Bounded Quantification

Bounded quantification allows types to be abstracted by type variables with a subtyping constraint (or bound). The standard calculus with bounded quantification, $F_{\le}$ (Cardelli & Wegner, Reference Cardelli and Wegner1985; Curien & Ghelli, Reference Curien and Ghelli1992; Cardelli et al., Reference Cardelli, Martini, Mitchell and Scedrov1994), has two common variants when it comes to subtyping universal types. The $\textrm{full}~F_{\le}$ variant (Curien & Ghelli, Reference Curien and Ghelli1992; Cardelli et al., Reference Cardelli, Martini, Mitchell and Scedrov1994) compares bounded quantifiers with the following rule:

The most significant characteristic of $\textrm{full}~F_{\le}$ is that it allows two bounded quantifiers to be contravariant on their bound types $A_{1}$ and $A_2$ when being compared. However, the rich expressive power of $\textrm{full}~F_{\le}$ results in an undecidable subtyping relation (Pierce, Reference Pierce1994), which is undesirable. In addition, as Ghelli (Reference Ghelli1993) demonstrates, the S-fullall may even prevent conservative extensions of $F_{\le}$ in the presence of additional features.

There are several ways to restrict bounded quantification to a fragment with decidable subtyping, such as removing top types, or assuming no bounds when comparing type abstraction bodies (Castagna & Pierce, Reference Castagna and Pierce1994). Among those the most widely used variant is the $\textrm{kernel}~F_{\le}$ calculus. In $\textrm{kernel}~F_{\le}$ , bounded quantifiers can only be subtypes when their bound types are identical (Cardelli & Wegner, Reference Cardelli and Wegner1985), which is stated in the S-kernelall.

In our paper, we will show how iso-recursive subtyping can be integrated with both kernel and full variants of $F_{\le}$ . However, for the kernel variant, differently from $\textrm{kernel}~F_{\le}$ , we will generalize the S-kernelall to a S-equivall that accepts equivalent bounds instead. The main motivation for using S-equivall is to enable more subtyping involving records. While typically $\textrm{kernel}~F_{\le}$ is presented without records, in this paper, we include records in the calculus and we wish to consider types such as $\{x :\textsf{nat}, y : \textsf{nat}\}$ and $\{y : \textsf{nat}, x : \textsf{nat}\}$ , to be equivalent (despite being syntactically different). Note that, while in plain $F_{\le}$ the subtyping relation is antisymmetric (Baldan et al., Reference Baldan, Ghelli and Raffaetà1999) (i.e. if two types are equivalent then they must be equal), the addition of records breaks antisymmetry since there are equivalent types that are not equal. The S-equivall is more general than the kernel rule with identical bounds but retains decidability, as we shall see in Section 4.3.

Recursive Types

Recursive types ${\mu{\alpha}}.{A}$ can be traced back to Morris (Reference Morris1968). There are two basic approaches to recursive types: equi-recursive types and iso-recursive types. The essential difference between them is how they consider the relationship between a recursive type $\mu \alpha.~A$ and its unfolding $[\alpha \mapsto {\mu{\alpha}}.{A} ]~A$ . In equi-recursive types, a recursive type is equal to its unfolding. That is, ${\mu{\alpha}}.{A} = [\alpha \mapsto {\mu{\alpha}}.{A}]~A$ . In other words, recursive types and their unfoldings are interchangeable in all contexts. Equi-recursive types also allow for more general equalities than unfoldings. For example, the types ${\mu{\alpha}}.{\textsf{int} \to \alpha}$ and ${\mu{\alpha}}.{\textsf{int} \to \textsf{int} \to \alpha}$ are considered equivalent in the equi-recursive setting, since they have the same infinite unfolding (Amadio & Cardelli, Reference Amadio and Cardelli1993).

In iso-recursive types, a recursive type and its one-step unfolding are not equal but only isomorphic. To convert between ${\mu{\alpha}}.{A}$ and $[\alpha \mapsto {\mu{\alpha}}.{A}]~A$ , we need explicit $\textsf{unfold}$ and $\textsf{fold}$ operators. A fold expression constructs a recursive type, while an $\textsf{unfold}$ expression opens a recursive type, as typing-fold and typing-unfold illustrate:

Despite being less convenient, iso-recursive types are known to have the same expressive power as equi-recursive types (Abadi & Fiore, Reference Abadi and Fiore1996; Zhou et al., Reference Zhou, Wan and Oliveira2024). We will focus next on iso-recursive types.

Recursive Subtyping

Subtyping between recursive types has been studied for many years (Cardelli, Reference Cardelli1985; Amadio & Cardelli, Reference Amadio and Cardelli1993; Ligatti et al., Reference Ligatti, Blackburn and Nachtigal2017). The most widely used subtyping rules for recursive types are the Amber rules, first introduced in 1985 by Cardelli (Reference Cardelli1985) in a manuscript describing the Amber language (Cardelli, Reference Cardelli1985). The iso-recursive Amber rules deal with recursive subtyping with three rules: rule S-amber, S-assmp, and rule S-refl.

The Amber rules are simple, but their metatheory is troublesome. For example, transitivity is hard to prove (Bengtson et al., Reference Bengtson, Bhargavan, Fournet, Gordon and Maffeis2011; Zhou et al., Reference Zhou, Oliveira and Zhao2020, Reference Zhou, Oliveira and Fan2022). Furthermore, due to the reliance on the reflexivity rule (rule S-refl), the Amber rules are problematic for subtyping relations that are not antisymmetric (Ligatti et al., Reference Ligatti, Blackburn and Nachtigal2017). Recently, Zhou et al. (Reference Zhou, Oliveira and Zhao2020, Reference Zhou, Oliveira and Fan2022) proposed a new specification for iso-recursive subtyping and some equivalent algorithmic variants (Zhou & Oliveira, Reference Zhou and Oliveira2025). For this paper, we use one of those algorithmic variants, called the nominal unfolding rules (Zhou et al., Reference Zhou, Oliveira and Fan2022). The main reason for choosing the nominal unfolding rules is that they are easy to work with formally: indeed, Zhou et al. (Reference Zhou, Oliveira and Fan2022) have a full Coq development, including proofs of decidability, that we will reuse and extend.

Nominal Unfolding Rules

The nominal unfolding rules provide a formal mechanism for handling iso-recursive subtyping. These rules are designed to address the challenges posed by contravariant occurrences of recursive type variables. For recursive types, it is expected that if two recursive types ${\mu{\alpha}}.{A}$ and ${\mu{\alpha}}.{B}$ are subtypes, then their unfolding $[\alpha \mapsto {\mu{\alpha}}.{A} ]~A$ and $[\alpha \mapsto {\mu{\alpha}}.{B} ]~B$ should also be subtypes. This property can be tricky to achieve with contravariant occurrences of recursive variables. The Amber rules deal with this issue by remembering pairs of recursive variables as subtyping assumptions, as can be seen in S-amber. In contrast, the nominal unfolding rules unfold the recursive body twice to ensure the correctness of the subtyping relation.

For example, consider the subtyping statement ${\mu{\alpha}}.{\alpha \to\textsf{nat}} \le {\mu{\alpha}}.{\alpha \to \top}$ . If we unfold the recursive types twice, we obtain:

\[(({\mu{\alpha}}.{\alpha \to \textsf{nat}}) \to \textsf{nat}) \to \textsf{nat} \le (({\mu{\alpha}}.{\alpha \to \top}) \to \top) \to \top\]

This statement requires both $\textsf{nat} \le \top$ (which is true) and $\top \le \textsf{nat}$ (which is false), thus correctly rejecting the subtyping statement. Unfolding once would not expose the invalid $\top \le \textsf{nat}$ comparison.

The nominal unfolding rules simulate this double-unfolding process by replacing recursive types with labeled types ():

In rule S-nominal, every time two recursive types are compared, a fresh label $\color{red}{\alpha}$ is used to label the unfolded parts. Labeled types can only be compared to other labeled types with the same label, which ensures that they arise from the same recursive type, as shown in rule S-label. The bound type variable $\alpha$ in the recursive body becomes free variable after unfoldingFootnote ¹ . For instance, to compare ${\mu{\alpha}}.{\alpha \to \textsf{nat}}$ and ${\mu{\alpha}}.{\alpha \to \top}$ , the subtyping statement becomes:

The one-time unfolding is captured by the labels, since if we ignore the body of the labeled types, $\alpha \to \textsf{nat}$ and $\alpha \to \top$ are compared. On the other hand, when ignoring the labels, the double-unfolding statement is obtained, which exposes the invalid $\top \le \textsf{nat}$ comparison. The key design in the nominal unfolding rules is to use labels as a syntactic device to ensure that recursive types are compared correctly. Without labels providing distinct identities to recursive types, unsound subtyping statements such as ${\mu{\alpha}}.{\textsf{nat} \to \alpha} \le {\mu{\alpha}}.{\textsf{nat} \to \textsf{nat} \to \top}$ , which unfolds to $\textsf{nat} \to \textsf{nat} \to \alpha \le \textsf{nat} \to \textsf{nat} \to \top$ , may be accepted.

The nominal unfolding rules are formally proven to be type sound and have the same expressive power as the iso-recursive Amber rules (Zhou et al., Reference Zhou, Oliveira and Fan2022). They are also easier to work with formally, enabling the development of sound and complete algorithmic formulations of subtyping. Additionally, these rules are modular, allowing the extension of existing calculi with iso-recursive types without significant changes to existing definitions and proofs.

Object Encodings

A simple and well-known typed encoding of objects is the recursive records encoding (Canning et al., Reference Canning, Cook, Hill and Olthoff1989; Cook et al., Reference Cook, Hill and Canning1989; Bruce et al., Reference Bruce, Cardelli and Pierce1999). In this encoding, the idea is that object types are encoded as recursive record types, and objects are encoded as records.Footnote ² For example, we can define a type $\textsf{Point}$ :

$$\textsf{Point} {\triangleq} \mu \ \textsf{pnt}. \{ \textsf{x}: \textsf{Int},~ \textsf{y} :\textsf{Int},~ \textsf{move}: \textsf{Int} \to \textsf{Int} \to \textsf{pnt} \}$$

which consists of its coordinates and a $\textsf{move}$ function. We use a recursive type because move should return an updated point. To implement $\textsf{Point}$ , we define some auxiliary functions:

then a constructor $\textsf{mkPoint}$ can be defined as:

Note that the auxiliary functions above would not be needed in a source language, since a source language would treat $\textsf{p.x}$ as syntactic sugar for $\textsf{(unfold [Point] p).x}$ . Similarly, the source language would automatically insert a $\textsf{fold}$ in the object constructor. In other words, in a source language with iso-recursive subtyping, the $\textsf{fold}$ ’s and $\textsf{unfold}$ ’s do not need to be explicitly written and are automatically inserted by the compiler. For instance, this is what Abadi et al. (Reference Abadi, Cardelli and Viswanathan1996)’s translation of a language with objects into an iso-recursive extension of $F_{\le}$ does.

With subtyping, we can develop subtypes of $\textsf{Point}$ , such as:

$$\begin{array}{l}\textsf{ColorPoint} {\triangleq} \mu \ \textsf{pnt}. \{ \textsf{x}: \textsf{Int},~ \textsf{y}:\textsf{Int},~ \textsf{move}: \textsf{Int} \to \textsf{Int} \to \textsf{pnt},~\textsf{color}: \textsf{String} \}\\\textsf{EqPoint} {\triangleq} \mu \ \textsf{pnt}. \{ \textsf{x}: \textsf{Int},~ \textsf{y}:\textsf{Int},~ \textsf{move}: \textsf{Int} \to \textsf{Int} \to \textsf{pnt},~\textsf{eq}: \textsf{pnt} \to \textsf{Bool} \}\end{array}$$

Now, suppose we wish to translate the coordinates by one unit for a point, but we do not want to write such a translation function for each subclass of $\textsf{Point}$ . As a first attempt, this is achieved with a polymorphic function:

The type of this $\textsf{translate}$ function is $\forall({\textsf{P}}\le{\textsf{Point}}).{~ \textsf{P} \to}\textsf{Point}$ , which is obtained from the following typing derivation (some parts omitted):

However, this type is unsatisfying because it loses precision: it returns a $\textsf{Point}$ instead of a $\textsf{P}$ . The type that we want instead is:

$$\forall({\textsf{P}}\le{\textsf{Point}}).{ \textsf{P} \to \textsf{P}}$$

Unfortunately, we cannot obtain this more general type with only bounded quantification and the usual unfolding rule typing-unfold. In the rule typing-unfold, the unfold annotation must be a recursive type. However, if we wish to return $\textsf{P}$ , then we should use $\textsf{unfold}$ with the annotation $\textsf{P}$ , which is not a recursive type, but a type variable.

Some advanced techniques, such as F-bounded quantification (Canning et al., Reference Canning, Cook, Hill and Olthoff1989; Baldan et al., Reference Baldan, Ghelli and Raffaetà1999), address this issue. In F-bounded quantification, the bounded variables are allowed to appear in the bound, and universal types take the form $\forall({\alpha}\le{F[\alpha]}).{B}$ , where F is a type-level function applied to the bound variable $\alpha$ . For the example above, the bound in the $\textsf{translate}$ function is no longer the closed recursive type $\textsf{Point}$ but would have the form $F[\alpha] = \{ x: \textsf{Int},~y:\textsf{Int},~ \textsf{move}: \textsf{Int} \to \textsf{Int} \to \alpha \}$ . Therefore, with F-bounded quantification, the translate function could have the type:

$$\forall({\alpha}\le{\{ x: \textsf{Int},~y:\textsf{Int},~ \textsf{move}: \textsf{Int} \to \textsf{Int} \to \alpha \}}).{\alpha \to \alpha}$$

Then the $\alpha$ can be instantiated to $\textsf{Point}$ or subtypes of $\textsf{Point}$ , since $\textsf{Point} \le F[\textsf{Point}]$ . Note that to satisfy the F-bounded constraints $\alpha \le F[\alpha]$ , the subtyping statements must be interpreted in an equi-recursive setting. $F_{\le}^{\mu}$ uses a less intrusive approach to achieve the same effect for typing the $\textsf{translate}$ function, without requiring recursive bounds or equi-recursive types. This is achieved by using the structural unfolding rule (Abadi et al., Reference Abadi, Cardelli and Viswanathan1996), which we will discuss in Section 2.3.

Encoding Positive F-Bounded Quantification

Fortunately, with the structural rules, we can use a type variable as an annotation for $\textsf{unfold}$ . This enables us to encode forms of F-bounded quantification with positive occurrences of recursive variables, which is the case for $\textsf{Point}$ . We can change the $\textsf{unfold}$ annotation in $\textsf{translate}$ from the recursive type $\textsf{Point}$ to its subtype, the type variable $\textsf{P}$ :

In Section 2.3, we will discuss the typing of this program via the structural unfolding rule in detail. After this change, the type of $\textsf{translate}$ is $\forall({\textsf{P}}\le{\textsf{Point}}).{\textsf{P} \to \textsf{P}}$ . Then we can apply $\textsf{translate}$ to $\textsf{Point}$ or any of its subtypes, without losing static precision. Thus, if we call $\textsf{translate [EqPoint] (mkEqPoint 0 0)}$ , then we obtain an $\textsf{EqPoint}$ object at (1,1). Here, $\textsf{mkEqPoint}$ is a constructor for objects with type $\textsf{EqPoint}$ , which contain a binary method (Bruce et al., Reference Bruce, Cardelli, Castagna, Group, Leavens and Pierce1995) $\textsf{eq}$ :

Encoding Objects with Bounded Existentials

Recursive types are not the only way to encode objects. Another common encoding is to use bounded existentials (Cardelli & Wegner, Reference Cardelli and Wegner1985). Existential types can be used to encode objects (Pierce & Turner, Reference Pierce and Turner1994), or they can be employed together with recursive types (Bruce, Reference Bruce1994). Since the intentional behavior of existential types can be encoded by universal types, we can obtain a form of bounded existentials for free in $F_\le$ (Cardelli & Wegner, Reference Cardelli and Wegner1985):

(2.1) \begin{equation}\begin{array}{c}\begin{array}{rcl} \exists (\alpha \le A).B &\triangleq& \forall({\beta}\le{\top}).{(\forall({\alpha}\le{A}).{B \to \beta \to \beta })} \\ \textsf{pack}~[C, e]~\textsf{as}~({\exists (\alpha \le A).B}) &\triangleq& \Lambda (\beta \le\top).~\lambda (f: \forall({\alpha}\le{A}).{\alpha \to \beta}). f \ C \ e \\ \textsf{unpack}~e_1~\textsf{as}~[\alpha, x]~\textsf{in}~e_2 &\triangleq& e_1 \ C \ (\Lambda (\alpha \le A).~\lambda (x: B). e_2) \\ & & \text{where } e_1 : \exists (\alpha \le A).B \text{ and } e_2 : C\end{array}\end{array}\end{equation}

Abadi et al. (Reference Abadi, Cardelli and Viswanathan1996) presented an encoding of objects using a combination of recursive types and bounded existential quantification, called the ORBE encoding. In their work, an interface $I(\alpha)$ is defined as a record of type-level functions, each having a self variable $\alpha$ argument ( $\{l_i : I_i(\alpha)^{i\in 1\ldots n}\}$ ). For example, the interface for the $\textsf{Point}$ object is:

$$\begin{array}{l}I_{\textsf{Point}}(\alpha) {\triangleq} \{ \textsf{x} : \textsf{Int}, \textsf{y} : \textsf{Int}, \textsf{move} : \textsf{Int} \to \textsf{Int} \to \alpha \}\end{array}$$

The general ORBE encoding for an interface $I(\alpha)$ is:

$$\textit{ORBE}(I) \triangleq \mu \alpha. ~ \exists (\beta \le \alpha). ~ \left\{ \begin{array}{l}\textsf{self}: \beta, \\{\textsf{l}_i^{\textsf{sel}}: \beta \to I_i(\beta)}^{\, i \in 1,\ldots, n }, \\{\textsf{l}_i^{\textsf{upd}}: (\beta \to I_i(\beta)) \to \beta}^{\, i \in 1,\ldots, n }\end{array}\right\}$$

The bounded existential quantification ( $\exists (\beta \le \alpha)$ ) is used to indicate that the true type of an object can be a subtype of the object type $\alpha$ . Intuitively, it allows the object implementation to contain more fields, such as private variables, than the interface specifies. The field $\textsf{self}$ is the object itself with all its methods including private ones so that the listed methods can access the object’s private fields. Through fields $\textsf{l_i}^{\textsf{sel}}$ , users of the object can access the object’s public methods. The fields $\textsf{l_i}^{\textsf{upd}}$ are optional in the encoding. They allow users to update method $l_i$ by taking a new function of $\textsf{self}$ and returning a new object with the updated method, which is a feature not supported in many other object encodings. For example, the $\textsf{Point}$ object from above can be encoded with the ORBE encoding as follows:

$$\begin{array}{l}\textsf{Point}_{\textit{ORBE}} {\triangleq} \mu \ \textsf{pnt}.~ \exists (\beta \le \textsf{pnt}).~\left\{\begin{array}{l}\textsf{self}: \beta, \\\textsf{x}^\textsf{sel} : \beta \to \textsf{Int}, \quad \textsf{x}^\textsf{upd}: (\beta \to \textsf{Int}) \to \beta, \\\textsf{y}^\textsf{sel}: \beta \to \textsf{Int}, \quad\textsf{y}^\textsf{upd}: (\beta \to \textsf{Int}) \to \beta, \\\textsf{move}^\textsf{sel}: \beta \to \textsf{Int} \to \textsf{Int} \to \beta, \\\textsf{move}^\textsf{upd}: (\beta \to \textsf{Int} \to \textsf{Int} \to \beta) \to \beta\end{array}\right\}\end{array}$$

We can implement the $\textsf{Point}$ object with the ORBE encoding as follows:

Method calls are encoded by unfoldings of iso-recursive types and unpacking of bounded existentials. For example, accessing the $\textsf{x}$ field of a $\textsf{Point}$ object can be implemented as:

We omit the encodings for the method update fields in the $\textsf{mkPointORBE}$ function for brevity, but they can also be written using $F_{\le}^{\mu}$ . More details about the encoding can be found in the original work (Abadi et al., Reference Abadi, Cardelli and Viswanathan1996). As we can see, the ORBE encoding requires both recursive types and bounded existentials. By rewriting all bounded existentials into universal quantification using (2.1), we are able to write all the programs and types in the ORBE encoding presented above in our $F_{\le}^{\mu}$ calculus. Therefore, $F_{\le}^{\mu}$ can serve as a target language for the ORBE encoding.

When it comes to subtyping, as Bruce et al. (Reference Bruce, Cardelli and Pierce1999) observe, the ORBE encoding requires $\textrm{full}~F_{\le}$ for the bounded quantification subtyping rule. Consider the encoding for the object $\textsf{ColorPoint}$ , which has more fields than $\textsf{Point}$ . should extend the record in with $\textsf{color}^\textsf{sel}$ and $\textsf{color}^\textsf{upd}$ fields. When we try to compare the two encodings, we see that the bounds in $(\beta \le \textsf{pnt})$ for the two types are not the same – the recursive variable $\textsf{pnt}$ in stands for more fields than in . As a result, contravariant subtyping is needed for comparing the bound in the existential type, which in turn requires $\textrm{full}~F_{\le}$ instead of $\textrm{kernel}~F_{\le}$ . Therefore, we also study the $\textrm{full}~F_{\le}^{\mu}$ calculus in this paper in order to support subtyping between objects in the ORBE encoding.

Encodings of Algebraic Datatypes with Subtyping

It is well known that, in the polymorphic lambda calculus (System F) (Reynolds, Reference Reynolds1974), we can use Church (Reference Church1932) encodings to encode algebraic datatypes (Böhm & Berarducci, Reference Böhm and Berarducci1985). However, Church encodings make it hard to encode some operations, or worse they prevent encoding certain operations with the correct time complexity. A well-known example (Church, Reference Church1932) is the encoding of the predecessor function on natural numbers, which is linear with Church encodings instead of being constant time.

An alternative encoding that captures the intentional behavior of datatypes in the untyped lambda calculus and avoids the issues of Church encodings is due to Scott (Reference Scott1962). Unfortunately, Scott encodings cannot be encoded in plain System F. The addition of recursive types to a polymorphic lambda calculus allows a typed Scott encoding (Parigot, Reference Parigot1992). Moreover, in the presence of subtyping, we can also encode algebraic datatypes with subtyping, enabling certain forms of reuse that are not possible without subtyping. Oliveira (Reference Oliveira2009) has shown this assuming a $F_{\le}$ -like language with recursive types and records, but he has not formalized such a language. Here, we revisit Oliveira’s example. A similar encoding for datatypes can be achieved in $F_{\le}^{\mu}$ . For example, one may define a datatype $\textsf{Exp}_1$ for mathematical expressions, with constant, addition, and subtraction constructors:

The encoding in $F_{\le}^{\mu}$ of this datatype can be defined as follows:

$$\textsf{Exp}_1 {\triangleq} \mu \textsf{E}. \ \forall \textsf{A}. \ \left\{ \textsf{num}: \textsf{Int} \to \textsf{A},~ \textsf{add}: \textsf{E} \to \textsf{E} \to \textsf{A},~ \textsf{sub}: \textsf{E} \to \textsf{E} \to \textsf{A}\right\} \to \textsf{A}$$

If we unfold the recursive type, this encoding is a polymorphic higher-order function that takes a record with three fields ( $\textsf{num}$ , $\textsf{add}$ , and $\textsf{sub}$ ) as input. Each field corresponds to a constructor in the datatype definition. This encoding is particularly useful for case analysis, since the polymorphic function essentially encodes case analysis directly. To write a function that performs case analysis on this datatype, one can unfold the recursive type, instantiate $\textsf{A}$ with the result type, and then provide a record that maps each case to an implementation function that takes the constructor components as input and returns a result of type $\textsf{A}$ . For example, given an expression $\textsf{e}$ with type $\textsf{Exp}_1$ , a case analysis-based evaluation function can be written as:

where we use $[\ldots]$ to represent type instantiation. Here, $\textsf{Exp}_1$ is instantiated with the evaluation result type $\textsf{Int}$ . A record of three functions is supplied to implement case analysis. The $\textsf{num}$ field implements a function that returns the integer $\textsf{n}$ of the $\textsf{Num}$ constructor directly, while the functions in $\textsf{add}$ and $\textsf{sub}$ fields perform the evaluation process recursively. To construct concrete instances of the datatype, each constructor also comes with a corresponding encoding in the calculus:

One can easily check, using typing-fold, that the result type of each constructor encoding becomes $\textsf{Exp}_1$ after a recursive type folding. Therefore, in this encoding, the use of constructors and case analysis functions is natural: one can construct the expression $1 + 2$ directly with the encoded constructors as $\textsf{Add}_1~(\textsf{Num}_1 \ 1) \ (\textsf{Num}_1 \ 2)$ and get its evaluation result by calling $\textsf{eval} \ (\textsf{Add}_1~(\textsf{Num}_1 \ 1) \ (\textsf{Num}_1 \ 2))$ .

Subtyping Between Datatypes

Now consider a larger datatype $\textsf{Exp}$ $_2$ , which extends the $\textsf{Exp}$ $_1$ datatype with a new constructor $\textsf{Neg}$ , for denoting negative numbers.

This datatype is encoded in $F_{\le}^{\mu}$ as:

$$\textsf{Exp}_2 {\triangleq} \mu \textsf{E}. \ \forall \textsf{A}. \ \left\{ \textsf{num}: \textsf{Int} \to \textsf{A},~ \textsf{add}: \textsf{E} \to \textsf{E} \to \textsf{A},~ \textsf{sub}: \textsf{E} \to \textsf{E} \to \textsf{A}, \textsf{neg}: \textsf{E} \to \textsf{A}\right\} \to \textsf{A}$$

The datatype $\textsf{Exp}_2$ differs from $\textsf{Exp}_1$ only in the new constructor: the other constructors are just the same. To reduce code duplication, it is desired that the constructor functions such as $\textsf{Add}_1$ can be polymorphic and used for both datatypes. Note that $\textsf{Exp}_2$ has more constructors than $\textsf{Exp}_1$ , so it should be safe to coerce $\textsf{Exp}_1$ expressions into $\textsf{Exp}_2$ expressions, that is, $\textsf{Exp}_1 \le \textsf{Exp}_2$ . Therefore, we would like the $F_{\le}^{\mu}$ encoding for the $\textsf{Add}$ constructor to have the following type so that both encodings of $\textsf{Exp}_1$ and $\textsf{Exp}_2$ can use this constructor function:

$$\textsf{Add}_{\forall} : \forall({\textsf{E}}\ge{\textsf{Exp}_1}).{\ \textsf{E} \to \textsf{E} \to \textsf{E}}$$

There are two problems here. First, similarly to the issue that we have faced in the translate function, we would like to use a type variable in the fold’s of the constructors. This way we can make the constructors polymorphic. Second, as evidenced by the desired type for Add, we need lower bounded quantification, but in $F_{\le}^{\mu}$ (and $F_{\le}$ ) we only have upper bounded quantification.

Polymorphic Constructors with Lower Bounded Quantification

For applications such as encodings of algebraic datatypes, the dual form of bounded quantification (lower bounded quantification) seems to be more useful. Thus, we have an extended system, called $F_{\le\ge}^{\mu\wedge}$ , that also supports lower bounded quantification. Polymorphic datatype constructors become typeable with the structural folding rule. For example, we can encode the polymorphic Add constructor as:

Other polymorphic constructors such as $\textsf{Num}_\forall$ and $\textsf{Sub}_\forall$ can be encoded similarly, enabling more useful programming patterns. For example, if we want to implement a compiler that uses $\textsf{Exp}_1$ as its core language, but also want to support richer datatype constructors in a source language like $\textsf{Exp}_2$ does, we would like to be able to reduce code duplication across the two similar languages. For instance, if we define a pretty printer function for $\textsf{Exp}_2$

we can use this function to print $\textsf{Exp}_1$ expressions as well: all the constructors in $\textsf{Exp}_1$ are also in $\textsf{Exp}_2$ and have their pretty printing methods defined in the above function.

Suppose also that we wish to implement a simple desugaring function that transforms $\textsf{Exp}_2$ into $\textsf{Exp}_1$ , by transforming negative numbers $-n$ into subtractions $0-n$ . This function should do case analysis on $\textsf{Exp}_2$ and use only the constructors in $\textsf{Exp}_1$ to produce the result, that is, it should have a type $\textsf{Exp}_2 \to \textsf{Exp}_1$ . The following code, with polymorphic constructors, has the desired typing:

In contrast, in many practical programming languages, this task involves either code duplication or loss of type precision. In a typical functional language, we can define both $\textsf{Exp}_1$ and $\textsf{Exp}_2$ and also obtain precise static typing guarantees for the desugar function. But this comes at the cost of duplication, since the constructors for the two datatypes are different, and many operations, such as pretty printing, need to be essentially duplicated. In $F_{\le\ge}^{\mu\wedge}$ , in addition to polymorphic constructors, we would just need to define the pretty printer for $\textsf{Exp}_2$ , and that function would also work for $\textsf{Exp}_1$ . Alternatively, in a typical functional language, one could define only $\textsf{Exp}_2$ and type desugar with the imprecise type $\textsf{Exp}_2 \to \textsf{Exp}_2$ , which does not statically guarantee that the Neg constructor has been removed. This solution avoids the duplication at the cost of static typing guarantees. In $F_{\le\ge}^{\mu\wedge}$ , we do not need such compromises: we can avoid code duplication and preserve the static typing guarantees.

Kernel $F_{\le}$ with Iso-Recursive Types

Our type system directly combines $\textrm{kernel}~F_{\le}$ and the nominal unfolding rules together. The addition of the nominal unfolding rules has almost no effect on the original proofs in $\textrm{kernel}~F_{\le}$ . That is, the proofs for important lemmas, such as transitivity, are nearly the same as those in $\textrm{kernel}~F_{\le}$ , except that we need a new case to deal with recursive types. Thus, proofs that have been very hard in the past, such as transitivity, are very simple in $F_{\le}^{\mu}$ .

The more challenging aspect in the metatheory of $F_{\le}^{\mu}$ lies in the unfolding lemma:

$$\Gamma \vdash {\mu{\alpha}}.{A} \le {\mu{\alpha}}.{B} \quad\Rightarrow\quad\Gamma \vdash [\alpha \mapsto {\mu{\alpha}}.{A} ]~A \le [\alpha \mapsto {\mu{\alpha}}.{B} ]~B$$

which reveals an important property for iso-recursive types: if two iso-recursive types are subtypes, then their one-step unfoldings are also subtypes. To prove the unfolding lemma, a generalized lemma is needed (Zhou et al., Reference Zhou, Oliveira and Fan2022). In $F_{\le}^{\mu}$ , we show that the previous generalized approach is insufficient due to bounded quantification. Therefore, an even more general lemma is proposed.

Another challenge is decidability. Although both $\textrm{kernel}~F_{\le}$ and the nominal unfolding rules (for simple calculi) have been independently proved decidable, their decidability proofs use very different measures. A natural combination is problematic; thus, we need a new approach.

After overcoming those challenges, we show that kernel $F_{\le}^{\mu}$ is transitive, decidable, conservative, and modular. Furthermore, there is a simple, sound, and complete algorithmic type system to enable implementations and to provide important help in the proofs of results such as conservativity of typing.

Full $F_{\le}$ with Iso-Recursive Types

We have also integrated $\textrm{full}~F_{\le}$ with iso-recursive subtyping. The most significant challenge compared to the kernel variant is proving the unfolding lemma. As we will discuss in Section 4.3, the method used to prove the generalized unfolding lemma for the kernel variant does not apply to the full variant due to the contravariance of the bounds. Therefore, a yet more sophisticated adaptation of the generalized unfolding lemma is required. Additionally, we establish several other properties for full $F_{\le}^{\mu}$ , such as type soundness, conservativity, and undecidability.

Structural Folding and Unfolding Rules

In our work, instead of standard rules for fold/unfold expressions, we use structural rules:

The key point about the structural rules is that the annotations are generalized to be a subtype/supertype of a recursive type, instead of exactly a recursive type. In particular, this generalization enables annotating fold/unfold with a bounded type variable. This is forbidden in the traditional rules. In the typing-sunfold, it is worthwhile to mention that when we have $A \le {\mu{\alpha}}.{B}$ where $\alpha$ appears negatively in B, then there are very limited choices to what A can be. Essentially, it can be ${\mu{\alpha}}.{B}$ itself and little else. In other words, negative recursive types have very restricted subtyping, which is why the structural unfolding rule can be type safe. Note also that, since the structural unfolding rules provide almost no flexibility for negative recursive subtyping, they are insufficient to fully express F-bounded quantification for negative recursive types.

The structural unfolding rule was presented by Abadi et al. (Reference Abadi, Cardelli and Viswanathan1996) for supporting structural updates in the object calculus that was being encoded into $F_{\le}$ with iso-recursive types. In their work, the structural unfolding rule is presented with an informal explanation. We provide structural rules for both unfold and fold expressions, together with the formalization of the type soundness for both rules. With the structural unfolding rule we can, for instance, obtain the desired typing for the translate function.

Readers can compare this derivation to the one in Section 2.2, where the conventional unfolding rule and the subsumption rule are used instead. The use of typing-sunfold enables us to give a more precise type for the translate function.

Lower Bounded Quantification and $F_{\le\ge}^{\mu\wedge}$

We have also formalized an extension of $F_{\le}^{\mu}$ with both upper and lower bounded quantification, called $F_{\le\ge}^{\mu\wedge}$ . All the same results that are proved for $F_{\le}^{\mu}$ are also proved for $F_{\le\ge}^{\mu\wedge}$ , including transitivity, decidability, and type soundness. The structural folding rules become more useful in $F_{\le\ge}^{\mu\wedge}$ . With lower bounded quantification and the structural folding rules, we can get the correct typing for the polymorphic Add constructor:

Records as Intersection Types

It is well known that multi-field records can be encoded using intersection types and single-field records (Reynolds, Reference Reynolds1988; Dunfield, Reference Dunfield2012). In $F_{\le\ge}^{\mu\wedge}$ , we follow this alternative approach to type record expressions. The record type $\{\textsf{x} : \textsf{nat}, \textsf{y} : \textsf{nat}\}$ in $F_{\le}^{\mu}$ is now simply syntactic sugar in $F_{\le\ge}^{\mu\wedge}$ for the intersection type $\{\textsf{x} : \textsf{nat}\} \& \{\textsf{y} : \textsf{nat}\}$ . To avoid records with duplicate labels being intersected, we restrict the labels in the intersection types to be disjoint. For instance, $\{x : \textsf{nat}\} \,\&\, \{x : \textsf{nat} \to \textsf{nat}\}$ is not a valid type in $F_{\le\ge}^{\mu\wedge}$ . We will further discuss such design choice in Section 5. The combination of unrestricted intersection types and iso-recursive subtyping was studied by Zhou et al. (Reference Zhou, Oliveira and Fan2022). Our work models a restricted form of intersection types. In $F_{\le\ge}^{\mu\wedge}$ , only types that are formed by intersecting single-field record types are considered, and the disjointness relation discussed in Zhou et al. (Reference Zhou, Oliveira and Fan2022) is in turn simplified to a compatibility relation for checking well-formedness of intersection types. The intersection type operator $\&$ is commutative and associative in terms of type equivalence so that record permutations are obtained for free.

The typing rules for record expressions and projections in $F_{\le\ge}^{\mu\wedge}$ are shown below:

With intersection types, record expressions are now typed using rule typing-srcd. As a result, we no longer need a dedicated rule for subtyping multi-field record types, which has a complicated definition since it needs to decide the subset inclusion of record fields and check the subtyping relation for common fields. Instead, we can now rely on the subtyping relation for intersection types and a direct subtyping rule for subtyping types in single-field records. Moreover, record projections can be defined in terms of subtyping now, as rule typing-sproj shows. When projecting a field from a record expression e, we can simply check if the record type of e is a subtype of the expected record type.

The treatment of records in $F_{\le\ge}^{\mu\wedge}$ aligns closely with the way DOT (Rompf & Amin, Reference Rompf and Amin2016) deals with object types. Rule typing-dot-object shows the typing rule for object expressions in DOT. In DOT, object expressions are a record with a self reference variable x bounded to the object itself, containing a list of labeled declarations $d_1 \ldots d_n$ . When type checking objects, each declaration is checked on its own, and the intersection of all the declaration types forms the type of the object.

$F_{\le\ge}^{\mu\wedge}$ and DOT share the same idea of using intersection types to type record expressions or objects and both require the labels to be disjoint. Due to the use of path-dependent types (Amin et al., Reference Amin, Rompf and Odersky2014) in DOT, the treatment of recursive types is different. In $F_{\le\ge}^{\mu\wedge}$ , we do not have a self reference variable in record expressions or types, and $F_{\le\ge}^{\mu\wedge}$ lacks some DOT features. On the other hand, $F_{\le\ge}^{\mu\wedge}$ has key properties, such as decidability, transitivity of subtyping, and being a conservative extension of $F_{\le}$ , which are partly missing in DOT. Despite these differences, we hope that $F_{\le\ge}^{\mu\wedge}$ can provide insights into the design of DOT-like calculi with bounded quantification and recursive types and complement the existing work in terms of the design space.

Syntax and Well-Formedness

The syntax of types and contexts for $F_{\le}^{\mu}$ is shown in Figure 1. Meta-variables A, B, C, D range over types. Types consist of natural numbers ( $\textsf{nat}$ ), the top type ( $\top$ ), function types ( $A \to B$ ), type variables ( $\alpha$ ), recursive types ( ${\mu{\alpha}}.{A}$ ), labeled types (), universal types ( $\forall({\alpha}\le{A}).{B}$ ), and record types ( $\{ l_i : A_i ~ ^{i \in 1\cdots n} \}$ ). Labeled types are types that are annotated with a label. They enable distinguishing between otherwise structurally compatible types (equal types or subtypes). That is if the two types being compared have different labels or one of the types is unlabeled, then the two types will not be related, even when, ignoring the labels, they would be structurally compatible. Expressions, denoted by the meta-variable e, include term variables (x), natural numbers ( $\textsf{i}$ ), applications ( $e_1~e_2$ ), abstractions ( $\lambda x:A .~ e$ ), type applications ( $e~A$ ), type abstractions ( $\Lambda (\alpha \le A) .~ e$ ), fold expressions ( $\textsf{fold}~[A]~e$ ), unfold expressions ( $\textsf{unfold}~[A]~e$ ), records ( $\{ l_i = e_i ~ ^{i \in 1\cdots n} \}$ ), and record selection ( $e.l$ ). Among them, natural numbers, abstractions, and type abstractions are values. Fold expressions and records can be values if their inner expressions are also values. The context is used to store type variables with their bounds and term variables with their types. Note that it is not necessary to distinguish recursive variables and universal variables.

Fig. 1. Syntax of $F_{\le}^{\mu}$ .

The definition of a well-formed environment $\vdash \Gamma$ is standard, ensuring that all variables in the environment are distinct and all types in the environment are well formed. A type is well formed if all of its free variables are in the context. The well-formedness rules for types are shown at the top of Figure 2.

Fig. 2. Well-formedness and subtyping rules for kernel $F_{\le}^{\mu}$ .

Subtyping for Kernel $F_{\le}^{\mu}$

The bottom of Figure 2 shows the subtyping judgment. Our subtyping rules are mostly standard. The rules essentially include the rules of the algorithmic version of $\textrm{kernel}~F_{\le}$ (Cardelli & Wegner, Reference Cardelli and Wegner1985; Cardelli et al., Reference Cardelli, Martini, Mitchell and Scedrov1994), but the rule for bounded quantification is generalized. The rules S-var,S-vartrans are standard $F_{\le}$ rules. Since we do not distinguish universal and recursive variables, those rules apply also to recursive type variables. The rule for function types (rule S-arrow) is contravariant on the input types and covariant on the output types. We have placed well-formedness checks on all the base cases of the subtyping rules, which ensures that the context and types in a subtyping relation are well formed, as shown in Lemma 3.1. Note that for this regularity property to hold, in rule S-rcd we require the left record type to be well formed but not the right one, since the well-formedness of the right type can be derived from the subtyping relation on record fields, while there might be extra fields in the left record type that are not compared in the subtyping relation.

Subtyping Bounded Quantification

The rule for bounded quantification is interesting, stating that two universal types are subtypes if their bounds are equivalent (i.e. they are subtypes of each other) and the bodies are subtypes. Rule S-equivall is more general than rule S-kernelall since the latter requires the bounds to be equal. The reason to have the more general rule using equivalent bounds is that, for records, we wish to accept subtyping statements such as:

\[\forall(\alpha\le{\{x : \textsf{nat}, y : \textsf{nat}\}}).{\alpha \to \alpha} \le \forall(\alpha\le{\{y : \textsf{nat}, x : \textsf{nat}\}}.{\alpha \to \alpha}\]

where the bounds can be syntactically different, but equivalent, types. In the presence of records or other features, such as intersection and union types (Pottinger, Reference Pottinger1980; Coppo et al., Reference Coppo, Dezani-Ciancaglini and Venneri1981; Barbanera et al., Reference Barbanera, Dezani-Ciancaglini and de’Liguoro1995), we can have such equivalent but not syntactically equal types. Therefore, we should generalize the rule for bounded quantification to deal with those cases. This generalization to equivalent bounds retains decidable subtyping just as $\textrm{kernel}~F_{\le}$ as we shall see in Section 4.3.

Subtyping Recursive Types

For dealing with iso-recursive subtyping, we employ the recent nominal unfolding rules (Zhou et al., Reference Zhou, Oliveira and Fan2022), which have equivalent expressive power to the well-known (iso-recursive) Amber rules (Cardelli, Reference Cardelli1985). The nominal unfolding rules have been discussed in Section 2.1. The reason for choosing the nominal unfolding rules is that they enable us to prove important metatheoretical results, such as transitivity, and develop an algorithmic formulation of subtyping.

We extend the rule S-nominal to the rule S-rec in $F_{\le}^{\mu}$ , by bounding recursive variables with $\top$ when they are introduced into the context. Therefore, recursive variables are also treated as universal variables, and we do not need to adjust the form of contexts in $F_{\le}$ for $F_{\le}^{\mu}$ . Apart from this, no other changes are necessary, making the addition of recursive types mostly noninvasive. Consequently, the proofs of narrowing, reflexivity, and transitivity are the same as the original one for $F_{\le}$ , except for the new cases dealing with recursive types and minor adjustments to the rule of bounded quantification due to the generalization to equivalent bounds. For those new cases, the proofs are all straightforward from the induction hypothesis.

The Unfolding Lemma

Another important lemma is the unfolding lemma, which reveals that, if two recursive types are subtypes, then their unfoldings are also subtypes. The unfolding lemma is important for proving type preservation in a calculus with iso-recursive subtyping. A key difficulty in the formalization of $F_{\le}^{\mu}$ is proving the unfolding lemma which, due to the presence of bounded quantification, requires a different proof technique compared to the proofs by Zhou et al. (Reference Zhou, Oliveira and Fan2022). We discuss the proof of the unfolding lemma in Section 4.1.

Syntax and Subtyping

The syntax of the full $F_{\le}^{\mu}$ is identical to that of the kernel $F_{\le}^{\mu}$ (Section 3.1). As for the subtyping rules, rule S-equivall is replaced by rule S-fullall in full $F_{\le}^{\mu}$ .

The only distinction between these two rules lies in the variance of the bounds: rule S-fullall permits contravariance, allowing $A_2$ to be a subtype of $A_1$ , whereas rule S-equivall demands $A_2$ to be equivalent to $A_1$ . The change to the subtyping rules in full $F_{\le}^{\mu}$ does not impact many subtyping lemmas, such as reflexivity (Theorem 3.3) and transitivity (Theorem 3.4), which remain provable by reusing proof techniques from $\textrm{full}~F_{\le}$ . However, as we shall see in Section 4.1, the unfolding lemma (Lemma 3.5) needs a different proof technique due to the presence of contravariant bounds in full $F_{\le}^{\mu}$ . In Section 4.1, we will present a new generalized unfolding lemma that can be proved in both kernel and full $F_{\le}^{\mu}$ . With this new lemma, we can prove the unfolding lemma (Lemma 3.5) for full $F_{\le}^{\mu}$ .

Structural Unfolding Lemma

Since the typing rules that we adopt for fold/unfold expressions are the structural rules, which generalize the conventional rules, we need a more general form for the unfolding lemma. The generalization of the lemma is necessary for the type preservation proof with the structural folding/unfolding rules. We call the new lemma the structural unfolding lemma:

In this lemma, in the one-step unfolding the recursive types substituted in the bodies are, respectively, a supertype and a subtype of ${\mu{\alpha}}.{A}$ and ${\mu{\alpha}}.{B}$ . In contrast, in the unfolding lemma proposed by Zhou et al. (Reference Zhou, Oliveira and Fan2022), the recursive types that get substituted in the bodies are the same. As Sections 4.1 and 5.3 will discuss, both forms of the unfolding lemma can be proved using a more general lemma.

Type Soundness

To see how the structural unfolding lemma is used in the proof of type preservation, let us consider the typing derivation of an expression $\textsf{unfold}~[D']~(\textsf{fold}~[C']~e)$ in Figure 4. Starting from a closed expression, both C’ and D’ must be recursive types; thus, we assume that C’ is ${\mu{\alpha}}.{C}$ and D’ is ${\mu{\alpha}}.{D}$ . The type of $\textsf{unfold}~[D']~(\textsf{fold}~[C']~e)$ becomes $[\alpha \mapsto {\mu{\alpha}}.{D} ]~B$ , and it should be a subtype of $[\alpha \mapsto {\mu{\alpha}}.{C} ] ~A$ , which is the type of reduction result e.

Fig. 4. Structural unfolding derivation.

The other parts of the type soundness proof are standard; thus, we have:

The Generalized Unfolding Lemma for Iso-Recursive Subtyping

We first review the unfolding lemma for the special case of iso-recursive subtyping without bounded quantification. Because the premise of the unfolding lemma is restricted to a subtyping relation between two recursive types ${\mu{\alpha}}.{A} \le {\mu{\alpha}}.{B}$ instead of two generic types A and B, a direct induction on the premise is problematic, as it fails to provide a useful induction hypothesis for reasoning with nominal unfoldings like , where the type after substitution may not be a recursive type. In Zhou et al. (Reference Zhou, Oliveira and Fan2022)’s work, the unfolding lemma is generalized to the following form:

1. 1. implies $\Gamma_1, \Gamma_2 \vdash [\alpha \mapsto {\mu{\alpha}}.{C}]~A \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B $ ;

2. 2. implies $\Gamma_1, \Gamma_2 \vdash [\alpha \mapsto {\mu{\alpha}}.{D}]~A \le [\alpha \mapsto {\mu{\alpha}}.{C}]~B $ .

Due to the tricky interaction between rule S-var and S-arrow, in the generalized unfolding lemma we need two mutually dependent lemmas: one for covariant cases (1) and the other for contravariant cases (2). The proof for Lemma 4.1 proceeds by induction on $\Gamma_1, \alpha, \Gamma_2, \vdash A \le B$ . In the inductive proof, we need to switch between covariance and contravariance. In particular, in the rule S-arrow case for functions, we need an induction hypothesis that arises from conclusion (2) to prove the contravariant premise $\Gamma \vdash B_1 \le A_1$ relating the input types of the function.

The Generalized Unfolding Lemma for $\textrm{kernel}~F_{\le}^{\mu}$

When bounded quantification is taken into account, Lemma 4.1 is unfortunately not general enough. The key difference is that now the contexts are no longer just a list of type variables but also associate a type bound with each type variable. Moreover, the bounds are dependent on the type variables in the order they appear so that in the context $\Gamma_2$ , the bounds may contain the type variable $\alpha$ . Since rule S-vartrans may look up a bound in the context $\Gamma_2$ , and compare it with the right-hand side of the subtyping relation, to apply the induction hypothesis, the bound type in the context should be equal to the substitution form as in the subtyping relation. To address this issue, Zhou et al. (Reference Zhou, Zhou and Oliveira2023) extend the unfolding lemma to the following form:

1. 1. implies $\Gamma_1,~ \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{C} ]~A \le [\alpha \mapsto {\mu{\alpha}}.{D} ]~B$ ;

2. 2. implies $\Gamma_1,~ \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{D} ]~A \le [\alpha \mapsto {\mu{\alpha}}.{C} ]~B$ .

We explain a few key points in the proof of Lemma 4.2 together with some proof sketches below.

Firstly, the context $\Gamma_2$ now comes with a substitution. Here, the syntax $\Gamma[\alpha \mapsto S]$ denotes that all the occurrences of $\alpha$ in context $\Gamma$ will be replaced by a specified type S. With substitutions in the context $\Gamma_2$ , in case S-vartrans,S-equivall, the premise from inversion can have the same form as the original premise and thus the induction hypothesis can be applied. For example, in case S-vartrans, assume that $A:=\beta$ , $B:=B$ , and $\Gamma_2$ contains a bound $\beta \le U$ . We need to prove the following goal:

$$\Gamma_1, \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash \beta \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B$$

By analyzing the context we know that $\beta \le [\alpha \mapsto {\mu{\alpha}}.{S}]~U \in \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ]$ , so we only need to show

$$\Gamma_1, \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{S}]~U \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B.$$

This can be proved by instantiating the induction hypothesis with $C:=S$ and $D:=D$ . In this way, we overcome the issue with the substitutions in the context $\Gamma_2$ .

Second, note that the substituted type is neither C nor D, but an intermediate type S that lies between C and D. This is to ensure that the induction hypothesis can be applied to both the contravariant and covariant subgoals in case S-arrow. Otherwise, consider an alternative lemma where S is fixed to be D. In case S-arrow, assume that $A:=A_1 \to A_2$ and $B:=B_1 \to B_2$ . We need to prove two subgoals:

1. 1. $\Gamma_1, \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{D} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{C}]~A_2 \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B_2 $

2. 2. $\Gamma_1, \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{D} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{D}]~B_1 \le [\alpha \mapsto {\mu{\alpha}}.{C}]~A_1 $

If one follows the original proof steps in Lemma 4.1, the induction hypothesis has to be instantiated with $C:=D$ and $D:=C$ so that the substitution matches with the two types in the subtyping relation for the contravariant subgoal (2). In that case, the substituted type in the context $\Gamma_2$ becomes ${\mu{\alpha}}.{C}$ , which cannot be used to prove the subgoal (2). Therefore, in Lemma 4.2 an intermediate type S is introduced to decouple the substitution in the context and in the subtyping relation for the function case. In other words, the invariant substitution with type ${\mu{\alpha}}.{S}$ to the context makes the induction hypothesis applicable to both subgoals, regardless of the substitution in the subtyping relation.

Finally, having the intermediate type S will not affect the inductive proof for case S-equivall in $\textrm{kernel}~F_{\le}^{\mu}$ . We assume that $A:=\forall({\beta}\le{A_1}).{A_2}$ and $B:=\forall({\beta}\le{B_1}).{B_2}$ . The goal would look like:

$$\Gamma_1, \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{C}]~\forall({\beta}\le{A_1}).{A_2} \le [\alpha \mapsto {\mu{\alpha}}.{D}]~\forall({\beta}\le{B_1}).{ B_2 }$$

After simplification and applying rule S-equivall, one of the goals becomes:

$$\Gamma_1, \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ],~ \beta \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B_1 \vdash [\alpha \mapsto {\mu{\alpha}}.{C}]~ A_2 \le [\alpha \mapsto {\mu{\alpha}}.{D}]~ B_2$$

To apply the induction hypothesis, we need to unify the new bound $\beta \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B_1$ and the existing context $\Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ]$ into the same substitution form. In other words, we need to show the following two environments are equivalent:

(4.1) \begin{equation} \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ],~ \beta \le [\alpha \mapsto {\mu{\alpha}}.{D}]~B_1 \equiv (\Gamma_2, \beta \le B_1) [\alpha \mapsto {\mu{\alpha}}.{S} ]\end{equation}

This can be done by showing that ${\mu{\alpha}}.{S}$ is equivalent to ${\mu{\alpha}}.{D}$ . To prove this, we rely on the fact that the bounds and are equivalent, and the following inversion lemma on substitution:

For the first case we get from Lemma 4.3, by the fact that S lies in the middle of C and D, we can show that all the three types ${\mu{\alpha}}.{C}$ , ${\mu{\alpha}}.{S}$ , and ${\mu{\alpha}}.{D}$ are equivalent. For the second case, since $\alpha$ is not in $A_1$ nor $A_2$ , we can freely rewrite the substituted types to any types in the context. In either case, the rewriting in (4.1) can be achieved, so that the induction hypothesis can be applied to the subgoal. The critical point here is that, although the substitution form in the context is indeed affected by the new bound introduced by rule S-equivall, since $\textrm{kernel}~F_{\le}^{\mu}$ requires all pairs of the bounds in the subtyping relation to be equivalent, the type S will converge into the types C and D in the end.

The Generalized Unfolding Lemma for Kernel $F_{\le\ge}^{\mu}$

In Zhou et al. (Reference Zhou, Zhou and Oliveira2023)’s work, an extension to $\textrm{kernel}~F_{\le}^{\mu}$ is proposed, called $F_{\le\ge}^{\mu}$ , which extends $\textrm{kernel}~F_{\le}^{\mu}$ with lower bounded quantification and bottom types. It is worth noting that these new features will break the proof of Lemma 4.2 we have discussed above. The interaction of lower bounds and upper bounds invalidates the following inversion lemma for S-vartrans, which has been used to prove Lemma 4.2:

In Lemma 4.2, there is more than one subtyping statement on the premises related to type A and B. During the proof we do induction on the premise (1), and use the inversion lemma to match the subderivation of with the induction hypothesis we get from the premise (1). Lemma 4.4 holds when the bounds in the context can only have one direction. However, when we have both kinds of bounds in the context, a counterexample can be found as follows:

$$x \le \top, y \ge x \vdash x \le y \quad \Longrightarrow\mkern-24mu\backslash\mkern+12mu \quad x \le \top, y \ge x \vdash \top \le y$$

To avoid using this inversion lemma in the proof of unfolding lemma, we need to refine the generalized unfolding lemma for $\textrm{kernel}~F_{\le}^{\mu}$ :

1. 1. $\Gamma_1,~\alpha \le \top,~\Gamma_2 \vdash A$ and $\Gamma_1,~\alpha \le \top,~\Gamma_2 \vdash B$ ;

2. 2. ;

3. 3. G differs from only in the components labeled by , where can be replaced by that satisfies $\Gamma_2 \vdash {\mu{\alpha}}.{S} \le {\mu{\alpha}}.{T}$ and $\Gamma_2 \vdash {\mu{\alpha}}.{T} \le {\mu{\alpha}}.{S}$ ,

then

1. 1. $\Gamma_1 \vdash {\mu{\alpha}}.{C} \le {\mu{\alpha}}.{S}$ and $\Gamma_1 \vdash {\mu{\alpha}}.{S} \le {\mu{\alpha}}.{D}$ implies $\Gamma_1,~ \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{C} ]~A \le [\alpha \mapsto {\mu{\alpha}}.{D} ]~B$ ;

2. 2. $\Gamma_1 \vdash {\mu{\alpha}}.{D} \le {\mu{\alpha}}.{S}$ and $\Gamma_1 \vdash {\mu{\alpha}}.{S} \le {\mu{\alpha}}.{C}$ implies $\Gamma_1,~ \Gamma_2[\alpha \mapsto {\mu{\alpha}}.{S} ] \vdash [\alpha \mapsto {\mu{\alpha}}.{C} ]~A \le [\alpha \mapsto {\mu{\alpha}}.{D} ]~B$ .

In the refined generalized unfolding lemma, we integrate the two subtyping statements into one statement, by having the premise (1) in Lemma 4.2 induced implicitly. This can be justified by the fact that the one-time unfolding is implicitly derived from the nominal unfolding:

To accommodate this change, the context is also refined to be more general, by allowing the substitution type in the subtyping context of premise (2) to be any type T equivalent to S. We omit the detailed proof for this lemma, since it was done in the appendix of Zhou et al. (Reference Zhou, Zhou and Oliveira2023) and is no longer used in the generalized unfolding lemma for $\textrm{full}~F_{\le}^{\mu}$ and $F_{\le\ge}^{\mu\wedge}$ we will present in this paper. However, the idea of using Lemma 4.6 to avoid the issue of using Lemma 4.4 still applies, as we will show next.

The Generalized Unfolding Lemma for $\textrm{full}~F_{\le}^{\mu}$

It is not straightforward to generalize the unfolding lemma to $\textrm{full}~F_{\le}^{\mu}$ . As we have seen in the last observation of Lemma 4.2, the proof relies on the fact that the bounds in the subtyping relation are equivalent, so that during the proof, the intermediate type ${\mu{\alpha}}.{S}$ can be rewritten to ${\mu{\alpha}}.{C}$ or ${\mu{\alpha}}.{D}$ . However, in $\textrm{full}~F_{\le}^{\mu}$ we use rule S-fullall, which fails to maintain the equivalence of the bounds. We need to consider a new approach to generalize the unfolding lemma for $\textrm{full}~F_{\le}^{\mu}$ .

If we revisit the use of the generalized substitution type S in the context $\Gamma_2$ in Lemma 4.2, we can see that, during the proof, in most cases we just pass the same type S around in the induction hypothesis. The exception is for the case of S-vartrans, where the type S is instantiated to C or D. This suggests that the issues with the unfolding lemma in $\textrm{full}~F_{\le}^{\mu}$ can be solved if we can find a different approach to the S-vartrans case and remove the intermediate type S from the generalized unfolding lemma. In that case, the requirement for the equivalent bounds can also be lifted.

To this end, we note that the introduction of the type S in Lemma 4.2 is essentially an over-generalization, since throughout the derivation of , only the substitution C or D will be introduced into the context. Thus, the generalized unfolding lemma can focus only on the substitution of C or D. However, in $\textrm{full}~F_{\le}^{\mu}$ , it can happen that we cannot find a uniform substitution type for the variable $\alpha$ in the context $\Gamma_2$ . Due to the contravariant subtyping in rule S-ARROW, the substitutions can flip between the two sides of the subtyping relation, so both C and D can be introduced into the context. Therefore, we define the following notion of related contexts to characterize such contexts:

Definition 4.7 (Related contexts). Given a type variable $\alpha$ , an initial context $\Gamma_0$ , and two types ${\mu{\alpha}}.{C}$ , ${\mu{\alpha}}.{D}$ , two contexts $\Gamma$ and $\Gamma_\mu$ are related, written , if they can be derived using the following rules:

The definition of related contexts is parameterized by a type variable $\alpha$ and a subtyping relation $\Gamma_0 \vdash {\mu{\alpha}}.{C} \le \mu \alpha. ~D$ .Footnote ³ As we will see, the two contexts $\Gamma$ and $\Gamma_\mu$ are essentially the subtyping contexts that will be used in the generalized unfolding lemma for the premise and the conclusion, respectively. They extend the context $\Gamma_0$ with new bindings that are either under the substitution C or D. Moreover, each pair of bindings in the two contexts should be matched in terms of the substitution type C or D and the base type A should be the same. For example, consider the following instance of the unfolding lemma we aim to prove:

By definition, $\Gamma_1$ and $\Gamma_2$ are related under the subtyping relation $\cdot \vdash {\mu{\alpha}}.{C} \le {\mu{\alpha}}.{D}$ , that is, . When proving the above goal, for the contravariant case of function types, we need to show that the following holds:

To prove this by induction, $\Gamma_1$ and $\Gamma_2$ should be related under the subtyping relation $\cdot \vdash {\mu{\alpha}}.{D} \le {\mu{\alpha}}.{C}$ , which flips the order of ${\mu{\alpha}}.{C}$ and ${\mu{\alpha}}.{D}$ in the parameter of the related contexts. This is possible because the related contexts are defined to be symmetric in terms of the substitution types C and D. This flexibility allows us to prove the generalized unfolding lemma for $\textrm{full}~F_{\le}^{\mu}$ without the need for the intermediate type S as in Lemma 4.2 to handle the contravariance.

With the notion of related contexts, we can prove inversion lemmas for looking up the bounds in the related contexts:

1. 1. there exists U’, s.t. and $\beta \le [\alpha \mapsto {\mu{\alpha}}.{C} ] U' \in \Gamma_\mu$ , or

2. 2. there exists U’, s.t. and $\beta \le [\alpha \mapsto {\mu{\alpha}}.{D} ] U' \in \Gamma_\mu$ .

We can now state the generalized unfolding lemma for $\textrm{full}~F_{\le}^{\mu}$ :

1. 1. implies $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{C}]A \le [\alpha \mapsto {\mu{\alpha}}.{D}]B$

2. 2. implies $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{D}]A \le [\alpha \mapsto {\mu{\alpha}}.{C}]B$

3. 3. implies $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{C}]A \le [\alpha \mapsto {\mu{\alpha}}.{C}]B$

4. 4. implies $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{D}]A \le [\alpha \mapsto {\mu{\alpha}}.{D}]B$

Compared to previous versions of the unfolding lemma, in addition to conclusion (1) and (2), which talk about the covariant and contravariant substitutions, now we add two more conclusions (3) and (4) for the case where the substitutions are the same as C or D. As we will show in the proof sketch below, these two additional conclusions generate useful induction hypotheses for the proof of rule S-vartrans so that we no longer need to rely on the intermediate type S as we did in Lemma 4.2. Moreover, we follow the same approach as in Lemma 4.9 to drop the premise of $A \le B$ and avoid the use of inversion lemmas.

• • Rule S-vartrans: We show the proof goal (1) here. Assume $A = \beta$ , where $\beta \le U \in \Gamma$ , and , by Lemma 4.8 we get two cases:

  1. • There exists U’, and $\beta \le [\alpha \mapsto {\mu{\alpha}}.{C} ] U' \in \Gamma_\mu$ . We need to show $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{C} ] U' \le [\alpha \mapsto {\mu{\alpha}}.{D} ] B$ . We can apply IH(1) directly.

  2. • There exists U’, and $\beta \le [\alpha \mapsto {\mu{\alpha}}.{D} ] U' \in \Gamma_\mu$ . We need to show $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{D} ] U' \le [\alpha \mapsto {\mu{\alpha}}.{D} ] B$ . We can apply IH(4) directly. Note that in this case, the substituted type on both sides is D, which motivated us to state cases (3) and (4) in the lemma.

The proof for the other cases is similar to this one, by first applying Lemma 4.8 to get the corresponding cases, and then choosing the induction hypothesis that applies to complete the proof.

• • Rule S-arrow: Assume $A = A_1 \rightarrow A_2$ and $B = B_1 \rightarrow B_2$ , for proof goal (1), we need to prove two subgoals:

  1. • $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{D} ] B_1 \le [\alpha \mapsto {\mu{\alpha}}.{C} ] A_1$

  2. • $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{C} ] A_2 \le [\alpha \mapsto {\mu{\alpha}}.{D} ] B_2$

The covariant subgoal (2) follows from IH(1) directly. In subgoal (1), due to the contravariant subtyping, the substituted types are flipped in the subtyping relation. Therefore, we need to apply IH(2) to complete the proof. The proof of subgoal (2) is similar to the proof of subgoal (1), by applying IH(1) to the contravariant subgoal, and IH(2) to the covariant subgoal. For subgoals (3) and (4), the induction hypothesis can be applied directly since the substituted types are the same on both sides.

• • Rule S-fullall: Assume $A = \forall({\beta}\le{B_1}).{A_1}$ and $B = \forall({\beta}\le{B_2}).{A_2}$ . We show the proof of goal (1) here. In this case, we need to prove two subgoals:

  1. • $\Gamma_\mu \vdash [\alpha \mapsto {\mu{\alpha}}.{D} ] B_2 \le [\alpha \mapsto {\mu{\alpha}}.{C} ] B_1$

  2. • $\Gamma_\mu, \beta \le [\alpha \mapsto {\mu{\alpha}}.{D} ] B_2 \vdash [\alpha \mapsto {\mu{\alpha}}.{C} ] A_1 \le [\alpha \mapsto {\mu{\alpha}}.{D} ] A_2$

The proof of subgoal (1) is similar to the proof of subgoal (1) in the S-arrow case, by applying IH(2) to the contravariant subgoal. Next, in order to apply IH(1) to the covariant subgoal (2), we need to show that the context and $(\Gamma_\mu, \beta \le [\alpha \mapsto {\mu{\alpha}}.{D} ] B_2)$ are related, which follows from the definition of related contexts. Therefore, we can apply IH(1) to complete the proof. The proof of other goals is similar to the proof of goal (1). Thanks to our definition of related contexts, we do not need to worry about whether the substituted type is C or D when we add a new binding into the context in the proof of subgoal (2).

To conclude, in this generalized unfolding lemma, we introduce two more conclusions for the case where the substitutions are the same as C or D, and we define related contexts to characterize the contexts that will be used in the proof. In this way, we prove the case of rule S-vartrans without the need for an intermediate type S, so that rule S-fullall can be handled as well. In fact, the proof technique we use here is quite general. We also redevelop a generalized unfolding lemma for $\textrm{kernel}~F_{\le}^{\mu}$ using the same approach as in $\textrm{full}~F_{\le}^{\mu}$ . As we will see, this generalized unfolding lemma can also be used to prove $F_{\le\ge}^{\mu\wedge}$ , without the need for significant changes.

Conservativity of Subtyping

Our conservativity result for subtyping is relatively easy to establish:

Here, the well-formedness conditions ensure that $\Gamma$ , A, and B must be respectively a valid $F_\le$ environment, and valid $F_\le$ types. That is they cannot contain recursive types (or record types). Therefore, the lemma states that for environments and types without recursive types, the two subtyping relations (for $F_\le$ and $F_{\le}^{\mu}$ ) are equivalent, accepting the same statements.

The proof of this lemma is straightforward, except for the case of rule S-equivall from $F_{\le}^{\mu}$ to $F_{\le}$ , as the rule S-kernelall in $F_{\le}$ requires the two types to be exactly the same instead of being equivalent. This is easy to fix, given that $\textrm{kernel}~F_{\le}$ subtyping is antisymmetric. This property was shown by Baldan et al. (Reference Baldan, Ghelli and Raffaetà1999) for a restricted form of F-bounded quantification, and we adapt their proof to our setting. The antisymmetry property is stated as follows:

Conservativity of Typing

It is straightforward to obtain one direction of the conservativity result, from a typing relation in $F_{\le}$ to a typing relation in $F_{\le}^{\mu}$ . As for the reverse direction, the situation is more complicated. If we want to derive $\Gamma \vdash_F e : A $ from $\Gamma \vdash e : A $ , when doing induction, for the subsumption case (rule typing-sub), we need to guess an intermediate type. However, we do not know if it involves recursive types or not. Consider the following example:

Although the final judgment $\vdash \lambda x.~x : \top$ does not involve recursive types, the typing subderivations can contain recursive types. As a result, the induction hypothesis cannot be applied.

This problem can be addressed by employing the algorithmic formulation of $F_{\le}^{\mu}$ , shown in Section 3.4. With algorithmic typing, we can have more precise information about the types of an expression, since algorithmic typing always gives the minimum type. Therefore, it can be proved that, for expressions that do not use fold/unfold constructors, their minimum types do not contain recursive types either. We state this property as the conservativity lemma for subtyping:

Now, given a typing relation $\Gamma \vdash e:A$ in $F_{\le}^{\mu}$ , we first use the minimum typing property (Theorem 3.10) to obtain its minimum type B such that $\Gamma \vdash_a e:B$ and $\Gamma \vdash B \le A$ . Applying Lemmas 4.12 and 4.10, we complete the conservativity proof for the declarative version of $F_{\le}^{\mu}$ .

Decidability of $\textrm{kernel}~F_{\le}$

It is well known that bounded quantification for $\textrm{full}~F_{\le}$ is undecidable (Pierce, Reference Pierce1994). However, for $\textrm{kernel}~F_{\le}$ , identical bounds make the system decidable. A common practice is to define a weight function to compute the size of a type (Pierce, Reference Pierce2002):

For a universal type, we store its bound into a context $\Gamma$ , and when we meet the universal variable, we retrieve its bound from the context and compute the size recursively. Since the size of a conclusion is always greater than any premise, this measure can be used to show that the subtyping algorithm in $\textrm{kernel}~F_{\le}$ terminates for all inputs.

Decidability of Nominal Unfoldings

The nominal unfolding rule in simple calculi with subtyping is also decidable (Zhou et al., Reference Zhou, Oliveira and Fan2022). Compared with $\textrm{kernel}~F_{\le}$ , the decidability proof of nominal unfoldings is trickier. Based on the substitution of the type body, after every unfolding, the size of types will increase. Thus, a straightforward induction on the size of types does not work. Zhou et al. (Reference Zhou, Oliveira and Fan2022) choose a size measure based on an over-approximation of the height of the fully unfolded tree. Concretely, the height of a type A in a measure context $\Psi$ ( $\Psi := \cdot ~|~ \Psi,\alpha \mapsto i$ , where i is a natural number) is defined as:

The size measure of a type A is defined as $\textit{height}(A)$ where the context is empty. In contrast to $\textrm{kernel}~F_{\le}$ , the context here is used to store the size of the corresponding recursive variables. The key design in the height function is that the measure of a recursive type ${\mu{\alpha}}.{A}$ is computed by first setting the measure of the recursive variable to 0 and then computing the measure of the body, which achieves the effect of measuring the type body A considering $\alpha$ as a free variable. The computed measure is then incremented by one to account for the labeled type , then $\textit{height}(A)$ is computed again with the context updated for the recursive variable, so that intuitively the result of $\textit{height}({\mu{\alpha}}.{A})$ measures the size of plus one. Zhou et al. (Reference Zhou, Oliveira and Fan2022) prove that such height measure works well with nominal unfolding rules, as the height of a type will precisely decrease by one for every nominal unfolding.

Decidability of Kernel $F_{\le}^{\mu}$

To combine these two approaches, we need to extend the measure of nominal unfoldings with the measure of $\textrm{kernel}~F_{\le}$ in a seamless manner. One easy fix to unify the two measures is to use the maximum function for both measures, as the nominal unfolding measure does. However, there are three remaining main challenges that we must address:

• • Inconsistent measures for variables: In the height function, type variables are treated as base cases, whereas in the weight function, the computation continues by retrieving the variable’s bound from the context. In kernel $F_{\le}^{\mu}$ , we do not distinguish between recursive and universal variables, so we need to find a unified way to measure variables.

• • Different purposes of contexts: The context in the weight function straightforwardly keeps track of universal bounds, which are later retrieved to compute the measure of a universal variable. This ensures that the premises in rule S-vartrans have smaller type measures than the conclusion. However, this trick does not work for nominal unfoldings, as shown by the case $\textit{height}_{\Psi}({\mu{\alpha}}.{A})$ , where the context is extended with two different measures for the same variable at different points in the computation to simulate the nominal unfolding. This discrepancy complicates the unification of the two measures.

• • Loss of measure information with equivalent bounds: We use rule S-equivall instead of the standard rule S-kernelall for $F_{\le}$ . Given the equivalent bounds in $\textrm{kernel}~F_{\le}$ , the measure for the subtyping relation $\Gamma \vdash \forall({\alpha}\le{A_1}).{B_1} \le \forall({\alpha}\le{A_2}).{B_2}$ includes the measures of $A_1$ , $A_2$ , $B_1$ , and $B_2$ . However, the measure for the premise $\Gamma,\alpha\le A_2 \vdash B_1 \le B_2$ loses the measure of $A_1$ because it is not stored.

We first show the measure used for the decidability of kernel $F_{\le}^{\mu}$ and then discuss how it addresses the concerns above. The measure is relatively simple and based on the approach from Zhou et al. (Reference Zhou, Oliveira and Fan2022). We use the same context $\Psi :=\cdot \mid \Psi, \alpha \mapsto i$ and now it is used to store the measures of (both universal and recursive) variables during the measure computation. Then, a measure function $\textit{size}_{\Psi}(A)$ , is defined on types as follows:

The formulation of the size function is very similar to the height function. We have an extra rule for universal types and slightly adjust the variable and recursive cases. The measure of universal types is the sum of the measure of the bound and the measure of the body. For variables, one is added when they are retrieved. Accordingly, we do not need to add one when storing the size of recursive variables into the context. For atomic constructs, we follow the weight function and measure them as 1.

We solve the first challenge in a straightforward way: there is no need to distinguish between recursive and universal variables. The fact that all recursive variables in the context are bounded by a top type whose measure is simply the one that fits our needs naturally.

As for the second concern, despite the different purposes of contexts, the key ideas of measuring types in $\textrm{kernel}~F_{\le}$ and nominal unfoldings are the same: they both relate the measure of a variable to what the variable will be substituted with in the context of the subtyping rule, either its unfolded form as a labeled type or its bound type. A slight modification is made based on the definition of weight. In the weight function, for a universal variable, its bound is first retrieved and then the measure is computed. To align with the “pre-computation” mechanism of measuring nominal unfoldings ( $i := \textit{size}_{\Psi, \alpha \mapsto 1}(A)$ ), we also pre-compute the measure of the bound ( $i := \textit{size}_{\Psi}(A)$ ) in the size function so that we retrieve the measure instead of the type bound from the context. In a well-formed type, variables are guaranteed to be unique, so we can use a single context $\Psi$ to store the measures for both recursive variables and universal variables.

A subtler issue arises with variables in the initial subtyping context. When measuring nominal unfoldings, the context in a subtyping relation is simply a list of variables, without any bound information, so variables that occur freely can be counted as 0 in the height function. In contrast, now the subtyping context stores the bound information, and the measures of bounds play a role in deciding the subtyping relation. To address this issue, we need to make sure that the bound information is pre-computed in the measure function. We transform a subtyping context into an environment containing measures $\Psi$ , which track universal variables. In our decidability proof statement (Lemma 4.14), $\Psi$ is computed from the subtyping context $\Gamma$ by an evaluation function $eval : \Gamma \hookrightarrow \Psi$ , defined as:

$$\begin{array}{l c l} \textit{eval}(\cdot) &=& \cdot \\ \textit{eval}(\Gamma',~x : A) &=& \textit{eval}(\Gamma') \\ \textit{eval}(\Gamma',~\alpha \le A) &=& \textrm{let } \Psi' = \textit{eval}(\Gamma') \textrm{ in } \Psi', \alpha \mapsto \textit{size}_{\Psi'}(A) \\\end{array}$$

With both eval and size, we can then state the decidability theorem:

As for the third concern, note that in $F_{\le}$ , the subtyping relation is antisymmetric (Baldan et al., Reference Baldan, Ghelli and Raffaetà1999). Adding recursive types does not change the property of antisymmetry. However, the addition of records makes the subtyping relation not antisymmetric: two equivalent record types may be syntactically different. The lack of antisymmetry poses a challenge to our decidability proof, particularly for rule S-equivall. Nevertheless, for $\textrm{kernel}~F_{\le}^{\mu}$ two equivalent records must have the same set of fields, and the two types for each field must be equivalent. Therefore, the measures of two equivalent record types remain the same. As a result, the measure of two equivalent bounds $A_1$ and $A_2$ is equal, as Lemma 4.17 describes. The measure information of type $A_1$ can therefore be reconstructed from type $A_2$ , addressing the final concern with decidability.

Undecidability of Subtyping $\textrm{full}~F_{\le}^{\mu}$

It is well known that the $\textrm{full}~F_{\le}$ subtyping relation is undecidable (Pierce, Reference Pierce1994). Although the original formulation of $\textrm{full}~F_{\le}$ includes the transitivity rule, it can be reformulated into a syntax-directed version (Curien & Ghelli, Reference Curien and Ghelli1992) that eliminates the transitivity rule, as we have adopted in $F_{\le}^{\mu}$ . The syntax-directed version of $F_{\le}$ naturally forms a subtype checking algorithm. However, for $\textrm{full}~F_{\le}$ , Ghelli (Reference Ghelli1993) demonstrated a non-terminating example for the subtyping algorithm. Furthermore, Pierce (Reference Pierce1994) proved the undecidability of $\textrm{full}~F_{\le}$ by encoding a Turing machine using $\textrm{full}~F_{\le}$ . Since we have shown in Section 4.2 that $\textrm{full}~F_{\le}^{\mu}$ is conservative over the syntax-directed version of $\textrm{full}~F_{\le}$ , Ghelli (Reference Ghelli1993)’s counterexample for $\textrm{full}~F_{\le}$ also applies to $\textrm{full}~F_{\le}^{\mu}$ . Therefore, the undecidability of $\textrm{full}~F_{\le}^{\mu}$ is a corollary of the undecidability of $\textrm{full}~F_{\le}$ and the conservativity of $\textrm{full}~F_{\le}^{\mu}$ over $\textrm{full}~F_{\le}$ .

Subtyping, Typing and Reduction

The well-formedness for the additional bottom types, single-field record types, and universal types with lower bounds are standard, as shown in Figure 6. For intersection types, we only allow single-field record types, or intersections of record types with distinct labels to be well formed. This can be characterized by a compatibility relation $A\,\#\,B$ between types. We make this simplified design choice to avoid the complexity of general unrestricted intersection types, which would cause trouble in the two key properties of the type system, namely the structural unfolding lemma (Lemma 5.11) and the decidability of subtyping (Theorem 5.14), as we will discuss in Section 5.3.

Fig. 6. Additional well-formedness and subtyping rules for $F_{\le\ge}^{\mu\wedge}$ with respect to $F_{\le}^{\mu}$ .

As for the subtyping rules, compared with $F_{\le}^{\mu}$ , we add rules S-bot,S-vartranslb,S-equivalllb for subtyping with bottom types and lower bounded quantification. The record subtyping rule S-rcd in $F_{\le}^{\mu}$ is now replaced by rule S-srcd for subtyping single-field record types together with S-andla,S-andlb,S-andr for subtyping intersection types. Note that in the subtyping rule for intersection types, we also add the compatibility restriction in the premise, to ensure the regularity of the subtyping relation (Lemma 5.1).

The new subtyping relation is reflexive and transitive:

Figure 7 shows the changes of $F_{\le\ge}^{\mu\wedge}$ with respect to $F_{\le}^{\mu}$ in terms of typing and reduction. For lower bounded quantification, we add rules typing-tapplb,typing-tabslb for typing and rule step-tabslb for reduction, which are simply dual forms of rules typing-tapp,typing-tabs, and step-tabs, respectively. For records, since the syntax of record expressions is unchanged, there are no further changes in the reduction rules. The typing rule for record projections is also simplified. Since record types are now represented by single-field record types, the projection of a record can be directly modeled by the subtyping relation. typing-rcdnil,typing-srcd form the typing rules for record expressions.

Fig. 7. Additional typing and reduction rules for $F_{\le\ge}^{\mu\wedge}$ with respect to $F_{\le}^{\mu}$ .

Structural Folding and Lower Bounded Quantification

The structural folding rule typing-sfold on recursive types has already been shown for $F_{\le}^{\mu}$ . Note that this rule is not strictly necessary for $F_{\le}^{\mu}$ , because a recursive type can only be a subtype of another recursive type or the $\top$ type. Thus, the effect of structural folding in $F_{\le}^{\mu}$ can be subsumed by other subtyping/typing rules. Perhaps for this reason, Abadi et al. (Reference Abadi, Cardelli and Viswanathan1996) have only considered a structural unfolding rule. However, in $F_{\le\ge}^{\mu\wedge}$ , a recursive type can also be a subtype of a type variable. In this case, the structural folding rule can give the desired typings to the $\textsf{Add}_{\forall}$ constructors of the $\textsf{Exp}_1$ and $\textsf{Exp}_2$ datatypes that we have presented in Section 2.2, while the standard folding rule cannot. The rule typing-sfold has the same form in $F_{\le\ge}^{\mu\wedge}$ as in $F_{\le}^{\mu}$ . Therefore, we believe that the structural folding rule that we have proposed, together with the structural unfolding lemma in the metatheory, is broadly applicable to various type system extensions to $F_{\le}^{\mu}$ .

Type Soundness

Our type soundness proof for $F_{\le\ge}^{\mu\wedge}$ is standard:

Record Exposure

Furthermore, for typing record projections, recall that in the declarative rule typing-sproj, the lookup of the field label l is implied by the implicit subtyping between the expression type and the single-field record type for $\{l:A\}$ . In the algorithmic system, we need to find a mechanism to find such A. Therefore, we define a new exposure relation for record types in $F_{\le\ge}^{\mu\wedge}$ . The record exposure relation $\Gamma \vdash A \Rightarrow_l B$ indicates that from the type A we can lookup the field label l and get the type B. We show the full definition of the record exposure relation in Figure 9. Note that, in addition to single-field record types (rule XR-srcd) and intersection types (Rules XR-anda,XR-andb,XR-andr), one can also lookup $\bot$ from $\bot$ (XR-bot), as well as upper bounds from upper bounded variables (XR-promote). With the record exposure relation, we define atyp-sproj for record projections to replace atyp-proj in $F_{\le}^{\mu}$ . The record exposure relation is sound and complete for the subtyping relation $A \le \{l:B\}$ .

1. 1. If $\Gamma \vdash A \Rightarrow_l B$ then $\Gamma \vdash A \le \{l:B\}$ .

2. 2. If $\Gamma \vdash A \le \{l:B\}$ then there exists C such that $\Gamma \vdash A \Rightarrow_l C$ and $\Gamma \vdash C \le \{l:B\}$ .

With these considerations in the algorithmic typing rules, we prove the soundness and completeness of the algorithmic typing system with respect to the declarative typing rules defined in Figure 7.

Unfolding Lemma

As discussed in Section 4.1, in a type system that simultaneously allows introducing lower and upper bounded types, the inversion lemma for rule S-vartrans (Lemma 4.4) is not valid. This is exactly the case for $F_{\le\ge}^{\mu\wedge}$ . To resolve this issue, the unfolding lemmas should only state the subtyping relation between the nominal unfoldings and remove the one-step unfolding relation $A \le B$ from the premise. Therefore, we use the same statement of the generalized unfolding lemma as in $\textrm{full}~F_{\le}^{\mu}$ (Lemma 4.9), under an extended version of related contexts (Definition 4.7) that takes lower bounded bindings into account. It turns out that, with only changes of the proof in cases S-equivall and S-equivalllb, the generalized unfolding lemma can be proved for $F_{\le\ge}^{\mu\wedge}$ as well, which results in the following unfolding lemma for $F_{\le\ge}^{\mu\wedge}$ .

To prove type soundness, we need to show the structural unfolding lemma. If we check the typing derivation with structural folding and unfolding illustrated in Figure 4 again in $F_{\le\ge}^{\mu\wedge}$ , we can see that by inversion on the subtyping relation $\cdot \vdash {\mu{\alpha}}.{A} \le C'$ and $\cdot \vdash D' \le {\mu{\alpha}}.{B}$ , we can no longer guarantee that C’ and D’ are recursive types, since they can also be intersection types. To remedy this, the compatibility relation $A \,\#\,\, B$ is enforced by the well-formedness of intersection types so that intersection types can only be formed from single-field record types, not by recursive types. We can prove the following lemma to derive a contradiction for the case of intersection types and recover the structural unfolding lemma as well as type soundness for $F_{\le\ge}^{\mu\wedge}$ .

Decidability

The interaction between bottom types and rule S-equivall breaks the measure-based decidability proof in Section 4.3. The bottom type in $F_{\le\ge}^{\mu\wedge}$ brings a new form of equivalent types: when $ \alpha \le \bot \in \Gamma$ , one can derive that $\Gamma \vdash \alpha \le \bot$ and $\Gamma \vdash \bot \le\alpha$ , as observed by Pierce (Reference Pierce1997). Simply extending the measure function with $\textit{size}_{\Psi}(\bot) = 1$ will not work. For type variables, the measure function will recursively look up its bound in the context and add one to the measure of its bound, making a variable equivalent to $\bot$ to have a larger measure than $\bot$ . Therefore, replacing two equivalent types into the abstracted type body may not produce the same measures. We can construct derivations of rule S-equivall that have a larger measure in the premise than that of the conclusion, which makes the decidability proof fail with the current measure. For example, consider the following subtyping derivation:

If we follow the measure function defined in Section 4.3, the measure for the third premise is:

while the measure for the goal is

which can be less than the measure of the premise since $\gamma$ is assigned a smaller measure in the goal. A similar issue arises when a variable is lower bounded by $\top$ , making it equivalent to top types but with a different measure.

This issue can be resolved by replacing all the types whose supertype is $\bot$ with $\bot$ , and all the types whose subtype is $\top$ with $\top$ before computing the measure. That way, the subtyping relation $\alpha \le \bot,~\beta \le \alpha \vdash \forall({\gamma}\le{\alpha}).{A} \le \forall({\gamma}\le{\beta}).{B}$ becomes

$$\alpha \le \bot,~\beta \le \bot \vdash \forall({\gamma}\le{\bot}).{A} \le \forall({\gamma}\le{\bot}).{B}$$

and the measure works again. This idea can be implemented by modifying the measure function to identify upper/lower bounded variables that are equivalent to bottom/top types, as can be seen in Figure 10. The new bindings $\alpha \mapsto \bot$ and $\alpha \mapsto \top$ are used to store the measure of variables or indicate them as upper bounded by $\bot$ or lower bounded by $\top$ . Figure 10 shows the measures needed for the decidability of $F_{\le\ge}^{\mu\wedge}$ . The primary measure function is $\textit{size}_\Psi(A)$ . The main changes are in the cases for bounded quantification where we now use $\textit{isTop}$ and $\textit{isBot}$ functions to detect whether the bounds are, respectively, equivalent to top or bottom.

Fig. 10. The measures for the decidability of $F_{\le\ge}^{\mu\wedge}$ .

The $\textit{isTop}$ and $\textit{isBot}$ functions use the information in the measure context $\Psi$ to check whether the bound type A is equivalent to $\top$ or $\bot$ . If so, when the variable bounded by A is looked up in the context, it will have a measure of 1. The example above will now be resolved by the new measure function as follows:

In this way, we retain the important property that equivalent types have the same measure.

Note that in the proof of Lemma 5.12, in the case of intersection types, we make use of the compatibility relation $A \,\#\, B$ to ensure that any equivalent types have the same measure. Without the compatibility restriction, the labels may be duplicated within the intersection type, which will lead to a different measure for equivalent types. By limiting compatible types to single-field records and their intersections only, we also rule out the occurrence of $\top$ in intersection types, which will cause the same problem. With the new measure function, we can prove the decidability of subtyping and typing in $F_{\le\ge}^{\mu\wedge}$ .

Conservativity

The proof of conservativity for $F_{\le\ge}^{\mu\wedge}$ follows the same pattern as the proof for $F_{\le}^{\mu}$ . To prove conservativity of typing, we need the help of the algorithmic typing rules to obtain the minimum type of an $F_{\le}$ term. We have defined the algorithmic typing rules for $F_{\le\ge}^{\mu\wedge}$ and proved the completeness of the algorithmic typing rules in Section 5.2. With the algorithmic typing rules, conservativity for $F_{\le\ge}^{\mu\wedge}$ is straightforward.