Program extraction from normalization proofs

This paper describes formalizations of Tait's normalization proof for the simply typed λ-calculus in the proof assistants Minlog, Coq and Isabelle/HOL. From the formal proofs, programs are machine-extracted that implement variants of the well-known normalization-by-evaluation algorithm. The case study is used to test and compare the program extraction machineries of the three proof assistants in a non-trivial setting.


Introduction
We formalize a version of Tait's normalization proof for the simply typed λ-calculus and machine-extract a program which turns out to implement the well-known normalization-by-evaluation algorithm [6]. On paper, this has already been done by the first author in his contribution [4] to TLCA 1993. However, as is to be expected, the formalization turned out to be not at all a trivial matter, so it appears worthwhile to describe some of the choices which have simplified the task considerably. On the other hand, a full formalization of the proof is necessary for machine extraction of a program.
Here we carry this out for the proof assistants Minlog, Coq and Isabelle/HOL, which all have suitable program extraction machineries built in. This provides a useful occasion to test these machineries in a non-trivial setting and to compare the three proof assistants. The crucial questions, on which the formalizations diverge, are how to (1) model the simply typed λ-calculus, (2) represent in the given logical system the notions introduced in the proof (in particular Tait's strong computability predicates), and (3) optimize program extraction in order to get as close as possible to normalization-by-evaluation.
The paper is organized as follows. In Section 2 we recall Tait's approach, via so-called strong computability predicates, to a normalization proof and sketch the normalization-by-evaluation algorithm contained in that proof, following [4]. Section 3 describes two Minlog formalizations. The first proves weak normalization for λ-terms in de Bruijn notation with a Church-style typing, the second strong normalization for λ-terms with named variables and a Curry-style typing. In order to obtain optimized programs, the formalizations use two versions of quantifiers, with and without computational content. Another important detail is the fact that Tait's notion of computability of a term r, SC ρ (r), is defined as ∃a SCr ρ (a, r), where the relation SCr ρ (a, r) is axiomatized such that it expresses "a realizes SC ρ (r)". This has the effect that the computational content of Lemma 2 (stating that computability is closed under reverse head reduction, see Section 2) is the identity. The Coq formalization in Section 4 uses, like the first Minlog formalization, de Bruijn notation and Church-style typing, but takes advantage of the fact that Coq implements dependent type theory and thus is able to define Tait's computability predicates (in contrast, both Minlog formalizations need to describe these predicates axiomatically). This formalization is complete in the sense that all auxiliary lemmas are proven (unlike the Minlog and Isabelle/HOL formalizations, which take some computationally irrelevant lemmas as axioms). In fact, two formalizations are given, yielding programs for the long and the short η-normal form, respectively. The Isabelle/HOL formalization is described in Section 5; it is based on the second Minlog approach. The complete proof scripts are available at www.minlog-system.de in the directory examples/tait, at www.lri.fr/~letouzey/download/tait.tgz and at www4.in.tum.de/~berghofe/papers/Tait/.
Related normalization algorithms have been machine-extracted from formal proofs in the type-theoretic proof checker ALF (the precursor of AGDA) [10,9]. However, there the main ingredients of normalization-by-evaluation, the evaluation function and its inverse ↓ (see the end of Section 2), already show up explicitly in the proofs, while in our proof these components of the algorithm are implicit in the logical argument and are made explicit only by the extraction. There also exist formalized normalization proofs for systems such as the Calculus of Constructions [1], System F [3], the typed λ-calculus with coproducts [2] and λ-calculi with various weak reduction strategies [8], for which, however, no machine extraction of programs has been carried out.

The normalization proof
In this section we recall the normalization proof based on Tait's computability predicates given in [4]. The informally presented proof will serve as a template for all formalizations in this paper. At the end, we sketch the well-known normalization-by-evaluation algorithm contained in the proof.
Simple types are built from ground types ι by ρ ⇒ σ. The set Λ of terms is given by x σ , (λx ρ r σ ) ρ⇒σ , (r ρ⇒σ s ρ ) σ ; Λ ρ denotes the set of all terms of type ρ. β-reduction, r → s, and the long normal form, nf(r), are defined as usual. By rθ we denote the (correct) application of a substitution θ to a term r and by θ[z → t] the result of overwriting θ at z with t (if θ is omitted, the identity substitution is meant).
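To fix intuitions, the syntax just described can be modeled concretely. The following OCaml sketch (all names are ours, not part of the paper's development) represents simple types and Church-style terms with annotated variables, together with a function computing the type of a term; for brevity it does not check consistency of the variable annotations.

```ocaml
(* Hypothetical model of Section 2's syntax: simple types ι, ρ ⇒ σ and
   Church-style terms x^σ, λx^ρ. r, r s. *)
type tp = Iota | Arrow of tp * tp

type term =
  | Var of string * tp          (* x^σ: variable annotated with its type *)
  | Abs of string * tp * term   (* λx^ρ. r *)
  | App of term * term          (* r s *)

exception Ill_typed

(* Compute the (unique) type of a term; raises on ill-typed applications. *)
let rec type_of (r : term) : tp =
  match r with
  | Var (_, s) -> s
  | Abs (_, a, body) -> Arrow (a, type_of body)
  | App (f, s) ->
      (match type_of f with
       | Arrow (a, b) when a = type_of s -> b
       | _ -> raise Ill_typed)
```

In this reading, Λ ρ corresponds to the set of terms r with `type_of r` equal to (the representation of) ρ.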
We will work with the following relations:

F (r, k) :⇔ every index of a variable free in r is < k,
N ρ (r, s) :⇔ r, s are terms of type ρ and every β-reduction sequence r → … ends with a term having s as its long normal form,
A ρ (r, s) :⇔ r, s are terms of type ρ and of the form r = x r1 … rn and s = x s1 … sn with N ρi (ri, si) for i = 1, …, n,
H ρ (r, s) :⇔ r, s are terms of type ρ and of the form r = (λz σ .r1) t t1 … tn and s = r1[z → t] t1 … tn, where t is strongly normalizing, i.e. SN σ (t) holds (see below),
SN ρ (r) :⇔ ∀k (F (r, k) → ∃s N ρ (r, s)).
The (somewhat strange looking) definition of SN ρ (r) can be motivated by a computational reading: using a large enough index k we can construct a term s such that N ρ (r, s) holds. The point is that we avoid computing k from r (see Ax1 and Ax8 below). Tait's strong computability predicates, SC ρ , are defined by recursion on the type ρ:

SC ι (r) :⇔ SN ι (r),
SC ρ⇒σ (r) :⇔ ∀s (SC ρ (s) → SC σ (rs)).

The main proof, which consists of the traditional three lemmas below, will make use of the facts Ax1-11.
In the Minlog and the Isabelle/HOL formalizations these facts will be taken as axioms. This does not affect program extraction, because these axioms are all Harrop formulas, i.e. have no strictly positive occurrence of an existential quantifier, and hence have no computational content. On the other hand, in the Coq formalization Ax1-11 will be proven. Since Ax1 is not so obvious we give an informal proof (of a generalization of it): Lemma. If N σ (rx, s), where x is not free in r, then N ρ⇒σ (r, λx ρ s).
Proof. Any reduction sequence r → … must be finite, since otherwise we would have an infinite reduction sequence rx → …, contradicting the assumption N σ (rx, s). Hence r → … → r′ where r′ is in β-normal form. If r′ is of the form λy t, then r′ =α λx t[y → x], since x is not free in r′. Consequently nf(r′) = λx nf(t[y → x]) = λx s, because rx →* r′x → t[y → x] and t[y → x] is in β-normal form. If r′ is of the form y t1 … tn, then nf(r′) = λx.nf(y t1 … tn x) = λx s, since x is not free in y t1 … tn and rx →* y t1 … tn x where y t1 … tn x is β-normal.
Lemma 1. (a) SC ρ (r) → SN ρ (r). (b) SA ρ (r) → SC ρ (r), where SA ρ (r) :⇔ ∀k (F (r, k) → ∃s A ρ (r, s)).

Proof. Induction on ρ. We will drop type indices if they are not relevant or can be inferred from the context. Case ι. (a) holds by definition. (b). Assume SA(r), that is ∀k (F (r, k) → ∃s A(r, s)). We must show SC ι (r), that is ∀k (F (r, k) → ∃s N (r, s)). This follows from Ax2.
Lemma 2 (closure under reverse head reduction). If SC ρ (r′) and H ρ (r, r′), then SC ρ (r).

Proof. Induction on ρ. Case ι. Assume SC ι (r′), H(r, r′) and F (r, k). We must show N (r, s) for some s. Since SC ι (r′) there is an s such that N (r′, s), by Ax11. For the same s we have N (r, s), by Ax5.
Theorem (Strong Normalization).For every typable term r there is a term s such that N (r, s).
A "weak" version of the normalization theorem above is obtained by replacing in the definition of the predicate N the word "every" by "there exists a", the word "ends" by "which ends", and by dropping in the definition of the predicate H the premise "SN σ (t)". Then the facts Ax1-11 still hold, where in Ax6 the SN-premise has to be dropped. As is to be expected, the change from strong to weak normalization does not affect the extracted programs. In the first Minlog, the Coq and the Isabelle/HOL formalizations we work with the (slightly simpler) weak version, while the second Minlog formalization is based on the strong version.

Normalization-by-evaluation
The algorithm contained in the proof above can be briefly described as follows. Let Λ ρ be the (meta)type of λ-terms of (object)type ρ, and define C ι := nat ⇒ Λ, C ρ⇒σ := C ρ ⇒ C σ , together with functions ↓ ρ : C ρ ⇒ (nat ⇒ Λ) and ↑ ρ : (nat ⇒ Λ) ⇒ C ρ (called "reify" and "reflect"), by ↓ ι (g) := ↑ ι (g) := g and

↓ ρ⇒σ (f)(k) := λx k ↓ σ (f(↑ ρ (λl x k )))(k + 1),
↑ ρ⇒σ (g)(a) := ↑ σ (λl. g(l)(↓ ρ (a)(l))).

Let [[r ρ ]] ↑ denote the "value" of the term r in C ρ under the variable assignment ↑(x σ ) := ↑ σ (λl x). Then for any k such that F (r, k) holds we have ↓([[r]] ↑ )(k) = nf(r). The relations to the proof are as follows: ↓ and ↑ are the computational content of Lemma 1 (a),(b), while the evaluation function, [[·]], is the content of Lemma 3. The content of Lemma 2 is the identity. These relations were established in [4] in a semi-formal manner, and the algorithm was extended to higher-order rewrite systems in [5]. The challenge of this paper is to obtain normalization-by-evaluation fully automatically by machine-extraction.
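For readers who prefer to see the algorithm as a program, here is a compact OCaml sketch of normalization-by-evaluation for the simply typed λ-calculus. It is our reconstruction, not the extracted code: it uses de Bruijn terms and the standard level-to-index convention for fresh variables, in place of the term families over nat used above, and the semantic values inhabit a single recursive datatype playing the role of the universal type ω.

```ocaml
type tp = Iota | Arrow of tp * tp

(* de Bruijn terms; Abs carries the domain type, Church-style *)
type term = Var of int | App of term * term | Abs of tp * term

(* semantic values: a sum of all C ρ, i.e. a solution of
   sem = (int -> term) + (sem -> sem) *)
type sem =
  | Syn of (int -> term)   (* a neutral term, parametrized by the next fresh level *)
  | Fun of (sem -> sem)

(* reflect (↑): make a neutral term family act as a semantic value *)
let rec reflect (rho : tp) (t : int -> term) : sem =
  match rho with
  | Iota -> Syn t
  | Arrow (a, b) ->
      Fun (fun d -> reflect b (fun k -> App (t k, reify a d k)))

(* reify (↓): read a semantic value back as a (long normal) term;
   k is the number of variables bound so far *)
and reify (rho : tp) (d : sem) (k : int) : term =
  match rho, d with
  | Iota, Syn t -> t k
  | Arrow (a, b), Fun f ->
      (* bind a fresh variable at level k; a level j variable read back
         under k+... binders has de Bruijn index j - k - 1 *)
      Abs (a, reify b (f (reflect a (fun j -> Var (j - k - 1)))) (k + 1))
  | _ -> failwith "ill-typed semantic value"

(* evaluation [[.]] under an environment assigning values to indices *)
let rec eval (env : sem list) (t : term) : sem =
  match t with
  | Var n -> List.nth env n
  | Abs (_, r) -> Fun (fun d -> eval (d :: env) r)
  | App (r, s) ->
      (match eval env r with
       | Fun f -> f (eval env s)
       | Syn _ -> failwith "ill-typed application")

(* normal form of a closed term r of type rho: ↓(eval r)(0) *)
let nf (rho : tp) (r : term) : term = reify rho (eval [] r) 0
```

For instance, `nf (Arrow (Iota, Iota))` applied to `(λx:ι⇒ι. x) (λy:ι. y)` yields the identity `λy:ι. y`, without ever performing syntactic substitution.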

Minlog formalization
Minlog (www.minlog-system.de) is a proof assistant intended for reasoning about computable functions of finite type using minimal logic. A major aim of the Minlog project is the development of practically useful tools for the machine-extraction of realistic programs from proofs. In this section we describe two Minlog formalizations of Tait's normalization proof: the weak version, based on typed de Bruijn terms, and the strong version, based on untyped terms with named variables and a Curry-style typing.

Some background on program extraction
Before describing details of the two formalizations we provide some proof-theoretic background on program extraction and its optimization in general, and on problems arising in this case study in particular.

Program extraction from constructive proofs
The method of program extraction used in this paper is based on modified realizability as introduced by Kreisel [12]. In short, from every constructive proof M of a non-Harrop formula A (in natural deduction or a similar proof calculus) one extracts a program [[M ]] "realizing" A, essentially by removing computationally irrelevant parts from the proof (proofs of Harrop formulas have no computational content). The extracted program has a simple type τ(A) which depends only on the logical shape of the proven formula A. In its original form the extraction process is fairly straightforward, but usually leads to unnecessarily complex programs. In order to obtain better programs, the proof assistants in question offer various optimizations of program extraction. Below we describe such an optimization implemented in Minlog [19].

Quantifiers without computational content
Besides the usual quantifiers, ∀ and ∃, Minlog has so-called non-computational quantifiers, ∀ nc and ∃ nc , which allow for the extraction of simpler programs. The nc-quantifiers, which were first introduced in [4], can be viewed as a refinement of the Set/Prop distinction in constructive type systems like Coq or Agda. Intuitively, a proof of ∀ nc x A(x) (A(x) non-Harrop) represents a procedure that assigns to every x a proof M (x) of A(x), where M (x) does not make "computational use" of x, i.e. the extracted program [[M (x)]] does not depend on x. Dually, a proof of ∃ nc x A(x) is a proof of A(x) for some x where the witness x is "hidden", that is, not available for computational use. Consequently, the types of extracted programs for nc-quantifiers are τ(∀ nc x ρ A) = τ(∃ nc x ρ A) = τ(A), as opposed to τ(∀x ρ A) = ρ ⇒ τ(A) and τ(∃x ρ A) = ρ × τ(A). In order for the extracted programs to be correct, the variable condition for ∀ nc -introduction needs to be strengthened by requiring in addition that the abstracted variable x does not occur in the extracted program [[M ]]. Note that for a Harrop formula A the formulas ∀ nc x A and ∀x A are equivalent; similarly, ∃ nc x A and ∃x A are equivalent.

The formalization of strong computability
In the previous section we defined the formulas SC ρ (r) by recursion on ρ. Therefore it is most natural to formally introduce SC as a (truly) dependent family of predicates. This can and will be done in the Coq formalization in Section 4, using a definition scheme called "strong elimination". Minlog, however, being based on first-order logic, cannot define the predicate SC directly, since the formulas SC ρ (r) are of arbitrarily high logical complexity as ρ varies. Moreover, the type C ρ := τ(SC ρ (r)) would depend on ρ, so a dependently typed programming language would be needed for program extraction. Our solution to this problem is to define SC ρ (r) := ∃a SCr ρ (a, r), where SCr is a new ternary predicate which is axiomatized in such a way that SCr ρ (a, r) means "a realizes SC ρ (r)". The type of the realizer a, call it ω, has to be equipped with constructor and accessor functions expressing that ω includes all the types C ρ . We will therefore call ω a universal type. Since the two Minlog formalizations work with different kinds of typed λ-terms (Church vs. Curry), the type ω will be modeled differently as well: in the first formalization as the sum of all C ρ , in the second as the solution of a recursive type equation. Note that, as a side effect of the evasion of dependent types, partial objects will be needed (indicated in Minlog by a hat, ^). An important advantage of formalizing strong computability in the way described above is that the computational content of Lemma 2 in Section 2 will be extremely simple, namely the identity.

Linking realizability with truth
In order to make sure that the above definition of strong computability is equivalent to the one in Section 2 we will work in a theory where each formula is equivalent to its realizability. Normally, this is achieved by the Axioms of Choice and Independence of Premises [21]:

(AC) ∀x∃y A(x, y) → ∃f ∀x A(x, f (x)), where A(x, y) is arbitrary,
(IP) (A → ∃y B(y)) → ∃y (A → B(y)), where A is a Harrop formula.

In the presence of nc-quantifiers one needs in addition a Uniformity Principle for the universal nc-quantifier:

(UNC) ∀ nc x∃y A(x, y) → ∃y∀ nc x A(x, y), where A(x, y) is arbitrary.
It is easy to see that all three principles are realized by identity functions.

Normalization for terms in de Bruijn notation
We now describe a Minlog formalization of the (weak) normalization proof based on typed de Bruijn terms. We first introduce a variant of de Bruijn terms [11] with typed λ-abstraction, then describe the formalization of the normalization proof, and finally discuss the extracted program (which is a collection of Minlog terms).

Simply typed terms in de Bruijn notation
Terms (in de Bruijn notation) r, s, t are built from variables n, viewed as indices, by application rs and typed abstraction λ ρ r. A context is a list ρ⃗ of types. The type of a term r in a context ρ⃗ and the correctness Cor ρ⃗ (r) of a term r in a context ρ⃗ are defined by recursion on r; for abstractions, Cor ρ⃗ (λ ρ r) := Cor ρ::ρ⃗ (r).
The typing judgement ρ⃗ ⊢ r : ρ, saying that in context ρ⃗ the term r has type ρ, can now be defined. Lifting r↑ l of a term r from index l is defined as usual (the free indices ≥ l are incremented); we write r↑ for r↑ 0 . Substitution r[r⃗] of the first Lh(r⃗) variables in a term r by the terms r⃗ is defined by recursion on r. We let Λ denote the set of all terms and define the abstraction of the k-th variable by λx ρ k r := λ ρ r[1, . . ., k, 0]. Note that the set Λ also contains terms that do not type check.
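The standard definitions of lifting and parallel substitution on de Bruijn terms can be rendered as follows; this OCaml sketch is ours (names included) and only illustrates the operations described above.

```ocaml
type tp = Iota | Arrow of tp * tp
type term = Var of int | App of term * term | Abs of tp * term

(* lift r from index l: free indices >= l are incremented *)
let rec lift (l : int) (r : term) : term =
  match r with
  | Var n -> if n >= l then Var (n + 1) else Var n
  | App (r1, r2) -> App (lift l r1, lift l r2)
  | Abs (a, b) -> Abs (a, lift (l + 1) b)

(* substitute the first (List.length rs) variables of r by rs;
   larger indices are shifted down accordingly *)
let rec subst (rs : term list) (r : term) : term =
  match r with
  | Var n ->
      if n < List.length rs then List.nth rs n
      else Var (n - List.length rs)
  | App (r1, r2) -> App (subst rs r1, subst rs r2)
  | Abs (a, b) ->
      (* under a binder: index 0 stays, and the substituted terms are lifted *)
      Abs (a, subst (Var 0 :: List.map (lift 0) rs) b)
```

With these operations, the β-reduction step (λ ρ r) s → r[s] is just `subst [s] r`.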

Formalization
We begin with a description of the formal language.
Types. We have simple types (closed under products, function spaces and the list-type construction) over the base types boole, nat, type, term, ω. While the base types boole, nat, type are introduced (in the proof system Minlog) as free algebras, ω is a type constant representing the infinite disjoint sum of all types C ρ where C ι := nat ⇒ term, C ρ⇒σ := C ρ ⇒ C σ (see the end of Section 3.1). The type ω can be interpreted semantically by Scott domains, or information systems [13].
Constants. Besides standard functions for natural numbers and lists we have function symbols for constructing, testing and manipulating types and terms (objects of type type and term). There are also "administrative" constants which should be thought of as defined from the canonical injections in ρ : C ρ ⇒ ω and projections in ρ −1 : ω ⇒ C ρ . The functions P and Mod are undefined (= ⊥) at arguments other than the ones shown.
The extra argument "types" is due to the fact that typing takes place in a context. The role of the predicate SCr was explained in Section 3.1; its meaning is expressed by the axioms below.
Formulas are built from the language above as usual, except that in addition to the ordinary quantifiers, ∀, ∃, we have the nc-quantifiers, ∀ nc , ∃ nc .
Axioms. Besides the usual logical axioms and induction axioms for the free algebras involved (boole, nat, type, term) we have the axioms Ax1-11 of Section 2, where typing judgements have to be added at appropriate places and the SN-hypothesis of Ax6 has to be dropped. Furthermore, we have axioms for P , Hat and Mod, and for SCr. We define SC and SN by SC ρ (r) := ∃a SCr ρ (a, r) and SN ρ (r) := ∀k (F (r, k) → ∃s N ρ (r, s)). The definition of SC is in harmony with the informal definition in Section 2, since, using the axioms (AC), (IP) and (UNC), one easily proves the SC-Lemma.
The formalizations of Lemmas 1, 2, 3, and the Normalization Theorem of Section 2 read as follows. Proof. Induction on ρ, as in Section 2.
Proof. By Lemmas 1 and 3, as in Section 2. Note that ρ can be computed from ρ⃗ and r, therefore "∀ nc ρ" is correct.

Strong normalization for terms with named variables
Now we describe the second Minlog formalization. After introducing informally untyped terms, substitutions and typing judgements, we discuss the formalization and the extracted program, pointing out the main differences to the first Minlog formalization.
Simple types for untyped λ-terms

Terms r, s, t are built from variables x, y, z, . . . by application rs and abstraction λx.r (all untyped). A context is a function from variables to types. The typing judgement Γ ⊢ r : ρ, saying that in context Γ the term r has type ρ, is defined as usual. A substitution is a function θ from variables to terms. We will not need to formalize bound renaming, since it will suffice to define the behaviour of substitution in the uncritical cases only, i.e. yθ = θ(y), (rs)θ = (rθ)(sθ).
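The decision to define substitution only in the uncritical cases can be made vivid in code. In the following OCaml sketch (names ours), the λ-case is deliberately left unspecified, mirroring the text's choice to avoid formalizing bound renaming.

```ocaml
(* Untyped named terms, as in the second Minlog formalization. *)
type term = Var of string | App of term * term | Abs of string * term

(* A substitution is a function from variables to terms. *)
type subst = string -> term

(* Apply a substitution in the uncritical cases only:
   yθ = θ(y) and (rs)θ = (rθ)(sθ); the λ-case is left undefined. *)
let rec app_subst (theta : subst) : term -> term = function
  | Var y -> theta y
  | App (r, s) -> App (app_subst theta r, app_subst theta s)
  | Abs _ -> failwith "behaviour of substitution under λ left unspecified"
```

The proofs only ever apply substitutions in positions where the λ-case is not needed, which is exactly what makes this partial definition sufficient.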

Formalization
The formal language is very similar to the first Minlog formalization. We only describe the major changes.
Types. We have the same types as in Section 3.2; however, the universal type ω will now be equipped with functions expressing that it is a solution of the recursive domain equation ω ≅ (nat ⇒ term) + (term ⇒ ω ⇒ ω) (cf. the datatype D in Section 5). It is well known how to solve such type equations semantically. For example, a construction using information systems is described in [13].
Constants. We have the expected functions associated with the data type of untyped λ-terms, a function symbol for applying a substitution to a term, and the expected embeddings and projections for ω as a solution of the domain equation above. Predicate constants. We have again N, A, H, F and SCr, however with simpler arities, and in addition a predicate constant ⊢ for typing judgements: N, A, H : (term, term), F : (nat, term), SCr : (ω, type, term), ⊢ : (nat ⇒ type, term, type).
However, the (informal) definition of N needs to be changed, since for untyped terms the notion of a long normal form does not make sense. The new definition of the predicate N is: N (r, s) :⇔ every β-reduction sequence r → … ends with a term to which s η-reduces.
It is easy to see that the axioms (in particular Ax1) are still valid under this new interpretation.
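The η-reduction used in the new reading of N is the contraction λx. r x → r, provided x is not free in r. As a small illustration (our code, not part of the formalization), a one-step top-level η-contraction on untyped named terms:

```ocaml
type term = Var of string | App of term * term | Abs of string * term

(* does variable x occur free in the given term? *)
let rec free (x : string) = function
  | Var y -> x = y
  | App (r, s) -> free x r || free x s
  | Abs (y, r) -> x <> y && free x r

(* top-level η-contraction λx. r x → r, if applicable *)
let eta_step = function
  | Abs (x, App (r, Var y)) when x = y && not (free x r) -> Some r
  | _ -> None
```

For example, λx. f x contracts to f, while λx. f x x does not contract, since x occurs free in f x.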
Axioms. The axioms Ax1-11 are as in Section 2, except that all type arguments are removed. In addition we have axioms for typing judgements. Note that, despite the type argument ρ, the formula SC ρ (r) does not include a typing statement for r. As before we define SC ρ (r) := ∃a SCr ρ (a, r).
Below, we only list the precise formulations of the lemmas and the normalization theorem. We do not comment on the proofs, as they are very similar to those in the previous formalization, except that contexts and substitutions are handled differently and types are less involved.

Coq formalization
Coq is a proof assistant based on a higher-order type theory [20]. It includes an extraction mechanism, due originally to Christine Paulin [17,18]. Recently, this mechanism has been deeply redesigned by the third author [14,15], in order to remove important limitations.

Extraction in Coq
The foundations of Coq extraction are quite different from Minlog's use of Harrop formulas and nc-quantifiers. In Coq, the user decides for each new inductive datatype whether it is computationally relevant or not. For instance, the type nat of unary numbers is relevant, and hence placed into the universe Set of relevant types. By contrast, the logical propositions True and False, defined in Coq as inductive types, are placed into the universe Prop of computationally irrelevant objects. This system is quite simple: in particular, when stating and proving facts, the user has no further extraction-related action to perform. The system simply verifies, via its typing rules, that the constructions of computationally relevant objects never depend on irrelevant ones.
This system is clearly not as flexible as Minlog extraction. For instance, because of its typing, a nat argument will always be considered relevant and kept. But objects of the same type may well be sometimes relevant and sometimes used only for filling logical annotations. For instance, considering Lemmas 1 and 3 above, the term argument r is relevant only in the latter. One should notice that such situations are not so common, and that the Prop/Set distinction of Coq, despite its lack of flexibility, is sufficient in most applications.

Higher-order logic in action
Distinctions between Coq and Minlog do not only concern extraction. During the formalization, the definition of the SC predicate has been a critical point of divergence. We have seen earlier that formalizing SC in Minlog requires a precise understanding of the domain theory involved. Thanks to the higher-order nature of Coq's logic, we can actually define SC. We cannot define SC as an inductive predicate, since it would be non-positive and hence rejected by Coq. The alternative approach is then to see SC as a recursive function: after a case analysis on the type ρ, the two defining equations of SC are used, the second one being recursive over subterms of ρ. This kind of definition, where a new type or predicate is built via the elimination of a term such as ρ, is known as strong elimination. This approach is quite simple and safe: instead of using axioms for each new predicate, we rely on the correctness of Coq's typing rules.
The only delicate point with strong elimination concerns the typability of the extracted code. Using such a dependently typed construct can indeed lead to extracted code that can only be typed in a functional language with dependent types as well. Here, both before and after extraction, an object of type SC can be either a function or not, depending on the value of ρ. Since programming languages with dependent types are not widespread, we propose some workarounds. A first solution is to use a type-free language like Scheme. Another possibility now offered by the Coq extraction is to use ML-like typing as long as possible and insert some unsafe type coercions when needed: Obj.magic in OCaml and unsafeCoerce in Haskell. A more detailed description of this mechanism can be found in [15]. Finally, there is a last solution currently not offered by the Coq extraction: we could here use an encoding based on a sum type like the type D of the Isabelle formalization (Section 5). Indeed, this solution leads to ML-typable code, but at the cost of additional operations (constructors and destructors like Hat and Mod in Section 3) that are useless from the operational point of view.

Organization of this formalization
The Coq formalization follows the same choices as the first Minlog formalization in Section 3.2. The first part of this work starts with some results about λ-terms in de Bruijn notation: substitution, typing, etc. Then comes the core of the normalization proof: Lemmas 1, 2, 3 and the main theorem. This part is done in a modular way, thanks to the Coq module system. More precisely, this generic core is a functor, i.e. a structure that transforms a module correctly implementing the predicates N , A, ... into a module containing a complete normalization proof.
Independently, we provide two implementations of these predicates and their properties. The first corresponds to the meaning of N given in Section 3.2, that is, weak β-normalization followed by η-expansion. A second implementation has then been done, with η-reduction instead of expansion in N , and with a small change on the abstraction function abstr. As noted in [4], the previous generic core can then be used unchanged. Finally, the two implementations are plugged into the core and extracted, producing two programs which compute the η-long β-normal form and the βη-normal form, respectively.
It should be emphasized that this formalization is complete: no axiom remains at the time of extraction. Having at least one complete implementation is crucial. For instance, proving Ax1 with de Bruijn notation has in fact been a really delicate matter, and has forced some major changes in the main part of the proof, like the use of typing contexts everywhere.

Optimizing the extracted program
The first formalized proof of normalization has been done in a direct, Coq-natural way. But the resulting extracted program, although working, was not so satisfactory. In fact, this was to be expected, since Coq extraction currently uses typing information to discover irrelevant parts in proofs. For instance, while sharing the same type term, the second argument r of Lemma 1 is not relevant and leads to dead code after extraction, whereas the first argument r of Lemma 3 is relevant. In Minlog, the distinction between these two r arguments is made by using either the normal ∀ or the non-computational ∀ nc , leading to shorter and more efficient extracted code.
Recently, Bas Spitters and the third author proposed a method to emulate in Coq, at least partially, this ∀ nc construction of Minlog [16]. The idea is to provide an injection nc that goes from the informative universe Set into the extraction-irrelevant universe Prop. Using this injection, any informative datatype like term now has an irrelevant counterpart (nc term). The nc injection itself can be built without modifying the Coq system. But proving properties of injected objects is currently tedious, and requires in particular the use of a technical axiom. While this axiom seems consistent and harmless for extraction, it is nevertheless unnatural in Coq, since it contradicts the unprovable but popular principle of proof irrelevance.
Anyway, we managed to produce a second version of our formalization taking advantage of this nc construct, with only limited changes, thanks to a specialized tactic written in the rich Ltac macro language of Coq. Finally, the program extracted from this refined version is considerably better: many dead-code parts are removed, and some benchmarking shows a speedup of at least 40% and a memory usage decreased by more than 20%.

What Coq cannot do yet
The improved code obtained in the last section is still not perfect. Let us consider for instance the OCaml extraction of Lemma 2. From an operational point of view, the type coercions Obj.magic can be ignored. One then notices some strange abstractions over anonymous variables and applications to arbitrary constants. These are the remnants of proof abstractions and proof arguments. In order to support the whole Coq system safely, the new Coq extraction [15] may have to leave such remnants instead of removing them completely. Then, in an optimization phase, many of these remnants are simplified away. But the implemented optimizations currently fail to remove them in the code above.
In fact, in addition to this cleaning up, a more drastic optimization could be performed here. In the two Minlog formalizations, the program extracted from Lemma 2 is the identity function, due to the introduction of SC via its realizability. Here, indeed, when looking closely at the code above, the result of this function is always extensionally equivalent to its second argument. However, taking advantage of this fact is currently out of reach of Coq's extraction mechanism, which normally produces extracted terms that are faithful to the structure of the original term. Except for some local optimizations, the only difference between the original and the extracted code is the pruning of logical parts, and a term built by induction will always give a recursive function. After manually implementing these remarks in the extracted code, we noticed a further improvement of about 40% in speed and 20% in memory. The nc encoding thus clearly improves the efficiency of the extracted code, although the result remains slower than this hand-optimized code.
More recently, we noticed that our nc encoding in Coq cannot be used in every situation. We tried to switch to named λ-terms instead of de Bruijn notation, following Section 3.3, but there our nc showed its limitations. It is still based on typing information, and not on an occur-check for irrelevant variables in the extracted code as in Minlog. In particular, in Lemma 3 of Section 3.3 the simple type ρ can be considered to be without computational content in Minlog, while in Coq having ρ of type (nc type) forbids applying the SC predicate to ρ, since it expects a first argument of type type. We hope to be able in the future to implement a more complete, transparent and user-friendly nc mechanism in Coq. However, this would require a modification of the system, unlike our current lightweight nc encoding.

Isabelle/HOL formalization
In this section, we compare the Coq and Minlog formalizations of the normalization proof with a formalization in the theorem prover Isabelle/HOL, which also has a program extraction facility, due to the second author [7]. The formalization described here is based on the one described in Section 3.3. The LaTeX code for this section was generated automatically by Isabelle.
The datatypes of types and terms are defined as expected. The judgement stating that t has type τ in context s is denoted by s ⊢ t : τ . The definition of the typing judgement is as usual. In contrast to Minlog, Isabelle/HOL allows the definition of predicates by recursion over datatypes (also called "strong elimination" in Coq jargon). Thus, we can simply define SC by recursion over the datatype type. However, when it comes to extracting a program from a proof involving SC, we face a similar problem as in the Coq formalization: since predicates in a proof become types in the extracted program, predicates such as SC defined by recursion on datatypes give rise to programs using dependent types. Such programs can neither be expressed inside Isabelle/HOL, nor can they easily be translated to functional programming languages such as ML. In order to get a program which is typable in a functional programming language without dependent types, we realize the formula SC τ t by a datatype D with two constructors Term and Func (corresponding to the universal type ω and the functions HatL and Hat). The former corresponds to the case where τ is a base type, whereas the latter corresponds to the case where τ is a function type. In ML, one would define the datatype D as follows:

datatype D = Term of nat -> trm | Func of trm -> D -> D

This datatype is beyond the scope of Isabelle/HOL, since D occurs negatively in the argument type of Func. It is interesting to note that in the logic HOLCF, which is a conservative extension of HOL with LCF, one can actually define the above datatype, provided that the type of partial continuous functions is used instead of the type of total functions. For the moment, we just assert the existence of the type D, together with suitable constructors. Here, destTerm and destFunc are destructors inverting the corresponding constructors of the datatype D.
These can be implemented using pattern matching. We can now assign realizing terms to the two characteristic equations for SC. Since we can view an equation between propositions as a conjunction of two implications, the equations for SC are realized by pairs, of which the first component is a destructor and the second component is a constructor. The proof of strong normalization is composed of the following parts:
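Unlike Isabelle/HOL, OCaml accepts the negative recursion in D directly, so the datatype and one possible implementation of the destructors by pattern matching can be written down as follows (the destructor bodies are our guess at the intended behaviour, not the generated code).

```ocaml
(* Untyped terms, standing in for the trm type of the ML snippet above. *)
type trm = Var of int | App of trm * trm | Abs of trm

(* The universal datatype D: Term covers base object-types,
   Func covers function object-types; note the negative occurrence of d. *)
type d =
  | Term of (int -> trm)
  | Func of (trm -> d -> d)

exception Wrong_constructor

(* destructors inverting the constructors, by pattern matching *)
let destTerm = function Term f -> f | Func _ -> raise Wrong_constructor
let destFunc = function Func f -> f | Term _ -> raise Wrong_constructor
```

Applying destTerm to a Func value (or vice versa) raises an exception; in the extracted program such a mismatch cannot occur, since the constructor used is always determined by the object type τ.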

Conclusion
This case study turned out to be extremely useful for testing and comparing the proving and program extraction machineries of Minlog, Coq and Isabelle/HOL, and it led to numerous cross-fertilizations between the systems. The problems that had to be solved in connection with the representation of data, the formalization of reasoning and the optimization of program extraction pointed us to many possible ways of extending and improving the systems.
A general observation made in this case study is that in order to obtain useful extracted programs, not only an optimized extraction process is needed, but also the possibility to express computational information at the logical level. For example, the virtue of the nc-quantifiers lies not only in their simplifying effect on the extraction process, but also in their ability to make computational independencies visible in the specification and the proof.