Download - Coherence and Transitivity of Subtyping as Entailment · Coherence and Transitivity of Subtyping as Entailment 495 rule for! are the ﬁrst requests for a logic of subtyping: (ax)

Coherence and Transitivity of Subtypingas Entailment

GIUSEPPE LONGO,LIENS(CNRS) and DMI, Ecole Normale Superieure,45 rue d’Ulm, 75005 Paris, France.E-mail: [email protected]

KATHLEEN MILSTED, NET, France Telecom, 28 chemin du Vieux Chene,BP 98, 38243 Meylan Cedex, France.E-mail: [email protected]

SERGEI SOLOVIEV,IRIT, Universite de Toulouse-III, 118 route deNarbonne, 31062 Toulouse, France.E-mail: [email protected]

AbstractThe relation ofinclusion between types has been suggested by the practice of programming as it enriches the poly-morphism of functional languages. We propose a simple (and linear) sequent calculus for subtyping as logical en-tailment. This allows us to derive a complete and coherent approach to subtyping from a few, logically meaningfulsequents. In particular, transitivity and anti-symmetry will be derived from elementary logical principles.

Keywords: Second-order logic, Gentzen sequent calculus, polymorphism, coercive subtyping, cut-elimination.

1 Introduction

The word ‘coercion’ occurs in varying contexts. For example, in imperative and object-oriented programming languages such as C and C++, coercions are known as ‘casting func-tions’, whereby variables of one datatype (e.g. Boolean) are ‘converted’ or ‘cast’ to anotherdatatype (e.g. integer). In some languages, such conversions may actually change the un-derlying representation of the variable’s contents, in which case the conversion is done atrun-time when the contents are known. More semantic interpretations characterize coercionswith respect to identity functions, which do not imply a change to underlying representations.Coercions are used in this sense in [24] for example, where they are known as ‘retyping func-tions’. In practice, the conversions implied by such coercions are performed statically atcompile-time, for type-checking, etc. This paradigm is very relevant in functional program-ming.

In recent years, several extensions of core functional languages have been proposed to dealwith the notion of subtyping; see, for example, [9, 24, 4, 2, 8, 6, 25, 30, 31, 10, 11, 22, 16].These extensions were suggested by the practice of various programming styles. In particu-lar, they were inspired by the notion of inheritance as used in object-oriented programminglanguages, or by other concrete implementations of the following form of polymorphism:data living in a type�, which is a subtype of� , may also be seen as living in type� , in somesuitable sense. So, an integer is also a real, modulo an obvious ‘almost identical’ coercion

J. Logic Computat., Vol. 10 No. 4, pp. 493–526 2000 c Oxford University Press

494 Coherence and Transitivity of Subtyping as Entailment

from integers to reals.However, subtyping, in the presence of functional arrow! (and second-order universal

quantification8) presents some semantic and logical problems. In all functional approachesto subtyping, arrow is formalized as being contravariant or antimonotone in the first argument.More formally:

(!)� � � � � �0

� ! � � � ! �0

where� � � is read ‘� is a subtype of� ’. The contravariant behaviour of! (on the left)intuitively fits with the categorical notion of (contravariant) Hom functor, as well as with theintuitive understanding of programs as transformations acting on inputs: if a programM actson inputsN in � , then it can take as input any element in a subtype� of � . This is where thechallenge arises: is it possible to give a precise mathematical meaning to the (!) rule anduniversal quantification, in the sense, say, of denotational semantics or of logical calculi?

In this paper, we propose a sequent calculus of subtyping, as a fragment of intuitionis-tic (linear) second-order propositional calculus. In particular, we focus on the introductionand elimination rules for8, which are at the core of second-order systems, and on a ‘cut-elimination’ theorem. This is a relevant property for the partial order of subtyping, as the‘cut’ rule corresponds to transitivity.

The idea is that one can give an obvious logical (constructive) understanding of ‘� is asubtype of� ’ as ‘� implies� ’, or more precisely, as ‘� entails� ’ (� ` � ). Note first that, withthis interpretation, the (!) rule makes perfect sense: if� entails� and� entails�0, then� ! �entails� ! �0. Moreover, if terms in� may also be in� , then this embedding should bedescribed by some sort of effective transformation: either the identity or a ‘suitable’ coercion,as an effective map from� to � . Thus, by the Curry–Howard isomorphism, subtyping is aspecial case of intuitionistic implication: a computation from� to � is a proof of� ` � . Butwhich special case? And how to characterize it?

As we shall see, a characterization in terms of erasure (that is, after erasing all type in-formation, coercions become identity maps in the untyped calculus) also has some semanticflavor.

The main results of this paper (except the part about base types) appeared without proofsin a previously published paper [20] on a calculus for subtyping as logical entailment. Thecomplete proofs related to that presentation may be found in a technical report [21], wherenormalization for the simple, but impredicative, logical system presented here is dealt withby a direct argument — see the discussion in Section 6.4. Those proofs have been deeplyrevised and simplified in this paper.

Since its publication, the calculus of subtyping in [20] has been studied and developed byseveral authors (see, for example, [30, 31, 10, 11]). Another approach to coercive subtyp-ing, where ‘almost arbitrary’ functions may be taken as coercions, was suggested by ZhaohuiLuo and further investigated with the participation of one of the authors of the present pa-per [22, 16]; that approach is more general but, because of its generality, it lacks the semanticmotivation and the connection between coercions and logical deductions at the heart of thework presented here.

1.1 Subtyping as restricted linear implication

The logical frame we use here is intuitionistic second-order propositional logic. The intendedmeaning of� ` � is that� is a subtype of� . An obvious axiom and the contra(co)-variance

Coherence and Transitivity of Subtyping as Entailment495

rule for! are the first requests for a logic of subtyping:

(ax) � ` � (!)�0 ` � � ` � 0

� ! � ` �0 ! � 0

Consider now a logical interpretation of second-order8. Assume that� containsX freeand that from a specific instance of� (with � substituted forX say), one can deduce� .Then, from8X:� one can,a fortiori, deduce� . This is the (8 left) rule of Gentzen’s sequentcalculus. A semantic understanding of this second-order deduction can be given in the PERmodel of subtyping (see Section 6.2 for a discussion and references): informally, if a specificinstance of a family of types is a subtype of� , then, in the model, the intersection of the entirefamily is a subtype of� .

(8 left)[�=X ]� ` �

8X:� ` �

where[�=X ]� stands for the type resulting from the (capture-avoiding) substitution of type�for X in type�.

Moreover, if� entails� , and� does not containX free, then� also entails8X:� . This isGentzen’s (8 right) rule. Semantically, if� is a subtype of� and� does not depend onX ,then� is also a subtype of the intersection of all�s overX :

(8 right)� ` �

� ` 8X:�� for X notfree in �

Recall now that the principal idea here is that the embedding of a type into another shouldbe very simple: indeed, as close to the identity as possible in a typed language. Identities arelinear maps, to say the least, as our system will be a fragment of the linear sequent calculus.Even more so: we allow only one premiss in a sequent� ` � , as even the swapping of inputsis forbidden. Thus, in order to deal with nested implications, we generalize (8 right) to:

(8n�0 right)� ` �1 ! : : : (�n ! �) : : :)

� ` �1 ! : : : (�n ! 8X:�) : : :)� for X notfree in � norin �1; : : : ; �n

(8n right) is a family of rules indexed byn � 0. Note that, if more than one premiss wasallowed, (8n right) would be the curried variant of (8 right) with n premisses.

These four rules are all we need. Observe that8 is introduced to the left and to the right ofentailment by two separate rules while! is symmetrically introduced both to the left and tothe right of entailment by a single rule, the familiar (!) rule defined previously.

The reader may wonder what happened to a fundamental property of subtyping, that is,to transitivity. Indeed, we willprove that ` is a partial order, thus, in particular that it istransitive and anti-symmetric. But transitivity is just a (cut) rule:

(cut)� ` � � ` �

� ` �

Proving transitivity will thus be the proof of admissibility for the rule (cut), that is, eachtime the premisses are derivable, the consequence is derivable too. Or, equivalently, that the


system extended with (cut) has the cut-elimination property. Notice that the proof that onecan ‘eliminate cuts’ is non-trivial for weak systems (as we will discuss in Section 6.4) as, ingeneral, these results and proofs are not inherited by subsystems.

Cut-elimination is a fundamental property in constructive logical systems. It guaranteesconsistency as it shows that each derivation can be given a ‘minimal’ structure. In the variouslambda-calculi, it relates deductions to computations as cut-elimination corresponds to�-reduction. In those systems, (cut) is a non-primitive rule, as it corresponds to the sequentialapplication of (!-introduction) and (!-elimination) rules; moreover, it is usually consideredas a (side) consequence of normalization. In contrast to this, for the purposes of subtyping,(cut) is as basic as transitivity.

The seemingly simple logical system above will be shown to be complete and coherent asa logic for deriving subtyping relations. By completeness, we mean that� ` � is derivableiff there is a term of type� ! � that erases to the identity (cf. Section 3.1). Such a term is acoercion from � to � . By a result in [24], this characterization also guarantees completenesswith respect to subtyping in all PER models, in the sense of [4].

Coherence will mean that derivability of� ` � implies the existence of aunique coercionfrom � to � . One of its consequences will be anti-symmetry. Coherence will be easilyshown in the simple four-rule system, while it requirescut-elimination if proved in the systemextended with (cut).

Once the formal system is fully written down, with proof-terms displayed (Section 2.2),the next thing to be described is term equality. The notion of equality we use here may beviewed as the ‘generalized dual’ of an early result of Girard[12]: in system F, there is nodefinable term that discriminates between types. Namely, there is no definable termJ� suchthatJ� applied to type� is 1 if � = �, and is0 if � 6= �. This idea was taken up in [19] byextending system F with the following axiom:

(Axiom C)M : 8X:�

M�1 =M�2�for X notfree in �

Intuitively, as there are no type discriminators, (Axiom C) forces terms of universally quan-tified type, whose outputs live in the same type, to be constant. System F extended with(Axiom C) satisfies the Genericity Theorem [19], which states that if two second-order func-tions (of the same type) coincide on an input type, then they are, in fact, the same function.Equivalently, types are generic inputs to second-order functions.

(Axiom C) was proposed following [12] and independently of [8]. The latter defines thesystemF�, which includes the following inference rule, a generalization of (Axiom C) tosubtyping:

(eq appl2)M : 8X:� [�1=X ]� � � [�2=X ]� � �

M�1 = M�2 : �

This rule is sound within a context with Cardelli’s rule ofsubsumption [9]: if N : � and� � � then alsoN : � . Observe thatM gives outputs in (possibly) different types[�1=X ]�and [�2=X ]�. Then, intuitively, (eq appl2) says that if these two types (of outputs) havea common supertype�, then the outputs are equalwhen seen as elements of �. Thus, inparticular, if� does not containX free, one obtains (Axiom C).

Note that (Axiom C) is valid in all proper models of system F, in particular in all ‘paramet-ric models’ in the sense of Reynolds [23, 1]. Moreover, (eq appl2) holds in the only semantic


models of system F with subtyping, namely in PER models with the intended coercions (seeSection 6.2). The relevance of (eq appl2) is that it allows one to prove the (categorical)uni-versality of key definable constructs in System F (binary products, coproducts, existentials,etc.).

However, (eq appl2) relies implicitly on the subsumption rule, i.e., ifM : � and� � � ,thenM : � . And, as we will discuss in Section 6.2, subsumption has neither type-theoreticnor categorical meaning, even though it may have solid practical motivations and intuitivemeaning. Subsumption may be avoided in (eq appl2) if coercions are used explicitly alongthe lines of the following informal rule where the termsN1; N2 represent coercions:

M : 8X:� y1 : [�1=X ]� ` N1 : � y2 : [�2=X ]� ` N2 : �

[M�1=y1]N1 = [M�2=y2]N2

This will be formalized in our system as as the rule (eq appl2 co)) and that ‘coercion version’of (eq appl2) will be used in our type-theory as an interplay between subtyping and equality.

In conclusion then, our logic of subtyping will be based on the simple four-rule sequentcalculus presented previously, and the proof terms will satisfy the usual equational rules plusa coercion version of (eq appl2).

The paper is organized as follows. In Section 2.1, we recall System F and describe our logicof subtyping, referred to as SystemCo` (where ‘co’ stands for coercions). We also prove inthis section some lemmas about derivations in F andCo` to help establish the relationshipbetween these two systems, and notably thatCo` can be regarded as a subsystem of SystemF. Some aspects of the definition of cut (transitivity) in SystemCo` are discussed and somesyntactic conventions used in the paper are established.

Section 3 then presents the main results of paper: completeness of SystemCo` with re-spect to the semantics provided by interpretation in the type-free calculus, admissibility oftransitivity, and coherence. We postpone to this section a discussion about equality of coer-cions since it will be more natural after the completeness result is established. At the end ofthis section, the consequences for the relation of bicoercibility are also considered.

In Section 4,Co` is proved equivalent to a system of subtyping formulated by Mitchell [24]in the sense that a subtyping judgement is derivable in Mitchell’s system iff the correspondingentailment is derivable inCo`. Section 5 describes systemCo` extended with base types,and proves relevant properties of the extended system including conservativity, complete-ness, admissibility of transitivity and coherence. Finally, Section 6 describes related workconcerning other proof-theoretic analyses and models of subtyping, along with a discussionof equality and a discussion of second-order cut-elimination proofs. Section 7 ends withsome conclusions.

2 System F and coercions

2.1 System F

We first recall System F [12]. Then we define a sequent calculus of subtypingCo` that maybe regarded as a subsystem of System F.

The language of System F has two kinds of expressions,types andterms, defined by thefollowing syntax:

(Types) � ::= X j � ! � j 8X:�(Terms) M ::= x j �x :�:M j MN j �X:M j M�


We will use:�; �; �; � for types M;N;P;Q;R for termsX;Y; Z for type variables x; y; z for term variables

An environment � is a set of term variables with their types. We write�; x : � to extend� with a new term variablex of type�, wherex must not already occur in�. We use thenotation� F M : � for type assignment in system F. The following rules define valid typeassignments.

System F

(ax) �; x :� F x : �

(! intro)�; x :� F M : �

� F �x :�:M : � ! �(! elim)

� F M : � ! � � F N : �

� F MN : �

(8 intro)� F M : �

� F �X:M : 8X:�(8 elim)

� F M : 8X:�

� F M� : [�=X]�� for X not free in the type of

any free term variable in M

We writeFV (M) for the set of free type and term variables inM , and[N=x] and[�=X ]in prefix position for term and type substitution, respectively, with usual renaming of boundvariables to avoid capture. Reduction of terms is defined as usual by the closure of thefollowing rules:

(�1) (�x :�:M)N �!�1 [N=x]M (�2) (�X:M)� �!�2 [�=X ]M

(�1) �x :�:Mx �!�1 M� for x =2 FV (M)

(�2) �X:MX �!�2 M� for X =2 FV (M)

We will write �!�� for the transitive closure of all four reductions,�!� for the closureof just �1 and�2, and�!� for the closure of�1 and�2. We will also write ‘��-nf’ fornormal form with respect to all four reduction relations, and ‘�-nf’ or ‘nf � ’ for normal formwith respect to�1 and�2.

Different equality relations on terms are defined by the symmetric, reflexive and transitiveclosure of the different reduction relations. In particular, we will writeM =�� N for equalitywith respect to�!��, andM =� N for equality with respect to�!� . We reserve thenotationM � N for syntactic identity of terms up to�-conversion, and for types, equality,written� = � , is just syntactic identity up to�-conversion.

2.2 System Co`

We now define our sequent calculus of subtyping, referred to as SystemCo` or justCo`. Wewill use co for entailment in this system.

We give two presentations ofCo`. The first presentation gives only the types involved ineach judgment, which are of the form� co � . This presentation emphasizes the intendedsubtyping relation between types (� co � can be read ‘� is a subtype of� ’) but, of course,the calculus may be considered independently of this interpretation by referring just to itslogical structure.


System Co` (unlabelled)

(ax) � co � (!)�0 co � � co � 0

� ! � co �0 ! � 0

(8 left)[�=X]� co �

8X:� co �(8n right)

� co �1 ! : : : (�n ! �) : : :)

� co �1 ! : : : (�n ! 8X:�) : : :)� for 0 � n, X not free

in � nor in �1; : : : ; �n

In the second presentation of the system, we label each type with a term, yielding judg-ments of the formx :� co M : � . We will refer to the first presentation as the ‘unlabelled’system, to the second as the ‘labelled’ system.

System Co` (labelled)

(ax) x :� co x : �

(!)x0 :�0 co M : � y :� co N : � 0

x :�! � co �x0 :�0 : [xM=y]N : �0 ! � 0

(8 left)y : [�=X]� co M : �

x :8X:� co [x�=y]M : �

(8n right, 0 � k � n)

x :� co �x1 :�1 : : : �xk :�k:M : �1 ! : : : (�n ! �) : : :)

x :� co �x1 :�1 : : : �xk :�k : : : �xn :�n:�X:Mxk+1 : : : xn: �1 ! : : : (�n ! 8X:�) : : :)� for X not free in �

nor in �1; : : : ; �n ,M not of the form �y:M 0,and xk+1; : : : ; xn fresh

(8n right, 0 � n < k)

x :� co �x1 :�1 : : : �xk :�k:M : �1 ! : : : (�n ! �) : : :)

x :� co �x1 :�1 : : : �xn :�n:�X:�xn+1 :�n+1 : : : �xk :�k:M: �1 ! : : : (�n ! 8X:�) : : :)� for X not free in �

nor in �1; : : : ; �n ,M not of the form �y:M 0

and � � �n+1 ! : : : (�k ! � 0) : : :)

The rule8n-right has two cases in the labelled system.1 In both cases, the premiss hasexactly the same form but we will shortly see that the two cases are disjoint.

In the rest of the paper, we will refer to judgments of either presentation (labelled andunlabelled) ofCo` as ‘sequents’. We will useS for sequents and�; for derivations ofsequents.

Obviously a sequent� ` � is derivable in unlabelled systemCo` iff � `M : � is derivable

1Tiuryn, in [30], presents (8n right) in another, slightly simpler form.


in the labelled system for some termM . If only the derivability of subtyping judgements isstudied, then it is enough to consider the unlabelled system.

Many of the proofs in this paper are by induction on thesize of a derivation. This notionof size is defined as the total number of applications of rules in a derivation.

In this work, a coercion is defined as follows:

DEFINITION 2.1 (Coercion)A sequentx :� co M : � is a coercion from� to � iff it is derivable inCo`.

As a linguistic shorthand, we will also refer to the termM as a coercion when the sequentx :� co M : � is derivable.

To illustrateCo`, observe that? = 8X:X (the empty type) is provably a subtype of alltypes. The corresponding coercion is obtained from the following derivation:

y : [�=X ]X co y : �(8 left)

x :8X:X co x� : �

2.3 Some structural lemmasLEMMA 2.2 (Structure of coercions)Assume thatx : � co M : � . Then,M has exactly one free term variable which isx,andx occurs exactly once inM and always at head position. Furthermore, each bound termvariable occurs exactly once in the body ofM .

PROOF. By induction on the size of the derivation ofx :� co M : � .

This lemma shows that coercions are linear terms (in the usual sense).

LEMMA 2.3 (Coercions are functions of System F)If x :� co M : � then x :� F M : � .

PROOF. By induction on the size of the derivation ofx :� co M : � .

LEMMA 2.4 (Coercions are in�-nf)If x :� co M : � then M is in �-nf.

PROOF. By induction on the size of the derivation ofx : � co M : � , as no inference rulecreates a�-redex.

This lemma shows that the terms labelling the two cases of (8n right) are unambiguouslydefined sinceM , in the assumption, must be in�-nf.

We need the following lemma about subterms in System F to prove two invertibility lem-mas below.

LEMMA 2.5Let � ` P : � . Consider an occurrence of a subtermQ of P . Let �0 be the environmentthat consists of all term variables free inQ. (Observe that�0 includes free variables ofPthat occur inQ, as well as bound variables ofP bound by a� with scope including thisoccurrence ofQ; the types of these free and bound variables ofP are defined by� and by thecorresponding� binders). Then:

1. �0 F Q : � with � uniquely determined by�0 andQ.


2. LetP 0 be some term containing at least one free occurrence ofy. If P � [Q=y]P 0, then,since substitution excludes capture of free variables,�0 F Q : � and�1; y :� F P 0 : � ,with �0 consisting of all free variables ofQ, �1 consisting of all free variables ofP 0

excludingy, and� uniquely determined by�0 andQ.

PROOF. By structural induction on some F-derivation of� ` P : � . In some places, weuse also the well-known facts of admissibility of weakening and strengthening of F-contexts.Uniqueness of� follows from the uniqueness of typing in F.Base case for 1 and 2: axiom�; x : � ` x : �. Then,� � �;Q � P � x, �0 � x : �.Inductive step for 1: ifP � Q then�0 � �; � � � , and we use strengthening of F-contexts.If not, consider the last rule of the derivation.(i) (! elim):

� F M : � ! � � F N : �

� F MN : �

Since we consider a single occurrence ofQ, it belongs toM orN . �0 is not changed. Applythe inductive hypothesis.(ii) (! intro):

�; x :� F M : �

� F �x :�:M : � ! �

Observe that�0 is not changed. Ifx 2 FV (Q) the reason for its inclusion in�0 is changed,else it doesn’t belong. Apply the inductive hypothesis.(iii) ( 8 intro):

� F M : �

� F �X:M : 8X:�� for X not free in the type of

any free term variable in M

Q is a subterm ofM , �0 is not changed. Apply the inductive hypothesis.(iv) (8 elim):

� F M : 8X:�

� F M� : [�=X ]�

Since� is not a subterm,Q is a subterm ofM . �0 is not changed. Apply the inductivehypothesis.Inductive step for 2: by 1) applied to each occurrence ofQ, � is determined by�0. If P � Qthen� � �; P 0 � y, and the derivation�1; y :� ` y : � is an axiom.

If not, we consider the last rule of the derivation as above.(i) (! elim):

� F M : � ! � � F N : �

� F MN : �

M andN have the structureM � [Q=y]M 0; N � [Q=y]N 0 and in at least one of twocases, the substitution is not dummy.�0 is not changed. By inductive hypothesis, we obtain�0 F Q : �.

Let � � �1 and� � �1 be the lists of free variables ofM 0; N 0 respectively. Notethat if one ofM 0; N 0 does not containy, it is identical toM;N , respectively. Ify 2FV (M 0); FV (N 0), then by inductive hypothesis,�; y : � F M 0 : � ! � , �; y : � F

N 0 : �. Using weakening and (! elim), we have�1; y :� F M 0N 0 : � .


If one of the substitutionsM � [Q=y]M 0; N � [Q=y]N 0 is dummy, we don’t need theinductive hypothesis for this term but for the other, proceed as above.(ii) (! intro):

�; x :� F M : �

� F �x :�:M : � ! �

Observe that�0 is not changed. In this case, becausex cannot belong toFV (P ). Apply theinductive hypothesis and proceed as above.(iii) and (iv) (8 intro) and (8 elim): proceed as in the previous cases.

The following lemmas show more clearly the relationship between derivations in system Fand inCo`.

LEMMA 2.6 (F-invertibility with respect to the rules ofCo`)Let x : � ` M : � be a sequent and assume that it is obtained from some other sequent(s)S1 � y1 : �1 ` M1 : �1; : : : ; Sn � yn : �n ` Mn : �n by application of one of therules ofCo`, whereyi does occur and is the only free variable ofMi. (Note thatSi arenot necessarily derivable in eitherCo` or F.) Then, ifx : � ` M : � is derivable in F, thenS1; : : : ; Sn are also derivable in F.

PROOF. First, note that ifx : � ` M : � is derivable in F, thenM cannot contain any freevariables other thanx. Proceed by case analysis of the three SystemCo` rules.(i) (!):

x0 :�0 `M : � y :� ` N : � 0

x :� ! � ` �x0 :�0 : [xM=y]N : �0 ! � 0

By assumption, the conclusion of this rule is derivable in System F, and thus also the follow-ing sequent:x : � ! �; x0 :�0 F [xM=y]N : � 0. Apply Lemma 2.5 to this sequent takingP � [xM=y]N , Q � xM andP 0 � N .�0 = fx : � ! �; x0 : �0g, �1 = ; andx : � ! �; x0 : �0 F xM : � , y : � F N : � 0.

Lemma 2.5 may be applied again tox :� ! �; x0 :�0 F xM : � takingM asQ. Note thatx0 :�0 is the only free variable ofM , and we havex0 :�0 F M : �.(ii) (8 left):

y : [�=X ]� `M : �

x :8X:� ` [x�=y]M : �

By assumption, the conclusion of this rule is derivable in System F. Apply Lemma 2.5 takingP � [x�=y]M , Q � x� andP 0 � M . �0 = fx : 8X:�g, �1 = ; andx : 8X:� F x� :[�=X ]�, y : [�=X ]� F M : � .(iii) ( 8 right): it suffices to use properties of�-introduction in F; Lemma 2.5 is not needed.

LEMMA 2.7 (One case of invertibility inCo`)If x : � co �x1 : �1 : : : �xk : �k:S� : �1 ! : : : (�n ! [�=Y ]�) : : :) thenx : � co �x1 :�1 : : : �xk :�k:S : �1 ! : : : (�n ! 8Y:�) : : :)

PROOF. By induction on theCo` derivation of the judgement containingS�.Base case: since the axiom does not have the form described in the assumption of the lemma,the lemma is vacuously true.Inductive step: analysis of the rules ofCo` shows thatx : � co �x1 : �1 : : : �xk : �k :S� :�1 ! : : : (�n ! [�=Y ]�) : : :) cannot be the conclusion of8n right.


If it is the conclusion of(!), then its right premiss must be of the formy : � co �x2 :�2 : : : �xk : �k:S

0� : �2 ! : : : (�n ! [�=Y ]�) : : :). Apply the inductive hypothesis and thesame rule.

If it is the conclusion of (8 left), then if S is different from the variablex, apply theinductive hypothesis and the same rule. SupposeS � x. The term�x1 : �1 : : : �xk : �k:ycannot be obtained by one of the rules ofCo` if the prefix is non-empty. Thus, the prefix isempty and the premiss of (8 left) is the axiomy : [�=X ]� co y : [�=Y ]� . The judgementx :8X:� co x : 8X:� is also an axiom. This proves the lemma.

Clearly,Co` is strictly weaker than System F. Consider, for example:

x :8X:X F x(8X:X ! 8X:X)x : 8X:X

butx :8X:X 6 co x(8X:X ! 8X:X)x : 8X:X

Even restricting terms to linear ones, and environments to those containing exactly onevariable, is not enough to produce a coercion. For example,

x :� ! (� ! �) F �y :�:�z :�:(x z y) : � ! (� ! �)

is not a coercion. Theorem 3.3 (completeness) will characterize those System F functionsthat are coercions.

By the Curry–Howard isomorphism,Co` is thus a proper subsystem of intuitionistic (lin-ear) second-order propositional logic. This is only natural since coercions are intended torepresent ‘inclusions’ of types. Clearly, there is no reason why arbitrary F-entailment (oreven isomorphisms of types) should be interpreted as inclusion.

2.4 Special forms of derivationsDEFINITION 2.8 (Pure variable derivation)A pure variable derivation is a derivation in which no type variable occurs both free andbound in the same sequent.

This notion of a pure variable derivation is comparable with that used by Kleene [17].

LEMMA 2.9Every derivation inCo` is equal, up to=, to any derivation obtained by safely renamingbound type variables in types and terms, without capturing free type variables.

PROOF. By induction on the size of the derivation. In the case of (8 left), use the identity[�=X ]� = [�=X 0]([X 0=X ]�) whereX 0 does not occur free in� (otherwiseX 0 would becaptured), and in the case of (8n right), uniformly substitute[X 0=X ] in the derivation of thepremiss and then use (8n right) with X 0 instead ofX (the side-condition is used). For (!),it is enough to use the induction hypothesis.

LEMMA 2.10Every derivation inCo` is equal, up to=, to a pure variable derivation.

PROOF. By induction and using the previous lemma (always choosing fresh bound variables).


To illustrate the utility of pure variable derivations, consider the following derivation:

�l

x0 :�0 co M : �

�r

y :� co N : � 0

(80 right)y :� co �X:N : 8X:� 0

(!)x :� ! � co �x0 :�0 : �X : [xM=y]N : �0 ! 8X:� 0

By the side-condition on (80 right), we know thatX is not free in� . Our aim now is topermute the applications of (80 right) and (!) as follows:

�l

x0 :�0 co M : �

�r

y :� co N : � 0

(!)x :� ! � co �x0 :�0 : [xM=y]N : �0 ! � 0

(81 right)x :� ! � co �x0 :�0 : �X : [xM=y]N : �0 ! 8X:� 0

However, this second derivation is only possible if the variableX is not free in� nor in�0,as required by (81 right). This is the case if the first derivation is a pure variable one, for thentheX bound in8X:� 0 would be fresh.

From now on, we will work exclusively with pure variable derivations, referring to themas just ‘derivations’.

LEMMA 2.11The following pairs of derivations are equal inCo` up to=:

1.�

(8n right)S1

(8 left)S2

=�

(8 left)S01

(8n right)S2

2.�l

�r(8n right)

S1(!)

S2

=�l �r

(!)S01

(8n+1 right)S2

PROOF. By simple consideration of the types and terms involved in each sequent. Case 1applies to any kind of derivation whereas case 2 requires a pure variable derivation. Indeed,the proof of case 2, permuting (8n right) forn = 0 and (!), is given by the examples of purevariable derivations above. It is checked directly that the terms labelling the end sequents ofboth the left and right derivations above, are identical (thus, the derivations are equal up to=).

Note that (8n right) becomes (8n+1 right) when it is permuted downwards with (!). Notealso that case 1 applies only when (8n right) is permuted downwards with (8 left), not con-versely.

DEFINITION 2.12 (Atomic derivation)An atomic derivation is one in which all axioms are of the formx :X co x : X .

LEMMA 2.13Every derivation� in Co` is equal, up to=� , to some atomic derivation�0.2

2It will be shown in the next section that coercions are closed under�-conversion.


PROOF. Let � be a derivation ofx : � co M : � . If � is not atomic then an axiom of theform x : � co x : � where� is not a type variable, is used at a leaf. It suffices to prove thethesis for such axioms by induction on the length of types. The base case, when� is a typevariable, is obvious.

Inductive case:� = 8X:�0. Construct the following derivation:

y : [X=X ]�0 co y : �0

(8 left)x :8X:�0 co xX : �0

(80 right)x :8X:�0 co �X:xX : 8X:�0

where�X:xX =� x and apply induction toy :�0 co y : �0.Inductive case:� = �1 ! �2. Construct the following derivation:

y :�1 co y : �1 y0 :�2 co y0 : �2(!)

x :�1 ! �2 co �y :�1:xy : �1 ! �2

where�y :�1:xy =� x and apply induction toy :�1 co y : �1 andy0 :�2 co y0 : �2.

In the following lemma, we ‘transform’ atomic derivations to a useful form (for later pur-poses) by permuting rules as appropriate.

LEMMA 2.14Let � be an atomic derivation ofx : � co M : �1 ! (: : : (�n ! 8X:�) : : :). Then, thereexists an atomic derivation�0 = �, with � and�0 of equal size, and where (8n right) is thelast rule used in�0.

PROOF. Proceed by induction on the derivation of�. Clearly, (ax) cannot have been used,and if (8n right) was used last in�, then we are done. In the other two cases, use Lemma 2.11to permute rules as follows:

Case: (8 left) used last. Apply the induction hypothesis to the premiss then permute (8left) with (8n right) (Lemma 2.11, case 1).

Case: (!) used last. Apply the induction hypothesis to the left premiss then permute (!)with (8n�1 right), the latter becoming (8n right) in the final derivation (Lemma 2.11, case2).

LEMMA 2.15Let �1 and�2 be two atomic derivations ofx :� co M : � andx :� co N : � respectively.Then, there exist atomic derivations�01 = �1 and�02 = �2 such that�01 and�02 end with the


2.5 The transitivity problem

In section 3.3, we will show thatco is a transitive relation. That is, in the unlabelled system,the rule:

(cut)� co � � co �

� co �

is admissible.Its labelled version needs some discussion. A ‘naive’ variant would be:

x :� co M : � y :� co N : �

x :� co [M=y]N : �

But note that the term[M=y]N may not be a coercion; in particular, it may not be in�-nf (cf. Lemma 2.4). However,without making use of the strong normalization property ofSystem F, we can prove that[M=y]N normalizes:

LEMMA 2.16Assume thatx :� co M : � andy : � co N : �. Then, there exists a unique, finite path of�-reductions from[M=y]N . Consequently, there exists a unique�-nf of [M=y]N .

PROOF. By the linearity of coercions (Lemma 2.2),M andN are linear, and so the term[M=y]N is also linear (remember that the only free term variable ofM is x and ofN is y).Observe then that, becauseM andN are in�-nf (Lemma 2.4), only one�-redex may existin [M=y]N . And each subsequent�-reduction from[M=y]N preserves linearity and mayintroduce only one new�-redex. Furthermore, each such�-reduction decreases the numberof �s, sayn, originally in [M=y]N . Thus, there is a unique path, with at mostn steps, of�-reductions from[M=y]N .

The existence and unicity of the�-nf of [M=y]N now motivates the following alternativeversion of the labelled (cut)-rule, where nf�([M=y]N) means the�-nf of [M=y]N :

(cut)x :� co M : � y :� co N : �

x :� co nf�([M=y]N) : �

Our aim will be to show thatx : � co nf�([M=y]N) : � is actually a coercion (i.e.derivable inCo`). In other words, that the rule above is admissible.

Note that (cut) is a ‘cut’ rule in the usual sense of sequent calculi. Thus, proving theadmissibility of (cut) is equivalent to proving acut-elimination theorem for the extendedsystemCo` plus (cut). Observe too that subject reduction is vacuously true in the extendedsystem: all terms inCo` plus (cut) are in�-nf.

3 Completeness, transitivity and coherence

3.1 Completeness of Co`

The standard notion of erasure, defined as follows, will serve to characterize coercions.

DEFINITION 3.1 (Erasure)The erasure of a polymorphic term to a type-free term is defined by:erase(x) � xerase(�x :�:M) � �x:erase(M) erase(MN) � erase(M)erase(N)erase(�X:M) � erase(M) erase(M�) � erase(M)


By straightforward induction on derivations, one shows that the erasure of a coercion�-reduces to the identity (in the type-free�-calculus).

LEMMA 3.2If x :� co M :� thenerase(M)�!� x.

Conversely, we will now show that any System F term in�-nf whose erasure�-reducesto a term variable is a coercion. This will give a complete characterization of coercions.Moreover, it will be a key step in the proof of transitivity ofco and in relating our systemto that of Mitchell [24] (Section 4). The proof proceeds by syntactic analysis of the normalform.

THEOREM 3.3 (Completeness)Let M be a term in�-nf such that x : � F M : � and erase(M) �!� x. Then,x :� co M : � .

PROOF. By the assumption thatM is in �-nf,M must have the following structure:

M � �~Y1 : �y1 :�1 : : : : �~Yk : �yk :�k : �~Yk+1 : x0~�1M1 : : : ~�nMn~�n+1

with each subtermMi, for 1 � i � n, in �-nf. Furthermore, the assumptionerase(M) �!�

x implies thatx0 � x, k = n and erase(Mi) �!� yi for 1 � i � n. The fact thaterase(Mi) �!� yi means thatyi is the only free term variable inMi. So, by lemma 2.5:yi :�i F Mi : �i. (The concrete form of�i may be found but we don’t need it.)

We thus have that the subtermsMi, 1 � i � n, are in�-nf with erase(Mi) �!� yi andyi :�i F Mi : [~�1= ~X1; : : : ; ~�i= ~Xi]�i. The proof now proceeds by induction on the size ofM .Base case:M � x is trivial.Inductive step: three cases as follows.(a) Case: at least one of the lists~Yk is non-empty.M then has the form

M � �y1 :�1 : : : : �yi�1�~Yi : �yi :�i : : : : �~Yn:�yn : �~Yn+1 : x~�1M1 : : : ~�nMn~�n+1

where~Yi is the leftmost of such lists. The type� of M is

� = (�1 ! : : : ! 8~Yi:(�i ! : : : 8~Yn:(�n ! 8~Yn+1:�0) : : :):

Consider the termM 0 obtained by erasing only�~Yi and the type� 0 of M 0:

� 0 = (�1 ! : : : ! (�i ! : : : 8~Yn:(�n ! 8~Yn+1:�0) : : :):

The judgementx :� `M : � is derivable from the judgementx :� `M 0 : � 0 by repeated (8iright). By Lemma 2.6,x :� F M : � impliesx :� F M 0 : � 0. Obviouslyerase(M 0) �erase(M) �!� x. Thus, by inductive hypothesis,x : � co M 0 : � 0. Now, by (8i right),x :� co M : � .(b) Case: all~Yi are empty but~�1 is non-empty. The termM has the structure

M � �y1 :�1 : : : �yn : : x~�1M1 : : : ~�nMn~�n+1:

Notice thatx :� F x~�1 : �0 for certain�0 sincex~�1 is a subterm of an F-term (Lemma 2.5).Moreover,x : � co x~�1 : �0 (it may be derived by8left in Co` ). LetM 0 be obtained byreplacement ofx�1 by a fresh variablez.


The judgementx :� F M : � is derived by (8 left) from z :�0 `M 0 : � . By Lemma 2.6,z :�0 F M 0 : � . Obviously,erase(M 0) �!� z becauseerase(M) �!� x. By inductivehypothesis,z :�0 co M 0 : � and by (8 left), x :� co M : � .(c) Case: all~Yi are empty and~�1 is empty butn � 0 (else we have the base case). The type� of M is

� = (�1 ! : : : ! (�n ! �0) : : :):

We need also the type� 0

� 0 = (�2 ! : : : ! (�n ! �0) : : :):

By inductive hypothesis, we may assume that the subtermM1 is a coercion:y1 :�1 co M1 :�1.

Consider the termM 0 obtained by erasure of�y1 and replacement ofxM1 by a freshvariablez; the type ofz is easily derived sincexM1 is an F-term. The type ofx must besome� � �1 ! �01 andx : � F xM1 : �01. The judgementx : � F M : � is derivedby the rule! from z : �01 ` M 0 : � 0. Thus, by Lemma 2.6z : �01 F M 0 : � 0. Obviously,erase(M 0) �!� z. By inductive hypothesis,z : �01 co M 0 : � 0 and by the rule (!),x :� co M : � .

Since�-reductions and expansions do not affect the propertyerase(M) �!� x, we havethe following corollary.

COROLLARY 3.4ForM in �-nf, assume thatx :� F M : � and M �!� M 0. Then,x : � co M : � iffx :� co M 0 : � .

Since coercions are in�-normal form, this amounts to the subject reduction property forcoercions.

3.2 Equality=�co

Equality of coercions is defined, essentially, by�-equality plus a coercion version of theF� [8] rule (eq appl2). Since coercions are in�-normal form,�-equality need not be con-sidered and we showed previously that coercions are closed with respect to�-equality. Thecorecion version of (eq appl2) is motivated by Mitchell’s system and semantical considera-tions based for example on PER models (see Section 6.3).

Let us write x :� co M =�co N : � to mean thatM andN are equal coercions from�to � . This relation is defined as follows.

DEFINITION 3.5 (Equality of coercions)=�co is the least equivalence relation generated by�-convertibility and the two rules

(eq�)x :� co M : � x :� co M 0 : � M =� M

0

x :� co M =�co M0 : �

(eq appl2 co)y1 : [�1=X ]� co N1 : � y2 : [�2=X ]� co N2 : �

x :8X:� co [x�1=y1]N1 =�co [x�2=y2]N2 : �


3.3 Transitivity of co

We now prove thatco is a transitive relation. More formally, we will prove that:

(cut)x :� co M : � y :� co N : �

x :� co nf�([M=y]N) : �

is an admissible rule inCo`.

LEMMA 3.7Assume thatx :� co M : � and y :� co N : �.Thenerase (nf� ([M=y]N)) =� nf� (erase ([M=y]N)).

PROOF. Note first that, by an argument similar to the proof of Lemma 2.16, there existsa unique�-nf of erase([M=y]N), i.e. nf�(erase([M=y]N)) does indeed exist. The onlydifference is that there will be no�2-reductions in the path fromerase([M=y]N). Next, byLemma 2.16 directly, nf�([M=y]N) exists. Finally, the erasure of nf�([M=y]N) is clearly�-equivalent to the unique�-nf of erase([M=y]N).

THEOREM 3.8 (Transitivity)(cut) is an admissible rule inCo`.

PROOF. Assume thatx : � co M : � andy : � co N : �. By Lemma 2.16, nf�([M=y]N)exists. Sincex : � F [M=y]N : �, then, by subject reduction in System F,x : � F

nf�([M=y]N) : �. Furthermore, since coercions erase to the identity (Lemma 3.2),erase(M)�!� x anderase(N)�!� y. Then:

erase(nf�([M=y]N)) =� nf�(erase([M=y]N)) by Lemma 3.7� nf�([erase(M)=y]erase(N))=� x:

Finally, by completeness ofCo` (Theorem 3.3),x :� co nf�([M=y]N) : �.

Notice that proving the admissibility of (cut) for the systemCo` is equivalent to proving acut-elimination theorem for the extended systemCo`+(cut). See Section 6.4 for a discussionof second-order cut-elimination proofs.

As pointed out in the introduction, if we had taken (cut) as a primitive of the system,then we would have had to eliminate it in any case in order to prove coherence. Moreover,(cut) as primitive would imply that coercions could ‘compute on themselves’ (even withoutinputs), whereas the coercions provided byCo` are guaranteed to be in�-nf. Thus, they onlytransform an element of a type to a supertype without any other kind of computation.

3.4 Coherence of Co`

By coherence, we mean that a coercion from type� to type� is independent of its derivationin Co`in the sense that, if a coercion from� to � exists, then it is unique, up to=�co.

We are now in a position to prove the coherence ofCo` derivations. Note that this is where=�co is used, and thus the strength of the rule (eq appl2 co); we display it first in a lemma.

LEMMA 3.9Let �1 and�2 be two derivations ofx :� co M : � andx :� co N : � ending with (8 left).Then,�1 =�co �2.


PROOF. Let� � 8X:�0, M � [x�1=y1]N1 andN � [x�2=y2]N2. The final steps in�1 and�2 are respectively:

�l

y1 : [�1=X ]�0 co N1 :�(8 left)

x :8X:�0 co [x�1=y1]N1 :�

�r

y2 : [�2=X ]�0 co N2 :�(8 left)

x :8X:�0 co [x�2=y2]N2 :�

Now, use (eq appl2 co) on both premisses:

�l

y1 : [�1=X ]�0 co N1 :�

�r

y2 : [�2=X ]�0 co N2 :�(eq appl2 co)

x :8X:�0 co [x�1=y1]N1 =�co [x�2=y2]N2 : �

Hence, by definition,�1 =�co �2.

THEOREM 3.10 (Coherence ofCo` derivations)Let �1 and�2 be two derivations ofx : � co M : � andx : � co N : � respectively. Then,�1 =�co �2.

PROOF. By Lemma 2.13, we may assume�1 and�2 to be atomic derivations, up to=�. Theproof then proceeds by induction onn = maxfsize(�1); size(�2)g. By Lemma 2.15, thereexist atomic derivations�01 = �1, �02 = �2 such that�01 and�02 end with the same rule andhave the same size as�1 and�2 (respect.). Notice that, if the final rule applied is (!) or (8nright), then the premisses in both derivations are the same.Base case,n = 0: Both derivations are atomic axioms (trivial).Inductive step,n � 1: There are three subcases:Case: (8 left) is used last. Then, Lemma 3.9 suffices. Note that, in this case, we do not needto apply the induction hypothesis.Cases: (!) or (8n right) are used last, the same in both derivations. Then, the respectivepremisses of the last rule in both derivations coincide. Use then the induction hypothesis onthese premisses, followed by the equality rules (eq!) or (eq8n right).Thus�1 =�co �2.

It will be an easy corollary of coherence and the transitivity ofco (Section 3.3) thatx :� co M : � and x : � co N : � implies that� is isomorphic to� . In other words, co isanti-symmetric up to isomorphism.

3.5 Bicoercibility

Consider now the term modeljCo` j of Co`, i.e., the structure whose objects are types andarrows are coercions.jCo` j is a category. Indeed, by (ax), it contains all identities. By thetransitivity of co , coercions (arrows) compose: just observe that if

x :� co M : � and y :� co N : �

then there existsP such thatx :� co P : � andP is unique by coherence. As for associativ-ity, this is again given by coherence.j Co` j is even a partial order: by the corollary below, anti-symmetry ofco is a con-

sequence of coherence and transitivity of entailment. Define first the following relation ofbicoercibility between types:


DEFINITION 3.11 (Bicoercibility)Two types� and� are bicoercible, written� �

=

b� , iff � co � and � co �.

For example,� �=

b8X:� for X not free in� . Now, recall that, in a category, two objects

A andB are isomorphic, A �= B, if there are mapsf : A ! B andg : B ! A such thatg Æ f = id andf Æ g = id. Thus, one can prove the following:

COROLLARY 3.12 (Anti-symmetry)If � �

=

b� then � �= � in jCo` j.

PROOF. By assumption,x :� co M : � and y : � co N : �. By (cut), we obtainx :� co

nf�([M=y]N) : � andy : � co nf�([N=x]M) : � , then, by coherence, nf�([M=y]N) =�co

x and nf�([N=x]M) =�co y.

Note that bicoercibility is strictly stronger than isomorphism: the type� ! (� ! �) isisomorphic to� ! (� ! �) (see [28, 3] for a characterization) but it is clearly not a subtype,and so not bicoercible. Tiuryn in [29] has shown that bicoercibility is decidable, while Tiurynand Urzyczyn [31] have shown that coercibilityco , that is, subtyping, is undecidable.

As pointed out,j Co` j is a category and a partial order. This allows a preliminary ob-servation on adding base types (int, real, etc.) with axioms introducingco between thesetypes (e.g.int co real). In short, one obtains the freely generated partial order, from thesebase types, by our axioms and rules. A proof-theoretic analysis of this fact will be given inSection 5.

4 Mitchell’s subtyping system

In [24], a ‘retyping function’ is defined as a typed term in System F whose erasure�-reducesto the identity. In [24, Lemma 9], it is then shown that� is a subtype of� in all ‘simpleinference models’ (as defined in [24, Section 4.2]) if and only if there is a retyping functionfrom � to � . Thus, our Theorem 3.3 also yields semantic completeness, in the sense ofMitchell, forCo`. In this section, we give a direct comparison ofCo` to Mitchell’s axiomaticapproach to subtyping, presented here in a revised (but clearly equivalent) way.

Mitchell’s Subtyping System

(ax) � � � (trans)� � � � � �

� � �

(!)�0 � � � � � 0

(� ! �) � (�0 ! � 0)(8 subst)

� � �

8X:� � 8X:�

(8 intro) � � 8X:� (8 elim) 8X:� � [�=X ]�� for X not

free in �

(8! distr) 8X:(� ! �) � (8X:�)! (8X:�)


It is not hard to show that the unlabelled systemCo` and Mitchell’s system are equivalent.

THEOREM 4.1� � � iff � co � .

Proof. Clearly, rules (ax) and (!) are identical in the two systems (withco for �). For theimplication from left to right, the rule (trans) in Mitchell’s system above corresponds to theCo` rule (cut) which, by Theorem 3.8, is admissible forCo`; the other cases in this directionare proven as follows:Case: (8 intro) is derivable inCo` sinceX is not free in�

� co �

� co 8X:�(80 right)

Case: (8 elim) is derivable inCo`

[�=X ]� co [�=X ]�

8X:� co [�=X ]�(8 left)

Case: (8 subst) is derivable inCo`

[X=X ]� co �

8X:� co �(8 left)

8X:� co 8X:�(80 right)

Case: (8! distr) is derivable inCo`+(cut)

8X:� co � � co �(!)

8X:(� ! �) co � ! � � ! � co (8X:�)! �

8X:(� ! �) co+cut (8X:�)! �(cut)

8X:(� ! �) co+cut (8X:�)! (8X:�)(81 right)

Conversely, the remaining cases of the implication from right to left are proven as follows:Case: (8 left) is derivable in Mitchell’s system by

8X:� � [�=X ]� � �

using (trans) on (8 elim) and the premiss of (8 left), i.e.,[�=X ]� � � .Case: (8n right) is derivable in Mitchell’s system as follows:

� � 8X:� by (8 intro) and(8n right) side-conditionX not free in�� 8X:(�1 ! : : : (�n ! �) : : :) by (8 subst) on (8n right) premiss� (8X:�1)! 8X:(�2 ! : : : (�n ! �) : : :) by (8! distr)� (8X:�1)! ((8X:�2)! 8X:(�3 ! : : : (�n ! �) : : :)by (8! distr) and(!)

�...

� (8X:�1)! ((8X:�2)! : : : ((8X:�n)! (8X:�) : : :)by (8! distr) and(!)

� �1 ! (8X:�2)! : : : (8X:�n)! (8X:�) : : :)by (!); (8 intro) and(8n right) side-conditionX not free in�1

�...

� �1 ! (�2 ! : : : (�n ! 8X:�) : : :)by (!); (8 intro) and(8n right) side-conditionX not free in�n.


5 Coercions and base types

This section extends the results of the previous sections to subtyping systems containingcoercions between base types.

5.1 Systems F+B and Co`+B

Consider extending the language ofCo` with type constants�1; �2; �3; ::: For example, thesecould be base types such asbool, int, real. As in the case ofCo`, the extended system willbe considered together with the corresponding extension of System F.

SystemF+B is obtained by adding to the language of System F type constants�1; �2;�3; ::: and term constantsci;j for eachi; j such that a subtyping relation holds between�i; �j ,and adding an axiom (with� an arbitrary context)

� F+B ci;j : �i ! �j :

SystemCo`+B is defined in its labelled and unlabelled versions, with the language ex-tended in the same way as for System F. In the labelledCo`+B system, the followingGentzen-style rule is added:

(�i � �j)x :� `M : �i

x :� ` ci;j M : �j

It is a derivable rule with respect to systemF+B. In its unlabelled version, this rule takesthe form:

(�i � �j)� ` �i

� ` �j

Let co+B denote entailment in this extended system. What happens then to the subtypingpartial order and the coherence and transitivity properties of the ‘pure’ calculusCo`?

First, observe that the expected subtyping judgmentx :�i co ci;j x : �j is easy to derive:just take� = �i andM � x in the above rule. Indeed, as we now show, the new constantsand rules introduce no new subtyping judgments beyond those expected. In a sense, basecoercions act like variables; they do not compute.

LEMMA 5.1 (Conservativity ofCo`+B with respect toCo`)Assume that types� and� do not contain occurrences of base types. Considerx : � co+B

M : � (in the labelled system). IfM contains neither base types norci;j , thenx :� co M : � .In the unlabelled system, if� co+B � then � co � .

PROOF. First, let� be aCo`+B derivation (labelled or unlabelled) of a sequentS, whereS may contain base types. Observe that by uniformly substituting in�, a fresh variableXfor all base types�1; : : : �n and omitting the (�i � �j) rules, we obtain aCo` derivation of[X=�1; : : : ; X=�n]S. This is easily shown by induction onCo`+B derivations. The lemmathen holds as a corollary of this observation.

5.2 Structural lemmas concerning base types

We will require notions of equality onCo`+B derivations, defined similarly to the equalitiesonCo` derivations (see Section 3.2), and for which we will use the same symbols:=, =�,


=�co. At the moment, we need only=. (Recall that two derivations are= when the proofterms labelling their final sequents are syntactically identical.)

LEMMA 5.2A (�i � �j) rule cannot be applied at any point after an application of either (8n right) or(!).

LEMMA 5.3A (�i � �j) rule can be permuted with (8 left) in both directions (the labels are not changedand the size of the new derivation is the same as the original one):

S1S2

(�i � �j)

S3(8 left)

=

S1S02

(8 left)

S3(�i � �j)

LEMMA 5.4Assume� co+B � with derivation�.(1) If � contains neither! nor8, then� may contain applications of only (ax), (�i � �j),and (8 left).(2) If � contains neither! nor8, then� may contain applications of only (ax), (�i � �j),and (80 right).

PROOF. By induction on the size of� in both cases. Note that, in both cases, the derivationshave just one branch.

LEMMA 5.5 (Subtypes and supertypes of a base type)(1) Let � co+B �. Then,� = 8Xl : : :8X1:�

0, for somel � 0 with �0 either a base type�0

or a variableXi for i 2 1 : : : l.(2) Let � co+B � . Then,� = 8Xm : : :8X1:�

0 for some base type�0 andm � 0.

PROOF. Consider statement (1). By Lemma 5.4 case 1, the derivation of� co+B � consistsof applications of only (ax), (�i � �j), and (8 left). The derivation is linear, not a tree. Theapplications of (�i � �j) can be permuted by Lemma 5.3 with the applications of (8 left),if any. Furthermore, (ax) must be of the form�0 co+B �0. Thus, an equal derivation of� co+B � may be constructed with the following structure:

�0 co+B �0 (ax)(8 left)...

...

8Xl : : :8X1:�0 co+B �0(8 left)

8Xl : : :8X1:�0 co+B �p(�0 � �p)

...

...

8Xl : : :8X1:�0 co+B �q

...

8Xl : : :8X1:�0 co+B �(�q � �)

wherek � 0 is the number of applications of (�i � �j) rules, i.e., (�0 � �p), . . . , (�q � �),andl0 � 0 is the number of applications of (8 left). Note thatl � l0.


Consider statement (2). By Lemma 5.4 case 2, the derivation of� co+B � can containapplications of only (ax), (�i � �j), and (80 right). By Lemma 5.2, all the applications ofthe (�i � �j) rules must appear before those of (80 right). Furthermore, (ax) must be of theform � co+B �. Hence, the derivation has the following structure:

� co+B � (ax)

� co+B �p(� � �p)

......

...

� co+B �q

...

� co+B �0(�q � �0)

� co+B 8X1:�0(80 right)

......

...

� co+B 8Xm : : :8X1:�0(80 right)

wherek � 0 is the number of applications of (�i � �j) rules, i.e., (� � �p), . . . , (�q � �0),andm � 0 is the number of applications of (80 right).

COROLLARY 5.6(1) Let x :� co+B M :�. Then,M � ck(: : : c1(x�l0 : : : �1) : : :) wherec1; : : : ; ck denoteci;j for correspondingi; j and[�l0=Xl] (: : : ([�1=X ]�) : : :) = �0 3.(2) Let x :� co+B M :� . Then,M � �Xm : : : �X1 : ck(: : : c1x) : : :)

Note that the permutations of rules described in the lemma change neither labels nor thesize of the derivations.

Lemma 5.5 shows that adding extra base types and base coercions changes the subtypingpartial order in a reasonable way: each base type has only itself, the empty type, or otherbase types, given by the extra subtyping rules, as its subtypes (up to bicoercibility, of course).Indeed, for case 1 of Lemma 5.5,� �

=

b�0 or � �

=

b8X:X , while for case 2,� �

=

b�0.

Modifications to structural lemmas of Section 2.3Adding base types changes little of most of the formulations and proofs of Section 2.2. Sys-temsCo` andF should be replaced everywhere byCo`+B andF+B respectively. Some-times an extra case should be considered in the proof: for example, Lemma 2.5 for the casewhen the ruler is a base type rule.

The definition of an atomic derivation (Definition 2.12) is modified as follows.

DEFINITION 5.7 (Atomic derivation with base types)An atomic derivation is one in which, for any base type�, all axioms are of the formx :X co+B x : X or x :� co+B x : � in the labelled system, and of the formX co+B X or� co+B � in the unlabelled system, respectively.

Only Lemma 2.15 is modified more seriously as follows.

3The numberl0 need not be equal tol since the types� may themselves contain8.


LEMMA 5.8Let �1 and�2 be two atomic derivations ofx : � co+B M : � andx : � co+B N : �respectively. Then, there exist atomic derivations�01 = �1 and�02 = �2 such that�01 and�02have the same size as�1 and�2, respectively, and

� either both end with the same rule,

� or at least one ends with a base type rule.

PROOF. In the case when both derivations end with some rule that is not a base type rule, themodified versions of Lemma 2.11 and Lemma 5.2 should be used instead of Lemma 2.11. Ifat least one ends with a base type rule, then Lemma 5.5 is applied.

To the modified version of Lemma 2.16 (which asserts that ifM;N areCo`+B terms, thenthe�-nf of [M=x]N exists and the reduction is linear), one may add the following obviousobservation: ifM � ci;jM

0 then[M=x]N is �-normal.

5.3 Completeness of Co`+B

The definition of erasure (see Section 3.1) must also be extended to account for base coer-cions.

DEFINITION 5.9 (Erasure of base coercions)erase(ci;j M) � erase(M).

LEMMA 5.10If x :� co+B M :� thenerase(M)�!� x.

THEOREM 5.11 (Completeness ofCo`+B)Let M be a term in�-nf such thatx : � F+B M : � and erase(M) �!� x. Then,x : � co+B M : � .

PROOF. Almost identical to the proof of completeness for the pure systemCo` (Theorem 3.3).Sinceci;j has the typeki ! kj , M , in �-nf, has the following general structure:

M � �~Y1 : �y1 :�1 : : : �~Yk : �yk :�k : �~Yk+1 : c1(: : : (cl(x~�1M1 : : : ~�nMn~�n+1)) : : :):

First the same cases as in Theorem 3.3 are considered (using modified lemmas). Then if noneof them apply, Lemma 5.5 and its Corollary 5.6 may be used.

Corollary 3.4 holds forCo`+B (i.e. one has the subject reduction property forCo`+B).

5.4 Transitivity

The fact that modified Lemma 2.16 holds forCo`+B terms justifies the definition ofcut(transitivity) for the labelled system as the following rule:

(cut)x :� co M : � y :� co N : �

x :� co nf�([M=y]N) : �

Recall that reduction to normal form is linear.The proofs of the following lemma and theorem are similar to the proofs of Lemma 3.7

and Theorem 3.8.


THEOREM 5.14 (Weak coherence ofCo`+B)Assume that bothci;j anddi;j are coercion constants between base types�i and�j . Ify :� co+B M :�i, then x :8X:� co+B ci;j ([xX=y]M) =�co di;j ([xX=y]M) : �j .

PROOF. The assumption means that the following two rules have been added:

x :� co+B M : �i

x :� co+B ci;j M : �j

x :� co+B M : �i

x :� co+B di;j M : �j

Construct then the following derivation:

y :� co+B M : �iy :� co+B ci;j M : �j

y :� co+B M : �iy :� co+B di;j M : �j

x :8X:� co+B ci;j ([xX=y]M) =�co di;j ([xX=y]M) : �j(eq appl2 co)

In particular, sincex :8X:�i co+B xX :�i, this weak coherence theorem implies equalityof the composition ofci;j anddi;j with the coercionxX : just take� = �i andM � y.Clearly though, the theorem does not imply the equality ofci;j anddi;j .

In order to prove full coherence forCo`+B, we need to force unicity of coercions (co-herence) on base types. This may be done by adding a rule for equality on base types asfollows.

DEFINITION 5.15=�coB is the least equivalence relation generated by=�co plus the following rule:

(eq base co)x :�i co+B M : �j x :�i co+B N : �j

x :�i co+B M =�coB N : �j

Note that, by the corollary to Lemma 5.5, the termsM andN must have the structureci(: : : (c1x) : : :) andc0j(: : : (c

01x) : : :), respectively.

The condition on coercions between base types may be compared with the condition ofcoherence on basic coercions in [16].

THEOREM 5.16 (Coherence ofCo`+B)Let �1 and�2 be two derivations ofx : � co+B M : � andx : � co+B N : � respectively.Then,M =�coB N .

PROOF. The proof is similar to the proof of coherence for the pure systemCo` (Theo-rem 3.10) but instead of Lemma 2.15, we have to use its modified version (Lemma 5.8).

An extra case has to be considered: at least one of�1, �2 ends with a(base) rule. Inthis case,� = � for some base type�. By Lemma 5.4 case 1, both�1 and�2 may containapplications of only (ax), (�i � �j), and (8 left) rules. Apply Lemma 5.3 to both derivations,permuting all applications of (�i � �j) rules before those of (8 left), thus obtaining thefollowing two derivations:


�0 co+B �0 (ax)

�0 co+B �p(�0 � �p)

...

...

�0 co+B �q

...

x :�0 co+B M : �(�q � �)

(8 left)......

8Xl : : :8X1:�0 co+B �(8 left)

�0 co+B �0 (ax)

�0 co+B �p0(�0 � �p0)

...

...

�0 co+B �q0

...

x :�0 co+B N : �(�q0 � �)

(8 left)......

8Xl : : :8X1:�0 co+B �(8 left)

Note that the applications of (8 left) are the same in both derivations but the applicationsof (�i � �j) rules, and their number, may differ.

Ignore now the applications of (8 left) and consider the (sub)derivations ofx : �0 co+B

M : � andx :�0 co+B N : � in each derivation. By simple application of the equality rule(eq base co) above, obtainx : �0 co+B M =�coB N : �. Then, since (8 left) preservesequality of coercions (implied by (eq appl2 co); see remarks Section 3.2), we are done.

COROLLARY 5.17Each (�i � �j) rule preserves equality of coercions.

PROOF. Assume that a rule (� � �0) has been added to the system, and assume that theequality x :� co+B M =�coB N : � has been derived.

The equality implies thatx :� co+B M : � and x :� co+B N : �. By application of therule (� � �0), we obtain bothx :� co+B ci;j M : �0 and x :� co+B ci;j N : �0 whereci;jis the base coercion given by the rule. Use now the same proof technique as in Theorem 5.16to derivex :� co+B ci;j M =�coB ci;j N : �0.

Coherence guarantees unicity of coercions on all types. As in the pure systemCo`, itimplies that bicoercible types are isomorphic. And, as inCo`, coherence implies the asso-ciativity of coercion composition, as given by transitivity of entailment.

6 Related work on subtyping

6.1 Proof-theoretic analyses

In light of the proof-theoretic investigations that the problem of subtyping has stimulated, itis fair to say that ‘the notion of subtyping is one of the most important concepts introducedrecently into the theory of functional languages’ [30].

Let’s quote some relevant papers. [6] solves the difficult problems of coherence and mini-mum typing in a different context. Clearly, if a term belongs to a type and to any larger type,then it has no unique type nor does it code a unique proof (or type derivation). Of course,the contravariant behaviour of! (on the left) and second-order quantification complicate theproblem. Yet, in [6], it is shown that each proof reduces to a unique ‘normal’ one, whichalso yields the minimum type of its coding term (see also [25]). Other extensions of vari-ous lambda-calculi further clarified the issue of subtyping at a syntactic level. The approachin [2] significantly departs from the ‘intended’ meaning in the previous papers: the subtyping


In PER models, coercions are not arbitrary maps; nor are they identities. Indeed, this makesno sense in typed frameworks: if� � � but� and� are different, there is no identity from�to � . This is so both in models and in theories. Note that PER models are constructed over anunderlying model of the type-free lambda calculus. Any model of partial combinatory logicmay suffice, see [15] say, and in particular Kleene’s(!; :): in this case,n:m stays for thenthindex or Turing Machine applied tom.

Thus, in the PER model, terms are interpreted as equivalence classes of elements of!.More precisely, define the erasure of a typed term to be the type-free term obtained by erasingall type information. Then, a term is interpreted by the equivalence class of (the interpretationof) its erasure. This allows second-order quantification to be interpreted as intersection, sincethe intersection is isomorphic to a categorical product [18]. In short, in the model in [4](more precisely in the variant of it in [7, Section 4], a coercionc from� to � transforms eachfng� into fng� , wherefng� denotes the equivalence class ofn in � andfng� is generallysmaller thanfng� . Thus,c is computed, in particular, by any indexi of the identity function;equivalently,c is represented byfig�!� , sincefig�!� :fng� = fi:ng� = fng� . Clearly,fig�!� contains many more elements than the indices of the identity function on!, when�or � are different from!. Using erasures in order to interpret typed terms, then this suggeststhat syntactic coercions are typed terms, different, in general, from the identity, but whoseerasure is equal to the identity�x:x. This idea is nicely used in [24]. It gives the syntacticcompleteness theorem for our ‘logic of subtyping’, systemCo`.

6.3 Semantics of equality, =�co

The semantics, indeed the consistency, of (eq appl2 co) deserves close attention. The follow-ing remarks are likewise intended for the reader familiar with PER models.

Rule (eq appl2 co) is valid in the PER model of subtyping [4]. More precisely, it is valid inthe interpretation of subtyping with explicit coercions, given in [7] for the systemQuestC .This can be seen as follows. Recall that, under an environment�, the interpretation ofM : �is given by the equivalence classf[[erase(M)�]]g�, where, by an abuse of language, we usethe same name for both a type� and its meaning as a p.e.r.. (See the introduction and [7] onhow type-free and typed environments are related; in short, a type-free environment� ‘picksout’ an element of the equivalence class of the typed�0.) Assume now thatyi : [�i=X ]� fori = 1; 2, andx : 8X:�. If both [�i=X ]� for i = 1; 2 are subtypes of�, then the equivalenceclassesf�(yi)g[�i=X]� are coerced to the (larger) equivalence classesf�(yi)g� for i =1; 2. Note now that, forx : 8X:�, one hasx�i : [�i=X ]� anderase(x�i) = erase(x) =x. Then, by the interpretation of polymorphic application (see [18]),f�(x)g8X:� : �i =f�(x)g[�i=X]� , which is also equal to the interpretation ofx�i : [�i=X ]�.

The validity of the premisses of (eq appl2 co) means that, in the model,Ni coerces themeaning of any term in[�i=X ]� into an equivalence class of�. In particular, both interpreta-tions f�(x)g[�i=X]� of x�i : [�i=X ]�, i = 1; 2, are coerced byNi to thesame equivalenceclass f�(x)g�, which does not depend oni. This is exactly the validity of the consequenceof (eq appl2 co).

As recalled in the introduction, the coercionsN1; N2 are interpreted by functions com-puted (also) by indexes of the identity function. In general, though, they are not them-selves identities andf�(yi)g[�i=X]� may be strictly smaller thanf�(yi)g� (and each ofthe f�(x)g[�i=X]� may be strictly smaller thanf�(x)g�). In [8], it is said that (eq appl2),which contains no coercions, is valid in PER models. This is correct but only modulo ‘forget-


ting’ the coercions in the model (as was suggested in [4]). However, this does not correspondexactly to the structure of PER models, where coercions are non-identical maps (see [7] fora more detailed discussion). Thus, (eq appl2 co) is a more precise formalization of ‘truth’, asgiven in PER models, than (eq appl2).

6.4 Second-order cut-elimination proofs

The reader may wonder why the cut-elimination proof (Theorem 3.8) is so simple for a sys-tem which contains higher-order types and/or why we couldn’t just derive it from the proofsof more expressive systems. It is known that impredicative second-order logic requires pow-erful tools to yield cut-elimination or normalization proofs [12, 13]. Yet, in [21], we giveanother direct proof of cut-elimination forCo` plus (cut) by a proof that does not rely oncompleteness: a non-obvious exercise. For the reader interested in the issue, we analyse herethe key difficulties of a direct proof and some analogies and differences with respect to othercalculi. We use [13] as a reference.

For a first-order system, the proof of cut-elimination considered in Chapter 13 of [13] isdivided into two main parts: Sections 13.1 and 13.2. The first part is the basis for an inductionon the size of derivations: ‘cuts’ are permuted with other rules and, when possible, they aremoved up. Among the key cases, there are two crucial ones: cases 6 and 7 (or 8). Case 6 hasan arrow as the cut formula, and the point there is that if one ‘swaps’ the cut rule with theright and left-arrow rules, the cut rule is, unlike the preceding cases, NOT moved up, and astraightforward induction would then fail. This is the reason for introducing (in Section 13.2)the notion of ‘degree’Æ of a formula and using a combined induction on derivations ANDdegrees: in case 6, Section 13.1, the degree of the cut formula does decrease (not the size ofthe derivation).

Fortunately, in the first-order case, the notion of degree of a formula does not present anyproblems (Section 13.2): it is preserved under instantiation of a term variable by a term (e.g.Æ(A[t=x]) = Æ(A)). By this, the degree of the cut formulae in case 7 (and 8) of Section 13.1does not change when moving up the cut rule. And the combined induction goes through.

However, this form of combined induction cannot be used in the presence of higher-order(impredicative) formulae: no degree or measure on formulae is preserved by instantiation ingeneral. Girard and Tait’s proof by ‘candidates of reducibility’ employs a powerful techniqueto overcome this crucial difficulty of impredicative systems. The heavy inductive loadingused (conditions CR 1,2,3 of chapters 6 and 14) requires the intended set of terms (candi-dates of reducibility) to be closed under reductions and expansions. In our case of a directproof [21], the difficulties of case 6 (Section 13.1 of [13]) are easily handled: that case corre-sponds to (!) occurring simultaneously on the left and on the right, where an arrow formulais eliminated, by cut. This gives a symmetric situation and allows one to move up the last cutrule, in contrast to case 6 in [13]. Thus, we do not need to introduce an induction on degreesof formulae, which would, in turn, cause problems in an impredicative system, like ours.Moreover, we can neither refer to nor use the candidates of reducibility, even thoughCo` isa subsystem of System F: the terms of our system with the cut rule are not closed under�-expansions (CR3), as pointed out before Lemma 2.16. Note that, in general, cut-eliminationcannot automatically be applied to subsystems: there are easy counter-examples.

In the present approach, we used a simpler technique. The linearity of terms gives an im-mediate normalization theorem; then the completeness result (Theorem 3.3: coercions are ex-actly those F terms that erase to the identity) allows us to avoid a step-by-step cut-elimination


and refer to the ‘evaluation’ (nf�) of a term’s erasure (cf. recent results on ‘normalization-by-evaluation’ [5]).

7 Conclusions

The purpose of the calculusCo` presented in this paper is to give a coherent logical meaningto the notion of subtyping:� is a subtype of� if � implies (entails)� . This meaning isthe most obvious relation between logical implication and naive set-theoretic inclusion. Themain advantage of our approach is thatCo` has a sound logical ‘status’, independently of itsintended meaning for subtyping. This is obtained by presenting entailment in the frame ofa second-order sequent calculus, where quantification is introduced and eliminated by rightand left rules. We could then state and prove relevant properties such as coherence and theadmissibility of (cut), which is equivalent to a cut-elimination theorem.

It should be clear why we do not take the (cut) rule as part of the definition of our sub-typing system. In order to obtain coherence, we would need to eliminate it anyway. Andcoherence is used to prove anti-symmetry. Moreover, without (cut), all our proof-terms (de-finable coercions) are in normal form, as only (cut) may introduce redexes, exactly as in the�-calculus.

In view of its formal relation to (cut), it may be fair to say that our system of subtyping isthe least but still meaningful system for implication that also handles second-order universalquantification. Indeed, what weaker but still meaningful computation is there than ‘takean input and transform it into an element of a larger type’? And, intuitionistically, logicalimplications are computations. By our system, we characterized the logical implicationswhich are coercions and explicitly used this characterization in the main results.

In the final section, we extendedCo` with base types. Transitivity and coherence holdin this extended calculus, which is conservative overCo`. In view of the work in [2, 8, 6],further extensions can be studied, in particular, with a Top type, records, variants and boundedquantification. Moreover, a joint system F+Co` could also be relevant for investigatinggeneral polymorphic subtyping.

Acknowledgements

We would like to thank Jerzy Tiuryn for his close analysis and critical insight into our work.We also acknowledge the comments of an anonymous referee on a previous version of thispaper, as well as the referees of the present version.

Sergei Soloviev was supported by a British EPSRC grant GR/K79130 while working atDurham University (1996–98); his work was also funded by HCM Project CHRX-CT93-0046 ‘Typed Lambda Calculus’ (while visiting ENS, Paris) and ‘CLICS II’. Giuseppe Longo’swork was partially supported by HCM Project CHRX-CT93-0046 ‘Typed Lambda Calculus’.

References[1] M. Abadi, L. Cardelli and P.-L. Curien. Formal parametric polymorphism,Theoretical Computer Science, 121,

9–58, 1993.[2] V. Breazu-Tannen, T. Coquand, C. Gunter and A. Scedrov. Inheritance as implicit coercion,Information and

Computation, 93, 172–221, 1991.[3] K. Bruce, R. Di Cosmo and G. Longo. Provable isomorphisms of types,Mathematical Structures in Computer

Science, 2, 231–247, 1992.


[4] K. Bruce and G. Longo. A modest model of records, inheritance, and bounded quantification,Information andComputation, 87, 196–240, 1990.

[5] U. Berger and H. Schwichtenberg. An inverse of the evaluation functional for typed�-calculus. InProceedingsof the 6th IEEE Symposium on Logic in Computer Science (LICS), pp. 203–213, IEEE Computer Society Press,1991.

[6] P.-L. Curien and G. Ghelli. Coherence of subsumption, minimum typing and type-checking inF�, Mathemat-ical Structures in Computer Science, 2, 55–92, 1992.

[7] L. Cardelli and G. Longo. A semantic basis for Quest,Journal of Functional Programming, 1, 417–458, 1991.[8] L. Cardelli, S. Martini, J. Mitchell and A. Scedrov. An extension of system F with subtyping,Information

and Computation, 94, 4–56, 1994. First appeared inProceedings of the Conference on Theoretical Aspectsof Computer Software, (Sendai, Japan), T. Ito and R. Meyer, eds., pp. 750–770, Lecture Notes in ComputerScience 526, Springer, 1991.

[9] L. Cardelli and P. Wegner. On understanding types, data abstraction, and polymorphism,ACM ComputingSurveys, 17, 471–522, 1985.

[10] G. Chen. Dependent type system with subtyping. Technical Report LIENS-96-27, Ecole Normale Supérieure,Paris. Revised version to appear inJournal of Computer Science and Technology.

[11] G. Chen. Sous-typage, conversion de types et élimination de la transitivité. Doctoral thesis, Laboratoired’Informatique de l’Ecole Normale Supérieure, Paris. December 1998.

[12] J.-Y. Girard. Une extension de l’interprétation de Gödel a l’analyse, et son application à l’elimination descoupures dans l’analyse et la théorie des types.Proceedings of the 2nd Scandinavian Logic Symposium, J.E.Fenstad, ed., pp. 63–92, North-Holland, 1971.

[13] J.-Y. Girard, Y. Lafont and P. Taylor.Proofs and Types. Cambridge Tracts in Theoretical Computer Science 7,Cambridge University Press, 1989.

[14] J. Hyland. The effective topos. InProceedings of The L. E. J. Brouwer Centenary Symposium, A.S. Troelstraand D.S. van Dalen, eds., pp. 165–216, North-Holland, 1982.

[15] J. Hyland. A small complete category,Annals of Pure and Applied Logic, 40, 135–165, 1988.[16] A. Jones, Z. Luo and S. Soloviev. Some algorithmic and proof-theoretical aspects of coercive subtyping. Se-

lected papers of theInternational TYPES’96 Workshop (Aussois, France, December 1996), E. Giménez and C.Paulin-Mohring, eds., Lecture Notes in Computer Science 1512, pp. 173–196, Springer, 1998.

[17] S. Kleene.Mathematical Logic, Wiley, 1967.[18] G. Longo and E. Moggi. Constructive natural deduction and its!-set interpretation.Mathematical Structures

in Computer Science 1:2, pages 215–253, 1991.[19] G. Longo, K. Milsted, and S. Soloviev. The genericity theorem and the notion of parametricity in the polymor-

phic�-calculus,Theoretical Computer Science, 121, 323–349, 1993.[20] G. Longo, K. Milsted and S. Soloviev. A logic of subtyping (extended abstract). InProceedings of the 10th

IEEE Symposium on Logic in Computer Science (LICS), IEEE Computer Society Press, 1995.[21] G. Longo, K. Milsted and S. Soloviev. A logic of subtyping. Complete version of the previous paper; available

by anonymous ftp from ftp.ens.fr as/pub/dmi/users/longo/logicSubtyping.ps.Z or ... /logicSubtyping.dvi.Z

[22] Zhaohui Luo. Coercive subtyping in type theory. InCSL’96, the 1996 Annual Conference of the EuropeanAssociation for Computer Science Logic, Utrecht, Lecture Notes in Computer Science, v. 1258, 1996.

[23] Q. Ma and J. Reynolds. Types, abstraction, and parametric polymorphism, part 2. InProceedings of the Confer-ence on Mathematical Foundations of Programming Semantics, S. Brookes, M. Main, A. Melton, M. Mislove,and D. Schmidt, eds., pp. 1–40. Lecture Notes in Computer Science 598, Springer, 1992.

[24] J. Mitchell. Polymorphic type inference and containment,Information and Computation, 76, 211–249, 1988.Also appeared inLogical Foundations of Functional Programming, G. Huet, ed., pp. 153–193, Addison-Wesley,1990.

[25] B. Pierce and M. Steffen. Higher-order subtyping,Theoretical Computer Science, 176, 235–282, 1997. A pre-liminary version appeared inProceedings of the IFIP Working Conference on Programming Concepts, Methodsand Calculi (PROCOMET), June 1994, and as University of Edinburgh technical report ECS-LFCS-94-280 andUniversitat Erlangen-Nürnberg Interner Bericht IMMD7-01/94, January 1994.

[26] A. Pitts. Non-trivial power types can’t be subtypes of polymorphic types. InProceedings of the 4th IEEESymposium on Logic in Computer Science (LICS), pp. 6–13, IEEE Computer Society Press, 1989.

[27] J. Reynolds. Polymorphism is not set-theoretic. Proceedings ofSemantics of Data Types, G. Kahn et al., eds.,pp. 145–156. Lecture Notes in Computer Science 173, Springer, 1984.


[28] S. Soloviev. The category of finite sets and Cartesian closed categories,Journal of Soviet Mathematics, 22,1387–1400, 1983.

[29] J. Tiuryn. Equational axiomatization of bicoercibility for polymorphic types. InProceedings of the 15th Con-ference on the Foundations of Software Technology and Theoretical Computer Science, P. S. Thiagarajan, ed.,pp. 166–179. Lecture Notes in Computer Science 1026, Springer, 1995.

[30] J. Tiuryn. A sequent calculus for subtyping polymorphic types. InProceedings of the Conference on Mathe-matical Foundations of Computer Science, Springer, 1996.

[31] J. Tiuryn and P. Urzyczyn. The subtyping problem for second-order types is undecidable. InProceedings of the11th IEEE Symposium on Logic in Computer Science (LICS), IEEE Computer Society Press, 1996.

AppendixThe following rules complete the definition of=�co (Section 3.2); they just say that rules (!) and (8n right) pre-serve equality of coercions:

(eq !)x0 :�0 co M =�co M

0 : � y :� co N =�co N0 : � 0

x :�! � co �x0 :�0 : [xM=y]N =�co �x0 :�0 : [xM 0=y]N 0 : �0 ! � 0

(eq80�k�n right)

x :� co �x1 :�1 : : : �xk :�k:M =�co �x1 :�1 : : : �xk :�k:N: �1 ! : : : (�n ! �) : : :)

x :� co �x1 :�1 : : : �xk :�k : : : �xn :�n:�X:Mxk+1 : : : xn=�co �x1 :�1 : : : �xk :�k : : : �xn :�n:�X:Nxk+1 : : : xn

: �1 ! : : : (�n ! 8X:�) : : :)� for X not free in �

nor in �1; : : : ; �n,for M not of the form �y:M 0,for xk+1; : : : ; xn fresh

(eq80�n<k right)

x :� co �x1 :�1 : : : �xk :�k:M =�co �x1 :�1 : : : �xk :�k:N: �1 ! : : : (�n ! �) : : :)

x :� co �x1 :�1 : : : �xn :�n:�X:�xn+1 :�n+1 : : : �xk :�k:M=�co �x1 :�1 : : : �xn :�n�X:�xn+1 :�n+1 : : : �xk :�k:N

: �1 ! : : : (�n ! 8X:�) : : :)� for X not free in �

nor in �1; : : : ; �n,for M not of the form �y:M 0

for � � �n+1 ! : : : (�k ! � 0) : : :)

Received 2 December 1996

Download - Coherence and Transitivity of Subtyping as Entailment · Coherence and Transitivity of Subtyping as Entailment 495 rule for! are the ﬁrst requests for a logic of subtyping: (ax)

Top Related