BRNO UNIVERSITY OF TECHNOLOGY. Specifying and reasoning in the calculus of objects

Transcription

1 BRNO UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Information Systems Ondrej Rysavy Specifying and reasoning in the calculus of objects Short Version of Ph.D. Thesis Study Field: Supervisor: Opponents: Information Systems prof. Ing. Miroslav Sveda, CSc. prof. RNDr. Josef Slapal, CSc. doc. RNDr. Lubos Brim, CSc. Presentation Date: September?, 2005

2 Contents 1 Introduction Motivations and Overview of the Thesis Related work Core Calculus of Objects The Language of CCO The Inference System Metatheoretical properties Church-Rosser property Derivability Principal types Strong normalization Environment Saturated sets Levels of types The system CCO n ξ Proof of quasi normalization Proof of strong normalization Equality Specification and development of programs Basic specifications Extension Refinement Generic specifications Composition and Sharing Conclusions and Further Work 32 References 34 2

3 Abstract The present thesis introduces and studies a type theoretic system equipped with the type constructor of a simple form of objects and justifies the development by showing a capability of the system for specification and refinement of functional programs. The invented interpretation of an object type requires rather a nontrivial extension of the underlaying lambda calculus. The notion of box, which is the content containment structure equipped with a marker variable, is added to the syntax of the term calculus. The acquired overall simpler notation is a justification of the need for this extraordinary extension. The objectives of this thesis are mainly to give the formal representation of a simple object form and to show its significant metatheoretical properties. We also show the capabilities of the acquired system for specifying and reasoning about programs by defining the basic concepts for program specifications and refinement and techniques for reasoning about the correctness of programs. To achieve this goals we introduce and formally define a type theoretic system called Core Calculus of Objects and study its basic metatheoretical properties. The significant theorems of the calculus, in particular, confluence of computations, subject reduction, strong normalization, and the reflection of equality, are established herein. These properties are important for the logical consistency of the calculus and the existence of a decidable type-checking algorithm. Finally, a demonstration of the pragmatic use of the Calculus of Objects for specifying program modules is provided. Refinement and reuse techniques are formulated by means of specification operations known from algebraic specification languages.

4 1 Introduction Formal methods are a collection of notations and techniques for describing and analyzing systems. Deductive software verification was one of the main formal methods techniques studied. According to this technique the programs are supposed to be refined in a stepwise manner, starting from their initial formal specification, and ending with actual code. As this technique requires a lot of time and expertise it was demonstrated mainly for rather small examples. To provide an adequate support for real development of software systems we must be able to cope with the complexity of large-scale specifications. On this account various techniques, which support sound modular design and reusability of specifications, have been adopted for algebraic specification languages. The similar techniques have also been developed for programming languages where this trend later culminated in the invention of object-oriented methodology. The idea of object orientation then engaged the attention of many computer scientists researching formal methods. They provided us with formal models for various object-oriented programming languages and incorporated object-oriented techniques in the several specification and development methods. Both directions of development have helped us to better understand many aspects related to the phenomena of object orientation. Type theory is the powerful and sophisticated tool that offers a general computational and logical language suitable for many applications in computer science. In particular, it is a uniform language for programming, specification and reasoning. As such, it should provide an adequate expressive power for all intented purposes. Several variants of type theories have been proposed in the literature to be meant for various applications. Type systems equipped with polymorphic types have been studied for their high expressivity that allows to definition of abstract data type declarations. For programming languages it means that existing code can be easily reused by means of type parametric modules. The type theoretic system F ω has been proposed as a core calculus for object-oriented programming languages. It is sufficiently expressive to capture the essential object-oriented mechanisms, namely subtyping, encapsulation, class inheritance, and late binding. The consequent research has led to the establishment of the comprehensive theory of objects. On this account, many variants of object-oriented calculus based on records and record subtyping have been invented (cf. [Aba94], [AC96], [CM91], [KR94], [EST95]). Current research in the area aims at transfering the theoretical achievements to design of practical type systems for programming languages. The principle of proposition-as-types is the key idea for embedding an intutitionistic logic in the type theory and thus obtaining an expressive specification language with the powerfull verification method. The consistency of the logic, nevertheless, requires that certain properties are guaranteed by the system. 4

5 The delicacy of the consistency causes that type systems used in specification languages and in programming languages differ in complexity and in expressiveness. This thesis presents and studies an intepretation of a simple form of objects in a system of intutionistic type theory. There are several reasons for doing this. Firstly, type theoretic systems are genuine environments for specification, refinement, and implementation of programs because they are equipped with a uniform and highly expressive language. Secondly, object orientation is a proven technology for decomposing a problem into several simpler subproblems that may, by separating concerns, significantly simplify the development of programs. Finally, object-oriented programming languages have introduced numerous fresh ideas, structures, and techniques. We believe that the attempt to transfer some of them to the environment of an intutitionist type theory can reveal possible directions of the further research in this area. 1.1 Motivations and Overview of the Thesis As type theory merges constructive logic with functional programming language it appears a very promising system for doing mathematics on the one hand and developing programs from their formal specifications on the other. The present thesis refines this idea for the type theory containing a simple form of objects that stand for an interesting concepts from the world of objectoriented programming. To name the most significant gains, we can expect that the encapsulation of information could provide an adequate mechanism for writing and reasoning about abstract specifications because of a separation of an implementation from a public interface or by the identification of the concept of module and the provided object type with the notion of first-class modules, which is the basis for the reuse of specifications in the several possible ways, for instance, through inheritance, encapsulation or refining. The objectives of this thesis is to present a type theoretic system equipped with object types and to show its significant metatheoretical properties. Beside this, the aim is also focused on establishing the formal basis that provides us the suitable environment for further study of notations related to the object orientation. The body of the thesis comprises sections of the following content: Section 2 presents the original research carried out by the author. It introduces the Core Calculus of Objects, which is the calculus based on ECC extended with object types. Contrary to ECC, the Σ-types are stripped out, in order to work with the system of reasonable complexity in which properties of object types can be studied. In Section 3 we investigate basic metatheoretical properties of the Core Calculus of Object. The significant theorems of the calculus are proved 5

6 therein, in particular the confluence of computations, subject reduction, strong normalization, and the reflection of equality. These properties are important for the logical consistency of the calculus and the existence of a decidable type-checking procedure. Section 4 demonstrates the pragmatic use of the Calculus of Objects for specification and verification of program modules. The specification and refinement operations and techniques are adapted from operations given for algebraic specification methods. The thesis is concluded in Section 5 by providing a summary of the major achievements, evaluating the contributions and indicating future research directions. 1.2 Related work There are numerous work dealing with concepts related to object orientation within the environment of type theory. Majority of them, nevertheless, deal with definition of formal models for object-like constructions and data structures of programming languages. Although it is not possible to directly incorporate the ideas presented therein they represent a fruitful repository of knowledge providing solutions to many issues related to formalization of various object-oriented concepts. The line of research started with Cardelli and Wegner s proposal [CW58] for the typed object-oriented language based on the second order λ-calculus with subtypes. They proposed to model objects as records of their methods. An extension of this model led to the collection of record calculi with recursive types (cf. [Mit90], [Bru92], [AC93], [FM94], [FHM94]). The complications involved in the accurate interpretation of objects caused to originate the novel theory of objects [AC96] with the specialized underlaying calculus. This calculus possesses self application and method update operations as its language primitives avoiding thus their problematic interpretation in lambda calculi that much simplifies the presentation and allows authors to establish a very comprehensive theory. Pierce and Turner proposed an alternative representation of objects that do not require recursive types. Their formulation is based again on the second order system with subtypes F ω, but existential types are used to model objects rather then recursive record. A more detailed account of representing objectoriented programs in that system can be found in [PT93a, PT93b, PT94, Pie03]. The increased interest in studying intersection types has reflected in the recent research on this area as well. Crary [Cra99] presents a simple typetheoretic encoding of objects based on existential and intersection types that in 6

7 a relatively easy metatheory provides complete representation of objects including self types and method updates while still validates the expected subtyping relations. Kopylov [Kop03, Kop04] used dependent form of intersection to define record types, which involves some features of object type, in the predicative type theory. The repesentation of solely dependent record types was studied by Betarte [Bet98], Harper and Lillibridge [HL94], Courant [Cou97] and Pollack [Pol00, CPT03] for various type theoretic systems and logical frameworks. As observed by Kopylov in his thesis [Kop04] there are some fundamental restrictions that avoid to use the usual object encoding within the type theory. In particular, self-application is the problem for strong normalization property. It is because the expressivity of self application is the same as the expressivity of general recursion. Moreover many concepts require impredicative interpretation which is dangerous for consistency of the internal logic of type theory. Hofmann et.el. [HNSS98] take an advantage of the existential representation of object type to establish an environment in which proofs can be manage along object specifications. They showed how new objects can be created using the inheritance mechanism that deals properly with the accompanied proofs. An object is interpreted as a collection of operations working on its internal state. This encoding is essentially akin to the existential interpretation presented by Pierce and Turner [PT94]. A different encoding of object types in the constructive type theory was proposed by Hickey. He considered to use the very-dependent function types [Hic97] invented by himself and described in [Hic96]. Informally, a type of very dependent functions is a collection of functions {f x : A B f,x } with domain A and range B f,a indexed by f and a A. In this settings, it is possible to directly encode dependent record types using the very dependent function types putting A to be the set of labels of records. The dependency between functions requires well-ordered collection of functions. 2 Core Calculus of Objects In this section we introduce the calculus of objects (CCO) which is essentially the calculus of constructions enriched with universes and object types. Understanding of a role of the universes and a presentation of type cumulativity debts in many to Luo s development of the Extended Calculus of Constructions (cf. [Luo89], [Luo90], [Luo94]). The language possesses an impredicative type universe Prop, which purpose is to collect logical propositions and a hierarchy of predicative type universes Type i (i ω), in which data types can reside. To avoid a logical inconsistency the only propositional types can be constructed using the impredicative version of a dependent product type constructor. This nevertheless gives the internal 7

8 logic the full expressivity of a higher-order intuitionistic logic. The cumulative type hierarchy increases the expressiveness so that we can adequate formalize abstract specifications and it also provides strong and flexible form of polymorphisms. An object type represents a powerful concept for the modularization of specifications by means of dividing internal implementations from exposed interface definitions. The section is divided into two parts. First part introduces the underlaying term calculus together with the computation and convertibility notations. Second part deals with the type inference system of the calculus. It formalizes general concepts, such as context, judgement, and derivation, required for the understanding specific inference rules of the calculus introduced thereafter. 2.1 The Language of CCO There are two classes of expressions in the language: type expressions and object expressions. Nevertheless akin to many type theoretic languages, such as Martin-Löf s type theory or Calculus of Constructions, types and objects may be mixed in the terms of the language. The elementary constructs of the language consist of the impredicative type universe Prop, an infinite collection of the predicative universes Type i, i ω and the variables from a set of variables V. Non elementary terms comprise syntactical forms of dependent product type, function abstraction, function application, object type, object abstraction, box term, and object use. Definition 2.1 (terms). The basic expressions of term calculus, called terms, forming the set T are inductively defined by the following clauses: The constants Prop and Type i (i ω), called kinds, are terms; Variables (x, y,... ) V are terms; If A 1, A 2 and A 3 are terms, so are Π(x : A 1 ).A 2, λ(x : A 1 ).A 2, A 1 A 2, ς(x : A 1 ).A 2, ς(x : A 1, A 2 ).A 3, A 1 x and A 1!. A box term contains the occurence of a variable at the position of box marker. Independently whether the variable stands individually or in the position of a box marker it is the subject of variable binding operation, which is slightly complicated by the presence of ς-form and ς-form of terms. Next definition uses functions FV : T 2 V and FM : T 2 V, which enumerate free individual variables and free box marker variables, respectively. Definition 2.2. An occurrence of a variable x or a box M x in term A is free if and only if x FV(A) or x FM(A), respectively. A variable x or a box M x is bound variable or bound box, respectively, within a subterm B of 8

9 terms (Π(x : A 1 ).B), (λ(x : A 1 ).B), (ς(x : A 1 ).B) and (ς(x : A 1, A 2 ).B). A term A with no free variables or boxes, FV(A) = FM(A) =, is called closed term, otherwise it is called open term. In order to give a formal meaning for contraction operations of the calculus we introduce renaming and substitution operations in the form of syntactic functions. We distinguish between variable renaming operations and variable substitution operations because they give different results when applied on box terms. This fact prevents us from using substitution even for renaming of individual variables as it is usual for lambda calculi. Both renaming operations work as expected, which means that the variable renaming operation [x y]a renames all free occurrences of an individual variable x in term A to some fresh variable y and the marker variable renaming operation {x y}a renames all free occurrences of a marker variable x in term A to some fresh variable y, respectively. The variable substitution operation [B/x]A replaces all free occurrences of an individual variable x in term A by term B. If applied to a box term, [B/x] A x, it yields a term A. This means the variable substitution operation discards box terms in which the substituting variable is at the position of a marker variable. Box substitution operation {B/x}A replaces free occurrences of boxes A x in term A with a term [A /x]b. Term B can contain free occurrences of variable x. The definition of α-conversion schemes relies on both renaming operations. The order in which the renaming operations are used is insignificant. Definition 2.3 (α-conversion). Let Ω {Π, λ, ς}. Then α-conversion relation ( α ) is defined by the following contraction schemes: (Ω(x : A 1 ).B) α (Ω(y : A 1 ).[x y]{x y}b) (ς(x : A 1, A 2 ).B) α (ς(y : A 1, A 2 ).[x y]{x y}b) The terms on the left-hand side of the contraction operator are called α-redexes, the variable x stands for the renamed variable in these terms and the variable y is a new variable, such that y FV(B). The syntactic identity relation is used for relating expressions that are the same up to α-conversions. The notion of syntactic identity reflects the irrelevance of names of bound variables in the terms of the calculus. Definition 2.4 (syntactic identity). Syntactic identity relation ( ) is the reflexive, symmetric and transitive binary relation over T, such that A A if and only if A and A are exactly the same terms or we can obtain term A from term A by performing α-conversions on arbitrary α-redexes in A. The following contraction schemes encode a computation notion of the term calculus. The β-contraction scheme is the usual rule of the lambda calculus. The ς-contraction rule allows to reduce terms of the form A!. 9

10 Definition 2.5 (contraction schemes). A term of the form (λ(x : A 1 ).A 2 ) A 3 ) is called β-redex and its subterm (λ(x : A 1 ).A 2 ) is called a major term of the redex. The β-contraction scheme is defined as follows: (λ(x : A 1 ).A 2 ) A 3 ) β [A 3 /x]a 2 A term of the form (ς(x : A 1, A 2 ).A 3 )! is called ς-redex. scheme is defined as follows: The ς-contraction (ς(x : A 1, A 2 ).A 3 )! ς [A 2 /x]{ς(x : A 1, x).a 3 /x}a 3 The notions of reduction and conversion are defined as usual with respect to βς-contractions. These facts are precisely summed up by the next definition. Definition 2.6 (reduction and conversion). Let M, M are terms, then we say that M one-step reduces to M, notation M 1 M, if a term M contains an occurrence of a redex R and we replace that occurrence by its contractum yielding term M. Term M reduces to term M, notation M M, if and only if there exists M 1,..., M n such that M M 1, M M n and M i 1 M i+1 for i = 1,..., n 1. Two terms are convertible (or computational equal), notation M M, if and only if there exists M 1,..., M n such that M M 1, M M n and 1 1 M i M i+1 or M i+1 M i, for i = 1,..., n 1. The notion of termination can be viewed in terms of notions of normal form and strong normalization. Definition 2.7 (normal form). A term is in normal form if and only if it does not contain any β-redex of ς-redex. A term M 1 is strongly normalizable if and only if there is not an infinite reduction sequence M 1 M 2 M The cumulativity relation is a partial order over terms with respect to conversions. It subsumes the conversion relation and reflects the type inclusion between the universes. Definition 2.8 (cumulativity relation). The cumulativity relation is defined such that it satisfies the following properties: 1. cumulativity relation respects conversion, that is, (a) if A B, then A B; (b) if A B and B A, then A B; and (c) if A B and B C, then A C. 2. Prop Type 0 Type 1... ; 3. if A 1 B 1 and A 2 B 2, then Π(x : A 1 ).A 2 Π(x : B 1 ).B 2 4. if A 1 B 1 and A 2 B 2, then ς(x : A 1 ).A 2 ς(x : B 1 ).B 2. 10

11 2.2 The Inference System Formalization of the type inference system of CCO requires to introduce the general notations of context, judgement, and derivations, which provide basis for understanding the concrete inference rules of the calculus. In these rules the notions of computation and type cumulativity stand for side conditions that is primarily a design decision. A context is an ordered collection of assignments that track the types of variables. The set of free variables of a context Γ x 1 : A 1,..., x n : A n is defined as FV(Γ) = 1 i n ({x i} FV(A i )). Definition 2.9 (contexts). A context is a finite sequence of assignments x 1 : M 1,..., x n : M n, where x i is a variable and M i is a term. A term M i may contain free variables provided that FV(M i ) {x j 1 j < i}. The empty context, written, contains no assignments. A judgement Γ M A consists of a context Γ and an assertion M A stating that term M has type A, or alternatively, if A is a propositional type then M is a proof of the proposition A. All free variables of terms M and A of the judgement have to be declared in the context Γ. Depending on the context, we distinguish between hypothetical judgements and non-hypothetical judgements as stated in the next definition. Definition 2.10 (judgements). A judgement is a triple consists of a context, and two terms, written in the form Γ M A where Γ is a context and M and A are terms. If Γ is the empty context then the judgment is called not-hypothetical judgment, shortly written as M : A, otherwise the judgement is called hypothetical judgement. Type rules assert the validity of certain judgement on the basis of other judgements that are already known to be valid. The general form of type rules is as follows: J 1... J n (side conditions) J where J 1... J n are judgements called premises, and J is a judgement called the conclusion. The type inference rules for the CCO is shown in Figure 1. The formation rule (Π1) is needed for interpreting universal quantifier in the system, in particular, for any proposition P possibly containing free variable x of type A we can form a proposition Π(x : A).P that corresponds to the universal quantifier (x : A).P. The quantification is impredicative since a type of term A is not 11

12 (Ax) P rop T ype 0 (C) (x FV(Γ), FM(A) ) Γ A T ype i Γ, x : A P rop T ype 0 (var) Γ, x : A, Γ P rop T ype 0 Γ, x : A, Γ x A (T ) Γ P rop T ype 0 Γ T ype i T ype i+1 (cum) (A A ) Γ M A Γ A T ype i Γ M A (Π1) Γ, x : A P P rop Γ Π(x : A).P P rop (Π2) Γ A T ype i Γ, x : A B T ype i Γ Π(x : A).B T ype i (λ) Γ, x : A M B Γ λ(x : A).M Π(x : A).B (app) Γ M Π(x : A).B Γ M N [N/x]B Γ N A (ς ) Γ, x : T ype i B T ype i Γ ς (x : T ype i).b T ype i ( ) Γ, x : A, Γ M A Γ, x : A, Γ M x A x ( ) Γ, x : A, Γ A Type i Γ, x : A, Γ A x Type i+1 (ς) Γ A Type i Γ M A Γ, x : A N [ A x/x]b Γ ς(x : A, M).N ς (X : Type i+1).b (use) Γ M ς (X : T ype i).b Γ M! [ς (X : T ype i).b/x]b Figure 1: Type inference rules 12

13 explicitly specified. The rule (Π2) forms the usual dependent product type in an arbitrary predicative type universe Type j. Types A and B are limited to be the inhabitants of a type universe Type j that ensures the predicativity of the formation. Nevertheless, because of an arrangement of type universes and the possibility of lifting a type into a higher universe (by force of rule (cum)) the types A and B can, in fact, occupy lower universes than Type i, i.e. A Type k, B Type l where k, l j. The rule (ς) is the formation rule of object types. Term B of type Type i can contain free occurrences of variable x of type Type i. This means that the type of a ς-term correlates with the type of its binding variable. This type agreement causes that the structure of term B cannot look arbitrary. In particular, all occurrences of type variable x in term B are limited only to the strict positive positions. Box terms and types are introduced using rules ( ) and ( ). The former is intended to construct a box term within the corresponding box type. The latter admits to create a box type for an arbitrary type of the predicative universe thus allowing to define function types of the form Πx 1 : A 1... Πx n : A n. B y Type i. An introduction rule for ς-terms looks more complicated as it needs to derive the type for a ς-term from the type of term N. To be able to say which judgements are valid in a type theoretic system we have to formalize the notions of derivation and derivability. Definition 2.11 (derivations). A derivation of a judgement J is a finite sequence of judgements J 1,..., J n with J J n such that, for all 1 i n, J i is the conclusion of some instance of an inference rule whose premises are in {J j j < i}. A judgement J is derivable if there is a derivation of J. We shall write Γ M : A for Γ M : A is derivable, and Γ M : A for Γ M : A is not derivable. 3 Metatheoretical properties In this chapter, we show that CCO has nice proof-theoretic properties. In particular, we prove that CCO is confluent, preserves subject reduction property, and enjoys the strong normalization property. 3.1 Church-Rosser property Before we show that CCO has the Church-Rosser property (Theorem 3.2), we establish some basic facts about substitution operations. Lemma 3.1. Let M 1, M 2, N be terms and x be a variable. Then the following holds: 1. If M 1 1 M 2 then [N/x]M 1 1 [N/x]M 2. 13

14 1 2. If M 1 M 2 then [M 1 /x]n 1 [M 2 /x]n. 3. If M 1 1 M 2 then {N/x}M 1 1 {N/x}M If M 1 1 M 2 then {M 1 /x}n 1 {M 2 /x}n. Theorem 3.2 (confluence). For any term M if M M 1 and M M 2, then there exists term M, such that, M 1 M and M 2 M. Proof. At first, the local confluence property needs to be shown. It can be done by induction over the structure of term M and using the statements of lemma 3.1. The proof of the theorem is then by induction over the length of a computation using the proved local confluence property (cf. [ML75] or [HS87] for details). The following corollary expresses the important property of the calculus which is the direct consequence of the Church-Rosser property. Corollary 3.3 (uniqueness of normal forms). The normal form of a term is unique (up to the syntactical identity ), if it exists. 3.2 Derivability In this section we show the various properties relating to the derivability of judgement. The most important results comprise the subject reduction theorem and the cut theorem. The former ensures that all computations in the calculus preserve the type assignment. Stating this theorem is important for showing strong normalization and the necessary condition for the existence of a type checking algorithm. The cut theorem asserts that a type-preserving substitution substains the derivability of a judgment. In particular, it allows us to understand and explain the meaning of hypothetical judgements. First we need to establish some lemmas that show basic properties of the derivation relation. Lemma 3.4. The following facts holds for the system of type inference rules of CCO. 1. Any derivation of Γ M A has a subderivation of Γ P rop T ype Any derivation of Γ, Γ M A has a subderivation of Γ P rop T ype Any derivation of Γ, x : A, Γ M B has a subderivation of Γ A K for some sort K. 14

15 Proof. All statements of the lemma are provable by complete induction on the length of derivation. Lemma 3.5 (free variables). Suppose Γ M A. Then, 1. F V (M) F V (A) F V (Γ), and 2. Γ has the form x 1 : A i,..., x n : A n such that x 1,..., x n are distinct and F V (A i ) {x 1,..., x i 1 } for i = 1,..., n. Proof. Both statements are provable by induction on the length of derivation. Lemma 3.6 (weakening). If Γ M A and Γ contains every component of Γ, then Γ M A. is a valid context which Proof. By induction on the length of derivation and using lemma 3.4. Lemma 3.7 (context replacement). If Γ, x : A, Γ M C and B A is a Γ-type, then Γ, x : B, Γ M C. Proof. By induction on derivations of Γ, x : A, Γ M : C and using lemma 3.5, lemma 3.4(3), and lemma 3.6. Theorem 3.8 (cut). If Γ, x : A, Γ N B and Γ M A, then Γ, [M/x]Γ [M/x]N [M/x]B. Proof. By induction on the length of derivation of Γ, x : A, Γ N B. Cases for rules other then (var) are by simply by induction hypothesis and application of the rule. For (var) there are two subcases: 1. Γ, x : A, Γ x A and we must show that Γ, [M/x]Γ M A which is true by induction hypothesis and lemma Γ 1, y : B, Γ 2 y B and x : N occurs in Γ 1 or Γ 2. By lemma 3.5 x y. Then using induction hypothesis and application of rule (var) yields the result. Next theorem shows that each type has to be an inhabitant of some kind. Theorem 3.9 (type reflection). If Γ M A, then Γ A K for some kind K. Proof. By induction on derivations of Γ M A. The cases for (Ax), (C), (var),(t ),(cum),(π1),(π2),(ς), and ( ) are trivial by induction hypothesis. The cases for (λ), (ς), and ( ) are by induction hypothesis and then application of rule (Π1), (ς), and ( ), respectively. The cases for (app) and (use) are by induction hypothesis and using lemma

16 Theorem 3.10 (subject reduction). If Γ M A and M N, then Γ N A. Proof. We show that if Γ M A and M 1 N, then Γ N A by induction on derivations of Γ M A. For the rules (Ax),(C),(var) and ( ), the arguments are either trivial or straightforward. For the rules (Π1),(Π2),(λ),(ς), and (ς) the proof is similar in which lemma 3.7 and(or) lemma 3.4(2) and (or) theorem 3.8 are used. For the rules ( ) and ( ) the use of lemma 3.7 suffices. For the rules (app) and (use) theorem 3.2 and lemma 3.7 are used. The following lemma shows that removing redundant assumptions from a context preserves derivability. Lemma 3.11 (strengthening). If Γ, y : Y, Γ M A and y / FV(M) FV(A) FV(Γ ) and y / FM(M) FM(A), then Γ, Γ M A. Proof. The proof of this lemma follows the development given in [Luo94, p.60]. 3.3 Principal types Type uniqueness fails to hold because of a presence of the type cumulativity between terms. Nevertheless, among all types of a term we can find the most general one, called the principal type. Definition 3.12 (principal types). A is called the principal type of M (under Γ) if Γ M A and, for all A such that Γ M A, A A. Similarly to ECC we can prove the following lemmmas. The proofs of these statements are similar or the same as given in [Luo94, pp.61 64]. Lemma The following statements holds for CCO. 1. If A and B are both well-typed under Γ, then, A B if, and only if, Γ, x : A x B, where x F V (Γ). (type cumulativity) 2. Let A and B be Γ-types. If A B, then, for any term M, Γ M A implies Γ M B. 3. If Γ M A and Γ M B, then there exists a term C such that C A, C B and M C. (diamond property of ) 4. Let M be an Γ-object and T = {A Γ M A}. Then, there exists A T such that A A for all A T. (existence of minimum types) 5. Let A and B be Γ-types. If A is Γ-inhabited and, for any a, Γ a A implies Γ a B, then, A B. 16

17 Theorem 3.14 (existence of principal types). Every well-typed term M (under a context Γ) has a principal type. Proof. Let A be the minimum type of M with respect to. Then, γ M A. For any A such that Γ M A, we have A A and A is a Γ-type by theorem 3.9. Suppose A is a Γ-type such that A A. By 3.13(2), we have Γ M A. 3.4 Strong normalization In this section we carry out the proof of strong normalization for CCO. We follow a proof schema invented by Tait and Girard, and later used by many others to show the strong normalization of various typed lambda calculi. The proof plan can be divided into several parts that involve these main points: Definition of CCO n ξ system which meaning is twofold. Firstly, it suppresses the impredicativity of ς-types by controlled expansion of ς-terms. Secondly, it represents a system equipped exactly with n predicative universes, which allows us to define quasi-normalization of terms and the prove quasi-normalization theorem. Definition of saturated sets. By the definition, a saturated set contains only strong normalizable terms and is closed under the certain operations. Definition of the quasi-normal form of terms. The notation of quasinormal form can effectively deal with the hierarchy of type universes showing that each term can be reduced to some quasi-normal form. Proof of strong normalization. It can be carried through by providing a suitable interpretation of terms and showing that all types form saturated sets and if M A then an interpretation of A is a set that contains an interpretation of M Environment An environment is a technical tool that simplifies the treatment of a variable binding. The idea of environment was introduced by Pottinger [Pot87]. Definition 3.15 (Environment). An environment E is an infinite sequence E e e : E 1, e 2,... where e i is a variable and E i is a term, such that, for any i ω, 1. E i e 1 : E 1,..., e i : E i is a valid context, and 17

18 2. for any E i -type A, there are infinitely many k such that E k A. From now on, we shall write E M A for E i M A for some i ω. A term M is called an E-object, E-type, E-proposition, and E-proof if there is i ω for which the term M is E i -object, E i -type, E i -proposition, and E i -proof, respectively Saturated sets The definition of saturated sets as given by Luo [Luo94] is parametrized with the notions of base terms and key redex, which allows us to easily extend the definition to our needs. Definition 3.16 (base terms). Base terms and the key variable if a base term are inductively defined on the structure of terms as follows: 1. A variable is a base term and is the key variable of itself; 2. If M is a base term, so are M N, M!, and their key variable is that of M. Definition 3.17 (key redex). The notion of key redex of a term M is defined as follows: 1. If M is a redex, then M has key redex and it is the key redex of itself. 2. If M has a key redex, then so do M N and M!, and their key redexes are that of M. Let A be an E-type. Then, SN(A) is the set of strongly normalizable terms M such that E M A. The notation of saturated set is defined bellow. Note that Sat (A) is not empy, because Sat (A) Sat (A). Definition 3.18 (saturated sets). Let A be an E-type. S is an A-saturated set if and only if (S1) S SN(A); (S2) if M SN(A) is a base term, then M S; (S3) if M SN(A) has key redex and red k (M) S, then M S. Sat(A) is defined to be the set of A-saturated sets. 18

19 3.4.3 Levels of types The notion of levels of E-types stands for the first dimension of the complexity measure of types. The accompanying lemma states that the definition respects the relations of type equivalence and type cumulativity. Definition 3.19 (levels of E-types). The level of an E-type A, L(A), is defined as follows: If A is an E-proposition, then L(A) 1. If A is not an E-proposition, then L(A) is defined to be the minimum j ω such that E B T ype j for some B A. Lemma The levels of E-types have the following properties: 1. If A B are E-types, then L(A) = L(B). 2. If A B are E-types, then L(A) L(B). 3. Let A Π(x : A 1 ).A 2 be a non-propositional E-type. Then L(A) = j ω if and only if (a) L(A 1 ) j and L(A 2 ) j; and (b) either L(A 1 ) = j or L(A 2 ) = j The system CCO n ξ For definition of a system CCO n ξ we assume a function ξ that expands all terms of ς-form as many times as needed. Informally, it means that we can never reach a term of the form M x! during any reduction. Definition An expansion function ξ : T T is defined as following: 1. if M ς(x : M 1, M 2 ).M 3 is in ς-form then ξ(m) ς(x : M 1, M 2 ).{ς(x : M 1, x).m 3 /x}m 3 ; 2. if M is not in ς-form then ξ(m) = M, and M is obtained from M by application of ξ on all subterms of M. Definition A system CCO n ξ, n ω is obtained from CCO via the following changes: 1. Every term of CCO is transformed such that all terms of ς-form in it are expanded using the function ξ. Types of expanded terms are modified accordingly, it means the substitution [ς(x : A 1 ).A 2 /X]A 2 is used for unfolding the object types and the substitution [X /X]A 2 is used for marking the useless type variables with blank symbols. 19

20 2. The constants Type k, k > n are removed from T. 3. The following side conditions are added to inference rules: 0 i n for rules (C)(Π2)(ς)( ), 0 i < n for rule (T )( ), and B Type n for rule (λ)(ς). 4. The following new inference rule is added: Proof of quasi normalization Γ M U Γ M Type n (U Type n ). An inductive definition of the quasi-normal form of terms requires to simultaneously define and prove the properties of the notion of degree of types. The definitions and proofs are given for the system CCO n ξ of a particular n. To cover all systems for an arbitrary n we proceed by induction over the number of universes. Let j be a global induction variable. We put j = n as the basis and move downwards ending with j = 0. The most important points bellow include the definition of degree of E-types (Definition 3.23), the definition of i-quasi-normal form (Definition 3.26), and the theorem of quasi-normalization (Theorem 3.27). The degree of types is defined directly only for quasi-normal terms. By showing the well-definedness property (lemma 3.24), the degree of types can be computed for other terms as well (definition 3.29). Definition 3.23 (degree of E-types). Let A be an E-type which is in i quasinormal form for i > j. The j-degree D j (A) of an E-type A, such that A A, is defined as follows: 1. If L(A ) j then D(A ) 0; 2. If L(A ) = j then (a) If A T ype j 1 and j > 0 then D(A ) 1; (b) If A P rop and j = 0 then D(A ) 1; (c) If A X for any variable X then D(A ) 1; (d) If A is a base term then D(A ) 1; (e) If A Π(x : A 1 ).A 2 then D(A ) max{d(a 1 ), D(A 2 )} + 1. (f) If A ς(x : A 1 ).A 2 then D(A ) D(A 2 ) + 1. Put D j (A) = D j (A ). 20

21 Since the quasi-normal form does not have to be unique for the given term, the next lemma is needed in order to justify the above definition. Lemma 3.24 (well-definedness of j-degrees). D j is a function from E-types to natural numbers and respects conversion, i.e. D j (A) = D j (B) if A B are E-types. Notation Let E-term R 1 M N be a β-redex and E-term R 2 M! be a ς-redex. We define δ j (R 1 ) and δ j (R 2 ) to be the j-degree of the principal type of their major terms: δ j (R 1 ) D j (T E (M)), δ j (R 2 ) D j (T E (M)). Next, define γ j (M) to be the largest δ j -value of the redexes occurring in an E-term M: γ j (M) max{δ j (R) R is a redex occurring in M}. Next, we define j-quasi-normal form of E-terms. A term is in a j-quasinormal form if it does not contain a certain kind of redexes. Definition 3.26 (j-quasi-normal E-terms). An E-term M is j-quasi-normal if and only if M does not contain any redex such that the level of the principal type of its major term is j, i.e. γ j (M) = 0. The quasi-normalization theorem states that it is possible to reduce any E-term in the j-quasi-normal form for any j ω. Theorem 3.27 (j-quasi-normalization). Every E-term in CCO n can be reduced to some E-term which is i-quasi-normal for every i such that j i n. Proof. We only need to show these two statements 1. M M and M is j-quasi-normal, and 2. M preserves i-quasi-normalness of M for all j < i n. The first statement is proved by double induction driven by the values of γ j (M) and the numbers of maximal redexes in M. The second statement is proved by induction on the structure of M. The complete proof can be found in [Rys05]. Lemma Let A be an E-type in CCO n ξ and L(A) = n. Then either A T ype n 1 (P rop if n = 0) or A has form of Πx : A 1.A 2 or ςx : A 1.A 2. Definition 3.29 (complexity of E-types, β). LetA be an E-type. Then define the complexity of A, β(a) as follows: β(a) (L(A) + 1, D L(A) (A) where L(A) is the level of A and D j (A) is the j-degree of A. ordered by the lexicographic ordering. β-values are 21

22 3.4.6 Proof of strong normalization The proof of strong normalization is based on the existence of an interpretation of terms, Eval ρ, that has the following properties: An interpretation of E-type is a saturated set, and every term M of type A is a member of the set interpreting type A, i.e. M Eval ρ (A), which by the definition of saturated set means that a term M is strongly normalizable. We first define sets of possible denotations of E-objects that stand for the range of values of the interpretation function. In the following definition we assume π 1, π 2, π 3 and π are projection functions, such that, if M ς(x : M 1, M 2 ).M 3 and N N 1 x, then π 1 (M) = M 1, π 2 (M) = M 2, π 3 (M) = λ(x : M 1 ).M 3, π (N) = N 1. Definition 3.30 (value-sets of E-terms). The set of possible values of an E- term M, V (M), is defined by considering the form of its principal type T E (M), which is assumed to be in quasi-normal form, and by induction on the complexity measure β(t E (M)). Simultaneously we define a function ξ with domain dom (ξ) V. 1. If T E (M) is a kind, then V (M) Sat (M). 2. If T E (M) is an E-proposition, then V (M) {θ}. 3. If T E (M) is a base term, then V (M) {θ}. 4. If T E (M) Πx : A 1.A 2 is a non-propositional E-type, then define V (M) as the set of functions f such that the domain of f, dom (f) = {(N, v) E N A 1, v V (N)}, f(n, v) V (M N) for (N, v) dom (f), and f(n, v) = f(n, v) for (N, v), (N, v) dom (f) such that N N. 5. If T E (M) A x then V (M) = {η x (N, v) E N A, v V (N)}. 6. If T E (M) ς(x : A 1 ).A 2 then (v, f) V (M) and f ξ(x) for all f, w such that w = dom (f) = {(N, w) E N π 1 (M), v V (N)}, and f(n, v) = V (π 3 (M)N). The corresponding function, ξ(x), defined over the value-sets is used to give a definition of value-sets morphism that allows to generate value-sets by means of expansion of box terms. 22

23 Definition Define Φ ξ(x) (v) to be a morphism over value-sets that every expands η x (v ) values within a value-set v according to the given ξ(x) function, that is Φ ξ(x) (η x (V )) = {(v, f) v V, f ξ(x)}. Definition Let V (M) be a value-set of a term M according the definition Then Vx 1 (M) be a value-set of a term M generated from V (M) by the use of Φ ξ(x) morphism, i.e. Vx i+1 (M) = Φ ξ(x) (Vx(M)) i and Vx 0 (M) = V (M) where i ω. Next, we write V i (M) for the i-th expansion proceeded through all x dom (ξ), that is V i (M) = dom (ξ) x Vx(M). i Lemma Let M be an E-term of ς-form. If Ξ x (M) M then V (φ(m )) = V 1 x (φ(m)). Lemma Let M and N be E-terms. If M N, then V (M) = V (N). Proof. By the induction on the complexity of principal type T E (M). Lemma 3.35 (simultaneous substitution). If E k M A and, for all i k, E N i [N 1,..., N i 1 /e 1,..., e i 1 ]E i, then E [N 1,..., N k /e 1,..., e k ]M [N 1,..., N k /e 1,..., e k ]A. Definition 3.36 (E-assignment). An E-assignment is a function φ : FV(E k ) T for some k ω such that E φ(e i ) [φ(e 1 ),..., φ(e i 1 )/e 1,..., e i 1 ]E i for each 1 i k, where E i e i : E i. Definition 3.37 (E-valuation). An E-valuation is a pair of functions ρ = (φ, ξ, val, use ) such that φ is an E-assignment and val is a function with dom (φ) as its domain such that, for each e i dom (φ), val (e i ) V (φ(e i )). The domain of ρ is the domain of φ. An E-valuation ρ with domain FV(E k ) covers an E-term M if and only if E k M A for some A. Lemma 3.38 (extensibility of E-valuations). Let A E m be an E k -type, where m k. If E N j [N 1,..., N j 1 /e 1,..., e j 1 ]E j for 1 j k and E N [N 1,..., N k /e 1,..., e k ]A, then there exists variables y k+1,..., y m 1 such that E y k+i [N 1,..., N k, y k+1,..., y k+i 1 /e 1,..., e k+i 1 ]E k+i, for i = 1,..., m k 1, and E N [N 1,..., N k, y k+1,..., y m 1 /e 1,..., e m 1 ]A. Definition 3.39 (Evaluation Eval ρ ). Let ρ = (φ, val ) be an E-valuation. The evaluation function Eval ρ of E-terms which are covered by ρ is defined as follows: 1. If M is an E-proof, then Eval ρ (M) θ. 2. If M is not an E-proof, then the definition is by induction on the structure of M: 23

24 (a) M is a kind. Then Eval ρ (M) SN (M). (b) M is a variable. Then Eval ρ (M) val (M). (c) M Πx : M 1.M 2. Then Eval ρ is defined to be the set of terms F such that i. E F φ(m), and ii. F N Eval ρ (M 2 ) for every E-valuation ρ = (φ, val ) which extends ρ such that φ (x) = N, where N Eval ρ (M 1 ). (d) N λx : M 1.M 2. Then Eval ρ is defined to be the function f such that i. dom (f) = {(N, v) E N φ(m 1 ), v V (N)}, and ii. f(n, v) = Eval ρ (M 2 ) for (N, v) dom (f), where ρ extends ρ such that ρ (x) = (N, v). (e) M M 1 M 2. Then Eval ρ (M) Eval ρ (M 1 )(φ(m 2 ), Eval ρ (M 2 )). (f) M ς(x : M 1 ).M 2. Then Eval ρ is defined to be the set of terms F such that i. E F φ(m), and ii. F! Eval ρ (M 2 ) for every E-valuation ρ = (φ, val ) which extends ρ such that φ (x) = ς(x : M 1 ).M 2. (g) M ς(x : M 1, M 2 ).M 3. Then Eval ρ (M) is a tuple (w, f) such that i. w = (φ(m 2 ), Eval ρ (M 2 )), ii. dom (f) = {(N, v) E N φ(m 1 ), v V (N)}, and iii. f(n, v) = Eval ρ(m 3 ), where ρ extends ρ such that ρ (x) = w. (h) M M 1 x and M 1 is an E-object. Then Eval ρ (M) = η x (φ(m 1 ), Eval ρ (M 1 )). (i) M M 1 x and M 1 is an E-type. Then Eval ρ (M) is defined to be the set of terms F such that i. F φ(m), and ii. π (F ) Eval ρ (M 1 ). (j) M M 1!. Then Eval ρ (M 1 ) = (w, f) and Eval ρ (M) = f(w). Lemma 3.40 (well definedness of Eval ρ ). Let ρ = (φ, val ) be an E-valuation which covers E-term M. 1. If E-valuation ρ = (φ, val ) covers M, and φ(x) φ (x) and val (x) = val (x) for every x FV(M), then Eval ρ (M) = Eval ρ (M). 2. Eval ρ (M) V (φ(m)). 24

25 Proof. The proof is by mutual induction on the structure of term M. complete proof can be found in [Rys05]. The Lemma 3.41 (substitution property). Suppose ρ = (φ, val ) is an E-valuation which covers N and [N/x]M, where x / dom(ρ), and ρ = (φ, val ) is an extension of ρ which covers M such that ρ (x) = (φ(n), Eval ρ (N)). Then, Eval ρ ([N/x]M) = Eval ρ (M). Proof. Proof of the lemma is by induction on the structure of term M. Lemma Let ρ = (φ, val ) be an E-valuation and M and N be E-terms covered by ρ, then 1. Eval ρ (M) = Eval ρ (N) if M N. 2. Eval ρ (M) Eval ρ (N) if M N. Proof. Both statements can be proved by the induction on the structure of term M. Theorem 3.43 (soundness). Let ρ = (φ, val ) be an E-valuation with FV(E k ) as domain such that φ(e i ) Eval ρ (E i ) for e i dom(ρ). If E k M A, then φ(m) Eval ρ (A). Proof. By induction on the structure of term M. The complete proof can be found in [Rys05]. Theorem 3.44 (strong normalization). If Γ M A then M is strongly normalizable. Proof. We first show that M A implies that M is strongly normalizable. Let ρ = (φ, val ) be any E-valuation. If M A then 1. FV(M) = FV(A) =, by lemma 3.5; 2. φ(m) Eval ρ (A), by theorem 3.43 (soundness); 3. A is an E-type, by theorem 3.9; and 4. Eval ρ (A) V (φ(a)), by lemma 3.40 (well-definedness of Eval ρ ). So, we have M φ(m) Eval ρ (A) V (φ(a)) = V (A) = Sat (A). By definition of saturated sets, M Eval ρ (A) SN (A) is strongly normalizable. For the arbitrary case, if Γ M A, Γ x 1 : A 1,..., x m : A m by lemma 3.5. By applying rule (λ), we have λx 1 : A 1,..., λx m : A m.m Πx 1 : A 1,..., Πx m : A m.a. So, λx 1 : A 1,..., λx m : A m.m is strongly normalizable; and this implies that M is strongly normalizable. 25

26 3.5 Equality We define a notation of propositional equality for CCO on the basis of the Leibnitz principle. It means that two objects of the same type are equal if and only if they cannot be distinguished by any property. As the Leibnitz equality reflects computational equality of the underlaying term calculus we have a simple notation of propositional equality which can be naturally used in the specifications of programs. On the other side Leibnitz equality suffers with the incompleteness, which means that for some kind of expressions it is not possible to prove the inequality of nonconvertible terms. Definition 3.45 (Leibnitz equality). Let A be a type. The Leibnitz equality over A, is the binary relation defined as follows: Eq A λx : Aλy : A. P : A Prop.P(x) P(y) We shall write a= A b for Eq A a b. refleq A (x) λ(p : A Prop ).λ(p : P x).p Eq A x x Theorem 3.46 (equality reflection). Suppose a 1 A and a 2 A. Then a 1 a 2 if and only if M a 1 = A a 2 for some term M. Proof. We extend the proof in [Luo94, p.110] to deal also with ς-types. The details of the proof can be found in [Rys05]. 4 Specification and development of programs The pragmatic considerations that led us to a development of the Calculus of Objects, the formal specification language presented in the thesis, are discussed in this section. It mainly shows the use of a newly devised object type for a modular development of specifications, specification refinement and partial reuse. The material of this chapter is heavily based on concepts presented in [Luo94], [BM04], and [BC04, pp ]. We follow mainly the idea of the development of a specification as a collection of declaration and axioms that restrict the set of possible interpretations for declared symbols. In this approach a specification corresponds to a type and the realizations corresponds to objects, which is often called type-as-specification correspondence. 26