Strong Normalization of the Calculus of Constructions with Type-Based Termination Benjamin Gr´
advertisement
Strong Normalization of the Calculus of
Constructions with Type-Based Termination
Benjamin Grégoire and Jorge Luis Sacchini
INRIA Sophia Antipolis - Méditerranée, France
{Benjamin.Gregoire,Jorge-Luis.Sacchini}@inria.fr
Abstract. Termination of recursive functions is an important property
in proof assistants based on dependent type theories; it implies consistency and decidability of type checking. Type-based termination is
a mechanism for ensuring termination that uses types annotated with
size information to check that recursive calls are performed on smaller
arguments. Our long-term goal is to extend the Calculus of Inductive
Constructions with a type-based termination mechanism and prove its
logical consistency. In this paper, we present an extension of the Calculus of Constructions (including universes and impredicativity) with sized
natural numbers, and prove strong normalization and logical consistency.
Moreover, the proof can be easily adapted to include other inductive
types.
1
Introduction
Termination of recursive functions is an important property in proof assistants
based on dependent type theory; it implies consistency of the logic, and decidability of type checking. In current implementations, it is common to use syntactic criteria (called guard predicates) to ensure termination. Guard predicates
are applied to the body of recursive functions to check that recursive calls are
performed on structurally smaller arguments. However, these criteria are often
difficult to understand and implement.
An alternative approach is type-based termination. The basic idea is the use
of sized types, i.e., types decorated with size information. Termination is ensured
by typing constraints, restricting recursive calls to smaller arguments. Compared
to guard predicates, type-based termination provides a simple yet expressive
mechanism for ensuring termination.
In previous work by the first author [4], the Calculus of Inductive Constructions (CIC) was extended with a type-based termination mechanism. The
obtained system, called CICb, has many desirable metatheoretical properties,
including complete size inference. However, the logical consistency of CICb is
derived from a conjecture stating strong normalization of well-typed terms.
Our long-term goal is to define a type-based termination mechanism for CIC
that is proved consistent. This paper is a step in that direction. We present a
simplified version of CICb, called CICb− (Sect. 3).
2
Benjamin Grégoire and Jorge Luis Sacchini
Our main contribution is a proof of strong normalization (SN) and logical
consistency for CICb− restricted to one inductive type, namely natural numbers
(Sect. 4). The interpretation of natural numbers is done in a generic way, and
can be extended to other inductive types.
2
A Primer on Type-based Termination
Before giving the details of CICb− , this section introduces briefly the main ideas
of sized types and type-based termination. Consider the type of natural numbers,
defined by
nat : Type := O : nat | S : nat → nat .
With sized types, this defines a family of types of the form nats , where s is a
size (or stage) expression. Size information is used to type recursive functions,
as shown in the following (simplified) typing rule for fixpoint construction:
Γ (f : natı → U ) ` M : natbı → U [ı := bı]
Γ ` (fix f : nat → U := M ) : nats → U [ı := s]
where ı is a stage variable, and b· is the successor function on stages. Intuitively,
natı and natbı denote the type of natural numbers whose size is smaller than ı
and ı + 1, respectively. This intuition is reflected in the subtyping rule, stating
that natı ≤ natbı ≤ nat∞ , where nat∞ denotes the usual type of natural numbers.
In the typing rule above, the body of the fixpoint, M , is a function that takes
an argument of type natbı . The recursive calls to f in M are only allowed on terms
of type natı , that is, smaller than the size of the argument. This ensures that
recursion terminates. Note that the variable ı can appear (positively) in U , which
allows to write size-preserving functions. A typical example is the subtraction of
natural numbers, which has type nats → nat∞ → nats , for any s. We can then
write the division of natural numbers as1 :
fix div : nat → nat → nat :=
λ m n : nat. case mnat(bı) of
| O ⇒ Onat(bı)
| S m0nat(ı) ⇒ S (div (minus m0 n)nat(ı) n)nat(ı)
The type annotations are given for clarification only, and are not written in the
actual syntax. Since minus has type nats → nat∞ → nats , the recursive call in
div is well-typed. The function div also has type nats → nat∞ → nats .
Note in the case expression that m has type natbı , while the recursive argument m0 has a smaller type natı . This mechanism ensures that we can make
recursive calls on the recursive arguments of an inductive type. However, it is
more powerful than guard predicates, thanks to the possibility of typing sizepreserving functions. For example, extending the system with sized lists, typical
1
div m n computes
l
m
n+1
m
Strong Normalization of CC with Type-Based Termination
3
functions can be given more precise types:
map : Π(A B : Type).(A → B) → listı A → listı B
filter : Π(A : Type).(A → bool) → listı A → listı A × listı A
These functions allow to type programs that are not structurally recursive such
as quicksort:
fix qsort : list A → list A :=
λl : list A. case llist(bı) of
| nil ⇒ nil
| cons h tlist(ı) ⇒ let (s, g) = filter (< h) tlist(ı) in
append (qsort slist(ı) ) (cons h (qsort glist(ı) ))
Note that the precise typing of filter allows the recursive calls in the above
definition. However, in this case, qsort has type list∞ A → list∞ A. For further
examples and references, we refer the reader to [4].
3
System CICb−
CICb− is an extension of CIC with a type-based termination mechanism. In this
section we introduce the syntax and typing rules.
In order to treat impredicativity in the proof of SN, terms carry more type
annotations in the case of abstraction and application [2,10]. However, the system we intend to use has a more traditional presentation. In the traditional
presentation, abstractions have the form λx : T ◦ .M and applications have the
form M N . We give here the annotated presentation we use in the proof of SN.
The reduction rules and typing rules are adapted to the traditional presentation
in the obvious way. In App. A we give the complete presentation of CICb− in the
traditional form. In App. C we prove the equivalence between both presentations.
3.1
Syntax
We consider a predicative hierarchy of sorts Typei , for i ∈ N, and an impredicative sort Prop. The set of sorts is denoted U. We assume a denumerable set X of
term variables. We use u to denote sorts, and f , x, y to denote term variables.
Inductive types are annotated with stage expressions.
Definition 1 (Stages). The syntax of stages is given by the following grammar,
where XS denotes a denumerable set of stage variables.
S ::= XS | Sb | ∞
We use ı, to denote stage variables, and s, r to denote stages. The base of
a stage expression is defined by bıc = ı and bb
sc = bsc (the base of a stage
containing ∞ is not defined).
4
Benjamin Grégoire and Jorge Luis Sacchini
The syntax features three classes of terms, whose difference lies in the type of
annotations that inductive types carry. (This helps to ensure subject reduction
and efficient type inference [4].) Bare terms carry no annotation. Position terms
carry either no annotation, or a ?, which is used to indicate recursive positions
in fixpoint functions. Finally, sized terms carry a stage expression.
Definition 2 (Terms). The generic set of terms over the set a is defined by
the grammar:
T [a] ::= X | U | λX :T ◦ .T ◦ T [a] | appX :T ◦ .T ◦ (T [a], T [a]) | ΠX : T [a].T [a]
| nata | O | S(T [a])
caseT ◦ X := T [a] of T [a], T [a] | fix X (X : nat? ) : T ? := T [a]
The set of bare terms, position terms and sized terms are defined by T ◦ ::= T [],
T ? ::= T [{, ?}], and T ::= T [S], respectively. We use M , N , P , T , U , C to
denote terms. Bare terms are usually denoted with a superscript ◦ and position
terms with a superscript ?, as in M ◦ and M ? .
To deal with the different classes of terms, we use two erasure functions: the
function |.| : T ? ∪ T → T ◦ removes all annotations from a term; the function
|.|ı : T → T ? replaces all stage annotations s with ? if bsc = ı, or by otherwise.
Given a term M , we write M ∞ to denote the term M where all size annotations
are replaced with ∞, and SV(M ) to denote the set of stage variables appearing
in M .
We write FV(M ) to denote the set of free term variables in M ; we omit its
definitions, since it is usual.
Definition 3. Reduction → is defined as the compatible closure of β-reduction,
ι-reduction and µ-reduction:
appx:T ◦ .U ◦ (λx:T ◦ .U ◦ M , N ) →β
caseT ◦ x := O of N0 , N1 →ι
caseT ◦ x := S(M ) of N0 , N1 →ι
appx:nat.|U ? | (F, C) →µ
M [x := N ]
N0
appy:nat.T ◦ [x:=S(y)] (N1 , M )
appx:nat.|U ? | (M [f := F ], C)
where F ≡ fix f (x : nat? ) : U ? := M and C is a term in constructor form (i.e.,
O or S(M ) for some term M ). We write ←, →∗ , ≈ and ↓ for the inverse relation, the reflexive transitive closure, the equivalence closure and the associated
joinability relation of →, respectively. (M ↓ N if M →∗ P and N →∗ P for
some P .)
The reduction relation defined above, usually called tight reduction, is not
confluent (on pseudoterms). However, is it confluent for well-typed terms (this
is a consequence of SN). (Note that the reduction in the traditional presentation
is confluent.)
Strong Normalization of CC with Type-Based Termination
5
Subtyping. We consider a subtyping relation derived from a partial order on
stages.
Definition 4 (Substage). The relation s is a substage of s0 , written s v s0 , is
defined by the rules:
svs
svr
rvp
svp
s v sb
sv∞
Definition 5 (Subtyping). The subtyping relation, ≤ ⊆ T × T , is defined by
following rules:
(sub-conv)
(sub-prod)
T ↓U
T ≤U
(sub-nat)
T →∗ Πx : T1 .T2
T →∗ nats
U →∗ Πx : U1 .U2
T ≤U
U →∗ natr
T ≤U
U1 ≤ T1
svr
T2 ≤ U2
We define a notion of positivity with respect to a stage variable. It is used in
the typing rules to restrict the types valid for recursion.
Definition 6. We say that ı is positive in T , written ı pos T , if for every pair
of stages s, r, such that s v r, T [ı := s] ≤ T [ı := r].
Remark: In the traditional presentation, the subtyping relation is defined in a
more standard way, as the reflexive transitive closure of the following rules:
T ≈U
T ≤U
U1 ≤ T1
T2 ≤ U2
Πx : T1 .T2 ≤ Πx : U1 .U2
svr
nats ≤ natr
We cannot use this definition in the annotated presentation, since reduction is
not confluent.
3.2
Typing rules
In the typing rules, we restrict the use of size variables appearing in types.
Intuitively, we only allow types that reduce to a term of the form
Πx1 : T1 .Πx2 : T2 . . . . Πxn : Tn .Tn+1 ,
(*)
where each Ti is of the form (*), or is of the form nats , or satisfies SV(Ti ) = ∅.
We call these types “simple”. Formally, we define a predicate simple with the
following clauses:
SV(T ) = ∅
simple(T )
simple(nats )
simple(T1 )
simple(T2 )
simple(Πx : T1 .T2 )
6
Benjamin Grégoire and Jorge Luis Sacchini
Contexts and judgments. A context is a sequence of the form (x1 : T1 )(x2 :
T2 ) . . . (xn : Tn ), where x1 , x2 , . . . , xn are distinct variables and T1 , T2 , . . . , Tn
are sized terms. We use Γ , ∆, Θ to denote contexts and [] to denote the empty
context.
We define two typing judgments: WF(Γ ) means that context Γ is well formed;
Γ ` M : T means that the term M has type T in Γ . The typing rules are given
in Fig. 1. The side conditions in some of the rules ensure that we restrict to
simple types. If we remove these side conditions, the resulting system is that of
CICb. In rule (fix) the condition ı ∈
/ SV(Γ, M ) is therefore redundant, but we
keep it to emphasize the difference with CICb.
Most of the rules are similar to that of CICb, with exception of the added type
annotations. Note in rules (zero) and (succ) that constructors have a successor
stage as type. In rule (case), as we mentioned in Sect. 2, the argument has type
nat with a successor stage, allowing the recursive arguments to have smaller size.
Note that, because of subtyping, any term of type nat can be given a successor
size. In rule (fix) we introduce a fresh size variable for recursion. Not every type
is valid for recursion, since it might lead to inconsistencies [1]. In our case, we
require the size variable used for recursion to appear positively in the return type.
The body, M , has a product type (function) with domain natbı , while recursive
calls to f can only be performed on terms of type natı .
Simple metatheory. Usual metatheoretic results such as weakening, substitution
and subject reduction can be proved for CICb− in the same way as for CICb. See
App. B.
4
Strong Normalization
In this section we prove the main results of the paper: strong normalization of
CICb− , and logical consistency (Theorem 2). The proof is based on Λ-sets as
introduced by Altenkirch in his PhD thesis [2], and later used by Melliès and
Werner [10] to prove strong normalization for Pure Type Systems.
A Λ-set X is a pair (X◦ , |=), where X◦ is a set, and |= ⊆ SN × X◦ is a realizability relation2 (SN denotes the set of strongly normalizing terms). Intuitively,
we define a set-theoretical interpretation (products are interpreted by function
spaces, abstractions by functions and applications by function application), denoted [·], corresponding to the set part of a Λ-set.
We prove that the interpretation is sound: if Γ ` M : T , then [M ] ∈ [T ]
(Lemma 15). We can then prove that every term realizes its interpretation
(Lemma 17), i.e. M |= [M ]. Strong normalization (Corollary 1) follows from
the fact that every realizers is strongly normalizing by definition.
In the case of CICb− , the interpretation given above does not take size information into account. We therefore define a second (relational) interpretation to
show that terms respect the size information given in the type (Sect. 4.3).
2
Actually, for technical reasons, our definition is slightly different.
Strong Normalization of CC with Type-Based Termination
(empty)
(var)
(type)
(abs)
(app)
(nat)
Γ (x) = T
Γ `x:T
s
WF(Γ )
(prop)
Γ `T :u
Γ ` Prop : Type0
Γ (x : T ) ` U : Typej
Γ ` Πx : T.U : max(u, Typej )
Γ `T :u
Γ (x : T ) ` U : Prop
Γ ` Πx : T.U : Prop
Γ (x : T ) ` M : U
Γ ` λx:|T |.|U | M : Πx : T.U
Γ ` M : Πx : T.U
SV(M ) = ∅
Γ `N :T
Γ ` appx:|T |.|U | (M, N ) : U [x := N ]
WF(Γ )
Γ ` nat : Type0
(case)
WF(Γ )
WF(Γ )
(Π-prop)
simple(T )
WF(Γ (x : T ))
Γ ` Typei : Typei+1
(Π-type)
Γ `T :u
WF(Γ )
(cons)
WF([])
(zero)
WF(Γ )
s
b
Γ ` O : nat
SV(N ) = ∅
(succ)
Γ ` M : natsb
Γ (x : natsb) ` P : u
Γ ` N0 : P [x := O]
Γ ` N1 : Πy : nats .P [x := S(y)]
(fix)
Γ ` case|P | x := M of N0 , N1 : P [x := M ]
T ≡ Π(x : natı ).U
ı pos U
ı∈
/ SV(Γ, M )
Γ `T :u
Γ (f : T ) ` M : T [ı := bı]
Γ ` fix f (x : nat? ) : |U |ı := M : T [ı := s]
(conv)
Γ `M :T
Γ `U :u
T ≤U
Γ `M :U
Fig. 1. Typing rules of CICb−
Γ ` M : nats
Γ ` S(M ) : natsb
SV(M ) = ∅
SV(M ) = ∅
simple(U )
7
8
4.1
Benjamin Grégoire and Jorge Luis Sacchini
Preliminary Definitions
In this section we give the concepts necessary to define the interpretation of
terms. Namely, saturated sets, Λ-sets, and inaccessible cardinals.
Saturated sets. We define saturated sets in terms of elimination contexts:
E[] ::= [] | appX :T ◦ .T ◦ (E[], T ) | caseT ◦ X := E[] of T , T
| appX :T ◦ .T ◦ (fix X (X : nat? ) : T ? := T , E[])
A term is atomic if it is of the form E[x]. We denote the set of atomic
terms with AT, and the set of strongly normalizing terms with SN. Weak-head
reduction is defined as E[M ] →wh E[N ] iff M →βιµ N .
Definition 7 (Saturated set). A set of terms X ⊆ SN is saturated iff it
satisfies the following conditions:
(S1) AT ∩ SN ⊆ X;
(S2) if M ∈ SN and M →wh M 0 and M 0 ∈ X, then M ∈ X.
Λ-sets. As mentioned above, we use Λ-sets [2,10] in the proof. However, our
definition is slightly different, as explained below.
Definition 8 (Λ-set). A Λ-set is a triple X = (X◦ , |=X , ⊥X ) where X◦ is a
non-empty set, witnessed by ⊥X ∈ X◦ , and |=X ⊆ T × X◦ .
X◦ is the carrier-set and the elements of X◦ are called the carriers of X. The
terms M such that M |=X α for some α ∈ X◦ are called the realizers of α. The
element ⊥X is called the atomic element of X. We write α ∈ X for α ∈ X◦ . A
Λ-set X is included in a Λ-set Y , written X ⊆ Y , if X◦ ⊆ Y◦ , |=X ⊆ |=Y , and
⊥X = ⊥Y .
Definition 9 (Saturated Λ-set). A Λ-set X is said to be saturated if
1. every realizer is strongly normalizable;
2. the atomic element ⊥X is realized by any atomic strongly normalizable term;
3. for every α ∈ X◦ , if N |=X α, and M →wh N with M ∈ SN, then M |=X α
(i.e., the set of realizers is closed under weak-head expansion).
The difference between the definition in [2,10] and ours is that the atomic
element of a Λ-set is explicit in the definition. The use of the atomic element
will be evident in the definition of the interpretation of terms. However, the
difference in the definition is not essential in our proof.
We define some operations on Λ-sets.
Definition 10 (Product). Let X be a Λ-set and {Yα }α∈X◦ a X◦ -indexed family of Λ-sets. We define the Λ-set Π(X, Y ) by:
S
– Π(X, Y )◦ = {f ∈ X◦ → α∈X◦ (Yα )◦ : ∀α ∈ X◦ .f (α) ∈ (Yα )◦ };
Strong Normalization of CC with Type-Based Termination
9
– M |=Π(X,Y ) f ⇐⇒ ∀α ∈ X◦ . N |=X α.∀T ◦ , U ◦ ∈ SN.∀x ∈ X .appx:T ◦ .U ◦ (M, N ) |=Yα
f (α);
– ⊥Π(X,Y ) = α ∈ X◦ 7→ ⊥Yα .
Lemma 1. If X and every {Yα }α∈X◦ are saturated Λ-sets, so is Π(X, Y ).
Definition 11 (Cartesian product). Let X, Y be Λ-sets. We define the Λ-set
X × Y by: (X × Y )◦ = X◦ × Y◦ ; M |=X×Y (α, β) ⇐⇒ M |=X α ∧ M |=Y β;
and ⊥X×Y = (⊥X , ⊥Y ).
We write X 2 for X × X.
Lemma 2. If X and Y are saturated Λ-sets, so is X × Y .
Definition 12 (Λ-morphism). Let X and Y be Λ-sets. A Λ-morphism f from
X to Y is a function f : X◦ → Y◦ , such that M |=X α ⇒ M |=Y f (α), and
f (⊥X ) = ⊥Y .
Definition 13 (Λ-iso). Let X and Y be Λ-sets. A Λ-iso f from X to Y is a Λmorphism such that f is a one-to-one function, and M |=X α ⇐⇒ M |=Y f (α).
Inaccessible cardinals. We assume an increasing sequence of inaccessible cardinals {λi }i∈N . Let Vα be the cumulative hierarchy of sets. We define Ui to be the
set of saturated Λ-set whose carrier-set are in Vλi . The set Ui can be viewed as a
Λ-set (Ui , SN × Ui , {∅})3 . Following [9], we interpret the predicative sorts using
large universes.
4.2
The interpretation
Stages. Stages are interpreted by ordinals. We use a, b, . . . to denote ordinals.
Since we have only natural numbers as a sized type, we can safely interpret stages
with the smallest infinite ordinal, ω. If we include higher-order sized types (such
as well-founded trees), we need to interpret stages using higher ordinals.
Definition 14 (Stage interpretation). A stage assignment π is a function
from XS to ω. Given a stage assignment π, the interpretation of a stage s under
π, written LsMπ , is defined by:
LıMπ = π(ı),
L∞Mπ = ω,
Lb
sMπ = LsMπ +̂ 1
where a +̂ 1 = a + 1 if a < ω, and ω +̂ 1 = ω.
We use ∞ to denote the stage assignment such that ∞(ı) = ω for all ı.
Lemma 3 (Stage substitution). For any stages s, r and any stage assignment
π, Lr [ı := s]Mπ = LrMπ(ı:=LsMπ ) .
Proof. By induction on the structure of r.
3
We choose {∅} as atomic element, but any element of Ui will do.
t
u
10
Benjamin Grégoire and Jorge Luis Sacchini
Inductive types. Inductive types are interpreted as the least fixed point of a
monotone operator. For our case, we define a function FN , such that if X is a
Λ-set, FN (X) is also a Λ-set defined by:
– FN (X)◦ = {∅} ∪ {(0, ∅)} ∪ {(1, α) : α ∈ X◦ };
– M |=FN (X) α, with M ∈ SN, iff one the following conditions holds:
• α = ∅ and M →wh ∗ N ∈ AT;
• α = (0, ∅) and M →wh ∗ O; or
• α = (1, α0 ) and M →wh ∗ S(M 0 ) with M 0 |=X α0 .
– ⊥FN (X) = ∅,
It is clear that if X is a saturated Λ-set, then FN (X) is also a saturated Λ-set.
Note that FN is monotone, in the sense that if X ⊆ Y , then FN (X) ⊆ FN (Y ).
k
We write FN
to mean function FN iterated k times.
Consider the Λ-set ⊥ = ({∅}, SN ∩ AT × {∅}, ∅). A fixpoint of FN (X) is
ω
(⊥).
reached by iterating ω times, starting from ⊥. Let N = FN
Impredicativity. Following [10], we interpret the impredicative universe as the
set of degenerated Λ-sets.
Definition 15. A Λ-set X is degenerated, if the carrier-set X◦ is a singleton
{A}, where A is a saturated set, M |=X A iff M ∈ A, and ⊥X = A.
We write A for the degenerated Λ-set corresponding to a saturated set A.
A proposition, i.e. a term T of type Prop, is represented by a degenerated Λ-set,
whose only carrier represents a (possible) canonical proof.
Given a Λ-set X and a function Y such that for each α ∈ X◦ , Yα is a
degenerated Λ-set (with carrier yα ), the carrier-set of Π(X, Y ) is a singleton (the
only element being α ∈ X◦ 7→ yα ). The canonical representation of Π(X, Y ) is
given by the degenerated Λ-set corresponding to the saturated set
↓(X, Y ) = {M ∈ SN : N |=X α ⇒ appx:T ◦ .U ◦ (M, N ) |=Yα yα } .
Note that there is a Λ-iso p(X, Y ) : Π(X, Y ) → ↓(X, Y ).
In the interpretation, we need to convert between the interpretation of a proof
term as an element of Π(X, Y ) (if it needs to be applied), or as the canonical
proof ↓(X, Y ). For this, we use the isomorphism p(X, Y ).
We define the functions ΠΓ `T , ↓Γ `T , ↑Γ `T that give the interpretation of
products, abstractions, and applications (respectively), depending if the type
T is a proposition or not. In the case of proposition, these functions convert
between Π(X, Y ) and the canonical representation ↓(X, Y ). Otherwise, there is
no conversion needed. Their definition is given by:
– if Γ ∞ ` T ∞ : Prop, then ΠΓ `T (X, Y ) = ↓(X, Y ), ↓Γ `T (X, Y ) = p(X, Y ),
and ↑Γ `T (X, Y ) = p−1 (X, Y );
– otherwise, ΠΓ `T (X, Y ) = Π(X, Y ), ↓Γ `T (X, Y ) = idΠ(X,Y ) , and ↑Γ `T
(X, Y ) = idΠ(X,Y ) .
Strong Normalization of CC with Type-Based Termination
11
Terms and contexts. The interpretation of an erased context Γ is denoted [Γ ]
(an erased context is a context formed by erased terms). Assume a stage assignment π. Given an erased context Γ , a term M and a sequence of values γ, the
interpretation of M under Γ is denoted [Γ ` M ]πγ .
We define the interpretation by induction on the structure of terms and
contexts. In the case of fixpoint construction we use Hilbert’s choice operator.
Definition 16 (Interpretation of terms and contexts).
[[]] = {∅}
[Γ (x : T )] = {(γ, α) : γ ∈ [Γ ] ∧ α ∈ [Γ ` T ∞ ]∞
γ }
[Γ ` Typei ]πγ = Ui
[Γ ` Prop]πγ = {X : X is a degenerated Λ-set}
[Γ ` x]πγ = γ(x)
[Γ ` Πx : T.U ]πγ = ΠΓ `Πx:T.U ([Γ ` T ]πγ , [Γ (x : T ) ` U ]πγ, )
[Γ ` λx:T ◦ .U ◦ M ]πγ = ↓Γ `Πx:T ◦ .U ◦ ([Γ (x : T ∞ ) ` M ]πγ, )
[Γ ` appx:T ◦ .U ◦ (M, N )]πγ = ↑Γ `Πx:T ◦ .U ◦ ([Γ ` M ]πγ )([Γ ` N ]πγ )
[Γ ` nats ]πγ = FN
LsMπ
(⊥)
= (0, ∅)
= (1, [Γ ` N ]πγ )
⊥[Γ (x : nat) ` P ∞ ]πγ,⊥
π
x := M of N0 , N1 ]γ = [Γ ` N0 ]πγ
↑Γ `T ([Γ ` N1 ]πγ )(α)
[Γ
[Γ ` caseP ◦
[Γ ` O]πγ
` S(N )]πγ
if [Γ ` M ]πγ = ∅;
if [Γ ` M ]πγ = (0, ∅);
if [Γ ` M ]πγ = (1, α)
where T = Πy : nat.P ◦ [x := S(y)]
[Γ ` fix f (x : nat? ) : U ? := M ]πγ = (F, P )
where F ∈ [Γ ` Πx : nat∞ .U ∞ ]πγ , P is the conjunction of the following properties:
↑(F )∅ = ⊥[Γ (x : nat) ` U ∞ ]πγ,∅ ;
(1)
↑(F )(0, ∅) = ↑([Γ (f : |T |) ` M ]πγ,F )(0, ∅);
↑(F )(1, α) = ↑([Γ (f : |T |) `
M ]πγ,F )(1, α), for
(2)
all (1, α) ∈ N
(3)
where we write |T | for Πx : nat.|U |, and ↑ for ↑Γ `|T | .
We write [Γ (x : T ) ` M ]πγ, as a short hand for
α ∈ [Γ ` T ]πγ 7→ [Γ (x : |T |) ` M ]πγ,α .
The conditions imposed on the interpretation of fixpoint construction ensure
the stability under µ-reductions. In the main soundness theorem, we prove that
the typing rules for fixpoint ensure the existence of a unique function F satisfying
the above conditions.
12
4.3
Benjamin Grégoire and Jorge Luis Sacchini
Interpretation of simple types.
We define a second (relational) interpretation for simple types. The intention of
this second interpretation is to cope with the lack of size annotations in types.
Consider the following derivation:
Γ (x : nats ) ` M : natr
Γ ` λx : nat.M : nats → natr
Note that s and r above could be any size expression. But this size information is
not present in the term λx : nat.M . The interpretation of this term is a function
in the set N → N, specifically α ∈ N 7→ [M ]α . To show that the term respects
the sizes s and r, we use the relational interpretation of the type. In the case of
nats → natr , the relational interpretation, denoted J·K, is
Jnats → natr K = {(f1 , f2 ) ∈ N → N : α < [s] ⇒ f1 α = f2 α < [r]}
Then, the interpretation satisfies ([λx : nat.M ], [λx : nat.M ]) ∈ Jnats → natr K.
The relational interpretation can be extended to simple types. Intuitively, the
soundness judgment says that if Γ ` M : T , then ([M ], [M ]) ∈ JT K.
The relational interpretation also satisfies the contravariance rule. Consider
0
a stage s0 v s; the relational interpretation of nats → natr gives
0
Jnats → natr K = {(f1 , f2 ) ∈ N → N : α < [s0 ] ⇒ f1 α = f2 α < [r]}
0
Since [s0 ] ≤ [s], we have Jnats → natr K ⊆ Jnats → natr K.
Definition. Assume a simple type T such that [Γ ` T ∞ ]πγ1 , [Γ ` T ∞ ]πγ2 , [Γ ` T ]πγ1 ,
and [Γ ` T ]πγ2 are Λ-sets and that [Γ ` T ]πγ1 = [Γ ` T ]πγ2 . The relational interpretation of T , denoted JΓ ` T Kπγ1 ,γ2 , is a Λ-set with a carrier-set included in
[Γ ` T ∞ ]πγ1 × [Γ ` T ∞ ]πγ2 .
It is defined as follows: if Γ ∞ ` T ∞ : Prop, then
JΓ ` T Kπγ1 ,γ2 = (X, |=, ⊥)
where
X = ([Γ ` T ∞ ]πγ1 )◦ × ([Γ ` T ∞ ]πγ2 )◦
M |= (α1 , α2 ) ⇐⇒ M ∈ [Γ ` T ]πγ1
⊥ = (⊥[Γ
, ⊥[Γ ` T ∞ ]πγ )
` T ∞ ]π
γ1
2
(remember that, in this case, the carrier-sets of [Γ ` T ]πγ1 and [Γ ` T ]πγ1 are
singletons); otherwise, it is defined by induction on the structure of T as follows:
Strong Normalization of CC with Type-Based Termination
13
– if T ≡ Πx : T1 .T2 and simple(T1 ) and simple(T2 ). Assume JΓ ` T1 Kπγ1 ,γ2 is
a defined Λ-set (denoted JT1 K), with a carrier-set included in [Γ ` T1∞ ]πγ1 ×
[Γ ` T1∞ ]πγ2 and, for every (α1 , α2 ) ∈ JT1 K, JΓ (x : |T1 |) ` T2 Kπ(γ1 ,α1 ),(γ2 ,α2 ) is a
defined Λ-set (denoted by JT2 K(α1 , α2 ). We define JΓ ` T Kπγ1 ,γ2 = (X, |=, ⊥),
where
X = {(f1 , f2 ) ∈ [Γ ` T ∞ ]πγ1 × [Γ ` T ∞ ]πγ2 :
(α1 , α2 ) ∈ JT1 K ⇒ (f1 (α1 ), f2 (α2 )) ∈ JT2 K(α1 , α2 )};
M |= (f1 , f2 ) ⇐⇒ ∀(α1 , α2 ) ∈ JT1 K.N |=JT1 K (α1 , α2 ).∀T ◦ , U ◦ ∈ SN.x ∈ X .
appx:T ◦ .U ◦ (M, N ) |=JT2 K(α1 ,α2 ) (f1 (α1 ), f2 (α2 ));
⊥ = (⊥[Γ
` T ∞ ]π
γ
1
, ⊥[Γ
` T ∞ ]π
γ
2
);
– if T ≡ nats , we define JΓ ` nats Kπγ1 ,γ2 = ([Γ ` nats ]πγ1 )2 ;
– otherwise, SV(T ) = ∅ and we define JΓ ` T Kπγ1 ,γ2 = ([Γ ` T ]πγ1 )2 .
Note that, intuitively, α1 and α2 are related in Jnats Kπ if they are equal, and the
“height” of α1 is less than LsMπ .
Given a simple type T , such that SV(T ) = ∅, there might be more than one
clause of the above definition that applies. The following lemma states that the
definition does not depend on which clause we use.
Lemma 4. Let T be a term such that simple(T ) and SV(T ) = ∅. If JΓ ` T Kπγ1 ,γ2
is defined and [Γ ` T ]πγ1 = [Γ ` T ]πγ2 , then JΓ ` T Kπγ1 ,γ2 = ([Γ ` T ]πγ1 )2 .
Proof. If Γ ∞ ` T ∞ : Prop, the result follows by definition. Otherwise, we proceed
by induction on the structure of T . The only interesting case is when T ≡ Πx :
T1 .T2 . Since JΓ ` T Kπγ1 ,γ2 is defined, we have that JΓ ` T1 Kπγ1 ,γ2 is defined, and
for every (α1 , α2 ) ∈ JΓ ` T1 Kπγ1 ,γ2 , JΓ (x : |T1 |) ` T2 Kπ(γ1 ,α1 ),(γ2 ,α2 ) is defined.
We write JT K for JΓ ` T Kπγ1 ,γ2 , JT1 K for JΓ ` T1 Kπγ1 ,γ2 and JT2 Kα1 ,α2 for
JΓ (x : |T1 |) ` T2 Kπ(γ1 ,α1 ),(γ2 ,α2 ) .
By IH, JT1 K = ([Γ ` T1 ]πγ1 )2 . Hence, (α1 , α2 ) ∈ JT1 K iff α1 = α2 ∈ [Γ ` T1 ]πγ1 .
Again by IH, JT2 Kα,α = ([Γ (x : |T1 |) ` T2 ]πγ1 ,α )2 for every α ∈ [Γ ` T1 ]πγ1 .
By definition, (f1 , f2 ) ∈ [Γ ` T ∞ ]πγ1 ×[Γ ` T ∞ ]πγ2 iff for all α ∈ JT1 K, (f1 (α), f2 (α)) ∈
JT2 Kα,α . Hence, f1 = f2 . Checking the other conditions is easy.
t
u
4.4
Properties of the interpretation
In this section we prove some simple properties of both interpretations.
Lemma 5 (Soundness of weakening).
1. If [Γ ∆] is defined, and z ∈
/ FV(∆), then [Γ (z : T ◦ )∆] is defined, and
[Γ (z : T ◦ )∆] = {(γ, ν, δ) : (γ, δ) ∈ [Γ ∆], ν ∈ [Γ ` T ∞ ]∞
γ };
2. if [Γ ∆ ` M ]πγ,δ is defined, and z ∈
/ FV(∆, M ), then [Γ (z : T ◦ )∆ ` M ]πγ,α,δ
is, and
[Γ (z : T ◦ )∆ ` M ]πγ,α,δ = [Γ ∆ ` M ]πγ,δ .
14
Benjamin Grégoire and Jorge Luis Sacchini
Proof. By induction on the constructions of [Γ ∆] and [Γ ∆ ` M ]πγ,δ . We treat
some relevant cases.
– We know that [Γ ∆] is defined. Then, either ∆ is empty and [Γ ∆] = [Γ ], or
∆ = ∆0 (y : U ◦ ) and [Γ ∆] is defined as
[Γ ∆0 (y : U ◦ )] = {(γ, δ, ζ) : (γ, δ) ∈ [Γ ∆0 ], ζ ∈ [Γ ∆0 ` U ∞ ]∞
γ,δ } .
In the former case, the result follows trivially. In the latter, by IH we have
[Γ (z : T ◦ )∆0 ] = {(γ, ν, δ) : (γ, δ) ∈ [Γ ∆0 ], ν ∈ [Γ ` T ∞ ]∞
γ }
0
∞ ∞
[Γ (z : T ◦ )∆0 ` U ∞ ]∞
γ,ν,δ = [Γ ∆ ` U ]γ,δ
By definition,
[Γ (z : T ◦ )∆0 (y : U ◦ )] = {(γ, ν, δ, ζ) : (γ, ν, δ) ∈ [Γ (z : T ◦ )∆0 ], ζ ∈ [Γ (z : T ◦ )∆0 ` U ∞ ]∞
γ,ν,δ }
The rhs being equal to
{(γ, ν, δ, ζ) : (γ, δ, ζ) ∈ [Γ ∆0 (y : U ◦ )], ν ∈ [Γ ` T ∞ ]∞
γ }
which is the desired result
– Suppose that M = x, then [Γ ∆] is defined and (γ, δ) ∈ [Γ ∆]. By IH,
[Γ (z : T )∆] is also defined, and, since z is different from x,
[Γ (z : T )∆ ` x]πγ,α,δ = [Γ ∆ ` x]πγ,δ .
– The other cases are similar. Note that in the case of product, abstraction,
application, case and fix, we need to use Weakening for the typing judgment.
Lemma 6 (Soundness of stage substitution). If [Γ ` M [ı := s]]πγ is deπ(ı:=LsMπ )
fined, then [Γ ` M ]γ
is defined, and
[Γ ` M ]γπ(ı:=LsMπ ) = [Γ ` M [ı := s]]πγ .
Proof. By induction on the construction of [Γ ` M [ı := s]]πγ . In the case where
M ≡ natr , we use Lemma 3.
Lemma 7 (Soundness of substitution). If Γ (x : T )∆ ` M : U and Γ `
N : T are derivable, SV(N ) = ∅, γ ∈ [Γ ]π , ν = [Γ ` N ]πγ is defined, (γ, ν, δ) ∈
[Γ (x : T )∆]π , and [Γ (x : T )∆ ` M ]πγ,ν,δ is defined, then [Γ, ∆ [x := N ] ` M [x := N ]]πγ,δ
is defined, and
[Γ, ∆ [x := N ] ` M [x := N ]]πγ,δ = [Γ (x : T )∆ ` M ]πγ,ν,δ .
Proof. By induction on the structure of M .
– M ≡ x. We want to prove that [Γ, ∆ [x := N ] ` N ]πγ,δ is defined, and that
[Γ, ∆ [x := N ] ` N ]πγ,δ = [Γ (x : T )∆ ` x]πγ,ν,δ .
The rhs is, by definition, equal to ν = [Γ ` N ]πγ . The result follows by applying Lemma 5 as many times as the length of ∆.
Strong Normalization of CC with Type-Based Termination
15
– M ≡ λy:P ◦ .Q◦ M 0 . Note that
[Γ (x : T )∆ ` M ]πγ,ν,δ =
↓Γ (x:T )∆`Πy:P ◦ .Q◦ ([Γ (x : T )∆ ` P ∞ ]πγ,ν,δ , [Γ (x : T )∆(y : P ∞ ) ` M 0 ]πγ,ν,δ, ) .
Assume that Γ (x : T )∆ ` Πy : P ∞ .Q∞ : W . By substitution,
Γ ∆ [x := N ] ` Πy : P ∞ [x := N ].Q∞ [x := N ] : W [x := N ] .
In particular, if W ≡ Prop, then W [x := N ] ≡ Prop. Then ↓Γ (x:T )∆`Πx:P.Q =
↓Γ ∆[x:=N ]`Πy:P ∞ [x:=N ].Q∞ [x:=N ] .
By IH on P ∞ , [Γ, ∆ [x := N ] ` P ∞ [x := N ]]πγ,δ is defined, and
[Γ, ∆ [x := N ] ` P ∞ [x := N ]]πγ,δ = [Γ (x : T )∆ ` P ∞ ]πγ,ν,δ .
Take α ∈ [Γ (x : T )∆ ` P ∞ ]πγ,ν,δ . We can also apply the IH on M 0 with
(γ, ν, δ, α) ∈ [Γ (x : T )∆(y : P ∞ )]π . The result follows easily.
– The rest of the cases are similar.
t
u
Lemma 8 (Soundness of subject reduction). Let Γ ` M : T and M → N .
If [Γ ` M ]πγ is defined, then [Γ ` N ]πγ is defined and
[Γ ` M ]πγ = [Γ ` N ]πγ
Proof. By induction on M → N . The key cases are when M is a redex.
β-redex Let M ≡ appx:T ◦ .U ◦ (λx:T ◦ .U ◦ M1 , M2 ), and N ≡ M1 [x := M2 ]. We
have two cases: if Γ ` Πx : T ◦ .U ◦ : Prop, and otherwise. Note that, in both
cases, ↑Γ `Πx:T ◦ .U ◦ ◦ ↓Γ `Πx:T ◦ .U ◦ = idΠ([Γ ` T ∞ ]π, [Γ (x : T ◦ ) ` U ∞ ]πγ, .
Then, [Γ ` M ]πγ = [Γ (x : T ◦ ) ` M1 ]πγ, ([Γ ` M2 ]πγ ). By Lemma 7, this is
equal to [Γ ` M1 [x := M2 ]]πγ which is [Γ ` N ]πγ .
ι-redex The result follows directly from the definition of the interpretation of
M.
µ-redex The result follows by Lemma 7. Note that the conditions imposed to
the interpretation of M ensure the invariance under µ-reductions.
The rest of the cases concern the compatible closure of →. They follow easily
by direct applications of the IH.
t
u
In the following we prove some properties of the relational interpretation:
soundness of weakening, substitution, and subtyping.
Lemma 9 (Soundness of weakening). If JΓ ∆ ` U Kπ(γ1 ,δ1 ),(γ2 ,δ2 ) is defined,
then JΓ (z : T )∆ ` U Kπ(γ1 ,α1 ,δ1 ),(γ2 ,α2 ,δ2 ) is defined and both are equal.
Proof. We consider two cases
If Γ ∞ ∆∞ ` T ∞ : Prop The result follows by Lemma 7.
16
Benjamin Grégoire and Jorge Luis Sacchini
If Γ ∞ ∆∞ 6` T ∞ : Prop We proceed by induction on the structure of U . We consider two cases.
U ≡ Πx : U1 .U2 . By IH, JΓ (z : T )∆ ` U1 Kπ(γ1 ,α1 ,δ1 ),(γ2 ,α2 ,δ2 ) is defined and
JΓ (x : T )∆ ` U1 Kπ(γ1 ,α1 ,δ1 ),(γ2 ,α2 ,δ2 ) = JΓ ∆ ` U1 Kπ(γ1 ,δ1 ),(γ2 ,δ2 ) .
Also, for every (ν1 , ν2 ) ∈ JΓ ∆ ` U1 Kπ(γ1 ,δ1 ),(γ2 ,δ2 ) , JΓ (z : T )∆(x : U1 ) `
U2 Kπ(γ1 ,α1 ,δ1 ,ν1 ),(γ2 ,α2 ,δ2 ,ν2 ) is defined and
JΓ (z : T )∆(x : U1 ) ` U2 Kπ(γ1 ,α1 ,δ1 ,ν1 ),(γ2 ,α2 ,δ2 ,ν2 ) = JΓ ∆(x : U1 ) ` U2 Kπ(γ1 ,δ1 ,ν1 ),(γ2 ,δ2 ,ν2 ) .
The result follows easily from the definition of the relational interpretation.
U ≡ nats The result is trivial, since the interpretation of nats does not depend on the context.
In the rest of the cases, since U is simple, we have SV(U ) = ∅. The result
follows by Lemma 7.
t
u
Lemma 10 (Soundness of stage substitution). If JΓ ` T [ı := s]Kπγ1 ,γ2 is
π(ı:=LsMπ )
defined, then JΓ ` T Kγ1 ,γ2
is defined, and both are equal.
Proof. We consider two cases.
If Γ ∞ ∆∞ ` T ∞ : Prop The result is trivial since both interpretations are defined in the same way.
If Γ ∞ ∆∞ 6` T ∞ : Prop We proceed by induction on the structure of T . All cases
follow easily, applying Lemma 6.
t
u
Lemma 11 (Soundness of substitution). Let Γ (x : U )∆ ` T : W and Γ `
N : U and SV(N ) = ∅. Let γi ∈ [Γ ]π , νi ≡ [Γ ` N ]πγi , (γi , νi , δi ) ∈ [Γ (x : U )∆]π ,
for i = 1, 2, and JΓ (x : U )∆ ` T Kπγ1 ,ν1 ,δ1 ,γ2 ,ν2 ,δ2 are defined. Then
JΓ ∆ [x := N ] ` T [x := N ]Kπ(γ1 ,δ1 ),(γ2 ,δ2 ) = JΓ (x : U )∆ ` T Kπ(γ1 ,ν1 ,δ1 ),(γ2 ,ν2 ,δ2 )
Proof. We follow the same scheme as in the two previous proofs. All cases follow
easily, using Lemma 7.
t
u
Lemma 12 (Soundness of subject reduction). Let Γ ` T : W and T → U .
If JΓ ` T Kπγ1 ,γ2 is defined, then JΓ ` U Kπγ1 ,γ2 is defined and
JΓ ` T Kπγ1 ,γ2 = JΓ ` U Kπγ1 ,γ2
Proof. By induction on the structure of T , using Lemma 8.
Lemma 13 (Soundness of subtyping). Assume Γ ` T, U : u, and simple(T, U )
and T ≤ U . If JΓ ` T Kπγ1 ,γ2 and JΓ ` U Kπγ1 ,γ2 are defined, then JΓ ` T Kπγ1 ,γ2 ⊆
JΓ ` U Kπγ1 ,γ2
Strong Normalization of CC with Type-Based Termination
17
Proof. We proceed by induction on the derivation of T ≤ U . Rule (sub-nat) is
easy. In rule (sub-conv) we use the previous lemma. We consider the case of rule
(sub-prod). Assume that T →∗ Πx : T1 .U1 , U →∗ Πx : U1 .U2 , U1 ≤ T1 and
T2 ≤ U2 . By the previous lemma, applied to T and U , JΓ ` Πx : T1 .T2 Kπγ1 ,γ2
JΓ ` Πx : U1 .U2 Kπγ1 ,γ2 are defined and
JΓ ` T Kπγ1 ,γ2 = JΓ ` Πx : T1 .T2 Kπγ1 ,γ2
JΓ ` U Kπγ1 ,γ2 = JΓ ` Πx : U1 .U2 Kπγ1 ,γ2 .
By IH, JΓ ` U1 Kπγ1 ,γ2 ⊆ JΓ ` T1 Kπγ1 ,γ2 and JΓ ` T2 Kπγ1 ,γ2 ⊆ JΓ ` U2 Kπγ1 ,γ2 . The
result follows from the definition of the relational interpretation of a product.
Note that T1∞ ↓ U1∞ , therefore [Γ ` T1∞ ]πγ1 = [Γ ` U1∞ ]πγ1 .
Lemma 14 (Soundness of stage monotonicity). Let s, r be stages such that
π(ı:=s)
s v r. If JΓ ` T Kπγ1 ,γ2 is defined, and ı pos T , then JΓ ` T Kγ1 ,γ2 ⊆ JΓ `
π(ı:=r)
T Kγ1 ,γ2
Proof. By the previous lemma and the definition of pos.
4.5
t
u
Soundness
We extend the relational interpretation of types to contexts in the following way:
J[]Kπ = {(∅, ∅)}
JΓ (x : T )Kπ = {((γ1 , α1 ), (γ2 , α2 )) : (γ1 , γ2 ) ∈ JΓ Kπ ∧ (α1 , α2 ) ∈ JΓ ` T Kπγ1 ,γ2 }
Below is the main soundness theorem. In the following, we write [Γ ` M ]πγ1 ,γ2
to mean ([Γ ` M ]πγ1 , [Γ ` M ]πγ2 ).
Lemma 15 (Soundness).
1. If Γ ` M : T and (γ1 , γ2 ) ∈ JΓ Kπ , then [Γ ` M ]πγ1 ,γ2 , JΓ ` T Kπγ1 ,γ2 are defined
and
[Γ ` M ]πγ1 ,γ2 ∈ JΓ ` T Kπγ1 ,γ2 .
2. If Γ ` T : u, simple(T ), and (γ1 , γ2 ) ∈ JΓ Kπ , then JΓ ` T Kπγ1 ,γ2 is a defined
Λ-set.
3. If WF(Γ ) and (γ1 , γ2 ) ∈ JΓ Kπ , then (γ1 , γ1 ) ∈ JΓ Kπ and (γ1 , γ1 ) ∈ JΓ K∞ .
Proof. We prove all statements simultaneously, by induction on the type derivation. We consider only the most relevant cases.
(fix) Let M ≡ fix f (x : nat? ) : U ? := N , and T ≡ Π(x : natı ).U , with ı pos U .
We first prove that [Γ ` M ]πγ is defined if (γ, γ) ∈ JΓ Kπ . This means proving
that it satisfies Equations (1), (2) and (3).
Let γ such that (γ, γ) ∈ JΓ Kπ . Then (γ, γ) ∈ JΓ K∞ .
Some notation. We write
– [U ]α for [Γ (x : nat) ` U ]πγ,α ;
18
Benjamin Grégoire and Jorge Luis Sacchini
– [T ] for [Γ ` T ]πγ ;
– ∞(ı := a) for the stage valuation that assigns a to ı and ∞ to every
other stage variable;
∞(ı:=a)
– f1 ∼ı:=a f2 for (f1 , f2 ) ∈ JΓ ` T Kγ,γ
; we use the same notation for
ı:=a
sets of functions: F1 ∼
F2 iff for all f1 ∈ F1 , f2 ∈ F2 , f1 ∼ı:=a f2 ;
– ↑ for ↑Γ `T .
Given a function f ∈ [T ], we define f⊥ as
(
⊥[U ]β if β = ⊥;
f⊥ (β) =
f (β) otherwise
for β ∈ N .
We write F(f ) for [Γ (f : T ) ` N ]πγ,f , and F⊥ (f ) for ([Γ (f : T ) ` N ]πγ,f )⊥ .
The IH gives us:
1. JΓ ` T Kπγ1 ,γ2 is defined;
2. if f1 ∼ı:=a f2 for some ordinal a, then F(f1 ) ∼ı:=a+1 F(f2 );
LaM
3. for all f1 ∼ı:=a f2 and α ∈ FN π , (↑(f1 )(α), ↑(f2 )(α)) ∈ JΓ (x : natı ) `
∞(ı:=a)
U K(γ,α),(γ,α) . Since ı pos U , by IH, ↑(f1 )(α) = ↑(f2 )(α).
We define a sequence of sets F0 , F1 , . . . as follows:
F0 = {f ∈ [T ] : ∀↑(f )(∅) = ⊥[U ]∅ }
Fk+1 = F⊥ (Fk ), for k > 0
T
We prove that there exists a unique function F ∈ k≥0 Fk . (We then define
[Γ ` M ]πγ as F .)
Note that if f1 ∼ı:=a f2 , then (f1 )⊥ ∼ı:=a (f2 )⊥ .
By definition, F1 ⊆ F0 . Then, F2 ⊆ F1 , . . .
We have Fk ∼ı:=0 Fj , for k, j ≥ 0. By 2, Fk+1 ∼ı:=1 Fj+1 . And in general,
Fk+n ∼ı:=n Fj+n .
Since ı pos U , Fk+n and Fj+n coincide for the first n numbers. . We can
then define a function F such that for all α ∈ N ,
F (α) = Fk (α)
k
for some k such that α ∈ FN
. This function is well defined: given k1 , k2 such
k1
k2
that α ∈ FN ∩ FN , Fk1 (α) = Fk2 (α).
We now prove that F satisfies Equations (1), (2) and (3). Eq. (1) is satisfied
by definition. Eq. (2) states that ↑(F )(0, ⊥) = ↑(F(F ))(0, ⊥). Since F ∼ı:=0
F0 , F(F ) ∼ı:=1 F1 . Then ↑(F(F ))(0, ⊥) = ↑(F1 )(0, ⊥) = ↑(F )(0, ⊥).
Finally, Eq. (3) states that for all (1, α) ∈ N , ↑(F )(1, α) = ↑(F(F ))(1, α).
k
We proceed similarly to the previous case. Let k such that α ∈ FN
. Since
ı:=k
ı:=k+1
F ∼
Fk , F(F ) ∼
Fk+1 . Then ↑(F(F ))(1, α) = ↑(Fk+1 )(1, α) =
↑(F )(1, α).
We define [Γ ` M ]πγ = F . This completes the first part of the proof. The
second part is to prove that if (γ1 , γ2 ) ∈ JΓ Kπ , then [Γ ` M ]πγ1 ,γ2 ∈ JΓ `
π(ı:=LsMπ )
T [ı := s]Kπγ1 ,γ2 . Note that JΓ ` T [ı := s]Kπγ1 ,γ2 is the same as JΓ ` T Kγ1 ,γ2
.
Strong Normalization of CC with Type-Based Termination
19
We proceed by induction on LsMπ . The base case is trivial. For the inductive case, assume that the property is valid for LsMπ = k. That is,
π(ı:=k)
π(ı:=k)
[Γ ` M ]γ1 ,γ2 ∈ JΓ ` T Kγ1 ,γ2 .
π(ı:=k)
π(ı:=k)
By IH, [Γ (f : T ) ` N ](γ1 ,[Γ ` M ]π ),(γ2 ,[Γ ` M ]π ) ∈ JΓ (f : T ) ` T [ı := bı]K(γ1 ,[Γ ` M ]π ),(γ2 ,[Γ
γ1
γ2
γ1
That is,
[Γ ` N [f := M ]]γπ(ı:=k+1)
∈ JΓ ` T Kπ(ı:=k+1)
.
γ1 ,γ2
1 ,γ2
k+1
By definition, for all α ∈ FN
,
↑([Γ ` M ]πγi )(α) = ↑([Γ ` N [f := M ]]πγi )(α),
and the result follows.
(abs) By IH, (γ1 , γ1 ) ∈ JΓ K∞ . Take α ∈ [Γ ` T ]πγ1 . Then (α, α) ∈ JΓ ` T K∞
γ1 ,γ1 ,
and ((γ1 , α), (γ1 , α)) ∈ JΓ K∞ . By IH, [Γ (x : T ) ` M ]πγ1 ,α is defined.
The other part follows directly from the IH.
4.6
Strong normalization
In this section we prove our main result: strong normalization of CICb− .
A substitution is a mapping θ from variables to terms, such that θ(x) 6= x
for a finite number of variables x. We use θ to denote substitutions, and ε to
denote the identity substitution. We write θ(x 7→ M ) for the substitution that
gives M when applied to x and θ(y) when applied to y 6= x. We write M θ for
the capture-avoiding substitution of the free variables of M with θ.
Definition 17. Let (γ1 , γ2 ) ∈ JΓ Kπ . We define θ |=Γπ (γ1 , γ2 ) by the following
clauses:
θ |=Γπ (γ1 , γ2 )
M |=JΓ `T Kπγ ,γ (α1 , α2 )
1
ε |=Γπ []
2
θ(x 7→ M ) |=Γπ (x:T ) (γ1 , α1 ), (γ2 , α2 )
Lemma 16. If Γ ` T : u, and simple(T ), and |=Γπ θ, then
`T
N |=Γγ,π
⊥[Γ
` T ]π
γ
for all strongly-normalizing atomic term N .
Lemma 17. If Γ ` M : T and (γ1 , γ2 ) ∈ JΓ Kπ and θ |=Γπ (γ1 , γ2 ), then
M θ |=JΓ `T Kπγ
1 ,γ2
[Γ ` M ]πγ1 ,γ2
Proof. We proceed by induction on the derivation of Γ ` M : T . We consider
only the most relevant cases.
(fix) Let M ≡ fix f (x : nat? ) : |U |ı := N , with T ≡ Π(x : natı ).U and ı pos U .
We want to prove that
`T [ı:=s]
M θ |=Γγ,π
[Γ ` M ]πγ
(4)
.
` M ]π
γ )
2
20
Benjamin Grégoire and Jorge Luis Sacchini
We consider two cases. In the first case, we assume that Γ ` T : Typei for
some i.
Γ `T [ı:=s]
`T
Note that (|=γ,π
) = (|=Γγ,π(ı:=LsM
). We write π 0 for π(ı := LsMπ ). To
π)
prove (4) we need to show that for every
Γ `(x:natı )
Q |=γ,π0
we have
α
Γ (x:natı )`U
appx:nat.|U | (M θ, Q) |=(γ,α),π0
(5)
[Γ ` M ]πγ (α)
(6)
We proceed by induction on LsMπ .
Base case: LsMπ = 0. Take Q, α satisfying (5). Then Q is an atomic strongly
normalizing term, and α = ∅. Then appx:nat.|U | (M θ, Q) is also an atomic
term and [Γ ` M ]πγ (∅) = ⊥[Γ (x : nat) ` U ∞ ]πγ,∅ . Therefore, Eq. (6) is satisfied.
Inductive case: LsMπ = k + 1. We want to prove that
`T
M θ |=Γγ,π(ı=k+1)
[Γ ` M ]πγ
(7)
`T
M θ |=Γγ,π(ı=k)
[Γ ` M ]πγ
(8)
`T
`T
γ, f |=Γγ,π
θ ⇒ N θ |=Γγ,π
[Γ (f : T ) ` N ]πγ,f
(9)
The inner IH says
The outer IH says
π(ı:=k)
Take F ≡ [Γ ` M ]πγ . From soundness we know that [Γ ` F ]γ,γ
π(ı:=k)
.
T ı Kγ,γ
Let us define θf = θ(f 7→ M θ). Then
∈ JΓ `
Γ (f :T )
θf |=π(ı:=k) (γ, F )
By Eq. (9), we have
`T
N θf |=Γγ,π(ı:=k+1)
[Γ (f : T ) ` N ]πγ,F
(10)
Let Q, α satisfy (5). We want to prove that
Γ ∆(x:natı )`U ı
appx:nat.|U | (M θ, Q) |=(γ,δ,α),π(ı:=k+1) F (α)
(11)
`α
We have Q |=Γγ,π(ı:=k+1)
α. If α = ⊥, then we proceed as in the base case.
Otherwise, α = (0, ⊥) or α = (1, α0 ). In both cases, Q →wh ∗ C where C is a
`α
term in constructor form, with C |=Γγ,π(ı:=k+1)
α. Then
appx:nat.|U | (M θ, Q) →wh ∗
appx:nat.|U | (M θ, C) ≡ appx:nat.|U | (fix f (x : nat? ) : |U |ı θ := N θ, C) →wh
appx:nat.|U | (N θ [f := M θ], C) ≡ appx:nat.|U | (N θf , C)
Strong Normalization of CC with Type-Based Termination
21
By Eq. (10),
Γ (x:natı )`U
appx:nat.|U | (N θf , C) |=(γ,α),π(ı:=k+1) [Γ (f : T ) ` N ]πγ,F (α)
Γ (x:natı )`U
Note that [Γ (f : T ) ` N ]πγ,F (α) = F (α), and Eq. (11) follows, since |=(γ,α),π(ı:=k+1)
is closed under weak-head expansion.
Corollary 1. If Γ ` M : T then M is strongly normalizing.
Proof. It is not difficult to see that ε |=Γπ ⊥Γ , where ⊥Γ is the sequence of atomic
elements of relational interpretation the types of Γ . The result follows from the
previous lemma, and the fact that realizers are strongly normalizing.
t
u
As a consequence of soundness and strong normalization, we can easily derive
canonicity and logical consistency. Canonicity is the property that closed terms
of inductive types reduce to canonical forms. In our case, a term N is in canonical
form if N ≡ O, or N ≡ S(N 0 ) and N 0 is in canonical form.
Logical consistency states that there are types that are not inhabited.
Theorem 1 (Canonicity). If Γ ` M : nats and M is closed, then M reduces
to a canonical form.
Theorem 2. There is no term M such that ` M : Πx : Prop.x.
Proof. Assume there exits an M such that ` M : Πx : Prop.x. By strong
normalization, we can assume that M is in normal form. It is not difficult to see
that M must be of the form λx : Prop.N , with (x : Prop) ` N : x. Since N is
in normal form, we can prove that it must be an atomic term, i.e., N ≡ E[x],
for some elimination context E (note that the head variable must be x). By
case analysis on E, we have that either (x : Prop) ` x : nats for some s, or
(x : Prop) ` x : Πx : T1 .T2 for some T1 , T2 . Both cases are impossible.
t
u
5
Related Work
The idea of using sized types to ensure termination and productivity was initiated by Hughes, Pareto and Sabry [7]. Abel [1] extended system Fω with sized
(co-)inductive types. In turn, CICb− is derived from CICb [4]. We refer to these
papers for further information and examples, and focus on work related to strong
normalization.
Our proof of strong normalization closely follows the work of Melliès and
Werner [10]. The authors use Λ-sets to develop a generic proof of strong normalization for Pure Type Systems. They avoid the use of inaccessible cardinals, but
it is unlikely that the same can be achieved in the presence of inductive types.
Λ-sets were introduced by Altenkirch in [2]. He develops a generic model
for the Calculus of Constructions (CC), that can be instantiated with Λ-sets to
obtain a proof of strong normalization. He also extends the proof to include one
inductive type (trees) at the impredicative level.
22
Benjamin Grégoire and Jorge Luis Sacchini
There are in the literature several proofs of strong normalization for (nondependent) typed lambda calculi extended with sized types. We refer the reader
to [1,4] for further references.
On dependent types, an extension with type-based termination was first considered by Giménez [6]. However, stages are not explicitly represented, which
complicates the definition of mutually recursive functions.
Barras [3] has formalized in Coq a proof of consistency CCω extended with
natural numbers. Termination of recursive functions is ensured by a restricted
form of sized types, inspired by the work of Giménez. However, it is not possible
to express size-preserving functions, which prevents the typing of quicksort.
Blanqui [5] uses sized types to ensure termination of CC extended with
higher-order rewrite rules. In our case, we use just fix/case instead of rewrite
rules. However, he makes some assumptions on the confluence and subject reduction of the combination of rewriting and β-reduction. Nevertheless, it is of
interest to see if these techniques can be extended to CICb− .
Finally, let us mention the work of Wahlstedt [11]. He proves weak normalization of a predicative type theory in the style of Martin-Löf type theory.
Termination is ensured using the size-change principle [8]. While this principle
is very powerful, his system cannot express size-preserving functions.
6
Conclusions
We presented CICb− , an extension of CIC with a type-based termination mechanism. We have restricted to one inductive type, namely natural numbers, and
we have proved that the system is strongly normalizing and logically consistent.
The interpretation can be extended to other (positive) inductive types (in the
predicative universes). This is a intermediate result towards our goal of proving logical consistency of an extension of CIC with a type-based termination
mechanism.
There are some issues related with CICb that are present in CICb− and have
not been addressed in this work, namely, global definitions and mutually recursive functions. We have preliminary results in this direction.
Acknowledgments. The authors would like to thank Bruno Barras, Hugo
Herbelin, and Benjamin Werner for many discussions on strong normalization
and type-based termination.
References
1. Andreas Abel. A Polymorphic Lambda-Calculus with Sized Higher-Order Types.
PhD thesis, Ludwig-Maximilians-Universität München, 2006.
2. Thorsten Altenkirch. Constructions, Inductive Types and Strong Normalization.
PhD thesis, University of Edinburgh, November 1993.
3. Bruno Barras. Sets in Coq, Coq in sets. 1st Coq Workshop, August 2009.
Strong Normalization of CC with Type-Based Termination
23
4. Gilles Barthe, Benjamin Grégoire, and Fernando Pastawski. CICb: Type-based
termination of recursive definitions in the Calculus of Inductive Constructions. In
Miki Hermann and Andrei Voronkov, editors, Logic for Programming, Artificial
Intelligence, and Reasoning, 13th International Conference, LPAR 2006, Phnom
Penh, Cambodia, November 13-17, 2006, Proceedings, volume 4246 of Lecture Notes
in Computer Science, pages 257–271. Springer, 2006.
5. Frédéric Blanqui. A type-based termination criterion for dependently-typed higherorder rewrite systems. In Vincent van Oostrom, editor, Rewriting Techniques and
Applications, 15th International Conference, RTA 2004, Aachen, Germany, June
3-5, 2004, Proceedings, volume 3091 of Lecture Notes in Computer Science, pages
24–39. Springer, 2004.
6. Eduardo Giménez. Structural recursive definitions in type theory. In Kim Guldstrand Larsen, Sven Skyum, and Glynn Winskel, editors, Automata, Languages
and Programming, 25th International Colloquium, ICALP’98, Aalborg, Denmark,
July 13-17, 1998, Proceedings, volume 1443 of Lecture Notes in Computer Science,
pages 397–408. Springer, 1998.
7. John Hughes, Lars Pareto, and Amr Sabry. Proving the correctness of reactive
systems using sized types. In POPL, pages 410–423, 1996.
8. Chin Soon Lee, Neil D. Jones, and Amir M. Ben-Amram. The size-change principle
for program termination. In POPL, pages 81–92, 2001.
9. Zhaohui Luo. Computation and reasoning: a type theory for computer science.
Oxford University Press, Inc., New York, NY, USA, 1994.
10. Paul-André Melliès and Benjamin Werner. A generic normalisation proof for pure
type systems. In Eduardo Giménez and Christine Paulin-Mohring, editors, Types
for Proofs and Programs, International Workshop TYPES’96, Aussois, France,
December 15-19, 1996, Selected Papers, volume 1512 of LNCS, pages 254–276.
Springer, 1996.
11. David Wahlstedt. Dependent Type Theory with Parameterized First-Order Data
Types and Well-Founded Recursion. PhD thesis, Chalmers University of Technology, 2007. ISBN 978-91-7291-979-2.
A
The conversion presentation
In this section, we present CICb− in a more traditional form using conversion. The
syntax is similar, except for the application where there are no type annotations,
and the abstraction, where the type annotation include only the domain of the
function.
We refer to the system in the paper as the annotated presentation of CICb− ,
and to the system in this section as the conversion presentation of CICb− .
Definition 18 (Terms). The generic set of terms over the set a is defined by
the grammar:
T [a] ::= X | U | λX : T ◦ .T [a] | T [a] T [a] | ΠX : T [a].T [a]
| nata | O | S(T [a])
caseT ◦ X := T [a] of T [a], T [a] | fix X (X : nat? ) : T ? := T [a]
The set of bare terms, position terms and sized terms are defined by T ◦ ::= T [],
T ? ::= T [{, ?}], and T ::= T [S], respectively.
24
Benjamin Grégoire and Jorge Luis Sacchini
As in the annotated presentation, we use the erasure functions |.| : T ? ∪ T →
T and |.|ı : T → T ? . Given a term M , we write M ∞ to denote the term M
where all size annotations are replaced with ∞, and SV(M ) to denote the set of
stage variables appearing in M .
◦
Definition 19. Reduction →c is defined as the compatible closure of the following relation:
(λx : T ◦ .M )N
caseT ◦ x := O of N0 , N1
caseT ◦ x := S(M ) of N0 , N1
(fix f (x : nat? ) : U ? := M )C
→c
→c
→c
→c
M [x := N ]
N0
N1 M
(M [f := fix f (x : nat? ) : U ? := M ])C
where C is a term in constructor form. We write →c ∗ and ≈c for the reflexivetransitive closure and the equivalence closure of →c , respectively.
Lemma 18. The reduction relation →c defined above is confluent.
The substage relation and the notion of simple types are defined in the same
way, so we do not repeat the definitions here. However, the subtyping relation
is defined in a more standard way.
Definition 20 (Subtyping). Given a relation on terms, R, stable under substitution of terms and stages, the subtyping relation on R, ≤R ⊆ T × T , is
defined by following rules:
T ≤R T
T ≈c U
T ≤R U
T ≤R W
W ≤R U
T ≤R U
U1 ≤R T1
T2 ≤R U2
Πx : T1 .T2 ≤R Πx : U1 .U2
svr
nat ≤R natr
s
We write ≤c for ≤≈c .
The typing rules are very similar, and are given in Fig. 2 for completeness.
We finish this section by proving some properties about the subtyping relation. First, we define an alternative subtyping relation, similarly to the definition
given in Sect. 3, and prove that both relations are equivalent.
An alternative definition of subtyping is the following.
Definition 21 (Subtyping (alternative)). The alternative subtyping relation, denoted by ≤a , is defined by the following rules:
T ↓U
T ≤a U
T →c ∗ Πx : T1 .T2
T →c ∗ nats
U →c ∗ natr
T ≤a U
U →c ∗ Πx : U1 .U2
T ≤a U
U1 ≤a T1
svr
T2 ≤a U2
Strong Normalization of CC with Type-Based Termination
25
We prove that both definitions are equivalent. Note that it is easy to prove
that T ≤a U ⇒ T ≤c U . For the other direction, we first show that ≤a is
transitive. We need first the following lemma.
Lemma 19. If T ≈ T 0 ≤a U 0 ≈ U , then T ≤a U , with a derivation of the same
height.
Proof. We proceed by induction on the derivation of T 0 ≤a U 0 . All cases follow
easily by IH and confluence.
t
u
Lemma 20. If T1 ≤a T2 and T2 ≤a T3 , then T1 ≤a T3 .
Proof. We proceed by induction on the sum of the derivations of T1 ≤a T2 , and
T2 ≤a T3 , and case analysis in the last rule used. For the case when both use
the product rule, we use the previous lemma.
t
u
Lemma 21. If T ≤ U , then T ≤a U
Proof. All rules are admissible, using the previous lemma for the transitive rule.
t
u
Lemma 22. Assume that T ≤≡ U . If T →c T 0 (resp. U →c U 0 ), then there
exists U 0 (resp. T 0 ) such that U →c U 0 (resp. T →c T 0 ) and T 0 ≤≡ U 0 .
Lemma 23. Assume T1 ≤c T2 . Then, there exists U1 and U2 such that T1 →c ∗
U1 ≤≡ U2 ←c ∗ T2 .
Proof. By induction on the derivation of T1 ≤ T2 . The only interesting case is the
transitivity rule. Assume T1 ≤ T2 is derived from T1 ≤ T3 and T3 ≤ T2 . By IH,
there exists P1 , P3 , Q3 and Q2 such that T1 →c ∗ P1 ≤≡ P3 ←c ∗ T3 and T3 →c ∗
Q3 ≤≡ Q2 ←c ∗ T2 . By confluence, there exists N such that P3 →c ∗ N3 ←c ∗ Q3 .
By the previous lemma, there exists N1 and N2 such that P1 →c ∗ N1 ≤≡ N3 and
N3 ≤≡ N2 ←c ∗ Q2 . Then N1 and N2 satisfy the requirements, since N1 ≤≡ N2 .
t
u
The above property is not valid for the annotated system because reduction is
not confluent. However, it is valid for well-typed terms, as proved in Lemma ??.
Lemma 24. Let ≤t≡ be the relation ≤≡ without considering rules (sub-refl) and
(sub-trans). Then, ≤t≡ =≤≡ .
Proof. Rule (sub-refl) is admissible in ≤t≡ , since it is the same as rule (sub-conv).
We now prove that rule (sub-trans)is also admissible.
Consider T1 ≤t≡ T2 and T2 ≤t≡ T3 . We want to prove that T1 ≤≡ T3 . We
proceed by mutual induction on the derivations, and case analysis on the last
rule used.
– If the last rule of T1 ≤t≡ T2 is (sub-conv), then T1 ≡ T2 and the result follows.
Similarly if the last rule of T2 ≤t≡ T3 is (sub-conv).
– If the last rule of both derivations is (sub-prod), the result follows from IH.
26
Benjamin Grégoire and Jorge Luis Sacchini
– If the last rule of both derivations is (sub-nat), the result follows from transitivity of the substage relation.
– The remaining cases (one rule is (sub-prod) and the other is (sub-nat)) are
impossible.
t
u
(empty)
WF([])
(var)
(type)
(abs)
(app)
s
Γ (x) = T
WF(Γ )
(prop)
Γ `c T : u
Γ `c Prop : Type0
Γ (x : T ) `c U : Typej
Γ `c Πx : T.U : max(u, Typej )
Γ `c T : u
Γ (x : T ) `c U : Prop
Γ `c Πx : T.U : Prop
Γ (x : T ) `c M : U
Γ `c λx : |T |.M : Πx : T.U
SV(M ) = ∅
Γ `c N : T
SV(N ) = ∅
Γ `c M N : U [x := N ]
Γ ` nat : Type0
simple(T )
Γ `c x : T
Γ `c M : Πx : T.U
WF(Γ )
(case)
WF(Γ )
WF(Γ )
(Π-prop)
Γ `c T : u
WF(Γ (x : T ))
Γ `c Typei : Typei+1
(Π-type)
(nat)
WF(Γ )
(cons)
(zero)
WF(Γ )
Γ ` O : natsb
(succ)
Γ `c M : nats
Γ `c S(M ) : natsb
Γ `c M : natsb
Γ (x : natsb) `c P : u
Γ `c N0 : P [x := O]
Γ `c N1 : Πy : nats .P [x := S(y)]
Γ `c case|P | x := M of N0 , N1 : P [x := M ]
(fix)
T ≡ Π(x : natı ).U
ı pos U
ı∈
/ SV(Γ, M )
Γ `c T : u
Γ (f : T ) `c M : T [ı := bı]
Γ `c fix f (x : nat? ) : |U |ı := M : T [ı := s]
(conv)
Γ `c M : T
Γ `c U : u
Γ `c M : U
T ≤U
SV(M ) = ∅
SV(M ) = ∅
simple(U )
Fig. 2. Typing rules for the conversion presentation of CICb−
A.1
Metatheory
The metatheory of the system of this section is proved similarly to CICb. We
state the required lemmas without proof.
Strong Normalization of CC with Type-Based Termination
27
Lemma 25 (Inversion of subtyping).
1. If Πx : T1 .T2 ≤c Πx : U1 .U2 , then U1 ≤c T1 and T2 ≤c U2 .
2. If natr ≤c U , then U ≈c nats and r v s.
3. If T ≤c nats , then T ≈c natr and r v s.
Lemma 26 (Weakening). If Γ `c M : T and WF(Γ ∆), then Γ ∆ `c M : T .
Lemma 27 (Stage substitution). If Γ `c M : U , then Γ [ı := s] `c M [ı := s] :
U [ı := s].
Lemma 28 (Substitution). If Γ (x : T )∆ `c M : U , and Γ `c N : T , and
SV(N ) = ∅ then Γ ∆ [x := N ] `c M [x := N ] : U [x := N ].
Lemma 29 (Subject Reduction). If Γ `c M : T and M → M 0 , then Γ `c
M0 : T.
Lemma 30 (Type validity). If Γ `c M : T , then Γ `c T : u and simple(T ).
Lemma 31 (Type uniqueness). If Γ `c M : T and Γ `c M : T 0 , then
|T | ≈ |T 0 |.
B
Simple Metatheory of CICb−
In this section we prove some simple metatheoretical properties of CICb− including weakening, substitution and subject reduction.
Some properties of subtyping:
Lemma 32. Let R1 and R2 be two relations on terms. Then
1. If R1 ⊆ R2 , then ≤R1 ⊆ ≤R2 .
The following lemmas are proved in the same fashion as for CICb.
Lemma 33 (Free variables). If Γ ` M : T , then FV(M ) ⊆ dom(Γ ) and
FV(T ) ⊆ dom(Γ ).
Proof. By induction on the derivation of Γ ` M : T .
Lemma 34 (Context). If Γ ` M : T , then WF(Γ ).
Proof. By induction on the derivation of Γ ` M : T .
Lemma 35 (Weakening). If Γ ` M : T and WF(Γ ∆), then Γ ∆ ` M : T .
Lemma 36 (Stage substitution). If Γ ` M : U , then Γ [ı := s] ` M [ı := s] :
U [ı := s].
Lemma 37 (Substitution). If Γ (x : T )∆ ` M : U , and Γ ` N : T , and
SV(N ) = ∅ then Γ ∆ [x := N ] ` M [x := N ] : U [x := N ].
28
Benjamin Grégoire and Jorge Luis Sacchini
Some properties on simple types:
Lemma 38. If simple(T ) and SV(M ) = ∅, then simple(T [x := M ]).
Proof. By induction on the derivation of simple(T ). Note that SV(T [x := M ]) ⊆
SV(T ) ∪ SV(M ).
Lemma 39. If simple(T [x := M ]) with SV(M ) = ∅, and SV(N ) = ∅, then
simple(T [x := N ]).
Proof. Note that if simple(T [x := M ]), then simple(T ).
Lemma 40. If WF(Γ ), and (x : T ) ∈ Γ , then simple(T ).
Proof. By induction on the derivation of WF(Γ ).
Lemma 41. If Γ ` M : T , then simple(T ).
Proof. By induction on the derivation of Γ ` M : T . We treat two cases.
(fix) By IH, noting that if simple(T [ı := bı]), then T [ı := s] for any stage s.
(case) By IH, using Lemma 39.
To prove Subject Reduction, we need to prove inversion of products for subtyping. While this property is not true for terms that are not well-typed, we can
prove a particular case which is enough to prove Subject Reduction (Cor. 2). We
use some definitions given in App. C. Namely, Def. 22 and Lemma 47.
Lemma 42. Let T and U be two terms such that |T | ≡ |U |, simple(T ), simple(U )
and bT c ≤c bU c. Then, T ≤ U .
Proof. By simultaneous induction on simple(T ) and simple(U ). We proceed by
case analysis.
– If T ≡ Πx : T1 .T2 , then U ≡ Πx : U1 .U2 . The result follows from IH on
(T1 , U1 ) and (T2 , U2 ), using inversion of products for ≤c .
– If T ≡ natr , then U ≡ nats . By inversion of ≤c , we have r v s. Then
natr ≤ nats .
– The only remaining case is SV(T ) = ∅ and SV(U ) = ∅. In this case T ≡ U
and the result follows.
t
u
Corollary 2. If T ≡ Πx : T1 .T2 ≤ . . . ≤ U ≡ Πx : U1 .U2 , simple(T ),
simple(U ), and |T | = |U |, then U1 ≤ T1 and T2 ≤ U2 .
Proof. Note that bT c ≤c bU c, and therefore, bU1 c ≤c bT1 c and bT2 c ≤c bU2 c.
The result follows by applying the previous lemma.
t
u
Lemma 43 (Subject Reduction). If Γ ` M : T and M → M 0 , then Γ `
M0 : T.
In the following lemma, we add the invariant that types are always simple.
Lemma 44 (Type validity). If Γ ` M : T , then Γ ` T : u and simple(T ).
Strong Normalization of CC with Type-Based Termination
C
29
Equivalence between both presentations
In this section we prove that there is an equivalence between both presentations
of the system. As a corollary, we obtain that the conversion presentation is also
strongly normalizing.
There is one side of the equivalence that is easy to establish.
Definition 22. We define the map b.c from terms of the annotated presentation
to terms of the conversion presentation by:
bxc = x
buc = u
bλ
x:T ◦ .U ◦
M c = λx : bT ◦ c.bM cbappx:T ◦ .U ◦ (M, N )c
= bM c bN c
bΠx : T.U c = Πx : bT c.bU c
bcaseP ◦ x := M of N0 , N1 c = casebP ◦ c x := bM c of bN0 c, bN1 c
bfix f (x : nat) : U ? := M c = fix f (x : nat) : bU ? c := bM c
The following lemma is easy to prove.
Lemma 45. If Γ ` M : T , then bΓ c `c bM c : bT c.
The other direction is a bit more complicated to prove. We begin by defining
a loose reduction for the annotated system.
Definition 23. Loose reduction →l is defined as the compatible closure of the
following relation:
appx:T2 ◦ .U2 ◦ (λx:T1 ◦ .U1 ◦ M , N ) →l
caseT ◦ x := O of N0 , N1 →l
caseT ◦ x := S(M ) of N0 , N1 →l
appx:T ◦ .U ◦ (F, C) →l
M [x := N ]
N0
appy:nat.T ◦ [x:=S(y)] (N1 , M )
appx:T ◦ .U ◦ (M [f := F ], C)
where F ≡ fix f (x : nat? ) : U ? := M and C is a term in constructor form. We
write →l ∗ and ≈l for the reflexive-transitive closure and the equivalence closure
of →l , respectively.
Lemma 46. Loose reduction is confluent.
The following lemma states some simple properties of the three reduction
relations defined.
Lemma 47. 1. M ↓ M 0 ⇒ bM c ≈c bM 0 c;
2. M ≈l M 0 ⇒ bM c ≈c bM 0 c;
3. T ≤ U ⇒ bT c ≤c bU c;
4. if bM c →c N , then there exists P such that M →l P and bP c ≡ N ;
We define the grammar for normal terms and neutral normal terms.
30
Benjamin Grégoire and Jorge Luis Sacchini
Definition 24. Normal terms, N , and neutral normal terms, R, are defined by
the following grammars:
N ::= λx:N ◦ .N ◦ N | R | u | O | S(N ) | Πx : N.N | fix f (x : nat? ) : N ? := N
R ::= x | appx:N ◦ .N ◦ (R, N ) | caseN ◦ x := R of N, N
| appx:N ◦ .N ◦ (fix f (x : nat? ) : N ? := N , R)
Lemma 48.
1. Let appx:T2 ◦ .U2 ◦ (λx:T1 ◦ .U1 ◦ M , N ) be a well-typed term in some context Γ .
Then T1 ◦ ≈l T2 ◦ and U1 ◦ ≈l U2 ◦ .
2. Let appx:T1 ◦ .T2 ◦ (fix f (x : nat? ) : U ? := M , N ) be a well-typed term in some
context Γ . Then T1 ◦ ≈l nat and T2 ◦ ≈l |U ? |.
Proof. We prove the first part, since the second part is similar.
By inversion on the type derivation, the term λx:T1 ◦ .U1 ◦ M has type W1 with
|W1 | ≡ Πx : T1 ◦ .U1 ◦ , and it also has type W2 with |W2 | ≡ Πx : T2 ◦ .U2 ◦ and
W1 ≤ . . . ≤ W2 . Therefore, |W1 | ≈l |W2 |. Since →l satisfies inversion of products,
the conclusion follows.
t
u
Lemma 49. Let M and M 0 be two well-typed terms under context Γ . If M ≈l
M 0 and M and M 0 are in normal form (for →), then M ≡ M 0 .
Proof. By mutual induction on the size of M and M 0 . We prove first that M
and M 0 are in normal form for →l . Assume that there is a loose redex in M . We
have two cases:
I. The redex is of the form
appx:T2 ◦ .U2 ◦ (λx:T1 ◦ .U1 ◦ N , P ) .
Then by the previous lemma, T1 ◦ ≈l T2 ◦ and U1 ◦ ≈l U2 ◦ . Since T1∞ and
T2∞ are well-typed in context Γ ∞ , by IH, T1∞ ≡ T2∞ . Hence, T1 ◦ ≡ T2 ◦ .
Similarly, U1 ◦ ≡ U2 ◦ , since U1∞ and U2∞ are well-typed under context
Γ ∞ (x : T1∞ ). But then, the above redex is actually a tight redex, which
contradicts the hypothesis that M is in normal form.
II. The redex is of the form
appx:T1 ◦ .T2 ◦ (fix f (x : nat? ) : U ? := N , C) .
We proceed in the same way as in the previous case.
We have M ≈l M 0 and that both are in normal form for →l . Since →l is
confluent, we conclude that M ≡ M 0 .
t
u
Corollary 3. Let M and M 0 be two well-typed terms under context Γ . If M ≈l
M 0 , then M and M 0 have a common unique normal form.
Strong Normalization of CC with Type-Based Termination
31
Proof. Let N and N 0 be normal forms (for →) of M and M 0 respectively. Then,
N ≈l N 0 . By Subject Reduction, N and N 0 are well-typed in Γ . Applying the
previous lemma, we obtain N ≡ N 0 .
t
u
Corollary 4. Let M be a well-typed term in normal form for →. Then bM c is
in normal form for →c .
Proof. If bM c had a →c -redex, then M would have a →l -redex, but this is
impossible.
t
u
Lemma 50. Assume Γ1 ` M1 : T1 and Γ2 ` M2 : T2 , with |Γ1 | = |Γ2 |. If
bM1 c ≈c bM2 c and M1 and M2 are in normal form (for →), then M1 ≡ M2 .
Proof. From the proof of Lemma 49, M1 and M2 are in normal form for →l .
Therefore, bM1 c ≡ bM2 c. We proceed by induction on the size of M1 and M2 ,
and case analysis on the shape of M1 and M2 .
Most cases are easy consequence of the IH. We treat the most relevant cases
here.
– M1 ≡ λx1 :T1 ◦ .U1 ◦ N1 and M2 ≡ λx2 :T2 ◦ .U2 ◦ N2 . Since M1 and M2 are in
normal form for →l , then T1 ◦ ≈l T2 ◦ , U1 ◦ ≈l U2 ◦ and N1 ≈l N2 .
From IH on T1∞ and T2∞ (well-typed on context Γ1∞ ), we obtain that T1∞ ≡
T2∞ (and T1 ◦ ≡ T2 ◦ ). Similarly, applying IH to U1∞ and U2∞ (well-typed on
context Γ1∞ (x1 : T1∞ )), we obtain U1 ◦ ≡ U2 ◦ .
There exists Wi , for i = 1, 2 such that |Wi | = Ti ◦ , and Ni is well-typed under
context Γi (xi : Wi ). The IH applies, and N1 ≡ N2 .
– M1 and M2 are neutral normal terms. We proceed by induction on the
structure of M1 and M2 . We consider the case M1 ≡ appx1 :T1 ◦ .U1 ◦ (R1 , N1 )
and M2 ≡ appx2 :T2 ◦ .U2 ◦ (R2 , N2 ), where R1 and R2 are neutral normal terms.
By IH, R1 ≡ R2 and N1 ≡ R2 . In context Γ1∞ (≡ Γ2∞ ), R1 has types
Πx : T1∞ .U1∞ and Πx : T2∞ .U2∞ . The IH applies, and both types are equal.
The rest of the cases of neutral normal terms are easy.
t
u
Corollary 5. Let M1 and M2 be well-typed terms under context Γ . If bM1 c ≈c
bM2 c, then M1 ↓ M2 .
Lemma 51. Let M1 and M2 be well-typed terms under context Γ . If bM1 c ≤≡
bM2 c, then M1 ≤ M2 .
Proof. We proceed by induction on bM1 c ≤≡ bM2 c. From Lemma 24 we do
not need to consider the rules (sub-refl) and (sub-trans). In the case of rule
(sub-conv), the result follows from Lemma 50. For rule (sub-prod), the result
follows from IH. Finally, the case of rule (sub-nat) is trivial.
t
u
Corollary 6. Let M1 and M2 be well-typed terms under context Γ . If bM1 c ≤c
bM2 c, then M1 ≤ M2 .
32
Benjamin Grégoire and Jorge Luis Sacchini
Proof. From Lemma 23 we know that there exists P1 and P2 such that bM1 c →c ∗
P1 ≤≡ P2 ←c ∗ bM2 c. Let N1 and N2 be the normal form (for →) of M1 and
M2 respectively. Then, by Corollary 4, bN1 c and bN2 c are also in normal form
(for →c ). Hence, P1 →c ∗ bN1 c, P2 →c ∗ bN2 c and bN1 c ≤≡ bN2 c. To see that
N1 and N2 satisfy the required properties, it remains to prove that N1 ≤ N2 .
We proceed by induction on bN1 c ≤≡ bN2 c. From Lemma 24 we do not need to
consider the rules (sub-refl) and (sub-trans). In the case of rule (sub-conv), the
result follows from Lemma 50. For rule (sub-prod), the result follows from IH.
Finally, the case of rule (sub-nat) is trivial.
t
u
Theorem 3. If Γ `c M : T , then there exists a judgment Γ + ` M + : T + such
that bΓ + c = Γ , bM + c = M and bT + c = T .
Proof. By induction on the derivation of Γ `c M : T . We use the following
properties in the proof:
– SV(T ) = SV(bT c);
– simple(bT c) ⇒ simple(T );
We consider the case (conv). The judgment Γ `c M : T is derived from Γ `c
M : U , Γ ` T : u, simple(U ), and U ≤c T . By IH, there exists Γ + , M + , U + such
that Γ + ` M + : U + . Also by IH, there exists ∆+ , T + such that ∆+ ` T + : u.
Since bΓ + c ≡ b∆+ c, we have Γ + ↓ ∆+ , and Γ + ` T + : u. By Cor. 6, T ≤ U ,
and the result follows by an application of rule (conv).
t
u
Theorem 4. If Γ ` M : T and bM c →c N , then there exists N 0 such that
M →+ N 0 and bN 0 c = N .
Proof. We proceed by induction on bM c →c N . The interesting case is when
bM c is a β-redex. Then M is of the form appx2 :T2 ◦ .U2 ◦ (λx1 :T1 ◦ .U1 ◦ M1 , M2 ) and
N ≡ bM1 [x1 := M2 ]c. By Lemma 48, T1 ◦ ≈l T2 ◦ and U1 ◦ ≈l U2 ◦ . By Cor. 3,
there exists T3 ◦ and U3 ◦ such that T1 ◦ , T2 ◦ →∗ T3 ◦ and U1 ◦ , U2 ◦ →∗ U3 ◦ .
Then, M →∗ appx2 :T3 ◦ .U3 ◦ (λx1 :T3 ◦ .U3 ◦ M1 , M2 ) → M1 [x1 := M2 ] We can take
N 0 = M1 [x1 := M2 ].
t
u
Corollary 7. If Γ `c M : T , then M is strongly normalizing.
Proof. Follows easily from Thm. 3 and Thm. 4.
