pDOT Type Safety Proof
This repository contains the Coq formalization type-safety proof of the pDOT calculus that generalizes DOT by Amin et al. (2016). with paths of arbitrary length. This allows us to express path-dependent types of the form x.a.b.A as opposed to just x.A.
Compiling the Proof
System requirements (pre-installed here):
- make
- an installation of Coq 8.9.0, preferably through opam
- the TLC library which can be installed through
opam repo add coq-released http://coq.inria.fr/opam/released
opam install -j4 coq-tlcTo compile the proof, open a terminal and type:
cd dot-calculus/src/extensions/paths
makeOverview
This repository formalizes the type-safety proof of the pDOT calculus as presented in our paper. Specifically, it defines the calculus itself (its abstract syntax (paper, Coq), type system (paper, Coq), and operational semantics (paper, Coq)) and its type safety proof. The Type Soundness Theorem (paper, Coq) proves that well-typed terms in pDOT either diverge (i.e. run forever) or reduce to a normal form, which includes values (functions and objects) or paths. Since the operational semantics does not reduce paths we present an Extended Type Soundness Theorem (paper, Coq) defined in terms of the above reduction relation extended with the lookup operation (paper, Coq) that looks up paths in the runtime environment. This theorem states that a well-typed term either diverges or reduces to a value (which does not include paths).
How to Review this Artifact
Inspecting Source files
The documentation can be accessed through the links below in this file, or directly through the dot-calculus/src/extensions/paths/doc directory. This file lists links to pretty printed Coq source files, but the raw .v files can be found in the dot-calculus/src/extensions/paths directory. In the pretty-printed versions, the proof scripts are hidden by default; you may click on Show Proofs at the top of the page to display all the proofs, or click under the Lemma or Theorem statements to display their proofs.
Verifying Correctness and Paper Correspondence
Successful compilation using make indicates a correct proof.
You can grep for strings like admit and Admitted in the proof files to verify that we proved all the theorems.
You can also browse the code in Emacs using the Proof General mode and see what assumptions or hypotheses have used by adding the following Coq command:
Print Assumptions <lemma name>.For example, to see what assumptions the Extended Soundness Theorem uses, add the command Print Assumptions extended_safety. in Safety.v on Line 557 (after the proof of the extended_safety theorem).
Used Libraries and Axioms
The pDOT calculus is a generalization of the simple DOT proof by
Rapoport et al.
The Coq formalization of this proof can be found in the dot-calculus/src/simple-proof/proof folder.
The pDOT calculus is formalized using the locally nameless representation with cofinite quantification in which free variables are represented as named variables, and bound variables are represented as de Bruijn indices. We use the TLC library developed by Arthur Charguéraud that provides useful infrastructure for metatheory proofs. We include the Sequences library by Xavier Leroy into our development to reason about the reflexive, transitive closure of binary relations.
We configure Coq with the following axioms:
functional extensionality
propositional extensionality
indefinite description (Hilbert's epsilon operator)
law of excluded middle
John Major’s equality
dependent induction in Coq.
We inherit the remaining axioms from the TLC library.
Paper Correspondence
Correspondence of Definitions
| Definition | In paper | File | Paper notations | Proof notations | Name in proof |
|---|---|---|---|---|---|
| Abstract Syntax | Fig. 1 | Definitions.v | |||
| - variable | Fig. 1 | Definitions.v | avar |
||
| - term member | Fig. 1 | Definitions.v | trm_label |
||
| - type member | Fig. 1 | Definitions.v | typ_label |
||
| - path | Fig. 1 | Definitions.v | x.a.b.c p.a p.b̅ |
p_sel x (c::b::a::nil) p•ap••b |
path |
| - term | Fig. 1 | Definitions.v | trm |
||
| - stable term | Fig. 1 | Definitions.v | def_rhs |
||
| - value | Fig. 1 | Definitions.v | ν(x: T)ds λ(x: T)t |
ν(T)ds λ(T)t |
val |
| - definition | Fig. 1 | Definitions.v | {a = t} {A = T} |
{a := t}{A ⦂= T} |
def |
| - type | Fig. 1 | Definitions.v | {a: T} {A: T..U} ∀(x: T)U p.A p.type μ(x: T) T ∧ U ⊤ ⊥ |
{a ⦂ T} {A >: T <: U} ∀(T)U p↓A {{p}} μ(T) T ∧ U ⊤ ⊥ |
typ |
| Type System | Fig. 2 | Definitions.v | |||
| - term typing | Fig. 2 | Definitions.v | Γ ⊢ t: T | Γ ⊢ t : T |
ty_trm |
| - replacement operation | Fig. 9 | Definitions.v | T[q/p]=U (replacing path p with q in T yields U) | repl_typ p q T U |
ty_trm |
| - definition typing | Fig. 2 | Definitions.v | p; Γ ⊢ d: T | x; bs; Γ ⊢ d : T (single definition) x; bs; Γ ⊢ d :: T (multiple definitions) Here, p= x.bs, i.e. xis p’s receiver, and bs are p’s fields in reverse order |
ty_def ty_defs |
| - tight bounds | Fig. 2 | Definitions.v | tight_bounds |
||
| - subtyping | Fig. 2 | Definitions.v | Γ ⊢ T <: U | Γ ⊢ T <: U |
subtyp |
| Operational semantics | Fig. 3 | Reduction.v | γ|t ⟼ γ’|t’ γ|t ⟼* γ’|t’ |
(γ, t) ⟼ (γ', t') (γ, t) ⟼* (γ', t') |
red |
| Path lookup | Fig. 4 | Lookup.v | γ ⊢ p ⤳ s γ ⊢ s ⤳* s’ |
γ ⟦ p ⤳ s ⟧ γ ⟦ s ⤳* s' ⟧ |
lookup_step |
| Extended reduction | Sec. 5 | Safety.v | γ|t ↠ γ’|t’ γ|t ↠* γ’|t’ |
(γ, t) ↠ (γ', t') (γ, t) ↠* (γ', t') |
extended_red |
| Inert and record types | Fig. 5 | Definitions.v | inert T inert Γ |
inert_typ inert |
|
| Well-formed environments |
Sec. 5.2.1 | PreciseTyping.v | wf |
||
| Correspondence between a value and type environment |
Sec. 5 | Definitions.v | γ: Γ | γ ⫶ Γ |
well_typed |
Correspondence of Lemmas and Theorems
| Theorem | File | Name in proof |
|---|---|---|
| Theorem 5.1 (Soundness) | Safety.v | safety |
| Theorem 5.2 (Extended Soundness) | Safety.v | extended_safety |
| Lemma 5.3 (Progress) | Safety.v | progress |
| Lemma 5.4 (Preservation) | Safety.v | preservation |
| Lemma 5.5 | CanonicalForms.v | canonical_forms_fun |
Correspondence of Examples
| Example | In paper | File |
|---|---|---|
| List example | Figure 6 a | ListExample.v |
| Compiler example | Figure 6 b | CompilerExample.v |
| Singleton type example | Figure 6 c | SingletonTypeExample.v |
Proof Organization
Safety Proof
The Coq proof is split up into the following modules:
- Definitions.v: Definitions of pDOT’s abstract syntax and type system.
- Reduction.v: Normal forms and the operational semantics of pDOT.
- Safety.v: Final safety theorem through Progress and Preservation.
- Lookup.v: Definition of path lookup and properties of lookup.
- Binding.v: Lemmas related to opening and variable binding.
- SubEnvironments.v: Lemmas related to subenvironments.
- Weakening.v: Weakening Lemma.
- RecordAndInertTypes.v: Lemmas related to record and inert types.
- Replacement.v: Properties of equivalent types.
- Narrowing.v: Narrowing Lemma.
- PreciseFlow.v and PreciseTyping.v: Lemmas related to elimination typing. In particular, reasons about the possible precise types that a path can have in an inert environment.
- TightTyping.v: Defines tight typing and subtyping.
- Substitution.v: Proves the Substitution Lemma.
- InvertibleTyping.v and ReplacementTyping.v: Lemmas related to introduction typing.
- GeneralToTight.v: Proves that in an inert context, general typing implies tight typing.
- CanonicalForms.v: Canonical Forms Lemma.
- Sequences.v: A library of relation operators by Xavier Leroy.
Examples
- CompilerExample.v: The dotty-compiler example that contains paths of length greater than one.
- ListExample.v: A covariant-list implementation.
- SingletonTypeExample.v: Method chaining through singleton types.
- ExampleTactics.v: Helper tactics to prove the above examples.
The following figure shows a dependency graph between the Coq modules:
