Generative Unbinding of Names
GENERATIVE UNBINDING OF NAMES ∗ ANDREW M. PITTS a AND MARK R. SHINWELL ba University of Cambridge Computer Laboratory, Cambridge CB3 0FD, UK e-mail address : [email protected] b CodeSourcery, Ltd e-mail address : [email protected]
Abstract.
This paper is concerned with the form of typed name binding used by theFreshML family of languages. Its characteristic feature is that a name binding is repre-sented by an abstract (name,value)-pair that may only be deconstructed via the generationof fresh bound names. The paper proves a new result about what operations on names canco-exist with this construct. In FreshML the only observation one can make of names isto test whether or not they are equal. This restricted amount of observation was thoughtnecessary to ensure that there is no observable difference between alpha-equivalent namebinders. Yet from an algorithmic point of view it would be desirable to allow other oper-ations and relations on names, such as a total ordering. This paper shows that, contraryto expectations, one may add not just ordering, but almost any relation or numericalfunction on names without disturbing the fundamental correctness result about this formof typed name binding (that object-level alpha-equivalence precisely corresponds to con-textual equivalence at the programming meta-level), so long as one takes the state ofdynamically created names into account. Introduction
FreshML and the language systems that it has inspired provide some user-friendlyfacilities within the context of strongly typed functional programming for computing withsyntactical data structures involving names and name binding. The underlying theorywas presented in [PG00, SPG03] and has been realised in the Fresh patch of ObjectiveCaml [Shi05b]. FreshML has also inspired Pottier’s C α ml tool [Pot05] for Objective Camland Cheney’s FreshLib library [Che05] for Haskell. The approach taken to binding in allthese works is “nominal” in that the user is given access to the names of bound entitiesand can write syntax manipulating programs that follow the informal practice of referringto α -equivalence classes of terms via representatives. However, in FreshML the means ofaccess to bound names is carefully controlled by the type system. It has been shown [Shi05a,SP05b] that its static and dynamic properties combine to guarantee a certain “correctness D.3.1, D.3.3, F.3.2.
Key words and phrases:
Abstract syntax, binders, alpha-conversion, meta-programming. ∗ This paper is a revised and expanded version of [PS07]. a Research supported by UK EPSRC grant EP/D000459/1.
LOGICAL METHODS l IN COMPUTER SCIENCE DOI:10.2168/LMCS-4 (1:4) 2008 c (cid:13)
A.M. Pitts and M.R. Shinwell CC (cid:13) Creative Commons
A.M. PITTS AND M.R. SHINWELL type atmtype α bndval fresh : unit → atmval bind : atm ∗ α → α bndval unbind : α bnd → atm ∗ α val (=) : atm → atm → bool Figure 1: A signature for name binding.of representation” property: data structures representing α -equivalent syntactical terms(that is, ones differing only in the names of bound entities) always behave the same in anyprogram. So even though programs can name names, as it were, α -equivalence of namebindings is taken care of automatically by the programming language design.Of course such a correctness of representation property depends rather delicately uponwhich operations on bound names are allowed. At the heart of this approach to bindingis an operation that we call generative unbinding . To explain what it involves, consider asimplified version of Fresh Objective Caml with a single type atm of bindable names anda parametric family of types α bnd classifying abstractions of single names over values oftype α . To explain: both atm and α bnd are abstract types that come with the signatureof operations shown in Figure 1. The closed values of type atm are drawn from a countablyinfinite set A of symbols that we call atoms . Programs only get access to atoms by evaluatingthe expression fresh() to get a fresh one; and hence program execution depends upon a staterecording the atoms that have been created so far. Given a type τ , closed values of type τ bnd are called atom bindings and are given by pairs « a » v consisting of an atom a : atm and aclosed value v : τ . Atom bindings are constructed by evaluating bind( a , v ) . Fresh ObjectiveCaml provides a very convenient form of generative pattern-matching for deconstructingatom bindings. To keep things simple, here we will avoid the use of pattern-matching andconsider an equivalent mechanism for deconstructing atom binding via an unbind functioncarrying out generative unbinding: unbind « a » v evaluates by first evaluating fresh() toobtain a fresh atom a ′ and then returning the pair ( a ′ , v { a ′ /a } ) , where in general v { a ′ /a } denotes the value obtained from v by renaming all occurrences of a to be a ′ . The instanceof renaming that arises when evaluating unbind « a » v is special: the fresh atom a ′ doesnot occur in v and so v { a ′ /a } is equivalent to the result of applying to v the semanticallybetter behaved operation of swapping a and a ′ . Although implementing such an atomswapping operation on all types of values is the main extension that the Fresh patch makesto Objective Caml, we have not included a swap : atm → atm → α → α operation in thesignature of Figure 1. This is because it is possible for users to define atom swappingthemselves for specific types on a case-by-case basis. Although this approach has somelimitations, is enough for our purposes here. (The approach is more useful in the presenceof Haskell-style type classes—see [Che05].)The type α bnd is used in data type declarations in the argument type of value construc-tors representing binders. To take a familiar example, the terms of the untyped λ -calculus(all terms, whether open or closed, with variables given by atoms a ∈ A ) t ::= a | λa.t | t t ENERATIVE UNBINDING OF NAMES 3 can be represented by closed values of the type term given by the declaration type term = V of atm | L of term bnd | A of term ∗ term . (1.1)The value p t q : term representing a λ -term t is defined by p a q , V a p λa.t q , L « a » p t qp t t q , A( p t q , p t q ) (1.2)and satisfies: Correctness of Representation : two λ -terms are α -equivalent, t = α t ,iff p t q and p t q are contextually equivalent closed values of type term ,i.e. can be used interchangeably in any well-typed Fresh Objective Caml pro-gram without affecting the observable results of program execution. Since it is also the case that every closed value of type term is of the form p t q for some λ -term t , it follows that there is a bijection between α -equivalence classes of λ -terms andcontextual equivalence classes of closed values of type term . The Correctness of Representa-tion property is not easy to prove because of the nature of contextual equivalence, with itsquantification over all possible program contexts. It was established in [Shi05a, SP05b] us-ing denotational methods that take permutations of atoms into account. The same methodscan be used to generalise from the example of λ -terms to terms over any nominal signature in the sense of [UPG04]. Contribution of this paper.
For the signature in Figure 1, the only operation on atomsapart from bind is a test for equality: a = a ′ evaluates to true if a and a ′ are the same atomand to false otherwise. Adding extra operations and relations for atoms may well changewhich program phrases are contextually equivalent. Is it possible to have some relationsor operations on atoms in addition to equality without invalidating the above Correctnessof Representation property? For example it would be very useful to have a linear order ( < ) : atm → atm → bool , so that values of type atm could be used as keys in efficient datastructures for finite maps and the like. We show that this is possible, and more. This is arather unexpected result, for the following reason.The proof of the Correctness of Representation property given in [Shi05a, SP05b] reliesupon equivariant properties of the semantics, in other words ones whose truth is invariantunder permuting atoms. Atom equality is equivariant: since a permutation is in particularbijective, it preserves and reflects the value of a = a ′ . At first it seems that a linear orderon atoms cannot be equivariant, since if a < a ′ is true, then applying the permutationswapping a and a ′ we get a ′ < a , which is false. However, equivariance is a global property:when considering invariance of the truth of a property under permutations, it is crucial totake into account all the parameters upon which the property depends. Here there is ahidden parameter: the current state of dynamically created atoms . So we should permutethe atoms in this state as well as the arguments of the relation. We shall see that it isperfectly possible to have a state-dependent equivariant ordering for the type atm withoutinvalidating the Correctness of Representation property. Indeed we prove that one canadd any n -ary function from atm to numbers (or to booleans, for that matter) whose A.M. PITTS AND M.R. SHINWELL semantics is reasonable (we explain what is reasonable in Section 3) , without invalidatingthe Correctness of Representation property for any nominal signature.
We have to work quite hard to get this result, which generalises the one announced in[SPG03] (with a flawed proof sketch) and finally proved in [SP05b, Shi05a]; but whereasthose works uses denotational techniques, here we use an arguably more direct approachbased on the operational semantics of the language. We obtain the correctness result (Theo-rem 5.3) as a corollary of more general result (Propositions 5.7 and 5.10) showing that, up tocontextual equivalence, the type τ bnd behaves like the atom-abstraction construct of [GP01,Sect. 5]. Along the way to these results we prove a Mason-Talcott-style “CIU” [MT91] char-acterisation of contextual equivalence for our language (Theorem 4.4). This is proved usingHowe’s method [How96] applied to a formulation of the operational semantics with Felleisen-style evaluation contexts [FH92], via an abstract machine with frame stacks [Pit02]. Theproof technique underlying our work is rule-based induction, but with the novel twist thatwe exploit semantic properties of freshness of names that are based on the use of namepermutations and that were introduced in [GP01] and developed in [Pit03, UN05, Pit06].2. Generative Unbinding
We use a version of FreshML that provides the signature in Figure 1 in the presenceof higher order recursively defined functions on user declared data structures. Its syntax isgiven in Figure 2.
Variable binding.
The syntax of expressions and frame stacks in Figure 2 involves somevariable-binding constructs. Specifically: • free occurrences of f and x in e are bound in fun( f x = e ) ; • free occurrences of x in e are bound in let x = e ′ in e ; • for i = 1 ..n , free occurrences of x i in e i are bound in match v with (C x → e | · · · | C x n → e n ) ; • free occurrences of x in e are bound in S ◦ ( x.e ) .As usual, we identify expressions and frame stacks up to renaming of bound variables . Wewrite fv( e ) for the finite set of free variables of an expression e (and similarly for framestacks); and we write e [ v, . . . /x, . . . ] (2.1)for the simultaneous, capture avoiding substitution of values v, . . . for all free occurrencesof the corresponding variables x, . . . in the expression e (well-defined up to α -equivalence ofbound variables). Reduced form.
The expressions in Figure 2 are given in a “reduced” form (also called“A-normal” form [FSDF93]), in which the order of evaluation is made explicit through let -expressions. This is not essential: the use of reduced form makes the developmentof properties of the language’s dynamics more succinct and that is mostly what we areconcerned with here. However, when giving example expressions it is convenient to use the“unreduced” forms given in Figure 3.
ENERATIVE UNBINDING OF NAMES 5
Variables f, x ∈ V countably infinite set (fixed) Atoms a ∈ A countably infinite set (fixed) Data types δ ∈ D finite set (variable) Constructors C ∈ C finite set (variable) Observations obs ∈ O finite set (variable)
Values v ∈ Val ::= variable x unit () pair ( v , v ) recursive function fun( f x = e ) data construction C v atom a atom binding « v » v Expressions e ∈ Exp ::= value v sequencing let x = e in e first projection fst v second projection snd v function application v v data deconstruction match v with (C x → e | · · · ) fresh atom fresh() generative unbinding unbind v atom observation obs v · · · v Frame stacks S ∈ Stk ::= empty Id non-empty S ◦ ( x.e ) States ~a ∈ State , finite lists of distinct atoms Machine configurations h ~a, S, e i Types τ ∈ Typ ::= unit unit pairs τ ∗ τ functions τ → τ data type δ atoms atm atom bindings τ bnd Typing environments Γ ∈ V fin → Typ
Typing judgements expressions & values Γ ⊢ e : τ frame stacks Γ ⊢ S : τ → τ ′ Initial basis natural numbers nat ∈ D zero (Zero : unit → nat) ∈ C successor (Succ : nat → nat) ∈ C atom equality eq ∈ O (arity = 2) Figure 2: Language syntax.
A.M. PITTS AND M.R. SHINWELL ( e, e ′ ) , let x = e in let x ′ = e ′ in ( x, x ′ ) ( x / ∈ fv( e ′ ) , x ′ = x ) λx. e , fun( f x = e ) ( f / ∈ fv( e ) , f = x ) k e , let x = e in k x ( k = C , fst , snd) « e » e ′ , let x = e in let x ′ = e ′ in « x » x ′ ( x / ∈ fv( e ′ ) , x ′ = x ) e e ′ , let x = e in let x ′ = e ′ in x x ′ ( x / ∈ fv( e ′ ) , x ′ = x )match e with ( · · · ) , let x = e in match x with ( · · · ) ( x / ∈ fv( · · · ))if e then e ′ else e ′′ , match e with(Zero() → e ′ | Succ x → e ′′ ) ( x / ∈ fv( e ′′ )fresh x in e , let x = fresh() in e let « x » x = e in e ′ , let x = e inlet x ′ = unbind x inlet x = fst x ′ inlet x = snd x ′ in e ′ ( x, x ′ / ∈ fv( e ′ ) x ′ = x, x = x )obs e · · · e n , let x = e in · · · let x n = e n in obs x · · · x n ( x , . . . , x n / ∈ fv( e , . . . , e n ) x , . . . , x n distinct ) . Figure 3: Some “unreduced” forms of expression.
Remark 2.1 ( Object-level binding ) . As well as variables (standing for unknown values),the language’s expressions and frame stacks may contain atoms drawn from a fixed, count-ably infinite set A . As discussed in the introduction, atoms are used to represent namesin the object-level languages that are being represented as data in this programming meta-language. In particular a value of the form « a » v is used to represent the object-level bindingof a name a in the value v . However, note that there are no atom-binding constructs at theprogramming meta-level. The reader (especially one used to using lambda-abstraction torepresent all forms of statically-scoped binding) may well ask why? Why cannot we factorout by « »-bound atoms and thereby trivialise (one half of) the Correctness of Representa-tion result referred to in the Introduction? The reason is that it does not make semanticsense to try to regard « a » ( − ) as a form of meta-level binding and identify all expressions upto an α -equivalence involving renaming « »-bound atoms. For example, if a and a ′ are twodifferent atoms, such an α -equivalence would identify fun( f x = « a » x ) with fun( f x = « a ′ » x ) .However, these are two semantically different values: they are not contextually equivalentin the sense discussed in Section 4. For example, the operational semantics described belowgives observably different results ( and respectively) when we place the two expressionsin the context let « x » x = [ − ] a in eq x x (where eq ∈ O is the observation for atom-equality that we always assume is present—seeRemark 3). The reason for this behaviour is that variables in FreshML-like languages standfor unknown values that may well involve atoms free at the object level. We may get captureof such atoms within the scope of an atom-binding « a » ( − ) during evaluation. In the exam-ple, we replaced the hole in [ − ] a with fun( f x = « a » x ) and fun( f x = « a ′ » x ) respectively,yielding expressions that evaluate to « a » a and « a ′ » a —the first involving capture and thesecond not; and such capturing substitution does not respect naive α -equivalence. So the ENERATIVE UNBINDING OF NAMES 7 Γ( x ) = τ Γ ⊢ x : τ Γ ⊢ () : unit Γ ⊢ v : τ Γ ⊢ v : τ Γ ⊢ ( v , v ) : τ ∗ τ Γ , f : τ → τ ′ , x : τ ⊢ e : τ ′ Γ ⊢ fun( f x = e ) : τ → τ ′ C : τ → δ Γ ⊢ v : τ Γ ⊢ C v : δ a ∈ A Γ ⊢ a : atm Γ ⊢ v : atm Γ ⊢ v : τ Γ ⊢ « v » v : τ bndΓ ⊢ e : τ Γ , x : τ ⊢ e ′ : τ ′ Γ ⊢ let x = e in e ′ : τ ′ Γ ⊢ v : τ ∗ τ Γ ⊢ fst v : τ Γ ⊢ v : τ ∗ τ Γ ⊢ snd v : τ Γ ⊢ v : τ → τ ′ Γ ⊢ v : τ Γ ⊢ v v : τ ′ δ = C of τ | · · · | C n of τ n Γ ⊢ v : δ Γ , x : τ ⊢ e : τ · · · Γ , x n : τ n ⊢ e n : τ Γ ⊢ match v with (C x → e | · · · | C n x n → e n ) : τ Γ ⊢ fresh() : atm Γ ⊢ v : τ bndΓ ⊢ unbind v : atm ∗ τ arity(obs) = k Γ ⊢ v : atm · · · Γ ⊢ v k : atmΓ ⊢ obs v . . . v k : natΓ ⊢ Id : τ → τ Γ , x : τ ⊢ e : τ ′ Γ ⊢ S : τ ′ → τ ′′ Γ ⊢ S ◦ ( x.e ) : τ → τ ′′ Notation: • Γ , x : τ indicates the typing environment obtained by extending the finite partial function Γ by mapping a variable x to the type τ (we always assume that x / ∈ dom(Γ) ). • In the typing rule for match -expressions, the hypothesis “ δ = C of τ | · · · | C n of τ n ” refersto the top-level data type declaration (2.2); in other words, the only constructors whoseresult type is δ are C , . . . , C n and τ i is the argument type of C i (for i = 1 ..n ). Figure 4: Typing relation.relation of contextual equivalence that we define in Section 4 does not contain this naive α -equivalence that identifies all (open or closed) expressions up to renaming of « »-boundatoms. However, we will show (Theorem 5.3) that when we restrict to closed expressionsrepresenting object-level languages, then contextual equivalence does contain (indeed, co-incides with) this form of α -equivalence: this is the correctness of representation resultreferred to in the Introduction. Data types and observations.
The language defined in Figure 1 is parameterised by thechoice of a finite set O of function symbols that we call observations on atoms and whoserole is discussed in Section 3, by a finite set D of data type symbols, and by a finite set C of constructor symbols. Each constructor C ∈ C is assumed to come with a type, C : τ → δ ,where τ ∈ Typ and δ ∈ D . The choice of D , C and this typing information constitutes an Since the problematic possibly-capturing substitution is part of the dynamics of FreshML, there remainsthe possibility that the end results in the dynamics of expression evaluation can be made more abstractby identifying them up to renaming bound atoms: see Remark 2.5. There are also less naive versionsof object-level α -equivalence that respect possibly-capturing substitution, such as the one developed in[UPG04] involving hypothetical judgements about freshness of atoms for variables; contextual equivalenceand “contextual freshness” should form a model of this notion, but we do not pursue this here. A.M. PITTS AND M.R. SHINWELL
ML-style top-level declaration of some (possibly mutually recursive) data types: type δ = C , of τ , | · · · | C ,n of τ ,n ... and δ m = C m, of τ m, | · · · | C m,n m of τ m,n m . (2.2)Here δ i (for i = 1 ..m ) are the distinct elements of the set D of data type symbols and C i,j (for i = 1 ..m and j = 1 ..n i ) are the distinct elements of the set C of constructorsymbols. The above declaration just records the typing information C : τ → δ that comeswith each constructor, grouped by result types: δ i appears as the result type of preciselythe constructors C i, , . . . , C i,n i and their argument types are τ i, , . . . , τ i,n i . For the momentwe place no restriction on these types τ i,j : they can be any element of the set Typ whosegrammar is given in Figure 2. However, when we consider representation of object-levellanguages up to α -equivalence in Section 5, we will restrict attention to top-level data typedeclarations where the types τ i,j do not involve function types.We consider observations on atoms that return natural numbers. (The effect of admit-ting some other types of operation on atoms is discussed in Section 6.2.) So we assume D always contains a distinguished data type nat for the type of natural numbers and thatcorrespondingly C contains constructors Zero : unit → nat and Succ : nat → nat for zero andsuccessor. Each obs ∈ O denotes a numerical function on atoms. We assume it comes withan arity , specifying the number of arguments it takes: so if arity(obs) = k and ( v , . . . , v k ) is a k -tuple of values of type atm , then obs v . . . v k is an expression of type nat . The typingof the language’s values, expressions and frame stacks takes place in the presence of typingenvironments, Γ , each assigning types to finitely many variables. The rules in Figure 4 forthe inductively defined typing relation are entirely standard, given that we are followingthe signature in Fig 1.As well as an arity, we assume that each obs ∈ O comes with a specified interpretation:the form this takes is discussed in Section 3. Example 2.2 ( Swapping atoms ) . Examples of programming in FreshML using its char-acteristic feature of generatively unbinding atom-binding values may be found in [SPG03,SP05a]. Another feature of FreshML, the operation of swapping atoms, has been left out ofthe grammar in Figure 2. However, as we mentioned in the introduction, there is a type-directed definition of swapping, swap τ : atm → atm → τ → τ , for this language. For example,when τ is the type atm of atoms we can make use of the observation eq ∈ O for atom-equality that we always assume is present (see Remark 3) together with the abbreviationsin Figure 3 and define swap atm , λx.λy.λz. if eq z x then y else if eq z y then x else z. (2.3)At unit, product, function and atom-binding types we can make use of standard definitionsof permutation action for these types of data (see [Pit06, Section 3], for example): swap unit , λx.λy.λz. z (2.4) swap τ ∗ τ , λx.λy.λz. (swap τ x y (fst z ) , swap τ x y (snd z )) (2.5) swap τ → τ , λx.λy.λz.λx . swap τ x y ( z (swap τ x y x )) (2.6) swap τ bnd , λx.λy.λz. let z = « z » z in « swap atm x y z » (swap τ x y z ) . (2.7)At data types we have to make recursive definitions corresponding to the inductive natureof the data types. For example, if we assume that in addition to the data type nat for ENERATIVE UNBINDING OF NAMES 9 h ~a, S, e i −→ h ~a ′ , S ′ , e ′ i (1) h ~a, S ◦ ( x.e ) , v i −→ h ~a, S, e [ v/x ] i (2) h ~a, S, let x = e in e i −→ h ~a, S ◦ ( x.e ) , e i (3) h ~a, S, match C v with ( · · · | C x → e | · · · ) i −→ h ~a, S, e [ v/x ] i (4) h ~a, S, fst( v , v ) i −→ h ~a, S, v i (5) h ~a, S, snd( v , v ) i −→ h ~a, S, v i (6) h ~a, S, v v i −→ h ~a, S, e [ v , v /f, x ] i if v = fun( f x = e ) (7) h ~a, S, fresh() i −→ h ~a < a ′ , S, a ′ i if a ′ / ∈ atom( ~a ) (8) h ~a, S, unbind « a » v i −→ h ~a < a ′ , S, ( a ′ , v { a ′ /a } ) i if a ′ / ∈ atom( ~a ) (9) h ~a, S, obs a . . . a k i −→ h ~a, S, p m q i if arity(obs) = k , ( a , . . . , a k ) ∈ atom( ~a ) k and J obs K ~a ( a , . . . , a k ) = m Notation: • v { a ′ /a } is the result of replacing all occurrences of an atom a by an atom a ′ in the value v ; • atom( _ ) is the finite set of all atoms occurring in _ ; • ~a < a ′ is the state obtained by appending an atom a ′ not in atom( ~a ) to the right of the finitelist of distinct atoms ~a ; • p m q is the the closed value of type nat corresponding to m ∈ N : p q , Zero() and p m +1 q , Succ p m q ; • J obs K is the meaning of obs : see Section 3. Figure 5: Transition relation.natural numbers we just have a data type term as in (1.1), then we can define swap nat , λx.λy. fun( f z = match z with (Zero() → Zero() | Succ z → Succ( f z ))) (2.8) swap term , λx.λy. fun( f z = match z with (V z → V(swap atm x y z ) | L z → let « z » z = z inL( « swap atm x y z » ( f z )) | A z → A( f (fst z ) , f (snd z )) )) . (2.9)(The fact that values of type nat do not involve atoms means that the above systematicdefinition of swap nat is in fact contextually equivalent to λx.λy.λz. z .) Operational semantics.
The abstract machine that we use to define the language’s dy-namics has configurations of the form h ~a, S, e i . Here e is the expression to be evaluated, S isa stack of evaluation frames and ~a is a finite list of distinct atoms that have been allocatedso far. Figure 5 defines the transition relation between configurations that we use to givethe language’s operational semantics. The first six types of transition are all quite stan-dard. Transition 7 defines the dynamic allocation of a fresh atom and transition 8 definesgenerative unbinding using a freshly created atom; we discuss transition 9 for observationson atoms in the next section. For the atom a ′ in 7 to really be fresh, we need to know thatit does not occur in S ; similarly, in 8 we need to know that a ′ does not occur in ( S, a, v ) .These requirements are met if configurations h ~a, S, e i satisfy that all the atoms occurringin the frame stack S or the expression e occur in the list ~a . Using the notation atom( − ) mentioned in Figure 5, we write this condition as atom( S, e ) ⊆ atom( ~a ) . (2.10) Theorem 2.4 shows that this property of configurations is invariant under transitions, as iswell-typedness. Before stating this theorem we introduce some useful terminology.
Definition 2.3 ( Worlds ) . A ( possible ) world w is just a finite subset of the the fixed set A of atoms. We write World for the set of all worlds.In what follows we will index various relations associated with the language we areconsidering by worlds w ∈ World that make explicit the atoms involved in the relation.Sometimes (as in the following theorem) this is merely a matter of notational convenience;world-indexing will be more crucial when we consider program equivalence: see Remark 4.7below.
Theorem 2.4 ( Type Safety ) . Write ⊢ w h ~a, S, e i : τ to mean that atom( S, e ) ⊆ atom( ~a ) = w and that there is some type τ ′ with ∅ ⊢ S : τ ′ → τ and ∅ ⊢ e : τ ′ . The type system has thefollowing properties. Preservation: if ⊢ w h ~a, S, e i : τ and h ~a, S, e i −→ h ~a ′ , S ′ , e ′ i , with atom( ~a ′ ) = w ′ say,then w ⊆ w ′ and ⊢ w ′ h ~a ′ , S ′ , e ′ i : τ . Progress: if ⊢ w h ~a, S, e i : τ , then either S = Id and e ∈ Val , or h ~a, S, e i −→ h ~a ′ , S ′ , e ′ i holds for some ~a ′ , S ′ and e ′ .Proof. The proof of these properties is routine and is omitted.
Remark 2.5 ( Alternative operational semantics ) . It is worth remarking that thereare alternative approaches to representing object-level binding of a name a in a value v in FreshML-like languages. In the original paper on FreshML [PG00], the authors makea distinction between non-canonical expressions a.v for atom-binding and the “semanticvalues” abs( a, val ) to which they evaluate. That paper gives an operational semantics inthe style of the Definition of Standard ML [MTHM97] in which programming language ex-pressions are separate from semantic values. It is possible to identify such semantic valuesup to α -equivalence of abs( a, − ) -bound atoms without the kind of inconsistency illustratedin Remark 2.1. (Such semantic values in which abs( a, − ) is a binder are used by Pot-tier [Pot07], albeit for first-order values.) However, this does not help to simplify the typeof Correctness of Representation result in which we are interested here, because programsare written using expressions, not semantic values. For example, identifying semantic valuesin this way, abs( a, a ) and abs( a ′ , a ′ ) are identical and hence trivially contextually equiva-lent; however the expressions a.a and a ′ .a ′ (that here we write as « a » a and « a ′ » a ′ ) are notequal and there is something to be done to prove that they are contextually equivalent.In the operational semantics of [PG00] these expressions evaluate to the same semanticvalue up to α -equivalence; so one would need to prove that contextual equivalence for thatlanguage contains “Kleene equivalence”—for example by proving a “CIU” theorem like ourTheorem 4.4 below. So it is probably possible to develop the results of this paper usingthis slightly more abstract style of operational semantics with semantic values identified upto α -equivalence of bound atoms. However our experience is that the style of operationalsemantics we use here, in which semantic values are identified with certain canonical ex-pressions (but necessarily not identified up α -equivalence of bound atoms, for the reasonsdiscussed in Remark 2.1) leads to a simpler technical development overall. ENERATIVE UNBINDING OF NAMES 11 h ~a, S, e i↓ n h ~a, S, e i↓h ~a, Id , v i↓ h ~a, S, e i −→ h ~a ′ , S ′ , e ′ i h ~a ′ , S ′ , e ′ i↓ n h ~a, S, e i↓ n +1 h ~a, S, e i↓ n h ~a, S, e i↓ Figure 6: Termination relations.3.
Observations on Atoms
The language we are considering is parameterised by a choice of a finite set O ofnumerical functions on atoms. We assume that each obs ∈ O comes with a specifiedmeaning J obs K . As mentioned in the introduction, we should allow these meanings to bedependent on the current state (the list of distinct atoms that have been created so far).So if arity(obs) = k , for each ~a ∈ State we assume given a function J obs K ~a : atom( ~a ) k → N mapping k -tuples of atoms occurring in the state ~a to natural numbers. These functionsare used in the transitions of type 9 in Figure 5. Not every such family ( J obs K ~a | ~a ∈ State) of functions is acceptable as an observation on atoms: we require that the family be equivariant . To explain what this means we need the following definition.
Definition 3.1 ( Permutations ) . A finite permutation of atoms is a bijection π from theset A of atoms onto itself such that supp( π ) , { a ∈ A | π ( a ) = a } is a finite set. We write P for the set of all such permutations. If π ∈ P and ~a ∈ State , then π · ~a denotes the finitelist of distinct atoms obtained by mapping π over the list ~a ; if e is an expression, then π · e denotes the expression obtained from it by applying π to the atoms in e ; and similarly forother syntactical structures involving finitely many atoms, such as values and frame stacks.We require the functions ( J obs K ~a | ~a ∈ State) associated with each obs ∈ O to satisfyan equivariance property: for all π ∈ P , ~a ∈ State and ( a , . . . , a k ) ∈ atom( ~a ) k (where k isthe arity of obs ) J obs K ~a ( a , . . . , a k ) = J obs K π · ~a ( π ( a ) , . . . , π ( a k )) . (3.1)We impose condition (3.1) for the following reason. In Figure 5, the side conditions ontransitions of types 7 and 8 do not specify which of the infinitely many atoms in A − atom( ~a ) should be chosen as the fresh atom a ′ . Any particular implementation of the language willmake such choices in some specific way, for example by implementing atoms as numbersand incrementing a global counter to get the next fresh atom. We wish to work at alevel of abstraction that is independent of such implementation details. We can do so byensuring that we only use properties of machine configurations h ~a, S, e i that depend on therelative positions of atoms in the list ~a , rather than upon their identities. So properties ofconfigurations should be equivariant: if h ~a, S, e i has the property, then so should h π · ~a, π · S, π · e i for any π ∈ P . The main property of configurations we need is termination , definedin Figure 6, since as we see in the next section this determines contextual equivalence ofexpressions. With condition (3.1) we have: Lemma 3.2. If h ~a, S, e i↓ n , then h π · ~a, π · S, π · e i↓ n for any π ∈ P .Proof. In view of the definition of termination in Figure 6, it suffices to show that thetransition relation is equivariant: h ~a, S, e i −→ h ~a ′ , S ′ , e ′ i ⇒ h π · ~a, π · S, π · e i −→ h π · ~a ′ , π · S ′ , π · e ′ i . Equality , eq ( arity = 2 ): J eq K ~a ( a, a ′ ) , ( if a = a ′ , otherwise. Linear order , lt ( arity = 2 ): J lt K ~a ( a, a ′ ) , ( if a occurs to the left of a ′ in the list ~a , otherwise. Ordinal , ord ( arity = 1 ): J ord K ~a ( a ) , n , if a is the n th element of the list ~a . State size , card ( arity = 0 ): J card K ~a () , length of the list ~a . Figure 7: Examples of observations on atoms.This can be proved by cases from the definition of −→ in Fig 5. Cases 1–8 follow fromgeneral properties of the action of permutations on syntactical structures (such as the factthat π · ( e [ v/x ]) equals ( π · e )[ π · v/x ] ); case 9 uses property (3.1).As a corollary we find that termination is indeed independent of the choice of freshatom in transitions of the form 7 or 8. Corollary 3.3. If h ~a, S, fresh i↓ n +1 with atom( S ) ⊆ atom( ~a ) , then for all a ′ / ∈ atom( ~a ) , itis the case that h ~a < a ′ , S, a ′ i↓ n . Similarly, if h ~a, S, unbind « a » v i↓ n +1 with atom( S, a, v ) ⊆ atom( ~a ) , then for all a ′ / ∈ atom( ~a ) , it is the case that h ~a < a ′ , S, ( a ′ , v { a ′ /a } ) i↓ n . There are observations on atoms that are not equivariant, that is, whose value on someatoms in a particular state does not depend just upon the relative position of those atomsin the state. For example, if we fix some enumeration of the set of atoms, α : N ∼ = A , itis easy to see that the unary observation given by J obs K ~a ( a ) = α − ( a ) fails to satisfy (3.1).Nevertheless, there is a wide range of functions that do have this property. Figure 7 givessome examples. Remark 3.4 ( Atom-equality test ) . The first observation on atoms given in Figure 7, eq , combined with the usual arithmetic operations for nat that are already definable in thelanguage, gives us the effect of the function (=) : atm → atm → bool from the signature inFigure 1; so we assume that the set O of observations on atoms always contains eq . Remark 3.5 ( Fresh Atoms Largest ) . Note that in the operational semantics of Figure 5we have chosen to make “fresh atoms largest”, in the sense that the fresh atom a ′ intransitions 7 and 8 is added to the right-hand end of the list ~a representing the currentstate. In the presence of observations on atoms other than equality, such a choice maywell affect the properties of the notion of program equivalence that we explore in the nextsection. Other choices are possible, but to insist that program equivalence is independentof any such choice would rule out many useful observations on atoms (such as lt or ord inFigure 7). ENERATIVE UNBINDING OF NAMES 13 Contextual Equivalence
We wish to prove that the language we have described satisfies Correctness of Rep-resentation properties of the kind mentioned in the introduction. To do so, we first haveto be more precise about what it means for two expressions to be contextually equivalent ,that is, to be interchangeable in any program without affecting the observable results ofexecuting that program. What is a program, what does it mean to execute it, and whatresults of execution do we observe? The answers we take to these questions are: programsare closed well-typed expressions; execution means carrying out a sequence of transitions ofthe abstract machine from an initial machine configuration consisting of a state (that is, alist of atoms containing those mentioned in the program), the empty frame stack and theprogram; and we observe whether execution reaches a terminal configuration, that is, oneof the form h ~a, Id , v i . We need only observe termination because of the language’s strictevaluation strategy: observing any (reasonable) properties of the final value v results inthe same notion of contextual equivalence. Also, it is technically convenient to be a bitmore liberal about what constitutes an initial configuration by allowing the starting framestack to be non-empty: this does not change the notion of contextual equivalence becauseof the correspondence between frame stacks and “evaluation” contexts—see the remarksafter Definition 4.5 below. So we can say that e and e ′ are contextually equivalent if forall program contexts C [ − ] , the programs C [ e ] and C [ e ′ ] are operationally equivalent in thefollowing sense. Definition 4.1 ( Operational Equivalence of Closed Expressions ) . ⊢ w e ∼ = e ′ : τ isdefined to hold if • atom( e, e ′ ) ⊆ w ; • ∅ ⊢ e : τ and ∅ ⊢ e ′ : τ ; and • for all ~a , S and τ ′ with w ∪ atom( S ) ⊆ atom( ~a ) and ∅ ⊢ S : τ → τ ′ , it is the casethat h ~a, S, e i↓ ⇔ h ~a, S, e ′ i↓ .However, for the reasons given in [Pit05, Section 7.5], we prefer not to phrase the formaldefinition of contextual equivalence in terms of the inconveniently concrete operation ofpossibly capturing substitution of open expressions for the hole “ − ” in program contexts C [ − ] . Instead we take the more abstract relational approach originally advocated by Gordon[Gor98] and Lassen [Las98] that focuses upon the key features of contextual equivalence,namely that it is the largest congruence relation for well-typed expressions that contains therelation of operational equivalence of Definition 4.1. A congruence relation is an expressionrelation that is an equivalence, compatible and substitutive, in the following sense.
Definition 4.2 ( Expression Relations ) . An expression relation E is a set of tuples (Γ , w, e, e ′ , τ ) (made up of a typing context, a world, two expressions and a type) satis-fying atom( e, e ′ ) ⊆ w , Γ ⊢ e : τ and Γ ⊢ e ′ : τ . We write Γ ⊢ w e E e ′ : τ to indicatethat (Γ , w, e, e ′ , τ ) is a member of E . We use the following terminology in connection withexpression relations. • E is an equivalence if it is reflexive ( atom( e ) ⊆ w ∧ Γ ⊢ e : τ ⇒ Γ ⊢ w e E e : τ ),symmetric ( Γ ⊢ w e E e ′ : τ ⇒ Γ ⊢ w e ′ E e : τ ) and transitive ( Γ ⊢ w e E e ′ : τ ∧ Γ ⊢ w e ′ E e ′′ : τ ⇒ Γ ⊢ w e E e ′′ : τ ). • E is compatible if b E ⊆ E , where b E is the compatible refinement of E , defined inFigure 8. Γ( x ) = τ Γ ⊢ w x b E x : τ Γ ⊢ w () b E () : unit Γ ⊢ w v E v ′ : τ Γ ⊢ w v E v ′ : τ Γ ⊢ w ( v , v ) b E ( v ′ , v ′ ) : τ ∗ τ Γ , f : τ → τ ′ , x : τ ⊢ w e E e ′ : τ ′ Γ ⊢ w fun( f x = e ) b E fun( f x = e ′ ) : τ → τ ′ C : τ → δ Γ ⊢ w v E v ′ : τ Γ ⊢ w C v b E C v ′ : δ a ∈ w Γ ⊢ w a b E a : atmΓ ⊢ w v E v ′ : atm Γ ⊢ w v E v ′ : τ Γ ⊢ w « v » v b E « v ′ » v ′ : τ bnd Γ ⊢ w e E e ′ : τ Γ , x : τ ⊢ w e E e ′ : τ ′ Γ ⊢ w let x = e in e b E let x = e ′ in e ′ : τ ′ Γ ⊢ w v E v ′ : τ ∗ τ Γ ⊢ w fst v b E fst v ′ : τ Γ ⊢ w v E v ′ : τ ∗ τ Γ ⊢ w snd v b E snd v ′ : τ Γ ⊢ w v E v ′ : τ → τ ′ Γ ⊢ w v E v ′ : τ Γ ⊢ w v v b E v ′ v ′ : τ ′ δ = C of τ | · · · | C n of τ n Γ ⊢ w v E v ′ : δ Γ , x : τ ⊢ w e E e ′ : τ · · · Γ , x n : τ n ⊢ w e n E e ′ n : τ Γ ⊢ w match v with (C x → e | · · · | C n x n → e n ) b E match v ′ with (C x → e ′ | · · · | C n x n → e ′ n ) : τ Γ ⊢ w fresh() b E fresh() : atm Γ ⊢ w v E v ′ : τ bndΓ ⊢ w unbind v b E unbind v ′ : atm ∗ τ arity(obs) = k Γ ⊢ w v E v ′ : atm · · · Γ ⊢ w v k E v ′ k : atmΓ ⊢ w obs v . . . v k b E obs v ′ . . . v ′ k : natΓ ⊢ w Id b E Id : τ → τ Γ , x : τ ⊢ w e E e ′ : τ ′ Γ ⊢ w S b E S ′ : τ ′ → τ ′′ Γ ⊢ w S ◦ ( x.e ) b E S ′ ◦ ( x.e ′ ) : τ → τ ′′ Figure 8: Compatible refinement b E of an expression relation E . • E is substitutive if Γ ⊢ w v E v ′ : τ ∧ Γ , x : τ ⊢ w e E e ′ : τ ′ ⇒ Γ ⊢ w e [ v/x ] E e ′ [ v ′ /x ] : τ ′ . • E is equivariant if Γ ⊢ w e E e ′ : τ ⇒ Γ ⊢ π · w π · e E π · e ′ : τ . • E is adequate if ∅ ⊢ w e E e ′ : τ ⇒ ⊢ w e ∼ = e ′ : τ .We extend operational equivalence (Definition 4.1) to an expression relation, Γ ⊢ w e ∼ = ◦ e ′ : τ , by instantiating free variables with closed values: Definition 4.3 ( ∼ = ◦ ) . Supposing
Γ = { x : τ , . . . , x n : τ n } , we define Γ ⊢ w e ∼ = ◦ e ′ : τ tohold if • atom( e, e ′ ) ⊆ w ; • Γ ⊢ e : τ and Γ ⊢ e ′ : τ ; and • for all w ′ ⊇ w and all closed values v i with atom( v i ) ⊆ w ′ and ∅ ⊢ v i : τ i (for i = 1 ..n ), it is the case that ⊢ w ′ e [ ~v/~x ] ∼ = e ′ [ ~v/~x ] : τ .Note that for closed expressions, that is, in the case that Γ = ∅ , the relation ∼ = ◦ agrees with ∼ = : ∅ ⊢ w e ∼ = ◦ e ′ : τ ⇔ ⊢ w e ∼ = e ′ : τ . (4.1) ENERATIVE UNBINDING OF NAMES 15
Theorem 4.4 ( CIU ) . Operational equivalence of possibly open expressions, ∼ = ◦ , is a com-patible, substitutive and adequate equivalence. It is the largest such expression relation. Itis also equivariant.Proof. The fact that ∼ = ◦ is equivariant follows from Lemma 3.2. The fact that it is anequivalence and adequate is immediate from its definition; as is the fact that it containsany expression relation that is adequate, substitutive and reflexive. So the main difficulty isto show that it is compatible and substitutive. One can do this by adapting a constructiondue to Howe [How96]; see Appendix A. Definition 4.5 ( Contextual Equivalence ) . In view of the discussion at the beginning ofthis section, Theorem 4.4 tells us that ∼ = ◦ coincides with a conventional notion of contextualequivalence defined using program contexts: so from now on we refer to ∼ = ◦ as contextualequivalence . Remark 4.6 ( Uses of closed instantiations ) . We labelled the above theorem “CIU”because it is analogous to a theorem of that name due to Mason and Talcott [MT91]. CIU,after permutation, stands for “Uses of Closed Instantiations”; and the theorem tells usthat to test open expressions for contextual equivalence it suffices to first close them bysubstituting closed values for free variables and then test the resulting closed expressionsfor termination when they are used in any evaluation context [FH92]. This follows fromthe definition of ∼ = ◦ and the fact that termination in evaluation contexts corresponds totermination of machine configurations via the easily verified property h ~a, S, e i↓ ⇔ h ~a, Id , S [ e ] i↓ (4.2)where the expression S [ e ] is defined by recursion on the length of the stack S by: Id[ e ] , eS ◦ ( x.e ′ )[ e ] , S [let x = e in e ′ ] . (4.3)Theorem 4.4 serves to establish some basic properties of contextual equivalence, suchas the fact that the state-independent transitions in Figure 5 (types 1–6 and 9) give rise tocontextual equivalences. For example, Γ ⊢ w let x = v in e ∼ = ◦ e [ v/x ] : τ ′ holds if Γ ⊢ w v : τ and Γ , x : τ ⊢ w e : τ ′ . However, we have to work a bit harder to understand the consequencesof transitions of types 7 and 8 for contextual equivalence at atom binding types, τ bnd . Weaddress this in the next section. Remark 4.7 ( Possible Worlds ) . It is immediate from the definition of ∼ = ◦ that it satisfiesa weakening property: Γ ⊢ w e ∼ = ◦ e ′ : τ ∧ w ⊆ w ′ ⇒ Γ ⊢ w ′ e ∼ = ◦ e ′ : τ . (4.4)If it also satisfied a strengthening property Γ ⊢ w ′ e ∼ = ◦ e ′ : τ ∧ atom( e, e ′ ) ⊆ w ⊆ w ′ ⇒ Γ ⊢ w e ∼ = ◦ e ′ : τ (4.5)then we could make the indexing of contextual equivalence by “possible worlds” w implicitby taking w = atom( e, e ′ ) . When O just contains eq , property (4.5) does hold; this is whythere is no need for indexing by possible worlds in [Shi05a, SP05b]. However, it is nothard to see that the presence of some observations on atoms, such as the function card inFigure 7, can cause (4.5) to fail. It is for this reason that we have built indexing by possibleworlds into expression relations (Definition 4.2). ⊢ w () = α () : unit ⊢ w v = α v ′ : σ ⊢ w v = α v ′ : σ ⊢ w ( v , v ) = α ( v ′ , v ′ ) : σ ∗ σ C : σ → δ ⊢ w v = α v ′ : σ ⊢ w C v = α C v ′ : δa ∈ w ⊢ w a = α a : atm a ′′ / ∈ w ⊇ atom( a, v, a ′ , v ′ ) ⊢ w ∪{ a ′′ } v { a ′′ /a } = α v ′ { a ′′ /a ′ } : σ ⊢ w « a » v = α « a ′ » v ′ : σ bnd Figure 9: α -Equivalence.5. Correctness of Representation
Recall from Section 2 that the language we are considering is parameterised by a top-level declaration of some (possibly mutually recursive) data types: type δ = C , of τ , | · · · | C ,n of τ ,n ... and δ m = C m, of τ m, | · · · | C m,n m of τ m,n m . (5.1)If we restrict attention to declarations in which the argument types τ i,j of the constructors C i,j are just finite products of the declared data types δ . . . , δ m , then the above declarationcorresponds to a many-sorted algebraic signature ; furthermore, in this case the language’svalues at each data type are just the abstract syntax trees of terms of the correspondingsort in the signature. By allowing atoms and atom bindings in addition to products in theargument types τ i,j , one arrives at the notion of “nominal signature”, introduced in [UPG04]and more fully developed in [Pit06]. It extends the notion of many-sorted algebraic signaturewith names (of possibly many kinds) and information about name binding in constructors.Here, for simplicity, we are restricting to a single kind of name, represented by the type atm of atoms; but our results extend easily to the case of many kinds of name. Definition 5.1 ( Nominal Signatures ) . The subset
Arity ⊆ Typ is given by the grammar σ ∈ Arity ::= unit | σ ∗ σ | δ | atm | σ bnd (5.2)where δ ranges over the finite set D of data type symbols. (In other words Arity consists ofthose types of our language that do not involve any use of the function type construction, → .) The elements of the set Arity are called nominal arities . (The notation hh atm ii σ is usedin [UPG04, Pit06] for what we here write as σ bnd .) A nominal signature with a single sortof atoms, atm , is specified by a data type declaration (5.1) in which the argument types τ i,j of the constructors C i,j are all nominal arities.The occurrences of σ bnd in a nominal signature (5.1) indicate arguments with boundatoms. In particular, we can associate with each such signature a notion of α -equivalence , = α , that identifies closed values of nominal arity up to renaming bound atoms. The induc-tive definition of = α is given in Figure 9. It generalises to an arbitrary nominal signature thesyntax-directed characterisation of α -equivalence of λ -terms given in [Gun92, p. 36]. Thedefinition in Figure 9 is essentially that given in [Pit06], except that we have included anindexing by possible worlds w , to chime with our form of judgement for contextual equiv-alence; without that indexing, the condition “ a ′′ / ∈ w ⊇ atom( a, v, a ′ , v ′ ) ” in the rule for α -equivalence of values of atom binding type would be replaced by “ a ′′ / ∈ atom( a, v, a ′ , v ′ ) ”. Remark 5.2 ( The role of closed values ) . For each σ ∈ Arity , the closed values (thatis, ones with no free variables) of that type, ∅ ⊢ w v : σ , correspond precisely to the ground ENERATIVE UNBINDING OF NAMES 17 terms (with arity σ and atoms in w ) over the given nominal signature, as defined in [UPG04].For example, the declaration (1.1) corresponds to the nominal signature for λ -calculus; andclosed values of type term correspond as in (1.2) to the abstract syntax trees for λ -terms—open or closed ones, with λ -calculus variables represented by atoms. For other examples ofnominal signatures, with more complicated patterns of binding, see [Pit06, Section 2.2].Note that the definition of = α in Figure 9 cannot be extended naively to open val-ues with free variables, for the reasons discussed in Remark 2.1. Free variables stand forunknown values that may well involve atoms that get captured by « »-binders upon substi-tution. So as we saw in that remark, it does not make semantic sense to say, for example,that « a » x and « a » x are α -equivalent without putting some restrictions on the kind of value x stands for. In [UPG04], Urban et al consider such restrictions consisting of assumptionsabout the freshness of atoms for variables; they generalise Figure 9 to a hypothetical no-tion of α -equivalence between open values , with hypotheses consisting of such freshnessassumptions. It may be possible to relate the validity of this general form of α -equivalenceto contextual equivalence, but here we content ourselves with the following result about thestraightforward notion of α -equivalence on closed values given by Figure 9. Theorem 5.3 ( Correctness of Representation ) . Suppose that all the observations onatoms obs in O satisfy the equivariance property (3.1) . For each nominal signature, twoclosed values v, v ′ of the same nominal arity σ (with atoms contained in the finite set w ,say) are α -equivalent if and only if they are contextually equivalent: ⊢ w v = α v ′ : σ ⇔ ⊢ w v ∼ = v ′ : σ . (5.3)The rest of this section is devoted to the proof of the bi-implication in (5.3). Beforecommencing the proof we make some remarks about the relative difficulty of each half ofthe bi-implication and about alternative approaches to the proof than the one we take. Remark 5.4 ( ⊢ w v = α v ′ : σ ⇒ ⊢ w v ∼ = v ′ : σ ) . At first sight it might seem that thisimplication is trivial: since we identify expressions up to α -equivalence of bound variables,contextual equivalence automatically contains that notion of equivalence. However, = α is not that meta-level α -equivalence, it is α -equivalence at the object-level for « »-boundatoms. As we noted in Remark 2.1, identifying all (open or closed) expressions up torenaming « »-bound atoms is incompatible with contextual equivalence: so we cannottrivialise the left-to-right implication in (5.3) by factoring out in this way. Note that therestriction to nominal arities in Figure 9 means that we do not have to consider = α forvalues of the form fun( f x = e ) and hence for open expressions e where the naive definitionof = α would encounter the semantic problems discussed in Remarks 2.1 and 5.2.So there really is something to do to establish the left-to-right implication in (5.3).However, we will see that we have already done most of the heavy lifting for this half of thetheorem by establishing the CIU Theorem 4.4. Remark 5.5 ( ⊢ w v ∼ = v ′ : σ ⇒ ⊢ w v = α v ′ : σ ) . This is equivalent to showingthat if two closed values v and v ′ of nominal arity σ are not α -equivalent, then they arenot contextually equivalent. Proving contextual inequivalence is much easier than provingcontextual equivalence, since one just has to construct a context in which the two values havedifferent operational behaviour. In this case it would suffice to exhibit a closed expression aeq σ : σ → σ → nat correctly implementing = α , in the sense that for all v and v ′ This is a slight over-simplification, since their “nominal terms” are not just the open values consideredhere: they involved explicit atom-permutations as well. ⊢ w v = α v ′ : σ ⇒ ∀ ~a. w ⊆ atom( ~a ) ⇒ ∃ ~a ′ . h ~a, Id , aeq σ v v ′ i −→ ∗ h ~a ′ , Id , Zero() i⊢ w v = α v ′ : σ ⇒ ∀ ~a. w ⊆ atom( ~a ) ⇒ ∃ ~a ′ . h ~a, Id , aeq σ v v ′ i −→ ∗ h ~a ′ , Id , Succ(Zero()) i . It is indeed possible to construct such an expression aeq σ by induction on the structure of σ ,by a definition that mimics the rules in Figure 9, using the definition of atom-swapping fromExample 2.2 in the case of an atom-binding arity and using recursively defined functionsat data types. The proof of the above properties of aeq σ is relatively straightforward iftedious; one first has to prove suitable correctness properties for the swapping expressions swap σ from Example 2.2.This is not the route to the right-to-left implication in (5.3) that we take. Insteadwe deduce it from a general “extensionality” property of atom-binding types τ bind thatholds for all types τ , including ones that are not nominal arities, that is, ones involvingfunction types. This property (Propositions 5.7 and 5.10) shows that, up to contextualequivalence, the type τ bnd behaves like the atom-abstraction construct of [GP01, Sect. 5].It seems interesting in its own right. We are able to prove this property of general atom-binding types τ bind only under a restriction on observations on atoms over and above theequivariance property (3.1) that we always assume they possess. This is the “affineness”property given in Definition 5.8 below. The equality test eq (Figure 7) is affine and we willsee that this fact is enough to prove Theorem 5.3 as stated, that is, without any restrictionon the observations present other than equivariance.We now begin the proof of Theorem 5.3. Proposition 5.6. (i) ⊢ w () ∼ = () : unit . (ii) For all types τ , τ ∈ Typ , ⊢ w ( v , v ) ∼ = ( v ′ , v ′ ) : τ ∗ τ iff ⊢ w v ∼ = v ′ : τ and ⊢ w v ∼ = v ′ : τ . (iii) For each data type δ i in the declaration (5.1) , ⊢ w C i,j v ∼ = C i,j ′ v ′ : δ i iff j = j ′ and ⊢ w v ∼ = v ′ : τ i,j . (iv) ⊢ w a ∼ = a ′ : atm iff a = a ′ ∈ w .Proof. Part (i) and the “if” directions of (ii)–(iv) are consequences of the fact (Theorem 4.4)that ∼ = ◦ is a compatible equivalence. For the “only if” directions of (ii) and (iii) we applysuitably chosen destructors. Thus for part (ii) we use the operational equivalences ⊢ w fst( v , v ) ∼ = v : τ and ⊢ w snd( v , v ) ∼ = v : τ that are consequences of the definitionsof ∼ = and the termination relation. Similarly, part (iii) follows from the easily establishedoperational (in)equivalences ⊢ w diverge = v : τ ⊢ w proj i,j (C i,j v ) ∼ = v : τ i,j ⊢ w proj i,j (C i,j ′ v ) ∼ = diverge : τ i,j if j = j ′ which make use of the following expressions diverge , fun( f x = f x )()proj i,j v , match v with (C i, x → d j, | · · · | C i,n i x n i → d j,n i ) ENERATIVE UNBINDING OF NAMES 19 where d j,j ′ , ( x j if j = j ′ , diverge if j = j ′ .Finally, for the “only if” direction of part (iv) we make use of the fact that O always containsthe atom equality function eq from Figure 7: see Lemma A.4(i) in Appendix A.This proposition tells us that ∼ = has properties mirroring those of α -equivalence givenby the first four rules in Figure 9. To complete the proof of the correctness theorem, weneed to prove a property of ∼ = at atom binding arities σ bnd that mirrors the fifth rule inthat figure. We split this into two parts, Propositions 5.7 and 5.10. Proposition 5.7.
For any type τ ∈ Typ , suppose we are given closed, well-typed atombinding values ∅ ⊢ w « a » v : τ bnd and ∅ ⊢ w « a ′ » v ′ : τ bnd . If for some atom a ′′ / ∈ w we have ⊢ w ∪{ a ′′ } v { a ′′ /a } ∼ = v ′ { a ′′ /a ′ } : τ (5.4) then ⊢ w « a » v ∼ = « a ′ » v ′ : τ bnd . (5.5) Proof.
Unlike the previous proposition, this result is not just a simple consequence of thecongruence properties of operational equivalence. It can be proved via an induction overthe rules defining termination: see Appendix B.Next we need to prove the converse of the above proposition, namely that (5.5) implies(5.4) for any a ′′ / ∈ w . The difficulty is that in verifying (5.4) we have to consider thetermination behaviour of v { a ′′ /a } and v ′ { a ′′ /a ′ } in all states ~a with atom( ~a ) ⊇ w ∪ { a ′′ } .The atom a ′′ may occur at any position in ~a and not necessarily at its right-hand end;whereas in assuming (5.5), all we appear to know about the termination behaviour of v { a ′′ /a } and v ′ { a ′′ /a ′ } is what happens when a fresh atom a ′′ is placed at the end of thestate via generative unbinding (cf. Remark 3.5). In fact we are able to combine bind and unbind operations to rearrange atoms sufficiently to prove the result we want, but onlyin the presence of observations on atoms that are insensitive to atoms being added at theleft-hand (that is, least) end of the state. The following definition makes this property ofobservations precise. It uses the notation a ′ < ~a for the state obtained from ~a ∈ State byappending an atom a ′ not in atom( ~a ) to the left of the finite list of distinct atoms ~a (cf. ~a < a ′ defined in Figure 5). Definition 5.8 ( Affine Observations ) . An observation on atoms, obs ∈ O , is affine if itis equivariant (3.1) and satisfies: for all ~a ∈ State , all a ′ / ∈ atom( ~a ) and all ( a , . . . , a k ) ∈ atom( ~a ) k (where k is the arity of obs ) J obs K a ′ < ~a ( a , . . . , a k ) = J obs K ~a ( a , . . . , a k ) . (5.6)For example, of the observations defined in Figure 7, eq and lt are affine, whereas ord and card are not.The following property of termination follows from its definition in Figures 5 and 6,using Corollary 3.3. Lemma 5.9.
Given a frame stack S and an expression e , suppose that only affine ob-servations on atoms occur in them. Then for all ~a with atom( S, e ) ⊆ atom( ~a ) and all a ′ / ∈ atom( ~a ) , h a < ~a, S, e i↓ n ⇔ h ~a, S, e i↓ n . We now give a converse of Proposition 5.7, under the assumption that only affineobservations are used. The proof is the technically most involved result in the paper.
Proposition 5.10.
Suppose that O only contains affine observations. For any type τ ∈ Typ , suppose we are given closed, well-typed atom binding values ∅ ⊢ w « a » v : τ bnd and ∅ ⊢ w « a ′ » v ′ : τ bnd . Then for all atoms a ′′ / ∈ w we have ⊢ w « a » v ∼ = « a ′ » v ′ : τ bnd (5.7) implies ⊢ w ∪{ a ′′ } v { a ′′ /a } ∼ = v ′ { a ′′ /a ′ } : τ . (5.8) Proof.
Suppose (5.7) holds and that a ′′ / ∈ w . To prove (5.8) we have to show for any w ′ ∈ World , ~a ∈ State and τ ′ ∈ Typ with atom( ~a ) = w ′ ⊇ w ∪ { a ′′ } and ∅ ⊢ w ′ S : τ → τ ′ that h ~a, S, v { a ′′ /a }i↓ ⇔ h ~a, S, v ′ { a ′′ /a ′ }i↓ . (5.9)Since a ′′ ∈ atom( ~a ) , we have ~a = ~a ′ < a ′′ < a < · · · < a n − (5.10)for some state ~a ′ and atoms a , . . . , a n − ( n ≥ ). Choose distinct atoms b , . . . , b n − notoccurring in w ′ and consider the frame stack S ′ , Id ◦ ( z. let « x » y = z inlet « x » y = « b » y in ... let « x n − » y n = « b n − » y n − in S { x, x , . . . , x n − /a ′′ , a . . . , a n − } [ y n ]) (5.11)where z, x, x , . . . , x n − , y , . . . , y n are distinct variables not occurring in S . Here we haveused the notation “ let « x » x = e in e ′ ” from Figure 3, the notation “ S [ e ] ” from (4.3) andthe operation ( − ) { x/a } of replacing an atom a by a variable x .Since atom( S ) ⊆ w ′ = atom( ~a ) , by definition of S ′ and from (5.10) we have atom( S ′ ) ⊆ atom( ~b ′ ) where ~b ′ , b < · · · < b n − < ~a ′ . (5.12)Let π ∈ P be the permutation swapping each a i with b i (for i = 0 ..n − ). Since a ′′ / ∈ w ⊇ atom( a, v ) , by definition of ~b ′ we have atom( π · « a » v ) ⊆ atom( ~b ′ ) . Therefore the configura-tion h ~b ′ , S ′ , π · « a » v i satisfies the well-formedness condition needed to apply Corollary 3.3.Noting that π · ( « a » v ) = « π ( a ) » ( π · v ) and that π · ( v { a ′′ /a } ) = ( π · v ) { π ( a ′′ ) /π ( a ) } =( π · v ) { a ′′ /π ( a ) } , from that corollary, property (4.2) and the definition of S ′ we get: h ~b ′ , S ′ , π · ( « a » v ) i↓ ⇔h ~b ′ < a ′′ < a < · · · < a n − , S, ( π · ( v { a ′′ /a } )) { a , . . . , a n − /b , . . . , b n − }i↓ . Note that by definition of π ( π · ( v { a ′′ /a } )) { a , . . . , a n − /b , . . . , b n − } = (( v { a ′′ /a } ) { b , . . . , b n − /a , . . . , a n − } ) { a , . . . , a n − /b , . . . , b n − } = v { a ′′ /a } ; ENERATIVE UNBINDING OF NAMES 21 and ~b ′ < a ′′ < a < · · · < a n − = b < · · · < b n − < ~a by (5.10) and (5.12). So altogether wehave h ~b ′ , S ′ , π · « a » v i↓ ⇔ h b < · · · < b n − < ~a, S, v { a ′′ /a }i↓ . (5.13)A similar argument gives h ~b ′ , S ′ , π · « a ′ » v ′ i↓ ⇔ h b < · · · < b n − < ~a, S, v ′ { a ′′ /a ′ }i↓ . (5.14)We noted in Theorem 4.4 that operational equivalence is equivariant. So from (5.7) we have ⊢ atom( ~b ′ ) π · « a » v ∼ = π · « a ′ » v ′ : τ bnd . Since ∅ ⊢ atom( ~b ′ ) S ′ : τ bnd → τ ′ , this operationalequivalence gives h ~b ′ , S ′ , π · « a » v i↓ ⇔ h ~b ′ , S ′ , π · « a ′ » v ′ i↓ . Combining this with (5.13) and (5.14) yields h b < · · · < b n − < ~a, S, v { a ′′ /a }i↓ ⇔ h b < · · · < b n − < ~a, S, v ′ { a ′′ /a ′ }i↓ . (5.15)Since b , . . . , b n − / ∈ w ′ = atom( ~a ) ⊇ atom( S, a ′′ , v, v ′ ) and O only contains affine observa-tions, we can now apply Lemma 5.9 to (5.15) to get (5.9), as required. Example 5.11.
We conjecture that Proposition 5.10 fails to hold if we drop the requirementthat observations are affine (but still require them to be equivariant). For example considerthe equivariant but non-affine observation ord in Figure 7 and the values v , fun( f x = f x ) v ′ , fun( f x = match ord a with (Zero → () | Succ y → v ())) where a is some atom. We claim that ⊢ { a } « a » v ∼ = « a » v ′ : (unit → unit)bnd (5.16)but that for any a ′ = a ⊢ { a,a ′ } v { a ′ /a } 6∼ = v ′ { a ′ /a } : unit → unit . (5.17)The operational inequivalence (5.17) is witnessed by the state ~a , [ a ′ , a ] and the framestack S , Id ◦ ( x. x unit) , for which one has h ~a, S, v ′ { a ′ /a }i↓ , but not h ~a, S, v { a ′ /a }i↓ . Atthe moment we lack a formal proof of the operational equivalence (5.16), but the intuitivejustification for it is as follows. For any state ~a containing a and any frame stack S , weclaim that in any sequence of transitions from h ~a, S, « a » v ′ i the occurrence of ord a in v ′ canonly be renamed to ord a ′ for atoms a ′ at positions strictly greater than in the currentstate; and hence h ~a, S, « a » v ′ i has the same termination properties as h ~a, S, « a » v i . Proof of Theorem 5.3.
One proves that ⊢ w v = α v ′ : σ implies ⊢ w v ∼ = v ′ : σ by inductionon the the rules defining α -equivalence in Figure 9, using Propositions 5.6 and 5.7.To prove the converse implication, first note that if ∅ ⊢ v : σ , then v contains noinstances of observations obs ∈ O . The proof of this is by induction on the structureof the nominal arity σ ; the only way observations on atoms can appear in values of thelanguage is via function values, fun( f x = e ) , and the definition of “nominal arity” excludesfunction types. It follows from the definition of operational equivalence in Definition 4.1that if ⊢ w v ∼ = v ′ : σ holds for a language with observation set O , it also holds for thesub-language with minimal observation set { eq } . Thus it suffices to prove the implication ⊢ w v ∼ = v ′ : σ ⇒ ⊢ w v = α v ′ : σ for this minimal sub-language; and this can be done byinduction on the structure of σ using Propositions 5.6 and 5.10 (the latter applies because eq is affine). Related and Further Work
Correctness of Representation.
It is instructive to compare the Correctness ofRepresentation property of FreshML (Theorem 5.3) with adequacy results for type-theoreticlogical frameworks [Pfe01]. Both are concerned with the representation of expressions ofsome object-language in a meta-language. For logical frameworks the main issue is surjec-tivity: one wants every expression at the meta-level to be convertible to a normal form andfor every normal form at certain types to be the representation of some object-level expres-sion. The fact that α -equivalence of object-level expressions is preserved and reflected bythe representation is a simple matter, because equivalence in the logical framework is takento be αβη -conversion, which specialises on normal forms to just α -equivalence. Contrastthis with the situation for FreshML where surjectivity of the representation is straightfor-ward, because values of the relevant FreshML data types are just first order abstract syntaxtrees; whereas the fact that α -equivalence of object-level expressions is preserved and re-flected by the representation in FreshML is a non-trivial property. This is because we takeequivalence of FreshML expressions to be contextual equivalence. This is the natural notionof equivalence from a programming point of view, but its properties are hard won.One aspect of adequacy results for logical frameworks highlighted in [Pfe01] is com-positionality of representations. Although important, this issue is somewhat orthogonalto our concerns here. It refers to the question of whether substitution of expressions forvariables at the object-level is represented by β -conversion at the meta-level. From thepoint of view of nominal signatures [Pit06], variables are just one kind of name. Propertiesof α -conversion of all kinds of names are treated by the theory; but if one wants notionsof substitution and β -conversion for a particular kind of name, one has to give a defini-tion (an “ α -structural” recursive definition [Pit06]). For example in FreshML, using thedata type (1.1) for λ -terms one can give an appealingly simple declaration for a function subst : term → atm → term → term for capture-avoiding substitution; see [SPG03, p. 264].Compositionality of the representation t p t q given in the introduction then becomesthe contextual equivalence ⊢ w p t [ t /a ] q ∼ = subst p t q a p t q : term . The CIU theorem(Theorem 4.4) provides the basis for proving such contextual equivalences. (We believethis particular equivalence is valid when O = { eq , lt } , but not when O = { eq , card } ; seeSection 7.)6.2. Concrete Semantics.
We have explored some of the consequences of adding integer-valued “observations on atoms” to FreshML over and above the usual test for equality. Suchfunctions allow more efficient data structures to be used for algorithms involving atoms askeys. For example, binary search trees making use of the comparison function lt fromFigure 7 could be used instead of association lists.What about adding functions from numbers to atoms? An implementation of thelanguage may well represent atoms by numbers, via some fixed enumeration of the set ofatoms, α : N ∼ = A . Can we give the programmer access to this bijection? Less radically,can we allow operations on atoms that make use of arithmetic properties of the underlyingrepresentation? Not without breaking the invariant atom( S, e ) ⊆ atom( ~a ) of configurations h ~a, S, e i —the property of our operational semantics that ensures that an atom’s freshnesswith respect to the current state really does mean that it is different from all other atomsin the current context. For example, suppose we add to the language an operation suc : ENERATIVE UNBINDING OF NAMES 23 atm → atm whose meaning is “successor function on atoms”, with transitions h ~a, S, suc a i −→h ~a, S, a ′ i whenever a = α ( n ) and a ′ = α ( n + 1) for some n ∈ N . Then it may well be thecase that a ′ / ∈ atom( ~a ) even though a ∈ atom( ~a ) .So exposing the numerical representation of atoms involves giving up the invariant prop-erties of the abstract semantics we have used here. Perhaps a more interesting alternative toactually exposing numerical representations of atoms would be to prove contextual equiva-lence of efficient and naive implementations of the abstract semantics extended with typesof finite maps on atoms. Such abstract types form an addition to the signature in Figure 1different from the kind we have considered here, but certainly one worthy of investigation.6.3. Mechanising Meta-Theory.
The techniques we used here to prove the Correctnessof Representation property are operationally based, in contrast to the denotational tech-niques used in [Shi05a, SP05b]. The advantage of working directly with the syntax andoperational semantics of the language is that there are lower mathematical “overheads”—various kinds of induction being the main techniques involved. The disadvantage is thatto deploy such inductive techniques often involves great ingenuity choosing inductive hy-potheses and much error prone tedium checking induction steps. Furthermore, with thesemethods it seems harder to predict the effect that a slight change in language or formalisa-tion may have on a proof. Although ingenuity in choosing inductive hypotheses may alwaysbe the preserve of humans, machine assistance of the kind envisaged by the “POPLmarkchallenge” [ABF +
05] seems a very good idea for the other aspects of the operationallybased approach. The main results presented here are still a challenging target for fullyformalised and machine checked proofs. We have taken some care with the formalisation(using a “relational” approach to contextual equivalence, for example); but results con-cerning coinductive equivalences, like the CIU theorem (Theorem 4.4), are quite complexlogically speaking, compared with the kind of type safety results (like Theorem 2.4) thatPOPLMark has focused on so far. Systems like Isabelle/HOL [NPW02] that develop proofsin full classical higher order logic seem appropriate to the task, in principle. But there is agap between what is possible in principle for an expert of any particular system and whatis currently practicable for a casual user. Urban and Berghofer [UB06] are developing a
Nominal Data Type Package for Isabelle/HOL that may be very useful for narrowing thisgap. The fact that FreshML and the Urban-Berghofer package both have to do with thesame mathematical universe of “nominal sets” [Pit06] is perhaps slightly confusing: theirNominal Data Type Package is useful for fully formalising proofs about names and name-binding in operational semantics whether or not those proofs have to do with the particularmechanism of generative unbinding that is the focus of this paper.7.
Conclusion
The FreshML [SPG03, Shi05b] approach to functional programming with binders com-bines abstract types for names and name binding with an unbinding operation that involvesgeneration of fresh names. In this paper we have studied some theoretical properties of thisdesign to do with data correctness. We showed that the addition of integer valued ob-servations on names does not break FreshML’s fundamental Correctness of Representationproperty that α -equivalence classes of abstract syntax trees (for any nominal signature)coincide with contextual equivalence classes of user declared data values. In particular, itis possible to give programmers access to a linear order on names without breaking the “up to α -equivalence” representation of syntax. The simple insight behind this possibly sur-prising result has to do with the fact that FreshML is impure—program execution mutatesthe state of dynamically created names. If the state is taken into account when giving themeaning of observations on names, then the permutation invariance properties that underlythe correctness property can be retained. The original version of FreshML [PG00] was pureby dint of the “freshness inference” included in its type system. Subsequent experiencewith the language showed that the form of freshness inference that was used there wasoverly restrictive from a programming point of view. So freshness inference was dropped in[SPG03]. However, Pottier [Pot07] has recently regained purity in a FreshML-like languagethrough the use of user-provided assertions. We have not investigated whether results likethose presented in this paper also apply to Pottier’s language.This paper has been concerned with data correctness, but what about general resultson program correctness ? The only restriction we placed on observations on atoms is that,as functions of both the state and the names they operate upon, they should be invariantunder permuting names. We have seen that the Correctness of Representation property(Theorem 5.3) remains valid in the presence of any such observation. However, we arecertainly not advocating that arbitrary equivariant observations be added to FreshML.This is because some forms of observation may radically affect the general programminglaws that contextual equivalence satisfies. We saw one example of this here: only for“affine” observations (which are insensitive to how many names have been created beforethe arguments to which they are applied) were we able to combine Propositions 5.7 and 5.10to get an “extensionality” result explaining contextual equivalence at type τ bnd in termsof contextual equivalence at τ , for arbitrary higher types τ .More investigation of program correctness properties in the presence of particular ob-servations on atoms is needed before one can advocate adding them to the FreshML design.The techniques we used in this paper could form the basis for such an investigation. Theycombine the usual engine of structural operational semantics—namely syntax-directed, rulebased induction—with the approach to freshness of names based on name permutationsthat was introduced in [GP01] and developed in [Pit03, UN05, Pit06]. Acknowledgement.
The authors are grateful for the suggestions for improvement made by the anonymousreferees.
References [ABF +
05] B. E. Aydemir, A. Bohannon, M. Fairbairn, J. N. Foster, B. C. Pierce, P. Sewell, D. Vytinio-tis, G. Washburn, S. Weirich, and S. Zdancewic. Mechanised metatheory for the masses: ThePOPLmark challenge. In J. Hurd and T. Melham, editors, , volume 3603 of
Lecture Notes in ComputerScience , pages 50–65. Springer-Verlag, 2005. .[BL05] P. N. Benton and X. Leroy, editors.
ACM SIGPLAN Workshop on ML (ML 2005), Tallinn,Estonia , Electronic Notes in Theoretical Computer Science. Elsevier, September 2005.[Che05] J. Cheney. Scrap your nameplate (functional pearl). In
Tenth ACM SIGPLAN InternationalConference on Functional Programming (ICFP’05), Tallinn, Estonia , pages 180–191. ACMPress, September 2005.[FH92] M. Felleisen and R. Hieb. The revised report on the syntactic theories of sequential control andstate.
Theoretical Computer Science , 103:235–271, 1992.
ENERATIVE UNBINDING OF NAMES 25 [FSDF93] C. Flanagan, A. Sabry, B. F. Duba, and M. Felleisen. The essence of compiling with con-tinuations. In
Proceedings ACM SIGPLAN Conference on Programming Language Design andImplementation, PLDI’93, Albuquerque, NM, USA , pages 237–247. ACM Press, June 1993.[Gor98] A. D. Gordon. Operational equivalences for untyped and polymorphic object calculi. In Gordonand Pitts [GP98], pages 9–54.[GP98] A. D. Gordon and A. M. Pitts, editors.
Higher Order Operational Techniques in Semantics .Publications of the Newton Institute. Cambridge University Press, 1998.[GP01] M. J. Gabbay and A. M. Pitts. A new approach to abstract syntax with variable binding.
FormalAspects of Computing , 13:341–363, 2001.[Gun92] C. A. Gunter.
Semantics of Programming Languages: Structures and Techniques . Foundationsof Computing. MIT Press, 1992.[How96] D. J. Howe. Proving congruence of bisimulation in functional programming languages.
Informa-tion and Computation , 124(2):103–112, 1996.[Las98] S. B. Lassen. Relational reasoning about contexts. In Gordon and Pitts [GP98], pages 91–135.[MT91] I. A. Mason and C. L. Talcott. Equivalence in functional languages with effects.
Journal ofFunctional Programming , 1:287–327, 1991.[MTHM97] R. Milner, M. Tofte, R. Harper, and D. MacQueen.
The Definition of Standard ML (Revised) .MIT Press, 1997.[NPW02] T. Nipkow, L. C. Paulson, and M. Wenzel.
Isabelle/HOL—A Proof Assistant for Higher-OrderLogic , volume 2283 of
Lecture Notes in Computer Science . Springer-Verlag, 2002.[Pfe01] F. Pfenning. Logical frameworks. In A. Robinson and A. Voronkov, editors,
Handbook of Auto-mated Reasoning , chapter 17, pages 1063–1147. Elsevier Science and MIT Press, 2001.[PG00] A. M. Pitts and M. J. Gabbay. A metalanguage for programming with bound names modulorenaming. In R. Backhouse and J. N. Oliveira, editors,
Mathematics of Program Construction.5th International Conference, MPC2000, Ponte de Lima, Portugal, July 2000. Proceedings ,volume 1837 of
Lecture Notes in Computer Science , pages 230–255. Springer-Verlag, Heidelberg,2000.[Pit02] A. M. Pitts. Operational semantics and program equivalence. In G. Barthe, P. Dybjer, andJ. Saraiva, editors,
Applied Semantics, Advanced Lectures , volume 2395 of
Lecture Notes in Com-puter Science, Tutorial , pages 378–412. Springer-Verlag, 2002. International Summer School,APPSEM 2000, Caminha, Portugal, September 9–15, 2000.[Pit03] A. M. Pitts. Nominal logic, a first order theory of names and binding.
Information and Compu-tation , 186:165–193, 2003.[Pit05] A. M. Pitts. Typed operational reasoning. In B. C. Pierce, editor,
Advanced Topics in Typesand Programming Languages , chapter 7, pages 245–289. The MIT Press, 2005.[Pit06] A. M. Pitts. Alpha-structural recursion and induction.
Journal of the ACM , 53(3):459–506, 2006.[Pot05] F. Pottier. An overview of C α ml. In Benton and Leroy [BL05], pages 27–52.[Pot07] F. Pottier. Static name control for FreshML. In Twenty-Second Annual IEEE Symposium onLogic In Computer Science (LICS’07) , pages 356–365, Wroclaw, Poland, July 2007. IEEE Com-puter Society Press.[PS07] A. M. Pitts and M. R. Shinwell. Generative unbinding of names. In ,pages 85–95. ACM Press, January 2007.[Shi05a] M. R. Shinwell.
The Fresh Approach: Functional Programming with Names and Binders . PhDthesis, University of Cambridge Computer Laboratory, 2005. Available as University of Cam-bridge Computer Laboratory Technical Report UCAM-CL-TR-618.[Shi05b] M. R. Shinwell. Fresh O’Caml: Nominal abstract syntax for the masses. In Benton and Leroy[BL05], pages 53–76.[SP05a] M. R. Shinwell and A. M. Pitts. Fresh Objective Caml user manual. Technical Report UCAM-CL-TR-621, University of Cambridge Computer Laboratory, February 2005.[SP05b] M. R. Shinwell and A. M. Pitts. On a monadic semantics for freshness.
Theoretical ComputerScience , 342:28–55, 2005.[SPG03] M. R. Shinwell, A. M. Pitts, and M. J. Gabbay. FreshML: Programming with binders madesimple. In
Eighth ACM SIGPLAN International Conference on Functional Programming (ICFP2003), Uppsala, Sweden , pages 263–274. ACM Press, August 2003. [UB06] C. Urban and S. Berghofer. A recursion combinator for nominal datatypes implemented inIsabelle/HOL. In , volume 4130 of
Lecture Notes in Computer Science , pages 498–512. Springer-Verlag, 2006.[UN05] C. Urban and M. Norrish. A formal treatment of the Barendregt Variable Convention in ruleinductions. In
Proceedings of the 3rd ACM SIGPLAN Workshop on Mechanized Reasoning aboutLanguages with Variable Binding (MERLIN ’05), Tallinn, Estonia , pages 25–32. ACM Press,2005.[UPG04] C. Urban, A. M. Pitts, and M. J. Gabbay. Nominal unification.
Theoretical Computer Science ,323:473–497, 2004.
Appendix A. Proof of Theorem 4.4
We wish to show that the expression relation ∼ = ◦ of Definition 4.3 is compatible andsubstitutive (see Definition 4.2). We use an adaptation of “Howe’s method” [How96] to doso. Let the expression relation ∼ = ∗ be inductively defined from ∼ = ◦ by the rule Γ ⊢ w e c ∼ = ∗ e ′ : τ Γ ⊢ w e ′ ∼ = ◦ e ′′ : τ Γ ⊢ w e ∼ = ∗ e ′′ : τ . (A.1)In making this inductive definition, we are implicitly relying upon the easily proved factthat compatible refinement, E 7→ b E , is a monotone operation on expression relations, thatis, E ⊆ E ⇒ b E ⊆ b E . Lemma A.1. (i) Γ ⊢ w e ∼ = ∗ e ′ : τ ∧ Γ ⊢ w e ′ ∼ = ◦ e ′′ : τ ⇒ Γ ⊢ w e ∼ = ∗ e ′′ : τ . (ii) ∼ = ∗ is compatible and substitutive. (iii) atom( e ) ⊆ w ∧ Γ ⊢ e : τ ⇒ Γ ⊢ w e ∼ = ∗ e : τ . (iv) atom( S ) ⊆ w ∧ Γ ⊢ S : τ → τ ′ ⇒ Γ ⊢ w S c ∼ = ∗ S : τ → τ ′ . (v) Γ ⊢ w v ∼ = ∗ e ′ : τ ⇒ ∃ v ′ . Γ ⊢ w v ∼ = ∗ v ′ : τ ∧ Γ ⊢ w v ′ ∼ = ◦ e ′ : τ .Proof. These properties of ∼ = ∗ are simple consequences of its definition and the definitionof the extension of compatible refinement to a relation between frame stacks given by thelast two rules in Figure 8. Lemma A.2. (i) ∼ = ∗ is equivariant. (ii) Γ ⊢ w e ∼ = ∗ e ′ : τ ∧ w ⊆ w ′ ⇒ Γ ⊢ w ′ e ∼ = ∗ e ′ : τ . (iii) Γ ⊢ w S c ∼ = ∗ S ′ : τ → τ ′ ∧ w ⊆ w ′ ⇒ Γ ⊢ w ′ S c ∼ = ∗ S ′ : τ → τ ′ .Proof. Part (i) follows from the fact that ∼ = ◦ is equivariant, which in turn is a consequenceof Lemma 3.2. Parts (ii) and (iii) are consequences of the fact that world weakening is builtinto the definition of operational equivalence in Definition 4.1. Lemma A.3. Γ ⊢ w e ∼ = ◦ e ′ : τ ⇒ Γ ⊢ w e ∼ = ∗ e ′ : τ .Proof. If Γ ⊢ w e ∼ = ◦ e ′ : τ , then in particular atom( e ) ⊆ w and Γ ⊢ e : τ , so that byLemma A.1(iii) we have Γ ⊢ w e ∼ = ∗ e : τ ; so from part (i) of that lemma we get Γ ⊢ w e ∼ = ∗ e ′ : τ . ENERATIVE UNBINDING OF NAMES 27
We wish to show that ∼ = ∗ coincides with ∼ = ◦ . In view of the previous lemma, it justremains to show that ∼ = ∗ ⊆ ∼ = ◦ . Lemma A.5 provides the key to this. Before stating thatlemma we give some simple properties of ∼ = that are needed to prove it. Lemma A.4. (i) ⊢ w a ∼ = a ′ : atm ⇒ a = a ′ . (ii) ⊢ w v ∼ = v ′ : τ bnd ⇒ ⊢ w unbind v ∼ = unbind v ′ : atm ∗ τ . (iii) If ⊢ w v ∼ = v ′ : τ → τ , then for any world w ′ ⊇ w and value v with atom( v ) ⊆ w ′ and ⊢ v : τ , it is the case that ⊢ w ′ v v ∼ = v ′ v : τ .Proof. For part (i) we make use of the fact that O always contains the atom equality function eq from Figure 7. Consider the frame stack S a , Id ◦ ( x. let y = eq x a inmatch y with (Zero → () | Succ z → diverge)) . If a = a ′ are distinct elements of w , then choosing some ~a ∈ State with atom( ~a ) = w , it is nothard to see that h ~a, S a , a i↓ holds whereas h ~a, S a , a ′ i↓ does not hold. So if ⊢ w a ∼ = a ′ : atm it cannot be the case that a = a ′ .For part (ii), given any ~a , S and τ ′ with w ∪ atom( S ) ⊆ atom( ~a ) and ∅ ⊢ S : τ → τ ′ ,then h ~a, S, unbind v i↓ ⇔ h ~a, S ◦ ( x. unbind x ) , v i↓ by definition of ↓⇔ h ~a, S ◦ ( x. unbind x ) , v ′ i↓ since ⊢ w v ∼ = v ′ : τ bnd ⇔ h ~a, S, unbind v ′ i↓ by definition of ↓ and thus ⊢ w unbind v ∼ = unbind v ′ : atm ∗ τ .The proof of part (iii) is similar to that for (ii), using the frame ( x. x v ) in place of ( x. unbind x ) . Lemma A.5.
For all n ≥ and all w, S, S ′ , τ, τ ′ , e, e ′ , ~a ∅ ⊢ w S c ∼ = ∗ S ′ : τ → τ ′ ∧ ∅ ⊢ w e ∼ = ∗ e ′ : τ ∧ atom( ~a ) = w ∧ h ~a, S, e i↓ n ⇒ h ~a, S ′ , e ′ i↓ . (A.2) Proof.
The lemma is proved by induction on n . The base case n = 0 follows from thedefinition of b − (which implies that ∅ ⊢ w Id c ∼ = ∗ S ′ : τ → τ ′ can only hold when S ′ = Id ),combined with Lemma A.1(v) and the definition of ∼ = ◦ . For the induction step, assume(A.2) holds and that ∅ ⊢ w S c ∼ = ∗ S ′ : τ → τ ′ (A.3) ∅ ⊢ w e ∼ = ∗ e ′ : τ (A.4) atom( ~a ) = w (A.5) h ~a, S, e i −→ h ~a , S , e i (A.6) h ~a , S , e i↓ n (A.7)We have to prove h ~a, S ′ , e ′ i↓ and do so by an analysis of (A.6) against the possible cases1–9 in the definition of the transition relation in Figure 5. Case 1.
In this case S = S ◦ ( x. e ) , e = v ∈ Val , ~a = ~a , and e = e [ v/x ] , for some e and v . For (A.3) to hold, by definition of c ∼ = ∗ it must be the case that S ′ = S ′ ◦ ( x. e ′ ) forsome S ′ and e ′ with { x : τ } ⊢ w e ∼ = ∗ e ′ : τ (A.8) ∅ ⊢ w S c ∼ = ∗ S ′ : τ → τ ′ (A.9)for some type τ . Since e = v is a value, applying Lemma A.1(v) to (A.4) we get ∅ ⊢ w v ∼ = ∗ v ′ : τ (A.10) ⊢ w v ′ ∼ = e ′ : τ (A.11)for some v ′ ∈ Val . Since ∼ = ∗ is substitutive (Lemma A.1(ii)), from (A.8) and (A.10) we get ∅ ⊢ w e [ v/x ] ∼ = ∗ e ′ [ v ′ /x ] : τ . (A.12)Applying the induction hypothesis (A.2) to (A.9), (A.12), (A.5) and to (A.7), we get h ~a, S ′ , e ′ [ v ′ /x ] i↓ ; hence h ~a, S ′ ◦ ( x.e ′ ) , v ′ i↓ , that is, h ~a, S ′ , v ′ i↓ ; and therefore by (A.11)we also have h ~a, S ′ , e ′ i↓ , as required. Case 2.
In this case we have e = let x = e in e , ~a = ~a and S = S ◦ ( x. e ) for some e .Since (A.4) holds, by definition of ∼ = ∗ , there must exist some e ′ , e ′ and τ with ∅ ⊢ w e ∼ = ∗ e ′ : τ (A.13) { x : τ } ⊢ w e ∼ = ∗ e ′ : τ (A.14) ⊢ w (let x = e ′ in e ′ ) ∼ = e ′ : τ (A.15)and then from (A.3) and (A.14) we get ∅ ⊢ w S ◦ ( x. e ) c ∼ = ∗ S ′ ◦ ( x. e ′ ) : τ → τ ′ . (A.16)The induction hypothesis (A.2) applied to (A.16), (A.13) and (A.5) gives h ~a, S ′ ◦ ( x. e ′ ) , e ′ i↓ and hence h ~a, S ′ , let x = e ′ in e ′ i↓ . This and (A.15) then give h ~a, S ′ , e ′ i↓ , as required. Case 3.
This follows from the definition of ∼ = ∗ using its substitutivity property, much asfor case 1. Case 4.
In this case τ = τ ∗ τ , e = ( v , v ) , ~a = ~a and e = v , for some τ , τ ∈ Typ and v , v ∈ Val . By definition of c ∼ = ∗ , for (A.4) to hold it must be the case that ∅ ⊢ w v i ∼ = ∗ v ′ i : τ i (for i = 1 , ) (A.17) ⊢ w ( v ′ , v ′ ) ∼ = e ′ : τ ∗ τ (A.18)for some v ′ and v ′ . By the induction hypothesis (A.2) applied to (A.3), (A.17), (A.5)and (A.7), we get h ~a, S ′ , v ′ i↓ and hence also h ~a, S ′ , fst( v ′ , v ′ ) i↓ . Hence by (A.18) we have h ~a, S ′ , e ′ i↓ , as required. Case 5.
This is similar to the previous case.
ENERATIVE UNBINDING OF NAMES 29
Case 6.
In this case e = v v , ~a = ~a , S = S and e = e [ v , v /f, x ] for some v =fun( f x = e ) and v . Since (A.4) holds, by definition of ∼ = ∗ together with Lemma A.4(iii),there must exist some e ′ , v ′ and τ with { f : τ → τ, x : τ } ⊢ w e ∼ = ∗ e ′ : τ (A.19) ∅ ⊢ w v ∼ = ∗ v ′ : τ (A.20) ⊢ w fun( f x = e ′ ) v ′ ∼ = e ′ : τ → τ . (A.21)Since ∼ = ∗ is compatible (Lemma A.1(ii)), from (A.19) we get ∅ ⊢ w v ∼ = ∗ fun( f x = e ′ ) : τ → τ ; and since ∼ = ∗ is also substitutive, this together with (A.19) and (A.20) gives ∅ ⊢ w e [ v , v /f, x ] ∼ = ∗ e ′ [fun( f x = e ′ ) , v ′ /f, x ] : τ . Therefore by the induction hypothesis (A.2)applied to (A.3), this, (A.5) and (A.7), we get h ~a, S ′ , e ′ [fun( f x = e ′ ) , v ′ /f, x ] i↓ . Hence h ~a, S ′ , fun( f x = e ′ ) v ′ i↓ and thus by (A.21), h ~a, S ′ , e ′ i↓ as required. Case 7.
In this case τ = atm , e = fresh() , ~a = ~a < a , S = S and e = a , for some a / ∈ atom( ~a ) = w . Since (A.4) holds, by definition of ∼ = ∗ we have ⊢ w fresh() ∼ = e ′ : atm . (A.22)By Lemma A.2(iii) applied to (A.3), we have ∅ ⊢ w ∪{ a } S c ∼ = ∗ S ′ : atm → τ ′ ; and byLemma A.1(iii) we also have ∅ ⊢ w ∪{ a } a ∼ = ∗ a : atm . So by the induction hypothesis(A.2) applied to these, atom( ~a < a ) = w ∪ { a } and (A.7), we get h ~a < a, S ′ , a i↓ . Hence h ~a, S ′ , fresh i↓ and hence from (A.22) we also have h ~a, S ′ , e ′ i↓ , as required. Case 8.
In this case τ = atm ∗ τ , e = unbind « a » v , ~a = ~a < a , S = S , and e =( a , v { a /a } ) , for some τ , a , v and a with a / ∈ atom( ~a ) = w . Since (A.4) holds, bydefinition of ∼ = ∗ together with parts (i) and (ii) of Lemma A.4, there must exist some v ′ with ∅ ⊢ w v ∼ = ∗ v ′ : τ (A.23) ⊢ w unbind « a » v ′ ∼ = e ′ : atm ∗ τ . (A.24)We now appeal to the easily verified fact that since a / ∈ w ⊇ atom( v, v ′ ) , the renamedvalues v { a /a } and v ′ { a /a } are respectively equal to the permuted values ( a a ) · v and ( a a ) · v ′ (where ( a a ) denotes the permutation swapping a and a ′ ). Therefore by parts (i)and (ii) of Lemma A.2 applied to (A.23) and by parts (ii) and (iii) of Lemma A.1, we have ∅ ⊢ w ∪{ a } ( a , v { a /a } ) ∼ = ∗ ( a , v ′ { a /a } ) : atm ∗ τ . (A.25)By applying Lemma A.2(iii) to (A.3) we also have ∅ ⊢ w ∪{ a } S c ∼ = ∗ S ′ : atm ∗ τ → τ ′ . Then applying the induction hypothesis (A.2) to this, (A.25), atom( ~a < a ) = w ∪ { a } and (A.7) yields h ~a < a , S ′ , ( a , v ′ { a /a } ) i↓ . Therefore h ~a, S ′ , unbind « a » v ′ i↓ ; and henceby (A.24), we also have h ~a, S ′ , e ′ i↓ , as required. Case 9.
In this case τ = nat , e = obs a . . . a k for some a , . . . , a k ∈ w , ~a = ~a , S = S ,and e = p m q where m = J obs K ~a ( a , . . . , a k ) . Since (A.4) holds, by definition of ∼ = ∗ togetherwith Lemma A.4(i), we must have ⊢ w obs a . . . a k ∼ = e ′ : nat . (A.26)Note that by Lemma A.1(iii) we also have ∅ ⊢ w p m q ∼ = ∗ p m q : nat . So by the inductionhypothesis (A.2) applied to this, (A.3), (A.5) and (A.7) we get h ~a, S ′ , p m q i↓ . Since m = J obs K ~a ( a , . . . , a k ) , this implies that h ~a, S ′ , obs a . . . a k i↓ ; and hence from (A.26) we havethat h ~a, S ′ , e ′ i↓ holds, as required.This completes the proof of Lemma A.5. Lemma A.6.
Let ( ∼ = ∗ ) + denote the transitive closure of ∼ = ∗ . Then Γ ⊢ w e ∼ = ∗ e ′ : τ ⇒ Γ ⊢ w e ′ ( ∼ = ∗ ) + e : τ . Proof.
This can be proved by induction on the derivation of Γ ⊢ w e ∼ = ∗ e ′ : τ from therule in (A.1) and the rules for compatible refinement in Figure 8, using the fact that ∼ = ◦ issymmetric and using Lemmas A.3 and A.1(iii).We can now complete the proof of Theorem 4.4 by showing that ∼ = ◦ is compatible andsubstitutive (Definition 4.2). Since ∼ = ∗ has those properties by Lemma A.1(ii), it sufficesto show that ∼ = ◦ coincides with ∼ = ∗ . We already noted in Lemma A.3 that ∼ = ◦ is containedin ∼ = ∗ . For the reverse inclusion, since ∼ = ∗ is substitutive and reflexive (Lemma A.1), it isclosed under substituting values for variables; so by Definition 4.3, it suffices to show that ∅ ⊢ w e ∼ = ∗ e ′ : τ ⇒ ⊢ w e ∼ = e ′ : τ . (A.27)To see this, note that by Lemma A.5 (together with Lemmas A.1(iv) and A.2(ii)) we have: ∅ ⊢ w e ∼ = ∗ e ′ : τ ⇒ ∀ ~a, S, τ ′ . w ∪ atom( S ) ⊆ atom( ~a ) ∧ ∅ ⊢ S : τ → τ ′ ∧ h ~a, S, e i↓⇒ h ~a, S, e ′ i↓ . (A.28)Since the right-hand side of the implication in (A.28) is a transitive relation between ex-pressions e, e ′ , we also have ∅ ⊢ w e ∼ = ∗ + e ′ : τ ⇒ ∀ ~a, S, τ ′ . w ∪ atom( S ) ⊆ atom( ~a ) ∧ ∅ ⊢ S : τ → τ ′ ∧ h ~a, S, e i↓⇒ h ~a, S, e ′ i↓ and therefore Lemma A.6 gives {} ⊢ w e ∼ = ∗ e ′ : τ ⇒ ∀ ~a, S, τ ′ . ( w ∪ atom( S ) ⊆ atom( ~a ) ∧ ∅ ⊢ S : τ → τ ′ ∧ h ~a, S, e ′ i↓⇒ h ~a, S, e i↓ . (A.29)Combining (A.28) and (A.29) gives (A.27). ENERATIVE UNBINDING OF NAMES 31
Appendix B. Proof of Proposition 5.7
Let E be the closure under compatible refinement (Figure 8) of the pairs of closed atombinding values that we wish to show are operationally equivalent. In other words E is theexpression relation inductively defined by the following two rules. a ′′ / ∈ w ⊆ atom( a, v, a ′ , v ′ ) ⊢ w ∪{ a ′′ } v { a ′′ /a } ∼ = v ′ { a ′′ /a ′ } : τ ∅ ⊢ w « a » v E « a ′ » v ′ : τ bnd Γ ⊢ w e b E e ′ : τ Γ ⊢ w e E e ′ : τ (B.1) Lemma B.1. (i) E is compatible and substitutive. (ii) atom( e ) ⊆ w ∧ Γ ⊢ e : τ ⇒ Γ ⊢ w e E e : τ . (iii) atom( S ) ⊆ w ∧ Γ ⊢ S : τ → τ ′ ⇒ Γ ⊢ w S b E S : τ → τ ′ . (iv) Γ ⊢ w v E e ′ : τ ⇒ e ′ ∈ Val .Proof.
These properties of E are simple consequences of its definition in (B.1), the definitionof compatible refinement in Figure 8, and the definition of its extension to a relation betweenframe stacks given by the last two rules in that figure. Lemma B.2. (i) E is equivariant. (ii) Γ ⊢ w e E e ′ : τ ∧ w ⊆ w ′ ⇒ Γ ⊢ w ′ e E e ′ : τ . (iii) Γ ⊢ w S b E S ′ : τ → τ ′ ∧ w ⊆ w ′ ⇒ Γ ⊢ w ′ S E S ′ : τ → τ ′ .Proof. This is the analogue of Lemma A.2 for E , and is proved in the same way as thatlemma. Lemma B.3.
For all n ≥ and all w, S, S ′ , τ, τ ′ , e, e ′ , ~a ∅ ⊢ w S b E S ′ : τ → τ ′ ∧ ∅ ⊢ w e E e ′ : τ ∧ atom( ~a ) = w ∧ h ~a, S, e i↓ n ⇒ h ~a, S ′ , e ′ i↓ . (B.2) Proof.
The lemma is proved by induction on n . The base case n = 0 follows directly fromLemma B.1(iii) and the definition of b E (which implies that {} ⊢ w Id b E S ′ : τ → τ ′ can onlyhold when S ′ = Id ). For the induction step, assume (B.2) holds and that ∅ ⊢ w S b E S ′ : τ → τ ′ (B.3) ∅ ⊢ w e E e ′ : τ (B.4) atom( ~a ) = w (B.5) h ~a, S, e i −→ h ~a , S , e i (B.6) h ~a , S , e i↓ n (B.7)We have to prove h ~a, S ′ , e ′ i↓ and do so by an analysis of (B.6) against the possible cases1–9 in the definition of the transition relation in Figure 5. Cases 1, 3 and 6 follow fromthe definition of E and its substitutivity property; we give the details for the first one andomit the other two. Cases 4, 5 and 9 also follow easily from the definition of E (usingLemma B.1(ii) in the third case). So we give the proofs just for cases 1, 2, 7 and 8. Case 1.
In this case S = S ◦ ( x. e ) , e = v ∈ Val , ~a = ~a , and e = e [ v/x ] , for some e and v . For (B.3) to hold, by definition of b E it must be the case that S ′ = S ′ ◦ ( x. e ′ ) forsome S ′ and e ′ with { x : τ } ⊢ w e E e ′ : τ (B.8) ∅ ⊢ w S b E S ′ : τ → τ ′ (B.9)for some type τ . Since e = v is a value, applying Lemma B.1(iv) to (B.4) we get e ′ = v ′ for some v ′ ∈ Val . So since b E is substitutive (Lemma B.1(i)), from (B.4) and (B.8) we get ∅ ⊢ w e [ v/x ] E e ′ [ v ′ /x ] : τ . (B.10)Applying the induction hypothesis (B.2) to (B.9), (B.10), (B.5) and to (B.7), we get h ~a, S ′ , e ′ [ v ′ /x ] i↓ ; hence h ~a, S ′ ◦ ( x.e ′ ) , v ′ i↓ , that is, h ~a, S ′ , e ′ i↓ , as required. Case 2.
In this case e = let x = e in e , ~a = ~a and S = S ◦ ( x. e ) for some e . For (B.4)to hold, by definition of b E it must be the case that e ′ = let x = e ′ in e ′ for some e ′ , e ′ and τ with {} ⊢ w e E e ′ : τ (B.11) { x : τ } ⊢ w e E e ′ : τ . (B.12)From (B.3) and (B.12) we get ∅ ⊢ w S ◦ ( x. e ) b E S ′ ◦ ( x. e ′ ) : τ → τ ′ ; and the inductionhypothesis (B.2) applied to this, (B.11), (B.5) and (B.7) gives h ~a, S ′ ◦ ( x. e ′ ) , e ′ i↓ . Hence h ~a, S ′ , let x = e ′ in e ′ i↓ , that is, h ~a, S ′ , e ′ i↓ , as required. Case 7.
In this case τ = atm , e = fresh() , ~a = ~a < a , S = S and e = a , for someatom a / ∈ w . For (B.4) to hold, by definition of E it must be the case that e ′ = fresh() .Now Lemma B.2(iii) applied to (B.3) gives ∅ ⊢ w ∪{ a } S b E S ′ : τ → τ ′ ; and Lemma B.1(ii)gives ∅ ⊢ w ∪{ a } a E a : atm . Applying the induction hypothesis (B.2) to these two facts, atom( ~a < a ) = w ∪ { a } and (B.7) gives h ~a < a, S ′ , a i↓ . Hence h ~a, S ′ , fresh() i↓ , that is, h ~a, S ′ , e ′ i↓ , as required. Case 8.
In this case τ = atm ∗ τ , e = unbind « a » v , ~a = ~a < a , S = S , and e =( a , v { a /a } ) , for some τ , a , v and a with a / ∈ w . For (B.4) to hold, by definition of E itmust be the case that e ′ = unbind « a ′ » v ′ witheither (a): a = a ′ ∧ ∅ ⊢ w v E v ′ : τ or (b): ∃ a ′′ / ∈ w. ⊢ w ∪{ a ′′ } v { a ′′ /a } ∼ = v ′ { a ′′ /a } : τ (B.13)If (B.13)(a) holds, then as in the proof of Lemma A.5 we now appeal to the easilyverified fact that since a / ∈ w ⊇ atom( v, v ′ ) , the renamed values v { a /a } and v ′ { a /a } arerespectively equal to the permuted values ( a a ) · v and ( a a ) · v ′ (where ( a a ) denotesthe permutation swapping a and a ′ ). Therefore from the fact that ∅ ⊢ w v E v ′ : τ holds,from parts (i) and (ii) of Lemma B.2 we get ∅ ⊢ w ∪{ a } v { a /a } E v ′ { a /a } : τ . Then since a = a ′ , by Lemma B.1(ii) we have ∅ ⊢ w ∪{ a } ( a , v { a /a } ) E ( a , v ′ { a /a ′ } ) : atm ∗ τ .Applying the induction hypothesis (B.2) to this, (B.3) (weakened using Lemma B.2(iii)), atom( ~a < a ) = w ∪ { a } and (B.7) yields h ~a < a , S ′ , ( a , v ′ { a /a } ) i↓ with a / ∈ atom( ~a ) .Therefore by definition of ↓ , we also have h ~a, S ′ , unbind « a ′ » v ′ i↓ . ENERATIVE UNBINDING OF NAMES 33
If (B.13)(b) holds, then by Theorem 4.4, so does ⊢ w ∪{ a ′′ } ( a ′′ , v { a ′′ /a } ) ∼ = ( a ′′ , v ′ { a ′′ /a } ) : atm ∗ τ (B.14)Lemma 3.2 applied to (B.7) with π = ( a a ′′ ) gives h ~a < a ′′ , S, ( a ′′ , v { a ′′ /a } ) i↓ n . Combiningthis with (B.3) (weakened using Lemma B.2(iii)), ∅ ⊢ w ∪{ a ′′ } ( a ′′ , v { a ′′ /a } ) E ( a ′′ , v { a ′′ /a } ) :atm ∗ τ (by Lemma B.1(ii)), atom( ~a < a ′′ ) = w ∪ { a ′′ } and the induction hypothesis (B.2),we get h ~a < a ′′ , S ′ , ( a ′′ , v { a ′′ /a } ) i↓ . Then by definition of ∼ = , from this and (B.14) we get h ~a < a ′′ , S ′ , ( a ′′ , v ′ { a ′′ /a } ) i↓ with a ′′ / ∈ ~a . Therefore as before, by definition of ↓ , we alsohave h ~a, S ′ , unbind « a ′ » v ′ i↓ .So in either case in (B.13), since e ′ = unbind « a ′ » v ′ , we get h ~a, S ′ , e ′ i↓ , as required.This completes the proof of Lemma B.3.We can now complete the proof of Proposition 5.7. For any type τ ∈ Typ , suppose weare given closed, well-typed atom binding values ∅ ⊢ « a » v : τ bnd and ∅ ⊢ « a ′ » v ′ : τ bnd with atom( a, v, a ′ , v ′ ) ⊆ w and satisfying ⊢ w ∪{ a ′′ } v { a ′′ /a } ∼ = v ′ { a ′′ /a ′ } : τ (B.15)for some atom a ′′ / ∈ w . By definition of E this implies ∅ ⊢ w « a » v E « a ′ » v ′ : τ bnd . (B.16)For any w ′ , ~a , S , and τ ′ with atom( ~a ) = w ′ ⊇ w ∪ atom( S ) and ∅ ⊢ S : τ → τ ′ , we have ∅ ⊢ w ′ S b E S : τ → τ ′ (B.17)by Lemma B.1(iii) and ∅ ⊢ w ′ « a » v E « a ′ » v ′ : τ bnd (B.18)by Lemma B.2(ii) applied to (B.16). So Lemma B.3 applied to (B.17), (B.18) and atom( ~a ) = w ′ , we have h ~a, S, « a » v i↓ ⇒ h ~a, S, « a ′ » v ′ i↓ . Since ∼ = is symmetric, the same argument shows that (B.15) implies h ~a, S, « a ′ » v ′ i↓ ⇒ h ~a, S, « a » v i↓ . Thus (B.15) implies that « a » v and « a ′ » v ′ are operationally equivalent, as required. This work is licensed under the Creative Commons Attribution-NoDerivs License. To viewa copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/http://creativecommons.org/licenses/by-nd/2.0/