Towards a Logic for Reasoning About LF Specifications

# Towards a Logic for Reasoning About LF Specifications

## Abstract

We describe the development of a logic for reasoning about specifications in the Edinburgh Logical Framework (LF). In this logic, typing judgments in LF serve as atomic formulas, and quantification is permitted over contexts and terms that might appear in them. Further, contexts, which constitute type assignments to uniquely named variables that are modelled using the technical device of nominal constants, can be characterized via an inductive description of their structure. We present a semantics for such formulas and then consider the task of proving them. Towards this end, we restrict the collection of formulas we consider so as to ensure that they have normal forms upon which proof rules may be based. We then specifically discuss a proof rule that provides the basis for case analysis over LF typing judgments; this rule is the most complex and innovative one in the collection. We illustrate the proof system through an example. Finally, we discuss ongoing work and we relate our project to existing systems that have a similar goal.

## 1 Introduction

This paper concerns the development of a system for reasoning about specifications written in LF [4]. We aim to do this by designing a logic which allows us to state and prove relationships between the derivability of different typing judgments in LF. Not unexpectedly, the atomic formulas of the logic will be typing judgments in LF. Quantification is permitted over the contexts and terms which appear in these judgments. To facilitate reasoning about formulas involving contexts we characterize them via inductive definitions of their structures. This style of characterization is motivated by context definitions that are used in Abella [2] and has significant similarities to the regular worlds descriptions used in the Twelf system [6]. In essence, they capture the way contexts change dynamically in LF typing derivations. We provide a semantics for our formulas that is based on the derivability of typing judgments in LF. We then outline a proof system for deriving formulas in our logic. A key rule in this logic, the only one we discuss explicitly here, is that of case analysis applied to LF typing judgments that appear as assumptions. A problem that we must solve in developing an effective proof system is that of dealing with quantification over term variables whose types are eventually constrained by atomic judgments that appear within the scope of the quantifier.

The rest of the paper is laid out as follows. In Section 2 we present the formulas of our logic. In Section 3 we describe a semantics for these formulas and outline a calculus that can be used to prove them. We illustrate the proof system we propose through an example in Section 4. In Section 5 we discuss ongoing work that includes proving meta-theoretic properties of our proof system. Section 6 concludes the paper by contrasting our work with existing approaches that have a similar goal.

## 2 Formulas Over LF Typing Judgements and their Semantics

The formulas in our logic build on typing judgments in LF. We assume familiarity with the presentation of LF in [4] and we recall only a few notions that are needed to set up the discussion here. There are three categories of expressions in LF: kinds, type families and objects. Objects are classified by type families and type families are classified by kinds. The construction of type families and objects is parameterized by a signature that, in the intended use, specifies an object system. For example, if our focus is on typing judgments concerning the simply typed -calculus, then we might use the signature shown in Figure 1. The core of LF consists of rules for determining whether expressions of varied kinds are well-formed or well-typed. Our focus is on judgments that take the form , asserting that is a well-formed object that inhabits the (well-formed) type family given the signature and a context that assigns types to variables that might appear free in and . Intrinsic to our applications is the equality of expressions based on -convertibility. The typing rules guarantee the existence of canonical froms under -conversion for well-formed expressions. However, weaker conditions may also suffice to provide such a guarantee, an observation that will be useful in the next section.

Our formulas will permit quantification over LF contexts. Contexts can comprise a generic part and a part that explicitly assigns types to variables. To model the fact that explicit assignments have to be to distinct variables, we use the technical device of nominal constants [3, 9]. These constants are represented using the token possibly with subscripts below. The syntax of context expressions, then, is the following:

 G ::=Γ | ⋅ | G,n:A

The symbol denotes the category of variables that range over contexts here. In typical reasoning scenarios, the contexts that appear in formulas will have to be constrained in order to be able to derive contentful properties. Taking inspiration from Twelf [6, 7], we provide a means for articulating such structure using blocks that describe the types associated with a finite sequence of context variables; the actual context is then understood to be a repetition of such blocks. This idea is formally embodied in declarations given by the following syntax rules.

 Block ::=(x1:A1,…,xn:An)[y1:B1,…,ym:Bm] Blocks ::=Block | Blocks,Block Context Schema ::=id=Blocks

According to these rules, a context schema associates a name with a collection of block descriptions. The sequence of declarations instantiates the block if, for , . A context satisfies a context schema given by if it comprises a collection of declaration sequences that instantiate blocks corresponding to .

The collection of formulas determining the logic is given by the following syntax rule:

 F::={G⊢M:A} | ∀X.F | ∃X.F | ΠidΓ.F | F1∧F2 | F1∨F2 | F1⊃F2 | ⊤ | ⊥

The symbol represents LF object level variables. The key to understanding the meaning of these formulas is understanding the interpretation of formulas of the form that do not contain any object or context level variables. Such a judgment is deemed to be true exactly when is derivable in LF; represents the implicitly assumed signature here. The formula holds just in the case that holds for every valid LF context that satisfies the context schema . The formula holds exactly when holds for every closed expression ; observe that instantiations for the quantified variable are not constrained by types but typing constraints can become relevant to the truth of the overall formula depending on where the variable occurs in . The formula is to be understood similarly and the propositional connectives have the obvious compositional interpretation.

We illustrate the way in which our formulas can be used to encode properties of object systems by considering the statement of uniqueness of typing for the simply typed -calculus. We formulate this property more generally as one about terms that might have free variables in them for which the type assignments are provided in an LF context. The structure of such a context is given by the following context schema definition: The property of interest is then expressed via the following formula:

 ΠtyctxΓ.∀E.∀Ty1.∀Ty2.∀D1.∀D2.{Γ⊢D1:of E Ty1}⊃{Γ⊢D2:of E Ty2}⊃∃D3.{⋅⊢D3:eqTy1Ty2}.

The signature that implicitly governs this statement is that shown in Figure 1 augmented with the following additional declarations: and .

## 3 Proving Formulas in the Logic

Our objective is to develop a calculus that can be used to prove formulas of the kind described in the previous section. The calculus will allow us to prove sequents whose form we present in the first subsection below. Our proof system will build in -conversion over object level expressions in LF. It will do this by basing the rules on normal forms and assuming that expressions have been converted into such a form prior to considering rule applications. We impose a restriction on formulas towards making this approach feasible in the second subsection. In the third subsection we discuss the most intricate and interesting of our proof rules, the one for case analysis applied to atomic judgments that encode LF derivability in formulas. Space restrictions prevent us from presenting the other rules. However, these have a structure that can be easily guessed and we will use their informal understanding in a subsequent illustration.

### 3.1 The Structure of Sequents

The sequents used in the proof system comprise four parts: a collection of eigenvariables that range over terms, a set of partially elaborated contexts, a collection of assumption formulas and a conclusion formula. Denoting these respective parts by , , and , sequents will be written as . The goal of showing that is a theorem then amounts to trying to construct a proof for the sequent , where represents the empty collection.

The only component amongst those constituting a sequent that needs further elaboration is the collection of partially elaborated contexts. These consist of elements of the form where is the name for a context schema and is a finite sequence of block instances. Each such declaration in is said to introduce the variable and to give it the type . The type in such a declaration must satisfy the condition that each is an instantiation of a block in the context schema associated with . Note that variables may appear in the terms in but such variables must be contained in the eigenvariable context as we clarify presently. A variable that is typed in this fashion is intended to be read schematically as where each represents an as yet unelaborated part of the context. An LF context is a valid instance for as per its declaration and under a closed substitution for the variables appearing in if it is a valid LF context that is obtained by replacing (a) each in the schematic view by LF contexts that satisfy the context schema given by and (b) each type assignment in each for by . By a closed substitution we mean one whose range consists of expressions not containing nominal constants or free variables. Further, we use the notation here and below to denote the result of applying in a capture-avoiding way to a type- or object-level expression .

We require all the object-level free variables appearing in in the sequent to be included in . We further require all the free variables ranging over contexts and terms appearing in or to be included in and , respectively. We then associate a semantics with a sequent of this form as follows. First, if and do not contain any free variables, then is said to be valid if all the assumption formulas in holding implies that holds. Now, given and a closed substitution for the variables in , we can generate a variable-free structure of this kind by applying to each formula in and by further replacing each context-level free variable by an LF context that is valid for that variable as per its definition in under . The sequent is said to be valid if it is the case that every structure we can generate in this way for every substitution for the variables is valid.

### 3.2 A Restriction on Formulas

We have permitted an untyped form of quantification over terms in formulas. This does not prevent us from providing a reasonable semantics for formulas because the LF typing judgments that appear as constituents of these formulas will eventually impose relevant typing constraints. However, it does pose a problem from the perspective of constructing proofs for formulas in a situation where we want to build in equality based on -conversion. One important issue is the following: we would like our proof rules to be based on -normal forms for formulas but, in the absence of any form of typing, such forms are not guaranteed to exist. Rectifying this situation by imposing an LF-style typing on quantified variables is not a possibility. The reason for this is that such types can encode dependencies on contexts whose expression should be left to the atomic constituents of a formula and must not be imposed by the enclosing quantifier. An alternative solution is to require formulas to be typeable in a less restrictive fashion that circumvents this issue but that, nevertheless, guarantees the existence of -normal forms.

We adopt the latter solution here. In particular, we adapt the typing rules of LF to use a weakened notion of type matching that ignores dependencies in types: for any type-level constant , the types and match regardless of the values of the arguments provided to in the two cases; and the types and match if and match and so also do and . We say that a context is weakly valid if it is valid under the relevant LF typing rules with the exception that this notion of matching of types is used. Similarly, we say that is weakly well-typed at type in the (explicitly provided) context if is derivable using the weaker notion of type matching. Now, an atomic formula in the logic has the form , where is a variable representing an as yet unspecified part of the context. Such a formula is deemed to be well-typed under an assignment of types to the object-level variables appearing in it if is weakly well-typed at type in the context . Observe that the as yet unspecified part of a context is elided in determining weak well-typing. Finally, the property of being weakly well-typed is extended to arbitrary formulas. This extension works in the obvious way with respect to the propositional connectives. Quantifiers over contexts are elided and quantification over an object-level variable requires that it be possible to associate a type with the quantified variable so that the body of the expression is weakly well-typed in the extended assignment to the (potentially) free variables.

A formula with no free variables is said to be well-formed if it is well-typed under the empty assignment to free variables. The definition of well-formedness also applies to sequents. Suppose that the sequent under consideration is . In the first step, we replace each free variable in and that ranges over contexts and for which a declaration of the form appears in by the sequence . Let the result of this replacement be and respectively. The sequent is then well-formed if there is an assignment of types in the simplified vocabulary to the variables in under which and each member of is weakly well-typed and, for each declaration of the form that appears in , the context is weakly valid.

We will assume that all the closed formulas and sequents we consider are well-formed in the sense described above; one of the requirements for our proof rules will, in fact, be that they preserve the well-formedness of sequents. This weak well-typing property suffices to guarantee that -normal forms exist for all the expressions that will occur in our proofs [5].

### 3.3 The Treatment of Case Analysis

The most intricate issue when searching for a proof for sequents in our logic is how to make use of an atomic assumption formula. Such a formula has the form in which we can assume that and are in -normal form and has a structure that is determined by that of . Since this formula appears as an assumption, we need to consider the different ways in which the judgment it represents in LF might have been derived and show that the corresponding refinement of the sequent in each case must have a proof. If is a non-atomic type, then there would be only one way in which the judgment could have been derived and the refinement that must be made to the goal sequent is obvious. Thus, the only case that we need to consider carefully is when the sequent has the form

From a little reflection, it is clear that the analysis of the atomic formula in question should be driven by the type-level constant and by the declarations in and in the signature that allow us to construct terms that have a type with as head. Let be a constant in or a nominal constant determined by that meets this condition and that the type associated with it is . Each such gives rise to a collection of cases in the case analysis that is determined as follows. We first introduce new eigenvariables and raise them over all the nominal constants determined by the context to yield the terms ; in this sequence would have the form where is a listing of the relevant collection of nominal constants. We then consider the unifiers for the set

 {⟨M,(ut1…tn)⟩,⟨N1,B1[t1/x1,…,tn/xn]⟩,…,⟨Nm,Bm[t1/x1,…,tn/xn]⟩}.

Each unifier in this collection gives rise to the task of ensuring that the sequent

is derivable; applying a substitution to the partially elaborated contexts and the set of assumption formulas here simply amounts to applying it to each term appearing therein and denotes the eigenvariable context obtained by removing variables in the domain of and adding those in its range. It is possible, of course, that no unifiers exist for the set in question. If this is true, would not be relevant to the typing derivation being considered and no further analysis is needed in this case.

The presentation above has blurred one important detail. This analysis described therein is based implicitly on and being, respectively, a well-formed LF term and type. However, the only assurance we have from the form of sequents being considered in the proof system is that these expressions are weakly well-formed. In light of this, when considering unifiers for the set

 {⟨M,(ut1…tn)⟩,⟨N1,B1[t1/x1,…,tn/xn]⟩,…,⟨Nm,Bm[t1/x1,…,tn/xn]⟩}

we ignore possible dependencies in types, i.e. we reduce the problem to unification in the simply typed -calculus. The collection of unifiers that is obtained under this more liberal form of typing will cover all the possibilities when the expressions are restricted to being well-formed in LF and thus the resulting case analysis will be conservative.1 Note also that the unifiers obtained in this way will be weakly well-typed and the application of such unifiers to weakly well-typed expressions preserves weak well-typing. Using these facts, we can show that the premises that we have described for a particular branch in case analysis satisfy the restrictions we have placed on sequents in our proof system.

To complete the picture related to the treatment of case analysis, we need to explain how a context determines the nominal constants relevant to such an analysis. These constants could appear explicitly in . If is of the form and is declared to have the type , then they could also be constants declared in one of the “blocks” . Finally, they could belong to one of the implicit parts in the schematic view of that we described earlier in the section. In this last case, we must make the relevant block explicit in the type declaration for before we can use it. This is done as follows. Suppose that the block definition in the context schema corresponding to that we want to expand has the form . Further, suppose that we want to introduce it right after block in the sequence of blocks in the type associated with . We generate new eigenvariables and create terms that correspond to raising these variables over the nominal constants in the blocks . Then, using fresh nominal constants , we add the block at the desired location in the type of . To encode the required typing constraints we augment the collection of assumption formulas for the sequent with the formula for each . The refinement of the context also introduces new nominal constants that can be used in terms in the sequent. To encode this possibility, we replace all the eigenvariables which appear in the sequent only within the scope of the newly explicit block with terms that raise them over the newly introduced nominal constants. At this stage, the consideration of this case proceeds as previously described.

It may appear from the description above that treating an atomic assumption can be complex in that it might introduce many cases to consider. In practice we expect this not to be the situation because the parts of contexts that need to be made explicit in proofs will be quite limited.

## 4 An Example

We illustrate the logic sketched in the previous section by considering a proof of the formula

 ΠtyctxΓ.∀E.∀Ty1.∀Ty2.∀D1.∀D2.{Γ⊢D1:of E Ty1}⊃{Γ⊢D2:of E Ty2}⊃∃D3.{⋅⊢D3:eq Ty1 Ty2}

presented in Section 2. Such a proof will need induction that is built into our logic in a manner similar to that in Abella [2]: we add the formula that we want to prove to the assumption set of the sequent, marking one of the antecedents in it with the understanding that this antecedent can be matched only by some formula that is obtained by case analysis on the corresponding assumption formula. In this case, we will use induction with respect to the first antecedent, i.e. .

Starting from the initial state , where represents the formula above, using induction and obvious introduction rules will leave us wanting to prove the sequent

 ∃D3.{⋅⊢D3:eq Ty1 Ty2}

in which is a version of to which the interpretation explained above has been attached. At this point we consider case analysis on the formula . There will be three broad categories to consider for the claimed LF derivation: it was concluded using the or constructors drawn from the signature or by using something from the context. The first two cases will result in the structure of the simply-typed term (represented by ) being elaborated and this will constrain the cases in a subsequent case analysis on the premise deriving from the second antecedent in . The proof can then be concluded by using the induction hypothesis.2

Turning to the third case, we see that the context variable is currently completely unspecified. Thus the only possibility for using something from the context would arise if we employed the definition of to introduce the block explicitly into . Specifically, this case will lead to the type of in being refined to and the eigenvariables and being raised over and . Further, will be added as an assumption formula to the sequent. Once this is done the LF judgment we are considering will be of the following form . Only the second declaration in the introduced block can “match” with this case. Using it will result in the substitution of for , for and for . Our state at the end of this will be the sequent

 Ty2,D2,T;Γ:id[(n1:tm,n2:of n1 T)];{IH,{Γ⊢T:ty},{Γ⊢D2 n1 n2:of n1 (Ty2n1n2)}}⟶ ∃D3.{Γ⊢D3:eqT(Ty2n1n2)}.

At this stage, we may try a case analysis on the assumption formula . The only possibility that would work here would correspond to using the second declaration in the only block in the elaborated form for . In this case will be set to . The resulting sequent has an easy proof.

## 5 Further Developments to the Work

This paper has described preliminary work on the development of a logic for reasoning about LF specifications. There are three specific directions in which we plan to continue this work to bring the project to a more complete state.

The first direction involves that of establishing meta-theoretic properties for the logic. The formulas that are permitted by the logic are fairly unrestricted. However, to obtain a handle on mechanical reasoning, we limited formulas and sequents that would be considered by the proof system based on a notion of weak well-typing. We consequently do not expect this system to be complete. However, the logic must be sound in order to be useful. This is a property that we have had in mind in designing the rules but the design considerations need to now be translated into an actual proof. The rule that needs most careful examination in this regard is the one for case analysis, i.e. the only rule we have discussed in some detail here. The key here would be to show that the analysis embodied in the rule covers all possible ways in which an LF derivation encoded in the formula being examined could have been concluded. We believe this to be true—the analysis may actually cover “more cases” than needed because of the use of unification over weakly well-typed terms—but a proof of this fact still has to be completed. Soundness will immediately yield consistency for the proof system since there are obviously formulas in the logic that are not valid.

The remaining directions of work concern the implementation of our logic and understanding its usefulness by experimenting with applications. The former aspect will stimulate the latter: working with sufficiently large and, hence, meaningful examples is impacted significantly by the availability of a mechanical tool. It is therefore a matter of immediate concern and in fact one that is being addressed by our current research.

## 6 Conclusion

This paper has presented work towards defining a logic for reasoning about LF specifications. While this work is not unique in terms of its goal, it does differ from other developments in terms of how it is attempting to achieve its objective. The Twelf system [6] provides a means for reasoning about specifications through checking the totality of relations encoding the desired meta-theoretic property. In contrast, we are proposing a meta-logic for reasoning about LF specifications and so we will be able to make explicit the proofs of the relevant properties. The logic  [7] has also been developed for reasoning about LF specifications. In this logic the context is not made explicit, and so it is not capable of expressing properties which, for example, may involve LF judgments in distinct contexts. The ways of stating properties in and our logic are also distinct, and it is of future interest to understand what these differences imply in terms of capabilities. Finally, there is work on the use of a translation of LF specifications into predicate logic which might be used to reason about these specifications using the Abella system [8]. A drawback with this approach is that it requires the user to understand and to work with the translation that is used. Our goal in this work has been to let the focus reside entirely on the analysis of derivability in LF.

## Acknowledgements

This work has been supported by the National Science Foundation grant CCF-1617771. Opinions, findings and conclusions or recommendations that are manifest in this material are those of the participants and do not necessarily reflect the views of the NSF.

### Footnotes

1. In the implementation, case analysis will be further limited to the situations in which higher-order pattern unification is applicable. The corresponding collection of terms admits the notion of most general unifiers. Thus, the liberalization of type structure we will sometimes cause us to consider a case when dependencies in typing might in fact rule it out.
2. In the case of , to use the induction hypothesis, we would need to recognize also that items introduced into the context satisfy the context schema corresponding to .

### References

1. David Baelde, Kaustuv Chaudhuri, Andrew Gacek, Dale Miller, Gopalan Nadathur, Alwen Tiu & Yuting Wang (2014): Abella: A System for Reasoning about Relational Specifications. Journal of Formalized Reasoning 7(2), doi:http://dx.doi.org/10.6092/issn.1972-5787/4650. Available at http://jfr.unibo.it/article/download/4650/4137.
2. Andrew Gacek, Dale Miller & Gopalan Nadathur (2011): Nominal abstraction. Information and Computation 209(1), pp. 48–73.
3. Robert Harper, Furio Honsell & Gordon Plotkin (1993): A Framework for Defining Logics. Journal of the ACM 40(1), pp. 143–184.
4. Robert Harper & Daniel R. Licata (2007): Mechanizing Metatheory in a Logical Framework. Journal of Functional Programming 17(4–5), pp. 613–673.
5. Frank Pfenning & Carsten Schürmann (2002): Twelf User’s Guide, 1.4 edition.
6. Carsten Schürmann (2000): Automating the Meta Theory of Deductive Systems. Ph.D. thesis, Carnegie Mellon University. CMU-CS-00-146.
7. Mary Southern & Kaustuv Chaudhuri (2014): A Two-Level Logic Approach to Reasoning About Typed Specification Languages. In Venkatesh Raman & S. P. Suresh, editors: 34th International Conference on Foundation of Software Technology and Theoretical Computer Science (FSTTCS 2014), Leibniz International Proceedings in Informatics (LIPIcs) 29, Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, pp. 557–569, doi:http://dx.doi.org/10.4230/LIPIcs.FSTTCS.2014.557. Available at http://drops.dagstuhl.de/opus/volltexte/2014/4871.
8. Alwen Tiu (2006): A Logic for Reasoning about Generic Judgments. In A. Momigliano & B. Pientka, editors: Int. Workshop on Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP’06), ENTCS 173, pp. 3–18.
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters