arX

iv:1

606.

0110

6v1

[cs.

PL]

3 J

un 2

016

Set-Theoretic Types for Polymorphic Variants

Giuseppe Castagna1 Tommaso Petrucciani1,2 Kim Nguyễn3

1CNRS, Univ Paris Diderot, Sorbonne Paris Cité, Paris, France2DIBRIS, Università degli Studi di Genova, Genova, Italy

3LRI, Université Paris-Sud, Orsay, France

AbstractPolymorphic variants are a useful feature of the OCaml languagewhose current definition and implementation rely on kindingcon-straints to simulate a subtyping relation via unification. This yieldsan awkward formalization and results in a type system whose be-haviour is in some cases unintuitive and/or unduly restrictive.

In this work, we present an alternative formalization of poly-morphic variants, based on set-theoretic types and subtyping, thatyields a cleaner and more streamlined system. Our formalization ismore expressive than the current one (it types more programswhilepreserving type safety), it can internalize some meta-theoretic prop-erties, and it removes some pathological cases of the current imple-mentation resulting in a more intuitive and, thus, predictable typesystem. More generally, this work shows how to add full-fledgedunion types to functional languages of the ML family that usuallyrely on the Hindley-Milner type system. As an aside, our systemalso improves the theory of semantic subtyping, notably by prov-ing completeness for the type reconstruction algorithm.

Categories and Subject DescriptorsD.3.3 [Programming Lan-guages]: Language Constructs and Features—Data types and struc-tures; Polymorphism.

Keywords Type reconstruction, union types, type constraints.

1. IntroductionPolymorphic variants are a useful feature of OCaml, as they balancestatic safety and code reuse capabilities with a remarkablecon-ciseness. They were originally proposed as a solution to adduniontypes to Hindley-Milner (HM) type systems [17]. Union typeshaveseveral applications and make it possible to deduce types that arefiner grained than algebraic data types, especially in languages withpattern matching. Polymorphic variants cover several of the appli-cations of union types, which explains their success; however theyprovide just a limited form of union types: although they offer somesort of subtyping and value sharing that ordinary variants do not, itis still not possible to form unions of values of generic types, butjust finite enumerations of tagged values. This is obtained by super-imposing on the HM type system a system of kinding constraints,which is used to simulate subtyping without actually introducingit. In general, the current system reuses the ML type system—

A reduced version of this work will appear in the proceedingsof ICFP ’16, the 21stACM SIGPLAN International Conference on Functional Programming, ACM, 2016.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted withoutfee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this noticeand the full citation on the first page. Copyrights for components of this work owned by others than ACM must behonored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute tolists, contact the Owner/Author. Request permissions frompermissions@acm.org or Publications Dept., ACM, Inc., fax+1 (212) 869-0481. Copyright 2016 held by Owner/Author. Publication Rights Licensed to ACM.

ICFP ’16 September 18–24, 2016, Nara, JapanCopyright © 2016 ACM 978-1-nnnn-nnnn-n/yy/mm

including unification for type reconstruction—as much as possible.This is the source of several trade-offs which yield significant com-plexity, make polymorphic variants hard to understand (especiallyfor beginners), and jeopardize expressiveness insofar as they forbidseveral useful applications that general union types make possible.

We argue that using a different system, one that departs drasti-cally from HM, is advantageous. In this work we advocate the useof full-fledged union types (i.e., the original motivation of polymor-phic variants) with standard set-theoretic subtyping. In particularwe usesemantic subtyping[15], a type system where(i) types areinterpreted as set of values,(ii) they are enriched with unrestrainedunions, intersections, and negations interpreted as the correspond-ing set-theoretic operations on sets of values, and(iii) subtypingcorresponds to set containment. Using set-theoretic typesand sub-typing yields a much more natural and easy-to-understand systemin which several key notions—e.g., bounded quantification and ex-haustiveness and redundancy analyses of pattern matching—can beexpressed directly by types; conversely, with the current formaliza-tion these notions need meta-theoretic constructions (in the caseof kinding) or they are meta-theoretic properties not directly con-nected to the type theory (as for exhaustiveness and redundancy).

All in all, our proposal is not very original: in order to havethe advantages of union types in an implicitly-typed language, wesimply add them, instead of simulating them roughly and partiallyby polymorphic variants. This implies to generalize notions suchas instantiation and generalization to cope with subtyping(and,thus, with unions). We chose not to start from scratch, but insteadto build on the existing: therefore we show how to add unions asa modification of the type checker, that is, without disrupting thecurrent syntax of OCaml. Nevertheless, our results can be used toadd unions to other implicitly-typed languages of the ML family.

We said that the use of kinding constraints instead of full-fledged unions has several practical drawbacks and that the systemmay therefore result in unintuitive or overly restrictive behaviour.We illustrate this by the following motivating examples in OCaml.

EXAMPLE 1: loss of polymorphism. Let us consider the identityfunction and its application to a polymorphic variant in OCaml (“#”denotes the interactive toplevel prompt of OCaml, whose input isended by a double semicolon and followed by the system response):

# let id x = x;;

val id : α → α = <fun >

# id ‘A;;

- : [> ‘A ] = ‘A

The identity functionid has type1∀α. α → α (Greek letters denotetype variables). Thus, when it is applied to the polymorphicvariantvalue ‘A (polymorphic variants values are literals prefixed by abackquote), OCaml statically deduces that the result will be of

1 Strictly speaking, it is atype scheme: cf. Definition 3.3.

1

type “at least‘A” (noted [> ‘A]), that is, of a type greater than orequal to the type whose only value is‘A. Since the only value oftype [> ‘A] is ‘A, then the value‘A and the expressionid ‘A arecompletely interchangeable.2 For instance, we can useid ‘A wherean expression of type “at most‘A” (noted[< ‘A]) is expected:

# let f x = match x with ‘A → true ;;

val f : [< ‘A ] → bool = <fun >

# f (id ‘A);;

- : bool = true

Likewise‘A andid ‘A are equivalent in any context:

# [‘A; ‘C];;

- : [> ‘A | ‘C ] list = [‘A; ‘C]

# [(id ‘A); ‘C];;

- : [> ‘A | ‘C ] list = [‘A; ‘C]

We now slightly modify the definition of the identity function:

# let id2 x = match x with ‘A | ‘B → x;;

val id2: ([< ‘A | ‘B ] as α) → α = <fun >

Sinceid2 mapsx to x, it still is the identity function—so it hastype α→α—but since its argument is matched against‘A | ‘B,this function can only be applied to arguments of type “at most‘A | ‘B”, where “|” denotes a union. Therefore, the type vari-ableα must be constrained to be a “subtype” of‘A | ‘B, that is,∀(α ≤ A | B). α → α, expressed by the OCaml toplevel asval id2: ([< ‘A | ‘B ] as α) → α.

A priori, this should not change the typing of the applicationof the (newly-defined) identity to‘A, that is,id2 ‘A. It should stillbe statically known to have type “at least‘A”, and hence to be thevalue‘A. However, this is not the case:

# id2 ‘A;;

- : [< ‘A | ‘B > ‘A ] = ‘A

id2 ‘A is given the type[< ‘A | ‘B > ‘A ] which is parsed as[ (< (A|B)) (> A) ] and means “at least‘A” (i.e., [ (> A) ]) and(without any practical justification) “at mostA | B” (i.e.,[ (< (A | B)) ]). As a consequence‘A andid2 ‘A are no longer con-sidered statically equivalent:

# [(id2 ‘A); ‘C];;

Error: This expression has type [> ‘C ] but an

expression was expected of type [< ‘A | ‘B > ‘A ].

The second variant type does not allow tag(s) ‘C

Dealing with this problem requires the use of awkward explicitcoercions that hinder any further use of subtype polymorphism.

EXAMPLE 2: roughly-typed pattern matching. The typing ofpattern-matching expressions on polymorphic variants canproveto be imprecise. Consider:

# let f x = match id2 x with ‘A → ‘B | y → y;;

val f : [ ‘A | ‘B ] → [ ‘A | ‘B ] = <fun >

the typing of the function above is tainted by two approximations:(i) the domain of the function should be[< ‘A | ‘B ], but—sincethe argumentx is passed to the functionid2—OCaml deduces thetype[ ‘A | ‘B ] (a shorthand for[< ‘A | ‘B > ‘A | ‘B ]), whichis less precise: it loses subtype polymorphism;(ii) the return typestates thatf yields either‘A or ‘B, while it is easy to see thatonly the latter is possible (when the argument is‘A the functionreturns‘B, and when the argument is‘B the function returns theargument, that is,‘B). So the type system deduces forf the type[ ‘A | ‘B ] → [ ‘A | ‘B ] instead of the more natural and pre-cise[< ‘A | ‘B ] → [> ‘B ].

2 Strictly speaking,‘A is the only valuein all instancesof [> ‘A]: as shownin Section 3 the type[> ‘A] is actually a constrained type variable.

To recover the correct type, we need to state explicitly thatthesecond pattern will only be used wheny is ‘B, by using the aliaspattern‘B as y. This is a minor inconvenience here, but writing thetype fory is not always possible and is often more cumbersome.

Likewise, OCaml unduly restricts the type of the function

# let g x = match x with ‘A → id2 x | _ → x;;

val g : ([< ‘A | ‘B > ‘A ] as α) → α = <fun >

as it statesg can only be applied to‘A or ‘B; actually, it can beapplied safely to, say,‘C or any variant value with any other tag.The system adds the upper bound‘A | ‘B becauseid2 is applied tox. However, the application is evaluated only whenx = A: hence,this bound is unnecessary. The lower bound‘A is unnecessary too.

The problem with these two functions is not specific to varianttypes. It is more general, and it stems from the lack of full-fledgedconnectives (union, intersection, and negation) in the types, a lackwhich neither allows the system to type a given pattern-matchingbranch by taking into account the cases the previous branches havealready handled (e.g., the typing of the second branch inf), norallows it to use the information provided by a pattern to refine thetyping of the branch code (e.g., the typing of the first branchin g).

As a matter of fact, we can reproduce the same problem as forg, for instance, on lists:

# let rec map f l = match l with

| [] → l

| h::t → f h :: map f t;;

val map : (α → α) → α list → α list = <fun >

This is the usualmap function, but it is given an overly restrictivetype, accepting only functions with equal domain and codomain.The problem, again, is that the type system does not use the infor-mation provided by the pattern of the first branch to deduce thatthat branch always returns an empty list (rather than a generic αlist). Also in this case alias patterns could be used to patch thisspecific example, but do not work in general.

EXAMPLE 3: rough approximations. During type reconstruc-tion for pattern matching, OCaml uses the patterns themselves todetermine the type of the matched expression. However, it mighthave to resort to approximations: there might be no type whichcorresponds precisely to the set of values matched by the patterns.Consider, for instance, the following function [from 18].

# let f x = match x with

| (‘A, _) → 1 | (‘B, _) → 2

| (_, ‘A) → 3 | (_, ‘B) → 4;;

val f : [> ‘A | ‘B ] * [> ‘A | ‘B ] → int

The type chosen by OCaml states that the function can be applied toany pair whose both components have a type greater than‘A | ‘B.As a result, it can be applied to(‘C, ‘C), whose componentshave type‘A | ‘B | ‘C. This type therefore makes matching non-exhaustive: the domain also contains values that are not capturedby any pattern (this is reported with a warning). Other choicescould be made to ensure exhaustiveness, but they all pose differentproblems: choosing[< ‘A | ‘B ] * [< ‘A | ‘B ] → int makesthe last two branches become redundant; choosing instead a typesuch as[> ‘A | ‘B ] * [< ‘A | ‘B ] → int (or vice versa) isunintuitive as it breaks symmetry.

These rough approximations arise from the lack of full-fledgedunion types. Currently, OCaml only allows unions of varianttypes.If we could build a union of product types, then we could pickthe type([< ‘A | ‘B ] * [> ]) | ([> ] * [< ‘A | ‘B ]) (where[> ] is “any variant”): exactly the set we need. More generally, trueunion types (and singleton types for constants) remove the need ofany approximation for the set of values matched by the patterns

2

of a match expression, meaning we are never forced to choose—possibly inconsistently in different cases—between exhaustivenessand non-redundancy.

Although artificial, the three examples above provide a goodoverview of the kind of problems of the current formalization ofpolymorphic variants. Similar, but more “real life”, examples ofproblems that our system solves can be found on the Web [e.g.,8–11, 21, 29].

Contributions. The main technical contribution of this work isthe definition of a type system for a fragment of ML with poly-morphic variants and pattern matching. Our system aims to replacethe parts of the current type checker of OCaml that deal with thesefeatures. This replacement would result in a conservative exten-sion of the current type checker (at least, for the parts thatconcernvariants and pattern matching), since our system types (with thesame or more specific types) all programs OCaml currently does;it would also be more expressive since it accepts more programs,while preserving type safety. The key of our solution is the ad-dition of semantic subtyping—i.e., of unconstrained set-theoreticunions, intersections, and negations—to the type system. By addingit only in the type checker—thus, without touching the current syn-tax of types the OCaml programmer already knows—it is possibleto solve all problems we illustrated in Examples 1 and 2. By a slightextension of the syntax of types—i.e., by permitting unions“|” notonly of variants but of any two types—and no further modificationwe can also solve the problem described in Example 3. We alsoshow that adding intersection and negation combinators, aswellas singletons, to the syntax of types can be advantageous (cf. Sec-tions 6.1 and 8). Therefore, the general contribution of ourwork isto show a way to add full-fledged union, intersection, and differ-ence types to implicitly-typed languages that use HM type system.

Apart from the technical advantages and the gain in expressive-ness, we think that the most important advantage of our system isthat it is simpler, more natural, and arguably more intuitive thanthe current one (which uses a system of kinding constraints). Prop-erties such as “a given branch of amatch expression will be exe-cuted for all values that can be produced by the matched expres-sion, that can be captured by the pattern of the branch, and thatcannot be captured by the patterns of the preceding branches” canbe expressed precisely and straightforwardly in terms of union, in-tersection, and negation types (i.e., the type of the matched expres-sion, intersected by the type of the values matched by the pattern,minus the union of all the types of the values matched by any pre-ceding pattern: see ruleTs-Matchin Figure 2). The reason for thisis that in our system we can express much more information at thelevel of types, which also means we can do without the system ofkinding constraints. This is made possible by the presence of set-theoretic type connectives. Such a capability allows the type sys-tem to model pattern matching precisely and quite intuitively: wecan describe exhaustiveness and non-redundancy checking in termsof subtype checking, whereas in OCaml they cannot be defined atthe level of types. Likewise, unions and intersections allow us toencode bounded quantification—which is introduced in OCamlbystructural polymorphism—without having to add it to the system.As a consequence, it is in general easy in our system to understandthe origin of each constraint generated by the type checker.

Our work also presents several side contributions. First, it ex-tends the type reconstruction of Castagna et al. [6] to pattern match-ing and let-polymorphism and, above all, proves it to be sound andcomplete with respect to our system (reconstruction in Castagnaet al. [6] is only proven sound). Second, it provides a technique fora finer typing of pattern matching that applies to types otherthanpolymorphic variants (e.g., the typing ofmap in Example 2) andlanguages other than OCaml (it is implemented in the developmentbranch ofCDuce [1, 7]). Third, theK system we define in Sec-

tion 3 is a formalization of polymorphic variants and full-fledgedpattern matching as they are currently implemented in OCaml: toour knowledge, no published formalization is as complete asK.

Outline. Section 2 defines the syntax and semantics of the lan-guage we will study throughout this work. Sections 3 and 4 presenttwo different type systems for this language.

In particular, Section 3 briefly describes theK type system wehave developed as a formalization of how polymorphic variantsare typed in OCaml. Section 4 describes theS type system, whichemploys set-theoretic types with semantic subtyping: we first givea deductive presentation of the system, and then we compare it toK

to show thatS can type every program that theK system can type.Section 5 defines a type reconstruction algorithm that is sound andcomplete with respect to theS type system.

Section 6 presents three extensions or modifications of the sys-tem: the first is the addition of overloaded functions; the secondis a refinement of the typing of pattern matching, which we needto type precisely the functionsg andmap of Example 2; the thirdis a restriction which solves a discrepancy between our model andOCaml (the lack of type tagging at runtime in the OCaml imple-mentation).

Finally, Section 7 compares our work with other formalizationsof polymorphic variants and with previous work on systems withset-theoretic type connectives, and Section 8 concludes the presen-tation and points out some directions for future research.

For space reasons we omitted all the proofs as well as somedefinitions. They can be found in the Appendix.

2. The language of polymorphic variantsIn this section, we define the syntax and semantics of the languagewith polymorphic variants and pattern matching that we studyin this work. In the sections following this one we will definetwo different type systems for it (one with kinds in Section 3,the other with set-theoretic types in Section 4), as well as atypereconstruction algorithm (Section 5).

2.1 Syntax

We assume that there exist a countable setX of expression vari-ables, ranged over byx, y, z, . . . , a setC of constants, ranged overby c, and a setL of tags, ranged over bytag. Tags are used to labelvariant expressions.

Definition 2.1 (Expressions). Anexpressione is a term inductivelygenerated by the following grammar:

e ::= x | c | λx. e | e e | (e,e) | tag(e) | match e with (pi→ei)i∈I

wherep ranges over the setP of patterns, defined below. We writeE to denote the set of all expressions.

We definefv(e) to be the set of expression variables occurringfree in the expressione, and we say thate is closedif and onlyif fv(e) is empty. As customary, we consider expressions up toα-renaming of the variables bound by abstractions and by patterns.

The language is aλ-calculus with constants, pairs, variants, andpattern matching. Constants include a dummy constant( ) (‘unit’)to encode variants without arguments; multiple-argument variantsare encoded with pairs. Matching expressions specify one ormorebranches (indexed by a setI) and can be used to encodelet-expressions:let x = e0 in e1

def= match e0 with x → e1 .

Definition 2.2 (Patterns). A patternp is a term inductively gener-ated by the following grammar:

p ::= | x | c | (p, p) | tag(p) | p&p | p|p

such that(i) in a pair pattern(p1, p2) or an intersection patternp1&p2, capt(p1) ∩ capt(p2) = ∅; (ii) in a union patternp1|p2,

3

v/ = [ ]

v/x = [v/x]

v/c =

[ ] if v = c

Ω otherwise

v/(p1, p2) =

ς1 ∪ ς2 if v = (v1, v2) and∀i. vi/pi = ςiΩ otherwise

v/tag(p1) =

ς1 if v = tag(v1) andv1/p1 = ς1Ω otherwise

v/p1&p2 =

ς1 ∪ ς2 if ∀i. v/pi = ςiΩ otherwise

v/p1|p2 =

v/p1 if v/p1 6= Ω

v/p2 otherwise

Figure 1. Semantics of pattern matching.

capt(p1) = capt(p2), wherecapt(p) denotes the set of expressionvariables occurring as sub-terms in a patternp (called thecapturevariablesof p). We writeP to denote the set of all patterns.

Patterns have the usual semantics. A wildcard “” accepts anyvalue and generates no bindings; a variable pattern acceptsanyvalue and binds the value to the variable. Constants only acceptthemselves and do not bind. Pair patterns accept pairs if each sub-pattern accepts the corresponding component, and variant patternsaccept variants with the same tag if the argument matches theinnerpattern (in both cases, the bindings are those of the sub-patterns).Intersection patterns require the value to match both sub-patterns(they are a generalization of the alias patternsp as x of OCaml),while union patterns require it to match either of the two (the leftpattern is tested first).

2.2 Semantics

We now define a small-step operational semantics for this calculus.First, we define the values of the language.

Definition 2.3 (Values). A valuev is a closed expression induc-tively generated by the following grammar.

v ::= c | λx. e | (v, v) | tag(v)

We now formalize the intuitive semantics of patterns that wehave presented above.

Bindings are expressed in terms ofexpression substitutions,ranged over byς: we write [v1/x1, . . . , vn/xn] for the substitutionthat replaces free occurrences ofxi with vi, for eachi. We writeeςfor the application of the substitutionς to an expressione; we writeς1 ∪ ς2 for the union of disjoint substitutions.

The semantics of pattern matching we have described is formal-ized by the definition ofv/p given in Figure 1. In a nutshell,v/pis the result of matching a valuev against a patternp. We have ei-therv/p = ς, whereς is a substitution defined on the variables incapt(p), or v/p = Ω. In the former case, we say thatv matchesp(or thatp acceptsv); in the latter, we say that matching fails.

Note that the unions of substitutions in the definition are alwaysdisjoint because of our linearity condition on pair and intersectionpatterns. The condition that sub-patterns of a union pattern p1|p2must have the same capture variables ensures thatv/p1 andv/p2will be defined on the same variables.

Finally, we describe the reduction relation. It is defined bythefollowing two notions of reduction

(λx. e) v e[v/x]

match v with (pi → ei)i∈I ejςif v/pj = ς and∀i < j. v/pi = Ω

applied with a leftmost-outermost strategy which does not reduceinsideλ-abstractions nor in the branches ofmatch expressions.

The first reduction rule is the ordinary rule for call-by-valueβ-reduction. It states that the application of an abstractionλx. e to avaluev reduces to the bodye of the abstraction, wherex is replacedby v. The second rule states that amatch expression on a valuevreduces to the branchej corresponding to the first patternpj forwhich matching is successful. The obtained substitution isappliedto ej , replacing the capture variables ofpj with sub-terms ofv. Ifno pattern acceptsv, the expression is stuck.

3. Typing variants with kinding constraintsIn this section, we formalizeK, the type system withkindingconstraints for polymorphic variants as featured in OCaml;wewill use it to gauge the merits ofS, our type system withset-theoretic types. This formalization is derived from, and extends,the published systems based on structural polymorphism [17, 19].In our ken, no formalization in the literature includes polymorphicvariants, let-polymorphism, and full-fledged pattern matching (seeSection 7), which is why we give here a new one. While basedon existing work, the formalization is far from being trivial (whichwith hindsight explains its absence), and thus we needed to proveall its properties from scratch. For space reasons we outline just thefeatures that distinguish our formalization, namely variants, patternmatching, and type generalization for pattern capture variables. TheAppendix presents the full definitions and proofs of all properties.

The system consists essentially of the core ML type system withthe addition of a kinding system to distinguish normal type vari-ables fromconstrainedones. Unlike normal variables, constrainedones cannot be instantiated into any type, but only into other con-strained variables with compatible constraints. They are used totype variant expressions: there are no ‘variant types’per se. Con-straints are recorded inkindsand kinds in akinding environment(i.e., a mapping from type variables to kinds) which is includedin typing judgments. An important consequence of using kindingconstraints is that they implicitly introduce (a limited form of) re-cursive types, since a constrained type variable may occur in itsconstraints.

We assume that there exists a countable setV of type variables,ranged over byα, β, γ, . . . . We also consider a finite setB of basictypes, ranged over byb, and a functionb(·) from constants to basictypes. For instance, we might takeB = bool, int, unit, withbtrue = bool, b( ) = unit, and so on.

Definition 3.1 (Types). A typeτ is a term inductively generated bythe following grammar.

τ ::= α | b | τ → τ | τ × τ

The system only uses the types of core ML: all additionalinformation is encoded in the kinds of type variables.

Kinds have two forms: theunconstrained kind“•” classifies“normal” variables, while variables used to type variants are givena constrained kind. Constrained kinds are triples describing whichtags may or may not appear (apresenceinformation) and whichargument types are associated to each tag (atyping information).The presence information is split in two parts, a lower and anupperbound. This is necessary to provide an equivalent to both covariantand contravariant subtyping—without actually having subtyping

4

in the system—that is, to allow both variant values and functionsdefined on variant values to be polymorphic.

Definition 3.2 (Kinds). A kind κ is either theunconstrained kind“ •” or a constrained kind, that is, a triple(L, U, T ) where:

– L is a finite set of tagstag1, . . . , tagn;– U is either a finite set of tags or the setL of all tags;– T is a finite set of pairs of a tag and a type, writtentag1 : τ1,. . . , tagn : τn (its domaindom(T ) is the set of tags occurringin it);

and where the following conditions hold:– L ⊆ U , L ⊆ dom(T ), and, ifU 6= L, U ⊆ dom(T );– tags inL have a single type inT , that is, if tag∈ L, wheneverboth tag: τ1 ∈ T and tag: τ2 ∈ T , we haveτ1 = τ2.

In OCaml, kinds are written with the typing information inlinedin the lower and upper bounds. These are introduced by> and <

respectively and, if missing,∅ is assumed for the lower bound andL for the upper. For instance,[> ‘A of int | ‘B of bool ] as α

of OCaml is represented here by assigning to the variableα the kind(A,B,L, A : int,B : bool); [< ‘A of int | ‘B of bool ] as β cor-responds toβ of kind (∅, A,B, A : int,B : bool); finally [< ‘A of int | ‘B of bool & unit > ‘A ] as γ

corresponds toγ of kind (A, A,B, A : int,B : bool,B : unit).

Definition 3.3 (Type schemes). A type schemeσ is of the form∀A.K ⊲ τ , where:

– A is a finite setα1, . . . , αn of type variables;– K is a kinding environment, that is, a map from type variablesto kinds;

– dom(K) = A.

We identify a type scheme∀∅.∅ ⊲ τ , which quantifies no vari-able, with the typeτ itself. We consider type schemes up to renam-ing of the variables they bind and disregard useless quantification(i.e., quantification of variables that do not occur in the type).

Type schemes single out, by quantifying them, the variablesof a type which can be instantiated. In ML without kinds, thequantified variables of a scheme can be instantiated with anytype.The addition of kinds changes this: variables with constrained kindsmay only be instantiated into other variables withequally strongorstrongerconstraints. This relation on constraints is formalized bythe following entailment relation:

(L,U, T ) (L′, U ′, T ′) ⇐⇒ L ⊇ L′ ∧ U ⊆ U ′ ∧ T ⊇ T ′ ,

whereκ1 κ2 means thatκ1 is a constraint stronger thanκ2. Thisrelation is used to select the type substitutions (ranged over by θ)that areadmissible, that is, that are sound with respect to kinding.

Definition 3.4 (Admissibility of a type substitution). A type sub-stitutionθ is admissiblebetween two kinding environmentsK andK′, written K ⊢ θ : K′, if and only if, for every type variableα such thatK(α) = (L, U, T ), αθ is a type variable such thatK′(αθ) = (L′, U ′, T ′) and(L′, U ′, T ′) (L,U, T θ).

In words, wheneverα is constrained inK, thenαθ must be atype variable constrained inK′ by a kind that entails the substitu-tion instance of the kind ofα in K.

The set of the instances of a type scheme are now obtained byapplying only admissible substitutions.

Definition 3.5 (Instances of a type scheme). The set ofinstancesof a type scheme∀A.K′ ⊲ τ in a kinding environmentK is

instK(∀A.K′ ⊲ τ ) = τθ | dom(θ) ⊆ A ∧ K,K′ ⊢ θ : K .

As customary, this set is used in the type system rule to typeexpression variables:

Tk-Varτ ∈ instK(Γ(x))

K; Γ ⊢Kx : τ

Notice that typing judgments are of the formK; Γ ⊢Ke : τ : the

premises include a type environmentΓ but also, which is new, akinding environmentK (theK subscript in the turnstile symbol isto distinguish this relation from⊢

S, the relation for the set-theoretic

type system of the next section).The typing rules for constants, abstractions, applications, and

pairs are straightforward. There remain the rules for variants andfor pattern matching, which are the only interesting ones.

Tk-TagK; Γ ⊢

Ke : τ K(α) (tag,L, tag: τ)

K; Γ ⊢K

tag(e) : α

The typing of variant expressions uses the kinding environment.RuleTk-Tagstates thattag(e) can be typed by any variableα suchthat α has a constrained kind inK which entails the “minimal”kind for this expression. Specifically, ifK(α) = (L,U, T ), thenwe requiretag ∈ L andtag: τ ∈ T , whereτ is a type fore. NotethatT may not assign more than one type totag, sincetag∈ L.

The typing of pattern matching is by far the most complex partof the type system and it is original to our system.

Tk-Match

K; Γ ⊢Ke0 : τ0 τ0 4K pi | i ∈ I

∀i ∈ I K ⊢ pi : τ0 ⇒ Γi K; Γ, genK;Γ(Γi) ⊢K ei : τ

K; Γ ⊢Kmatch e0 with (pi → ei)i∈I : τ

Let us describe each step that the rule above implies. First the rulededuces the typeτ0 of the matched expression (K; Γ ⊢

Ke0 : τ0).

Second, for each patternpi, it generates the type environmentΓi

which assigns types to the capture variables ofpi, assumingpiis matched against a value known to be of typeτ0. This is doneby deducing the judgmentK ⊢ pi : τ0 ⇒ Γi, whose inferencesystem is mostly straightforward (see Figure 8 in the Appendix);for instance, for variable patterns we have:

TPk-VarK ⊢ x : τ ⇒ x : τ

The only subtle point of this inference system is the rule forpatterns of the formtag(p)

TPk-Tag

K ⊢ p : τ ⇒ Γ K(α) = (L,U, T )(tag∈ U impliestag: τ ∈ T )

K ⊢ tag(p) : α ⇒ Γ

which—after generating the environment for the capture variablesof p—checks whether the type of the matched expression is avariant type (i.e., a variable) with the right constraints for tag.

Third, the ruleTk-Matchtypes each branchei with typeτ , in atype environment updated withgenK;Γ(Γi), that is, with the gener-alization of theΓi generated byK ⊢ pi : τ0 ⇒ Γi. The definitionof generalization is standard: it corresponds to quantifying all thevariables that do not occur free in the environmentΓ. The subtlepoint is the definition of the free variables of a type (and hence ofan environment), which we omit for space reasons. It must navi-gate the kinding environmentK to collect all variables which canbe reached by following the constraints; hence, thegen functiontakes as argumentK as well asΓ.

Finally, the premises of the rule also include the exhaustivenesscondition τ0 4K pi | i ∈ I , which checks whether everypossible value thate0 can produce matches at least one patternpi.The definition of exhaustiveness is quite convoluted.

Definition 3.6 (Exhaustiveness). We say that a set of patternsPis exhaustivewith respect to a typeτ in a kinding environmentK,and we writeτ 4K P , when, for everyK′, θ, andv,

(K ⊢ θ : K′ ∧K′;∅ ⊢Kv : τθ) =⇒ ∃p ∈ P, ς. v/p = ς .

In words,P is exhaustive when every value that can be typedwith any admissible substitution ofτ is accepted by at least one

5

pattern inP . OCaml does not impose exhaustiveness—it just sig-nals non-exhaustiveness with a warning—but our system does. Wedo so in order to have a simpler statement for soundness and tofa-cilitate the comparison with the system of the next section.We donot discuss how exhaustiveness can be effectively computed; formore information on how OCaml checks it, see Garrigue [18] andMaranget [20].

We conclude this section by stating the type soundness propertyof theK type system.

Theorem 3.1(Progress). Lete be a well-typed, closed expression.Then, eithere is a value or there exists an expressione′ such thate e′.

Theorem 3.2(Subject reduction). Let e be an expression andτ atype such thatK; Γ ⊢

Ke : τ . If e e′, thenK; Γ ⊢

Ke′ : τ .

Corollary 3.3 (Type soundness). Let e be a well-typed, closedexpression, that is, such thatK;∅ ⊢

Ke : τ holds for someτ . Then,

eithere diverges or it reduces to a valuev such thatK;∅ ⊢Kv : τ .

4. Typing variants with set-theoretic typesWe now describeS, a type system for the language of Section 2based on set-theoretic types. The approach we take in its design isdrastically different from that followed forK. Rather than addinga kinding system to record information that types cannot express,we directly enrich the syntax of types so they can express allthenotions we need. Moreover, we add subtyping—using a semanticdefinition—rather than encoding it via instantiation. We exploittype connectives and subtyping to represent variant types as unionsand to encode bounded quantification by union and intersection.

We argue thatS has several advantages with respect to the pre-vious system. It is more expressive: it is able to type some programsthatK rejects though they are actually type safe, and it can derivemore precise types thanK. It is arguably a simpler formalization:typing works much like in ML except for the addition of subtyp-ing, we have explicit types for variants, and we can type patternmatching precisely and straightforwardly. Indeed, as regards pat-tern matching, an advantage of theS system is that it can expressexhaustiveness and non-redundancy checking as subtyping checks,while they cannot be expressed at the level of types inK.

Naturally, subtyping brings its own complications. We do notdiscuss its definition here, since we reuse the relation defined byCastagna and Xu [4]. The use of semantic subtyping makes thedefinition of a typing algorithm challenging: Castagna et al. [5, 6]show how to define one in an explicitly-typed setting. Conversely,we study here an implicitly-typed language and hence study theproblem of type reconstruction (in the next section).

While this system is based on that described by Castagna et al.[5, 6], there are significant differences which we discuss inSec-tion 7. Notably, intersection types play a more limited rolein oursystem (no rule allows the derivation of an intersection of arrowtypes for a function), making our type reconstruction complete.

4.1 Types and subtyping

As before, we consider a setV of type variables(ranged over byα,β, γ, . . . ) and the setsC, L, andB of language constants, tags, andbasic types(ranged over byc, tag, andb respectively).

Definition 4.1 (Types). A type t is a term coinductively producedby the following grammar:

t ::= α | b | c | t → t | t× t | tag(t) | t ∨ t | ¬t | 0

which satisfies two additional constraints:

• (regularity) the term must have a finite number of different sub-terms;

• (contractivity) every infinite branch must contain an infinitenumber of occurrences of atoms (i.e., a type variable or theimmediate application of a type constructor: basic, constant,arrow, product, or variant).

We introduce the following abbreviations:

t1 ∧ t2def= ¬(¬t1 ∨ ¬t2) t1 \ t2

def= t1 ∧ (¬t2) 1

def= ¬0 .

With respect to the types in Definition 3.1, we add several newforms. We introduce set-theoretic connectives (union, intersection,and negation), as well as bottom (the empty type0) and top (1)types. We add general (uniform) recursive types by interpretingthe grammarcoinductively, whileK introduces recursion via kinds.Contractivity is imposed to bar out ill-formed types such asthosefulfilling the equationt = t ∨ t (which does not give any infor-mation on the set of values it represents) ort = ¬t (which cannotrepresent any set of values).

We introduce explicit types for variants. These types have theform tag(t): the type of variant expressions with tagtag and anargument of typet.3 Type connectives allow us to represent allvariant types ofK by combining types of this form, as we describein detail below. Finally, we add singleton types for constants (e.g., atypetrue which is a subtype ofbool), which we use to type patternmatching precisely.

Variant types and bounded quantification.K uses constrainedvariables to type variants; when these variables are quantified ina type scheme, their kind constrains the possible instantiations ofthe scheme. This is essentially a form of bounded quantification:a variable of kind(L,U, T ) may only be instantiated by othervariables which fall within the bounds—the lower bound beingdetermined byL andT , the upper one byU andT .

In S, we can represent these bounds as unions of variant typestag(t). For instance, consider inK a constrained variableα ofkind (A, A,B, A : bool,B : int). If we quantifyα, we can theninstantiate it with variables whose kinds entail that ofα. Using ourvariant types and unions, we write the lower bound astL = A(bool)and the upper one astU = A(bool) ∨ B(int). In our system,αshould be a variable with bounded quantification, which can onlybe instantiated by typest such thattL ≤ t ≤ tU.

However, we do not need to introduce bounded quantification asa feature of our language: we can use type connectives as proposedin [4] (cf. Footnote 4 therein) to encode it. The possible instantia-tions ofα (with the bounds above) and the possible instantiations of(tL ∨β)∧ tU, with no bound onβ, are equivalent. We use the latterform: we internalize the bounds in the type itself by union and in-tersection. In this way, we need no system of constraints extraneousto types.

Subtyping. There exists asubtypingrelation between types. Wewrite t1 ≤ t2 whent1 is a subtype oft2; we write t1 ≃ t2 whent1 and t2 are equivalent with respect to subtyping, that is, whent1 ≤ t2 andt2 ≤ t1. The definition and properties of this relationare studied in Castagna and Xu [4], except for variant types which,for this purpose, we encode as pairs (cf. Footnote 3).

In brief, subtyping is given a semantic definition, in the sensethat t1 ≤ t2 holds if and only ifJt1K ⊆ Jt2K, whereJ·K is an in-terpretation function mapping types to sets of elements from somedomain (intuitively, the set of values of the language). Theinter-pretation is “set-theoretic” as it interprets union types as unions,negation as complementation, and products as Cartesian products.

In general, in the semantic-subtyping approach, we consider atype to denote the set of all values that have that type (we will say

3 We could encodetag(t) by the producttag×t. Although we have preferredto add explicit variant types, we still use this encoding to derive theirsubtyping properties: see Petrucciani [23] for a detailed explanation.

6

Ts-Vart ∈ inst(Γ(x))

Γ ⊢Sx : t

Ts-ConstΓ ⊢

Sc : c

Ts-AbstrΓ, x : t1 ⊢

Se : t2

Γ ⊢Sλx. e : t1 → t2

Ts-ApplΓ ⊢

Se1 : t

′ → t Γ ⊢Se2 : t

′

Γ ⊢Se1 e2 : t

Ts-PairΓ ⊢

Se1 : t1 Γ ⊢

Se2 : t2

Γ ⊢S(e1, e2) : t1 × t2

Ts-TagΓ ⊢

Se : t

Γ ⊢Stag(e) : tag(t)

Ts-Match

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I Γ, genΓ(ti//pi) ⊢S ei : t′i

Γ ⊢Smatch e0 with (pi → ei)i∈I :

∨

i∈I t′i

Ts-SubsumΓ ⊢

Se : t′ t′ ≤ t

Γ ⊢Se : t

Figure 2. Typing relation of theS type system.

that some type “is” the set of values of that type). In particular, forarrow types, the typet1 → t2 is that of function values (i.e.,λ-abstractions) which, if they are given an argument inJt1K and theydo not diverge, yield a result inJt2K. Hence, all types of the form0→ t, for anyt, are equivalent (as only diverging expressions canhave type0); any of them is the type of all functions. Conversely,1 → 0 is the type of functions that (provably) diverge on allinputs: a function of this type should yield a value in the emptytype whenever it terminates, and that is impossible.

The presence of variables complicates the definition of semanticsubtyping. Here, we just recall from Castagna and Xu [4] thatsubtyping is preserved by type substitutions:t1 ≤ t2 impliest1θ ≤ t2θ for every type substitutionθ.

4.2 Type system

We presentS focusing on the differences with respect to the systemof OCaml (i.e.,K); full definitions are in the Appendix. Unlike inK, type schemes here are defined just as in ML as we no longerneed kinding constraints.

Definition 4.2 (Type schemes). A type schemes is of the form∀A. t, whereA is a finite setα1, . . . , αn of type variables.

As in K, we identify a type scheme∀∅. t with the typet itself,we consider type schemes up to renaming of the variables theybind, and we disregard useless quantification.

We writevar(t) for the set of type variables occurring in a typet; we say they are thefree variablesof t, and we say thatt is groundor closedif and only if var(t) is empty. The (coinductive) definitionof var can be found in Castagna et al. [5, Definition A.2].

Unlike in ML, types in our system can contain variables whichare irrelevant to the meaning of the type. For instance,α × 0 isequivalent to0 (with respect to subtyping), as we interpret producttypes into Cartesian products. Thus,α is irrelevant inα × 0.To capture this concept, we introduce the notion ofmeaningfulvariablesin a typet. We define these to be the set

mvar(t) = α ∈ var(t) | t[0/α] 6≃ t ,

where the choice of0 to replaceα is arbitrary (any other closedtype yields the same definition). Equivalent types have exactlythe same meaningful variables. To define generalization, weallowquantifying variables which are free in the type environment but aremeaningless in it (intuitively, we act as if types were in a canonicalform without irrelevant variables).

We extendvar to type schemes asvar(∀A. t) = var(t) \A, anddo likewise formvar.

Type substitutions are defined in a standard way by coinduction;there being no kinding system, we do not need the admissibilitycondition ofK.

We define type environmentsΓ as usual. The operations of gen-eralization of types and instantiation of type schemes, instead, mustaccount for the presence of irrelevant variables and of subtyping.

Generalization with respect toΓ quantifies all variables in a typeexcept for those that are freeand meaningfulin Γ:

genΓ(t) = ∀A. t , whereA = var(t) \ mvar(Γ) .

We extendgen pointwise to sets of bindingsx1 : t1, . . . , xn : tn.The set of instances of a type scheme is given by

inst(∀A. t) = tθ | dom(θ) ⊆ A ,

and we say that a type schemes1 is more generalthan a typeschemes2—writtens1 ⊑ s2—if

∀t2 ∈ inst(s2). ∃t1 ∈ inst(s1). t1 ≤ t2 . (1)

Notice that the use of subtyping in the definition above general-izes the corresponding definition of ML (which uses equality) andsubsumes the notion of “admissibility” ofK by a far simpler andmore natural relation (cf. Definitions 3.4 and 3.5).

Figure 2 defines the typing relationΓ ⊢Se : t of the S type

system (we use theS subscript in the turnstile symbol to distinguishthis relation from that forK). All rules except that for patternmatching are straightforward. Note thatTs-Constis more precisethan inK since we have singleton types, and thatTs-Taguses thetypes we have introduced for variants.

The ruleTs-Matchinvolves two new concepts that we presentbelow. We start by typing the expression to be matched,e0, withsome typet0. We also require every branchei to be well-typed withsome typet′i: the type of the wholematch expression is the union ofall t′i. We type each branch in an environment expanded with typesfor the capture variables ofpi: this environment is generated by thefunctionti//pi (described below) and is generalized.

The advantage of our richer types here is that, given any pattern,the set of values it accepts is always described precisely bya type.

Definition 4.3 (Accepted type). Theaccepted type*p+ of a patternp is defined inductively as:

* + = *x+ = 1 *c+ = c

*(p1, p2)+ = *p1+ × *p2+ *tag(p)+ = tag(*p+)

*p1&p2+ = *p1+ ∧ *p2+ *p1|p2+ = *p1+ ∨ *p2+ .

For well-typed valuesv, we havev/p 6= Ω ⇐⇒ ∅ ⊢Sv : *p+.

We use accepted types to express the condition ofexhaustiveness:t0 ≤

∨

i∈I*pi+ ensures that every valuee0 can reduce to (i.e., everyvalue int0) will match at least one pattern (i.e., is in the acceptedtype of some pattern). We also use them to compute precisely thesubtypes oft0 corresponding to the values which will trigger eachbranch. In the rule,ti is the type of all values which will be selectedby the i-th branch: those int0 (i.e., generated bye0), not in any*pj+ for j < i (i.e., not captured by any previous pattern), and in

7

JαKK =

α if K(α) = •

(lowK(L, T ) ∨ α) ∧ uppK(U, T ) if K(α) = (L,U, T )

JbKK = b

Jτ1 → τ2KK = Jτ1KK → Jτ2KK

Jτ1 × τ2KK = Jτ1KK × Jτ2KK

where: lowK(L, T ) =∨

tag∈L tag(∧

tag: τ∈T JτKK)

uppK(U, T ) =

∨

tag∈U tag(∧

tag: τ∈T JτKK) if U 6= L∨

tag∈dom(T ) tag(∧

tag: τ∈T JτKK) ∨ (1V \∨

tag∈dom(T ) tag(1)) if U = L

Figure 3. Translation ofk-types tos-types.

*pi+ (i.e., accepted bypi). These typesti allow us to expressnon-redundancychecks: ifti ≤ 0 for somei, then the correspondingpattern will never be selected (which likely means the programmerhas made some mistake and should receive a warning).4

The last element we must describe is the generation of types forthe capture variables of each pattern by theti//pi function. Here,our use ofti means we exploit the shape of the patternpi and of theprevious ones to generate more precise types; environment genera-tion inK essentially uses onlyt0 and is therefore less precise.

Environment generation relies on two functionsπ1 and π2

which extract the first and second component of a typet ≤ 1× 1.For instance, ift = (α×β)∨(bool×int), we haveπ1(t) = α∨bool

andπ2(t) = β ∨ int. Given any tagtag, πtag does likewise for vari-ant types with that tag. See Castagna et al. [5, Appendix C.2.1] andPetrucciani [23] for the full details.

Definition 4.4 (Pattern environment generation). Given a patternpand a typet ≤ *p+, the type environmentt//p generated by patternmatching is defined inductively as:

t// = ∅ t//(p1, p2) = π1(t)//p1 ∪ π2(t)//p2

t//x = x : t t//tag(p) = πtag(t)//p

t//c = ∅ t//p1&p2 = t//p1 ∪ t//p2

t//p1|p2 = (t ∧ *p1+)//p1 ∨∨ (t \ *p1+)//p2

where(Γ ∨∨ Γ′)(x) = Γ(x) ∨ Γ′(x).

TheS type system is sound, as stated by the following properties.

Theorem 4.1(Progress). Let e be a well-typed, closed expression(i.e.,∅ ⊢

Se : t holds for somet). Then, eithere is a value or there

exists an expressione′ such thate e′.

Theorem 4.2(Subject reduction). Let e be an expression andt atype such thatΓ ⊢

Se : t. If e e′, thenΓ ⊢

Se′ : t.

Corollary 4.3 (Type soundness). Let e be a well-typed, closedexpression, that is, such that∅ ⊢

Se : t holds for somet. Then,

eithere diverges or it reduces to a valuev such that∅ ⊢Sv : t.

4.3 Comparison withK

Our type systemS extendsK in the sense that every well-typedprogram ofK is also well-typed inS: we say thatS is completewith respect toK.

To show completeness, we define a translationJ·KK which mapsk-types (i.e., types ofK) to s-types (types ofS). The translation

4 We can also exploit redundancy information to exclude certain branchesfrom typing (see Section 6.1), though it is not always possible during typereconstruction.

is parameterized by a kinding environment to make sense of typevariables.

Definition 4.5 (Translation of types). Given ak-typeτ in a non-recursive kinding environmentK, its translationis thes-typeJτKKdefined inductively by the rules in Figure 3.

We define the translation of type schemes asJ∀A.K′ ⊲ τKK =∀A. JτKK,K′ and that of type environments by translating each typescheme pointwise.

The only complex case is the translation of a constrainedvariable. We translate it to the same variable, in union withitslower bound and in intersection with its upper bound. Lowerbounds and finite upper ones (i.e., those whereU 6= L) arerepresented by a union of variant types. InK, a tag inU maybe associated with more than one argument type, in which caseits argument should have all these types. This is a somewhatsurprising feature of the type system in OCaml—for details,see Garrigue [17, 19]—but here we can simply take the in-tersection of all argument types. For instance, the OCaml type[< ‘A of int | ‘B of unit > ‘A ] as α, represented inK by thetype variableα with kind (A, A,B, A : int,B : unit), is trans-lated into(A(int) ∨ α) ∧ (A(int) ∨ B(unit)).

The translation of an upper boundU = L is more involved.Ideally, we need the type

∨

tag∈dom(T ) tag(∧

tag: τ∈T JτKK) ∨∨

tag/∈dom(T ) tag(1)

which states that tags mentioned inT can only appear with argu-ments of the proper type, whereas tags not inT can appear with anyargument. However, the union on the right is infinite and cannot berepresented in our system; hence, in the definition in Figure3 weuse its complement with respect to the top type of variants1V .5

In practice, a type(tL ∨ α) ∧ tU can be replaced by its lower(respectively, upper) bound ifα only appears in covariant (resp.,contravariant) position.

We state the completeness property as follows.

Theorem 4.4(Preservation of typing). Let e be an expression,Ka non-recursive kinding environment,Γ a k-type environment, andτ a k-type. IfK; Γ ⊢

Ke : τ , thenJΓKK ⊢

Se : JτKK .

Notice that we have definedJ·KK by induction. Therefore,strictly speaking, we have only proved thatS deduces all the judge-ments provable for non-recursive types inK. Indeed, in the state-

5 The type1V can itself be defined by complementation as

¬(

(∨

b∈B b) ∨ (0 → 1) ∨ (1× 1))

:

the type of values which are not constants, nor abstractions, nor pairs.

8

TRs-Varx : t ⇒ x ≤ t

TRs-Constc : t ⇒ c ≤ t

TRs-Abstre : β ⇒ C

λx. e : t ⇒ def x : α in C, α → β ≤ t

TRs-Apple1 : α → β ⇒ C1 e2 : α ⇒ C2

e1 e2 : t ⇒ C1 ∪ C2 ∪ β ≤ tTRs-Pair

e1 : α1 ⇒ C1 e2 : α2 ⇒ C2

(e1, e2) : t ⇒ C1 ∪ C2 ∪ α1 × α2 ≤ t

TRs-Tage : α ⇒ C

tag(e) : t ⇒ C ∪ tag(α) ≤ tTRs-Match

e0 : α ⇒ C0 ti = (α \∨

j<i*pj+) ∧ *pi+

∀i ∈ I ti///pi ⇒ (Γi, Ci) ei : β ⇒ C′i

C′0 = C0 ∪ (

⋃

i∈I Ci) ∪ α ≤∨

i∈I*pi+

match e0 with (pi → ei)i∈I : t ⇒ let [C′0](Γi in C′

i)i∈I , β ≤ t

Figure 4. Constraint generation rules.

ment we require the kinding environmentK to be non-recursive6.We conjecture that the result holds also with recursive kindings andthat it can be proven by coinductive techniques.

5. Type reconstructionIn this section, we study type reconstruction for theS type system.We build on the work of Castagna et al. [6], who study local typeinference and type reconstruction for the polymorphic version ofCDuce. In particular, we reuse their work on the resolution ofthe tallying problem, which plays in our system the same role asunification in ML.

Our contribution is threefold:(i) we prove type reconstructionfor our system to be both sound and complete, while in Castagnaet al. [6] it is only proven to be sound forCDuce (indeed, we rely onthe restricted role of intersection types in our system to obtain thisresult);(ii) we describe reconstruction with let-polymorphism anduse structured constraints to separate constraint generation fromconstraint solving;(iii) we define reconstruction for full patternmatching. Both let-polymorphism and pattern matching are omittedin Castagna et al. [6].

Type reconstruction for a program (a closed expression)e con-sists in finding a typet such that∅ ⊢

Se : t can be derived: we see it

as finding a type substitutionθ such that∅ ⊢Se : αθ holds for some

fresh variableα. We generalize this to non-closed expressions andto reconstruction of types that are partially known. Thus, we saythat type reconstruction consists—given an expressione, a type en-vironmentΓ, and a typet—in computing a type substitutionθ suchthatΓθ ⊢

Se : tθ holds, if any suchθ exists.

Reconstruction in our system proceeds in two main phases. Inthe first, constraint generation(Section 5.1), we generate froman expressione and a typet a set of constraints that record theconditions under whiche may be given typet. In the second phase,constraint solving(Sections 5.2–5.3), we solve (if possible) theseconstraints to obtain a type substitutionθ.

We keep these two phases separate following an approach in-spired by presentations of HM(X) [25]: we use structured con-straints which contain expression variables, so that constraint gen-eration does not depend on the type environmentΓ thate is to betyped in.Γ is used later for constraint solving.

Constraint solving is itself made up of two steps:constraintrewriting (Section 5.2) andtype-constraint solving(Section 5.3).In the former, we convert a set of structured constraints into asimpler set of subtyping constraints. In the latter, we solve this setof subtyping constraints to obtain a set of type substitutions; thislatter step is analogous to unification in ML and is computed usingthe tallying algorithm of Castagna et al. [6]. Constraint rewriting

6 We sayK is non-recursive if it does not contain any cycleα, α1, . . . ,αn, α such that the kind of each variableαi containsαi+1.

also uses type-constraint solving internally; hence, these two stepsare actually intertwined in practice.

5.1 Constraint generation

Given an expressione and a typet, constraint generation computesa finite set of constraints of the form defined below.

Definition 5.1 (Constraints). A constraintc is a term inductivelygenerated by the following grammar:

c ::= t ≤ t | x ≤ t | def Γ in C | let [C](Γi in Ci)i∈I

whereC ranges overconstraint sets, that is, finite sets of con-straints, and where the range of every type environmentΓ in con-straints of the formdef or let only contains types (i.e., trivial typeschemes).

A constraint of the formt ≤ t′ requirestθ ≤ t′θ to hold for thefinal substitutionθ. One of the formx ≤ t constrains the type ofx(actually, an instantiation of its type scheme with fresh variables)in the same way. A definition constraintdefΓ in C introduces newexpression variables, as we do in abstractions; these variables maythen occur inC. We usedef constraints to introduce monomorphicbindings (environments with types and not type schemes).

Finally,let constraints introduce polymorphic bindings. We usethem for pattern matching: hence, we define them with multiplebranches (the constraint setsCi’s), each with its own environment(binding the capture variables of each pattern to types). Tosolvea constraintlet [C0](Γi in Ci)i∈I , we first solveC0 to obtaina substitutionθ; then, we applyθ to all types in eachΓi and wegeneralize the resulting types; finally, we solve eachCi (in anenvironment expanded with the generalization ofΓiθ).

We define constraint generation as a relatione : t ⇒ C, givenby the rules in Figure 4. We assume all variables introduced bythe rules to be fresh (see the Appendix for the formal treatment offreshness: cf. Definition A.39 and Figures 13 and 14). Constraintgeneration for variables and constants (rulesTRs-Varand TRs-Const) just yields a subtyping constraint. For an abstractionλx. e(rule TRs-Abstr), we generate constraints for the body and wrapthem into a definition constraint bindingx to a fresh variableα;we add a subtyping constraint to ensure thatλx. e has typet bysubsumption. The rules for applications, pairs, and tags are similar.

For pattern-matching expressions (ruleTRs-Match), we use anauxiliary relationt///p ⇒ (Γ, C) to generate the pattern typeenvironmentΓ, together with a set of constraintsC in case theenvironment contains new type variables. The full definition is inthe Appendix; as an excerpt, consider the rules for variableand tagpatterns.

t///x ⇒ (x : t,∅)

α///p ⇒ (Γ, C)

t///tag(p) ⇒ (Γ, C ∪ t ≤ tag(α))

9

∀i ∈ I Γ ⊢ ci Di

Γ ⊢ ci | i ∈ I ⋃

i∈I Di Γ ⊢ t ≤ t′ t ≤ t′

Γ(x) = ∀α1, . . . , αn. tx

Γ ⊢ x ≤ t tx[β1/α1, . . . , βn/αn] ≤ t

Γ,Γ′ ⊢ C D

Γ ⊢ def Γ′in C D

Γ ⊢ C0 D0 θ0 ∈ tally(D0)∀i ∈ I Γ, genΓθ0

(Γiθ0) ⊢ Ci Di

Γ ⊢ let [C0](Γi in Ci)i∈I equiv(θ0) ∪⋃

i∈I Di

Figure 5. Constraint rewriting rules.

The rule for variable patterns produces no constraints (andtheempty environment). Conversely, the rule for tags must introducea new variableα to stand for the argument type: the constraintproduced mirrors the use of the projection operatorπtag in thedeductive system. To generate constraints for a pattern-matchingexpression, we generate them for the expression to be matchedand for each branch separately. All these are combined in alet

constraint, together with the constraints generated by patterns andwith α ≤

∨

i∈I *pi+, which ensures exhaustiveness.

5.2 Constraint rewriting

The first step of constraint solving consists in rewriting the con-straint set into a simpler form that contains only subtypingcon-straints, that is, into a set of the formt1 ≤ t′1, . . . , tn ≤ t′n(i.e., nolet, def, or expression variable). We call such setstype-constraint sets(ranged over byD).

Constraint rewriting is defined as a relationΓ ⊢ C D:between type environments, constraints or constraint sets, and type-constraint sets. It is given by the rules in Figure 5.

We rewrite constraint sets pointwise. We leave subtyping con-straints unchanged. In variable type constraints, we replace the vari-ablex with an instantiation of the type schemeΓ(x) with the vari-ablesβ1, . . . , βn, which we assume to be fresh. We rewritedef

constraints by expanding the environment and rewriting theinnerconstraint set.

The complex case is that oflet constraints, which is whererewriting already performs type-constraint solving. We first rewritethe constraint setC0. Then we extract a solutionθ0—if anyexists—by thetally algorithm (described below). The algorithmcan produce multiple alternative solutions: hence, this step is non-deterministic. Finally, we rewrite each of theCi in an expandedenvironment. We perform generalization, solet constraints mayintroduce polymorphic bindings. The resulting type-constraint setis the union of the type-constraint sets obtained for each branchplusequiv(θ0), which is defined as

equiv(θ0) =⋃

α∈dom(θ0)α ≤ αθ0, αθ0 ≤ α .

We add the constraints ofequiv(θ0) because tallying mightgenerate multiple incompatible solutions for the constraints inD0.The choice ofθ0 is arbitrary, but we must force subsequent steps ofconstraint solving to abide by it. Addingequiv(θ0) ensures thatevery solutionθ to the resulting type-constraint set will satisfyαθ ≃ αθ0θ for everyα, and hence will not contradict our choice.

5.3 Type-constraint solving

Castagna et al. [6] define thetallying problemas the problem—in our terminology—of finding a substitution that satisfies agiventype-constraint set.

Definition 5.2. We say that a type substitutionθ satisfies a type-constraint setD, writtenθ D, if tθ ≤ t′θ holds for everyt ≤ t′

in D. Whenθ satisfiesD, we say it is a solution to thetallyingproblemof D.

The tallying problem is the analogue in our system of the uni-fication problem in ML. However, there is a very significant dif-ference: while unification admits principal solutions, tallying doesnot. Indeed, the algorithm to solve the tallying problem fora type-constraint set produces a finite set of type substitutions. The algo-rithm is sound in that all substitutions it generates are solutions. Itis complete in the sense that any other solution is less general thanone of those in the set: we have a finite number of solutions whichare principal when taken together, but not necessarily a single so-lution that is principal on its own.

This is a consequence of our semantic definition of subtyp-ing. As an example, consider subtyping for product types: with astraightforward syntactic definition, a constraintt1 × t′1 ≤ t2 × t′2would simplify to the conjunction of two constraintst1 ≤ t2 andt′1 ≤ t′2. With semantic subtyping—where products are seen asCartesian products—that simplification is sound, but it is not theonly possible choice: eithert1 ≤ 0 or t′1 ≤ 0 is also enough toensuret1 × t′1 ≤ t2 × t′2, since both ensuret1 × t′1 ≃ 0. The threepossible choices can produce incomparable solutions.

Castagna et al. [6, Section 3.2 and Appendix C.1] define asound, complete, and terminating algorithm to solve the tallyingproblem, which can be adapted to our types by encoding variantsas pairs. We refer to this algorithm here astally (it is Sol∅ in thereferenced work) and state its properties.

Property 5.3 (Tallying algorithm). There exists a terminating al-gorithm tally such that, for any type-constraint setD, tally(D) isa finite, possibly empty, set of type substitutions.

Theorem 5.1(Soundness and completeness oftally). LetD be atype-constraint set. For any type substitutionθ:– if θ ∈ tally(D), thenθ D;– if θ D, then∃θ′ ∈ tally(D), θ′′.∀α ∈ dom(θ).αθ ≃ αθ′θ′′.

Hence, given a type-constraint set, we can usetally to either finda set of solutions or determine it has no solution:tally(D) = ∅occurs if and only if there exists noθ such thatθ D.

5.3.1 Properties of type reconstruction

Type reconstruction as a whole consists in generating a constraintsetC from an expression, rewriting this set into a type-constraintsetD (which can require solving intermediate type-constraint sets)and finally solvingD by thetally algorithm. Type reconstruction isboth sound and complete with respect to the deductive type systemS. We state these properties in terms of constraint rewriting.

Theorem 5.2(Soundness of constraint generation and rewriting).Let e be an expression,t a type, andΓ a type environment. Ife : t ⇒ C, Γ ⊢ C D, andθ D, thenΓθ ⊢

Se : tθ.

Theorem 5.3 (Completeness of constraint generation and rewrit-ing). Let e be an expression,t a type, andΓ a type environment.Letθ be a type substitution such thatΓθ ⊢

Se : tθ.

Let e : t ⇒ C. There exist a type-constraint setD and atype substitutionθ′, with dom(θ) ∩ dom(θ′) = ∅, such thatΓ ⊢ C D and(θ ∪ θ′) D.

10

These theorems and the properties above express soundness andcompleteness for the reconstruction system. Decidabilityis a directconsequence of the termination of the tallying algorithm.

5.3.2 Practical issues

As compared to reconstruction in ML, our system has the disad-vantage of being non-deterministic: in practice, an implementationshould check every solution that tallying generates at eachstepof type-constraint solving until it finds a choice of solution whichmakes the whole program well-typed. This should be done at ev-ery step of generalization (that is, for everymatch expression) andmight cripple efficiency. Whether this is significant in practice ornot is a question that requires further study and experimentation.Testing multiple solutions cannot be avoided since our system doesnot admit principal types. For instance the function

let f(x,y) = (function (‘A,‘A)|(‘B,‘B)→‘C)(x,y)

has both type(‘A,‘A)→‘C and type(‘B,‘B)→‘C (and neither isbetter than the other) but it is not possible to deduce for it their leastupper bound(‘A,‘A)∨(‘B,‘B)→‘C (which would be principal).

Multiple solutions often arise by instantiating some type vari-ables by the empty type. Such solutions are in many cases sub-sumed by other more general solutions, but not always. For in-stance, consider theα list data-type (encoded as the recursivetype X = (α,X)∨[]) together with the classicmap function overlists (the type of which is(α→ β)→α list→ β list). The appli-cation of map to the successor functionsucc : int→ int has typeint list→ int list, but also type[]→ [] (obtained by instantiat-ing all the variables of the type ofmap by the empty type). Thelatter type is correct, cannot be derived (by instantiationand/orsubtyping) from the former, but it is seldom useful (it just statesthatmap(succ) maps the empty list into the empty list). As such, itshould be possible to define some preferred choice of solution (i.e.,the solution that does not involve empty types) which is likely to bethe most useful in practice. As it happens, we would like to try torestrict the system so that it only considers solutions without emptytypes. While it would make us lose completeness with respecttoS,it would be interesting to compare the restricted system with ML(with respect to which it could still be complete).

6. ExtensionsIn this section, we present three extensions or modifications to theS type system; the presentation is just sketched for space reasons:the details of all three can be found in the Appendix.

The first is the introduction of overloaded functions typed viaintersection types, as done inCDuce. The second is a refinementof the typing of pattern matching, which we have shown as partof Example 2 (the functiong and our definition ofmap). Finally,the third is a restriction of our system to adapt it to the semanticsof the OCaml implementation which, unlike our calculus, cannotcompare safely untagged values of different types at runtime.

6.1 Overloaded functions

CDuce allows the use of intersection types to type overloadedfunctions precisely: for example, it can type the negation function

notdef= λx. match x with true → false | false → true

with the type(true → false) ∧ (false → true), which is moreprecise thanbool → bool. We can add this feature by changing therule to typeλ-abstractions to

∀j ∈ J. Γ, x : t′j ⊢ e : tj

Γ ⊢ λx. e :∧

j∈J t′j → tj

which types the abstraction with an intersection of arrow types, pro-vided each of them can be derived for it. The rule above roughly

corresponds to the one introduced by Reynolds for the languageForsythe [26]. With this rule alone, however, one has only the so-calledcoherent overloading[24], that is, the possibility of assign-ing different types to the same piece of code, yielding an intersec-tion type. In full-fledged overloading, instead, differentpieces ofcode are executed for different types of the input. This possibilitywas first introduced byCDuce [1, 14] and it is obtained by typ-ing pattern matching without taking into account the type ofthebranches that cannot be selected for a given input type. Indeed, thefunction “not” above cannot be given the type we want if we justadd the rule above: it can neither be typed astrue → false nor asfalse → true.

To use intersections effectively for pattern matching, we needto exclude redundant patterns from typing. We do so by changingthe ruleTs-Match(in Figure 2): when for some branchi we haveti ≤ 0, we do not type that branch at all, and we do not considerit in the result type (that is, we sett′i = 0). In this way, if we taket′j = true, we can derivetj = false (and vice versa). Indeed, ifwe assume that the argument istrue, the second branch will neverbe selected: it is therefore sound not to type it at all. This typingtechnique is peculiar toCDuce’s overloading. However, functionsin CDuce are explicitly typed. As type reconstruction is undecid-able for unrestricted intersection type systems, this extension wouldmake annotations necessary in our system as well. We plan to studythe extension of our system with intersection types for functionsand to adapt reconstruction to also consider explicit annotations.

6.2 Refining the type of expressions in pattern matching

Two of our motivating examples concerning pattern matching(from Section 1, Example 2) involved a refinement of the typing ofpattern matching that we have not described yet, but which can beadded as a small extension of ourS system.

Recall the functiong defined asλx. match x with A →id2 x | → x, whereid2 has domainA ∨ B. Like OCaml,S re-quires the type ofx to be a subtype ofA ∨ B, but this constraintis unnecessary becauseid2 x is only computed whenx = A. Tocapture this, we need pattern matching to introduce more precisetypes for variables in the matched expression; this is a formofoccurrence typing[28] or flow typing[22].

We first consider pattern matching on a variable. In an expres-sionmatch x with (pi → ei)i∈I we can obtain this increased preci-sion by using the typeti—actually, its generalization—forx whiletyping thei-th branch. In the case ofg, the first branch is typed as-sumingx has typet0 ∧ A, wheret0 is the type we have derived forx. As a result, the constraintt0 ∧ A ≤ A ∨ B does not restrictt0.

We can express this so as to reuse pattern environment genera-tion. LetL·M : E → P be a function such thatLxM = x andLeM =whene is not a variable. Then, we obtain the typing above if weuse

Γ, genΓ(ti//Le0M), genΓ(ti//pi)

as the type environment in which we type thei-th branch, ratherthanΓ, genΓ(ti//pi).

We generalize this approach to refine types also for variablesoccurring inside pairs and variants. To do so, we redefineL·M.On variants, we letLtag(e)M = tag(LeM). On pairs, ideally wewantL(e1, e2)M = (Le1M, Le2M): however, pair patterns cannot haverepeated variables, while(e1, e2) might. We therefore introducea new form of pair pattern〈p1, p2〉 (only for internal use) whichadmits repeated variables: environment generation for such patternsintersects the types it obtains for each occurrence of a variable.

6.3 Applicability to OCaml

A thesis of this work is that the type system of OCaml—specifically,the part dealing with polymorphic variants and pattern matching—

11

could be profitably replaced by an alternative, set-theoretic system.Of course, we need the set-theoretic system to be still type safe.

In Section 4, we stated thatS is sound with respect to thesemantics we gave in Section 2. However, this semantics is notprecise enough, as it does not correspond to the behaviour oftheOCaml implementation on ill-typed terms.7

Notably, OCaml does not record type information at runtime:values of different types cannot be compared safely and constantsof different basic types might have the same representation(as, forinstance,1 andtrue). Consider as an example the two functions

λx. match x with true → true | → false

λx. match x with (true, true) → true | → false .

Both can be given the type1 → bool in S, which is indeed safein our semantics. Hence, we can apply both of them to1, andboth returnfalse. In OCaml, conversely, the first would returntrueand the second would cause a crash. The typesbool → bool andbool×bool → bool, respectively, would be safe for these functionsin OCaml.

To model OCaml more faithfully, we define an alternative se-mantics where matching a valuev against a patternp can have threeoutcomes rather than two: it can succeed (v/p = ς), fail (v/p =Ω), or be undefined (v/p = ). Matching is undefined wheneverit is unsafe in OCaml: for instance,1/true = 1/(true, true) = (see Appendix A.5.3 for the full definition).

We use the same definition as before for reduction (see Sec-tion 2.2). Note that amatch expression on a value reduces to thefirst branch for which matching is successfulif the result isΩ forall previous branches. If matching for a branch is undefined, nobranch after it can be selected; hence, there are fewer possible re-ductions with this semantics.

Adapting the type system requires us to restrict the typing ofpattern matching so that undefined results cannot arise. We definethecompatible type⌈p⌉ of a patternp as the type of valuesv whichcan be safely matched with it: those for whichv/p 6= . Forinstance,⌈1⌉ = int. The rule for pattern matching should requirethat the typet0 of the matched expression be a subtype of all⌈pi⌉.

Note that this restricts the use of union types in the system.Forinstance, if we have a value of typebool ∨ int, we can no longeruse pattern matching to discriminate between the two cases.This isto be expected in a language without runtime type tagging: indeed,union types are primarily used for variants, which reintroduce tag-ging explicitly. Nevertheless, having unions of non-variant types inthe system is still useful, both internally (to type patternmatching)and externally (see Example 3 in Section 1, for instance).

7. Related workWe discuss here the differences between our system and otherformalizations of variants in ML. We also compare our work withthe work onCDuce and other union/intersection type systems.

7.1 Variants in ML: formal models and OCaml

K is based on the framework ofstructural polymorphismand morespecifically on the presentations by Garrigue [17, 19]. There existseveral other systems with structural polymorphism: for instance,the earlier one by Garrigue [16] and more expressive constraint-based frameworks, like the presentation of HM(X) by Pottier andRémy [25]. We have chosen as a starting point the system whichcorresponds most closely to the actual implementation in OCaml.

With respect to the system in Garrigue [17, 19],K differs mainlyin three respects. First, Garrigue’s system describes constraints

7 We can observe this if we bypass type-checking, for instanceby usingObj.magic for unsafe type conversions.

more abstractly and can accommodate different forms of polymor-phic typing of variants and of records. We only consider variantsand, as a result, give a more concrete presentation. Second,wemodel full pattern matching instead of “shallow” case analysis.To our knowledge, pattern matching on polymorphic variantsinOCaml is only treated in Garrigue [18] and only as concerns someproblems with type reconstruction. We have chosen to formalize itto compareK to our set-theoretic type systemS, which admits asimpler formalization and more precise typing. However, wehaveomitted a feature of OCaml that allows refinement of variant typesin alias patterns and which is modeled in Garrigue [17] by asplit

construct. While this feature makes OCaml more precise thanK, itis subsumed inS by the precise typing of capture variables. Third,we did not study type inference forK. SinceS is more expres-sive thanK and since we describe complete reconstruction for it,extending Garrigue’s inference system to pattern matchingwas un-necessary for the goals of this work.

As compared to OCaml itself (or, more precisely, to the frag-ment we consider) our formalization is different because itrequiresexhaustiveness; this might not always by practical inK, but non-exhaustive pattern matching is no longer useful once we introducemore precise types, as inS. Other differences include not consider-ing variant refinement in alias patterns, as noted above, andthe han-dling of conjunctive types, where OCaml is more restrictivethanwe are in order to infer more intuitive types [as discussed in18,Section 4.1].

7.2 S and theCDuce calculus

S reuses the subtyping relation defined by Castagna and Xu [4]and some of the work described in Castagna et al. [5, 6] (notably,the encoding of bounded polymorphism via type connectives andthe algorithm to solve the tallying problem). Here, we explore theapplication of these elements to a markedly different language.

Castagna et al. [5, 6] study polymorphic typing for theCDucelanguage, which features type-cases. Significantly, such type-casescan discriminate between functions of different types; patternmatching in ML cannot (indeed, it cannot distinguish betweenfunctions and non-functional values). As a result, the runtime se-mantics ofCDuce is quite involved and, unlike ours, not type-erasing; our setting has allowed us to simplify the type systemtoo. Moreover, most of the work in Castagna et al. [5, 6] studiesan explicitly-typed language (where functions can be typedwithintersection types). In contrast, our language is implicitly typed.We focus our attention on type reconstruction and prove it soundand complete, thanks to the limited use we make of intersections.We have also introduced differences in presentation to conform oursystem to standard descriptions of the Hindley-Milner system.

7.3 Union types and pattern matching

The use of union and intersection types in ML has been studiedinthe literature ofrefinement typesystems. For example, the thesesof Davies [12] and Dunfield [13] describe systems where declareddatatypes (such as the ordinary variants of OCaml) are refined byfinite discriminated unions. Here we study a very different setting,because we considerpolymorphicvariants and, above all, we focuson providing complete type reconstruction, while the citedworksdescribe forms of bidirectional type checking which require typeannotations. Conversely, our system makes a more limited useof intersection types, since it does not allow the derivation ofintersection types for functions. Refinement type systems are closerin spirit to the work onCDuce which is why we refer the reader toSection 7 on related work in Castagna et al. [5] for a comprehensivecomparison.

For what concerns programming languages we are not aware ofany implicitly-typed language with full-fledged union types. The

12

closest match to our work is probably Typed Racket [27, 28] whichrepresents datatypes as unions of tagged types, as we do. Howeverit does not perform type reconstruction: it is an explicitly-typedlanguage with local type inference, that is, the very same settingstudied forCDuce in Castagna et al. [6] whose Section 6 contains athorough comparison with the type system of Typed Racket. TypedRacket also featuresoccurrence typing, which refines the types ofvariables according to the results of tests (combinations of predi-cates on base types and selectors) to give a form of flow sensitiv-ity. We introduced a similar feature in Section 6.2: we use patternmatching and hence consider tests which are as expressive astheirs,but we do not allow them to be abstracted out as functions.

8. ConclusionThis work shows how to add general union, intersection and dif-ference types in implicitly-typed languages that traditionally usethe HM type system. Specifically, we showed how to improve thecurrent OCaml type system of polymorphic variants in four dif-ferent aspects: its formalization, its meta-theoretic properties, theexpressiveness of the system, and its practical ramifications. Theseimprovements are obtained by a drastic departure from the currentunification-based approach and by the injection in the system ofset-theoretic types and semantic subtyping.

Our approach arguably improves the formalization of polymor-phic variants: in our system we directly encode all meta-theoreticnotions in a core—albeit rich—type theory, while the currentOCaml system must introduce sophisticated “ad hoc” construc-tions (e.g., the definition of constrained kind, cf. Definition 3.2) tosimulate subtyping. This is why, in our approach, bounded poly-morphism can be encoded in terms of union and intersection types,and meta-theoretic properties such as exhaustiveness and redun-dancy in pattern matching can be internalized and expressedinterms of types and subtyping. Likewise, the most pleasant surpriseof our formalization is the definition of the generality relation⊑ ontype schemes (cf. equation (1)): the current OCaml formalizationrequires complicated definitions such as the admissibilityof typesubstitutions, while in our system it turns out to be the straightfor-ward and natural generalization to subtyping of the usual relationof ML. A similar consideration can be done for unification, whichis here generalized by the notion of tallying.

It could be objected that what we have done is just to pushcomplexities down in the theory of semantic subtyping. However,the theory of semantic subtyping is well developed and tested, and,above all, it was defined independently from polymorphic variants.The fact that polymorphic variants can be encoded in semanticsubtyping without any real modification of the latter looks to usas a further proof of the relevance of our solution. In the endwe obtain a type system which is very natural: if we abstract thetechnicalities of the rule for pattern matching, the type systemreally is what one expects it to be: all (and only) the classictypingrules plus a subsumption rule. And even the ruleTs-Match, the mostcomplicated one, is at the end what one should expect it to be:(1)type the matched expressione0, (2) check whether the patterns areexhaustive, (3) for each branch (3.i) compute the set of the resultsof e0 that are captured by the pattern of the branch, (3.ii) use themto deduce the type of the capture variables of the pattern (3.iii)generalize the types of these variables in order to type the bodyof the branch, and (4) return the union of the types of the branches.

The advantages of our approach are not limited to the for-malization. The resulting system is more expressive—it typesmore programs while preserving static type safety—and natu-ral, insofar as it removes the pathological behaviours we out-lined in the introduction as well as problems found in real life[e.g., 21, 29]. The solution can be even more satisfactory ifweextend the current syntax of OCaml types. For instance, Nicol-

let [21] shows the OCaml functionfunction ‘A → ‘B | x → x

which transforms‘A into ‘B and leaves any other constructor un-changed. OCaml gives to this function the somewhat nonsensicaltype([> ‘A | ‘B ] as α) → α. Our reconstruction algorithm de-duces instead the typeα→ (‘B | (α\‘A)): it correctly deducesthat the result can be either‘B or the variant in input, but can neverbe‘A [for further examples of the use of difference types see 8, 11].If we want to preserve the current syntax of OCaml types, thistypeshould be approximated as([> ‘B ] as α) → α; however, if weextend the syntax with differences (that in our system come forfree), we gain the expressiveness that the kinding approachcanonly achieve with explicit row variables and that is needed,forinstance, to encode exceptions [2]. But we can do more: by allow-ing also intersections in the syntax of OCaml types we could typeNicollet’s function by the type(‘A → ‘B) & ((α\‘A) → (α\‘A)),which is exact since it states that the function maps‘A to ‘B andleaves any argument other than‘A unchanged. As an aside, noticethat types of this form provide an exact typing of exception han-dlers as intended by Blume et al. [2] (Nicollet’s function can beseen as a handler that catches the exception‘A yielding ‘B and letsall other values pass through).

Finally, our work improves some aspects of the theory of se-mantic subtyping as well: our type reconstruction copes with let-polymorphism and pattern matching and it is proven to be not onlysound but also complete, all properties that the system in Castagnaet al. [6] does not possess. Furthermore, the refinement we pro-posed in Section 6.2 applies toCDuce patterns as well, and it hasalready been implemented in the development version ofCDuce.

This work is just the first step of a long-term research. Ourshort-term plan is to finish an ongoing implementation and test it,especially as concerns messages to show to the programmer. Wealso need to extend the subtyping relation used here to cope withtypes containing cyclic values (e.g., along the lines of thework ofBonsangue et al. [3]): the subtyping relation of Castagna and Xu[4] assumes that types contain only finite values, but cyclicvaluescan be defined in OCaml.

The interest of this work is not limited to polymorphic variants.In the long term we plan to check whether building on this workit ispossible to extend the syntax of OCaml patterns and types, soas toencode XML document types and provide the OCaml programmerwith processing capabilities for XML documents like those that canbe found in XML-centred programming languages such asCDuce.Likewise we want to explore the addition of intersection types toOCaml (or Haskell) in order to allow the programmer to definerefinement types and check how such an integration blends withexisting features, notably GADTs.

AcknowledgmentsWe want to thank Jacques Garrigue for his invaluable feedback onan early version of this work.

References[1] V. Benzaken, G. Castagna, and A. Frisch.CDuce: an XML-centric

general-purpose language. InACM SIGPLAN International Confer-ence on Functional Programming (ICFP), pages 51–63, 2003.

[2] M. Blume, U. A. Acar, and W. Chae. Exception handlers as extensiblecases. InProceedings of the 6th Asian Symposium on ProgrammingLanguages and Systems (APLAS), LNCS, pages 273–289. Springer,2008.

[3] M. Bonsangue, J. Rot, D. Ancona, F. de Boer, and J. Rutten.A coalge-braic foundation for coinductive union types. InAutomata, Languages,and Programming - 41st International Colloquium (ICALP), volume8573 ofLecture Notes in Computer Science, pages 62–73. Springer,2014.

13

[4] G. Castagna and Z. Xu. Set-theoretic foundation of parametric poly-morphism and subtyping. InACM SIGPLAN International Conferenceon Functional Programming (ICFP), pages 94–106, 2011.

[5] G. Castagna, K.Nguyễn, Z. Xu, H. Im, S. Lenglet, and L. Padovani.Polymorphic functions with set-theoretic types. part 1: Syntax, seman-tics, and evaluation. InACM SIGPLAN-SIGACT Symposium on Prin-ciples of Programming Languages (POPL), pages 5–17, 2014.

[6] G. Castagna, K.Nguyễn, Z. Xu, and P. Abate. Polymorphic func-tions with set-theoretic types. part 2: Local type inference and typereconstruction. InACM SIGPLAN-SIGACT Symposium on Principlesof Programming Languages (POPL), Mumbai, India, pages 289–302,2015.

[7] CDuce.http://www.cduce.org.

[8] [CAML -LIST 1]. Polymorphic variant difference.https://goo.gl/WlPgdY, May 2007. OCaml mailing list post.

[9] [CAML -LIST 2]. Variant filtering. https://goo.gl/d7DQhU, Feb.2000. OCaml mailing list post.

[10] [CAML -LIST 3]. Polymorphic variant typing.https://goo.gl/O054v1, Feb. 2005. OCaml mailing list post.

[11] [CAML -LIST 4]. Getting rid of impossible polymorphic variant tagsfrom infered types. https://goo.gl/ELougz, Mar. 2004. OCamlmailing list post.

[12] R. Davies.Practical Refinement-Type Checking. PhD thesis, CarnegieMellon University, May 2005.

[13] J. Dunfield. A Unified System of Type Refinements. PhD thesis,Carnegie Mellon University, Aug. 2007.

[14] A. Frisch, G. Castagna, and V. Benzaken. Semantic Subtyping. InLICS ’02, 17th Annual IEEE Symposium on Logic in Computer Sci-ence, pages 137–146. IEEE Computer Society Press, 2002.

[15] A. Frisch, G. Castagna, and V. Benzaken. Semantic subtyping: dealingset-theoretically with function, union, intersection, and negation types.Journal of the ACM, 55(4):1–67, 2008.

[16] J. Garrigue. Programming with polymorphic variants. In ACM SIG-PLAN Workshop on ML, Baltimore, Maryland, USA, 1998. Informalproceedings.

[17] J. Garrigue. Simple type inference for structural polymorphism. InIn-ternational Workshop on Foundations of Object-Oriented Languages(FOOL), Portland, Oregon, USA, 2002. Informal proceedings.

[18] J. Garrigue. Typing deep pattern-matching in presenceof polymorphicvariants. InJSSST Workshop on Programming and ProgrammingLanguages, Gamagori, Japan, 2004.

[19] J. Garrigue. A certified implementation of ML with structural poly-morphism and recursive types.Mathematical Structures in ComputerScience, 25:867–891, 2015.

[20] L. Maranget. Warnings for pattern matching.Journal of FunctionalProgramming, 17(3):387–421, 2007.

[21] V. Nicollet. Do variant types in OCaml suck?http://goo.gl/FOOwal, Mar. 2011. Blog post.

[22] D. J. Pearce. Sound and complete flow typing with unions,inter-sections and negations. InInternational Conference on Verification,Model Checking, and Abstract Interpretation (VMCAI), pages 335–354, Jan. 2013.

[23] T. Petrucciani. A set-theoretic type system for polymorphic variantsin ML. Master’s thesis, Università degli studi di Genova, 2015.

[24] B. Pierce. Programming with Intersection Types and Bounded Poly-morphism. PhD thesis, Carnegie Mellon University, December 1991.Available as School of Computer Science technical report CMU-CS-91-205.

[25] F. Pottier and D. Rémy. The essence of ML type inference.InB. C. Pierce, editor,Advanced Topics in Types and ProgrammingLanguages, chapter 10, pages 389–489. MIT Press, 2005.

[26] J. C. Reynolds.Algol-like Languages, chapter Design of the Program-ming Language Forsythe, pages 173–233. Birkhäuser, Boston, MA,1997. ISBN 978-1-4612-4118-8. Peter W. O’Hearn and Robert D.Tennent (eds.).

[27] S. Tobin-Hochstadt and M. Felleisen. The design and implementationof typed scheme. InACM SIGPLAN-SIGACT Symposium on Princi-ples of Programming Languages (POPL), San Francisco, California,USA, pages 395–406, 2008.

[28] S. Tobin-Hochstadt and M. Felleisen. Logical types foruntypedlanguages. InACM SIGPLAN International Conference on FunctionalProgramming (ICFP), pages 117–128, 2010.

[29] T. Wegrzanowski. Variant types in OCaml suck.http://goo.gl/bY0bMA, May 2006. Blog post.

14

A. AppendixIn this Appendix, we present full definitions of the languageand type systems we have described,together with complete proofs of all results.

A.1 The language of polymorphic variants

A.1.1 Syntax

We assume that there exist a countable setX of expression variables, ranged over byx, y, z, . . . , asetC of constants, ranged over byc, and a setL of tags, ranged over bytag.

Definition A.1 (Expressions). An expressione is a term inductively generated by the followinggrammar:

e ::= x | c | λx. e | e e | (e, e) | tag(e) | match e with (pi → ei)i∈I

wherep ranges over the setP of patterns, defined below. We writeE to denote the set of allexpressions.

We definefv(e) to be the set of expression variables occurring free in the expressione, and wesay thate is closedif and only if fv(e) is empty.

As customary, we consider expressions up toα-renaming of the variables bound by abstractionsand by patterns.

Definition A.2 (Patterns). A patternp is a term inductively generated by the following grammar:

p ::= | x | c | (p, p) | tag(p) | p&p | p|p

such that

• in a pair pattern(p1, p2) or an intersection patternp1&p2, capt(p1) ∩ capt(p2) = ∅;• in a union patternp1|p2, capt(p1) = capt(p2),

wherecapt(p) denotes the set of expression variables occurring as sub-terms in a patternp (calledthecapture variablesof p).

We writeP to denote the set of all patterns.

A.1.2 Semantics

Definition A.3 (Values). A valuev is a closed expression inductively generated by the followinggrammar.

v ::= c | λx. e | (v, v) | tag(v)

Definition A.4 (Expression substitution). An expression substitutionς is a partial mapping ofexpression variables to values. We write[ vi/xi | i ∈ I ] for the substitution which replaces freeoccurrences ofxi with vi, for eachi ∈ I . We writeeς for the application of the substitution to anexpressione. We writeς1 ∪ ς2 for the union of disjoint substitutions.

Definition A.5 (Semantics of pattern matching). We writev/p for the result of matching a valuev against a patternp. We have eitherv/p = ς, whereς is a substitution defined on the variablesin capt(p), or v/p = Ω. In the former case, we say thatv matchesp (or that p acceptsv); in thelatter, we say that matching fails.

The definition ofv/p is given inductively in Figure 6.

Definition A.6 (Evaluation contexts). Let the symbol[ ] denote a hole. Anevaluation contextE isa term inductively generated by the following grammar.

E ::= [ ] | E e | v E | (E, e) | (v,E) | tag(E) | match E with (pi → ei)i∈I

We writeE[ e ] for the expression obtained by replacing the hole inE with the expressione.

Definition A.7 (Reduction). The reduction relation between expressions is given by the rules inFigure 7.

A.2 Typing variants with kinding constraints

A.2.1 Definition of theK type system

We assume that there exists a countable setV of type variables, ranged over byα, β, γ, . . . . Wealso consider a finite setB of basic types, ranged over byb, and a functionb(·) from constants tobasic types.

Definition A.8 (Types). A typeτ is a term inductively generated by the following grammar.

τ ::= α | b | τ → τ | τ × τ

15

v/ = [ ]

v/x = [v/x]

v/c =

[ ] if v = c

Ω otherwise

v/(p1, p2) =

ς1 ∪ ς2 if v = (v1, v2) and∀i. vi/pi = ςiΩ otherwise

v/tag(p1) =

ς1 if v = tag(v1) andv1/p1 = ς1Ω otherwise

v/p1&p2 =

ς1 ∪ ς2 if ∀i. v/pi = ςiΩ otherwise

v/p1|p2 =

v/p1 if v/p1 6= Ω

v/p2 otherwise

Figure 6. Semantics of pattern matching.

R-Appl(λx. e) v e[v/x]

R-Matchv/pj = ς ∀i < j. v/pi = Ω

match v with (pi → ei)i∈I ejςj ∈ I

R-Ctxe e′

E[ e ] E[ e′ ]

Figure 7. Small-step reduction relation.

Definition A.9 (Kinds). A kind κ is either theunconstrained kind“ •” or a constrained kind, thatis, a triple(L,U, T ) where:

• L is a finite set of tagstag1, . . . , tagn;• U is either a finite set of tags or the setL of all tags;• T is a finite set of pairs of a tag and a type, writtentag1 : τ1, . . . , tagn : τn (its domain

dom(T ) is the set of tags occurring in it);

and where the following conditions hold:

• L ⊆ U , L ⊆ dom(T ), and, ifU 6= L, U ⊆ dom(T );• tags in L have a single type inT , that is, if tag ∈ L, whenever both tag: τ1 ∈ T and

tag: τ2 ∈ T , we haveτ1 = τ2.

Definition A.10 (Kind entailment). The entailment relation· · between constrained kinds isdefined as

(L,U, T ) (L′, U ′, T ′) ⇐⇒ L ⊇ L′ ∧ U ⊆ U ′ ∧ T ⊇ T ′ .

Definition A.11 (Kinding environments). A kinding environmentK is a partial mapping from typevariables to kinds. We write kinding environments asK = α1 :: κ1, . . . , αn :: κn. We writeK,K′ for the updating of the kinding environmentK with the new bindings inK′. It is defined asfollows.

(K,K′)(α) =

K′(α) if α ∈ dom(K′)

K(α) otherwise

We say that a kinding environment isclosedif all the type variables that appear in the typesin its range also appear in its domain. We say it iscanonicalif it is infinite and contains infinitelymany variables of every kind.

Definition A.12 (Type schemes). A type schemeσ is of the form∀A.K ⊲ τ , where:

• A is a finite setα1, . . . , αn of type variables;• K is a kinding environment such thatdom(K) = A.

16

We identify a type scheme∀∅.∅ ⊲ τ , which quantifies no variable, with the typeτ itself. Weconsider type schemes up to renaming of the variables they bind and disregard useless quantification(i.e., quantification of variables that do not occur in the type).

Definition A.13 (Free variables). The set offree variablesvarK(σ) of a type schemeσ with respectto a kinding environmentK is the minimum set satisfying the following equations.

varK(∀A.K′ ⊲ τ ) = varK,K′ (τ ) \A

varK(α) =

α ∪⋃

tag: τ∈T varK(τ ) if K(α) = (L,U, T )

α otherwise

varK(b) = ∅

varK(τ1 → τ2) = varK(τ1) ∪ varK(τ2)

varK(τ1 × τ2) = varK(τ1) ∪ varK(τ2)

We say that a typeτ is groundor closedif and only ifvar∅(τ ) is empty. We say that a type or atype scheme isclosed in a kinding environmentK if all its free variables are in the domain ofK.

Definition A.14 (Type substitutions). A type substitutionθ is a finite mapping of type variables totypes. We write[ τi/αi | i ∈ I ] for the type substitution which simultaneously replacesαi with τi,for eachi ∈ I . We writeτθ for the application of the substitutionθ to the typeτ , which is definedas follows.

αθ =

τ ′ if τ ′/α ∈ θ

α otherwise

bθ = b

(τ1 → τ2)θ = (τ1θ) → (τ2θ)

(τ1 × τ2)θ = (τ1θ)× (τ2θ)

We extend thevar operation to substitutions as

varK(θ) =⋃

α∈dom(θ)

varK(αθ) .

We extend application of substitutions to the typing component of a constrained kind(L,U, T ):Tθ is given by the pointwise application ofθ to all types inT . We extend it to kinding environments:Kθ is given by the pointwise application ofθ to the typing component of every constrained kindin the range ofK. We extend it to type schemes∀A.K ⊲ τ : by renaming quantified variables, weassumeA ∩ (dom(θ) ∪ var∅(θ)) = ∅, and we have(∀A.K ⊲ τ )θ = ∀A.Kθ ⊲ τθ.

We writeθ1 ∪ θ2 for the union of disjoint substitutions andθ1 θ2 for the composition ofsubstitutions.

Definition A.15 (Admissibility of a type substitution). A type substitutionθ is admissiblebetweentwo kinding environmentsK andK′, writtenK ⊢ θ : K′, if and only if, for every type variableα such thatK(α) = (L,U, T ), αθ is a type variable such thatK′(αθ) = (L′, U ′, T ′) and(L′, U ′, T ′) (L, U, T θ).

Definition A.16 (Type environments). A type environmentΓ is a partial mapping from expressionvariables to type schemes. We write type environments asΓ = x1 : σ1, . . . , xn : σn.

We writeΓ,Γ′ for the updating of the type environmentΓ with the new bindings inΓ′. It isdefined as follows.

(Γ,Γ′)(x) =

Γ′(x) if x ∈ dom(Γ′)

Γ(x) otherwise

We extend thevar operation to type environments as

varK(Γ) =⋃

σ∈range(Γ)

varK(σ) .

Definition A.17 (Generalization). We define thegeneralizationof a typeτ with respect to a kindingenvironmentK and a type environmentΓ as the type scheme

genK;Γ(τ ) = ∀A.K′ ⊲ τ

whereA = varK(τ ) \ varK(Γ) andK′ = α :: K(α) | α ∈ A .We extend this definition to type environments which only contain types (i.e., trivial type

schemes) as

genK;Γ(xi : τi | i ∈ I ) = xi : genK;Γ(τi) | i ∈ I .

17

TPk-WildcardK ⊢ : τ ⇒ ∅

TPk-VarK ⊢ x : τ ⇒ x : τ

TPk-ConstK ⊢ c : bc ⇒ ∅

TPk-PairK ⊢ p1 : τ1 ⇒ Γ1 K ⊢ p2 : τ2 ⇒ Γ2

K ⊢ (p1, p2) : τ1 × τ2 ⇒ Γ1 ∪ Γ2

TPk-TagK ⊢ p : τ ⇒ Γ K(α) = (L,U, T ) (tag∈ U impliestag: τ ∈ T )

K ⊢ tag(p) : α ⇒ Γ

TPk-AndK ⊢ p1 : τ ⇒ Γ1 K ⊢ p2 : τ ⇒ Γ2

K ⊢ p1&p2 : τ ⇒ Γ1 ∪ Γ2

TPk-OrK ⊢ p1 : τ ⇒ Γ K ⊢ p2 : τ ⇒ Γ

K ⊢ p1|p2 : τ ⇒ Γ

Figure 8. Pattern environment generation forK.

Tk-Varτ ∈ instK(Γ(x))

K; Γ ⊢Kx : τ

Tk-ConstK; Γ ⊢

Kc : bc

Tk-AbstrK; Γ, x : τ1 ⊢

Ke : τ2

K; Γ ⊢Kλx. e : τ1 → τ2

Tk-ApplK; Γ ⊢

Ke1 : τ

′ → τ K; Γ ⊢Ke2 : τ

′

K; Γ ⊢Ke1 e2 : τ

Tk-PairK; Γ ⊢

Ke1 : τ1 K; Γ ⊢

Ke2 : τ2

K; Γ ⊢K(e1, e2) : τ1 × τ2

Tk-TagK; Γ ⊢

Ke : τ K(α) (tag,L, tag: τ)

K; Γ ⊢K

tag(e) : α

Tk-Match

K; Γ ⊢Ke0 : τ0 τ0 4K pi | i ∈ I

∀i ∈ I K ⊢ pi : τ0 ⇒ Γi K; Γ, genK;Γ(Γi) ⊢K ei : τ

K; Γ ⊢Kmatch e0 with (pi → ei)i∈I : τ

Figure 9. Typing relation forK.

Definition A.18 (Instances of a type scheme). The set ofinstancesof a type scheme∀A.K′ ⊲ τ ina kinding environmentK is defined as

instK(∀A.K′ ⊲ τ ) = τθ | dom(θ) ⊆ A ∧ K,K′ ⊢ θ : K .

We say that a type schemeσ1 is more generalthan a type schemeσ2 in K, and we writeσ1 ⊑K σ2, if instK(σ1) ⊇ instK(σ2).

We extend this notion to type environments as

Γ1 ⊑K Γ2 ⇐⇒ dom(Γ1) = dom(Γ2) ∧ ∀x ∈ dom(Γ1). Γ1(x) ⊑K Γ2(x) .

Definition A.19 (Pattern environment generation). The environment generated by pattern matchingis given by the relationK ⊢ p : τ ⇒ Γ (the patternp can match typeτ in K, producing the bindingsin Γ), defined by the rules in Figure 8.

Definition A.20 (Exhaustiveness). We say that a set of patternsP is exhaustivewith respect to atypeτ in a kinding environmentK, and we writeτ 4K P , when

∀K′, θ, v. (K ⊢ θ : K′ ∧ K′;∅ ⊢Kv : τθ) =⇒ ∃p ∈ P, ς. v/p = ς .

Definition A.21 (Typing relation). The typing relationK; Γ ⊢Ke : τ (e is given typeτ in the

kinding environmentK and the type environmentΓ) is defined by the rules in Figure 9, where werequireK to be closed andΓ and τ to be closed with respect toK. We also assume thatK iscanonical.

A.2.2 Properties of theK type system

Lemma A.1 (Generation for values). Letv be a value. Then:

• if K; Γ ⊢Kv : b, thenv = c for some constantc such thatbc = b;

• if K; Γ ⊢Kv : τ1 → τ2, thenv is of the formλx. e andK; Γ, x : τ1 ⊢

Ke : τ2;

• if K; Γ ⊢Kv : τ1 × τ2, thenv is of the form(v1, v2), K; Γ ⊢

Kv1 : τ1, andK; Γ ⊢

Kv2 : τ2;

18

• if K; Γ ⊢Kv : α, thenv is of the form tag(v1), K(α) = (L, U, T ), tag∈ L, andK; Γ ⊢

Kv1 : τ1

for the only typeτ1 such that tag: τ1 ∈ T .

Proof. The typing rules are syntax-directed, so the last rule applied to type a value is fixed byits form. All these rules derive types of different forms, thus the form of the type assigned to avalue determines the last rule used. In each case the premises of the rule entail the consequencesabove.

Lemma A.2 (Correctness of environment generation). Let p be a pattern andv a value such thatv/p = ς. If K; Γ ⊢

Kv : τ andK ⊢ p : τ ⇒ Γ′, then, for allx ∈ capt(p), K; Γ ⊢

Kxς : Γ′(x).

Proof. By induction on the derivation ofK ⊢ p : τ ⇒ Γ′. We reason by cases on the last appliedrule.

Cases TPk-Wildcard and TPk-ConstThere is nothing to prove sincecapt(p) = ∅.

Case TPk-Var We have

v/x = [v/x] K ⊢ x : τ ⇒ x : τ

and must proveK; Γ ⊢Kx[v/x] : x : τ(x), which we know by hypothesis.

Case TPk-Pair We have

K ⊢ (p1, p2) : τ1 × τ2 ⇒ Γ′1 ∪ Γ′

2 K ⊢ p1 : τ1 ⇒ Γ′1 K ⊢ p2 : τ2 ⇒ Γ′

2 .

By Lemma A.1,K; Γ ⊢Kv : τ1 × τ2 implies v = (v1, v2) andK; Γ ⊢

Kvi : τi for both i.

Furthermore,(v1, v2)/(p1, p2) = ς = ς1 ∪ ς2, andvi/pi = ςi for both i. For each capturevariablex, we can apply the induction hypothesis to the sub-pattern which containsx andconclude.

Case TPk-TagWe have

K ⊢ tag(p1) : α ⇒ Γ′ K ⊢ p1 : τ1 ⇒ Γ′

K(α) = (L, U, T ) (tag∈ U impliestag: τ1 ∈ T ) .

Sincev/tag(p1) = ς, we knowv = tag(v1). Hence, by Lemma A.1, we havetag ∈ L andK; Γ ⊢

Kv1 : τ

′1 with tag: τ ′

1 ∈ T . Sincetag∈ U , we also havetag: τ1 ∈ T and henceτ1 = τ ′1

(astag is also inL and can only have a single type inT ).We therefore knowK ⊢ p1 : τ1 ⇒ Γ′ andK; Γ ⊢

Kv1 : τ1, as well asv1/p1 = ς. We can

apply the induction hypothesis to conclude.

Cases TPk-And and TPk-OrStraightforward application of the induction hypothesis,to bothsub-patterns for intersections and to the one that is actually selected for unions.

Lemma A.3 (Stability of environment generation under type substitutions). If K ⊢ p : τ ⇒ Γ,thenK′ ⊢ p : τθ ⇒ Γθ for every type substitutionθ such thatK ⊢ θ : K′.

Proof. By induction on the derivation ofK ⊢ p : τ ⇒ Γ. We reason by cases on the last appliedrule.

Cases TPk-Wildcard, TPk-Var, and TPk-ConstStraightforward.

Case TPk-Pair We have

K ⊢ (p1, p2) : τ1 × τ2 ⇒ Γ1 ∪ Γ2 K ⊢ p1 : τ1 ⇒ Γ1 K ⊢ p2 : τ2 ⇒ Γ2 .

By the induction hypothesis we derive bothK′ ⊢ p1 : τ1θ ⇒ Γ1θ andK′ ⊢ p2 : τ2θ ⇒Γ2θ, then we applyTPk-Pairagain to conclude.

Case TPk-TagWe have

K ⊢ tag(p1) : α ⇒ Γ K ⊢ p1 : τ1 ⇒ Γ

K(α) = (L, U, T ) (tag∈ U impliestag: τ1 ∈ T ) .

By the induction hypothesis we deriveK′ ⊢ p1 : τ1θ ⇒ Γθ. SinceK ⊢ θ : K′, αθmust be a variableβ such thatK′(β) = (L′, U ′, T ′). To apply TPk-Tagand conclude,we must establish that, iftag ∈ U ′, thentag: τ1θ ∈ T ′. Since admissibility also implies(L′, U ′, T ′) (L,U, T θ), we haveU ′ ⊆ U andTθ ⊆ T ′. Hence, iftag ∈ U ′, thentag ∈ U ,in which casetag: τ1 ∈ T and thereforetag: τ1θ ∈ Tθ, andtag: τ1θ ∈ T ′.

Cases TPk-And and TPk-OrStraightforward application of the induction hypothesis,analogouslyto the case of pair patterns.

19

Lemma A.4 (Stability of exhaustiveness under type substitutions). If τ 4K P , thenτθ 4K′ P forany type substitutionθ such thatK ⊢ θ : K′.

Proof. We must prove, for everyK′′, θ′ such thatK′ ⊢ θ′ : K′′ and everyv such thatK′′;∅ ⊢K

v : τθθ′, that there exists ap ∈ P which acceptsv. This holds becauseθ′ θ is such thatK ⊢ θ′ θ : K′′: for any α such thatK(α) = (L,U, T ), we haveK′(αθ) = (L′, U ′, T ′)and henceK′′(αθθ′) = (L′′, U ′′, T ′′); we have(L′, U ′, T ′) (L, U, T θ) and(L′′, U ′′, T ′′) (L′, U ′, T ′θ′) and therefore(L′′, U ′′, T ′′) (L,U, T θθ′). The conclusion follows by the defini-tion of τ 4K P .

Lemma A.5. If varK(Γ1) ⊆ varK(Γ2), then, for every typeτ , genK;Γ1(τ ) ⊑K genK;Γ2

(τ ).

Proof. An instance ofgenK;Γ2(τ ) is a typeτθ such thatdom(θ) ⊆ varK(τ ) \ varK(Γ2) and

K ⊢ θ : K. It is also an instance ofgenK;Γ1(τ ), with the sameθ, sincevarK(τ ) \ varK(Γ2) ⊆

varK(τ ) \ varK(Γ1).

Lemma A.6 (Weakening). LetK be a kinding environment andΓ1,Γ2 two type environments suchthatΓ1 ⊑K Γ2 andvarK(Γ1) ⊆ varK(Γ2). If K; Γ2 ⊢

Ke : τ , thenK; Γ1 ⊢

Ke : τ .

Proof. By induction on the derivation ofK; Γ2 ⊢Ke : τ . We reason by cases on the last applied rule.

Case Tk-Var We have:

K; Γ2 ⊢Kx : τ τ ∈ instK(Γ2(x))

and hence, sinceΓ1 ⊑K Γ2, we haveτ ∈ instK(Γ1(x)) and applyTk-Var to conclude.

Case Tk-ConstStraightforward.

Case Tk-Abstr We have:

K; Γ2 ⊢Kλx. e1 : τ1 → τ2 K; Γ2, x : τ1 ⊢

Ke1 : τ2 .

SinceΓ1 ⊑K Γ2, we haveΓ1, x : τ1 ⊑K Γ2, x : τ1, and, sincevarK(Γ1) ⊆ varK(Γ2),we havevarK(Γ1, x : τ1) ⊆ varK(Γ2, x : τ1). Thus we may deriveK; Γ1, x : τ1 ⊢

K

e1 : τ2 by the induction hypothesis and applyTk-Abstrto conclude.

Cases Tk-Appl, Tk-Pair, and Tk-TagStraightforward application of the induction hypothesis.

Case Tk-Match We have

K; Γ2 ⊢Kmatch e0 with (pi → ei)i∈I : τ

K; Γ2 ⊢Ke0 : τ0 τ0 4K pi | i ∈ I

∀i ∈ I. K ⊢ pi : τ0 ⇒ Γi K; Γ2, genK;Γ2(Γi) ⊢K ei : τ .

By the induction hypothesis, we deriveK; Γ1 ⊢Ke0 : τ0.

For every branch, note that by Lemma A.5varK(Γ1) ⊆ varK(Γ2) impliesgenK;Γ1(τ ) ⊑K

genK;Γ2(τ ) for any τ . Hence, we haveΓ1, genK;Γ1

(Γi) ⊑K Γ2, genK;Γ2(Γi). Additionally,

sincevarK(genK;Γ1(Γi)) ⊆ varK(Γ1), we havevarK(Γ1, genK;Γ1

(Γi)) ⊆ varK(Γ2, genK;Γ2(Γi)).

Hence we may apply the induction hypothesis for alli to deriveK; Γ1, genK;Γ1(Γi) ⊢

K

ei : τ and then applyTk-Matchto conclude.

Lemma A.7 (Stability of typing under type substitutions). Let K, K′ be two closed, canonicalkinding environments andθ a type substitution such thatK ⊢ θ : K′. If K; Γ ⊢

Ke : τ , then

K′; Γθ ⊢Ke : τθ.

Proof. By induction on the derivation ofK; Γ ⊢Ke : τ . We reason by cases on the last applied rule.

Case Tk-Var We have

K; Γ ⊢Kx : τ τ ∈ instK(Γ(x))

Γ(x) = ∀A.Kx ⊲ τx τ = τxθx dom(θx) ⊆ A K,Kx ⊢ θx : K

and must show

K′; Γθ ⊢Kx : τθ .

By α-renaming we can assume thatθ does not involveA, that is,A ∩ dom(θ) = ∅ andA∩ var∅(θ) = ∅, and also thatA∩ (dom(K′)∪ var∅(K

′)) = ∅, that is, that the variables inA are not assigned a kind inK′ nor do they appear in the types in the typing component of thekinds inK′.

Under these assumptions,(Γθ)(x) = ∀A.Kxθ ⊲ τxθ. We must show thatτθ = τxθθ′x for a

substitutionθ′x such thatdom(θ′x) ⊆ A andK′,Kxθ ⊢ θ′x : K′.

20

Let θ′x = [ αθxθ/α | α ∈ A ]. First, we show thatτxθθ′x = τxθxθ = τθ, by showing that, foranyα, αθθ′x = αθxθ. If α ∈ A, thenαθθ′x = αθ′x = αθxθ (θ is not defined on the variablesin A). If α /∈ A, thenαθθ′x = αθ (θ never produces any variable inA) andαθxθ = αθ asα /∈ dom(θx).

Sincedom(θ′x) ⊆ A holds, we only need to establish thatK′,Kxθ ⊢ θ′x : K′. This requires

proving, for eachα such that(K′, Kxθ)(α) = (L, U, T ), thatαθ′x is a type variable such thatK′(αθ′x) = (L′, U ′, T ′) and(L′, U ′, T ′) (L,U, T θ′x).

Such anα can either be in the domain ofKxθ (if and only if it is in A) or in the domain ofK′. In the latter case, we haveαθ′x = α, sinceα /∈ A, and hence its kind inK′ is the same asin K′,Kxθ. We must prove(L,U, T ) (L, U, T θ′x), which holds because the variables inAdo not appear inT since(L, U, T ) ∈ range(K′).

In the former case, we have(Kxθ)(α) = (L, U, T ) and henceKx(α) = (L,U, T1),with T = T1θ. Also, αθ′x = αθxθ. SinceK,Kx ⊢ θx : K, K(αθx) = (L2, U2, T2).Then, sinceK ⊢ θ : K′, K′(αθxθ) = (L′, U ′, T ′). We know(L2, U2, T2) (L,U, T1θx)and (L′, U ′, T ′) (L2, U2, T2θ). Both L′ ⊇ L and U ′ ⊆ U hold by transitivity. WeshowT ′ ⊇ Tθ′x holds as well. Iftag: τ ∈ Tθ′x, sinceT = T1θ, thentag: τ1 ∈ T1 andτ = τ1θθ

′x = τ1θxθ. We thus havetag: τ1θx ∈ T1θx and thereforetag: τ1θx ∈ T2 and

tag: τ1θxθ ∈ T ′.

Case Tk-ConstStraightforward.

Case Tk-Abstr We have:

K; Γ ⊢Kλx. e1 : τ1 → τ2 K; Γ, x : τ1 ⊢

Ke1 : τ2 .

By the induction hypothesis we haveK′; Γθ, x : τ1θ ⊢Ke1 : τ2θ. Then byTk-Abstrwe

deriveK′; Γθ ⊢Kλx. e1 : (τ1 → τ2)θ, since(τ1 → τ2)θ = (τ1θ) → (τ2θ).

Cases Tk-Appl and Tk-PairStraightforward application of the induction hypothesis.

Case Tk-Match For the sake of clarity, we first prove the simpler case corresponding to (theencoding of)let, where—simplifying environment generation—we have

K; Γ ⊢Kmatch e0 with x → e1 : τ K; Γ ⊢

Ke0 : τ0 K; Γ, genK;Γ(x : τ0) ⊢K e1 : τ

and must show

K′; Γθ ⊢Kmatch e0 with x → e1 : τθ

which we prove by establishing, for some typeτ0, that

K′; Γθ ⊢Ke0 : τ0 K′; Γθ, genK′;Γθ(x : τ0) ⊢K e1 : τθ .

Let A = α1, . . . , αn = varK(τ0) \ varK(Γ). We assume that the variables inA do notappear in the kinds of variables not inA, that is, that ifK(α) = (L,U, T ) andα /∈ A, thenvarK(T ) ∩ A = ∅.

This assumption is justified by the following observations.The variables inA only appearquantified in the environment used for the typing derivationfor e1. Therefore we may assumethat they do not appear inτ : if they do, it is because they have been chosen when instantiatingsome type scheme and, sinceK is canonical, we might have chosen some other variable ofthe same kind. As for the occurrences of the variables inA in the derivation fore0, a similarreasoning applies. These variables do not appear free in theenvironment (neither directly in atype inΓ, nor in the kinds of variables which appear free inΓ). Therefore, if they occur inτ0it is because they have been chosen either during instantiation of a type scheme or when typingan abstraction, and in both cases we might have chosen a different variable.

Now we rename these variables so thatθ will not have effect on them. LetB =β1, . . . , βn be a set of type variables such thatB ∩ (dom(θ) ∪ var∅(θ)) = ∅ andB ∩ var∅(Γ) = ∅. Let θ0 = [β1/α1, . . . , βn/αn] and θ′ = θ θ0. SinceK′ is canonical,we can choose eachβi so that, ifK(αi) = •, thenK′(βi) = •, and ifK(αi) = (L,U, T ),thenK(βi) = (L,U, T θ′). As forA, we chooseB so that the kinds inK′ for variables not inB do not contain variables ofB.

We showK ⊢ θ′ : K′. For eachα such thatK(α) = (L,U, T ), if α ∈ A thenα = αi

for somei, αθ′ = βi and kind entailment holds straightforwardly by our choice of βi. Ifα /∈ A, thenαθ′ = αθ and the admissibility ofθ implies K′(αθ) = (L′, U ′, T ′) and(L′, U ′, T ′) (L, U, T θ). We haveTθ = Tθ′ because of our assumption onA.

Sinceθ′ is admissibile, by the induction hypothesis applied toθ′, we deriveK; Γθ′ ⊢K

e0 : τ0θ′. Since the variables inA do not appear inΓ, we haveΓθ′ = Γθ. We chooseτ0 to be

τ0θ′.We apply the induction hypothesis to the derivation fore1, this time usingθ as the substitu-

tion. Now we have:

K′; Γθ ⊢Ke0 : τ0θ

′ K′; Γθ, (genK;Γ(x : τ0))θ ⊢Ke1 : τθ .

21

We apply weakening (Lemma A.6) to derive from the latter the typing we need, that is,

K′; Γθ, genK′;Γθ(x : τ0θ′) ⊢

Ke1 : τθ .

To do so we must show

Γθ, genK′;Γθ(x : τ0θ′) ⊑K′ Γθ, (genK;Γ(x : τ0))θ

varK′(Γθ, genK′;Γθ(x : τ0θ′)) ⊆ varK′ (Γθ, (genK;Γ(x : τ0))θ) .

The latter holds becausevarK′(Γθ, genK′;Γθ(x : τ0θ′)) ⊆ varK′(Γθ).

As for the former, we provegenK′;Γθ(x : τ0θ′) ⊑K′ (genK;Γ(x : τ0))θ. We have

genK;Γ(x : τ0) = ∀A.Kx ⊲ τ0 Kx = α :: K(α) | α ∈ A .

By α-renaming of the quantified variables we can write

genK;Γ(x : τ0) = ∀B.K⋆x ⊲ τ0θ0

K⋆x = βi :: • | αi :: • ∈ Kx ∪ βi :: (L,U, T θ0) | αi :: (L,U, T ) ∈ A

and, sinceθ does not involveB,

(genK;Γ(x : τ0))θ = ∀B.K⋆xθ ⊲ τ0θ0θ = ∀B.K′

x ⊲ τ0θ′

K′x = β :: K′(β) | β ∈ B .

The other type scheme is

genK′;Γθ(τ0θ′) = ∀C.K′

C ⊲ τ0θ′

C = varK′(τ0θ′) \ varK′(Γθ) K′

C = β :: K′(β) | β ∈ C .

We showB ⊆ C, which concludes the proof (because the kinding environments areboth restrictions ofK′). Considerβi ∈ B. We haveαi ∈ varK(τ0) \ varK(Γ). Thenβi = αiθ

′ ∈ varK′(τ0θ′). Furthermoreβi /∈ varK′(Γθ) holds becauseΓθ does not contain

variables inB (Γ does not contain them andθ does not introduce them) and variables inB donot appear in the kinds of other variables which are not themselves inB.

We now consider the ruleTk-Matchin its generality. We have

K; Γ ⊢Kmatch e0 with (pi → ei)i∈I : τ

K; Γ ⊢Ke0 : τ0 τ0 4K pi | i ∈ I

∀i ∈ I. K ⊢ pi : τ0 ⇒ Γi K; Γ, genK;Γ(Γi) ⊢K ei : τ

and must show

K′; Γθ ⊢Kmatch e0 with (pi → ei)i∈I : τθ

which we prove by establishing, for someτ0 and Γi | i ∈ I , that

K′; Γθ ⊢Ke0 : τ0 τ0 4K′ pi | i ∈ I

∀i ∈ I. K′ ⊢ pi : τ0 ⇒ Γi K′; Γθ, genK′;Γθ(Γi) ⊢K ei : τθ .

For the derivation fore0 we proceed as above and haveτ0 = τ0θ′. By Lemma A.4 we have

τ0θ′ 4K′ pi | i ∈ I . By Lemma A.3, we haveK′ ⊢ pi : τ0θ

′ ⇒ Γiθ′ and thus take

Γi = Γiθ′.

We proceed as before also for the derivations for each branch. The difference is that, toapply weakening, we must prove the two premises for the environments and not forτ0 alone.The condition on variables is straightforward, as before. For the other we prove, for eachx ∈ capt(pi) and assumingΓi(x) = τx,

Γθ, genK′;Γθ(τxθ′) ⊑K′ Γθ, (genK;Γ(τx))θ .

We show it as forτ0 above:varK(τx) is always a subset ofvarK(τ0) because environmentgeneration does not introduce new variables.

Lemma A.8 (Expression substitution). Letx1, . . . ,xn be distinct variables andv1, . . . ,vn values.LetΓ′ = x1 : σ1, . . . , xn : σn andς = [v1/x1, . . . , vn/xn].

If K; Γ,Γ′ ⊢Ke : τ and, for all k ∈ 1, . . . , n and for all τk ∈ instK(σk), K; Γ ⊢

Kvk : τk,

thenK; Γ ⊢Keς : τ .

Proof. By induction on the derivation ofK; Γ,Γ′ ⊢Ke : τ . We reason by cases on the last applied

rule.

Case Tk-Var We have

K; Γ,Γ′ ⊢Kx : τ τ ∈ instK((Γ,Γ′)(x)) .

22

Either x = xk for somek or not. In the latter case,xς = x, x /∈ dom(Γ′) and hence(Γ,Γ′)(x) = Γ(x). Then, sinceτ ∈ instK((Γ,Γ′)(x)), τ ∈ instK(Γ(x)) andTk-Var can beapplied.

If x = xk, then(Γ,Γ′)(x) = Γ′(x) = σk. We must then proveK; Γ ⊢Kvk : τ , which we

know by hypothesis sinceτ ∈ instK(σk).

Case Tk-ConstStraightforward.

Case Tk-Abstr We have

K; Γ,Γ′ ⊢Kλx. e1 : τ1 → τ2 K; Γ,Γ′, x : τ1 ⊢

Ke1 : τ2 .

Byα-renaming we can assumex /∈ dom(Γ′); then(λx. e1)ς = λx. (e1ς) andΓ,Γ′, x : τ1 =Γ, x : τ1,Γ

′. Therefore we haveK; Γ, x : τ1,Γ′ ⊢

Ke1 : τ2 and, by the induction hypothe-

sis,K; Γ, x : τ1 ⊢Ke1ς : τ2. We applyTk-Abstrto conclude.

Cases Tk-Appl, Tk-Pair, and Tk-TagStraightforward application of the induction hypothesis.

Case Tk-Match We have

K; Γ,Γ′ ⊢Kmatch e0 with (pi → ei)i∈I : τ

K; Γ,Γ′ ⊢Ke0 : τ0 τ0 4K pi | i ∈ I

∀i ∈ I. K ⊢ pi : τ0 ⇒ Γi K; Γ,Γ′, genK;Γ,Γ′(Γi) ⊢K ei : τ .

We assume byα-renaming that no capture variable of any pattern is in the domainof Γ′. Then, (match e0 with (pi → ei)i∈I)ς = match e0ς with (pi → eiς)i∈I andΓ,Γ′, genK;Γ,Γ′(Γi) = Γ, genK;Γ,Γ′(Γi),Γ

′ for anyi.By the induction hypothesis, we deriveK; Γ ⊢

Ke0ς : τ0 andK; Γ, genK;Γ,Γ′(Γi) ⊢K eiς : τ

for all i. From the latter, we proveK; Γ, genK;Γ(Γi) ⊢Keiς : τ by weakening (Lemma A.6):

we havegenK;Γ(Γi) ⊑K genK;Γ,Γ′(Γi) by Lemma A.5—sincevarK(Γ) ⊆ varK(Γ,Γ′)—andclearly we havevarK(Γ, genK;Γ(Γi)) ⊆ varK(Γ, genK;Γ,Γ′(Γi)) sincevarK(genK;Γ(Γi)) ⊆varK(Γ).

Theorem A.9 (Progress). Let e be a well-typed, closed expression. Then, eithere is a value orthere exists an expressione′ such thate e′.

Proof. By hypothesis we haveK;∅ ⊢Ke : τ . The proof is by induction on its derivation; we reason

by cases on the last applied rule.

Case Tk-Var This case does not occur because variables are not closed.

Case Tk-ConstIn this casee is a constantc and therefore a value.

Case Tk-Abstr In this casee is an abstractionλx. e1. Since it is also closed, it is a value.

Case Tk-Appl We have

K;∅ ⊢Ke1 e2 : τ K;∅ ⊢

Ke1 : τ

′ → τ K;∅ ⊢Ke2 : τ

′ .

By the induction hypothesis, each ofe1 ande2 either is a value or may reduce. Ife1 e′1,thene1 e2 e′1 e2. If e1 is a value ande2 e′2, thene1 e2 e1 e

′2.

If both are values then, by Lemma A.1,e1 has the formλx. e3 for somee3. Then, we canapplyR-Applande1 e2 e3[e2/x].

Case Tk-Pair We have

K;∅ ⊢K(e1, e2) : τ1 × τ2 K;∅ ⊢

Ke1 : τ1 K;∅ ⊢

Ke2 : τ2 .

By the induction hypothesis, each ofe1 ande2 either is a value or may reduce. Ife1 e′1,then(e1, e2) (e′1, e2). If e1 is a value ande2 e′2, then(e1, e2) (e1, e

′2). If both are

values, then(e1, e2) is also a value.

Case Tk-TagWe haveK;∅ ⊢

Ktag(e1) : α K;∅ ⊢

Ke1 : τ1 .

Analogously to the previous case, by the induction hypothesis we have that eithere1 isa value ore1 e′1. In the former case,tag(e1) is a value as well. In the latter, we havetag(e1) tag(e′1).

Case Tk-Match We have

K;∅ ⊢Kmatch e0 with (pi → ei)i∈I : τ K;∅ ⊢

Ke0 : τ0 τ0 4K pi | i ∈ I .

By the inductive hypothesis, eithere0 is a value or it may reduce. In the latter case, ife0 e′0, thenmatch e0 with (pi → ei)i∈I match e′0 with (pi → ei)i∈I .

23

If e0 is a value, on the other hand, the expression may reduce by application of R-Match.Sinceτ0 4K pi | i ∈ I ande0 is a value of typeτ0 (and therefore satisfies the premises ofthe definition of exhaustiveness, withθ = [ ] andK = K′), there exists at least ani ∈ I suchthate0/pi = ς for some substitutionς. Let j be the least of thesei andςj the correspondingsubstitution; thenmatch e0 with (pi → ei)i∈I ejςj .

Theorem A.10(Subject reduction). Lete be an expression andτ a type such thatK; Γ ⊢Ke : τ . If

e e′, thenK; Γ ⊢Ke′ : τ .

Proof. By induction on the derivation ofK; Γ ⊢Ke : τ . We reason by cases on the last applied rule.

Cases Tk-Var, Tk-Const, and Tk-AbstrThese cases may not occur: variables, constants, andabstractions never reduce.

Case Tk-Appl We have

K; Γ ⊢Ke1 e2 : τ K; Γ ⊢

Ke1 : τ

′ → τ K; Γ ⊢Ke2 : τ

′ .

e1 e2 e′ occurs in any of three ways:(i) e1 e′1 ande′ = e′1 e2; (ii) e1 is a value,e2 e′2 and e′ = e1 e′2; (iii) both e1 and e2 are values,e1 is of the formλx. e3, ande′ = e3[e2/x].

In the first case, we derive by the induction hypothesis thatK; Γ ⊢Ke′1 : τ

′ → τ and concludeby applyingTk-Applagain. The second case is analogous.

In the third case, we know by Lemma A.1 thatK; Γ, x : τ ′ ⊢Ke3 : τ . We also know that

e2 is a value such thatK; Γ ⊢Ke2 : τ

′. Then, by Lemma A.8,K; Γ ⊢Ke3[e2/x] : τ .

Case Tk-Pair We have

K; Γ ⊢K(e1, e2) : τ1 × τ2 K; Γ ⊢

Ke1 : τ1 K; Γ ⊢

Ke2 : τ2 .

(e1, e2) e′ occurs either becausee1 e′1 ande′ = (e′1, e2), or becausee1 is a value,e2 e′2, ande′ = (e1, e

′2). In either case, the induction hypothesis allows us to derive that

the type of the component that reduces is preserved; therefore, we can applyTk-Pair again toconclude.

Case Tk-TagAnalogously to the previous case, a variant expression onlyreduces if its argumentdoes, so we apply the induction hypothesis andTk-Tagto conclude.

Case Tk-Match We have

K; Γ ⊢Kmatch e0 with (pi → ei)i∈I : τ

K; Γ ⊢Ke0 : τ0 ∀i ∈ I. K ⊢ pi : τ0 ⇒ Γi K; Γ, genK;Γ(Γi) ⊢K ei : τ .

match e0 with (pi → ei)i∈I e′ occurs either becausee0 e′0 ande′ = match e′0 with

(pi → ei)i∈I or becausee0 is a value ande′ = ejς, wheree0/pj = ς and, for alli < j,e0/pi = Ω. In the former case, we apply the induction hypothesis and conclude byTk-Match.

In the latter case,ς is a substitution from the capture variables ofpj to values, and we knowby Lemma A.2 that, for allx ∈ capt(pj), K; Γ ⊢

Kxς : Γj(x). We show that, additionally,

K; Γ ⊢Kxς : τx holds for everyτx ∈ instK(genK;Γ(Γj(x))). Every suchτx is equal to

Γj(x)θ for a θ such thatdom(θ) ⊆ varK(Γj(x)) \ varK(Γ) andK ⊢ θ : K (the kindingenvironment captured by generalization is just a subset ofK). Then,K; Γ ⊢

Kxς : Γj(x)θ holds

by Lemma A.14, sinceΓθ = Γ (the substitution does not change any free variable ofΓ).From K; Γ, genK;Γ(Γj) ⊢

Kej : τ and from the fact that we haveK; Γ ⊢

Kxς : τx for

all x ∈ dom(Γj) and all τx ∈ instK(genK;Γ(Γj(x))), we deriveK; Γ ⊢K

ejς : τ byLemma A.8.

Corollary A.11 (Type soundness). Let e be a well-typed, closed expression, that is, such thatK;∅ ⊢

Ke : τ holds for someτ . Then, eithere diverges or it reduces to a valuev such that

K;∅ ⊢Kv : τ .

Proof. Consequence of Theorem A.9 and Theorem A.10.

A.3 Typing variants with set-theoretic types

A.3.1 Definition of theS type system

We consider a setV of type variables(ranged over byα, β, γ, . . . ) and the setsC, L, andB oflanguage constants, tags, andbasic types(ranged over byc, tag, andb respectively).

Definition A.22 (Types). A typet is a term coinductively produced by the following grammar:

t ::= α | b | c | t → t | t× t | tag(t) | t ∨ t | ¬t | 0

which satisfies two additional constraints:

24

• (regularity) the term must have a finite number of different sub-terms;• (contractivity) every infinite branch must contain an infinite number of occurrences of atoms

(i.e., a type variable or the immediate application of a typeconstructor: basic, constant, arrow,product, or variant).

We introduce the following abbreviations:

t1 ∧ t2def= ¬(¬t1 ∨ ¬t2) t1 \ t2

def= t1 ∧ (¬t2) 1

def= ¬0 .

Definition A.23 (Type schemes). A type schemes is of the form∀A. t, whereA is a finite setα1, . . . , αn of type variables.

We identify a type scheme∀∅. t with the typet itself. Furthermore, we consider type schemesup to renaming of the variables they bind, and we disregard useless quantification.

Definition A.24 (Free variables). We writevar(t) for the set of type variables occurring in a typet; we say they are thefree variablesof t, and we say thatt is groundor closedif and only ifvar(t)is empty.

We extend the definition to type schemes asvar(∀A. t) = var(t) \ A.

The (coinductive) definition ofvar can be found in Castagna et al. [5, Definition A.2].

Definition A.25 (Meaningful variables). We define the setmvar(t) of meaningful variablesof atypet as

mvar(t) = α ∈ var(t) | t[0/α] 6≃ t .

We extend the definition to type schemes asmvar(∀A. t) = mvar(t) \ A.

Definition A.26 (Type substitutions). A type substitutionθ is a finite mapping of type variables totypes. We write[ ti/αi | i ∈ I ] for the type substitution which simultaneously replacesαi with ti,for eachi ∈ I . We writetθ for the application of the substitutionθ to the typet; application isdefined coinductively by the following equations.

αθ =

t′ if t′/α ∈ θ

α otherwise

bθ = b

cθ = c

(t1 → t2)θ = (t1θ) → (t2θ)

(t1 × t2)θ = (t1θ)× (t2θ)

(tag(t))θ = tag(tθ)

(t1 ∨ t2)θ = (t1θ) ∨ (t2θ)

(¬t)θ = ¬(tθ)

0θ = 0

We extend thevar operation to substitutions as

var(θ) =⋃

α∈dom(θ)

var(αθ) .

and we extendmvar likewise.We extend application of substitutions to type schemes∀A. t: by renaming quantified variables,

we assumeA ∩ (dom(θ) ∪ var(θ)) = ∅, and we have(∀A. t)θ = ∀A. tθ.We writeθ1 ∪ θ2 for the union of disjoint substitutions andθ1 θ2 for the composition of

substitutions.

Definition A.27 (Type environments). A type environmentΓ is a partial mapping from expressionvariables to type schemes. We write type environments asΓ = x1 : s1, . . . , xn : sn.

We writeΓ,Γ′ for the updating of the type environmentΓ with the new bindings inΓ′. It isdefined as follows.

(Γ,Γ′)(x) =

Γ′(x) if x ∈ dom(Γ′)

Γ(x) otherwise

We extend thevar operation to type environments as

var(Γ) =⋃

s∈range(Γ)

var(s) ,

and we extendmvar likewise.

25

Definition A.28 (Generalization). We define thegeneralizationof a typet with respect to the typeenvironmentΓ as the type scheme

genΓ(t) = ∀A. t

whereA = var(t) \ mvar(Γ).We extend this definition to type environments which only contain types (i.e., trivial type

schemes) as

genΓ(xi : ti | i ∈ I ) = xi : genΓ(ti) | i ∈ I .

Definition A.29 (Instances of a type scheme). The set ofinstancesof a type scheme∀A. t is definedas

inst(∀A. t) = tθ | dom(θ) ⊆ A .

We say that a type schemes1 is more generalthan a type schemes2, and we writes1 ⊑ s2, if

∀t2 ∈ inst(s2). ∃t1 ∈ inst(s1). t1 ≤ t2 .

We extend this notion to type environments as

Γ1 ⊑ Γ2 ⇐⇒ dom(Γ1) = dom(Γ2) ∧ ∀x ∈ dom(Γ1). Γ1(x) ⊑ Γ2(x) .

Definition A.30 (Accepted type). Theaccepted type*p+ of a patternp is defined inductively as:

* + = *x+ = 1 *c+ = c

*(p1, p2)+ = *p1+ × *p2+ *tag(p)+ = tag(*p+)

*p1&p2+ = *p1+ ∧ *p2+ *p1|p2+ = *p1+ ∨ *p2+ .

The projection operatorsπ1 andπ2 for product types are defined by Castagna et al. [5, AppendixC.2.1]. We do not repeat the definition, but we state below theproperties we need in the proofs.The projection operators for variant types correspond toπ2 if we encode variant types as pairs; wetherefore rephrase the same properties for them.

Property A.31 (Projections of product types). There exist two functionsπ1 andπ2 which, given atypet ≤ 1× 1, yield typesπ1(t) andπ2(t) such that:

• t ≤ π1(t)× π2(t);• if t ≤ t1 × t2, thenπi(t) ≤ ti;• if t ≤ t′ ≤ 1× 1, thenπi(t) ≤ πi(t

′);• for all type substitutionsθ, πi(tθ) ≤ πi(t)θ.

Property A.32 (Projections of variant arguments). For every tag tag there exists a functionπtag

which, given a typet ≤ tag(1), yields a typeπtag(t) such that:

• t ≤ tag(πtag(t));• if t ≤ tag(t′), thenπtag(t) ≤ t′;• if t ≤ t′ ≤ tag(1), thenπtag(t) ≤ πtag(t

′);• for all type substitutionsθ, πtag(tθ) ≤ πtag(t)θ.

Definition A.33 (Pattern environment generation). Given a patternp and a typet ≤ *p+, the typeenvironmentt//p generated by pattern matching is defined inductively as:

t// = ∅

t//x = x : t

t//c = ∅

t//(p1, p2) = π1(t)//p1 ∪ π2(t)//p2

t//tag(p) = πtag(t)//p

t//p1&p2 = t//p1 ∪ t//p2

t//p1|p2 = (t ∧ *p1+)//p1 ∨∨ (t \ *p1+)//p2 ,

where(Γ ∨∨ Γ′)(x) = Γ(x) ∨ Γ′(x).

Definition A.34 (Typing relation). The typing relationΓ ⊢Se : t (e is given typet in the type

environmentΓ) is defined by the rules in Figure 10.

A.3.2 Properties of theS type system

Lemma A.12 (Generation for values). Letv be a value. Then:

• if Γ ⊢Sv : c, thenv = c;

• if Γ ⊢Sv : b, thenv = c for somec such thatbc ≤ b;

• if Γ ⊢Sv : t1 → t2, thenv is of the formλx. e andΓ, x : t1 ⊢

Se : t2;

26

Ts-Vart ∈ inst(Γ(x))

Γ ⊢Sx : t

Ts-ConstΓ ⊢

Sc : c

Ts-AbstrΓ, x : t1 ⊢

Se : t2

Γ ⊢Sλx. e : t1 → t2

Ts-ApplΓ ⊢

Se1 : t

′ → t Γ ⊢Se2 : t

′

Γ ⊢Se1 e2 : t

Ts-PairΓ ⊢

Se1 : t1 Γ ⊢

Se2 : t2

Γ ⊢S(e1, e2) : t1 × t2

Ts-TagΓ ⊢

Se : t

Γ ⊢Stag(e) : tag(t)

Ts-Match

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I Γ, genΓ(ti//pi) ⊢S ei : t′i

Γ ⊢Smatch e0 with (pi → ei)i∈I :

∨

i∈I t′i

Ts-SubsumΓ ⊢

Se : t′ t′ ≤ t

Γ ⊢Se : t

Figure 10. Typing relation of theS type system.

• if Γ ⊢Sv : t1 × t2, thenv is of the form(v1, v2), Γ ⊢

Sv1 : t1, andΓ ⊢

Sv2 : t2;

• if Γ ⊢Sv : tag(t1), thenv is of the form tag(v1) andΓ ⊢

Sv1 : t1.

Proof. By induction on the typing derivation: values must be typed by an application of the rulecorresponding to their form to appropriate premises, possibly followed by applications ofTs-Subsum.

The base cases are straightforward. In the inductive step, we just apply the induction hypothesis;for abstractions, the result follows from the behaviour of subtyping on arrow types.

We state the next three lemmas without proof, as they rely on the model of types which we havenot discussed. Details can be found in Frisch et al. [15] and Castagna and Xu [4], as well as in AlainFrisch’s PhD thesis.8

Lemma A.13. For eachi ∈ I , let pi be a pattern. IfΓ ⊢Sv :

∨

i∈I*pi+, then there exists ani ∈ Isuch thatΓ ⊢

Sv : *pi+.

Lemma A.14. Let t be a type. Lett′ be a type such that eithert′ = *p+ or t′ = ¬*p+, for somepatternp. If Γ ⊢

Sv : t andΓ ⊢

Sv : t′, thenΓ ⊢

Sv : t ∧ t′.

Lemma A.15. Letv be a well-typed value (i.e.,∅ ⊢Sv : t holds for somet) andp a pattern. Then:

• ∅ ⊢Sv : *p+ holds if and only ifv/p = ς for some substitutionς;

• ∅ ⊢Sv : ¬*p+ holds if and only ifv/p = Ω.

Lemma A.16. Let p be a pattern andt, t′ two types. Ift ≤ t′ ≤ *p+, then, for allx ∈ capt(p),(t//p)(x) ≤ (t′//p)(x).

Proof. By structural induction onp.

Casesp = andp = c There is nothing to prove sincecapt(p) = ∅.

Casep = x We must prove(t//x)(x) ≤ (t′//x)(x), that is, t ≤ t′, which we know byhypothesis.

Casep = (p1, p2) Eachx ∈ capt(p) is either incapt(p1) or in capt(p2). Assumex ∈ capt(pi);then,(t//p)(x) = (πi(t)//pi)(x) and (t′//p)(x) = (πi(t

′)//pi)(x). Sincet ≤ t′ impliesπi(t) ≤ πi(t

′) by Property A.31, we can apply the induction hypothesis to conclude.

Casep = tag(p) Analogous to the previous case, becauset ≤ t′ impliesπtag(t) ≤ πtag(t′) by

Property A.32.

Casep = p1&p2 Eachx ∈ capt(p) is either incapt(p1) or in capt(p2). Assumex ∈ capt(pi);then,(t//p)(x) = (t//pi)(x) and(t′//p)(x) = (t′//pi)(x). We apply the induction hypothesisto conclude.

8 A. Frisch. Théorie, conception et réalisation d’un langage de programmation adapté à XML. PhD thesis,Université Paris 7 – Denis Diderot, 2004.

27

Casep = p1|p2 Every x ∈ capt(p) is both in capt(p1) and in capt(p2). We have that(t//p)(x) = (t∧*p1+//p1)(x)∨(t\*p1+//p2)(x) and likewise fort′. Sincet∧*p1+ ≤ t′∧*p1+andt \ *p1+ ≤ t′ \ *p1+, we can apply the induction hypothesis to both sub-patternsto derive(t∧ *p1+//p1)(x) ≤ (t′ ∧ *p1+//p1)(x) and(t\ *p1+//p2)(x) ≤ (t′ \ *p1+//p2)(x). Then wehave(t ∧ *p1+//p1)(x) ∨ (t \ *p1+//p2)(x) ≤ (t′ ∧ *p1+//p1)(x) ∨ (t′ \ *p1+//p2)(x).

Lemma A.17 (Correctness of environment generation). Letp be a pattern andv a value such thatΓ ⊢

Sv : t for somet ≤ *p+. Then, for allx ∈ capt(p), Γ ⊢

Sx(v/p) : (t//p)(x).

Proof. By structural induction onp.

Casesp = andp = c There is nothing to prove sincecapt(p) = ∅.

Casep = x We must proveΓ ⊢Sx[v/x] : (t//x)(x), which is the hypothesisΓ ⊢

Sv : t.

Casep = (p1, p2) We havet ≤ 1×1, hencet ≤ π1(t)×π2(t); then, sinceΓ ⊢Sv : π1(t)×π2(t)

by subsumption, we have by Lemma A.12 thatv = (v1, v2) and thatΓ ⊢Svi : π1(t) for bothi.

Moreover,t ≤ *(p1, p2)+ = *p1+ × *p2+. Hence, by Property A.31,πi(t) ≤ *pi+ for bothi.Eachx ∈ capt(p) is either incapt(p1) or in capt(p2). Assumex ∈ capt(pi); then,

x(v/p) = x(vi/pi) and(t//p)(x) = (πi(t)//pi)(x). We apply the induction hypothesis toconclude.

Casep = tag(p) Analogous to the previous case.

Casep = p1&p2 Eachx ∈ capt(p) is either incapt(p1) or in capt(p2). Assumex ∈ capt(pi);then, we can directly apply the induction hypothesis sincet ≤ *p1&p2+ impliest ≤ *p1+ andt ≤ *p2+.

Casep = p1|p2 Eitherv/p = v/p1 or v/p = v/p2 (in which casev/p1 = Ω).

Casev/p = v/p1 By Lemma A.15 we haveΓ ⊢Sv : *p1+; by Lemma A.14 we have

Γ ⊢Sv : t ∧ *p1+. Since t ∧ *p1+ ≤ *p1+, by the induction hypothesis we have, for

all x ∈ capt(p1) = capt(p), Γ ⊢Sx(v/p) : (t ∧ *p1+//p1)(x) and, by subsumption,

Γ ⊢Sx(v/p) : (t ∧ *p1+//p1)(x) ∨ (t \ *p1+//p2)(x).

Casev/p = v/p2 By Lemma A.15 and Lemma A.14, we haveΓ ⊢Sv : t\*p1+. Additionally,

t\*p1+ ≤ *p2+ holds because it is equivalent tot ≤ *p1+∨*p2+. Therefore by the inductionhypothesis we have, for allx ∈ capt(p1) = capt(p), Γ ⊢

Sx(v/p) : (t \ *p1+//p2)(x) and,

by subsumption,Γ ⊢Sx(v/p) : (t ∧ *p1+//p1)(x) ∨ (t \ *p1+//p2)(x).

Lemma A.18. Let p be a pattern,t a type such thatt ≤ *p+, andθ a type substitution. Then, forall x ∈ capt(p), (tθ//p)(x) ≤ ((t//p)(x))θ.

Proof. By structural induction onp.

Casesp = andp = c There is nothing to prove sincecapt(p) = ∅.

Casep = x We must prove(tθ//x)(x) ≤ (t//x)(x)θ, which istθ ≤ tθ.

Casep = (p1, p2) Eachx ∈ capt(p) is either incapt(p1) or in capt(p2). Assumex ∈ capt(pi);then,(tθ//p)(x) = (πi(tθ)//pi)(x) and(t//p)(x)θ = (πi(t)//pi)(x)θ.

Sinceπi(tθ) ≤ πi(t)θ, by Lemma A.16 we have(πi(tθ)//pi)(x) ≤ (πi(t)θ//pi)(x). Bythe induction hypothesis we have(πi(t)θ//pi)(x) ≤ (πi(t)//pi)(x)θ.

Casep = tag(p) Analogous to the previous case, sinceπtag(tθ) ≤ πtag(t)θ.

Casep = p1&p2 Eachx ∈ capt(p) is either incapt(p1) or in capt(p2). Assumex ∈ capt(pi);then,(tθ//p)(x) = (tθ//pi)(x) and(t//p)(x)θ = (t//pi)(x)θ. We conclude by the inductionhypothesis.

Casep = p1|p2 Everyx ∈ capt(p) is both incapt(p1) and incapt(p2). We have(tθ//p)(x) =((t ∧ *p1+)θ//p1)(x) ∨ ((t \ *p1+)θ//p2)(x)—pattern types are closed, so we can applyθto them too—and(t//p)(x)θ = (t ∧ *p1+//p1)(x)θ ∨ (t \ *p1+//p2)(x)θ. We conclude byapplying the induction hypothesis to both members of the union.

Lemma A.19. Let t1 andt2 be equivalent types (t1 ≃ t2). Then,mvar(t1) = mvar(t2).

Proof. Since subtyping is preserved by type substitutions, for every α we havet1[0/α] ≃ t2[0/α].If α ∈ mvar(t1), we havet1[0/α] 6≃ t1 by the definition ofmvar. This necessarily impliest2[0/α] 6≃ t2, otherwise we would havet1[0/α] ≃ t1 by transitivity.

28

Lemma A.20. Let t be a type andθ a type substitution such thatdom(θ) ∩ mvar(t) = ∅. Thentθ ≃ t.

Proof. Let t′ = t[0/α1, . . . , 0/αn] whereα1, . . . , αn = var(t) \ mvar(t). We havet ≃ t′ andvar(t′) = mvar(t). Since substitutions preserve subtyping (and hence equivalence), we have alsotθ ≃ t′θ. But t′θ = t′ ≃ t; hence, we reach the conclusion by the transitivity of equivalence.

Lemma A.21. LetΓ1, Γ2 be two type environments such thatmvar(Γ1) ⊆ mvar(Γ2) and t1, t2two types such thatt1 ≤ t2. Then,genΓ1

(t1) ⊑ genΓ2(t2).

Proof. An instance ofgenΓ2(t2) is a typet2θ2 such thatdom(θ2) ⊆ var(t2)\mvar(Γ2). Letθ1 be

the restriction ofθ2 to the variables invar(t1) \mvar(Γ1). Then,t1θ1 is an instance ofgenΓ1(t1).

We havet1θ1 = t1θ2 because the two substitutions differ only on variables invar(t2) \ var(t1)(which do not appear int1 at all) or inmvar(Γ1) \ mvar(Γ2) (which is empty). Finally, we havet1θ2 ≤ t2θ2 because subtyping is preserved by substitutions.

Lemma A.22 (Weakening). Let Γ1, Γ2 be two type environments such thatΓ1 ⊑ Γ2 andmvar(Γ1) ⊆ mvar(Γ2). If Γ2 ⊢

Se : t, thenΓ1 ⊢

Se : t.

Proof. By induction on the derivation ofΓ2 ⊢Se : t. We reason by cases on the last applied rule.

Case Ts-Var We have

Γ2 ⊢Sx : t t ∈ inst(Γ2(x))

and hence, sinceΓ1 ⊑ Γ2, there exists at′ ∈ inst(Γ1(x)) such thatt′ ≤ t. We applyTs-VartoderiveΓ1 ⊢

Sx : t′ andTs-Subsumto conclude.

Case Ts-ConstStraightforward.

Case Ts-AbstrWe have

Γ2 ⊢Sλx. e1 : t1 → t2 Γ2, x : t1 ⊢

Se1 : t2 .

SinceΓ1 ⊑ Γ2, we haveΓ1, x : t1 ⊑ Γ2, x : t1; sincemvar(Γ1) ⊆ mvar(Γ2), we havemvar(Γ1, x : t1) ⊆ mvar(Γ2, x : t1). We deriveΓ1, x : t1 ⊢

Se1 : t2 by the induction

hypothesis and applyTs-Abstrto conclude.

Cases Ts-Appl, Ts-Pair, Ts-Tag, and Ts-SubsumStraightforward application of the inductionhypothesis.

Case Tk-Match We have

Γ2 ⊢Smatch e0 with (pi → ei)i∈I : t

Γ2 ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. Γ2, genΓ2(ti//pi) ⊢S ei : t

′i t =

∨

i∈I t′i .

By the induction hypothesis, we deriveΓ1 ⊢Se0 : t0.

For any branch, note thatmvar(Γ1) ⊆ mvar(Γ2) implies genΓ1(t) ⊑ genΓ2

(t) for anyt by Lemma A.21. Hence, we haveΓ1, genΓ1

(ti//pi) ⊑ Γ2, genΓ2(ti//pi). Additionally,

sincemvar(genΓ1(ti//pi)) ⊆ mvar(Γ1) ⊆ mvar(Γ2), we havemvar(Γ1, genΓ1

(ti//pi)) ⊆mvar(Γ2, genΓ2

(ti//pi)).Hence we may apply the induction hypothesis for alli to deriveΓ1, genΓ1

(ti//pi) ⊢S ei : t′i

and then applyTs-Matchto conclude.

Lemma A.23(Stability of typing under type substitutions). Letθ be a type substitution. IfΓ ⊢Se : t,

thenΓθ ⊢Se : tθ.

Proof. By induction on the derivation ofΓ ⊢Se : t. We reason by cases on the last applied rule.

Case Ts-Var We have

Γ ⊢Sx : t t ∈ inst(Γ(x)) Γ(x) = ∀A. tx t = txθx dom(θx) ⊆ A

and must showΓθ ⊢Sx : tθ.

By α-renaming we assumeA∩(dom(θ)∪var(θ)) = ∅. Under this assumption,(Γθ)(x) =∀A. txθ. We must show thattθ = txθθ

′x for a substitutionθ′x such thatdom(θ′x) ⊆ A.

Let θ′x = [ αθxθ/α | α ∈ A ]. We show thattθθ′x = txθxθ = tθ, by showing that, for everyα, αθθ′x = αθxθ. If α ∈ A, thenαθθ′x = αθ′x = αθxθ (θ is not defined on the variablesin A). If α /∈ A, thenαθθ′x = αθ (θ never produces any variable inA) andαθxθ = αθ asα /∈ dom(θx).

29

Case Ts-ConstStraightforward.

Case Ts-AbstrWe have

Γ ⊢Sλx. e1 : t1 → t2 Γ, x : t1 ⊢

Se1 : t2 .

By the induction hypothesis we haveΓθ, x : t1θ ⊢Se1 : t2θ. Then byTs-Abstrwe derive

Γθ ⊢Sλx. e1 : (t1θ) → (t2θ), which isΓθ ⊢

Sλx. e1 : (t1 → t2)θ.

Cases Ts-Appl, Ts-Pair, and Ts-TagStraightforward application of the induction hypothesis.

Case Ts-MatchWe have

Γ ⊢Smatch e0 with (pi → ei)i∈I : t

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. Γ, genΓ(ti//pi) ⊢S ei : t′i t =

∨

i∈I t′i

and must showΓθ ⊢Smatch e0 with (pi → ei)i∈I : tθ.

We prove it by establishing, for some typest0 andti, t′i for eachi, that

Γθ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. Γθ, genΓθ(ti//pi) ⊢S ei : t′i

∨

i∈I t′i ≤ tθ .

Let A = α1, . . . , αn = var(t0) \ mvar(Γ). Let B = β1, . . . , βn be a set of typevariables such thatB ∩ (dom(θ) ∪ var(θ) ∪ var(Γ)) = ∅. Let θ0 = [β1/α1, . . . , βn/αn] andθ′ = θ θ0.

By the induction hypothesis, usingθ′, we deriveΓθ′ ⊢Se0 : t0θ

′. From it, we deriveΓθ ⊢

Se0 : t0θ

′ by weakening (Lemma A.22); we prove the required premises below. We taket0 = t0θ

′: note that the exhaustiveness condition is satisfied because substitutions preservesubtyping (and all accepted types of patterns are closed). We haveti = tiθ

′ for all i.For all branches, we haveΓ, genΓ(ti//pi) ⊢S ei : t

′i and, by the induction hypothesis using

θ, we can deriveΓθ, (genΓ(ti//pi))θ ⊢Sei : t

′iθ.

We apply Lemma A.22 to deriveΓθ, genΓθ(tiθ′//pi) ⊢

Sei : t

′iθ (we prove the required

premises below). We taket′i = t′iθ.

Proof ofΓθ ⊢Se0 : t0θ

′ fromΓθ′ ⊢Se0 : t0θ

′ We prove this by Lemma A.22, which requiresus to showΓθ ⊑ Γθ′ andmvar(Γθ) ⊆ mvar(Γθ′). We show this by showing, for every(x : ∀Ax. tx) ∈ Γ—assume byα-renamingAx∩(dom(θ)∪var(θ)∪A∪B) = ∅—, txθ ≃txθ

′, which implies both∀Ax. txθ ⊑ ∀Ax. txθ′ andmvar(∀Ax. txθ) ⊆ mvar(∀Ax. txθ

′)(by Lemma A.21 and Lemma A.19).

We havetxθ0 ≃ tx by Lemma A.20:dom(θ0) ∩ mvar(tx) = ∅ because everyα ∈mvar(tx) is either inAx or mvar(Γ), and in both cases this means it cannot be indom(θ0).Hence—since substitutions preserve subtyping—we have also txθ

′ = txθ0θ ≃ txθ.

Proof of Γθ, genΓθ(tiθ′//pi) ⊢

Sei : t

′iθ from Γθ, (genΓ(ti//pi))θ ⊢

Sei : t

′iθ To apply

Lemma A.22, we must show

genΓθ(tiθ′//pi) ⊑ (genΓ(ti//pi))θ

mvar(Γθ, genΓθ(tiθ′//pi)) ⊆ mvar(Γθ, (genΓ(ti//pi))θ) .

The latter holds because every variable inmvar(Γθ, genΓθ(tiθ′//pi)) is in mvar(Γθ).

For the former, we prove that, for everyx ∈ capt(pi),

genΓθ((tiθ′//pi)(x)) ⊑ (genΓ((ti//pi)(x)))θ .

Let

t′x = (tiθ′//pi)(x) tx = (ti//pi)(x) ;

the statement becomes

genΓθ(t′x) ⊑ (genΓ(tx))θ .

We havegenΓ(tx) = ∀Ax. tx, whereAx = var(tx) \ mvar(Γ). Sincevar(tx) ⊆var(ti) = var(t0), Ax ⊆ A. Let J = j | αj ∈ Ax ; thus J ⊆ 1, . . . , n andAx = A|J = αj | j ∈ J . LetB|J = βj | j ∈ J . We havegenΓ(tx) = ∀B|J . txθ0by α-renaming (we are substituting also theαi such thati /∈ J , but it makes no differenceas they not intx). Thus—sinceB ∩ (dom(θ) ∪ var(θ)) = ∅—we have

(genΓ(tx))θ = ∀B|J . txθ0θ = ∀B|J . txθ′ .

The instances of this type scheme are all typestxθ′θx, with dom(θx) ⊆ B|J . Given

such a type, we must construct an instance ofgenΓθ(t′x) that is a subtype of it. Letθ′x be

30

the restriction ofθx to variables invar(t′x) \ mvar(Γθ). Thent′xθ′x is a valid instance of

genΓθ(t′x). We provet′xθ

′x ≤ txθ

′θx.We havet′xθ

′x = t′xθx: the two substitutions differ only on variables inB|J \ var(t′x)

(variables which do not appear in the type at all) and on variables inB|J∩mvar(Γθ) (whichis empty, becauseB was chosen fresh). By Lemma A.16, we havet′x = (tiθ

′//pi)(x) ≤(ti//pi)(x)θ

′: hence,t′xθx = (tiθ′//pi)(x)θx ≤ (ti//pi)(x)θ

′θx = txθ′θx.

Case Ts-SubsumThe conclusion follows from the induction hypothesis sincesubstitutionspreserve subtyping.

Corollary A.24. Let Γ be a type environment andθ a type substitution such thatdom(θ) ∩mvar(Γ) = ∅. If Γ ⊢

Se : t, thenΓ ⊢

Se : tθ.

Proof. From Γ ⊢Se : t we deriveΓθ ⊢

Se : tθ by Lemma A.23. Then, we showΓ ⊑ Γθ and

mvar(Γ) ⊆ mvar(Γθ), which allow us to apply Lemma A.22 to deriveΓ ⊢Se : tθ.

To show the two conditions above, we show that, for every(x : ∀A. t) ∈ Γ—assume byα-renamingA ∩ (dom(θ) ∪ var(θ)) = ∅—, ∀A. t ⊑ ∀A. tθ andmvar(∀A. t) ⊆ mvar(∀A. tθ).

We showt ≃ tθ, which implies both (by Lemma A.21 and Lemma A.19). The equivalenceholds by Lemma A.20:dom(θ) ∩ mvar(t) = ∅ because everyα ∈ mvar(t) is either inA ormvar(Γ), and in both cases this means it cannot be indom(θ).

Lemma A.25(Expression substitution). Letx1, . . . ,xn be distinct variables andv1, . . . ,vn values.LetΓ′ = x1 : s1, . . . , xn : sn andς = [v1/x1, . . . , vn/xn].

If Γ,Γ′ ⊢Se : t and, for all k ∈ 1, . . . , n and for all tk ∈ inst(sk), Γ ⊢

Svk : tk, then

Γ ⊢Seς : t.

Proof. By induction on the derivation ofΓ,Γ′ ⊢Se : t. We reason by cases on the last applied rule.

Case Ts-Var We have

Γ,Γ′ ⊢Sx : t t ∈ inst((Γ,Γ′)(x)) .

Either x = xk for somek or not. In the latter case,xς = x, x /∈ dom(Γ′) and hence(Γ,Γ′)(x) = Γ(x). Then, sincet ∈ inst((Γ,Γ′)(x)), t ∈ inst(Γ(x)) and we can applyTs-Var.

If x = xk, then(Γ,Γ′)(x) = Γ′(x) = sk. We must then proveΓ ⊢Svk : t, which we know

by hypothesis sincet ∈ inst(sk).

Case Ts-ConstStraightforward.

Case Ts-AbstrWe have

Γ,Γ′ ⊢Sλx. e1 : t1 → t2 Γ,Γ′, x : t1 ⊢

Se1 : t2 .

By α-renaming we can assumex /∈ dom(Γ,Γ′); then (λx. e1)ς = λx. (e1ς) andΓ,Γ′, x : t1 = Γ, x : t1,Γ

′. Therefore we haveΓ, x : t1,Γ′ ⊢Se1 : t2 and hence

Γ, x : t1 ⊢Se1ς : t2 by the induction hypothesis. We applyTs-Abstrto conclude.

Cases Ts-Appl, Ts-Pair, Ts-Tag, and Ts-SubsumStraightforward application of the inductionhypothesis.

Case Ts-MatchWe have

Γ,Γ′ ⊢Smatch e0 with (pi → ei)i∈I : t

Γ,Γ′ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. Γ,Γ′, genΓ,Γ′(ti//pi) ⊢S ei : t′i t =

∨

i∈I t′i .

We assume byα-renaming that no capture variable of any pattern is in the domain ofΓ or Γ′. Then, (match e0 with (pi → ei)i∈I)ς = match e0ς with (pi → eiς)i∈I andΓ,Γ′, genΓ,Γ′(ti//pi) = Γ, genΓ,Γ′(ti//pi),Γ

′ for anyi.By the induction hypothesis, we deriveΓ ⊢

Se0ς : t0 andΓ, genΓ,Γ′(ti//pi) ⊢

Seiς : t

′i for

all i. From the latter, we proveΓ, genΓ(ti//pi) ⊢Seiς : t

′i by weakening (Lemma A.22): we

havegenΓ(ti//pi) ⊑ genΓ,Γ′(ti//pi) by Lemma A.21—sincemvar(Γ) ⊆ mvar(Γ,Γ′) – andclearly we havemvar(Γ, genΓ(ti//pi)) ⊆ mvar(Γ, genΓ,Γ′(ti//pi)) sincemvar(genΓ(ti//pi)) ⊆mvar(Γ).

Theorem A.26(Progress). Let e be a well-typed, closed expression (i.e.,∅ ⊢Se : t holds for some

t). Then, eithere is a value or there exists an expressione′ such thate e′.

Proof. By hypothesis we have∅ ⊢Se : t. The proof is by induction on its derivation; we reason by

cases on the last applied rule.

31

Case Ts-Var This case does not occur because variables are not closed.

Case Ts-ConstIn this casee is a constantc and therefore a value.

Case Ts-Abstr In this casee is an abstractionλx. e1. Since it is also closed, it is a value.

Case Ts-Appl We have

∅ ⊢Se1 e2 : t ∅ ⊢

Se1 : t

′ → t ∅ ⊢Se2 : t

′ .

By the induction hypothesis, each ofe1 ande2 either is a value or may reduce. Ife1 e′1,thene1 e2 e′1 e2. If e1 is a value ande2 e′2, thene1 e2 e1 e

′2.

If both are values then, by Lemma A.12,e1 has the formλx. e3 for somee3. Then, we canapplyR-Applande1 e2 e3[e2/x].

Case Ts-Pair We have

∅ ⊢S(e1, e2) : t1 × t2 ∅ ⊢

Se1 : t1 ∅ ⊢

Se2 : t2 .

By the induction hypothesis, each ofe1 ande2 either is a value or may reduce. Ife1 e′1,then(e1, e2) (e′1, e2). If e1 is a value ande2 e′2, then(e1, e2) (e1, e

′2). If both are

values, then(e1, e2) is also a value.

Case Ts-TagWe have

∅ ⊢Stag(e1) : tag(t1) ∅ ⊢

Se1 : t1 .

Analogously to the previous case, by the induction hypothesis we have that eithere1 isa value ore1 e′1. In the former case,tag(e1) is a value as well. In the latter, we havetag(e1) tag(e′1).

Case Ts-MatchWe have

∅ ⊢Smatch e0 with (pi → ei)i∈I : t ∅ ⊢

Se0 : t0 t0 ≤

∨

i∈I*pi+ .

By the inductive hypothesis, eithere0 is a value or it may reduce. In the latter case, ife0 e′0, thenmatch e0 with (pi → ei)i∈I match e′0 with (pi → ei)i∈I .

If e0 is a value, on the other hand, the expression may reduce by application of R-Match.Sincet0 ≤

∨

i∈I*pi+, ∅ ⊢Se0 :

∨

i∈I*pi+ holds by subsumption. Hence, sincee0 is a value,∅ ⊢

Se0 : *pi+ holds for at least onei (by Lemma A.13); for each suchi we havee0/pi = ςi

(by Lemma A.15). Letj be the least of thesei; thenmatch e0 with (pi → ei)i∈I ejςj .

Case Ts-SubsumStraightforward application of the induction hypothesis.

Theorem A.27 (Subject reduction). Let e be an expression andt a type such thatΓ ⊢Se : t. If

e e′, thenΓ ⊢Se′ : t.

Proof. By induction on the derivation ofΓ ⊢Se : t. We reason by cases on the last applied rule.

Cases Ts-Var, Ts-Const, and Ts-AbstrThese cases do not occur: variables, constants, andabstractions never reduce.

Case Ts-Appl We have

Γ ⊢Se1 e2 : t Γ ⊢

Se1 : t

′ → t Γ ⊢Se2 : t

′ .

e1 e2 e′ occurs in any of three ways:(i) e1 e′1 ande′ = e′1 e2; (ii) e1 is a value,e2 e′2 and e′ = e1 e′2; (iii) both e1 and e2 are values,e1 is of the formλx. e3, ande′ = e3[e2/x].

In the first case, we derive by the induction hypothesis thatΓ ⊢Se′1 : t

′ → t and conclude byapplyingTs-Applagain. The second case is analogous.

In the third case, we know by Lemma A.12 thatΓ, x : t′ ⊢Se3 : t. We also know thate2 is

a value such thatΓ ⊢Se2 : t

′. Then, by Lemma A.25,Γ ⊢Se3[e2/x] : t.

Case Ts-Pair We have

Γ ⊢S(e1, e2) : t1 × t2 Γ ⊢

Se1 : t1 Γ ⊢

Se2 : t2 .

(e1, e2) e′ occurs either becausee1 e′1 ande′ = (e′1, e2), or becausee1 is a value,e2 e′2, ande′ = (e1, e

′2). In either case, the induction hypothesis allows us to derive that

the type of the component that reduces is preserved; therefore, we can applyTs-Pair again toconclude.

Case Ts-TagAnalogously to the previous case, a variant expression onlyreduces if its argumentdoes, so we apply the induction hypothesis andTs-Tagto conclude.

32

R-FixY (λx. e) e[Y (λx. e)/x]

Tk-FixK; Γ ⊢

Ke : τ → τ

K; Γ ⊢KY e : τ

Ts-FixΓ ⊢

Se : t → t

Γ ⊢SY e : t

Figure 11. Rules for the fixed-point combinator.

Case Ts-MatchWe have

Γ ⊢Smatch e0 with (pi → ei)i∈I : t

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. Γ, genΓ(ti//pi) ⊢S ei : t′i t =

∨

i∈I t′i .

The reductionmatch e0 with (pi → ei)i∈I e′ occurs either becausee0 e′0 ande′ = match e′0 with (pi → ei)i∈I or becausee0 is a value ande′ = ejς, wheree0/pj = ς and,for all i < j, e0/pi = Ω. In the former case, we apply the induction hypothesis and concludeby Ts-Match.

In the latter case,ς is a substitution from the capture variables ofpj to values. We can derive

Γ ⊢Se0 : *pj+ ∀i < j. Γ ⊢

Se0 : ¬*pi+

by Lemma A.15 and thenceΓ ⊢Se0 : tj by Lemma A.14. Therefore, by Lemma A.17, we have

that, for allx ∈ capt(pj), Γ ⊢Sxς : (tj//pj)(x). LetΓ′ = tj//pj .

We show that, additionally,Γ ⊢Sxς : tx holds for everytx ∈ inst(genΓ(Γ

′(x))). Every suchtx is equal toΓ′(x)θ for aθ such thatdom(θ) ⊆ var(Γ′(x))\mvar(Γ). Then,Γ ⊢

Sxς : Γ′(x)θ

holds by Corollary A.24, sincedom(θ) ∩ mvar(Γ) = ∅ (the substitution does not change anymeaningful variable ofΓ).

FromΓ, genΓ(Γ′) ⊢

Sej : t

′j and from the fact that we haveΓ ⊢

Sxς : tx for all x ∈ capt(pj)

and alltx ∈ inst(genΓ(Γ′(x))), we deriveΓ ⊢

Sejς : t

′j by Lemma A.25 and then conclude by

subsumption.

Case Ts-SubsumStraightforward application of the induction hypothesis.

Corollary A.28 (Type soundness). Let e be a well-typed, closed expression, that is, such that∅ ⊢

Se : t holds for somet. Then, eithere diverges or it reduces to a valuev such that∅ ⊢

Sv : t.

Proof. Consequence of Theorem A.26 and Theorem A.27.

A.3.3 Completeness ofS with respect toK

In the proof of completeness, we consider a calculus and typesystems extended with the additionof a fixed-point combinatorY: this simplifies the proof (as it allows us to assume that all arrowtypes are inhabited) and it would be desirable anyway in order to use the system in pratice. We adda new productionY e to the grammar defining expressions, a new productionYE to the grammarof evaluation contexts, and the new reduction ruleR-Fix in Figure 11. We extendK andS with theaddition, respectively, of the rulesTk-FixandTs-Fix in Figure 11.

As mentioned in Section 4.3, we prove completeness ofS with respect toK using inductivetechniques which do not account for the presence of recursion in kinds: we therefore have to restrictourselves to only consider kinding environments which do not feature recursion, (thenon-recursiveenvironments defined below). We conjecture that coinductive techniques could be used instead toprove the result for general kinding environments.

Definition A.35 (Non-recursive kinding environments). We say that a kinding environmentK isnon-recursiveif, for all α such thatK(α) = (L, U, T ), we haveα /∈

⋃

tag: τ∈T varK(τ ).

Definition A.36. We define a functionw which, given ak-type τ in a non-recursive kindingenvironmentK, yields themeasurew(τ,K) of τ in K. It is defined by the following equations.

w(α,K) =

1 +∑

tag: τ∈T w(τ,K) if K(α) = (L,U, T )

1 otherwise

w(b,K) = 1

w(τ1 → τ2,K) = w(τ1,K) + w(τ2,K) + 1

w(τ1 × τ2,K) = w(τ1,K) + w(τ2,K) + 1

Definition A.37 (Translation of types). Given ak-typeτ in a non-recursive kinding environmentK, its translationis thes-typeJτKK defined inductively by the rules in Figure 12.

33

JαKK =

α if K(α) = •

(lowK(L, T ) ∨ α) ∧ uppK(U,T ) if K(α) = (L,U, T )

JbKK = b

Jτ1 → τ2KK = Jτ1KK → Jτ2KK

Jτ1 × τ2KK = Jτ1KK × Jτ2KK

where:

lowK(L, T ) =∨

tag∈L tag(∧

tag: τ∈T JτKK)

uppK(U,T ) =

∨

tag∈U tag(∧

tag: τ∈T JτKK) if U 6= L∨

tag∈dom(T ) tag(∧

tag: τ∈T JτKK) ∨ (1V \∨

tag∈dom(T ) tag(1)) if U = L

Figure 12. Translation ofk-types tos-types.

We define the translation of type schemes asJ∀A.K′ ⊲ τKK = ∀A. JτKK,K′ and of typeenvironments by translating each type scheme pointwise.

Lemma A.29. For anyk-typeτ in a non-recursive kinding environmentK, we havevar(JτKK) ⊆varK(τ ). Likewise, for anyk-schemeσ andk-type environmentΓ, we havevar(JσKK) ⊆ varK(σ)andvar(JΓKK) ⊆ varK(Γ).

Proof. The translation does not introduce new variables, therefore we can showvar(JτKK) ⊆varK(τ ) by induction onw(τ,K). We extend this straightforwardly to type schemes and envi-ronments.

Lemma A.30. Let p be a pattern andt ≤ *p+ an s-type. IfK ⊢ p : τ ⇒ Γ andt ≤ JτKK , then,for all x ∈ capt(p), (t//p)(x) ≤ JΓ(x)KK.

Proof. By structural induction onp.

Casesp = andp = c There is nothing to prove sincecapt(p) = ∅.

Casep = x We have

K ⊢ p : τ ⇒ x : τ t//x = x : t

and must provex : t(x) ≤ Jx : τ(x)KK, that is,t ≤ JτKK , which is true by hypothesis.

Casep = (p1, p2) We have

K ⊢ p : τ1 × τ2 ⇒ Γ Γ = Γ1 ∪ Γ2 ∀i. K ⊢ pi : τi ⇒ Γi

t//p = π1(t)//p1 ∪ π2(t)//p2 .

Sincet ≤ Jτ1KK × Jτ2KK , by Property A.31 we haveπi(t) ≤ JτiKK . Likewise,πi(t) ≤*pi+. We apply the induction hypothesis to conclude.

Casep = tag(p1) We have

K ⊢ p : α ⇒ Γ K ⊢ p1 : τ1 ⇒ Γ

K(α) = (L,U, T ) (tag∈ U impliestag: τ1 ∈ T ) t//p = πtag(t)//p1 .

Sincet ≤ *tag(p1)+ = tag(*p1+), by Property A.32 we haveπtag(t) ≤ *p1+. We next proveπtag(t) ≤ Jτ1KK , which allows us to apply the induction hypothesis and conclude.

The translation ofα is JαKK = (lowK(L, T ) ∨ α) ∧ uppK(U, T ). We havet ≤ JαKKand hencet ≤ uppK(U, T ). Sincet ≤ tag(1), t ≤ uppK(U, T ) ∧ tag(1). We distribute theintersection over the summands ofuppK(U, T ), which is a union.

If tag /∈ U (in which caseU 6= L), then all summands have the formtag1(τ ′) and for eachtag1 we havetag1 6= tag: hence, the intersection is empty and thus we havet ≤ 0 ≃ tag(0).Thenπtag(t) ≤ 0 ≤ Jτ1KK .

If tag ∈ U , then necessarilytag ∈ dom(T ) holds as well. In that case the intersectionuppK(U,T ) ∧ tag(1) is equivalent totag(

∧

tag: τ ′∈T Jτ ′KK). Hencet ≤ tag(∧

tag: τ ′∈T Jτ ′KK)

andπtag(t) ≤∧

tag: τ ′∈T Jτ ′KK . Sincetag: τ1 ∈ T ,∧

tag: τ ′∈T Jτ ′KK ≤ Jτ1KK , from whichfollows πtag(t) ≤ Jτ1KK .

Casep = p1&p2 We directly apply the induction hypothesis to both sub-patterns and conclude.

34

Casep = p1|p2 We have

K ⊢ p : τ ⇒ Γ ∀i. K ⊢ pi : τ ⇒ Γ

t//p = (t ∧ *p1+)//p1 ∨∨ (t \ *p1+)//p2 .

Sincet ∧ *p1+ andt \ *p1+ are subtypes oft, they are also subtypes ofJτKK . We can applythe induction hypothesis and, for eachx, derive both that(t ∧ *p1+//p1)(x) ≤ JΓ(x)KK andthat(t \ *p1+//p2)(x) ≤ JΓ(x)KK . Hence,(t//p)(x) ≤ JΓ(x)KK .

Lemma A.31(Translation of type substitutions). LetK,K′ be two non-recursive kinding environ-ments such thatdom(K′) ∩ (dom(K) ∪ var∅(K)) = ∅. Letθ be ak-type substitution such thatdom(θ) ⊆ dom(K′) andK,K′ ⊢ θ : K.

Let θ′ be thes-type substitution defined as[ JαθKK/α | α ∈ dom(K′) ]. For everyk-typeτ , wehaveJτKK,K′θ′ ≃ JτθKK .

Proof. By complete induction onw(τ, (K,K′)). We proceed by cases onτ and assume that thelemma holds for allτ ′ such thatw(τ ′, (K,K′)) < w(τ, (K,K′)).

Caseτ = α, with (K,K′)(α) = • We haveJαKK,K′ = α, henceJαKK,K′θ′ = αθ′. Eitherα ∈ dom(K) or α ∈ dom(K′) (the domains are disjoint). In the former case,αθ = α andαθ′ = α. Thus we haveJαKK,K′θ′ = α = JαθKK . In the latter,αθ′ = JαθKK holds bydefinition ofθ′.

Caseτ = α, withK(α) = (L,U, T ) andα /∈ dom(K′) We haveJαKK,K′ = JαKK because novariable in the kind ofα is in dom(K′). For the same reason, since the translation does not addvariables,JαKK,K′θ′ = JαKK . Additionally,αθ = α, so alsoJαθKK = JαKK .

Caseτ = α, with K′(α) = (L′, U ′, T ′) BecauseK,K′ ⊢ θ : K, we know thatαθ is somevariableβ such thatK(β) = (L, U, T ) and(L,U, T ) (L′, U ′, T ′θ).

We have

JαθKK = JβKK = (lowK(L, T ) ∨ β) ∧ uppK(U, T )

and

JαKK,K′θ′ =(

(lowK,K′ (L′, T ′) ∨ α) ∧ uppK,K′(U′, T ′)

)

θ′

= (lowK,K′ (L′, T ′)θ′ ∨ αθ′) ∧ uppK,K′(U′, T ′)θ′

=(

lowK,K′ (L′, T ′)θ′ ∨(

(lowK(L, T ) ∨ β) ∧ uppK(U,T ))

)

∧ uppK,K′(U′, T ′)θ′ .

Let us define

l = lowK(L, T ) u = uppK(U, T )

l′ = lowK,K′ (L′, T ′)θ′ u′ = uppK,K′(U′, T ′)θ′

and assume that the following hold (we prove them below):

l ≤ u l′ ≤ u′ l′ ≤ l u ≤ u′ .

Then we have alsol′ ≤ u by transitivity. Whenevert ≤ t′, we havet ∧ t′ ≃ t andt ∨ t′ ≃ t′.Thus we have the following equivalences:

JαKK,K′θ′ = (l′ ∨ ((l ∨ β) ∧ u)) ∧ u′

≃ (l′ ∧ u′) ∨ ((l ∨ β) ∧ u ∧ u′) distributivity

≃ l′ ∨ ((l ∨ β) ∧ u) l′ ≤ u′ andu ≤ u′

≃ (l′ ∨ l ∨ β) ∧ (l′ ∨ u) distributivity

≃ (l ∨ β) ∧ u l′ ≤ l andl′ ≤ u

by which we conclude.We now prove our four assumptions. The first,l ≤ u, holds becauseL ⊆ U and

L ⊆ dom(T ): hence each branch ofl appears inu as well. The second is analogous.For the other assumptions, note thatJτ ′KK,K′θ′ ≃ Jτ ′θKK holds for allτ ′ in the range of

T ′. To provel′ ≤ l, note thatL′ ⊆ L andT ′θ ⊆ T . In l′, we distribute the application ofθ′ over all the summands of the union and inside all variant typeconstructors. Then, we showtag(

∧

tag: τ ′∈T ′Jτ′KK,K′θ′) ≤ l for eachtag ∈ L′. We havetag(

∧

tag: τ ′∈T ′Jτ′KK,K′θ′) ≃

tag(∧

tag: τ ′∈T ′Jτ′θKK) = tag(

∧

tag: τ ′θ∈T ′θJτ′θKK). SinceL′ ⊆ L, there is a summand ofl

with the same tag. Sincetag is in the lower bound, it has a single type in bothT andT ′ and,sinceT ′θ ⊆ T , the type it has inT must beτ ′θ.

To proveu ≤ u′, note thatU ⊆ U ′. If U = L, thenU ′ = L. Then bothu andu′ are unionsof two types: the union of tags mentioned respectively inT andT ′ and the rest. For eachtag, if

35

tag /∈ dom(T ), thentag /∈ dom(T ′), in which case bothu andu′ admit it with any argumenttype. If tag ∈ dom(T ), eithertag ∈ dom(T ′) or not. In the former case,u admits a smallerargument type thanu′ becauseT ′θ ⊆ T . The same occurs in the latter case, sinceu′ admitstagwith any argument type.

If U 6= L, thenU ′ could beL or not. In either case we can prove, for eachtag∈ U , thatu′

admitstagwith a larger argument type thanu does.

Caseτ = b Straightforward, since a basic type is translated into itself and is never affected bysubstitutions.

Caseτ = τ1 → τ2 By the induction hypothesis we haveJτiKK,K′θ′ ≃ JτiθKK for bothi. Then

Jτ1 → τ2KK,K′θ′ = (Jτ1KK,K′θ′) → (Jτ2KK,K′θ′) ≃ Jτ1θKK → Jτ2θKK

= J(τ1θ) → (τ2θ)KK = J(τ1 → τ2)θKK .

Caseτ = τ1 × τ2 Analogous to the previous case.

Lemma A.32. If ∅ ⊢Sv : JτKK , then there exists a valuev′ such thatK;∅ ⊢

Kv′ : τ and, for every

patternp, v/p = Ω ⇐⇒ v′/p = Ω.

Proof. By structural induction onv.Note that values are always typed by an application of the typing rule corresponding to

their form (Ts-Const, Ts-Abstr, Ts-Pair, or Ts-Tag) to appropriate premises, possibly followed byapplications ofTs-Subsum. Hence, if∅ ⊢

Sv : t, there is a typet′ ≤ t such that∅ ⊢

Sv : t′ and that

the last typing rule used to derive∅ ⊢Sv : t′ is one of the four above, given by the form ofv.

Casev = c We haveJτKK ≥ c. Henceτ = bc, as the translation of any otherτ is disjoint fromc. Then we can takev′ = v.

Casev = (v1, v2) We haveJτKK ≥ t1 × t2 for somet1 andt2. Henceτ = τ1 × τ2: any otherτ would translate to a type disjoint from all products. Therefore∅ ⊢

Sv : Jτ1KK × Jτ2KK . By

Lemma A.12 we have∅ ⊢Svi : JτiKK for both i; then by the induction hypothesis we findv′i

for bothi and letv′ = (v′1, v′2).

Casev = tag(v1) We haveJτKK ≥ tag(t1) and∅ ⊢Sv : tag(t1) for somet1 0 (sincet1 types

the valuev1). Therefore, by the same reasoning as above,τ = α with K(α) = (L,U, T ). SinceJτKK ≥ tag(t1), we havetag∈ L and thereforetag: τ1 ∈ T for someτ1 such thatt1 ≤ Jτ1KK .Then we have∅ ⊢

Sv1 : Jτ1KK ; we may apply the induction hypothesis to find a valuev′1 and

let v′ = tag(v′1).

Casev = λx. e Note that an abstraction is only accepted by patterns which accept any value, soany two abstractions fail to match exactly the same patterns.

We have∅ ⊢Sv : t1 → t2 for somet1 → t2 ≤ JτKK . Hence we knowτ is of the

form τ1 → τ2; thus we have∅ ⊢Sv : Jτ1KK → Jτ2KK . We takev′ to be the function

λx. Y (λf. λx. f x) x, which never terminates and can be assigned any arrow type.

Lemma A.33. LetK be a kinding environment,τ a k-type, andP a set of patterns. Ifτ 4K P ,thenJτKK ≤

∨

p∈P *p+.

Proof. By contradiction, assume thatτ 4K P holds butJτKK ∨

p∈P *p+. The latter conditionimplies that there exists a valuev in the interpretation ofJτKK which is not in the interpretationof

∨

p∈P *p+. Because the definition of accepted type is exact with respect to the semantics ofpattern matching, we havev/p = Ω for all p ∈ P . We also have∅ ⊢

Sv : JτKK sincev is in

the interpretation of that type (typing is complete with respect to the interpretation if we restrictourselves to translations ofk-types).

By Lemma A.32, fromv we can build a valuev′ such thatK;∅ ⊢Kv′ : τ and, for every pattern

p, v/p = Ω ⇐⇒ v′/p = Ω. We reach a contradiction, sinceτ 4K P andK;∅ ⊢Kv′ : τ imply

that there exists ap ∈ P such thatv′/p 6= Ω, whereas we havev/p = Ω for all p ∈ P .

Theorem A.34 (Preservation of typing). Let e be an expression,K a non-recursive kindingenvironment,Γ a k-type environment, andτ a k-type. IfK; Γ ⊢

Ke : τ , thenJΓKK ⊢

Se : JτKK .

Proof. By induction on the derivation ofK; Γ ⊢Ke : τ . We reason by cases on the last applied rule.

Case Tk-Var We have

K; Γ ⊢Kx : τ τ ∈ instK(Γ(x)) hence

Γ(x) = ∀A.Kx ⊲ τx τ = τxθ dom(θ) ⊆ A K,Kx ⊢ θ : K

36

and must showJΓKK ⊢Sx : JτKK . SinceJΓKK(x) = ∀A. JτxKK,Kx

, by Ts-Varwe can deriveJτxKK,Kx

θ′ for anys-type substitutionθ′ with dom(θ′) ⊆ A.Consider thes-type substitutionθ′ = [ JαθKK/α | α ∈ A ]. We haveJτxKK,Kx

θ′ ≃ JτxθKKby Lemma A.31 (we can assume the conditions on the domain ofKx to hold by renaming thevariables inA). Hence, we deriveJτxKK,Kx

θ′ by Ts-Varand thenJτxθKK by subsumption.

Case Tk-ConstWe haveK; Γ ⊢

Kc : bc JbcKK = bc

and may deriveJΓKK ⊢Sc : c by Ts-ConstandJΓKK ⊢

Sc : bc by subsumption.

Case Tk-Abstr We have

K; Γ ⊢Kλx. e1 : τ1 → τ2 K; Γ, x : τ1 ⊢

Ke1 : τ2 Jτ1 → τ2KK = Jτ1KK → Jτ2KK .

By the induction hypothesis we deriveJΓKK , x : Jτ1KK ⊢Se1 : Jτ2KK , then we applyTs-

Abstr.

Cases Tk-Appl, Tk-Pair, and Tk-FixStraightforward application of the induction hypothesis.

Case Tk-TagWe have

K; Γ ⊢K

tag(e1) : α K; Γ ⊢Ke1 : τ1 K(α) = (L, U, T ) tag∈ L tag: τ1 ∈ T

JαKK = (lowK(L, T ) ∨ α) ∧ uppK(U, T ) .

We deriveJΓKK ⊢Se1 : Jτ1KK by the induction hypothesis, thenJΓKK ⊢

Stag(e1) : tag(Jτ1KK)

by Ts-Tag. We show thattag(Jτ1KK) ≤ JαKK holds: hence, we may derive the supertype bysubsumption.

Sincetag ∈ L and hencetag ∈ dom(T ), both lowK(L, T ) and uppK(U, T ) contain asummandtag(

∧

tag: τ ′∈T Jτ ′KK). Sincetag: τ1 ∈ T and no other type may be associated totag,the intersection has a single factorJτ1KK . Thus we have bothtag(Jτ1KK) ≤ lowK(L, T ) andtag(Jτ1KK) ≤ uppK(U, T ); hence,tag(Jτ1KK) ≤ JαKK .

Case Tk-Match We have

K; Γ ⊢Kmatch e0 with (pi → ei)i∈I : τ

K; Γ ⊢Ke0 : τ0 τ0 4K pi | i ∈ I

∀i ∈ I. K ⊢ pi : τ0 ⇒ Γi K; Γ, genK;Γ(Γi) ⊢K ei : τ

and must showJΓKK ⊢

Smatch e0 with (pi → ei)i∈I : JτKK

which we prove by establishing, for some typest0 andti, t′i for eachi, that

JΓKK ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. JΓKK , genJΓKK(ti//pi) ⊢S ei : t

′i

∨

i∈I t′i ≤ JτKK .

and then applyingTs-Match, followed byTs-Subsumif necessary.By the induction hypothesis we deriveJΓKK ⊢

Se0 : Jτ0KK and hence havet0 = Jτ0KK . By

Lemma A.33, we havet0 ≤∨

i∈I*pi+. For every branch,ti ≤ t0 andti ≤ *pi+: therefore, wecan apply Lemma A.30 and derive that(ti//pi)(x) ≤ JΓi(x)KK holds for everyx ∈ capt(pi).

For each branch, we deriveJΓKK , JgenK;Γ(Γi)KK ⊢Sei : JτKK by the induction hypothesis.

We deriveJΓKK , genJΓKK(ti//pi) ⊢S ei : JτKK by Lemma A.22 by provingJΓKK , genJΓKK

(ti//pi) ⊑JΓKK , JgenK;Γ(Γi)KK and mvar(JΓKK , genJΓKK

(ti//pi)) ⊆ mvar(JΓKK , JgenK;Γ(Γi)KK).The latter is straightforward. For the former, for eachx ∈ capt(pi)—sayΓi(x) = τx and(ti//pi)(x) = tx—we must showgenJΓKK

(tx) ⊑ JgenK;Γ(τx)KK . This holds becausetx ≤ JτxKK and because, by Lemma A.29,var(JΓKK) ⊆ varK(Γ).

We can thus chooset′i = JτKK for all branches, satisfying∨

i∈I t′i ≤ JτKK .

A.4 Type reconstruction

A.4.1 Definition of type reconstruction forS

Definition A.38 (Constraints). A constraintc is a term inductively generated by the followinggrammar:

c ::= t ≤ t | x ≤ t | def Γ in C | let [C](Γi in Ci)i∈I

whereC ranges overconstraint sets, that is, finite sets of constraints, and where the range ofevery type environmentΓ in constraints of the formdef or let only contains types (i.e., trivial typeschemes).

We give different definitions of constraint generation and rewriting here than those in Section 5,because we keep track explicitly of the new variables introduced during the derivation, rather than

37

t/// ⇒∅ (∅,∅) t///x ⇒∅ (x : t,∅) t///c ⇒∅ (∅,∅)

α1///p1 ⇒A1(Γ1, C1) α2///p2 ⇒A2

(Γ2, C2)

t///(p1, p2) ⇒A1⊎A2⊎α1,α2 (Γ1 ∪ Γ2, C1 ∪ C2 ∪ t ≤ α1 × α2)A1, A2, α1, α2 ♯ t

α///p ⇒A (Γ, C)

t///tag(p) ⇒A⊎α (Γ, C ∪ t ≤ tag(α))A,α ♯ t

t///p1 ⇒A1(Γ1, C1) t///p2 ⇒A2

(Γ2, C2)

t///p1&p2 ⇒A1⊎A2(Γ1 ∪ Γ2, C1 ∪ C2)

(t ∧ *p1+)///p1 ⇒A1(Γ1, C1) (t \ *p1+)///p2 ⇒A2

(Γ2, C2)

t///p1|p2 ⇒A1⊎A2(x : Γ1(x) ∨ Γ2(x) | x ∈ capt(p1) , C1 ∪ C2)

Figure 13. Constraint generation for pattern environments.

TRs-Varx : t ⇒∅ x ≤ t

TRs-Constc : t ⇒∅ c ≤ t

TRs-Abstre : β ⇒A C

λx. e : t ⇒A⊎α,β def x : α in C, α → β ≤ tA, α, β ♯ t

TRs-Apple1 : α → β ⇒A1

C1 e2 : α ⇒A2C2

e1 e2 : t ⇒A1⊎A2⊎α,β C1 ∪ C2 ∪ β ≤ tA1, A2, α, β ♯ t

TRs-Paire1 : α1 ⇒A1

C1 e2 : α2 ⇒A2C2

(e1, e2) : t ⇒A1⊎A2⊎α1,α2 C1 ∪ C2 ∪ α1 × α2 ≤ tA1, A2, α1, α2 ♯ t

TRs-Tage : α ⇒A C

tag(e) : t ⇒A⊎α C ∪ tag(α) ≤ tA, α ♯ t

TRs-Match

e0 : α ⇒A0C0 ti = (α \

∨

j<i*pj+) ∧ *pi+

∀i ∈ I ti///pi ⇒Ai(Γi, Ci) ei : β ⇒A′

iC′

i

C′0 = C0 ∪ (

⋃

i∈I Ci) ∪ α ≤∨

i∈I*pi+A = A0 ⊎ (

⊎

i∈I Ai) ⊎ (⊎

i∈I A′i) ⊎ α, β

match e0 with (pi → ei)i∈I : t ⇒A let [C′0](Γi in C′

i)i∈I , β ≤ tA ♯ t

Figure 14. Constraint generation rules with explicit variable introduction.

informally requiring them to be fresh. For instance, ine : t ⇒A C, A is the set of variables whichappear inC but not int. We will omit it for soundness proofs, where it is not relevant.

We use the symbol⊎ to denote the union of two disjoint sets. Therefore, when we writeA1⊎A2,we requireA1 andA2 to be disjoint. When we require this for sets of type variables, the conditionis always satisfiable by an appropriate choice of variables,since there is an infinite supply to choosefrom.

Definition A.39 (Freshness). We say that a type variableα is freshwith respect to a set of typevariablesA, and writeα ♯ A, if α /∈ A. We writeA ♯ A′ if ∀α ∈ A. α ♯ A′.

We extend this to define freshness with respect to types, typeenvironments, and type substitu-tions: we writeα ♯ t if α ♯ var(t), α ♯ Γ if α ♯ var(Γ), andα ♯ θ if α ♯ (dom(θ) ∪ var(θ)).

Definition A.40 (Environment generation for pattern matching). The environment generationrelation for pattern matchingt///p ⇒A (Γ, C) is defined by the rules in Figure 13.

Definition A.41 (Constraint generation). The constraint generation relatione : t ⇒A C is definedby the rules in Figure 14.

38

∀i ∈ I Γ ⊢ ci AiDi

Γ ⊢ ci | i ∈ I ⊎i∈I

Ai

⋃

i∈I Di Γ ⊢ t ≤ t′ ∅ t ≤ t′

Γ(x) = ∀α1, . . . , αn. tx

Γ ⊢ x ≤ t β1,...,βn tx[β1/α1, . . . , βn/αn] ≤ t

Γ,Γ′ ⊢ C A D

Γ ⊢ def Γ′in C A D

Γ ⊢ C0 A0D0 θ0 ∈ tally(D0)

∀i ∈ I Γ, genΓθ0(Γiθ0) ⊢ Ci Ai

Di

A = A0 ⊎ (⊎

i∈I Ai) ⊎ var(θ0)

Γ ⊢ let [C0](Γi in Ci)i∈I A equiv(θ0) ∪⋃

i∈I Di

Figure 15. Constraint rewriting rules with explicit variable introduction.

Note that all rules include a constraint of the form(·) ≤ t. We add this constraint everywhereto streamline the proofs; in practice, it can be dropped fromTRs-ApplandTRs-Matchby usingdirectly t instead ofβ to generate constraints for the sub-expressions.

Definition A.42 (Type-constraint set). A type-constraint setD is a set of constraints of the formt ≤ t′, wheret andt′ are types.

We say that a type substitutionθ satisfies a type-constraint setD, written θ D, if tθ ≤ t′θholds for everyt ≤ t′ in D.

Definition A.43 (Equivalent type-constraint set). Theequivalent type-constraint setequiv(θ) of atype substitutionθ is defined as

equiv(θ) =⋃

α∈dom(θ)α ≤ αθ, αθ ≤ α .

Definition A.44 (Constraint rewriting). The constraint rewriting relationΓ ⊢ c A D betweentype environments, constraints or constraint sets, and type-constraint sets is defined by the rules inFigure 15.

Definition A.45 (Tallying problem). Let D be a type-constraint set. A type substitutionθ is asolution to thetallying problemof D if it satisfiesD, that is, ifθ D.

Property A.46 (Tallying algorithm). There exists a terminating algorithmtally such that, for anytype-constraint setD, tally(D) is a finite, possibly empty, set of type substitutions.

Theorem A.35 (Soundness and completeness oftally). Let D be a type-constraint set. For anytype substitutionθ:

• if θ ∈ tally(D), thenθ D;• if θ D, then∃θ′ ∈ tally(D), θ′′. ∀α /∈ var(θ′). αθ ≃ αθ′θ′′.

Furthermore, ifθ ∈ tally(D), thendom(θ) is the set of variables appearing inD andvar(θ) isa set of fresh variables of the same cardinality. In the completeness property above, forθ′′ we cantakeθ ∪ θ′′′ wheredom(θ′′′) = var(θ′).

A.4.2 Properties of type reconstruction forS

Lemma A.36. Given a constraint setC, we writevar(C) for the set of variables appearing in it.The following properties hold:

• whenevert///p ⇒A (Γ, C), we havevar(C) ⊆ var(t) ∪A, var(Γ) ⊆ var(t) ∪A, andA ♯ t;• whenevere : t ⇒A C, we havevar(C) ⊆ var(t) ∪A andA ♯ t;• wheneverΓ ⊢ C A D, we havevar(D) ⊆ var(C) ∪ var(Γ) ∪A.

Proof. Straightforward proofs by induction on the derivations.

Lemma A.37 (Correctness of environment reconstruction). Letp be a pattern andt, t′ two types,with t′ ≤ *p+. Let t///p ⇒ (Γ, C). If θ is a type substitution such thatθ C and t′ ≤ tθ, then,for all x ∈ capt(p), (t′//p)(x) ≤ Γ(x)θ.

Proof. By structural induction onp.

Casesp = andp = c There is nothing to prove sincecapt(p) = ∅.

Casep = x We havet///x ⇒ (x : t,∅) (t′//x)(x) = t′

and must showt′ ≤ tθ, which we know by hypothesis.

39

Casep = (p1, p2) We have

t///p ⇒ (Γ1 ∪ Γ2, C1 ∪ C2 ∪ t ≤ α1 × α2) ∀i. αi///pi ⇒ (Γi, Ci) .

Eachx ∈ capt(p) is either in capt(p1) or in capt(p2). Let x ∈ capt(pi); then, wemust show(πi(t

′)//pi)(x) ≤ Γi(x)θ. This follows from the induction hypothesis, sincet′ ≤ tθ ≤ α1θ × α2θ impliesπi(t

′) ≤ αiθ by Property A.31.

Casep = tag(p1) We have

t///tag(p) ⇒ (Γ, C ∪ t ≤ tag(α)) α///p ⇒ (Γ, C) .

Analogous to the previous case. We can apply the induction hypothesis, becauset′ ≤ tθ ≤tag(α)θ impliesπtag(t

′) ≤ αθ by Property A.32.

Casep = p1&p2 Everyx ∈ capt(p) is either incapt(p1) or in capt(p2). Let x ∈ capt(pi);then, we apply the induction hypothesis topi to conclude.

Casep = p1|p2 We have

t///p1|p2 ⇒ (x : Γ1(x) ∨ Γ2(x) | x ∈ capt(p1) , C1 ∪ C2)

(t ∧ *p1+)///p1 ⇒ (Γ1, C1) (t \ *p1+)///p2 ⇒ (Γ2, C2) .

By the induction hypothesis applied to bothp1 andp2 we derive, for allx,

(t′ ∧ *p1+//p1)(x) ≤ Γ1(x)θ (t′ \ *p1+//p2)(x) ≤ Γ2(x)θ

from which we can conclude

(t′//p)(x) = (t′ ∧ *p1+//p1)(x) ∨ (t′ \ *p1+//p2)(x) ≤ Γ1(x)θ ∨ Γ2(x)θ .

Lemma A.38 (Precise solution to environment reconstruction constraints). Letp be a pattern,t atype, andθ a type substitution such thattθ ≤ *p+. Lett///p ⇒A (Γ, C), withA ♯ dom(θ).

There exists a type substitutionθ′ such thatdom(θ′) = A, that (θ ∪ θ′) C, and that, for allx ∈ capt(p), Γ(x)(θ ∪ θ′) ≤ (tθ//p)(x).

Proof. By structural induction onp.

Casesp = andp = c In both cases we takeθ′ = [ ].

Casep = x We have

t///x ⇒∅ (x : t,∅) .

We takeθ′ = [ ] and havet(θ ∪ θ′) ≤ tθ.

Casep = (p1, p2) We have

t///(p1, p2) ⇒A1⊎A2⊎α1,α2 (Γ1 ∪ Γ2, C1 ∪ C2 ∪ t ≤ α1 × α2)

α1///p1 ⇒A1(Γ1, C1) α2///p2 ⇒A2

(Γ2, C2) A1, A2, α1, α2 ♯ t .

Let θ⋆ = θ ∪ [π1(tθ)/α1, π2(tθ)/α2]. We havetθ′ = tθ andtθ′ ≤ *(p1, p2)+ = *p1+× *p2+;thus, by Property A.31,πi(tθ

′) ≤ *pi+. We also haveAi ♯ dom(θ⋆), αi for both i, sinceα1, α2 is disjoint from eachAi.

We can therefore apply the induction hypothesis topi, αi, andθ⋆, for both i. We derivefrom each that there is a substitutionθ′i with domainAi, such that(θ⋆ ∪ θ′i) Ci and, for allx ∈ capt(pi), Γi(x)(θ

⋆ ∪ θ′i) ≤ (αiθ⋆//pi)(x).

We takeθ′ = [π1(tθ)/α1, π2(tθ)/α2]∪ θ′1∪ θ′2. We have(θ∪ θ′) C1∪C2∪t ≤ α1×α2since it satisfiesC1 andC2 and sincetθ ≤ (α1 × α2)θ

′ = π1(tθ)× π2(tθ).

Casep = tag(p1) We have

t///tag(p1) ⇒A1⊎α (Γ1, C1 ∪ t ≤ tag(α)) α///p1 ⇒A1(Γ1, C1) A1, α ♯ t .

Analogously to the previous case, we constructθ⋆ = θ ∪ [πtag(tθ)/α] and apply the inductionhypothesis top1, α, andθ⋆. We deriveθ′1 and takeθ′ = [πtag(tθ)/α] ∪ θ′1.

Casep = p1&p2 We have

t///p1&p2 ⇒A1⊎A2(Γ1 ∪ Γ2, C1 ∪ C2) t///p1 ⇒A1

(Γ1, C1) t///p2 ⇒A2(Γ2, C2) .

For bothi, we apply the induction hypothesis topi, t, andθ to deriveθ′i. We takeθ′ =θ′1 ∪ θ′2.

40

Casep = p1|p2 We have

t///p1|p2 ⇒A1⊎A2(x : Γ1(x) ∨ Γ2(x) | x ∈ capt(x) , C1 ∪ C2)

(t ∧ *p1+)///p1 ⇒A1(Γ1, C1) (t \ *p1+)///p2 ⇒A2

(Γ2, C2) .

We apply the induction hypothesis top1, t ∧ *p1+, andθ to deriveθ′1. We apply it top2,t \ *p1+, andθ to deriveθ′2; here, note thattθ ≤ *p1+ ∨ *p2+ impliestθ \ *p1+ ≤ *p2+.

We takeθ′ = θ′1 ∪ θ′2. We have(θ ∪ θ′) C since it satisfiesC1 andC2. Furthermore, forall x, we haveΓ1(x)(θ ∪ θ′1) ≤ (tθ ∧ *p1+//p1)(x) andΓ2(x)(θ∪ θ′2) ≤ (tθ \ *p1+//p2)(x).Then,Γ(x)(θ∪θ′) = Γ1(x)(θ∪θ′)∨Γ2(x)(θ∪θ′) = Γ1(x)(θ∪θ′1)∨Γ2(x)(θ∪θ′2), sinceA1

andA2 are disjoint and both are disjoint fromvar(t). Finally,Γ1(x)(θ∪θ′1)∨Γ2(x)(θ∪θ′2) ≤(tθ//p)(x).

Theorem A.39 (Soundness of constraint generation and rewriting). Let e be an expression,t atype, andΓ a type environment. Ife : t ⇒ C, Γ ⊢ C D, andθ D, thenΓθ ⊢

Se : tθ.

Proof. By structural induction one.

Casee = x We have

x : t ⇒ x ≤ t

Γ ⊢ x ≤ t tx[β1/α1, . . . , βn/αn] ≤ t Γ(x) = ∀α1, . . . , αn. tx .

Let A = α1, . . . , αn. By α-renaming we assumeA ♯ θ; then we have(Γθ)(x) =(∀A. tx)θ = ∀A. (txθ). Consider the substitutionθx = [β1θ/α1, . . . , βnθ/αn]. It has domainA, so we can deriveΓθ ⊢

Sx : txθθx.

We showtxθθx = tx[β1/α1, . . . , βn/αn]θ by showingαθθx = α[β1/α1, . . . , βn/αn]θ holdsfor all α ∈ var(tx). Either α ∈ A or not. In the first case,α = αi for some i; thenαθθx = αθx = βiθ andα[β1/α1, . . . , βn/αn]θ = βiθ. In the latter,α 6= αi for all i; thenαθθx = αθ, sincevar(αθ) ∩ dom(θx) = ∅ andα[β1/α1, . . . , βn/αn]θ = αθ.

Therefore we deriveΓθ ⊢S

x : tx[β1/α1, . . . , βn/αn]θ by Ts-Var. Finally, sinceθ tx[β1/α1, . . . , βn/αn] ≤ t, we deriveΓθ ⊢

Sx : tθ by subsumption.

Casee = c We have

c : t ⇒ c ≤ t Γ ⊢ c ≤ t c ≤ t .

Analogously to the previous case, we first applyTs-Constand then conclude by subsumption.

Casee = λx. e1 We have

λx. e1 : t ⇒ def x : α in C1, α → β ≤ t e1 : β ⇒ C1

Γ ⊢ def x : α in C1, α → β ≤ t D1 ∪ α → β ≤ t Γ, x : α ⊢ C1 D1 .

By the induction hypothesis we deriveΓθ, x : αθ ⊢Se1 : βθ. We applyTs-Abstrto derive

Γθ ⊢Sλx. e1 : (α → β)θ. Sinceθ D, we have(α → β)θ ≤ tθ. Hence, we derive by

subsumptionΓθ ⊢Sλx. e1 : tθ.

Casee = e1 e2 We have

e1 e2 : t ⇒ C1 ∪ C2 ∪ β ≤ t e1 : α → β ⇒ C1 e2 : α ⇒ C2

Γ ⊢ C1 ∪ C2 ∪ β ≤ t D1 ∪D2 ∪ β ≤ t Γ ⊢ C1 D1 Γ ⊢ C2 D2 .

We deriveΓθ ⊢Se1 : (αθ) → (βθ) andΓθ ⊢

Se2 : αθ by the induction hypothesis. Then by

Ts-Applwe deriveΓθ ⊢Se1 e2 : βθ, and finally—sinceβθ ≤ tθ—we conclude by subsumption.

Casee = (e1, e2) We have

(e1, e2) : t ⇒ C1 ∪ C2 ∪ α1 × α2 ≤ t e1 : α1 ⇒ C1 e2 : α2 ⇒ C2

Γ ⊢ C1 ∪ C2 ∪ α1 × α2 ≤ t D1 ∪D2 ∪ α1 × α2 ≤ t

Γ ⊢ C1 D1 Γ ⊢ C2 D2 .

We haveΓθ ⊢Sei : αiθ for both i by the induction hypothesis. Then, we deriveΓθ ⊢

S

(e1, e2) : (α1 × α2)θ by Ts-Pair, and finally conclude by subsumption.

Casee = tag(e1) We have

tag(e1) : t ⇒ C C = C1 ∪ tag(α) ≤ t e1 : α ⇒ C1

Γ ⊢ C D D = D1 ∪ tag(α) ≤ t Γ ⊢ C1 D1 .

Analogous to the previous case. We apply the induction hypothesis, thenTs-Tag, thensubsumption.

41

Casee = match e0 with (pi → ei)i∈I We have

match e0 with (pi → ei)i∈I : t ⇒ C

C = let [C′0](Γi in C′

i)i∈I , β ≤ t

C′0 = C0 ∪ (

⋃

i∈I Ci) ∪ α ≤∨

i∈I*pi+ e0 : α ⇒ C0

∀i ∈ I ti = (α \∨

j<i*pj+) ∧ *pi+ ti///pi ⇒ (Γi, Ci) ei : β ⇒ C′i

Γ ⊢ C D

Γ ⊢ C′0 D′

0 Γ ⊢ C0 D0 D′0 = D0 ∪ (

⋃

i∈I Ci) ∪ α ≤∨

i∈I*pi+

θ0 ∈ tally(D′0) ∀i ∈ I. Γ, genΓθ0

(Γiθ0) ⊢ C′i D′

i

D = equiv(θ0) ∪ (⋃

i∈I D′i) ∪ β ≤ t

and we must showΓθ ⊢Smatch e0 with (pi → ei)i∈I : tθ.

We prove it by establishing, for some typest0 andti, t′i for eachi, that

Γθ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I. Γθ, genΓθ(ti//pi) ⊢S ei : t′i

∨

i∈I t′i ≤ tθ .

Sinceθ0 ∈ tally(D′0), θ0 D′

0 and thusθ0 D0. Then, from

e0 : α ⇒ C0 Γ ⊢ C0 D0 θ0 D0

we deriveΓθ0 ⊢Se0 : αθ0 by the induction hypothesis.

Let A = var(αθ0) \ mvar(Γθ0) = α1, . . . , αn. Let B = β1, . . . , βn be a set of typevariables such thatB ♯ Γ, θ, θ0 and letθ⋆ = [β1/α1, . . . , βn/αn]. We deriveΓθ0 ⊢

Se0 : αθ0θ

⋆

by Corollary A.24, sinceθ⋆ does not act on meaningful variables ofΓθ0. By Lemma A.23,we deriveΓθ0θ ⊢

Se0 : αθ0θ

⋆θ; by Lemma A.22,Γθ ⊢Se0 : αθ0θ

⋆θ (we prove the requiredpremises below).

We taket0 = αθ0θ⋆θ. We haveαθ0θ⋆θ ≤

∨

i∈I*pi+ becauseθ0 D′0 impliesαθ0 ≤

∨

i∈I*pi+ and because subtyping is preserved by substitutions (recall that the accepted types ofpatterns are closed). We also haveti = tiθ0θ

⋆θ for all i.For each branchi, from

ei : β ⇒ C′i Γ, genΓθ0

(Γiθ0) ⊢ C′i D′

i θ D′i

we deriveΓθ, (genΓθ0(Γiθ0))θ ⊢

Sei : βθ by the induction hypothesis. We derive by Lemma A.22

Γθ, genΓθ(ti//pi) ⊢Sei : βθ (we prove the premises below). Thus we havet′i = βθ for every

branch; we applyTs-Matchto deriveΓθ ⊢Smatch e0 with (pi → ei)i∈I : βθ, then subsumption

to deriveΓθ ⊢Smatch e0 with (pi → ei)i∈I : tθ.

Proof ofΓθ ⊢Se0 : αθ0θ

⋆θ fromΓθ0θ ⊢Se0 : αθ0θ

⋆θ To apply Lemma A.22, we must show

Γθ ⊑ Γθ0θ mvar(Γθ) ⊆ mvar(Γθ0θ) .

To proveΓθ ⊑ Γθ0θ, consider an arbitrary(x : ∀Ax. tx) ∈ Γ. By α-renaming, we assumeAx ♯ θ, θ0; then, we must prove∀Ax. txθ ⊑ ∀Ax. txθ0θ. For everyγ, γθ ≃ γθ0θ sinceθ equiv(θ0). Hence,txθ ≃ txθ0θ.

Sincetxθ ≃ txθ0θ implies mvar(txθ) = mvar(txθ0θ) by Lemma A.19, this also showsmvar(Γθ) ⊆ mvar(Γθ0θ).

Proof ofΓθ, genΓθ(ti//pi) ⊢S ei : βθ fromΓθ, (genΓθ0(Γiθ0))θ ⊢

Sei : βθ By Lemma A.22, we

can prove the result by showing

Γθ, genΓθ(ti//pi) ⊑ Γθ, (genΓθ0(Γiθ0))θ

mvar(Γθ, genΓθ(ti//pi)) ⊆ mvar(Γθ, (genΓθ0(Γiθ0))θ) .

The second condition is straightforward. For the first, we prove, for everyx ∈ capt(pi),genΓθ((ti//pi)(x)) ⊑ (genΓθ0

(Γiθ0(x)))θ. Let Γi(x) = tx. Then, genΓθ0(Γiθ0(x)) =

∀A. txθ0, whereA is var(αθ0) \ mvar(Γθ0) as defined above (not all variables inA appearin txθ0, but schemes are defined disregarding useless quantification). Byα-renaming, we havegenΓθ0

(Γiθ0(x)) = ∀B. txθ0θ⋆ and, sinceB ♯ θ, (genΓθ0

(Γiθ0(x)))θ = ∀B. txθ0θ⋆θ.

Sinceti ≤ t0 = αθ0θ⋆θ and sinceθ θ⋆ θ0 Ci (becauseθ0 Ci), by Lemma A.37

we have(ti//pi)(x) ≤ txθ0θ⋆θ. Then,genΓθ((ti//pi)(x)) ⊑ ∀B. txθ0θ

⋆θ holds because allvariables inB may be quantified when generalizing(ti//pi)(x), since noβi appears inΓθ.

Theorem A.40(Completeness of constraint generation and rewriting). Lete be an expression,t atype, andΓ a type environment. Letθ be a type substitution such thatΓθ ⊢

Se : tθ.

42

Let e : t ⇒A C, with A ♯ Γ, dom(θ). There exist a type-constraint setD, a set of fresh typevariablesA′, and a type substitutionθ′, with dom(θ′) = A ∪ A′, such thatΓ ⊢ C A′ D and(θ ∪ θ′) D.

Proof. By structural induction one.

Casee = x We have

x : t ⇒∅ x ≤ t

Γθ ⊢Sx : tθ (Γθ)(x) = ∀Ax. tx dom(θx) ⊆ Ax txθxθ ≤ tθ .

Given Ax = α1, . . . , αn, we pick a setA′ = β1, . . . , βn of fresh variables. Letθ = [ βi/αi | αi ∈ Ax ]. We haveΓ ⊢ x ≤ t A′ txθ ≤ t.

We pickθ′ = [ αiθxθ/βi | βi ∈ A′ ]. It remains to prove that(θ ∪ θ′) txθ ≤ t, that is,that

txθ(θ ∪ θ′) ≤ t(θ ∪ θ′) = tθ

(the equality above holds because the variables inA′ are fresh).We provetxθ(θ ∪ θ′) = txθxθ (from which we can conclude becausetxθxθ ≤ tθ). We

prove it by showingγθ(θ ∪ θ′) = γθxθ for everyγ ∈ var(tx). If γ ∈ Ax, thenγ = αi forsomei. Then,γθ = βi andγθ(θ∪θ′) = αiθxθ. If γ /∈ Ax, thenγθ(θ∪θ′) = γθ (the variablesθ′ is defined on do not appear intx); likewise,γθxθ = γθ sinceθx is only defined on variablesin Ax.

Casee = c We have

c : t ⇒∅ c ≤ t Γθ ⊢Sc : tθ c ≤ tθ .

We haveΓ ⊢ c ≤ t ∅ c ≤ t. Let θ′ = [ ]. We have(θ ∪ θ′) c ≤ t becausecθ = c ≤ tθ.

Casee = λx. e1 We have

λx. e1 : t ⇒A1⊎α,β def x : α in C1, α → β ≤ t e1 : β ⇒A1C1 A1, α, β ♯ t

Γθ ⊢Sλx. e1 : tθ Γθ, x : t1 ⊢

Se1 : t2 t1 → t2 ≤ tθ .

Let θ⋆ = θ ∪ [t1/α, t2/β]. Note thatΓθ⋆ = Γθ andtθ⋆ = tθ, becauseα1, α2 ♯ Γ, t.We have(Γ, x : α)θ⋆ ⊢

Se1 : βθ

⋆, e1 : β ⇒A1C1, andA1 ♯ dom(θ⋆). By the induction

hypothesis, therefore,Γ, x : α ⊢ C1 A′1D1 and(θ⋆ ∪ θ′1) D1, for someD1, A′

1, θ′1such thatdom(θ′1) = A1 ∪ A′

1 and that the variables inA′1 are fresh.

Γ, x : α ⊢ C1 A′1D1 impliesΓ ⊢ def x : α in C1 A′

1D1. Hence, we have

Γ ⊢ C A′1D = D1 ∪ α → β ≤ t. Let θ′ = [t1/α, t2/β] ∪ θ′1. It is defined on the correct

domain and it solves the constraints, since it solvesD1 and since(α → β)θ′ = t1 → t2 ≤ tθ.

Casee = e1 e2 We have

e1 e2 : t ⇒A1⊎A2⊎α,β C1 ∪ C2 ∪ β ≤ t

e1 : α → β ⇒A1C1 e2 : α ⇒A2

C2 A1, A2, α, β ♯ t

Γθ ⊢Se1 e2 : tθ Γθ ⊢

Se1 : t1 → t2 Γθ ⊢

Se2 : t1 t2 ≤ tθ .

Let θ⋆ = θ ∪ [t1/α, t2/β]. Note thatΓθ⋆ = Γθ andtθ⋆ = tθ, sinceα, β ♯ Γ, t.We haveΓθ ⊢

Se1 : (α → β)θ⋆, e1 : α → β ⇒A1

C1, andA1 ♯ dom(θ⋆). By the inductionhypothesis, therefore,Γ ⊢ C1 A′

1D1 and (θ⋆ ∪ θ′1) D1, for someD1 and θ′1 with

dom(θ′1) = A1 ∪A′1.

Likewise, by applying the induction hypothesis to the derivation for e2, we deriveΓ ⊢C2 A′

2D2 and(θ⋆ ∪ θ′2) D2, for someD2 andθ′2 with dom(θ′2) = A2 ∪A′

2.We can thus conclude thatΓ ⊢ C A′

1∪A′

2D = D1 ∪ D2 ∪ β ≤ t. Let θ′ =

[t1/α, t2/β] ∪ θ′1 ∪ θ′2. It is defined on the correct domain andθ ∪ θ′ solves the constraints:it solves bothD1 andD2, andβ(θ ∪ θ′) = βθ′ = t2 ≤ tθ = t(θ ∪ θ′).

Casee = (e1, e2) We have

(e1, e2) : t ⇒A1⊎A2⊎α1,α2 C1 ∪ C2 ∪ α1 × α2 ≤ t

e1 : α1 ⇒A1C1 e2 : α2 ⇒A2

C2 A1, A2, α1, α2 ♯ t

Γθ ⊢S(e1, e2) : tθ Γθ ⊢

Se1 : t1 Γθ ⊢

Se2 : t2 t1 × t2 ≤ tθ .

Analogous to the previous case. We defineθ⋆ = θ ∪ [t1/α1, t2/α2] and proceed as above.

43

Casee = tag(e1) We have

tag(e1) : t ⇒A1⊎α C1 ∪ tag(α) ≤ t e1 : α ⇒A1C1 A1, α ♯ t

Γθ ⊢Stag(e) : tθ Γθ ⊢

Se1 : t1 tag(t1) ≤ tθ .

Analogous to the two previous cases. Here we defineθ⋆ = θ ∪ [t1/α].

Casee = match e0 with (pi → ei)i∈I We have

match e0 with (pi → ei)i∈I : t ⇒A let [C′0](Γi in C

′i), β ≤ t

e0 : α ⇒A0C0 ti = (α \

∨

j<i*pj+) ∧ *pi+

∀i ∈ I ti///pi ⇒Ai(Γi, Ci) ei : β ⇒A′

iC′

i

C′0 = C0 ∪ (

⋃

i∈I Ci) ∪ α ≤∨

i∈I*pi+

A = A0 ⊎ (⊎

i∈I Ai) ⊎ (⊎

i∈I A′i) ⊎ α, β

Γθ ⊢Smatch e0 with (pi → ei)i∈I : tθ

Γθ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ t⋆i = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I Γθ, genΓθ(t⋆i //pi) ⊢S ei : t

′i t′ =

∨

i∈I t′i ≤ tθ .

Let θ⋆ = θ ∪ [t0/α]. Then we have

e0 : α ⇒A0C0 Γθ⋆ ⊢

Se0 : αθ

⋆ A0 ♯ Γ, dom(θ⋆)

and, by the induction hypothesis, we findD0, A′0 (containing fresh variables), andθ′0 such that

Γ ⊢ C0 A′0D0 θ⋆ ∪ θ′0 D0 dom(θ′0) = A0 ∪A′

0 .

FromΓ ⊢ C0 A′0D0 we can derive

Γ ⊢ C′0 A′

0D′

0 = D0 ∪ (⋃

i∈I Ci) ∪ α ≤∨

i∈I*pi+

because subtyping constraints are always rewritten to themselves.For each branchi, note thattiθ⋆ = t⋆i . By Lemma A.38, we can findθ⋆i such that

dom(θ⋆i ) = Ai θ⋆ ∪ θ⋆i Ci ∀x ∈ capt(pi). Γ(x)(θ⋆ ∪ θ⋆i ) ≤ (t⋆i //pi)(x) .

Note also thatθ⋆ α ≤∨

i∈I*pi+. We therefore haveθ⋆ ∪ θ′0 ∪ (⋃

i∈I θ⋆i ) D′

0. Letθ⋆⋆ = θ⋆ ∪ θ′0 ∪ (

⋃

i∈I θ⋆i ).

By the properties of tallying, ifvar(D′0) = α1, . . . , αn and given a setB = α′

1, . . . , α′n

of fresh variables, there exist two substitutionsθ0 ∈ tally(D′0) andθ′′0 such that

dom(θ0) = var(D′0) var(θ0) = B dom(θ′′0 ) = B

∀γ /∈ var(θ0). γθ0(θ⋆⋆ ∪ θ′′0 ) ≃ γθ⋆⋆ .

Let θ⊤ = θ⋆⋆ ∪ [t′/β] ∪ θ′′0 . To apply the induction hypothesis for a branchi, we need

ei : β ⇒A′iC′

i (Γ, genΓθ0(Γiθ0))θ

⊤ ⊢Sei : βθ

⊤ A′i ♯ Γ, genΓθ0

(Γiθ0), dom(θ⊤) .

We derive the typing judgment above by subsumption and by weakening (we prove thepremises below). As for the freshness condition, note that the variables inΓθ0 are all either inΓ or in var(θ0); in the latter case, they are fresh by our choice ofB.

By applying the induction hypothesis to each branchi, we therefore findDi, A′′i (of fresh

variables), andθ′i such that

Γ, genΓθ0(Γiθ0) ⊢ C′

i A′′iDi θ⊤ ∪ θ′i Di dom(θ′i) = A′

i ∪A′′i .

Hence, we have

Γθ ⊢ let [C′0](Γi in C′

i), β ≤ t A′ equiv(θ0) ∪ (⋃

i∈I Di) ∪ β ≤ t ,

whereA′ = A′0 ∪ (

⋃

i∈I A′′i ) ∪ var(θ0).

We takeθ′ = [t0/α, t′/β] ∪ θ′0 ∪ (

⋃

i∈I θ⋆i ) ∪ θ′′0 ∪ (

⋃

i∈I θ′i). It has the correct domain; we

must only show

θ ∪ θ′ equiv(θ0) ∪ (⋃

i∈I Di) ∪ β ≤ t .

The last constraint is satisfied sinceβ(θ ∪ θ′) = t′ ≤ tθ. Constraints inequiv(θ0) are ofthe formα ≤ αθ0 or αθ0 ≤ α, for α ∈ dom(θ0). Since theseα are not invar(θ0), we haveαθ0(θ

⋆⋆∪θ′′0 ) ≃ αθ⋆⋆ and henceαθ0(θ∪θ′) ≃ α(θ∪θ′). For eachi, sinceθ⊤∪θ′i Di, wehave alsoθ ∪ θ′ Di (the other substitutions we add are not defined on the variables inDi).

Proof of(Γ, genΓθ0(Γiθ0))θ

⊤ ⊢Sei : βθ

⊤ fromΓθ, genΓθ(t⋆i //pi) ⊢S ei : t

′i FromΓθ, genΓθ(t

⋆i //pi) ⊢S

ei : t′i, we deriveΓθ, genΓθ(t

⋆i //pi) ⊢

Sei : βθ

⊤ by subsumption, sincet′i ≤ t′ = βθ⊤. We

44

then apply Lemma A.22, which requires us to show the two premises

(Γ, genΓθ0(Γiθ0))θ

⊤ ⊑ Γθ, genΓθ(t⋆i //pi)

mvar((Γ, genΓθ0(Γiθ0))θ

⊤) ⊆ mvar(Γθ, genΓθ(t⋆i //pi)) .

Note thatΓθ = Γθ⊤ since the two substitutions only differ on variables introduced byconstraint generation or tallying. Simplifying, we need toshow

genΓθ0(Γiθ0)θ

⊤ ⊑ genΓθ(t⋆i //pi) mvar((genΓθ0

(Γiθ0))θ⊤) ⊆ mvar(Γθ) .

To prove the former, considerx ∈ capt(pi) and let Γi(x) = tx. We must showgenΓθ0

(txθ0)θ⊤ ⊑ genΓθ((t

⋆i //pi)(x)). We have

genΓθ0(txθ0) = ∀Bx. txθ0 Bx = var(txθ0) \ mvar(Γθ0) .

Note that all variables invar(txθ0) are invar(θ0): this is because all variables invar(tx) occurin D′

0 (α occurs in the exhaustiveness constraint, variables introduced by pattern environmentgeneration occur inCi) and hence are in the domain ofθ0. Then,Bx ⊆ B: its elements aresome of theα′

i in B. Consider a setB′x = α′′

i | α′i ∈ Bx of fresh variables and the renaming

θ = [ α′′i/α′

i| α′

i ∈ Bx ]: we have

genΓθ0(txθ0) = ∀B′

x. txθ0θ Bx = var(txθ0) \ mvar(Γθ0)

and, since the variables inB′x are fresh,

(genΓθ0(txθ0))θ

⊤ = ∀B′x. txθ0θθ

⊤ .

Consider an arbitrary instance(t⋆i //pi)(x)θ of genΓθ((t⋆i //pi)(x)); we havedom(θ) ⊆

var((t⋆i //pi)(x))\mvar(Γθ). We must show that there exists an instance of(genΓθ0(txθ0))θ

⊤

which is a subtype of it. We take the instancetxθ0θθ⊤θ, with θ = [ βiθ

⊤θ/β′i| β′

i ∈ B′x ]. We

havetxθ0θθ⊤θ = txθ0θ⊤θ: for eachα′

i ∈ var(txθ0),

α′iθθ

⊤θ = α′′i θ

⊤θ = α′′i θ

(since allα′′i are fresh), andα′′

i θ = α′iθ

⊤θ. We havetxθ0θ⊤θ ≃ txθ⊤θ and txθ

⊤θ ≤(t⋆i //pi)(x)θ sincetxθ⊤ ≤ (t⋆i //pi)(x).

As for the condition on variables, we havemvar((genΓθ0(Γiθ0))θ

⊤) ⊆ var((genΓθ0(Γiθ0))θ

⊤).Since var(genΓθ0

(Γiθ0)) ⊆ mvar(Γθ0), var((genΓθ0(Γiθ0))θ

⊤) ⊆ mvar(Γθ0θ⊤) =

mvar(Γθ).

A.5 Extensions

We give full definitions for the three variants of theS system that we have sketched in Section 6.

A.5.1 Overloaded functions

To remove the restriction on the use of intersection types for functions, we change the typing ruleTs-Abstr: we allow the derivation of an intersection of arrow types for a λ-abstraction if each ofthese types is derivable. The modified rule is the following.

Ts-Abstr∀j ∈ J. Γ, x : t′j ⊢ e : tj

Γ ⊢ λx. e :∧

j∈J t′j → tj

Furthermore, we change the typing rule for pattern matchingso that redundant branches areexcluded from typing. This is necessary to use intersections effectively for pattern matching: inpractice, to be able to assign to a function defined by patternmatching one arrow type for eachbranch.

Ts-Match

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I

t′i = 0 if ti ≤ 0

Γ, genΓ(ti//pi) ⊢S ei : t′i otherwise

Γ ⊢Smatch e0 with (pi → ei)i∈I :

∨

i∈I t′i

Finally, we also change the ruleTs-Varfor variables: we allow a variable to be typed with anyintersection of instantiations, rather than just with a single instantiation.

Ts-Var∀i ∈ I. ti ∈ inst(Γ(x))

Γ ⊢Sx :

∧

i∈I ti

This allows us to instantiate type schemes which express parametric polymorphism (for instance,∀α. α → α) into types which express ad hoc polymorphism (e.g.,(bool → bool) ∧ (int → int)).

45

A.5.2 Refining the type of expressions in pattern matching

The extension we present here improves the typing of patternmatching by introducing more precisetypes for some variables in the matched expression when typing the branches. These refined typestake into account which patterns have been selected and which have not; they are introduced forvariables that appear in the matched expression, possibly below pairs or variant constructors, butnot inside applications ormatch constructs.

We reuse pattern environment generation to describe the derivation of these refined types.However, we need to introduce a new production for patterns to use when translating expressionsto patterns:

p ::= · · · | 〈p, p〉 .

Patterns of the form〈p, p〉 should not occur in programs; they are only for internal use in the typesystem. Unlike normal pair patterns, these patterns may include repeated variables.

We need not define the dynamic semantics of these patterns, asit won’t be used. We define theiraccepted type as*〈p1, p2〉+ = *p1+ × *p2+ and environment generation as

t//〈p1, p2〉 = π1(t)//p1 ∧∧ π2(t)//p2 ,

where∧∧, defined as

(Γ ∧∧ Γ′)(x) =

Γ(x) if x ∈ dom(Γ) \ dom(Γ′)

Γ′(x) if x ∈ dom(Γ′) \ dom(Γ)

Γ(x) ∧ Γ′(x) if x ∈ dom(Γ) ∩ dom(Γ′)

is the pointwise intersection of type environments.We define a translationL·M of expressions to patterns. It preserves variables and variants, converts

pairs to the new form, and turns everything else into a wildcard.

LeM =

x if e = x

〈Le1M, Le2M〉 if e = (e1, e2)

tag(Le1M) if e = tag(e1)otherwise

We change the typing rule for pattern matching as follows.

Ts-Match

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ∧ *Le0M+ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I Γ, genΓ(ti//Le0M), genΓ(ti//pi) ⊢S ei : t′i

Γ ⊢Smatch e0 with (pi → ei)i∈I :

∨

i∈I t′i

The main difference is the addition of the type environmentgenΓ(ti//Le0M) which providesthe refined types for the variables inLe0M. This environment is added before the usual one for thepatternpi: hence, the capture variables ofpi still take precedence.

We also add the requirementt0 ≤ *Le0M+ to ensureti//*e0+ is well defined. This is notrestrictive because any well-typede can be typed with a subtype of*LeM+.

A.5.3 Applicability to OCaml

We change the semantics of pattern matching to include undefined results. These occur whenmatching constants of different basic types or when matching different constructors (for instance,a constant and a pair). We use the following definition.

Definition A.47 (Semantics of pattern matching). We writev/p for the result of matching a valuev against a patternp. We have eitherv/p = ς, whereς is a substitution defined on the variables incapt(p), v/p = Ω, or v/p = . In the first case, we say thatv matchesp (or thatp acceptsv); inthe second, we say that matching fails; in the third, we say that it is undefined.

The definition ofv/p is given inductively in Figure 16.

Recall that the functionb(·) (used here forv/c) assigns a basic typebc to each constantc.The notions of reduction are unchanged, but the ruleR-Matchis made more restrictive by the

changed definition ofv/p: a match expression reduces only if matching succeeds for a branch andfails—but is never undefined—for all previous branches. Thetype system should therefore ensurethat, in a well-typed expressionmatch v with (pi → ei)i∈I , v/pi = never happens. While this istrue forK, S has to be restricted to ensure this.

We first define thecompatible type⌈p⌉ of a patternp inductively as follows:

⌈ ⌉ = ⌈x⌉ = 1 ⌈c⌉ = bc

⌈(p1, p2)⌉ = ⌈p1⌉ × ⌈p2⌉ ⌈tag(p)⌉ = tag(⌈p⌉) ∨ (1V \ tag(1))

⌈p1&p2⌉ = ⌈p1⌉ ∧ ⌈p2⌉ ⌈p1|p2⌉ = ⌈p1⌉ ∨ ⌈p2⌉ ,

46

v/ = [ ]

v/x = [v/x]

v/c =

[ ] if v = c

Ω if v ∈ C, bv = bc, andv 6= c

otherwise

v/(p1, p2) =

ς1 ∪ ς2 if v = (v1, v2) and∀i. vi/pi = ςiΩ if v = (v1, v2), ∃i. vi/pi = Ω, and∀i. vi/pi 6= otherwise

v/tag(p1) =

ς1 if v = tag(v1) andv1/p1 = ς1Ω if v = tag(v1) andv1/p1 = Ω or if v = tag1(v1) andtag1 6= tag otherwise

v/p1&p2 =

ς1 ∪ ς2 if ∀i. v/pi = ςiΩ if ∃i. v/pi = Ω and∀i. v/pi 6= otherwise

v/p1|p2 =

v/p1 if v/p1 6= Ω

v/p2 otherwise

Figure 16. Semantics of pattern matching including undefined results.

where1V is the top type for variants, defined in Section 4.3, Footnote5. For all well-typed valuesv, Γ ⊢

Sv : ⌈p⌉ holds if and only ifv/p 6= .

We change the rule for pattern matching by requiring the typet0 we assign to the matchedexpression to be a subtype of all compatible types⌈pi⌉.

Ts-Match

Γ ⊢Se0 : t0 t0 ≤

∨

i∈I*pi+ ∧∧

i∈I⌈pi⌉ ti = (t0 \∨

j<i*pj+) ∧ *pi+

∀i ∈ I Γ, genΓ(ti//pi) ⊢S ei : t′i

Γ ⊢Smatch e0 with (pi → ei)i∈I :

∨

i∈I t′i

Note that this condition is somewhat more restrictive than necessary: patterns which follow acatch-all (wildcard or variable) pattern—or in general that are useless because previous patternsalready cover all cases—can be left out of the intersection.The precise condition would be

t0 ≤∨

i∈I

(

*pi+ ∧∧

j<i⌈pj⌉)

,

but we choose the simpler condition since they only differ incase there is redundancy.

47