
Computational Higher Type Theory (CHTT)

Robert Harper
Lecture Notes of Week 4 by Yue Niu and Charles Yuan

Thus far in the course, we have covered a typed lambda calculus augmented with inductively
defined positive types such as natural numbers, booleans, products, and sums, as well as
how they may be formulated in a negative fashion. Instead of delving deeper into negatively
defined coinductive types, we will now examine quantification.

1 Quantification

Type-level quantification, as seen in System F and its variants, allows us to write types and
expressions containing type variables, asserting validity over all types X or over some
type X:

∀X.A        ∃X.A

The theory of type polymorphism was largely developed by Gordon, Milner [1978], and
Wadsworth, and has been adopted in languages such as ML. It enables innovations such as
the polymorphic identity function:
id : ∀X.X → X

To begin, consider the following syntax for types, incorporating variables, a positive answer
type ans, functions, and a universal type quantifier.
A ::= X | ans | A1 → A2 | ∀X.A

The expressions are defined correspondingly, with a mechanism for type lambdas:
M ::= x | M1 M2 | λx:A. M | ΛX. M | M [A] | ↑ | ↓

The typing judgment is defined as follows:


$$
\frac{}{\Gamma, x : A \vdash x : A}
\qquad
\frac{}{\Gamma \vdash \uparrow : \mathsf{ans}}
\qquad
\frac{}{\Gamma \vdash \downarrow : \mathsf{ans}}
\qquad
\frac{\Gamma, x : A_1 \vdash M_2 : A_2}{\Gamma \vdash \lambda x{:}A_1.\, M_2 : A_1 \to A_2}
$$

$$
\frac{\Gamma \vdash M_1 : A_1 \to A_2 \qquad \Gamma \vdash M_2 : A_1}{\Gamma \vdash M_1\, M_2 : A_2}
\qquad
\frac{\Gamma, X\ \mathsf{type} \vdash M : A}{\Gamma \vdash \Lambda X.\, M : \forall X.A}
\qquad
\frac{\Gamma \vdash M : \forall X.A \qquad \Gamma \vdash B\ \mathsf{type}}{\Gamma \vdash M[B] : [B/X]A}
$$

1.1 Context Splitting

Now that both expressions and types are allowed to vary, we split the judgment context into
two components: Θ, a finite set of type variables, and Γ, a finite set of term variables with
their types, as before. We use both contexts in a judgment, written

Θ; Γ ⊢ M : A


1.2 Erasure

So far, we have expressed the claim that

M : A implies M term_β

that is,

(Γ ⊢ M : A and HT_Γ(γ)) imply HT_A(γ̂(M))

Now that we have type lambdas and variables, we recognize that semantics about expressions
should not need to specially account for type lambda abstraction and application. We
should instead erase this polymorphic type information before reasoning about hereditary
termination, etc. There are two logical approaches to performing erasure:

1. Full erasure. Here, we simply elide all type lambda abstraction and application from
the expression. We write |M|^I for this:

$$
|\Lambda X.\, M|^{\mathrm{I}} = |M|^{\mathrm{I}}
\qquad\qquad
|M[A]|^{\mathrm{I}} = |M|^{\mathrm{I}}
$$

where every other erasure rule simply erases each component of M in the expected
fashion.

2. Delayed erasure. Here, we replace type lambdas with ordinary lambdas and type
applications with ordinary applications. The expression argument is a dummy; given a
choice for its type we arbitrarily select the answer type (and ↓ as its value):

$$
|\Lambda X.\, M|^{\mathrm{II}} = \lambda\_.\, |M|^{\mathrm{II}}
\qquad\qquad
|M[A]|^{\mathrm{II}} = |M|^{\mathrm{II}}\ \downarrow
$$

Note that in full erasure, it is possible for a value (a type lambda) to become a non-value after
erasure (the body of the lambda, which may be a redex), whereas this is impossible in delayed
erasure. Allowing values to become non-values has negative consequences later, and can make the
result unsound. From now on we will use the notation for erasure, |M|, to refer to delayed
erasure |M|^II.
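To make Sections 1, 1.1 and 1.2 concrete, here is an added example in Python (it is not from the notes): a checker for the judgment Θ; Γ ⊢ M : A over the syntax above, the two erasures, and a weak-head β-evaluator for erased terms. All names in it (node, typeof, wf, erase_full, erase_delayed, eval_whnf, demo) are this example's own choices, and the delayed erasure uses ↓ as the dummy argument as in the text. It checks the two claims of this section: that full erasure can turn a value (a type lambda whose body is a redex) into a non-value while delayed erasure cannot, and that the erased polymorphic identity applied at ans to ↓ reduces to ↓.

```python
"""System F with an answer type, as an executable companion to Sections 1, 1.1 and 1.2:
typing under the split context (Θ; Γ), the two erasures, and weak-head β-evaluation
of erased terms. Added example, not from the notes; every name here is this example's own."""
from dataclasses import dataclass

def node(name, *fields):
    """Tiny frozen record type, a hypothetical helper: node("App", "fn", "arg")."""
    return dataclass(frozen=True)(type(name, (), {"__annotations__": {f: object for f in fields}}))

# types   A ::= X | ans | A1 -> A2 | forall X. A
TVar, Ans, Arrow, Forall = node("TVar", "name"), node("Ans"), node("Arrow", "dom", "cod"), node("Forall", "var", "body")
# terms   M ::= x | M1 M2 | λx:A. M | ΛX. M | M[A] | ↑ | ↓ ; ULam is the untyped λ that erasure targets
Var, App, Lam, Up, Down = node("Var", "name"), node("App", "fn", "arg"), node("Lam", "var", "ty", "body"), node("Up"), node("Down")
TLam, TApp, ULam = node("TLam", "var", "body"), node("TApp", "fn", "ty"), node("ULam", "var", "body")

def subst_type(A, X, B):
    """[B/X]A; assumes bound type variables are distinct from the free ones of B."""
    if isinstance(A, TVar):  return B if A.name == X else A
    if isinstance(A, Ans):   return A
    if isinstance(A, Arrow): return Arrow(subst_type(A.dom, X, B), subst_type(A.cod, X, B))
    return A if A.var == X else Forall(A.var, subst_type(A.body, X, B))

def wf(theta, A):
    """Θ ⊢ A type: every free type variable of A lies in Θ."""
    if isinstance(A, TVar):  return A.name in theta
    if isinstance(A, Ans):   return True
    if isinstance(A, Arrow): return wf(theta, A.dom) and wf(theta, A.cod)
    return wf(theta | {A.var}, A.body)

def typeof(theta, gamma, M):
    """Θ; Γ ⊢ M : A. Returns A or raises TypeError. Type equality is syntactic
    (not up to renaming of bound variables), a simplification of this example."""
    if isinstance(M, (Up, Down)): return Ans()
    if isinstance(M, Var):
        if M.name not in gamma: raise TypeError(f"unbound variable {M.name}")
        return gamma[M.name]
    if isinstance(M, Lam):
        if not wf(theta, M.ty): raise TypeError("ill-formed annotation")
        return Arrow(M.ty, typeof(theta, {**gamma, M.var: M.ty}, M.body))
    if isinstance(M, App):
        f, a = typeof(theta, gamma, M.fn), typeof(theta, gamma, M.arg)
        if not (isinstance(f, Arrow) and f.dom == a): raise TypeError("bad application")
        return f.cod
    if isinstance(M, TLam):
        return Forall(M.var, typeof(theta | {M.var}, gamma, M.body))
    f = typeof(theta, gamma, M.fn)                                   # M is a TApp
    if not (isinstance(f, Forall) and wf(theta, M.ty)): raise TypeError("bad type application")
    return subst_type(f.body, f.var, M.ty)

def erase_full(M):
    """|M|^I: type abstraction and application vanish entirely."""
    if isinstance(M, (Var, Up, Down)): return M
    if isinstance(M, Lam):  return ULam(M.var, erase_full(M.body))
    if isinstance(M, App):  return App(erase_full(M.fn), erase_full(M.arg))
    if isinstance(M, TLam): return erase_full(M.body)
    return erase_full(M.fn)                                          # TApp

def erase_delayed(M):
    """|M|^II: ΛX. M becomes λ_. |M| and M[A] becomes |M| ↓ (dummy of type ans)."""
    if isinstance(M, (Var, Up, Down)): return M
    if isinstance(M, Lam):  return ULam(M.var, erase_delayed(M.body))
    if isinstance(M, App):  return App(erase_delayed(M.fn), erase_delayed(M.arg))
    if isinstance(M, TLam): return ULam("_", erase_delayed(M.body))
    return App(erase_delayed(M.fn), Down())                          # TApp

def is_value(u): return isinstance(u, (ULam, Up, Down))

def subst(u, x, v):
    """[v/x]u for closed v, so no capture can occur."""
    if isinstance(u, Var):  return v if u.name == x else u
    if isinstance(u, App):  return App(subst(u.fn, x, v), subst(u.arg, x, v))
    if isinstance(u, ULam): return u if u.var == x else ULam(u.var, subst(u.body, x, v))
    return u

def eval_whnf(u, fuel=10_000):
    """Call-by-name weak-head β-reduction of a closed erased term: returns
    (value, steps), or raises RuntimeError if no value is reached within fuel."""
    steps = 0
    while not is_value(u):
        if fuel <= 0 or not isinstance(u, App): raise RuntimeError("no value reached")
        f, n = eval_whnf(u.fn, fuel)                # reduce the head first
        steps, fuel = steps + n, fuel - n
        if not isinstance(f, ULam): raise RuntimeError("stuck application")
        u, steps, fuel = subst(f.body, f.var, u.arg), steps + 1, fuel - 1
    return u, steps

def demo():
    X, ans = TVar("X"), Ans()
    poly_id = TLam("X", Lam("x", X, Var("x")))             # ΛX. λx:X. x : ∀X. X → X
    prog = App(TApp(poly_id, ans), Down())                 # id[ans] ↓ : ans
    lazy = TLam("X", App(Lam("y", ans, Var("y")), Up()))   # ΛX. ((λy:ans. y) ↑), a value
    return {
        "id_type": typeof(frozenset(), {}, poly_id),
        "prog_type": typeof(frozenset(), {}, prog),
        "full_keeps_value": is_value(erase_full(lazy)),       # False: the body is a redex
        "delayed_keeps_value": is_value(erase_delayed(lazy)), # True: still a λ
        "prog_result": eval_whnf(erase_delayed(prog)),        # (Down(), 2)
    }
```

Calling demo() returns the type of id[ans] ↓ (ans), the two value-preservation checks and the reduction result. The evaluator is fuel-bounded, so a non-terminating erased term such as Ω raises instead of looping, and typeof rejects a type application whose argument mentions a type variable outside Θ.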

2 Termination

Our goal is to prove, for the language augmented with quantifiers:

M : A ⟹ |M| term_β

Let us begin with the obvious attempt. We will use hereditary termination, HT_A(M), taking
erasure into account.

Proof Attempt.

• HT_X(M). We are not sure how to proceed here yet. Moving on for a moment...

• HT_ans(M) ⟺ M ↦*_β ↑ or M ↦*_β ↓. This is straightforward.


• HT_{A1→A2}(M) ⟺ for all M1, HT_{A1}(M1) ⟹ HT_{A2}(M M1). We have seen this before.

• HT_{∀X.A}(M) ⟺ for all closed B, we have HT_{[B/X]A}(M[B]).
Let us think about this case. First, observe that M[B] should actually be written
as M ↓, due to erasure. Next, there is a central issue: the substitution of B into
A may result in a type that is structurally larger than ∀X.A. For example, let
B = (∀X.X → A) → (∀X.X → X); then [B/X]A contains A itself and is clearly not smaller
than ∀X.A. This scheme is not inductive on the type, and it fails.
At this point, we may be frustrated enough to try a desperate move: defining some alternative
measure of size that means the substitution may not become larger than A, and would allow
us to move forward with the previous attempt. This would be difficult, as we would not
know where to start in defining such a measure, and it likely does not exist at all.

2.1 Next Attempt

Having been thwarted by the substitution, let us try to factor it out. Define

HT_A(M)[δ : Θ]

as the hereditary termination of M at A with a closing type substitution δ with respect to
Θ. Now A can be open (which also allows us to deal with the first case from earlier). In
particular, Θ ⊢ A type. We restate the problematic cases from before:

• HT_X(M)[δ : Θ] ⟺ HT_{δ(X)}(M).
This relates the new definition to the old one for type variables, given some closing
substitution.

• HT_{∀X.A}(M)[δ : Θ] ⟺ for all closed B, we have HT_A(M ↓)[δ[X ↦ B] : Θ, X].
Now, we allow X to be free in A, and record the substitution and X into the context.
Surely the proof will go through this time?

As pleased as we are that we have reorganized the proof, have we really done anything?
B is still a menace as before, and even if we first allow X to be free, eventually we must
attempt to close over it, at which point B resurfaces. We must find some way of truly ridding
ourselves of it.

2.2 A Step Further

Here is an idea: instead of dealing with B directly, define some interpretation of a type
variable. Namely, try:
HT_A(M)[δ; η : Θ]

where η is an interpretation, that is, an assignment of predicates to type variables given δ,
and η(X) is the interpretation of X. From here on, when Θ is clear from context we will
leave it out. We restate the cases again:

• HT_X(M)[δ[X ↦ A]; η[X ↦ T]] ⟺ T(M), where T is a predicate. Letting
η' = η[X ↦ T], we have T = η'(X).


• HT_{∀X.A}(M)[δ; η] ⟺ for all closed B, we have HT_A(M ↓)[δ[X ↦ B]; η[X ↦ HT_B(−)[δ; η]]].
So the predicate we wish to use is HT_B(−)[δ; η], which we call the standard interpretation
of B. In the proof, we eventually check the terms substituted for X for hereditary
termination at B.

We now seem to be much closer, but the proof is still flawed because checking HTB (−)[δ; η]
is still not inductive. This framework requires only one final leap before it is correct. The
final leap is a statement not only about our claim, but about the logic in which we are trying
to prove it!

2.3 A Leap of Faith

We said that HTB (−)[δ; η] is the standard interpretation of B, and that checking it is not
inductive in nature. Throughout this whole time we have been pestered by the fact that
we need to pick some specific B, and admit that it may be larger than A in the first place.
For every type B there is a corresponding standard interpretation. That leaves the question
open: do there exist non-standard interpretations?

[Figure: several circles, each a collection of terms, labelled HT_B(−), T_2, T_3 and C; the shaded circles are standard interpretations of types.]

We know that a type is a collection of terms, and indeed so is a predicate like HTB (−).
In the diagram above, each circle represents some collection of terms. Some of the circles,
including T1 and T2 , are standard interpretations of types. On the other hand, C is not.
Let us call collections of terms type candidates, or possible types. (We will need to impose
some other conditions later, but in general not every type candidate is actually a type).
So each circle above is a type candidate. Of these, the shaded ones are actually standard
interpretations, though some are not inductively checkable. Now that we have this larger
picture of the world, can we somehow indirectly reach HTB (−)?
Instead of pursuing HTB (−) directly, we can recognize any type candidate as the predicate.
Since one of the type candidates is HTB (−), this is at least as strong as the original claim.
And instead of ever explicitly substituting B, we need only to define convenient properties
holding over all type candidates to use in the proof.
However, this means we need to quantify over all type candidates, appealing to the existence
of the set of all type candidates. This is an appeal to a higher-order logic, which we have
not seen so far in the proof!
Let’s step back for a minute. Types themselves are “sets” (quantifications) over terms.
Previously we proved the termination of Gödel’s T using the hereditary termination predicates,
which are second-order quantifications over terms, each corresponding to a type in T. Now,


according to Gödel's second incompleteness theorem, first-order Peano arithmetic (and
System T, which contains it) cannot prove its own consistency (computationally speaking,
its termination), so the second-order proof was the best we could do.
By analogy, System F operates on types the way that System T operates on terms, allowing
us to abstract over and apply them. It has become clear that proving termination for System
F requires us to move one level higher, to third-order comprehension. We must produce the
set of all type candidates in order to finish the proof, which can only be done in third-order
logic.
There is a question of whether this is bending the axioms. Were we examining the logical
system itself, this might be a sore point, as a higher-order comprehension principle is a
controversial assumption. However, having already completed the termination proof for
System T, we are content with accepting it. We are computer scientists seeking to prove a
fact about the real System F, and will be happy with a proof in third-order logic.
With this machinery in place, we are finally ready to redefine the problematic case one last
time:
HT_{∀X.A}(M)[δ; η] ⟺ for all closed B, for all type candidates T, HT_A(M ↓)[δ[X ↦ B]; η[X ↦ T]].
Here, we quantify over all type candidates, among which is HTB (−), the type candidate
corresponding to the interpretation of B. Note the consequence of this claim on the nature
of a polymorphic computation. For an expression to be polymorphic it must be uniform in
non-expressible properties of the system. Some of these properties, like quantification over all
type candidates, can only be stated in a higher-order logic. We demand more of programs
than is evidently required. This makes our understanding of polymorphism much richer than
“generics” in conventional programming languages.

3 Girard’s Method

The new definition of hereditary termination, as we discovered through several trials, is:

HT_A(M)[δ; η : Θ]

read as: M is hereditarily terminating at A, where δ is a closing type variable substitution
and η is a candidate assignment, all with respect to Θ. Since it is usually clear from context,
we drop Θ unless it is required.
To make precise the argument about type candidates, we need to make precise what they are.
A type candidate is any collection C of closed, erased terms such that:

1. C is closed under head expansion, and possibly

2. (a condition we will need at the end of this section) C(M) implies M term_β.

Before presenting the FTLR for system F, we will need the following lemma:
Lemma 1 (Compositionality). HT_{[A/X]B}(M)[δ; η] iff HT_B(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]].

Proof. Induction on B.

• B = X
For the forward direction, suppose HT_{[A/X]X}(M)[δ; η]. We need to show that
HT_X(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. By definition, it suffices to show
(η[X ↦ HT_A(−)[δ; η]])(X)(M), that is, HT_A(M)[δ; η], which follows from the assumption.


For the backward direction, suppose HT_X(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. We
need to show that HT_{[A/X]X}(M)[δ; η], that is, HT_A(M)[δ; η], which follows by unfolding
the assumption.

• B = X' where X ≠ X'
For the forward direction, suppose HT_{[A/X]X'}(M)[δ; η]. We need to show that
HT_{X'}(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. By definition, it suffices to show
(η[X ↦ HT_A(−)[δ; η]])(X')(M). Since X ≠ X', it suffices to show η(X')(M), which holds
by assumption.

For the backward direction, suppose HT_{X'}(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. We
need to show that HT_{[A/X]X'}(M)[δ; η], that is, HT_{X'}(M)[δ; η]. By definition, it suffices
to show η(X')(M). By assumption, (η[X ↦ HT_A(−)[δ; η]])(X')(M) holds. Since X ≠ X',
(η[X ↦ HT_A(−)[δ; η]])(X') = η(X'), so η(X')(M) holds.

• B = A1 → A2
For the forward direction, suppose HT_{[A/X]B}(M)[δ; η]. We need to show that
HT_B(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. Suppose HT_{A1}(N)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]].
It suffices to show HT_{A2}(M N)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. By IH, we have
HT_{[A/X]A1}(N)[δ; η]. Further, from the assumption we get HT_{[A/X]A1→[A/X]A2}(M)[δ; η].
By the definition of hereditary termination, we get HT_{[A/X]A2}(M N)[δ; η], and the
result follows from the IH.

For the backward direction, suppose HT_{A1→A2}(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]].
We need to show that HT_{[A/X](A1→A2)}(M)[δ; η], that is, HT_{[A/X]A1→[A/X]A2}(M)[δ; η].
Suppose HT_{[A/X]A1}(N)[δ; η]. It suffices to show HT_{[A/X]A2}(M N)[δ; η]. By IH, we have
HT_{A1}(N)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. Along with the assumption, we get
HT_{A2}(M N)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]], and the result follows from the IH.

• B = ∀Z.B'
For the forward direction, suppose HT_{[A/X]∀Z.B'}(M)[δ; η]. We need to show that
HT_{∀Z.B'}(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. Let C be a closed type, and T a type
candidate. Letting δ' = δ[X ↦ A] and η' = η[X ↦ HT_A(−)[δ; η]], it suffices to show
HT_{B'}(|M| ↓)[δ'[Z ↦ C]; η'[Z ↦ T]]. Reordering the mappings, we have to show
HT_{B'}(|M| ↓)[δ''[X ↦ A]; η''[X ↦ HT_A(−)[δ''; η'']]], where δ'' = δ[Z ↦ C] and
η'' = η[Z ↦ T] (the predicates HT_A(−)[δ; η] and HT_A(−)[δ''; η''] agree, since Z does not
occur free in A). By the assumption (and capture-avoiding substitution), we have
HT_{∀Z.[A/X]B'}(M)[δ; η]. Now instantiate the RHS definition with C and T, obtaining
HT_{[A/X]B'}(|M| ↓)[δ[Z ↦ C]; η[Z ↦ T]]. By IH, we have
HT_{B'}(|M| ↓)[δ''[X ↦ A]; η''[X ↦ HT_A(−)[δ''; η'']]], which is what was needed.

For the backward direction, suppose HT_{∀Z.B'}(M)[δ[X ↦ A]; η[X ↦ HT_A(−)[δ; η]]]. We
need to show that HT_{[A/X]∀Z.B'}(M)[δ; η], that is, HT_{∀Z.[A/X]B'}(M)[δ; η]. Let C be a closed
type, and T a type candidate. By definition, it suffices to show
HT_{[A/X]B'}(|M| ↓)[δ[Z ↦ C]; η[Z ↦ T]]. Instantiating the assumption with C and T, we have
HT_{B'}(|M| ↓)[δ[X ↦ A][Z ↦ C]; η[X ↦ HT_A(−)[δ; η]][Z ↦ T]]. Swapping X and Z in δ and η
as in the forward direction and applying the IH, we have
HT_{[A/X]B'}(|M| ↓)[δ[Z ↦ C]; η[Z ↦ T]].

Lemma 2 (Head expansion). If Θ ⊢ A type, δ : Θ, η : Θ, then HT_A(−)[δ; η] is a type
candidate.

Proof. Induction on A.

• A = X
Suppose HT_X(M')[δ; η] and M ↦ M'. We need to show that HT_X(M)[δ; η]. By
assumption, we have η(X)(M'). Since η is a candidate assignment, η(X) is closed
under head expansion, and so η(X)(M) holds.

• A = ans
Suppose HT_ans(M')[δ; η] and M ↦ M'. Then M' ↦*_β ↑ or M' ↦*_β ↓, so M ↦*_β ↑ or
M ↦*_β ↓, which is HT_ans(M)[δ; η].

• A = A1 → A2
Suppose HT_{A1→A2}(M')[δ; η] and M ↦ M'. We need to show that HT_{A1→A2}(M)[δ; η].
Suppose HT_{A1}(N)[δ; η]. It suffices to show that HT_{A2}(M N)[δ; η]. Instantiating the
assumption, we get HT_{A2}(M' N)[δ; η]. Since M N ↦ M' N, by IH we have our result.

• A = ∀X.B
Suppose HT_{∀X.B}(M')[δ; η] and M ↦ M'. We need to show HT_{∀X.B}(M)[δ; η]. Let C be
a closed type, T a type candidate. It suffices to show HT_B(|M| ↓)[δ[X ↦ C]; η[X ↦ T]].
Instantiating the assumption with C and T, we have HT_B(|M'| ↓)[δ[X ↦ C]; η[X ↦ T]].
Since |M| ↓ ↦ |M'| ↓, by IH we have our result.

Theorem 3 (FTLR for System F). If Θ; Γ ⊢ M : A, and

1. δ : Θ is a closing type substitution,
2. η : Θ is a candidate assignment,
3. γ : · → Γ is a closing term substitution,
4. HT_Γ(γ)[δ; η],

then HT_A(γ̂(|M|))[δ; η].

Proof. Induction on typing.

$$
\frac{\Theta, X;\ \Gamma \vdash M : B}{\Theta;\ \Gamma \vdash \Lambda X.\, M : \forall X.B}
$$

Fix δ : Θ, η : Θ and HT_Γ(γ)[δ; η]. We need to show that HT_{∀X.B}(γ̂(|ΛX. M|))[δ; η : Θ],
that is, HT_{∀X.B}(λ_. γ̂(|M|))[δ; η : Θ]. Let C be a closed type, T a type candidate,
δ' = δ[X ↦ C], η' = η[X ↦ T], and Θ' = Θ, X. We need to show that
HT_B((λ_. γ̂(|M|)) ↓)[δ'; η' : Θ']. By head expansion, it suffices to show that
HT_B(γ̂(|M|))[δ'; η' : Θ'], which follows from the IH.

$$
\frac{\Theta;\ \Gamma \vdash M : \forall X.B \qquad \Theta \vdash C\ \mathsf{type}}{\Theta;\ \Gamma \vdash M[C] : [C/X]B}
$$

Fix δ : Θ, η : Θ and HT_Γ(γ)[δ; η]. We need to show that HT_{[C/X]B}(γ̂(|M[C]|))[δ; η],
that is, HT_{[C/X]B}(γ̂(|M|) ↓)[δ; η]. By compositionality, it suffices to show that
HT_B(γ̂(|M|) ↓)[δ[X ↦ C]; η[X ↦ HT_C(−)[δ; η]]]. By IH, we have HT_{∀X.B}(γ̂(|M|))[δ; η].
Instantiating the RHS with C and HT_C(−)[δ; η] (which by Lemma 2 is a type candidate),
we get HT_B(γ̂(|M|) ↓)[δ[X ↦ C]; η[X ↦ HT_C(−)[δ; η]]].

Corollary 4. HT_ans(M)[∅; ∅] ⟹ M term_β.

In order to extend this to all types, we need to stipulate termination for all type candidates
and formulate hereditary termination positively.


4 Equality

The plan from now on:

1. Equality: formal vs semantic
2. Parametricity / data abstraction by "binarizing" Girard's method
3. Propositions as types and dependent types
4. CTT / HDTT

Recall definitional (structural) equality (equivalence) in formal type theory, originating from
Gentzen's inversion principles. Definitional equality can be characterized as follows:

1. Reflexive, symmetric and transitive (an equivalence relation)
2. Compatible with the term formers (a congruence)
3. "Calculates" via β-reduction (but is not directed)

Definitional equality is a very strong "equality", and does not support hypothetical reasoning.
For instance, if we define plus in Gödel's T (by recursion on one of its arguments), we will not
be able to prove x : nat, y : nat ⊢ x + y ≡ y + x : nat, even though for all numerals n̄, m̄ we
can derive ⊢ n̄ + m̄ ≡ m̄ + n̄ : nat.

References

Robin Milner. A theory of type polymorphism in programming. Journal of Computer and
System Sciences, 17(3):348–375, 1978.
