Modular Inference of Linear Types for Multiplicity-Annotated Arrows

Bernardy et al. [2018] proposed a linear type system λ q → as a core type system of Linear Haskell. In the system, linearity is represented by annotated arrow types A → m B, where m denotes the multiplicity of the argument. Thanks to this representation, existing non-linear code typechecks as it is, and newly written linear code can be used with existing non-linear code in many cases. However, little is known about the type inference of λ q → . Although the Linear Haskell implementation is equipped with type inference, its algorithm has not been formalized, and the implementation often fails to infer principal types, especially for higher-order functions. In this paper, based on OutsideIn(X) [Vytiniotis et al., 2011], we propose an inference system for a rank 1 qualified-typed variant of λ q → , which infers principal types.
A technical challenge in this new setting is to deal with ambiguous types inferred by naive qualified typing. We address this ambiguity issue through quantifier elimination and demonstrate the effectiveness of the approach with examples.


Introduction
Linearity is a fundamental concept in computation and has many applications. For example, if a variable is known to be used only once, it can be freely inlined without any performance regression [29]. In a similar manner, destructive updates are safe for such values without the risk of breaking referential transparency [32]. Moreover, linearity is useful for writing transformations on data that cannot be copied or discarded for various reasons, including reversible computation [19,35] and quantum computation [2,25]. Another interesting application of linearity is that it helps to bound the complexity of programs [1,5,13].
Linear type systems use types to enforce linearity. One way to design a linear type system is based on the Curry-Howard correspondence with linear logic. For example, in Wadler [33]'s type system, functions are linear in the sense that their arguments are used exactly once, and any exception to this must be marked by the type operator (!). Such an approach is theoretically elegant but cumbersome in programming; a program usually contains both linear and unrestricted code, and many manipulations concerning (!) are required in the latter and around the interface between the two. Thus, several approaches have been proposed for more practical linear type systems [7,21,24,28].
Among these approaches, a system called λ q → , the core type system of Linear Haskell, stands out for its ability to have linear code in large unrestricted code bases [7]. With it, existing unrestricted code in Haskell typechecks in Linear Haskell without modification, and if one desires, some of the unrestricted code can be replaced with linear code, again without any special programming effort. For example, one can use the function append in an unrestricted context as λx.tail (append x x), regardless of whether append is a linear or unrestricted function. This is made possible by their representation of linearity. Specifically, they annotate a function type with its argument's multiplicity ("linearity via arrows" [7]) as A → m B, where m = 1 means that the function of the type uses its argument linearly, and m = ω means that there is no restriction in the use of the argument, which includes all non-linear standard Haskell code. In this system, linear functions can be used in an unrestricted context if their arguments are unrestricted. Thus, there is no problem in using append : List A → 1 List A → 1 List A as above, provided that x is unrestricted. This promotion of linear expressions to unrestricted ones is difficult in other approaches [21,24,28] (at least in the absence of bounded kind-polymorphism), where linearity is a property of a type (called "linearity via kinds" in [7]).
However, as far as we are aware, little is known about type inference for λ q → . It is true that Linear Haskell is implemented as a fork of the Glasgow Haskell Compiler (GHC), which of course comes with type inference. However, the algorithm has not been formalized and has limitations due to a lack of proper handling of multiplicity constraints. Indeed, Linear Haskell gives up handling complex constraints on multiplicities such as those with multiplications p · q; as a result, Linear Haskell sometimes fails to infer principal types, especially for higher-order functions. This limits the reusability of code. For example, Linear Haskell cannot infer an appropriate type for function composition to allow it to compose both linear and unrestricted functions.
A classical approach that combines separate constraint solving, which works well with the usual unification-based typing, and principal typing (for a rank 1 fragment) is qualified typing [15]. In qualified typing, constraints on multiplicities are collected, and then a type is qualified with them to obtain a principal type. Complex multiplicities are not a problem in unification as they are handled by a constraint solver. For example, consider app = λf.λx.f x. Suppose that f has type a → p b, and x has type a (here we focus only on multiplicities). Let us write the multiplicities of f and x as p f and p x , respectively. Since x is passed to f , there is a constraint that the multiplicity p x of x must be ω if the multiplicity p of f 's argument also is. In other words, p x must be no less than p, which is represented by the inequality p ≤ p x under the ordering 1 ≤ ω. (We could represent the constraint as an equality p x = p · p x , but using inequality is simpler here.) For the multiplicity p f of f , there is no restriction because f is used exactly once; linear use is always legitimate even when p f = ω. As a result, we obtain the inferred type ∀p p f p x a b. p ≤ p x ⇒ (a → p b) → p f a → p x b for app. This type is a principal one, intuitively because only the constraints that are needed for typing λf.λx.f x are gathered. Having separate constraint solving phases itself is rather common in the context of linear typing [3,4,11,12,14,23,24,29,34]. Qualified typing makes the constraint solving phase local and gives the principal typing property that makes typing modular. In particular, in the context of linearity via kinds, qualified typing is proven to be effective [11,24].
As qualified typing is useful in the context of linearity via kinds, one may expect that it also works well for linearity via arrows such as λ q → . However, naive qualified typing turns out to be impractical for λ q → because it tends to infer ambiguous types [15,27]. As a demonstration, consider a slightly different version of app defined as app' = λf.λx.app f x. Standard qualified typing [15,31] infers a type by the following steps:
- The polymorphic type of app is instantiated to (a → q b) → q f a → q x b and yields a constraint q ≤ q x (again we focus only on multiplicity constraints).
- Since f is used as the first argument of app, f must have type a → q b. Also, since the multiplicity of app's first argument is q f , there is a restriction on the multiplicity of f , say p f , that q f ≤ p f .
- Similarly, since x is used as the second argument of app, x must have type a, and there is a constraint on the multiplicity of x, say p x , that q x ≤ p x .
This inference is unsatisfactory, as the inferred type leaks internal details and is ambiguous [15,27] in the sense that one cannot determine q f and q x from an instantiation of (a → q b) → p f a → p x b. Due to this ambiguity, the types of app and app' are not judged as equivalent; in fact, the standard qualified typing algorithms [15,31] reject app'. We conjecture that the issue of inferring ambiguous types is intrinsic to linearity via arrows because of the separation of multiplicities and types, unlike the case of linearity via kinds, where multiplicities are always associated with types. Simple solutions such as rejecting ambiguous types are not desirable because this case arises very often. Defaulting ambiguous variables (such as q f and q x ) to 1 or ω is not a solution either because it loses principality in general.
In this paper, we propose a type inference method for a rank 1 qualified-typed variant of λ q → , in which the ambiguity issue is addressed without compromising principality. Our type inference system is built on top of OutsideIn(X) [31], an inference system for qualified types used in GHC, which can handle local assumptions to support let, existential types, and GADTs. An advantage of using OutsideIn(X) is that it is parameterized over a theory X of constraints. Thus, applying it to linear typing boils down to choosing an appropriate X. We choose X carefully so that the representation of constraints is closed under quantifier elimination, which is the key to addressing the ambiguity issue. Specifically, in this paper:
- We present a qualified typing variant of a rank-1 fragment of λ q → without local definitions, in which manipulation of multiplicities is separated from the standard unification-based typing (Sect. 2).
- We give an inference method for the system based on gathering constraints and solving them afterward (Sect. 3). This step is mostly standard, except that we solve multiplicity constraints in time polynomial in their sizes.
- We address the ambiguity issue by quantifier elimination under the assumption that multiplicities do not affect runtime behavior (Sect. 4).
- We extend our technique to local assumptions (Sect. 5), which enables let and GADTs, by showing that the disambiguation in Sect. 4 is compatible with OutsideIn(X).
- We report experimental results using our proof-of-concept implementation (Sect. 6). The experiments show that the system can infer unambiguous principal types for selected functions from Haskell's Prelude, and performs well with acceptable overhead.
The prototype implementation is available as a part of the reversible programming system Sparcl, available from https://bitbucket.org/kztk/partially-reversible-lang-impl/. Due to space limitations, we omit some proofs from this paper; they can be found in the full version [20].
Qualified-Typed Variant of λ q →

In this section, we introduce a qualified-typed [15] variant of λ q → [7] for its rank 1 fragment, on which we base our type inference. Notable differences from the original λ q → include: (1) multiplicity abstractions and multiplicity applications are implicit (as are type abstractions and type applications), (2) this variant uses qualified typing [15], (3) conditions on multiplicities are inequality-based [6], which gives better handling of multiplicity variables, and (4) local definitions are excluded, as we postpone their discussion to Sect. 5 due to issues in the handling of local assumptions in qualified typing [31].

Syntax of Programs
Programs and expressions, which will be typechecked, are given below. As mentioned at the beginning of this section, we postpone the discussion of local bindings (i.e., let) to Sect. 5. Expressions consist of variables x, applications e 1 e 2 , λ-abstractions λx.e, constructor applications C e, and (shallow) pattern matching case e 0 of {C i x i → e i } i . For simplicity, we assume that constructors are fully applied and patterns are shallow. As usual, patterns C i x i must be linear in the sense that each variable in x i is distinct. Programs are assumed to be appropriately α-renamed so that variables newly introduced by λ and patterns are always fresh. We do not require the patterns of a case expression to be exhaustive or non-overlapping, following the original λ q → [7]; linearity in λ q → concerns only successful computations. Unlike the original λ q → , we do not annotate λ and case with the multiplicity of the argument and the scrutinee, respectively.
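As a concrete reference point, this syntax can be modeled as a small Haskell datatype. The following is a sketch with our own names; the occurrence counter is a naive syntactic approximation of the linearity bookkeeping (it combines case branches with max), not the multiplicity-environment machinery of the type system itself.

```haskell
type Var = String
type Con = String

-- Expressions: variables, applications, λ-abstractions,
-- fully applied constructors, and shallow pattern matching.
data Expr
  = V Var                            -- variables x
  | App Expr Expr                    -- applications e1 e2
  | Lam Var Expr                     -- λ-abstractions λx.e
  | CApp Con [Expr]                  -- constructor applications C e1 … en
  | Case Expr [(Con, [Var], Expr)]   -- case e0 of { Ci xi → ei }

-- Syntactic occurrences of a free variable; binders shadow, and
-- case branches are combined with max as a crude analogue of the
-- join on multiplicity environments.
occurrences :: Var -> Expr -> Int
occurrences x e = case e of
  V y          -> if y == x then 1 else 0
  App e1 e2    -> occurrences x e1 + occurrences x e2
  Lam y b      -> if y == x then 0 else occurrences x b
  CApp _ es    -> sum (map (occurrences x) es)
  Case e0 alts -> occurrences x e0
                  + maximum (0 : [ occurrences x b | (_, ys, b) <- alts
                                                   , x `notElem` ys ])
```

For example, for the body of λx.tail (append x x) from Sect. 1, the counter reports two occurrences of x, which is why that term is only well-typed when x is unrestricted.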
Constructors play an important role in λ q → . As we will see later, they can be used to witness unrestrictedness, similarly to ! of !e in a linear type system [33].

Types
Types and related notations are defined in Fig. 1. Types are separated into monotypes and polytypes (or, type schemes). Monotypes consist of (rigid) type variables a, datatypes D µ τ , and multiplicity-annotated function types τ 1 → µ τ 2 . Here, a multiplicity µ is either 1 (linear), ω (unrestricted), or a (rigid) multiplicity variable p. Polytypes have the form ∀pa.Q ⇒ τ , where Q is a constraint that is a conjunction of predicates. A predicate φ has the form M ≤ M′, where M and M′ are products of multiplicities. We shall sometimes treat Q as a set of predicates, which means that we shall rewrite Q according to contexts by the idempotent commutative monoid laws of ∧. We call both multiplicity (p) and type (a) variables type-level variables, and write ftv(t) for the set of free type-level variables in syntactic objects (such as types and constraints) t.
We assume a fixed set of constructors given beforehand. Each constructor is assigned a type of the form ∀pa. τ 1 → µ 1 · · · → µ n−1 τ n → µ n D p a, where each τ i and µ i do not contain free type-level variables other than {pa}, i.e., ∪ i ftv(τ i , µ i ) ⊆ {pa}. For simplicity, we write the above type as ∀pa. τ → µ D p a. We assume that types are well-kinded, which effectively means that D is applied to the same numbers of multiplicity arguments and type arguments among the constructor types. Usually, it suffices to use constructors of linear function types, such as Cons : ∀a. a → 1 List a → 1 List a, because they can be used in both linear and unrestricted code.
In general, constructors can encapsulate arguments' multiplicities as below, which is useful when a function returns both linear and unrestricted results.
MkUn : ∀a. a → ω Un a
MkMany : ∀p a. a → p Many p a
For example, a function that reads a value from a mutable array at a given index can be given as a primitive of type readMArray : ∀a. MArray a → 1 Int → ω (MArray a ⊗ Un a) [7]. Multiplicity-parameterized constructors become useful when the multiplicity of contents can vary. For example, the type IO L p a with the constructor MkIO L : (World → 1 (World ⊗ Many p a)) → 1 IO L p a can represent the IO monad [7] with methods return : ∀p a. a → p IO L p a and a corresponding bind operator.

Typing Rules
Our type system uses two sorts of environments: a typing environment, which maps variables to polytypes (as usual in non-linear calculi), and a multiplicity environment, which maps variables to products of multiplicities. This separation of the two will be convenient when we discuss type inference. As usual, we write x 1 : A 1 , . . . , x n : A n instead of {x 1 → A 1 , . . . , x n → A n } for typing environments.
For multiplicity environments, we use the multiset-like notation x 1 M 1 , . . . , x n M n . We use two operations on multiplicity environments: ∆ 1 + ∆ 2 and ∆ 1 ⊔ ∆ 2 . Operation ∆ 1 + ∆ 2 combines the uses of two subterms; in particular, (∆ 1 + ∆ 2 )(x) = ω if x ∈ dom(∆ 1 ) ∩ dom(∆ 2 ), because this condition means that x is used in two places. Operation ∆ 1 ⊔ ∆ 2 is used for case branches. Suppose that a branch e 1 uses variables as ∆ 1 and another branch e 2 uses variables as ∆ 2 . Then, putting the branches together, variables are used as ∆ 1 ⊔ ∆ 2 . The definition says that x is considered to be used linearly in the two branches put together if and only if both branches use x linearly, where non-linear use includes unrestricted use (∆ i (x) = ω) and non-use (x ∉ dom(∆ i )).
We write Q |= Q′ if Q logically entails Q′; that is, for any valuation of multiplicity variables θ(p) ∈ {1, ω}, Q′θ holds if Qθ does. For example, we have p ≤ r ∧ r ≤ q |= p ≤ q. We extend the notation |= pointwise to multiplicity environments.
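Since multiplicity variables range over the two-point domain {1, ω}, the entailment Q |= Q′ can be decided naively by enumerating all valuations. The following Haskell sketch (our own names; restricted to predicates p ≤ q between variables for brevity) implements exactly this semantic definition; the caller lists the variables that occur in the constraints.

```haskell
-- Multiplicities 1 and ω with the ordering 1 ≤ ω.
data Mult = MOne | MOmega deriving (Eq, Show)

leq :: Mult -> Mult -> Bool
leq MOmega MOne = False
leq _      _    = True

-- Predicates p ≤ q between multiplicity variables (named by strings).
data Pred = String :<: String

-- All valuations θ of a finite set of variables into {1, ω}.
valuations :: [String] -> [String -> Mult]
valuations []     = [const MOne]
valuations (v:vs) = [ \x -> if x == v then m else th x
                    | th <- valuations vs, m <- [MOne, MOmega] ]

holds :: (String -> Mult) -> Pred -> Bool
holds th (p :<: q) = leq (th p) (th q)

-- Q |= Q': every valuation (of the listed variables) satisfying Q
-- also satisfies Q'.
entails :: [String] -> [Pred] -> [Pred] -> Bool
entails vs q q' =
  and [ all (holds th) q' | th <- valuations vs, all (holds th) q ]
```

This brute-force check is exponential in the number of variables; Sect. 3.2 replaces it with an efficient reduction to Horn SAT.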
Constraints Q affect type equality; for example, under Q = p ≤ q ∧ q ≤ p, σ → p τ and σ → q τ become equivalent. Formally, we write Q |= τ ∼ τ ′ if τ θ = τ ′ θ for any valuation θ of multiplicity variables that makes Qθ true. Now, we are ready to define the typing judgment for expressions, Q; Γ ; ∆ ⊢ e : τ , which reads that under assumption Q, typing environment Γ , and multiplicity environment ∆, expression e has monotype τ ; it is defined by the typing rules in Fig. 2. Here, we assume dom(∆) ⊆ dom(Γ ). Having x ∈ dom(Γ ) \ dom(∆) means that the multiplicity of x is essentially 0 in e.
Rule Eq says that we can replace τ and ∆ with equivalent ones in typing. Rule Var says that x is used once in a variable expression x, but it is safe to regard that the expression uses x more than once and uses other variables ω times. At the same time, the rule instantiates the polytype ∀pa.Q ⇒ τ of x.

Rule Abs says that λx.e has type σ → µ τ if e has type τ , assuming that the use of x in e is µ. Unlike the original λ q → [7], in our system, multiplicity annotations on arrows must be µ, i.e., 1, ω, or a multiplicity variable, instead of M . This does not limit the expressiveness because such general arrow types can be represented by type σ → p τ with constraints p ≤ M ∧ M ≤ p.
Rule App sketches an important principle in λ q → ; when an expression with variable use ∆ is used µ-many times, the variable use in the expression becomes µ∆. Thus, since we pass e 2 (with variable use ∆ 2 ) to e 1 , where e 1 uses the argument µ-many times as described in its type σ → µ τ , the use of variables in e 2 of e 1 e 2 becomes µ∆ 2 . For example, for (λy.42) x, x is considered to be used ω times because (λy.42) has type σ → ω Int for any σ.
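The operations on multiplicity environments used so far, ∆ 1 + ∆ 2 , ∆ 1 ⊔ ∆ 2 , and the scaling µ∆ of rule App, can be sketched in Haskell as follows. This is our own minimal encoding (finite maps from variable names to {1, ω}), not the paper's formal definition, but it follows the behavior described in the text: use in two places yields ω, a branch join is linear only when both branches are, and scaling by ω makes every use unrestricted.

```haskell
import qualified Data.Map as Map

data Mult = One | Omega deriving (Eq, Show)

-- A multiplicity environment ∆ maps variables to multiplicities.
type MEnv = Map.Map String Mult

-- ∆1 + ∆2: a variable occurring in both operands is used in two
-- places, hence ω; variables in only one operand keep their use.
plus :: MEnv -> MEnv -> MEnv
plus = Map.unionWith (\_ _ -> Omega)

-- ∆1 ⊔ ∆2 (case branches): x is linear only if both branches use it
-- linearly; non-use in one branch counts as non-linear use.
join :: MEnv -> MEnv -> MEnv
join d1 d2 = Map.mapWithKey f (Map.union d1 d2)
  where
    f x _ = case (Map.lookup x d1, Map.lookup x d2) of
              (Just One, Just One) -> One
              _                    -> Omega

-- µ∆ (rule App): scaling by 1 is the identity, scaling by ω makes
-- every use unrestricted, matching 1·M = M and ω·M = ω.
scale :: Mult -> MEnv -> MEnv
scale One   d = d
scale Omega d = Map.map (const Omega) d
```

For instance, scaling the argument's environment by ω models the (λy.42) x example: x ends up with use ω.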
Rule Con is nothing but a combination of Var and App. The ω∆ 0 part is only useful when C is nullary; otherwise, we can weaken ∆ at leaves.
Rule Case is the most complicated rule in this type system. In this rule, µ 0 represents how many times the scrutinee e 0 is used in the case. If µ 0 = ω, the pattern-bound variables can be used unrestrictedly, and if µ 0 = 1, the pattern-bound variables can be used according to the multiplicities of the arguments of the constructor. Thus, in the ith branch, variables in x i can be used as µ 0 µ i , where µ i represents the multiplicities of the arguments of the constructor C i . Other than x i , each branch body e i can contain free variables used as ∆ i . Thus, the uses of free variables in the whole branch bodies are summarized as ⊔ i ∆ i . Recall that the case uses the scrutinee µ 0 times; thus, the whole uses of variables are estimated as µ 0 ∆ 0 + ⊔ i ∆ i .
Then, we define the typing judgment for programs, Γ ⊢ prog, which reads that program prog is well-typed under Γ , by the typing rules in Fig. 3. At this place, the rules Bind and BindA have no significant differences; their difference will become clear when we discuss type inference. In the rules Bind and BindA, we assume that Γ contains no free type-level variables. Therefore, we can safely generalize all free type-level variables in Q and τ . We do not check the use ∆ in either rule, as bound variables are assumed to be used arbitrarily many times in the rest of the program; that is, the multiplicity of a bound variable is ω and its body uses variables as ω∆, which maps each x ∈ dom(∆) to ω and has no free type-level variables.

Metatheories
Lemma 4 is the standard weakening property. Lemma 5 says that we can replace Q with a stronger one, Lemma 6 says that we can replace ∆ with a greater one, and Lemma 7 says that we can substitute type-level variables in a term-in-context without violating typeability. These lemmas state some sort of weakening, and the last three lemmas clarify the goal of our inference system discussed in Sect. 3. We also have a standard substitution lemma (Lemma 8).
Subject Reduction. We show the subject reduction property for a simple call-by-name semantics. Consider the standard small-step call-by-name relation e −→ e′ with the usual β-reduction rules (we omit the congruence rules). Then, by Lemma 8, we have the following subject reduction property:
Lemma 9 (Subject Reduction). Q; Γ ; ∆ ⊢ e : τ and e −→ e′ implies Q; Γ ; ∆ ⊢ e′ : τ .
Lemma 9 holds even for the call-by-value reduction, though with a caveat.
For a program f 1 = e 1 ; . . . ; f n = e n , it can happen that some e i is typed only under an unsatisfiable (i.e., conflicting) Q i . As a conflicting Q i means that e i is essentially ill-typed, evaluating e i may not be safe. However, the standard call-by-value strategy evaluates e i even when f i is not used at all, in which case the type system does not reject the unsatisfiability. This issue can be addressed by the standard witness-passing transformation [15], which converts programs so that Q ⇒ τ becomes W Q → τ , where W Q represents a set of witnesses of Q. Nevertheless, it would also be reasonable to reject conflicting constraints locally.
We then state the correspondence with the original system [7] (assuming the modification [6] for the variable case) to show that the qualified-typed version captures linearity as the original does. While the original system assumes call-by-need evaluation, Lemma 9 could be lifted to that case.
Theorem 1. If Q; Γ ; ∆ ⊢ e : τ with an empty Q, where Γ contains only monotypes, then e is also well-typed in the original λ q → under some environment.
The main reason for the monotype restriction is that our polytypes are strictly more expressive than their (rank-1) polytypes. This extra expressiveness comes from predicates of the form · · · ≤ M · M′. Indeed, f = λx.case x of {MkMany y → (y, y)} has type ∀p q a. ω ≤ p · q ⇒ Many p a → q a ⊗ a in our system, while it has three incomparable types in the original λ q → .

Type Inference
In this section, we give a type inference method for the type system in the previous section. Following [31, Section 3], we adopt the standard two-phase approach; we first gather constraints on types and then solve them. As mentioned in Sect. 1, the inference system described here has the issue of ambiguity, which will be addressed in Sect. 4.

Inference Algorithm
We first extend types τ and multiplicities µ to include unification variables.
Besides Q, the algorithm will generate equality constraints τ ∼ τ ′. Formally, generated constraints C are conjunctions of generated predicates ψ, where a generated predicate ψ is either a predicate φ or an equality τ ∼ τ ′. Then, we define the type inference judgment for expressions, Γ ⊢ e : τ ; ∆; C, which reads that, given Γ and e, type τ is inferred together with variable use ∆ and constraints C, by the rules in Fig. 4. Note that ∆ is synthesized as well as τ and C in this step. This difference in the treatment of Γ and ∆ is why we separate multiplicity environments ∆ from typing environments Γ .
Gathered constraints are solved when we process top-level bindings. Figure 5 defines the type inference judgment for programs, Γ ⊢ prog, which reads that the inference finds prog well-typed under Γ . In the rules, manipulation of constraints is done by the simplification judgment Q simp C ; Q′; θ, which simplifies C under the assumption Q into the pair (Q′, θ) of residual constraints Q′ and a substitution θ for unification variables, where (Q′, θ) is expected to be equivalent in some sense to C under the assumption Q. The idea underlying our simplification is to solve type equality constraints in C as much as possible and then remove predicates that are implied by Q. Rules S-Fun, S-Data, S-Uni, and S-Triv are responsible for the former, which decompose type equality constraints and yield substitutions once either of the sides becomes a unification variable. Rules S-Entail and S-Rem are responsible for the latter, which remove predicates implied by Q and then return the residual constraints. Rule S-Entail checks Q |= φ; a concrete method for this check will be discussed in Sect. 3.2.
Example 1 (app). Let us illustrate how the system infers a type for app = λf.λx.f x. The highlights in the derivation for its body λf.λx.f x are as follows:
- In the last two steps, f is assigned type α f and multiplicity π f , and x is assigned type α x and multiplicity π x .
- Then, in the third-to-last step, for f x, the system infers type β with constraint α f ∼ (α x → π β). At the same time, the variable use in f x is inferred as f 1 , x π . Note that the use of x is π because it is passed to f : α x → π β.
- After that, in the last two steps again, the system yields constraints π x ≤ π and 1 ≤ π f .
As a result, the system infers a type for the body together with the gathered constraints. Then, we try to assign a polytype to app by the rules in Fig. 5; by simplification, we obtain the inferred polytype for app.
Correctness. We first prepare some definitions for the correctness discussions. First, we allow substitutions θ to replace unification multiplicity variables as well as unification type variables. Then, we extend the notion of |= and write C |= C′ if C′θ holds whenever Cθ does. From now on, we require that substitutions are idempotent, i.e., τ θθ = τ θ for any τ , which excludes substitutions such as [α → List α] and [α → β, β → Int], for example. Let us write Q |= θ = θ′ if Q |= τ θ ∼ τ θ′ for any τ . The restriction of a substitution θ to a domain X is written θ| X .
Lemma 11 (Completeness of Simplification). If (Q 0 , θ 0 ) is a solution for (Q, C) where Q is satisfiable, then Q simp C ; Q′; θ′ for some Q′ and θ′.
Note that the constraint generation Γ e : τ ; ∆; C always succeeds, whereas the generated constraints may possibly be conflicting. Theorem 3 states that such a case cannot happen when e is well-typed under the rules in Fig. 2.
Incompleteness in Typing Programs. It may sound contradictory to Theorem 3, but the type inference is indeed incomplete for checking type-annotated bindings. Recall that the typing rule for type-annotated bindings requires that the residual constraint after simplification be the trivial constraint ⊤. However, even when there exists a solution of the form (⊤, θ) for (Q, C), there can be no guess-free solution of this form. For example, (⊤, π ≤ π′) has a solution (⊤, [π → π′]), but there are no guess-free solutions of the required form. Also, even though there exists a guess-free solution of the form (⊤, θ), the simplification may not return that solution, as guess-free solutions are not always unique. For example, for (⊤, π ≤ π′ ∧ π′ ≤ π), (⊤, [π → π′]) is a guess-free solution, whereas we have ⊤ simp π ≤ π′ ∧ π′ ≤ π ; π ≤ π′ ∧ π′ ≤ π; ∅. The source of the issue is that constraints on multiplicities can (also) be solved by substitutions.
Fortunately, this issue disappears when we consider disambiguation in Sect. 4. By disambiguation, we can eliminate constraints for internally-introduced multiplicity unification variables that are invisible from the outside. As a result, after processing equality constraints, we essentially need only consider rigid multiplicity variables when checking entailment for annotated top-level bindings.
Promoting Equalities to Substitutions. The inference can infer polytypes ∀p. p ≤ 1 ⇒ Int → p Int and ∀p 1 p 2 . (p 1 ≤ p 2 ∧ p 2 ≤ p 1 ) ⇒ Int → p 1 Int → p 2 Int, while programmers would prefer the simpler types Int → 1 Int and ∀p. Int → p Int → p Int; the simplification so far does not yield substitutions on multiplicity unification variables. Adding the following rule remedies the situation:

S-Eq
This rule says that if π = µ must hold for Q w ∧ C to hold, the simplification yields the substitution [π → µ]. The condition π ∉ fuv(Q) is required for Lemma 10; a solution cannot substitute variables in Q. Note that this rule essentially finds an improving substitution [16]. Using the rule is optional. Our prototype implementation actually uses S-Eq only for Q w for which we can find µ easily: M ≤ 1, ω ≤ µ, and looping chains µ 1 ≤ µ 2 ∧ · · · ∧ µ n−1 ≤ µ n ∧ µ n ≤ µ 1 .

Entailment Checking by Horn SAT Solving
The simplification rules rely on the check of entailment Q |= φ. For the constraints in this system, we can perform this check in quadratic time at worst but in linear time for most cases. Specifically, we reduce the checking Q |= φ to satisfiability of propositional Horn formulas (Horn SAT), which is known to be solved in linear time in the number of occurrences of literals [10], where the reduction (precisely, the preprocessing of the reduction) may increase the problem size quadratically. The idea of using Horn SAT for constraint solving in linear typing can be found in Mogensen [23].
First, as a preprocess, we normalize both given and wanted constraints by the following rules:
- Replace M · 1 and 1 · M with M , and M · ω and ω · M with ω.
- Split M 1 · M 2 ≤ M into M 1 ≤ M ∧ M 2 ≤ M .
- Remove trivial predicates of the forms M ≤ ω and 1 ≤ M .
After this, each predicate φ has the form µ ≤ ν 1 · . . . · ν n .
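The normalization can be sketched in Haskell as follows. This is our own encoding (product simplification using 1 as the unit and ω as the absorbing element, splitting of left products, and removal of trivial predicates); names are ours.

```haskell
-- Atoms: the constants 1 and ω, and multiplicity variables.
data Atom = AOne | AOmega | AVar String deriving (Eq, Show)

-- Simplify a product: ω absorbs, 1 is the unit.
normProd :: [Atom] -> [Atom]
normProd ms
  | AOmega `elem` ms = [AOmega]
  | otherwise        = case filter (/= AOne) ms of
                         []  -> [AOne]
                         ms' -> ms'

-- Normalize M ≤ M': split the left product into separate predicates
-- and drop trivial ones (M ≤ ω and 1 ≤ M), returning predicates of
-- the form µ ≤ ν1·…·νk, represented as (head, body) pairs.
normalize :: ([Atom], [Atom]) -> [(Atom, [Atom])]
normalize (ms, ns) =
  [ (m, ns') | ns' /= [AOmega]   -- M ≤ ω holds trivially
             , m <- normProd ms
             , m /= AOne ]       -- 1 ≤ M holds trivially
  where ns' = normProd ns
```

For instance, p · 1 · q ≤ r · ω normalizes away entirely, while p · q ≤ r splits into p ≤ r and q ≤ r.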
After the normalization above, we can reduce the entailment checking to satisfiability. Specifically, we use the following property: Q |= µ ≤ ν 1 · . . . · ν n if and only if Q ∧ (ν 1 ≤ 1) ∧ · · · ∧ (ν n ≤ 1) ∧ (ω ≤ µ) is unsatisfiable. Here, the constraint Q ∧ (ν 1 ≤ 1) ∧ · · · ∧ (ν n ≤ 1) ∧ (ω ≤ µ) intuitively asserts that there exists a counterexample to Q |= µ ≤ ν 1 · . . . · ν n .
Then, it is straightforward to reduce the satisfiability of Q to Horn SAT; we just map 1 to true and ω to false, and accordingly map ≤ and · to ⇐ and ∧, respectively. Since Horn SAT can be solved in linear time in the number of occurrences of literals [10], the reduction also shows that the satisfiability of Q can be checked in linear time in the size of Q if Q is normalized. The normalization of constraints can duplicate the right-hand side M of · · · ≤ M , and thus increases the size quadratically in the worst case. Fortunately, the quadratic increase is not common because the size of M is bounded in practice, in many cases by one. Among the rules in Fig. 2, the only rule that introduces a non-singleton M on the right-hand side of ≤ is Case for a constructor whose arguments' multiplicities are non-constants, such as MkMany : ∀p a. a → p Many p a. However, it often suffices to use non-multiplicity-parameterized constructors, such as Cons : ∀a. a → 1 List a → 1 List a, because such constructors can be used to construct or deconstruct both linear and unrestricted data.
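The reduction can be sketched in Haskell as follows. Under the encoding 1 ↦ true and ω ↦ false, a normalized predicate µ ≤ ν 1 · . . . · ν k becomes the Horn clause µ ⇐ ν 1 ∧ · · · ∧ ν k . For simplicity this sketch decides satisfiability by computing the least model of the definite clauses with naive unit propagation, rather than with a worklist-based linear-time algorithm; all names are ours.

```haskell
import Data.List (nub)

-- Atoms: the constants 1 and ω, and multiplicity variables.
data Atom = AOne | AOmega | AVar String deriving (Eq, Show)

-- A normalized predicate  µ ≤ ν1·…·νk  (head, body); it corresponds
-- to the Horn clause  µ ⇐ ν1 ∧ … ∧ νk  under 1 ↦ true, ω ↦ false.
data Pred = Atom :<=: [Atom] deriving (Eq, Show)

holdsIn :: [String] -> Atom -> Bool
holdsIn _  AOne     = True
holdsIn _  AOmega   = False
holdsIn ts (AVar v) = v `elem` ts

-- Least model of the definite clauses via unit propagation: the set
-- of variables forced to 1 (true).
forced :: [Pred] -> [String]
forced ps = go []
  where
    go ts | length ts' == length ts = ts
          | otherwise               = go ts'
      where ts' = nub (ts ++ [ v | AVar v :<=: body <- ps
                                 , all (holdsIn ts) body ])

-- Satisfiable iff no clause with head ω fires in the least model.
sat :: [Pred] -> Bool
sat ps = null [ () | AOmega :<=: body <- ps, all (holdsIn ts) body ]
  where ts = forced ps

-- Q |= µ ≤ Πνi  iff  Q ∧ ⋀i (νi ≤ 1) ∧ (ω ≤ µ) is unsatisfiable.
entails :: [Pred] -> Pred -> Bool
entails q (m :<=: ns) =
  not (sat (q ++ [ n :<=: [AOne] | n <- ns ] ++ [AOmega :<=: [m]]))
```

For instance, the entailment p ≤ r ∧ r ≤ q |= p ≤ q from Sect. 2 is confirmed, while the empty constraint does not entail p ≤ q.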

Issue: Inference of Ambiguous Types
The inference system so far looks nice; the system is sound and complete, and infers principal types. However, there still exists an issue to overcome for the system to be useful: it often infers ambiguous types [15,27] in which internal multiplicity variables leak out to reveal internal implementation details.
Consider app' = λf.λx.app f x, where app = λf.λx.f x is from Example 1. We would expect that equivalent types are inferred for app and app'. However, this is not the case for the inference system; the type inferred for app' differs from the type of app. We highlight why as follows.
- By the abstractions, f is assigned type α f and multiplicity π f , and x is assigned type α x and multiplicity π x .
- By its use, app is instantiated to type (α → π β) → π f α → π x β with constraint π ≤ π x .
There are two problems with this inference result:
- The type of app' is ambiguous in the sense that the type-level variables in the constraint cannot be determined only by those that appear in the type body [15,27]. Usually, ambiguous types are undesirable, especially when their instantiation affects runtime behavior [15,27,31].
- Due to this ambiguity, the types of app and app' are not judged equivalent by the inference system. For example, the inference rejects the binding app' : ∀p p f p x a b. (p ≤ p x ) ⇒ (a → p b) → p f a → p x b = λf.λx.app f x because the system does not know how to instantiate the ambiguous type-level variables q f and q x , while the binding is valid in the type system in Sect. 2.
Inference of ambiguous types is common in our system: it is easily triggered by using already-defined variables. Rejecting ambiguous types is not a solution in our case, because it would reject many programs. Defaulting ambiguous type-level variables to 1 or ω is not a solution either, because it loses principality in general. Still, we would have no choice but to reject ambiguous types as long as multiplicities are relevant to runtime behavior.
In the next section, we show how we address the ambiguity issue under the assumption that multiplicities are irrelevant at runtime. Under this assumption, there is no problem in having multiplicity-monomorphic primitives, such as array-processing primitives (e.g., readMArray : ∀a. MArray a →_1 Int →_ω (MArray a ⊗ Un a)) [31]. Note that this assumption does not rule out multiplicity-polymorphic primitives altogether; it merely prevents primitives from inspecting multiplicities at runtime.

Disambiguation by Quantifier Elimination
In this section, we address the issue of ambiguous and leaky types by quantifier elimination. The basic idea is simple: we view the constraint of the inferred type of app′ as existentially quantifying its ambiguous variables, i.e., as ∃q_f q_x. (p ≤ q_x ∧ q_f ≤ p_f ∧ q_x ≤ p_x), which is logically equivalent to p ≤ p_x, and thus we can infer equivalent types for both app and app′. Fortunately, such quantifier elimination is always possible for our representation of constraints; that is, for any ∃p.Q there exists a quantifier-free Q′ that is logically equivalent to ∃p.Q. A technical subtlety is that, although we performed quantifier elimination after generalization in the explanation above, we actually perform it just before generalization, or more precisely, as a final step of simplification, for compatibility with the simplification in OutsideIn(X) [31], especially in the treatment of local assumptions.

Elimination of Existential Quantifiers
The elimination of existential quantifiers is rather easy; we simply use the well-known fact that the disjunction of a Horn clause and a definite clause can also be represented as a Horn clause. In terms of our encoding of normalized predicates (Sect. 3.2), which maps μ ≤ M to a Horn clause, the fact can be rephrased as follows (Lemma 12):

(μ ≤ M) ∨ (ω ≤ M′) ≡ μ ≤ M · M′

Here, we extend constraints to include ∨, and write ≡ for logical equivalence; that is, Q ≡ Q′ if and only if Q ⊨ Q′ and Q′ ⊨ Q.
As a corollary, we obtain the following result: there effectively exists a quantifier-free constraint Q′, denoted by elim(∃π.Q), that is logically equivalent to ∃π.Q.
Proof. Note that ∃π.Q means Q[π ↦ 1] ∨ Q[π ↦ ω], because π ranges over {1, ω}. We can safely assume that Q is normalized (Sect. 3.2) and that Q does not contain a predicate π ≤ M where π also appears in M, because such a predicate holds trivially. We define Φ_1, Φ_ω, and Q_rest as follows:

Φ_1 = {μ ≤ M′ | (μ ≤ M) ∈ Q, π appears in M, M′ is M with π removed (M′ = 1 if M = π)}
Φ_ω = {ω ≤ M | (π ≤ M) ∈ Q}
Q_rest = {φ ∈ Q | π does not appear in φ}

Here, we abuse notation and write φ ∈ Q to mean that Q = ⋀_i φ_i and φ = φ_i for some i. In the construction of Φ_1, we assume the monoid laws of (·); the definition says that we remove π from right-hand sides, the result being 1 if the right-hand side is exactly π. By construction, Q[π ↦ 1] and Q[π ↦ ω] are equivalent to (⋀ Φ_1) ∧ Q_rest and (⋀ Φ_ω) ∧ Q_rest, respectively. Thus, by Lemma 12 and the distributivity of ∨ over ∧, it suffices to define Q′ as

Q′ = Q_rest ∧ ⋀ {μ ≤ M · M′ | (μ ≤ M) ∈ Φ_1, (ω ≤ M′) ∈ Φ_ω}.

Example 2. Consider Q = π ≤ π′_x ∧ π′_f ≤ π_f ∧ π′_x ≤ π_x; this is the constraint obtained from λf.λx.app f x (Sect. 3.3). Since π′_f and π′_x do not appear in the inferred type (α →_π β) →_{π_f} α →_{π_x} β, we want to eliminate them by the step above. There is freedom in which variable to eliminate first; here, we choose π′_f.
First, we have elim(∃π′_f.Q) = π ≤ π′_x ∧ π′_x ≤ π_x, because for this case we have Φ_1 = ∅, Φ_ω = {ω ≤ π_f}, and Q_rest = π ≤ π′_x ∧ π′_x ≤ π_x. We then have elim(∃π′_x. π ≤ π′_x ∧ π′_x ≤ π_x) = π ≤ π_x, because for this case we have Φ_1 = {π ≤ 1}, Φ_ω = {ω ≤ π_x}, and Q_rest = ∅. In the worst case, the size of elim(∃π.Q) can be quadratic in that of Q; thus, repeated elimination can make the constraint exponentially larger. We believe that such blow-up rarely happens, because usually π occurs in only a few predicates of Q. Also, recall that non-singleton right-hand sides are caused only by multiplicity-parameterized constructors. When every right-hand side of ≤ in Q is a singleton, the same holds in elim(∃π.Q); in that case, exponential blow-up cannot happen, because the size of a constraint of this form is at most quadratic in the number of multiplicity variables.
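To make the construction concrete, the elimination step can be sketched as follows, on a simplified encoding of predicates as pairs (lhs, rhs_atoms) with atoms written "1", "w" (for ω), or variable names; the function name elim and the flat list representation are ours, not the paper's implementation.

```python
# A model of elim(exists v. Q): split Q into Phi_1, Phi_w, and Q_rest, then
# combine each pair of clauses from Phi_1 and Phi_w into a single Horn
# clause, using  (mu <= M) \/ (w <= M')  ==  mu <= M . M'.
# Predicates are pairs (lhs, rhs_atoms); atoms are "1", "w", or variables.

def elim(v, q):
    # predicates of the form  v <= ... . v . ...  hold trivially: drop them
    q = [(l, ms) for (l, ms) in q if not (l == v and v in ms)]
    # Phi_1: remove v from right-hand sides (an empty product stands for 1)
    phi1 = [(l, [a for a in ms if a != v]) for (l, ms) in q if v in ms]
    # Phi_w: predicates  v <= M  become  w <= M
    phiw = [("w", ms) for (l, ms) in q if l == v]
    # Q_rest: predicates not mentioning v
    rest = [(l, ms) for (l, ms) in q if l != v and v not in ms]
    # (/\ Phi_1) \/ (/\ Phi_w), distributed over /\ and merged clause-wise
    return rest + [(mu, ms1 + ms2) for (mu, ms1) in phi1 for (_, ms2) in phiw]
```

On the constraint of Example 2 (writing pf_ and px_ for the primed variables), eliminating π′_f and then π′_x yields exactly π ≤ π_x.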

Modified Typing Rules
As mentioned at the beginning of this section, we perform quantifier elimination as the last step of simplification. To do so, we define a judgment Q ⊢τ_simp C ↝ Q′; θ, a version of the simplification judgment annotated with the type τ. Here, τ is used to determine which unification variables will be ambiguous after generalization: for simplicity, we identify the variables (π above) that do not appear in τ as ambiguous [15]. This check is conservative with respect to a more general definition of ambiguity [27], under which, for example, ∀p r a. (p ≤ r, r ≤ p) ⇒ a →_p a is not judged ambiguous because r is determined by p.
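A minimal sketch of this conservative ambiguity check, under the same simplified representation of constraints as lists of pairs (lhs, rhs_atoms); the function names are hypothetical:

```python
# A sketch of the conservative ambiguity check: the multiplicity variables
# occurring in the constraint but not in the type are treated as ambiguous
# (and thus become subject to quantifier elimination before generalization).
# Constraints are lists of pairs (lhs, rhs_atoms); the atoms "1" and "w"
# are constants, everything else is a variable.

def fuv(q):
    """Free multiplicity variables of a constraint, in order of occurrence."""
    seen = []
    for lhs, ms in q:
        for a in [lhs] + ms:
            if a not in ("1", "w") and a not in seen:
                seen.append(a)
    return seen

def ambiguous_vars(ty_vars, q):
    """Variables of q that do not occur among the type's variables."""
    return [v for v in fuv(q) if v not in ty_vars]
```

For the inferred type of app′, whose type mentions p, p_f, and p_x while the constraint also mentions q_f and q_x, the check flags exactly q_f and q_x.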
Then, we replace the original simplification with the version defined above (in the rules, the changed parts are highlighted for readability).
Consider again the constraint obtained after simplification of the constraint gathered for app′. Following Example 2, eliminating the variables not in τθ = (α →_π β) →_{π_f} α →_{π_x} β yields the constraint π ≤ π_x. As a result, by generalization, we obtain for app′ the polytype ∀p p_f p_x a b. (p ≤ p_x) ⇒ (a →_p b) →_{p_f} a →_{p_x} b, which is equivalent to the inferred type of app.
Note that the pair (Q′, θ) in Q ⊢τ_simp C ↝ Q′; θ is no longer a solution of (Q, C), because C can mention eliminated variables. However, it is safe to use this version where generalization takes place because, for variables q that do not occur in τ, the types ∀p q a. Q ⇒ τ and ∀p a. Q′ ⇒ τ have the same set of monomorphic instances whenever ∃q.Q is logically equivalent to Q′. Note that, in this type system, simplification happens only right before (implicit) generalization takes place.

Extension to Local Assumptions
In this section, following OutsideIn(X) [31], we extend our system with local assumptions, which enable us to have lets and GADTs. We focus on the treatment of lets in this section because type inference for lets involves a linearity-specific concern: the multiplicity of a let-bound variable.

"Let Should Not Be Generalized" for Our Case
We first argue that, also in our case, "let should not be generalized" [31]; that is, generalization of let sometimes results in counter-intuitive typing and conflicts with the discussions so far.
Consider the following program:

h = λf.λk. let y = f (λx.k x) in 0

Suppose for simplicity that f and k have types (a →_{π_1} b) →_{π_2} c and a →_{π_3} b, respectively (here we focus only on the treatment of multiplicity). Then, f (λx.k x) has type c with the constraint π_3 ≤ π_1. Thus, after generalization, y has type (π_3 ≤ π_1) ⇒ c, where π_3 and π_1 are neither generalized nor eliminated because they escape from the definition of y. As a result, h has a type of the form ∀p_1 p_2 p_3 a b c. ⋯ in which there is no constraint p_3 ≤ p_1, because the definition of y itself does not yield a constraint. This nonexistence of the constraint would be counter-intuitive, because the user wrote f (λx.k x) while the constraint for this expression is not imposed. In particular, no error is reported even when f : (a →_1 b) →_1 c and k : a →_ω b, although f (λx.k x) is illegal for this case. Also, if we change 0 to y, the error happens at the use site instead of the definition site. Moreover, the type is fragile, as it depends on whether y occurs or not; for example, if we change 0 to const 0 y, where const = λa.λb.a, the type of h changes to one of the form ∀p_1 p_2 p_3 a b c. (p_3 ≤ p_1) ⇒ ⋯.
In this discussion, we did not consider type-equality constraints, but there is no legitimate reason why type-equality constraints could be solved on the fly in typing y.
As demonstrated by the example above, "let should not be generalized" [30,31] in our case either. Thus, we adopt the same principle as OutsideIn(X): a let is generalized only if the user writes a type annotation for it [31]. This principle is also adopted in GHC (as of 6.12.1, when the language option MonoLocalBinds is turned on), with a slight relaxation that generalizes closed bindings.

Multiplicity of Let-Bound Variables
Another issue with let-generalization, specific to linear typing, is that the generalization result depends on the multiplicity of the let-bound variable. Consider the following program, where we want to generalize the type of y (even without a type annotation):

g = λx. let y = λf.f x in y not

Suppose for simplicity that not has type Bool →_1 Bool and that x already has type Bool in typing the let. Then, y's body λf.f x has a monotype (Bool →_π r) →_{π′} r with no constraints (on multiplicity). There are two generalization results, depending on the multiplicity π_y of y, because the use of x in y's body also escapes in the type system.
- If π_y = 1, the type is generalized into ∀q r. (Bool →_π r) →_q r, where π is not generalized because the use of x in y's body is π.
- If π_y = ω, the type is generalized into ∀p q r. (Bool →_p r) →_q r, where π is generalized (to p) because the use of x in y's body is ω.
A difficulty here is that π_y needs to be determined at the definition of y, while constraints on π_y are obtained only from the uses of y. Our design choice is the latter of the above: the multiplicity of a generalizable let-bound variable is ω in our system. One justification for this choice is that a motivation of polymorphic typing is to enhance reusability, while reuse is not possible for variables with multiplicity 1. Another justification is compatibility with recursive definitions, where recursively defined variables must have multiplicity ω; it could be confusing, for example, if the multiplicity of a list-manipulation function changed after its definition is rewritten from an explicit recursion to foldr.

Inference Rule for Lets
In summary, our criteria for let-generalization are as follows:
- Only lets with polymorphic type annotations are generalized.
-Variables introduced by let to be generalized have multiplicity ω.
This idea can be represented by a typing rule in which the body of a generalizable let is checked under an implication constraint. (We do not discuss non-generalizable lets, because they are typed as (λx.e_2) e_1.) Constraints of the form ∃πα.(Q ⊨_{τ_1} C_1 ∧ τ ∼ τ_1) are called implication constraints [31]; they state that the entailment must hold by instantiating only the unification variables in πα. Implication constraints play two roles. One is to delay checking, because τ_1 and C_1 contain unification variables that will be made concrete only after this point, by solving C_2. The other is to guard constraints: in the above example, since the constraints C_1 ∧ τ ∼ τ_1 must hold under the assumption Q, it is not safe to substitute variables outside πα when solving them, because the equivalence might be a consequence of Q; recall that Q affects type equality. We note a slight deviation from the original approach [31]: an implication constraint in our system is annotated with τ_1, which identifies the subset of {πα} for which the existence of a unique solution is not required and thus quantifier elimination is possible, similarly to Sect. 4.

Solving Constraints
Now, the set of constraints is extended to include implication constraints:

C ::= ⋀_i ψ_i        ψ ::= ⋯ | ∃πα.(Q ⊨_τ C)

As mentioned above, an implication constraint ∃πα.(Q ⊨_τ C) means that Q ⊨ C must hold after substituting appropriate values for the variables in πα, where we do not require uniqueness of solutions for unification variables that do not appear in τ; that is, Q ⊢τ_simp C ↝ Q_r; θ must hold with Q_r empty and dom(θ) ⊆ {πα}. Then, following OutsideIn(X) [31], we define the solving judgment πα. Q ⊢τ_solv C ↝ Q′; θ, which states that (Q, C) is solved as (Q′, θ), where θ touches only the variables in πα and τ is used for disambiguation (Sect. 4). Let us write impl(C) for the implication constraints in C, and simpl(C) for the rest. Then, the inference rules for the judgment are defined simply by recursive simplification, similarly to the original [31].
Here, πα. Q ⊢τ_simpl C ↝ Q_r; θ is a simplification relation defined similarly to Q ⊢τ_simp C ↝ Q_r; θ, except that only the variables in {πα} may be touched. We omit the concrete rules of this version of the simplification relation, as they are straightforward, except that the unification performed by S-Uni and S-Eq and the quantifier elimination (Sect. 4) are allowed only for variables in {πα}.
Accordingly, we also change the typing rules for bindings to use the solving relation instead of the simplification relation.
The definition of the solving judgment and the updated inference rules for programs are the same as those in the original OutsideIn(X) [31], except for the τ annotations used for disambiguation. This is one of the advantages of basing our system on OutsideIn(X).

Implementation and Evaluation
In this section, we evaluate the proposed inference method using our prototype implementation. We first report the types inferred for functions from Prelude, to see whether the inferred types are reasonably simple. We then report a performance evaluation measuring the efficiency of type inference and the overhead due to entailment checking and quantifier elimination.

Implementation
The implementation follows the present paper except on a few points. Following the implementation of OutsideIn(X) in GHC, our type checker keeps a natural number, which we call an implication level, corresponding to the depth of implication constraints, and each unification variable also keeps the implication level at which it was introduced. As usual, we represent unification variables by mutable references. We perform unification on the fly by destructive assignment, while unification of variables whose implication levels are smaller than the current level is recorded for the later checking of implication constraints; such a variable cannot be in πα of ∃πα.(Q ⊨_τ C). The implementation supports GADTs, which can be implemented rather easily by extending the constraints Q with type equalities, but does not support type classes, since handling them requires another X of OutsideIn(X).
Although we could use a linear-time Horn SAT algorithm [10] for checking Q ⊨ φ, the implementation uses a general SAT solver based on DPLL [8,9], because the unit propagation in DPLL already works efficiently on Horn formulas. We do not use external solvers, such as Z3, as we conjecture that the formulas involved are usually small, and the overhead of invoking an external solver would be high.
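The entailment check can be sketched on the Horn-clause encoding as follows. This models Q ⊨ φ as unsatisfiability of Q ∧ ¬φ and decides satisfiability by the least-model construction rather than DPLL, and it assumes that φ's right-hand side contains no ω (a predicate with ω on the right-hand side holds trivially); the representation is our own simplification, not the prototype's code.

```python
# A sketch of the entailment check  Q |= (mu <= M)  via unsatisfiability of
# Q /\ not(mu <= M), on the Horn-clause encoding (least-model solving is
# used here instead of DPLL).  Predicates are pairs (lhs, rhs_atoms), with
# atoms "1", "w" (for omega), or variable names.

def holds(atom, trues):
    return atom == "1" or (atom != "w" and atom in trues)

def least_model(preds):
    trues, changed = set(), True
    while changed:
        changed = False
        for head, body in preds:
            if head not in ("1", "w") and head not in trues and \
                    all(holds(a, trues) for a in body):
                trues.add(head)
                changed = True
    return trues

def sat(preds):
    m = least_model(preds)
    return all(holds(head, m) for head, body in preds
               if all(holds(a, m) for a in body))

def entails(q, pred):
    mu, ms = pred
    # not(mu <= M): force every variable of M to 1 ...
    extra = [(v, []) for v in ms if v not in ("1", "w")]
    # ... and deny the head:
    if mu == "1":
        extra.append(("w", []))    # not(1 <= M) is absurd; force unsat
    elif mu != "w":
        extra.append(("w", [mu]))  # the head variable is forced to w
    # for mu == "w", the negation is just "every variable of M equals 1"
    return not sat(q + extra)
```

For instance, p ≤ q ∧ q ≤ r entails p ≤ r (transitivity), while the empty constraint does not entail p ≤ q.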

Functions from Prelude
We show how our type inference system works for some polymorphic functions from Haskell's Prelude. Since we have not implemented type classes and I/O in our prototype, and since copying and discarding functions can be defined for concrete first-order datatypes, we focus on the unqualified polymorphic functions. We also exclude functions that are obviously unrestricted, such as head and scanl, from this examination. In implementing the examined functions, we use definitions that are as natural as possible; for example, a linear-time accumulative definition is used for reverse. Some functions can be defined both by explicit recursion and via foldr/foldl: among the examined functions, map, filter, concat, and concatMap can be defined by foldr, and reverse can be defined by foldl. For such cases, both versions are tested. Fig. 7 shows the inferred types of the examined functions. Since the inferred types coincide for the two variants (by explicit recursion or by folds) of map, filter, append, reverse, concat, and concatMap, the results do not distinguish these variants. Most of the inferred types look unsurprising, considering that the constraint p ≤ q usually arises when an input corresponding to q is used in an argument position corresponding to p. For example, consider foldr f e xs. The constraint q ≤ r comes from the fact that e (corresponding to r) is passed as the second argument of f (corresponding to q) via a recursive call. The constraint p ≤ s comes from the fact that the head of xs (corresponding to s) is used as the first argument of f (corresponding to p). The constraint q ≤ s comes from the fact that the tail of xs is used in the second argument of f. A little explanation is needed for the constraint r ≤ s in the type of foldl, where r and s are associated with types of the same polarity; such constraints usually come from recursive definitions.
Consider the definition of foldl:

foldl = λf.λe.λx.case x of {Nil → e; Cons a y → foldl f (f e a) y}

Here, a, a component of x (corresponding to s), appears in the second argument of foldl (corresponding to r), which yields the constraint r ≤ s.
Note that the inference results do not contain →_1; recall that there is no problem in using unrestricted inputs linearly, and thus the multiplicity of a linear input can be arbitrary. The results also show that the inference algorithm successfully detected that append, reverse, and concat are linear functions.
It is true that these inferred types leak some internal details into their constraints, but those constraints can be understood from the functions' extensional behaviors alone, at least for the examined functions. Thus, we believe that the inferred types are reasonably simple.

Performance Evaluation

We measured the elapsed time for type checking and the overhead of implication checking and quantifier elimination. The following programs were examined in the experiments:

- funcs: the functions in Fig. 7,
- gv: an implementation of simple communication in the session-type system GV [17], taken from [18, Section 4] with some modifications,⁶
- app1: a pair of the definitions of app and app′, and
- app10: a pair of the definitions of app and app10 = λf.λx. app … app.

The experiments were conducted on a MacBook Pro (13-inch, 2017) with Mac OS 10.14.6, a 3.5 GHz Intel Core i7 CPU, and 16 GB of memory. GHC 8.6.5 with -O2 was used to compile our prototype system. Table 1 lists the experimental results. Each elapsed time is the average of 1,000 executions for the first two programs and of 10,000 executions for the last two. All columns are self-explanatory except for the # column, which counts the number of executions of the corresponding procedures. We note that the current implementation restricts Q_w in S-Entail to be empty and removes redundant constraints afterward; this is why the number of SAT invocations in app1 is four instead of two. For the artificial programs (app1 and app10), the overhead is not significant: the typing cost grows faster than the SAT/QE costs. In contrast, the results for the other two programs show that SAT solving becomes heavy for programs with many higher-order functions (funcs), and quantifier elimination becomes heavy for combinator-heavy programs (gv), although we believe the overhead is still acceptable. Since we currently use naive algorithms for both procedures, there is much room to reduce the overhead; for example, if users annotate most-general types, simplification often performs trivial checks of the form ⋀_i φ_i ⊨ φ_i, and special treatment of such cases would reduce the overhead.

⁶ We changed the type of fork to Dual s s′ →_ω (Ch s →_1 Ch End) →_1 (Ch s′ →_1 Un r) →_1 r, as the original type Dual s s′ ⇒ (Ch s →_1 Ch End) →_1 Ch s′ is incorrect for the multiplicity-erasing semantics. A minor difference is that we used a GADT to witness duality, because our prototype implementation does not support type classes.

Related Work
Borrowing the terminology of Bernardy et al. [7], there are two approaches to linear typing: linearity via arrows and linearity via kinds. The former approaches manage how many times an assumption (i.e., a variable) can be used; for example, in Wadler's linear λ-calculus [33], there are two sorts of variables, linear and unrestricted, where the latter can only be obtained by decomposing let !x = e_1 in e_2. Since the primitive sources of assumptions are arrow types, it is natural to annotate them with the arguments' multiplicities [7,12,22]. For multiplicities, we focused on 1 and ω, following Linear Haskell [6,7,26]. Although {1, ω} is already useful for some domains, including reversible computation [19,35] and quantum computation [2,25], handling more general multiplicities, such as {0, 1, ω} and arbitrary semirings [12], is an interesting direction for future work. Our discussions in Sect. 2 and 3 could, similarly to Linear Haskell [7], be extended to more general domains with small modifications. In contrast, we rely on the particular domain {1, ω} of multiplicities for the crucial points of our inference, i.e., entailment checking and quantifier elimination. Igarashi and Kobayashi's linearity analysis for the π-calculus [14], which assigns input/output usages (multiplicities) to channels, is similar in flavor to linearity via arrows. Multiplicity 0 is important in their analysis to identify input-only and output-only channels. They solve constraints on multiplicities separately, in polynomial time, leveraging the monotonicity of the multiplicity operators with respect to the ordering 0 ≤ 1 ≤ ω; here, 0 ≤ 1 comes from the fact that 1 in their system means "at most once" instead of "exactly once". The "linearity via kinds" approaches instead distinguish types whose values are treated linearly from types whose values are not [21,24,28], usually representing the distinction by kinds [21,28].
Interestingly, these systems have two function types, one belonging to the linear kind and one to the unrestricted kind, because the kind of a function type cannot be determined solely by its argument and return types. Mazurak et al. [21] use subkinding to avoid explicit conversions from unrestricted values to linear ones. However, due to the two variants of function types, a function can have multiple incompatible types; e.g., the function const has four incompatible types in their system [24]. Universal types accompanied by kind abstraction [28] address the issue to some extent; this works well for const but still gives two incomparable types to the function composition operator (∘) [24]. Morris [24] addresses this issue of principality with qualified typing [15]. Two forms of predicates are considered in his system: Un τ, stating that τ belongs to the unrestricted kind, and σ ≤ τ, stating that Un σ implies Un τ. The system is considerably simpler than the previous ones. Turner et al.'s type-based usage analysis [29] bears similarity to linearity via kinds; in their system, each type is annotated with a usage (a multiplicity), as in (List Int^ω)^ω. Wansbrough and Peyton Jones [34] extend the system with polymorphic types and subtyping with respect to multiplicities, and discuss multiplicity polymorphism. Mogensen [23] follows a similar line of work and reduces constraint solving on multiplicities to Horn SAT. His system concerns the multiplicities {0, 1, ω} with the ordering 0 ≤ 1 ≤ ω, and his constraints can involve more operations, including additions and multiplications, though only on the left-hand side of ≤.
Morris [24] uses improving substitutions [16] in generalization, which are sometimes effective for removing ambiguity, though he gives no concrete algorithm for finding them. In our system, elim(∃π.Q), as well as S-Eq, can be viewed as a systematic way to find improving substitutions. That is, elim(∃π.Q) improves Q by substituting π with min{M_i | (ω ≤ M_i) ∈ Φ_ω}, i.e., the largest possible candidate for π. Though the largest solution is usually undesirable, especially when the right-hand sides of ≤ are all singletons, we can also view elim(∃π.Q) as substituting π with ∏{μ_i | (μ_i ≤ 1) ∈ Φ_1}, i.e., the smallest possible candidate.

Conclusion
We designed a type inference method for a rank 1 fragment of λ^q_→ [7] that infers principal types, based on the qualified typing system OutsideIn(X) [31]. We observed that naive qualified typing often infers ambiguous types, and we addressed this issue by quantifier elimination. The experiments suggested that the proposed inference system infers principal types effectively, and that the overhead compared with unrestricted typing is acceptable, though not negligible.
Since our work is based on the inference algorithm used in GHC, a natural next step is to implement the system in GHC. A technical challenge there is to combine the disambiguation techniques with other sorts of constraints, especially type classes, and with arbitrary-rank polymorphism.