Formalizing Strong Normalization Proofs Kazuhiko Sakaguchi College - - PowerPoint PPT Presentation

Formalizing Strong Normalization Proofs

Kazuhiko Sakaguchi

College of Information Science, University of Tsukuba

2014/12/3 TPP2014

Strong Normalization Theorem

In typed λ-calculi, strong normalization (SN) theorem is as follows.

∀Γ, t, τ. Γ ⊢ t : τ ⇒ SN(t)

If t is a typed term, then all reduction sequences from t are finite.

2 / 42

Strong Normalization Theorem

In typed λ-calculi, strong normalization (SN) theorem is as follows.

∀Γ, t, τ. Γ ⊢ t : τ ⇒ SN(t)

If t is a typed term, then all reduction sequences from t are finite.

2 / 42

Strong Normalization Theorem

In typed λ-calculi, strong normalization (SN) theorem is as follows.

∀Γ, t, τ. Γ ⊢ t : τ ⇒ SN(t)

If t is a typed term, then all reduction sequences from t are finite.

2 / 42

Strong Normalization Theorem

In typed λ-calculi, strong normalization (SN) theorem is as follows.

∀Γ, t, τ. Γ ⊢ t : τ ⇒ SN(t)

If t is a typed term, then all reduction sequences from t are finite. Non-terminating example of a untyped λ-term:

(λx. x x) (λx. x x) →β (λx. x x) (λx. x x)

2 / 42

Our Formalization of the λ-Calculus [Sak15]

◮ https://github.com/pi8027/lambda-calculus ◮ Goal

◮ Formalize many differnt proofs of the strong normalization

theorem in Coq.

◮ Build a general framework for formalizations of the strong

normalization theorem.

3 / 42

Our Formalization of the λ-Calculus [Sak15]

◮ https://github.com/pi8027/lambda-calculus ◮ Goal

◮ Formalize many differnt proofs of the strong normalization

theorem in Coq.

◮ Build a general framework for formalizations of the strong

normalization theorem.

◮ Current developments

◮ using de Bruijn representation ◮ untyped λ-calculus ◮ Church-Rosser theorem ◮ simply typed λ-calculus (λ→) and System F (λ2) ◮ subject reduction theorem ◮ strong normalization theorem

(contains 3 different definitions of the reducibility for each system)

3 / 42

Our Formalization of the λ-Calculus [Sak15]

◮ https://github.com/pi8027/lambda-calculus ◮ Goal

◮ Formalize many differnt proofs of the strong normalization

theorem in Coq.

◮ Build a general framework for formalizations of the strong

normalization theorem.

◮ Current developments

◮ using de Bruijn representation ◮ untyped λ-calculus ◮ Church-Rosser theorem ◮ simply typed λ-calculus (λ→) and System F (λ2) ◮ subject reduction theorem ◮ strong normalization theorem

(contains 3 different definitions of the reducibility for each system)

3 / 42

Part I

Nameless Terms and Proof Automation

Substitution for Nameless Terms

m[n := t] =      m − 1 if n < m t ↑n if n = m m if n > m

(u v)[n := t] = u[n := t] v[n := t] (λu)[n := t] = λu[n + 1 := t]

t ↑n is a term which is obtained by adding n to all the free variables of t. This operation is called a shift or lift.

u u[n := t] t

−1 ↑n n n + 1

5 / 42

Substitution for Nameless Terms

m[n := t] =      m − 1 if n < m t ↑n if n = m m if n > m

(u v)[n := t] = u[n := t] v[n := t] (λu)[n := t] = λu[n + 1 := t]

t ↑n is a term which is obtained by adding n to all the free variables of t. This operation is called a shift or lift.

u u[n := t] t

−1 ↑n n n + 1

5 / 42

Substitution for Nameless Terms

m[n := t] =      m − 1 if n < m t ↑n if n = m m if n > m

(u v)[n := t] = u[n := t] v[n := t] (λu)[n := t] = λu[n + 1 := t]

t ↑n is a term which is obtained by adding n to all the free variables of t. This operation is called a shift or lift.

u u[n := t] t

−1 ↑n n n + 1

5 / 42

Shift

t ↑d

c adds d to all the free variable of t that

are greater than or equal to c. n ↑d

c =

• n + d

if c ≤ n n if n < c

(t u) ↑d

c = t ↑d c u ↑d c

(λ t) ↑d

c = λ t ↑d c+1

t ↑d = t ↑d

t t ↑d

c

+d c c + d

6 / 42

Shift

t ↑d

c adds d to all the free variable of t that

are greater than or equal to c. n ↑d

c =

• n + d

if c ≤ n n if n < c

(t u) ↑d

c = t ↑d c u ↑d c

(λ t) ↑d

c = λ t ↑d c+1

t ↑d = t ↑d

t t ↑d

c

+d c c + d

6 / 42

Shift

t ↑d

c adds d to all the free variable of t that

are greater than or equal to c. n ↑d

c =

• n + d

if c ≤ n n if n < c

(t u) ↑d

c = t ↑d c u ↑d c

(λ t) ↑d

c = λ t ↑d c+1

t ↑d = t ↑d

t t ↑d

c

+d c c + d

6 / 42

(Restricted) Parallel Substitution

u[n := t1, . . . , tm] substitutes t1, . . . , tm for free variables n, . . . , n + m − 1 in u.

m[n := t] =      m − |t| if n + |t| ≤ m tm−n ↑n if n ≤ m < n + |t| m if m < n (u v)[n := t] = (u[n := t]) (v[n := t]) (λ u)[n := t] = λ (u[n + 1 := t])

u u[n := t] t

−|t| ↑n n n + |t|

7 / 42

(Restricted) Parallel Substitution

u[n := t1, . . . , tm] substitutes t1, . . . , tm for free variables n, . . . , n + m − 1 in u.

m[n := t] =      m − |t| if n + |t| ≤ m tm−n ↑n if n ≤ m < n + |t| m if m < n (u v)[n := t] = (u[n := t]) (v[n := t]) (λ u)[n := t] = λ (u[n + 1 := t])

u u[n := t] t

−|t| ↑n n n + |t|

7 / 42

(Restricted) Parallel Substitution

u[n := t1, . . . , tm] substitutes t1, . . . , tm for free variables n, . . . , n + m − 1 in u.

m[n := t] =      m − |t| if n + |t| ≤ m tm−n ↑n if n ≤ m < n + |t| m if m < n (u v)[n := t] = (u[n := t]) (v[n := t]) (λ u)[n := t] = λ (u[n + 1 := t])

u u[n := t] t

−|t| ↑n n n + |t|

7 / 42

(Restricted) Parallel Substitution

u[n := t1, . . . , tm] substitutes t1, . . . , tm for free variables n, . . . , n + m − 1 in u.

m[n := t] =      m − |t| if n + |t| ≤ m tm−n ↑n if n ≤ m < n + |t| m if m < n (u v)[n := t] = (u[n := t]) (v[n := t]) (λ u)[n := t] = λ (u[n + 1 := t]) This is useful for proving the strong normaliza- tion theorem.

u u[n := t] t

−|t| ↑n n n + |t|

7 / 42

Equational Properties

• f Shift and Parallel Substitution

t ↑0

n = t

(1) c ≤ c′ ≤ c + d ⇒ t ↑d

c↑d′ c′ = t ↑d′+d c

(2) c′ ≤ c ⇒ t ↑d

c↑d′ c′ = t ↑d′ c′ ↑d d′+c

(3) c ≤ n ⇒ t[n := u] ↑d

c = t ↑d c [d + n := u]

(4) n ≤ c ⇒ t[n := u] ↑d

c = t ↑d |u|+c [n := u ↑d c−n]

(5) c ≤ n ∧ |u| + n ≤ d + c ⇒ t ↑d

c [n := u] = t ↑d−|u| c

(6) m ≤ n ⇒ t[m := u][n := v] = t[|u| + n := v][m := u[n − m := v]] (7) t[|v| + n := u][n := v] = t[n := v + + u] (8) t[n := []] = t (9) where t ↑d

c = [t ↑d c| t ← t]

t[n := u] = [t[n := u] | t ← t]

8 / 42

Equational Property (5)

n ≤ c ⇒ t[n :=u] ↑d

c = t ↑d |u|+c[n :=u ↑d c−n]

t t[n := u] ↑d

c

t ↑d

|u|+c [n := u ↑d c−n]

u n |u| + n |u| + c d + c c − n

9 / 42

Equational Property (5)

n ≤ c ⇒ t[n :=u] ↑d

c = t ↑d |u|+c[n :=u ↑d c−n]

t t[n := u] ↑d

c

t ↑d

|u|+c [n := u ↑d c−n]

u n |u| + n |u| + c d + c c − n

9 / 42

Equational Property (5)

n ≤ c ⇒ t[n :=u] ↑d

c = t ↑d |u|+c[n :=u ↑d c−n]

t t[n := u] t[n := u] ↑d

c

t ↑d

|u|+c [n := u ↑d c−n]

u n |u| + n |u| + c c d + c c − n

9 / 42

Equational Property (5)

n ≤ c ⇒ t[n :=u] ↑d

c = t ↑d |u|+c[n :=u ↑d c−n]

t t ↑d

|u|+c

t[n := u] ↑d

c

t ↑d

|u|+c [n := u ↑d c−n]

u ↑d

c−n

u n |u| + n |u| + c d + |u| + c d + c d + c − n c − n

9 / 42

Equational Property (5)

n ≤ c ⇒ t[n :=u] ↑d

c = t ↑d |u|+c[n :=u ↑d c−n]

t t[n := u] t ↑d

|u|+c

t[n := u] ↑d

c

t ↑d

|u|+c [n := u ↑d c−n]

u ↑d

c−n

u n |u| + n |u| + c c d + |u| + c d + c d + c − n c − n

9 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

10 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

eliminating hypotheses

∀m. n ≤ m ⇒ P[n, m] ֒ → ∀m′. P[n, n + m′]

10 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

eliminating hypotheses

∀m. n ≤ m ⇒ P[n, m] ֒ → ∀m′. P[n, n + m′]

structural induction on term

10 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

eliminating hypotheses

∀m. n ≤ m ⇒ P[n, m] ֒ → ∀m′. P[n, n + m′]

structural induction on term applying congruence tactic

with some hypotheses: Sm + n = S(m + n), m + Sn = S(m + n)

10 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

eliminating hypotheses

∀m. n ≤ m ⇒ P[n, m] ֒ → ∀m′. P[n, n + m′]

structural induction on term applying congruence tactic

with some hypotheses: Sm + n = S(m + n), m + Sn = S(m + n)

case analysis

do !case: ifP

10 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

eliminating hypotheses

∀m. n ≤ m ⇒ P[n, m] ֒ → ∀m′. P[n, n + m′]

structural induction on term applying congruence tactic

with some hypotheses: Sm + n = S(m + n), m + Sn = S(m + n)

case analysis

do !case: ifP

automation based on omega

10 / 42

Proof Outline of the Equational Properties

We can apply some automation techniques for these proofs.

eliminating hypotheses

∀m. n ≤ m ⇒ P[n, m] ֒ → ∀m′. P[n, n + m′]

structural induction on term applying congruence tactic

with some hypotheses: Sm + n = S(m + n), m + Sn = S(m + n)

case analysis

do !case: ifP

automation based on omega manual proof

10 / 42

Example

Lemma subst_shift_distr n d c ts t : n <= c -> shift d c (substitute n ts t) = substitute n (map (shift d (c - n)) ts) (shift d (size ts + c) t). Proof. elimleq; elim: t n; congruence’ => v n; elimif_omega.

• rewrite !nth_default ?size_map /=; elimif_omega.
• rewrite -shift_shift_distr // nth_map’ /=;

congr shift; apply nth_equal; rewrite size_map; elimif_omega. Qed.

11 / 42

Performance Problem of omega

Notation minn x y := (x - (x - y)). Lemma minnA x y z : minn x (minn y z) = minn (minn x y) z.

• Proof. omega.

12 / 42

Performance Problem of omega

Notation minn x y := (x - (x - y)). Lemma minnA x y z : minn x (minn y z) = minn (minn x y) z.

• Proof. omega.

minn is the smallest number of two natural numbers.

x − (x − y) is a frequently appearing pattern in proofs relevant to the de Bruijn representation.

12 / 42

Performance Problem of omega

Notation minn x y := (x - (x - y)). Lemma minnA x y z : minn x (minn y z) = minn (minn x y) z.

• Proof. omega.

minn is the smallest number of two natural numbers.

x − (x − y) is a frequently appearing pattern in proofs relevant to the de Bruijn representation.

12 / 42

Performance Problem of omega

Notation minn x y := (x - (x - y)). Lemma minnA x y z : minn x (minn y z) = minn (minn x y) z.

• Proof. omega.

minn is the smallest number of two natural numbers.

x − (x − y) is a frequently appearing pattern in proofs relevant to the de Bruijn representation.

associativity of minn

12 / 42

Performance Problem of omega

Notation minn x y := (x - (x - y)). Lemma minnA x y z : minn x (minn y z) = minn (minn x y) z.

• Proof. omega.

minn is the smallest number of two natural numbers.

x − (x − y) is a frequently appearing pattern in proofs relevant to the de Bruijn representation.

associativity of minn runs forever

12 / 42

Performance Problem of omega

Notation minn x y := (x - (x - y)). Lemma minnA x y z : minn x (minn y z) = minn (minn x y) z.

• Proof. omega.

Some techniques are required to use the omega tactic for proving the equational properties. minn is the smallest number of two natural numbers.

x − (x − y) is a frequently appearing pattern in proofs relevant to the de Bruijn representation.

associativity of minn runs forever

12 / 42

Part II

Strong Normalization Theorem

λ→: Simply Typed λ-Calculus

types and terms: U ::= X

| (U → U)

t ::= x

| (t t) | (λx : U. t)

typing rules: Γ(x) = U Γ ⊢ x : U Γ ⊢ t : U → V Γ ⊢ u : U Γ ⊢ t u : V

{x : U} + Γ ⊢ t : V

Γ ⊢ λx : U. t : U → V reduction rules:

(λx : U. t) u →β t[x := u]

t1 →β t2 t1 u →β t2 u u1 →β u2 t u1 →β t u2 t →β t′ λx : U. t →β λx : U. t′

14 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

15 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

Γ ⊢ t : U SN→β(t) REDU(t)

Proof by induction

• n t or U.

(2) Proof by induction on t. (1) Proof by induction on U.

15 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

Γ ⊢ t : U SN→β(t) REDU(t)

Proof by induction

• n t or U.

(2) Proof by induction on t. (1) Proof by induction on U.

15 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

Γ ⊢ t : U SN→β(t) REDU(t)

Proof by induction

• n t or U.

(2) Proof by induction on t. (1) Proof by induction on U.

15 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

Γ ⊢ t : U SN→β(t) REDU(t)

Proof by induction

• n t or U.

(2) Proof by induction on t. (1) Proof by induction on U.

15 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

Γ ⊢ t : U SN→β(t) REDU(t)

Proof by induction

• n t or U.

(2) Proof by induction on t. (1) Proof by induction on U.

15 / 42

Proof Outline of the SN Theorem

Our proofs are based on the Girard’s proof [GTL89].

Γ ⊢ t : U SN→β(t) REDU(t)

Proof by induction

• n t or U.

(2) Proof by induction on t. (1) Proof by induction on U.

15 / 42

What is REDU?

in the Simply Typed λ-Calculus

REDU (reducibility) is defined by induction on the type U as follows: REDX(t)

def

⇐ ⇒ SN→β(t)

REDU→V(t)

def

⇐ ⇒ ∀u. REDU(u) ⇒ REDV(t u).

16 / 42

What is REDU?

in the Simply Typed λ-Calculus

REDU (reducibility) is defined by induction on the type U as follows: REDX(t)

def

⇐ ⇒ SN→β(t)

REDU→V(t)

def

⇐ ⇒ ∀u. REDU(u) ⇒ REDV(t u).

In typical definitions, REDU is a set of typed terms. But this definition of REDU contains untyped terms. For example,

(λx : U. x x) ∈ REDX.

16 / 42

Part 1: Reducible Terms are SN

CR1 REDU(t) ⇒ SN→β(t) CR2 t →β t′ ∧ REDU(t) ⇒ REDU(t′) CR3 neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t)

17 / 42

Part 1: Reducible Terms are SN

CR1 REDU(t) ⇒ SN→β(t) CR2 t →β t′ ∧ REDU(t) ⇒ REDU(t′) CR3 t is not of the form λx. u. neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t)

17 / 42

Part 1: Reducible Terms are SN

CR1 REDU(t) ⇒ SN→β(t) CR2 t →β t′ ∧ REDU(t) ⇒ REDU(t′) CR3 t is not of the form λx. u. neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t) CR2 is proved by induction on U. CR1,3 are proved together by induction on U.

17 / 42

Part 2: Typed Terms are Reducible

First, we prove the following proposition (reducibility theorem) by induction on t.

{x1 : U1, . . . , xn : Un, y1 : V1, . . . , ym : Vm} ⊢ t : U ∧ (∀i ∈ {1, . . . , n}. REDUi(ti)) ⇒ REDU(t[x1, . . . , xn := t1, . . . , tn])

18 / 42

Part 2: Typed Terms are Reducible

First, we prove the following proposition (reducibility theorem) by induction on t.

{x1 : U1, . . . , xn : Un, y1 : V1, . . . , ym : Vm} ⊢ t : U ∧ (∀i ∈ {1, . . . , n}. REDUi(ti)) ⇒ REDU(t[x1, . . . , xn := t1, . . . , tn])

In case of n = 0, this proposition is equivalent to

{y1 : V1, . . . , ym : Vm} ⊢ t : U ⇒ REDU(t).

18 / 42

Part 2: Typed Terms are Reducible

First, we prove the following proposition (reducibility theorem) by induction on t.

{x1 : U1, . . . , xn : Un, y1 : V1, . . . , ym : Vm} ⊢ t : U ∧ (∀i ∈ {1, . . . , n}. REDUi(ti)) ⇒ REDU(t[x1, . . . , xn := t1, . . . , tn])

In case of n = 0, this proposition is equivalent to

{y1 : V1, . . . , ym : Vm} ⊢ t : U ⇒ REDU(t).

Finally, we get a proof of the strong normalization theorem.

18 / 42

Typed Reducibility

Unsuccessful Example

Now, we redefine the reducibility as a set of typed terms. RED′Γ

X(t) def

⇐ ⇒ SN→β(t)

RED′Γ

U→V(t) def

⇐ ⇒ ∀u. REDΓ

U(u) ⇒ REDΓ V(t u)

REDΓ

U(t) def

⇐ ⇒ Γ ⊢ t : U ∧ RED′Γ

U(t)

19 / 42

Typed Reducibility

Unsuccessful Example

Now, we redefine the reducibility as a set of typed terms. RED′Γ

X(t) def

⇐ ⇒ SN→β(t)

RED′Γ

U→V(t) def

⇐ ⇒ ∀u. REDΓ

U(u) ⇒ REDΓ V(t u)

REDΓ

U(t) def

⇐ ⇒ Γ ⊢ t : U ∧ RED′Γ

U(t)

In this definition, proof of CR1 is unsuccessful.

19 / 42

A Proof of CR1

in Untyped Settings

CR1 REDU(t) ⇒ SN→β(t) CR3 neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t) CR1,3 are proved together by induction on U.

20 / 42

A Proof of CR1

in Untyped Settings

CR1 REDU(t) ⇒ SN→β(t) CR3 neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t) CR1,3 are proved together by induction on U.

• Proof. If U is a type variable, CR1 is a tautology. The only

remaining case is U = V → W.

20 / 42

A Proof of CR1

in Untyped Settings

CR1 REDU(t) ⇒ SN→β(t) CR3 neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t) CR1,3 are proved together by induction on U.

• Proof. If U is a type variable, CR1 is a tautology. The only

remaining case is U = V → W. REDV→W(t)

⇔ ∀u. REDV(u) ⇒ REDW(t u)

(definition of RED)

⇒ REDV(x) ⇒ REDW(t x)

(x is a fresh variable)

⇒ REDW(t x)

(I.H. of CR3)

⇒ SN→β(t x)

(I.H. of CR1)

⇒ SN→β(t)

(basic property of SN)

20 / 42

A Proof of CR1

in Untyped Settings

CR1 REDU(t) ⇒ SN→β(t) CR3 neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(t′)) ⇒ REDU(t) CR1,3 are proved together by induction on U.

• Proof. If U is a type variable, CR1 is a tautology. The only

remaining case is U = V → W. REDV→W(t)

⇔ ∀u. REDV(u) ⇒ REDW(t u)

(definition of RED)

⇒ REDV(x) ⇒ REDW(t x)

(x is a fresh variable)

⇒ REDW(t x)

(I.H. of CR3)

⇒ SN→β(t x)

(I.H. of CR1)

⇒ SN→β(t)

(basic property of SN) In typed settings, a term of type V is not always existing.

20 / 42

Solutions

There are 2 ways to solve this issue:

◮ Construct finite set of types by traversing proof tree of

Γ ⊢ t : U, and add it to Γ with fresh variables.

◮ Redefine REDU as a Kripke logical predicate.

21 / 42

Solution 1: Proof Tree Traversal

T

• Γ(x) = U

Γ ⊢ x : U

• = T ′(U)

T

• P1

P2 Γ ⊢ t u : V

• = T ′(V) ∪ T (P1) ∪ T (P2)

T

• P1

Γ ⊢ λx : U. t : U → V

• = T ′(U → V) ∪ T (P1)

T ′(X) = ∅ T ′(U → V) = {U} ∪ T ′(U) ∪ T ′(V)

22 / 42

Solution 1: Proof Tree Traversal

It is possible to prove the following CR1,2,3 in a similar method. CR1 (∀V ∈ T ′(U). V ∈ Γ) ∧ REDΓ

U(t) ⇒ SN→β(t)

CR2 t →β t′ ∧ REDΓ

U(t) ⇒ REDΓ U(t′)

CR3 (∀V ∈ T ′(U). V ∈ Γ) ∧ Γ ⊢ t : U

∧ neutral(t) ∧ (∀t′. t →β t′ ⇒ REDΓ

U(t′)) ⇒ REDΓ U(t)

23 / 42

Solution 1: Proof Tree Traversal

It is possible to prove the following CR1,2,3 in a similar method. CR1 (∀V ∈ T ′(U). V ∈ Γ) ∧ REDΓ

U(t) ⇒ SN→β(t)

CR2 t →β t′ ∧ REDΓ

U(t) ⇒ REDΓ U(t′)

CR3 (∀V ∈ T ′(U). V ∈ Γ) ∧ Γ ⊢ t : U

∧ neutral(t) ∧ (∀t′. t →β t′ ⇒ REDΓ

U(t′)) ⇒ REDΓ U(t)

23 / 42

Solution 2: Kripke Logical Predicate

RED′

X(Γ, t) def

⇐ ⇒ SN→β(t)

RED′

U→V(Γ, t) def

⇐ ⇒ ∀∆, u. Γ ≤ · ∆ ∧ REDU(∆, u) ⇒ REDV(∆, t u)

REDU(Γ, t)

def

⇐ ⇒ Γ ⊢ t : U ∧ RED′

U(Γ, t)

24 / 42

Solution 2: Kripke Logical Predicate

RED′

X(Γ, t) def

⇐ ⇒ SN→β(t)

RED′

U→V(Γ, t) def

⇐ ⇒ ∀∆, u. Γ ≤ · ∆ ∀x ∈ dom(Γ). Γ(x) = ∆(x) ∧ REDU(∆, u) ⇒ REDV(∆, t u)

REDU(Γ, t)

def

⇐ ⇒ Γ ⊢ t : U ∧ RED′

U(Γ, t)

24 / 42

Solution 2: Kripke Logical Predicate

RED′

X(Γ, t) def

⇐ ⇒ SN→β(t)

RED′

U→V(Γ, t) def

⇐ ⇒ ∀∆, u. Γ ≤ · ∆ ∀x ∈ dom(Γ). Γ(x) = ∆(x) ∧ REDU(∆, u) ⇒ REDV(∆, t u)

REDU(Γ, t)

def

⇐ ⇒ Γ ⊢ t : U ∧ RED′

U(Γ, t)

CR1 REDU(Γ, t) ⇒ SN→β(t) CR2 t →β t′ ∧ REDU(Γ, t) ⇒ REDU(Γ, t′) CR3 Γ ⊢ t : U ∧ neutral(t) ∧ (∀t′. t →β t′ ⇒ REDU(Γ, t′))

⇒ REDU(Γ, t)

24 / 42

λ2: System F [Gir72, GTL89]

types and terms: U ::= . . .

| (ΠX. U)

t ::= . . .

| (t U) | (ΛX. t)

additional typing rules: Γ ⊢ t : ΠX. U Γ ⊢ t V : U[X := V] X /

∈ Γ

Γ ⊢ t : U Γ ⊢ ΛX. t : ΠX. U additional reduction rules:

(ΛX. t) U →β t[X := U]

t1 →β t2 t1 U →β t2 U t1 →β t2 ΛX. t1 →β ΛX. t2

25 / 42

Strong Normalization Proofs for System F

It is impossible to define a reducibility for System F directly.

26 / 42

Strong Normalization Proofs for System F

It is impossible to define a reducibility for System F directly. Proof outline of the part 1:

• 1. Define the reducibility candidates. This is a (type indexed)

family of terms, and defined by conditions like CR1,2,3.

• 2. Define the reducibility with parameters. This corresponds

to the reducibility of λ→.

• 3. Prove that the reducibility with parameters is a reducibility

candidate.

26 / 42

Untyped Reducibility Candidates

Set of terms R is reducibility candidate if and only if CR1 R(t) ⇒ SN(t) CR2 t →β t′ ∧ R(t) ⇒ R(t) CR3 neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t).

27 / 42

Untyped Reducibility Candidates

Set of terms R is reducibility candidate if and only if CR1 R(t) ⇒ SN(t) CR2 t →β t′ ∧ R(t) ⇒ R(t) CR3 t is not of the form λx. u or ΛX. u. neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t).

27 / 42

Untyped Reducibility Candidates

Set of terms R is reducibility candidate if and only if CR1 R(t) ⇒ SN(t) CR2 t →β t′ ∧ R(t) ⇒ R(t) CR3 t is not of the form λx. u or ΛX. u. neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t). For example, SN is a reducibility candidate.

27 / 42

Untyped Reducibility with Parameters

REDY[X := R](t)

def

⇐ ⇒

• Ri(t)

if Y = Xi SN(t) if Y /

∈ X

REDU→V[X := R](t)

def

⇐ ⇒ ∀u. REDU[X := R](u) ⇒ REDV[X := R](t u)

REDΠY. U[X := R](t)

def

⇐ ⇒ ∀V, S. RC(S) ⇒ REDU[Y, X := S, R](t V)

28 / 42

Untyped Reducibility with Parameters

REDY[X := R](t)

def

⇐ ⇒

• Ri(t)

if Y = Xi SN(t) if Y /

∈ X

REDU→V[X := R](t)

def

⇐ ⇒ ∀u. REDU[X := R](u) ⇒ REDV[X := R](t u)

REDΠY. U[X := R](t)

def

⇐ ⇒ ∀V, S. RC(S) ⇒ REDU[Y, X := S, R](t V)

Lemma If R is a sequence of reducibility candidates, REDU[X := R] is a reducibility candidate.

28 / 42

Typed Reducibility Candidates 1 [Hur10]

Set of terms R is reducibility candidate of Γ, U if and only if CR1 #Γ ⊢ t : U ∧ R(t) ⇒ SN(t) CR2 #Γ ⊢ t : U ∧ t →β t′ ∧ R(t) ⇒ R(t′) CR3 #Γ ⊢ t : U ∧ neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t). where #Γ = {b : ΠX. X} + Γ

29 / 42

Typed Reducibility Candidates 1 [Hur10]

Set of terms R is reducibility candidate of Γ, U if and only if CR1 #Γ ⊢ t : U ∧ R(t) ⇒ SN(t) CR2 #Γ ⊢ t : U ∧ t →β t′ ∧ R(t) ⇒ R(t′) CR3 #Γ ⊢ t : U ∧ neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t). where #Γ = {b : ΠX. X} + Γ #Γ ⊢ b U : U b U is neutral and normal

29 / 42

Typed Reducibility with Parameters 1

REDΓ

Y[X := R : U](t) def

⇐ ⇒

• Ri(t)

if Y = Xi SN(t) if Y / ∈ X REDΓ

V→W[X := R : U](t) def

⇐ ⇒ ∀u. #Γ ⊢ u : V[X := U] ⇒ REDΓ

V[X := R : U](u)

⇒ REDΓ

W[X := R : U](t u)

REDΓ

ΠY. V[X := R : U](t) def

⇐ ⇒ ∀W, S. RCΓ

W(S)

⇒ REDΓ

V[Y, X := S, R : W, U](t W)

30 / 42

Typed Reducibility with Parameters 1

REDΓ

Y[X := R : U](t) def

⇐ ⇒

• Ri(t)

if Y = Xi SN(t) if Y / ∈ X REDΓ

V→W[X := R : U](t) def

⇐ ⇒ ∀u. #Γ ⊢ u : V[X := U] ⇒ REDΓ

V[X := R : U](u)

⇒ REDΓ

W[X := R : U](t u)

REDΓ

ΠY. V[X := R : U](t) def

⇐ ⇒ ∀W, S. RCΓ

W(S)

⇒ REDΓ

V[Y, X := S, R : W, U](t W)

Lemma If Ri is a reducibility candidate of Γ, Ui for all i ≤ |X|, REDΓ

V[X := R : U] is a reducibility candidate of Γ, V[X := U].

30 / 42

Typed Reducibility Candidates 2 [Gal89]

Set of pairs of type environment and term R is reducibility candidate of type U if and only if CRtyped R(Γ, t) ⇒ Γ ⊢ t : U CR0 Γ ≤

· ∆ ∧ R(Γ, t) ⇒ R(∆, t)

CR1 R(t) ⇒ SN(t) CR2 t →β t′ ∧ R(t) ⇒ R(t′) CR3 Γ ⊢ t : U ∧ neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t).

31 / 42

Typed Reducibility Candidates 2 [Gal89]

Set of pairs of type environment and term R is reducibility candidate of type U if and only if CRtyped R(Γ, t) ⇒ Γ ⊢ t : U CR0 Γ ≤

· ∆ ∧ R(Γ, t) ⇒ R(∆, t)

CR1 R(t) ⇒ SN(t) CR2 t →β t′ ∧ R(t) ⇒ R(t′) CR3 Γ ⊢ t : U ∧ neutral(t) ∧ (∀t′.t →β t′ ⇒ R(t′)) ⇒ R(t).

31 / 42

Typed Reducibility with Parameters 2

REDY[X := R : U](Γ, t)

def

⇐ ⇒

• Ri(Γ, t)

if Y = Xi SN′(Γ, t) if Y / ∈ X REDV→W[X := R : U](Γ, t)

def

⇐ ⇒ Γ ⊢ t : V → W ∧(∀∆, u. Γ ≤ · ∆ ⇒ REDV[X := R : U](∆, u) ⇒ REDW[X := R : U](∆, t u)) REDΠY. V[X := R : U](Γ, t)

def

⇐ ⇒ ∀W, S. RCW(S) ⇒ REDV[Y, X := S, R : W, U](t W)

32 / 42

Typed Reducibility with Parameters 2

REDY[X := R : U](Γ, t)

def

⇐ ⇒

• Ri(Γ, t)

if Y = Xi SN′(Γ, t) if Y / ∈ X REDV→W[X := R : U](Γ, t)

def

⇐ ⇒ Γ ⊢ t : V → W ∧(∀∆, u. Γ ≤ · ∆ ⇒ REDV[X := R : U](∆, u) ⇒ REDW[X := R : U](∆, t u)) REDΠY. V[X := R : U](Γ, t)

def

⇐ ⇒ ∀W, S. RCW(S) ⇒ REDV[Y, X := S, R : W, U](t W)

Lemma If Ri is a reducibility candidate of Ui for all i ≤ |X|, REDV[X := R : U] is a reducibility candidate of V[X := U].

32 / 42

Comparison of the SN Proofs

◮ SN proofs with typed reducibility requires type

preservation lemmas. On the other hand, SN proofs with untyped reducibility are completed without type preservation lemmas. (Untyped proofs are relatively simple.)

◮ Typed reducibilities are capturing the features of reducible

terms.

33 / 42

Conclusion

◮ We formalized strong normalization proofs with 6 different

definitions of the reducibility.

◮ $ wc -lc **/*.v

... 1808 72327 coq/LC/Debruijn/F.v 647 24413 coq/LC/Debruijn/STLC.v ... 3746 138149 total

◮ https://github.com/pi8027/lambda-calculus

34 / 42

Appendix

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder.

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

1

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

1

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

1

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a

free occurrence of a

λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a

free occurrence of a

λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a

free occurrence of a

λλ(λ1 2 0) 1 2

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a

free occurrence of a

λλ(λ1 2 0) 1 2

1

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a

free occurrence of a

λλ(λ1 2 0) 1 2

free occurrence of 0

36 / 42

λ-Calculus and Representations of Binding

named representation (name-carrying term) t ::= x (∈ Var) | (t t) | (λx. t) de Bruijn representation [dB72] (nameless terms) t ::= x (∈ N) | (t t) | (λt)

This number indicates the index of corresponding binder. Nameless terms don’t require a variable name in binding positions.

examples: λx. λy. (λz. y x z) x a

free occurrence of a

λλ(λ1 2 0) 1 2

free occurrence of 0

We use the de Bruijn representation for our formalization.

36 / 42

(Informal) Definition of Reduction

(λx. t) u →β t[x := u]

substituting u for every free occurrence of x in t t1 →β t2 t1 u →β t2 u u1 →β u2 t u1 →β t u2 t →β t′ λx. t →β λx. t′

37 / 42

(Informal) Definition of Reduction

(λx. t) u →β t[x := u]

substituting u for every free occurrence of x in t t1 →β t2 t1 u →β t2 u u1 →β u2 t u1 →β t u2 t →β t′ λx. t →β λx. t′

37 / 42

Capture

(λy. λx. y) x

38 / 42

Capture

(λy. λx. y) x

free occurrence of x

38 / 42

Capture

(λy. λx. y) x →β (λx. y)[y := x]

free occurrence of x

38 / 42

Capture

(λy. λx. y) x →β (λx. y)[y := x] = λx. x

free occurrence of x

38 / 42

Capture

(λy. λx. y) x →β (λx. y)[y := x] = λx. x

free occurrence of x x is bound variable. (captured)

38 / 42

Capture

(λy. λx. y) x →β (λx. y)[y := x] = λx. x

In the named representation, it is necessary to use a restricted reduction rule and the α-equivalence relation or capture-avoiding substitutions. free occurrence of x x is bound variable. (captured)

38 / 42

Comparison of the Representations

◮ named representation

◮ Non essential part of the proofs relevant to bindings are

large.

◮ Most part of proofs are required conditions relevant to free

variables such as x / ∈ FV(t), FV(t) ∩ FV(t′) = ∅, etc.

◮ de Bruijn representation

◮ We can concentrate on the essential part of the proofs. ◮ Conditions relevant to free variables are replaced by

inequality between indices.

39 / 42

Comparison of the Representations

◮ named representation

◮ Non essential part of the proofs relevant to bindings are

large.

◮ Most part of proofs are required conditions relevant to free

variables such as x / ∈ FV(t), FV(t) ∩ FV(t′) = ∅, etc.

◮ de Bruijn representation

◮ We can concentrate on the essential part of the proofs. ◮ Conditions relevant to free variables are replaced by

inequality between indices.

◮ The set of nameless terms corresponds to the quotient set

• f the named terms by α-equivalence relation.

39 / 42

Strong Normalization Property

The set of strongly normalizable terms SN ⊆ A can be defined by following axioms. SN-Intro ∀x ∈ A. (∀y ∈ A. x y ⇒ SN(y)) ⇒ SN(x) SN-Elim ∀P ⊆ A. (∀x ∈ A. (∀y ∈ A. x y ⇒ SN(y) ∧ P(y)) ⇒

P(x)) ⇒ SN ⊆ P

40 / 42

Strong Normalization Property

The set of strongly normalizable terms SN ⊆ A can be defined by following axioms. SN-Intro ∀x ∈ A. (∀y ∈ A. x y ⇒ SN(y)) ⇒ SN(x) SN-Elim ∀P ⊆ A. (∀x ∈ A. (∀y ∈ A. x y ⇒ SN(y) ∧ P(y)) ⇒

P(x)) ⇒ SN ⊆ P

In the Coq standard library, the strong normalization property is defined as a inductive predicate Acc. Constructor and induction principle of Acc correspond to SN-Intro and SN-Elim.

40 / 42

Bibliography I

Nicolaas Govert de Bruijn. Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem. Indagationes Mathematicae, 75(5):381–392, 1972. Jean H. Gallier. On Girard’s “candidats de reductibilité”. In Logic and Computer Science. Academic Press, 1989. Jean-Yves Girard. Interprétation fonctionnelle et élimination des coupures de l’arithmétique d’ordre supérieur. PhD thesis, Université de Paris 7, 1972. Jean-Yves Girard, Paul Taylor, and Yves Lafont. Proofs and Types. Cambridge University Press, 1989.

41 / 42

Bibliography II

Chung-Kil Hur. Heq : a Coq library for heterogeneous equality, 2010. URL: http://sf.snu.ac.kr/gil.hur/Heq/. Kazuhiko Sakaguchi. A formalization of typed and untyped λ-calculi in SSReflect-Coq and Agda2, 2011-2015. URL: https://github.com/pi8027/lambda-calculus.

42 / 42