-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathproofs.tex
executable file
·254 lines (227 loc) · 9.8 KB
/
proofs.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
\subsection{Correctness of Declarative Subtyping}\label{sec:declsub-correct}
%% -----------------------------------------------------------------------------
\begin{figure}
\begin{mathpar}
\fbox{$\bjmtch{\ty}{\ty'}$}\\
\inferrule*[right=MT-CName]
{ }
{ \bjmtch{\cname}{\cname} }
\\
\inferrule[MT-IntReal]
{ }
{ \bjmtch{\tyint}{\tyreal} }
\inferrule[MT-FltReal]
{ }
{ \bjmtch{\tyflt}{\tyreal} }
\\
\inferrule[MT-IntNum]
{ }
{ \bjmtch{\tyint}{\tynum} }
\inferrule[MT-FltNum]
{ }
{ \bjmtch{\tyflt}{\tynum} }
\inferrule[MT-CmplxNum]
{ }
{ \bjmtch{\tycmplx}{\tynum} }
\\
\inferrule*[right=MT-Pair]
{ \bjmtch{\vty_1}{\ty_1} \\ \bjmtch{\vty_2}{\ty_2} }
{ \bjmtch{\typair{\vty_1}{\vty_2}}{\typair{\ty_1}{\ty_2}} }
\\
\inferrule*[right=MT-Union1]
{ \bjmtch{\vty}{\ty_1} }
{ \bjmtch{\vty}{\tyunion{\ty_1}{\ty_2}} }
\inferrule*[right=MT-Union2]
{ \bjmtch{\vty}{\ty_2} }
{ \bjmtch{\vty}{\tyunion{\ty_1}{\ty_2}} }
\end{mathpar}
\caption{Matching relation in \BetaJulia}
\label{fig:bjsem-match}
\end{figure}
In order to show correctness of declarative subtyping,
we need to prove that the declarative definition of subtyping
is sound and complete with respect to the semantic definition.
Formally, we write this statement as:
\begin{equation}\label{eq:declsub-correct-truesemsub}
\forall \ty_1, \ty_2.\ (\bjsub{\ty_1}{\ty_2} \iff \bjtruesemsub{\ty_1}{\ty_2}).
\end{equation}
Instead of directly proving~\eqref{eq:declsub-correct-truesemsub},
it is more convenient to prove the equivalence of declarative subtyping
to the following relation
(referred to as \defemph{matching-based semantic subtyping}):
\begin{equation}\label{eq:semsub-def}
\bjsemsub{\ty_1}{\ty_2} \quad \defsign \quad
\forall \vty.\ (\bjmtch{\vty}{\ty_1} \implies\ \bjmtch{\vty}{\ty_2}).
\end{equation}
The definition~\eqref{eq:semsub-def}
relies on the relation $\bjmtch{\vty}{\ty}$
(defined in~\figref{fig:bjsem-match}), read ``tag~\vty matches type~\ty'',
which we call the \defemph{matching relation}.
Tag-based and matching-based semantic subtyping relations
are equivalent:
%\begin{equation}
\[
\forall \ty_1, \ty_2.\
(\bjsemsub{\ty_1}{\ty_2} \iff \bjtruesemsub{\ty_1}{\ty_2}).
\]
%\end{equation}
To see why, let us recall that tag-based semantic subtyping~\eqref{eq:truesemsub-def}
is defined as $\interpty{\ty_1} \subseteq \interpty{\ty_2}$
and the subset relation $X \subseteq Y$ as
$\forall x.\ (x \in X \implies x \in Y)$.
Therefore, the definition~\eqref{eq:truesemsub-def} can be
rewritten as:
\begin{equation}\label{eq:truesemsub-def-new}
\bjtruesemsub{\ty_1}{\ty_2} \;\defsign \;
%\interpty{\ty_1} \subseteq \interpty{\ty_2} \; \defsign \;
\forall \vty.\ (\vty \in \interpty{\ty_1} \implies \vty \in \interpty{\ty_2}).
\end{equation}
It is easy to show by induction on \ty that the matching relation
is equivalent to the belongs-to relation $\vty \in \interpty{\ty}$.
Therefore, the definitions~\eqref{eq:semsub-def}
and~\eqref{eq:truesemsub-def-new} are also equivalent.
Since $\bjtruesemsub{\ty_1}{\ty_2}$ is equivalent to $\bjsemsub{\ty_1}{\ty_2}$
and the equivalence relation $\iff$ is transitive,
it suffices to prove the following theorem
to show~\eqref{eq:declsub-correct-truesemsub}.
\begin{theorem}[Correctness of Declarative Subtyping]\label{thm:declsub-correct}
\[
\forall \ty_1, \ty_2.\ (\bjsub{\ty_1}{\ty_2} \iff\ \bjsemsub{\ty_1}{\ty_2})
\]
\end{theorem}
The full proof of~\thmref{thm:declsub-correct} is
Coq-mechanized~\cite{bib:MiniJlCoq},
so we only discuss some key aspects and leave details to the proof.
First, subtyping a value type coincides with matching:
\begin{equation}\label{eq:mtch-eq-declsub}
\forall \vty, \ty.\ (\bjsub{\vty}{\ty} \iff\ \bjmtch{\vty}{\ty}).
\end{equation}
Having that, we can prove
$\bjsub{\ty_1}{\ty_2} \implies \bjsemsub{\ty_1}{\ty_2}$,
i.e. the soundness direction of~\thmref{thm:declsub-correct}
(below, we embed the definition~\eqref{eq:semsub-def} of
matching-based semantic subtyping):
\begin{equation}\label{eq:declsub-imp-semsub}
\forall \ty_1, \ty_2.\
(\bjsub{\ty_1}{\ty_2} \implies\
\forall \vty.\ [\bjmtch{\vty}{\ty_1} \implies\ \bjmtch{\vty}{\ty_2}]).
\end{equation}
Knowing $\bjsub{\ty_1}{\ty_2}$ and $\bjmtch{\vty}{\ty_1}$,
we need to show that $\bjmtch{\vty}{\ty_2}$.
First, by applying~\eqref{eq:mtch-eq-declsub} to $\bjmtch{\vty}{\ty_1}$,
we get $\bjsub{\vty}{\ty_1}$.
Then, $\bjsub{\vty}{\ty_2}$ follows from $\bjsub{\vty}{\ty_1}$
and $\bjsub{\ty_1}{\ty_2}$ by transitivity.
Finally, by applying~\eqref{eq:mtch-eq-declsub} again,
we get $\bjmtch{\vty}{\ty_2}$. \qed
The other direction of~\thmref{thm:declsub-correct} is more challenging:
\begin{equation}\label{eq:declsub-complete}
\forall \ty_1, \ty_2.\
(\bjsemsub{\ty_1}{\ty_2} \implies\ \bjsub{\ty_1}{\ty_2}).
\end{equation}
The key observation here is that~\eqref{eq:declsub-complete} can be shown
for $\ty_1$ in \emph{normal form},
i.e. $\ty_1 \equiv \vty_1 \cup \vty_2 \cup \ldots \cup \vty_n$
(formally, this fact is denoted by predicate $\InNF(\ty_1)$
defined in~\figref{fig:bjsem-innf}, \appref{app:nf}):
\begin{equation}\label{eq:nf-declsub-complete}
\forall \ty_1, \ty_2 \Alt \InNF(\ty_1).\
(\bjsemsub{\ty_1}{\ty_2} \implies\ \bjsub{\ty_1}{\ty_2}).
\end{equation}
In this case, in the definition~\eqref{eq:semsub-def}
of $\bjsemsub{\ty_1}{\ty_2}$, the only
value types $\vty$ that match $\ty_1$ and $\ty_2$ are $\vty_i$ of $\ty_1$.
By~\eqref{eq:mtch-eq-declsub}, we know that matching implies subtyping,
so we conclude that all $\bjsub{\vty_i}{\ty_2}$.
From the latter, it is easy to show that
$\bjsub{(\vty_1 \cup \vty_2 \cup \ldots \cup \vty_n)}{\ty_2}$ because,
according to the \RD{UnionL} rule,
subtyping of the left-hand side union amounts to subtyping its components.
To show~\eqref{eq:declsub-complete}, we need several more facts
in addition to~\eqref{eq:nf-declsub-complete}.
\begin{itemize}
\item Function $\NF$ produces a type in normal form:
\begin{equation}\label{eq:nf-innf}
\forall \ty.\ \InNF(\NF(\ty)).
\end{equation}
\item Normalized type is equivalent to the source type:
\begin{equation}\label{eq:nf-declsub-eq}
\forall \ty.\;\ \bjsub{\NF(\ty)}{\ty}\ \land\ \bjsub{\ty}{\NF(\ty)}.
\end{equation}
\item Normalization preserves the subtyping relation:
\begin{equation}\label{eq:nf-semsub}
\forall \ty_1, \ty_2.\
(\bjsemsub{\ty_1}{\ty_2} \implies\ \bjsemsub{\NF(\ty_1)}{\ty_2}).
\end{equation}
\end{itemize}
To prove~\eqref{eq:declsub-complete}, we need to show $\bjsub{\ty_1}{\ty_2}$
given $\bjsemsub{\ty_1}{\ty_2}$.
For this, we first apply~\eqref{eq:nf-semsub} to $\bjsemsub{\ty_1}{\ty_2}$,
which gives $\bjsemsub{\NF(\ty_1)}{\ty_2}$.
Then we can apply~\eqref{eq:nf-declsub-complete} to the latter
because of~\eqref{eq:nf-innf} to get $\bjsub{\NF(\ty_1)}{\ty_2}$.
Finally, \eqref{eq:nf-declsub-eq} and transitivity
gives $\bjsub{\ty_1}{\ty_2}$. \qed
\subsection{Reductive Subtyping}\label{sec:redsub-correct}
%% -----------------------------------------------------------------------------
Since we have already shown that declarative subtyping is
equivalent to semantic subtyping, it suffices to show that
reductive subtyping is equivalent to declarative subtyping:
\begin{theorem}[Correctness of Reductive Subtyping]\label{thm:redsub-correct}
\[
\forall \ty_1, \ty_2.\ (\bjsubr{\ty_1}{\ty_2} \iff\ \bjsub{\ty_1}{\ty_2})
\]
\end{theorem}
The proof is split into two parts: soundness and completeness.
For soundness (completeness),
%by induction on $\bjsubr{\ty_1}{\ty_2}$ ($\bjsub{\ty_1}{\ty_2}$),
we show that for each \RR{}\!rule (\RD{}\!rule) it is possible to build
a corresponding declarative (reductive) derivation
using \RD{}\!rules (\RR{}\!rules).
The soundness direction is mostly straightforward, as most \RR{}\!rules
have an immediate \RD{}\!counterpart (or require one extra application
of transitivity).
In the case of \RR{NF}, the induction hypothesis of the proof,
$\bjsub{\NF(\ty_1)}{\ty_2}$,
and the fact that $\bjsub{\ty_1}{\NF(\ty_1)}$
according to~\eqref{eq:nf-declsub-eq},
allow to conclude $\bjsub{\ty_1}{\ty_2}$.
The challenging part of the proof is to show completeness,
as this requires proving that the reductive definition
is \emph{reflexive}, \emph{transitive}, and \emph{distributive}
(\appref{app:proofs}).
%To prove transitivity and distributivity,
%we need several auxiliary statements:
%\begin{enumerate}
% \item $\bjsubr{\ty}{\ty'}\ \implies\ \bjsubr{\NF(\ty)}{\ty'}$,
% \item $\bjsubr{\NF(\ty_1)}{\NF(\ty_2)}\;\;\ \land\;\; \bjsubr{\NF(\ty_2)}{\ty_3}$\\
% $\implies \bjsubr{\NF(\ty_1)}{\ty_3}$,
% \item $\bjsubr{\NF(\ty)}{\NF(\ty')}\ \implies\ \bjsubr{\ty}{\ty'}$.
%\end{enumerate}
%Having all the facts, we can prove completeness by induction
%on a derivation of $\bjsub{\NF(\ty_1)}{\ty_2}$.
%For details, the reader can refer to the full Coq-proof.
\begin{theorem}[Decidability of Reductive Subtyping]\label{thm:redsub-decidable}
\[
\forall \ty_1, \ty_2.\
(\bjsubr{\ty_1}{\ty_2}\quad \lor\quad \lnot [\bjsubr{\ty_1}{\ty_2}])
\]
\end{theorem}
To prove the theorem,
it suffices to show that reductive subtyping is decidable
when $\ty_1$ is in normal form.
This is done by induction on a derivation of $\InNF(\ty_1)$.
We refer the reader to \appref{app:proofs} for more details.
% By induction on a derivation of $\InNF(\ty_1)$, we can show
% that the reductive subtyping is decidable for $\ty_1 | \InNF(\ty_1)$.
% In this case, $\ty_1$ is either a value type or a union of normalized types.
% If it is a value type, subtyping is equivalent to matching,
% and matching is decidable.
% If $\ty_1$ is a union $\tyunion{\ty_a}{\ty_b}$,
% we use induction hypothesis for components and the fact that
% subtyping union on the left-hand side
% $\bjsubr{\tyunion{\ty_a}{\ty_b}}{\ty'}$ implies $\bjsubr{\ty_a}{\ty'}$
% and $\bjsubr{\ty_b}{\ty'}$.
% Since $\InNF(\NF(\ty_1))$, we can use the decidability
% of $\bjsubr{\NF(\ty_1)}{\ty_2}$ to prove decidability
% of $\bjsubr{\ty_1}{\ty_2}$.