Skip to content

Define typing relation for commands and prove soundness of typechecker#1335

Draft
joscoh wants to merge 33 commits into
main2from
josh/cmd-type-spec
Draft

Define typing relation for commands and prove soundness of typechecker#1335
joscoh wants to merge 33 commits into
main2from
josh/cmd-type-spec

Conversation

@joscoh

@joscoh joscoh commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Gives a type specification for commands (CmdHasType'), generalized over the LExpr typing relation, and instantiates it with LExpr.hasType (CmdHasType) and LExpr.hasTypeA (CmdHasTypeA). Proves that:

  1. If the command typechecker Cmd.typeCheck succeeds, then the original command was well-typed according to CmdHasType (theorem Cmd.typeCheck_sound).
  2. If Cmd.typeCheck succeeds, then the output command is well-annotated according to CmdHasTypeA (theorem Cmd.typeCheck_annotated_sound).

Core command typing (new files under Strata/Languages/Core/)

  • CmdTypeSpec.lean — the inductive CmdHasType', parameterized over an
    ExprTypingSpec typeclass with two instances: CmdHasType (polymorphic
    HasType, over LTy) and CmdHasTypeA (annotated HasTypeA, over
    LMonoTy).
  • CmdTypeSpecProps.lean — the two top-level soundness theorems,
    Cmd.typeCheck_sound and Cmd.typeCheck_annotated_sound, showing
    Cmd.typeCheck produces commands satisfying the spec.
  • CmdTypeProps.lean — supporting lemmas about preprocess / inferType
    / unifyTypes and context updates that feed the soundness proofs.
  • CmdType.inferType — no longer auto-registers undeclared free variables
    via addInOldestContext. Expressions in init/set/assert/assume/cover
    that reference variables not already in scope are now rejected by freeVarCheck.
    Previously, undeclared variables were silently added, which is not longer needed
    with nondeterministic init.

Rigid type variables (fixes #1345)

  • CmdType.checkAnnotCompat — new checker pass that rejects any unification
    result refining a rigid (skolemized) type variable.
  • ProcedureType.leansetupInputEnv now generates fresh rigid vars for
    type parameters and records them in C.rigidTypeVars; body typechecking
    enforces identity on these vars via checkAnnotCompat.
  • CmdTypeSpec.lean — the init_det/init_nondet constructors use
    RigidAnnotCompat (AnnotCompat restricted to be identity on rigid vars).
  • CmdTypeSpecProps.leanCmd.typeCheck_preserves_rigid_inv proves the
    invariant is preserved; typeCheck_sound uses it.
  • RigidTypeVarsTests.lean — test cases for polymorphic procedures with
    rigid type parameters, including expected-failure cases.

Lambda layer

  • LExprResolveProps.lean (renamed from LExprResolveAnnotated.lean) adds theorem resolve_eqModuloAnnotations (resolution preserves
    expression structure, changing only metadata and annotations).
  • LExprTypeSpec.lean — adds freshness / TEnvWF / well-scoped supporting
    lemmas used by the resolve and command proofs. The HasType relation itself
    is unchanged.
  • LExprTypeEnv.lean — adds TContext.subst and TEnv lemmas
    (substitution lookup, addInNewestContext, free-variable scoping) used by the
    command proofs.
  • Smaller supporting changes in LExprWF.lean and LTyUnify.lean.

Tooling

  • Strata/Util/Tactics.lean — now contains the elim_err / elim_errs tactics for
    discharging error branches when unfolding Except-valued checker code, used
    throughout the soundness proofs.

Josh Cohen and others added 22 commits May 26, 2026 13:42
Add declarative type specifications for Strata Core components
23025e9
Change cmd type spec for poly variables, minor changes
8e3bcb7
Remove ability to initialize variable with nondeterministic variables
76ff4b1
Merge branch 'josh/remove-init-nondet' into josh/type-specs
009eb17
Merge branch 'main2' into josh/type-specs
1b323c5
Prove soundness of Cmd typechecker
c2af49a
Merge branch 'main2' into josh/type-specs
86e4aec
Generalize typing specs to HasType and HasTypeA versions
1f757b2
Extend command proofs to HasTypeA, modulo resolve theorem
a9d907f
Merge branch 'main2' into josh/type-specs
82f39b1
Finish proof, prove eqModuloAnnotation, give ind principle for resolv…
3c0f92b 
…eAux

All resolveAux proofs except hasType converted to use ind principle
Use ind principle for HasType, clean up resolve proofs
84749b7
Add induction principle for resolve and clean up LExprTypeSpec proofs
91ff940
Remove strong variant
0c5e955
Revert some changes not directly needed for this PR
4246dce
Delete hasType_strong, change proof architecture info
6acfb10
@joscoh
Merge branch 'main2' into josh/resolve-ind
b5fbaaa
Merge remote-tracking branch 'origin/josh/resolve-ind' into josh/type…
f62a6ec 
…-specs
@joscoh
Merge branch 'main2' into josh/resolve-ind
444f9ac
Reorganize proofs, split from implementation, add to build
523be13
Remove non-command typing relations for PR
c3c1dfd
Merge branch 'josh/resolve-ind' into josh/cmd-type-spec
392f031
@github-actions github-actions Bot added the Core label Jun 5, 2026
Base automatically changed from josh/resolve-ind to main2 June 5, 2026 22:24
Josh Cohen added 5 commits June 8, 2026 10:28
Merge branch 'main2' into josh/cmd-type-spec
b8b6744
Fix doc build
7c07983
Clean up bit of proofs
10daebe
Remove exposed definitions
19f8c2b
Fix type spec and proofs for rigid type variables
05f35e9 
Unification too permissive: now split into rigid type variables
that cannot be unified, and free type variables which can
Involves changes to typechecker, spec, and proofs
Added test cases for various edge cases
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Core

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joscoh