TypecheckingA Typechecker for STLC

The has_type relation of the STLC defines what it means for a term to belong to a type (in some context). But it doesn't, by itself, give us an algorithm for checking whether or not a term is well typed.

Fortunately, the rules defining has_type are syntax directed -- that is, for every syntactic form of the language, there is just one rule that can be used to give a type to terms of that form. This makes it straightforward to translate the typing rules into clauses of a typechecking function that takes a term and a context and either returns the term's type or else signals that the term is not typable.

This short chapter constructs such a function and proves it correct.

Set Warnings "-notation-overridden,-parsing".
From Coq Require Import Bool.Bool.
From PLF Require Import Maps.
From PLF Require Import Smallstep.
From PLF Require Import Stlc.
From PLF Require MoreStlc.

Module STLCTypes.
Export STLC.

Comparing Types

First, we need a function to compare two types for equality...

Fixpoint eqb_ty (T₁ T₂:ty) : bool :=
  match T₁,T₂ with
  | Bool, Bool ⇒
      true
  | Arrow T₁₁ T₁₂, Arrow T₂₁ T₂₂ ⇒
      andb (eqb_ty T₁₁ T₂₁) (eqb_ty T₁₂ T₂₂)
  | _,_ ⇒
      false
  end.

... and we need to establish the usual two-way connection between the boolean result returned by eqb_ty and the logical proposition that its inputs are equal.

Lemma eqb_ty_refl : ∀ T₁,
eqb_ty T₁ T₁ = true.

Proof.
  intros T₁. induction T₁; simpl.
    reflexivity.
    rewrite IHT1_1. rewrite IHT1_2. reflexivity. Qed.

Lemma eqb_ty__eq : ∀ T₁ T₂,
eqb_ty T₁ T₂ = true → T₁ = T₂.

Proof with auto.
  intros T₁. induction T₁; intros T₂ Hbeq; destruct T₂; inversion Hbeq.
  - (* T₁=Bool *)
    reflexivity.
  - (* T₁=Arrow T1_1 T1_2 *)
    rewrite andb_true_iff in H₀. inversion H₀ as [Hbeq1 Hbeq2].
    apply IHT1_1 in Hbeq1. apply IHT1_2 in Hbeq2. subst... Qed.

End STLCTypes.

The Typechecker

The typechecker works by walking over the structure of the given term, returning either Some T or None. Each time we make a recursive call to find out the types of the subterms, we need to pattern-match on the results to make sure that they are not None. Also, in the app case, we use pattern matching to extract the left- and right-hand sides of the function's arrow type (and fail if the type of the function is not Arrow T₁₁ T₁₂ for some T₁₁ and T₁₂).

Module FirstTry.
Import STLCTypes.

Fixpoint type_check (Gamma : context) (t : tm) : option ty :=
  match t with
  | var x ⇒
      Gamma x
  | abs x T₁₁ t₁₂ ⇒
      match type_check (update Gamma x T₁₁) t₁₂ with
      | Some T₁₂ ⇒ Some (Arrow T₁₁ T₁₂)
      | _ ⇒ None
      end
  | app t₁ t₂ ⇒
      match type_check Gamma t₁, type_check Gamma t₂ with
      | Some (Arrow T₁₁ T₁₂),Some T₂ ⇒
          if eqb_ty T₁₁ T₂ then Some T₁₂ else None
      | _,_ ⇒ None
      end
  | tru ⇒
      Some Bool
  | fls ⇒
      Some Bool
  | test guard t f ⇒
      match type_check Gamma guard with
      | Some Bool ⇒
          match type_check Gamma t, type_check Gamma f with
          | Some T₁, Some T₂ ⇒
              if eqb_ty T₁ T₂ then Some T₁ else None
          | _,_ ⇒ None
          end
      | _ ⇒ None
      end
  end.

End FirstTry.

Digression: Improving the Notation

Before we consider the properties of this algorithm, let's write it out again in a cleaner way, using "monadic" notations in the style of Haskell to streamline the plumbing of options. First, we define a notation for composing two potentially failing (i.e., option-returning) computations:

Notation " x <- e₁ ;; e₂" := (match e₁ with
                              | Some x ⇒ e₂
                              | None ⇒ None
                              end)
         (right associativity, at level 60).

Second, we define return and fail as synonyms for Some and None:

Notation " 'return' e "
:= (Some e) (at level 60).

Notation " 'fail' "
:= None.

Module STLCChecker.
Import STLCTypes.

Now we can write the same type-checking function in a more imperative-looking style using these notations.

Fixpoint type_check (Gamma : context) (t : tm) : option ty :=
  match t with
  | var x ⇒
      match Gamma x with
      | Some T ⇒ return T
      | None ⇒ fail
      end
  | abs x T₁₁ t₁₂ ⇒
      T₁₂ <- type_check (update Gamma x T₁₁) t₁₂ ;;
      return (Arrow T₁₁ T₁₂ )
  | app t₁ t₂ ⇒
      T₁ <- type_check Gamma t₁ ;;
      T₂ <- type_check Gamma t₂ ;;
      match T₁ with
      | Arrow T₁₁ T₁₂ ⇒
          if eqb_ty T₁₁ T₂ then return T₁₂ else fail
      | _ ⇒ fail
      end
  | tru ⇒
      return Bool
  | fls ⇒
      return Bool
  | test guard t₁ t₂ ⇒
      Tguard <- type_check Gamma guard ;;
      T₁ <- type_check Gamma t₁ ;;
      T₂ <- type_check Gamma t₂ ;;
      match Tguard with
      | Bool ⇒
          if eqb_ty T₁ T₂ then return T₁ else fail
      | _ ⇒ fail
      end
  end.

Properties

To verify that the typechecking algorithm is correct, we show that it is sound and complete for the original has_type relation -- that is, type_check and has_type define the same partial function.

Theorem type_checking_sound : ∀ Gamma t T,
type_check Gamma t = Some T → has_type Gamma t T.

Proof with eauto.
  intros Gamma t. generalize dependent Gamma.
  induction t; intros Gamma T Htc; inversion Htc.
  - (* var *) rename s into x. destruct (Gamma x) eqn:H.
    rename t into T'. inversion H₀. subst. eauto. solve_by_invert.
  - (* app *)
    remember (type_check Gamma t₁) as TO₁.
    destruct TO₁ as [T₁|]; try solve_by_invert;
    destruct T₁ as [|T₁₁ T₁₂]; try solve_by_invert;
    remember (type_check Gamma t₂) as TO₂;
    destruct TO₂ as [T₂|]; try solve_by_invert.
    destruct (eqb_ty T₁₁ T₂) eqn: Heqb.
    apply eqb_ty__eq in Heqb.
    inversion H₀; subst...
    inversion H₀.
  - (* abs *)
    rename s into x. rename t into T₁.
    remember (update Gamma x T₁) as G'.
    remember (type_check G' t₀) as TO₂.
    destruct TO₂; try solve_by_invert.
    inversion H₀; subst...
  - (* tru *) eauto.
  - (* fls *) eauto.
  - (* test *)
    remember (type_check Gamma t₁) as TOc.
    remember (type_check Gamma t₂) as TO₁.
    remember (type_check Gamma t₃) as TO₂.
    destruct TOc as [Tc|]; try solve_by_invert.
    destruct Tc; try solve_by_invert;
    destruct TO₁ as [T₁|]; try solve_by_invert;
    destruct TO₂ as [T₂|]; try solve_by_invert.
    destruct (eqb_ty T₁ T₂) eqn:Heqb;
    try solve_by_invert.
    apply eqb_ty__eq in Heqb.
    inversion H₀. subst. subst...
Qed.

Theorem type_checking_complete : ∀ Gamma t T,
has_type Gamma t T → type_check Gamma t = Some T.

Proof with auto.
  intros Gamma t T Hty.
  induction Hty; simpl.
  - (* T_Var *) destruct (Gamma x₀) eqn:H₀; assumption.
  - (* T_Abs *) rewrite IHHty...
  - (* T_App *)
    rewrite IHHty1. rewrite IHHty2.
    rewrite (eqb_ty_refl T₁₁)...
  - (* T_True *) eauto.
  - (* T_False *) eauto.
  - (* T_If *) rewrite IHHty1. rewrite IHHty2.
    rewrite IHHty3. rewrite (eqb_ty_refl T)...
Qed.

End STLCChecker.

Exercises

练习：5 星, standard (typechecker_extensions)

In this exercise we'll extend the typechecker to deal with the extended features discussed in chapter MoreStlc. Your job is to fill in the omitted cases in the following.

Module TypecheckerExtensions.
(* 请勿修改下面这一行： *)
Definition manual_grade_for_type_checking_sound : option (nat ×string) := None.
(* 请勿修改下面这一行： *)
Definition manual_grade_for_type_checking_complete : option (nat ×string) := None.
Import MoreStlc.
Import STLCExtended.

Fixpoint eqb_ty (T₁ T₂ : ty) : bool :=
  match T₁,T₂ with
  | Nat, Nat ⇒
      true
  | Unit, Unit ⇒
      true
  | Arrow T₁₁ T₁₂, Arrow T₂₁ T₂₂ ⇒
      andb (eqb_ty T₁₁ T₂₁) (eqb_ty T₁₂ T₂₂)
  | Prod T₁₁ T₁₂, Prod T₂₁ T₂₂ ⇒
      andb (eqb_ty T₁₁ T₂₁) (eqb_ty T₁₂ T₂₂)
  | Sum T₁₁ T₁₂, Sum T₂₁ T₂₂ ⇒
      andb (eqb_ty T₁₁ T₂₁) (eqb_ty T₁₂ T₂₂)
  | List T₁₁, List T₂₁ ⇒
      eqb_ty T₁₁ T₂₁
  | _,_ ⇒
      false
  end.

Lemma eqb_ty_refl : ∀ T₁,
  eqb_ty T₁ T₁ = true.
Proof.
  intros T₁.
  induction T₁; simpl;
    try reflexivity;
    try (rewrite IHT1_1; rewrite IHT1_2; reflexivity);
    try (rewrite IHT1; reflexivity). Qed.

Lemma eqb_ty__eq : ∀ T₁ T₂,
  eqb_ty T₁ T₂ = true → T₁ = T₂.
Proof.
  intros T₁.
  induction T₁; intros T₂ Hbeq; destruct T₂; inversion Hbeq;
    try reflexivity;
    try (rewrite andb_true_iff in H₀; inversion H₀ as [Hbeq1 Hbeq2];
         apply IHT1_1 in Hbeq1; apply IHT1_2 in Hbeq2; subst; auto);
    try (apply IHT1 in Hbeq; subst; auto).
Qed.

Fixpoint type_check (Gamma : context) (t : tm) : option ty :=
  match t with
  | var x ⇒
      match Gamma x with
      | Some T ⇒ return T
      | None ⇒ fail
      end
  | abs x₁ T₁ t₂ ⇒
      T₂ <- type_check (update Gamma x₁ T₁) t₂ ;;
      return (Arrow T₁ T₂ )
  | app t₁ t₂ ⇒
      T₁ <- type_check Gamma t₁ ;;
      T₂ <- type_check Gamma t₂ ;;
      match T₁ with
      | Arrow T₁₁ T₁₂ ⇒
          if eqb_ty T₁₁ T₂ then return T₁₂ else fail
      | _ ⇒ fail
      end
  | const _ ⇒
      return Nat
  | scc t₁ ⇒
      T₁ <- type_check Gamma t₁ ;;
      match T₁ with
      | Nat ⇒ return Nat
      | _ ⇒ fail
      end
  | prd t₁ ⇒
      T₁ <- type_check Gamma t₁ ;;
      match T₁ with
      | Nat ⇒ return Nat
      | _ ⇒ fail
      end
  | mlt t₁ t₂ ⇒
      T₁ <- type_check Gamma t₁ ;;
      T₂ <- type_check Gamma t₂ ;;
      match T₁, T₂ with
      | Nat, Nat ⇒ return Nat
      | _,_ ⇒ fail
      end
  | test0 guard t f ⇒
      Tguard <- type_check Gamma guard ;;
      T₁ <- type_check Gamma t ;;
      T₂ <- type_check Gamma f ;;
      match Tguard with
      | Nat ⇒ if eqb_ty T₁ T₂ then return T₁ else fail
      | _ ⇒ fail
      end

  (* Complete the following cases. *)

  (* sums *)
  (* 请在此处解答 *)
  (* lists (the tlcase is given for free) *)
  (* 请在此处解答 *)
  | tlcase t₀ t₁ x₂₁ x₂₂ t₂ ⇒
      match type_check Gamma t₀ with
      | Some (List T) ⇒
          match type_check Gamma t₁,
                type_check (update (update Gamma x₂₂ (List T)) x₂₁ T) t₂ with
          | Some T₁', Some T₂' ⇒
              if eqb_ty T₁' T₂' then Some T₁' else None
          | _,_ ⇒ None
          end
      | _ ⇒ None
      end
  (* unit *)
  (* 请在此处解答 *)
  (* pairs *)
  (* 请在此处解答 *)
  (* let *)
  (* 请在此处解答 *)
  (* fix *)
  (* 请在此处解答 *)
  | _ ⇒ None (* ... and delete this line when you complete the exercise. *)
  end.

Just for fun, we'll do the soundness proof with just a bit more automation than above, using these "mega-tactics":

Ltac invert_typecheck Gamma t T :=
  remember (type_check Gamma t) as TO;
  destruct TO as [T|];
  try solve_by_invert; try (inversion H₀; eauto); try (subst; eauto).

Ltac analyze T T₁ T₂ :=
destruct T as [T₁ T₂| |T₁ T₂|T₁| |T₁ T₂]; try solve_by_invert.

Ltac fully_invert_typecheck Gamma t T T₁ T₂ :=
  let TX := fresh T in
  remember (type_check Gamma t) as TO;
  destruct TO as [TX|]; try solve_by_invert;
  destruct TX as [T₁ T₂| |T₁ T₂|T₁| |T₁ T₂];
  try solve_by_invert; try (inversion H₀; eauto); try (subst; eauto).

Ltac case_equality S T :=
destruct (eqb_ty S T) eqn: Heqb;
inversion H₀; apply eqb_ty__eq in Heqb; subst; subst; eauto.

Theorem type_checking_sound : ∀ Gamma t T,
  type_check Gamma t = Some T → has_type Gamma t T.
Proof with eauto.
  intros Gamma t. generalize dependent Gamma.
  induction t; intros Gamma T Htc; inversion Htc.
  - (* var *) rename s into x. destruct (Gamma x) eqn:H.
    rename t into T'. inversion H₀. subst. eauto. solve_by_invert.
  - (* app *)
    invert_typecheck Gamma t₁ T₁.
    invert_typecheck Gamma t₂ T₂.
    analyze T₁ T₁₁ T₁₂.
    case_equality T₁₁ T₂.
  - (* abs *)
    rename s into x. rename t into T₁.
    remember (update Gamma x T₁) as Gamma'.
    invert_typecheck Gamma' t₀ T₀.
  - (* const *) eauto.
  - (* scc *)
    rename t into t₁.
    fully_invert_typecheck Gamma t₁ T₁ T₁₁ T₁₂.
  - (* prd *)
    rename t into t₁.
    fully_invert_typecheck Gamma t₁ T₁ T₁₁ T₁₂.
  - (* mlt *)
    invert_typecheck Gamma t₁ T₁.
    invert_typecheck Gamma t₂ T₂.
    analyze T₁ T₁₁ T₁₂; analyze T₂ T₂₁ T₂₂.
    inversion H₀. subst. eauto.
  - (* test0 *)
    invert_typecheck Gamma t₁ T₁.
    invert_typecheck Gamma t₂ T₂.
    invert_typecheck Gamma t₃ T₃.
    destruct T₁; try solve_by_invert.
    case_equality T₂ T₃.
  (* 请在此处解答 *)
  - (* tlcase *)
    rename s into x₃₁. rename s₀ into x₃₂.
    fully_invert_typecheck Gamma t₁ T₁ T₁₁ T₁₂.
    invert_typecheck Gamma t₂ T₂.
    remember (update (update Gamma x₃₂ (List T₁₁)) x₃₁ T₁₁) as Gamma'2.
    invert_typecheck Gamma'2 t₃ T₃.
    case_equality T₂ T₃.
  (* 请在此处解答 *)
Qed.

Theorem type_checking_complete : ∀ Gamma t T,
  has_type Gamma t T → type_check Gamma t = Some T.
Proof.
  intros Gamma t T Hty.
  induction Hty; simpl;
    try (rewrite IHHty);
    try (rewrite IHHty1);
    try (rewrite IHHty2);
    try (rewrite IHHty3);
    try (rewrite (eqb_ty_refl T));
    try (rewrite (eqb_ty_refl T₁));
    try (rewrite (eqb_ty_refl T₂));
    eauto.
  - destruct (Gamma x); try solve_by_invert. eauto.
  Admitted. (* ... and delete this line *)
(*
Qed. (* ... and uncomment this one *)
*)
End TypecheckerExtensions.
☐

练习：5 星, standard, optional (stlc_step_function)

Above, we showed how to write a typechecking function and prove it sound and complete for the typing relation. Do the same for the operational semantics -- i.e., write a function stepf of type tm → option tm and prove that it is sound and complete with respect to step from chapter MoreStlc.

Module StepFunction.
Import MoreStlc.
Import STLCExtended.

(* Operational semantics as a Coq function. *)
Fixpoint stepf (t : tm) : option tm
(* 将本行替换成 ":= _你的_定义_ ." *). Admitted.

(* Soundness of stepf. *)
Theorem sound_stepf : ∀ t t',
stepf t = Some t' → t --> t'.
Proof. (* 请在此处解答 *) Admitted.

(* Completeness of stepf. *)
Theorem complete_stepf : ∀ t t',
t --> t' → stepf t = Some t'.
Proof. (* 请在此处解答 *) Admitted.

End StepFunction.
☐

练习：5 星, standard, optional (stlc_impl)

Using the Imp parser described in the ImpParser chapter of Logical Foundations as a guide, build a parser for extended STLC programs. Combine it with the typechecking and stepping functions from the above exercises to yield a complete typechecker and interpreter for this language.

Module StlcImpl.
Import StepFunction.

(* 请在此处解答 *)
End StlcImpl.
☐

(* 2022-03-14 05:28:23 (UTC+00) *)