A program logic for fresh name generation
arXiv [cs.LO], Jan
Harold Pancho Eliott and Martin Berger. Department of Informatics, University of Sussex, Brighton, UK. Turing Core, Huawei 2012 Labs, London, UK.
Abstract.
We present a program logic for Pitts and Stark's ν-calculus, an extension of the call-by-value simply-typed λ-calculus with a mechanism for the generation of fresh names. Names can be compared for equality and inequality, producing programs with subtle observable properties. Hidden names produced by interactions between generation and abstraction are captured logically with a second-order quantifier over type contexts. We illustrate usage of the logic through reasoning about well-known difficult cases from the literature.

Naming is a long-standing problem in computer science. Most programming languages can define naming constructs, which, when called, yield a fresh name. The π-calculus [11] made naming and the ν-operator, a constructor for name creation, a first-class construct, leading to a flurry of research, e.g. [6–8, 14, 15, 18]. Initially it was unclear if the π-calculus approach had purchase beyond process calculi. Pitts and Stark [16] as well as Odersky [12] added the ν-operator to the simply-typed λ-calculus (STLC from now on), and showed that the subtleties of naming are already present in the interplay between higher-order functions and fresh name generation. This raises the question of how to reason compositionally about programs that can generate fresh names. There are program logics for ML-like languages that can generate fresh references, such as [4, 19], but, to the best of our knowledge, always in the context of languages with other expressive features such as aliasing, mutable higher-order state or pointer arithmetic, leading to complex logics, where the contribution of fresh name generation to the difficulties of reasoning is not apparent. This is problematic because, while the type Nm carries the same information as Ref(Unit) in ML, we are often interested in reasoning about languages that combine fresh name generation with other features, such as meta-programming [3]. Can we study reasoning about fresh names in as simple a programming language as possible?

Research question. Is there a Hoare-style program logic for the ν-calculus, conservatively extending program logics for the STLC in a natural manner, that allows for compositional reasoning about fresh name generation?

The present paper gives an affirmative answer to the research question, and presents the first program logic for the ν-calculus.
Informal explanation. By the ν-calculus we mean the STLC with a type Nm of names, a constructor gensym of type Unit → Nm and a destructor, in the form of equality and inequality on names (gensym and ν are essentially identical, but the former is more widely used). Immediately we realise that the ν-calculus loses extensionality, as gensym () = gensym () evaluates to false. While the loss of extensionality is expected in a stateful language, the ν-calculus does not have state, at least not in a conventional sense.

A first difficulty is expressing freshness in logic. What does it mean for a name x to be fresh? A first idea might be to say that x is guaranteed to be distinct from all existing names. We cannot simply say {T} gensym () : u {∀x. u ≠ x}, since we must prevent ∀x. u ≠ x being instantiated to u ≠ u. We want to say something like:

∀x. {T} gensym () : u {u ≠ x}   (1)

Unfortunately we cannot quantify over Hoare triples. A second problem is that (1) is not strong enough, in the sense that gensym does not just create names that are fresh w.r.t. existing names, but also w.r.t. all future calls to gensym. We introduce a new quantifier to deal with both problems at the same time. A third difficulty is that fresh names can be exported or remain hidden, with observable consequences. Consider:

let x = gensym () in λy. x = y   (2)

of type Nm → Bool. It receives a name y as argument and compares it with the fresh name x. Since x is never exported to the outside, no context can ever supply this fresh x to λy. x = y. Hence (2) must be contextually indistinguishable from λy. false. Operationally, this is straightforward. But how can we prove this compositionally? Note that this is not a property of λy. x = y, but it is also not a consequence of x's being freshly generated, for x is also fresh in this program:

let x = gensym () in ⟨x, λy. x = y⟩   (3)

But in (3), λy. x = y can return true, for example if we use (3) in this context:

let p = [·] in (π p)(π p)

In program logics like [9], the specification of any abstraction λy.M will be a universally quantified formula ∀y.A. With fresh names, instantiation of quantification is a core difficulty. Recall that in first-order logic, ∀y.A always implies A[e/y], for all ambient expressions e. Clearly, in the case of (2) we cannot conclude A[x/y] from ∀y.A, because x is, in some sense, not available for instantiation. In contrast, in the case of (3) we can infer A[x/y]. Hence we need to answer the question of how to express logically the inability to instantiate a universal quantifier with a fresh and hidden name like x in (2). We introduce a novel restricted quantifier, limiting the values based on a type context, and a new quantifier over type contexts to extend the reach of restricted quantifiers.
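The observable difference between (2) and (3) can be checked by running the programs. The following is an added example, not code from the paper: a small evaluator for the ν-calculus that threads the set G of generated names exactly as the reduction rules do, and closes each program with a context. The context for (3) is read as (π2 p)(π1 p), which is an assumption about the projection indices; the context used for (2) is constructed here.

```python
from __future__ import annotations
from dataclasses import dataclass, field


# --- closed values ---------------------------------------------------------
@dataclass(frozen=True)
class Name:
    """An atomic name r; the only observation on names is (in)equality."""
    ident: int


@dataclass(frozen=True)
class Closure:
    """A value λx.M together with the environment it was formed in."""
    var: str
    body: tuple
    env: tuple          # immutable snapshot of (variable, value) pairs


GENSYM = ("gensym",)    # the value gensym : Unit -> Nm


@dataclass
class Config:
    """The G component of a configuration (G, M): names generated so far."""
    generated: set = field(default_factory=set)

    def fresh(self) -> Name:
        n = Name(len(self.generated))   # n is not in G: idents are consecutive
        self.generated.add(n)
        return n


# --- terms -----------------------------------------------------------------
# Terms are tagged tuples following the grammar of the calculus:
#   ("var", x) ("const", c) ("gensym",) ("lam", x, M) ("app", M, N)
#   ("let", x, M, N) ("eq", M, N) ("if", M, N1, N2) ("pair", M, N) ("proj", i, M)
UNIT = ("const", ())
GENSYM_CALL = ("app", ("gensym",), UNIT)          # gensym ()


def evaluate(term: tuple, env: dict, cfg: Config):
    """Big-step call-by-value evaluation of a term under env, threading G."""
    kind = term[0]
    if kind == "var":
        return env[term[1]]
    if kind == "const":
        return term[1]
    if kind == "gensym":
        return GENSYM
    if kind == "lam":
        return Closure(term[1], term[2], tuple(env.items()))
    if kind == "app":
        fun = evaluate(term[1], env, cfg)
        arg = evaluate(term[2], env, cfg)
        if fun == GENSYM:                  # (G, gensym ()) -> (G ∪ {n}, n), n fresh
            return cfg.fresh()
        return evaluate(fun.body, {**dict(fun.env), fun.var: arg}, cfg)
    if kind == "let":
        bound = evaluate(term[2], env, cfg)
        return evaluate(term[3], {**env, term[1]: bound}, cfg)
    if kind == "eq":                       # the destructor: equality on names only
        left, right = evaluate(term[1], env, cfg), evaluate(term[2], env, cfg)
        if not (isinstance(left, Name) and isinstance(right, Name)):
            raise TypeError("= compares names only")
        return left == right
    if kind == "if":
        branch = term[2] if evaluate(term[1], env, cfg) else term[3]
        return evaluate(branch, env, cfg)
    if kind == "pair":
        return (evaluate(term[1], env, cfg), evaluate(term[2], env, cfg))
    if kind == "proj":
        return evaluate(term[2], env, cfg)[term[1] - 1]
    raise ValueError(f"unknown term {term!r}")


def run(term: tuple):
    """Evaluate a closed term starting from the empty configuration (∅, M)."""
    return evaluate(term, {}, Config())


# --- the programs from the introduction ------------------------------------
TEST_X = ("lam", "y", ("eq", ("var", "x"), ("var", "y")))              # λy. x = y
PROGRAM_2 = ("let", "x", GENSYM_CALL, TEST_X)                          # program (2)
PROGRAM_3 = ("let", "x", GENSYM_CALL, ("pair", ("var", "x"), TEST_X))  # program (3)


def two_fresh_names_equal() -> bool:
    """gensym () = gensym () evaluates to false: the second name is fresh."""
    return run(("eq", GENSYM_CALL, GENSYM_CALL))


def hidden_name_stays_hidden() -> bool:
    """Constructed context  let p = [·] in p (gensym ())  around (2): a context can
    only pass names it generated itself, so the hidden x is never matched."""
    return run(("let", "p", PROGRAM_2, ("app", ("var", "p"), GENSYM_CALL)))


def exported_name_is_observable() -> bool:
    """Context  let p = [·] in (π2 p)(π1 p)  around (3), with the projection
    indices assumed: the exported x is fed back to the function, which answers true."""
    return run(("let", "p", PROGRAM_3,
                ("app", ("proj", 2, ("var", "p")), ("proj", 1, ("var", "p")))))


if __name__ == "__main__":
    print(two_fresh_names_equal(), hidden_name_stays_hidden(), exported_name_is_observable())
```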
Our programming language is essentially the ν-calculus of [16], with small additions, in particular pairs, included for the sake of convenience. We assume a countably infinite set of variables, ranged over by x, y, ..., and a countably infinite set, disjoint from variables, of names, ranged over by r, .... Constants, ranged over by c, are the Booleans true, false, and Unit (). For simplicity we also call our language the ν-calculus. It is given by the following grammar, where α ranges over types, Γ over standard type contexts (STC), V over values and M over programs. (Additions over the STLC highlighted.)

α ::= Unit || Bool || Nm || α → α || α × α
Γ ::= ∅ || Γ, x : α
V ::= r || gensym || x || c || λx.M || ⟨V, V⟩
M ::= V || M M || let x = M in M || M = M || if M then M else M || ⟨M, M⟩ || πi(M)

Free variables in M, written fv(M), are defined as usual. M is closed if fv(M) = ∅. There are no binders for names, so the set ˚a(M) of all names in M is given by the obvious rules, including ˚a(r) = {r} and ˚a(M N) = ˚a(M) ∪ ˚a(N). If ˚a(M) = ∅ then M is compile-time syntax. The νn.M constructor from the ν-calculus [16] is equivalent to let n = gensym () in M, as gensym () generates fresh names. The typing judgement is Γ ⊢ M : α, with the STC Γ being an unordered mapping from variables to types. Typing rules are standard [13] with the following extensions: Γ ⊢ gensym : Unit → Nm and Γ ⊢ r : Nm.

The operational semantics of our ν-calculus is straightforward and the same as [16]. A configuration of type α is a pair (G, M) where M is a closed term of type α, and G a finite set of previously generated names such that ˚a(M) ⊆ G. The standard call-by-value reduction relation, →, has the following key rules.

(G, (λx.M) V) → (G, M[V/x])
(G, gensym ()) → (G ∪ {n}, n)   (n ∉ G)
(G ∪ {n}, n = n) → (G ∪ {n}, true)
(G ∪ {n, n}, n = n) → (G ∪ {n, n}, false)   (n ≠ n)
(G, M) → (G′, N) implies (G, E[M]) → (G′, E[N])

Here M[V/x] is the usual capture-avoiding substitution, and E[·] ranges over the usual reduction contexts of the STLC. Finally, ⇓ is short for →∗.

This section defines the syntax of the logic. As is customary for program logics, ours is an extension of first-order logic with equality (alongside axioms for arithmetic).
Expressions, ranged over by e, e′, ..., formulae, ranged over by A, B, C, ..., and Logical Type Contexts (LTCs), ranged over by IΓ, IΓ′, IΓi, ..., are given by the grammar below. (Extensions over [9] highlighted.)

e ::= x^α || c || ⟨e, e⟩ || πi(e)
IΓ ::= ∅ || IΓ + x : α || IΓ + δ : TC
A ::= e = e || ¬A || A ∧ A || e • e = x^α {A} || ∀x^α ∈ (IΓ).A || ∀δ.A

Expressions, e, are standard, where constants, c, range over Booleans and (), but do not include names or gensym as constants. Equality, negation and conjunction are standard. Evaluation formulae e • e′ = m {A} internalise triples [9] and express that if the program denoted by e is executed with the argument denoted by e′, then the result, denoted by m, satisfies A. Since the ν-calculus has no recursion, all applications terminate and we do not distinguish partial from total correctness. We write e • e = e as shorthand for e • e = m {m = e}.

Given that variables represent values, ensuring hidden names cannot be revealed in an unsafe manner requires the idea that a value is derived from an LTC if a name-free term uses the variables in the LTC to evaluate to said value. Specifically, we define a name as reachable from said LTC if it can be derived from it, and hidden otherwise.

Freshness is not an absolute notion. Instead, a name is fresh with respect to something, in this case names generated in the past and future of the computation. Formulae refer to names by variables, and variables are tracked in the STC. Freshness is now defined in two steps: (1) first we characterise freshness of a name w.r.t. the current STC, meaning the name cannot be derived from the variables in the STC. Then, (2) we define freshness w.r.t. all future extensions of the current STC, details in Sec. 4. The modal operator is used in [19] in order to express "for all future extensions", but we found modalities inconvenient, since they don't allow us to name extensions. We introduce a new quantifier ∀x^α ∈ (IΓ).A instead, where IΓ ranges over LTCs from which x can be derived. To make this precise, we need LTCs (explained next), a generalisation of STCs.

LTCs. Like STCs, LTCs map variables to types, and are needed for typing expressions, formulae and triples (introduced in Sec. 6). LTCs generalise STCs in two ways: they are ordered, and they don't just contain program variables, but also type context variables (TCVs), ranged over by δ. TCVs are always mapped to the new type TC, short for type context. The ordering in LTCs is essential because IΓ + δ : TC implies δ represents an extension of the LTC IΓ.

Restricted universal quantification. The meaning of ∀x^α ∈ (IΓ).A is intuitively simple: A must be true for all x that range only over values of type α derived from IΓ that do not reveal hidden names. For example, if the model contained the name r but only as λy. y = r, then r is hidden, and whatever x in ∀x^α ∈ (IΓ).A ranges over, it must not reveal r. Formalising this requirement is subtle.

Quantification over LTCs. Below we formalise the axiomatic semantics of gensym by saying that the result of each call to this function is fresh w.r.t. all future extensions of the present state (with the present state being included). The purpose of ∀δ.A is to allow us to do so: ∀δ.A implies that for all future states derived from the current state (included), when the LTC for that state is assigned to the TCV δ, then A holds.

A convenient shorthand, the freshness predicate. We express freshness of the name x relative to the LTC IΓ as ∀z ∈ (IΓ). x ≠ z and, as this predicate is used pervasively, abbreviate it to x IΓ. Intuitively, x IΓ, a variant of a similar predicate in [19], states that the name denoted by x is not derivable, directly or indirectly, from the LTC IΓ.

Typing of expressions, formulae and triples. We continue with setting up definitions that allow us to type expressions, formulae and triples. The ordered union of IΓ and IΓ′ with dom(IΓ) ∩ dom(IΓ′) = ∅ is written IΓ + IΓ′, and should be understood as: every variable from dom(IΓ) comes before every variable from dom(IΓ′). Other abbreviations include ∃x^α ∈ (IΓ).A ≝ ¬∀x^α ∈ (IΓ).¬A, and, where α is obvious, (IΓ + y) ≝ (IΓ + y : α) (respectively (IΓ + δ) ≝ (IΓ + δ : TC)). For simplicity, where not explicitly required, IΓ + δ is written δ. Functions on LTCs are defined as expected, including mapping variables, IΓ(x), and TCVs, IΓ(δ); obtaining the domain, dom(IΓ); ordered removal of a variable, IΓ \ x; ordered removal of all TCVs, IΓ \ −TCV; and removal of TCVs to produce a STC, IΓ ↓ −TC. We define the free variables of an LTC, fv(IΓ) ≝ dom(IΓ ↓ −TC) ≝ dom(IΓ \ −TCV); the free variables of formulae are then defined as expected, with the additions fv(x IΓ) ≝ fv(IΓ) ∪ {x}, fv(∀x ∈ (IΓ).A) ≝ (fv(A) \ {x}) ∪ fv(IΓ), and fv(∀δ.A) ≝ fv(A). Similarly ftcv(IΓ) and ftcv(A) define all TCVs occurring in IΓ and unbound by ∀δ. in A respectively, calling IΓ TCV-free if ftcv(IΓ) = ∅.

The typing judgement for LTCs, written IΓ (cid:13) IΓ′, checks that IΓ′ is an 'ordered subset' of IΓ. Type checks on expressions, formulae and triples use LTCs as the base, written IΓ (cid:13) e : α, IΓ (cid:13) A and IΓ (cid:13) {A} M : u {B} respectively. Fig. 1 gives the rules defining the typing judgements. From now on we adhere to the following convention: all expressions, formulae and triples are typed, and we will mostly omit being explicit about typing.
Advanced substitutions. Reasoning with quantifiers requires quantifier instantiation. This is subtle with ∀δ.A, and we need to define two substitutions, A[e/x]_IΓ (substitutes expressions for variables) and A[IΓ/δ]_IΓ (LTCs substituted for TCVs). First extend the definition 'e is free for x^α in A' in [10], to ensure that if e contains destructors, i.e. πi( ) or =, then all free occurrences of x in any LTC IΓ in A must imply IΓ (cid:13) e : α. Below, we assume the standard substitution e[e′/x] of expressions for variables in expressions, simple details omitted. We define A[e/x]_IΓ, the logical substitution of e for x in A in the context of IΓ, if e is free for x in A and e is typed by IΓ, by the following clauses (simple cases omitted) and the auxiliary operation on LTCs below. We often write A[e/x] for A[e/x]_IΓ.

Fig. 1. Typing rules for LTCs, expressions, formulae and triples (see Sec. 6). Simple cases omitted. M in the last rule is compile-time syntax. Each rule is given as premises / conclusion.
- b ∈ {true, false} / IΓ (cid:13) b : Bool
- − / IΓ (cid:13) () : Unit
- IΓ(x) = α / IΓ (cid:13) x : α
- IΓ (cid:13) e : α, IΓ (cid:13) e′ : β / IΓ (cid:13) ⟨e, e′⟩ : α × β
- IΓ (cid:13) e : α × α / IΓ (cid:13) πi(e) : αi
- − / IΓ (cid:13) ∅
- IΓ (cid:13) IΓ / IΓ + x : α (cid:13) IΓ + x : α
- IΓ (cid:13) IΓ / IΓ + δ (cid:13) IΓ + δ
- IΓ (cid:13) IΓ / IΓ + IΓ′ (cid:13) IΓ
- IΓ (cid:13) e : α, IΓ (cid:13) e : α / IΓ (cid:13) e = e
- IΓ (cid:13) A, IΓ (cid:13) A / IΓ (cid:13) A ∧ A
- IΓ (cid:13) A / IΓ (cid:13) ¬A
- IΓ + δ : TC (cid:13) A / IΓ (cid:13) ∀δ.A
- IΓ (cid:13) e : α → β, IΓ (cid:13) e′ : α, IΓ + x : β (cid:13) A / IΓ (cid:13) e • e′ = x^β {A}
- IΓ (cid:13) x : Nm, IΓ (cid:13) IΓ′ / IΓ (cid:13) x IΓ′
- IΓ (cid:13) IΓ′, IΓ + x : α (cid:13) A / IΓ (cid:13) ∀x^α ∈ (IΓ′).A
- IΓ (cid:13) A, IΓ ↓ −TC ⊢ M : α, IΓ + m : α (cid:13) B / IΓ (cid:13) {A} M : m {B}

(e • e = m {A})[e/x]_IΓ ≝ e[e/x] • e[e/x] = m {A[e/x]_(IΓ + m)}   (x ≠ m, m ∉ fv(IΓ))
(y IΓ′)[e/x]_IΓ ≝ y[e/x] (IΓ′[e/x]_IΓ)
(∀m ∈ (IΓ′).A)[e/x]_IΓ ≝ ∀m ∈ (IΓ′[e/x]_IΓ).(A[e/x]_(IΓ + m))   (x ≠ m, m ∉ fv(IΓ))
(∀δ.A)[e/x]_IΓ ≝ ∀δ.(A[e/x]_(IΓ + δ))
IΓ′[e/x]_IΓ ≝ IΓ′_e s.t. dom(IΓ′_e) = fv(e) ∪ dom(IΓ′ \ x) and IΓ (cid:13) IΓ′_e, if x ∈ dom(IΓ′); IΓ′ if x ∉ dom(IΓ′)

Type context substitution A[IΓ/δ]_IΓ instantiates δ with IΓ in A, similar to classical substitution. We often write [IΓ/δ] for [IΓ/δ]_IΓ, as IΓ is used for ordering and is obvious. As above, the omitted cases are straightforward and the auxiliary operation on LTCs is included.

(x IΓ′)[IΓ/δ]_IΓ ≝ x (IΓ′[IΓ/δ]_IΓ)
(e • e = m {A})[IΓ/δ]_IΓ ≝ e • e = m {A[IΓ/δ]_(IΓ + m)}   (m ∉ dom(IΓ))
(∀x ∈ (IΓ′).A)[IΓ/δ]_IΓ ≝ ∀x ∈ (IΓ′[IΓ/δ]_IΓ).(A[IΓ/δ]_(IΓ + x))   (x ∉ dom(IΓ))
(∀δ′.A)[IΓ/δ]_IΓ ≝ ∀δ′.(A[IΓ/δ]_(IΓ + δ′)) if δ ≠ δ′; ∀δ.A otherwise   (δ′ ∉ dom(IΓ))
IΓ′[IΓ/δ]_IΓ ≝ IΓ s.t. dom(IΓ) = dom(IΓ, IΓ′) and IΓ (cid:13) IΓ, if δ ∈ dom(IΓ′); IΓ′ if δ ∉ dom(IΓ′)

We define a model ξ as a finite (possibly empty) map from variables and TCVs to closed values and TCV-free LTCs respectively.
ξ ::= ∅ || ξ · x : V || ξ · δ : IΓ′

Standard actions on models ξ are defined as expected and include: variable mappings to values, ξ(x), or TCV mappings to LTCs, ξ(δ); removal of variable x as ξ \ x (with (ξ · δ : IΓ) \ x = (ξ \ x) · δ : (IΓ \ x)); removal of TCV δ as ξ \ δ; removal of all TCVs as ξ \ −TCV; and defining all names in ξ as ˚a(ξ), noting that ˚a(IΓ) = ∅. A model ξ is typed by an LTC IΓ, written ξ^IΓ, if IΓ (cid:13) ξ as defined below, where IΓ_d = IΓ_d \ −TCV formalises that IΓ_d is TCV-free.

- − / ∅ (cid:13) ∅
- IΓ (cid:13) ξ, ∅ ⊢ V : α / IΓ + x : α (cid:13) ξ · x : V
- IΓ (cid:13) ξ, IΓ (cid:13) IΓ_d, IΓ_d = IΓ_d \ −TCV / IΓ + δ (cid:13) ξ · δ : IΓ_d

The closure of a term M by a model ξ, written Mξ, is defined as standard with the additions gensym ξ ≝ gensym and rξ ≝ r. Note that M(ξ \ −TCV) = Mξ = M(ξ · δ : IΓ′) holds for all δ and IΓ′, as IΓ ↓ −TC ⊢ M : α. The interpretation of expression e in a model ξ^IΓ, written [[e]]_ξ, is standard, e.g. [[c]]_ξ ≝ c, [[x]]_ξ ≝ ξ(x), [[⟨e, e′⟩]]_ξ ≝ ⟨[[e]]_ξ, [[e′]]_ξ⟩, etc. The interpretation of an LTC IΓ in a model ξ^IΓ, written [[IΓ]]_ξ, outputs a STC. It is assumed that IΓ (cid:13) the LTC in the following definition:

[[∅]]_ξ ≝ ∅
[[IΓ + x : α]]_ξ ≝ [[IΓ]]_ξ, x : α
[[IΓ + δ : TC]]_ξ ≝ [[IΓ]]_ξ ∪ [[ξ(δ)]]_ξ

Write M [IΓ, ξ] V for the derivation of a value V from a term M which is typed by the LTC IΓ and closed and evaluated in a model ξ. This ensures names are derived from actual reachable values in ξ, as if they were programs closed by the model, hence not revealing hidden names from ξ. M [IΓ, ξ] V holds exactly when:
- ˚a(M) = ∅
- [[IΓ]]_ξ ⊢ M : α
- (˚a(ξ), Mξ) ⇓ (˚a(ξ) ∪ G′, V)

Model extensions aim to capture the fact that models represent real states of execution, by stating that a model is only constructed by evaluating terms derivable from the model. A model ξ′ is a single-step model extension of another model ξ^IΓ, written ξ ξ′, if the single new value in ξ′ is derived from ξ, or the mapped LTC is IΓ with TCVs removed. Formally ξ^IΓ ξ′ holds if either of the following hold:
- There is M^α_y such that M_y [IΓ, ξ] V_y and ξ′^(IΓ + y : α) = ξ · y : V_y.
- ξ′^(IΓ + δ) = ξ · δ : IΓ \ −TCV for some δ.
We write ⋆ for the transitive, reflexive closure of this relation. If ξ ⋆ ξ′ we say ξ′ is an extension of ξ and ξ is a contraction of ξ′.

A model ξ is constructed by IΓ, written IΓ ⊲ ξ, if every TCV represents a model extension. Formally we define IΓ ⊲ ξ by the following rules:
- − / ∅ ⊲ ∅
- IΓ ⊲ ξ, there exists M^α with M [IΓ, ξ] V / IΓ + x : α ⊲ ξ · x : V
- IΓ ⊲ ξ, ξ ⋆ ξ^IΓ, IΓ = IΓ \ −TCV / IΓ + δ ⊲ ξ · δ : IΓ

A model ξ^IΓ is well constructed if there exists an LTC IΓ′ such that IΓ′ ⊲ ξ, noting that IΓ (cid:13) IΓ′. Model extensions and well-constructed models represent models derivable by ν-calculus programs, ensuring names cannot be revealed by later programs. Consider the basic model y : λa. if a = r then r else r: if r could be added to the model, this clearly reveals access to r; otherwise r is hidden. Hence we assume that all models are well constructed from here onwards.

Contextual equivalence of two terms requires them to be contextually indistinguishable in all variable-closing single-holed contexts of Boolean type in any valid configuration, as is standard [1, 17]. When M and M are closed terms of type α and ˚a(M) ∪ ˚a(M) ⊆ G, we write M ≅^G_α M to be equivalent to G, ∅ ⊢ M ≡ M : α from [1].

The satisfaction relation for a formula A in a well-constructed model ξ^IΓ, written ξ ⊨ A, assumes IΓ (cid:13) A, and is defined as follows:
- ξ ⊨ e = e′ if [[e]]_ξ ≅^˚a(ξ)_α [[e′]]_ξ.
- ξ ⊨ ¬A if ξ ⊭ A.
- ξ ⊨ A ∧ B if ξ ⊨ A and ξ ⊨ B.
- ξ ⊨ e • e′ = m {A} if [[e]]_ξ [[e′]]_ξ [∅, ξ] V and ξ · m : V ⊨ A.
- ξ ⊨ ∀x^α ∈ (IΓ′).A if for all M, M [IΓ′, ξ] V implies ξ · x : V ⊨ A.
- ξ ⊨ ∀δ.A if for all ξ′^IΓ′, ξ ⋆ ξ′ implies ξ′ · δ : (IΓ′ \ −TCV) ⊨ A.
- ξ ⊨ x IΓ if there is no M_x such that M_x [IΓ, ξ] [[x]]_ξ.

In first-order logic, if a formula is satisfied by a model, then it is also satisfied by extensions of that model, and vice versa (as long as all free variables of the formula remain in the model). This can no longer be taken for granted in our logic. Consider the formula ∀δ. ∃z ∈ (δ).(z IΓ ∧ ¬ z δ). Validity of this formula depends on how many names exist in the ambient model: it may become invalid under contracting the model. Fortunately, such formulae are rarely needed when reasoning about programs. In order to simplify our soundness proofs we will therefore restrict some of our axioms and rules to formulae that are stable under model extensions and contractions. Sometimes we need a weaker property, where formulae preserve their validity when a variable is removed from a model. Both concepts are defined semantically next.

We define a formula A as model extension independent, short Ext-Ind, if for all IΓ, ξ^IΓ, ξ′ such that IΓ (cid:13) A and ξ ⋆ ξ′ we have: ξ ⊨ A iff ξ′ ⊨ A. We define a formula A as thin w.r.t. x, written A thin w.r.t. x^α, if for all IΓ such that IΓ \ x (cid:13) A and x^α ∈ dom(IΓ), we have for all well-constructed models ξ^IΓ and ξ \ x that ξ ⊨ A implies ξ \ x ⊨ A.
Axioms and axiom schemas are similar in intention to those of the logic for the STLC, but expressed within the constraints of our logic. Axiom schemas are indexed by the LTC that types them and the explicit types where noted. We introduce the interesting axioms (schemas) and those used in Sec. 7.

Equality axioms are standard, where (eq1) allows for substitution. Most axioms for universal quantification over LTCs (u1–u5) are inspired by those of first-order logic. The exceptions are (u2), which allows for the reduction of LTCs, and (u5), which holds only on Nm-free types. Axioms for existential quantification over LTCs (ex1–ex3) are new, aside from (ex1), which is the dual of (u1). (ex2) introduces existential quantification from evaluation formulae that produce a fixed result. Reducing IΓ in ∃x ∈ (IΓ).A is possible via (ex3) for a specific structure. We use base types α_b ::= Unit || Bool || α_b × α_b as core lambda calculus types excluding functions. Freshness axioms (f1–f2) show instances where LTCs can be extended, whereas (f3–f4) reduce the LTC. Axiom (f1) [...] f being derived from IΓ + x, and the rest are trivial.

(eq1)  IΓ (cid:13) A(x) ∧ x = e ↔ A(x)[e/x]_IΓ
(u1)  IΓ (cid:13) ∀x^α ∈ (IΓ).A → A[e/x]_IΓ   (IΓ ⊢ e : α)
(u2)  ∀x ∈ (IΓ + IΓ).A → (∀x ∈ (IΓ).A) ∧ (∀x ∈ (IΓ).A)
(u3)  A^(−x) ↔ ∀x ∈ (IΓ).A^(−x)   (A Ext-Ind)
(u4)  ∀x ∈ (IΓ).(A ∧ B) ↔ (∀x ∈ (IΓ).A) ∧ (∀x ∈ (IΓ).B)
(u5)  ∀x^α ∈ (IΓ).A ↔ ∀x^α ∈ (∅).A   (α is Nm-free)
(ex1)  IΓ (cid:13) A[e/x]_IΓ → ∃x′ ∈ (IΓ).A   (IΓ (cid:13) IΓ and IΓ ⊢ e : α)
(ex2)  IΓ + x + IΓ (cid:13) a • b = c {c = x} → ∃x′ ∈ (IΓ). x = x′   ({a, b} ⊆ dom(IΓ))
(ex3)  IΓ + x (cid:13) ∀y ∈ (∅). ∃z^Nm ∈ (IΓ + y). x = z → ∃z ∈ (IΓ). x = z
(f1)  IΓ + x + f : α → α_b (cid:13) x IΓ → x (IΓ + f : α → α_b)
(f2)  IΓ (cid:13) x IΓ ∧ ∀y^α ∈ (IΓ).A ↔ ∀y^α ∈ (IΓ).(x (IΓ + y) ∧ A)
(f3)  x IΓ → x ≠ e   (IΓ ⊢ e : Nm)
(f4)  x (IΓ + IΓ) → x IΓ ∧ x IΓ

Axioms for quantification over LTCs are also similar to those for the classical universal quantifier, except (utc2), which extends the restricted quantifier to any future LTC, which can only mean adding fresh names.

(utc1)  IΓ (cid:13) ∀δ.A → A[IΓ/δ]_IΓ
(utc2)  IΓ (cid:13) ∀x^Nm ∈ (IΓ).A^(−δ) ↔ ∀δ. ∀x^Nm ∈ (IΓ + δ).A   (A Ext-Ind)
(utc3)  A^(−δ) ↔ ∀δ.A^(−δ)   (A Ext-Ind)
(utc4)  ∀δ.(A ∧ B) ↔ (∀δ.A) ∧ (∀δ.B)

Axioms for the evaluation formulae are similar to those of [2]. The interaction between evaluation formulae and the new constructors is shown. All STLC values are included in the variables of Nm-free type, and if we let Ext(e, e) stand for ∀x ∈ (∅). e • x = m {e • x = m {m = m}} then (ext) maintains extensionality in this logic for STLC terms. Typing restrictions require m ∉ fv(A) in (e1) and fv(e, e, m) ∩ dom(IΓ + x) = ∅ in (e2).

(e1)  e • e = m {A ∧ B} ↔ (A ∧ e • e = m {B})   (A Ext-Ind)
(e2)  e • e = m {∀x ∈ (IΓ).A} ↔ ∀x ∈ (IΓ). e • e = m {A}
(e3)  e • e = m^α_b {∀δ.A} ↔ ∀δ. e • e = m^α_b {A}   (A Ext-Ind)
(ext)  Ext(e, e) ↔ e =_(α → α) e   (α → α is Nm-free)

Our logic uses standard triples {A} M : m {B} where, in this logic, the program M is restricted to compile-time syntax. Triples are typed by the rule in Fig. 1. The semantics of triples is standard: if the precondition A holds and the value derived from M is assigned to the anchor m, then the postcondition B holds. In detail: let ξ^IΓ be a model. ξ^IΓ ⊨ {A} M : m {B} iff ξ ⊨ A implies (M [IΓ, ξ] V and ξ · m : V ⊨ B). The triple is valid, written ⊨ {A} M : m {B}, if for all IΓ and ξ^IΓ we have that IΓ (cid:13) {A} M : m {B} and IΓ ⊲ ξ together imply ξ ⊨ {A} M : m {B}. From here on we will assume all models are well constructed, noting that the construction of models is the essence of ∀δ., as it allows for all possible future names generated. Variables occurring in dom(ξ) − dom(IΓ) may never occur directly in the triple, but their mapped values will have an effect.

The rules of inference can be found in Fig. 2 and Fig. 3. We write ⊢ {A} M : m {B} to indicate that {A} M : m {B} can be derived from these rules. Our rules are similar to those of [9] for vanilla λ-calculi, but suitably adapted to the effectful nature of the ν-calculus. All rules are typed. The typing of rules follows the corresponding typing of the programs occurring in the triples, but with additions to account for auxiliary variables. We have two substantially new rules: [Gensym] and [Let]. The former lets us reason about fresh name creation by gensym, the latter about let x = M in N. Operationally, let x = M in N is often just an abbreviation for (λx.N) M, but we have been unable to derive [Let] using the remaining rules and axioms.
Any syntactic proof of [Let] requires [Lam] and [App], which requires the postcondition C thin w.r.t. p, for p the anchor of the [Lam] rule. We have not been able to prove this thinness for all models of the relevant type. In comparison with [9, 19], the primary difference in our rules is our substitution. Our changes to substitution only affect [Eq] and [Proj(i)], which are reduced in strength by the new definition of substitution, as more constraints are placed on the formulae to ensure correct substitution occurs. All other rules remain equally strong. The other difference from [9] is the need for thinness to replace the standard 'free from', which is discussed above. Removal of variables via thinness is required in the proof of soundness, for example in [App], which produces u from m and n; hence Ext-Ind is insufficient given the order of IΓ + m + n + u (cid:13) C, i.e. u is introduced after m and n. We explain the novelty in the rules in more detail below.

Fig. 2. Rules for the core language, cf. [2, 9, 19]. We require C thin w.r.t. m in [Proj(i), Let] and C thin w.r.t. m, n in [Eq, App, Pair]. We omit LTCs where not essential. Each rule is given as premises / conclusion.
- [Var]: − / {A[x/m]} x : m {A}
- [Gensym]: − / {T} gensym : u {∀δ. u • () = m {m δ}}
- [Const]: − / {A[c/m]} c : m {A}
- [Eq]: {A} M : m {B}, {B} N : n {C[m = n/u]} / {A} M = N : u {C}
- [Lam]: A Ext-Ind, IΓ + δ + x : α ⊢ {A^(−x) ∧ B} M : m {C} / IΓ ⊢ {A} λx^α.M : u {∀δ. ∀x^α ∈ (δ).(B → u • x = m {C})}
- [App]: {A} M : m {B}, {B} N : n {m • n = u {C}} / {A} MN : u {C}
- [If]: {A} M : m {B}, {B[b_i/m]} N_i : u {C} (b = true, b = false, i = 1, ...) / {A} if M then N else N : u {C}
- [Pair]: {A} M : m {B}, {B} N : n {C[⟨m, n⟩/u]} / {A} ⟨M, N⟩ : u {C}
- [Proj(i)]: {A} M : m {C[πi(m)/u]} / {A} πi(M) : u {C}
- [Let]: {A} M : m {B}, {B} N : u {C} / {A} let m^α = M in N : u {C}

In [Gensym], u • () = m {m δ} indicates that the name produced by u () and stored at m is not derivable from the LTC δ. If there were no quantification over LTCs prior to the evaluation we could only say m is fresh from the current typing context; however, we want to say that even if there is a future typing context with new names and we evaluate u (), this will still produce a fresh name. Hence we introduce the ∀δ. to quantify over all future LTCs (and hence all future names). Elsewhere in reasoning it is key that the postcondition of [Gensym] is Ext-Ind and hence holds in all extending and contracting models (assuming the anchor for gensym is present), reinforcing the re-applicability of gensym in any context.

Rules for λ-abstraction in previous logics for λ-calculi [9, 19] universally quantify over all possible arguments. Our corresponding [Lam] rule refines this and quantifies over current or future values that do not contain hidden names. Comparing the two LTCs typing the assumption and the conclusion shows that IΓ + δ + x extends IΓ to any possible extension assigned to δ, and extends to x a value derived from IΓ + δ. Hence the typing implies precisely what is conveyed in the postcondition of the conclusion: '∀δ. ∀x ∈ (δ).'. Constraints on δ and x are introduced by B, and A Ext-Ind implies A still holds in all extensions of IΓ, including IΓ + δ + x. The rest is trivial when we consider ((λx.M) x)ξ ≅^˚a(ξ)_α Mξ.

The STLC's [Let] rule introduces x in the postcondition by means of an '∃x.C'. This fails here as x may be unreachable, hence not derivable from any extending or contracting LTC. The requirement that C thin w.r.t. x ensures x is not critical to C, so it can either be derived from the current LTC or is hidden. Thinness ensures no reference to the variable m is somehow hidden under quantification over LTCs.

The [Invar] rule is standard with the constraint that C Ext-Ind, to ensure C holds in the extension where m has been assigned. The [LetFresh] rule is commonly used and hence included for convenience, but it is entirely derivable from the other rules.

Fig. 3. Key structural rules [Conseq] and [Invar] and, for convenience, the derived [LetFresh] rule, where C thin w.r.t. m is required. Each rule is given as premises / conclusion.
- [Conseq]: A → A′, {A′} M : m {B′}, B′ → B / {A} M : m {B}
- [Invar]: C Ext-Ind, {A} M : m {B} / {A ∧ C} M : m {B ∧ C}
- [LetFresh]: A Ext-Ind, IΓ + m : Nm ⊢ {A ∧ m IΓ} M : u {C} / IΓ ⊢ {A} let m = gensym () in M : u {C}

Theorem 1.
All axioms and rules are sound.
Theorem 2.
The logic for the ν-calculus is a conservative extension of the logic [9] for the STLC. All proofs can be found in the first author's forthcoming dissertation [5].
Example 1. We reason about the core construct gensym () in an LTC IΓ. In line 2, (utc1) instantiates the postcondition to b • () = a {a IΓ + b} and (f b from the LTC to ensure the postcondition satisfies the thin w.r.t. b requirement in [App].

1  IΓ ⊢ {T} gensym : b {∀δ. b • () = a {a δ}}                        [Gensym]
2  IΓ ⊢ {T} gensym : b {b • () = a {a IΓ}}                           [Conseq], (utc1), (f4), 1
3  IΓ + b ⊢ {b • () = a {a IΓ}} () : c {b • c = a {a IΓ}}            [Const]
4  IΓ ⊢ {T} gensym () : a {a IΓ}                                     [App], 2, 3

Example 2. We reason about the comparison of two fresh names, clearly returning false, by applying Example 1 in the relevant LTCs.

1  IΓ ⊢ {T} gensym () : a {a IΓ}                            See Example 1
2  IΓ + a ⊢ {T} gensym () : b {b IΓ + a}                    See Example 1
3  IΓ + a ⊢ {a IΓ} gensym () : b {a = b}                    [Conseq], (f3), 2
4  IΓ ⊢ {T} gensym () = gensym () : u {u = false}           [Eq], 3

Example 3. Placing name generation inside an abstraction halts the production of fresh names until the function is applied. When y is of type Unit this specification is identical to that of gensym.

1  IΓ + δ + y ⊢ {T} gensym () : m {m IΓ + δ + y}                                   See Example 1
2  IΓ ⊢ {T} λy. gensym () : u {∀δ. ∀y ∈ (δ). u • y = m {m IΓ + δ + y}}             [Lam], 2

Example 4. Generating a name outside an abstraction and returning that same name in the function is often compared to Example 3 [1,17]. We reason as follows, letting A(p) ≝ ∀δ. ∀y ∈ (δ). u • y = m {m IΓ ∧ p = m}.

1  {x IΓ} x : m {m IΓ ∧ x = m}                                            [Var]
2  {x IΓ} λy.x : u {A(x)}                                                [Lam], 1
3  {x IΓ} λy.x : u {∃x′ ∈ (u). A(x′)}                                    [Conseq], 2
4  IΓ ⊢ {T} let x = gensym () in λy.x : u {∃x′ ∈ (u). A(x′)}             [LetFresh], 3

Proof of line 3 above, which essentially proves that x is derivable from u:

5  A(x) ∧ ∀y ∈ (∅). u • y = m {x = m}        (utc1), (u2), FOL
6  A(x) ∧ ∃x′ ∈ (u). x = x′                  (ex2), (ex3)
7  ∃x′ ∈ (u). (A(x) ∧ x = x′)                (u3), (u4)
8  ∃x′ ∈ (u). A(x′)                          (eq1)

Example 5. In order to demonstrate the subtlety of hidden names, the Introduction used Program (2), which was M ≝ let x = gensym () in λy. x = y. We now use our logic to reason about M.

1  IΓ + x + δ + y ⊢ {T} x = y : m {m = (x = y)}                                    [Eq]
2  IΓ + x ⊢ {T} λy. x = y : u {∀δ. ∀y ∈ (δ). u • y = (x = y)}                      [Lam], 1
3  IΓ + x ⊢ {x IΓ} λy. x = y : u {x IΓ ∧ ∀δ. ∀y ∈ (δ). u • y = (x = y)}            [Invar], 2
4  IΓ + x ⊢ {x IΓ} λy. x = y : u {∀y ∈ (IΓ + u). u • y = false}                    [Conseq], 3
5  IΓ ⊢ {T} M : u {∀y ∈ (IΓ + u). u • y = false}                                   [LetFresh]
6  IΓ ⊢ {T} M : u {∀δ. ∀y^Nm ∈ (δ). u • y = false}                                 (utc2)

To prove line 4 above we apply the axioms as follows:

7   IΓ + x + u ⊢ x IΓ ∧ ∀δ. ∀y ∈ (δ). u • y = (x = y)
8   x IΓ ∧ ∀y ∈ (IΓ + x + u). u • y = (x = y)                 (utc1)
9   x IΓ + u ∧ ∀y ∈ (IΓ + x + u). u • y = (x = y)             (f1)
10  x IΓ + u ∧ ∀y ∈ (IΓ + u). u • y = (x = y)                 (u2)
11  ∀y ∈ (IΓ + u). x IΓ + u + y ∧ u • y = (x = y)             (f2)
12  ∀y ∈ (IΓ + u). x = y ∧ u • y = (x = y)                    (f3)
13  ∀y ∈ (IΓ + u). u • y = false                              (e1)

Example 6. To demonstrate the release of a hidden variable using Program (3), which was M ≝ let x = gensym () in ⟨x, λy. x = y⟩, we reason as follows, with A(p, q) ≝ p IΓ ∧ ∀δ. ∀y ∈ (δ). q • y = (p = y):

1  {x IΓ} x : b {x = b ∧ x IΓ}                                           [Var]
2  {T} λy. x = y : c {∀δ. ∀y ∈ (δ). c • y = (x = y)}                     See Example 4, lines 1–2
3  {x = b ∧ x IΓ} λy. x = y : c {x = π(⟨b, c⟩) ∧ C(x, c)}                 [Conseq], [Invar], 2
4  {x = b ∧ x IΓ} λy. x = y : c {A(π(a), π(a))[⟨b, c⟩/a]}                 [Conseq], (eq1)
5  {x IΓ} ⟨x, λy. x = y⟩ : a {A(π(a), π(a))}                              [Pair], 1, 4
6  IΓ ⊢ {T} M : a {A(π(a), π(a))}                                        [LetFresh], 5

We have presented the first program logic for the ν-calculus, a variant of the STLC with names as first-class values. Our logic is a conservative extension, with two new universal quantifiers, of the logic in [9] for the STLC. We provide axioms and proof rules for the logic, prove their soundness, and show its expressive power by reasoning about well-known difficult examples from the literature. We are currently unable to reason about this example from [16]:

    let F = (let x, y = gensym () in λf^{Nm → Nm}. f x = f y) in
    let G = λv^{Nm}. F (λu^{Nm}. v = u) in
    F G
Is this because our logic is too inexpressive, or did we simply fail to find the right proof? Another open question is whether our logic’s approach to freshness is independent of the ν-calculus’s lack of integers and recursion. For both questions we conjecture the former, and leave them as future work.

References
1. Benton, N., Koutavas, V.: A Mechanized Bisimulation for the Nu-Calculus. Tech. Rep. MSR-TR-2008-129, Microsoft (2008)
2. Berger, M., Tratt, L.: Program Logics for Homogeneous Generative Run-Time Meta-Programming. Logical Methods in Computer Science (LMCS) (1:5) (2015)
3. Berger, M., Tratt, L., Urban, C.: Modelling Homogeneous Generative Meta-Programming. In: Proc. ECOOP, pp. 5:1–5:23 (2017)
4. Dreyer, D., Neis, G., Birkedal, L.: The impact of higher-order state and control effects on local relational reasoning. In: Proc. ICFP, pp. 143–156 (2010)
5. Eliott, H.P.: Program Logic for Fresh Name Generation. Ph.D. thesis, University of Sussex (expected 2021), draft
6. Fernández, M., Gabbay, M.J., Mackie, I.: Nominal Rewriting Systems. In: Proc. PPDP, pp. 108–119 (2004)
7. Gabbay, M.J., Pitts, A.M.: A New Approach to Abstract Syntax with Variable Binding. Formal Aspects of Computing, 341–363 (2001)
8. Honda, K.: Elementary structures in process theory (1): Sets with renaming. MSCS (5), 617–663 (2000)
9. Honda, K., Yoshida, N.: A compositional logic for polymorphic higher-order functions. In: Proc. PPDP’04, pp. 191–202. ACM Press (2004)
10. Mendelson, E.: Introduction to Mathematical Logic. Wadsworth Inc. (1987)
11. Milner, R., Parrow, J., Walker, D.: A Calculus of Mobile Processes, Parts I and II. Information and Computation (1) (1992)
12. Odersky, M.: A Functional Theory of Local Names. In: Proc. POPL, pp. 48–59 (1994)
13. Pierce, B.C.: Types and Programming Languages. MIT Press (2002)
14. Pitts, A.M.: Nominal logic, a first order theory of names and binding. Information and Computation, 165–193 (2003)
15. Pitts, A.M.: Nominal Sets: Names and Symmetry in Computer Science. CUP (2013)
16. Pitts, A.M., Stark, I.D.B.: Observable Properties of Higher Order Functions that Dynamically Create Local Names, or What’s new? In: MFCS (1993)
17. Stark, I.: Names and Higher-Order Functions. Ph.D. thesis, University of Cambridge (1994), Technical Report 363, Univ. of Cambridge Computer Laboratory
18. Urban, C., Tasson, C.: Nominal Techniques in Isabelle/HOL. In: Proc. CADE, pp. 38–53 (2005)
19. Yoshida, N., Honda, K., Berger, M.: Logical Reasoning for Higher-Order Functions with Local State. Logical Methods in Computer Science (2) (2008)

Appendix
In the proofs that follow, we will use blue colouring to represent the “meta” logic constructors, i.e. ∀ meaning “for all” (in the meta language), ...

We prove soundness of the logic by proving that all the rules and axioms are sound, i.e.

    ⊢ {A} M :u {B}  implies  ⊨ {A} M :u {B}

The proof of soundness of the logic requires us to prove all axioms and rules sound; this is done in App. C and App. D. We give a syntactic characterisation of Ext-Ind and thinness and prove they hold as such in App. E and App. F. Conservativity from the STLC is introduced formally and proven in App. G.
Structure of the appendix.
App. A  Typing rules of ν-calculus programs
App. B  Lemmas used in the following proofs
App. C  Proof of soundness of axioms
App. D  Proof of soundness of rules
App. E  Definition of syntactic Ext-Ind and proof that syntactic Ext-Ind implies Ext-Ind
App. F  Definition of syntactic thinness and proof that syntactic thinness implies thinness
App. G  Definition and proof of conservativity
A  Typing Rules For The ν-calculus

The typing rules for the ν-calculus are included for completeness in Fig. 4.

    c ∈ {true, false}
    -----------------          --------------          Γ(x) = α
    Γ ⊢ c : Bool               Γ ⊢ () : Unit           ----------
                                                       Γ ⊢ x : α

    ------------------------   ------------
    Γ ⊢ gensym : Unit → Nm     Γ ⊢ r : Nm

    Γ, x : α ⊢ M : α           Γ ⊢ M : α → α    Γ ⊢ N : α
    ---------------------      ---------------------------
    Γ ⊢ λx^α.M : α → α         Γ ⊢ M N : α

    Γ ⊢ M : α    Γ, x : α ⊢ N : α       Γ ⊢ M : Bool    Γ ⊢ N : α    Γ ⊢ N : α
    ------------------------------      ----------------------------------------
    Γ ⊢ let x^α = M in N : α            Γ ⊢ if M then N else N : α

    Γ ⊢ M : α    Γ ⊢ N : α     Γ ⊢ M : α × α
    -----------------------    -----------------
    Γ ⊢ ⟨M, N⟩ : α × α         Γ ⊢ π_i(M) : α_i

Fig. 4. Typing rules for the ν-calculus programming language.

B  Lemmas Used For The Following Proofs
First we introduce some definitions that are either from the literature or derived from other definitions.
Contextual Equivalence.

    M ≅^G_α M ⟷ ∀C[·]_α, b^Bool. (∅ ⊢ C[·]_α : Bool ∧ å(C[·]) ⊆ G) → ((å(ξ) ∪ G, C[M]) ⇓ (G′, b) ⟷ (å(ξ) ∪ G, C[M]) ⇓ (G′, b))    (4)

Derived Semantics of formulae.
- ξ^{IΓ} ⊨ ∃x^α ∈ (IΓ′). A  if there exists M^α. M [IΓ, ξ] V and ξ′ · x : V ⊨ A
- ξ ⊨ A^{−x}(x)[e/x]^{IΓ}  if x ∉ dom(ξ) ∧ e [IΓ, ξ] V ∧ ξ · x : V ⊨ A(x)
- ξ ⊨ A^{−x}(x)[e/x]^{IΓ}  if x ∈ dom(ξ) ∧ ∀x′. x′ ∉ dom(ξ) → ξ ⊨ A(x′)[e/x′]^{IΓ}
- ξ ⊨ A^{−δ}(δ)[IΓ/δ]^{IΓ}  if δ ∉ dom(ξ) then ⟦IΓ⟧ξ = IΓ and ξ · δ : IΓ ⊨ A(δ)
- ξ ⊨ A^{−δ}(δ)[IΓ/δ]^{IΓ}  if δ ∈ dom(ξ) and for all δ′ ∉ dom(ξ). ξ ⊨ A(δ′)[IΓ/δ′]^{IΓ}

Lemmas. Now we introduce lemmas used to simplify the later proofs in App. C, App. D, App. E and App. F.
Lemma 1 (Adding/removing unused names maintains evaluation). ∀M, V, G′, G_m. å(V) ∩ G′ = ∅ → ((å(M), G′, M) ⇓ (å(M), G′, G_m, V) ⟷ (å(M), M) ⇓ (å(M), G_m, V))

Proof. Clearly holds as M does not require any name in G′ if å(V) ∩ G′ = ∅, noting that G ∩ G_m = ∅ and G′ ∩ G_m = ∅, and hence if this does not hold the fresh names in V can be renamed so that it does hold. Note: if å(V) ∩ G′ = ∅ then this fails, as it would imply previously generated names that are not accessible can be reached.

Lemma 2 (Congruence is unaffected by adding/removing excess names). ∀G, G′. å(M, N) ∩ å(G′) = ∅ → (M ≅^G_α N ⟷ M ≅^{G ∪ G′}_α N)

Proof. Clearly holds by Sem. ≅^{G ∪ G′}_α where å(M, N) ⊆ G.

In the following lemmas we use α_b for the base types as defined in Sec. 5, i.e. α_b ::= Unit || Bool || α_b × α_b. Note α_b is also always a Nm-free type.

Lemma 3 (Base type values are name free). ∀V-value. ∅ ⊢ V : α_b → å(V) = ∅

Proof. By induction on the structure of the type α_b, so clearly holds.
- α = Unit implies V = Unit, so this clearly holds.
- α = Bool implies V = true or V = false, so this clearly holds.
- α = α_b × α_b: then V = ⟨V, V⟩ and by IH, assuming ∀V-value. ∅ ⊢ V : α_b → å(V) = ∅ and ∀V-value. ∅ ⊢ V : α_b → å(V) = ∅, clearly å(⟨V, V⟩) = ∅.

Lemma 4 (Base type values can be derived equally from any LTC). ∀IΓ, ξ^{IΓ}, IΓ, V^{α_b}. IΓ ⊢ IΓ → (∃M^{α_b}. M [∅, ξ] V ⟷ ∃M^{α_b}. M [IΓ, ξ] V)

Proof. Holds as M ≡ V ≡ M always holds, as å(V) = ∅ ∧ ∅ ⊢ V : α_b.

Lemma 5 (Base type values don’t extend reach). ∀IΓ. ∀ξ^{IΓ}. IΓ ⊢ IΓ + y : α_b → (∃M^{Nm}. M [IΓ, ξ] V ⟷ ∃M^{Nm}. M [IΓ + y : α_b, ξ] V)

Proof. Clearly holds from Lemmas 3 and 4, so no names are added to the LTC.
Lemma 6 (Base type values can be added to and removed from the δ mappings without any harm). ∀IΓ. ∀ξ^{IΓ}. ξ · x : V^{α_b}_x · δ : IΓ^{−TCV} ⊨ A ⟷ ξ · x : V^{α_b}_x · δ : (IΓ + x : α_b)^{−TCV} ⊨ A

Proof. The only two occurrences of δ possible in assertions are in IΓ in ∀x ∈ (IΓ). and in x IΓ:
- If A contains ∀x ∈ (IΓ). A′ and IΓ contains δ then it is unaffected by the addition (or removal) of x : α_b, as M [IΓ, ξ] V ⟷ M [IΓ + y : α_b, ξ] V from Lemma 5.
- If A contains x IΓ and IΓ contains δ then it is unaffected by the addition (or removal) of x : α_b, as M [IΓ, ξ] V ⟷ M [IΓ + y : α_b, ξ] V from Lemma 5.
Hence the Lemma holds.

Lemma 7 (Base type values can be added/removed and maintain extensions). ∀IΓ^{−m}, ξ^{IΓ}, M^{α_b}, V_m. M [IΓ, ξ] V_m → ∀IΓ′, ξ′^{IΓ′}. ξ ⋆ ξ′ ⟷ ξ · m : V_m ⋆ ξ′ · m : V_m

Proof. →: from Lemma 28 (å(V_m) = ∅). ←: this holds as V_m : α_b means the variable m can always be replaced by a value V_m which, by Lemma 3, has å(V_m) = ∅ and, being a value, ∅ ⊢ V_m : α_b, so their substitution is not problematic.

Lemma 8 (Semantics of LTC is equal in model extensions). ∀IΓ, IΓ, ξ^{IΓ}, ξ^{IΓ}. (ξ ⋆ ξ ∧ IΓ ⊢ IΓ) → ⟦IΓ⟧ξ ≡ ⟦IΓ⟧ξ

Proof. By induction on the structure of IΓ:
- IΓ ≡ ∅: ⟦∅⟧ξ ≡ ⟦∅⟧ξ.
- IΓ ≡ IΓ′ + x : α: by IH ⟦IΓ′⟧ξ ≡ ⟦IΓ′⟧ξ and also by Def ⋆, IΓ(x) ≡ IΓ(x).
- IΓ ≡ IΓ′ + δ : TC: by IH ⟦IΓ′⟧ξ ≡ ⟦IΓ′⟧ξ and also by Def ⋆, IΓ(δ) ≡ IΓ(δ) and ξ(δ) ≡ ξ(δ), which gives us that this statement holds.
- IΓ ≡ IΓ′ + IΓ′′: by IH on both IΓ′ and IΓ′′ this clearly holds.

Lemma 9 (Model extensions close terms equally). ∀IΓ, ξ^{IΓ}, IΓ, ξ^{IΓ}. (ξ ⋆ ξ ∧ ⟦IΓ⟧ξ ⊢ M : α) → Mξ ≡ Mξ

Proof.
By induction on the structure of M using the definition of term closure:
- M ≡ x: x ∈ IΓ implies (Def ⋆) xξ ≡ ξ(x) ≡ ξ(x) ≡ xξ; x ∉ IΓ implies x is introduced by a λ, hence should be left untouched.
- M ≡ c: cξ ≡ c ≡ cξ.
- M ≡ gensym: gensym ξ ≡ gensym ≡ gensym ξ.
- M ≡ λx.M′: x ∈ IΓ implies α-renaming can be used to substitute x for some other unused variable, i.e. λx.M ≡ λz.(M[z/x]), hence the same proof as below holds. x ∉ IΓ implies ξ^{−x} ≡ ξ ⋆ ξ ≡ ξ^{−x} and the IH implies M′ξ^{−x} ≡ M′ξ^{−x}, hence (λx.M′)ξ ≡ λx.(M′ξ^{−x}) ≡ λx.(M′ξ^{−x}) ≡ (λx.M′)ξ.
- M ≡ N N: by IH on both N and N this clearly holds.
- M ≡ let x = N in N: holds by induction on both N and N, similar to the above two cases, with x α-renamed if required.
- M ≡ ⟨N, N⟩: by IH on both N and N this clearly holds.
- M ≡ π_i(M′): by IH on M′ this clearly holds.
- M ≡ if M′ then N else N: by IH on M′, N and N this clearly holds.

Lemma 10 (LTC derived values are unaffected by the addition/removal of a TCV to the model). ∀IΓ, ξ^{IΓ}, IΓ, M. IΓ ⊢ IΓ → (M [IΓ, ξ] V ⟷ M [IΓ, ξ · δ : IΓ^{−TCV}] V)

Proof. This holds simply by Def [ , ] and the facts that δ cannot appear in IΓ, å(ξ) ≡ å(ξ · δ : IΓ^{−TCV}) and Mξ ≡ M(ξ · δ : IΓ^{−TCV}), and that the possibly derivable terms are equivalent.

Lemma 11 (Evaluation under model extensions is equivalent). ∀IΓ, ξ^{IΓ}, IΓ, ξ^{IΓ}, IΓ, M, V. (ξ ⋆ ξ ∧ IΓ ⊢ IΓ ∧ å(V) ∩ å(ξ) ⊆ å(ξ)) → (M [IΓ, ξ] V ⟷ M [IΓ, ξ] V)

Proof. Essentially
Mξ ≡ Mξ (Lemma 9) and Lemma 1 prove this in both directions of the ⟷.

    Assume IΓ, IΓ, ξ^{IΓ}, ξ^{IΓ}, IΓ s.t. ξ ⋆ ξ ∧ IΓ ⊢ IΓ ∧ M [IΓ, ξ] V ∧ å(V) ∩ å(ξ) ⊆ å(ξ)        (Assume)
    ξ ⋆ ξ ∧ IΓ ⊢ IΓ ∧ å(M) = ∅ ∧ ⟦IΓ⟧ξ ⊢ M : α ∧ ((å(ξ), Mξ) ⇓ (å(ξ), G′, V) ⟷ (å(ξ), Mξ) ⇓ (å(ξ), G′, V))        (Lemma 9 → Mξ ≡ Mξ)
    ξ ⋆ ξ ∧ IΓ ⊢ IΓ ∧ å(M) = ∅ ∧ ⟦IΓ⟧ξ ⊢ M : α ∧ ((å(ξ), Mξ) ⇓ (å(ξ), G′, V) ⟷ (å(ξ), Mξ) ⇓ (å(ξ), G′, V))        (⟦IΓ⟧ξ ⊢ M : α → å(Mξ) ⊆ å(ξ) ⊆ å(ξ); Lemma 1; å(V) ∩ å(ξ) ⊆ å(ξ))
    hence: ∀IΓ, ξ^{IΓ}, IΓ, ξ^{IΓ}, IΓ, M. (ξ ⋆ ξ ∧ IΓ ⊢ IΓ) → (M [IΓ, ξ] V ⟷ M [IΓ, ξ] V)        (Lemma 8, ⟦IΓ⟧ξ ≡ ⟦IΓ⟧ξ)

The next few lemmas will be defined for types which are Nm-free; these represent the STLC types, although the key point is that there are ν-calculus programs of such an Nm-free type that do contain names, e.g. λx.(r = r). We show that these Nm-free typed terms can be equated to a name-free term, i.e. an STLC term. One of the key assumptions that keeps the proof simple is that the initial STLC is simple enough not to contain infinitely many values of a single type, i.e. there are no integers and no recursion; proving the corresponding result for these extensions would be harder. To prove that there are finitely many values of any particular Nm-free type (up to equivalence), we first prove that it is possible to define when two functions of Nm-free type are equal; this is essentially done by comparing them on each of the finitely many values of the input type.

Definition 1.
Inductively define EQ_α(M, N) as the program that equates two functions of type α as follows:

    EQ_Unit(M, N)      ≝ true
    EQ_Bool(M, N)      ≝ M = N
    EQ_{α→Unit}(M, N)  ≝ true
    EQ_{α×α}(M, N)     ≝ if ¬EQ_α(π(M), π(N)) then false else
                          if ¬EQ_α(π(M), π(N)) then false else true
    EQ_{α→α}(M, N)     ≝ if ¬EQ_α(M Ṽ, N Ṽ) then false else
                          if ¬EQ_α(M Ṽ, N Ṽ) then false else
                          ...
                          if ¬EQ_α(M Ṽ_k, N Ṽ_k) then false else true

where Ṽ is the set of all finitely many (k) values of type α (Lemma 12).
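As an added example (not code from the paper), the following implements Definition 1's EQ_α together with the enumeration V[α] of all values of an Nm-free type from the proof of Lemma 12, and uses the two to pick the name-free canonical value that Lemma 13 promises for a function whose body mentions names. The tuple encoding of types, the representation of function values as Python callables and the helper name `canonical` are assumptions of this example.

```python
"""Added example (not from the paper): EQ_α (Definition 1) and the finite
value enumeration V[α] (Lemma 12) for Nm-free types Unit, Bool, products
and arrows. Values are (), bools, pairs and Python callables."""
import itertools

UNIT, BOOL = ("Unit",), ("Bool",)
def PROD(a, b): return ("Prod", a, b)
def ARROW(a, b): return ("Arrow", a, b)


def eq(ty, m, n):
    """EQ_α(M, N) of Definition 1: extensional equality by enumeration."""
    tag = ty[0]
    if tag == "Unit":
        return True
    if tag == "Bool":
        return m == n
    if tag == "Prod":
        return eq(ty[1], m[0], n[0]) and eq(ty[2], m[1], n[1])
    if tag == "Arrow":
        dom, cod = ty[1], ty[2]
        if cod == UNIT:
            return True                     # EQ_{α→Unit} is true by definition
        # Compare the two functions on every one of the finitely many inputs.
        return all(eq(cod, m(w), n(w)) for w in values(dom))
    raise ValueError(ty)


def table_function(dom, inputs, outputs):
    """λx. if EQ(x, W1) then V1 else if ... else Vk, as built in Lemma 12."""
    def f(x):
        for w, v in zip(inputs[:-1], outputs[:-1]):
            if eq(dom, x, w):
                return v
        return outputs[-1]                  # the final else-branch
    f.table = tuple(outputs)                # attached only to make values printable
    return f


def values(ty):
    """V[α]: the complete, finite list of values of type α (Lemma 12)."""
    tag = ty[0]
    if tag == "Unit":
        return [()]
    if tag == "Bool":
        return [True, False]
    if tag == "Prod":
        return [(a, b) for a in values(ty[1]) for b in values(ty[2])]
    if tag == "Arrow":
        dom, cod = ty[1], ty[2]
        inputs = values(dom)
        # One function per assignment of an output to each possible input.
        return [table_function(dom, inputs, outs)
                for outs in itertools.product(values(cod), repeat=len(inputs))]
    raise ValueError(ty)


def canonical(ty, m):
    """The unique enumerated value EQ-equal to m (the witness of Lemma 13);
    `canonical` is a helper name chosen for this example."""
    matches = [v for v in values(ty) if eq(ty, m, v)]
    if len(matches) != 1:
        raise ValueError("no unique canonical value of the given type")
    return matches[0]


def count_values(ty):
    """Size of V[α]; grows exponentially with the type, but is always finite."""
    return len(values(ty))
```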
In the following lemmas we will write M_ν for a standard ν-calculus term and M_λ for a ν-calculus term constructed only from STLC terms (i.e. no names and no gensym); we also ignore let x = M in N for simplicity.

Lemma 12 (There are finitely many STLC values for each type). ∀α. ∃W̃^α_λ finite. ∀M^α_λ. ∃V^α_λ ∈ W̃_λ. M_λ ≅ V_λ

Proof. By induction on the structure of α we create a complete list W̃^α ≡ V[α] as follows:
- α ≡ Unit: this clearly holds as (G, M) ⇓ (G′, ()) must always hold, and so V[Unit] ≡ () holds.
- α ≡ Bool: this clearly holds as (G, M) ⇓ (G′, true) must always hold or (G, M) ⇓ (G′, false) must always hold, and so V[Bool] ≡ true || false holds.
- α ≡ α × α: clearly V[α × α] ≡ ⟨V[α], V[α]⟩, where in the RHS V[α] represents every possible value of type α, hence the RHS is the list of every possible combination between V[α] and V[α].
- α ≡ α → α: by induction on α we can assume there are finitely many values of this type, i.e. let W̃ ≡ V[α]; we use this to state the values of type α → α as

    V[α → α] ≡ λx^α. if EQ_α(x, W̃) then V[α] else
                     if EQ_α(x, W̃) then V[α] else
                     ...
                     if EQ_α(x, W̃_k) then V[α] else V[α]

  hence the RHS is the list of every possible combination between W̃ and V[α] in each instance.

The number of values grows exponentially with the size of the type, but there is always a finite number of values for each type. These values cover all possible cases by definition, as no other possible inputs or outputs exist for a function of the given type.

Lemma 13 (Nm-free terms are equivalent to a name-free STLC term). If α is Nm-free: ∀M^α_ν. ∃N_λ. M_ν ≅^{å(M_ν)}_α N_λ. I.e. for each term in the ν-calculus of a type which is Nm-free there exists an equivalent term constructed only of core STLC terms.

Proof. It is clear that all ν-terms that are of type Unit and
Bool are equivalent to constants of that type. The case for α ≡ α × α holds trivially by induction on π(M_ν)^α and π(M_ν)^α. The case for α ≡ α → α holds as follows, with IH(α) ≝ ∀M^α. ∃N_λ. M ≅^{å(M)}_α N:

1  IH(α)
2  Assume: IH(α) ∧ IH(α) for α, α being Nm-free
3  Prove: IH(α → α) for α → α being Nm-free
4  ∀α. ∃W̃^α finite. ∀M^α_λ. ∃V^α ∈ W̃. M ≅ V   (α is Nm-free)        Lemma 12
5  IH(α) implies for each ν-term of type α there exists an equivalent λ-term (which must mean there are finitely many of these), which we call W̃        IH(α)
6  ∀M^α_ν. ∃N^α_λ. M_ν ≅^{å(M_ν)}_α N_λ        IH(α)
7  For each value in W̃, M W̃_i is a term of type α which by IH(α) implies there is an equivalent λ-term we call Ũ_i, i.e. M Ṽ_i ≅ Ũ_i        IH(α)
8  ∀W̃^α_i ∈ W̃^α. ∀M^{α→α}_ν. ∃N^α_λ. M W̃_i ≅^{å(M)}_α N        IH(α)
9  Using lines 5–8 we can build an equivalent formula to M by brute force, such that for each input case we have the equivalent output case, i.e.

    N_λ ≡ λx^α. if EQ_α(x, Ṽ) then Ũ else
                if EQ_α(x, Ṽ) then Ũ else
                ...
                if EQ_α(x, Ṽ_{k−1}) then Ũ_{k−1} else Ũ_k

By definition M_ν ≅^{å(M_ν)}_{α→α} N_λ, as any use of N_λ behaves identically to M_ν in any application it is used in.

Lemma 14 (Functions that map to base types cannot reveal names in that function). ∀M^{Nm}, V^{(α→α_b)}, r^{Nm}_x. (G ≡ å(M) ∪ å(V)) r_x ∉ å(M) ∧ f : α → α_b ⊢ M : Nm ∧ r_x ∈ å(V) ∧ ∅ ⊢ V : (α → α_b) → ¬(G, M[V/f]) ⇓ (G, G′, r_x)

Proof. Given the semantics, ⇓ ≡ →*. Given r_x ∉ å(M) it is clear that M = r_x, and given ∅ ⊢ V : (α → α_b) it is clear that V = r_x, hence r_x must be derived from the terms M and V.
Assume there exists at least one such M for which this holds, then take the smallest one M; then by definition there exists an M_k such that (G, M[V/f]) ⇓ (G, G′, r_x) ⟷ (G, M[V/f]) ⇓ (G, G′, M_k) → (G, G′, r_x), and one of the following must hold:
- M_k ≡ π(⟨r_x, V′⟩), hence M[V/f] ≡ E[π(⟨M, M⟩)][V/f] where E[M][V/f] ⇓ r_x, so this E[M] is smaller than M, hence contradiction.
- M_k ≡ π(⟨V′, r_x⟩), hence M[V/f] ≡ E[π(⟨M, M⟩)][V/f] where E[M][V/f] ⇓ r_x, so this E[M] is smaller than M, hence contradiction.
- M_k ≡ if true then r_x else V′, hence M[V/f] ≡ E[if M_b then M else M][V/f] where E[M][V/f] ⇓ r_x, so this E[M] is smaller than M, hence contradiction.
- M_k ≡ if false then V′ else r_x, hence M[V/f] ≡ E[if M_b then M else M][V/f] where E[M][V/f] ⇓ r_x, so this E[M] is smaller than M, hence contradiction.
- M_k ≡ (λa.r_x) V′, hence M[V/f] ≡ E[(λa.M) M][V/f] where E[M][V/f] ⇓ r_x, so this E[M] is smaller than M, hence contradiction.
- M_k ≡ (λa.a) r_x, hence M[V/f] ≡ E[(λa.M) M][V/f] where E[M][V/f] ⇓ r_x, so this E[M] is smaller than M, hence contradiction.
- M_k ≡ let x = V′ in M: similar for let x = V′ in M.
- M_k ≡ gensym () fails to produce r_x, as r_x ∈ G.
- There are no other possible terms that reduce to r_x.

I.e. assuming a smallest M s.t. M ⇓ r_x (which is assumed to exist), for each term M_k which is just one →-step away from r_x it can be proven that a smaller M could be produced, hence contradiction.

Lemma 15 (Adding a name to the model but not to the context means it is fresh). ∀IΓ, ξ^{IΓ}, r_x. (∃M_x. M_x [IΓ, ξ] r_x ∧ ¬∃N_x. N_x [IΓ, ξ · x : r_x] r_x) → r_x ∉ å(ξ)

Proof. Assume r_x ∈ å(ξ); then clearly there would be a direct contradiction in the assumption, as ∃N_x. N_x [IΓ, ξ · x : r_x] r_x since å(ξ · x : r_x) ≡ å(ξ). Hence r_x ∉ å(ξ).
Lemma 16 (LTC derived terms cannot reveal old names). ∀IΓ, ξ^{IΓ}, IΓ, M^{α_y}_y, s^{Nm}. IΓ ⊢ IΓ ∧ M_y [IΓ, ξ] V_y ∧ s ∈ å(ξ) → (∃M. M [IΓ + y, ξ · y : V_y] s ⟷ ∃M. M [IΓ, ξ] s)

Essentially V_y cannot reveal any names in ξ that are not already available to IΓ.

Proof. Proof by contradiction: assume some IΓ, ξ^{IΓ}, IΓ, M^{α_y}_y, s^{Nm} with IΓ ⊢ IΓ ∧ M_y [IΓ, ξ] V_y ∧ s ∈ å(ξ), then show that the following fails:

    ¬∃M. M [IΓ + y, ξ · y : V_y] s ∧ ∃M. M [IΓ, ξ] s

but this creates a contradiction simply by Def [ , ]; and that the following fails:

    ∃s. ∃M. M [IΓ + y, ξ · y : V_y] s ∧ ¬∃M. M [IΓ, ξ] s
    iff ∃s. ∃M. ⟦IΓ + y⟧(ξ · y : V_y) ⊢ M : Nm ∧ å(M) = ∅ ∧ (å(ξ · y : V_y), M(ξ · y : V_y)) ⇓ (å(ξ · y : V_y), G′, s)
        ∧ ¬∃M. ⟦IΓ⟧ξ ⊢ M : Nm ∧ å(M) = ∅ ∧ (å(ξ), Mξ) ⇓ (å(ξ), G′, s)
    iff ∃s. ∃M(y). ⟦IΓ + y⟧(ξ · y : V_y) ⊢ M(y) : Nm ∧ å(M(y)) = ∅ ∧ (å(ξ · y : V_y), M(y)(ξ · y : V_y)) ⇓ (å(ξ · y : V_y), G′, s)
        ∧ ¬∃M. ⟦IΓ⟧ξ ⊢ M : Nm ∧ å(M) = ∅ ∧ (å(ξ), Mξ) ⇓ (å(ξ), G′, s)
    iff ∃s. ∃M(y). ⟦IΓ + y⟧(ξ · y : V_y) ⊢ M(y) : Nm ∧ å(M(y)) = ∅ ∧ (å(ξ · y : V_y), M(y)(ξ · y : V_y)) ⇓ (å(ξ · y : V_y), G′, s)
        ∧ ¬∃ let y = M_y in M(y). ⟦IΓ⟧ξ ⊢ let y = M_y in M(y) : Nm ∧ å(let y = M_y in M(y)) = ∅ ∧ (å(ξ), (let y = M_y in M(y))ξ) ⇓ (å(ξ), G′, s)

hence contradiction, as the name derived by M(y) in the first evaluation can also be derived by let y = M_y in M(y) in the second evaluation, by the semantics of the evaluation of (let y = M_y in M(y))ξ → M(V_y)ξ ≡ M(y)(ξ · y : V_y).
Here M_y reduces to the term equal to V_y except for the fresh names, which have no effect on the name produced by M and M, hence contradiction. This works because s ∈ å(ξ), hence the name cannot be fresh (derived from V_y), and any fresh names in V_y can be replicated by a new generation via M_y and will be treated equally.

Lemma 17 (Extensions cannot reveal old names). ∀IΓ, ξ^{IΓ}, IΓ′, ξ^{IΓ′}, s^{Nm}. (ξ ⋆ ξ′ ∧ s ∈ å(ξ)) → (∃M′. M′ [IΓ′, ξ′] s ⟷ ∃M. M [IΓ, ξ] s)

Essentially ξ′ cannot reveal any names in ξ that are not already available to ξ.

Proof. ←: clearly holds. →: by induction on the structure of ξ′:
- ξ′ ≡ ξ: then this clearly holds.
- ξ′ ≡ ξ′ · δ : IΓ^{−TCV}: then this holds as no new names are reachable by δ, and by IH on ξ′.
- ξ′ ≡ ξ^{IΓ′} · y : V_y: then ∃M_y. M_y [IΓ′, ξ′] V_y, and using Lemma 16 and IH on ξ′ this clearly holds.

In the next few lemmas we treat expressions as potential terms, as each expression c, x, π_i(e) and ⟨e, e⟩ is also a method of constructing a term, and hence ⟦e⟧ξ ≡ eξ (closure) implies we can treat e as a term even though it is an expression, i.e. we write e even though we mean “the term constructed using the equivalent expression-constructors used to construct the expression e”.

Lemma 18 (Expressions cannot create new names). ∀IΓ, ξ^{IΓ}, e. IΓ ⊢ e : α → ∃V. (å(ξ), ⟦e⟧ξ) ⇓ (å(ξ), V)
Clearly guaranteed termination implies ∃V′. (å(ξ), ⟦e⟧ξ) ⇓ (å(ξ), G′, V′); however, this Lemma proves that no new names are produced in such an evaluation.

Proof. By induction on the structure of e ∈ {c, x, π_i(e), ⟨e, e⟩}; let G = å(ξ).
- e = c (constants): then clearly (G, ⟦e⟧ξ) ≡ (G, c) ⇓ (G, c).
- e = x: clearly (G, ⟦e⟧ξ) ≡ (G, ξ(x)) ⇓ (G, ξ(x)), as ξ(x) is a value by definition.
- e = π_i(e′): clearly (G, ⟦π_i(e′)⟧ξ) ≡ (G, π_i(⟦e′⟧ξ)), and by IH on e′ then ∃V′. (G, ⟦e′⟧ξ) ⇓ (G, V′) with V′ : α × β, hence V′ ≡ ⟨V, V⟩, hence π_i(V_i) is a value and hence (G, ⟦π_i(e)⟧ξ) ≡ (G, π_i(⟦e⟧ξ)) ⇓ (G, V_i).
- e = ⟨e, e⟩: by IH on e and e: ∃V. (G, ⟦e⟧ξ) ⇓ (G, V) and ∃V. (G, ⟦e⟧ξ) ⇓ (G, V), hence from the operational semantics ∃V (= ⟨V, V⟩). (G, ⟦⟨e, e⟩⟧ξ) ≡ (G, ⟨⟦e⟧ξ, ⟦e⟧ξ⟩) ⇓ (G, V).

Lemma 19 (Expressions are name free). ∀e. IΓ ⊢ e : α → å(e) = ∅

Proof. By IH on the structure of e, knowing that e ∈ {c, x, π_i(e), ⟨e, e⟩}, i.e. no built-in names; names only come from closing with a model via the semantics of ⟦e⟧ξ.

Lemma 20 (Expressions are fresh name free). ∀e. IΓ ⊢ e : α ∧ e [IΓ, ξ] V_e → å(V_e) ⊆ å(ξ)

Proof. By IH on the structure of e, knowing that e ∈ {c, x, π_i(e), ⟨e, e⟩}, i.e. no built-in names; names only come from closing with a model via the semantics of ⟦e⟧ξ, and hence no evaluation of gensym () can occur, so only old names are produced.

Lemma 21 (Expressions are congruent to their evaluation). ∀IΓ, ξ^{IΓ}, e. IΓ ⊢ e : α ∧ e [IΓ, ξ] V_e → eξ ≅^{å(ξ)}_α V_e

Proof. By Lemma 20 we know all values contain only names in the model. By induction on the structure of e:
- e ≡ c: clearly holds.
- e ≡ x: clearly holds as xξ ≡ ξ(x) ≡ V_e.
- e ≡ π_i(e′): holds by induction on e′, i.e.
  IΓ ⊢ e′ : α × α ∧ e′ [IΓ, ξ] ⟨V, V⟩ → e′ξ ≅^{å(ξ)}_α ⟨V, V⟩, hence π_i(e′)ξ ≅^{å(ξ)}_α V_i.
- e ≡ ⟨e, e⟩: holds by IH on e and e, i.e. IΓ ⊢ e : α ∧ e [IΓ, ξ] V → eξ ≅^{å(ξ)}_α V and IΓ ⊢ e : α ∧ e [IΓ, ξ] V → eξ ≅^{å(ξ)}_α V implies ⟨e, e⟩ξ ≅^{å(ξ)}_α ⟨V, V⟩.

Lemma 22 (Names fresh in a term imply the name is fresh in the value). ∀IΓ, ξ^{IΓ}, M, r. r ∉ å(M) ∧ (å(M), r, G, M) ⇓ (å(ξ), r, G, G′, V) → r ∉ å(V)

Proof. By induction on the structure of M; most cases are trivial, the only non-trivial case being M ≡ M M: clearly M ⇓ V and M ⇓ V with r ∉ V V (by IH), hence two cases occur:
- V ≡ λx.M′: then this evaluates to M′[V/x], which by the assumptions and the operational semantics gives r ∉ M′[V/x].
- V ≡ gensym and V ≡ (): then by the operational semantics this generates a fresh name (= r).

Lemma 23 (Fresh names are underivable from the model plus that name). ∀IΓ, ξ^{IΓ}, r. r ∉ å(ξ) → ¬∃M^{Nm}. M [IΓ, ξ · m : r] r

Proof. This holds as r must be a freshly generated name not appearing in ξ, hence no term can be derived from the model ξ to generate such a name. Assume IΓ, ξ^{IΓ} and prove by contradiction, i.e. assume ¬(r ∉ å(ξ) → ¬∃M^{Nm}. M [IΓ, ξ · m : r] r) and derive a contradiction:

    ⟷ (r ∉ å(ξ) ∧ ∃M^{Nm}. M [IΓ, ξ · m : r] r)        FOL
    ⟷ r ∉ å(ξ) ∧ ∃M^{Nm}. å(M) = ∅ ∧ IΓ ⊢ M : α ∧ (å(ξ), r, M(ξ · m : r)) ⇓ (å(ξ), r, G′, r)        Sem. [ , ]
    ⟷ r ∉ å(ξ) ∧ ∃M^{Nm}. å(M) = ∅ ∧ IΓ ⊢ M : α ∧ (å(ξ), r, Mξ) ⇓ (å(ξ), r, G′, r)        m ∉ dom(IΓ) ∧ IΓ ⊢ M : α
    ⟷ r ∉ å(ξ) ∧ ∃M^{Nm}. å(M) = ∅ ∧ IΓ ⊢ M : α ∧ r ∉ å(Mξ) ∧ (å(ξ), r, Mξ) ⇓ (å(ξ), r, G′, r)        r ∉ å(Mξ) and Lemma 22 imply contradiction
    ⟷ r ∉ å(ξ) → ¬∃M^{Nm}. M [IΓ, ξ · m : r] r

Lemma 24 (Extensions give equal semantics of expressions). ∀IΓ, ξ^{IΓ}, IΓ, ξ^{IΓ}, e.
ξ ⋆ ξ ∧ IΓ ⊢ e : α → ⟦e⟧ξ ≡ ⟦e⟧ξ
Proof. By induction on the structure of e using the semantics of expressions:
- e ≡ c: ⟦c⟧ξ ≡ c ≡ ⟦c⟧ξ.
- e ≡ x: x ∈ IΓ implies (Def ⋆) ⟦x⟧ξ ≡ ξ(x) ≡ ξ(x) ≡ ⟦x⟧ξ.
- e ≡ ⟨e, e⟩: by IH on both e and e this clearly holds.
- e ≡ π_i(e′): by IH on e′ this clearly holds.

Lemma 25 (Sub-LTCs imply sub-type-contexts). ∀IΓ, IΓ, ξ^{IΓ}. IΓ ⊢ IΓ → ⟦IΓ⟧ξ ⊆ ⟦IΓ⟧ξ

Proof. Clearly holds by induction on the structure of IΓ and IΓ, using the typing rules in Fig. 1.

Lemma 26 (Values derivable from a subset of an LTC are also derivable from the superset). ∀IΓ, ξ^{IΓ}, IΓ + IΓ, M. IΓ ⊢ IΓ ∧ IΓ ⊢ IΓ + IΓ ∧ M [IΓ, ξ] V → M [IΓ + IΓ, ξ] V

Proof. By Lemma 25, IΓ ⊢ IΓ ∧ IΓ ⊢ IΓ + IΓ → IΓ + IΓ ⊢ IΓ → ⟦IΓ⟧ξ ⊆ ⟦IΓ + IΓ⟧ξ, hence this must hold.

Lemma 27 (Values derived from IΓ maintain extension (single) when added to models which are extensions). ∀IΓ, ξ^{IΓ}, IΓ′, ξ′^{IΓ′}, M^α. ξ ξ′ ∧ M [IΓ, ξ] V ∧ å(V) ∩ å(ξ′) ⊆ å(ξ) → ξ · x : V ξ′ · x : V

Proof. Assume IΓ, ξ^{IΓ}, IΓ′, ξ^{IΓ′}, M^α s.t. ξ ξ′ ∧ M [IΓ, ξ] V.

The case ξ′ ≡ ξ · δ : IΓ^{−TCV} is proven as follows: assume some IΓ s.t. IΓ ⊢ IΓ with ξ ξ · δ : IΓ^{−TCV}; then IΓ + x ⊢ IΓ and hence ξ · x : V ξ · δ : IΓ^{−TCV} · x : V (Sem.).

The case ξ′ ≡ ξ · y : V′ is proven as follows:

    ξ ξ′ ∧ M [IΓ, ξ] V
    → ∃M′. M′ [IΓ, ξ] V′ ∧ ξ′ ≡ ξ · y′ : V′ ∧ M [IΓ, ξ] V        Sem.
    → ∃M′. M′ [IΓ, ξ · x : V] V′ ∧ ξ′ · x : V ≡ ξ · x : V · y′ : V′        Lemma 11 (å(V) ∩ å(V′) ⊆ å(ξ))
    → ∃M′. M′ [IΓ + x : α_x, ξ · x : V] V′ ∧ ξ′ · x : V ≡ ξ · x : V · y′ : V′        Lemma 26
    → ξ · x : V ξ′ · x : V        Sem.

Lemma 28 (Values derived from IΓ maintain extension (star) when added to models which are extensions). ∀IΓ, ξ^{IΓ}, IΓ′, ξ′^{IΓ′}, M. ξ ⋆ ξ′ ∧ M [IΓ, ξ] V ∧ å(V) ∩ å(ξ′) ⊆ å(ξ) → ξ · x : V ⋆ ξ′ · x : V

Proof. Use Lemma 27 with Def ⋆ to see that this clearly holds.

Lemma 29 (Names produced from an extension can be added to an extension and still hold). ∀IΓ, ξ^{IΓ}, IΓ′, ξ′^{IΓ′}, M, r. M [IΓ′, ξ′] r ∧ ξ ⋆ ξ′ → ξ · x : r ⋆ ξ′ · x : r

Proof. Assume a sequence of terms [z̃ : Ñ] that derive the (non-LTC) values of ξ′ (the LTCs are trivial); then three cases exist:
- r ∈ å(ξ): then clearly this holds, as the same sequence of terms [z̃ : Ñ] derives ξ′ · x : r with the new LTC IΓ + x : Nm. Hence ξ · x : r ⋆ ξ′ · x : r.
- r ∉ å(ξ) ∧ r ∉ å(ξ′): then clearly r is fresh and the same reasoning as above holds.
- r ∉ å(ξ) ∧ r ∈ å(ξ′): then r is derived from ξ′ but not from ξ, and hence the sequence [z̃ : Ñ[x/gensym ()]] also derives ξ′, which proves ξ · x : r ⋆ ξ′ · x : r, where we write Ñ[x/gensym ()] for the term Ñ_i that initially produced r with x substituted for that gensym (), which clearly must produce the same results. All other fresh names are irrelevant.

Lemma 30 (Extending the model by δ maintains models).
( A - Ext-Ind not required) ∀ I Γ, ξ I Γ , I Γ ′ , ξ ′ I Γ ′ , I Γ a . I Γ (cid:13) I Γ a → ( ξ · ξ ′ | = A − δ ↔ ξ · δ : I Γ a \ − T CV · ξ ′ | = A − δ ) where A − δ means δ does not occur syntactically in A .Proof. By definition of , ξ ξ · δ : I Γ a \ − T CV holds and implies via Def ⋆ that ξ · ξ ′ ⋆ ξ · δ : I Γ a \ − T CV · ξ ′ which allows the use of Lemma 24 and Lemma11 ( ˚a ( ξ · ξ ′ ) ≡ ˚a ( ξ · δ : I Γ a \ − T CV · ξ ′ ) ).The proof follows by IH on structure of A : − e = e proven by noting that [[ e i ]] ξ · ξ ′ ≡ [[ e i ]] ξ · δ : I Γ a \ − TCV · ξ ′ (Lemma 24). − A ∧ A , A ∨ A , A → A : IH on A , A . − ¬ A , proof by IH on A , assume ξ · δ : I Γ a \ − T CV · ξ ′ | = ¬ A then clearly ξ · δ : I Γ a \ − T CV · ξ ′ = A and by IH on A then ξ · ξ ′ = A i.e. ξ · ξ ′ | = ¬ A . − x I Γ ′ holds by Lemma 24 and Lemma 11 ( ˚a ( ξ · ξ ′ ) ≡ ˚a ( ξ · δ : I Γ a \ − T CV · ξ ′ ) )which ensure [[ x ]] ξ · ξ ′ ≡ [[ x ]] ξ · δ : I Γ a \ − TCV · ξ ′ and ∃ M x . M x [ I Γ ′ , ξ · ξ ′ ] V ↔ ∃ M x . M x [ I Γ ′ , ξ · δ : I Γ a \ − TCV · ξ ′ ] V respectively, henceclearly ¬ ∃ M x . M x [ I Γ ′ , ξ · ξ ′ ] [[ x ]] ξ · ξ ′ ↔ ¬ ∃ M x . M x [ I Γ ′ , ξ · δ : I Γ a \ − TCV · ξ ′ ] [[ x ]] ξ · δ : I Γ a \ − TCV · ξ ′ . − u • e = m { A } by IH on A with [[ u ]] ξ · ξ ′ ≡ [[ u ]] ξ · δ : I Γ a \ − TCV · ξ ′ and [[ e ]] ξ · ξ ′ ≡ [[ e ]] ξ · δ : I Γ a \ − TCV · ξ ′ (Lemma 24) hence evaluation is equivalent and this holds. Program Logic for Fresh Name Generation 29 − ∀ x ∈ ( I Γ ′ ) .A knowing that δ / ∈ I Γ ′ then the same possible terms are quan-tified over given Lemma 11 ( M x [ I Γ ′ , ξ · ξ ′ ] V ↔ M x [ I Γ ′ , ξ · δ : I Γ a \ − TCV · ξ ′ ] V ) andby IH on A the case holds. − ∀ δ ′ .A by IH on A this holds for any model containing δ and δ ′ then by thesemantics the lemma holds. The following 2 definitions will be used in some of the proofs using equality,but are not required otherwise.
Definition 2 (Similar extensions (single)).
Two model extensions are congruent model extensions (single) iff there exists an equivalent derivation for both models: ∀ I Γ i , ξ I Γ i , ξ I Γ i , I Γ ′ i , ξ ′ I Γ ′ i , ξ ′ I Γ ′ i . ( ξ ξ ′ ) ∼ ( ξ ξ ′ ) ↔ I Γ ′ i ≡ I Γ i + δ j ∧ ξ ′ ( δ j ) ≡ ξ ′ ( δ j ) ∨ I Γ ′ i ≡ I Γ i + x j : α j ∧ ∃ M α j j . M j [ I Γ i , ξ ] ξ ′ ( x j ) ∧ M j [ I Γ i , ξ ] ξ ′ ( x j )
Definition 3 (Similar extensions (star)).
Two model extensions are similarly derived extensions (star) iff there exists an equivalent derivation for both models: ∀ I Γ i , ξ I Γ i , ξ I Γ i , I Γ ′ i , ξ ′ I Γ ′ i , ξ ′ I Γ ′ i . ( ξ ⋆ ξ ′ ) ∼ ⋆ ( ξ ⋆ ξ ′ ) ↔ ξ ≡ ξ ′ ∧ ξ ≡ ξ ′ ∨ ( ξ ξ ′ ) ∼ ( ξ ξ ′ ) ∨ ∃ ξ I Γ j j , ξ I Γ j j . ( ξ ⋆ ξ j ) ∼ ⋆ ( ξ ⋆ ξ j ) ∧ ( ξ j ⋆ ξ ′ ) ∼ ⋆ ( ξ j ⋆ ξ ′ )
Lemma 31 (Congruent extensions implies their evaluation added to a model, model equivalence equivalently). ∀ I Γ, ξ I Γ , M α , M α .M ξ ∼ = ˚a ( ξ ) α M ξ ∧ M I Γ, ξ ] V ∧ M I Γ, ξ ] V → ∀ I Γ i , ξ ′ I Γ i , ξ ′ I Γ i , e = e ′ . ( ξ · x : V ⋆ ξ ′ ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ ) ∧ I Γ i (cid:13) e = e ′ → ξ ′ | = e = e ′ ↔ ξ ′ | = e = e ′ As an example consider M ≡ gensym () ≡ M : clearly any use of the names produced must be indistinguishable in any future similarly derived models, as the names can be switched, similar to α -equivalence. Proof. Required to prove [[ e ]] ξ ′ ∼ = ˚a ( ξ ′ ) α [[ e ′ ]] ξ ′ → [[ e ]] ξ ′ ∼ = ˚a ( ξ ′ ) α [[ e ′ ]] ξ ′ Making the relevant assumptions about I Γ , ξ I Γ , M , M , I Γ i , ξ ′ I Γ i , ξ ′ I Γ i , e = e ′ , s.t. ... M ξ ∼ = ˚a ( ξ ) α M ξ ↔ ∀ C [ · ] α , b Bool . ( ∅ ⊢ C [ · ] α : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) ) → ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ↔ ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) Sem. ∼ =4 Let ξ ′ j [ · ] be derived from the terms as follows ˜ z : ˜ N and x : V i noting that ˜ N i +1 may contain the variable ˜ z i and ignoring the inconsequential TCV-parts, then if I Γ i (cid:13) e : α e a subset of C [ · ] can be set for any C ′ [ · ] α e as follows: → ∀ C [ · ] ≡ ( let x = [ · ] α ∅ in let ˜ z = ˜ Nξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) , b Bool . 
∅ ⊢ C [ · ] α : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) → ( ˚a ( ξ ) , let x = [ M ξ ] α ∅ in let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ↔ ( ˚a ( ξ ) , let x = [ M ξ ] α ∅ in let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) Subset C [ · ] ≡ ...C ′ [ · ]-capture-avoidingvariables in dom ( I Γ i )6 →∀ b Bool . ∀ C [ · ] ≡ ( let x = [ · ] α ∅ in let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) , b Bool . ∅ ⊢ C [ · ] : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) → ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ↔ ∀ C [ · ] ≡ ( let x = [ · ] α ∅ in let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) , b Bool . ∅ ⊢ C [ · ] : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) → ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ( ∀ x.A ( x ) → ( B ( x ) ↔ C ( x ))) → ( ∀ x.A ( x ) → B ( x )) ↔ ( ∀ x.A ( x ) → C ( x ))FOL7 →∀ b Bool . ∀ let ˜ z = ˜ N in C ′ [ eξ ] = C ′ [ e ′ ξ ] . (cid:18) ∅ ⊢ let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ] : Bool ∧ ˚a ( let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) ⊆ ˚a ( ξ ) (cid:19) → ( ˚a ( ξ ) , let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ↔ ∀ let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ] . (cid:18) ∅ ⊢ let ˜ z = ˜ N in C ′ [ eξ ] = C ′ [ e ′ ξ ] : Bool ∧ ˚a ( let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) ⊆ ˚a ( ξ ) (cid:19) → ( ˚a ( ξ ) , let ˜ z = ˜ N ξ in C ′ [ eξ ] = C ′ [ e ′ ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) M j [ I Γ, ξ ] V j then ξ j ≡ ξ · x : V j ( j = 1 , let x = M j in M ξ → M ξ j →∀ b Bool . ∀ C ′ [ · ] α . (cid:18) ∅ ⊢ C ′ [ · ] α e : Bool ∧ ˚a ( C ′ [ · ]) ⊆ ˚a ( ξ ′ ) (cid:19) → ( ˚a ( ξ ′ ) , C ′ [ eξ ′ ] = C ′ [ e ′ ξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ) ↔ ∀ C ′ [ · ] α e . (cid:18) ∅ ⊢ C ′ [ · ] α e : Bool ∧ ˚a ( C ′ [ · ]) ⊆ ˚a ( ξ ′ ) (cid:19) → ( ˚a ( ξ ′ ) , C ′ [ eξ ′ ] = C ′ [ e ′ ξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ) let ˜ z = ˜ N ξ j in M ξ j → M ξ ′ j C [ M j ξ ] → C ′ [ eξ j ] α = C ′ [ e ′ ξ j ] α → ∀ C ′ [ · ] α e , b ′ Bool . 
(cid:18) ∅ ⊢ C ′ [ · ] α e : Bool ∧ ˚a ( C ′ [ · ]) ⊆ ˚a ( ξ ′ ) (cid:19) → (cid:18) ( ˚a ( ξ ′ ) , C ′ [ eξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) ↔ ( ˚a ( ξ ′ ) , C ′ [ e ′ ξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) (cid:19) ↔ ∀ C ′ [ · ] α e , b ′ Bool . (cid:18) ∅ ⊢ C ′ [ · ] α e : Bool ∧ ˚a ( C ′ [ · ]) ⊆ ˚a ( ξ ′ ) (cid:19) → (cid:18) ( ˚a ( ξ ′ ) , C ′ [ eξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) ↔ ( ˚a ( ξ ′ ) , C ′ [ e ′ ξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) (cid:19) Hence given C ′ [ eξ ′ i ] ξ ′ i : Bool this implies:(To think about this set b ≡ true or b = false then clearly this holds) b = true : implies the = case of ↔ b = false : implies the = case of ↔ ξ ′ | = e = e ′ ↔ ξ ′ | = e = e ′ Sem. =
Lemma 32 (Congruent extensions implies their evaluation added to amodel, model equivalently). ∀ I Γ, ξ I Γ , M α , M α .M ξ ∼ = ˚a ( ξ ) α M ξ ∧ M I Γ, ξ ] V ∧ M I Γ, ξ ] V →∀ I Γ i , ξ ′ I Γ i , ξ ′ I Γ i , A. ( ξ · x : V ⋆ ξ ′ ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ ) ∧ I Γ i (cid:13) A →∀ I Γ . I Γ i (cid:13) I Γ → ( ∃ M u .M u [ I Γ , ξ ′ ] [[ u ]] ξ ′ ↔ ∃ N u .N u [ I Γ , ξ ′ ] [[ u ]] ξ ′ ) If u ∈ dom ( ξ ) then clearly this holds.If u / ∈ dom ( ξ ) then clearly the u must be in ξ ′ j and hence is derived from a seriesof extensions, which are characterised by ˜ z : ˜ N therefore the same use in M u and N u of these variables derives the same [[ u ]] ξ ′ j . This relies on the fact that ifa name is used in ξ ′ then it is the same name used in ξ ′ or it is fresh from ξ inboth.Proof. This is proven using the fact that ξ ′ and ξ ′ are similar and hence any M u that produces [[ u ]] ξ ′ can be used to derive [[ u ]] ξ ′ as follows: Let the ∼ ⋆ -extension part be derived from by ˜ z : ˜ M where ˜ M i +1 may contain the variable ˜ z i . Assume some I
Γ, ξ I Γ , M α , M α s.t. M ξ ∼ = ˚a ( ξ ) α M ξ ∧ M I Γ, ξ ] V ∧ M I Γ, ξ ] V also assume some I Γ i , ξ ′ I Γ i , ξ ′ I Γ i , A s.t. ( ξ · x : V ⋆ ξ ′ ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ ) ∧ I Γ i (cid:13) A also assume some I Γ s.t. I Γ i (cid:13) I Γ , prove → to prove ↔ -by symmetry Assume there exists M u s.t. M u [ I Γ , ξ ′ ] [[ u ]] ξ ′ then show that there exists N u s.t. N u [ I Γ , ξ ′ ] [[ u ]] ξ ′ M ξ ∼ = ˚a ( ξ ) α M ξ ↔ ∀ C [ · ] α , b Bool . (cid:18) ∅ ⊢ C [ · ] α : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) (cid:19) → ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ↔ ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) Sem. ∼ =9 ∀ b Bool . ∀ C [ · ] α . (cid:18) ∅ ⊢ C [ · ] α : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) (cid:19) → ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ↔∀ C [ · ] α . (cid:18) ∅ ⊢ C [ · ] α : Bool ∧ ˚a ( C [ · ]) ⊆ ˚a ( ξ ) (cid:19) → ( ˚a ( ξ ) , C [ M ξ ]) ⇓ ( ˚a ( ξ ) , G , b ) ( ∀ x.A ( x ) → ( B ( x ) ↔ C ( x ))) → (( ∀ x.A ( x ) → B ( x )) ↔ ( ∀ x.A ( x ) → C ( x )))10 Assume ξ ′ and ξ ′ are both derived from ξ via ˜ z : ˜ N and x : M j (from ∼ ⋆ )Select C [ · ] as let x = [ · ] α in let ˜ z = ˜ N ξ in ( C ′ [ M u ξ ] Nm = C ′ [ uξ ] Nm ) with C ′ [ · ] not capturing x, ˜ zM j [ I Γ, ξ ] V j implies C [ M j ] ξ → let ˜ z = ˜ N ( ξ · x : V j ) in C ′ [ M u ( ξ · x : V j )] Nm = C ′ [ u ( ξ · x : V j )] Nm ... → C ′ [ M u ξ ′ j ] Nm = C ′ [ uξ ′ j ] Nm → ∀ b Bool . ∀ C ′ [ M u ξ ′ ] Nm = C ′ [ uξ ′ ] Nm . (cid:18) ∅ ⊢ C ′ [ M u ξ ′ ] Nm = C ′ [ uξ ′ ] Nm : α ∧ ˚a ( C ′ [ M u ξ ′ ] Nm = C ′ [ uξ ′ ] Nm ) ⊆ ˚a ( ξ ′ ) (cid:19) → ( ˚a ( ξ ′ ) , ( C ′ [ M u ξ ′ ] = C ′ [ uξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ) ↔∀ C ′ [ M u ξ ′ ] Nm = C ′ [ uξ ′ ] Nm . (cid:18) ∅ ⊢ C ′ [ M u ξ ′ ] Nm = C ′ [ uξ ′ ] Nm : α ∧ ˚a ( C ′ [ M u ξ ′ ] Nm = C ′ [ uξ ′ ] Nm ) ⊆ ˚a ( ξ ′ ) (cid:19) → ( ˚a ( ξ ′ ) , ( C ′ [ M u ξ ′ ] = C ′ [ uξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ) Subset of C [ · ]from line 1012 → ∀ C ′ [ · ] Nm , b ′ Bool . 
( ∅ ⊢ C ′ [ · ] Nm : Bool ∧ ˚a ( C ′ [ · ] Nm ) ⊆ ˚a ( ξ ′ ) ) → ( ˚a ( ξ ′ ) , C ′ [ M u ξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) ↔ ( ˚a ( ξ ′ ) , C ′ [ uξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) ↔ ∀ C ′ [ · ] Nm , b ′ Bool . ( ∅ ⊢ C ′ [ · ] Nm : Bool ∧ ˚a ( C ′ [ · ] Nm ) ⊆ ˚a ( ξ ′ ) ) → ( ˚a ( ξ ′ ) , C ′ [ M u ξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) ↔ ( ˚a ( ξ ′ ) , C ′ [ uξ ′ ]) ⇓ ( ˚a ( ξ ′ ) , G , b ′ ) b = true : clearly holds. b = false : holds as ( C ′ [ M u ξ ′ j ] = C ′ [ uξ ′ j ]) ⇓ false ↔ C ′ [ M u ξ ′ j ] ⇓ b ′ ↔ C ′ [ uξ ′ j ] ⇓ ¬ b ′ implies ( ∀ C ′ M u ,u [ · ] . T → F ) ↔ ( ∀ C ′ M u ,u [ · ] . T → F ) and hence the more general F ↔ F → ( ∃ M u .M u [ I Γ , ξ ′ ] [[ u ]] ξ ′ ↔ ∃ N u .N u [ I Γ , ξ ′ ] [[ u ]] ξ ′ ) with precisely the same M u ≡ N u .
Lemma 33 (Congruent extensions implies their evaluation added to amodel, model equivalently). ∀ I Γ, ξ I Γ , M α , M α .M ξ ∼ = ˚a ( ξ ) α M ξ ∧ M I Γ, ξ ] V ∧ M I Γ, ξ ] V →∀ I Γ i , ξ ′ I Γ i , ξ ′ I Γ i , A. ( ξ · x : V ⋆ ξ ′ ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ ) ∧ I Γ i (cid:13) A → ξ ′ | = A ↔ ξ ′ | = A Use IH as the additions are all of the same form when proving A :Proof. Proof by IH on the structure of A : Assume: I Γ , ξ I Γ , M α , M α s.t. M ξ ∼ = ˚a ( ξ ) α M ξ ∧ M I Γ, ξ ] V ∧ M I Γ, ξ ] V Assume: I Γ i , ξ ′ I Γ i , ξ ′ I Γ i , A s.t. ( ξ · x : V ⋆ ξ ′ ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ ) ∧ I Γ i (cid:13) A Assume: ξ ′ | = A to prove ξ ′ | = A Noting that ∀ I Γ . I Γ i (cid:13) I Γ → [[ I Γ ]] ξ ′ ≡ [[ I Γ ]] ξ ′ as δ ’s are unaffected by ∼ ⋆ ,and the standard mappings are also unaffected.Next prove this final step by IH on the structure of A : A ≡ e = e ′ Lemma 31. A ≡ ¬ A ′ By IH on A ′ . A ≡ A ∧ A By IH on A and A . A ≡ A ∨ A By IH on A and A . A ≡ A → A By IH on A and A . A ≡ u • e = m { A ′ } Assuming ξ ′ | = u • e = m { A ′ } iff ( ˚a ( ξ ′ ) , ue [ I Γ, ξ ′ ] V m ∧ ξ ′ · m : V m | = A ′ then it is clear there exists W m s.t. ue [ I Γ, ξ ′ ] W m thus ( ξ · x : V ⋆ ξ ′ · m : V m ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ · m : W m ) hence by IH on A ′ : ξ ′ · m : W m | = A ′ hence ξ ′ | = u • e = m { A ′ } A ≡ u I Γ Prove by direct use of Lemma 32. 
A ≡ ∀ u ∈ ( I Γ ) .A ′ Assume ξ ′ | = ∀ u ∈ ( I Γ ) .A ′ iff ∀ M u .M u [ I Γ , ξ ′ ] V u → ξ ′ · u : V u | = A ′ Prove ξ ′ | = ∀ u ∈ ( I Γ ) .A ′ iff ∀ M u .M u [ I Γ , ξ ′ ] W u → ξ ′ · u : W u | = A ′ Assume some M u in the ξ ′ such that M u [ I Γ , ξ ′ ] W u then given [[ I Γ ]] ξ ′ ≡ [[ I Γ ]] ξ ′ and the assumption then: for that M u then M u [ I Γ , ξ ′ ] V u and hence ξ ′ · u : V u | = A ′ and as W u and V u are derived from the same term then ( ξ · x : V ⋆ ξ ′ · u : V u ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′ · u : W u ) by induction on A ′ this implies ξ ′ · u : W u | = A ′ .Hence ∀ M u .M u [ I Γ , ξ ′ ] W u → ξ ′ · u : W u | = A ′ hence ξ ′ | = ∀ u ∈ ( I Γ ) .A ′ A ≡ ∃ u ∈ ( I Γ ) .A ′ Similar proof as ∀ u ∈ ( I Γ ) .A ′ above. A ≡ ∀ δ.A ′ Assume ξ ′ | = ∀ δ.A ′ iff ∀ ξ ′′ I Γ ′′ i .ξ ′ ⋆ ξ ′′ → ξ ′′ · δ : I Γ ′′ i \ − T CV | = A ′ Prove ξ ′ | = ∀ δ.A ′ iff ∀ ξ ′′ I Γ ′′ i .ξ ′ ⋆ ξ ′′ → ξ ′′ · δ : I Γ ′′ i \ − T CV | = A ′ i.e. assume some ξ ′′ I Γ ′′ i such that ξ ′ ⋆ ξ ′′ then for the same derivationrequired for ξ ′′ from ξ ′ there is an similarly derived model ξ ′′ derived from ξ ′ and hence ( ξ · x : V ⋆ ξ ′′ ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′′ ) (By assumption)and hence ( ξ · x : V ⋆ ξ ′′ · δ : I Γ ′′ i \ − T CV ) ∼ ⋆ ( ξ · x : V ⋆ ξ ′′ · δ : I Γ ′′ i \ − T CV ) (Def 3)and IH on A ′ can now be used to show that given ξ ′′ · δ : I Γ ′′ i \ − T CV | = A ′ then ξ ′′ · δ : I Γ ′′ i \ − T CV | = A ′ hence the case holds. Lemma 34 (Two extensions combine to make extensions of each other). ∀ I Γ, I Γ , I Γ , ξ I Γ , ξ I Γ , ξ I Γ .ξ ⋆ ξ · ξ ∧ ξ ⋆ ξ · ξ → ( ξ · ξ ⋆ ξ · ξ · ξ ↔ ξ · ξ ⋆ ξ · ξ · ξ ) i.e. ξ ⋆ ξ · ˜ X : ˜ V ∧ ξ ⋆ ξ · ˜ Y : ˜ W → (cid:16) ξ · ˜ X : ˜ V ⋆ ξ · ˜ X : ˜ V · ˜ Y : ˜ W ↔ ξ · ˜ Y : ˜ W ⋆ ξ · ˜ X : ˜ V · ˜ Y : ˜ W (cid:17) Proof. By symmetry this only needs to be proven in one direction, which is as follows: Assume: ξ ⋆ ξ · ξ ∧ ξ ⋆ ξ · ξ ∧ ξ · ξ ⋆ ξ · ξ · ξ i.e. 
assume: ξ ⋆ ξ · ˜ X : ˜ V ˜ α ∧ ξ ⋆ ξ · ξ ∧ ξ · ˜ X : ˜ V ˜ α ⋆ ξ · ˜ X : ˜ V ˜ α · ξ From Def ⋆ , , and Lemma 30, the TCV can be discarded in the reasoning, hence only standard variables are considered Line 3 ↔ ∃ ˜ M . ˜ M I Γ, ξ ] ˜ V ∧ ˜ M I Γ +˜ X , ξ · ˜ X : ˜ V ] ˜ V ∧ ... ∧ ˜ M i +1 [ I Γ +˜ X + ... +˜ X i , ξ · ˜ X : ˜ V · ... · ˜ X i : ˜ V i ] ˜ V i +1 ∧ ... ∧ ξ ⋆ ξ · ξ ∧ ξ · ˜ X : ˜ V ˜ α ⋆ ξ · ˜ X : ˜ V ˜ α · ξ → ∃ ˜ M . ˜ M I Γ, ξ · ξ ] ˜ V ∧ ˜ M I Γ +˜ X , ξ · ξ · ˜ X : ˜ V ] ˜ V ∧ ... ∧ ˜ M i +1 [ I Γ +˜ X + ... +˜ X i , ξ · ξ · ˜ X : ˜ V · ... · ˜ X i : ˜ V i ] ˜ V i +1 ∧ ... Lemma 11 ξ ⋆ ξ · ξ ( ˚a ( ˜ V ) ∩ ˚a ( ξ ) ⊆ ˚a ( ξ · ˜ X : ˜ V )) ξ · ˜ X : ˜ V ⋆ ξ · ˜ X : ˜ V · ξ ...7 → ∃ ˜ M . ˜ M I Γ + I Γ , ξ · ξ ] ˜ V ∧ ˜ M I Γ + I Γ +˜ X , ξ · ξ · ˜ X : ˜ V ] ˜ V ∧ ... ∧ ˜ M i +1 [ I Γ + I Γ +˜ X + ... +˜ X i , ξ · ξ · ˜ X : ˜ V · ... · ˜ X i : ˜ V i ] ˜ V i +1 ∧ ... [[ I Γ ]] ξ · ξ ⊂ [[ I Γ + I Γ ]] ξ · ξ [[ I Γ + ˜ X ]] ξ · ξ · ˜ X : ˜ V ⊂ [[ I Γ + ˜ X + I Γ ]] ξ · ˜ X : ˜ V · ξ ... ↔ ξ · ˜ Y : ˜ W ˜ β ⋆ ξ · ˜ X : ˜ V ˜ α · ˜ Y : ˜ W ˜ β
C Soundness of Axioms
We now prove the soundness of the axioms in Sec. 5, split into subsections, one for each type of axiom.
C.1 Soundness of Axioms for e = e ′ The following axioms are proven trivially:( eq ≡ x = x , ( eq ≡ x = y ↔ y = x , ( eq ≡ x = y ∧ y = z → x = z Soundness proof of Axiom ( eq A ( x ) ∧ x = e → A ( x )[ e/x ] Proof.
Syntactically: if x occurs in an LTC and e contains a destructor as in Sec.3, then I Γ in A then I Γ (cid:13) e : α holds, otherwise we just add all variables in e to I Γ s.t. the order is maintained by the global LTC.1 Assume I Γ , ξ I Γ s.t. I Γ (cid:13) A ( x ) ∧ x = e → A ( x )[ e/x ] then:2 ξ I Γ | = A ( x ) ∧ x = e Assume e free for x in A ( x ) Assume ξ | = A ( x ) ∧ ξ | = x = e Sem. ∧ ξ | = A ( x ) ∧ [[ x ]] ξ ∼ = ˚a ( ξ ) α [[ e ]] ξ Sem. =6 ξ | = A ( x ) ∧ [[ x ]] ξ ∼ = ˚a ( ξ ) α [[ e ]] ξ ∧ ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e )7 ξ | = A ( x ) ∧ [[ x ]] ξ ∼ = ˚a ( ξ ) α [[ e ]] ξ ∧ [[ e ]] ξ ∼ = ˚a ( ξ ) α V e ∧ ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e ) Lemma 21 ξ | = A ( x ) ∧ [[ x ]] ξ ∼ = ˚a ( ξ ) α V e ∧ ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e ) e ∼ = e ′ ∧ e ′ ∼ = e ′′ → e ∼ = e ′′ → ξ | = A ( x ) ∧ ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e ) ∧ ∀ x ′ , A ( x ′ ) . x ′ / ∈ dom ( I Γ ) ∧ I Γ · x ′ : I Γ ( x ) (cid:13) A ( x ′ ) → ( ξ · x ′ : ξ ( x ) | = A ( x )[ x ′ /x ] ↔ ξ · x ′ : V e | = A ( x )[ x ′ /x ]) Lemma 33 B − x,x ′ ( x ′ ) ≡ B ( x )[ x ′ /x ] ( [[ e ]] ξ ≡ eξ ) ↔ ξ | = A ( x ) ∧ ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e ) ∧ ∀ x ′ .x ′ / ∈ dom ( I Γ ) → ( ξ | = A ( x ) ↔ ξ · x ′ : V e | = A ( x ′ )) Let A ≡ Aξ · x ′ : ξ ( x ) | = A ( x ′ ) ↔ ξ | = A ( x )11 → ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e ) ∧ ∀ x ′ .x ′ / ∈ dom ( I Γ ) → ξ · x ′ : V e | = A ( x ′ ) B ∧ ( B ↔ C ) → C → ∀ x ′ .x ′ / ∈ dom ( I Γ ) → (( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( G ′ , V e ) ∧ ξ · x ′ : V e | = A ( x ′ )) A ∧∀ x. ( B → C ) → ∀ x. ( B → A ∧ C )13 ↔ ∀ x ′ .x ′ / ∈ dom ( I Γ ) → ξ | = A ( x ′ )[ e/x ′ ] Sem. A [ e/x ′ ] ( x ′ / ∈ fv ( ξ ) ) ↔ ξ | = A ( x )[ e/x ] Sem. A [ e/x ] ( x ∈ fv ( ξ ) )
15 Hence: ∀ ξ I Γ . I Γ (cid:13) A ( x ) ∧ x = e → A ( x )[ e/x ] → ξ | = A ( x ) ∧ x = e → A ( x )[ e/x ] lines 1-14 C.2 Soundness of Axioms for ∀ x ∈ ( Γ ) .A Soundness proof of Axiom ( u ∀ x α ∈ ( I Γ ) .A ∧ I Γ (cid:13) e : α → A [ e/x ] Proof. I Γ , ξ I Γ d s.t. I Γ ⊲ ξ ∧ I Γ (cid:13) ∀ x α ∈ ( I Γ ) .A → A [ e/x ] and I Γ (cid:13) e : α ξ | = ∀ x α ∈ ( I Γ ) .A and I Γ ⊢ e : α Note e ∈ { x, c, Op (˜ e ) , h e , e i π i ( e ) } ∀ M x .M x [ I Γ , ξ ] V x → ξ · x : V x | = A Sem. ∀ ∈ () . , 2 e − expression → e − term → ˚a ( e ) = ∅ Lemma 19 I Γ (cid:13) I Γ → ( I Γ (cid:13) e : α → I Γ (cid:13) e : α ) Typing rules I Γ (cid:13) e : α → ∃ V e . ( ˚a ( ξ ) , [[ e ]] ξ ) ⇓ ( ˚a ( ξ ) , V e ) Lemma 18, 6 e [ I Γ , ξ ] V e Sem. [ , ] , 4, 5, 6, [[ e ]] ξ ≡ eξ e [ I Γ , ξ ] V e → ξ · x : V e | = A Instantiate ∀ M x to e , 3 → e [ I Γ, ξ ] V e ∧ ξ · x : V e | = A MP, 7, 8 ξ | = A [ e/x ] Sem. [ e/x ] , x / ∈ dom ( ξ )11 Hence ξ | = ∀ x α ∈ ( I Γ ) .A and I Γ ⊢ e : α implies ξ | = A [ e/x ] lines 2-10
12 Hence ∀ I Γ, I Γ , A, e. I Γ (cid:13) ∀ x α ∈ ( I Γ ) .A → A [ e/x ] ∧ I Γ (cid:13) e : α → ∀ ξ. I Γ ⊲ ξ → ξ | = (( ∀ x α ∈ ( I Γ ) .A ) → ( A [ e/x ])) lines 1-11
Soundness proof of Axiom ( u ∀ x α ∈ ( I Γ + I Γ ) .A → ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .A ) Proof. I Γ , ξ I Γ d s.t. I Γ ⊲ ξ ∧ I Γ (cid:13) ∀ x α ∈ ( I Γ + I Γ ′ ) .A → ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ′ ) .A )2 Assume: ξ | = ∀ x α ∈ ( I Γ , I Γ ) .A ξ | = ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .A )4 ∀ M.M [ I Γ + I Γ , ξ ] V → ξ · x : V | = A Sem. ∀ x ∈ ( I Γ , I Γ ) . ,1 → ∀ M.M [ I Γ , ξ ] V → ξ · x : V | = A ∀ V. I Γ i ⊢ V : α ... ⊆ ∀ V. I Γ + I Γ ⊢ V : α ... ξ | = ∀ x α ∈ ( I Γ ) .A Sem. ∀ ∈ () . ξ | = ∀ x α ∈ ( I Γ ) .A Same as 3-5 but with I Γ → ξ | = ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .A ) ∀ I Γ. I Γ (cid:13) ∀ x α ∈ ( I Γ + I Γ ) .A → ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .A ) → ∀ ξ. I Γ ⊲ ξ → ξ | = ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .A ) lines 1-8
Soundness proof of Axiom ( u A − x ↔ ∀ x α ∈ ( I Γ ) .A Proof.
Clearly ∀ x ∈ ( I Γ ) .A → A applying ( u1) given A − x [ e/x ] ≡ A and the x derived from I Γ (say V ) must imply an extension ξ ⋆ ξ · x : V which given A - Ext-Ind implies this direction. Then to prove A − x → ∀ x ∈ ( I Γ ) .A : 1 Assume: I Γ, I Γ , A s.t. I Γ (cid:13) A − x → ∀ x α ∈ ( I Γ ) .A ∧ A − Ext-Ind ξ I Γ d s.t. I Γ ⊲ ξ and ξ | = A − x → ∀ M. M [ I Γ , ξ ] V → ξ | = A Tautology → ∀ M. M [ I Γ , ξ ] V → ξ · x : V | = A Sem. ⋆ , Lemmas 26 and A - Ext-Ind ξ | = ∀ x α ∈ ( I Γ ) .A Sem. ∀ ∈ () . ξ | = A → ξ | = ∀ x α ∈ ( I Γ ) .A ξ | = A → ∀ x α ∈ ( I Γ ) .A Sem. → ∀ I Γ. I Γ (cid:13) A → ∀ x α ∈ ( I Γ ) .A ∧ ∀ ξ I Γ d . I Γ ⊲ ξ → ξ | = A → ∀ x α ∈ ( I Γ ) .A lines 1-7
Soundness proof of Axiom ( u ( ∀ x α ∈ ( I Γ ) . ( A ∧ B )) ↔ ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .B ) Proof.
Assume I Γ, ξ I Γ d , A such that I Γ ⊲ ξ ∧ I Γ (cid:13) ( ∀ x α ∈ ( I Γ ) . ( A ∧ B )) ↔ ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .B ) → : 1 Assume: ξ | = ( ∀ x α ∈ ( I Γ ) . ( A ∧ B ))2 ∀ M.M [ I Γ , ξ ] V → ( ξ · x : V | = A ∧ ξ · x : V | = B ) Sem. ∀ ∈ () . , ∧ ∀ M.M [ I Γ , ξ ] V → ( ξ · x : V | = A ∧ ξ · x : V | = B ) ∧ ∀ M.M [ I Γ , ξ ] V → ( ξ · x : V | = A ∧ ξ · x : V | = B ) FOL A → A ∧ A → ∀ M.M [ I Γ , ξ ] V → ξ · x : V | = A ∧ ∀ M.M [ I Γ , ξ ] V → ξ · x : V | = B FOL ∧ -elim ξ | = ∀ x α ∈ ( I Γ ) .A ∧ ξ | = ∀ x α ∈ ( I Γ ) .B Sem. ∀ ∈ () . ξ | = ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .B ) Sem. ∧ ← :1 Assume: ξ | = ( ∀ x α ∈ ( I Γ ) .A ) ∧ ( ∀ x α ∈ ( I Γ ) .B )2 ∀ M.M [ I Γ , ξ ] V → ξ · x : V | = A ∧ ∀ M.M [ I Γ , ξ ] V → ξ · x : V | = B Sem. ∀ ∈ () . , ∧ , 1 ∀ M. M [ I Γ , ξ ] V → ξ · x : V | = A ∧ M [ I Γ , ξ ] V → ξ · x : V | = B extract the common ∀ M ∀ M.M [ I Γ , ξ ] V → ( ξ · x : V | = A ∧ ξ · x : V | = B ) FOL (( A → B ) ∧ ( A → C )) → ( A → ( B ∧ C ))5 ξ | = ∀ x α ∈ ( I Γ ) . ( A ∧ B ) Sem. ∧ , ∀ x ∈ ( I Γ ) .
Soundness proof of Axiom ( u ∀ x α ∈ ( I Γ ) .A ↔ ∀ x α ∈ ( ∅ ) .A iff α is Nm -free Proof.
Trivial using Lemma 13 as they both quantify over the same set of values.
Soundness proof of Axiom ( ex ( I Γ (cid:13) I Γ ∧ I Γ (cid:13) e : α ) → A [ e/x ] → ∃ x ∈ ( I Γ ) .x = e ∧ A Proof.
Assume I Γ − x , ξ I Γ d , I Γ − x , e, A such that I Γ (cid:13) A [ e/x ] → ∃ x ∈ ( I Γ ) .A , I Γ (cid:13) I Γ and I Γ (cid:13) e : α I Γ s.t. I Γ (cid:13) A [ e/x ] → ∃ x ∈ ( I Γ ) .x = e ∧ A I Γ , e s.t. I Γ (cid:13) I Γ and I Γ (cid:13) e : α ξ I Γ d s.t. I Γ ⊲ ξ and ξ | = A [ e/x ]4 ↔ e [ I Γ, ξ ] V ∧ ξ · x : V | = A Sem. A [ e/x ] , x / ∈ dom ( ξ )5 ↔ e [ I Γ , ξ ] V ∧ ξ · x : V | = A ∧ e ( ξ · x : V ) ∼ = ˚a ( ξ · x : V ) α x ( ξ · x : V ) Lemma 21 ↔ e [ I Γ , ξ ] V ∧ ξ · x : V | = x = e ∧ A Sem. = , ∧ → ∃ M e .M e [ I Γ , ξ ] V ∧ ξ · x : V | = x = e ∧ A Clearly holds for M e = e ↔ ξ | = ∃ x ∈ ( I Γ ) .x = e ∧ A Sem. ∃ x ∈ ( I Γ ) . Soundness proof of Axiom ( ex Assuming { a, b } ⊆ dom ( I Γ ) I Γ + x + I Γ (cid:13) a • b = c { c = x } → ∃ x ′ ∈ ( I Γ ) .x = x ′ Proof. ξ I Γ d s.t. I Γ + x + I Γ ⊲ ξ ξ | = a • b = c { c = x } → ab [ I Γ , ξ ] V c ∧ ξ · c : V c | = x = c Sem. • = {} →∃ M ′ x .M ′ x [ I Γ , ξ ] V c ∧ ξ · c : V c | = x = c M ′ x ≡ ab ( { a, b } ⊆ dom ( I Γ ) ) → ξ | = ∃ x ′ ∈ ( I Γ ) .x = x ′ Sem. ∃ ∈ () . ∀ I Γ + x + I Γ . I Γ + x + I Γ (cid:13) a • b = c { c = x } → ∃ x ′ ∈ ( I Γ ) .x = x → ∀ ξ I Γ d . I Γ + x + I Γ ⊲ ξ → ξ | = a • b = c { c = x } → ∃ x ′ ∈ ( I Γ ) .x = x ′ Soundness proof of Axiom ( ex I Γ + x (cid:13) ∀ y Nm ∈ ( ∅ ) . ∃ z Nm ∈ ( I Γ + y ) .x = z → ∃ z ∈ ( I Γ ) .x = z Proof. ξ I Γ d s.t. I Γ + x ⊲ ξ and ξ | = ∀ y Nm ∈ ( ∅ ) . 
∃ z Nm ∈ ( I Γ + y ) .x = z → ∀ M Nm y .M y [ ∅ , ξ ] V y → ∃ M Nm z .M z [ I Γ + y, ξ · y : V y ] V z ∧ ξ · y : V y · z : V z | = x = z → ∀ M Nm y .M y [ ∅ , ξ ] V y → ∃ M Nm z .M z [ I Γ , ξ · y : V y ] V z ∧ ξ · y : V y · z : V z | = x = z replace y with M y → ∀ M Nm y .M y [ ∅ , ξ ] V y → ∃ M Nm z .M z [ I Γ , ξ ] V z ∧ [[ x ]] ξ · y : V y · z : V z ∼ = ˚a ( ξ · y : V y · z : V z ) Nm [[ z ]] ξ · y : V y · z : V z Lemma 1 → ∀ M Nm y .M y [ ∅ , ξ ] V y → ∃ M Nm z .M z [ I Γ , ξ ] V z ∧ [[ x ]] ξ · z : V z ∼ = ˚a ( ξ · y : V y · z : V z ) Nm [[ z ]] ξ · z : V z [[ x ]] ξ · y : V y = [[ x ]] ξ → ∀ M Nm y .M y [ ∅ , ξ ] V y → ∃ M Nm z .M z [ I Γ , ξ ] V z ∧ [[ x ]] ξ · z : V z ∼ = ˚a ( ξ · z : V z ) Nm [[ z ]] ξ · z : V z Lemma 2 → ∃ M Nm z .M z [ I Γ , ξ ] V z ∧ [[ x ]] ξ · z : V z ∼ = ˚a ( ξ · z : V z ) Nm [[ z ]] ξ · z : V z FOL → ξ | = ∃ z ∈ ( I Γ ) .x = z Sem. ∃ ∈ () . ∀ I Γ + x. I Γ + x (cid:13) ∀ y Nm ∈ ( ∅ ) . ∃ z Nm ∈ ( I Γ + y ) .x = z → ∃ z ∈ ( I Γ ) .x = z → ∀ ξ I Γ d . I Γ + x ⊲ ξ → ξ | = ∀ y Nm ∈ ( ∅ ) . ∃ z Nm ∈ ( I Γ + y ) .x = z → ∃ z ∈ ( I Γ ) .x = z
C.3 Soundness of Axioms for x Γ
Soundness proof of Axiom ( f I Γ + x : Nm + f : α → α b (cid:13) x I Γ → x I Γ + f : α → α b
Proof.
We use Lemma 14 to show that f cannot help produce x if f : α → α b .1 Assume: ξ xf s.t. I Γ + x : Nm + f : α → α b ⊲ ( ξ I Γ · x : r x · f : V f ) I Γ + x : Nm + f : α → α b ≡ ξ xf I Γ + x + f ⊲ ξ xf → ∃ M x .M x [ I Γ, ξ ] r x ∧ ∃ M f .M f [ I Γ + x, ξ · x : r x ] V f ξ xf | = x I Γ Assumption ∃ M x .M x [ I Γ, ξ ] r x ∧ ¬ ∃ N x .N x [ I Γ, ξ xf ] r x Sem. x I Γ , 2 ∃ M x .M x [ I Γ, ξ ] r x ∧ ¬ ∃ N x .N x [ I Γ, ξ · x : r x ] r x Lemma 11 → r x / ∈ ˚a ( ξ ) Lemma 15 r x / ∈ ˚a ( V f ) Then trivial as x -fresh and f cannot output r x , Lemma 22 r x ∈ ˚a ( V f ) (proof by contradiction) ∃ P x .P x [ I Γ + f, ξ xf ] r x ↔ ∃ P x . ˚a ( P x ) = ∅ ∧ [[ I Γ ]] ξ , f : α → α b ⊢ P x : Nm ∧ ( ˚a ( ξ xf ) , P x ξ xf ) ⇓ ( ˚a ( ξ xf ) , G ′ , r x ) Sem. [ , ] ↔ ∃ P x . ˚a ( P x ) = ∅ ∧ [[ I Γ ]] ξ , f : α → α b ⊢ P x : Nm ∧ ( ˚a ( ξ xf ) , P x [ V f /f ] ξ ) ⇓ ( ˚a ( ξ xf ) , G ′ , r x ) Def [ V /x ] , P − xx ↔ ∃ P x . ˚a ( P x ) = ∅ ∧ [[ I Γ ]] ξ , f : α → α b ⊢ P x : Nm ∧ ( ˚a ( ξ xf ) , ( P x ξ )[ V f /f ]) ⇓ ( ˚a ( ξ xf ) , G ′ , r x ) Def closure, V f -value ↔ ∃ P x . ˚a ( P x ) = ∅ ∧ [[ I Γ ]] ξ , f : α → α b ⊢ P x : Nm ∧ ( ˚a ( ξ xf ) , ( P x ξ )[ V f /f ]) ⇓ ( ˚a ( ξ xf ) , G ′ , r x ) ∧ ¬ ( ˚a ( ξ xf ) , ( P x ξ )[ V f /f ]) ⇓ ( ˚a ( ξ xf ) , G ′ , r x ) r x / ∈ ξ → r x / ∈ ˚a ( P x ξ ) , r x ∈ ˚a ( V f ) Lemma 14 → ¬ ( ... ⇓ r x )14 Contradiction, hence: ¬ ∃ P x .P x [ I Γ + f, ξ xf ] r x
15 Hence: ∀ ξ xf . I Γ + x + f ⊲ ξ xf → ξ xf | = x I Γ → x I Γ + f Soundness proof of Axiom ( f ( x I Γ ∧ ∀ y α y ∈ ( I Γ ) .A ) ↔ ∀ y α y ∈ ( I Γ ) . ( x I Γ + y : α y ) ∧ A ) Proof.
The ← direction is elementary. The → direction is as follows: 1 Assume some I Γ , ξ I Γ s.t. I Γ (cid:13) ( x I Γ ∧ ∀ y α y ∈ ( I Γ ) .A ) → ∀ y α y ∈ ( I Γ ) . ( x I Γ + y : α y ) ∧ A )2 Assume: ξ | = x I Γ ∧ ( ∀ y ∈ ( I Γ ) .A )3 ¬ ∃ M x .M x [ I Γ , ξ ] [[ x ]] ξ ∧ ∀ M y . M y [ I Γ , ξ ] V y → ξ · y : V y | = A Sem. x I Γ ∀ y ∈ ( I Γ ) .A ∀ M y . M y [ I Γ , ξ ] V y → ¬ ∃ M x .M x [ I Γ , ξ ] [[ x ]] ξ ∧ ξ · y : V y | = A A − M y ∧ ∀ M y . B → C → ∀ M y .B → ( A ∧ C )5 ∀ M y . M y [ I Γ , ξ ] V y → ¬ ∃ M x .M x [ I Γ + y, ξ · y : V y ] [[ x ]] ξ · y : V y ∧ ξ · y : V y | = A Lemma 16 [ I Γ , ξ ] s ↔ [ I Γ + y, ξ y ] s , Lemma 24, [[ x ]] ξ ≡ [[ x ]] ξ · y : V y ∀ M y . M y [ I Γ , ξ ] V y → ξ · y : V y | = x I Γ + y ∧ ξ · y : V y | = A Sem. ξ | = ∀ y ∈ ( I Γ ) .x I Γ + y ) ∧ A Sem. ∀ ∈ () . , ∧
Soundness proof of Axiom ( f x I Γ ∧ I Γ (cid:13) e : Nm → x = e Proof.
Provable directly from syntactic definition of x I Γ and ( u Soundness proof of Axiom ( f x I Γ + I Γ ) → x I Γ ∧ x I Γ Proof.
Provable directly from syntactic definition of x I Γ , and ( u
C.4 Soundness of Axioms for ∀ δ.A
Soundness proof of Axiom ( utc I Γ (cid:13) ( ∀ δ.A ) → A [ I Γ/δ ]
Proof. I Γ s.t. I Γ (cid:13) ( ∀ δ.A ) → A [ I Γ/δ ]2 Assume: ξ I Γ d s.t. I Γ ⊲ ξ and ξ | = ∀ δ.A ↔ ∀ ξ I Γ . ξ ⋆ ξ → ξ · δ : I Γ | = A Sem. ∀ δ. → ξ ⋆ ξ → ξ · δ : I Γ d | = A Instantiate ∀ ξ I Γ with ξ → ξ · δ : I Γ d | = A FOL, ( ξ ⋆ ξ ) ( ≡ T )6 → ξ · δ : I Γ | = A I Γ ⊲ ξ → [[ I Γ ]] ξ ≡ [[ I Γ d ]] ξ → ξ | = A [ I Γ/δ ] Sem. [ I Γ/δ ] Soundness proof of Axiom ( utc I Γ (cid:13) ∀ x Nm ∈ ( I Γ ) .A − δ ↔ ∀ δ. ∀ x Nm ∈ ( I Γ + δ ) .A − δ if A - Ext-Ind
Proof. ← : Holds through ( utc → :1 Assume: I Γ s.t. I Γ (cid:13) ∀ x ∈ ( I Γ ) .A ↔ ∀ δ. ∀ x ∈ ( I Γ + δ ) .A − δ ξ I Γ d s.t. I Γ ⊲ ξ and ξ | = ∀ x Nm ∈ ( I Γ ) .A ↔ ∀ M.M [ I Γ, ξ ] r → ξ · x : r | = A ξ ′ I Γ ′ , M ′ s.t. ξ ⋆ ξ ′ and M ′ [ I Γ + δ, ξ ′ · δ : I Γ ′ \ − TCV ] r ‘ ∀ δ. ∀ x ∈ ( δ ) . ’ ↔ M ′ [ I Γ ′ , ξ ′ ] r [[ I Γ + δ ]] ξ ′ · δ : I Γ ′ \ − TCV ≡ I Γ ′ , Lemma 10 r ∈ ˚a ( ξ ) → r ≡ r → ξ · x : r | = A Lemma 17 → r ≡ r obtainable r / ∈ ˚a ( ξ ) → fresh- r ≡ r → ξ · x : r | = A Let r ≡ r as r / ∈ ˚a ( ξ ) (fresh names can be swapped) → ξ ′ · x : r | = A Lemma 29, A − Ext-Ind → ξ ′ · δ : I Γ ′ \ − T CV · x : r | = A Lemma 30, A − δ → ξ | = ∀ δ. ∀ x Nm ∈ ( I Γ + δ ) .A − δ lines 4-9
11 Hence: ∀ I Γ. I Γ (cid:13) ∀ x ∈ ( I Γ ) .A ↔ ∀ δ. ∀ x ∈ ( I Γ + δ ) .A − δ → ∀ ξ I Γ d . I Γ ⊲ ξ → ξ | = ∀ x Nm ∈ ( I Γ ) .A − δ → ∀ δ. ∀ x Nm ∈ ( I Γ + δ ) .A − δ (Assuming A − Ext-Ind ) lines 1-10 Essentially in line 6: if r is in ˚a ( ξ ) then it can be derived from ξ , and in line 7 if r is not in ˚a ( ξ ) then instantiating M ≡ gensym () produces a fresh name which can easily be set as (or swapped for) r .
Soundness proof of Axiom ( utc A − Ext-Ind → A − δ ↔ ∀ δ.A Proof.
Assume: I Γ , ξ I Γ s.t. I Γ (cid:13) A − δ ↔ ∀ δ.A and assume some A − δ - Ext-Ind , then: ← : Use ( utc1) knowing that A − δ [ I Γ/δ ] ≡ A . → : 1 Assume: ξ | = A − δ ξ | = ∀ δ.A ξ | = A − δ → ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ | = A − δ trivial addition ξ | = A − δ → ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ | = A − δ A - Ext-Ind ξ | = A − δ → ∀ ξ ′ I Γ ′ .ξ ⋆ ξ ′ ∧ ξ ′ · δ : I Γ ′ | = A − δ Lemma 30 ξ | = A − δ → ξ | = ∀ δ.A Sem. ∀ δ.
Soundness proof of Axiom ( utc ∀ δ. ( A ∧ B ) ↔ ( ∀ δ.A ) ∧ ( ∀ δ.B ) Proof.
Assume I Γ , ξ I Γ s.t. I Γ (cid:13) ∀ δ. ( A ∧ B ) ↔ ( ∀ δ.A ) ∧ ( ∀ δ.B ) → : 1 Assume: ξ | = ∀ δ. ( A ∧ B )2 Prove: ξ | = ( ∀ δ.A ) ∧ ( ∀ δ.B )3 ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = A ∧ B Sem. ∀ . ↔ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = A ∧ B ∧ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = A ∧ B FOL A → ( A ∧ A )5 → ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = A ∧ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = B ∧ -elim ↔ ξ | = ( ∀ δ.A ) ∧ ( ∀ δ.B ) ∧ -elim ← : 1 Assume: ξ | = ( ∀ δ.A ) ∧ ( ∀ δ.B )2 Prove: ξ | = ∀ δ. ( A ∧ B )3 ↔ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = A ∧ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = B Sem. ∧ , ∀ . → ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ( ξ ′ · δ : I Γ ′ | = A ∧ ξ ′ · δ : I Γ ′ | = B ) ∀ ξ ′ unifying ↔ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · δ : I Γ ′ | = A ∧ B Sem. ∧ ↔ ξ | = ∀ δ. ( A ∧ B ) ∧ -elim
C.5 Soundness of Axioms for u • e = m { A }
Soundness proof of Axiom ( e e • e = m { A − m ∧ B } ↔ ( A ∧ e • e = m { B } ) iff m / ∈ fv ( A ) and A - Ext-Ind .1 Assume: I Γ , ξ I Γ s.t.2 Assume: I Γ (cid:13) e • e = m { A − m ∧ B } ↔ ( A ∧ e • e = m { B } ) with m / ∈ fv ( A ) and A - Ext-Ind .3 ξ | = e • e = m { A − m ∧ B } m / ∈ dom ( I Γ )4 ↔ e e I Γ, ξ ] V ∧ ξ · m : V | = A ∧ B Sem. • = {} ↔ e e I Γ, ξ ] V ∧ ξ · m : V | = A ∧ ξ · m : V | = B Sem. ∧ ↔ e e I Γ, ξ ] V ∧ ξ | = A ∧ ξ · m : V | = B Sem. ⋆ , Lemma 26 and A - Ext-Ind ↔ ξ | = A ∧ ξ | = e • e = m { B } Sem. • = {} ↔ ξ | = ( A ∧ e • e = m { B } ) Sem. ∧
Soundness proof of Axiom ( e e • e = m {∀ x ∈ ( I Γ ) .A } ↔ ∀ x ∈ ( I Γ ) .e • e = m { A } iff x = e , e , m ∧ e , e , m / ∈ I Γ I Γ , ξ I Γ s.t.2 Assume: I Γ (cid:13) e • e = m {∀ x ∈ ( I Γ ) .A } ↔ ∀ x ∈ ( I Γ ) .e • e = m { A } with x = e , e , m ∧ e , e , m / ∈ I Γ ξ | = e • e = m {∀ x ∈ ( I Γ ) .A } ↔ e e I Γ, ξ ] V m ∧ ∀ M x . M x [ I Γ , ξ · m : V m ] V x → ξ · m : V m · x : V x | = A Sem. • = {} , ∀ ∈ () . ↔ e e I Γ, ξ ] V m ∧ ∀ M x . 
M x [ I Γ , ξ ] V x → ξ · m : V m · x : V x | = A m / ∈ I Γ ∧ ξ ⋆ ξ · m : V m Lemma 11 ( ˚a ( V x ) ∩ ˚a ( V m ) ⊆ ˚a ( ξ ) ) ↔ ∀ M x . e e I Γ, ξ ] V m ∧ ( M x [ I Γ , ξ ] V x → ξ · m : V m · x : V x | = A ) A ∧ ∀ X.B ↔ ∀ X.A − X ∧ B ↔ ∀ M x . M x [ I Γ , ξ ] V x → ( e e I Γ, ξ ] V m ∧ ξ · m : V m · x : V x | = A ) → : A ∧ ( B → C ) → B → ( C ∧ A ) ← : [[ e e ]] ⇓ V m terminates ↔ ∀ M x . M x [ I Γ , ξ ] V x → ( e e I Γ, ξ · x : V x ] V m ∧ ξ · m : V m · x : V x | = A ) x = e , e , Lemma 11 ( ˚a ( V x ) ∩ ˚a ( V m ) ⊆ ˚a ( ξ \ x ) ) ↔ ξ | = ∀ x ∈ ( I Γ ) .e • e = m { A } Sem. ∀ ∈ () . , • = {}
Soundness proof of Axiom ( e e • e = m α b {∀ δ.A } ↔ ∀ δ.e • e = m α b { A } iff A − Ext-Ind I Γ , ξ I Γ s.t.2 Assume: I Γ (cid:13) e • e = m α b {∀ δ.A } ↔ ∀ δ.e • e = m α b { A } with A - Ext-Ind ξ | = e • e = m α b {∀ δ.A } ↔ e e I Γ, ξ ] V m ∧ ∀ ξ ′ I Γ ′ m m . ξ · m : V m ⋆ ξ ′ m → ξ ′ m · δ : I Γ ′ m \ − T CV | = A Sem. • = {} , ∀ δ. ↔ e e I Γ, ξ ] V m ∧ ∀ ξ ′ I Γ ′ . ξ · m : V m ⋆ ξ ′ · m : V m → ξ ′ · m : V m · δ : I Γ ′ \ − T CV | = A Rewrite ξ ′ m Lemma 6 ↔ e e I Γ, ξ ] V m ∧ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ξ ′ · m : V m · δ : I Γ ′ \ − T CV | = A Lemma 7 ↔ ∀ ξ ′ I Γ ′ .ξ ⋆ ξ ′ → ( e e I Γ, ξ ] V m ∧ ξ ′ · m : V m · δ : I Γ ′ \ − T CV | = A ) [[ e e ]] ξ ⇓ V m terminates ↔ ∀ ξ ′ I Γ ′ . ξ ⋆ ξ ′ → ( e e I Γ, ξ ′ ] V m ∧ ξ ′ · m : V m · δ : I Γ ′ \ − T CV | = A ) Lemmas 3, 11 ↔ ∀ ξ ′ I Γ ′ .ξ ⋆ ξ ′ → ( e e I Γ, ξ ′ · δ : I Γ ′ \ − TCV ] V m ∧ ξ ′ · δ : I Γ ′ \ − T CV · m : V m | = A ) Lemma 10 ↔ ∀ ξ ′ I Γ ′ .ξ ⋆ ξ ′ → ( e e I Γ ′ + δ, ξ ′ · δ : I Γ ′ \ − TCV ] V m ∧ ξ ′ · δ : I Γ ′ \ − T CV · m : V m | = A ) I Γ (cid:13) e e : α b ↔ ξ | = ∀ δ.e • e = m α b { A } Sem. • = {} , ∀ δ.
Soundness proof of Axiom ( ext ) For all e , e : α → α s.t. α and α are both Nm -free: ( ∀ x α ∈ ( ∅ ) .e • x = m α { e • x = m α { m = m }} ) ↔ e = α → α e Proof.
Use Lemma 13 and the proof for ( ext ) in STLC to see that this holds.
D Soundness of Rules
In this section the soundness proofs of the rules are introduced. Since the logic is limited to compile-time syntax, for any term s.t. I Γ (cid:13) M α the condition ˚a ( M ) = ∅ is implied, so clearly ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G ′ , V ) ↔ M [ I Γ, ξ ] V ; hence the two are used interchangeably for brevity.

D.1 Soundness of [Var]

−{ A [ x/m ] } x : m { A } [Var]

Proof:
1 Assume: I Γ s.t. I Γ (cid:13) { A [ x/m ] } x : m { A }
2 Assume ξ s.t. I Γ ⊲ ξ and ξ | = A [ x/m ]
3 → x [ I Γ, ξ ] ξ ( x )   xξ ≡ ξ ( x )
4 ξ | = A [ x/m ] ↔ ξ · m : ξ ( x ) | = A   Sem. [ x/m ] , m -fresh
ξ | = A [ x/m ] → x [ I Γ, ξ ] ξ ( x ) ∧ ξ · m : ξ ( x ) | = A   ξ ( x ) a value
∀ ξ. I Γ ⊲ ξ → ξ | = A [ x/m ] → x [ I Γ, ξ ] ξ ( x ) ∧ ξ · m : ξ ( x ) | = A
2, 5 −| = { A [ x/m ] } x : m { A }   Sem. valid triple
D.2 Soundness of [Const]

−{ A [ c/m ] } c : m { A } [Const]

Proof:
1 Assume: I Γ s.t. I Γ (cid:13) { A [ c/m ] } c : m { A }
Assume ξ s.t. I Γ ⊲ ξ and ξ | = A [ c/m ]
3 → c [ I Γ, ξ ] c   cξ ≡ c
ξ | = A [ c/m ] ↔ ξ · m : c | = A   Sem. [ c/m ]
5 ξ | = A [ c/m ] → c [ I Γ, ξ ] c ∧ ξ · m : c | = A   c a value
∀ ξ. I Γ ⊲ ξ → ξ | = A [ c/m ] → c [ I Γ, ξ ] c ∧ ξ · m : c | = A
−| = { A [ c/m ] } c : m { A }   Sem. valid triple
D.3 Soundness of [Eq] { A } M : m { B } { B } N : n { C [ m = n/u ] } C thin w.r.t m, n { A } M = N : u { C } [Eq] Proof:1 Assume: ∀ I Γ , ξ I Γ . I Γ (cid:13) { A } M : m { B } ∧ I Γ ⊲ ξ → ξ | = { A } M : m { B } IH(1) ∀ I Γ , ξ I Γ . I Γ (cid:13) { B } N : n { C [ m = n/u ] } ∧ I Γ ⊲ ξ → ξ | = { B } N : n { C [ m = n/u ] } IH(2) I Γ s.t. I Γ (cid:13) { A } M = N : u { C } ξ s,t, I Γ ⊲ ξ ∧ ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = B IH(1) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n , V n ) ∧ ξ · m : V m · n : V n | = C [ m = n/u ] IH(2) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n , V n ) ∧ ( m = n ) [ I Γ + m + n, ξ · m : V m · n : V n ] V u ∧ ξ mn · u : V u | = C Sem. C [ m = n/u ]9 → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n , V n ) ∧ ( m = n ) [ I Γ + m + n, ξ · m : V m · n : V n ] V u ∧ ξ · u : V u | = C C thin w.r.t m, n → ( ˚a ( ξ ) , ( M = N ) ξ ) ⇓ ( ˚a ( ξ ) , G ′ , V u ) ∧ ξ · u : V u | = C Op. Sem.(=) → ∀ ξ. I Γ ⊲ ξ → ξ | = { A } M = N : u { C } Assumption, 5-10
12 Hence: | = { A } M : m { B } | = { B } N : n { C − m,n [ m = n/u ] } C thin w.r.t m, n | = { A } M = N : u { C } lines 1-11 D.4 Soundness of [Gensym] −{ T } gensym : u {∀ δ.u • () = m { m δ }} [Gensym] Soundness proof:1 Assume: I Γ s.t. I Γ (cid:13) { T } gensym : u {∀ δ.u • () = m { m δ }} ξ s.t. I Γ ⊲ ξ ∧ ξ | = T ξ I Γ u u ≡ ξ · u : gensym gensym -value and u / ∈ dom ( ξ )4 ∀ ξ I Γ x x . ( ˚a ( ξ x ) , gensym ()) ⇓ (( ˚a ( ξ x ) , r ) , r ) ∧ r / ∈ ˚a ( ξ x ) Op. Sem. gensym ()5 ∀ ξ I Γ . ξ · u : gensym ⋆ ξ → ( ˚a ( ξ ) , [[ u ]] ξ ()) ⇓ (( ˚a ( ξ ) , r ) , r ) ∧ r / ∈ ˚a ( ξ ) restrict thequantification, 4 [[ u ]] ξ ≡ gensym → ∀ ξ I Γ . ξ · u : gensym ⋆ ξ → ( ˚a ( ξ ) , [[ u ]] ξ ()) ⇓ (( ˚a ( ξ ) , r ) , r ) ∧ ¬ ∃ M Nm m .M m [ I Γ , ξ · m : r ] r Lemma 23 → ∀ ξ I Γ . ξ · u : gensym ⋆ ξ → ( ˚a ( ξ ) , [[ u ]] ξ ()) ⇓ (( ˚a ( ξ ) , r ) , r ) ∧ ¬ ∃ M Nm m .M m [ I Γ , ξ · m : r ] [[ m ]] ξ · δ : I Γ \ − TCV · m : r r ≡ [[ m ]] ξ · δ : I Γ \ − TCV · m : r → ∀ ξ I Γ . ξ · u : gensym ⋆ ξ → ( ˚a ( ξ ) , [[ u ]] ξ ()) ⇓ (( ˚a ( ξ ) , r ) , r ) ∧ ¬ ∃ M Nm m .M m [ I Γ , ξ · δ : I Γ \ − TCV · m : r ] [[ m ]] ξ · δ : I Γ \ − TCV · m : r Lemma 10 → ∀ ξ I Γ . ξ · u : gensym ⋆ ξ → ( ˚a ( ξ ) , [[ u ]] ξ ()) ⇓ (( ˚a ( ξ ) , r ) , r ) ∧ ¬ ∃ M Nm m .M m [ I Γ + δ, ξ · δ : I Γ \ − TCV · m : r ] [[ m ]] ξ · δ : I Γ \ − TCV · m : r [[ I Γ ]] ξ · δ : I Γ \ − TCV · m : r ≡ [[ I Γ + δ ]] ξ · δ : I Γ \ − TCV · m : r ∀ ξ I Γ . ξ · u : gensym ⋆ ξ → ( ˚a ( ξ ) , [[ u ]] ξ ()) ⇓ (( ˚a ( ξ ) , r ) , r ) ∧ ξ · δ : I Γ \ − T CV · m : r | = m I Γ + δ ) Sem. ∀ ξ I Γ . ξ · u : gensym ⋆ ξ ∧ ξ d ≡ ξ · δ : I Γ \ − T CV → ( ˚a ( ξ d ) , [[ u ]] ξ d ()) ⇓ (( ˚a ( ξ d ) , r ) , r ) ∧ ξ d · m : r | = m δ Lemma 11 ˚a ( ξ d ) ≡ ˚a ( ξ ) (Shorthand δ ) ξ · u : gensym | = ∀ δ.u • () = m { m δ } Sem. ∀ δ.u • () = m { m δ } ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = T → ( ˚a ( ξ ) , gensym ξ ) ⇓ ( ˚a ( ξ ) , gensym ) ∧ ξ · u : gensym | = ∀ δ.u • () = m { m I Γ + u + δ }
14 Hence: −| = { T } gensym : u {∀ δ.u • () = m { m δ }} Sem. valid triple
D.5 Soundness of [Lam] A − Ext-Ind ( I Γ + δ + x : α ) (cid:13) { A - x ∧ B } M : m { C } I Γ (cid:13) { A } λx α .M : u {∀ δ. ∀ x α ∈ ( δ ) . ( B → u • x = m { C } ) } [Lam] I Γ s.t. I Γ (cid:13) { A } λx α .M : u {∀ δ. ∀ x α ∈ ( δ ) . ( B → u • x = m { C } ) } I Γ + δ + x (cid:13) { A - x ∧ B } M : m { C } ∀ ξ I Γ + δ + x . I Γ + δ + x ⊲ ξ ∧ ξ | = A - x ∧ B → ( ˚a ( ξ ) , M ξ ) ⇓ ( G ′ , V m ) ∧ ξ · m : V m | = C IH(1) ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( G, ( λx α .M ) ξ ) ⇓ ( G, G ′ , V u ) ∧ ξ · u : V u | = ∀ δ. ∀ x α ∈ ( δ ) . ( B → u • x = m { C } ) Need to Prove ξ I Γ s.t. I Γ ⊲ ξ ∧ ξ | = A Assume → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , λx. ( M ξ \ x )) Op. Sem. λx.M ξ uddx ≡ ∧ ξ ud · δ : I Γ ud \ − T CV · x : V x → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , λx. ( M ξ \ x )) ∧ ∀ ξ I Γ ud ud . ξ · u : λx. ( M ξ \ x ) ⋆ ξ ud ∧ ∀ P x . P x [ I Γ ud + δ, ξ ud · δ : I Γ ud \ − TCV ] V x ∧ ξ uddx | = B → ξ uddx | = B Assume some u , δ , x -extensionthat models B → B Tautology → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , λx. ( M ξ \ x )) ∧ ∀ ξ I Γ ud ud . ξ · u : λx. ( M ξ \ x ) ⋆ ξ ud ∧ ∀ P x . P x [ I Γ ud + δ, ξ ud · δ : I Γ ud \ − TCV ] V x ∧ ξ uddx | = B → ξ uddx | = A ∧ B line 5 ( ξ | = A ) ξ ⋆ ξ uddx A − Ext-Ind
Sem. ∧ → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , λx. ( M ξ \ x )) ∧ ∀ ξ I Γ ud ud . ξ · u : λx. ( M ξ \ x ) ⋆ ξ ud ∧ ∀ P x . P x [ I Γ ud + δ, ξ ud · δ : I Γ ud \ − TCV ] V x ∧ ξ uddx | = B → ( ˚a ( ξ uddx ) , M ξ uddx ) ⇓ ( ˚a ( ξ uddx ) , G m , V m ) ∧ ξ uddx · m : V m | = C IH(1)I Γ + u + δ + x ⊲ ξ uddx → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , λx. ( M ξ \ x )) ∧ ∀ ξ I Γ ud ud . ξ · u : λx. ( M ξ \ x ) ⋆ ξ ud ∧ ∀ P x . P x [ I Γ ud + δ, ξ ud · δ : I Γ ud \ − TCV ] V x ∧ ξ uddx | = B → ( ˚a ( ξ uddx ) , [[ u ]] ξ uddx [[ x ]] ξ uddx ) ⇓ ( ˚a ( ξ uddx ) , G m , V m ) ∧ ξ uddx · m : V m | = C M ξ ≡ (( λx.M ) x ) ξ ≡ [[ u ]] ξ uddx [[ x ]] ξ uddx → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , λx. ( M ξ \ x )) ∧ ∀ ξ I Γ ud ud . ξ · u : λx. ( M ξ \ x ) ⋆ ξ ud ∧ ∀ P x . P x [ I Γ ud + δ, ξ ud · δ : I Γ ud \ − TCV ] V x → ξ uddx | = B → u • x = m { C } Sem. u • x = m { C } , → ∧ implies → → ( ˚a ( ξ ) , ( λx.M ) ξ ) ⇓ ( ˚a ( ξ ) , V u ) ∧ ξ · u : V u | = ∀ δ. ∀ x ∈ ( δ ) .B → u • x = m { C } Sem. ∀ δ. ∀ x ∈ ( δ ) . | = { A } λx.M : u {∀ δ. ∀ x ∈ ( I Γ + u + δ ) . ( B → u • x = m { C } ) } line 5, Sem. { A } M : u { B }
15 Hence: A − Ext-Ind | = { A ∧ B } M : m { C }| = { A } λx.M : u {∀ δ. ∀ x ∈ ( I Γ + u + δ ) . ( B → u • x = m { C } ) } lines 1-13 D.6 Soundness of [App] { A } M : m { B } { B } N : n { m • n = u { C }} C − thin w.r.t m, n { A } M N : u { C } [App] Proof:1 Assume: I Γ s.t. I Γ (cid:13) { A } M N : u { C } → I Γ (cid:13) { A } M : m { B } ∧ I Γ + m (cid:13) { B } N : n { m • n = u { C }} I Γ ↓ − T C ⊢ M N : β → I Γ ↓ − T C ⊢ M : α → β ∧ I Γ ↓ − T C ⊢ N : α ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = B IH(1) ∀ ξ I Γ . I Γ + m ⊲ ξ → ξ | = B → ( ˚a ( ξ ) , N ξ ) ⇓ ( ˚a ( ξ ) , G n V n ) ∧ ξ · n : V n | = m • n = u { C } IH(2) ξ I Γ s.t. I Γ ⊲ ξ ∧ ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = B IH(1) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ξ · m : V m · n : V n | = m • n = u { C } IH(2) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ( ˚a ( ξ · m : V m · n : V n ) , [[ m ]] ξ · m : V m · n : V n [[ n ]] ξ · m : V m · n : V n ) ⇓ ( G ′′′ , V u ) ∧ ξ · m : V m · n : V n · u : V u | = C Sem. • = {} → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ( ˚a ( ξ · m : V m · n : V n ) , V m V n ) ⇓ ( G ′′′ , V u ) ∧ ξ · m : V m · n : V n · u : V u | = C Sem. [[ x ]] ξ → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ( ˚a ( ξ · m : V m · n : V n ) , V m V n ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C C − thin w.r.t m, n → ( ˚a ( ξ ) , ( M N ) ξ ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C Op. Sem. (App) → ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , ( M N ) ξ ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C Assumption, line 6
14 Hence: | = { A } M : m { B } | = { B } N : n { m • n = u { C }} C − thin w.r.t m, n | = { A } M N : u { C } lines 1-13
D.7 Soundness of [Pair] { A } M : m { B } { B } N : n { C [ h m, n i /u ] I Γ + m + n } C thin w.r.t x { A } h M, N i : u { C } [Pair] Proof:1 Assume: I Γ s.t. I Γ (cid:13) { A } h M, N i : u { C [ h m, n i /u ] I Γ + m + n } → I Γ (cid:13) { A } M : m { B } ∧ I Γ + m (cid:13) { B } N : n { C [ h m, n i /u ] I Γ + m + n } ∧ I Γ ⊢ N : α ∀ I Γ, ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = B IH(1) ∀ I Γ, ξ I Γ + mm . I Γ + m ⊲ ξ m → ξ m | = B → ( ˚a ( ξ m ) , N ξ m ) ⇓ ( ˚a ( ξ m ) , G n V n ) ∧ ξ n · n : V n | = C [ h m, n i /u ] I Γ + m + n IH(2) ξ I Γ s.t. I Γ ⊲ ξ ∧ ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = B IH(1) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ξ · m : V m · n : V n | = C [ h m, n i /u ] I Γ + m + n IH(2) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ( ˚a ( ξ · m : V m · n : V n ) , [[ h m, n i ]] ξ · m : V m · n : V n ) ⇓ ( G ′′′ , V u ) ∧ ξ · m : V m · n : V n · u : V u | = C Sem. [ e/x ] , u / ∈ dom ( ξ · m · n )9 → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ( ˚a ( ξ · m : V m · n : V n ) , h V m , V n i ) ⇓ ( G ′′′ , V u ) ∧ ξ · m : V m · n : V n · u : V u | = C Sem. [[ e ]] ξ → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , N ( ξ · m : V m )) ⇓ ( ˚a ( ξ · m : V m ) , G n V n ) ∧ ( ˚a ( ξ · m : V m · n : V n ) , h V m , V n i ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C C thin w.r.t m,n → ( ˚a ( ξ ) , h M, N i ξ ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C Op. Sem. (Pair) → ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , h M, N i ξ ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C Assumption, (line 5)
13 Hence: | = { A } M : m { B } | = { B } N : n { C [ h m, n i /u ] I Γ + m + n } C − thin w.r.t m, n | = { A } h M, N i : u { C } lines 1- 12 D.8 Soundness of [Proj( i )] { A } M : m { C [ π i ( m ) /u ] I Γ + m } C thin w.r.t m { A } π i ( M ) : u { C } [Proj( i )] Proof:1 Assume: I Γ s.t. I Γ (cid:13) { A } π i ( M ) : u { C } → I Γ (cid:13) { A } M : m { C [ π i ( m ) /u ] I Γ + m } Typing rules ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = C [ π i ( m ) /u ] I Γ + m IH(1) ξ I Γ s.t. I Γ ⊲ ξ ∧ ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ξ · m : V m | = C [ π i ( m ) /u ] I Γ + m IH(1) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , [[ π i ( m )]] ξ · m : V m ) ⇓ ( G ′′′ , V u ) ∧ ξ · m : V m · u : V u | = C Sem. [ e/x ] , u / ∈ dom ( ξ · m · n )7 → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , π i ( V m )) ⇓ ( G ′′′ , V u ) ∧ ξ · m : V m · u : V u | = C Sem. [[ e ]] ξ → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G m , V m ) ∧ ( ˚a ( ξ · m : V m ) , π i ( V m )) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C C thin w.r.t m → ( ˚a ( ξ ) , π i ( M ) ξ ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C Op. Sem. (Pair) → ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , h M, N i ξ ) ⇓ ( G ′′′ , V u ) ∧ ξ · u : V u | = C Assumption, (line 4)
11 Hence: | = { A } M : m { C [ π i ( m ) /u ] I Γ + m } C thin w.r.t m | = { A } π i ( M ) : u { C } lines 1-10 D.9 Soundness of [If] { A } M : m { B } { B [ b i /m ] } N i : u { C } b = true b = false i = 1 , { A } if M then N else N : u { C } [If] Proof: standard. Note that substitution is equivalent to standard substitutionfor b i -values of type Bool . Program Logic for Fresh Name Generation 55
D.10 Soundness of [Let] { A } M : x { B } { B } N : u { C } C thin w.r.t x { A } let x = M in N : u { C } [Let] I Γ s.t. I Γ (cid:13) { A } let x = M in N : u { C } → I Γ ↓ − T C ⊢ M : α ∧ I Γ ↓ − T C , x : α ⊢ N : β Typing terms ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( G ′ m , V m ) ∧ ξ · x : V m | = B IH(1) ∀ ξ I Γ + x : αx . I Γ + x ⊲ ξ x → ξ x | = B → ( ˚a ( ξ x ) , N ξ x ) ⇓ ( G ′ n , V n ) ∧ ξ x · u : V n | = C IH(2) ξ I Γ s.t: I Γ ⊲ ξ ∧ ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( G ′ , V m ) ∧ ξ · x : V m | = B IH(1) → ( ˚a ( ξ ) , M ξ ) ⇓ ( G ′ , V m ) ∧ ( ˚a ( ξ · x : V m ) , N ( ξ · x : V m )) ⇓ ( G ′ n , V n ) ∧ ξ · x : V m · u : V n | = C IH(2) → ( ˚a ( ξ ) , M ξ ) ⇓ ( G ′ , V m ) ∧ ( ˚a ( ξ · x : V m ) , N ( ξ · x : V m )) ⇓ ( G ′ n , V n ) ∧ ξ · u : V n | = C C thin w.r.t x → ( ˚a ( ξ ) , M ξ ) ⇓ ( G ′ , V m ) ∧ ( ˚a ( ξ · x : V m ) , N [ V m /x ] ξ ) ⇓ ( G ′ n , V n ) ∧ ξ · u : V n | = C Sem. [ V m /x ]10 → ( ˚a ( ξ ) , ( let x = M in N ) ξ ) ⇓ ( G ′′ , V n ) ∧ ξ · u : V n | = C Op. Sem. let x = M in N ∀ ξ. I Γ ⊲ ξ → ξ | = { A } let x = M in N : m { C } Sem. valid triple
12 Hence: | = { A } M : x { B } | = { B } N : u { C } C thin w.r.t x | = { A } let x = M in N : u { C } lines 1-11

D.11 Soundness of derived rule [LetFresh]

A − Ext-Ind   I Γ + x (cid:13) { A ∧ x I Γ } M : m { C }   C thin w.r.t x
I Γ (cid:13) { A } let x = gensym () in M : m { C } [LetFresh]

Proof:
I Γ s.t. I Γ (cid:13) { A } let x = gensym () in N : u { C }
I Γ (cid:13) { T } gensym () : x { x I Γ }   See Example 1
I Γ (cid:13) { A } gensym () : x { A ∧ x I Γ }   [Invar] , 7, A − Ext-Ind
I Γ + x (cid:13) { A ∧ x I Γ } M : m { C }   Assumption
C − thin w.r.t x   Assumption
I Γ (cid:13) { A } let x = gensym () in M : m { C }   [Let] , 3, 4, 5
A − Ext-Ind | = { A ∧ x I Γ } N : u { C } C thin w.r.t x | = { A } let x = M in N : u { C }   lines 1-6
D.12 Soundness of Key structural rules:D.13 Soundness of structural rule [Conseq] A → A ′ { A ′ } M : m { B ′ } B ′ → B { A } M : m { B } [Conseq] Proof, simply by application of the assumptions:1 Assume I Γ , s.t. I Γ (cid:13) { A } M : m { B } I Γ (cid:13) A → A ′ ∧ I Γ (cid:13) { A ′ } M α : m { B ′ } ∧ I Γ + m : α (cid:13) B ′ → B ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → A ′ IH(1) ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = { A ′ } M : m { B ′ } IH(2) ∀ ξ I Γ . I Γ + m ⊲ ξ → ξ | = B ′ → B IH(3) ξ I Γ ′ s.t. I Γ ⊲ ξ ∧ ξ | = A → ξ | = A ′ MP, IH(1) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G ′ , V ) ∧ ξ · m : V | = B ′ MP, IH(2) → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G ′ , V ) ∧ ξ · m : V | = B MP, IH(3) → ξ | = A → ( ˚a ( ξ ) , M ξ ) ⇓ ( ˚a ( ξ ) , G ′ , V ) ∧ ξ · m : V | = B Assumption 6-9 → ∀ ξ I Γ ′ . I Γ ⊲ ξ → ξ | = { A } M : m { B } Assumption 3-10
12 Hence: A → A ′ | = { A ′ } M : m { B ′ } B ′ → B | = { A } M : m { B } Assumption 1-11
D.14 Soundness of structural rule [Invar] C − Ext-Ind { A } M : m { B }{ A ∧ C } M : m { B ∧ C } [Invar] Proof:1 Assume: I Γ s.t. I Γ (cid:13) { A ∧ C } M : m { B ∧ C } → I Γ (cid:13) { A } M : m { B } ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = A → ( G, M ξ ) ⇓ ( G, G ′ , V ) ∧ ξ · m : V | = B IH(1) ξ I Γ s.t. I Γ ⊲ ξ ∧ ξ | = A ∧ C ξ | = A ∧ ξ | = C Sem. ∧ G, M ξ ) ⇓ ( G, G ′ , V ) ∧ ξ · m : V | = B ∧ ξ | = C IH(1)
G, M ξ ) ⇓ ( G, G ′ , V ) ∧ ξ · m : V | = B ∧ ξ · m : V | = C C − Ext-Ind
Sem. [ , ] → M [ I Γ, ξ ] V Sem. ⋆ → ξ ⋆ ξ · m : V G, M ξ ) ⇓ ( G, G ′ , V ) ∧ ξ · m : V | = B ∧ C Sem. ∧ ∀ ξ I Γ . I Γ ⊲ ξ → ξ | = { A ∧ C } M : m { B ∧ C } lines 5-8
10 Hence: C − Ext-Ind | = { A } M : m { B } | = { A ∧ C } M : m { B ∧ C } lines 1-9

E Ext-Ind Formulae Construction Lemmas

Syntactically define Ext-Ind formulae and how to construct them. Some are not core constructions but specific instances used in the reasoning examples in Sec. 7. A subset of all possible Ext-Ind formulae are defined as SYN-EXT-IND below and are proven as Ext-Ind in the lemma that follows.

Definition 4 (A syntactic classification of Ext-Ind formulae, written SYN-EXT-IND). Define SYN-EXT-IND inductively as follows:
1. T , F , e = e ′ and x I Γ ′ are all SYN-EXT-IND .
2. If C and C are Ext-Ind then ¬ C , C ∧ C , C ∨ C , C → C , u • e = m α { C } , ∃ x ∈ ( I Γ ′ ) .C , ∀ x ∈ ( I Γ ′ ) .C are all SYN-EXT-IND .
3. If C is Ext-Ind and contains no reference to δ then ∀ δ.C and ∀ δ. ∀ x ∈ ( δ ) .C are SYN-EXT-IND .
4. Specific cases: ∀ δ.f • () = b { b δ } and ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } are SYN-EXT-IND .

This is an incomplete characterisation of all Ext-Ind formulae, but it covers all cases required for the proofs.

We introduce the following two lemmas for the specific cases in Def. 4.
Lemma 35 (Constructing
Ext-Ind formulae from ∀ δ. ∀ x ∈ ( δ ) . ). A − δ − Ext-Ind → ∀ δ. ∀ x ∈ ( δ ) .A − δ − Ext-Ind Assume: A − δ - Ext-Ind ↔ ∀ I Γ, ξ I Γ + x : αx , ξ ′ I Γ ′ ,x : αx . ( I Γ + x : α (cid:13) A ∧ ξ x ⋆ ξ ′ x ) → ( ξ x | = A ↔ ξ ′ x | = A )3 Show: ∀ I Γ, ξ I Γ , ξ ′ I Γ ′ . I Γ (cid:13) ∀ δ. ∀ x ∈ ( δ ) .A − δ ∧ ξ ⋆ ξ ′ → (cid:18) ξ | = ∀ δ. ∀ x ∈ ( δ ) .A ↔ ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .A (cid:19) Hence assume: I
Γ, ξ I Γ , ξ ′ I Γ ′ s.t. I Γ (cid:13) ∀ δ. ∀ x ∈ ( δ ) .A ∧ ξ ⋆ ξ ′ → : Show that: ξ | = ∀ δ. ∀ x ∈ ( δ ) .A → ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .A line 7 below6 ← : Show that: ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .A → ξ | = ∀ δ. ∀ x ∈ ( δ ) .A line 13 below → : Let: ξ d ≡ ξ · δ : I Γ \ − T CV and ξ ′ d ≡ ξ ′ · δ : I Γ \ − T CV ξ ⋆ ξ ′ ∧ ξ | = ∀ δ. ∀ x ∈ ( δ ) .A Ignore Typing Constraints as these hold9 ↔ ξ ⋆ ξ ′ ∧ ∀ ξ I Γ . ξ ⋆ ξ → ∀ M. M [ δ, ξ d ] V → ξ d · x : V | = A Sem. ∀ δ. ∀ x ∈ ( δ ) . ↔ ξ ⋆ ξ ′ ∧ ∀ ξ I Γ . ξ ⋆ ξ → ∀ M. M [ δ, ξ d ] V → ξ · x : V | = A Lemma 3011 → ξ ⋆ ξ ′ ∧ ∀ ξ ′ I Γ ′ . ξ ′ ⋆ ξ ′ → ∀ M. M [ δ, ξ ′ d ] V → ξ ′ · x : V | = A select ξ ′ s.t. ξ ′ ⋆ ξ ′ ↔ ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .A Lemma 30, Sem. ∀ δ. ∀ x ∈ ( δ ) . ← : Let: ξ ′ d ≡ ξ ′ · δ : I Γ \ − T CV and ξ d ≡ ξ · δ : I Γ \ − T CV and ξ ′ d ≡ ξ · δ : I Γ ′ \ − T CV ξ ⋆ ξ ′ ∧ ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .A Ignore Typing Constraints as these hold15 ↔ ξ ⋆ ξ ′ ∧ ∀ ξ ′ I Γ ′ . ξ ′ ⋆ ξ ′ → ∀ M.M [ δ, ξ ′ d ] V → ξ ′ d · x : V | = A Sem. ∀ δ. ∀ x ∈ ( δ ) . ↔ ξ ⋆ ξ ′ ∧ ∀ ξ ′ I Γ ′ . ξ ′ ⋆ ξ ′ → ∀ M.M [ δ, ξ ′ d ] V → ξ ′ · x : V | = A Lemma 3017 ↔ ξ ⋆ ξ ′ ∧ ∀ ξ I Γ . ξ ⋆ ξ → ∀ ξ ′ I Γ ′ .ξ ′ ⋆ ξ ′ → ∀ M. M [ δ, ξ ′ d ] V → ξ ′ · x : V | = A Intro ξ ↔ ξ ⋆ ξ · ˜ ξ ′ ∧ ∀ ( ξ · ˜ ξ ) I Γ . ξ ⋆ ξ · ˜ ξ → ∀ ( ξ · ˜ ξ ′ · ˜ ξ ′ ) I Γ ′ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ′ → ∀ M. M [ δ, ξ ′ d ] V → ξ ′ d · x : V | = A write ξ ≡ ξ · ˜ ξ ′ write ξ ≡ ξ · ˜ ξ write ξ ′ ≡ ξ ′ · ˜ ξ ′ ↔ ξ ⋆ ξ · ˜ ξ ′ ∧ ∀ ˜ ξ . ξ ⋆ ( ξ · ˜ ξ ) I Γ ∧ ξ · ˜ ξ ′ ⋆ ( ξ · ˜ ξ ′ · ˜ ξ ) I Γ ′ → ∀ M.M [ δ, ξ ′ d ] V → ξ · ˜ ξ ′ · ˜ ξ · x : V | = A Select ˜ ξ ′ as ˜ ξ I Γ ′ ≡ I Γ ′ FOL20 ↔ ξ ⋆ ξ · ˜ ξ ′ ∧ ∀ ˜ ξ . ξ ⋆ ( ξ · ˜ ξ ) I Γ ∧ ξ · ˜ ξ ⋆ ( ξ · ˜ ξ · ˜ ξ ′ ) I Γ ′ → ∀ M. M [ δ, ξ ′ d ] V → ξ · ˜ ξ · ˜ ξ ′ · x : V | = A Lemma 3421 → ξ ⋆ ξ · ˜ ξ ′ ∧ ∀ ˜ ξ . ξ ⋆ ( ξ · ˜ ξ ) I Γ ∧ ξ · ˜ ξ ⋆ ( ξ · ˜ ξ · ˜ ξ ′ ) I Γ ′ → ∀ M.M [ δ, ξ d ] V → ξ · ˜ ξ · ˜ ξ ′ · x : V | = A Subset of possible M ’s I Γ ′ (cid:13) I Γ Lemma 1122 → ∀ ξ . 
ξ ⋆ ξ I Γ ∧ ξ ⋆ ( ξ · ˜ ξ ′ ) I Γ ′ → ∀ M.M [ δ, ξ d ] V → ξ · x : V | = A Lemma 28 A - Ext-Ind → ∀ ξ . ξ ⋆ ξ I Γ → ∀ M. M [ δ, ξ d ] V → ξ · x : V | = A ˚a ( ˜ ξ ) ∩ ˚a ( ˜ ξ ′ ) ⊆ ˚a ( ξ )guarantees constraint24 ↔ ∀ ξ . ξ ⋆ ξ I Γ → ∀ M. M [ δ, ξ d ] V → ξ d | = A Lemma 30, A − δ ↔ ξ | = ∀ δ. ∀ x ∈ ( δ ) .A Sem. ∀ δ. ∀ x ∈ ( I Γ + δ ) . Lemma 36 (The formula in the postcondition of [Gensym] is Ext-Ind ). ∀ δ.f • () = b { b δ } − Ext-Ind
Proof: ∀ ξ I Γ , ξ ′ .ξ ⋆ ξ ′ → ( ξ | = ∀ δ.f • () = b { b δ } ↔ ξ ′ | = ∀ δ.f • () = b { b δ } )
Extending ( ξ | = ∀ δ.f • () = b { b δ } → ξ ′ | = ∀ δ.f • () = b { b δ } ): Assume: I Γ , s.t. I Γ (cid:13) ∀ δ.f • () = b { b I Γ } Assume some ξ I Γ d , ξ ′ I Γ ′ s.t. I Γ ⊲ ξ ξ ⋆ ξ ′ and ξ | = ∀ δ.f • () = b { b δ } ↔ ∀ ξ I Γ .ξ ⋆ ξ → ξ · δ : I Γ \ − T CV | = f • () = b { b δ } Sem. ∀ δ. → ∀ ξ I Γ .ξ ⋆ ξ ′ ⋆ ξ → ξ · δ : I Γ \ − T CV | = f • () = b { b δ } Subset ∀ ξ → ∀ ξ I Γ .ξ ′ ⋆ ξ → ξ · δ : I Γ \ − T CV | = f • () = b { b δ } Remove ξ ⋆ → ξ ′ | = ∀ δ.f • () = b { b δ } Contracting ( ξ | = ∀ δ.f • () = b { b δ } ← ξ ′ | = ∀ δ.f • () = b { b δ } ): Assume: I Γ ,s.t. I Γ (cid:13) ∀ δ.f • () = b { b I Γ } Assume some ξ I Γ d , ξ ′ s.t. I Γ ⊲ ξ and ξ ⋆ ξ ′ and ξ ′ | = ∀ δ.f • () = b { b δ } ↔ ∀ ξ I Γ .ξ ′ ⋆ ξ → ξ · δ : I Γ \ − T CV | = f • () = b { b δ } Sem. ∀ δ. ↔ ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ → ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV | = f • () = b { b δ } ξ ′ I Γ ′ ≡ ξ I Γ · ˜ ξ ′ ˜ I Γ ′ ξ I Γ ≡ ξ I Γ · ˜ ξ ′ ˜ I Γ ′ · ˜ ξ ˜ I Γ → ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ → ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV | = f • () = b { b δ } Subset ∀ ˜ ξ only ˜ ξ s.t. ξ ⋆ ξ · ˜ ξ → ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ → ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV f • () = b { b δ } See below: Line 16(reducing δ holds)13 → ∀ ˜ ξ ˜ I Γ .ξ ⋆ ξ · ˜ ξ → ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV | = f • () = b { b δ } Lemma 34, ˚a ( ˜ ξ ) ∩ ˚a ( ˜ ξ ′ ) ⊆ ˚a ( ξ )guarantees constraints14 → ∀ ξ I Γ .ξ ⋆ ξ → ξ · δ : I Γ \ − T CV | = f • () = b { b δ } I Γ ≡ I Γ + ˜ I Γ , ξ ≡ ξ · ˜ ξ → ξ | = ∀ δ.f • () = b { b δ } Sem. ∀ δ. 
Proof of: ∀ ξ I Γ , ˜ ξ ˜ I Γ , ˜ ξ ′ ˜ I Γ ′ , V x .ξ ⋆ ξ · ˜ ξ ′ ∧ ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ ∧ ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV | = f • () = b { b δ } → ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV | = f • () = b { b δ } Proof: ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ↔ ξ · ˜ ξ ⋆ ξ · ˜ ξ ′ · ˜ ξ Lemma 3417 → ξ · ˜ ξ · b : r b ⋆ ξ · ˜ ξ ′ · ˜ ξ · b : r b Lemma 2818
Let ξ ≡ ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV and ξ ≡ ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV Assume: ξ | = f • () = b { b δ } ↔ f () [ I Γ , ξ ] r b ∧ ¬ ∃ M b .M b [ δ, ξ · b : r b ] r b Sem. • = {} , → f () [ I Γ , ξ ] r b ∧ ¬ ∃ M b .M b [ δ, ξ · b : r b ] r b f ∈ [[ I Γ ]] ξ ⊆ [[ I Γ ]] ξ ⊆ [[ I Γ ]] ξ , Lemmas 1122 → f () [ I Γ , ξ ] r b ∧ ¬ ∃ M b .M b [ I Γ +˜ I Γ ′ +˜ I Γ , ξ · ˜ ξ ′ · ˜ ξ · b : r b ] r b M [ δ, ξ · δ : I Γ \ − T CV ] V ≡ M [ I Γ, ξ ] V → f () [ I Γ , ξ ] r b ∧ ¬ ∃ M b .M b [ I Γ +˜ I Γ , ξ · ˜ ξ ′ · ˜ ξ · b : r b ] r b Subset, I Γ + ˜ I Γ ′ + ˜ I Γ (cid:13) I Γ + ˜ I Γ → f () [ I Γ , ξ ] r b ∧ ¬ ∃ M b .M b [ I Γ +˜ I Γ , ξ · ˜ ξ · b : r b ] r b Lemma 11, line 1725 → f () [ I Γ , ξ ] r b ∧ ¬ ∃ M b .M b [ δ, ξ · b : r b ] r b M [ δ, ξ · δ : I Γ \ − T CV · b : r b ] V ≡ M [ I Γ, ξ · b : r b ] V → ξ | = f • () = b { b δ } Lemma 37 (The formula used in the reasoning for λx. gensym () is Ext-Ind ). ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } − Ext-Ind (Similar to proof above)Proof: ∀ ξ I Γ , ξ ′ .ξ ⋆ ξ ′ → ξ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } ↔ ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } Extending ( ξ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } → ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } ): Assume: I Γ s.t. I Γ (cid:13) ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } Assume some ξ I Γ d , ξ ′ s.t. I Γ ⊲ ξ and ξ ⋆ ξ ′ and ξ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } ↔ ∀ ξ I Γ .ξ ⋆ ξ → ξ · δ : I Γ \ − T CV | = ∀ x ∈ ( δ ) .f • x = b { b δ + x } Sem. ∀ δ. → ∀ ξ I Γ .ξ ⋆ ξ ′ ⋆ ξ → ξ · δ : I Γ \ − T CV | = ∀ x ∈ ( δ ) .f • x = b { b δ + x } Subset ∀ ξ → ∀ ξ I Γ .ξ ′ ⋆ ξ → ξ · δ : I Γ \ − T CV | = ∀ x ∈ ( δ ) .f • x = b { b δ + x } Remove ξ ⋆ → ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } Program Logic for Fresh Name Generation 63
Contracting ( ξ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } ← ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } ): Assume: I Γ , ξ I Γ s.t. I Γ (cid:13) ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } Assume some ξ ′ s.t. ξ ⋆ ξ ′ and ξ ′ | = ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } Let: ξ ′ d ≡ ξ I Γ · δ : I Γ \ − T CV ( ≡ ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV ) and ξ ′ d ↔ ∀ ξ I Γ . ξ ′ ⋆ ξ → ∀ M x .M x [ δ, ξ ′ d ] V x → ξ ′ d · x : V x | = f • x = b { b δ + x } Sem. ∀ δ. , ∀ x ∈ ( δ ) . ↔ ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ → ∀ M x .M x [ δ, ξ ′ d ] V x → ξ ′ d · x : V x | = f • x = b { b δ + x } ξ ′ I Γ ′ ≡ ξ I Γ · ˜ ξ ′ ˜ I Γ ′ ξ I Γ ≡ ξ I Γ · ˜ ξ ′ ˜ I Γ ′ · ˜ ξ ˜ I Γ → ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ → ∀ M x . M x [ δ, ξ ′ d ] V x → ξ ′ d · x : V x | = f • x = b { b δ + x } Subset ∀ ˜ ξ only ˜ ξ s.t. ξ ⋆ ξ · ˜ ξ → ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ → ∀ M x .M x [ I Γ +˜ I Γ ′ +˜ I Γ , ξ ′ d \ δ ] V x → ξ ′ d · x : V x | = f • x = b { b δ + x } [[ δ ]] ξ d ≡ I Γ + ˜ I Γ ′ + ˜ I Γ Lemma 1014
Let: ξ ≡ ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV → ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ ( → ∀ M x .M x [ I Γ +˜ I Γ , ξ · ˜ ξ ] V x → ξ ′ d · x : V x | = f • x = b { b δ + x } ) → ∀ M x .M x [ δ, ξ ] V x → ξ ′ d · x : V x | = f • x = b { b δ + x } Subset ∀ M x ξ \ δ ⊆ ξ d \ δ → ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ → ∀ M x .M x [ δ, ξ ] V x → ξ · x : V x | = f • x = b { b δ + x } See below, Line 1917 → ∀ ˜ ξ ˜ I Γ . ξ ⋆ ξ · ˜ ξ → ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV | = ∀ x ∈ ( δ ) .f • x = b { b δ + x } Lemma 34, ˚a ( ˜ ξ ) ∩ ˚a ( ˜ ξ ′ ) ⊆ ˚a ( ξ )guarantees constraints18 → ∀ ξ I Γ .ξ ⋆ ξ → ξ · δ : I Γ \ − T CV | = f • x = b { b δ + x } ξ I Γ ≡ ξ I Γ · ˜ ξ ˜ I Γ → ξ | = ∀ δ.f • x = b { b δ + x } Sem. ∀ δ. Proof of ∀ ˜ ξ ˜ I Γ . ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ → ξ d ≡ ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV ∧ ξ ≡ ξ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV ∧ ∀ M x . M x [ I Γ +˜ I Γ , ξ · ˜ ξ ] V x → ( ξ d · x : V x | = f • x = b { b δ + x } → ξ · x : V x | = f • x = b { b δ + x } ) ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ↔ ξ · ˜ ξ ⋆ ξ · ˜ ξ ′ · ˜ ξ Lemma 3420 → ξ · ˜ ξ · b : r b ⋆ ξ · ˜ ξ ′ · ˜ ξ · b : r b Lemma 2821
Let ξ I Γ x x ≡ ξ · ˜ ξ ′ · ˜ ξ · δ : ( I Γ + ˜ I Γ ′ + ˜ I Γ ) \ − T CV · x : V x Let ξ I Γ x x ≡ ξ I Γ · ˜ ξ · δ : ( I Γ + ˜ I Γ ) \ − T CV · x : V x Assume: ξ ⋆ ξ · ˜ ξ ′ ∧ ξ · ˜ ξ ′ ⋆ ξ · ˜ ξ ′ · ˜ ξ ∧ ξ ⋆ ξ · ˜ ξ Assume: ξ x | = f • x = b { b δ + x } ↔ f x [ I Γ x , ξ x ] r b ∧ ¬ ∃ M b .M b [ δ + x, ξ x · b : r b ] r b Sem. • = {} , ↔ f x [ I Γ x , ξ x ] r b ∧ ¬ ∃ M b .M b [ δ + x, ξ x · b : r b ] r b f, x ∈ [[ I Γ ]] ξ ⊆ [[ I Γ x ]] ξ x ⊆ [[ I Γ x ]] ξ x , Lemma 1127 ↔ f x [ I Γ x , ξ x ] r b ∧ ¬ ∃ M b .M b [ I Γ x , ( ξ x \ δ ) · b : r b ] r b [[ δ ]] ξ x = I Γ x , Lemma 1028 → f x [ I Γ x , ξ x ] r b ∧ ¬ ∃ M b .M b [ I Γ x , ( ξ x \ δ ) · b : r b ] r b Subset, I Γ + ˜ I Γ ′ + ˜ I Γ (cid:13) I Γ + ˜ I Γ → f x [ I Γ x , ξ x ] r b ∧ ¬ ∃ M b .M b [ I Γ x , ( ξ x \ δ ) · b : r b ] | r b Lemma 17, line 2030 → f x [ I Γ x , ξ x ] r b ∧ ¬ ∃ M b .M b [ δ + x, ξ x · b : r b ] r b [[ δ ]] ξ x = I Γ x , Lemma 1031 → ξ x | = f • x = b { b δ + x } Lemma 38 (
SYN-EXT-IND implies Ext-Ind ). A is SYN-EXT-IND → A is Ext-Ind
Proof. I.e. A − SYN-EXT-IND → ∀ I Γ, ξ I Γ , I Γ ′ , ξ ′ I Γ ′ . I Γ (cid:13) A ∧ ξ ⋆ ξ ′ → ( ξ | = A ↔ ξ ′ | = A ). Proof by induction on the structure of A , using Lemma 8 (i.e. I Γ ⊆ I Γ → [[ I Γ ]] ξ ≡ [[ I Γ ]] ξ ′ ) and Lemma 24 (i.e. [[ e ]] ξ ≡ [[ e ]] ξ ′ ).
1. Base Formulas:
A ≡ T , F : Clearly hold.
A ≡ x I Γ : I Γ (cid:13) x I Γ implies I Γ (cid:13) x : Nm and I Γ (cid:13) I Γ . Lemma 24 implies [[ x ]] ξ ≡ [[ x ]] ξ ′ . Lemma 8 implies [[ I Γ ]] ξ ≡ [[ I Γ ]] ξ ′ . Lemma 11 implies ∃ M. M [ I Γ , ξ ] [[ x ]] ξ ↔ ∃ M. M [ I Γ , ξ ′ ] [[ x ]] ξ ′ .
2. Core Inductive Cases: A ≡ ¬ C Holds from IH on C as ξ | = C ↔ ξ ′ | = C hence ξ = C ↔ ξ ′ = C , hence ξ | = ¬ C ↔ ξ ′ | = ¬ C . A ≡ C ∧ C Holds from IH on C and C , as ξ | = C i ↔ ξ ′ | = C i implies ξ | = C ∧ C ↔ ξ | = C ∧ ξ | = C ↔ ξ ′ | = C ∧ ξ ′ | = C ↔ ξ ′ | = C ∧ C . Program Logic for Fresh Name Generation 65 A ≡ C ∨ C Derivable given A ∨ B ≡ ¬ ( ¬ A ∧ ¬ B ) A ≡ C → C Derivable given A → B ≡ ¬ ( A ∧ ¬ B ) A ≡ u • e = m { C } Lemma 11 implies ue [ I Γ, ξ ] V m ↔ ue [ I Γ, ξ ′ ] V m .Lemma 28 implies ξ ⋆ ξ ′ ∧ ue [ I Γ, ξ ] V m → ξ · m : V m ⋆ ξ ′ · m : V m .Induction on C implies ξ · m : V m | = C ↔ ξ ′ · m : V m | = C .Hence ξ | = u • e = m { C } ↔ ue [ I Γ, ξ ] V m ∧ ξ · m : V m | = C ↔ ue [ I Γ, ξ ′ ] V m ∧ ξ ′ · m : V m | = C ↔ ξ ′ | = u • e = m { C } . A ≡ ∀ x ∈ ( I Γ ) .C Lemma 8 implies [[ I Γ ]] ξ ≡ [[ I Γ ]] ξ ′ Lemma 11 implies ∃ M. M [ I Γ , ξ ] [[ x ]] ξ ↔ ∃ M. M [ I Γ , ξ ′ ] [[ x ]] ξ ′ Lemma 28 implies ξ ⋆ ξ ′ ∧ M x [ I Γ , ξ ] V x → ξ · x : V x ⋆ ξ ′ · x : V x Induction on C implies ξ · x : V x | = C ↔ ξ ′ · x : V x | = C hence ξ | = ∀ x ∈ ( I Γ ) .C ↔ ∀ M.M [ I Γ , ξ ] W → ξ · x : W | = C Sem. ∀ x ∈ ( I Γ ) . ↔ ∀ M.M [ I Γ , ξ ′ ] W → ξ · x : W | = C [[ I Γ ]] ξ ≡ [[ I Γ ]] ξ ′ Lemma 11 ↔ ∀
M.M [ I Γ , ξ ′ ] W → ξ ′ · x : W | = C IH on C ↔ ξ ′ | = ∀ x ∈ ( I Γ ) .C Sem. ∀ x ∈ ( I Γ ) .A ≡ ∃ x ∈ ( I Γ ) .C Derivable from ∃ x ∈ ( I Γ ) .C ≡ ¬∀ x ∈ ( I Γ ) . ¬ C ∀ δ. -Inductive Cases: A ≡ ∀ δ.C holds by IH on C , Knowing that C is δ -free then: ξ | = ∀ δ.C ↔ ∀ ξ I Γ .ξ ⋆ ξ → ξ · δ : I Γ | = C Sem. ∀ δ. → ∀ ξ I Γ .ξ ⋆ ξ ′ ⋆ ξ → ξ · δ : I Γ | = C Subset ∀→ ∀ ξ I Γ .ξ ′ ⋆ ξ → ξ · δ : I Γ | = C ξ ⋆ ξ ′ clearly holds → ξ ′ | = ∀ δ.C Sem. ∀ δ.ξ ′ | = ∀ δ.C ↔ ∀ ξ I Γ .ξ ′ ⋆ ξ → ξ · δ : I Γ | = C Sem. ∀ δ. → ∀ ξ I Γ .ξ ′ ⋆ ξ → ξ | = C Lemma 30 C − δ → ξ ′ | = C ∀ ξ → ξ ′ → ξ | = C IH → ∀ ξ I Γ .ξ ⋆ ξ → ξ | = C IH → ∀ ξ I Γ .ξ ⋆ ξ → ξ · δ : I Γ | = C Lemma 30 C − δ → ξ | = ∀ δ.C Sem. ∀ δ.A ≡ ∀ δ. ∀ x ∈ ( δ ) .C holds by IH on C − δ , Lemma 354. Two specific cases: ∀ δ.f • () = b { b δ } Lemma 36 ∀ δ. ∀ x ∈ ( δ ) .f • x = b { b δ + x } Lemma 37
F Syntactic Thinness Construction Lemmas

Definition 5. Syntactically define thin formulae as follows:
1. If I Γ (cid:13) A and I Γ (cid:13) x : α b then A thin w.r.t x . Base types can always be removed if they do not occur in the assertion.
2. For A ≡ T , F , e = e ′ , e = e ′ , y I Γ \ − T CV and x ∉ fv ( A ) then A thin w.r.t x . The base assertions are thin w.r.t x under basic assumptions.
3. If ( I Γ + x + I Γ ′ ) \ x (cid:13) y I Γ ∧ I Γ (cid:13) I Γ then y I Γ thin w.r.t x . If I Γ + x and I Γ (cid:13) I Γ then x is not included in I Γ and cannot be included by any TCV occurring in I Γ .
4. If ( I Γ + x : Nm + I Γ ′ ) \ x (cid:13) y I Γ + b ∧ I Γ (cid:13) I Γ ∧ I Γ ′ (cid:13) b : Nm then y I Γ + b thin w.r.t x . Similar to 3, but with two possibilities, b = x ∨ b = x , both of which hold.
5. If A thin w.r.t x and A thin w.r.t x then A ∧ A , A ∨ A , u • e = m { A } , ∀ y ∈ ( I Γ ) .A , ∃ y α b ∈ ( I Γ ) .A , ∃ y ∈ ( I Γ \ − T CV ) .A are all thin w.r.t x . Constructing thin assertions from thin assertions holds in most cases.
6. If A thin w.r.t x and δ ∉ ftcv ( A ) then ∀ δ.A thin w.r.t x . If δ is unused in A then thinness is maintained.
7. If A thin w.r.t x and δ ∉ ftcv ( A ) then ∀ δ. ∀ y α y ∈ ( I Γ + δ ) .A thin w.r.t x . If δ is only used to derive y , then thinness is maintained as it reduces the potentially derived values.

We now define some lemmas that help prove that syntactic thinness implies thinness.
Lemma 39 (Syntactically thin implies thin for Freshness). ( I Γ + y + I Γ ′ ) \ y (cid:13) x I Γ ∧ I Γ (cid:13) I Γ → x I Γ thin w.r.t y
Proof: Assume: ( I Γ + y + I Γ ′ ) \ y (cid:13) x I Γ ∧ I Γ (cid:13) I Γ → I Γ + I Γ ′ (cid:13) x I Γ ∧ I Γ (cid:13) I Γ Assume: ξ I Γ + y + I Γ ′ such that ξ | = x I Γ → ¬ ∃ M x .M x [ I Γ , ξ ] [[ x ]] ξ → ¬ ∃ M x .M x [ I Γ , ξ ] [[ x ]] ξ \ y [[ x ]] ξ ≡ [[ x ]] ξ \ y → ¬ ∃ M x . [[ I Γ ]] ξ ⊢ M x : Nm ∧ ˚a ( M x ) = ∅ → ( ˚a ( ξ ) , M x ξ ) ⇓ ( ˚a ( ξ ) , G ′ , [[ x ]] ξ \ y ) Sem. [ , ] → ¬ ∃ M x . [[ I Γ ]] ξ \ y ⊢ M x : Nm ∧ ˚a ( M x ) = ∅ → ( ˚a ( ξ ) , M x ξ ) ⇓ ( ˚a ( ξ ) , G ′ , [[ x ]] ξ \ y ) I Γ (cid:13) I Γ → [[ I Γ ]] ξ ≡ [[ I Γ ]] ξ \ y → ¬ ∃ M x . [[ I Γ ]] ξ \ y ⊢ M x : Nm ∧ ˚a ( M x ) = ∅ → ( ˚a ( ξ ) , M x ( ξ \ y )) ⇓ ( ˚a ( ξ ) , G ′ , [[ x ]] ξ \ y ) I Γ (cid:13) I Γ ∧ [[ I Γ ]] ξ \ y ⊢ M x : Nm → M ξ ≡ M ( ξ \ y )9 → ¬ ∃ M x . [[ I Γ ]] ξ \ y ⊢ M x : Nm ∧ ˚a ( M x ) = ∅ → ( ˚a ( ξ \ y ) ∪ ˚a ( ξ ( y )) , M x ( ξ \ y )) ⇓ ( ˚a ( ξ ) , G ′ , [[ x ]] ξ \ y ) ˚a ( ξ ) ≡ ˚a ( ξ \ y ) ∪ ˚a ( ξ ( y ))10 → ¬ ∃ M x . [[ I Γ ]] ξ \ y ⊢ M x : Nm ∧ ˚a ( M x ) = ∅ → ( ˚a ( ξ \ y ) , M x ( ξ \ y )) ⇓ ( ˚a ( ξ \ y ) , G ′ , [[ x ]] ξ \ y ) y / ∈ fv ( M x ), Lemma 111 → ξ \ y | = y I Γ Sem.
Lemma 40 (Syntactically Thin formulae implies Thin). Define a method to syntactically define thin formulae as follows:

1. If IΓ ⊩ A and IΓ ⊩ x : α_b then A thin w.r.t. x.
2. The assertions A ≡ T, F, e = e′, e ≠ e′, y IΓ\−TCV that are all free from x (x ∉ fv(A)) are thin w.r.t. x.
3. If (IΓ + y + IΓ′) \ y ⊩ x IΓ₁ ∧ IΓ ⊩ IΓ₁ then x IΓ₁ thin w.r.t. y.
4. If (IΓ + y : Nm + IΓ′) \ y ⊩ x IΓ₁ + b ∧ IΓ ⊩ IΓ₁ ∧ IΓ′ ⊩ b : Nm then x IΓ₁ + b thin w.r.t. y.
5. If A₁ thin w.r.t. x and A₂ thin w.r.t. x then A₁ ∧ A₂, A₁ ∨ A₂, u • e = m{A₁}, ∀y ∈ (IΓ).A₁, ∃y^{α_b} ∈ (IΓ).A₁, ∃y ∈ (IΓ\−TCV).A₁ are all thin w.r.t. x.
6. If A thin w.r.t. x and δ ∉ ftcv(A) then ∀δ.A thin w.r.t. x.
7. If A thin w.r.t. x then ∀δ.∀y^{α_y} ∈ (IΓ + δ).A^{−δ} thin w.r.t. x.

Proof. This proof assumes that ξ \ x (or ξ \ y) is a well-constructed model.

1. If IΓ \ x ⊩ A and IΓ ⊩ x : α_b then A thin w.r.t. x: Given ⟦e⟧ξ ≡ ⟦e⟧ξ·x:V_x^{α_b} and ⟦IΓ⟧ξ ≡ ⟦IΓ⟧ξ·x:V_x^{α_b}, the proof holds easily. Lemmas 5, 6, 7.

2. The assertions A ≡ T, F, e = e′, e ≠ e′, y IΓ\−TCV that are all free from x (x ∉ fv(A)) are thin w.r.t. x: T, F clearly hold.
e = e′:
ξ ⊨ e = e′
↔ ⟦e⟧ξ ≅^α_{å(ξ)} ⟦e′⟧ξ   (Sem. =)
↔ ⟦e⟧ξ\x ≅^α_{å(ξ)} ⟦e′⟧ξ\x   (IΓ \ x ⊩ e : α → ⟦e⟧ξ ≡ ⟦e⟧ξ\x)
↔ ⟦e⟧ξ\x ≅^α_{å(ξ\x)} ⟦e′⟧ξ\x   (Lemma 25)
↔ ξ\x ⊨ e = e′
e ≠ e′: See above.
y IΓ\−TCV:
ξ ⊨ y IΓ\−TCV
↔ ¬∃M_y. M_y[IΓ\−TCV, ξ] ⟦y⟧ξ   (Sem.)
↔ ¬∃M_y. M_y[IΓ\−TCV, ξ] ⟦y⟧ξ\x   (IΓ \ x ⊩ y : Nm → ⟦y⟧ξ ≡ ⟦y⟧ξ\x)
↔ ¬∃M_y. M_y[IΓ\−TCV, ξ] ⟦y⟧ξ\x   (⟦IΓ⟧ξ ≡ ⟦IΓ⟧ξ\x)
→ ξ\x ⊨ y IΓ\−TCV
3. If (IΓ + y + IΓ′) \ y ⊩ x IΓ₁ ∧ IΓ ⊩ IΓ₁ then x IΓ₁ thin w.r.t. y: Lemma 39.

4. If (IΓ + y : Nm + IΓ′) \ y ⊩ x IΓ₁ + b ∧ IΓ ⊩ IΓ₁ ∧ IΓ′ ⊩ b : Nm then x IΓ₁ + b thin w.r.t. y: Essentially relies on b : Nm, which must either be equal to y, in which case there is no issue, or different, in which case there is no issue.
ξ^{IΓ+y+IΓ′} ⊨ x IΓ₁ + b
↔ ¬∃M_x. M_x[IΓ₁ + b, ξ] ⟦x⟧ξ   (Sem.)
↔ ¬∃M_x. M_x[IΓ₁ + b, ξ] ⟦x⟧ξ\y   (IΓ \ y ⊩ x : Nm → ⟦x⟧ξ ≡ ⟦x⟧ξ\y)
↔ ¬∃M_x. ⟦IΓ₁ + b⟧ξ ⊢ M_x : Nm ∧ å(M_x) = ∅ ∧ (å(ξ), M_x ξ) ⇓ (å(ξ), G, ⟦x⟧ξ\y)   (Sem. [ , ])
→ ¬∃M_x. ⟦IΓ₁ + b⟧ξ\y ⊢ M_x : Nm ∧ å(M_x) = ∅ ∧ (å(ξ), M_x(ξ\y)) ⇓ (å(ξ), G, ⟦x⟧ξ\y)   (Subset M_x: ⟦IΓ₁ + b⟧ξ\y ⊆ ⟦IΓ₁ + b⟧ξ)
Case ξ(y) ∈ å(ξ\y), which implies å(ξ) ≡ å(ξ\y):
→ ¬∃M_x. ⟦IΓ₁ + b⟧ξ\y ⊢ M_x : Nm ∧ å(M_x) = ∅ ∧ (å(ξ\y), M_x(ξ\y)) ⇓ (å(ξ\y), G, ⟦x⟧ξ\y)   (å(ξ) ≡ å(ξ\y))
Case ξ(y) ∉ å(ξ\y), which implies ξ(y) ∉ å(M(ξ\y)):
→ ¬∃M_x. ⟦IΓ₁ + b⟧ξ\y ⊢ M_x : Nm ∧ å(M_x) = ∅ ∧ (å(ξ\y), M_x(ξ\y)) ⇓ (å(ξ\y), G, ⟦x⟧ξ\y)   (Lemma 1)
→ ¬∃M_x. M_x[IΓ₁ + b, ξ\y] ⟦x⟧ξ\y   (Sem. [ , ])
→ ξ\y ⊨ x IΓ₁ + b
5. If A₁ thin w.r.t. x and A₂ thin w.r.t. x then A₁ ∧ A₂, A₁ ∨ A₂, u • e = m{A₁}, ∀y ∈ (IΓ).A₁, ∃y^{α_b} ∈ (IΓ).A₁, ∃y ∈ (IΓ\−TCV).A₁ are all thin w.r.t. x:
Elementary cases: the obvious cases are A₁ ∧ A₂ and A₁ ∨ A₂, whose proofs are omitted.
e • e′ = m{A}: holds by IH on A and
ξ ⊨ e • e′ = m{A}
↔ ee′[IΓ, ξ] V_m ∧ ξ·m:V_m ⊨ A   (IH)
→ ee′[IΓ, ξ\x] V_m ∧ ξ\x·m:V_m ⊨ A   (⟦ee′⟧ξ ≡ ⟦ee′⟧ξ\x, Lemma 1 (å(V_m) ∩ å(V_x) ⊆ å(ξ\x)))
→ ξ\x ⊨ e • e′ = m{A}
∀y ∈ (IΓ).A: holds assuming A thin w.r.t. x, then
ξ ⊨ ∀y ∈ (IΓ).A
↔ ∀M_y. M_y[IΓ, ξ] V_y → ξ·y:V_y ⊨ A   (Sem. ∀y ∈ (IΓ).A)
→ ∀M_y. å(M_y) = ∅ ∧ ⟦IΓ⟧ξ ⊢ M_y : α ∧ (å(ξ), M_y ξ) ⇓ (å(ξ), G′, V_y) → ξ·y:V_y ⊨ A   (Sem. [ , ])
→ ∀M_y. å(M_y) = ∅ ∧ ⟦IΓ⟧ξ\x ⊢ M_y : α ∧ (å(ξ), M_y ξ) ⇓ (å(ξ), G′, V_y) → ξ·y:V_y ⊨ A   (⟦IΓ⟧ξ\x ⊆ ⟦IΓ⟧ξ)
→ ∀M_y. å(M_y) = ∅ ∧ ⟦IΓ⟧ξ\x ⊢ M_y : α ∧ (å(ξ\x), M_y ξ\x) ⇓ (å(ξ\x), G′, V_y) → ξ·y:V_y ⊨ A   (x ∉ fv(⟦IΓ⟧ξ\x), Lemma 1 (å(V_y) ∩ å(V_x) ⊆ å(ξ\x)))
→ ∀M_y. M_y[IΓ, ξ\x] V_y → (ξ·y:V_y) ⊨ A   (Sem. [ , ])
→ ∀M_y. M_y[IΓ, ξ\x] V_y → (ξ·y:V_y)\x ⊨ A   (IH)
→ ∀M_y. M_y[IΓ, ξ\x] V_y → ξ\x·y:V_y ⊨ A   (Def ξ\x)
→ ξ\x ⊨ ∀y ∈ (IΓ).A   (Sem. ∀y ∈ (IΓ).A)
∃y^{α_b} ∈ (IΓ).A: holds as follows:
ξ ⊨ ∃y^{α_b} ∈ (IΓ).A
↔ ∃M_y. M_y[IΓ, ξ] V_y ∧ ξ·y:V_y ⊨ A   (Sem. ∃y ∈ (IΓ).A)
→ ∃M_y. å(M_y) = ∅ ∧ ⟦IΓ⟧ξ ⊢ M_y : α ∧ (å(ξ), M_y ξ) ⇓ (å(ξ), G′, V_y) ∧ ξ·y:V_y ⊨ A   (Sem. [ , ])
→ ∃M_y. å(M_y) = ∅ ∧ ⟦IΓ⟧ξ\x ⊢ M_y : α ∧ (å(ξ), M_y ξ) ⇓ (å(ξ), G′, V_y) ∧ ξ·y:V_y ⊨ A   (V_y^{α_b} equally derivable from any TC, Lemma 4)
→ ∃M_y. å(M_y) = ∅ ∧ ⟦IΓ⟧ξ\x ⊢ M_y : α ∧ (å(ξ\x), M_y ξ\x) ⇓ (å(ξ\x), G′, V_y) ∧ ξ·y:V_y ⊨ A   (x ∉ fv(⟦IΓ⟧ξ\x), Lemma 1 (å(V_y) ∩ å(V_x) ⊆ å(ξ\x)))
→ ∃M_y. M_y[IΓ, ξ\x] V_y ∧ ξ·y:V_y ⊨ A   (Sem. [ , ])
→ ∃M_y. M_y[IΓ, ξ] V_y ∧ (ξ·y:V_y)\x ⊨ A   (IH)
→ ∃M_y. M_y[IΓ, ξ] V_y ∧ ξ\x·y:V_y ⊨ A   (Def ξ\x)
→ ξ\x ⊨ ∃y ∈ (IΓ).A   (Sem. ∃y ∈ (IΓ).A)
∃y ∈ (IΓ\−TCV).A: holds as follows:
ξ ⊨ ∃y ∈ (IΓ\−TCV).A
↔ ∃M_y. M_y[IΓ\−TCV, ξ] V_y ∧ ξ·y:V_y ⊨ A   (Sem. ∃y ∈ (IΓ\−TCV).A)
→ ∃M_y. å(M_y) = ∅ ∧ ⟦IΓ\−TCV⟧ξ ⊢ M_y : α ∧ (å(ξ), M_y ξ) ⇓ (å(ξ), G′, V_y) ∧ ξ·y:V_y ⊨ A   (Sem. [ , ])
→ ∃M_y. å(M_y) = ∅ ∧ ⟦IΓ\−TCV⟧ξ\x ⊢ M_y : α ∧ (å(ξ), M_y ξ) ⇓ (å(ξ), G′, V_y) ∧ ξ·y:V_y ⊨ A   (⟦IΓ⟧ξ\x ⊆ ⟦IΓ⟧ξ)
→ ∃M_y. å(M_y) = ∅ ∧ ⟦IΓ\−TCV⟧ξ\x ⊢ M_y : α ∧ (å(ξ\x), M_y ξ\x) ⇓ (å(ξ\x), G′, V_y) ∧ ξ·y:V_y ⊨ A   (x ∉ fv(⟦IΓ⟧ξ\x), Lemma 1 (å(V_y) ∩ å(V_x) ⊆ å(ξ\x)))
→ ∃M_y. M_y[IΓ\−TCV, ξ] V_y ∧ (ξ·y:V_y)\x ⊨ A   (IH)
→ ∃M_y. M_y[IΓ\−TCV, ξ] V_y ∧ ξ\x·y:V_y ⊨ A   (Def ξ\x)
→ ∃M_y. M_y[IΓ\−TCV, ξ\x] V_y ∧ (ξ·y:V_y)\x ⊨ A   (Sem. [ , ])
→ ξ\x ⊨ ∃y ∈ (IΓ\−TCV).A   (Sem. ∃y ∈ (IΓ\−TCV).A)

6. If A thin w.r.t. x and δ ∉ ftcv(A) then ∀δ.A thin w.r.t. x: Holds by IH on A as follows.
ξ ⊨ ∀δ.A
↔ ∀ξ′^{IΓ′}. ξ ⋆ ξ′ → ξ′·δ:IΓ′ ⊨ A   (Sem. ∀δ.)
↔ ∀ξ′^{IΓ′}. ξ ⋆ ξ′ → ξ′ ⊨ A^{−δ}   (Lemma 30)
↔ ∀ξ′^{IΓ′}. ξ ⋆ ξ′ → ξ′\x ⊨ A^{−δ}   (IH)
→ ∀ξ′\x^{IΓ′\x}. ξ\x ⋆ ξ′\x → ξ′\x ⊨ A^{−δ}   (Subset of ∀ξ′^{IΓ′}, as ⟦IΓ\x⟧ξ\x ⊆ ⟦IΓ⟧ξ and ξ\x ⊆ ξ)
→ ∀ξ″^{IΓ″}. ξ\x ⋆ ξ″ → ξ″ ⊨ A^{−δ}   (Rename ξ″ ≡ ξ′\x)
→ ∀ξ″^{IΓ″}. ξ\x ⋆ ξ″ → ξ″·δ:IΓ″ ⊨ A^{−δ}   (Lemma 30)
→ ξ\x ⊨ ∀δ.A^{−δ}   (Sem. ∀δ.)

7. If A thin w.r.t. x then ∀δ.∀y^{α_y} ∈ (IΓ + δ).A^{−δ} thin w.r.t. x: Holds by IH on A as follows.
Assume: A thin w.r.t. x, i.e. assume ∀IΓ, δ, y^{α_y}. IΓ + δ + y:α_y \ x ⊩ A → ∀ξ_dy^{IΓ+δ+y:α_y}. ξ_dy ⊨ A → ξ_dy\x ⊨ A.
Assume: IΓ, ξ^{IΓ} s.t. IΓ \ x ⊩ ∀δ.∀y ∈ (IΓ + δ).A and ξ ⊨ ∀δ.∀y ∈ (IΓ + δ).A.
→ IΓ \ x + δ + y:α_y ⊩ A ∧ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. M_y[IΓ + δ, ξ_d·δ:IΓ_d] V_y → ξ_d·δ:IΓ_d·y:V_y ⊨ A   (Typing rules, Sem. ∀., ∀∈().)
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. M_y[IΓ + δ, ξ_d·δ:IΓ_d] V_y → ξ_d·y:V_y ⊨ A   (A^{−δ}, Lemma 30)
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. M_y[IΓ + δ, ξ_d·δ:IΓ_d] V_y → (ξ_d·y:V_y)\x ⊨ A   (Assumption, 2)
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. M_y[IΓ + δ, ξ_d·δ:IΓ_d] V_y → (ξ_d·δ:IΓ_d·y:V_y)\x ⊨ A   (A^{−δ}, Lemma 30 (ignoring other TCVs))
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. ⟦IΓ + δ⟧ξ_d·δ:IΓ_d ⊢ M_y : α_y ∧ å(M_y) = ∅ ∧ (å(ξ_d·δ:IΓ_d), M_y(ξ_d·δ:IΓ_d)) ⇓ (å(ξ_d·δ:IΓ_d), G′, V_y) → (ξ_d·δ:IΓ_d·y:V_y)\x ⊨ A   (Sem. [ , ])
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. ξ_dd ≡ ξ_d·δ:IΓ_d ∧ ⟦(IΓ + δ)\x⟧ξ_dd\x ⊢ M_y : α_y ∧ å(M_y) = ∅ ∧ (å(ξ_dd), M_y ξ_dd) ⇓ (å(ξ_dd), G′, V_y) → (ξ_dd·y:V_y)\x ⊨ A   (Subset of type context: ⟦IΓ + δ⟧ξ_dd\x ⊆ ⟦IΓ + δ⟧ξ_dd, ⟦IΓ⟧ξ\x ≡ ⟦IΓ\x⟧ξ\x)
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. ξ_{dd−x} ≡ (ξ_d·δ:IΓ_d)\x ∧ ⟦(IΓ + δ)\x⟧ξ_{dd−x} ⊢ M_y : α_y ∧ å(M_y) = ∅ ∧ (å(ξ_d·δ:IΓ_d), M_y ξ_{dd−x}) ⇓ (å(ξ_d·δ:IΓ_d), G′, V_y) → ξ_{dd−x}·y:V_y ⊨ A   (x ∉ fv(M) → Mξ ≡ M(ξ\x))
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → ∀M_y^{α_y}. ξ_{dd−x} ≡ (ξ_d·δ:IΓ_d)\x ∧ ⟦(IΓ + δ)\x⟧ξ_{dd−x} ⊢ M_y : α_y ∧ å(M_y) = ∅ ∧ (å(ξ_{dd−x}), M_y ξ_{dd−x}) ⇓ (å(ξ_{dd−x}), G′, V_y) → ξ_{dd−x}·y:V_y ⊨ A   (Lemma 1)
→ ∀ξ_d^{IΓ_d}. ξ ⋆ ξ_d → (ξ_d·δ:IΓ_d)\x ⊨ ∀y ∈ (IΓ + δ).A   (Sem. ∀∈().)
→ ∀ξ_{d−x}^{IΓ_{d−x}}. ξ ⋆ ξ_{d−x}·x:V_x → (ξ_{d−x}·x:V_x·δ:IΓ_d)\x ⊨ ∀y ∈ (IΓ + δ).A   (ξ_d ≡ ξ_{d−x}·x:V_x)
→ ∀ξ_{d−x}^{IΓ_{d−x}}. ξ\x ⋆ ξ_{d−x} → ξ_{d−x}·δ:IΓ_{d−x} ⊨ ∀y ∈ (IΓ + δ).A   (Subset of ∀ξ_{d−x})
→ ξ\x ⊨ ∀δ.∀y ∈ (IΓ + δ).A   (Sem. ∀δ.)
Hence: ∀IΓ. IΓ \ x ⊩ ∀δ.∀y ∈ (IΓ + δ).A → ∀ξ^{IΓ}. ξ ⊨ ∀δ.∀y ∈ (IΓ + δ).A → ξ\x ⊨ ∀δ.∀y ∈ (IΓ + δ).A   (lines 3-15)
Hence: ∀δ.∀y ∈ (IΓ + δ).A thin w.r.t. x.
G Conservativity
We sketch the proof that our logic is an extension of the STLC logic as defined in [9], and do not explain any of the trivial details. We refer to the logic introduced in this paper as the ν-logic for brevity. We ignore the other possible extensions of Int and operations on Int, Bool, ...

The language for STLC.
α ::= Unit || Bool || α → α || α × α
Γ ::= ∅ || Γ, x : α
V ::= x || c || λx.M || ⟨V, V⟩
M ::= V || MM || let x = M in M || M = M || if M then M else M || ⟨M, M⟩ || π_i(M)

The logic for STLC.
α ::= Unit || Bool || α → α || α × α
e ::= c || x || π_i(e) || ⟨e, e⟩
A ::= e = e || ¬A || A ∧ A || e • e = x^α{A} || ∀x^α.A

Axioms for STLC. The axioms are:
− STLC terms can only be reasoned about through types which are Nm-free, for which we introduce two axioms:
  (ext) Ext(e₁, e₂) ↔ e₁ = e₂
  (u5) ∀x^α ∈ (∅).A ↔ ∀x^α ∈ (IΓ).A, where α is Nm-free
  Axiom (ext) is similar to that of [9], but extended to all terms of Nm-free types. Axiom (u5) ensures names in Nm-free terms can be swapped for any fresh name.
− The axioms for predicate logic, which are equivalent in the ν-logic.
− The axioms for evaluation formulae (• = {}), which are all lifted directly from the STLC-logic [2, 9], but with the added assumption that all terms terminate and the new definition of ∀x^α ∈ (IΓ)., which behaves identically to ∀x. when α is Nm-free.
− The axioms for ∀x.A, which are those of FOL, are represented by their translation to the ν-logic and the axioms for ∀x ∈ (IΓ).
− (ext): this axiom holds in the STLC-logic because functions must always produce the same result if applied twice. This still holds in the ν-logic, as seen in Sec. 5, but only for Nm-free types. A simple example of why this fails for other types is gensym : Unit → Nm, which clearly produces different names each time it is applied.

Rules for STLC. These can be seen in Fig. 5.

$$\frac{-}{\{A[x/m]\}\; x :_m \{A\}}\ [\text{Var}] \qquad \frac{-}{\{A[c/m]\}\; c :_m \{A\}}\ [\text{Const}]$$

$$\frac{\{A\}\; M :_m \{B\} \qquad \{B\}\; N :_n \{C[m = n/u]\}}{\{A\}\; M = N :_u \{C\}}\ [\text{Eq}]$$

$$\frac{\{A^{-x} \wedge B\}\; M :_m \{C\}}{\{A\}\; \lambda x^{\alpha}.M :_u \{\forall x^{\alpha}.(B \to u \bullet x = m\{C\})\}}\ [\text{Lam}]$$

$$\frac{\{A\}\; M :_m \{B\} \qquad \{B\}\; N :_n \{m \bullet n = u\{C\}\}}{\{A\}\; MN :_u \{C\}}\ [\text{App}]$$

$$\frac{\{A\}\; M :_m \{B\} \qquad \{B[b_i/m]\}\; N_i :_u \{C\} \qquad b_1 = \mathsf{true},\ b_2 = \mathsf{false},\ i = 1, 2}{\{A\}\; \mathsf{if}\ M\ \mathsf{then}\ N_1\ \mathsf{else}\ N_2 :_u \{C\}}\ [\text{If}]$$

$$\frac{\{A\}\; M :_m \{B\} \qquad \{B\}\; N :_n \{C[\langle m, n\rangle/u]\}}{\{A\}\; \langle M, N\rangle :_u \{C\}}\ [\text{Pair}]$$

$$\frac{\{A\}\; M :_m \{B[\pi_i(m)/u]\}}{\{A\}\; \pi_i(M) :_u \{B\}}\ [\text{Proj}(i)]$$

Fig. 5. Rules for the STLC
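As an added worked derivation, not taken from the paper, the following instantiates the assertion variables A, B, C of the [Const] and [Pair] rules in Fig. 5 for the Nm-free program ⟨true, false⟩, to show how the rules chain by substituting backwards through the postcondition: C is chosen as u = ⟨true, false⟩, and each premise's precondition is then forced by the rule above it.

$$
\begin{array}{c}
\dfrac{-}{\{\langle \mathsf{true}, \mathsf{false}\rangle = \langle \mathsf{true}, \mathsf{false}\rangle\}\; \mathsf{true} :_m \{\langle m, \mathsf{false}\rangle = \langle \mathsf{true}, \mathsf{false}\rangle\}}\ [\text{Const}]
\qquad
\dfrac{-}{\{\langle m, \mathsf{false}\rangle = \langle \mathsf{true}, \mathsf{false}\rangle\}\; \mathsf{false} :_n \{\langle m, n\rangle = \langle \mathsf{true}, \mathsf{false}\rangle\}}\ [\text{Const}]
\\[2ex]
\hline
\\[-1ex]
\{\langle \mathsf{true}, \mathsf{false}\rangle = \langle \mathsf{true}, \mathsf{false}\rangle\}\; \langle \mathsf{true}, \mathsf{false}\rangle :_u \{u = \langle \mathsf{true}, \mathsf{false}\rangle\}\ [\text{Pair}]
\end{array}
$$

Reading upwards: with $C \equiv u = \langle \mathsf{true}, \mathsf{false}\rangle$, [Pair] needs $C[\langle m, n\rangle/u] \equiv \langle m, n\rangle = \langle \mathsf{true}, \mathsf{false}\rangle$ as the postcondition of $\mathsf{false} :_n$; [Const] with $c = \mathsf{false}$ fixes that premise's precondition $B \equiv \langle m, \mathsf{false}\rangle = \langle \mathsf{true}, \mathsf{false}\rangle$, and [Const] with $c = \mathsf{true}$ then fixes $A \equiv B[\mathsf{true}/m]$. Since no type in this derivation mentions Nm and no quantifier occurs, the conservativity argument below applies to it directly.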
Definition 6. The logic for the ν-calculus is a conservative extension of the logic for the simply typed λ-calculus, provided:
− If A is a formula in the λ-logic derivable from the axioms for the STLC above, then the translation of A to the ν-logic is also derivable from the axioms in the logic of the ν-calculus.
− If {A} M :m {B} is a triple in the logic of the STLC, derivable from the rules for the STLC, then {A} M :m {B} is also derivable from the rules in the logic of the ν-calculus.

Definition 7. Define a translation of STLC assertions (and triples) into ν-calculus assertions (and triples) as follows:

$$
\begin{array}{rcl}
\langle\!\langle e = e' \rangle\!\rangle_{\lambda \to \nu} &=& e = e' \\
\langle\!\langle \neg A \rangle\!\rangle_{\lambda \to \nu} &=& \neg \langle\!\langle A \rangle\!\rangle_{\lambda \to \nu} \\
\langle\!\langle A \wedge B \rangle\!\rangle_{\lambda \to \nu} &=& \langle\!\langle A \rangle\!\rangle_{\lambda \to \nu} \wedge \langle\!\langle B \rangle\!\rangle_{\lambda \to \nu} \\
\langle\!\langle e \bullet e' = m\{A\} \rangle\!\rangle_{\lambda \to \nu} &=& e \bullet e' = m\{\langle\!\langle A \rangle\!\rangle_{\lambda \to \nu}\} \\
\langle\!\langle \forall x^{\alpha}.A \rangle\!\rangle_{\lambda \to \nu} &=& \forall x^{\alpha} \in (\emptyset).\ \langle\!\langle A \rangle\!\rangle_{\lambda \to \nu} \\
\langle\!\langle \{A\}\; M :_m \{B\} \rangle\!\rangle_{\lambda \to \nu} &=& \{\langle\!\langle A \rangle\!\rangle_{\lambda \to \nu}\}\; M :_m \{\langle\!\langle B \rangle\!\rangle_{\lambda \to \nu}\}
\end{array}
\qquad (5)
$$

Theorem 3.
The logic for the ν-calculus is a conservative extension of the logic for the simply typed λ-calculus above.

Proof. Most axioms are simple extensions of the STLC logic, and thus no proof is required. Note that for all A_λ, ⟨⟨A⟩⟩_{λ→ν} is Ext-Ind, as ⟨⟨A⟩⟩_{λ→ν} is TCV free. Axioms that should hold easily are: (eq u u e − u1); an adaption of (u5) for all types which are name free is required to instantiate to variables derived from ∅. See Sec. C.5 for soundness of (ext) for the limited case of name-free types in the LTC and formulae.

All rules for the ν-calculus are an extension of the rules for the STLC, with a few exceptions:
− Substitution: given all LTCs in the logic are reduced to ∅ by (u5), substitution in all rules becomes standard as seen in the STLC, as we never need to perform IΓ[e/x].
− [Lam] introduces ∀δ., however this can just be instantiated. It also introduces ∀x ∈ (δ)., which can be reduced to ∀x ∈ (∅). via (u5).
− thin w.r.t. x̃: Given names are not present, thinness simply implies non-existence of such a variable, i.e. x ∉ fv(A) or A^{−x}.
− Ext-Ind holds for all assertions that are free from δ.