See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/248499802

Advanced Topics in Types and Programming Languages

Article · January 2004

CITATIONS READS
147 6,505

1 author:

Benjamin C. Pierce
University of Pennsylvania
261 PUBLICATIONS 12,932 CITATIONS

SEE PROFILE

All content following this page was uploaded by Benjamin C. Pierce on 20 August 2014.

The user has requested enhancement of the downloaded file.

Advanced Topics in
Types and Programming Languages

Benjamin C. Pierce, editor

The MIT Press

Cambridge, Massachusetts
London, England
©2005 Massachusetts Institute of Technology

All rights reserved. No part of this book may be reproduced in any form by
any electronic of mechanical means (including photocopying, recording, or
information storage and retrieval) without permission in writing from the
publisher.

This book was set in Lucida Bright by the editor and authors using the LATEX
document preparation system.

Printed and bound in the United States of America.

Library of Congress Cataloging-in-Publication Data

Advanced Topics in Types and programming languages / Benjamin C. Pierce,

editor
p. cm.
Includes bibliographical references and index.
ISBN 0-262-16228-8 (hc.: alk. paper)
1. Programming languages (Electronic computers). I. Pierce, Benjamin C.
QA76.7.A36 2005
005.13—dc22
200457123

10 9 8 7 6 5 4 3 2 1
7 Typed Operational Reasoning

Andrew Pitts

The aim of this chapter is to explain, by example, some methods for reason-
ing about equivalence of programs based directly upon a type system and
an operational semantics for the programming language in question. We will
concentrate on methods for reasoning about equivalence of representations
of abstract data types. This provides an excellent example: it is easy to appre-
ciate why such methods are useful and at the same time non-trivial problems
have to be solved to get a sound reasoning principle in the presence of non-
termination and recursion. Rather than just treat abstract data types, we will
cover full existential types, using a programming language combining a pure
fragment of ML (including records and recursive functions) with System F.

7.1 Introduction

As explained in TAPL, Chapter 24, type systems involving existentially quan-

tified type variables provide a useful foundation for explaining and relating
various features of programming languages to do with information hiding.
To establish the properties of such type-theoretic interpretations of infor-
mation hiding requires a theory of semantic equivalence for expressions of
existential type. Methods involving type-indexed families of relations between
between expressions have proved very useful in this respect. Study of rela-
tional properties of typed calculi goes back to the logical relations for simply
typed lambda calculus in Plotkin (1973) and Statman (1985) and discussed in
Chapter 6, and the notion of relational parametricity for polymorphic types
in Reynolds (1983). More relevant to the kind of example considered in this
chapter is Mitchell’s principle for establishing the denotational equivalence
of programs involving higher-order functions and different implementations
of an abstract datatype in terms of the existence of a simulation relation be-
246 7 Typed Operational Reasoning

tween the implementations (Mitchell, 1991a). This principle was extended by

Plotkin and Abadi (1993) to encompass all the (possibly impredicative) exis-
tential types of the Girard-Reynolds polymorphic lambda calculus.
One feature of these works is that they develop proof principles for deno-
tational models of programming languages. The relevance of such principles
to the operational behavior of programs relies upon ‘goodness of fit’ results
(some published, some not) connecting operational and denotational seman-
tics. Another feature of the above works is that they do not treat the use of
general recursive definitions; and so the languages considered are not Tur-
ing powerful. It is folklore that a proof principle for denotational equality at
existential type, phrased in terms of the existence of certain simulation rela-
tions, is still valid in the presence of recursively defined functions of higher
type, provided one imposes some admissibility conditions on the notion of
relation. In fact using techniques for defining operationally based logical re-
lations developed in Pitts (2000), we will see in this chapter that suitable
admissibility conditions for relations and an associated proof principle for
operational equivalence at existential type can be phrased directly, and quite
simply, in terms of the syntax and operational semantics of a programming
language combining existential types with recursively defined, higher-order
functions. The programming language we work with combines a pure frag-
ment of ML (including records and recursive functions) with the polymorphic
lambda calculus of Girard (1972) and Reynolds (1974).

7.2 Overview

In order to get the most out of this chapter you should have some familiarity
with TAPL, Chapters 23 and 24. The material in this chapter is technically
quite intricate (especially the definition and properties of the logical relation
in §7.6) and it is easy to lose sight of the wood for the trees. So here is an
overview of the chapter.

Equivalence of programs One application of formal semantics of program-

ming languages is to give a mathematically precise definition of what it
means for one program to be semantically equal to another. In this chapter
we use operational semantics and discuss a notion of program equivalence
called contextual equivalence (§7.5).

Extensionality principles In order to reason about program equivalence, it

is useful to establish the validity of proof methods for it. The most basic
method uses the congruence property—reasoning by “replacing equals by
equals”—which holds of contextual equivalence by construction. In §7.1
 7.3 Motivating Examples 247

we discuss informally some methods for proving contextual equivalence

of implementations of abstract datatypes. The discussion culminates with
the Extensionality Principle 7.3.6. One goal of this chapter is to give a
mathematically precise formulation of this principle and to establish its
validity.

Logical relations The Extensionality Principle is phrased in terms of type-

respecting relations between the terms of our example language. In order
to formulate this principle precisely and then prove it we develop an alter-
native characterisation of contextual equivalence in terms of a certain “log-
ical relation” (§7.6). The combination of features in our language—higher-
order recursive functions and fully impredicative polymorphic types—
force us to use a form of logical relation with quite a difficult definition.
Chapter 6 presents another use of logical relations with a simpler defini-
tion; as such, that chapter provides a useful warm-up for this one.

7.3 Motivating Examples

In this section we motivate the use of logical relations for reasoning about
existential types by giving some examples.
To begin, let us recall the syntax for expressions involving existentially
quantified type variables from TAPL, Chapter 24. If T is a type expression and
X is a type variable, then we write {∃X,T} for the corresponding existentially
quantified type. Free occurrences of X in T become bound in this type expres-
sion. We write [X , S]T for the result of substituting a type S for all free
occurrences of X in T, renaming bound type variables as necessary to avoid
capture.1 It t is a term of type [X , S]T, then we can “pack” the type S and
the term t together to get a term
{*S,t} as {∃X,T} (7.1)
of the indicated existential type. To eliminate such terms we use the form
let {*X,x}=t1 in t2 (7.2)
This is a binding construct: free occurrences of the type variable X and the
value variable x in t2 become bound in the term. The typing of such terms
goes as follows:
if t1 has type {∃X,T} and t2 has type T2 when we assume the variable
x has type T, then provided X does not occur free in T2 , we can conclude
that the term in (7.2) has type T2 .

1. Throughout this chapter we will always identify expressions, be they types or terms, up to
renaming of bound variables.
248 7 Typed Operational Reasoning

(Such rules are better presented symbolically, but we postpone doing that
until we give a formal definition of the language we will be using, in the next
section.) The italicized restriction on free occurrences of X in T2 in the above
rule is what distinguishes an existential type from a type-indexed dependent
sum, where there is free access both to the type component as well as the
term component of a “packed” term: see Mitchell and Plotkin (1988), p. 474 et
seq, for a discussion of this point.
Since we wish to consider existential types in the context of an ML-like
language, we adopt an eager strategy for evaluating expressions like (7.1)
and (7.2). Thus to evaluate the first, one evaluates t to canonical form, v say,
and returns the canonical form {*S,v} as {∃X,T}; to evaluate the second,
one evaluates t1 to canonical form, {*S,v} as {∃X,T} say, and then evalu-
ates [X , S][x , v]t2 .

7.3.1 Example: Consider the existentially quantified record type

type Counter = {∃X, {mk:X, inc:X→X, get:X→Int}}

where Int is a type of integers. Values of type Counter consist of some type
together with values of the appropriate types implementing mk, inc, and get.
For example
val counter1 = {*Int, {mk = 0,
inc = λx:Int.x+1,
get = λx:Int.x } as Counter

and
val counter2 = {*Int, {mk = 0,
inc = λx:Int.x-1,
get = λx:Int.0-x } as Counter

are both values of type Counter. The terms

let {*X,x} = counter1 in x.get(x.inc(x.mk))
let {*X,x} = counter2 in x.get(x.inc(x.mk))

(where we use the syntax r.f for selecting field f of record r) are both terms
of type Int which evaluate to 1. By contrast, of the terms
let {*X,x} = counter1 in x.get(x.inc(1))
let {*X,x} = counter2 in x.get(x.inc(1))

the first evaluates to 2, whereas the second evaluates to 0; but in this case
neither term is well-typed. Indeed, it is the case that any well-typed closed
term involving occurrences of the term counter1 will exhibit precisely the
same evaluation behavior if we replace those occurrences by counter2 . In
other words, counter1 and counter2 are equivalent in the following sense. 2
 7.3 Motivating Examples 249

7.3.2 Definition [Contextual equivalence, informally]: We write t1 =ctx t2 :T

to indicate that two terms t1 and t2 of the same type T are contextually equiv-
alent. By definition, this means that for all well-typed terms t[t1 ] containing
instances of t1 , if t[t2 ] is the term obtained by replacing those instances
by t2 , then t[t1 ] and t[t2 ] give exactly the same observable results when
evaluated. 2

This notion of program equivalence assumes we have already fixed upon a

definition of the “observable results” of evaluating terms. It also presupposes
that the meaning of a well-typed term should only depend upon the final
result (if any) of evaluating it. This is reasonable for deterministic and non-
interactive programming even in the presence of computational effects like
side-effecting state or raising exceptions, provided we include those effects as
part of the observable results of evaluation. Certainly, contextual equivalence
is a widely used notion of program equivalence in the literature and it is the
one we adopt here.
For the terms in Example 7.3.1, it is the case that

counter1 =ctx counter2 :Counter (7.3)

but the quantification over all possible contexts t[−] in the definition of =ctx
makes a direct proof of this and similar facts rather difficult. Thus one is
led to ask whether there are proof principles for contextual equivalence that
make proving such equivalences at existential types more tractable. Since
values {*S,v} as {∃X,T} of a given existential type {∃X,T} are specified by
pairs of data S and v, as a first stab at such a proof principle one might
try componentwise equivalence. Equivalence in the second component will of
course mean contextual equivalence; but in the first component, where the
expressions involved are types, what should equivalence mean? If we take
it to mean syntactic identity, =, (which for us includes renaming of bound
variables) we obtain the following proof principle.2

7.3.3 Principle [Extensionality for ∃-types, Version I]: For an existential type
def
E = {∃X,T}, types T1 , T2 , and values v1 , v2 , if T1 = T2 and v1 =ctx v2 :[X ,
T2 ]T, then ({*T1 ,v1 } as E) =ctx ({*T2 ,v2 } as E):{∃X,T}. 2

The hypotheses of Principle 7.3.3 are far too strong for it to be very useful.
For example, it cannot be used to prove (7.3), since in this case T1 = Int = T2 ,
but

2. This and subsequent proof principles for {∃X,T} are called extensionality principles by
analogy with the familiar extensionality principle for functions; it is a convenient terminology,
but perhaps the analogy is a little stretched.
250 7 Typed Operational Reasoning

val v1 = {mk=0, inc=λx:Int.x+1, get=λx:Int.x}

and

val v2 = {mk=0, inc=λx:Int.x-1, get=λx:Int.0-x}

are clearly not contextually equivalent values of the record type

{mk:Int,inc:Int→Int,get:Int→Int}

(for example, we get different integers when evaluating t[v1 ] and t[v2 ] when
t[−] is (−.inc)0). However, they do become contextually equivalent if in
the second term we use a variant of integers in which the roles of positive
and negative are reversed. Such “integers” are of course in bijection with
the usual ones and this leads us to our second version of an extensionality
principle for existential types—in which the use of syntactic identity as the
notion of type equivalence is replaced by the more flexible one of bijection.
A bijection i : T1 › T2 means a closed term i : T1 →T2 for which there is
a closed term i−1 : T2 →T1 which is a two-sided inverse up to contextual
equivalence: i−1 (i x1 ) =ctx x1 : T1 and i(i−1 x2 ) =ctx x2 : T2 .

7.3.4 Principle [Extensionality for ∃-types, Version II]: For each existential
def
type E = {∃X,T}, types T1 , T2 , and values v1 , v2 , if there is a bijection
i : T1 › T2 such that T(i) v1 =ctx v2 : [X , T2 ]T, then

({*T1 ,v1 } as E) =ctx ({*T2 ,v2 } as E) : {∃X,T}.

In stating this principle we have used the notation T(i) for the “action” of
types T on bijections i: given a type T, possibly containing free occurrences
of a type variable X, one can define an induced bijection T(i) : [X , T1 ]T ›
[X , T2 ]T (with inverse T(i−1 )). For example, if T is the type

{mk:X, inc:X→X, get:X→Int}

then T(i) is

λx:{ mk:T1 , inc:T1 →T1 , get:T1 →Int}.

{ mk = i(x.mk),
inc = λx2 :T2 .i(x.inc(i−1 x2 )),
get = λx2 :T2 .x.get(i−1 x2 )) }

and T(i−1 ) is

λx:{ mk:T2 , inc:T2 →T2 , get:T2 →Int}.

{ mk = i−1 (x.mk),
inc = λx1 :T1 .i−1 (x.inc(i x1 )),
get = λx1 :T1 .x.get(i x1 )) }.
 7.3 Motivating Examples 251

(In general, if T is a simple type then the definition of T(i) and T(i−1 ) can
be done by induction on the structure of T; for recursively defined types, the
definition of the induced bijection is not so straightforward.) 2

We can use this second version of the extensionality principle for existen-
tial types to prove the contextual equivalence in (7.3), using the bijection

def
i = (λx:Int.0-x) : Int › Int.

This does indeed satisfy T(i) v1 =ctx v2 : Int when v1 , v2 , and T are de-
fined as above. (Of course these contextual equivalences, and indeed the fact
that this particular term i is a bijection, all require proof; but the methods
developed in this chapter render this straightforward.) However, the use of
bijections between types is still too restrictive for proving many common ex-
amples of contextual equivalence of abstract datatype implementations, such
as the following.

7.3.5 Example: Consider the following existentially quantified record type, where
Bool is a type of booleans.

type Semaphore = {∃X, {bit:X, flip:X→X, read:X→Bool}}

The following terms have type Semaphore:

val semaphore1 =
{*Bool, {bit = true
flip = λx:Bool.not x,
read = λx:Bool.x } as Semaphore;
val semaphore2 =
{*Int, {bit = 1,
flip = λx:Int.0-2*x,
read = λx:Int.x >= 0} as Semaphore

There is no bijection Bool › Int, so one cannot use Principle 7.3.4 to prove

semaphore1 =ctx semaphore2 : Semaphore. (7.4)

Nevertheless, this contextual equivalence does hold. An informal argument

for this makes use of the following relation r : Bool ↔ Int between values
of type Bool and of type Int.

def
r = {(true, m) | m = (−2)n for some even n ≥ 0}
∪ {(false, m) | m = (−2)n for some odd n ≥ 0}.

Write si for the second component of semaphorei (i = 1, 2). Then

252 7 Typed Operational Reasoning

• s1 .bit evaluates to true; s2 .bit evaluates to 1; and (true, 1) ∈ r ;

• if (t1 , t2 ) ∈ r , then (s1 .flip)t1 and (s2 .flip)t2 evaluate to a pair of

values which are again r -related;

• if (t1 , t2 ) ∈ r , then (s1 .read)t1 and (s2 .read)t2 evaluate to the same
boolean value.

The informal argument for the contextual equivalence (7.4) goes as follows:
“any context t[−] which is well-typed whenever its hole ‘−’ is filled with a
term of type Semaphore can only make use of a term placed in its hole by
opening it as an abstract pair {X,x} and applying the methods bit, flip,
and read in some combination; therefore the above observations about r
are enough to show that t[semaphore1 ] and t[semaphore2 ] always have the
same evaluation behavior.” 2

The validity of this informal argument and in particular the assumptions

it makes about the way a context can “use” its hole are far from immediate
and need formal justification. Leaving that for later, at least we can state the
relational principle a bit more precisely.

7.3.6 Principle [Extensionality for ∃-types, Final Version]: For each existen-
def
tial type E = {∃X,T}, types T1 , T2 , and values v1 , v2 , if there is a relation
r : T1 ↔ T2 between terms of type T1 and of type T2 , such that (v1 , v2 ) ∈ T[r ],
then ({*T1 ,v1 } as E) =ctx ({*T2 ,v2 } as E) : {∃X,T}. 2

Evidently this principle presupposes the existence of an “action” of types on

term-relations that sends relations r : T1 ↔ T2 to relations T[r ] : [X ,
T1 ]T ↔ [X , T2 ]T and with certain other properties. It is the definition of
this action that is at the heart of the matter. It has to be phrased with some
care in order for the above extensionality principle to be valid for languages
involving non-termination of evaluation (through the presence of fixpoint re-
cursion for example). We will give a precise definition in §7.6 (Definition 7.6.9)
for a language combining impredicative polymorphism with fixpoint recur-
sion at the level of terms. How best to define such relational actions in the
presence of recursion at the level of types is still a matter for research (see
Exercise 7.8.1).

7.3.7 Note: Principle 7.3.4 generalizes Principle 7.3.3, because if T1 = T2 , then the
def
identity function i = λx:T1 .x is a bijection T1 › T2 satisfying

(T(i) v) =ctx v (for any v)

 7.4 The Language 253

so that v1 =ctx v2 implies (T(i) v1 ) =ctx v2 . Principle 7.3.6 generalizes Prin-

ciple 7.3.4, because each bijection i : T1 › T2 can be replaced by its graph
def
ri = {(u1 , u2 ) | i u1 =ctx u2 }
which in fact has the property that (v1 , v2 ) ∈ T[ri ] if and only if (T(i) v1 ) is
contextually equivalent to v2 . 2
As mentioned in the Introduction, Principle 7.3.6 is an operational gen-
eralization of similar principles for the denotational semantics of abstract
datatypes over the simply typed lambda calculus (Mitchell, 1991a) and rela-
tionally parametric models of the polymorphic lambda calculus (Plotkin and
Abadi, 1993). It permits many examples of contextual equivalence at existen-
tial types to be proved rather easily. Nevertheless, we will see in §7.7 that it is
incomplete for the particular ML-like language we consider here, in the sense
that ({*T1 ,v1 } as E) =ctx ({*T2 ,v2 } as E) : {∃X,T} can hold even though
there is no relation r for which (v1 , v2 ) ∈ T[r ] holds (see Example 7.7.4).

7.4 The Language

In this section we define a small, ML-like programming language that we will

use in the rest of the chapter. It combines Girard’s System F (1972) (in other
words, the polymorphic lambda calculus of Reynolds [1974]) with recursively
defined functions, record types and ground types; in common with ML (Mil-
ner, Tofte, Harper, and MacQueen, 1997), evaluation order is strict (i.e., left-to-
right, call-by-value). We will call the language FML . Its syntax and type system
are specified in Figure 7-1 and its operational semantics in Figure 7-2.

Syntax

In Figure 7-1, X and x respectively range over disjoint countably infinite sets
of type variables and value variables; l ranges over a countably infinite set
of field labels; c ranges over the constants true, false and n (for n ∈ Z);
Gnd is either the type of booleans Bool or the type of integers Int; and op
ranges over a fixed collection of arithmetic and boolean operations (such as
+, =, not, etc).
To simplify the definition of the language’s operational semantics we em-
ploy the now quite common device of using a syntax for terms that is in a
“reduced” (or “A-normal”) form, with all sequential evaluation expressed via
let-expressions. For example, the general form of (left-to-right, call-by-value)
function application is coded by
def
t1 t2 = let x1 =t1 in (let x2 =t2 in x1 x2 ). (7.5)
254 7 Typed Operational Reasoning

Syntax Γ ` c : Typeof (c) (T-Const)

t ::= terms:
Γ , f:T, x:T1 ` t : T2 T = T1 →T2
v value (T-Fun)
Γ ` fun f(x:T1 )=t:T2 : T
if v then t else t conditional
op(vi i∈1..n ) operation (Γ ` vi : Ti ) i∈1..n
(T-Rcd)
vv application Γ ` {li =vi i∈1..n
} : {li :Ti i∈1..n
}
v.l projection Γ, X ` v : T X ∉ ftv(Γ )
vT type application (T-Tabs)
Γ ` λX.v : ∀X.T
let {*X,x}=v in t unpacking
let x=t in t sequencing Γ ` v1 : [X , T1 ]T T0 = {∃X, T}
(T-Pack)
v ::= values: Γ ` {*T1 ,v1 } as T0 : T0
x value variable Γ ` v : Bool
c constant Γ ` t1 : T Γ ` t2 : T
fun x(x:T)=t:T recursive function (T-If)
Γ ` if v then t1 else t2 : T
{li =vi i∈1..n } record value
op:Gnd1 ,...,Gndn →Gnd
λX.v type abstraction
(Γ ` vi : Gndi ) i∈1..n
{*T,v} as {∃X,T} package value (T-Op)
Γ ` op(vi i∈1..n
) : Gnd
T ::= types:
X type variable Γ ` v1 : T1 →T2 Γ ` v2 : T1
(T-App)
Gnd ground type Γ ` v1 v2 : T2
T→T function type Γ ` v : {li :Ti i∈1..n
}
{li :Ti i∈1..n } record type (T-Proj)
Γ ` v.lj : Tj
∀X.T universally quantified type
{∃X,T} existentially quantified type Γ ` v : ∀X.T
(T-Tapp)
Γ ::= typing contexts: Γ ` v T1 : [X , T1 ]T
∅ empty context Γ , X, x:T ` t : T1
Γ , x:T non-empty context X ∉ ftv(Γ , T1 ) Γ ` v : {∃X,T}
Γ, X non-empty context (T-Unpack)
Γ ` let {*X,x}=v in t : T1
Typing terms Γ `t:T Γ ` t1 : T1 Γ , x:T1 ` t2 : T2
x:T ∈ Γ (T-Seq)
(T-Var) Γ ` let x=t1 in t2 : T2
Γ `x:T

Figure 7-1: FML syntax and typing

 7.4 The Language 255

As a further simplification, function abstraction and recursive function dec-

laration have been rolled into the one form fun f(x:T1 ) = t:T2 , which corre-
sponds to the expressions
let fun f (x:T1 ) = t:T2 in f end in Standard ML
or let rec f (x:T1 ) = t:T2 in f in Ocaml.
Ordinary function abstraction can be coded as
def
λx:T1 .t = fun f(x:T1 ) = t:T2 (7.6)

where f does not occur freely in t (and T2 is the type of t, given f has type
T1 →T2 and x has type T1 ). In what follows we shall use the abbreviations (7.5)
and (7.6) without further comment. We shall also use infix notation for appli-
cation of constant arithmetic and boolean operators such as +, =, etc.

7.4.1 Remark [Value-restriction]: Note that the operation λX.(−) of polymor-

phic generalization is restricted to apply only to values. This is a real re-
striction since for a non-value term t, one cannot define λX.t to be the term
let x=t in λX.x, since the latter will in general be an ill-typed term. In an ML-
like language λX.t is not yet fully evaluated if t is a non-value; and thus eval-
uation must go under type abstraction λX.(−) and work on terms at types
with free type variables. By imposing the restriction that λX.t is only well-
formed when t is a value we can restrict attention to the evaluation of closed
terms of closed type, simplifying the technical development. The restriction
does not seem to affect the expressiveness of FML in practice and is compara-
ble to the “value restriction” on let-bound polymorphism used in the 1997
revision of Standard ML (Milner et al., 1997) and in Objective Caml (Leroy,
2000). However, this restriction does have an effect on the properties of FML .
For example, with the restriction the type ∀X.X contains no closed values (see
Exercise 7.7.6); whereas without the restriction there are closed values of that
type, such as λX. (fun f(x:Bool) = f x : X) true. The “emptiness” of ∀X.X
plays a role in the properties explored in Example 7.7.4 and Remark 7.7.7. 2

Operational Semantics

Although we do not do so, the operational semantics of FML could be speci-

fied in the style of the Definition of Standard ML (Milner, Tofte, Harper, and
MacQueen, 1997) as a syntax-directed, inductively defined relation between
terms and values.3 Here we are interested primarily in the notion of contex-

3. That Definition uses environments assigning values to value variables. For reasons of tech-
nical convenience we eliminate the use of environments by substituting them into the term
and only considering the evaluation relation between closed terms and values.
256 7 Typed Operational Reasoning

Frame stack syntax {li =vi i∈1..n

}.j ; vj (R-ProjRcd)
S ::= frame stacks: (λX.v)T ; [X , T]v (R-TappTabs)
Id nil stack
v is {*T1 ,v1 } as {∃X,T}
S ◦ (x.t) stack cons (R-UnpackPack)
let {*X,x}=v in t
Typing frame stacks Γ ` S : T1 Ç T2
; [X , T1 ][x , v1 ]t
Γ ` Id : T Ç T (S-Nil)
Termination hS, ti ↓ and t↓
Γ , x:T1 ` t : T2 Γ ` S : T2 Ç T3
(S-Cons) hId, vi ↓ (S-NilVal)
Γ ` S ◦ (x.t) : T1 Ç T3
hS, [x , v]ti ↓
Primitive reductions t1 ; t2 (S-ConsVal)
hS ◦ (x.t), vi ↓
if true then t1 else t2
(R-IfTrue) hS ◦ (x.t2 ), t1 i ↓
; t1 (S-Seq)
hS, let x=t1 in t2 i ↓
if false then t1 else t2
(R-IfFalse) t1 ; t2 hS, t2 i ↓
; t2
(S-Red)
the value of op(ci i∈1..n
) is c hS, t1 i ↓
(R-Op)
op(ci i∈1..n
);c hId, ti ↓
(Term)
v1 is fun f(x:T1 )=t:T2 t↓
(R-AppAbs)
v1 v2 ; [f , v1 ][x , v2 ]t

Figure 7-2: FML operational semantics

tual equivalence (Definition 7.3.2) that this evaluation relation determines by

observing the results of evaluating terms in context. Because evaluation in
FML is strict and the language has a sufficiently expressive collection of con-
structs for deconstructing values, it turns out that the notion of contextual
equivalence is not affected much by the choice of what to observe of evalua-
tion. Most reasonable choices give rise to the same equivalence as the one we
adopt (see Exercise 7.5.10 below), which is based upon observing termination:
whether or not a term evaluates to some value, we care not which. So instead
of defining the relation of evaluation between terms and values, we proceed
directly to a definition of the termination relation, t ↓, for FML . This is given
in Figure 7-2, using an auxiliary notion of frame stack. (The conventions and
notations used in Figure 7-2 in connection with binding, free variables and
substitution are summarized in Figure 7-3.)
Frame stacks are finite lists of individual “evaluation frames.” They provide
a convenient syntax for the notion of evaluation context E[−] (Felleisen and
Hieb, 1992; Wright and Felleisen, 1994). Every closed term can be decomposed
 7.4 The Language 257

Binding constructs Closed types, terms and frame stacks

let {*X,x}=v in (−)
let x=t in (−)
fun f(x:T1 )=(−:T2 )
λX.(−)
∀X.(−)
{∃X,(−)}
S ◦ (x.(−))
We identify expressions up to renaming of
bound value and type variables.
Notation for free variable sets
ftv(E) is the finite set of free type variables
of the expression E (a type, a term, or a
frame stack);
fv(E) is the finite set of free value variables
of an expression E (a term, or a frame stack,
but not a type, since types do not contain
occurrences of value variables).
A type T is closed if ftv(T) = ∅.
A term or frame stack E is closed if fv(E) =
∅ (even if ftv(E) 6= ∅).
Notation for substitution
[X , T]E denotes the result of capture-
avoiding substitution of a type T for all free
occurrences of a type variable X in E (a type,
a term, or a frame stack);
[x , v]E denotes the result of capture-
avoiding substitution of a value v for all free
occurrences of the value variable x in a term
or frame stack E.
(Note that as their name suggests, value variables
stand for unknown values—the substitution of a
non-value term for a variable makes no sense syn-
tactically, in that it may result in an ill-formed ex-
pression.)

Figure 7-3: Binding, free variables and substitution

uniquely as E[t] where the evaluation context E[−] is a context with a unique
hole (−) occurring in the place where the next step of evaluation (called a
primitive reduction in Figure 7-2), if any, will take place. With FML ’s reduced
syntax, such evaluation contexts turn out to be just nested sequences of the
let-construct

E[−] = let x1 =(...(let xn =(−) in tn )...) in t1 .

The corresponding frame stack

S = Id ◦ (x1 .t1 ) ◦ · · · ◦ (xn .tn )

records this sequence as a list of evaluation frames, xi .ti (with free occur-
rences of xi in ti being bound in xi .ti ). Under this correspondence it can be
shown that E[t] evaluates to some value in the standard evaluation-style (or
“big-step”) structural operational semantics if and only if hS, ti ↓ holds, for
the relation h−, −i ↓ defined in Figure 7-2. Not only does the use of frame
258 7 Typed Operational Reasoning

stacks enable a conveniently syntax-directed inductive definition of termina-

tion, but also frame stacks play a big role in §7.6 when defining the logical
relation that we use to establish properties of FML contextual equivalence.

7.4.2 Exercise [Recommended, ««]: Consider a relation hS1 , t1 i -→ hS2 , t2 i de-

fined by cases according to the structure of the term t1 and the frame stack
S1 , as follows:

• hS ◦ (x.t), vi -→ hS, [x , v]ti

• hS, let x=t1 in t2 i -→ hS ◦ (x.t2 ), t1 i

• hS, t1 i -→ hS, t2 i, if t1 ; t2 .

Show that

hS 0 @S, ti ↓ (∃v) hS, ti -→ hId, vi & hS 0 , vi ↓

∗
a (7.7)

where -→∗ denotes the reflexive-transitive closure of the -→ relation, and

S 0 @S is the frame stack obtained by appending the two lists of evaluation
frames S 0 and S. Deduce that t ↓ holds if and only if there is some value v
with hId, ti -→∗ hId, vi. 2

Typing

We will consider the termination relation only for frame stacks and terms
that are well-typed. A term t is well-typed with respect to a particular typing
context Γ if a typing judgment

Γ `t:T (7.8)

can be derived for some type T using the rules in Figure 7-1. We identify
typing contexts Γ up to rearranging their constituent hypotheses (“X” or “x :
X”) and eliminating duplicates. Thus a typical typing context looks like

Γ = X1 , . . . , Xm , x1 : T1 , . . . , xn : Tn

where the type variables Xi and the value variables xj are all distinct (and
m = 0 or n = 0 is allowed). The typing judgments that are derivable from
the rules all have the property that the free type variables of T and each Tj
occur in the set {X1 , . . . , Xm }, and the free value variables of t occur in the set
{x1 , . . . , xn }. This is ensured by including some explicit side-conditions about
free variable occurrences in the typing rules (T-Abs) and (T-Unpack). In TAPL,
Chapters 23 and 24, such side-conditions are implicit, being subsumed by
 7.4 The Language 259

extra well-formedness conditions for typing judgments. Also, we have chosen

to include sufficient explicit type information in terms to ensure that for any
given Γ and t, there is at most one T for which (7.8) holds. Apart from such
minor differences, the rules in Figure 7-1 for inductively generating the valid
FML typing judgments are all quite standard.
The judgment for typing frame stacks takes the form
Γ ` S : T1 Ç T2 (7.9)
where, in terms of the evaluation context corresponding to S, T2 is the overall
type of the context, given that T1 is the type of the hole. The rules for gen-
erating this judgment are given in Figure 7-2. Unlike for terms, we have not
included explicit type information in the syntax of frame stacks; for example,
Id is not tagged with a type. However, it is not hard to see that, given Γ , S,
and T1 , there is at most one T2 for which (7.9) holds. This property is enough
for our purposes, since the argument type of a frame stack will always be
supplied in any particular situation in which we use it.
7.4.3 Exercise [«, 3]: Write Γ ` hS, ti : T to mean that Γ ` S : T0 Ç T and Γ ` t :
T0 hold for some type T0 . Using the relation -→ from Exercise 7.4.2, show that
if ∅ ` hS1 , t1 i : T and hS1 , t1 i -→ hS2 , t2 i, then ∅ ` hS2 , t2 i : T. 2

Unwinding Recursive Functions

In what follows we will need a finiteness property of recursively defined func-

tions with respect to the termination relation. This unwinding property, as
it is called, is a syntactic analog of the fact that the denotation of a re-
cursively defined function is constructed as the least upper bound (lub) of
finite approximations obtained by successively unfolding its definition start-
ing with the bottom denotation, i.e., the totally undefined partial function.
This gives rise to the useful principle of Scott induction in denotational se-
mantics: given an admissible property of denotations, i.e., one closed under
the formation of lubs of increasing chains, to show that it holds of the deno-
tation of recursively defined data it suffices to show that it holds of bottom
and is closed under application of the function that defines the data as a
fixed point. Here we use a syntactic analog of Scott induction for recursively
defined functions, fun f(x:T1 ) = u:T2 , in order to prove the “fundamental
property” (Lemma 7.6.17) of the logical relation constructed in §7.6.
The proof of the unwinding property that we give here is made easier by
our syntax-directed definition of termination using frame stacks. For state-
ments and proofs of similar properties see for example: Mason, Smith, and
Talcott (1996), Section 4.3, Pitts and Stark (1998), Theorem 3.2, Birkedal and
Harper (1999), Section 3.1, and Lassen (1998), Section 4.5.
260 7 Typed Operational Reasoning

7.4.4 Theorem [Unwinding]: Given any closed recursive function value F of the
form fun f(x:T1 )=u:T2 , define the followings abbreviations4 :

def
F0 = fun f(x:T1 ) = (f x) : T2
def
Fn+1 = fun f(x:T1 ) = [f , Fn ]u : T2

Thus F0 is a closed function value describing a function of type T1 →T2 that

diverges when applied to any argument, and the Fn are obtained from this
by repeatedly substituting for the the value variable f in the body u of the
original function value F. Then for all terms t containing at most f free we
have [f , F]t ↓ if and only if (∃n) [f , Fn ]t ↓. 2

Proof: By definition of the relation t ↓ in terms of the relation hS, ti ↓ (via

rule (Term) in Figure 7-2), it suffices to prove the more general property that
for all terms t and frame stacks S (containing at most f free) we have

h[f , F]S, [f , F]ti ↓ a (∃n) h[f , Fn ]S, [f , Fn ]ti ↓ (7.10)

The proof of (7.10) is via a series of straightforward, if somewhat tedious,

inductions that we leave as an exercise. 2

7.4.5 Exercise [«««, 3]: This exercise leads you through a proof of (7.10). First
prove that

h[f , Fn ]S, [f , Fn ]ti ↓ ⇒ h[f , F]S, [f , F]ti ↓ (7.11)

holds for all n, S and t by induction on the derivation of h[f , Fn ]S, [f ,

Fn ]ti ↓ from the rules in Figure 7-2. Conversely show that

h[f , F]S, [f , F]ti ↓ ⇒ (∃n) h[f , Fn ]S, [f , Fn ]ti ↓ (7.12)

holds for all S and t, by induction on the derivation of h[f , F]S, [f , F]ti ↓
from the rules. To do this, you will first need to prove by induction on n that

h[f , Fn ]S, [f , Fn ]ti ↓ ⇒ h[f , Fn+1 ]S, [f , Fn+1 ]ti ↓ (7.13)

holds for all n, S and t; the base case n = 0 involves yet another induction,
this time over the derivation of h[f , F0 ]S, [f , F0 ]ti ↓ from the rules. 2

4. Note that in the definition of Fn+1 , the outer binding instance of f is a dummy, since f does
not occur free in [f , Fn ]u.
 7.5 Contextual Equivalence 261

7.5 Contextual Equivalence

Definition 7.3.2 gave an informal definition of the notion of contextual equiv-

alence that applies to any (typed) programming language. In giving a precise
definition of this notion for the FML language we will take the more abstract,
relational approach of Gordon (1998) and Lassen (1998) that avoids the ex-
plicit use of program contexts t[−] in favor of congruence relations. For one
thing, program contexts are an inconveniently concrete notion, because sub-
stitution of terms t0 for the hole “−” in a context t[−] to produce a term
t[t0 ] may involve the capture of free variables in t0 by binders in t[−]. For
example, when we replace the hole “−” in the context fun f(x:T) = f [−] by
the term f x, its free value variables are captured by the fun-binder. Con-
sequently, contexts have to be treated more concretely than terms since re-
naming their bound variables may not preserve their meaning. For example,
if we identified fun f(x:T) = f [−] with fun g(x:T) = g [−] (where f and g
are distinct value variables), then we should have to identify the results of
filling the hole with f x, that is, we should have to identify the syntactically
unequal terms fun f(x:T) = f(f x) and fun g(x:T) = g(f x). But more than
this, the abstract treatment of contextual equivalence that we use focuses at-
tention upon the key features of this kind of program equality, namely that it
is a congruence and is “adequate” for observing termination. In a nutshell, we
will define contextual equivalence to be the largest type-respecting congru-
ence relation between FML terms that is adequate for observing termination.

7.5.1 Definition: A type-respecting binary relation between FML terms is a set R

of quadruples (Γ , t, t0 , T), each consisting of a typing context, two terms and
a type satisfying Γ ` t : T and Γ ` t0 : T. Figure 7-4 defines the properties
of reflexivity, symmetry, transitivity, substitutivity, and compatibility for such
relations; R has one of these properties if it is closed under the axioms and
rules under the corresponding heading in the figure. In these figures, and
elsewhere, we write Γ ` t R t0 : T instead of (Γ , t, t0 , T) ∈ R. We say that R is

• an equivalence relation if it has the reflexivity, symmetry and transitivity

properties;

• a congruence relation if it is an equivalence relation with the substitutivity

and compatibility properties;

• adequate (for the termination relation ↓ defined in Figure 7-2) if whenever

∅ ` t R t0 : T holds, then t ↓ holds if and only if t0 ↓ does. 2

7.5.2 Definition: We will need to use the following constructions on type-res-

pecting binary relations.
262 7 Typed Operational Reasoning

Reflexivity Γ , X ` v R v0 : T X ∉ ftv(Γ )
Γ `t:T Γ ` λX.v R λX.v : ∀X.T 0

Γ `tRt:T Γ ` v1 R v01 : [X , T1 ]T
Symmetry Γ ` {*T1 ,v1 } as {∃X,T} R
Γ ` t R t0 : T {*T1 ,v01 } as {∃X,T} : {∃X,T}
Γ ` t0 R t : T Γ ` v R v0 : Bool
Transitivity Γ ` t1 R t01 : T Γ ` t2 R t02 : T
Γ ` t R t0 : T Γ ` t0 R t00 : T Γ ` if v then t1 else t2 R
Γ ` t R t00 : T if v0 then t01 else t02 : T
Substitutivity op:Gnd1 ,...,Gndn →Gnd
Γ ` v R v0 : T1 Γ , x : T1 ` t R t0 : T2 (Γ ` vi R v0i : Gndi ) i∈1..n
Γ ` [x , v]t R [x , v0 ]t0 : T2 Γ ` op(vi i∈1..n
) R op(v0i i∈1..n
) : Gnd
Γ, X ` t R t : T 0 Γ ` v1 R v01 : T1 →T2 Γ ` v2 R v02 : T1
Γ ` [X , T1 ]t R [X , T1 ]t0 : [X , T1 ]T Γ ` v1 v2 R v01 v02 : T2
Compatibility Γ ` v R v0 : {li :Ti i∈1..n
}
(x:T) ∈ Γ Γ ` v.lj R v0 .l j : Tj
Γ `xRx:T 0
Γ ` v R v : ∀X.T

Γ ` c R c : Typeof (c) Γ ` v T1 R v0 T1 : [X , T1 ]T
Γ , X, x:T ` t R t0 : T1
Γ , f:T1 →T2 , x:T1 ` t R t0 : T2
X ∉ ftv(Γ , T1 ) Γ ` v R v0 : {∃X,T}
Γ ` fun f(x:T1 )=t:T2 R
Γ ` let {*X,x}=v in t R
fun f(x:T1 )=t0 :T2 : T1 →T2
let {*X,x}=v0 in t0 : T1
(Γ ` vi R v0i : Ti ) i∈1..n
Γ ` t1 R t01 : T1 Γ , x:T1 ` t2 R t02 : T2
Γ ` {li =vi i∈1..n
}R {li =v0i i∈1..n
}
Γ ` let x=t1 in t2 R let x=t01 in t02 : T2
: {li :Ti i∈1..n
}

Figure 7-4: Properties of a type-respecting relation R between FML terms

def
(i) The identity relation is Id = {(Γ , t, t, T) | Γ ` t : T}.

def
(ii) The reciprocal of the relation R is R op = {(Γ , t0 , t, T) | Γ ` t R t0 : T}.

(iii) The composition of relations R1 and R2 is

def
R1 ◦ R2 = {(Γ , t, t00 , T) | ∃t0 . Γ ` t R1 t0 : T & Γ ` t0 R2 t00 : T}.
 7.5 Contextual Equivalence 263

def
(iv) The transitive closure of the relation R is the countable union R + =
S
i∈N Ri , where R0 = R and Ri+1 = R ◦ Ri .

(v) The open extension of the relation R is denoted R ◦ and consists of all
quadruples (Γ , t, t0 , T) such that ∅ ` σ (t) R σ (t0 ) : σ (T) holds for all
Γ -closing substitutions σ . If Γ = X1 , . . . ,Xm , x1 : T1 , . . . ,xn : Tn , then a Γ -
closing substitution is given by a function [Xi , Ti | i = 1..m] mapping the
type variables Xi to closed types Ti and by a function [xj , vj | j = 1..n]
mapping the value variables xj to closed values vj of appropriate type,
namely satisfying ∅ ` vj : [Xi , Ti | i = 1..m]Tj .
(Note that R ◦ only depends on the quadruples of the form (∅, t, t0 , T) in
R.) 2

We wish to define contextual equivalence to be the largest adequate con-

gruence relation, but it is not immediately clear why a largest such relation
exists. Therefore we give a theorem rather than a definition.

7.5.3 Theorem [FML contextual equivalence, =ctx ]: There exists a largest type-
respecting binary relation between FML terms that is a congruence and ade-
quate. We call it contextual equivalence and write it =ctx . 2

Proof: The proof makes use of the following series of facts, only the last of
which is not entirely straightforward to prove (see Exercise 7.5.4).

(i) The identity relation Id is an adequate congruence relation.

(ii) The collection of adequate relations is closed under taking unions.

(iii) Every compatible relation is reflexive, i.e., contains Id.

(iv) The set of all of compatible relations is closed under the operations
of composition and reciprocation; similarly for the set of all substitutive
relations and the set of all adequate relations.

(v) If the union of a non-empty family of compatible relations is transi-

tive, it is also compatible; similarly, if the union of a non-empty family of
reflexive and substitutive relations is transitive, it is also (reflexive and)
substitutive.

Let =ctx be the union of the family of relations that are adequate, compatible
and substitutive. Note that this family is non-empty by (i). By (ii), =ctx is ad-
equate. So it suffices to show that it is a congruence relation. It is certainly
reflexive by (i); and (iv) implies that it is also symmetric and transitive. So it
just remains to show that it is compatible and substitutive, and this follows
from (v), whose proof needs (iii). 2
264 7 Typed Operational Reasoning

7.5.4 Exercise [««]: Prove properties (iii) and (v) stated in the above proof. 2

It is not easy to use either the formulation in terms of contexts in Defi-

nition 7.3.2 or the more abstract characterisation of Theorem 7.5.3 to prove
that a particular pair of terms are contextually equivalent. For example, it is
not easy to see from these characterisations that terms in the primitive reduc-
tion relation of Figure 7-2 are contextually equivalent (Corollary 7.5.8). That
this is so follows from the coincidence of =ctx with a notion of equivalence
popularized by Mason and Talcott (1991).

7.5.5 Definition [ciu-Equivalence, =ciu ]: Two closed FML terms belonging to the
same (closed) type are ciu-equivalent if they have the same termination be-
havior when they are paired with any frame stack (a “use” of the terms);
the relation is extended to open terms via closing substitutions (or “closed
instantiations”—thus we arrive at an explanation of the rather cryptic name
for this equivalence).
More formally, we define =ciu to be the type-respecting relation R ◦ (us-
ing the operation from Definition 7.5.2(v)), where R consists of quadruples
(∅, t, t0 , T) satisfying ∅ ` t : T, ∅ ` t0 : T, and ∀S. hS, ti ↓ a hS, t0 i ↓. 2

7.5.6 Lemma: For any frame stack S and term t, define a term S[t] by induction of
the length of the stack S as follows:

def
Id[t] = t 
(7.14)
S ◦ (x.t0 )[t] = S[let x=t in t0 ] 
def

Then hS, ti ↓ if and only if S[t] ↓ (i.e., hId, S[t]i ↓). 2

Proof: This is proved by induction on the length of S. The base case S = Id

is trivial. The induction step follows from the fact that hS, let x=t in t0 i ↓
holds if and only if it was derived using rule (S-Seq) in Figure 7-4, if and only
if hS ◦ (x.t0 ), ti ↓ holds. 2

7.5.7 Theorem [CIU Theorem for FML ]: The contextual and ciu-equivalence rela-
tions coincide. 2

Proof: We first show that =ctx is contained in =ciu . Suppose

Γ ` t =ctx t0 : T. (7.15)

Since =ctx satisfies the substitutivity and reflexivity properties from Figure 7-4,
it follows that

∅ ` σ (t) =ctx σ (t0 ) : σ (T) (7.16)

 7.5 Contextual Equivalence 265

for any Γ -closing substitution σ . For any frame stack S, since =ctx satisfies
the compatibility (and reflexivity) properties from Figure 7-4, from (7.16) we
deduce that ∅ ` S[σ (t)] =ctx S[σ (t0 )] : σ (T) (using the notation of (7.14)).
Since =ctx is adequate, this means that S[σ (t)] ↓ if and only if S[σ (t0 )] ↓;
hence by Lemma 7.5.6, hS, σ (t)i ↓ if and only if hS, σ (t0 )i ↓. As this holds for
all σ and S, we have Γ ` t =ciu t0 : T, as required.
To complete the proof of the theorem we have to show conversely that
=ciu is contained in =ctx . We can deduce this as a corollary of a stronger
characterisation of =ctx in terms of logical relations (Theorem 7.6.25) that we
establish later; so we postpone the rest of this proof until then. 2

7.5.8 Corollary [Conversions]: The following are valid contextual equivalences:

(i) Γ ` if true then t1 else t2 =ctx t1 : T and

Γ ` if false then t1 else t2 =ctx t2 : T, where Γ ` ti : T for i = 1, 2.

(ii) Γ ` op(ci i∈1..n ) =ctx c : Gnd, where c is the value of op(ci i∈1..n
) and
Typeof (c) = Gnd.

(iii) Γ ` v1 v2 =ctx [f , v1 ][x , v2 ]t : T2 ,

where v1 = fun f(x:T1 )=t:T2 .

(iv) Γ ` {li =vi i∈1..n }.j =ctx vj : Tj ,

where Γ ` {li =vi i∈1..n } : {li :Ti i∈1..n }.

(v) Γ ` (λX.v)T1 =ctx [X , T1 ]v : [X , T1 ]T, where Γ ` v : ∀X.T.

(vi) Γ ` let {*X,x}=({*T1 ,v1 } as {∃X,T}) in t =ctx [X , T1 ][x , v1 ]t :

T2 , where Γ , X, x:T ` t : T2 with X ∉ ftv(Γ , T2 ).

(vii) Γ ` let x=v in t =ctx [x , v]t : T2 , where Γ ` v : T1 and Γ , x:T1 `

t : T2 .

(viii) Γ ` let x1 =t1 in (let x2 =t2 in t) =ctx

let x2 =(let x1 =t1 in t2 ) in t : T, where Γ ` t1 : T1 ,
Γ , x1 :T1 ` t2 : T2 and Γ , x2 :T2 ` t : T. 2

Proof: These are all ciu-equivalences, so we can just apply Theorem 7.5.7 (us-
ing the difficult half of the theorem whose proof we have postponed to §7.6!).
The ciu-equivalences all follow easily from the definition of the termination
relation (Figure 7-2) except for the last one, where one can apply property (7.7)
from Exercise 7.4.2 to reduce proving (viii) for =ciu to the special case when
t1 is a value: see the following exercise. 2
266 7 Typed Operational Reasoning

7.5.9 Exercise [«, 3]: Given

∅ ` t1 : T1
x1 :T1 ` t2 : T2
x2 :T2 ` t : T

use property (7.7) to show for all frame stacks S that

hS ◦ (x1 .let x2 =t2 in t), t1 i ↓ iff hS ◦ (x2 .t) ◦ (x1 .t2 ), t1 i ↓.

Deduce part (viii) of Corollary 7.5.8. 2

7.5.10 Exercise [««]: Recall from Definition 7.5.1 the notion of an adequate type-
respecting binary relation. Let us call a type-respecting binary relation R
true-adequate if, whenever ∅ ` t R t0 : Bool holds, hId, ti -→∗ hId, truei
holds if and only if hId, t0 i -→∗ hId, truei does. Here -→∗ is the relation de-
fined in Exercise 7.4.2. One can adapt the proof of Theorem 7.5.3 to show that
there is a largest type-respecting binary relation =true
ctx between FML terms that
is a congruence and true-adequate. Show that =true ctx coincides with contex-
tual equivalence, =ctx . 2

7.6 An Operationally Based Logical Relation

We now have a precise definition of contextual equivalence for FML terms. Be-
fore showing that the Extensionality Principle 7.3.6 holds for existential types
in FML , we need a precise definition of the action of types on term-relations,
r , T[r ], mentioned in the principle. That is the topic of this section. We will
end up with a characterisation of =ctx in terms of a logical relation, yielding
several useful extensionality properties of contextual equivalence.

7.6.1 Notation: Let Typ denote the set of closed FML types. Given T ∈ Typ, let

• Term(T) denote the set of closed terms of type T, i.e., those terms t for
which ∅ ` t : T holds;

• Val(T) denote the subset of Term(T) whose elements are values; and

• Stack(T) denote the set of closed frame stacks whose argument type is T,
i.e., those frame stacks S for which ∅ ` S : T Ç T0 for some T0 ∈ Typ.

Given T, T0 ∈ Typ, let

• TRel(T, T0 ) denote the set of all subsets of Term(T) × Term(T0 ); we call

its elements term-relations;
 7.6 An Operationally Based Logical Relation 267

• VRel(T, T0 ) denote the set of all subsets of Val(T) × Val(T0 ); we call its
elements value-relations;

• SRel(T, T0 ) denote the the set of all subsets of Stack(T) × Stack(T0 ); we

call its elements stack-relations. 2

Note that every value-relation is also a term-relation (since values are par-
ticular sorts of term): VRel(T, T0 ) ⊆ TRel(T, T0 ). On the other hand we can
obtain a value-relation from a term-relation just by restricting attention to
values: given r ∈ TRel(T, T0 ), define r v ∈ VRel(T, T0 ) by

def
r v = {(v, v0 ) ∈ Val(T) × Val(T0 ) | (v, v0 ) ∈ r }. (7.17)

We will be particularly interested in term-relations r that are indistinguish-

able, as far as termination properties are concerned, from their value restric-
tions, r v . Definition 7.6.3 makes this precise, using a Galois connection be-
tween term-relations and stack-relations. The definition may appear to be
rather mysterious; its nature will emerge as we develop the action of types
on term-relations and its properties. First we recall for the reader what is
meant in general by a “Galois connection.”

7.6.2 Definition: A Galois connection between partially ordered sets (P , ≤P ) and

(Q, ≤Q ) is specified by a pair of functions f : P → Q and g : Q → P satisfying
q ≤Q f (p) if and only if p ≤P g(q), for all p ∈ P and q ∈ Q. 2

7.6.3 Definition [Closed and valuable term-relations]: Let T ∈ Typ and T0 ∈

Typ be closed types. Given a term-relation r ∈ TRel(T, T0 ), define a stack-
relation r s ∈ SRel(T, T0 ) by

(S, S 0 ) ∈ r s if and only if for all (t, t0 ) ∈ r , hS, ti ↓ holds if and only if
hS 0 , t0 i ↓ does.

Conversely, given a stack-relation s ∈ SRel(T, T0 ), define a term-relation s t ∈

TRel(T, T0 ) by

(t, t0 ) ∈ s t if and only if for all (S, S 0 ) ∈ s, hS, ti ↓ holds if and only if
hS 0 , t0 i ↓ does.

Call a term-relation r ∈ TRel(T, T0 ) closed if it satisfies r = r s t and valuable if

it satisfies r = r v s t . 2

7.6.4 Note: The operator (−)s t is denoted (−)>> in Pitts (1998; 2000). 2
268 7 Typed Operational Reasoning

7.6.5 Lemma: The operations (−)s and (−)t for turning term-relations into stack-
relations and vice versa, form a Galois connection:

s ⊆ rs if and only if r ⊆ st . (7.18)

Hence the operator (−)s t on term-relations is monotone (r1 ⊆ r2 implies

(r1 )s t ⊆ (r2 )s t ), inflationary (r ⊆ r s t ), and idempotent ((r s t )s t = r s t ). 2

Proof: If s ⊆ r s , then for any (t, t0 ) ∈ r we have for all (S, S 0 ) ∈ s that
(S, S 0 ) ∈ r s , so hS, ti ↓ iff hS 0 , t0 i ↓; hence (t, t0 ) ∈ s t . Thus s ⊆ r s implies
r ⊆ s t . The converse implication holds by a similar argument. Once we have
(7.18), the other properties follow by standard arguments true of any Galois
connection, which we give in case the reader has not seen them before.
Thus for any term-relation r , since r s ⊆ r s , from (7.18) we conclude that
r ⊆ r s t ; so (−)s t is inflationary (and symmetrically, so is the operator (−)t s
on stack-relations).
Now we can deduce that (−)s and (−)t are order-reversing. For if r1 ⊆ r2 ,
then r1 ⊆ r2 ⊆ r2s t , so by (7.18), r2s ⊆ r1s . Similarly, s1 ⊆ s2 implies s2t ⊆ s1t .
Hence (−)s t is monotone (and so is (−)t s ).
Finally, for idempotence, in view of the inflationary property we just have to
show (r s t )s t ⊆ r s t . But applying (7.18) to r s t ⊆ r s t we get r s ⊆ (r s t )s ; applying
the order-reversing operator (−)t to this yields (r s t )s t ⊆ r s t , as required. 2

7.6.6 Corollary: Every valuable term-relation is—in particular—a closed term-

relation. 2

Proof: Note that because (−)s t is idempotent (by the above lemma), any
term-relation of the form r s t is closed. Thus valuable term-relations (ones
satisfying r = r v s t ) are in particular closed. 2

The following exercise establishes a supply of valuable term-relations that

we will need later.

7.6.7 Exercise [Recommended, ««]: Given any value-relation r ∈ VRel(T, T0 ), show

that r s t is valuable, i.e., satisfies r s t = (r s t )v s t . 2

Closed term-relations (and hence also valuable term-relations) have excel-

lent “admissibility” properties that we record in the following lemma.

7.6.8 Lemma: If r ∈ TRel(T, T0 ) satisfies r = r s t (and in particular if it is valuable),

then it has the following properties.

Equivalence-respecting If (t, t0 ) ∈ r , ∅ ` t =ciu t1 : T, and ∅ ` t0 =ciu t01 :

T, then (t1 , t01 ) ∈ r .
 7.6 An Operationally Based Logical Relation 269

def
Admissibility Given recursive function values F = fun f(x:T1 )=u:T2 and
def
F0 = fun f(x:T1 )=u0 :T2 , let Fn and F0n (n = 0, 1, . . .) be their “unwindings,”
as in Theorem 7.4.4. If ([x , Fn ]t, [x , F0n ]t0 ) ∈ r for all n = 0, 1, . . ., then
([x , F]t, [x , F0 ]t0 ) ∈ r . 2

Proof: Suppose (t, t0 ) ∈ r , ∅ ` t =ciu t1 : T and ∅ ` t0 =ciu t01 : T. To see

that (t1 , t01 ) ∈ r , since r = (r s )t , it suffices to show for all (S, S 0 ) ∈ r s that
hS, t1 i ↓ iff hS 0 , t01 i ↓. But

hS, t1 i ↓ iff hS, ti ↓ (since ∅ ` t =ciu t1 : T)

0 0
iff hS , t i ↓ (since (S, S 0 ) ∈ r s and (t, t0 ) ∈ r )
iff hS 0 , t01 i ↓ (since ∅ ` t0 =ciu t01 : T).

For the Admissibility property we apply the Unwinding Theorem. Suppose

([x , Fn ]t, [x , F0n ]t0 ) ∈ r holds for all n = 0, 1, . . .. Then for any (S, S 0 ) ∈ r s
we have

hS, [x , F]ti ↓
iff for some n, hS, [x , Fn ]ti ↓ (by Theorem 7.4.4)
iff for some n, hS 0 , [x , F0n ]t0 i ↓ (since (S, S 0 ) ∈ r s and
([x , Fn ]t, [x , F0n ]t0 ) ∈ r )
iff hS, [x , F0 ]t0 i ↓ (by Theorem 7.4.4 again)

and therefore ([x , F]t, [x , F0 ]t0 ) ∈ (r s )t ; but r s t = r . 2

7.6.9 Definition [Action of types on term-relations]: The action of types on

term-relations takes the following form: if T(X) is a type whose free type
variables lie among the list X = X1 , . . . , Xn , then given a corresponding list
of term relations r1 ∈ TRel(T1 , T01 ), . . . , rn ∈ TRel(Tn , T0n ), we define a term
relation T[r ] ∈ TRel([X , T]T, [X , T0 ]T). The definition is by induction on
the structure of T as follows.
def
Xi [r ] = (ri )v s t
def
Gnd[r ] = (Id Gnd )s t
def
(T1 →T2 )[r ] = fun(T1 [r ], T2 [r ])s t
def
{li :Ti i∈1..n
}[r ] = {li =Ti [r ] i∈1..n }s t
def
(∀X.T)[r ] = (λr .T[r , r ])s t
def
{∃X,T}[r ] = {∃r ,T[r , r ]}s t
270 7 Typed Operational Reasoning

Id Gnd ∈ VRel(Gnd, Gnd) λr .R(r ) ∈ VRel(∀X.T, ∀X.T0 ),

is {(c, c) | Typeof (c) = Gnd}. given R(r ) ∈ TRel([X , T1 ]T, [X , T01 ]T0 )) for
r ∈ TRel(T1 , T01 ) and T1 , T01 ∈ Typ,
fun(r1 , r2 ) ∈ VRel(T1 →T2 , T01 →T02 ), is defined by:
given r1 ∈ TRel(T1 , T01 ) and r2 ∈ TRel(T2 , T02 ),
(v, v0 ) ∈ λr .R(r ) if and only if for all
is defined by:
T1 , T01 ∈ Typ and all r ∈ TRel(T1 , T01 ), it
(v, v0 ) ∈ fun(r1 , r2 ) if and only if for all is the case that (v T1 , v0 T01 ) ∈ R(r ).
(v1 , v01 ) ∈ (r1 )v , it is the case that
(v v1 , v0 v01 ) ∈ r2 . {∃r ,R(r )} ∈ VRel({∃X,T}, {∃X,T0 }),
given R(r ) ∈ TRel([X , T1 ]T, [X , T01 ]T0 )) for
} ∈ VRel({li :Ti i∈1..n }, r ∈ TRel(T1 , T01 ) and T1 , T01 ∈ Typ,
i∈1..n
{li =ri
{li :T0i i∈1..n }) is defined by:
0 i∈1..n
given (ri ∈ TRel(Ti , Ti ) ), (v, v0 ) ∈ {∃r ,R(r )} if and only if there
is defined by: exist T1 , T01 ∈ Typ, r ∈ TRel(T1 , T01 ) and
(v, v0 ) ∈ {li =ri i∈1..n } if and only if for all (v1 , v01 ) ∈ R(r ) with
i ∈ 1..n, it is the case that v = {*T1 ,v1 } as {∃X,T} and
(v.li , v0 .li ) ∈ ri . v0 = {*T01 ,v01 } as {∃X,T0 }.

Figure 7-5: Type-directed constructions on term-relations

In addition to the operations on term-, value- and stack-relations given in

Definition 7.6.3, these definitions make use of the operations for constructing
value-relations from term-relations given in Figure 7-5. 2

We can use the action of types on term-relations to define a type-respecting

binary relation between open terms (in the sense of Definition 7.5.1) by in-
sisting that if we substitute related terms for the free value variables, the re-
sulting terms are still related. This “mapping related things to related things”
property is the common characteristic of the wide variety of constructs called
logical relations that have arisen since the seminal work of Plotkin (1973) and
Statman (1985) concerning simply typed λ-calculus; see also Chapter 6.

7.6.10 Definition [Logical relation, ∆]: Given Γ ` t : T and Γ ` t0 : T, with

Γ = X1 , . . . ,Xm , x1 : T1 , . . . ,xn : Tn say, we write Γ ` t ∆ t0 : T to mean that
for all Γ -closing substitutions σ , σ 0 (cf. Definition 7.5.2(v)) and all families of
term-relations r = (ri ∈ TRel(σ (Xi ), σ 0 (Xi )) i∈1..m ), if (σ (xj ), σ 0 (xj )) ∈ Tj [r ]v
holds for each j = 1, . . . , n, then (σ (t), σ 0 (t 0 )) ∈ T[r ]. 2

7.6.11 Remark: Since it is far from straightforward, the form of Definitions 7.6.9
and 7.6.10 deserves some explanation. These definitions embody certain ex-
 7.6 An Operationally Based Logical Relation 271

tensionality and parametricity properties (see §7.7 and Theorem 7.7.8) that
we wish to show hold for FML contextual equivalence: eventually we show
that the above logical relation ∆ coincides with contextual equivalence (Theo-
rem 7.6.25). To get that coincidence we have to formulate the definition of ∆
so that it satisfies the crucial property of Lemma 7.6.17 below (the so-called
fundamental property of the logical relation) and is adequate (Lemma 7.6.24).
The definition of the action of types on term-relations in Definition 7.6.9 is
carefully formulated to ensure these properties hold.
First of all, note the use of closing substitutions to reduce the logical re-
lation for open terms to that for closed ones. This builds in the “instantia-
tion” aspect of ciu-equivalence that we wish to prove of contextual equiva-
lence. (It also means that the logical relation has the “monotonicity” prop-
ertymonotonicity property of logical relations considered in Chapter 6.)
Secondly, we want T[r ] to always be a closed term-relation, because then it
has the equivalence-respecting and admissibility properties noted in Lemma
7.6.8. This accounts for the use of (−)s t in the definition. The (−)s and (−)t
operators build into the logical relation a delicate interplay between terms
and frame stacks. Of course this relies on the formulation of the operational
semantics of FML in §7-3: although more traditional “big-step” or “small-
step” operational semantics lead to the same termination relation (cf. Exer-
cise 7.4.2), the pairing between frame stacks and terms defined in Figure 7-2
is ideal for our purposes.
Lastly, the call-by-value nature of FML dictates that relational parametric-
ity properties of polymorphic types should be with respect to term-relations
that are valuable; but instead of letting r range over such relations in the
definition of (∀X.T)[r ] and {∃X,T}[r ] we have used an equivalent formula-
tion in which r ranges over all term-relations (of appropriate type), but type
variables X are interpreted using the closure of the value-restriction opera-
tor (−)v : for in fact as r ranges over all term-relations, r v s t ranges over all
valuable term-relations. 2

The rest of this section is devoted to showing that contextual equivalence

and ciu-equivalence coincide with the logical relation.

7.6.12 Lemma: Each of the term relations T[r ] defined in Definition 7.6.9 is valuable,
i.e., satisfies T[r ] = T[r ]v s t , and hence in particular by Corollary 7.6.6 is
closed. 2

Proof: It is immediate from the definition that each T[r ] is of the form r s t
for some value-relation r ; so just apply Exercise 7.6.7. 2

The following lemma helps with calculations involving the action on term-
relations of function types. We give its proof in detail since it typifies the kind
272 7 Typed Operational Reasoning

of reasoning needed when working with the Galois connection given by the
(−)s and (−)t operators. (For related properties for record and ∀-types, see
Exercise 7.6.14.)

7.6.13 Lemma: The operation fun(−, −) from Definition 7.6.9(ii) satisfies

fun(r1 , (r2 )s t )s t v = fun(r1 , (r2 )s t ) (7.19)

vst st st
fun((r1 ) , (r2 ) ) = fun(r1 , (r2 ) ). (7.20)

Proof: To prove (7.19), first note that since (−)s t is inflationary (Lemma 7.6.5)
we have fun(r1 , (r2 )s t ) ⊆ fun(r1 , (r2 )s t )s t ; and since fun(r1 , (r2 )s t ) is a value-
relation, it follows that fun(r1 , (r2 )s t ) ⊆ fun(r1 , (r2 )s t )s t v . For the reverse
inclusion it suffices to prove

fun(r1 , (r2 )s t )s t ⊆ fun(r1 , (r2 )s t ) (7.21)

and then apply (−)v to both sides (noting that fun(r1 , (r2 )s t ), being a value-
relation, is equal to fun(r1 , (r2 )s t )v ). For (7.21) we use the following simple
property of the termination relation (Figure 7-2) with respect to application:

hS ◦ (f.f v1 ), vi ↓ a hS, v v1 i ↓

and hence

(hS, v v1 i ↓ a hS 0 , v0 v01 i ↓) a
(hS ◦ (f.f v1 ), vi ↓ a hS 0 ◦ (f.f v01 ), v0 i ↓) (7.22)

If (v, v0 ) ∈ fun(r1 , (r2 )s t ) and (v1 , v01 ) ∈ (r1 )v , then we have (v v1 , v0 v01 ) ∈
(r2s )t by definition of the fun(−, −) operation on term-relations (Figure 7-5).
So if (S, S 0 ) ∈ (r2 )s , then

hS, v v1 i ↓ a hS 0 , v0 v01 i ↓

and hence by (7.22)

hS ◦ (f.f v1 ), vi ↓ a hS 0 ◦ (f.f v01 ), v0 i ↓.

Since this holds for all (v, v0 ) ∈ fun(r1 , (r2 )s t ), we deduce that

(S, S 0 ) ∈ (r2 )s & (v1 , v01 ) ∈ (r1 )v ⇒

(S ◦ (f.f v1 ), S 0 ◦ (f.f v01 )) ∈ fun(r1 , (r2 )s t )s .

So for any (S, S 0 ) ∈ (r2 )s and (v1 , v01 ) ∈ (r1 )v , since

(S ◦ (f.f v1 ), S 0 ◦ (f.f v01 )) ∈ fun(r1 , (r2 )s t )s

7.6 An Operationally Based Logical Relation 273

it follows that if

(v, v0 ) ∈ fun(r1 , (r2 )s t )s t (7.23)

then hS ◦ (f.f v1 ), vi ↓ a hS 0 ◦ (f.f v01 ), v0 i ↓, and hence by (7.22) it fol-

lows that hS, v v1 i ↓ a hS 0 , v0 v01 i ↓. Since this holds for all (S, S 0 ) ∈ (r2 )s ,
it follows that (v v1 , v0 v01 ) ∈ (r2 )s t whenever (v1 , v01 ) ∈ (r1 )v . So (v, v0 ) ∈
fun(r1 , (r2 )s t ) whenever (7.23) holds; thus we have proved the inclusion in
(7.21), as required.
Turning to the proof of (7.20), first note that since since (−)s t is inflation-
ary, we have (r1 )v ⊆ (r1 )v s t . So since fun(−, −) is clearly order-reversing
in its first argument, we have fun((r1 )v s t , (r2 )s t ) ⊆ fun((r1 )v , (r2 )s t ); and
fun((r1 )v , (r2 )s t ) = fun(r1 , (r2 )s t ), because fun(−, −) only depends upon the
values related by its first argument. Thus to prove (7.20), we just have to show

fun(r1 , (r2 )s t ) ⊆ fun((r1 )v s t , (r2 )s t ). (7.24)

For this we use the following fact about termination

hS ◦ (x.v x), v1 i ↓ a hS, v v1 i ↓

which is immediate from the definition in Figure 7-2. From this it follows that

(hS, v v1 i ↓ a hS 0 , v0 v01 i ↓) a
(hS ◦ (x.v x), v1 i ↓ a hS 0 ◦ (x.v0 x), v01 i ↓) (7.25)

If (v, v0 ) ∈ fun(r1 , (r2 )s t ) and (v1 , v01 ) ∈ (r1 )v , then by definition of fun(−, −)
we have (v v1 , v0 v01 ) ∈ (r2 )s t . So if (S, S 0 ) ∈ (r2 )s , then

hS, v v1 i ↓ a hS 0 , v0 v01 i ↓

and hence by (7.25) we have

hS ◦ (x.v x), v1 i ↓ a hS 0 ◦ (x.v0 x), v01 i ↓.

Since this holds for all (v1 , v01 ) ∈ (r1 )v , we deduce that

(S, S 0 ) ∈ (r2 )s & (v, v0 ) ∈ fun(r1 , (r2 )s t ) ⇒

(S ◦ (x.v x), S 0 ◦ (x.v0 x)) ∈ (r1 )v s .

So for any (S, S 0 ) ∈ (r2 )s and (v, v0 ) ∈ fun(r1 , (r2 )s t ), since (S ◦ (x.v x), S 0 ◦
(x.v0 x)) ∈ (r1 )v s , it follows for any (v1 , v01 ) ∈ ((r1 )v s t )v ⊆ ((r1 )v s )t that
we have hS ◦ (x.v x), v1 i ↓ a hS 0 ◦ (x.v0 x), v01 i ↓, and hence by (7.25) that
hS, v v1 i ↓ a hS 0 , v0 v01 i ↓. Since this holds for all (S, S 0 ) ∈ (r2 )s , it follows that
(v v1 , v0 v01 ) ∈ (r2 )s t . Hence (v, v0 ) ∈ fun((r1 )v s t , (r2 )s t ) whenever (v, v0 ) ∈
fun(r1 , (r2 )s t ), as required for (7.24). 2
274 7 Typed Operational Reasoning

7.6.14 Exercise [Recommended, «]: Show that constructions (iii) and (iv) in Defini-
tion 7.6.9 satisfy

{li =(ri )s t i∈1..n

}s t v = {li =(ri )s t i∈1..n
} (7.26)
st st v st
(λr .R(r ) ) = λr .R(r ) . (7.27)

(Cf. the proof of Lemma 7.6.13.) 2

7.6.15 Lemma: For all ground types Gnd, (Id Gnd )s t v = Id Gnd . 2

Proof: Since (−)s t is idempotent (Lemma 7.6.5), we have Id Gnd ⊆ (Id Gnd )s t ;
and since Id Gnd is a value-relation it follows that Id Gnd ⊆ (Id Gnd )s t v . To prove
the reverse inclusion, for each constant c of type Gnd consider

def
diverge = (fun f(b:Bool) = f b : Bool)true
def
Sc = Id ◦ (x. if x=c then true else diverge).

Note that for all constants c0 of type Gnd

hSc , c0 i ↓ a c = c0 . (7.28)

Furthermore, since (c0 , c00 ) ∈ Id Gnd iff c0 = c00 , we have that (Sc , Sc ) ∈ (Id Gnd )s ;
so if the constants c and c0 satisfy (c, c0 ) ∈ (Id Gnd )s t , then we have hSc , ci ↓ a
hSc , c0 i ↓. So by (7.28), (c, c0 ) ∈ (Id Gnd )s t implies c = c0 ; thus (Id Gnd )s t v ⊆
Id Gnd . 2

7.6.16 Lemma: The action of types on term-relations of Definition 7.6.9 has the fol-
lowing substitution property. For any types T and T0 with ftv(T) ⊆ X, X and
ftv(T0 ) ⊆ X, it is the case that ([X , T0 ]T)[r ] = T[T0 [r ], r ]. 2

Proof: This follows by induction on the structure of the type T; for the base
case when T = X, use Lemma 7.6.12. 2

7.6.17 Lemma [Fundamental property of the logical relation]: The logical re-
lation ∆ of Definition 7.6.10 has the substitutivity and compatibility proper-
ties defined in Figure 7-4. 2

Proof: The first substitutivity property in Figure 7-4 (closure under substi-
tuting values for value variables) holds for ∆ because of the way it is de-
fined in terms of closing substitutions. The second substitutivity property
(closure under substituting types for types variables) holds for ∆ because of
Lemma 7.6.16.
7.6 An Operationally Based Logical Relation 275

Now consider the compatibility properties given in Figure 7-4. There is one
for each clause in the grammar of FML terms and values (Figure 7-1). We con-
sider each in turn, giving the details in some cases and setting the others as
exercises (with solutions).
Value variables: This case is immediate from the definition of ∆ in Defini-
tion 7.6.10.
Constants: We have to show for each constant c, with Typeof (c) = Gnd
say, that (c, c) ∈ Gnd[r ] = (Id Gnd )s t . But by definition of Id Gnd (Figure 7-5),
(c, c) ∈ Id Gnd ; and Id Gnd ⊆ (Id Gnd )s t by Lemma 7.6.5.
Recursive functions: Using property (7.19) and the fact that each T[r ] is
valuable and hence closed (Lemma 7.6.12), the compatibility property for re-
cursive functions reduces to proving the property in Exercise 7.6.18.
Record values: This case follows from the property in Exercise 7.6.19.
Type abstractions: This case follows from the property in Exercise 7.6.20.
Package values: This case follows easily from the definition of {∃r ,R(r )}
in Figure 7-5, using Lemma 7.6.16.
Conditionals: This case follows from the property in Exercise 7.6.21.
Operations: In view of Lemma 7.6.15, this compatibility property follows
once we prove (op(ci i∈1..n ), op(ci i∈1..n )) ∈ (Id Gnd )s t for any (suitably typed)
constants ci and operator op. But if the value of op(ci i∈1..n ) is the constant c
say, then for any S

i∈1..n
hS, op(ci )i ↓ a hS, ci ↓.

Hence for any (S, S 0 ) ∈ (Id Gnd0 )s (where Gnd0 = Typeof (c)), we have
i∈1..n
hS, op(ci )i ↓ a hS, ci ↓
a hS 0 , ci ↓ (since (c, c) ∈ Id Gnd0 )
0 i∈1..n
a hS , op(ci )i ↓.

So we do indeed have (op(ci i∈1..n ), op(ci i∈1..n )) ∈ (Id Gnd )s t .

Applications: This case amounts to proving that if recursive function values
v and v0 satisfy (v, v0 ) ∈ fun(r1 , r2 )s t for some closed term-relations r1 and
r2 , then for any (v1 , v01 ) ∈ r1 it is the case that (v v1 , v0 v01 ) ∈ r2 . But this
property follows immediately from the definition of fun(−, −) using the first
part of Lemma 7.6.13: for

(v, v0 ) ∈ fun(r1 , r2 )s t v
= fun(r1 , (r2 )s t )s t v (since r2 is closed)
st
= fun(r1 , (r2 ) ) (by (7.19))
= fun(r1 , r2 ) (since r2 is closed).
276 7 Typed Operational Reasoning

Projections: This case is similar to the previous one, but using property
(7.26) from Exercise 7.6.14 rather than (7.19).
Type applications: This case is similar to the previous one, using property
(7.27) from Exercise 7.6.14.
Unpacking: This case follows from the property in Exercise 7.6.22.
Sequencing: This case follows from the property in Exercise 7.6.23. 2

7.6.18 Exercise [Recommended, «««]: Suppose

def
F = fun f(x:T1 )=t:T2 ∈ Val(T1 →T2 )
def
F0 = fun f(x:T01 )=t0 :T02 ∈ Val(T01 →T02 )
r1 ∈ TRel(T1 , T01 )
r2 ∈ TRel(T2 , T02 )

satisfy r2 = (r2 )s t and

([f , v][x , v1 ]t, [f , v0 ][x , v01 ]t0 ) ∈ r2 , (7.29)

for all (v, v0 ) ∈ fun(r1 , r2 ) and (v1 , v01 ) ∈ (r1 )v .

Use the admissibility property of valuable term-relations established in Lem-

ma 7.6.8 to show that (F, F0 ) ∈ fun(r1 , r2 ). 2

7.6.19 Exercise [««]: Suppose for i ∈ 1..n that vi ∈ Val(Ti ), v0i ∈ Val(T0i ) and ri ∈
TRel(Ti , T0i ) with ri = (ri )s t . Putting

def i∈1..n i∈1..n

v = {li =vi } ∈ Val({li :Ti })
def
v0 = {li =v0i i∈1..n
} ∈ Val({li :T0i i∈1..n
})

show that if (vi , v0i ) ∈ ri for i ∈ 1..n, then (v, v0 ) is in the value-relation
{li =ri i∈1..n } defined in Figure 7-5. 2

7.6.20 Exercise [««]: Let T and T0 be types with at most X free. For each T1 , T01 ∈ Typ
and r ∈ TRel(T1 , T01 ) suppose we are given a closed term-relation R(r ) in
TRel([X , T1 ]T, [X , T01 ]T0 )) (i.e., R(r ) = R(r )s t ). Show that if the values v
and v0 satisfy

X`v:T
X ` v0 : T0
∀T1 , T01 ∈ Typ, r ∈ TRel(T1 , T01 ). ([X , T1 ]v, [X , T01 ]v0 ) ∈ R(r )

then (λX.v, λX.v0 ) is in the value-relation λr .R(r ) defined in Figure 7-5. 2

 7.6 An Operationally Based Logical Relation 277

7.6.21 Exercise [««]: Suppose (v, v0 ) ∈ (Id Bool )s t and (t1 , t01 ), (t2 , t02 ) ∈ r , where
r ∈ TRel(T, T0 ) is closed (i.e., r = (r )s t ). Show that

(if v then t1 else t2 , if v0 then t01 else t02 )

is in r . 2

7.6.22 Exercise [««]: Let T and T0 be types with at most X free. For each T1 , T01 ∈ Typ
and r1 ∈ TRel(T1 , T01 ) suppose we are given a closed term-relation R(r1 ) =
R(r1 )s t in TRel([X , T1 ]T, [X , T01 ]T0 )). Suppose we are also given a closed
term-relation r2 = (r2 )s t ∈ TRel(T2 , T02 ) for some closed types T2 , T02 ∈ Typ.
Show that if the terms t, t0 satisfy

X, x : T ` t : T2
X, x : T0 ` t0 : T02
∀T1 , T01 ∈ Typ, r1 ∈ TRel(T1 , T01 ), (v1 , v01 ) ∈ (r1 )v .
([X , T1 ][x , v1 ]t, [X , T1 ][x , v1 ]t) ∈ r2

then whenever (v, v0 ) ∈ {∃r1 ,R(r1 )}s t v , it is also the case that

(let {*X,x}=v in t, let {*X,x}=v0 in t0 )

is in r2 . 2

7.6.23 Exercise [««]: Suppose we are given r1 ∈ TRel(T1 , T01 ), r2 ∈ TRel(T2 , T02 ) with
r1 valuable (i.e., r1 = (r1 )v s t ) and r2 closed (i.e., r2 = (r2 )s t ). Show that if the
terms t2 , t02 satisfy

x : T1 ` t2 : T2
x : T01 ` t02 : T02
∀(v1 , v01 ) ∈ (r1 )v . ([x , v1 ]t2 , [x , v01 ]t02 ) ∈ r2

then whenever (t1 , t01 ) ∈ r1 , it is also the case that

(let x=t1 in t2 , let x=t01 in t02 )

is in r2 . 2

7.6.24 Lemma [Adequacy]: The logical relation ∆ is adequate (Definition 7.5.1). 2

Proof: Suppose ∅ ` t ∆ t0 : T; we have to show that t ↓ holds iff t0 ↓ does,

or equivalently that

hId, ti ↓ iff hId, t0 i ↓. (7.30)

278 7 Typed Operational Reasoning

Unraveling Definition 7.6.10, the assumption that the closed terms t and t0
of closed type T are ∆-related means that (t, t0 ) ∈ T[], the latter being the
action of the type T on the empty list of term-relations. By Lemma 7.6.12, T[]
is valuable; so (t, t0 ) ∈ T[]v s t . Hence to prove (7.30), it suffices to show that
(Id, Id) ∈ (T[]v )s ; but for any (v, v0 ) ∈ T[]v ,

hId, vi ↓ iff hId, v0 i ↓

holds trivially by axiom (S-NilVal) in Figure 7-2. 2

We are finally able to put all the pieces together and prove the main result
of this section. At the same time we complete the proof of Theorem 7.5.7.

7.6.25 Theorem [=ctx equals ∆ equals =ciu ]: FML contextual equivalence, =ctx , (as
defined in Theorem 7.5.3) coincides with the logical relation ∆ of Defini-
tion 7.6.10 and with ciu-equivalence, =ciu (Definition 7.5.5): Γ ` t =ctx t0 : T
holds if and only if Γ ` t ∆ t0 : T does, if and only if Γ ` t =ciu t0 : T does. 2

Proof: It suffices to show that the following chain of inclusions holds:

(1) (3) (2)

=ctx ⊆ =ciu ⊆ ∆ ⊆ =ctx .

(1) This is the half of Theorem 7.5.7 that we have already proved in §7.5.

(2) We have not yet shown that ∆ is an equivalence relation; and in fact we
will only deduce this once we have shown that it coincides with =ctx and
=ciu (which are easily seen to be equivalence relations). However, we have
shown that ∆ is compatible, substitutive and adequate (Lemmas 7.6.17 and
7.6.24). In the proof of Theorem 7.5.3 we constructed =ctx as the union of
all such type-respecting relations, without regard to whether they were
also equivalence relations; therefore ∆ is contained in =ctx .

(3) Noting how =ciu and ∆ are defined on open terms via substitutions, we
can combine the first part of Lemma 7.6.8 with Lemma 7.6.12 to give

Γ ` t =ciu t0 : T & Γ ` t0 ∆ t00 : T ⇒ Γ ` t ∆ t00 : T. (7.31)

We noted in the proof of Theorem 7.5.3 that every compatible term-relation

is reflexive. (This is easily proved by induction on the structure of terms.)
So since ∆ is compatible (Lemma 7.6.17) it is in particular reflexive. So
we can take t0 = t00 in (7.31) to deduce that Γ ` t =ctx t0 : T implies
Γ ` t ∆ t0 : T. 2
 7.7 Operational Extensionality 279

7.7 Operational Extensionality

In this section we develop some of the consequences of Theorem 7.6.25.

Now that we know that contextual equivalence coincides with ciu-equivalence
(Theorem 7.5.7), when giving general properties of =ctx we restrict attention
to closed terms of closed type where possible, since the corresponding prop-
erty for open terms can be obtained via closing substitutions.

7.7.1 Theorem [Extensionality for values]: We now give extensionality princi-

ples for the various types of value; for package values, the principle is a for-
malization of the final one discussed in the Introduction (Principle 7.3.6).

1. Constants: Given constants c, c0 of the same ground type, Gnd say, ∅ `

c =ctx c0 : Gnd holds if and only if c = c0 .

2. Functions: Given f:T1 →T2 , x:T1 ` t : T2 and f:T1 →T2 , x:T1 ` t0 : T2 ,

writing v and v0 for the recursive function values fun f(x:T1 )=t:T2 and
fun f(x:T1 )=t0 :T2 respectively, then ∅ ` v =ctx v0 : T1 →T2 if and only
if for all ∅ ` v1 : T1 , it is the case that ∅ ` [f , v][x , v1 ]t =ctx [f ,
v0 ][x , v1 ]t0 : T2 .

3. Records: Given values ∅ ` vi : Ti and ∅ ` v0i : Ti for i ∈ 1..n, then

∅ ` {li =vi i∈1..n } =ctx {li =v0i i∈1..n } : {li :Ti i∈1..n } if and only if for each
i ∈ 1..n, ∅ ` vi =ctx v0i : Ti .

4. Type abstractions: Given X ` v : T and X ` v0 : T, then ∅ ` λX.v =ctx

λX.v0 : ∀X.T if and only if for all closed types T0 , ∅ ` [X , T0 ]v =ctx [X ,
T0 ]v0 : [X , T0 ]T.

5. Packages: For any closed existential type {∃X,T}, closed types T1 , T2 , and
values ∅ ` vi : [X , Ti ]T (i = 1, 2),

∅ ` {*T1 ,v1 } as {∃X,T} =ctx {*T2 ,v2 } as {∃X,T} : {∃X,T}

holds if there is some term-relation r ∈ TRel(T1 , T2 ) with (v1 , v2 ) ∈ T[r ]. 2

Proof:

1. The property for constants follows from Lemma 7.6.15 combined with
Theorem 7.6.25.

2. Suppose for all ∅ ` v1 : T1 that

∅ ` [f , v][x , v1 ]t =ctx [f , v0 ][x , v1 ]t0 : T2 (7.32)

280 7 Typed Operational Reasoning

where v and v0 are as in part 2 of the theorem. To show ∅ ` v =ctx

v0 : T1 →T2 , by Theorem 7.6.25 it suffices to show ∅ ` v ∆ v0 : T1 →T2 ,
i.e., that (v, v0 ) ∈ (T1 →T2 )[] = fun(T1 [], T2 [])s t . In fact we show that
(v, v0 ) ∈ fun(T1 [], T2 []). For this we have to prove that if (v1 , v01 ) ∈ T1 []v ,
then (v v1 , v0 v01 ) ∈ T2 []. By Theorem 7.6.25 again, this is the same as
showing: if ∅ ` v1 =ctx v01 : T1 , then ∅ ` v v1 =ctx v0 v01 : T2 . As noted in
Corollary 7.5.8, we can turn the primitive reduction for function applica-
tion into a ciu-equivalence and hence by Theorem 7.6.25 into a contextual
equivalence:

∅ ` v v1 =ctx [f , v][x , v1 ]t : T2 (7.33)

and similarly for v0 v01 . Therefore we just need to show: if ∅ ` v1 =ctx v01 :
T1 , then ∅ ` [f , v][x , v1 ]t =ctx [f , v0 ][x , v01 ]t0 : T2 . But this
follows from the assumption (7.32) using the reflexivity and substitutivity
properties of =ctx . So we have established one half (the difficult half) of
the property in 2. For the converse, if ∅ ` v =ctx v0 : T1 →T2 , then for any
∅ ` v1 : T1 , the compatibility properties of =ctx give ∅ ` v v1 =ctx v0 v1 :
T2 ; and then as before, we can compose with (7.33) to get (7.32).

3. We leave the extensionality property for records as an exercise (7.7.2).

4. For the property for type abstractions, suppose

∀T0 ∈ Typ. ∅ ` [X , T0 ]v =ctx [X , T0 ]v0 : [X , T0 ]T. (7.34)

Note that since ∆ coincides with =ctx (Theorem 7.6.25) it is reflexive and
hence X ` v ∆ v : T holds. According to Definition 7.6.10 this means
that for all T1 , T01 ∈ Typ and r ∈ TRel(T1 , T01 ), ([X , T1 ]v, [X , T01 ]v) ∈
T[r ]. Since T[r ] is closed (Lemma 7.6.12), we can combine (7.34) with the
first part of Lemma 7.6.8 (using =ctx in place of =ciu by virtue of Theo-
rem 7.6.25) to conclude that ([X , T1 ]v, [X , T01 ]v0 ) ∈ T[r ] for all r . Then
using the equivalence in Corollary 7.5.8(v), we have

∀T1 , T01 ∈ Typ, r ∈ TRel(T1 , T01 ). ((λX.v)T1 , (λX.v0 )T01 ) ∈ T[r ]

and hence (λX.v, λX.v0 ) is in λr .T[r ]. Since λr .T[r ] ⊆ (λr .T[r ])s t and
the latter is equal to (∀X.T)[] by definition, we have ∅ ` λX.v ∆ λX.v0 :
∀X.T, and hence by Theorem 7.6.25, ∅ ` λX.v =ctx λX.v0 : ∀X.T. So
we have established one half (the difficult half) of the property in 4. The
argument for the other half is similar to that for property 2, using Corol-
lary 7.5.8(v) and the congruence properties of =ctx .
 7.7 Operational Extensionality 281

5. Finally, let us consider the extensionality property for package values.

(Note that unlike the other four, this only gives a sufficient condition for
contextual equivalence; Example 7.7.4 below shows that the condition is
not necessary.) If (v1 , v2 ) ∈ T[r ], then from Definition 7.6.9 we have

({*T1 ,v1 } as {∃X,T}, {*T2 ,v2 } as {∃X,T}) ∈ {∃r ,T[r ]}

⊆ {∃r ,T[r ]}s t
= {∃X,T}[].

Thus ∅ ` {*T1 ,v1 } as {∃X,T} ∆ {*T2 ,v2 } as {∃X,T} : {∃X,T} and we

can apply Theorem 7.6.25 to get the desired contextual equivalence. 2

7.7.2 Exercise [««, 3]: Use Theorem 7.6.25, Corollary 7.5.8 and the definition of
the term-relation {li =ri i∈1..n } in Definition 7.6.9 to deduce extensionality prop-
erty 3 of Theorem 7.7.1. 2

To see how Theorem 7.7.1(5) can be used in practice, we will apply it to

establish the contextual equivalence of Example 7.3.5 from the Introduction.

7.7.3 Example: Recall the type Semaphore and its values semaphore1 , semaphore2
from Example 7.3.5. To show ∅ ` semaphore1 =ctx semaphore2 : Semaphore
using Theorem 7.7.1(5), it suffices to show that (v1 , v2 ) ∈ T[r ] where

def
T = {bit:X, flip:X→X, read:X→Bool}
def
v1 = {bit=true, flip=λx:Bool.not x, read=λx:Int.x}
def
v2 = {bit=1, flip=λx:Int.0-2*x, read=λx:Int.x >= 0}

and r ∈ VRel(Bool, Int) is

def
r = {(true, m) | m = (−2)n for some even n ≥ 0} ∪
{(false, m) | m = (−2)n for some odd n ≥ 0}.

Since r is a value-relation, we can use Lemma 7.6.13 to slightly simplify T[r ]:

def
T[r ] = {bit=r s t , flip=fun(r s t , r s t )s t , read=fun(r s t , Id sBool
t
)s t }s t
= {bit=r s t , flip=fun(r , r s t )s t , read=fun(r , Id sBool
t
)s t }s t .

So since (−)s t is inflationary, to prove (v1 , v2 ) ∈ T[r ], it suffices to show

(true, 1) ∈ r
(λx:Bool.not x, λx:Int.0-2*x) ∈ fun(r , r s t )
(λx:Int.x, λx:Int.x >= 0) ∈ fun(r , Id sBool
t
).
282 7 Typed Operational Reasoning

These follow from the definition of r —the first trivially and the second two
once we combine the definition of fun(−, −) with the fact (Lemma 7.6.8)
that closed relations such as r s t and Id sBoolt
respect ciu-equivalence. For ex-
ample, if (v1 , v1 ) ∈ r , then (λx:Bool.not x)v1 and (λx:Int.0-2*x)v01 are
0

ciu-equivalent to r -related values v2 and v02 ; then since (v2 , v02 ) ∈ r ⊆ r s t and
the latter is closed, we have ((λx:Bool.not x)v1 , (λx:Int.0-2*x)v01 ) ∈ r s t .
As this holds for all (v1 , v01 ) ∈ r , we have (λx:Bool.not x, λx:Int.0-2*x) in
fun(r , r s t ). 2

Theorem 7.7.1(5) gives a sufficient condition for contextual equivalence of

package values, but the condition is not necessary: it can be the case that
{* T1 , v1 } as {∃X, T} is contextually equivalent to {* T2 , v2 } as {∃X, T}
even though there is no r ∈ TRel(T1 , T2 ) with (v1 , v2 ) ∈ T[r ]. The rest of
this section is devoted to giving an example of this unpleasant phenomenon
(based on a suggestion of Ian Stark arising out of our joint work on logical
relations for functions and dynamically allocated names in Pitts and Stark,
1993).

7.7.4 Example: Consider the following types and terms.

def
P = (X→Bool)→Bool
def
Q = {∃X,P}
def
N = ∀X.X
def
diverge = (fun f(b:Bool) = f b : Bool)true
def
G = fun g(f:N→Bool) = diverge : Bool
def
G0 = fun g(f:Bool→Bool) =
(if f true then
if f false then diverge else true
else diverge) : Bool.

Thus N is a type with no values (Exercise 7.7.6); G is a function that diverges

when applied to any value of type N→Bool; and G0 is a function that diverges
when applied to any value of type Bool→Bool except ones (such as the iden-
tity function) that map true to true and false to false, in which case it
returns true. We claim that

(i) there is no r ∈ TRel(N, Bool) for which (G, G0 ) ∈ P[r ] holds,

(ii) but nevertheless ∅ ` {*N,G} as Q =ctx {*Bool,G0 } as Q : Q. 2

7.7 Operational Extensionality 283

Proof: For (i) note that the definition of N implies that Val(N) = ∅, i.e., there
are no closed values of type N (Exercise 7.7.6). So any r ∈ TRel(N, Bool) satis-
fies r v = ∅. Now
def
P[r ]v = ((X→Bool)→Bool)[r ]v
def
= fun((X→Bool)[r ], Id sBool
t
)s t v
= fun((X→Bool)[r ], Id sBool
t
) using (7.19)
def
= fun(fun(r v s t , Id sBool
t
)s t , Id sBool
t
)
= fun(fun(r v s t , Id sBool
t
)s t v , Id sBool
t
) by definition of fun(−, −)
= fun(fun(r v s t , Id sBool
t
), Id sBool
t
) using (7.19)
= fun(fun(r , Id sBool
t
), Id sBool
t
) using (7.20)
= fun(fun(r v
, Id sBool
t
), Id sBool
t
) by definition of fun(−, −).

Since r v = ∅, we have fun(r v , Id sBool

t
) = Val(N→Bool) × Val(Bool→Bool); and
we know by Theorem 7.6.25 that Id sBool t
is the relation {(t, t0 ) | ∅ ` t =ctx
0
t : Bool}. Therefore

P[r ]v = {(v, v0 ) | ∅ ` v v1 =ctx v0 v01 : Bool

for all v1 ∈ Val(N→Bool) and v01 ∈ Val(Bool→Bool) }.

However, ∅ ` G v1 =ctx G0 v01 : Bool does not hold if we take v1 and v01 to be
the values
def
v1 = fun f(x:N) = diverge : Bool
def
v01 = fun f(x:Bool) = x : Bool

since evaluation of G v1 does not terminate, whereas evaluation of G0 v01 does.

Therefore (G, G0 ) ∉ P[r ]v , for any r ∈ TRel(N, Bool).
Turning to the proof of (ii), now we know that it cannot be deduced from
the extensionality principle for package values in Theorem 7.7.1, we have to
prove this contextual equivalence by brute force. The termination relation
defined in Fig. 7-2 provides a possible strategy (if rather a tedious one) for
proving ciu-equivalences and hence contextual equivalences—by what one
might call termination induction. Thus to prove (ii) it suffices to prove that
the two terms are ciu-equivalent:

∀S. hS, {*N,G} as Qi ↓ a hS, {*Bool,G0 } as Qi ↓.

Attempting to do this by induction on the derivation of terminations h−, −i ↓

(for all S simultaneously), one rapidly realizes that a stronger induction hy-
pothesis is needed: prove for all frame stacks S and terms t that
284 7 Typed Operational Reasoning

h[x , {*N,G} as Q]S, [x , {*N,G} as Q]ti ↓

if and only if h[x , {*Bool,G0 } as Q]S, [x , {*Bool,G0 } as Q]ti ↓.
It is possible to prove this by induction on the definition of the termination
relation in Fig. 7-2 (for all S and t simultaneously). We omit the details except
to note that the only difficult induction step is for the primitive reduction
(R-UnpackPack) in Fig. 7-3 in the case that t is the form let{*X,g}=x in t0 .
For that step, one can first show for all frame stacks S and terms t that
h[X , N][g , G]S, [X , N][g , G]ti ↓
if and only if h[X , Bool][g , G0 ]S, [X , Bool][g , G0 ]ti ↓.
This also is proved by induction on the definition of the termination relation.
Once again we omit the details except to note that now the only difficult in-
duction step is for the primitive reduction (R-AppAbs) in the case that t is of
the form g v for some value v. To prove that step one can use Lemma 7.7.5
below. This lemma lies at the heart of the reason why the contextual equiva-
lence in (ii) is valid: if an argument supplied to G0 is sufficiently polymorphic
(which is guaranteed by the existential abstraction), then when specialized to
Bool it cannot have the functionality (true , true, false , false) needed
to distinguish G0 from the divergent behavior of G. 2

7.7.5 Lemma: For any value v satisfying X, g:P ` v : X→Bool, evaluation of G0 ([X ,
Bool][g , G0 ]v) does not terminate. 2

Proof: To prove this we can use the logical relation from the previous sec-
tion. Consider the following value-relation in VRel(Bool, Bool):
def
r = {(true, true), (false, false), (true, false)}.

Note that
def
(X→Bool)[r ]v = fun(rv s t , Id sBool
t
)s t v
(7.20) (7.19)
= fun(r, Id sBool
t
)s t v = fun(r , Id sBool
t
) (7.35)

and hence
def
P[r ]v = fun((X→Bool)[r ], Id sBool
t
)s t v = fun((X→Bool)[r ]v , Id sBool
t
)s t v
(7.35) (7.19)
= fun(fun(r , Id sBool
t
), Id sBool
t
)s t v = fun(fun(r , Id sBool
t
), Id sBool
t
). (7.36)

If (v1 , v01 ) ∈ fun(r , Id sBool

t
), since (true, true), (false, false) ∈ r and Id sBool
t

is contextual equivalence (Theorem 7.6.25) we get

∅ ` v1 true =ctx v01 true : Bool

∅ ` v1 false =ctx v01 false : Bool.
 7.7 Operational Extensionality 285

So using Corollary 7.5.8(iii) and the congruence properties of =ctx , we have

G0 v1 =ctx (if v1 true then

if v1 false then diverge else true
else diverge)
=ctx (if v01 true then
if v01 false then diverge else true
else diverge)
=ctx G0 v01

Therefore (G0 v1 , G0 v01 ) ∈ Id sBool

t
whenever (v1 , v01 ) ∈ fun(r , Id sBool
t
); and so
0 0 v
(G , G ) ∈ P[r ] , by (7.36). Hence using Lemma 7.6.17 we have

([X , Bool][g , G0 ]v, [X , Bool][g , G0 ]v) ∈ (X→Bool)[r ]v

= fun(r , Id sBool
t
) by (7.35).

So since (true, false) ∈ r , we get

([X , Bool][g , G0 ]v true, [X , Bool][g , G0 ]v false) ∈ Id sBool

t
.

Thus ([X , Bool][g , G0 ]v)true and ([X , Bool][g , G0 ]v)false are

contextually equivalent closed terms of type Bool. Therefore it cannot be
the case that the first evaluates to true and the second to false (cf. Exer-
cise 7.5.10); but in that case, by definition of G0 , it must be that evaluation of
G0 ([X , Bool][g , G0 ]v) does not terminate. 2

7.7.6 Exercise [«, 3]: By considering the possible typing derivations from the rules
in Figure 7-1, show that there is no value v satisfying ∅ ` v : ∀X.X. (Note
that the syntactic restriction on values of universally quantified type men-
tioned in Remark 7.4.1 plays a crucial role here.) 2

7.7.7 Remark [The role of non-termination]: Example 7.7.4 shows that the log-
ical relation presented here is incomplete for proving contextual equivalence
of FML values of existential type. The example makes use of the fact that, be-
cause of the presence of recursive function values, evaluation of FML terms
need not terminate. However, it seems that the source of the incompleteness
has more to do with the existence of types with no values (such as ∀X.X) than
with non-termination. Eijiro Sumii (private communication) has suggested the
286 7 Typed Operational Reasoning

following, “terminating” version of Example 7.7.4:

def
P = (X→Bool)→Bool
def
Q = {∃X,P}
def
N = ∀X.X
def
H = λf:N→Bool. false
def
H0 = λf:Bool→Bool.
(if f true then
if f false then false else true
else false) : Bool.

Consider a version of FML with only non-recursive function abstractions (i.e.

with λx:T.t rather than fun f(x:T) = t:T0 ). Evaluation is terminating in this
version. So to be non-trivial, contextual equivalence should be formulated in
terms of observing convergence to the same ground value in all contexts of
ground type. Making corresponding changes to the definition of the opera-
tions (−)s and (−)t on term- and stack-relations, one could develop a logical
relation for this terminating version of FML . It seems that properties (i) and (ii)
in Example 7.7.4 are also true of H and H0 in this version (the first by the same
argument we gave, but the second by a different argument that nevertheless
hinges on the observation at the end of the proof of Example 7.7.4). We leave
investigating this as an extended exercise for the reader. 2

The proof of Lemma 7.7.5 exploits “relational parametricity” properties of

polymorphic types in FML . In fact Theorem 7.6.25 tells us far more about the
properties of type abstraction values than just the extensionality property of
Theorem 7.7.1(4).

7.7.8 Theorem [Relational parametricity for ∀-types]: Given X ` v : T and

X ` v0 : T, then ∅ ` λX.v =ctx λX.v0 : ∀X.T if and only if for all closed
types T1 , T01 ∈ Typ and all term-relations r ∈ TRel(T1 , T01 ) it is the case that
([X , T1 ]v, [X , T01 ]v0 ) ∈ T[r ]. 2

Proof: By Theorem 7.6.25, we have that ∅ ` λX.v =ctx λX.v0 : ∀X.T iff
∅ ` λX.v ∆ λX.v0 : ∀X.T, i.e., iff (λX.v, λX.v0 ) ∈ (∀X.T)[] = (λr .T[r ])s t .
Since λX.v and λX.v0 are values, the latter is the case iff (λX.v, λX.v0 ) ∈
(λr .T[r ])s t v , and by Lemma 7.6.12 and Exercise 7.6.14 (λr .T[r ])s t v = λr .T[r ].
Hence ∅ ` λX.v =ctx λX.v0 : ∀X.T iff (λX.v, λX.v0 ) ∈ λr .T[r ]. By definition
(Figure 7-5), this is the case iff for all for all closed types T1 , T01 ∈ Typ and
all term-relations r ∈ TRel(T1 , T01 ), ((λX.v)T1 , (λX.v0 )T01 ) ∈ T[r ]; and the
 7.7 Operational Extensionality 287

latter holds iff ([X , T1 ]v, [X , T01 ]v0 ) ∈ T[r ], because (λX.v)T1 =ciu [X ,
T1 ]v and (λX.v0 )T01 =ciu [X , T01 ]v0 (so that we can use Lemmas 7.6.8 and
7.6.12). 2

The force of Theorem 7.7.1(4) is to give a method for establishing that two
type abstraction values are contextually equivalent. By contrast, the force of
Theorem 7.7.8 is to give us useful properties of families of values parameter-
ized by type variables. Given such a value, X ` v : T, since =ctx is reflexive,
we have ∅ ` λX.v =ctx λX.v : ∀X.T; hence the theorem has the following
corollary.

7.7.9 Corollary: Given a value X ` v : T, for all T1 , T01 ∈ Typ and all r ∈
TRel(T1 , T01 ), it is the case that ([X , T1 ]v, [X , T01 ]v) ∈ T[r ]. 2

Such “relational parametricity” properties can often be exploited for prov-

ing contextual equivalences: we already saw an example in the proof of Lem-
ma 7.7.5 and other examples can be found in Pitts (2000), Bierman, Pitts, and
Russo (2000), and Johann (2002). However, the strict nature of function ap-
plication and type abstraction in FML means that it does not satisfy all the
parametricity properties one might expect. For example, in Pitts (2000), §7, it
is shown that

{∃X,T} › ∀Y.(∀X.T→Y)→Y

holds in the polymorphic version of PCF (Plotkin, 1977) studied in that pa-
per (where › is “bijection up to contextual equivalence”—see Principle 7.3.4).
However this bijection does not hold in general for FML (Exercise 7.7.10).
def
7.7.10 Exercise [«««]: Consider the type N = ∀X.X from Example 7.7.4 that you
showed has no closed values in Exercise 7.7.6. Show that there cannot exist
values

i ∈ Val({∃X,N}→∀Y.(∀X.N→Y)→Y)
j ∈ Val((∀Y.(∀X.N→Y)→Y)→{∃X,N})

that are mutually inverse, in the sense that

p:{∃X,N} ` j(i p) =ctx p : {∃X,N}

y:∀Y.(∀X.N→Y)→Y ` i(j y) =ctx y : ∀Y.(∀X.N→Y)→Y. 2

7.7.11 Exercise [«««, 3]: Verify the claim made in Note 7.3.7 that Principle 7.3.4 is
a special case of Principle 7.3.6. To do so, you will first have to give a defini-
tion of the action of FML types on bijections mentioned in Principle 7.3.4. 2
288 7 Typed Operational Reasoning

7.8 Notes

This chapter is a revised and expanded version of Pitts (1998) and also draws
on material from Pitts (2000).
In discussing typed operational reasoning we have focused on reasoning
about contextual equivalence of program phrases. Being by construction a
congruence, contextual equivalence permits us to use the usual forms of
equational reasoning (replacing equals by equals) when deriving equivalences
between phrases. However, its definition does not lend itself to establish-
ing the basic laws that are needed to get such reasoning going. We studied
two characterisations of contextual equivalence in order to get round this
problem: ciu-equivalence (Definition 7.5.5) and a certain kind of operationally
based logical relation (Definition 7.6.10).
contextual equivalence!vs. bisimilarity The informal notion of contextual
equivalence (Definition 7.3.2) has been studied for a wide variety of pro-
gramming languages. If the language’s operational semantics involves non-
determinism—usually because the language supports some form of concur-
rent or interactive computation—then contextual equivalence tends to iden-
tify too many programs and various co-inductive notions of bisimilarity are
used instead (see the textbook by Sangiorgi and David, 2001, for example).
But even if we remain within the realm of languages with deterministic oper-
ational semantics, one may ask to what extent the results of this chapter are
stable with respect to adding further features such as recursive datatypes,
mutable state, and object-oriented features à la Objective Caml.
Ciu-equivalence has the advantage of being quite robust in this respect—
it can provide a characterisation of contextual equivalence in the presence
of such features (Honsell, Mason, Smith, and Talcott, 1995; Talcott, 1998).
However, its usefulness is mainly limited to establishing basic laws such as
the conversions in Corollary 7.5.8; it cannot be used directly to establish ex-
tensionality properties such as those in Theorem 7.7.1 without resorting to
tedious “termination inductions” of the kind we sketched in the proof of Ex-
ample 7.7.4. Ciu-equivalence is quite closely related to some notions of “ap-
plicative bisimilarity” that have been applied to functional and object-based
languages (Gordon, 1995, 1998), in that their congruence properties can both
be established using a clever technique due to Howe (1996). The advantage of
applicative bisimilarity is that it has extensionality built into its definition; so
when it does coincide with contextual equivalence, this provides a method of
establishing some extensionality properties for =ctx (such as (1)–(4) in Theo-
rem 7.7.1, but not, as far as I know, property (5) for package values).
The kind of operationally based logical relation we developed in this chap-
ter provides a very powerful analysis of contextual equivalence. We used it
 7.8 Notes 289

to prove not only conversions and simple extensionality principles for FML ,
but also quite subtle properties of =ctx such as Theorems 7.7.1(5) and 7.7.8.
Similar logical relations can be used to prove some properties of ML-style
references and of linear types: see Pitts and Stark (1998), Bierman, Pitts, and
Russo (2000), and Pitts (2002). Unfortunately, the characteristic feature of
logical relations—that functions are related iff they map related arguments
to related results—makes it difficult to define them in the presence of “recur-
sive features.” I mean by the latter programming language features which in a
denotational semantics lead one to have to solve domain equations in which
the defined domain occurs both positively (to the left of an even number
of function space constructions) and negatively (to the left of an odd num-
ber of function space constructions). Recursive datatypes involving function
types can lead to such domain equations; as does the use of references to
functions in ML. Suitable logical relations can be defined in the denotational
semantics of languages with such features using techniques such as those in
Pitts (1996), but they tell us properties of denotational equality, which is of-
ten a poor (if safe) approximation to contextual equivalence. For this reason
people have tried to develop syntactical analogs of these denotational logi-
cal relations: see Birkedal and Harper (1999). The unwinding theorem (Theo-
rem 7.4.4) provides the basis for such an approach. However, it seems like a
fresh idea is needed to make further progress. Therefore I set a last exercise,
whose solution is not included.

7.8.1 Exercise [««««. . . , 3]: Extend FML with isorecursive types, µX.T, as in Figure
20-1 of TAPL, Chapter 20. By finding an operationally based logical relation as
in §7.6 or otherwise, try to prove the kind of properties of contextual equiv-
alence for this extended language that we developed for FML in this chapter.
(For the special case of iso-recursive types µX.T for which T contains no neg-
ative occurrences of X, albeit for a non-strict functional language, see Johann
(2002). The generalized ideal model of recursive polymorphic in Vouillon and
Melliès (2004) uses the same kind of Galois connection as we used in §7.6 and
may well shed light on this exercise. Recent work by Sumii and Pierce [2005]
is also relevant.) 2
 A Solutions to Selected Exercises 509

come equipped with their own notion of logical equivalence that can be de-
fined independently (i.e., without reference to the general definition of logical
equivalence). Thus, the definition of logical equivalence may refer to arbitrary
candidates and remain well-founded.

7.4.2 Hint: First prove

hS1 , t1 i -→ hS2 , t2 i ⇒ (∀S)(hS@S2 , t2 i ↓ ⇒ hS@S1 , t1 i ↓)

by considering the different cases for -→. Deduce the ‘if’ part of (7.7) from
this. For the ‘only if’ part, show that
∗
{(S, t) | (∃S1 , S2 , v) S = S1 @S2 & hS2 , ti -→ hId, vi & hS1 , vi ↓}

is closed under the axiom and rules in Figure 7-2 inductively defining the
termination relation.

7.5.4 Solution: For property (iii), assuming R is compatible, argue by induction on

the derivation of Γ ` t : T that this typing judgment implies that Γ ` t R t :
S
T holds. For property (v), if R = i∈I Ri with I 6= ∅ and each Ri compatible,
first note that by (iii), R is reflexive since it contains at least one relation Ri .
For each of the compatibility properties in Figure 7-4 with a single hypothesis,
it is clear that R has this property because each of the Ri does. For compat-
ibility properties with multiple hypotheses, we can break them down into a
chain of single-hypothesis compatibilities and appeal to the transitivity of R
(which we are assuming). For example consider the compatibility property for
function application. It suffices to show that R satisfies

Γ ` v1 R v01 : T1 →T2 Γ ` v2 : T1
(A.1)
Γ ` v1 v2 R v01 v2 : T2

and

Γ ` v1 : T1 →T2 Γ ` v2 R v02 : T1
. (A.2)
Γ ` v1 v2 R v1 v02 : T2

For then if Γ ` v1 R v01 : T1 →T2 and Γ ` v2 R v02 : T1 , we get

Γ ` v1 v2 R v01 v2 : T2 by (A.1), since Γ ` v2 : T1

Γ ` v01 v2 R v01 v02 : T2 by (A.2), since Γ ` v01 : T1 →T2 .

and hence Γ ` v1 v2 R v01 v02 : T2 by transitivity. Each of the single-hypothesis

properties (A.1) and (A.2) holds of R because they hold for each Ri : each is
a special case of the compatibility property for function application because
each Ri , being compatible, is also reflexive by (iii).
510 A Solutions to Selected Exercises

7.5.10 Solution: Consider the frame stacks

def
S = Id ◦ (x.(fun f(x0 :Bool) = if x0 then true else f x0 )x)
def
ST = Id ◦ (x.(fun f(x0 :T) = true)x)

Note that ∅ ` S : Bool Ç Bool and ∅ ` ST : T Ç Bool. It is not hard to see

for all ∅ ` b : Bool that
∗
S[b] ↓ iff hId, bi -→ hId, truei (A.3)

and for all ∅ ` t : T that

∗
t ↓ iff hId, ST [t]i -→ hId, truei (A.4)

From (A.3) and the fact that =ctx is a congruence (so that ∅ ` b =ctx b0 : Bool
implies ∅ ` S[b] =ctx S[b0 ] : Bool) it follows that =ctx is true-adequate;
hence it is contained in =true true
ctx . Similarly, (A.4) and the fact that =ctx is a
congruence implies that it is adequate and hence contained in =ctx .

7.6.7 Solution: Since (−)s t is inflationary we have r ⊆ r s t ; and since r only relates
values, this implies r ⊆ r s t v . Then since (−)s t is monotone, we have r s t ⊆
r s t v s t . Conversely, since (r 0 )v ⊆ r 0 for any r 0 , we have r s t v ⊆ r s t ; and then
since (−)s t is monotone and idempotent, r s t v s t ⊆ r s t s t = r s t .

7.6.14 Hint: The proof of (7.26) is just like the proof of (7.21), using the following
property of the termination relation:

(hS, v.li ↓ a hS 0 , v0 .li ↓) iff (hS ◦ (x.x.l), vi ↓ a hS 0 ◦ (x.x.l), v0 i ↓).

Similarly, the proof of (7.27) follows from:

(hS, v Ti ↓ a hS 0 , v0 T0 i ↓) iff (hS ◦ (x.x T), vi ↓ a hS 0 ◦ (x.x T0 ), v0 i ↓).

7.6.18 Solution: It suffices to show

(∀n = 0, 1, . . .) (Fn , F0n ) ∈ fun(r1 , r2 ) (A.5)

where Fn and F0n are the unwindings associated with F and F0 respectively, as
in Theorem 7.4.4. For if (A.5) holds, then using the fact that (−)s t is inflation-
ary

(Fn , F0n ) ∈ fun(r1 , r2 ) ⊆ fun(r1 , r2 )s t

for each n; so by the Admissibility property in Lemma 7.6.8 we have (F, F0 ) ∈

fun(r1 , r2 )s t . Thus (F, F0 ) ∈ fun(r1 , r2 )s t v = fun(r1 , r2 ) by Lemma 7.6.13,
since (r2 )s t = r2 . (A.5) is proved by induction on n:
 A Solutions to Selected Exercises 511

Base case n = 0: By definition of F0 , hS, F0 v1 i ↓ does not hold for any S ∈

Stack(T2 ) and v1 ∈ Val(T1 ); similarly for F00 . Hence for all (v1 , v01 ) ∈ (r1 )v ,
(F0 v1 , F00 v01 ) ∈ s t for any s ∈ SRel(T2 , T02 ) and hence in particular for
s = (r2 )s . So (F0 v1 , F00 v01 ) ∈ (r2 )s t = r2 for all (v1 , v01 ) ∈ (r1 )v . Therefore
(F0 , F00 ) ∈ fun(r1 , r2 ).

Induction step: Suppose (Fn , F0n ) ∈ fun(r1 , r2 ). Then for any (v1 , v01 ) ∈ (r1 )v ,
from (7.29) we have

([f , Fn ][x , v1 ]t, [f , F0n ][x , v01 ]t0 ) ∈ r2 .

By definition of Fn+1 and Corollary 7.5.8 we have ∅ ` Fn+1 v1 =ctx [f ,

Fn ][x , v1 ]t; and similarly, ∅ ` F0n+1 v01 =ctx [f , F0n ][x , v01 ]t0 . So
since r2 is closed, we can apply the Equivalence-respecting property in
Lemma 7.6.8 to conclude that (Fn+1 v1 , F0n+1 v01 ) ∈ r2 . Since this holds for
any (v1 , v01 ) ∈ (r1 )v , we have (Fn+1 , F0n+1 ) ∈ fun(r1 , r2 ).

7.6.19 Solution: To show (v, v0 ) ∈ {li =ri i∈1..n } we must show (v.li , v0 .li ) ∈ ri for
each i ∈ 1..n. Since each ri is closed, this is equivalent to showing (v.li , v0 .li ) ∈
(ri )s t , i.e. that hS, v.li i ↓ a hS 0 , v0 .li i ↓ holds for all (S, S 0 ) in (ri )s . But by
definition of v, hS, v.li i ↓ a hS, vi i ↓; and similarly for v0 . So it suffices to
show hS, vi i ↓ a hS 0 , v0i i; and this holds because by assumption (vi , v0i ) ∈ ri
and (S, S 0 ) ∈ (ri )s .

7.6.20 Solution: To show (λX.v, λX.v0 ) ∈ λr .R(r ) we have to show for each T1 , T01 ∈
Typ and r ∈ TRel(T1 , T01 ) that ((λX.v)T, (λX.v0 )T0 ) ∈ R(r ) . Since each
R(r ) is closed, this is equivalent to showing ((λX.v)T, (λX.v0 )T0 ) ∈ R(r )s t ,
i.e. that hS, (λX.v)Ti ↓ a hS 0 , (λX.v0 )T0 i ↓ holds for all (S, S 0 ) ∈ R(r )s . But
hS, (λX.v)Ti ↓ a hS, [X , T1 ]vi ↓; and similarly for v0 . So it suffices to show
hS, [X , T1 ]vi ↓ a hS, [X , T01 ]v0 i ↓; and this holds because by assumption
([X , T1 ]v, [X , T1 ]v) ∈ R(r ) and (S, S 0 ) ∈ R(r )s .

7.6.21 Hint: To show (if v then t1 else t2 , if v0 then t01 else t02 ) ∈ r = (r )s t it
suffices to show for all (S, S 0 ) ∈ (r )s that

hS, if v then t1 else t2 i ↓ a hS 0 , if v0 then t01 else t02 i ↓

or equivalently that

hS ◦ (x.if x then t1 else t2 ), vi ↓ a

hS 0 ◦ (x.if x then t01 else t02 ), v0 i ↓.

Do this by proving that

(S ◦ (x.if x then t1 else t2 ), S 0 ◦ (x.if x then t01 else t02 ) ∈ (Id Bool )s .
512 A Solutions to Selected Exercises

7.6.22 Solution: For any (S, S 0 ) ∈ (r2 )s it follows from the assumptions on t, t0 and
the definition of {∃r1 ,R(r1 )} (Figure 7-5) that

(S ◦ (y.let {*X,x}=y in t), S 0 ◦ (y.let {*X,x}=y in t0 ))

is in {∃r1 ,R(r1 )}s . Hence if (v, v0 ) ∈ {∃r1 ,R(r1 )}s t v ⊆ ({∃r1 ,R(r1 )}s )t , then

hS ◦ (y.let {*X,x}=y in t), vi ↓ a hS 0 ◦ (y.let {*X,x}=y in t0 ), v0 i ↓

and so hS, let {*X,x}=v in ti ↓ a hS, let {*X,x}=v0 in t0 i ↓. Since this is

true for all (S, S 0 ) ∈ (r2 )s , we deduce that

(let {*X,x}=v in t, let {*X,x}=v in t) ∈ (r2 )s t = r2 .

7.6.23 Solution: For any (S, S 0 ) ∈ (r2 )s it follows from the assumptions on t, t0
that (S ◦ (x.t2 ), S 0 ◦ (x.t02 )) ∈ (r1 )v s . Since ((r1 )v s )t = r1 , if (t1 , t01 ) ∈ r1 then
we get hS ◦ (x.t2 ), t1 i ↓ a hS 0 ◦ (x.t02 ), t01 i ↓, and hence that

hS, let x=t1 in t2 i ↓ a hS 0 , let x=t01 in t02 i ↓.

Since this holds for all (S, S 0 ) ∈ (r2 )s , we deduce that

(let x=t1 in t2 , let x=t01 in t02 ) ∈ (r2 )s t = r2 .

7.7.10 Solution: Since N has no closed values, neither does {∃X,N}. On the other
hand

val v = λY.fun f(x:∀X.N→Y) = (f x):Y

is a closed value of type ∀Y.(∀X.N→Y)→Y. If i and j were to exist with

the stated properties we could use them to construct from v a closed value
of type {∃X,N}, which is impossible. (For i(j v) and v are ciu-equivalent
(Theorem 7.5.7); so since v ↓, we also have i(j v) ↓. Hence by Exercise 7.4.2,
hId, j vi -→∗ hId, v0 i for some v0 , which is a closed value of type {∃X,N}, by
Exercise 7.4.3.)

8.2.1 Solution: As of this writing, the question of how far nominal module sys-
tems can be pushed is wide open. A step in this direction was recently taken
by Odersky, Cremet, Rockl, and Zenger (2003).

8.5.3 Solution: Define m1 to be the module

module m1 = mod {
type X = Int
val c = 0
val f = succ
}
References

Abadi, Martín, Luca Cardelli, Pierre-Louis Curien, and Jean-Jacques Lévy. Explicit sub-
stitutions. Journal of Functional Programming, 1(4):375–416, 1991. Summary in
ACM Symposium on Principles of Programming Languages (POPL), San Francisco,
California, 1990.

Adams, Rolf, Walter Tichy, and Annette Weinert. The cost of selective recompila-
tion and environment processing. ACM Transactions on Software Engineering and
Methodology, 3(1):3–28, January 1994.

Ahmed, Amal, Limin Jia, and David Walker. Reasoning about hierarchical storage.
In IEEE Symposium on Logic in Computer Science (LICS), Ottawa, Canada, pages
33–44, June 2003.

Ahmed, Amal and David Walker. The logical approach to stack typing. In ACM SIG-
PLAN Workshop on Types in Language Design and Implementation (TLDI), New
Orleans, Louisiana, pages 74–85, January 2003.

Aho, Alfred V., Ravi Sethi, and Jeffrey D. Ullman. Compilers: Principles, Techniques,
and Tools. Addison-Wesley, Reading, Massachusetts, 1986.

Aiken, Alexander, Manuel Fähndrich, and Raph Levien. Better static memory man-
agement: Improving region-based analysis of higher-order languages. In ACM SIG-
PLAN Conference on Programming Language Design and Implementation (PLDI),
La Jolla, California, pages 174–185, June 1995.

Aiken, Alexander, Jeffrey S. Foster, John Kodumal, and Tachio Terauchi. Checking
and inferring local non-aliasing. In ACM SIGPLAN Conference on Programming
Language Design and Implementation (PLDI), San Diego, California, pages 129–140,
June 2003.

Aiken, Alexander and Edward L. Wimmers. Solving systems of set constraints. In

IEEE Symposium on Logic in Computer Science (LICS), Santa Cruz, California, pages
329–340, June 1992.
536 References

Aiken, Alexander and Edward L. Wimmers. Type inclusion constraints and type infer-
ence. In ACM Symposium on Functional Programming Languages and Computer
Architecture (FPCA), Copenhagen, Denmark, pages 31–41, June 1993.
Altenkirch, Thorsten. Constructions, Inductive Types and Strong Normalization. PhD
thesis, Laboratory for Foundations of Computer Science, University of Edinburgh,
Edinburgh, Scotland, 1993.
Amadio, Roberto M. and Luca Cardelli. Subtyping recursive types. ACM Transac-
tions on Programming Languages and Systems, 15(4):575–631, 1993. Summary
in ACM Symposium on Principles of Programming Languages (POPL), Orlando,
Florida, pp. 104–118; also DEC/Compaq Systems Research Center Research Report
number 62, August 1990.
Amtoft, Torben, Flemming Nielson, and Hanne Riis Nielson. Type and Effect Systems:
Behaviours for Concurrency. Imperial College Press, 1999.
Ancona, Davide and Elena Zucca. A theory of mixin modules: Basic and derived op-
erators. Mathematical Structures in Computer Science, 8(4):401–446, August 1998.
Ancona, Davide and Elena Zucca. A calculus of module systems. Journal of Functional
Programming, 12(2):91–132, March 2002.
Appel, Andrew W. Foundational proof-carrying code. In IEEE Symposium on Logic in
Computer Science (LICS), Boston, Massachusetts, pages 247–258, June 2001.
Appel, Andrew W. and Amy P. Felty. A semantic model of types and machine instruc-
tions for proof-carrying code. In ACM SIGPLAN–SIGACT Symposium on Principles
of Programming Languages (POPL), Boston, Massachusetts, pages 243–253, January
2000.
Aspinall, David. Subtyping with singleton types. In International Workshop on Com-
puter Science Logic (CSL), Kazimierz, Poland, volume 933 of Lecture Notes in Com-
puter Science, pages 1–15. Springer-Verlag, September 1994.
Aspinall, David and Martin Hofmann. Another type system for in-place update. In
European Symposium on Programming (ESOP), Grenoble, France, volume 2305 of
Lecture Notes in Computer Science, pages 36–52. Springer-Verlag, April 2002.
Augustsson, Lennart. Cayenne—A language with dependent types. In ACM SIGPLAN
International Conference on Functional Programming (ICFP), Baltimore, Maryland,
pages 239–250, 1998.
Baader, Franz and Jörg Siekmann. Unification theory. In D. M. Gabbay, C. J. Hogger,
and J. A. Robinson, editors, Handbook of Logic in Artificial Intelligence and Logic
Programming, volume 2, Deduction Methodologies, pages 41–125. Oxford Univer-
sity Press, 1994.
Baker, Henry G. Lively linear Lisp—look ma, no garbage! ACM SIGPLAN Notices, 27
(8):89–98, 1992.
Barendregt, Henk P. The Lambda Calculus. North Holland, revised edition, 1984.
Barendregt, Henk P. Introduction to generalized type systems. Journal of Functional
Programming, 1(2):125–154, 1991.
References 537

Barendregt, Henk P. Lambda calculi with types. In S. Abramsky, D. M. Gabbay, and

T. Maibaum, editors, Handbook of Logic in Computer Science, volume 2, Computa-
tional Structures. Oxford University Press, 1992.
Barendsen, Erik and Sjaak Smetsers. Conventional and uniqueness typing in graph
rewrite systems. In Foundations of Software Technology and Theoretical Computer
Science (FSTTCS), Bombay, India, volume 761 of Lecture Notes in Computer Science,
pages 41–51. Springer-Verlag, December 1993.
Barras, Bruno, Samuel Boutin, Cristina Cornes, Judicael Courant, Jean-Christophe
Filliatre, Eduardo Gimenez, Hugo Herbelin, Gerard Huet, Cesar Munoz, Chetan
Murthy, Catherine Parent, Christine Paulin-Mohring, Amokrane Saibi, and Benjamin
Werner. The Coq proof assistant reference manual: Version 6.1. Technical Report
RT-0203, INRIA, 1997.
Bauer, Lujo, Andrew W. Appel, and Edward W. Felten. Mechanisms for secure modular
programming in Java. Technical Report TR-603-99, Princeton University, 1999.
Bellantoni, Stephan and Stephan Cook. A new recursion-theoretic characterization of
polytime functions. Computational Complexity, 2(2):97–110, 1992.
Bellantoni, Stephan, K.-H. Niggl, and H. Schwichtenberg. Higher type recursion, rami-
fication and polynomial time. Annals of Pure and Applied Logic, 104:17–30, 2000.
Berardi, Stefano. Towards a mathematical analysis of the Coquand-Huet calculus
of constructions and the other systems in Barendregt’s cube. Technical report,
Department of Computer Science, CMU, and Dipartimento Matematica, Universita
di Torino, 1988.
Berthomieu, Bernard. Tagged types: A theory of order sorted types for tagged expres-
sions. Research Report 93083, LAAS, 7, avenue du Colonel Roche, 31077 Toulouse,
France, March 1993.
Berthomieu, Bernard and Camille le Moniès de Sagazan. A calculus of tagged types,
with applications to process languages. In Workshop on Types for Program Analysis
(TPA), informal proceedings, pages 1–15, May 1995.
Biagioni, Edoardo, Nicholas Haines, Robert Harper, Peter Lee, Brian G. Milnes, and
Eliot B. Moss. Signatures for a protocol stack: A systems application of Stan-
dard ML. In ACM Symposium on Lisp and Functional Programming (LFP), Orlando,
Florida, pages 55–64, June 1994.
Bierman, G. M., A. M. Pitts, and C. V. Russo. Operational properties of Lily, a polymor-
phic linear lambda calculus with recursion. In Workshop on Higher Order Opera-
tional Techniques in Semantics (HOOTS), Montréal, Québec, volume 41 of Electronic
Notes in Theoretical Computer Science. Elsevier, September 2000.
Birkedal, Lars and Robert W. Harper. Constructing interpretations of recursive types
in an operational setting. Information and Computation, 155:3–63, 1999.
Birkedal, Lars and Mads Tofte. A constraint-based region inference algorithm. Theo-
retical Computer Science, 258:299–392, 2001.
538 References

Birkedal, Lars, Mads Tofte, and Magnus Vejlstrup. From region inference to von Neu-
mann machines via region representation inference. In ACM SIGPLAN–SIGACT
Symposium on Principles of Programming Languages (POPL), St. Petersburg Beach,
Florida, pages 171–183, 1996.

Blume, Matthias. The SML/NJ Compilation and Library Manager, May 2002. Available
from http://www.smlnj.org/doc/CM/index.html.

Blume, Matthias and Andrew W. Appel. Hierarchical modularity. ACM Transactions

on Programming Languages and Systems, 21(4):813–847, 1999.

Bonniot, Daniel. Type-checking multi-methods in ML (a modular approach). In Inter-

national Workshop on Foundations of Object-Oriented Languages (FOOL), informal
proceedings, January 2002.

Bourdoncle, François and Stephan Merz. Type-checking higher-order polymorphic

multi-methods. In ACM SIGPLAN–SIGACT Symposium on Principles of Program-
ming Languages (POPL), Paris, France, pages 302–315, January 1997.

Bracha, Gilad and William R. Cook. Mixin-based inheritance. In ACM SIGPLAN Confer-
ence on Object Oriented Programming: Systems, Languages, and Applications (OOP-
SLA)/European Conference on Object-Oriented Programming (ECOOP), Ottawa, On-
tario, pages 303–311, October 1990.

Brandt, Michael and Fritz Henglein. Coinductive axiomatization of recursive type

equality and subtyping. In International Conference on Typed Lambda Calculi and
Applications (TLCA), Nancy, France, volume 1210 of Lecture Notes in Computer
Science, pages 63–81. Springer-Verlag, April 1997. Full version in Fundamenta
Informaticae, 33:309–338, 1998.

Breazu-Tannen, Val, Thierry Coquand, Carl Gunter, and Andre Scedrov. Inheritance
as implicit coercion. Information and Computation, 93(1):172–221, July 1991. Also
in C. A. Gunter and J. C. Mitchell, editors, Theoretical Aspects of Object-Oriented
Programming: Types, Semantics, and Language Design, MIT Press, 1994.

Bruce, Kim B. Typing in object-oriented languages: Achieving expressibility and

safety, 1995. Available through http://www.cs.williams.edu/~kim.

Bruce, Kim B. Foundations of Object-Oriented Languages: Types and Semantics. MIT

Press, 2002.

Bruce, Kim B., Luca Cardelli, Giuseppe Castagna, the Hopkins Objects Group
(Jonathan Eifrig, Scott Smith, Valery Trifonov), Gary T. Leavens, and Benjamin
Pierce. On binary methods. Theory and Practice of Object Systems, 1(3):221–242,
1996.

Bruce, Kim B., Luca Cardelli, and Benjamin C. Pierce. Comparing object encodings.
In International Symposium on Theoretical Aspects of Computer Software (TACS),
September 1997. An earlier version was presented as an invited lecture at the Third
International Workshop on Foundations of Object Oriented Languages (FOOL 3),
July 1996; full version in Information and Computation, 155(1–2):108-133, 1999.
References 539

de Bruijn, Nicolas G. A survey of the project AUTOMATH. In J. P. Seldin and J. R.

Hindley, editors, To H. B. Curry: Essays in Combinatory Logic, Lambda Calculus,
and Formalism, pages 589–606. Academic Press, 1980.
Brus, Tom, Marko van Eekelen, Maarten van Leer, and Marinus Plasmeijer. Clean: A
language for functional graph rewriting. In ACM Symposium on Functional Pro-
gramming Languages and Computer Architecture (FPCA), Portland, Oregon, vol-
ume 274 of Lecture Notes in Computer Science, pages 364–384. Springer-Verlag,
September 1987.
Burstall, Rod and Butler Lampson. A kernel language for abstract data types and
modules. In International Symposium on Semantics of Data Types, Sophia-Antipolis,
France, volume 173 of Lecture Notes in Computer Science, pages 1–50. Springer-
Verlag, June 1984.
Burstall, Rod, David MacQueen, and Donald Sannella. HOPE: an experimental ap-
plicative language. In ACM Symposium on Lisp and Functional Programming (LFP),
Stanford, California, pages 136–143, August 1980.
Calcagno, Cristiano. Stratified operational semantics for safety and correctness of re-
gion calculus. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming
Languages (POPL), London, England, pages 155–165, 2001.
Calcagno, Cristiano, Simon Helsen, and Peter Thiemann. Syntactic type soundness
results for the region calculus. Information and Computation, 173(2):199–221,
2002.
Cardelli, Luca. A polymorphic λ-calculus with Type:Type. Research report 10,
DEC/Compaq Systems Research Center, May 1986.
Cardelli, Luca. Phase distinctions in type theory, 1988a. Manuscript, available from
http://www.luca.demon.co.uk.
Cardelli, Luca. Typechecking dependent types and subtypes. In Foundations of Logic
and Functional Programming, Trento, Italy, (December, 1986), volume 306 of Lec-
ture Notes in Computer Science, pages 45–57. Springer-Verlag, 1988b.
Cardelli, Luca. Program fragments, linking, and modularization. In ACM SIGPLAN–
SIGACT Symposium on Principles of Programming Languages (POPL), Paris, France,
pages 266–277, January 1997.
Cardelli, Luca, James Donahue, Mick Jordan, Bill Kalsow, and Greg Nelson. The
Modula-3 type system. In Proceedings of the Sixteenth Annual ACM Symposium
on Principles of Programming Languages, pages 202–212, January 1989.
Cardelli, Luca and Xavier Leroy. Abstract types and the dot notation. In IFIP TC2
Working Conference on Programming Concepts and Methods. North Holland, 1990.
Also appeared as DEC/Compaq SRC technical report 56.
Cardelli, Luca and Giuseppe Longo. A semantic basis for Quest. Journal of Functional
Programming, 1(4):417–458, October 1991. Summary in ACM Conference on Lisp
and Functional Programming, pp. 30-43, 1990. Also available as DEC/Compaq SRC
Research Report 55, Feb. 1990.
540 References

Cardelli, Luca and John Mitchell. Operations on records. Mathematical Structures

in Computer Science, 1:3–48, 1991. Also in C. A. Gunter and J. C. Mitchell, edi-
tors, Theoretical Aspects of Object-Oriented Programming: Types, Semantics, and
Language Design, MIT Press, 1994; available as DEC/Compaq Systems Research
Center Research Report #48, August, 1989; and in the Proceedings of Workshop
on the Mathematical Foundations of Programming Semantics (MFPS), New Orleans,
Louisiana, Springer LNCS, volume 442, pp. 22-52, 1989.
Cartmell, John. Generalised algebraic theories and contextual categories. Annals of
Pure and Applied Logic, 32:209–243, 1986.
Cartwright, Robert and Mike Fagan. Soft typing. In ACM SIGPLAN Conference on Pro-
gramming Language Design and Implementation (PLDI), Toronto, Ontario, pages
278–292, June 1991.
Cervesato, Iliano, Joshua S. Hodas, and Frank Pfenning. Efficient resource manage-
ment for linear logic proof search. Theoretical Computer Science, 232(1–2):133–
163, February 2000.
Cervesato, Iliano and Frank Pfenning. A linear logical framework. Information and
Computation, 179(1):19–75, November 2002.
Chaki, Sagar, Sriram K. Rajamani, and Jakob Rehof. Types as models: Model checking
message-passing programs. In ACM SIGPLAN–SIGACT Symposium on Principles of
Programming Languages (POPL), Portland, Oregon, pages 45–57, 2002.
Chirimar, Jawahar, Carl A. Gunter, and Jon G. Riecke. Reference counting as a com-
putational interpretation of linear logic. Journal of Functional Programming, 6(2):
195–244, March 1996.
Christiansen, Morten Voetmann and Per Velschow. Region-based memory manage-
ment in Java. Master’s thesis, University of Copenhagen, Department of Computer
Science, 1998.
Church, Alonzo. The Calculi of Lambda Conversion. Princeton University Press, 1941.
Church, Alonzo. The weak theory of implication. Kontroliertes Denken: Untersuchun-
gen zum Logikkalk ul und zur Logik der Einzelwissenschaften, pages 22–37, 1951.
Clement, Dominique, Joelle Despeyroux, Thierry Despeyroux, and Gilles Kahn. A
simple applicative language: Mini-ML. In ACM Symposium on Lisp and Functional
Programming (LFP), Cambridge, Massachusetts, pages 13–27, August 1986.
Colby, Christopher, Peter Lee, George C. Necula, Fred Blau, Mark Plesko, and Kenneth
Cline. A certifying compiler for Java. ACM SIGPLAN Notices, 35(5):95–107, May
2000.
Comon, Hubert. Constraints in term algebras (short survey). In Conference on Alge-
braic Methodology and Software Technology (AMAST), June, 1993, Workshops in
Computing, pages 97–108. Springer-Verlag, 1994.
Constable, Robert L., Stuart F. Allen, Mark Bromley, Rance Cleaveland, James F. Cre-
mer, Robert W. Harper, Douglas J. Howe, Todd B. Knoblock, Paul Mendler, Prakash
Panangaden, James T. Sasaki, and Scott F. Smith. Implementing Mathematics with
the NuPRL Proof Development System. Prentice-Hall, Englewood Cliffs, NJ, 1986.
References 541

Coquand, Catarina. The AGDA proof system homepage, 1998. http://www.cs.

chalmers.se/~catarina/agda/.
Coquand, Thierry. An analysis of Girard’s paradox. In IEEE Symposium on Logic in
Computer Science (LICS), Cambridge, Massachusetts, pages 227–236, June 1986.
Coquand, Thierry. An algorithm for testing conversion in type theory. In G. Huet
and G. Plotkin, editors, Logical Frameworks, pages 255–279. Cambridge University
Press, 1991.
Coquand, Thierry. Pattern matching with dependent types. In Workshop on
Types for Proofs and Programs (TYPES), Båstad, Sweden, informal proceed-
ings. Available from ftp://ftp.cs.chalmers.se/pub/cs-reports/baastad.
92/proc.ps.Z, June 1992.
Coquand, Thierry and Gérard Huet. The calculus of constructions. Information and
Computation, 76(2–3):95–120, February/March 1988.
Coquand, Thierry, Randy Pollack, and Makoto Takeyama. A logical framework with
dependently typed records. In International Conference on Typed Lambda Calculi
and Applications (TLCA), Valencia, Spain, volume 2701 of Lecture Notes in Com-
puter Science, pages 105–119. Springer-Verlag, June 2003.
Courant, Judicaël. Strong normalization with singleton types. In Workshop on In-
tersection Types and Related Systems (ITRS), Copenhagen, Denmark, volume 70 of
Electronic Notes in Theoretical Computer Science. Elsevier, July 2002.
Crank, Erik and Matthias Felleisen. Parameter-passing and the lambda calculus.
In ACM Symposium on Principles of Programming Languages (POPL), Orlando,
Florida, pages 233–244, January 1991.
Crary, Karl. A simple proof technique for certain parametricity results. In ACM SIG-
PLAN International Conference on Functional Programming (ICFP), Paris, France,
pages 82–89, September 1999.
Crary, Karl. Toward a foundational typed assembly language. In ACM SIGPLAN–
SIGACT Symposium on Principles of Programming Languages (POPL), New Orleans,
Louisiana, pages 198–212, January 2003.
Crary, Karl, Robert Harper, and Sidd Puri. What is a recursive module? In ACM SIG-
PLAN Conference on Programming Language Design and Implementation (PLDI),
pages 50–63, May 1999.
Crary, Karl, Stephanie Weirich, and Greg Morrisett. Intensional polymorphism in
type-erasure semantics. In ACM SIGPLAN International Conference on Functional
Programming (ICFP), Baltimore, Maryland, pages 301–312, 1998. Full version in
Journal of Functional Programming, 12(6), Nov. 2002, pp. 567–600.
Curtis, Pavel. Constrained Quantification in Polymorphic Type Analysis. PhD thesis,
Cornell University, Ithaca, New York, February 1990.
van Daalen, Diederik T. The Language Theory of Automath. PhD thesis, Technische
Hogeschool Eindhoven, Eindhoven, The Netherlands, 1980.
542 References

Damas, Luis and Robin Milner. Principal type schemes for functional programs. In
ACM Symposium on Principles of Programming Languages (POPL), Albuquerque,
New Mexico, pages 207–212, 1982.
Danvy, Olivier. Functional unparsing. Journal of Functional Programming, 8(6):621–
625, 1998.
DeLine, Rob and Manuel Fähndrich. Enforcing high-level protocols in low-level soft-
ware. In ACM SIGPLAN Conference on Programming Language Design and Imple-
mentation (PLDI), Snowbird, Utah, pages 59–69, June 2001.
Donahue, James and Alan Demers. Data types are values. ACM Transactions on
Programming Languages and Systems, 7(3):426–445, July 1985.
Došen, Kosta. A historical introduction to substructural logics. In K. Došen and
P. Schroeder-Heister, editors, Substructural Logics, pages 1–30. Oxford University
Press, 1993.
Dreyer, Derek, Karl Crary, and Robert Harper. A type system for higher-order mod-
ules. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Lan-
guages (POPL), New Orleans, Louisiana, pages 236–249, New Orleans, January
2003.
Dussart, Dirk, Fritz Henglein, and Christian Mossin. Polymorphic recursion and sub-
type qualifications: Polymorphic binding-time analysis in polynomial time. In Inter-
national Symposium on Static Analysis (SAS) , Paris, France, volume 983 of Lecture
Notes in Computer Science, pages 118–135. Springer-Verlag, July 1995.
Emms, Martin and Hans LeiSS. Extending the type checker for SML by polymor-
phic recursion—A correctness proof. Technical Report 96-101, Centrum für
Informations- und Sprachverarbeitung, Universität München, 1996.
Erhard, Thomas. A categorical semantics of constructions. In IEEE Symposium on
Logic in Computer Science (LICS), Edinburgh, Scotland, pages 264–273, July 1988.
Fähndrich, Manuel. Bane: A Library for Scalable Constraint-Based Program Analysis.
PhD thesis, University of California at Berkeley, Berkeley, California, 1999.
Fähndrich, Manuel and Rob DeLine. Adoption and focus: Practical linear types for
imperative programming. In ACM SIGPLAN Conference on Programming Language
Design and Implementation (PLDI), Berlin, Germany, pages 13–24, June 2002.
Fähndrich, Manuel, Jakob Rehof, and Manuvir Das. Scalable context-sensitive flow
analysis using instantiation constraints. In ACM SIGPLAN Conference on Program-
ming Language Design and Implementation (PLDI), Vancouver, British Columbia,
Canada, pages 253–263, June 2000.
Felleisen, Matthias and Robert Hieb. A revised report on the syntactic theories of
sequential control and state. Theoretical Computer Science, 103(2):235–271, 1992.
Fisher, Kathleen and John H. Reppy. The design of a class mechanism for Moby. In
ACM SIGPLAN Conference on Programming Language Design and Implementation
(PLDI), Atlanta, Georgia, pages 37–49, May 1999.
References 543

Flanagan, Cormac and Shaz Qadeer. A type and effect system for atomicity. In
ACM SIGPLAN Conference on Programming Language Design and Implementation
(PLDI), San Diego, California, pages 338–349, June 2003.
Flatt, Matthew and Matthias Felleisen. Units: Cool modules for HOT languages. In
ACM SIGPLAN Conference on Programming Language Design and Implementation
(PLDI), Montréal, Québec, pages 236–248, 1998.
Fluet, Matthew. Monadic regions. In Workshop on Semantics, Program Analysis and
Computing Environments for Memory Management (SPACE), informal proceedings,
January 2004.
Fluet, Matthew and Riccardo Pucella. Phantom types and subtyping. In IFIP Interna-
tional Conference on Theoretical Computer Science (TCS), pages 448–460, August
2002.
Foster, Jeffrey S., Tachio Terauchi, and Alex Aiken. Flow-sensitive type qualifiers. In
ACM SIGPLAN Conference on Programming Language Design and Implementation
(PLDI), Berlin, Germany, pages 1–12, June 2002.
Frey, Alexandre. Satisfying subtype inequalities in polynomial space. In International
Symposium on Static Analysis (SAS) , Paris, France, volume 1302 of Lecture Notes
in Computer Science, pages 265–277. Springer-Verlag, September 1997.
Fuh, You-Chin and Prateek Mishra. Type inference with subtypes. In European Sym-
posium on Programming (ESOP), Nancy, France, volume 300 of Lecture Notes in
Computer Science, pages 94–114. Springer-Verlag, March 1988.
Furuse, Jun P. and Jacques Garrigue. A label-selective lambda-calculus with optional
arguments and its compilation method. RIMS Preprint 1041, Kyoto University,
October 1995.
Garcia, Ronald, Jaakko Jarvi, Andrew Lumsdaine, Jeremy Siek, and Jeremia h Will-
cock. A comparative study of language support for generic programming. In ACM
SIGPLAN Conference on Object Oriented Programming: Systems, Languages, and
Applications (OOPSLA), Anaheim, California, pages 115–134, October 2003.
Garrigue, Jacques. Programming with polymorphic variants. In ACM SIGPLAN Work-
shop on ML, informal proceedings, September 1998.
Garrigue, Jacques. Code reuse through polymorphic variants. In Workshop on Foun-
dations of Software Engineering (FOSE), November 2000.
Garrigue, Jacques. Simple type inference for structural polymorphism. In Interna-
tional Workshop on Foundations of Object-Oriented Languages (FOOL), informal
proceedings, January 2002.
Garrigue, Jacques. Relaxing the value restriction. In International Symposium on
Functional and Logic Programming (FLOPS), Nara, Japan, volume 2998 of Lecture
Notes in Computer Science, pages 196–213. Springer-Verlag, April 2004.
Garrigue, Jacques and Hassan Aït-Kaci. The typed polymorphic label-selective
lambda-calculus. In ACM SIGPLAN–SIGACT Symposium on Principles of Program-
ming Languages (POPL), Portland, Oregon, pages 35–47, 1994.
544 References

Garrigue, Jacques and Didier Rémy. Extending ML with semi-explicit higher-order

polymorphism. Information and Computation, 155(1):134–169, 1999.
Gaster, Benedict R. Records, variants and qualified types. PhD thesis, University of
Nottingham, Nottingham, England, July 1998.
Gaster, Benedict R. and Mark P. Jones. A polymorphic type system for extensible
records and variants. Technical Report NOTTCS-TR-96-3, Department of Computer
Science, University of Nottingham, November 1996.
Gay, David and Alexander Aiken. Language support for regions. In ACM SIGPLAN
Conference on Programming Language Design and Implementation (PLDI), Snow-
bird, Utah, pages 70–80, June 2001.
Ghelli, Giorgio and Benjamin Pierce. Bounded existentials and minimal typing,
1992. Circulated in manuscript form. Full version in Theoretical Computer Science,
193(1–2):75–96, February 1998.
Gifford, David K. and John M. Lucassen. Integrating functional and imperative pro-
gramming. In ACM Symposium on Lisp and Functional Programming (LFP), Cam-
bridge, Massachusetts, pages 28–38, August 1986.
Girard, Jean-Yves. Interprétation fonctionnelle et élimination des coupures de l’arith-
métique d’ordre supérieur. Thèse d’état, University of Paris VII, 1972. Summary
in J. E. Fenstad, editor, Scandinavian Logic Symposium, pp. 63–92, North-Holland,
1971.
Girard, Jean-Yves. Linear logic. Theoretical Computer Science, 50:1–102, 1987.
Girard, Jean-Yves. Light linear logic. Information and Computation, 143:175–204,
1998.
Girard, Jean-Yves, Yves Lafont, and Paul Taylor. Proofs and Types, volume 7 of Cam-
bridge Tracts in Theoretical Computer Science. Cambridge University Press, 1989.
Glew, Neal. Type dispatch for named hierarchical types. In ACM SIGPLAN Interna-
tional Conference on Functional Programming (ICFP), Paris, France, pages 172–182,
1999.
GNU. GNU C library, version 2.2.5, 2001. Available from http://www.gnu.org/
manual/glibc-2.2.5/html_mono/libc.html.
Goguen, Healfdene. A Typed Operational Semantics for Type Theory. PhD thesis,
LFCS, University of Edinburgh, Edinburgh, Scotland, 1994. Report ESC-LFCS-94-
304.
Gordon, Andrew D. Bisimilarity as a theory of functional programming. In Workshop
on the Mathematical Foundations of Programming Semantics (MFPS), New Orleans,
Louisiana, volume 1 of Electronic Notes in Theoretical Computer Science. Elsevier,
April 1995.
Gordon, Andrew D. Operational equivalences for untyped and polymorphic object
calculi. In A. D. Gordon and A. M. Pitts, editors, Higher-Order Operational Tech-
niques in Semantics, Publications of the Newton Institute, pages 9–54. Cambridge
University Press, 1998.
References 545

Gordon, Andrew D. and Alan Jeffrey. Authenticity by typing for security protocols. In
IEEE Computer Security Foundations Workshop (CSFW), Cape Breton, Nova Scotia,
pages 145–159, 2001a.
Gordon, Andrew D. and Alan Jeffrey. Typing correspondence assertions for commu-
niation protocols. In Workshop on the Mathematical Foundations of Programming
Semantics (MFPS), Aarhus, Denmark, volume 45 of Electronic Notes in Theoretical
Computer Science, pages 379–409. Elsevier, May 2001b.
Gordon, Andrew D. and Alan Jeffrey. Types and effects for asymmetric cryptographic
protocols. In IEE Computer Security Foundations Workshop (CSFW) , Cape Breton,
Nova Scotia, pages 77–91, 2002.
Gordon, Andrew D. and Don Syme. Typing a multi-language intermediate code.
In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), London, England, pages 248–260, January 2001.
Gordon, Michael J., Robin Milner, and Christopher P. Wadsworth. Edinburgh LCF,
volume 78 of Lecture Notes in Computer Science. Springer-Verlag, 1979.
Gough, John. Compiling for the .NET Common Language Runtime. .NET series. Pren-
tice Hall, 2002.
Grossman, Dan, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James
Cheney. Region-based memory management in Cyclone. In ACM SIGPLAN Con-
ference on Programming Language Design and Implementation (PLDI), Berlin, Ger-
many, pages 282–293, 2002.
Gustavsson, Jörgen and Josef Svenningsson. Constraint abstractions. In Symposium
on Programs as Data Objects (PADO), Aarhus, Denmark, volume 2053 of Lecture
Notes in Computer Science, pages 63–83. Springer-Verlag, May 2001.
Hallenberg, Niels, Martin Elsman, and Mads Tofte. Combining region inference and
garbage collection. In ACM SIGPLAN Conference on Programming Language De-
sign and Implementation (PLDI), Berlin, Germany, pages 141–152, June 2002.
Hallgren, Thomas and Aarne Ranta. An extensible proof text editor (abstract). In
International Conference on Logic for Programming and Automated Reasoning
(LPAR), Reunion Island, volume 1955 of Lecture Notes in Computer Science, pages
70–84. Springer-Verlag, 2000.
Hamid, Nadeem, Zhong Shao, Valery Trifonov, Stefan Monnier, and Zhaozhong Ni.
A syntactic approach to foundational proof-carrying code. In IEEE Symposium on
Logic in Computer Science (LICS), pages 89–100, July 2002.
Hanson, David R. Fast allocation and deallocation of memory based on object life-
times. Software—Practice and Experience, 20(1):5–12, 1990.
Hardin, Thérèse, Luc Maranget, and Bruno Pagano. Functional runtimes within the
lambda-sigma calculus. Journal of Functional Programming, 8(2):131–172, March
1998.
Harper, Robert, Furio Honsell, and Gordon Plotkin. A framework for defining logics.
Journal of the ACM, 40(1):143–184, 1993. Summary in IEEE Symposium on Logic in
Computer Science (LICS), Ithaca, New York, 1987.
546 References

Harper, Robert and Mark Lillibridge. A type-theoretic approach to higher-order mod-

ules with sharing. In ACM SIGPLAN–SIGACT Symposium on Principles of Program-
ming Languages (POPL), Portland, Oregon, pages 123–137, January 1994.
Harper, Robert and John C. Mitchell. On the type structure of Standard ML. ACM
Transactions on Programming Languages and Systems, 15(2):211–252, April 1993.
An earlier version appeared in ACM Symposium on Principles of Programming Lan-
guages (POPL), San Diego, California, under the title “The Essence of ML” (Mitchell
and Harper), 1988.
Harper, Robert, John C. Mitchell, and Eugenio Moggi. Higher-order modules and the
phase distinction. In ACM Symposium on Principles of Programming Languages
(POPL), San Francisco, California, pages 341–354, January 1990.
Harper, Robert and Frank Pfenning. On equivalence and canonical forms in the LF
type theory. ACM Transactions on Computational Logic, 2004. To appear. An ear-
lier version is available as Technical Report CMU-CS-00-148, School of Computer
Science, Carnegie Mellon University.
Harper, Robert and Robert Pollack. Type checking with universes. Theoretical Com-
puter Science, 89:107–136, 1991.
Harper, Robert and Christopher Stone. A type-theoretic interpretation of Standard
ML. In G. Plotkin, C. Stirling, and M. Tofte, editors, Proof, Language and Interaction:
Essays in Honour of Robin Milner. MIT Press, 2000.
Heintze, Nevin. Set based analysis of ML programs. In ACM Symposium on Lisp and
Functional Programming (LFP), Orlando, Florida, pages 306–317, June 1994.
Heintze, Nevin. Control-flow analysis and type systems. In International Sympo-
sium on Static Analysis (SAS) , Glasgow, Scotland, volume 983 of Lecture Notes in
Computer Science, pages 189–206. Springer-Verlag, 1995.
Helsen, Simon and Peter Thiemann. Syntactic type soundness for the region calculus.
In Workshop on Higher Order Operational Techniques in Semantics (HOOTS), Mon-
tréal, Québec, volume 41(3) of Electronic Notes in Theoretical Computer Science,
pages 1–20. Elsevier, September 2000.
Helsen, Simon and Peter Thiemann. Polymorphic specialization for ML. ACM Trans-
actions on Programming Languages and Systems, 26(4):652–701, July 2004.
Henglein, Fritz. Polymorphic Type Inference and Semi-Unification. PhD thesis, Rutgers
University, April 1989. Available as NYU Technical Report 443, May 1989, from
New York University, Courant Institute of Mathematical Sciences, Department of
Computer Science, 251 Mercer St., New York, NY 10012, USA.
Henglein, Fritz. Type inference with polymorphic recursion. ACM Transactions on
Programming Languages and Systems, 15(2):253–289, 1993.
Henglein, Fritz, Henning Makholm, and Henning Niss. A direct approach to control-
flow sensitive region-based memory management. In ACM SIGPLAN International
Conference on Principles and Practice of Declarative Programming (PPDP), Firenze,
Italy, pages 175–186, September 2001.
References 547

Henglein, Fritz and Christian Mossin. Polymorphic binding-time analysis. In European

Symposium on Programming (ESOP), Edinburgh, Scotland, volume 788 of Lecture
Notes in Computer Science, pages 287–301. Springer-Verlag, April 1994.

Hirschowitz, Tom and Xavier Leroy. Mixin modules in a call-by-value setting. In

European Symposium on Programming (ESOP), Grenoble, France, pages 6–20, April
2002.

Hoare, C. A. R. Proof of correctness of data representation. Acta Informatica, 1:

271–281, 1972.

Hofmann, Martin. A mixed modal/linear lambda calculus with applications to

bellantoni-cook safe recursion. In International Workshop on Computer Science
Logic (CSL), Aarhus, Denmark, pages 275–294, August 1997a.

Hofmann, Martin. Syntax and semantics of dependent types. In A. M. Pitts and

P. Dybjer, editors, Semantics and Logic of Computation, pages 79–130. Cambridge
University Press, 1997b.

Hofmann, Martin. Linear types and non-size-increasing polynomial time computa-

tion. In IEEE Symposium on Logic in Computer Science (LICS), Trento, Italy, pages
464–473, June 1999.

Hofmann, Martin. Safe recursion with higher types and BCK-algebra. Annals of Pure
and Applied Logic, 104(1–3):113–166, 2000.

Honsell, Furio, Ian A. Mason, Scott F. Smith, and Carolyn L. Talcott. A variable typed
logic of effects. Information and Computation, 119(1):55–90, 1995.

Howard, William A. Hereditarily majorizable functionals of finite type. In A. S. Troel-

stra, editor, Metamathematical Investigation of Intuitionistic Arithmetic and Analy-
sis, volume 344 of Lecture Notes in Mathematics, pages 454–461. Springer-Verlag,
Berlin, 1973.

Howard, William A. The formulas-as-types notion of construction. In J. P. Seldin

and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda
Calculus, and Formalism, pages 479–490. Academic Press, 1980. Reprint of 1969
article.

Howe, Douglas J. Proving congruence of bisimulation in functional programming

languages. Information and Computation, 124(2):103–112, 1996.

Huet, Gérard. Résolution d’equations dans les langages d’ordre 1,2, ...,ω. Thèse de
Doctorat d’Etat, Université de Paris 7, Paris, France, 1976.

Igarashi, Atsushi and Naoki Kobayashi. A generic type system for the Pi-calculus.
In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), London, England, pages 128–141, January 2001.

Igarashi, Atsushi and Naoki Kobayashi. Resource usage analysis. In ACM SIGPLAN–
SIGACT Symposium on Principles of Programming Languages (POPL), Portland,
Oregon, pages 331–342, January 2002.
548 References

Igarashi, Atsushi and Benjamin C. Pierce. Foundations for virtual types. In European
Conference on Object-Oriented Programming (ECOOP), Lisbon, Portugal, June 1999.
Also in informal proceedings of the Workshop on Foundations of Object-Oriented
Languages (FOOL), January 1999. Full version in Information and Computation,
175(1): 34–49, May 2002.
Ishtiaq, Samin and Peter O’Hearn. BI as an assertion language for mutable data
structures. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming
Languages (POPL), London, England, pages 14–26, January 2001.
Jacobs, Bart. Categorical Logic and Type Theory. Studies in Logic and the Foundations
of Mathematics 141. Elsevier, 1999.
Jategaonkar, Lalita A. ML with extended pattern matching and subtypes. Master’s
thesis, Massachusetts Institute of Technology, August 1989.
Jategaonkar, Lalita A. and John C. Mitchell. ML with extended pattern matching and
subtypes (preliminary version). In ACM Symposium on Lisp and Functional Pro-
gramming (LFP), Snowbird, Utah, pages 198–211, Snowbird, Utah, July 1988.
Jensen, Kathleen and Niklaus Wirth. Pascal User Manual and Report. Springer-Verlag,
second edition, 1975.

Jim, Trevor. What are principal typings and what are they good for? In ACM SIGPLAN–
SIGACT Symposium on Principles of Programming Languages (POPL), St. Petersburg
Beach, Florida, pages 42–53, 1996.
Jim, Trevor, J. Greg Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and
Yanling Wang. Cyclone: A safe dialect of C. In General Track: USENIX Annual
Technical Conference, pages 275–288, June 2002.
Jim, Trevor and Jens Palsberg. Type inference in systems of recursive types with sub-
typing, 1999. Manuscript, available from http://www.cs.purdue.edu/homes/
palsberg/draft/jim-palsberg99.pdf.
Johann, Patricia. A generalization of short-cut fusion and its correctness proof.
Higher-Order and Symbolic Computation, 15(4):273–300, 2002.
Jones, Mark P. Qualified Types: Theory and Practice. Cambridge University Press,
1994.

Jones, Mark P. Using parameterized signatures to express modular structure. In ACM

SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL),
St. Petersburg Beach, Florida, January 21–24, 1996.

Jones, Mark P. Typing Haskell in Haskell. In ACM Haskell Workshop, informal pro-
ceedings, October 1999.
Jones, Mark P. and John C. Peterson. The Hugs 98 user manual, 1999. Available from
http://www.haskell.org/hugs/.
Jones, Mark P. and Simon Peyton Jones. Lightweight extensible records for Haskell.
In ACM Haskell Workshop, informal proceedings, October 1999.
References 549

Jouannaud, Jean-Pierre and Claude Kirchner. Solving equations in abstract algebras:

a rule-based survey of unification. In J.-L. Lassez and G. Plotkin, editors, Computa-
tional Logic: Essays in honor of Alan Robinson, pages 257–321. MIT Press, 1991.
Jouvelot, Pierre and David Gifford. Algebraic reconstruction of types and effects.
In ACM Symposium on Principles of Programming Languages (POPL), Orlando,
Florida, pages 303–310, January 1991.
Jouvelot, Pierre and David K. Gifford. Reasoning about continuations with control
effects. In ACM SIGPLAN Conference on Programming Language Design and Im-
plementation (PLDI), Portland, Oregon, pages 218–226, June 1989.
Jung, Achim and Allen Stoughton. Studying the fully abstract model of PCF within its
continuous function model. In International Conference on Typed Lambda Calculi
and Applications (TLCA), Utrecht, The Netherlands, volume 664 of Lecture Notes in
Computer Science, pages 230–244. Springer-Verlag, March 1993.
Jutting, L.S. van Benthem, James McKinna, and Robert Pollack. Checking algorithms
for Pure Type Systems. In International Workshop on Types for Proofs and Pro-
grams (TYPES), Nijmegen, The Netherlands, May 1993, volume 806 of Lecture Notes
in Computer Science, pages 19–61. Springer-Verlag, 1994.
Kfoury, Assaf J., Jerzy Tiuryn, and Pawel Urzyczyn. ML typability is dexptime-
complete. In Colloquium on Trees in Algebra and Programming (CAAP), Copen-
hagen, Denmark, volume 431 of Lecture Notes in Computer Science, pages 206–
220. Springer-Verlag, May 1990.
Kfoury, Assaf J., Jerzy Tiuryn, and Pawel Urzyczyn. The undecidability of the semi-
unification problem. Information and Computation, 102(1):83–101, January 1993.
Kfoury, Assaf J., Jerzy Tiuryn, and Pawel Urzyczyn. An analysis of ML typability.
Journal of the ACM, 41(2):368–398, March 1994.
Kirchner, Claude and Francis Klay. Syntactic theories and unification. In IEEE Sympo-
sium on Logic in Computer Science (LICS), Philadelphia, Pennsylvania, pages 270–
277, June 1990.
Knight, Kevin. Unification: a multidisciplinary survey. ACM Computing Surveys, 21
(1):93–124, March 1989.
Kobayashi, Naoki. Quasi-linear types. In ACM SIGPLAN–SIGACT Symposium on Princi-
ples of Programming Languages (POPL), San Antonio, Texas, pages 29–42, January
1999.
Kozen, Dexter, Jens Palsberg, and Michael I. Schwartzbach. Efficient recursive sub-
typing. Mathematical Structures in Computer Science, 5(1):113–125, 1995.
Kuncak, Viktor and Martin Rinard. Structural subtyping of non-recursive types is
decidable. In IEEE Symposium on Logic in Computer Science (LICS), Ottawa, Canada,
pages 96–107, June 2003.
Lafont, Yves. The linear abstract machine. Theoretical Computer Science, 59:157–180,
1988.
550 References

Lambek, Joachim. The mathematics of sentence structure. American Mathematical

Monthly, 65:154–170, 1958.
Lampson, Butler and Rod Burstall. Pebble, a kernel language for modules and abstract
data types. Information and Computation, 76:278–346, February/March 1988.

Lassen, Søren Bøgh. Relational Reasoning about Functions and Nondeterminism. PhD
thesis, Department of Computer Science, University of Aarhus, Aarhus, Denmark,
1998.
Lassez, Jean-Louis, Michael J. Maher, and Kim G. Marriott. Unification revisited. In
J. Minker, editor, Foundations of Deductive Databases and Logic Programming,
pages 587–625. Morgan Kaufmann, 1988.
Lee, Oukseh and Kwangkeun Yi. Proofs about a folklore let-polymorphic type infer-
ence algorithm. ACM Transactions on Programming Languages and Systems, 20
(4):707–723, July 1998.
Leivant, Daniel. Stratified functional programs and computational complexity.
In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), Charleston, South Carolina, pages 325–333, January 1993.
Leroy, Xavier. Polymorphic typing of an algorithmic language. Research Report 1778,
INRIA, October 1992.
Leroy, Xavier. Manifest types, modules and separate compilation. In ACM SIGPLAN–
SIGACT Symposium on Principles of Programming Languages (POPL), Portland,
Oregon, pages 109–122, January 1994.
Leroy, Xavier. Applicative functors and fully transparent higher-order modules.
In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), San Francisco, California, pages 142–153, January 1995.
Leroy, Xavier. A syntactic theory of type generativity and sharing. Journal of Func-
tional Programming, 6(5):667–698, September 1996.
Leroy, Xavier. The Objective Caml system: Documentation and user’s manual, 2000.
With Damien Doligez, Jacques Garrigue, Didier Rémy, and Jérôme Vouillon. Avail-
able from http://caml.inria.fr.
Leroy, Xavier and François Pessaux. Type-based analysis of uncaught exceptions.
ACM Transactions on Programming Languages and Systems, 22(2):340–377, March
2000. Summary in ACM SIGPLAN–SIGACT Symposium on Principles of Program-
ming Languages (POPL), San Antonio, Texas, 1999.

Lillibridge, Mark. Translucent Sums: A Foundation for Higher-Order Module Systems.

PhD thesis, School of Computer Science, Carnegie Mellon University, Pittsburgh,
Pennsylvania, May 1997.
Lindholm, Tim and Frank Yellin. The Java Virtual Machine Specification. The Java
Series. Addison-Wesley, Reading, MA, January 1997.

Liskov, Barbara. A history of CLU. ACM SIGPLAN Notices, 28(3):133–147, 1993.

References 551

Loader, Ralph. Finitary PCF is not decidable. Theoretical Computer Science, 266(1–2):
341–364, September 2001.
Lucassen, John M. Types and Effects towards the Integration of Functional and Impera-
tive Programming. PhD thesis, Massachusetts Institute of Technology, Cambridge,
Massachusetts, August 1987. Technical Report MIT-LCS-TR-408.
Lucassen, John M. and David K. Gifford. Polymorphic effect systems. In ACM Sympo-
sium on Principles of Programming Languages (POPL), San Diego, California, pages
47–57, 1988.
Luo, Zhaohui. Computation and Reasoning: A Type Theory for Computer Science.
Number 11 in International Series of Monographs on Computer Science. Oxford
University Press, 1994.
Luo, Zhaohui and Robert Pollack. The LEGO proof development system: A user’s
manual. Technical Report ECS-LFCS-92-211, University of Edinburgh, May 1992.
MacQueen, David. Modules for Standard ML. In ACM Symposium on Lisp and Func-
tional Programming (LFP), Austin, Texas, pages 198–207, 1984.
MacQueen, David. Using dependent types to express modular structure. In ACM
Symposium on Principles of Programming Languages (POPL), St. Petersburg Beach,
Florida, pages 277–286, January 1986.
MacQueen, David B. and Mads Tofte. A semantics for higher-order functors. In Eu-
ropean Symposium on Programming (ESOP), Edinburgh, Scotland, volume 788 of
Lecture Notes in Computer Science, pages 409–423. Springer-Verlag, April 1994.
Magnusson, Lena and Bengt Nordström. The ALF proof editor and its proof engine. In
International Workshop on Types for Proofs and Programs (TYPES), Nijmegen, The
Netherlands, May, 1993, volume 806 of Lecture Notes in Computer Science, pages
213–237. Springer-Verlag, 1994.
Mairson, Harry G., Paris C. Kanellakis, and John C. Mitchell. Unification and ML type
reconstruction. In J.-L. Lassez and G. Plotkin, editors, Computational Logic: Essays
in Honor of Alan Robinson, pages 444–478. MIT Press, 1991.
Makholm, Henning. Region-based memory management in Prolog. Master’s thesis,
University of Copenhagen, Department of Computer Science, March 2000. Techni-
cal Report DIKU-TR-00/09.
Makholm, Henning. A Language-Independend Framework for Region Inference. PhD
thesis, University of Copenhagen, Department of Computer Science, Copenhagen,
Denmark, 2003.
Makholm, Henning and Kostis Sagonas. On enabling the WAM with region support.
In International Conference on Logic Programming (ICLP), volume 2401 of Lecture
Notes in Computer Science, pages 163–178. Springer-Verlag, July 2002.
Martelli, Alberto and Ugo Montanari. Unification in linear time and space: A struc-
tured presentation. Internal Report B76-16, Istituto di Elaborazione delle Infor-
mazione, Consiglio Nazionale delle Ricerche, Pisa, July 1976.
552 References

Martelli, Alberto and Ugo Montanari. An efficient unification algorithm. ACM Trans-
actions on Programming Languages and Systems, 4(2):258–282, 1982.
Martin-Löf, Per. Intuitionistic Type Theory. Bibliopolis, 1984.
Mason, Ian A., Scott F. Smith, and Carolyn L. Talcott. From operational semantics to
domain theory. Information and Computation, 128(1):26–47, 1996.
Mason, Ian A. and Carolyn L. Talcott. Equivalence in functional languages with effects.
Journal of Functional Programming, 1:287–327, 1991.
McAllester, David. On the complexity analysis of static analyses. Journal of the ACM,
49(4):512–537, July 2002.
McAllester, David. A logical algorithm for ML type inference. In International Con-
ference on Rewriting Techniques and Applications (RTA), Valencia, Spain, volume
2706 of Lecture Notes in Computer Science, pages 436–451. Springer-Verlag, June
2003.
McBride, Conor. Dependently Typed Functional Programs and their Proofs. PhD thesis,
LFCS, University of Edinburgh, Edinburgh, Scotland, 2000.
McBride, Conor and James McKinna. The view from the left. Journal of Functional
Programming, 14(1):69–111, 2004.
McKinna, James and Robert Pollack. Pure Type Sytems formalized. In International
Conference on Typed Lambda Calculi and Applications (TLCA), Utrecht, The Nether-
lands, volume 664 of Lecture Notes in Computer Science, pages 289–305. Springer-
Verlag, March 1993.
Melski, David and Thomas Reps. Interconvertibility of a class of set constraints
and context-free language reachability. Theoretical Computer Science, 248(1–2),
November 2000.
Milner, Robin. A theory of type polymorphism in programming. Journal of Computer
and System Sciences, 17:348–375, August 1978.
Milner, Robin, Mads Tofte, and Robert Harper. The Definition of Standard ML. MIT
Press, 1990.
Milner, Robin, Mads Tofte, Robert Harper, and David MacQueen. The Definition of
Standard ML, Revised edition. MIT Press, 1997.
Minamide, Yasuhiko. A functional representation of data structures with a hole.
In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), San Diego, California, pages 75–84, January 1998.
Minamide, Yasuhiko, Greg Morrisett, and Robert Harper. Typed closure conversion.
In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), St. Petersburg Beach, Florida, pages 271–283, January 1996.
Miquel, Alexandre. Le calcul des constructions implicite: syntaxe et sémantique. PhD
thesis, University Paris 7, Paris, France, 2001.
Mitchell, John C. Coercion and type inference. In ACM Symposium on Principles
of Programming Languages (POPL), Salt Lake City, Utah, pages 175–185, January
1984.
References 553

Mitchell, John C. Representation independence and data abstraction. In ACM Sympo-

sium on Principles of Programming Languages (POPL), St. Petersburg Beach, Florida,
pages 263–276, January 1986.
Mitchell, John C. On the equivalence of data representations. In V. Lifschitz, editor,
Artificial Intelligence and Mathematical Theory of Computation: Papers in Honor of
John McCarthy, pages 305–330. Academic Press, 1991a.
Mitchell, John C. Type inference with simple subtypes. Journal of Functional Pro-
gramming, 1(3):245–286, July 1991b.
Mitchell, John C. Foundations for Programming Languages. MIT Press, 1996.
Mitchell, John C. and Gordon D. Plotkin. Abstract types have existential types. ACM
Transactions on Programming Languages and Systems, 10(3):470–502, 1988. Sum-
mary in ACM Symposium on Principles of Programming Languages (POPL), New
Orleans, Louisiana, 1985.
Moggi, Eugenio. Computational lambda-calculus and monads. In IEEE Symposium
on Logic in Computer Science (LICS), Asilomar, California, pages 14–23, June 1989.
Full version, titled Notions of Computation and Monads, in Information and Com-
putation, 93(1), pp. 55–92, 1991.
Moh, Shaw-Kwei. The deduction theorems and two new logical systems. Methodos, 2:
56–75, 1950.
Mohring, Christine. Algorithm development in the calculus of constructions. In IEEE
Symposium on Logic in Computer Science (LICS), Cambridge, Massachusetts, pages
84–91, June 1986.
Monnier, Stefan, Bratin Saha, and Zhong Shao. Principled scavenging. In ACM SIG-
PLAN Conference on Programming Language Design and Implementation (PLDI),
Snowbird, Utah, pages 81–91, June 2001.
Morrisett, Greg, Karl Crary, Neal Glew, and David Walker. Stack-based typed assembly
language. Journal of Functional Programming, 12(1):43–88, January 2002.
Morrisett, Greg, David Walker, Karl Crary, and Neal Glew. From System-F to typed
assembly language. ACM Transactions on Programming Languages and Systems,
21(3):527–568, May 1999.
Mossin, Christian. Flow Analysis of Typed Higher-Order Programs. PhD thesis, Uni-
versity of Copenhagen, Department of Computer Science, Copenhagen, Denmark,
1997. Also available as Technical Report DIKU-TR-97/1.
Müller, Martin. A constraint-based recast of ML-polymorphism. In International Work-
shop on Unification, June 1994. Also available as Technical Report 94-R-243, CRIN,
Nancy, France.
Müller, Martin. Notes on HM(X), August 1998. Available from http://www.ps.
uni-sb.de/~mmueller/papers/HMX.ps.gz.
Müller, Martin, Joachim Niehren, and Ralf Treinen. The first-order theory of ordering
constraints over feature trees. Discrete Mathematics and Theoretical Computer
Science, 4(2):193–234, 2001.
554 References

Müller, Martin and Susumu Nishimura. Type inference for first-class messages with
feature constraints. In Asian Computer Science Conference (ASIAN), Manila, The
Philippines, volume 1538 of Lecture Notes in Computer Science, pages 169–187.
Springer-Verlag, December 1998.

Mycroft, Alan. Polymorphic type schemes and recursive definitions. In International

Symposium on Programming, Toulouse, France, volume 167 of Lecture Notes in
Computer Science, pages 217–228, Toulouse, France, April 1984. Springer-Verlag.

Necula, George C. Proof-carrying code. In ACM SIGPLAN–SIGACT Symposium on Prin-

ciples of Programming Languages (POPL), Paris, France, pages 106–119, January
1997.

Necula, George C. Compiling with Proofs. PhD thesis, Carnegie Mellon University,
Pittsburgh, Pennsylvania, September 1998. Technical report CMU-CS-98-154.

Necula, George C. Translation validation for an optimizing compiler. In ACM SIG-

PLAN Conference on Programming Language Design and Implementation (PLDI),
Vancouver, British Columbia, Canada, pages 83–94, June 2000.

Necula, George C. and Peter Lee. Safe kernel extensions without run-time checking.
In USENIX Symposium on Operating Systems Design and Implementation (OSDI),
Seattle, Washington, pages 229–243, October 1996.

Necula, George C. and Peter Lee. The design and implementation of a certifying
compiler. In ACM SIGPLAN Conference on Programming Language Design and
Implementation (PLDI), Montréal, Québec, pages 333–344, June 1998a.

Necula, George C. and Peter Lee. Efficient representation and validation of logical
proofs. In IEEE Symposium on Logic in Computer Science (LICS), Indianapolis, Indi-
ana, pages 93–104, June 1998b.

Niehren, Joachim, Martin Müller, and Andreas Podelski. Inclusion constraints over
non-empty sets of trees. In Theory and Practice of Software Development (TAP-
SOFT), Lille, France, volume 1214 of Lecture Notes in Computer Science, pages
217–231. Springer-Verlag, April 1997.

Niehren, Joachim and Tim Priesnitz. Non-structural subtype entailment in automata

theory. Information and Computation, 186(2):319–354, November 2003.

Nielson, Flemming and Hanne Riis Nielson. From CML to its process algebra. Theo-
retical Computer Science, 155:179–219, 1996.

Nielson, Flemming, Hanne Riis Nielson, and Christopher L. Hankin. Principles of Pro-
gram Analysis. Springer-Verlag, 1999.

Nielson, Flemming, Hanne Riis Nielson, and Helmut Seidl. A succinct solver for ALFP.
Nordic Journal of Computing, 9(4):335–372, 2002.

Nielson, Hanne Riis and Flemming Nielson. Higher-order concurrent programs with
finite communication topology. In ACM SIGPLAN–SIGACT Symposium on Principles
of Programming Languages (POPL), Portland, Oregon, pages 84–97, January 1994.
References 555

Nishimura, Susumu. Static typing for dynamic messages. In ACM SIGPLAN–SIGACT

Symposium on Principles of Programming Languages (POPL), San Diego, California,
pages 266–278, 1998.

Niss, Henning. Regions are Imperative: Unscoped Regions and Control-Flow Sensi-
tive Memory Management. PhD thesis, University of Copenhagen, Department of
Computer Science, Copenhagen, Denmark, 2002.

Nöcker, Erick and Sjaak Smetsers. Partially strict non-recursive data types. Journal
of Functional Programming, 3(2):191–215, 1993.

Nöcker, Erick G. M. H., Sjaak E. W. Smetsers, Marko C. J. D. van Eekelen, and Mari-
nus J. Plasmeijer. Concurrent clean. In Symposium on Parallel Architectures and
Languages Europe, Volume I: Parallel Architectures and Algorithms (PARLE), Eind-
hoven, The Netherlands, volume 505 of Lecture Notes in Computer Science, pages
202–219. Springer-Verlag, June 1991.

Odersky, Martin. Observers for linear types. In European Symposium on Program-

ming (ESOP), Rennes, France, volume 582 of Lecture Notes in Computer Science,
pages 390–407. Springer-Verlag, February 1992.

Odersky, Martin, Vincent Cremet, Christine Rockl, and Matthias Zenger. A nominal
theory of objects with dependent types. In International Workshop on Foundations
of Object-Oriented Languages (FOOL), informal proceedings, 2003.

Odersky, Martin, Martin Sulzmann, and Martin Wehr. Type inference with constrained
types. Theory and Practice of Object Systems, 5(1):35–55, 1999. Summary in Inter-
national Workshop on Foundations of Object-Oriented Languages (FOOL), informal
proceedings, 1997.

O’Hearn, Peter. On bunched typing. Journal of Functional Programming, 13(4):747–

796, 2003.

O’Hearn, Peter and David Pym. The logic of bunched implications. Bulletin of Symbolic
Logic, 5(2):215–244, 1999.

Ohori, Atsushi. A polymorphic record calculus and its compilation. ACM Transac-
tions on Programming Languages and Systems, 17(6):844–895, November 1995.

Ohori, Atsushi and Peter Buneman. Type inference in a database programming lan-
guage. In ACM Symposium on Lisp and Functional Programming (LFP), Snowbird,
Utah, pages 174–183, July 1988.

Ohori, Atsushi and Peter Buneman. Static type inference for parametric classes. In
Conference on Object Oriented Programming: Systems, Languages, and Applica-
tions (OOPSLA), New Orleans, Louisiana, pages 445–456, October 1989. Also in C.
A. Gunter and J. C. Mitchell, editors, Theoretical Aspects of Object-Oriented Pro-
gramming: Types, Semantics, and Language Design, MIT Press, 1994.

Orlov, Ivan E. The calculus of compatibility of propositions (in Russian). Matematich-

eskii Sbornik, 35:263–286, 1928.
556 References

Owre, Sam, Sreeranga Rajan, John M. Rushby, Natarajan Shankar, and Mandayam K.
Srivas. PVS: Combining specification, proof checking, and model checking. In
International Conference on Computer Aided Verification (CAV), New Brunswick,
New Jersey, volume 1102 of Lecture Notes in Computer Science, pages 411–414.
Springer-Verlag, July 1996.
Palsberg, Jens. Efficient inference of object types. Information and Computation, 123
(2):198–209, 1995.
Palsberg, Jens. Type-based analysis and applications. In ACM SIGPLAN–SIGSOFT
Workshop on Program Analysis for Software Tools and Engineering (PASTE), Snow-
bird, Utah, pages 20–27, June 2001.
Palsberg, Jens and Patrick O’Keefe. A type system equivalent to flow analysis. In ACM
SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), San
Francisco, California, pages 367–378, 1995.
Palsberg, Jens and Michael Schwartzbach. Type substitution for object-oriented
programming. In ACM SIGPLAN Conference on Object Oriented Programming:
Systems, Languages, and Applications (OOPSLA)/European Conference on Object-
Oriented Programming (ECOOP), Ottawa, Ontario, volume 25(10) of ACM SIGPLAN
Notices, pages 151–160, October 1990.
Palsberg, Jens and Michael I. Schwartzbach. Object-Oriented Type Systems. Wiley,
1994.
Palsberg, Jens, Mitchell Wand, and Patrick M. O’Keefe. Type inference with non-
structural subtyping. Formal Aspects of Computing, 9:49–67, 1997.
Parnas, David. The criteria to be used in decomposing systems into modules. Com-
munications of the ACM, 14(1):221–227, 1972.
Paterson, Michael S. and Mark N. Wegman. Linear unification. Journal of Computer
and System Sciences, 16:158–167, 1978.
Paulin-Mohring, Christine. Extracting Fω ’s programs from proofs in the calculus
of constructions. In ACM Symposium on Principles of Programming Languages
(POPL), Austin, Texas, pages 89–104, January 1989.
Petersen, Leaf, Perry Cheng, Robert Harper, and Chris Stone. Implementing the TILT
internal language. Technical Report CMU-CS-00-180, Department of Computer Sci-
ence, Carnegie Mellon University, 2000.
Petersen, Leaf, Robert Harper, Karl Crary, and Frank Pfenning. A type theory for
memory allocation and data layout. In ACM SIGPLAN–SIGACT Symposium on Prin-
ciples of Programming Languages (POPL), New Orleans, Louisiana, pages 172–184,
January 2003.
Peyton Jones, Simon. Special issue: Haskell 98 language and libraries. Journal of
Functional Programming, 13, January 2003.
Pfenning, Frank and Rowan Davies. A judgmental reconstruction of modal logic.
Mathematical Structures in Computer Science, 11(4):511–540, 2001.
References 557

Pfenning, Frank and Carsten Schürmann. Algorithms for equality and unification
in the presence of notational definitions. In T. Altenkirch, W. Naraschewski,
and B. Reus, editors, International Workshop on Types for Proofs and Programs
(TYPES), Kloster Irsee, Germany, volume 1657 of Lecture Notes in Computer Sci-
ence. Springer-Verlag, 1998.

Pierce, Benjamin C. Types and Programming Languages. MIT Press, 2002.

Pierce, Benjamin C. and David N. Turner. Object-oriented programming without re-

cursive types. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming
Languages (POPL), Charleston, South Carolina, pages 299–312, January 1993.

Pitts, Andrew M. Relational properties of domains. Information and Computation,

127:66–90, 1996.

Pitts, Andrew M. Existential types: Logical relations and operational equivalence.

In International Colloquium on Automata, Languages and Programming (ICALP),
Aalborg, Denmark, volume 1443 of Lecture Notes in Computer Science, pages 309–
326. Springer-Verlag, 1998.

Pitts, Andrew M. Parametric polymorphism and operational equivalence. Mathemat-

ical Structures in Computer Science, 10:321–359, 2000.

Pitts, Andrew M. Operational semantics and program equivalence. In G. Barthe, P. Dy-

bjer, and J. Saraiva, editors, Applied Semantics, Advanced Lectures, volume 2395 of
Lecture Notes in Computer Science, Tutorial, pages 378–412. Springer-Verlag, 2002.

Pitts, Andrew M. and Ian D. B. Stark. Observable properties of higher order functions
that dynamically create local names, or: What’s new? In International Symposium
on Mathematical Foundations of Computer Science, Gdańsk, Poland, volume 711 of
Lecture Notes in Computer Science, pages 122–141. Springer-Verlag, 1993.

Pitts, Andrew M. and Ian D. B. Stark. Operational reasoning for functions with local
state. In A. D. Gordon and A. M. Pitts, editors, Higher-Order Operational Techniques
in Semantics, Publications of the Newton Institute, pages 227–273. Cambridge Uni-
versity Press, 1998.

Plotkin, Gordon D. Lambda-definability and logical relations. Memorandum SAI–RM–

4, University of Edinburgh, Edinburgh, Scotland, October 1973.

Plotkin, Gordon D. LCF considered as a programming language. Theoretical Computer

Science, 5:223–255, 1977.

Plotkin, Gordon D. Lambda-definability in the full type hierarchy. In J. P. Seldin

and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda
Calculus and Formalism, pages 363–373. Academic Press, 1980.

Plotkin, Gordon D. and Martín Abadi. A logic for parametric polymorphism. In In-
ternational Conference on Typed Lambda Calculi and Applications (TLCA), Utrecht,
The Netherlands, volume 664 of Lecture Notes in Computer Science, pages 361–375.
Springer-Verlag, March 1993.
558 References

Polakow, Jeff and Frank Pfenning. Natural deduction for intuitionistic non-
commutative linear logic. In International Conference on Typed Lambda Calculi
and Applications (TLCA), L’Aquila, Italy, volume 1581 of Lecture Notes in Computer
Science, pages 295–309. Springer-Verlag, April 1999.
Poll, Erik. Expansion Postponement for Normalising Pure Type Systems. Journal of
Functional Programming, 8(1):89–96, 1998.
Pollack, Robert. The Theory of LEGO: A Proof Checker for the Extended Calculus of
Constructions. PhD thesis, University of Edinburgh, Edinburgh, Scotland, 1994.
Popkorn, Sally. First Steps in Modal Logic. Cambridge University Press, 1994.
Pottier, François. A versatile constraint-based type inference system. Nordic Journal
of Computing, 7(4):312–347, November 2000.
Pottier, François. A semi-syntactic soundness proof for HM(X). Research Report
4150, INRIA, March 2001a.
Pottier, François. Simplifying subtyping constraints: a theory. Information and Com-
putation, 170(2):153–183, November 2001b.
Pottier, François. A constraint-based presentation and generalization of rows. In IEEE
Symposium on Logic in Computer Science (LICS), Ottawa, Canada, pages 331–340,
June 2003.
Pottier, François and Vincent Simonet. Information flow inference for ML. ACM Trans-
actions on Programming Languages and Systems, 25(1):117–158, January 2003.
Pottier, François, Christian Skalka, and Scott Smith. A systematic approach to static
access control. In European Symposium on Programming (ESOP), Genova, Italy,
volume 2028 of Lecture Notes in Computer Science, pages 30–45. Springer-Verlag,
April 2001.
Pratt, Vaughan and Jerzy Tiuryn. Satisfiability of inequalities in a poset. Fundamenta
Informaticae, 28(1–2):165–182, 1996.
Pugh, William and Grant Weddell. Two-directional record layout for multiple in-
heritance. In ACM SIGPLAN Conference on Programming Language Design and
Implementation (PLDI), White Plains, New York, pages 85–91, June 1990.
Rajamani, Sriram K. and Jakob Rehof. A behavioral module system for the pi-calculus.
In International Symposium on Static Analysis (SAS) , Paris, France, volume 2126 of
Lecture Notes in Computer Science, pages 375–394. Springer-Verlag, July 2001.
Rajamani, Sriram K. and Jakob Rehof. Conformance checking for models of asyn-
chronous message passing software. In International Conference on Computer
Aided Verification (CAV), Copenhagen, Denmark, pages 166–179, July 2002.
Rehof, Jakob. Minimal typings in atomic subtyping. In ACM SIGPLAN–SIGACT Sym-
posium on Principles of Programming Languages (POPL), Paris, France, pages 278–
291, January 1997.
Rehof, Jakob and Manuel Fähndrich. Type-based flow analysis: From polymorphic
subtyping to CFL reachability. In ACM SIGPLAN–SIGACT Symposium on Principles
of Programming Languages (POPL), London, England, pages 54–66, 2001.
References 559

Reid, Alastair, Matthew Flatt, Leigh Stoller, Jay Lepreau, and Eric Eide. Knit: Com-
ponent composition for systems software. In USENIX Symposium on Operating
Systems Design and Implementation (OSDI), San Diego, California, pages 347–360,
October 2000.

Rémy, Didier. Typechecking records and variants in a natural extension of ML. In

ACM Symposium on Principles of Programming Languages (POPL), Austin, Texas,
pages 242–249, January 1989. Long version in C. A. Gunter and J. C. Mitchell, ed-
itors, Theoretical Aspects of Object-Oriented Programming: Types, Semantics, and
Language Design, MIT Press, 1994.

Rémy, Didier. Algèbres Touffues. Application au Typage Polymorphe des Objets Enreg-
istrements dans les Langages Fonctionnels. PhD thesis, Université Paris VII, 1990.

Rémy, Didier. Extending ML type system with a sorted equational theory. Research
Report 1766, Institut National de Recherche en Informatique et Automatisme, Roc-
quencourt, BP 105, 78 153 Le Chesnay Cedex, France, 1992a.

Rémy, Didier. Projective ML. In ACM Symposium on Lisp and Functional Programming
(LFP), San Francisco, California, pages 66–75, June 1992b.

Rémy, Didier. Syntactic theories and the algebra of record terms. Research Report
1869, Institut National de Recherche en Informatique et Automatisme, Rocquen-
court, BP 105, 78 153 Le Chesnay Cedex, France, 1993.

Rémy, Didier. Programming objects with ML-ART: An extension to ML with abstract

and record types. In International Symposium on Theoretical Aspects of Computer
Software (TACS), Sendai, Japan, volume 789 of Lecture Notes in Computer Science,
pages 321–346. Springer-Verlag, April 1994.

Rémy, Didier and Jérôme Vouillon. Objective ML: An effective object-oriented exten-
sion to ML. Theory And Practice of Object Systems, 4(1):27–50, 1998. Summary
in ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages
(POPL), Paris, France, 1997.

van Renesse, Robbert, Kenneth P. Birman, Mark Hayden, Alexey Vaysburd, and David
Karr. Building adaptive systems using Ensemble. Software: Practice and Experience,
28(9):963–979, August 1998.

Restall, Greg. An Introduction to Substructural Logics. Routledge, February 2000.

Restall, Greg. Relevant and substructural logics. In D. Gabbay and J. Woods, editors,
Handbook of the History and Philosophy of Logic, volume 6, Logic and the Modalities
in the Twentieth Century. Elsevier, 2005. To appear.

Reynolds, John C. Automatic computation of data set definitions. In Information

Processing 68, Edinburgh, Scotland, volume 1, pages 456–461. North Holland, 1969.

Reynolds, John C. Towards a theory of type structure. In Colloque sur la Programma-

tion, Paris, France, volume 19 of Lecture Notes in Computer Science, pages 408–425.
Springer-Verlag, 1974.
560 References

Reynolds, John C. Syntactic control of interference. In ACM Symposium on Principles

of Programming Languages (POPL), Tucson, Arizona, pages 39–46, January 1978.
Reprinted in O’Hearn and Tennent, ALGOL-like Languages, vol. 1, pages 273–286,
Birkhäuser, 1997.
Reynolds, John C. Types, abstraction, and parametric polymorphism. In R. E. A.
Mason, editor, Information Processing 83, Paris, France, pages 513–523. Elsevier,
1983.
Reynolds, John C. Syntactic control of interference, part 2. Report CMU-CS-89-130,
Carnegie Mellon University, April 1989.

Reynolds, John C. Intuitionistic reasoning about shared mutable data structure. In

J. Davies, A. W. Roscoe, and J. Woodcock, editors, Millennial Perspectives in Com-
puter Science: Proceedings of the 1999 Oxford-Microsoft Symposium in honour of
Sir Tony Hoare. Palgrave Macmillan, 2000.
Robinson, J. Alan. Computational logic: The unification computation. Machine Intel-
ligence, 6:63–72, 1971.
Ross, Douglas T. The AED free storage package. Communications of the ACM, 10(8):
481–492, 1967.

Russo, Claudio V. Types for Modules. PhD thesis, Edinburgh University, Edinburgh,
Scotland, 1998. LFCS Thesis ECS–LFCS–98–389.
Russo, Claudio V. Non-dependent types for standard ML modules. In ACM SIGPLAN
International Conference on Principles and Practice of Declarative Programming
(PPDP), Paris France, pages 80–97, September 1999.

Russo, Claudio V. Recursive structures for Standard ML. In ACM SIGPLAN Interna-
tional Conference on Functional Programming (ICFP), Firenze, Italy, pages 50–61,
September 2001.

Sabry, Amr. What is a purely functional language? Journal of Functional Program-

ming, 8(1):1–22, January 1998.
Saha, Bratin, Nevin Heintze, and Dino Oliva. Subtransitive CFA using types. Technical
Report YALEU/DCS/TR-1166, Yale University, Department of Computer Science,
October 1998.

Sangiorgi, Davide and David. The π -Calculus: a Theory of Mobile Processes. Cam-
bridge University Press, 2001.
Sannella, Donald, Stefan Sokolowski, and Andrzej Tarlecki. Toward formal develop-
ment of programs from algebraic specifications: Parameterisation revisited. Acta
Informatica, 29(8):689–736, 1992.
Schneider, Fred B. Enforceable security policies. ACM Transactions on Information
and System Security, 3(1):30–50, February 2000.
Schwartz, Jacob T. Optimization of very high level languages (parts I and II). Com-
puter Languages, 1(2–3):161–194, 197–218, 1975.
References 561

Seldin, Jonathan. Curry’s anticipation of the types used in programming languages.

In Proceedings of the Annual Meeting of the Canadian Society for History and Phi-
losophy of Mathematics, Toronto, Ontario, pages 143–163, May 2002.
Semmelroth, Miley and Amr Sabry. Monadic encapsulation in ML. In ACM SIGPLAN
International Conference on Functional Programming (ICFP), Paris, France, pages
8–17, September 1999.
Sestoft, Peter. Replacing function parameters by global variables. In ACM Sympo-
sium on Functional Programming Languages and Computer Architecture (FPCA),
London, England, pages 39–53, September 1989. Also available as University of
Copenhagen, Department of Computer Science Technical Report 88-7-2.
Sestoft, Peter. Moscow ML homepage, 2003. http://www.dina.dk/~sestoft/
mosml.html.
Severi, Paula and Erik Poll. Pure type systems with definitions. In International Sym-
posium on Logical Foundations of Computer Science (LFCS), St. Petersburg, Russia,
volume 813 of Lecture Notes in Computer Science, pages 316–328. Springer-Verlag,
September 1994.
Shao, Zhong. An overview of the FLINT/ML compiler. In ACM SIGPLAN Workshop on
Types in Compilation (TIC), Amsterdam, The Netherlands, June 1997.
Shao, Zhong. Typed cross-module compilation. In ACM SIGPLAN International Con-
ference on Functional Programming (ICFP), Baltimore, Maryland, pages 141–152,
September 1998.
Shao, Zhong. Transparent modules with fully syntactic signatures. In ACM SIGPLAN
International Conference on Functional Programming (ICFP), Paris, France, pages
220–232, September 1999.
Shao, Zhong, Christopher League, and Stefan Monnier. Implementing typed inter-
mediate languages. In ACM SIGPLAN International Conference on Functional Pro-
gramming (ICFP), Baltimore, Maryland, pages 313–323, September 1998.
Shivers, Olin. Control flow analysis in Scheme. In ACM SIGPLAN Conference on Pro-
gramming Language Design and Implementation (PLDI), Atlanta, Georgia, pages
164–174, June 1988.
Shivers, Olin. Control-Flow Analysis of Higher-Order Languages or Taming Lambda.
PhD thesis, Carnegie Mellon University, Pittsburgh, Pennsylvania, May 1991.
Simonet, Vincent. Type inference with structural subtyping: a faithful formalization
of an efficient constraint solver. In Asian Symposium on Programming Languages
and Systems (APLAS), Beijing, China, pages 283–302, November 2003.
Skalka, Christian and François Pottier. Syntactic type soundness for HM(X). In Work-
shop on Types in Programming (TIP), Dagstuhl, Germany, volume 75 of Electronic
Notes in Theoretical Computer Science. Elsevier, July 2002.
Smith, Frederick, David Walker, and Greg Morrisett. Alias types. In European Sym-
posium on Programming (ESOP), Berlin, Germany, volume 1782 of Lecture Notes in
Computer Science, pages 366–381. Springer-Verlag, April 2000.
562 References

Smith, Geoffrey S. Principal type schemes for functional programs with overloading
and subtyping. Science of Computer Programming, 23(2–3):197–226, December
1994.
Smith, Jan, Bengt Nordström, and Kent Petersson. Programming in Martin-Löf’s Type
Theory: An Introduction. Oxford University Press, 1990.
Statman, Richard. Logical relations and the typed λ-calculus. Information and Con-
trol, 65(2–3):85–97, May–June 1985.
Steele, Guy L., Jr. Common Lisp: The Language. Digital Press, 1990.
Stone, Christopher A. Singleton Kinds and Singleton Types. PhD thesis, Carnegie
Mellon University, Pittsburgh, Pennsylvania, August 2000.
Stone, Christopher A. and Robert Harper. Deciding type equivalence in a language
with singleton kinds. In ACM SIGPLAN–SIGACT Symposium on Principles of Pro-
gramming Languages (POPL), Boston, Massachusetts, pages 214–227, January 2000.
Stone, Christopher A. and Robert Harper. Extensional equivalence and singleton
types. 2005. To appear.
Streicher, Thomas. Semantics of Type Theory. Springer-Verlag, 1991.
Su, Zhendong, Alexander Aiken, Joachim Niehren, Tim Priesnitz, and Ralf Treinen.
The first-order theory of subtyping constraints. In ACM SIGPLAN–SIGACT Sym-
posium on Principles of Programming Languages (POPL), Portland, Oregon, pages
203–216, January 2002.
Sulzmann, Martin. A General Framework for Hindley/Milner Type Systems with Con-
straints. PhD thesis, Yale University, Department of Computer Science, New Haven,
Connecticut, May 2000.
Sulzmann, Martin, Martin Müller, and Christoph Zenger. Hindley/Milner style type
systems in constraint form. Research Report ACRC–99–009, University of South
Australia, School of Computer and Information Science, July 1999.
Sumii, Eijiro and Benjamin C. Pierce. A bisimulation for type abstraction and re-
cursion. In ACM SIGPLAN–SIGACT Symposium on Principles of Programming Lan-
guages (POPL), Long Beach, California, 2005.
Sun. JavaT M 2 Platform Micro Edition (J2MET M ) Technology for Creating Mobile
Devices—White Paper. Sun Microsystems, May 2000. Available from http://java.
sun.com/products/kvm/wp/KVMwp.pdf.
Tait, William W. Intensional interpretations of functionals of finite type I. Journal of
Symbolic Logic, 32(2):198–212, June 1967.
Talcott, C. Reasoning about functions with effects. In A. D. Gordon and A. M. Pitts,
editors, Higher Order Operational Techniques in Semantics, Publications of the
Newton Institute, pages 347–390. Cambridge University Press, 1998.
Talpin, Jean-Pierre and Pierre Jouvelot. Polymorphic type, region and effect inference.
Journal of Functional Programming, 2(2):245–271, 1992.
References 563

Talpin, Jean-Pierre and Pierre Jouvelot. The type and effect discipline. Information
and Computation, 111:245–296, 1994.
Tarditi, David, Greg Morrisett, Perry Cheng, Christopher Stone, Robert Harper, and
Peter Lee. TIL: A type-directed optimizing compiler for ML. In ACM SIGPLAN Con-
ference on Programming Language Design and Implementation (PLDI), Philadephia,
Pennsylvania, pages 181–192, May 1996.

Tarjan, Robert Endre. Efficiency of a good but not linear set union algorithm. Journal
of the ACM, 22(2):215–225, April 1975.
Tarjan, Robert Endre. Applications of path compression on balanced trees. Journal
of the ACM, 26(4):690–715, October 1979.
Terlouw, J. Een nadere bewijstheoretische analyse van GSTTs. Manuscript, University
of Nijmegen, Netherlands, 1989.

Thorup, Kresten Krab. Genericity in Java with virtual types. In European Confer-
ence on Object-Oriented Programming (ECOOP), Jyväskylä, Finland, volume 1241
of Lecture Notes in Computer Science, pages 444–471. Springer-Verlag, June 1997.
Tiuryn, Jerzy. Subtype inequalities. In IEEE Symposium on Logic in Computer Science
(LICS), Santa Cruz, California, pages 308–317, June 1992.

Tiuryn, Jerzy and Mitchell Wand. Type reconstruction with recursive types and
atomic subtyping. In Theory and Practice of Software Development (TAPSOFT),
Orsay, France, volume 668 of Lecture Notes in Computer Science, pages 686–701.
Springer-Verlag, April 1993.
Tofte, Mads. Operational Semantics and Polymorphic Type Inference. PhD thesis,
Computer Science Department, Edinburgh University, Edinburgh, Scotland, 1988.
Tofte, Mads and Lars Birkedal. A region inference algorithm. ACM Transactions on
Programming Languages and Systems, 20(4):724–767, 1998.

Tofte, Mads, Lars Birkedal, Martin Elsman, and Niels Hallenberg. Region-based mem-
ory management in perspective. In ACM SIGPLAN International Conference on
Principles and Practice of Declarative Programming (PPDP), Firenze, Italy, pages
175–186, September 2001a.
Tofte, Mads, Lars Birkedal, Martin Elsman, Niels Hallenberg, Tommy Højfeld Olesen,
and Peter Sestoft. Programming with regions in the ML Kit (for version 4). Technical
report, IT University of Copenhagen, October 2001b.
Tofte, Mads and Jean-Pierre Talpin. Implementing the call-by-value lambda-calculus
using a stack of regions. In ACM SIGPLAN–SIGACT Symposium on Principles of
Programming Languages (POPL), Portland, Oregon, January 1994.
Tofte, Mads and Jean-Pierre Talpin. Region-based memory management. Information
and Computation, 132(2):109–176, February 1997.
Torgersen, Mads. Virtual types are statically safe. In International Workshop on Foun-
dations of Object-Oriented Languages (FOOL), informal proceedings, January 1998.
564 References

Trifonov, Valery and Scott Smith. Subtyping constrained types. In International Sym-
posium on Static Analysis (SAS) , Aachen, Germany, volume 1145 of Lecture Notes
in Computer Science, pages 349–365. Springer-Verlag, September 1996.
Turner, David N. and Philip Wadler. Operational interpretations of linear logic. The-
oretical Computer Science, 227:231–248, 1999. Special issue on linear logic.
Turner, David N., Philip Wadler, and Christian Mossin. Once upon a type. In ACM
Symposium on Functional Programming Languages and Computer Architecture
(FPCA)San Diego, California, pages 1–11, June 1995.
Vouillon, Jerome and Paul-André Melliès. Semantic types: A fresh look at the ideal
model for types. In ACM SIGPLAN–SIGACT Symposium on Principles of Program-
ming Languages (POPL), Venice, Italy, pages 52–63, 2004.
Wadler, Philip. Theorems for free! In ACM Symposium on Functional Programming
Languages and Computer Architecture (FPCA), London, England, pages 347–359,
September 1989.
Wadler, Philip. Linear types can change the world. In IFIP TC 2 Working Conference
on Programming Concepts and Methods, Sea of Galilee, Israel, pages 546–566, April
1990.
Wadler, Philip. The marriage of effects and monads. ACM Transactions on Computa-
tional Logic, 4(1):1–32, 2003.
Wahbe, Robert, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. Efficient
software-based fault isolation. In ACM Symposium on Operating Systems Principles
(SOSP), Asheville, North Carolina, pages 203–216, December 1993.
Walker, David, Karl Crary, and Greg Morrisett. Typed memory management via static
capabilities. ACM Transactions on Programming Languages and Systems, 22(4):
701–771, July 2000.
Walker, David and Greg Morrisett. Alias types for recursive data structures. In ACM
SIGPLAN Workshop on Types in Compilation (TIC), Montréal, Québec, September,
2000, volume 2071, pages 177–206. Springer-Verlag, 2001.
Walker, David and Kevin Watkins. On regions and linear types. In ACM SIGPLAN
International Conference on Functional Programming (ICFP), Firenze, Italy, pages
181–192, September 2001.
Wand, Mitchell. Complete type inference for simple objects. In IEEE Symposium on
Logic in Computer Science (LICS), Ithaca, New York, pages 37–44, June 1987a.
Wand, Mitchell. A simple algorithm and proof for type inference. Fundamenta Infor-
maticae, 10:115–122, 1987b.
Wand, Mitchell. Corrigendum: Complete type inference for simple objects. In IEEE
Symposium on Logic in Computer Science (LICS), Edinburgh, Scotland, page 132,
1988.
Wand, Mitchell. Type inference for objects with instance variables and inheritance.
In C. A. Gunter and J. C. Mitchell, editors, Theoretical Aspects of Object-Oriented
References 565

Programming: Types, Semantics, and Language Design, pages 97–120. MIT Press,
1994.
Wang, Daniel C. and Andrew W. Appel. Type-preserving garbage collectors. In ACM
SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL),
London, England, pages 166–178, January 2001.
Wansbrough, Keith and Simon Peyton Jones. Once upon a polymorphic type. In ACM
SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), San
Antonio, Texas, pages 15–28, January 1999.
Wells, Joe B. Typability and type checking in system F are equivalent and undecidable.
Annals of Pure and Applied Logic, 98(1–3):111–156, 1999.
Wells, Joe B. The essence of principal typings. In International Colloquium on Au-
tomata, Languages and Programming (ICALP), volume 2380 of Lecture Notes in
Computer Science, pages 913–925. Springer-Verlag, 2002.
Werner, Benjamin. Une Théorie des Constructions Inductives. PhD thesis, Université
Paris 7, Paris, France, May 1994.
Wirth, Niklaus. Systematic Programming: An Introduction. Prentice Hall, 1973.
Wirth, Niklaus. Programming in Modula-2. Texts and Monographs in Computer Sci-
ence. Springer-Verlag, 1983.
Wright, Andrew K. Simple imperative polymorphism. Lisp and Symbolic Computation,
8(4):343–355, 1995.
Wright, Andrew K. and Robert Cartwright. A practical soft type system for Scheme.
In ACM Symposium on Lisp and Functional Programming (LFP), Orlando, Florida,
pages 250–262, June 1994. Full version available in ACM Transactions on Program-
ming Languages and Systems, 19(1):87–52, January 1997.
Wright, Andrew K. and Matthias Felleisen. A syntactic approach to type soundness.
Information and Computation, 115(1):38–94, November 1994.
Xi, Hongwei. Dependent Types in Practical Programming. PhD thesis, Carnegie Mellon
University, Pittsburgh, Pennsylvania, 1998.
Xi, Hongwei and Robert Harper. A dependently typed assembly language. In ACM SIG-
PLAN International Conference on Functional Programming (ICFP), Firenze, Italy,
pages 169–180, September 2001.
Xi, Hongwei and Frank Pfenning. Dependent types in practical programming. In ACM
SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), San
Antonio, Texas, pages 214–227, January 1999.
Zenger, Christoph. Indexed types. Theoretical Computer Science, 187:147–165, 1997.
Zwanenburg, Jan. Pure type systems with subtyping. In International Conference
on Typed Lambda Calculi and Applications (TLCA), L’Aquila, Italy, volume 1581 of
Lecture Notes in Computer Science, pages 381–396. Springer-Verlag, April 1999.
View publication stats