Verification of programs on truly nested datatypes in intensional type theory

Nested datatypes are families of datatypes that are indexed over all types such that the constructors may relate different family members (unlike the homogeneous lists). Moreover, even the family name may be involved in the expression that gives the index the argument type of the constructor refers to. Especially in this case of true nesting, termination of functions that traverse these data structures is far from being obvious. A joint article with A. Abel and T. Uustalu (TCS 333(1-2), pp. 3-66, 2005) proposes iteration schemes that guarantee termination not by structural requirements but just by polymorphic typing. And they are generic in the sense that no specific syntactic form of the underlying datatype "functor" is required. However, there have not been induction principles for the verification of the programs thus obtained although they are well-known in the usual model of initial algebras on endofunctor categories. 
 
The new contribution is a representation of nested datatypes in intensional type theory (more specifically, in the Calculus of Inductive Constructions) that is still generic, guarantees termination of all expressible programs and has induction principles that allow to prove functoriality of monotonicity witnesses (maps for nested datatypes) and naturality properties of iteratively defined polymorphic functions.


INTRODUCTION
The algebra of programming [3] shows the benefits of programming recursive functions in a structured fashion, in particular with iterators: there are equational laws that allow a calculational way of verification.Also for nested datatypes [4], already intuitively introduced in the abstract, laws have been important from the beginning.
In previous work, the author concentrated on polymorphic lambda-calculi with nested datatypes that guarantee termination of all functions that follow the proposed iteration schemes.See, in particular, the comprehensive article with Abel and Uustalu [1].Laws were not given.But the schemes were more general than previous work in that they impose minimal conditions on the datatype "functor" F of rank 2 whose least fixed point µF is still a type transformation and not just a type.There is no need to require continuity properties or that F belongs to some given set of higher-order functors that is generated from some closure properties.Since the ambient calculus is not a category, and the "functors" are no functors since no functoriality laws are required, the laws of program transformation and verification were not considered.The present article proposes a combination of both worlds: the world of terminating programs known from type theory and the categorical laws used in advanced functional programming.
The advantages of Mendler's style [15] are once more demonstrated (for inductive types, i. e., not inductive families, this is amply demonstrated in [17]): The approach is very flexible since no syntactic criterion is applied for termination checking.It is type-based termination: the types of the recursive calls ensure that there is no infinite reduction sequence starting with a well-typed term.But there has not been any contribution on the verification of programs in Mendler's style for nested datatypes.For truly nested datatypes, this is even more important since there, termination is very unintuitive while plain heterogeneous families can be used well in the conventional style of Workshop on Mathematically Structured Functional Programming, MSFP 2006 iteration that directly follows the concept of initial algebras and that is available in Coq (and other systems).
We want to do verification in the same system in which we write our programs, and we want a termination guarantee.Moreover, we insist on decidable type-checking.Thus, as our ambient calculus, we have chosen the Calculus of Inductive Constructions (CIC), in the current form in which it is implemented in the Coq theorem proving environment [7].We will only need concepts and features of Coq that are explained in the Coq textbook [2].
It will turn out that, after having introduced non-canonical elements into Mendler's style (following [19]), Coq supports reasoning very well.Unfortunately, this does not hold for nested datatypes since one programs polymorphic functions on them for which naturality laws are needed if more serious verification is aimed at.In order to enrich Mendler's style, one has to leave the realm of inductive families towards simultaneous inductive-recursive definitions that have been proposed by Dybjer since 1991.The final journal paper is [9] while Dybjer and Setzer found a finite axiomatization [8].The single inductive-recursive definition we will use will not directly be an instance of these proposals due to the use of impredicativity.It will neither be an instance of Capretta's unpublished note [6] since the simultaneously defined map function involves the inductive family not only in the source type constructor but also in the target type constructor.The idea for our construction is nevertheless taken from Capretta, but the induction principle for the inductive family is genuinely new work.
The next section introduces the important concepts for this article and discusses how Mendler's style for nested datatypes can also be used in the Coq theorem prover.The problems will be discussed and partial solutions sketched.Section 3 contains the precise description of the extension of the CIC we propose under the name LNMIt for "logic of natural Mendler-style iteration".It will be proven in LNMIt that the iterator only produces natural transformationsunder well-motivated assumptions, and that the computation rule for the Mendler-style iterator uniquely determines that iterator (again under reasonable assumptions).Section 4 proves that LNMIt can be defined within CIC plus proof-irrelevance, while in Section 5, we look back at the canonical elements with which we started in Section 2. Some conclusions are drawn and further work indicated.Coq vernacular files for the results are provided on the author's web page [13].

TOWARDS THE SYSTEM
In this article, the only nested datatypes we study are fixed points of endofunctions on type transformations.More precisely, this will mean the following.Let κ0 stand for the universe of (mono-)types that will be interpreted as sets of computationally relevant objects.In impredicative CIC, this will be the sort Set.Hence, κ0 := Set.Then, let κ1 be the kind of type transformations, hence κ1 := κ0 → κ0.Finally, the endofunctions on type transformations shall be the type constructors of kind κ2 := κ1 → κ1.
In this section, we fix a type constructor F of kind k2.It need not be closed and might even just be a variable. 1We are interested in its least fixed point µF of kind κ1.This type transformation µF is to be seen as the inductive family (µF A) A:κ0 where the index runs through all types.
There are different possibilities to specify µF .We follow the Mendler-style formulation for higher kinds that has been embodied in system MIt ω [1] (that system contains nested datatypes of arbitrary ranks, here we concentrate on the case κ = κ1 and therefore omit the superscripts altogether).First, we need an abbreviation for polymorphic function space: For X, Y : κ1, define the type The expression X ⊆ Y is of kind κ0 since we work in impredicative CIC, i. e., with impredicative κ0. 2F is specified by an introduction rule for constructing elements of µF A, an elimination rule for using elements of µF A in a disciplined fashion-in our case, this is plain iteration-and a reduction rule for computing the iteration.Introduction and elimination are provided by two constants:

The reduction rule is
Here, t : F (µF )A and s : ∀X : κ1.X ⊆ G → F X ⊆ G.The latter is called the step term of the iteration since it provides the inductive step that extends the function from the type transformation X that is to be viewed as approximation to µF , to a function from F X to G.
Here, function means an inhabitant of the universally quantified implication, hence a polymorphic function.
In what follows, constructor arguments will be omitted if they may be reconstructed mechanically.
In Coq, this will be possible by the mechanism of implicit arguments that is available since Version 8.0.The reduction rule is thus written as However, it should be kept in mind that the formal parameter X in the type of s is instantiated with µF .In [1], a direct definition within F ω [10] of a slight reformulation, using a function symbol of arity 1 instead of the constant MIt, is shown.That translation also simulates the reduction rule, in the sense that a reduction step with our new rule is transformed into at least one rewrite step of F ω .Thus, since this mentioned transformation behaves well with respect to both type and term substitution, strong normalization follows from that of F ω .
The aim of this work would have been to find a dependently-typed analogue of the elimination rule: a rule in the format of an induction principle that, given some predicate P : ∀A : κ0.µF A → P rop with P rop the sort of propositions in CIC, would have allowed to conclude that P holds universally, i. e., proved the proposition ∀A : κ0 ∀r : µF A. P A r from a suitable inductive step (the argument A is written as an index to P for enhanced clarity; for this purpose, indexing will often be done in the sequel).The author does not have a proposal for such an induction principle that would be justifiable in CIC or a consistent extension thereof.
The way out will be a more liberal datatype constructor than in.The straightforward generalization of the rule µI in [18] (later used as the introduction rule of system U V IT in [12] and called mapwrap in [19]) to nested datatypes would have a datatype constructor in of type If in is instantiated with X := µF and given the polymorphic identity on µF as an argument, the result type is F (µF ) ⊆ µF which previously was the type of in.By further instantiation to a type A and application to a term of type F (µF )A, we get elements of µF A that will be called canonical.
This single datatype constructor in specifies the inductive family µF in CIC since the reference to µF in the antecedent is strictly positive.Then, CIC will have canonical elimination rules associated with µF , and Coq will generate them.The minimality scheme for sort Set will be typed by This is the lifting of the type of Mendler's recursor [15] to nested datatypes.And the generated induction principle has a type that supports the following reasoning: Given a predicate P as above, i. e., P : ∀A : κ0.µF A → P rop, we may deduce P holds universally, i. e.,∀A : κ0 ∀r : µF A. P A r, if, for every X : κ1 and every j : X ⊆ µF , from the inductive hypothesis ∀A : κ0 ∀x : XA.P A (j A x) Workshop on Mathematically Structured Functional Programming, MSFP 2006 we can infer (this is called the inductive step) ∀A : κ0 ∀t : F XA. P A (in j t) .
What does the inductive step require in the case of canonical elements, i. e., for X := µF and j the polymorphic identity on µF ?The inductive hypothesis in this case is-after normalizing away the β-redex that is implicitly done in the CIC-the proposition ∀A : κ0 ∀r : µF A. P A r, which amounts to the conclusion of the whole induction principle.The induction step in this case is thus a triviality.Therefore, the case that is dedicated to deal with the canonical elements of the family µF does in no way contribute to the induction step.Hence, the conclusion of the induction principle can only be justified from the induction step in the cases that produce non-canonical elements.We conclude that our reasoning is entirely based on non-canonical elements.
By ignoring the additional hypothesis X ⊆ µF in the step term of the above-mentioned minimality scheme, we can get back MIt with the original type, and the following equation holds even with respect to convertibility: where s : ∀X : κ1.X ⊆ G → F X ⊆ G, j : X ⊆ µF , t : F XA, and g • f denotes function composition λx.g(f x) (for types of f and g that fit together).So, here X is instantiated with X itself and the shown first argument to s gets type X ⊆ G, hence both sides of the equation get type GA.Note also that we no longer indicate the type Set of bound variables named A, B or C.
With these iteration and induction principles, one may try to program and verify functions on nested datatypes.This will be especially interesting in the case of truly nested datatypes since they are not directly supported by the CIC.Here, truly nested datatype shall mean: The inductive family has at least one datatype constructor for which one of the argument types has a nested call to the family name, i. e., the family name appears somewhere inside the type argument of the family name occurrence in the argument type of that datatype constructor.A well-known example of true nesting is given by Bush, specified as follows [4]: The second argument to bcons has type Bush(Bush A).Here Bush occurs with argument Bush A that makes a reference to Bush.Another canonical example is a higher-order representation of deBruijn terms with an explicit notion of flattening, see [1].Another extension of deBruijn terms that yields a truly nested datatype T ermE is described in [5].[1] shows some programs on nested datatypes (including on truly nested datatypes) but does not at aim at verifying them.It turns out, however, that the induction principle of the system just described would be too weak for that purpose.Here is an intuitive argument why this is so: One of the first programs for a nested datatype is a map function that applies some function f : A → B to all elements of type A contained in the data structure of type µF A: And, certainly, one would like to establish the categorical laws for map, namely that map behaves as the morphism part of a functor whose object part is just µF .With our induction principle, this will not be possible since we do not know anything about the parameter X itself.
The first main idea here is to require that X is accompanied by some map term m : mon X where and require that m is functorial: It satisfies The equality sign = means propositional equality (Leibniz equality) that is just an inductive definition in the CIC.It is the basis of the rewriting mechanism of Coq that goes beyond the built-in and automatic convertibility relation which is implemented as one fixed strongly normalizing and confluent rewrite system.Universally quantified equations such as f ct 1 m and f ct 2 m have the impredicative kind P rop of computationally irrelevant types.Since Set is sufficiently impredicative, we may place such equations as further premisses into our datatype declarations.This will not be sufficient, though.
Rewriting in Coq with Leibniz equality cannot take place under binders such as λ-abstraction, unlike convertibility that can be applied to arbitrary subterms: Propositional equality is not extensional since the CIC is an intensional type theory.Since the additional functoriality conditions are just equations and therefore do not affect convertibility, truly nested datatypes with their tendency to favour programming with functional arguments (see [1]) call for a special attention to means to ensure that rewriting can nevertheless take place.The second main idea here is that most of the functionals that occur during programming only depend of the extension of their function arguments.This is typically so for map terms, hence we define With these definitions, we might now define µF by This time, it is much harder to obtain canonical elements: When instantiating X to µF , then we first need to find a map term map µF : mon(µF ) and then show extensionality and functoriality for map µF , before the polymorphic identity on µF can be given as a further argument to in .
In order to avoid overly long formulae in the sequel, the map term m and the three proofs e, f 1 , f 2 of ext m, f ct 1 m and f ct 2 m are organized as a dependently typed record ef ct X (expressing that X is an extensional functor) where the type of the fields e, f 1 , f 2 depends on the field m.Given a record ef , i. e., an element of type ef ct X, Coq's notation for its field m is m ef , and likewise for the other fields.We adopt this notation instead of the more common ef.m.
Canonical elements can now the obtained from the following preservation property for F : There has to be a term Fpefct : ∀X : κ1.ef ct X → ef ct(F X).
Note that it would be too demanding to require that monotone X's were transported to monotone F X's and that extensionality and the functoriality properties were each preserved separately.In particular, advanced examples require extensionality in order to establish functoriality.
With Fpefct and the Mendler recursor (the minimality scheme for sort Set generated from in by Coq), one gets map µF , and one does not even need the possibility to make recursive calls (but the argument of type X ⊆ µF of the step term is essential).Then, induction simultaneously establishes the three properties for map µF , always using the preservation property of F embodied in Fpefct.Notice that this just requires preservation of properties.Functoriality of F is not expressed at all.
However, this approach will not allow to prove that, for a monotone target constructor G-with map term mG : mon G-and a step term s : to (G, mG).In general, for X, Y : κ1, mX : mon X, mY : mon Y and j : X ⊆ Y , we define the proposition which just says that j is a natural transformation from (X, mX) to (Y, mY ).Note that functoriality of either side is not required.
The "reasonable" property above would have been Any inductive proof of MIt s ∈ NAT (map µF , mG) will break down since there is no information available about the argument of type X ⊆ µF of in .Let us call this argument j.Then, we would need j ∈ NAT (m, map µF ) in order to complete that proof attempt.Hence, we want a datatype constructor In of type This constructor declaration cannot define µF since map µF : mon(µF ) refers to the µF defined through in .So, this map µF has to be defined anew, by recursion on the fixed point µF about to be defined by In.The situation is thus: The inductive family µF has to be given simultaneously with the recursive function map µF whose type is isomorphic with µF ⊆ G, where So, we may say that µF is the source type constructor of map µF , and that the recursion is over µF .Unfortunately, the target type constructor G involves µF again, which excludes this situation from being covered by [6].Nevertheless, it is a simultaneous inductive-recursive definition in a broad sense, and Capretta's idea is applicable.

THE SYSTEM
We will call LNMIt ("logic for natural Mendler-style iteration of rank 2") 4 the extension of CIC by the following ingredients and later prove that they can already be defined in CIC plus proof-irrelevance (in sort P rop, every proposition has at most one proof): Assume F : κ2 and Fpefct : ∀X : κ1.ef ct X → ef ct(F X).
Then there are µF : κ1 and map µF : mon(µF ) with datatype constructor In of the type (already shown above) with iterator M It of type (the one shown before) with the induction principle µF Ind of type ∀P : ∀A.µF A → P rop.∀X : κ1∀ef : ef ct X ∀j : X ⊆ µF ∀n : j ∈ NAT (m ef, map µF ).
∀A∀x : XA.P A (j A x) → ∀A∀t : F XA. P A (In ef j n t) → ∀A∀r : µF A. P A r and the following equations that are contained in the convertibility relation: In LNMIt, we can now prove the following theorem that is not provable in the systems of Section 2: Theorem 1 (Naturality of MIt s) Assume G : κ1, mG : mon G, s : ∀X : κ1.X ⊆ G → F X ⊆ G and that the following holds: Then MIt s ∈ NAT (map µF , mG), hence MIt s is a natural transformation for the respective map terms.
Proof.This is done by induction with Assume X, ef, j, n as prescribed.The induction hypothesis is Further assume A, t, B, f .It remains to show MIt s (map µF f (In ef j n t)) = mG f (MIt s (In ef j n t)) .
Abbreviate aux := λA.(MIt s) A • j A .By the equational rules for map µF and MIt, the previous equation is equivalent to We want to apply the assumption of the theorem.It suffices to show aux ∈ NAT (m ef, mG).Assume A, B, f, t.Show aux B (m ef f t) = mG f (aux A t).Its left-hand side is equivalent to where we used the assumption n of type j ∈ NAT (m ef, map µF ) for the last step.Now, the induction hypothesis is applicable. 2 Moreover, under reasonable assumptions, MIt s is uniquely characterized by the equation above: Assume finally that h satisfies the equation for MIt s: Then, ∀A∀r : µF A. h A r = MIt s r.
Proof.Induction is used with the evident P := λAλr : µF A. h A r = MIt s r.Then assume the appropriate X, ef, j, n.The inductive hypothesis is ∀A∀x : XA. h A (j A x) = MIt s (j A x). Assume further A, t and show h A (In ef j n t) = MIt s (In ef j n t).
Applying the hypothesis on h and the computation rule for MIt yields the following equivalent equation: The extensionality assumption on s finishes the proof if we can show but this is the induction hypothesis. 2 Note that this uniqueness theorem would have been available also in the theory in Section 2 that did not integrate naturality into the approximations to µF .

JUSTIFICATION Theorem 3 (Main Theorem)
The system LNMIt can be defined within the CIC, extended by the principle of proof irrelevance, i. e., by ∀P : P rop ∀p 1 , p 2 : P. p 1 = p 2 .
The proof will occupy the remainder of this section.First, assume F : κ2.Capretta's idea [6] is to introduce first something bigger than the desired µF , i. e., a type transformation µ + F such that, later, there is a function of type µF ⊆ µ + F .In fact, µF will be defined as the restriction of µ + F by some predicate, and the mentioned function will just be the first projection out of that strong sum type.While µ + F will not be a "real" recursive type-there is no recursive call to µ + F , hence it is just a record-that predicate is defined inductively with induction hypotheses that are in no way a priori smaller than the The inductive family µ + F is defined by the datatype constructor Certainly, the idea is that G should be µF , m should be map µF and it should be MIt.
Unfortunately, the method requires that the iteration principle has to be encoded into the construction from the very beginning onwards.In this sense, this treatment of simultaneous inductive-recursive definitions is closed in that it does not allow any other functions that are defined by recursion on the family afterwards.
The minimality scheme for sort Set generated from In + by Coq is just case analysis on this record-like µ + F .By its help, we can immediately define map µ + F : mon µ + F with that holds even w.r. t. convertibility.Similarly, one defines MIt + : MItP retype(µ + F ) such that MIt + s (In + ef m it j n t) = s (λA.(it s) A • j A ) t again also holds within the convertibility relation.Evidently, this has nothing to do with iteration since there is no recursive call whatsoever.
With map µ + F and MIt + in place, it can now be defined what is a "good" element of µ + F .Following Capretta [6], this is done by way of an inductive predicate chk µ + F : ∀A.µ + F A → P rop for which there is a single inductive clause Inchk of type This is a strictly-positive inductive definition, hence Coq generates an induction principle as follows.Given a predicate P : ∀A.µ + F A → P rop, P holds universally, if the following induction step is provided: The premise ∀A∀t : GA. chk µ + F (j A t) yields the inversion principle for chk µ + F , the premise ∀A∀t : GA.P A (j A t) is the induction hypothesis.
Note that the η-expansion λAλt : GA. j A t of j is needed for the later proof.Note also that no recursion principle is possible for chk µ + F since it would inject elements of P rop into the realm of Set.
Slightly sloppily, we can say that an element of µ + F A is "good" if it is of the form In + . . .where the argument m is replaced by map µ + F and it is replaced by MIt + and all the j-images are already "good".Finally, set µF A := {r : This notation stands for the inductively defined sig of Coq which is a strong sum in the sense that the first projection yields the element r and the second projection the proof that chk µ + F r.
The map function map µF for µF can now be defined as follows: Assume A, r : µF A, B and f : A → B. We have to define map µF f r of type µF B. r consists of a term r : µ + F A and a proof p : chk µ + F r.The first component of our result will be map µ + F f r , the second component has to be a proof that chk µ + F (map µ + F f r ).Now we do inversion on p, i. e., induction on chk µ + F where the induction hypothesis will be used in the induction step.This is immediate with the computation rule for map µ + F and the introduction rule for chk µ + F , using the other hypothesis that yields the inversion principle.
Since map µ + F is not recursive at all, map µF is recursive neither.The required recursive behaviour will only come from a definition of In that involves map µ + F .In order to define In of the required type, assume X : κ1, ef : ef ct X, j : X ⊆ µF , n : j ∈ NAT (m ef, map µF ), A and t : F XA. We have to define In ef j n t : µF A. Its first component of type µ + F A is given by In + ef map µ + F MIt + j n t with j : X ⊆ µ + F defined by typewise composing the first projection out of µF with j, and n its canonical naturality proof that depends on n and the fact that the first projection of map µF f r is defined to be map µ + F , applied to f and the first projection of r.The second component, i. e., the proof part, again direct follows from the introduction rule for chk µ + F since, by the very definition of µF , we have ∀A∀t : XA. chk µ + F (j A t). 5Even w. r. t. convertibility, this construction fulfills the required equation for map µF .To understand better why this equation can be recursive now, note that it is not just an equation about map µF but a relation between map µF and In.Since map µ + F entered both parts, the possible "miracle" happens.
The same peculiarity occurs with the definition of MIt, but this is easier than for map µF .Just define, given s : ∀X : κ1.X ⊆ G → F X ⊆ G and r : µF A, the term MIt s r : GA as MIt + , applied to s and the first projection of r.The desired equality for MIt holds even as convertibility since composition is associative also in this sense.
For the induction principle µF Ind, we currently need proof-irrelevance.This is needed for two purposes: • A simple consequence is the following principle of irrelevance of the proof in elements of type µF A: If the first projections of r 1 and r 2 of type µF A are equal, then r 1 = r 2 .This could possibly be remedied by changes to CIC that affect the convertibility relation for strong sums (see the presentation of Benjamin Werner at the TYPES 2006 conference).• We need that any two proofs of naturality for the same parameters are equal.The author does not see yet how this could be reduced to the specific instance of proof-irrelevance where only all proofs of the same equation are identified (up to Leibniz equality).The problem here is that naturality is a universally quantified equation, and equational reasoning does not reach under binders in intensional type theory.
However, it is well-known that there are models of CIC that are proof-irrelevant, and this does by no means degenerate the computational world inside sort Set.
The following proof has no counterpart in Capretta's work [6].It seems that it profits from our very special situation while Capretta intended to give a general method for simultaneous inductiverecursive definitions.
In order to prove µF Ind, assume the predicate P , the term s representing the inductive step and A : Set, r : µF A. We have to show P A r.The term r decomposes into a term : µ + F A and a proof p : chk µ + F r .We do induction on p.We write cons for the opposite operation of this decomposition, hence cons : ∀A∀r : µ + F A. chk µ + F r → µF A. Thus, we want to show P A (cons r p) by induction on p.As such, this is not covered by the given induction principle for chk µ + F .But Coq may also generate a more dependent version (induction scheme for sort P rop): Given a predicate P : ∀A∀r : µ + F A. chk µ + F r → P rop, P holds universally, i. e., ∀A∀r : µ + F A∀p : chk µ + F r .P A r p, if ∀G : κ1∀ef : ef ct G ∀j : G ⊆ µ + F ∀n : j ∈ NAT (m ef, map µ + F ) ∀k : ∀A∀t : GA. chk µ + F (j A t) .∀A∀t : GA.P A (j A t)(k A t) → ∀A∀t : F GA.
P A In + ef map µ + F MIt + λAλt : GA. j A t n t (Inchk ef j n k t) .
Here, P A r p := P A (cons r p).Assume G, ef, j, n, k according to this induction principle.Define j := λAλt : GA. cons(j A t)(k A t) of type G ⊆ µF .Assume H : ∀A∀t : GA.P A (j A t) , A : Set and t : F GA. We have to prove First show j ∈ NAT (m ef, map µF ).For this, one has to remove the outer quantifiers and then use proof-irrelevance in showing the equation only for the first projections.But this follows by a short calculation from our naturality proof n.Let n 1 be this proof of j ∈ NAT (m ef, map µF ).We deduce P A (In ef j n 1 t) from the general assumption s and our assumption H.

It also holds that
In + ef map µ + F MIt + λAλt : GA. j A t n t is Leibniz-equal to the first projection of In ef j n 1 t.This is a simple calculation for the "j argument", and we identify all naturality proofs in our system.Since we identify elements of µF A with the same first component, the two arguments of P A in this proof development are equal, hence we may pass from the validity of the second such statement to that of the first one.Again, all the details can be found in the Coq development [13]. 2

BACK TO CANONICAL ELEMENTS
Why did we require for LNMIt not only a map-preserving function that takes m : mon X to some term of type mon (F X)? Up to now, only the m components of the extensional functors ef have been used.Since we want to construct canonical elements, we also need the properties-just as in the preliminary system in section 2.

Theorem 4 (Canonical Elements in LNMIt)
There is a term InCan : F (µF ) ⊆ µF (the canonical datatype constructor that constructs canonical elements) such that the following equations are even contained in the convertibility relation: for some term ef µF : ef ct µF .Thus, for canonical elements, we get back the ordinary behaviour.
Proof.We want to take µF as its own approximation, with map µF as the map term, hence with a term ef µF : ef ct µF s. t. m ef µF = map µF .Therefore, we need to establish ext, f ct 1 and f ct 2 for map µF .Then, trivially, the polymorphic identity on µF serves as argument j to In, and (lambda-abstracted) reflexivity of equality yields the respective proof of naturality.Then, the claimed equations follow from those of LNMIt and the fact that MIt s is a λ-abstraction, hence composition with the identity can be β-reduced away.
Let us establish extensionality; the functoriality properties are proved analogously.The statement ext map µF is logically equivalent with universal validity of the predicate P := λAλr : µF A∀B∀f, g : A → B. (∀a : A. f a = ga) → map µF f r = map µF g r .This is proven by inversion on µF , i. e., by using µF Ind without the induction hypothesis.Then, it remains to show ∀A∀t : F XA. P A (In ef j n t) in the usual context with X, ef, j, n.So, assume A, t, B, f, g with ∀a : A. f a = ga.Show map µF f (In ef j n t) = map µF g (In ef j n t) .

By convertibility, this amounts to
In ef j n (m (Fpefct ef ) f t) = In ef j n (m (Fpefct ef ) g t) , which follows from e (Fpefct ef ) : ext(m (Fpefct ef )). 2 It should be noted that the term m (Fpefct ef µF ) in the behaviour of map µF can usually be simplified to Fpmon map µF , namely when there is a map-transforming function Fpmon of type ∀X : κ1.mon X → mon (F X) such that for all X and ef : ef ct X, m (Fpefct ef ) = F pmon (m ef ), i. e., when the map term for F X does not depend on the properties of the map term for X.This is usually the case and leads to the standard behaviour of map µF that is programmed in functional programming languages that do not guarantee termination, unlike our approach.

CONCLUSIONS
It is now possible to combine the following benefits: • termination of all functions following the recursion schemes • recursion schemes are type-based and not syntax-driven • genericity: no specific shape of the datatype functors required • no continuity properties required • includes truly nested datatypes

• categorical laws for program verification • program execution within the convertibility relation of Coq
In fact, the whole development has been formalized in Coq, and it has been tested with the example of 3-bushes [14].However, the final version of that article does no longer use Mendlerstyle iteration but confines itself to conventional style (motivated from initial algebras).A fortiori, these little algorithms can be presented in Mendler's style, and the "reasonable" application conditions of our theorems are met.
In practice, one often uses refined forms of iteration that are also known under the names of efficient folds [11,16].In [1], some more general forms in the spirit of Mendler's style are studied, e. g., the system MIt ω = .Its iterator can be expressed by MIt of this article, but only at the expense of some right Kan extension as target type constructor G.Although our Theorem 1 would apply, its application condition would speak about equality of functions, and that is usually not provable.With some more refined notions of extensionality and more careful use of quantification, it is nevertheless possible to prove a theorem for MIt that will yield a naturality property for MIt = that precisely captures the map fusion law.This can even be extended to treat GM It, a more liberal form of MIt = introduced in [1].
Certainly, more and more difficult examples have to be verified.It does not seem possible to extend the construction with the inductive-recursive definition from iteration to primitive recursion.A further goal would be reasoning principles for conventional style without non-canonical elements that can treat truly nested datatypes.
Finally, it should be mentioned that the present work does not restrict the system to one single nested datatype or only the introduction of one such datatype after the other.All the constructions are fully parametric so that arbitrary interleaving of such families (in the style of generalized rose trees) is admissible.

Theorem 2 (
Uniqueness of MIt s) AssumeG : κ1, s : ∀X : κ1.X ⊆ G → F X ⊆ G and h : µF ⊆ G (the candidate for being MIt s).Assume further the following extensionality property of s (s only depends on the extension of its function argument):∀X : κ1∀f, g : X ⊆ G. (∀A∀x : XA. f x = g x) → ∀A∀y : F XA. s f y = s g y .