1 Introduction

The functorial structure of type constructors forms the basis for many definition and proof principles in proof assistants. Examples include datatype and codatatype definitions [3, 9, 37], program synthesis [13, 19, 24], generalized term rewriting [36], and reasoning based on representation independence [6, 19, 23] and about effects [26, 27].

A type constructor becomes a functor through a mapper operation that lifts functions on the type arguments to the constructed type. The mapper must be functorial, i.e., preserve identity functions (\(\textsf {id}\)) and distribute over function composition (\(\circ \)). For example, the list type constructor \(\_\;\textit{list}\)Footnote 1 has the well-known mapper \(\textsf {map}\,{:}{:}\,(\alpha \rightarrow \beta ) \rightarrow \alpha \;\textit{list} \rightarrow \beta \;\textit{list}\), which applies the given function to every element in the given list. It is functorial:

$$\begin{aligned} \textsf {map}\;\textsf {id} = \textsf {id} \qquad \qquad \textsf {map}\;g \circ \textsf {map}\;f = \textsf {map}\;(g \circ f) \end{aligned}$$

Most applications of functors can benefit from even richer structures. In this paper, we focus on bounded natural functors (BNFs) [37] (Sect. 2.1). A BNF comes with additional setter operators that return sets of occurring elements, called atoms, for each type argument. The setters must be natural transformations, i.e., commute with the mapper, and bounded, i.e., have a fixed cardinality bound on the sets they return. For example, \(\textsf {set}\,{:}{:}\,\alpha \;\textit{list} \rightarrow \alpha \;\textit{set}\) returns the set of elements in a list. It satisfies \(\textsf {set}\circ \textsf {map}\;f = f\langle \_\rangle \circ \textsf {set}\), where \(f\langle \_\rangle \) denotes the function that maps a set X to \(f\langle X\rangle = \{f\;x\mid x \in X\}\), i.e., the image of X under f. Moreover, since lists are finite sequences, \(\textsf {set}\; xs \) is always a finite set.

Originally, BNFs were introduced for modularly constructing datatypes and codatatypes [9] in the Isabelle/HOL proof assistant. Although (co)datatypes are still the most important use case, the BNF structure is used nowadays in other contexts such as reasoning via free theorems [29] and transferring theorems between types [22, 28].

Several type definition principles in HOL preserve the BNF structure: composition (e.g., \((\alpha \;\textit{list})\;\textit{list}\)), datatypes and codatatypes [37], and—under certain conditions—subtypes [7, 28]. Subtypes include records and type copies. Accordingly, when a new type constructor is defined via one of these principles from an existing BNF, then the new type automatically comes with a mapper and setters and with theorems for the BNF properties.

One important type definition principle is missing above: quotients [18, 19, 21, 34, 35] (Sect. 2.2). A quotient type identifies elements of an underlying type according to a (partial) equivalence relation \({\sim }\). That is, the quotient type is isomorphic to the equivalence classes of \({\sim }\). For example, unordered pairs \(\alpha \;\textit{upair}\) are the quotient of ordered pairs \(\alpha \times \alpha \) and the equivalence relation \({\sim _{\textit{upair}}}\) generated by \((x, y) \sim _{\textit{upair}} (y, x)\). Similarly, finite sets, bags, and cyclic lists are quotients of lists where the equivalence relation permutes or duplicates the list elements as needed.

In this paper, we answer the question when and how a quotient type inherits its underlying type’s BNF structure. It is well known that a quotient preserves the functorial properties if the underlying type’s mapper preserves \({\sim }\); then the quotient type’s mapper is simply the lifting of the underlying type’s mapper to equivalence classes [3]. For setters, the situation is more complicated. We discovered that if the setters are defined as one would expect, the resulting structure may not preserve empty intersections, i.e., it is unsound in Adámek et al.’s [2] terminology. All BNFs, however, are sound. To repair the situation, we characterize the setters in terms of the mapper and identify a definition scheme for the setters that results in sound functors. We then derive sufficient conditions on the equivalence relation \({\sim }\) for the BNF properties to be preserved for these definitions (Sect. 3). With few exceptions, we omit proofs and refer to our technical report [15], which contains them.

Moreover, we have implemented an Isabelle/HOL command that automates the registration of a quotient type as a BNF (Sect. 4); the user merely needs to discharge the conditions on \({\sim }\). One of the conditions, subdistributivity, often requires considerable proof effort, though. We therefore developed a novel sufficient criterion using confluent relations that simplifies the proofs in our case studies (Sect. 3.4). Our implementation is distributed with the Isabelle2020 release.

Contributions. The main contributions of this paper are the following:

  1. We identify sufficient criteria for when a quotient type preserves the BNF properties of the underlying type. Registering a quotient as a BNF allows (co)datatypes to nest recursion through it. Consider for example node-labeled unordered binary trees

    $$\begin{aligned} \texttt {datatype}\;\textit{ubtree} = \textsf {Leaf} \mid \textsf {Node}\;\textit{nat}\; (\textit{ubtree}\;\textit{upair}) \end{aligned}$$

    BNF use cases beyond datatypes benefit equally.

  2. In particular, we show that the straightforward definitions would make the functor unsound, and we find better definitions that avoid unsoundness. This problem is not limited to BNFs. The lifting operations for Lean’s QPFs [3] also suffer from unsoundness, and our repair applies to them as well (Sect. 5.2).

  3. We propose a sufficient criterion on \({\sim }\) for subdistributivity, which is typically the most difficult BNF property to show. We show with several examples that the criterion is applicable in practice and yields relatively simple proofs.

  4. We have implemented an Isabelle/HOL command to register the quotient as a BNF, once the user has discharged the conditions on \({\sim }\). The command also generates proof rules for transferring theorems about the BNF operations from the underlying type to the quotient (Sect. 4.2). Several case studies demonstrate the command’s usefulness. Some examples reformulate well-known BNFs as quotients (e.g., unordered pairs, distinct lists, finite sets). Others formally prove the BNF properties for the first time, e.g., cyclic lists, the free idempotent monoid, and regular expressions modulo ACI. These examples become part of the collection of formalized BNFs and can thus be used in datatype definitions and other BNF applications.

Example 1

To illustrate our contribution’s usefulness, we consider linear dynamic logic (LDL) [14], an extension of linear temporal logic with regular expressions. LDL’s syntax is usually given as two mutually recursive datatypes of formulas and regular expressions [5, 14]. Here, we opt for nested recursion, which has the modularity benefit of being able to formalize regular expressions separately. We define regular expressions \(\alpha \;\textit{re}\):

datatype   \(\alpha \,\textit{re} = \textsf {Atom}\;\alpha \mid \textsf {Alt}\;(\alpha \,\textit{re})\;(\alpha \,\textit{re}) \mid \textsf {Conc}\;(\alpha \,\textit{re})\;(\alpha \,\textit{re}) \mid \textsf {Star}\;(\alpha \,\textit{re})\)

Often, it is useful to consider regular expressions modulo some syntactic equivalences. For example, identifying expressions modulo the associativity, commutativity, and idempotence (ACI) of the alternation constructor \(\textsf {Alt}\) results in a straightforward construction of deterministic finite automata from regular expressions via Brzozowski derivatives [32]. We define the ACI-equivalence \({\sim _\textit{aci}}\) as the least congruence relation satisfying:

\(\textsf {Alt}\;(\textsf {Alt}\;r\;s)\;t \sim _\textit{aci} \textsf {Alt}\;r\;(\textsf {Alt}\;s\;t)\)      \(\textsf {Alt}\;r\;s \sim _\textit{aci} \textsf {Alt}\;s\;r\)      \(\textsf {Alt}\;r\;r \sim _\textit{aci} r\)

Next, we define the quotient type of regular expressions modulo ACI \(\alpha \;\textit{re}_\textit{aci}\) and the datatype of LDL formulas \(\textit{ldl}\), which uses nested recursion through \(\alpha \;\textit{re}_\textit{aci}\).

quotient_type \(\alpha \;\textit{re}_\textit{aci} = \alpha \;\textit{re} / {\sim _\textit{aci}}\)

datatype \(\textit{ldl} = \textsf {Prop}\;\textit{string} \mid \textsf {Neg}\;\textit{ldl} \mid \textsf {Conj}\;\textit{ldl}\;\textit{ldl} \mid \textsf {Match}\;(\textit{ldl}\;\textit{re}_\textit{aci})\)

For the last declaration to succeed, Isabelle must know that \(\alpha \;\textit{re}_\textit{aci}\) is a BNF. We will show in Sect. 3.4 how our work allows us to lift \(\alpha \;\textit{re}\)’s BNF structure to \(\alpha \;\textit{re}_\textit{aci}\).   \(\diamondsuit \)

2 Background

We work in Isabelle/HOL, Isabelle’s variant of classical higher-order logic—a simply typed theory with Hilbert choice and rank-1 polymorphism. We refer to a textbook for a detailed introduction to Isabelle/HOL [31] and only summarize relevant notation here.

Types are built from type variables \(\alpha ,\,\beta ,\,\ldots \) via type constructors. A type constructor can be nullary (nat) or have some type arguments (\(\alpha \;\textit{list}\), \(\alpha \;\textit{set}\), \((\alpha ,\,\beta )\;\textit{upair}\)). Type constructor application is written postfix. Exceptions are the binary type constructors for sums (\(+\)), products (\(\times \)), and functions (\(\rightarrow \)), all written infix. Terms are built from variables \(x,\,y,\,\ldots \) and constants \(\textsf {c},\,\textsf {d},\,\ldots \) via lambda-abstractions \(\lambda x.\; t\) and applications \(t\;u\). The sum type’s embeddings are \(\textsf {Inl}\) and \(\textsf {Inr}\) and the product type’s projections are \(\textsf {fst}\) and \(\textsf {snd}\).

The primitive way of introducing new types in HOL is to take a non-empty subset of an existing type. For example, the type of lists could be defined as the set of pairs \((n {:}{:}\textit{nat},\,f {:}{:}\textit{nat} \rightarrow \alpha )\) where n is the list’s length and \(f\;i\) is the list’s ith element for \(i < n\) and some fixed unspecified element of type \(\alpha \) for \(i \ge n\). To spare the users from such low-level encodings, Isabelle/HOL offers more high-level mechanisms for introducing new types, which are internally reduced to primitive subtyping. In fact, lists are defined as an inductive \(\texttt {datatype}\;\alpha \;\textit{list} = [] \mid \alpha \mathbin \# \alpha \;\textit{list}\), where [] is the empty list and \(\#\) is the infix list constructor. Recursion in datatypes and their coinductive counterparts may take place only under well-behaved type constructors, the bounded natural functors (Sect. 2.1). Quotient types (Sect. 2.2) are another high-level mechanism for introducing new types.

For n-ary definitions, we use the vector notation \(\overline{x}\) that denotes \(x_1, \ldots , x_n\) where n is clear from the context. Vectors spanning several variables indicate repetition with synchronized indices. For example, \(\textsf {map}_F\;\overline{(g\circ f)}\) abbreviates \(\textsf {map}_F\;({g_1\circ f_1})\;\ldots \;({g_n\circ f_n})\). Abusing notation slightly, we write \(\overline{\alpha } \rightarrow \beta \) for the n-ary function type \(\alpha _1 \rightarrow \cdots \rightarrow \alpha _n \rightarrow \beta \).

To simplify notation, we identify the type of binary predicates \(\alpha \rightarrow \beta \rightarrow \mathbb {B}\) and sets of pairs \((\alpha \times \beta )\;\textit{set}\), and write \(\alpha \otimes \beta \) for both. These types are different in Isabelle/HOL and the BNF ecosystem works with binary predicates. The identification allows us to use set operations, e.g., the subset relation \(\subseteq \) or relation composition \(\mathbin {\bullet }\) (both written infix).

2.1 Bounded Natural Functors

A bounded natural functor (BNF) [37] is an n-ary type constructor \(\overline{\alpha }\;F\) equipped with the following polymorphic constants. Here and elsewhere, i implicitly ranges over \(\{1,\,\ldots ,\,n\}\):

[figure a: the types of the BNF constants \(\textsf {map}_F\), \(\textsf {set}_{F,i}\), \(\textsf {bd}_F\), and \(\textsf {rel}_F\); figure not reproduced]

The shape and content intuition [37] is a useful way of thinking about elements of \(\overline{\alpha }\;F\). The mapper \(\textsf {map}_F\) leaves the shape unchanged but modifies the contents by applying its function arguments. The n setters \(\textsf {set}_{F,i}\) extract the contents (and dispose of the shape). For example, the shape of a list is given by its length, which \(\textsf {map}\) preserves. The cardinal bound \(\textsf {bd}_F\) is a fixed bound on the number of elements returned by \(\textsf {set}_{F,i}\). Cardinal numbers are represented in HOL using particular well-ordered relations [10]. Finally, the relator \(\textsf {rel}_F\) lifts relations on the type arguments to a relation on \(\overline{\alpha }\;F\) and \(\overline{\beta }\;F\). Thereby, it only relates elements of \(\overline{\alpha }\;F\) and \(\overline{\beta }\;F\) that have the same shape.

The BNF constants must satisfy the following properties:

[figure b: the BNF properties map_id, map_comp, set_map, map_cong, set_bd, bd, in_rel, and rel_comp; figure not reproduced]

Properties map_id and map_comp capture the mapper’s functoriality; set_map the setters’ naturality. Moreover, the mapper and the setters must agree on what they identify as content (map_cong). Any set returned by \(\textsf {set}_{F,i}\) must be bounded (set_bd); the operator \(\le _o\) compares cardinal numbers [10]. The bound is required to be infinite (bd), which simplifies cardinal arithmetic. The relator can be expressed in terms of the mapper and the setter (in_rel) and must distribute over relation composition (rel_comp). The other inclusion, namely \(\textsf {rel}_F\;\overline{(R \mathbin {\bullet }S)} \subseteq \textsf {rel}_F\;\overline{R} \mathbin {\bullet }\textsf {rel}_F\;\overline{S}\), follows from these properties. We refer to rel_comp as subdistributivity because it only requires one inclusion.

A useful derived operator is the action on sets \({\fbox {F}}{:}{:}\overline{\alpha \;\textit{set}} \rightarrow \overline{\alpha }\;F\;\textit{set}\), which generalizes the type constructor’s action on its type arguments. Formally, \({\fbox {F}}\;\overline{A} = \{x \mid \forall i.\; \textsf {set}_{F,i}\;x\subseteq A_i\}\). Note that we can write \(z \in {\fbox {F}}\;\overline{R}\) to replace the equivalent \(\forall i.\;\textsf {set}_{F,i}\;z\subseteq R_i\) in in_rel.

Most basic types are BNFs, notably, sum and product types. BNFs are closed under composition, e.g., \(\mathsf {1}+ \alpha \times \beta \) is a BNF with the mapper \(\lambda f\; g.\;\textsf {map}_{\mathsf {1}+}\;(\textsf {map}_\times \;f\;g)\), where \(\mathsf {1}\) is the unit type (consisting of the single element \(\star \)) and \(\textsf {map}_{\mathsf {1}+}\;h = \textsf {map}_{+}\;\textsf {id}\;h\). Moreover, BNFs support fixpoint operations, which correspond to (co)datatypes, and are closed under them [37]. For instance, the datatype command internally computes a least solution for the fixpoint type equation \(\beta = \mathsf {1}+ \alpha \times \beta \) to define the \(\alpha \;\textit{list}\) type. Closure means that the resulting datatype, here \(\alpha \;\textit{list}\), is equipped with the BNF structure, e.g., the mapper \(\textsf {map}\). Subtypes also inherit the BNF structure under certain conditions [7]. For example, the subtype \(\alpha \;\textit{nelist}\) of non-empty lists \(\{ xs {:}{:}\alpha \;\textit{list} \mid xs \ne []\}\) is a BNF.
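
The BNF laws can be checked mechanically on a small finite model. The following Python script is an added example (not from the paper and not Isabelle/HOL code): it models the list BNF with \(\textsf {map}\) and \(\textsf {set}\), defines the relator through in_rel (for lists: equal length and pointwise related elements), and enumerates all functions and all relations over a two-element universe to check map_id, map_comp, set_map, map_cong, and rel_comp. The universe, the list length bound, and the helper names are assumptions of the example; set_bd holds trivially because every list is finite.

```python
from itertools import product

# Finite-model check of the BNF laws for the list functor.  This is an added
# example, not code from the paper or from Isabelle/HOL: universes are small
# finite sets, so "for all f, g" and "for all R, S" are enumerated exhaustively.

def lmap(f, xs):                     # map: apply f to every element, keep the shape
    return tuple(f(a) for a in xs)

def lset(xs):                        # set: the atoms of a list
    return frozenset(xs)

def lists(universe, max_len):        # all lists over the universe up to max_len
    return [tuple(t) for n in range(max_len + 1) for t in product(universe, repeat=n)]

def functions(dom, cod):             # all total functions dom -> cod, as dicts
    dom = tuple(dom)
    return [dict(zip(dom, img)) for img in product(cod, repeat=len(dom))]

def relations(a, b):                 # all subsets of a x b
    pairs = [(x, y) for x in a for y in b]
    return [frozenset(p for p, keep in zip(pairs, bits) if keep)
            for bits in product([False, True], repeat=len(pairs))]

def lrel(R, xs, ys):
    # rel defined through in_rel: there is a z :: (alpha * beta) list with
    # set z <= R, map fst z = xs and map snd z = ys.  For lists this is the
    # same as: equal length and pointwise R-related elements.
    return len(xs) == len(ys) and all((a, b) in R for a, b in zip(xs, ys))

def compose(R, S):                   # relation composition R . S
    return frozenset((a, c) for a, b in R for b2, c in S if b == b2)

def check_list_bnf(universe=(0, 1), max_len=2):
    xs_all = lists(universe, max_len)
    fs = functions(universe, universe)
    for xs in xs_all:
        assert lmap(lambda a: a, xs) == xs                                        # map_id
        for f, g in product(fs, repeat=2):
            assert lmap(g.get, lmap(f.get, xs)) == lmap(lambda a: g[f[a]], xs)    # map_comp
            assert lset(lmap(f.get, xs)) == frozenset(f[a] for a in lset(xs))     # set_map
            if all(f[a] == g[a] for a in lset(xs)):                               # map_cong
                assert lmap(f.get, xs) == lmap(g.get, xs)
    # set_bd holds trivially: every list is finite.  rel_comp (subdistributivity):
    # rel R . rel S <= rel (R . S) for all R, S over the universe.
    rels = relations(universe, universe)
    for R, S in product(rels, repeat=2):
        RS = compose(R, S)
        for xs, zs in product(xs_all, repeat=2):
            if any(lrel(R, xs, ys) and lrel(S, ys, zs) for ys in xs_all):
                assert lrel(RS, xs, zs)
    return True
```

Because every quantifier is enumerated, `check_list_bnf()` is a proof for the chosen universe only; it is meant to make the laws concrete, not to replace the Isabelle proofs.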

2.2 Quotient Types

An equivalence relation \({\sim }\) on a type T partitions the type into equivalence classes. Isabelle/HOL supports the definition of the quotient type \(Q = T / {\sim }\), which yields a new type Q isomorphic to the set of equivalence classes [21]. For example, consider \({\sim _{\textit{fset}}}\) that relates two lists if they have the same set of elements, i.e., \( xs \sim _{\textit{fset}} ys \) iff \(\textsf {set}\; xs = \textsf {set}\; ys \). The following command defines the type \(\alpha \;\textit{fset}\) of finite sets as a quotient of lists:

\(\texttt {quotient\_type }\alpha \;\textit{fset} = \alpha \;\textit{list} / {\sim _{\textit{fset}}}\)

This command requires a proof that \({\sim _{\textit{fset}}}\) is, in fact, an equivalence relation.

The Lifting and Transfer tools [19, 22] automate the lifting of definitions and theorems from the raw type T to the quotient Q. For example, the image operation on finite sets can be obtained by lifting the list mapper \(\textsf {map}\) using the command

\(\texttt {lift\_definition }\textsf {fimage} {:}{:}(\alpha \rightarrow \beta ) \rightarrow \alpha \;\textit{fset} \rightarrow \beta \;\textit{fset}\texttt { is }\textsf {map}\)

Lifting is only possible for terms that respect the quotient. For \(\textsf {fimage}\), respectfulness states that \(\textsf {map}\;f\; xs \sim _{\textit{fset}} \textsf {map}\;f\; ys \) whenever \( xs \sim _{\textit{fset}} ys \).

Lifting and Transfer are based on transfer rules that relate two terms of possibly different types. The lift_definition command automatically proves the transfer rule

$$\begin{aligned} (\textsf {map},\textsf {fimage}) \in ((=) \Mapsto \textsf {cr}_{\textit{fset}} \Mapsto \textsf {cr}_{\textit{fset}}) \end{aligned}$$

where \(A \Mapsto B\) (right-associative) relates two functions iff they map A-related arguments to B-related results. The correspondence relation \(\textsf {cr}_{\textit{fset}}\) relates a list with the finite set that it represents, i.e., the set whose corresponding equivalence class contains the list. Every quotient is equipped with such a correspondence relation. The meaning of the above rule is that applying \(\textsf {map}\;f\) to a list representing the finite set X results in a list that represents \(\textsf {fimage}\;f\;X\), for all f. The transfer rule’s relation \((=) \Mapsto \textsf {cr}_{\textit{fset}} \Mapsto \textsf {cr}_{\textit{fset}}\) is constructed according to the types of the related terms. This enables the composition of transfer rules to relate larger terms. For instance, the Transfer tool automatically derives

$$\begin{aligned} (\forall x.\;\textsf {set}\;(\textsf {map}\;\textsf {id}\;x) = \textsf {set}\;x) \longleftrightarrow (\forall X.\;\textsf {fimage}\;\textsf {id}\;X = X) \end{aligned}$$

such that the equation \(\forall X.\;\textsf {fimage}\;\textsf {id}\;X = X\) can be proved by reasoning about lists.

3 Quotients of Bounded Natural Functors

We develop the theory for when a quotient type inherits the underlying type’s BNF structure. We consider the quotient \(\overline{\alpha }\;Q = \overline{\alpha }\;F / {\sim }\) of an n-ary BNF \(\overline{\alpha }\;F\) over an equivalence relation \({\sim }\) on \(\overline{\alpha }\;F\). The first idea is to define \(\textsf {map}_Q\) and \(\textsf {set}_{Q,i}\) in terms of F’s operations:

\(\texttt {quotient\_type}\;\overline{\alpha }\;Q = \overline{\alpha }\;F / {\sim }\)

\(\texttt {lift\_definition}\;\textsf {map}_Q {:}{:}\overline{(\alpha \rightarrow \beta )} \rightarrow \overline{\alpha }\;Q \rightarrow \overline{\beta }\;Q\;\;\texttt {is}\;\;\textsf {map}_F\)

\(\texttt {lift\_definition}\;\textsf {set}_{Q,i} {:}{:}\overline{\alpha }\;Q \rightarrow \alpha _i\;\textit{set}\;\;\texttt {is}\;\;\textsf {set}_{F,i}\)

These three commands require the user to discharge the following proof obligations:

[figure c: the proof obligations (1)–(3): (1) \({\sim }\) is an equivalence relation, (2) \(\textsf {map}_F\) preserves \({\sim }\), (3) \(\textsf {set}_{F,i}\) preserves \({\sim }\); figure not reproduced]

The first two conditions are as expected: \({\sim }\) must be an equivalence relation, by (1), and compatible with F’s mapper, by (2), i.e., \(\textsf {map}_F\) preserves \({\sim }\). The third condition, however, demands that equivalent values contain the same atoms. This rules out many practical examples including the following simplified (and therefore slightly artificial) one.

Example 2

Consider \(\alpha \;F_P = \alpha + \alpha \) with the equivalence relation \({\sim _P}\) generated by \(\textsf {Inl}\;x \sim _P \textsf {Inl}\;y\), where \(\textsf {Inl}\) is the sum type’s left embedding. That is, \({\sim _P}\) identifies all values of the form \(\textsf {Inl}\;z\) and thus \(\alpha \;Q_P = \alpha \;F_P / {\sim _P}\) is isomorphic to the type \(\mathsf {1}+ \alpha \). However, \(\textsf {Inl}\;x\) and \(\textsf {Inl}\;y\) have different sets of atoms \(\{x\}\) and \(\{y\}\), assuming \(x\ne y\).    \(\diamondsuit \)

We derive better definitions for the setters and conditions under which they preserve the BNF properties. To that end, we characterize setters in terms of the mapper (Sect. 3.1). Using this characterization, we derive the relationship between \(\textsf {set}_{Q,i}\) and \(\textsf {set}_{F,i}\) and identify the conditions on \({\sim }\) (Sect. 3.2). Next, we do the same for the relator (Sect. 3.3). We thus obtain the conditions under which \(\overline{\alpha }\;Q\) preserves F’s BNF properties. One of the conditions, the relator’s subdistributivity over relation composition, is often difficult to show directly in practice. We therefore present an easier-to-establish criterion for the special case where a confluent rewrite relation \({\rightsquigarrow }\) over-approximates \({\sim }\) (Sect. 3.4).

3.1 Characterization of the BNF Setter

We now characterize \(\textsf {set}_{F,i}\) in terms of \(\textsf {map}_F\) for an arbitrary BNF \(\overline{\alpha }\;F\). Observe that F’s action \({\fbox {F}}\;\overline{A}\) on sets contains all values that can be built with atoms from \(\overline{A}\). Hence, \(\textsf {set}_{F,i}\;x\) is the smallest set \(A_i\) such that x can be built from atoms in \(A_i\). Formally:

$$\begin{aligned} \textsf {set}_{F,i}\;x = \bigcap \{A_i \mid x \in {\fbox {F}}\;\overline{\textsf {UNIV}}\;A_i\;\overline{\textsf {UNIV}}\} \end{aligned}$$
(4)

Only atoms of type \(\alpha _i\) are restricted; all other atoms \(\alpha _j\) may come from \(\textsf {UNIV}\), the set of all elements of type \(\alpha _j\). Moreover, \({\fbox {F}}\) can be defined without \(\textsf {set}_{F,i}\), namely by trying to distinguish values using the mapper. Informally, x contains atoms not from \(\overline{A}\) iff \(\textsf {map}_F\;\overline{f}\;x\) differs from \(\textsf {map}_F\;\overline{g}\;x\) for some functions \(\overline{f}\) and \(\overline{g}\) that agree on \(\overline{A}\). Hence, we obtain:

$$\begin{aligned} {\fbox {F}}\;\overline{A} = \{x \mid \forall \overline{f}\;\overline{g}.\;(\forall i.\;\forall a\in A_i.\; f_i\; a = g_i\; a) \longrightarrow \textsf {map}_F\;\overline{f}\;x = \textsf {map}_F\;\overline{g}\;x\} \end{aligned}$$
(5)

Proof

From left to right is trivial with map_cong. So let x be such that \(\textsf {map}_F\;\overline{f}\;x = \textsf {map}_F\;\overline{g}\;x\) whenever \(f_i\;a = g_i\;a\) for all \(a \in A_i\) and all i. By the definition of \({\fbox {F}}\), it suffices to show that \(\textsf {set}_{F,i}\;x \subseteq A_i\). Set \(f_i\;a = (a \in A_i)\) and \(g_i\;a = \textsf {True}\). Then,

[figure d: equational derivation; figure not reproduced]

Therefore, \(\forall a \in \textsf {set}_{F,i}\;x.\;f_i\;a\), i.e., \(\textsf {set}_{F,i}\;x \subseteq A_i\).    \(\square \)

Equations (4) and (5) reduce the setters \(\textsf {set}_{F,i}\) of a BNF to its mapper \(\textsf {map}_F\). In the next section, we will use this characterization to derive a definition of \(\textsf {set}_{Q,i}\) in terms of \(\textsf {set}_{F,i}\). Yet, this definition does not give us naturality out of the box.
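
Equations (4) and (5) can be exercised on the list BNF over a finite universe. The following Python script is an added example (not from the paper): it implements \({\fbox {F}}\) via (5) using only the mapper, quantifying over all functions from a three-element universe to itself (this suffices because two such functions can disagree outside \(A\) whenever the universe has at least two elements), recovers \(\textsf {set}\) via (4) as an intersection, and checks that the result coincides with the actual element set and that \({\fbox {F}}\;A = \{x \mid \textsf {set}\;x \subseteq A\}\). The universe and the length bound are assumptions of the example.

```python
from itertools import product

# Constructed finite-model check of equations (5) and (4) for the list
# functor: recover set_F from map_F alone.  Added example, not code from
# the paper.

def lmap(f, xs):                     # map with f given as a dict
    return tuple(f[a] for a in xs)

def lists(universe, max_len):
    return [tuple(t) for n in range(max_len + 1) for t in product(universe, repeat=n)]

def functions(dom, cod):             # all total functions dom -> cod
    dom = tuple(dom)
    return [dict(zip(dom, img)) for img in product(cod, repeat=len(dom))]

def subsets(universe):
    u = tuple(universe)
    return [frozenset(a for a, keep in zip(u, bits) if keep)
            for bits in product([False, True], repeat=len(u))]

def actions(universe, max_len):
    # Equation (5): x is in F(A) iff map f x = map g x for all f, g that agree
    # on A.  The codomain is the universe itself, which is enough to tell atoms
    # outside A apart as long as the universe has at least two elements.
    fs = functions(universe, universe)
    xs_all = lists(universe, max_len)
    acts = {}
    for A in subsets(universe):
        agree = [(f, g) for f, g in product(fs, repeat=2)
                 if all(f[a] == g[a] for a in A)]
        acts[A] = frozenset(xs for xs in xs_all
                            if all(lmap(f, xs) == lmap(g, xs) for f, g in agree))
    return acts

def setter(xs, acts):
    # Equation (4): set x is the smallest A with x in F(A), i.e. the
    # intersection of all such A (the universe itself always qualifies).
    return frozenset.intersection(*(A for A, FA in acts.items() if xs in FA))

def check(universe=(0, 1, 2), max_len=2):
    acts = actions(universe, max_len)
    xs_all = lists(universe, max_len)
    for xs in xs_all:
        assert setter(xs, acts) == frozenset(xs)          # derived set = actual set
    for A, FA in acts.items():                            # F(A) = {x | set x <= A}
        assert FA == frozenset(xs for xs in xs_all if frozenset(xs) <= A)
    return True
```

Note that the derived setter is computed without ever inspecting list elements directly; only `lmap` is used, which is exactly what makes the same construction available on a quotient whose mapper is known.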

Example 3

([2, Example 4.2, part iii]). Consider the functor \(\alpha \;F_{ae} = \textit{nat} \rightarrow \alpha \) of infinite sequences with \(x \sim _{ae} y\) whenever \(\{n \mid x\; n \ne y\; n\}\) is finite. That is, two sequences are equivalent iff they are equal almost everywhere. Conditions (1) and (2) hold, but not the naturality for the corresponding \(\textsf {map}_Q\) and \(\textsf {set}_Q\).    \(\diamondsuit \)

Gumm [16] showed that \(\textsf {set}_F\) as defined in terms of (4) and (5) is a natural transformation iff \({\fbox {F}}\) preserves wide intersections and preimages, i.e.,

$$\begin{aligned} {\fbox {F}}\;\overline{(\bigcap \mathscr {A})} = \bigcap \{{\fbox {F}}\; \overline{A} \mid \forall i.\; A_i \in \mathscr {A}_i\} \end{aligned}$$
(6)
$$\begin{aligned} {\fbox {F}}\;\overline{(f^{-1}\langle A\rangle )} = (\textsf {map}_F\ \overline{f})^{-1}\langle {\fbox {F}}\;\overline{A}\rangle \end{aligned}$$
(7)

where \(f^{-1}\langle A\rangle = \{ x \mid f\ x \in A \}\) denotes the preimage of A under f. Then, \({\fbox {F}}\;\overline{A} = \{ x \mid \forall i.\;\textsf {set}_{F,i}\;x \subseteq A_i\}\) holds. The quotient in Example 3 does not preserve wide intersections.

In theory, we have now everything we need to define the BNF operations on the quotient \(\overline{\alpha }\;Q = \overline{\alpha }\;F / {\sim }\): Define \(\textsf {map}_Q\) as the lifting of \(\textsf {map}_F\). Define \({\fbox {Q}}\) and \(\textsf {set}_{Q,i}\) using (5) and (4) in terms of \(\textsf {map}_Q\), and the relator via in_rel. Prove that \({\fbox {Q}}\) preserves preimages and wide intersections. Prove that \(\textsf {rel}_Q\) satisfies subdistributivity (rel_comp).

Unfortunately, the definitions and the preservation conditions are phrased in terms of Q, not in terms of F and \({\sim }\). It is therefore unclear how \(\textsf {set}_{Q,i}\) and \(\textsf {rel}_Q\) relate to \(\textsf {set}_{F,i}\) and \(\textsf {rel}_F\). In practice, understanding this relationship is important: we want to express the BNF operations and discharge the proof obligations in terms of F’s operations and later use the connection to transfer properties from \(\textsf {set}_F\) and \(\textsf {rel}_F\) to \(\textsf {set}_Q\) and \(\textsf {rel}_Q\). We will work out the precise relationships for the setters in Sect. 3.2 and for the relator in Sect. 3.3.

3.2 The Quotient’s Setter

We relate Q’s setters to F’s operations and \({\sim }\). We first look at \({\fbox {Q}}\), which characterizes \(\textsf {set}_{Q,i}\) via (4). Let \([x]_\sim = \{y \mid x \sim y\}\) denote the equivalence class that \(x {:}{:}\overline{\alpha }\;F\) belongs to, and \([A]_\sim = \{ [x]_\sim \mid x \in A\}\) denote the equivalence classes of elements in A. We identify the values of \(\overline{\alpha }\;Q\) with \(\overline{\alpha }\;F\)’s equivalence classes. Then, it follows using (1), (2), and (5) that where

(8)

Equation (8) differs from (5) only in that the equality in \(\textsf {map}_F\;\overline{f}\;x = \textsf {map}_F\;\overline{g}\;x\) is replaced by \({\sim }\). Clearly . The converse does not hold in general, as shown next.

Example 2 (continued)

For the example viewing \(\mathsf {1}+ \alpha \) as a quotient of \(\alpha \;F_P = {\alpha + \alpha }\) via \({\sim _P}\), we have because \(\textsf {map}_{F_P}\;f\;(\textsf {Inl}\;x) = \textsf {Inl}\;(f\;x) \sim _P \textsf {Inl}\;(g\;x) = \textsf {map}_{F_P}\;g\;(\textsf {Inl}\;x)\) for all f and g. Yet, is empty, and so is .    \(\diamondsuit \)

This problematic behavior occurs only for empty sets \(A_i\). To avoid it, we change types: Instead of \(\overline{\alpha }\;F / {\sim }\), we consider the quotient \(\overline{(\mathsf {1}+ \alpha )}\;F / {\sim }\), where \(\mathsf {1}+ \alpha _i\) adds a new atom to the atoms of type \(\alpha _i\). We write \(\mathfrak {e}{:}{:}\alpha \rightarrow \mathsf {1}+ \alpha \) for the embedding of \(\alpha \) into \(\mathsf {1}+ \alpha \) (i.e., \(\mathfrak {e}= \textsf {Inr}\)). Then, we have the following equivalence:

Lemma 1

.

Proof

From left to right: Let and set \(f_i\;y = \mathfrak {e}\;y\) for \(y \in A_i\) and for \(y \notin A_i\). Then, \(\textsf {set}_{F,i}\;(\textsf {map}_F\;\overline{f}\;x) = f_i\langle \textsf {set}_{F,i}\;x\rangle \) by the naturality of \(\textsf {set}_{F,i}\) and by \(f_i\)’s definition for any B. Hence as \({\fbox {F}}\;\overline{A} = \{ x \mid \forall i.\;\textsf {set}_{F,i}\; x \subseteq A_i \}\) by the BNF properties. So, because \(\textsf {map}_F\;\overline{\mathfrak {e}}\;x \sim \textsf {map}\;\overline{f}\;x\) by (8) and .

From right to left: Let x such that \(\textsf {map}_F\;\overline{\mathfrak {e}}\;x \sim y\) for some . Let \(\overline{f}\) and \(\overline{g}\) such that \(f_i\;a = g_i\;a\) for all \(a \in A_i\) and all i. Then, \(\textsf {map}_F\;\overline{f}\;x \sim \textsf {map}_F\;\overline{g}\;x\) holds by the following reasoning, where \(\mathfrak {e}^{-1}\) denotes the left-inverse of \(\mathfrak {e}\) and \(\textsf {map}_{\mathsf {1}+{}}\;h\) satisfies \(\textsf {map}_{\mathsf {1}+{}}\;h\;(\mathfrak {e}\;a) = \mathfrak {e}\;(h\;a)\) and :

[figure e: equational derivation; figure not reproduced]

Lemma 1 allows us to express the conditions (6) and (7) on \({\fbox {Q}}\) in terms of \({\sim }\) and \({\fbox {F}}\). For wide intersections, the condition is as follows (the other inclusion holds trivially):

$$\begin{aligned} \forall i.\;\mathscr {A}_i \ne \{\} \wedge (\bigcap \mathscr {A}_i \ne \{\}) {\implies } \bigcap \{[{\fbox {F}}\;\overline{A}]_\sim \mid \forall i.\;A_i \in \mathscr {A}_i\} \subseteq \left[ \bigcap \{{\fbox {F}}\;\overline{A} \mid \forall i.\;A_i \in \mathscr {A}_i\}\right] _\sim \end{aligned}$$
(9)

The conclusion is as expected: for sets of the form \({\fbox {F}}\;\overline{A}\), taking equivalence classes preserves wide intersections. The assumption is the interesting part: preservation is needed only for non-empty intersections. Non-emptiness suffices because Lemma 1 relates to and all intersections of interest therefore contain . (The condition does not explicitly mention because Lemma 1 holds for any element that is not in A.)

Condition (9) is satisfied trivially for equivalence relations that preserve \(\textsf {set}_{F,i}\), i.e., satisfy (3). Examples include permutative structures like finite sets and cyclic lists.

Lemma 2

Suppose that \({\sim }\) satisfies (3). Then, \([{\fbox {F}}\;\overline{A}]_\sim = {\fbox {F}}\;\overline{A}\) and condition (9) holds.

In contrast, the non-emptiness assumption is crucial for quotients that identify values with different sets of atoms, such as Example 2. In general, such quotients do not preserve empty intersections (Sect. 5).

We can factor condition (9) into a separate property for each type argument i:

$$\begin{aligned} \mathscr {A}_i \ne \{\} \wedge (\bigcap \mathscr {A}_i \ne \{\}) {\implies } \bigcap \nolimits _{A \in \mathscr {A}_i} [\{x \mid \textsf {set}_{F,i}\;x \subseteq A\}]_\sim \subseteq \left[ \{x \mid \textsf {set}_{F,i}\;x \subseteq \bigcap \mathscr {A}_i\}\right] _\sim \end{aligned}$$
(10)

This form is used in our implementation (Sect. 4). It is arguably more natural to prove for a concrete functor F because each property focuses on a single setter.

Lemma 3

Suppose that \({\sim }\) satisfies (1) and (2). Then, (9) holds iff (10) holds for all i.

Preservation of preimages amounts to the following unsurprising condition:

$$\begin{aligned} \forall i.\;f_i^{-1}\langle A_i\rangle \ne \{\} \implies (\textsf {map}_F\;\overline{f})^{-1}\left\langle \bigcup [{\fbox {F}}\;\overline{A}]_\sim \right\rangle \subseteq \bigcup \left[ (\textsf {map}_F\;\overline{f})^{-1}\langle {\fbox {F}}\;\overline{A}\rangle \right] _\sim \end{aligned}$$
(11)

As for wide intersections, taking equivalence classes must preserve non-empty preimages (the inclusion from right to left holds trivially). Again, non-emptiness comes from being contained in all sets of interest. We do not elaborate on preimage preservation any further as it follows from subdistributivity, which we will look at in the next subsection.

Under conditions (9) and (11), we obtain the following characterization for \(\textsf {set}_Q\):

Theorem 1 (Setter characterization)

\(\textsf {set}_{Q,i}\,[x]_\sim = \bigcap _{y \in [\textsf {map}_F\,\overline{\mathfrak {e}}\,x]_\sim } \{a \mid \mathfrak {e}\,a \in \textsf {set}_{F,i}\,y\}\).
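
Example 2 and Theorem 1 can be checked on a finite model. The following Python script is an added example (not from the paper and not Isabelle/HOL code) that encodes \(\alpha \;F_P = \alpha + \alpha \) with \({\sim _P}\) over a small universe. It shows that obligation (3) fails for the naive setter, that taking equivalence classes of \({\fbox {F_P}}\;\overline{A}\) preserves every non-empty intersection but not the empty one (the unsoundness discussed above), and that the setter of Theorem 1, evaluated over \(\mathsf {1}+ \alpha \), yields \(\{\}\) for \([\textsf {Inl}\;x]_{\sim _P}\) and \(\{y\}\) for \([\textsf {Inr}\;y]_{\sim _P}\). The tuple encodings (`('L', a)`, `('R', a)`, `NEW`, `emb`) and the universe are assumptions of the example.

```python
from itertools import product

# Constructed finite model of Example 2: alpha F_P = alpha + alpha, with ~_P
# identifying all Inl values.  Values are tuples ('L', a) / ('R', a); the
# extra atom of 1 + alpha is NEW and the embedding e is emb.  These encodings
# are assumptions of this example, not definitions from the paper.

NEW = ('new',)

def emb(a):                         # e :: alpha -> 1 + alpha  (i.e. Inr)
    return ('e', a)

def fmap(f, x):                     # map_{F_P}
    return (x[0], f(x[1]))

def fset(x):                        # set_{F_P}
    return frozenset([x[1]])

def fvalues(U):                     # all values of U F_P
    return [(tag, a) for tag in 'LR' for a in U]

def cls(x, U):                      # [x]_{~_P} over the universe U
    return frozenset(('L', w) for w in U) if x[0] == 'L' else frozenset([x])

def subsets(U):
    u = tuple(U)
    return [frozenset(a for a, keep in zip(u, bits) if keep)
            for bits in product([False, True], repeat=len(u))]

def naive_setter_is_respectful(U):
    # proof obligation (3): x ~_P y must imply set_{F_P} x = set_{F_P} y
    return all(fset(x) == fset(y) for x in fvalues(U) for y in cls(x, U))

def lifted_action(A, U):
    # [F_P A]_~ : the equivalence classes of the values whose atoms lie in A
    return frozenset(cls(x, U) for x in fvalues(U) if fset(x) <= A)

def preserves_intersection(family, U):
    # does taking classes commute with intersecting the family?
    lhs = frozenset.intersection(*(lifted_action(A, U) for A in family))
    return lhs <= lifted_action(frozenset.intersection(*family), U)

def check_intersections(U=(0, 1, 2)):
    # The singletons have an empty intersection: every [F_P {w}]_~ contains
    # the class of the Inl values, but [F_P {}]_~ is empty.
    empty_case = preserves_intersection([frozenset([w]) for w in U], U)
    # Every family with a non-empty intersection is preserved, as (10) requires.
    subs = subsets(U)
    families = [[A for A, keep in zip(subs, bits) if keep]
                for bits in product([False, True], repeat=len(subs))]
    nonempty_cases = all(preserves_intersection(fam, U) for fam in families
                         if fam and frozenset.intersection(*fam))
    return empty_case, nonempty_cases

def setter_q(x, U):
    # Theorem 1: set_Q [x] = intersection over y ~ map_F e x of {a | e a in set_F y},
    # evaluated over the universe 1 + U, which contains the new atom NEW.
    U1 = [NEW] + [emb(a) for a in U]
    return frozenset.intersection(
        *(frozenset(a for a in U if emb(a) in fset(y))
          for y in cls(fmap(emb, x), U1)))

def setter_q_is_well_defined(U):
    # x ~_P y implies set_Q [x] = set_Q [y], so set_Q is a function on classes
    return all(setter_q(x, U) == setter_q(y, U) for x in fvalues(U) for y in cls(x, U))
```

The decisive step is the universe `U1`: the class of \(\textsf {map}_F\;\overline{\mathfrak {e}}\;(\textsf {Inl}\;x)\) contains \(\textsf {Inl}\) applied to the new atom, whose atom set contributes nothing of the form \(\mathfrak {e}\;a\), so the intersection collapses to \(\{\}\) regardless of how large the universe is.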

3.3 The Quotient’s Relator

In the previous section, we have shown that it is not a good idea to naively lift the setter and a more general construction is needed. We now show that the same holds for the relator. The following straightforward definition

\(\texttt {lift\_definition}\;\textsf {rel}_Q {:}{:}\overline{(\alpha \otimes \beta )} \rightarrow \overline{\alpha }\;Q \otimes \overline{\beta }\;Q\; \texttt {is}\; \textsf {rel}_F\)

relates two equivalence classes \([x]_\sim \) and \([y]_\sim \) iff there are representatives \(x' \in [x]_\sim \) and \(y' \in [y]_\sim \) such that \((x', y') \in \textsf {rel}_F\;\overline{R}\). This relator does not satisfy in_rel.

Example 2 (continued)

By the lifted definition, \(([\textsf {Inl}\;x]_{\sim _P},[ \textsf {Inl}\;y]_{\sim _P}) \notin \textsf {rel}_{Q_P}\;\{\}\) because there are no \((x', y')\) in the empty relation \(\{\}\) that could be used to relate using \(\textsf {rel}_{F_P}\) the representatives \(\textsf {Inl}\;x'\) and \(\textsf {Inl}\;y'\). However, the witness \(z = [\textsf {Inl}\;(x, y)]_{\sim _P}\) satisfies the right-hand side of in_rel as \({\fbox {Q}}\;\{\} = \{[\textsf {Inl}\;\_]_{\sim _P}\}\).    \(\diamondsuit \)

So what is the relationship between \(\textsf {rel}_Q\) and \(\textsf {rel}_F\) and under what conditions does the subdistributivity property rel_comp hold? Like for the setter, we avoid the problematic case of empty relations by switching to \(\mathsf {1}+ \alpha \). The relator \(\textsf {rel}_{\mathsf {1}+{}}\) adds the pair to every relation R and thereby ensures that all relations and their compositions are non-empty. Accordingly, we obtain the following characterization:

Theorem 2 (Relator characterization)

$$\begin{aligned} ([x]_\sim , [y]_\sim ) \in \textsf {rel}_Q\;\overline{R} \longleftrightarrow (\textsf {map}_F\;\overline{\mathfrak {e}}\;x, \textsf {map}_F\;\overline{\mathfrak {e}}\;y) \in ({\sim } \mathbin {\bullet }\textsf {rel}_F\;\overline{(\textsf {rel}_{\mathsf {1}+{}}\;R)} \mathbin {\bullet }{\sim }) \end{aligned}$$

Moreover, the following condition on \({\sim }\) characterizes when \(\textsf {rel}_Q\) satisfies rel_comp. Again, the non-emptiness assumptions for \(R_i \mathbin {\bullet }S_i\) come from \(\textsf {rel}_{\mathsf {1}+{}}\) extending any relation R with the pair .

$$\begin{aligned} (\forall i.\; R_i \mathbin {\bullet }S_i \ne \{\}) \implies \textsf {rel}_F\;\overline{R} \mathbin {\bullet }{\sim } \mathbin {\bullet }\textsf {rel}_F\;\overline{S} \subseteq {\sim } \mathbin {\bullet }\textsf {rel}_F\;\overline{(R \mathbin {\bullet }S)} \mathbin {\bullet }{\sim } \end{aligned}$$
(12)

It turns out that this condition implies the respectfulness of the mapper (2). Intuitively, the relator is a generalization of the mapper. Furthermore, it is well known that subdistributivity implies preimage preservation [17]. Since our conditions on \({\sim }\) characterize these preservation properties, it is no surprise that the latter implication carries over.

Lemma 4

Condition (12) implies respectfulness (2) and preimage preservation (11).

In summary, we obtain the following main preservation theorem:

Theorem 3

The quotient \(\overline{\alpha }\;Q = \overline{\alpha }\;F / {\sim }\) inherits the structure from the BNF \(\overline{\alpha }\;F\) with the mapper \(\textsf {map}_Q\;\overline{f}\;[x]_\sim = [\textsf {map}_F\;\overline{f}\;x]_\sim \) if \({\sim }\) satisfies the conditions (1), (9), and (12). The setters and relator are given by Theorems 1 and 2, respectively.

Example 4

A terminated coinductive list \((\alpha ,\beta )\;\textit{tllist}\) is either a finite list of \(\alpha \) values terminated by a single \(\beta \) value, or an infinite list of \(\alpha \) values. Such lists can be seen as a quotient of pairs \(\alpha \;\textit{llist} \times \beta \), where the first component stores the possibly infinite list given by a codatatype \(\textit{llist}\) and the second component stores the terminator. The equivalence relation identifies all pairs with the same infinite list in the first component, effectively removing the terminator from infinite lists. Let \(( xs ,b) \sim _{\textit{tllist}} ( ys ,c)\) iff \( xs = ys \) and, if \( xs \) is finite, \(b = c\). Like \({\sim _P}\) from Example 2, \({\sim _{\textit{tllist}}}\) does not satisfy the naive condition (3).

\(\texttt {codatatype }\alpha \;\textit{llist} = \textsf {LNil} \mid \textsf {LCons}\;\alpha \;(\alpha \;\textit{llist})\)

\(\texttt {quotient\_type }(\alpha ,\beta )\;\textit{tllist} = (\alpha \;\textit{llist} \times \beta ) / {\sim _{\textit{tllist}}}\)

Our goal is the construction of (co)datatypes with recursion through quotients such as \((\alpha ,\beta )\;\textit{tllist}\). As a realistic example, consider an inductive model of a finite interactive system that produces a possibly unbounded sequence of outputs \(\textit{out}\) for every input \(\textit{in}\):

\(\texttt {datatype }\textit{system} = \textsf {Step}\;(\textit{in} \rightarrow (\textit{out}, \textit{system})\;\textit{tllist})\)

This datatype declaration is only possible if \(\textit{tllist}\) is a BNF in \(\beta \). Previously, this had to be shown by manually defining the mapper and setters and proving the BNF properties. Theorem 3 identifies the conditions under which \(\textit{tllist}\) inherits the BNF structure of its underlying type, and it allows us to automate these definitions and proofs. For \(\textit{tllist}\), the conditions can be discharged easily using automatic proof methods and a simple lemma about \(\textit{llist}\)’s relator (stating that related lists are either both finite or both infinite).    \(\diamondsuit \)

3.4 Subdistributivity via Confluent Relations

Among the BNF properties, subdistributivity (rel_comp) is typically the hardest to show. For example, distinct lists, type \(\alpha \;\textit{dlist}\), have been shown to be a BNF. The manual proof requires 126 lines. Of these, the subdistributivity proof takes about 100 lines. Yet, with the theory developed so far, essentially the same argument is needed for the subdistributivity condition (12). We now present a sufficient criterion for subdistributivity that simplifies such proofs. For \(\textit{dlist}\), this shortens the subdistributivity proof to 58 lines. With our lift_bnf command (Sect. 4), the whole proof is now 64 lines, half of the manual proof.

Equivalence relations are often (or can be) expressed as the equivalence closure of a rewrite relation \({\rightsquigarrow }\). For example, the subdistributivity proof for distinct lists views \(\alpha \;\textit{dlist}\) as the quotient \(\alpha \;\textit{list} / {\sim _{\textit{dlist}}}\) with \( xs \sim _{\textit{dlist}} ys \) iff \(\textsf {remdups}\; xs = \textsf {remdups}\; ys \), where \(\textsf {remdups}\; xs \) keeps only the last occurrence of every element in \( xs \). So, \({\sim _{\textit{dlist}}}\) is the equivalence closure of the following relation \({\rightsquigarrow _{\textit{dlist}}}\), where \({\mathbin {\cdot }}\) concatenates two lists:

$$\begin{aligned} xs \mathbin {\cdot }[x] \mathbin {\cdot } ys \rightsquigarrow _{\textit{dlist}} xs \mathbin {\cdot } ys \text { if } x \in \textsf {set}\; ys \end{aligned}$$

We use the following notation: \({\leftsquigarrow }\) denotes the reverse relation, i.e., \(x \leftsquigarrow y\) iff \(y \rightsquigarrow x\). Further, \({\overset{*}{\rightsquigarrow }}\) denotes the reflexive and transitive closure, and \({\overset{*}{\leftrightsquigarrow }}\) the equivalence closure. A relation \({\rightsquigarrow }\) is confluent iff whenever \(x \overset{*}{\rightsquigarrow } y\) and \(x \overset{*}{\rightsquigarrow } z\), then there exists a u such that \(y \overset{*}{\rightsquigarrow } u\) and \(z \overset{*}{\rightsquigarrow } u\), or, equivalently in pointfree style, if \((\overset{*}{\leftsquigarrow } \mathbin {\bullet }\overset{*}{\rightsquigarrow }) \subseteq (\overset{*}{\rightsquigarrow } \mathbin {\bullet }\overset{*}{\leftsquigarrow })\).

Fig. 1. Proof diagram for Theorem 4

Theorem 4 (Subdistributivity via confluent relations)

Let an equivalence relation \({\sim }\) satisfy (2) and (3). Then, it also satisfies (9) and (12) if there is a confluent relation \({\rightsquigarrow }\) with the following properties:

(i) The equivalence relation is contained in \({\rightsquigarrow }\)’s equivalence closure: \((\sim ) \subseteq (\overset{*}{\leftrightsquigarrow })\).

(ii) The relation factors through projections: If \(\textsf {map}_F\;\overline{\textsf {fst}}\;x \rightsquigarrow y\) then there exists a \(y'\) such that \(y = \textsf {map}_F\;\overline{\textsf {fst}}\;y'\) and \(x \sim y'\), and similarly for \(\textsf {snd}\).

Proof

The wide intersection condition (9) follows from (3) by Lemma 2. The proof for the subdistributivity condition (12) is illustrated in Fig. 1. The proof starts at the top with \((x, z) \in (\textsf {rel}_F\;\overline{R} \mathbin {\bullet }{\sim } \mathbin {\bullet }\textsf {rel}_F\;\overline{S})\), i.e., there are y and \(y'\) such that \((x, y) \in \textsf {rel}_F\;\overline{R}\) and \(y \sim y'\) and \((y', z) \in \textsf {rel}_F\;\overline{S}\). We show \((x, z) \in ({\sim } \mathbin {\bullet }\textsf {rel}_F\;\overline{(R \mathbin {\bullet }S)} \mathbin {\bullet }{\sim })\) by establishing the path from x to z via \(x'\) and \(z'\) along the three other borders of the diagram.

First, by in_rel, there is a \(u \in {\fbox {F}}\;\overline{R}\) such that \(x = \textsf {map}_F\;\overline{\textsf {fst}}\;u\) and \(y = \textsf {map}_F\;\overline{\textsf {snd}}\;u\). Similarly, \(\textsf {rel}_F\;\overline{S}\;y'\;z\) yields a v with the corresponding properties.

Second, by (i), \(y \sim y'\) implies \(y \overset{*}{\leftrightsquigarrow } y'\). Since \({\rightsquigarrow }\) is confluent, there exists a w such that \(y \overset{*}{\rightsquigarrow } w\) and \(y' \overset{*}{\rightsquigarrow } w\). By induction on \({\overset{*}{\rightsquigarrow }}\) using (ii), \(y \overset{*}{\rightsquigarrow } w\) factors through the projection \(y = \textsf {map}_F\;\overline{\textsf {snd}}\;u\) and we obtain a \(u'\) such that \(u \sim u'\) and \(w = \textsf {map}_F\;\overline{\textsf {snd}}\;u'\). Analogously, we obtain \(v'\) corresponding to \(y'\) and v. Set \(x' = \textsf {map}_F\;\overline{\textsf {fst}}\;u'\) and \(z' = \textsf {map}_F\;\overline{\textsf {snd}}\;v'\). As \(\textsf {map}_F\) preserves \({\sim }\) by (2), we have \(x \sim x'\) and \(z \sim z'\).

Next, we focus on the two triangles at the bottom. By Lemma 2 and (3), \(u \sim u'\) and \(u \in {\fbox {F}}\;\overline{R}\) imply \(u' \in {\fbox {F}}\;\overline{R}\); similarly \(v' \in {\fbox {F}}\;\overline{S}\). Now, \(u'\) and \(v'\) are the witnesses to the existential in in_rel for \(x'\) and w, and w and \(z'\), respectively. So \((x', w) \in \textsf {rel}_F\;\overline{R}\) and \((w, z') \in \textsf {rel}_F\;\overline{S}\), i.e., \((x', z') \in (\textsf {rel}_F\;\overline{R} \mathbin {\bullet }\textsf {rel}_F\;\overline{S})\). Finally, as F is a BNF, \((x', z') \in \textsf {rel}_F\;\overline{(R \mathbin {\bullet }S)}\) follows with subdistributivity rel_comp.    \(\square \)

Example 5

For distinct lists, we have \((\sim _{\textit{dlist}}) = (\overset{*}{\leftrightsquigarrow }_{\textit{dlist}})\) and \({\rightsquigarrow _{\textit{dlist}}}\) is confluent. Yet, condition (ii) of Theorem 4 does not hold. For example, for \(x = [(1, a), (1, b)]\), we have \(\textsf {map}_{\textit{list}}\;\textsf {fst}\;x = [1, 1] \rightsquigarrow _{\textit{dlist}} [1]\). However, there is no y such that \(x \sim _{\textit{dlist}} y\) and \(\textsf {map}_{\textit{list}}\;\textsf {fst}\;y = [1]\). The problem is that the projection \(\textsf {map}_{\textit{list}}\;\textsf {fst}\) makes different atoms of x equal and \({\rightsquigarrow _{\textit{dlist}}}\) removes equal atoms, but the removal cannot be mimicked on x itself. Fortunately, we can also add equal atoms instead of removing them. Define \({\rightsquigarrow '_{\textit{dlist}}}\) by

$$\begin{aligned} xs \mathbin {\cdot } ys \rightsquigarrow '_{\textit{dlist}} xs \mathbin {\cdot }[x] \mathbin {\cdot } ys \text { if } x \in \textsf {set}\; ys \end{aligned}$$

Then, \({\rightsquigarrow '_{\textit{dlist}}}\) is confluent and factors through projections. So distinct lists inherit the BNF structure from lists by Theorem 4.    \(\diamondsuit \)
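The two orientations of the distinct-list rewrite relation from Example 5, as an added Python illustration (not the paper's Isabelle formalization): remdups and \(\sim _{\textit{dlist}}\), the one-step relations \({\rightsquigarrow _{\textit{dlist}}}\) and \({\rightsquigarrow '_{\textit{dlist}}}\), and a brute-force check of condition (ii) of Theorem 4 for the projection \(\textsf {fst}\) on the counterexample \(x = [(1, a), (1, b)]\). Function names and the representation of atoms as Python pairs are this example's own choices.

```python
"""Distinct lists as the quotient list / ~_dlist (Example 5).

Added illustration in Python, not the paper's Isabelle formalization.  It
implements remdups and the two orientations of the rewrite relation, and
checks condition (ii) of Theorem 4 ("factors through projections") by brute
force on the counterexample from Example 5.  Atoms are pairs (fst, snd)."""
from itertools import product


def remdups(xs):
    """Keep only the last occurrence of every element, as in the paper."""
    return [x for i, x in enumerate(xs) if x not in xs[i + 1:]]


def equiv_dlist(xs, ys):
    """xs ~_dlist ys  iff  remdups xs = remdups ys."""
    return remdups(xs) == remdups(ys)


def step_dlist(xs):
    """One-step successors under the original orientation: drop an
    occurrence of x that reappears later, i.e. xs·[x]·ys ~> xs·ys if x in ys."""
    return {tuple(xs[:i] + xs[i + 1:])
            for i, x in enumerate(xs) if x in xs[i + 1:]}


def step_dlist_prime(xs):
    """One-step successors under the reversed orientation: insert a copy of
    some x that occurs in the suffix, i.e. xs·ys ~>' xs·[x]·ys if x in ys."""
    return {tuple(xs[:i] + [x] + xs[i:])
            for i in range(len(xs) + 1) for x in set(xs[i:])}


def project_fst(pairs):
    """map_list fst on a list of (fst, snd) atoms."""
    return [a for a, _ in pairs]


def factoring_witnesses(x, step):
    """Condition (ii) of Theorem 4 for fst on one concrete x: for every y with
    map fst x ~> y, look for y' with map fst y' = y and x ~_dlist y'.

    x ~_dlist y' forces set y' = set x, so enumerating all lists of the
    right length over the atoms of x is exhaustive.  Returns {y: y' or None}."""
    atoms = list(dict.fromkeys(x))      # atoms of x, in order of first occurrence
    result = {}
    for y in step(project_fst(x)):
        result[y] = None
        for cand in product(atoms, repeat=len(y)):
            cand = list(cand)
            if project_fst(cand) == list(y) and equiv_dlist(x, cand):
                result[y] = cand
                break
    return result


def steps_preserve_equiv(xs, step):
    """Sanity check: every one-step successor is ~_dlist-equivalent to xs."""
    return all(equiv_dlist(xs, list(y)) for y in step(xs))


if __name__ == "__main__":
    x = [(1, "a"), (1, "b")]                          # counterexample of Example 5
    print(factoring_witnesses(x, step_dlist))         # {(1,): None}: (ii) fails
    print(factoring_witnesses(x, step_dlist_prime))   # a witness y' is found
```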

Example 6

The free monoid over atoms \(\alpha \) consists of all finite lists \(\alpha \;\textit{list}\). The free idempotent monoid \(\alpha \;\textit{fim}\) is then the quotient \(\alpha \;\textit{list} / {\sim _{\textit{fim}}}\) where \({\sim _{\textit{fim}}}\) is the equivalence closure of the idempotence law for list concatenation

$$\begin{aligned} xs \mathbin {\cdot } ys \mathbin {\cdot } zs \rightsquigarrow _{\textit{fim}} xs \mathbin {\cdot } ys \mathbin {\cdot } ys \mathbin {\cdot } zs \end{aligned}$$

We have oriented the rule such that it introduces rather than removes the duplication. In term rewriting, the rule is typically oriented in the other direction [20] such that the resulting rewriting system terminates; however, this classical relation \({\leftsquigarrow _{\textit{fim}}}\) is not confluent: \( ababcbabc \) has two normal forms \(a\underline{babcbabc} \leftsquigarrow _{\textit{fim}} \underline{abab}c \leftsquigarrow _{\textit{fim}} abc \) and \(\underline{abab}cbabc \leftsquigarrow _{\textit{fim}} abcbabc \) (redexes are underlined). In contrast, our orientation yields a confluent relation \({\rightsquigarrow _{\textit{fim}}}\), although the formal proof requires some effort. The relation also factors through projections. So by Theorem 4, the free idempotent monoid \(\alpha \;\textit{fim}\) is also a BNF.    \(\diamondsuit \)
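The two orientations of the idempotence rule from Example 6, as an added Python illustration (not the paper's formalization): the contracting orientation reaches the two distinct normal forms of \( ababcbabc \) by exhaustive rewriting, while for the paper's expanding orientation a length-bounded search finds a common reduct of those two words. Function names and the length bound are this example's own choices.

```python
"""The free idempotent monoid (Example 6): the two orientations of the
idempotence rule xs·ys·zs <-> xs·ys·ys·zs on words over an alphabet.

Added illustration in Python, not the paper's formalization.  It shows that
the classical contracting orientation is not confluent (ababcbabc has two
normal forms) and that the paper's expanding orientation joins that peak."""


def contract_steps(w):
    """One-step successors under the classical orientation: delete one
    square, i.e. xs·ys·ys·zs -> xs·ys·zs for a non-empty factor ys."""
    res = set()
    n = len(w)
    for i in range(n):
        for k in range(1, (n - i) // 2 + 1):
            if w[i:i + k] == w[i + k:i + 2 * k]:
                res.add(w[:i + k] + w[i + 2 * k:])
    return res


def normal_forms(w):
    """All normal forms reachable by contraction.  Terminates because every
    step shortens the word; more than one result witnesses non-confluence."""
    seen, todo, nfs = set(), [w], set()
    while todo:
        u = todo.pop()
        if u in seen:
            continue
        seen.add(u)
        succ = contract_steps(u)
        if succ:
            todo.extend(succ)
        else:
            nfs.add(u)
    return nfs


def expand_steps(w):
    """One-step successors under the paper's orientation ~>_fim: duplicate a
    non-empty factor ys, i.e. xs·ys·zs ~> xs·ys·ys·zs."""
    n = len(w)
    return {w[:j] + w[i:j] + w[j:] for i in range(n) for j in range(i + 1, n + 1)}


def expansions_up_to(w, max_len):
    """Words reachable from w by ~>_fim* without exceeding max_len characters.
    ~>_fim never terminates, so the search must be length-bounded."""
    seen, todo = set(), [w]
    while todo:
        u = todo.pop()
        if u in seen or len(u) > max_len:
            continue
        seen.add(u)
        todo.extend(expand_steps(u))
    return seen


def common_expansions(u, v, max_len):
    """Common ~>_fim*-reducts of u and v within the length bound.  A non-empty
    result shows that the peak between u and v is joinable."""
    return expansions_up_to(u, max_len) & expansions_up_to(v, max_len)


if __name__ == "__main__":
    print(normal_forms("ababcbabc"))                 # {'abc', 'abcbabc'}
    print("ababcbabc" in common_expansions("abc", "abcbabc", 9))   # True
```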

Example 7

A cyclic list is a finite list where the two ends are glued together. Abbott et al. [1] define the type of cyclic lists as the quotient that identifies lists whose elements have been shifted. Let \({\rightsquigarrow _{\textit{rotate}}}\) denote the one-step rotation of a list, i.e.,

$$\begin{aligned}{}[] \rightsquigarrow _{\textit{rotate}} [] \qquad \qquad [x] \mathbin {\cdot } xs \rightsquigarrow _{\textit{rotate}} xs \mathbin {\cdot }[x] \end{aligned}$$

The quotient \(\alpha \;\textit{cyclist} = \alpha \;\textit{list} / {\overset{*}{\leftrightsquigarrow }_{\textit{rotate}}}\) is a BNF as \({\rightsquigarrow _{\textit{rotate}}}\) satisfies the conditions of Theorem 4.    \(\diamondsuit \)

Example 1 (continued)

We prove the fact that \(\alpha \;\textit{re}_\textit{aci}\) is a BNF using Theorem 4. The confluent rewrite relation \({\rightsquigarrow _\textit{aci}}\) that satisfies the conditions of Theorem 4 and whose equivalence closure is \({\sim _{\textit{aci}}}\) is defined inductively as follows.

[figure: inductive definition of \({\rightsquigarrow _\textit{aci}}\)]

   \(\diamondsuit \)

4 Implementation

We provide an Isabelle/HOL command that automatically lifts the BNF structure to quotient types. The command was implemented in 1590 lines of Isabelle/ML. It requires the user to discharge our conditions on the equivalence relation. Upon success, it defines the mapper, setters, and the relator, and proves the BNF axioms and transfer rules. All automated proofs are checked by Isabelle’s kernel. Eventually, the command registers the quotient type with the BNF infrastructure for use in future (co)datatype definitions.

4.1 The lift_bnf command

Our implementation extends the interface of the existing lift_bnf command for subtypes [7]. Given a quotient type \(\overline{\alpha }\;Q = \overline{\alpha }\;F / {\sim }\),

\(\texttt {lift\_bnf }\overline{\alpha }\;Q\)

asks the user to prove the conditions (9) and (12) of Theorem 3, where (9) is expressed in terms of (10) according to Lemma 3. Since the quotient construction already requires that \({\sim }\) be an equivalence relation, the remaining condition (1) holds trivially.

After the assumptions have been proved by the user, the command defines the BNF constants. Their definitions use an abstraction function \(\textsf {abs}_Q {:}{:}\overline{\alpha }\;F \rightarrow \overline{\alpha }\;Q\) and a representation function \(\textsf {rep}_Q {:}{:}\overline{\alpha }\;Q \rightarrow \overline{\alpha }\;F\), as in HOL, Q is distinct from (but isomorphic to) the set of equivalence classes. Concretely, we define the quotient’s mapper by

$$\begin{aligned} \textsf {map}_Q\;\overline{f} = \textsf {abs}_Q \circ \textsf {map}_F\;\overline{f} \circ \textsf {rep}_Q \end{aligned}$$

The quotient’s setters use the function \(\textsf {set}_{\mathsf {1}+{}}\), which maps \(\mathfrak {e}\;a\) to \(\{a\}\) and to \(\{\}\):

$$\begin{aligned} \textsf {set}_{Q,i} = \left( \lambda x.\; \bigcap \nolimits _{y \in [\textsf {map}_F\;\overline{\mathfrak {e}}\;x]_\sim } \bigcup \textsf {set}_{\mathsf {1}+{}}\langle \textsf {set}_{F,i}\;y\rangle \right) \circ \textsf {rep}_Q \end{aligned}$$
(13)

This definition is equivalent to the characterization in Theorem 1. The relator (Theorem 2) is lifted similarly using \(\textsf {rep}_Q\).

4.2 Transfer Rule Generation

The relationship of a quotient’s BNF structure to its underlying type allows us to prove additional properties about the former. This is achieved by transfer rules, which drive Isabelle’s Transfer tool [19] (Sect. 2.2). Our command automatically proves parametrized transfer rules for the lifted mapper, setters, and relator. Parametrized transfer rules are more powerful because they allow the refinement of nested types [22, Section 4.3]. They involve a parametrized correspondence relation \(\textsf {pcr}_Q\;\overline{A} = \textsf {rel}_F\;\overline{A} \mathbin {\bullet }\textsf {cr}_Q\), where the parameters \(\overline{A}\) relate the type arguments of F and Q.

Since \(\textsf {map}_Q\) is lifted canonically, its transfer rule is unsurprising:

$$\begin{aligned} (\textsf {map}_F, \textsf {map}_Q) \in \smash {\left( \overline{(A \Mapsto B)} \Mapsto \textsf {pcr}_Q\;\overline{A} \Mapsto \textsf {pcr}_Q\;\overline{B} \right) } \end{aligned}$$

Setters are not transferred to \(\textsf {set}_F\) but to the more complex function from (13):

$$\begin{aligned} \smash {\left( \lambda x.\; \bigcap \nolimits _{y \in [\textsf {map}_F\;\overline{\mathfrak {e}}\;x]_\sim } \bigcup \textsf {set}_{\mathsf {1}+{}}\langle \textsf {set}_{F,i}\;y\rangle ,\;\textsf {set}_{Q,i}\right) } \in (\textsf {pcr}_Q\;\overline{A} \Mapsto \textsf {rel}_{\textsf {set}}\;A_i) \end{aligned}$$

where \((X,Y) \,{\in }\, \textsf {rel}_{\textsf {set}}\;A \longleftrightarrow (\forall x \,{\in }\, X.\;\exists y \,{\in }\, Y.\; (x,y)\,{\in }\, A) \wedge (\forall y \,{\in }\, Y.\;\exists x \,{\in }\, X.\; (x,y) \,{\in }\, A)\). Similarly, the rule for Q’s relator follows its definition in Theorem 2.

Example 4 (continued)

Recall that terminated coinductive lists satisfy the conditions for lifting the BNF structure. Thus, we obtain the setter \(\textsf {set}_{\textit{tllist},2} {:}{:}(\alpha ,\beta )\;\textit{tllist} \rightarrow \beta \;\textit{set}\) among the other BNF operations. We want to prove that \(\textsf {set}_{\textit{tllist},2}\;x\) is empty for all infinite lists x. To make this precise, let the predicate \(\textsf {lfinite} {:}{:}\alpha \;\textit{llist} \rightarrow \textit{bool}\) characterize finite coinductive lists. We lift it to \((\alpha ,\beta )\;\textit{tllist}\) by projecting away the terminator:

\(\texttt {lift\_definition }\textsf {tlfinite} {:}{:}(\alpha ,\beta )\;\textit{tllist} \rightarrow \textit{bool}\texttt { is }(\lambda x.\;\textsf {lfinite}\;(\textsf {fst}\;x))\)

Therefore, we have to show that \(\forall x.\;\lnot \,\textsf {tlfinite}\; x \implies \textsf {set}_{\textit{tllist},2}\;x = \{\}\). Using the transfer rules for the setter and the lifted predicate \(\textsf {tlfinite}\), the transfer proof method reduces the proof obligation to

$$\begin{aligned} \forall x'.\; \lnot \,\textsf {lfinite}\;(\textsf {fst}\;x') \implies \smash {\bigcap \nolimits _{y \in [\textsf {map}_F\;\overline{\mathfrak {e}}\;x']_{\sim _\textit{tllist}}}} \bigcup \textsf {set}_{\mathsf {1}+{}}\langle \textsf {set}_{F,2}\;y\rangle = \{\} \end{aligned}$$

where \(x' {:}{:}(\alpha ,\beta )\;F\), and \((\alpha ,\beta )\;F = (\alpha \;\textit{llist} \times \beta )\) is the underlying functor of tllist. The rest of the proof, which need not refer to \(\textit{tllist}\) anymore, is automatic.    \(\diamondsuit \)

We have also extended lift_bnf to generate transfer rules for subtypes. There, the setters and the relator do not change: if T is a subtype of F, e.g., then \(\textsf {set}_{T,i}\) is transferred to \(\textsf {set}_{F,i}\).

5 Related Work

Quotient constructions have been formalized and implemented, e.g., in Isabelle/HOL [19, 21, 34, 35], HOL4 [18], Agda [40, 41], Cedille [30], Coq [11, 12], Lean [3], and Nuprl [33]. None of these works look at the preservation of functor properties except for Avigad et al. [3] (discussed in Sect. 5.2) and Veltri [41]. Veltri studies the special case of when the delay monad is preserved by a quotient of weak bisimilarity, focusing on the challenges that quotients pose in intensional type theory.

Abbott et al. [1] introduce quotient containers as a model of datatypes with permutative structure, such as unordered pairs, cyclic lists, and multisets. The map function of quotient containers does not change the shape of the container. Quotient containers therefore cannot deal with quotients where the equivalence relation takes the identity of elements into account, such as distinct lists, finite sets, and the free idempotent monoid. Overall, our construction strictly subsumes quotient containers.

5.1 Quotients in the Category of Sets

BNFs are accessible functors in the category of Sets. We therefore relate to the literature on when quotients preserve functors and their properties in Set.

Trnková [38] showed that all Set functors preserve non-empty intersections: in our notation \({\fbox {F}}\;A \cap {\fbox {F}}\;B = {\fbox {F}}\;(A \cap B)\) whenever \(A \cap B \ne \{\}\). Empty intersections need not be preserved though. Functors that do are called regular [39] or sound [2]. All BNFs are sound as \({\fbox {F}}\;A = \{ x \mid \textsf {set}_F\;x \subseteq A \}\). As shown in Example 2, the naive quotient construction can lead to unsound functors.

Every unsound functor can be “repaired” by setting \({\fbox {F}}\;\{\}\) to the distinguished points \(\textsf {dp}_F\). We write \({\fbox {F}}\,'\) for the repaired action.

$$\begin{aligned} {\fbox {F}}\,'\;A = {\left\{ \begin{array}{ll} \textsf {dp}_F &{} \text {if } A = \{\} \\ {\fbox {F}}\;A &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
(14)

Trnková characterizes the distinguished points \(\textsf {dp}_F\) as the natural transformations from \(C_{1,0}\) to F where and for . Barr [4] and Gumm [16] use equalizers instead of natural transformations to define the distinguished points of univariate functors:

$$\begin{aligned} \textsf {dp}_F = \{ x \mid \textsf {map}_F\;(\lambda \_.\; \textsf {True})\;x = \textsf {map}_F\;(\lambda \_.\; \textsf {False})\; x \} \end{aligned}$$
(15)

The case distinction in (14) makes it hard to work with repaired functors, especially as the case distinctions proliferate for multivariate functors. Instead, we repair the unsoundness by avoiding empty sets altogether: Our characterization in Lemma 1 effectively derives the quotient from \((\mathsf {1}+ \alpha )\;F\) instead of \(\alpha \;F\). Moreover, our characterization of \({\fbox {F}}\;\overline{A}\) generalizes Barr and Gumm’s definition of distinguished points: for \(\overline{A} = \{\}\), (5) simplifies to (15). The resulting quotient is the same because if \(A_i \ne \{\}\) for all i.

Given the other BNF properties, subdistributivity is equivalent to the functor preserving weak pullbacks. Adámek et al. [2] showed that an accessible Set functor preserves weak pullbacks iff it has a so-called dominated presentation in terms of flat equations E over a signature \(\Sigma \). This characterization does not immediately help with proving subdistributivity, though. For example, the finite set quotient \(\alpha \;\textit{fset} = \alpha \;\textit{list} / {\sim _{\textit{fset}}}\) comes with the signature \(\Sigma = \{ \sigma _n \mid n \in \mathbb {N} \}\) and the equations \(\sigma _n(x_1,\ldots ,x_n) = \sigma _m(y_1,\ldots ,y_m)\) whenever \(\{x_1,\ldots ,x_n\} = \{y_1,\ldots ,y_m\}\). Proving domination for this presentation boils down to proving subdistributivity directly. Our criterion using a confluent relation (Theorem 4) is only sufficient, not necessary, but it greatly simplifies the actual proof effort.

5.2 Comparison with Lean’s Quotients of Polynomial Functors

Avigad et al. [3] proposed quotients of polynomial functors (QPF) as a model for datatypes. QPFs generalize BNFs in that they require less structure: there is no setter and the relator need not satisfy subdistributivity. Nevertheless, the quotient construction is similar to ours. Without loss of generality, we consider in our comparison only the univariate case \(\alpha \;Q = \alpha \;F / {\sim }\).

The main difference lies in the definition of the liftings \(\textsf {lift}_F\) of predicates \(P {:}{:}\alpha \rightarrow \mathbb {B}\) and relations \(R {:}{:}\alpha \otimes \beta \). In our notation, \(\textsf {lift}_F\;P\) corresponds to \(\lambda x.\; x \in {\fbox {F}}\;\{ a \mid P\;a \}\) and \(\textsf {lift}_F\;R\) to \(\textsf {rel}_F\; R\). QPF defines these liftings for the quotient Q as follows:

$$\begin{aligned} \textsf {lift}_Q\;P\;[x]_\sim = (\exists x' \,{\in }\, [x]_\sim .\; P\; x') \qquad \textsf {lift}_Q\;R\;[x]_\sim \;[y]_\sim = (\exists x' \,{\in }\, [x]_\sim .\; \exists y' \,{\in }\, [y]_\sim .\;R\;x'\;y') \end{aligned}$$

That is, these definitions correspond to the naive construction \({\fbox {Q}}\;A = [{\fbox {F}}\;A]_\sim \) and \(\textsf {rel}_Q\;R = [\textsf {rel}_F\;R]_\sim \) where \([(x, y)]_\sim = ([x]_\sim , [y]_\sim )\). As discussed above, the resulting quotient may be an unsound functor. Consequently, lifting of predicates does not preserve empty intersections in general. This hinders modular proofs. For example, suppose that a user has already shown \(\textsf {lift}_Q\;P_1\;x\) and \(\textsf {lift}_Q\;P_2\;x\) for some value x and two properties \(P_1\) and \(P_2\). Then, to deduce \(\textsf {lift}_F\;(\lambda a.\;P_1\; a \wedge P_2\;a)\;x\), they would have to prove that the two properties do not contradict each other, i.e., \(\exists a.\;P_1\;a \wedge P_2\;a\). Obviously, this makes modular proofs harder as extra work is needed to combine properties.

QPF uses \(\textsf {lift}_F\;P\) in the induction theorem for datatypes. So when a datatype recurses through \(\textit{tllist}\), this spreads to proofs by induction: splitting a complicated inductive statement into smaller lemmas is not for free. Moreover, \(\textsf {lift}_Q\) holds for fewer values, as the next example shows. Analogous problems arise in QPF for relation lifting, which appears in the coinduction theorem.

Example 4 (continued)

Consider the infinite repetition \(\textsf {repeat}\;a {:}{:}(\alpha , \beta )\;\textit{tllist}\) of the atom a as a terminated lazy list. As \(\textsf {repeat}\;a\) contains only as, one would expect that \(\textsf {lift}_\textit{tllist}\;(\lambda a'.\; a' = a)\;(\lambda \_.\;\textsf {False})\;(\textsf {repeat}\;a)\) holds. Yet, this property is provably false.    \(\diamondsuit \)

These issues would go away if \(\textsf {lift}_Q\) was defined following our approach for and \(\textsf {rel}_Q\) as in Theorem 2. These definitions do not rely on the additional BNF structure; only \(\textsf {map}_Q\) is needed and QPF defines \(\textsf {map}_Q\) like we do. The repair should therefore work for the general QPF case, as well.

6 Conclusion

We have described a sufficient criterion for quotient types to be able to inherit the BNF structure from the underlying type. We have demonstrated the effectiveness of the criterion by automating the BNF “inheritance” in the form of the lift_bnf command in Isabelle/HOL and used it (which amounts to proving the criterion) for several realistic quotient types. We have also argued that our treatment of the quotient’s setter and relator to avoid unsoundness carries over to more general structures, such as Lean’s QPFs.

As future work, we plan to investigate quotients of existing generalizations of BNFs to co- and contravariant functors [28] and functors operating on small-support endomorphisms and bijections [8]. Furthermore, we would like to provide better automation for proving subdistributivity via confluent rewrite systems as part of lift_bnf.