Encoding Monomorphic and Polymorphic Types

Abstract. Most automatic theorem provers are restricted to untyped logics, and existing translations from typed logics are bulky or unsound. Recent research proposes monotonicity as a means to remove some clutter. Here we pursue this approach systematically, analysing formally a variety of encodings that further improve on efficiency while retaining soundness and completeness. We extend the approach to rank-1 polymorphism and present alternative schemes that lighten the translation of polymorphic symbols based on the novel notion of "cover". The new encodings are implemented, and partly proved correct, in Isabelle/HOL. Our evaluation finds them vastly superior to previous schemes.


Introduction
Specification languages, proof assistants, and other theorem proving applications are typically based on polymorphic formalisms, but state-of-the-art automatic provers support only untyped or monomorphic logics. The existing sound (proof-reflecting) and complete (proof-preserving) translation schemes for polymorphic types, whether they revolve around functions (tags) or predicates (guards), produce clutter that severely hampers proof search [22], and lighter approaches based on type arguments are unsound [22,29]. As a result, application authors face a difficult choice between soundness and efficiency when interfacing with automatic provers.
The fourth author, together with Claessen and Lillieström [16], designed a pair of sound, complete, and efficient translations from monomorphic many-typed to untyped first-order logic with equality. The key insight is that monotonic types, i.e. types whose domain can be extended with new elements while preserving satisfiability, can be merged. The remaining types can be made monotonic by introducing suitable protectors. In the monkey village of Example 1.1, the type banana is monotonic, because any model with b bananas can be extended to a model with b′ > b bananas. In contrast, monkey is nonmonotonic, because at most ⌊b/2⌋ monkeys can live in a village with a finite supply of b bananas. Syntactically, the monotonicity of banana is inferable from the absence of a positive equality B ≈ t or t ≈ B, where B is a variable of type banana and t is arbitrary; such a literal would be needed to make the type nonmonotonic.
The example can be encoded as follows, using the predicate g_monkey to guard against ill-typed instantiations of M, M1, and M2. The first axiom, ∃M. g_monkey(M), states the existence of a monkey; this is necessary for completeness, since model carriers are required to be nonempty. Thanks to monotonicity, it is sound to omit all type information regarding bananas. The intuition behind this is that the g_monkey predicate makes the problem fully monotonic, and for such problems it is possible to synchronise the cardinalities of the different types and to merge the types, yielding an equisatisfiable untyped (or singly typed) problem. For example, a model M of the typed problem with m monkeys and b bananas will give rise to a model M′ of the untyped problem with b "bananamonkeys," among which m are monkeys according to the interpretation of g_monkey; conversely, from a model of the untyped problem with b "bananamonkeys" including m values for which g_monkey is true (with m > 0 thanks to the first axiom), it is easy to construct a model of the typed problem with b bananas and m monkeys.
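The syntactic monotonicity criterion above is easy to mechanise. The following is a minimal sketch (not the authors' implementation; the clause representation and the names `Var`, `Eq`, and `possibly_nonmonotonic` are our own illustrative assumptions) of the test of Claessen et al. [16]: a type is flagged possibly nonmonotonic exactly when a variable of that type occurs on either side of a positive equality literal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    name: str
    typ: str            # ground type name, e.g. "monkey"

@dataclass(frozen=True)
class Eq:
    lhs: object         # Var or any opaque non-variable term
    rhs: object
    positive: bool      # True for ≈, False for ≉

def possibly_nonmonotonic(clauses):
    """Collect the types that have a variable under a positive equality."""
    bad = set()
    for clause in clauses:              # a clause is a list of literals
        for lit in clause:
            if isinstance(lit, Eq) and lit.positive:
                for side in (lit.lhs, lit.rhs):
                    if isinstance(side, Var):
                        bad.add(side.typ)
    return bad

# Monkey village: "the two bananas are distinct" yields only a negative
# equality B1 ≉ B2, while "each banana has at most one owner" yields a
# positive equality M1 ≈ M2.
clauses = [
    [Eq(Var("B1", "banana"), Var("B2", "banana"), positive=False)],
    [Eq(Var("M1", "monkey"), Var("M2", "monkey"), positive=True)],
]
print(possibly_nonmonotonic(clauses))   # {'monkey'}
```

On this input, banana is inferred monotonic and only monkey requires protectors, matching the discussion above.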
Monotonicity is not decidable, but it can often be inferred using suitable calculi. In this article, we exploit this idea systematically, analysing a variety of encodings based on monotonicity: some are minor adaptations of existing ones, while others are novel encodings that further improve on the size of the translated formulae.
In addition, we generalise the monotonicity approach to a rank-1 polymorphic logic, as embodied by the typed first-order form TFF1 of the TPTP (Thousands of Problems for Theorem Provers) [7], a de facto standard implemented by a number of reasoning tools. Unfortunately, the presence of a single equality literal X ≈ t or t ≈ X, where X is a polymorphic variable of type α, will lead the analysis to classify all types as possibly nonmonotonic and force the use of protectors everywhere, as in the traditional encodings. A typical example is the list axiom ∀X : α, Xs : list(α). hd(cons(X, Xs)) ≈ X. We solve this issue through a novel scheme that reduces the clutter associated with nonmonotonic types, based on the observation that protectors are required only when translating the particular formulae that prevent a type from being inferred monotonic. This contribution improves the monomorphic case as well: for the monkey village example, our scheme detects that the first two axioms are harmless and translates them without the g_monkey guards. (In fact, by appealing to a more general notion of monotonicity, it is possible to eliminate all type information in the monkey village problem in a sound fashion.)

Encoding types in an untyped logic is an old problem, and several solutions have been proposed in the literature. We start by reviewing four main traditional approaches (Section 3), which prepare the ground for the more advanced encodings presented in this article. Next, we present improvements of the traditional encodings that aim at reducing the clutter associated with polymorphic symbols, based on the novel notion of "cover" (Section 4). Then we move our attention to monotonicity-based encodings, which try to minimise the number of added tags or guards.
We first present known and novel monotonicity-based schemes that handle only ground types (Section 5); these are interesting in their own right and serve as stepping stones for the full-blown polymorphic encodings (Section 6). Proofs of correctness accompany the descriptions of the new encodings; the proofs explicitly relate models of unencoded and encoded problems. Figure 1 presents a brief overview of the main encodings. The traditional encodings are identified by single letters (e for full type erasure, a for type arguments, t for type tags, g for type guards). The nontraditional encodings append a suffix to the letter: @ (cover-based), ? (monotonicity-based, lightweight), or ?? (monotonicity-based, featherweight). The ˜ decoration identifies the monomorphic version of an encoding. Among the nontraditional schemes, t? and g? are due to Claessen et al. [16]; the other encodings are novel.
A formalisation [8] of the monomorphic part of our results has been developed in the proof assistant Isabelle/HOL [24,25]. The encodings have been implemented in Sledgehammer [3,22], which provides a bridge between Isabelle/HOL and automatic theorem provers (Section 7). They were evaluated with Alt-Ergo, E, SPASS, Vampire, and Z3 on a benchmark suite consisting of proof goals from existing Isabelle formalisations (Section 8). Our comparisons include the traditional encodings as well as the provers' native support for monomorphic types where it is available. Related work is considered at the end (Section 9).
We presented an earlier version of this work at the TACAS 2013 conference [5]. The current text extends the conference paper with detailed proofs and a discussion of implementation issues (Section 7). It also corrects the side conditions of two encoding definitions, which resulted in an unexpected incompleteness.

Convention 1.2. Given a name, such as t, that ranges over a certain domain, such as the set of terms, its overlined version t̄ ranges over lists (tuples) of items in this domain, and |t̄| denotes the length of t̄. We also write |A| for the cardinal of a set A. A set is countable if it is finite or countably infinite.
Convention 2.8. We write t^σ to indicate that the term t is well typed and its (unique) type is σ. This convention is consistent with the notation X^σ for term variables of type σ.
• if f : ∀α1, …, αm. σ1 × ⋯ × σn → σ, then f^M ∈ ∏_{D̄∈D^m} (σ1^M_{θ_D̄} × ⋯ × σn^M_{θ_D̄} → σ^M_{θ_D̄}), where θ_D̄ is a type variable valuation mapping each αi to Di;
• if p : ∀α1, …, αm. σ1 × ⋯ × σn → o, then p^M ⊆ ⋃_{D̄∈D^m} σ1^M_{θ_D̄} × ⋯ × σn^M_{θ_D̄}, where θ_D̄ is as above.
As expected from the arity of f, the interpretation f^M is a function first taking m type arguments and then n data (element) arguments. Similarly, the interpretation p^M is a predicate respecting the arity of p.
Given a type variable valuation θ and a compatible term variable valuation ξ : V → ⋃_{σ∈Type} σ^M_θ, the interpretations of terms and formulae by the structure M, t^M_{θ,ξ} and ϕ^M_{θ,ξ}, are defined in the standard way. We omit irrelevant subscripts, writing σ^M if σ is ground and ϕ^M if ϕ is a sentence.
A structure M is a model of a problem Φ if ϕ M is true for every ϕ ∈ Φ. A problem that has a model is satisfiable.
We are interested in encoding polymorphic problems Φ in a manner that preserves and reflects their satisfiability. It will be technically convenient to assume that their signatures have at least one nullary type constructor, so that the set of ground types is nonempty. It is obvious that this assumption is harmless: if it is not satisfied, we simply extend the signature with a distinguished nullary type constructor ι :: 0. Since ι does not appear in the formulae of Φ and since in models the set of domains is assumed to be nonempty, this signature extension does not affect its satisfiability: given a model of Φ in the original signature, we obtain one in the extended signature by interpreting ι as an arbitrary domain; given a model in the extended signature, we obtain one in the original signature by omitting the interpretation of ι.
Convention 2.11. For all polymorphic signatures Σ = (K , F , P ) that we consider, we assume that K contains at least one nullary type constructor.
The following lemma shows that, in structures, the collection of domains can be regarded as a copy of the ground types.
Lemma 2.12. If a polymorphic Σ-problem Φ has a model, it also has a model M = (D, (k^M)_{k∈K}, _, _) such that the following conditions are met: (3) the type interpretation function σ ↦ σ^M is a bijection between GType and D; (4) D is countable; (5) D is disjoint from each D ∈ D, and any distinct D1, D2 ∈ D are disjoint.
Proof. Assume Φ has a model M. To prove (1), we construct a model M′ from M by tagging the domains with types, i.e. by defining D′ = {D × {σ} | D ∈ D ∧ σ ∈ GType_Σ} and maintaining types across the application of type constructors. The interpretations of the function and predicate symbols are adjusted accordingly. It is easy to prove that M and M′ satisfy the same polymorphic formulae; in particular, M′ is a model of Φ. For (2), we define a model M′′ = (D′′, (k^M′′)_{k∈K}, _, _) from M′ by taking D′′ ⊆ D′ to be the image of the function σ ↦ σ^M′ : GType_Σ → D′ and by taking k^M′′ and s^M′′ to be the restrictions of k^M′ and s^M′. Thanks to Convention 2.11, D′′ is nonempty, and moreover k^M′′ is well defined on D′′. Again, it is easy to prove that M′′ satisfies all the polymorphic formulae that M′ satisfies. In particular, M′′ is a model of Φ. Points (3) and (4) follow from (1) and (2). Finally, we prove (5) by replacing the domains with disjoint copies of them.

2.2. Monomorphic First-Order Logic. Monomorphic first-order logic, more commonly known as many-sorted first-order logic and corresponding to TPTP TFF0 [32], has signatures Σ = (Type, F, P), where Type is a countable set of types (or sorts) ranged over by σ, F is a countable set of function symbols f : σ̄ → σ with arities, and P is a countable set of predicate symbols p : σ̄ → o with arities.
Structures for a monomorphic signature interpret the types as sets and the function and predicate symbols as functions and predicates of the suitable arities. Given a model M and a valuation ξ : V → ⋃_{σ∈Type} D_σ, the interpretations of terms and formulae, t^M_ξ and ϕ^M_ξ, are defined as expected. Monomorphic first-order logic can be viewed as a special case of polymorphic first-order logic, with a polymorphic signature considered monomorphic when all its type constructors are nullary and the arities of its function and predicate symbols contain no type variables.
Example 2.13. A monomorphised version of the algebraic list problem of Example 2.10 is obtained by instantiating α with b throughout.

2.3. Untyped First-Order Logic. The final target logic for all our encodings, untyped first-order logic, coincides with the TPTP first-order form FOF [30]. This is the logic traditionally implemented in automatic theorem provers and finite model finders. An untyped signature is a pair Σ = (F, P), where F and P are countable sets of function and predicate symbols with arities, where the arities are natural numbers. The notation s^n indicates that the symbol s has arity n. The untyped syntax is identical to that of the monomorphic logic, except that variable terms do not contain types and quantification is written ∀X. ϕ and ∃X. ϕ. The structures M for Σ = (F, P) are triples (D, (f^M)_{f∈F}, (p^M)_{p∈P}), where D is the domain and f^M and p^M are n-ary functions and predicates on D, with n being the symbol's arity.
2.4. Type Encodings. The type encodings discussed in this article are given by functions that take problems Φ in a logic L to problems Φ ′ in a logic L ′ , where L and L ′ are among the three logics introduced above.
Convention 2.14. Each of the considered encodings will be specified by the following data:
• a function that maps L-signatures Σ to L′-signatures Σ′;
• for all L-signatures Σ and problems Φ over Σ:
  - a (possibly empty) set Ax_Φ of sentences over Σ′, the axioms, added by the translation;
  - a function from formulae over Σ to formulae over Σ′, the formula translation.
The formula translation is typically based on a term translation. The encoding ⟨Φ⟩ of a problem Φ is given by the union of the axioms and the componentwise translations of its formulae.

Central to this article are the notions of soundness and completeness of an encoding:

Definition 2.15 (Correctness). An encoding as above is sound for a class of problems C if satisfiability of Φ ∈ C implies satisfiability of ⟨Φ⟩; it is complete for C if, given Φ ∈ C, satisfiability of ⟨Φ⟩ implies satisfiability of Φ; it is correct for C if it is both sound and complete (i.e. Φ and ⟨Φ⟩ are equisatisfiable). In case C is the class of all problems, we omit it and simply call the encoding sound, complete, or correct.

Traditional Type Encodings
There are four main traditional approaches to encoding polymorphic types: full type erasure, type arguments, type tags, and type guards [18,22,29,36]. Before introducing them, we first establish some conventions that will be useful throughout the article.
Convention 3.1. We will often need to extend signatures Σ with one or more of the following distinguished symbols. Whenever we employ them, we assume they are fresh with respect to Σ and have the indicated arities: • a nullary type constructor ϑ; • a function symbol t : ∀α. α → α; • a predicate symbol g : ∀α. α → o.
Terms of type ϑ will be used to represent the types of Σ, t will be used to tag terms with type information, and g will be used to guard formulae with type information.
Convention 3.2. Since the sets of type and term variables, A and V, are countably infinite, we can fix a function from A to V, α ↦ V(α), such that (1) it is injective, i.e. V(α1) = V(α2) implies α1 = α2; (2) it allows for an infinite supply of term variables that do not correspond to type variables, i.e. the set of term variables not having the form V(α) is infinite. This function can be used to encode types as terms. Thanks to (2), we can safely assume that the source problems Φ do not contain variables of the form V(α).
3.1. Full Type Erasure. The easiest way to translate a typed problem into an untyped logic is to erase all its type information, which means omitting all type arguments, type quantifiers, and types in term quantifiers. We call this encoding e.

Definition 3.3 (Full Erasure e). The full type erasure encoding e translates a polymorphic problem over Σ = (K, F, P) into an untyped problem over Σ′ = (F′, P′), where the symbols in Σ′ have the same term arities as in Σ (but without type arguments). Thus, if f : ∀ᾱ. σ1 × ⋯ × σn → σ and p : ∀ᾱ. σ1 × ⋯ × σn → o are in F and P, respectively, then f and p have arities n in F′ and P′, respectively. The encoding adds no axioms, and the term and formula translations ⟨ ⟩_e are defined as follows:

⟨X^σ⟩_e = X    ⟨p^σ̄(t̄)⟩_e = p(⟨t̄⟩_e)    ⟨∀X : σ. ϕ⟩_e = ∀X. ⟨ϕ⟩_e
⟨¬ p^σ̄(t̄)⟩_e = ¬ p(⟨t̄⟩_e)    ⟨∃X : σ. ϕ⟩_e = ∃X. ⟨ϕ⟩_e    ⟨∀α. ϕ⟩_e = ⟨ϕ⟩_e

Here and elsewhere, we omit the trivial cases where the function is simply applied to its subterms or subformulae, as in ⟨ϕ1 ∧ ϕ2⟩_e = ⟨ϕ1⟩_e ∧ ⟨ϕ2⟩_e. Recall that, according to Section 2.4, the e translation of a problem Φ is simply the componentwise translation of its formulae: ⟨Φ⟩_e = {⟨ϕ⟩_e | ϕ ∈ Φ}.
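As a concrete illustration, the e translation can be sketched on a toy abstract syntax (the tuple-based AST and the function names below are our own assumptions, not part of the formal development): type quantifiers disappear, term quantifiers lose their type annotation, and type arguments are dropped from applications.

```python
def erase_term(t):
    """Term translation: variables lose their type, applications their type arguments."""
    if t[0] == "var":                       # ("var", X, σ)
        _, name, _typ = t
        return ("var", name)
    _, f, _tyargs, args = t                 # ("app", f, type_args, args)
    return ("app", f, [erase_term(a) for a in args])

def erase(phi):
    """Formula translation for the e encoding."""
    tag = phi[0]
    if tag == "forall_ty":                  # type quantifier: dropped entirely
        return erase(phi[2])
    if tag in ("forall", "exists"):         # term quantifier: type annotation dropped
        _, name, _typ, body = phi
        return (tag, name, erase(body))
    if tag == "pred":                       # atom: type arguments dropped
        _, p, _tyargs, args = phi
        return ("pred", p, [erase_term(a) for a in args])
    if tag == "not":
        return ("not", erase(phi[1]))
    if tag in ("and", "or", "implies"):
        return (tag, erase(phi[1]), erase(phi[2]))
    raise ValueError(f"unknown node: {tag}")

# ∀α. ∀X : α. p(X)  becomes  ∀X. p(X)
phi = ("forall_ty", "a",
       ("forall", "X", "a", ("pred", "p", ["a"], [("var", "X", "a")])))
print(erase(phi))   # ('forall', 'X', ('pred', 'p', [('var', 'X')]))
```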
Example 3.4. Encoded using e, the monkey village axioms of Example 1.1 lose all their type information. Like the original axioms, the encoded axioms are satisfiable: the requirement that each monkey possesses two bananas of its own can be met by taking an infinite domain (since 2k = k for any infinite cardinal k).
However, full type erasure is generally unsound in the presence of equality because equality can be used to encode cardinality constraints on domains. For example, the axiom ∀U : unit. U ≈ unity forces the domain of unit to have only one element. Its erasure, ∀U. U ≈ unity, effectively restricts all types to one element; a contradiction is derivable from any disequality t ≉ u or any pair of clauses p(t̄) and ¬ p(ū). An expedient proposed by Meng and Paulson [22, §2.8], which they implemented in Sledgehammer, is to filter out all axioms of the form ∀X : σ. X ≈ a1 ∨ ⋯ ∨ X ≈ an, but this makes the translation incomplete and generally does not suffice to prevent unsound cardinality reasoning.
An additional issue with full type erasure is that it confuses distinct monomorphic instances of polymorphic symbols. The formula q_a(f_a) ∧ ¬ q_b(f_b) is satisfiable, but its type erasure q(f) ∧ ¬ q(f) is unsatisfiable. A more intuitive example might be N ≉ 0 → N > 0, which we would expect to hold for the natural number versions of 0 and > but not for integers or real numbers.
Nonetheless, full type erasure is complete, and this property will be useful later.
Theorem 3.5 (Completeness of e). Full type erasure is complete.
Proof. Let M′ be a model of ⟨Φ⟩_e, with domain D, and let D = {D}. We construct a structure M for the signature of Φ by interpreting every ground type as D and every symbol as in M′, with every type variable valuation θ mapping the type variables to θ(α) = D, where α is any type variable. (The choice of α is irrelevant because θ maps all type variables to D, the only element of D.) The next facts follow by structural induction on t and ϕ (for arbitrary θ and ξ): t^M_{θ,ξ} = ⟨t⟩_e^{M′}_{ξ′} and ϕ^M_{θ,ξ} = ⟨ϕ⟩_e^{M′}_{ξ′}, where ξ′ is the untyped valuation corresponding to ξ. In particular, for sentences, we have ϕ^M = ⟨ϕ⟩_e^{M′}; and since M′ is a model of ⟨Φ⟩_e, it follows that M is a model of Φ.
By way of composition, the e encoding lies at the heart of all the encodings presented in this article. Given n encodings x1, …, xn, we write x1; …; xn for the composition xn ∘ ⋯ ∘ x1. Typically, n will be 2 or 3 and xn will be e. Moreover, each xi will be correct and will transform the problem so that it belongs to a fragment for which xi+1 is also correct. This will ensure that the whole composition is correct. Finally, because x2, …, xn will always be fixed for a given x1, we will call the entire composition x1; …; xn the "x1 encoding".
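The composition notation can be read operationally: the stages are applied left to right. A trivial sketch (our own illustration, with hypothetical stages on a problem represented as a list of formulae):

```python
def compose(*stages):
    """x1; ...; xn -- apply the encoding stages left to right,
    i.e. the function composition xn o ... o x1."""
    def encoding(problem):
        for stage in stages:
            problem = stage(problem)
        return problem
    return encoding

# Hypothetical stages: one adds typing axioms, one erases to untyped form.
add_axioms = lambda phis: ["axiom"] + phis
to_untyped = lambda phis: [("erased", phi) for phi in phis]

pipeline = compose(add_axioms, to_untyped)      # an "x1 ; e" style pipeline
print(pipeline(["phi1"]))   # [('erased', 'axiom'), ('erased', 'phi1')]
```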
3.2. Type Arguments. A natural way to prevent the (unsoundness-causing) confusion arising with full type erasure is to encode types as terms in the untyped logic. Instances of polymorphic symbols can be distinguished using explicit type arguments, encoded as terms: n-ary type constructors k become n-ary function symbols k, and type variables α become term variables A. A polymorphic symbol with m type arguments is passed m additional term arguments. The example given in the previous subsection is translated to q(a, f(a)) ∧ ¬ q(b, f(b)), and a fully polymorphic instance f_α would be encoded as f(A) (with A a term variable). We call this encoding a. We first encode the types in isolation and then the typed terms.
Definition 3.6 (Term Encoding of Types). Let K be a finite set of n-ary type constructors.
The term encoding ⟨σ⟩ of a polymorphic type σ over K is a term over the signature ({ϑ}, K′, ∅), where K′ contains a function symbol k : ϑ^n → ϑ for each k ∈ K with k :: n. The encoding is specified by the following equations: ⟨α⟩ = V(α) and ⟨k(σ1, …, σn)⟩ = k(⟨σ1⟩, …, ⟨σn⟩).

Definition 3.7 (Traditional Arguments a). We first define the encoding function ⟨ ⟩_a, which translates polymorphic problems over Σ = (K, F, P) to polymorphic problems over (K ⊎ {ϑ}, F ⊎ K′, P), where ϑ and K′ are as in Definition 3.6. It adds no axioms, and its term and formula translations supply each polymorphic symbol with its encoded type arguments. (Again, we omit the trivial cases, e.g. ⟨∀X : σ. ϕ⟩_a = ∀X : σ. ⟨ϕ⟩_a.) The traditional type arguments encoding a is defined as the composition ⟨ ⟩_a ; e. It follows from the definition that a translates a polymorphic problem over Σ = (K, F, P) into an untyped problem over Σ′ = (F′ ⊎ K′, P′), where the symbols in F′, P′ are the same as those in F, P; and for each symbol s : ∀ᾱ. σ̄ → ς ∈ F ⊎ P, the arity of s in Σ′ is |ᾱ| + |σ̄|. The a encoding coincides with e for monomorphic problems and suffers from the same unsoundness with respect to equality and cardinality constraints. Nonetheless, a will form the basis of all the sound polymorphic encodings in a slightly generalised version, called a_x, for suitable instances of x.

Definition 3.9 (Type Argument Filter). Given a signature Σ = (K, F, P), a type argument filter x maps any s : ∀α1, …, αm. σ̄ → ς to a subset x_s = {i1, …, i_m′} ⊆ {1, …, m} of its type argument indices. Given a list z̄ of length m, x_s(z̄) denotes the sublist z_{i1}, …, z_{i_m′}, where i1 < ⋯ < i_m′. Filters are implicitly extended to {1} for the distinguished symbols t, g ∉ F ⊎ P introduced in Convention 3.1.
Definition 3.10 (Generic Arguments a_x). Given a type argument filter x, we first define the encoding ⟨ ⟩_{a_x} that translates polymorphic problems over Σ = (K, F, P) to polymorphic problems over (K ⊎ {ϑ}, F ⊎ K′, P), where ϑ and K′ are as in Definition 3.6. It adds no axioms, and its term and formula translations supply each polymorphic symbol with the encoded type arguments selected by x. The generic type arguments encoding a_x is the composition ⟨ ⟩_{a_x} ; e. It translates a polymorphic problem over Σ = (K, F, P) into an untyped problem over Σ′ = (F′ ⊎ K′, P′), where the symbols in F′, P′ are the same as those in F, P; and for each symbol s : ∀ᾱ. σ̄ → ς ∈ F ⊎ P, the arity of s in Σ′ is |x_s| + |σ̄|.
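Concretely, the type-argument stage can be sketched as follows (a hedged illustration: the representation of types and terms, the dict-based filter, and the `A_` prefix standing in for the map V of Convention 3.2 are all our own assumptions). Types become terms, and each application receives the encoded type arguments selected by its filter entry:

```python
def encode_type(sigma):
    """A type variable (a str) becomes the term variable V(alpha);
    k(s1, ..., sn) becomes the function application k(<s1>, ..., <sn>)."""
    if isinstance(sigma, str):
        return ("var", "A_" + sigma)                 # V(alpha)
    k, *args = sigma
    return ("app", k, [encode_type(a) for a in args])

def add_type_args(t, x):
    """Prepend the x-selected encoded type arguments to each application.
    Terms are ("var", X) or ("app", f, type_args, args)."""
    if t[0] == "var":
        return t
    _, f, tyargs, args = t
    selected = x.get(f, range(len(tyargs)))          # default: keep all (encoding a)
    encoded = [encode_type(tyargs[i]) for i in sorted(selected)]
    return ("app", f, encoded + [add_type_args(a, x) for a in args])

# cons instantiated at alpha, applied to X and Xs, with the full filter:
cons = ("app", "cons", ["alpha"], [("var", "X"), ("var", "Xs")])
print(add_type_args(cons, {}))
# ('app', 'cons', [('var', 'A_alpha'), ('var', 'X'), ('var', 'Xs')])
```

With an empty filter entry for cons (`{"cons": []}`), the type argument is dropped, recovering the e-style treatment of that symbol.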
The e and a encodings correspond to the special cases of a_x where x returns none or all of the type arguments, respectively. The a_x encoding is complete for any filter x.

Proof. Recall that a_x is defined as the composition of ⟨ ⟩_{a_x} and e. Since e is complete by Theorem 3.5, it suffices to show that ⟨ ⟩_{a_x} is complete. Let M′ be a model of ⟨Φ⟩_{a_x}. We will construct a structure M = (D, (k^M)_{k∈K}, (f^M)_{f∈F}, (p^M)_{p∈P}) for the signature of Φ by taking the same domains as M′, interpreting the type constructors other than ϑ in the same way, and interpreting the function and predicate symbols s as in M′, but supplying, for the extra arguments, a suitable tuple from ϑ^{M′} that reflects the type arguments.
To this end, we first apply Lemma 2.12 to obtain that every element of D′ is uniquely represented as τ^{M′} with τ ∈ GType_{Σ′}. We define s^M by supplying, for the extra arguments, the tuple ⟨x_s(τ̄)⟩^{M′}, where n is the length of x_s(τ̄). Note how the tuple ⟨x_s(τ̄)⟩^{M′} reflects the x_s-selection from the type arguments τ̄.
The next facts follow by structural induction on t and ϕ (for arbitrary θ and ξ): the interpretation of a term in M coincides with the interpretation of its translation in M′, and the interpretation of a formula's translation in M′ implies the interpretation of the formula in M. (The reason why for formula interpretation we have only implication and not equality is the ∀α case: when encoding a universally quantified formula ∀α. ϕ, the result ∀α. ∀V(α) : ϑ. ⟨ϕ⟩_{a_x} introduces quantification over two variables, α and V(α), whose interpretations need not be synchronised. As a result, ∀α. ∀V(α) : ϑ. ⟨ϕ⟩_{a_x} could be stronger than ∀α. ϕ.) In particular, M is a model of Φ.

3.3. Type Tags. An intuitive approach to encode type information soundly (and completely) is to wrap each term and subterm with its type using type tags. For polymorphic type systems, this scheme relies on a distinguished binary function t(⟨σ⟩, t) that "annotates" each term t with its type σ encoded as a term ⟨σ⟩. The tags make most type arguments superfluous. We call this scheme t, after the tag function of the same name. It is defined as a two-stage process: the first stage adds tags t^σ(t) while preserving the polymorphism; the second stage encodes t's type argument as well as any phantom type arguments.
The traditional type tags encoding t is the composition ⟨ ⟩_t ; a_phn ; e. It translates a polymorphic problem over Σ into an untyped problem over Σ′ = (F′ ⊎ K′ ⊎ {t²}, P′), where K′, F′, P′ are as for a_phn (i.e. a_x with x = phn).
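The first, tag-adding stage can be sketched as follows (a toy AST in which every subterm carries its type; the representation and names are our own assumptions). Every subterm of type σ is wrapped as t(⟨σ⟩, ·):

```python
def encode_type(sigma):
    """Type-as-term encoding: type variables become term variables."""
    if isinstance(sigma, str):
        return ("var", "A_" + sigma)
    k, *args = sigma
    return ("app", k, [encode_type(a) for a in args])

def add_tags(t):
    """Wrap the term and all its subterms with the tag function t."""
    if t[0] == "var":                      # ("var", X, sigma)
        _, name, sigma = t
        core = ("var", name)
    else:                                  # ("app", f, sigma, args)
        _, f, sigma, args = t
        core = ("app", f, [add_tags(a) for a in args])
    return ("app", "t", [encode_type(sigma), core])

# cons applied to X : alpha and Xs : list(alpha) yields
# t(list(A), cons(t(A, X), t(list(A), Xs))), as in the cons example later on.
term = ("app", "cons", ("list", "alpha"),
        [("var", "X", "alpha"), ("var", "Xs", ("list", "alpha"))])
tagged = add_tags(term)
print(tagged[1], tagged[2][0])   # t ('app', 'list', [('var', 'A_alpha')])
```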
Since there are no phantoms in this example, a_phn adds no extra arguments. All type information is carried by the t function's first argument.
The α variable in linorder's arity declaration is a phantom. The t encoding preserves it as an explicit term argument, as in t(A, X). As the formula suggests, phantom type arguments can be used to encode predicates on types, mimicking type classes [35].
We postpone the proof of the following theorem to Section 4.2, in the context of our improved encodings: Theorem 3.16 (Correctness of t). The traditional type tags encoding t is correct.
3.4. Type Guards. Type tags heavily burden the terms. An alternative is to introduce type guards, which are predicates that restrict the range of variables. They take the form of a distinguished predicate g(⟨σ⟩, t) that checks whether t has type σ. The terms are smaller than with tags, but the formulae contain more disjuncts.
With the type tags encoding, only phantom type arguments need to be encoded; here, we must encode any type arguments that cannot be read off the types of the term arguments. Thus, the type argument is encoded for nil_α (which has no term arguments) but omitted for cons_α(X, Xs), hd_α(Xs), and tl_α(Xs).
Given s : ∀α1, …, αm. σ1 × ⋯ × σn → ς, the type argument αj is inferable if it occurs in some of the term arguments' types, i.e. if there exists an index i such that αj occurs in σi. Given a list z̄ ≡ z1, …, zm, let inf_s(z̄) denote the sublist z_{i1}, …, z_{i_m′} corresponding to the positions in ᾱ of the inferable type arguments, and let ninf_s(z̄) denote the sublist for noninferable type arguments.
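The inferable/noninferable split is a simple occurs check on the term arguments' types. A sketch (our own illustration, with types as strings for variables or tuples for constructor applications):

```python
def type_vars(sigma):
    """Type variables occurring in a type (a str is a type variable)."""
    if isinstance(sigma, str):
        return {sigma}
    _k, *args = sigma
    out = set()
    for a in args:
        out |= type_vars(a)
    return out

def split_type_args(alphas, arg_types):
    """Partition the type argument indices of s into inferable ones
    (occurring in some term argument's type) and noninferable ones."""
    occurring = set()
    for s in arg_types:
        occurring |= type_vars(s)
    inf = [j for j, a in enumerate(alphas) if a in occurring]
    ninf = [j for j, a in enumerate(alphas) if a not in occurring]
    return inf, ninf

# nil has no term arguments, so its alpha is noninferable;
# cons can infer alpha from either of its two term arguments.
print(split_type_args(["alpha"], []))                            # ([], [0])
print(split_type_args(["alpha"], ["alpha", ("list", "alpha")]))  # ([0], [])
```

This matches the discussion above: the type argument must be encoded for nil but can be omitted for cons, hd, and tl.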
Observe that a phantom type argument is in particular noninferable, and a noninferable nonphantom type argument is one that appears in ς but not in σ̄.

Definition 3.18 (Traditional Guards g). We first define the encoding ⟨ ⟩_g, which translates a polymorphic problem over Σ = (K, F, P) into a polymorphic problem over (K, F, P ⊎ {g : ∀α. α → o}). Its formula translation guards each quantified variable with the g predicate. The encoding also adds typing axioms of the form ∀ᾱ. ∀X̄ : σ̄. g(⟨σ1⟩, X1) ∧ ⋯ ∧ g(⟨σn⟩, Xn) → g(⟨ς⟩, f(X̄)), one for each function symbol f : ∀ᾱ. σ1 × ⋯ × σn → ς, together with a final axiom asserting that every type is inhabited.
(Following Convention 2.14, the translation ⟨Φ⟩_g of a problem Φ is given by Ax ∪ {⟨ϕ⟩_g | ϕ ∈ Φ}, where Ax are the typing axioms.) The traditional type guards encoding g is defined as the composition ⟨ ⟩_g ; a_ninf ; e. It translates a polymorphic problem over Σ into an untyped problem. The last typing axiom in the above definition witnesses inhabitation of every type. It is necessary for completeness, in case some of the types do not appear in the result type of any function symbol.
Example 3.19. The g encoding translates the algebraic list problem of Example 2.10 into guarded untyped formulae. In this and later examples, we push guards inside past quantifiers and group them in a conjunction to enhance readability.
The typing axioms must in general be guarded. Without the guards, any cons, hd, or tl term could be typed with any type, defeating the purpose of the guard predicates.
Example 3.20. Consider the following formula, where inl : ∀α, β. α → sum(α, β) and inr : ∀α, β. β → sum(α, β). The β variable in inl's arity declaration and the α in inr's are noninferable. The g encoding preserves them as explicit term arguments.

Theorem 3.21 (Correctness of g). The traditional type guards encoding g is correct.
Proof. This will be a consequence of Theorem 4.7 for our parameterised cover-based encoding g@, since g is a particular case of g@.
Remark 3.22. The above encodings, as well as those discussed in the next sections, all lead to an untyped problem. An increasing number of automatic provers support monomorphic types, and it may seem desirable to exploit such support when it is available. With such provers, we can replace the e encoding with a variant that enforces a basic type discipline by distinguishing two types, ϑ (for encoded types) and ι (for encoded terms). An incomplete (non-proof-preserving) alternative is to perform heuristic monomorphisation (Section 5.6). Hybrid schemes that exploit monomorphic types, including interpreted types, are also possible and have been studied by other researchers (Section 9).

Cover-Based Encodings of Polymorphism
Type tags and guards considerably increase the size of the problems passed to the automatic provers, with a dramatic impact on their performance. A lot of the type information generated by the traditional encodings t and g is redundant. For example, t translates cons_α(X, Xs) to t(list(A), cons(t(A, X), t(list(A), Xs))), but intuitively only one of the three tags is necessary to specify the right type for the expression if we know the arity of cons. The cover-based encodings capitalise on this by supplying only a minimum of protectors and adding typing axioms that effectively compute the type of function symbols from a selection of their term arguments' types, the "cover". Let us first rigorously define this notion of term arguments "covering" type arguments.
A cover C ⊆ {1, …, |σ̄|} for s : ∀ᾱ. σ1 × ⋯ × σn → ς is a set of term argument indices such that any inferable type argument can be inferred from a term argument whose index belongs to C, i.e. for all j, if αj appears in σ̄, it also appears in some σi with i ∈ C. We let Cover_s denote an arbitrary but fixed cover for s.
In practice, we would normally take a minimal cover for Cover_s to reduce clutter. Accordingly, {1} and {2} are minimal covers for cons : ∀α. α × list(α) → list(α), whereas {1, 2} is a maximal cover. The cover-based encoding g@ introduced below is a generalisation of the traditional encoding g. The two encodings coincide if Cover_s is chosen to be maximal for all symbols s. In contrast, the cover-based encoding t@ is not exactly a generalisation of t, although they share many ideas. For this reason, we momentarily depart from our general policy of considering tags before guards so that we can present the easier case first.
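A small cover can be computed greedily. The following heuristic sketch is our own illustration (0-based indices; a greedy choice is not guaranteed to be of minimum size in general, but any result is a valid cover):

```python
def type_vars(sigma):
    """Type variables occurring in a type (a str is a type variable)."""
    if isinstance(sigma, str):
        return {sigma}
    _k, *args = sigma
    out = set()
    for a in args:
        out |= type_vars(a)
    return out

def greedy_cover(arg_types):
    """Pick term argument indices until every inferable type variable
    occurs in the type of some chosen argument."""
    need = set()
    for s in arg_types:
        need |= type_vars(s)          # exactly the inferable variables
    chosen = []
    for i, s in enumerate(arg_types):
        if need & type_vars(s):       # this argument covers something new
            chosen.append(i)
            need -= type_vars(s)
        if not need:
            break
    return chosen

# cons : forall alpha. alpha x list(alpha) -> list(alpha):
# the first argument alone already covers alpha.
print(greedy_cover(["alpha", ("list", "alpha")]))   # [0]
```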
Intuitively, g@ and t@ ensure that each term argument position that is part of its enclosing function or predicate symbol's cover has a unique type associated with it, from which the omitted type arguments can be inferred. Thus, t@ translates cons_α(X, Xs) to cons(t(A, X), Xs) with a type tag around X, effectively protecting the term from an ill-typed instantiation of X that would result in the wrong type argument being inferred for cons.
There is no need to protect the second argument, Xs, since it is not part of the cover. We call variables that occur in their enclosing symbol's cover (and hence that "carry" some type arguments) "undercover variables". It may seem dangerous to allow ill-typed terms to instantiate Xs, but this is not an issue because such terms cannot contribute meaningfully to a proof. At most, they can act as witnesses for the existence of terms of given types, but even in that capacity they are not necessary.
where ⌊t̄⌋_s = {t_j | j ∈ Cover_s} ∩ V^typed and UV(t̄) = ⋃_j UV(t_j).

4.1. Cover-Based Type Guards. The cover-based encoding g@ is similar to the traditional encoding g, except that it guards only undercover occurrences of variables.
Definition 4.4 (Cover Guards g@). The encoding ⟨ ⟩_{g@} is defined similarly to the encoding ⟨ ⟩_g (used for the traditional g encoding) except for the ∀ case in its formula translation and the typing axioms. Namely, the ∀ case adds guards only for universally quantified variables that are undercover. Moreover, the typing axioms take the cover into consideration: for each f : ∀ᾱ. σ1 × ⋯ × σn → ς, the axiom ∀ᾱ. ∀X̄ : σ̄. ⋀_{j∈Cover_f} g(⟨σj⟩, Xj) → g(⟨ς⟩, f(X̄)) guards only the term arguments in the cover.
The cover-based type guards encoding g@ is defined as the composition ⟨ ⟩_{g@} ; a_ninf ; e, translating a polymorphic problem Φ over Σ into an untyped problem ⟨Φ⟩_{g@; a_ninf; e}.

Example 4.5. If we choose the cover for cons as in Convention 4.2, the g@ encoding of the algebraic list problem is identical to the g encoding (Example 3.19), except that the guard g(list(A), Xs) is omitted in the typing axiom and in one of the problem axioms:

∀A, X, Xs. g(A, X) → g(list(A), cons(X, Xs))
∀A, X, Xs. g(A, X) → nil(A) ≉ cons(X, Xs)

By leaving Xs unconstrained, the typing axiom for cons gives a type to some "ill-typed" terms, such as cons(0^nat, 0^nat). Intuitively, this is safe because such terms cannot be used to prove anything useful that could not be proved with a "well-typed" term. What matters is that "well-typed" terms are associated with their correct type and that "ill-typed" terms are given at most one type.
Theorem 4.7 (Correctness of g@). The cover-based type guards encoding g@ is correct.
Proof. Sound: Let M = (D, (f^M)_{f∈F}, (p^M)_{p∈P}) be a model of Φ. By Lemma 2.12, we may assume that D is disjoint from each of its elements, that its elements are mutually disjoint, and that the type constructors k^M satisfy distinctness and injectivity.
We define a structure M′ for the target untyped signature as follows. The domain D′ is the union of the domains of M and of their elements, g^M′ is the set membership relation, and the symbols of M′ common to those of M emulate the M interpretation as closely as possible: k^M′ acts like k^M on the D subset of D′, and similarly for function and predicate symbols s, whose noninferable type arguments in M become regular (term) arguments in M′. The reason why we can omit the inferable type arguments of s is that they are recoverable from the type of s and from the domains of the genuine term arguments. Additionally, when applying s^M′ to inputs outside s's cover that do not belong to their proper domains in M, we correct these inputs by replacing them with arbitrary inputs from the proper domains. We do this because, in formulae, these inputs will not be guarded by the encoding, but we will nevertheless want to infer that the encoded formula holds in M′ from the fact that the original formula holds in M.
if the domain condition fails and s ∈ F, respectively if the domain condition fails and s ∈ P. We will show that M′ is a model of Φ g@; a ninf; e. Let ξ′ : V → D′ be a valuation that respects types, in the sense that ξ′(V(α)) ∈ D for all α ∈ A. We define θ and ξ from ξ′. Facts (1)-(3) below follow by induction on σ, t, or ϕ (for arbitrary ξ′), and (1′) is a consequence of (1) and the definition of g^M′. Let us detail a few interesting cases in these proofs.
Inductive case for (2): If t_i ∈ V_typed, then the induction hypothesis applies to it, and we have two cases. If i ∈ Cover_f, the argument is passed through unchanged. Otherwise, by the assumptions i ∉ Cover_f, and hence the definition of f^M′ effectively replaces the argument ξ′(X) by ε(σ^M_θ), which also equals ξ(X)(σ). The above establishes the claim for t g@; a ninf; e.
Case for (3), in the subcase where one of the terms is a variable and the other is not: assume ϕ has this form.
Universal quantifier case for (3): Assume X ∈ UV(ϕ). Then we assume g(σ^M_θ, ξ′(X)); with (A), this implies ϕ^M_{θ,ξ1}, and hence the desired fact follows from the induction hypothesis.
Otherwise, if ξ′(X) ∈ σ^M_θ, then the argument goes the same as above; with (A), this implies ϕ^M_{θ,ξ1}, and hence the desired fact follows from the induction hypothesis.
From (1′) and the definition of f^M′, it follows that M′ satisfies the necessary axioms, namely, ϕ a ninf; e for each typing axiom ϕ. It remains to show that M′ satisfies ϕ g@; a ninf; e for each ϕ ∈ Φ. So let ϕ ∈ Φ; then M satisfies ϕ. We pick any ξ′ that respects types and has the property that ξ′(X) ∈ σ^M_θ for all X^σ ∈ UV(ϕ); by (3) and the fact that ϕ and ϕ g@; a ninf; e are sentences, it follows from ϕ^M_{ξ,θ} that M′ satisfies ϕ g@; a ninf; e.
Complete: This part is easy. By Theorem 3.11, it suffices to show that g@ is complete.
We define a structure M = (D, (f^M)_{f∈F}, (p^M)_{p∈P}) by restricting the domains according to the guards and restricting the operations correspondingly. Thanks to the typing axioms, each D′ is nonempty. Since the domains are disjoint, each D′ determines its D uniquely; together with the typing axioms, this also ensures that each operation is well defined. The key fact, where U is first a term and then a formula, follows by induction on U (for arbitrary θ and ξ). From this, we obtain that M is a model of Φ g@ by the usual route.

4.2. Cover-Based Type Tags. The cover-based encoding t@ is similar to the traditional encoding t, except that it tags only undercover occurrences of variables and requires typing axioms to add or remove tags around function terms.
Definition 4.8 (Cover Tags t@). The encoding t@ translates polymorphic problems over Σ. Its term and formula translations are the following: The auxiliary function ⌊(t_1^{σ1}, ..., t_n^{σn})⌋_s returns a vector (u_1, ..., u_n) such that: The encoding adds the following typing axioms: The cover-based type tags encoding t@ is the composition t@; a ninf; e. It translates a polymorphic problem over Σ into an untyped problem over the corresponding untyped signature.
Example 4.9. The t@ encoding of Example 2.10 is as follows (again choosing the cover for cons as in Convention 4.2):
Theorem 4.10 (Correctness of t@). The cover-based type tags encoding t@ is correct.
Proof. Let Σ = (K , F , P ) be the signature of a polymorphic problem Φ.
By Lemma 2.12, we may assume that D is disjoint from each of its elements, that its elements are mutually disjoint, and that the type constructors k^M satisfy distinctness and injectivity. We construct a structure M′ intended to be a model of Φ t@; a ninf; e. The construction of M′ proceeds very similarly to the case of guards in the proof of Theorem 4.7: D′, k^M′ for k ∈ K′, and s^M′ for s ∈ F′ ⊎ P′ are all defined in the same way as in that proof. It remains to define t^M′: To show that M′ is a model of Φ t@; a ninf; e, we proceed almost identically to the proof of Theorem 4.7. Starting from a valuation ξ′ : V → D′ that respects types, we define ξ and θ in the same way and state facts (1)-(3) as for guards, but adding a condition about the "well-typedness" of the interpretation of existential variables, since only universal variables (i.e. variables in V^∀_typed) are tagged by t@. Moreover, (1′) from the proof of Theorem 4.7 is replaced with two facts (1′) and (1′′). Facts (1)-(3) follow by induction on the involved type, term, or formula; (1′) and (1′′) follow from (1) and the definition of t^M′ (and are in turn used to establish (2) and (3)). The fact that M′ satisfies ϕ t@; a ninf; e for each ϕ ∈ Φ follows in the same way as in Theorem 4.7. It remains to show that M′ satisfies the necessary axioms, namely, the a ninf; e translations of the t@ typing axioms; this follows from (1′) and the definition of f^M′.
Complete: This part is again similar to the corresponding one for guards. By Theorem 3.11, it suffices to show that t@ is complete.
Unlike in the case of guards, the traditional type tag encoding t is not a particular case of the cover-based encoding t@, since only t@ introduces typing axioms, and t further restricts the type arguments to phantom arguments. Nevertheless, we can give a somewhat similar argument for t's correctness. Although the encoding is well known, we are not aware of any soundness proof in the literature.

Proof of Theorem 3.16 (Correctness of t).
Sound: Let M be as in the proof of Theorem 4.10. We define M′ similarly to there, but with the following difference: D′ contains not only the domains in D and their elements, but also a set P of "polymorphic values", i.e. functions that take a domain D ∈ D and return an element of D. The reason for the polymorphic values is that, owing to the switch from noninferable arguments to phantom arguments, the result domain of f^M′ with f : ∀ᾱ. σ̄ → σ in F will no longer be completely inferable from the arguments, but will miss precisely the nonphantom noninferable arguments, which correspond to type variables belonging to the result type σ but not to the argument types σ̄. Consequently, the results of applying f^M′ to "well-typed" arguments will be polymorphic values that wait for the result domain D and, if it has the form σ^M_θ for an appropriate θ, return the result from σ^M_θ according to the interpretation of f in M. The interpretation of the tag applied to a polymorphic value then selects the desired element by providing the domain. The reason why this approach works with t but not with t@ is that in t tags are applied everywhere, thus immediately resolving any polymorphic value emerging from an application of f^M′. Here, the polymorphic value π_{D,d,ē} ∈ P is defined as follows: To show that M′ is a model of Φ t; a phn; e, we proceed almost identically to the proof of Theorem 4.10. Starting from a valuation ξ′ : V → D′ that respects types (as in the proofs of Theorems 4.7 and 4.10), we define θ and ξ. Facts (1)-(3) below follow by induction on σ, t, or ϕ (for arbitrary ξ′): It follows by the usual route that M′ is a model of each ϕ t; a phn; e with ϕ ∈ Φ, hence of Φ t; a phn; e.
Complete: By Theorem 3.11, it suffices to show that t is complete. Notice that T_D adds no tags around an existing tag: when interpreted in M within f(X^σ), f should add a tag around X^σ, as well as one around f(X^σ); however, when interpreted in M within f(g(X^σ)), f should not add a tag around g(X^σ), since g already adds one. We define the components of M as follows:
The next facts follow by induction on σ, t, or ϕ (for arbitrary θ and ξ′); from them, ϕ^M also holds, as desired.

4.3. Polymorphic Löwenheim-Skolem. The previous completeness results can be used to prove Löwenheim-Skolem-like properties for polymorphic first-order logic by appealing to the more manageable (and better known) monomorphic first-order logic.
Proof. Assume Φ has a model, and recall that, by definition, the polymorphic signatures we consider are countable. By the soundness of g@ (Theorem 4.7), Φ g@ also has a model, and its signature is countable; hence, by the classical Löwenheim-Skolem theorem [19], Φ g@ has a countable model M′. It follows from the proof of completeness of g@ that Φ has a model M = (D, _, _, _) constructed from M′ in such a way that each D ∈ D is countable; hence M satisfies (1). Now, (2)-(6) follow by applying the same reasoning as in Lemma 2.12 and noticing that none of the structure modifications there alters the countability of the domains D ∈ D.

Monotonicity-Based Type Encodings – The Monomorphic Case
The cover-based encodings of Section 4 removed some of the clutter associated with type arguments, which are in general necessary to encode polymorphism soundly. Another family of encodings focuses on the quantifiers and exploits monotonicity: for types that are inferred monotonic, the translation can omit the type information on term variables. Informally, a type is monotonic in a problem when, for any model of that problem, we can increase the size of the domain that interprets the type while preserving satisfiability. This section focuses on the monomorphic case, where the input problem contains no type variables or polymorphic symbols. This case is interesting in its own right and serves as a stepping stone towards polymorphic monotonicity-based encodings (Section 6).
Before we start, we need to define variants of the traditional e, t, and g encodings that operate on monomorphic problems. Since the monomorphic e is essentially identical to the polymorphic e restricted to monomorphic signatures, we use the same notation for both. The monomorphic encodings t and g coincide with their polymorphic counterparts except that the polymorphic function t(σ, t) and predicate g(σ, t) are replaced by type-indexed families of unary functions t_σ(t) and predicates g_σ(t), as is customary in the literature.
Claessen et al.'s notion, which we call finite monotonicity, is designed to ensure that it is possible to produce a model having all types interpreted by countably infinite sets, and finally a model having all types interpreted as the same set, so that type information can be soundly erased. In this article, we take the infinite-interpretation property directly as the definition of monotonicity and extend the notion to sets of types.
Full type erasure is sound for monotonic monomorphic problems. The intuition is that a model of such a problem can be extended into a model where all types are interpreted as sets of the same cardinality, which can be merged to yield an untyped model.
Example 5.2. The monkey village of Example 1.1 is monotonic because any model with finitely many bananas can be extended to a model with infinitely many, and any model with infinitely many bananas and finitely many monkeys can be extended to one where monkeys and bananas have the same infinite cardinality (cf. Example 3.4). However, the type of monkeys is not monotonic on its own, as we argued intuitively in Example 1.1, nor is it finitely monotonic.
Proof. Let Φ be such a problem, let Σ = (Type, F, P) be its signature, and let Σ′ = (F′, P′) be the target signature of e. If Φ is satisfiable, it has a model where all domains are infinite, by definition of monotonicity.
Since Σ is countable, by the downward Löwenheim-Skolem theorem [19], Φ also has a model where all domains are countably infinite, hence also a model where all the domains coincide. The next facts follow by induction on t and ϕ (for arbitrary ξ): It follows by the usual route that M′ is a model of Φ e.
Remark 5.4. An alternative to invoking the Löwenheim-Skolem theorem would have been to require countable infinity in the definition of monotonicity. Although it makes no difference in this article, the more general definition would also apply in the presence of uncountable interpreted types (e.g. for the real numbers). The proof of Theorem 5.3 can be adapted to go beyond countable infinity if desired.
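Operationally, full type erasure is the simplest of the encodings. The following is a minimal sketch on an assumed formula representation in which quantifiers carry a sort annotation, which e drops (the monomorphic symbols themselves are carried over unchanged):

```python
def erase(phi):
    """Full type erasure ⟨e⟩ on the toy syntax: drop the sort annotations
    on quantifiers, leaving the term structure untouched."""
    kind = phi[0]
    if kind in ("forall", "exists"):
        _, var, _sort, body = phi   # the sort annotation is discarded
        return (kind, var, erase(body))
    if kind in ("and", "or", "implies", "not"):
        return (kind,) + tuple(erase(p) for p in phi[1:])
    return phi  # atoms (equalities, predicates) are kept as they are

phi = ("forall", "X", "banana", ("eq", ("var", "X"), ("var", "X")))
assert erase(phi) == ("forall", "X", ("eq", ("var", "X"), ("var", "X")))
```

As the theorem shows, this erasure is only sound when the problem is monotonic; applied blindly, it can turn a satisfiable problem into an unsatisfiable one or vice versa.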
It is often convenient to determine the monotonicity of single types separately, viewed as singleton sets. This is enough to make the set of all types, i.e. the problem, monotonic: Lemma 5.5 (Global Monotonicity from Separate Monotonicity). If σ is monotonic in Φ for each type σ, then Φ is monotonic.
Proof. Let Σ = (Type, F, P) be the signature of Φ, and assume Φ is satisfiable. Let σ_1, σ_2, ... be an enumeration of Type, and let ϕ_k be a formula stating that, for each i ∈ {1, ..., k}, σ_i's domain has at least k elements. Finally, let Φ′ = {ϕ_k | k ∈ N}. By the monotonicity of the individual types, it follows by induction on k that each Φ ∪ {ϕ_1, ..., ϕ_k} is satisfiable, and hence that each finite subset of Φ ∪ Φ′ is satisfiable. By the compactness theorem [19], it follows that Φ ∪ Φ′ is itself satisfiable, and hence Φ has a model with only infinite domains.

5.2. Monotonicity Inference. Claessen et al. introduced a simple calculus to infer finite monotonicity for monomorphic first-order logic [16, §2.3]. The definition below generalises it from clause normal form to negation normal form. The generalisation is straightforward; we present it because we later adapt it to polymorphism. The calculus is based on the observation that a type σ must be monotonic if the problem expressed in NNF contains no positive literal of the form X^σ ≈ t or t ≈ X^σ, where X is universal. We call such an occurrence of X a naked occurrence. Naked variables are unavoidable when expressing upper bounds on the cardinality of types in first-order logic.
Definition 5.6 (Naked Variable). The set of naked variables NV(ϕ) of a formula ϕ is defined as follows: We see from the ∃ case that existential variables never occur naked in sentences.
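The equations of Definition 5.6 amount to a single recursive traversal of the NNF formula. The sketch below uses a hypothetical representation (sorts elided for brevity; `("eq", s, t)` is a positive equality, `("neq", s, t)` a disequality):

```python
def naked_vars(phi):
    """NV(ϕ): universal variables occurring on either side of a positive
    equality.  Disequalities and atoms contribute nothing; ∃ removes its
    own variable, so existential variables are never naked in sentences."""
    kind = phi[0]
    if kind == "eq":
        _, s, t = phi
        return ({s[1]} if s[0] == "var" else set()) | \
               ({t[1]} if t[0] == "var" else set())
    if kind == "neq":
        return set()
    if kind in ("and", "or"):
        return naked_vars(phi[1]) | naked_vars(phi[2])
    if kind == "forall":
        return naked_vars(phi[2])
    if kind == "exists":
        return naked_vars(phi[2]) - {phi[1]}
    return set()  # predicates and other atoms

# hd(cons(X, Xs)) ≈ X from Example 2.13: X is naked, Xs is not.
phi = ("forall", "X", ("forall", "Xs",
       ("eq", ("fun", "hd", [("fun", "cons", [("var", "X"), ("var", "Xs")])]),
        ("var", "X"))))
assert naked_vars(phi) == {"X"}
```

This is only a sketch of the definition; the article's NV additionally tracks the types of the variables, which the monotonicity calculus then consults.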
Variables of types other than σ are irrelevant when inferring whether σ is monotonic; a variable is problematic only if it occurs naked and has type σ. Annoyingly, a single naked variable of type σ, such as X on the right-hand side of the equation hd b (cons b (X, Xs)) ≈ X from Example 2.13, will cause us to classify σ as possibly nonmonotonic. We regain some precision by extending the calculus with an infinity analysis, as suggested by Claessen et al.: trivially, all types with no finite models are monotonic.
Convention 5.7. Abstracting over the specific analysis used to detect infinite types (e.g. Infinox [15]), we fix a set Inf(Φ) of types whose interpretations are guaranteed to be infinite in all models of Φ. More precisely, the following property is assumed to hold: if τ ∈ Inf(Φ) and M = ((D_σ)_{σ∈Type}, _, _) is a model of Φ, then D_τ is infinite.
The monotonicity calculus consists of the following rules: Claessen et al. designed a second, more powerful calculus that extends their first calculus to detect predicates that act as guards for naked variables. Whilst that calculus proved successful on a subset of the TPTP benchmarks [30], we assessed its suitability on about 1000 problems generated by Sledgehammer and found no improvement over the simple calculus. For this reason, we restrict our attention to the first calculus.
Theorem 5.9 (Soundness of ⊲). If τ ⊲ Φ, then τ is monotonic in Φ.
Proof. The interesting case is τ ∉ Inf(Φ), which means that the second rule of the calculus must have been applied and no variables of type τ occur naked, i.e. NV(Φ) ∩ {X^τ | X ∈ V} = ∅. We define D′_τ by extending D_τ with infinitely many fresh elements e_1, e_2, ..., and define the functions and predicates of M′ to treat these in the same way as ε(D_τ). Intuitively, M′ still satisfies Φ because, since no variables of type τ occur naked, the formulae of Φ cannot tell the difference between a "clone" e_i and the original ε(D_τ), except in the case of disequality; and there the formula instantiated with clones is more likely to be true than the one instantiated with ε(D_τ) (since the clones are mutually disequal and disequal to ε(D_τ)).
Formally, we let E = {e_1, e_2, ...} be an infinite set disjoint from D_τ, and define M′ accordingly. The next facts follow by induction on t or ϕ (for arbitrary ξ′): ((2) is an implication, not an equivalence; an inductive proof of the converse would fail for the case of disequalities.) In particular, thanks to the absence of naked variables of type τ in all ϕ ∈ Φ, M′ is the desired model of Φ.
In the light of the above soundness result, we will allow ourselves to write that σ is monotonic if σ ⊲ Φ and possibly nonmonotonic if σ ⋫ Φ.
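The simple calculus is, in effect, a two-line decision procedure. A hedged sketch (with assumed inputs: the set of naked typed variables of Φ and the set Inf(Φ) of known-infinite types):

```python
def inferred_monotonic(sigma, naked_typed_vars, inf_types):
    """The simple calculus: σ ⊲ Φ iff σ is known to be infinite (first rule)
    or no variable of type σ occurs naked in Φ (second rule)."""
    naked_types = {tau for (_x, tau) in naked_typed_vars}
    return sigma in inf_types or sigma not in naked_types

# Algebraic lists (Example 2.13): X^b is naked because of
# hd_b(cons_b(X, Xs)) ≈ X, and list_b is known to be infinite.
naked = {("X", "b")}
inf_types = {"list_b"}
assert inferred_monotonic("list_b", naked, inf_types)
assert not inferred_monotonic("b", naked, inf_types)
```

As the text notes, the second check is conservative: a single naked variable of type σ anywhere in the problem is enough to classify σ as possibly nonmonotonic.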

5.3. Encoding Nonmonotonic Types. Monotonic types can be soundly erased when translating to untyped first-order logic, by Theorem 5.3. Nonmonotonic types in general cannot. Claessen et al. [16, §3.2] point out that adding sufficiently many protectors to a nonmonotonic problem will make it monotonic, at which point its types can be erased. Thus the following general two-stage procedure translates monomorphic problems to untyped first-order logic:
1. Selectively introduce protectors (tags or guards) without erasing any types:
1.1. Infer monotonicity to identify the possibly nonmonotonic types in the problem.
1.2. Introduce protectors for the universal variables of possibly nonmonotonic types.
1.3. If necessary (depending on the encoding), generate typing axioms for any function symbol whose result type is possibly nonmonotonic, to make it possible to remove protectors for terms with the right type.
2. Erase all the types.

The purpose of stage 1 is to make the problem monotonic while preserving satisfiability. This paves the way for the sound type erasure of stage 2. The following lemmas will help us prove such two-stage encodings correct.
Lemma 5.10 (Correctness Conditions). Let Φ be a monomorphic problem, and let x be a monomorphic encoding. The problems Φ and Φ x; e are equisatisfiable provided that the following conditions hold:
Mono: Φ x is monotonic.
Sound: If Φ is satisfiable, then so is Φ x.
Complete: If Φ x is satisfiable, then so is Φ.

5.4. Monotonicity-Based Type Tags. The monotonicity-based encoding t? specialises the above procedure for tags. It is similar to the traditional monomorphic encoding t, except that it omits the tags for types that are inferred monotonic. By wrapping all naked variables (in fact, all terms) of possibly nonmonotonic types in a function term, stage 1 yields a monotonic problem.
Definition 5.11 (Lightweight Tags t?). The encoding t? translates monomorphic problems over Σ = (Type, F, P) to monomorphic problems over (Type, F ⊎ {t_σ : σ → σ | σ ∈ Type}, P). It adds no axioms, and its term and formula translations are defined as follows: The monomorphic lightweight type tags encoding t? is the composition t?; e. It translates a monomorphic problem over Σ into an untyped problem over Σ′ = (F′ ⊎ {t¹_σ | σ ∈ Type}, P′), where F′ and P′ are as for e.
Example 5.12. For the algebraic list problem of Example 2.13, the type list_b is monotonic by virtue of being infinite, whereas b cannot be inferred monotonic. The t? encoding of the problem is as follows:
The t? encoding treats all variables of the same type uniformly. Hundreds of axioms can suffer because of one unhappy formula that uses a type nonmonotonically (or in a way that cannot be inferred monotonic). To address this, we introduce an even lighter encoding: if a universal variable does not occur naked in a formula, its tag can safely be omitted. This new encoding, called t??, protects only naked variables and introduces equations t_σ(f(X̄)) ≈ f(X̄) to add or remove tags around each function symbol f whose result type σ is possibly nonmonotonic, and similarly for existential variables.
Definition 5.13 (Featherweight Tags t??). The encoding t?? translates monomorphic problems over Σ = (Type, F, P) to monomorphic problems over (Type, F ⊎ {t_σ : σ → σ | σ ∈ Type}, P). Its term and formula translations are defined as follows: The encoding adds the following typing axioms: The monomorphic featherweight type tags encoding t?? is the composition t??; e. The target signature for t?? is the same as for t?.
The axioms are necessary for the completeness of t??. They would have been harmless for t?: for soundness, we can think of the t σ functions as identities. The side condition of the last axiom is a minor optimisation: it avoids asserting that σ is inhabited if the symbols in F already witness σ's inhabitation.
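The term translation of t? reduces to a single test per term occurrence. A sketch on the toy representation used earlier (the set of possibly nonmonotonic types is the calculus output from Section 5.2; the tag symbol names are an assumed convention):

```python
def tag_t_q(term, term_type, nonmono):
    """t?: wrap a term of a possibly nonmonotonic type σ in t_σ(·);
    terms of types inferred monotonic are left untouched."""
    if term_type in nonmono:
        return ("fun", "t_" + term_type, [term])
    return term

# With b possibly nonmonotonic and list_b monotonic (Example 5.12):
assert tag_t_q(("var", "X"), "b", {"b"}) == ("fun", "t_b", [("var", "X")])
assert tag_t_q(("var", "Xs"), "list_b", {"b"}) == ("var", "Xs")
```

For t??, the test would additionally require the variable to occur naked in the formula at hand, with the typing equations t_σ(f(X̄)) ≈ f(X̄) compensating for the omitted tags.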
Example 5.14. The t?? encoding of Example 2.13 requires fewer tags than t?, at the cost of a typing axiom for hd and typing equations for the existential variables of type b:
Theorem 5.15 (Correctness of t?, t??). The monomorphic type tags encodings t? and t?? are correct.
Proof. It suffices to show the three conditions of Lemma 5.10.
Sound: This is immediate for both t? and t??: given a model of Φ, we extend it to a model of the encoded Φ by interpreting all type tags as the identity.
Complete for t? : The proof is analogous to the corresponding case for t (Theorem 3.16), the differences being that here we do not face the complication of interpreting polymorphic types, and only terms of certain types are tagged.
Complete for t??: We interpret the tag functions t^M′_σ so as to apply t^M′_σ only if the element is not already in its image: The next facts follow by induction on t or ϕ (for arbitrary ξ′): We define a model M of Φ as follows, where the typing axioms ensure that each D_σ is nonempty and each s^M is well defined: The next facts follow by induction on t or ϕ (for arbitrary ξ : V → ⋃_{σ∈Type} D_σ): Then, by the usual route, it follows that M is a model of Φ.

5.5. Monotonicity-Based Type Guards. The g? and g?? encodings are defined analogously to t? and t?? but using type guards. The g? encoding omits the guards for types that are inferred monotonic, whereas g?? additionally omits the guards that are not needed to make the intermediate problem monotonic.
Definition 5.16 (Lightweight Guards g?). The encoding g? translates monomorphic problems over Σ = (Type, F, P) to monomorphic problems over (Type, F, P ⊎ {g_σ : σ → o | σ ∈ Type}). Its term and formula translations are defined as follows: The encoding adds the following typing axioms: for each σ ⋫ Φ that is not the result type of a symbol in F. The monomorphic lightweight type guards encoding g? is the composition g?; e. It translates a monomorphic problem over Σ into an untyped problem over the corresponding untyped signature.
Example 5.17. The g? encoding of Example 2.13 is as follows: Notice that the tl_b equation is needlessly in the scope of the guard. The encoding is more precise if the problem is clausified.
Our novel encoding g?? omits the guards for variables that do not occur naked, regardless of whether they are of a monotonic type.
Definition 5.18 (Featherweight Guards g??). The monomorphic featherweight type guards encoding g?? is identical to the lightweight encoding g? except that the condition "if σ ⊲ Φ" in the ∀ case is weakened to "if σ ⊲ Φ or X ∉ NV(ϕ)".
Example 5.19. The g?? encoding of the algebraic list problem is identical to g? except that the nil_b ≉ cons_b axiom does not have any guard.
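The g?? condition combines the two analyses pointwise. A hedged sketch (assumed inputs: the possibly nonmonotonic types and the naked variables of the formula being translated):

```python
def g_qq_guards(var, var_type, nonmono, naked):
    """g??: a universal variable is guarded iff its type may be nonmonotonic
    AND the variable occurs naked in the formula being translated."""
    return var_type in nonmono and var in naked

# In the nil_b ≉ cons_b axiom, no variable occurs naked, so g?? adds no
# guard there, while g? would still guard the variables of type b.
assert not g_qq_guards("X", "b", nonmono={"b"}, naked=set())
assert g_qq_guards("X", "b", nonmono={"b"}, naked={"X"})
```

Negating this predicate gives exactly the weakened omission condition of Definition 5.18: the guard is dropped when σ ⊲ Φ or X ∉ NV(ϕ).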
Theorem 5.20 (Correctness of g?, g??). The monomorphic type guards encodings g? and g?? are correct.
Proof. It suffices to show the three conditions of Lemma 5.10.
Mono: By Lemma 5.5, it suffices to show that each type τ is monotonic in the encoded problem. By Theorem 5.9, types are monotonic unless they are possibly finite and variables of their types occur naked in the original problem. Both encodings guard all such variables: g?? guards exactly those variables, while g? guards more. The typing axioms contain no naked variables. We cannot use Theorem 5.9 directly, because guarding a naked variable does not make it less naked; but we can generalise the proof slightly to exploit the guards. Given a model M of the encoded problem, we build a model M′ with all types infinite as in the proof of Theorem 5.9, but define the τ-guard interpretation to be false on the newly added elements (recall that D′_τ = D_τ ⊎ E for some countably infinite set E): The encoded problem has the form Φ_1 ∪ Φ_2, where Φ_1 contains the added axioms and Φ_2 the formula translations from Φ. It is easy to check that M′ satisfies Φ_1. We say that a formula is τ-guarded if all its subformulae of the form ∀X:τ. ϕ have ϕ of the form ¬g_τ(X^τ) ∨ χ and all its subformulae of the form ∃X:τ. ϕ have ϕ of the form g_τ(X^τ) ∧ χ. All the formulae in Φ_2 are clearly τ-guarded. The next facts follow by induction on t or ϕ (for arbitrary ξ′): It follows that M′ satisfies Φ_2 as well. Hence it is the desired model of the encoded problem.
Sound: Just like for tags, this is immediate for both g? and g??: given a model of Φ, we extend it to a model of the encoded Φ by interpreting all type guards as everywhere-true predicates. A simpler but less instructive way to prove Mono is to observe that the second monotonicity calculus of Claessen et al. [16, §2.4] can infer the monotonicity of all problems generated by g, g?, and g??.
Remark 5.21. The proofs of Theorems 5.15 and 5.20 remain valid as they are even if the generated problems contain more tags or guards than the monotonicity calculus deems necessary, i.e. if in the definitions of t?, t??, g?, and g?? we replace the condition "σ ⊲ Φ" by "σ ∈ J", where J ⊆ {σ ∈ Type_Σ | σ ⊲ Φ}. (The replacement should be done everywhere, including in the axioms.)
5.6. Heuristic Monomorphisation. Section 6 will show how to translate polymorphic types soundly and completely. If we are willing to sacrifice completeness, an easy way to extend t?, t??, g?, and g?? to polymorphism is to perform heuristic monomorphisation on the polymorphic problem:
1. Heuristically instantiate all type variables with suitable ground types, taking finitely many copies of each formula if desired.
2. Map each ground occurrence s⟨ᾱρ⟩ of a polymorphic symbol s : ∀ᾱ. σ̄ → σ to a fresh monomorphic symbol s_ᾱρ : ⌊σ̄ρ⌋ → ⌊σρ⌋, where ρ is a ground type substitution (a function from type variables to ground types) and ⌊ ⌋ is an injection from ground types to nullary type constructors (e.g. {b ↦ b, list(b) ↦ list_b}).
Heuristic monomorphisation is generally incomplete [12, §2] and often overlooked in the literature, but by eliminating type variables it considerably simplifies the generated formulae, leading to very efficient encodings. It also provides a simple and effective way to exploit the native support for monomorphic types in some automatic provers.
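Step 2 can be sketched as a name-mangling function. The naming scheme below (underscores) is only one possible injection ⌊ ⌋ and is assumed, not taken from the article; a real implementation would need to guarantee freshness against clashes with existing identifiers:

```python
def mangle_type(tau):
    """⌊·⌋: map a ground type to a nullary type-constructor name,
    e.g. ("list", ("b",)) ↦ "list_b" (an assumed naming scheme)."""
    if isinstance(tau, str):
        return tau
    name, args = tau
    return name + "_" + "_".join(mangle_type(a) for a in args)

def mangle_symbol(s, ground_type_args):
    """Map a ground occurrence s⟨τ̄⟩ of a polymorphic symbol to a fresh
    monomorphic symbol name s_τ̄."""
    if not ground_type_args:
        return s
    return s + "_" + "_".join(mangle_type(t) for t in ground_type_args)

assert mangle_type(("list", ("b",))) == "list_b"
assert mangle_symbol("cons", [("list", ("b",))]) == "cons_list_b"
```

After mangling, each monomorphic instance can be fed to t?, t??, g?, or g?? as an ordinary monomorphic problem.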

Complete Monotonicity-Based Encodings of Polymorphism
Heuristic monomorphisation is simple and effective, but its incompleteness can be a cause for worry, and its nonmodular nature makes it unsuitable for some applications that need to export an entire polymorphic theory independently of any conjecture. Here we adapt the type encodings to a polymorphic setting.
We start by defining a correct but infinitary translation of a polymorphic problem into a monomorphic one, called complete monomorphisation. Then we address the genuinely polymorphic issue of encoding type arguments, proving conditions under which the composition of an encoding x with the type arguments encoding a is correct: x must be complete and produce monotonic problems. Finally, we define polymorphic counterparts of the guard and tag encodings and show that they satisfy the required conditions by reducing (most of) the problem to the monomorphic case via complete monomorphisation.
6.1. Complete Monomorphisation. The main insight behind complete monomorphisation is that a polymorphic formula having all its type quantification at the top is equisatisfiable with the (generally infinite) set of its monomorphic instances. Complete monomorphisation does not obey our convention about encodings, since it translates each polymorphic formula not into a single monomorphic formula but into a set of formulae.
Definition 6.1 (Instance Type and Most General Instance). A type τ is an instance of a type σ if there exists a type substitution ρ such that τ = σρ. If this is the case, we also say that τ is less general than σ and that σ is more general than τ, and we write τ ≤ σ. Given two types σ and τ, if they have a common instance (i.e. a unifier), then they also have a most general common instance, which we denote by mgi(σ, τ).
Definition 6.2 (Complete Monomorphisation ∞). We define the encoding ∞, which translates polymorphic problems over Σ = (K, F, P) to monomorphic problems over a signature defined as follows:
• for each s : ∀ᾱ. σ̄ → ς in F ⊎ P and each ρ that maps each α_i to a ground type τ_i ∈ GType_Σ, F′ ⊎ P′ contains a symbol s_τ̄ : σ̄ρ → ςρ.
We first define the translation of terms and formulae that contain no type variables, i.e. that have no type quantifiers and in which all the types occurring in applications of function or predicate symbols are ground: Now, given a sentence ∀ᾱ. ϕ, where ᾱ comprises all its universally quantified type variables, we encode it as the set of encodings of its monomorphic instances (via ground type substitutions ρ): Finally, the encoding of a problem is the union of the encodings of its formulae. Whenever we write a polymorphic formula as ∀ᾱ. ϕ, we implicitly assume that ᾱ comprises all its universally quantified type variables, so that ϕ has no type quantifiers.
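Although ∞ is infinitary, the instance set can be enumerated by bounding the nesting depth of ground types. A hedged sketch (assumed representation: a nullary constructor is a string, an application is `(name, args)`; the truncation parameter is ours, not the article's):

```python
from itertools import product

def ground_types(constructors, depth):
    """All ground types over (name, arity) pairs with nesting at most `depth`."""
    types = {name for name, arity in constructors if arity == 0}
    for _ in range(depth):
        new = set(types)
        for name, arity in constructors:
            if arity > 0:
                for args in product(sorted(types, key=str), repeat=arity):
                    new.add((name, args))
        types = new
    return types

def ground_substitutions(tyvars, constructors, depth):
    """The ground type substitutions ρ used to build the instance set of
    ∀ᾱ.ϕ, truncated at the given depth (the full set is infinite)."""
    gts = sorted(ground_types(constructors, depth), key=str)
    return [dict(zip(tyvars, combo)) for combo in product(gts, repeat=len(tyvars))]

# Signature of the algebraic list problem: b and list(·).
ks = [("b", 0), ("list", 1)]
assert ground_types(ks, 1) == {"b", ("list", ("b",))}
assert len(ground_substitutions(["A"], ks, 2)) == 3  # b, list(b), list(list(b))
```

In practice, heuristic monomorphisation (Section 5.6) replaces this exhaustive enumeration with a finite, conjecture-driven selection of instances.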
Proof. First, observe that in any model M of a polymorphic signature, the interpretation δ^M_{θ,ξ} of a term or formula δ that contains no type variables does not depend on θ and depends on ξ only through the restriction of ξ to ground types, ξ′.
Sound: Assume Φ is satisfiable, and let Σ = (K, F, P) be its polymorphic signature. By Lemma 4.11, Φ also has a model M = (D, (f^M)_{f∈F}, (p^M)_{p∈P}) for which ·^M : GType_Σ → D is a bijection; let v : D → GType_Σ be its inverse. We define a structure M′ = (D′, (f^M′)_{f∈F′}, (p^M′)_{p∈P′}) for Σ′ as follows:
• if s : ∀ᾱ. σ̄ → ς is in F ⊎ P and τ̄ = (τ_1, ..., τ_m) are ground instances of ᾱ = (α_1, ..., α_m) via ρ, we define s^M′_τ̄ by s^M′_τ̄(d̄) = s^M(τ_1^M, ..., τ_m^M)(d̄).
The next fact follows by induction on the term or formula δ (for arbitrary ξ : V → ⋃_{τ∈Type_Σ′} D′_τ): (1) if δ contains no type variables, then δ ∞ ^M′_ξ′ = δ^M_ξ. Since M is a model of ∀ᾱ. ϕ, it is also a model of all its ground-type instances ϕρ, and hence, since ϕ ∞ consists of the encodings of these instances, M′ is a model of ϕ ∞.
Complete: Let M′ be a model of Φ ∞. We define a structure M for Σ as follows:
• if ᾱ = (α_1, ..., α_m), s : ∀ᾱ. σ̄ → ς ∈ F ⊎ P, and D̄ ∈ D^m, we define s^M(D̄) = s^M′_{(v(D_1), ..., v(D_m))}.
The next fact follows by induction on τ: The next fact follows by induction on the term or formula δ (for arbitrary ξ : V → ⋃_{τ∈GType_Σ} τ^M): (2) if δ contains no type variables, then δ^M_ξ = δ ∞ ^M′_ξ′. In particular, for a sentence ϕ, we have ϕ^M = ϕ ∞ ^M′. Now let ∀ᾱ. ϕ ∈ Φ, and assume toward a contradiction that M is not a model of ∀ᾱ. ϕ. Then, since by (1) and the definition of D the map ·^M : GType → D is surjective, we obtain a ground-type instance ϕρ of ϕ such that M is not a model of ϕρ. By ϕ^M = ϕ ∞ ^M′, M′ is not a model of ϕρ ∞, hence not a model of ∀ᾱ. ϕ ∞, which is a contradiction. Therefore M is a model of ∀ᾱ. ϕ, and we conclude that M is a model of Φ, as desired.

6.2. Monotonicity. The definition of monotonicity from Section 5.1 (Definition 5.1) must be adapted to the polymorphic case.
Proof. Let Φ be such a problem and Σ = (K, F, P) its signature, and assume Φ is satisfiable. By monotonicity and Lemma 4.12, it also has a model M where all D ∈ D are countably infinite. From this model, we construct a model M′ of Φ a; e with a countably infinite domain E that interprets the encoded types as distinct elements of E. The function and predicate tables of M′ are based on those of M, with encoded type arguments corresponding to actual type arguments.
More precisely, let E be a countably infinite set and consider the following functions:
• the mutually inverse bijections u : D → E and v : E → D;
• for each D ∈ D, the mutually inverse bijections u_D : D → E and v_D : E → D.
Let Σ′ = (F′ ⊎ K′, P′) be the target untyped signature of a. We define the structure M′ for Σ′ as follows: • Assume k is an n-ary function symbol in K′, meaning that k :: n is in K. Then k^{M′}(ē) = u(k^M(v(ē))).

Lemma 6.9 (Monotonicity Preservation and Reflection by ∞).
A polymorphic problem Φ is monotonic iff its monomorphic encoding Φ ∞ is monotonic.
6.3. Monotonicity Inference. The monotonicity inference of Section 5.2 must be adapted to the polymorphic setting. We start by generalising the notion of naked variable.

Definition 6.10 (Polymorphic Naked Variable). The set NV(ϕ) of naked variables of a polymorphic formula ϕ is defined similarly to the monomorphic case (Definition 5.6); a few of the defining equations are new or slightly different from there. Again, we take NV(Φ) = ⋃_{ϕ∈Φ} NV(ϕ).
Note from Definitions 5.6 and 6.10 that the naked variables of a polymorphic formula occur at the same positions as in all its monomorphic instances. Moreover, the types of the naked variables in the completely monomorphised problem are simply the ground instances of the types of the naked variables in the original problem:

Lemma 6.11. NV(Φ^∞) = {X_τ | τ ∈ GType and there exists σ ≥ τ such that X_σ ∈ NV(Φ)}.
The calculus presented below captures the insight that a polymorphic type is monotonic if each of its common instances with the type of any naked variable is an instance of an infinite type. Similarly to its monomorphic counterpart, it is parameterised by a fixed set Inf(Φ) of (not necessarily ground) types whose interpretations ⟦σ⟧_{M,θ} (for any type valuation θ) in any model M of Φ are known to be infinite.
Definition 6.13 (Polymorphic Monotonicity Calculus ⊲). A judgement σ ⊲ Φ indicates that the type σ is inferred monotonic in Φ. The monotonicity calculus consists of the single rule: σ ⊲ Φ holds if, for every X_{σ′} ∈ NV(Φ) such that σ and σ′ have a common instance, mgi(σ, σ′) is an instance of a type in Inf(Φ).

Example 6.14. For the algebraic list problem of Example 2.10, the only naked variables are X_α and Xs_{list(α)}, i.e. NV(Φ) = {X_α, Xs_{list(α)}}.
The type list(α) is inferred monotonic by ⊲ because its most general common instance with α (the type of X) and with list(α) (the type of Xs) is in both cases list(α), which is known to be infinite. In contrast, α and b cannot be inferred monotonic: each of them is itself its most general common instance with α, and neither of them is among the types known to be infinite.
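To make the single rule concrete, the following Python sketch implements the check under simplifying assumptions (it is an illustration, not the implementation accompanying this article): types are nested tuples whose head is a type constructor, type variables are strings, the naked-variable types are assumed renamed apart from the type being tested, and Inf(Φ) is given as a plain list of types.

```python
# Types: a variable is a string ('a'); an application is a tuple
# ('ctor', arg1, ..., argn), e.g. ('list', 'a') or the nullary ('b',).

def walk(t, s):
    """Follow variable bindings in substitution s."""
    while isinstance(t, str) and t in s:
        t = s[t]
    return t

def apply_subst(t, s):
    """Apply substitution s to type t."""
    t = walk(t, s)
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(apply_subst(u, s) for u in t[1:])

def occurs(v, t, s):
    t = walk(t, s)
    if isinstance(t, str):
        return v == t
    return any(occurs(v, u, s) for u in t[1:])

def unify(t1, t2, s=None):
    """Most general unifier of t1 and t2, or None if none exists."""
    s = dict(s or {})
    t1, t2 = walk(t1, s), walk(t2, s)
    if t1 == t2:
        return s
    if isinstance(t1, str):
        if occurs(t1, t2, s):
            return None
        s[t1] = t2
        return s
    if isinstance(t2, str):
        return unify(t2, t1, s)
    if t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for u, v in zip(t1[1:], t2[1:]):
        s = unify(u, v, s)
        if s is None:
            return None
    return s

def match(pat, t, s):
    """One-way matching: extend s so that pat instantiated by s equals t."""
    if isinstance(pat, str):
        if pat in s:
            return s if s[pat] == t else None
        return {**s, pat: t}
    if isinstance(t, str) or pat[0] != t[0] or len(pat) != len(t):
        return None
    for p, u in zip(pat[1:], t[1:]):
        s = match(p, u, s)
        if s is None:
            return None
    return s

def is_instance(t, pat):
    return match(pat, t, {}) is not None

def monotonic(sigma, naked_var_types, inf_types):
    """sigma ⊲ Φ: every common instance of sigma with the type of a
    naked variable must be an instance of a known-infinite type."""
    for sigma2 in naked_var_types:
        s = unify(sigma, sigma2)
        if s is None:
            continue  # no common instance: this variable imposes no constraint
        mgi = apply_subst(sigma, s)  # most general common instance
        if not any(is_instance(mgi, inf) for inf in inf_types):
            return False
    return True
```

On the algebraic list example, with naked-variable types α and list(α) (renamed apart) and Inf(Φ) = {list(α)}, the check infers list(α) monotonic but neither α nor b, matching Example 6.14.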
Note that property (1) of the above lemma states that if a type is inferred monotonic in the polymorphic calculus, then all its ground instances can be inferred monotonic in the monomorphic calculus associated with the completely monomorphised problem. This allows us to derive the soundness of the former calculus from that of the latter:

Theorem 6.16 (Soundness of ⊲). Let Φ be a polymorphic problem. If σ ⊲ Φ for all σ ∈ Type_Σ, then Φ is monotonic.
6.4. General Strategy. We will define polymorphic versions of the featherweight and lightweight tags and guards encodings, four encodings altogether: t?, t??, g?, and g??. If x ranges over the polymorphic encodings, x̃ ∈ {t̃?, t̃??, g̃?, g̃??} denotes its monomorphic counterpart. We base the correctness of each x on the correctness of x̃, by proving the problems Φ^{∞;x̃} and Φ^{x;∞} equisatisfiable in a monotonicity-preserving way. The following lemma implicitly assumes that the signatures of Φ^{∞;x̃} and Φ^{x;∞} coincide, which is easy to check for each encoding x.

Lemma 6.17 (Correctness Conditions via Complete Monomorphisation). Let Φ be a polymorphic problem and let x ∈ {t?, t??, g?, g??}. The problems Φ and Φ^{x;a;e} are equisatisfiable provided that the following conditions hold:
Sound: If Φ^{∞;x̃} has a model, Φ^{x;∞} has a model with the same interpretation of the type constructors.
Complete: If Φ^{x;∞} has a model, Φ^{∞;x̃} has a model with the same interpretation of the type constructors.
Proof. By the correctness of ∞ (Lemma 6.4) and the corresponding correctness theorems for x̃ (more precisely, the Sound and Complete statements from the proofs of Theorems 5.15 and 5.20), the problems Φ and Φ^{∞;x̃} are equisatisfiable. Together with the assumptions, this implies that (A) Φ and Φ^{x;∞} are equisatisfiable. Moreover, from Lemma 6.9 and the monotonicity of x̃ (more precisely, the Mono statements from the proofs of Theorems 5.15 and 5.20), we know that Φ^{∞;x̃} is monotonic. Hence, by the assumptions, (B) Φ^{x;∞} is also monotonic. The desired fact follows from (A), (B), and Lemma 6.8 (with x instantiated with x;∞).
To apply the above lemma, we need to provide an x such that the equation Φ^{x;∞} = Φ^{∞;x̃} almost holds, in the sense that the two problems are equisatisfiable without changing the interpretation of the type constructors, though possibly changing the interpretation of some function or predicate symbols. Given x̃, we will come up with an encoding x in a systematic way, but first we need to define some relevant sets of types for a polymorphic Σ-problem Φ. Here is how we proceed with the definition of x:

(1) We emulate the definition of x̃, using the polymorphic monotonicity calculus instead of the monomorphic one.

(2) Step (1) will cause Φ^{x;∞} to introduce more protectors than Φ^{∞;x̃}. This is because the former protects all ground types τ that are instances of types σ ∈ Type_Φ such that σ ⋪ Φ (namely, T_Φ), whereas the latter protects all ground types τ that are instances of types in Type_Φ and satisfy τ ⋪ Φ^∞ (namely, S_Φ). We have S_Φ ⊆ T_Φ but generally not vice versa. To repair this mismatch, we add axioms that semantically eliminate the protectors for the types in T_Φ but not in S_Φ. To achieve this, we must characterise T_Φ − S_Φ (which is an infinite set even for finite problems Φ) as the set of ground instances of a set U_Φ of types, such that U_Φ is finite whenever Φ is. We define U_Φ next. Given a set of types S, a cap for it is a set S′ ⊆ S such that all types in S are instances of types in S′. A cap is minimal if it contains no two distinct types σ and σ′ such that σ ≤ σ′. For each σ, let U_σ be a minimal cap of the set {… | σ′ and σ′′ have a common instance}. We let U_Φ be an arbitrary cap of ⋃{U_σ | σ ∈ Type_Φ and σ ⋪ Φ}.
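The notion of a (minimal) cap can be computed directly from an instance test. The following Python sketch is illustrative only (it is not the article's implementation): types are nested tuples with type variables as strings, and the input is assumed not to contain two alpha-equivalent types that should both be kept.

```python
def match(pat, t, s):
    """One-way matching: extend s so that pat instantiated by s equals t."""
    if isinstance(pat, str):                      # pat is a type variable
        if pat in s:
            return s if s[pat] == t else None
        return {**s, pat: t}
    if isinstance(t, str) or pat[0] != t[0] or len(pat) != len(t):
        return None
    for p, u in zip(pat[1:], t[1:]):
        s = match(p, u, s)
        if s is None:
            return None
    return s

def is_instance(t, pat):
    """t <= pat: t is obtained from pat by substituting for its variables."""
    return match(pat, t, {}) is not None

def minimal_cap(types):
    """Compute a minimal cap of `types`: every input type remains an
    instance of some kept type, and no kept type is a strict instance
    of another kept type."""
    cap = list(types)
    for sigma in types:
        others = [t for t in cap if t != sigma]
        # drop sigma if it is subsumed by some other remaining type
        if sigma in cap and any(is_instance(sigma, t) for t in others):
            cap = others
    return cap
```

For example, the cap of {list(b), list(α), b} keeps only list(α) and b, since list(b) is an instance of list(α); and the cap of {α, list(α)} is {α}.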
The set U_Φ consists of monotonic types, and its ground instances precisely characterise our difference of interest, T_Φ − S_Φ:

Lemma 6.20. The following properties hold:

Proof. (1): Assume τ ∈ S_Φ and let σ ≥ τ be as in the definition of S_Φ. By Lemma 6.15(2), we have τ ⋪ Φ, and hence by Lemma 6.15(3) we have σ ⋪ Φ, ensuring that τ ∈ T_Φ.

(2): It is clear that the condition defining U′_σ is a strengthening of that defining σ ⊲ Φ. (4): Immediate from the definitions of S_Φ and T_Φ.
The following results will hold for any choice of the set V_Φ between U_Φ and {σ ∈ Type_Σ | σ ⊲ Φ}. The smaller the chosen set, the lighter the encoding.
6.5. Monotonicity-Based Type Tags. We are now equipped to present the definitions of the polymorphic monotonicity-based encodings and to prove their correctness. The polymorphic t? encoding can be seen as a hybrid between traditional tags (t) and monomorphic lightweight tags (t̃?): as in t, tags take the form of a function t_σ(t); as in t̃?, tags are omitted for types that are inferred monotonic.
The main novelty concerns the typing axioms. The monomorphic t̃? encoding omits all typing axioms for monotonic types. In the polymorphic case, a monotonic type σ might be an instance of a more general, potentially nonmonotonic type for which tags are generated. For example, if α is tagged (because it is possibly nonmonotonic) but its instance list(α) is not (because it is infinite and hence monotonic), there will be mismatches between tagged and untagged terms. Our solution is to add the typing axiom t_{list(α)}(Xs) ≈ Xs, which allows the prover to add or remove a tag for the infinite type list(α). Such an axiom is sound for any monotonic type.
The encoding adds the following typing axioms:

∀TVars(σ). ∀X : σ. t_σ(X) ≈ X    for σ ∈ V_Φ

The polymorphic lightweight type tags encoding t? is the composition t?; a; e. It translates a polymorphic problem over Σ into an untyped problem over Σ′ = (F′ ⊎ {t²}, P′), where F′ and P′ are as for a.
The typing axiom allows any term to be typed as list(α), which is sound because list(α) is infinite. It would have been equally correct to provide separate axioms for nil, cons, and tl. Either way, the axioms are needed to remove the t(A, X ) tags in case the proof requires reasoning about list(list(α)).
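To illustrate, the following is our rendering of the typing axiom for list(α) before and after composition with the type-argument encoding a and the erasure e (a sketch of the clause shapes, writing A for the term-level encoding of the type variable α; the exact shapes depend on the definitions of a and e):

```latex
% Typed axiom added by t? for the monotonic type list(alpha):
\forall \mathit{Xs} : \mathit{list}(\alpha).\;\;
  \mathsf{t}_{\mathit{list}(\alpha)}(\mathit{Xs}) \approx \mathit{Xs}
% After a and e, types become terms and the tag becomes a binary symbol:
\forall A,\, X.\;\; \mathsf{t}(\mathit{list}(A),\, X) \approx X
```

The second clause is what the untyped prover actually sees: it can equate any term with its tagged variant at any instance of list(α), which is exactly what is needed when the proof involves list(list(α)).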
The lighter encoding t?? protects only naked variables. It introduces equations of the form t_σ(f⟨ᾱ⟩(X̄)) ≈ f⟨ᾱ⟩(X̄) to add or remove tags around each function symbol f whose result type σ is possibly nonmonotonic, and similar equations for existential variables. Its term and formula translations are defined as follows:

The encoding adds the typing axioms of t? (from Definition 6.22) and the following:

∀TVars(σ). ∃X : σ. t_σ(X) ≈ X    for σ ∈ Type_Φ such that σ ⋪ Φ and σ is not an instance of the result type of some f ∈ F

The polymorphic featherweight type tags encoding t?? is the composition t??; a; e. The target signature of t?? is the same as that of t?.

Proof. First we discuss the case of t?. The following property can be routinely checked:

where GInst(V_Φ) denotes the set of ground instances of types in V_Φ and ϕ# denotes the modification of ϕ obtained by adding, for each τ ∈ T_Φ − S_Φ, a tag t_τ around every term of type τ. Recall that U_Φ ⊆ V_Φ ⊆ {σ ∈ Type_Σ | σ ⊲ Φ}. We have the following:

Complete: Any model of Φ^{t?;∞} is also a model of Φ^{∞;t̃?}, thanks to (1).

The case of t?? is similar, with the following modifications:

where Ax consists of all ground instances ϕρ of the additional axioms ∀ᾱ. ϕ from Definition 6.24 in which the occurring t_τ is such that τ ∈ T_Φ − S_Φ. What we retain about Ax is that it is satisfied by any structure that interprets as the identity each t_τ with τ ∈ T_Φ − S_Φ; hence, by (1), we have that (4) Ax is satisfied by any structure that interprets as the identity each t_τ with τ ∈ GInst(V_Φ). Moreover, ϕ# is modified so as to add tags to ϕ in fewer places: not around arbitrary terms, but only around naked universal variables. The proof for t? then works here too, additionally invoking (4) in the proof of soundness.

6.6. Monotonicity-Based Type Guards. Analogously to t?, the g?
encoding is best understood as a hybrid between traditional guards (g) and monomorphic lightweight guards (g̃?): as in g, guards take the form of a predicate g_σ(t); as in g̃?, guards are omitted for types that are inferred monotonic.
Once again, the main novelty concerns the typing axioms. The monomorphic g̃? encoding omits all typing axioms for monotonic types. In the polymorphic case, a monotonic type σ might be an instance of a more general, potentially nonmonotonic type for which guards are generated. Our solution is to add the typing axiom g_σ(X), which allows the prover to discharge any guard for the monotonic type σ.

Definition 6.27 (Lightweight Guards g?). The encoding g? translates polymorphic problems over Σ = (Type, F, P) to polymorphic problems over (Type, F, P ⊎ {g : ∀α. α → o}).
Its term and formula translations are defined as follows:

The encoding adds the following typing axioms:

∀ᾱ. ∀X̄. g_σ(f⟨ᾱ⟩(X̄))    for f : ∀ᾱ. σ̄ → σ ∈ F such that σ ⋪ Φ
∀TVars(σ). ∃X : σ. g_σ(X)    for σ ∈ Type_Φ such that σ ⋪ Φ and σ is not an instance of the result type of some f ∈ F
∀TVars(σ). ∀X : σ. g_σ(X)    for σ ∈ V_Φ

The polymorphic lightweight type guards encoding g? is the composition g?; a; e. It translates a polymorphic problem over Σ into an untyped problem over Σ′ = (F′, P′ ⊎ {g²}), where F′ and P′ are as for a.
The featherweight cousin g?? is a straightforward generalisation of g?, along the lines of the generalisation of t? into t??.
More specifically, the monotonicity inference is run on the entire problem and maintains two finite sets of polymorphic types: the surely infinite types J and the possibly nonmonotonic types N. The type of every naked variable in the problem is tested for infinity. If the test succeeds, the type is inserted into J; otherwise, it is inserted into N. Two simplifications are performed: there is no need to insert σ into J or N if it is an instance of a type already in the set, and when inserting σ into a set, it is safe to remove any type in the set that is an instance of σ. The monotonicity check then becomes: a type is considered monotonic if every common instance of it with a type in N is an instance of a type in J.

To guard against bugs in the external provers, Sledgehammer reconstructs machine-generated proofs in Isabelle. This is usually accomplished by the metis proof method [26], supplying it with the short list of facts referenced in the proof found by the prover. The proof method is based on the Metis prover [20], a complete resolution prover for untyped first-order logic. The metis call is all that remains of the Sledgehammer invocation in the Isabelle theory, which can then be replayed without external provers. Given only a handful of facts, metis usually succeeds within milliseconds.
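The insertion-with-simplification step for J and N described above can be sketched in Python as follows (an illustration under simplifying assumptions, not Sledgehammer's ML code; types are nested tuples with type variables as strings):

```python
def match(pat, t, s):
    """One-way matching: extend s so that pat instantiated by s equals t."""
    if isinstance(pat, str):                      # pat is a type variable
        if pat in s:
            return s if s[pat] == t else None
        return {**s, pat: t}
    if isinstance(t, str) or pat[0] != t[0] or len(pat) != len(t):
        return None
    for p, u in zip(pat[1:], t[1:]):
        s = match(p, u, s)
        if s is None:
            return None
    return s

def is_instance(t, pat):
    return match(pat, t, {}) is not None

def insert_type(types, sigma):
    """Insert sigma into J or N, with both simplifications: skip sigma if
    it is an instance of a stored type; drop stored instances of sigma."""
    if any(is_instance(sigma, t) for t in types):
        return types                              # already subsumed
    return [t for t in types if not is_instance(t, sigma)] + [sigma]
```

For example, inserting list(b) into {list(α)} leaves the set unchanged, while inserting α replaces list(α), since list(α) is an instance of α.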
Prior to our work, a large share of the reconstruction failures were caused by type-unsound proofs found by the external provers, due to the use of the unsound encoding a [13, §4.1]. We have since replaced the internals of Sledgehammer and metis so that they use a translation module supporting all the type encodings described in this article.
Nonetheless, despite the typing information, individual inferences in Metis can be ill-typed when types are reintroduced, causing the metis proof method to fail. There are two main failure scenarios.
First, the prover may in principle instantiate variables with "ill-typed" terms at any point in the proof. Fortunately, this hardly ever arises in practice, because like other resolution provers Metis heavily restricts paramodulation from and into variables [1].
An issue that is more likely to plague users concerns the infinite types Inf(Φ). In the theoretical part of this article, we required infinity to be a consequence of the problem Φ. The implementation is less rigorous: it happily treats as infinite any type that is known to be infinite in the Isabelle background theories, even if Φ itself does not imply the infinity of that type. For example, assuming nat is known to be infinite, the implementation of the monotonicity-based encodings will not introduce any protectors around the naked variables X and Y when translating the problem

on ≉ off ∧ (∀X, Y : nat. X ≈ Y)

(where on, off : state, and the second conjunct is presumably the negation of a conjecture stating that there exist two distinct natural numbers). That problem is satisfiable on its own but unsatisfiable with respect to the background theory. Untyped provers will instantiate X and Y with on and off to derive a contradiction, and no "type-sound" proof is possible unless we also provide characteristic theorems for nat. In general, we would need to provide infinity axioms for all types in Inf(Φ) to make the encoding sound irrespective of the background theory; for example:

∀X : nat. suc(X) ≉ zero        ∀X, Y : nat. suc(X) ≈ suc(Y) → X ≈ Y

Although this now makes a sound proof possible (by instantiating X and Y with zero and suc(zero)), it does not prevent the prover from discovering the spurious proof with on and off, which cannot be reconstructed by metis.
Although the above scenarios rarely occur in practice, it would be more satisfactory if proof reconstruction were always possible. A solution would be to connect our formalised soundness proofs with a verified checker for untyped first-order proofs. This remains for future work.

Evaluation
To evaluate the type encodings described in this article, we put together two sets of 1000 polymorphic first-order problems originating from 10 existing Isabelle theories, translated with Sledgehammer's help (100 problems per theory).³ Nine of the theories are the same as in a previous evaluation [3]; the tenth one is an optimality proof for Huffman's algorithm. Our test data are publicly available [4].
The problems in the first benchmark set include about 50 heuristically selected facts (before monomorphisation); that number is increased to 500 for the second set, to reveal how well the encodings scale with the problem size.
We evaluated each type encoding with five modern automatic theorem provers: the resolution provers E 1.8 [28], SPASS 3.8ds [9], and Vampire 3.0 (revision 1803) [27], and the SMT solvers Alt-Ergo 0.95.2 [10] and Z3 4.3.2 (revision 944dfee008) [23]. To make the evaluation more informative, we also tested the provers' native support for types where it is available; it is referred to as ñ (monomorphic) and n (polymorphic). Only Alt-Ergo supports polymorphic types natively.
Each prover was invoked with the set of options that we had previously determined to work best for Sledgehammer.⁴ The provers were granted 15 seconds of CPU time per problem on one core of a 3.06 GHz Dual-Core Intel Xeon processor. Most proofs were found within a few seconds; a higher time limit would have had a restricted impact on the success rate [13, §4]. To avoid giving the unsound encodings (e and a) an unfair advantage, for these encodings the proof search was followed by a certification phase that attempted to re-find the proof using a combination of sound encodings, based on its referenced facts. This phase slightly penalises the unsound encodings by rejecting a few sound proofs, but such is the price of unsoundness in practice.

Figures 2 and 3 give, for each combination of prover and encoding, the number of solved problems from each problem set. Rows marked with ˜ concern the monomorphic encodings. The encodings ã, t̃@, and g̃@ are omitted: ã coincides with ẽ, whereas t̃@ and g̃@ are identical to degenerate versions of t̃?? and g̃?? that treat all types as possibly nonmonotonic. We observe the following:

• Among the encodings to untyped first-order logic, the monomorphic monotonicity-based encodings (especially g̃?? but also t̃??, g̃?, and t̃?) performed best overall. Their performance is close to that of the provers' native support for simple types (ñ). The polymorphic encodings lag behind; this is likely due in part to the synergy between the monomorphiser and the translation of higher-order constructs (cf. Section 7.2).

³ The TPTP benchmark suite [30], which is customarily used for evaluating theorem provers, has only just begun collecting polymorphic (TFF1) problems.
⁴ The setup for E was suggested by Stephan Schulz and includes the little-known "symbol offset" weight function. We ran Alt-Ergo with the default setup, SPASS in Isabelle mode, Vampire in CASC mode, and Z3 through the z3_tptp wrapper but otherwise with the default setup.
• Among the polymorphic encodings, our novel cover-based and monotonicity-based encodings (t@, t?, t??, g@, g?, and g??), with the exception of t@, constitute a substantial improvement over the traditional sound schemes (t and g).
• As suggested in the literature, there is no clear winner between tags and guards. We expected monomorphic guards to be especially effective with SPASS, since they are internally mapped to soft sorts (an optimised representation of unary predicates [34]), but this is not corroborated by the data.
• Despite the proof reconstruction phase, the unsound encoding a achieved similar results to the sound polymorphic encodings. In contrast, its monomorphic cousin e is generally no match for the sound monomorphic schemes.
• Oddly, the polymorphic prover Alt-Ergo performs significantly better on monomorphised problems than on the corresponding polymorphic ones. This raises serious doubts about the quality of the prover's heuristics for instantiating type variables.

For the first benchmark set, Figure 4 presents the average number of clauses, literals per clause, symbols per atom, and symbols for clausified problems (using E's clausifier), to give an idea of each encoding's overhead. The striking point is the lightness of the monomorphic encodings, as witnessed by the number of symbols. Because monomorphisation generates several copies of the same formulae, we could have expected it to lead to larger problems, but this expectation underestimates the cost of encoding types as terms in the polymorphic encodings.⁵ The strong correlation between the success rates in Figure 3 and the average number of symbols in Figure 4 confirms the expectation that clutter (whether type arguments, tags, or guards) slows down automatic provers.
Independently of these empirical results, the new type encodings made an impact at the 2012 edition of CASC, the annual automatic prover competition [31]. Isabelle's automatic proof tools, including Sledgehammer, compete against the automatic provers LEO-II, Satallax, and TPS in the higher-order division. Largely thanks to the new schemes (but also to improvements in the underlying first-order provers), Isabelle moved from the third place it had occupied since 2009 to the first place.

Related Work
The earliest descriptions of type tags and type guards we are aware of are due to Enderton [18, §4.3] and Stickel [29, p. 99]. Wick and McCune [36, §4] compare type arguments, tags, and guards in a monomorphic setting. Type arguments are described by Meng and Paulson [22], who also consider full type erasure and polymorphic type tags and present a translation of axiomatic type classes. As part of the MPTP project, Urban [33] extended the untyped TPTP FOF syntax with dependent types to accommodate Mizar and designed translations to plain FOF. The intermediate verification language and tool Boogie 2 [21] supports a restricted form of higher-rank polymorphism (with polymorphic maps), and Why3 [11] provides rank-1 polymorphism. Both define translations to a monomorphic logic and rely on proxies to handle interpreted types [12,17,21]. One of the Boogie translations [21, §3.1] uses SMT triggers to prevent ill-typed instantiations in conjunction with type arguments; however, this approach is risky in the absence of a semantics for triggers. Bouillaguet et al. [14, §4] showed that full type erasure is sound if all types can be assumed to have the same cardinality and exploit this in the verification system Jahob.
An alternative to encoding polymorphic types or monomorphising them away is to support them natively in the prover. This is ubiquitous in interactive theorem provers, but perhaps the only production-quality automatic prover that supports polymorphism is Alt-Ergo [10].
Blanchette and Krauss [6] studied monotonicity inferences for higher-order logic without polymorphism. Claessen et al. [16] were the first to apply them to type erasure.

Conclusion
This article introduced a family of translations from polymorphic into untyped first-order logic, with a focus on efficiency. Our monotonicity-based encodings soundly erase all types that are inferred monotonic, as well as most occurrences of the remaining types. The best translations outperform the traditional encoding schemes.
We implemented the new translations in the Sledgehammer tool for Isabelle/HOL, thereby addressing a recurring user complaint. Although Isabelle certifies external proofs, unsound proofs are annoying and often conceal sound proofs. The same translation module forms the core of Isabelle's TPTP exporter tool, which makes entire theorem libraries available to first-order reasoners. Our refinements to the monomorphic case have made their way into the Monotonox translator [16]. Applications such as Boogie [21], LEO-II [2], and Why3 [11] also stand to gain from lighter encodings.
The TPTP family recently welcomed the addition of TFF1 [7], an extension of the monomorphic TFF0 logic with rank-1 polymorphism. Equipped with a concrete syntax and translation tools, we can turn any popular automatic theorem prover into an efficient polymorphic prover. Translating the untyped proof back into a typed proof is usually straightforward, but there are important corner cases that call for more research. It should also be possible to extend our approach to interpreted arithmetic.
From both a conceptual and an implementation point of view, the encodings are all instances of a general framework, in which mostly orthogonal features can be combined in various ways. Defining such a large number of encodings makes it possible to select the most appropriate scheme for each automatic prover, based on empirical evidence. In fact, using strategy scheduling or parallelism, it is advantageous to have each prover employ a combination of encodings with complementary strengths.