
The Primitive Proof Theory of the λ-Calculus

René Vestergaard
School of Mathematical and Computer Sciences, Heriot-Watt University, Edinburgh, Scotland

Magritte: La Preuve Mystérieuse, 1927. © ADAGP Paris 2003.
(man half-turned to the right, crystal vase, mountain)

Thesis submitted for the degree of Doctor of Philosophy, 2003.

© The copyright of all parts of this thesis rests with the author, unless otherwise stated. The thesis may be used, referenced, and quoted exclusively for scholarly, non-commercial purposes; proper attribution (in the form of [64], for example) must be included at least in the case of written works. Other usage requires the express consent of the copyright holder.
Abstract

We consider formal provability with structural induction and related proof principles in the λ-calculus seen as a (functional) programming language, i.e., presented with first-order abstract syntax over one-sorted variable names. Structural induction is the principal primitive proof principle of that particular syntactic framework and it is, indeed, near-ubiquitously employed in informal proofs in the wider programming-language theory community. In spite of substantial efforts in the theorem-proving community, these informal proofs have unfortunately been neither formalised nor considered formalisable so far. This impasse must naturally raise uncomfortable questions about the formal validity of the proof principles.

The highlights of the results we establish formally by structural means are the relative renaming freeness of β-residual theory, decidability of α-equivalence, β-confluence, η-confluence, βη-confluence, residual completion (aka strong weakly-finite β-development), residual β-confluence, η-over-β postponement, and notably β-standardisation. Interestingly, our uniform proof methodology, which has relevance beyond the λ-calculus, properly contains pen-and-paper proof practices in a precise sense except for the cases of α-decidability and β-standardisation where the known proofs fail in instructive ways. Our notion of residual completion, furthermore, presents a simplified treatment of residual theory compared to established practice, be it for strong finite development or for Huet's Prism theorem/Lévy's Cube lemma. Overall, our approach makes precise what is the full algebraic proof burden of the considered results and our proofs, in fact, appear to be the first complete developments in the literature.

Our results are relevant for researchers in programming language theory, rewriting, proof theory, and mechanised theorem proving/automated reasoning.
I would like to dedicate this thesis to my wife, aMunde.
Her all-transcending love truly is prodigious.
Thanthwe, aMayi a Yaya.
Acknowledgements

Special mentioning and profound thanks go to Olivier Danvy who suggested academia to me in the first place. True to form, Olivier has remained a valuable source of support and guidance.

Joe Wells has crucially impacted on my PhD work and on my formation as an academic. Talking to Joe is always a learning experience. I hope his influence can be recognised in this thesis and beyond. My sincerest thanks for his professionalism and inspiration.

I would like to extend my thanks and respect to James Brotherston for his contributions to, in particular, Chapter 2 and Section 4.2. James worked very hard and with great dedication and resourcefulness on verifying the proofs in there (along with the proofs they depend on) in Isabelle/HOL [6, 65, 66, 67, 68]. Thanks also to LFCS, University of Edinburgh for supporting James financially during part of the work and to the LINEAR network for supporting him on a visit to Marseille while I was there.

Gordon Plotkin, Rob Pooley, and Ian Stark have made many things a lot easier for me than they could have been. For that, and their unrelenting support and interest, I thank them wholeheartedly.

Thanks also to Samson Abramsky, Henk Barendregt, Jamie Gabbay, Jean-Yves Girard, Roger Hindley, Martin Hofmann, Gérard Huet, Martin Hyland, Felix Joachimski, Stefan Kahrs, Ralph Matthes, James McKinna, Vincent van Oostrom, Andy Pitts, Randy Pollack, Femke van Raamsdonk, Laurent Regnier, Don Sannella, Carsten Schürmann, and Helmut Schwichtenberg for interesting discussions and e-mail exchanges that directly or indirectly pertain to the present work. And, to the anonymous referees that kindly have commented on the published articles that the thesis incorporates [65, 66, 67, 68].

I gratefully acknowledge the financial support and hospitality of the Danish Research Academy, the Department of Computing Science at the University of Glasgow, the School of Mathematical and Computer Sciences at Heriot-Watt University, the Mathematisches Institut at the Ludwig-Maximilians-Universität in München, the Laboratory for Foundations of Computer Science (LFCS) at the University of Edinburgh, the Centre National de la Recherche Scientifique at l'Institut de Mathématiques de Luminy (CNRS-IML) in Marseille, and the Japan Advanced Institute of Science and Technology (JAIST), Hokuriku.

Last, but not least, thanks to Roger Hindley, Greg Michaelson, and Rob Pooley for being on the assessment committee for the thesis.

I am also grateful to the staff of Louisiana Museum, DK for help with obtaining the rights to reproduce the Magritte artwork on the front page and to La succession de René Magritte, represented by ADAGP, for granting it.
Contents

Introduction 2
Preface 2
Overview 7
Related Work 43

I Fundamentals 49
1 The Structure of the λ-Calculus 51
1.1 The Algebra of Simple Syntax 51
1.2 Relational Structure 57
1.3 Reduction, Substitution, and their Problems 63
1.4 The Barendregt Variable Convention 67
1.5 The (Orthonormal) λvar-Calculus 68
1.6 Renaming-Free Substitution Explored 76
2 A Renaming-Free λvar-Fragment 81
2.1 The Residual λvar-Theory 81
2.2 The Commutation Proof-Layer Hierarchy 85
2.3 BCF-Initial Residual Theory is Renaming-Free 88
3 α-Equivalence 93
3.1 α-Substitutivity and Variable Monotonicity 93
3.2 Fresh-naming Reduction 95
3.3 α-Decidability 99
3.4 =α-Generation Lemmas 108

II Divergence Commutation 111
4 - and λvar-Confluence 113
4.1 Structural Collapses and Diamond Properties 113
4.2 β-Confluence 115
4.3 Variants of β-Confluence 124
4.4 η-Confluence 127
4.5 βη-Confluence 130
5 Residual Theory Revisited 133
5.1 Confluence vs Residual Confluence 133
5.2 β-Residual Completion 134
5.3 Strong (Weakly-)Finite Development 136

III Composition Commutation 141
6 η-over-β Postponement 143
6.1 Parallel η-Reduction 143
6.2 Postponement 146
7 β-Standardisation 149
7.1 Definitions and Basic Properties 149
7.2 (Hereditary) Semi-Standardisation 151
7.3 Absorptive Weak-Head Standardisation 158
7.4 (Failing) Progression Standardisation 162

IV End Matter 165
Conclusion 167
A Commutative Diagrams 169
B Proofs: The Struct. of the λ-Calculus 171
B.1 Diamond Tiling Lemma 171
B.2 Hindley-Rosen Lemma 172
B.3 Commuting Confluence Lemma 173
B.4 Substitution and Free Variables 174
B.5 Substitution and Capturing Variables 176
C Proofs: A Renaming-Free λvar-Fragment 181
C.1 Marked Substitution 181
C.2 Residual-Completion Substitutivity 183
D Proofs: α-Equivalence 189
D.1 Left i-Substitutivity 189
E Proofs: - and λvar-Confluence 193
E.1 Preservation and Reflection of Diamond 193
E.2 Parallel β/Fresh-naming Commutativity 195
E.3 α/β Commutativity up to α-Resolution 197
F Proofs: β-Standardisation 199
F.1 Takahashi's Semi-Standardisation Framework 199
F.2 Inner/Weak-Head Substitutivity 200
Bibliography 203
Index 210
List of Figures

1.1 Free, bound, and capturing variable names 55
1.2 The uniquely bound λvar-predicate 68
1.3 Renaming-free substitution and α-, β-, and η-reduction 69
1.4 Curry-style substitution (re-)defined inductively 72
1.5 Renaming-free substitution (re-)defined inductively 76
2.1 Residual β-reduction 82
2.2 Residual-completion β-reduction 82
2.3 The simple proof-layer hierarchy 85
3.1 Indexed, one-step, inside-out, complete fresh-naming 100
4.1 Parallel β-reduction 116
4.2 Total-development β-reduction 117
4.3 The full proof-layer hierarchy 120
4.4 The administrative proof layer for parallel-β diamond 122
4.5 The administrative proof layer for diamond diagonalisation 123
4.6 The administrative proof layer for a small diamond property 124
4.7 The administrative proof layer for local confluence 125
4.8 The administrative proof layer for parallel-β diamond over α0 126
4.9 The administrative proof layer for η-commutativity 129
4.10 The administrative proof layer for βη-commutativity 131
5.1 The administrative proof layer for residual completion 136
6.1 Parallel η-reduction 144
6.2 The admin. proof layer for η/β composition commutation 148
7.1 Weak-head β-reduction 150
7.2 Inner and parallel inner β-reduction 150
7.3 The weakly fresh-naming α1-relation and the wBCF-predicate 152
7.4 The admin. proof layer for decomposing parallel steps 156
7.5 The admin. proof layer for parallelising weak-head after inner 157
7.6 Failed admin. proof layer for progression standardisation 159
7.7 The admin. proof layer for Lemma 7.22, case (Abstr-wh) 161
List of Symbols

alpha-equivalence class, page 75
alpha-equivalence, page 66
alpha-reduction, page 69
alpha-reduction, complete, page 100
alpha-reduction, complete, indexed, page 100
alpha-reduction, Curry-style, page 63
alpha-reduction, fresh-naming, page 95
alpha-reduction, fresh-naming, alternative index, page 95
alpha-reduction, fresh-naming, indexed, page 95
alpha-reduction, fresh-naming, weak, page 152
alpha-reduction, Hindley-style, page 65
alpha-reduction, indexed, page 69
BCF() Barendregt conventional form, page 68
wBCF() Barendregt conventional form, weak, page 152
BVC Barendregt variable convention, page 67
beta-reduction, page 69
beta-reduction, Curry-style, page 63
beta-reduction, Hindley-style, page 66
beta-reduction, inner (strong), page 149
beta-reduction, inner (strong), parallel, page 149
beta-reduction, inner (strong), parallel, real, page 149
beta-reduction, inner (strong), real, page 149
beta-reduction, parallel, page 115
beta-reduction, parallel, real, page 121
beta-reduction, real, page 75
beta-reduction, residual, page 82
beta-reduction, residual-completion, page 83
beta-reduction, total development, page 116
beta-reduction, total development, real, page 121
beta-reduction, weak-head, page 149
beta-reduction, weak-head, real, page 149
BV() bound variables, page 55
Capt() capturing variables, page 55
CR() Church-Rosser, page 61
Con() confluence, page 61
SFDP() development property, strong, finite, page 136
SWFDP() development property, strong weakly-finite, page 137
development relation, page 133
diamond property, page 60
Distinct(x_i) distinct variable names, page 97
eta-expansion, page 145
eta-reduction, page 69
eta-reduction, Curry-style, page 63
eta-reduction, Hindley-style, page 66
eta-reduction, parallel, page 143
eta-reduction, parallel, real, page 143
eta-reduction, real, page 75
FV() free variables, page 55
Fresh() fresh-naming, page 52
Lambda, page 51
Lambda, residual, page 82
Lambda, real, page 75
LCon() local confluence, page 60
SN() normalisation, strong, page 58
WN() normalisation, weak, page 58
#() number of lambdas, page 100
PPP() proof principles, primitive, page 55
PPP_FOAS_VN proof principles, primitive, simple syntax, page 55
residual relation, page 133
RCP() residual-completion property, page 134
[ := ]_Cu substitution, capture-avoiding, page 64
[ := ] substitution, renaming-free, page 69
UB() uniquely bound, page 68
unMarked() unmarked, page 133
variable names, page 52
Var() variables, page 55
x_i vector, page 70
x_i vector, elements of, page 70
‖ ‖ vector, length of, page 70
x_i vector, reversed, page 70
Introduction
Preface

The fundamental fact here is that we lay down rules, a technique, for a game, and that then when we follow the rules, things do not turn out as we had assumed. That we are therefore as it were entangled in our own rules. The entanglement in our rules is what we want to understand (i.e. get a clear view of).
Ludwig Wittgenstein: Philosophical Investigations, 125
This thesis is not so much about results as it is about proofs. In fact, we principally concern ourselves with the use and useability of certain well-known proof principles and methodologies and our main contribution is to show that, and how, they can be used formally. The specific context we work in is programming-language theory for which the use of concrete representations of considered structures is inescapable because of the area's reliance on computers. In terms of programming languages this means that we are considering syntax trees (i.e., first-order abstract syntax, FOAS). Going back almost four decades, the standard in the programming-language theory community for reasoning informally about syntax trees is structural induction and related proof principles. The proof principles we are considering are thus extremely well-understood informally and they have given rise to some very elegant and informative reasoning methodologies that express complex properties of languages in simple and concise terms.
Structural Induction and Syntax
Algebraically speaking, structural induction is a primitive proof principle, PPP, of syntax trees in the sense that any notion of syntax tree automatically comes equipped with a principle of structural induction and vice versa. For a concrete example, consider the integers presented with a zero element and a successor function along with natural-number induction. In other words, structural induction and abstract syntax are interdependent notions, two sides of the same coin, so to speak. One cannot have one without the other. If either fails (to succeed), concerns must invariably be raised about the other. As a matter of public record, and in spite of substantial efforts in the theorem-proving community, no formal developments have successfully employed structural proof principles prior to our work but have instead focused on introducing formal alternatives to first-order abstract syntax. This is clearly unsatisfactory from a mathematical perspective (although, of course, the alternatives are interesting in their own right). The situation is also rather unsettling as far as the large amount of literature using abstract syntax and structural induction informally is concerned.
Methodology
We stress that, of course, 'proof' means many things and so it shall, indeed must, to us. Presented rather naively, one extreme meaning is what could be called a social one: a proof is anything that conveys an insight (or otherwise) to another person in a manner that convinces that person of its validity. Another extreme in this setting is a formalist one: a proof is a sequence of simple formula manipulations that ideally all are obviously correct. Apart from technical differences, the two also differ conceptually, size-wise, and in focus as, oftentimes, 'conceptually straightforward' does not imply 'technically straightforward', to make a pertinent point. Methodologically, our approach has been a formal one that we have tried to enrich with social structure in the presentation of the material.
Formalisation Work
Substantial parts of this thesis were formally verified in the Isabelle/HOL theorem prover [48]. The results in question are those presented in Chapter 2 [6, 66, 67] as well as a full proof of β-confluence as discussed in Section 4.2 [6, 65, 68]. That the proofs have been formally verified means, more concretely, that we have firm evidence (i) that the results are correct in a strict algebraic sense and (ii) that the proofs really can be conducted in the prescribed manner and with the stated proof principles. This is a significant achievement that involved roughly 10 weeks of work and upwards of 5500 lines of Isabelle/HOL proof scripts. The actual verification work was undertaken by James Brotherston under the supervision of the thesis author and proceeded from hand-written proofs in the style we present here. The hand-written proofs were not entirely complete but, on the whole, held up to the formal scrutiny of the verification process. Please refer to the Conclusion for an account of lessons learned from our formalisation work.

The proof principles we refer to as primitive in the thesis are internally available in Isabelle/HOL when the syntactic/algebraic structures we present are input as datatypes and they can be invoked in their pure form by the use of the relevant proof tactics of Isabelle/HOL. More speculative tactics attempting to facilitate automation in the proof developments are also available in Isabelle/HOL. Our formal proofs are, however, almost exclusively brute-force for reasons that we shall discuss in the Conclusion.
Notation
Virtually all of our formal statements are written as predicates. Any symbol that can be construed as special is, furthermore, explained prior to its use. Two points are worth making.

(i) We suppress initial universal quantifications. Free variables are thus always universally quantified at the outermost level of the property.

(ii) For a range of rewriting properties, we are using commutative diagrams, cf. Appendix A, as a short-hand for the classic predicate notation. Our diagram notation is unambiguous and the appendix gives the (simple) translation algorithm into the classic notation.
Focus
When establishing a property, any property, we will typically proceed by the
proof principles that are associated with the outermost constructor being
considered. Our approach to doing proofs is thus rather algebraic and, in
that sense, is induced by the problem at hand. Succinctly stated, our focus
is on the primitive proof theory of the subject matter.
The Problem
The overall issue we address is that of binding in higher-order languages, i.e., languages that contain constructs that can quantify over elements of the language. This means that a higher-order language has place-holders for language-elements as first-class objects. The way we manage the place-holders and the role they fulfil is what we refer to as binding. Examples of binders are the usual logical quantifiers: 'for all' and 'exists'. In programming, binding is what is being done by the formal arguments of procedures and functions. We typically represent binding with object-level variable names. The problem of (managing) binding might look simple: it is, after all, just a matter of simple syntax. However, there are very good, independent reasons for thinking that the problem is not simple, quite apart from the absence of a satisfactory formal treatment of the matter. We shall give two reasons here that are of a fairly technical but also fundamental nature.
Complexity. In [3, 4], Asperti and Mairson study the computational complexity of so-called optimal evaluation (aka Lévy's families-of-redexes reduction) [2, 35, 36]. That evaluation is optimal means that any piece of computation that is about to be copied must have its (deferred) computation shared between all the places it can end up at: each family of (shared) computations/redexes must be performed/contracted as one. This entails the sharing of both values and evaluation contexts. Based on (Mairson's proof [40] of) Statman's Theorem [60], which says that deciding βη-equivalence in the simply-typed λ-calculus is not elementary recursive,¹ Asperti and Mairson show that the cost of a sequence of $n$ contractions of families-of-redexes is not bounded as $O(2^{2^{\cdot^{\cdot^{\cdot^{2^{n}}}}}})$ for any fixed stack of 2s. Now, in Lamping's (graph) implementation of optimal evaluation there are two kinds of computation: contraction of a redex family and propagation (and other management) of so-called sharing nodes, which amount to binding-resolution [34]. Substitution is implemented as graph edges and is therefore free. Contraction is a unit-cost operation, which means that the complexity of Lamping's notion of binding is not elementary recursive.
Consistency. In the λ-calculus, the identity function can be written as λx.x. It can also be written as λy.y and it is undesirable to distinguish these two representations of the identity function. We therefore typically introduce a formal notion, α-equivalence, which collapses terms that only differ in the particular names they use for expressing binding. Gabbay and Pitts [17, 18, 19, 51] present a (in fact, the only known) framework that has primitive support for inductive reasoning up-to α-equivalence. This means that not only do λx.x and λy.y behave the same way computationally, they are algebraically equal. More or less, anyway, seeing that in the Gabbay-Pitts framework, the inductive structure of α-collapsed syntax is achieved at the price of (object-level) variable names being inaccessible to the person writing the syntax, so to speak. Syntax can instead be written with meta-level variables that are subject to non-trivial well-formedness conditions [18]. Having concrete variable names would typically allow a user to pick a new, unused variable name relative to some piece of syntax. From a proof-theoretical perspective, this validates the axiom of (co-finite) choice, which is provably inconsistent with the various Gabbay-Pitts frameworks [51]. In other words, simple, concrete syntax and α-collapsed induction seemingly cannot coexist.
Other Applications
The proof methodology we pursue in the thesis was also applied in [71]. The paper introduces a calculus of linking with first-class modules, which, amongst other things, allows for mutually recursive binding and, furthermore, collapses a list representation to sets under associative, commutative (AC-)equivalence the same way we collapse under (α-)equivalence of bound variable names here.
¹ A function is (Kalmár-)elementary recursive if its computation is bounded as $O(K_k(n))$ for some $k$ on input (of size) $n$, with $K_0(n) = n$ and $K_{k+1}(n) = 2^{K_k(n)}$.
Thesis Organisation
Apart from the main body of text, this thesis also contains a front and an end matter. The pages of the body and the end matter are indexed with arabic numerals while the pages of the front matter are indexed with roman numerals. The front matter consists of the front page, a copyright-notice page, an abstract, a dedication, acknowledgements, a table of contents, a list of figures, and a list of the symbols we define and use. The body of the thesis consists of an introduction followed by three technical parts comprising seven chapters. The end matter contains a conclusion, six appendices, a list of references, and an index. The conclusion summarises the thesis and outlines the lessons learned from our formalisation efforts. The presentation of our technical contributions is three-way. The introduction contains a comprehensive overview of the results that we have established formally in the style of a stand-alone article (of limited size). The main body of text fills in all the technical details but (brutally, perhaps) does not include proofs that are more than one page in length. These can, instead, be found in the appendices. The organisation of the main body of text is rather deliberate and is designed to minimise redundancy in our proof developments. In total, the main body of text contains around 200 numbered, formal statements (definitions, lemmas, theorems, etc.) that, in one extreme, list as much as 16 individual properties. It also contains 29 numbered and countless unnumbered figures.
Overview
This chapter summarises the remainder of the thesis. Not all results and proof alternatives that are considered in the body of the thesis are presented here. Of the results that are presented some appear slightly differently and sometimes in a different order. The objective has been to give a stand-alone and hopefully easily-read executive summary of the results we can establish by the proof technologies we are considering and of the wider implications of this. The chapter should not be read as an introduction to the material but, rather, be used to either remind the reader of the content of the thesis or to give an experienced reader a flavour of what to expect. For an introduction (in the traditional sense of the word), we refer instead to Chapter 1. In case of perceived conflicts or imprecisions in this chapter, please default to the presentation of the results (alongside their full proofs) in the other chapters. We do not refer to the other chapters from this chapter, except for the definition of standard concepts. The numbering scheme we use here is in the style of an article rather than with sub-indices on the chapter number like in the rest of the thesis. The figures and sections in the chapter are not listed in the front matter to avoid redundancy.
1 Introduction

The use of structural induction and related proof principles for simple syntax (i.e., first-order abstract syntax over one-sorted variable names, $\mathrm{FOAS}_{\mathrm{VN}}$) is a long-standing and widely-used practice in the programming-language theory community and elsewhere where formal languages are employed. Unfortunately, at a first, closer inspection it seems that the practice is not formally justifiable because of a need to avoid undue variable capture when performing substitution; something which breaks the syntactic equality underlying structural induction and other structural proof principles. Even more worrying is the fact that, in spite of substantial efforts in the mechanised theorem-proving community, no formal proof developments (prior to what we report on here) have been able to overcome the problems that are encountered with substitution and go on to successfully employ the proof principles in question, i.e., the primitive proof principles of simple syntax, $\mathrm{PPP}^{\mathrm{FOAS}}_{\mathrm{VN}}$. Indeed, and starting with de Bruijn [11], it has become an active research area to define, formalise, and automate alternative syntactic frameworks that preserve as much of the inherent naturality of simple syntax as possible [11, 13, 14, 15, 19, 26, 42, 58]. However, by changing the underlying syntactic framework, the algebraic meaning of, e.g., a diamond property also changes, which means that, e.g., confluence as proved and as defined no longer coincide, cf. Lemma 18 and [68].

In the recognition that the above is both unfortunate as far as the formal status of the existing informal literature is concerned and unsatisfactory from a mathematical perspective, we shall pursue the naive approach here. In particular, we show that it is, indeed, possible to base formal proofs on first-order abstract syntax over one-sorted variable names. We hope to convince the reader that, while the technical gap between pen-and-paper and formal proofs is rather large, the conceptual gap is somewhat smaller. Furthermore, we hope that the comprehensive range of applications of the proof methodology that we present will establish its wider relevance.
Syntax of the λ-Calculus

The λ-calculus is intended to capture the concept of a function. It does so, first of all, by providing syntax that can be used to express function application and definition:

$$e ::= x \;\mid\; e_1\, e_2 \;\mid\; \lambda x.e$$

The above, informal syntax says that a λ-term, $e$, is defined inductively as either a variable name, as an application of one term to another, or as a λ-, or functional, abstraction of a variable name over a term. The variable names, $x$, are typically taken to be, or range over, words over the Latin alphabet. In Section 2, we will review the exact requirements to variable names in an abstract sense. Being based on a simple, inductive definition, λ-terms also come equipped with a range of primitive proof principles [1, 7]. As indicated, the general set of primitive proof principles for simple syntax will be referred to as $\mathrm{PPP}^{\mathrm{FOAS}}_{\mathrm{VN}}$.
Syntactic Equality

As a λ-term, $e$, is finite and consists of variable names, the obvious variable-name equality, $=_{\mathrm{VN}}$, which exists at least in the case of words over the Latin alphabet, canonically extends to all λ-terms:

$$\frac{x =_{\mathrm{VN}} y}{x =_{\lambda_{var}} y}
\qquad
\frac{e_1 =_{\lambda_{var}} e_1' \qquad e_2 =_{\lambda_{var}} e_2'}{e_1\, e_2 =_{\lambda_{var}} e_1'\, e_2'}
\qquad
\frac{x =_{\mathrm{VN}} y \qquad e =_{\lambda_{var}} e'}{\lambda x.e =_{\lambda_{var}} \lambda y.e'}$$

A definition as the one above immediately induces a proof principle, rule induction, for the defined object, in this case $=_{\lambda_{var}}$.
Structural Induction

In order to prove properties about the set of λ-terms, we can proceed by means of structural induction, mimicking the inductive definition of the terms:

$$\frac{\forall x.\, P(x) \qquad \forall e_1, e_2.\, P(e_1) \wedge P(e_2) \Rightarrow P(e_1\, e_2) \qquad \forall x, e.\, P(e) \Rightarrow P(\lambda x.e)}{\forall e.\, P(e)}$$
Structural Case-Splitting

As each syntax constructor of the λ-calculus is unique, we see that it is possible to case-split on terms with $E_i$ in some suitable meta-language:

$$\mathbf{case}\ e\ \mathbf{of}\quad x \Rightarrow E_1(x) \;\mid\; e_1\, e_2 \Rightarrow E_2(e_1, e_2) \;\mid\; \lambda x.e' \Rightarrow E_3(x, e')$$
Structural Recursion

Based on the above we can even define functions on λ-terms by means of structural recursion, i.e., by making recursive calls only on the sub-terms of a considered constructor:

$$f(x) = E_1(x) \qquad f(e_1\, e_2) = E_2(f(e_1), f(e_2)) \qquad f(\lambda x.e) = E_3(x, f(e))$$

The use of structural recursion guarantees that only well-defined functions are constructed (provided the $E_i$ are well-behaved): the above $f$ is computable by virtue of well-foundedness of terms, total because the definition case-splits exhaustively on λ-terms, and functional because there is no overlap of the cases. As an example application, we define the function that computes the free variables in a term, i.e., the variable names that do not occur inside a λ-abstraction of themselves.

Definition 1

$$\mathrm{FV}(y) = \{y\} \qquad \mathrm{FV}(e_1\, e_2) = \mathrm{FV}(e_1) \cup \mathrm{FV}(e_2) \qquad \mathrm{FV}(\lambda y.e) = \mathrm{FV}(e) \setminus \{y\}$$

Proposition 2 FV() is a total, computable function.
\[
\begin{array}{lcl}
y[x := e]^{Cu} & = & \left\{\begin{array}{ll} e & \text{if } x = y \\ y & \text{otherwise} \end{array}\right. \\[1ex]
(e_1 e_2)[x := e]^{Cu} & = & e_1[x := e]^{Cu}\, e_2[x := e]^{Cu} \\[1ex]
(\lambda y.e_0)[x := e]^{Cu} & = & \left\{\begin{array}{ll}
\lambda y.e_0 & \text{if } x = y \\
\lambda y.e_0[x := e]^{Cu} & \text{if } x \neq y \wedge (y \notin FV(e) \vee x \notin FV(e_0)) \\
\lambda z.e_0[y := z]^{Cu}[x := e]^{Cu} & \text{otherwise; first } z \notin \{x\} \cup FV(e) \cup FV(e_0)
\end{array}\right.
\end{array}
\]
Figure 1: Curry-style capture-avoiding substitution
Reduction and Substitution
In order to have λ-abstractions act as functions and not to have too many, e.g., identity functions, amongst other things, we are typically interested in the following reduction relations that can be applied anywhere in a term (they are, in other words, contextually closed); their precise form, including the substitution operator, is due to Curry [9].^2
1. $(\lambda x.e)e' \to_\beta^{Cu} e[x := e']^{Cu}$
2. $\lambda y.e[x := y]^{Cu} \to_\alpha^{Cu} \lambda x.e$, if $y \notin FV(e)$
Our interest in 2., above, is the equivalence relation it induces. We denote it by $\equiv_\alpha$, cf. Section 1.2, and we will eventually factor it out, as is standard.
Variable Capture
In his seminal formalist presentation of the λ-calculus [9], Curry defines the above substitution operator, $[\cdot := \cdot]^{Cu}$, essentially as in Figure 1. The last clause is the interesting one. It renames the considered $y$ into the first $z$ that has not been used already.^3 Consider, for example, the substitution of $x$ for $z$ in the two terms $\lambda x.z$ and $\lambda y.z$. Both terms-as-functions discard their argument. If we simply replace the $z$ in the terms with $x$, the latter would still discard its argument but the former would become the identity function, and this discrepancy would lead to inconsistencies.
Well-Definedness
Of formalist relevance, we remark that Curry-style substitution is not well-defined by construction as the definition does not employ structural recursion. The offender is the last clause that applies $[x := e]$ to a term, $e_0[y := z]$, that is not a subterm of $\lambda y.e_0$ in general. It can be observed that while $e_0[y := z]$ is not a sub-term of $\lambda y.e_0$, it will have the same size as $e_0$ and we can thus establish the well-formedness of $[\cdot := \cdot]^{Cu}$ by external means. Alternatively, we can introduce a more advanced, parallel substitution operator [61]. However, as we eventually will distance ourselves from the use of renaming in substitution, we will do neither but instead refer to Section 2 for an alternative derivation of Curry-style substitution.
^2 Curry assumes a linearly ordered set of variable names, for which "the first z that has not been used in ..." makes sense. We work more abstractly, and will, instead, merely assume that there is some function that returns a fresh variable name when given a term.
^3 While the notion "the first z" is trivially well-defined in the present case, the issue is a bit more subtle in a wider context, as we shall see in Section 2.
Variable-Name Indeterminacy
Having initially committed ourselves to using renaming in substitution, a range of problems are brought down on us. Hindley [25] observed, for example, that it becomes impossible to predetermine the particular variable name that will be used for a given abstraction after reducing, thus putting, e.g., confluence out of reach:
\[
\begin{array}{lcl}
(\lambda x.(\lambda y.\lambda x.xy)x)y & \to_\beta^{Cu} & (\lambda y.\lambda x.xy)y \to_\beta^{Cu} \lambda x.xy \\
(\lambda x.(\lambda y.\lambda x.xy)x)y & \to_\beta^{Cu} & (\lambda x.\lambda z.zx)y \to_\beta^{Cu} \lambda z.zy
\end{array}
\]
In the lower branch, the innermost $x$-abstraction must be renamed to a $z$-abstraction, while the upper branch never encounters the variable-name clash. Hindley proceeded to define a β-relation on α-equivalence classes that overcomes the above indeterminacy by factoring it out:
\[
\begin{array}{lcl}
\lfloor e \rfloor & =_{def} & \{ e' \mid e \equiv_\alpha e' \} \\
\lfloor e_1 \rfloor \to_\beta^{Hi} \lfloor e_2 \rfloor & =_{def} & \exists e_1' \in \lfloor e_1 \rfloor, e_2' \in \lfloor e_2 \rfloor.\ e_1' \to_\beta^{Cu} e_2'
\end{array}
\]
While this construction is relevant in its own right, it does not introduce proof principles pertaining to syntax (akin to structural proof principles), which therefore must be addressed independently.
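The renaming clause of Figure 1 and Hindley's indeterminacy example above, as an added Python example; this is not code from the thesis. It assumes terms encoded as nested tuples `('var', x)`, `('app', e1, e2)`, `('lam', x, e)`, and a `fresh` that returns the first unused name from the fixed sequence z, z1, z2, ... (standing in for Curry's linearly ordered variable names; the name sequence is an assumption of the example). `curry_subst` follows the three abstraction clauses of Figure 1, and `hindley_example` reduces $(\lambda x.(\lambda y.\lambda x.xy)x)y$ along both branches of the divergence.

```python
# Added example, not code from the thesis: Curry-style capture-avoiding
# substitution (Figure 1) with Fresh() realised as "the first unused name"
# from the fixed sequence z, z1, z2, ... (an assumption of this example that
# stands in for Curry's linearly ordered names).  Terms are plain tuples:
# ('var', x), ('app', e1, e2), ('lam', x, e); all sample terms are constructed.

def V(x): return ('var', x)
def A(f, a): return ('app', f, a)
def L(x, b): return ('lam', x, b)

def fv(e):
    """FV(e) by structural recursion, Definition 1."""
    if e[0] == 'var':
        return {e[1]}
    if e[0] == 'app':
        return fv(e[1]) | fv(e[2])
    return fv(e[2]) - {e[1]}

def fresh(avoid):
    """First name of z, z1, z2, ... that is not in `avoid`."""
    for i in range(len(avoid) + 1):
        z = 'z' if i == 0 else 'z%d' % i
        if z not in avoid:
            return z

def curry_subst(e, x, s):
    """e[x := s]^Cu, following the clauses of Figure 1.  The last clause
    recurses on e0[y := z], which is not a sub-term of lambda y.e0: the call
    still terminates because renaming does not change the size of e0."""
    if e[0] == 'var':
        return s if e[1] == x else e
    if e[0] == 'app':
        return A(curry_subst(e[1], x, s), curry_subst(e[2], x, s))
    y, e0 = e[1], e[2]
    if x == y:
        return e                                     # x is bound here
    if y not in fv(s) or x not in fv(e0):
        return L(y, curry_subst(e0, x, s))           # no capture possible
    z = fresh({x} | fv(s) | fv(e0))                  # would capture: rename y
    return L(z, curry_subst(curry_subst(e0, y, V(z)), x, s))

def beta_contract(redex):
    """One root beta-step, (lambda x.e)s ->beta^Cu e[x := s]^Cu."""
    (_, x, body), s = redex[1], redex[2]
    return curry_subst(body, x, s)

def capture_example():
    """Substitute x for z in lambda x.z and lambda y.z (the text's example):
    the first binder must be renamed, the second is untouched."""
    return (curry_subst(L('x', V('z')), 'z', V('x')),
            curry_subst(L('y', V('z')), 'z', V('x')))

def hindley_example():
    """Hindley's divergence on (lambda x.(lambda y.lambda x.xy)x)y: contract the
    outer redex first (upper branch) or the inner one first (lower branch)."""
    inner = A(L('y', L('x', A(V('x'), V('y')))), V('x'))
    term = A(L('x', inner), V('y'))
    upper = beta_contract(beta_contract(term))
    lower = beta_contract(A(L('x', beta_contract(inner)), V('y')))
    return upper, lower
```

`capture_example()` yields λz1.x and λy.x, so only the binder that would capture is renamed; `hindley_example()` yields λx.xy on the upper branch and λz.zy on the lower one, two syntactically different terms, which is exactly the indeterminacy that blocks a syntactic confluence argument.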
Broken Induction Steps
Instead of factoring out α-equivalence altogether, one could attempt to reason while unifying variable names at the end of a property, so to speak. Unfortunately, this does not work. An example that highlights the central problem is the following attempted adaptation of the well-known equivalence between confluence and the Church-Rosser property. Please refer to Appendix A for a precise definition of our diagram notation.
Non-Lemma 3 Writing $\twoheadrightarrow$ for reflexive, transitive closure and $\equiv$ for reflexive, transitive, symmetric closure of a relation, $\to$, we do not have:

Figure 2: The proof-layer hierarchy for primitive equational reasoning about the λ-calculus as simple syntax. Layers, from top to bottom: Abstract Reasoning; Administrative Proof Layer; Commutativity Lemmas; Substitutivity Lemmas; Substitution Lemmas and Variable Monotonicity; Substitution Tidiness. [Arrows of the diagram not recoverable from the extracted text.]
Proof [Broken] By reflexive, transitive, symmetric induction in $\equiv$.
Base, Reflexive, Symmetric Cases: Simple.
Transitive Case: Breaks down (I.H. indicates that the diagram exists by induction hypothesis; similarly, Assm. is existence by assumption).
[Diagram over $M_1, M_2, M_3$ and $N_1, \ldots, N_6$ not recoverable from the extracted text.]
The wider problem is, of course, that transitive induction becomes impaired.
Broken α-Equality in Sub-Terms
Having failed to control limited use of α-equivalence, one might think that the syntactic version of Hindley's approach, cf. Section 3, could work: that it is possible to state all properties about terms up to $\equiv_\alpha$ rather than the primitive $=_{\Lambda^{var}}$.
Lemma 4 (Simplified Substitution modulo α)
\[
e_1 \equiv_\alpha e_2 \wedge (\{x_1, x_2\} \cap \{y_1, y_2\} = \emptyset) \wedge y_1 \neq y_2 \ \Rightarrow\
e_1[x_1 := y_1]^{Cu}[x_2 := y_2]^{Cu} \equiv_\alpha e_2[x_2 := y_2]^{Cu}[x_1 := y_1]^{Cu}
\]
Proof [Broken] By structural induction in $e_1$.
Most Cases: Trivial.
Last Abstraction Case (simplified): Breaks down.
\[
\begin{array}{cl}
 & (\lambda y_1.e)[x_1 := y_1]^{Cu}[x_2 := y_2]^{Cu} \\
= & \lambda z.e'[x_1 := y_1]^{Cu}[x_2 := y_2]^{Cu} \\
\equiv_\alpha & \lambda z.e'[x_2 := y_2]^{Cu}[x_1 := y_1]^{Cu} \\
= & (\lambda z.e')[x_2 := y_2]^{Cu}[x_1 := y_1]^{Cu}
\end{array}
\]
The problem above is that $e$ and $e'$ are not actually α-equivalent, even if $\lambda y_1.e$ and $\lambda z.e'$ are, and the $\equiv_\alpha$-step can thus not be substantiated by the induction hypothesis. Consider, e.g., $e$ as $y_1$ and $e'$ as $z$. The above result is certainly correct but, unfortunately, not provable with the tools we have at our disposal at the moment.
Our Contribution
The results we are addressing are mostly well-known and have been considered in several contexts before. Indeed, a number of truly beautiful and concise informal proofs exist; see, in particular, Takahashi [62], to whom we owe a great debt. We therefore spend little energy on the easily accessible parts of the proofs and focus instead on what it takes to formalise them. There are two key issues: (i) the syntactic properties that can actually be established up to $=_{\Lambda^{var}}$ (as opposed to $\equiv_\alpha$, which we have seen to be highly problematic) and (ii) how to generalise these to the algebraic properties we are interested in. Because of our very detailed proof developments, we are also able to (radically) improve various easily accessible parts of known proofs, in particular in the context of residual theory.
In general, our proofs follow the structure we present in Figure 2. It is induced from nested uses of induction (in both definitions and proofs). The full-coloured arrows mean "is the key lemma for", while the others mean "is used to substantiate side-conditions on lemma applications". The first issue above, (i), is expressed in the addition of the Variable Monotonicity proof layer in Figure 2. The second issue, (ii), is entirely accounted for in the Administrative Proof Layer in Figure 2. The remaining layers should be recognisable from informal proofs (that have been conducted in some detail).
\[
\begin{array}{lcl}
BV(y) & = & \emptyset \\
BV(e_1 e_2) & = & BV(e_1) \cup BV(e_2) \\
BV(\lambda y.e) & = & \{y\} \cup BV(e) \\[1ex]
Capt_x(y) & = & \emptyset \\
Capt_x(e_1 e_2) & = & Capt_x(e_1) \cup Capt_x(e_2) \\
Capt_x(\lambda y.e) & = & \left\{\begin{array}{ll} \{y\} \cup Capt_x(e) & \text{if } x \in FV(\lambda y.e) \\ \emptyset & \text{otherwise} \end{array}\right.
\end{array}
\]
Figure 3: Bound and capturing variable names
The proofs underpinning Section 3 and the β-part of Section 4 have been verified in full in Isabelle/HOL by James Brotherston, under the supervision of the author [6, 66, 68] (for at least one alternative in the cases where several proofs are presented). By the nature of Figure 2, this means that substantial parts of the other proofs have been verified as well.
2 The $\Lambda^{var}$-Calculus
Having seen that the standard presentations of the λ-calculus lead to formalist problems, we will now give an alternative presentation that overcomes the problems. The different presentations differ only in how they lend themselves to provability. Their equational properties are provably equivalent, as we shall see.
Formal Syntax
We use $e$s to range over the inductively built-up set of λ-terms. The variable names, $\mathcal{VN}$, are generic but must meet certain minimal requirements.
Definition 5
\[
\Lambda^{var} ::= \mathcal{VN} \mid \Lambda^{var}\,\Lambda^{var} \mid \lambda\mathcal{VN}.\Lambda^{var}
\]
Assumption 6 $\mathcal{VN}$ is a single-sorted set of objects, aka variable names.
Assumption 7 $\mathcal{VN}$-equality, $=_{\mathcal{VN}}$, is decidable.
Assumption 8 There exists a total, computable function, $Fresh(\cdot) : \Lambda^{var} \to \mathcal{VN}$, such that:^4
\[
Fresh(e) \notin FV(e) \cup BV(e)
\]
^4 For the definition of $BV(\cdot)$, see Figure 3.
\[
\begin{array}{lcl}
y[x := e] & = & \left\{\begin{array}{ll} e & \text{if } x = y \\ y & \text{otherwise} \end{array}\right. \\[1ex]
(e_1 e_2)[x := e] & = & e_1[x := e]\, e_2[x := e] \\[1ex]
(\lambda y.e_0)[x := e] & = & \left\{\begin{array}{ll} \lambda y.e_0[x := e] & \text{if } x \neq y \wedge y \notin FV(e) \\ \lambda y.e_0 & \text{otherwise} \end{array}\right.
\end{array}
\]
\[
(\alpha)\ \frac{y \notin Capt_x(e) \cup FV(e)}{\lambda x.e \to^{y}_{\alpha_i} \lambda y.e[x := y]}
\qquad
\frac{e \to^{y}_{\alpha_i} e'}{\lambda x.e \to^{y}_{\alpha_i} \lambda x.e'}
\qquad
\frac{e_1 \to^{y}_{\alpha_i} e_1'}{e_1 e_2 \to^{y}_{\alpha_i} e_1' e_2}
\qquad
\frac{e_2 \to^{y}_{\alpha_i} e_2'}{e_1 e_2 \to^{y}_{\alpha_i} e_1 e_2'}
\]
\[
(\beta)\ \frac{Capt_x(e_1) \cap FV(e_2) = \emptyset}{(\lambda x.e_1)e_2 \to_\beta e_1[x := e_2]}
\qquad
\frac{e \to_\beta e'}{\lambda x.e \to_\beta \lambda x.e'}
\qquad
\frac{e_1 \to_\beta e_1'}{e_1 e_2 \to_\beta e_1' e_2}
\qquad
\frac{e_2 \to_\beta e_2'}{e_1 e_2 \to_\beta e_1 e_2'}
\]
\[
(\eta)\ \frac{x \notin FV(e)}{\lambda x.ex \to_\eta e}
\qquad
\frac{e \to_\eta e'}{\lambda x.e \to_\eta \lambda x.e'}
\qquad
\frac{e_1 \to_\eta e_1'}{e_1 e_2 \to_\eta e_1' e_2}
\qquad
\frac{e_2 \to_\eta e_2'}{e_1 e_2 \to_\eta e_1 e_2'}
\]
Figure 4: Renaming-free substitution, $[\cdot := \cdot]$, defined recursively, and α-, β-, η-reduction defined inductively over $\Lambda^{var}$
The last assumption trivially implies that $\mathcal{VN}$ is infinite.^5 We shall use $x$s, $y$s, and $z$s as meta-variables over $\mathcal{VN}$ and, by a slight abuse of notation, also as actual variable names in terms. We will suppress the $\mathcal{VN}$ suffix on variable-name equality and merely write, e.g., $x = y$.
Orthonormal Reduction
The key technicality to prevent implicit renaming is our use of a predicate, $Capt_x(e_1) \cap FV(e_2) = \emptyset$, cf. Figure 3, which guarantees that no capture takes place in the substitution: $e_1[x := e_2]$. It coincides with the notion of "is free for".
Definition 9 (The $\Lambda^{var}$-Calculus) The terms of the $\Lambda^{var}$-calculus are $\Lambda^{var}$, cf. Definition 5. The (indexed) α-, β-, and η-reduction relations of $\Lambda^{var}$: $\to^{y}_{\alpha_i}$, $\to_\beta$, and $\to_\eta$ are given inductively in Figure 4. The plain α-relation is:
\[
e \to_\alpha e' \ =_{def}\ \exists y.\ e \to^{y}_{\alpha_i} e'
\]
Unlike the situation with Curry-style substitution, our notion of substitution is defined by structural recursion and is thus primitively well-defined.
Proposition 10 $[x := e]$ is a total, computable function.
Proof By construction.
\[
\begin{array}{c}
x[x := e]^{Cu} = e
\qquad
\dfrac{x \neq y}{y[x := e]^{Cu} = y}
\qquad
\dfrac{e_1[x := e]^{Cu} = e_1' \quad e_2[x := e]^{Cu} = e_2'}{(e_1 e_2)[x := e]^{Cu} = e_1' e_2'}
\\[2ex]
(\lambda x.e_0)[x := e]^{Cu} = \lambda x.e_0
\qquad
\dfrac{x \neq y \wedge (y \notin FV(e) \vee x \notin FV(e_0)) \quad e_0[x := e]^{Cu} = e_0'}{(\lambda y.e_0)[x := e]^{Cu} = \lambda y.e_0'}
\\[2ex]
\dfrac{x \neq y \wedge y \in FV(e) \wedge x \in FV(e_0) \quad z = Fresh((e_0\, e)\, x) \quad e_0[y := z]^{Cu} = e_0' \quad e_0'[x := e]^{Cu} = e_0''}{(\lambda y.e_0)[x := e]^{Cu} = \lambda z.e_0''}
\end{array}
\]
Figure 5: Curry-style substitution (re-)defined inductively
^5 In the setting of Nominal Logic [51], the assumption also validates the axiom of (co-finite) choice. The axiom of choice is known to be inconsistent with Fraenkel-Mostowski set theory, which underpins Nominal Logic. Nominal Logic instead guarantees the existence of some fresh variable name, which by design can be any variable name except for a finite number, but the user cannot see which one it is. More work needs to be done to clarify the correspondence between simple syntax and syntax based on Nominal Logic.
The β- and η-relations we have presented above do not incur any renaming that could have been performed in a stand-alone fashion by the α-relation, thus making them orthogonal. The normality part of our informal orthonormality principle is established by the following property, symmetry of $\to_\alpha$, which implies that the α-relation itself is renaming-free.


Lemma 11

Curry's λ-Calculus Decomposed
In order to assure ourselves that the $\Lambda^{var}$-calculus is indeed the right calculus and partly to test the usefulness of the associated primitive proof principles, we now show how to derive Curry's presentation from ours. First, we show that as far as our use of substitution is concerned, $[\cdot := \cdot]$ coincides with $[\cdot := \cdot]^{Cu}$.
Proposition 12
\[
Capt_x(e_a) \cap FV(e) = \emptyset \ \Rightarrow\ e_a[x := e] = e_a[x := e]^{Cu}
\]
Proof A straightforward structural induction in $e_a$.
What might not be obvious is that Curry-style substitution can be shown to decompose into the $\Lambda^{var}$-calculus as a whole. In contrast to the structurally flawed Figure 1, Figure 5 introduces a primitively-defined, 4-ary relation that is Curry-style substitution, albeit with no claim of totality, computability, or even functionality.
Lemma 13 With $\exists!$ meaning unique existence, we have:
\[
e_a[x := e]^{Cu} = e' \ \Leftrightarrow\ \exists! e_b.\ e_a \twoheadrightarrow_\alpha e_b \wedge e_b[x := e] = e'
\]
Proof By rule induction in Curry-style substitution-as-a-relation, cf. Figure 5. Uniqueness of $e_b$ is guaranteed by the functionality of $Fresh(\cdot)$. We stress that the property is not provable by structural induction in $e_a$.
Lemma 14 For any $x$ and $e$, $\cdot[x := e]^{Cu} = \cdot$ is a total, computable function of the first, open argument onto the second, open argument.
Proof From Lemma 13, observing that the unique-existence quantifier, $\exists!$, is established constructively in the proof.
By extension, Lemma 13 also establishes the decomposition of Curry's calculus as a whole into the $\Lambda^{var}$-calculus.
Lemma 15 With $(\cdot)^{-1}$ the converse of a relation, we have:

Cu)
1

Lemma 16 With ; relation composition, we have:

Cu

The Real λ-Calculus
As suggested previously, the actual calculus we are interested in is the α-collapse of $\Lambda^{var}$. Algebraically speaking, this means that we want to consider the following structure, cf. Hindley's presentation.
Definition 17 (The Real λ-Calculus)
\[
\begin{array}{lcl}
\Lambda & =_{def} & \Lambda^{var}/\!\equiv_\alpha \\
\lfloor \cdot \rfloor : \Lambda^{var} \to \Lambda & =_{def} & e \mapsto \{ e' \mid e \equiv_\alpha e' \} \\
\lfloor e_1 \rfloor \to_\beta \lfloor e_2 \rfloor & =_{def} & e_1\ (\equiv_\alpha ; \to_\beta ; \equiv_\alpha)\ e_2 \\
\lfloor e_1 \rfloor \to_\eta \lfloor e_2 \rfloor & =_{def} & e_1\ (\equiv_\alpha ; \to_\eta ; \equiv_\alpha)\ e_2
\end{array}
\]
\[
(\Rightarrow^{@})\ \frac{t_1 \Rightarrow^{@} t_1' \quad t_2 \Rightarrow^{@} t_2' \quad Capt_x(t_1') \cap FV(t_2') = \emptyset \quad x \in FV(t_1')}{(\lambda x.t_1)@t_2 \Rightarrow^{@} t_1'[x := t_2']}
\]
\[
(\mathit{lazy}\Rightarrow^{@})\ \frac{t_1 \Rightarrow^{@} t_1' \quad x \notin FV(t_1')}{(\lambda x.t_1)@t_2 \Rightarrow^{@} t_1'}
\qquad
(\mathrm{Var}_\Rightarrow)\ x \Rightarrow^{@} x
\]
\[
(\mathrm{L}_\Rightarrow)\ \frac{t \Rightarrow^{@} t'}{\lambda x.t \Rightarrow^{@} \lambda x.t'}
\qquad
(\mathrm{A}_\Rightarrow)\ \frac{t_1 \Rightarrow^{@} t_1' \quad t_2 \Rightarrow^{@} t_2'}{t_1 t_2 \Rightarrow^{@} t_1' t_2'}
\]
Figure 6: Residual-completion β-reduction
It can be shown (without too much trouble) that Curry's, Hindley's, and our relations all are pointwise identical, cf. [68]. For now, we merely present the part of that result that pertains to the current set-up.
Lemma 18 For $X \in \{\beta, \eta\}$ (any $X$, in fact), we have:
e|
X
e

| e
X
e

Proof By definition of the real relations and reflexive, transitive closure, we immediately see that
e|
X
e

| e (==

;
X
; ==

e ==

The result thus follows fairly directly from Lemma 11.
3 Residual Theory
This section shows that residual theory, i.e., the exclusive contraction of pre-existing, or marked, redexes, provides a nice setting for quantifying the computing power of the renaming-free β-relation. We use $t_i$s as meta-variables over the marked terms and we allow ourselves to use $\Lambda^{var}$-concepts for the marked terms with only implicit coercions; in particular, we assume there is an $\to^{@}_\alpha$-relation that can rename all (not just marked) abstractions.
Definition 19 (The Marked $\Lambda^{var}$-Calculus)
\[
\Lambda^{var}_{@} ::= x \mid \Lambda^{var}_{@}\,\Lambda^{var}_{@} \mid \lambda\mathcal{VN}.\Lambda^{var}_{@} \mid (\lambda\mathcal{VN}.\Lambda^{var}_{@})\,@\,\Lambda^{var}_{@}
\]
$\to^{@}_\beta$ is like $\to_\beta$ except only marked redexes, $(\lambda x.t_1)@t_2$, may be contracted (provided $Capt_x(t_1) \cap FV(t_2) = \emptyset$). We further define a residual-completion relation, $\Rightarrow^{@}$, by induction over terms that attempts to contract all (marked) redexes in one step, starting from within, cf. Figure 6.
\[
\begin{array}{lcl}
UB(x) & = & \mathrm{True} \\
UB(e_1 e_2) & = & UB(e_1) \wedge UB(e_2) \wedge (BV(e_1) \cap BV(e_2) = \emptyset) \\
UB(\lambda x.e) & = & UB(e) \wedge x \notin BV(e)
\end{array}
\]
Figure 7: The uniquely bound $\Lambda^{var}$-predicate
To address any inherent requirements for renaming in the λ-calculus, we introduce a formal notion called Barendregt Conventional Form (BCF),^6 which, as it turns out, provides a rational reconstruction of the usual (informal) Barendregt Variable Convention [5], cf. [68]. BCFs are terms where all variable names are different.
Definition 20 Cf. Figures 3 and 7:
\[
BCF(e) = UB(e) \wedge (BV(e) \cap FV(e) = \emptyset)
\]
As a first approximation to renaming-freeness, we note that it is a straightforward proof that BCFs residually complete, i.e., that all marked redexes in a BCF can be contracted from within without causing variable clashes.
Lemma 21
(BCF)

@
We also show that the residual-completion relation is functional on the full β-residual theory of a term, i.e., that residual completion always catches up with itself.
Lemma 22

@

@

@

@
Proof The right-most conjunct follows from the left-most by a simple reflexive, transitive induction in which the latter constitutes the base case. The left-most conjunct follows by a rule induction in $\Rightarrow^{@}$ for which it is paramount that redexes are enabled if $Capt_x(\cdot) \cap FV(\cdot) = \emptyset$ rather than only if $BV(\cdot) \cap FV(\cdot) = \emptyset$. Other than that, the proof is mostly straightforward, albeit big.
^6 The term was suggested to us by Randy Pollack.
\[
x \Rrightarrow_\beta x
\qquad
\frac{e \Rrightarrow_\beta e'}{\lambda x.e \Rrightarrow_\beta \lambda x.e'}
\qquad
\frac{e_1 \Rrightarrow_\beta e_1' \quad e_2 \Rrightarrow_\beta e_2'}{e_1 e_2 \Rrightarrow_\beta e_1' e_2'}
\]
\[
(\beta)\ \frac{e_1 \Rrightarrow_\beta e_1' \quad e_2 \Rrightarrow_\beta e_2' \quad FV(e_2') \cap Capt_x(e_1') = \emptyset}{(\lambda x.e_1)e_2 \Rrightarrow_\beta e_1'[x := e_2']}
\]
Figure 8: The parallel β-relation for $\Lambda^{var}$
The above property asserts that when residual completion exists, the considered divergence can be resolved as shown. The property allows us to prove that β-residual theory is renaming-free up to BCF-initiality, i.e., that no redexes are blocked by their side-condition.
Theorem 23
(BCF)

@
Proof Consider a BCF and a $\to^{@}_\beta$-reduction of it. By Lemma 21, the considered BCF also residually completes and, by Lemma 22, the thus-created divergence can be resolved by a trailing residual completion.
A subtle point of interest is that the above proof, in fact, shows that the β-residual theory of any term that residually-completes, i.e., is renaming-free if contracted from within, is renaming-free in general.
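The renaming-free machinery of Section 2 (Figures 3, 4 and 7) and the residual-completion relation of Figure 6, as one added Python example that serves both; it is not code from the thesis. It assumes terms as tuples `('var', x)`, `('app', e1, e2)`, `('lam', x, e)` and, for a marked redex $(\lambda x.t_1)@t_2$, `('mapp', x, t1, t2)`; all sample terms are constructed for the example. `subst` is the renaming-free substitution of Figure 4, `beta_enabled` is the (β) side-condition, `alpha_step` the base (α) rule, `bcf` Definition 20, and `complete` implements $\Rightarrow^{@}$ from within, returning `None` where the side-condition blocks. The examples illustrate Lemma 21: the BCF completes, the non-BCF is blocked, and one fresh-naming α-step unblocks it.

```python
# Added example, not the thesis' own code: renaming-free substitution and the
# (beta) side-condition of Figure 4, BV/Capt/UB of Figures 3 and 7, and the
# residual-completion relation of Figure 6 as a partial function.  Terms are
# tuples ('var', x), ('app', e1, e2), ('lam', x, e) and, for a marked redex
# (lambda x.t1)@t2, ('mapp', x, t1, t2).  All sample terms are constructed.

def fv(e):
    """FV(e); a marked redex counts as the application it stands for."""
    tag = e[0]
    if tag == 'var':
        return {e[1]}
    if tag == 'app':
        return fv(e[1]) | fv(e[2])
    if tag == 'lam':
        return fv(e[2]) - {e[1]}
    return (fv(e[2]) - {e[1]}) | fv(e[3])

def bv(e):
    """BV(e), Figure 3."""
    tag = e[0]
    if tag == 'var':
        return set()
    if tag == 'app':
        return bv(e[1]) | bv(e[2])
    return {e[1]} | bv(e[2]) | (bv(e[3]) if tag == 'mapp' else set())

def capt(x, e):
    """Capt_x(e), Figure 3: the binders of e that x would be captured by."""
    tag = e[0]
    if tag == 'var':
        return set()
    if tag == 'app':
        return capt(x, e[1]) | capt(x, e[2])
    if tag == 'lam':
        return ({e[1]} | capt(x, e[2])) if x in fv(e) else set()
    return capt(x, ('lam', e[1], e[2])) | capt(x, e[3])

def subst(e, x, s):
    """Renaming-free e[x := s], Figure 4: a clashing binder simply stops the
    substitution, so safety has to be checked first (beta_enabled)."""
    tag = e[0]
    if tag == 'var':
        return s if e[1] == x else e
    if tag == 'app':
        return ('app', subst(e[1], x, s), subst(e[2], x, s))
    if tag == 'lam':
        y, e0 = e[1], e[2]
        return ('lam', y, subst(e0, x, s)) if x != y and y not in fv(s) else e
    lam = subst(('lam', e[1], e[2]), x, s)
    return ('mapp', lam[1], lam[2], subst(e[3], x, s))

def beta_enabled(x, e1, e2):
    """The (beta) side-condition Capt_x(e1) ∩ FV(e2) = ∅ ('e2 is free for x in e1')."""
    return not (capt(x, e1) & fv(e2))

def alpha_step(e, y):
    """Base (alpha) rule: lambda x.e0 -> lambda y.e0[x := y]; None if y is
    inadmissible, i.e. y in Capt_x(e0) or y free in e0."""
    x, e0 = e[1], e[2]
    if y in capt(x, e0) or y in fv(e0):
        return None
    return ('lam', y, subst(e0, x, ('var', y)))

def ub(e):
    """UB(e), Figure 7: every binder name is bound exactly once."""
    tag = e[0]
    if tag == 'var':
        return True
    if tag == 'app':
        return ub(e[1]) and ub(e[2]) and not (bv(e[1]) & bv(e[2]))
    if tag == 'lam':
        return ub(e[2]) and e[1] not in bv(e[2])
    return ub(('app', ('lam', e[1], e[2]), e[3]))

def bcf(e):
    """Definition 20: Barendregt Conventional Form."""
    return ub(e) and not (bv(e) & fv(e))

def complete(t):
    """Residual completion =>@ of Figure 6, from within.  None where the (=>@)
    side-condition blocks, i.e. where implicit renaming would be needed."""
    tag = t[0]
    if tag == 'var':
        return t
    if tag == 'lam':
        b = complete(t[2])
        return None if b is None else ('lam', t[1], b)
    if tag == 'app':
        l, r = complete(t[1]), complete(t[2])
        return None if l is None or r is None else ('app', l, r)
    x, t1c = t[1], complete(t[2])
    if t1c is None:
        return None
    if x not in fv(t1c):                      # (lazy =>@): argument is dropped
        return t1c
    t2c = complete(t[3])
    if t2c is None or not beta_enabled(x, t1c, t2c):
        return None
    return subst(t1c, x, t2c)

def examples():
    """A BCF that completes (Lemma 21), a non-BCF marked redex that its
    side-condition blocks, and the same redex after one fresh alpha-step."""
    body = ('lam', 'y', ('app', ('var', 'x'), ('var', 'y')))     # lambda y.xy
    good = ('mapp', 'x', body, ('lam', 'z', ('var', 'z')))        # (lambda x.lambda y.xy)@(lambda z.z)
    blocked = ('mapp', 'x', body, ('var', 'y'))                   # (lambda x.lambda y.xy)@y
    renamed = ('mapp', 'x', alpha_step(body, 'z'), ('var', 'y'))  # (lambda x.lambda z.xz)@y
    return {'good_is_bcf': bcf(good), 'good': complete(good),
            'blocked_is_bcf': bcf(blocked), 'blocked': complete(blocked),
            'renamed': complete(renamed)}
```

The blocked case is precisely the capture that Curry's last clause would resolve by renaming; here the substitution is never attempted, and the work of choosing a fresh name is done separately by `alpha_step`, which is the orthonormality the text describes.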
4 Confluence
The previous section establishes a rather large fragment of the $\Lambda^{var}$-calculus as susceptible to primitive equational reasoning. This section summarises and elaborates on our formally verified efforts to bring this to bearing on β-confluence [68]. We also present proofs that apply the methodology to show η- and βη-confluence.
β-Confluence
The $\to_\beta$-relation does not enjoy the diamond property because a redex that is contracted in one direction of a divergence can be duplicated (or erased) in the other direction by the substitution operator. As shown by Tait and Martin-Löf, the potential divergence blow-up does not materialise because it can be controlled by parallel reduction. Please refer to Figure 8 for the $\Lambda^{var}$-version of this relation.
Lemma 24


(BCF)

[
[

[[

[
[

[[
Figure 9: The administrative proof layer for β-confluence. [Diagrams over $M_0$, $M^l_1, M^r_1, M^l_2, M^r_2, M^l_3, M^r_3$, $N_0$, $N^l_1, N^r_1$, $N_3$, with (BCF) side-conditions and $\alpha_0$-indexed steps; arrows not recoverable from the extracted text.]
Proof Rather than prove this property by an exhaustive case-splitting, thus resulting in a minimally resolving end-term, Takahashi observed that the considered diamond can be diagonalised by the relation that contracts all redexes in one step, i.e., by a maximally resolving end-term [62]. As we saw in Section 3 this is within reach of the structural proof principles of $\Lambda^{var}$.
The Full Proof Burden
A real version of the parallel β-relation on syntax can be defined along the lines of Definition 17 (which, further to Lemma 21, turns out to be the real real parallel β-relation).
Definition 25
\[
\lfloor e_1 \rfloor \Rrightarrow_\beta \lfloor e_2 \rfloor \ =_{def}\ e_1\ (\equiv_\alpha ; \Rrightarrow_\beta ; \equiv_\alpha)\ e_2
\]
In order to prove the diamond property for $\Rrightarrow_\beta$, we need some measure of commutativity between α- and β-reduction.
Fresh-Naming
As the general α-/β-commutativity result obviously is not provable, we introduce the following restricted α-relation that only uses names that have not been used already.
Definition 26
\[
e \to_{\alpha_0} e' \ =_{def}\ \exists z.\ e \to^{z}_{\alpha_i} e' \wedge z \notin FV(e) \cup BV(e)
\]
The fresh-naming α-relation can straightforwardly be proven to commute with the parallel (actually, any one-step) β-relation with the proviso that the resolving α-steps are not necessarily fresh-naming (because of β-incurred term duplication).
Lemma 27

[[

[[
Similarly, the fresh-naming α-relation can be shown to resolve α-equivalence to a BCF (although the formal proof of this is surprisingly involved, cf. [68]).
Lemma 28

(BCF)

0

0
Applying Administration
With these results in place, we can lift Lemma 24 to the real λ-calculus.
Lemma 29 (

) (

)
Proof As for the left-most conjunct, see Figure 9 for the step-by-step resolution of the definitionally-given syntactic divergence. We trust the steps are self-evident and that it can be seen that a slight adaptation of the figure also proves the right-most conjunct.
Figure 10: The administrative proof layer for η-confluence. [Two diagrams over $M_0$, $M^l_1, M^r_1, M^l_2, M^r_2, M^l_3, M^r_3$, $N_0$, $N^l_1, N^r_1$, $N_2$, $N_3$, with $\alpha_0$-indexed steps; arrows not recoverable from the extracted text.]
We are now in a position to establish β-confluence.
Theorem 30
Con(

) Con(

)
Con(

Cu

Cu)
Con(

Hi )
Proof The two top-most conjuncts are equivalent by Lemma 18. They can also be proved independently by applying the Diamond Tiling Lemma of Section 1.2.3 (not in this chapter) to the corresponding conjunct in Lemma 29. The third conjunct follows by Lemmas 15 and 16. The final conjunct follows in an analogous manner.
η-Confluence
Unlike the β-relation, η-reduction is natively renaming-free:
Lemma 31 (α/η Commutativity) Let $\to^{=}_\alpha$ be the reflexive closure of $\to_\alpha$:
Lemma 32 ( Commutativity)

Proof The left-most conjunct is straightforwardly provable by structural means. The proof of the right-most property follows from the left-most as displayed in Figure 10. The top part of the figure is a proof by the general method; the lower part is an optimised version that takes advantage of $\to_\eta$ commuting with $\to_\alpha$, not just with $\to_{\alpha_0}$.
Theorem 33 Con(

) Con(

) Con(

)
Proof The two left-most conjuncts can be established from the corresponding conjuncts in Lemma 32 by the Hindley-Rosen Lemma of Section 1.2.3 (not in this chapter). The right-most conjunct can be established either by the Commuting Confluence Lemma of Section 1.2.3 (not in this chapter) applied to the left-most conjunct and generalisations of Lemmas 11 and 31 or, alternatively, it can be observed that the two right-most conjuncts are equivalent by Lemma 18.
βη-Confluence
Since the η-relation is natively renaming-free and the β-relation relies on the α-relation, we must show that α commutes with combined βη-reduction in order to apply the Commuting Confluence Lemma of Section 1.2.3 (not in this chapter).
Lemma 34

Proof The proof of the left-most conjunct is straightforward. The α-step in the resolution on the right is needed for the obvious divergence on $\lambda x.(\lambda y.e)x$, with $x \neq y$. The middle conjunct combines the left-most conjunct and Lemma 31. The right-most conjunct follows from the middle by the Hindley-Rosen Lemma of Section 1.2.3 (not in this chapter).
Lemma 35

Figure 11: The administrative proof layer for βη-confluence. [Two diagrams over $M_0$, $M^l_1, M^r_1, M^l_2, M^r_2, M^l_3, M^r_3$, $N_0$, $N^l_1, N^r_1$, $N_1$, $N_3$, with $\alpha_0$-indexed steps; arrows not recoverable from the extracted text.]
Proof Figure 11 shows how the left-most conjunct follows from the left-most conjunct of Lemma 34. The top part of the figure is by the general method; the lower part is an optimisation based on (full) α-commutativity, Lemma 31. The right-most conjunct follows by the Hindley-Rosen Lemma of Section 1.2.3 (not in this chapter).
Theorem 36 Con(

) Con(

)
Proof We first observe that the two conjuncts are equivalent by Lemma 18. They can also be proved independently by the Commuting Confluence Lemma of Section 1.2.3 (not in this chapter) applied to Theorems 30 and 33 as well as Lemmas 35 and 34, respectively.
5 α-Decidability
One might think that a suitable adaptation of Lemma 28 would allow us to conclude that α-equivalence is decidable [57]. This is not obviously so as we shall see in this section. In fact, we have been unable to find a correct proof of the result in the literature. The problem is to ensure that the choice of variable names in the resolution is computable.
\[
(\mathrm{Var})\ x \to^{\langle\rangle}_{\alpha^{io}_0} x
\qquad
(\lambda)\ \frac{e \to^{\vec z}_{\alpha^{io}_0} e' \quad z \notin \{\vec z\} \quad \{z, \vec z\} \cap Var(\lambda x.e) = \emptyset}{\lambda x.e \to^{z\,\vec z}_{\alpha^{io}_0} \lambda z.e'[x := z]}
\]
\[
(\mathrm{A})\ \frac{e_1 \to^{\vec x}_{\alpha^{io}_0} e_1' \quad e_2 \to^{\vec y}_{\alpha^{io}_0} e_2' \quad \{\vec x\} \cap \{\vec y\} = \emptyset \quad \{\vec x\} \cap Var(e_2) = \emptyset \quad \{\vec y\} \cap Var(e_1) = \emptyset}{e_1 e_2 \to^{\vec x\,\vec y}_{\alpha^{io}_0} e_1' e_2'}
\]
Figure 12: Indexed, one-step, inside-out, complete fresh-naming
We first define the fresh-naming α-relation as a computable function in Figure 12. A salient feature of the figure is that it allows us to prove that the defined function respects $\twoheadrightarrow_{\alpha_0}$ (and we note that even the slightest change in the definition can obstruct the proof of this result and that we reverse the order in which we use the $z_i$). We index the reflexive, transitive closure of the fresh-naming $\to_{\alpha_0}$-relation, $\twoheadrightarrow_{\alpha_0}$, with a vector of variable names, one for each base step, e.g., $e_1 \twoheadrightarrow^{z_1 z_2}_{\alpha_0} e_2 \ =\ e_1 \to^{z_1}_{\alpha_0} ; \to^{z_2}_{\alpha_0} e_2$.
Lemma 37
\[
e_a \to^{\vec z}_{\alpha^{io}_0} e_a' \ \Rightarrow\ e_a \twoheadrightarrow^{\vec z}_{\alpha_0} e_a'
\]
Unfortunately, we cannot prove the equivalent of Lemma 28 as it stands because (i) $\to^{\vec z}_{\alpha^{io}_0}$ is not contextually closed as there is the possibility of a clash between any vector of fresh variable names and the bound name of an abstraction and (ii) the transitive step in the needed $\equiv_\alpha$-induction is obstructed by the fact that we do not know which fresh variable names are produced in the induction step:
[Diagram with nodes $M_1, M_2, M_3, N_1, N_2$ and fresh-naming steps indexed by $\vec x$ and $\vec y$; arrows not recoverable from the extracted text.]
The wider problem is that we cannot guarantee anything about $M_2$, which means that it can break any variable-name condition we might consider for an adaptation of Lemma 28. We can, furthermore, see that universally quantifying $\vec z$ over any fresh names will fail for the same reason although we, in fact, need exactly this result to ensure the computability of the resolving $\vec z$. As we cannot pursue either of these results in isolation, we prove instead the surprising fact that existentially and universally quantifying the used fresh variable names (in the right amount) result in equivalent properties.
Lemma 38 Informally speaking, we have:
\[
\Big(\exists \vec z.\ \vec z \text{ fresh and right amount} \wedge [\text{diagram in } \vec z]\Big)
\ \Leftrightarrow\
\Big(\forall \vec z.\ \vec z \text{ fresh and right amount} \Rightarrow [\text{diagram in } \vec z]\Big)
\]
Proof
Case $\Leftarrow$: Given α-equal $e_1$ and $e_2$, identify enough fresh variable names by applying $Fresh(\cdot)$ repeatedly and, subsequently, invoke the assumed property (the right-hand side of the equivalence).
Case $\Rightarrow$:^7 Assume the left-hand side of the equivalence and construct the following two commutative diagrams by repeatedly using the two lemmas that say that (i) we can $\to_{\alpha^{io}_0}$-reduce any term provided we use fresh $\vec z$ and (ii) $\to_{\alpha^{io}_0}$ is transitive if the $\vec z$ of the second step are fresh with respect to the start term of the first step, as well.
[Two diagrams: on the left over $M_1, M_2, N_1, N_2, N_3$ with fresh-naming steps indexed by $\vec z$, $\vec x$ and $\vec y$; on the right over $M_1, M_2, N_1, N_2', N_3'$ with steps indexed by $\vec z$, $\vec s$ and $\vec t$; arrows not recoverable from the extracted text.]
By introducing the $N_2$ (on the left), we see that we strengthen the "for some $\vec z$" to "for any $\vec x$ that are fresh with respect to $N_1$, $M_1$, and $M_2$". Unfortunately, this does not suffice as the variables in $N_1$ are still excluded from consideration. Constructing the $N_2'$ on the right allows us to use variables, $\vec s$, that are fresh with respect to any specific $\vec x$ as well as $N_1$, $M_1$, and $M_2$. By subsequently adding the layers of $N_3$ and $N_3'$, we can on the one hand use any $\vec y$ that are fresh with respect to $M_1$, $M_2$, and any specific $\vec x$. On the other hand, we can also use any $\vec t$ that are fresh with respect to $M_1$, $M_2$, and any specific $\vec s$. As $\vec s$ are fresh with respect to any specific $\vec x$ by construction, we are thus able to use any variable names, $\vec y$ or $\vec t$, that are fresh with respect to just $M_1$ and $M_2$.
^7 The following direct proof is also possible although it does not have the generic flavour the main proof has by virtue of being "zero-knowledge". Consider the left-most diagram in the main proof. We are trying to prove that any fresh $\vec y$ can be used for the resolution but we do not know that $\vec y$ and $\vec z$ are disjoint and, so, cannot use $\vec y$ up-front. Pick, instead, some totally fresh $\vec x$ as an intermediate step, as shown in the diagram. (With thanks to Jamie Gabbay.)
This type of property is called a Some/Any Property, cf. the ad hoc presentation in [42] and the native presentation in [19]. The strength of the above lemma lies in the fact that the equivalence, combined with the $Fresh(\cdot)$ function, allows us to recompute I.H.-given fresh names when needed. This means that we can give a direct proof of either (well, both) of the equivalent properties in Lemma 38.
Theorem 39 $\equiv_\alpha$ is decidable.
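A decision procedure for $\equiv_\alpha$ by complete fresh-naming, as an added Python example; it is neither the thesis' proof nor its code. Both terms are renamed with the same vector of names that is fresh for both (the "fresh and right amount" of Lemma 38), after which α-equivalent terms are syntactically equal in the sense of $=_{\Lambda^{var}}$ and non-equivalent terms stay different. Unlike Figure 12, which renames inside-out via $e'[x := z]$, the example hands the fresh names out outside-in through an environment; that ordering, the counter-based `fresh_vector`, and the tuple encoding `('var', x)`, `('app', e1, e2)`, `('lam', x, e)` are assumptions of the example.

```python
# Added example, not the thesis' proof or code: deciding e1 ≡α e2 (Theorem 39)
# by complete fresh-naming with ONE vector of names fresh for both terms.
# Unlike Figure 12 (inside-out, via e′[x := z]) the binders are renamed
# outside-in through an environment; that ordering is an assumption here.
# Terms are tuples ('var', x), ('app', e1, e2), ('lam', x, e).

def var_names(e):
    """Var(e): every name occurring in e, free or bound."""
    if e[0] == 'var':
        return {e[1]}
    if e[0] == 'app':
        return var_names(e[1]) | var_names(e[2])
    return {e[1]} | var_names(e[2])

def binder_count(e):
    """Number of abstractions, i.e. the 'right amount' of fresh names."""
    if e[0] == 'var':
        return 0
    if e[0] == 'app':
        return binder_count(e[1]) + binder_count(e[2])
    return 1 + binder_count(e[2])

def fresh_vector(avoid, n):
    """n names z1, z2, ... outside `avoid`: a counter-based Fresh(), which is
    one admissible choice under Assumption 8 (an assumption of this example)."""
    names, i = [], 1
    while len(names) < n:
        if 'z%d' % i not in avoid:
            names.append('z%d' % i)
        i += 1
    return names

def rename(e, names, env=None):
    """Complete fresh-naming: each binder takes the next name of `names`
    (outside-in, left to right); bound occurrences follow through `env`,
    free occurrences are left alone.  `names` is consumed."""
    env = {} if env is None else env
    if e[0] == 'var':
        return ('var', env.get(e[1], e[1]))
    if e[0] == 'app':
        return ('app', rename(e[1], names, env), rename(e[2], names, env))
    z = names.pop(0)
    return ('lam', z, rename(e[2], names, {**env, e[1]: z}))

def alpha_equivalent(e1, e2):
    """e1 ≡α e2 iff the two fresh-namings coincide syntactically.  Renaming
    with names fresh for both terms is itself an alpha-equivalence, and two
    alpha-equivalent terms have the same binder structure, so they receive the
    same names in the same places."""
    n = max(binder_count(e1), binder_count(e2))
    vec = fresh_vector(var_names(e1) | var_names(e2), n)
    return rename(e1, list(vec)) == rename(e2, list(vec))
```

Because the vector is computed from `var_names` of both inputs, no fresh name can clash with a bound name of either term, which is the contextual-closure problem (i) noted above; computing it once up front, rather than inside an induction, is what makes the choice of names deterministic.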
6 Residual β-Confluence
We say that the reflexive, transitive closure of a residual relation is the associated development relation, a step of which is said to be complete if the target term does not contain a mark, $unMarked(\cdot)$. With this terminology in place, we define a weakened version of the strong finite development property.^8
Definition 40 Let $\to^{@}$ be the residual relation of $\to$. We say that $\to$ enjoys the strong weakly-finite development property, $SWFDP(\to)$, if
1. $t \twoheadrightarrow^{@} t' \ \Rightarrow\ \exists t''.\ t' \twoheadrightarrow^{@} t'' \wedge unMarked(t'')$ (developments can be completed)
2. $t \twoheadrightarrow^{@} t_i \wedge unMarked(t_i)$, $i \in \{1, 2\}$ $\ \Rightarrow\ t_1 = t_2$ (completions are unique)
To motivate the name of the property, we see that, indeed:
Proposition 41 $SWFDP(\to) \Rightarrow WN(\to^{@})$^9
Proof By Definition 40, 1. and reflexivity of $\twoheadrightarrow^{@}$.
^8 The strong finite development property also requires that the residual relation is strongly normalising. It is typically used to prove (residual) confluence.
^9 The predicate $WN(\cdot)$ stands for Weak Normalisation and means that it is possible to reduce all terms to a normal form although (a different) reduction may also diverge.
Surprisingly, perhaps, we have that already the SWFDP implies residual confluence.
Lemma 42 $SWFDP(\to) \Rightarrow Con(\to^{@})$
Proof Consider the following divergence: $M \twoheadrightarrow^{@} M_1$ and $M \twoheadrightarrow^{@} M_2$. By Definition 40, 1., there exist $N_1$, $N_2$, such that $unMarked(N_1)$, $unMarked(N_2)$ and $M_1 \twoheadrightarrow^{@} N_1$, $M_2 \twoheadrightarrow^{@} N_2$. By transitivity of $\twoheadrightarrow^{@}$ and Definition 40, 2., we see that, in fact, $N_1 = N_2$ and we are done.
With direct reference to Section 3, we define the following property, which is fairly easily proven to be equivalent to the SWFDP.
Definition 43 A relation, $\to$, enjoys the residual-completion property, $RCP(\to)$, if there exists a residual-completion relation, $\Rightarrow^{@}$, such that:
1. $\Rightarrow^{@} \subseteq \twoheadrightarrow^{@}$ (residual-completion is a development)
2. [diagram involving $NF_{\to^{@}}$ not recoverable from the extracted text] (residual-completion totally completes)
3. [diagram not recoverable from the extracted text] (residual-completion is residually co-final)
Lemma 44 $RCP(\to) \Leftrightarrow SWFDP(\to)$
Our interest in the RCP is its constructive nature, in particular when the residual-completion relation is defined as a computable function the way we did in Section 3.
Lemma 45 $RCP(\to_\beta) \wedge SWFDP(\to_\beta)$
Proof We prove the left-most conjunct, according to the clauses of Definition 43. Clause 1. follows from the easily established fact that $\Rightarrow^{@} \subseteq \twoheadrightarrow^{@}_\beta$. Clause 2 follows from Lemmas 21 and 28. Finally, Clause 3 is proved as shown in Figure 13.
Figure 13: The administrative proof layer for β-residual completion. [Three diagrams over $M_1$, $M^t_2, M^t_3, M^t_4$, $M^b_2, M^b_3, M^b_4$, $N_1$, $N^t_2$, $N^b_2$ with steps labelled $@$ and $\alpha_0$; arrows not recoverable from the extracted text.]
Theorem 46 Con(

@) Con(

@)
We see that $SN(\to^{@}_\beta)$ (i.e., the difference between the SWFDP and the strong finite development property) is not needed for concluding confluence from a residual analysis of the β-relation although, sometimes, the opposite view is presented [5, p.283]. Strong finite development essentially implies confluence through Newman's Lemma, thus relying crucially on the (non-equational) SN-property for the residual relation. We think the above development is a nice purification of the equational import of residual theory (see also [28, 35]).
7 η-over-β-Postponement
As well as condensing Tait and Martin-Löf's use of parallel β-reduction for proving β-confluence, Takahashi [62] also shows how to adapt the parallel-reduction technology to other typical situations in the equational theory of the λ-calculus. One such situation is for proving η-over-β-postponement, cf. Figure 14. The proof presented by Takahashi [62] essentially goes through up to BCF-initiality as it stands, albeit not completely. Rather than focusing on the low-level technical details, this section merely shows the Administrative and Abstract proof layers of our formalisation of Takahashi's proof.
The notion of commutativity that we have considered so far is orthogonal in nature to that employed in the η-over-β-postponement theorem. Whereas the former can be described as divergence commutativity, this section focuses on composition commutativity.
\[
(\eta)\ \frac{x \notin FV(e) \quad e \Rrightarrow_\eta e'}{\lambda x.ex \Rrightarrow_\eta e'}
\qquad
\frac{e \Rrightarrow_\eta e'}{\lambda x.e \Rrightarrow_\eta \lambda x.e'}
\qquad
\frac{e_1 \Rrightarrow_\eta e_1' \quad e_2 \Rrightarrow_\eta e_2'}{e_1 e_2 \Rrightarrow_\eta e_1' e_2'}
\qquad
x \Rrightarrow_\eta x
\]
Figure 14: The parallel η-relation for $\Lambda^{var}$
Figure 15: The administrative proof layer for η-postponing. [Two diagrams over $M_1, \ldots, M_7$ and $N_1, \ldots, N_4$ with (BCF) side-conditions; arrows not recoverable from the extracted text.]
Lemma 47 (Stated as a diagram in the original.) From a BCF, a parallel $\eta$-step followed by a parallel $\beta$-step commutes into a parallel $\beta$-step followed by a parallel $\eta$-step.

Proof The parallel $\eta$-relation is used to allow for the duplication of an $\eta$-redex by the $\beta$-contraction when the latter is performed first. The parallel $\beta$-relation, on the other hand, is used, e.g., for the following situation:
$$(\lambda x.(\lambda y.e_1)x)e_2 \to_{\eta} (\lambda y.e_1)e_2 \to_{\beta} e_1[y := e_2]$$
This reduction sequence commutes into a leading parallel $\beta$-step with a trailing $\eta$-step, which in this case is reflexive:
$$(\lambda x.(\lambda y.e_1)x)e_2 \Rightarrow_{\beta} e_1[y := x][x := e_2]$$
BCF-initiality is used to enable the double (n-fold, in general) substitution in the commuted reduction sequence.

Lemma 48 (Stated as a diagram in the original.) The commutation of Lemma 47 for arbitrary start terms, with the commuted sequence taken up to $\alpha$.

Proof Please refer to Figure 15 for the details of the proof. A novel aspect in the proof is the existence of an $\alpha_0$-step from $M_5$ to $N_2$. By construction, we know that the two terms are $\alpha$-equivalent. A simple lemma shows that $N_2$ is a BCF because $\eta$-reduction preserves BCFs. The final result we need (i.e., that $\alpha_0$-reduction can reach any BCF that is $\alpha$-equivalent to the start term) can also be proved by structural means but it is not as straightforward as could be imagined.

With the one necessary technical lemma in place, we present the postponement theorem.

Theorem 49 ($\eta$-over-$\beta$-Postponement; stated as a diagram in the original.)

Proof By reflexive, transitive induction in the considered reflexive-transitive closure. The only interesting case is the transitive case, which follows in a manner akin to the Hindley-Rosen Lemma of Section 1.2.3 (not in this chapter) using Lemma 48.
8 $\beta$-Standardisation

Standardisation is also a composition-commutativity result like postponement. It is a very powerful result that, informally speaking, says that any reduction sequence can be executed by contracting in a left-to-right order, possibly skipping some redexes. Standardisation implies rewriting results such as the left-most reduction lemma [5, 62] and, in a wider perspective, guarantees the existence of evaluation-order independent semantics [53].

Figure 16: Weak-head $\beta$-reduction
$$\frac{\mathrm{Capt}_x(e_1) \cap \mathrm{FV}(e_2) = \emptyset}{(\lambda x.e_1)e_2 \to_{wh} e_1[x := e_2]}\ (\beta_{wh}) \qquad \frac{e_1 \to_{wh} e_1'}{e_1 e_2 \to_{wh} e_1' e_2}\ (@_{wh})$$
Figure 17: Inner and parallel inner $\beta$-reduction
$$\frac{e_1 \to_{I} e_1'}{e_1 e_2 \to_{I} e_1' e_2}\ (@_{I1}) \qquad \frac{e_2 \to_{\beta} e_2'}{e_1 e_2 \to_{I} e_1 e_2'}\ (@_{I2}) \qquad \frac{e \to_{\beta} e'}{\lambda x.e \to_{I} \lambda x.e'}\ (\lambda_{I})$$
$$\frac{}{x \Rightarrow_{I} x}\ (\mathrm{Var}_{\Rightarrow I}) \qquad \frac{e_1 \Rightarrow_{I} e_1' \qquad e_2 \Rightarrow_{\beta} e_2'}{e_1 e_2 \Rightarrow_{I} e_1' e_2'}\ (@_{\Rightarrow I}) \qquad \frac{e \Rightarrow_{\beta} e'}{\lambda x.e \Rightarrow_{I} \lambda x.e'}\ (\lambda_{\Rightarrow I})$$


This section addresses three different approaches to proving standardisation due to Mitschke [44], Plotkin [53], and David [10], respectively. The three approaches are fairly closely related, with Plotkin's proof bridging the other two, so to speak. Mitschke's and Plotkin's proofs both use semi-standardisation while David's and Plotkin's both can be described as absorption standardisation. As it turns out, only Plotkin's approach is formalisable with the proof principles we are considering (exactly because it does not overuse one or the other approach). We shall examine the failures of the other two proofs closely.

Hereditary Semi-Standardisation

In this section, we shall pursue a slight adaptation of Takahashi's adaptation [62] of Mitschke's proof [44]. Instead of head and a corresponding notion of inner reduction, we base the proof on weak-head reduction [42]. This does not affect the formal status of the proof technique but does allow us to reuse the results of this section when pursuing Plotkin's approach. The main proof burden is to show that (weak-)head redexes can be contracted before any inner redexes, so-called semi-standardisation.
[Figure 18: The administrative proof layer for weak-head before inner parallel decomposition (commuting diagram over $N_1$, $N_2$, $N_3$ and $M_1,\ldots,M_4$, BCF-initial, with $\alpha_0$-, $\to_{wh}$- and parallel edges).]

[Figure 19: The administrative proof layer for parallelization of weak-head after inner (commuting diagram over $M_1,\ldots,M_7$ and $N_1$, $N_2$, $N_3$ with BCF and wBCF corners and $\alpha_0$-, $\alpha_1$-, $\Rightarrow_I$- and $\to_{wh}$-edges).]
Definition 50 Weak-head $\beta$-reduction, $\to_{wh}$, is defined in Figure 16. The corresponding (strong) inner, $\to_{I}$, and parallel inner, $\Rightarrow_{I}$, $\beta$-relations are defined in Figure 17.
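As an added example, not code from the thesis, the following Python sketch implements the relations of Figures 16 and 17 on first-order abstract syntax with named variables: free variables, the capture set $\mathrm{Capt}_x(e)$ (read here, as an assumption, as the binders met on the way from the root to a free occurrence of $x$), naive non-renaming substitution, one weak-head step, all one-step $\beta$- and inner reducts, and a check of the case-split used in the proof of Theorem 58, namely that a $\beta$-step is either a weak-head step or an inner step. The term constructors, the function names, the sample terms and the reading of $\mathrm{Capt}$ are the example's own choices.

```python
# Added example (not from the thesis): weak-head and inner beta-steps on
# first-order abstract syntax over one-sorted variable names (Figures 16, 17).
from dataclasses import dataclass
from typing import List, Optional, Set, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"


@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"


Term = Union[Var, App, Lam]


def fv(e: Term) -> Set[str]:
    """FV(e): the free variable names of e."""
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, App):
        return fv(e.fun) | fv(e.arg)
    return fv(e.body) - {e.var}


def capt(x: str, e: Term) -> Set[str]:
    """Capt_x(e), read here (an assumption) as the binders met on the way from the
    root of e to a free occurrence of x: the names a naive e[x := s] could capture."""
    if isinstance(e, Var):
        return set()
    if isinstance(e, App):
        return capt(x, e.fun) | capt(x, e.arg)
    if e.var == x or x not in fv(e.body):
        return set()
    return {e.var} | capt(x, e.body)


def subst(e: Term, x: str, s: Term) -> Term:
    """Naive (non-renaming) e[x := s]; only meaningful when capt(x, e) and fv(s)
    are disjoint, which is exactly the side-condition of (beta_wh)."""
    if isinstance(e, Var):
        return s if e.name == x else e
    if isinstance(e, App):
        return App(subst(e.fun, x, s), subst(e.arg, x, s))
    return e if e.var == x else Lam(e.var, subst(e.body, x, s))


def wh_step(e: Term) -> Optional[Term]:
    """One weak-head step (Figure 16), or None. A head redex whose side-condition
    fails is not contracted: no renaming is ever performed, so the term is stuck."""
    if isinstance(e, App):
        if isinstance(e.fun, Lam):                                   # (beta_wh)
            if capt(e.fun.var, e.fun.body) & fv(e.arg):
                return None
            return subst(e.fun.body, e.fun.var, e.arg)
        f = wh_step(e.fun)                                           # (@_wh)
        return None if f is None else App(f, e.arg)
    return None


def beta_steps(e: Term) -> List[Term]:
    """All one-step beta-reducts of e (redex anywhere, same side-condition)."""
    out: List[Term] = []
    if isinstance(e, App):
        if isinstance(e.fun, Lam) and not (capt(e.fun.var, e.fun.body) & fv(e.arg)):
            out.append(subst(e.fun.body, e.fun.var, e.arg))
        out += [App(f, e.arg) for f in beta_steps(e.fun)]
        out += [App(e.fun, a) for a in beta_steps(e.arg)]
    elif isinstance(e, Lam):
        out += [Lam(e.var, b) for b in beta_steps(e.body)]
    return out


def inner_steps(e: Term) -> List[Term]:
    """All one-step inner reducts (Figure 17): a beta-step anywhere but the head."""
    out: List[Term] = []
    if isinstance(e, App):
        out += [App(f, e.arg) for f in inner_steps(e.fun)]           # (@_I1)
        out += [App(e.fun, a) for a in beta_steps(e.arg)]            # (@_I2)
    elif isinstance(e, Lam):
        out += [Lam(e.var, b) for b in beta_steps(e.body)]           # (lambda_I)
    return out


def decomposes(e: Term) -> bool:
    """The case-split in the proof of Theorem 58: ->beta is the union of ->wh and ->I."""
    wh = wh_step(e)
    return set(beta_steps(e)) == set(inner_steps(e)) | ({wh} if wh is not None else set())


def show(e: Term) -> str:
    """Concrete syntax: application binds stronger than abstraction, left-associative."""
    if isinstance(e, Var):
        return e.name
    if isinstance(e, Lam):
        return f"λ{e.var}.{show(e.body)}"
    f, a = show(e.fun), show(e.arg)
    f = f"({f})" if isinstance(e.fun, Lam) else f
    a = a if isinstance(e.arg, Var) else f"({a})"
    return f"{f} {a}"


# Constructed sample inputs: the start term of the Non-Lemma 54 counter-example,
# and a head redex that is blocked by a variable clash.
OMEGA_LIKE = App(Lam("s", App(Var("s"), Var("s"))), Lam("x", Lam("y", App(Var("x"), Var("y")))))
CLASH = App(Lam("x", Lam("y", App(Var("x"), Var("y")))), Var("y"))
```

Iterating `wh_step` from `OMEGA_LIKE` gives `(λx.λy.x y) (λx.λy.x y)`, then `λy.(λx.λy.x y) y`, then `None` (an abstraction has no weak-head redex); `wh_step(CLASH)` is `None` because `y` would be captured, which is the renaming problem the side-condition of $(\beta_{wh})$ rules out rather than repairs.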
Lemma 51 (Stated as two diagrams in the original.) From a BCF, a parallel $\beta$-step decomposes into weak-head $\beta$-steps followed by a parallel inner step; the same holds for arbitrary start terms up to $\alpha$.

Proof Please refer to Figure 18 for the proof of the right-most conjunct based on the left-most conjunct, which, in turn, is proved by rule induction in $\Rightarrow_{\beta}$.

The use of BCF-initiality in the left-most conjunct above guarantees that weak-head redexes can be contracted without waiting for the contraction of an inner redex to eliminate a variable clash.

Lemma 52 (Stated as two diagrams in the original.) From a BCF, a parallel inner step followed by a weak-head step is contained in a single parallel $\beta$-step; the same holds for arbitrary start terms up to $\alpha$.

Proof Please refer to Figure 19 for the proof of the right-most conjunct based on the left-most. We first note that the figure invokes the obvious adaptation of Lemma 27 to $\Rightarrow_{I}$. Although the proof as a whole is similar to that of $\eta$-over-$\beta$-postponement, cf. Lemma 48, we do not have that $\Rightarrow_{I}$ preserves BCFs, as is the case with $\eta$-reduction there. Instead, we can introduce a weakened notion of BCF, wBCF, that allows identical binders to occur in adjacent positions (but not nested and not coinciding with any free variables) and show that $\Rightarrow_{I}$ sends BCFs to wBCFs. In the same manner that $\alpha_0$-reduction and the BCF-predicate correspond to each other, we can introduce an $\alpha_1$-relation that corresponds to the wBCF-predicate. The $\alpha_1$-relation is less well-behaved than the $\alpha_0$-relation but we can, at least, show that it commutes with $\to_{\beta}$ (and thus $\to_{wh}$), up to $\alpha$-resolution. The left-most conjunct of the lemma follows by rule induction in $\Rightarrow_{I}$.

Lemma 53 (Semi-Standardisation; stated as a diagram in the original.) Any $\beta$-reduction sequence can be rearranged into weak-head steps followed by parallel inner steps.

Proof From Lemmas 51 and 52, cf. the obvious reflexive, transitive generalisation of Lemma 56 in the transitive case.

At this point, the idea is to case-split on the $\Rightarrow_{I}$ in Lemma 53 and show that the sub-terms in which the outgoing $\Rightarrow_{I}$-step consists of ordinary $\beta$-steps themselves can be semi-standardised, and so on. Unfortunately, the $\Rightarrow_{I}$ is quantified over $\alpha$-equivalence classes, for which it is by no means obvious whether we can perform the required case-splitting. We have found no satisfactory formal solution to this impasse and consider it unlikely that one exists.
Absorptive Weak-Head Standardisation

Plotkin [53] defines standardisation as the least contextually-closed relation on terms that enjoys left-absorptivity over weak-head reduction. The following presentation of the proof methodology owes a great debt to McKinna and Pollack [42]. The difference between their and our presentation is that we focus on provability with structural induction, etc., while they work with an alternative syntactic framework that is derived from first-order abstract syntax with two-sorted variable names. The proof requirements in their setting and in ours are substantially different as a result.

A First (Failing) Approach A first approach, which immediately fails, is to define Plotkin's relation directly on terms:
$$\frac{e \to_{wh} e' \qquad e' \sim_{P} e''}{e \sim_{P} e''} \qquad \frac{}{x \sim_{P} x} \qquad \frac{e_1 \sim_{P} e_1' \qquad e_2 \sim_{P} e_2'}{e_1 e_2 \sim_{P} e_1' e_2'} \qquad \frac{e \sim_{P} e'}{\lambda x.e \sim_{P} \lambda x.e'}$$

[Figure 20: Failed administrative proof layer for left-absorptivity of progression standardisation (two attempted commuting diagrams over $M_1,\ldots,M_7$, $N_1$, $N_2$ (resp. $N_2^{a}$, $N_2^{b}$), $N_3$ with BCF/wBCF corners and $\alpha_0$-steps).]
As standardisation pertains to all $\beta$-reductions (i.e., the full $\beta$-relation, not just its renaming-free fragment), the naive approach needs the full $\lambda$-calculus to be renaming-free, which it is not. The problem manifests itself in the required administrative proof layer for the standardisation property and its exact nature is of independent interest. The point is that, despite the fact that we can prove the following key property,$^{10}$ we cannot prove full standardisation but at most standardisation of the renaming-free fragment of the $\Lambda_{\mathrm{var}}$-calculus.
$$(\mathrm{BCF})\qquad {\to_{\beta}} \cdot {\sim_{P}} \;\subseteq\; {\sim_{P}}$$
Please refer to Figure 20 for the only two approaches to the administrative proof layer for the following property, which is derived from the one above.

$^{10}$ Coincidentally, it is interesting to note that the proof of the property can only be conducted by rule induction in $\sim_{P}$ and not in $\to_{\beta}$.

Non-Lemma 54 ${\to_{\beta}} \cdot {\sim_{P}} \subseteq {\sim_{P}}$

The left-most diagram in the figure attempts to align itself with Figure 15, which fails because $\sim_{P}$ only commutes with $\alpha_0$. The right-most diagram adheres to this and fails because of the inserted $\alpha_0$, which we cannot incorporate into the syntactic version of the property. More generally, the following counter-example shows that the sought-after property is, in fact, false.
$$(\lambda s.ss)(\lambda x.\lambda y.xy) \to_{\beta} (\lambda x.\lambda y.xy)(\lambda x.\lambda y.xy)$$
We can turn the end-term into an $\alpha$-equivalent BCF, as it happens, which standardises:
$$(\lambda x_1.\lambda y_1.x_1 y_1)(\lambda x_2.\lambda y_2.x_2 y_2) \sim_{P} \lambda y_1.\lambda y_2.y_1 y_2$$
As the end-term of this step uses the two $y$ copies nested within each other, we see that the original start term does not standardise directly to it.
Combining Term Structure and $\alpha$-Collapsed Reduction In order to avoid these problems, we adapt the above definition slightly.

Definition 55
$$\frac{e|_{\alpha} \to_{wh} e'|_{\alpha} \qquad e' \sim_{wh} e''}{e \sim_{wh} e''}\ (wh_{\mathrm{pre}}) \qquad \frac{}{x \sim_{wh} x}\ (V_{\sim wh})$$
$$\frac{e_1 \sim_{wh} e_1' \qquad e_2 \sim_{wh} e_2'}{e_1 e_2 \sim_{wh} e_1' e_2'}\ (@_{\sim wh}) \qquad \frac{e \sim_{wh} e'}{\lambda x.e \sim_{wh} \lambda x.e'}\ (\lambda_{\sim wh})$$

The definition mixes the advantages of being able to define relations inductively over terms with the use of reduction in the real $\lambda$-calculus to avoid issues of renaming. Note, however, that, further to the failed proof of Lemma 4, it is by no means obvious whether this mixture will lend itself to primitive structural reasoning. The proof-technical issue surfaces in the $(\lambda_{\sim wh})$-case of the proof of Lemma 57.

Lemma 56 (Stated as a diagram in the original.) A parallel inner step followed by weak-head steps can be rearranged into weak-head steps followed by a parallel inner step.

Proof The property can be derived from Lemmas 51 and 52 based on a suitable adaptation of the Hindley-Rosen Lemma of Section 1.2.3 (not in this chapter).
[Figure 21: The administrative proof layer for the $(\lambda_{\sim wh})$-case of Lemma 57 (commuting diagram over $\lambda y.e_1$, $\lambda y'.e_1'$, $\lambda y'.e_2'$, $\lambda x.e_2$, $\lambda x.e_3$, $\lambda x.e_0$ and $\lambda x.e_0'$, with $\Rightarrow_{I}$- and $\to_{wh}$-edges).]
The key technical lemma in the present standardisation proof development is the following absorption property.

Lemma 57 $e_1|_{\alpha} \Rightarrow_{I} e_2|_{\alpha} \;\wedge\; e_2 \sim_{wh} e_3 \;\Rightarrow\; e_1 \sim_{wh} e_3$

Proof The proof is by rule induction in $\sim_{wh}$ and uses Lemma 56 before applying the I.H. and the definitional left-absorptivity over weak-head reduction when needed. As far as administration is concerned, the only interesting case is for abstraction.

Case $(\lambda_{\sim wh})$: We are considering the following situation.
$$\lambda y.e_1 \equiv_{\alpha} \lambda y'.e_1' \Rightarrow_{I} \lambda y'.e_2' \equiv_{\alpha} \lambda x.e_2 \sim_{wh} \lambda x.e_3$$
By Definition 50 and the case, we have $e_1' \Rightarrow_{\beta} e_2'$ and $e_2 \sim_{wh} e_3$. If $y' = x$, we can prove $e_2' \equiv_{\alpha} e_2$, which means that we are considering $e_1'|_{\alpha} \Rightarrow_{\beta} e_2'|_{\alpha} \sim_{wh} e_3$, so to speak. From Lemma 51, we thus have: $e_1'|_{\alpha} \to_{wh}^{*} e_1''|_{\alpha} \Rightarrow_{I} e_2''|_{\alpha} \sim_{wh} e_3$. An application of the I.H. and an invocation of the $(wh_{\mathrm{pre}})$-rule will then give us that $e_1' \sim_{wh} e_3$ and we have $\lambda x.e_1' \sim_{wh} \lambda x.e_3$ by the $(\lambda_{\sim wh})$-rule. A final (reflexive) application of the $(wh_{\mathrm{pre}})$-rule thus finishes the case: $\lambda y.e_1 \sim_{wh} \lambda x.e_3$.

Unfortunately, we can not guarantee $y' = x$. Instead, Figure 21 shows how to overcome this using our general administrative proof-layer technology, cf. Figure 2. Based on the upper line, we first rewrite $\lambda y'.e_1'$ to (the BCF) $\lambda x.e_0$. The commuting square involving $\lambda x.e_0'$ can then be constructed by an adaptation of Lemma 27 and the diagram can finally be closed based on Lemma 11. To show that $\lambda y.e_1$ $\sim_{wh}$-standardises to $\lambda x.e_3$, first apply the reasoning above to show that $\lambda x.e_0$ does and, then, use the $(wh_{\mathrm{pre}})$-rule reflexively to show the result we are after.

Other Cases: Fairly straightforward.

Theorem 58 $e_1|_{\alpha} \to_{\beta}^{*} e_2|_{\alpha} \;\Rightarrow\; e_1 \sim_{wh} e_2$

Proof By reflexive, left-transitive induction in $\to_{\beta}^{*}$. The reflexive case is a straightforward structural induction. The left-transitive case follows by an I.H.-application followed by a case-split on the considered $\to_{\beta}$-step into $\to_{wh}$ and $\to_{I}$ (seeing that we can show that the union of the latter two is the former). In case of $\to_{wh}$, we are done by definition of $\sim_{wh}$. In case of $\to_{I}$, we are done by Lemma 57.
(Failing) Progression Standardisation

An alternative proof development for standardisation was proposed by David [10] and pursued, more or less independently, in [29, 31, 37]. The idea is to define a standardisation relation directly by induction over terms (although this is only done implicitly in [10]): $\sim_{prg}$, and to show that this relation right-absorbs the ordinary $\beta$-relation. In that sense, the proof development is the dual approach to what we considered in the previous section. Informally, the key technical point is to contract terms as follows, cf. [29, 37]:$^{11}$
$$\frac{(\ldots(e[x := e_0]\,e_1)\ldots)\,e_k \sim_{prg} e'}{(\ldots((\lambda x.e)e_0)\,e_1\ldots)\,e_k \sim_{prg} e'}$$
This ensures that contraction progresses from left to right while at the same time allowing newly created redexes to be contracted. Other rules allow redexes not to be contracted as the relation otherwise would be left-most reduction.

$^{11}$ In order for the relation to make sense in the current setting, it is necessary to supply it with a finite axiomatisation, which can be done.

Right-Absorptivity As mentioned, the key technical lemma is purported to show right-absorptivity of $\sim_{prg}$ over $\to_{\beta}$, which appears to be straightforward, at least in the case of the above contraction rule [10, 29, 31, 37].

Non-Lemma 59 $(\mathrm{BCF})\qquad {\sim_{prg}} \cdot {\to_{\beta}} \subseteq {\sim_{prg}}$

Unfortunately, not even the BCF-initial version of the property is true. The following is a counter-example.
$$(\lambda s.ss)(\lambda x.(\lambda y.xy)z) \sim_{prg} (\lambda y.(\lambda x.xz)y)z \to_{\beta} (\lambda y.yz)z$$
The problem in the counter-example is the last step of the standardisation, which amounts to the contraction of the redex involving the inner $y$-abstraction below.
$$(\lambda y.(\lambda x.(\lambda y.xy)z)y)z$$
As it happens, this is the point where the considered $\to_{\beta}$-step (i.e., the contraction of the redex involving the $x$-abstraction) must be inserted but that is not possible because of a clash with the inner $y$-abstraction.

Left-Absorptivity In sharp contrast with the above (and surprisingly, at first), it turns out to be possible to prove left-absorptivity, as also seen at the beginning of the absorptive weak-head standardisation section.
$$(\mathrm{BCF})\qquad {\to_{\beta}} \cdot {\sim_{prg}} \subseteq {\sim_{prg}}$$
The difference between right- and left-absorptivity is that the universal quantification over $\sim_{prg}$ covers far fewer steps in the latter case than in the former. As we saw, this manifests itself when trying to prove standardisation for the real $\lambda$-calculus.

Non-Lemma 60 ${\to_{\beta}} \cdot {\sim_{prg}} \subseteq {\sim_{prg}}$

The counter-example we considered for hereditary weak-head standardisation applies.
Conclusion

By using structural proof principles only, we have proved the relative renaming freeness of $\beta$-residual theory (Theorem 23), confluence of the three reduction relations considered (Theorems 30, 33, and 36), decidability of $\alpha$-equivalence (Theorem 39), $\beta$-residual completion aka strong weakly-finite $\beta$-development (Lemma 45), residual $\beta$-confluence (Theorem 46), $\eta$-over-$\beta$-postponement (Theorem 49), and $\beta$-standardisation (Theorem 58), along with a range of supporting lemmas, including results that establish the equivalence of our, Curry's, and Hindley's presentations of the $\lambda$-calculus as well as the usual notions of substitution and substitutivity lemmas.

Standard, informal practice in the programming language-theory community when using structural induction and related proof principles is to assume that variable clashes are not an issue (aka Barendregt's Variable Convention). We have shown this to be formally correct for a wide range of properties, possibly up to BCF-initiality: Lemmas 21, 22, 24, 32, 34, 47, 51, 52, and 57. We also presented general results that suggest that the considered proof principles are formally applicable for the full residual theory of $\beta$-reduction and for the whole of the two further reduction relations (Theorem 23, Lemmas 11, and 31, respectively).

Drawing parallels to informal practice, we stressed that the established properties are formally weaker than the results they attempt to establish. Subsequently we therefore showed that, for the most part, the full proof burden of the considered properties can be met formally by the addition of a fairly simple administrative proof layer, cf. Figures 9, 10, 11, 13, 15, 18, and 19. Of wider relevance, we observed that the administrative proof layers mostly rely on the same additional lemmas, thus preventing a blow-up of the overall proof obligations for a particular language.

Finally, we showed that at least in the cases of decidability, standardisation, and residual confluence, standard informal practice misses some rather important details. Through various means (including the introduction of the constructively-flavoured Some/Any property, Lemma 38, and residual-completion property, Lemma 45), we were, however, able to present formal, concise proofs for these results, as well.
Related Work

Abstractly speaking, this thesis is concerned with the proof theory of programming languages. In that sense, it is closely related to what could be called the proof theory of proof theory [20] and the proof theory of rewriting [43, 63].

Informal Work

We will account for any history there might be to the various equational proof technologies we employ at their point of use. Trying to reference them all at once is unlikely to convey much information, not least because most other uses of the technologies are informal and, moreover, not directly formalisable (hence this thesis). That said, we should mention Barendregt [5] as the standard reference for equational reasoning about the $\lambda$-calculus and Takahashi [62], which epitomises the elegance of the informal approaches.

We would also like to mention Schroer [57], which appears to be the first comprehensive attempt at formally justifying all equational-reasoning steps in its treatment of the $\lambda$-calculus, albeit on paper, only. Of relevance to our work, we point out that the proof-theoretic underpinning of [57] is not entirely transparent and, thus, not necessarily too instructive. For example, our Chapter 5 establishes essentially the same results as are ultimately sought in [57]. When including all the results that our Chapter 5 depends on, Schroer's development is thus at least an order of magnitude more voluminous than ours. The main result in our Section 3.3, decidability of $\alpha$-equivalence, is also addressed in [57] as part of the overall development but, as we show, seems to be insufficiently dealt with.

The idea of pursuing equivalences in a rewriting setting is also fundamental to rewriting modulo [30, 49], normalised rewriting [41], and, in a more general sense, to refinement theory as, e.g., accounted for in [56]. We, however, do not attempt to reason up to the equivalences, as do the listed approaches. Instead, we study the actual impact that the equivalence collapses have on the algebraic meaning of the considered properties, in particular as far as proof principles are concerned. Apart from this last point, some of our abstract results are therefore related to issues of meaning preservation [69].$^{12}$

Formal Work

We are not aware of any other work that uses the primitive proof principles of first-order abstract syntax over one-sorted variable names, $\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{VN}}}$, formally. Indeed, what we will account for here are the alternative formal proof principles that have been introduced to avoid having to address variable names in an object-level manner. As a result, the alternative approaches will typically establish properties that, algebraically speaking, are weaker than what we consider: the definitional proof burden of results that are found, e.g., in a programming-language setting (i.e., properties that derive from first-order abstract syntax over one-sorted variable names). That said, a diamond property, for example, is still a diamond property so the importance of strength could be debated. However, please refer to, e.g., Theorem 4.2 for an account of algebraic discrepancies between diamond properties in closely related rewrite systems.

Syntax-Representation Alternatives

The basic problems that are encountered with $\mathrm{FOAS}_{\mathrm{VN}}$ have resulted in the inception of syntax formalisms that avoid using variable names altogether.
Relativised Binding In work with the Automath theorem prover [45], de Bruijn introduced the idea of referring to the abstraction that binds a particular variable occurrence by its offset from the occurrence [11]. In other words, instead of writing, e.g., $\lambda x.\lambda y.xy$, de Bruijn observed that we can write $\lambda\lambda 21$. The 2 refers to the second abstraction that encapsulates it, etc., which means that abstractions no longer are annotated with an indication of which variable occurrences they bind. While the notation renders itself well to verification work in the sense that $\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{dB}}}$ can be used [28, 47, 59], there are a number of drawbacks to using it from a human as well as from a formal perspective.

- Compared to $\mathrm{FOAS}_{\mathrm{VN}}$, de Bruijn's notation is not immediately legible and is not suitable, e.g., for programming.

- Substitution on de Bruijn terms is a complicated operation to implement in that it has non-local effects and substituted terms cannot be shared amongst the places they can end up at. For an example of the first issue, consider $(\lambda 2)7$. The end-term of the $\beta$-reduction will be $1$, which means that the body of the contracted abstraction changes even if the invoked substitution is void. For the second issue, consider $(\lambda 1(\lambda 2))3$. This time the end-term of the $\beta$-reduction will be $3(\lambda 4)$ for which we see that the argument, $3$, is and must be treated differently in the two locations it is substituted into.

$^{12}$ [69] could, strictly speaking, also have been addressed under the next section heading.

- In formal proof developments (at least), it becomes necessary to prove non-intuitive properties [47].

- It is by no means obvious how de Bruijn notation relates formally to $\mathrm{FOAS}_{\mathrm{VN}}$. The problem is the role played by free variables: whereas $\lambda x.yz$ can be abstracted to either $\lambda y.\lambda x.yz$, $\lambda z.\lambda x.yz$, or, indeed, $\lambda s.\lambda x.yz$, the future binding order of, e.g., $\lambda 23$ is predetermined, it differs from that of $\lambda 32$, and the term cannot be abstracted to behave like $\lambda s.\lambda x.yz$.

- Further to the previous point and the lack of a linear order on our abstract notion of variable names, $\mathcal{VN}$, simulation results (à la the guarding clauses of Theorem 4.2) between a $\mathrm{FOAS}_{\mathrm{VN}}$ and a de Bruijn version of a reduction relation are impaired, definitely leaving, e.g., Theorem 4.2, 3. and 4. out of reach.
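As an added example, not part of the thesis, here is a small Python implementation of $\beta$-reduction on de Bruijn terms (1-based indices, as above), together with a conversion from named syntax that has to fix the order of the free variables in advance. It reproduces the two substitution effects just described, $(\lambda 2)7 \to 1$ and $(\lambda 1(\lambda 2))3 \to 3(\lambda 4)$, and the $\lambda 23$ versus $\lambda 32$ point about free variables. The representation, the shift and substitution helpers and the tuple encoding of named terms are the example's own choices.

```python
# Added example (not from the thesis): beta-reduction on de Bruijn terms,
# with 1-based indices as in the discussion above.
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Idx:
    n: int


@dataclass(frozen=True)
class App:
    fun: "DB"
    arg: "DB"


@dataclass(frozen=True)
class Lam:
    body: "DB"


DB = Union[Idx, App, Lam]


def shift(e: DB, d: int, cutoff: int = 1) -> DB:
    """Add d to every index >= cutoff that is free in e (bound ones are untouched).
    Going under a binder raises the cutoff: this is the non-local effect."""
    if isinstance(e, Idx):
        return Idx(e.n + d) if e.n >= cutoff else e
    if isinstance(e, App):
        return App(shift(e.fun, d, cutoff), shift(e.arg, d, cutoff))
    return Lam(shift(e.body, d, cutoff + 1))


def subst(e: DB, j: int, s: DB) -> DB:
    """e[j := s]. Under a binder both the target index and the substituted term
    are shifted, so copies of s placed at different depths are different terms."""
    if isinstance(e, Idx):
        return s if e.n == j else e
    if isinstance(e, App):
        return App(subst(e.fun, j, s), subst(e.arg, j, s))
    return Lam(subst(e.body, j + 1, shift(s, 1)))


def beta(redex: DB) -> DB:
    """Contract a top-level redex (lambda b) a: the argument is shifted up for the
    binder it crosses, and afterwards every free index of the body is shifted down
    because that binder has disappeared (which is why (lambda 2) 7 becomes 1)."""
    assert isinstance(redex, App) and isinstance(redex.fun, Lam), "not a redex"
    b, a = redex.fun.body, redex.arg
    return shift(subst(b, 1, shift(a, 1)), -1)


def to_db(e, ctx) -> DB:
    """Named syntax (a str for a variable, ('lam', x, body), ('app', f, a)) to de
    Bruijn. ctx lists the names in scope, innermost first; a free name gets its
    index from a position in ctx that has to be chosen before conversion."""
    if isinstance(e, str):
        return Idx(ctx.index(e) + 1)
    if e[0] == "app":
        return App(to_db(e[1], ctx), to_db(e[2], ctx))
    return Lam(to_db(e[2], [e[1]] + ctx))


def show(e: DB) -> str:
    """Compact notation as in the text: (λ2)7, 3(λ4), λ23."""
    if isinstance(e, Idx):
        return str(e.n)
    if isinstance(e, Lam):
        return "λ" + show(e.body)
    f = show(e.fun) if isinstance(e.fun, Idx) else f"({show(e.fun)})"
    a = show(e.arg) if isinstance(e.arg, Idx) else f"({show(e.arg)})"
    return f + a


# Constructed sample inputs: the two redexes discussed in the text.
VOID_SUBST = App(Lam(Idx(2)), Idx(7))
TWO_COPIES = App(Lam(App(Idx(1), Lam(Idx(2)))), Idx(3))
```

`show(beta(VOID_SUBST))` gives `1` although index 1 never occurred in the body, and `show(beta(TWO_COPIES))` gives `3(λ4)`, the argument `3` having become `4` under the inner binder. Converting `λx.yz` with the free variables ordered `[y, z]` gives `λ23`, with `[z, y]` it gives `λ32`: the order is a parameter of the conversion, not a property of the named term.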
Meta-level Binding Another way to avoid dealing with variable names is to not consider a native notion of binding in the first place but instead to rely on a pre-existing function space to implement abstraction. This approach is called higher-order abstract syntax (HOAS) and it has been studied thoroughly in a number of recent articles [12, 13, 14, 15, 26, 50, 58]. The reason for the wide range of studies is that HOAS suffers natively from a number of problems, including, but not limited to, lacking induction and, in particular, recursion principles that are sound, the existence of functions that do not correspond to terms, problems with defining, e.g., substitution as a function, etc. That said, Pfenning and Schürmann's Twelf [50] implementation of higher-order abstract syntax over a modalised, parametric function space ($\mathrm{PPP}_{\mathrm{HOAS2}}$) [14] in particular is very well suited for bringing about substantial amounts of automation when doing mechanised theorem proving [58], something our approach does not immediately allow for [6]. As studied extensively in [26], it is, however, far from well-understood which $\mathrm{FOAS}_{\mathrm{VN}}$ property a HOAS proof corresponds to, cf. our Theorem 4.2.
Variable-Name Alternatives

Recent research has shown that there can be formalist advantages to employing a certain amount of ingenuity on the issue of variable names [19, 42].

Distinguishing Free and Bound Variables McKinna and Pollack [42] take as starting point FOAS with two-sorted variable names: $\mathrm{FOAS}_{\mathrm{VNVN}}$. The two sorts are intended to be used disjointly for free and bound variables. In order to restrict the sort of bound variables to occur in bound positions only, they, therefore, introduce a well-formedness predicate prescribing when this is the case. In fact, it is this predicate, which is defined recursively over the $\mathrm{FOAS}_{\mathrm{VNVN}}$-terms, that gives rise to the proof principles they employ in their substantial (and impressive) development of the equational theory of Pure Type Systems in the LEGO theorem prover [39]. To be more precise, apart from $\mathrm{FOAS}_{\mathrm{VNVN}}$-equality, McKinna and Pollack do not use $\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{VNVN}}}$. Instead, two provably equivalent definitions of the above-mentioned predicate (in terms of a Some/Any property, cf. our Lemma 3.26) give rise to suitable induction and recursion principles, respectively. The equivalence proof uses induction over the size of terms and, indeed, does not appear to be $\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{VNVN}}}$-provable, thus making [42] also proof-theoretically different from this thesis. A further, subtle point is that their proof developments only pertain to actual terms up to an implicit use of set comprehension over the well-formedness predicate.
Fraenkel-Mostowski Set Theory Based on Fraenkel-Mostowski (FM) set theory, Gabbay and Pitts [17, 18, 19, 51] demonstrate that a permutation model of set theory with atoms is a suitable framework in which to represent (the syntax of) higher-order languages. The idea is to see the FM-set notion of set abstraction as functional abstraction and the permutation actions of FM-sets as variable-name swapping (as opposed to renaming, which we would use), a notion that also axiomatises $\alpha$-equivalence, so to speak. The advantage of the FM approach is that full $\mathrm{PPP}_{\mathrm{FM}_{\mathrm{VN}}}$ exist for the objects that correspond to our $\alpha$-equivalence classes. Unfortunately, it is not obvious what is the exact correspondence between FM-based syntax and $\mathrm{FOAS}_{\mathrm{VN}}$. For example, it is known that the axiom of (co-finite) choice (i.e., our $\mathrm{Fresh}()$-function, cf. Assumption 1.4) is provably inconsistent with FM set theory [51]. The framework has also not been used for the kind of reasoning we are interested in. Work is under way to clarify the various issues and we believe the Gabbay-Pitts framework has great potential, with the proviso that it will force us to rethink our ideas about simple syntax (and, at least, give up the precision, if we can call it that, of $\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{VN}}}$) [52]. This might not be so bad in a wider perspective seeing that the enforced inaccessibility of object-level variable names in the framework, cf. our Preface chapter, in a certain sense corresponds exactly to what happens with implementations of programming languages: syntactic binding is represented, e.g., by the use of an environment in the semantics of the language. The analogy is that offsets into the environment cannot be manipulated at the language level.
Equivariant Reasoning

Pitts [51] presents a couple of examples of how the principles of their FM-framework (see above) can be applied to $\mathrm{FOAS}_{\mathrm{VN}}$. A precursor of the technique, called equivariant reasoning, can also be found in Gabbay's substantiation of FM sets with atoms based on ordinary Zermelo-Fraenkel set theory with atoms in [18]. The idea is to observe that virtually all notions and predicates being considered when reasoning about programming languages respect name swapping (with the notable exception of $\mathrm{Fresh}()$, cf. Assumption 1.4, amongst others). This means that, e.g., an induction hypothesis involving $\mathrm{FOAS}_{\mathrm{VN}}$ can be changed at any point in a proof to make it pertain to any representative of the $\alpha$-equivalence class that implicitly is being considered. This affects the algebraic granularity, if we can call it that, of the proof in that the technique amounts to, e.g., rewriting modulo, which we discussed above, when applied in a rewriting setting (cf. our Theorem 4.2).
Derived Proof Principles for $\Lambda_{\mathrm{var}}$

Gordon [22] and Gordon and Melham [21] are concerned with deriving proof principles for $\alpha$-equivalence classes of terms: $\mathrm{DPP}_{\mathrm{FOAS}_{\mathrm{VN}}/\equiv_{\alpha}}$. In both cases, the developments are formally underpinned by a de Bruijn-style syntax ($\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{dB}}}$), although the derived proof principles pertain to name-carrying syntax.$^{13}$ In [22], Gordon presents two induction principles that allow binder renaming to be performed in the terms substantiating its premises, which, however, come at the price of having to additionally induct over either the size of in-going terms or a set of essentially fresh variable names. In [21], Gordon and Melham present a more basic notion of $\mathrm{DPP}_{\mathrm{FOAS}_{\mathrm{VN}}/\equiv_{\alpha}}$, which, on the one hand, derives the two previously-discussed induction principles, but which also is more difficult to work with in that its premises pertain to infinitely many terms: all possible renamings of the term at hand, so to speak. Neither of the approaches have been used in actual proof developments as far as we are aware.

Recently Ford and Mason [16] and Homeier [27] have developed and employed $\mathrm{DPP}_{\mathrm{FOAS}_{\mathrm{VN}}/\equiv_{\alpha}}$ that are not based on $\mathrm{FOAS}_{\mathrm{dB}}$. Instead they essentially show that functions such as $\mathrm{FV}()$ (see Figure 1.1) and term size are constant on the elements of $\mathrm{FOAS}_{\mathrm{VN}}/\equiv_{\alpha}$. The considered size-measures are used explicitly to make their derived proof principles well-founded. The two approaches differ most clearly in their presentation of $\equiv_{\alpha}$, although there are other differences as well.

$^{13}$ The approach should not be confused with that of Shankar [59] where properties about $\mathrm{FOAS}_{\mathrm{VN}}/\equiv_{\alpha}$ are established by the use of $\mathrm{PPP}_{\mathrm{FOAS}_{\mathrm{dB}}}$ and a mapping from $\mathrm{FOAS}_{\mathrm{VN}}$ to $\mathrm{FOAS}_{\mathrm{dB}}$ whose kernel (seemingly) is given by $\equiv_{\alpha}$.

Part I

Fundamentals
Chapter 1
The Structure of the
-Calculus
In this chapter, we account comprehensively for the mathematical tools we
employ in the thesis. As stated in the front matter, we shall only pursue the
-calculus from a programming-language perspective, i.e., when presented
with rst-order abstract syntax over one-sorted variable names. We do so to
study the primitive proof principles of that framework in a formal sense and
to meet the full proof burden of the result we are considering. Please refer to
the chapter on related work in the introduction for alternative approaches.
1.1 The Algebra of Simple Syntax
The -calculus is intended to capture the concept of a function in a formal
sense. It does so, rst of all, by providing syntax that can be used to express
(unnamed) function application and denition:
Denition 1.1
var
::= 1^ [
var

var
[ 1^.
var
The above abstract syntax says that a -term is dened inductively as
either a variable name, as an application of one term to another, or as a
-/functional abstraction of a variable name over a term, respectively. Only
objects that are composed in accordance with the scheme are
var
-terms.
Conventions We shall use e, e_i as meta-variables over Λ^var (but see Ap-
pendix A for an exception) and x, y, z, s, t as meta-variables over 𝒱𝒩. The
variable names are typically taken to be words over the Latin alphabet and,
as we shall see, we essentially follow suit. As for writing concrete syntax,
we (i) make no distinction between object- and meta-level variables over
𝒱𝒩 and (ii) follow the conventions that application binds stronger than ab-
straction, application is left associative, and otherwise use parentheses to
indicate the correct parsing. Here are three examples, with concrete and
abstract syntax paired in columns.
    (λx.xy)z        λx.xyz        λx.x(yz)
[The three abstract-syntax trees did not survive extraction: an application
node with children λx.(xy) and z; a λx node over the left-nested application
(xy)z; and a λx node over the application x(yz).]
We trust the above conventions will pose no difficulties to the reader.
A Note on Inductive Definitions We shall use inductive definitions
extensively in this thesis. All uses are very basic, even self-evident, and no
advanced technology shall be employed at any time. Short of presenting a
general theory of inductive definitions, the remainder of this chapter focuses
on justifying and explicitly accounting for the technology that is actually
used and to put it in perspective. We hope that, in doing so, the reader will
feel assured of the soundness of our tools and technologies and, at the same
time, will feel comfortable with their foundational qualities. A comprehen-
sive, stand-alone development of the general theory of inductive definitions
can be found, e.g., in [1]. As we have used Isabelle/HOL to formally verify
a large part of the proofs in the thesis, we also refer the interested reader
to the account of inductive definitions in [48, Chapter 7]. Finally, we make
reference to [7] for a seminal exposition of the issues.
1.1.1 Variable Names
The set of variable names, 𝒱𝒩, will be considered entirely abstractly and
we only require that it meets the following conditions (which, e.g., words
over the Latin alphabet do).
Assumption 1.2 𝒱𝒩 is a single-sorted set of objects, aka variable names.
Assumption 1.3 𝒱𝒩-equality, =_VN, is decidable.
Assumption 1.4 There exists a total, computable function on finite sub-
sets of 𝒱𝒩, Fresh() : P_fin(𝒱𝒩) → 𝒱𝒩, such that: Fresh(VN) ∉ VN.
The last assumption immediately implies that 𝒱𝒩 is infinite. Technically
speaking, the assumption thus claims the existence of a choice function that
picks out a variable name from the complement (relative to the infinite 𝒱𝒩)
of a finite set. The assumption, in other words, amounts to the axiom of
co-finite choice.^1 All notions of syntax that we can think of, with the notable
exception of that used in FreshML, cf. the related work chapter, admit a
fresh function naturally.
Fresh() is, as the name suggests, intended to allow us to introduce a
variable name that does not already occur in a term. We will therefore allow
ourselves to write Fresh(e) for the application of the fresh function to the
finite set of variables that occur in a Λ^var-term, Var(e), cf. Definition 1.7.
1.1.2 Case-Splitting on Λ^var
In order to avoid trivial confusions with terms, we also make the following
and final assumption about the syntax.
Assumption 1.5 The constructors for function application and abstrac-
tion are identifiable and can be distinguished from each other and from 𝒱𝒩.
With these assumptions, we see that it is possible to case-split on terms
with the E_i's below in some suitable meta-language:
    case e of x ⇒ E_1(x) | e_1 e_2 ⇒ E_2(e_1, e_2) | λx.e_0 ⇒ E_3(x, e_0)
The import of case-splitting is one of analyticity in that it introduces a
well-defined notion of sub-term, etc. For example, we can say about λx.x
that (i) it is a λ-abstracted function, (ii) its body (i.e., the x after the .)
is a variable name, and (iii) the function will behave as the identity function
because the two variable names coincide.
1.1.3 Structural Induction over Λ^var
As the set of Λ^var-terms is defined inductively (i.e., is completely determined
by the inductive clauses being used), we see that we can proceed by means
of structural induction when trying to prove properties about Λ^var:
    ∀x.P(x)    ∀e_1, e_2. P(e_1) ∧ P(e_2) ⇒ P(e_1 e_2)    ∀x, e. P(e) ⇒ P(λx.e)
    ───────────────────────────────────────────────────────────────────────
                                   ∀e. P(e)
Structural induction states that we can prove properties of Λ^var by show-
ing that the various inductive clauses preserve a considered property, so to
speak. The precise form of the above structural-induction principle is im-
portant: it has to match the definition of Λ^var in order to be sound by
construction. If we change the rule, even slightly, we are no longer guaran-
teed by construction that the resulting proof principle is sound.
We refer the reader to Sections 3.3, 4.1, and 7.4 for comprehensive ac-
counts of core issues that cannot be addressed without algebraic discrepan-
cies when using a relaxed induction principle (that, e.g., allows λx.x and
λy.y to be used interchangeably, to make a pertinent point).
1 We remark that, whereas the assumption clearly causes no problems in our framework
of simple syntax, the axiom of (co-finite) choice is, in fact, not permissible in Nominal
Logic, which means that Fresh() does not exist in there, cf. the related work chapter.
1.1.4 Definition by Induction
In analogy with the previous section, we see that we can also use the induc-
tive construction of Λ^var to, e.g., extend variable-name equality, =_VN, to an
equality on all Λ^var-terms:
       x =_VN y            e_1 =_{Λ^var} e'_1    e_2 =_{Λ^var} e'_2        x =_VN y    e =_{Λ^var} e'
    ───────────────       ───────────────────────────────────────       ─────────────────────────────
     x =_{Λ^var} y              e_1 e_2 =_{Λ^var} e'_1 e'_2                  λx.e =_{Λ^var} λy.e'
We shall refer to the induction principle associated with the above defini-
tion of =_{Λ^var} (and others like it) as rule induction. It differs from structural
induction in not being associated with a notion corresponding to Assump-
tion 1.5. That means that rule induction only is accompanied by an exten-
sional (or point-wise) equality as opposed to an intensional one. In turn,
this means that, e.g., =_{Λ^var} does not come equipped with analytic proof
principles; something which has direct implications for the next section.
1.1.5 Structural Recursion over Λ^var
Based on case-splitting and the fact that terms are well-founded by con-
struction, we can define functions on λ-terms by means of structural (or
primitive) recursion, i.e., by making recursive calls on the sub-terms of a
given term, only:
    f(x)       = E_1(x)
    f(e_1 e_2) = E_2(f(e_1), f(e_2))
    f(λx.e)    = E_3(x, f(e))
The use of structural recursion ensures that any f defined as above (i)
is functional when the cases are disjoint, e.g., because there is a case per
syntax constructor, cf. Assumption 1.5, (ii) is computable by virtue of well-
foundedness of terms, and (iii) is total when the definition case-splits ex-
haustively on λ-terms (provided the E_i are total, computable functions, of
course). We see, for example, that =_{Λ^var} is defined structural-recursively
and hence is a total, computable function from Λ^var × Λ^var to truth values:^2
    x =_{Λ^var} y                 = x =_VN y
    e_1 e_2 =_{Λ^var} e'_1 e'_2   = e_1 =_{Λ^var} e'_1 ∧ e_2 =_{Λ^var} e'_2
    λx.e =_{Λ^var} λy.e'          = x =_VN y ∧ e =_{Λ^var} e'
In other words, the decidability of =_VN (i.e., Assumption 1.3) has the fol-
lowing result as an immediate consequence.
Proposition 1.6 =_{Λ^var} is decidable.
Proof By construction.
    FV(y) = {y}                          BV(y) = ∅
    FV(e_1 e_2) = FV(e_1) ∪ FV(e_2)      BV(e_1 e_2) = BV(e_1) ∪ BV(e_2)
    FV(λy.e) = FV(e) \ {y}               BV(λy.e) = {y} ∪ BV(e)
    Capt_x(y) = ∅
    Capt_x(e_1 e_2) = Capt_x(e_1) ∪ Capt_x(e_2)
    Capt_x(λy.e) = {y} ∪ Capt_x(e)   if x ∈ FV(λy.e)
                 = ∅                 otherwise
Figure 1.1: Free, bound, and capturing variable names
1.1.6 Basic Λ^var Properties
This section is devoted to some simple applications of the primitive proof
principles of Λ^var: PPP(Λ^var), that we considered in Sections 1.1.1–1.1.5.
First, however, we remark that any language that is defined as first-order
abstract syntax, FOAS, over one-sorted variable names, 𝒱𝒩, will come
equipped with equivalent proof principles, which we shall refer to by the
generic term: PPP^{FOAS_VN}.
Definition 1.7 (Auxiliary Λ^var-Functions) Figure 1.1 defines free vari-
ables, FV(), bound variables, BV(), and the capturing variables of free
occurrences of x, Capt_x(), by structural recursion over Λ^var. We also de-
fine the set of all variables occurring in a term Var(e) = FV(e) ∪ BV(e).
The capturing variables of x in e, Capt_x(e), are the λ-abstracted variable
names in e that have a free occurrence of x (relative to e) in the associated
body, e.g., Capt_x(λy.x) = {y} ≠ ∅ = Capt_x(λx.λy.x) = Capt_x(λx.y). In general,
we have:
2 To be precise, the fully correct form of the definition is, e.g., as follows:
    x =_{Λ^var} e = case e of y ⇒ x =_VN y | e_1 e_2 ⇒ False | λy.e_0 ⇒ False
Proposition 1.8 x ∉ FV(e) ⇒ Capt_x(e) = ∅
Proof We proceed by structural induction in e while assuming x ∉ FV(e).
Case e ≡ y: Trivial.
Case e ≡ e_a e_b: Straightforward by two applications of the I.H., which are
possible as x ∉ FV(e) immediately implies x ∉ FV(e_a) ∧ x ∉ FV(e_b).
Case e ≡ λy.e': We case-split on the clauses for Capt_x(λy.e'):
Sub-case x ≠ y ∧ x ∈ FV(e'):^3 The premises of the sub-case are in-
consistent with the assumption and we are trivially done.
Sub-case x = y ∨ x ∉ FV(e'): We are trivially done by definition.
Some other immediate consequences of the definition that pertain to its
well-formedness are the following.
Proposition 1.9
1. FV(), BV(), and Capt_x() are total, computable functions.
2. Var() is a total, computable function.
3. Capt_x(e) ⊆ BV(e), for all x and e.
Proof The first property holds by construction. The second is derived
from the first. As for the third property, we proceed by structural induction
in e.
Variable Case: Trivial.
Application Case: Straightforward by two applications of the I.H. (and
monotonicity of ∪).
Abstraction Case: We case-split on the clauses for Capt_x(λy.e). The first
case follows by an application of the I.H. (and monotonicity of ∪). The
second case is trivial.
3 It is immediate to see that x ≠ y ∧ x ∈ FV(e') is equivalent to x ∈ FV(λy.e').
1.2 Relational Structure
With Λ^var-terms defined, we now review some of the standard constructions
for and properties of binary relations, Λ^var × Λ^var, that we shall use.
We shall refer to such binary relations as reduction relations. The wider
subject area that we are considering is called abstract rewriting and we refer
to, e.g., [33] for a comprehensive account of the field.
• A term, e_1, for which there is a term, e_2, such that e_1 → e_2 (in infix
  notation) is said to (→-)reduce.
• The e_1 and e_2 above are called the start- and end-term of the reduction,
  respectively.
• The converse of a relation is: e_2 (→)^{-1} e_1 ⇔_def e_1 → e_2.
• Point-wise composition of two relations is:
      e_1 →_1;→_2 e_3 ⇔_def ∃e_2. e_1 →_1 e_2 ∧ e_2 →_2 e_3
  (Proper) composition, →_1;→_2, is the set of point-wise compositions.
• We write the union of two relations as: →_{1,2} =_def →_1 ∪ →_2.
  If no confusion is possible, we omit the comma.
• The reflexive closure of a relation, →^=, is given thus:
       e_1 → e_2
      ───────────── (Base)        ───────── (Refl)
      e_1 →^= e_2                  e →^= e
• Reflexive, transitive closure, ↠, is given thus:
       e_1 → e_2                                 e_1 ↠ e_2    e_2 ↠ e_3
      ──────────── (B)        ──────── (R)       ────────────────────── (Trans)
       e_1 ↠ e_2               e ↠ e                   e_1 ↠ e_3
  We will also write reflexive, transitive closure as (→)^*.
• Reflexive, transitive, and symmetric closure, ==, is given thus:
       e_1 → e_2                                 e_1 == e_2    e_2 == e_3              e_1 == e_2
      ──────────── (B)        ──────── (R)       ──────────────────────── (T)        ──────────── (Symm)
       e_1 == e_2              e == e                   e_1 == e_3                     e_2 == e_1
• The situation of a term reducing to two terms is called a divergence.
• Two diverging reductions, as defined above, are said to be co-initial.
• Dually, two reductions that share their end-term are said to be co-final.
• Co-initial reductions are resolvable if they compose with co-final re-
  ductions.
• A term that does not (→-)reduce is said to be a (→-)normal form.
• A relation, →, is said to weakly normalise, WN(→), if all terms
  ↠-reduce to a →-normal form.
• A relation, →, is said to strongly normalise, SN(→), if it is not
  possible to construct a ↠-derivation containing infinitely many in-
  stances of the base rule, (B)/(Base); if there are no infinite reduction
  sequences, so to speak.
1.2.1 Basic Properties of Relational Structure
The core constructions in the above list are the closure operators that im-
mediately can be shown to form and respect hierarchies, as the next two
results show.
Proposition 1.10 → ⊆ →^= ⊆ ↠ ⊆ ==
Proof The proofs are subsumed by a reflexive, transitive induction.
(Base)-Case: We are, e.g., considering e_1 ↠ e_2, with e_1 → e_2, and we
can immediately conclude that e_1 == e_2 by the (Base)-rule for ==.
(Refl)-Case: We are, e.g., considering e ↠ e and we trivially have e == e
by the (Refl)-rule for ==.
(Trans)-Case: We are, e.g., considering e_1 ↠ e_2, with some e, such that,
e_1 ↠ e and e ↠ e_2. By I.H., we conclude that e_1 == e and e == e_2
and we are done by the (Trans)-rule for ==.
Proposition 1.11 (→_1 ⊆ →_2) ⇒ (↠_1 ⊆ ↠_2) ∧ (==_1 ⊆ ==_2)
Proof The proofs are subsumed by a straightforward reflexive, transitive,
symmetric induction. We do not present the details.
The closure operators also respect term formation in the following sense.
Definition 1.12 A Λ^var-relation, →, is contextually closed, CC(→), if
    e → e' ⇒ (e e_2 → e' e_2) ∧ (e_1 e → e_1 e') ∧ (λx.e → λx.e')
Proposition 1.13 CC(→) ⇒ CC(→^=) ∧ CC(↠) ∧ CC(==)
Proof The proofs are subsumed by a reflexive, transitive, symmetric in-
duction.
Base Case: Directly by assumption.
Reflexive Case: We are trying to substantiate, e.g., e e_2 ↠ e e_2, which we
see that the reflexive rule trivially expresses.
Transitive Case: We wish to substantiate, e.g., e_1 e ↠ e_1 e' ↠ e_1 e'',
both steps of which follow by an application of the I.H.
Symmetric Case: A simple I.H.-application suffices.
A contextually-closed equivalence relation, CC(==), is called a congruence.
The next property shows that the closure constructions we have given are
not unique. Indeed, we see that in order to prove properties about ↠ we
can either consider a base, a reflexive, and a transitive case or, alternatively,
a reflexive and a left-/right-transitive case.
Lemma 1.14 We have ↠_l = ↠ = ↠_r, for the following definitions of
reflexive and left-/right-transitive closure.
                                    e_1 → e_2    e_2 ↠_l e_3
    ─────────── (Refl_l)           ────────────────────────── (left-Tr)
      e ↠_l e                              e_1 ↠_l e_3

                                    e_1 ↠_r e_2    e_2 → e_3
    ─────────── (Refl_r)           ────────────────────────── (right-Tr)
      e ↠_r e                              e_1 ↠_r e_3
Proof We show the left-most equality. The ⊆-direction is by reflexive,
left-transitive induction:
(Refl_l)-Case: Trivial.
(left-Tr)-Case:
    e_1 → e_2    e_2 ↠ e_3                    e_1 → e_2
    ─────────────────────── (l-Tr)     ⟹     ─────────── (B)
          e_1 ↠ e_3                            e_1 ↠ e_2     e_2 ↠ e_3
                                              ────────────────────────── (Tr)
                                                      e_1 ↠ e_3
The ⊇-direction is by reflexive, transitive induction:
Base Case: Straightforward:
    e_1 → e_2    e_2 ↠_l e_2
    ────────────────────────
          e_1 ↠_l e_2
(Refl)-Case: Trivial.
(Trans)-Case: We are considering: e_1 ↠ e_2 ↠ e_3, which, by I.H., means
that we have: e_1 ↠_l e_2 ↠_l e_3. To finish the case, we therefore prove
the following property by induction in the left(!) ↠_l:
    ↠_l ; ↠_l ⊆ ↠_l    (1.1)
(Refl)-Case: Trivial.
(left-Tr)-Case: We are considering: e_1 → e_2 ↠_l e_3 ↠_l e_4. By
I.H., we have e_2 ↠_l e_4 and we are done by the (left-Tr)-rule.
1.2.2 Basic Divergences and Resolutions
As an example application of relational-structure proof principles, we will
now consider the archetypical divergence/resolution scenario. We first present
various technical issues before explaining their wider relevance at the end of
the section.
• A relation has the diamond property, ◇(→), if any and all divergences
  can be resolved. [Diagram lost in extraction.]
• A relation is locally confluent, LCon(→), if any and all →-divergences
  have a ↠-resolution. [Diagram lost in extraction.]
• A relation, →, is confluent, Con(→), if ◇(↠).
• A relation is Church-Rosser, CR(→), if any and all ==-equivalences
  can be ↠-resolved. [Diagram lost in extraction.]
We first note that local confluence is a strictly weaker property than
confluence proper as, e.g., shown by the following reduction relation [25]:
    a ← b ⇄ c → d
As it turns out, this particular counter-example concisely captures a rea-
son for why LCon(→) ⇒ Con(→) does not hold: existence of loops.
Newman's Lemma ([46]) LCon(→) ∧ SN(→) ⇒ Con(→)
In contrast to this, we have the following equivalence.
Confluence/Church-Rosser Equivalence Lemma
    Con(→) ⇔ CR(→)
Proof The ⇐-direction follows straightforwardly from Proposition 1.10.
The ⇒-direction is proved by reflexive, transitive, and symmetric induc-
tion in ==, while assuming Con(→).
(Base)-Case: We are considering e_1 == e_2 because e_1 → e_2 and we are
done by assumption because we have e_1 ↠ e_2 and e_1 ↠ e_1.
(Refl)-Case: We are, again, done by assumption.
(Trans)-Case: We are straightforwardly done by two I.H.-applications, by
assumption, and by transitivity of ↠.
[Diagram lost in extraction: M_1 == M_2 == M_3 along the top; the I.H. gives
N_1 and N_2 below M_1, M_2 and M_2, M_3, and the assumption gives N_3
below N_1 and N_2.]
(Symm)-Case: Trivial.
From a computational perspective, confluence implies that at most one
result (i.e., normal form) can be obtained when reducing. From an equa-
tional perspective, Church-Rosser (combined with the existence of more than
one normal form) implies that the meaning that is captured (i.e., axioma-
tised) by a reduction relation is non-trivial in the sense that not everything
is equated to everything else.
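The closure operators, divergences and resolutions of Section 1.2 can be computed directly for a finite reduction relation, which makes the difference between local confluence and confluence tangible. The following Python is an added example, not code from the thesis: it encodes a relation as a set of (start-term, end-term) pairs, builds ↠ and == by iterating the closure rules, and decides ◇, LCon, Con, CR and SN for two constructed four-element systems. The first is the looping counter-example above, under the assumed reading b → a, b ⇄ c, c → d; the second is a constructed loop-free variant on which Newman's Lemma applies. The names (rt_closure, LOOPING, and so on) are this example's own.

```python
# A finite abstract rewriting system: a carrier set and a one-step relation
# given as a set of (start-term, end-term) pairs.  Both systems below are
# constructed for this example; LOOPING is the assumed reading of the
# four-element counter-example (b -> a, b -> c, c -> b, c -> d).
CARRIER = frozenset({"a", "b", "c", "d"})
LOOPING = frozenset({("b", "a"), ("b", "c"), ("c", "b"), ("c", "d")})
TERMINATING = frozenset({("b", "a"), ("b", "c"), ("a", "d"), ("c", "d")})


def compose(r1, r2):
    """(Proper) composition r1;r2: the set of point-wise compositions."""
    return {(a, d) for (a, b) in r1 for (c, d) in r2 if b == c}


def rt_closure(rel, carrier):
    """Reflexive, transitive closure ->> from the (B), (R), (Trans) rules:
    start with base steps plus reflexivity and add compositions until
    nothing new appears (a fixed point exists since the carrier is finite)."""
    closure = {(a, a) for a in carrier} | set(rel)
    while True:
        bigger = closure | compose(closure, closure)
        if bigger == closure:
            return closure
        closure = bigger


def rts_closure(rel, carrier):
    """Reflexive, transitive, symmetric closure == (adds the (Symm) rule)."""
    return rt_closure(set(rel) | {(b, a) for (a, b) in rel}, carrier)


def divergences(rel):
    """All co-initial pairs (e1, e2) with e -> e1 and e -> e2 for some e."""
    return {(b, c) for (a, b) in rel for (a2, c) in rel if a == a2}


def resolvable(pairs, by, carrier):
    """Every pair in `pairs` composes with co-final `by`-reductions."""
    return all(any((b, n) in by and (c, n) in by for n in carrier)
               for (b, c) in pairs)


def diamond(rel, carrier):
    """<>(->): every ->-divergence is resolved by ->-steps (reflexive
    closure used, so that a divergence onto one normal form counts)."""
    refl = set(rel) | {(a, a) for a in carrier}
    return resolvable(divergences(rel), refl, carrier)


def locally_confluent(rel, carrier):
    """LCon(->): every ->-divergence has a ->>-resolution."""
    return resolvable(divergences(rel), rt_closure(rel, carrier), carrier)


def confluent(rel, carrier):
    """Con(->) = <>(->>): every ->>-divergence has a ->>-resolution."""
    star = rt_closure(rel, carrier)
    return resolvable(divergences(star), star, carrier)


def church_rosser(rel, carrier):
    """CR(->): every ==-equivalent pair has a ->>-resolution."""
    return resolvable(rts_closure(rel, carrier),
                      rt_closure(rel, carrier), carrier)


def strongly_normalising(rel, carrier):
    """SN(->) on a finite system: no term reaches itself in one or more
    steps, i.e. the reduction graph is acyclic."""
    plus = compose(rel, rt_closure(rel, carrier))
    return not any((a, a) in plus for a in carrier)


def normal_forms(rel, carrier):
    """Terms that do not ->-reduce."""
    return frozenset(carrier) - {a for (a, _) in rel}


if __name__ == "__main__":
    for name, rel in (("looping", LOOPING), ("terminating", TERMINATING)):
        print(name, "LCon:", locally_confluent(rel, CARRIER),
              "SN:", strongly_normalising(rel, CARRIER),
              "Con:", confluent(rel, CARRIER),
              "CR:", church_rosser(rel, CARRIER),
              "normal forms:", sorted(normal_forms(rel, CARRIER)))
```

Running it shows the looping system to be locally confluent but neither strongly normalising nor confluent (b reaches both normal forms a and d), whereas the terminating system satisfies all of LCon, SN and Con, as Newman's Lemma predicts, and Con and CR agree on both, as the equivalence lemma predicts.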
1.2.3 Some Known Commutation Lemmas
For future reference and to show-case the proof principles of relational struc-
ture a bit further, we recount a number of standard results in this section.
We trust the reader is comfortable with their statement and, therefore, pro-
vide them with commentary pertaining exclusively to their proofs and the
invoked (primitive) proof principles.
Diamond Tiling Lemma
    (∃→_2. →_1 ⊆ →_2 ⊆ ↠_1 ∧ ◇(→_2)) ⇒ Con(→_1)
Proof The proof proceeds by two subsequent reflexive, transitive induc-
tions in ↠_1 of which the first establishes the following property.
[Commutation diagram between →_2- and ↠_1-arrows; lost in extraction.]
Please refer to Appendix B.1 for the details.
Hindley-Rosen Lemma
[Diagram lost in extraction: the premise is a commutation diagram for
→_1 and →_2, the conclusion the corresponding diagram for ↠_1 and ↠_2.]
Proof The proof proceeds by two subsequent reflexive, transitive induc-
tions, first in ↠_1 and then in ↠_2. The intermediate result is:
[Commutation diagram between →_2- and ↠_1-arrows; lost in extraction.]
Please refer to Appendix B.2 for the details, which essentially are identical
to those of the proof of the Diamond Tiling Lemma.
Commuting Confluence Lemma
    [commutation diagram for ↠_1 and ↠_2; lost in extraction] ∧ Con(→_1) ∧ Con(→_2) ⇒ Con(→_{1,2})
Proof The proof proceeds by two subsequent reflexive, transitive induc-
tions in ↠_{1,2} of which the first establishes the following property.
[Commutation diagram between →_{1,2}- and ↠_{1,2}-arrows; lost in extraction.]
Proposition 1.11 plays a crucial role in the proof, which essentially is identi-
cal to those of the Diamond Tiling Lemma and the Hindley-Rosen Lemma.
Please refer to Appendix B.3 for the details.
Diamond Diagonalisation Lemma
[Diagram lost in extraction: premises (P) with a →_b-arrow and (Q) with
→_a-, →_b-, and →_c-arrows; conclusion (P ∧ Q) with →_a-, →_a-, →_c-, and
→_c-arrows. The proof below states the content.]
Proof Assume the premises and consider Ms, such that, P(M), Q(M),
and M →_a M_i, for i ∈ {1, 2}. By the left-most premise, there is an N,
such that M →_b N. By the second premise, we therefore have M_i →_c N,
for i ∈ {1, 2}, and we are done.
1.3 Reduction, Substitution, and their Problems
Having accounted comprehensively for the structure of terms and (abstract)
relations in the previous two sections, we will now apply these considerations
to the standard definitions of some (concrete) reduction relations on Λ^var.
1.3.1 Names, Functions, and Graphs
In order not to have too many, e.g., identity functions, to have λ-abstractions
act as functions, and for functions to be extensional (i.e., representable by
an input-output graph), respectively, we are initially interested in the con-
textual closures of the following contraction rules:
    λx.e       →_{α_Cu}   λy.e[x := y]_Cu,   if y ∉ FV(e)
    (λx.e)e'   →_{β_Cu}   e[x := e']_Cu
    λx.ex      →_η        e,                  if x ∉ FV(e)^4
The precise form of the considered contraction rules is due to Curry [9]. The
[ := ]_Cu-operator is meta-level substitution. In other words, [ := ]_Cu
is not a new kind of syntax but rather a function that returns syntax. The
above three rules therefore prescribe that: (α) we can change the particu-
lar variable name used in an abstraction provided we (correctly) make the
change in the body as well, (β) we can treat an abstraction as a function by
(correctly) passing the considered argument into the body in place of the
abstracted variable name, and (η) we do not distinguish between explicit
and implicit functions, so to speak. Unfortunately, substitution is not as
simple an operation as it may appear to be at first.
4 We shall also refer to this relation as →_{η_Cu} but only as a matter of presentation.
There is only one reasonable (axiomatisation of the) η-reduction relation.
1.3.2 Variable Capture
In his seminal formalist presentation of the λ-calculus [9], Curry essentially
defines the above substitution operator, [ := ]_Cu, as follows:
    y[x := e]_Cu          = e   if x = y
                          = y   otherwise
    (e_1 e_2)[x := e]_Cu  = e_1[x := e]_Cu e_2[x := e]_Cu
    (λy.e_0)[x := e]_Cu   = λy.e_0                          if x = y
                          = λy.e_0[x := e]_Cu               if x ≠ y ∧ (y ∉ FV(e) ∨ x ∉ FV(e_0))
                          = λz.e_0[y := z]_Cu[x := e]_Cu    o/w; z = Fresh((e_0 e)x)
The interesting clause is the last one, which renames the considered y
into a z (the first z, in Curry's terminology) that has not been used already.
Consider, for example, the substitution of x for z in the two terms λx.z and
λy.z. Both terms-as-functions discard their argument. If we simply replace
the z in the terms with x, the latter would still discard its argument but the
former would become the identity function and this discrepancy would lead
to inconsistencies. Curry's definition overcomes this problem.
1.3.3 Well-Definedness
We see that Curry-style substitution is not well-defined by construction, as
the definition does not employ structural recursion. The offender is the last
clause that applies [x := e] to a term, e_0[y := z], which in general is not
a subterm of λy.e_0. To see that this is a real problem, consider, e.g., the
following adaptation of Curry-style substitution (with only the last clause
given):
    (λy.e')[x := e]_Cu = λz.e'[y := (λy.yx)]_Cu[x := e]_Cu
Albeit clearly nonsensical, the definition employs exactly the same definition
scheme as Curry-style substitution proper. This contrived notion of substi-
tution, however, admits, e.g., the following non-terminating unravelling of
the definition:
    (λy.yx)[x := y]_Cu = λz.(yx)[y := λy.yx]_Cu[x := y]_Cu
                       = λz.((λy.yx)[x := y]_Cu)y
                       = . . .
On the other hand, it can be observed that while e_0[y := z] is not a sub-
term of λy.e_0, it will have the same size as e_0 and we can thus establish the
well-formedness of [ := ]_Cu by external means (although that would go
against the declared goal of this thesis to employ primitive proof principles,
only). Alternatively, we can introduce a more advanced, parallel substitu-
tion operator [61]. However, neither of these approaches deals with the wider
range of problems caused by Curry-style capture avoidance, as we shall see
shortly, and we shall not pursue them.
It is pertinent to mention that we derive Curry-style substitution and
show it to be well-formed by means of PPP(Λ^var) in Section 1.5.3. Our
results establish that Curry-style substitution should not be considered a
primitive notion the way it traditionally is done.
1.3.4 Variable-Name Indeterminacy
Having initially committed ourselves to using renaming in substitution, a
range of problems must be faced. Hindley [25] observed, for example, that it
becomes impossible to predict the variable name used for a given abstraction
after reducing, thus putting, e.g., confluence out of immediate reach:
    (λx.(λy.λx.xy)x)y  →_{β_Cu}  (λy.λx.xy)y  →_{β_Cu}  λx.xy
    (λx.(λy.λx.xy)x)y  →_{β_Cu}  (λx.λz.zx)y  →_{β_Cu}  λz.zy
In the lower branch, the innermost x-abstraction must be renamed to a
z-abstraction while the upper branch never encounters the variable-name
clash. As a similar renaming problem exists for the →_{α_Cu}-relation, Hindley
introduced the following relation.
    λx.e →_{α_Hi} λy.e[x := y]_Cu, if x ≠ y, y ∉ FV(e) ∪ BV(e), and x ∉ BV(e)
The use of Curry-style substitution in Hindley's α-relation is such that
the renaming clause is never invoked although the resulting equivalence re-
lation is the same.
Lemma 1.15 (From Lemma 4.7, Lemma 4.8, Corollary 4.8 [25])
    ==_{α_Cu} = ↠_{α_Cu} = ↠_{α_Hi} = ==_{α_Hi}
Notation 1.16 (α-Equivalence) To have an axiomatisation-independent
name for the above relation, we refer to it as ℵ (aleph).
Hindley proceeded to define the β- and η-relations on α-equivalence
classes, which overcomes the above indeterminacy by factoring it out:
    [e] =_def {e' | e ==_ℵ e'}
    [e_1] →_{β_Hi} [e_2] =_def ∃e'_1 ∈ [e_1], e'_2 ∈ [e_2]. e'_1 →_{β_Cu} e'_2
    [e_1] →_η [e_2] =_def ∃e'_1 ∈ [e_1], e'_2 ∈ [e_2]. e'_1 →_η e'_2 ^5
Unfortunately, no relevant proof principles for the syntax and relations
defined on syntax are introduced by this and the approach cannot be used
in a formal setting as it stands. Still, the definition is the right one as far
as the equational theory of the λ-calculus is concerned and we shall invoke
it later (albeit in a slightly different-looking form, cf. Definition 1.31).
1.3.5 Name Unification and Broken Induction Steps
Instead of factoring out α-equivalence altogether, one could attempt to rea-
son up to post-fixed name unification. Unfortunately, this would lead to a
range of unusual situations as far as subsequent uses of abstract rewriting
is concerned. The core issue is that transitive induction becomes impaired.
Non-Lemma 1.17 (cf. Section 1.2.2)
[Diagram lost in extraction.]
Proof [Broken] By reflexive, transitive, symmetric induction in =.
Base, Reflexive, Symmetric Cases: Trivial.
Transitive Case: Breaks down.
[Diagram lost in extraction: M_1, M_2, M_3 along the top; the I.H. gives N_1
and N_2, the assumption gives N_3, and the remaining N_4, N_5, N_6 cannot
be joined.]
5 We shall also refer to this relation as →_{η_Hi} but only as a matter of presentation.
There is only one reasonable (axiomatisation of the) η-reduction relation.
1.3.6 Broken ℵ-Equality in Sub-Terms
Having failed in our attempts to control limited use of α-equivalence, one
might think that the syntactic version of Hindley's approach, cf. Section 1.3.4,
could work, i.e., that it is possible to state all properties about terms up to
==_ℵ rather than the primitive =_{Λ^var}. This is not true either as we can see
when trying to prove that two unrelated substitutions can be performed
in either order (a result that we show in Section 2.2 to be necessary when
proving any kind of commutation result for reduction relations).
Lemma 1.18 (Simplified Substitution modulo ℵ)
    e_1 ==_ℵ e_2 ∧ x ≠ y_i ∧ y_1 ≠ y_2
      ⇒ e_1[x_1 := y_1]_Cu[x_2 := y_2]_Cu ==_ℵ e_2[x_2 := y_2]_Cu[x_1 := y_1]_Cu
Proof [Broken] By structural induction in e_1.
Most Cases: Trivial.
Last Abstraction Case (simplified): Breaks down.
    (λy_1.e)[x_1 := y_1]_Cu[x_2 := y_2]  = λz.e'[x_1 := y_1]_Cu[x_2 := y_2]_Cu
                                       ==_ℵ λz.e'[x_2 := y_2]_Cu[x_1 := y_1]_Cu
                                       = (λz.e')[x_2 := y_2]_Cu[x_1 := y_1]_Cu
The problem above is that e and e' are not actually ℵ-equivalent, even
if λy_1.e and λz.e' are, and the ==_ℵ-step can thus not be substantiated by
the induction hypothesis. To see this, consider, for example, the situation
with e as y_1 and e' as z. The above result is certainly correct but it is,
unfortunately, not provable with the tools we have at our disposal at the
moment.
1.4 The Barendregt Variable Convention
Before proceeding with the formal development, we remark that the de facto
approach in the programming-language-theory community for sidestepping
the problems with variable names and conducting reasoning about higher-order
languages is the so-called Barendregt Variable Convention (BVC) [5]:
    2.1.12. Convention. Terms that are α-congruent are iden-
    tified [on a syntactic level].
    2.1.13. Variable Convention. If M_1, . . . , M_n occur in a
    certain mathematical context (e.g., definition, proof), then
    in these terms all bound variables are chosen to be different
    from the free variables.
    2.1.14. Moral. Using conventions 2.1.12 and 2.1.13 one can
    work with λ-terms in the naive way.
    UB(x) = True
    UB(e_1 e_2) = UB(e_1) ∧ UB(e_2) ∧ (BV(e_1) ∩ BV(e_2) = ∅)
    UB(λx.e) = UB(e) ∧ x ∉ BV(e)
Figure 1.2: The uniquely bound Λ^var-predicate
The Barendregt Variable Convention cannot be assigned an unambigu-
ous formal meaning as it stands. The problem lies in 2.1.12., with the text
in [] taken from the context of the statement in [5]. That said, its intention
is obvious: use the simple, well-understood proof principles of the syntax
for reasoning but ignore any difficulties caused by variable-name clashes. In
fact, this is how the BVC consistently has been used in the literature. In
contrast to this, we shall now introduce a formal variant of the BVC that
we refer to as BCF-initiality, for Barendregt Conventional Form.^6 We will
eventually use the notion to formally justify that variable-name changes
can be ignored, or more precisely, need not be performed in the relevant
circumstances (see, for example, Lemma 4.14).
Definition 1.19 A term in which all bound variables are unique and dif-
ferent from the free variables is called a Barendregt Conventional Form, cf.
Figures 1.1 and 1.2:
    BCF(e) =_def UB(e) ∧ (BV(e) ∩ FV(e) = ∅)
In a literal reading, our variable convention is similar to a convention
found in [24] in that both are eager, as it were, whereas the BVC seemingly
is lazy. Still, the point is not so much the literal reading of the conventions
but rather the use they are put to. In this case, it is to justify the use of
PPP^{FOAS_VN}, as stated in Barendregt's 2.1.14. Moral.
1.5 The (Orthonormal) Λ^var-Calculus
We will now introduce an axiomatisation of the λ-calculus that avoids the
problems we saw were caused by capture-avoiding substitution. Intuitively,
one can think of our α- and β-relations as well as the standard η-relation as
an orthonormal axiomatisation of the sought-after equational theory.
Definition 1.20 (The Λ^var-Calculus) The terms of the Λ^var-calculus are
Λ^var, cf. Definition 1.1. The β-, η-, and indexed α-relations of Λ^var: →_β,
→_η, and →^y_{α_i} are given inductively in Figure 1.3. Plain α-reduction is
given as:
    e_1 →_α e_2 ⇔_def ∃y. e_1 →^y_{α_i} e_2
6 The term was suggested to us by Randy Pollack.
    y[x := e]         = e   if x = y
                      = y   otherwise
    (e_1 e_2)[x := e] = e_1[x := e] e_2[x := e]
    (λy.e_0)[x := e]  = λy.e_0[x := e]   if x ≠ y ∧ y ∉ FV(e)
                      = λy.e_0           otherwise

     y ∉ Capt_x(e) ∪ FV(e)
    ─────────────────────────── (α_i)
    λx.e →^y_{α_i} λy.e[x := y]

        e →^y_{α_i} e'                 e_1 →^y_{α_i} e'_1                e_2 →^y_{α_i} e'_2
    ────────────────────── (Lα_i)   ──────────────────────────── (Alα_i)   ──────────────────────────── (Arα_i)
    λx.e →^y_{α_i} λx.e'            e_1 e_2 →^y_{α_i} e'_1 e_2            e_1 e_2 →^y_{α_i} e_1 e'_2

     Capt_x(e_1) ∩ FV(e_2) = ∅
    ────────────────────────────── (β)
    (λx.e_1)e_2 →_β e_1[x := e_2]

        e →_β e'                  e_1 →_β e'_1                  e_2 →_β e'_2
    ────────────────── (Lβ)    ──────────────────────── (Alβ)    ──────────────────────── (Arβ)
    λx.e →_β λx.e'             e_1 e_2 →_β e'_1 e_2              e_1 e_2 →_β e_1 e'_2

     x ∉ FV(e)
    ───────────────── (η)
    λx.ex →_η e

        e →_η e'                  e_1 →_η e'_1                  e_2 →_η e'_2
    ────────────────── (Lη)    ──────────────────────── (Alη)    ──────────────────────── (Arη)
    λx.e →_η λx.e'             e_1 e_2 →_η e'_1 e_2              e_1 e_2 →_η e_1 e'_2
Figure 1.3: Renaming-free substitution, [ := ], defined recursively, and
α-, β-, and η-reduction defined inductively over Λ^var
The central point in the definition is the use of side-conditions on the
contraction rules in order to avert the need for binder-renaming. Informally,
the side-conditions express that the binders that must be passed in order to
reach an actual substitution target may not capture any free variables in the
term being substituted in; they coincide with the notion of "is free for". We
shall shortly see that the Λ^var-calculus, perhaps surprisingly, is provably(!)
equivalent to the known presentations of the λ-calculus.
The indexed α-relation will be used to conduct the ensuing proofs but is,
as such, not needed for defining the Λ^var-calculus. We remind the reader that
the relations come equipped with a rule induction principle, that relation
equality is extensional, and that no recursion over relations is possible, cf.
Section 1.1.4.
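To make the definitions of this chapter concrete, the following Python is an added example, not code from the thesis or from its Isabelle/HOL development. It implements Λ^var as first-order abstract syntax (Definition 1.1), FV, BV and Capt_x from Figure 1.1, a concrete Fresh() (Assumption 1.4, with a constructed z0, z1, ... naming scheme), Curry-style substitution from Section 1.3.2, renaming-free substitution and root β-contraction with the side-condition of Figure 1.3, and UB/BCF from Figure 1.2 and Definition 1.19. The function names and the sample terms (λx.z and λy.z from Section 1.3.2, and the (λy.x)[x := y][y := x] case of Section 1.5.2) are this example's own choices.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Union

# Λ^var as first-order abstract syntax (Definition 1.1).  Names are strings and
# the generated __eq__ is the structural equality =_{Λ^var}: binder names are
# compared literally, so Lam("x", Var("x")) != Lam("y", Var("y")).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: Term
    arg: Term

@dataclass(frozen=True)
class Lam:
    var: str
    body: Term

Term = Union[Var, App, Lam]

def fv(e: Term) -> frozenset:
    """Free variables, by structural recursion (Figure 1.1)."""
    if isinstance(e, Var):
        return frozenset({e.name})
    if isinstance(e, App):
        return fv(e.fun) | fv(e.arg)
    return fv(e.body) - {e.var}

def bv(e: Term) -> frozenset:
    """Bound variables (Figure 1.1)."""
    if isinstance(e, Var):
        return frozenset()
    if isinstance(e, App):
        return bv(e.fun) | bv(e.arg)
    return bv(e.body) | {e.var}

def capt(x: str, e: Term) -> frozenset:
    """Capt_x(e): the binders of e whose body has a free occurrence of x."""
    if isinstance(e, Var):
        return frozenset()
    if isinstance(e, App):
        return capt(x, e.fun) | capt(x, e.arg)
    return capt(x, e.body) | {e.var} if x in fv(e) else frozenset()

def fresh(used: frozenset) -> str:
    """A concrete Fresh() (Assumption 1.4): first of z0, z1, ... not in `used`.
    The z-naming scheme is an assumption of this example."""
    return next(f"z{i}" for i in count() if f"z{i}" not in used)

def subst_curry(e: Term, x: str, s: Term) -> Term:
    """Curry-style substitution e[x := s]_Cu (Section 1.3.2).  The last clause
    renames the binder to a fresh z and recurses on e0[y := z], which is not
    a sub-term of λy.e0 (the well-definedness issue of Section 1.3.3)."""
    if isinstance(e, Var):
        return s if e.name == x else e
    if isinstance(e, App):
        return App(subst_curry(e.fun, x, s), subst_curry(e.arg, x, s))
    y, e0 = e.var, e.body
    if x == y:
        return e
    if y not in fv(s) or x not in fv(e0):
        return Lam(y, subst_curry(e0, x, s))
    z = fresh(fv(e0) | bv(e0) | fv(s) | bv(s) | {x})      # Fresh((e0 s) x)
    return Lam(z, subst_curry(subst_curry(e0, y, Var(z)), x, s))

def subst_rf(e: Term, x: str, s: Term) -> Term:
    """Renaming-free substitution e[x := s] (Figure 1.3): a binder that would
    capture a free variable of s simply stops the substitution."""
    if isinstance(e, Var):
        return s if e.name == x else e
    if isinstance(e, App):
        return App(subst_rf(e.fun, x, s), subst_rf(e.arg, x, s))
    if x != e.var and e.var not in fv(s):
        return Lam(e.var, subst_rf(e.body, x, s))
    return e

def beta_contract(e: Term):
    """Root (β)-contraction of Figure 1.3, or None if e is not a redex or the
    side-condition Capt_x(e1) ∩ FV(e2) = ∅ fails, i.e. when renaming-free
    substitution would otherwise have dropped a substitution under a binder."""
    if isinstance(e, App) and isinstance(e.fun, Lam):
        x, e1, e2 = e.fun.var, e.fun.body, e.arg
        if not (capt(x, e1) & fv(e2)):
            return subst_rf(e1, x, e2)
    return None

def ub(e: Term) -> bool:
    """Uniquely bound (Figure 1.2)."""
    if isinstance(e, Var):
        return True
    if isinstance(e, App):
        return ub(e.fun) and ub(e.arg) and not (bv(e.fun) & bv(e.arg))
    return ub(e.body) and e.var not in bv(e.body)

def bcf(e: Term) -> bool:
    """Barendregt Conventional Form (Definition 1.19)."""
    return ub(e) and not (bv(e) & fv(e))

if __name__ == "__main__":                       # constructed sample terms
    lx_z, ly_z = Lam("x", Var("z")), Lam("y", Var("z"))
    print(subst_curry(lx_z, "z", Var("x")), subst_curry(ly_z, "z", Var("x")))
    print(subst_rf(lx_z, "z", Var("x")))                 # unchanged: capture
    print(beta_contract(App(Lam("z", lx_z), Var("x"))))  # None: side-condition
    print(beta_contract(App(Lam("z", ly_z), Var("x"))))  # Lam('y', Var('x'))
```

On the two terms of Section 1.3.2, Curry-style substitution turns λx.z into λz0.x (the binder is renamed) and λy.z into λy.x, so both still discard their argument. Renaming-free substitution leaves λx.z untouched, and the (β)-rule refuses the redex (λz.λx.z)x because Capt_z(λx.z) = {x} meets FV(x), while it contracts (λz.λy.z)x to λy.x; the side-condition is exactly what keeps the renaming-free operator from producing a wrong term.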
1.5.1 (Indexed) Relational Structure for Λ^var
We remark that the constructions and results for relational structure in
Section 1.2 do not immediately apply to Λ^var because of the indexed α-
relation.
Definition 1.21 Vectors of variable names are defined inductively thus.
    V ::= () | xV
|·| is the length function for vectors (defined structural-recursively).
Notation 1.22
• We write x⃗_i for the vector consisting of the variable names denoted by
  the x_i (to be thought of as x_1, x_2, . . . x_n).
• Analogously, we write x⃖_i for the (reversed) vector: x_n, . . . x_2, x_1.
• We write x⃗ for any vector in which all elements are x.
• We write x for a vector with just one element.
• We write {x_i} for the set of elements in x⃗_i.
With reference to Section 1.2, we associate reflexivity of indexed relations
with the empty list (), transitivity with vector composition, and symmetry
with vector reversal in the obvious manner. With this, we have the following.
Proposition 1.23
• CC(→_{α_i}) ∧ CC(→^=_{α_i}) ∧ CC(↠_{α_i}) ∧ CC(==_{α_i})
• CC(→_α) ∧ CC(→^=_α) ∧ CC(↠_α) ∧ CC(==_α)
• CC(→_β) ∧ CC(→^=_β) ∧ CC(↠_β) ∧ CC(==_β)
• CC(→_η) ∧ CC(→^=_η) ∧ CC(↠_η) ∧ CC(==_η)
Proof The left-most conjuncts of the first and the last two bullets follow
directly from Definition 1.12 by rules (L_·), (Al_·), and (Ar_·). The left-
most conjunct of the second bullet follows from the left-most conjunct of
the first bullet by construction. The other conjuncts follow from these four
by Proposition 1.13.
1.5.2 Basic Properties of Renaming-Free Substitution
Apart from being renaming-free, the precise form of our notion of substitu-
tion is intended to enable us to prove certain tidiness properties for it.
Proposition 1.24 $\_[x := e] : \Lambda_{var} \to \Lambda_{var}$ is a total, computable function.
Proof That the co-domain is $\Lambda_{var}$ is verified by a straightforward rule induction. The remainder of the property follows by construction as renaming-free substitution is defined by structural recursion.
The following proposition establishes, in order, that the identity substi-
tution is indeed the identity; a void substitution is indeed voided; renaming
with any non-free y is reversible; and, the act of substitution is suitably
exhaustive. The properties will all be needed later on.
Proposition 1.25 For $x, y \in \mathcal{V}$ and $e, e' \in \Lambda_{var}$:
1. $e[x := x] = e$
2. $x \notin FV(e) \Longrightarrow e[x := e'] = e$
3. $y \notin FV(e) \Longrightarrow e[x := y][y := x] = e$
4. $x \notin FV(e') \wedge (Capt_x(e) \cap FV(e') = \emptyset) \Longrightarrow x \notin FV(e[x := e'])$
Proof All proofs are straightforward structural inductions in $e$ and we therefore restrict attention to the second property in this context. Note, however, that the third property is able to deal correctly with irregularities like $(\lambda y.x)[x := y][y := x] = \lambda y.x$ exactly because both substitutions are discarded. As for proving the second property, we assume $x \notin FV(e)$ and aim to establish $e[x := e'] = e$:
Case $e \equiv y$: By assumption, we know that $y \neq x$. By unravelling the definition of substitution, $y[x := e'] = y$, we are trivially done.
Case $e \equiv e_1 e_2$: By definition, we have $(e_1 e_2)[x := e'] = e_1[x := e']\; e_2[x := e']$. As $x \notin FV(e_1 e_2) \Longrightarrow x \notin FV(e_1) \wedge x \notin FV(e_2)$, we can apply the I.H. twice: $e_i[x := e'] = e_i$ for $i = 1, 2$, and we are done.
Case $e \equiv \lambda z.e_0$: We case-split on $z$.
Sub-case $z = x$: We are immediately done.
Sub-case $z \neq x \wedge z \notin FV(e')$: By $x \notin FV(\lambda z.e_0)$, $z \neq x$, and the definition of FV(), we have $x \notin FV(e_0)$. We can therefore apply the induction hypothesis to the unravelling of the definition of substitution to get $(\lambda z.e_0)[x := e'] = \lambda z.e_0[x := e'] = \lambda z.e_0$.
Sub-case $z \neq x \wedge z \in FV(e')$: We are immediately done by unravelling the definition of substitution: $(\lambda z.e_0)[x := e'] = \lambda z.e_0$.
$x[x := e] \stackrel{Cu}{=} e$ (no premises)
From $x \neq y$ infer $y[x := e] \stackrel{Cu}{=} y$
From $e_1[x := e] \stackrel{Cu}{=} e'_1$ and $e_2[x := e] \stackrel{Cu}{=} e'_2$ infer $(e_1 e_2)[x := e] \stackrel{Cu}{=} e'_1 e'_2$
$(\lambda x.e_0)[x := e] \stackrel{Cu}{=} \lambda x.e_0$ (no premises)
From $x \neq y$, $y \notin FV(e) \vee x \notin FV(e_0)$, and $e_0[x := e] \stackrel{Cu}{=} e'_0$ infer $(\lambda y.e_0)[x := e] \stackrel{Cu}{=} \lambda y.e'_0$
From $x \neq y$, $y \in FV(e)$, $x \in FV(e_0)$, $z = Fresh((e_0\, e)\, x)$, $e_0[y := z] \stackrel{Cu}{=} e'_0$, and $e'_0[x := e] \stackrel{Cu}{=} e''_0$ infer $(\lambda y.e_0)[x := e] \stackrel{Cu}{=} \lambda z.e''_0$
Figure 1.4: Curry-style substitution (re-)defined inductively (inference rules written as "From premises infer conclusion")
We stress that the last clause of the proof (which incorrectly discards the substitution) goes to show an algebraic property of the defined notion of substitution. In actual uses of substitution, the clause will never be invoked. In fact, one of the properties we show next is that, as far as our use of substitution is concerned, the present notion coincides with Curry's.
1.5.3 Capture-Avoiding vs Renaming-Free Substitution
In order to formally relate the $\lambda_{var}$-calculus with the known presentations of the $\lambda$-calculus and to overcome the well-definedness problems with Curry-style substitution defined recursively, we elect to work with Curry-style substitution in the less restrictive setting of (rule-)inductive definitions, cf. Figure 1.4. Please refer to Section 1.6.1 for a precise account of recursive vs inductive definitions.
The first result we show is that, as far as our use of substitution is concerned, capture-avoiding and renaming-free substitution coincide.
Lemma 1.26 $e_a[x := e] \stackrel{Cu}{=} e_b \wedge Capt_x(e_a) \cap FV(e) = \emptyset \Longrightarrow e_a[x := e] = e_b$
Proof By rule induction in the 4-ary $\_[\_ := \_] \stackrel{Cu}{=} \_$-relation, cf. Figure 1.4.
Variable Cases: Straightforward.
Application Case: We are considering $e_a \equiv e_1 e_2$. By definition, we have $Capt_x(e_i) \subseteq Capt_x(e_a)$, for $i \in \{1, 2\}$, and we are done by two I.H.-applications.
Abstraction Case $x = y$: Straightforward.
Abstraction Case $x \neq y$, simple: We are considering $e_0[x := e] \stackrel{Cu}{=} e'_0$ and we case-split on the disjunct in the premises of the rule. In case of the right-most disjunct, we can apply the I.H. by Proposition 1.8 to conclude $e_0[x := e] = e'_0$. As we have $e'_0 = e_0$ by Proposition 1.25, 2., we see that we are done irrespective of which case of $(\lambda y.e_0)[x := e]$ we are considering. In case $y \notin FV(e) \wedge x \in FV(e_0)$, we have $Capt_x(e_0) \subseteq Capt_x(\lambda y.e_0)$ by definition and we can straightforwardly apply the I.H. and we are done.
Abstraction Case $x \neq y$, complex: The three left-most premises of the rule contradict the premise of the lemma and we are trivially done.
The lemma not only implies that $e_a[x := e] \stackrel{Cu}{=} e_a[x := e]$ holds but also establishes that $\_[x := e] \stackrel{Cu}{=} \_$ is functional in the considered circumstances. Furthermore, in the cases where the pre-condition of Lemma 1.26 is broken, we can actually prove (and this is surprising, cf. Section 1.3.6) that the renamings incurred by $\_[\_ := \_] \stackrel{Cu}{=} \_$ can be simulated by $\twoheadrightarrow_\alpha$ pre-fixed to $\_[\_ := \_]$. The tricky step in the proof is flagged by a footnote.
Lemma 1.27 $e_a[x := e] \stackrel{Cu}{=} e' \Longrightarrow \exists! e_b.\; e_a \twoheadrightarrow_\alpha e_b \wedge e_b[x := e] = e'$
Proof By rule induction in the 4-ary $\_[\_ := \_] \stackrel{Cu}{=} \_$-relation, cf. Figure 1.4.
Abstraction Case $x \neq y$, complex: We are considering $e_a \equiv \lambda y.e_0$, with $e_0[y := z] \stackrel{Cu}{=} e'_0$ and $e'_0[x := e] \stackrel{Cu}{=} e''_0$. By Lemma 1.26 and I.H., we have $e_0[y := z] = e'_0$ (as $z = Fresh((e_0\, e)\, x)$), with $e'_0$ unique by I.H.. Similarly, applying the I.H. to $e'_0[x := e] \stackrel{Cu}{=} e''_0$ gives us a unique $e''_1$ such that $e'_0 \twoheadrightarrow_\alpha e''_1$ and $e''_1[x := e] = e''_0$.⁷ In other words, we have:
$e_a = \lambda y.e_0 \;\to_\alpha\; \lambda z.e_0[y := z] = \lambda z.e'_0 \;\twoheadrightarrow_\alpha\; \lambda z.e''_1 = e_b$
The $\to_\alpha$-step is possible as $z = Fresh((e_0\, e)\, x)$, while the $\twoheadrightarrow_\alpha$-step follows by Proposition 1.23. The considered $e_b$ is unique by functionality of Fresh() and uniqueness of $e''_1$. As $(\lambda z.e''_1)[x := e] = \lambda z.e''_1[x := e]$ by definition, we are done.
Other Cases: Analogous to the corresponding cases in Lemma 1.26. Uniqueness follows either because only reflexive $\twoheadrightarrow_\alpha$-steps can be used or by invoking the I.H., using also Proposition 1.23.
⁷ The fact that this conclusion can be reached by a simple application of an I.H. is the main thrust of using rule induction over Curry-style substitution, cf. Section 1.3.6.
The lemma immediately implies that capture-avoiding substitution is a derived notion relative to the strictly PPP($\Lambda_{var}$)-setting of renaming-free substitution. In fact, the basic desirable properties of a substitution operator are also derivable for Curry-style substitution.
Proposition 1.28 For any $x$ and $e$, $\_[x := e] \stackrel{Cu}{=} \_$ is a total, computable function of the first, open argument onto the second, open argument.
Proof According to Lemma 1.27, it suffices to argue that that lemma's conclusion amounts to a total, computable function. As for $\_[x := e]$, see Lemma 1.24. In case of $\exists!$, we have totality by $\exists$, functionality by its uniqueness, $!$, and computability as the proof of Lemma 1.27 is constructive and only relies on the computable Fresh()-function.
1.5.4 Curry-Style Reduction Decomposed
Having established a precise relationship between capture-avoiding and renaming-
free substitution, we are able to extend the relationship to the various rela-
tions that invoke the substitution operators.
Lemma 1.29

Hi

Cu)
1

Proof The reasoning in the first case is subsumed by the second case, which we show. The proof is by rule induction in the underlying $\overrightarrow{y_i}$-indexed $\alpha$-relation.
Case $(\alpha_i)$: The premise of the considered rule prescribes, amongst other things, that $y \notin FV(e)$ for given $y$ and $\lambda x.e$. By definition we therefore have $\lambda x.e \;(\to_\alpha^{Cu})^{-1}\; \lambda y.e[x := y]^{Cu}$. As the premise of the rule allows us to invoke Lemma 1.26: $e[x := y]^{Cu} = e[x := y]$, we are done.
Cases $(L_i)$, $(Al_i)$, $(Ar_i)$: Trivial.
The third inclusion follows by an equally straightforward rule induction in $(\to_\alpha^{Cu})^{-1}$, using Lemma 1.27 in the contraction case.
Our last result of the section implies that Curry-style $\beta$-reduction is a composed notion relative to PPP($\Lambda_{var}$), comprising both $\alpha$- and $\beta$-reduction.
Lemma 1.30

Cu

Proof The first inclusion is established by a simple rule induction in $\to_\beta$, using Lemma 1.26 in the $\beta$-contraction case. The second inclusion follows by an equally simple rule induction in $\to_\beta^{Cu}$ using Proposition 1.27 in the $\beta$-contraction case.
1.5.5 $\lambda_{var}$-Collapses to the Real $\lambda$-Calculus
With these fundamental results in place, we have ensured the intuitive soundness of the following definition which mimics Hindley's construction.
Denition 1.31 (The Real -Calculus)
=
def

var
/==

| :
def

var

e e

[ e ==

e
1
|

e
2
|
def
e
1
==

; ==

e
2
e
1
|

e
2
|
def
e
1
==

; ==

e
2
Having defined the $\alpha$-collapsed $\lambda$-calculus, we study the induced relational structure next.
Proposition 1.32 For $X \in \{\alpha, \beta, \eta\}$, we have:
$|e| \to_X |e'| \;\Longleftrightarrow\; e\;(=_\alpha ; \to_X ; =_\alpha)\;e' \;\vee\; e =_\alpha e'$
Proof The left-most disjunct is the straightforward transitive version of $\to_X$ on syntax. The right-most disjunct comes from the reflexive case, again by definition.
In order to assess the right-hand side of the above equivalence in a bit more detail, we see that the $\to_\alpha$-relation is very well behaved, indeed.
Lemma 1.33 ($\alpha$-Symmetry)

Proof By a straightforward rule induction, using Proposition 1.25, 3..


Lemma 1.34 =

= ==

(cf. Notation 1.16)


Proof By straightforward reflexive, transitive(, symmetric) inductions using Lemmas 1.15 and 1.29 and Lemma 1.33, respectively.
The properties above allow us to prove that all the various relations we
have considered are point-wise equivalent.
Lemma 1.35 For X , , , we have:
e|
X
e

| e
,X
e

Cu
,X
Cu e

e|
X
Hi e

|
Proof From Lemma 1.33, it is straightforward to prove that $((=_\alpha ; \to_X ; =_\alpha) \cup =_\alpha) = \to_{\alpha,X}$ and the first bi-implication is established by Proposition 1.32. The second bi-implication follows by Lemmas 1.29, 1.30, and 1.34. The last bi-implication follows in an analogous manner.
$x[x := e] \mathrel{I} e$ (no premises)
From $x \neq y$ infer $y[x := e] \mathrel{I} y$
From $e_1[x := e] \mathrel{I} e'_1$ and $e_2[x := e] \mathrel{I} e'_2$ infer $(e_1 e_2)[x := e] \mathrel{I} e'_1 e'_2$
(Strict) From $x \neq y$, $y \notin FV(e)$, and $e_0[x := e] \mathrel{I} e'_0$ infer $(\lambda y.e_0)[x := e] \mathrel{I} \lambda y.e'_0$
(Lazy) From $x = y \vee y \in FV(e)$ infer $(\lambda y.e_0)[x := e] \mathrel{I} \lambda y.e_0$
Figure 1.5: Renaming-free substitution (re-)defined inductively (inference rules written as "From premises infer conclusion")
Based on the point-wise equivalence of relations, we see that we are considering just one equational theory, thus affirming a basic tidiness check.
Corollary 1.36 For X , , , we have:
(/ =
X
) = (
var
/==
X
) = (
var
/==

Cu
X
Cu) = ((
var
/==

Hi )/=
X
Hi )
1.6 Renaming-Free Substitution Explored
To pursue in more detail the fact we took advantage of in Section 1.5.3,
namely that functions are relations that potentially can be dened induc-
tively, this section spells out the various issues that are encountered when
considering renaming-free substitution inductively. Whereas Section 1.5.3
essentially introduces an inductive denition of (the non-primitive recur-
sive) Curry-style substitution to arrive at some measure of PPP for it, we
will now account for both the induction and the recursion principles that
are primitive to renaming-free substitution. More concretely, this section
first analyses and relates the various technical notions associated with a full
range of PPP for renaming-free substitution before going on to employ them
to establish some technical properties we shall need later in the thesis.
1.6.1 Inductive vs Recursive Substitution
Definition 1.37 Figure 1.5 defines the 4-ary substitution relation:
$\_[\_ := \_] \mathrel{I} \_ \;\subseteq\; \Lambda_{var} \times \mathcal{V} \times \Lambda_{var} \times \Lambda_{var}$
Proposition 1.38 $e_a[x := e_b] \mathrel{I} e \;\Longleftrightarrow\; e_a[x := e_b] = e$
Proof
($\Longrightarrow$) Direction: By rule induction in $\_[\_ := \_] \mathrel{I} \_$.
Variable Cases: We are straightforwardly done.
Application Case: We are considering $e_a \equiv e_1 e_2$ and, for $i \in \{1, 2\}$, we have $e_i[x := e_b] = e'_i$ whenever $e_i[x := e_b] \mathrel{I} e'_i$ by I.H. and we are done by definition.
(Strict) Abstraction Case: We are considering $e_a \equiv \lambda y.e_0$ and we have $e_0[x := e_b] = e'_0$ whenever $e_0[x := e_b] \mathrel{I} e'_0$ by I.H. and we are done by definition.
(Lazy) Abstraction Case: We are straightforwardly done.
($\Longleftarrow$) Direction: We show $e_a[x := e_b] \mathrel{I} e_a[x := e_b]$ by structural induction in $e_a$.
Variable Case: We are straightforwardly done by the obvious case-split.
Application Case: We are considering $e_a \equiv e_1 e_2$, such that, by I.H.: $e_i[x := e_b] \mathrel{I} e_i[x := e_b]$ for $i \in \{1, 2\}$, whence we are done.
Abstraction Case: We are considering $e_a \equiv \lambda y.e_0$ and case-split appropriately:
Sub-case $x \neq y \wedge y \notin FV(e_b)$: We have $e_0[x := e_b] \mathrel{I} e_0[x := e_b]$ by I.H., and thus $(\lambda y.e_0)[x := e_b] \mathrel{I} \lambda y.e_0[x := e_b]$ by (Strict), as desired.
Sub-case $x = y \vee y \in FV(e_b)$: We are trivially done.
Corollary 1.39 $\_[x := e_b] \mathrel{I} \_$ is a total, computable function of the first open argument onto the second open argument.
Based on Proposition 1.38, we see that it is reasonable and, indeed,
entirely in line with substitution-as-a-function to present the following definition and notational convention for substitution-as-a-relation.
Definition 1.40 Extend the functions of Figure 1.1 to the substitution relation as follows:
$FV(e_a[x := e_b] \mathrel{I} e) =_{def} FV(e)$
$BV(e_a[x := e_b] \mathrel{I} e) =_{def} BV(e)$
$Capt_y(e_a[x := e_b] \mathrel{I} e) =_{def} Capt_y(e)$
Notation 1.41 Based on Definition 1.37 and Proposition 1.39, the following is well-defined notation:
$FV(e_a[x := e_b] \mathrel{I})$, $BV(e_a[x := e_b] \mathrel{I})$, $Capt_y(e_a[x := e_b] \mathrel{I})$
In other words, the inductive and the recursive version of renaming-free
substitution can be used almost entirely interchangeably.
1.6.2 Substitution and Variable Names
With the above PPP in place, we establish the coherence of renaming-free
substitution with the notions of free, bound, and capturing variables. While
the results can be proved using structural induction, we opt instead to
use rule induction over substitution-as-a-relation. This is done not only
to show-case what this means specifically but also because the engendered
case-splittings turn out to be more to the point than those of structural
induction (albeit still not simple). To be precise, (i) we state the various
properties in terms of substitution-as-a-function (for their later use), (ii) we
prove them with substitution-as-a-relation (for PPP reasons), and (iii) we in-
voke established lemmas about substitution-as-a-function. We remark that
while such an approach is straightforward from a conceptual perspective,
the involved formalism is somewhat heavy on coercions.
Lemma 1.42 (Substitution and Free Variables)
$Capt_x(e_a) \cap FV(e_b) = \emptyset \Longrightarrow FV(e_a[x := e_b]) = \begin{cases} FV(e_a) & \text{if } x \notin FV(e_a) \\ (FV(e_a) \setminus \{x\}) \cup FV(e_b) & \text{if } x \in FV(e_a) \end{cases}$
Proof The proof is by rule induction in the substitution relation, cf. Sec-
tion 1.6.1. Although straightforward, the proof requires substantial compu-
tation. Please refer to Appendix B.4 for the details.
Lemma 1.43 (Substitution and Bound Variables)
$Capt_x(e_a) \cap FV(e_b) = \emptyset \Longrightarrow BV(e_a[x := e_b]) = \begin{cases} BV(e_a) & \text{if } x \notin FV(e_a) \\ BV(e_a) \cup BV(e_b) & \text{if } x \in FV(e_a) \end{cases}$
Proof The proof is analogous to that of Lemma 1.42.
Lemma 1.44 (Substitution and Capturing Variables) Under the assumption that $Capt_x(e_a) \cap FV(e_b) = \emptyset$, we have:
1. $x = y \wedge y \notin FV(e_b) \;\Longrightarrow\; Capt_y(e_a[x := e_b]) = \emptyset$
2. $x \notin FV(e_a) \vee (x \neq y \wedge y \notin FV(e_b)) \;\Longrightarrow\; Capt_y(e_a[x := e_b]) = Capt_y(e_a)$
3. $x \in FV(e_a) \wedge y \in FV(e_b) \;\Longrightarrow\; Capt_y(e_a[x := e_b]) = Capt_y(e_a) \cup Capt_x(e_a) \cup Capt_y(e_b)$
Proof The proof is by rule induction in the substitution relation, cf. Sec-
tion 1.6.1. It is both big and involved but, otherwise, mainly a piece of
computation. Please refer to Appendix B.5 for the details.
1.6.3 Reduction and Variable Names
Summarising the results in the previous section, we see that we have the
following property.
Lemma 1.45 $e \twoheadrightarrow_\beta e' \Longrightarrow FV(e') \subseteq FV(e) \wedge BV(e') \subseteq BV(e)$
Proof By reflexive, transitive induction, it suffices to consider the one-step case, which we do by rule induction in $\to_\beta$.
Case ($\beta$): The premise on the rule allows us to invoke Lemmas 1.42 and 1.43, respectively, and we are straightforwardly done.
Remaining Cases: Straightforward applications of the I.H. and the definition of FV() and BV(), respectively.
We note that $Capt_x()$ is not monotone under $\beta$-reduction the way we have just seen that FV() and BV() are. Consider, for example, the following term (which we shall revisit in Nota Bene 2.13):
$(\lambda x.(\lambda y.\lambda z.y)x)z$
Either of the two $\beta$-redexes in the above term can be contracted but not both (in either order) as the two $z$'s clash. The reason is two-fold: (i) new capturing variables of some (any) $x$ can be introduced under reduction (the inner contraction above). And, (ii) a sub-term of some term can have its free variables changed as a result of a substitution coming from its context (the outer contraction above).
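The two contraction orders just described, replayed in code: renaming-free substitution clause by clause after Figure 1.5, and a contraction that refuses the step when the Capt/FV side condition fails. This is an added example, not the thesis's code; the term encoding is mine, and $Capt_x(e)$ is read as "binders of $e$ whose scope contains a free $x$", an assumption consistent with how the page uses it.

```python
"""Renaming-free substitution (Figure 1.5) and the Capt_x side condition of
rule (beta_@) (Figure 2.1), replayed on (lambda x.(lambda y.lambda z.y) x) z
from Section 1.6.3.  Added example, not the thesis's code."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Lam:
    binder: str
    body: "Term"

Term = Union[Var, App, Lam]

def fv(e: Term) -> frozenset:
    """FV(e): the free variable names of e, by structural recursion."""
    if isinstance(e, Var):
        return frozenset({e.name})
    if isinstance(e, App):
        return fv(e.fun) | fv(e.arg)
    return fv(e.body) - {e.binder}

def capt(x: str, e: Term) -> frozenset:
    """Capt_x(e): the binders of e whose scope contains a free occurrence
    of x, i.e. the names that would capture a free x substituted there.
    Assumption: this reading of Capt is reconstructed from the page's use
    of it (z in Capt_x(lambda z.e0) iff z != x and x in FV(e0))."""
    if isinstance(e, Var):
        return frozenset()
    if isinstance(e, App):
        return capt(x, e.fun) | capt(x, e.arg)
    if e.binder == x or x not in fv(e.body):
        return frozenset()
    return capt(x, e.body) | {e.binder}

def subst(e: Term, x: str, e2: Term) -> Term:
    """e[x := e2], renaming-free, clause by clause after Figure 1.5."""
    if isinstance(e, Var):
        return e2 if e.name == x else e
    if isinstance(e, App):
        return App(subst(e.fun, x, e2), subst(e.arg, x, e2))
    if e.binder != x and e.binder not in fv(e2):   # (Strict)
        return Lam(e.binder, subst(e.body, x, e2))
    return e                                       # (Lazy): substitution discarded

def contract(redex: Term) -> Optional[Term]:
    """Contract (lambda x.t1) t2 to t1[x := t2] only when Capt_x(t1) and
    FV(t2) are disjoint, the premise of (beta_@); None means the step
    would need renaming (a variable clash), so it is refused."""
    if not (isinstance(redex, App) and isinstance(redex.fun, Lam)):
        raise ValueError("not a beta-redex")
    lam = redex.fun
    if capt(lam.binder, lam.body) & fv(redex.arg):
        return None
    return subst(lam.body, lam.binder, redex.arg)

# Constructed input: the page's term (lambda x.(lambda y.lambda z.y) x) z.
INNER = App(Lam("y", Lam("z", Var("y"))), Var("x"))   # the inner redex
TERM = App(Lam("x", INNER), Var("z"))                   # the outer redex

def inner_then_outer() -> Tuple[Term, Optional[Term]]:
    """Inner redex first: (lambda x.lambda z.x) z, whose outer redex clashes."""
    mid = App(Lam("x", contract(INNER)), Var("z"))
    return mid, contract(mid)

def outer_then_inner() -> Tuple[Term, Optional[Term]]:
    """Outer redex first: (lambda y.lambda z.y) z, whose redex then clashes."""
    mid = contract(TERM)
    return mid, contract(mid)

def lemma_1_42_holds(e_a: Term, x: str, e_b: Term) -> bool:
    """Check the FV equation of Lemma 1.42 under its premise on one input."""
    if capt(x, e_a) & fv(e_b):
        raise ValueError("premise Capt_x(e_a) & FV(e_b) = {} not met")
    expected = fv(e_a) if x not in fv(e_a) else (fv(e_a) - {x}) | fv(e_b)
    return fv(subst(e_a, x, e_b)) == expected

if __name__ == "__main__":
    for label, (mid, end) in (("inner then outer", inner_then_outer()),
                              ("outer then inner", outer_then_inner())):
        print(label, "->", mid, "->", "clash" if end is None else end)
```

Both orders reach a term in which the remaining redex's binder $z$ lies in $Capt$ of the body while $z$ is free in the argument, which is exactly the non-monotonicity of $Capt_x()$ under $\beta$-reduction that the text points out.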
Chapter 2
A Renaming-Free $\lambda_{var}$-Fragment
We saw in Section 1.3 that $\lambda_{var}$-equality and, thus, $PPP^{FOAS}_{VN}$ as a whole are easily broken when reasoning about (presentations of the) $\lambda$-calculus in general. In this chapter, we will show that it is possible to identify a fairly large and natural fragment of the rewriting theory of the $\lambda_{var}$-calculus where this does not happen. The following observation suggests the reason for the correctness of the formal development that ensues.
Hyland's Disjointness Property [32] says that two distinct sub-terms of some term that are residuals (to be defined) of the same sub-term are disjoint, i.e., neither contains the other.
By Hyland's Disjointness Property, a binding cannot come into conflict with a residual sibling in residual theory, so to speak, as that would require one to occur within the other. In other words, variable-name conflicts in residual theory are exclusively caused by properly distinct variable-name occurrences. BCF-initiality (cf. Section 1.4), enforcing distinctness of all variable names, can thus be seen to enable residual theory in an informal sense. This chapter is dedicated to showing this to be the case, in a formal sense. As an appetiser for later developments, in particular Chapter 5, we indicate that the results in the present chapter essentially suffice for establishing -confluence, etc..
2.1 The Residual $\lambda_{var}$-Theory
Informally speaking, residual theory is the different ways in which the redexes in given terms can be contracted.
$(\beta_@)$: From $Capt_x(t_1) \cap FV(t_2) = \emptyset$ infer $(\lambda x.t_1)\,@\,t_2 \to_@ t_1[x := t_2]$
$(Al_@)$: From $t_1 \to_@ t'_1$ infer $t_1 t_2 \to_@ t'_1 t_2$
$(@1_@)$: From $t_1 \to_@ t'_1$ infer $(\lambda x.t_1)\,@\,t_2 \to_@ (\lambda x.t'_1)\,@\,t_2$
$(Ar_@)$: From $t_2 \to_@ t'_2$ infer $t_1 t_2 \to_@ t_1 t'_2$
$(@2_@)$: From $t_2 \to_@ t'_2$ infer $(\lambda x.t_1)\,@\,t_2 \to_@ (\lambda x.t_1)\,@\,t'_2$
$(L_@)$: From $t \to_@ t'$ infer $\lambda x.t \to_@ \lambda x.t'$
Figure 2.1: Residual $\beta$-reduction (inference rules written as "From premises infer conclusion")
$(\beta^{\Rightarrow}_{@})$: From $t_1 \Rightarrow_@ t'_1$, $t_2 \Rightarrow_@ t'_2$, $Capt_x(t'_1) \cap FV(t'_2) = \emptyset$, and $x \in FV(t'_1)$ infer $(\lambda x.t_1)\,@\,t_2 \Rightarrow_@ t'_1[x := t'_2]$
$(lazy^{\Rightarrow}_{@})$: From $t_1 \Rightarrow_@ t'_1$ and $x \notin FV(t'_1)$ infer $(\lambda x.t_1)\,@\,t_2 \Rightarrow_@ t'_1$
$(Var^{\Rightarrow})$: $x \Rightarrow_@ x$ (no premises)
$(L^{\Rightarrow})$: From $t \Rightarrow_@ t'$ infer $\lambda x.t \Rightarrow_@ \lambda x.t'$
$(A^{\Rightarrow})$: From $t_1 \Rightarrow_@ t'_1$ and $t_2 \Rightarrow_@ t'_2$ infer $t_1 t_2 \Rightarrow_@ t'_1 t'_2$
Figure 2.2: Residual-completion $\beta$-reduction (inference rules written as "From premises infer conclusion"; the residual-completion relation is written $\Rightarrow_@$ here to keep it apart from the residual $\beta$-reduction $\to_@$ of Figure 2.1)
2.1.1 The Marked $\lambda_{var}$-Calculus
A convenient way of defining residual theory is by introducing syntactic marks and to require the presence of a mark on a redex in contraction rules. As new marks are not introduced, only pre-existing redexes and their descendants, i.e., their residuals, can be contracted this way.
Definition 2.1 (The Raw, Marked $\lambda$-Calculus) Marked terms are
$\Lambda^{@}_{var} ::= x \mid \Lambda^{@}_{var}\,\Lambda^{@}_{var} \mid \lambda\mathcal{V}.\Lambda^{@}_{var} \mid (\lambda\mathcal{V}.\Lambda^{@}_{var})\,@\,\Lambda^{@}_{var}$
The marked $\beta$-relation, $\to_@$, is given in Figure 2.1.
Proposition 2.2 With $CC^{@}()$ the straightforward adaptation of CC(), cf. Definition 1.12, to $\Lambda^{@}_{var}$, we have:
CC
@
(

@) CC
@
(

@) CC
@
(

@) CC
@
(==

@)
Proof A straightforward adaptation of the proof of Proposition 1.23.
We shall use $t$, possibly with indices, as meta-variable over $\Lambda^{@}_{var}$-terms and otherwise align ourselves completely with the notation and conventions of Chapter 1. In particular, we shall assume that the predicates and functions we introduced for $\Lambda_{var}$, such as FV(), have also been properly defined for $\Lambda^{@}_{var}$ in accordance with the obvious de-marking function.
Denition 2.3 (De-Marking)
:
var
@

var
(x) = x
(t
1
t
2
) = (t
1
)(t
2
)
(x.t) = x.(t)
((x.t
1
) @t
2
) = (x.(t
1
))(t
2
)
Proposition 2.4 is a total computable function.
Proof is dened by structural recursion.
Moreover, we shall use the identity inclusion, $\Lambda_{var} \subseteq \Lambda^{@}_{var}$, entirely implicitly and, for example, write $t \in \Lambda_{var}$ to mean that $t$ contains no marks. This sleight of hand, reasonable and innocent as it may seem, glosses over some amount of formalisation work in a mechanised setting, which, however, is unlikely to hide any relevant information from a human reader and we, thus, leave out the details.
2.1.2 Residual Completion
As a first step in quantifying the renaming-free part of the residual theory of the $\lambda_{var}$-calculus, we define a one-step relation that attempts to contract all marked redexes in a term, inside-out. We shall later see that the relation, amongst other things, is non-trivial (i.e., some terms are reduced by it).
Definition 2.5 Figure 2.2 defines the residual-completion relation: $\Rightarrow_@$.
We note that the definition of the relation contains a lazy $\beta$-contraction rule for the cases where the considered argument would have been discarded by the intended substitution, cf. Proposition 1.25, 2.. It does so for technical reasons that pertain to a crucial step in the proof that establishes the main technical property we are after: that the residual-completion relation indeed residually completes, cf. Lemma 2.15. Informally speaking, the problem is
that a reduction step that is globally renaming-free can discard sub-terms, as captured in the $(lazy^{\Rightarrow}_{@})$-rule, that would require renaming if considered independently. In such cases, we are unable to substantiate all the premises of the $(\beta^{\Rightarrow}_{@})$-rule when applying the I.H., hence the scaled-down $(lazy^{\Rightarrow}_{@})$-rule (cf. Nota Bene 2.13). Aside from this, the relation behaves as would be expected:
Proposition 2.6 $\Rightarrow_@ \;\subseteq\; \twoheadrightarrow_@$
Proof By rule induction in $\Rightarrow_@$.
Case $(\beta^{\Rightarrow}_{@})$: By two applications of the I.H. and Proposition 2.2, we have $(\lambda x.t_1)\,@\,t_2 \twoheadrightarrow_@ (\lambda x.t'_1)\,@\,t_2 \twoheadrightarrow_@ (\lambda x.t'_1)\,@\,t'_2$. As we straightforwardly have $(\lambda x.t'_1)\,@\,t'_2 \to_@ t'_1[x := t'_2]$ (seeing that the required $(\beta_@)$-premise is given directly in the considered $(\beta^{\Rightarrow}_{@})$-rule), we are done by Proposition 1.10 and $\twoheadrightarrow_@$-transitivity.
Case $(lazy^{\Rightarrow}_{@})$: By an application of the I.H. and Proposition 2.2, we have $(\lambda x.t_1)\,@\,t_2 \twoheadrightarrow_@ (\lambda x.t'_1)\,@\,t_2$. By Proposition 1.8, the premise of the obvious $(\beta_@)$-application is trivially substantiated and we are done by Proposition 1.25, 2..
Remaining Cases: Straightforward by applications of the I.H., Proposition 2.2, and $\twoheadrightarrow_@$-reflexivity, and -transitivity.
Lemma 2.7 $t \Rightarrow_@ t' \Longrightarrow (FV(t') \subseteq FV(t) \wedge BV(t') \subseteq BV(t))$
Proof By Lemma 1.45 and Proposition 2.6.
Proposition 2.8 $t \Rightarrow_@ t' \Longrightarrow t' \in \Lambda_{var}$.
Proof By rule induction in $\Rightarrow_@$. The only case not following straightforwardly from applications of the I.H. is $(\beta^{\Rightarrow}_{@})$, which uses substitution. By I.H., however, the invoked substitution is undertaken with two $\Lambda_{var}$-terms and the result follows from Proposition 1.24.
Proposition 2.9 $\Rightarrow_@$ is a computable (partial) function.
Proof The relation is defined structural-recursively (albeit not with exhaustive case-splitting) and the property is thus given by construction.
[Figure 2.3 is a layered diagram; its layers, top-down, are: Commutativity Lemmas; Substitutivity Lemmas; Substitution Lemmas and Variable Monotonicity; Substitution Tidiness.]
Figure 2.3: The simple proof-layer hierarchy for equational $PPP^{FOAS}_{VN}$-reasoning about the residual theory of $\Lambda_{var}$. The square up-arrows read "is the key lemma for a main case of" whereas the rounded, dotted up-arrows are "justifies the side conditions on a key lemma for".
2.2 The Commutation Proof-Layer Hierarchy
This section establishes a number of lemmas for the (degenerate) relation-
commutation results that we shall consider in the next section. As it turns
out (cf. Parts II and III), proofs of these types of results typically follow
the pattern set out in Figure 2.3. Each layer amounts to a distinct use of
an induction principle, which means that the figure is induced by the proof requirements we are facing. In other words, the figure reflects the algebraic
structure of the -calculus that we considered in Chapter 1 (reading bottom-
up): terms, substitution on terms, relations invoking substitution, etc.. In
this sense, the proof-layer hierarchy is, in fact, primitive to the -calculus
itself.
2.2.1 Substitution
For the following lemma, we point out that the premises (aside from the first two conjuncts) state that the substitutions in the conclusion are used correctly, in the sense that no undue capture takes place. The correctness-predicate that is not listed in the first lemma is derivable from the others. The second conjunct, the disjunction, ensures that the second substitution on the right is not incorrectly inserted into $t_2$, so to speak.
Lemma 2.10 (Marked Substitution)
$x \neq y \;\wedge\; (y \notin FV(t_2) \vee x \notin FV(t_1)) \;\wedge\; (Capt_y(t_1) \cap FV(t_3) = \emptyset) \;\wedge\; (Capt_x(t_1[y := t_3]) \cap FV(t_2) = \emptyset) \;\wedge\; (Capt_x(t_1) \cap FV(t_2) = \emptyset) \;\wedge\; (Capt_x(t_3) \cap FV(t_2) = \emptyset)$
$\Longrightarrow\; t_1[y := t_3][x := t_2] = t_1[x := t_2][y := t_3[x := t_2]]$
Proof By structural induction in $t_1$. The proof is a rather involved and lengthy analysis of the behaviour of the considered substitutions relative to the premises (for purposes of applying the I.H.). The proof relies crucially on Lemmas 1.42 and 1.44. Please refer to Appendix C.1 for the details.
We also need to prove a (non-trivial) variant of the above conclusion
that pertains to the situation where x and y coincide.
Lemma 2.11 (Consecutive Marked Substitution)
$(Capt_x(t_1) \cap FV(t_3) = \emptyset) \;\wedge\; (Capt_x(t_1) \cap FV(t_3[x := t_2]) = \emptyset) \;\wedge\; (Capt_x(t_3) \cap FV(t_2) = \emptyset)$
$\Longrightarrow\; t_1[x := t_3][x := t_2] = t_1[x := t_3[x := t_2]]$
Proof By structural induction in $t_1$.
Case $t_1 \equiv z$: We case-split on $x$:
Sub-case $x = z$: Both sides of the equation in the conclusion are straightforwardly seen to equal $t_3[x := t_2]$.
Sub-case $x \neq z$: Both sides of the equation in the conclusion are straightforwardly seen to equal $z$.
Case $t_1 \equiv t_a t_b$: Straightforward by definition and two I.H.-applications.
Case $t_1 \equiv \lambda z.t_0$: We case-split on $z$.
Sub-case $z = x$: Both sides of the equation trivially equal $t_1$.
Sub-case $z \neq x \wedge x \notin FV(t_0)$: Both sides of the equation equal $t_1$ by Proposition 1.25, 2..
Sub-case $z \neq x \wedge x \in FV(t_0)$: By definition, $z \in Capt_x(t_1)$ and we conclude $z \notin FV(t_3)$ by a premise of the lemma. As we can apply Lemma 1.42 to get $FV(t_3[x := t_2]) = (FV(t_3) \setminus \{x\}) \cup FV(t_2)$, we can conclude $z \notin FV(t_2)$ in a similar manner. The considered equation thus amounts to the following, which holds by I.H.:
$\lambda z.t_0[x := t_3][x := t_2] = \lambda z.t_0[x := t_3[x := t_2]]$
To see this, observe that $Capt_x(t_0) \subseteq Capt_x(t_1)$ in the present sub-case by definition.
Case $t_1 \equiv (\lambda z.t_a)\,@\,t_b$: This case is, in effect, covered by the previous two cases.
2.2.2 Substitutivity
The previous section shows commutativity of substitutions. This section
will use that to show that substitution and reduction commute (or, rather,
that substitution distributes over reduction).
Lemma 2.12 (Residual-Completion Substitutivity)
$t_1 \Rightarrow_@ t'_1 \;\wedge\; t_2 \Rightarrow_@ t'_2 \;\wedge\; (Capt_x(t_1) \cap FV(t_2) = \emptyset) \;\wedge\; (Capt_x(t'_1) \cap FV(t'_2) = \emptyset)$
$\Longrightarrow\; t_1[x := t_2] \Rightarrow_@ t'_1[x := t'_2]$
Proof By rule induction in $\Rightarrow_@$. The proof is easily the most involved we present, in particular the contraction cases. It, furthermore, contains non-trivial reasoning steps in order to validate the uses of the I.H., aside from the use of a range of the lemmas we have presented already. That said, it does follow the logic of Figure 2.3 and can, as such, be reconstructed with some degree of precision. Please refer to Appendix C.2 for the details. We also refer to the Preface and Conclusion for an account of our verification of the proof (and the employed proof principles) in the Isabelle/HOL theorem prover [6, 66].
Nota Bene 2.13 Please note that we are not able to (and, by virtue of the $(lazy^{\Rightarrow}_{@})$ rule, need not) substantiate $t''_b[x := t_2] \Rightarrow_@ t'_b[x := t'_2]$ in the $(lazy^{\Rightarrow}_{@})$-case of the above proof (cf. the role played by $t''_b$ and $t'_b$ in the $(\beta^{\Rightarrow}_{@})$-case). The reason is that the $(lazy^{\Rightarrow}_{@})$-case does not enjoy the (C.2)-inclusion in Appendix C.2, which means that we cannot substantiate $Capt_x(t'_b) \cap FV(t'_2) = \emptyset$ and the I.H. as stated in the $(\beta^{\Rightarrow}_{@})$-case would have remained inapplicable. In fact, the following counter-example (with $y_1 \neq y_2$) shows that the problem is not just one of failing proof principles:
$((\lambda y_1.y_2)\,@\,((\lambda y_3.\lambda z.y_3)\,@\,x))[x := z]$
In the above, $(\lambda y_3.\lambda z.y_3)\,@\,x$ takes the role of $t_b$, while $t_2$ is $z$. As we have $t'_b = \lambda z.x$, we do, indeed, have that:
$Capt_x(t'_b) \cap FV(t'_2) = \{z\} \cap \{z\} \neq \emptyset$
In more concrete terms, we see that $t_b[x := t_2] = (\lambda y_3.\lambda z.y_3)\,@\,z$ does not $\Rightarrow_@$-reduce due to the variable-name conflict involving $z$.
Corresponding to uses of the $(lazy^{\Rightarrow}_{@})$ rule, we also need the following substitutivity lemma.
Lemma 2.14 (Lazy Residual-Completion Substitutivity)
$t_1 \Rightarrow_@ t'_1 \;\wedge\; x \notin FV(t'_1) \;\Longrightarrow\; t_1[x := t_2] \Rightarrow_@ t'_1$
Proof By rule induction in $\Rightarrow_@$.
Case $(\beta^{\Rightarrow}_{@})$: We are considering $t_1 \equiv (\lambda y.t_a)\,@\,t_b$ and we case-split on the cases for $t_1[x := t_2]$:
Sub-case $x \neq y \wedge y \notin FV(t_2)$: We are considering: $t_1[x := t_2] = (\lambda y.t_a[x := t_2])\,@\,t_b[x := t_2]$. With $t_v \Rightarrow_@ t'_v$ (for $v \in \{a, b\}$), we can apply the I.H.: $t_a[x := t_2] \Rightarrow_@ t'_a$ and $t_b[x := t_2] \Rightarrow_@ t'_b$. We are, therefore, straightforwardly done.
Sub-case $x = y \vee y \in FV(t_2)$: We are considering: $t_1[x := t_2] = (\lambda y.t_a)\,@\,t_b[x := t_2]$. And, we are trivially done.
Case $(lazy^{\Rightarrow}_{@})$: This case is a simplified version of the previous case.
Case $(Var^{\Rightarrow})$: We have $t_1 \equiv y$, for some $y \neq x$, and we are trivially done.
Case $(L^{\Rightarrow})$: By the case, we have $t'_1 \equiv \lambda y.t$ and we case-split on the cases for $t_1[x := t_2]$:
Sub-case $x \neq y \wedge y \notin FV(t_2)$: Straightforward by an I.H. application.
Sub-case $x = y \vee y \in FV(t_2)$: We are trivially done.
Case $(A^{\Rightarrow})$: We are done by two simple applications of the I.H..
2.3 BCF-Initial Residual Theory is Renaming-Free
Because we are using a primitive notion of residuals through marks, we can employ simple reflexive and, crucially, transitive induction in the proof of the right-most conjunct below. The result can be seen as an extension of Proposition 2.9, establishing functionality of $\Rightarrow_@$ not only on terms but on the development class of terms relative to some start term.
Lemma 2.15

@

@

@

@
Proof The right-most conjunct follows from the left-most by reflexive, transitive induction. The proof of the left-most conjunct is by rule induction in $\Rightarrow_@$.
Case $(\beta^{\Rightarrow}_{@})$: We case-split on the applicable $\to_@$-rules:
Sub-case $(\beta_@)$: For any considered $t'_1$ and $t'_2$, we must resolve this divergence: $(\lambda x.t_1)\,@\,t_2 \Rightarrow_@ t'_1[x := t'_2]$ on the one hand and $(\lambda x.t_1)\,@\,t_2 \to_@ t_1[x := t_2]$ on the other. In other words, we must show $t_1[x := t_2] \Rightarrow_@ t'_1[x := t'_2]$, which follows by Lemma 2.12. Please note that the conditions on the lemma are directly substantiated by the premises of the contraction rules above.
Sub-case $(@1_@)$: For any considered $t'_1$, $t'_2$, and $t''_1$, we must resolve: $(\lambda x.t_1)\,@\,t_2 \Rightarrow_@ t'_1[x := t'_2]$ on the one hand and $(\lambda x.t_1)\,@\,t_2 \to_@ (\lambda x.t''_1)\,@\,t_2$ on the other. By I.H., we immediately have that $t''_1 \Rightarrow_@ t'_1$. Applying the $(\beta^{\Rightarrow}_{@})$-rule to $(\lambda x.t''_1)\,@\,t_2$ is trivially possible as the outstanding premises are those of the $(\beta^{\Rightarrow}_{@})$-application of the case and we are done.
Sub-case $(@2_@)$: Analogous to the previous sub-case.
Case $(lazy^{\Rightarrow}_{@})$: We, again, case-split on the applicable $\to_@$-rules:
Sub-case $(\beta_@)$: In analogy with the corresponding sub-case in the previous induction case, we refer to Lemma 2.14.
Sub-case $(@1_@)$: By the I.H. and a $(lazy^{\Rightarrow}_{@})$-application, as above.
Sub-case $(@2_@)$: By applying $(lazy^{\Rightarrow}_{@})$ directly.
Case $(Var^{\Rightarrow})$: No $\to_@$-step is possible.
Case $(L^{\Rightarrow})$: By I.H. and an application of $(L^{\Rightarrow})$.
Case $(A^{\Rightarrow})$: We case-split on $\to_@$; each of the two sub-cases follows straightforwardly by an application of the I.H..
The next lemma shows straightforwardly that the residual-completion
relation is non-trivial.
Lemma 2.16 (Residual Completion is BCF-Enabled)
(BCF)

@
Proof By structural induction in the initial BCF:
Case $x$: Use (Var).
Case $t_1 t_2$: Both $t_1$ and $t_2$ are trivially BCFs and thus $\to_@$-reduce by I.H.. We can therefore apply (A).
Case $\lambda x.t$: $t$ $\to_@$-reduces by I.H. and we can apply (L).
Case $(\lambda x.t_1)\,@\,t_2$: We, again, have that $t_1$ and $t_2$ $\to_@$-reduce by I.H.. If $x \notin FV(t'_1)$, we are done using (lazy@). If, instead, $x \in FV(t'_1)$, we need to substantiate that $Capt_x(t'_1) \cap FV(t'_2) = \emptyset$ in order to apply the desired (@). By Lemma 2.7, we have $FV(t'_2) \subseteq FV(t_2)$ and $BV(t'_1) \subseteq BV(t_1)$, and thus $BV(t'_1) \cap FV(t'_2) = \emptyset$ by BCF-ness. As we also have $Capt_x(t'_1) \subseteq BV(t'_1)$ by Proposition 1.9, 3., we are done.
With these two lemmas in place, we can show that BCF-initial residual
theory indeed is renaming-free. We hope the reader will appreciate the
straightforwardness with which we arrived at the result.
Theorem 2.17 (BCF)

@
Proof By Lemma 2.16, any BCF residual-completes. By Lemma 2.15, such a completion can absorb any initial $\to_@$.
Concretely, the theorem states that any residual of a BCF is such that any marked redex in it (except, possibly, for those that are discarded by the lazy β-rule) can be contracted without resulting in a variable clash.
We believe the lazy β-rule could be avoided for the purposes of the above result. The conclusion would then be that all marked redexes in any residual of a BCF can be contracted. However, this would greatly complicate the proof of Lemma 2.15 as the transitive, reflexive induction no longer would
be straightforward. The reason is that the considered property would need to be formulated with, say, BCF-initiality, which is not preserved along the inducted relation. As it stands, the only enforced restriction is that $\to_@$ must be well-defined in any non-trivial cases (of which there are some, cf. Lemma 2.16).
Chapter 3
α-Equivalence
This chapter will detail a number of properties of α-equivalence and the various axiomatisations of it. It contains a number of redundancies relative to the use we make of the results in later chapters and could, as such, have been shortened somewhat. For example, we present a primitively-established proof of the entirely innocent-looking and stand-alone result that α-equivalence is decidable. As it turns out, the result is not at all innocent to prove; a fact that appears to have been missed in the literature. The crucial point to the proof burden resolution is the need for a Some/Any Property for fresh variable names as is known from [19, 42, 51].
3.1 α-Substitutivity and Variable Monotonicity
Further to Figure 2.3, this section will establish the low-level properties of the figure that we shall need later on.
Proposition 3.1
$$e \to^{\vec{z}_i}_{\alpha_i} e' \;\Rightarrow\; FV(e') = FV(e) \;\wedge\; BV(e') \subseteq BV(e) \cup \{\vec{z}_i\} \;\wedge\; Capt_x(e') \subseteq Capt_x(e) \cup \{\vec{z}_i\}$$
Proof By reflexive, transitive induction, it suffices to consider the one-step cases, which we do by rule induction in $\to^{z_0}_{\alpha_i}$.
Case ($\alpha_i$): In case of the first two conjuncts, we are straightforwardly done by Lemmas 1.42 and 1.43, respectively. In case of the last conjunct, we apply Lemma 1.44 and observe that if we fall under its clause 3., we have $x = z$ and thus $Capt_x(\lambda z.e[y := z]) = \emptyset$ and we are trivially done.
Remaining Cases: Straightforward by I.H.-applications.
Lemma 3.2 (Left $\alpha_i$-Substitutivity)
$$\left( e_1 \to^{y}_{\alpha_i} e'_1 \;\wedge\; Capt_x(e_1) \cap FV(e_2) = \emptyset \;\wedge\; Capt_x(e'_1) \cap FV(e_2) = \emptyset \;\Rightarrow\; e_1[x := e_2] \to^{y}_{\alpha_i} e'_1[x := e_2] \right)$$
$$\wedge\; \left( e_1 \to^{\vec{y}_i}_{\alpha_i} e'_1 \;\wedge\; Capt_x(e_1) \cap FV(e_2) = \emptyset \;\wedge\; \{\vec{y}_i\} \cap FV(e_2) = \emptyset \;\Rightarrow\; e_1[x := e_2] \to^{\vec{y}_i}_{\alpha_i} e'_1[x := e_2] \right)$$
Proof As for the right-most conjunct, we see that $\{\vec{y}_i\} \cap FV(e_2) = \emptyset$ guarantees $Capt_x(e'_1) \cap FV(e_2) = \emptyset$ by Proposition 3.1 and we are done by a simple reflexive, transitive induction using the left-most conjunct in the base case. The left-most conjunct follows by rule induction in $e_1 \to^{y}_{\alpha_i} e'_1$. Please refer to Appendix D.1 for the details, which are mostly straightforward.
Lemma 3.3 (Right $\alpha_i$-Substitutivity) Writing $\vec{y}$ for a vector containing just $y$s, we have:
$$e_2 \to^{\vec{y}}_{\alpha_i} e'_2 \;\wedge\; (Capt_x(e_1) \cap FV(e_2) = \emptyset) \;\Rightarrow\; e_1[x := e_2] \to^{\vec{y}}_{\alpha_i} e_1[x := e'_2]$$
Proof We proceed by structural induction in $e_1$, while assuming the premises.
Case $e_1 \equiv z$: We case-split on the substitution that is applied to $e_1$:
Sub-case $z[x := e_2] = e_2$: Done by a premise of the lemma.
Sub-case $z[x := e_2] = z$: Done by reflexivity of $\to^{\vec{y}}_{\alpha_i}$.
Case $e_1 \equiv e_a e_b$: By I.H., we have $e_v[x := e_2] \to^{\vec{y}}_{\alpha_i} e_v[x := e'_2]$ for $v \in \{a, b\}$. By Proposition 1.23, we therefore have:
$$(e_a e_b)[x := e_2] \;\to^{\vec{y}}_{\alpha_i}\; e_a[x := e'_2]\, e_b[x := e_2] \;\to^{\vec{y}}_{\alpha_i}\; e_a[x := e'_2]\, e_b[x := e'_2]$$
Case $e_1 \equiv \lambda z.e$: We case-split on the substitution that is applied to $e_1$:
Sub-case $z \neq x \wedge z \notin FV(e_2)$: We have $e[x := e_2] \to^{\vec{y}}_{\alpha_i} e[x := e'_2]$ by I.H.. By Proposition 3.1, we have $(\lambda z.e)[x := e'_2] = \lambda z.e[x := e'_2]$ and we are done by Proposition 1.23.
Sub-case $z = x \vee z \in FV(e_2)$: By reflexivity of $\to^{\vec{y}}_{\alpha_i}$, we are trivially done in case $x = z$. If $z \in FV(e_2)$, we have $z \in FV(e'_2)$ by Proposition 3.1 and we are, again, trivially done.
3.2 Fresh-naming Reduction
We will eventually want to consider commutativity of α- and β-reduction. Unfortunately, a general commutativity result does not hold as it is fairly straightforward to invalidate the guarding predicate of most β-redexes, i.e., $Capt_x(e_1) \cap FV(e_2) = \emptyset$ for $(\lambda x.e_1)e_2$, by performing renaming in $e_1$. On the other hand, it turns out that we typically only need a very limited notion of commutativity, viz. between the β-relation and the restricted α-relation that fresh-names, only.
Definition 3.4
$$e \to^{z}_{\alpha_i 0} e' \;\stackrel{def}{=}\; e \to^{z}_{\alpha_i} e' \;\wedge\; z \notin Var(e)$$
$$e \to_{\alpha 0} e' \;\stackrel{def}{=}\; \exists z.\; e \to^{z}_{\alpha_i 0} e'$$
Lemma 3.5 (Left $\alpha_i 0$-Substitutivity)
$$\left( e_1 \to^{z}_{\alpha_i 0} e'_1 \;\wedge\; Capt_x(e_1) \cap FV(e_2) = \emptyset \;\wedge\; z \notin Var(e_2) \;\Rightarrow\; e_1[x := e_2] \to^{z}_{\alpha_i 0} e'_1[x := e_2] \right)$$
$$\wedge\; \left( e_1 \to^{\vec{z}_i}_{\alpha_i 0} e'_1 \;\wedge\; Capt_x(e_1) \cap FV(e_2) = \emptyset \;\wedge\; \{\vec{z}_i\} \cap Var(e_2) = \emptyset \;\Rightarrow\; e_1[x := e_2] \to^{\vec{z}_i}_{\alpha_i 0} e'_1[x := e_2] \right)$$
Proof By Proposition 3.1, we can apply Lemma 3.2 to the premises of the left-most conjunct and conclude $e_1[x := e_2] \to^{z}_{\alpha_i} e'_1[x := e_2]$, which is a $\to_{\alpha 0}$-step by Lemmas 1.42 and 1.43. A reflexive, transitive induction using Proposition 3.1 derives the right-most conjunct from the left-most.
3.2.1 Fresh-Naming Resolution of α-Equivalence
A slightly anomalous indexing scheme for composed versions of $\to_{\alpha 0}$ turns out to be useful for the ensuing proofs. The scheme allows us to retain an index in the reflexive case, i.e., when performing an empty step.
Definition 3.6 (Index-Anomalous, Composed $\to_{\alpha_i 0}$)
e
1
z

i
0
e
2
e
1
z

0
e
2
e
z

0
e
e
1

z
i

0
e
2
e
2

z
j

0
e
3
e
1

z
i

z
j

0
e
3
We saw in Lemma 1.33 that the plain $\to_\alpha$-relation is symmetric, which means that α-equality (i.e., $=_\alpha$) is $\to_\alpha$-orientable, cf. Lemma 1.34. We cannot expect a similar result for the fresh-naming $\to_{\alpha 0}$-relation as, e.g., $\lambda x.\lambda x.x$ never can be reached by a $\to_{\alpha 0}$-step. Instead, we will now take the long route, so to speak, to show that also $\to_{\alpha 0}$ can resolve α-equality, which means that the $\to_{\alpha 0}$-relation, in fact, is yet another axiomatisation of $=_\alpha$.
Lemma 3.7 (Quasi-Con($\to_{\alpha_i 0}$)) For $\{\vec{x}_i\} \cap \{\vec{y}_i\} = \emptyset$:


i
0
x
0
i
0
y
0
i
0
x
0
i

0
y
0

x
i
i

y
i
i

x
i
i

y
i
Proof The right-most conjunct follows from the left-most by a straightforward adaptation of the Hindley-Rosen Lemma, cf. Section 1.2.3. The left-most conjunct is proved by rule induction in $\to^{x_0}_{\alpha_i}$, with $x_0$ fresh.
Case ($\alpha_i$): We consider $\lambda z.e$ and case-split on the $\to^{y_0}_{\alpha_i}$-step, with fresh $y_0$.
Sub-case ($\alpha_i$): The following divergence resolution is valid: $\lambda z.e$ is taken to $\lambda y_0.e[z := y_0]$ and to $\lambda x_0.e[z := x_0]$, and the former is taken to the latter by a $\to^{x_0}_{\alpha_i 0}$-step. We first note that $x_0 \notin Var(\lambda y_0.e[z := y_0])$ by Proposition 3.1, as there is a $\to^{x_0}_{\alpha_i 0}$-step from $\lambda z.e$ and as $x_0 \neq y_0$. We thus have $\lambda y_0.e[z := y_0] \to^{x_0}_{\alpha_i 0} \lambda x_0.e[z := y_0][y_0 := x_0]$. As $x_0$ and $y_0$ are fresh and different, we apply Lemma 2.10 to obtain this equality:
$$e[z := y_0][y_0 := x_0] = e[y_0 := x_0][z := y_0[y_0 := x_0]]$$
As $y_0 \notin FV(e)$, we are therefore done by Proposition 1.25, 2..
Sub-case ($\mathrm{L}_{\alpha_i}$): By Lemma 3.5 applied to the sub-case, $e \to^{y_0}_{\alpha_i 0} e'$, we have $\lambda x_0.e[z := x_0] \to^{y_0}_{\alpha_i 0} \lambda x_0.e'[z := x_0]$. By Proposition 3.1, we also have $\lambda z.e' \to^{x_0}_{\alpha_i} \lambda x_0.e'[z := x_0]$ and we are done.
Case ($\mathrm{L}_{\alpha_i}$): We consider $\lambda z.e$ and case-split on the possible $\to^{y_0}_{\alpha_i}$-steps.
Sub-case ($\alpha_i$): Analogous to the converse step above.
Sub-case ($\mathrm{L}_{\alpha_i}$): By a simple I.H.-application.
Case ($\mathrm{Al}_{\alpha_i}$): We case-split on whether ($\mathrm{Al}_{\alpha_i}$) or ($\mathrm{Ar}_{\alpha_i}$) is used for the $\to^{y_0}_{\alpha_i}$-step. In the former case, we are done by a simple I.H.-application. In the latter case, we are straightforwardly done.
Case ($\mathrm{Ar}_{\alpha_i}$): Analogous to the previous case.
In order to avoid conflicts between the universally quantified fresh variable names below, we next define the predicate that prevents this.
Definition 3.8
$$Distinct() = True$$
$$Distinct(x\,\vec{x}_i) = x \notin \{\vec{x}_i\} \;\wedge\; Distinct(\vec{x}_i)$$
Proposition 3.9 $Distinct(\cdot)$ is a total, computable function.
Proof $Distinct(\cdot)$ is defined structural-recursively over vectors that are, themselves, defined inductively.
We can now state and prove that any sufficiently fresh and long vector of variable names allows us to $\to_{\alpha 0}$-resolve α-equivalence.
Lemma 3.10 For $\{\vec{x}_i\} \cap \{\vec{z}_i\} = \emptyset$, $Distinct(\vec{z}_i)$, $|\vec{x}_i| = |\vec{z}_i|$, and fresh $\vec{z}_i$ (cf. Definition 3.4), we have:

i
x
0
i
0
z
0
i
0
z
0

x
i
i

z
i
i

z
i

0

0
In order to eliminate the ambiguity of the left-most conjunct, we write it also as a predicate:
$$(e_1 \to^{x_0}_{\alpha_i} e_2 \;\wedge\; z_0 \notin Var(e_1) \;\wedge\; z_0 \neq x_0) \;\Rightarrow\; \exists e.\; e_1 \to^{z_0}_{\alpha_i 0} e \;\wedge\; e_2 \to^{z_0}_{\alpha_i 0} e$$
Proof The right-most conjunct follows from the middle by Lemma 1.34. The middle conjunct follows by reflexive, transitive induction. The base case is the left-most conjunct. The reflexive case is trivial. The transitive case is proved as follows:
M
1
M
2
M
3
N
1
N
2
N
3
i

x
i i

y
i
i

s
i
i

s
i
i

t
i
i

t
i
i

t
i
i

s
i
The upper triangles exist by the I.H.. The lower diamond is Lemma 3.7. The left-most conjunct follows by rule induction in $\to^{x_0}_{\alpha_i}$.
Case ($\alpha_i$): We consider $\lambda y.e$ and must show $e[y := z_0] = e[y := x_0][x_0 := z_0]$, which follows by Lemma 2.10 and Proposition 1.25, 2.. The premises of these results are substantiated by the case and by freshness of $z_0$.
Other Cases: Straightforward I.H.-applications.
As indicated, we have thus substantiated that the fresh-naming α-equivalence relation is the usual one.
Lemma 3.11 $=_\alpha \;=\; =_{\alpha 0}$
Proof By Lemma 1.34, we need to show $=_\alpha \;=\; =_{\alpha 0}$. We have $\supseteq$ by definition and Proposition 1.11 and $\subseteq$ by Lemma 3.10.
3.2.2 Fresh-Naming BCF-Existence
In contrast with the fact that, e.g., $\lambda x.\lambda x.x$ cannot be reached by $\to_{\alpha 0}$-steps, all terms can be the originator of $\to_{\alpha 0}$-steps, which, moreover, always can reach a BCF-term.
Lemma 3.12 (BCF)

0
Proof A direct proof can be given akin to that of Lemma 3.24. As Lemma 3.22 implies this result from Lemma 3.24, we postpone the details.
Combining the previous lemma with the results of the previous section, we can thus see that not only does the $\to_{\alpha 0}$-relation resolve $=_\alpha$, it can do so to BCF-terms.
Lemma 3.13 (Fresh-Naming CR(

) with BCF-Finality)

(BCF)

0

0
Proof The result follows from Lemmas 3.10 and 3.12 by (the definitional) transitivity of $\to_{\alpha 0}$.
The above lemma alludes to a close correspondence between the $\to_{\alpha 0}$-relation and BCF-terms that we, coincidentally, will explore a bit further next.
3.2.3 Fresh-Naming BCF-Universality
This section strengthens the results in the previous section to say that any BCF can be reached through fresh-naming from an α-equivalent term.
Lemma 3.14 $(e \to_{\alpha 0} e' \;\wedge\; BCF(e)) \;\Rightarrow\; BCF(e')$
Proof By reflexive, transitive induction, it suffices to consider the case of the one-step $\to_{\alpha 0}$-relation, which follows by a straightforward rule induction in $\to_{\alpha_i}$, using Lemmas 1.42 and 1.43.
Lemma 3.15 (BCF)

0
(BCF)

0
Proof The right-most conjunct follows from the left-most by a straightforward reflexive, transitive induction, using Lemma 3.14. The left-most conjunct follows by rule induction in $\to_{\alpha_i 0}$. The proof is a straightforward adaptation of the proof of Lemma 1.33 for which it suffices to observe that the $y$ that is replaced by a fresh $x$ in going from left-to-right is itself fresh with respect to everything else in the left term by BCF-ness.
We saw previously that α-equivalence is not $\to_{\alpha 0}$-orientable. On the other hand, the above results immediately imply that α-equivalence is $\to_{\alpha 0}$-orientable up to BCF-finality.
Lemma 3.16 (BCF)

0
Proof By Lemmas 3.10 and 3.15 and (the denitional) transitivity of

0
:
M
l
M
r
N
(BCF)

0

0

Let $bcf = \{e \mid BCF(e)\}$; that is, consider the set of BCF-terms. As we saw above, there is a nice algebraic correspondence between $bcf$ and the $\to_{\alpha 0}$-relation: $bcf$ is the $\to_{\alpha 0}$-kernel of the $var$-fragment in the following sense.
$bcf$ is $\to_{\alpha 0}$-reachable in the $var$-fragment, cf. Lemma 3.12.
$bcf$ is $\to_{\alpha 0}$-closed, cf. Lemma 3.14.
The α-equivalence classes of $bcf$ are $\to_{\alpha 0}$-saturated, cf. Lemma 3.16.
The import of the above is that the α-equivalence classes of $bcf$ serve as a kind of normal-form classes for $\to_{\alpha 0}$, whose elements are indistinguishable, rather than non-reducible, as far as $\to_{\alpha 0}$ is concerned.
3.3 α-Decidability
Complementing the results of the previous section, this section formalises a particular approach to deciding α-equivalence: rename two terms in some specific order using enough fresh variable names and observe that the resulting terms are syntactically equal if and only if the original terms are α-equal [57]. The section has been included because informal approaches are likely to miss some subtleties regarding the role played by variable names. In fact, we have been unable to find any correct proofs of the decidability of α-equivalence in the literature.
$$(\mathrm{Var}_{\alpha_i\mathit{io}0}) \qquad x \to_{\alpha_i\mathit{io}0} x$$
$$(\mathrm{L}_{\alpha_i\mathit{io}0}) \qquad \frac{e \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e' \qquad z \notin \{\vec{z}_i\} \qquad \{z, \vec{z}_i\} \cap Var(\lambda x.e) = \emptyset}{\lambda x.e \to^{z\,\vec{z}_i}_{\alpha_i\mathit{io}0} \lambda z.e'[x := z]}$$
$$(\mathrm{A}_{\alpha_i\mathit{io}0}) \qquad \frac{e_1 \to^{\vec{x}_i}_{\alpha_i\mathit{io}0} e'_1 \qquad e_2 \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e'_2 \qquad \{\vec{x}_i\} \cap \{\vec{y}_i\} = \emptyset \qquad \{\vec{x}_i\} \cap Var(e_2) = \emptyset \qquad \{\vec{y}_i\} \cap Var(e_1) = \emptyset}{e_1 e_2 \to^{\vec{x}_i\,\vec{y}_i}_{\alpha_i\mathit{io}0} e'_1 e'_2}$$
Figure 3.1: Indexed, one-step, inside-out, complete fresh-naming
3.3.1 Complete Fresh-Naming and its Basic Properties
The central point to the approach is the following definition of the complete fresh-naming of a term.
Definition 3.17 Indexed, one-step, inside-out, complete fresh-naming, $\to_{\alpha_i\mathit{io}0}$, is defined in Figure 3.1. The plain variant is:
$$e_1 \to_{\alpha\mathit{io}0} e_2 \;\stackrel{def}{=}\; \exists \vec{z}_i.\; e_1 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_2$$
We note that the version of this relation that is informally described in [57] performs the fresh-naming outside-in.
$$(\mathrm{L}_{\alpha_i\mathit{oi}0}) \qquad \frac{e[x := z] \to^{\vec{z}_i}_{\alpha_i\mathit{oi}0} e' \qquad z \notin \{\vec{z}_i\} \cup BV(\lambda x.e) \cup FV(\lambda x.e)}{\lambda x.e \to^{z\,\vec{z}_i}_{\alpha_i\mathit{oi}0} \lambda z.e'}$$
Although the majority of the proof development of this section could have been conducted with that definition [68], the next result would become non-trivial to establish by primitive means, cf. Section 1.3.3.
Proposition 3.18 For given $\vec{z}_i$, $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$ is a computable (partial) function.
Proof By construction, as Figure 3.1 employs structural recursion.
In order to show that the relation, indeed, completely fresh-names, we first define the function that counts the number of bound variables (i.e., abstractions) in a term before relating that number to the index of the completely fresh-naming relation.
Definition 3.19
$$\#_\lambda(x) = 0$$
$$\#_\lambda(e_1 e_2) = \#_\lambda(e_1) + \#_\lambda(e_2)$$
$$\#_\lambda(\lambda x.e) = 1 + \#_\lambda(e)$$
Proposition 3.20 $\#_\lambda(\cdot)$ is a total, computable function.
Proof $\#_\lambda(\cdot)$ is defined structural-recursively.
With this, we can start addressing the relationship between complete fresh-naming and terms.
Proposition 3.21
$$e_a \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_a \;\Rightarrow\; Distinct(\vec{z}_i) \;\wedge\; \{\vec{z}_i\} = BV(e'_a) \;\wedge\; FV(e_a) = FV(e'_a) \;\wedge\; \{\vec{z}_i\} \cap Var(e_a) = \emptyset \;\wedge\; \#_\lambda(e_a) = |\vec{z}_i| \;\wedge\; BCF(e'_a)$$
Proof The first five conjuncts are established by straightforward rule inductions in $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$. The last conjunct is a consequence of the others.
A somewhat surprising fact is that the proof of the following result crucially depends on the exact definition of $\to_{\alpha_i\mathit{io}0}$. Indeed, even a slight weakening of the fresh-naming requirements in the relation to use $Var(e)$, rather than $Var(\lambda x.e)$, in the right-most premise of the $(\mathrm{L}_{\alpha_i\mathit{io}0})$-rule would create serious problems as seen at $(*)$ in the proof below. Other changes lead to other problems, either here or later.
Lemma 3.22 $e_a \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_a \;\Rightarrow\; e_a \to^{\vec{z}_i}_{\alpha_i 0} e'_a$
Proof By rule induction in $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$.
Case $(\mathrm{Var}_{\alpha_i\mathit{io}0})$: Trivial.
Case $(\mathrm{L}_{\alpha_i\mathit{io}0})$: We are considering $\lambda x.e$ and fresh-naming with $z\,\vec{z}_i$, and we have $e \to^{\vec{z}_i}_{\alpha_i 0} e'$ by I.H.. By Proposition 3.21 (i.e., $\{\vec{z}_i\} \cap Var(e_a) = \emptyset$, which implies $x \notin \{\vec{z}_i\}$), we can apply (an adaptation of) Proposition 1.23 to get $\lambda x.e \to^{\vec{z}_i}_{\alpha_i 0} \lambda x.e'$. $(*)$ We are thus done as we, further to the premises of the case, trivially have $\lambda x.e' \to^{z}_{\alpha_i 0} \lambda z.e'[x := z]$.
Case $(\mathrm{A}_{\alpha_i\mathit{io}0})$: We are straightforwardly done by two I.H.-applications and (the above adaptation of) Proposition 1.23, using Proposition 3.21 on the case: $e_1 e_2 \to^{\vec{y}_i}_{\alpha_i 0} e_1 e'_2 \to^{\vec{x}_i}_{\alpha_i 0} e'_1 e'_2$.
As outlined in the proof-layer hierarchy in Figure 2.3, we will eventually need a notion of $\to_{\alpha_i 0}$-substitutivity.
Lemma 3.23 (Left-Substitutivity of Complete Fresh-Naming)
$$e_a \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_a \;\wedge\; y_2 \notin Capt_{y_1}(e_a) \cup \{\vec{z}_i\} \;\Rightarrow\; e_a[y_1 := y_2] \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_a[y_1 := y_2]$$
Proof By rule induction in $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$, although we shall not present the details. We can use Lemmas 3.5 and 3.22 to conclude the following property.
$$e_a[y_1 := y_2] \to^{\vec{z}_i}_{\alpha_i 0} e'_a[y_1 := y_2]$$
Informally, we can see that the considered sequence of $\to_{\alpha 0}$-steps will obey the order and structure required by $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$.
Next, we show that all terms $\to_{\alpha\mathit{io}0}$-reduce when fresh variables are used.
Lemma 3.24
$$|\vec{z}_i| = \#_\lambda(e_a) \;\wedge\; Distinct(\vec{z}_i) \;\wedge\; (\{\vec{z}_i\} \cap Var(e_a) = \emptyset) \;\Rightarrow\; \exists! e_b.\; e_a \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_b$$
Proof By structural induction in $e_a$. We note that uniqueness of $e_b$ follows by Proposition 3.18 in any and all cases where $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$ is defined.
Case $e_a \equiv x$: Trivial.
Case $e_a \equiv e_1 e_2$: By I.H., we have $e_1 \to^{\vec{x}_i}_{\alpha_i\mathit{io}0} e'_1$ and $e_2 \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e'_2$, with $\vec{z}_i = \vec{x}_i\,\vec{y}_i$ (with the obvious splitting point). The remaining premises of $(\mathrm{A}_{\alpha_i\mathit{io}0})$ are easily substantiated by the premises of the lemma and we are done.
Case $e_a \equiv \lambda x.e$: By I.H., we have $e \to^{\vec{x}_i}_{\alpha_i\mathit{io}0} e'$ for the considered $\vec{z}_i$ equal to $z\,\vec{x}_i$. Rule $(\mathrm{L}_{\alpha_i\mathit{io}0})$ can straightforwardly be applied and we are done.
We will also need $\to_{\alpha\mathit{io}0}$ to be transitive. Unfortunately, this is not true in general as witnessed, e.g., by:
$$\lambda x_1.\lambda x_2.x_1 x_2 \;\to_{\alpha\mathit{io}0}\; \lambda y.\lambda z.yz \;\to_{\alpha\mathit{io}0}\; \lambda x_2.\lambda x_1.x_2 x_1$$
Fortunately, it suffices that the involved variable names are sufficiently fresh.
Lemma 3.25
$$e_1 \to^{\vec{x}_i}_{\alpha_i\mathit{io}0} e_2 \;\wedge\; e_2 \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e_3 \;\wedge\; (\{\vec{y}_i\} \cap BV(e_1) = \emptyset) \;\Rightarrow\; e_1 \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e_3$$
Proof By rule induction in $\to^{\vec{x}_i}_{\alpha_i\mathit{io}0}$.¹
Case $(\mathrm{Var}_{\alpha_i\mathit{io}0})$: Trivial.
Case $(\mathrm{L}_{\alpha_i\mathit{io}0})$: We are considering:
$$\lambda z.e \;\to^{x\,\vec{x}_i}_{\alpha_i\mathit{io}0}\; \lambda x.e'[z := x] \;\to^{y\,\vec{y}_i}_{\alpha_i\mathit{io}0}\; \lambda y.e''[x := y]$$
The steps are justified by $e \to^{\vec{x}_i}_{\alpha_i\mathit{io}0} e'$ and $e'[z := x] \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e''$, respectively. We have $e'[z := x][x := z] \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e''[x := z]$ by Lemma 3.23 as all variable names are different by the premises of the lemma and by Proposition 3.21. By the same argument, we can apply Proposition 1.25, 3. to conclude $e'[z := x][x := z] = e'$. At this point, we can therefore apply the I.H. to conclude $e \to^{\vec{y}_i}_{\alpha_i\mathit{io}0} e''[x := z]$. By choice of $y$, we can finally invoke the $(\mathrm{L}_{\alpha_i\mathit{io}0})$-rule thus:
$$\lambda z.e \;\to^{y\,\vec{y}_i}_{\alpha_i\mathit{io}0}\; \lambda y.e''[x := z][z := y]$$
An application of Lemma 2.10, which is justified by the considered variable names being fresh and different, shows that the end term is $\lambda y.e''[z := y][x := z[z := y]]$. By Propositions 1.25, 2. and 1.25, 4. and 3.21, this term is, indeed, $\lambda y.e''[x := y]$.
Case $(\mathrm{A}_{\alpha_i\mathit{io}0})$: By two straightforward I.H.-applications.
3.3.2 A Some/Any Property
In this section, we shall outline and prove a some/any property of fresh variable-names akin to [19, 42]. Not only is the property rather useful for the proofs that we shall undertake in the next section, it, in fact, appears to be needed to do those proofs correctly, a point that appears to have been missed in the literature.¹ The property states the equivalence between the resolution of α-equivalence by complete fresh-naming using either some or any fresh names. The property can informally be stated as follows.
$$\left( \exists \vec{z}_i.\; \vec{z}_i \text{ fresh and of right length} \;\wedge\; \bullet \to^{\vec{z}_i} \bullet \leftarrow^{\vec{z}_i} \bullet \right) \;\Leftrightarrow\; \left( \forall \vec{z}_i.\; \vec{z}_i \text{ fresh and of right length} \;\Rightarrow\; \bullet \to^{\vec{z}_i} \bullet \leftarrow^{\vec{z}_i} \bullet \right)$$
¹ The proof can also be conducted by rule induction in $\to^{\vec{y}_i}_{\alpha_i\mathit{io}0}$, with a somewhat different $(\mathrm{L}_{\alpha_i\mathit{io}0})$-case.
From a logical perspective, this result is surprising seeing that it states the equivalence of two properties that differ by quantifying a particular vector of variables either existentially or universally. Proof-theoretically, the property-as-an-axiom is rather useful in that it substantiates that a proof of α-resolution need only display a particular vector of variable names while, in uses of the property (including as an induction hypothesis), one is free to choose and even change the used variable names as needed. This means that the quantification mode that is obtained by seeing these two equivalent notions of quantification as a primitive connective preserves decidability in a computationally effective manner. We also believe that the proof of the result is interesting in its own right, not least because it is zero-knowledge and, thus, not specific to this particular result but, rather, has the flavour of being a general construction.
As for the lemma itself, we note that it partly suppresses the use of "$\vec{z}_i$ fresh and of right length" by way of Proposition 3.21.
Lemma 3.26
$$\left( e_1 =_\alpha e_2 \;\Rightarrow\; \exists e_3, \vec{z}_i.\; e_1 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3,\; e_2 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3 \right)$$
$$\Leftrightarrow\; \left( e_1 =_\alpha e_2 \;\wedge\; (\{\vec{z}_i\} \cap Var(e_1 e_2) = \emptyset) \;\wedge\; Distinct(\vec{z}_i) \;\wedge\; (\#_\lambda(e_1) = |\vec{z}_i|) \;\Rightarrow\; \exists e_3.\; e_1 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3 \;\wedge\; e_2 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3 \right)$$
Proof
Case $\Leftarrow$: Given α-equal $e_1$ and $e_2$, identify enough fresh variable names by applying $Fresh()$ repeatedly and, subsequently, invoke the assumed property (the right-hand side of the equivalence).
Case $\Rightarrow$:² Assume the left-hand side of the equivalence and construct the following two commutative diagrams by repeatedly using Lemmas 3.24 and 3.25.
M
1
M
2
N
1
N
2
N
3

z
i

z
i

x
i

x
i

x
i

y
i

y
i

y
i
M
1
M
2
N
1
N

2
N

z
i

z
i

s
i

s
i

s
i

t
i

t
i

t
i
By introducing the $N_2$ (on the left), we see that we strengthen the "for some $\vec{z}_i$" to "for any $\vec{x}_i$ that are fresh with respect to $N_1$, $M_1$, and $M_2$". Unfortunately, this does not suffice as the variables in $N_1$ are still excluded from consideration. Constructing the $N'_2$ on the right allows us to use variables, $\vec{s}_i$, that are fresh with respect to any specific $\vec{x}_i$ as well as $N_1$, $M_1$, and $M_2$. By subsequently adding the layers of $N_3$ and $N'_3$, we can on the one hand use any $\vec{y}_i$ that are fresh with respect to $M_1$, $M_2$, and any specific $\vec{x}_i$. On the other hand, we can also use any $\vec{t}_i$ that are fresh with respect to $M_1$, $M_2$, and any specific $\vec{s}_i$. As $\vec{s}_i$ are fresh with respect to any specific $\vec{x}_i$ by construction, we are thus able to use any variable names, $\vec{y}_i$ or $\vec{t}_i$, that are fresh with respect to just $M_1$ and $M_2$.
3.3.3 Equivalence Resolution and α-Decidability
Our first use of the above some/any property is in the proof of the resolution by complete fresh-naming of a $\to_\alpha$-step. The property is crucially used in the $(\mathrm{L}_{\alpha_i})$-case to make fresh-naming as a whole, rather than fresh-naming with some specific variable names, extensional, i.e., applicable in all contexts.
Lemma 3.27 Omitting some $\alpha_i\mathit{io}0$-subscripts, here and in the proof, and with $\vec{z}_i$ existentially quantified alongside the bulleted term, we have:

z
i

z
i
² The following direct proof is also possible although it does not have the generic flavour the main proof has by virtue of being zero-knowledge. Consider the left-most diagram in the main proof. We are trying to prove that any fresh $\vec{y}_i$ can be used for the resolution but we do not know that $\vec{y}_i$ and $\vec{z}_i$ are disjoint and, so, cannot use $\vec{y}_i$ up-front. Pick, instead, some totally fresh $\vec{x}_i$ as an intermediate step, as shown in the diagram. (With thanks to Jamie Gabbay.)
Proof We proceed by rule induction in the underlying $\to_{\alpha_i}$-relation.
Case ($\alpha_i$): We are considering $\lambda x.e \to^{y}_{\alpha_i} \lambda y.e[x := y]$. By Lemma 3.24, we can pick distinct $z\,\vec{z}_i$, such that, $\{z, \vec{z}_i\} \cap (Var(\lambda x.e) \cup \{y\}) = \emptyset$, $e \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'$, for some $e'$, and $\lambda x.e \to^{z\,\vec{z}_i}_{\alpha_i\mathit{io}0} \lambda z.e'[x := z]$. By Lemma 3.23 (which we can apply by the case and by choice of $\vec{z}_i$), we also have $e[x := y] \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'[x := y]$ and $\lambda y.e[x := y] \to^{z\,\vec{z}_i}_{\alpha_i\mathit{io}0} \lambda z.e'[x := y][y := z]$. It thus remains to be seen that $e'[x := y][y := z] = e'[x := z]$. If $x = y$, we are done by Proposition 1.25, 1.. Otherwise, apply Lemma 2.10.
Case ($\mathrm{L}_{\alpha_i}$): Consider $\lambda x.e_1 \to^{y}_{\alpha_i} \lambda x.e_2$. By I.H., we have $e_i \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e$, for some $e$ and $\vec{z}_i$ and for $i \in \{1, 2\}$. By the duality of Lemma 3.26, we can assume that $x \notin \{\vec{z}_i\}$ and, thus, invoke $(\mathrm{L}_{\alpha_i\mathit{io}0})$ with some fresh $z$.
Case ($\mathrm{Al}_{\alpha_i}$): Consider $e_1 e_2 \to^{y}_{\alpha_i} e'_1 e_2$. Lemma 3.26 allows us not only to apply the I.H. to the $e_1$s but to do so such that the introduced, fresh-naming $\vec{z}_i$ are fresh with respect to $e_2$ as well. The rest is straightforward, using Lemma 3.24 on $e_2$.
Case ($\mathrm{Ar}_{\alpha_i}$): Analogous to the previous case.
Our next use of the some/any property is to show that both its equivalent
properties are true. We note that the some/any property is a stand-alone
result, which means that we can invoke it in the proof at will; in particular,
we can apply it to either property when used as an induction hypothesis.
Lemma 3.28
$$\left( e_1 =_\alpha e_2 \;\Rightarrow\; \exists e_3, \vec{z}_i.\; e_1 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3,\; e_2 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3 \right)$$
$$\wedge\; \left( e_1 =_\alpha e_2 \;\wedge\; (\{\vec{z}_i\} \cap Var(e_1 e_2) = \emptyset) \;\wedge\; Distinct(\vec{z}_i) \;\wedge\; (\#_\lambda(e_1) = |\vec{z}_i|) \;\Rightarrow\; \exists e_3.\; e_1 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3 \;\wedge\; e_2 \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e_3 \right)$$
Proof We show the top-most conjunct by reflexive, transitive, symmetric induction in $=_\alpha$. The bottom-most conjunct then follows by Lemma 3.26.
Base Case: Directly by Lemma 3.27:
M
1
M
2
N

z
i

z
i
Reflexive Case: Pick enough fresh variable names by means of $Fresh()$ and apply Lemma 3.24:
M
N

z
i
Symmetric Case: Trivial
M
2
M
1
N

z
i

z
i
Transitive Case: By two applications of the I.H., we obtain the left-most diagram below. By Lemma 3.26, the use of any other sufficiently fresh and long $\vec{z}_i$ will also result in a resolution. We can, in particular, do both resolutions with a $\vec{z}_i$ that is fresh with respect to $M_1$, $M_2$, $M_3$. By the uniqueness of $e_2$ in Lemma 3.24, i.e., $N$ below, we thus have the right-most diagram:
M
1
M
2
M
3
N
1
N
2

x
i

y
i

y
i

x
i
M
1
M
2
M
3
N

z
i

z
i

z
i

We saw in the above proof that the some/any property, i.e., Lemma 3.26, is crucial for establishing the "some" part by itself. Had we instead attempted to prove the "any" part directly, we would have needed the some/any property in the same step of the proof: we can only establish that we can use any $\vec{z}_i$ in the transitive case that are fresh with respect to $M_1$, $M_2$, and $M_3$, not just with respect to $M_1$ and $M_3$ as required.
Theorem 3.29 α-equivalence is decidable by means of $\to_{\alpha\mathit{io}0}$.
Proof Given two terms, count the number of λ-abstractions in them and, provided the figures coincide, identify equally many fresh variable names by means of $Fresh()$. Apply the computable $\to_{\alpha_i\mathit{io}0}$, cf. Proposition 3.18, and use the bottom-most conjunct in Lemma 3.28 to conclude (full) α-equivalence based on syntactical equality, which is decidable by construction, cf. Proposition 1.6 of the results. Two terms that are not α-equivalent are not equated as $\to_{\alpha\mathit{io}0}$ respects α-equivalence by Lemma 3.22. For given $\vec{z}_i$, a term, $e$, $\to^{\vec{z}_i}_{\alpha_i\mathit{io}0}$-reduces only if $\#_\lambda(e) = |\vec{z}_i|$, cf. Proposition 3.21, which means that passing the above counting argument is a prerequisite for α-equivalence and all cases have thus been considered.
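As an added illustration (our own code, not the thesis's), the decision procedure of Theorem 3.29 in Python: Definitions 3.8 and 3.19, the rules of Figure 3.1 read as the partial function of Proposition 3.18, and a Fresh() that avoids Var of both inputs. The tuple encoding of terms, the name of each function and the naming scheme of Fresh() are our choices; the rule premises are checked exactly as in the figure, so the transitivity counter-example from Section 3.3.1 is rejected.

```python
# Terms are nested tuples (this encoding is ours, not the thesis's):
#   ("var", x)  |  ("app", e1, e2)  |  ("lam", x, e)    for  x  |  e1 e2  |  \x.e


def Var(e):
    """All variable names occurring in e, free or bound."""
    if e[0] == "var":
        return {e[1]}
    if e[0] == "app":
        return Var(e[1]) | Var(e[2])
    return {e[1]} | Var(e[2])


def count_lam(e):
    """Definition 3.19: the number of abstractions in e."""
    if e[0] == "var":
        return 0
    if e[0] == "app":
        return count_lam(e[1]) + count_lam(e[2])
    return 1 + count_lam(e[2])


def distinct(zs):
    """Definition 3.8: no name occurs twice in the vector zs."""
    return len(set(zs)) == len(zs)


def rename_free(e, x, z):
    """e[x := z] for a variable name z.

    Only called where z is fresh for e (the L-rule of Figure 3.1 guarantees
    this), so no capture can arise; a binder named x simply shadows and the
    substitution is discarded (the lazy case).
    """
    if e[0] == "var":
        return ("var", z) if e[1] == x else e
    if e[0] == "app":
        return ("app", rename_free(e[1], x, z), rename_free(e[2], x, z))
    if e[1] == x:
        return e
    return ("lam", e[1], rename_free(e[2], x, z))


def fresh_name_io(e, zs):
    """The relation of Figure 3.1 as the partial function of Proposition 3.18.

    Returns the unique e' with e -->[zs] e' (indexed, inside-out, complete
    fresh-naming), or None when a premise of the applicable rule fails.
    zs is a tuple of names, consumed left to right.
    """
    if e[0] == "var":                      # (Var): the index must be empty
        return e if len(zs) == 0 else None
    if e[0] == "lam":                      # (L): the head name z binds
        if not zs:
            return None
        z, rest = zs[0], zs[1:]
        if z in rest or ({z} | set(rest)) & Var(e):
            return None
        body = fresh_name_io(e[2], rest)   # inside-out: the body goes first
        if body is None:
            return None
        return ("lam", z, rename_free(body, e[1], z))
    # (A): split zs at the obvious point, the number of binders in e1
    k = count_lam(e[1])
    xs, ys = zs[:k], zs[k:]
    if set(xs) & set(ys) or set(xs) & Var(e[2]) or set(ys) & Var(e[1]):
        return None
    left, right = fresh_name_io(e[1], xs), fresh_name_io(e[2], ys)
    if left is None or right is None:
        return None
    return ("app", left, right)


def fresh_names(n, avoid):
    """Fresh(): n distinct names outside avoid (our naming scheme)."""
    out, i = [], 0
    while len(out) < n:
        if f"z{i}" not in avoid:
            out.append(f"z{i}")
        i += 1
    return tuple(out)


def alpha_equiv(e1, e2):
    """Theorem 3.29: decide e1 =alpha e2 by complete fresh-naming."""
    n = count_lam(e1)
    if n != count_lam(e2):        # Proposition 3.21: the counts must agree
        return False
    zs = fresh_names(n, Var(e1) | Var(e2))
    r1, r2 = fresh_name_io(e1, zs), fresh_name_io(e2, zs)
    assert r1 is not None and r2 is not None   # guaranteed by Lemma 3.24
    return r1 == r2


if __name__ == "__main__":
    # The counter-example to transitivity from Section 3.3.1.
    t1 = ("lam", "x1", ("lam", "x2", ("app", ("var", "x1"), ("var", "x2"))))
    t2 = fresh_name_io(t1, ("y", "z"))
    t3 = fresh_name_io(t2, ("x2", "x1"))
    print(t2, t3, fresh_name_io(t1, ("x2", "x1")))   # the last one is None
    print(alpha_equiv(t1, t3))                        # True
```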
3.4 $=_\alpha$-Generation Lemmas
Our final results concerning $=_\alpha$ show that not only does α-equivalence respect syntax constructors, the converse is also true and provable to some extent. It is not difficult to see that the results in this section are true; still, some of the subtler proof steps require us to use lemmas that are not immediately seen to be correct and, indeed, are difficult to establish. In particular, we note that we cannot immediately establish a more precise relationship between $e_a$ and $e_b$ in the last case of the following lemma.
Lemma 3.30
$$e =_\alpha x \;\Rightarrow\; e = x$$
$$e =_\alpha e_a e_b \;\Rightarrow\; \exists e'_a, e'_b.\; e = e'_a e'_b \;\wedge\; e_a =_\alpha e'_a \;\wedge\; e_b =_\alpha e'_b$$
$$e =_\alpha \lambda x.e_a \;\Rightarrow\; \exists y, e_b.\; e = \lambda y.e_b$$
Proof By straightforward reflexive, transitive, symmetric inductions in $=_\alpha$, observing that, in the base case, $\to_\alpha$ preserves the outer-most syntax constructor.
The following result is a generation lemma for substitution that will be
needed for proving generation lemmas for .
Lemma 3.31 $e_a[x := z] = e_b[x := z] \;\wedge\; z \notin Var(e_a) \cup Var(e_b) \;\Rightarrow\; e_a = e_b$
Proof By rule induction in $e_a[x := z]$.
Variable Cases: Straightforward.
Application Case: By two simple I.H.-applications.
Lazy Abstraction Case: We are considering $e_a \equiv \lambda y.e_1$, with $y = x$ by the case, as $y \neq z$ by assumption. We therefore have $e_b \equiv \lambda x.e_2$ for some $e_2$ as no binder is changed by a substitution. This means that also the substitution on $e_b$ is discarded and we are done by the premise.
Strict Abstraction Case: An analogous argument to the previous case shows that we are considering $\lambda y.e_1[x := z]$ and $\lambda y.e_2[x := z]$ and we are done by I.H..
The last two lemmas remedy the stated shortcoming of Lemma 3.30 by relating the bodies of α-equivalent abstractions. The first lemma addresses the situation where two α-equivalent abstractions abstract over the same variable name, the second addresses abstraction over different variable names. The proofs rely heavily on the results of the previous section, which, in turn, were seen to rely heavily on a some/any property, Lemma 3.26.
Lemma 3.32 $\lambda x.e_a =_\alpha \lambda x.e_b \;\Rightarrow\; e_a =_\alpha e_b$
Proof Consider fresh $z\,\vec{z}_i$. By Lemma 3.28, we have $e'_v$s (for $v \in \{a, b\}$), such that, $e_v \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_v$ and $\lambda x.e_v \to^{z\,\vec{z}_i}_{\alpha_i\mathit{io}0} \lambda z.e'_v[x := z]$. We also see that $e'_a[x := z] = e'_b[x := z]$ and we are done by applying first Lemma 3.31 and then Lemma 3.22.
Lemma 3.33
$$\lambda x.e_a =_\alpha \lambda y.e_b \;\wedge\; z \notin Var(\lambda x.e_a) \cup Var(\lambda y.e_b) \;\Rightarrow\; e_a[x := z] =_\alpha e_b[y := z]$$
Proof Assume the premises of the property and consider fresh $\vec{z}_i$. By Lemma 3.28, we have $e'_a$ and $e'_b$ such that $\lambda x.e_a \to^{z\,\vec{z}_i}_{\alpha_i\mathit{io}0} \lambda z.e'_a[x := z]$ and $\lambda y.e_b \to^{z\,\vec{z}_i}_{\alpha_i\mathit{io}0} \lambda z.e'_b[y := z]$, with $e'_a[x := z] = e'_b[y := z]$. Next, apply Lemma 3.23 to conclude $e_a[x := z] \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_a[x := z]$ and $e_b[y := z] \to^{\vec{z}_i}_{\alpha_i\mathit{io}0} e'_b[y := z]$. With this, we are done according to Lemma 3.22.
Part II
Divergence Commutation
Chapter 4
β- and β$_{var}$-Confluence
In this chapter, we shall prove the archetypical commutation lemma: confluence. Our main contributions are:
We conduct all proofs strictly by means of PPP$^{FOAS}_{VN}$.
We show that a number of presentations of the λ-calculus lead to equivalent notions of confluence.
We undertake the full proof burden resolution (in a precise algebraic sense) of the confluence property.
One of the several proofs we present for β-confluence has been formalised in full in Isabelle/HOL, as discussed in the Preface and Conclusion [6, 65, 68]. The formalisation, naturally, adheres strictly to the requirements of PPP$^{FOAS}_{VN}$; in fact, the formalisation work was undertaken mainly to verify our use of PPP$^{FOAS}_{VN}$.
4.1 Structural Collapses and Diamond Properties
Albeit not a strict requirement for the formal confluence proofs that follow, this section accounts comprehensively for how the confluence property relates algebraically to the process of factoring out α-equivalence. We do so to highlight the exact sense in which we improve on the existing confluence proofs. The first result we present appears to be new. Although it is very basic and related to the areas of rewriting modulo and refinement theory, we have found no comprehensive overlaps in the literature.¹ In any event, the presentation is novel and provides a uniform framework in which to discuss the relevant issues. The basis of the presentation is the following rather large class of mappings between rewrite systems.
¹ A special case of Theorem 4.2, 4 is reported in [30] and we contradict a result in [54] (by way of one of the counter-examples given in the proof of Theorem 4.2).
Definition 4.1 (Point-Surjective ARS Morphism) Given two ARSs, $\langle A, \to_A \subseteq A \times A\rangle$ and $\langle B, \to_B \subseteq B \times B\rangle$, a mapping, $\mathcal{M} : A \to B$, will be said to be a point-surjective ARS morphism[2] from $\to_A$ to $\to_B$ if it is total and onto on points and a homomorphism from $\to_A$ to $\to_B$, i.e., if it satisfies the three conditions (total), (onto), and (homo) that the original gives as diagrams: every $a \in A$ has an image, every $b \in B$ is an image, and $a \to_A a'$ implies $\mathcal{M}(a) \to_B \mathcal{M}(a')$.
An example of a point-surjective ARS morphism is the function that sends an object to its equivalence class relative to any equivalence relation (such as α- or AC-equivalence): what one would call a structural collapse. Note that a point-surjective ARS morphism does not prescribe surjectivity on relations and, as such, should not be called a structural collapse in itself. Instead, the following theorem analyses the various degrees of relational surjectivity relative to the confluence property. It basically shows that we need to establish that any representative of an equivalence class can be used for a considered rewriting step in order to relate the diamond property across the structural collapse.
Theorem 4.2 (Preservation and Reflection of Diamond) Given a point-surjective ARS morphism, $\mathcal{M}$, from $\to_A$ to $\to_B$:[3] the four cases 1.–4. are stated as diagrams, each assuming a successively stronger degree of relational surjectivity of $\mathcal{M}$ and relating the diamond property of $\to_A$ to that of $\to_B$; case 4 (the strongest assumption, used as such in Theorems 4.3 and 5.7) yields the equivalence of the two, while the weaker cases yield only implications, with the remaining directions refuted by counter-examples.
Proof Please refer to Appendix E.1 for the details of the positive results. The reflexive closures of the following ARSs provide counter-examples for the negative results, left-to-right and right-to-left, respectively. Reflexivity is required to establish the property in the first place.
[Two counter-example ARSs, given as diagrams: the first over the points $a_1, a_2, b_1, b_2$ and their images $a'_1, a'_2, b'_2$, the second over $a_1, a_2, a_3, b_1, b_2$, each shown together with its image under $\mathcal{M}$ from $A$ to $B$.]
[2] The name is inspired from [55], in which point-surjectivity is not considered.
[3] In the theorem, the notation $\not\Rightarrow$ means existence of counter-examples.
An implication of the theorem is that the stand-alone use of the BVC or the BCF, cf. Section 1.4, in a confluence proof at best results in an incomplete proof-burden resolution as doing so places us in cases 1 or 2. If such a proof otherwise is correct it obviously establishes some result but it will in all likelihood not be $\mathrm{Con}(\to_\beta)$. As far as the actual proof burden of β-confluence goes, the following result establishes various flavours of it. If we view the result from the perspective of the proof principles that potentially can be used, those associated with the raw syntax is the natural (indeed, the only viable) option.
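The point of Theorem 4.2 on a finite instance, as an added example constructed for this page (it is not the thesis's own counter-example, whose ARSs the text leaves to the diagrams): a collapse that identifies two representatives is a point-surjective ARS morphism, but unless every image step is available from every representative (the premise of case 4), the diamond property of the source ARS says nothing about the image, and once that premise holds the two agree.

```python
# Added illustration of Theorem 4.2 (constructed here; not the thesis's code).
# An ARS is a finite set of points with a one-step relation; a point-surjective
# ARS morphism is a dict sending every point of A onto a point of B.


def reflexive_closure(points, steps):
    """The text notes that reflexivity is needed for the diamond property."""
    return set(steps) | {(p, p) for p in points}


def successors(points, steps):
    return {p: {q for (s, q) in steps if s == p} for p in points}


def has_diamond(points, steps):
    """Diamond: every a->b, a->c can be joined by one further step each."""
    succ = successors(points, steps)
    return all(succ[b] & succ[c]
               for a in points for b in succ[a] for c in succ[a])


def image_ars(points, steps, morph):
    """The ARS on B obtained by mapping points and steps through the morphism
    (which is therefore a homomorphism, (homo) in Definition 4.1)."""
    return ({morph[p] for p in points},
            {(morph[s], morph[t]) for (s, t) in steps})


def step_surjective(points, steps, morph):
    """Premise of Theorem 4.2, 4: every image step can be taken from every
    representative of its source class, not only from the representative
    that produced it."""
    succ = successors(points, steps)
    return all(any(morph[q] == morph[t] for q in succ[p])
               for (s, t) in steps for p in points if morph[p] == morph[s])


def diamond_transfers(points, steps, morph):
    """(diamond of the reflexive closure of A, diamond of its image in B)."""
    a_steps = reflexive_closure(points, steps)
    b_points, b_steps = image_ars(points, a_steps, morph)
    return has_diamond(points, a_steps), has_diamond(b_points, b_steps)


def lift_steps(points, steps, morph):
    """Close A under the morphism so that step_surjective() holds: every step
    becomes available from every representative of its source class."""
    return set(steps) | {(p, t) for (s, t) in steps
                         for p in points if morph[p] == morph[s]}


# Constructed instance: a1 and a1' are identified by the collapse (two
# representatives of one class), but each can take only one of the class's
# two steps.  Diamond holds in A yet fails in B (cases 1/2 of the theorem).
A_POINTS = {"a1", "a1'", "a2", "a3"}
A_STEPS = {("a1", "a2"), ("a1'", "a3")}
MORPH = {"a1": "A", "a1'": "A", "a2": "B2", "a3": "B3"}


def run_scenarios():
    """Three stages: the raw instance, the lifted instance (premise of case 4
    holds, so both sides agree: neither has diamond), and the lifted instance
    with a joining point a4 (both sides have diamond)."""
    lifted = lift_steps(A_POINTS, A_STEPS, MORPH)
    points2 = A_POINTS | {"a4"}
    steps2 = lifted | {("a2", "a4"), ("a3", "a4")}
    morph2 = dict(MORPH, a4="B4")
    return (
        (step_surjective(A_POINTS, A_STEPS, MORPH),
         diamond_transfers(A_POINTS, A_STEPS, MORPH)),
        (step_surjective(A_POINTS, lifted, MORPH),
         diamond_transfers(A_POINTS, lifted, MORPH)),
        (step_surjective(points2, steps2, morph2),
         diamond_transfers(points2, steps2, morph2)),
    )
```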
Theorem 4.3 For $X \in \{\beta, \eta, \beta\eta\}$, we have
$\mathrm{Con}(\to_X) \;\Leftrightarrow\; \mathrm{Con}(\lfloor\to_X\rfloor) \;\Leftrightarrow\; \mathrm{Con}(\to^{\mathrm{Cu}}_X) \;\Leftrightarrow\; \mathrm{Con}(\to^{\mathrm{Hi}}_X)$
Proof The definitional totality and surjectivity of $\lfloor\cdot\rfloor$, combined with Lemma 1.35, means that $\lfloor\cdot\rfloor$ is a point-surjective ARS morphism, cf. Definition 4.1, that enjoys the property in the premise of Theorem 4.2, 4. relative to the reflexive, transitive closures of the relations.
We note the crucial role played by α-symmetry (Lemma 1.34, to be precise) in the proof of Lemma 1.35 and we point out that it is α-symmetry that allows us to state the above result for any $X$.
4.2 β-Confluence
We will present a range of formal β-confluence proofs in this section. They are all based on the Tait/Martin-Löf/Takahashi parallel-reduction technique and they all employ the proof principles associated with the raw syntax. The variation in the presented proofs is due to the different ways in which it is possible to go from the diamond result that is actually provable at the level of syntax to the real confluence property.
4.2.1 BCF-Initial Parallel-β Diamond à la Takahashi
In contrast to the situation that is captured in the Hindley-Rosen Lemma, Section 1.2.3, the β-relation seemingly causes an unbounded divergence blow-up because of the use of substitution in β-contraction, which may result in term (and redex) duplication. To counter this, Tait and Martin-Löf introduced the concept of parallel reduction.
Definition 4.4 The parallel β-relation, $\Rrightarrow_\beta$, is defined in Figure 4.1.
Proposition 4.5 $\mathrm{CC}(\Rrightarrow_\beta)$
Proof By (Var), (L), and (A).

(Var): $x \Rrightarrow_\beta x$
(L): from $e \Rrightarrow_\beta e'$ infer $\lambda x.e \Rrightarrow_\beta \lambda x.e'$
(A): from $e_1 \Rrightarrow_\beta e'_1$ and $e_2 \Rrightarrow_\beta e'_2$ infer $e_1 e_2 \Rrightarrow_\beta e'_1 e'_2$
(β): from $e_1 \Rrightarrow_\beta e'_1$, $e_2 \Rrightarrow_\beta e'_2$ and $\mathrm{FV}(e'_2) \cap \mathrm{Capt}_x(e'_1) = \emptyset$ infer $(\lambda x.e_1)e_2 \Rrightarrow_\beta e'_1[x := e'_2]$
Figure 4.1: Parallel β-reduction: contraction of any number of β-redexes
The parallel β-relation admits the contraction of any number of β-redexes starting from within (as long as no variable renaming is required); this includes the contraction of no redexes.
Proposition 4.6 $e \Rrightarrow_\beta e$
Proof A straightforward structural induction.
The relation is, in other words, bounded by the ordinary β-relation and its reflexive, transitive closure.
Proposition 4.7 $\to_\beta \;\subseteq\; \Rrightarrow_\beta \;\subseteq\; \to^{*}_\beta$
Proof The inclusions follow by straightforward rule inductions in $\to_\beta$ and $\Rrightarrow_\beta$, respectively. We present the details of the latter. The former uses Proposition 4.5 in place of Proposition 1.23 below.
Case (Var): Trivial.
Case (L): By I.H. and Proposition 1.23.
Case (A): By two I.H.-applications and Proposition 1.23.
Case (β): By two I.H.-applications and Proposition 1.23, followed by an application of (β), cf. Figure 1.3.
Extensionally, we have actually considered the parallel reduction relation already in the form of $\to_{\beta@}$: a mark in the latter is an explicit representation of a contracted redex in the former case, and vice versa. We note that complete contraction of unmarked (as opposed to marked) terms is a special case of parallel reduction.
Definition 4.8 Total β-development, $\Rrightarrow^{\mathrm{tot}}_\beta$, is defined in Figure 4.2.
Proposition 4.9 $\Rrightarrow^{\mathrm{tot}}_\beta \;\subseteq\; \Rrightarrow_\beta$
Proof Straightforward rule induction in $\Rrightarrow^{\mathrm{tot}}_\beta$, using Proposition 4.5, cf. Lemma 4.7.
(Var): $x \Rrightarrow^{\mathrm{tot}}_\beta x$
(L): from $e \Rrightarrow^{\mathrm{tot}}_\beta e'$ infer $\lambda x.e \Rrightarrow^{\mathrm{tot}}_\beta \lambda x.e'$
(A_Var): from $e \Rrightarrow^{\mathrm{tot}}_\beta e'$ infer $x\,e \Rrightarrow^{\mathrm{tot}}_\beta x\,e'$
(A_A): from $e_{11} e_{12} \Rrightarrow^{\mathrm{tot}}_\beta e'_1$ and $e_2 \Rrightarrow^{\mathrm{tot}}_\beta e'_2$ infer $(e_{11} e_{12}) e_2 \Rrightarrow^{\mathrm{tot}}_\beta e'_1 e'_2$
(β): from $e_1 \Rrightarrow^{\mathrm{tot}}_\beta e'_1$, $e_2 \Rrightarrow^{\mathrm{tot}}_\beta e'_2$ and $\mathrm{FV}(e'_2) \cap \mathrm{Capt}_x(e'_1) = \emptyset$ infer $(\lambda x.e_1)e_2 \Rrightarrow^{\mathrm{tot}}_\beta e'_1[x := e'_2]$
Figure 4.2: Total-development β-reduction: attempted contraction of all redexes
Having introduced these two relations, we immediately establish their lower-layer properties relative to the hierarchy in Figure 2.3.
Proposition 4.10 (CD-/Parallel-β Variable Monotonicity) For $\Rrightarrow$ either of $\Rrightarrow_\beta$ and $\Rrightarrow^{\mathrm{tot}}_\beta$:
$e \Rrightarrow e' \;\Rightarrow\; \mathrm{FV}(e') \subseteq \mathrm{FV}(e) \;\wedge\; \mathrm{BV}(e') \subseteq \mathrm{BV}(e)$
Proof From Lemma 1.45 by Propositions 4.7 and 4.9.
Lemma 4.11 (Parallel Substitutivity)
$(e_1 \Rrightarrow_\beta e'_1 \;\wedge\; e_2 \Rrightarrow_\beta e'_2 \;\wedge\; \mathrm{Capt}_x(e_1) \cap \mathrm{FV}(e_2) = \emptyset \;\wedge\; \mathrm{Capt}_x(e'_1) \cap \mathrm{FV}(e'_2) = \emptyset) \;\Rightarrow\; e_1[x := e_2] \Rrightarrow_\beta e'_1[x := e'_2]$
Proof The proof is a straightforward adaptation of the proofs of Lemmas 2.12 and 2.14 combined. As $\Rrightarrow_\beta$ is reflexive (Proposition 4.6) the relation does not need a stand-alone contraction rule à la (lazy$_{@}$), cf. Figure 2.2. The proof uses the straightforward adaptations of Lemmas 2.10 and 2.11 that arise from going from $\Lambda^{\mathrm{var}}_{@}$ to $\Lambda^{\mathrm{var}}$. Please refer to the Preface and Conclusion for an account of our verification of the proof in the Isabelle/HOL theorem prover [6, 65, 68].
Our proof of a diamond property for β-reduction on syntax uses the Diamond Diagonalisation Lemma, Section 1.2.3, i.e., it employs Takahashi's adaptation of the Tait/Martin-Löf proof. We therefore need to establish the (conditional) existence of (non-renaming) total β-development.
Lemma 4.12 $\mathrm{BCF}(e) \;\Rightarrow\; \exists e'.\; e \Rrightarrow^{\mathrm{tot}}_\beta e'$
Proof By structural induction in the start term, $e$.
Case $e \equiv x$: Use (Var).
Case $e \equiv \lambda x.e_0$: By I.H. on $e_0$ and then using (L).
Case $e \equiv e_1 e_2$: We case-split on $e_1$.
Sub-case $e_1 \equiv x$: By I.H. on $e_2$ and then using (A_Var).
Sub-case $e_1 \equiv e_{11} e_{12}$: By I.H. on $e_1$ and $e_2$ and then using (A_A).
Sub-case $e_1 \equiv \lambda x.e_0$: After using the I.H. on $e_0$ and $e_2$, we see that Propositions 4.10 and 1.9, 3. combined with BCF-initiality validates the remaining premise on (β) and we are done.
We note that the proof is surprisingly straightforward. That said, BCF-initiality is crucial for the property. The terms $(\lambda x.\lambda y.x)y$ and $\lambda y.(\lambda x.\lambda y.x)y$ fail to enjoy free/bound variable disjointness and unique binding, respectively, and neither totally develops. BCF-initiality is, thus, sufficient for the existence of a complete development but only necessary in a weak sense: breaking either conjunct of the BCF-predicate can prevent renaming-free total development but some non-BCFs still totally develop, e.g., $(\lambda x.x)x$ and $\lambda x.(\lambda x.x)x$.
The second of the two required results for the application of the Diamond Diagonalisation Lemma, Section 1.2.3, must establish that any parallel β-step can always catch up with a completely developing β-step by a parallel β-step (with no renaming involved), cf. Lemma 2.15.
Lemma 4.13 (stated as a diagram) $e \Rrightarrow_\beta e'' \;\wedge\; e \Rrightarrow^{\mathrm{tot}}_\beta e' \;\Rightarrow\; e'' \Rrightarrow_\beta e'$
Proof By rule induction in $\Rrightarrow^{\mathrm{tot}}_\beta$:
Case (Var): Trivial.
Case (L): We are considering $\lambda x.e \Rrightarrow^{\mathrm{tot}}_\beta \lambda x.e'$ and $\lambda x.e \Rrightarrow_\beta \lambda x.e''$. As we have $e'' \Rrightarrow_\beta e'$ by I.H., we are done by invoking (L).
Case (A_Var): Analogous to the previous case.
Case (A_A): Analogous to the previous cases.
Case (β): We case-split on $\Rrightarrow_\beta$.
Sub-case (A): We have $e_i \Rrightarrow^{\mathrm{tot}}_\beta e'_i$ and $e_i \Rrightarrow_\beta e''_i$, for $i \in \{1, 2\}$, and are considering the following (resolved) divergence: $(\lambda x.e_1)e_2 \Rrightarrow^{\mathrm{tot}}_\beta e'_1[x := e'_2]$ and $(\lambda x.e_1)e_2 \Rrightarrow_\beta (\lambda x.e''_1)e''_2$, resolved by $(\lambda x.e''_1)e''_2 \Rrightarrow_\beta e'_1[x := e'_2]$. The resolution is justified by two I.H.-applications and the invocation of (β), whose final premise is given by the case.
Sub-case (β): $(\lambda x.e_1)e_2 \Rrightarrow^{\mathrm{tot}}_\beta e'_1[x := e'_2]$ and $(\lambda x.e_1)e_2 \Rrightarrow_\beta e''_1[x := e''_2]$, resolved by $e''_1[x := e''_2] \Rrightarrow_\beta e'_1[x := e'_2]$. The resolving step is justified by Lemma 4.11 instantiated with the two obvious I.H.-applications. The premise of the lemma that pertains to variable names is given directly by the case and the sub-case.
It is interesting that the above property requires no initiality conditions, like the BCF-predicate, to be provable except, that is, from well-definedness of $\Rrightarrow^{\mathrm{tot}}_\beta$ in any non-trivial cases. The generality is mainly due to our use of the weakest possible side-condition on β-contraction to make it renaming free (i.e., $\mathrm{FV}(\cdot) \cap \mathrm{Capt}_{\cdot}(\cdot) = \emptyset$). Had we instead required that the free variables of the argument were disjoint from the full set of bound variables in the body of the applied function (i.e., $\mathrm{FV}(\cdot) \cap \mathrm{BV}(\cdot) = \emptyset$), the property would not have been true. A counter-example is $(\lambda y.(\lambda x.y)z)\lambda z.z$. It takes advantage of complete developments contracting from within. Contracting the outermost redex first (e.g., by a parallel step) would block the contraction of the residual of the innermost redex if the stronger side-condition was imposed: $(\lambda x.\lambda z.z)z$. As it stands, though, we can conclude a conditional diamond property for the parallel β-relation.
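The side-condition of the (β) rule, total development as in Figure 4.2, and the BCF-initiality and counter-example terms discussed above, as an added example constructed for this page (not code from the thesis); the term representation, the `strong` flag that swaps in the rejected $\mathrm{FV} \cap \mathrm{BV}$ condition, and the helper names are this example's own.

```python
# Added example (constructed; not the thesis's code): the renaming-free
# side-condition FV(e2') ∩ Capt_x(e1') = ∅ of Figures 4.1/4.2, total
# β-development, and the terms the text discusses.
from dataclasses import dataclass


@dataclass(frozen=True)
class Var: name: str

@dataclass(frozen=True)
class Lam: x: str; body: object

@dataclass(frozen=True)
class App: fun: object; arg: object


def fv(e):
    """FV(e): free variables."""
    if isinstance(e, Var):
        return {e.name}
    if isinstance(e, Lam):
        return fv(e.body) - {e.x}
    return fv(e.fun) | fv(e.arg)

def bv(e):
    """BV(e): every binding variable, whether or not it captures anything."""
    if isinstance(e, Var):
        return set()
    if isinstance(e, Lam):
        return {e.x} | bv(e.body)
    return bv(e.fun) | bv(e.arg)

def capt(x, e):
    """Capt_x(e): binders of e with a free x in scope (the possible capturers)."""
    if isinstance(e, Var) or (isinstance(e, Lam) and e.x == x):
        return set()
    if isinstance(e, Lam):
        return ({e.x} | capt(x, e.body)) if x in fv(e.body) else set()
    return capt(x, e.fun) | capt(x, e.arg)

def subst(e, x, s):
    """e[x := s] without renaming; callers check the side-condition first."""
    if isinstance(e, Var):
        return s if e.name == x else e
    if isinstance(e, Lam):
        return e if e.x == x else Lam(e.x, subst(e.body, x, s))
    return App(subst(e.fun, x, s), subst(e.arg, x, s))

def beta_ok(x, e1, e2, strong=False):
    """Side-condition of (β).  strong=True swaps in the stricter
    FV(e2) ∩ BV(e1) = ∅ that the text rejects."""
    return not (fv(e2) & (bv(e1) if strong else capt(x, e1)))

def total_dev(e, strong=False):
    """Figure 4.2: contract every redex from within.  Returns None when some
    (β) instance fails its side-condition, i.e. e does not totally develop."""
    if isinstance(e, Var):                                   # (Var)
        return e
    if isinstance(e, Lam):                                   # (L)
        b = total_dev(e.body, strong)
        return None if b is None else Lam(e.x, b)
    a = total_dev(e.arg, strong)
    if a is None:
        return None
    if isinstance(e.fun, Var):                               # (A_Var)
        return App(e.fun, a)
    if isinstance(e.fun, App):                               # (A_A)
        f = total_dev(e.fun, strong)
        return None if f is None else App(f, a)
    b = total_dev(e.fun.body, strong)                        # (β)
    if b is None or not beta_ok(e.fun.x, b, a, strong):
        return None
    return subst(b, e.fun.x, a)

def contract_head(e, strong=False):
    """One β-step on the outermost redex only (a parallel step that leaves
    the inner redexes alone); None if there is none or it is blocked."""
    if isinstance(e, App) and isinstance(e.fun, Lam) and \
            beta_ok(e.fun.x, e.fun.body, e.arg, strong):
        return subst(e.fun.body, e.fun.x, e.arg)
    return None

def is_bcf(e):
    """BCF: free and bound names disjoint, and every binder unique."""
    def binders(t):
        if isinstance(t, Var):
            return []
        if isinstance(t, Lam):
            return [t.x] + binders(t.body)
        return binders(t.fun) + binders(t.arg)
    bs = binders(e)
    return not (fv(e) & set(bs)) and len(bs) == len(set(bs))


# Terms from the text.
NOT_DISJOINT = App(Lam("x", Lam("y", Var("x"))), Var("y"))      # (λx.λy.x)y
NOT_UNIQUE = Lam("y", NOT_DISJOINT)                             # λy.(λx.λy.x)y
NON_BCF_OK = App(Lam("x", Var("x")), Var("x"))                  # (λx.x)x
NON_BCF_OK2 = Lam("x", NON_BCF_OK)                              # λx.(λx.x)x
# (λy.(λx.y)z)λz.z: the counter-example to the stronger side-condition.
COUNTER = App(Lam("y", App(Lam("x", Var("y")), Var("z"))), Lam("z", Var("z")))
```

`total_dev(COUNTER)` reaches `λz.z` under either side-condition, but the residual `contract_head(COUNTER)`, i.e. `(λx.λz.z)z`, only develops under the weak one, which is exactly why Lemma 4.13 needs the weaker condition.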
Lemma 4.14 (stated as a diagram) $\mathrm{BCF}(e) \;\wedge\; e \Rrightarrow_\beta e_1 \;\wedge\; e \Rrightarrow_\beta e_2 \;\Rightarrow\; \exists e_3.\; e_1 \Rrightarrow_\beta e_3 \;\wedge\; e_2 \Rrightarrow_\beta e_3$
Proof By the Diamond Diagonalisation Lemma, cf. Section 1.2.3, applied to Lemmas 4.12 and 4.13.
4.2.2 Weak $\alpha_0$-/β-Commutativity
In order to strengthen the above conditional property, we will need to consider commutativity of $\to_\alpha$ and $\Rrightarrow_\beta$. As is apparent at this point, such a result cannot hold in its full generality. Fortunately, it turns out that a much weaker result is actually required.
Lemma 4.15 (stated as two commutation diagrams: a divergence between a $\to_{\alpha_0}$-step, respectively a sequence of such steps, and a $\Rrightarrow_\beta$-step can be resolved by a $\Rrightarrow_\beta$-step and α-steps)

Figure 4.3: The proof-layer hierarchy for equational reasoning about $\to_\beta$ over $\Lambda^{\mathrm{FOAS}}_{\mathrm{VN}}$, from top to bottom: Abstract Reasoning; Administrative Proof Layer; Commutativity Lemmas; Substitutivity Lemmas; Substitution Lemmas and Variable Monotonicity; Substitution Tidiness. The square up-arrows read "is the key lemma for a main case of" whereas the rounded, dotted up-arrows are "justifies the side conditions on a key lemma for".

Proof This left-most conjunct follows by rule induction in the diverging α-step (renaming to the fresh $y$) and then an involved case-splitting on $\Rrightarrow_\beta$; please refer to Appendix E.2 for the details. The proof relies crucially on the diverging $y$ being fresh. In the $\to_{\alpha_i}$-resolution, the same $y$ is used at each step, which prevents the resolution from being based on $\to_{\alpha_0}$. The right-most conjunct follows from the left-most by a simple reflexive, transitive induction.
Lemma 4.16 (stated as a diagram: the counterpart of Lemma 4.15 for $\Rrightarrow^{\mathrm{tot}}_\beta$)
Proof It is not difficult to see that this proof is a straightforward adaptation of the proof of Lemma 4.15, even if it does not follow from it.
4.2.3 Administrative Proof Layers
With the conditional β-diamond property and the weak $\alpha_0$-/β-commutativity results in place, this section will detail the different ways they can be combined to allow us to conclude an unconditional β-commutativity lemma.
The proof step we are considering here will be referred to as the administrative layer of the (full) proof-layer hierarchy that we present in Figure 4.3. With Figure 2.3 and Section 1.2.3 in mind, we trust that the meaning of the figure is obvious.
Before presenting any details, however, we shall define parallel and total-development β-relations on α-equivalence classes in the obvious manner. Although of no formal relevance, we remark that the relations are the right ones as Lemma 3.12 guarantees that every α-equivalence class contains a BCF and either Lemma 2.16 with a suitable marking or Lemma 4.12 guarantee that any conceivable parallel or total-development step can proceed from a BCF.
Definition 4.17
$\lfloor e_1 \rfloor \Rrightarrow_\beta \lfloor e_2 \rfloor \;\stackrel{\mathrm{def}}{\Leftrightarrow}\; e_1 \;({==_\alpha} ; \Rrightarrow_\beta ; {==_\alpha})\; e_2$
$\lfloor e_1 \rfloor \Rrightarrow^{\mathrm{tot}}_\beta \lfloor e_2 \rfloor \;\stackrel{\mathrm{def}}{\Leftrightarrow}\; e_1 \;({==_\alpha} ; \Rrightarrow^{\mathrm{tot}}_\beta ; {==_\alpha})\; e_2$
Administration for Parallel-β Diamond
Lemma 4.18 $\Diamond(\lfloor\Rrightarrow_\beta\rfloor)$
Proof For the diverging $M$s given, we can construct the resolving $N$s in Figure 4.4 in order. The individual diagrams show (i) the considered divergence restated to the syntactic level, cf. Definition 4.17, (ii) an application of Lemma 3.10, (iii) two applications of Lemma 4.15, (iv) insertion of the obvious α-equivalences, (v) an application of Lemma 4.14, and (vi) the use of reflexive α-equivalence to complete the sought-after divergence resolution. (Alternatively, we can apply the Diamond Diagonalisation Lemma, cf. Section 1.2.3, to Lemmas 4.19 and 4.20.)
Administration for Diamond Diagonalisation
Lemma 4.19 (stated as a diagram: the class-level counterpart of Lemma 4.13, for $\lfloor\Rrightarrow_\beta\rfloor$ and $\lfloor\Rrightarrow^{\mathrm{tot}}_\beta\rfloor$)
Proof Please refer to Figure 4.5. The first diagram displays the considered divergence restated to the syntactic level (cf. Definition 4.17) and the $\to_{\alpha_0}$-resolution of the initial α-equivalence by Lemma 3.10. The second diagram brings together the considered β-steps into a (resolvable) divergence by applying Lemmas 4.15 and 4.16. The third diagram resolves the created divergence by Lemma 4.13 and adds the obvious α-equivalences to complete the sought-after divergence resolution.
Figure 4.4: The administrative proof layer for parallel-β diamond (six diagrams, built in the order of the proof of Lemma 4.18, over the given $M_0$, $M^l_1$, $M^r_1$, $M^l_2$, $M^r_2$, $M^l_3$, $M^r_3$ and the constructed $N_0$ (a BCF), $N^l_1$, $N^r_1$, $N_3$, with $\to_{\alpha_0}$-, $==_\alpha$- and $\Rrightarrow_\beta$-edges)
Lemma 4.20 (stated as a diagram: the class-level counterpart of Lemma 4.12, i.e., every class has a $\lfloor\Rrightarrow^{\mathrm{tot}}_\beta\rfloor$-step)
Proof By Definition 4.17, we are done by Lemma 3.12 composed with Lemma 4.12 and reflexivity of $==_\alpha$.
A More Direct Administrative Proof Layer
We saw in the previous two paragraphs that we can obtain commutation lemmas about relations on α-equivalence classes by administrative considerations. The idea is to subsequently employ abstract reasoning, cf. Section 1.2.3, directly to these in order to establish confluence. By Theorem 4.3, however, we can in principle also prove confluence proper at the level of syntactic relations, which gives rise to us listing the following result.
Figure 4.5: The administrative proof layer for diamond diagonalisation (three diagrams, built in the order of the proof of Lemma 4.19, over the given $M_1$, $M^t_2$, $M^t_3$, $M^t_4$, $M^b_2$, $M^b_3$, $M^b_4$ and the constructed $N_1$, $N^t_2$, $N^b_2$, with $\to_{\alpha_0}$-, $==_\alpha$-, $\Rrightarrow_\beta$- and $\Rrightarrow^{\mathrm{tot}}_\beta$-edges)
Lemma 4.21 $\Diamond$ of the syntactic counterpart of Lemma 4.18, cf. Figure 4.6
Proof Steps (ii), (iii), and (v) of Lemma 4.18's proof, cf. Figure 4.6.
4.2.4 Abstract Proof Back-Ends
As is standard with the Tait/Martin-Löf proof method, the abstract back-end of the proof is essentially the Diamond Tiling Lemma, cf. Section 1.2.3, which means that we need the following lemma.
Lemma 4.22
1. the inclusions required by the Diamond Tiling Lemma between $\lfloor\to_\beta\rfloor$, $\lfloor\Rrightarrow_\beta\rfloor$ and $\lfloor\to_\beta\rfloor^{*}$
2. the corresponding inclusions for the syntactic relations used in Lemma 4.21
Proof The first property amounts to the following inclusions at the level of syntax by definition and Lemma 1.35:
$({==_\alpha} ; \to_\beta ; {==_\alpha}) \;\subseteq\; ({==_\alpha} ; \Rrightarrow_\beta ; {==_\alpha}) \;\subseteq\; ({==_\alpha} ; \to_\beta ; {==_\alpha})^{*}$
Figure 4.6: The administrative proof layer for a small diamond property (one diagram over the given $M_0$, $M^l_1$, $M^r_1$, $M^l_2$, $M^r_2$ and the constructed $N_0$ (a BCF), $N^l_1$, $N^r_1$, $N_3$, with $\to_{\alpha_0}$- and $\Rrightarrow_\beta$-edges)
It is immediate to see that this property follows from Proposition 4.7 (and Lemma 1.34), as does the other property when taking reflexivity of $\Rrightarrow_\beta$ and $==_\alpha$ into account.
Theorem 4.23 (Confluence of the Raw and Real λ-Calculi)
$\mathrm{Con}(\to_\beta) \;\wedge\; \mathrm{Con}(\lfloor\to_\beta\rfloor) \;\wedge\; \mathrm{Con}(\to^{\mathrm{Cu}}_\beta) \;\wedge\; \mathrm{Con}(\to^{\mathrm{Hi}}_\beta)$
Proof We first note that the four conjuncts are equivalent by Theorem 4.3. Direct proofs can be given as follows: (i) the first conjunct follows from the Diamond Tiling Lemma, cf. Section 1.2.3, applied to Lemmas 4.21 and 4.22, 2. (ii) the second conjunct follows by the Diamond Tiling Lemma, cf. Section 1.2.3, applied to Lemma 4.22, 1. and either (ii-a) the result of applying the Diamond Diagonalisation Lemma, cf. Section 1.2.3, to Lemmas 4.19 and 4.20, or (ii-b) Lemma 4.18. The remaining two properties do not appear to have direct proofs, as we have seen.
4.3 Variants of β-Confluence
The previous section detailed a number of proofs of the confluence property for β-reduction. In this section, we briefly show that the technologies we introduced can also be used for weaker and stronger results.
Figure 4.7: The administrative proof layer for local confluence (one diagram over the given $M_0$, $M^l_1$, $M^r_1$, $M^l_2$, $M^r_2$, $M^l_3$, $M^r_3$ and the constructed $N_0$ (a BCF), $N^l_1$, $N^r_1$, $N_3$, with $\to_{\alpha_0}$- and $\to_\beta$-edges)
4.3.1 Local β-Confluence
Lemma 4.24 (stated as two diagrams: local confluence of $\to_\beta$ from a BCF, the left-most conjunct, and local confluence of $\lfloor\to_\beta\rfloor$, the right-most conjunct)
Proof The left-most conjunct is a special case of Lemma 4.14 by Lemma 4.7. A proof of the right-most conjunct, employing Lemma 4.7-adaptations of Lemmas 4.15 and 4.14, is given in Figure 4.7, cf. Figure 4.4.
4.3.2 The Strictly Fresh-Naming Case
We first show that $\mathrm{Con}(\to^{\mathrm{fresh}}_\beta)$, for the strictly fresh-naming β-relation $\to^{\mathrm{fresh}}_\beta$, is a stronger property than $\mathrm{Con}(\to_\beta)$.
Lemma 4.25 (stated as a two-part inclusion relating the reflexive, transitive closures of $\to^{\mathrm{fresh}}_\beta$ and $\to_\beta$ up to α-steps)
Proof The first part of the result is trivial. The second part follows by reflexive, right-transitive induction in the reflexive, transitive closure.
Reflexive Case: Trivial.
Right-Transitive Case: We case-split on the trailing step.
First sub-case: We are straightforwardly done by I.H. (diagram over $M_1$, $M_2$, $M_3$ and the constructed $N$).
Second sub-case: In the diagram below, we first construct $N_1$ by I.H.. Next, $N_2$ exists by Lemma 3.10 and $N_3$ exists by Proposition 4.7 and Lemma 4.15 (although, of course, the introduced α-step will be $\to_{\alpha_0}$, even if we have not proved it). Finally, the $\to_\alpha$-step from $N_3$ to $M_3$ exists by Lemma 1.34. (Diagram over $M_1$, $M_2$, $M_3$ and the constructed $N_1$, $N_2$, $N_3$.)

Figure 4.8: The administrative proof layer for parallel-β diamond over $\to_{\alpha_0}$ (one diagram over the given $M_0$, $M^l_1$, $M^r_1$, $M^l_2$, $M^r_2$, $M^l_3$, $M^r_3$ and the constructed $N_1$ (a BCF), $N^l_2$, $N^r_2$, $N^l_4$, $N_3$, $N^r_4$, $N^l_5$, $N^r_5$, $N_6$, with $\to_{\alpha_0}$- and $\Rrightarrow_\beta$-edges)
Lemma 4.26 $\mathrm{Con}(\to^{\mathrm{fresh}}_\beta) \;\Rightarrow\; \mathrm{Con}(\to_\beta)$
Proof By Theorem 4.2, 3., according to Lemmas 1.35 and 4.25.
Lemmas 3.12 and 3.16 strongly suggest that $\mathrm{Con}(\to^{\mathrm{fresh}}_\beta)$ can be obtained in a manner similar to what we have seen for the unrestricted case and this is, indeed, so. It is interesting to note that although the proof of the following key lemma is bigger than in the unrestricted case, it is the same lemmas being used.
Lemma 4.27 (diamond property of the composite of $\to_{\alpha_0}$-steps and a parallel β-step, stated as a diagram)
Proof Figure 4.8, cf. Figure 4.6. The $N_4$s and $N_6$ exist by Lemma 3.10.
Lemma 4.28 (the inclusions required by the Diamond Tiling Lemma between $\to^{\mathrm{fresh}}_\beta$ and the composite relation of Lemma 4.27)
Proof Straightforward, cf. Lemma 4.22.
Theorem 4.29 $\mathrm{Con}(\to^{\mathrm{fresh}}_\beta)$
Proof By the Diamond Tiling Lemma, cf. Section 1.2.3, applied to Lemmas 4.27 and 4.28.
4.4 η-Confluence
In this section we shall prove η-confluence in the same manner in which we proved β-confluence. We shall focus especially on the optimisations of the administrative proof-layer that arise from the fact that the η-relation is simpler than the β-relation as far as renaming is concerned.
4.4.1 Lower-Layer Results
With reference to Figure 4.3, we present the following three results.
Proposition 4.30 ($\to_\eta$ Variable Monotonicity)
$e \to^{*}_\eta e' \;\Rightarrow\; \mathrm{FV}(e') = \mathrm{FV}(e) \;\wedge\; \mathrm{BV}(e') \subseteq \mathrm{BV}(e) \;\wedge\; \mathrm{Capt}_x(e') \subseteq \mathrm{Capt}_x(e)$
Proof By reflexive, transitive induction in $\to^{*}_\eta$. Only the base case is interesting and it follows by straightforward rule inductions.
Lemma 4.31 ($\to_\eta$ Left-Substitutivity)
$e_1 \to_\eta e'_1 \;\wedge\; \mathrm{FV}(e_2) \cap \mathrm{Capt}_x(e_1) = \emptyset \;\Rightarrow\; e_1[x := e_2] \to_\eta e'_1[x := e_2]$
Proof We will not prove this result directly but instead refer to the proof of Lemma 6.4, which subsumes the present proof, cf. Lemma 6.2.
Lemma 4.32 ($\to_\eta$ Right-Substitutivity)
$e_2 \to_\eta e'_2 \;\wedge\; \mathrm{FV}(e_2) \cap \mathrm{Capt}_x(e_1) = \emptyset \;\Rightarrow\; e_1[x := e_2] \to^{*}_\eta e_1[x := e'_2]$
Proof We will not prove this result directly but instead refer to the proof of Lemma 6.4, which subsumes the present proof, cf. Lemma 6.2.
4.4.2 Commutativity Lemmas
Unlike the β-relation, η-reduction is natively renaming-free.
Lemma 4.33 (α/η Commutativity) (stated as two diagrams: $\to_\alpha$ and $\to_\eta$ commute, the left-most conjunct, and so do their reflexive, transitive closures, the right-most conjunct)
Proof The right-most conjunct follows from the left-most by the Hindley-Rosen Lemma, cf. Section 1.2.3. The left-most conjunct follows by rule induction in $\to_\eta$:
Case (η): We case-split on the applicable α-rules.
Sub-case (α): $\lambda x.ex \to_\eta e$ and $\lambda x.ex \to_\alpha \lambda y.ey$, resolved by $\lambda y.ey \to_\eta e$ and a reflexive step at $e$. The diverging $\to_\alpha$-step leaves $e$ unchanged by the side-condition on the (α)-rule according to Proposition 1.25, 2., which means that the lower resolution step is enabled by the sub-case. The right-most resolution step is a (trivially-enabled) reflexive step.
Sub-case (L$_\alpha$): The considered α-rule must be followed by (Al$_\alpha$). $\lambda x.ex \to_\eta e$ and $\lambda x.ex \to_\alpha \lambda x.e'x$, resolved by $\lambda x.e'x \to_\eta e'$ and $e \to_\alpha e'$. The right-most resolution step is given by the sub-case. The lower resolution step is enabled by Proposition 3.1.
Case (L$_\eta$): We case-split on the applicable α-rules.
Sub-case (α): $\lambda x.e \to_\eta \lambda x.e'$ and $\lambda x.e \to_\alpha \lambda y.e[x := y]$, resolved by $\lambda y.e[x := y] \to_\eta \lambda y.e'[x := y]$ and $\lambda x.e' \to_\alpha \lambda y.e'[x := y]$. The right-most resolution step is enabled by Proposition 4.30, the lower by Lemma 4.31.
Other Sub-cases: Straightforward by I.H.: $\lambda x.e \to_\eta \lambda x.e'$ and $\lambda x.e \to_\alpha \lambda x.e''$, resolved at $\lambda x.e'''$.
Cases (Al$_\eta$) & (Ar$_\eta$): Straightforward by either I.H. or by the divergence arising from contraction in different sub-terms of the application (thus being trivially resolvable).
Figure 4.9: The administrative proof layer for η-commutativity (two diagrams: the general method over the given $M_0$, $M^l_1$, $M^r_1$, $M^l_2$, $M^r_2$, $M^l_3$, $M^r_3$ and the constructed $N_0$, $N^l_1$, $N^r_1$, $N_3$, with $\to_{\alpha_0}$-edges; and an optimised version over $M^l_1$, $M_0$, $M^r_1$, $M^l_2$, $M^r_2$, $M^l_3$, $M^r_3$ and the constructed $N^l_1$, $N^r_1$, $N_2$, with $\to_\alpha$-edges)
Lemma 4.34 (η Commutativity) (stated as two diagrams: $\to_\eta$ commutes with itself, the left-most property, and so does $\lfloor\to_\eta\rfloor$, the right-most property)
Proof The right-most property follows from the left-most as displayed in Figure 4.9. The top part of the figure is a proof by the general method; the lower part is an optimised version that takes advantage of commuting with $\to_\alpha$, not just with $\to_{\alpha_0}$. The left-most property follows by a rule induction in the upper $\to_\eta$.
Case (η): We case-split on the applicable rules for the left-most $\to_\eta$.
Sub-case (η): We are straightforwardly done by reflexive resolution: both steps are $\lambda x.ex \to_\eta e$.
Sub-case (L$_\eta$): The sub-case rule must be followed by (Al$_\eta$). $\lambda x.ex \to_\eta e$ and $\lambda x.ex \to_\eta \lambda x.e'x$, resolved by $\lambda x.e'x \to_\eta e'$ and $e \to_\eta e'$. The right-most resolution step is given by the sub-case. The lower resolution step is enabled by Proposition 4.30.
Case (L$_\eta$): We case-split on the applicable rules for the left-most $\to_\eta$.
Sub-case (η): Analogous to Case (η), Sub-case (L$_\eta$).
Sub-case (L$_\eta$): The divergence is straightforwardly resolved by I.H.: $\lambda x.e \to_\eta \lambda x.e'$ and $\lambda x.e \to_\eta \lambda x.e''$, resolved at $\lambda x.e'''$.
Case (Al$_\eta$): We case-split on the applicable rules for the left-most $\to_\eta$.
Sub-case (Al$_\eta$): The divergence is straightforwardly resolved by I.H.: $e_1 e_2 \to_\eta e'_1 e_2$ and $e_1 e_2 \to_\eta e''_1 e_2$, resolved at $e'''_1 e_2$.
Sub-case (Ar$_\eta$): We are straightforwardly done: $e_1 e_2 \to_\eta e'_1 e_2$ and $e_1 e_2 \to_\eta e_1 e'_2$, resolved at $e'_1 e'_2$.
Case (Ar$_\eta$): Analogous to Case (Al$_\eta$).
Theorem 4.35 $\mathrm{Con}(\to_\eta) \;\wedge\; \mathrm{Con}(\lfloor\to_\eta\rfloor) \;\wedge\; \mathrm{Con}(\to_\alpha \cup \to_\eta)$
Proof The two left-most conjuncts can be established from the corresponding conjuncts in Lemma 4.34 by the Hindley-Rosen Lemma, cf. Section 1.2.3. The right-most conjunct can be established either by the Commuting Confluence Lemma, cf. Section 1.2.3, applied to the left-most conjunct and Lemmas 1.34 and 4.33 or, alternatively, by equivalence of the two right-most conjuncts, cf. Lemma 1.35.
4.5 βη-Confluence
In order to show βη-confluence on α-equivalence classes by means of the Commuting Confluence Lemma, cf. Section 1.2.3, we see that we must show that η-reduction commutes with combined αβ-reduction.
Lemma 4.36 (stated as three diagrams: a β/η divergence resolved with an α-step on the right, the left-most conjunct; the same combined with α-steps, the middle conjunct; and the version for the reflexive, transitive closures, the right-most conjunct)

Figure 4.10: The administrative proof layer for βη-commutativity (two diagrams: the general method over the given $M_0$, $M^l_1$, $M^r_1$, $M^l_2$, $M^r_2$, $M^l_3$, $M^r_3$ and the constructed $N_0$, $N^l_1$, $N^r_1$, $N_3$, with $\to_{\alpha_0}$-edges; and an optimisation over the same $M$s and the constructed $N_0$, $N_1$)
Proof The proof of the left-most conjunct is straightforward. The $\to_\alpha$-step in the resolution on the right is needed for the obvious divergence on $\lambda x.(\lambda y.e)x$, with $x \neq y$. Please refer to Appendix E.3 for the details. The middle conjunct combines the left-most conjunct and Lemma 4.33. The right-most conjunct follows from the middle by the Hindley-Rosen Lemma, cf. Section 1.2.3.
Lemma 4.37 (stated as two diagrams: the class-level counterparts of the left-most and right-most conjuncts of Lemma 4.36)
Proof Using Lemmas 3.10, 4.15, and 4.33, Figure 4.10 shows how to prove the left-most conjunct from the left-most conjunct of Lemma 4.36. The top part of the figure is by the general method; the lower part is an optimisation based on (full) α-commutativity, Lemma 4.33. The right-most conjunct follows by the Hindley-Rosen Lemma, cf. Section 1.2.3.
Theorem 4.38 $\mathrm{Con}(\lfloor\to_{\beta\eta}\rfloor) \;\wedge\; \mathrm{Con}(\to_{\beta\eta})$
Proof The two conjuncts are equivalent by Lemma 1.35. They can also be proved independently by the Commuting Confluence Lemma, cf. Section 1.2.3, applied to Theorems 4.23 and 4.35 as well as Lemma 4.37 and Lemma 4.36, respectively.
Chapter 5
Residual Theory Revisited
The results in this chapter are direct extensions of and elaborations on the results in Chapter 2. The main result, β-residual completion, can be seen as special cases of the strong finite development property [8, 57] (as we shall see) and of Huet's prism theorem [28], which itself is a special case of Lévy's cube lemma [35] (although we shall not pursue this connection any further). The residual-completion property admits the use of some nice constructive methods and is vastly simpler to establish than either of the other properties although it, too, implies, e.g., confluence.
Abstractly speaking, we are considering a reduction relation on ordinary terms (without marks), $\to$, its associated residual relation on marked terms, $\to_{@}$, a (normal-form) predicate saying when a marked term contains no actual marks, $\mathrm{unMarked}(\cdot)$, a de-marking function (cf. Definition 2.3), $\lvert\cdot\rvert$, and a development relation on ordinary terms:
$e_1 \to_{\mathrm{dev}} e_2 \;\stackrel{\mathrm{def}}{\Leftrightarrow}\; \exists b_1, b_2.\; \lvert b_1\rvert = e_1 \;\wedge\; \lvert b_2\rvert = e_2 \;\wedge\; b_1 \to^{*}_{@} b_2$
5.1 Confluence vs Residual Confluence
We shall first account for the manner in which a residual relation can be used to prove confluence proper. We do it by way of an adaptation of Theorem 4.2, 1. that highlights the key steps of the methodology. The result is not important in itself.
Lemma 5.1 $\mathrm{Con}(\to_{@}) \;\wedge\; (\Diamond(\to^{*}_{@}) \Rightarrow \Diamond(\to_{\mathrm{dev}})) \;\Rightarrow\; \mathrm{Con}(\to)$
Proof As $\mathrm{Con}(\to_{@})$ and $\Diamond(\to^{*}_{@})$ are the same property, the assumptions imply $\Diamond(\to_{\mathrm{dev}})$. The conclusion can thus be reached from the Diamond Tiling Lemma, cf. Section 1.2.3, seeing that it is straightforward to prove $\to \;\subseteq\; \to_{\mathrm{dev}} \;\subseteq\; \to^{*}$ from the (implied) properties of $\to$ and $\to_{@}$.
The fact that we do not have $\Diamond(\to^{*}_{@}) \Rightarrow \Diamond(\to_{\mathrm{dev}})$ for free was already observed in Theorem 4.2. In terms of the present situation the problem is that an unmarked divergence is not known to correspond to a marked divergence. We merely know that two $\to_{@}$-reductions proceed from marked terms that map to the same unmarked term. The standard way of overcoming this is to introduce a marking that covers both the other markings. We shall not pursue the matter here but instead focus on $\mathrm{Con}(\to_{@})$. Suffice it to say that the (substantial amount of) details can be worked out using $\mathrm{PPP}(\Lambda^{\mathrm{var}})$, only.
The key to understanding why the proof methodology of Lemma 5.1 is useful lies in the fact that $\to^{*}_{@}$ is transitive whereas $\to_{\mathrm{dev}}$ is not. By working on the residual side, more proof principles are available, so to speak.
5.2 β-Residual Completion
This section introduces the (abstract) residual-completion property and shows that it implies residual confluence. It goes on to establish the β-residual completion property and, thus, residual β-confluence.
5.2.1 The Abstract Framework
We take Chapter 2 as starting point.
Definition 5.2 A relation, $\to$, enjoys the residual-completion property, $\mathrm{RCP}(\to)$, if there exists a residual-completion relation, $\Rrightarrow_{@}$, such that:
1. $\Rrightarrow_{@} \;\subseteq\; \to^{*}_{@}$ (residual-completion is marked development)
2. $\forall t.\;\exists t'.\; t \Rrightarrow_{@} t' \;\wedge\; \mathrm{unMarked}(t')$ (residual-completion totally completes)
3. $t \to_{@} t_1 \;\wedge\; t \Rrightarrow_{@} t_2 \;\Rightarrow\; t_1 \Rrightarrow_{@} t_2$ (residual-completion is residually co-final)
In spite of the relative weakness of the individual properties above, they combine well and in a way that brings out some powerful constructive notions, e.g., the strengthening of the existential quantification in 2. above to the universal quantification in 2. below as well as the use of reflexive, transitive closure on 3. above to obtain 1. below.
Proposition 5.3 Assume $\mathrm{RCP}(\to)$, witnessed by $\Rrightarrow_{@}$.
1. $t \to^{*}_{@} t_1 \;\wedge\; t \Rrightarrow_{@} t_2 \;\Rightarrow\; t_1 \Rrightarrow_{@} t_2$
2. $t \Rrightarrow_{@} t' \;\Rightarrow\; \mathrm{unMarked}(t')$
3. $\Rrightarrow_{@}$ is a (total) function.
Proof The first property follows from Definition 5.2, 3. by a straightforward reflexive, transitive induction. We prove the last two properties simultaneously (observing that totality is Definition 5.2, 2). Consider some $t \Rrightarrow_{@} t'$. By Definition 5.2, 2., there exists a $t''$, such that, $t \Rrightarrow_{@} t''$ and $\mathrm{unMarked}(t'')$. By Definition 5.2, 1., we see that, in fact, $t \to^{*}_{@} t''$. By the first property of this proposition, we therefore have that $t'' \Rrightarrow_{@} t'$ and, thus, by Definition 5.2, 1, that $t'' \to^{*}_{@} t'$. As $\mathrm{unMarked}(t'')$, we have $t'' = t'$ and we are done.
Lemma 5.4 $\mathrm{RCP}(\to) \;\Rightarrow\; \mathrm{Con}(\to_{@})$
Proof Apply the Diamond Diagonalisation Lemma, cf. Section 1.2.3, to Definition 5.2, 2. and Proposition 5.3, 1. and observe that the inferred divergence-resolution is of the right kind by Definition 5.2, 1..
5.2.2 The β-Residual α-Theory
This section applies the results of the previous section to the straightforward administrative treatment, cf. Figure 4.3, of the results in Chapter 2 to show $\mathrm{RCP}(\to_\beta)$ and, thus, $\mathrm{Con}(\to_{\beta@})$. We will rely heavily on the treatment of α-reduction on $\Lambda^{\mathrm{var}}$. The α-reduction relation on $\Lambda^{\mathrm{var}}_{@}$ is not constrained by the marks but can contract both a marked redex, $(\lambda x.e_1)@e_2$, and a stand-alone abstraction, $\lambda x.e$. The definition of the α-collapsed residual λ-calculus is equally straightforward.
Definition 5.5
$\lfloor\Lambda^{\mathrm{var}}_{@}\rfloor \;\stackrel{\mathrm{def}}{=}\; \Lambda^{\mathrm{var}}_{@}/{==_{\alpha@}}$
$\lfloor\cdot\rfloor : \Lambda^{\mathrm{var}}_{@} \to \lfloor\Lambda^{\mathrm{var}}_{@}\rfloor$, $\;\lfloor t \rfloor \;\stackrel{\mathrm{def}}{=}\; \{t' \mid t ==_{\alpha@} t'\}$
$\lfloor t_1 \rfloor \to_{\beta@} \lfloor t_2 \rfloor \;\stackrel{\mathrm{def}}{\Leftrightarrow}\; t_1 \;({==_{\alpha@}} ; \to_{\beta@} ; {==_{\alpha@}})\; t_2$
$\lfloor t_1 \rfloor \Rrightarrow^{\mathrm{tot}}_{@} \lfloor t_2 \rfloor \;\stackrel{\mathrm{def}}{\Leftrightarrow}\; t_1 \;({==_{\alpha@}} ; \Rrightarrow^{\mathrm{tot}}_{@} ; {==_{\alpha@}})\; t_2$
Lemma 5.6 $\mathrm{RCP}(\to_\beta)$
Proof We prove the individual properties in Definition 5.2 in turn, using $\Rrightarrow^{\mathrm{tot}}_{@}$ as the residual-completion relation.
1. By an adaptation of Lemma 4.22.
2. By definition, we must prove: $\forall t.\;\exists t'.\; t \Rrightarrow^{\mathrm{tot}}_{@} t' \;\wedge\; \mathrm{unMarked}(t')$. The result follows from (adaptations of) Lemmas 2.16 and 3.28 as well as the definitional reflexivity of $==_{\alpha@}$.

Figure 5.1: The administrative proof layer for residual completion (one diagram over the given $M_1$, $M^t_2$, $M^t_3$, $M^t_4$, $M^b_2$, $M^b_3$, $M^b_4$ and the constructed $N_1$, $N^t_2$, $N^b_2$, with $\to_{\alpha_0@}$- and $\to_{@}$-edges)

3. The property follows from the left-most conjunct in Lemma 2.15, cf. Figures 4.5 and 5.1. The results that are invoked in the present figure are straightforward adaptations of Lemmas 3.10 and 4.15.
Theorem 5.7 $\mathrm{Con}(\to_{\beta@}) \;\wedge\; \mathrm{Con}(\lfloor\to_{\beta@}\rfloor)$
Proof By Lemmas 5.4 and 5.6 and Theorem 4.2, 4. (with an adaptation of Lemma 1.35), respectively.
5.3 Strong (Weakly-)Finite Development
In this section, we shall pursue the so-called strong finite development property [8, 57] and show that it is closely related to the RCP, albeit more cumbersome to establish. Indeed, it is our opinion that the latter is proof-theoretically more relevant and to-the-point than the former.
The original interest in strong finite development was the notion that is also captured in Newman's Lemma, cf. Section 1.2.2, viz the use of SN to eliminate the possibility of wayward reductions.
Definition 5.8 A relation, $\to$, enjoys the strong finite development property, $\mathrm{SFDP}(\to)$, if
1. $\mathrm{SN}(\to_{@})$
2. $t \to^{*}_{@} t' \;\Rightarrow\; \exists t''.\; t' \to^{*}_{@} t'' \;\wedge\; \mathrm{unMarked}(t'')$ (developments can be completed)
3. $t \to^{*}_{@} t_1 \;\wedge\; t \to^{*}_{@} t_2 \;\wedge\; \mathrm{unMarked}(t_1) \;\wedge\; \mathrm{unMarked}(t_2) \;\Rightarrow\; t_1 = t_2$ (completions are unique)
5.3. STRONG (WEAKLY-)FINITE DEVELOPMENT 137
The use of SN in the above property seems unfortunate to us as it is a
non-equational notion, unlike the intentions of the SFDP as a whole, which
suggests to us that it can be improved upon. Curiously, it seems that the
adjusted property that simply leaves out SN is equally expressive.
Definition 5.9 A relation, →, enjoys the strong weakly-finite develop-
ment property, SWFDP(→), if
1. t →→@ t' ⟹ ∃t''. t' →→@ t'' ∧ unMarked(t'')   (developments can be completed)
2. t →→@ t1 ∧ t →→@ t2 ∧ unMarked(t1) ∧ unMarked(t2) ⟹ t1 = t2   (completions are unique)
The name of the property is motivated by the following property and
the way it contrasts with the use of SN in the SFDP. Indeed, we see that
WN is an equational manifestation, unlike SN.
Proposition 5.10 SWFDP(→) ⟹ WN(→@)
Proof By Definition 5.9, 1., using reflexivity: t →→@ t.
As suggested, and surprisingly, perhaps,¹ we have that already the SWFDP
implies confluence, and straightforwardly so, at that.
Lemma 5.11 SWFDP(→) ⟹ Con(→@)
Proof Consider the following divergence: M →→@ M1 and M →→@ M2.
By Definition 5.9, 1., there exist N1, N2, such that unMarked(N1), unMarked(N2)
and M1 →→@ N1 and M2 →→@ N2.
By transitivity of →→@ and Definition 5.9, 2., we see that, in fact, N1 = N2
and we are done.
¹ [5, p. 283]: "[The finiteness of developments] has important consequences, among them
being [confluence] . . ."
Alternatively, we can show the above property by the following result,
which shows that residual completion and strong weakly-finite development
are equivalent. This final result thus establishes the (constructive) notion of
residual completion as an alternative to strong (weakly-)finite development.
In our opinion, the relevant proof-theoretical import of the two properties
is brought out most clearly in the new result, residual completion.
Lemma 5.12 RCP(→) ⟺ SWFDP(→)
Proof
⟹ direction: We establish the clauses of Definition 5.9 under the as-
sumption of RCP(→).
Clause 1.: By Definition 5.2, 2. followed by Definition 5.2, 1. applied
to the considered end-term (i.e., t').
Clause 2.: Consider t →→@ ti ∧ unMarked(ti), for i ∈ {1, 2}. By Def-
inition 5.2, 2., there exists a t', such that t ⇒@ t' and unMarked(t').
By Proposition 5.3, 1. applied twice, we have ti ⇒@ t', which,
by Definition 5.2, 1., means that ti →→@ t'. By unMarked-ness,
we conclude that t1 = t' = t2.
⟸ direction: We show that t ⇒@ t' ≝ t →→@ t' ∧ unMarked(t')
enjoys the individual clauses of Definition 5.2 under the assumption of
SWFDP(→).
Clause 1: By definition of ⇒@.
Clause 2: By Proposition 5.10 following the definition of ⇒@.
Clause 3: Consider t →@ t1 and t ⇒@ t2. By Definition 5.9, 1.,
there exists a t1', such that t1 →→@ t1' and unMarked(t1'). As
also unMarked(t2) (by definition), Definition 5.9, 2. implies that
t1' = t2. Finally, t1 ⇒@ t2 holds by definition of ⇒@.
Lemma 5.13 SWFDP(⌊→@⌋)
Proof Lemmas 5.6 and 5.12.
Part III
Composition Commutation
Chapter 6
η-over-β Postponement
The η-over-β postponement theorem says that a series of β- and η-steps can
be rearranged such that the β-steps come first and the η-steps come last.
The notion of commutation that we shall consider in this chapter (and the
next) is thus orthogonal in nature to that considered till now: composition
vs. divergence commutation, respectively.
The proof development in this chapter essentially follows that of Taka-
hashi [62]. Apart from our explicit treatment of the α-relation, the main
novelties in our proof are a somewhat simplified η-generation lemma and the
introduction of the relevant administrative proof layer, which, due to the dif-
ferences between divergence and composition commutation, necessitates the
introduction of novel administration technology, cf. Figure 4.3. We shall
focus our attention on the latter issue, cf. Lemma 6.12, in anticipation of
the technically far more advanced Chapter 7.
6.1 Parallel Reduction
The results in this section are straightforward and entirely in line with [62],
whence we largely suppress commentary.
Definition 6.1 The parallel η-relation on syntax, ⇒η, is given in Figure 6.1.
The α-collapsed relation is:
⌊e⌋ ⇒η ⌊e'⌋  ≝  e ==α ; ⇒η ; ==α e'
Lemma 6.2 (⇒η is Reduction) →η ⊆ ⇒η ⊆ →→η, and the reflexive, transitive
closures of ⌊→η⌋ and ⌊⇒η⌋ coincide.
Proof The left-most conjunct follows by straightforward rule inductions
in →η and ⇒η, respectively. The right-most conjunct follows from the
left-most in a manner akin to Lemma 4.22.
(η)    x ∉ FV(e) ∧ e ⇒η e'  ⟹  λx.ex ⇒η e'
(Lη)   e ⇒η e'  ⟹  λx.e ⇒η λx.e'
(Aη)   e1 ⇒η e1' ∧ e2 ⇒η e2'  ⟹  e1 e2 ⇒η e1' e2'
(Varη) x ⇒η x
Figure 6.1: Parallel η-reduction
Proposition 6.3 (⇒η Variable Monotonicity)
e ⇒η e' ⟹ FV(e') = FV(e) ∧ BV(e') ⊆ BV(e) ∧ Capt_x(e') ⊆ Capt_x(e)
Proof From Proposition 4.30 by Lemma 6.2.
Lemma 6.4 (⇒η Substitutivity)
e1 ⇒η e1' ∧ e2 ⇒η e2' ∧ FV(e2) ∩ Capt_x(e1) = ∅ ⟹ e1[x := e2] ⇒η e1'[x := e2']
Proof By rule induction in e1 ⇒η e1'.
Case (η): We are considering e1 = λy.ey, with y ∉ FV(e) and e ⇒η e1', and we case-
split on the considered substitution.
Sub-case y = x ∨ y ∈ FV(e2): If y = x, the substitution on e1 is dis-
carded by definition, while the substitution on e1' is discarded
by Proposition 1.25, 2. as (x =) y ∉ FV(e1') (= FV(e), by Proposition 6.3) by the sub-case. If, on
the other hand, y ≠ x ∧ y ∈ FV(e2), we see that x ∉ FV(λy.ey)
(and thus x ∉ FV(e)) by a premise of the lemma and we are
straightforwardly done by Proposition 1.25, 2..
Sub-case y ≠ x ∧ y ∉ FV(e2): We are done by a simple application
of the I.H..
Remaining Cases: Straightforward applications of the I.H., etc.; in part
because of Proposition 6.3.
Lemma 6.5 (η/α Commutativity) The ⇒η-relation commutes with →α0 and
with →→α0 in the manner of Lemma 4.33 (diagrams not reproduced).
Proof A straightforward adaptation of the proof of Lemma 4.33.
In order to understand the following definition and lemma, we refer to
the statement of Lemma 6.9 and the example preceding it.
Definition 6.6 (η-Expansion)
Λ_ȳ(e) = e, if ȳ = ε
Λ_ȳ(e) = λx.e' x, if ȳ = x·x̄ ∧ x ∉ FV(e) ∧ e' = Λ_x̄(e)
Proposition 6.7 Λ_ȳ(·) is a (partial) computable function.
Proof Λ_ȳ(·) is defined structural-recursively over the inductively-defined
vector, ȳ, and the result follows by construction.
To motivate the next result, we consider the following reduction step:
e_a ⇒η λx.e_b. By the end-term, only (η) and (Lη) could have been used to
derive the considered step, which means that we have either a y such that
e_a = λy.(λx.e_b)y or an e_c such that e_a = λx.e_c and e_c ⇒η e_b.
Lemma 6.8 (η-Generation)
e_a ⇒η λx.e_b ⟹ ∃ȳ, e_c. e_a = Λ_ȳ(λx.e_c) ∧ e_c ⇒η e_b
Proof By rule induction in ⇒η.
Case (η): We are considering the following situation:
y ∉ FV(e1) ∧ e1 ⇒η λx.e_b  ⟹  λy.e1 y ⇒η λx.e_b
By I.H., we have e1 = Λ_ȳ(λx.e_c) and e_c ⇒η e_b and we are done as
λy.e1 y = Λ_{y·ȳ}(λx.e_c).
Case (Lη): Straightforward, using ȳ = ε.
Remaining Cases: The considered rules cannot have an abstraction as
end-term and the cases, thus, hold trivially.
Consider the following example from the perspective of η-over-β post-
ponement.
(λy.(λx.x)y)z  →η  (λx.x)z  →β  z
The x-abstraction needs to be β-contracted first as no trailing η-contraction
can get rid of it. That means that we are considering (λy.y)z as an interme-
diate term. It, too, must be β-contracted. The following lemma thus states
that the z eventually will be passed in to the x through a parallel β-step,
even if this happens through a y-abstraction.
Lemma 6.9 (β-Annihilation of η-Expansion)
e ⇒β e' ∧ ({y} ∪ ȳ) ∩ Var(λx.e) = ∅ ⟹ Λ_{y·ȳ}(λx.e) ⇒β λy.e'[x := y]
Proof By rule induction in Λ_ȳ(·) (not in Λ_{y·ȳ}(·)!).
Case Λ_ε(·): We are straightforwardly done:
e ⇒β e'   y ⇒β y   y ∉ Capt_x(e')
⟹ (λx.e)y ⇒β e'[x := y]
⟹ λy.(λx.e)y ⇒β λy.e'[x := y]
The top, right-most premise above follows from a premise of the lemma
by Proposition 4.10.
Case Λ_{z·z̄}(·): We are, again, straightforwardly done:
Λ_{z·z̄}(λx.e) ⇒β λz.e'[x := z]   y ⇒β y   y ∉ Capt_z(e'[x := z])
⟹ Λ_{z·z̄}(λx.e) y ⇒β e'[x := z][z := y]
⟹ λy.Λ_{z·z̄}(λx.e) y ⇒β λy.e'[x := z][z := y]
The top, left-most premise above follows by I.H.. The top, right-
most premise follows from a premise of the lemma by Lemma 1.43
and Proposition 4.10. Finally, e'[x := z][z := y] = e'[x := y] by
Lemma 2.10, using a premise of the lemma.
6.2 Postponement
Our first result of this section, which will eventually establish the postpone-
ment theorem, is the key commutation lemma on syntax. The interesting
step is where Lemma 6.9 is invoked.
Lemma 6.10 (BCF) ⇒η ; ⇒β ⊆ ⇒β ; ⇒η
Proof By rule induction in ⇒η.
Case (η) We are considering λx.ex ⇒η e' ⇒β e'', for some e ⇒η e'
with x ∉ FV(e). By I.H., we have an e''', such that e ⇒β e''' ⇒η e''
and thus also λx.ex ⇒β λx.e'''x. We also have FV(e''') ⊆ FV(e) by
Lemma 4.10 and, thus, x ∉ FV(e'''), so that λx.e'''x ⇒η e'', and we are done.
Case (Lη) Straightforward by I.H.
Case (Aη) We are considering e1 e2 ⇒η e1' e2' ⇒β e', for some e_i ⇒η e_i',
and we case-split on the ⇒β-step.
Sub-case (Aβ) In this case, we have e_i' ⇒β e_i'', with e' = e1'' e2'', and
we are done by applying the I.H. twice (and by noting that
⇒β is reflexive).
Sub-case (β) We are considering e1 e2 ⇒η (λx.e1')e2' ⇒β e1''[x := e2''].
By Lemma 6.8 (which we can apply by the case), there exist e
and ȳ such that e1 = Λ_ȳ(λx.e) and e ⇒η e1'. By I.H., there
exist e_i''' such that e ⇒β e1''' ⇒η e1'' and e2 ⇒β e2''' ⇒η e2''.
By Lemmas 2.10, 4.11, and 6.9 (which we can apply by BCF-
initiality), it follows that e1 e2 ⇒β e1'''[x := e2'''] and we are done
by Lemma 6.4.
Case (Varη) Trivial.
BCF-initiality is important for the previous property as witnessed, e.g.,
by (λy.λx.yx)x →η (λy.y)x →β x, where the η- and β-steps do not com-
mute.
Lemma 6.11 e1 ⇒η e2 ⟹ BCF(e1) ⟹ BCF(e2)
Proof By rule induction in ⇒η.
Case (η) We have e1 = λx.ex, with x ∉ FV(e) and BCF(e) by definition.
The case prescribes that e ⇒η e2 and we are done by I.H.
Case (Lη) We are considering e1 = λx.e with e ⇒η e'. By I.H., BCF(e')
and as BV(e') ⊆ BV(e) ∌ x by a premise of the lemma and Proposi-
tion 6.3, we are done.
Case (Aη) Analogous to the previous case.
Case (Varη) Trivial.
Lemma 6.12  ⌊⇒η⌋ ; ⌊⇒β⌋ ⊆ ⌊⇒β⌋ ; ⌊⇒η⌋  ∧  ⌊→→η⌋ ; ⌊→→β⌋ ⊆ ⌊→→β⌋ ; ⌊→→η⌋
Proof The right-most conjunct follows from the left-most in an analogous
manner to the results in Section 1.2.3, cf. Lemmas 4.22 and 6.2. Please refer
to Figure 6.2 for the details of the proof of the left-most conjunct. The
BCF N1 exists by Lemma 3.13 and N2 exists by Lemma 6.5. A novel aspect
introduced in this administrative proof layer is that we can observe that also
N2 is a BCF, cf. Lemma 6.11, which means that it is →→α0-reachable from M5
by Lemma 3.16. In turn, this means that N3 exists by Lemma 4.15 and we
can apply Lemma 6.10 to show that N4 exists, which finishes the proof.
Figure 6.2: The administrative proof layer for η/β composition commutation (two diagrams over M1 … M7 and N1 … N4, with N1 and N2 marked (BCF); relations →α0, →→α0, ⇒η and ⇒β; not reproduced)
Theorem 6.13  ⌊→→βη⌋ ⊆ ⌊→→β⌋ ; ⌊→→η⌋
Proof By reflexive, transitive induction in →→βη. The only interesting
case is the transitive case, which follows from I.H.-applications, the right-
most conjunct of Lemma 6.12, and transitivity of the considered relations:
a composite M1 →→βη M2 →→βη M3 is rearranged by the I.H. into
M1 →→β N1 →→η M2 →→β N2 →→η M3, the inner η/β composite is
commuted by Lemma 6.12 into N1 →→β N3 →→η N2, and transitivity
yields M1 →→β N3 →→η M3 (diagram not reproduced).
Chapter 7
β-Standardisation
Standardisation is also a composition-commutativity result like postpone-
ment. It is a very powerful result that, informally speaking, says that any
reduction sequence can be executed by contracting in a left-to-right order,
possibly skipping some redexes. Standardisation implies rewriting results
such as the left-most reduction lemma [5, 62] and, in a wider perspective,
guarantees the existence of evaluation-order independent semantics [53].
This chapter addresses three different approaches to proving standardis-
ation due to Mitschke [44], Plotkin [53], and David [10], respectively. The
three approaches are fairly closely related, with Plotkin's proof bridging the
other two, so to speak. Mitschke's and Plotkin's proofs both use semi-
standardisation while David's and Plotkin's both can be described as ab-
sorption standardisation. We shall show that, because of this, only Plotkin's
approach is formalisable with the proof principles we are considering. We
shall examine the failures of the other two proofs closely.
7.1 Definitions and Basic Properties
In this section, we present the relations the various proofs are based on and
establish their basic properties. The relations allow us to distinguish be-
tween weak-head and inner redexes. As stressed in [42], the crucial property
of the inner relations is that they preserve the outermost syntax constructor
of the term they reduce, thus giving us the analytical tools to infer which
particular rule has been applied to arrive at a considered end-term.
Definition 7.1 Weak-head β-reduction, →wh, is defined in Figure 7.1.
The corresponding (strong) inner, →I, and parallel inner, ⇒I, β-relations
(βwh)  Capt_x(e1) ∩ FV(e2) = ∅  ⟹  (λx.e1)e2 →wh e1[x := e2]
(@wh)  e1 →wh e1'  ⟹  e1 e2 →wh e1' e2
Figure 7.1: Weak-head β-reduction
(@I1)    e1 →I e1'  ⟹  e1 e2 →I e1' e2
(@I2)    e2 →β e2'  ⟹  e1 e2 →I e1 e2'
(λI)     e →β e'  ⟹  λx.e →I λx.e'
(Var⇒I)  x ⇒I x
(@⇒I)    e1 ⇒I e1' ∧ e2 ⇒β e2'  ⟹  e1 e2 ⇒I e1' e2'
(λ⇒I)    e ⇒β e'  ⟹  λx.e ⇒I λx.e'
Figure 7.2: Inner and parallel inner β-reduction
are defined in Figure 7.2. We also have:
⌊e⌋ →wh ⌊e'⌋  ≝  e ==α ; →wh ; ==α e'
⌊e⌋ →I ⌊e'⌋  ≝  e ==α ; →I ; ==α e'
⌊e⌋ ⇒I ⌊e'⌋  ≝  e ==α ; ⇒I ; ==α e'
Proposition 7.2 e ⇒I e
Proof A straightforward structural induction using Proposition 4.6.
Proposition 7.3 (→I ⊆ ⇒I ⊆ →→I) ∧ (⌊→I⌋ ⊆ ⌊⇒I⌋ ⊆ ⌊→→I⌋)
Proof The left-most conjunct follows by straightforward rule inductions,
using Proposition 4.7. Based on this, the proof of the right-most conjunct
is essentially the same as that of Proposition 4.22, 1..
While the ensuing lemma might seem unassuming, it, in fact, establishes
the crucial proof principle that we can case-split on a β-reduction step and
consider a weak-head and an inner case.
Lemma 7.4 (→β = →I ∪ →wh) ∧ (⌊→β⌋ = ⌊→I⌋ ∪ ⌊→wh⌋)
Proof The right-most conjunct is a direct consequence of the left-most.
The proof of the ⊇-part of the left-most conjunct consists of two straightfor-
ward rule inductions in →I and →wh, respectively. The proof of the ⊆-
part is by rule induction in →β. The only non-trivial case is (@β1), for which
we are considering e1 e2, with e1 →β e1'. By I.H., we have e1 →I e1' or e1 →wh e1'.
In case e1 →I e1', we can apply (@I1). Otherwise, we can apply (@wh).
As usual, we also need to establish variable monotonicity of the intro-
duced relations.
Proposition 7.5
e →wh e' ⟹ FV(e') ⊆ FV(e) ∧ BV(e') ⊆ BV(e)
e →I e' ⟹ FV(e') ⊆ FV(e) ∧ BV(e') ⊆ BV(e)
Proof From Lemma 1.45 by Lemma 7.4.
It may be worth noting that, although →I and →wh cannot contract
the same redex (they are intensionally different, in other words), it is not
the case that →I ∩ →wh = ∅. The problem is that the latter is a point-
wise (or extensional) notion that can be broken because the β-relation can
reduce some terms to themselves, even if an actual contraction takes place.
It is, for example, well-known that we have Ω →β Ω, with Ω denoting
(λx.xx)(λx.xx). In turn, this means that we have ΩΩ →I ΩΩ as well as
ΩΩ →wh ΩΩ. Fortunately (and as it happens, we might add) we do not
need point-wise disjointness for the two relations.
7.2 (Hereditary) Semi-Standardisation
In this section, we shall pursue a slight adaptation of Takahashi's adaptation
[62] of Mitschke's proof [44]. Instead of head and a corresponding notion
of inner reduction, we base the proof on weak-head reduction [42]. This
does not affect the formal status of the proof technique but it does allow us
to reuse the results of this section when pursuing Plotkin's approach (and
it does make the proofs somewhat simpler). The main proof burden is to
show that (weak-)head redexes can be contracted before any inner redexes,
so-called semi-standardisation. As the following result (which is implicit in
Takahashi [62]) is purely abstract, we state it with generic relation names.
An exception is the use of ⇒, which we find instructive but which should not
be taken to imply that the relation must be a parallel relation; →→ is still
reflexive, transitive closure, however.
Lemma 7.6 (Takahashi) Assume ⇒b ⊆ →→b and →c ⊆ ⇒c ⊆ →→c. Then
(⇒a ⊆ →→b ; ⇒c) ∧ (⇒c ; →b ⊆ →→b ; ⇒c)  ⟹  (⇒a)* ⊆ →→b ; →→c,
where (·)* denotes reflexive, transitive closure.
Proof Please refer to Appendix F.1.
We note that the proof does not need →b to be included in ⇒b,
although this fact is not of any consequence as far as our use of the result
is concerned.
(iα1)   y ∉ Var(e)  ⟹  λx.e →y,α1 λy.e[x := y]
(Lα1)   e →y,α1 e' ∧ y ≠ x  ⟹  λx.e →y,α1 λx.e'
(Alα1)  e1 →y,α1 e1' ∧ y ∉ FV(e2)  ⟹  e1 e2 →y,α1 e1' e2
(Arα1)  e2 →y,α1 e2' ∧ y ∉ FV(e1)  ⟹  e1 e2 →y,α1 e1 e2'
wBCF(x)
wBCF(e) ∧ x ∉ BV(e)  ⟹  wBCF(λx.e)
wBCF(e1) ∧ wBCF(e2) ∧ FV(e1) ∩ BV(e2) = ∅ ∧ FV(e2) ∩ BV(e1) = ∅  ⟹  wBCF(e1 e2)
Figure 7.3: The weakly fresh-naming →α1-relation and the wBCF-predicate
7.2.1 Weak Fresh-Naming
Before proving the two properties assumed in Lemma 7.6, we will
introduce a slightly less restrictive notion of fresh-naming than →α0 that will
turn out to be needed. Identical binders are permitted in adjacent but not
in nested positions in an abstract syntax tree, and free and bound variables
are disjoint. The proofs and properties we present in this section are all
variations of proofs and properties in previous chapters.
Definition 7.7 The weakly fresh-naming →α1-relation and the correspond-
ing wBCF-predicate are defined in Figure 7.3.
Proposition 7.8
wBCF(e) ⟹ FV(e) ∩ BV(e) = ∅
e →y,α1 e' ⟹ FV(e') = FV(e) ∧ BV(e') ⊆ BV(e) ∪ {y}
wBCF/→α1 Stability
Unlike the situation with BCF, wBCF is suitably closed under substitution.
Lemma 7.9
wBCF(e_a) ∧ wBCF(e_b) ∧ (BV(e_a) ∩ Var(e_b) = ∅ ∧ BV(e_b) ∩ Var(e_a) = ∅)
⟹ wBCF(e_a[x := e_b])
Proof By rule induction in ·[· := ·]; only two cases are non-trivial.
Application Case: We are considering e_a = e1 e2, with wBCF(e_i[x := e_b]),
for i ∈ {1, 2} by I.H.. By Lemmas 1.42 and 1.43 (which are applicable
by the right-most premise), it therefore suffices to show the following
properties in order to establish wBCF(e1[x := e_b] e2[x := e_b]):
FV(e1) ∩ BV(e2) = ∅: from wBCF(e1 e2) by Proposition 7.8.
FV(e2) ∩ BV(e1) = ∅: from wBCF(e1 e2) by Proposition 7.8.
FV(e_b) ∩ BV(e_i) = ∅: follows from BV(e1 e2) ∩ Var(e_b) = ∅.
FV(e_i) ∩ BV(e_b) = ∅: follows from BV(e_b) ∩ Var(e1 e2) = ∅.
FV(e_b) ∩ BV(e_b) = ∅: from wBCF(e_b) by Proposition 7.8.
Complex Abstraction Case: We are considering λy.e[x := e_b]. In order
to apply the I.H., we first observe that we have wBCF(e) by definition.
Next, we note that BV(e) ⊆ BV(λy.e) and Var(e) ⊆ Var(λy.e) hold
straightforwardly and we have wBCF(e[x := e_b]) by the premises of
the lemma. In order to establish wBCF(λy.e[x := e_b]), we note that
Lemma 1.43 implies that it suffices to show that y ∉ BV(e) ∪ BV(e_b)
to apply the relevant wBCF-rule. The left-most of these follows by
wBCF(λy.e) and the right-most follows by BV(λy.e) ∩ Var(e_b) = ∅.
In analogy with the situation with →α0 and BCF, we can prove that →α1
and wBCF are closely related notions.
Lemma 7.10 e_a →→α1 e_a' ⟹ wBCF(e_a) ⟹ wBCF(e_a')
Proof By reflexive, transitive induction, it suffices to consider the base
case, which follows by rule induction in →y,α1.
Case (iα1): Directly from Lemma 7.9 by choice of y.
Case (Lα1): By Lemmas 1.42 and 1.43 (which are applicable by choice of
y), we can apply the I.H. to get wBCF(e') and we are done, again by
choice of y.
Application Cases: Straightforward by I.H. and Proposition 7.8.
Lemma 7.11 (wBCF) →α1 ⊆ ←α1  ∧  (wBCF) →→α1 ⊆ ←←α1
Proof The right-most conjunct follows from the left-most by a straight-
forward reflexive, transitive induction, using Lemma 7.10. The left-most
conjunct follows by rule induction in →y,α1.
Case (iα1): We are considering λx.e and, according to Proposition 1.25, 3.,
we merely have to show x ∉ Var(e[x := y]). We have x ∉ FV(e[x := y])
directly from Proposition 1.25, 2. and 4. (as x = y implies x ∉ Var(e)) and
we have x ∉ BV(e) by wBCF(λx.e), which means that we are done by
Lemma 1.43.
Case (Lα1): We are considering λx.e, with e →y,α1 e'. By I.H., we thus
have some z ∈ BV(e) such that e' →z,α1 e and we can apply the
(Lα1)-rule because of wBCF(λx.e), which implies x ≠ z.
Application Cases: By I.H. and Proposition 7.8.
Lemma 7.12 (wBCF) ==α ⊆ →→α1
Proof The inner triangle below exists by Lemma 3.10 while the extra
reduction exists by Lemma 7.11 as, clearly, →α0 ⊆ →α1. The definitional
transitivity of →→α1 completes the proof.
M_l →→α0 N ←←α0 M_r, for wBCFs M_l ==α M_r, and N →→α1 M_r by Lemma 7.11 (diagram not reproduced).
Weak Fresh-Naming and β-Reduction
Our main interest in the →α1-relation and the wBCF-predicate is the following
result from which the notions, in fact, are derived.
Lemma 7.13 e ⇒β e' ⟹ BCF(e) ⟹ wBCF(e')
Proof By rule induction in ⇒β.
Most cases: Either trivial or straightforward by I.H. and Proposition 4.10.
Case (β): We are considering (λx.e1)e2 ⇒β e1'[x := e2'], with e_i ⇒β e_i'. By I.H., we
have wBCF(e_i') while, by Proposition 4.10 and BCF((λx.e1)e2), we
have Var(e1') ∩ Var(e2') = ∅. Under these assumptions, we prove that,
indeed, wBCF(e1'[x := e2']); the proof is by rule induction in ·[· := ·]
and all cases are either trivial or straightforward by Lemmas 1.42 and
1.43 and the I.H..
Lemma 7.14  →α1 ; →wh ⊆ →wh ; →→α1  ∧  →→α1 ; →wh ⊆ →wh ; →→α1
Proof The right-most conjunct follows from the left-most by a straight-
forward reflexive, transitive induction in →→α1. The proof of the left-most
conjunct is a not-too-complicated adaptation of the proof of Lemma 4.15.
It is not crucial to the above property that the β-relation is restricted
to weak-head redexes. The point is, rather, that only one β-contraction
is performed. If several β-contractions were to be considered, we would
immediately run into the problem that the end-term below is stuck.
(λx.λy.xy)(λz.λy.z)  →β  λy.(λz.λy.z)y
7.2.2 Substitutivity
In order to fill out the remainder of the proof hierarchy in Figure 4.3, we see
that we also have substitutivity results for weak-head and inner reduction.
Lemma 7.15
1. e_a →wh e_a' ∧ (Capt_x(e_a) ∩ FV(e_b) = ∅ ∧ Capt_x(e_a') ∩ FV(e_b) = ∅)
⟹ e_a[x := e_b] →wh e_a'[x := e_b]
2. e_a →→wh e_a' ∧ (BV(e_a) ∩ FV(e_b) = ∅)
⟹ e_a[x := e_b] →→wh e_a'[x := e_b]
Proof The lower property follows from the upper by reflexive, transi-
tive induction, invoking Proposition 7.5 in the transitive case and Proposi-
tions 1.9, 3. and 7.5 in the base case. The upper property is established by a
rule induction in →wh, which is subsumed by the proof of Lemma 2.12.
Lemma 7.16
(e_a ⇒I e_a' ∧ e_b (→→wh ; ⇒I) e_b' ∧ Capt_x(e_a) ∩ FV(e_b) = ∅ ∧ Capt_x(e_a') ∩ FV(e_b') = ∅)
⟹ e_a[x := e_b] (→→wh ; ⇒I) e_a'[x := e_b']
Proof The proof is by rule induction in ⇒I. Please refer to Appendix F.2
for the details.
It is important in the above result that →→wh ; ⇒I is normalised as
stated as, otherwise, we cannot guarantee renaming-freeness because →→wh
does not respect residual theory in the sense of Section 2. The concrete man-
ifestation of the problem is the required use of Lemma 4.11 in the proof. An
informal proof does not immediately allow us to appreciate that particular
and crucial aspect of the property and it is, indeed, missing from [62].¹
7.2.3 The Proof Back-End
We are now in a position to establish the relevant versions of the premises
of Lemma 7.6, thus establishing semi-standardisation.
¹ Interestingly, though, it is present in [42], which, however, does not deal explicitly
with renaming concerns.
Figure 7.4: The administrative proof layer for decomposing parallel steps (diagram over M1 … M4 and N1 … N3, with M1 marked (BCF); relations →→α0, ⇒β, →→wh and ⇒I; not reproduced)
Lemma 7.17  (BCF) ⇒β ⊆ →→wh ; ⇒I  ∧  ⌊⇒β⌋ ⊆ ⌊→→wh⌋ ; ⌊⇒I⌋
Proof Please refer to Figure 7.4 for the proof of the right-most conjunct
based on the left-most conjunct, which, in turn, is proved by rule induction
in ⇒β.
Case (Varβ): As →→wh is reflexive, using (Var⇒I) suffices.
Case (λβ): We are considering λy.e, with e ⇒β e'. By definition, we have
λy.e ⇒I λy.e' and we are done by reflexivity of →→wh.
Case (@β): We are considering e1 e2, with e_i ⇒β e_i', for i ∈ {1, 2}. By I.H.,
e1 →→wh e ⇒I e1', for some e. By a straightforward adaptation of
Proposition 1.13, we have e1 e2 →→wh e e2 and a subsequent ⇒I-step
takes us to e1' e2', as required.
Case (β): We are considering (λx.e1)e2 ⇒β e1'[x := e2'], with e_i ⇒β e_i', for i ∈ {1, 2}. By
the I.H. applied twice, we have some e_i'', such that:
e1 →→wh e1'' ⇒I e1'   and   e2 →→wh e2'' ⇒I e2'   (7.1)
By transitivity of →→wh, we are done by the following steps:
(λx.e1)e2 →wh e1[x := e2]
→→wh e1''[x := e2]
(→→wh ; ⇒I) e1'[x := e2']
The first line follows as we have Capt_x(e1) ∩ FV(e2) = ∅ by BCF-
initiality. The second line follows by Lemma 7.15, 2., again by BCF-
initiality. The third line follows by Lemma 7.16, applied to Propo-
sitions 1.9, 3. and 7.5 by BCF-initiality. The lemma can be invoked
according to Lemma 4.11 applied to the premises of the case, e_i ⇒β e_i',
which (7.1) does not state.
Figure 7.5: The administrative proof layer for parallelising weak-head after inner (three diagrams over M1 … M7 and N1 … N3, with nodes marked (BCF) and (wBCF); relations →→α0, ⇒I, →wh and →→wh; not reproduced)
The use of BCF-initiality in the left-most conjunct above guarantees that
weak-head redexes can be contracted without waiting for the contraction of
an inner redex to eliminate a variable clash.
Lemma 7.18  (BCF) ⇒I ; →wh ⊆ →→wh ; ⇒I  ∧  ⌊⇒I⌋ ; ⌊→wh⌋ ⊆ ⌊→→wh⌋ ; ⌊⇒I⌋
Proof Please refer to Figure 7.5 for the proof of the right-most conjunct
based on the left-most. We first note that the top part of the figure invokes
the obvious adaptation of Lemma 4.15 to ⇒I. Although the proof as
a whole is similar to that of η-over-β-postponement, cf. Lemma 6.12, we
do not have that ⇒I preserves BCFs, as is the case for ⇒η. Instead,
Lemma 7.13 shows that ⇒I sends BCFs to wBCFs, which is crucial to
the middle part of the figure that also uses Lemma 7.12. The final part of
the figure is comprised of invocations of Lemmas 7.14 and 1.34, as well as
the left-most conjunct of the present lemma, which, in turn, follows by rule
induction in ⇒I.
Case (Var⇒I): No ensuing →wh-step is possible.
Case (@⇒I): We are considering e1 e2, with e1 ⇒I e1' and e2 ⇒β e2', and
we case-split on the ensuing →wh-rule:
Sub-case (βwh): We see that we are, in fact, considering e1 = λx.e0,
with e0 ⇒β e0', such that (λx.e0')e2' →wh e0'[x := e2']. But, this
is just the (β)-rule and we are done.
Sub-case (@wh): We are considering e1' e2' →wh e1'' e2', with e1' →wh e1''.
By I.H., we have e1 (→→wh ; ⇒I) e1'' and we are done using (@⇒I).
Case (λ⇒I): No ensuing →wh-step is possible.
Lemma 7.19 (Semi-Standardisation)  ⌊→→β⌋ ⊆ ⌊→→wh⌋ ; ⌊→→I⌋
Proof By Lemma 7.6 applied to Lemmas 7.17 and 7.18, using also Propo-
sitions 4.7 and 7.3.
At this point, the idea is to case-split on the ⌊→→I⌋ in Lemma 7.19 and show
that the sub-terms in which the outgoing →→I-steps are ordinary β-steps
themselves can be semi-standardised, and so on. Unfortunately, the ⌊→→I⌋ is
quantified over α-equivalence classes, for which it by no means is obvious
whether we can perform the required case-splitting. We have found no
satisfactory formal solution to this impasse and consider it unlikely that one
exists.
7.3 Absorptive Weak-Head Standardisation
Plotkin [53] defines standardisation as the least contextually-closed relation
on terms that enjoys left-absorptivity over weak-head reduction, cf. [42]:
e →wh e' ∧ e' ⇝P e''  ⟹  e ⇝P e''
x ⇝P x
e1 ⇝P e1' ∧ e2 ⇝P e2'  ⟹  e1 e2 ⇝P e1' e2'
e ⇝P e'  ⟹  λx.e ⇝P λx.e'
Figure 7.6: Failed admin. proof layer for progression standardisation (two diagrams over M1 … M7 and N1, N2, N2^a, N2^b, N3, with nodes marked (BCF) and (wBCF); relations →→α0, →β and ⇝P; not reproduced)
7.3.1 Failure of the Naive Approach
This approach is, however, not likely to succeed in a formal setting as it
stands because we are trying to prove that all β-reductions (i.e., ⌊→β⌋, not
just →β) can be standardised. The problem is that the above relation is
renaming-free, which we have seen that the λ-calculus is not. The problem
manifests itself in the required administrative proof layer for the standard-
isation property and its exact nature is of independent interest. The point
is that, even if it is possible to prove the following property (which, in fact,
seems to be the case²), we cannot prove full standardisation but at most
standardisation of the renaming-free fragment of the λ_var-calculus.
(BCF) →β ; ⇝P ⊆ ⇝P
Please refer to Figure 7.6 for two failed approaches to the administrative
proof layer for the following property.
⌊→β⌋ ; ⇝P ⊆ ⇝P
The left-most diagram in the figure attempts to align itself with Figure 6.2,
which fails because ⇝P only commutes with one direction of →→α0. The right-most di-
agram adheres to this and fails because of the inserted →→α0, which we
² Coincidentally, it is interesting to note that the proof of the property can only be
conducted by rule induction in ⇝P and not in →β.
cannot incorporate into Lemma 7.25. It is even straightforward to come up
with a counter-example.
(λs.ss)(λx.λy.xy)  →β  (λx.λy.xy)(λx.λy.xy)
We can turn the end-term into an α-equivalent BCF, as it happens, which
standardises:
(λx1.λy1.x1y1)(λx2.λy2.x2y2)  ⇝P  λy1.λy2.y1y2
As the end-term of this step uses the two y copies nested within each other,
we see that the original start term does not standardise to it.
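The counter-example above, together with the η-over-β postponement example and the non-commuting term (λy.λx.yx)x of Chapter 6 and the weak-head/inner split of a β-step and the ΩΩ remark of Section 7.1, can be replayed mechanically. The following Python program is an added example and is not part of the thesis or of any formalisation it describes; its term encoding, the function names and the `rename` flag are this example's own conventions. With `rename=True` substitution is capture-avoiding; with `rename=False` it is the renaming-free substitution of the thesis's syntactic level, which is what makes the counter-examples bite.

```python
import itertools

# Terms: a variable is a str, ('lam', x, body) an abstraction, ('app', f, a) an application.
def Lam(x, body): return ('lam', x, body)
def App(f, a): return ('app', f, a)
def is_lam(t): return isinstance(t, tuple) and t[0] == 'lam'
def is_app(t): return isinstance(t, tuple) and t[0] == 'app'

def fv(t):
    """Free variables of t."""
    if isinstance(t, str): return {t}
    if is_lam(t): return fv(t[2]) - {t[1]}
    return fv(t[1]) | fv(t[2])

def fresh(base, avoid):
    """First of base1, base2, ... that is not in avoid."""
    return next(f"{base}{i}" for i in itertools.count(1) if f"{base}{i}" not in avoid)

def subst(t, x, s, rename=True):
    """t[x := s].  rename=True renames apart a binder that would capture a free
    variable of s; rename=False is the renaming-free substitution of the thesis."""
    if isinstance(t, str): return s if t == x else t
    if is_app(t): return App(subst(t[1], x, s, rename), subst(t[2], x, s, rename))
    y, b = t[1], t[2]
    if y == x: return t
    if rename and y in fv(s) and x in fv(b):
        z = fresh(y, fv(b) | fv(s) | {x})
        y, b = z, subst(b, y, z, rename)      # z is fresh, so this renaming is capture-free
    return Lam(y, subst(b, x, s, rename))

def beta_wh(t, rename=True):
    """One weak-head β-step (Figure 7.1) or None: never under a λ or in an argument."""
    if not is_app(t): return None
    f, a = t[1], t[2]
    if is_lam(f): return subst(f[2], f[1], a, rename)
    r = beta_wh(f, rename)
    return None if r is None else App(r, a)

def beta_inner(t, rename=True):
    """One inner β-step (Figure 7.2) or None: never the head redex."""
    if isinstance(t, str): return None
    if is_lam(t):
        r = beta(t[2], rename)
        return None if r is None else Lam(t[1], r)
    f, a = t[1], t[2]
    r = beta_inner(f, rename)
    if r is not None: return App(r, a)
    r = beta(a, rename)
    return None if r is None else App(f, r)

def beta(t, rename=True):
    """One β-step, leftmost-outermost: weak-head if possible, else inner (Lemma 7.4)."""
    r = beta_wh(t, rename)
    return r if r is not None else beta_inner(t, rename)

def eta(t):
    """One η-step, leftmost-outermost (λx.e x → e when x ∉ FV(e)), or None."""
    if isinstance(t, str): return None
    if is_lam(t):
        x, b = t[1], t[2]
        if is_app(b) and b[2] == x and x not in fv(b[1]): return b[1]
        r = eta(b)
        return None if r is None else Lam(x, r)
    r = eta(t[1])
    if r is not None: return App(r, t[2])
    r = eta(t[2])
    return None if r is None else App(t[1], r)

def normalise(t, step, limit=100):
    """Iterate a one-step reducer until it returns None."""
    for _ in range(limit):
        r = step(t)
        if r is None: return t
        t = r
    raise RuntimeError("no normal form within the step limit")

def beta_then_eta(t, rename=True):   # the order that η-over-β postponement guarantees
    return normalise(normalise(t, lambda u: beta(u, rename)), eta)

def eta_then_beta(t, rename=True):
    return normalise(normalise(t, eta), lambda u: beta(u, rename))

def alpha_eq(t, u, env=()):
    """α-equivalence: bound variables compared by binder position, free ones by name."""
    if isinstance(t, str) or isinstance(u, str):
        if not (isinstance(t, str) and isinstance(u, str)): return False
        for a, b in reversed(env):
            if t == a or u == b: return t == a and u == b
        return t == u
    if t[0] != u[0]: return False
    if is_lam(t): return alpha_eq(t[2], u[2], env + ((t[1], u[1]),))
    return alpha_eq(t[1], u[1], env) and alpha_eq(t[2], u[2], env)

# Constructed inputs: the terms discussed in the text.
OMEGA = App(Lam('x', App('x', 'x')), Lam('x', App('x', 'x')))            # Ω
POSTPONE = App(Lam('y', App(Lam('x', 'x'), 'y')), 'z')                  # (λy.(λx.x)y)z
CLASH = App(Lam('y', Lam('x', App('y', 'x'))), 'x')                     # (λy.λx.yx)x
STD = App(Lam('s', App('s', 's')), Lam('x', Lam('y', App('x', 'y'))))   # (λs.ss)(λx.λy.xy)
STD_BCF_NF = Lam('y1', Lam('y2', App('y1', 'y2')))                      # λy1.λy2.y1y2

if __name__ == '__main__':
    print(beta_then_eta(POSTPONE), eta_then_beta(CLASH), beta_then_eta(CLASH, rename=False))
    print(alpha_eq(normalise(STD, beta), STD_BCF_NF),
          alpha_eq(normalise(STD, lambda u: beta(u, rename=False)), STD_BCF_NF))
```

Running it shows that (λy.(λx.x)y)z reaches z in either order; that (λy.λx.yx)x reaches x via η then β, and via β then η only with renaming (renaming-free, the β-step yields λx.xx, from which no η-step leads to x); that ΩΩ is reduced to itself both by a weak-head step and by an inner step, as the remark in Section 7.1 says; and that (λs.ss)(λx.λy.xy) β-normalises with renaming to a term α-equivalent to λy1.λy2.y1y2, whereas renaming-free reduction produces the captured λy.λy.yy.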
7.3.2 Combining Term Structure and α-Collapsed Reduction
In order to avoid the above problems, we adapt Plotkin's original definition
slightly.
Definition 7.20
(wh-prefix)  ⌊e⌋ →→wh ⌊e'⌋ ∧ e' ⇝wh e''  ⟹  e ⇝wh e''
(Var⇝wh)    x ⇝wh x
(Appl⇝wh)   e1 ⇝wh e1' ∧ e2 ⇝wh e2'  ⟹  e1 e2 ⇝wh e1' e2'
(Abstr⇝wh)  e ⇝wh e'  ⟹  λx.e ⇝wh λx.e'
The above definition mixes the advantages of being able to define rela-
tions inductively over terms with the use of reduction in the real λ-calculus
to avoid issues of renaming. Note, however, that, further to Section 1.3, it
is by no means obvious whether this mixture will lend itself to PPP^VN_FOAS-
reasoning. The proof-technical issue surfaces in the (Abstr⇝wh)-case of the
proof of Lemma 7.22.
Lemma 7.21  ⌊⇒I⌋ ; ⌊→→wh⌋ ⊆ ⌊→→wh⌋ ; ⌊⇒I⌋
Proof This is property (F.2) in the proof, cf. Appendix F.1, of Takahashi's
Lemma 7.6, given that we have Lemmas 7.17 and 7.18.
Figure 7.7: The administrative proof layer for Lemma 7.22, case (Abstr⇝wh) (diagram over λy.e1, λy'.e1', λy'.e2', λx.e2, λx.e3, λx.e0 and λx.e0'; relations ==α, →→α0, ⇒I, →→wh and ⇝wh; not reproduced)
The key technical lemma in the present standardisation proof develop-
ment is the following absorption property.
Lemma 7.22 ⌊e1⌋ ⇒I ⌊e2⌋ ∧ e2 ⇝wh e3 ⟹ e1 ⇝wh e3
Proof The proof is by rule induction in ⇝wh.
Case (wh-prefix): Directly from Lemma 7.21 and an application of the in-
duction hypothesis.
Case (Var⇝wh): By Lemma 3.30 and Definitions 7.1 and 7.20, we are con-
sidering e1 = e2 = e3 = x. We are, therefore, straightforwardly done.
Case (Appl⇝wh): By Lemma 3.30 and Definition 7.1, we are considering
⌊e_a e_b⌋ ⇒I ⌊e_a' e_b'⌋ because ⌊e_a⌋ ⇒I ⌊e_a'⌋ and ⌊e_b⌋ ⇒β ⌊e_b'⌋. By
I.H., we immediately have, in the notation of Definition 7.20, that
e_a ⇝wh e1'. For e_b, we can invoke Lemma 7.17 to conclude that
⌊e_b⌋ →→wh ⌊e_b''⌋ ⇒I ⌊e_b'⌋. We first note that we, in the notation of
Definition 7.20, have e_b'' ⇝wh e2' by I.H., which means that we can
conclude e_b ⇝wh e2' by using the (wh-prefix)-rule. A final application
of the (Appl⇝wh)-rule thus finishes the case.
Case (Abstr⇝wh): By Lemma 3.30 and Definitions 7.1 and 7.20, we are
considering the following situation.
λy.e1 ==α λy'.e1' ⇒I λy'.e2' ==α λx.e2 ⇝wh λx.e3
By Definition 7.1 and the case, we have e1' ⇒β e2' and e2 ⇝wh e3.
In case y' = x, we have from Lemma 3.32 that e2' ==α e2, which means
that we are considering ⌊e1'⌋ ⇒β ⌊e2⌋ ⇝wh e3, so to speak. From
Lemma 7.17, we thus have: ⌊e1'⌋ →→wh ⌊e1''⌋ ⇒I ⌊e2⌋ ⇝wh e3. An
application of the I.H. and an invocation of the (wh-prefix)-rule will
then give us that e1' ⇝wh e3 and we have λx.e1' ⇝wh λx.e3 by the
(Abstr⇝wh)-rule. A final (reflexive) application of the (wh-prefix)-rule
thus finishes the case: λy.e1 ⇝wh λx.e3. Unfortunately, we are not
guaranteed that y' = x. Instead, Figure 7.7 shows how to overcome
this using our general administrative proof-layer technology, cf. Fig-
ure 4.3. Based on the upper line, we first rewrite λy'.e1' to (the BCF)
λx.e0 by, e.g., applying Lemma 3.24 twice, cf. Lemma 3.22. The com-
muting square involving λx.e0' can then be constructed by the obvious
adaptation of Lemma 4.15 and the diagram can nally be closed by
Lemma 1.34. To show that y.e
1
~
wh
-standardises to x.e
3
, rst
apply the reasoning above to show that x.e
0
does and, then, use the
(wh-prex)-rule reexively to show the result we are after.
Theorem 7.23 e_1| →→_β e_2| ⇒ e_1 ~_wh e_2

Proof By reflexive, left-transitive induction in →→_β. The reflexive case is a straightforward structural induction. The left-transitive case follows by an I.H.-application followed by a case-split on the considered →_β-step, cf. Lemma 7.4. In case of →_wh, we are done by definition of ~_wh. In case of →_I, we are done by Lemma 7.22, cf. Proposition 7.3. □
7.4 (Failing) Progression Standardisation

An alternative proof development for standardisation was proposed by David [10] and pursued, more or less independently, in [29, 31, 37]. The idea is to define a standardisation relation directly by induction over terms (although this is only done implicitly in [10]): ~_prg, and to show that this relation right-absorbs the ordinary β-relation. In that sense, the proof development is the dual approach to what we considered in the previous section. Informally, the key technical point is to contract terms as follows, cf. [29, 37]:³

    (..(e[x := e_0]e_1)..)e_k ~_prg e′
    ----------------------------------
    (..((λx.e)e_0)e_1..)e_k ~_prg e′

This ensures that contraction progresses from left-to-right while at the same time allowing newly created redexes to be contracted. Other rules allow redexes not to be contracted as the relation otherwise would be left-most reduction.

7.4.1 Right-Absorptivity

As mentioned, the key technical lemma is purported to show right-absorptivity of ~_prg over →_β, which appears to be straightforward, at least in the case of the above contraction rule [10, 29, 31, 37].

Non-Lemma 7.24 [commutative diagram: (BCF) ~_prg right-absorbs →_β]

³ In order for the relation to make sense in the current setting, it is necessary to supply it with a finite axiomatisation, which can be done.
Unfortunately, not even the BCF-initial version of the property is true. The following is a counter-example.

    (λs.ss)(λx.(λy.xy)z) ~_prg (λy.(λx.xz)y)z →_β (λy.yz)z

The problem in the counter-example is the last step of the standardisation, which amounts to the contraction of the redex involving the inner y-abstraction below.

    (λy.(λx.(λy.xy)z)y)z

As it happens, this is the point where the considered →_β-step (i.e., the contraction of the redex involving the x-abstraction) must be inserted but that is not possible because of a clash with the inner y-abstraction.
7.4.2 Left-Absorptivity

In sharp contrast to the above, it turns out that it is possible to prove left-absorptivity:

Lemma 7.25 [commutative diagram: (BCF) ~_prg left-absorbs →_β]

Proof By rule induction in ~_prg (not in →_β!). □

The difference between right- and left-absorptivity is that the universal quantification over ~_prg covers far fewer steps in the latter case than in the former. This, of course, manifests itself when trying to prove standardisation for the real λ-calculus, cf. Section 7.3.1 and Figure 7.6, in particular.

Non-Lemma 7.26 [commutative diagram: ~_prg left-absorbs →_β, without the BCF guard]

The following is a counter-example.

    (λs.ss)(λx.λy.xy) →_β (λx.λy.xy)(λx.λy.xy)

We can turn the resulting term into an α-equivalent BCF, as it happens, which standardises:

    (λx_1.λy_1.x_1y_1)(λx_2.λy_2.x_2y_2) ~_prg λy_1.λy_2.y_1y_2

As the resulting term of this step uses the two y copies nested within each other, it is straightforward to see that the original start term does not standardise to it (without renaming).
Part IV
End Matter
Conclusion

By using structural proof principles only, we have proved the relative renaming freeness of -residual theory (Theorem 2.17), decidability of α-equivalence (Theorem 3.29), -confluence (Theorem 4.23), -confluence (Theorem 4.35), -confluence (Theorem 4.38), -residual completion (Lemma 5.6) aka strong weakly-finite -development (Lemma 5.13), residual -confluence (Theorem 5.7), -over- postponement (Theorem 6.13), and β-standardisation (Theorem 7.23), along with a range of supporting lemmas, including results that establish the equivalence of our, Curry's, and Hindley's presentations of the λ-calculus as well as the usual notions of substitution and substitutivity lemmas.

Standard, informal practice in the programming language theory community when using structural induction and related proof principles is to assume that variable clashes are not an issue (aka Barendregt's Variable Convention). We have shown this to be formally correct for a wide range of properties, possibly up to BCF-initiality: Lemmas 2.15, 2.16, 4.14, 4.34, 4.36, 6.10, 7.17, 7.18, and 7.22. We also presented general results that suggest that the considered proof principles are formally applicable for the full residual theory of -reduction and for all of - and -reduction (Theorem 2.17, Lemmas 1.33, and 4.33, respectively).

Drawing parallels to informal practice, we stressed that the established properties are formally weaker than the results they attempt to establish. Subsequently we therefore showed that, for the most part, the full proof burden of the considered properties can be met formally by the addition of a fairly simple administrative proof layer, cf. Figures 4.4, 4.9, 4.10, 5.1, 6.2, 7.4, and 7.5. Of wider relevance, we observed that the administrative proof layers mostly rely on the same additional lemmas, thus preventing a blow-up of the overall proof obligations for a particular language.

Finally, we showed that at least in the cases of decidability, standardisation, and residual confluence, standard informal practice misses some rather important details. Through various means, including the introduction of constructively-flavoured Some/Any (Lemma 3.26, see also Figure 7.7) and residual-completion properties (Lemma 5.6), we were able to present formal, concise proofs for these results, as well.
Formalisation Work
As mentioned in the Preface, some of the presented results have been formally verified in Isabelle/HOL [48] by James Brotherston, under the supervision of the thesis author [6, 65, 66, 67, 68]. This means that those results have been shown to be correct in a strict algebraic sense and, moreover, have been verified to be provable by structural means, as claimed.

The first result we formalised was -confluence. It was done through Lemma 4.21 all the way to the first two conjuncts of Theorem 4.23 [6, 65, 68]. Starting with hand-written proofs, the formalisation work took 9 weeks and required approximately 4000 lines of Isabelle/HOL proof scripts. A non-negligible part of the time was spent learning Isabelle/HOL and mechanised theorem proving in general. Later we formalised the results in Chapter 2 [6, 66, 67]. The cost for this was roughly 1 week and 1500 lines of Isabelle/HOL code. The speed-up in the process was predominantly due to the fact that the results below the Substitutivity Lemmas layer in Figure 4.3 in this case basically could be obtained by a simple replay strategy of the proof scripts of the first project, while explicitly handling the minor definitional differences between the two set-ups by hand. As the structure of the thesis makes clear, we therefore have very good reason to believe that all the results we present can be formally verified. We also have direct evidence for our claim that there will not be a massive blow-up in lower-layer proof obligations, cf. Figure 4.3, when considering several properties of a programming language.

Our proof scripts are mainly brute-force tactics that invoke PPP^FOAS_VN directly. The reason for this is two-fold: (i) we set out to verify that PPP^FOAS_VN, indeed, are applicable as claimed, but once we had convinced ourselves of this, we continued with the brute-force approach because (ii) Isabelle/HOL's more speculative proof scripts, that allow for proof automation, generally failed to terminate. We believe the main reason to be the heavily conditioned proof goals we are considering; after all case-splittings in a proof have been performed, we are typically dealing with more than a dozen assumptions [6]. The problem with premises is that the proof search space grows factorially in their amount, which is reflected in the large amount of proof-script invocations we made that rotate premises so as to allow our proofs to proceed by the right induction. We should note, however, that it is entirely possible that a more experienced Isabelle/HOL user could have had more success in getting Isabelle/HOL to help out by, e.g., giving it the right clues before attempting an automated proof task.

It is our firm opinion that the proofs of this thesis contain so many subtle details that without their formalisation, the justification for the work would be partly gone. More generally speaking, we believe that the style of proof formalisation that we have presented here is important (i) to avoid the pitfalls of routine (and fallible) thinking and (ii) to clarify exactly what the key cases of a proof are and what their exact importance is.
Appendix A
Commutative Diagrams
We use commutative diagrams in three different ways, which can be distinguished in their notation for vertices.

Vertices as Terms

When written with terms as vertices, commutative diagrams simply describe reduction scenarios.

Vertices as ●s, ○s

Formally, a commutative diagram of this nature is a set of vertices and a set of directed edges between pairs of vertices. Informally, the colour of a vertex (● vs ○) denotes quantification modes over terms, universal and existential, respectively. A vertex may be guarded by a predicate. Edges are written as the relational symbol they pertain to and are either dark-coloured (black) or light-coloured (gray). Informally, the colour indicates assumed and concluded relations, respectively. An edge connected to a ○ must be light-coloured. A diagram must be type-correct on domains. A property is read off of a diagram thus:

1. write universal quantifications for all ●s
2. assume the dark-coloured relations and the validation of any guarding predicate for a ●
3. conclude the guarded existence of all ○s and their relations

The following diagram and property are thus equivalent.

[Commutative diagram: vertex e_1 guarded by (P), with edges to e_2 and e_3, closed by vertex e_4 guarded by (Q)]

    e_1 → e_2 ∧ e_1 → e_3 ∧ P(e_1) ⇒ ∃e_4. e_2 → e_4 ∧ e_3 → e_4 ∧ Q(e_4)

Vertices as Ms, Ns

As we saw, commutative diagrams are used to express rewriting predicates such as:

    For all terms, such that, . . . , there exist terms, such that, . . . .

In order to prove these results, we start by writing Ms for the universally quantified terms and gradually introduce Ns from supporting lemmas to eventually substantiate the existence claims. Please note that we use to signify claimed existences that are impossible.
Appendix B
Proofs for Chapter 1
B.1 Diamond Tiling Lemma

Lemma (◇_2 ∧ →_1 ⊆ →_2 ⊆ →→_1) ⇒ Con(→_1)

Proof Assume the premise. We first prove the following property by reflexive, transitive induction in →→_1.

[Commutative diagram (B.1): a →_2 step against a →→_1 reduction, closed by →→_1 and →_2]

Base Case: We are considering M →_1 M_1 and M →_2 M_2. By assumption, we also have M →_2 M_1. By (◇_2), we have an N, such that, M_i →_2 N for i ∈ {1, 2}. We are therefore done by →_2 ⊆ →→_1.

[Commutative diagram: M, M_1, M_2, N with the →_1, →_2 and →→_1 edges just described]

Reflexive Case: Straightforward.

Transitive Case: By two I.H.-applications and transitivity of →→_1:

[Commutative diagram: M_1, M_2, M_3, N_1, M_4, N_2 with →_2 and →→_1 edges]

With (B.1) in place, we address the conclusion of the lemma by reflexive, transitive induction in one of the diverging →→_1.
172 APPENDIX B. PROOFS: THE STRUCT. OF THE -CALCULUS
Base Case: We are considering the Ms below. By assumption, we have M →_2 M_2, which means that we have the considered N by (B.1). By assumption, we also have M_1 →→_1 N and we are done.

[Commutative diagram: M, M_1, M_2, N with →_1, →_2 and →→_1 edges]

Reflexive Case: Straightforward.

Transitive Case: By two I.H.-applications and transitivity of →→_1:

[Commutative diagram: M_1, M_2, M_3, M_4, N_1, N_2 with →→_1 edges]

□
B.2 Hindley-Rosen Lemma

Lemma [commutative diagram: →_2 against →_1, closed by →→_1 and →→_2] ⇒ [commutative diagram: →→_2 against →→_1, closed by →→_1 and →→_2]

Proof Assume the premise. We first prove the following property by reflexive, transitive induction in →→_1.

[Commutative diagram (B.2): →_2 against →→_1, closed by →→_1 and →→_2]

Base Case: We are done by assumption.

Reflexive Case: Straightforward.

Transitive Case: Either by two I.H.-applications or, in case M_3 = N_1, by just one as well as by transitivity of →→_1:

[Commutative diagram: M_1, M_2, M_3, N_1, M_4, N_2 with →_2, →→_1 and →→_2 edges]

With (B.2) in place, we address the conclusion of the lemma by reflexive, transitive induction in →→_2.

Base Case: By (B.2):

[Commutative diagram: M, M_1, M_2, N with →_2, →→_1 and →→_2 edges]

Reflexive Case: Straightforward.

Transitive Case: By two I.H.-applications and transitivity of →→_2:

[Commutative diagram: M_1, M_2, M_3, M_4, N_1, N_2 with →→_1 and →→_2 edges]

□
B.3 Commuting Confluence Lemma

Lemma [commutative diagram: →→_1 against →→_2, closed by →→_2 and →→_1] ∧ Con(→_1) ∧ Con(→_2) ⇒ Con(→_{1,2})

Proof Assume the premises. We first prove the following property by reflexive, transitive induction in →→_{1,2}.

[Commutative diagram (B.3): →_{1,2} against →→_{1,2}, closed by →→_{1,2} on both sides]

Base Case: We case split on the divergence combinations.

Sub-case →_1/→_1: We are done by Con(→_1) and Proposition 1.11.

Sub-case →_2/→_2: Analogous to the previous case.

Sub-case →_1/→_2: We are done by the left-most premise and Proposition 1.11.

Reflexive Case: Straightforward.

Transitive Case: By two I.H.-applications and transitivity of →→_{1,2}:

[Commutative diagram: M_1, M_2, M_3, N_1, M_4, N_2 with →_{1,2} and →→_{1,2} edges]

Next, we prove Con(→_{1,2}) by reflexive, transitive induction in →→_{1,2}.

Base Case: By (B.3).

Reflexive Case: Straightforward.

Transitive Case: By two I.H.-applications and transitivity of →→_1:

[Commutative diagram: M_1, M_2, M_3, M_4, N_1, N_2 with →→_{1,2} edges]
B.4 Substitution and Free Variables

Lemma 1.42 Capt_x(e_a) ∩ FV(e_b) = ∅ ⇒
FV(e_a[x := e_b]) = { FV(e_a) if x ∉ FV(e_a); (FV(e_a) \ {x}) ∪ FV(e_b) if x ∈ FV(e_a) }

Proof We first remark that Proposition 1.25, 2 establishes the top-most clause trivially. We, therefore, assume x ∈ FV(e_a) ∧ Capt_x(e_a) ∩ FV(e_b) = ∅ and proceed to prove the second clause by rule induction in the substitution relation, cf. Section 1.6.1.

Variable Cases: By assumption, the variable name is x and we are straightforwardly done by definition unravelling.

Application Case: We have e_a ≡ e_1 e_2 and, thus, by definition:

    FV((e_1 e_2)[x := e_b]) = FV(e_1[x := e_b] e_2[x := e_b])
                            = FV(e_1[x := e_b]) ∪ FV(e_2[x := e_b])

We first remark that Capt_x(e_i) ∩ FV(e_b) = ∅ holds for i ∈ {1, 2} by definition, which means we are free to apply the I.H. to e_i in case x ∈ FV(e_i). We proceed by a case-split on x:

Sub-case x ∉ FV(e_1) ∧ x ∉ FV(e_2): Not possible as x ∈ FV(e_a).

Sub-case x ∈ FV(e_1) ∧ x ∉ FV(e_2): The first equality below follows by an application of the I.H. alongside an invocation of the first clause in the considered property. The second equality follows by the right-most conjunct of the sub-case.

    FV((e_1 e_2)[x := e_b]) = (FV(e_1) \ {x}) ∪ FV(e_b) ∪ FV(e_2)
                            = ((FV(e_1) ∪ FV(e_2)) \ {x}) ∪ FV(e_b)
                            = (FV(e_a) \ {x}) ∪ FV(e_b)

Sub-case x ∉ FV(e_1) ∧ x ∈ FV(e_2): Analogous to the above sub-case.

Sub-case x ∈ FV(e_1) ∧ x ∈ FV(e_2): In analogy with above, we have:

    FV((e_1 e_2)[x := e_b]) = (FV(e_1) \ {x}) ∪ FV(e_b) ∪ (FV(e_2) \ {x}) ∪ FV(e_b)
                            = ((FV(e_1) ∪ FV(e_2)) \ {x}) ∪ FV(e_b)
                            = (FV(e_a) \ {x}) ∪ FV(e_b)

(Strict) Abstraction Case: We are considering e_a ≡ λy.e_0. By the assumption that x ∈ FV(λy.e_0), we see that we have the following:

    Capt_x(e_0) ∩ FV(e_b) ⊆ Capt_x(λy.e_0) ∩ FV(e_b) = ∅

As we (obviously) also have x ∈ FV(e_0), we can apply the I.H. to get: FV(e_0[x := e_b]) = (FV(e_0) \ {x}) ∪ FV(e_b), and thus:

    FV(e_a[x := e_b]) = FV((λy.e_0)[x := e_b])
                      = FV(λy.e_0[x := e_b])
                      = FV(e_0[x := e_b]) \ {y}
                      = ((FV(e_0) \ {x}) ∪ FV(e_b)) \ {y}
                      = ((FV(e_0) \ {y}) \ {x}) ∪ FV(e_b)
                      = (FV(λy.e_0) \ {x}) ∪ FV(e_b)

The penultimate equation holds because y ∈ Capt_x(λy.e_0) implies that y ∉ FV(e_b), seeing that we have assumed Capt_x(λy.e_0) ∩ FV(e_b) = ∅.

(Lazy) Abstraction Case: We are considering e_a ≡ λy.e_0 and we see that the case is not possible under the current assumptions. In the case of the left-most disjunct of the premise of the rule, the contradiction is with x ∈ FV(e_a), while for the right-most disjunct (conjoined with the negation of the left-most disjunct), a contradiction arises as y ∈ Capt_x(e_a) ∩ FV(e_b) ≠ ∅.

□
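The definitions the proofs above rely on (FV, Capt_x, and first-order substitution with its (Strict) and (Lazy) abstraction cases), executed on constructed terms to check the equation of Lemma 1.42 and to replay the variable clash behind Non-Lemma 7.24 in Section 7.4.1. This is an added Python example, not code from the thesis or its Isabelle/HOL formalisation; the function names (fv, capt, subst, lemma_1_42, beta_root, clash_report) and the sample terms are ours.

```python
# Added example (not from the thesis): first-order substitution over one-sorted
# variable names, as described in Appendix B. All helper names are our own.
from __future__ import annotations
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    fun: Term
    arg: Term


@dataclass(frozen=True)
class Abs:
    binder: str
    body: Term


Term = Union[Var, App, Abs]


def show(e: Term) -> str:
    """Print a term in the thesis's juxtaposition syntax, e.g. (λy.xy)z."""
    if isinstance(e, Var):
        return e.name
    if isinstance(e, Abs):
        return f"λ{e.binder}.{show(e.body)}"
    fun = f"({show(e.fun)})" if isinstance(e.fun, Abs) else show(e.fun)
    arg = show(e.arg) if isinstance(e.arg, Var) else f"({show(e.arg)})"
    return fun + arg


def fv(e: Term) -> frozenset[str]:
    """FV(x) = {x}; FV(e1 e2) = FV(e1) ∪ FV(e2); FV(λy.e0) = FV(e0) \\ {y}."""
    if isinstance(e, Var):
        return frozenset({e.name})
    if isinstance(e, App):
        return fv(e.fun) | fv(e.arg)
    return fv(e.body) - {e.binder}


def capt(x: str, e: Term) -> frozenset[str]:
    """Capturing variables of x in e: binders whose scope holds a free x.
    Capt_x(λy.e0) = Capt_x(e0) ∪ {y} if x ∈ FV(λy.e0), else ∅ (Prop. 1.8)."""
    if isinstance(e, Var):
        return frozenset()
    if isinstance(e, App):
        return capt(x, e.fun) | capt(x, e.arg)
    if x in fv(e):
        return capt(x, e.body) | {e.binder}
    return frozenset()


def subst(ea: Term, x: str, eb: Term) -> Term:
    """e_a[x := e_b] without renaming. At λy.e0 the substitution goes through
    only if y ≠ x and y ∉ FV(e_b) (Strict); otherwise it is discarded (Lazy)."""
    if isinstance(ea, Var):
        return eb if ea.name == x else ea
    if isinstance(ea, App):
        return App(subst(ea.fun, x, eb), subst(ea.arg, x, eb))
    if ea.binder != x and ea.binder not in fv(eb):      # (Strict)
        return Abs(ea.binder, subst(ea.body, x, eb))
    return ea                                           # (Lazy)


def lemma_1_42(ea: Term, x: str, eb: Term) -> tuple[bool, bool]:
    """(premise Capt_x(e_a) ∩ FV(e_b) = ∅ holds, equation of Lemma 1.42 holds)."""
    premise = not (capt(x, ea) & fv(eb))
    lhs = fv(subst(ea, x, eb))
    rhs = fv(ea) if x not in fv(ea) else (fv(ea) - {x}) | fv(eb)
    return premise, lhs == rhs


def beta_root(redex: Term) -> Term:
    """Contract a root redex (λx.e)e' to e[x := e'] with first-order substitution."""
    if not (isinstance(redex, App) and isinstance(redex.fun, Abs)):
        raise ValueError("not a β-redex at the root")
    return subst(redex.fun.body, redex.fun.binder, redex.arg)


# Constructed terms. X_REDEX is the x-redex (λx.(λy.xy)z)y inside the
# Non-Lemma 7.24 term (λy.(λx.(λy.xy)z)y)z.
X, Y, Z = Var("x"), Var("y"), Var("z")
LAM_Y_XY = Abs("y", App(X, Y))          # λy.xy
INNER = App(LAM_Y_XY, Z)                # (λy.xy)z
X_REDEX = App(Abs("x", INNER), Y)       # (λx.(λy.xy)z)y


def clash_report() -> dict:
    """Contracting X_REDEX must push y for x under λy; (Lazy) refuses because
    y ∈ FV(y), the side condition of Lemma 1.42 fails and x stays free."""
    result = beta_root(X_REDEX)
    return {
        "premise": not (capt("x", INNER) & fv(Y)),   # Capt_x((λy.xy)z) = {y}
        "result": show(result),                       # "(λy.xy)z": unchanged
        "x_still_free": "x" in fv(result),
    }


if __name__ == "__main__":
    print(lemma_1_42(LAM_Y_XY, "x", Z))   # (True, True)
    print(clash_report())
```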
B.5 Substitution and Capturing Variables

Lemma 1.44 Under the assumption that Capt_x(e_a) ∩ FV(e_b) = ∅, we have:

1. x = y ∧ y ∉ FV(e_b) ⇒ Capt_y(e_a[x := e_b]) = ∅

2. x ∉ FV(e_a) ∨ (x ≠ y ∧ y ∉ FV(e_b)) ⇒ Capt_y(e_a[x := e_b]) = Capt_y(e_a)

3. x ∈ FV(e_a) ∧ y ∈ FV(e_b) ⇒ Capt_y(e_a[x := e_b]) = Capt_y(e_a) ∪ Capt_x(e_a) ∪ Capt_y(e_b)

Proof

Property 1: By Lemma 1.42 and the premise, we have y ∉ FV(e_a[x := e_b]) and we are done by Proposition 1.8.

Properties 2 and 3: In the case of the left-most disjunct of the premise of 2, Proposition 1.25, 2. establishes the property immediately. Under the assumption that x ∈ FV(e_a) ∧ Capt_x(e_a) ∩ FV(e_b) = ∅, it therefore remains to be seen that, for e = e_a[x := e_b], we have:

    Capt_y(e) = { Capt_y(e_a) if x ≠ y ∧ y ∉ FV(e_b); Capt_y(e_a) ∪ Capt_x(e_a) ∪ Capt_y(e_b) if y ∈ FV(e_b) }

We proceed by rule induction in the substitution employed in e.

Variable Cases: By assumption, the considered variable name is x, hence e = e_b. For the first clause, we note that Capt_y(x) = ∅ by definition and that Capt_y(x[x := e_b]) = Capt_y(e_b) = ∅ from Proposition 1.8 by the side-condition. For the second clause, we note that Capt_y(x) ∪ Capt_x(x) = ∅ and we are trivially done.

Application Case: We are considering e_a ≡ e_1 e_2 and proceed by a case-split on x.

Sub-case x ∉ FV(e_1) ∧ x ∉ FV(e_2): Not possible as x ∈ FV(e_a).

Sub-case x ∈ FV(e_1) ∧ x ∉ FV(e_2): By Proposition 1.25, 2., we have that Capt_y(e_2[x := e_b]) = Capt_y(e_2). As the premises of the I.H. are substantiated for e_1 by the sub-case and by definition of Capt_y(e_1 e_2) further to the overall assumption of Capt_y(e_a) ∩ FV(e_b) = ∅, we can proceed by a case-split on the clauses of the considered property:
Sub²-case x ≠ y ∧ y ∉ FV(e_b): From the I.H., we are considering Capt_y(e_1[x := e_b]) = Capt_y(e_1), whence, by definition: Capt_y(e) = Capt_y(e_1) ∪ Capt_y(e_2), and we are done.

Sub²-case y ∈ FV(e_b): From the I.H., we are considering Capt_y(e_1[x := e_b]) = Capt_y(e_1) ∪ Capt_x(e_1) ∪ Capt_y(e_b). By applying Proposition 1.8, we conclude Capt_x(e_2) = ∅ and we have:

    Capt_y(e) = Capt_y(e_1) ∪ Capt_x(e_1) ∪ Capt_y(e_b) ∪ Capt_y(e_2)
              = Capt_y(e_1) ∪ Capt_x(e_1) ∪ Capt_y(e_b) ∪ Capt_y(e_2) ∪ Capt_x(e_2)
              = Capt_y(e_a) ∪ Capt_x(e_a) ∪ Capt_y(e_b)

Sub-case x ∉ FV(e_1) ∧ x ∈ FV(e_2): Analogous to the previous sub-case.

Sub-case x ∈ FV(e_1) ∧ x ∈ FV(e_2): Only sub²-case y ∈ FV(e_b) differs from the previous two sub-cases, for which we, in this sub-case, directly have that:

    Capt_y(e) = Capt_y(e_1) ∪ Capt_x(e_1) ∪ Capt_y(e_b) ∪ Capt_y(e_2) ∪ Capt_x(e_2) ∪ Capt_y(e_b)
              = Capt_y(e_a) ∪ Capt_x(e_a) ∪ Capt_y(e_b)

(Strict) Abstraction Case: We are considering e_a ≡ λz.e_0. As we have assumed x ∈ FV(λz.e_0), we have by definition that:

    Capt_x(e_0) ∩ FV(e_b) ⊆ Capt_x(e_a) ∩ FV(e_b) = ∅

And, we see that we can apply the I.H.. We proceed by a case-split in the clauses of the property we are proving.

Sub-case x ≠ y ∧ y ∉ FV(e_b): The first equation below is given by the case. The second equation follows by definition of Capt_(·)(·). The third equation follows by the I.H. as far as the clauses are concerned and by definition of FV(·) as far as the side-conditions are concerned because x ≠ z by the premises of (Strict). The penultimate equation follows by Lemma 1.42 combined with the sub-case, while the last equation is by definition.
    Capt_y((λz.e_0)[x := e_b])
      = Capt_y(λz.e_0[x := e_b])
      = { Capt_y(e_0[x := e_b]) ∪ {z} if y ∈ FV(λz.e_0[x := e_b]); ∅ if y ∉ FV(λz.e_0[x := e_b]) }
      = { Capt_y(e_0) ∪ {z} if y ∈ FV(e_0[x := e_b]); ∅ if y ∉ FV(e_0[x := e_b]) }
      = { Capt_y(e_0) ∪ {z} if y ∈ FV(e_0); ∅ if y ∉ FV(e_0) }
      = Capt_y(λz.e_0)

Sub-case y ∈ FV(e_b): The first equation below is given by the case. The second equation follows by the definitions of, on the one hand, Capt_(·)(·) and, secondly, of FV(·) (by (Strict), as we saw above).

    Capt_y((λz.e_0)[x := e_b])
      = Capt_y(λz.e_0[x := e_b])
      = { Capt_y(e_0[x := e_b]) ∪ {z} if y ∈ FV(e_0[x := e_b]); ∅ if y ∉ FV(e_0[x := e_b]) }

We note that y ∈ FV(e_b) and Lemma 1.42 imply that:

    y ∉ FV(e_0[x := e_b]) ⇒ x ∉ FV(e_0) ∧ y ∉ FV(e_0)

As we have assumed x ∈ FV(λz.e_0) for the property we are proving and as x ≠ z by (Strict), we see that the lower clause above is not possible in the present circumstances. The equation below thus follows from above by the I.H..

      = Capt_y(e_0) ∪ Capt_x(e_0) ∪ Capt_y(e_b) ∪ {z}    (B.4)

We remind ourselves that we are trying to equate the above to:

    Capt_y(λz.e_0) ∪ Capt_x(λz.e_0) ∪ Capt_y(e_b)    (B.5)

As we have assumed x ∈ FV(λz.e_0), (B.5) unfolds as follows:

      = Capt_y(λz.e_0) ∪ Capt_x(e_0) ∪ {z} ∪ Capt_y(e_b)    (B.6)

Together with the assumption of Capt_x(λz.e_0) ∩ FV(e_b) = ∅, the above-listed assumption further implies that z ∉ FV(e_b). By the sub-case, we therefore have z ≠ y, which means that
y ∈ FV(λz.e_0) ⇔ y ∈ FV(e_0). By definition of Capt_y(·), (B.6) thus leads to this equation:

      = { Capt_y(e_0) ∪ {z} ∪ Capt_x(e_0) ∪ {z} ∪ Capt_y(e_b) if y ∈ FV(e_0); Capt_x(e_0) ∪ {z} ∪ Capt_y(e_b) if y ∉ FV(e_0) }

The top clause is immediately seen to equate to (B.4). The lower clause also equates to (B.4) as y ∉ FV(e_0) implies Capt_y(e_0) = ∅ by Proposition 1.8.

(Lazy) Abstraction Case: We are considering e_a ≡ λz.e_0 and we see that the case is not possible under the current assumptions. In the case of the left-most disjunct of the premise of the rule, the contradiction is with x ∈ FV(e_a), while for the right-most disjunct (conjoined with the negation of the left-most disjunct), a contradiction arises as z ∈ Capt_x(e_a) ∩ FV(e_b) ≠ ∅.

□
Appendix C
Proofs for Chapter 2
C.1 Marked Substitution
Lemma 2.10

    x ≠ y ∧ (y ∉ FV(t_2) ∨ x ∉ FV(t_1))
    ∧ (Capt_y(t_1) ∩ FV(t_3) = ∅) ∧ (Capt_x(t_1[y := t_3]) ∩ FV(t_2) = ∅)
    ∧ (Capt_x(t_1) ∩ FV(t_2) = ∅) ∧ (Capt_x(t_3) ∩ FV(t_2) = ∅)
    ⇒ t_1[y := t_3][x := t_2] = t_1[x := t_2][y := t_3[x := t_2]]

Proof By structural induction in t_1.

Case t_1 ≡ z: We case-split on z.

Sub-case y = z = x: Not possible by assumption.

Sub-case y = z ≠ x: The LHS of the equation becomes t_3[x := t_2] when instantiating the first substitution and, by the sub-case, the RHS instantiates to the same after using both substitutions and we are done.

Sub-case y ≠ z = x: We case-split on the disjuncted premise:

Sub²-case y ∉ FV(t_2): Proposition 1.25, 2. implies that both sides become t_2 when instantiating the substitut ions.

Sub²-case x ∉ FV(t_1): As the sub- and the sub²-case contradict each other on the role of x, we are trivially done.

Sub-case y ≠ z ≠ x: Both sides trivially become z when instantiating the substitutions.

Case t_1 ≡ t_a t_b: Directly by definition of substitution and two simple applications of the I.H. (with the premises trivially substantiated by definition).

Case t_1 ≡ λz.t_0: We case-split on the substitutions on the LHS that go through the abstraction.
182 APPENDIX C. PROOFS: A RENAMING-FREE VAR-FRAGMENT
Sub-case LHS = λz.t_0[y := t_3][x := t_2]: With t_0 taking the role of t_1, there are three non-trivial premises to be substantiated in order to apply the I.H.:

- Capt_y(t_0) ∩ FV(t_3) = ∅: By assumption, it suffices to show that Capt_y(t_0) ⊆ Capt_y(λz.t_0). As we know z ≠ y by the sub-case, we case-split as follows:
  Sub²-case y ∈ FV(t_0): By definition.
  Sub²-case y ∉ FV(t_0): By Proposition 1.8.

- Capt_x(t_0) ∩ FV(t_2) = ∅: It, again, suffices to show that Capt_x(t_0) ⊆ Capt_x(λz.t_0), which is analogous to above.

- Capt_x(t_0[y := t_3]) ∩ FV(t_2) = ∅: By the first bullet in the sub-case, we can apply Lemma 1.44 to Capt_x(t_0[y := t_3]). In case of 1. in the lemma, we are trivially done. For 2., we are done by the previous bullet. For 3., we must show that:

      (Capt_x(t_0) ∪ Capt_y(t_0) ∪ Capt_x(t_3)) ∩ FV(t_2) = ∅

  Disjointness with FV(t_2) of the first disjunction is by the previous bullet; for the second disjunction, it is by the first bullet of the sub-case; for the last disjunction, it is by a premise of the lemma.

With the I.H. application justified, we are straightforwardly done with the help of Lemma 1.42.

Sub-case LHS = λz.t_0[y := t_3]: It must be the case that either z = x or z ∈ FV(t_2).

Sub²-case z = x: By assumption, we know that z ≠ y and thus

    Capt_y(t_1) = { {x} ∪ Capt_y(t_0) if y ∈ FV(t_0); ∅ if y ∉ FV(t_0) }

By the assumption that Capt_y(t_1) ∩ FV(t_3) = ∅, we therefore have either x ∉ FV(t_3) or y ∉ FV(t_0). In the former case, we have RHS = t_1[y := t_3[x := t_2]] = t_1[y := t_3] by Proposition 1.25, 2. and we are trivially done. In the latter case, we have LHS = λz.t_0 = RHS by the same result.

Sub²-case z ≠ x ∧ z ∈ FV(t_2): From the right-most conjunct, we can, according to the premises of the lemma, conclude that z ∉ Capt_x(t_1[y := t_3]) (i.e., z ∉ Capt_x(λz.t_0[y := t_3])). By definition and the left-most conjunct, we can therefore conclude that x ∉ FV(t_1[y := t_3]). At the same time, we can, by a premise of the lemma, apply Lemma 1.42 to obtain:

    FV(t_1[y := t_3]) = { FV(t_1) if y ∉ FV(t_1); (FV(t_1) \ {y}) ∪ FV(t_3) if y ∈ FV(t_1) }

We thus have y ∈ FV(t_1) ⇒ x ∉ FV(t_3). If y ∉ FV(t_1) (and thus y ∉ FV(t_0), as y ≠ z by the sub-case), we are trivially done by Proposition 1.25, 2.. If y ∈ FV(t_1), we saw above that x ∉ FV(t_3) and the RHS is equal to the LHS, again by Proposition 1.25, 2..

Sub-case LHS = λz.t_0[x := t_2]: By definition, it must be the case that either z = y or z ∈ FV(t_3). In the former case, we are trivially done as [y := t_3[x := t_2]] on the RHS straightforwardly is discarded, resulting in the LHS, as required. In case z ∈ FV(t_3), we can, by an assumption of the lemma and the fact that z ≠ x by the sub-case, apply Lemma 1.42 to show that z ∈ FV(t_3[x := t_2]), which means we can justify the last equation below:

    RHS = t_1[x := t_2][y := t_3[x := t_2]]
        = (λz.t_0[x := t_2])[y := t_3[x := t_2]]
        = λz.t_0[x := t_2]

Sub-case LHS = λz.t_0: We can immediately discard [x := t_2] on the RHS for the reason it was discarded on the LHS. To discard [y := t_3[x := t_2]] (on the RHS), observe that we are trivially done if [y := t_3] was discarded (on the LHS) because z = y. Assume, therefore, that z ∈ FV(t_3). As we otherwise would have z ∈ Capt_y(t_1) ∩ FV(t_3), thus contradicting an assumption of the lemma, we have that y ∉ FV(t_1) and we are done by Proposition 1.25, 2..

Case t_1 ≡ (λz.t_a) @ t_b: This case is, in effect, covered by the previous two cases.

□
C.2 Residual-Completion Substitutivity


Lemma 2.12

    t_1 →_@ t′_1 ∧ t_2 →_@ t′_2 ∧ (Capt_x(t_1) ∩ FV(t_2) = ∅) ∧ (Capt_x(t′_1) ∩ FV(t′_2) = ∅)
    ⇒ t_1[x := t_2] →_@ t′_1[x := t′_2]

Proof We proceed by rule induction in →_@.

Case (@): By the case, we know that t_1 ≡ (λy.t_a) @ t_b, with t_a →_@ t′_a, t_b →_@ t′_b, Capt_y(t′_a) ∩ FV(t′_b) = ∅, and y ∈ FV(t′_a). Depending on y,
we note that the body of the abstraction (i.e., t_a) may or may not be subjected to the considered substitution and we thus define:

    t  = { t_a[x := t_2] if y ≠ x ∧ y ∉ FV(t_2); t_a otherwise }
    t′ = { t′_a[x := t′_2] if y ≠ x ∧ y ∉ FV(t_2); t′_a otherwise }

With t and t′ in place, we see that the proof burden of the case amounts to justifying the applicability of the following (@)-rule and to show that the term arrived at by combining the premise reducts as prescribed by the (@)-rule is, indeed, the reduct in the conclusion:

    t →_@ t′    t_b[x := t_2] →_@ t′_b[x := t′_2]    Capt_y(t′) ∩ FV(t′_b[x := t′_2]) = ∅    y ∈ FV(t′)
    ---------------------------------------------------------------------------------------
    ((λy.t_a) @ t_b)[x := t_2] →_@ t′_a[y := t′_b][x := t′_2]

Three of the premises are case-dependent, i.e., they involve t or t′. The second premise from the left, on the other hand, immediately follows from an application of the I.H.. To see this, note, first of all, that:

    Capt_x(t_b) ∩ FV(t_2) ⊆ Capt_x((λy.t_a) @ t_b) ∩ FV(t_2)
                          = Capt_x(t_1) ∩ FV(t_2)    (C.1)
                          = ∅

The above inclusion is by definition while the equations are by the case and the premises of the lemma, respectively. Furthermore, and still by the case, we can apply Lemma 1.44, 3. (if x ∈ FV(t′_b)) and Proposition 1.8 (if x ∉ FV(t′_b)) to show Capt_x(t′_b) ⊆ Capt_x(t′_a[y := t′_b]).

    Capt_x(t′_b) ∩ FV(t′_2) ⊆ Capt_x(t′_a[y := t′_b]) ∩ FV(t′_2)
                            = Capt_x(t′_1) ∩ FV(t′_2)    (C.2)
                            = ∅

By the I.H., we have thus established the second needed premise above and we turn our attention to the other three premises of the rule. First, we instantiate Lemma 1.42 (cf. (C.2)) to the present situation:

    FV(t′_b[x := t′_2]) = { FV(t′_b) if x ∉ FV(t′_b); (FV(t′_b) \ {x}) ∪ FV(t′_2) if x ∈ FV(t′_b) }    (C.3)

For later use, we go on to establish the following property:

    Capt_y(t′_a) ∩ FV(t′_b[x := t′_2]) = ∅    (C.4)

By (C.3) and the case, it remains to be seen, for x ∈ FV(t′_b), that

    Capt_y(t′_a) ∩ FV(t′_2) = ∅    (C.5)
In that case, and as we also have y ∈ FV(t′_a) and Capt_y(t′_a) ∩ FV(t′_b) = ∅ by the premises of the case, we see that Lemma 1.44, 3. implies that Capt_y(t′_a) ⊆ Capt_x(t′_a[y := t′_b]) and we are done, cf. (C.2).

We now proceed with the other three premises by a case-split on t:

Sub-case y ≠ x ∧ y ∉ FV(t_2): The left-most needed premise follows by an application of the I.H. that is justified as follows:

- Proposition 1.8 (in case x ∉ FV(t_a)) and, remembering that y ≠ x, the definition of Capt_x(·) (in case x ∈ FV(t_a)) imply Capt_x(t_a) ⊆ Capt_x(λy.t_a) and thus, cf. (C.1):

      Capt_x(t_a) ∩ FV(t_2) = ∅    (C.6)

- Lemma 1.44, 2.-3. (with 1. ruled out by y ≠ x) implies Capt_x(t′_a) ⊆ Capt_x(t′_a[y := t′_b]), hence, cf. (C.2):

      Capt_x(t′_a) ∩ FV(t′_2) = ∅    (C.7)

Using (C.7) and y ≠ x, Lemma 1.42 implies FV(t′_a) ⊆ FV(t′) and, as y ∈ FV(t′_a) by the premise of the case, we have established the right-most needed premise. For the final premise, the second from right, we first note that FV(t′_2) ⊆ FV(t_2) by Lemma 2.7, hence y ∉ FV(t′_2) by the sub-case. Lemma 1.44, 2. thus implies

    Capt_y(t′_a[x := t′_2]) = Capt_y(t′_a)

By (C.4), we have therefore justified the needed premises, hence

    ((λy.t_a) @ t_b)[x := t_2] →_@ t′_a[x := t′_2][y := t′_b[x := t′_2]]

That the end-term is equal to t′_a[y := t′_b][x := t′_2] follows from Lemma 2.10 whose premises we list and substantiate:

- x ≠ y: By the sub-case.
- y ∉ FV(t′_2) ∨ x ∉ FV(t′_a): We have the left-most disjunct from the sub-case by Lemma 2.7.
- Capt_y(t′_a) ∩ FV(t′_b) = ∅: By the case.
- Capt_x(t′_a[y := t′_b]) ∩ FV(t′_2) = ∅: From Lemma 1.44 and the other items in this list, we see that it only remains to be shown that Capt_y(t′_a) ∩ FV(t′_2) = ∅, in case y ∈ FV(t′_a) and x ∈ FV(t′_2). This we have by (C.5).
- Capt_x(t′_a) ∩ FV(t′_2) = ∅: (C.7).
- Capt_x(t′_b) ∩ FV(t′_2) = ∅: (C.2).
Sub-case y = x ∨ y ∈ FV(t_2): We trivially have the left-most and the right-most needed premises satisfied by the case as, in this sub-case, t = t_a and t′ = t′_a. The final premise, the second from right, is (C.4) and we thus have

    ((λy.t_a) @ t_b)[x := t_2] →_@ t′_a[y := t′_b[x := t′_2]]

We case-split on the disjunct of the Sub-case.

Sub²-case y = x: The result follows from Lemma 2.11, which we can apply because:

- Capt_x(t′_a) ∩ FV(t′_b) = ∅: this is a premise of the rule instance of the Case.
- Capt_x(t′_a) ∩ FV(t′_b[x := t′_2]) = ∅: see (C.4).
- Capt_x(t′_b) ∩ FV(t′_2) = ∅: see (C.2).

Sub²-case y ≠ x ∧ y ∈ FV(t_2): By the right-most conjunct and a premise of the lemma, we have y ∉ Capt_x(t_1) and we can use t_1 ≡ (λy.t_a) @ t_b to infer from the definition of Capt_x(·) and y ≠ x (of the Sub²-case) that x ∉ FV(t_a). We thus have x ∉ FV(t′_a) by Lemma 2.7, which means that Proposition 1.25, 2. gives us that

    t′_a[y := t′_b[x := t′_2]] = t′_a[x := t′_2][y := t′_b[x := t′_2]]

We are therefore done by applying Lemma 2.10, which is possible according to the listed substantiation of the premises in the previous sub-case, with the following modifications:

- x ≠ y: By the sub²-case.
- y ∉ FV(t′_2) ∨ x ∉ FV(t′_a): See above for a substantiation of x ∉ FV(t′_a).
- Capt_x(t′_a) ∩ FV(t′_2) = ∅: From the previous bullet by Proposition 1.8.

Case (lazy@): By the case, we have t_1 ≡ (λy.t_a) @ t_b, with t_a →_@ t′_a, y ∉ FV(t′_a), and t′_1 ≡ t′_a. We case-split on the cases for (λy.t_a)[x := t_2].

Sub-case y = x ∨ y ∈ FV(t_2): We have (λy.t_a)[x := t_2] = λy.t_a by definition and we are straightforwardly done.

Sub-case y ≠ x ∧ y ∉ FV(t_2): We want to apply the I.H. to the body of the substitution result: (λy.t_a)[x := t_2] = λy.t_a[x := t_2]. We therefore case-split as follows:

Sub²-case x ∉ FV(t_a): By Proposition 1.8 and Lemma 2.7 (implying x ∉ FV(t′_a)), we have Capt_x(t_a) = Capt_x(t′_a) = ∅.

Sub²-case x ∈ FV(t_a): By definition and the case, we have
C.2. RESIDUAL-COMPLETION SUBSTITUTIVITY 187
Capt_x(t_a) ⊆ Capt_x(λy.t_a) ⊆ Capt_x(t_1)
Capt_x(t′_a) = Capt_x(t′_1)
In either sub²-case, we can justify the premises of the I.H. by referring to the premises of the overall property. By Lemma 2.7, we have y ∉ FV(t′_2) and, by Lemma 1.42 (cf. Lemma 1.44, 2.-3.), we therefore have y ∉ FV(t′_a[x := t′_2]) and we are straightforwardly done.
Case (Var): We case-split on whether or not x = y. In either case, we are straightforwardly done by the assumed t_i →@ t′_i, for i ∈ {1, 2}.
Case (L): We case-split on the cases of the substitution. The proof is essentially subsumed by the case for (lazy@).
Case (A): We are done by two simple applications of the I.H.
Appendix D
Proofs for Chapter 3
D.1 Left i-Substitutivity
Lemma 3.2
e_1 →^y_i e′_1 ∧ (Capt_x(e_1) ∩ FV(e_2) = ∅ ∧ Capt_x(e′_1) ∩ FV(e_2) = ∅)
⇒ e_1[x := e_2] →^y_i e′_1[x := e_2]
Proof By rule induction in e_1 →^y_i e′_1.
Case (i): We are considering e_1 ≡ λz.e and we case-split on e_1[x := e_2]:
Sub-case z ≠ x ∧ z ∉ FV(e_2): We make a further case-split on x:
Sub²-case x ∉ FV(e): We are trivially done by two applications of Proposition 1.25, 2. as we, by Proposition 3.1, also have x ∉ FV(e′_1).
Sub²-case x ∈ FV(e): We first note that y ≠ x by a premise of the considered rule and the sub²-case. We, similarly, have that y ∈ Capt_x(λy.e[z := y]) because x ∈ FV(e_1) by the sub- and sub²-cases and thus x ∈ FV(e′_1) by Proposition 3.1, which means, by a premise of the lemma, that:
y ∉ FV(e_2) (D.1)
We are therefore considering a situation where:
e_1[x := e_2] = λz.e[x := e_2]
e′_1[x := e_2] = λy.e[z := y][x := e_2]
In order to apply Lemma 2.10, we must substantiate the following properties (viz the relevant premises of the lemma):
1. x ≠ y: We noted this at the start of the sub²-case.
190 APPENDIX D. PROOFS: -EQUIVALENCE
2. z ∉ FV(e_2) ∨ x ∉ FV(e): We have the left-most disjunct by the sub-case.
3. Capt_z(e) ∩ FV(y) = ∅: The property is equivalent to a premise of the considered rule: y ∉ Capt_z(e).
4. Capt_x(e[z := y]) ∩ FV(e_2) = ∅: As x ∈ FV(e′_1) (as we saw above), we have Capt_x(e[z := y]) ⊆ Capt_x(e′_1) by definition and the property is implied by a premise of the lemma.
5. Capt_x(e) ∩ FV(e_2) = ∅: By the sub- and sub²-cases, we have Capt_x(e) ⊆ Capt_x(e_1) per definition and the property follows by a premise of the lemma.
6. Capt_x(y) ∩ FV(e_2) = ∅: Trivial as Capt_x(y) = ∅ by definition.
By Lemma 2.10 and y ≠ x, we therefore have
e[z := y][x := e_2] = e[x := e_2][z := y[x := e_2]]
= e[x := e_2][z := y]
In order to establish the conclusion of the lemma, it thus only remains to be seen that we can apply the obvious (i)-rule, i.e., that y ∉ Capt_z(e[x := e_2]) ∪ FV(e[x := e_2]). By 5. above and the sub-case, we can apply Lemma 1.44, 2. to show that Capt_z(e[x := e_2]) = Capt_z(e) and half of the needed premise follows by the premise of the considered rule. By the same reasoning, we can apply Lemma 1.42 to show that
FV(e[x := e_2]) ⊆ FV(e) ∪ FV(e_2)
By this, we are done by the premise of the considered rule and by (D.1), respectively.
Sub-case z = x ∨ z ∈ FV(e_2): For the left-most disjunct, we trivially have x ∉ FV(e_1). If, on the other hand, z ∈ FV(e_2) (and z ≠ x), we have z ∉ Capt_x(λz.e) by a premise of the lemma, which means that we have x ∉ FV(e_1) by definition of Capt_x(·). By Proposition 3.1, we thus also have x ∉ FV(e′_1) in either case, which means that the conclusion of the lemma is trivially reached by a premise of the lemma according to Proposition 1.25, 2.
Case (L_i): We are considering e_1 ≡ λz.e and we case-split on e_1[x := e_2]:
Sub-case z ≠ x ∧ z ∉ FV(e_2): We make a further case-split on x:
Sub²-case x ∉ FV(e): Identical to the corresponding sub²-case in the previous case.
Sub²-case x ∈ FV(e): By Proposition 3.1, we have x ∈ FV(e′), where e′_1 ≡ λz.e′. We can thus apply the I.H. to e →^y_i e′ as, in this case, Capt_x(e) ⊆ Capt_x(e_1) and Capt_x(e′) ⊆ Capt_x(e′_1) by definition and we are straightforwardly done.
Sub-case z = x ∨ z ∈ FV(e_2): Identical to the corresponding sub-case in the previous case.
Case (Al_i): Straightforward application of the I.H.
Case (Ar_i): Straightforward application of the I.H.
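The six premises that the residual-completion case above (Appendix C) and Lemma 3.2 both discharge before invoking Lemma 2.10 can be checked mechanically on concrete terms. The Python below is an added example and not the thesis's formalisation; its definitions of FV, Capt_x and renaming-free substitution are reconstructed from the properties the proofs rely on (abandonment under a binder y when y = x or y is free in the substituted term, Capt_x(y) = ∅, and Capt_x(e) = ∅ when x ∉ FV(e)), and the instances E, GOOD and BAD are constructed here.

```python
"""Renaming-free substitution and the side-conditions of Lemma 2.10.

Added example, not code from the thesis: FV, Capt_x and e[x := t] are
reconstructed from the properties the proofs above rely on (substitution
is abandoned under a binder y when y = x or y is free in t; Capt_x(y) is
empty; Capt_x(e) is empty whenever x is not free in e).
"""
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    binder: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]

def fv(e: Term) -> frozenset:
    """FV(e): the free variable names of e."""
    if isinstance(e, Var):
        return frozenset({e.name})
    if isinstance(e, Lam):
        return fv(e.body) - {e.binder}
    return fv(e.fun) | fv(e.arg)

def capt(x: str, e: Term) -> frozenset:
    """Capt_x(e): binders of e with a free occurrence of x in scope, i.e.
    the names that would capture x under renaming-free substitution."""
    if isinstance(e, Var):
        return frozenset()
    if isinstance(e, Lam):
        if e.binder == x or x not in fv(e.body):
            return frozenset()
        return frozenset({e.binder}) | capt(x, e.body)
    return capt(x, e.fun) | capt(x, e.arg)

def subst(e: Term, x: str, t: Term) -> Term:
    """e[x := t], renaming-free: under a binder y the substitution is
    abandoned (the abstraction is returned unchanged) when y = x or y is
    free in t; no fresh names are ever introduced."""
    if isinstance(e, Var):
        return t if e.name == x else e
    if isinstance(e, Lam):
        if e.binder == x or e.binder in fv(t):
            return e
        return Lam(e.binder, subst(e.body, x, t))
    return App(subst(e.fun, x, t), subst(e.arg, x, t))

def lemma_2_10_premises(e, x, y, e_b, e_2):
    """The six premises, in the order the proofs list them, under which
    e[y := e_b][x := e_2] = e[x := e_2][y := e_b[x := e_2]] is claimed."""
    return [
        ("x != y", x != y),
        ("y notin FV(e_2) or x notin FV(e)", y not in fv(e_2) or x not in fv(e)),
        ("Capt_y(e), FV(e_b) disjoint", not (capt(y, e) & fv(e_b))),
        ("Capt_x(e[y := e_b]), FV(e_2) disjoint",
         not (capt(x, subst(e, y, e_b)) & fv(e_2))),
        ("Capt_x(e), FV(e_2) disjoint", not (capt(x, e) & fv(e_2))),
        ("Capt_x(e_b), FV(e_2) disjoint", not (capt(x, e_b) & fv(e_2))),
    ]

def both_orders(e, x, y, e_b, e_2):
    """(lhs, rhs) of the substitution lemma for the given instance."""
    lhs = subst(subst(e, y, e_b), x, e_2)
    rhs = subst(subst(e, x, e_2), y, subst(e_b, x, e_2))
    return lhs, rhs

def failed_premises(inst):
    return [name for name, holds in lemma_2_10_premises(*inst) if not holds]

def lemma_holds(inst) -> bool:
    lhs, rhs = both_orders(*inst)
    return lhs == rhs

# Constructed instances on E = \a.(x y), for which Capt_x(E) = Capt_y(E) = {a}.
E = Lam("a", App(Var("x"), Var("y")))
# e_b = b, e_2 = c: all six premises hold and the two orders agree.
GOOD = (E, "x", "y", Var("b"), Var("c"))
# e_b = x, e_2 = a: the binder a captures x, so the premises that keep
# Capt_x(e) and Capt_x(e[y := e_b]) disjoint from FV(e_2) fail, and the
# two orders differ because each abandons a different substitution step.
BAD = (E, "x", "y", Var("x"), Var("a"))

if __name__ == "__main__":
    for label, inst in (("good", GOOD), ("bad", BAD)):
        print(label, "lemma holds:", lemma_holds(inst),
              "failed premises:", failed_premises(inst))
```

The BAD instance is what the Capt_x side-conditions rule out: with a capturing binder the two substitution orders abandon different steps, and the equation of Lemma 2.10 no longer holds.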
Appendix E
Proofs for Chapter 4
E.1 Preservation and Reflection of Diamond
Theorem 4.2 Given a point-surjective ARS morphism, F, from A to B:¹
1. →_A ↦ →_B: ((A) ⇏ (B))
2. →_A ↦ →_B: ((A) ⇏ (B))
3. →_A ↦ →_B: { (A) ⇒ (B) ; (A) ⇍ (B) }
4. →_A ↦ →_B: ((A) ⇔ (B))
Proof The following example-ARSs should not be considered directly. Rather, they must be reflexively closed in order to ensure the diamond property in the first place.
1. Counter-example: (A) ⇏ (B)
(diagram: a_1, a_2, b_2, b_1, a′_1, a′_2, b′_2 joined by A-steps and B-steps)
Counter-example: (A) ⇍ (B)
(diagram: a_1, b_1, a_2, a_3, b_2 joined by A-steps and a B-step)
¹ In the theorem, the notation ⇏ means existence of counter-examples.
194 APPENDIX E. PROOFS: - AND VAR-CONFLUENCE
2. Counter-example: (A) ⇏ (B)
As above.
Counter-example: (A) ⇍ (B)
As above.
3. Proof of (A) ⇒ (B): Assume (A) and consider
(diagram: b with B-steps to b_1 and b_2)
For any a such that F(a) = b, there are a_1, a_2 such that F(a_i) = b_i and a →_A a_i by the premise of the case. By F onto we have such an a and by (A) furthermore an a′ such that, all in all:
(diagram: a with A-steps to a_1 and a_2, both with A-steps to a′; b with B-steps to b_1 and b_2)
By F a total homomorphism we are thus done:
(diagram: b with B-steps to b_1 and b_2, both with B-steps to F(a′))
Counter-example: (A) ⇍ (B)
As above.
4. Proof of (A) ⇒ (B): As above.
Proof of (A) ⇐ (B): Assume (B) and consider
(diagram: a with A-steps to a_1 and a_2)
By F a total homomorphism and (B) we have some b such that:
(diagram: a with A-steps to a_1 and a_2; F(a) with B-steps to F(a_1) and F(a_2), both with B-steps to b)
By the premise of the case and F onto we therefore have a b_C ∈ A such that F(b_C) = b and furthermore:
(diagram: a with A-steps to a_1 and a_2, both with A-steps to b_C)
E.2 Parallel /Fresh-naming Commutativity
Lemma 4.15 We saw that it suffices to prove the following property:
(diagram: the commuting square to be established)
Proof We proceed by rule induction in →^z_i0.
Case (i0): Let e ⇒ e′ and consider
(diagram: λx.e ⇒ λx.e′ on top; λz.e[x := z] and λz.e′[x := z] below; →^z_i0 on the left and →^z_i on the right)
The resolving reductions are substantiated as follows:
Right resolution: By choice of z and Proposition 4.10, we have z ∉ Var(e′) and the →^z_i-step is certainly enabled.
Lower resolution: As z ⇒ z by Proposition 4.6, we are done by Lemma 4.11.
Case (L_i0): Let e →^z_i0 e′, x ≠ z, and e ⇒ e″; we are straightforwardly done by I.H. and Proposition 1.23:
(diagram: λx.e ⇒ λx.e″ on top; λx.e′ ⇒ λx.e‴ below; →^z_i0 on the left and →^z_i on the right)
Case (Al_i0): We perform a case-splitting on ⇒.
Sub-case (A): By the case, we have e_1 →^z_i0 e′_1. We also have e_1 ⇒ e″_1 and e_2 ⇒ e″_2. By I.H. on the e_1s and Proposition 1.23, we therefore have some e‴_1, such that:
(diagram: e_1 e_2 ⇒ e″_1 e″_2 on top; e′_1 e_2 ⇒ e‴_1 e″_2 below; →^z_i0 on the left and →^z_i on the right)
Sub-case (): A further case-splitting is done on →^z_i0.
Sub²-case (Al_i0) then (i0):
(diagram: (λx.e_1)e_2 ⇒ e′_1[x := e′_2] on top; (λz.e_1[x := z])e_2 and e′_1[x := z][z := e′_2] below; →^z_i0 on the left)
The resolving reductions are substantiated as follows:
Right resolution: By Proposition 1.25, 3.
Lower resolution: We have e_1[x := z] ⇒ e′_1[x := z] according to Lemma 4.11. As z ∉ BV(e′_1[x := z]) by choice of z and Proposition 4.10, we are done.
Sub²-case (Al_i0) then (L_i0): By I.H., we have an e‴_1, such that e′_1 →^z_i e‴_1 and e″_1 ⇒ e‴_1. We therefore have
(diagram: (λx.e_1)e_2 ⇒ e′_1[x := e′_2] on top; (λx.e″_1)e_2 ⇒ e‴_1[x := e′_2] below; →^z_i0 on the left and →^z_i on the right)
The resolving reductions are substantiated as follows:
Right resolution: Lemma 3.2.
Lower resolution: We see that it only remains to be seen that FV(e′_2) ∩ Capt_x(e‴_1) = ∅ in order to apply () to (λx.e″_1)e_2. We note that we have FV(e′_2) ∩ Capt_x(e′_1) = ∅ by the Sub-case. By choice of z, we are therefore done by way of Proposition 3.1: Capt_x(e‴_1) ⊆ Capt_x(e′_1) ∪ {z}.
Case (Ar_i0): We perform a case-splitting on ⇒.
Sub-case (A): The following e‴_2 is straightforwardly given by I.H.
(diagram: e_1 e_2 ⇒ e′_1 e′_2 on top; e_1 e″_2 ⇒ e′_1 e‴_2 below; →^z_i0 on the left and →^z_i on the right)
The resolving reductions are substantiated as follows:
Right resolution: Proposition 1.23.
Lower resolution: Proposition 4.5.
Sub-case (): The following e‴_2 is straightforwardly given by I.H.
(diagram: (λx.e_1)e_2 ⇒ e′_1[x := e′_2] on top; (λx.e_1)e″_2 ⇒ e′_1[x := e‴_2] below; →^z_i0 on the left and →^z_i on the right)
The resolving reductions are substantiated as follows:
Right resolution: Lemma 3.3.
Lower resolution: We see that it only remains to be seen that FV(e‴_2) ∩ Capt_x(e′_1) = ∅ in order to apply () to (λx.e_1)e″_2. As we have e′_2 →^z_i e‴_2 by I.H., we have FV(e‴_2) = FV(e′_2) by Proposition 3.1 and we are done by the Sub-case.
E.3 / Commutativity up to -Resolution
Lemma 4.36
Proof We proceed by rule induction in the one relation, while case-splitting on the other.
Case: ():
Sub-case (L) followed by (): We are considering two abstractions.
Sub²-case different variable names:
(diagram: λx.(λy.e)x with its two reducts λy.e and λx.e[y := x])
The resolving reduction exists as (i) x ∉ FV(e); this follows from the side-condition on the () step: x ∉ FV(λy.e), and the Sub²-case. We also need (ii) x ∉ Capt_y(e), which is given directly by the side condition on ().
Sub²-case identical variable name: We are straightforwardly done by Proposition 1.25, 1.:
(diagram: λx.(λx.e)x with both reducts equal to λx.e)
Sub-case (L) followed by a rule other than ():
(diagram: λx.e x → e on top; λx.e′ x → e′ below)
The resolving reductions are substantiated as follows:
Right resolution: Trivial by the Sub-case.
Lower resolution: Straightforward by Lemma 1.45.
Case (L): We are considering (L) and are straightforwardly done by I.H.:
(diagram: λx.e → λx.e′ on top; λx.e″ → λx.e‴ below)
Case: (Al):
Sub-case (): We perform a further case-splitting on the other relation.
Sub²-case (): We are trivially done as e_1[x := e_2] = e_1 by the side-condition on (): x ∉ FV(e_1).
(diagram: (λx.e_1 x)e_2 → e_1 e_2)
Sub²-case a rule other than ():
(diagram: (λx.e_1)e_2 → (λx.e′_1)e_2 on top; e_1[x := e_2] → e′_1[x := e_2] below)
The resolving reductions are substantiated as follows:
Right resolution: Straightforward by Proposition 4.30.
Lower resolution: Straightforward by Lemma 4.31.
Sub-case (Al): Straightforward by I.H.
Sub-case (Ar): Trivially resolvable as the divergence is non-critical (i.e., is caused by reduction in two distinct sub-terms).
Case (Ar):
Sub-case ():
(diagram: (λx.e_1)e_2 → (λx.e_1)e′_2 on top; e_1[x := e_2] → e_1[x := e′_2] below)
The resolving reductions are substantiated as follows:
Right resolution: Straightforward by Proposition 4.30.
Lower resolution: Lemma 4.32.
Sub-case (Al): Trivially resolvable as the divergence is non-critical (i.e., is caused by reduction in two distinct sub-terms).
Sub-case (Ar): Straightforward by I.H.
Appendix F
Proofs for Chapter 7
F.1 Takahashi's Semi-Standardisation Framework
Lemma 7.6 Assume (diagram: the premise on the b-relations) and (diagram: the premise on the c-relations).
(diagram: the conclusion, a square of b-, a- and c-steps)
Proof By composing the premises, we first see that we have:
(diagram: a square of a- and c-steps) (F.1)
Next, a reflexive, transitive induction in the a-relation gives us:
(diagram: a square of a- and c-steps) (F.2)
The base case is (F.1), the reflexive case is trivial, and the transitive case follows by two I.H.-applications as well as transitivity of the a-relation.
(diagram: M_1, N_1, N_2, M_2, M_3, M_4 joined by a- and c-steps)
In a similar vein, we can establish the following property by reflexive, transitive induction in the c-relation.
(diagram: a square of a- and c-steps) (F.3)
200 APPENDIX F. PROOFS: -STANDARDISATION
The base case of the proof is a special case of (F.2) by assumption, the reflexive case is trivial, and the transitive case follows by two I.H.-applications as well as transitivity of the c-relation.
(diagram: M_1, N_2, M_2, N_1, M_3, M_4 joined by c- and a-steps)
We are now ready to establish the conclusion of the lemma by reflexive, transitive induction in the b-relation. The base case is a special case of the right-most premise of the lemma by assumption. The reflexive case is trivial and the transitive case follows by two I.H.-applications, (F.3), and transitivity of the a-relation and the c-relation.
(diagram: M_1, M_2, M_3, N_1, N_2, N_3 joined by b-, a- and c-steps)
F.2 Inner/Weak-Head Substitutivity
Lemma 7.16
(e_a →I e′_a ∧ e_b (→wh; →I) e′_b ∧ Capt_x(e_a) ∩ FV(e_b) = ∅ ∧ Capt_x(e′_a) ∩ FV(e′_b) = ∅)
⇒ e_a[x := e_b] (→wh; →I) e′_a[x := e′_b]
Proof (by rule induction in →I).
Case (Var_I): We are considering e_a = e′_a = y for some y:
Sub-case y = x: Straightforward as x[x := e_2] = e_2 and the second premise thus states the desired property.
Sub-case y ≠ x: Straightforward by reflexivity of all the relations in the conclusions as e_a[x := e_b] = y = e′_a[x := e′_b].
Case (@_I): We are considering e_a = e_1 e_2, with e_1 e_2 →I e′_1 e′_2, e_1 →I e′_1, and e_2 ⇒ e′_2. By Lemma 4.11, we have e_2[x := e_b] ⇒ e′_2[x := e′_b] while, by I.H., we have that:
e_1[x := e_b] (→wh; →I) e′_1[x := e′_b] (F.4)
By definition, we can therefore conclude that we have:
e_1[x := e_b]e_2[x := e_b] ⇒ e′_1[x := e′_b]e′_2[x := e′_b]
Next, we case-split to show the remainder of the property, viz:
e_1[x := e_b]e_2[x := e_b] →wh; →I e′_1[x := e′_b]e′_2[x := e′_b] (F.5)
Sub-case e_1[x := e_b] ≡ y: By →I applied to e_1 and, in case e_1 = x and e_2 = y, by ⇒ applied to e_2, we necessarily have that e′_1[x := e′_2] = y and, as →wh is reflexive, we have (F.5) by a stand-alone application of (@_I) with y →I y in the left premise.
Sub-case e_1[x := e_b] ≡ λy.e: By the use of ⇒ in (F.4), we see that we have e′_1[x := e′_b] = λy.e′ for some e′, with e ⇒ e′. Again using the reflexivity of →wh, we once more have (F.5) by a stand-alone application of (@_I), this time with an application of (λ_I) in the left premise.
Sub-case e_1[x := e_b] ≡ e_3 e_4: By (F.4), there is an e, such that:
e_3 e_4 →wh e →I e′_1[x := e′_b]
A straightforward adaptation of Proposition 1.13 gives us that:
(e_5 e_6)e_4[x := e_2] →wh ee_4[x := e_2] (F.6)
And, a subsequent application of (@_I) finishes the sub-case:
e →I e′_1[x := e′_b]    e_2[x := e_b] ⇒ e′_2[x := e′_b]
(@_I)
ee_2[x := e_b] →I e′_1[x := e′_b]e′_2[x := e′_b]
Case (λ_I): We are considering e_a = λy.e and e′_a = λy.e′, with e →I e′.
Sub-case y = x: Both substitutions are abandoned and we are therefore left with substantiating the following property, which follows by the definitional reflexivity of →wh and Proposition 4.6.
λy.e (→wh; →I) λy.e′
Sub-case y ≠ x ∧ y ∈ FV(e_b): The substitution on e_a is abandoned, as above, but, unfortunately, it might be the case that y ∉ FV(e′_b), which means that the substitution on e′_a might go through to e′. However, from Capt_x(e_a) ∩ FV(e_b) = ∅, which we assume in the lemma, we have x ∉ FV(e) and thus, by Lemma 7.4 and Proposition 4.10, x ∉ FV(e′). By Proposition 1.25, 2., we can therefore conclude that either the substitution on e′_a is abandoned or it is void and the reasoning in the previous sub-case applies.
Sub-case y ≠ x ∧ y ∉ FV(e_b): By I.H., we have
e[x := e_2] (→wh; →I) e′[x := e′_2]
As we, in particular, have the ⇒-step, we see by definition that:
λy.e[x := e_2] ⇒ λy.e′[x := e′_2]
And, we are done by the definitional reflexivity of →wh.
Bibliography
[1] Peter Aczel. An introduction to inductive definitions. In J. Barwise, editor, Handbook of Mathematical Logic, volume 90 of Studies in Logic and the Foundations of Mathematics, chapter C.7, pages 739–782. North-Holland, Amsterdam, 1977.
[2] Andrea Asperti and Stefano Guerrini. The Optimal Implementation of Functional Programming Languages. Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1998.
[3] Andrea Asperti and Harry G. Mairson. Parallel beta reduction is not elementary recursive. In Proceedings of the ACM SIGPLAN-SIGACT symposium POPL-25, pages 303–315. ACM Press, 1998.
[4] Andrea Asperti and Harry G. Mairson. Parallel beta reduction is not elementary recursive. Information and Computation, 170(1):49–80, 2001.
[5] Henk Barendregt. The Lambda Calculus: Its Syntax and Semantics (Revised Edition). North-Holland, 1984.
[6] James Brotherston. Formalizing proofs in Isabelle/HOL of equational properties for the lambda-calculus using one-sorted variable names. Honours dissertation, University of Edinburgh; available from the author's homepage, 2001.
[7] Rod Burstall. Proving properties of programs by structural induction. The Computer Journal, 12, 1967.
[8] Alonzo Church and J. Barkley Rosser. Some properties of conversion. Transactions of the American Mathematical Society, 39, 1936.
[9] H. B. Curry and R. Feys. Combinatory Logic. North-Holland, Amsterdam, 1958.
[10] Rene David. Une preuve simple de résultats classiques en λ-calcul. Comptes Rendus de l'Académie des Sciences, 320(11):1401–1406, 1995. Série I.
[11] N. G. de Bruijn. Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser Theorem. Indag. Math., 34:381–392, 1972.
[12] Joelle Despeyroux, Amy Felty, and Andre Hirschowitz. Higher-order abstract syntax in Coq. In M. Dezani-Ciancaglini and G. Plotkin, editors, Proceedings of TLCA-2, volume 902 of LNCS. Springer Verlag, 1995.
[13] Joelle Despeyroux and Andre Hirschowitz. Higher-order abstract syntax with induction in Coq. In Frank Pfenning, editor, Proceedings of LPAR-5, volume 822 of LNAI. Springer-Verlag, 1994.
[14] Joelle Despeyroux, Frank Pfenning, and Carsten Schürmann. Primitive recursion for higher-order abstract syntax. In Philippe De Groote and J. Roger Hindley, editors, Proceedings of TLCA-3, volume 1210 of LNCS. Springer-Verlag, 1997.
[15] Marcelo Fiore, Gordon Plotkin, and Daniele Turi. Abstract syntax and variable binding. In Longo [38], pages 193–202.
[16] Jonathan Ford and Ian Mason. Operational techniques in PVS - a preliminary evaluation. In Colin Fidge, editor, Proceedings of CATS-7, volume 42 of Electronic Notes in Theoretical Computer Science. Elsevier Science, 2001.
[17] M. J. Gabbay and A. M. Pitts. A new approach to abstract syntax with variable binding. Formal Aspects of Computing, 13:341–363, 2002.
[18] Murdoch Jamie Gabbay. A Theory of Inductive Definitions with Alpha-Equivalence. PhD thesis, Cambridge University, 2001.
[19] Murdoch Jamie Gabbay and Andrew Pitts. A new approach to abstract syntax involving binders. In Longo [38], pages 214–224.
[20] Jean-Yves Girard. Locus solum: From the rules of logic to the logic of rules. MSCS, 11(3), 2001.
[21] A. D. Gordon and T. Melham. Five axioms of alpha-conversion. In J. Von Wright, J. Grundy, and J. Harrison, editors, Proceedings of TPHOL-9, volume 1125 of LNCS. Springer Verlag, 1996.
[22] Andy Gordon. A mechanisation of name-carrying syntax up to alpha-conversion. In Jeffrey Joyce and Carl-Johan Seger, editors, Proceedings of TPHOL/HUG-6, volume 780 of Lecture Notes in Computer Science. Springer Verlag, 1993.
[23] David Hilbert and Wilhelm Ackermann. Grundzüge der theoretischen Logik. Springer-Verlag, 1928. English translation of 2nd ed. (1938) is [24].
[24] David Hilbert and Wilhelm Ackermann. Principles of Mathematical Logic. Chelsea Publishing Company, 1950. Translation of the 2nd ed. (1938) of [23].
[25] J. Roger Hindley. The Church-Rosser Property and a Result in Combinatory Logic. PhD thesis, University of Newcastle upon Tyne, 1964.
[26] Martin Hofmann. Semantical analysis of higher-order abstract syntax. In Longo [38], pages 204–213.
[27] Peter Homeier. A proof of the Church-Rosser theorem for the lambda calculus in higher order logic. Category B paper at TPHOL-14, 2001.
[28] Gerard Huet. Residual theory in λ-calculus: A formal development. Journal of Functional Programming, 4(3):371–394, 1994.
[29] Felix Joachimski and Ralph Matthes. Standardization and confluence for a lambda calculus with generalized applications. In Leo Bachmair, editor, Proceedings of RTA-11, volume 1833 of LNCS. Springer Verlag, 2000.
[30] Jean-Pierre Jouannaud and Hélène Kirchner. Completion of a set of rules modulo a set of equations. SIAM Journal on Computing, 15:1155–1194, November 1986.
[31] Ryo Kashima. On the standardization theorem for lambda-beta-eta-calculus. In Proceedings of RPC'01, 2001. Technical report, the Research Institute of Electrical Communication, Tohoku University, Japan.
[32] Jan W. Klop. Combinatory Reduction Systems. Mathematical Centre Tracts 127. Mathematisch Centrum, Amsterdam, 1980.
[33] Jan W. Klop. Term Rewriting Systems. In Samson Abramsky, Dov M. Gabbay, and T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, Vol. 2, chapter 1, pages 2–116. Oxford University Press, Oxford, 1992.
[34] John Lamping. An algorithm for optimal lambda-calculus reductions. In Proceedings of the ACM symposium POPL-17, pages 16–30. ACM Press, 1990.
[35] Jean-Jacques Levy. Réductions correctes et optimales dans le lambda-calcul. Thèse d'état, Université Paris 7, 1978.
[36] Jean-Jacques Levy. Optimal reductions in the lambda-calculus. In J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda-Calculus and Formalism. Academic Press, 1980.
[37] Ralph Loader. Notes on simply typed lambda calculus. Technical report no. ECS-LFCS-98-381 of LFCS, University of Edinburgh, 1998.
[38] Giuseppe Longo, editor. Proceedings of LICS-14. IEEE CS Press, 1999.
[39] Zhaohui Luo and Robert Pollack. The LEGO proof development system: A user's manual. Technical Report ECS-LFCS-92-211, University of Edinburgh, May 1992.
[40] Harry G. Mairson. A simple proof of a theorem of Statman. Theoretical Computer Science, 103(2):387–394, 1992.
[41] Claude Marché. Normalized rewriting: an alternative to rewriting modulo a set of equations. Journal of Symbolic Computation, 21(3):253–288, 1996.
[42] James McKinna and Randy Pollack. Some lambda calculus and type theory formalized. Journal of Automated Reasoning, 23(3–4), November 1999.
[43] Paul-André Melliès. Axiomatic rewriting theory I, II, III, IV, V, VI, VII. Submitted, JCL 10(3)-2000, CTCS-7 (97), LICS-14 (98), in preparation, RTA-13 (02), in preparation, respectively.
[44] Gerd Mitschke. The standardization theorem for λ-calculus. Zeitschrift für mathematische Logik und Grundlagen der Mathematik, 25:29–31, 1979.
[45] Rob Nederpelt, Herman Geuvers, and Roel de Vrijer, editors. Selected Papers on Automath. North-Holland, 1994.
[46] M. H. A. Newman. On theories with a combinatorial definition of equivalence. In Annals of Math, volume 43, pages 223–243, 1942.
[47] Tobias Nipkow. More Church-Rosser proofs (in Isabelle/HOL). Journal of Automated Reasoning, 26:51–66, 2001.
[48] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002.
[49] Enno Ohlebusch. Church-Rosser theorems for abstract reduction modulo an equivalence relation. In Proceedings of RTA-9, volume 1379 of Lecture Notes in Computer Science. Springer-Verlag, 1998.
[50] Frank Pfenning and Carsten Schürmann. System description: Twelf - a meta-logical framework for deductive systems. In Harald Ganzinger, editor, Proceedings of CADE-16, volume 1632 of Lecture Notes in Artificial Intelligence. Springer-Verlag, 1999.
[51] Andrew Pitts. Nominal logic, a first order theory of names and binding. Information and Computation, 200X. To appear; a preliminary version appears in TACS-4 2001, LNCS 2215.
[52] Andrew Pitts, Jamie Gabbay, Mike Gordon, Mark Shinwell, Christian Urban, Peter White, and Simon Peyton Jones. The FreshML programming language. Documentation, implementation, and support available at http://www.freshml.org/ and http://www.cl.cam.ac.uk/users/amp12/freshml/.
[53] Gordon D. Plotkin. Call-by-name, call-by-value and the λ-calculus. Theoretical Computer Science, 1:125–159, 1975.
[54] Kristoffer Rose. Explicit substitutions: tutorial & survey. Technical Report LS-96-13, BRICS, Aarhus University, Denmark, September 1996.
[55] J. J. M. M. Rutten. A calculus of transition systems (towards universal coalgebra). Technical Report CS-R9503, CWI - Centrum voor Wiskunde en Informatica, January 31, 1995.
[56] Donald Sannella and Andrzej Tarlecki. Essential concepts of algebraic specification and program development. Formal Aspects of Computing, 9:229–269, 1997.
[57] David Schroer. The Church-Rosser theorem. PhD thesis, Cornell, June 1965.
[58] Carsten Schürmann. Automating the Meta Theory of Deductive Systems. PhD thesis, Carnegie Mellon University, 2000.
[59] N. Shankar. A mechanical proof of the Church-Rosser Theorem. Journal of the ACM, 35(3):475–522, 1988.
[60] Richard Statman. The typed λ-calculus is not elementary recursive. Theoretical Computer Science, 9:73–81, 1979.
[61] Allen Stoughton. Substitution revisited. Theoretical Computer Science, 59(3):317–325, August 1988.
[62] Masako Takahashi. Parallel reductions in λ-calculus. Information and Computation, 118:120–127, 1995.
[63] Vincent van Oostrom. Equivalence of reductions. In Terese, editor, Term Rewriting Systems, Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 2003.
[64] Rene Vestergaard. The Primitive Proof Theory of the λ-Calculus. PhD thesis, School of Mathematical and Computer Sciences, Heriot-Watt University, 2003.
[65] Rene Vestergaard and James Brotherston. A formalised first-order confluence proof for the λ-calculus using one-sorted variable names (Barendregt was right after all ... almost). In Aart Middeldorp, editor, Proceedings of RTA-12, volume 2051 of LNCS. Springer-Verlag, 2001. A full version is [68].
[66] Rene Vestergaard and James Brotherston. The mechanisation of Barendregt-style equational proofs (the residual perspective). Electronic Notes in Theoretical Computer Science, 58(1), 2001. Invited version of MERLIN'01 workshop paper.
[67] Rene Vestergaard and James Brotherston. The mechanisation of Barendregt-style equational proofs (the residual perspective). In Simon Ambler, Roy Crole, and Alberto Momigliano, editors, Proceedings of MERLIN-1, volume 2001/26 of Technical report series, Department of Mathematics and Computer Science, University of Leicester, 2001. A later version is [66].
[68] Rene Vestergaard and James Brotherston. A formalised first-order confluence proof for the λ-calculus using one-sorted variable names. Information and Computation, 183(2):212–244, 2003. Special edition with selected papers from RTA'01.
[69] Joe Wells, Detlef Plump, and Fairouz Kamareddine. Diagrams for meaning preservation. Draft, January 2003.
[70] Joe Wells and Rene Vestergaard. Confluent equational reasoning for linking with first-class primitive modules. Technical report, Heriot-Watt University, August 1999. Full paper, 3 appendices of proofs; a published version is [71].
[71] Joe Wells and Rene Vestergaard. Equational reasoning for linking with first-class primitive modules. In Gert Smolka, editor, Proceedings of ESOP-9, volume 1782 of LNCS. Springer Verlag, 2000. A long version is [70].
Index
alpha-equivalence, 66, 75, 93, 98, 108–109
decidable, 99–108
alpha-equivalence class, 75
alpha-reduction, 69
ARS morphism, point-surjective, 114
Barendregt conventional form, 68
weak, 152
Barendregt variable convention, 68
BCF-enabling, 90
BCF-existence, 98
BCF-universality, 98
beta-reduction, 69, 75
inner (strong), 149
parallel, 149
parallel, 115, 121
residual, 82, see residual relation
residual-completion, 83
total development, 116, 121
weak-head, 149
case-splitting, 53
Church-Rosser, 61
co-finality, 58
co-initiality, 58
commuting confluence lemma, 62
composition, relation, 57
point-wise, 57
confluence, 61, 113–131
-, 124
- (fresh-naming), 126
- (local), 125
- (residual), 136
-, 131
, 130
equivalences, 115
local, 60
preservation of, 114
reflection of, 114
confluence/Church-Rosser equivalence lemma, 61
congruence, 59
contextual closure, 59, 70, 82
contraction, 63
converse relation, 57
Curry-style reduction, 63, 74–75
Curry-style substitution, see substitution, capture-avoiding
de-marking, 83, 133
development property
strong, finite, 136
strong, weakly-finite, 137
-, 135
development relation, 133
diamond diagonalisation lemma, 63
diamond property, 60
diamond tiling lemma, 62
divergence, reduction, 58
end-term, 57
equational theory, 76
equivalence, point-wise (relations), 75
eta-expansion, 145
eta-reduction, 63, 66, 69, 75
generation lemma, 145
parallel, 143
fresh-naming, 52, 95–99
choice, axiom of co-finite, 53
complete, 100–103
weak, 152
hierarchy, reduction-relation, 58–59
Hindley-Rosen Lemma, 62
Hindley-style reduction, 65–66
Hyland's disjointness property, 81
induction, definition by, 54
induction, rule, 54
induction, structural, 53
name unification, 66
Newman's Lemma, 61
normal form, reduction, 58
normalisation, strong, 58
normalisation, weak, 58
orthonormality, 68–76
postponement, -over-, 148
proof principles, primitive, 52–55
proof-layer hierarchy, 85–88, 121
recursion, structural/primitive, 54
reduction relation, 57–58
reflexivity, relation, 57
residual completion, 83–84, 90
residual relation, 133
residual theory, 81
residual-completion property, 134
-, 135
resolvable (co-initiality), 58
rewriting, abstract, 57
some/any property, 93, 103–105
standardisation, 149–163
hereditary semi-, 151–158
absorptive weak-head (-), 162
progression (failing), 162–163
semi (-), 158
start-term, 57
structural collapse, 113
substitution lemma, 67, 85, 86
substitution tidiness, 71–72, 78–79
substitution, capture-avoiding, 64, 72–74
substitution, renaming-free, 69
substitution-as-a-relation, 72–74, 76–77
substitutivity lemma, 87, 94, 95, 102, 117, 127, 144, 155
symmetry, relation, 57
syntax, 51, see variable names
abstract/concrete, 52
assumptions, 53
conventions, writing, 51
equality, decidable, 55
marked/residual, 82
meta-variables, 51
transitivity, relation, 57
left/right, 59
union, relation, 57
uniquely bound, 68
unmarked, 133
variable monotonicity, 79, 93, 117, 127, 144, 151, 152
variable names, 52
assumptions, 52
bound, 55
capturing, 55
distinct, 97
equality, decidable, 52
free, 55
infinitary, 52
meta-variables, 51
occurring, 55
vector, 70
elements of, 70