lessliberal than in undirected derivations, the bulk of the proof is to ensure that conversions canbe permuted with structural rules, in order to concentrate them in the places where they areauthorized in the bidirectional derivation. In a way, composing completeness with conversiongives a kind of normalization procedure that produces a canonical undirected derivation bypushing all conversions down as much as possible.
The judgements of Figure 2 are syntax-directed, in the sense that there is always at mostone rule that can be used to derive a certain typing judgements. But with the rules asgiven there is still some indeterminacy. Indeed when appealing to reduction no strategy isfixed, thus two different reducts give different uses of the rule, resulting in different inferredtypes – although those are still convertible. However, a reduction strategy can be imposedto completely eliminate indeterminacy in typing, leading to the following. ▶ Proposition 4 (Reduction strategy) . If → ∗ is replaced by weak-head reduction in rules Sort-Inf and
Prod-Inf , then given a well-formed context Γ and a term t there is at mostone derivation of Γ ⊢ t ▷ T and Γ ⊢ t ▷ h T , and so in particular such a T is unique. Similarly,given well-formed Γ and T and a term t there is at most one derivation of Γ ⊢ t◁T . Moreover,the existence of those derivations is decidable. The algorithm for deciding the existence of the derivations is straightforward from themodded rules, it amounts to structural recursion on the subject.
C V I T 2 0 1 6 ω to PCUIC CC ω is already a powerful system, but today’s proof assistants rely on much more complexfeatures. The Predicative Calculus of Cumulative Inductive Constructions (PCUIC), the typetheory nowadays behind the Coq proof assistant, for instance features the impredicative sortProp, the sort SProp of irrelevant propositions, algebraic universes, cumulativity, polymorphicand mutual inductive and co-inductive types, (co-)fixpoints, primitive projections. . . This isa good stress test for the bidirectional approach: being able to adapt seamlessly to thosefeatures is a good sign that the methodology we presented should be able to handle otherextensions. In this section, we present some modifications and additions to the system ofSection 2 needed to treat the most usual features of PCUIC.Bidirectional judgments incorporating the elements described is this section have beenformally proven correct and complete with respect to the description of PCUIC in theMetaCoq project [17]. While working on this, we were able to uncover an incompleteness bugin the current kernel of Coq regarding pattern-matching of cumulative inductive types. Thisbug had gone unnoticed until our formalization, but was causing subject reduction failuresin corner cases with inductive types .As a demonstration of the use of bidirectionality for reasoning, the formalization alsocontains a proof of the uniqueness of inferred types and of the existence of principal types asa direct corollary. PCUIC incorporates a limited form of subtyping. Conversion ≡ is replaced by cumulativity ⪯ , a very similar relation, but with the difference that it relaxes the constraint on universes:for conversions □ i ≡ □ j only when i = j , but for cumulativity □ i ⪯ □ j whenever i ≤ j . Theconversion rule is accordingly replaced by the following cumulativity ruleΓ ⊢ t : A Γ ⊢ B : □ i A ⪯ B Γ ⊢ t : B Cumul
This reflects the view that universes □ i should be included one in the next when going up inthe hierarchy. In CC ω , all types for a given term t in a fixed context Γ are equally good, asthey are all convertible. This is not the case any more in presence of cumulativity, as we canhave T ⪯ T ′ but not T ≡ T ′ . Of particular interest are principal types, defined as follows. ▶ Definition 5 (Principal type) . The term T is called a principal type for term t in context Γ if it is a least type for t in Γ , that is if Γ ⊢ t : T and for any T ′ such that Γ ⊢ t : T ′ wehave T ⪯ T ′ . The existence of such principal types is no so easy to prove directly but quite useful, asthey are in a sense the best types for any terms. Indeed, if T is a principal type for t inΓ and T ′ is any other type for t , the Cumul rule can be used to deduce Γ ⊢ t : T ′ fromΓ ⊢ t : T , which in general is not the case if T is not principal. Similarly, if T and T ′ are twotypes for a term t , then they are not directly related, but the existence of principal types The formalized theorem is at line 419 and following of BDToPCUIC.v. The formalized theorem is at line 387 and following of BDFromPCUIC.v. The precise technical problem is described in the following git issue: https://github.com/coq/coq/issues/13495 . The corresponding theorems are respectively at line 347 and 355 of BDUnique.v. . Lennon-Bertrand 23:9 ensures that there exists some T ′′ that is a type for t and such that T ⪯ T ′ and T ⪯ T ′′ ,indirectly relating T ′ and T ′′ .Reflecting this modification in the bidirectional system of course calls for an update tothe computation rules. The change to the Check rule is direct: simply replace conversionwith cumulativity: Γ ⊢ t ▷ A A ⪯ B Γ ⊢ t ◁ B Cumul
As to the constrained inference rules, there is no need to modify them. Intuitively, this isbecause there is no reason to degrade a type to a larger one when it is not needed. Weonly resort to cumulativity when it is forced by a given input. In that setting, completenessbecomes the following: ▶ Theorem 6 (Completeness with cumulativity) . If Γ ⊢ t : T using rules of Figure 1 replacing Conv with
Cumul , then Γ ⊢ t ▷ T ′ is derivable with rules of Figure 2 replacing Check with
Cumul for some T ′ such that T ′ ⪯ T . In that setting, even without fixing a reduction strategy as in Proposition 4, thereis a weaker uniqueness property for inference types, that is vacuous in a setting withoutcumulativity, where all types are convertible. ▶ Proposition 7 (Uniqueness of inferred type) . If Γ is well-formed, Γ ⊢ t ▷ T and Γ ⊢ t ▷ T ′ then T ≡ T ′ . Similarly if Γ is well-formed, Γ ⊢ t ▷ h T and Γ ⊢ t ▷ h T ′ then T ≡ T ′ . Proof.
Mutual induction on the first derivation. It is key that constrained inference rulesonly reduce a type, so that the type in the conclusion is convertible to the type in the premise,rather than merely in cumulativity relation. ◀ In particular, those two properties with a correctness property akin to Theorem 2, we canprove that any inferred type is principal, and so that they both exist and are computable sincethe bidirectional judgement can still be turned into an algorithm in the spirit of Proposition 4. ▶ Proposition 8 (Principal types) . If Γ is well-formed and Γ ⊢ t ▷ T then T is a principaltype for t in Γ . Proof.
If Γ ⊢ t : T ′ , then by completeness there exists some T ′′ such that Γ ⊢ t ▷ T ′′ andmoreover T ′′ ⪯ T ′ . But by uniqueness T ≡ T ′′ ⪯ T ′ and thus T ⪯ T ′ , and T is indeed aprincipal type for t in Γ. ◀ Reasoning on the bidirectional derivation thus makes proofs easier, with the correctnessand completeness properties ensure they can be carried to the undirected system. Anotherway to understand this is that seeing completeness followed by correction as a normalizationprocedure on derivations, the produced canonical derivation is more structured and thusmore amenable to proofs. Here for instance the uniqueness of the inferred type translates tothe existence of principal types via completeness, and the normalization of the derivationsoptimizes it to derive a principal type.
Sum type.
Before we turn to the general case of inductive types of the formalization, let uspresent a simple inductive type: dependent sums. The undirected rules are given in Figure 3,and are inspired from the theoretical presentation of such dependent sums, such at the one
C V I T 2 0 1 6 Γ ⊢ A : □ i Γ , x : A ⊢ B : □ j Γ ⊢ Σ x : A.B : □ i ∨ j Σ -type Γ ⊢ A : □ i Γ , x : A ⊢ B : □ j Γ ⊢ a : A Γ ⊢ b : B [ x := a ]Γ ⊢ ( a, b ) A,x.B : Σ x : A.B Σ -cons Γ , z : Σ x : A.B ⊢ P : □ i Γ , x : A, y : B ⊢ b : P [ z := ( x, y )] Γ ⊢ s : Σ x : A.B Γ ⊢ rec Σ ( z.P, x.y.p, s ) : P [ z := s ] Σ -rec Figure 3
Undirected sum type of the Homotopy Type Theory book [19]. In particular, we use the same convention towrite y.P when variable y is bound in P . Note however that contrarily to [19], some typinginformation is kept on the pair constructor. Exactly as for the abstraction, this is to beable to infer a unique, most general type in the bidirectional system. Indeed, without thatinformation a pair ( a, b ) could inhabit multiple types Σ x : A.B because there are potentiallymany incomparable types B such that B [ x := a ] is a type for b , as even if B [ x := a ] and B ′ [ x := a ] are convertible B and B ′ may be quite different, depending of which instances of a in B [ x := a ] are abstracted to x .To obtain the bidirectional rules of Figure 4, first notice that all undirected rules arestructural and must thus become inference rules if we want the resulting system to becomplete, just as in Section 2. Thus the question is which modes to choose for the premises.For Σ -type and Σ -cons this is straightforward: when the type appears in the conclusion,use checking, otherwise (constrained) inference. The case of the destructors is somewhatmore complex. Handling the subterms of the the destructor in the order in which they usuallyappear (predicate, branches and finally scrutinee) is not possible, as the context parametersof the inductive type are needed to construct the context for the predicate. However thosecan be inferred from the scrutinee. Thus, a type for the scrutinee is obtained first using anew constrained inference judgment, forcing the inferred type to be a Σ-type, but leavingits parameters free. Next, the obtained arguments can be used to construct the context totype the predicate. Finally, once the predicate is known to be well-formed, it can be used totype-check the branch.This same approach can be readily extended to other usual inductive types, with recursionor indices posing no specific problems, see Figure 5. Polymorphic, Cumulative Inductive Types.
The account of inductive types in PCUIC isquite different from the one we just gave. On the theoretical side, the main addition isuniverse polymorphism [18], which means that inductive types and constructors come withexplicit universe levels. The Σ-type of the previous paragraph, for instance, would contain anexplicit universe level i , and both A and B would be checked against □ i rather than havingtheir level inferred. This makes the treatment of general inductive types easier, at the costof possibly needless annotations, as here with Σ-types. To make that polymorphism moreseamless, those polymorphic inductive types are also cumulative [20]: in much the same wayas □ i ⪯ □ j if i ≤ j , also N @ i ⪯ N @ j , where @ i and @ j are two different universe levels of thepolymorphic inductive N . This enables lifting from a lower inductive type to a higher one, so . Lennon-Bertrand 23:11 Γ ⊢ t ▷ T Γ ⊢ A ▷ □ □ i Γ , x : A ⊢ B ▷ □ □ j Γ ⊢ Σ x : A.B ▷ □ i ∨ j Σ -type Γ ⊢ A ▷ □ □ i Γ , x : A ⊢ B ▷ □ □ j Γ ⊢ a ◁ A Γ ⊢ b ◁ B [ x := a ]Γ ⊢ ( a, b ) A,x.B ▷ Σ x : A.B Σ -cons Γ ⊢ s ▷ Σ Σ x : A.B Γ , z : Σ x : A.B ⊢ P ▷ □ □ i Γ , x : A, y : B ⊢ b ◁ P [ z := ( x, y )]Γ ⊢ rec Σ ( z.P, x.y.b, s ) ▷ P [ z := s ] Σ -rec Γ ⊢ t ▷ h T Γ ⊢ t ▷ T T → ∗ Σ x : A.B Γ ⊢ t ▷ Σ Σ x : A.B Σ -Inf Figure 4
Bidirectional sum type that for instance ⊢ i : N j if i ≤ j .Apart from that difference, PCUIC as presented in MetaCoq has constructors andinductive types as functions, rather than requiring them to be fully applied. It also separatesrecursors into a pattern-matching and a fixpoint construct, the latter coming with a specificguard condition to keep the normalization property enjoyed by a system with recursors.All those choices aim at making the system more flexible and practically usable, but theycome with a price: the complexity of the structure of terms is much higher. In particular,contrarily to what happens in Σ -rec , the information needed to type the predicate P andbranch b cannot be simply inferred from the scrutinee s – thinking erroneously that thiswas the case led to the incompleteness bug we mentioned. Instead the case constructormust contain the universe instance and parameters that are used to type the predicate andscrutinee.A sketch of the resulting rules is given in Figure 6, for a generic inductive I . We use boldcharacters to denote lists – for instance a is a list of terms – and indexes to denote a specificelement – so that a k is the k -th element of the previous. The considered inductive I hasparameters of type X , indices of type Y and inhabits some universe □ l . Its constructors c k are of types Π( x : X )( y : Y k ) , I x u . Because we are considering a cumulative inductivetype, all of those actually have to be instantiate with universe levels, an operation we denotewith @ i ,. Apart from the extra checking that the parameters given in the match constructhave the correct type, and the extra cumulativity check to compare the parameters obtainedfrom the scrutinee and the ones in the node, the structure of the match construct is quitesimilar to that of the sum type. Concerning the fixpoint construct, the most important partthere is the guard condition, but as the bidirectional approach has nothing to add here weleave it out. C V I T 2 0 1 6 Γ ⊢ t ▷ T Γ ⊢ N ▷ □ Γ ⊢ ▷ N Γ ⊢ n ◁ N Γ ⊢ S( n ) ▷ N Γ ⊢ s ▷ N N Γ , z : N ⊢ P ▷ □ □ i Γ ⊢ b ◁ P [ z := 0] Γ , x : N , p : P [ z := x ] ⊢ b S ◁ P [ z := S( x )]Γ ⊢ rec N ( z.P, b , x.p.b S , s ) ▷ P [ z := s ]Γ ⊢ A ▷ □ □ i Γ ⊢ a ◁ A Γ ⊢ a ′ ◁ A Γ ⊢ Id A a a ′ ▷ □ i Γ ⊢ A ▷ □ □ i Γ ⊢ a ◁ A Γ ⊢ refl A a ▷ Id A a a Γ ⊢ s ▷ Id A a a ′ Γ , x : A, z : Id A a x ⊢ P ▷ □ □ i Γ ⊢ b ◁ P [ z := Id A a a ][ x := a ]Γ ⊢ rec Id ( x.z.P, b, s ) ▷ P [ z := s ][ x := a ′ ]Γ ⊢ t ▷ h T Γ ⊢ t ▷ T T → ∗ N Γ ⊢ t ▷ N N Γ ⊢ t ▷ T T → ∗ Id A a a ′ Γ ⊢ t ▷ Id Id A a a ′ Figure 5
Other bidirectional inductive types
The use of our bidirectional structure is not limited to CIC or PCUIC. On the contrary, itforms a solid basis for extensions, as we illustrate now.
The free-standing conversion rule
Conv is very powerful, but sometimes too much. Indeed,the ability to stack as many conversion rules as desired at any place in an undirectedderivation is reasonable only when types are compared using a transitive relation. Whenthis is not the case, for instance when conversion is replaced by a unification-flavouredrelation, the undirected system becomes inadequate, because repeated uses of
Conv candrastically change a type in an undesired fashion. In such a setting, the equivalence betweenthe undirected and the bidirectional system is lost. In such a setting, contrarily to theundirected system, the bidirectional system is still viable, as it enforces a localized use ofconversion: only once, at the interface between inference and checking.This is exactly what happens in [8]. In that paper, the conversion relation is relaxed toaccommodate for an additional term ? that behaves as a wildcard and should be consideredconvertible to any term. Conversion is therefore completely non-transitive, and the extensionneeds to be based on the bidirectional type system rather than the undirected one in orderto ensure that the conversion rule is used in a meaningful way.More generally, since the equivalence between the undirected and directed variants relies . Lennon-Bertrand 23:13 Γ ⊢ t ▷ T Γ ⊢ I @ i ▷ Π( x : X @ i )( y : Y @ i ) , □ l @ i Γ ⊢ c @ i k ▷ Π( x : X @ i )( y : Y k @ i ) , I @ i x u @ ik Γ ⊢ s ▷ I I @ i ′ a b Γ ⊢ p k ◁ X k [ x := p ] Γ , y : Y @ i [ p := x ] , z : I @ i p y ⊢ P ▷ □ □ j I @ i ′ a b ⪯ I @ i p b Γ , y : Y k @ i [ p := x ] ⊢ t k ◁ P [ z := c @ i k p y ][ y := u k @ i ]Γ ⊢ match s in ( I, i , p ) return P with [ t ] ▷ P [ z := s ][ y := b ]Γ ⊢ T ▷ □ □ i Γ , f : T ⊢ t ◁ T guard conditionΓ ⊢ fix f : T := t ▷ T Γ ⊢ t ▷ I T Γ ⊢ t ▷ T T → I a b Γ ⊢ t ▷ I I a b Figure 6
Bidirectional inductive type – PCIC style on all properties of Proposition 1, when one of those fails the equivalence between theundirected and bidirectional systems is endangered. This can be a sign that the bidirectionalsystem should be adapted, but it can also signal that the undirected system has becomemeaningless and that the bidirectional version should be studied instead.
The fact that the unique conversion rule gives rise to multiple bidirectional ones is important:it signals that there are in fact two ways to consider conversion, although the differencebetween both is invisible in undirected presentations. But this difference might not be soeasily overlooked in extensions of CIC, which then need different treatment for them.Taking again the example of [8], the
Check can be kept as such, because the conversionrelation is directly modified in the new system. But this is not the case for partial inference.In fact, rule
Sort-Inf has to be supplemented by another rule to treat the case when theinferred type reduces to the wildcard ?, because such a term can be used as a type – withsome care taken. The same happens for all constrained inference rules.Thus, the bidirectional structure clarifies a fact that might be overlooked by those whodo not dwell in the implementation of proof assistants: reduction does not only serve as asubroutine of conversion checking, it is also directly needed to determine if a given type is asort, a product, an inductive. . . Which is quite different from checking that it is convertibleto a given sort or product type. Of course one could replace reduction by another machineryto accomplish this task, but if one wishes to modify conversion, this specific role of reductionmust be accounted for. Otherwise, rules for ◁ and ▷ h would come out of sync, bringingtroubles down the road. C V I T 2 0 1 6
In works such as [15, 3, 8], the procedure described is not typing but rather elaboration: thesubject of the derivation t is in a kind of source syntax and the aim is not only to inspect t , but also to output a correspond t ′ in some kind of target syntax. The term t ′ is a moreprecise account of term t , for instance with solved meta-variables, inserted coercions, and soon. The structure we describe readily adapts to those settings, the extra term t ′ is simplyconsidered as an output of all judgements. Since it is an output, McBride’s discipline asdescribed in Section 2.2 demands that when Γ ⊢ t ⇝ t ′ ▷ T (with input context Γ, the subject t elaborates to t ′ and infers type T ) we must ensure that Γ ⊢ t ′ : T , and similarly for all othertyping judgements. Having all rules locally preserve this invariant ensures that elaboratedterms are always well-typed. Although explicit and systematic description of constrained inference in a bidirectional settingis new, traces of it in diverse seemingly ad-hoc workarounds can be found in various worksaround typing for CIC, illustrating that this notion, although overlooked, is of interest.In [14], Γ ⊢ t : T is used for what we write Γ ⊢ t ▷ T , but another judgment writtenΓ ⊢ t : ≥ T and denoting type inference followed by reduction is used to effectively inline thetwo hypothesis of our constrained inference rules. Checking is similarly inlined.Saïbi [15] describes an elaboration mechanism inserting coercions between types. Thoseare inserted primarily in checking, when both types are known. However he acknowledges thepresence of two special classes to handle the need to cast a term to a sort or a function typewithout more informations, exactly in the places where we resort to constrained inferencerather than checking.More recently, Sozeau [16] describes a system where conversion is augmented to handlecoercion between subset types. Again, Γ ⊢ t : T is used for inference, and the other judgmentsare inlined. Of interest is the fact that reduction is not enough to perform constrainedinference, because type head constructors can be hidden by the subset construction: a termof subset type such as { f : N → N | f } should be usable as a function of type N → N .An erasure procedure is therefore required on top of reduction to remove subset types in theplaces where we use constrained inference.These traces can also be found in the description of Matita’s elaboration algorithm [3].Indeed, the presence of meta-variables on top of coercions as in the two previous works makesit even clearer that specific treatment of what we identified as constrained inference is required.The authors introduce a special judgement they call type-level enforcing corresponding exactlyto our ▷ □ judgement. As for ▷ Π , they have two rules to apply a function, one where itsinferred type reduces to a product, corresponding to Prod-Inf , and another one to handlethe case when the inferred type instead reduces to a meta-variable. As Saïbi, they alsoneed a special case for coercions of terms in function and type position. However, theirsolution is different. They rely on unification, which is available in their setting, to introducenew meta-variables for the domain and codomain of a product type whenever needed. For ▷ □ though this solution is not viable, as one would need a kind of universe meta-variable.Instead, they rely on backtracking to test multiple possible universe choices.Finally, we have already mentioned [8] in Section 4, where the bidirectional structureis crucial in describing a gradual extension to CIC. In particular, and similarly to what . Lennon-Bertrand 23:15 happens with meta-variables in [3], all constrained inference rules are duplicated: there is onerule when the head constructor is the desired one, and a second one to handle the gradualwildcard. Quite a few articles tackle the problem of bidirectional typing in a setting with an untyped– so called Curry-style – abstraction. This is the case of early work by Coquand [7], thetype system of Agda as described in [12], the systems considered by Abel for instance [1],and much of the work of McBride [11, 9, 10] on the topic. In such systems, λ -abstractionscan only be checked against a given type, but cannot infer one, so that only terms with no β -redexes are typable. Norell argues in [12] that such β -redexes are uncommon in real-lifeprograms, so that being unable to type them is not a strong limitation in practice. Tocircumvent this problem, McBride also adds the possibility of typing annotations to retainthe typability of a term during reduction. While this approach is adapted to programminglanguages, where the emphasis is on lightweight syntax, it is not tenable for a proof assistantkernel, where all valid terms should be accepted. Indeed, debugging a proof that is rejectedbecause the kernel fails to accept a perfectly well-typed term the user never wrote – as mostproofs are generated rather than written directly – is simply not an option.In a setting with typed – Church-style – abstraction, if one wishes to give the possibilityfor seemingly untyped abstraction, another mechanism has to be resorted to, typicallymeta-variables. This is what is done in Matita [3], where the authors combine a rule similarto Abs – where the type of the abstraction is inferred – with another one, similar to theCurry-style one – where abstraction is checked – looking like this: T → ∗ Π x : A ′ .B Γ ⊢ A ▷ □ □ i A ≡ A ′ Γ , x : A ⊢ t ◁ B Γ ⊢ λ x : A.t ◁ T
While such a rule would make a simple system such as that of Section 2 “over-complete”,it is a useful addition to enable information from checking to be propagated upwards inthe derivation. This is crucial in extensions where completeness is lost, such as Matita’selaboration. Similar rules are described in [3] for let-bindings and constructors of inductivetypes.Although only few authors consider the problem of a complete bidirectional algorithm fortype-checking dependent types, we are not the first to attack it. Already Pollack [14] does,and the completeness proof for CC ω of Section 2 is very close to one given in his article.Another proof of completeness for a more complex CIC-like system can be found in [16].None of those however tackle as we do the whole complexity of PCUIC. We already credited the discipline we adopt on well-formedness of inputs and outputs toMcBride [9, 10]. A similar idea has also appeared independently in [5]. Bauer and hisco-authors introduce the notions of a (weakly) presuppositive type theory [5, Def. 5.6] andof well-presented premise-family and rule-boundary [5, Def. 6.16 and 6.17] to describe adiscipline similar to ours, using what they call the boundary of a judgment as the equivalentof our inputs and outputs. Due to their setting being undirected, this is however morerestrictive, because they are not able to distinguish inputs from outputs and thus cannotrelax their condition to only demand inputs to be well-formed but not outputs.
C V I T 2 0 1 6
We have described a judgmental presentation of the bidirectional structure of typing al-gorithms in the setting of dependent types. In particular, we identified a new family ofjudgements we called constrained inference. Those have no counterpart in the non-dependentsetting, as they result from a choice of modding for the conversion rule, which is specific tothe dependent setting. We proved our bidirectional presentation equivalent to an undirectedone, both on paper on the simple case of CC ω , and formally in the much more complexand realistic setting of PCUIC. Finally, we gave various arguments for the usefulness of ourpresentation as a way to ease proofs, an intermediate between undirected type-systems andtyping algorithms, a solid basis to design extensions, and a tool to re-interpret previous workon type systems in a clearer way.Regarding future work, a type-checking algorithm is already part of MetaCoq, and weshould be able to use our bidirectional type system to give a pleasant completeness proof byseparating the concerns pertaining to bidirectionality from the algorithmic problems, such asimplementation of an efficient conversion check or proof of termination. More broadly, ourbidirectional type system should be an interesting tool in the feat of incorporating in a proofassistant features that have been satisfactorily investigated on the theoretical level whilekeeping a complete and correct kernel, avoiding the pitfall of cumulative inductive type’sincomplete implementation in Coq. A first step would be to investigate the discrepanciesbetween the presentations of Section 3, and in particular if all informations currently storedin the case node are really needed, or if a more concise presentation can be given. But wecould go further and study how to handle cubical type theory [21], rewrite rules [6], setoidtype theory [2], exceptional type theory [13], η -conversion. . . Finally, we hope that ourmethodology will be adapted as a base for other theoretical investigations. As a way to easethis adoption, studying it in a general setting such as that of [5] might be a strong argumentfor adoption. References Andreas Abel, Joakim Öhman, and Andrea Vezzosi. Decidability of conversion for type theoryin type theory.
Proc. ACM Program. Lang. , 2(POPL), December 2017. doi:10.1145/3158111 . Thorsten Altenkirch, Simon Boulier, Ambrus Kaposi, and Nicolas Tabareau. Setoid typetheory - a syntactic translation. In
MPC 2019 - 13th International Conference on Mathematicsof Program Construction , volume 11825 of
LNCS , pages 155–196. Springer. doi:10.1007/978-3-030-33636-3\_7 . Andrea Asperti, Wilmer Ricciotti, Claudio Sacerdoti Coen, and Enrico Tassi. A Bi-DirectionalRefinement Algorithm for the Calculus of (Co)Inductive Constructions. Volume 8, Issue 1.URL: https://lmcs.episciences.org/1044 , doi:10.2168/LMCS-8(1:18)2012 . Henk Barendregt. Lambda calculi with types. In
Handbook of Logic in Computer Science . Andrej Bauer, Philipp G. Haselwarter, and Peter LeFanu Lumsdaine. A general definition ofdependent type theories. 2020. arXiv:2009.05539 . Jesper Cockx, Nicolas Tabareau, and Théo Winterhalter. The Taming of the Rew: A TypeTheory with Computational Assumptions.
Proceedings of the ACM on Programming Languages ,2021. URL: https://hal.archives-ouvertes.fr/hal-02901011 . Thierry Coquand. An algorithm for type-checking dependent types.
Science of ComputerProgramming , 26(1), 1996. URL: , doi:https://doi.org/10.1016/0167-6423(95)00021-6 . . Lennon-Bertrand 23:17 Meven Lennon-Bertrand, Kenji Maillard, Nicolas Tabareau, and Éric Tanter. Gradualizingthe calculus of inductive constructions, 2020. URL: https://arxiv.org/abs/2011.10618 , arXiv:2011.10618 . Conor McBride. Basics of bidirectionalism. URL: https://pigworker.wordpress.com/2018/08/06/basics-of-bidirectionalism/ . Conor McBride. Check the box! In . Conor McBride.
I Got Plenty o’ Nuttin’ , pages 207–233. Springer International Publishing,2016. doi:10.1007/978-3-319-30936-1_12 . Ulf Norell.
Towards a practical programming language based on dependent type theory . PhDthesis, Department of Computer Science and Engineering, Chalmers University of Technology,SE-412 96 Göteborg, Sweden, September 2007. Pierre-Marie Pédrot and Nicolas Tabareau. Failure is not an option an exceptional type theory.In
ESOP 2018 - 27th European Symposium on Programming , volume 10801 of
LNCS , pages245–271. Springer. doi:10.1007/978-3-319-89884-1\_9 . R. Pollack. Typechecking in Pure Type Systems. In
Informal Proceedings of the 1992Workshop on Types for Proofs and Programs, Båstad, Sweden , pages 271–288, June 1992. URL: http://homepages.inf.ed.ac.uk/rpollack/export/BaastadTypechecking.ps.gz . Amokrane Saïbi. Typing algorithm in type theory with inheritance. doi:10.1145/263699.263742 . Matthieu Sozeau. Subset coercions in coq. In Thorsten Altenkirch and Conor McBride,editors,
Types for Proofs and Programs , pages 237–252, Berlin, Heidelberg, 2007. SpringerBerlin Heidelberg. Matthieu Sozeau, Abhishek Anand, Simon Boulier, Cyril Cohen, Yannick Forster, FabianKunze, Gregory Malecha, Nicolas Tabareau, and Théo Winterhalter. The MetaCoq Project.
Journal of Automated Reasoning , February 2020. URL: https://hal.inria.fr/hal-02167423 , doi:10.1007/s10817-019-09540-0 . Matthieu Sozeau and Nicolas Tabareau. Universe polymorphism in coq. In Gerwin Klein andRuben Gamboa, editors,
Interactive Theorem Proving , pages 499–514. Springer InternationalPublishing. The Univalent Foundations Program.
Homotopy Type Theory: Univalent Foundations ofMathematics . https://homotopytypetheory.org/book . Amin Timany and Matthieu Sozeau. Cumulative Inductive Types In Coq. In Hélène Kirchner,editor, , volume 108 of
Leibniz International Proceedings in Informatics (LIPIcs) , pages29:1–29:16, Dagstuhl, Germany, 2018. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik.URL: http://drops.dagstuhl.de/opus/volltexte/2018/9199 , doi:10.4230/LIPIcs.FSCD.2018.29 . Andrea Vezzosi, Anders Mörtberg, and Andreas Abel. Cubical agda: A dependently typedprogramming language with univalence and higher inductive types.
Proc. ACM Program.Lang. , 3(ICFP), July 2019. doi:10.1145/3341691 ..