Definitional Functoriality for Dependent (Sub)Types

Abstract

Dependently typed proof assistant rely crucially on definitional equality, which relates types and terms that are automatically identified in the underlying type theory. This paper extends type theory with definitional functor laws, equations satisfied propositionally by a large class of container-like type constructors \(F : {\text {Type}}\rightarrow {\text {Type}}\), equipped with a \(\textrm{map}_{F} {{\,\mathrm{:}\,}}(A \rightarrow B) \rightarrow F\,A \rightarrow F\,B\), such as lists or trees. Promoting these equations to definitional ones strengthens the theory, enabling slicker proofs and more automation for functorial type constructors. This extension is used to modularly justify a structural form of coercive subtyping, propagating subtyping through type formers in a map-like fashion. We show that the resulting notion of coercive subtyping, thanks to the extra definitional equations, is equivalent to a natural and implicit form of subsumptive subtyping. The key result of decidability of type-checking in a dependent type system with functor laws for lists has been entirely mechanized in Coq.

1 Introduction

Dependent type theory is the foundation of many proof assistants: Coq [53], Lean [43], Agda [5], Idris [14], F\(^{\star }\) [51]. At its heart lies definitional equality, an equational theory that is automatically decided by the implementation of these proof systems. The more expressive definitional equality is, the less work is requested from users to identify objects. However, there is a fundamental tension at play: making the equational theory too rich leads to both practical and theoretical issues, the most prominent one being the undecidability of definitional equality. This default plagues the otherwise appealing Extensional Type Theory (ETT) [39], a type theory which makes every provable equality definitional, thus making ETT rather impractical as a basis for a proof assistant [15]. As a result, to design usable proof assistants we need to carve out a well-behaved equational theory, that strikes the right balance between expressivity and decidability. In this paper, we show that we can maintain this subtle balance while extending intensional type theory with \(\textrm{map}\) operations making the functorial character of type formers explicit, and satisfying definitional functor laws. We prove in particular that definitional equality and type-checking remain decidable in this extension, that we dub .

The \(\textrm{map}\) primitives introduced in have a computational behaviour reminiscent of structural subtyping, which propagates existing subtyping structurally through type-formers, and should satisfy reflexivity and transitivity laws similar to the functor laws. Guided by the design of , we devise a second system, , with explicit coercions witnessing structural subtyping. To gauge the expressivity of , we relate it to a third system, , where subtyping is implicit, as users of a type system should expect. A simple translation \(\left| \cdot \right| \) from to erases coercions. We show that this erasure can be inverted, elaborating coercions back. For this to be type preserving, it is crucial that satisfies our new definitional equalities, which allows us to reflect the equations implicitly satisfied in due to coercions being transparent. Fig. 1 synthesizes the three theories that we introduce and their relationships. They all extend Martin-Löf Type Theory (MLTT) [39]. Let us now explore in more detail these three systems.

Fig. 1.

Relation between MLTT, , and . Arrows denote type-and-conversion-preserving translations between type theories. The dashed arrow is conjectural.

Functors and Their Laws The notion of functor is pervasive both in mathematics [38] and functional programming [34], capturing the concept of a parametrized construction applying to objects and their transformations. Reformulated in type theory, a type former \(F : \textrm{dom}(F) \rightarrow {\text {Type}}\) is a functor when it is equipped with an operation \(\textrm{map}_{F}\,f : F\,A \rightarrow F\,B\) for any morphism \(f : \textrm{hom}_{F}(A,B)\) between two objects A,B in the domain \(\textrm{dom}(F)\) of F. Here, \(\textrm{dom}(F)\) must be endowed with the structure of a category¹, with specified composition \(\circ ^{F}\) and identities \({\text {id}}^{F}\), and \(\textrm{map}_{F}\) must preserve those:

These two equations are known as the functor laws. For many container-like functors, such as \({{\,\mathrm{{\textbf {List}}}\,}}A\), lists of elements taken in a type A, a \(\textrm{map}\) function can be defined in vanilla type theory such that these equations can be shown propositionally, e.g. by induction. Such propositional equations need however to be used explicitly, putting an extra burden on users and possibly causing coherence issues typical when working with propositional equalities [54]. This is not acceptable: such simple and natural identifications should hold definitionally!

Example 1 (Representation Change)

Consider a dataset of pairs of a number and a boolean, represented as a list. For compatibility purpose, we may need to embed these pairs into a larger dataset using

Going from one dataset to the other amounts to mapping either glue or its left inverse glue_retr, which forgets the extra field:

$$\begin{aligned} \textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,\texttt {glue} \quad &: {{\,\mathrm{{\textbf {List}}}\,}}~\{ a : {{\,\mathrm{{{\textbf {N}}}}\,}}; b : {{\,\mathrm{{\textbf {B}}}\,}}\} \rightarrow {{\,\mathrm{{\textbf {List}}}\,}}~\{ x : {{\,\mathrm{{\textbf {B}}}\,}}; y : {{\,\mathrm{{{\textbf {N}}}}\,}}; z : {{\,\mathrm{{{\textbf {N}}}}\,}}\}, \\ \textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,\texttt {glue\_retr} \quad &: {{\,\mathrm{{\textbf {List}}}\,}}~\{ x : {{\,\mathrm{{\textbf {B}}}\,}}; y : {{\,\mathrm{{{\textbf {N}}}}\,}}; z : {{\,\mathrm{{{\textbf {N}}}}\,}}\} \rightarrow {{\,\mathrm{{\textbf {List}}}\,}}~\{ a : {{\,\mathrm{{{\textbf {N}}}}\,}}; b : {{\,\mathrm{{\textbf {B}}}\,}}\}. \end{aligned}$$

If the functor laws only hold propositionally, each consecutive simplification of back and forth changes of representation needs to be explicitly lifted to lists, and applied. The uncontrolled accumulation of repetitive proof steps, even as simple as these, can quickly burden proof development. In presence of definitional functor laws, instead, any sequence of representation changes will reduce to a single \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\): the boilerplate of explicitly manipulating the functor laws is handled automatically by the type theory. Moreover, observe that in this example the retraction \(\texttt {glue\_retr} \circ \texttt {glue} \cong {\text {id}}\) is definitional thanks to surjective pairing. Combined with definitional functor laws, the following simplification step is discharged automatically by the type-checker:²

$$\begin{aligned} \textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,\texttt {glue\_retr}~(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,\texttt {glue} ~ l) \cong \textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,{\text {id}}~l \cong l \end{aligned}$$

Note that these equations are valid in any context, in particular under binders, whereas for propositional identifications, rewriting under binders is only possible in presence of the additional axiom of function extensionality.

Example 2 (Coherence of Coercions)

Proof assistants may provide the ability for users to declare automatically-inserted functions acting as glue code (coercions in Coq, instance arguments in Agda, has_coe typeclass in Lean). Working with natural (\({{\,\mathrm{{{\textbf {N}}}}\,}}\)), integer (\(\textbf{Z}\)) and rational (\(\textbf{Q}\)) numbers, we want every \({{\,\mathrm{{{\textbf {N}}}}\,}}\) to be automatically coerced to an integer, and so declare a \({{\,\mathrm{\texttt {natToZ}}\,}}{}\) coercion. Similarly, we can also declare a \({{\,\mathrm{\texttt {ZToQ}}\,}}{}\) coercion. If we write 0 (a \({{\,\mathrm{{{\textbf {N}}}}\,}}\)) where a \(\textbf{Q}\) is expected, this is accepted, and 0 is silently transformed to \({{\,\mathrm{\texttt {ZToQ}}\,}}\ ({{\,\mathrm{\texttt {natToZ}}\,}}\ 0)\).

Now, if we want the same mechanism to apply when we pass the list to a function expecting a \({{\,\mathrm{{\textbf {List}}}\,}}\textbf{Q}\), we need to provide a way to propagate the coercions on lists. We can expect to solve this problem by declaring \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\) as a coercion, too: whenever there is a coercion \(f : A \rightarrow B\), then \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}f\) should be a coercion from \({{\,\mathrm{{\textbf {List}}}\,}}A\) to \({{\,\mathrm{{\textbf {List}}}\,}}B\). However, by doing so, we would cause more trouble than we solve, as there would be two coercions from \({{\,\mathrm{{\textbf {List}}}\,}}{{\,\mathrm{{{\textbf {N}}}}\,}}\) to \({{\,\mathrm{{\textbf {List}}}\,}}\textbf{Q}\), \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}({{\,\mathrm{\texttt {ZToQ}}\,}}\circ {{\,\mathrm{\texttt {natToZ}}\,}})\) and \((\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}{{\,\mathrm{\texttt {ZToQ}}\,}}) \circ (\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}{{\,\mathrm{\texttt {natToZ}}\,}})\). In the absence of definitional functor laws for \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\), these two are not definitionally equal. To add insult to injury, coercions are by default not printed to the user, yielding puzzling error messages like “l and l are not convertible” (!), because one is secretly \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}({{\,\mathrm{\texttt {ZToQ}}\,}}\circ {{\,\mathrm{\texttt {natToZ}}\,}})\ l\) while the other is \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}{{\,\mathrm{\texttt {ZToQ}}\,}}\ (\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}{{\,\mathrm{\texttt {natToZ}}\,}}\ l)\). This makes \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\) virtually unusable with coercions.

Structural Subtyping This last example suggests a connection with subtyping. Subtyping equips the collection of types with a subtyping order \(\preccurlyeq \) that allows to seamlessly transport terms from a subtype to a supertype, i.e. from A to \(A'\) when \(A \preccurlyeq A'\). An important aspect of subtyping is structural subtyping, i.e. how subtyping extends structurally through type formers of the type theory. Typically, we want to have \({{\,\mathrm{{\textbf {List}}}\,}}A \preccurlyeq {{\,\mathrm{{\textbf {List}}}\,}}A'\) whenever \(A \preccurlyeq A'\). In the context of the F\(^{\star }\) program verification platform that heavily uses refinement subtyping, the inability to propagate subtyping on inductive datatypes such as lists has been a long-standing issue that never got solved properly [25]. The absence of structural subtyping also has a history of causing difficulties to Agda [16, 22].

Definitional Equalities for Subtyping From the perspective of users of interactive theorem prover, subtyping should be implicit, transparently providing the expected glue to smoothen the writing of complex statements. From a meta-theoretical perspective, on the other hand, it is useful to explicitly represent all the necessary information of a typing derivation, including where subtyping is used. The first approach is known as subsumptive subtyping, on the left, whereas the latter is embodied by coercive subtyping, on the right:

We want to present subsumptive subtyping to users, but ground the system on the algebraic, better-behaved coercive subtyping. Informally, an application of Sub in the subsumptive type theory should correspond to an application of Coe in the coercive type theory . However, given a derivation \(\mathcal {D}\) of we can apply Sub together with a reflexivity proof to yield a new derivation \(\mathcal {D'}\) with the same conclusion . \(\mathcal {D}\) and \(\mathcal {D'}\) should respectively correspond to terms and in . Since \(t'\) and \(\text {coe}_{A,A}{t'}\) both erase to the same term t, they need to be equated if we want both type theories to be equivalent. Similarly, transitivity of subtyping implies that coercions should compose definitionally, that is should always hold in .

Functor Laws Meet Structural Subtyping Luo et al. [36] showed that the functorial composition law comp-eq is enough to make structural coercive subtyping compose definitionally, because a coercion between lists \(\text {coe}_{{{\,\mathrm{{\textbf {List}}}\,}}A,{{\,\mathrm{{\textbf {List}}}\,}}B}\) behaves just as the function obtained by mapping \(\text {coe}_{A,B}\) on every element of the list. We further investigate this bridge between coercive subtyping and functoriality of type formers, in particular the identity functor law id-eq needed to handle reflexivity of subtyping, and extend Luo et al. [36]’s limited type system to full-blown Martin-Löf Type Theory (MLTT), with universes and large elimination. This understanding leads to a modular design of subtyping: structural subtyping for a type former relies on a functorial structure, and can be considered orthogonally to other type formers of the theory or to the base subtyping. Moreover, definitional functor laws are sufficient to make structural coercive subtyping for any type former expressive and flexible enough to interpret subsumptive subtyping.

Contributions We make the following contributions:

• we design , an extension of MLTT exhibiting the functorial nature of standard type formers (\(\mathop {\Pi },\Sigma ,{{\,\mathrm{{\textbf {List}}}\,}},{{\,\mathrm{{\textbf {W}}}\,}},{{\,\mathrm{{\textbf {Id}}}\,}}, +\)), with definitional functor laws (Section 3);

• we mechanize the metatheory of a substantial fragment of in Coq, extending a formalization of MLTT  [3], proving it is normalizing and has decidable type-checking (Section 4);

• we develop bidirectional presentations for and , which extend MLTT respectively with subsumptive and coercive subtyping;

• we leverage these presentations and the extra functorial equations satisfied by \(\text {coe}\) in to give back and forth, type-preserving translations between the two systems (Section 5).

Detailed proofs and complete typing rules can be found in the extended version of this paper [32]. The mechanized metatheory of Section 4 is provided in [31], completed with a note describing further formalization details.

2 Type Theory and Its Metatheory

We work in the setting of dependent type theories à la Martin-Löf (MLTT) [39], an ideal abstraction of the type theories underlying existing proof assistants such as Agda, Coq, F\(^{\star }\) or Lean. MLTT employs five categories of judgements, characterizing the well-formed contexts (\({\vdash \Gamma }\)), types (\({\Gamma }\vdash {T}\)) and terms (\(\Gamma \vdash {t}: T \)), and providing the equational theory on types (\({\Gamma }\vdash {A}\cong {B}\)) and terms (\({{\Gamma }\vdash {t}\cong {u}:A}\)). Two terms related by this equational theory are said to be definitionally equal or convertible.

Negative Types: Dependent Products and Sums Dependent function types, noted \({\mathop {\Pi }x : A.B}\), are introduced using \(\lambda \)-abstraction \(\lambda x : A. t\) and eliminated with application \(t\,u\). We also include dependent sum types \(\Sigma x : A.B\), introduced with pairs \(({t},{u})_{x.B}\) and eliminated through projections \(\pi _1\,p\) and \(\pi _2\,p\). Both come with an \(\eta \)-law.

Universes of Types Our type theories feature a countable hierarchy of universes \(\textrm{Type}_{i}\). Any inhabitant of a universe is a well-formed type, and, in order to make the presentation compact, we do not repeat rules applying both for universes and types, implicitly assuming that a rule given for terms of some universe \(\textrm{Type}_{i}\) has a counterpart as a type judgement whenever it makes sense.

Positive Types: Inductives As we study the functorial status of type formers, parametrized inductive types are our main focus. Our running example is the type of lists \({{\,\mathrm{{\textbf {List}}}\,}}A\), parametrized by a type A, and inhabited by the empty list \(\varepsilon _{A}\) and the consing of a head \(hd {{\,\mathrm{:}\,}}A\) onto a tail \(tl {{\,\mathrm{:}\,}}{{\,\mathrm{{\textbf {List}}}\,}}A\). Lists are eliminated using the dependent eliminator , which performs induction on the scrutinee s, returning a value in \({P}{\left[ s\right] }\), using the two branches and \(b_{\varepsilon }\). More generally, strictly positive recursive datatypes are often presented in MLTT via \({{\,\mathrm{{\textbf {W}}}\,}}x: A. B\), the type of well-founded trees with nodes labelled by \(a {{\,\mathrm{:}\,}}A\) of arity \(B\,a\). Finally, Martin-Löf’s identity type \({{\,\mathrm{{\textbf {Id}}}\,}}\,A\,x\,y\) represents equalities between two elements x, y : A. A general inductive type scheme is outside the scope of this paper, but the specific types we treat (\({{\,\mathrm{{\textbf {List}}}\,}}\), \({{\,\mathrm{{\textbf {W}}}\,}}\), \({{\,\mathrm{{\textbf {Id}}}\,}}\) and \(+\)) cover all aspects of inductive types: recursion, branching, parameters, and indices. Moreover, they can emulate all indexed inductive types [1, 7, 26], although we will see in Section 3.1 that this encoding interacts poorly with functor laws.

Rules in the Paper Due to space constraints, we focus in the text on the most interesting rules, and on two types: dependent functions and lists. Together, they cover the interesting points of our work: dependent product types have a binder and come with an \(\eta \)-law; lists are a parametrized datatype, for which definitional functor laws are challenging. Complete rules are given in the appendix of [32].

2.1 Metatheoretical Properties

In order to show that the extensions of MLTT from Figure 1 are well-behaved, we establish the following meta-theoretical properties.

In order to be logically sound, a type theory should have no closed term of the empty type, i.e. there should be no t such that \(\vdash {}{t}:{{\,\mathrm{{\textbf {0}}}\,}}\). This consistency property is an easy consequence of canonicity, which characterizes the inhabitants of inductive types in the empty context as those obtained by repeated applications of constructors, up to conversion. Consistency follows, as \({{\,\mathrm{{\textbf {0}}}\,}}\) has no constructor.

A proof assistant should also be able to check whether a proof is valid, i.e. whether a typing judgement is derivable. In a dependent type system where terms essentially encode the structure of derivations, the main obstacle to decidability of typing is that of conversion.

In order to establish both consistency and decidability, we exhibit a function computing normal forms of terms. Inspecting the possible normal forms in the empty context entails canonicity. Moreover, conversion of normal forms is easily decided, and so we can build on normalization to decide conversion. Finally, we can go further, and use normalization to build canonical representatives of typing and conversion derivations, which we rely on to relate our different systems.

A more technical, but equally important property is injectivity of type constructors, for instance that whenever \(\mathop {\Pi }x : A.B \cong \mathop {\Pi }x : A'.B'\), then \(A \cong A'\) and \(B \cong B'\). For dependent type theories, injectivity of type constructors is the main stepping stone towards subject reduction, the fact that reduction is type-preserving, and thus included in conversion.

Fig. 2.

Weak-head reduction and normal forms (t stands for an arbitrary term)

2.2 Neutrals, Normals, and Reduction

Before getting to how we establish these properties, we must introduce a last element: computation. Indeed, most conversion rules can be seen not just as equalities but be oriented as computations to be performed. This leads to the definition of weak-head reduction \(\leadsto ^{\star }\) in Figure 2. Weak-head reduction is the only reduction that is used throughout this article.

The normal forms (\({{\,\textrm{nf}\,}}\)) for weak-head reduction, i.e. the terms that cannot reduce, are inductively characterized at the bottom of Figure 2, together with the companion notion of neutral forms (\({{\,\textrm{ne}\,}}\)). Normal forms can be either a canonical term, starting with a head constructor (for instance, a \(\lambda \)-abstraction or \(\varepsilon \)), or a neutral term. Neutrals are stuck computations, blocked by a variable, e.g. x u is stuck on x and cannot reduce further.

2.3 Proof techniques

Logical Relations Logical relations are our main tool to obtain normalization and canonicity results. At a high-level, we follow the approach of Abel et al. [2], where the logical relation is based on reducibility, a complex predicate on types and terms, which in particular entails the existence of a weak-head normal form. The key property is the fundamental lemma, stating that every well-typed term is reducible, i.e. that the logical relation is a model of MLTT. The existence of (deep) normal forms is obtained through the inspection of reducibility derivations for a term, since they contain iterated reduction steps to a normal form.

We use the logical relation not only to characterize the normal forms of terms but also the conversion between them, showing that a proof of convertibility between two terms can be transformed to a canonical shape interleaving weak-head reduction sequences and congruence steps between weak-head normal forms. We detail in Section 4 the novel challenges we encountered when adapting the approach of Abel et al. [2] to parametrized inductive types.

Fig. 3.

Algorithmic conversion

Fig. 4.

Well-formed inputs (for \(\cong _{\text {h}},\approx _{\text {h}},\rhd _{\text {h}}\), similar to their non-reduced variants)

Bidirectional Typing and Algorithmic Conversion Our second tool is a presentation of conversion and typing that, while still inductively defined, is as close as possible to an actual implementation. Typing is bidirectional [30, 44], i.e. decomposed into type inference and type checking, and essentially follows Lennon-Bertrand [30].³ We use bidirectional typing for its rigid, canonical derivation structure, rather than for its ability to cut down type annotations on terms. Thus, although we use bidirectional judgements, all our terms infer a type, in contrast to what is common in the bidirectional literature [20, 41].

Algorithmic conversion, presented in Figure 3 combines ideas from both bidirectional typing and the presentation of Abel et al. [2]. Crucially, it gets rid entirely of the generic transitivity rule for conversion, and instead uses term-directed reduction, intertwined with comparison of the heads of weak-head normal forms. Algorithmic conversion is mutually defined with a second relation, dedicated to comparing weak-head neutral forms, called when encountering neutrals at positive types. General conversion is “checking”, i.e. taking a type as input, while neutral comparison is “inferring”, i.e. the type is an output. In turn, conversion is used in the following typing rule to compare the inferred type for t with the one it should check against.

Using the consequences of the logical relation, we can show that this algorithmic presentation has many desirable properties. For instance, transitivity is admissible, even though there is no dedicated rule. Collecting the properties derived from the logical relation, we can obtain our second main objective: equivalence between the algorithmic and declarative presentations.

Property 1 (Equivalence of the Presentations)

If \({{\Gamma }\, \vdash \,{t}\, :\, T}\), then \( {\Gamma \, {\vdash } \,t \,{\lhd } \,T}\). Conversely, if \(\vdash {\Gamma }\), \({\Gamma }\vdash {T}\) and \({\Gamma \,{\vdash } \,t \,{\lhd }\, T}\), then \({\Gamma }\, \vdash \, {t}\, :\, T\).

Note that the implication from the bidirectional judgement to the declarative one only holds if the context and type are well-formed. In general, our algorithmic presentations are “garbage-in, garbage-out”: they maintain well-formation of types and contexts, but do not enforce them. Thus, most properties of the algorithmic derivations only hold if their inputs are well-formed, in the sense of Figure 4. Note that in checking and inference modes, while the term is an input, it is of course not assumed to be well-formed in advance, since this is what the judgement itself asserts. This algorithmic, syntax-directed presentation is well suited for implementations and to establish relationships between type systems.

3 A Functorial Type Theory

We develop an extension of MLTT with primitive \(\textrm{map}_{F}\) operations for each parametrized type former F of MLTT, that is \(\mathop {\Pi }\), \(\Sigma \),\(+\), \({{\,\mathrm{{\textbf {List}}}\,}}\), \({{\,\mathrm{{\textbf {W}}}\,}}\), and \({{\,\mathrm{{\textbf {Id}}}\,}}\). These \(\textrm{map}\) operations internalize the functorial character of the type formers,⁴ and by design definitionally satisfy the functor laws for each type former F:

Section 3.1 describes the structure needed on type formers to state their functoriality in . In Section 3.2 we show how definitionally functorial \(\textrm{map}_{F}\) are definable in vanilla MLTT for type formers with an \(\eta \)-law. Section 3.3 introduces the main content of this paper, required to enforce the functor laws on inductive type formers: the extension of the equational theory on neutral terms. We explain the technical design choices needed to define and use the logical relations for and obtain as a consequence that the theory enjoys consistency, canonicity, and decidable conversion and type-checking. We implement these design choices in Coq for a simplified but representative version of , with one universe and the \(\mathop {\Pi }\), \(\Sigma \), \({{\,\mathrm{{\textbf {List}}}\,}}\) and \({{\,\mathrm{{{\textbf {N}}}}\,}}\) type formers, with their respective \(\textrm{map}\) operators. This formalization is detailed in Section 4.

3.1 Functorial Structure on Type Formers

In order to state the functor laws for a type former F, such as \(\mathop {\Pi }, \Sigma , {{\,\mathrm{{\textbf {List}}}\,}}, {{\,\mathrm{{\textbf {W}}}\,}}, {{\,\mathrm{{\textbf {Id}}}\,}}\), we must specify the categorical structures involved. A type former F is parametrized by a telescope of parameters that we collectively refer to as \(\textrm{dom}(F)\), and produces a type. We will always equip the codomain \({\text {Type}}\) of a type former F with the category structure of functions between types, with the standard identity and composition. Note that composition is associative and unital up to conversion, thanks to \(\eta \)-laws on function types.

The domain \(\textrm{dom}(F)\) of a type former must also be equipped with the structure of a category. We introduce the judgement to stand for a substitution in context \(\Delta \) of the telescope of parameters of F. Then, given two such instances \(X_1\) and \(X_2\) of parameters for F, morphisms between \(X_1\) and \(X_2\) are classified by the judgement . We require \(\textrm{dom}(F)\) to be also equipped with identities and a definitionally associative and unital composition:

For instance, for dependent products, \(\textrm{dom}(\mathop {\Pi })\) and \(\hom _{\mathop {\Pi }}\) are given by

with identity and composition .

Fig. 5.

Domain and categorical structure on type formers

The domain and morphism for each type former are described in Figure 5. Identities and compositions are given by the categorical structure on \({\text {Type}}\) for \({{\,\mathrm{{\textbf {List}}}\,}}\) and \({{\,\mathrm{{\textbf {Id}}}\,}}\), and are defined componentwise, for \(\Sigma \), \({{\,\mathrm{{\textbf {W}}}\,}}\) and \(+\), similarly to \(\mathop {\Pi }\). Figure 6 presents the conversion rules of , extending those of MLTT with general functoriality rules and specific rules for each type former. For each type former F, \(\textrm{map}_{F}\) is introduced using Map and witnesses the functorial nature of F, that is F maps morphisms \(\varphi \) in its domain between two instances of its parameters X, Y (left implicit) to functions between types

These mapping operations obey the two functor laws, as stated by MapId and MapComp.

The computational behaviour of maps, as defined by weak-head reduction, depends on the type former. On \(\mathop {\Pi }\) and \(\Sigma \), \(\textrm{map}\) is defined by its observation, namely application for \(\mathop {\Pi }\) and first and second projections for \(\Sigma \). On inductive types such as \({{\,\mathrm{{\textbf {List}}}\,}}\), \({{\,\mathrm{{\textbf {W}}}\,}}\), \({{\,\mathrm{{\textbf {Id}}}\,}}\) and \(+\), \(\textrm{map}\) traverses constructors, applying the provided morphism on elements of the parameter type(s), and itself to recursive arguments. This corresponds to the usual notion of \(\textrm{map}\) on lists. On \({{\,\mathrm{{\textbf {W}}}\,}}\)-types, the map operation relabels the nodes of the trees using its first component, and reorganizes the subtrees according to its second component. On identity types, the reflexivity proof \(\textrm{refl}_{{A_1},a}\) at a point \(a {{\,\mathrm{:}\,}}A_1\) is mapped to the reflexivity proof at \(f\,a {{\,\mathrm{:}\,}}A_2\) for \(f {{\,\mathrm{:}\,}}A_1 \rightarrow A_2\). On sum types \(A +B\), either the first or second component of the morphism (f, g) is employed depending on the constructor \(\textrm{inj}^{l}\) or \(\textrm{inj}^{r}\). Each reduction rule has a corresponding conversion rule in .

Fig. 6.

  (extends Figures 2 and 3)

Functorial Maps and Type Former Encodings Positive sum types \(A + B\) can be simulated in MLTT by the type \(\Sigma b : {{\,\mathrm{{\textbf {B}}}\,}}. \delta (b,A,B)\), using the branching operation . This encoding admits the adequate introduction and elimination rules. It induces a mapping from \(\textrm{dom}(+)\) to \(\textrm{dom}(\Sigma )\), sending a morphism to the morphism where \(f\oplus g\) is

We can show by case analysis on \({{\,\mathrm{{\textbf {B}}}\,}}\) that this mapping satisfies the propositional functor laws. However, it falls short from satisfying the definitional ones.⁵ It is thus not enough to compose \(\textrm{map}_{\Sigma }\) with this mapping to obtain a functorial action on sum types \(A +B\), and explains why we add \(+\) primitively.

This obstruction to inductive encodings would motivate a general definition of functorial map for a scheme of indexed inductive types. However, it seems already non-trivial to specify the categorical structure on the domain of an arbitrary inductive type, let alone generate the type and equations for the corresponding \(\textrm{map}\) operation. Thus, we rather concentrate on understanding the theory on quintessential examples, leaving out a general treatment to future work.

3.2 Extensional Types and Map

A type A is extensional when its elements are characterized by their observation, i.e. any element is convertible to its \(\eta \)-expansion, an elimination followed by an introduction - an equation usually called \(\eta \)-law. For extensional type formers, it is possible to define a \(\textrm{map}{}\) operation satisfying the functor laws. In MLTT and , both (strong) dependent sums \(\Sigma \) and dependent products \(\mathop {\Pi }\) have such extensionality laws, and so their \(\textrm{map}\) operations are definable.

Lemma 1

\(\textrm{map}_{\Pi }\) and \(\textrm{map}_{\Sigma }\) satisfy the definitional functor laws MapId and MapComp.

The proof is immediate by unfolding the definitions of \(\textrm{map}_{\Pi }, \textrm{map}_{\Sigma }\), applications of \(\beta \)-reduction and the \(\eta \)-rules for the preservation of identity. The accompanying artifact also shows that the functor laws hold for Coq’s \(\mathop {\Pi }\) and \(\Sigma \) types.⁶ The specific rules of Figure 6 hold by \(\beta \)-reduction.

3.3 New Equations for Neutral Terms in Dependent Type Theory

Inductive types in MLTT do not satisfy a definitional \(\eta \)-law. For identity types, the \(\eta \)-law is equivalent to the equality reflection principle of extensional MLTT, whose equational theory is undecidable [15, 27]. Extensionality principles for inductive types with recursive occurrences as \({{\,\mathrm{{\textbf {List}}}\,}}\) or \({{\,\mathrm{{\textbf {W}}}\,}}\) are also likely to break the decidability of the equational theory, by adapting an argument for streams [40]. The result of the previous section hence does not apply, and it is instructive to look at the actual obstruction. Consider the case of \({{\,\mathrm{{\textbf {List}}}\,}}\), and the equation for preservation of identities:

If we were to define \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\) by induction on lists as is standard, we would get

We can observe that Eq. (\(\star \)) is validated on closed canonical terms of type \({{\,\mathrm{{\textbf {List}}}\,}}\):

However, on neutral terms, typically variables, we are stuck as long as we stay within the equational theory of MLTT:

$$\begin{aligned} A : \textrm{Type}_{i}, x : {{\,\mathrm{{\textbf {List}}}\,}}\,A \not \vdash \textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,{\text {id}}_{A}\,x \cong x {{\,\mathrm{:}\,}}{{\,\mathrm{{\textbf {List}}}\,}}A. \end{aligned}$$

In order to validate Eq. (\(\star \)), must thus at the very least extend the equational theory on neutral terms. Allais et al. [6] show in the simply-typed case that these equations between neutral terms are actually the only obstruction to functor laws, and in the remainder of this section we discuss how to adapt MLTT to this idea.

Map Composition and Compacted Neutrals The first step in order to validate the functor laws is to get as close as possible to a canonical representation during reduction. In order to deal with composition of maps, we extend reduction with RedMapComp, merging consecutive stuck maps. In order to preserve the deterministic nature of weak-head reduction, \(\textrm{map}\) compaction should only apply when no other rule does. To achieve this, the type former F should not be extensional, because \(\textrm{map}_{\Pi }\) is already handled through the \(\eta \)-expansion of CFun, and similarly for \(\textrm{map}_{\Sigma }\). Moreover, the mapped term should be neither a canonical form where \(\textrm{map}\) already has a computational behaviour, nor a \(\textrm{map}\) itself that could fire the same rule. To control this, we separate neutrals, which cannot contain a \(\textrm{map}\) as their head, and compacted neutrals, which can start with at most one \(\textrm{map}\), as shown in Figure 7 alongside normal forms. Allais et al. [6] also features a similar decomposition of normal forms into three different classes, although their normal forms for lists are more complex than ours as they validate more definitional equations than functor laws.

Fig. 7.

Weak-head normal and neutrals for (extends Figure 2)

Map on Identities For identities, using a similar reduction-based approach is difficult: turning the equation into a reduction raises issues similar to those encountered with \(\eta \)-laws. Orienting it as an expansion \(l \leadsto ^{\star }{}\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,{\text {id}}_A\,l\) requires knowledge of the type to ensure the expansion only applies to lists, and is potentially non-terminating. Accommodating type-directed reduction would require a deep reworking of our setting.

As a result, just like for \(\eta \) on functions in rule CFun, we implement this rule as part of conversion, rather than as a reduction. We also incorporate it carefully in the notion of reducible conversion in the logical relation, where we do have access to enough properties of the type theories. Since the equation is always validated by canonical forms, we only need to enforce it on compacted neutrals. The logical relation for an inductive type I (\({{\,\mathrm{{\textbf {List}}}\,}}\), \({{\,\mathrm{{\textbf {W}}}\,}}\), \({{\,\mathrm{{\textbf {Id}}}\,}}\), \(+\)) thus specifies that a neutral n is reducibly convertible to a compacted neutral \(\textrm{map}_{I}\,f\,m\), whenever the neutrals n and m are convertible and f agrees with the identity of \({\textrm{dom}}(I)\) on any neutral term. See MapNeConvRedL in the next section for the exact rule.

4 Formalizing New Equations for Neutral Lists

In this section we expose the main components of the accompanying Coq formalization, which covers normalization, equivalence of declarative and algorithmic typing, decidability of type-checking, and canonicity for a subset of with \({{\,\mathrm{{\textbf {0}}}\,}}, {{\,\mathrm{{{\textbf {N}}}}\,}}, \mathop {\Pi }, \Sigma , {{\,\mathrm{{\textbf {List}}}\,}}\) and a single universe. The formalization extends a port to Coq [3] of a previous Agda formalization [2], which has already been extended multiple times [23, 45, 46]. We focus on the challenges to establish the functor laws on lists, and direct the reader either to the Coq code, or to Abel et al. and Adjedj et al. for other details. The formalization spans ~26k lines of code, approximately 9k of which are specific to our extension with lists and definitionally functorial \(\textrm{map}\)s and are new compared to Adjedj et al. Text in blue refer to files in the companion artifact.

4.1 A Logical Relation with Functor Laws on List

The Coq development defines both declarative and algorithmic presentations of and proves their equivalence through a logical relation parametrized by a generic typing interface⁷ instantiated by both presentations. Beyond generic variants of the typing and conversion judgement, the interface uses two extra judgements: stating that t reduces to \(t'\) and that they are both well typed at type A in context \(\Gamma \); and stating that n and \(n'\) are convertible neutral terms.

Definition of the Logical Relation In presence of dependent types, the standard strategy of reducibility proofs defining reducibility of terms by induction on their types fails. Rather, reducibility of types and of terms are define mutually mutually, the latter defined out of a witness of the former, and the former reusing the latter for the universe. Following Abel et al. [2], we thus first define for each type former F what it means to be a type reducible as F, and then what it means to be a reducible term and reducibly convertible terms at such a type reducible as F. A type is then reducible if it is reducible as F for some type former F. As we extend the logical relation to handle \({{\,\mathrm{{\textbf {List}}}\,}}\) and \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\), we focus on a high level description of the reducibility of types as lists and the reducible convertibility of terms of type \({{\,\mathrm{{\textbf {List}}}\,}}\), the most challenging elements in the definition.⁸ Two points required specific attention with respect to prior work. First, to handle the fact that constructors contain their parameters, we need to impose reducible conversions between these and the parameters coming from the type. Second, in order to validate composition of \(\textrm{map}\) on neutrals that may contain a \(\textrm{map}\), we need to equip neutrals with additional reducibility data, rather than pure typing information.

A type X is reducible as a list in context \(\Gamma \), written \({\Gamma }\Vdash _{{{\,\mathrm{{\textbf {List}}}\,}}} {X}\), if it weak-head reduces to \({{\,\mathrm{{\textbf {List}}}\,}}A\) for some parameter type A reducible in any context \(\Delta \) extending \(\Gamma \) via a weakening \(\rho {{\,\mathrm{:}\,}}\texttt {Wk}(\Delta , \Gamma )\). If \(\mathfrak {R} {{\,\mathrm{:}\,}}{\Gamma }\Vdash _{{{\,\mathrm{{\textbf {List}}}\,}}} {X}\) is a witness that X is reducible as a list, then \(\mathbb {P}(\mathfrak {R})\) stands for the parameter type A of this witness, and is its witness of reducibility.

Reducible conversion of terms as lists \(\Gamma \Vdash t \cong t' {{\,\mathrm{:}\,}}A \mid \mathfrak {R}\) is defined in Figure 8. Two terms t and \(t'\) are reducibly convertible as lists with respect to the witness of reducibility \(\mathfrak {R} : {\Gamma } \Vdash _{{{\,\mathrm{{\textbf {List}}}\,}}} {X}\) if they reduce to normal forms \(v, v'\) that are reducibly convertible as normal forms of type list \(\Gamma \Vdash _{{{\,\textrm{nf}\,}}{}} v \cong v' {{\,\mathrm{:}\,}}A \mid \mathfrak {R}\) (ListRed). Straightforwardly, two canonical forms are convertible if they are both \(\varepsilon \) (NilRed) or both (ConsRed) with reducibly convertible heads and tails.

For compacted neutral forms, we need to consider four cases according to whether each of the left or the right hand-side term is a \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\). NeRed provides the easy case where both terms are actually neutral, with a single premise requiring that these are convertible as neutrals for the generic typing interface. MapMapConvRed gives the congruence rule for stuck \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\), relating \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,f\,n\) and \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,f'\,n'\) when the mapped lists n and \(n'\) are convertible as neutrals and the bodies \(f\,x\) and \(f'\,x\) of the functions are reducibly convertible. Note that at this point of the logical relation, we do not know that the domain of the functions f and \(f'\) is reducible, only that their codomain is, as provided by \(\mathbb {P}_\Vdash (\mathfrak {R})\). This constraint motivates both the \(\eta \)-expansion of the functions on the fly before comparing them, and the necessity of a Kripke-style quantification on larger contexts for the reducibility of the parameter type \(\mathbb {P}_\Vdash (\mathfrak {R})\), together ensuring that the recursive reducible conversion happens at a reducible type, namely an adequate instance of \(\mathbb {P}(\mathfrak {R})\). Finally, the symmetric rules NeMapConvRedR and MapNeConvRedL deal with the comparison of a \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\) against a neutral n, that can be morally thought as \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\,{\text {id}}\,n\), and indeed the premises correspond to what one would obtain with MapMapConvRed in that case, up to an inlined \(\beta \)-reduction step.

Fig. 8.

Reducible convertibility of lists (where \(\mathfrak {R}\) is a proof of \({\Gamma } \Vdash _{{{\,\mathrm{{\textbf {List}}}\,}}} {X}\))

Validity of the Functor Laws All the expected properties extend to this new logical relation: reflexivity, symmetry, transitivity, irrelevance with respect to reducible conversion, stability by weakening and anti-reduction.⁹ These properties are essential in order to show that the logical relation validates the functor laws on any reducible term. The proof proceeds through an usual argument for logical relations: on canonical forms, the functor laws hold as observed already in Section 3.3; on compacted neutrals and neutral forms, we need to show that any compositions of \(\textrm{map}_{{{\,\mathrm{{\textbf {List}}}\,}}}\) reduce to a single map of a function with a reducible body, which amounts to show that composing reducible functions produces reducible outputs on reducible inputs. This last step in the proof reflect our assumption that the categorical structure equipping domains of type formers, here \(\textrm{dom}({{\,\mathrm{{\textbf {List}}}\,}})\), should be definitionally associative and unital.

4.2 Deciding Conversion and Typechecking for

Instantiating the generic typing interface of the logical relation with declarative typing provides metatheoretic consequences of the existence of normal forms, among which normalization, injectivity of type constructors and subject reduction. Using those, we can show that algorithmic typing is sound directly by induction, and also that it fits the generic typing interface of the logical relation, which lets us derive that it is complete with respect to declarative typing.

This part of the proof is close to Abel et al. [2] and Adjedj et al. [3]. The main change is that we adapt algorithmic conversion to reflect the addition of compacted neutrals in our definition of normal forms, by introducing a third mutually defined relation to compare these compacted neutrals. The main idea is summed up in rules LNConv and LNMap below: when comparing compacted neutrals, we use the new relation , which simulates the behaviour of the logical relation from Figure 8 on compacted neutrals.

Using this second, algorithmic, instance as a specification, we can show the soundness and completeness of a conversion-checking function extending that of Adjedj et al. [3] with lists and neutral compaction. Thus, via the equivalence of declarative and algorithmic conversion, we obtain decidability of the rich equational theory of (declarative) .

5 Subtyping, Coercive and Subsumptive

The main application we develop for our definitional functor laws is structural subtyping. More precisely, we describe two extensions of MLTT. The first, , has subsumptive subtyping: whenever , then also , leaving subtyping implicit. The second, , features coercive subtyping, witnessed by an operator \(\text {coe}_{A,A'}{t}\) explicitly marking where subtyping is used and well-typed whenever . The computational behaviour of \(\text {coe}\) on each type former is informed by the corresponding \(\textrm{map}\) in . Structural coercions can hence be studied modularly in and tied together in .

In Section 5.1, we give algorithmic presentations of and . In the context of a proof assistant or dependently typed programming language, would be the flexible, user-facing system, and its well-behaved specification. We do not develop the equivalence between this algorithmic presentation of and its declarative variant, as its proof is similar to the one for .

Section 5.2 relates and : there is a simple erasure \(\left| \cdot \right| \) from the former to the latter which removes coercions, and we show it is type-preserving; conversely, we show that any well-typed term can be elaborated to a well-typed term. The extra definitional functor laws are essential at this stage, to ensure that all equalities valid in still hold in . Since we are in a dependently typed system, if equations valid in failed to hold in , elaboration could not be type-preserving. Finally, Section 5.3 discusses the implications of this equivalence for coherence.

5.1 The Type Systems and

We focus on the structural aspect of subtyping, and a base case would be needed to have a non-trivial subtyping relation, i.e. to relate more types than conversion. We do not present a base case for subtyping due to space constraints, but refinement types with subtyping induces by the implication orders on formulas or record types with width and depth subtyping are typical instances for such base case. The latter is presented in  [32].

Fig. 9.

Algorithmic subtyping between reduced types (extends Figure 3)

Algorithmic This system replaces Check with the following rule, which uses subtyping instead of conversion:

Subtyping, defined in Figure 9, orients type-level conversion from Figure 3, taking into account co- and contravariance. It relies on neutral comparison and term-level conversion, both of which are not altered with respect to Figure 3: subtyping is a type-level concept only.

Fig. 10.

Weak-head reduction rules for coercion (extends Figure 2)

Algorithmic In contrast with , rule Check in is not altered. Instead, subtyping is only allowed when explicitly marked by \(\text {coe}\), as follows:

Reduction must of course be extended to give an operational behaviour to \(\text {coe}\), and is given in Figure 10 , together with normal forms. Operationally, \(\text {coe}_{A,A'}{t}\) reduces the types A and \(A'\) to head normal forms, then behaves like the relevant \(\textrm{map}\), propagating \({{\,\textrm{coe}\,}}{}\) recursively. Since \(\text {coe}_{A,A'}{t}\) is well-typed only when A is a subtype of \(A'\), the type formers of their head normal forms have to agree, ensuring that we can always rely on this behaviour to enact structural subtyping. As for \(\textrm{map}\), rule CoeCoe lets us compact a succession of stuck \(\text {coe}\). This only applies to positive types (characterized by \({{\,\textrm{nf}\,}}^{\oplus }\)): we do not compact coercions between negative/extensional types, but wait for the term to be observed to trigger further reduction.

Neutral conversion is described at the top of Figure 11 and features an additional comparison between compacted neutrals similar to (LNConv). Rule NCoe is a congruence for coercions, where the source and target types necessarily agree by typing invariants, and are thus not compared. Rules NCoeL and NCoeR handle identity coercions. Accordingly, is carefully used whenever normal forms can be compacted neutrals, e.g. at neutral and positive types, as shown at the bottom of Figure 11. Apart from this change, conversion at the term and type level and subtyping are similar to those of .

Fig. 11.

Algorithmic comparison of neutrals in (extends Figure 3)

5.2 Elaboration and Erasure

We can now turn to the correspondence between and . The translation in the forward direction, erasure \(\left| \cdot \right| \), removes coercions \({\left| \text {coe}_{A,A'}{t} \right| = t}\) and is otherwise a congruence. It is lifted pointwise to contexts. We first show that erasure is sound, meaning that it preserves typing and conversion, and then that it is also invertible, i.e. that any well-typed term \(t'\) elaborates to a well-typed term t whose erasure is \(t' = \left| t \right| \).

Soundness of Erasure Erasure translates from a constrained system to a more liberal one. Establishing its soundness, e.g.that conversion and typing are preserved, is relatively easy, as long as the reduction rules of Figure 10 are designed so that erasure preserves them. Indeed, the key point is that reduction rules for \({{\,\textrm{coe}\,}}\) do not change the structure of the erased term, and so erase to exactly zero steps of reduction. In contrast, the rule below is inadequate, as it would \(\eta \)-expand terms at function types more in than in :

The two terms remain nonetheless convertible. By induction on ’s typing derivation, one can then show that erasure preserves conversion and subtyping, and finally typing.

Theorem 1

(Erasure Preserves Typing). If holds and its inputs are well-formed, then .

Elaboration Elaborating back from to is more challenging: as we add annotations, we must ensure that these do not hinder conversion. We follow the proof strategy of a similar proof of elaboration soundness in Lennon-Bertrand et al. [33]. The core of the argument are so-called “catch-up lemmas”, which ensure that annotations never block redexes. As an example, here is the one for function types.

Lemma 2 (Catch up, Function Type)

If and \(\left| f \right| = \mathop {\lambda } x : A'.\ t'\), then there exists t such that \(\left| t \right| = t'\) and \(f~a \leadsto ^{\star }{t}\left[ a\right] \).

From these catch-up lemmas it follows that erasure is a backward simulation, therefore that it preserves subtyping, and finally that it is type-preserving. Proofs are all by induction, and given in [32].

Lemma 3 (Erasure is a Backward Simulation)

Assume that . If \(\left| t \right| \leadsto ^{\star }u'\), with \(u'\) a weak-head normal form, then \(t \leadsto ^{\star }u\), with u a weak-head normal form such that \(\left| u \right| = u'\).

Lemma 4 (Elaboration Preserves Subtyping)

The following implications hold whenever the inputs of the conclusions are well-formed:

1. 1.

   if , then ;

2. 2.

   if , then ;

3. 3.

   if , then ;

4. 4.

   and similarly for the other judgements.

Finally, the main theorem states that we can elaborate terms using implicit subtyping to explicit coercions, in a type-preserving way.

Corollary 1 (Elaboration)

If , and , then there exists t such that , and \({|t|} = t'\).

Importantly, to establish this equivalence we do not need to develop any meta-theory for : having the meta-theory of is enough!

Nonetheless, now that the equivalence between the two systems has been established, we can use it to transport meta-theoretic properties, such as normalization, from to .

5.3 Coherence

An important property of elaboration is coherence, stating that the elaboration of a well-typed term does not depend on its typing derivation. In our algorithmic setting, a term has at most one typing derivation and so at most one elaboration. However, multiple well-typed terms in can still erase to the same term. While only one of them is the result of elaboration as defined in Corollary 1, all these distinct terms should still behave similarly. The following is a direct consequence of Lemma 4, and shows that the equations imposed on \(\text {coe}\) are enough to give us a very strong form of coherence: it holds up to definitional equality, rather than in a weaker, semantic way. Another way to look at this is that the scenario of Example 2 cannot happen, thanks to our new equations: if two terms erase to the same coercion-free one in , then they must be convertible in . Hidden coercions cannot be responsible for failures of conversion.

Theorem 2

(Coherence). If t, u are such that and , with and , and moreover \(\left| t \right| = \left| u \right| \) (i.e. t and u correspond to the same term), then .

Proof

By reflexivity, (obtained through the equivalence with the declarative system), . Using Theorem 1 (soundness of erasure), we get , and so also . But then by Lemma 4 (elaboration preserving conversion), we can come back, and obtain .

As particular cases of this coherence theorem, we can now exhibit the necessity of the functor laws, sharpening the informal argument in the introduction. For the identity law, any well-typed term \(\text {coe}_{A,A}{t}\) erases to \(\left| \text {coe}_{A,A}{t} \right| = \left| t \right| \) in , and by coherence we obtain that the conversion is required in . For the composition law, we have for adequately well-typed terms that \(\left| \text {coe}_{B,C}{\text {coe}_{A,B}{t}} \right| = \left| t \right| = \left| \text {coe}_{A,C}{t} \right| \), hence by coherence the conversion must hold in as well.

6 Related and Future Work

Adding Definitional Equations to Dependent Type Theory Strub [50] endows a dependent type theory with additional equations from first order decidable theories, with further extensions to a universe hierarchy and large eliminations in Jouannaud et al. [28] and Barras et al. [11]. Equational theories can sometimes be presented by a confluent set of rewrite rules, a case advocated by Cockx et al. [17]. They show through counter-examples that ensuring type preservation in dependent type theory is a subtle matter and do not ensure normalization of the resulting theory. On the theoretical side, categorical tools are being developed to prove general conservativity and strictification results for type theories [12, 13] extending the seminal work of Hofmann [24] on conservativity of extensional type theory with respect to intensional type theory [57].

Formalized Metatheory with Logical Relations. Allais et al. [6] propose to add a variety of fusion laws for lists, including our functor laws, to a simply typed \(\lambda \)-calculus, only sketching an extension to dependent types. The three classes of normal forms (see Figures 7 and 10) is inspired from their work. While we depart from their normalization by evaluation approach to obtain fine-grained results on convergence of iterated weak-head reduction, we expect that the original strategy should extend to dependent types. Formalizing logical relations for MLTT is a difficult exercise, pioneered by Abel et al. [2] in Agda using inductive-recursive definitions, and Wieczorek et al. [55] in Coq using impredicativity. We build upon and extend a Coq reimplementation of the former [3].

Cast and Coercion Operators Pujet et al. [45, 46] extend Abel et al. [2] to establish the metatheory of observational type theory [8]. Their work features a cast operator behaving similarly to \(\text {coe}\), but guarded by an internal proof of equality instead of an external subtyping derivation. Their cast does not satisfy definitional transitivity, and we give evidence in [32] that such an extension would break metatheoretical properties. Another cast primitive with a similar operational behaviour appears in cast calculi for gradual typing [47], and indeed our proof that elaboration is type preserving in Section 5.2 is inspired by a similar one for GCIC, which combines gradual and dependent types [33]. In this case, casting is allowed between any two types, but the absence of guard is compensated by the possibility of runtime errors, making the type theory inconsistent.

Functorial Maps for Inductive Type Schemes Luo et al. [36] describe the construction of map for a class of strictly positive operators on paper, but do not implement it. Deriving \(\textrm{map}\)-like construction is a typical example of metaprogramming frameworks for proof assistants, e.g. Coq-Elpi [19, 52] in Coq, and the generics Agda library [21] derives a fold operation, from which \(\textrm{map}\) can be easily obtained. In a simply typed setting, Barral et al. [10] employ rewriting techniques, in particular rewriting postponement, to show that an oriented variant of the functor laws are confluent and normalizing. These techniques rely on normalization, and could not be easily adapted to the dependent setting, however the idea of postponing the reduction step for identity appears in our logical relation as well. In a short abstract, McBride et al. [42] investigate a notion of functorial adapters that generalizes and unifies both the Check rule from bidirectional typing and the Coe rule from .

Subtyping, Dependent Types and Algorithmic Derivations Coherence of coercions in presence of structural subtyping is a challenging problem. To address the issue, Luo et al. [37] introduce a notion of weak transitivity, weakening the coherence of the transitivity up to propositional equality. This solution does not interact well with dependency, forcing them to restrict structural subtyping to a class of non-dependent inductives, e.g. excluding (positive) \(\Sigma \). Luo et al. [36] show that the transitivity of coercions is admissible in presence of definitional compositions – called \(\chi \)-rules there – for inductive schemata. They rely on a conjecture that strong normalization and subject reduction hold in presence of these \(\chi \)-rules, explicitly mentioning that the metatheory with those additional equality rules is “largely unknown”. We provide such results, and have formalized them for \({{\,\mathrm{{\textbf {List}}}\,}}\). We use a completely different proof technique, that scales to a theory with universes and large elimination. Both aforementioned papers employ a strict order for subtyping and do not consider the functor law for the identity, nor tackle decidability of type-checking.

Aspinall et al. [9] investigate the relationship between subtyping and dependent types using algorithmic derivations to control the subtyping derivations for a variant of \(\lambda P\), a type theory logically much weaker than MLTT. Lungu et al. [35] study an elaboration of a subsumptive presentation into coercive one in presence of a coherent signature of subtyping relations between base types. Assuming normalization, they show that subtyping extends to \(\mathop {\Pi }\) types, setting aside other parametrized types. While they work over an abstract signature of coercions, the functor laws we study are needed to instantiate this signature with meaningful datatypes while respecting their assumptions. We explain the relation of these algorithmic system with bidirectional systems, notably the one of Abel et al. [2], contributing to a sharper picture.

Integration with Other Forms of Subtyping As we mentioned in Section 5, our design of base subtyping was guided by simplicity. Our work on structural subtyping should integrate mostly seamlessly with other, more ambitious forms of subtyping. Coercions between dependent records form the foundation of hierarchical organizations of mathematical structures [4, 18, 56], and should be a simple extension of our framework. This could lead to vast simplification of the complex apparatus currently needed to deal with these hierarchies.

Refinement subtyping is heavily used in F\(^{\star }\) but also in Coq’s Program [48] to specify the behaviour of programs. Relativizing any result of decidability of type-checking to that of the chosen fragment of refinements, an implementation of refinement subtyping using definitionally irrelevant propositions [23] to preserve coherence¹⁰ should be within reach.

Our techniques for structural subtyping should also apply well in the context of algebraic approaches to cumulativity between universes [29, 49]. Cumulativity goes beyond mere subtyping, as it also involves definitional isomorphisms between two copies of the same type at different universe levels. Our definitional functor laws already allow these to interact well with \(\textrm{map}\) operations, but it would be interesting to investigate which extra definitional equations are needed - and can be realized - to make structural cumulativity work seamlessly, hopefully obtaining a translation from Russel-style to Tarski-style universes similar to our elaboration from to .

Data Availability Statement

An archive containing the formalization presented in Section 4 is available at [31]. The Coq code is supplemented with a report and a Docker image.