=Paper=
{{Paper
|id=Vol-3860/paper_6
|storemode=property
|title=Isomorphic Transfer Infrastructure for Nested Types in Isabelle/HOL (Work in Progress)
|pdfUrl=https://ceur-ws.org/Vol-3860/paper_6.pdf
|volume=Vol-3860
|authors=Gergely Buday,Andrei Popescu
|dblpUrl=https://dblp.org/rec/conf/ifm/Buday024
}}
==Isomorphic Transfer Infrastructure for Nested Types in Isabelle/HOL (Work in Progress)==
https://ceur-ws.org/Vol-3860/paper_6.pdf
Isomorphic Transfer Infrastructure for Nested Types in
Isabelle/HOL (Work in Progress)
Gergely Buday1 , Andrei Popescu1
1
School of Computer Science, University of Sheffield, Sheffield, UK
Abstract
This paper addresses (part of) the problem of simplifying reasoning with proof assistants by transferring theorems
that are stated in a heavy form, using explicit invariants, to lightweight counterparts where the invariants are
handled implicitly by the type system. Specifically, we provide some abstract assumptions that allow one to
establish isomorphisms for nested applications of defined types in Gordonβs Higher-Order Logic (HOL). This
allows the seamless isomorphic transfer of results across type definitions in the presence of nesting. Our results
have been formalized in the Isabelle/HOL theorem prover, and we plan to integrate them with Isabelleβs Lifting
and Transfer tool.
Keywords
Higher-Order Logic (HOL), type definitions, theorem proving, Isabelle/HOL
1. Introduction
The definition of new types by carving out subsets of existing types, known as typedef, is a fundamental
mechanism in Higher-Order Logic (HOL), a logic that provides the foundation for several interactive
theorem provers, including HOL4 [1], HOL Light [2] and Isabelle/HOL [3]. While most of the uses of
typedef are hidden under the (automated) definition of (co)inductive datatypes [4, 5, 6, 7] and therefore
not directly invoked by the users, there still remains an important scenario where typedef is invoked
explicitly.
Namely, say one has a type (perhaps an algebraic datatype) π that does not capture precisely the
intended concept (because it contains too many elements), but only via an invariant defined in terms of
a predicate on π, or equivalently, a set πΌ that has type π set.1 Then one defines the more precise type π
as a typedef, to consist of exactly the inhabitants of π that belong to the set πΌβi.e., πΌ is effectively turned
into a type.
Let us consider two examples, which will act as our running examples throughout this paper.
Example 1. (Distinct Lists) Polymorphic lists are introduced as the following datatype, where we
use ML-style notation feature by Isabelle/HOL as well as all the HOL-based provers (in particular, πΌ
denotes a type variable):
datatype πΌ list = Nil β£ Cons πΌ (πΌ list)
For a list xs, we let length xs be its length and, given a natural number π < length, we let xs!π be the (πβ1)βth
element in xs (so the indexing starts from 0). In some developments, one may be interested in working
with nonrepetitive (βdistinctβ) lists, i.e., lists whose elements do not repeatβto this end, one defines the
(polymorphic) predicate distinct βΆ πΌ list β bool by distinct xs β‘ βπ π. π < π β§ π < length xs βΆ xs!π β xs!π.
The new (polymorphic) type πΌ dlist of distinct lists is defined as a typedef:
typedef πΌ dlist = {xs βΆ πΌ list β£ distinct xs}
This command introduces the new type πΌ dlist together with an abstraction-representation pair of
(polymorphic) constants2 (Repdlist , Absdlist ) with Repdlist βΆ πΌ dlist β πΌ list and Absdlist βΆ πΌ list β πΌ dlist
PhD Symposium of the 19th International Conference on Integrated Formal Methods (iFM)
at the University of Manchester, UK, 12 November 2024.
Envelope-Open g.buday@sheffield.ac.uk (G. Buday); a.popescu@sheffield.ac.uk (A. Popescu)
Β© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
1
The type π set of sets of elements of a type π is a copy of the type π β bool, where set is a type operator.
2
In HOL, items that have a fixed interpretation, including fixed values such as 0 or defined functions, are called βconstantsβ;
they are to be contrasted with βvariablesβ, which do not have a fixed interpretation but range over given types.
CEUR
ceur-ws.org
Workshop ISSN 1613-0073
Proceedings
�and the following axioms stating that these functions are mutually inverse bijections between the new
type πΌ dlist and the subset {xs βΆ πΌ list β£ distinct xs} of the base type πΌ list.3 In Isabelle/HOL, these axioms
are actually packed into a single axiom:
type_definition Repdlist Absdlist {xs βΆ πΌ list β£ distinct xs}
where the (polymorphic) predicate type_definition βΆ (π½ β πΌ) β (πΌ β π½) β (πΌ set) β bool is defined as
follows: type_definition π π π΄ β‘ (βπ₯. π π₯ β π΄) β§ (βπ¦ βΆ π½. π (π π¦) = π¦) β§ (βπ₯ βΆ πΌ. π₯ β π΄ βΆ π (π π₯) = π₯).
Thus, in this example π is πΌ list, πΌ is {xs βΆ πΌ list β£ distinct xs}, and π is πΌ dlist. β‘
Example 2. (Discrete Distributions) A (discrete) distribution is a positive function to the real
numbers of countable support such that its values sum up to to 1. The polymorphic type πΌ distrib of
distributions on πΌ is introduced as a typedef having base type πΌ β real (the type of functions from πΌ to
real ):
typedef πΌ distrib = {π βΆ πΌ β real β£ dist xs}
where the predicate dist βΆ (πΌ β real) β bool is defined by dist π β‘ (βπ₯ βΆ πΌ. π π₯ β₯ 0) β§ countable {π₯ βΆ
πΌ β£ π π₯ β 0} β§ βπ₯βΆπΌ π π₯ = 1.
As before, the above command introduces a new type πΌ distrib , an abstraction-representation pair
of constants (Repdlist , Absdlist ) with (Repdistrib , Absdistrib ) with Repdistrib βΆ πΌ distrib β πΌ list, and the
axiom type_definition Repdistrib Absdistrib {π βΆ πΌ β real β£ dist π } saying that Absdistrib and Repdistrib are
mutually inverse bijections between πΌ distrib and {π βΆ πΌ β real β£ distrib xs}.
Thus, in this example π is πΌ β real, πΌ is {π βΆ πΌ β real β£ dist xs}, and π is πΌ distrib. β‘
In a formal development that follows the above scheme, one usually distinguishes between:
β’ developing the βinternalβ mathematical theory, which usually proceeds without defining π, but
instead working with π and stating the theorems relativized to πΌβfor example, proving facts of
the form βπ‘ βΆ π . π‘ β πΌ βΆ . . .
β’ at the end, defining π and βsealingβ the library for export by transferring from π to π all the
constants and all the main (exportable) facts that have been proved proved relative to πΌβfor
example, turning facts of the form βπ‘ βΆ π . π‘ β πΌ βΆ . . . into facts of the form βπ‘ β² βΆ π. . . .
The process of βisomorphicallyβ transferring πΌ-relativized constants and results on π to corresponding
constants and results on π, while seemingly conceptually straightforward, turns out to be quite subtle
in the presence of higher-order constants. It requires infrastructure for lifting relations along type
constructors (known as relators), which allows the automated proofs of the transferred theorems from
the original onesβthis is facilitated in Isabelle/HOL by various dedicated tools [8, 9, 10].
In this short work-in-progress paper, we study a fairly common pattern: the isomorphic transfer in
the presence of nested type constructors. We start with motivation in terms of a standard construction
applied to our running examples (Β§2), which leads to formulating the wider scope of the problem. We
then work out the solution to the problem in an ad hoc manner on the running examples Β§3. After that,
we are ready to describe our main result: some abstract general structure and conditions that enable
this pattern, in that they allow constructing a back-and-forth bijection for transfer (Β§4), and show how
it instantiates to our examples. We conclude with related work and future plans, notably the planned
integration of our work into Isabelleβs Lifting and Transfer package (Β§5). Our concepts and results apply
to Higher-Order Logic, hence are in principle relevant to any HOL-based provers. We have formalized
them in the Isabelle/HOL theorem prover, and the formal scripts are publicly available [11].
3
These are sometimes called an βembedding-projection pairβ; here we prefer terminology that is closer to HOL, referring to a
representation function (indicating how elements of the new type are represented/implemented in terms of those of the old
one) and an opposite abstraction function.
�2. The Concrete Problem
Consider the problem of proving that the type constructors (polymorphic types) πΌ dlist and πΌ distrib
constitute monads [12, 13] or at least monad-like structuresβwhich are very useful properties to have
for any (data)type, whenever possible.
According to the above pattern, one wishes to first prove the properties for the underlying
(representing types) πΌ list and πΌ β real relative to the defining predicates distinct and dist, and then
transfer them to the defined types πΌ dlist and πΌ distrib. (Not only is this good practice, but in some
sense it is the only way to proceed, at least initially when βbootstrappingβ a theory for the defined
types, given that initially our only means to prove a property on the defined type is to trace it back
to a property on the underlying type.)
Some of the monadic structure and properties involve nesting the application of type constructors,
for example we want to have a map (functorial-action) operator mapdistrib βΆ (πΌ β π½) β (πΌ distrib β
π½ distrib) and join (counit) operator joindistrib βΆ (πΌ distrib) distrib β πΌ distrib satisfying (among others)
the associativity law joindistrib β (mapdistrib joindistrib ) = joindistrib β joindistrib .
How to define such structure and prove such properties on the defined types? Let us start with a simple
example that does not involve nesting, namely defining the map operator on (πΌ β π½) β (πΌ distrib β
π½ distrib) and proving that it preserves identities, in that βπ βΆ πΌ distrib. mapdistrib (id βΆ πΌ β πΌ) π = π
where id denotes the identity function. We define mapdistrib on any π βΆ πΌ β π½ and π βΆ πΌ distrib by
mapdistrib π π = Absdistrib (ππ βΆ π½. βπβπ β1 π Repdistrib π π). Notice that the definition requires a back-
and-forth application of the abstraction and representation functions Absdistrib and Repdistrib , with some
specific manipulation of items of the underlying type πΌ β real. (In this case, the specific manipulation
happens to involve taking the sum of a function in πΌ β real over all the elements of the π-preimage of
π, but the exact nature of such manipulations is not important here.) Now, to prove the desired fact,
fix π βΆ πΌ distrib. In order to show mapdistrib id π = π, by the injectivity of Repdistrib it suffixes to show
Repdistrib (mapdistrib id π) = Repdistrib π. Using the definition of mapdistrib and the fact that Repdistrib is
left-inverse to Absdistrib , the above is equivalent to ππ βΆ π½. βπβidβ1 π Repdistrib π π = Repdistrib π, i.e.,
to ππ βΆ π½. βπ=π Repdistrib π π = Repdistrib π, which follows from the properties of sums and function
extensionality.
We thus have the following pattern: To define constants on the defined type and prove properties for
them, we need to move back and forth via the abstraction-representation pair and use consequences of the
associated type_definition axiom.
But how to do this in the presence of nested defined type constructors (where the abstraction-
representation pairs stemming from type definitions no longer work out of the box)? In the next section,
we discuss in an ad hoc manner how to tackle the nested isomorphic transfer problem in the presence
of nested types for our two running examples. After that, we will introduce an abstract solution, which
covers these two cases and many others.
3. The Solution for Two Concrete Instances
Now let us come back to the original more complex problem, of defining joindistrib βΆ (πΌ distrib) distrib β
πΌ distrib (in addition to mapdistrib which we have already defined) and proving the associativity law.
In order to define joindistrib , which operates on the nested defined type (πΌ distrib) distrib, we need
an understanding of how a counterpart of this operator should act on the (nested application of) the
underlying type, i.e., on (πΌ β real)real. To be more exact, we donβt need to consider the behavior of
such a counterpart on all functions πΉ βΆ (πΌ β real) β real, but seemingly only on functions that act
like distributions, i.e., satisfy distrib πΉ (i.e., are positive, have countable support and sum to 1). In fact,
upon a closer look we see that the functions of interest are not really distributions on the entire type
πΌ β real, but on the subset of πΌ β real that consists of distributions only, i.e., distributions on the set
{π βΆ πΌ β real β£ distrib π }. In other words, we need a relativized version of the predicate distrib, let us
�denote it by distOn βΆ πΌ set β πΌ distrib β bool, defined by
distOn π΄ π β‘ (βπ₯ βΆ πΌ. π₯ β π΄ βΆπ π₯ β₯ 0) β§ countable {π₯ βΆ πΌ β£ π₯ β π΄ β§π π₯ β 0} β§ β ππ₯=1
π₯βπ΄
where we have highlighted the difference from the original predicate distβin that the conditions are not
applied to the entire type πΌ, but to a parameter subset π΄ βΆ πΌ set. Note that we can recover the original
predicate as dist = distOn UNIV, where UNIV is the βuniversalβ set covering the entire type.
With this relativized predicate at hand, the picture becomes clear: Given a function πΉ βΆ (πΌ β real) β
real that acts like a distribution on distributions on πΌ, i.e., such that distOn {π βΆ πΌ β real β£ dist π } πΉ holds,
we have the formal means to turn it into a βflatβ distribution, let us call it join πΉ, on πΌ β real, namely by
summation (applying of course a well-known mathematical construction): join πΉ π₯ β‘ βπ β{π β£ dist π } πΉ π π₯.
Now, to define joindistrib from join, we need to able to move back and forth between πΌ distrib distrib
and and (πΌ β real) β real, ideally using a similar infrastructure as the abstraction-representation pair
(Absdistrib , Repdistrib ) and predicate distrib that allowed us to move between πΌ distrib and πΌ β real. And
indeed, this is possible:
β’ We define dist2 βΆ ((πΌ β real) β real) β bool to be distOn {π βΆ πΌ β real β£ dist π }.
β’ We define Absdistrib,2 βΆ ((πΌ β real) β real) β (πΌ distrib) distrib by
Absdistrib,2 πΉ = Absdistrib (π π βΆ πΌ distrib. πΉ (Repdistrib π)).
β’ We define Repdistrib,2 βΆ (πΌ distrib) distrib β ((πΌ β real) β real) by
Repdistrib,2 π· = ππ βΆ πΌ β real. Repdistrib π· (Absdistrib π ).
Note that we defined distrib2 in line with the above analysis, and defined Absdistrib,2 and Repdistrib,2
with the aim of achieving a bijective correspondence between (πΌ distrib) distrib and the elements of
(πΌ β real) β real satisfyig dist2 . Therefore, we can prove that type_definition Absdistrib,2 Repdistrib,2 {π· β£
dist2 π·} holds.
It now remains to prove the associativity of joindistrib , which we can rephrase as
βπ· βΆ ((πΌ distrib) distrib) distrib. joindistrib (mapdistrib joindistrib π·) = joindistrib (joindistrib π·) .
This involves further level of nesting of distrib; to this end, by essentially iterating one more step the
above construction, we obtain dist3 βΆ (((πΌ β real) β real) β real) β bool , Absdistrib,3 βΆ (((πΌ β
real) β real) β real) β ((πΌ distrib) distrib) distrib and Repdistrib,3 βΆ ((πΌ distrib) distrib) distrib β
(((πΌ β real) β real) β real) such that type_definition Absdistrib,3 Repdistrib,3 {π· β£ dist3 π·} holds. Now
we can easily prove associativity similarly to how we proceeded in the non-nested case, but using the
appropriate back and forth infrastructure in each case, depending on the level of nesting.
A somewhat similar discussion applies to distinct lists, though the details differ:
β’ We define distinct2 βΆ (πΌ list) list β bool by
distinct2 xss β‘ distinct xss β§ (βπ < length xss. distinct (xss!π)).
β’ We define Absdlist,2 βΆ (πΌ list) list β (πΌ dlist) dlist by
Abslist,2 xss = Abslist (map Abslist xss).
β’ We define Repdlist,2 βΆ (πΌ dlist) dlist β (πΌ list) list by
Replist,2 xss = Replist (map Replist xss).
where map is the standard mapping operator for lists. Again, we have that
type_definition Absdlist,2 Repdlist,2 {xss β£ distinct2 xss} holds.
With the goal of a general solution in mind, let us note some similarities and commonalities of the
above two cases. While for distinct lists the definitions of the one-level-up abstraction and representation
functions involve entities of the same kind (namely abstractions for abstractions and representations for
representations), in the case of distributions the definitions combine the two, for example the definition
of the one-level-up abstraction uses outer abstraction together with inner representation. This is a
reflection of lists being a covariant functor and function-space-to-reals being a contravariant functor.
�The common pattern of the two is, however, the fact that the one-level-up operators employ composition
between an (1) operator and (2) the map function for the given functor applied to an operator. This is
manifestly clear for distinct lists, for example the one-level-up abstraction Absdlist,2 is the composition
of Absdlist with maplist Repdlist ; for distributions, this is also seen to be the case, if we note that the map
function for the contravariant functor πΌ β real is ππ βΆ πΌ β π½. ππ βΆ π½ β real. π β π.
Another discrepancy between the two cases is the definition of the one-level-up characteristic
predicates (distrib2 versus distinct2 ); as we will see next, we will be able to uniformly capture both cases
under a more general set-lifting operator.
4. An Abstract Formulation of the Problem and a General Solution
We formulate the problem abstractly as follows: How to lift the abstraction-representation properties
characteristic of type definitions to nested applications of the defined type constructor? In technical terms:
Given a polymorphic type πΌ π and a polymorphic operator πΌ βΆ (πΌ π ) set such that πΌ β β
which produce
a type definition
typedef πΌ π = {π₯ βΆ πΌ π β£ π₯ β πΌ }
what structure and properties are in general required for π and πΌ in order to be able to lift the operator
πΌ and abstraction-representation pair (Absπ , Repπ ), for any π, to π-level operator πΌπ βΆ (πΌ π π ) set and
abstraction-representation pair (Absπ,π , Repπ,π ) with Absπ,π βΆ πΌ π π β πΌ π π and Repπ ,π βΆ πΌ π π β πΌ π π
such that type_definition Absπ,π Repπ ,π {π₯ βΆ πΌ π β£ πΌ π₯} holds? (Above, πΌ π π denotes the πβth iteration of
the type constructor π, in particular πΌ π 1 = πΌ π and πΌ π 2 = (πΌ π ) π; and similarly for π.) Indeed, this
would allow us to seamlessly apply to the nested case the same back and forth techniques as in the
non-nested case.
In the previous section, we have discussed solutions to two instances of this problem. The first
instance is representayive of a wide class of situations, namely polymorphic inductive datatypes (which
are all covariant functors) with invariants; the second also has some cousins in the formalization and
specification literature, for example the defined types topological filters and of mutisets, as well as
variations such as discrete subdistributions. In what follows, we introduce a generalization that covers
all these cases.
Assumptions. We assume that the underlying type constructor πΌ π comes equipped with an
operator Trel βΆ πΌ set β π½ set β (πΌ β π½ β bool) β (πΌ π β π½ π β bool) for lifting relations to π that for
bijective relations commutes with composition; namely, letting bijBetw π΄ π΅ π
express that the relation
π
is a bijection between π΄ and π΅:
(A1) bijBetw π΄ π΅ π and bijBetw π΅ πΆ π implies Trel π΄ πΆ (π β π) = Trel π΄ π΅ π β Trel π΅ πΆ π for all
π΄, π΅, πΆ, π, π
Moreover, we assume that there exists an operator Iset βΆ πΌ set β (πΌ π ) set for lifting sets to π, which
is an extension of πΌ in that
(A2) Iset UNIV = πΌ
and the following hold, where eqOn π΄ π
says that the restriction of π
to π΄ is the equality on (i.e., the
diagonal of) π΄:
(A3) bijBetw π΄ π΅ π
implies bijBetw (Iset π΄) (Iset π΅) (Trel π΄ π΅ π
) for all π΄, π΅, π
(A4) bijBetw π΄ π΄ π
and eqOn π΄ π
implies eqOn (Iset π΄) (Trel π΄ π΄ π
) for all π΄, π
π together with the operator Trel forms a relator-like structure [14, 15], similar to those that underlie
Isabelle/HOLβs transfer tool [8] and datatype specification mechanism [6]. However, this concept comes
with an explicit indication of the domain and codomain sets and targets bijections between these sets. In
particular, (A1) only requires Trel to commute with (relation) composition when restricted to bijective
�relations. While we think of Trel as being associated to π, we think of Iset as being associated to the
invariant πΌ (which it generalizes via (A2)). For example, if π is list, then it is reasonable to take Trel to
be the list relator (relating lists position-wise), but we have no reason to commit to Iset as being the
standard set operator associated to lists (returning the set of all elements of a list)βrather, the choice of
Iset will depend on what invariant we want to consider on lists. Of course, as the axiom (A2) suggests,
the Iset parameter of our abstract framework is reminiscent of the relativized version of the predicate
dist that we employed in the case of distributions.
Trel and Iset are connected by the assumptions (A3) and (A4). Thus, (A3) states that Trel lifts bijections
between two sets to bijections between the Iset-liftings of these sets, which roughly means that Iset
partially acts like a subrelator of (π , Trel). Finally, (A4) is an Iset-relativization of the standard property
of relators of preserving equalitiesβnamely, here we say Trel preserves partial equalities w.r.t. Iset.
Let us see how to instantiate this framework to our running examples. To this end, we first note that
having chosen our assumptions in terms of relations rather than functions allows us to capture both
covariant and contravariant cases. For the case of the distribution type πΌ distrib, we take:
β’ πΌ π to be πΌ β real;
β’ Trel π΄ π΅ π
π π to be βreal (ππ, π. π β π΄ β§ π β π΅ β§ π
π π) π π β§ (βπ β π΄. π π = β₯) β§ (βπ β π΅. π π =
β₯), where β₯ is a (polymorphic) fixed βundefinedβ element (which is available in HOL on each
type via Hilbert choice) and βreal is the real-instance of the function-space relator, defined by
βreal π π π β‘ βπ, π. π π π βΆ π π = π π;
β’ Iset to be given by the relativized form of the distOn predicate, namely Iset π΄ β‘ {π β£ distOn π΄ π }.
For the case of the distinct-list type πΌ dlist, we take:
β’ πΌ π to be πΌ list;
β’ Trel π΄ π΅ to be the list relator list_all, where list_all π
relates two lists just in case they have the
same length and their elements are position-wise related (thus, the domain and codomain sets
are ignored by Trel);
β’ Iset to be defined as Iset π΄ β‘ {xs β£ distinct xs β§ set xs β π΄}, where set βΆ πΌ list β πΌ set is the support
operator for lists (returning the set of all elements of a list).
Note the two flavors of instantiating the relativized operator Iset, depending on whether we deal
with a contravariant or covariant functor, namely : (1) either, in the contravariant case, by relativizing
the original predicate dist to distOn; (2) or, in the covariant case, by intersecting the original predicate
distinct with the adjoint of the support operator (which is usually available for covariant functors, and
in particular is available for all container types)βindeed, the righthand side of the definition of Iset π΄
can be written as {xs β£ distinct xs} β© {π₯π β£ set xs β π΄}, and the operator πΏ = ππ΄. {π₯π β£ set xs β π΄} is the
right adjoint4 of the support operator set in the sense that xs β πΏ π΄ iff set xs β π΄. It is relatively easy to
check that these instances satisfy our assumptions. For example, (A3) in the case of the distribution
instantiation says that a bijection between two sets π΄ and π΅ induces a bijection the sets of distributions
on π΄ and π΅ respectively, which are constant β₯ outside π΄ and π΅ respectively.
Our main result is that these abstract assumptions are sufficient for solving our problem, thus
generalizing the constructions in the above particular cases (and in many other cases, e.g., any datatypes
with invariants turned into typedefs).
Theorem: Under the assumptions (A1)β(A4) above, we have a solution to our problem for all
π β₯ 1, in that there exist πΌπ βΆ (πΌ π π ) set, Absπ,π βΆ πΌ π π β πΌ π π and Repπ ,π βΆ πΌ π π β πΌ π π such that
type_definition Absπ,π Repπ ,π πΌπ holds.
A formal proof in Isabelle/HOL of the core of this theorem can be found in [11]; due to the HOL
type system limitations, the formal proof is restricted to the case when π = 2, but also indicates how to
iterate the argument for arbitrary π and shows the iterations for 3 and 4.
4
Incidentally, in Isabelle/HOL the operator πΏ is called listsβa suggestive name given that this operator is the set-based
counterpart of the list type constructor: it takes any set π΄ to the set of lists formed with elements of π΄.
� Proof sketch. We proceed by induction on π. For π = 1, we simply take πΌπ = πΌ, Absπ,π = Absπ and
Repπ,π = Repπ , so the desired fact holds by our assumptions.
For the induction step, assume that we have πΌπ βΆ (πΌ π π ) set, Absπ,π βΆ πΌ π π β πΌ π π and Repπ ,π βΆ
πΌ π π β πΌ π π such that type_definition Absπ,π Repπ ,π πΌπ holds. We define πΌπ+1 βΆ (πΌ π π+1 ) set, Absπ,π+1 βΆ
πΌ π π+1 β πΌ π π+1 and Repπ ,π+1 βΆ πΌ π π+1 β πΌ π π+1 as follows: πΌπ+1 β‘ Iset πΌπ ; Absπ,π+1 = Absπ β
funOf (Trel (relOf Absπ,π )); Repπ,π+1 = Repπ β funOf (Trel (relOf Repπ,π )).
Above, the operators relOf βΆ (πΌ β π½) β (πΌ β π½ β bool) and funOf βΆ (πΌ β π½ β bool) β (πΌ β π½)
provide back and forth conversions between bijective relations and (partially) bijective functins. Namely,
we have the following properties for them, where bij_betw π΄ π΅ π says that the restriction of the
function π βΆ πΌ β π½ to π΄ βΆ πΌ set is a bijection between π΄ and π΅ βΆ π½ set: (1) If bij_betw π΄ π΅ π, then
bijBetw π΄ π΅ (relOf π ) and funOf (relOf π ) = π; (2) If bijBetw π΄ π΅ π
, then bij_betw π΄ π΅ (funOf π
) and
relOf (funOf π π
= π
.
To prove type_definition Absπ,π+1 Repπ ,π+1 πΌπ+1 compositionally (along the definitions of the ab-
straction ad represenations operators), we introduce a generalization of type_definition that does not
assume one of its argument functions (namely the representation function) to operate on the en-
tire domain, but on an additional parameter set. Namely, we define bij_pair βΆ (π½ β πΌ) β (πΌ β
π½) β π½ set β πΌ set β bool as follows, where we highlight the differences from type_definition:
bij_pair π π π΅π΄ β‘ (βπ¦. π¦ β π΅ βΆ π π¦ β π΄) β§ (βπ₯. π₯ β π΄ βΆ π π₯ β π΅) β§ (βπ¦ βΆ π½. π¦ β π΅ βΆ π (π π¦) =
π¦) β§ (βπ₯ βΆ πΌ. π₯ β π΄ βΆ π (π π₯) = π₯). Thus, bij_pair π π π΅ π΄ says that π and π are mutually inverse
bijections between π΄ and π΅; in particular, we have (3) bij_pair π π π΅ π΄ = type_definition π π UNIV π΄.
Next, we define the relational counterpart of bij_pair, namely bijPair βΆ (π½ β πΌ β bool) β (πΌ β π½ β
bool) β π½ set β πΌ set β bool, such that bijPair π π π΅ π΄ says that π and π are mutually inverse (rela-
tional) bijections between π΄ and π΅. The operators bij_pair and bijPair correspond to each other via the
translations between functions and relations: (4) If bij_pair π π π΅ π΄ then bijPair (relOf π) (relOf π) π΅ π΄;
(5) If bijPair π π π΅ π΄ then bij_pair (funOf π) (funOf π) π΅ π΄. They also commute with relation and
function composition: (6) If bij_pair π π π΅ π΄ and bij_pair π β² πβ² π΄ πΆ then bij_pair (π β² β π) (πβ² β π) π΅ πΆ; (7)
If bijPair π π π΅ π΄ and bij_pair π β² π β² π΄ πΆ then bijPair (π β π β² ) (π β π β² ) π΅ πΆ.
Finally, using (A1), (A3) and (A4), we can prove the crucial property that Trel βliftsβ the bijPair property
relative to Iset: (8) If bijPair π π π΄ π΅ then bijPair (Trel π΄ π΅ π) (Trel π΅ π΄ π) (Iset π΄) (Iset π΅). β‘
Note that the theorem asserts the existence of π-level predicates πΌπ and abstraction-representation
pairs (Absπ , Repπ ) which extend the original ones, πΌ and (Abs, Rep). But the question arises on whether
these are the βrightβ extensions. The answer relies only on the suitability of πΌπ , since once that is
decided than any projection pair (Absπ , Repπ ) satisfying type_definition Absπ,π Repπ ,π πΌπ would doβ-
mirroring the fact that in a type definition (at level 1) only πΌ matters and any (Abs, Rep) satisfying
type_definition Absπ Repπ πΌ is as good as any other.
Now, concerning the suitability of πΌπ , we note from the proof that πΌπ = Isetπ UNIV; so it all hinges upon
whether Iset is the βrightβ way of lifting sets of elements of πΌ to sets of elements of πΌ π that respects the
intended meaning of the subset πΌ of πΌ π. In other words, whatever concept πΌ is supposed to represent, we
want that Iset provides a correct relativization of that concept from the entire type πΌ to a subset π΄ βΆ πΌ π ππ‘.
Our assumptions (A2)β(A4) are sanity properties for such a relativization, but whether this is the correct
relativization needs to be established in each particular caseβin other words, it is the responsability
of the user of our framework to provide a correct and meaningful Iset operator. This is easily seen
to be the case in our two examples, where the move from πΌ to Iset clearly represents the move from
distributions on the whole type to distributions on a given subset, and from distinct lists on the whole
type to distinct lists on a given subset, respectively. Moreover, the scheme that worked for distinct lists
(of intersecting with the support operator) works for essentially the same reason for any container type.
Finally, a remark on the generality of the theorem: While we have formulated it in reference
to the (possibly iterated) nesting of a single type constructor, the construction and proof can be
straightforwardly (albeit tediously) extended to cope with combining / nesting different type constructors
(which can also have more than one argument).
�5. Related Work and Future Work
Isomorphic transfer is an important topic in formal reasoning, and is one of the main motivations of
major recent developments such as Homotopy Type Theory [16]. Transfer along ismorphisms, as well
as along quotient projections and refinements, is also well represented in the world of HOL-based
provers (and especially Isabelle/HOL), e.g., [17, 18, 19, 8, 20, 21]. In dependent type theory, problems
similar to the ones we address here are formulated in the context of (partial) setoids [22, 23], and proof
assistants such as Coq [24] (via SSReflect [25]) and Lean [26] offer quasi-automated mechanisms to
address them, thus mitigating what is referred to as βsetoid hellβ, i.e., the need to prove over and over
again that certain (partial) equivalence relations are preserved by the defined functions. Note that the
problem we addressed in this paper, which has to do with relativization to sets, is a particular case of
relativization to partial equivalence relationsβand in fact dealing with the former at higher-order types
quickly escalates to having to deal with the latter, even in the absence of dependent types [10].
Another technical part of our setting concerns the HOL defined types, which are not included in their
base types but only injected into them. Other formalisms offer pure subtyping / inclusion mechanisms,
notably PVS [27], Fβ [28], and logical frameworks featuring refinement types [29]βwhere the goal of
isomorphic transfer is replaced by corresponding goals concerning automating aspects of type checking.
Next, we will focus on the most closely related work, namely Isabelleβs Lifting and Transfer package
[30, 8]. From the very beginning, the authors of this tool have been aware of the potential difficulties
raised by nested type constructors, and have implemented a solution based on parameterized transfer
relations. For example, in the case of distrib, the current implementation defines automatically a relation
in (πΌ β real) β π½ distrib β bool (thus using different type variables πΌ and π½) as the composition
between the relator βreal and the relational version of Absdistrib . This does not guarantee an isomorphic
relationship between nested applications of (_ β real) and distrib like our framework does (exported
as a type_definition theorem), but offers enough infrastructure in order to allow the user to βliftβ the
definition of constants from (_ β real) to distrib even in the presence of nesting. Since the relativized
defining set is not provided explicitly (like in our framework, as the operator Iset), the proof goals arising
when transferring theorems containing such constants are quite intricate and convoluted, in sharp
contrast to the non-nested case. On the other hand, at the expense of asking the user to provide more
information (not just the relator Trel but also the operator Iset) and proving some sanity properties,
our approach really flattens everything to the βfirst-orderβ non-nesting caseβwith the potential of
simplifying the proof goals. Moreover, currently the transfer package relies on a parametricity theorem
for the defined typeβs underlying predicate, which our approach does not. Overall, our approach requires
some more initial effort from the user upon introducing a new type, but this has the potential to pay off
in the later stages of the developments.
This having been said, our work addresses only a subproblem of the overall lifting and transfer
problem, which the Lifting and Transfer package addresses quite comprehensively. So we do not
envision our development as an alternative to this mature tool, but as a possible βadd-onβ that can
improve the usability and automation of the toolβs handling of nested types. Since what we produce
for nested types are type_definition theorems, these can in principle be directly integrated into the
Lifting and Transfer package (via the βsetup_liftingβ command), save for one difficulty caused by the
fact that any provided abstraction operators are currently required to be registered as dataype-like
constructorsβaddressing this formal engineering problem is ongoing work. (Of course, the integration
will involve the fully general case, of different type constructors of possible multiple arguments nested
in arbitrary ways.)
Another short-term plan is to provide some generic infrastructure that automates our inferred result
for arbitrary type constructors, which can then be instantiated to different cases. This is being tackled
(in joint work with Dmitriy Traytel) with the help of a quasi-foundational developement of polymorphic
locales, generalizing Isabelleβs standard (monomorphic) locales [31, 32] in a manner that does not impair
the meta-properties of the logic and definitional mechanisms underlying Isabelle/HOL [33, 34, 35, 36].
Acknowledgments. We thank the three anonymous reviewers for their valuable comments and sug-
gestions, which led to the improvement of the presentation and to the discussion of more related work.
�References
[1] The HOL Team, The HOL4 Theorem Prover, 2024. Http://hol.sourceforge.net/.
[2] J. Harrison, HOL light: An overview, in: S. Berghofer, T. Nipkow, C. Urban, M. Wenzel (Eds.),
TPHOLs 2009, volume 5674 of LNCS, Springer, 2009, pp. 60β66. doi:10.1007/978- 3- 642- 03359- 9\
_4 .
[3] T. Nipkow, L. C. Paulson, M. Wenzel, Isabelle/HOL β A Proof Assistant for Higher-Order Logic,
volume 2283 of LNCS, Springer, 2002. doi:10.1007/3- 540- 45949- 9 .
[4] S. Berghofer, M. Wenzel, Inductive datatypes in HOL β lessons learned in formal-logic engineering,
in: Y. Bertot, G. Dowek, A. Hirschowitz, C. Paulin-Mohring, L. ThΓ©ry (Eds.), TPHOLs 1999, volume
1690 of LNCS, Springer, 1999, pp. 19β36. doi:10.1007/3- 540- 48256- 3\_3 .
[5] D. Traytel, A. Popescu, J. C. Blanchette, Foundational, compositional (co)datatypes for higher-order
logic: Category theory applied to theorem proving, in: LICS 2012, IEEE Computer Society, 2012,
pp. 596β605. doi:10.1109/LICS.2012.75 .
[6] J. C. Blanchette, J. HΓΆlzl, A. Lochbihler, L. Panny, A. Popescu, D. Traytel, Truly modular
(co)datatypes for isabelle/hol, in: G. Klein, R. Gamboa (Eds.), ITP 2014, volume 8558 of LNCS,
Springer, 2014, pp. 93β110. doi:10.1007/978- 3- 319- 08970- 6\_7 .
[7] J. C. Blanchette, F. Meier, A. Popescu, D. Traytel, Foundational nonuniform (co)datatypes for
higher-order logic, in: 32nd Annual ACM/IEEE Symposium on Logic in Computer Science,
LICS 2017, Reykjavik, Iceland, June 20-23, 2017, IEEE Computer Society, 2017, pp. 1β12. URL:
https://doi.org/10.1109/LICS.2017.8005071. doi:10.1109/LICS.2017.8005071 .
[8] B. Huffman, O. Kuncar, Lifting and Transfer: A Modular Design for Quotients in Isabelle/HOL,
in: G. Gonthier, M. Norrish (Eds.), CPP 2013, volume 8307 of LNCS, Springer, 2013, pp. 131β146.
doi:10.1007/978- 3- 319- 03545- 1\_9 .
[9] O. KunΔar, A. Popescu, From types to sets by local type definition in higher-order logic, J. Autom.
Reason. 62 (2019) 237β260. doi:10.1007/s10817- 018- 9464- 6 .
[10] A. Popescu, D. Traytel, Admissible types-to-pers relativization in Higher-Order Logic, Proc. ACM
Program. Lang. 7 (2023) 1214β1245. URL: https://doi.org/10.1145/3571235. doi:10.1145/3571235 .
[11] G. Buday, A. Popescu, Supplementary material associated to this paper, https://www.andreipopescu.
uk/suppl/iFM2024.zip, 2024.
[12] R. Godement, Topologie algΓ©brique et thΓ©orie des faisceaux, Publications de lβInstitut de MathΓ©ma-
tique de lβUniversitΓ© de Strasbourg, Hermann, Paris, 1958.
[13] E. Moggi, Notions of computation and monads, Inf. Comput. 93 (1991) 55β92. URL: https:
//doi.org/10.1016/0890-5401(91)90052-4. doi:10.1016/0890- 5401(91)90052- 4 .
[14] J. C. Reynolds, Types, abstraction and parametric polymorphism, in: R. E. A. Mason (Ed.), IFIP
1983, North-Holland/IFIP, 1983, pp. 513β523.
[15] P. Wadler, Theorems for free!, in: J. E. Stoy (Ed.), FPCA 1989, ACM, 1989, pp. 347β359. doi:10.
1145/99370.99404 .
[16] T. Univalent Foundations Program, Homotopy Type Theory: Univalent Foundations of Mathemat-
ics, https://homotopytypetheory.org/book, Institute for Advanced Study, 2013.
[17] P. V. Homeier, A design structure for higher order quotients, in: J. Hurd, T. F. Melham (Eds.),
Theorem Proving in Higher Order Logics, 18th International Conference, TPHOLs 2005, volume
3603 of Lecture Notes in Computer Science, Springer, 2005, pp. 130β146.
[18] C. Kaliszyk, C. Urban, Quotients revisited for Isabelle/HOL, in: W. C. Chu, W. E. Wong, M. J.
Palakal, C. Hung (Eds.), Proceedings of the 2011 ACM Symposium on Applied Computing (SAC),
TaiChung, Taiwan, March 21 - 24, 2011, ACM, 2011, pp. 1639β1644. URL: https://doi.org/10.1145/
1982185.1982529. doi:10.1145/1982185.1982529 .
[19] P. Lammich, Automatic data refinement, in: S. Blazy, C. Paulin-Mohring, D. Pichardie (Eds.),
Interactive Theorem Proving - 4th International Conference, ITP, volume 7998 of Lecture Notes in
Computer Science, Springer, 2013, pp. 84β99.
[20] A. Schropp, A. Popescu, Nonfree datatypes in Isabelle/HOL - animating a many-sorted metatheory,
in: G. Gonthier, M. Norrish (Eds.), Certified Programs and Proofs - Third International Conference,
� CPP, volume 8307 of LNCS, Springer, 2013, pp. 114β130.
[21] M. Milehins, An extension of the framework types-to-sets for Isabelle/HOL, in: A. Popescu,
S. Zdancewic (Eds.), CPP 2022, ACM, 2022, pp. 180β196. doi:10.1145/3497775.3503674 .
[22] G. Barthe, V. Capretta, O. Pons, Setoids in type theory, J. Funct. Program. 13 (2003) 261β293.
doi:10.1017/S0956796802004501 .
[23] T. Altenkirch, S. Boulier, A. Kaposi, N. Tabareau, Setoid type theory - A syntactic translation,
in: G. Hutton (Ed.), Mathematics of Program Construction - 13th International Conference,
MPC 2019, Porto, Portugal, October 7-9, 2019, Proceedings, volume 11825 of Lecture Notes in
Computer Science, Springer, 2019, pp. 155β196. URL: https://doi.org/10.1007/978-3-030-33636-3_7.
doi:10.1007/978- 3- 030- 33636- 3\_7 .
[24] Y. Bertot, P. CastΓ©ran, Interactive Theorem Proving and Program Development - CoqβArt:
The Calculus of Inductive Constructions, Texts in Theoretical Computer Science. An
EATCS Series, Springer, 2004. URL: https://doi.org/10.1007/978-3-662-07964-5. doi:10.1007/
978- 3- 662- 07964- 5 .
[25] G. Gonthier, A. Mahboubi, An introduction to small scale reflection in coq, J. Formaliz. Reason. 3
(2010) 95β152. URL: https://doi.org/10.6092/issn.1972-5787/1979. doi:10.6092/ISSN.1972- 5787/
1979 .
[26] L. M. de Moura, S. Kong, J. Avigad, F. van Doorn, J. von Raumer, The lean theorem prover (system
description), in: A. P. Felty, A. Middeldorp (Eds.), CADE-25, volume 9195 of LNCS, Springer, 2015,
pp. 378β388. doi:10.1007/978- 3- 319- 21401- 6\_26 .
[27] J. M. Rushby, S. Owre, N. Shankar, Subtypes for specifications: Predicate subtyping in PVS, IEEE
Trans. Software Eng. 24 (1998) 709β720. URL: https://doi.org/10.1109/32.713327. doi:10.1109/32.
713327 .
[28] N. Swamy, C. Hritcu, C. Keller, A. Rastogi, A. Delignat-Lavaud, S. Forest, K. Bhargavan, C. Fournet,
P. Strub, M. Kohlweiss, J. K. Zinzindohoue, S. Z. BΓ©guelin, Dependent types and multi-monadic
effects in F, in: R. BodΓk, R. Majumdar (Eds.), Proceedings of the 43rd Annual ACM SIGPLAN-
SIGACT Symposium on Principles of Programming Languages, POPL 2016, St. Petersburg, FL,
USA, January 20 - 22, 2016, ACM, 2016, pp. 256β270. URL: https://doi.org/10.1145/2837614.2837655.
doi:10.1145/2837614.2837655 .
[29] W. Lovas, F. Pfenning, Refinement types for logical frameworks and their interpretation as proof
irrelevance, Log. Methods Comput. Sci. 6 (2010). URL: https://doi.org/10.2168/LMCS-6(4:5)2010.
doi:10.2168/LMCS- 6(4:5)2010 .
[30] O. KunΔar, Types, Abstraction and Parametric Polymorphism in Higher-Order Logic, Ph.D. thesis,
FakultΓ€t fΓΌr Informatik, Technische UniversitΓ€t MΓΌnchen, 2016. URL: http://www21.in.tum.de/
~kuncar/documents/kuncar-phdthesis.pdf.
[31] F. KammΓΌller, M. Wenzel, L. C. Paulson, Locales - A sectioning concept for Isabelle, in: Y. Bertot,
G. Dowek, A. Hirschowitz, C. Paulin-Mohring, L. ThΓ©ry (Eds.), Theorem Proving in Higher Order
Logics, 12th International Conference, TPHOLsβ99, Nice, France, September, 1999, Proceedings,
volume 1690 of Lecture Notes in Computer Science, Springer, 1999, pp. 149β166. URL: https://doi.
org/10.1007/3-540-48256-3_11. doi:10.1007/3- 540- 48256- 3\_11 .
[32] C. Ballarin, Locales and locale expressions in isabelle/isar, in: S. Berardi, M. Coppo, F. Dami-
ani (Eds.), Types for Proofs and Programs, International Workshop, TYPES 2003, Torino, Italy,
April 30 - May 4, 2003, Revised Selected Papers, volume 3085 of Lecture Notes in Computer Sci-
ence, Springer, 2003, pp. 34β50. URL: https://doi.org/10.1007/978-3-540-24849-1_3. doi:10.1007/
978- 3- 540- 24849- 1\_3 .
[33] O. Kuncar, A. Popescu, Comprehending Isabelle/HOLβs consistency, in: H. Yang (Ed.), Programming
Languages and Systems - 26th European Symposium on Programming, ESOP 2017, Held as Part
of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala,
Sweden, April 22-29, 2017, Proceedings, volume 10201 of Lecture Notes in Computer Science,
Springer, 2017, pp. 724β749. URL: https://doi.org/10.1007/978-3-662-54434-1_27. doi:10.1007/
978- 3- 662- 54434- 1\_27 .
[34] O. Kuncar, A. Popescu, A consistent foundation for Isabelle/HOL, J. Autom. Reason. 62 (2019)
� 531β555. URL: https://doi.org/10.1007/s10817-018-9454-8. doi:10.1007/S10817- 018- 9454- 8 .
[35] O. Kuncar, A. Popescu, Safety and conservativity of definitions in HOL and Isabelle/HOL, Proc.
ACM Program. Lang. 2 (2018) 24:1β24:26. URL: https://doi.org/10.1145/3158112. doi:10.1145/
3158112 .
[36] A. Gengelbach, T. Weber, Proof-theoretic conservative extension of HOL with ad-hoc overloading,
in: V. K. I. Pun, V. Stolz, A. SimΓ£o (Eds.), Theoretical Aspects of Computing - ICTAC 2020 - 17th
International Colloquium, Macau, China, November 30 - December 4, 2020, Proceedings, volume
12545 of Lecture Notes in Computer Science, Springer, 2020, pp. 23β42. URL: https://doi.org/10.1007/
978-3-030-64276-1_2. doi:10.1007/978- 3- 030- 64276- 1\_2 .
�