Functional And Logic Programming 10th

International Symposium Flops 2010 Sendai Japan

April 1921 2010 Proceedings 1st Edition Brigitte
Pientka Auth download
https://ebookbell.com/product/functional-and-logic-
programming-10th-international-symposium-flops-2010-sendai-japan-
april-1921-2010-proceedings-1st-edition-brigitte-pientka-
auth-1720276

Explore and download more ebooks at ebookbell.com

Here are some recommended products that we believe you will be
interested in. You can click the link to download.

Functional And Logic Programming 10th International Symposium Flops

2010 Sendai Japan April 1921 2010 Proceedings 1st Edition Brigitte
Pientka Auth

https://ebookbell.com/product/functional-and-logic-programming-10th-
international-symposium-flops-2010-sendai-japan-
april-1921-2010-proceedings-1st-edition-brigitte-pientka-auth-4141844

Functional And Logic Programming 15th International Symposium Flops

2020 Akita Japan September 1416 2020 Proceedings 1st Ed Keisuke Nakano

https://ebookbell.com/product/functional-and-logic-programming-15th-
international-symposium-flops-2020-akita-japan-
september-1416-2020-proceedings-1st-ed-keisuke-nakano-22497182

Functional And Logic Programming 11th International Symposium Flops

2012 Kobe Japan May 2325 2012 Proceedings 1st Edition Michael Codish
Auth

https://ebookbell.com/product/functional-and-logic-programming-11th-
international-symposium-flops-2012-kobe-japan-
may-2325-2012-proceedings-1st-edition-michael-codish-auth-4141846

Functional And Logic Programming 12th International Symposium Flops

2014 Kanazawa Japan June 46 2014 Proceedings 1st Edition Michael
Codish

https://ebookbell.com/product/functional-and-logic-programming-12th-
international-symposium-flops-2014-kanazawa-japan-
june-46-2014-proceedings-1st-edition-michael-codish-4697296
Functional And Logic Programming 13th International Symposium Flops
2016 Kochi Japan March 46 2016 Proceedings 1st Edition Oleg Kiselyov

https://ebookbell.com/product/functional-and-logic-programming-13th-
international-symposium-flops-2016-kochi-japan-
march-46-2016-proceedings-1st-edition-oleg-kiselyov-5355856

Functional And Logic Programming 14th International Symposium Flops

2018 Nagoya Japan May 911 2018 Proceedings 1st Ed John P Gallagher

https://ebookbell.com/product/functional-and-logic-programming-14th-
international-symposium-flops-2018-nagoya-japan-
may-911-2018-proceedings-1st-ed-john-p-gallagher-7151012

Functional And Logic Programming 16th International Symposium Flops

2022 Kyoto Japan May 1012 2022 Proceedings Michael Hanus

https://ebookbell.com/product/functional-and-logic-programming-16th-
international-symposium-flops-2022-kyoto-japan-
may-1012-2022-proceedings-michael-hanus-50738266

Functional And Logic Programming 17th International Symposium Flops

2024 Kumamoto Japan May 1517 2024 Proceedings Jeremy Gibbons

https://ebookbell.com/product/functional-and-logic-programming-17th-
international-symposium-flops-2024-kumamoto-japan-
may-1517-2024-proceedings-jeremy-gibbons-232418430

Functional And Constraint Logic Programming 18th International

Workshop Wflp 2009 Brasilia Brazil June 28 2009 Revised Selected
Papers 1st Edition Roberto Ierusalimschy Auth

https://ebookbell.com/product/functional-and-constraint-logic-
programming-18th-international-workshop-wflp-2009-brasilia-brazil-
june-28-2009-revised-selected-papers-1st-edition-roberto-
ierusalimschy-auth-4141840
Lecture Notes in Computer Science 6009
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max-Planck Institute of Computer Science, Saarbruecken, Germany
Matthias Blume Naoki Kobayashi
Germán Vidal (Eds.)

Functional and
Logic Programming

10th International Symposium, FLOPS 2010

Sendai, Japan, April 19-21, 2010
Proceedings

13
Volume Editors

Matthias Blume
Google
20 West Kinzie Street, Chicago, IL 60610, USA
E-mail: [email protected]

Naoki Kobayashi
Tohoku University, Graduate School of Information Sciences
6-3-9 Aoba, Aramaki, Aoba-ku, Sendai-shi, Miyagi 980-8579, Japan
E-mail: [email protected]

Germán Vidal
Universidad Politécnica de Valencia, DSIC, MiST
Camino de Vera, S/N, 46022 Valencia, Spain
E-mail: [email protected]

Library of Congress Control Number: 2010923409

CR Subject Classification (1998): F.3, D.2, D.3, D.2.4, F.4.1, D.1

LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues

ISSN 0302-9743
ISBN-10 3-642-12250-7 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-12250-7 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
springer.com
© Springer-Verlag Berlin Heidelberg 2010
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper 06/3180
 Preface

This volume contains the proceedings of the 10th International Symposium on

Functional and Logic Programming (FLOPS 2010), held in Sendai, Japan, April
19–21, 2010 at Aoba Memorial Hall, Tohoku University.
FLOPS is a forum for research on all issues concerning declarative program-
ming, including functional programming and logic programming, and aims to
promote cross-fertilization and integration between the two paradigms. The pre-
vious FLOPS meetings were held in Fuji Susono (1995), Shonan Village (1996),
Kyoto (1998), Tsukuba (1999), Tokyo (2001), Aizu (2002), Nara (2004), Fuji
Susono (2006), and Ise (2008). Since its 1999 edition, FLOPS proceedings have
been published by Springer in its Lecture Notes in Computer Science series, as
volumes 1722, 2024, 2441, 2998, 3945, and 4989, respectively.
In response to the call for papers, 49 papers were submitted. Each paper
was reviewed by at least three Program Committee members, with the help
of expert external reviewers. The Program Committee meeting was conducted
electronically, for a period of two weeks, in December 2009. After careful and
thorough discussion, the Program Committee selected 21 papers for presentation
at the conference. In addition to the 21 contributed papers, the symposium
included talks by three invited speakers: Brigitte Pientka (McGill University,
Canada), Kostis Sagonas (National Technical University of Athens, Greece),
and Naoyuki Tamura (Kobe University, Japan).
On behalf of the Program Committee, we would like to thank the invited
speakers, who agreed to give talks and contribute papers, and all those who sub-
mitted papers to FLOPS 2010. As Program Committee Chairs, we would like
to sincerely thank all the members of the FLOPS 2010 Program Committee for
their excellent job, and all the external reviewers for their invaluable contribu-
tion. We are also grateful to Andrei Voronkov for making EasyChair available to
us. The support of our sponsors is acknowledged. We are indebted to the Japan
Society for Software Science and Technology (JSSST) SIG-PPL, the CERIES
Global COE Program (Tohoku University Electro-Related Departments), the
Graduate School of Information Sciences (Tohoku University), the International
Information Science Foundation, the Asian Association for Foundation of Soft-
ware (AAFS), the Association for Computing Machinery (ACM) SIGPLAN, and
the Association for Logic Programming (ALP). Finally, we would like to thank
Naoki Kobayashi (Symposium Chair), Eijiro Sumii (Local Chair) and all the
members of the Local Arrangements Committee for their invaluable support
throughout the preparation and organization of the symposium.

February 2010 Matthias Blume

Germán Vidal
 Symposium Organization

Program Chairs
Matthias Blume Google, Chicago, USA
Germán Vidal Universidad Politécnica de Valencia, Spain

Symposium Chair
Naoki Kobayashi Tohoku University, Sendai, Japan

Program Committee
Nick Benton Microsoft Research, Cambridge, UK
Manuel Chakravarty University of New South Wales, Australia
Michael Codish Ben-Gurion University of the Negev, Israel
Bart Demoen Katholieke Universiteit Leuven, Belgium
Agostino Dovier University of Udine, Italy
John P. Gallagher Roskilde University, Denmark
Maria Garcia de la Banda Monash University, Australia
Michael Hanus University of Kiel, Germany
Atsushi Igarashi Kyoto University, Japan
Patricia Johann Rutgers University, USA
Shin-ya Katsumata Kyoto University, Japan
Michael Leuschel University of Düsseldorf, Germany
Francisco López-Fraguas Complutense University of Madrid, Spain
Paqui Lucio University of the Basque Country, Spain
Yasuhiko Minamide University of Tsukuba, Japan
Frank Pfenning Carnegie Mellon University, USA
Francois Pottier INRIA, France
Tom Schrijvers Katholieke Universiteit Leuven, Belgium
Chung-chieh “Ken” Shan Rutgers University, USA
Zhong Shao Yale University, USA
Jan-Georg Smaus University of Freiburg, Germany
Nobuko Yoshida Imperial College London, UK

Local Chair
Eijiro Sumii Tohoku University, Sendai, Japan
VIII Symposium Organization

External Reviewers
Andreas Abel Javier Álvez
Kenichi Asai Demis Ballis
Dariusz Biernacki Bernd Braßel
Francisco Bueno Dario Campagna
James Cheney Markus Degen
Michael Elhadad Andrzej Filinski
Sebastian Fischer Marc Fontaine
Jacques Garrigue Raffaela Gentilini
Neil Ghani Silvia Ghilezan
Mayer Goldberg Clemens Grelck
Kevin Hammond Hugo Herbelin
Montserrat Hermo Petra Hofstedt
Andrew Kennedy Neelakantan Krishnaswami
Barbara König Sean Lee
Roman Leshchinskiy Pedro López-Garcı́a
Michael Maher Mircea Marin
Koji Nakazawa Marisa Navarro
Monica Nesi Christopher Okasaki
Dominic Orchard Matthieu Petit
Carla Piazza Benjamin Pierce
Morten Rhiger Adrián Riesco
Claudio Russo Fernando Sáenz-Pérez
Pietro Sala Alan Schmitt
Peter Schneider-Kamp Antonis Stampoulis
Christian Sternagel Don Stewart
Peter Stuckey Eijiro Sumii
Alexander Summers Jaime Sánchez-Hernández
Akihiko Tozawa Janis Voigtländer
Mark Wallace Hongwei Xi
Toshiyuki Yamada Noam Zeilberger
 Table of Contents

Invited Talks
Beluga: Programming with Dependent Types, Contextual Data, and
Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Brigitte Pientka
Using Static Analysis to Detect Type Errors and Concurrency Defects
in Erlang Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Konstantinos Sagonas
Solving Constraint Satisfaction Problems with SAT Technology . . . . . . . . 19
Naoyuki Tamura, Tomoya Tanjo, and Mutsunori Banbara

Refereed Papers

Types
A Church-Style Intermediate Language for MLF . . . . . . . . . . . . . . . . . . . . . 24
Didier Rémy and Boris Yakobowski
ΠΣ: Dependent Types without the Sugar . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Thorsten Altenkirch, Nils Anders Danielsson, Andres Löh, and
Nicolas Oury
Haskell Type Constraints Unleashed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Dominic Orchard and Tom Schrijvers

Program Analysis and Transformation

A Functional Framework for Result Checking . . . . . . . . . . . . . . . . . . . . . . . . 72
Gilles Barthe, Pablo Buiras, and César Kunz
Tag-Free Combinators for Binding-Time Polymorphic Program
Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Peter Thiemann and Martin Sulzmann
Code Generation via Higher-Order Rewrite Systems . . . . . . . . . . . . . . . . . . 103
Florian Haftmann and Tobias Nipkow

Foundations
A Complete Axiomatization of Strict Equality . . . . . . . . . . . . . . . . . . . . . . . 118
Javier Álvez and Francisco J. López-Fraguas
X Table of Contents

Standardization and Böhm Trees for Λμ-Calculus . . . . . . . . . . . . . . . . . . . . 134

Alexis Saurin

An Integrated Distance for Atoms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Vicent Estruch, César Ferri, José Hernández-Orallo, and
M. José Ramı́rez-Quintana

Logic Programming
A Pearl on SAT Solving in Prolog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Jacob M. Howe and Andy King

Automatically Generating Counterexamples to Naive Free Theorems . . . 175

Daniel Seidel and Janis Voigtländer

Applying Constraint Logic Programming to SQL Test Case

Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Rafael Caballero, Yolanda Garcı́a-Ruiz, and Fernando Sáenz-Pérez

Evaluation and Normalization

Internal Normalization, Compilation and Decompilation for
System Fβη . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Stefano Berardi and Makoto Tatsuta

Towards Normalization by Evaluation for the βη-Calculus of

Constructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Andreas Abel

Defunctionalized Interpreters for Call-by-Need Evaluation . . . . . . . . . . . . . 240

Olivier Danvy, Kevin Millikin, Johan Munk, and Ian Zerny

Term Rewriting
Complexity Analysis by Graph Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Martin Avanzini and Georg Moser

Least Upper Bounds on the Size of Church-Rosser Diagrams in Term

Rewriting and λ-Calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Jeroen Ketema and Jakob Grue Simonsen

Proving Injectivity of Functions via Program Inversion in Term

Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Naoki Nishida and Masahiko Sakai
 Table of Contents XI

Parallelism and Control

Delimited Control in OCaml, Abstractly and Concretely:
System Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Oleg Kiselyov

Automatic Parallelization of Recursive Functions Using Quantifier

Elimination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Akimasa Morihata and Kiminori Matsuzaki

A Skeleton for Distributed Work Pools in Eden . . . . . . . . . . . . . . . . . . . . . . 337

Mischa Dieterle, Jost Berthold, and Rita Loogen

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

 Beluga: Programming with Dependent Types,
Contextual Data, and Contexts

Brigitte Pientka

McGill University, Montreal, Canada

[email protected]

Abstract. The logical framework LF provides an elegant foundation

for specifying formal systems and proofs and it is used successfully in a
wide range of applications such as certifying code and mechanizing meta-
theory of programming languages. However, incorporating LF technology
into functional programming to allow programmers to specify and reason
about formal guarantees of their programs from within the programming
language itself has been a major challenge.
In this paper, we present an overview of Beluga, a framework for
programming and reasoning with formal systems. It supports specifying
formal systems in LF and it also provides a dependently typed functional
language that supports analyzing and manipulating LF data via pattern
matching. A distinct feature of Beluga is its direct support for reason-
ing with contexts and contextual objects. Taken together these features
lead to a powerful language which supports writing compact and elegant
proofs.

1 Introduction
Formal systems given via axioms and inference rules play a central role in de-
scribing and verifying guarantees about the runtime behavior of programs. While
we have made a lot of progress in statically checking a variety of formal guaran-
tees such as type or memory safety, programmers typically cannot define their
own safety policy and reason about it within the programming language itself.
This paper presents an overview of a novel programming and reasoning frame-
work, called Beluga [Pie08, PD08]. Beluga uses a two-level approach: on the data-
level, it supports specifications of formal systems within the logical framework
LF [HHP93]. The strength and elegance of LF comes from supporting encodings
based on higher-order abstract syntax (HOAS), in which binders in the object
language are represented as binders in LF’s meta-language. As a consequence,
users can avoid implementing common and tricky routines dealing with variables,
such as capture-avoiding substitution, renaming and fresh name generation. Be-
cause of this, one can think of HOAS encodings as the most advanced technology
for specifying and prototyping formal systems which leads to very concise and
elegant encodings and provides the most support for such an endeavor.
On top of LF, we provide a dependently typed functional language that sup-
ports analyzing and manipulating LF data via pattern matching. A distinct

M. Blume, N. Kobayashi, and G. Vidal (Eds.): FLOPS 2010, LNCS 6009, pp. 1–12, 2010.

c Springer-Verlag Berlin Heidelberg 2010
2 B. Pientka

feature of Beluga is its explicit support for contexts to keep track of hypothesis,
and contextual objects to describe objects which may depend on them. Contex-
tual objects are characterized by contextual types. For example, A[Ψ ] describes
a contextual object Ψ.M where M has type A in the context Ψ and hence may
refer to the variables declared in the context Ψ . These contextual objects are
analyzed and manipulated naturally by pattern matching.
Furthermore, Beluga supports context variables which allow us to write generic
functions that abstract over contexts. As types classify terms, context schemas
classify contexts. Contexts whose schemas are superficially incompatible can be
reasoned with via context weakening and context subsumption.
The main application of Beluga at the moment is to prototype formal systems
together with their meta-theory. Formal systems given via axioms and inference
rules are common in the design and implementation of programming languages,
type systems, authorization and security logics, etc. Contextual objects concisely
characterize hypothetical and parametric derivations. Inductive proofs about a
given formal system can be implemented as recursive functions that case-analyze
some given (possibly hypothetical) derivation. Hence, Beluga serves as a proof
checking framework. At the same time, Beluga provides an experimental frame-
work for programming with proof objects. Due to its powerful type system, the
programmer can not only enforce strong invariants about programs statically,
but also to create, manipulate, and analyze certificates (=proofs) which guaran-
tee that a program satisfies a user-defined safety property. Therefore, Beluga is
ideally suited for applications such as certified programming and proof-carrying
code [Nec97].
Beluga is an implementation in OCaml based on our earlier work [Pie08, PD08].
It provides an re-implementation of LF [HHP93] including type reconstruction,
constraint-based higher-order unification and type checking. On top of LF, we de-
signed and implemented a dependently typed functional language that supports
explicit contexts and pattern matching over contextual objects. To support rea-
soning with contexts, we support context weakening and subsumptions. A key
step towards a palatable, practical source-level language was the design and imple-
mentation of a bidirectional type reconstruction algorithm for dependently typed
Beluga functions. While type reconstruction for LF and Beluga is in general un-
decidable, in practice, the performance is competitive. Beluga also provides an
interpreter to execute programs using an environment-based semantics.
Our test suite includes many specifications from the Twelf repository [PS99].
We also implemented a broad range of proofs as recursive Beluga functions,
including proofs of the Church-Rosser theorem, proofs about compiler transfor-
mations, subject reduction, and a translation from natural deduction to Hilbert
style proofs. To illustrate the expressive power of Beluga, our test suite also in-
cludes simple theorems about structural relationships between expressions and
proofs about the paths in expressions. These latter theorems are interesting since
they require nested quantifiers and implications, placing them outside the frag-
ment of propositions expressible in systems such as Twelf. The Beluga system,
 Beluga 3

including source code, examples, and a tutorial discussing key features of Beluga,
is available from

http://complogic.cs.mcgill.ca/beluga/.

Overview. To provide an intuition for what Beluga accomplishes and how it

is used, we concentrate on implementing normalization for the simply-typed
lambda-calculus where lambda-terms are indexed with their types (Section 2).
In Section 3, we discuss the implementation of Beluga and focus in particular on
issues surrounding type reconstruction. Finally, in Section 4 we compare Beluga
to related systems with similar ambition and outline future work in Section 5.

2 Example: Normalizing Lambda-Terms

To illustrate the core ideas behind Beluga, we show how to implement a normal-
izer for the simply-typed lambda-calculus. We begin by introducing the simply-
typed lambda calculus. We will write T for types which consist of the base type
nat and function types T1 → T2 . For lambda-terms, we use M and N . We begin
by introducing it.

Types T ::= nat | T1 → T2

Term M, N ::= y | lam x . M | app M1 M2

Next, we will define normalization of simply-typed lambda-terms using the judg-

ment Γ  M −→ N which states that given the term M we can compute its
normalform N in the context Γ . The context Γ here is simply keeping track of
the list of bound variables in M and N and can be defined as follows:

Context Γ ::= · | Γ, x

We now define a normalization algorithm for the lambda-calculus where we

impose a call-by-name strategy.

x∈Γ Γ, x  M −→ N
Γ  x −→ x Γ  lam x . M −→ lam x . N

Γ  M1 −→ lam x . M  Γ  [M2 /x]M  −→ N

Γ  app M1 M2 −→ N

Γ  M1 −→ N1 Γ  M2 −→ N2 N1  = lam x . M 
Γ  app M1 M2 −→ app N1 N2

Finally, we show how to represent terms and types in the logical framework
LF, and implement the normalization algorithm as a recursive program in
Beluga.
4 B. Pientka

Representation of simply-typed lambda-terms in LF. We will represent types and

terms in such a way in the logical framework LF that we will only characterize
well-typed terms. The definition for types in LF is straightforward and since
several excellent tutorials and notes exist already [Pfe97, Twe09], we will keep
this short.
We introduce an LF type tp and define type constructors nat and arr. Next, we
represent terms with the goal to only characterize well-typed lamda-terms. We
will achieve this by indexing the type of expressions with their type using a de-
pendent type. In addition, we will employ higher-order abstract syntax to encode
the binder in the object-language by binders in the meta-language, namely LF.
Hence, the constructor lam takes in a meta-level abstraction of type (exp T1 →
exp T2). To illustrate, consider the object-level lambda-term lam x . lam y . x y.
It is represented as lam λx. lam λy. app x y in LF.
tp: type . exp: tp → type .
nat: tp. lam : (exp T1 → exp T2) → exp (arr T1 T2).
arr: tp → tp → tp. app : exp (arr T2 T) → exp T2 → exp (arr T2 T).

Implementation of normalization in Beluga. The specification of simply-typed

lambda-terms in LF is standard up to this point. We now concentrate on imple-
menting the normalization algorithm described by the judgement Γ  M −→ N .
Intuitively, we will implement a function which when given a lambda-term M in
a context Γ , it produces a lambda-term N in the same context Γ which will be
in normal form.
The statement relies on a generic context Γ since the context of variables
which we will encounter when we traverse a lambda-abstraction grows.

Defining contexts using context schemas. We begin by defining the shape of

contexts using context schemas in Beluga as follows:
schema ctx = exp T;
Schemas classify contexts just as types classify terms. The schema ctx describes
a context which contains assumptions x:exp T for some type T. In other words,
all declarations occurring in a context of schema ctx are instances of exp T for
some T.

Defining a recursive function for normalizing lambda-terms. Next, we will rep-

resent the judgment Γ  M −→ N as a computation-level type in Beluga. Since
we index expressions with their types, our statement will naturally enforce that
types are preserved. The type will state that “for all contexts Γ , given an ex-
pression M of type T in the context Γ , we return an expression N of type T in
the context Γ ”. In Beluga, this is written as follows:
{g:(ctx)*} (exp T)[g] → (exp T)[g]
Writing {g:(ctx)*} in concrete syntax corresponds to quantifying over the con-
text variable g which has schema ctx. We annotate the schema name ctx with
* to indicate that declarations matching the given schema may be repeated.
The contextual type (exp T)[g] directly describes an expression M with type
 Beluga 5

T in the context g. The element inhabiting the computation-level type (exp T)

[g] is called a contextual object, since they may refer to variables listed in the
context g and hence only make sense within the context g. For example, the
contextual object [x:exp] lam λy. app x y has type exp [x:exp] and describes
an expression which may refer to the bound variable x.
The variable T which is free in the specified computation-level type is implicitly
quantified at the outside and has type tp[ ] denoting a closed object of type tp.
Type reconstruction will infer the type of T and abstract over it.
We will now show the recursive function which implements the normalization
algorithm given earlier. The function proceeds by pattern matching on elements
of type (exp T)[g] and every inference rule will correspond to one branch in the
case-expression.
rec norm : {g:(ctx)*} (exp T)[g] → (exp T)[g] =
Λ g ⇒ fn e ⇒ case e of
| [g] #p ... ⇒ [g] #p ... % Variable
| [g] lam (λx. M ... x) ⇒ % Abstraction
let [g,x:exp _ ] N ... x = norm [g, x:exp _ ] ([g,x] M ... x) in
[g] lam λx. N ... x
| [g] app (M1 ... ) (M2 ... ) ⇒ % Application
(case norm [g] ([g] M1 ... ) of
[g] lam (λx. M’ ... x) ⇒ norm [g] ([g] M’ ... (M2 ... ) )
| [g] N1 ... ⇒
let [g] N2 ... = norm [g] ([g] M2 ... ) in
[g] app (N1 ... ) (N2 ... )
)
;

The Beluga syntax follows ideas from ML-like languages with a few extension.
For example, Λg ⇒... introduces abstraction over the context variable g cor-
responding to quantification over the context variable g in the type of norm. We
then split on the object e which has contextual type (exp T)[g]. As in the defini-
tion we gave earlier, there are three cases to consider for e: either it is a variable
from the context, it is a lambda-abstraction, or it is an application. Each pattern
is written as a contextual object, i.e. the object itself together with its context.
For the variable case, we use a parameter variable, written as #p ... and write
[g] #p ... . Operationally, it will match any declaration from the context g once
g is concrete. The parameter variable #p is associated with the identity substi-
tution (written in concrete syntax with ... ) to explicitly state its dependency on
the context g.
The pattern [g] lam λx. M... x describes the case where the object e is a lambda-
abstraction. We write M... x for the body of the lambda-abstraction which may
refer to all the variables from the context g (written as ... ) and the variable x.
Technically, ... x describes the identity substitution which maps all the variables
from g, x:exp T to themselves. We now recursively normalize the contextual object
[g,x] M... x. To accomplish this, we pass to the recursive call the extended context
g, x:exp _ together with the contextual object [g,x] M... x. We write an underscore
for the type of x in the context g, x:exp _ and let type reconstruction determine
6 B. Pientka

it. Note, that we cannot write x:exp T1 since T1 would be free. Hence, supporting
holes is crucial to be able to write the program compactly and avoid unnecessary
type annotations. The result of the recursive call is a contextual object [g,x] N... x
which we will use to assemble the result. In the case for applications, we recursively
normalize the contextual object [g] M1... and then pattern match on its result. If it
returned a lambda-abstraction lam λx. M’... x, we simply replace x with M2... . Sub-
stitution is inherently supported in Beluga and... (M2... ) describes the substitution
which maps all variables in g to themselves (written as ... ) and x is mapped to
M2... . In the case where normalizing [g] M1... does not return a lambda-abstraction,
we continue normalizing [g] M2... and reassemble the final result. In conclusion,
our implementation yields a natural, elegant, and very direct encoding of the for-
mal description of normalization.

2.1 Summary of the Main Ideas

Beluga supports a two-level approach for programming with and reasoning about
HOAS encodings. The data-level supports specifications of formal systems in the
logical framework LF. On top of it, we provide an expressive computation lan-
guage which supports dependent types and recursion over HOAS encodings. A
key challenge is that we must traverse a λ-abstractions and manipulate objects
which may contain bound variables. In Beluga, we solve this problem by using
contextual types which characterize contextual objects and by introducing con-
text variables to abstract over concrete contexts and parameterize computation
with them. By design, variables occurring in contextual objects can never es-
cape their scope, a problem which often arises in other approaches. While in
our previous example, all contextual types and objects shared the same context
variable, our framework allows the introduction of different context variables, if
we wish to do so.
Beluga’s theoretical basis is contextual modal type theory which has been
described in [NPP08]. We later extended contextual modal type theory with
context variables which allow us to abstract over concrete contexts and param-
eter variables which allow us to talk abstractly about elements of contexts. The
foundation for programming with contextual data objects and contexts was first
described in [Pie08] and subsequently extended with dependent types in [PD08].

3 Implementation

The Beluga system is implemented in OCaml. It consists of a re-implementation

of the logical framework LF [HHP93] which supports in general specifying formal
systems given via axioms and inference rules. Similar to the core of the Twelf
system [PS99], we support type reconstruction for LF signatures based on higher-
order pattern unification with constraints.
On top of the logical framework LF, we provide a dependently-typed func-
tional language which allows the user to declare context schemas, write recursive
functions using pattern matching on contextual data and abstract over concrete
 Beluga 7

contexts using context variables and context abstraction. Designing a palatable,

usable source language for Beluga has been challenging. Subsequently, we will
list some of the challenges we addressed:

3.1 Higher-Order Unification with Constraints

Higher-order unification is in general undecidable [Gol81], however a decidable
fragment, called higher-order patterns [Mil91, Pfe91b] exist. A higher-order pat-
tern is a meta-variable which is applied to distinct bound variables. In our
implementation, we associate meta-variables with explicit substitutions which
represents the distinct bound variables which may occur in the instantiation of
the meta-variable and employ de Bruijn indices [DHKP96]. Our implementation
of higher-order pattern unification is based on the development in [Pie03].
Since concentrating on higher-order patterns only is too restrictive, we adopt
ideas from the Twelf system and solve higher-order pattern problems eagerly
and delay non-pattern cases using constraints which are periodically revisited.
Beluga also supports parameter variables which can be instantiated with either
bound variables or other parameter variables and we extended unification to
account for them. The main difficulty in handling parameter variables lies in the
fact that their type may be a Σ-type (dependent product). In general, higher-
order unification for Σ-types is undecidable. Fortunately, if we restrict Σ-types
to only parameter variables or bound variables, then unique solution exists.

3.2 Type Reconstruction for Beluga

Dependently typed systems can be extremely verbose since dependently typed
objects must carry type information. For this reason, languages supporting de-
pendent types such as Twelf [PS99], Delphin [PS08], Coq [BC04] , Agda [Nor07],
or Epigram [MM04] all support some form of type reconstruction. However, there
are hardly any concise formal description on how this is accomplished, what is-
sues arise in practice, and what requirements the user-level syntax should satisfy.
Formal foundations and correctness guarantees are even harder to find. This is a
major obstacle if we want this technology to spread and dependent types are to
reach mainstream programmers and implementors of programming languages.
In the setting of Beluga, we must consider two forms of type reconstruction:
(1) type reconstruction for the logical framework LF, which allows us to specify
formal systems, and (2) type reconstruction for the computation language which
support writing recursive programs using pattern matching on LF objects.

Type reconstruction for LF. We illustrate briefly the problem. Consider the expres-
sion lam x . lam y . app x y which is represented as lam λx. lam λy. app x y in LF.
However, since expressions are indexed by types to ensure that we only represent
well-typed expressions, constructors lam and app take in also two index
arguments describing the type of the expression. Type reconstruction needs to in-
fer them. The reconstructed, fully explicit representation is
lam (arr T S) (arr T S) λx. lam S T λy. app T S x y
8 B. Pientka

We adapted the general principle also found in [Pfe91a]: We may omit an index
argument when a constant is used, if it was implicit when the type of the constant
was declared. An argument is implicit to a type if it either occurs as a free variable
in the type or it is an index argument in the type. Following the ideas in the
Twelf system, we do not allow the user to supply an implicit argument explicitly.
Type reconstruction is, in general, undecidable for the LF. Our algorithm
similar to its implementation in the Twelf system reports a principal type, a
type error, or that the source term needs more type information.

Type reconstruction for dependently typed recursive functions. Type reconstruc-

tion for Beluga functions begins by reconstructing their specified computation-
level type. For example, the type of norm was declared as {g:(ctx)*} (exp T)[g]
→(exp T)[g] where the variable T is free. Type reconstruction will infer its type
as tp[ ] and yield {g:(ctx)*}{T::tp[ ]}(exp T)[g] →(exp T)[g]. Note, that we
do not attempt to infer the schema of the context variable at this point. This
could only be done by inspecting the actual program and performing multiple
passes over it. Since the type of inferred variables may depend on the context
variable g, we insert their abstractions just after the context variable has been
introduced.
Beluga functions, as the function norm, may be dependently typed and we ap-
ply the same principle as before. An index argument is implicit to a computation-
level type if it either occurs as a free meta-variable in the computation-level type
or it is an index argument in the computation-level type. Hence, we may omit
passing an index argument to a Beluga function, if it was implicit when the type
of the function was declared. Considering the program norm again this means
whenever we call norm recursively we may omit passing the concrete type for T.
Let us describe reconstruction of recursive function step-by-step. Reconstruc-
tion of the recursive function norm is guided by its type which is now fully known.
For example, we know that after introducing the context with Λg ⇒... , we
must introduce the meta-variable T and the beginning of the norm function will
be: Λg ⇒mlam T ⇒fn e ⇒case e of ....
Reconstruction of the function body may refer to T and cannot leave any
free meta-variables. It must accomplish three tasks: (1) We must insert missing
arguments to recursive calls to norm. For example in the application case, we
have norm [g] ([g] M1 ... ), but norm must in fact also take as a second input
the actual type of (M1 ... ). (2) We must infer the type of meta-variables and
parameter variables occurring in patterns. (3) We must infer the overall type of
the pattern and since patterns may refine dependent types, we must compute a
refinement. For example, in the case for abstractions, the type of the scrutinee
is (exp T)[g], but the type of the pattern is (exp (arr T1 T2))[g]. Hence, we
must infer the refinement which state T = (arr T1 T2).
One major challenge is that omitted arguments, which we need to infer,
may depend on context variables, bound variables, and other meta-variables.
To accomplish this we extended our unification algorithm to support meta2 -
variables which allow us to track dependencies on contexts and other bound
meta-variables.
 Beluga 9

Type reconstruction for the computation level is undecidable. For our com-
putation language, we check functions against a given type and either succeed,
report a type error, or fail by asking for more type information if no ground in-
stantiation can be found for an omitted argument or if we cannot infer the type
of meta-variables occurring in patterns. It is always possible to make typing
unambiguous by adding more annotations.

4 Related Work
In our discussion on related work, we will concentrate on programming languages
supporting HOAS specifications and reasoning about them. Most closely related
to our work is the Twelf system [PS99], a proof checking environment based
on the logical framework LF. Its design has strongly influenced the design of
Beluga. While both Twelf and Beluga support specifying formal systems using
HOAS in LF, Twelf supports implementing proofs as relations. To verify that
the relation indeed constitutes a proof, one needs to prove separately that it
is a total function. Twelf is a mature system providing termination checking
as well as an implementation of coverage checking. Both features are under
development for Beluga. One main difference between Twelf and Beluga lies in
the treatment of contexts. In Twelf, the actual context of hypotheses remains
implicit. As a consequence, instead of a generic base case, base cases in proofs
are handled whenever an assumption is introduced. This may lead to scattering
of base cases and adds some redundancy. World declarations, similar to context
schema declarations, check that assumptions introduced are of the expected form
and that appropriate base cases are indeed present. Because worlds in the Twelf
system also carry information about base cases, manual weakening is required
more often when assembling larger proofs using lemmas. Explicit contexts in
Beluga, make the meta-theoretic reasoning about contexts, which is hidden in
Twelf, explicit. We give a systematic comparison and discuss the trade-offs of
this decision together with illustrative examples in [FP10].
Another important difference between Twelf and Beluga is its expressive
power. To illustrate, consider the following simple statement about lambda-
terms: If for all N , N is a subterm of K implies that N is a subterm of M , then K
must be a subterm of M . Because this statement requires nested quantification
and implication, especially in a negative position, it is outside Twelf’s meta-logic
which is used to verify that a given relation constitutes a proof. While this has
been known, we hope that this simple theorem illustrates this point vividly.
More recently, we see a push towards incorporating logical framework technol-
ogy into mainstream programming languages to support the tight integration of
specifying program properties with proofs that these properties hold. The Del-
phin language [PS08] is most closely related to Beluga. Both support writing
recursive functions over LF specifications, but differ in the theoretical founda-
tion. In particular, contexts to keep track of assumptions are implicit in Delphin.
It hence lacks the ability to distinguish between closed objects and objects de-
pending on bound variables on the type-level. Delphin’s implementation utilizes
as much of the Twelf infrastructure as possible.
10 B. Pientka

Licata and Harper [LH09] developed a logical framework supporting datatypes

that mix binding and computation, implemented in the programming language
Agda [Nor07, Agd09]. Their system does not explicitly support context vari-
ables and abstraction over them, but interprets binders as pronouns which refer
to a designated binding site. Structural properties such as weakening, contrac-
tion, and substitution are not directly supported by the underlying theoretical
foundation, but implemented in a datatype-generic manner. Finally, the current
implementation does not support dependent types.
A different more pragmatic approach to allow manipulation of binding struc-
tures is pursued in nominal type systems which serve as a foundation of FreshML
[SPG03]. In this approach names and α-renaming are supported but implement-
ing substitution is left to the user. Generation of a new name and binding names
are separate operations which means it is possible to generate data which con-
tains accidentally unbound names since fresh name generation is an observable
side effect. To address this problem, Pottier [Pot07] describes pure FreshML
where we can reason about the set of names occurring in an expression via a
Hoare-style proof system. These approaches however lack dependent typing and
hence are not suitable for programming with proofs.

5 Conclusion and Future Work

Over the past year, we designed an implemented Beluga based on our type-
theoretic foundation described in [Pie08, PD08]. Our current prototype has been
tested on a wide variety of examples, including proofs of the Church-Rosser the-
orem, proofs about compiler transformations, subject reduction, and translation
from natural deduction to Hilbert style proofs. We also used Beluga to imple-
ment proofs for theorems about structural relationships between expressions and
proofs about the paths in expressions. Both of these statements require nested
quantifiers and implications, placing them outside the fragment of propositions
expressible in systems such as Twelf. In the future, we plan to concentrate on
the following two aspects:

Guaranteeing totality of functions. While type-checking guarantees local con-

sistency and partial correctness, it does not guarantee that the implemented
function is total. Thus, while we can implement, partially verify, and execute
the functions, at present Beluga cannot guarantee that these functions are total
and that their implementation constitutes a valid proof. The two missing pieces
are coverage and termination. In previous work [DP09], we have described an
algorithm to ensure that all cases are covered and we are planning an imple-
mentation of coverage during the next few months. Verifying termination of a
recursive function will essentially follow similar ideas from the Twelf system
[RP96, Pie05] to ensure that arguments passed to the recursive call are indeed
smaller.

Automating induction proofs. Our framework currently supports the implemen-

tation of induction proofs as recursive functions. It however lacks automation. In
 Beluga 11

the future, we plan to explore how to connect our framework to a theorem prover
which can fill in parts of the function (= proof) automatically and where the
user can interactively develop functions in collaboration with a theorem prover.

References

[Agd09] Agda wiki (2009), http://wiki.portal.chalmers.se/agda/

[BC04] Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program
Development. In: Coq’Art: The Calculus of Inductive Constructions.
Springer, Heidelberg (2004)
[DHKP96] Dowek, G., Hardin, T., Kirchner, C., Pfenning, F.: Unification via ex-
plicit substitutions: The case of higher-order patterns. In: Maher, M.
(ed.) Proceedings of the Joint International Conference and Sympo-
sium on Logic Programming, Bonn, Germany, pp. 259–273. MIT Press,
Cambridge (1996)
[DP09] Dunfield, J., Pientka, B.: Case analysis of higher-order data. In: Interna-
tional Workshop on Logical Frameworks and Meta-Languages: Theory
and Practice (LFMTP 2008). ENTCS, vol. 228, pp. 69–84. Elsevier,
Amsterdam (2009)
[FP10] Felty, A.P., Pientka, B.: Reasoning with higher-order abstract syntax
and contexts: A comparison. Technical report, School of Computer Sci-
ence, McGill University (January 2010)
[Gol81] Goldfarb, W.D.: The undecidability of the second-order unification prob-
lem. Theoretical Computer Science 13, 225–230 (1981)
[HHP93] Harper, R., Honsell, F., Plotkin, G.: A framework for defining logics.
Journal of the ACM 40(1), 143–184 (1993)
[LH09] Licata, D.R., Harper, R.: A universe of binding and computation. In:
Hutton, G., Tolmach, A.P. (eds.) 14th ACM SIGPLAN International
Conference on Functional Programming, pp. 123–134. ACM Press,
New York (2009)
[Mil91] Miller, D.: Unification of simply typed lambda-terms as logic program-
ming. In: Eighth International Logic Programming Conference, Paris,
France, pp. 255–269. MIT Press, Cambridge (1991)
[MM04] McBride, C., McKinna, J.: The view from the left. Journal of Functional
Programming 14(1), 69–111 (2004)
[Nec97] Necula, G.C.: Proof-carrying code. In: 24th Annual Symposium on Prin-
ciples of Programming Languages (POPL 1997), pp. 106–119. ACM
Press, New York (1997)
[Nor07] Norell, U.: Towards a practical programming language based on depen-
dent type theory. PhD thesis, Department of Computer Science and
Engineering, Chalmers University of Technology, Technical Report 33D
(September 2007)
[NPP08] Nanevski, A., Pfenning, F., Pientka, B.: Contextual modal type theory.
ACM Transactions on Computational Logic 9(3), 1–49 (2008)
[PD08] Pientka, B., Dunfield, J.: Programming with proofs and explicit con-
texts. In: ACM SIGPLAN Symposium on Principles and Practice of
Declarative Programming (PPDP 2008), pp. 163–173. ACM Press,
New York (2008)
12 B. Pientka

[Pfe91a] Pfenning, F.: Logic programming in the LF logical framework. In: Huet,
G., Plotkin, G. (eds.) Logical Frameworks, pp. 149–181. Cambridge Uni-
versity Press, Cambridge (1991)
[Pfe91b] Pfenning, F.: Unification and anti-unification in the Calculus of Con-
structions. In: Sixth Annual IEEE Symposium on Logic in Computer
Science, Amsterdam, The Netherlands, July 1991, pp. 74–85 (1991)
[Pfe97] Pfenning, F.: Computation and deduction (1997)
[Pie03] Pientka, B.: Tabled higher-order logic programming. PhD thesis, De-
partment of Computer Science, Carnegie Mellon University, CMU-CS-
03-185 (2003)
[Pie05] Pientka, B.: Verifying termination and reduction properties about
higher-order logic programs. Journal of Automated Reasoning 34(2),
179–207 (2005)
[Pie08] Pientka, B.: A type-theoretic foundation for programming with higher-
order abstract syntax and first-class substitutions. In: 35th Annual ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Lan-
guages (POPL 2008), pp. 371–382. ACM Press, New York (2008)
[Pot07] Pottier, F.: Static name control for FreshML. In: 22nd IEEE Sympo-
sium on Logic in Computer Science (LICS 2007), pp. 356–365. IEEE
Computer Society, Los Alamitos (2007)
[PS99] Pfenning, F., Schürmann, C.: System description: Twelf — a meta-
logical framework for deductive systems. In: Ganzinger, H. (ed.) CADE
1999. LNCS (LNAI), vol. 1632, pp. 202–206. Springer, Heidelberg (1999)
[PS08] Poswolsky, A.B., Schürmann, C.: Practical programming with higher-
order encodings and dependent types. In: Drossopoulou, S. (ed.) ESOP
2008. LNCS, vol. 4960, pp. 93–107. Springer, Heidelberg (2008)
[RP96] Rohwedder, E., Pfenning, F.: Mode and termination checking for higher-
order logic programs. In: Riis Nielson, H. (ed.) ESOP 1996. LNCS,
vol. 1058, pp. 296–310. Springer, Heidelberg (1996)
[SPG03] Shinwell, M.R., Pitts, A.M., Gabbay, M.J.: FreshML: programming with
binders made simple. In: 8th International Conference on Functional
Programming (ICFP 2003), pp. 263–274. ACM Press, New York (2003)
[Twe09] Twelf wiki (2009), http://twelf.plparty.org/wiki/Main_Page
Using Static Analysis to Detect Type Errors and
Concurrency Defects in Erlang Programs

Konstantinos Sagonas

[email protected]

Abstract. This invited talk will present the key ideas in the design and
implementation of Dialyzer, a static analysis tool for Erlang programs.
Dialyzer started as a defect detection tool using a rather ad hoc dataflow
analysis to detect type errors in Erlang programs, but relatively early in
its development it adopted a more disciplined approach to detecting def-
inite type clashes in dynamically typed languages. Namely, an approach
based on using a constraint-based analysis to infer success typings which
are also enhanced with optional contracts supplied by the programmer.
In the first part of the talk, we will describe this constraint-based
approach to type inference and explain how it differs with past and recent
attempts to type check programs written in dynamic languages. In the
second part of the talk, we will present important recent additions to
Dialyzer, namely analyses that detect concurrency defects (such as race
conditions) in Erlang programs. For a number of years now, Dialyzer
has been part of the Erlang/OTP system and has been actively used by
its community. Based on this experience, we will also critically examine
Dialyzer’s design choices, show interesting cases of Dialyzer’s use, and
distill the main lessons learned from using static analysis in open source
as well as commercial code bases of significant size.

1 Introduction

Erlang [1] is a strict, dynamically typed functional programming language that

comes with built-in support for message-passing concurrency, interprocess com-
munication, distribution, and fault-tolerance. Although the syntax of Erlang
is heavily influenced by logic programming languages such as Prolog, its core
is similar to those of modern functional programming languages such as ML
and Haskell. For example, Erlang features single-assignment variables, pattern
matching extended with guards, function closures, list comprehensions, etc. The
Erlang/OTP (Open Telecom Platform) system from Ericsson is its standard im-
plementation and has been released as open source since 1998. Erlang’s primary
application area has been that of large-scale embedded control systems such as
those developed by the telecommunications industry, though recent years have
witnessed an increased interest in the language. In particular, Erlang has been
successfully used to develop a variety of applications which require concurrency
and/or fault-tolerance (e.g., distributed fault-tolerant instant messaging servers,
high performance web servers, event-driven web frameworks, and distributed,

M. Blume, N. Kobayashi, and G. Vidal (Eds.): FLOPS 2010, LNCS 6009, pp. 13–18, 2010.

c Springer-Verlag Berlin Heidelberg 2010
14 K. Sagonas

fault-tolerant and schema-free document-oriented databases). Nowadays, appli-

cations written in Erlang are significant, both in number and code size, making
Erlang one of the most industrially relevant functional programming languages.
Program development needs tools tailored to the characteristics of the lan-
guage that detect common programmer pitfalls and errors (so called “bugs”)
in programs. Erlang is no exception in this respect. For example, in sequential
programs, the absence of static type checking makes Erlang programs suscepti-
ble to type errors which remain undetected by the compiler. Things get worse
when concurrency enters the picture, as the number of possible interleavings be-
tween processes introduces possibilities for subtle errors which are hard for the
programmer to reason about and reproduce during testing.
To ameliorate the situation, we have created a static analysis tool, called
Dialyzer (DIscrepancy AnaLYZer for ERlang programs), that automatically de-
tects and reports to its user various kinds of software defects in large applications
written in Erlang. Defects that are detected by Dialyzer range from identifying
code points that will definitely raise an exception due to a type clash, code that
has become unreachable due to some logical error, code that has a data race
if executed concurrently by more than one processes, function definitions which
do not respect the APIs that are specified in the published documentation of
Erlang/OTP, etc. Since 2007, Dialyzer is part of the Erlang/OTP distribution.
Nowadays, Dialyzer is used extensively in the Erlang programming community
and is often integrated in the build environment of many applications. A survey
of tools for developing and testing Erlang programs [2], conducted in the spring
of 2008, reported that Dialyzer was by a wide margin the software tool most
widely known (70%) and used (47%) by Erlang developers.
This invited talk will present the techniques used in Dialyzer. The next two
sections of this paper review these techniques but do so very briefly. For more
information, the reader is referred to the relevant publications that describe these
techniques in detail [3,4,5] and to a paper which reports early experiences from
developing and using Dialyzer [6]. All these papers are accessible from Dialyzer’s
homepage: http://www.it.uu.se/research/group/hipe/dialyzer.

2 Techniques to Detect Type Errors in Erlang

As Erlang is a dynamically typed functional language, the first kind of errors

that Dialyzer aimed to detect were definite type errors, i.e., source code points
that would always raise a runtime exception due to a type mismatch if the code
in that particular program point was ever executed.
It should be pointed out that this was not the first attempt to detect type
errors in Erlang programs. Among published such attempts, Marlow and Wadler
had previously proposed a subtyping system for Erlang programs [7] that was
never adopted, mainly due to the fact that it failed to type and unnecessarily
rejected valid programs, while Nyström had proposed a soft typing system for
Erlang [8] that never matured to the point of handling the complete language
and being practical. The approach taken by Dialyzer differs significantly from
 Using Static Analysis to Detect Type Errors and Concurrency Defects 15

these works, both in the techniques that were used but more importantly in the
fact that Dialyzer aimed to detect definite type errors instead of possible ones.
To detect this kind of errors, Dialyzer initially used a relatively ad hoc path-
insensitive dataflow analysis [3]. Even though this approach was quite weak in
principle, it turned out surprisingly effective in practice. Dialyzer managed to
detect a significant number of type errors in heavily used libraries and appli-
cations, errors which remained hidden during many years of testing and use of
the code. The analysis was fast and scalable allowing it to be used in programs
of significant size (hundreds of thousand lines of code). More importantly, the
analysis was sound for defect detection: it modelled the operational semantics
of Erlang programs accurately and never reported a false alarm. We believe this
was a key factor in Dialyzer’s adoption by the Erlang community, even before
the tool was included in the Erlang/OTP distribution. Early experiences using
this analysis were reported in Bugs’05 [6].
Despite Dialyzer’s success, there was a clear limit to the kind of type errors
that could be detected using a purely dataflow-based analysis. To ameliorate
the situation, Dialyzer’s analysis was redesigned, pretty much from scratch. We
opted for a more disciplined and considerably more powerful analysis that in-
fers success typings of functions using a constraint-based inference algorithm [4].
Informally, a success typing is a type signature that over-approximates the func-
tion’s dynamic semantics. More concretely, it over-approximates the set of terms
for which the function can evaluate to a value. The domain of the type signature
includes a type-level representation of all possible terms that the function could
accept as parameters, and its range includes all possible return values for this
domain. In effect, success typings approach the type inference problem from a
direction opposite to that of type systems for statically typed languages. For ex-
ample, while most type systems have to restrict the set of terms that a function
can accept in order to prove type safety, success typings, which are intended to
locate definite type clashes, only need to be careful not to exclude some term
for which the function can be used without raising some runtime exception. The
analogy can be taken further. The well-known slogan that “well-typed programs
never go wrong” has its analogue “ill-typed programs always fail”, meaning that
use of a function in a way which is incompatible with its success typing will
surely raise a runtime exception if encountered.
Slogans aside, success typings allow for compositional, bottom-up, constraint-
based type inference which appears to scale well in practice. Moreover, by
taking control and data flow into account and by exploiting properties of the
language such as its module system, which allows for specializing success typ-
ings of module-local functions based on their actual instead of their possible uses,
success typings can be refined using a top-down algorithm [4]. This refinement
process often makes success typings as accurate as the types inferred by stati-
cally typed functional languages. Given these so called refined success typings,
Dialyzer employs a function-local dataflow analysis that locates type clashes and
other errors (e.g., case clauses that can never match, guards that will always fail,
etc.) in programs.
16 K. Sagonas

Once there was a solid basis for detecting discrepancies between allowed and
actual uses of functions, the obvious next step was to design a specification
language for Erlang. This language is nowadays a reality and allows Erlang
programmers to express their intentions about how certain functions are to be
used, thereby serving both as important documentation for the source code and
providing additional constraints to the analysis in the form of type contracts [9].
These contracts are either success typings which are automatically generated
and inserted into the source code or user-specified refinements of the inferred
refined success typings. In many respects, this approach of adding contracts is
similar to that pioneered by other dynamically typed functional languages such
as PLT Scheme [10]. Nowadays, many of Erlang/OTP’s libraries as well as open
source applications written in Erlang come with type contracts for functions;
especially in those which are part of a module’s API.
The presence of such information has allowed Dialyzer to detect even more
type errors and subtle interface abuses in key functions of Erlang/OTP. A paper
describing in detail the approach we advocate and experiences from applying it
in one non-trivial case study was published in the 2008 Erlang workshop [11].

3 Techniques to Detect Concurrency Defects in Erlang

Relatively recently, Dialyzer was enhanced with a precise and scalable analysis
that automatically detects data races. In pure Erlang code, data races are impos-
sible: the language does not provide any constructs for processes to create and
modify shared memory. However, the Erlang/OTP implementation comes with
key libraries and built-ins, implemented in C as part of the runtime system, that
do create and manipulate data structures which are shared between processes.
Unrestricted uses of these built-ins in code run by different processes may lead
to data races.
To detect such situations, we have designed a static analysis that detects
some of the most common kinds of data races in Erlang programs: races in the
process registry, in the Erlang Term Storage (ETS) facility, and in the mnesia
database management system. This analysis integrates smoothly with the rest of
Dialyzer’s analyses targetting the sequential part of the language. The analysis
is non-trivial as the built-ins accessing shared data structures may be spatially
far apart, they may even be located in the code of different modules, or even
worse, hidden in the code of higher-order functions. For this reason, the analysis
takes control flow into account. Also, it has to be able to reason about data flow:
if at some program point the analysis locates a call to a built-in reading a shared
data structure and from that point on control reaches a program point where a
call to a built-in writing the same data structure appears, the analysis needs to
determine whether the two calls may possibly be performed on the same data
item or not. If they may, it has detected a race condition, otherwise there is none.
Because data races are subtle and difficult to locate, Dialyzer departs from the
“report only definite errors” principle: for the first time its user can opt for an
analysis that is sound either for defect detection or for correctness. The former
 Using Static Analysis to Detect Type Errors and Concurrency Defects 17

analysis completely avoids false alarms by ignoring any unknown higher-order

calls it may encounter, while the latter finds all data races with the risk of also
producing some false alarms depending on the precision of the information about
these calls.
A recently published paper [5] describes in detail the steps of the analysis,
the optimizations that it employs, and measurements evaluating its effectiveness
and performance on a suite of widely used industrial and open source programs
of considerable size. As reported there, the analysis was able to detect a signif-
icant number of previously unknown race conditions in these programs. More
importantly, since November 2009 it is part of Erlang/OTP, it has already been
put to test by its users, and has helped application programmers discover subtle
data races in their code bases.

4 Concluding Remarks

Although many of the ideas of Dialyzer can be traced as far back as 2003,
this line of research is active and far from complete. We are currently working
on various extensions and additions to the core of Dialyzer’s analysis that will
enable it to detect many more kinds of errors in programs. Chief among them
are those related to detecting defects in concurrent programs that use message-
passing for concurrency, which arguably is Erlang’s most salient feature. No
matter how many analyses one designs and employs, programmers somehow
seem to be continuously stepping upon interesting new cases of bugs which are
beyond the reach of these analyses. Although it is clearly impossible to catch all
software bugs, it’s certainly fun to try!

Acknowledgements

This research has been supported in part by grant #621-2006-4669 from the
Swedish Research Council. Tobias Lindahl and Maria Christakis have contributed
enormously to Dialyzer; both to the design of the analyses employed by the tool,
by fine-tuning their actual implementation and making Dialyzer not only effec-
tive in discovering bugs, but also efficient and scalable.
The author wishes to thank both the Program Committee of FLOPS 2010 for
their invitation and the program chairs of the Symposium for their patience in
receiving answers to their e-mails and the camera-ready version of this paper.

References

1. Armstrong, J.: Programming Erlang: Software for a Concurrent World. The Prag-
matic Bookshelf, Raleigh (2007)
2. Nagy, T., Nagyné Vı́g, A.: Erlang testing and tools survey. In: Proceedings of the
7th ACM SIGPLAN Workshop on Erlang, pp. 21–28. ACM, New York (2008)
18 K. Sagonas

3. Lindahl, T., Sagonas, K.: Detecting software defects in telecom applications

through lightweight static analysis: A war story. In: Wei-Ngan, C. (ed.) APLAS
2004. LNCS, vol. 3302, pp. 91–106. Springer, Heidelberg (2004)
4. Lindahl, T., Sagonas, K.: Practical type inference based on success typings. In:
Proceedings of the 8th ACM SIGPLAN International Conference on Principles
and Practice of Declarative Programming, pp. 167–178. ACM, New York (2006)
5. Christakis, M., Sagonas, K.: Static detection of race conditions in Erlang. In: Carro,
M., Peña, R. (eds.) PADL 2010. LNCS, vol. 5937, pp. 119–133. Springer, Heidelberg
(2010)
6. Sagonas, K.: Experience from developing the Dialyzer: A static analysis tool detect-
ing defects in Erlang applications. In: Proceedings of the ACM SIGPLAN Work-
shop on the Evaluation of Software Defect Detection Tools (2005)
7. Marlow, S., Wadler, P.: A practical subtyping system for Erlang. In: Proceedings
of the ACM SIGPLAN International Conference on Functional Programming, pp.
136–149. ACM, New York (1997)
8. Nyström, S.O.: A soft-typing system for Erlang. In: Proceedings of ACM SIGPLAN
Erlang Workshop, pp. 56–71. ACM, New York (2003)
9. Jimenez, M., Lindahl, T., Sagonas, K.: A language for specifying type contracts in
Erlang and its interaction with success typings. In: Proceedings of the 6th ACM
SIGPLAN Workshop on Erlang, pp. 11–17. ACM, New York (2007)
10. Findler, R.B., Clements, J., Flanagan, C., Flatt, M., Krishnamurthi, S., Steckler,
P., Felleisen, M.: DrScheme: A programming environment for Scheme. Journal of
Functional Programming 12(2), 159–182 (2002)
11. Sagonas, K., Luna, D.: Gradual typing of Erlang programs: A Wrangler experience.
In: Proceedings of the 7th ACM SIGPLAN Workshop on Erlang, pp. 73–82. ACM,
New York (2008)
 Solving Constraint Satisfaction Problems with
SAT Technology

Naoyuki Tamura1 , Tomoya Tanjo2 , and Mutsunori Banbara1

1
Information Science and Technology Center, Kobe University, Japan
{tamura,banbara}@kobe-u.ac.jp
2
Graduate School of Engineering, Kobe University, Japan

Abstract. A Boolean Satisfiability Testing Problem (SAT) is a combi-

natorial problem to find a Boolean variable assignment which satisfies all
given Boolean formulas. Recent performance improvement of SAT tech-
nologies makes SAT-based approaches applicable for solving hard and
practical combinatorial problems, such as planning, scheduling, hard-
ware/software verification, and constraint satisfaction.
Sugar is a SAT-based constraint solver based on a new encoding
method called order encoding which was first used to encode job-shop
scheduling problems by Crawford and Baker. In the order encoding, a
comparison x ≤ a is encoded by a different Boolean variable for each
integer variable x and integer value a. The Sugar solver shows a good
performance for a wide variety of problems, and became the winner of
the GLOBAL categories in 2008 and 2009 CSP solver competitions.
The talk will provide an introduction to modern SAT solvers, SAT
encodings, implementation techniques of the Sugar solver, and its per-
formance evaluation.

1 SAT and SAT Encodings

A Boolean Satisfiability Testing Problem (SAT) is a combinatorial problem to find
a Boolean variable assignment which satisfies all given Boolean formulas [1]. Re-
cent performance improvement of SAT technologies makes SAT-based approaches
applicable for solving hard and practical combinatorial problems, such as plan-
ning, scheduling, hardware/software verification, and constraint satisfaction.
A (finite) Constraint Satisfaction Problem (CSP) is a combinatorial problem
to find an integer variable assignment which satisfies all given constraints on
integers. A SAT-based constraint solver is a program which solves constraint
satisfaction problems (CSP) by encoding them to SAT and searching solutions
by a SAT solver.
There have been several proposed methods to encode CSP into SAT.
Direct encoding is the most widely used one in which a Boolean variable
p(x = i) is defined as true if and only if the CSP variable x has the domain
value i [2,3]. A constraint is encoded by enumerating its conflict points as SAT
clauses.
Support encoding also uses a Boolean variable p(x = i) as in the direct encod-
ing [4,5]. While a constraint is encoded by considering its support points.

M. Blume, N. Kobayashi, and G. Vidal (Eds.): FLOPS 2010, LNCS 6009, pp. 19–23, 2010.

c Springer-Verlag Berlin Heidelberg 2010
20 N. Tamura, T. Tanjo, and M. Banbara

Log encoding uses a Boolean variable p(x(i) ) for each i-th bit of each CSP
variable x [6,7]. A constraint is encoded by enumerating its conflict points as
SAT clauses as in the direct encoding.
Log-support encoding also uses a Boolean variable p(x(i) ) for each i-th bit
of each CSP variable x as in the log encoding [8]. A constraint is encoded by
considering its support points.
Order encoding uses a Boolean variable p(x ≤ i) for each integer variable x
and domain value i where p(x ≤ i) is defined as true if and only if the CSP
variable x is less than or equal to i [9]. This encoding was first used to encode
job-shop scheduling problems by Crawford and Baker [10] and studied by Inoue
et al. [11,12]. This encoding shows a good performance for a wide variety of
problems, It succeeded to solve previously undecided problems, such as open-
shop scheduling problems [9] and two-dimensional strip packing problems [13].

1.1 Order Encoding

Let x be an integer variable whose domain is {l..u}. Boolean variables p(x ≤ l),
p(x ≤ l + 1), . . . , p(x ≤ u − 1) and the following SAT clauses are introduced to
encode each integer variable x. Please note that p(x ≤ u) is unnecessary because
x ≤ u is always true.

¬p(x ≤ i − 1) ∨ p(x ≤ i) (l < i < u)

Constraints are encoded by enumerating conflict regions. When all points

(x1 , . . . , xk ) in the region i1 < x1 ≤ j1 , . . . , ik < xk ≤ jk violate the constraint,
the following SAT clause is added.

p(x1 ≤ i1 ) ∨ ¬p(x1 ≤ j1 ) ∨ · · · ∨ p(xk ≤ ik ) ∨ ¬p(xk ≤ jk )

The following is an example of encoding of x+ y ≤ 7 when x, y ∈ {2, 3, 4, 5, 6}.

0 1 2 3 4 5 6 7 x

Fig. 1. Order encoding of x + y ≤ 7

 Solving Constraint Satisfaction Problems with SAT Technology 21

The following six SAT clauses are used to encode the variables x and y.

¬p(x ≤ 2) ∨ p(x ≤ 3) ¬p(x ≤ 3) ∨ p(x ≤ 4) ¬p(x ≤ 4) ∨ p(x ≤ 5)

¬p(y ≤ 2) ∨ p(y ≤ 3) ¬p(y ≤ 3) ∨ p(y ≤ 4) ¬p(y ≤ 4) ∨ p(y ≤ 5)

The following five SAT clauses are used to encode the constraint x + y ≤ 7
(Fig. 1)
p(y ≤ 5) p(x ≤ 2) ∨ p(y ≤ 4) p(x ≤ 3) ∨ p(y ≤ 3) p(x ≤ 4) ∨ p(y ≤ 2) p(x ≤ 5)

2 SAT-Based Constraint Solver Sugar

Sugar1 is a SAT-based constraint solver based on the order encoding [14,15,16].

It can solve CSP, COP (Constraint Optimization Problem), and Max-CSP by
translating the problem instance to a SAT instance and then solving the trans-
lated SAT instance with an external efficient SAT solver such as MiniSat [17]
and PicoSAT [18].

Table 1. Comparison of CSP solvers for 556 global category instances

Series Sugar Sugar Mistral Choco bpsolver

+MiniSat +PicoSAT
BIBD ( 83) 76 77 76 58 35
Costas Array ( 11) 8 8 9 9 9
Latin Square ( 10) 10 9 5 5 5
Magic Square ( 18) 8 8 13 15 11
NengFa ( 3) 3 3 3 3 3
Orthogonal Latin Square ( 9) 3 3 3 2 3
Perfect Square Packing ( 74) 54 53 40 47 36
Pigeons ( 19) 19 19 19 19 19
Quasigroup Existence ( 35) 30 29 29 28 30
Pseudo-Boolean (100) 68 75 59 53 70
BQWH ( 20) 20 20 20 20 20
Cumulative Job-Shop ( 10) 4 4 2 1 0
RCPSP ( 78) 78 78 78 77 75
Cabinet ( 40) 40 40 40 40 40
Timetabling ( 46) 25 42 39 14 1
Total (556) 446 468 435 391 357

Sugar showed a good performance in the recent International CSP Solver

Competitions held in 2009 2 . It became the winner in 3 categories out of 7 cat-
egories. These 3 categories are the widest ones which can contain all of global,
intensional, and extensional constraints. Table 1 shows the number of solved
1
http://bach.istc.kobe-u.ac.jp/sugar/
2
http://www.cril.univ-artois.fr/CPAI09/
22 N. Tamura, T. Tanjo, and M. Banbara

instances in these categories by Sugar and other top ranked solvers Mistral3 ,
Choco4 , and bpsolver5 .
Through those results, it is shown that a SAT-based solver can have a compet-
itive performance with other state-of-the-art solvers in difficult CSP benchmark
instances. We hope the order encoding used in Sugar is becoming popular in
other SAT-based systems.
This research was partially supported by JSPS (Japan Society for the Promo-
tion of Science), Grant-in-Aid for Scientific Research (A), 2008–2011, 20240003.

References
1. Biere, A., Heule, M., van Maaren, H., Walsh, T. (eds.): Handbook of Satisfiability.
Frontiers in Artificial Intelligence and Applications (FAIA), vol. 185. IOS Press,
Amsterdam (2009)
2. de Kleer, J.: A comparison of ATMS and CSP techniques. In: Proceedings of the
11th International Joint Conference on Artificial Intelligence (IJCAI 1989), pp.
290–296 (1989)
3. Walsh, T.: SAT v CSP. In: Dechter, R. (ed.) CP 2000. LNCS, vol. 1894, pp. 441–
456. Springer, Heidelberg (2000)
4. Kasif, S.: On the parallel complexity of discrete relaxation in constraint satisfaction
networks. Artificial Intelligence 45, 275–286 (1990)
5. Gent, I.P.: Arc consistency in SAT. In: Proceedings of the 15th European Confer-
ence on Artificial Intelligence (ECAI 2002), pp. 121–125 (2002)
6. Iwama, K., Miyazaki, S.: SAT-variable complexity of hard combinatorial problems.
In: Proceedings of the IFIP 13th World Computer Congress, pp. 253–258 (1994)
7. Gelder, A.V.: Another look at graph coloring via propositional satisfiability. Dis-
crete Applied Mathematics 156, 230–243 (2008)
8. Gavanelli, M.: The log-support encoding of CSP into SAT. In: Bessière, C. (ed.)
CP 2007. LNCS, vol. 4741, pp. 815–822. Springer, Heidelberg (2007)
9. Tamura, N., Taga, A., Kitagawa, S., Banbara, M.: Compiling finite linear CSP into
SAT. Constraints 14, 254–272 (2009)
10. Crawford, J.M., Baker, A.B.: Experimental results on the application of satisfi-
ability algorithms to scheduling problems. In: Proceedings of the 12th National
Conference on Artificial Intelligence (AAAI 1994), pp. 1092–1097 (1994)
11. Inoue, K., Soh, T., Ueda, S., Sasaura, Y., Banbara, M., Tamura, N.: A competitive
and cooperative approach to propositional satisfiability. Discrete Applied Mathe-
matics 154, 2291–2306 (2006)
12. Nabeshima, H., Soh, T., Inoue, K., Iwanuma, K.: Lemma reusing for SAT based
planning and scheduling. In: Proceedings of the International Conference on Au-
tomated Planning and Scheduling 2006 (ICAPS 2006), pp. 103–112 (2006)
13. Soh, T., Inoue, K., Tamura, N., Banbara, M., Nabeshima, H.: A SAT-based method
for solving the two-dimensional strip packing problem. Journal of Algorithms in
Cognition, Informatics and Logic (2009) (to appear)
14. Tamura, N., Banbara, M.: Sugar: a CSP to SAT translator based on order encoding.
In: Proceedings of the 2nd International CSP Solver Competition, pp. 65–69 (2008)
3
http://www.4c.ucc.ie/~ehebrard/Software.html
4
http://choco.emn.fr
5
http://www.probp.com
 Solving Constraint Satisfaction Problems with SAT Technology 23

15. Tamura, N., Tanjo, T., Banbara, M.: System description of a SAT-based CSP solver
Sugar. In: Proceedings of the 3rd International CSP Solver Competition, pp. 71–75
(2008)
16. Tanjo, T., Tamura, N., Banbara, M.: Sugar++: a SAT-based Max-CSP/COP
solver. In: Proceedings of the 3rd International CSP Solver Competition, pp. 77–82
(2008)
17. Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella,
A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004)
18. Biere, A.: PicoSAT essentials. Journal on Satisfiability, Boolean Modeling and
Computation 4, 75–97 (2008)
 A Church-Style Intermediate Language for MLF

Didier Rémy1 and Boris Yakobowski2

1
INRIA Paris - Rocquencourt
2
CEA, LIST, Laboratoire Sureté des Logiciels,
Boı̂te 94, 91191 Gif-sur-Yvette Cedex, France

Abstract. MLF is a type system that seamlessly merges ML-style im-

plicit but second-class polymorphism with System-F explicit first-class
polymorphism. We present x MLF, a Church-style version of MLF with
full type information that can easily be maintained during reduction. All
parameters of functions are explicitly typed and both type abstraction
and type instantiation are explicit. However, type instantiation in x MLF
is more general than type application in System F. We equip x MLF with
a small-step reduction semantics that allows reduction in any context
and show that this relation is confluent and type preserving. We also
show that both subject reduction and progress hold for weak-reduction
strategies, including call-by-value with the value-restriction.

Introduction
MLF (Le Botlan and Rémy 2003, 2007; Rémy and Yakobowski 2008b) is a type
system that seamlessly merges ML-style implicit but second-class polymor-
phism with System-F explicit first-class polymorphism. This is done by enriching
System-F types. Indeed, System F is not well-suited for partial type inference, as
illustrated by the following example. Assume that a function, say choice, of type
∀ (α) α → α → α and the identity function id, of type ∀ (β) β → β, have been
defined. How can the application choice to id be typed in System F? Should
choice be applied to the type ∀ (β) β → β of the identity that is itself kept
polymorphic? Or should it be applied to the monomorphic type γ → γ, with
the identity being applied to γ (where γ is bound in a type abstraction in front
of the application)? Unfortunately, these alternatives have incompatible types,
respectively (∀ (α) α → α) → (∀ (α) α → α) and ∀ (γ) (γ → γ) → (γ → γ):
none is an instance of the other. Hence, in System F, one is forced to irreversibly
choose between one of the two explicitly typed terms.
However, a type inference system cannot choose between the two, as this would
sacrifice completeness and be somehow arbitrary. This is why MLF enriches types
with instance-bounded polymorphism, which allows to write more expressive
types that factor out in a single type all typechecking alternatives in such cases
as the example of choice. Now, the type ∀ (α  τ ) α → α, which should be
read “α → α where α is any instance of τ ”, can be assigned to choice id, and
the two previous alternatives can be recovered a posteriori by choosing different
instances for α.

M. Blume, N. Kobayashi, and G. Vidal (Eds.): FLOPS 2010, LNCS 6009, pp. 24–39, 2010.

c Springer-Verlag Berlin Heidelberg 2010
 A Church-Style Intermediate Language for MLF 25

Currently, the language MLF comes with a Curry-style version iMLF where no
type information is needed and a type-inference version eMLF that requires par-
tial type information (Le Botlan and Rémy 2007). However, eMLF is not quite in
Church’s style, since a large amount of type information is still implicit and par-
tial type information cannot be easily maintained during reduction. Hence, while
eMLF is a good surface language, it is not a good candidate for use as an internal
language during the compilation process, where some program transformations,
and perhaps some reduction steps, are being performed. This has been a problem
for the adoption of MLF in the Haskell community (Peyton Jones 2003), as the
Haskell compilation chain uses an explicitly-typed internal language.
This is also an obstacle to proving subject reduction, which does not hold
in eMLF. In a way, this is unavoidable in a language with non-trivial partial
type inference. Indeed, type annotations cannot be completely dropped, but
must at least be transformed and reorganized during reduction. Still, one could
expect that eMLF be equipped with reduction rules for type annotations. This
has actually been considered in the original presentation of MLF, but only with
limited success. The reduction kept track of annotation sites during reduction;
this showed, in particular, that no new annotation site needs to be introduced
during reduction. Unfortunately, the exact form of annotations could not be
maintained during reduction, by lack of an appropriate language to describe their
computation. As a result, it has only been shown that some type derivation can
be rebuilt after the reduction of a well-typed program, but without exhibiting
an algorithm to compute them during reduction.
Independently, Rémy and Yakobowski (2008b) have introduced graphic con-
straints, both to simplify the presentation of MLF and to improve its type infer-
ence algorithm. This also lead to a simpler, more expressive definition of MLF.
In this paper, we present x MLF, a Church-style version of MLF that contains
full type information. In fact, type checking becomes a simple and local ver-
ification process—by contrast with type inference in eMLF, which is based on
unification. In x MLF, type abstraction, type instantiation, and all parameters
of functions are explicit, as in System F. However, type instantiation is more
general and more atomic than type application in System F: we use explicit type
instantiation expressions that are proof evidences for the type instance relations.
In addition to the usual β-reduction, we give a series of reduction rules for
simplifying type instantiations. These rules are confluent when allowed in any
context. Moreover, reduction preserves typings, and is sufficient to reduce all
typable expressions to a value when used in either a call-by-value or call-by-name
setting. This establishes the soundness of MLF for a call-by-name semantics for
the first time. Notably, x MLF is a conservative extension of System F.
The paper is organized as follows. We present x MLF, its syntax and its static
and dynamic semantics in §1. We study its main properties, including type
soundness for different evaluations strategies in §2. We discuss possible varia-
tions, as well as related and future works in §3. All proofs are omitted, but can
be found in (Yakobowski 2008, Chapters 14 & 15).
26 D. Rémy and B. Yakobowski

α, β, γ, δ Type variable x, y, z Term variable

τ ::= Type a ::= Term
| α Type variable | x Variable
| τ →τ Arrow type | λ(x : τ ) a Function
| ∀ (α  τ ) τ Quantification | aa Application
| ⊥ Bottom type | Λ(α  τ ) a Type function
φ ::= Instantiation | aφ Instantiation
| τ Bottom | let x = a in a Let-binding
| !α Abstract Γ ::= Environment
| ∀ ( φ) Inside | ∅ Empty
| ∀ (α ) φ Under | Γ, α  τ Type variable
|  ∀-elimination | Γ, x : τ Term variable
|  ∀-introduction
| φ; φ Composition
| ½ Identity

Fig. 1. Grammar of types, instantiations, and terms

1 The Calculus

Types, instantiations, terms, and typing environments. All the syntactic

definitions of x MLF can be found in Figure 1. We assume given a countable
collection of variables ranged over by letters α, β, γ, and δ. As usual, types
include type variables and arrow types. Other type constructors will be added
later—straightforwardly, as the arrow constructor receives no special treatment.
Types also include a bottom type ⊥ that corresponds to the System-F type
∀α.α. Finally, a type may also be a form of bounded quantification ∀ (α  τ ) τ  ,
called flexible quantification, that generalizes the ∀α.τ form of System F and,
intuitively, restricts the variable α to range only over instances of τ . The variable
α is bound in τ  but not in τ . (We may write ∀ (α) τ  when the bound τ is ⊥.)
In Church-style System F, type instantiation inside terms is simply type appli-
cation, of the form a τ . By contrast, type instantiation a φ in x MLF details every
intermediate instantiation step, so that it can be checked locally. Intuitively, the
instantiation φ transforms a type τ into another type τ  that is an instance of
τ . In a way, φ is a witness for the instance relation that holds between τ and
τ  . It is therefore easier to understand instantiations altogether with their static
semantics, which will be explained in the next section.
Terms of x MLF are those of the λ-calculus enriched with let constructs, with
two small differences. Type instantiation a φ generalizes System-F type appli-
cation. Type abstractions are extended with an instance bound τ and written
Λ(α  τ ) a. The type variable α is bound in a, but not in τ . We abbreviate
Λ(α  ⊥) a as Λ(α) a, which simulates the type abstraction Λα. a of System F.
We write ftv(τ ) and ftv(a) the set of type variables that appear free in τ and a.
We identify types, instantiations, and terms up to the renaming of bound
variables. The capture-avoiding substitution of a variable v inside an expression
s by an expression s is written s{v ← s }.
 A Church-Style Intermediate Language for MLF 27

Inst-Under Inst-Abstr
Inst-Bot Γ, α  τ  φ : τ1 ≤ τ2 ατ ∈Γ
Γ τ :⊥≤τ Γ  ∀ (α ) φ : ∀ (α  τ ) τ1 ≤ ∀ (α  τ ) τ2 Γ  !α : τ ≤ α
Inst-Inside Inst-Intro
Γ  φ : τ1 ≤ τ2 α∈/ ftv(τ )
Γ  ∀ ( φ) : ∀ (α  τ1 ) τ ≤ ∀ (α  τ2 ) τ Γ   : τ ≤ ∀ (α  ⊥) τ
Inst-Comp
Γ  φ 1 : τ1 ≤ τ2
Γ  φ2 : τ2 ≤ τ3 Inst-Elim Inst-Id
Γ  φ 1 ; φ 2 : τ1 ≤ τ3  
Γ   : ∀ (α  τ ) τ ≤ τ {α ← τ } Γ ½:τ ≤τ

Fig. 2. Type instance

As usual, type environments assign types to program variables. However, in-

stead of just listing type variables, as is the case in System F, type variables are
also assigned a bound in a binding of the form α  τ . We write dom(Γ ) for the
set of all terms and type variables that are bound by Γ . We also assume that
typing environments are well-formed, i.e. they do not bind twice the same vari-
able and free type variables appearing in a type of the environment Γ must be
bound earlier in Γ . Formally, the empty environment is well-formed and, given
a (well-formed) environment Γ , the relations α  ∈ dom(Γ ) and ftv(τ ) ⊆ dom(Γ )
must hold to form environments Γ, α  τ and Γ, x : τ .

Instantiations. Instantiations φ are defined in Figure 1. Their typing, described

in Figure 2, are type instance judgments of the form Γ φ : τ ≤ τ  , stating
that in environment Γ , the instantiation φ transforms the type τ into the type
τ .
The bottom instantiation τ expresses that (any) type τ is an instance of the
bottom type. The abstract instantiation !α, which assumes that the hypothesis
ατ is in the environment, abstracts the bound τ of α as the type variable α. The
inside instantiation ∀ ( φ) applies φ to the bound τ  of a flexible quantification
∀ (α  τ  ) τ . Conversely, the under instantiation ∀ (α ) φ applies φ to the type
τ under the quantification. The type variable α is bound in φ; the environment
in the premise of the rule Inst-Under is increased accordingly. The quantifier
introduction 1 introduces a fresh trivial quantification ∀ (α⊥). Conversely, the
quantifier elimination  eliminates the bound of a type of the form ∀ (ατ ) τ  by
substituting τ for α in τ  . This amounts to definitely choosing the present bound
τ for α, while the bound before the application could be further instantiated by
some inside instantiation. The composition φ; φ witnesses the transitivity of
type instance, while the identity instantiation ½ witnesses reflexivity.

1
The choice of  is only by symmetry with the elimination form  described next,
and has no connection at all with linear logic.
28 D. Rémy and B. Yakobowski

τ (!α) = α τ  = ∀ (α  ⊥) τ α∈
/ ftv(τ )
⊥ τ = τ (∀ (α  τ ) τ  )  = τ  {α ← τ }
τ ½ = τ (∀ (α  τ ) τ  ) (∀ ( φ)) = ∀ (α  τ φ) τ 
τ (φ1 ; φ2 ) = (τ φ1 ) φ2 (∀ (α  τ ) τ  ) (∀ (α ) φ) = ∀ (α  τ ) (τ  φ)

Fig. 3. Type instantiation (on types)

Example. Let τmin , τcmp , and τand be the types of the parametric minimum and
comparison functions and of the conjunction of boolean formulas:
τmin  ∀ (α  ⊥) α → α → α τcmp  ∀ (α  ⊥) α → α → bool
τand  bool → bool → bool
Let φ be the instantiation ∀ ( bool); . Then, φ : τmin ≤ τand and φ :
τcmp ≤ τand hold. Let τK be the type ∀ (α  ⊥) ∀ (β  ⊥) α → β → α (e.g. of
the λ-term λ(x) λ(y) x) and φ be the instantiation2 ∀ (α ) (∀ ( α); ). Then,
φ : τK ≤ τmin .

Type application. As above, we often instantiate a quantification over ⊥ and

immediately substitute the result. Moreover, this pattern corresponds to the
System-F unique instantiation form. Therefore, we define τ as syntactic sugar
for (∀ ( τ ); ). The instantiations φ and φ can then be abbreviated as bool
and ∀ (α ) α . More generally, we write φ for the computation (∀ ( φ); ).

Properties of instantiations. Since instantiations make all steps in the instance

relation explicit, their typing is deterministic.
Lemma 1. If Γ φ : τ ≤ τ1 and Γ  φ : τ ≤ τ2 , then τ1 = τ2 .
The use of Γ  instead of Γ may be surprising. However, Γ does not contribute
to the instance relation, except in the side condition of rule Inst-Abstr. Hence,
the type instance relation defines a partial function, called type instantiation 3
that, given an instantiation φ and a type τ , returns (if it exists) the unique type
τ φ such that φ : τ ≤ τ φ. An inductive definition of this function is given in
Figure 3. Type instantiation is complete for type instance:
Lemma 2. If Γ φ : τ ≤ τ  , then τ φ = τ  .
However, the fact that τ φ may be defined and equal to τ  does not imply that
Γ φ : τ ≤ τ  holds for some Γ . Indeed, type instantiation does not check the
premise of rule Inst-Abstr. This is intentional, as it avoids parametrizing type
instantiation over the type environment. This means that type instantiation is
not sound in general. This is never a problem, however, since we only use type
instantiation originating from well-typed terms for which there always exists
some context Γ such that Γ φ : τ ≤ τ  .
2
The occurrence of α in the inside instantiation is bound by the under instantiation.
3
There should never be any ambiguity with the operation a φ on expressions; more-
over, both operations have strong similarities.
 A Church-Style Intermediate Language for MLF 29

Var Let App

x:τ ∈Γ Γ a:τ Γ, x : τ  a : τ  Γ  a1 : τ2 → τ 1 Γ  a 2 : τ2
Γ x:τ Γ  let x = a in a : τ  Γ  a 1 a 2 : τ1
Abs TAbs TApp
Γ, x : τ  a : τ  Γ, α  τ   a : τ α∈ / ftv(Γ ) Γ a:τ Γ  φ : τ ≤ τ
Γ  λ(x : τ ) a : τ → τ  Γ  Λ(α  τ  ) a : ∀ (α  τ  ) τ Γ  a φ : τ

Fig. 4. Typing rules for x MLF

We say that types τ and τ  are equivalent in Γ if there exist φ and φ such that
Γ φ : τ ≤ τ  and Γ φ : τ  ≤ τ . Although types of x MLF are syntactically the
same as the types of iMLF—the Curry-style version of MLF (Le Botlan and Rémy
2007)—they are richer, because type equivalence in x MLF is finer than type
equivalence in iMLF, as will be explained in §3.

Typing rules for x MLF. Typing rules are defined in Figure 4. Compared with
System F, the novelties are type abstraction and type instantiation, unsurpris-
ingly. The typing of a type abstraction Λ(α  τ ) a extends the typing environ-
ment with the type variable α bound by τ . The typing of a type instantiation
a φ resembles the typing of a coercion, as it just requires the instantiation φ to
transform the type of a into the type of the result. Of course, it has the full
power of the type application rule of System F. For example, the type instan-
tiation a τ has type τ  {α ← τ } provided the term a has type ∀ (α) τ  . As in
System F, a well-typed closed term has a unique type—in fact, a unique typing
derivation.
A let-binding let x = a1 in a2 cannot entirely be treated as an abstraction for
an immediate application (λ(x : τ1 ) a2 ) a1 because the former does not require a
type annotation on x whereas the latter does. This is nothing new, and the same
as in System F extended with let-bindings. (Notice however that τ1 , which is the
type of a1 , is fully determined by a1 and could be synthesized by a typechecker.)
Example. Let id stand for the identity Λ(α  ⊥) λ(x : α) x and τid for the
type ∀ (α  ⊥) α → α. We have id : τid . The function choice mentioned
in the introduction, may be defined as Λ(β  ⊥) λ(x : β) λ(y : β) x. It has
type ∀ (β  ⊥) β → β → β. The application of choice to id, which we refer to
below as choice id, may be defined as Λ(β  τid ) choice β (id (!β)) and has type
∀ (β  τid ) β → β. The term choice id may also be given weaker types by type
instantiation. For example, choice id  has type (∀ (α  ⊥) α → α) → (∀ (α  ⊥)
α → α) as in System F, while choice id (; ∀ (γ ) (∀ ( γ ); )) has the ML
type ∀ (γ  ⊥) (γ → γ) → γ → γ.
Reduction. The semantics of the calculus is given by a small-step reduction
semantics. We let reduction occur in any context, including under abstractions.
That is, the evaluation contexts are single-hole contexts, given by the grammar:
E ::= [ · ] | E φ | λ(x : τ ) E | Λ(α  τ ) E
| E a | a E | let x = E in a | let x = a in E
30 D. Rémy and B. Yakobowski

(λ(x : τ ) a1 ) a2 −→ a1 {x ← a2 } (β)
let x = a2 in a1 −→ a1 {x ← a2 } (βlet )
a½ −→ a (ι-Id)
a (φ; φ ) −→ a φ (φ ) (ι-Seq)
a −→ Λ(α  ⊥) a α∈
/ ftv(a) (ι-Intro)
(Λ(α  τ ) a)  −→ a{!α ← ½}{α ← τ } (ι-Elim)
(Λ(α  τ ) a) (∀ (α ) φ) −→ Λ(α  τ ) (a φ) (ι-Under)
(Λ(α  τ ) a) (∀ ( φ)) −→ Λ(α  τ φ) a{!α ← φ; !α} (ι-Inside)
E[a] −→ E[a ] if a −→ a (Context)

Fig. 5. Reduction rules

The reduction rules are described in Figure 5. As usual, basic reduction steps
contain β-reduction, with the two variants (β) and (βlet ). Other basic reduc-
tion rules, related to the reduction of type instantiations and called ι-steps, are
described below. The one-step reduction is closed under the context rule. We
write −→β and −→ι for the two subrelations of −→ that contains only Con-
text and β-steps or ι-step, respectively. Finally, the reduction is the reflexive
and transitive closure −→ → of the one-step reduction relation.

Reduction of type instantiation. Type instantiation redexes are all of the form
a φ. The first three rules do not constrain the form of a. The identity type
instantiation is just dropped (Rule ι-Id). A type instantiation composition is
replaced by the successive corresponding type instantiations (Rule ι-Seq). Rule
ι-Intro introduces a new type abstraction in front of a; we assume that the
bound variable α is fresh in a. The other three rules require the type instantiation
to be applied to a type abstraction Λ(α  τ ) a. Rule ι-Under propagates the
type instantiation under the bound, inside the body a. By contrast, Rule ι-
Inside propagates the type instantiation φ inside the bound, replacing τ by τ φ.
However, as the bound of α has changed, the domain of the type instantiations
!α is no more τ , but τ φ. Hence, in order to maintain well-typedness, all the
occurrences of the instantiation !α in a must be simultaneously replaced by
the instantiation (φ; !α). Here, the instantiation !α is seen as atomic, i.e. all
occurrences of !α are substituted, but other occurrences of α are left unchanged
(see the appendix for the formal definition). For instance, if a is the term
Λ(α  τ ) λ(x : α → α) λ(y : ⊥) y (α → α) (z (!α))
then, the type instantiation a (∀ ( φ)) reduces to:
Λ(α  τ φ) λ(x : α → α) λ(y : ⊥) y (α → α) (z (φ; !α))
Rule ι-Elim eliminates the type abstraction, replacing all the occurrences of α
inside a by the bound τ . All the occurrences of !α inside τ (used to instantiate τ
into α) become vacuous and must be replaced by the identity instantiation. For
example, reusing the term a above, a  reduces to λ(x : τ → τ ) λ(y : ⊥) y (τ →
τ ) (z ½). Notice that type instantiations a τ and a (!α) are irreducible.
 A Church-Style Intermediate Language for MLF 31

Examples of reduction. Let us reuse the term choice id defined in §1 as

Λ(β  τid ) choice β (id (!β)). Remember that τ stands for the System-F
type application τ and expands to (∀ ( τ ); ). Therefore, the type instantia-
tion choice β reduces to the term λ(x : β) λ(y : β) x by ι-Seq, ι-Inside and
ι-Elim. Hence, the term choice id reduces by these rules, Context, and (β) to
the expression Λ(β  τid ) λ(y : β) id (!β).
Below are three specialized versions of choice id (remember that ∀ (α) τ and
Λ(α) a are abbreviations for ∀ (α  ⊥) τ and Λ(α  ⊥) a). Here, all type instan-
tiations are eliminated by reduction, but this is not always possible in general.
choice id int : (int → int) → (int → int)
−→
→ λ(y : int → int) (λ(x : int) x)
choice id  : (∀ (α) α → α) → (∀ (α) α → α)
−→
→ λ(y : ∀ (α) α → α) (Λ(α) λ(x : α) x)
choice id (; ∀ (γ ) (∀ ( γ ); )) : ∀ (γ) (γ → γ) → (γ → γ)
−→
→ Λ(γ) λ(y : γ → γ) (λ(x : γ) x)

System F as a subsystem of x MLF. System F can be seen as a subset of

x MLF, using the following syntactic restrictions: all quantifications are of the
form ∀ (α) τ and ⊥ is not a valid type anymore (however, as in System F, ∀ (α) α
is); all type abstractions are of the form Λ(α) a; and all type instantiations are
of the form a τ .
The derived typing rule for Λ(α) a and a τ are exactly the System-F typ-
ing rules for type abstraction and type application. Hence, typechecking in this
restriction of x MLF corresponds to typechecking in System F.
Moreover, the reduction in this restriction also corresponds to reduction
in System F. Indeed, a reducible type application is necessarily of the form
(Λ(α) a) τ and can always be reduced to a{α ← τ } as follows:
(Λ(α) a) τ = (Λ(α  ⊥) a) (∀ ( τ ); ) (1)
−→ (Λ(α  ⊥) a) (∀ ( τ )) () (2)
−→ (Λ(α  ⊥τ ) a{!α ← τ ; !α}) () = (Λ(α  τ ) a) () (3)
−→ a{!α ← ½}{α ← τ } = a{α ← τ } (4)
Step (1) is by definition; step (2) is by ι-Seq; step (3) is by ι-Inside, step (4)
is by ι-Elim and equality steps (3) and (4) are by type instantiation and by
assumption as a is a term of System F, thus in which !α does not appear.

2 Properties of Reduction
The reduction has been defined so that the type erasure of a reduction sequence
in x MLF is a reduction sequence in the untyped λ-calculus. Formally, the type
erasure of a term a of x MLF is the untyped λ-term a defined inductively by
x = x let x = a1 in a2  = let x = a1  in a2 
a φ = a λ(x : τ ) a = λ(x) a
a1 a2  = a1  a2  Λ(α  τ ) a = a
32 D. Rémy and B. Yakobowski

It is immediate to verify that two terms related by ι-reduction have the same
type erasure. Moreover, if a β-reduces to a , then the type erasure of a β-reduces
to the type erasure of a in one step in the untyped λ-calculus.

2.1 Subject Reduction

Reduction of x MLF, which can occur in any context, preserves typings. This relies
on weakening and substitution lemmas for both instance and typing judgments.

Lemma 3 (Weakening). Let Γ, Γ  , Γ  be a well-formed environment.

If Γ, Γ  φ : τ1 ≤ τ2 , then Γ, Γ  , Γ  φ : τ1 ≤ τ2 .
If Γ, Γ  a : τ  , then Γ, Γ  , Γ  a : τ  .
Lemma 4 (Term substitution). Assume that Γ a : τ  holds.
If Γ, x : τ  , Γ  φ : τ1 ≤ τ2 then Γ, Γ  φ : τ1 ≤ τ2 .
If Γ, x : τ  , Γ  a : τ , then Γ, Γ  a{x ← a } : τ
The next lemma, which expresses that we can substitute an instance bound
inside judgments, ensures the correctness of Rule ι-Elim.
Lemma 5 (Bound substitution). Let ϕ and θ be respectively the substi-
tutions {α ← τ } and {!α ← ½}{α ← τ }.
If Γ, α  τ, Γ  φ : τ1 ≤ τ2 then Γ, Γ  ϕ φθ : τ1 ϕ ≤ τ2 ϕ.
If Γ, α  τ , Γ  a : τ  then Γ, Γ  ϕ aθ : τ  ϕ.
Finally, the following lemma ensures that an instance bound can be instantiated,
proving in turn the correctness of the rule ι-Inside.
Lemma 6 (Narrowing). Assume Γ φ : τ ≤ τ  . Let θ be {!α ← φ; !α}.
If Γ, α  τ , Γ  φ : τ1 ≤ τ2 then Γ, α  τ  , Γ  φ θ : τ1 ≤ τ2 .
If Γ, α  τ, Γ  a : τ  then Γ, α  τ  , Γ  aθ : τ 
Subject reduction is an easy consequence of all these results.
Theorem 1 (Subject reduction). If Γ a : τ and a −→ a then, Γ a : τ .

2.2 Confluence
Theorem 2. The relation −→β is confluent. The relations −→ι and −→ are
confluent on the terms well-typed in some context.

This result is proved using the standard technique of parallel reductions

(Barendregt 1984). Thus β-reduction and ι-reduction are independent; this al-
lows for instance to perform ι-reductions under λ-abstractions as far as possible
while keeping a weak evaluation strategy for β-reduction.
The restriction to well-typed terms for the confluence of ι-reduction is due to
two things. First, the rule ι-Inside is not applicable to ill-typed terms in which
τ φ cannot be computed (for example (Λ(α  int) a) (∀ ( ))). Second, τ φ can
 A Church-Style Intermediate Language for MLF 33

sometimes be computed, even though Γ φ : τ ≤ τ  never holds (for example

if φ is !α and τ is not the bound of α in Γ ). Hence, type errors may be either
revealed or silently reduced and perhaps eliminated, depending on the reduction
path. As an example, let a be the term
  
Λ(α  ∀ (γ) γ) (Λ(β  int) x) (∀ ( !α)) (∀ ( ))
 
We
 have both a −→ Λ(α 
 ⊥) (Λ(β  int) x) (∀ ( ; !α)) −→, and a −→

Λ(α  ∀ (γ) γ) Λ(β  α) x (∀ ( )) −→ Λ(α  ⊥) Λ(β  α) x  −→.
The fact that ill-typed terms may not be confluent is not new: for instance,
this is already the case with η-reduction in System F. We believe this is not
a serious issue. In practice, this means that typechecking should be performed
before any program simplification, which is usually the case anyway.

2.3 Strong Normalization

We conjecture, but have not proved, that all reduction sequences are finite.

2.4 Accommodating Weak Reduction Strategies and Constants

In order to show that the calculus may also be used as the core of a programming
language, we now introduce constants and restricts the semantics to a weak
evaluation strategy.
We let the letter c range over constants. Each constant comes with its arity |c|.
The dynamic semantics of constants must be provided by primitive reduction
rules, called δ-rules. However, these are usually of a certain form. To characterize
δ-rules (and values), we partition constants into constructors and primitives,
ranged over by letters C and f , respectively. The difference between the two lies
in their semantics: primitives (such as +) are reduced when fully applied, while
constructors (such as cons) are irreducible and typically eliminated when passed
as argument to primitives.
In order to classify constructed values, we assume given a collection of type
constructors κ, together with their arities |κ|. We extend types with constructed
types κ (τ1 , . . . τ|κ| ). We write α for a sequence of variables α1 , . . . αk and ∀ (α) τ
for the type ∀ (α1 ) . . . ∀ (αk ) τ . The static semantics of constants is given by
an initial typing environment Γ0 that assigns to every constant c a type τ of
the form ∀ (α) τ1 → . . . τn → τ0 , where τ0 is a constructed type whenever the
constant c is a constructor.
We distinguish a subset of terms, called values and written v. Values are term
abstractions, type abstractions, full or partial applications of constructors, or
partial applications of primitives. We use an auxiliary letter w to character-
ize the arguments of functions, which differ for call-by-value and call-by-name
strategies. In values, an application of a constant c can involve a series of type
instantiations, but only evaluated ones and placed before all other arguments.
Moreover, the application may only be partial whenever c is a primitive. Eval-
uated instantiations θ may be quantifier eliminations or either inside or under
34 D. Rémy and B. Yakobowski

(general) instantiations. In particular, a τ and a (!α) are never values. The gram-
mar for values and evaluated instantiations is as follows:
v ::= λ(x : τ ) a
| Λ(α : τ ) a
| C θ1 . . . θk w1 . . . wn n ≤ |C|
| f θ1 . . . θk w1 . . . wn n < |f |
θ ::= ∀ ( φ) | ∀ (α ) φ | 
Finally, we assume that δ-rules are of the form f θ1 . . . θk w1 . . . w|f | −→f a (that
is, δ-rules may only reduce fully applied primitives).
In addition to this general setting, we make further assumptions to relate the
static and dynamic semantics of constants.
Subject reduction: δ-reduction preserves typings, i.e., for any typing context
Γ such that Γ a : τ and a −→f a , the judgment Γ a : τ holds.
Progress: Well-typed, full applications of primitives can be reduced, i.e., for
any term a of the form f θ1 . . . θk w1 . . . wn verifying Γ0 a : τ , there
exists a term a such that a −→f a .

Call-by-value reduction. We now specialize the previous framework to a

call-by-value semantics. In this case, arguments of applications in values are
themselves restricted to values, i.e. w is taken equal to v. Rules (β) and (βlet )
are limited to the substitution of values, that is, to reductions of the form (λ(x :
τ ) a) v −→ a{x ← v} and let x = v in a −→ a{x ← v}. Rules ι-Id, ι-Comp and
ι-Intro are also restricted so that they only apply to values (e.g. a is textually
replaced by v in each of these rules). Finally, we restrict rule Context to call-
by-value contexts, which are of the form
Ev ::= [ · ] | Ev a | v Ev | Ev φ | let x = Ev in a
We write −→ →v the resulting reduction relation. It follows from the above restric-
tions that the reduction is deterministic. Moreover, since δ-reduction preserves
typings, by asumption, the relation −→ →v also preserves typings by Theorem 1.
Progress holds for call-by-value. In combination with subject-reduction, this
ensures that the evaluation of well-typed terms “cannot go wrong”.
Theorem 3. If Γ0 →v a for some a .
a : τ , then either a is a value or a −→

Call-by-value reduction and the value restriction. The value-restriction is

the most standard way to add side effects in a call-by-value language. It is thus
important to verify that it can be transposed to x MLF.
Typically, the value restriction amounts to restricting type generalization to
non-expansive expressions, which contain at least value-forms, i.e. values and
term variables, as well as their type-instantiations. Hence, we obtain the following
revised grammar for expansive expressions b and for non-expansive expressions u.
b ::= u | b b | let x = u in b
u ::= x | λ(x : τ ) b | Λ(α : τ ) u | u φ
| C θ1 . . . θk u 1 . . . u n n ≤ |C|
| f θ 1 . . . θk u 1 . . . u n n < |f |
 A Church-Style Intermediate Language for MLF 35

As usual, we restrict let-bound expressions to be non-expansive, since they im-

plicitly contain a type generalization. Notice that, although type instantiations
are restricted to non-expansive expressions, this is not a limitation: b φ can al-
ways be written as (λ(x : τ ) x φ) b, where τ is the type of a, and similarly for
applications of constants to expansive expressions.
Theorem 4. Expansive and non-expansive expressions are closed by call-by-
value reduction.

Corollary 1. Subject reduction holds with the value restriction.

It is then routine work to extend the semantics with a global store to model side
effects and verify type soundness for this extension.

Call-by-name reduction. For call-by-name reduction semantics, we can ac-

tually increase the set of values, which may contain applications of constants to
arbitrary expressions; that is, we take a for w. The ι-reduction is restricted as
for call-by-value. However, evaluation contexts are now En ::= [ · ] | En a | En φ.
We write −→ →n the resulting reduction relation. As for call-by-value, it is deter-
ministic by definition and preserves typings. It may also always progress.
Theorem 5. If Γ0 →n a for some a .
a : τ , then either a is a value or a −→

3 Discussion

Elaboration of graphical eMLF into x MLF. To verify that, as expected,

x MLF can be used as an internal language for eMLF, we have exhibited a type-
preserving type-erasure-preserving translation from eMLF to x MLF. Technically,
this translation is based on the presolutions of type inference problems in the
graphic constraint framework of MLF. An important corollary is the type sound-
ness of eMLF—in its most expressive4 version (Rémy and Yakobowski 2008b).
By lack of space, this translation is however not presented in this paper, but can
be found in (Rémy and Yakobowski 2008a). We also expect that x MLF could be
used as an internal language for HML, another less expressive but simpler surface
language for iMLF that has been recently proposed (Leijen 2009).

Expressiveness of x MLF. The translation of eMLF into x MLF shows that x MLF
is at least as expressive as eMLF. However, and perhaps surprisingly, the converse
is not true. That is, there exist programs of x MLF that cannot be typed in MLF.
While, this is mostly irrelevant when using MLF as an internal language for eMLF,
the question is still interesting from a theoretical point of view, as understanding
x MLF on its own, i.e. independently of the type inference constraints of eMLF,
could perhaps suggest other useful extensions of x MLF.
4
So far, type-soundness has only been proved for the original, but slightly
weaker variant of MLF (Le Botlan 2004) and for the shallow, recast version of
MLF (Le Botlan and Rémy 2007).
36 D. Rémy and B. Yakobowski

For the sake of simplicity, we explain the difference between x MLF and iMLF,
the Curry-style version of MLF (which has the same expressiveness as eMLF).
Although syntactically identical, the types of x MLF and of syntactic iMLF differ
in their interpretation of alias bounds, i.e. quantifications of the form ∀ (β α) τ .
Consider, for example, the two types τ0 and τid defined as ∀ (ατ ) ∀ (β α) β →
α and ∀ (α τ ) α → α. In iMLF, alias bounds can be expanded and τ0 and τid are
equivalent. Roughly, the set of their instances (stripped of toplevel quantifiers)
is {τ  → τ  | τ ≤ τ  }. In contrast, the set of instances of τ0 is larger in x MLF and
at least a superset of {τ  → τ  | τ ≤ τ  ≤ τ  }. This level of generality cannot
be expressed in iMLF.
The current treatment of alias bounds in x MLF is quite natural in a Church-
style presentation. Surprisingly, it is also simpler than treating them as in eMLF.
A restriction of x MLF without alias bounds that is closed under reduction and in
closer correspondence with iMLF can still be defined a posteriori, by constraining
the formation of terms, but the definition is contrived and unnatural. Instead of
restricting x MLF to match the expressiveness of iMLF, a question worth further
investigation is whether the treatment of alias bounds could be enhanced in
iMLF and eMLF to match the one in x MLF without compromising type inference.

Related works. A strong difference between eMLF and x MLF is the use of ex-
plicit coercions to trace the derivation of type instantiation judgments. A similar
approach has already been used in a language with subtyping and intersection
types, proposed as a target for the compilation of bounded polymorphism (Crary
2000). In both cases, coercions are used to make typechecking a trivial process.
In our case, they are also exploited to make subject reduction easy—by introduc-
ing the language to describe how type instance derivations must be transformed
during reduction. (We believe that the use of explicit coercions for simplifying
subject-reduction proofs has been neglected.) In both approaches, reduction is
split into a standard notion of β-reduction and a new form of reduction (which
we call ι-reduction) that only deals with coercions, preserves type-erasures, and
is (conjectured to be) strongly normalizing. There are also important differ-
ences. While both coercion languages have common forms, our coercions intend-
edly keep the instance-bounded polymorphism form ∀ (α  τ ) τ  . On the oppo-
site, coercions are used to eliminate the subtype-bounded polymorphism form
∀ (α ≤ τ ) τ  in (Crary 2000), using intersection types and contravariant arrow
coercions instead, which we do not need. It would be worth checking whether
union types, which are propsoed as an extension in (Crary 2000), could be used
to encode away our instance-bounded polymorphism form.
Besides this work and the several papers that describe variants of MLF, there
are actually few other related works. Both Leijen and Löh (2005) and Leijen
(2007) have studied the extension of MLF with qualified types, and as a subcase,
the translation of MLF without qualified types into System F. However, in order
to handle type instantiations, a term a of type ∀ (α  τ  ) τ is elaborated as a
function of type ∀ (α) (τ → α) → τ , where τ is a runtime representation of τ .
The first argument is a runtime coercion, which bears strong similarities with
our instantiations. However, an important difference is that their coercions are at
 A Church-Style Intermediate Language for MLF 37

the level of terms, while our instantiations are at the level of types. In particular,
although coercion functions should not change the semantics, this critical result
has not been proved so far, while in our settings the type-erasure semantics
comes for free by construction. The impact of coercion functions in a call-by-
value language with side effects is also unclear. Perhaps, a closer connection
between their coercion functions and our instantiations could be established and
used to actually prove that their coercions do not alter the semantics. However,
even if such a result could be proved, coercions should preferably remain at the
type level, as in our setting, than be intermixed with terms, as in their proposal.

Future works. The demand for an internal language for MLF was first made
in the context of using the eMLF type system for the Haskell language. We
expect x MLF to better accommodate qualified types than eMLF since no evidence
function would be needed for flexible polymorphism, but it remains to be verified.
Type instantiation, which changes the type of an expression without changing
its meaning, goes far beyond type application in System F and resembles retyping
functions in System Fη —the closure of F by η-conversion (Mitchell 1988). Those
functions can be seen either at the level of terms, as expressions of System F
that βη-reduces to the identity, or at the level of types as a type conversion.
Some loose parallel can be made between the encoding of MLF in System F
by Leijen and Löh (2005) which uses term-level coercions, and x MLF which uses
type-level instantiations. Additionally, perhaps Fη could be extended with a
form of abstraction over retyping functions, much as type abstraction ∀ (α  τ )
in x MLF amounts to abstracting over the instantiation !α of type τ → α. (Or
perhaps, as suggested by the work of Crary (2000), intersection and union types
could be added to Fη to avoid the need for abstracting over coercion functions.)
Regarding type soundness, it is also worth noticing that the proof of subject
reduction in x MLF does not subsume, but complements, the one in the original
presentation of MLF. The latter does not explain how to transform type annota-
tions, but shows that annotation sites need not be introduced (only transformed)
during reduction. Because x MLF has full type information, it cannot say anything
about type information that could be left implicit and inferred. Given a term in
x MLF, can we rebuild a term in iMLF with minimal type annotations? While this
should be easy if we require that corresponding subterms have identical types in
x MLF and iMLF, the answer is unclear if we allow subterms to have different types.
The semantics of x MLF allows reduction (and elimination) of type instan-
tiations a φ through ι-reduction but does not operate reduction (and simpli-
fication) of instantiations φ alone. It would be possible to define a notion of
reduction on instantiations φ −→ φ (such that, for instance, ∀ ( φ1 ; φ2 ) −→
∀ ( φ1 ); ∀ ( φ2 ), or conversely?) and extend the reduction of terms with a con-
text rule a φ −→ a φ whenever φ −→ φ . This might be interesting for more
economical representations of instantiation. However, it is unclear whether there
exists an interesting form of reduction that is both Church-Rosser and large
enough for optimization purposes. Perhaps, one should rather consider instanti-
ation transformations that preserve observational equivalence, which would leave
more freedom in the way one instantiation could be replaced by another.
38 D. Rémy and B. Yakobowski

Extending x MLF to allow higher-order polymorphism is another interesting

research direction for the future. Such an extension is already under investigation
for the type inference version eMLF (Herms 2009).

Conclusion. We have completed the MLF trilogy by introducing the Church-

style version x MLF, that was still desperately missing for type-aware compilation
and from a theoretical point of view. The original type-inference version eMLF,
which requires partial type annotations but does not tell how to track them dur-
ing reduction, now lies between the Curry-style presentation iMLF that ignores
all type information and x MLF that maintains it during reduction. We have
shown that x MLF is well-behaved: reduction preserves well-typedness, and the
calculus is sound for both call-by-value and call-by-name semantics.
Hence, x MLF can be used as an internal language for MLF, with either call-by-
value or call-by-name semantics, and also for the many restrictions of MLF that
have been proposed, including HML. Indeed, the translation of partially typed
eMLF programs into fully typed x MLF ones, presented in (Rémy and Yakobowski
2008a), preserves well-typedness and the type erasure of terms, and therefore
ensures the type soundness of eMLF. Hopefully, this will help the adoption of
MLF and maintain a powerful form of type inference in modern programming
languages that will necessarily feature first-class polymorphism.
Independently, the idea of enriching type applications to richer forms of type
transformations might also be useful in other contexts.

References
Barendregt, H.P.: The Lambda Calculus: Its Syntax and Semantics. North-Holland,
Amsterdam (1984), ISBN: 0-444-86748-1
Crary, K.: Typed compilation of inclusive subtyping. In: ICFP 2000: Proceedings of
the fifth ACM SIGPLAN international conference on Functional programming, pp.
68–81. ACM, New York (2000)
Herms, P.: Partial Type Inference with Higher-Order Types. Master’s thesis, University
of Pisa and INRIA (2009) (to appear)
Le Botlan, D.: MLF: An extension of ML with second-order polymorphism and implicit
instantiation. PhD thesis, Ecole Polytechnique (June 2004) (english version)
Le Botlan, D., Rémy, D.: MLF: Raising ML to the power of System-F. In: Proceedings
of the Eighth ACM SIGPLAN International Conference on Functional Programming,
August 2003, pp. 27–38 (2003)
Le Botlan, D., Rémy, D.: Recasting MLF. Research Report 6228, INRIA, Rocquen-
court, BP 105, 78 153 Le Chesnay Cedex, France (June 2007)
Leijen, D.: A type directed translation of MLF to System F. In: The International
Conference on Functional Programming (ICFP 2007). ACM Press, New York (2007)
Leijen, D.: Flexible types: robust type inference for first-class polymorphism. In: Pro-
ceedings of the 36th annual ACM Symposium on Principles of Programming Lan-
guages (POPL 2009), pp. 66–77. ACM, New York (2009)
Leijen, D., Löh, A.: Qualified types for MLF. In: ICFP 2005: Proceedings of the tenth
ACM SIGPLAN international conference on Functional programming, pp. 144–155.
ACM Press, New York (2005)
 A Church-Style Intermediate Language for MLF 39

Mitchell, J.C.: Polymorphic type inference and containment. Information and Compu-
tation 2/3(76), 211–249 (1988)
Jones, S.P.: Haskell 98 Language and Libraries: The Revised Report. Cambridge Uni-
versity Press, Cambridge (2003), ISBN: 0521826144
Rémy, D., Yakobowski, B.: A church-style intermediate language for MLF (extended
version) (September 2008a),
http://gallium.inria.fr/~ remy/mlf/xmlf.pdf
Rémy, D., Yakobowski, B.: From ML to MLF: Graphic type constraints with efficient
type inference. In: The 13th ACM SIGPLAN International Conference on Func-
tional Programming (ICFP 2008), Victoria, BC, Canada, September 2008, pp. 63–74
(2008b)
Yakobowski, B.: Graphical types and constraints: second-order polymorphism and in-
ference. PhD thesis, University of Paris 7 (December 2008)

A Appendix: Definition of a{!α0 ← φ0 }

Formally, a θ where θ is {!α0 ← φ0 } is defined recursively as follows (we assume
α = α0 ). The interesting lines are the two first ones of the second column; other
lines are just lifting the substitution from the leaves to types, type instantiations,
and terms in the usual way.

Types Type instantiations

τθ=τ !α θ = !α
Terms !α0 θ = φ0
xθ =x (τ ) θ = (τ θ)
(a1 a1 ) θ = (a1 θ) (a1 θ) (∀ ( φ)) θ = ∀ ( φ θ)
(a φ) θ = a (φ θ) (∀ (α ) φ) θ = ∀ (α ) (φ θ)
(λ(x : τ ) a) θ = λ(x : τ θ) a θ (φ; φ ) θ = (φ θ); (φ θ)
(Λ(α  τ ) a) θ = Λ(α : τ θ) a θ θ = 
θ = 
½θ = ½
 ΠΣ: Dependent Types without the Sugar

Thorsten Altenkirch1 , Nils Anders Danielsson1 ,

Andres Löh2 , and Nicolas Oury3
1
School of Computer Science, University of Nottingham
2
Institute of Information and Computing Sciences, Utrecht University
3
Division of Informatics, University of Edinburgh

Abstract. The recent success of languages like Agda and Coq demon-
strates the potential of using dependent types for programming. These
systems rely on many high-level features like datatype definitions, pat-
tern matching and implicit arguments to facilitate the use of the lan-
guages. However, these features complicate the metatheoretical study
and are a potential source of bugs.
To address these issues we introduce ΠΣ, a dependently typed core
language. It is small enough for metatheoretical study and the type
checker is small enough to be formally verified. In this language there is
only one mechanism for recursion—used for types, functions and infinite
objects—and an explicit mechanism to control unfolding, based on lifted
types. Furthermore structural equality is used consistently for values and
types; this is achieved by a new notion of α-equality for recursive defini-
tions. We show, by translating several high-level constructions, that ΠΣ
is suitable as a core language for dependently typed programming.

1 Introduction
Dependent types offer programmers a flexible path towards formally verified pro-
grams and, at the same time, opportunities for increased productivity through
new ways of structuring programs (Altenkirch et al. 2005). Dependently typed
programming languages like Agda (Norell 2007) are gaining in popularity, and
dependently typed programming is also becoming more popular in the Coq com-
munity (Coq Development Team 2009), for instance through the use of some re-
cent extensions (Sozeau 2008). An alternative to moving to full-blown dependent
types as present in Agda and Coq is to add dependently typed features without
giving up a traditional view of the distinction between values and types. This
is exemplified by the presence of GADTs in Haskell, and by more experimental
systems like Ωmega (Sheard 2005), ATS (Cui et al. 2005), and the Strathclyde
Haskell Enhancement (McBride 2009).
Dependently typed languages tend to offer a number of high-level features for
reducing the complexity of programming in such a rich type discipline, and at
the same time improve the readability of the code. These features include:
Datatype definitions. A convenient syntax for defining dependently typed
families inductively and/or coinductively.

M. Blume, N. Kobayashi, and G. Vidal (Eds.): FLOPS 2010, LNCS 6009, pp. 40–55, 2010.

c Springer-Verlag Berlin Heidelberg 2010
 ΠΣ: Dependent Types without the Sugar 41

Pattern matching. Agda offers a very powerful mechanism for dependently

typed pattern matching. To some degree this can be emulated in Coq by
using Sozeau’s new tactic Program (2008).
Hidden parameters. In dependently typed programs datatypes are often in-
dexed. The indices can often be inferred using unification, which means that
the programmer does not have to read or write them. This provides an al-
ternative to polymorphic type inference à la Hindley-Milner.

These features, while important for the usability of dependently typed languages,
complicate the metatheoretic study and can be the source of subtle bugs in the
type checker. To address such problems, we can use a core language which is
small enough to allow metatheoretic study. A verified type checker for the core
language can also provide a trusted core in the implementation of a full language.
Coq makes use of a core language, the Calculus of (Co)Inductive Constructions
(CCIC, Giménez 1996). However, this calculus is quite complex: it includes the
schemes for strictly positive datatype definitions and the accompanying recursion
principles. Furthermore it is unclear whether some of the advanced features of
Agda, such as dependently typed pattern matching, the flexible use of mixed
induction/coinduction, and induction-recursion, can be easily translated into
CCIC or a similar calculus. (One can argue that a core language is less useful if
the translation from the full language is difficult to understand.)
In the present paper we suggest a different approach: we propose a core lan-
guage that is designed in such a way that we can easily translate the high-level
features mentioned above; on the other hand, we postpone the question of to-
tality. Totality is important for dependently typed programs, partly because
non-terminating proofs are not very useful, and partly for reasons of efficiency:
if a certain type has at most one total value, then total code of that type does not
need to be run at all. However, we believe that it can be beneficial to separate
the verification of totality from the functional specification of the code. A future
version of our core language may have support for independent certificates of to-
tality (and the related notions of positivity and stratification); such certificates
could be produced manually, or through the use of a termination checker.
The core language proposed in this paper is called ΠΣ and is based on a small
collection of basic features:1

– Dependent function types (Π-types) and dependent product types (Σ-types).

– A (very) impredicative universe of types with Type : Type.
– Finite sets (enumerations) using reusable and scopeless labels.
– A general mechanism for mutual recursion, allowing the encoding of ad-
vanced concepts such as induction-recursion.
– Lifted types, which are used to control recursion. These types offer a conve-
nient way to represent mixed inductive/coinductive definitions.
– A definitional equality which is structural for all definitions, whether types or
programs, enabled by a novel definition of α-equality for recursive definitions.
1
The present version is a simplification of a previous implementation, described in an
unpublished draft (Altenkirch and Oury 2008).
Random documents with unrelated
content Scribd suggests to you:
WALK ON THE WILD SIDE.

THE WARRIOR EMPRESS.

WATCHA WATCHIN'?

WATER SPORTS CHAMPS.

A WEEKEND WITH LULU.

WE'LL BURY YOU!

WHERE ANGELS GO TROUBLE FOLLOWS.

WHO WAS THAT LADY?

WHO'S MINDING THE MINT.

THE WILD WESTERNERS.

WINTER A-GO-GO.

WOLF HOUNDED.

WOLF IN SHEEP DOG'S CLOTHING.

WONDERFUL AFRICA.

WONDERFUL AUSTRIA.

WONDERFUL BEAULIEU.

WONDERFUL CARIBBEAN.

WONDERFUL GREECE.
WONDERFUL HONG KONG.

WONDERFUL ISRAEL.

WONDERFUL NEW YORK.

WONDERFUL SARDINIA.

WONDERFUL SCOTLAND.

WONDERFUL SWITZERLAND.

WONDERS OF ARKANSAS.

WONDERS OF DALLAS.

WONDERS OF KENTUCKY.

WONDERS OF MIAMI BEACH.

WONDERS OF ONTARIO.

WONDERS OF PHILADELPHIA.

WORLD WITHOUT SUN.

THE WRECKING CREW.

THE WRONG BOX.

YOU MUST BE JOKING.

THE YOUNG AMERICANS.

ZOO IS COMPANY.
 ZOTZ!

Columbia Pictures Industries, Inc.

CASTLE KEEP.

Columbia University Press.

ALBERTO GIACOMETTI.

EERO SAARINEN, ARCHITECT.

ERIC BENTLEY.

HIDE AND SEEK.

TWELVE DANCING PRINCESSES.

Columbia University Press. Center for

Mass Communication.

ONE DAY A WEEK.

SMOKE, ANYONE?

Columbia World of Sports.

RASSLIN' CHAMPS.

SWINGING DOWN THE LANES.

Columbus (Ohio) Dental Society. Women's

Auxiliary.

SONNY'S LUCKY DREAM.

Columbus Productions, Inc.

LENNY BRUCE.

Comedic Productions, Inc.

THE SMOTHERS BROTHERS COMEDY HOUR.

Comet Rice Mills, Inc.

COMET RICE TELEVISION COMMERCIALS.

THE COMET RICE 20 DAY-20 POUND, NO

HUNGER DIET, TV COMMERCIAL.

Commager, Henry Steele.

OUR SCHOOLS HAVE KEPT US FREE.

Commercial & Industrial Division, Westinghouse

Learning Corp. SEE Westinghouse
Learning Corp. Commercial &
Industrial Division.

Committee for Scientific Communication

in Dermatology, Washington, D.C.

COCCIDIOIDOMYCOSIS.

CREEPING ERUPTION.

CUTANEOUS VASCULAR PHENOMENON ASSOCIATED

WITH FUNCTIONING.

DEMODEX FOLLICULORUM.
DERMATOSES OCCURRING MAINLY IN
JAPANESE.

DISSEMINATED ANERGIC LEISHMANIASIS.

EARLY CUTANEOUS LEISHMANIASIS.

GENERALIZED KERATOACANTHOMA.

GIANT LICHENIFICATION.

HYDROA VACCINIFORME WITH REACTIVE

PORPHYRINURIA, DWARFISM, PROGRESSIVE
FEEBLE-MINDEDNESS, & CENTRAL NERVOUS
ABNORMALITIES.

ICHTHYOSIS LINEARIS CIRCUMFLEXA.

KERATODERMIA PALMARIS ET PLANTARIS.

LATE CUTANEOUS LEISHMANIASIS.

MAL DE MELEDA.

MALIGNANT ATROPHYING PAPULOSIS.

MYELOMATOSIS WITH CUTANEOUS MANIFESTATIONS.

NORTH AMERICAN BLASTOMYCOSIS TREATED

WITH AMPHOTERICIN B.

ONCHOCERCIASIS.

PEUTZ-JEGHERS' SYNDROME.

PRETIBIAL MYXOEDEMA WITH ACROPACHY.

 RHINOSCLEROMA.

SILICA GRANULOMA.

SUBCORNEAL PUSTULAR DERMATOSIS.

TUBERCULOSIS CUTIS LUPOSA.

URTICARIA PIGMENTOSA.

Commonwealth Edison Co.

THE WORLD OF ANDREW WYETH.

Commonwealth United Corp.

CERVANTES.

Commonwealth United Entertainment.

A FACE OF WAR.

Commonwealth United Entertainment, Inc.

THE DESPERATE ONES.

Commonwealth United Releasing Organization,

Inc.

A FACE OF WAR.

Compagnie Francais de Distribution

Cinematographique.

LES BICHES.
Company of Artists, Inc.

BELOVED INFIDEL.

LET'S MAKE LOVE.

THE STORY ON PAGE ONE.

WILD IN THE COUNTRY.

Compton/Sir Nigel Films Production.

A STUDY IN TERROR.

Computer Methods Corp.

DATA COMMUNICATIONS.

Comstock Productions.

HOLLYWOOD TALENT SCOUTS.

Concepts Unlimited, Inc.

ALL THIS AND 702.

FUSION.

Concordia Films.

RECLAIMED.

Condon, Richard.

THE HAPPY THIEVES.

 THE MANCHURIAN CANDIDATE.

Condor Films, Inc.

SAINT LOUIS: GATEWAY TO THE WEST.

Connaught Productions, Inc.

BUONA SERA, MRS. CAMPBELL.

Connecticut Films, Inc.

LONDON BRIDGE IS FALLING DOWN.

TO MARKET, TO MARKET.

Connor, Richard M., Sr.

EARLY LOGGING SCENES, 1930.

Conrad, Joseph.

LORD JIM.

Conrad, Lawrence H.

PATTERNS OF GOOD TEACHING—HIGH

SCHOOL LEVEL.

Conservation Foundation, Washington, D.C.

THE HOUSE OF MAN, PART II: OUR CROWDED

ENVIRONMENT.

Consortium Pathe.
 LES BICHES.

Constantin-Film.

HOUSE OF A THOUSAND DOLLS.

PER QUALCHE DOLLARO IN PIU.

Consumers Power Co.

THE DEPENDABLE FLAME.

ENERGY FOR A BRIGHTER TOMORROW.

HEADSTART ON TOMORROW.

MICHIGAN YEAR.

NUCLEAR POWER FOR MICHIGAN'S FUTURE.

ONLY IF YOU CARE.

PIPELINE PEOPLE.

THE RIVER THAT CAME BACK.

WHAT'S IT GOING TO COST YOU?

WHEN MICHIGAN WAS YOUNG.

Contemporary Films, Inc.

YOUTH DANCES.

Contemporary Productions, Inc.

 H.M.S. PINAFORE.

THE PIRATES OF PENZANCE.

THE YOUNG SAVAGES.

Continental Illinois National Bank &

Trust Co. of Chicago.

SELLING TACTICS, INSIDE AND OUT.

Continenza, Alessandro.

HANNIBAL.

Cooga Mooga Films Productions, Inc.

JOURNEY TO THE CENTER OF THE EARTH.

Cooga Mooga Production.

THE YELLOW CANARY.

Cook, James A.

THE COMPUTER IN THE CLASSROOM.

Cook, Peter.

BEDAZZLED.

Cook, Will.

TWO RODE TOGETHER.

Cooney, Ray.

THE HAND.

Cooper (Jackie) Productions, Inc.

HENNESEY.

Cooper (Peter H.) Inc.

CONNIE.

Coppel, Alec.

THE BLISS OF MRS. BLOSSOM.

THE GAZEBO.

MOMENT TO MOMENT.

Coppel, Myra.

THE GAZEBO.

Corlou Films.

SUCCESSFUL BREAST FEEDING.

Corman Co., Inc.

THE SECRET INVASION.

TOBRUK.

Corn Products Co. Best Foods Division.

 COLOR FOR JOY.

Corning Glass Works.

THE WORLD IN YOUR KITCHEN.

Corona Film Production.

THE WORLD IN MY POCKET.

Coronado Productions (England) Ltd.

PLAY IT COOL.

Coronet Film Museum.

TRIUMPH DES WILLENS.

Coronet Films.

NETHERLANDS: PAST AND PRESENT.

Coronet Films. SEE Coronet Instructional

Films.

Coronet Instructional Films.

ACCOUNTING: BASIC PROCEDURES.

ACTING WITH MATURITY.

ADDITION FOR BEGINNERS.

ADJUSTING YOUR READING SPEEDS.

THE AEGEAN AGE.

AFRICAN CONTINENT: AN INTRODUCTION.

AFRICAN CONTINENT: NORTHERN REGION.

AFRICAN CONTINENT: SOUTHERN REGION.

AFRICAN CONTINENT: TROPICAL REGION.

THE AGE OF ABSOLUTE MONARCHS IN EUROPE.

THE AGE OF ENLIGHTENMENT IN EUROPE.

AIRPLANES: PRINCIPLES OF FLIGHT.

ALEXANDER HAS A GOOD DAY.

ALEXANDER THE GREAT AND THE HELLENISTIC

AGE.

ALGEBRA: A WAY OF THINKING ABOUT

NUMBERS.

ALGEBRA: RELATIONS, FUNCTIONS AND

VARIATION.

AN ALPHABET OF BIRDS.

AMERICAN INDIANS BEFORE EUROPEAN

SETTLEMENT.

ANCIENT PAESTUM: CITY OF THE GREEKS

AND ROMANS.

ANCIENT PALESTINE.
ANCIENT PERSIA.

ANCIENT WORLD INHERITANCE.

ANDREW JACKSON AT THE HERMITAGE.

ANGLES AND THEIR MEASUREMENTS.

ANIMAL BABIES GROW UP.

ANIMAL COMMUNITIES AND GROUPS.

ANIMAL HIDE AND SEEK: CAMOUFLAGE FOR

BEGINNERS.

ANIMALS AND HOW THEY COMMUNICATE.

ANIMALS ARE DIFFERENT AND ALIKE.

ANIMALS PROTECT THEMSELVES.

ANIMALS WITHOUT BACKBONES.

THE ANT AND THE DOVE.

THE ANT AND THE GRASSHOPPER.

THE ANT COLONY THROUGH THE YEAR.

APTITUDES AND OCCUPATIONS.

AQUATIC INSECTS.

ARISTOTLE AND THE SCIENTIFIC METHOD.

ARITHMETIC: ESTIMATING AND CHECKING

 ANSWERS.

ARITHMETIC IN THE FOOD STORE.

ARITHMETIC: UNDERSTANDING THE PROBLEM.

ARTHROPODS: INSECTS AND THEIR RELATIVES.

ASIA: A CONTINENTAL OVERVIEW.

AUSTRIA, PAST AND PRESENT.

AUTOMATION: WHAT IT IS AND WHAT IT DOES.

THE BAGWORM.

BALANCE YOUR DIET FOR HEALTH AND

APPEARANCE.

BARDELL VS. PICKWICK.

THE BARN SWALLOW.

BASIC SKILLS.

BASKETBALL FUNDAMENTALS.

THE BEETLE.

BEGINNING RESPONSIBILITY: BEING A

GOOD SPORT.

BEGINNING RESPONSIBILITY: DOING

THINGS FOR OURSELVES IN SCHOOL.

BEGINNING RESPONSIBILITY: GETTING

 READY FOR SCHOOL.

BEGINNING RESPONSIBILITY: LEARNING TO

FOLLOW INSTRUCTIONS.

BEGINNING RESPONSIBILITY: LUNCHROOM

MANNERS.

BEGINNING RESPONSIBILITY: RULES AT

SCHOOL.

BEGINNING RESPONSIBILITY: USING

MONEY WISELY.

BEGINNINGS AND GROWTH OF INDUSTRIAL

AMERICA.

BILLY'S HELICOPTER RIDE.

BIOLOGY IN SPACE SCIENCE.

BIOLOGY IN TODAY'S WORLD.

BIRDS AND THEIR CHARACTERISTICS.

BIRDS AND THEIR HOMES.

BIRDS: HOW WE IDENTIFY THEM.

BIRDS OF THE COUNTRYSIDE.

BIRDS OF THE DOORYARD.

BIRDS OF THE INLAND WATERWAYS.

BIRDS OF THE MARSHES.

BIRDS OF THE SEA.

BIRDS OF THE WOODLANDS.

BIRDS THAT MIGRATE.

THE BIRTH OF PUPPIES.

BOLIVAR: SOUTH AMERICAN LIBERATOR.

A BOOK IS TO CARE FOR.

BOY OF JAPAN: ITO AND HIS KITE.

THE BOYHOOD OF ABRAHAM LINCOLN.

THE BOYHOOD OF THOMAS EDISON.

THE BRITISH COMMONWEALTH OF NATIONS.

BRUSHING UP ON DIVISION.

BRUSHING UP ON MULTIPLICATION.

THE BUDDHIST WORLD.

BUILD YOUR VOCABULARY.

BUILDING BETTER SENTENCES.

BULGARIA: THE LAND AND THE PEOPLE.

THE BUSY AIRPORT.

A BUSY DAY AT THE COUNTY FAIR.

THE BUSY HARBOR.

BUTTERFLY AND MOTH LIFE CYCLES.

THE BYZANTINE EMPIRE.

CAMOUFLAGE IN NATURE THROUGH FORM AND

COLOR MATCHING.

CAMOUFLAGE IN NATURE THROUGH PATTERN

MATCHING.

CANADA'S HISTORY: COLONY TO COMMONWEALTH.

CARL SANDBURG DISCUSSES HIS WORK.

CARL SANDBURG DISCUSSES LINCOLN.

CAUSES OF THE SEASONS.

CELL BIOLOGY: LIFE FUNCTIONS.

CELL BIOLOGY: MITOSIS AND DNA.

CELL BIOLOGY: STRUCTURE AND

COMPOSITION.

CELLS OF PLANTS AND ANIMALS.

CENTRIPETAL FORCE AND SATELLITE

ORBITS.

CHARLEMAGNE AND HIS EMPIRE.

CHEMICAL BOND AND ATOMIC STRUCTURE.

CHEMICAL CHANGES ALL ABOUT US.

CHEMICAL PROPERTIES OF WATER.

CHEMISTRY LABORATORY SERIES.

CHILDREN ON THE MOVE.

CHRISTIANITY IN WORLD HISTORY (TO

1000 A.D.)

A CHRISTMAS CAROL.

CITIZENSHIP AND YOU.

CIVIL WAR: BACKGROUND ISSUES.

THE CIVIL WAR: 1863-1865.

CIVIL WAR: FIRST TWO YEARS.

THE CIVIL WAR: POSTWAR PERIOD.

CLASSIFYING PLANTS AND ANIMALS.

CLEANLINESS AND HEALTH.

CLIMATES OF THE UNITED STATES.

CLOTHES AROUND THE WORLD.

COLONIAL LIFE ON A DUTCH MANOR.

COLOR AND LIGHT: AN INTRODUCTION.

COLOR AND PIGMENT IN ART.

COLOR FOR BEGINNERS.

THE COLORADO RIVER.

THE COLUMBIA RIVER.

COMMUNICATION FOR BEGINNERS.

COMMUNICATION: STORY OF ITS DEVELOPMENT.

COMMUNITIES DEPEND ON EACH OTHER.

COMMUNITIES KEEP CLEAN.

COMPETITION IN BUSINESS.

CONSERVATION FOR BEGINNERS.

CONSERVING OUR FORESTS TODAY.

CONSERVING OUR MINERAL RESOURCES

TODAY.

CONSERVING OUR SOIL TODAY.

CONSERVING OUR WATER RESOURCES TODAY.

CONSERVING OUR WILDLIFE TODAY.

CONTINENTS OF THE WORLD.

COTTON IN TODAY'S WORLD.

THE COUNTRY MOUSE AND THE CITY MOUSE.

COURTESY FOR BEGINNERS.

THE CRANE'S MAGIC GIFT, A JAPANESE

FAIRY TALE.

CRAYFISH: LIFE CYCLE.

CREATING WITH COLOR.

THE CRICKET AND GRASSHOPPER.

CRYSTALS AND THEIR GROWTH.

CURRENT EVENTS: UNDERSTANDING AND

EVALUATING THEM.

CUTTING AND PASTING.

THE DAIRY FARM.

DANIEL BOONE IN AMERICA'S STORY.

DARWIN AND THE THEORY OF NATURAL

SELECTION.

DAVID AND BETSEY TROTWOOD.

DAVID AND DORA.

DAVID AND DORA MARRIED.

DAVID AND HIS MOTHER.

DAVID AND MR. MICAWBER.

DAWN OF THE AMERICAN REVOLUTION: A
LEXINGTON FAMILY.

DENTAL HEALTH: HOW AND WHY.

DESERT DWELLERS: PLANTS AND ANIMALS.

DEVELOPING READING MATURITY: COMPARATIVE

READING.

DEVELOPING READING MATURITY: CRITICAL

EVALUATION.

DEVELOPING READING MATURITY: INTERPRETING

MEANING.

DEVELOPING READING MATURITY: THE MATURE

READER.

DEVELOPING READING MATURITY: UNDERSTANDING

STYLE.

DIFFUSION AND OSMOSIS.

DIGESTION IN OUR BODIES.

DIVISION FOR BEGINNERS.

EARS: THEIR STRUCTURE AND CARE.

THE EARTH: CHANGES IN ITS SURFACE.

THE EARTH: ITS ATMOSPHERE.

THE EARTH: ITS OCEANS.

THE EARTH: ITS STRUCTURE.

THE EARTH: RESOURCES IN ITS CRUST.

THE EARTH'S MOVEMENTS.

EARTHWORM: ANATOMY AND DISSECTION.

EASTERN EUROPE: AN INTRODUCTION.

EAT WELL, GROW WELL!

ECHINODERMS AND MOLLUSKS.

ELECTRICITY FOR BEGINNERS.

ELECTRICITY FROM CHEMICALS.

ELECTRICITY: HOW IT IS GENERATED.

ELECTRICITY: PRINCIPLES OF SAFETY.

ELECTROCHEMICAL REACTIONS.

ELECTROMAGNETIC INDUCTION.

ELECTRONS AND ELECTRONICS: AN

INTRODUCTION.

ELECTROSTATIC CHARGES AND FORCES.

ENERGY AND ITS FORMS.

ENERGY DOES WORK.

ENGLAND: BACKGROUND OF LITERATURE.

ENGLISH HISTORY: NINETEENTH CENTURY
REFORMS.

THE ENGLISH LANGUAGE: HOW IT CHANGES.

EQUATIONS: NUMBER SENTENCES.

THE EUROPEAN ECONOMIC COMMUNITY.

EVERYDAY COURAGE AND COMMON SENSE.

EVERYDAY COURTESY.

EVOLUTION OF MAN.

EXPLORING THE ATOMIC NUCLEUS.

FARM ANIMALS IN RHYME.

FEDERAL TAXATION.

FILING PROCEDURES IN BUSINESS.

FILM HIGHLIGHTS OF MODERN HISTORY:

THE EARLY 1900'S.

FIRE AND OXIDATION.

FISH AND THEIR CHARACTERISTICS.

FIVE COLORFUL BIRDS.

FLOWERS: STRUCTURE AND FUNCTION.

FLUTE, CLARINET AND BASSOON.

FOLK SONGS OF AMERICA'S HISTORY.

FOLKSONGS OF THE WESTERN MOVEMENT,

1787-1853.

FOLKSONGS OF THE WESTERN SETTLEMENT,

1865-1900.

THE FOOD CYCLE AND FOOD CHAINS.

FOOD THAT BUILDS GOOD HEALTH.

FOODS AROUND THE WORLD.

FOODS FROM GRAINS.

FORCES: COMPOSITION AND RESOLUTION.

FORMS OF MUSIC: INSTRUMENTAL.

FRACTIONS: FINDING THE COMMON

DENOMINATOR.

FRED MEETS A BANK.

FRICTION AND ITS EFFECTS.

FUN WITH WORDS: WORDS THAT ADD MEANING.

FUN WITH WORDS: WORDS THAT NAME AND DO.

FUN WITH WORDS: WORD TWINS.

GALILEO.
GENETICS: CHROMOSOMES AND GENES (MEIOSIS).

GENETICS: FUNCTIONS OF DNA AND RNA.

GENETICS: HUMAN HEREDITY.

GENETICS: IMPROVING PLANTS AND ANIMALS.

GENETICS: MENDEL'S LAWS.

GEOGRAPHY OF SOUTH AMERICA: ARGENTINA,

PARAGUAY, URUGUAY.

GEOGRAPHY OF SOUTH AMERICA: BRAZIL.

GEOGRAPHY OF SOUTH AMERICA: COUNTRIES

OF THE ANDES.

GEOGRAPHY OF SOUTH AMERICA: THE CONTINENT.

GEOMETRY: INDUCTIVE AND DEDUCTIVE

REASONING.

GERMS AND WHAT THEY DO.

GETTING ALONG WITH OTHERS.

GETTING INTO COLLEGE.

GETTING THE BIG IDEAS.

THE GLOBE AND OUR ROUND EARTH.

GRAPHING LINEAR EQUATIONS.

GRAPHS: UNDERSTANDING AND USING THEM.

GRASSHOPPER: ANATOMY AND DISSECTION.

GRAVITY AND WHAT IT DOES.

GROUPING THINGS IN SCIENCE.

GROWTH OF BIG BUSINESS IN AMERICA,

1865-1900.

GROWTH OF FARMING IN AMERICA, 1865-1900.

THE HALOGENS.

HANDWRITING FOR BEGINNERS: MANUSCRIPT.

HEALTH HEROES: THE BATTLE AGAINST

DISEASE.

HEART, LUNGS AND CIRCULATION.

HEARTS AND CIRCULATORY SYSTEMS.

HEAT AND ITS BEHAVIOR.

HEAT AND TEMPERATURE.

HELPERS AT OUR SCHOOL.

THE HELPFUL LITTLE FIREMAN.

THE HINDU WORLD.

THE HISTORY OF LIVING THINGS.

THE HOLY ROMAN EMPIRE.

HOMES AROUND THE WORLD.

THE HOUSEFLY AND ITS CONTROL.

HOW AIR HELPS US.

HOW FLOWERS MAKE SEEDS.

HOW MATERIALS ARE ALIKE AND DIFFERENT.

HOW POWER DRIVES MACHINES.

HOW SIMPLE MACHINES MAKE WORK EASIER.

HOW SOUND HELPS US.

HOW SUNSHINE HELPS US.

HOW TO READ A BOOK.

HOW TO STUDY.

HOW WE ELECT OUR REPRESENTATIVES.

HOW WHEELS HELP US.

THE HUMAN BODY: EXCRETORY SYSTEM.

THE HUMAN BODY: MUSCULAR SYSTEM.

THE HUMAN BODY: NUTRITION AND METABOLISM.

THE HUMAN BODY: RESPIRATORY SYSTEM.

THE HUMAN BODY: SENSE ORGANS.

THE HUMAN BODY: THE BRAIN.

THE HUMAN BODY: THE CHEMISTRY OF

DIGESTION.

HYDROCARBONS AND THEIR STRUCTURES.

IMMIGRATION IN AMERICA'S HISTORY.

IMPERIALISM AND EUROPEAN EXPANSION.

IMPROVE YOUR ORAL REPORTS.

IMPROVE YOUR PUNCTUATION.

IMPROVE YOUR STUDY HABITS.

IMPROVING AMERICA'S HEALTH.

IMPROVING YOUR VOCABULARY.

THE INCAS.

INDIAN INFLUENCES IN THE UNITED STATES.

INERTIAL MASS AND THE LAWS OF MOTION.

INFECTIOUS DISEASES AND MAN-MADE

DEFENSES.

INFECTIOUS DISEASES AND NATURAL BODY

DEFENSES.

INSECT ENEMIES AND THEIR CONTROL.

Welcome to our website – the perfect destination for book lovers and
knowledge seekers. We believe that every book holds a new world,
offering opportunities for learning, discovery, and personal growth.
That’s why we are dedicated to bringing you a diverse collection of
books, ranging from classic literature and specialized publications to
self-development guides and children's books.

More than just a book-buying platform, we strive to be a bridge

connecting you with timeless cultural and intellectual values. With an
elegant, user-friendly interface and a smart search system, you can
quickly find the books that best suit your interests. Additionally,
our special promotions and home delivery services help you save time
and fully enjoy the joy of reading.

Join us on a journey of knowledge exploration, passion nurturing, and

personal growth every day!

ebookbell.com