Encoding Agda Programs Using Rewriting

In this paper we present an encoding of two common features, universe polymorphism and η-convertibility, in an extension with rewriting of the Edinburgh Logical Framework (LF) [13]. This encoding is at the root of the translator between Agda and Dedukti developed by the author.

2012 ACM Subject Classification Theory of computation → Equational logic and rewriting; Theory of computation → Type theory


Introduction
With the multiplication of proof assistants, interoperability has become a major obstacle to the dissemination of formally verified software among industrial companies. Indeed, many mathematical results have been formalized, using many different proof assistants. Hence, if one wants to use two already proved theorems in her development, there is a high risk that these two proofs live in different systems.
To spare the community the burden of redeveloping the same proofs in each system, the Logipedia project aims at building an encyclopedia of formal proofs, agnostic to the system they were developed in. To do so, the logics of the proof assistants can be encoded in the same logical framework: Dedukti, which is based on the λΠ-calculus modulo rewriting. Once all the logics are encoded in the same framework, it becomes easier to compare them, and hence to export to a target system proofs originally made in another one.
In this article, we present an encoding of two common features, shared by many proof assistants.
The first one is universe polymorphism. Introduced by Harper and Pollack [14], it allows the user to declare a symbol only once for all universe levels, and then to instantiate it several times with concrete levels.
The second one is equality modulo η. In set theory, a function is identified with its graph; hence two functions outputting the same result when fed the same data are equal. In type theory, this is not the case. η-conversion is a weak form of this principle of extensionality: it merely states that f is equal to the function associating to any x the result of f applied to x.

Developed for twenty years, Agda is a dependently-typed functional programming language based on an extension of Martin-Löf's type theory. Thanks to the Curry-Howard correspondence, it is often used as a proof assistant. Furthermore, it features the two ingredients this article focuses on. Hence, the author developed, in collaboration with Jesper Cockx, an automatic translator from a fragment of Agda to Dedukti.

Outline
After a brief presentation of the λΠ-calculus modulo rewriting, Section 2 introduces Cousineau and Dowek's encoding of Pure Type Systems. Section 3 presents a general encoding of universe polymorphism and an instantiation of this encoding in the special case of the predicative two-ladder universe system behind Agda. The main theorem of this section is the preservation of typability by this encoding. Then, Section 4 explains how to encode η-conversion using rewriting. Preservation of the conversion is the main result of this section. Finally, after a presentation of the implementation in Section 5, Section 6 summarizes our results and provides hints on future extensions.

2 Encoding Pure Type Systems in λΠ-modulo Rewriting

In [3], Barendregt presents the λ-cube, a classification of eight widely used type systems, distinguished from each other by the dependencies they allow or not: terms depending on types, types depending on types, and types depending on terms. Those constructions of systems in the λ-cube were generalized by Terlouw and Berardi [5], giving birth to what they called "generalized type systems", nowadays more often called Pure Type Systems (PTS).
All PTS share the same typing rules. The only differences between them are the two relations A and R: A, called the axioms, states which sorts inhabit which sorts, and R, called the rules, controls over which sorts one can quantify.
Definition 1 (Syntax and typing of PTS). Let X be an infinite set of variables and S be the set of sorts. The terms are generated by the grammar:

t, u ::= x | s | t u | λx : t. u | (x : t) → u        with x ∈ X and s ∈ S
The typing rules include 5 introduction rules, one for each syntactic construct, and 2 structural rules.

Definition 3 (Full Pure Type System). A PTS is called full if its axioms and rules are total functions, respectively from S and from S × S to S.
Example 4 (P∞ and C∞). The predicative and impredicative infinite hierarchies are two full PTS.

Definition 5 (Embedding of PTS). Given two PTS P1 = (S1; A1; R1) and P2 = (S2; A2; R2), f : S1 → S2 is an embedding of P1 in P2 if for all (s1, s2) ∈ A1 we have (f(s1), f(s2)) ∈ A2, and for all (s1, s2, s3) ∈ R1 we have (f(s1), f(s2), f(s3)) ∈ R2. f is extended to the terms of P1 by applying it to every sort occurring in a term.

Proposition 6 (Soundness of the Embedding). If f is an embedding from a PTS P1 to a PTS P2 and Γ ⊢ t : A holds in P1, then f(Γ) ⊢ f(t) : f(A) holds in P2.

Proof. By induction on the proof tree. Since f preserves A and R, the (ax) and (prod) cases are satisfied. All the other cases are direct, since f does not act on the shape of terms.
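To make Definition 5 concrete, the embedding condition can be checked mechanically on a finite fragment. The following Python sketch is ours, not the paper's: the sort representation, the truncation bound N and the function names are assumptions made for illustration only.

```python
# A minimal sketch (our encoding): a PTS given as (sorts, axioms, rules),
# and a check that a sort map f preserves A and R, i.e. is an embedding
# in the sense of Definition 5.

def is_embedding(f, pts1, pts2):
    """f: dict sort -> sort; pts = (S, A, R), A a set of pairs,
    R a set of triples."""
    _, A1, R1 = pts1
    _, A2, R2 = pts2
    return (all((f[s1], f[s2]) in A2 for (s1, s2) in A1)
            and all((f[s1], f[s2], f[s3]) in R2 for (s1, s2, s3) in R1))

# A finite fragment of the predicative hierarchy P_inf:
# Set_i : Set_{i+1} and rule (Set_i, Set_j, Set_max(i,j)), truncated at N.
N = 3
S = [("Set", i) for i in range(N + 1)]
A = {(("Set", i), ("Set", i + 1)) for i in range(N)}
R = {(("Set", i), ("Set", j), ("Set", max(i, j)))
     for i in range(N) for j in range(N)}
P = (S, A, R)

# The identity map is trivially an embedding of the fragment in itself;
# collapsing every sort onto Set_0 is not, since it breaks the axioms.
identity = {s: s for s in S}
bad = {s: ("Set", 0) for s in S}
print(is_embedding(identity, P, P), is_embedding(bad, P, P))  # True False
```

The same check extends to maps between two different PTS, which is how Section 4 uses embeddability into C∞.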
The Edinburgh Logical Framework [13] (LF), denoted λP in Barendregt's λ-cube, is the minimal PTS including dependent types. It has two sorts S = {∗, □}, with the axioms A = {(∗, □)} and the rules R = {(∗, ∗, ∗), (∗, □, □)}. It is well known as "a framework for defining logics", since it allows one to encode most proof systems. One can note that LF is not a full PTS, since □ is the left-hand side of no axiom.
The logic behind the logical framework Dedukti is the λΠ-calculus modulo rewriting [2,6], an extension of the Edinburgh Logical Framework with user-defined rewrite rules, used not only to define functions but also types, allowing for shallow embeddings of various type systems. Indeed, even if one can encode many logics in LF, those encodings are deep, meaning that applications, λ-abstractions and variables of the encoded system are not translated directly to their equivalents in LF, but by using explicit symbols App, Lam and Var. Using rewriting, the introduction of those extra symbols can be avoided, allowing for translations of more reasonable size.

Definition 7 (Signature in λΠ-modulo rewriting). A signature in λΠ-modulo rewriting is a triple (Σ, Θ, R) where Σ is a set of symbols disjoint from X, Θ is a function from Σ to terms, and R is a set of rewrite rules, i.e. a set of pairs of terms of the form f l1 … ln → r, with f ∈ Σ and all the li's Miller patterns [16].
We say that t rewrites to u, denoted t ↪ u, if there are a rule f l1 … ln → r, a substitution σ and a context C (a "term with a hole") such that t = C[(f l1 … ln)σ] and u = C[rσ]; in other words, ↪ is the smallest relation containing the rules and stable by substitution and context. We denote by ↪* the reflexive transitive closure of ↪ and by ≡ the convertibility relation, which is the reflexive, symmetric and transitive closure of ↪.

Definition 8 (Typing rules of λΠ-modulo rewriting). They are the ones of LF (those of Def. 1, instantiated with S = {∗, □}, A = {(∗, □)} and R = {(∗, ∗, ∗), (∗, □, □)}), but with a rule to introduce the symbols of Σ, and an enrichment of the conversion to include both β-reduction and the user-defined rewrite rules.
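The one-step relation can be illustrated by a small first-order sketch. The Python below is ours and simplifies Miller patterns to first-order patterns: terms are tuples headed by a symbol, pattern variables are strings, and a step applies a rule at the root or under any context, via matching and substitution.

```python
# A hedged first-order model of the rewriting relation (our encoding).

def match(pat, term, sub):
    """Extend substitution `sub` so that pat·sub = term, or return None."""
    if isinstance(pat, str):                     # pattern variable
        if pat in sub:
            return sub if sub[pat] == term else None   # non-linear check
        sub = dict(sub); sub[pat] = term
        return sub
    if not isinstance(term, tuple) or term[0] != pat[0] or len(term) != len(pat):
        return None
    for p, t in zip(pat[1:], term[1:]):
        sub = match(p, t, sub)
        if sub is None:
            return None
    return sub

def subst(term, sub):
    if isinstance(term, str):
        return sub.get(term, term)
    return (term[0],) + tuple(subst(t, sub) for t in term[1:])

def step(term, rules):
    """Return some one-step reduct of `term`, or None if in normal form."""
    for lhs, rhs in rules:
        sub = match(lhs, term, {})
        if sub is not None:                      # a rule fires at the root
            return subst(rhs, sub)
    if isinstance(term, tuple):                  # closure under context
        for i, t in enumerate(term[1:], 1):
            r = step(t, rules)
            if r is not None:
                return term[:i] + (r,) + term[i + 1:]
    return None

# Example: addition on Peano naturals, defined by two rewrite rules.
rules = [(("plus", ("zero",), "n"), "n"),
         (("plus", ("succ", "m"), "n"), ("succ", ("plus", "m", "n")))]

t = ("plus", ("succ", ("zero",)), ("succ", ("zero",)))
while (r := step(t, rules)) is not None:         # iterate to a normal form
    t = r
print(t)  # ('succ', ('succ', ('zero',)))
```

The non-linear check in `match` is the ingredient used later by the non-left-linear rule on universe levels.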
The encoding of products and its decoding rewrite rule simulate the rule (prod) of a PTS. Then the peculiarity of each PTS is reflected in the encoding of the elements of S as terms of type Sort, and in the implementation of axiom and rule, to encode A and R respectively.
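The effect of the decoding rule on product codes can be sketched as a small interpreter. This is a loose Python model, not the paper's definition: all names (prod, sort, Pi, El) are ours, and binders in codes are represented by Python functions, mirroring the higher-order syntax of the encoding.

```python
# A sketch of the shallow encoding's key rewrite rule (our names):
#   Term _ (prod s1 s2 a b)  -->  (x : Term s1 a) -> Term s2 (b x)
# The code of a product decodes to a genuine function space of the
# meta-level, which is what makes the embedding shallow.

def Term(s, code):
    """Decode the code of a type into a meta-level type description."""
    if code[0] == "prod":
        _, s1, s2, a, b = code
        # the decoding rule fires: produce a real dependent product
        return ("Pi", Term(s1, a), lambda x: Term(s2, b(x)))
    if code[0] == "sort":            # the code of a sort decodes to its universe
        return ("Univ", code[1])
    return ("El", s, code)           # neutral code: the decoding is stuck

# Code of  (A : Set 0) -> Set 0  (the type of a List-like former at level 0):
c = ("prod", 1, 1, ("sort", 0), lambda A: ("sort", 0))
t = Term(1, c)
print(t[0], t[1])  # Pi ('Univ', 0)
```

In the actual Dedukti signature this decoding is a rewrite rule on the symbol Term, not a function; the sketch only shows the shape of its right-hand side.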

Universe Polymorphism and its Encoding
It is quite common to enrich a PTS with universe polymorphism [14], which consists in allowing the user to quantify over universe levels, declaring a symbol simultaneously for several sorts. For instance, if the sorts are { Set i | i ∈ N }, then one wants to declare List in ∀ℓ, (A : Set ℓ) → Set ℓ. Indeed, just like polymorphism is used to avoid declaring a type of lists for each type of elements, one wants to avoid declaring a new type of lists for each universe level.
We present here a definition of universe polymorphism inspired by the one given by Sozeau and Tabareau [19] for the proof assistant Coq. In this setting, the context contains three lists: a list Σ called the signature, a list Θ of level variables, and a list Γ called the local context. Both Σ and Γ contain pairs of a variable name and a type, but the types in Γ may contain free level variables (those occurring in Θ), whereas all the level variables are bound by a prenex quantifier ∀ in the signature Σ. Unlike [19], we do not need to store constraints between universe levels, since those constraints are related to cumulativity, a feature we are not trying to encode here.

Definition 9 (Uniform Universe Polymorphic Full PTS). We consider a set L of levels and a finite set H of sort constructors. Then the sorts are { s_ℓ | s ∈ H, ℓ ∈ L }.
In addition to the functionality and totality of A and R, we assume a uniformity of the hierarchy, meaning that for all s ∈ H there is an s' ∈ H such that for all ℓ ∈ L there is an ℓ' ∈ L with (s_ℓ, s'_ℓ') ∈ A; and for all s(1), s(2) ∈ H there is an s(3) ∈ H such that for all ℓ1, ℓ2 ∈ L there is an ℓ3 ∈ L with (s(1)_ℓ1, s(2)_ℓ2, s(3)_ℓ3) ∈ R. We denote by Ā the function mapping s ∈ H to this s', and, for each s ∈ H, by A_s the function mapping ℓ ∈ L to the ℓ' ∈ L such that (s_ℓ, Ā(s)_ℓ') ∈ A.
Analogously, R̄ is the function mapping (s(1), s(2)) ∈ H² to this s(3), and, for all (s(1), s(2)) ∈ H², R_s(1)s(2) is the function mapping (ℓ1, ℓ2) ∈ L² to the ℓ3 such that (s(1)_ℓ1, s(2)_ℓ2, R̄(s(1), s(2))_ℓ3) ∈ R. The typing rules are given below; in all of them, s, s' ∈ H and i, x ∈ X. Furthermore, we allow ourselves to simply write x ∉ Σ, Γ rather than "for all A, x : A is not in Σ, Γ".
One typical use case is to have only one hierarchy, H = {Set}, and to use natural numbers for levels: L = N. But we do not want to restrict ourselves to only one hierarchy, since some proof assistants feature several. For instance, Agda and Coq both have two, called Set and Prop, and Type and SProp respectively.
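As an illustration of the uniformity assumption, here is a hedged Python model of the derived functions Ā, A_s, R̄ and R_ss' for a two-hierarchy instance. The concrete choices made here (Prop ℓ inhabiting Set (ℓ+1), the rule picking the codomain's hierarchy and the max of the levels) are assumptions for illustration, not claims of the paper.

```python
# Sorts are pairs (h, l) with h in H = {"Set", "Prop"} and l in L = N.

Abar = {"Set": "Set", "Prop": "Set"}   # Ā : H -> H, uniform across levels
A_level = lambda l: l + 1              # A_s is the successor on levels

def axiom(sort):
    """The type of a sort: s_l : Ā(s)_{A_s(l)}."""
    h, l = sort
    return (Abar[h], A_level(l))

def rule(s1, s2):
    """Uniform rule: R-bar picks the codomain's hierarchy,
    R_ss' takes the max of the levels."""
    (_, l1), (h2, l2) = s1, s2
    return (h2, max(l1, l2))

print(axiom(("Prop", 0)))              # ('Set', 1)
print(rule(("Set", 2), ("Prop", 1)))   # ('Prop', 2)
```

Uniformity is exactly what makes `Abar`, `A_level` and `rule` well-defined as functions independent of the particular levels involved.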
The two rules modifying the signature Σ allow one to completely change the set Θ of names of level variables. Changing this set during the proof is not necessary; however, without this renewal of Θ, all the symbols in the signature would be quantified over the same set Θ, no matter which variables really occur in them.
The universe polymorphism we are interested in is purely prenex. Furthermore, universally quantified types are not typed themselves and are only inhabited by variables. This form of universe polymorphism only provides ease of use: it does not allow one to prove more, meaning that it does not compromise the consistency of the logic.

To prove this, one can construct a new PTS (S_Θ, A_Θ, R_Θ) simply by adding a brand new sort for every expression containing a level variable (such expressions are in L+_Θ). Then an embedding of this newly constructed PTS into the original one is defined just by interpreting the level variables. Using this interpretation of the variables, one can mimic in the original PTS the proofs done using universe polymorphism.
Proposition 10 (Conservativity of the universe polymorphism). Let P = (L, H, A, R) be a uniform universe polymorphic full PTS and Θ be a subset of X. Let L+_Θ be the smallest set of level expressions containing the levels of L and the variables of Θ and closed under the level operations, and let P_Θ be the PTS whose sorts are the s_γ with s ∈ H and γ ∈ L+_Θ.
a. There is an embedding from P_Θ to the underlying PTS of P.
b. If Σ; Θ; Γ ⊢ t : A in P and A is not a universal quantification, then the judgement is also derivable in P_Θ.

Proof sketch. a. The embedding consists in just choosing a level for each variable in Θ. b. Since A is not a universal quantification, in the proof of Σ; Θ; Γ ⊢ t : A, all the (sig) rules are followed directly by an arbitrary number of weakenings and an (inst). The weakenings can be anticipated and, to create a proof in P_Θ, the (sig) and (inst) are compressed into a single introduction of a variable of Σ.
In a PTS, if Γ ⊢ t : A, then there is a sort s such that A = s or Γ ⊢ A : s. In a full PTS, A is a total function, hence all sorts inhabit a sort, allowing us to refer to s as the sort of A. However, in the presentation of universe polymorphism of Def. 9, this property is lost, because universally quantified types have no type. To overcome this issue, we artificially assign a type to those quantified types, using a brand new sort Sort ω, which is not typable, is the type of no sort, and over which one cannot quantify. Its only purpose is to make "the sort of A" well-defined whenever A is inhabited. It must be noted that Sort ω is not in H and ω is not a level.
To encode a Universe Polymorphic Full PTS, one introduces a symbol sortOmega and a quantification symbol ∀L, which takes as first argument the sort in which the term will live once instantiated. The definition of the decoding function Term is enriched with a new rule specifying its behaviour when applied to a ∀L.

Definition 11 (Encoding).
constant sortOmega : Sort. For instance, the encoding of ∀ℓ, Set ℓ is ∀L (λ l, axiom (set l)) (λ l, code (set l)), if set is the sort constructor of Set in the encoding. And its decoding (when applying Term sortOmega) is, as expected, (l : L) ⇒ Univ (set l).

Definition 13 (Translation). We translate well-typed terms of a Universe Polymorphic Full Pure Type System by: |x| = x;

And the translation of a level variable i is |i|L = i. Wherever they are used, s_A and s_B are respectively the sorts of A and B.
It can be noted that the translation |ℓ|L for ℓ ∈ L is not given, since in general the number of levels is infinite, hence we do not want to introduce one new symbol per level. Furthermore, with universe polymorphism, universe levels are open terms, hence convertibility between universe levels is now an issue. Fortunately, it is the last one: once this issue is overcome, the encoding has one of the expected properties, namely that we type check at least as many terms as in the original system.
To state this, we start with two useful lemmas. Proof. a and b are proved by induction on the term t; c holds because a β-redex is translated as a β-redex.
The proof of this property is only sketched, since Section 4 will contain detailed proofs about the conversion specifically.

Lemma 15 (Shape preservation of types).
Proof. The three rules on Term are crafted to ensure those properties.
(sig) By Lem. 15, the product obtained is convertible with |∀Θ.A|, hence one can introduce a variable of this type. One must then use the weakening to re-introduce the variables of type L corresponding to Θ'.
(inst) Lem. 15 tells us that, after conversion, the induction hypothesis gives |A| a product type, hence we can apply the |γ_i|'s without type issues.
(prod) By induction hypothesis, we have |Σ; Θ; Γ| ⊢λΠ/P |A| : Univ |s_γ|S and also |Σ; Θ; Γ, x : A| ⊢λΠ/P |B| : Univ |s'_γ|S, so |Σ; Θ; Γ|, x : Term |s_γ|S |A| ⊢λΠ/P |B| : Univ |s'_γ|S, and we can conclude by introducing the lambda and applying prod.
(ctx-weak) As before, we have |Σ; Θ; Γ| ⊢λΠ/P |A| : Univ |s_γ|S, so |Σ; Θ; Γ| ⊢λΠ/P Term |s_γ|S |A| : TYPE, so one can weaken with a variable of this type.
(∀-weak) Like for the (sig) rule, one can empty the context of the variables of type L by applying the rule (prod) of λΠ-modulo rewriting. Then one can weaken with a variable of this type and with variables of type L to translate Θ'.

Now we will focus on a specific hierarchy of levels, where L = N, all the A_s are the successor function and all the R_ss' are the maximum function. This is the predicative hierarchy of P∞ (Expl. 4), used for instance in Agda.
The grammar of universe levels we are interested in is: t, u ∈ L ::= i | 0 | s t | t ⊔ u, with i a level variable. And finally we give rewrite rules for the symbols of the syntax. This encoding is not confluent, as the following example illustrates. But this is not an issue, since we are only interested in reducts of elements of the syntax, meaning that all the variables are of type L.
Proposition 18. The absence of variables of type N or LSet ensures the uniqueness of normal forms (modulo AC).
Proof. Since there are no variables of type N or LSet, the functions maxN, +N and mapPlus are fully defined and cannot occur in normal forms.
Hence, normal forms contain only 0N, sN, Max, ∅, ⊕ and ∪. Among these, the only constructor of L is Max, hence every level is either a variable or headed by Max.
If a term contains a Max, there is one at the head. Hence the terms are of the form Max n s with n a closed natural and s an LSet. If there is more than one Max, it means that the LSet contains a level which is not a variable. This level is headed by Max, so one of the rewrite rules regarding the interaction between Max and ⊕ can be applied.
Hence all normal forms are either a variable or of the form Max n s, with n a closed natural and s an LSet in which all levels are variables. The non-linear rule ensures that these variables are all distinct.
One can check that the invariant that every natural which is the first argument of a ⊕ is smaller than or equal to the first argument of the Max directly above it is preserved by every rule and satisfied by the reducts of the syntax.
So we can conclude that the normal forms have the announced shape.
To check that a term cannot have two distinct normal forms, the definition of the interpretation is extended to the symbols we introduced, and one can verify that all the rules preserve the interpretation and that all the terms of the shape we described have different interpretations.
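The canonical forms of Proposition 18 can be modelled directly in code. The Python sketch below is ours, not the paper's rewrite system: levels are kept as Max n {x1 ⊕ k1, ..., xm ⊕ km} with pairwise distinct variables, represented as a pair (n, {variable: k}), so that convertible levels get equal representations.

```python
# A hedged model of the level normal forms (our representation).

def lvl(n=0, **ks):
    """Max n {x ⊕ k | x=k in ks}; the constant is raised so that the
    invariant k <= n of the paper holds (x + k >= k for any level x)."""
    return (max([n, *ks.values()]), dict(ks))

def lsuc(l):
    """Successor: shift the constant and every offset by one."""
    n, ks = l
    return (n + 1, {x: k + 1 for x, k in ks.items()})

def lmax(l1, l2):
    """Max of two levels in canonical form."""
    (n1, ks1), (n2, ks2) = l1, l2
    ks = dict(ks1)
    for x, k in ks2.items():          # the non-linear rule: a variable
        ks[x] = max(ks.get(x, 0), k)  # occurring twice is merged
    return (max(n1, n2), ks)

# suc (max i j) and max (suc i) (suc j) reach the same normal form:
i_j = lmax(lvl(i=0), lvl(j=0))
assert lsuc(i_j) == lmax(lsuc(lvl(i=0)), lsuc(lvl(j=0)))
# idempotence of max follows from the non-linear merging:
assert lmax(i_j, i_j) == i_j
```

Comparing two such pairs for equality plays the role of the "correct criterion for equality of levels" required by the correctness theorem.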

Eta-conversion
Many proof assistants implement, among other conversion rules, the η rule, which states that if f is a function, then f ≡η λx. f x.
At first sight, this conversion might look quite harmless, and one could hope to just add the corresponding rewrite rule. However, this conversion is an important issue for the translation of systems to Dedukti. Indeed, the contraction rule cannot be stated, since λx. f x is not a Miller pattern: it requires matching on the fact that f x is an application, which would be "meta-matching" and is not in the definition of λΠ-modulo rewriting. Furthermore, we could replace it by λx. f[x], but then f is not a valid right-hand side anymore, since it is of arity one. On the other hand, to preserve typing, the expansion rule has to match on the type of a variable, and so is not syntax-directed anymore.
Another natural solution could be to define λΠ-modulo rewriting as a logical framework with η hard-coded in the conversion (just like β is). But this is a path logical frameworks want to avoid: if η were hard-coded, it would be impossible to have a shallow encoding of the λ-calculus without η-conversion.
One could expect that η-expanding every term during the translation phase would allow us to completely ignore η-conversion in the λΠ-calculus modulo rewriting. However, with dependent types it might happen that an η-long term has a non-η-long type, a situation that often breaks the type preservation of the translation.
Example 19. To illustrate this, we start by defining a type whose number of arrows depends on a natural number, together with a constructor for this type. We then define a new type depending on the first one, and its constructor. Now, the term e 1 is η-long and has type E 1 (d 1), but not E 1 (λ x, d 1 x), which is the η-long form of the type.
To overcome this issue, we propose to postpone η-expansion until the type is fully instantiated. For this, we introduce in the translation a symbol ηE, whose purpose is to tag with their types the subterms which may become η-expandable. Then some rewrite rules pattern-match on this type annotation to decide when and how the expansion can be performed.
Definition 20 (Eta-expansion rewrite rules). ηE annotates terms with their types; to do so, it takes as arguments a sort, a code of a type in this sort, and the term to annotate. The rules state that η-expansion is the identity for inhabitants of sorts (ηS), and generates λ's for inhabitants of products (ηP). Furthermore, a rule states that η-expansion is an idempotent operation (ηI). To prove that adding those annotations in the encoding enriches the conversion enough to simulate η-equality, we will also add those annotations in the system we are translating, just like what is done in [12,11].
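The intended behaviour of the ηS and ηP rules can be sketched as a type-directed expansion function. The Python below uses our own AST, not the paper's rules verbatim: types are either atomic or products in higher-order syntax, expansion is the identity at atomic types and produces a λ at each product, recursively expanding both the fresh argument and the body.

```python
# A hedged sketch of type-directed eta-expansion (our AST).

import itertools
_fresh = itertools.count()   # supply of fresh variable names

def eta_expand(t, ty):
    """ty is ("pi", dom, cod) with cod a function of the bound variable
    (higher-order syntax), or an atomic type."""
    if isinstance(ty, tuple) and ty[0] == "pi":
        _, dom, cod = ty
        x = ("var", f"x{next(_fresh)}")
        arg = eta_expand(x, dom)          # ηP: expand the fresh argument...
        return ("lam", x, eta_expand(("app", t, arg), cod(x)))  # ...and the body
    return t                              # ηS-like case: identity elsewhere

# f : nat -> nat  is expanded to  λx. f x :
nat = ("el", "nat")
f = ("var", "f")
long_f = eta_expand(f, ("pi", nat, lambda x: nat))
print(long_f)
```

In the encoding this computation is triggered by rewrite rules matching on the type annotation carried by ηE, which is why it can wait until the type is fully instantiated.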
For the sake of readability, we will study in this section terms typed in a full PTS embeddable in C∞, like P∞ and C∞ defined in Expl. 4, in order to directly reuse the induction principle defined in [4].

Definition 16 (Context Translation). To state the Correctness Theorem properly, one first has to define the translation of contexts. If Σ = x1 : T1, ..., xl : Tl, Θ = i1, ..., im and Γ = y1 : A1, ..., yn : An, then the translation is |Σ; Θ; Γ| = x1 : Term sortOmega |T1|, ..., xl : Term sortOmega |Tl|, i1 : L, ..., im : L, y1 : Term |s_A1|S |A1|, ..., yn : Term |s_An|S |An|.

Theorem 17 (Correctness). Given a correct criterion for equality of levels (i.e. if two levels ℓ1 and ℓ2 are equal, their translations |ℓi|L are convertible), for a Universe Polymorphic Full Pure Type System P, if Σ; Θ; Γ ⊢ t : A, then |Σ; Θ; Γ| ⊢λΠ/P |t| : Term |s|S |A|, where s is the sort of A.

Proof. By induction on the derivation. We assume that if Θ ⊢ γ isLvl, then []; Θ; [] ⊢λΠ/P |γ|L : L, a property which can be proved by induction on the derivation, with the assumption that for all ℓ ∈ L, ⊢λΠ/P |ℓ|L : L. We then consider the 10 remaining cases:
(var) By induction hypothesis, |Σ; Θ; Γ| ⊢λΠ/P |A| : Univ |s_γ|S. Hence |Σ; Θ; Γ| ⊢λΠ/P Term |s_γ|S |A| : TYPE, so one can introduce a variable of this type.
(ax) The translation of s_γ is code (s |γ|L), which lives in Univ (s' (ax_s |γ|L)), the reduct of the translation as a type of s_{A_s(γ)}.
(abs) By induction hypothesis, |Σ; Θ; Γ|, x : Term |s|S |A| ⊢λΠ/P |t| : Term |s'|S |B|; hence λ(x : Term |s|S |A|). |t| inhabits (x : Term |s|S |A|) → Term |s'|S |B|, which is the reduct of the translation as a type of (x : A) → B. The other induction hypothesis |Σ; Θ; Γ| ⊢λΠ/P |(x : A) → B| : Univ |s_γ|S ensures that Term |s|S |A| lives in TYPE.
(app) By the induction hypotheses and Lem. 15, one can apply the translation of t to the translation of u. The result lives in the translation of B[u/x] thanks to Lem. 14.
(conv) This is a direct consequence of Lem. 14 and the induction hypotheses.
(sig) By induction hypothesis, |Σ; Θ; []| ⊢λΠ/P |A| : Univ |s_γ|S. Hence, one can use the (prod) rule of λΠ-modulo rewriting to move all the i : L from the context to the term.