Type Reconstruction for SCI

We present a type reconstruction algorithm for SCIR (cid:0)(cid:1)(cid:2)(cid:3)(cid:4) a type system for a language with syntactic control of interference(cid:5) SCIR guarantees that terms of passive type do not cause any side e(cid:6)ects(cid:4) and that dis(cid:7) tinct identi(cid:8)ers do not interfere(cid:5) A reconstruction algorithm for this type system must deal with di(cid:6)erent kinds (cid:9)passive and general(cid:10) and di(cid:6)erent uses of identi(cid:8)ers (cid:9)passive and active(cid:10)(cid:5) In particular(cid:4) there may not be a unique choiceof kinds for type variables(cid:5) Our work extends SCIR typings with kind constraints (cid:5) We show that principal type schemes exist for this extended system and outline an algorithm for computing them(cid:5) (cid:0)


Introduction
Researchers interested in functional programming languages have recently turned their attention to extending these languages with suitably-controlled state manipulation facilities 2 0 , 9 , 1 , 1 2 , 1 1 ].This e ort has brought i n to focus the pioneering work of Reynolds 16,17,18] in the late 70's and early 80's, devoted to the analysis and re nement of imperative programming languages using \functional programming principles" (lambda calculus and its equivalences).In retrospect, Reynolds's work may be seen to have addressed two signi cant issues.In designing a higher-order programming language with imperative features, (i) how does one retain the functional reasoning principles (such a s t h e equivalences of lambda calculus), and (ii) how does one retain the imperative reasoning principles (such as Hoare logic)?Pa r t o f t h e a n s w er to (i) was already contained in the design of Algol 60 with its call-by-name parameter mechanism, and Reynolds's work brings this to the forefront 17].This part of Reynolds's analysis is adopted ipso facto in the recent w ork in functional programming.The other part of the answer to (i) as well his answer to (ii) are contained in Reynolds's \Syntactic Control of Interference" or SCI 16].Unfortunately, these ideas of Reynolds have had little impact on the afore-mentioned work in functional languages, though they are clearly applicable.We explain the two aspects of SCI in turn.
How does one retain functional reasoning principles?In de ning a function procedure that returns, say a n i n teger, one often wants to use an algorithm that creates local variables and manipulates them internally. 1 To preserve t h e standard reasoning principles of integers, the procedure should only manipulate local variables without making any c hanges to the global variables.But, most programming languages have n o c hecks to ensure this.Consequently, terms of type integer may w ell involve global state changes (often called \side e ects"), thwarting standard reasoning about integers.Reynolds's proposal in SCI contains a comprehensive treatment of this issue via a classi cation of types into active and passive types.Computations of passive t ypes (like i n teger) are guaranteed not to have a n y global side e ects so that standard reasoning is applicable.
How does one retain imperative reasoning principles?The usual reasoning principles of imperative programs tend to assume that distinct identi ers do not interfere, i.e., using one identi er in a computation does not a ect the meaning of the other identi er.Aliasing is a common example of interference where two i d e n ti ers happen to denote the same (mutable) variable.Aliasing is explicitly ruled out in the usual formulations of Hoare logic 5,13].H o wever, other kinds of interference arise in languages with (higher-order) procedures.
For instance, if a procedure p modi es a global variable x, calling p interferes with x.Again, Reynolds gives a comprehensive set of rules to guarantee that distinct identi ers do not interfere.
Unfortunately, Reynolds notes that there is a problem with his rules in that a legal term can be reduced to an illegal term via the standard reduction rules of lambda calculus.(\Subject reduction" fails.)Some of the type systems proposed for functional languages with imperative features 20, 1] have this problem as well.The problem remained unresolved for over a decade until, recently, O'Hearn et al. 10] proposed a revised type system in \Syntactic Control of Interference Revisited" (SCIR).Their proposal uses modern prooftheoretic techniques inherited from linear logic and logic of unity 2, 3], a n d possesses the subject reduction property.W e should note that Reynolds himself presented a solution to this problem 19], but it goes much b e y ond the original proposal by i n volving conjunctive t ypes.We do not pursue the new Reynolds system in this paper as SCIR is a simpler system applicable to a wide range of programming languages and type systems.
Modern functional programming languages, pioneered by Milner's work on ML 8], possess type r econstruction systems, where the programmer is allowed to omit type declarations and the compiler lls in this information in the most general fashion.The adoption of SCI type regimen to these languages necessitates a t ype reconstruction system.In this paper, we present a t ype reconstruction algorithm for SCIR.
The SCIR type system is unorthodox i n t h a t i t i n volves two separate zones (\passive" and \active" zones) in the typing judgements.This corresponds to the fact that the free identi ers of a term are classi ed into two classes.The movement o f t h e i d e n ti ers between zones depends on the types of the subterms where the identi ers occur, which in turn depends upon certain zones being empty.T h us, it is by no means obvious that type reconstruction is possible for SCIR.
Moreover, the type reconstruction algorithm has to account for the fact that there are two kinds of types (general types and passive t ypes) in the type system.Correspondingly, t ype schemes must keep track of the kinds of type variables.The choice between the kinds of type variables is not always unique.For instance, the term f: x: fxx has the \principal" type scheme ( ! ! ) ! !but is legal only if either or is passive.To g e t around this di culty, w e associate kind constraints with type schemes, which are boolean constraints specifying possible kinds of type variables.For example, the type of f: x: fxx may be expressed as: With this adaptation, we s h o w that principal type schemes exist for SCIR and give an algorithm to compute them.

Related Work
W h i l e a l a r g e b o d y o f w ork exists in type reconstruction algorithms, we d o n o t know o f a n y systems where kind constraints are involved.Some work similar to ours is that on type reconstruction for linear logicbased type systems 22, 7] and the related system of single-threaded lambda calculus 4].Constraints like ours occur in these systems, though they are not concerned with kinds.A further di erence is that there is no type rule similar to Passi cation in these systems, but this rule is central in SCIR.
Our research also resembles the work on e ect systems and their reconstruction algorithms 6, 21], but it is hard to make a detailed comparison because those systems are designed for call-by-value languages whereas SCI is designed for lambda calculus-based call-by-name languages.

Issues in SCI
As mentioned in Introduction, SCI is concerned with two issues: 1. ensuring that passive-typed computations have no side e ects, and 2. ensuring that distinct identi ers do not interfere.In this section, we motivate these issues and discuss the challenges they pose for designing a formal type system.
As mentioned in Introduction, we w ould like to permit integer-typed expressions which allocate and manipulate local state.Consider an operator of the form do int] x: C where x is a bound identi er of type var int] a n d C is a command term.Its semantics is to allocate a local variable bound to x, execute C in its context and, nally, return the content o f x as the value of the expression.Such an expression form arises, for example, in the analysis of \function procedures" of Algol 60.Similar expression forms have been proposed for functional languages: the Obs-elim rule of Imperative Lambda Calculus 20], t h e pure operator of var 9] and the runST operator of Glasgow H a s k ell 11].T o ensure that such an expression is well-behaved, one must verify that the embedded command C has no global e ects other than to the variable x.A naive design is to classify types into passive types (like int) a n d active types (like comm and var int]) and then insist that all free identi ers of C other than x are of passive t ypes.Rules similar to this are used in Imperative L a m bda Calculus and the type system for var 20, 1].Unfortunately, t h i s n a i v e design runs into the problem of subject reduction.
Consider the terms: (M 1 ) x: int:do int] r: r := x : int !int where 1 is the rst projection and ! is a dereferencing operator for variables.
Both terms are legal.(The body of do has no free identi ers of active t ypes other than r.) Hence, the application (M 1 N 1 ) should be a legal term.However, beta-reduction of (M 1 N 1 ) y i e l d s : where the body of do contains the free identi er v of active t ype var int].This term is illegal with the naive r u l e f o r do and subject reduction fails.
Intuitively, t h e t e r m P 1 may be considered legal because under a call-byname semantics the assignment v := !v+1 will never be executed, and no global state changes take place during the evaluation of P 1 .
To a void the subject reduction problem, Reynolds classi es occurrences of free identi ers as active or passive.A free occurrence of x in a term is considered passive if it is in a passive-typed subterm otherwise, the occurrence is active.
The term do int] x: C is legal if all free identi er occurrences in C other than x are passive occurrences.Since all occurrences of v in P 1 are in the subterm 1 h!v v:= !v + 1 i which is of passive t ype int, P 1 is legal.
To ensure that distinct identi ers do not interfere, SCI requires that in any application term (M N ), the function term M and the argument term N do not interfere.This means, in essence, that the respective computations of M and N can proceed concurrently and the results are still determinate.One can make this fact explicit by adding a non-interfering parallel composition operator k : comm !comm !comm so that C 1 kC 2 is a command that runs C 1 and C 2 in parallel.
How should we decide if M and N are non-interfering?Since we h a ve already decided to focus on occurrences of free identi ers, we m i g h t insist that all common free identi ers of M and N should have only passive occurrences in these terms.If x is used actively in M, t h e n x may not appear in N (even passively).Yet, this design runs into the subject reduction problem.Consider the terms: The only common free identi er is v and all its occurrences are passive.Hence, the application (M 2 N 2 ) i s l e g a l .H o wever, beta-reduction yields: (P 2 ) r := 1 h!v v:= 0 kw := 1 h!v v:= 1ii Here, the second component v := 0 kw := 1 h!v v := 1i is not legal in Reynolds's system because v has an active occurrence in the subterm v := 0. Again, intuitively, this term should be legal because the assignment v := 0 and the inner assignment v := 1 will never be executed.This problem has proved su ciently intricate that it remained unsolved for over a decade.The solution due to O'Hearn et al. 10] is obtained by using an explicit contraction rule (together with a clear separation of passive and active free identi ers).The term is clearly legal.Since all occurrences of v and v 0 in P 0 2 are are passive occurrences, one can use a Contraction step to rename v 0 to v and obtain the term P 2 .
This example shows how a legal term may h a ve seemingly illegal subterms.
The legality of the subterm v := 0 kw := 1 h!v v:= 1i cannot be decided by looking at the subterm alone.One must appeal to the fact that the subterm occurs in an overall context of a passively-typed term.
The type system is su ciently intricate that its soundness is by no means obvious.One must demonstrate soundness by exhibiting an adequate semantic model that has a re ective subcategory of passive t ypes.Several semantic models with this property are now a vailable 14, 15, 10].So, the soundness is not in question.

The SCIR Type System
The type terms of SCIR have the following context-free syntax: data types ::= int j bool types ::= j var ] j comm j j j !j !p Data types are types for values storable in variables.A data type used as a t ype denotes expressions producing -typed values (sometimes written as exp ]).The type of commands is represented by comm.There are two kinds of product types: the components of a cross pair ( ) m a y i n terfere with each other, but the components of a tensor pair ( ) m a y n o t .T h e t ype var ] c a n be thought of as an abbreviation for ( ! comm) .P assive functions, which do not assign to any global variables, are given a special type constructor !p .
Passive t ypes form a subset of the set of types: A term with a passive t ype cannot modify any global variables, so it cannot a ect the outcome of any other term.
Typing judgements are of the form j ; `M: where M is a term, and its type.The type context is partitioned into the passive zone and the active zone ;, which c o n tain the passive free identi ers and the active free identi ers of M respectively.The passive free identi ers can only be used passively, i .e ., in passive-typed subterms.Note that the types assigned to identi ers by d o not have to be passive.The typing rules are shown in Figure 1.Identi ers can only be moved from ; t o w h e n M has a passive t ype (Passi cation).There are no restrictions Axiom j x: `x: j ; x : `M: Passi cation x : j ; `M: x : j ; `M: 0 Activation j ; x : `M: 0 j ; `M: Weakening 0 j ; ; 0 `M: j ; `M: Exchange ~ j ; `M: x : x 0 : j ; `M: 0 Contraction x : j ; `M x=x 0 ]: 0 j ; `M: 1 j ; `N: 2 I j ; h M Ni: 1 2 j ; `M:  The main issue in type checking for SCIR is the noncompositionality o f t h e t ype system: a term M may b e w ell-typed in some context ;, even if its subterms seemingly are not.For example, given c: comm, the term 1 h3 c kci is typable, but the subterm c kc is not.Our approach i s t o k eep track of the free identi ers in a term M that are used actively, b u t m ust be passi ed (and contracted) because of sharing.If M occurs in the context of a larger passive term, then all its free identi ers have passive occurrences.Otherwise, the sharing is illegal.
An outline of an SCIR type checking algorithm C is shown in Figure 2.
Given a set of type assumptions ; of the form fx 1 : 1 x 2 : 2 : : : x n : n g and a term M, C(; M ) returns either error or a quadruple ( A P E).The type of M is , a n d A, P and E form a partition of the free identi ers of M such that: A contains the non-shared, actively-used identi ers, P is the set of identi ers (which m a y be shared) that are used passively, and E contains shared identi ers that are used actively.A term M is not typable in a context ; if the type checker returns error or if it returns a quadruple where E is not empty.I f E is empty, then all sharing is legal and M is typable.
The algorithm description uses pattern matching to bind va r i a b l e s a s w ell as to express restrictions on values and types.In a recursive call ( A P E) = C(; M), each component of the left side must be uni able with the corresponding component of the right side.The auxiliary function passify moves all free identi ers to P whenever a term has a passive t ype.
As an example, the results of type checking the two terms mentioned above are shown here: The running time of the algorithm depends on the way sets are represented.
Using ordinary lists, for example, results in a running time of O(n 3 ), where n is the length of the term.

Type Reconstruction
Extend the language of terms with untyped lambda terms of the form x: M. Given a term M in the extended language, type reconstruction is the problem of nding a well-typed term M 0 in the original language such t h a t M is obtained by erasing some or all type declarations in M 0 .A s i s w ell-known, such a t e r m M 0 is not unique.One must use type variables to cover all possibilities.
A type scheme is a type term which can possibly contain type variables .Recall that SCIR distinguishes the subset of passive t ypes from the set of all types.How d o w e tell whether or not a type variable represents a passive t ype?We de ne two kinds (second-order types), Passive and Type, corresponding to the two classes.We write :: to indicate that type variable has kind .Given a kind assignment K for the set of type variables occurring in , w e can determine if is passive o r n o t .The SCIR type system can be extended to type schemes using kind assignments.
An SCIR type reconstruction algorithm is responsible for deducing both missing type information as well as a kind assignment for the type variables.Unfortunately, a t yping judgement m a y b e v alid under several kind assignments.For example, the term f: x: fxx can be typed under two di erent kind assignments, as shown in Figure 3.If :: Passive, then x and x 0 can be passi ed immediately after they are introduced.On the other hand, if :: Passive, then x and x 0 can be passi ed after !E. In both cases, the two identi ers can be contracted, so f x xis typable.
To get around this di culty, w e u s e kind constraints, boolean constraints which represent the class of all kind assignments under which a term is typable.
Let p be a unary predicate with the semantics that p( ) means is passive.When is a ground type, p( ) can be simpli ed to true if is a passive t ype, j f: !!`f: !!j x: `x: Pass.x: j x: x: j f: ! !`fx : !j x 0 : `x0 : Pass.
To support type reconstruction, we de ne a modi ed type system SCIR K which m a i n tains kind constraints for type variables.A judgement is of the form A `M: G] where the assumption list A is of the form x 1 : 1 P 1 C 1 ] : : : x n : n P n C n ] and P i , C i and G stand for kind constraints.Sometimes we also use the vector notation x:~ P C] to represent an assumption list.Each i d e n ti er x i in the Axiom x: p( ) true] `x: true] A x: list is associated with a passi cation constraint P i and a contraction constraint C i .The constraint G is called the global constraint.(We also refer to these as the P-constraint, C-constraint, and G-constraint respectively.)A judgement A `M: G] can be read as \The term M has type in the assignment A, as long as the constraint G and all contraction constraints in A hold.Further, all free identi ers x whose passi cation constraints in A hold are passive free identi ers."From this reading, it is clear that the P-constraint is what is needed for an identi er to be passi ed, whereas C-and G-constraints arise from identi ers that have already been passi ed.The di erence between Cand G-constraints is that they typically refer to occurrences of free and bound identi ers respectively.
The type rules of SCIR K are shown in Figure 4.There is some notation that should be explained.For I and I, the environments A 1 and A 2 have disjoint domains.Similarly, ỹ and z are disjoint i n t h e !E rule.Identi ers common to both hypotheses are represented by x, although the type and constraint information may di er in each h ypothesis.Boolean operations on constraint v ectors can be de ned straightforwardly.
Note the following facts about the SCIR K system: 1.The rules are syntax-directed.Given a term M, there is at most one derivation for M. (Although there are two rules !I and !I 0 for deriving x:M, only one is applicable depending on whether or not x occurs free in M.) 2. There are no structural rules.All the identi ers of an assumption list A occur in the term M in a derivable judgement.3.For every identi er x in an assumption list of a derivable judgement, the passi cation constraint logically implies the contraction constraint.
4. For every derivable judgement A `M: G], the constraint p( ) logically implies every passi cation and contraction constraint i n A.
The rst two facts mean that we can devise a type reconstruction algorithm for SCIR K in the standard fashion (using uni cation in the Hindley-Milner style).

Explanation
The passi cation constraint of an identi er speci es the condition necessary for that identi er to be passi ed.The constraint will simplify to true if and only if all occurrences of the identi er appear in passively-typed subterms.This constraint m a y become weaker as the derivation progresses|in particular, through applications of the E i , E i and !E rules.Intuitively, this corresponds to situations where the identi er appears in the context of a larger, passively-typed term.
The contraction constraint of an identi er is similar to its passi cation constraint, but represents conditions arising from occurrences that have already been contracted.Hence, the contraction constraints must necessarily hold for the term to be well-typed.Like passi cation constraints, contraction constraints may become weaker as the derivation progresses.
The global constraint records the conditions that cannot be weakened further in the rest of the derivation.If the global constraint of a term M is false, then there are identi ers in M that must be passi ed but cannot be, regardless of M's context.Neither M nor any term containing M is typable.
The following derivations illustrate the key aspects of SCIR K .First, the term c: comm: 1 h3 c kci can be typed as shown below: The passi cation and contraction constraints of x are di erent because only the rst two occurrences of x are contracted.The third occurrence does not have to be contracted due to the I rule.From this judgement w e can derive the principal typing: Finally we outline a derivation for the term f: x: fxx mentioned at the beginning of this section.The rst application of !E is straightforward and results in the judgement f: !!p( ) true] x : p( ) _ p( ) true] `fx : !true] Applying f xto x and continuing the derivation: f: !!p( ) true] x : p( ) _ p( ) p( ) _ p( )] `fx x : true] !I f: !!p( ) true] ` x: fxx: !p( ) _ p( )] !I ` f: x: fxx: The term is typable in any kind assignment w h i c h maps or (or both) to the kind Passive.

Soundness
A type substitution maps type variables to types.By (A `M: G]) we mean the type judgement obtained by applying to all type terms in the judgement.We call the result an instance of the original judgement.An SCIR judgement j ; `M0 : is said to be an instance of A `M: G] if there is a type substitution such that 1. M = erase(M 0 ), 2. (A `M: G]) is the same as j ; `M0 : except for the constraints and type declarations in M 0 , a n d 3. in (A `M: G]), the global constraint, all the C-constraints, and the P-constraints of all identi ers in dom( ) simplify to true.
An extension of a judgement A `M: G] has the form x:~ ;;! true ;;! true] A M : G] (obtained by adding identi ers with trivial constraints).An SCIR judgement j ; `M0 : is said to be covered by a n S C I R K judgement A M: G] if it is an instance of an extension of the latter.
Theorem 1 (Soundness) If the judgement A `M: G] is derivable in SCIR K and covers an SCIR judgement j ; `M0 : , the latter is derivable in SCIR.

Completeness Lemma 2
If A `M: G] is derivable, then every instance (A `M: G]) is derivable.
Lemma 3 If x: P C] x 0 : P 0 C 0 ] A `M: G] is derivable, then x: P P0 C 00 ] A `M x=x 0 ]: G] is derivable, for some C-constraint C 00 .
Proof: By induction on the derivation of the given judgement.If the last derivation step has two h ypotheses, where x appears in one and x 0 appears in the other, we can substitute x for x 0 and derive the conclusion.
Theorem 4 (Completeness) If j ; `M0 : is derivable in SCIR, then there exists a derivable judgement A `M: G] of SCIR K that covers j ; M0 : .Proof: By induction on the derivation of j ; `M0 : .Consider the last derivation step.Some of the key cases are outlined below.
Passi cation.By induction, j x: 0 ; `M0 : is covered by some x: P C] A `M: G] using a substitution .Since ( ) is passive, (P ) holds by f a c t 4 .T h us, the same SCIR K judgement a l s o c o vers the conclusion x : 0 j ; `M0 : .Since the assumption lists in these judgements both cover ;, there exists a most general type substitution 0 such t h a t 0 (~ ) = 0 ( ~ 0 ).By Lemma 2, 0 (x: ~ P C] A 1 `M: 1 G 1 ]) and 0 (x: ~ 0 P0 C0 ] A 2 `N: 2 G 2 ]) are also derivable.Then we can apply the SCIR K I rule.

Reconstruction Algorithm
It is relatively straightforward to translate the type rules into a reconstruction algorithm K, where K is derivable in SCIR K .Whenever two subterms containing a common identi er x are combined (using !E, I, o r I), K must nd a most general uni er for the types of x in the subterms.If no such uni er exists, then the term cannot be typed.The kind constraints can be simpli ed using the simpli cation rules (1) as well as the laws of boolean algebra.If the G-constraint simpli es to false, then the term cannot be typed.The reconstruction algorithm takes exponential time in the worst case, as in the case of Hindley-Milner type inference.

Comparison with linear type reconstruction
In 22], W adler gives a type reconstruction algorithm for a linear type system based on \standard types."Our reconstruction algorithm is somewhat reminiscent of this algorithm and we h a ve indeed derived signi cant inspiration from Wadler's work.On the other hand our algorithm di ers in more ways than it resembles Wadler's.In the rst place, SCIR is considerably more sophisticated than the linear type system.In addition to the promotion (! p I) a n d dereliction (! p E) rules \on the right," which correspond to !I and !E in the linear type system, SCIR also has promotion and dereliction rules \on the left" (Passi cation and Activation rules).The main challenge of our reconstruction algorithm is in handling the left-rules (which are necessarily implicit in the syntax), while Wadler's algorithm is concerned with making the right-rules implicit.This probably accounts for the di erences in the constraint maintenance in the two algorithms.While we need to associate constraints with individual free identi ers, Wadler's algorithm requires a single global constraint p e r judgement.
On the other hand, it would also be desirable to make the right-promotion and dereliction rules implicit in the SCIR syntax.Were we t o d o s o , o n e w ould expect that some features of the Wadler's algorithm would resurface in the context of SCIR.

Conclusion
We h a ve presented a type reconstruction algorithm for Syntactic Control of Interference.The algorithm is derived in a logical fashion via an inference system SCIR K that has unique derivations for terms.This system is shown sound and complete with respect to the original type system.
We h a ve implemented a prototype of the type reconstruction algorithm in Prolog (using naive boolean simpli cations).As a measure of the complexity of types inferred, we considered the index number of atomic formulas in kind constraints numberoftype variables and found it to be in the range 0{1 for typical library functions.Thus the complexity of inferred types is within practical limits.
A topic for future research is to incorporate let-based polymorphism in the style of ML.This would involve incorporating kind constraints in the syntax of type schemes as in 8 :p( ) _ p( ) ) ].The intriguing feature of such type schemes is that the kind constraint sometimes refers to free type variables ( ) a s w ell as bound type variables ( ).More work is needed to understand the implications of this feature.
Further work also remains to be done in making various coercions implicit.
Programming convenience demands that the derelict operator and the dereferencing operator should be omitted and the same projection operators should be usable for both tensor products and cross products.A more ambitious goal would be to make the promotion operator implicit.All such implicit syntactic features would increase the number of possible typings for terms and, very likely, the complexity o f t h e t ype scheme syntax as well.

Figure 2 :
Figure 2: Type Checking Algorithm for SCIR 4 Type Checking
Axiom c: comm false true] `c:comm true] k ( I) c: comm false false] `ckc:comm true] I c: comm false false] h 3 c kci:int comm true] E 1 c: comm true true] ` 1 h3 c kci:int true] !I ` c: comm: 1 h3 c kci:comm !int true] (Recall that p(comm) is false, while p(int) is true.)The subterm c kc appears to be illegal, but it may safely occur within any passively-typed term, in which case the contraction constraint o n c is weakened and becomes satis able.The next example shows that the term c: comm:(c kc) is illegal independent of its context.Axiom c: comm false true] `c:comm true] k ( I) c: comm false false] `ckc:comm true] !I ` c: comm: (c kc):comm !comm false] Once the identi er c becomes lambda-bound, it is no longer free and cannot be passi ed.The global constraint will be false in any c o n tinuation of this derivation.As an intricate example, consider f: g: x: f( 1 x 1 x) g( 2 x).De ne = !comm and = !comm.The two immediate subterms can betyped as follows: f: false true] x : p( ) p( )] `f( 1 x 1 x): comm true] g: false true] x : p( ) true] `g( 2 x): comm true] Applying I to these two judgements only a ects the constraints of x. f: false true] g : false true] x : p( ) ^p( ) p( )] `f( 1 x 1 x) g( 2 x): comm true]

I.
By induction, the hypotheses of I are covered by x:~ P C] A 1 `M: 1 G 1 ] and x: ~ 0 P0 C0 ] A 2 `N: 2 G 2 ] If 1 and 2 are the substitutions by which t h e S C I R K hypotheses cover the SCIR hypotheses, then 1 2 covers the conclusion.