Efficient Mendler-Style Lambda-Encodings in Cedille
aa r X i v : . [ c s . P L ] M a r Efficient Mendler-Style Lambda-Encodings inCedille
Denis Firsov, Richard Blair, and Aaron Stump
Department of Computer ScienceThe University of IowaIowa City, IA, USA {name-lastname}@uiowa.edu
Abstract.
It is common to model inductive datatypes as least fixedpoints of functors. We show that within the Cedille type theory we canrelax functoriality constraints and generically derive an induction prin-ciple for Mendler-style lambda-encoded inductive datatypes, which ariseas least fixed points of covariant schemes where the morphism lifting isdefined only on identities. Additionally, we implement a destructor forthese lambda-encodings that runs in constant-time. As a result, we candefine lambda-encoded natural numbers with an induction principle anda constant-time predecessor function so that the normal form of a nu-meral requires only linear space. The paper also includes several moreadvanced examples.
Keywords: type theory, lambda-encodings, Cedille, induction principle,predecessor function, inductive datatypes
It is widely known that inductive datatypes may be defined in pure impredicativetype theory. For example, Church encodings identify each natural number n with its iterator λ s. λ z. s n z . The Church natural numbers can be typed inSystem F by means of impredicative polymorphism: cNat ◭ ⋆ = ∀ X : ⋆ . (X → X) → X → X. The first objection to lambda-encodings is that it is provably impossible to derivean induction principle in second-order dependent type theory [1]. As a conse-quence, most languages come with a built-in infrastructure for defining inductivedatatypes and their induction principles. Here are the definitions of natural num-bers in Agda and Coq: data Nat : Set Inductive nat : Type :=zero : Nat | 0 : natsuc : Nat → Nat | S : nat → nat. Denis Firsov, Richard Blair, Aaron Stump
Coq will automatically generate the induction principle for nat , and in Agda itcan be derived by pattern matching and explicit structural recursion.Therefore, we can ask if it is possible to extend the Calculus of Constructionswith typing constructs that make induction derivable for lambda-encodeddatatypes. Stump gave a positive answer to this question by introducing theCalculus of Dependent Lambda Eliminations (CDLE) [2]. CDLE is a Curry-style Calculus of Constructions extended with implicit products, intersectiontypes, and primitive heterogeneous equality. Stump proved that natural numberinduction is derivable in this system for lambda-encoded natural numbers. Later,we generalized this work by deriving induction for lambda-encodings of inductivedatatypes which arise as least fixed points of functors [3]. Moreover, we observedthat the proof of induction for Mendler-style lambda-encoding relied only on theidentity law of functors. In this paper, we exploit this observation to define anew class of covariant schemes, which includes functors, and induces a largerclass of inductive datatypes supporting derivable induction.Another objection to lambda-encodings is their computational inefficiency.For example, computing the predecessor of a Church encoded Peano naturalprovably requires linear time [4]. The situation was improved by Parigot whoproposed a new lambda-encoding of numerals with a constant-time predecessor,but the size of the number n is exponential O (2 n ) [5]. Later, the situation wasimproved further by the Stump-Fu encoding, which supports a constant-timepredecessor and reduces the size of the natural number n to O ( n ) [6]. In thispaper, we show how to develop a constant-time predecessor within CDLE for aMendler-style lambda-encoded naturals that are linear in space.This paper makes the following technical contributions:1. We introduce a new kind of parameterized scheme using identity mappings (function lifting defined only on identities). We show that every functor hasan associated identity mapping, but not vice versa.2. We use a Mendler-style lambda-encoding to prove that every scheme with anidentity mapping induces an inductive datatype. Additionally, we genericallyderive an induction principle for these datatypes.3. We implement a generic constant-time destructor of Mendler-style lambda-encoded inductive datatypes. To the best of our knowledge, we offer a firstexample of typed lambda-encoding of inductive datatypes with derivableinduction and a constant-time destructor where normal forms of data requirelinear space.4. We give several examples of concrete datatypes defined using our develop-ment. We start by giving a detailed description of lambda-encoded naturalswith an induction principle and a constant-time predecessor function thatonly requires linear space to encode a numeral. We also give examples ofinfinitary datatypes. Finally, we present an inductive datatype that arisesas a least fixed point of a scheme that is not a functor, but has an identitymapping. fficient Mendler-Style Lambda-Encodings in Cedille 3 In this section, we briefly summarize the main features of Cedille’s type theory.For full details on CDLE, including semantics and soundness results, please seethe previous papers [2,7]. The main metatheoretic property proved in the previ-ous work is logical consistency: there are types which are not inhabited. CDLEis an extrinsic (i.e., Curry-style) type theory, whose terms are exactly those ofthe pure untyped lambda calculus (with no additional constants or constructs).The type-assignment system for CDLE is not subject-directed, and thus cannotbe used directly as a typing algorithm. Indeed, since CDLE includes Curry-styleSystem F as a subsystem, type assignment is undecidable [8]. To obtain a usabletype theory, Cedille thus has a system of annotations for terms, where the anno-tations contain sufficient information to type terms algorithmically. But true tothe extrinsic nature of the theory, these annotations play no computational role.Indeed, they are erased both during compilation and before formal reasoningabout terms within the type theory, in particular by definitional equality (seeFigure 1).
Γ, x : T ′ ⊢ t : T x FV ( | t | ) Γ ⊢ Λ x : T ′ . t : ∀ x : T ′ . T Γ ⊢ t : ∀ x : T ′ . T Γ ⊢ t ′ : T ′ Γ ⊢ t − t ′ : [ t ′ /x ] TΓ ⊢ t : TΓ ⊢ β : t ≃ t Γ ⊢ t ′ : t ≃ t Γ ⊢ t : [ t /x ] TΓ ⊢ ρ t ′ − t : [ t /x ] TΓ ⊢ t : T Γ ⊢ t : [ t /x ] T ′ Γ ⊢ p : | t | ≃ | t | Γ ⊢ [ t , t { p } ] : ι x : T. T ′ Γ ⊢ t : ι x : T. T ′ Γ ⊢ t. T Γ ⊢ t : ι x : T. T ′ Γ ⊢ t. t. /x ] T ′ | Λ x : T. t | = | t || t − t ′ | = | t || β | = λ x. x | ρ t − t ′ | = | t ′ || [ t , t { p } ] | = | t || t. | = | t || t. | = | t | Fig. 1.
Introduction, elimination, and erasure rules for additional type constructs
CDLE extends the (Curry-style) Calculus of Constructions (CC) with prim-itive heterogeneous equality, intersection types, and implicit products: – t ≃ t , a heterogeneous equality type. The terms t and t are required tobe typed, but need not have the same type. We introduce this with a constant β which erases to λ x. x (so our type-assignment system has no additionalconstants, as promised); β proves t ≃ t for any typeable term t . Combinedwith definitional equality, β proves t ≃ t for any β -equal t and t whosefree variables are all declared in the typing context. We eliminate the equalitytype by rewriting, with a construct ρ t’ - t . Suppose t’ proves t ≃ t and we synthesize a type T for t , where T has several occurrences of termsdefinitionally equal to t . Then the type synthesized for ρ t’ - t is T except Denis Firsov, Richard Blair, Aaron Stump with those occurrences replaced by t . Note that the types of the terms arenot part of the equality type itself, nor does the elimination rule requirethat the types of the left-hand and right-hand sides are the same to do anelimination. – ι x : T. T’ , the dependent intersection type of Kopylov [9]. This is the typefor terms t which can be assigned both the type T and the type [t/x]T’ , thesubstitution instance of T’ by t . In the annotated language, we introducea value of ι x : T. T’ by construct [ t, t’ {p} ] , where t has type T (algorithmically), t’ has type [t/x]T’ , and p proves t ≃ t’ . There arealso annotated constructs t.1 and t.2 to select either the T or [t.1/x]T’ view of a term t of type ι x : T. T’ . – ∀ x : T. T’ , the implicit product type of Miquel [10]. This can be thoughtof as the type for functions which accept an erased input of type x : T , andproduce a result of type T’ . There are term constructs Λ x. t for introducingan implicit input x , and t -t’ for instantiating such an input with t’ . Theimplicit arguments exist just for purposes of typing so that they play nocomputational role and equational reasoning happens on terms from whichthe implicit arguments have been erased.It is important to understand that the described constructs are erased beforethe formal reasoning, according to the erasure rules in Figure 1.We have implemented CDLE in a tool called Cedille, which we have used totypecheck the developments of this paper. The pre-release version is here: http://cs.uiowa.edu/~astump/cedille-prerelease.zip The Cedille code accompanying this paper is here: http://firsov.ee/efficient-lambda/itp2018-code.zip
We skip the details of the lambda-encoded implementation of basic datatypeslike
Unit , Empty , sums (
X + Y ), and dependent products ( Σ x : X. Y x ), forwhich the usual introduction and elimination rules are derivable in Cedille.In this paper, we use syntactical simplifications to improve readability. Inparticular, we hide the type arguments in the cases when they are unambiguous.For example, if x : X and y : Y then we wrtie pair x y instead of fully type-annotated pair X Y x y . The current version of Cedille requires fully annotatedterms. CDLE’s dependent intersection types allow judgementally equal values to beintersected. Given x : X , y : Y x , and a proof p of x ≃ y , we can introduce anintersection value v := [ x, y {p} ] of type ι x : X. Y x . Every intersectionhas two “views”: the first view v.1 has type X and the second view v.2 hastype Y x . The term [ x, y {p} ] erases to x according to the erasure rules inFigure 1. This allows us to see x as having two distinct types, namely X and Y x : fficient Mendler-Style Lambda-Encodings in Cedille 5 subst ◭ ∀ X: ⋆ . ∀ Y: X → ⋆ . Π x: X. ∀ y: Y x. ∀ p: x ≃ y. Y x= Λ X. Λ Y. λ x. Λ y. Λ p. [ x, y { p } ].2. ( Π x : X. T is usual “explicit” dependent function space;) Indeed, the definitionof subst erases to term λ x. x . Hence, subst x -y -p beta-reduces to x andhas type Y x (dash denotes the application of implicitly quantified arguments).
In our setting, it is possible to implement a function of type X → Y so that iterases to term λ x. x where X is different from Y . The simplest example is thefirst (or second) “view” from an intersection value: view1 ◭ ∀ X : ⋆ . ∀ Y : X → ⋆ . ( ι x : X. Y x) → X= Λ X. Λ Y. λ x. x.1. Indeed, according to the erasure rules view1 erases to the term λ x. x . Weintroduce a type Id X Y , which is the set of all functions from X to Y that eraseto the identity function ( λ x. x ): id ◭ ∀ X : ⋆ . X → X = Λ X. λ x. x.Id ◭ ⋆ → ⋆ → ⋆ = λ X : ⋆ . λ Y : ⋆ . Σ f : X → Y. f ≃ id. Introduction
The importance of the previously implemented combinator subst is that it allows to introduce an identity function
Id X Y from any extensionalidentity f : X → Y (i.e., f x ≃ x for any x ): intrId ◭ ∀ X Y : ⋆ . Π f : X → Y. ( Π x : X. f x ≃ x) → Id X Y= Λ X. Λ Y. λ f. λ prf. pair ( λ x. subst x -(f x) -(prf x)) β . Elmination
Given an identity function c : Id X Y and a value x : X we canapply the identity function c to x so that elimId -c x has type Y : elimId ◭ ∀ X Y : ⋆ . ∀ c : Id X Y. X → Y == Λ X. Λ Y. Λ c. λ x. subst x -( π c x) -( ρ ( π c) - β ). The subterm ρ ( π c) - β proves π c x ≃ x , where π i is the i -th projec-tions from a dependent product. Observe that elimId itself erases to λ x. x ,hence elimId -c x ≃ x by beta-reduction. In other words, an identity function Id X Y allows x : X to be seen as having types X and Y at the same time. A scheme
F : ⋆ → ⋆ is a functor if it comes equipped with a function fmap that satisfies the identity and composition laws: Functor ◭ ( ⋆ → ⋆ ) → ⋆ = λ F : ⋆ → ⋆ . Σ fmap : ∀ X : ⋆ . ∀ Y : ⋆ . (X → Y) → F X → F Y.IdentityLaw fmap × CompositionLaw fmap.
Denis Firsov, Richard Blair, Aaron Stump
However, it is simple to define a covariant scheme for which the function fmap cannot be implemented (below, x = x is shorthand for x ≃ x → Empty ): UneqPair ◭ ⋆ → ⋆ = λ X : ⋆ . Σ x : X. Σ x : X. x = x . We introduce schemes with identity mappings as a new class of parameterizedcovariant schemes. An identity mapping is a lifting of identity functions:
IdMapping ◭ ( ⋆ → ⋆ ) → ⋆ = λ F : ⋆ → ⋆ . ∀ X Y : ⋆ . Id X Y → Id (F X) (F Y).
Intuitively,
IdMapping F is similar to fmap of functors, but it needs to be definedonly on identity functions. The identity law is expressed as a requirement thatidentity function
Id X Y is mapped to identity function
Id (F X) (F Y) .Clearly, every functor induces an identity mapping (by the application of intrId to fmap and its identity law): fm2im ◭ ∀ F : ⋆ → ⋆ . Functor F → IdMapping F = <..>
However,
UneqPair is an example of scheme which is not a functor, but has anidentity mapping (see example in Section 6.3).In the rest of the paper we show that every identity mapping
IdMapping F induces an inductive datatype which is a least fixed point of F . Additionally,we generically derive an induction principle and implement a constant-time de-structor for these datatypes. In our previous paper, we used Cedille to show how to generically derive aninduction principle for Mendler-style lambda-encoded datatypes that arise asleast fixed points of functors [3]. In this section, we revisit this derivation toshow that it is possible to relax functoriality constraints and only assume thatthe underlying signature scheme is accompanied by an identity mapping.
In this section, we investigate the standard definitions of Mendler-style F-algebrasthat are well-defined for any unrestricted scheme
F : ⋆ → ⋆ . To reduce the no-tational clutter, we assume that F : ⋆ → ⋆ is a global (module) parameter: module _ (F : ⋆ → ⋆ ) In the abstract setting of category theory, a Mendler-style F-algebra is a pair(
X, Φ ) where X is an object (i.e., the carrier ) in C and Φ : C ( − , X ) → C ( F − , X )is a natural transformation. In the concrete setting of Cedille, objects are types,arrows are functions, and natural transformations are polymorphic functions.Therefore, Mendler-style F-algebras are defined as follows: AlgM ◭ ⋆ → ⋆ = λ X : ⋆ . ∀ R : ⋆ . (R → X) → F R → X. fficient Mendler-Style Lambda-Encodings in Cedille 7 Uustalu and Vene showed that initial Mendler-style F-algebras offer an alter-native categorical model of inductive datatypes [11]. The carrier of an initialF-algebra is an inductive datatype that is a least fixed point of F . It is knownthat if F is a positive scheme then the least fixed point of it may be implementedin terms of universal quantification [12]: FixM ◭ ⋆ = ∀ X : ⋆ . AlgM X → X.foldM ◭ ∀ X : ⋆ . AlgM X → FixM → X = Λ X. λ alg. λ x. x alg. In essence, this definition identifies inductive datatypes with iterators and everyfunction on
FixM is to be computed by iteration.The natural transformation of the initial Mendler-style F-algebra denotes thecollection of constructors of its carrier [11]. In our setting, the initial Mendler-style F-algebra
AlgM FixM is not defineable because F is not a functor [3]. Instead,we express the collection of constructors of datatype FixM as a conventional F-algebra
F FixM → FixM : inFixM ◭ F FixM → FixM = λ x. Λ X. λ alg. alg (fold alg) x. The function inFixM is of crucial importance because it expresses constructorsof
FixM without requirements of functoriality on
F : ⋆ → ⋆ .It is provably impossible to define the mutual inverse of inFixM (destructorof FixM ) without introducing additional constraints on F . Assume the existenceof function outFixM (which need not be an inverse of inFixM ), typed as follows: outFixM ◭ ∀ F : ⋆ → ⋆ . FixM F → F (FixM F) = <..>
Next, recall that in the impredicative setting the empty type is encoded as ∀ X : ⋆ . X (its inhabitant implies any equation). Then, we instantiate F withthe negative polymorphic scheme NegF X := ∀ Y: ⋆ . X → Y , and exploit thefunction outFixM to construct a witness of the empty type: T ◭ ⋆ = FixM NegF.ty ◭ ∀ Y : ⋆ . T → Y = Λ Y. λ t. outFixM NegF t Y t.t ◭ T = ty T (inFixM NegF ty).unsound ◭ ∀ X : ⋆ . X = Λ X. ty X t.
Therefore, the existance of function outFixM contradicts the consistency ofCedille. Hence, the inverse of inFixM can exist only for some restricted classof schemes
F : ⋆ → ⋆ . From this point forward we assume that the scheme F is also accompanied byan identity mapping imap : Denis Firsov, Richard Blair, Aaron Stump module _ (F : ⋆ → ⋆ )(imap : IdMapping F) In our previous work we assumed that F is a functor and showed how tospecify the “inductive” subset of the type FixM F . Then, we generically derivedinduction for this subset. In this section, we update the steps of our previouswork to account for
F : ⋆ → ⋆ not being a functor.The dependent intersection type ι x : X. Y x can be understood as a sub-set of X defined by a predicate Y . However, to construct the value of this typewe must provide x : X and a proof p : Y x so that x and p are provably equal( x ≃ p ). Hence, to align with this constraint we use implicit products to ex-press inductivity of FixM as its “dependently-typed” version. Recall that
FixM is defined in terms of Mendler-style F-algebras:
AlgM ◭ ⋆ → ⋆ = λ X : ⋆ . ∀ R : ⋆ . (R → X) → F R → X. In our previous work, we introduced the
Q-proof F-algebras as a “dependently-typed” counterpart of
AlgM . The value of type
PrfAlgM X Q alg should be un-derstood as an inductive proof that predicate Q holds for every X where X is aleast fixed point of F and alg : F X → X is a collection of constructors of X . PrfAlgM ◭ Π X : ⋆ . (X → ⋆ ) → (F X → X) → ⋆ = λ X : ⋆ . λ Q : X → ⋆ . λ alg : F X → X. ∀ R : ⋆ . ∀ c : Id R X. ( Π r : R. Q (elimId -c r)) → Π fr : F R. Q (alg (elimId -(imap c) fr)). Mendler-style F-algebras (
AlgM ) allow recursive calls to be explicitly stated byproviding arguments R → X and F R , where the polymorphically quantified type R ensures termination. Similarly, Q-proof F-algebras allow the inductive hypothe-ses to be explicitly stated for every R by providing an implicit identity function c : Id R X , and a dependent function of type Π r : R. Q (elimId -c r) (re-call that elimId -c r reduces to r and has type X ). Given the inductive hypoth-esis for every R , the proof algebra must conclude that the predicate Q holds forevery X , which is produced by constructors alg from any given F R that hasbeen “casted” to
F X .Next, recall that
FixM is defined as a function from
AlgM X to X for every X . FixM ◭ ⋆ = ∀ X : ⋆ . AlgM X → X. To retain the analogy of definitions, we express the inductivity of value x : FixM as a dependent function from a Q -proof F -algebra to Q x . IsIndFixM ◭ FixM → ⋆ = λ x : FixM. ∀ Q : FixM → ⋆ . PrfAlgM FixM Q inFixM → Q x.
Now, we employ intersection types to define a type
FixIndM as a subset of
FixM carved out by the “inductivity” predicate
IsIndFixM : FixIndM ◭ ⋆ = ι x : FixM. IsIndFixM x. fficient Mendler-Style Lambda-Encodings in Cedille 9 Finally, we must explain how to construct the values of this type. As in the case of
FixM , the set of constructors of
FixIndM is expressed by a conventional F-algebra
F FixIndM → FixIndM . The implementation is divided into three steps:First, we define a function from
F FixIndM to FixM : tc1 ◭ F FixIndM → FixM = λ x.let c ◭ Id (F FixIndM) (F FixM) = imap (intrId ( λ x. x.1) β ) ininFixM (elimId -c x). The implementation simply “casts” its argument to
F FixM and then appliesthe previously implemented constructor of
FixM ( inFixM ). Because elimId -c x reduces to x , the erasure of tc1 is the same as the erasure of inFixM which is aterm λ x. λ q. q ( λ r. r q) x .Second, we show that the same lambda term could also be typed as a proofthat every tc1 x is inductive: tc2 ◭ Π x : F FixIndM. IsIndFixM (tc1 x)= λ x. ( Λ Q. λ q. (q -(intrId ( λ x. x.1) β ) ( λ r. r.2 q) x)). Indeed, functions tc1 and tc2 are represented by the same pure lambda term.Finally, given any value x : F FixInd we can intersect tc1 x and the proofof its inductivity tc2 x to construct an element of an inductive subset
FixIndM : inFixIndM ◭ F FixIndM → FixIndM = λ x. [ tc1 x, tc2 x { β } ]. Recall that erasure of intersection [ x, y {p} ] equals the erasure of x . There-fore, functions tc1 , tc2 , and inFixIndM all erase to the same pure lambda term.In other words, in Cedille the term λ x. λ q. q ( λ r. r q) x can be extrin-sically typed as any of these functions. We start by explaining why we need to derive induction for
FixIndM , even thoughit is definitionally an inductive subset of
FixM . Indeed, every value x : FixIndM can be “viewed” as a proof of its own inductivity. More precisely, the term x.2 is a proof of the inductivity of x.1 . Moreover, the equational theory of CDLEgives us the following equalities x.1 ≃ x ≃ x.2 (due to the rules of erasure).But recall that the inductivity proof provided by the second view x.2 is typedas follows: ∀ Q : Fix → ⋆ . PrfAlgM FixM Q inFixM → Q x.1
Note that Q is a predicate on FixM and not
FixIndM ! This form of inductivitydoes not allow properties specified directly for
FixIndM to be proven.Therefore, our goal is to prove that every x : FixIndM is inductive in itsown right. We phrase this in terms of proof-algebras parameterized by
FixIndM ,a predicate on
FixIndM , and its constructors ( inFixIndM ): ∀ Q : FixIndM → ⋆ . PrfAlgM FixIndM Q inFixIndM → Q x.
In our previous work, we already made an observation that the derivation of in-duction for Mendler-style encodings relies only on the identity law of functors [3].Therefore, the current setting only requires minor adjustments of our previousproof. For the sake of completeness, we present a main idea of this derivation.The key insight is that we can convert predicates on
FixIndM to logicallyequivalent predicates on
FixM by using heterogeneous equality:
Lift ◭ (FixInd → ⋆ ) → Fix → ⋆ = λ Q : FixInd → ⋆ . λ y : Fix. Σ x : FixInd. x ≃ y × Q x.eqv1 ◭ Π x: FixIndM. ∀ Q: FixIndM → ⋆ . Q x → Lift Q x.1 = <..>eqv2 ◭ Π x: FixIndM. ∀ Q: FixIndM → ⋆ . Lift Q x.1 → Q x = <..>
These properties allow us to convert a Q -proof algebra to a proof algebra for alifted predicate Lift Q , and then derive the generic induction principle: convIH ◭ ∀ Q : FixIndM → ⋆ . PrfAlgM FixIndM Q inFixIndM → PrfAlgM FixM (Lift Q) inFixM = <..>induction ◭ ∀ Q: FixIndM → ⋆ . PrfAlgM FixIndM Q inFixIndM → Π e: FixIndM. Q e = Λ Q. λ p. λ e. eqv2 e (e.2 (convIH p)). Let Q be a predicate on FixIndM and p be a Q -proof algebra: we show that Q holds for any e : FixIndM . Recall that every e : FixIndM can be viewed asa proof of inductivity of e.1 via e.2 : IsIndFixM e.1 . We use this to get aproof of the lifted predicate Lift Q e.1 from the proof algebra delivered by convIH p . Finally, we get
Q e by using eqv2 . An induction principle is needed to prove properties about programs, but prac-tical functional programming also requires constant-time destructors (also calledaccessors) of inductive datatypes. Let us illustrate the problem using the datatypeof natural numbers. In Agda it is easy to implement the predecessor function bypattern matching: pred : Nat → Natpred zero = zeropred (suc n) = n
The correctness of pred trivially follows by beta-reduction: predProp : (n : Nat) → pred (suc n) ≡ npredProp n = refl Let us switch to Cedille and observe that it is much less trivial to implementthe predecessor for the impredicative encoding of Peano numerals. Here is thedefinition of Church encoded Peano naturals and their constructors: fficient Mendler-Style Lambda-Encodings in Cedille 11 cNat ◭ ⋆ = ∀ X : ⋆ . (X → X) → X → X.zero ◭ cNat = Λ X. λ s. λ z. z.suc ◭ cNat → cNat = λ n. Λ X. λ s. λ z. s (n s z). Next, we implement the predecessor for cNat which is due to Kleene: zCase ◭ cNat × cNat = pair zero zerosCase ◭ cNat × cNat → cNat × cNat = λ n. pair ( π n) (suc ( π n)).predK ◭ Nat → Nat = λ n. π (n sC zC). The key to the Kleene predecessor is the function sCase , which ignores the firstitem of the input pair, moves the second natural to the first position, and thenapplies the successor of the second element within the second position. Hence,folding a natural number n with sCase and zCase produces a pair (n-1, n) . Inthe end, predK n projects the first element of a pair.Kleene predecessor runs in linear time. Also, predK (suc n) gets stuck afterreducing to π (pair ( π (n sCase zCase))(suc ( π (n sCase zCase)))) .Hence, we must use induction to prove that predK (suc n) computes to n .Furthermore, Parigot proved that any definition of predecessor for the Church-style lambda-encoded numerals requires linear time [4]. In previous sections we defined a datatype
FixIndM for every scheme F that hasan identity mapping. Then, we implemented the constructors of the datatypeas the function inFixIndM , and defined an induction principle phrased in termsof this function. In this section, we develop a mutual inverse of inFixIndM thatruns in constant time. As a simple consequence, we prove that FixIndM is a leastfixed point of F .Let us start by exploring the computational behaviour of the function foldM .The following property is a variation of the cancellation law for Mendler-styleencoded data [11], and its proof is simply by beta-reduction. foldHom ◭ ∀ X : ⋆ . Π x : F FixM. Π alg : AlgM X.foldM alg (inFixM x) ≃ alg (foldM alg) x = Λ X. λ x. λ a. β . In other words, folding the inductive value inFixM x replaces its outermost“constructor” inFixM with partially applied F-algebra alg (foldM alg) .It is well-known that (computationally) induction can be reduced to iteration(folding). Therefore, we can state the cancellation law for the induction rule interms of proof algebras. indHom ◭ ∀ Q : FixIndM → ⋆ . Π alg : PrfAlgM FixIndM Q inFixIndM. Π x : F FixIndM. Π c : Id FixIndM FixIndM.induction alg (inFixInd x) ≃ alg -c (induction alg) x= Λ Q. λ p. λ x. β . Most importantly, is that the proof of indHom is by reflexivity ( β ), which en-sures that the left-hand side of equality beta-reduces to the right-hand side in aconstant number of beta-reductions.Next, we implement a proof algebra for the constant predicate λ _. F FixIndM . outAlgM ◭ PrfAlgM FixIndM ( λ _. F FixIndM) inFixIndM= Λ R. Λ c. λ f. λ y. elimId -(imap c) y. The identity mapping of F lifts the identity function c : Id R X to an iden-tity function Id (F R) (F FixIndM) , which is then applied to the argument y : F R to get the desired value of
F FixIndM .The proof algebra outAlgM induces the constant-time inverse of inFixIndM : outFixIndM ◭ FixInd → F FixInd = induction outAlgM.
Definitionally, outFixIndM (inFixIndM x) is induction outAlgM (inFixInd x) ,which reduces to outAlgM -c (induction outAlgM) x in a constant numberof steps ( indHom ). Because outAlgM -c erases to λ f. λ y. y , it follows that outFixIndM computes an inverse of inFixIndM in a constant number of beta-reductions: lambek1 ◭ Π x: F FixInd. outFixIndM (inFixIndM x) ≃ x = λ x. β . Furthermore, we show that outFixIndM is a post-inverse: lambek2 ◭ Π x: FixIndM. inFixIndM (outFixIndM x) ≃ x= λ x. induction ( Λ R. Λ c. λ ih. λ fr. β ) x. This direction requires us to invoke induction to “pattern match” on the argu-ment value to get x := inFixIndM y for some value y of type F FixIndM . Then, inFixIndM (outFixIndM (inFixIndM y)) ≃ inFixIndM y because the innerterm outFixIndM (inFixIndM y) is just y by beta reduction ( lambek1 ). In this section, we demonstrate the utility of our derivations on three examples.First, we present a detailed implementation of natural numbers with a constant-time predecessor function. Second, we show examples of infinitary datatypes.Finally, we give an example of a datatype arising as a least fixed point of ascheme that is not a functor, but has an identity mapping.
Natural numbers arise as a least fixed point of the functor NF : NF ◭ ⋆ → ⋆ = λ X : ⋆ . Unit + X.nfmap ◭ Functor NF = <..> fficient Mendler-Style Lambda-Encodings in Cedille 13
Since every functor has an identity mapping then we use our framework to definenatural numbers as shown below: nfimap ◭ IdMapping NF = fm2im nfmap.Nat ◭ ⋆ = FixInd NF nfimap.zero ◭ Nat = inFixIndM (in1 unit).suc ◭ Nat → Nat = λ n. inFixIndM (in2 n). If injections in1 and in2 erase to λ a. λ i. λ j. i a and λ a. λ i. λ j. j a ,respectively, then the natural number constructors have the following erasures: zero ≃ λ alg. (alg ( λ f. (f alg)) ( λ i. λ j. (i ( λ x. x))))suc n ≃ λ alg. (alg ( λ f. (f alg)) ( λ i. λ j. (j n))) Intuitively, Mendler-style numerals have a constant-time predecessor becauseevery natural number suc n contains the previous natural n as its direct subpart(which is not true for Church encoding).We implement the predecessor for Nat in terms of the generic constant-timedestructor outFixIndM : pred ◭ Nat → Nat = λ n. case (outFixIndM n) ( λ _. zero) ( λ m. m). Because elimination of disjoint sums (via case ) and outFixIndM are both constant-time operations, pred is also a constant-time function and its correctness isimmediate (i.e., by beta-reduction): predSuc ◭ Π n : Nat. pred (suc n) ≃ n = λ n. β . We also show that the usual “flat” induction principle can be derived fromour generic induction principle ( induction ) by dependent elimination of NF : indNat ◭ ∀ P : Nat → ⋆ . ( Π n : Nat. P n → P (suc n)) → P zero → Π n : Nat. P n = Λ P. λ s. λ z. λ n. induction P( Λ R. Λ c. λ ih. λ v. case v ( λ u. ρ (etaUnit u) - z)( λ r. s (elimId -c r) (ih r))) n. In Agda, we can give the following inductive definition of infinitary trees: data ITree : Set wherenode : (Nat → Unit + ITree) → ITreeITree is a least fixed point of functor
IF X := Nat → Unit + X . In Cedille,we can implement a functorial function lifting for IF : itfmap ◭ ∀ X Y : ⋆ . (X → Y) → IF X → IF Y= λ f. λ t. λ n. case (t n) ( λ u. in1 u) ( λ x. in2 (f x)). To our best knowledge, it is impossible to prove that itfmap satisfies the func-torial laws without functional extensionality (which is unavailable in Cedille).However, it is possible to implement an identity mapping for the scheme IF : itimap ◭ IdMapping IF= Λ c. pair ( λ x. λ n. elimId -(nfimap -c) (x n)) β . The first element of a pair erases to λ x. λ n. x n , which is λ x. x by the etalaw . Now, since we showed that IF has an identity mapping then our genericdevelopment induces the datatype ITree with its constructor, destructor, andinduction principle.
ITree ◭ ⋆ = FixIndM IF itimap.inode ◭ (Nat → Unit + ITree) → ITree = λ f. inFixIndM f. The specialized induction is phrased in terms of “empty tree” iempty which actsas a base case ( projR “projects” a tree from disjoint sum or returns iempty ): iempty ◭ ITree = inode ( λ _. in1 unit).indITree ◭ ∀ P : ITree → ⋆ . P iempty → ( Π f: Nat → Unit + ITree. ( Π n : Nat. P (projR (f n)) → P (inode f)) → Π t: ITree. P t = <..> Next, let us look at another variant of infinitary datatypes in Agda: data PTree : Set wherepnode : ((PTree → Bool) → Unit + PTree) → PTree
This definition will be rejected by Agda (and Coq) since it arises as a least fixedpoint of the scheme
PF X := Unit + ((X → Bool) → X) → X , which is pos-itive but not strictly positive. The definition is rejected because it is currentlyunclear if non-strict definitions are sound in Agda. For the Coq setting, thereis a proof by Coquand and Paulin that non-strict positivity combined with animpredicative universe and a predicative universe hieararchy leads to inconsis-tency [14]. In Cedille, we can implement an identity mapping for the scheme PF in a similar fashion as the previously discussed UF . Hence, the datatype inducedby PF exists in the type theory of Cedille. Consider the following definition of “unbalanced” binary trees in Agda: Our analysis of CDLE up to now has included only β -equality. It is known that η can cause problems for intrinsic type theories due to non-confluence of βη -reductionon ill-typed terms (cf. [13]). But for extrinsic typing, we can use confluence of βη -reduction on pure lambda terms, and thus we hope that adding η does cause prob-lems. The use of η is confined to the example of infinitary trees only.fficient Mendler-Style Lambda-Encodings in Cedille 15 data UTree : Set whereleaf : Bool → UTreenode : (b : UTree) → (b : UTree) → b = b → UTree
The datatype
UTree arises as a least fixed point of the following scheme: UF ◭ ⋆ → ⋆ = λ X : ⋆ . Bool + ( Σ x : X. Σ x : X. x = x ). Because the elements x and x must be different, lifting an arbitrary function X → Y to UF X → UF Y is impossible. Hence, the scheme UF is not a functor.However, we can show that UF has an identity mapping. We start by produc-ing a function UF X → UF Y from an identity
Id X Y : uimap’ ◭ ∀ X Y : ⋆ . ∀ i : Id X Y. UF X → UF Y = Λ i. λ uf.case uf ( λ u. in1 u)( λ u. in2 (pair (elimId -i ( π u))(pair (elimId -i ( π ( π u))) ( π ( π u))))) We prove that uimap’ -i is extensionally an identity function: uimP ◭ ∀ X Y: ⋆ . ∀ i: Id X Y. Π u: UF X. uimap’ -i u ≃ u = <..> This is enough to derive an identity mapping for UF by using the previouslyimplemented combinator intrId : uimap ◭ IdMapping UF = intrId uimap’ uimP.
Therefore, we conclude that the datatype of unbalanced trees exists in Cedilleand can be defined as a least fixed point of scheme UF : UTree ◭ ⋆ = FixIndM UF uimap. The specialized constructors, induction principle, and a destructor function for
UTree are easily derived from their generic counterparts ( inFixIndM , induction , outFixIndM ). Pfenning and Paulin-Mohring show how to model inductive datatypes usingimpredicative encodings in the Calculus of Constructions (CC) [15]. Becauseinduction is not provable in the CC, the induction principles are generated andadded as axioms. This approach was adopted by initial versions of the Coq proofassistant, but later Coq switched to the Calculus of Inductive Constructions(CIC), which has built-in inductive datatypes.Delaware et al. derived induction for impredicative lambda-encodings in Coqas a part of their framework for modular definitions and proofs (using the `a lacarte technique [16]). They showed that a value v : Fix F is inductive if it isaccompanied by a proof of the universal property of folds [17].
Similarly, Torrini introduced the predicatisation technique, reducing depen-dent induction to proofs that only rely on non-dependent Mendler induction (byrequiring the inductive argument to satisfy extra predicatisation hypothesis) [18].Traytel et al. present a framework for constructing (co)datatypes in HOL [19,20].The main ingredient is a notion of a bounded natural functor (BNF), or a bi-nary functor with additional structure. BNFs are closed under composition andfixed points, which enables support for both mutual and nested (co)recursionwith mixed combinations of datatypes and codatatypes. The authors developeda package that can generate (co)datatypes with their associated proof-principlesfrom user specifications (including custom bounded natural functors). In con-strast, our approach provides a single generic derivation of induction within thetheory of Cedille, but does not address codatatypes. It would be interesting tofurther investigate the exact relationship between schemes with identity map-pings and BNFs.Church encodings are typeable in System F and represent datatypes as theirown iterators. Parigot proved that the lower bound of the predecessor functionfor Church numerals has linear time complexity [4].Parigot designed an impredicative lambda-encoding that is typeable in Sys-tem F ω with positive-recursive type definitions. The encoding identifies datatypeswith their own recursors, allowing constant time destructors to be defined, butthe drawback is that the representation of a natural number n is exponential inthe call-by-value setting [5].The Stump-Fu encoding is also typeable in System F ω with positive-recursivetype definitions. It improves upon the Parigot representation by requiring onlyquadratic space, and it also supports constant-time destructors [6]. In this work, we showed that the Calculus of Dependent Lambda Eliminations isa compact pure type theory that allows a general class of Mendler-style lambda-encoded inductive datatypes to be defined as least fixed points of schemes withidentity mappings. We also gave a generic derivation of induction and imple-mented a constant-time destructor for these datatypes. We used our develop-ment to give the first example (to the best of our knowledge) of lambda-encodednatural numbers with: provable induction, a constant-time predecessor function,and a linear size (in the numeral n ) term representation. Our formal developmentis around 700 lines of Cedille code.For future work, we plan to explore coinductive definitions and to use thecategorical model of Mendler-style datatypes to investigate histomorphisms andinductive-recursive datatypes in Cedille [11]. Acknowledgments.
We gratefully acknowledge NSF support under award1524519, and DoD support under award FA9550-16-1-0082 (MURI program). fficient Mendler-Style Lambda-Encodings in Cedille 17
References
1. Geuvers, H.: Induction Is Not Derivable in Second Order Dependent Type Theory.In: Typed Lambda Calculi and Applications (TLCA). (2001) 166–1812. Stump, A.: The Calculus of Dependent Lambda Eliminations. Journal of Func-tional Programming e143. Firsov, D., Stump, A.: Generic derivation of induction for impredicative encodingsin cedille. In: Proceedings of the 7th ACM SIGPLAN International Conferenceon Certified Programs and Proofs. CPP 2018, New York, NY, USA, ACM (2018)215–2274. Parigot, M.: On the representation of data in lambda-calculus. In B¨orger, E.,B¨uning, H.K., Richter, M.M., eds.: CSL ’89, Springer Berlin Heidelberg (1990)309–3215. Parigot, M. In: Programming with proofs: A second order type theory. SpringerBerlin Heidelberg, Berlin, Heidelberg (1988) 145–1596. Stump, A., Fu, P.: Efficiency of lambda-encodings in total type theory. Journal ofFunctional Programming (2016)7. Stump, A.: From Realizability to Induction via Dependent Intersection. Ann. PureAppl. Logic (2018) to appear.8. Wells, J.B.: Typability and type checking in system F are equivalent and undecid-able. Ann. Pure Appl. Logic (1-3) (1999) 111–1569. Kopylov, A.: Dependent intersection: A new way of defining records in type theory.In: 18th IEEE Symposium on Logic in Computer Science (LICS). (2003) 86–9510. Miquel, A.: The Implicit Calculus of Constructions Extending Pure Type Systemswith an Intersection Type Binder and Subtyping. In Abramsky, S., ed.: TypedLambda Calculi and Applications (TLCA). (2001) 344–35911. Uustalu, T., Vene, V.: Mendler-style inductive types, categorically. Nordic J. ofComputing (3) (September 1999) 343–36112. Wadler, P.: Recursive types for free! (1990)13. Geuvers, H.: Logics and Type Systems. PhD thesis, University of Nijmegen (1993)14. Coquand, T., Paulin, C.: Inductively defined types. In Martin-L¨of, P., Mints, G.,eds.: COLOG-88, Berlin, Heidelberg, Springer Berlin Heidelberg (1990) 50–6615. Pfenning, F., Paulin-Mohring, C.: Inductively defined types in the Calculus ofConstructions. In Main, M., Melton, A., Mislove, M., Schmidt, D., eds.: Proceed-ings of the Fifth Conference on the Mathematical Foundations of ProgrammingSemantics, Tulane University, New Orleans, Louisiana, Springer-Verlag LNCS 442(March 1989) 209–22816. Swierstra, W.: Data types `a la carte. J. Funct. Program.18