Content uploaded by Chris Jenkins
Author content
All content in this area was uploaded by Chris Jenkins on Jan 05, 2022
Content may be subject to copyright.
Simulating Large Eliminations in Cedille
Christopher Jenkins !Ï
The University of Iowa, U.S.A.
Andrew Marmaduke !Ï
The University of Iowa, U.S.A.
Aaron Stump !Ï
The University of Iowa, U.S.A.
Abstract
Large eliminations provide an expressive mechanism for arity- and type-generic programming. How-
ever, as large eliminations are closely tied to a type theory’s primitive notion of inductive type, this
expressivity is not expected within polymorphic lambda calculi in which datatypes are encoded
using impredicative quantification. We report progress on simulating large eliminations for data-
type encodings in one such type theory, the calculus of dependent lambda eliminations (CDLE).
Specifically, we show that the expected computation rules for large eliminations, expressed using a
derived type of extensional equality of types, can be proven within CDLE. We present several case
studies, demonstrating the adequacy of this simulation for a variety of generic programming tasks,
and a generic formulation of the simulation allowing its use for any datatype. All results have been
mechanically checked by Cedille, an implementation of CDLE.
2012 ACM Subject Classification Theory of computation →Type theory
Keywords and phrases large eliminations, generic programming, impredicative encodings, Cedille,
Mendler algebra
Supplementary Material https://github.com/cedille/cedille-developments/
1 Introduction
In dependently typed languages, large eliminations allow programmers to define types by
induction over datatypes — that is, as an elimination of a datatype into the large universe
of types. For type theory semanticists, large eliminations rule out two-element models of
types by providing a principle of proof discrimination (e.g., 06= 1)[25, 24]. For programmers,
they give an expressive mechanism for arity- and type-generic programming with universe
constructions [32]. As an example, the type Nary nof n-ary functions (where nis a natural
number) over some type Tcan be defined as Twhen n= 0 and T→Nary n0when n= 1+n0.
Large eliminations are closely tied to a type theory’s primitive notion of inductive type,
and thus this expressivity is not expected within polymorphic pure typed lambda calculi
in which datatypes are impredicatively encoded. The calculus of dependent lambda elimin-
ations (CDLE) [26, 27] is one such theory that seeks to overcome historical difficulties of
impredicative encodings, such as the lack of induction principles for datatypes [13].
Contributions In this paper, we report progress on overcoming another difficulty of impre-
dicative encodings: the lack of large eliminations. We show that the expected definitional
equalities of a large elimination can be simulated using a derived type of extensional equality
for types (where the extent of a type is the set of terms it classifies). In particular, we:
describe a method for simulating large eliminations in CDLE (Section 3), identifying the
features of the theory that enable the development (Section 2);
formulate the method generically (meaning parametrically) for all datatype signatures,
using the framework of Firsov et al. [12] (Section 5);
arXiv:2112.07817v1 [cs.PL] 15 Dec 2021
2 Simulating Large Eliminations in Cedille
demonstrate the adequacy of this simulation by applying it to several generic program-
ming tasks: n-ary functions, a closed universe of datatypes, a decision procedure for the
inhabitation of simple types, and an arity-generic map operation (Sections 3 and 4).
All results have been mechanically checked by Cedille, an implementation of CDLE, and are
available at the code repository associated with this paper.1
Outline The remainder of this paper is structured as follows. Section 2 reviews background
material on CDLE, focusing on the primitives which enable the simulation and the derived
extensional type equality. In Section 3, we carefully explain the recipe for simulating large
eliminations using as an example the type n-ary functions over a given type. Section 4
shows three case studies, presented as evidence of the effectiveness of the simulation in
tackling generic programming tasks. The recipe for concrete examples is then turned into a
generic (that is, parametric) derivation of simulated large eliminations in Section 5. Finally,
Section 6 discusses related work and Section 7 concludes with a discussion of future work.
2 Background on CDLE
In this section, we review CDLE, the kernel theory of Cedille. CDLE extends the impre-
dicative extrinsically typed calculus of constructions (CC), overcoming historical difficulties
of impredicative encodings (e.g., underivability of induction [14]) by adding three new type
constructs: equality of untyped terms; the dependent intersections of Kopylov [19]; and the
implicit products of Miquel [23]. The pure term language of CDLE is untyped lambda cal-
culus, but to make type checking algorithmic terms are presented with typing annotations.
Definitional equality of terms t1and t2is βη-equivalence modulo erasure of annotations,
denoted |t1|=βη |t2|.
The typing and erasure rules for the fragment of CDLE used in this paper are shown
in Figure 1 and described in Section 2.1 (see also Stump and Jenkins [27]); the derived
constructs we use are presented axiomatically in Section 2.2. We assume the reader is
familiar with the type constructs inherited from CC: abstraction over types in terms is
written ΛX. t (erasing to |t|), application of terms to types (polymorphic type instantiation)
is written t·T(erasing to |t|), and application of type constructors to type constructors is
written T1·T2. In code listings, we sometimes omit type arguments to terms when Cedille
can infer them.
2.1 Primitives
Below, we only discuss implicit products and the equality type. Though dependent inter-
sections play a critical role in the derivation of induction for datatype encodings, they are
otherwise not explicitly used in the coming developments.
The implicit product type ∀x:T1. T2of Miquel [23] is the type for functions which accept
an erased (computationally irrelevant) input of type T1and produce a result of type T2.
Implicit products are introduced with Λx. t, and the type inference rule is the same as for
ordinary function abstractions except for the side condition that xdoes not occur free in
the erasure of the body t. Thus, the argument plays no computational role in the function
and exists solely for the purposes of typing. The erasure of the introduction form is |t|. For
1https://github.com/cedille/cedille-developments/tree/master/large- elim-sim
C. Jenkins and A. Marmaduke and A. Stump 3
Γ, x :T1`t:T2x6∈ FV(|t|)
Γ`Λx. t :∀x:T1. T2
Γ`t:∀x:T1. T2Γ`t0:T1
Γ`t-t0: [t0/x]T2
|t1|=βη |t2|
Γ`β:{t1't2}
Γ`t:{λ x. λ y. x 'λ x. λ y. y }
Γ`δ-t:T
Γ`t:{t0't00}Γ`t0:TFV(t00 )⊆dom(Γ)
Γ`ϕ t -t0{t00}:T
|Λx. t|=|t| |t-t0|=|t|
|β|=λ x. x |ϕ t -t0{t00}| =|t00 |
|δ-t|=λ x. x
Figure 1 Typing and erasure for a fragment of CDLE
application, if thas type ∀x:T1. T2and t0has type T1, then t-t0has type [t0/x]T2and erases
to |t|. When xis not free in T2, we write T1⇒T2, similar to writing T1→T2for Πx:T1. T2.
INote. The notion of computational irrelevance here is not that of a different sort of
classifier for types (e.g. Prop in Coq, c.f. [29]) separating terms by whether they can be
used for computation. Instead, it is similar to quantitative type theory [2]: relevance and
irrelevance are properties of binders, indicating how functions may use arguments.
The equality type {t1't2}is the type of proofs that t1is propositionally equal to t2.
The introduction form βproves reflexive equations between βη-equivalence classes of terms:
it can be checked against the type {t1't2}if |t1|=βη |t2|. Note that this means equality is
over untyped (post-erasure) terms. There is also a standard elimination form (substitution),
but it is not used explicitly in the presentation of our results so we omit its inference rule.
Equality types also come with two additional axioms: a strong form of the direct compu-
tation rule of NuPRL (c.f. Allen et al. [1], Section 2.2) given by ϕ, and a principle of proof
discrimination given by δ. The inference rule for an expression of the form ϕ t -t0{t00}
says that the entire expression can be checked against type Tif t0can be, if there are no
undeclared free variables in t00 (so, t00 is a well-scoped but otherwise untyped term), and
if tproves that t0and t00 are equal. The crucial feature of ϕis its erasure: the expression
erases to |t00|, effectively enabling us to cast t00 to the type of t0. Though ϕdoes not appear
explicitly in the developments to come, it plays a central role by enabling the derivation of
extensional type equality.
An expression of the form δ-tmay be checked against any type if tsynthesizes a type con-
vertible with a particular false equation, {λ x. λ y. x 'λ x. λ y. y}. To broaden applicability
of δ, the Cedille tool implements the Böhm-out semi-decision procedure [5] for discrimin-
ating between βη-inequivalent terms. By enabling proofs that datatype constructors are
disjoint, δplays a vital role in our simulation of large eliminations.
4 Simulating Large Eliminations in Cedille
Γ`t1:S→TΓ`t2: Π x:S. {t1x'x}
Γ`intrCast ·S·T-t1-t2:Cast ·S·T
Γ`t:Cast ·S·T
Γ`cast ·S·T-t:S→T
|intrCast ·S·T-t1-t2|=λ x. x |cast ·S·T-t|=λ x. x
Figure 2 Type inclusions
2.2 Derived Constructs
Type inclusions
The ϕaxiom of equality allows us to define a type constructor Cast which internalizes the
notion that the set of all elements of some type Sis contained within the set of all elements
of type T(note that Curry-style typing makes this relation nontrivial). We describe its
axiomatic summary presented in Figure 2; for the full derivation, see Jenkins and Stump [16]
(also Diehl et al. [11]).
The introduction form intrCast takes two erased term arguments, a function t1:S→T,
and a proof that t1behaves extensionally as the identity function on its domain. The
elimination form cast takes evidence that a type Sis included into Tand produces a function
between the same. The crucial property of cast is its erasure: |cast -t|=λ x. x. Thus,
Cast ·S·Tmay also be considered the type of zero-cost type coercions from Sto T— zero
cost because the type coercion is performed in a constant number of β-reduction steps.
INote. When inspecting the introduction and elimination forms, it may seem that Cast
provides a form of function extensionality restricted to identity functions. This is not the
case, however, as it is possible to choose S,T, and t1such that t1is provably extensionally
equal to the identity function on its domain, and at the same time refute {t1'λ x. x}using
δ. Instead, taken together these rules should be read as saying that if t1is extensionally
identity on its domain, then that justifies the assignment of type S→Tto λ x. x.
Γ`t1:Cast ·S·TΓ`t2:Cast ·T·S
Γ`intrTpEq ·S·T-t1-t2:TpEq ·S·T
Γ`t:TpEq ·S·T
Γ`tpEq1·S·T-t:S→T
Γ`t:TpEq ·S·T
Γ`tpEq2·S·T-t:T→S
|intrTpEq ·S·T-t1-t2|=λ x. x |tpEq1 ·S·T-t|=λ x. x
|tpEq2 ·S·T-t|=λ x. x
Figure 3 Extensional type equality
Type equality
The extensional notion of type equality used to simulate large eliminations, TpEq, is merely
the existence of a two-way type inclusion. Strictly speaking, a term of type TpEq ·S·Tis
evidence that λ x. x may be assigned the intersection type (S→T)∩(T→S). However, a
good intuition for understanding the introduction and elimination rules is to think of this
C. Jenkins and A. Marmaduke and A. Stump 5
(a) As a large elimination
Nary : Nat →?
Nary zero = T
Nary (succ n) = T →Nary n
(b) As a GADT
data NaryR : Nat →?→?
= naryRZ : NaryR zero T
| naryRS : ∀n: Nat. ∀Ih: ?.
NaryR n ·Ih →NaryR (succ n) ·(T →Ih)
Figure 4 n-ary functions over T
as the types of pairs of casts t1and t2between Sand T, with the elimination forms being
compositions of the appropriate projection function with cast (the projections would not
appear in the erasures of the elimination forms, as the argument to cast is erased).
IRemark 1. Though we call TpEq extensional type equality, within CDLE it is only an
isomorphism of types. To be considered a true notion of equality, TpEq would need a
substitution principle. The type constructors for dependent function types (both implicit
and explicit) can be proven to permit substitution if the domain and codomain parts do,
as does quantification over types. However, the presence of higher-order type constructors
means that not all closed types allow substitution of types related by TpEq (consider ∀X:
?→?. X ·S, where one has Sand Tsuch that TpEq ·S·T). Nonetheless, the case studies
presented in Sections 3 and 4 show that despite this limitation, our simulation of large
eliminations using TpEq is adequate for dealing with common generic-programming tasks.
INote. In the developments in subsequent sections, refl,sym, and trans refer to the three
proofs that together show TpEq is an equivalence relation. We have omitted their definitions;
their types are as expected.
3n-ary Functions
In this section, we use a concrete example to detail the method of simulating large elim-
inations. Figure 4a shows the definition of Nary, the family of n-ary function types over
some type T, as a large elimination of natural numbers. Our simulation of this begins by
approximating this inductive definition of a function with an inductive relation between Nat
and types, given as the generalized algebraic datatype [34] (GADT) NaryR in Figure 4b.
This approximation is inadequate: we lack a canonical name for the type Nary nbecause
ndoes not a priori determine the type argument of NaryR n. Indeed, without a form of
proof discrimination we would not even be able to deduce that if a given type Nsatisfies
NaryR zero, then Nmust be T. Proceeding by induction, in the naryRS case the goal is
to show that Tis the same as T→Ih for some (arbitrary but fixed) Ih :?. We would
need to derive a contradiction from the absurd equation that {zero 'succ n}for some n.
Fortunately, proof discrimination is available in CDLE in the form of δ, so we are able to
define functions such as extr0 in Figure 5 which require this form of reasoning.
extr0’ : ∀x: Nat. { x 'zero } ⇒ ∀ N: ?. NaryR x ·N→N→T
extr0’ -zero -eqx ·T naryRZ x = x
extr0’ -(succ n) -eqx ·(T →X) (naryRS n ·Xr)x=δ- eqX
extr0 = extr0’ -zero -β
Figure 5 Extracting a 0-ary term
6 Simulating Large Eliminations in Cedille
INote. In code listings such as Figure 5, we present recursive Cedille functions using the
syntax of (dependent) pattern matching in order to aid readability. This syntax is not
currently supported by the Cedille tool. For functions computing terms, the Cedille code
in this paper’s repository uses the datatype system described by Jenkins et al. [15]. For
functions computing types, the repository code uses the simulation to be described next.
Sketch of the Idea
Our task is to show that NaryR defines a functional relation, i.e., for all n:Nat there exists
a unique type Nary nsuch that NaryR n·(Nary n)is inhabited. The candidate definition
for this type family is:
Nary n = ∀X: ?. NaryR n ·X⇒X
For all n, read Nary nas the type of terms contained in the intersection of the family of
types Xsuch that NaryR n·Xis inhabited. For example, every term tof type Nary zero
has type Talso, since Tis in this family (specifically, we have that t·T-naryRZ has type
Tand erases to |t|). Similarly, every term of type Thas type Nary zero by induction on
the assumed proof of NaryR zero ·Xfor arbitrary X, invoking δin the naryRS case (see
Section 3.2 for how certain properties may be proved using induction on erased arguments).
However, at the moment we are stuck when attempting to prove NaryR zero·(Nary zero).
Though we see from the preceding discussion that Tand Nary zero are extensionally equal
types (they classify the same terms), naryRZ requires that they be definitionally equal! We
therefore must modify the definition of NaryR so that it defines a relation that is functional
with respect to extensional type equality. This is shown in Figure 6, with both constructors
now quantifying over an additional type argument Xtogether with evidence that it is
extensionally equal to the type of interest.
data NaryR : Nat →?→?
= naryRZ : ∀X: ?. TpEq ·X·T⇒NaryR zero ·X
| naryRS : ∀Ih: ?.∀n: Nat. NaryR n ·Ih →
∀X: ?. TpEq ·X·(T →Ih) ⇒NaryR (succ n) ·X
Figure 6 NaryR as a relation that is functional with respect to TpEq
3.1 Proof that NaryR is a Functional Relation
Respectfulness
We now detail the proof that NaryR is a functional relation. Having changed our notion
of equality for types to extensional, we must now prove a third property (in addition to
uniqueness and existence): that it respects extensional type equality, i.e., if Nary relates n
to T1and T1is equal to T2, then Nary relates nto T2also. This proof is shown as naryRResp
in Figure 7. Proceeding by case analysis, in both cases we combine the assumed proof that
T1and T2are equal types with the type equality proof given to the constructor.
Uniqueness
Figure 8 shows the proof naryRUnique that Nary nuniquely determines a type (up to type
equality) for all n. To improve readability, this listing omits the two absurd clauses in which
the given Nary proofs differ in their construction; in the code repository, these two cases
C. Jenkins and A. Marmaduke and A. Stump 7
naryRResp : ∀n: Nat. ∀T1: ?. NaryR n ·T1 → ∀ T2: ?. TpEq ·T1 ·T2 ⇒NaryR n ·T2
naryRResp -zero ·T1 (naryRZ ·T1 -eqT1) ·T2 -eq =
naryRZ ·T2 -(trans -(sym -eq) -eqT1)
naryRResp -(succ n) ·T1 (naryRS ·Ih -n r ·T1 -eqT1) ·T2 -eq =
naryRS ·Ih -n r ·T2 -(trans -(sym -eq) -eqT1)
Figure 7 NaryR nrespects type equality
are handled with δ. For the naryRS case, the inductive hypothesis gives us that Ih1and
Ih2are equal types. We combine the lemma arrowTpEqCod (definition omitted) that the
arrow type constructor respects type equality in its codomain with the proofs given to the
constructors that T→Ih1is equal to T1and T→Ih2is equal to T2, concluding the proof.
arrowTpEqCod : ∀D: ?.∀C1: ?.∀C2: ?. TpEq ·C1 ·C2 ⇒TpEq ·(D →C1) ·(D →C2)
naryRUnique : ∀n: Nat. ∀T1: ?. NaryR n ·T1 → ∀ T2: ?. NaryR n ·T2 →TpEq ·T1 ·T2
naryRUnique -zero ·T1 (naryRZ ·T1 -eqT1) ·T2 (naryRZ ·T2 -eqT2) =
trans -eqT2 -(sym -eqT1)
naryRUnique -(succ n) ·T1 (naryRS ·Ih1 -n r1 ·T1 -eqT1) ·T2 (naryRS ·Ih2 -n r2 ·T2 -eqT2) =
trans -eqT1 -(arrowTpEqCod -(naryRUnique -n r1 r2)) -(sym -eqT2)
Figure 8 NaryR ndetermines at most one type
Existence
Compared to the first two properties, the proof of existence, naryREx in Figure 9, is more
involved. We take a top-down approach for its explanation to first impart the main idea.
Proceeding by induction over the natural number argument, the proof relies on two lemmas:
naryZ , which proves that NaryR relates zero to Nary zero, and naryS , which proves that
succ nand Nary (succ n)are related if nand Nary nare. Put another way, to prove
existence we need to specialize the naryRZ and naryRS constructors to the corresponding
members of the Nary family.
naryREx : Πn: Nat. NaryR n ·(Nary n)
naryREx zero = naryZ
naryREx (succ n) = naryS n (naryREx n)
Figure 9 NaryR relates nand Nary nfor all n
The proofs of naryZ and naryS follow a similar three-part structure, so for the sake of
brevity we detail the proof of the latter only (Figure 10). First, with naryRS 0we specialize
the constructor naryRS to the reflexive type equality. Then, with narySEq we prove that the
computation rule for Nary (succ n)(c.f. Figure 4a) holds for all nsuch that NaryR n·(Nary n)
holds. This is proved as a two-way type inclusion.
In the first direction, we assume f:Nary (succ n). Since this type is the intersection of
the family of types Ssuch NaryR (succ n)·Sholds, we conclude by showing T→Nary n
is in this family. By the erasure rules, the first argument to intrCast erases to λ f . f.
In the second direction, we assume f:T→Nary nand an arbitrary type Xsuch that
Nary (succ n)·Xholds, and must cast fto the type X. This is done by appealing to
8 Simulating Large Eliminations in Cedille
naryRS’ : ∀Ih: ?.∀n: Nat. NaryR n ·Ih →NaryR (succ n) ·(T →Ih)
naryRS’ ·Ih -n r = naryRS -n r -(refl ·(T →Ih))
narySEq : ∀n: Nat. NaryR n ·(Nary n) →TpEq ·(Nary (succ n)) ·(T →Nary n)
narySEq -n rn =
intrTpEq
-(intrCast -(λf. f ·(T →Nary n) -(naryRS’ -n rn)) -(λ_. β))
-(intrCast -(λf. ΛX. Λrs.
tpEq1 -(naryRUnique -(succ n) (naryRS’ -n rn) ·X rs) f)
-(λ_. β))
naryS : ∀n: Nat. NaryR n ·(Nary n) →NaryR (succ n) ·(Nary (succ n))
naryS -n rn =
naryRResp -(succ n) ·(T →Nary n) (naryRS’ -n rn) -(sym -(narySEq -n rn))
Figure 10 Nary:succ case
tpEqIrrel : ∀A: ?.∀B: ?. TpEq ·A·B⇒TpEq ·A·B
tpEqIrrel ·A·B -eq =
intrTpEq -(intrCast -(tpEq1 -eq) -(λ_. β)) -(intrCast -(tpEq2 -eq) -(λ_. β))
naryZC : TpEq ·(Nary zero) ·T
naryZC = naryZEq
narySC : ∀n: Nat. TpEq ·(Nary (succ n)) ·(T →Nary n)
narySC -n = tpEqIrrel -(narySEq -n (naryREx n))
Figure 11 Computation laws of Nary as type equalities
uniqueness, as NaryR relates succ nto both Xand T→Nary n. Notice that while
rs :Nary (succ n)·Xmust not occur within the erasure of the body of the Λ-expression
which binds it, the elimination form tpEq1 takes the type equality that naryRUnique
computes from rs as an erased argument, ensuring that this condition holds.
Finally, we prove naryS by appealing to respectfulness.
3.2 Computation Laws as Zero-cost Type Coercions
The proof of existence, naryREx, takes time linear in its argument nto compute a proof of
NaryR n·(Nary n). Therefore, it would seem that any type coercions using this proof could
not be zero-cost (that is, constant time). We now show that this issue is neatly dealt with
by using the fact that type equality is proof-irrelevant.
Proof irrelevance for a type Pis often understood to mean that any two proofs of Pare
equal. While type equalities do satisfy this notion of proof irrelevance, in CDLE (and other
theories with usage restrictions on binders), one can formulate an alternative notion of proof
irrelevance: that one can construct a proof of Pfrom an erased proof of P, i.e., that the
type P⇒Pis inhabited.
The proof of proof-irrelevance for type equality, and the type equalities for the computa-
tion laws of Nary, are shown in Figure 11. In narySC , we invoke the existence proof within
an expression given as an erased argument to tpEqIrrel. Thus, no computation involving n
is performed in the operational semantics of CDLE when using these type coercions.
C. Jenkins and A. Marmaduke and A. Stump 9
appN : ∀n: Nat. Nary n →Vec ·T n →T
appN -zero f vnil = tpEq1 -naryZC f
appN -(succ n) f (vcons -n x xs) = appN -n (tpEq1 -(narySC -n) f x) xs
Figure 12 Application of an n-ary function to narguments
We conclude this section with an example: applying an n-ary function to narguments
of type T, given as a length-indexed list (Vec). In Figure 12, appN is defined by induction
on the list of arguments. In the vcons case, the given natural number is revealed to have
the form succ n, so we may coerce the type of f:Nary (succ n)to T→Nary nto apply it
to the head of the list, then recursively call appN on the tail.
4 Generic Programming Case Studies
In the previous section, we gave a detailed outline of the recipe for simulating a large
elimination, in particular showing explicitly the use of type coercions. For the case studies we
consider next, all code listings are presented in a syntax that omits the uses of type coercions
to improve readability. In our implementation, we must explicitly use these coercions as well
as several lemmas showing that CDLE’s primitive type constructors respect TpEq (except for
quantification over higher-kinded type constructors, as mentioned in Remark 1). As CDLE
is a kernel theory (and thus not ergonomic to program in), the purpose of these examples is
to show that this simulation is indeed capable of expressing common generic programming
tasks, and we leave the task of implementing a high-level surface language for its utilization
as future work. We do, however, remark on any new difficulties that are obscured by this
presentation (such as Remark 5). Full details of all examples of this section can be found in
the repository associated with this paper.
4.1 A Closed Universe of Strictly Positive Datatypes
The preceding section described an example of arity-generic programming. We consider now
atype-generic task: proving the no confusion property [4] of datatype constructors (that is,
they are injective and disjoint) for a closed universe of strictly positive types. For defining
a universe of datatypes, the idea (describe in more detail by Dagand and McBride [9]) is to
define a type whose elements are interpreted as codes for datatype signatures and combine
this with a type-level least fixedpoint operator.
This universe is shown in Figure 13, where Descr is the type of codes for signatures,
Decode the large elimination interpreting them, and C:?and I:C→?are parameters to
the derivation. Signatures comprise the identity functor (idD), a constant functor returning
the unitary type Unit (constD), a product of signatures (pairD), and two forms of sums.
The latter of these, sigD, is to be used to choose one of the datatype constructors. It takes
an argument n:Nat (the number of datatype constructors) and a family of ndescriptions
of the constructor argument types (Fin nis the type of natural numbers less than n). The
former, sumD, is a more generalized form that takes a code c:Cfor a constructor argument
type, and a mapping of values of type I c (where Iinterprets these codes) to descriptions.
Both are interpreted by Decode as dependent pairs which pack together an element of the
indexing type (I c or Fin n) with the decoding of the description associated with that index.
IRemark 2. In order to express a variety of datatypes, our universe is parameterized by codes
Cand interpretations I:C→?for constructor argument types, such as used in Example 4.
10 Simulating Large Eliminations in Cedille
data Descr : ?
= idD : Descr
| constD : Descr
| pairD : Descr →Descr →Descr
| sumD : Πc: C. (I c →Descr) →Descr
| sigD : Πn: Nat. (Fin n →Descr) →Descr
Decode : ?→Descr →?
Decode ·T idD = T
Decode ·T constD = Unit
Decode ·T (pairD d1 d2) = Pair ·(Decode ·T d1) ·(Decode ·T d2)
Decode ·T (sumD c f) = Sigma ·(I c) ·(λi: I c. Decode ·T (f i))
Decode ·T (sigD n f) = Sigma ·(Fin n) ·(λi: Fin n. Decode ·T (f i))
U : Descr →?
Ud=µ(λT: ?. Decode ·T d)
inSig : ∀n: Nat. ∀cs: Fin n →Descr. Πi: Fin n. U (cs i) →U (sigD n cs)
inSig -n -cs i d = in (i , d)
Figure 13 A closed universe of strictly positive types
Unlike much of the literature describing the definition of a closed universe of strictly positive
types [6, 9, 8] wherein the host language is a variation of intrinsically typed Martin-Löf type
theory, CDLE is extrinsically typed — type arguments to constructors can play no role
in computation, even in the (simulated) computation of other types. This appears to be
essential for avoiding paradoxes of the form described by Coquand and Paulin [7], as CDLE
is an impredicative theory in which datatype signatures need not be strictly positive.
Finally, the family of datatypes within this universe is given as U, defined using a type-
level least fixedpoint operator µwhich we discuss in more detail in Section 5. We define a
constructor inSig for datatypes whose signatures are described by codes of the form sigD n cs
(for n:Nat and cs :Fin n→Descr) using the generic constructor in :F µF →µF .
INote. For comparison with Decode, the corresponding relational encoding used in our
implementation is given in Figure 14 as DecodeR. Since the type argument Tdoes not
data DecodeR (T: ?) : Descr →?→?
= decIdR : ∀X: ?. TpEq ·X T ⇒DecodeR idD ·X
| decConstR : ∀X: ?. TpEq ·X·Unit ⇒DecodeR constD ·X
| decPairR : ∀d1: Descr. ∀Ih1: ?. DecodeR d1 ·Ih1 →
∀d2: Descr. ∀Ih2: ?. DecodeR d2 ·Ih2 →
∀X: ?. TpEq ·X·(Pair ·Ih1 ·Ih2) ⇒
DecodeR (pairD d1 d2) ·X
| decSumR : ∀c: C. ∀f: I c →Descr. ∀Ih: I c →?.
(Πi: I c. DecodeR (f i) ·(Ih i)) →
∀X: ?. TpEq ·X·(Sigma ·(I c) ·Ih) ⇒DecodeR (sumD c f) ·X
| decSigR : ∀n: Nat. ∀f: Fin n →Descr. ∀Ih: Fin n →?.
(Πi : Fin n. DecodeR (f i) ·(Ih i)) →
∀X: ?. TpEq ·X·(Sigma ·(Fin n) ·Ih) ⇒DecodeR (sigD n f) ·X
Figure 14 Relational encoding of Decode
C. Jenkins and A. Marmaduke and A. Stump 11
vary through recursive calls in Decode, we have made it a parameter rather than index to
DecodeR (in Cedille, recursive occurrences of the datatype being defined are not written
applied to parameters; one writes e.g. DecodeR id ·Xrather than DecodeR ·Tid ·Xin
the type declarations of constructors). Aside from this, the method of translation from
the syntax of pattern matching and recursion for large eliminations to GADTs with type
equality constraints is the same as used in Section 3.
IExample 3 (Natural numbers).The type of natural numbers can be defined as:
unatSig : Descr
unatSig = sigD 2 (fvcons constD (fvcons idD fvnil))
UNat = U unatSig
where fvcons and fvnil are utilities for expressing functions out of Fin nin a list-like notation.
The constructors of UNat are:
uzero : UNat
uzero = inSig fin0 unit
usuc : UNat →UNat
usuc n = inSig fin1 n
IExample 4 (Lists).Let T:?be an arbitrary type, and let parameters Cand Ibe resp.
Unit and λ_. T . The type of lists containing elements of type Tis defined as:
ulistSig : Descr
ulistSig = sigD 2 (fvcons constD (fvcons (sumD unit (λ_. idD)) fvnil))
UList = U ulistSig
with constructors defined similarly to those of UNat in the preceding example.
Proving No Confusion
Figure 15 shows the statement and proof of the no confusion property of datatype construct-
ors. NoConfusion is defined by case analysis over the two datatype values, and additionally
abstracts over a test of equality between i1 and i2 to determine whether those values were
both formed by the same constructor. The clause for which they are equal corresponds to
the statement of constructor injectivity (the two terms are equal only if equal arguments
were given to the constructor); the clause where i1 6=i2 gives the statement of disjointness
(datatype expressions cannot be equal and also be in the image of distinct constructors). The
proof noConfusion proceeds by abstracting over the same equality test, using the lemma
inSigInj that inSig is injective (definition omitted; it follows from injectivity of both in and
the constructor for pairs) to finish the two cases.
4.2 Type Inhabitation of Simple Types
In this section we describe a decision procedure for type inhabitation for a universe of
simple types. Figure 16 lists the datatype of codes (SimpleTp) and its decoding by the large
elimination (Simple). Like the previous section, the code is parametric in a type Cof codes
for base types and an interpretation I:C→?mapping them to Cedille types.
12 Simulating Large Eliminations in Cedille
NoConfusion : Πn: Nat. Πcs: Fin n →Descr. U (sigD n cs) →U (sigD n cs) →?
NoConfusion n cs (in (i1 , d1)) (in (i2 , d2)) | i1 =? i2
NoConfusion n cs (in (i1 , d1)) (in (i1 , d2)) | yes eq = { d1 'd2 }
NoConfusion n cs (in (i1 , d1)) (in (i2 , d2)) | no neq = False
inSigInj
:∀i1: Fin n. ∀d1: Decode ·U (cs i1). ∀i2: Fin n. ∀d2: Decode ·U (cs i2).
{ inSig i1 d1 'inSig i2 d2 } ⇒Pair ·{ i1 'i2 } ·{ d1 'd2 }
noConfusion : ∀n: Nat. ∀cs: Fin n →Descr.
Πd1: U (sigD n cs). Πd2: U (sigD n cs).
{ d1 'd2 } →NoConfusion d1 d2
noConfusion -n -cs (in (i1 , d1)) (in (i2 , d2)) eq | i1 =? i2
noConfusion -n -cs (in (i1 , d1)) (in (i2 , d2)) eq | yes eq’ =
snd (inSigInj -i1 -d1 -i2 -d2 eq)
noConfusion -n -cs (in (i1 , d1)) (in (i2 , d2)) eq | no neq’ =
neq’ (fst (inSigInj -i1 -d1 -i2 -d2 eq))
Figure 15 Statement and proof of no confusion
data SimpleTp : ?
= baseTp : C →SimpleTp
| arrowTp : SimpleTp →SimpleTp →SimpleTp
Simple : SimpleTp →?
Simple (baseTp c) = I c
Simple (arrowTp a b) = Simple a →Simple b
explode : ∀X: ?. False →X
Not : ?→?
Not A = A →False
decide : Πt: SimpleTp. (Πc: C. Sum ·(I c) ·(Not ·(I c))) →
Sum ·(Simple t) ·(Not ·(Simple t))
decide (baseTp c) ctx = ctx c
decide (arrowTp a b) ctx | decide b ctx | decide a ctx
decide (arrowTp a b) ctx | in1 witB | _ = in1 λ_. witB
decide (arrowTp a b) ctx | in2 notB | in1 witA = in2 λf. notB (f witA)
decide (arrowTp a b) ctx | in2 notB | in2 notA = in1 λx. explode (notA x)
Figure 16 Decision procedure for type inhabitation of a universe of simple types
C. Jenkins and A. Marmaduke and A. Stump 13
κTpVec (n : Nat) = Fin n →?
TVNil : κTpVec zero
TVNil _ = ∀X: ?. X.
TVCons : Πn: Nat. ΠH: ?.ΠL: κTpVec n →κTpVec (succ n)
TVCons n ·H·L zeroFin = H
TVCons n ·H·L (succFin i) = L i
TVHead : Πn: Nat. κTpVec (succ n) →?
TVHead n ·L = L zeroFin
TVTail : Πn: Nat. κTpVec (succ n) →κTpVec n
TVTail n ·L i = L (succFin i)
TVMap : ΠF: ?→?.Πn: Nat. κTpVec n →κTpVec n
TVMap ·F n ·Li=F·(L i)
TVFold : ΠF: ?→?→?.Πn: Nat. κTyVec (succ n) →?
TVFold ·F zero ·L = TVHead zero ·L
TVFold ·F (succ n) ·L=F·(TVHead n ·L) ·(TVFold n ·(TVTail (succ n) ·L))
Figure 17 Vectors of types
When inhabitation of the base types is decidable, to decide inhabitation of a simple type
it suffices to case split on the subdata. This decision procedure is decide in Figure 16. In
the base case (baseTp) the decidability of the base type is by assumption. The proof for the
arrow case (arrowTp) is in the style of classical logic, using the equivalence A→B≡ ¬A∨B.
Thus, we decide inhabitation of an arrow type by performing case analysis on inhabitation
of its domain and codomain types.
4.3 Arity-generic Map Operation
The last case study we consider is an arity-generic vector operation that generalizes map. We
summarize the goal (Weirich and Casinghino [32] give a more detailed explanation): define a
function which, for all nand families of types (Ai)i∈{1···n+1}, takes an n-ary function of type
A1→. . . →An→An+1 and nvectors of type Vec ·Aim(for arbitrary m), and produces a
result vector of type Vec ·An+1 m. Note that when n= 1, this is the usual map operation,
and when n= 2 it is zipWith (when n= 0, we have repeat : Π m:Nat. A1→V ec ·A1m).
4.3.1 Vectors of Types
Our first task is to represent Nat-indexed families — i.e., length-indexed vectors — of types.
For reasons discussed in Remark 2, it is not possible to define vectors of types which support
lookup as a Cedille datatype. Instead, we use simulated large eliminations to define them as
lookup functions directly. This definition, along with some operations, is shown in Figure 17.
The kind of length nvectors of types, κTpVec n, is defined as a function from Fin nto
?. For the empty type vector TVNil, it does not matter what type we give for the right-
hand side of the equation as Fin zero is uninhabited. For TVCons, we use a (non-recursive)
large elimination of the given index, returning the head type Hif it is zero and performing
a lookup in the tail vector Lotherwise. The destructors TVHead and TVTail and the
14 Simulating Large Eliminations in Cedille
data TVFoldR (F: ?→?→?): Πn: Nat. κTyVec (succ n) →?→?
= tvFoldRZ : ∀L: κTyVec num1. ∀X: ?. TpEq ·X·(TVHead zero ·L) ⇒
TVFoldR zero ·L·X
| tvFoldRS : ∀n: Nat. ∀L: κTyVec (add num2 n).
∀Ih: ?. TVFoldR n ·(TVTail (succ n) ·L) ·Ih →
∀X: ?. TpEq ·X·(F ·(TVHead (succ n) ·L) ·Ih) ⇒
TVFoldR (succ n) ·L·X
Figure 18 Relational encoding of TVFold
ArrTp : Πn: Nat. κTpVec (succ n) →?
ArrTp = TVFold ·(λX: ?.λY: ?. X →Y)
ArrTpVec m n ·L = ArrTp n (TVMap ·(λA: ?. Vec ·A m) (succ n) ·L)
vrepeat : ∀A: ?.Πn: Nat. A →Vec ·A n
vapp : ∀A: ?.∀B: ?.∀n: Nat. Vec ·(A →B) n →Vec ·A n →Vec ·B n
nvecMap : Πm: Nat. Πn: Nat. ∀L: κTpVec (succ n). ArrTp n ·L→ArrTpVec m n ·L
nvecMap m n ·Lf=gon·L (vrepeat m f)
where
go : Πn: Nat. ∀L: κTpVec (succ n) →Vec ·(ArrTp n ·L) →ArrTpVec m n ·L
go zero ·L fs = fs
go (succ n) ·L fs = λxs. go n ·(TVTail (succ n) ·L) (vapp -m fs xs)
Figure 19 Arity-generic map
mapping function TVMap are defined as expected. The fold operation, TVFold, is given as
a large elimination of the Nat argument; in the successor case, the recursive call is made on
the tail of the given type vector L.
Unlike the previous examples of large eliminations we have considered, TVFold computes
a type constructor (of kind κTyVec (succ n)→?). We therefore show its relational encoding
as TVFoldR in Figure 18. As the figure suggests, little of the method of simulation described
in Section 3 needs changing to accommodate this higher-kinded type constructor.
INote. As noted in Remark 1, TpEq does not admit a general substitution principle.
Concerning TVFold, this means if Fis not congruent with respect to type equality in its
second argument, then for types of the form TVFold ·F(succ (succ n)) ·Lwe can simulate
only one computation step.
4.3.2 ArrTp and nvecMap
We are now ready to define the arity-generic vector operation nvecMap, shown in Figure 19.
We begin with ArrTp, the large elimination that computes the type A1→ · · · → An→An+1
as a fold over a vector of types L= (Ai)i∈{1···n+1}. The type Vec·A1m→. . . →Vec·Anm→
Vec ·An+1 mis then constructed simply by composing ArrTp nwith a map over Ltaking
each entry Aito the type Vec ·Aim, shown in ArrTpVec.
For nvecMap, we use vrepeat to create mreplicas of the given n-ary function argument f,
then invoke the helper function go which is defined by recursion over n. In the zero case, fs
has type Vec ·(TVHead zero ·L)m, which is equal to the expected type (by the computation
laws for ArrTp; we can prove that Vec respects type equality). In the successor case, fs is a
C. Jenkins and A. Marmaduke and A. Stump 15
RespTpEq2 : ΠF: ?→?→?.?
RespTpEq2 ·F = ∀A1: ?.∀A2: ?. TpEq ·A1 ·A2 ⇒
∀B1: ?.∀B2: ?. TpEq ·B1 ·B2 ⇒
TpEq ·(F ·A1 ·B1) ·(F ·A2 ·B2)
tvFoldZC’ : ∀F: ?→?→?. RespTpEq2 ·F⇒
∀X: ?. TpEq ·(TVFold zero ·(TVCons zero ·X·TVNil)) ·X
tvFoldSC’ : ∀F: ?→?→?. RespTpEq2 ·F⇒
∀n: Nat. ∀X: ?.∀L: κTyVec (succ n).
TpEq ·(TVFold (succ n) ·(TVCons (succ n) ·X·L)) ·(F ·X·(TVFold n ·L))
Figure 20 Variant computation laws for TVFold
vector of functions whose type is equal to
TVHead (succ n)·L→ArrTp n·(TVTail (succ n)·L)
and the expected type is
Vec ·(TVHead (succ n)·L)m→ArrTpVec m n ·(TVTail (succ n)·L)
so we assume such a vector xs, use vapp to apply each function of fs point-wise to the
elements of xs, then recurse to consume the remaining arguments.
IRemark 5. The high-level syntax we use to present TVCons and TVFold obscures the
fact that additional lemmas are needed to effectively use the latter on type vectors built
with the former. These lemmas are tvFoldZC 0and tvFoldSC 0in Figure 20, and they may be
understood as providing alternative computation laws for TVFold when it is applied to type
vectors of the form TVCons n·X·Land to type constructors Fthat respect extensional
type equality in both arguments.
5 Generic Simulation
We now generalize the approach outlined in Section 3 and derive simulated large eliminations
generically (here meaning parametrically) for datatypes. For this, we first review Mender-
style iteration and the generic framework of Firsov et al. [12] for inductive Mendler-style
lambda encodings of datatypes in Cedille. Then, for an arbitrary positive datatype signature
we define a notion of a Mendler-style algebra at the level of types, overcoming a technical
difficulty arising from Cedille’s truncated sort hierarchy, and show a sufficient condition for
type-level algebras to yield a simulated large elimination.
5.1 Mendler-style Iteration and Encodings
We briefly review the datatype iteration scheme à la Mendler. Originally proposed by Mend-
ler [22] as a method of impredicatively encoding datatypes, Uustalu and Vene have shown
that it forms the basis of an alternative categorical semantics of inductive datatypes [30],
and the same have advocated the Mendler style of coding recursion as more idiomatic than
the classical formulation of structured recursion schemes [31].
IDefinition 6 (Mendler-style iteration).Let F:?→?be a positive type scheme. The
datatype with signature Fis µF with constructor in :F·µF →µF. The Mendler-style
iteration scheme for µF is described by the typing and computation law given for fold below:
16 Simulating Large Eliminations in Cedille
Γ`T:?Γ`a:∀R:?. (R→T)→F·R→T
Γ`fold ·T a :µF →Tfold ·T a (in d) a·µF (fold ·T a)d
In Definition 6, the type T(the carrier) is the type of results we wish to compute, and
the term a(the action) gives a single step of a recursive function, and we call the two of them
together a Mendler-style F-algebra. We understand the type argument Rof the action as a
kind of subtype of the datatype µF — specifically, a subtype containing only predecessors
on which we are allowed to make recursive calls. The first term argument of the action, a
function of type R→T, is the handle for making recursive calls; in the computation law, it
is instantiated to fold ·T a. Finally, the last argument is an “F-collections” of predecessors
of the type R; in the computation law, it is instantiated to the collection of predecessors
d:F µF of the datatype value in d.
Monotonic ·F=∀X:?. ∀Y:?. Cast ·X·Y⇒Cast ·(F·X)·(F·Y)
PrfAlg ·F m ·P=∀R:?. ∀c:Cast ·R·µF.
(Π x:R. P (cast -c x)) →Πxs :F·R. P (in -m-cxs)
Γ`F:?→?
Γ`µF :?
Γ`F:?→?Γ`m:Monotonic ·F
Γ`in -m:∀R:?. Cast ·R·µF ⇒F·R→µF
Γ`F:?→?Γ`m:Monotonic ·F
Γ`out -m:µF →F·µF
Γ`F:?→?Γ`m:Monotonic ·F
Γ`ind -m:∀P:µF →?. PrfAlg ·F m ·P→Πx:µF . P x
|ind -m·P a (in -m·R-cxs)|=βη |a·R-c(λ x. ind -m·P a (cast -c x)) xs|
|out -m(in -m·R-cxs)|=βη |xs|
Figure 21 Axiomatic summary of the generic framework of Firsov et al. [12]
Generic framework for Mendler-style datatypes Figure 21 gives an axiomatic summary
of the generic framework of Firsov et al. [12] for deriving efficient Mendler-style lambda
encodings of datatypes with induction. In all inference rules save the type formation rule of
µ, the datatype signature Fis required to be Monotonic (that is, positive).
in is the datatype constructor. For the developments in this section, we find the Mendler-
style presentation given in the figure more convenient than the classical type of in.
out is the datatype destructor, revealing the F-collection of predecessors used to con-
struct the given value.
PrfAlg is a generalization of Mendler-style algebras to dependent types. Compared to
the earlier discussion:
the carrier is a predicate P:µF →?instead of a type;
the informal intuition that Ris a subtype of the datatype µF is made explicit by
requiring a type inclusion of the former into the latter; and
given a handle for invoking the inductive hypothesis on predecessors of type Rand
an F-collection of such predecessors, a P-proof F-algebra action must show that P
holds for the value constructed from these predecessors using in.
C. Jenkins and A. Marmaduke and A. Stump 17
ind gives the induction principle: to prove a property Pfor an arbitrary term of type
µF , it suffices to give a P-proof F-algebra.
5.2 Mendler-style Type Algebras
Like other (well-founded) recursive definitions, a large elimination can be expressed as a fold
of an algebra. In theories with a universe hierarchy, expressing this algebra is no difficult
task: the signature Fcan be universe polymorphic so that its application to either a type
or kind is well-formed. This is not the case for Cedille, however, which has a truncated
hierarchy of sorts and no sort polymorphism. More specifically, there is no way to express
a classical F-algebra on the level of types, e.g., a kind (F ?)→?, as it is not possible to
define a function on the level of kinds (which Fwould need to be).
Thankfully, this difficulty disappears when the type algebra is expressed in the Mendler
style! This is because Fdoes not need to be applied to the kind (?) of previously com-
puted types, only to the universally quantified type R. Instead, types are computed from
predecessors using an assumption of kind R→?.
κAlgTy = ΠR: ?. Cast ·R·µF→(R →?)→F·R→?.
AlgTyResp : κAlgTy →?
=λA: κAlgTy.
∀R1: ?.∀R2: ?.∀c1: Cast ·R1 ·µF. ∀c2: Cast ·R2 ·µF.
∀Ih1: R1 →?.∀Ih2: R2 →?.
(Πr1: R1. Πr2: R2. { r1 'r2 } →TpEq ·(Ih1 r1) ·(Ih2 r2)) →
Πxs1: F ·R1. Πxs2: F ·R2. { xs1 'xs2 } →
TpEq ·(A ·R1 c1 ·Ih1 xs1) ·(A ·R2 c2 ·Ih2 xs2) .
Figure 22 Mendler-style type algebras
Figure 22 shows the definition κAlgTy of the kind of Mendler-style type algebras with
carrier ?(henceforth we will refer to the actions of type algebras simply as algebra). Just
as in the concrete derivation of Section 3, we require that type algebras must respect type
equality. This condition is codified in the figure as AlgTyResp, which says:
given two subtypes R1and R2of µF (which need not be equal),
and two inductive hypotheses Ih1and Ih2for computing types from values of type R1
and R2, resp.,
that return equal types on equal terms, then
we have that the type algebra Areturns equal types on equal F-collections of predecessors
(where the types of predecessors are resp. R1and R2).
IExample 7. Let F·R= 1+Rbe the signature of natural numbers with zeroF :∀R:?. F ·R
and succF :∀R:?. R →F·Rthe signature’s injections. The Mendler-style type algebra for
n-ary functions over type Tis:
NaryAlg : κAlgTy
NaryAlg ·R c Ih (zeroF ·R) = T
NaryAlg ·R c Ih (succF ·Rn)=T→Ih n
Inspecting this definition, we see it indeed satisfies the above condition on type algebras,
with the proof sketch as follows. Assuming xs1and xs2such that {xs1'xs2}, we may
proceed by considering the cases where both are formed by the same injection. In the
18 Simulating Large Eliminations in Cedille
data FoldR : µF→?→?
= foldRIn
:∀R: ?.∀c: Cast ·R·µF. ∀xs: F ·R.
∀Ih: R →?. (Πx: R. FoldR (cast -c x) ·(Ih x)) →
∀X: ?. TpEq ·X·(A ·R c ·Ih xs) ⇒FoldR (in -c xs) ·X
Fold : µF→?
Fold x = ∀X: ?. FoldR x ·X⇒X .
foldRResp : ∀x: µF. ∀X1: ?. FoldR x ·X1 → ∀ X2: ?. TpEq ·X1 ·X2 ⇒FoldR x ·X2
foldRUnique : ∀x: µF. ∀X1: ?. FoldR x ·X1 → ∀ X2: ?. FoldR x ·X2 →TpEq ·X1 ·X2
foldREx : Πx: µF. FoldR x ·(Fold x)
Figure 23 Generic large elimination
zeroF case, the algebra returns T, which is equal to itself; in the succF case, we have
{succF x1'succF x2}for some x1:R1and x2:R2, so by injectivity of succF we have
{x1'x2}. We conclude by using our assumption to obtain that TpEq ·(Ih1x1)·(Ih2x2)
and a lemma that the arrow type constructor respects type equality.
IRemark 8. We again note that, in the definition of AlgTyResp, the two assumed subtypes
R1and R2need not be equal. As a consequence, in order to satisfy this condition the type
produced by the algebra should not depend on its type argument R. A high-level surface
language implementation for large eliminations in Cedille could require that the bound type
variable Ronly occurs in type arguments of term subexpressions. As definitional equality
of types is modulo erasure of typing annotations in term subexpressions, this would ensure
that the meaning (extent) of the type does not depend on R.
5.3 Relational Folds of Type Algebras
Figure 23 gives the definition of FoldR, a GADT expressing the fold of a type level algebra
A:κAlgTy over µF as a functional relation (Aand Fare parameters to the definition). It
has a single constructor, foldRIn, corresponding to the single generic constructor in of the
datatype, whose type we read as follows:
given a subtype Rof µF and a collection of predecessors xs :F·R, and
a function Ih :R→?that, for every element xin its domain, produces a type related
(by FoldR) to that element, then
the datatype value constructed from xs is related to all types that are equal to A·R c·Ih xs.
Just as in Section 3, to show that the inductive relation given by FoldR determines a
function (from µF to equivalence classes of types), we define a canonical name (Fold) for
the types determined by the datatype elements and prove that the relation satisfies three
properties: it respects type equality, and every datatype element (uniquely) determines a
type. The proofs of respectfulness and existence properties proceed similarly to the concrete
proofs given for n-ary functions (see the code repository for full details). In the proof of
uniqueness, shown in Figure 24, we use the condition on type algebras.
Proof idea (uniqueness). By induction on the two FoldR arguments, we know that the
argument x:µF has the form in ·R1-c1xs1and also the form in ·R2-c2xs2(this is
what the [−,−]notation means), where xs1:F·R1and xs2:F·R2. We therefore have
|xs1|=βη |xs2|(but not that R1and R2are equal).
C. Jenkins and A. Marmaduke and A. Stump 19
foldRUnique : ∀x: µF. ∀T1: ?. FoldR x ·T1 → ∀ T2: ?. FoldR x ·T2 →TpEq ·T1 ·T2
foldRUnique -([in ·R1 -c1 xs1 , in ·R2 -c2 xs2])
·T1 (foldR ·R1 -c1 xs1 ·Ih1 rec1 ·T1 -eqT1)
·T2 (foldR ·R2 -c2 xs2 ·Ih2 rec2 ·T2 -eqT2)
= trans -eqT1 -(trans -eqA -(sym -eqT2))
where
ih : Πr1: R1. Πr2: R2. { r1 'r2 } →TpEq ·(X1 r1) ·(X2 r2)
ih [r1 , r2] r2 β= foldRUnique -(cast -c1 r1) ·(Ih1 r1) (rec1 r1) ·(Ih2 r2) (rec2 r2)
eqA : TpEq ·(A ·R1 c1 ·Ih1 xs1) ·(A ·R2 c2 ·Ih2 xs2)
eqA = AC ·R1 ·R2 -c1 -c2 ·Ih1 ·Ih2 ih xs1 xs2 β
Figure 24 Uniqueness proof for FoldR
To make use of the assumption AC :κAlgTyResp ·A(a parameter to the derivation), we
must show that all equal terms of the two subtypes R1and R2are mapped by Ih1and Ih2
to equal types. This is obtained by invoking the inductive hypothesis on values returned by
each reci: Π x:Ri.FoldR (cast -ci)·(Ihix)(for 1≤i≤2) revealed by pattern matching
(in ih, we again use the notation [r1, r2]to indicate that pattern matching on the proof of
equality gives us that r1and r2are equal, but not that R1and R2are). J
IRemark 9. At present, we are unable to express in a single definition folds over type-
constructor algebras with arbitrarily kinded carriers. Thus, while this result is parametric in
a datatype signature, it must be repeated once for each type constructor kind. This process
is however entirely mechanical, so an implementation of a higher-level surface language
for large eliminations in Cedille could elaborate each variant of the derivation as needed,
removing the burden of writing boilerplate code.
6 Related Work
CDLE In an earlier formulation of CDLE [26], Stump proposed a mechanism called lifting
which allowed simply typed terms to be lifted to the level of types. While adequate for
both proving constructor disjointness for natural numbers and enabling some type-generic
programming (such as formatted printing in the style of printf), its presence significantly
complicated the meta-theory of CDLE and its expressive ability was found to be incom-
plete [27]. Lifting was subsequently removed from the theory, replaced with the simpler δ
axiom for proof discrimination.
Marmaduke et al. [21] described a method of encoding datatype signatures that enables
constructor subtyping (à la Barthe and Frade [3]) with zero-cost type coercions. A key
technique for this result was the use of intersection types and equational constraints to
simulate (again with type coercions) the computation of types by case analysis on terms —
that is, non-recursive large eliminations. Their method of simulation is therefore suitable
for expressing type algebras, but not their folds.
MLTT and CC Smith [25] showed that disjointness of datatype constructors was not prov-
able in Martin-Löf type theory without large eliminations by exhibiting a model of types
with only two elements — a singleton set and the empty set. In the calculus of construc-
tions, Werner [33] showed that disjointness of constructors would be contradictory by using
an erasure procedure to extract System Fωterms and types, showing that a proof of 16= 0 in
20 Simulating Large Eliminations in Cedille
CC would imply a proof of (∀X:?. X →X)→ ∀ X:?. X in Fω.Proof irrelevance is central
to both results. Since in CDLE proof relevance is axiomatized with δ, this paper can be
viewed as a kind of converse to these results: large eliminations enable proof discrimination,
and proof discrimination together with extensional type equality enable the simulation of
large eliminations.
GADT Semantics Our simulation of large eliminations rests upon a semantics of GADTs
which (intuitively) interprets them as the least set generated by their constructors. How-
ever, the semantics of GADTs is a subject which remains under investigation. Johann and
Polonsky [18] recently proposed a semantics which makes them functorial, but in which
the above-given intuition fails to hold. In subsequent work, Johann et al. [17] explain that
GADTs whose semantics are instead based on impredicative encodings (in which case they
are not in general functorial) may be equivalently expressed using explicit type equalities.
Though they exclude functorial semantics for GADTs in CDLE, the presence of type equalit-
ies (both implicit in the semantics and the explicit uses of derived extensional type equality)
are essential for defining a relational simulation of large eliminations.
7 Conclusion and Future Work
We have shown that large eliminations may be simulated in CDLE using a derived exten-
sional type equality, zero-cost type coercions, and GADTs to inductively define functional
relations. This result overcomes seemingly significant technical obstacles, chiefly CDLE’s
lack of primitive inductive types and universe polymorphism, and is made possible by an
axiom for proof discrimination. To demonstrate the effectiveness of the simulation, we ex-
amine several case studies involving type- and arity-generic programming. Additionally, we
have shown that the simulation may be derived generically (that is, parametric in a datatype
signature) with Mendler-style type algebras satisfying a certain condition with respect to
type equality.
Syntax In this paper, we have chosen to present code examples using a high-level syntax
to improve readability. While the current version of Cedille [10] supports surface language
syntax for datatype declarations and recursion, syntax for large eliminations remains future
work. Support for this requires addressing (at least) two issues. First, it requires a sound
criterion for determining when the type algebra denoted by the surface syntax satisfies
the condition AlgTyResp (Section 5.2). We conjecture that a simple syntactic occurrence
check, along the lines outlined in Remark 8, for erased arguments will suffice. Second, it is
desirable that the type coercions that simulate the computation laws of a large elimination
be automatically inferred using a subtyping system based on coercions [20, 28].
Semantics As discussed in Remark 1, the derived form of extensional type equality used
in our simulation lacks a substitution principle. However, we claim that such a principle is
validated by CDLE’s semantics [27], wherein types are interpreted as sets of (βη-equivalence
classes of) terms of untyped lambda calculus. Under this semantics, a proof of extensional
type equality in the syntax implies equality of the semantic objects. We are therefore optim-
istic that CDLE may be soundly extended with a kind-indexed family of type constructor
equalities with an extensional introduction form and substitution for its elimination form,
removing all limitations of the simulation of large eliminations.
C. Jenkins and A. Marmaduke and A. Stump 21
References
1Stuart F. Allen, Mark Bickford, Robert L. Constable, Richard Eaton, Christoph Kreitz, Lori
Lorigo, and E. Moran. Innovations in computational type theory using Nuprl. J. Applied
Logic, 4(4):428–469, 2006. doi:10.1016/j.jal.2005.10.005.
2Robert Atkey. Syntax and semantics of quantitative type theory. In Anuj Dawar and
Erich Grädel, editors, Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in
Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018, pages 56–65. ACM, 2018.
doi:10.1145/3209108.3209189.
3Gilles Barthe and Maria João Frade. Constructor subtyping. In S. Doaitse Swierstra,
editor, Programming Languages and Systems, 8th European Symposium on Programming,
ESOP’99, Held as Part of the European Joint Conferences on the Theory and Prac-
tice of Software, ETAPS’99, Amsterdam, The Netherlands, 22-28 March, 1999, Proceed-
ings, volume 1576 of Lecture Notes in Computer Science, pages 109–127. Springer, 1999.
doi:10.1007/3-540-49099-X\_8.
4Rod M Burstall and Joseph A Goguen. Algebras, theories and freeness: An introduction for
computer scientists. In Theoretical Foundations of Programming Methodology, pages 329–349.
Springer, 1982.
5C. Böhm, M. Dezani-Ciancaglini, P. Peretti, and S.Ronchi Della Rocca. A discrim-
ination algorithm inside λ-β-calculus. Theoretical Computer Science, 8(3):271 – 291,
1979. URL: http://www.sciencedirect.com/science/article/pii/0304397579900148,
doi:https://doi.org/10.1016/0304-3975(79)90014-8.
6James Chapman, Pierre-Évariste Dagand, Conor McBride, and Peter Morris. The gentle art of
levitation. In Proceeding of the 15th ACM SIGPLAN international conference on Functional
programming, ICFP 2010, Baltimore, Maryland, USA, September 27-29, 2010, pages 3–14,
2010. doi:10.1145/1863543.1863547.
7Thierry Coquand and Christine Paulin. Inductively defined types. In Per Martin-Löf and
Grigori Mints, editors, COLOG-88, International Conference on Computer Logic, Tal linn,
USSR, December 1988, Proceedings, volume 417 of Lecture Notes in Computer Science, pages
50–66. Springer, 1988. doi:10.1007/3-540-52335-9\_47.
8Pierre-Évariste Dagand. A cosmology of datatypes : reusability and depend-
ent types. PhD thesis, University of Strathclyde, Glasgow, UK, 2013. URL:
http://oleg.lib.strath.ac.uk/R/?func=dbin-jump-full&object_id=22713.
9Pierre-Evariste Dagand and Conor McBride. Elaborating inductive definitions, 2012.
arXiv:1210.6390.
10 Cedille development team. Cedille v1.2.1. https://github.com/cedille/cedille.
11 Larry Diehl, Denis Firsov, and Aaron Stump. Generic zero-cost reuse for depend-
ent types. Proc. ACM Program. Lang., 2(ICFP):104:1–104:30, jul 2018. URL:
http://doi.acm.org/10.1145/3236799,doi:10.1145/3236799.
12 Denis Firsov, Richard Blair, and Aaron Stump. Efficient Mendler-style lambda-encodings
in Cedille. In Jeremy Avigad and Assia Mahboubi, editors, Interactive Theorem Prov-
ing - 9th International Conference, ITP 2018, Held as Part of the Federated Logic Con-
ference, FloC 2018, Oxford, UK, July 9-12, 2018, Proceedings, volume 10895 of Lecture
Notes in Computer Science, pages 235–252, Cham, 2018. Springer International Publishing.
doi:10.1007/978-3-319-94821-8\_14.
13 Denis Firsov and Aaron Stump. Generic derivation of induction for impredicative encodings
in cedille. In Proceedings of the 7th ACM SIGPLAN International Conference on Certified
Programs and Proofs, CPP 2018, page 215–227, New York, NY, USA, 2018. Association
for Computing Machinery. URL: https://doi-org.proxy.lib.uiowa.edu/10.1145/3167087,
doi:10.1145/3167087.
14 Herman Geuvers. Induction is not derivable in second order dependent type theory. In Samson
Abramsky, editor, International Conference on Typed Lambda Calculi and Applications, pages
166–181, Berlin, Heidelberg, 2001. Springer.
22 Simulating Large Eliminations in Cedille
15 Christopher Jenkins, Colin McDonald, and Aaron Stump. Elaborating inductive definitions
and course-of-values induction in cedille, 2019. arXiv:1903.08233.
16 Christopher Jenkins and Aaron Stump. Monotone recursive types and recursive data repres-
entations in Cedille. To appear in Mathematical Structures for Computer Science, 2021.
17 Patricia Johann, Enrico Ghiorzi, and Daniel Jeffries. Gadts, functoriality, parametri-
city: Pick two. CoRR, abs/2105.03389, 2021. URL: https://arxiv.org/abs/2105.03389,
arXiv:2105.03389.
18 Patricia Johann and Andrew Polonsky. Higher-kinded data types: Syntax and semantics. In
34th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2019, Vancouver,
BC, Canada, June 24-27, 2019, pages 1–13. IEEE, 2019. doi:10.1109/LICS.2019.8785657.
19 Alexei Kopylov. Dependent intersection: A new way of defining records in type theory.
In Proceedings of 18th IEEE Symposium on Logic in Computer Science (LICS 2003), 22-
25 June 2003, Ottawa, Canada, LICS ’03, pages 86–95. IEEE Computer Society, 2003.
doi:10.1109/LICS.2003.1210048.
20 Zhaohui Luo. Coercive subtyping. J. Logic and Computation, 9(1):105–130, 1999.
doi:10.1093/logcom/9.1.105.
21 Andrew Marmaduke, Christopher Jenkins, and Aaron Stump. Zero-cost constructor subtyp-
ing. In IFL 2020: Proceedings of the 32nd Symposium on Implementation and Application
of Functional Languages, IFL 2020, page 93–103, New York, NY, USA, 2020. Association for
Computing Machinery. doi:10.1145/3462172.3462194.
22 N. P. Mendler. Recursive types and type constraints in second-order lambda calculus. In
Proceedings of the Symposium on Logic in Computer Science, (LICS ’87), pages 30–36, Los
Alamitos, CA, June 1987. IEEE Computer Society.
23 Alexandre Miquel. The implicit calculus of constructions: Extending pure type systems with
an intersection type binder and subtyping. In Proceedings of the 5th International Conference
on Typed Lambda Calculi and Applications, TLCA’01, page 344–359, Berlin, Heidelberg, 2001.
Springer-Verlag. doi:10.1007/3-540-45413-6\_27.
24 Jan M. Smith. An interpretation of Martin-Löf’s type theory in a type-free theory of propos-
itions. J. Symb. Log., 49(3):730–753, 1984. doi:10.2307/2274128.
25 Jan M. Smith. The independence of Peano’s fourth axiom from Martin-Lof’s type theory
without universes. J. Symb. Log., 53(3):840–845, 1988. doi:10.2307/2274575.
26 Aaron Stump. The calculus of dependent lambda eliminations. J. Funct. Program., 27:e14,
2017. doi:10.1017/S0956796817000053.
27 Aaron Stump and Christopher Jenkins. Syntax and semantics of Cedille. Manuscript, 2018.
URL: http://arxiv.org/abs/1806.04709,arXiv:1806.04709.
28 Nikhil Swamy, Michael W. Hicks, and Gavin M. Bierman. A theory of typed coercions
and its applications. In Graham Hutton and Andrew P. Tolmach, editors, Proceeding
of the 14th ACM SIGPLAN international conference on Functional programming, ICFP
2009, Edinburgh, Scotland, UK, August 31 - September 2, 2009, pages 329–340. ACM, 2009.
doi:10.1145/1596550.1596598.
29 The Coq Development Team. The Coq Reference Manual, version 8.13, 2021. Available
electronically at https://coq.github.io/doc/v8.13/refman/.
30 Tarmo Uustalu and Varmo Vene. Mendler-style inductive types, categor-
ically. Nordic Journal of Computing, 6(3):343–361, Sep 1999. URL:
http://dl.acm.org/citation.cfm?id=774455.774462.
31 Tarmo Uustalu and Varmo Vene. Coding recursion a la Mendler (extended abstract). In Proc.
of the 2nd Workshop on Generic Programming, WGP 2000, Technical Report UU-CS-2000-19,
pages 69–85. Dept. of Computer Science, Utrecht University, 2000.
32 Stephanie Weirich and Chris Casinghino. Generic programming with dependent types. In
Jeremy Gibbons, editor, Generic and Indexed Programming - International Spring School,
SSGIP 2010, Oxford, UK, March 22-26, 2010, Revised Lectures, volume 7470 of Lecture Notes
in Computer Science, pages 217–258. Springer, 2010. doi:10.1007/978- 3-642- 32202-0\_5.
C. Jenkins and A. Marmaduke and A. Stump 23
33 Benjamin Werner. A normalization proof for an impredicative type system with large elimin-
ation over integers. In Bengt Nordström, Kent Petersson, and Gordon Plotkin, editors, Proc.
of the 1992 Workshop on Types for Proofs and Programs, pages 341–357, June 1992.
34 Hongwei Xi, Chiyan Chen, and Gang Chen. Guarded recursive datatype constructors. In Alex
Aiken and Greg Morrisett, editors, Conference Record of POPL 2003: The 30th SIGPLAN-
SIGACT Symposium on Principles of Programming Languages, New Orleans, Louisisana,
USA, January 15-17, 2003, pages 224–235. ACM, 2003. doi:10.1145/604131.604150.