4 Ways of Proving Theoremscsetzer/lectures/intertheo/03/... · Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 5 4 Ways of Proving Theorems 2. Theorem proving with some

CS_336 Interactive Theorem Proving

Dr. Anton Setzer

Lent Term 2004

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 1

0. Overview(a)

(b)

(c)


(a) What is Interact. Theorem Proving

(d) Need for Theorem Proving

We need to prove theorems in order to establishmathematical theorems.

E.g. that certain problems are decidable,undecidable, polynomial computable etc.

We need them as well in order to establish thecorrectness of software and hardware.

Is floating point division for the Intel processorcorrect?Is a railway control system safe?

When verifying the Swedish railway system, lots ofbugs were found.


Need for Theorem ProvingConcentration on the latter in this module.


4 Ways of Proving Theorems1. Theorem proving by hand.

What mathematicians do all the time.Will remain in the near future the main way forproving theorems.Problem: Errors.

As in programs after a certain amount of linesthere is a bug, after a certain amount of lines aproof has a bug.The problem can only be reduced by careful proofchecking, but not eliminated completely.

Unsuitable for verifying large software and hardwaresystems.

Data usually too large.Likely that one makes the same mistakes as in thesoftware.


4 Ways of Proving Theorems2. Theorem proving with some machine support.

Machine checks the syntax of the statements,creates a good layout, translates it into differentlanguages.Theorem proving still to be done by hand.Example: most systems for specification of software(e.g. CSP-CASL, as used by Dr. Roggenbach).Advantages:

Less errors.User is forced to obey a certain syntax.Specifications can be exchanged more easily.

Disadvantage: Similar to 1.


4 Ways of Proving Theorems3. Interactive Theorem Proving.

Proofs are fully checked by the system.Proof steps have to be carried out by the user.Advantages:

Correctness guaranteed (provided the theoremprover is correct).Everything which can be proved by hand, shouldbe possible to be proved in such systems.


4 Ways of Proving Theorems(Interactive theorem proving)

Disadvantages:It takes much longer than proving by hand.· Similar to programming:

To say in words what a program should do,doesn’t take long.To write the actual program, can take a longtime, since much more details are involved thanexpected.

Requires experts in theorem proving.


4 Ways of Proving Theorems4. Automated Theorem Proving.

The theorem is shown by the machine.It is the task of the user to

state the theorem,bring it into a form so that it can be solved,usually adapt certain parameters so that thetheorem proving solves the problem withinreasonable amount of time.

Espec. Dr. Kullmann is an expert in this area.


4 Ways of Proving Theorems(Automated theorem proving)

AdvantagesLess complicated to “feed the theorem into themachine” rather than actually proving it.Might be done by non-specialists.Sometimes faster than interactive theoremproving.


4 Ways of Proving Theorems(Automated theorem proving)

DisadvantagesMany problems cannot be proved automatically.Can often deal only with finite problems.· We can show the correctness of one particular

processor.· But we cannot show a theorem, stating the

correctness of a parametric unit (like a genericn-bit adder for arbitrary n.· In some cases this can be overcome.Limits on what can be done (some hardwareproblems can be verified as 32 bit versions, but notas 64 bit versions).


(b) Administrative IssuesAddress:Dr. A. SetzerDept. of Computer ScienceUniversity of Wales SwanseaSingleton ParkSA2 8PPUK

Room Room 211, Faraday Building

Tel. (01792) 513368

Fax. (01792) 295651

Email


Assessment80% Exam.

20% coursework:4 small assignments. Each counts 5% (Plan, mightbe changed).

Handed out approx. every 2nd week.Due two weeks later.


Timetable, Course MaterialTwo lectures per week.

Tuesday, 11:00, Faraday J.Thursday, 10:00, Vivian 112.

Web page contains overhead slides from the lectures.Course material will be continually updated.


(c) Plan0.

1.

2.

3.

4. Interactive programs in dependent type theory.

5. Cayenne – A programming language with dependenttypes.

The plan might be changed slightly.


(d) LiteratureIn general, the module is self-contained.


Main Course LiteratureB. Nordström, K. Peterson, J. M. Smith:Programming in Martin-Löf’s type theory. Available via.Course book, although a little bit too high level.

B. Nordström, K. Peterson, J. M. Smith:Martin-Löf’s type theory. Handbook of ComputerScience, Vol 5, 1-37. Oxford Univ. Press, 2000.Available via

Similar as the previous book, but shorter.


Other Introductory BooksMartin-Löf, Per: Intuitionistic Type theory. Bibliopolis,Naples, 1984.Relatively easy short book, from the father of the typetheory we are using. Intended for philosophers.

Aarne Ranta: Type-theoretic grammar. ClarendonPress, 1995.Use of type theory in linguistics and for translationbetween languages. Has a good and simpleintroduction into type theory.


More advanced BooksTroelstra, A. S. and van Dalen, D.:Constructivism in mathematics. Vol. I. North Holland,1988.Contains some material of interest (e.g. BHKinterpretation of logical connective). Postgraduate level.

Chapter 11 of Troelstra, A. S. and van Dalen, D.:Constructivism in mathematics. Vol. II. North Holland,1988.Book on postgraduate level. Deviates from “officialMartin Löf type theory”.


1. Introduction(a)

(b)

(c)

(d)

(e)

(f)

(g)


(a) Approaches to Verified SoftwareWe consider 4 principal approaches towards writing verifiedsoftware.

(h)(i) First a program is written.Then its correctness is verified.

Most common approach, when formal methods areapplied.Main advantage:Ordinary programming languages can be used.Disadvantage: all or most considerations of theprogrammers are lost.Requires advanced automated theorem provingtechnologies.Dr. Kullmann is an expert on the theorem provingtechniques used there.


Approaches to Verified Software(ii) Prove that a solution for the problem exists.

Extract a program from it.E.g. from a proof of the statement

For every list there exists a sorted listhaving the same elements

one can extract a program, which computes from alist a sorted list having the same elements.The correctness is guaranteed.Technology not yet far developed.Dr. Berger is an expert in this area of research.


Approaches to Verified Software(iii) Programs written in a language which allows to

state properties of the program.Example: “This program sorts a list”.Properties should be verified when compiling theprogram

Advantages:Programmer is forced to think very clearly.Programs will be very well documented.The information about properties needed mightguide the programmer.In some cases parts of the program can even befound automatically.


Approaches to Verified SoftwareDisadvantages of (iii):

Requires new programming languages.Still essentially area of research. Howeveradvanced tools exist already.Might be too difficult for ordinary programmers.

Effect:Proving and programming will be the same.


Approaches to Verified Software(iv) Mixtures between (i), (iii).

E.g. SPARK Ada.

In this lecture, we will follow the approach of (iii), based on

dependent type theory.


(b) The Theorem Prover AgdaThere are several implementations of dependent typetheory:

NuPrl (Cornell, USA), the technically most advancedsystem.

Uses so called “extensional type theory”.Coq (INRIA, France), as well technically veryadvanced.LEGO (Edinburgh), about to be replaced.

Both use so called “impredicative type theory”.


The Theorem Prover AgdaImplementations of dependent type theory (Cont.)

The “Alf-family” (Gothenburg, Sweden) – hasprobably the clearest concepts.

Alf (developed by Lena Magnusson)Half (= Haskell Alf), developed by ThierryCoquand, Dan Synek.Agda developed by Catarina Coquand.Alfa, a graphical user interface for Agda,developed by Thomas Hallgren.

“Cayenne” (Gothenburg, Sweden) is a dependentlytyped programming language (not intended as atheorem prover).

In this module we will use Agda and briefly considerCayenne, but Alfa can be used to create Agda code.


Proofs in AgdaHalf, Agda, Alf are written in Haskell.

Half and Agda have an Emacs mode, which makes itquite convenient to develop proofs in it.

In most theorem provers, one has to follow one orseveral goals, and derive proofs for them.This is close to the way, proofs are carried out by hand.


Proofs in Agda (Cont.)The Alf-family has a different approach ofsuccessive refinement.

One starts writing the proof code similarly to writingfunctional programs.What cannot be done without machine assistancecan be left open in the form of holes (

:::::::

goals).Now one can successively, assisted by the system,fill in those goals.Therefore proof/program development in the Alffamily is very close to ordinary programming.


Installation of AgdaAgda is installed in the Linux lab.

Follow the item “Getting started with Agda” on thehome page of this module.Please check whether the installation works.

Agda is most easily installed under Linux or otherversions of Unix.

It can as well be installed under CYGWIN, a UNIXemulation under Windows.

See information from the course home page.

The source code for the examples given in this lecturewill be available from the course home page.


Thierry Coquand

The main theoretician behind Agda (which wasimplemented by his wife, of whom I have no picture).


(c) Concept of a Type

Typed vs. untyped languages

Examples of typed languages:Pascal, C,C++,Java, C#, Haskell, ML, . . .

Examples of untyped languages:Perl, Python, Visual Basic, Lisp, . . .


Advantages/DisadvantagesAdvantage of untyped languages:Greater freedom in programming.

Advantages of typed languages:

Many errors are avoided, especially when usingoperations defined somewhere else. To find sucherrors in untyped languages can be very difficult.Types are very natural comments to programs, whichexpress the basic functionality of a program.Typed languages enforce this kind of comments, andtherefore better documentation.


Concept of a Type (Cont.)In order to guarantee correctness of software, wemake use of a much more refined type system.

It will allow to specify any property of a program,which can be defined as a formula, as a type.


Need for Rich Type StructuresIn general programming, one wants a veryrich type structure.

The richer the type structure, themore data types one can define,the more flexibility one has when writing programs,

without loosing the advantages of types (preventingerrors).

In this lecture we will mainly focus on theorem proving.

Greater flexibility touched at the end.


Types used in other Languages

::::::::

Scalar::::::::

types:Booleans, integers, floating point numbers, characters,enumeration types.

:::::::::

Simple::::::::::::::

compound::::::::

types:Arrays, strings, record types, lists, sets.

In functional programming additionally:Function types, algebraic types (= what can be definedusing “data”).

In object-oriented programming (not relevant here):interfaces (and classes).


Types used in Dep. Type TheoryFunction types.Let NatList the type of lists of natural numbers.Then NatList→ NatList is the type of functions mappinglists of natural numbers to lists of natural numbers.

E.g. sorting functions (without any correctnessconditions) are elements of this type.


Types used in Dep. Type TheoryProducts (essentially records).Int× Char is the type of pairs 〈r, s〉, where r is aninteger and s is a character.

E.g. 〈2,′ c′〉 : Int× Char.In Haskell notation, products are written as follows:

Haskell notation for A×B is (A,B),Haskell noatation for 〈a, b〉 is (a, b).

e.g. (2, 3) :: (Int, Int).Agda notation will be that of a record type in otherlanguages.


Types used in Dep. Type TheoryAlgebraic types. More about this later.

Dependent versions of the above.


Per Martin-Löf

Professor at Stockholm University.Philosopher, mathematician and computer scientist.The Father of Martin-Löf Type Theory, the variant ofdependent type theory used in this module.


(d) The λ-CalculusBasic idea of the λ-calculus:We want to define functions “on the fly” (so called“:::::::::::::::::

anonyomous:::::::::::::

functions”).

Example:We want to apply a function to all elements of a list.For instance, we want to upgrade a list of studentnumbers to one with one extra digit.


Example for need of λ

Can be done by multiplying each student number by10.Let f : N→ N, f(x) := x ∗ 10.In many languages (e.g. C++, Perl, Python, Haskell)there is a pre-defined operation map, which takes afunction f , and a list l, and applies f to each elementof the list.So for the above f we have

map(f, [210345, 345698, 296458])

= [2103450, 3456980, 2964580] .


Introduction to λ-TermsOften the f is only needed once, and introducing first anew name f for it is tedious.

So one needs a short notation for “the function f , s.t.f(x) = x ∗ 10”.

Notation is λx.x ∗ 10.

So we have

map(λx.x ∗ 10, [210345, 345698, 296458])

= [2103450, 3456980, 2964580] .

In general λx.t stands for the function f s.t. f(x) = t,where t might depend on x.

above t = x ∗ 10.


NotationOne writes in functional programming usually s t for theapplication of s to t instead of s(t) as usual.

This is used since we have often to apply a functionseveral times, writing something like f(a)(b)(c).Instead we write f a b c.

As indicated by the example, r s t stands for (r s) t, ingeneral r0 r1 r2 · · · rn stands for (· · · ((r0 r1) r2) · · · rn).


Infix OperatorsWe use + and ∗ infix.The corresponding operators are written as (+), (∗).

So x + y stands for (+) x y,x ∗ y stands for (∗) x y.

+ and ∗ will bind less than any non-infix constants.Therefore S x + Sy stands for (S x) + (S y).

∗ binds more than +.Therefore x + y ∗ z stands for x + (y ∗ z),and S x + S y ∗ z stands for (S x) + ((S y) ∗ z).

These are the same conventions as in Agda.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 44a

Scope of λx.

How do we read λx.x + 5?As (λx.x) + 5?Or as λx.(x + 5)?

Convention: The scope of λx. is as long as possible.So λx.x + 5 reads as λx.(x + 5).λx.(λy.y) 5 reads as λx.((λy.y) 5).


Scope of λx.

In (λx.x) 5, the scope λx. cannot be extendedbeyond the closing bracket.

So it is “x”,not “x) 5”, which doesn’t make sense.

In f(λx.x + 5, 3), the scope of λxis “x + 5”,not “x + 5, 3)”, which doesn’t make sense.

In (λx.x + 5) 3, the scope of λxis x + 5not x + 5) 3, which doesn’t make sense.


λ without a DotSometimes, λx t (without a dot) is used, if one wants tohave the scope of λx as short as possible.

E.g. λx x y would denote (λx.x) y.

In this lecture we don’t use this notation.


Bound and Free VariablesWe have now bound and free variables:

::::::

Free::::::::::::

variables are variables x, which don’t occur inthe scope of a λ-abstraction “λx.”.

:::::::::

Bound::::::::::::

variables are the other variables:they are variables x that occur in the scope of aλ-abstraction “λx.”.

In λx.x + y,· x is bound (since in the scope of λx),· y is free (since it is not in the scope of λy).


Bound and Free VariablesIn (λy.y + z) y,

the first occurrence of y, y is bound,the second occurrence of y, y is free,z is free.

In (λy.((λz.z) y)) x, we havez is bound,y is bound (in the scope of λy),x is free.


Bound and Free VariablesNote that being bound and free has something to dowith an occurrence of a variable in a term, not with thevariable itself.

By the:::::

free::::::

and:::::::::

bound::::::::::::

variables of a term t we meanthe variables x which occur free or bound, respectively,in t.


Evaluation of λ-TermsHow do we evaluate (λx.x ∗ 10) 5?

We first replace in x ∗ 10, the variable x by 5.We obtain 5 ∗ 10.Then we reduce this further, using other reductionrules (not introduced yet).Using suitable rules, we would reduce 5 ∗ 10 to 50.We will first look only at the pure λ-calculus withoutany additional reduction rules.There (λx.x ∗ 10) 5 reduces to 5 ∗ 10, which cannot bereduced any further.


Basics of the λ-CalculusIn general, the result of applying λx.t to r, is obtained bysubstituting in t the variable x by r.E.g.

(λx.x + 10) 5 evaluates to 5 + 10,If we substitute in x + 10 the variable x by 5, weobtain 5 + 10.

(λx.x) ”Student” evaluates to ”Student”.If we substitute in x, the variable x by “Student”,we obtain “Student”.

(λx.x) (λy.y) evaluates to λy.y.If we substitute in x the variable x by λy.y, weobtain λy.y.


ReductionsWe write −→

::::(read as “

::::::::::

reduces::::

to”) for a one

step-reduction as above. So we have(λx.x + 10) 5 −→ 5 + 10,(λx.x) ”Student” −→ ”Student”,(λx.x) (λy.y) −→ λy.y.In general(λx.t) s −→ t[x := s].


Substitutiont[x := s] denotes the result of substituting in t thevariable x by s, e.g.

(x + 10)[x := 5] = 5 + 10,x[x := ”Student”] = ”Student”,x[x := λy.y] = λy.y.


β-ReductionThe reduction

(λx.t) s −→ t[x := s]

is called:::::::::::::::

β-reduction.


β-ReductionWe might apply β-reduction to a subterm.Examples:

((λx.x + 5) 3) + 7 −→ (3 + 5) + 7,since

(λx.x + 5) 3 −→ 3 + 5 .

Assume we have a pairing operation 〈s, t〉 for the pairs, t, then

〈(λx.x + 5) 3, 7〉 −→ 〈3 + 5, 7〉 ,

We can apply β-reduction under a λ term as well:

λx.((λy.y + 5) 3) −→ λx.3 + 5 .


β-RedexI subterm of the form (λx.r) s of a λ-term t is called a::::::::::

β-redex“Redex” is short for

::::::::::::

reducible:::::::::::::::

expression.

So β-reduction means reducing one β-redex.

A λ-term might have several β-redexe:E.g. In (λx.xx) ((λy.y) z) we have

one redex (λx.xx) ((λy.y) z)and one redex (λy.y) z.


Multiple RedexeTherefore a term might have two different reductions:

In the example we have(λx.xx) ((λy.y) z) −→ ((λy.y) z) ((λy.y) z)(λx.xx) ((λy.y) z) −→ (λx.xx) z.

We will discuss later that the λ-calculus is confluent, so,if we have two different reducts of a λ-term, then thereexists a term t s.t. both reducts reduce (possibly usingseveral reduction steps) to t.

In the example, we have((λy.y) z) ((λy.y) z) reduces in two steps to z zand (λx.xx) z reduces in one step to the sameterm.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 55b

α-ConversionWe identify λ-terms, which only differ in the choice ofthe bound variables (variables abstracted by λ):

So λx.x + 5 and λy.y + 5 are identified.Makes sense, since they both denote the samefunction f s.t. f(x) = x + 5.

(λx.x + 5) 3 + 7 and (λy.y + 5) 3 + 7 are identified.λx.λy.y and λy.λx.x are identified.

This equality is called:::::::::::::

α-equality, and the step from oneterm to another α-equal term is called

:::::::::::::::::

α-conversion.

So λx.λy.y and λy.λx.x are::::::::::

α-equal, written asλx.λy.y=α

:::

λy.λx.x.


α-ConversionNote that λx.λx .x =α λy.λx.x.

The x refers to the second lambda abstraction λx ,not the first one (λx.).Therefore, when changing the variable of the firstλ-abstraction, x remains unchanged.


Substitution and Bound VariablesIf we carry out a substitution in a λ-term, we have to becareful.

(λx.x + 7) [x := 3] = λx.x + 7.It doesn’t make sense to substitute the x in λx.x + 7,since x is bound by λx..x is a bound variable, which is not changed by thesubstitution.

In general, in s[x := t] we only substitute freeoccurrences of x in s by t.

All bound occurrences remain unchanged.


Substitution and Bound VariablesMore examples:

(λx.x)[x := ”Student”] = λx.x.The x in λx.x is bound by λx, so no substitution iscarried out.

((λx.x) x)[x := ”Student”] = (λx.x) ”Student”.The first x is bound, so no substitution is carriedout.The second x is free, so substitution is carried out.

(λy.x + y)[x := 3] = λy.3 + y.x in λy.x + y is free, so it will be substituted by 3 inthe above example.


Substitution and α-ConversionWhen substituting in λ-terms, we sometimes have tocarry out an α-conversion first:

If we substitute in λy.y + x, the variable x by 3, weobtain correctly λy.y + 3, the function f s.t.f(y) = y + 3.If we substitute in λy.y + x, the variable x by y, weshould obtain a function f s.t. f(z) = z + y.If we did this naively, we would obtain λy.y + y.

So the free variable y, which we substituted for x,has become, when substituting it in λy.y + x, to abound variable.

This is not the correct way of doing it.


Substitution and α-ConversionThe correct way is as follows:

First we α-convert λy.y + x, so that the bindingvariable y is different from the free variable we aresubstituting x by:Replace for instance λy.y + x by λz.z + x.Now we can carry out the substitution:

(λy.y + x)[x := y] =α (λz.z + x)[x := y] = λz.z + y .

Similarly, we compute (λy.y + x)[x := y + y] asfollows:

(λy.y+x)[x := y+y] =α (λz.z+x)[x := y+y] = λz.z+(y+y) .


Substitution and α-ConversionIn general, the substitution t[x := s] is carried out asfollows:

α-convert t s.t.if x occurs in t free and is in the scope of some λu,then u doesn’t occur free in s.In other words, α-convert t s.t. one never wouldsubstitute for x the s in such a way that one of thefree variables of s becomes bound.

Then carry out the substitution.


Examples(λx.λy.z)[z := x] =α (λu.λy.z)[z := x] = (λu.λy.x) ,

(λx.λy.z)[z := y] =α (λx.λu.z)[z := y] = (λx.λu.y) ,

(λx.(λy.y) z)[z := y] = λx.(λy.y) y .There is no problem in substituting the z by y, since it isnot in the scope of λy.


Examples(λx.z)[z := λx.x] = λx.λx.x.There is no problem with this substitution, since xdoes not occurr free in λx.x.Note that the x in λx.λx.x refers to the second λ-bindingλx.

(λx.z)[z := (λx.x) x] =α (λu.z)[z := (λx.x) x] =λu.((λx.x) x).Now x occurs free in (λx.x) x (the second occurrence isfree), so we need to α-convert it.


Substitution and α-ConversionIf you have problems understanding this, you canproceed as follows, and are on the safe side:

α-convert t so that all bound variable in t aredifferent from all free variables in s.Then carry out the substitution.

An unnecessary α-conversion doesn’t hurt.


λ-termsNow we can define the untyped λ-calculus as follows:

λ terms are:Variables x,If r and s are λ-terms, so is (r s).If x is a variable and r is a λ-term, so is λx.r.

As usual brackets can be omitted, usingthe above mentioned conventions about the scope ofλx,and that r s t is read as (r s) t.


λ-termsExamples:

λx.x,λx.((λy.y) x),λx.x x,(λx.x x x) (λx.x x x),(λf.λx.f (f x)).


λ-termsOne might need additional constants to thelanguage, then we have additionally:

Any constant is a λ-term.So for instance,

If c is a constant, then λx.c, (λx.x) c are λ-terms,If + is a constant, then λx. + x x is a a λ-term.

For standard operators like +, ∗ we usually writex + y instead of + x y,x ∗ y instead of ∗ x y,etc.


α-Conv, β-ReductionWe identify as before α-equivalent λ-terms,

and define β-reduction as before.


AbbreviationsWe write λx, y. · · · for λx.λy. · · · .

Similarly for λx, y, z. etc.

E.g. λx, y, z.x (y z) stands for λx.λy.λz.x (y z) .


Examples of β-Reduction

(λx.λy.x) y −→ (λy.x)[x := y] =α (λu.x)[x := y] = λu.y

(λz.λx.λy.z) x −→ (λx.λy.z)[z := x]=α (λu.λy.z)[z := x]

= λu.λy.x

(λx.(λy.y) z) y −→ (λx.(λy.y) z)[z := y] = λx.(λy.y) y

λx.(λy.y) y −→ λx.y


Examples (Longer Reduction)

(λx, y.x (x y)) (λu, v.u (u v))

−→ λy.(λu, v.u (u v)) ((λu, v.u (u v)) y)

−→ λy.(λu, v.u (u v)) (λv.y (y v))

−→ λy.λv.(λv.y (y v)) ((λv.y (y v)) v)

−→ λy.λv.(λv.y (y v)) (y (y v))

−→ λy.λv.y (y (y (y v)))

= λy, v.y (y (y (y v)))

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68c

Examples of Non-TerminationReproduction (Term reduces to itself).Let ω := λx.x x, Ω := ω ω. Then

Ω = ω ω = (λx.x x) ω −→ ω ω = Ω .

Expansion (Term reduct becomes bigger).Let Ω := λx.x (x x).Then

Ω Ω = (λx.x (x x)) Ω

−→ Ω (Ω Ω)

−→ Ω (Ω (Ω Ω))

−→ · · ·

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 68d

Reduction SystemsWe want to study certain properties of the relation −→on the set of λ-terms, like

Termination: Is there an infinite reduction

t0 −→ t1 −→ t2 −→ · · · ?

We want to consider as well λ-terms, with someadditional reductions, like s + 0 −→ s.

Behind Agda there is such an extended reductionmechanism, which is essentially terminating (theexact details follow later), and used in order todetermine equality between expressions like 0 + S 0and S 0.

Therefore we introduce the more general notions ofreduction systems and term rewriting systems.


Reduction SystemsA

::::::::::::

reduction::::::::::

system is a pair (T,−→) consisting of aset T (of terms) and a binary relation −→ on T .

We write s −→ t for “s, t are in relation −→” and sayusually “s reduces to t”.

Example: The set of λ-terms with β-reduction forms areduction system:

T is the set of λ-terms,More precisely, we take λ-terms identified moduleα-conversion.−→ is β-reduction.


Example 1 (Reduction System)A simple reduction system is N with reductionsn + 1 −→ n for n ∈ N:

2 30 1 4 5

So we have reductions of the form:

5 −→ 4 −→ 3 −→ 2 −→ 1 −→ 0 .


Example 2 (Reduction System)Another one is N with reductionsn −→ m for n,m ∈ N s.t. n > m:

2 30 1 4


23 −→ 11 −→ 3 −→ 1 −→ 0 .


Example 3 (Reduction System)A third one is T = N ∪ ∗, with reductionsn + 1 −→ n for n ∈ N,and ∗ −→ n for n ∈ N:

2 30 1 4

*


∗ −→ 5 −→ 4 −→ 3 −→ 2 −→ 1 −→ 0 .


Term Rewriting SystemsTerm rewriting systems are special cases of reductionsystems.

They are reduction systems, which are generated by a(in many cases finite) set of rules (i.e. basic reductions).


Example of a Term Rewriting SystemTake T = set of arithmetic expressions formed fromvariables, 0 by using the successor operation S (whereS n stands n + 1), +, ∗ and brackets.

So the following are elements of T :x + S 0,(S 0 + z) ∗ (S (S x) + 0),(S y) ∗ (S 0 + (S x ∗ 0)).

Take as rules the following:

x + 0 −→Rule x ,

x + S y −→Rule S (x + y) ,

x ∗ 0 −→Rule 0 ,

x ∗ S y −→Rule (x ∗ y) + x .


Term Rewriting Systems

x + 0 −→Rule x ,

x + S y −→Rule S (x + y) ,

x ∗ 0 −→Rule 0 ,

x ∗ S y −→Rule (x ∗ y) + x .

The reduction relation generated by these rules allowsto replace in a term

any subterm of the form s + 0 by s,any subterm of the form s + S t by S (s + t),any subterm of the form s ∗ 0 by 0,any subterm of the form s ∗ (S t) by (s ∗ t) + s.


Term Rewriting Systems

x + 0 −→Rule x ,

x + (S y) −→Rule S (x + y) ,

x ∗ 0 −→Rule 0 ,

x ∗ (S y) −→Rule (x ∗ y) + x .

So we have for instance the following reductions:0 + S (S 0) −→ S (0 + S 0),

Reduce 0 + S s to S (0 + s) using s = S 0.S (0 + S 0 ) −→ S (S (0 + 0 )),

Reduce s + S t to S (s + t), using s = t = 0,S (S (0 + 0 )) −→ S (S 0 ) .


Definition of Term Rewriting SystemsA term rewriting system consists of

a set of terms T built from variables, constants andsome function symbols,a relation −→Rule between terms

(if r −→Rule s we say hat r −→Rule s is a:::::

rule),s.t., if s −→Rule t, then

s is not a variable, andall free variables in t occur in s.


Reduction generated by −→Rule

Don’t worry if you don’t understand the followingdefinition.

For most of the module it suffices to have an intuitiveunderstanding of how to reduce terms.



If we have a term rewriting system (T,−→Rule) weobtain a reduction relation −→ on T as follows:

First we construct a relation −→′ obtained fromreductions rules r −→Rule r′ by substituting the freevariables in both r and r′ by some terms.

So the same substitutions are carried out in both rand r′.If s −→′ s′ is obtained by carrying out such asubstitution in r −→Rule r′, then s −→′ s′ is called:::

an::::::::::::

instance:::

of::::::

rule::::::::::::::

r −→Rule r′.



Then s −→ s′, if there exists an instance t −→′ t′ of arule s.t. s contains subterm t, and s′ is the result ofsubstituting in s the term t by t′.

The subterm s is called a:::::::

redex w.r.t. the termrewriting system used.

The reductions s −→ s′ obtained this way are thereductions

:::::::::::::

generated by the term rewriting system.


Example 1

x + 0 −→Rule x ,

x + S y −→Rule S (x + y) ,

x ∗ 0 −→Rule 0 ,

x ∗ S y −→Rule (x ∗ y) + x .

0 + S (S 0) −→ S (0 + S 0) is obtained as follows:The rule used is

x + S y −→Rule S (x + y) .

By substituting x by 0 and y by S 0 we obtain theinstance

0 + S (S 0) −→′ S (0 + S 0) .

In this example, the full term is reduced.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 82

Example 2

x + 0 −→Rule x ,

x + S y −→Rule S (x + y) ,

x ∗ 0 −→Rule 0 ,

x ∗ S y −→Rule (x ∗ y) + x .

S (0 + S 0 ) −→ S (S (0 + 0 )) is obtained as follows:The rule used is x + S y −→Rule S (x + y) .

By substituting x and y by 0 we obtain the instance

0 + S 0 −→′ S (0 + 0 ) .

The left hand side of our reduction S (0 + S 0 )contains now the subterm 0 + S 0 .

By substituting it by S (0 + 0 ) we obtain the righthand side of the reduction, S (S (0 + 0 )) .


Example 3

x + 0 −→Rule x ,

x + S y −→Rule S (x + y) ,

x ∗ 0 −→Rule 0 ,

x ∗ S y −→Rule (x ∗ y) + x .

S (S (0 + 0 )) −→ S (S 0 ).The rule used is x + 0 −→Rule x .

By substituting 0 for x, we obtain the instance

0 + 0 −→′ 0 .

The left hand side of the reduction S (S (0 + 0 ))contains subterm 0 + 0 .By substituting it by 0 we obtain the right hand sideof the reduction S (S 0 ).


−→∗

If (T,−→) is a reduction system, we define

a−→∗:::::

b iff there exists a (possibly empty) sequence of

reductions

a = a0 −→ a1 −→ a2 −→ · · · −→ an = b

By empty reduction we mean: if a = b, then we havea −→∗ b.


−→∗

In order to express the above shorter, one says that−→∗ is the transitive and reflexive closure of −→, i.e.the least transitive and reflexive relation containing −→:

a −→ b implies a −→∗ b.−→∗ is reflexive, i.e. for all a we have a −→∗ a.−→∗ is transitive, i.e. a −→∗ b −→∗ c implies a −→∗ c.If there is any relation −→′ with the above 3properties, then x −→′ y implies x −→∗ y.


ExampleIf we take N with reductionsn + 1 −→ n for n ∈ N:

2 30 1 4 5

Then 5 −→ 4 −→ 3 −→ 2, therefore 5 −→∗ 2.

In general n −→∗ m⇔ n ≥ m.


←→∗

If (T,−→) is a reduction system, we define

a←→∗:::::

b iff there exists a (possibly empty) sequence of

reductions

a = a0 ←→ a1 ←→ a2 ←→ · · · ←→ an = b

wherea←→ b :⇔ (a −→ b ∨ b −→ a) .


←→∗

In order to express the above shorter, one says that←→∗ is the transitive, symmetric and reflexive closure of−→, i.e. the least transitive, symmetric and reflexiverelation containing −→:

a −→ b implies a −→∗ b.−→∗ is reflexive, and transitive.−→∗ is symmetric, i.e. a −→∗ b implies b −→∗ a.If there is any relation −→′ with the above properties,then x −→′ y implies x −→∗ y.


ExampleIf have the following reduction system:

0 1 2

3 4

Then 0←− 3 −→ 1←− 4 −→ 2, therefore 0←→∗ 2.


Identification of ElementsIf we have a reduction system (A,−→), one writesa =−→ b or sometimes a = b for a←→∗ b.

In case of the λ-calculus, we define a =β b⇔ a←→∗β b,

where←→β is the reflexive, symmetric and transitiveclosure of β-reduction −→.

More precisely one allows arbitrary α-conversions inbetween:a =β b iff there exists a sequence a0, . . . , an, a′0, . . . , a

′n

(n = 0 is allowed) s.t.

a =α a0 ←→β a1 =α a′1 ←→β a2 =α a′2 ←→β · · ·

←→β an =α b .


Determination of←→∗

In general it is infeasible to determine whether a←→∗ bholds.

One has to check all possible ways of getting from ato b, by both using −→ and←−.

In many cases this can be determined by:Simply reducing a as long as possible to some terma′ s.t. a −→∗ a′ and s.t. a′ has no further reductions,

i.e. by “evaluating a”.Doing the same with b to some term b′.Checking whether a′ is identical to b′.

This is possible, if −→ is confluent and stronglynormalising (see next slides).


AgdaThe underlying reduction system of Agda is“essentially” strongly normalising.

The equality derived from this reduction system is usedin order to typecheck terms.


Strong NormalisationA reduction system (A,−→) is

:::::::::::::::

terminating or

:::::::::::

strongly::::::::::::::::

normalising, iff there is no infinite sequence

a0 −→ a1 −→ a2 −→ a3 −→ · · ·


ExamplesThe following reduction system is terminating:

2 30 1 4 5

Any reduction sequence will end in 0 and terminate.

The following reduction system is not terminating:

2 30 1 4 5

(Take 0 −→ 1 −→ 2 −→ 3 −→ · · · ).


ExamplesThe following reduction system is terminating, but thereare arbitrarily long reduction sequences starting with ∗:

2 30 1 4

*

. ..

We have ∗ −→ n −→ (n− 1) −→ (n− 2) −→ · · · −→ 0.

The untyped λ-calculus is not terminating, since wehave

Ω −→ Ω −→ Ω −→ · · ·


Normal Form and IrreducibilityLet (A,−→) be a reduction system.

a ∈ A is::::::::::::::

irreducible, if there exists no b ∈ A s.t. a −→ b.

b is a:::::::::

normal:::::::

form:::

of::

a iff a −→∗ b and b is irreducible.

(A −→) is:::::::::

weakly::::::::::::::::

normalising or:::::::::::::::

normalising, if everya ∈ A has a normal form.


ExampleThe following system is weakly normalising, but not stronglynormalising:

0 1 2 3 5 . . .

*

Every a has a normal form, namely ∗.

But there exists an infinite sequence

0 −→ 1 −→ 2 −→ 3 −→ · · ·


LemmaLet (A,−→) be a strongly normalising reduction system.Then (A,−→) is weakly normalising.

Proof:A normal form of a can be obtained by simply reducing a aslong as possible:Since (A,−→) is strongly normalising, the reductionsequence terminates in some b ∈ A.

b is a normal form of A.


ConfluenceA reduction system (A,−→) is confluent, iff for allx, y, z ∈ A we have

if x −→∗ y and x −→∗ z,then there exists an u s.t. y −→∗ u and z −→∗ u.

x

y z

**

* *exists u


Church-RosserIf (A,−→) is confluent, then it has the Church-Rosserproperty:If a←→∗ b iff there exists a c s.t.

a −→∗ c ∧ b −→∗ c

a b

exists c

*

* *


Proof of Church-RosserDefine a ↓ b :⇔ ∃c.(a −→∗ c ∧ b −→∗ c).

We show that ↓ contains −→ and is reflexive, symmetricand transitive.Therefore it contains←→∗, and we get a←→∗ b⇒ a ↓ b.

In the other direction, a ↓ b clearly implies a←→∗ b.


Proof of Church-Rosser↓ contains −→:a −→ b implies a ↓ b.

a b

b

Formally: If a −→ b then we have with c := b thata −→∗ c and b −→∗ c.


Proof of Church-Rosser↓ is reflexive,

a a

a

Formally: We have a −→∗ a and a −→∗ a, thereforea ↓ a.


Proof of Church-Rosser↓ is symmetric:

a b b a

c c* * * *

=>

Formally: If a ↓ b by a −→∗ c and b −→∗ c, then b ↓ a byb −→∗ c and a −→∗ c,


Proof of Church-Rosser↓ is transitive:

a b c

d e* * * *a b c

d e* * * *

f* *

=>

Formally:Assume a ↓ b and b ↓ c by a −→∗ d, b −→∗ d, b −→∗ e,c −→∗ e.Then by confluence there exists an f s.t. d −→∗ f ,e −→∗ f .But then a −→∗ f and c −→∗ f , a ↓ c.


λ-CalculusFact: The λ-calculus is confluent (if we identifyα-equivalent terms), and fulfills therefore theChurch-Rosser property.

Note that this doesn’t give yet an easy way ofdetermining whether a =β b holds:

One needs to find a c s.t. a −→∗ c and b −→∗ c.But simply reducing a might never terminate.


Unique Normal FormsLemma:Let (A,−→) be a confluent reduction system.If a ∈ A has a normal form a′, then it is unique:

If a′′ is another normal form, then a′ = a′′.

Proof:

We have a −→∗ a′ and a −→∗ a′′.

By confluence, there exists a b s.t. a′ −→∗ b anda′′ −→∗ b.

But since a′ and a′′ are normal forms, it follows a′ = band a′′ = b.


LemmaLet (A,−→) be a strongly normalising and confluentreduction system. Then

a←→∗ b iff the normal forms of a and b coincide.

Proof:

“⇒”: By Church Rosser a←→∗ b implies the existenceof a c s.t. a −→∗ c and b −→∗ c.Reduce c further in order to obtain a normal form of aand b.Then c is a normal form of both a and b.Since by the above lemma, normal forms are unique, cis the normal form of a and b.

“⇐”: If the normal forms c coincide, then we havea −→∗ c←−∗ b, therefore a←→∗ c.


Towards the Typed λ-CalculusProblem of the untyped λ-calculus:

Non-Termination, therefore =β difficult to check.In fact =β is semi-decidable (r.e.), but notdecidable (recursive).

Caused by the possibility of self-application, whichallows to write essentially fully recursive programs.Avoided by the simply typed λ-calculus, which isstrongly normalising.


Main Idea of the λ-Calculusλx.x + 5 is a function,

taking an x : int,and returning x + 5 : int.

Therefore, we say that (λx.x + 5) : int→ int.In words, “λx.x + 5 is of type int arrow int”.

In order to clarify the type of x, we write instead ofλx.x + 5

λx : int.x + 5 .


Basics of the Typed λ-Calculusλx : int.x + 5 is

only applicable to some s : int,therefore not applicable to elements of other types,e.g. to “Student” (: String).

So(λx : int.x + 5) 3 is allowed,(λx : int.x + 5) “Student” is not allowed.


Simple TypesThe

:::::::::

simple:::::::

types used in the simply typed λ-calculusare defined inductively as follows:

The:::::::::

ground:::::::

type o is a type.If σ, τ are types, so is (σ → τ).

“Inductively” means that the set of simple types is theleast set containing the ground type, and which closedunder→.

One sometimes modifies the set of ground types,especially when adding constants to the λ-terms.

E.g. when using arithmetic expressions, one can sayfor instance that the ground types are int and float.Then we talk about the:::::::::

simple:::::::

types:::::::::

based::::

on::::::::::

ground::::::::

types::::

int:::::

and::::::

float.


Simple TypesUsually we denote types by Greek letters,

e.g. α (“alpha”), β (“beta”), γ (“gamma”), σ (“sigma”),τ (“tau”).

We omit brackets as usual using the convention thatα→ β → γ stands for α→ (β → γ).

Examples types:o,o→ o,(o→ o)→ o,((o→ o)→ o→ o)→ (o→ o)→ o→ o,

which stands for(((o→ o)→ (o→ o))→ ((o→ o)→ (o→ o))).


AbbreviationIn order to make writing down such types easier, onecan use sometimes the following abbreviations (theseare non-standard abbreviations, and should be definedexplicitly when using outside this lecture.

o2 := o→ o,o3 := o2→ o2,etc.

Soan element of type o2 can be applied to an elementof type o and one obtains an element of type o.an element of type o3 can be applied to an elementof type o2 and one obtains an element of type o2.etc.


ContextsTo determine the type of a term makes only sense, if weknow the types of its variables.

For instance, in case of the λ-term x y, we couldhave

x : o→ o, y : o and therefore x y : o,or x : o→ o, y : (o→ o)→ o→ o, and thereforex y : o→ o.

Therefore we will give a type to λ terms in a context,which determines the types of the variables.


ContextsA

::::::::::

context is an expression of the formx1 : σ1, . . . , xn : σn where

xi are variables,σi are simple types,(when considering other type theories, σi will betypes of that theory).xi are different.

n = 0 is allowed, and we write ∅:

for the empty

context.


Contexts:::::::::::::

Examplesx : o, y : o→ o is a context.x : o→ o, x : o is not a context.

Note that contexts are lists of elements of the formx : σ, so the order matters.

In case of the simply typed λ-calculus, it wouldn’tmake a difference to have as context unordered setsof expressions of the form x : σ.However, when moving later to dependent typetheory, the order of the expressions x : σ will berelevant.


ContextsIn the following, the capital Greek letters Γ

:(“Gamma”),

∆::

(“Delta”) denote contexts.

We write Γ⇒ s : σ::::::::::

for “in context Γ, s has type σ”.

Expressions of this form are called:::::::::::::::

judgements.

Examples:x : o→ o, y : o⇒ x y : o,x : float→ int, y : float⇒ x y : int(assuming ground types float and int),x : (o→ o)→ o→ o, y : o→ o⇒ x y : o→ o.

In case Γ is empty, we write s : σ instead of ∅ ⇒ s : σ.


ContextsIf Γ, ∆ are contexts, Γ,∆

::::

denotes the concatenation of

both contexts, e.g. ifΓ = x : o, y : o→ o,∆ = z : o

thenΓ,∆ denotes x : o, y : o→ o, z : o,∆,Γ denotes z : o, x : o, y : o→ o,Γ, u : o denotes x : o, y : o→ o, u : o.


Simply Typed λ-CalculusDefinition of the

:::::::::

simply::::::::

typed::::::::::

λ-terms, depending on acontext, together with their type.

1.::::::::::::::::

Assumption.Variables, occurring in the context, are terms having thetype they have in the context:

Γ, x : σ,∆⇒ x : σ

Note that Γ, x : σ,∆ stands for any context, in whichx : σ occurs.Explanation:

From the assumption x : σ we can derive x : σ.


Simply Typed λ-Calculus2.

:::::::::::::::

Application.If s is of type σ → τ and t of type σ, depending oncontext Γ, then s t is of type τ under context Γ:

Γ⇒ s : σ → τ Γ⇒ t : σ (Ap)Γ⇒ s t : τ

Explanation:Assume we have s of type σ → τ .· So s is a function, taking an x : σ and returning

an element of type τ .Assume we have t is an element of type σ.Then we can apply the function s to this t, writtenas s t, and obtain an element of type τ .


Simply Typed λ-Calculus3.

:::::::::::::::

Abstraction.If t is a term of type τ , depending on context Γ, x : σ,then λx : σ.t is a term of type σ → τ depending oncontext Γ:

Γ, x : σ ⇒ t : τ(Abs)

Γ⇒ (λx : σ.t) : σ → τ

Explanation:If we have under assumption x : σ shown that t : τ ,then we can form a new λ-term by binding that x,and form λx : σ.t.The result is a function taking as input x : σ andreturning t : τ , so we obtain an element of σ → τ .


RulesWe had three

::::::

rules:1. Γ, x : σ,∆⇒ x : σ

2.Γ⇒ s : σ → τ Γ⇒ t : σ (Ap)

Γ⇒ s t : τ

3.Γ, x : σ ⇒ t : τ

(Abs)Γ⇒ (λx : σ.t) : σ → τ


Rules(1) Γ, x : σ,∆⇒ x : σ

is a special kind of rule, an axiom.Axioms derive typing judgements without having toprove something first (no premises).

(2) The next rule is a genuine rule:

Γ⇒ s : σ → τ Γ⇒ t : σ (Ap)Γ⇒ s t : τ

It expresses:Whenever we have derived Γ⇒ s : σ → τ

(for arbitrary context Γ, types σ, τ , term s)and whenever we derived Γ⇒ t : σ

(for the same Γ, σ, but arbitrary term t),then we can derive Γ⇒ s t : τ .


Rules(3) The next rule is similar:

Γ, x : σ ⇒ t : τ(Abs)

Γ⇒ (λx : σ.t) : σ → τ

It expresses:Whenever we have derived Γ, x : σ ⇒ t : τ

(for arbitrary context Γ, types σ, τ , variable x andterm t),

then we can derive from this Γ⇒ (λx : σ.t) : σ → τ .


DerivationsUsing rules we can derive more complex judgements:

We start with axioms, and use rules with premises inorder to derive further judgements.

Example 1:

x : o⇒ x : o (Abs)(λx : o.x) : o→ o


Example 2

x : o→ o, y : o⇒ x : o→ o x : o→ o, y : o⇒ y : o(Ap)

x : o→ o, y : o⇒ x y : o(Abs)

x : o→ o⇒ (λy : o.x y) : o→ o(Abs)

(λx : o→ o.λy : o.x y) : (o→ o)→ o→ o

Note that we have the following dependencies in thederived λ-term:

(λx : o→ o.λy : o. x︸︷︷︸:o→o

y︸︷︷︸:o︸︷︷︸

:o

) : (o→ o)→ o→ o


Self-ApplicationIn the simply typed λ-calculus we cannot assign a typeto λx.x x, i.e. there are no types σ, τ s.t. (λx : σ.x x) : τ .

Assume we could derive this.The only way to derive (λx : σ.x x) : τ is by the rule ofλ-abstraction.Then τ must be equal to σ → τ1 for some τ1, and thederivation reads then

x : σ ⇒ x x : τ1 (Abs)(λx : σ.x x) : σ → τ1


Self-Applicationx : σ ⇒ x x : τ1 (Abs)

(λx : σ.x x) : σ → τ1

x : σ ⇒ x x : τ must have been derived by the rule ofapplication, so the derivation must look like this:

x : σ ⇒ x : τ2 → τ1 x : σ ⇒ x : τ2 (Ap)x : σ ⇒ x x : τ1 (Abs)

(λx : σ.x x) : σ → τ1


Self-Applicationx : σ ⇒ x : τ2 → τ1 x : σ ⇒ x : τ2 (Ap)

x : σ ⇒ x x : τ1 (Abs)(λx : σ.x x) : σ → τ1

The only way to derive x : σ ⇒ x : τ2 → τ1 andx : σ ⇒ x : τ2 is by using the assumption rule.In order for x : σ ⇒ x : τ2 → τ1 to be derivable by theassumption rule, we need σ = τ2 → τ1.Similarly, in order to derive x : σ ⇒ x : τ2, we needτ2 = σ.So we have τ2 → τ1 = σ = τ2.But τ2 = τ2 → τ1 cannot be fulfilled, since τ2 → τ1 islonger than τ2.So we cannot find types σ, τ s.t. (λx : σ.x x) : τ .


Remark (Weakening)If we have derived t : σ under some context, then thesame holds for any other context, which expands theoriginal one.

Formally, this means: Assume

Γ,∆⇒ t : σ .

Then we have as well

Γ, x : τ,∆⇒ t : σ ,

provided Γ, x : τ,∆ is a context (i.e. provided x does notoccur in Γ,∆).

The process of extending the context is called::::::::::::::

weakening.


Weakening in LogicWeakening occurs in many logic calculi as well.

It occurs in natural language reasoning as well:For instance from “I am living an Swansea” and “InSwansea the sun is shining” follows “Where I amliving, the sun is shining”.However, we can the above as well from theadditional (unused) assumption “Assuming that I ama lecturer”.So we have as well “Under the assumption that I ama lecturer, where I am living the sun is shining”,which is a weaker statement.


Proof of the RemarkAssume a derivation of Γ,∆⇒ t : σ.

Insert at all corresponding positions in the contexts inthe derivation x : τ .

One needs to rename variables, in order to avoidconflicts with x.

The result is a derivation of Γ, x : τ,∆⇒ t : σ.


Example (Weakening)From the derivation

y : o, x : o⇒ x : o(Abs)

y : o⇒ (λx : o.x) : o→ o y : o⇒ y : o(Ap)

y : o⇒ (λx : o.x) y : o

we obtain a derivation of

y : o, x : o⇒ (λx : o.x) y : o

as follows:


Example (Weakening)

y : o, x : o⇒ x : o(Abs)

y : o⇒ (λx : o.x) : o→ o y : o⇒ y : o(Ap)

y : o⇒ (λx : o.x) y : o

First rename in this derivation x by u in order to avoidconflicts (note that λx : o.x is α-equivalent to λu : o.u):

y : o, u : o⇒ u : o(Abs)

y : o⇒ (λu : o.u) : o→ o y : o⇒ y : o(Ap)

y : o⇒ (λu : o.u) y : o


Example (Weakening)

y : o, u : o⇒ u : o(Abs)

y : o⇒ (λu : o.u) : o→ o y : o⇒ y : o(Ap)

y : o⇒ (λu : o.u) y : o

Now we obtain the following derivation ofy : o, x : o⇒ (λx : o.x) y : o

y : o, x : o, u : o⇒ u : o(Abs)

y : o, x : o⇒ (λu : o.u) : o→ o y : o, x : o⇒ y : o(Ap)

y : o, x : o⇒ (λu : o.u) y : o

Note that λx : o.x and λu : o.u are identified.


WeakeningBecause of the possibility of weakening, we will usuallyomit unused parts of contexts.

So a derivation of x : o→ o, y : o⇒ x (x y) : o, which infull reads as follows

x:o→o,y:o⇒x:o→o

x:o→o,y:o⇒x:o→o x:o→o,y:o⇒y:o(Ap)

x : o→ o, y : o⇒ x y : o(Ap)

x : o→ o, y : o⇒ x (x y) : o

will usually be presented as follows:

x:o→o⇒x:o→o

x:o→o⇒x:o→o y:o⇒y:o(Ap)

x : o→ o, y : o⇒ x y : o(Ap)

x : o→ o, y : o⇒ x (x y) : o


β-Reductionβ-reduction for typed λ-terms is defined as for untypedλ-terms.

One has only to carry around the types as well.Formally we have

(λx : σ.t) s −→ t[x := s]

And as before β-reduction can be applied to anysubterm.

A subterm (λx : σ.t) s of a term s is called a

::::::::::

β-redex of s.


Example

(λx:(o→o)→o→o.λy:o→o.x (x y)) (λx:o→o.λy:o.x (x y))

−→λy:o→o.(λx:o→o.λy:o.x (x y)) ((λx:o→o.λy:o.x (x y)) y)

−→ λy : o→ o.(λx : o→ o.λy : o.x (x y)) (λz : o.y (y z))

=α λy : o→ o.(λx : o→ o.λu : o.x (x u)) (λz : o.y (y z))

−→ λy : o→ o.λu : o.(λz : o.y (y z)) ((λz : o.y (y z)) u)

−→ λy : o→ o.λu : o.(λz : o.y (y z)) (y (y u))

−→ λy : o→ o.λu : o.y (y (y (y u)))


TheoremAs for the untyped λ-calculus, the simply typedλ-calculus is confluent.

The simply typed λ-calculus is strongly normalising.

Therefore every typed λ-term has a unique normalform, which can be obtained by β-reducing the term bychoosing arbitrary β-redexe.

Furthermore, two λ-terms are β-equal, if their normalforms are equal (up to α-conversion).


η-RuleIf we have a function f : σ → τ , then this functionapplied to x : σ gives result f x.

Therefore f is as a function the same as λx.f x (wherex is fresh).

However, if for instance f is a variable, we don’t havef =β λx.f x.

Especially, when working later in dependent type theorywe want to identify as many terms as possible, whichare equal.This will make it easier to prove certain goals.

Therefore we introduce a rule, which expresses that f isalways equal to λx.f x w.r.t. β, η-reduction (where x isfresh).


η-RuleThe η-rule expresses that subterms t : σ → τ can beη-expanded to λx.t x (where x does not occur free in t).

However, we need to impose some restrictions, in orderto avoid circularities:

If t is of the form λy.s, then

λx.t x = λx.(λy.s) x −→β λx.s[y := x] =α t ,

so if we allowed to expand t, we would obtain acircularity.If t occurs in the form t r, then we get(λx.t x) r −→β t r.Again expanding t would result in a circularity.All other terms can be expanded without obtaining anew redex.


η-Expansion

::::::::::::::::

η-expansion (or:::::::

η-rule) is the rule which expands onesubterm of a λ-term

of the form r : σ → τ

s.t. r is not of the form λy : σ.t

and such that r is not applied to some other termto λx : σ.r x, where x does not occur free in r.

We writer −→η s:::::::::

for s is obtained from r by the η-rule,

r −→β,η s:::::::::::

for s is obtained from r by using

β-reduction or η-expansion.Notions like −→∗

β,η:::::::

, =β,η::::

,::::::::::::::

β, η-normal:::::::

form, etc.

are to be understood correspondingly.


Example

(λf : (o→ o)→ o→ o.λx : o→ o.f x) f

−→β λx : o→ o.f x

−→η λx : o→ o.λy : o.f x y

−→η λx : o→ o.λy : o.f (λz : o.x z) y

λx : o→ o.λy : o.f (λz : o.x z) y is therefore the

::::::::::::::


form of(λf : (o→ o)→ o→ o.λx : o→ o.f x) f .

Since f −→η λx : o→ o.f x, this is as well theβ, η-normal form of f : (o→ o)→ o→ o.


Example 2If we replace in the above example o by o→ o we obtain

(λf :((o→o)→o→o)→(o→o)→o→o.λx:(o→o)→o→o.f x) f

−→βλx:(o→o)→o→o.f x

−→ηλx:(o→o)→o→o.λy:o→o.f x y

−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f x y z

−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.x u) y z

−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.λv:o.x u v) y z

−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.λv:o.x (λw:o.u w) v) y z

−→ηλx:(o→o)→o→o.λy:o→o.λz:o.f (λu:o→o.λv:o.x (λw:o.u w) v) (λu:o.y u) z


TheoremThe typed λ-calculus with β-reduction and η-expansionis confluent and strongly normalising.


η-RuleWith the η-rule we obtain now that if r : σ → τ , thenr =β,η λx : σ.r x.

If r : σ → τ is of the form λy : σ.t then we haver =β λx : σ.r x:

λx : σ.r x = λx : σ.(λy : σ.t) x

−→β λx : σ.t[y := x]

=α λy : σ.t

= r

Otherwise r −→η λx.σ.r x.

Therefore, every function is of the form λx.something.


η-ReductionIn the literature one often uses instead of η-expansion:::::::::::::::

η-reduction, which allows to reduce λx : σ.r x to r, if x

doesn’t occur free in r.The computation of η-reduction is more difficult thanη-expansion, since one has to check, whether xdoesn’t occur free in r.Therefore in the context of interactive theoremproving, we prefer η-expansion.


ProductsOne can expand the set of λ-types and λ-terms asfollows:

Types are defined as before, but we haveadditionally:

If σ, τ are types, so is σ × τ .


ProductsThe set of typed-λ-terms are defined as before butwe have:

If s : σ, t : τ then 〈s, t〉 : σ × τ :

Γ⇒ s : σ Γ⇒ t : τΓ⇒ 〈s, t〉 : σ × τ

If s : σ × τ , then π0(s) : σ and π1(s) : τ :

Γ⇒ s : σ × τΓ⇒ π0(s) : σ

Γ⇒ s : σ × τΓ⇒ π1(s) : τ


β-Reduction for Pairsβ-reduction for the pairs is the rule which allows toreplace

any subterm of the form π0(〈r0, r1〉) by r0,any subterm of the form π1(〈r0, r1〉) by r1.

The subterms πi(〈r0, r1〉) are as before called:::::::::::

β-redexeof the term in question.

β-reduction for the typed λ-calculus with productsincludes both β-reduction for functions and β-reductionfor pairs.


η-Expansion for ProductsIf we have a product r : σ × τ , then its projections areβ-equal to the projections of 〈π0(r), π1(r)〉:

π0(〈π0(r), π1(r)〉) =β π0(r),π1(〈π0(r), π1(r)〉) =β π1(r).

Therefore, similarly to functions, we would like to havethat every term r : σ × τ is equal to 〈π0(r), π1(r)〉.


η-Rule for ProductsThe η-rule expresses that subterms t : σ × τ can beη-expanded to 〈π0(t), π1(t)〉

However, as for functions, we need to impose somerestrictions, in order to avoid circularities:

If t is of the form 〈r0, r1〉,

〈π0(t), π1(t)〉 −→β 〈r0, r1〉 = t

so if we allowed to expand t, we would obtain acircularity.


η-Rule for ProductsIf t occurs in the form πi(t), then we get

πi(〈π0(t), π1(t)〉) −→β πi(t) ,

expanding t would result in a circularity.All other terms can be expanded without obtaining anew redex.


η-Expansion for Productsη-expansion for products is the rule which allows toreplace in a typed λ-term t

one subterm s : σ × τ ,which is not of the form 〈r0, r1〉,and does not occur in the form π0(s) or π1(s)

by 〈π0(s), π1(s)〉.

η-expansion for the typed λ-calculus with productsincludes both η-expansion for functions and for pairs.


Example

(λf : (o× o)→ o.λx : o× o.f x) f

−→β λx : o× o.f x

−→η λx : o× o.f 〈π0(x), π1(x)〉

λx : o× o.f 〈π0(x), π1(x)〉 is therefore the::::::::::::::


formof

(λf : (o× o)→ o.λx : o× o.f x) f


TheoremThe typed λ-calculus with products, β-reduction andwith (or without) η-expansion is confluent and stronglynormalising.

We can introduce products as well for the untypedλ-calculus. Then we obtain a confluent (but of coursenon normalising) reduction system.


η-RuleWith the η-rule we obtain now that if r : σ × τ , thenr =β,η 〈π0(r), π1(r)〉.

If r : σ × τ is of the form 〈r0, r1〉 then we haver =β 〈π0(r), π1(r)〉:

〈π0(r), π1(r)〉 = 〈π0(〈r0, r1〉), π1(〈r0, r1〉)〉

−→ 〈r0, r1〉

= r

Otherwise r −→η 〈π0(r), π1(r)〉.

Therefore, every element of a product type is of theform 〈something0, something1〉.


λ-Calculus and Term RewritingOne can combine the λ-calculus with term writing.

Consider the λ-calculus with terms using additionalconstants.

Assume some term rewriting rules as before (whichmight involve some λ-terms).

As in case of ordinary term rewriting, we forminstantiations −→′ of the rules by replacing variables byarbitrary λ-terms (in the extended language).


λ-Calculus and Term RewritingThen s −→ t, if

s β-reduces (or η-expands, if one allows the η-rule)to tor there exists an instantiation s′ −→ t′ s.t. s′ is asubterm of s and t is the result of replacing thissubterm in s by t′.· s′ is called as usual a

:::::::

redex of s.


λ-Calculus and Term RewritingAssume for instance the rule

double −→ λx.x + x

Then we have

(λf.λx.f (f x)) double

−→ λx. double (double x)

−→ λx. double ((λx.x + x) x)

−→ λx. double (x + x)

−→ λx. (λx.x + x) (x + x)

−→ λx. (x + x) + (x + x)


What does Subterm Mean?When referring to ordinary term rewriting rules, then fora term t to have subterm s meant essentially that thereis a term t′ in which a new variable x occurs exactlyonce, and t = t′[x := s].

Replacing this subterm by s′ means that we replace tby t′[x := s′].


What does Subterm Mean?When referring to λ-terms, this is no longer the case:

Assume for instance the rewrite rule x + 0 −→Rule x.λx.x + 0 has subterm x + 0, but there is no term t s.t.λx.x + 0 = t[y := x + 0]:If we substitute for instance in λx.y y by x + 0 weobtain λz.x + 0.

The reason is that when matching a rewrite rule, freevariables in the instantation of the rule used mightbecome bound.

So we can apply x + 0 −→Rule x to λx.x + 0 and havetherefore λx.x + 0 −→ λx.x.

Replacing a subterm by another subterm is to beunderstood verbally.


Higher Order Rewrite SystemsThe full definition of so called higher order termrewriting systems imposes more restrictions on thereduction rules.

For our purposes the naive interpretation just presentedsuffices.


Reduction to Closed TermsOne can always replace term rewriting rules for theλ-calculus by one in which for all rules s −→Rule t wehave that s, t are closed.

This can be done in such a way that equality (modulothe rewriting rules, β and possibly η) in both systemscoincide:

Assume a rules −→Rule t

and let x1, . . . , xn be the free variables in s.

Then replace this rule by

λx1, . . . , xn.s −→Rule′ λx1, . . . , xn.t .

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156d

ProofWe write in the following ~x for x1, . . . , xn.

Assume a term r reduces using this rule in the originalsystem to a term u:

Then r contains a subterm of the form s′ where s′ is theresult of substituting in s xi by some terms ti.

Let t′ be the result of subsituting in t xi by ti. Then u isthe result of replacing s′ in r by t′.

Let then r′ be the result of replacing s′ by(λ~x.s) t1, . . . , tn, and u′ be the result of replacing in s s′

by (λ~x.t) t1, . . . , tn.

Then we have r =β r′ −→Rule′ u′ =β u, so the reductioncan be simulted in the second system.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156e

ProofOn the other hand, if r −→ u by using in the secondsystem the rule λ~x.s −→Rule′ λ~x.t, then r −→ u in theprevious system by using the rule s −→Rule t

r contains a subterm equal to λ~x.s and u is the resultof substituting this subterm in r by λ~x.t.But then r contains the subterm s and t is the resultof substituting this subterm in r by t.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156f

ExampleWe can replace the rewriting rules

x + 0 −→ x

x + S y −→ S (x + y)

by λx.x + 0 −→ λx.x

λx, y.x + S y −→ λx, y.S (x + y)

ThatS (0 + S 0) −→ S (S (0 + 0)) −→ S (S 0)

becomes in the new system

S (0 + S 0) =β S ((λx, y.x + S y) 0 0)

−→ S ((λx, y.S(x + y)) 0 0) =β S (S (0 + 0))

=β S (S ((λx.x + 0) 0)) −→ S (S ((λx.x) 0)) =β S (S 0)

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 156g

Extended Typed λ-CalculusFinally, we can combine the typed λ-calculus (with orwithout products, with or without η-expansion) with termrewriting rules.

We have to make the following adaptions:We assign a type to each additional constant.The set of typed λ-terms is then introduced by thesame rules as before, but we have as additional rule:

If c is a constant of type σ, then we have

Γ⇒ c : σ


ExampleAssuming (+) : nat→ nat→ nat, and writing as usualr + s for (+) r s we have the following derivation ofλx : nat.x + x : nat→ nat:

x:nat⇒(+):nat→nat→nat x:nat⇒x:nat

x:nat⇒(+) x:nat→nat x : nat⇒ x : nat

x : nat⇒ (+) x x : nat

(λx : nat.x + x) : nat→ nat

The left most leaf in this derivation follows by the rulefor the constant (+).


ExampleThen we have

(λf : nat→ nat.λx : nat.f (f x)) double

−→ λx : nat. double (double x)

−→ λx : nat. double ((λx : nat.x + x) x)

−→ λx : nat. double (x + x)

−→ λx : nat. (λx : nat.x + x) (x + x)

−→ λx : nat. (x + x) + (x + x)


Extended Typed λ-CalculusReduction rules should now be of the formΓ⇒ s −→Rule t : σ (instead of s −→Rule t) where wehave Γ⇒ s : σ and Γ⇒ t : σ.

As before, s shouldn’t be a variable, and allvariables in t should occur in s.· Best guaranteed by demanding that all variables

in Γ occur free in s.One usually omits Γ, σ, if it is clear from thecontext.

Very often, the reduction rules will be of the formc −→Rule t : σ where c is a constant and therefore t aclosed term.


Extended Typed λ-CalculusInstantiations of a rule Γ⇒ s −→Rule t : σ are nowobtained by replacing variables x of type τ by termsr : τ (possibly depending on some context ∆).

Reductions w.r.t. the rules are obtained by replacingsubterms r : σ, which coincide with the left hand side ofan instantiation of a rule r −→′ r′ : σ by the right handside r′.


ExampleAssume

ground type nat,constants (+) : nat→ nat→ nat (written infix, i.e.r + s for (+) r s),and double : nat→ nat.and the reduction ruledouble −→ (λx : nat.x + x) : nat→ nat.


ExampleThen we have

(λf : nat→ nat.λx : nat.f (f x)) double

−→ λx : nat. double (double x)

−→ λx : nat. double ((λx.x + x) x)

−→ λx : nat. double (x + x)

−→ λx : nat. (λx.x + x) (x + x)

−→ λx : nat. (x + x) + (x + x)


Products with many ComponentsWe write σ1 × · · · × σn for (· · · ((σ1 × σ2)× σ3) · · · × σn).

Define a1 : σ1, . . . , an : σn

〈a1, . . . , an〉 := 〈· · · 〈〈a1, a2〉, a3〉, · · · an〉 : σ1 × · · · × σn

One can easily define corresponding projectionsπn

i : (σ1 × · · · × σn)→ σi, s.t.

πni (〈a1, . . . , an〉) =β ai .


Curried/Uncurried FunctionsIn the λ-calculus with products, there are two versionsof a function f taking two integers and returning aninteger:

f1 : (int× int)→ int

f2 : int→ int→ int.

We saythat f1 is in

:::::::::::::

Uncurried form,and f2 is in

::::::::::

Curried from.

The name “Curry” honours Haskell Curry.

The application of these two functions to arguments xand y is written

f1〈x, y〉,f2 x y.


Haskell Brooks Curry

Haskell Brooks Curry(1900 - 1982)


Curried/Uncurried FunctionsThe above generalizes to functions with arbitrarily (butfinitely) many arguments of different type.

The::::::::::

Curried::::::::::

version of a function f with argumentsof types σ1, . . . , σn and result type ρ is of type

σ1 → · · · → σn → ρ .

The:::::::::::::

Uncurried::::::::::

version of it has type

(σ1 × · · · × σn)→ ρ .


UncurryingWe can obtain from the Curried form fCurry of a functionits Uncurried form fUncurry by

fUncurry = λx.fCurry π0(x) · · · πn(x)

where πni : (σ1 × · · · × σn)→ σi are the projections.

One can as well define a λ-term

Uncurry:::::::::

: (σ1 → · · · σn → ρ)→ (σ1 × · · · × σn)→ ρ

Uncurry := λf, x.f π0(x) · · · πn(x)

s.t. Uncurry fCurry −→β fUncurry.

This transformation is called::::::::::::::

Uncurrying.


CurryingWe can obtain from the Uncurried form fUncurry of afunction its Curried form fCurry by

fCurry = λx1, . . . , xn.fUncurry 〈x1, . . . , xn〉

Again we can define

Curry::::::

: ((σ1 × · · · × σn)→ ρ)→ σ1 → · · · → σn → ρ

Curry := λf, x1, . . . , xn.f 〈x1, . . . , xn〉

s.t. Curry fUncurry −→β fCurry.

This transformation is called:::::::::::

Currying.

It is an easy exercise to show Curry (Uncurry f) =β,η f

and Uncurry (Curry f) =β,η f .


(Un)Currying in ProgrammingThe Uncurried form of a function corresponds to theform functions are presented usually outside functionalprogramming.

In functional programming one often prefers the Curriedform.

This allows to apply a functional partially to itsarguments.E.g. if we take (+) as usual in Curried form, then(+) 3 : int→ int is the function taking x and returningx + 3.For instance map ((+) 3) [1, 2, 3] = [4, 5, 6]:If we apply the function increasing every x by 3 to thelist [1, 2, 3], we obtain the result of incrementing eachlist element by 3, i.e. [4, 5, 6].


(Un)Currying in ProgrammingOne usually avoids in functional programming (and aswell in Agda) the formation of products (or recordtypes).

The packing and unpacking of products makesprogramming often harder.E.g. instead of defining a function f : σ → (ρ× τ) it isusually better to form two functions f1 : σ → ρ andf2 : σ → τ , (which are often defined simultaneously).


(e) Basic Derivations in AgdaAgda is based on dependent type theory.

This extends the simply typed λ-calculus.


Notations in AgdaIn type theory, one uses single colons “:” for “has type”,as we did above.

In Haskell and as well in Cayenne, “:” is used in lists,and “::” is used for “has type”.

In order to be close to Haskell and Cayenne, it wasdecided to use in Agda as well “::” (although listshaven’t been introduced yet).

In this lecture we willusually use “:”,except when referring to explicit Agda code (then “::”is used).


Notations in AgdaIn Agda one writes \(x :: A)− > r for λx : A.r.

A can often be inferred by Agda automatically, usingmenuSolve (C-c =)(When presenting keyboard-macros, “C-c” stands for“Control-c”.)

When presenting Agda code we will write λ(x :: A)→ rfor the above, so λ means \ and→ means -> in realAgda code.

When reasoning in type theory itself (outside Agda), weuse standard type theoretic notation λx : A.r.

We sometimes omit A, and write simply λx.r.


PostulateIn Agda one has no predefined types, all types have tobe defined explicitly (e.g. the type of natural numbers,the type of Booleans, etc.).

In order to obtain ground types with no specificmeaning (like o above), we have to postulate suchtypes, (or use packages as introduced later).

In Agda the lowest type level, which corresponds totypes in the simply typed λ-calculus, is called for historicreasons Set.

So in order to introduce a ground type A we write:

postulate A :: Set


PostulateWe can now introduce other constants.For instance, in order to introduce a function from A toB where A and B are ground types, and an element oftype A, we write the following:

postulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.

See examplePostulate1.agda


Basic Usage of AgdaInstructions on how to install Agda can be found underhttp://www-compsci.swan.ac.uk/∼csetzer/othersoftware/agda/agdainstallation.html

The installation will provide an Emacs/XEmacs modefor agda files.

If a file with extension .agda is loaded intoEmacs/XEmacs, then this mode is invoked.


Basic Usage of AgdaThere are two menus:

One from the top menu line of Emacs/XEmacs,invoked with a right mouse click.One which is activated at any position in the buffer,again invoked by a right mouse click.(Under Emacs, this menu is only active when one isinside a goal – see below).The latter one depends on where one is in the buffer.


Basic Usage of AgdaOn the menu, with each menu a keyboard short cut ispresented.It is advisiable to learn the most frequently used ones.

In order to type check the buffer, useLoad-Buffer (C-c C-x C-b).

Agda allows to load several buffers in sequence, and tokeep the old definitions.

E.g. one has one file, containing the definition of thenatural numbers, and one main file using it.Then one first loads the file containing the naturalnumber definitions, and then the main file.


Basic Usage of AgdaDefinitions introduced must be consistent – eachdefinition can occur only once.

When moving to a different file, which associates withthe same identifier the same or a different definition,one gets an error, since the other definition from theprevious file is still present.

In order to get rid of the previuos definition, one hasto restart Agda first, using(Re)start Agda (C-c C-x C-c).‘

Can be used as well in case Agda crashes (whichhappens sometimes, since evaluation of terms canbe very time and space intensive).

Then one has to load the buffer.


Basic λ-Termspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.

Assuming the above postulates, we can now introducenew terms.

We have to give a name and a type to each newdefinition.

Example:Using the above postulates, we can define b := f a : Bas follows:b :: B

= f a


Basic λ-Termspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.b :: B

= f a

We can as well introduce g := λx : A.x : A→ A asfollows:g :: A→ A

= λ(x :: A)→ x



λ-Termspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.

Instead of defining λ-terms by using λ directly, it isusually more convenient to use a notation of thefollowing kind:g (a :: A)

:: A

= a

Note that in the above example, the local a overridesthe global a.



Goalspostulate A :: Setpostulate B :: Set.postulate f :: A→ B.postulate a :: A.

In Agda one can leave terms or types, which onedoesn’t know yet, open.

The part left open is written as ! !, and we say“goal” for it.

Example:g (x :: A)

:: A

= ! !

exampleGoal1.agda


GoalsWhen the buffer is loaded, the goal will be shown in adifferent colour, and one can only edit inside or outsidethe goal.

Each goal gets a number.

When inside a goal, the menu active from inside thebuffer,

when using XEmacs, changes to the::::::::::::::

goal-menu;when using Emacs, is activated and becomes thegoal-menu. (Outside a goal this menu doesn’t exist).

If one wants to edit the buffer in a way which isimpossible because of the restrictions of editing goals,one can do so by using menu Text State.

When reloading the buffer one gets back to the statein which goals have special status.


GoalsUsing the goal-menu, we can find out

what type is expected:Type of Goal C-c C-t.Agda shows: ?0 :: AThere is as well a variantType of Goal (unfolded) C-c C-x C-r.It evaluates the type of the goal using reduction rules(see later).

Using the main menu we can always show the types ofall goals (show-goals).

We can as well jump to the next and previous goalusing menu items Next Goal and Previous Goal.


GoalsInside a goal we can as well find out the current context:

Using menu Context.In our example Agda shows:a :: A

g :: (x :: A)→ A

a :: A

f :: A→ B

B :: Set

A :: Set

.


Indentation SensitivityAgda is indentation sensitive.

So often instead of having parentheses “〈Code〉”, asin other languages, all lines belonging to 〈Code〉 have tobe intended more then the surrounding code, andusually in the same way.

Therefore top level definitions have to start in column1.Otherwise they are considered as being an extension ofa previous definition.

All code belonging to such a definition in later columnshas to be intended at least once.


Indentation SensitivityExample: The following causes an error:postulate A :: Setpostulate B :: Set

We have to type instead:postulate A :: Setpostulate B :: Set

The following causes an error:a′ :: A= a

We have to type instead:a′ :: A

= A.


Derivations in AgdaIn Agda, rules are implicit.

The rulef : A→ B a : A

f a : B

corresponds to the following:

Assume we have introduced:g :: D → E, d :: D.

and want to solve the goal! ! :: E.

exampleSimpleDerivation4.agda


Derivations in Agda (Cont.)Then we can fill this goal by typing in g d:

! g d ! :: E

If we then choose goal-menu Refine (C-c C-r), thesystem shows:

g d :: E.


RefinementAssume in the above situation that we don’t know whatto insert.We only guess that it has to be of the form g applied tosome arguments.

We can see this since the result type of g is E(g : D → E).

Then we can insert g and use menu Refine (C-c C-r)

The system shows g ! ! :: E.

We can ask for the type of the new goal ! !, and get:! ! :: D

Now we can solve this goal by filling in d and usingrefine: g d :: E.


JudgementsIn ordinary functional programming, it is easy todetermine the correctly formed types.In dependent type theory the type structure is richerand more complicated.

Proof steps are required to conclude that something isa type.


JudgementsTherefore we have not only the judgement as infunctional programming

a : A

but as well a typing judgement A is a type, written (aswe have already seen)

A : Set

Before deriving a : A, where A is a constant, we firsthave to show A : Set.


Equality JudgementsAgda will identify terms which have the same normalform.E.g. s := (λ(x : A).x) r and r will be identified.

If one needs at some place r, one can insert s insteadof r and vice versa.

In Agda this is done automatically, the user doesn’t seesuch equalities.

There is not even a direct command available inAgda, which allows to check whether two terms areequal (this could probably be added easily).


Examplepostulate A :: Setpostulate a :: Apostulate f :: A→ Set

g (a :: A)

:: A

= a

a′ :: A

= ga

p (x :: fa)

:: (fa′)

= ! !

exampleSimpleEquality2.agda

Since a′ = g a = a, we can solve the goal by using x.


Equality JudgementsWhen using the simply typed λ-calculus, we couldseparate the derivation of λ-terms, from reductions.

When using dependent type theory as in Agda,reductions and derivations have to be integrated.

Traditionally, instead of introducing reductions, oneintroduces in dependent type theory equalities betweenterms.

Written asr = s : A

for r and s are equal elements of set A.


ExampleThe rule expressing that π0(〈a, b〉) −→ a reads in thisstyle as follows:

a : A b : Bπ0(〈a, b〉) = a : A

= is not directed, so we have as well the rule

a = b : Ab = a : A

We can therefore derive:

a : A b : Bπ0(〈a, b〉) = a : A

a = π0(〈a, b〉) : A


Equality Judgements (Cont.)We will have as well equality between types, written as

A = B : Set

This is something novel in dependent type theory.In simple type theory, there is only one way of writinga type.

For instance if we assume f : A→ Set, then if a = a′ : Athen f a = f a′ : Set.


Four JudgementsSo we have the following 4 types of judgements:

A : Set “A is a type”.a : A “a is of type A”.A = B : Set “A and B are equal types”.a = b : A “a and b are equal elements of type A”.

In Agda, only A : Set and a : A are explicit.


(f) Dependent JudgementsAs for the simply typed λ-calculus, in dependent typetheory, judgements might depend on a context.

So we obtain judgements of the form

x1 : A1, . . . , xn : An ⇒ A : Set

x1 : A1, . . . , xn : An ⇒ A = B : Set

x1 : A1, . . . , xn : An ⇒ s : A

x1 : A1, . . . , xn : An ⇒ s = t : A


Need for Context Rulesx1 : A1, . . . , xn : An ⇒ A : Set

· · ·

To derive such judgements requires that we know

A1 : Set

x1 : A1 ⇒ A2 : Set

x1 : A1, x2 : A2 ⇒ A3 : Set

· · ·

x1 : A1, x2 : A2, . . . , xn−1 : An−1 ⇒ An : Set


Context RuleNote that we didn’t require derivations as above in thesimply typed λ-calculus, since it was easy to veryifywhether something is a valid type.

In case of dependent types A : Set requires a derivation.

It can be as complicated to derive A : Set as it is toderive a judgement b : B:One can compute from an unchecked judgement a : Aan unchecked type expression B s.t. a : A holds iffB : Set holds.


Context RuleIn order to organise this in a better way we introduce anadditional judgement Γ⇒ Context for “Γ is a validcontext”.

That x1 : A1, . . . , xn : An ⇒ Context holds means exactlywhat we had above, i.e.:

A1 : Set

x1 : A1 ⇒ A2 : Set

x1 : A1, x2 : A2 ⇒ A3 : Set

· · ·

x1 : A1, x2 : A2, . . . , xn−1 : An−1 ⇒ An : Set


Five Dependent JudgementsSo we have therefore 5 dependent judgements:

x1 : A1, . . . , xn : An ⇒ A : Set

x1 : A1, . . . , xn : An ⇒ A = B

x1 : A1, . . . , xn : An ⇒ s : A

x1 : A1, . . . , xn : An ⇒ s = t : A

x1 : A1, . . . , xn : An ⇒ Context


ExampleThe assumption rule, which in case of the simply typedλ-calculus read:

Γ⇒ x : σ (if x : σ occurs in Γ)

reads in dependent type theory as follows (assumingthat x : A occurs in Γ:

Γ⇒ ContextΓ⇒ x : A

Similarly we have to deal with the rule introducingconstants.


Notations for Judgements, Contextsθ will in the following denote an arbitrary non dependentjudgement, i.e. one of the following :

A : Set,A = B : Set,a : A,a = b : A.

Γ, ∆ will usually denote contexts.

We have the same notations as before, i.e.Γ,∆ is the result of concatenating contexts Γ, ∆,Γ, x : A is the result of extending the context Γ byx : A,∅ is the empty context.We write for ∅ ⇒ θ usually simply θ.


Contexts in AgdaIn Agda, we have no explicit judgements depending oncontexts.

Not needed, since we don’t derive judgments usingrules directly.

However, if we have the open judgement

f (x :: B)

:: A

= ! !

Then we can make use of x :: B for refining the goal.

So we have to solve the goal in context x :: B.

This context can be shown using goal menu Context.

See exampleShowContext.agda.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 1 206

Example: Derivation of double(See exampleDoubleString2.agda.)

We derivedouble := (λx.concat x x) : ((x : String)→ String) inAgda, assuming definitions of String and concat.

We start withdouble (x :: String)

:: String

= ! !

We can insert into the goal concat:

double (x :: String)

:: String

= ! concat !


Example: Derivation of doubleWhen using goal-menu refine, we obtain:


:: String

= concat ! ! ! !

We can check now using goal-menu Type of Goal (orType of Goal (unfolded) that the two new goals requireboth type String.

We can check using goal-menu Context that thecontext of both goals contain x :: String.


Example: Derivation of doubleWe insert x into the first goal and refine:


:: String

= concat x ! !

Doing the same with the second goal gives:


:: String

= concat x x

We are done.


double in Type TheoryA derivation of

double := λx : String.double x x

in Type Theory, assuming global constants

String : Set ,

concat : String→ String→ String ,

is as follows:We first derive x : String⇒ Context:

∅ : Context String : Setx : String⇒ Context


double in Type TheoryThe remaining derivation is as follows (using the abovederivation):

x:String⇒Context

x:String⇒concat:String→String→String

x:String⇒Context

x:String⇒x:String

x:String⇒concat x:String→String

x:String⇒Context

x:String⇒x:String

x:String⇒concat x x:String

double:=λx:String.concat x x:String→String


(g) Dependent TypesAssume we want to assign a type to a sorting functionsort on lists of natural numbers.

In most programming language, the type of it isessentially

sort : NatList→ NatList

for the type of lists of natural numbers NatList.

In dependent type theory, we can demand morecorrectness, namley that its type is

sort : NatList→ SortedList .

We assume some notion of NatList (list of naturalnumbers).


SortedListWhat is SortedList?

An element of SortedList is a list which is sorted.It is a pair 〈l, p〉 s.t.

l is a NatList.p is a proof or verification that l is sorted:· p : Sorted(l).


Sorted ListsFor the moment, ignore what is meant by Sorted(l) as atype.

Only important: Sorted depends on l.Sorted(l) is a predicate expressed as a type.

Elements of SortedList are pairs 〈l, p〉 s.t.l : NatList.p : Sorted(l).

Sorted(l) is a dependent type.


Sorted Lists (Cont.)An element of Sorted(l) will be a proof that l is sorted.

If l is sorted, then Sorted(l) will be provable, andtherefore will have an element.

It is possible to write a program which computes anelement of Sorted(l).

If l is not sorted, then Sorted(l) will have no proof and itwill therefore no element.

Then it is not possible to write a program whichcomputes an element of Sorted(l).


The Dependent ProductThen the pair 〈l, p〉 will be an element of

SortedList := (l : NatList)× Sorted(l) .

SortedList is the type of pairs 〈l, p〉 s.t.l : NatList,p : Sorted(l).

called the::::::::::::::

dependent::::::::::

product

sort : NatList→ ((l : NatList)× Sorted(l)) expresses:sort converts lists into sorted lists.


The Dependent Function TypeFrom a sorting function we know more:

It takes a list and converts it into a sorted listwith the same elements.

Assume a type (or predicate) EqElements(l, l′) standingfor

l and l′ have the same elements.


The Dependent Function TypeA refined version of sort has type

(l : NatList)→ ((l′ : NatList)×Sorted(l′)×EqElements(l, l′))

“sort(l) is a list, which is sorted and has the sameelements”.

“sort is a program, which takes a list and returns asorted list with the same elements.”

The type of sort is an instance of the::::::::::::::

dependent:::::::::::

function::::::

type:The result type depends on the arguments.


(h) Dependent Types in ProgrammingDependent types are often needed in programming, evenif no verification is needed.We give some examples:

In Java, a relatively big library of “collection classes” isavailable.

Provides implementations of lists, sets, hash tables,etc.It would be nice to have “lists of type A”.However this is a dependent type, depending on atype A.Cannot be expressed in Java.Instead, in Java only lists of elements of typeObject are available.


Dependent Types in Programming(Collection classes in Java, Cont.)

Elements of other types have to be upcasted toObjectElements of the list have then to be downcasted totheir original type.

Type checking happens at run time rather than atcompile time.


ExampleAssume a class StudentEntry.

If we have a list listOfStudentEntries, and add to it anelement studentEntry of type StudentEntry, this element willfirst be converted (upcasted) to type Object.

If we retrieve an element (e.g. the first element) oflistOfStudentEntries, we obtain an element of Object.

If it was originally a StudentEntry, we can cast thiselement down to StudentEntry.However, whether we have an element ofStudentEntry, cannot be determined at compiletime, only at run time.


PolymorphismWhat is needed is a weak form of dependent types,called

:::::::::::::::::::

polymorphism.Types might depend on other types but not onelements of types.

In C++, this form of dependency is available (called:::::::::::::

templates).One writes for instance List<A> for lists of type A.

In Java, it might be available in the next release 1.5.

In C#, it will be available in the next release.

In Haskell and ML it is available.E.g. \ x→x :: α⇒ α→ α,which means that λx.x is of type α→ α for everytype α.


Dependent Types in ProgrammingMatrix multiplication is an operation, which takesthree natural numbers n,m, k, an n×m-matrix and anm× k-matrix, and has as result an n× k-matrix.The type of this function is a dependent type: Thetypes of n×m-matrices, of m× k-matrices and ofn× k-matrices depend on n, m, k.


Matrix MultiplicationUsually, this problem is solved by

taking matrices which are big enough and restrictingthe operation to n×m, m× k and n× k sub-matrices,

waste of memoryor by dynamically allocating arrays.

This means memory allocation has to be done atrun time.

In both solutions, checking that the dimensions arein accordance has to be done at run-time.


Type of Matrix MultiplicationLet N be the type of natural numbers(i.e. 0, 1, . . . ,; N will be introduced later).

Let Mat(n,m) be the type of n×m-matrices.(Will be introduced later).Then matrix multiplication has type

(n : N)

→ (m : N)

→ (k : N)

→ Mat(n,m)

→ Mat(m, k)

→ Mat(n, k)


Type of Matrix Multiplication (Cont.)A shorter notation for this type is

(n,m, k : N)

→ Mat(n,m)

→ Mat(m, k)

→ Mat(n, k)


Dependent Types in ProgrammingDigital Components.

A digital component (e.g. a logic gate) with n inputs andm outputs can be considered as a functionBooln → Boolm.

In general such a component is a triple consisting ofn, the number of inputs,m, the number of outputs,a function f : Booln → Boolm.

The type of f depends on n and m, an example of adependent type.


Dependent Types in ProgrammingPredicates are dependent types.

See the types of sort above.


Dependent Types in LinguisticsAarne Ranta has used dependent types in linguistics:

In a sentence like “The man goes home”, thepredicate

in grammar the predicate is “what is said about thesubject of a sentence”;it consists essentially of the verb and whatcompletes the verb;here it is “goes home”

depends on, whether the subjectin grammar the subject is the noun or itsequivalent about which a sentence is predicated;here it is “The man”

is singular (then the predicate is “goes home”)or plural (then the predicate is “go home”).


Dependent Types in LinguisticsAarne Ranta constructed grammars based ondependent types, and used them for translatingsentences between different languages automatically.


2. The Logical Framework(a)

(b)

(c)

(d)

(e)

(f)


(a) Basic Form of Rules

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(a) 227

Four Kinds of Rules(g) For each type construction we have usually 4 kinds of

rules:(1) Formation Rules.(2) Introduction Rules.(3) Elimination Rules.(4) Equality Rules.

Additionally there are equality versions of theformation, introduction and elimination rules.


(1) Formation RulesThe

::::::::::::

formation::::::::

rules introduce new types.

Each type construction has one such rule.

The conclusion of such a rule will have the form:

C(a1, · · · , an) : Set .

where C is a::::::::::::::::::::::

type-constructor,a1, . . . , an are its arguments.

n = 0 is possible, in which case we write C instead ofC().

Later, we will introduce higher levels Type,Kind, . . ..Then we have formation rules with conclusionC(a1, . . . , an) : Type (or : Kind, etc.).


Logical FrameworkPreliminarily, we will be using type theory without thelogical framework.

For instance, below we will introduce

List(A) : Set

for any A : Set, the set of lists of elements of A.


Logical FrameworkUntil we have introduced the full logical framework, itdoesn’t make sense to talk about List itself, which wouldhave type

List : Set→ Set .

The problem is that Set→ Set doesn’t make sensewithout the logical framework.

The full logical framework is conceptually more difficult,that’s why we delay its introduction.


Logical FrameworkWhen working later with the full logical framework,constructors will have their own type.

Then what is now

C(a1, . . . , an)

will be written asC a1 · · · an ,

namely the application of the constructor C toarguments a1, . . . , an.

For instance we will write then List A instead of List(A).


Logical FrameworkAgda has the logical framework built in, so in Agda Listwill be a function Set→ Set, in Agda notation:

List (A :: Set)

:: Set

= · · ·


Example 1: The Set of Lists

A : Set (List-F)List(A) : Set

The type-constructor is List.

List(A) is the type of lists of type A.


Ex. 2: The Set of Natural NumbersFormation rule for the type of natural numbers:

N : Set (N-F)

The type-constructor is N.Note that the formation rule for N has 0 premises(therefore the fraction bar is omitted).


Ex. 3: The Non-Dependent ProductFormation rule for the non-dependent product:

A : Set B : Set (×-F)A×B : Set

A×B stands for (×)(A,B).The type-constructor is (×).


Formation Rules in AgdaThe formation of a type is usually done by introducing aconstant of a certain type.

Example 1:

List (A :: Set)

:: Set

= · · ·


Example 2: (×)

Agda syntax for introducing thenon-dependent product:

(×) (A :: Set)

(B :: Set)

:: Set

= · · ·

· · · is an Agda definition of this type (more about thislater).× is ASCII symbol 215 (not the letter x).

There are as well predefined versions of the product(and of the function type) in Agda (see later).


(2) Introduction RulesThe

::::::::::::::::

introduction:::::

rule introduces elements of a type.

The conclusion of such a rule will have the form

C(a1, . . . , an) : A

whereA is a type introduced by the correspondingformation rule,C is a constructor or term-constructor,a1, . . . , an are terms.


Introduction Rule, Example 1aThe set NatList of lists of natural numbers withformation rule

NatList : Set (NatList-F)

has two introduction rules:

nil : NatList (N-Inil)

n : N l : NatList (NatList-Icons)cons(n, l) : NatList


Introduction Rule, Example 1bWe generalise the previous example to lists of arbitrarytype.

Lists of type A have two introduction rules:

A : Set (List-Inil)nilA : List(A)

a : A l : List(A)(List-Icons)

consA(a, l) : List(A)

In case of the rule for nil, we needed the premiseA : Set in order to guarantee that we can form the typeList(A).

In case of the rule for cons, this premise is implicit inthe premise a : A.


Conflicting ConstructorsWe shouldn’t use the same constructors for differentsets. So if we want to use both NatList and List(A), wehave to choose a notation like natnil instead of nil : N,similarly for cons.

We will usually ignore this distinction, if it doesn’t causeconfusion.


Example 2: Natural Numbers.The natural numbers N can be considered as beingformed from two operations:

0,S where S(n) = n + 1.

Using these two operations we can form 0, S(0) = 1,S(1) = 2, . . . and therefore all natural numbers.

So the constructors of N are 0 and S.

The introduction rules of N are:

0 : N (N-I0)

n : N (N-IS)S(n) : N


Canonical Elements:::::::::::::

Canonical::::::::::::

elements of a type are those introduced byan introduction rule.

Canonical elements therefore always start with aconstructor.

Examples:0, S(2 + 3) in case of N.

Here 2 stands for S(S(0)) and 3 for S(S(S(0))).nil, cons(1 + 1, concat cons(0, nil) nil) in case ofNatList.


Non-Canonical ElementsTerms can usually be reduced further

Example:

2 + 3 = 2 + S(2) −→ S(2 + 2) .

The underlying reduction system is essentially a termrewriting system combined with the λ-calculus.

Therefore we can apply reductions to subterms.

A term is a::::::::::::::::::

non-canonical:::::::::::

element of a type, if itreduces to a canonical element of that type.

Each element of a type (depending on the emptycontext) in dependent type theory will either be acanonical or a non-canonical element of that type.

Consequence of the normalisation theorem.


Non-Canonical ElementsE.g. 2 + 3 is a non-canonical element of N, sinceS(2 + 2) is a canonical element of N.

However, we have

x : N⇒ x : N

and x doesn’t reduce to a canonical element of N.However, if we substitute for x any closed element ofN, we get a canonical or non-canonical element of N.


Constructors in AgdaIn Agda the constructor C of type A is written as C@(A).

If A can be inferred automatically, we can replace theabove by C@_.

As type-constructors, in Agda constructors are as independent type theory with the logical framework,i.e. we have

nil@(List N) :: List N

cons@(List N) :: (n :: N)

→ (l :: List N)

→ List N


Constructors in AgdaSince notations like nil@(List N) are usually toocumbersome, it is better to introduce abbreviations:

nil :: List N

= nil@_

cons (n :: N)

(l :: List N)

:: List N

= cons@_ n l

Note that the above introduces nil, cons for List N, andnot for the general case List A for any type A. (Thatwould require an extra argument A : Set).


(3) Elimination RulesElimination rules allow to take an element of a typeand compute from it an element of another type.

Example 1: The introduction rule for the non-dependentproduct is

a : A b : B (×-I)〈a, b〉 : A×B

The elimination rules are the first and secondprojections:

c : A×B(×-El0)

π0(c) : A

c : A×B(×-El1)

π1(c) : B

The equality rules will express π0(〈a, b〉) = a,π1(〈a, b〉) = b.


Example 2: Addition in N

n : N m : N (N-El+)n + m : N

Equality rules will expressn + 0 = n.n + S(m) = S(n + m).

The equality rules show that n is only a parameter,we are eliminating the second argument m.Proceeding like this would require one eliminationrule for each function from N we want to define.Instead we will later introduce one generalelimination rule, which will allow to introduce allfunctions we expect to be definable, including allprimitive-recursive ones.


Elimination vs. Introduction RulesElimination rules invert the introduction rules.

In case of A×B, the canonical elements are of theform 〈a, b〉 for a : A, b : B.

A non-canonical element of type A×B mustreduce to a canonical element.


Elimination in AgdaElimination for builtin types has special notation.

For user defined types, elimination is realized bycase distinction.

Example: Definition of addition in N:

(+) (n,m :: N)

:: N

= case m of

(Z)→ n;

(S m′)→ S (n + m′)


(4) Equality RulesThe canonical element for an element, which is theresult of an elimination, can always be computed asfollows:

Reduce the element to be eliminated to canonicalform.Then make one reduction step (Red).The result will be a canonical or non-canonicalelement of the target type.Reduce it to canonical form.

For instance in case of A×B, (Red) are the reductionsπ0(〈a, b〉) −→ a.π1(〈a, b〉) −→ b.


Equality RulesIn case of (+), (Red) are the reductions

n + 0 −→ n.n + S(m) −→ S(n + m).Note that the second argument is the argumentwhich we are “eliminating”.

So the computation of 0 + (1 + 1) is as follows:

0+(1+1) = 0+(S(0)+S(0)) −→ 0+S(S(0+0)) −→ S(0+S(0+0))

The result is already in canonical form (but not innormal form since it can be reduced further).


Equality RulesEquality rules express (Red) type theoretically.

They describe what happens, if onefirst introduces an element and then immediatelyeliminates it.


Example (Equality Rule)The first equality rule for A×B is as follows:

a : A b : B (×-Eq0)π0(〈a, b〉) = a : A

In the first judgement we can derive π0(〈a, b〉) : A asfollows:

a : A b : B (×-I)〈a, b〉 : A×B

(×-El0)π0(〈a, b〉) : A

So it is derived by first introducing 〈a, b〉 and theneliminating it immediately.

The equality rule explains how to reduce that element(namely to a : A).


Example (Equality Rule, Cont)The second equality rule for × is similar:

a : A b : B (×-Eq1)π1(〈a, b〉) = b : B


Example 2 (Equality Rule)The first equality rule for + is as follows:

n : N (N-Eq+,0)n + 0 = n : N

n + 0 : N can be derived by first introducing 0 : N andthen by eliminating it using +.

(The right hand side is an axiom, the left hand sidehas to be concluded using some derivation.)

n : N 0 : N (N-El+)n + 0 : N

The equality rule explain how to reduce n + 0.


Example 3 (Equality Rule)The second equality rule for + is a s follows:

n : N m : N (N-Eq+,S)n + S(m) = S(n + m) : N

n + S(m) : N can be derived by first introducing S(m) : Nand then by eliminating it using +:

n : N

m : N (N-IS)S(m) : N

(N-El+)n + S(m) : N


Equality Rules in AgdaEquality Rules in Agda are implicit.

The notation for elimination however indicates alreadyhow the reductions take place.

(+) (n,m :: N)

:: N

= case m of

(Z)→ n;

(S m′)→ S (n + m′)

Functions corresponding to elimination are defined bytelling how elimination operates.


Equality Versions of the RulesWe have equality versions of the formation,introduction, and elimination rules.

These express: if we replace the terms in thepremises by equal ones, we obtain equal results.

Example: Equality version of the formation rule for List:

A = B : Set (List-F=)List(A) = List(B)

Example: Equality version of the formation rule for N(degenerated):

N = N : Set (N-F=)


Equality Versions of RulesExample: Equality version of the introduction rules forList (rule for nil is degenerated):

A : Set (List-I=nil)nilA = nilA : List(A)

a = a′ : A l = l′ : List(A)(List-I=cons)

consA(a, l) = consA(a′, l′) : List(A)

Example: Equality version of the elimination rule for(+), N:

n = n′ : N m = m′ : N (N-El=+)n + m = n′ + m′ : N


Equality Versions of RulesThe equality versions of the rules in questions can beformed in a straight-forward way, once one knowsthe non-equality version.

We will often not mention them.

In Agda they are implicit (part of the reductionmachinery).


(b) Nondep. Funct. Type and ProductWe introduce in the following non-dependent versions of the

product and the function type.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 264

The Non-Dependent Product

Formation Rule A : Set B : Set (×-F)A×B : Set

Introduction Rule a : A b : B (×-I)〈a, b〉 : A×B

Elimination Rulesc : A×B

(×-El0)π0(c) : A

c : A×B(×-El1)

π1(c) : B

Equality Rules a : A b : B (×-Eq0)π0(〈a, b〉) = a : A

a : A b : B (×-Eq1)π1(〈a, b〉) = b : B


The η-RuleThe η-rule does not fit into the above schema:

c : A×B(×-η)

c = 〈π0(c), π1(c)〉 : A×B


Equality Versions of the ×-RulesEquality Version of the Formation Rule

A = A′ : Set B = B′ : Set (×-F=)A×B = A′ ×B′ : Set

Equality Version of the Introduction Rule

a = a′ : A b = b′ : B (×-I=)〈a, b〉 = 〈a′, b′〉 : A×B

Equality Versions of the Elimination Rules

c = c′ : A×B(×-El=0 )

π0(c) = π0(c′) : A

c = c′ : A×B(×-El=1 )

π1(c) = π1(c′) : B


The Product in AgdaIn Agda, the product is represented as a record type.

Assume we have introduced A,B :: SetThen we can introduce the record type

D :: Set

= siga :: A; b :: B

One can introduce longer record types as well, e.g.

siga :: A; b :: B; c :: C; e :: E


The Product in AgdaD = siga :: A; b :: B

Elements of a record type are introduced as follows:Assume we have a′ :: A, b′ :: B.Then we can introduce in the above situation

c :: D

= structa = a′; b = b′ :: D


The Product in AgdaD = siga :: A; b :: B

Elimination of elements of the record type is recordselection.Assume d :: D. Then we have

d.a :: A

d.b :: B

If c = structa = a′; b = b′, then we have:

c.a is equal to a′

c.b is equal to b′


The Product in AgdaUnfortunately, the builtin product (record type) in Agdadoes not behave very well.

This is due to the fact that Agda doesn’t support theη-rule.In this setting η-equality would assert that if

c :: siga :: A; b :: B

thenc = structa = c.a; b = c.b

In most cases one can avoid this, by using theinductively defined Σ-type, which will be treated later.


Problem of the η-RuleThe exact problem of the missing η-rule is as follows:

Assume we have s :: siga :: N; b :: N.If we then make case distinction on s.a : N, we knowin case of s.a = Z not that s = structa = Z; b = s.b.

This is since we don’t know without the η-rule,whether s = structa = s.a; b = s.b.If we had the η-rule we would gets = structa = s.a; b = s.b = structa = Z; b = s.b

If we use instead of sig the inductively definedproduct, we can make case distinction on anelement, e.g. s = p a b, and if we then make casedistinction on a, we get in case a = Z, that s = p Z b.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 271a

Expensiveness of the η-RuleThe reason for not having the η-rule is that it iscomputationally expensive.

Whether we can expand s to structa = s.a; b = s.bdepends on, whether s :: siga :: A; b :: B.All other reductions can be applied to terms withoutknowing the exact type of the term –in case of η, we need to know this type.So, in order to allow η-rule as part of the reductionsystem, we need to carry along with each term (andas well with each subterm) its type, which requiresan enormous additional overhead.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 271b

Indentation SensitivityFor sig, struct and some other constructs to beintroduced later (let, case, packages, probably somemore) there are two versions for determining the scopeof the construct:

Using “” and “”.The scope is what is enclosed in those brackets.The selections must be separated by “;”.In case of let (see below), “” and “” can beomitted.For instancestructa = a0; b = b0 :: siga :: A; b :: B


Indentation SensitivityUsing indentation.

The scope are the following lines which areindented more than the keyword “struct”, “sig” etc.The first characters in each line must be indentedin the same way as the first line following the“struct”, “sig” etc.What forms the definition, must be more indentedthan the rest.Example:siga :: Ab :: B

is the indentation sensitive version ofsiga :: A; b :: B.

Both versions are equivalent.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 273

Indentation SensitivityInternally, first the indentation sensitive version istranslated to a version using curly brackets and then itis type checked.

Error messages refer to the version using curlybrackets.

One has to interpret such error messages as if one hadactually written a version using curly brackets, even ifone is using indentation sensitivity.


IntroUsually, we don’t have to spell out

structa = a′; b = b′

in full.

Assume we have a goal, the type of which is a sig-type,e.g.

AB :: Set = siga :: A; b :: B

ab :: AB = ! !


IntroAB :: Set = siga :: A; b :: B

ab :: AB = ! !

Then, when the point is inside the goal, we can usegoal-menu Intro and obtain:

ab :: AB = struct

a = ! !

b = ! !


Let expressions in AgdaWhen introducing products, let expressions are oftenuseful.They allow to introduce temporary variables.

Let-expressions have the form

let a1 :: A1

= s1

a2 :: A2

= s2

· · ·

an :: An

= sn

in t


Let expressions in Agda (Cont.)This means that we introduce new local constantsa1 :: A1 = s1,a2 :: A2 = s2,. . .,an :: An = sn,which can now be used locally.

si can refer to all aj defined before, including ai itself,i.e. it can refer to a0, . . . , ai.

Reference to ai might result in non-termination;termination will be discussed below.


Let expressions in Agda (Cont.)If we are in a goal, we can use the goal menuMake let expression.

We have to insert into the goal the variables,separated by blanks, e.g. “a1 a2 · · · an”.Agda will construct a template of the form:

let a1 :: ! !

= ! !

a2 :: ! !

= ! !

· · ·

an :: ! !

= ! !

in ! !Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 278

Simple ExampleThe following function computes (n + n) ∗ (n + n) for n :: N:

f (n :: N)

:: N

= let m :: N

= n + n

in m ∗m

See exampleLetExpression.agdaNote that this version is computationally cheaper than thefunction computing directly (n + n) ∗ (n + n):

Using let, n + n is computed only once,

without let, we have to compute it twice.


Example Using the ProductAs an example we want to define in Agda, dependingon functions a_c : A→ C, b_d : B → D and an elementab : A×B and element f(ab, a_c, b_d) : C ×D.

This means that f is a function which takes argumentsa_c, b_d and ab as above and returns an element ofC ×D.


Example Using the ProductSo the type of f in Agda is as follows:


CD :: Set = sigc :: C; d :: D

f (a_c :: A→ C)

(b_d :: B → D)

(ab :: AB)

:: CD

= ! !


Example Using the ProductThe idea for this function is as follows:

We first project ab to elements a : A, b : B.Then we apply a_c to a and obtain an element c : C,and b_d to b and obtain an element d : D.Finally we form the pair 〈b, d〉.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279c

Example Using the ProductA diagram is as follows:

ab:A×B

a:A b:B

c′:C d′:D

〈·,·〉

〈c′, d′〉 :C×D

π0 π1

a_c b_d

C × D

a_b c_df a_c b_d

A × B

We will use let-expressions in order to compute theintermediate values a, b, c′, d′.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(b) 279d

Agda Code for the Above


CD :: Set = sigc :: C; d :: D

f (a_c :: A→ C)

(b_d :: B → D)

(ab :: AB)

:: CD

= let a :: A = ab.a

b :: B = ab.b

c′ :: C = a_c a

d′ :: D = b_d b

in structc = c′; d = d′

See exampleLetExpressionSig.agda.


Open ExpressionOpen abbreviates the unpacking of pairs.Assume e :: siga1 :: A1; a2 :: A2; . . .

Then open e use x1 :: A1 = a1,

x2 :: A2 = a2,

. . .

in · · ·

is equivalent to let x1 :: A1 = e.a1;

x2 :: A2 = e.a2;

· · ·

in · · ·


Open ExpressionSo the above example readsf(a_c :: A→ C)(b_d :: B → D)(ab :: AB):: CD= open ab

use a :: A = a,b :: B = b

in let c′ :: C = a_c ad′ :: D = b_d b

in structc = c′; d = d′

See exampleOpenExpression1.agda.


Open ExpressionIf we want to use the selectors directly,i.e. assuming

e :: siga1 :: A1; a2 :: A2; . . .

to use the names a1, a2, . . ., we can write more briefly

open e use a1, a2, . . .

in · · ·


Open ExpressionSo the above example reads more brieflyf(a_c :: A→ C)(b_d :: B → D)(ab :: AB):: CD=open ab use a, bin let c′ :: C = a_c a

d′ :: D = b_d bin structc = c′; d = d′

See exampleOpenExpression2.agda.


Termination CheckerThe type checker in Agda allows recursive definitions.For instance, the following passes the type checker:

a :: A = a

Necessary, since for instance the definition of + isnecessarily recursive, i.e. will make use of +:

(+) (n,m :: N)

:: N

= case m of

Z → n

S m′ → n + m′


Termination Check (Cont.)In order to avoid mistakes, Agda has a builtintermination checker:Menu Check Termination.

One should use this command at the end of asession, in order to avoid black hole recursion.

If the termination check succeeds, all programschecked will terminate.

If the termination check fails, it might still be thecase that all programs terminate.(One cannot write a universal termination checker,since the Turing halting problem is undecidable).


Termination CheckThe termination check can avoid non-obvious mistakes.

Assume for instance we have defined a :: A and b :: B,and AB = siga :: A; b :: B.

If we define

ab :: AB = structa = a; b = b

we havenot defined an element ab s.t. ab.a = a and ab.b = b,but defined an element ab s.t. ab.a = ab.a andab.b = ab.b.That is a black-hole recursion, and will not pass thetermination checker.


Termination CheckEspecially, when later proving theorems, we don’t knowwhether what we have proved is true unless we haveused the termination checker.

Any formula A (which is just a type), whether it istrue or false, can be shown using black-holerecursion by using the following Agda code:

a :: A = a

Only if a theorem has passed the termination checker,we know it holds.


The Non-Dependent Function Type

Formation Rule A : Set B : Set (→ -F)A→ B : Set

Introduction Rule x : A⇒ b : B (→ -I)(λx : A.b) : A→ B

Elimination Rulef : A→ B a : A

(→ -El)f a : B

Equality Rule x : A⇒ b : B a : A (→ -Eq)(λx : A.b) a = b[x := a] : B


β-Reductionb[x := a] was as for the simply typed λ-calculus theresult of substituting in b every occurrence of variable xby the term a (after renaming of bound variables asusual).

The equality rule is a symmetric version of β-reduction

(λx : A.b) a −→ b[x := a]


α-EquivalenceAs for the simply typed λ-calculus, terms which differ inthe choice of bound variables are identified:

E.g. λx : A.x and λy : A.y are identified.E.g. λx : N.x + x and λy : N.y + y are identified.A similar rule applies to bound variables in types(see later).


The η-RuleAgain the η-rule does not fit into the above schema:

f : A→ B(→ -η)

f = (λx : A.f x) : A→ B


Equality Versions of the→-RulesEquality Version of the Formation Rule

A = A′ : Set B = B′ : Set (→ -F=)A→ B = A′ → B′ : Set


x : A⇒ b = b′ : B (→ -I=)λx : A.b = λx : A.b′ : A→ B

Equality Version of the Elimination Rule

f = f ′ : A→ B a = a′ : A(→ -El=)

f a = f ′ a′ : B


The Function Type in AgdaIn Agda one writes A -> C for the nondependentfunction type.We write on our slides→ instead of ->.

There are two ways of introducing an element ofA→ C:

We can writef (x:: A)

:: C= · · ·

Requires the · · · is an element of type C, possiblymaking use of x.

The above introducesf :: A→ C


The Function Type in Agda (Cont.)Alternatively, one can use the λ-notation:

Remember that \ is used instead of λ in Agda.In our slides we will use λ.

The above can be rewritten as

f :: A→ C= λ(x:: A)→ · · ·


Equivalence of the two NotationsBoth ways of introducing functions are equivalent.

One can check this by defining two versions:

postulate A :: Set

f :: A→ A→ A

= λ(a, b :: A)→ a

g (a, b :: A)

:: A

= a

See exampleEquivalenceLambdaNotations.agda


Equivalence of the two NotationsIf one then introduces an arbitrary goal, e.g.

Test :: A− > A− > A

= ! !

inserts into it the value f , uses goal-menuCompute WHNF, (for compute weak head normalform), and does the same with g, one obtains twice thesame result, namely

λ(a, b :: A)→ a

This is a general method for evaluating terms (e.g. forevaluating the result of a applying a function to somearguments).


λ-Notation in AgdaIn most cases, it is easier to use the first way ofintroducing λ-terms.

However, λ-notation allows to introduceanonymous functions (i.e. functions without givingthem names):A typical example from functional programming is themap function, which applies a function to eachelement of a list:

map (λ(x::N)→ S x)(cons two (cons three nil))

The result would becons three (cons four nil)

See exampleMapAppliedToList.agda.


AbbreviationsWe can write

λ(n,m::N)→ · · ·

instead of

λ(n::N)→ λ(m::N)→ · · ·


Abbreviations (Cont.)Similarly we can write

f (n,m::N):: N= · · ·

instead of

f (n::N)(m::N):: N= · · ·


The Function Type in Agda (Cont.)Application has the same syntax as in the rules ofdependent type theory: If we have

f :: A→ B ,

a :: A ,

then we can conclude f a :: B.

And we have that

(λ(x :: A)→ b) a

andb[x := a]

are identified.


η-Rule in Agda (Cont.)In Agda syntax, the η-rule would state that if

f :: A→ B

thenf = λ(x :: A)→ f x .

η-rule is computationally expensive and thereforenot implemented.(This is similar to what was said about the η-rule forthe product).The lack of the η-rule causes sometimesproblems.


IntroWhen introducing λ-terms, there is no need to introducethe λ-term by hand.

Assume for instance the following goal:

f :: A→ A

= ! !

If the position is inside the goal, we can use thegoal-menu Intro, in order to obtain a template for theλ-term:

f :: A→ A

= λ(h :: ! !)→ ! !


SolveWe usually don’t have to introduce the types of theλ-variables, they can usually be solved automaticallyusing Agda-menu Solve.

Applied in the above situation we obtain:

f :: A→ A

= λ(h :: A)→ ! !

It is recommended to rename the automaticallygenerated variable h to something more meaningful:

f :: A→ A

= λ(a :: A)→ ! !


SolveIn some cases, the types inferred can be simplified. Forinstance if we start with

g:: ((A→ A)→ A)→ A

= λ(h :: ! !)→ ! !

we obtain using solve

g:: ((A→ A)→ A)→ A

= λ(h :: (h :: (h :: A)→ A)→ A)→ ! !

which can be simplified to

g:: ((A→ A)→ A)→ A

= λ(a_a_a :: (A→ A)→ A)→ ! !


SolveIn general, solve will solve goals, for which there is onlyone solution in the current context.

Uniqueness is up to equality in Agda, which isequality of the normal forms.Therefore one can often replace the solution givenby Agda by some more readable term, but it willalways be the same term up to equality in Agda.


Common ContextsThe convention is that all rules can as well beweakened by a common context.

This means that when introducing a rule

Γ1 ⇒ θ1 · · · Γn ⇒ θn

Γ⇒ θ

we implicitly introduce as well the following rules

∆,Γ1 ⇒ θ1 · · · ∆,Γn ⇒ θn

∆,Γ⇒ θ

This convention will not apply to the context rules(Context0) and (Context1) (see later).


ExampleFor instance, the formation rule of ×:

A : Set B : Set (×-F)A×B : Set

can be weakened as follows:

Γ⇒ A : Set Γ⇒ B : Set (×-F)Γ⇒ A×B : Set


Example (Cont.)Consider the sample derivation (assuming A : Set):

x : A, y : A⇒ y : A(→ -I)

x : A⇒ (λy : A.y) : A→ A(→ -I)

(λx : A.λy : A.y) : A→ A→ A

The first rule used is the rule for λ-introduction,weakened by the context x : A.

The second rule used is the rule for λ-introductionwithout any weakening.


Weakening of AxiomsIf we have an axiom

θ

for any judgement θ

e.g. θ = N : Set or θ = 0 : N

and we want to weaken it by context Γ, we need tomake sure that Γ⇒ Context holds.

So we need in the weakened form one additionalpremise:

Γ⇒ ContextΓ⇒ θ


ExampleThe formation rule for N

N : Set

will be weakened as follows:

Γ⇒ ContextΓ⇒ N : Set


(c) Structural Rules

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(c) 309

Context RulesThe empty context

∅ ⇒ Context (Context0)

Extending a context

Γ⇒ A : Set (Context1)Γ, x : A⇒ Context

(where in the last rule x must not occur in Γ).

The convention that rules can be weakened by acommon context does not apply to the rules (Context0)and (Context1).


Example Derivation (Context Rules)We assume the following formation rule for the type ofnatural numbers:

N : Set (N-F)

With this rule, following the convention on slide ??,we have as well introduced the rules

Γ⇒ Context (N-F)Γ⇒ N : Set


Example Derivation (Context Rules)

The following derives x : N, y : N, z : N⇒ Context(Note that N : Set is the same as ∅ ⇒ N : Set):

N : Set (Context1)x : N⇒ Context (N-F)x : N⇒ N : Set (Context1)

x : N, y : N⇒ Context(N-F)

x : N, y : N⇒ N : Set(Context1)

x : N, y : N, z : N⇒ Context


Assumption Rule

Γ, x : A,Γ′ ⇒ Context(Ass)

Γ, x : A,Γ′ ⇒ x : A


Example Deriv. (Assumpt. Rule)We extend the derivation of slide ?? to a derivation ofx : N, y : N, z : N⇒ y : N:

x : N, y : N, z : N⇒ Context(Ass)

x : N, y : N, z : N⇒ y : N

Similarly we can derive x : N, y : N, z : N⇒ z : N:


x : N, y : N, z : N⇒ z : N


Example Deriv. (Assumpt. Rule)

The full derivation of first judgement on the previousslide is as follows:

N : Set (Context1)x : N⇒ Context (N-F)x : N⇒ N : Set (Context1)

x : N, y : N⇒ Context(N-F)

x : N, y : N⇒ N : Set(Context1)


x : N, y : N, z : N⇒ y : N


Assumption Rule in AgdaWhen we define a function:

f (a::A)::B= ! !

we can make use of a :: A when solving the goal! !.

This is an application of the assumption rule:When solving ! ! we essentially defineunder the assumption a :: A an element ! ! :: B.


Assumption Rule in Agda (Cont.)

The above corresponds to a derivation

a : A⇒ ! ! : B(→ -I)

(λa : A.! !) : A→ B

If B is equal to A we can use the assumption ruledirectly

a : A⇒ a : A (→ -I)(λa : A.a) : A→ A

in order to solve this goal.


Assumption Rule in Agda (Cont.)

More generally we might in the derivation ofa : A⇒ ! ! : B make anywhere use of a : A, as longas this is in the context.

· · · (Ass)a : A⇒ a : A

···

a : A⇒ s : B (→ -I)(λa : A.s) : A→ B


Assumption Rule in Agda (Cont.)Similarly, when solving the goalf :: A→ B= λ(a :: A)→ ! !

in ! ! we can make use of a :: A.In fact when solving the above, we implicitly use therule

a : A⇒ ! ! : B(→ -I)

(λa : A.! !) : A→ B

So we have to solve a : A⇒ ! ! : B in order toderive

(λa : A.! !) : A→ B


Weakening Rule

Γ,Γ′ ⇒ θ Γ,∆,Γ′ ⇒ Context(Weak)

Γ,∆,Γ′ ⇒ θ

θ:

stands for an arbitrary non-dependent judgement.

This rule allows to add an additional context piece(∆) to the context of a judgement.

The judgement Γ,Γ′ ⇒ θ is:::::::::::::

weakened by ∆.


Weakening Rule (Cont.)

Remark: One can in fact show that the weakening rulecan be weakly derived.

:::::::::

Weakly:::::::::::

derived means: whenever the assumptionsof the rule can be derived in the complete set ofrules we provide, then as well the conclusion.However, this can’t be derived from the premise theconclusion directly.

An exception is when we additionally assume somejudgements for instance A : Set (corresponding to“postulate” in Agda).

Then Γ⇒ A : Set doesn’t follow without theweakening rule.


Example Deriv. (Weak. Rule)We derive a : A, b : B ⇒ a : A from global assumptionsA : Set, B : Set:

A:Set (Context1)a:A⇒Context (Ass)

a:A⇒a:A

B:Set

A:Set (Context1)a:A⇒Context (Weak)

a:A⇒B:Set (Context1)a:A,b:B⇒Context

(Weak)a:A,b:B⇒a:A


Example Deriv.2 (Weak. Rule)We derive x : A→ (B × C), a : A⇒ x : A→ (B × C)from global assumptions A : Set, B : Set, C : Set:

A : Set

A : Set

B : Set C : Set (×-F)B × C : Set

(→ -F)A→ (B × C) : Set

(Context1)x : A→ (B × C)⇒ Context

(Weak)x : A→ (B × C)⇒ A : Set

(Context1)x : A→ (B × C), a : A⇒ Context

(Ass)x : A→ (B × C), a : A⇒ x : A→ (B × C)


General Equality Rules

::::::::::::::

ReflexivityA : Set (ReflSet)

A = A : Set

a : A (ReflElem)a = a : A

(Reflexivity can be weakly derived, except for globalassumptions).:::::::::::::

SymmetryA = B : Set (SymSet)B = A : Set

a = b : A (SymElem)b = a : A


General Equality Rules (Cont.)

::::::::::::::

Transitivity

A = B : Set B = C : Set (TransSet)A = C : Set

a = b : A b = c : A (TransElem)a = c : A

:::::::::::

Transfer

a : A A = B : Set (TransferSet)a : B

a = b : A A = B : Set (TransferElem)a = b : B


Example Deriv. (Gen. Equal. Rules)

N:Set(Context1)

y:N⇒Context(Ass)

y:N⇒y:N(N-Eq+,0)

y:N⇒y+0=y:N

N:Set(Context1)

y:N⇒Context(N-F)

y:N⇒N:Set(Context1)

y:N,x:N⇒Context(Ass)

y:N,x:N⇒x:N

N:Set(Context1)

y:N⇒Context(Ass)

y:N⇒y:N(→-Eq)

y:N⇒(λx:N.x) y=y:N(SymElem)

y:N⇒y=(λx:N.x) y:N(TransElem)

y:N⇒y+0=(λx:N.x) y:N(→-I=)

(λy:N.y+0)=(λy:N.(λx:N.x) y):N→N


Example Deriv. (Gen. Equal. Rules)In the previous derivation, the most complicated stepwas:

y : N, x : N⇒ x : N y : N⇒ y : N

y : N⇒ (λx : N.x) y = y : N

This is an example of the equality rule for thenon-dependent function type (slide ??):

x : A⇒ b : B a : A (→ -Eq)(λx : A.b) a = b[x := a] : B

with A := B := N, b := x, a := y.Therefore b[x := a] = y.

This instance of the rule was weakened by anadditional context y : N.


Example Deriv. (Gen. Equal. Rules)

Note that from the premises of that rule

y : N, x : N⇒ x : N y : N⇒ y : N

y : N⇒ (λx : N.x) y = y : N

we can derive using the introduction and eliminationrule

y : N⇒ (λx : N.x) y : N

as follows:

y : N, x : N⇒ x : N

y : N⇒ (λx : N.x) : N→ N y : N⇒ y : N

y : N⇒ (λx : N.x) y : N


Example Deriv. (Gen. Equ. Rules)

The equality rule expresses how the function λx : N.xapplied to y is evaluated as follows:

We evaluate the body of the function (x) by settingfor x the argument of the function (y).This is the same as substituting in the body for x theargument of the function, i.e. y.

This explains how the detour above of first introducingand then eliminating an expression can be reduced(namely to y or in general to b[x := a]).


Substitution RulesThe following rules can be weakly derived:

Substitution 1

Γ, x : A,Γ′ ⇒ θ Γ⇒ a : A(Subst1)

Γ,Γ′[x := a]⇒ θ[x := a]

(Γ′[x := a] is the result of substituting in Γ′ all occurrences ofx by a).

Substitution 2

Γ, x : A,Γ′ ⇒ B : Set Γ⇒ a = a′ : A(Subst2)

Γ,Γ′[x := a]⇒ B[x := a] = B[x := a′] : Set


Substitution RulesSubstitution 3

Γ, x : A,Γ′ ⇒ b : B Γ⇒ a = a′ : A(Subst3)

Γ,Γ′[x := a]⇒ b[x := a] = b[x := a′] : B[x := a]


Example Deriv. (Substitution)···

(Ass)

x:N,y:N⇒x:N

···(Ass)

x:N,y:N⇒y:N(N-I+)

x : N, y : N⇒ x + y : N 0 : N(Subst1)

y : N⇒ 0 + y : N(→-I)

(λy : N.0 + y) : N→ N


Example Deriv. 2 (Substitution)

···z:N,x:N,y:N⇒x+y:N

N:Set (Context1)z:N⇒Context (N-F)z:N⇒N:Set (Context1)

z:N,u:N⇒Context(Ass)

z:N,u:N⇒u:N(N-IS)

z:N,u:N⇒S(u):N

N:Set (Context1)z:N⇒Context (Ass)

z:N⇒z:N (N-Eq0)z:N⇒z+0=z:N

(Subst3)z:N⇒S(z+0)=S(z):N

(Subst3)z:N,y:N⇒(S(z)+0)+y=S(z)+y:N

(→-I=)z:N⇒(λy:N.(S(z)+0)+y)=(λy:N.S(z)+y):N→N

(→-I=)(λz:N.λy:N.(S(z)+0)+y)=(λz:N.λy:N.S(z)+y):N→N→N


(d) Dep. Funct. Set and ProductWe introduce in the following the dependent versions of the

product and the function type.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 334

The Dependent ProductThe dependent product is similar as the non-dependentproduct (e.g. A×B), but now the second set dependson an element of the first set.

The type theoretic notation is

(a : A)×B

Elements of (a : A)×B are pairs

〈a′, b′〉

s.t.a′ : A

b′ : B[a := a′].


Example 1 (Dep. Products)One example for its use are the set of sorted lists:

Sorted(l) is a predicate on NatList expressing that l issorted.An element of

SortedList := (l : NatList)× Sorted(l)

is a pair〈l, p〉

s.t.l : NatList,p : Sorted(l), i.e. p is a proof that l is sorted.

So elements of SortedList are lists l together with aproof that l is sorted.


Example 2 (Dep. Products)Let G be the set of genders,informally written

G = male, female .

Let for g : G the setNames g

be the collection of names of that gender, e.g.informally written

(Names male) = Tom, Jim,(Names female) = Jill, Sara.


Example 2 (Dep. Products)The set of names with their gender is the set of pairs〈g, n〉 s.t. g is a Gender and n : (Names g).

This set is written as

AllNames := (g : G)× (Names g)


Rules of the Dependent Product

Formation Rule

A : Set x : A⇒ B : Set (×-I)(x : A)×B : Set

Introduction Rule

x : A⇒ B : Set a : A b : B[x := a](×-I)

〈a, b〉 : (x : A)×B


ExampleAssuming we have defined the set of genders G : Setand the set of names g : G⇒ (Names g) : Set, we canintroduce the set

AllNames := (g : G)× (Names g) : Set

by using the formation rule:

G : Set g : G⇒ (Names g) : Set(×-I)

(g : G)× (Names g) : Set

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 339a

Extra Premise in the Introd. RuleIn the last introduction rule, an extra premisex : A⇒ B : Set was required.

This is required in order to guarantee that we canform the type (x : A)×B.In case of the non-dependent product, this premisewas not necessary:a : A and b : B indirectly implies that we know A : Setand B : Set from which it follows A×B : Set.


ExampleFurthermore we can introduce

〈male,Tom〉 : AllNames

as follows:

g : G⇒ (Names g) : Set male : G Tom : (Names male)(×-I)

〈male,Tom〉 : (g : G)× (Names g)

Note that we need the premise

g : G⇒ (Names g) : Set

Otherwise we only know that (Names male) : Set, but notthat (Names female) : Set.


ExampleNote that we don’t have

〈female,Tom〉 : AllNames

since we don’t have

Tom : (Names female)

So here dependent types prevent errors. In an ordinaryprogramming language without dependent types, wecan’t define a corresponding type AllNames whichallows at compile time to define

〈male,Tom〉 : AllNames

but not〈female,Tom〉 : AllNames

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 340b

Rules of the Dependent ProductElimination Rules

c : (x : A)×B(×-El0)

π0(c) : A

c : (x : A)×B(×-El1)

π1(c) : B[x := π0(c)]

Equality Rules

x : A⇒ B : Set a : A b : B[x := a](×-Eq0)

π0(〈a, b〉) = a : A

x : A⇒ B : Set a : A b : B[x := a](×-Eq1)

π1(〈a, b〉) = b : B[x := a]

Note that the last two rules require the extra premise x : A⇒

B : Set (which is not implied by the premises).


ExampleIn the “Names-example we have that, if a : AllNames,then π0(a) : G and π1(a) : (Names π0(a)):

a : (g : G)× (Names g)(×-El0)

π0(a) : G

a : (g : G)× (Names g)(×-El1)

π1(a) : (Names π0(a))


Rules of the Dependent ProductWe have the following η-rule:

c : (x : A)×B(×-η)

c = 〈π0(c), π1(c)〉 : (x : A)× C

As before, the η-rule expresses that every element of(x : A)×B is of the form 〈something0, something1〉.

The η-rule cannot be derived, if the element in questionis a variable.


Equality Versions of the aboveEquality Version of the Formation Rule

A = A′ : Set x : A⇒ B = B′ : Set (×-F=)(x : A)×B = (x : A′)×B′ : Set


x : A⇒ B : Set a = a′ : A b = b′ : B[x := a](×-I=)

〈a, b〉 = 〈a′, b′〉 : (x : A)×B

Equality Versions of the Elimination Rules

c = c′ : (x : A)×B(×-El=0 )

π0(c) = π0(c′) : A

c = c′ : (x : A)×B(×-El=1 )

π1(c) = π1(c′) : B[x := π0(c)]


The Non-Dep. Product as an Abbrev.The non-dependent product A×B can now be seen asan abbreviation for (x : A)×B for some fresh variablex.

Taking A×B as an abbreviation, we can see that therules for the non-dependent product are specialcases of the rules for the dependent product.


The Non-Dep. Product as an Abbrev.More precisely this can be seen as follows:

From A : Set and B : Set we can derivex : A⇒ B : Set using the weakening rule.Therefore the premises of the formation rule forthe non-dependent product imply those of theformation rule for the non-dependent product.From a derivation of a : A we can derive A : Set (weneed the concept of presupposition for that, asintroduced later).Therefore the premises of the introduction rule forthe non-dependent product imply those of thedependent product.Similarly for the elimination, equality and η-rule.


The Dependent Product in AgdaIn Agda, the record type allows already dependenciesof later sets on previous ones:

Assume A :: Set, and B :: Set, posssibly dependingon a :: A.Then we can form siga :: A; b :: B.Elements of this type can be introduced in the sameway as before, i.e. if a′ :: A and b′ :: B[a := a′] then wecan form

structa = a′; b = b′ :: siga :: A; b :: B .

Note that b′ :: B[a := a′], so the type of b′ depends ona′.Furthermore, if c : siga :: A; b :: B, then c.a :: A andc.b :: B[a := c.a].


The “Names”-Example in AgdaAlthough we haven’t introduced yet a notation foralgebraic data types, the following is readable for thosefamiliar with Haskell:

data G = male | female

data maleNames = Tom | Jim

data femaleNames = Jill | Sara


The “Names”-Example in Agda

Names (g :: G):: Set= case g of

(male) → maleNames(female) → femaleNames

AllNames :: Set= sig

g :: Gn :: Names g

See exampleAllNames.agda.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(d) 349

The “Names”-Example in AgdaNote that in the above example we have

Names male = maleNames = data Tom | JimNames female = femaleNames = data Jill | Sara

Further we have for instance

structg=male,n=Tom :: AllNames

whereas we don’t have

structg=male,n=Jill :: AllNames


The Dependent Function SetIn the presence of dependent types we have as well adependent function set, where the type of the resultdepends on the argument of the function.

Notation: (x : A)→ B, for the set of functions f whichmap an element a : A to an element of B[x := a].

In set-theoretic notation this is:

f | f function

∧dom(f) = A

∧∀a ∈ A.f(a) ∈ B[x := a]


Example (Dep. Function Set)Consider the “Names example” as above(G : Set set of genders, Names g set of names for genderg).

Define

select : (g : G)→ (Names g)

select male = Tom

select female = Jill

select selects for every gender a name.

select male will be an element of(Names male) = (Names g)[g := male].

It wouldn’t make sense to say (select male) : (Names g),without knowing what g is.


Example (Dep. Function Set)Note that for instance we don’t have

(λg : G.Tom) : (g : G)→ (Names g)

since we don’t have

((λg : G.Tom) female) : (Names female)


Rules of the Dep. Funct. SetFormation Rule

A : Set x : A⇒ B : Set (→ -F)(x : A)→ B : Set

Introduction Rule

x : A⇒ b : B (→ -I)(λx : A.b) : (x : A)→ B


Rules of the Dep. Funct. SetElimination Rule

f : (x : A)→ B a : A(→ -El)

f a : B[x := a]

Equality Rule

x : A⇒ b : B a : A (→ -Eq)(λx : A.b) a = b[x := a] : B[x := a]


The η-RuleThe η-rule has a special status:

η-Rule

f : (x : A)→ B(→ -η)

f = (λx : A.f x) : (x : A)→ B

As before, the η-rule expresses that every element of(x : A)→ B is of the form λx : A.something.

The η-rule cannot be derived, if the element in questionis a variable.


Equality Versions of the aboveEquality Version of the Formation Rule

A = A′ : Set x : A⇒ B = B′ : Set (→ -F=)(x : A)→ B = (x : A′)→ B′ : Set


x : A⇒ b = b′ : B (→ -I=)(λx : A.b) = (λx : A.b′) : (x : A)→ B

Equality Version of the Elimination Rule

f = f ′ : (x : A)→ B a = a′ : A(→ -El=)

f a = f ′ a′ : B[x := a]


Non-Dep. Funct. Set as an Abbrev.The non-dependent function type

A→ B

can be regarded as an abbreviation for thedependent function type

(x : A)→ B ,

where B does not depend on x.

As for the product one can see that the rules for thenon-dependent function set are special cases of therules for the dependent function set.


The Dep. Function Set in AgdaWe have seen that the non-dependent function type iswritten as A→ B in Agda.

The notation for the dependent function set is(x:: A)→ C.


The Dep. Function Set in AgdaElements of (x :: A)→ C are introduced as before byusing

either λ-abstraction, i.e.λ(x :: A)→ t :: (x :: A)→ B.

Requires that t :: B depending on x :: A.Note that the type B of t depends on x :: A.

or by writingf(x :: A) :: C = · · ·

Elimination is application using the same notation asbefore.

E.g., if f :: (x :: A)→ C and a :: A, thenf a :: C[x := a].


The Dep. Function Set in AgdaInternally, Agda has only the dependent function set.

That’s why one often sees in code generated by Agda(e.g. when showing context, when using solve) types ofthe form

(h :: A)→ B

where one could use as well

A→ B


AbbreviationsWe can write

(n,m::N)→ A(n,m)

instead of

(n::N)→ (m::N)→ A(n,m)


The “select”-Name Example in AgdaHere follows the code for the select-Name example inAgda, which should be readable for those familiar withHaskell:

data G = male | female

data maleNames = Tom | Jim

data femaleNames = Jill | Sara


The “select”-Name Example in Agda

Names (g :: G):: Set= case g of

(male) → maleNames(female) → femaleNames

select :: (g:: G)→ Names g= λ (g:: G)→ case g of

(male) → Tom(female) → Jill

See exampleNamesFunction2.agda.


The “select”-Name Example in AgdaAn attempt to define select s.t. select male is not inmaleNames, e.g.

select male = Jill

or that select female is not in femaleNames, e.g.

select female = Tom

will result in a type error.


(e) Derivations vs. Agda CodeIn this subsection we look at the relationship betweenAgda code and the corresponding derivations.

We consider various examples.First we will go through the development of theAgda code.Then we will look at, how the correspondingderivations are developed, following each step inthe development of the Agda code.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(e) 363

Example 1We want to derive in Agda

λ(a :: A).a :: A→ A

(See example file exampleIdentity.agda)

Step 1:We need to introduce the type A first.Since we want to to have the definition for anarbitrary type A, we postulate (i.e. assume) one typeA:

postulate A :: Type


Example 1 (Cont.)Step 2: We state our goal:

f :: A→ A

= ! !

Agda is an indentation-sensitive language.The complete definition of f must be intendedotherwise Agda regards this as a new definition.


Example 1 (Cont.)Step 3:

We want to derive an element of function typeA→ A.Elements of the function type A→ A are introducedby using λ-terms.If introduced as a λ-term, the term in question will beof the form λ(a :: A)→ something.Agda has a command agda-intro (Intro) which doesthis step automatically.

Has to be executed while the cursor is inside onegoal.


Example 1 (Cont.)Step 3 (Cont)

After executing it we get:

f :: A→ A

= λ(h :: ! !)→ ! !

(The precise Agda code uses \ instead of λ, and− > instead of→).



The first goal, the type of the variable h can besolved automatically.Use agda-solve (Solve )We obtain:

f :: A→ A

= λ(h :: A)→ ! !



It is a good idea to rename the variable tosomething, for instance to a:This can be done by simple editing.

We can always edit the current code.If one wants to edit parts involving goals, one firsthas to execute:agda-restart ( (Re)Start Agda)Then one is in a mode where the goals areconverted to ordinary symbols and can editeverything.At the end of any editing one should execute:agda-load-buffer (Load Buffer)Otherwise the changes will not be known by Agda.



We obtain:f :: A→ A

= λ(a :: A)→ ! !



In order for λ(a :: A)→ ! ! to be of type A→ A,! ! must be of type A.

Then this λ-term computes an element of type Adepending on some a of type A, which means it isa function of type A→ A.So the type of the goal is A.This can be inspected by using the menuagda-goalType-of-meta-reduced(Type of goal (unfolded)),which shows the type of the current goal.· Has to be executed while the cursor is inside

one goal.It shows A.


Example 1 (Cont.)Step 5 (Cont.)

We can inspect the context.The context contains everything we can use whensolving our goal. It contains:

A :: Set.f :: A→ A.See next slide.a :: A.· Since we are defining a an element of type A

depending on a :: A, we can use a.


Termination CheckOn the last slide we had f :: A→ A in the context.

This appears, since the type checker allows to definefunctions recursively, independently of whether therecursion terminates or not.

For the type checker a definition b :: A = b would belegal, although evaluating b doesn’t terminate (blackhole recursion).


Termination Check (Cont.)Agda has a commandagda-term-check-buffer (Check Termination), whichchecks, whether recursive definitions are done properly.

One shoulduse this command at the end of a session, to avoidblack hole recursion.

If the termination check succeeds, all programschecked will terminate.

If the termination check fail, it might still be the casethat all programs terminate.(One cannot write a universal termination checker,since the Turing halting problem is undecidable).



Now everything with:::::::

result:::::::

type A (i.e. which has atthe right side of the arrow A) can be used in order tosolve the goal.

f would result in black-hole recursion.So we take a.

We type in a into the goal and then use the commandagda-refine (Refine)We obtain:

f :: A→ A

= λ(a :: A)→ a

and are done.


Example 1, Using RulesIn Agda step 1 we postulated A :: Set.This corresponds in the rule system, that we canassume A : Set, i.e. can write this down without anyderivation.

In Agda step 2 we stated our goal:

f :: A→ A

= ! !

In terms of rules this means that we want to derivesomething of type A→ A.We write for this something d0 and get as conclusion ofour derivation:

d0 : A→ A


Example 1, Using Rules (Cont.)In Agda step 3 and 4 we replaced ! ! byλ(a :: A)→ ! !:

f :: A→ A

= λ(a :: A)→ ! !

In terms of rules this means that we replace d0 byλ(a : A).d1 which is derived by an introduction rule

a : A⇒ d1 : A

(λa : A.d1) : A→ A


Example 1, Using Rules (Cont.)In Agda step 5 we replaced ! ! in λ(a :: A)→ ! ! bya:

f :: A→ A

= λ(a :: A)→ a

In terms of rules this means that we replace d1 by a.a : A⇒ a : A follows by an assumption rule:

a : A⇒ a : A(λa : A.a) : A→ A

The assumption rule will be discussed later.Essentially it allows to derive if x : B occurs in thecontext that x : B holds.


Example 2We consider a derivation of

λ(x :: (A→ A)→ A).x (λ(a :: A)→ a)

:: ((A→ A)→ A)→ A

(See example exampleSampleDerivation2.agda).

Step 1:We postulate A:

postulate A :: Type

We state our goal:

f :: ((A→ A)→ A)→ A

= ! !



The type of the goal is a function type, and we canuse agda-intro (Intro):We obtain

f :: ((A→ A)→ A)→ A

= λ(h :: ! !)→ ! !

Using agda-solve (Solve ) we obtain:

f :: ((A→ A)→ A)→ A

= λ(h :: (A→ A)→ A)→ ! !


Example 2 (Cont.)Step 2 (Cont.):

We rename the variable h to x and useagda-load-buffer (Load Buffer)so that Agda realizes this change:

f :: ((A→ A)→ A)→ A

= λ(x :: (A→ A)→ A)→ ! !



The type of the new goal is A, which is the resulttype of the function we are defining.The context contains f (for recursive definitions), Aand x.x is a function of result type A. Applying it to itsargument would have as result the type of the goal inquestion.


Example 2 (Cont.)Step 3 (Cont):

Therefore we type into the goal x and useagda-refine (Refine).

Agda will then apply x to as many goals as neededin order to obtain an element of the desired type.In our case it is one (of type A→ A).We obtain

f :: ((A→ A)→ A)→ A

= λ(x :: (A→ A)→ A)→ x ! !



The type of the new goal is A→ A.This is since x :: (A→ A)→ A needs to be appliedto an element of type A→ A in order to obtain anelement of type A.We try agda-intro (Intro) and obtain:

f :: ((A→ A)→ A)→ A

= λ(x :: (A→ A)→ A)→ x (λ(h :: ! !)→ ! !)



Using agda-solve (Solve ) we obtain:

f :: ((A→ A)→ A)→ A

= λ(x :: (A→ A)→ A)→ x (λ(h :: A)→ ! !)

We wanted to define an element of A→ A, so thedomain of the λ term will be A.



We rename h by a, reload the buffer, and obtain:

f :: ((A→ A)→ A)→ A

= λ(x :: (A→ A)→ A)→ x (λ(a :: A)→ ! !)


Example 2 (Cont.)Step 5

The new goal has type A.The complete expression λ(a :: A)→ ! ! shouldhave type A→ A, so ! ! must have type A.

The context contains A :: Set, f , x and a.We can use both x and a here.

There is usually more than one solution forproceeding in Agda.This means that we sometimes have to backtrackand try a different solution.



We try a :: A. After inserting it and usingagda-refine (Refine) we obtain the following and aredone.

f :: ((A→ A)→ A)→ A

= λ(x :: (A→ A)→ A)→ x (λ(a :: A)→ a)


Example 2, Using RulesPostulating A :: Set corresponds to assuming A : Set inthe rules without deriving it.

Stating the goal means that we have as last line of thederivation:

d0 : ((A→ A)→ A)→ A


Example 2, Using RulesThe next step in the Agda-derivation was to replace thegoal byλ(x :: (A→ A)→ A)→ ! !.

This corresponds to replacing d0 byλ(x :: (A→ A)→ A).d1 and having as last step anintroduction rule:

x : (A→ A)→ A⇒ d1 : A

(λx : ((A→ A)→ A).d1) : ((A→ A)→ A)→ A


Example 2, Using RulesThe next step in the Agda-derivation used refine.! ! was replaced by x ! !.

This corresponds to replacing d1 by x d2, and using oneelimination rule in order to derive it:

x:(A→A)→A⇒x:(A→A)→A x:(A→A)→A⇒d2:A→A

x:(A→A)→A⇒x d2:A

(λx:((A→A)→A).x d2):((A→A)→A)→A

The left top judgement can be derived by anassumption rule (more about this later).


Example 2, Using RulesWe then used intro on the goal which was thenreplaced by λ(x :: A)→ ! !.

This corresponds to replacing d2 by λx : A.d3 which canbe introduced by an introduction rule:

x:(A→A)→A⇒x:(A→A)→A

x:(A→A)→A,a:A⇒d3:A

x:(A→A)→A⇒(λa:A.d3):A→A

x:(A→A)→A⇒x (λa:A.d3):A

(λx:((A→A)→A).x) (λa:A.d3):((A→A)→A)→A


Example 2, Using Rules

Finally we used refine with a, which replaced the goalby a.

This corresponds to replacing d3 by a.

x:(A→A)→A⇒x:(A→A)→A

x:(A→A)→A,a:A⇒a:A

x:(A→A)→A⇒(λa:A.a):A→A

x:(A→A)→A⇒x (λa:A.a):A

(λx:((A→A)→A).x) (λa:A.a):((A→A)→A)→A

The right hand derivation can again be derived by anassumption rule (more about this later).


Example 3We derive an element of type

A→ B → AB

where AB is the product of A and B.(See exampleProductIntro.agda).


Example 3 (Cont.)

Step 1:We postulate types A, B:

postulate A :: Set

postulate B :: Set

We introduce the product of A, B:This will be a record with element a : A, b : B.

AB:: Set

= siga :: A;

b :: B


Example 3 (Cont.)

Step 2:Our goal is:

f :: A→ B → AB

= ! !


Example 3 (Cont.)

Step 3:We use intro.

An element of A→ B → AB will be of the form

λ(a′ :: A)→ λ(b′ :: B)→ ! !

which is introduced by two introduction steps.Agda will immediately carry out both of them.We choose to use a′ instead of a, b′ instead of b,since a, b are used as labels of AB.


Example 3 (Cont.)

Step 3 (Cont)After applying intro we get

f :: A→ B → AB

= λ(h :: ! !)→ λ(h′ :: ! !)→ ! !

After applying agda-solve and renaming of variableswe get

f :: A→ B → AB

= λ(a′ :: A)→ λ(b′ :: B)→ ! !


Example 3 (Cont.)

Step 4:The new goal is of type AB which is a record type.An element of it can be introduced by an introductionrule.Elements of type AB introduced by the introductionprinciple will have the form

structa = ! !;

b = ! !


Example 3 (Cont.)

Step 4 (Cont):When using intro we get:

f :: A→ B → AB

= λ(a′ :: A)→ λ(b′ :: B)→ structa = ! !;

b = ! !


Example 3 (Cont.)

Step 5:The first goal has as context:

A,B : Set,AB : Set,f : A→ B → AB,a′ : A,b′ : B,a : A,b : B.

a : A, b : B are the projections of the record we aredefining, which might be used recursively.Using a and b would in our example result innon-termination.


Example 3 (Cont.)

Step 5 (Cont)We insert a, use refine and solve the first goal:

f :: A→ B → AB

= λ(a′ :: A)→ λ(b′ :: B)→ structa = a′;

b = ! !


Example 3 (Cont.)

Step 6:Similarly we can solve the second one:

f :: A→ B → AB

= λ(a′ :: A)→ λ(b′ :: B)→ structa = a′;

b = b′


Example 3, Using RulesThe definition of AB means that AB abbreviates A×B,which can be derived as follows(using assumptions A : Set, B : Set):

A : Set B : SetA×B : Set

We won’t use this however, since it is required for theassumption rules only, the treatment of which will bedelayed until later.


Example 3, Using Rules (Cont.)

Stating the goal corresponds to having as last line ofthe derivation:

d0 : A→ B → (A×B)

Using intro means that we replace d0 byλa′ : A.λb′ : B.d1 which is introduced by two introductionrules:

a′ : A, b′ : B ⇒ d1 : A×B

a′ : A⇒ (λb′ : B.d1) : B → (A×B)

(λa′ : A.λb′ : B.d1) : A→ B → (A×B)



Using intro again means that we replace d1 by 〈d2, d3〉,which can be introduced by an introduction rule:

a′ : A, b′ : B ⇒ d2 : A a′ : A, b′ : B ⇒ d3 : B

a′ : A, b′ : B ⇒ 〈d2, d3〉 : A×B

a′ : A⇒ (λb′ : B.〈d2, d3〉) : B → (A×B)

(λa′ : A.λb′ : B.〈d2, d3〉) : A→ B → (A×B)



Solving the goals by refining them with a′, b′ means thatwe replace d2 by b, d3 by c:

a′ : A, b′ : B ⇒ a′ : A a′ : A, b′ : B ⇒ b′ : B

a′ : A, b′ : B ⇒ 〈a′, b′〉 : A×B

a′ : A⇒ (λb′ : B.〈a′, b′〉) : B → (A×B)

(λa′ : A.λb′ : B.〈a′, b′〉) : A→ B → (A×B)

The premises require an assumption rule (which willuse the derivation of A×B), see later for details.


Example 4We derive an element of type

(A→ BC)→ A→ B

where BC is the product of B and C. (SeeexampleProductElim.agda).


Example 4 (Cont.)

Step 1:We postulate types A, B, C:

postulate A :: Set

postulate B :: Set

postulate C :: Set

We introduce the product of B, C:

BC:: Set

= sigb :: B;

c :: C


Example 4 (Cont.)

Step 2:Our goal is:

f :: (A→ BC)→ A→ B

= ! !


Example 4 (Cont.)

Step 3:We use intro and get (after using agda-solve andrenaming of variables):

f :: (A→ BC)→ A→ B

= λ(x :: A→ BC)→ λ(a :: A)→ ! !


Example 4 (Cont.)

Step 4:The context has no element with result type B(except of f which results in a circular definition).However, x has function type with result type BC,which can be projected to B.We introduce first an element of type BC by alet-expression, and then derive from it the desiredelement of type B:


Example 4 (Cont.)

Step 4 (Cont):Using agda-let (Make let expression) with variablebc we obtain:

f :: (A→ BC)→ A→ B

= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: ! !

= ! !

in ! !


Example 4 (Cont.)

Step 5:We insert as type of variable bc the type BC (usingrefine) and obtain:

f :: (A→ BC)→ A→ B

= λ(x :: A→ BC)→ λ(a :: A)→ let bc :: BC

= ! !

in ! !


Example 4 (Cont.)

Step 6:For solving the first goal (definition of bc) we canrefine x, which has as result type BC.

f :: (A→ BC)→ A→ B


= x ! !

in ! !


Example 4 (Cont.)

Step 7:The new goal can be solved by refining it withvariable a:

f :: (A→ BC)→ A→ B


= x a

in ! !


Example 4 (Cont.)

Step 8:Currently, Agda doesn’t have any direct support forrefining bc to an element of type B.We have to do this by hand, insert bc.b, choose refineand obtain:

f :: (A→ BC)→ A→ B


= x a

in bc.b


Example 4 (Cont.)

In our rule calculus we don’t introduce a let construction(we could add this).

In order to get close to the derivations, we omit in theAgda derivation the let expression, and replace in thebody of it bc by its definition (x a).

We get

f :: (A→ BC)→ A→ B

= λ(x :: A→ BC)→ λ(a :: A)→ (x a).b


Example 4, Using RulesUsing rules we start with our goal

d0 : (A→ (B × C))→ A→ B



The intro step amounts to replacing d0 by

λx : (A→ (B × C)).λa : A.d1

introduced by two applications of an introduction rule:

x : A→ (B × C), a : A⇒ d1 : A

x : A→ (B × C)⇒ (λa : A.d1) : A→ B

(λx : A→ (B × C).λa : A.d1) : (A→ (B × C))→ A→ B



In Agda, we then replace the goal corresponding to d1

by (x a).b.

In our rule calculus, this reads π0(x a).

This can be introduced by two applications ofelimination rules:

x:A→(B×C),a:A⇒x:A→(B×C) x:A→(B×C),a:A⇒a:A

x:A→(B×C),a:A⇒x a:B×C

x:A→(B×C),a:A⇒π0(x a):B

x:A→(B×C)⇒(λa:A.π0(x a)):A→B

(λx:(A→(B×C)).λa:A.π0(x a)):(A→(B×C))→A→B

The two initial judgements can be introduced byassumption rules.


(f) PresuppositionsIn order to derive x : A, y : B ⇒ C : Set we need to show:

A : Set.x : A⇒ B : Set

So the judgement

x : A, y : B ⇒ C : Set

implicitly contains the judgements

A : Set ,

x : A⇒ B : Set .

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(f) 422

Presuppositions (Cont.)

A : Set and x : A⇒ B : Set are:::::::::::::::::::::

presuppositions of thejudgement

x : A, y : B ⇒ C : Set .


Presuppositions (Cont.)

A : Set and B : Set are:::::::::::::::::::::

presuppositions of thejudgement

A→ B : Set .

and of the judgement

A×B : Set .

The next slide shows the presuppositions ofjudgements.


Presuppositions

Judgement Presuppositions

Γ, x : A⇒ Context Γ⇒ A : Set.

Γ⇒ A : Set Γ⇒ Context

Γ⇒ A = B : Set Γ⇒ A : Set,Γ⇒ B : Set.


Presuppositions


Γ⇒ a : A Γ⇒ A : Set.

Γ⇒ a = b : A Γ⇒ a : A,Γ⇒ b : A.

Γ⇒ (x : A)×B : Set Γ, x : A⇒ B : Set.


Presuppositions


Γ⇒ (x : A)→ B : Set Γ, x : A⇒ B : Set.


PresuppositionsFurthermore, presuppositions of presuppositions of

Γ⇒ θ

are as well presuppositions of

Γ⇒ θ .


Example of Presuppositionsx : A, y : B ⇒ a = b : (z : C)×D presupposes:∅ ⇒ Context,A : Set,x : A⇒ Context,x : A⇒ B : Set,x : A, y : B ⇒ Context,x : A, y : B ⇒ C : Set,x : A, y : B, z : C ⇒ Context,x : A, y : B, z : C ⇒ D : Set,x : A, y : B ⇒ (z : C)×D : Set,x : A, y : B ⇒ a : (z : C)×D,x : A, y : B ⇒ b : (z : C)×D.


Remark on A→ B, A×B

Note that A→ B is an abbreviation for (x : A)→ B forsome fresh x.

Similarly A×B is an abbreviation for (x : A)×B forsome fresh x.

Therefore the presupposition of A→ B : Set(which abbreviates ∅ ⇒ A→ B : Set) are:∅ ⇒ Context,A : Set,x : A⇒ Context,x : A⇒ B : Set.


(g) The Full Logical FrameworkWe would like to add operations on types, such as

prod : Set→ Set→ Set

which should take two sets and form the product of it.

The problem is that for this we need

Set→ Set→ Set : Set

and our rules allow this only if we hadSet: Set

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 431

SetAdding

Set : Set

as a rule results however in an inconsistent theory:using this rule we can prove everything, especiallyfalse formulas.The corresponding paradox is called::::::::::

Girard’s:::::::::::

paradox.


Jean-Yves Girard


Set (Cont.)Instead we introduce a new level on top of Set calledType.

So besides judgements A : Set we have as welljudgements of the form

A : Type

One rule will especially express

Set : Type

Elements of Type are types, elements of Set aresmall types.


Set (Cont.)We add rules asserting that if A: Set then A: Type.

Further we add rules asserting that Type is closedunder the dependent function type and product.

Since Set : Type we get therefore (by closure under thefunction type)

Set→ Set→ Set : Type

and we can assign to prod above the type

prod : Set→ Set→ Set

(The definition of prod will be given later.)


SetSet −> Set

N −> SetN −> N

Type

Set

N


Set (Cont.)However, we cannot use prod in order to form theproduct of two sets, ie. we cannot introduce

prod Set Set : Set ,

since Set : Set does not hold.


Rules for SetFormation Rule for Set

Set : Type

Every Set is a Type

A : Set (Set2Type)A : Type


Closure of TypeFurther we add rules stating that Type is closed underthe dependent function type and the dependentproduct:

Closure of Type under the dependent product

A : Type x : A⇒ B : Type(×-FType)

(x : A)×B : Type

Closure of Type under the dependent function type

A : Type x : A⇒ B : Type(→ -FType)

(x : A)→ B : Type


Nondependent CaseA special case of the above rule is the closure underthe non-dependent function type and product.This rule can be derived (e.g. from the premises onecan derive using the other rules the conclusion).

Closure of Type under the non-dependent product

A : Type B : Type(×-FType)

A×B : Type

Closure of Type under the non-dependent function type

A : Type B : Type(→ -FType)

A→ B : Type


Equality Versions of the RulesFormation Rule for Set

Set = Set : Type (SetIsType=)

Every Set is a Type

A = B : Set (Set2Type=)A = B : Type


Equality Versions of the RulesClosure of Type under the dependent product

A = A′ : Type x : A⇒ B = B′ : Type(×-F=,Type)

(x : A)×B = (x : A′)×B′ : Type

Closure of Type under the dependent function type

A = A′ : Type x : A⇒ B = B′ : Type(→ -F=,Type)

(x : A)→ B = (x : A′)→ B′ : Type

Similarly for the non-dependent versions of the above.


Context RulesThe types in the contexts, which were before onlyelements of Set, can now be as well elements of Type.

Therefore we need an additional context rule

Γ⇒ A : Type(ContextType

1 )Γ, x : A⇒ Context

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 442a

Example: prodWe can now introduce prod : Set→ Set→ Set:First we derive X : Set, Y : Set⇒ X : Set:

Set : TypeX : Set⇒ Context

X : Set⇒ Set : TypeX : Set, Y : Set⇒ ContextX : Set, Y : Set⇒ X : Set

Similarly we derive X : Set, Y : Set⇒ Y : Set.


Example: prod (Cont.)Now we can derive our desired judgement:

X : Set, Y : Set⇒ X : Set X : Set, Y : Set⇒ Y : SetX : Set, Y : Set⇒ X × Y : Set

X : Set⇒ (λY : Set.X × Y ) : Set→ Set

(λX, Y : Set.X × Y ) : Set→ Set→ Set

So defineprod := λX, Y : Set.X × Y


Hierarchies of TypesIf one wants to form

prod′ : Type→ Type→ Type ,

one needs to have a further level Kind above Type, s.t.

Type : Kind .

ThenType→ Type→ Type : Kind .


SetSet −> Set

N −> SetN −> N

N

Type

Set

Kind

Type

Type−> Type


Rules for Type as a KindType is a Kind

Type : Kind

Every Type is a Kind

A : Type(Type2Kind)

A : Kind


Closure of KindClosure of Kind under the dependent product

A : Kind x : A⇒ B : Kind (×-FKind)(x : A)×B : Kind

Closure of Kind under the dependent function type

A : Kind x : A⇒ B : Kind (→ -FKind)(x : A)→ B : Kind

Plus equality versions of the above rules.


Context RulesAgain, the context rules have to be expanded:

Γ⇒ A : Kind(ContextKind

1 )Γ, x : A⇒ Context

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 2(g) 448a

Hierarchies of Types (Cont.)

This can be iterated further, formingType = Type1,Kind = Type2,Type3,Type4 · · ·

Agda has a hierarchy of types built in, written as #0(which is Set), #1 (which is Type), #2 (in the rulecalculus called Kind), #3 etc.

So we have#0 = Set : Type,#0 = Set : #2, #1 = Type : #2,#0 = Set : #3, #1 = Type : #3, #2 : #3,#0 = Set : #4, #1 = Type : #4, #2 : #4, #3 : #4,etc.


Type_3 = #3

Type = Type_1 = #1

Kind = Type_2 = #2

Set = #0


3. Data Types(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)


(a) The Set of BooleansFormation Rule

Bool : Set

Introduction Rules

tt : Bool ff : Bool

Elimination Rule

C : Bool→ Set ic : C tt ec : C ff cond : BoolCaseBool C ic ec cond : C cond


The Set of Booleans (Cont.)Equality Rules

C : Bool→ Set ic : C tt ec : C ffCaseBool C ic ec tt = ic : C tt

C : Bool→ Set ic : C tt ec : C ffCaseBool C ic ec ff = ec : C ff


RemarksIn the above

tt:

stands for true, ff:

stands for false.

ic:

stands for “if-case”, ec::

for “else-case”.

cond:::::

for “condition”.


Remarks (Cont.)The argument C : Bool→ Set denotes the set into whichwe are eliminating.

Instead of C : Set, we have C : Bool→ Set, since theset into which we are eliminating might depend onthe Boolean value.That is necessary in order to define functionsf : (b : Bool)→ D where D depends on b.If we define

f := λ(b : Bool).CaseBool C ic ec b

we have:f tt : C tt.f ff : C ff.f : (b : Bool)→ C b.


Remarks (Cont.)The argument C above has no computational content.

It is not needed in order to computeCaseBool C ic ec tt and CaseBool C ic ec ff.

C is only needed in order to get to allow decidable typechecking:

In the presence of arguments like this we can decidewhether a judgement a : B is derivable.


Remarks (Cont.)We can write the elimination rule in a more compactbut less readable way:

CaseBool : (C : Bool→ Set)

→ (ic : C tt)

→ (ec : C ff)

→ (cond : Bool)

→ C cond

.

tt, ff are the constructors of Bool.


Remarks (Cont.)Notice that we then get for C : Bool→ Set,ic : C tt, ec : C ff

f := CaseBool C ic ec

: (cond : Bool)→ C cond

,

f tt = CaseBool C ic ec tt = ic : C tt,f ff = CaseBool C ic ec ff = ec : C ff.

So we obtain functions from Bool into other setswithout having to write λ(b : Bool). · · · .

That’s why we choose the argument to eliminate fromas the last one.


Remarks (Cont.)This is similar to the definition of for instance (+) incurried form in Haskell

(+) : int→ int→ int.(+) 3 is the function which takes an integer and addsto it 3.

Shorter than writing λx.3 + x.


Remarks (Cont.)Note that we have the following order of thearguments of CaseBool:

First we have the set into which we eliminate.Then follow the cases, one for each constructor.Finally we put the element which we areeliminating.

In some sense CaseBool is a “then _else _if ” – thecondition (if . . .) is the last one.


Example: ANDWe want to introduce conjunction

AND : Bool→ Bool→ Bool .

This will be of the form

AND = λb, c : Bool.t

for some term t.

t will be defined by case distinction on b, so we get

AND = λb, c.CaseBool C e f b

for some e, f .

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460a

Example: ANDAND = λb, c.CaseBool C e f b

C will be the set into which we are eliminating,depending on a Boolean value.

It need to be an element of Bool→ Set.Therefore we have C = λd : Bool.D for some Dwhich might depend on d.The set, into which we are eliminating, is always thesame, namely Bool.So D = Bool and therefore we have

C = λd : Bool.Bool .

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460b

Example: ANDNote that in

λd : Bool.Bool

Bool occurs in two different meanings:The first occurrence is that of a set.

d is chosen here as an element of that set.The second occurrence is that as an element ofanother type, namely Set.

So here Bool is a term.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460c

Two Meanings of Elements of SetAll elements A of Set have these two meanings:

They can be used as terms, which are elements ofthe type Set.

The corresponding judgements are A : Set,A = A′ : Set.

And they can be used as sets, which have elements.The corresponding judgements are a : A anda = a′ : A.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460d

Example: ANDSo

AND = λb, c.CaseBool (λd : Bool.Bool) e f b

for some e, f .

For conjunction we have:If b is true then

b ∧ c = tt ∧ c = c

So the if-case e above is c.If c is false then

b ∧ c = ff ∧ c = ff

So the else-case f above is ff.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 460e

Example: ANDIn total we define therefore

::::::

AND = λ(b, c : Bool).CaseBool (λ(d : Bool).Bool) c ff b

: Bool→ Bool→ Bool

We verify the correctness of this definition:AND tt c = CaseBool (λ(d : Bool).Bool) c ff tt = c.as desired.AND ff c = CaseBool (λ(d : Bool).Bool) c ff ff = ff.Correct as desired.


Select ExampleAssume we have introduced in type theory

Names : Bool→ Set ,

Names tt = MaleNames ,

Names ff = FemaleNames .


Select ExampleThen we can define the function

SelectBool : (b : Bool)→ Names b

SelectBool tt = Tim

SelectBool ff = Sara

as follows:

SelectBool = CaseBool Names Tim Sara

Note that by using twice the η-rule we get that

SelectBool

= λb : Bool.CaseBool (λd : Bool.Names d) Tim Sara b


Select ExampleWe verify the correctness of SelectBool:

SelectBool tt = CaseBool Names Tim Sara tt = Tim ,

SelectBool ff = CaseBool Names Tim Sara ff = Sara .


Derivation of ANDWe derive in the following AND : Bool→ Bool→ Bool.

We write Bool, if itis a type in boldface red,and if it is a term, in italic blue.


Derivation of ANDFirst we deriveb : Bool, c : Bool⇒ λ(d : Bool).Bool : Bool→ Set:

Bool : Setb : Bool⇒ Context

b : Bool⇒ Bool : Setb : Bool, c : Bool⇒ Context

b : Bool, c : Bool⇒ Bool : Set

b : Bool, c : Bool, d : Bool⇒ Context

b : Bool, c : Bool, d : Bool⇒ Bool : Set

b : Bool, c : Bool⇒ λ(d : Bool).Bool : Bool→ Set


Derivation of ANDWe derive

b : Bool, c : Bool⇒ Bool = (λ(d : Bool).Bool) tt : Set

(using part of the derivation above):

· · ·b:Bool,c:Bool,d:Bool⇒Context

b:Bool,c:Bool,d:Bool⇒Bool :Set

· · ·b:Bool,c:Bool⇒Context

b:Bool,c:Bool⇒tt:Bool

b:Bool,c:Bool⇒(λ(d:Bool).Bool) tt=Bool :Set

b:Bool,c:Bool⇒Bool=(λ(d:Bool).Bool) tt:Set


Derivation of ANDSimilarly follows

b : Bool, c : Bool⇒ Bool = (λ(d : Bool).Bool) ff : Set


Derivation of ANDUsing part of the proof above, we derive

b : Bool, c : Bool⇒ c : (λ(d : Bool).Bool) tt


b:Bool,c:Bool⇒c:Bool

· · ·b:Bool,c:Bool⇒Bool=(λ(d:Bool).Bool) tt:Set

b:Bool,c:Bool⇒c:(λ(d:Bool).Bool) tt

We derive

b : Bool, c : Bool⇒ ff : (λ(d : Bool).Bool) ff


b:Bool,c:Bool⇒ff:Bool

· · ·b:Bool,c:Bool⇒Bool=(λ(d:Bool).Bool) ff:Set

b:Bool,c:Bool⇒ff:(λ(d:Bool).Bool) ff


Derivation of ANDWe derive b : Bool, c : Bool⇒ b : Bool using part of theproof above:

· · ·b : Bool, c : Bool⇒ Context

b : Bool, c : Bool⇒ b : Bool


Derivation of ANDFinally we obtain our judgement (we stack thepremises of the rule because of lack of space):

b:Bool,c:Bool⇒λ(d:Bool).Bool :Bool→Set

b:Bool,c:Bool⇒c:(λ(d:Bool).Bool) tt

b:Bool,c:Bool⇒ff:(λ(d:Bool).Bool) ff

b:Bool,c:Bool⇒b:Bool

b:Bool,c:Bool⇒CaseBool (λ(d:Bool).Bool) c ff b:Bool

b:Bool⇒λ(c:Bool).CaseBool (λ(d:Bool).Bool) c ff b:Bool→Bool

λ(b,c:Bool).CaseBool (λ(d:Bool).Bool) c ff b:Bool→Bool→Bool


Elimination into TypeWe can extend add elimination and equality rules, havingas result Type:Elimination Rule into Type

C : Bool→ Type ic : C tt ec : C ff cond : Bool

CaseTypeBool C ic ec cond : C cond

Equality Rules into Type

C : Bool→ Type ic : C tt ec : C ff

CaseTypeBool C ic ec tt = ic : C tt

C : Bool→ Type ic : C tt ec : C ff

CaseTypeBool C ic ec ff = ec : C ff


Elimination into Type (Cont.)We can extend this into an elimination rule

into Kind or other higher types.


Bool in AgdaWe introduce Bool by simply listing its constructors(similarly to Haskell syntax):

data Bool = tt | ff

This introduces as well constantstt :: Bool

ff :: Bool

With this syntax, each constructorcan occur at most once in a data type,

i.e. we cannot define a second type havingconstructor tt,e.g. for defining True (which is used later):

data True = tt


Bool in Agda (Cont.)The definition of Bool above is treated in Agda as anabbreviation for the following three more fundamentalAgda definitions:

Bool :: Set

= data tt | ff

tt :: Bool

= tt@Bool

ff :: Bool

= ff@Bool


Notation for ConstructorsThe official notation for a constructor of a set A is

C@A .

The notation C@A is, what is displayed, whenevaluating expressions in Agda.This notation is necessary, since a constructor mightbelong to different sets.

For instance we can introduce both

Bool :: Set = data tt | ff

True :: Set = data tt

In this situation we need to be able to distinguishbetween tt@Bool and tt@True in order to getdecidable type checking.


Notation for ConstructorsForcing the user to use different names for constructorsdoesn’t help since we will later introdue as well sets ofthe form

D (a :: A)

:: Set

= data C · · ·

Now C@(D a) can be a constructor of D a for anya : A.

Using C alone would cause problems withdecidable type checking.

If Agda can resolve the type itself, one can write C@_instead of C@A.


Notation for ConstructorsIt is still recommended to avoid the use of the symbol @,and for instance define in the above situation by hand

C (a :: A)

:: D

= C@_

The abbreviation

data Bool = tt | ff

does this automatically.


Notation for ConstructorsHowever the abbreviation

data A = C | D | · · ·

can be used only ifone is defining a set A (and not a type A),and if the set one is defining has no parameter.

So it cannot be use in order to define

D (a :: A)

:: Set

= data C · · ·

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(a) 472d

Bool in Agda (Cont.)The definition of Bool as

Bool :: Set

= data tt | ff

introduces Bool as a set having constructors tt@Bool

and [email protected] tt, and ff have to be defined separately.If it is clear that the element in question is of typeBool, then one can replace tt@Bool by tt@_

:::::

.


Bool in Agda (Cont.)The definition of Bool as above doesn’t prevent thedefinition of another set with constructors tt or ff.This syntax is the only one allowed, if one defines aset using the data keyword depending onarguments.More about this later.


Bool in Agda (Cont.)Internally, tt will always be represented as tt@Bool,similarly for ff.

So Agda evaluates tt to [email protected] can be seen when using of the agda methodsfor evaluating a term.


Evaluation of terms in AgdaAgda has several methods for evaluating expressions:

agda-compute-whnf, “Compute weak head normalform”,agda-compute-whnfs, “Compute weak headnormal form strict”,agda-nfC, “Compute to a depth”,agda-nfC100, “Compute to depth 100”.


Evaluation of terms in AgdaThe above mentioned methods can be executed(directly or by using the goal-menu), while in a goal.

An expression typed into the goal will be taken asdefault input to that function.But that can be modified.

The methods follow different evaluating strategies.Compute weak head normal form reduces a termuntil it starts with a constructor or the outer mostfunction doesn’t reduce any further, even if itsarguments are evaluated.Compute to depth 100 seems to work best in mostcases.


Case DistinctionElimination in Agda is based on case distinction.

Assume we want to definef : Bool→ Bool, s.t.f tt = ff,f ff = tt.

So we have the goal:

f (x :: Bool)

:: Bool

= ! !


Case Distinction (Cont.)We can then type into the goal x and choose the menuitem “agda-case” .

This introduces a case distinction by theconstructor used for introducing x:x could have been introduced as tt or ff.

The goal expands to:

f (x :: Bool)

:: Bool

= case x of

(tt) → ! !

(ff) → ! !


Case Distinction (Cont.)The value of x in the first goal can be tested asfollows:

Position the cursor in the first goal and choose oneof the methods for evaluating expressions, e.g.compute weak head normal form strict.Then type into the mini-buffer x.One gets the answer

tt@_.


Case Distinction (Cont.)Alternatively, check, the cursor being in that goal,the context

(use goal-menu “agda-context” ):It contains

x :: Bool = tt@_.

Similarly one finds that in the second goal x is ff@_.


Case Distinction (Cont.)Now we can solve the new goals by inserting

ff into the first one,tt into the second one.

We obtain a function:

f (x :: Bool)

:: Bool

= case x of

(tt) → ff

(ff) → tt

f x is the negation of x.


Testing the Defined FunctionWe can test our function by using one of the evaluationmethods of Agda, e.g.compute weak head normal form strict.

We have to create a goal for this.The reduction machinery is context dependent.The context depends on where in the buffer we are.

See the above example where x was dependingon the goal tt or ff.

Not every place in the buffer is a good place.Good places for context are goals, and that’sthe only place where Agda allows us to computethe weak head normal form of expressions.


Testing the Defined FunctionSo we

type in a dummy goal:

test :: Set

= ! !

move to the new goalchoose compute weak head normal form strict oranother evaluation method of Agda,and type into the mini-buffer f tt.

The result shown is ff@_.


(b) The Finite SetsBool can be generalised to sets having n elements (n afixed natural number):

Formation RuleFinn : Set

Introduction RulesAn

k : Finn

(for k = 0, . . . , n− 1)


Rules for Finn

Elimination Rule

C : Finn → Sets0 : C An

0s1 : C An

1· · ·

sn−1 : C Ann−1

a : Finn

Casen C s0 . . . sn−1 a : C a


The Finite Sets (Cont)Equality Rules

C : Finn → Sets0 : C An

0s1 : C An

1· · ·

sn−1 : C Ann−1

Casen C s0 . . . sn−1 Ank = sk : C An

k

(for k = 0, . . . , n− 1).

Remark: Note that we have just introduced infinitely manyrules (for each n ∈ N and k = 0, . . . , n− 1).


Omitting Premises in Equality RulesSince the premises of the equality rule can in mostcases be determined from the introduction andelimination rules, we will usually omit them, whenwriting down equality rules.

So we write for instance for the previous rule:

Casen C s0 . . . sn−1 Ank = sk : C An

k

We sometimes even omit the type:

Casen C s0 . . . sn−1 Ank = sk


More Compact Elimination Rules

Casen : (C : Finn → Set)

→ (s0 : C An0 )

→ · · ·

→ (sn−1 : C Ann−1)

→ (a : Finn)

→ C a

.


Elimination into TypeSimilarly as for Bool we can write downelimination rules, whereC : Finn → Type (instead of C : Finn → Set).

This can be done for all sets defined later as well.


Rules for TrueTrue is the special case Finn for n = 1 (we write true for A1

0):Formation Rule

True : Set

Introduction Rulestrue : True

Elimination Rule

C : True→ Set c : C true t : TrueCaseTrue c t : C t

Equality Rule

C : True→ Set c : C trueCaseTrue c true = c : C true


Rules for True (Cont.)CaseTrue is computationally not very interesting.

CaseTrue c is the untyped function λx.c.However, in Agda we might not be able to derive

λ(t : True).c : (t : True)→ C t

From a logic point of view, it expresses:From an element of C true we obtain an element of C tfor every t : True.

So there is no C : True→ Set s.t. C true is inhabited,but C x is not inhabited for some other x : True.This means that all elements of x of type True areindistinguishable from true, i.e. they areidentical to true.This equality is called

::::::::::

Leibnitz:::::::::::

equality.


Formulae as TypesIn type theory, formulas are certain types.

A formula expressed as a type, is::::::::::::::::::::::

type-theoretically::::::

true, if it has an element.

The elements of such a type are proofs of thisformula.

ThereforeTruth in type theory means provability.

True has exactly one proof, and corresponds thereforeto the always always true formula.


Rules for FalseFalse is the special case Finn for n = 0:

Formation RuleFalse : Set

There is no Introduction Rule

Elimination Rule

C : False→ Set f : False

CaseFalse f : C f

There is no Equality Rule


FalseFalse has no elements.

It is the formula, which is always false, since it has noproofs.

Often called falsum or absurdity.


FalseCaseFalse expresses: from an element f of False weobtain an element of any set (which might depend onf ).

Considered as a formula, this means: from a proof ofFalse we obtain a proof of every other formula.I.e. False implies everything.In logic this principle is called:::::

“Ex:::::::::

falsum::::::::::::::

quodlibet” (from the absurdity followsanything).E.g. A false formula like “0 = 1” or “Swansea lies inGermany” implies everything.


False (Cont.)CaseFalse has no computational meaning, since thereis no element it can be applied to.

Applies of course only if we are working in aterminating type theory.If we had full recursion, we could define f : False byf = f .However that f doesn’t reduce to canonical form.That’s why it’s important to carry out thetermination check in Agda, otherwise one obtainsfor instance elements of False


Finite Sets in AgdaFinite sets can be introduced by giving oneconstructor for each element. E.g.

data Colour = blue | red | green

With this we obtain red :: Colour


Finite Sets in AgdaElimination is done via case distinction.

In the “Colour” example above for instance, we candefine

is_red (c :: Colour)

:: Bool

= case c of

(red) → tt

(green) → ff

(blue) → ff


False in AgdaIn Agda we can define the empty set as a “data”-setwith no constructors:

data False =

If we want to solve

g (x :: False)

:: Bool

= ! !

we can insert into the goal x and choose menu-item“agda-case” .


False in Agda (Cont.)The result is

g (x :: False)

:: Bool

= case x of

If we make case distinction on x there isno case to choose from, so we don’t have to defineanything.


Example for the Use of FalseAssume the type of trees:

data Tree = oak | pine | spruce

Below we will show, how to introduce a function

IsConifer :: Tree→ Set

s.t.IsConifer oak = False

IsConifer pine = True

IsConifer spruce = True


Example for the Use of FalseIf we want to define a function from trees, which areconifers, into another set, we can do so by requiringan additional argument “IsConifer”:

f (t :: Tree)

(p :: IsConifer t)

:: A

= case t of

oak → case p of

pine → · · ·

spruce → · · ·


Example for the Use of FalseIn order to use f we have to know that t is a conifer,

i.e. we have to provide an argument p whichexpresses the fact that we know this.

Note that we don’t have to invent a result of f in caset is an oak tree.


Example 2 for the Use of FalseSimilarly we can introduce a stack, together with apredicate

NonEmpty :: Stack→ Set

s.t.NonEmpty s = False

if s is the empty stack.

Now we can define

pop (s :: Stack)

(p :: NonEmpty s)

:: Stack

= · · ·


Example 2 for the Use of FalseAgain we don’t have to provide a result, in case s isempty.


True in AgdaThe definition of True in Agda is straightforward:

data True = true

Case distinction will require to solve the case true:

g (x :: True)

:: Bool

= case x of

(true)→ ! !


(c) Atomic FormulaeFull title of this section:Atomic formulae and the Traffic Light Example.

We have introduced two formulae:True, the always true formula.

Corresponds to truth value tt : Bool.False, the always false formula.

Corresponds to truth value ff : Bool.


Atomic FormulaeA formula expressing equality between two elements ofFinn (for fixed n) can now be introduced as follows:

Define a function

Eqn,Bool : Finn → Finn → Bool

s.t.

Eqn,Bool Ain Ai

n = true

Eqn,Bool Ain Aj

n = false for i 6= j

Eqn,Bool can be defined easily (for fixed n) by casedistinction on its two arguments.


Atomic FormulaeNow apply an operation

atom : Bool→ Set

which maps the truth value to the correspondingformula, i.e. define now

Eqn : Finn → Finn → Set

Eqn x y = atom(Eqn,Bool x y)


Atomic Formulaeatom is defined s.t.

atom tt = True

atom ff = False

So we get for Eqn above

Eqn Ain Ai

n = True

Eqn Ain Aj

n = False for i 6= j

SoEqn Ai

n Ain is inhabited, has a proof, is true;

for i 6= j, Eqn Ain Aj

n is not inhabited, has not a proof,is false.


Atomic Formulaeatom can be defined as follows:

atom = CaseTypeBool (λb : Bool.Set) True False

: Bool→ Set


atom in Agda

atom (b :: Bool)

:: Set

= case b of

(tt) → True

(ff) → False


Decidable PredicatesIn general, atom allows us to define decidablepredicates on sets.

A predicate is::::::::::::

decidable if it can be decided by aBoolean valued function.

E.g. equality on natural numbers is decidable,since we can define a functionEqN,Bool : N→ N→ Bool which decides it.Equality on functions N→ N is undecidable,since we cannot define such a function – in orderto check equality between f and g we need tocheck equality between f n and g n for all n : N.


Decidable Predicates (Cont.)Assume we have a set of states of a system A.

E.g. the set of states a railway controller can choose.

Assume we have a function f : A→ Bool.E.g. f a means: state a is safe.

Let now g : A→ Set, g a = atom(f a).If f a is true (e.g. a is safe), g a is inhabited.If f a is false (e.g. a is unsafe), g a is not inhabited.

Now, the existence of a h : (a : A)→ g a means:For all a : A we have g a is inhabited,ie. for all a : A, f a is true,e.g. for all a : A, a is safe.

.


The Traffic Light ExampleAssume a road crossing, controlled by traffic lights:

A

A’

B

B’


The Traffic Light ExampleAssume from each direction A, A’, B, B’ there is onetraffic light,

but A and A’ always coincide, similarly B and B’.


The Set of Physical StatesFor simplicity assume that each traffic light is eitherred or green:

data Colour = red | green

The set of physical states of the system is given by apair, determining the colour of A (and therefore as wellA’) and of B (and B’)

Phys_State :: Set

= sig

sigA :: Colour

sigB :: Colour


The Set of Control StatesThe set of control states is a set of states of thesystem, a controller of the system can choose.

Each of these states should be safe.In our example, all safe states will be captured(this can usually be only achieved in smallexamples).

A complete set of control states consists of:Allred – all signals are red.Agreen – signal A (and A’) is green, signal B is red.Bgreen – signal B is green, signal A is red.


The Set of Control States (Cont.)We therefore define

data Control_State = Allred | Agreen | Bgreen


Control States to Physical StatesWe define the state of signals A, B depending on acontrol state:

toSigA (s :: Control_State)

:: Colour

= case s of

(Allred) → red

(Agreen) → green

(Bgreen) → red


Control States to Physical States

toSigB (s :: Control_State)

:: Colour

= case s of

(Allred) → red

(Agreen) → red

(Bgreen) → green


Control States to Physical StatesNow we can define the physical state correspondingto a control state:

phys_state (s :: Control_State)

:: Phys_State

= struct

sigA = toSigA s

sigB = toSigB s


Safety PredicateWe define now when a physical state is safe:

It is safe iff not both signals are green.We define now a corresponding predicate directly,without defining first a Boolean function.We first define a predicate depending on two signals:

CorAux (a, b :: Colour)

:: Set

= case a of

(red) → True

(green) → case b of

(red) → True

(green) → False


Safety Predicate (Cont.)Now we define

Cor (s :: Phys_State)

:: Set

= CorAux s.sigA s.sigB

Remark: In some cases in order to define a functionfrom some product (i.e. a sig-set) into some other set,it is better first to introduce an auxiliary function,depending on the components of that product.

In the current example this wouldn’t have causedproblems, but in more complex examples it does(due to the lack of the η-rule).


Safety of the SystemNow we show that all control states are safe:

cor_proof (s :: Control_State)

:: Cor(phys_state s)

= case s of

(Allred) → true

(Agreen) → true

(Bgreen) → true


Safety of the System (Cont.)The first element true was an element ofCor(phys_state Allred), which reduces to True.

Similarly for the other two elements.

This works only because each control statecorresponds to a correct physical state.

If this hadn’t been the case, we would have gotteninstances where the goal to solve is False, which wecan’t solve.


Safety of the System (Cont.)If one makes a mistake which results in an unsafesituation

e.g. sets toSigB Agreen = green,then in the last step we obtain one goal of type False.

Then we can’t solve this goal directly and cannotprove the correctness.(We could in Agda solve this goal by usingfull recursion,

e.g. solve this goal as cor_proof Agreen,but this would be rejected by the termination check.)


(d) The Disjoint Union of SetsThe disjoint union A + B of two sets A and B is theunion of A and B,

but defined in such a way that we can decidewhether an element of this union is originally from Aor B.This is distinguished by having constructorsinl : A→ A + B and inr.

Elements from a : A are inserted into A + B asinl a : A + B.elements from b : B are inserted into A + B asinr b : A + B.inl stands for “in-left”, inr for “in-right”.

If we have a : A and a : B, then a is represented bothas inl a and inr a in A + B.


Disjoint UnionInformally, if

A = 1, 2

andB = 3, 4, 5 ,

then

A + B = inl(1), inl(2), inr(3), inr(4), inr(5)

Each element of A + B iseither of the form inl(a) for some a : Aor of the form inr(b) for b : B.


Comparison with the ProductNote that if we have again

A = 1, 2

andB = 3, 4, 5 ,

then for the product we have informally

A×B = p(1, 3), p(1, 4), p(1, 5), p(2, 3), p(2, 4), p(2, 5)

Each element of A×B is of the form p(a, b) wherea : A and b : B.So each element of A×B contains both an elementof A and an element of B.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 527b

Disjoint Union vs. ProductNote that, if A is empty, then

A + B = inr(b) | b : B, which has a copy of eachelement of B,A×B is empty, since we cannot form a pair p(a, b)where a : A, b : B, since there is no element a : A.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(d) 527c

Rules for A + B

Formation RuleA : Set B : Set

A + B : Set

Introduction Rules

A : Set B : Set a : Ainl A B a : A + B

A : Set B : Set b : Binr A B b : A + B


Rules for A + B

Elimination Rules

A : SetB : Set

C : (A + B)→ Setcl : (a : A)→ C (inl A B a)cr : (b : B)→ C (inr A B b)

d : A + BCase+ A B C cl cr d : C d

Equality Rules

Case+ A B C cl cr (inl A B a) = cl a : C (inl A B a)

Case+ A B C cl cr (inr A B b) = cr b : C (inr A B b)

(cl, cr stand for “case left”, “case right”).


Logical Framework VersionA more compact notation is:

(+) : Set→ Set→ Set, written infix.inl : (A,B : Set)→ A→ (A + B).inr : (A,B : Set)→ B → (A + B).

Case+ : (A,B : Set)

→ (C : (A + B)→ Set)

→ ((a : A)→ C (inl A B a))

→ ((b : B)→ C (inr A B b))

→ (d : A + B)

→ C d .


Disjoint Union in AgdaThe disjoint union can be defined as a “data”-set havingtwo constructors inl (in-left) and inr (inright):

(+) (A :: Set)

(B :: Set)

:: Set

= data inl(a :: A) | inr(b :: B)


Disjoint Union in Agda (Cont.)The notation (+) means, that + can be used infix.

Now we have, if A,B :: Set:inl@(A + B) :: A→ (A + B)

inr@(A + B) :: B → (A + B)

This can be checked using the menu “infer type” ina dummy goal.Note that we cannot assign a type to inl@_ or inr@_.(+) cannot be defined using the abbreviated datanotation(which would be of the formdata (+) = · · · ).


Disjoint Union in Agda (Cont.)Elimination is again represented by case distinction.So if want to define for A,B :: Set for instance

f (c :: A + B)

:: Bool

= ! !

we can type into the goal c and choose menu“agda-case”.


Disjoint Union in Agda (Cont.)We obtain

f (c :: A + B)

:: Bool

= case c of

(inl a) → ! !

(inr b) → ! !

and insert into the first goal e.g. true and the secondone false


Use of Concrete Disjoint SetsIt is usually more convenient to define concretedisjoint unions directly with more intuitive names forconstructors, e.g.

data Plant = tree(t :: Tree) | flower(f :: Flower)

Now one can define for instance

isFlower (p :: Plant)

:: Bool

= case p of

(tree t) → ff

(flower f) → tt


(e) The Σ-SetThe Σ-set is a second version of the dependentproduct of two sets.

It depends ona set A,and a second set B depending on A, i.e. onB : A→ Set.

Similar to the standard product (x : A)× (B x).

In Agda(x : A)× (B x) is a in Agda a builtin construct,the Σ-set is introduced by the user using aconstructor, similar to the previous sets.

The Σ-set behaves sometimes better than the standardproduct.


Rules for Σ

Formation Rule

A : Set B : A→ SetΣ A B : Set

Introduction Rule

A : SetB : A→ Set

a : Ab : B a

p A B a b : Σ A B


Rules for Σ

Elimination Rule

A : SetB : A→ Set

C : (Σ A B)→ Setc : (a : A)→ (b : B a)→ C (p A B a b))

d : Σ A BCaseΣ A B C c d : C d

Equality Rule

CaseΣ A B C c (p A B a b) = c a b : C (p A B a b)


The Σ-Set using the Log. Framew.The more compact notation is:

Σ : (A : Set)

→ (A→ Set)

→ Set .

p : (A : Set)

→ (B : A→ Set)

→ (a : A)

→ (B a)

→ Σ A B .


The Σ-Set using the Log. Framew.

CaseΣ :

(A : Set)

→ (B : A→ Set)

→ (C : (Σ A B)→ Set)

→ ((a : A, b : B a)→ C (p A B a b))

→ (d : Σ A B)

→ C d .


The Σ-Set and the Dep. Prod.Both the Σ-set and the dep. product have similarintroduction rules.

For the Σ-set, the constructors have additionalarguments A, B necessary for bureaucratic reasonsonly.

One can define the projections π0, π1 using CaseΣ:

π0 = CaseΣ A B (λx.A) (λ(x : A).λ(y : B x).x)

π1 = CaseΣ A B (λx.B π0(x)) (λ(x : A).λ(y : B x).y)

On the other hand, from π0, π1 we can define CaseΣ asfollows:

λA,B,C, s, d.s π0(d) π1(d) .


The Σ-Set and the Dep. Prod.However the dependent product has the η-rule (whichis however not implemented in Agda).

Because of the lack of η-rule, Σ works usuallybetter than the dependent product in Agda.

I personally don’t use the dependent product ofAgda much.


The Σ-Set in AgdaΣ can be defined as a “data”-set with a constructor, e.g.p:

Sigma (A :: Set)

(B :: A→ Set)

:: Set

= data p (a :: A) (b :: Ba)

Elimination uses case-distinction:

f (c :: Sigma A B)

:: D

= case c of

(p a b) → · · ·


The Σ-Set in Agda (Cont.)Again one usually defines concrete Σ-sets more directly.

Example: Assume we have defineda set Plant_Group for groups of plants (e.g. “tree”,“flower”),depending on g :: Plant_Group, setsPlants_in_group g) for plants in that group.

The set of plants can then be defined as

data Plant = plant (g :: Plant_Group)(pg :: Plants_in_group g)


The Σ-Set in Agda (Cont.)Not surprisingly, for elimination we usecase distinction, e.g.:

f (p :: Plant)

:: Plant_group

= case p of

(plant g pg) → g


(f) Formulae in Dep. Type TheoryWe have seen how to represent atomic decidableformulae.

Now treatment of complex formulae constructed usinglogical connectives.


ConjunctionA ∧B is true iff both A is true and B is true.

Therefore a proof of A ∧B consists of a proof of A anda proof of B.

It is therefore a pair 〈p, q〉 consisting of a proof p of Aand a proof q of B.

Therefore the set of proofs of A ∧B is the set of pairs ofelements of A and B, i.e. A×B.

We can identify A ∧B with A×B.


Conjunction (Cont.)With this identification, the introduction rule for theproduct allows to form a proof of A∧B from a proof of Aand a proof of B:

p : A q : B

〈p, q〉 : A ∧B

This means that we can derive A ∧ B from A and B.


Conjunction and Natural Ded.In so called natural deduction, one has rules forderiving and eliminating formulas formed using thestandard connectives.

There the rule for introducing proofs of A ∧B is

A BA ∧B

The type theoretic introduction rule corresponds exactlyto this rule.


Example 1For instance, assume we want to prove that a functionsort from lists to lists is a sorting algorithm.

Then we have to show that for every list l the applicationof sort to l is sorted, and has the same elements of l.

In order to show this, one would assume a list l andshow

first that sort l is sorted,then, that sort l has the same elements as l

and finally conclude that it fulfills the conjunction ofboth properties.The last operation uses the introduction rule for ∧.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 549a

Conjunction (Cont.)The elimination rule for ∧ allows to project a proof ofA ∧B to a proof of A and a proof of B:

p : A ∧B

π0(p) : A

p : A ∧B

π1(p) : B

This means that we can derive from A ∧ B both A andB.

This corresponds to the natural deduction eliminationrule for ∧:

A ∧BA

A ∧BB


Example 2Assume we have defined a function f , which takes a listof natural numbers l, a proof that l is sorted, and anatural number n, and returns the Boolean value tt or ffindicating whether n is in this list or not.

Assume now a sorting function sort from lists of naturalnumbers to natural numbers, plus a proof that it is asorting function, i.e. that sort l is sorted and has thesame elements as l for every list l.

We want to apply f to sort l and need therefore a proofthat sort l is sorted.

We have that the conjunction of “sort l is sorted” and“sort l has the same elements as l” holds.

Using the elimination rule for ∧ one can conclude thedesired property, that sort l is sorted.


Example 3Assume a proof of A ∧B.

We want to show B ∧ A.By ∧-elimination we obtain from A ∧B that B holds.Similarly we conclude that A holds.Using ∧-introduction we conclude B ∧ A.In natural deduction, this proof is as follows:

A ∧BB

A ∧BA

B ∧ A

Below we will see how to show this in Agda.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 550b

DisjunctionA ∨B is true iff A is true or B is true.

Therefore a proof of A ∨ B consists of a proof of Aor a proof of B, plus the information which one.

It is therefore an element inl p for a proof p : A or anelement inr q for a proof q : B.

Therefore the set of proofs of A ∨B is thedisjoint union of A and B, i.e. A + B.

We can identify A ∨B with A + B.


Disjunction (Cont.)With this identification, the introduction rules for +allows to form a proof of A ∨B from a proof of A or froma proof of B.

A : Set B : Set p : A

inl A B p : A + B

A : Set B : Set p : Binr A B p : A + B

Omitting the premises A,B : Set and omitting themas arguments of inl and inr (which is needed only forbureaucratic reasons) we get:

p : A

inl p : A + Bp : B

inr p : A + B


Disjunction (Cont.)This means that we can derive A ∨ B from A and fromB.

This is what is expressed by the natural deductionintroduction rules for ∨:

AA ∨B

BA ∨B


Example 1Assume we want to show that every prime number isequal to 2 or odd.

In order to show this one assumes a prime number.If it is 2, it is trivially equal to 2.

Using the introduction rule for ∨ one concludesthat it is equal to 2 or odd.

Otherwise, one argues (using some proof) that it isodd.

Using the introduction rule for ∨ one concludesagain that it is equal to 2 or odd.


Disjunction (Cont.)The elimination rule for + allows to form from anelement of A + B an element of any set C provided wecan compute such an element from A and from B:

A : SetB : Set

C : (A ∨B)→ Setsl : (a : A)→ C (inl A B a)sr : (b : B)→ C (inr A B b)

d : A ∨BCase+ A B C sl sr d : C d


Disjunction (Cont.)Omitting the dependency of C on A ∨B and omittingthe bureaucratic premises and arguments A, B and Cwe get:

d : A ∨B sl : A→ C sr : B → CCase+ sl sr d : C

This means that we can derive from A ∨ B a formulaC, if we can derive C from A and from B.


Disjunction (Cont.)This is what is expressed by the natural deductionelimination rules for ∨:

A ∨B

A···C

B···C

C

(Note that in the natural deduction elimination rule, fromthe premise “C derivable from A” we obtain “A→ C”,similarly for “C derivable from B” we get B → C.)


Example 2Assume we want to show that every prime number isequal to 2, equal to 3, or ≥ 5.

We want to make use of the proof above that everyprime number is equal to 2 or odd.

We assume a prime number.We know that it is equal to 2 or odd.In case it is equal to 2 we conclude that it is equal to2, equal to 3, or ≥ 5.In case it is odd, we conclude using the fact that it isprime and 1 is not prime, that it is equal to 3 or ≥ 5.Therefore it is equal to 2, equal to 3, or ≥ 5.Now from the elimination rule for ∨ we conclude thatthe prime number chosen is equal to 2, equal to 3, or≥ 5.


Example 3Assume a proof of A ∨B.

We want to show B ∨ A.We have A ∨B.From assumption A we obtain A and therefore by∨-introduction B ∨ A.From assumption B we obtain B and therefore by∨-introduction B ∨ A.By ∨-elimination we obtain from these threepremises B ∨A without any premises.


Example 3 (Cont.)In natural deduction, this proof is as follows (we writeA1, . . . , An ` B for B follows under assumptionsA1, . . . , An):

A ∨BA ` A

A ` B ∨AB ` B

B ` B ∨ AB ∨ A

Below we will see how to show this in Agda.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 556c

ImplicationWe write temporarily ⊃ for logical implication, in order todistinguish it from the function type→.

Below we see that ⊃ can be identified with→.

A ⊃ B is true iff, whenever A is true then B is true.

Therefore if there is a proof of A, there must be aproof of B.

Therefore a proof of A ⊃ B is a function, which takesa proof of A and computes a proof of B.

Therefore the set of proofs of A ⊃ B is the functiontype A→ B.

We can identify A ⊃ B with A→ B.


Implication (Cont.)With this identification, the introduction rule for →allows to form a proof of A ⊃ B from a proof of Bdepending on a proof p of A:

p : A⇒ q : B

λ(p : A).q : A ⊃ B

This means that, if we, from assumptions p:A canprove B

(i.e. we can make use of a context p : A for provingq : B)

then we can derive A ⊃ B without assuming p:A.


Implication (Cont.)This is what is expressed by the natural deductionintroduction rule for ⊃:

A···B

A ⊃ B


ExampleWe extend the proof that from a proof of A ∨B it followsB ∨A to a proof of

(A ∨B)→ (B ∨ A)

The previous proof can be easily transformed into aproof of A ∨B ` B ∨ A.

By→-introduction, it follows (A ∨B)→ (B ∨ A).


ExampleThe complete proof in natural deduction is as follows isas follows.

A ∨B ` A ∨BA ` A

A ` B ∨ AB ` B

B ` B ∨ AA ∨B ` B ∨ A

(A ∨B)→ (B ∨ A)


Implication (Cont.)The elimination rule for ⊃ allows to apply a proof p ofA ⊃ B to a proof of q of A in order to obtain a proof of B:

p : A ⊃ B q : Ap q : B

This means that we can derive from A ⊃ B and A thatB holds.

This is what is expressed by the natural deductionelimination rule for ⊃:

A ⊃ B AB


ExampleAssume we want to show A→ (A→ B)→ B.

We can show this as follows:From assumptions A and A→ B we can concludeA→ B.From assumptions A and A→ B we can conclude aswell A.Using the elimination rule for→, we conclude thatunder the same assumptions we get B.Using the introduction rule for→ we conclude fromassumption A that (A→ B)→ B holds.Using again the introduction rule for→ we concludethat A→ (A→ B)→ B holds without anyassumptions.


ExampleA proof in natural deduction is as follows:

A,A→ B ` A→ B A,A→ B ` A

A,A→ B ` B

A ` (A→ B)→ B

A→ (A→ B)→ B


Negation¬A has the same meaning as A ⊃ ⊥(where ⊥ is absurdity or the set False):

If there is no proof of A, then we can prove A ⊃ ⊥.If from any proof of A we can create a proof ofabsurdity, then there cannot be a proof of A, A mustbe false.

Therefore we can identify ¬A with A→ False.


Universal QuantificationSince we have many types, we have to write whenusing quantifiers explicitly the type, the bound variableis ranging over:We write therefore ∀x : A.B, ∃x : A.B.

∀x : A.B is true iff, for all x : A there exists a proof of B(with that x).

Therefore a proof of ∀x : A.B is a function, whichtakes an x:A and computes an element of B.

Therefore the set of proofs of ∀x : A.B is the dependentfunction type (x : A)→ B.

We can identify ∀x : A.B with (x : A)→ B.


Universal Quantification (Cont.)With this identification, the introduction rule for thedependent function type allows to form a proof of∀x : A.B from a proof of B depending on an elementx : A:

x : A⇒ p : B

λ(x : A).p : (∀x : A.B)

This means that, if we, from x:A can prove B, then weget a proof of ∀x : A.B which doesn’t depend on x : A.


Universal Quantification (Cont.)This is what is expressed by the natural deductionintroduction rule for ∀:

B∀x : A.B

wherex might not occur free in any assumption of theproof.

This is guaranteed in type theory, since x : A mustbe the last element of the context, so any otherassumptions must be located before it and cantherefore not depend on x:A.


Universal Quantification (Cont.)The conclusion will no longer depend on freevariables x.

This corresponds in type theory to the fact thatx:A does no longer occur in the context of theconclusion.


ExampleAssume one wants to show that for every naturalnumber n n + 0 == n.

In order to show this one assumes a natural number nand shows then that n + 0 == n.

then using the introduction rule for ∀ one concludes∀n : N.n + 0 == n.

In natural deduction, this proof is as follows (where theprove of n + 0 == n is not carried out):

n + 0 == n∀n : N.n + 0 == n


Universal Quantification (Cont.)The elimination rule for the dependent function typeallows to apply a proof p of ∀x : A.B to an element a : Ain order to obtain a proof of B[x := a]:

p : (∀x : A.B) a : A

p a : B[x := a]

This means that we can derive from ∀x:A.B and anelement of a:A that B[x:=a] holds.


Universal Quantification (Cont.)This is what is expressed by the natural deductionelimination rule for ∀

For the simple languages used in natural deduction,there is no need to derive that a : A;in more complex type theories we have to carryout this derivation.

∀x : A.B a : AB[x := a]


ExampleAssume a proof of ∀n : N.0 + n == n.

We want to condude that∀n,m : N.0 + (n + m) == (n + m).

This can be done as follows:One assumes n,m : N.Then one can conclude n + m : N.Using ∀n : N.0 + n == n and the elimination rule for ∀one concludes 0 + (n + m) == (n + m) underassumption n,m : N.Now using the introduction rule for ∀ twice it follows∀n,m : N.0 + (n + m) == (n + m).


ExampleIn natural deduction, this proof is written as follows:

∀n : N.0 + n == n

n : N,m : N ` n : N n : N,m : N ` m : N

n : N,m : N ` n + m : N

n : N,m : N ` 0 + (n + m) == (n + m)

n : N ` ∀m : N.0 + (n + m) == (n + m)

∀n,m : N.0 + (n + m) == (n + m)


Existential Quantification∃x : A.B is true iff there exists an a : A such thatB[x := a] is true.

Therefore a proof of ∃x : A.B is a pair 〈a,p〉 consistingof an element a : A and a proof p of B[x := a].

Therefore the set of proofs of ∃x : A.B is the dependentproduct (x : A)×B.

We can identify ∃x : A.B with (x : A)×B.


Existential Quantification (Cont.)With this identification, the introduction rule for thedependent product allows to form a proof of ∃x : A.Bfrom an element a : A and a proof p : B[x := a]:

a : A p : B[x := a]

〈a, p〉 : (∃x : A.B)

This is what is expressed by the natural deductionintroduction rule for ∃:

a : A B[x := a]

∃x : A.B


ExampleAssume we want to show ∀n : N.∃m : N.m > n.

In order to prove this one assumes first n : N.Then one concludes S n : N and S n > n.Using the introduction rule for ∃ one concludes∃m : N.m > n under the assumption n : N.Using the introduction rule for ∀ one concludes∀n : N.∃m : N.m > n.


ExampleIn natural deduction, this proof reads as follows:

n : N ` n : Nn : N ` S n : N n : N ` S n > n

n : N ` ∃m : N.m > n∀n : N.∃m : N.m > n


Existential Quantification (Cont.)The elimination rule for the dependent product allowsto project a proof p of ∃x : A.B to an element π0(p) : Aand proof π1(p) : B[x := π0(p)].

This kind of rule works only if we have explicit proofs.

From this we can derive a rule which is essentially thatused in natural deduction (in which one doesn’t haveexplicit proofs):

Assume:C : Set, which does not depend on x : A,p : (∃x : A.B) andx : A, y : B ⇒ c : C.

Then we have c[x := π0(p),y := π1(p)] : C, notdepending on x:A or y:B.


Existential Quantification (Cont.)Therefore the rule in natural deduction follows fromthe type theoretic rules:

∃x : A.B

x : AB···C

C

where the conclusion does not depend on x : A and B.

.


ExampleAssume we have shown∀n : N.∃m : N.m > n ∧ Prime(m).

We want to show that for all n there exist two primesabove it, i.e.

∀n : N.∃m : N.∃k : N.m > k∧k > n∧∧Prime(m)∧Prime(k) .

We can derive this as follows:Assume n : N.We have ∃m : N.m > n ∧ Prime(m).So assume m : N and m > n ∧ Prime(m).We have as well ∃k : N.k > m ∧ Prime(k).So assume k : N and k > m ∧ Prime(k).


ExampleThen we can conclude

m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)

and therefore as well

∃m, k : N.m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)

Now by ∃-elimination twice follows

n : N ` ∃m, k : N.m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)

without assuming m, k as above.By ∀-introduction follows

∀n : N.∃m, k : N.m > k ∧ k > n ∧ Prime(m) ∧ Prime(k)


ExampleThe formal proof in natural deduction is as follows(some of the primeses can be shown easily in naturaldeduction):


ExampleFirst step: Under the global assumption

n : N,m : N,m > n ∧ Prime(m), k : N, k > m ∧ Prime(k)

we prove the following

m : N

k : N m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)

∃k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)

∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)

So we have shown

n : N,m : N,m > n ∧ Prime(m), k : N, k > m ∧ Prime(k) `


Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571d

ExampleSecond step: Under the assumption

n : N,m : N,m > n ∧ Prime(m)

we can conclude

∃k : N.k > m ∧ Prime(k)

and then conclude by ∃-elimination and Step 1

∃k : N.k > m ∧ Prime(k)

k : N, k > m ∧ Prime(k) ` ∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)


Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571e

ExampleThird step: Again we can conclude

n : N ` ∃m : N.m > n ∧ Prime(m)

and then conclude by ∃-elimination and Step 2

n : N ` ∃m : N.m > n ∧ Prime(m)

n:N,m:N,m>n∧Prime(m) ` ∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)

n : N ` ∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)

∀n : N.∃m, k : N.m > n ∧ k > m ∧ Prime(m) ∧ Prime(k)

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 571f

Construct. (or Intuit.) LogicFrom type theoretic proofs we can directly extractprograms.

For instance, if p : (∀x : A.∃y : B.C(x, y)), then we havefor x : A it follows b := π0(p x) : B and π1(p x) : C(x, b).Therefore f := λx : A.π0(p x) is a function A→ B,and we have

λ(x : A).π1(p x) : (∀x : A.C(x, f x))

i.e. we have a proof that ∀x : A.C(x, f x) holds.Therefore, from a proof of ∀x : A.∃y : B.C(x, y), wecan extract a function, which computes the y fromthe x.


Constructive Logic (Cont.)We can derive as well a function which depending onp : A + B decides whether p= inl(a) or p = inr(b).

Therefore we can decide, from a proof of a disjunction,which of the disjuncts holds.

Now:Any function in type theory is recursive.We cannot decide the Turing Halting problem, i.e.we cannot decide for a Turing machine whether ithalts or not.Therefore we cannot prove in type theory

∀x : Turing_Machine.(x halts ∨ ¬(x halts))


Constructive Logic (Cont.)In classical logic we can prove the above, since wecan derive A ∨ ¬A (tertium non datur) for any formulaA.

In type theory, this law cannot hold, unless we don’twant that all programs can be evaluated.

The logic of type theory is intuitionistic(constructive) logic, in which A ∨ ¬A and ¬¬A→ Adon’t hold for all formulae A.


Constructive Logic (Cont.)In classical logic,∃x : A.B is equivalent to ¬∀x : A.¬B,A ∨B is equivalent to ¬(¬A ∧ ¬B).

If we take decidable atomic formulae only and replace∃x : A.B and A ∨B by the above formulae, then allformulae provable in classical logic are derivable.

This requires (¬¬A)→ A, which can be shown for allformulae built from decidable atomic formulae using¬,→, ∧, ∀.The formula A ∨ ¬A translates into ¬(¬A ∧ ¬¬A),which trivially holds, since ¬A and ¬¬A implies ⊥.

In this sense, type theory contains classical logic,but is richer, since it has as well so called strongdisjunction and existential quantification.


Constructive Logic (Cont.)

Proof (using classical logic) of

∃x : A.B↔ (¬∀x : A.¬B) :

We have classically:

¬¬A→ A :

If A is true, then ¬¬A→ A holds.If A is false, then ¬¬A is false, therefore ¬¬A→ Aholds.


Constructive Logic (Cont.)We show intuitionistically(¬∃x : A.B)↔ (∀x : A.¬B) :

Assume ¬∃x : A.B, x : A and show ¬B.If we had B, then we had ∃x : A.B, contradicting¬∃x : A.B. Therefore ¬B.Assume ∀x : A.¬B. Show ¬∃x : A.B:Assume ∃x : A.B. Assume x s.t. B holds.By ∀x : A.¬B we get ¬B, therefore a contradiction.

Now it follows (classically):

(∃x : A.B)↔ (¬¬∃x : A.B)↔ (¬∀x : A.¬B)


Constructive Logic (Cont.)Proof of

A ∨B↔ ¬(¬A ∧ ¬B) :

We show intuitionistically ¬(A ∨B)↔ (¬A ∧ ¬B) :Assume ¬(A ∨B). If A then A ∨B, a contradiction,therefore ¬A.Similarly we get ¬B, therefore ¬A ∧ ¬B.Assume ¬A ∧ ¬B, show ¬(A ∨B).Assume A ∨B. If A then a contradiction with ¬A,similarly with B.

Now it follows (classically):

(A ∨B)↔ ¬¬(A ∨B)↔ ¬(¬A ∧ ¬B)


Constructive Logic (Cont.)Weak disjunction and existential quantification isexpressed by the formulae ¬(¬A ∧ ¬B) and ¬∀x : A.¬B.

When using only weak disjunction, existentialquantification and decidable atomic formulae, weobtain classical logic.

Strong disjunction and existential quantificaton isexpressed by the original type theoretic formulae.


The Logical Connectives in AgdaImplication is represented by→ in Agda.

We can introduce the formula (or set) expressingA→ (A→ B)→ B as follows:

Lemma1 :: Set

= A→ (A→ B)→ B

A proof of Lemma1 is an element lemma1 of it.

So in order to prove Lemma1 we make the followinggoal:

lemma1 :: Lemma1

= ! !


The Logical Connectives in AgdaLemma1 :: Set = A→ (A→ B)→ B

lemma1 :: Lemma1

= ! !

The type of the goal is A→ (A→ B)→ B.

When the type of goal is an implication, it is usuallyshown

unless one has an assumption which matches thegoal directly

by λ-abstracting from the premises of the implication.

If one uses goal-menu intro, this is done automaticallyand Agda abstracts λ(a : A) and λ(ab : (A→ B)).


The Logical Connectives in AgdaOne obtains

lemma1 :: Lemma1

= λ(a :: A)→ λ(ab :: A→ B)→ ! !

Lemma1 was A→ (A→ B)→ B,

we have abstracted from A and A→ B,

so the type of the goal is the conclusion of theimplication, namely B.


The Logical Connectives in Agda

lemma1 :: Lemma1

= λ(a :: A)→ λ(ab :: A→ B)→ ! !

Type of goal is B

At the position of the goal we have context a :: A andab :: A→ B, because we have λ-abstracted thosevariables.

Can be checked by using goal-menu context.

We can take ab :: A→ B and apply it to a :: A in order toobtain ab a :: B, which solves the goal.


The Logical Connectives in AgdaWe obtain the following proof:

lemma1 :: Lemma1

= λ(a :: A)→ λ(ab :: A→ B)→ ab a

This is exactly the same as introducing a λ-term of typeA→ (A→ B)→ B.

See exampleproofproplogic1.agda


Implication in AgdaNote that in the previous example

ab is an element of the function type A→ B.a is an element of A

therefore ab a is an elment of B,therefore the typing is correct.


Implication in AgdaAs for λ-terms, the following is equivalent to thedefinition of lemma1 above, and therefore an equivalentproof of A→ (A→ B)→ B:

lemma1 (a :: A)

(ab :: A→ B)

:: B

= ab a



Conjunction in AgdaConjunction is represented as a product.

There are two products in Agda, therefore as well twoways of representing conjunction:

One using the logical framework product:

AND1 (A,B :: Set)

:: Set

= sig

and1 :: A

and2 :: B


Conjunction in AgdaOr using the product formed using data.We use a more meaningful name for the constructor:

AND2 (A,B :: Set)

:: Set

= data and(a :: A)(b :: B)



Conjunction in AgdaOne can write as well /\ for one of the versions ofconjunction, and use it infix.We write on slides ∧ for it, and get therefore:

(∧) (A,B :: Set)

:: Set

= data and(a :: A)(b :: B)

AB :: Set

= A ∧B


On the blackboard A→ A ∧A and A ∧B → A will nowbe shown in Agda.


Example (Conjunction)We prove (A ∧B)→ (B ∧ A) using both versions of theconjunction (see exampleproofproplogic6.agda):

lemma2a (ab :: AND1 A B)

:: AND1 B A

= struct

and1 = ab.and2

and2 = ab.and1

lemma2b (ab :: AND2 A B)

:: AND2 B A

= case ab of

(and a b) → and@_ b a


Conjunction with more Args.If one has a conjunction with more than oneconjunctions, e.g. A ∧B ∧ C, one can always express itusing the binary ∧:

As (A ∧B) ∧ C or A ∧ (B ∧ C).

But it is often more convenient to use a trinary versionof conjunction in one of the two versions.

Similarly one can introduce conjunctions of 4 or moreconjuncts.


Conjunction with more Args.

AND3a (A,B,C :: Set)

:: Set

= sig

and1 :: A

and2 :: B

and3 :: C

AND3b (A,B,C :: Set)

:: Set

= data and3 (a :: A) (b :: B) (c :: C)



Disjunction in AgdaOr is represented as disjoint union in type theory.

In Agda we can write \/ for it (on slides we write ∨) anddefine it as follows:

(∨) (A,B :: Set)

:: Set

= data or1(a :: A) | or2(b :: B)

See exampleproofproplogic7.agda.

On the blackboard A→ A ∨B and A ∨ A→ A will nowbe shown in Agda.


Example (Disjunction)The following derives (A ∨B)→ (B ∨ A):

lemma3 (ab :: A ∨B)

:: B ∨ A

= case ab of

(or1 a) → or2@_ a

(or2 b) → or1@_ b



Disjunction with more Args.As for the conjunction, it is useful to introduce specialternary versions of the disjunction (and versions withhigher arities):

OR3 (A,B,C :: Set)

:: Set

= data or1 (a :: A) | or2 (b :: B) | or3 (c :: C)



∀ in Agda∀x : A.B is represented by (x : A)→ B in Agda.

As an example,we define a <-operation on Bool using ff < tt

and show ∀x : Bool.¬(x < x).



Example (∀, Cont.)ff < tt should be true,

therefore as a formula equivalent to True,this is obtained by defining it as True.

tt < ff should be false,therefore as a formula equivalent to False,this is obtained by defining it as False.

Similarly tt < tt and ff < ff will be defined as False.


Example (∀, Cont.)First (<) is defined as follows:

(<) (a, b :: Bool)

:: Set

= case a of

(tt) → False

(ff) → case b of

(tt) → True

(ff) → False


Example (∀, Cont.)We introduce Not A:

Not (A :: Set)

:: Set

= A→ False

The statement that (<) is antireflexive is

∀a : Bool.¬(a < a)

which is represented in Agda as follows:

Lemma4 :: Set

= (a :: Bool)→ Not(a < a)


Example (∀, Cont.)

Lemma4 :: Set

= (a :: Bool)→ Not(a < a)

Since Not (a < a) = (a < a)→ False, we have

Lemma4 = (a :: Bool)→ Not (a < a)

= (a :: Bool)→ (a < a)→ False



Lemma4 = (a :: Bool)→ (a < a)→ False

We want to prove Lemma4.A proof of Lemma4 will be an elementlemma4::Lemma4.

So we have to solve the following goal:

lemma4 :: Lemma4

= ! !

The type of the goal is

Lemma4 = (a :: Bool)→ (a < a)→ False



lemma4 :: Lemma4

= ! !

Type of goal is Lemma4 = (a :: Bool)→ (a < a)→ False.

An element of (a :: Bool)→ (a < a)→ False can beintroduced by λ-abstracting λ(a :: Bool) andλ(aa :: (a < a)):

lemma4 :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

! !

The type of goal is now the conclusion of(a :: Bool)→ (a < a)→ False, namely False.



lemma4 :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

! !

Type of goal is False.

We need to make use of our assumptions, namelya :: Bool and aa :: a < a.

a < b is defined by case disjinction on a and b.Unless we know that a = tt or a = ff, we don’tknow much about a < a.So it seems to be a good step to make casedistinction on a.



lemma4 :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

case a of

(tt) → ! !

(ff) → ! !

The type of both goals is the same as before, namelyFalse, since it wasn’t dependent on a.



lemma4 :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

case a of

(tt) → ! !

(ff) → ! !

However, we know now more about the assumptionsaa :: a < a.

In case of a = tt, we have a < a = (tt < tt) = False

In case of a = ff, we have a < a = (ff < ff) = False



lemma4 :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

case a of

(tt) → ! !

(ff) → ! !

Since in both goals we have a :: (a < a) = False, we cancan make case distinction on aa, which is the emptycase distinction.


Example (∀, Cont.)We finish our proof as follows:

lemma4 :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

case a of

(tt) → case aa of

(ff) → case aa of


Example (∀, Cont.)In the previous example,

the type of goal was False,and aa : False.

So we could instead of using the empty case distinctiondirectly inserted aa in those goals:

lemma4a :: Lemma4

= λ(a :: Bool)→

λ(aa :: a < a)→

case a of

(tt) → aa

(ff) → aa


∃ in Agda∃x : A.B is represented by one of the two dependentproducts in Agda.

Using meaningful names, we can define ∃x : A.B asfollows:

Version1 :: Set

= sig

a :: A

b :: B[x := a]

Version2 :: Set

= data exists (a :: A)(b :: B[x := a])


∃ in AgdaAbove B[x := a] is the result of substituting in B for x thevariable a.


Example (∃)As an example,

we define negation ¬ on Bool,define an equality (==) on Bool,and show ∀a : Bool.∃b : Bool.a == ¬ b.



Example (∃)First (==) is defined as follows:

(==) (a, b :: Bool)

:: Set

= case a of

(tt) → case b of

(tt) → True

(ff) → False

(ff) → case b of

(tt) → False

(ff) → True


Example (∃, Cont.)¬ is defined as follows:

neg (a :: Bool)

:: Bool

= case a of

(tt) → ff

(ff) → tt


Example (∃, Cont.)In order to introduce the statement, we introduce firstthe formula ∃b : Bool.a == ¬ b depending on a : Bool:

Lemma5aux (a :: Bool)

:: Set

= sig

b :: Bool

ab :: a == neg b

The statement ∀a : Bool.∃b : Bool.a == ¬b is now asfollows:

Lemma5 :: Set

= (a :: Bool)→ Lemma5aux a


Example (∃, Cont.)A proof of Lemma5 is an element

lemma5 :: Lemma5

and we get the goal

lemma5 :: Lemma5

= ! !

The type of goal is

Lemma5 = (a :: Bool)→ Lemma5aux a

Any goal of funtion type is usually best solved by usingλ-abstracting.


Example (∃, Cont.)

Lemma5 :: Set

= (a :: Bool)→ Lemma5aux a

We get

lemma5 :: Lemma5

= λ(a :: Bool)

→ ! !

The type of the goal is

Lemma5aux a = sig

b :: Bool

ab :: a == neg b



lemma5 :: Lemma5

= λ(a :: Bool)

→ ! !

Type of goal is

sig

b :: Bool

ab :: a == neg b

We cannot show this goal universally for all a directly.We have to provide a different b depending onwhether a = tt or a = ff.So we need to make case distinction on a.


Example (∃, Cont.)We get

lemma5 :: Lemma5

= λ(a :: Bool)

→ case a of

(tt) → ! !

(ff) → ! !



lemma5 :: Lemma5

= λ(a :: Bool)→ case a of (tt) → ! !

(ff) → ! !

In case of a = tt, the type of goal is

Lemma5aux tt = sigb :: Bool;

ab :: tt == neg b

So we can use goal menu intro and obtain:



lemma5 :: Lemma5

= λ(a :: Bool)→ case a of

(tt) → struct

b = ! !

ab = ! !

(ff) → ! !

The first goal can be solved by setting b := ff.

Then the type of the second goal is(tt == neg b) = (tt == neg ff)

= (tt == tt)

= True

which can be solved by setting ab := true.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 602

Example (∃, Cont.)So we get:lemma5 :: Lemma5


(tt) → struct

b = ff

ab = true

(ff) → ! !

In case a = ff, we use again intro and obtain:



lemma5 :: Lemma5


(tt) → struct

b = ff

ab = true

(ff) → struct

b = ! !

ab = ! !

The case a = ff can be solved in a similar way bysetting b = tt, ab = true.


Example (∃, Cont.)The resulting proof is as follows:lemma5 :: Lemma5


(tt) → struct

b = ff

ab = true

(ff) → struct

b = tt

ab = true


Complex ExampleWe assume A,B : Set and equality relations on A,B:

postulate A :: Set

postulate EqA :: A→ A→ Set

postulate B :: Set

postulate EqB :: B→ B→ Set

We will introducethe disjoint union AB of A and B

an equality EqAB on AB

and show that if EqA and EqB are symmetric, so isEqAB.

See exampleDisjointUnionEqual.agda.


Equality SetsEqA (and EqB) could be decidable equalities,

i.e. EqA = λ(a, b :: A)→ atom (eqboolA a b),where eqboolA :: A→ A→ Bool,

Or an undecidable equality.E.g. the equality on N→ N is in standard logic

f = g :⇔ ∀n : N.f(n) = g(n)

which reads in Agda as follows:

EqN_N (f, g :: N→ N)

:: Set

= (n :: N)→ f n == g n

where == is the equality on N.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 605a

Undecidable EqualitiesThe last equality is undecidable, since in order to checkwhether EqN_N f g holds we have to check for all n : Nwhether f n = g n holds


Complex Example (Cont.)The formation of A + B is straightforward:

(+) (A,B :: Set)

:: Set

= data inl(a :: A) | inr(b :: B)


Complex Example (Cont.)We define the equality EqAB on A + B as follows:

Assume ab, ab′ : A + B.If one is of the form inl a and the other of the forminr b, then EqAB ab ab′ should be false, so we define

EqAB (inl a) (inr b) = EqAB (inr a) (inl a) = False .

If they are of the form inl a and inl a′, respectively,then EqAB ab ab′ should be true if EqA a a′ holds.

This can be achieved by defining

EqAB (inl a) (inla′) = EqA a a′ .


Complex Example (Cont.)If they are of the form inr b and inr b′, respectively,then EqAB ab ab′ should be true if EqB b b′ holds.

This can be achieved by defining in this case

EqAB (inr b) (inr b′) = EqB b b′ .

The above equations will be definitional equalities, i.e.for instance EqAB (inl a) (inl a′) will rewrite to EqA a a′.


Complex Example (Cont.)The definition of EqAB is as follows:

EqAB :: (A + B)→ (A + B)→ Set

= λ(ab, ab′ :: A + B)→

case ab of

(inl a) → case ab′ of

(inl a′) → EqA a a′

(inr b′) → False

(inr b) → case ab′ of

(inl a′) → False

(inr b′) → EqB b b′


Complex Example (Cont.)The following code is equivalent to the previous code:

EqAB (ab, ab′ :: A + B)

:: Set

= case ab of


(inl a′) → EqA a a′

(inr b′) → False


(inl a′) → False

(inr b′) → EqB b b′


Complex Example (Cont.)We introduce the formulae expressing that EqA, EqB,EqAB are symmetric:

Symmetry of EqA is the formula

∀a, a′ : A.EqA a a′ → EqA a′ a

which translates as follows:

SymA :: Set

= (a, a′ :: A)→ EqA a a′ → EqA a′ a


Complex Example (Cont.)The others are similar:

SymB :: Set

= (b, b′ :: B)→ EqB b b′ → EqB b′ b

SymAB :: Set

= (ab, ab′ :: A + B)→ EqAB ab ab′ → EqAB ab′ ab


Formulae vs. ProofsNote that SymA is the statement expressing that EqA issymmetric.

It is not a proof that EqA is symmetric.We can define SymA independently of whether EqAis symmetric or not.A proof that EqA is symmetric is an element ofSymA, i.e a term symA s.t.

symA :: SymA

Note that we don’t have to show that SymA holds.We have to show that if SymA and SymB hold, thenSymAB holds.


Complex ExampleWhat we want to show is that SymA and SymB impliesSymAB.

So we need to solve

symAB :: SymA→ SymB→ SymAB

= ! !

As pointed out before, it is equivalent and moreconvenient to define symAB as follows:

symAB (symA :: SymA)

(symB :: SymB)

:: SymAB

= ! !


Complex Example


(symB :: SymB)

:: SymAB

= ! !

The type of the goal is SymAB which is(ab, ab′ :: A + B)→ EqAB ab ab′ → EqAB ab′ ab.

An element of this type can be introduced by a λ-term,and using agda-goal-menu “intro” results in the code onthe next slide.


Complex Example


(symB :: SymB)

:: SymAB

= λ(ab, ab′ :: A + B)→

λ(abab′ :: EqAB ab ab′)→

! !

The type of the goal is now EqAB ab′ ab.

We make case distinction on ab and ab′ and obtain thefollowing:


Complex Example


(symB :: SymB)

:: SymAB

= λ(ab, ab′ :: A + B)→


case ab of


(inl a′) → ! !

(inr b′) → ! !


(inl a′) → ! !

(inr b′) → ! !


Complex Example (Cont.)In case ab = inl a and ab′ = inl a′ we

have to show

EqAB ab′ ab , which is equal to EqA a′ a

and have as assumption

abab′ :: EqAB ab ab′ , which is equal to EqA a a′ .

So we have to derive from abab′ : EqA a a′ anelement of EqA a′ a.We have

symA : (a, a′ :: A)→ EqA a a′ → EqA a′ a .

Therefore we can apply symA to a, a′ and abab′.


Complex Example (Cont.)(Case ab = inl a, ab′ = inl a′)

We obtain

symA a a′ abab′ : EqA a′ a

Since EqA a′ a = EqAB ab′ ab we get as well

symA a a′ abab′ : EqAB ab′ ab

and can use this to solve our first goal.


Complex Example


(symB :: SymB)

:: SymAB

= λ(ab, ab′ :: A + B)→


case ab of


(inl a′) → symA a a′ abab′

(inr b′) → ! !


(inl a′) → ! !

(inr b′) → ! !


Complex Example (Cont.)In case ab = inr b and ab′ = inr b′ we can similarly use

symB b b′ abab′

in order to solve our goal.

In case ab = inl a, and ab′ = inr b

we have EqAB ab ab′ = False,therefore

abab′ : False ,

therefore empty case distinction on abab′ solves thegoal.


Complex Example (Cont.)Similarly, in case ab = inl a, and ab′ = inr b we have that

abab′ : False

and again empty case distinction on abab′ solves thegoal.

The complete solution is on the next slide.


Complex Example


(symB :: SymB)

:: SymAB

= λ(ab, ab′ :: A + B)→


case ab of



(inr b′) → case abab′ of


(inl a′) → case abab′ of

(inr b′) → symB b b′ abab′


Complex ExamleWhen we made the empty case distinctions, our goalwas of type False.

Since in those cases abab′ : False, we could have solvedthe goal as well by directly inserting abab′ in thosecases.

On the next slide is this alternative solution.


Alternative SolutionsymAB′ (symA :: SymA)

(symB :: SymB)

:: SymAB

= λ(ab, ab′ :: A + B)→


case ab of



(inr b′) → abab′


(inl a′) → abab′

(inr b′) → symB b b′ abab′


Remark on Case DistinctionCase distinction over complex expressions causesproblems in Agda.

Example(exampleCaseDistinctionComplexExpression.agda):

Assume we have defined ProdBool as the product oftwo Boolean values:

ProdBool :: Set

= sig

first :: Bool

snd :: Bool


Remark on Case DistinctionAssume we want to define a function as follows:

f (pair :: ProdBool)

(p :: atom(and pair.first pair.snd))

:: atom pair.first

= case pair.first of

(tt) → ! !

(ff) → ! !

Although in the case distinctionwe know that pair.first = tt,therefore the type of the goal should beatom pair.first = True,Agda won’t accept to insert true there.


Remark on Case DistinctionThe reason is that Agda will use in its reductionmechanism

only reductions from variables to other expressions,but no reductions of complex expressions toother expressions.

It would be very expensive to check reductions forcomplex expressions:

This would mean to check whether anysubexpression of an expression matches the leftside of any of those reductions.Checking whether a variable which reduces occursin a expression is instead a cheap operation.


WorkaroundOne can work around this problem by defining anauxiliary function, which depends on a variablerepresenting the complex expression.

Then make case distinction on this single variable.

In the example above define:

h (a, b :: Bool)

(p :: atom(and a b))

:: atom a

= case a of

(tt) → true

(ff) → case p of


WorkaroundNow one can define the function in question in terms ofthe auxiliary function:

f (pair :: ProdBool)

(p :: atom(and pair.first pair.snd))

:: atom pair.first

= h pair.first pair.second

In the example h had only as arguments thesubexpressions of the complex expression in question.

In general it might depend on other variables whichform the context of the complex expression inquestion.


(x::A)→ B vs. λ(x::A)→ sThere seems to be a confusion about the twoexpressions

(x :: A)→ B vs. λ(x :: A)→ s

(x :: A)→ B is the dependent function set.It is a set (or a type or a kind or a higher kind).Because it is a set, it makes sense to talk aboutr :: ((x :: A)→ B).

r :: C makes only sense if C is a set or a type or akind or a higher kind.

λ(x :: A)→ s is a function, which applied to x :: Areturns s.

a :: (λ(x :: A)→ s) never makes sense, sinceλ(x :: A)→ s is not a set or type or (higher) kind.


(x::A)→ B vs. λ(x::A)→ sEspecially, λ(x :: A)→ Set is a function which returns forx :: A the type Set.

Note thatA (b :: B)

:: Set

= d

is an abbreviation for

A :: (b :: B)→ Set

= λ(b :: B)→ d

So A defined as such is a function, not a set.It does not make sense to talk about c :: A.

Would be the same as c :: (λ(b :: B)→ d).Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(f) 632

(x::A)→ B vs. λ(x::A)→ s

A (b :: B)

:: Set

= d

It does make sense to talk about

c :: (b :: B)→ A b

Since (b :: B)→ A b is a set.


(g) The Set of Natural NumbersThe set N is the type theoretic representation of the setN := 0, 1, 2, , . . . , .

N can be generated bystarting with the empty set,adding 0 to it, andadding, whenever we have x in it x + 1 to it.


The Set of Natural Numbers (Cont.)Let S be a type theoretic notation for the operationx 7→ x + 1.

Then the type theoretic rules are

N : Set

0 : N

n : NS n : N


Primitive RecursionPrimitive Recursion expresses:Assume we have

a : N.and, if n : N, x : N then g n x : N.

Then we can define f : N→ N, s.t.f 0 = a,f (S n) = g n (f n).


Primitive Recursion (Cont.)The computation of f n proceeds now as follows:

Compute n.If n = 0, then the result is a.Otherwise n = S n′.

We assume that we have determined already howto compute f n′.Now f n reduces to g n′ (f n′).g n′ (f n′) can be computed, since we know how tocompute· g· f n′.


ExampleThe function f : N→ N with f n = 2 · n can be definedprimitive recursively by:

f 0 = 0.f (S n) = S (S (f n)).

Therefore take in the definition above:a = 0,g n x = S (S x).


Generalized Primitive RecursionWe can generalize primitive recursion as follows:

First we can replace the range of f by an arbitraryset C

i.e. we allow for any set C

f : N→ C

Further, C can now depend on N.

We obtain the following set of rules:


Rules for the Natural NumbersFormation Rule

N : Set

Introduction Rules0 : N

n : NS n : N


Rules for the Natural NumbersElimination Rule

C : N→ Seta : C 0

f : (x : N)→ C x→ C (S x)n : N

P C a f n : C n

Equality RulesP C a f 0 = a

P C a f (S n) = f n (P C a f n)


Rules for the Natural NumbersNote that if we define in the elimination rule g := P C fthen

The conclusion of the elimination rule reads:

g n : C n

which means that

λ(n : N).g n : (n : N)→ C n .

The equality rules read:

g 0 = a

g (S n) = f n (g n)


Logical Framework Rules for NThe more compact notation is:

N : Set,0 : N,S : N→ N,

P : (C : N→ Set)

→ C 0

→ ((x : N)→ C x→ C (S x))

→ (n : N)

→ C n .


Natural Numbers in AgdaN is defined using data:

data N = Z | S(n :: N)

(Unfortunately, 0 is not an acceptable name in Agda).

Therefore we have

Z :: N

S :: N→ N


Elimination Rules for N in AgdaElimination is represented in Agda as before via casedistinction.

Assume we want to define

f (n :: N)

:: A

= ! !

A possibly depending on n,

Then we can type into the goal n and use the menuagda-case.


Elimination Rules for N in AgdaWe get

f (n :: N)

:: A

= case n of

(Z) → ! !

(S n′) → ! !


Elimination Rules for N in AgdaFor solving the goals, we can now make use of f.That will be accepted by the type checker.

However, if we use of full f , and then use menu item“check-termination” , we might obtain anerror-message.

If wedo not make use of f in the case n=Z andonly use of f n′ in case n = S n′.

then check-termination succeeds.


Elimination Rules for N in AgdaIf check-termination succeeds, the definition shouldbe correct.

(The lecturer hasn’t checked the algorithm).

However, if check-termination fails, the definitionmight still be correct.


Power of Termination CheckThe following definition of the Fibonacci numbers can’tbe defined this way directly using the rules of typetheory, but it can be defined in Agda as follows andcheck-termination accepts it:(one := S Z):

fib (n :: N)

:: N

= case n of

(Z) → one

(S n′) → case n′ of

(Z) → one

(S n′′) → fib n′ + fib n′′


Limitations of Termination CheckerAssume we define the predecessor function

pred (n :: N)

:: N

= case n of

(Z) → Z

(S n′) → n′

i.e

pred(n) =

0 if n = 0

n− 1 otherwise.


Limitations of Termination CheckerThen the function

f (n :: N)

:: N

= case n of

(Z) → Z

(S n′) → f (pred n)

terminates always(it returns for all n : N the value Z).

However, check-termination fails.


Limitations of Termination CheckerBecause of the undecidability of the Turing haltingproblem

it is undecidable whether a recursively definedfunction terminates or not

there is no extension of check-termination, whichaccepts exactly all in Agda definable functions,which terminate for all inputs.


Limitations of Termination CheckerUnfortunately, Agda does currently not deal withsimultaneous recursion

i.e. the situation, where we decrease in one casew.r.t. one variable, in another case w.r.t. anothervariable.

In order to deal with this situation, one has to rearrangeproofs.

On next slide there is an example of a proof whichresults in non-termination, although each recursive calldescends.

Refers to a definition of (<) :: (n,m :: N)→ Set whichwill be introduced below.


Example

mono (n, k,m :: N)(p :: n < k) :: (n + m) < (k + m)

= case n of

(Z) → case k of

(Z) → case p of

(S k′) → case m of

(Z) → true

(S m′) → mono n k m′ p

(S n′) → case k of

(Z) → case p of


(Z) → mono n′ k′ m p



Version accepted by AgdaThe following version will be accepted by thetermination checker:

(this version corresponds exactly to induction on m)

mono (n, k,m :: N)

(p :: n < k)

:: n + m < k + m

= case m of

(Z) → p



Amendment of Non-Termin. VersionIf one cannot reduce a non-terminating version directlyin one with only one descend, one can use auxiliarylemmata instead.

For instance in the previous non-terminating version, ifone doesn’t observe the previous much better solution,one can

replace the first reference to mono by a reference toa lemma.

(this change is not really necessary, since only thesecond reference is responsible for rejection bythe termination checker)

and observe that the second reference can bereplaced by p.


Amendment of Non-Termin. Version

lemma (m, k :: N)

:: Z + m < S k + m

= case m of

(Z) → true

(S m′) → lemma m′ k


mono (n, k,m :: N)(p :: n < k) :: (n + m) < (k + m)

= case n of

(Z) → case k of

(Z) → case p of


(Z) → true

(S m′) → lemma m′ k′

(S n′) → case k of

(Z) → case p of


(Z) → p



Example: AdditionDefinition of + in Agda:

(+) (n,m :: N)

:: N

= case m of

(Z) → n

(S m′) → S (n + m′)

The definition expresses:

n + 0 = n

n + (m′ + 1) = (n + m′) + 1


Example: AdditionNote that (+) is used infix, i.e. we write n + m for(+) n m.

If m = Sm′, the definition of (+) n m refers to (+) n m′,(+) n m′ is defined before (+) n m sincem′ is introduced before m.


Example: MultiplicationDefinition

(∗) (n,m :: N)

:: N

= case m of

(Z) → Z

(S m′) → n ∗m′ + n

The definition expresses:

n · 0 = 0

n · (m′ + 1) = (n ·m′) + n


Example: Multiplication (Cont.)Again ∗ is treated infix.

Agda has built in that ∗ binds more than +.n ∗m′ + n is treated as (n ∗m′) + n.

Note that the definition of ∗ requires, that+ is already defined.


Equality on NThe equality (n == m) ::Set for n,m :: N can be definedusing the equations:

(Z == Z) = True.(Z == S n) = (S n == Z) = False.(S n == S m) = (n == m).


Equality on N (Cont.)From this one can now derive a definition in Agda:

(==) (n,m :: N)

:: Set

= case n of

(Z) → case m of

(Z) → True

(S m′) → False

(S n′) → case m of

(Z) → False

(S m′) → (n′ == m′)


Reflexivity of ==Reflexivity of == is the formula:

∀n : N.n == n

Type theoretically this means that we have to define afunction refl:

refl (n : N)

:: n == n

= ! !


Reflexivity of == (Cont.)This can now be shown using case distinction:

refl (n : N)

:: n == n

= case n of

(Z) → ! !

(S n′) → ! !


Reflexivity of == (Cont.)Case n = Z is trivial.

Case n = S n′ can be solved using refl n′ (which isdefined before refl n′).


Symmetry of ==Symmetry of == is the formula:

∀n,m : N.n == m→ m == n

Type theoretically this means that we have to define afunction sym:

sym (n,m : N)

(p :: n == m)

:: m == n

= ! !


Symmetry of == (Cont.)This can now be shown using case distinction:

sym (n,m : N)

(p :: n == m)

:: m == n

= case n of

(Z) → case m of

(Z) → ! !

(S m′) → ! !

(S n′) → case m of

(Z) → ! !

(S m′) → ! !


Symmetry of == (Cont.)The first goal can be solved by using true (since(Z == Z) = True).

For the second goal we know p is an element ofZ == S m′ which is False.

Therefore if we make case distinction on p we get

case p of

and have solved the second goal.

Similarly the third goal can be solved.


Symmetry of == (Cont.)In the fourth goal, we have as type of goal S m′ == S n′

which is identical to m′ == n′.The type of p is S n′ == S m′ which is identical ton′ == m′.

The goal can be solved by using sym n′ m′ p.Note that we can use here p since it is oftype n′ == m′.

It is correct to use it sincen′ is introduced before n.· Therefore

sym n′ can be defined before sym n.This definition will beaccepted by check-termination.


Example: < on NThe following introduces < on N:

(<) (n,m :: N)

:: Set

= case m of

(Z) → False

(S m′) → case n of

(Z) → True

(S n′) → n′ < m′


Example: Tuples of Length nWe define tuples (or vectors) of length n in Agda.

Define first

data Nil = nil

Cons (A,B :: Set)

:: Set

= data cons(a :: A)(b :: B)


Tuples of Length nNow we can define

Tuple (A :: Set)

(n :: N)

:: Set

= case n of

(Z) → Nil

(S m′) → Cons A (Tuple A m′)


Tuples of Length nTherefore (with the obvious definition of two),

Tuple A n = Cons A (Cons A · · · (Cons A︸︷︷︸n times

Nil) · · · )) .

The elements of Tuple A n are

cons a1 (cons a2 · · · (cons an nil) · · · )

for elements a1, . . . , an of A.

In ordinary mathematical notation, we would write〈a1, . . . , an〉 for such an element.


Remarks on Tuples of Length nIn ordinary mathematics, we would define

Tuple(A, 0) := 〈〉 ,

Tuple(A, n + 1) := 〈a1, . . . , an+1〉 | a1, . . . , an+1 ∈ A .


Remarks on Tuples of Length nIf we define

nil := 〈〉 ,

cons(a1, 〈a2, . . . , an+1〉) := 〈a1, . . . , an+1〉 ,

then this reads:

Tuple(A, 0) := nil ,

Tuple(A, n + 1) := cons(a, b) | a ∈ A ∧ b ∈ Tuple(A, n) .


Remarks on Tuples of Length nIn the type theoretic definition we have constructors

nil :: Tuple A Z

cons@(Tuple A (S n)) :: A→ Tuple A n→Tuple A (S n).

This is the type theoretic analogue of the previousdefinitions.


Example: Sum of n-TuplesDefine

NTuple (n :: N)

:: Set

= Tuple N n

NTuple n are tuples of natural numbers of length n.


Componentwise Sum of n-TuplesWe define component-wise sum of tuples of lengthn.

Using mathematical notation, this sum for instanceas follows:

〈2, 3, 4〉 + 〈5, 6, 7〉 = 〈7, 9, 11〉 .


Componentwise Sum of n-Tuples

sumNTuple (n :: N)

(avec, bvec :: NTuple n)

:: NTuple n

= case n of

(Z) → nil

(S n′) →

case avec of

(cons a avec′) →

case bvec of

(cons b bvec′) →

cons@_ (a + b)

(sumNTuple n′ avec′ bvec′)


(h) ListsWe define the set of lists of elements of type A in Agda.

We have two constructors:nil, generating the empty list.cons, adding an element of A in front of a list

So we define lists as:

list (A :: Set)

:: Set

= data nil

| cons(a :: A) (l :: list A)

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(h) 682

Elimination Rule for ListsElimination rule uses list-recursion:Assume

A : Set

C :: Set, depending on l :: list A.Then we can define

f (l :: list A)

:: C

= case l of

(nil) → ! !

(cons a l′) → ! !

and in the second goal we can make use of f l′.


Example: Length of a List

length (l :: list N)

:: N

= case l of

(nil) → Z

(cons a l′) → S (length l′)


Example: sumlistsumlist l will compute the sum of the elements of list l.

sumlist (l :: list N)

:: N

= case l of

(nil) → Z

(cons n l′) → n + sumlist l′


Interesting ExerciseDefine

append : (A : Set)→ (list A)→ (list A)→ list A ,

s.t. append A l l′ is the result of appending the list l′ atthe end of list l.

E.g., if a, b, c, d are elements of A,and if we define cons := cons@(list A), nil := nil@(list A),then:

append A (cons a (cons b nil)) (cons c (cons d nil))

= cons a (cons b (cons c (cons d nil)))


(i) UniversesA universe U is a set, the elements of which are codesfor sets.

So we haveU : Set,T : U→ Set (the decoding function).

We consider in the following a universe closed underFin0, Fin1, Bool,N,+,Σ,the dependent function type.

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(i) 687

Rules for the UniverseFormation Rule

U : Set

a : UT a : Set


Rules for the UniverseIntroduction and Equality Rules

Fin0 : U T(Fin0) = Fin0 : Set

Fin1 : U T(Fin1) = Fin1 : Set

Bool : U T(Bool) = Bool : Set


Rules for the UniverseIntroduction and Equality Rules (Cont.)

a : U b : Ua + b : U

T(a + b) = T(a) + T(b) : Set

a : U b : T(a)→ U

Σ(a, b) : U

T(Σ(a, b)) = Σ T(a) (λx.T (b x)) : Set


Rules for the UniverseIntroduction and Equality Rules (Cont.)

a : U b : T(a)→ U

Π(a, b) : U

T(Π(a, b)) = (x : T(a))→ T (b x) : Set


Elimination and Equality RulesThere exist as well elimination rules and correspondingequality rules for the universe.

They are very long (one step for each of constructor ofU) and are not very much used.

They follow the principles present in previous rules.


Applications of the UniverseOrdinary elimination rules don’t allow to eliminate intoSet.

However often, one can verify, that all sets needed are“elements of a universe”,

i.e. there are codes in the universe representingthem.

Then one can eliminate into the universe instead of Setand use T to obtain the required function.


Applications of the UniverseExample: Define

atom : Bool→ U ,

atom := CaseBool (λ(x : Bool).U) Fin1 Fin0 ,

atom : Bool→ Set ,

atom : λ(x : Bool).T (atom x) ,

Thenatom tt = Fin1,atom ff = Fin0.


Universes in AgdaU and T need to be defined simultaneously.

Usually Agda type checks definitions in sequence,so no reference to later definitions possible.Special construct mutual.

Everything in the scope of it is type checkedsimultaneously.Scope determined by indentation.


Universes in Agda (Cont.)

mutual

U :: Set

= data Nhat

| Finzerohat

| Finonehat

| Boolhat

| Sigmahat (a :: U)(b :: T a→ U)

| Pihat (a :: U)(b :: T a→ U)


Universes in Agda (Cont.)T in the following is to be intended the same as U:

T (u :: U)

:: Set

= case u of

(Nhat) → N

(Finzerohat) → Finzero

(Finonehat) → Finone

(Boolhat) → Bool

(Sigmahat a b) → Sigma (T a)

(λ(x :: T a)→ T (b x))

(Pihat a b) → (x :: T a)→ T (b x)


(j) Algebraic TypesThe construct “data” in Agda is much more powerfulthan what is covered by type theoretic rules.

In general we can define now sets having arbitrarilymany constructors with arbitrarily many arguments ofarbitrary types.

A :: Set

= data C1(a11 :: A11)· · ·(a1n1 :: A1n1)

| C2(a21 :: A21)· · ·(a2n2 :: A2n2)

· · ·

| Cm(am1 :: Am1)· · ·(amnm:: Amnm)

Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 698

Meaning of “data”The idea is that A as before is the least set A s.t. wehave constructors:

Ci@A :: (ai1 :: Ai1)-> · · ·-> (aini :: Aini)-> A

where a constructor always constructs new elements.

In other words the elements of A are exactly thoseconstructed by those constructors.


Strictly Positive Algebraic TypesIn the types Aij we can make use of A.

However, it is difficult to understand A, if we havenegative occurrences of A.Example:A :: Set

= data C (f :: A -> A)What is the least set A having a constructorC@A :: (f :: A -> A)

-> A ?


Strictly Positive Algebraic TypesIf we

have constructed some part of A already,find a function f:: A -> A, andadd C@ f to A,

then f might no longer be a function A -> A.(f applied to the new element C@ f might not bedefined).In fact, “agda-check-termination” issues a warning, ifwe define A as above.We shouldn’t make use of such definitions.


Strictly Positive Algebraic TypesA “good” definition is the set of lists of natural numbers,defined as follows:

Nlist :: Set= data nil

| cons (a:: N)(l :: Nlist)

The constructor cons@ of N-lists refers to Nlist, butin a positive way:We have: if a :: N and l :: Nlist, then we havecons@ a l :: Nlist.


Strictly Positive Algebraic TypesIf we add cons@ a l to Nlist, the reason foradding it (namely l:: Nlist) is not destroyed bythis addition.So we can “construct” the set Nlist by

starting with the emptyset,adding nil@ andclosing it under cons@ whenever possible.

Because we can “construct” Nlist, the above is anacceptable definition.


Strictly Positive Algebraic TypesIn general:A :: Set= data C1 (a11:: A11) · · · (a1n1:: A1n1)

| C2 (a21:: A21) · · · (a2n2:: A2n2)· · ·| Cm (am1:: Am1) · · · (amnm:: Amnm)

is a strictly positive algebraic type, if all Aij are

either types which don’t make use of Aor are A itself.

And if A is a strictly positive algebraic type, then A isacceptable.

The definitions of finite sets, Σ A B, A + B and N werestrictly positive algebraic types.


One further ExampleThe set of binary trees can be defined as follows:Bintree :: Set

= data leaf| branch (left :: Bintree)

(right :: Bintree)

This is a strictly positive algebraic type.


Extensions of Strict.Pos. Alg. TypesAn often used extension is to define several setssimultaneously inductively.

Example: the even and odd numbers:mutualEven :: Set

= data Z | S (n:: Odd)

Odd :: Set= data S (n::Even)

In such examples the constructors refer strictly positiveto all sets which are to be defined simultaneously.


Extensions of Strict.Pos. Alg. TypesWe can even allow Aij = B1− > A or evenAij = B1− > · · · − > Bl− > A, where A is one of thetypes introduced simultaneously.

Example (called “Kleene’s O”:

O:: Set= data leaf

| succ (o::O)| lim (f :: N -> O)

The last definition is unproblematic, since, if we have f:: N -> O and construct lim@ f out of it, addingthis new element to O doesn’t destroy the reason foradding it to O.

So again O can be “constructed”.Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 3(j) 707

Elimination Rules for dataFunctions from strictly positive algebraic types can nowbe defined by case distinction as before.

For termination we need only that in the definition of f ,when have to define f (C@ a1 · · · an), we can referonly to f applied to elements used in C@ a1 · · · an.


ExamplesFor instance

in the Bintree example, when defining

f :: Bintree− > A

by case-distinction, then the definition of

f (branch@_ left right)

can make use of f left and f right.


ExamplesIn the example of O, when defining

g :: O− > A

by case-distinction, then the definition of

g (lim@_ f)

can make use of g (f n) for all n:: N.


Revision Lecture1.2.3.

Interactive Theorem Proving, CS 336, Lentterm 2004, Revision Lecture 711

GeneralAccording to my data, exam Wednesday 19 May, 2 pm,Arts Hall.

Please check.

Essentially everything needed should be containedin the notes.

I will come to the exam in the first half hour (approx.; ifyou have questions ask then).

All three courseworks are preparation for the exam.


Structure of the Exam3 Questions.

Question 1, 2, 3 will be related to coursework 1, 2, 3,respectively.

Question 1 will be mainly on the λ-calculus, termrewriting and reduction systems (mainly Sect. 1 (d)).

Question 2 will be mainly on the dependent functionset and the dependent product in Agda (Sect. 2).

Question 3 will be on Sect. 3, and of the material thereon

data typesfinite sets, Bool, and atom,product and disjoint union

and simple definitions and proofs in Agda.


Structure of the ExamAgda questions will be in such a way that they caneasily be solved by hand.

Derivations only forthe λ-calculus as in Cwk 1,the dependent λ-calculus as in Cwk2, Qu. 6.


1 Introduction4 Principal approaches for writing verified software.

Concept of a type.Advantages of typed, of untyped languages.Why are types good for writing correct software?

Examples of types in other languagesScalar types (e.g. Booleans, Integers).Simple compound types (records, arrays).Function types, algebraic types (“data”)Interfaces.


Introduction (Cont.)4 kinds of judgements in dependent type theory:

A : Set, A = B : Set, a : A, a = b : A.Only A : Set, a : A are visible in Agda.

Examples of dependent types in programming.Templates (e.g. in C++) ie. parametric types.Matrix multiplication.Predicates.Dependent grammars in linguistics.


λ-CalculusThe untyped λ-Calculus:

Bound and free variables,α-, β-conversion.

The typed λ-calculus:Types,rules,product types,η-rule.

But nothing to be “learned by heart” about the (un)typedλ-calculus – only how to use it as in the Cwk.


Reduction SystemsNotions

Reduction system,strongly normalising, weakly normalising,normal form, irreducible,confluence.

Too complicated for the exam:definition of term rewriting system and how to obtainthe reduction system,definition of −→∗,←→∗.(But intuitive understanding of these notions isrequired).


Cwk 1Typical questions as in Qu 1, 3, 4, 5 and Qu 6 (a), 6 (b),and part (i) of 6 (c) - 6 (e).


2 The Logical Framework.4 kinds of rules (formation, introduction, elimination,equality).

Constructors and canonical elements.

Dependent function type, dependent product.Rules only up to the level of Cwk2, Qu. 6.Mainly how to use them in Agda (Cwk 2, Qu 1 - 3).Notion of Set vs. Type (how to use Set, Type).

Let expressions.


3. Data TypesBasic data types (Booleans, finite sets, disjoint union)

Only how to introduce and use them in Agda.

Two versions of the nondependent/dependentproduct in Agda

using “sig”,using “data”.

Atomic formulae (atom).

How to represent other formulae in type theory.

How to carry out simple proofs in type theory.

Questions like in Cwk 3, all questions (only simpleones feasible in the exam).


Proofs in AgdaMainly proofs related to equality and <-relation.

Definition of these relations in Bool, disjoint union,nondependent product as in the Cwk or similar tothat.Simple proofs about them (notions like reflexive,anti-reflexive, transitive, symmetric; proofs of suchproperties).


RestrictionsConstructive logic, natural numbers, lists not treated inthe lecture.

No natural deduction.

No formal derivations, rules in this section.


Documents

4 Ways of Proving Theoremscsetzer/lectures/intertheo/03/... · Interactive Theorem Proving, CS 336, Lentterm 2004, Sec. 0 5 4 Ways of Proving Theorems 2. Theorem proving with some