Temporal Refinements for Guarded Recursive Types

We propose a logic for temporal properties of higher-order programs that handle infinite objects like streams or infinite trees, represented via coinductive types. Specifications of programs use safety and liveness properties. Programs can then be proven to satisfy their specification in a compositional way, our logic being based on a type system. The logic is presented as a refinement type system over the guarded \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\lambda $$\end{document}λ-calculus, a \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\lambda $$\end{document}λ-calculus with guarded recursive types. The refinements are formulae of a modal \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mu $$\end{document}μ-calculus which embeds usual temporal modal logics such as LTL and CTL. The semantics of our system is given within a rich structure, the topos of trees, in which we build a realizability model of the temporal refinement type system.


Introduction
Functional programming is by now well established to handle infinite data, thanks to declarative definitions and equational reasoning on high-level abstractions, in particular when infinite objects are represented with coinductive types. In such settings, programs in general do not terminate, but are expected to compute a part of their output in finite time. For example, a program expected to generate a stream should produce the next element in finite time: it is productive.
Our goal is to prove input-output temporal properties of higher-order programs that handle coinductive types. Logics like LTL, CTL or the modal μcalculus are widely used to formulate, on infinite objects, safety and liveness properties. Safety properties state that some "bad" event will not occur, while liveness properties specify that "something good" will happen (see e.g. [9]). Typically, modalities like P (always) or Q (eventually) are used to write properties of streams or infinite trees and specifications of programs over such data.
We consider temporal refinement types {A | ϕ}, where A is a standard type of our programming language, and ϕ is a formula of the modal μ-calculus. Using refinement types [22], temporal connectives are not reflected in the programming language, and programs are formally independent from the shape of their temporal specifications. One can thus give different refinement types to the same program. For example, the following two types can be given to the same map function on streams: the function (map f ) takes a stream with infinitely many (resp. ultimately all) elements satisfying ψ to one with infinitely many (resp. ultimately all) elements satisfying ϕ. For ϕ a formula over A, [hd]ϕ is a formula over streams of A's which holds on a given stream if ϕ holds on its head element. It is undecidable whether a given higher-order program satisfies a given inputoutput temporal property written with formulae of the modal μ-calculus [41]. Having a type system is a partial workaround to this obstacle, which moreover enables to reason compositionally on programs, by decomposing a specification to the various components of a program in order to prove its global specification.
Our system is built on top of the guarded λ-calculus [18], a higher-order programming language with guarded recursion [52]. Guarded recursion is a simple device to control and reason about unfoldings of fixpoints. It can represent coinductive types [50] and provides a syntactic compositional productivity check [5].
Safety properties (e.g. P[hd]ϕ) can be correctly represented with guarded fixpoints, but not liveness properties (e.g. Q [hd]

ϕ, QP[hd]ϕ, PQ[hd]ϕ).
Combining liveness with guarded recursion is a challenging problem since guarded fixpoints tend to have unique solutions. Existing approaches to handle temporal types in presence of guarded recursion face similar difficulties. Functional reactive programming (FRP) [21] provides a Curry-Howard correspondence for temporal logics [32,33,17] in which logical connectives are reflected as programming constructs. When combining FRP with guarded recursion [44,7], and in particular to handle liveness properties [8], uniqueness of guarded fixpoints is tempered by specific recursors for temporal types.
Our approach is different from [8], as we wish as much as possible the logical level not to impact the program level. We propose a two level system, with the lower or internal level, which interacts with guarded recursion and at which only safety properties are correctly represented, and the higher or external one, at which liveness properties are correctly handled, but without direct access to guarded recursion. By restricting to the alternation-free modal μ-calculus, in which fixpoints can always be computed in ω-steps, one can syntactically reason on finite unfoldings of liveness properties, thus allowing for crossing down the safety barrier. Soundness is proved by a realizability interpretation based on the semantics of guarded recursion in the topos of trees [13], which correctly represents the usual set-theoretic final coalgebras of polynomial coinductive types [50].
Organization of the paper. We give an overview of our approach in §2. Then §3 presents the syntax of the guarded λ-calculus. Our base temporal logic (without liveness) is introduced in §4, and is used to define our refinement type system in §5. Liveness properties are handled in §6. The semantics is given in §7, and §8 presents examples. Finally, we discuss related work in §9 and future work in §10. Table 4 ( §8) gathers the main refinement types we can give to example functions, most of them defined in Table 3. Omitted material is available in [28].

Outline
Overview of the Guarded λ-Calculus. Guarded recursion enforces productivity of programs using a type system equipped with a type modality , in order to indicate that one has access to a value not right now but only "later". One can define guarded streams Str g A over a type A via the guarded recursive definition Str g A = A × Str g A. Streams that inhabit this type have their head available now, but their tail only one step in the future. The type modality is reflected in programs with the next operation. One also has a fixpoint constructor on terms fix(x).M for guarded recursive definitions. They are typed with This allows for the constructor and basic destructors on guarded streams to be defined as in Fig. 1, where fold(−) and unfold(−) are explicit operations for folding and unfolding guarded recursive types. In the following, we use the infix notation a :: g s for Cons g a s. Using the fact that the type modality is an applicative functor [49], we can distribute over the arrow type. This is represented in the programming language by the infix applicative operator . With it, one can define the usual map function on guarded streams as in Fig. 1.
Compositional Safety Reasoning on Streams. Given a property ϕ on a type A, we would like to consider a subtype of Str g A that selects those streams whose elements all satisfy ϕ. To do so, we use a temporal modal formula P[hd]ϕ, and consider the refinement type {Str g A | P[hd]ϕ}. Suppose for now that we can give the following refinement types to the basic stream operations: By using the standard typing rules for λ-abstraction and application, together with the rules to type fix(x).M and , we can type the function map g as A Manysorted Temporal Logic. Our logical language, taken with minor adaptations from [30], is manysorted : for each type A we have formulae of type A (notation ϕ : A), where ϕ selects inhabitants of A.
We use atomic modalities ([π i ], [fold], [next], . . . ) in refinements to navigate between types (see Fig. 5, §4). For instance, a formula ϕ of type A 0 , specifying a property over the inhabitants of A 0 , can be lifted to the formula [π 0 ]ϕ of type A 0 × A 1 , which intuitively describes those inhabitants of A 0 × A 1 whose first component satisfy ϕ. Given a formula ϕ of type A, one can define its "head lift" [hd]ϕ of type Str g A, that enforces ϕ to be satisfied on the head of the provided stream. Also, one can define a modality such that given a formula ψ : Str g A, the formula ψ : Str g A enforces ψ to be satisfied on the tail of the provided stream. These modalities are obtained resp. as [ We also provide a deduction system A ϕ on temporal modal formulae. This deduction system is used to define a subtyping relation T ≤ U between refinement types, with {A | ϕ} ≤ {A | ψ} when A ϕ ⇒ ψ. The subtyping relation thus incorporates logical reasoning in the type system.
In addition, we have greatest fixpoints formulae ν αϕ (so that formulae can have free typed propositional variables), equipped with Kozen's reasoning principles [43]. In particular, we can form an always modality as Pϕ := ν α. ϕ ∧ α, with Pϕ : Str g A if ϕ : Str g A. The formula Pϕ holds on a stream s = (s i | i ≥ 0), iff ϕ holds on every substream (s i | i ≥ n) for n ≥ 0. If we rather start with ψ : A, one first need to lift it to [hd]ψ : Str g A. Then P[hd]ψ means that all the elements of the stream satisfies ψ, since all its suffixes satisfy [hd]ψ. Table 1 summarizes the different judgments used in this paper.
Beyond Safety. In order to handle liveness properties, we also need to have least fixpoints formulae μαϕ. For example, this would give the eventually modality Qϕ := μα. ϕ ∨ α. With Kozen-style rules, one could then give the following two types to the guarded stream constructor: Internal Semantics in the Topos of Trees. The types of the guarded λcalculus can be interpreted as sequences of sets (X(n)) n>0 where X(n) represents the values available "at time n". In order to interpret guarded recursion, one also needs to have access to functions r X n : X(n + 1) → X(n), which tell how values "at n+1" can be restricted (actually most often truncated) to values "at n". This means that the objects used to represent types are in fact presheaves over the poset (N \ {0}, ≤). The category S of such presheaves is the topos of trees [13]. For instance, the type Str g B of guarded streams over a finite base type B is interpreted in S as (B n ) n>0 , with restriction maps taking (b 0 , . . . , b n−1 , b n ) to (b 0 , . . . , b n−1 ). We write A for the interpretation of a type A in S.
The Necessity of an External Semantics. The topos of trees cannot correctly handle liveness properties. For instance, the formula Q[hd][b] cannot describe in S the set of streams that contain at least one occurrence of b. Indeed, the interpretation of Q[hd] [b] in S is a sequence (C(n)) n>0 with C(n) ⊆ B n . But any element of B n can be extended to a stream which contains an occurrence of b. Hence C(n) should be equal to B n , and the interpretation of Q[hd][b] is the whole Str g B . More generally, guarded fixpoints have unique solutions in the topos of trees [13], and Qϕ = μα. ϕ ∨ ϕ gets the same interpretation as ν α. ϕ ∨ α.
We thus have a formal system with least and greatest fixpoints, that has a semantics inside the topos of trees, but which does not correctly handle least fixpoints. On the other hand, it was shown by [50] that the interpretation of guarded polynomial (i.e. first-order) recursive types in S induces final coalgebras for the corresponding polynomial functors on the category Set of usual sets and functions. This applies e.g. to streams and colists. Hence, it makes sense to think of interpreting least fixpoint formulae over such types externally, in Set.

Fig. 2. Internal and External Semantics
The Constant Type Modality. Figure 2 represents adjoint functors Γ : S → Set and Δ : Set → S. To correctly handle least fixpoints μαϕ : A, we would like to see them as subsets of Γ A in Set rather than subobjects of A in S. On the other hand, the internal semantics in S is still necessary to handle definitions by guarded recursion. We navigate between the internal semantics in S and the external semantics in Set via the adjunction Δ Γ . This adjunction induces a comonad ΔΓ on S, which is represented in the guarded λ-calculus of [18]  Approximating Least Fixpoints. For proving liveness properties on functions defined by guarded recursion, one needs to navigate between e.g. [box]Qϕ and Qϕ, while Qϕ is in general unsafe. The fixpoint Qϕ = μα.ϕ ∨ α is alternation-free (see e.g. [16, §4.1]). This implies that Qϕ can be seen as the supremum of the m ϕ for m ∈ N, where each m ϕ is safe when ϕ is safe. More generally, we can approximate alternation-free μαϕ by their finite unfoldings ϕ m (⊥),à la Kleene. We extend the logic with finite iterations μ k αϕ, where k is an iteration variable, and where μ k αϕ is seen as ϕ k (⊥). Let Q k ϕ := μ k α. ϕ∨ α. If ϕ is safe then so is Q k ϕ. For safe ϕ, ψ, we have the following refinement typings for the guarded recursive map g and its coinductive lift map:

The Pure Calculus
Our system lies on top of the guarded λ-calculus of [18]. We briefly review it here. We consider values and terms from the grammar given in Fig. 3 (left). In v ::= M, N : . We consider the weak call-by-name reduction of [18], recalled in Fig. 3 (right).
Pure types (notation A, B, etc.) are the closed types over the grammar where, (1) in the case Fix(X).A, each occurrence of X in A must be guarded by a , and (2) in the case of A, the type A is closed (i.e. has no free type variable). Guarded recursive types are built with the fixpoint constructor Fix(X).A, which allows for X to appear in A both at positive and negative positions, but only under a . In this paper we shall only consider positive types. Example 3.2. Besides streams (Str g A), colists (CoList g A), conatural numbers (CoNat g ) and infinite binary trees (Tree g A), we consider a type Res g A of resumptions (parametrized by I, O) adapted from [44], and a higher-order recursive type Rou g A, used in Martin Hofmann's breadth-first tree traversal (see e.g. [10]): Some typing rules of the pure calculus are given in Fig. 4, where a pure type A is constant if each occurrence of in A is guarded by a . The omitted rules are the standard ones for simple types with finite sums and products [28, §A].   Figure 1 defines some operations on guarded streams. On other types of Ex. 3.2, we have e.g. the constructors of colists Nil g := fold(in 0 ) : These definitions follow a general pattern to lift a function over a guarded recursive type into one over its coinductive version, by performing an η-expansion with some box and unbox inserted in the right places. For example, one can define the map function on coinductive streams as:

A Temporal Modal Logic
We present here a logic of (modal) temporal specifications. We focus on syntactic aspects. The semantics is discussed in §7. For the moment the logic has only one form of fixpoints (ν αϕ). It is extended with least fixpoints (μαϕ) in §6.
Manysorted Modal Temporal Formulae. The main ingredient of this paper is the logical language we use to annotate pure types when forming refinement types. This language, that we took with minor adaptations from [30], is manysorted : for each pure type A we have formulae ϕ of type A (notation ϕ : A). The formulation rules of formulae are given in Fig. 5.   ϕ should hold on a tree t over A iff the root label of t satisfies ϕ, and ϕ (resp. r ϕ) should hold on t iff ϕ holds on the left (resp. right) immediate subtree of t.

A Temporally Refined Type System
Temporal refinement types (or types), notation T, U, V, etc., are defined by: where ϕ : A and, in the case of T , the type T has no free type variable. So types are built from (closed) pure types A and temporal refinements {A | ϕ}. They allow for all the type constructors of pure types. As a refinement type {A | ϕ} intuitively represents a subset of the inhabitants of A, it is natural to equip our system with a notion of subtyping. In addition to the usual rules for product, arrow and sum types, our subtyping relation is made of two more ingredients. The first follows the principle that our refinement type system is meant to prove properties of programs, and not to type more programs, so that (say) a type of the form {A | ϕ} → {B | ψ} is a subtype of A → B. We formalize this with the notion of underlying pure type |T | of a type T . The second ingredient is the modal theory A ϕ of §4. The subtyping rules concerning refinements are given in Fig. 7, where T ≡ U enforces both T ≤ U and U ≤ T . The full set of rules is given in [28, §C]. Notice that subtyping does not incorporate (un)folding of guarded recursive types.
Typing for refinement types is given by the rules of Fig. 8  Example 5.1. Since ϕ ⇒ ψ ⇒ (ϕ ∧ ψ) and using two times the rule (MP), we get the first derived rule below, from which we can deduce the second one: Example 5.2. We have the following derived rules: Example 5.4 (" Always" (P) on Guarded Streams). The refined types of Cons g , hd g , tl g and map g mentioned in §2 are easy to derive. We also have the type for the merge g function which takes two guarded streams and interleaves them: .λs 0 .λs 1 . (hd g s 0 ) :: g next (hd g s 1 ) :: g (g (tl g s 0 ) (tl g s 1 ))

The Full System
The system presented so far has only one form of fixpoints in formulae (ν αϕ).
We now present our full system, which also handles least fixpoints (μαϕ) and thus liveness properties. A key role is played by polynomial guarded recursive types, that we discuss first.  ϕ and α guarded in ϕ). The Full Temporal Modal Logic. We assume given a first-order signature of iteration terms (notation t, u, etc.), with iteration variables k, , etc., and for each iteration term t(k 1 , . . . , k m ) with variables as shown, a given primitive recursive function t : N m → N. We assume a term 0 for 0 ∈ N and a term k+1 for the successor function n ∈ N → n + 1 ∈ N.
The formulae of the full temporal modal logic extend those of Fig. 5 with least fixpoints μαϕ and with approximated fixpoints μ t αϕ and ν t αϕ where t is an iteration term. The additional formation rule for formulae are given in Fig. 9. We use θ as a generic notation for μ and ν. Least fixpoints μαϕ are equipped with their usual Kozen axioms. In addition, iteration formulae ν t αϕ(α) and μ t αϕ(α) have axioms expressing that they are indeed iterations of ϕ(α) from resp. and ⊥. A fixpoint logic with iteration variables was already considered in [63]. On trees, we have the CTL-like ∃Qϕ := μα. ϕ ∨ ( α ∨ r α) and ∀Qϕ := μα. ϕ ∨ ( α ∧ r α). The formula ∃Qϕ is intended to hold on a tree if there is a finite path which leads to a subtree satisfying ϕ, while ∀Qϕ is intended to hold if every infinite path crosses a subtree satisfying ϕ. Remark 6.4. On finitary trees (as in Ex. 6.1 but with A i , B i finite base types), we have all formulae of the modal μ-calculus. For this fragment, satisfiability is decidable (see e.g. [16]), as well as the classical theory c by completeness of Kozen's axiomatization [68] (see [58] for completeness results on fragments of the μ-calculus).

The Safe and Smooth Fragments.
We now discuss two related but distinct fragments of the temporal modal logic. Both fragments directly impact the refinement type system by allowing for more typing rules.
The safe fragment plays a crucial role, because it reconciles the internal and external semantics of our system (see §7). It gives subtyping rules for (Fig. 11), which makes available the comonad structure of on [box]ϕ when ϕ is safe.
Our notion of alternation freedom is adapted from [16], in which propositional (fixpoint) variables are always positive. Note that the smooth restriction imposes no further conditions on approximated fixpoints θ t α. In the smooth fragment, greatest and least fixpoints can be thought about resp. as Iteration terms allow for formal reasoning about such unfoldings. Assuming t = m ∈ N, the formula ν t αϕ(α) (resp. μ t αϕ(α)) can be read as ϕ m ( ) (resp. ϕ m (⊥)). This gives the rules (ν-I) and (μ-E) (Fig. 11 The Full System. We extend the types of §5 with universal quantification over iteration variables (∀k · T ). The type system of §5 is extended with the rules of Fig. 11.
Example 6.10. The logical rules of Fig. 10 give the following derived typing rules (where β Pos γ):

Semantics
We present the main ingredients of the semantics of our type system. We take as base the denotational semantics of guarded recursion in the topos of trees.
Denotational Semantics in the Topos of Trees. The topos of trees S provides a natural model of guarded recursion [13]. Formally, S is the category of presheaves over (N \ {0}, ≤). In words, the objects of S are indexed sets X = (X(n)) n>0 equipped with restriction maps r X n : X(n + 1) → X(n). Excluding 0 from the indexes is a customary notational convenience ( [13]). The morphisms from X to Y are families of functions f = (f n : X(n) → Y (n)) n>0 which commute with restriction, that is f n •r X n = r Y n •f n+1 . As any presheaf category, S has (pointwise) limits and colimits, and is Cartesian closed (see e.g. [47, §I.6]). We write Γ : S → Set for the global section functor, which takes X to S [1, X], the set of morphisms 1 → X in S, where 1 = ({•}) n>0 is terminal in S. A typed term E M : T is to be interpreted in S as a morphism . , x n : T n . In particular, a closed term M : T is to be interpreted as a global section M ∈ Γ |T | . The ×/ + / → fragment of the calculus is interpreted by the corresponding structure in S. The modality is interpreted by the functor : S → S of [13]. This functor shifts indexes by 1 and inserts a singleton set 1 at index 1. The term constructor next is interpreted by the natural map with component next X : X → X as in The guarded fixpoint combinator fix is interpreted by the morphism fix X : X X → X of [13,Thm. 2.4].
The constant type modality is interpreted as the comonad ΔΓ : S → S, where the left adjoint Δ : Set → S is the constant object functor, which takes a set S to the constant family (S) n>0 . In words, all components A (n) are equal to Γ A , and the restriction maps of A are identities. In particular, a global section x ∈ Γ A is a constant family (x n ) n describing a unique global section x n+1 (•) = x n (•) ∈ Γ A . We refer to [18] and [28, §D] for the interpretation of prev, box and unbox. Just note that the unit η : Id Set → Γ Δ is an iso.
Together with an interpretation of guarded recursive types, this gives a denotational semantics of the pure calculus of §3. See [13,18] for details. We write fold :

A[Fix(X).A/X] → Fix(X).A and unfold : Fix(X).A → A[Fix(X).A/X] for the two components of the iso Fix(X).A A[Fix(X).A/X] .
External Semantics. Møgelberg [50] has shown that for polynomial types such as Str g B with B a constant type, the set of global sections Γ Str g B is equipped with the usual final coalgebra structure of streams over B in Set. To each polynomial recursive type Fix(X).P (X), we associate a polynomial functor P Set : Set → Set in the obvious way.
We devise a Set interpretation {|ϕ|} ∈ P(Γ A ) of formulae ϕ : A. We rely on the (complete) Boolean algebra structure of powersets for propositional connectives and on Knaster-Tarski Fixpoint Theorem for fixpoints μ and ν. The interpretations of ν t αϕ(α) and μ t αϕ(α) (for t closed) are defined to be the interpretations resp. of ϕ t ( ) and ϕ t (⊥), where e.g. ϕ 0 ( ) := and ϕ n+1 ( ) := ϕ(ϕ n ( )). We give the cases of the atomic modalities in Fig. 12 (where for simplicity we assume formulae to be closed). It can be checked that, when restricting to polynomial types, one gets the coalgebraic semantics of [30] (with sums as in [31]) extended to fixpoints.
Internal Semantics of Formulae. We would like to have adequacy w.r.t. the external semantics of formulae, namely that given M : {A | ϕ}, the global section M ∈ Γ A satisfies {|ϕ|} ∈ P(Γ A ) in the sense that M ∈ {|ϕ|}. But in general we can only have adequacy w.r.t. an internal semantics ϕ ∈ Sub( A ) of formulae ϕ : A. We sketch it here. First, Sub(X) is the (complete) Heyting algebra of subobjects of an object X of S. Explicitly, we have S = (S(n)) n ∈ Sub(X) iff for all n > 0, S(n) ⊆ X(n) and r X n (t) ∈ S(n) whenever t ∈ S(n + 1). For propositional connectives and fixpoints, the internal − is defined similarly as the external {|−|}, but using (complete) Heyting algebras of subobjects rather than (complete) Boolean algebras of subsets.
As Our semantics are both correct w.r.t. the full modal theories of Def. 6.2.

Lemma 7.2. If
The Safe Fragment. For α (positive and) guarded in ϕ, the internal semantics of θαϕ is somewhat meaningless because S has unique guarded fixpoints [13, §2.5]. In particular, the typing fix(s).Cons g a s : This leads to the expected coincidence of the two semantics for safe formulae. The Realizability Semantics. The correctness of the type system w.r.t. its semantics in S is proved with a realizability relation.

Definition 7.5 (Realizability). Given a type T without free iteration variable, a global section
x ∈ Γ |T | and n > 0, we define the realizability relation x n T by induction on lexicographicaly ordered pairs (n, T ) in Fig. 13.

Examples
We exemplified basic manipulations of our system over §3-6. We give further examples here. The functions used in our main examples are gathered in Table 3, with the following conventions. We use the infix notation a :: g s for Cons g a s and write [] g for the empty colist Nil g . Moreover, we use some syntactic sugar for pattern matching, e.g. assuming s : CoList g A we write case s of ([] g → N |x :: g xs → M ) for case(unfold s) of (y.N [ /y]|y.M [π 0 (y)/x , π 1 (y)/xs]). Most of the  Table 3 are obtained from usual recursive definitions by inserting and next at the right places. We often write ψ → ϕ for [ev(ψ)]ϕ. Table 4 Table 3. We use intermediate typings requiring iteration terms whenever a Q is involved. Below, "Γ M satisfies ϕ" means Γ M ∈ {|ϕ|} (modulo Γ Δ Id Set , see §7). We refer to [28, §E] for details.

Example 8.1 (The Append Function on CoLists).
Our system can derive that Γ append returns a non-empty colist if one of its argument is non-empty. Using Q [nil] (which says that a colist is finite), we can derive that Γ append returns a finite colist if its arguments are both finite. This involves the intermediate typing In addition, if the first argument of Γ append has an element which satisfies ϕ, then the result has an element which satisfies ϕ. The same holds if the first argument is finite while the second one has an element which satisfies ϕ [28, §E.6].

Example 8.2 (The Map Function on Streams). The composite modalities PQ
and QP over streams are read resp. as "infinitely often" and "eventually always". Provided with a function f : Γ B → Γ A taking b ∈ Γ B satisfying ψ to f (b) ∈ Γ B satisfying ϕ, the function Γ map on set-theoretic streams returns a stream which infinitely often (resp. eventually always) satisfies ϕ if its stream argument infinitely often (resp. eventually always) satisfies ψ [28, §E.3].

Example 8.3 (The Diagonal Function). Consider a stream of streams s. We have
. Note that s i,i = hd(tl i (hd(tl i (s))). Indeed, tl i (s) is the stream of streams (s k | k ≥ i), so that hd(tl i (s)) is the stream s i and tl i (hd(tl i (s))) is the stream (s i,k | k ≥ i). Taking its head thus gives s i,i . In the diag function of Table 3, the auxiliary higher-order function diagaux g iterates the coinductive tl over the head of the stream of streams s. We write • for function composition, so that assuming s : Str g (Str A) and t : Str A → Str A, we have (on the coinductive type Str A), (hd g s) : Str A and The expected refinement types for diag (Table 4) say that if its argument is a stream whose component streams all satisfy Pϕ, then Γ diag returns a stream whose elements all satisfy ϕ. Also, if the argument of Γ diag is a stream such that eventually all its component streams satisfy Pϕ, then it returns a stream which eventually always satisfies ϕ. See [28, §E.4] for details.

Related Work
Type systems based on guarded recursion have been designed to enforce properties of programs handling coinductive types, like causality [45], productivity [5,50,18,6,25,24], or termination [62]. These properties are captured by the type systems, meaning that all well-typed programs satisfy these properties.
In an initially different line of work, temporal logics have been used as type systems for functional reactive programming (FRP), starting from LTL [32,33] to the intuitionistic modal μ-calculus [17]. These works follow the Curry-Howard "proof-as-programs" paradigm, and reflect in the programming languages the constructions of the temporal logic.
The FRP approach has been adapted to guarded recursion, e.g. for the absence of space leaks [44], or the absence of time leaks, with the Fitch-style system of [7]. This more recently lead [8] to consider liveness properties with an FRP approach based on guarded recursion. In this system, the guarded λ-calculus (presented in a Fitch-style type system) is extended with a delay modality (written ) together with a "until type" A Until B. Following the Curry-Howard correspondence, A Until B is eliminated with a specific recursor, based on the usual unfolding of Until in LTL, and distinct from the guarded fixpoint operator.
In these Curry-Howard approaches, temporal operators are wired into the structure of types. This means that there is no separation between the program and the proof that it satisfies a given temporal property. Different type formers having different program constructs, different temporal specifications for the same program may lead to different actual code.
We have chosen a different approach, based on refinement types, with which the structure of formulae is not reflected in the structure of types. This allows for our examples to be mostly written in a usual guarded recursive fashion (see Table 3). Of course, we indeed use the modality at the type level as a separation between safety and liveness properties. But different liveness properties (e.g. Q, QP, PQ) are uniformly handled with the same -type, which is moreover the expected one in the guarded λ-calculus [18].
Higher-order model checking (HOMC) [54,39] has been introduced to check automatically that higher-order recursion schemes, a simple form of higher-order programs with finite data-types, satisfy a μ-calculus formula. Automatic verification of higher-order programs with infinite data-types (integers) has been explored for safety [40], termination [46], and more generally ω-regular [51] properties. In presence of infinite datatypes, semi-automatic extensions of HOMC have recently been proposed [69]. In contrast with this paper, most HOMC approaches do not consider input-output behaviors on coalgebraic data. A notable exception is [41,23], but it does not handle higher-order functions (such as map), nor polynomial types such as Str(Str A) (Ex. 8.3) or non-positive types such as Rou A (Ex. 8.6) and imposes a strong linearity constraint on pattern matching.
Event-driven approaches consider effects generating streams of events [61], which can be checked for temporal properties with algorithms based on (HO)MC [26,27], or, in presence of infinite datatypes, with refinement type systems [42,53]. Our iteration terms can be seen as oracles, as required by [42] to handle liveness properties, but we do not know if they allow for the non-regular specifications of [53]. While such approaches can handle infinite data types with good levels of automation, they do not have coinductive types nor branching time properties, such as the temporal specification of sched on resumptions (Ex. 8.5) Along similar lines, branching was approached via non-determinism in [64], which also handles universal and existential properties on traces. This framework can handle CTL-like properties of the form ∃/∀-P/Q (with our notation of Ex. 8.5), but not nested combinations of these (as e.g. ∃P∀Q for sched in Ex. 8.5). It moreover does not handle coinductive types.

Conclusion and Future Work
We have presented a refinement type system for the guarded λ-calculus, with refinements expressing temporal properties stated as (alternation-free) μ-calculus formulae. As we have seen, the system is general enough to prove precise behavioral input/output properties of coinductively-typed programs. Our main contribution is to handle liveness properties in presence of guarded recursive types. As seen in §2, this comes with inherent difficulties. In general, once guarded recursive functions are packed into coinductive ones using , the logical reasoning is made in our system directly on top of programs, following their shape, but requiring no further modification. We thus believe to have achieved some separation between programs and proofs.
We provided several examples. While they demonstrate the flexibility of our system, they also show that more abstraction would be welcomed when proving liveness properties. In addition, our system lacks expressiveness to prove e.g. liveness properties on breadth-first tree traversals.
We believe that our approach could be generalized to other programming languages with inductive or coinductive types. The key requirement are: (1) modalities in the temporal logic to navigate through the types of the languages, (2) a semantics to indicate when a program satisfies a formula of the temporal logic, which is sufficiently closed to the set-theoretic one for liveness properties to get their expected meaning, and (3) inference rules to reason over this realizability semantics.
Extensions of the guarded λ-calculus with dependent types have been explored [14,11,6,24]. It may be possible to extend our work to these systems. This would require to work in a Fitch-style presentation of the modality, as in [7,12], since it is not known how to extend delayed substitutions to dependent types while retaining decidability of type-checking [15]. Also, it is appealing to investigate the generalization of our approach to sized types [1], in which guarded recursive types are representable [67].
We plan to investigate type checking. For instance, in a decidable fragment like the μ-calculus on streams, one can check that a function of type Hence, we expect that some automation is possible for fragments of our logic. In presence of iteration terms, arithmetic extensions of the μ-calculus [37,38] may provide interesting backends. An other direction is the interaction with HOMC. If (say) a stream over A is representable in a suitable format, one may use HOMC to check whether it can be argument of a function expecting e.g. a stream of type {Str g A | PQ [hd]ϕ}. This might provide automation for fragments of the guarded λ-calculus. Besides, the combination of refinement types with automatic techniques like predicate abstraction [57], abstract interpretation [34], or SMT solvers [66,65] has been particularly successful. More recently, the combination of refinement types inference with HOMC has been investigated [59].
We would like to explore temporal specification of general, effectful programs. To do so, we wish to develop the treatment of the coinductive resumptions monad [55], that provides a general framework to reason on effectful computations, as shown by interaction trees [70]. It would be interesting to study temporal specifications we could give to effectful programs encoded in this setting. To formalize reasoning on such examples, we would like to design an embedding of our system in a proof assistant like Coq.
Following [3], guarded recursion has been used to abstract the reasoning on step-indexing [4] that has been used to design Kripke Logical Relations [2] for typed higher-order effectful programming languages. Program logics for reasoning on such logical relations [19,20] uses this representation of step-indexing via guarded recursion. It is also found in Iris [36], a framework for higher-order concurrent separation logic. It would be interesting to explore the incorporation of temporal reasoning, especially liveness properties, in such logics.