Holide

Several proof assistants have implemented HOL (see Section 2.3.2) following the LCF approach: a small and simple kernel implements the rules of the logic and exports an abstract type of theorems. The proof assistants of the HOL family usually implementQ₀, a classical presentation of HOL taking only equality and a choice operator as primitives [7].

OpenTheory is a package manager for HOL libraries of proofs developed and maintained by Hurd [99]. Each OpenTheory package is composed of article les containing the proofs.

All proof assistants of the HOL family can import OpenTheory article les and most of them can also export their developments to the OpenTheory article format. OpenTheory standard library is generated by exporting most of HOL Light standard library.

Holide [13] is a translator of HOL to Dedukti. It takes OpenTheory article les with the .art extension as input and produces Dedukti les with the .dk extension as output.

The Dedukti les generated by Holide depend on a small hand-written Dedukti le hol.dk representing HOL type system and logic:

# NAME hol . (; HOL Types ;) def type : Type. bool : type . ind : type .

def arr : type -> type -> type . (; HOL Terms ;)

def term : type -> Type.

[a,b] term ( arr a b) --> term a -> term b.

eq : a : type -> term ( arr a ( arr a bool )).

select : a : type -> term ( arr ( arr a bool ) a).

(; HOL Proofs ;)

def proof : term bool -> Type. (; Axioms of Q0 ;)

REFL : a : type -> t : term a -> proof (eq a t t).

3.5. TRANSLATING LOGICAL SYSTEMS IN DEDUKTI

ABS_THM : a : type ->

b : type ->

f : ( term a -> term b) ->

g : ( term a -> term b) ->

(x : term a -> proof (eq b (f x) (g x ))) ->

proof (eq ( arr a b) f g).

APP_THM : a : type ->

b : type ->

f : term ( arr a b) ->

g : term ( arr a b) ->

x : term a ->

y : term a ->

proof (eq ( arr a b) f g) ->

proof (eq a x y) ->

proof (eq b (f x) (g y )).

PROP_EXT : p : term bool -> q : term bool ->

( proof q -> proof p) ->

( proof p -> proof q) ->

proof (eq bool p q).

EQ_MP : p : term bool -> q : term bool ->

proof (eq bool p q) ->

proof p ->

proof q.

def BETA_CONV (a : type ) (b : type )

(f : term a -> term b) (u : term a) := REFL b (f u).

In this signature, bool represents the type o of propositions, ind represents the type ι of individuals, and arr a b represents the arrow type a → b. Thanks to the rewrite rule [a, b]term (arr a b) --> term a -> term b, we can translate HOL application by Dedukti application and HOL abstraction by Dedukti abstraction. eqrepresents equality, select is the choice symbol and the axiomsREFLto EQ_MP are the axioms ofQ₀ presented in Section 2.3.2. Since Dedukti conversion extends β-conversion, the axiom EQ_MP of Q₀ can be derived.

OpenTheory and Holide have been extended by Shuai to also take implication and universal quantication as primitives. This extension of OpenTheory and Holide is called Holala [171]. Holala requires a slightly bigger presentation of the logic but it leads to smaller proofs and, most importantly for our purpose, to a shallower translation since implication and universal quantication can directly be mapped to Dedukti arrow type and dependent product. The le hol.dk used by Holala extends the previous one as follows:

imp : term bool -> term bool -> term bool .

3.5. TRANSLATING LOGICAL SYSTEMS IN DEDUKTI

forall : a : type -> ( term ( arr a bool ) -> ( term bool )).

[p,q] proof ( imp p q) --> proof p -> proof q.

[a,p] proof ( forall a p) --> x : term a -> proof (p x).

In Part IV, we use the Holala version of OpenTheory and Holide. The article les can be produced from the modied version of HOL Light available at https://github.com/

airobert/holala and the Holala version of Holide needed to translate them to Dedukti is available on the holala branch at https://gforge.inria.fr/projects/holide.

3.5. TRANSLATING LOGICAL SYSTEMS IN DEDUKTI

Part II

Object Calculi in Dedukti

OBJECT CALCULI IN DEDUKTI

Object-oriented programming languages are nowadays the dominant programming paradigm. By regrouping inside objects data and operations on them, object-oriented languages focus on abstraction, maintaining invariants, code reuse through modularity, while also breaking the rigidity of modules thanks to redenition and overloading.

Despite the popularity of object-oriented languages in the programming world, purely functional languages are often preferred in proof systems because it is easier to enforce termination by a typing discipline in the context of purely functional languages. We are aware of two systems mixing object-oriented mechanisms with proof techniques: Yarrow, a type system based on pure type systems with subtyping [176], and FoCaLiZe, an envi- ronment for certied programming that we are going to discuss at length in Parts III and IV.

Dedukti is both a programming language and a dependent type system. Termination in Dedukti is not mandatory and it is a good experimentation platform for the encoding of object-oriented languages. Such encodings can be a starting point for the design of a dependent type system for objects able to express proofs as methods.

With their gain of popularity in the 90s, object-oriented languages raised theoretical interest. They were connected with functional type systems, especially System F^ω_<:, through several encodings [148, 35]. However, encoding simple object-oriented languages into a system as complex as System F^ω_<: was found unsatisfactory and foundational calculi for the object-oriented paradigm started to be designed.

Theλ-calculus of objects [73] is an extension ofλ-calculus with a few object primitives:

calling a method (sending a message), updating a method (replacing its denition by an- other one), and extending an object by a new method. Several, slightly dierent, type systems have been proposed for this calculus: subtyping is proposed in [74], type anno- tations (making type-checking decidable) are added in [116], typing of incomplete objects (objects missing some methods but already usable as prototypes) is added in [32], typing of methods extending the object type is added in [64].

Abadi and Cardeli [2] proposed ς-calculi, a family of purely object-oriented calculi which simplify the λ-calculus of objects by restricting the object primitives to selection

OBJECT CALCULI IN DEDUKTI

and update only and by removingλ-abstraction and application. These calculi correspond to common type systems for functional languages based onλ-calculus. Inς-calculi however, subtyping and recursive types play a more important role than in functional type systems.

λ-abstraction and application are easy to encode inς-calculi but extending an object by a new method cannot be done in a polymorphic way inς-calculi because the type correspond- ing to the notion of the current object with an extra method is not expressible (and adding it would lead to a system very similar toλ-calculus of objects). Hence ς-calculi are a form of restriction of the λ-calculus of objects which lead to smaller foundational calculi. This restriction also allows to consider simpler type disciplines such as simple types, whereas type systems for the λ-calculus of objects require polymorphism.

ς-calculi and theλ-calculus of objects are foundations for object-based (or prototype- based) programming language such as Self and Javascript but they can also encode classes.

A functional class-based core of the Java language, named Featherweight Java [100], has also emerged as a framework for studying extensions of Java independently.

These calculi have been embedded in proof systems such as Isabelle [75, 93] and Coq [120, 49] but none of these embeddings preserves the reduction behaviour for two reasons:

1. these proof systems require all functions to terminate and object calculi do not try to enforce termination

2. the motivation for most of these encodings was to prove properties of the reduction relation such as conuence and subject reduction, which is not possible to do in a semantics-preserving encoding.

Reduction-preserving encodings of objects have been designed in the context of rewrit- ing logic (in theρ-calculus [51, 50] and in the Maude system [52]). However, the resulting object-oriented languages are untyped and the encodings seem not to be easily adaptable to typing.

We propose a shallow encoding of the simply-typedς-calculus in Dedukti. The notion of shallow embedding is generally not precisely dened but in this context we call a translation shallow when it preserves variable binding, typing, and operational semantics.

OBJECT CALCULI IN DEDUKTI

In Chapter 4, we present the simply-typed ς-calculus and its shallow translation in Dedukti. The simply-typed ς-calculus is the simplest of the typed object calculi. It lacks the most interesting feature of type systems for object-oriented languages: subtyping. In Chapter 5, we extend our shallow embedding of the simply-typedς-calculus to subtyping.

The Chapter 6 is devoted to our implementation.

OBJECT CALCULI IN DEDUKTI

Chapter 4

Simply-Typed ς -Calculus in Dedukti

The simply-typedς-calculus is the simplest typedς-calculus. It has been introduced by Abadi and Cardeli in [1]. In this chapter, we rst recall its denition in Section 4.1, then embed it in Dedukti in two steps. The rst step is as shallow as possible while remaining strongly terminating. The second step drops the termination restriction to obtain a fully shallow embedding. The terminating translation is dened in Sections 4.2, 4.3, and 4.4 and the shallow translation is dened in Section 4.5.

4.1 Simply-Typed ς -Calculus

The simply-typedς-calculus is similar to the simply-typedλ-calculus that we presented in Section 2.2 but to be used as a core calculus for object-oriented languages instead of functional languages. In this section, we present the syntax of the types and the terms of the calculus, the typing rules, and the operational semantics. We conclude this section by small examples of encodings of programming constructs in the ς-calculus.