Strong Call-by-Value is Reasonable, Implosively
Beniamino Accattoli, Andrea Condoluci, Claudio Sacerdoti Coen

Beniamino Accattoli
Inria & LIX, École Polytechnique, France. Email: [email protected]
Andrea Condoluci
Tweag I/O, France. Email: [email protected]
Claudio Sacerdoti Coen
University of Bologna, Italy. Email: [email protected]

Abstract
Whether the number of β-steps in the λ-calculus can be taken as a reasonable cost model (that is, polynomially related to the one of Turing machines) is a delicate problem, which depends on the notion of evaluation strategy. Since the nineties, it is known that weak (that is, out of abstractions) call-by-value evaluation is a reasonable strategy while Lévy's optimal parallel strategy, which is strong (that is, it reduces everywhere), is not. The strong case turned out to be subtler than the weak one. In 2014 Accattoli and Dal Lago have shown that strong call-by-name is reasonable, by introducing a new form of useful sharing and, later, an abstract machine with an overhead quadratic in the number of β-steps.
Here we show that strong call-by-value evaluation is also reasonable, via a new abstract machine realizing useful sharing and having a linear overhead. Moreover, our machine uses a new mix of sharing techniques, adding on top of useful sharing a form of implosive sharing, which on some terms brings an exponential speed-up. We give an example of a family of terms that the machine executes in time logarithmic in the number of β-steps.

I. INTRODUCTION
A. Background
In the last few years, the understanding of the time cost models of the λ-calculus has attracted considerable attention. The beauty of the λ-calculus is that it is an abstract formalism, distant from low-level implementation details, where the same expressive power as Turing machines is obtained via a single β-rule, based on a natural notion of substitution. This is however also its main drawback, as the substitution it is based upon is a non-atomic operation that may duplicate whole sub-programs. A natural question then is how to measure the time of programs expressed in the λ-calculus. Of course, one wants a reasonable cost model in the sense of Slot and van Emde Boas [1], that is, one preserving the notion of polynomial time complexity as defined on Turing machines.

The candidate measure for time is the number of β-steps to normal form. At first sight, this approach does not seem to work. A first issue is that one has to be more precise, because there are many different evaluation strategies and notions of normal form in the λ-calculus. There is however a second, bigger issue, called size explosion, that affects every evaluation strategy. Namely, there are families {t_n}_{n∈ℕ} of λ-terms such that t_n produces in n β-steps—independently of the strategy—a result r_n of size exponential in n. Then the chosen measure of time—namely n—does not even account for the time to write down the result, whose size is exponential in n.

How to Stop Worrying and Love the Bomb: The way out of this apparent cul-de-sac is to turn to evaluation up to sharing, where sharing is used to provide compact representations of results, avoiding the explosion. It then turns out that (for some natural strategies and notions of normal form) the number of β-steps is a reasonable time cost model. The point is subtle, so let us be precise. The idea is to first fix a strategy →s (together with its notion of normal form) in the λ-calculus, which is kept as the specification, or reference system. Then, one studies →s via a refined λ-calculus with sharing—think of an abstract machine—showing that →s can be implemented with an overhead polynomial in the number of →s steps, producing in output a term with sharing. The exponential explosion is then moved to the process of unsharing output terms. Luckily, unsharing can essentially always be avoided (unless one really needs to print the unshared output), as terms with sharing can be manipulated efficiently without having to unshare them, see Condoluci, Accattoli, and Sacerdoti Coen [2].

Subterm Sharing and Closed Evaluation: Sharing is an overloaded word, indicating a number of very different techniques in the literature about decompositions of the λ-calculus. The most basic one can be deemed subterm sharing—itself coming in a number of variants—and amounts to annotating terms with delayed substitutions, coming from β-steps that have been encountered during the evaluation process. Such annotations may take the form of let-expressions, explicit substitutions, or environments in abstract machines. Subterm sharing is enough to show that the number of β-steps is a reasonable cost model for both call-by-name (shortened to CbN) and call-by-value (CbV) weak evaluation (that is, out of abstractions) with closed terms. These two settings are here referred to as Closed CbN and Closed CbV. The latter models evaluation in CbV functional programming languages such as OCaml, and the fact that it is reasonable has been the first result in the literature about reasonable strategies for the λ-calculus, due to Blelloch and Greiner [3]. Similar results have also been obtained by Sands, Gustavsson, and Moran [4] and Dal Lago and Martini [5], [6].

Useful Sharing and Strong (CbN) Evaluation: Subterm sharing is not enough beyond the closed case, that is, when evaluation may take place under abstraction and terms may be open—what we refer to as the strong λ-calculus. Namely, there are exploding families whose strong evaluation with subterm sharing takes exponential time, independently of the evaluation strategy. For some time, indeed, it has been an open question whether there are strong strategies that can be implemented within a reasonable overhead. The community used to believe that it was not the case, because of Asperti and Mairson's result that Lévy's optimal (strong) strategy is not reasonable [7]. The question was settled by Accattoli and Dal Lago, showing that Strong CbN is reasonable: the number of steps of call-by-name leftmost(-outermost) evaluation, which is a strong strategy, is a reasonable time cost model [8]. For proving their result, they introduce the new layer of useful sharing, operating on top of subterm sharing, and show that it is mandatory. Useful sharing amounts to doing minimal unsharing work, namely only when it contributes to creating β-steps, while avoiding unfolding the sharing when it only makes the term grow in size. In [8], the authors prove a polynomial overhead without investigating the degree. Later on, Accattoli provided an abstract machine—the only reasonable strong machine in the literature—with quadratic overhead [9].

Knowing that leftmost evaluation (sometimes referred to as normal order) is reasonable is theoretically valuable, because it answers an important question, but also because leftmost evaluation is a sort of canonical strategy for the strong λ-calculus. At the same time, however, it is not of much practical value, because leftmost evaluation is very inefficient, and Strong CbV or Strong Call-by-Need are preferred in practice.

B. Contributions of the Paper
We prove, for the first time, that Strong CbV is also reasonable. We provide an abstract machine that, via subterm and useful sharing, implements Strong CbV within a linear overhead, improving over Accattoli's bound. We also go considerably further, adding a form of implosive sharing (surveyed below) which on some terms brings an exponential speed-up, evaluating them in time logarithmic (!) in the number of β-steps, as we show on an example. Since implosive sharing rules out the usual proof technique for the correctness of abstract machines, we develop a new, more flexible one, based on the notion of relaxed implementation. Last, we provide a prototype implementation of our machine in OCaml.

C. Motivations

First and foremost, our motivation is foundational. We want to contribute to the study of reasonable cost models, showing that Strong CbV is reasonable. We also strive to obtain the best bounds for implementing strong evaluation because, after decades of research, how to best implement (strong) β-reduction is still an open problem. Another motivation comes from the theory of proof assistants, where strong evaluation plays a role. Typically, settings such as Coq or Agda use strong evaluation to implement the β-conversion test, used for type checking with dependent types. In particular, one of the abstract machines at work in Coq, due to Grégoire and Leroy [10], relies on call-by-value.

Bounds for β-Conversion: The pure algorithm for testing β-conversion of two terms t and u first reduces them to normal form and then tests the results for equality. In general, conversion is undecidable, because t or u may diverge, but one may ask—when t and u are normalizable—what the complexity of checking conversion is. Without sharing, the pure algorithm is clearly exponential. By combining our results with the linear time algorithm for equality up to sharing by Condoluci, Accattoli, and Sacerdoti Coen [2], we obtain a pure call-by-value algorithm using sharing, and working in time linear in the number of (CbV) β-steps and in the size of the initial terms. We are not aware of other similar bounds in the literature, nor of any algorithmic study of β-conversion.

Foundations, not Applications: Beware that we aim at providing foundations for the implementation of proof assistants, but we do not aim at direct applications. This is because proof assistants do not usually implement conversion via the pure algorithm. In fact, they rest on a number of heuristics to shortcut it. Also, the language that they implement usually extends the λ-calculus with at least pattern matching and fixpoints. Finally, the specific case of Coq also uses a call-by-need machine due to Barras [11]. Nothing prevents, however, extending our work to pattern matching and fixpoints and integrating heuristics. Also, call-by-need being a blend of CbN and CbV, it is mandatory to first understand the CbV case.

D. Implosive Sharing and All That

Once subterm sharing is adopted, it is possible to also evaluate inside shared subterms, thus sharing evaluations, not just subterms. The consequence is that one β-step in the shared setting maps to potentially many β-steps in the λ-calculus, creating in some cases a steps explosion, or, dually, an implosion: n β-steps in the λ-calculus may in some cases implode to log n steps in the refinement with sharing. The terminology implosive sharing is ours but not the (previously nameless) concept: the literature contains implosive evaluation strategies, such as Wadsworth's call-by-need [12] (shortened to CbNeed) or Lévy's optimal reduction [13]. Implosive sharing poses two technical issues. First, proving correctness, because one needs to relate a single β-step in the sharing setting with potentially many β-steps in the unshared one, which is always involved. The second challenge is complexity analyses, because implosive sharing at times breaks the so-called subterm invariant, which is the key property used in all existing proofs that a strategy is reasonable.

Mixing Implosive and Useful Sharing: There is a degree of freedom in the design of useful sharing. Accattoli and Dal Lago use a non-implosive approach which is naturally suggested by the CbN setting that they study. We adopt here an alternative implosive approach, naturally suggested by the CbV setting. This and other design choices of our strong crumbling abstract machine (shortened to SCAM), such as garbage collection and the light form of compilation called crumbling, are detailed in Sect. VI. Because of implosive sharing, correctness is the most demanding theorem of the paper, for which we develop a new abstract approach, deemed relaxed implementation, that we then apply concretely. The key idea is modeling the one-to-many phenomenon induced by implosive sharing via a parallel strategy on the calculus. The complexity analysis of the SCAM, instead, is a smooth adaptation of others in the literature, because the implosive sharing of the SCAM is carefully designed so as not to clash with the subterm invariant.
E. Related Work

About Abstract Machines: The study of machines for strong evaluation is a blind spot of the field, despite its relevance for the implementation of proof assistants. There are very few strong machines in the literature. The ones by Crégut [14], [15] (CbN), Biernacka et al. [16] (CbV), and Biernacka and Charatonik [17] (CbNeed) all have exponential overhead. The last two works are based on Ager et al.'s functional correspondence [18] and Danvy and Nielsen's (generalized) refocusing [19], [20]. De Carvalho [21] and Ehrhard and Regnier [22] study variants of Crégut's machine for denotational purposes. Strong evaluation as implemented in Coq according to Grégoire and Leroy [10] is—perhaps surprisingly—not based on a strong machine. It is obtained by iterating under abstractions a CbV machine for weak evaluation with open terms—a setting sometimes called Open CbV. Their machine for Open CbV has exponential overhead, and the iteration is also naive and costly (namely, it unfolds sharing before iterating, thus potentially exploding in size), adding a further exponential cost. Iterating an open machine is actually very subtle: Accattoli and Guerrieri in [23] show that, even without sharing unfolding, and even when the open machine is reasonable, iterating may not give a reasonable machine for Strong CbV, as the iteration may introduce an exponential blow up. Abstract machines for Open CbV have then been studied in depth by Accattoli and co-authors in [24], [23], [25], and optimized so as to be reasonable and with linear overhead, but never extended to Strong CbV. The Strong CbNeed machine at work in Coq is studied in Barras' PhD thesis [11] and no complexity results are known—its correctness, to our knowledge, has never been fully proved.

About Implosive Sharing: CbNeed evaluation—usually considered in the closed setting—is an implosive sharing refinement of Closed CbN. Its correctness is notoriously technical, see for instance Maraist, Odersky, and Wadler [26], and Ariola and Felleisen [27], [28]. Kesner developed an elegant alternative technique resting on multi types [29], that has been adapted to the strong case—becoming quite more technical—in [30]. The correctness of implementations of optimal reduction is extremely involved and sophisticated, see Asperti and Guerrini [31]. None of these works are presented using abstract machines. Call-by-need machines do exist, but their correctness is always proved relative to a call-by-need calculus, as in [32], with respect to which they are not implosive—the standard correctness technique indeed applies.

Proofs: Proofs are in the Appendix. In case of acceptance, this version with Appendix will be available on arXiv.

II. THE VALUE SUBSTITUTION CALCULUS
Plotkin's call-by-value λ-calculus [33] is known to behave perfectly as long as terms are closed (that is, without free variables) and evaluation is weak—let us call such a setting Closed CbV, following Accattoli and Guerrieri [34]. It is well known that as soon as one considers open terms or strong evaluation then Plotkin's CbV βv-rule (λx.t)v →βv t{x←v} is no longer adequate with respect to various semantical properties—as first shown by Paolini and Ronchi della Rocca [35], [36], [37]—and the operational semantics has to be extended somehow. In [34], Accattoli and Guerrieri compare various ways of doing it, and show that in the open setting they are all equivalent. One of these calculi is (the CbV and intuitionistic fragment of) Curien and Herbelin's λμμ̃-calculus [38], which could be used to reformulate the results in this work; another one is Guerrieri and Carraro's shuffling calculus λshuf [39], which instead could not, because its cost model is unclear, see [34].

Here we adopt one of those calculi, Accattoli and Paolini's value substitution calculus, shortened here to VSC [40]. It was first introduced to study a semantical property of Strong CbV, solvability, and it is isomorphic to the CbV representation of the λ-calculus into linear logic, as shown by Accattoli [41].

It is also well known that values can be defined as variables and abstractions, or simply as abstractions—the resulting theories differ only for inessential details. Restricting values to abstractions is preferred by works on CbV abstract machines—including this one—because it leads to better performance, as shown by Accattoli and Sacerdoti Coen [42].

The Value Substitution Calculus: There are various ingredients in the VSC. First, the syntax of the λ-calculus is extended with let-expressions, that we here prefer to more compactly write as explicit substitutions t[x←u] (shortened to ES), while we use t{x←u} for meta-level substitution.

  VSC VALUES   v ::= λx.t
  VSC TERMS    t, u, p ::= x | λx.t | tu | t[x←u]

There also is a crucial use of contexts to specify the rewriting rules. Contexts are terms with a hole ⟨·⟩, intuitively standing for a removed subterm. We shall see various notions of contexts. For now, we need unrestricted contexts C and the special case of substitution contexts L.

  CONTEXTS     C ::= ⟨·⟩ | Ct | tC | λx.C | C[x←t] | t[x←C]
  SUB. CTXS    L ::= ⟨·⟩ | L[x←t]

Replacing the hole of a context C with a term t (or another context C′) is called plugging and noted C⟨t⟩ (resp. C⟨C′⟩). Given the use of explicit substitutions, β-steps are decomposed in two: the introduction of the ES and the turning of an ES into a meta-level substitution. The rewrite rules work up to a substitution context L, or, if you prefer, up to ES (also called at a distance).

  VSC RULES AT TOP LEVEL
  MULTIPLICATIVE       L⟨λx.t⟩u ↦m L⟨t[x←u]⟩
  EXPONENTIAL          t[x←L⟨v⟩] ↦e L⟨t{x←v}⟩
  CONTEXTUAL CLOSURE   if t ↦a t′ then C⟨t⟩ →a C⟨t′⟩   (a ∈ {m, e})
  NOTATION             →vsc := →m ∪ →e

Examples: (λx.t)[y←u]p →m t[x←p][y←u] and t[x←v[y←u]] →e t{x←v}[y←u]. The terminology comes from the connection with linear logic proof nets. Note that the CbV restriction is not on multiplicative/β-redexes, but on exponential redexes. Please note that the VSC can simulate Plotkin's βv rule, as (λx.t)v →m t[x←v] →e t{x←v}. Actually, it does more: an open term such as t := (λx.δ)(yy)δ diverges as follows

  t →m δ[x←yy]δ →m (zz)[z←δ][x←yy] →e (δδ)[x←yy] →vsc ...

where δ := λz.zz is the duplicator, while for Plotkin it is normal.

A key property of the VSC is that while →vsc, being able to simulate Plotkin's βv rule, obviously does not terminate, its two rules when taken separately are strongly normalizing.

Lemma II.1 (Local termination, [40]). The reductions →m and →e are strongly normalizing.

An evaluation is a possibly empty sequence d : t →vsc* u of →vsc steps, whose number of →m (resp. →e) steps is noted |d|m (resp. |d|e). In the rest of this section, we discuss the simple open fragment, as it allows us to introduce some key concepts for the general case, and on top of which we shall define the parallel strategy to be implemented by the SCAM.

The Open VSC:
The open fragment of the VSC is obtained by first defining open contexts—by removing the abstraction case—and then using them to define the open variant of the rewriting rules.

  OPEN CTXS            O ::= ⟨·⟩ | Ot | tO | O[x←t] | t[x←O]
  OPEN REWRITE RULES   if t ↦a t′ then O⟨t⟩ →oa O⟨t′⟩   (a ∈ {m, e})
  OPEN REDUCTION       →o := →om ∪ →oe

Careful: the open fragment contains closed terms, because terms and contexts are potentially (and not necessarily) open. Note that the grammar of open contexts implies that evaluation is non-deterministic, as rewriting steps can take place on both sides of an application and on both subterms of an ES. For instance, for any step t →o u, we have the following span ut ←o tt →o tu that closes on uu with one →o step on each side—the same happens with u[x←t] ←o t[x←t] →o t[x←u]. Such non-determinism is harmless because it is diamond. A rewriting relation → is diamond if u₁ ← t → u₂ and u₁ ≠ u₂ imply u₁ → p ← u₂ for some p (it is the 1-step strengthening of confluence).

Proposition II.2 ([40]). The reduction →o is diamond.

There are two famous consequences of being diamond: uniform normalization, that is, if there is a normalizing reduction sequence then there are no diverging sequences, and random descent, that is, when a term is normalizable, all sequences to normal form have the same length. Essentially, the diamond is a relaxed form of determinism. The normal forms of the open fragment have a nice inductive characterization, coming from the so-called fireball calculus [34]. Fireballs are defined by mutual induction with inert terms, and including values, as follows.

  INERT TERMS   i, i′ ::= x | if | i[x←i′]
  FIREBALLS     f, f′ ::= v | i | f[x←i]

For instance, λy.((λx.y)y) is a fireball as a value, while x, y(λx.x), xy, and (z(λx.Ω))(zz) are fireballs as inert terms.

Proposition II.3 ([40]). Let t be a VSC term. t is →o-normal if and only if t is a fireball.

The Strong Calculus: Outside of the open fragment evaluation is not necessarily diamond. For instance, for any step t →vsc u, the following span (λy.t)(λy.t) ←e (xx)[x←λy.t] →vsc (xx)[x←λy.u] closes on (λy.u)(λy.u) but not with a diamond diagram. Anyway, the VSC is confluent.

Proposition II.4 ([40]). The reduction →vsc is confluent.

Strong normal forms also have a nice characterization, iterating inside values the one for open normal forms.

  STRONG INERT TERMS   i_s ::= x | i_s f_s | i_s[x←i′_s]
  STRONG VALUES        v_s ::= λx.f_s
  STRONG FIREBALLS     f_s ::= i_s | v_s | f_s[x←i_s]

For instance, λy.(y(λx.y)) is a strong value, while λy.((λx.y)y) is not. Similarly, x(λz.zz) is a strong inert term, while x(λz.((λy.y)z)) is not. Note that strong fireballs are similar to the normal forms of the (CbN) λ-calculus, except that they can have ES containing strong inert terms.

Lemma II.5 (Characterization of normal forms). (Proof p. 18.) Let t be a VSC term. t is →vsc-normal if and only if t is a strong fireball.

III. THE EXTERNAL STRATEGY
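Before turning to the external strategy, here is an added executable reference for the definitions of Sect. II. It is example code written for this page, not code from the paper or from its SCAM prototype. It models VSC terms as Python dataclasses, implements capture-avoiding meta-level substitution, the two top-level rules at a distance with their contextual closure (full and open), and the fireball and strong fireball grammars, and then checks Prop. II.3 and Lemma II.5 on the paper's own sample terms, including the first three steps of the diverging term (λx.δ)(yy)δ. Representing variables as strings, doing α-renaming explicitly with a fresh-name counter, and the helper names (`split`, `wrap`, `reducts`, `agrees`, `run`) are this example's choices, not the paper's.

```python
# Added example for this page, not the paper's code: an executable model of the
# VSC of Sect. II. Names are strings and alpha-renaming is explicit.
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Union

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: x: str; body: Term                  # λx.body
@dataclass(frozen=True)
class App: fn: Term; arg: Term                 # fn arg
@dataclass(frozen=True)
class ES: body: Term; x: str; arg: Term        # body[x←arg]; x is bound in body only
Term = Union[Var, Lam, App, ES]
_fresh = count()                               # counter for fresh variable names

def fv(t):
    if isinstance(t, Var): return {t.name}
    if isinstance(t, Lam): return fv(t.body) - {t.x}
    if isinstance(t, App): return fv(t.fn) | fv(t.arg)
    return (fv(t.body) - {t.x}) | fv(t.arg)
def _bind(y, body, x, v):
    """Substitute x:=v under binder y, renaming y first if it would capture fv(v)."""
    if y == x: return y, body                  # x is shadowed by y: nothing to do
    if y in fv(v):
        y2 = f"{y}_{next(_fresh)}"; body, y = subst(body, y, Var(y2)), y2
    return y, subst(body, x, v)
def subst(t, x, v):
    """Meta-level substitution t{x←v}, capture-avoiding."""
    if isinstance(t, Var): return v if t.name == x else t
    if isinstance(t, App): return App(subst(t.fn, x, v), subst(t.arg, x, v))
    if isinstance(t, Lam): return Lam(*_bind(t.x, t.body, x, v))
    y, body = _bind(t.x, t.body, x, v)
    return ES(body, y, subst(t.arg, x, v))

def split(s, avoid):
    """Split s = L⟨u⟩ into (u, L), u not an ES, L listed outermost first; binders of
    L are renamed away from `avoid` so a term with those free variables can go under L."""
    es = []
    while isinstance(s, ES):
        body, x = s.body, s.x
        if x in avoid:
            x2 = f"{x}_{next(_fresh)}"; body, x = subst(body, x, Var(x2)), x2
        es.append((x, s.arg)); s = body
    return s, es
def wrap(u, es):                               # plug u back into L
    for x, a in reversed(es): u = ES(u, x, a)
    return u
def step_m(t):
    """Top-level multiplicative rule  L⟨λx.s⟩ u ↦m L⟨s[x←u]⟩  (None if no redex)."""
    if not isinstance(t, App): return None
    inner, es = split(t.fn, fv(t.arg))
    return wrap(ES(inner.body, inner.x, t.arg), es) if isinstance(inner, Lam) else None
def step_e(t):
    """Top-level exponential rule  s[x←L⟨v⟩] ↦e L⟨s{x←v}⟩, v an abstraction."""
    if not isinstance(t, ES): return None
    inner, es = split(t.arg, fv(t.body) - {t.x})
    return wrap(subst(t.body, t.x, inner), es) if isinstance(inner, Lam) else None

def reducts(t, strong=True):
    """All one-step →vsc reducts of t; strong=False drops the λx.C case, giving →o."""
    out = [r for r in (step_m(t), step_e(t)) if r is not None]
    if isinstance(t, Lam) and strong:
        out += [Lam(t.x, r) for r in reducts(t.body, strong)]
    elif isinstance(t, App):
        out += [App(r, t.arg) for r in reducts(t.fn, strong)]
        out += [App(t.fn, r) for r in reducts(t.arg, strong)]
    elif isinstance(t, ES):
        out += [ES(r, t.x, t.arg) for r in reducts(t.body, strong)]
        out += [ES(t.body, t.x, r) for r in reducts(t.arg, strong)]
    return out

def is_inert(t):                               # i ::= x | i f | i[x←i']
    if isinstance(t, Var): return True
    if isinstance(t, App): return is_inert(t.fn) and is_fireball(t.arg)
    return isinstance(t, ES) and is_inert(t.body) and is_inert(t.arg)
def is_fireball(t):                            # f ::= v | i | f[x←i]
    if isinstance(t, Lam) or is_inert(t): return True
    return isinstance(t, ES) and is_fireball(t.body) and is_inert(t.arg)
def is_strong_inert(t):                        # i_s ::= x | i_s f_s | i_s[x←i_s']
    if isinstance(t, Var): return True
    if isinstance(t, App): return is_strong_inert(t.fn) and is_strong_fireball(t.arg)
    return isinstance(t, ES) and is_strong_inert(t.body) and is_strong_inert(t.arg)
def is_strong_fireball(t):                     # f_s ::= i_s | λx.f_s | f_s[x←i_s]
    if isinstance(t, Lam): return is_strong_fireball(t.body)
    if is_strong_inert(t): return True
    return isinstance(t, ES) and is_strong_fireball(t.body) and is_strong_inert(t.arg)

def agrees(t):                                 # Prop. II.3 and Lemma II.5 instantiated on t
    return (not reducts(t, False)) == is_fireball(t) and (not reducts(t)) == is_strong_fireball(t)
def run(t, n):                                 # n →vsc steps of a term whose reduct is unique
    trace = [t]
    for _ in range(n): (t,) = reducts(t); trace.append(t)
    return trace

y, z = Var("y"), Var("z")
delta = Lam("z", App(z, z))                                      # δ := λz.zz
SAMPLES = [Lam("y", App(Lam("x", y), y)),                        # fireball, not a strong value
           App(App(z, Lam("x", App(delta, delta))), App(z, z)),  # inert: (z(λx.Ω))(zz)
           Lam("y", App(y, Lam("x", y))),                        # strong value
           App(Var("x"), Lam("z", App(Lam("y", y), z))),         # not a strong inert term
           App(App(Lam("x", delta), App(y, y)), delta)]          # (λx.δ)(yy)δ, diverges
if __name__ == "__main__": print([agrees(t) for t in SAMPLES], run(SAMPLES[4], 3))
```

Running the module reports, for each term in SAMPLES, whether →o-normality coincides with being a fireball and →vsc-normality with being a strong fireball, and prints the trace t →m δ[x←yy]δ →m (zz)[z←δ][x←yy] →e (δδ)[x←yy] of the diverging example. The renaming in `split` is the one point where the paper's "up to α" convention has to become code: in L⟨λx.s⟩u the argument u is moved under the binders of L, so any binder of L that is free in u must be renamed first, and symmetrically for the body moved under L in the exponential rule.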
Since the VSC is not diamond, we need to isolate an evaluation strategy, playing the role of the leftmost(-outermost) strategy in CbN. Usually, the strategies implemented by abstract machines are deterministic. Here instead we adopt a diamond strategy, that—as we explained in the previous section—can be seen as a form of relaxed determinism.

While CbN has a clear left-to-right orientation, reflected by its leftmost evaluation strategy, in CbV there is no such direction of evaluation. For instance, Plotkin's standard evaluations are left-to-right [33], Leroy's ZINC abstract machine [43] is right-to-left, and Dal Lago and Martini follow an unspecified non-deterministic order [44]. Our strategy shall then be liberal, and not impose an order on the evaluation of applications. On the other hand, we shall keep the outermost aspect of the leftmost-outermost CbN strategy. Our external strategy, indeed, shall reduce only redexes that cannot be duplicated or erased by any other redex.

The definition of the strategy requires the auxiliary notion of rigid terms, which are the variation over inert terms where the arguments of the head variable can be whatever term.

  RIGID TERMS   r, r′ ::= x | rt | r[x←r′]

Every (strong) inert term is a rigid term, but the converse does not hold, consider for instance y(δδ). External (evaluation) contexts are defined by mutual induction with rigid contexts.

  TERM EVALUATION CONTEXTS
  EXTERNAL   E ::= ⟨·⟩ | λx.E | t[x←R] | E[x←r] | R
  RIGID      R ::= rE | Rt | R[x←r] | r[x←R]

Finally, the rewriting rules are obtained by closing the open rules with external contexts.

  EXTERNAL REWRITE RULES   if t →oa t′ then E⟨t⟩ →xa E⟨t′⟩   (a ∈ {m, e})
  EXTERNAL REDUCTION       →x := →xm ∪ →xe

Key points:
• Normalizing: the strategy normalizes the potentially diverging term (λx.y)(λz.Ω) →xm y[x←λz.Ω] →xe y, and diverges on y(λz.Ω). In a companion paper about the semantics of Strong CbV (also submitted to LICS 2021), it is proved that the external strategy is normalizing, i.e., it reaches a normal form whenever one exists in the VSC.
• External: external steps are not contained in any value that is applied or ready to be substituted. The grammars of external and rigid contexts indeed forbid these situations: given an open step t →o u, note that (λx.t)p ↛x (λx.u)p and (xx)[x←λy.t] ↛x (xx)[x←λy.u]. On the other hand, the external strategy does enter values that shall not be substituted, for instance yp(λx.t) →x yp(λx.u) and p[x←y(λx.t)] →x p[x←y(λx.u)].
• Non-determinism: since →x contains the open rules, it is neither left-to-right nor right-to-left—we have both (II)(II) →xm (y[y←I])(II) and (II)(II) →xm (II)(y[y←I]). Another example is given by t = x(λy.(II))[x←w(II)] →xm x(λy.z[z←I])[x←w(II)], and t →xm x(λy.(II))[x←w(z[z←I])].

Proposition III.1 (Properties of →x). (Proof p. 25.) Let t be a VSC term.
1) Diamond: →x is diamond. Moreover, every →x evaluation to normal form (if any) has the same number of →xm steps.
2) Normal forms: if t is →x-normal then it is a strong fireball.

Cost Model of the VSC: As time cost model of the VSC we take the number of →m steps of the external strategy. At the end of the paper, we shall prove it reasonable. Subtlety: the cost model makes sense despite the non-determinism of →x, because the diamond of →x in particular preserves the kind of step (see Lemma C.2.2 in the Appendix), and so all evaluations to normal form have the same number of →m steps.

Structural Equivalence: The VSC comes with a notion of structural equivalence ≡, that equates terms differing only for the position of ES. A strong justification comes from the CbV linear logic interpretation of λ-terms with ES, in which structurally equivalent terms translate to the same (recursively typed) proof net, see [41]. The SCAM shall implement the external strategy →x, but only up to ≡, which is why we introduce ≡ here. Structural equivalence ≡ is defined as the least equivalence relation on terms closed by all contexts and generated by the following top-level cases:

  t[y←p][x←u]  ≡com   t[x←u][y←p]   if y ∉ fv(u), x ∉ fv(p)
  t p[x←u]     ≡@r    (tp)[x←u]     if x ∉ fv(t)
  t[x←u[y←p]]  ≡[·]   t[x←u][y←p]   if y ∉ fv(t)
  t[x←u] p     ≡@l    (tp)[x←u]     if x ∉ fv(p)

Extending the VSC with ≡ results in a smooth system, as ≡ commutes with evaluation, and can thus be postponed. Additionally, the commutation is strong, as it preserves the number and kind of steps—one says that it is a strong bisimulation (with respect to →x). In particular, the equivalence is not needed to compute and it does not break, or make more complex, any property of the calculus—on the contrary, it makes it more flexible.

Proposition III.2 (≡ is a strong bisimulation). (Proof p. 26.) If t ≡ u and t →a t′ then there exists u′ ∈ Λvsc such that u →a u′ and t′ ≡ u′, for a ∈ {m, e, om, oe, sm, se}. Note that Prop. III.2 implies that ≡ preserves normal forms.

IV. A TASTE OF USEFUL AND IMPLOSIVE SHARING
Here we use the VSC to give an informal overview of the various forms of sharing at work in this paper. The VSC comes with ES t[x←u], which are a form of subterm sharing. The exponential rewriting rule, however, rests on meta-level substitution, and so the system is closer to the λ-calculus than to an implementation, which would rather use a micro-step variant of the exponential rule such as

  MICRO EXPONENTIAL   C⟨x⟩[x←L⟨v⟩] →mi-e L⟨C⟨v⟩[x←v]⟩

Useful Sharing: In CbN, useful sharing amounts to two modifications of the substitution process, which are mandatory in order to obtain reasonable implementations of strong evaluation. The first one is that normal terms that are not abstractions should never be substituted, because they cannot create β-redexes. In Strong CbV as presented via the VSC, this is hardcoded, as only abstractions can be substituted, so nothing needs to be changed. The effect of the optimization can however be seen on normal forms: it is accounted for by the fact that strong fireballs have ES containing strong inert terms, which are exactly the normal terms that are not abstractions.

The second optimization, sometimes called substituting abstractions on-demand, is trickier. It requires abstractions to be substituted only on applied variable occurrences. A step such as (xy)[x←v] →e vy is accepted, or, it is useful, because it creates a β/multiplicative redex, while a step such as (yx)[x←v] →e yv is useless, and must not be done. Note however that this optimization makes sense only when one switches to micro-step evaluation via →mi-e above, that is, at the level of machines, because in (xx)[x←v] there are both a useful and a useless occurrence of x. The implementation of substituting abstractions on-demand is very subtle, also because by not performing useless substitutions, it leaves pending ES with values.

Mixing Implosive and Useful Sharing: There is a case concerning such pending ES where there is some freedom in deciding how to evaluate. Consider a term such as ((xy)y)[y←λz.t] where t is a term with some β-redexes. Both micro-step substitutions of λz.t on y are useless, but t needs to be evaluated. The non-implosive choice is to copy λz.t, obtaining (x(λz.t))(λz.t), and then evaluate t twice. This is what Accattoli and Dal Lago do in their useful implementations of the leftmost-outermost CbN strategy in [8], [9]. It can be seen as useful, because each copy of λz.t contains some β-redexes, so one is not substituting for nothing. The implosive choice, which is also more CbV in spirit, is to evaluate λz.t only once, keeping it in the ES, that is, reducing ((xy)y)[y←λz.t] to some ((xy)y)[y←λz.u]. This is what the SCAM shall do.

A natural question: Why not always evaluate values before substituting them? Because it is unsound with respect to Strong CbV. Consider t := (x(λx.y))[x←λz.z(λw.Ω)]. The term t would then diverge, because it would evaluate Ω, while it normalizes to y with the external strategy:

  (x(λx.y))[x←λz.z(λw.Ω)] →xe (λz.z(λw.Ω))(λx.y) →xm →xe (λx.y)(λw.Ω) →xm →xe y

Note that in this example the substitution happens on an applied variable. Evaluating a value v before substituting it can be done safely only when in t[x←v] the term t is normal and all the occurrences of x in t are not applied (that is, the associated micro substitution steps are useless), which is exactly when the SCAM shall do it.

V. RELAXED IMPLEMENTATIONS
Here we explain abstractly the subtle and unusual way in which our machine implements the external strategy $\to_x$ modulo structural equivalence $\equiv$. Before giving the details, let us stress a key point. The machine is started on $\lambda$-terms, not VSC terms, that is, the initial term is not supposed to have any ES. Non-initial states of the machine, however, shall decode to VSC terms.

Machines and Structural Strategies: A machine $M = (s, \leadsto, \cdot^{\circ}, \cdot^{\rightarrow})$ is a transition system $\leadsto$ over a set of states, noted $s$, with transitions partitioned into $\beta$-transitions $\leadsto_{\beta}$ and overhead transitions $\leadsto_{o}$, together with a compilation function $\cdot^{\circ}$ turning $\lambda$-terms into states, and a read-back function $\cdot^{\rightarrow}$ turning states into VSC terms and satisfying the initialization constraint $t^{\circ\rightarrow} = t$ for all $\lambda$-terms $t$. A state $s$ is initial if $s = t^{\circ}$ for some $\lambda$-term $t$, and final if no transition applies. An execution $\rho : s \leadsto^{*} s'$ is a possibly empty sequence of transitions from an initial state to a state $s'$, said reachable. A structural strategy $(\to, \equiv)$ is a strategy $\to$ together with a structural equivalence $\equiv$ on VSC terms, such that $\equiv$ is a strong bisimulation with respect to $\to$.

Relaxed Implementations: In the literature, a machine implements a (structural) strategy when the two are weakly bisimilar, where weakness is given by the fact that the overhead transitions of the machine (which search for redexes and decompose the substitution process) are invisible on the calculus. The bisimulation relates executions of the machine and evaluations on the calculus locally, or small-steps, that is, $\beta$-step by $\beta$-step, and for sequences not necessarily reaching a normal form. In particular, there is a bijection between the $\beta$-steps of the strategy and the $\beta$-transitions of the machine. Our machine does not follow such a simple schema, because it evaluates the body of some shared abstractions, and each $\beta$-transition in these bodies potentially maps (via read-back) to many $\beta$-steps on the calculus, breaking the bijection and preventing the machine from simulating single steps of the calculus. We then adopt a relationship between the strategy and the machine that is weaker than a bisimulation and asymmetric: the strategy simulates the machine locally (potentially taking many steps for each $\beta$-transition), while the machine simulates the strategy only globally, or big-steps: preserving divergence and normalizing evaluations, with their cost model, but not $\beta$-step by $\beta$-step. In the VSC, the role of $\beta$-steps on the calculus is played by multiplicative steps, whose number in an evaluation sequence $d$ is noted $|d|_m$.

Definition V.1 (Relaxed implementations).
A machine $M = (s, \leadsto, \cdot^{\circ}, \cdot^{\rightarrow})$ is a relaxed implementation of a structural strategy $(\to, \equiv)$ on VSC terms when, given a $\lambda$-term $t$:
1) Executions to evaluations: for any $M$-execution $\rho : t^{\circ} \leadsto_M^{*} s$ there is a $\to$-evaluation $d : t \to^{*} \equiv s^{\rightarrow}$ with $|\rho|_{\beta} \le |d|_m$.
2) Normalizing evaluations to executions: if $d : t \to^{*} u$ with $u$ $\to$-normal, then there is an $M$-execution $\rho : t^{\circ} \leadsto_M^{*} s$ with $s$ final such that $s^{\rightarrow} \equiv u$, with $|\rho|_{\beta} \le |d|_m$.
3) Diverging evaluations to executions: if $\to$ diverges on $t$ then $M$ diverges on $t^{\circ}$, doing infinitely many $\beta$-transitions.

Next, we isolate sufficient conditions for relaxed implementations, which shall structure our implementative study.
Definition V.2 (Relaxed implementation system). A relaxed implementation system is given by a machine $M = (s, \leadsto, \cdot^{\circ}, \cdot^{\rightarrow})$ and a structural strategy $(\to, \equiv)$ such that for every reachable state $s$:
1) Relaxed $\beta$-projection: $s \leadsto_{\beta} s'$ implies that there exists $d : s^{\rightarrow} \to^{+} \equiv s'^{\rightarrow}$ such that $|d|_m \ge 1$;
2) Overhead transparency: $s \leadsto_{o} s'$ implies $s^{\rightarrow} \equiv s'^{\rightarrow}$;
3) Overhead transitions terminate: $\leadsto_{o}$ terminates;
4) Halt: if $s$ is final then $s^{\rightarrow}$ is $\to$-normal;
5) Lax determinism: $\to$ is diamond and $\leadsto$ is deterministic.

Theorem V.3 (Abstract implementation). (Proof p. 26) Let $M$ and $(\to, \equiv)$ form a relaxed implementation system. Then, $M$ is a relaxed implementation of $(\to, \equiv)$.

VI. INTRODUCING THE SCAM

From the next section we start with the implementative details; here, therefore, we overview some key points.
Crumbling: The SCAM builds on the theory of CbV abstract machines developed by Accattoli and co-authors [45], [24], [23], [25]. In particular, it relies on the crumbling technique of [25], which essentially is a specific presentation of the transformation into administrative normal forms by Flanagan et al. [46], [47]. As shown in [25], crumbling allows one to reduce the number of data structures, as it encodes the dump and the stack of CbV machines inside the environment. This in turn reduces the number of transitions of the machine. Both aspects are extremely valuable when studying strong evaluation, as strong machines tend to have many data structures and at least a dozen transitions. Our strong crumbling abstract machine (shortened to SCAM), thanks to crumbling, is compact, having only 1 data structure and 9 transitions. The price to pay is the technicalities of crumbling, roughly amounting to a light form of compilation.
Garbage Collection: An unusual but key aspect is that garbage collection is done by the SCAM itself, that is, it is not left to the meta-level garbage collector, as is usually the case with abstract machines. This happens because, in the search for values to evaluate strongly, the SCAM has to avoid the garbage ones, as evaluating their bodies would indeed break correctness with respect to Strong CbV.
Zig-Zag: The SCAM shall have two alternating phases, one performing open evaluation, and one searching for a value $\lambda x.t$ to evaluate strongly. Once the SCAM finds it, it switches to the open phase for evaluating its body $t$, and so on. The open phase can be implemented exploring the code from left to right or from right to left; we adopt right to left, because this choice induces some stronger invariants. The phase searching for values is instead left to right, because it also performs garbage collection, which cannot be done right to left. Our mixed order is hinted at in Biernacka et al. [16] as a possible optimization of their right-to-left strong machine.

Two Levels of Implosive Sharing: There are two levels of implosiveness, connected to the out/under abstraction dichotomy. Shallow implosive sharing evaluates inside shared subterms but not inside shared abstractions. This happens in CbNeed. Deep implosive sharing, instead, also enters shared abstractions; an instance is optimal reduction. The SCAM adopts a deep implosive approach to useful sharing.

VII. COMPILATION AND READ-BACK
In a CbV $\lambda$-calculus with a construct for subterm sharing, such as ES, applications can be decomposed by introducing sharing points for any non-variable subterm. Here we consider the case where applications are only between variables. For instance, the crumbling representation $\underline{t}$ of $t := (\lambda x.(\lambda y.y)(xx))(\lambda z.zz)$ (see forthcoming Ex. VII.2) is
$$(\bar{x}\bar{y})[\bar{x}\leftarrow\lambda x.(\bar{z}\bar{w})[\bar{z}\leftarrow\lambda y.y][\bar{w}\leftarrow xx]][\bar{y}\leftarrow\lambda z.zz]$$
where we denoted the sharing points introduced by the transformation by $\bar{x}, \bar{y}, \bar{z}, \bar{w}$. Note that the transformation involves also function bodies (i.e. $\lambda x.(\lambda y.y)(xx)$ turns into $\lambda x.(\bar{z}\bar{w})[\bar{z}\leftarrow\lambda y.y][\bar{w}\leftarrow xx]$), that ES are grouped together unless forbidden by abstractions, and that ES are flattened out, i.e. they are not nested unless nesting is forced by abstractions. Here we shall adopt a variant where the first subterm $\bar{x}\bar{y}$ of $\underline{t}$ is in a pending ES $[\star\leftarrow\bar{x}\bar{y}]$ on a special variable $\star$ dedicated to such pending ES; this is analogous to the initial continuation of continuation-passing transformations.

Such a crumbled representation of terms impacts the design of machines for CbV evaluation. By removing the applicative structure, there is no need for data structures encoding the evaluation context, such as the applicative stack and the dump, which get encoded in the environment. The environment is the data structure for sharing that collects the ES obtained 1) at compile time, i.e. by the crumbling transformation, and 2) dynamically, during execution.

In [25], it is shown that the crumbling technique smoothly accommodates open terms, by designing an abstract machine that implements Open CbV within a bilinear overhead. This paper extends that work to the strong case. As explained in the introduction, the extension is non-trivial. Here we cover compilation via crumbling, the next section deals with the open machine, and Sect. IX presents the strong extension.
Footnote: We avoid the weak/strong terminology, because there can be strong evaluation with shallow implosive sharing, as in Strong Call-by-Need [30].
Footnote: For crumbling, we follow [25]. Therein applications can have abstractions as subterms. Here, however, we adopt the minor variant where abstractions are also removed from applications and shared.
AUXILIARY: $\overline{x} := (x, \epsilon)$; $\overline{\lambda x.t} := (\bar{z}, [\bar{z}\leftarrow\lambda x.\underline{t}])$; $\overline{tu} := (\bar{z}, [\bar{z}\leftarrow xy]\,e\,e')$
CRUMBLING: $\underline{x} := [\star\leftarrow x]$; $\underline{\lambda x.t} := [\star\leftarrow\lambda x.\underline{t}]$; $\underline{tu} := [\star\leftarrow xy]\,e\,e'$
where $(x, e) := \overline{t}$ and $(y, e') := \overline{u}$ in both $\overline{tu}$ and $\underline{tu}$; and $\bar{z}$ is fresh in $V_{cr}$ in both $\overline{\lambda x.t}$ and $\overline{tu}$.
Fig. 1: Crumbling transformation.

Crumbled Environments: We first have to define the target language of the translation, which is not terms with ES but crumbled environments, a slight variant. A crumbled environment is a list of ES containing bites, defined below. A key point is that we need to distinguish the variables introduced by the crumbling transformation from those originally in the term, which is why variables range over a set of names $V = V_{cr} \uplus V_{calc}$, where $V_{cr}$ is the set of crumbling variables and $V_{calc}$ the set of variables of the calculus, both infinite; the names in $V_{cr}$ are sometimes noted $\bar{x}, \bar{y}, \bar{z}$ for clarity, but in general names from both sets are noted $x, y, z$. Moreover, there is a distinguished variable $\star \in V_{cr}$.
BITES: $b ::= x \mid xy \mid \lambda x.e \;(*)$
(CRUMBLED) ENVS: $e ::= \epsilon \mid e:[x\leftarrow b]$
Side conditions $(*)$: $x \neq \star \neq y$ in $x$ and $xy$, and $x \in V_{calc}$ and $e$ is non-empty in $\lambda x.e$. The conditions imply that $\star$ cannot have free occurrences. As for terms, bites of the form $\lambda x.e$ are values, ranged over by $v$, while $x$ and $xy$ are inert bites. Environments are defined by concatenating on the right, but we shall freely concatenate also on the left, concatenate whole environments, and omit the concatenation symbol ':'. Environments are also meant to be looked up for substitution. Notation: $e(x) = b$ if $e = e'[x\leftarrow b]e''$ with $x \notin dom(e')$, and $e(x) = \bot$ otherwise; note that in open/strong settings environments may be undefined on some variables.

Crumbling $\lambda$-Terms: Machines start their execution on the compilation of ordinary $\lambda$-terms (with no ES), and the following crumbling transformation $\underline{t}$ shall be our notion of compilation. Note that $\star$ appears always and only as the variable "bound" by the first ES in $\underline{t}$.

Definition VII.1 (Crumbling transformation $\underline{\cdot}$). Let $t$ be a $\lambda$-term. We define its crumbling $\underline{t}$ using an auxiliary function $\overline{\cdot}$ mapping $\lambda$-terms to pairs of a variable plus an environment. The formal definitions of $\underline{\cdot}$ and $\overline{\cdot}$ are given in Fig. 1, and explained in the next example.

Example VII.2.
The main transformation $\underline{\cdot}$ is used at top level, both of the initial term and, recursively, at top level of every function body. The auxiliary transformation $\overline{\cdot}$ instead is used when compiling applications, and it returns the variable that will be used in place of the original term, plus a crumbled environment that binds additional results of the transformation. For the sake of example, let us consider the term $t := (\lambda x.I(xx))\,\delta = (\lambda x.(\lambda y.y)(xx))(\lambda z.zz)$. The term $t$ consists of an application of two non-variable terms, hence the transformation yields $\underline{t} = [\star\leftarrow\bar{x}\bar{y}][\bar{x}\leftarrow ?]\cdots[\bar{y}\leftarrow ?]\cdots$ where $\bar{x}$ and $\bar{y}$ are two fresh variables generated respectively by $\lambda x.I(xx)$ and $\delta$:
$$\overline{\lambda x.I(xx)} = (\bar{x}, [\bar{x}\leftarrow\lambda x.\underline{I(xx)}]) = (\bar{x}, [\bar{x}\leftarrow\lambda x.[\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow xx]])$$
of the form $(\bar{x}, [\bar{x}\leftarrow\lambda x.[\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow ?]\cdots[\bar{w}\leftarrow ?]\cdots])$, and
$$\overline{\delta} = (\bar{y}, [\bar{y}\leftarrow\lambda z.\underline{zz}]) = (\bar{y}, [\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]]).$$
The fully transformed $\underline{t}$ is $[\star\leftarrow\bar{x}\bar{y}][\bar{x}\leftarrow\lambda x.[\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow xx]][\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]]$.

Names:
A key point is that crumbled environments and bites are not considered modulo $\alpha$-equivalence, as is standard for abstract machines. Some machine transitions shall rename variables: $\alpha$-equivalence can rename $x$ with $y$ only if they are both in $V_{cr} \setminus \{\star\}$ (resp. both in $V_{calc}$), and $\star$ cannot be renamed. We also need a notion of well-namedness for both $\lambda$-terms and environments.

Definition VII.3 (Well-named). A $\lambda$-term $t$ is well-named if its bound variables are all distinct, and $fv(t)$ and $bv(t)$ are disjoint. An environment $e$ (resp. a bite $b$) is well-named if, whenever two binders bind the same variable $x$, then $x = \star$, and $fv(e) \cap bv(e) \subseteq \{\star\}$ (resp. $fv(b) \cap bv(b) \subseteq \{\star\}$).

Read-back: Bites and environments are mapped to VSC terms via a read-back function, which in particular inverts the crumbling transformation. The distinction between the two kinds of variables plays a role. The intuition is that ES are unfolded when they come from crumbling or when they contain values, so as to include in the read-back the useless part of the work done by $\to_e$ on the calculus. The read-back of a bite $b$ and an environment $e$ are, respectively, the terms $b^{\rightarrow}$ and $e^{\rightarrow}$ defined by:
BITES READ-BACK: $x^{\rightarrow} := x$; $(xy)^{\rightarrow} := xy$; $(\lambda x.e)^{\rightarrow} := \lambda x.e^{\rightarrow}$
CRUMBLED ENVIRONMENTS READ-BACK: $\epsilon^{\rightarrow} := \star$;
$$(e[x\leftarrow b])^{\rightarrow} := \begin{cases} e^{\rightarrow}\{x\leftarrow b^{\rightarrow}\} & \text{if } b = v \text{ or } x \in V_{cr} \\ e^{\rightarrow}[x\leftarrow b^{\rightarrow}] & \text{otherwise.} \end{cases}$$

Lemma VII.4 (Crumbling properties). (Proof p. 31) If $t$ is a well-named $\lambda$-term then $\underline{t}$ is well-named and $\underline{t}^{\rightarrow} = t$.

In the next sections, we shall need a modular deconstruction of read-back, spelled out below.
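As an added worked example (not code from the paper), the Python below implements the crumbling transformation of Fig. 1 and the read-back just defined, checks Lemma VII.4 on the term of Ex. VII.2, and also reads back the environment of the forthcoming Ex. VII.7. The tuple encoding of terms, the naming scheme for crumbling variables ('_1', '_2', ...) and '*' for the pending variable are assumptions of the example, not the paper's notation.

```python
"""Crumbling (Fig. 1) and read-back for a CbV lambda-calculus with ES.

Added illustration, not the paper's code.  Assumed encodings:
  lambda-terms  ('var', x) | ('lam', x, t) | ('app', t, u)
  VSC terms     the above plus ('es', t, x, u) standing for t[x<-u]
  bites         ('var', x) | ('app', x, y) | ('lam', x, env)
  environments  Python lists of (variable, bite) pairs, leftmost ES first
Crumbling variables (V_cr) are named '_1', '_2', ...; the pending variable
star is '*'; every other name belongs to V_calc.
"""
import itertools

STAR = '*'


def is_crumbling_var(x):
    """Membership in V_cr: fresh names introduced by crumbling, plus star."""
    return x == STAR or x.startswith('_')


class Crumbler:
    """The two mutually recursive transformations of Fig. 1."""

    def __init__(self):
        self._counter = itertools.count(1)

    def fresh(self):
        return '_%d' % next(self._counter)

    def aux(self, t):
        """Auxiliary transformation: a variable standing for t, plus an env."""
        if t[0] == 'var':
            return t[1], []
        if t[0] == 'lam':
            z = self.fresh()
            return z, [(z, ('lam', t[1], self.crumble(t[2])))]
        x, e = self.aux(t[1])        # function part
        y, e2 = self.aux(t[2])       # argument part
        z = self.fresh()
        return z, [(z, ('app', x, y))] + e + e2

    def crumble(self, t):
        """Main transformation: the leftmost ES is always on the pending star."""
        if t[0] == 'var':
            return [(STAR, ('var', t[1]))]
        if t[0] == 'lam':
            return [(STAR, ('lam', t[1], self.crumble(t[2])))]
        x, e = self.aux(t[1])
        y, e2 = self.aux(t[2])
        return [(STAR, ('app', x, y))] + e + e2


def subst(t, x, u):
    """t{x<-u} on VSC terms.  No capture check: sound on well-named terms,
    whose bound names are pairwise distinct and disjoint from the free ones."""
    if t[0] == 'var':
        return u if t[1] == x else t
    if t[0] == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, u))
    if t[0] == 'app':
        return ('app', subst(t[1], x, u), subst(t[2], x, u))
    body, y, arg = t[1], t[2], t[3]  # body[y<-arg]
    return ('es', body if y == x else subst(body, x, u), y, subst(arg, x, u))


def readback_bite(b):
    if b[0] == 'var':
        return b
    if b[0] == 'app':
        return ('app', ('var', b[1]), ('var', b[2]))
    return ('lam', b[1], readback_env(b[2]))


def readback_env(e):
    """ES coming from crumbling or holding values are unfolded by substitution;
    the remaining ES (calculus variable bound to an inert bite) are kept."""
    if not e:
        return ('var', STAR)
    prefix, (x, b) = e[:-1], e[-1]
    t = readback_env(prefix)
    if b[0] == 'lam' or is_crumbling_var(x):
        return subst(t, x, readback_bite(b))
    return ('es', t, x, readback_bite(b))


def show(t):
    """Pretty-print a VSC term in the paper's notation."""
    if t[0] == 'var':
        return t[1]
    if t[0] == 'lam':
        return 'λ%s.%s' % (t[1], show(t[2]))
    if t[0] == 'app':
        return '(%s %s)' % (show(t[1]), show(t[2]))
    return '%s[%s<-%s]' % (show(t[1]), t[2], show(t[3]))


# Example VII.2: t = (λx. I (x x)) δ with I = λy.y and δ = λz.zz.
I = ('lam', 'y', ('var', 'y'))
DELTA = ('lam', 'z', ('app', ('var', 'z'), ('var', 'z')))
EX_VII_2 = ('app', ('lam', 'x', ('app', I, ('app', ('var', 'x'), ('var', 'x')))), DELTA)

# Example VII.7: [*<-y][y<-ȳȳ][ȳ<-λz.[*<-zz]] with y in V_calc and ȳ = '_1'.
EX_VII_7 = [(STAR, ('var', 'y')), ('y', ('app', '_1', '_1')),
            ('_1', ('lam', 'z', [(STAR, ('app', 'z', 'z'))]))]

if __name__ == '__main__':
    crumbled = Crumbler().crumble(EX_VII_2)
    print(crumbled)
    assert readback_env(crumbled) == EX_VII_2   # Lemma VII.4 on this term
    print(show(readback_env(EX_VII_7)))         # y[y<-(λz.(z z) λz.(z z))]
```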
Definition VII.5. Let $e$ be an environment. Then the substitution $\sigma_e$ and the substitution context $L_e$ induced by $e$ are given by (where $(*)$ stands for "$b = v$ or $x \in V_{cr}$"):
SUBSTITUTION $\sigma_e$ INDUCED BY $e$: $\sigma_{\epsilon} := Id$;
$$\sigma_{e[x\leftarrow b]} := \begin{cases} \sigma_e\{x\leftarrow b^{\rightarrow}\} & \text{if } (*) \\ \sigma_e & \text{otherwise} \end{cases}$$
SUBSTITUTION CONTEXT $L_e$ INDUCED BY $e$: $L_{\epsilon} := \langle\cdot\rangle$;
$$L_{e[x\leftarrow b]} := \begin{cases} L_e\{x\leftarrow b^{\rightarrow}\} & \text{if } (*) \\ L_e[x\leftarrow b^{\rightarrow}] & \text{otherwise} \end{cases}$$

Lemma VII.6 (Modular read-back). (Proof p. 33) $(ee')^{\rightarrow} = L_{e'}\langle e^{\rightarrow}\sigma_{e'}\rangle$.

Example VII.7.
Let us consider the environment
$$\underbrace{[\star\leftarrow y]}_{e}\;\underbrace{[y\leftarrow\bar{y}\bar{y}][\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]]}_{e'}$$
where $y$ is a "normal" variable (in $V_{calc}$) and $\bar{y}$ is a crumbling variable. Writing $v := (\lambda z.[\star\leftarrow zz])^{\rightarrow} = \lambda z.zz$, the read-back $(ee')^{\rightarrow}$ proceeds as follows:
$$(ee')^{\rightarrow} = ([\star\leftarrow y][y\leftarrow\bar{y}\bar{y}])^{\rightarrow}\{\bar{y}\leftarrow v\} = ([\star\leftarrow y]^{\rightarrow}[y\leftarrow\bar{y}\bar{y}])\{\bar{y}\leftarrow v\} = \big([\star\leftarrow y]^{\rightarrow}\{\bar{y}\leftarrow v\}\big)([y\leftarrow\bar{y}\bar{y}]\{\bar{y}\leftarrow v\})$$
The equality in Lemma VII.6 holds at this point, since $L_{e'} = \langle\cdot\rangle[y\leftarrow\bar{y}\bar{y}]\{\bar{y}\leftarrow v\}$ and $\sigma_{e'} = \{\bar{y}\leftarrow v\}$. The full read-back $(ee')^{\rightarrow}$ is $y[y\leftarrow vv] = y[y\leftarrow(\lambda z.zz)(\lambda z.zz)]$.

VIII. THE OPEN CRUMBLING MACHINE
Here we overview an abstract machine implementing the open VSC $\to_o$, which shall be the starting point for the strong machine of the next section. We keep following the crumbling technique of [25], slightly adapted. The only structure at work in the machine is a crumbled environment, traversed from right to left, together with a pointer to where the machine is operating. Then a machine state $s := e \triangleright e'$ is a pair of crumbled environments where
• Right: $e'$ is the part that has already been processed,
• Left: $e$ is the part yet to be processed, and
• Separator: $\triangleright$ represents the pointer to the active point.
The Open Crumbling Abstract Machine (OCAM) has 4 transitions, two $\beta$-transitions $\leadsto_{\beta_v}$ and $\leadsto_{\beta_i}$, and two overhead transitions $\leadsto_{ren}$ and $\leadsto_{sea}$, detailed below. Compilation is defined as $t^{\circ} := \underline{t} \triangleright \epsilon$ for a well-named $\lambda$-term $t$, and read-back simply as $(e \triangleright e')^{\rightarrow} := (ee')^{\rightarrow}$. By Lemma VII.4, compilation and read-back verify the initialization constraint for the OCAM.

$\beta$-Transitions: They are quite technical, unfortunately, because of crumbling. The idea is that there are two cases, $\leadsto_{\beta_v}$ for when the argument is a value and $\leadsto_{\beta_i}$ for when it is an inert term. In the first case, the machine also does in one single transition both the $\beta$/multiplicative step and the exponential step that is created. Because of crumbling, the $\beta$-redex is given by an application of variables $yz$, whose abstraction and argument are to be found in the environment. Actually, the transitions also do the copy of the abstraction that replaces $y$. They are (further explanations follow):
$$e[x\leftarrow yz] \triangleright e' \;\leadsto_{\beta_v}\; e\,([x\leftarrow b]e''\{w\leftarrow z\}) \triangleright e'$$
$$e[x\leftarrow yz] \triangleright e' \;\leadsto_{\beta_i}\; e[x\leftarrow b]e'' \triangleright [w\leftarrow z]e'$$
where in both cases $e'(y)$ is a value and $(e'(y))^{\alpha} =: \lambda w.([\star\leftarrow b]e'')$ is a well-named copy of $e'(y)$ with fresh names, and $e'(z)$ is a value in $\leadsto_{\beta_v}$, while in $\leadsto_{\beta_i}$ it is an inert bite.

Explanation.
The bite under analysis is $yz$ and $y$ maps to a value $v$ in $e'$, thus the read-back turns $yz$ into $(yz)\sigma_{e'} = \sigma_{e'}(y)\sigma_{e'}(z) = v\sigma_{e'}(z)$, which is a $\beta$/multiplicative redex. The machine copies $v$, obtaining $\lambda w.([\star\leftarrow b]e'')$, as copying corresponds to $\alpha$-renaming. Variables have indeed to be intended as memory locations, and $\alpha$-renaming means making a copy somewhere else in memory. Leaving the argument $z$ aside, what happens in both transitions is: the $\beta$-redex is fired and $yz$ is replaced by the body $[\star\leftarrow b]e''$ of the copied value, which is concatenated with $e$, obtaining $e[x\leftarrow b]e''$. Via read-back, the multiplicative redex is $v\sigma_{e'}(z) = (\lambda w.t)\sigma_{e'}(z)$ with $t = ([\star\leftarrow b]e'')^{\rightarrow}$, which takes a $\mapsto_m$ step to $t[w\leftarrow\sigma_{e'}(z)]$.

Consider now the argument $z$. If it is associated with a value $v$ in $e'$ then its read-back is also a value, namely $v' = v\sigma_{e'}$, and so on the calculus $t[w\leftarrow v']$ is a $\mapsto_e$ redex. The machine substitutes $z$ for $w$ in the body $[x\leftarrow b]e''$ of the copied value. This corresponds to performing the $\mapsto_e$-redex $t[w\leftarrow v'] \mapsto_e t\{w\leftarrow v'\}$ on the calculus. Note that the machine only performs a renaming, it does not duplicate $v'$; up to read-back this is equivalent. If instead $z$ is associated to an inert bite in $e'$, let us assume for a moment that $z$ reads back to an inert term. Then $t[w\leftarrow\sigma_{e'}(z)] = t[w\leftarrow i]$ for some inert term $i$, and no substitution happens.

For $\leadsto_{\beta_v}$ and $\leadsto_{\beta_i}$ to cover all cases, the environment $e'$ needs to satisfy two properties. First, values are not hidden behind chains of renamings, that is, if $e(x) = y$ then $e(y)$ is not a value. Second, if $e(x)$ is an inert bite, then it reads back to an inert term. These two invariants are nicely expressed in "read-back form" via $\sigma_{e'}$: on any reachable state $e \triangleright e'$
• $e'$ is a fireball substitution, that is, $\sigma_{e'}(x)$ is a fireball for every $x \in dom(\sigma_{e'})$.
• $e'$ has immediate values, that is, if $\sigma_{e'}(x)$ is a value and $x \neq \star$ then $e'(x)$ is a value.

Useful Sharing:
The OCAM implements useful sharing because it copies only abstractions and only on demand, that is, only on variable occurrences that are applied, namely on $y$ in the definitions of $\leadsto_{\beta_v}$ and $\leadsto_{\beta_i}$.

Overhead Transitions:
The overhead transition $\leadsto_{ren}$ eliminates explicit renamings, that is, ES containing variables: $e[x\leftarrow y] \triangleright e' \leadsto_{ren} e\{x\leftarrow y\} \triangleright e'$ when $x \neq \star$. The forthcoming pristine invariant of the machine guarantees that $x$ always has at most one occurrence in $e$ (Lemma VIII.3 below), so that $\leadsto_{ren}$ shall not be costly. The overhead transition $\leadsto_{sea}$ simply moves the pointer $\triangleright$ to the left when no other rule is applicable, i.e. when 1) $b$ is a value, or 2) $b$ is $y$ or $yz$ but $e'(y)$ is not a value: $e[x\leftarrow b] \triangleright e' \leadsto_{sea} e \triangleright [x\leftarrow b]e'$.

Example VIII.1.
Let us see how the OCAM reduces the environment from Ex. VII.2:
$$[\star\leftarrow\bar{x}\bar{y}][\bar{x}\leftarrow\lambda x.[\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow xx]][\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]] \triangleright \epsilon$$
$$\leadsto_{sea}\; [\star\leftarrow\bar{x}\bar{y}][\bar{x}\leftarrow\lambda x.[\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow xx]] \triangleright [\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]]$$
$$\leadsto_{sea}\; [\star\leftarrow\bar{x}\bar{y}] \triangleright [\bar{x}\leftarrow\lambda x.[\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow xx]][\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]]$$
$$\leadsto_{\beta_v}\; [\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow\bar{y}\bar{y}] \triangleright [\bar{x}\leftarrow\cdots][\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]]$$
$$\leadsto_{\beta_v}\; [\star\leftarrow\bar{z}\bar{w}][\bar{z}\leftarrow\lambda y.[\star\leftarrow y]][\bar{w}\leftarrow\bar{y}\bar{y}] \triangleright [\bar{x}\leftarrow\cdots][\bar{y}\leftarrow\lambda z.[\star\leftarrow zz]] \;\leadsto_{\beta_v}\; \ldots$$
The first two steps apply the search transition: the two rightmost ES bind values, thus they can just be skipped since there is nothing to evaluate. The next steps apply a $\beta_v$ transition, substituting the body of the abstraction bound in the environment by $\bar{y}$. Evaluation then loops infinitely because the environment has no normal form.

A. Implementation Theorem

The main property for the implementation theorem is relaxed $\beta$-projection. At the open level, one $\beta$-transition projects to one $\to_{om}$ step, plus one $\to_{oe}$ step if the transition is $\leadsto_{\beta_v}$. To prove it, we need that, after read-back, 1) the bite $yz$ rewritten by $\beta$-transitions becomes a $\to_{om}$ redex (with a value as argument for $\leadsto_{\beta_v}$) and 2) it occurs in an open context. Becoming a $\to_{om}$ redex is guaranteed by the two invariants above. Occurring in an open context instead requires the further invariant below.

Now, if $s = e[x\leftarrow yz] \triangleright e'$ performs a $\beta$-transition, by modular read-back (Lemma VII.6) $s^{\rightarrow} = L_{e'}\langle(e[x\leftarrow yz])^{\rightarrow}\sigma_{e'}\rangle$. We have that $L_{e'}$ is an open context. Let us focus on $e[x\leftarrow yz]$. The invariant is that the environments on the left of $\triangleright$ are pristine, that is, in our case $e$ unfolds to $O\langle x\rangle$ for some open context $O$ such that $x \notin vars(O)$.

Definition VIII.2 (Pristine). Pristine environments and pristine bites are mutually defined as follows:
• Environments: $\epsilon$ is a pristine environment; $e[x\leftarrow b]$ is pristine if $e$ and $b$ are pristine, $x \in V_{cr}$, and $e^{\rightarrow} = O\langle x\rangle$ for some open context $O$ such that $x \notin vars(O)$.
• Bites: inert bites are pristine; $\lambda x.e$ is pristine if $e$ is pristine.
The following property shall be crucial for the complexity analysis in Sect. XI.
Lemma VIII.3. (Proof p. 34) If $e[x\leftarrow b]$ is pristine and well-named and $x \neq \star$, then $x$ occurs exactly once in $e$.

Now, if $s = e[x\leftarrow yz] \triangleright e'$, the invariants give $s^{\rightarrow} = L_{e'}\langle O\langle yz\rangle\sigma_{e'}\rangle = L_{e'}\langle O\sigma_{e'}\langle y\sigma_{e'}\, z\sigma_{e'}\rangle\rangle$, which has the desired shape because $L_{e'}\langle O\sigma_{e'}\rangle$ is open (both $O$ and $L_{e'}$ are open, and open contexts are stable by substitution and plugging) and $y\sigma_{e'}\, z\sigma_{e'}$ is a $\mapsto_m$-redex, as seen before. Structural equivalence $\equiv$ plays a role in the projection of $\leadsto_{\beta_i}$, to put the created ES $[w\leftarrow z]$ in the right place.

For the halt property, note that final states have the form $\epsilon \triangleright e'$, which by definition of read-back, Lemma VII.6, and the fireball substitution invariant, reads back to $L_{e'}\langle f\rangle$, where $f$ is a fireball. A last invariant ensures that the substitution context $L_{e'}$ induced by every reachable state $e \triangleright e'$ is an inert (substitution) context, that is, it contains only inert terms; $L_{e'}\langle f\rangle$ is then a fireball, as required. Spelling out the details, one obtains that the OCAM is a relaxed implementation of $(\to_o, \equiv)$.

IX. THE STRONG CRUMBLING MACHINE
Here we define the Strong Crumbling Abstract Machine (SCAM), building on the previous section. Basically, we extend the OCAM with a new strong phase, identified by a new separator $\triangleleft$, whose task is to look for ES $[x\leftarrow v]$ containing values and, once one is found, evaluate $v$ under abstraction if $x$ occurs somewhere in the state, and garbage collect it otherwise.

Garbage Collection: Consider the term $t := (\lambda y.x)(\lambda z.\Omega)$, which evaluates in two $\to_x$ steps to $x$ while containing the diverging subterm $\lambda z.\Omega$. The OCAM executed on $t$ produces the final state $s := \epsilon \triangleright [\star\leftarrow x][y\leftarrow\lambda z.\Omega]$. Now its strong extension should search for ES containing values in $s$, but it has to avoid entering $[y\leftarrow\lambda z.\Omega]$, otherwise it would diverge, breaking the correspondence with $\to_x$. Then the machine has to track which ES are garbage and which are not. Here we assume that the machine can check it easily; the next section discusses how this is implemented.

Deep Implosive Sharing:
Then the machine enters into values whose ES $[x\leftarrow v]$ is such that $x$ does occur, potentially many times. This ingredient accounts for deep implosive sharing. A key point is that the machine enters only inside ES that shall no longer substitute their values (they are left there pending because of useful sharing, as they bind useless occurrences only); this is why the crucial subterm property for complexity analyses is not compromised. Useful sharing, instead, is already implemented by the OCAM, and thus simply inherited by the SCAM.

SCAM:
First of all, we generalize the right component of states, so as to account for evaluation positions under abstraction. The idea is that the right environment $e'$ can be seen as a context, namely $\langle\cdot\rangle e'$, and that going under abstraction simply requires a further context construction.
MACHINE CONTEXTS: $K ::= \langle\cdot\rangle e' \mid e[x\leftarrow\lambda y.K]e'$
STATES: $s ::= e \triangleright K \mid e \triangleleft K$
Often $\langle\cdot\rangle\epsilon$ and $e[x\leftarrow\lambda y.K]\epsilon$ are noted $\langle\cdot\rangle$ and $e[x\leftarrow\lambda y.K]$, respectively. Plugging inside machine contexts, of both environments and machine contexts, is defined as expected, and noted $K\langle e\rangle$ and $K\langle K'\rangle$. We use $\triangleleft\!\triangleright$ for an unspecified separator, i.e. $\triangleleft\!\triangleright \in \{\triangleright, \triangleleft\}$. The idea is that a state $e \triangleleft\!\triangleright K$ represents the environment $K\langle e\rangle$ and the active point is between $K$ and $e$, possibly deep inside many abstractions in $K\langle e\rangle$. Compilation is now defined as $t^{\circ} := \underline{t} \triangleright \langle\cdot\rangle$ for a well-named $\lambda$-term $t$, and read-back as $(e \triangleleft\!\triangleright K)^{\rightarrow} := K\langle e\rangle^{\rightarrow}$. A state $e \triangleleft\!\triangleright K$ is well-named if $K\langle e\rangle$ is well-named.

The Open Phase:
To lift the transitions of the open machine, we have to define the environment $e_K$ induced by a machine context $K$, playing the role played by $e'$ in Sect. VIII.

Definition IX.1. The environment $e_K$ of $K$ is given by $e_{\langle\cdot\rangle e'} := e'$ and $e_{e[x\leftarrow\lambda y.K]e'} := e_K e'$.

The transitions of the OCAM smoothly lift (where $(*)$ stands for "$(e_K(y))^{\alpha} = \lambda w.([\star\leftarrow b]e')$"), as shown in Fig. 2. Note that the last transition applies when 1) $b$ is a value, or 2) $b$ is $y$ or $yz$ but $e_K(y)$ is not a value.

Fig. 2: Open phase of the SCAM.
$$e[x\leftarrow yz] \triangleright K \;\leadsto_{\beta_v}\; e\,([x\leftarrow b]e'\{w\leftarrow z\}) \triangleright K \quad\text{if } (*) \text{ and } e_K(z) = v \text{ for some } v;$$
$$e[x\leftarrow yz] \triangleright K \;\leadsto_{\beta_i}\; e[x\leftarrow b]e' \triangleright K\langle\langle\cdot\rangle[w\leftarrow z]\rangle \quad\text{if } (*) \text{ and } e_K(z) = i \text{ for some } i;$$
$$e[x\leftarrow y] \triangleright K \;\leadsto_{ren}\; e\{x\leftarrow y\} \triangleright K \quad\text{if } x \neq \star;$$
$$e[x\leftarrow b] \triangleright K \;\leadsto_{sea}\; e \triangleright K\langle\langle\cdot\rangle[x\leftarrow b]\rangle \quad\text{if none of the other rules is applicable.}$$

Fig. 3: Strong phase of the SCAM.
$$\epsilon \triangleright K \;\leadsto_{sea}\; \epsilon \triangleleft K$$
$$e \triangleleft K\langle\langle\cdot\rangle[x\leftarrow b]\rangle \;\leadsto_{sea}\; e[x\leftarrow b] \triangleleft K \quad\text{if } b \text{ is not a value;}$$
$$e \triangleleft K\langle\langle\cdot\rangle[x\leftarrow v]\rangle \;\leadsto_{gc}\; e \triangleleft K \quad\text{if } x \notin fv(e) \text{ and } e \text{ is not empty;}$$
$$e \triangleleft K\langle e'[x\leftarrow\lambda y.\langle\cdot\rangle]\rangle \;\leadsto_{sea}\; e'[x\leftarrow\lambda y.e] \triangleleft K$$
$$e \triangleleft K\langle\langle\cdot\rangle[x\leftarrow\lambda y.e']\rangle \;\leadsto_{sea}\; e' \triangleright K\langle e[x\leftarrow\lambda y.\langle\cdot\rangle]\rangle \quad\text{if } x \in fv(e).$$

The Strong Phase:
There are 5 new transitions, which on a state $e \triangleleft K$ inspect $K$ rather than $e$, and accumulate in $e$ the ES that survived the strong phase, which are now fully evaluated. The transitions inspect $K$ from the inside, that is, by looking at what is on the right of the hole $\langle\cdot\rangle$, see Fig. 3. The union of the nine transitions of the SCAM is noted $\leadsto_{SCAM}$. Let us explain the new ones, in the order of Fig. 3.
• The first $\leadsto_{sea}$ simply switches to the strong phase, when the current open phase is over.
• The second $\leadsto_{sea}$ moves the next ES $[x\leftarrow b]$ of the context to the fully evaluated $e$, if $b$ is not a value.
• $\leadsto_{gc}$ garbage collects $[x\leftarrow v]$ when $x$ does not occur in $e$. Checking only $e$ for occurrences is correct: a well-named invariant shall guarantee that $x$ cannot occur in $K$.
• The third $\leadsto_{sea}$ handles the case in which the search has fully processed the current body $e$ of a value, and thus it re-unites the enclosing abstraction $\lambda y$ in $K$ with $e$, adding $\lambda y.e$ to the fully evaluated environment $e'$, and resumes the search at the upper abstraction level.
• The fourth $\leadsto_{sea}$ enters into the body $e'$ of the next ES in $K$, when its content is a value. Searching for values is temporarily over; the machine switches back to the open phase to evaluate $e'$. The fully evaluated environment $e$ and the enclosing abstraction $\lambda y$ are then moved to $K$, and the body $e'$ becomes the new left component of the state.

X. THE STRONG IMPLEMENTATION THEOREM
The definition of the SCAM is a smooth generalization of the OCAM, but its implementation theorem is considerably more sophisticated, because of deep implosive sharing. We overview the main concepts here; many details are in the Appendix. The obstacle is the relaxed $\beta$-projection property.

Multi Contexts: The crux is showing that the read-back $K^{\rightarrow}$ of a machine context (defined below, but keep reading) is an external (evaluation) context $E$, first of all because... it is not. Both strong and machine contexts have exactly one hole, but if $K = e[x\leftarrow\lambda y.K']e'$ then $x$ may have many occurrences in $e$, causing duplications of the hole via read-back; this is the deep implosive sharing ingredient. The first step, then, is to model $K^{\rightarrow}$ as a VSC multi context. We need generic multi contexts, plus external and rigid variants.
MULTI CONTEXTS
GENERIC: $\mathbb{C} ::= \langle\cdot\rangle \mid x \mid \lambda x.\mathbb{C} \mid \mathbb{C}[x\leftarrow\mathbb{C}] \mid \mathbb{C}\mathbb{C}$
EXTERNAL: $\mathbb{E} ::= \langle\cdot\rangle \mid t \mid \lambda x.\mathbb{E} \mid \mathbb{R} \mid \mathbb{E}[x\leftarrow\mathbb{R}]$
RIGID: $\mathbb{R} ::= x \mid \mathbb{R}\mathbb{E} \mid \mathbb{R}[x\leftarrow\mathbb{R}]$
Multi contexts may have no holes, and thus be a term. A multi context is proper if it has at least one hole. Plugging $\mathbb{C}\langle t\rangle$ plugs $t$ in all the holes of $\mathbb{C}$, erasing $t$ if $\mathbb{C}$ is not proper. The next lemma shows that $\mathbb{E}$ is the right generalization of $E$: for every external step $t \to_a u$ with $a \in \{xm, xe\}$, each replaced hole in $\mathbb{E}\langle t\rangle$ is a $\to_a$ redex, and the firing of the redex gives the expected result $\mathbb{E}\langle u\rangle$; similarly for $\mathbb{R}$, see Appendix H (p. 38). We avoid on purpose the definition of a parallel step, which would induce a more complex notion of implementation; parallelism here is more flexibly captured by the diamond property of $\to_x$. For technical reasons, we prove a more general result:

Lemma X.1 (Multi step). (Proof p. 38)
Let E be a proper external multi context with k holes and { a , . . . , a n } ⊆ { xm , xe } .If t → a · · · → a n u then E (cid:104) t (cid:105) ( → a · · · → a n ) k E (cid:104) u (cid:105) where the i -th sequence of steps has the shape E i (cid:104) t (cid:105) → a · · · → a n E i (cid:104) u (cid:105) for an external context E i , for every i ∈ { , . . . , k } . It is easily seen that the grammar of C allows to generate all terms, and the one for R all rigid terms—see the Lemma H.2 in the Appendix (page 38).For E , terms are simply injected in by the grammar itself. ead back then extends to K via the following clauses (reading back usual ES as before), obtaining a multi context: (cid:104)·(cid:105)→ := (cid:104)·(cid:105) and ( e [ x (cid:0) λy.K ]) → := e →{ x (cid:0) λy.K →} . Moreover, it factors in a way similar to the open case (Lemma VII.6). Lemma X.2 (Modular read-back) . Proof p. 40 K (cid:104) e (cid:105)→ = K →(cid:104) e → σ e K (cid:105) .Invariants: Let K be the machine context of a reachable state s . Proving that K → is a proper external multi context E requires delicate and involved invariants, that build on those for the OCAM. An essential concept is the frame of K , thatisolates its fully evaluated part plus the hole.F RAMES F ::= (cid:104)·(cid:105) | e [ x (cid:0) λy.F ] The frame F K of a context K is defined by F (cid:104)·(cid:105) e (cid:48) := (cid:104)·(cid:105) and F e [ x (cid:0) λy.K ] e (cid:48) := e [ x (cid:0) λy.F K ] .Proving that K → is proper , requires an invariant ensuring that F K is garbage-free , so that every variable bound by an ES(but (cid:63) ) occurs, implying that ( e [ x (cid:0) λy.K ]) → = e →{ x (cid:0) λy.K →} does not erase λy.K → and that K → is itself proper.Proving that K → is external , requires a sophisticated goodness invariant, building on the invariants of the OCAM. Roughly, K → is given by F K → where one applies the substitution σ e K and shuffles around the ES in L e K . 
Oversimplifying, goodness says that F_K→ is an external multi context that stays so also after the application of σ_{e_K} and the shuffling of L_{e_K}.

Theorem X.3 (Contextual read-back). Proof p. 54
Let s = e ◁▷ K be a reachable state. Then K→ is a proper external multi context.

Obtaining Thm. X.3 is the difficult and involved step. Then, β-transitions are smoothly projected on →x steps, and the implementation theorem easily follows.

Theorem X.4 (SCAM implementation). Proof p. 54
1) Relaxed β-projection (Proof p. 55): let s be a reachable state. If s ⇝βv s′ then s→ (→xm →xe)^+ s′→, and if s ⇝βi s′ then s→ →xm^+ ≡ s′→.
2) Strong implementation (Proof p. 56): the SCAM is a relaxed implementation of the external strategy (→x, ≡).

XI. COMPLEXITY ANALYSIS OF THE SCAM

Here we prove that the SCAM can be implemented within a bilinear overhead. The proof is simple and mostly follows a standard schema: we bound the number of overhead steps, then bound the cost of single steps, and end by combining the two. It all rests on the size invariant below, that is a quantitative form of the subterm invariant needed for all complexity analyses of abstract machines. The size |t| of the initial term t is one of the two parameters of the analysis, linearly preserved by compilation t◦ = t ▷ ⟨·⟩.

λ-TERMS                      BITES                 ENVS
|x| := 1                     |x| := 1              |ε| := 0
|tu| := |t| + |u| + 1        |xy| := 1             |e[x←b]| := |e| + |b|
|λx.t| := |t| + 1            |λx.e| := 1 + |e|

Lemma XI.1 (Linear compilation). Proof p. 57
Let t be a λ-term. Then |t◦| ≤ |t|.

The size invariant provides a size bound on the values that may be duplicated by β-transitions, that is the only point where the size of states may grow.

Lemma XI.2 (Size invariant). Proof p. 57
Let s = e ◁▷ K be a state reachable from s_0 = e_0 ▷ ⟨·⟩. Then |v| ≤ |e_0| for every value v that occurs in e or e_K if ◁▷ = ▷, or in e_K if ◁▷ = ◁.

Number of Overhead Transitions: We bound the number of overhead transitions in a modular way with respect to the two phases of the machine. First, a global analysis shows that the number of transitions of all strong phases is bounded by the number of transitions of all open phases:
Lemma XI.3 (Open phases bound strong phases). Proof p. 58
Let ρ : s_0 ⇝* s be an execution of the SCAM. Then: |ρ|sea + |ρ|sea + |ρ|gc + |ρ|sea + |ρ|sea ≤ |ρ|βi + 4|ρ|sea + 1.

To quantify the overhead of the open phase, we introduce a new measure ‖·‖ over machine states, tailored to decrease on all open transitions but βs.

CONTEXTS
  ‖⟨·⟩‖ := 0
  ‖e[x←λy.K]‖ := ‖K‖
  ‖K[x←b]‖ := ‖K‖ + |b|
STATES
  ‖e ▷ K‖ := |e| + ‖K‖
  ‖e ◁ K‖ := ‖K‖

Lemma XI.4 (Measure during execution). Proof p. 59
Let s be a state reachable from s_0, and s ⇝a s′.
1) Beta transitions increase the measure: if a ∈ {βλ, βi} then ‖s′‖ ≤ ‖s‖ + ‖s_0‖.
2) Open overhead decreases the measure: if a ∈ {ren, sea} then ‖s′‖ < ‖s‖.
3) Strong phase does not increase the measure: if a ∈ {sea, sea, gc, sea, sea} then ‖s′‖ ≤ ‖s‖.

By combining the two previous lemmas, we obtain a bilinear bound on the total overhead:

Corollary XI.5 (Bilinear number of overhead transitions). Proof p. 60
Let t be a λ-term and ρ : t◦ ⇝*SCAM s be a SCAM execution. Then |ρ| ∈ O((1 + |ρ|β)·|t|).

Cost of Single Steps: We need high-level assumptions on how bites and crumbled environments are concretely implemented; a reference implementation in OCaml is explained in Appendix J, p. 61, and can be downloaded at https://tinyurl.com/y5remxo8. As is standard for machines with global environments, variables are represented as memory locations, variable occurrences as pointers, and an ES [x←b] is the fact that the location associated with x contains b; this allows O(1) look-up in environments. The copy/renaming in β-transitions costs O(|t|) by the size invariant, following Accattoli and Barras [48], essentially implementing the proof-nets representation of a term, which can be seen as a pointer-based DAG.

The SCAM visits the proof-net/DAG in bi-directional ways: environments are visited both right-to-left (open phases) and left-to-right (strong phases), and abstractions are entered/exited at phase switches. Rather than having doubly linked nodes, we adapt to our more general DAG framework the subtler space-conscious technique by McBride [49], itself generalizing the standard zipper technique for lists by Huet [50], obtaining bi-directional moves over the graph in O(1).

To implement ⇝ren in O(1) we need to jump to the occurrence of the renamed variable. By Lemma VIII.3, the renamed variable has at most one occurrence when the rule fires. An implementation can thus keep with no overhead a bi-directional link between the variable and its occurrence, as long as the variable occurs once.

For ⇝gc, variables also carry a reference counter, to test if they occur in O(1). By the size invariant, the size of erased values is O(|t|), but since there can be O((1 + |ρ|β)·|t|) ⇝gc steps (Corollary XI.5), we would obtain a bound quadratic in |t|, which is too loose. The stricter bilinear bound is inferred via a global analysis.
Indeed, by the size invariant the size of a state is bounded by O((1 + |ρ|β)·|t|). So, the global cost of erasing cannot be more than O((1 + |ρ|β)·|t|). Summing all up:

Theorem XI.6 (The SCAM is bilinear). Proof p. 61
Let t be a λ-term and ρ : t◦ ⇝*SCAM s a SCAM execution. Then ρ can be implemented on a RAM in O((1 + |ρ|β)·|t|).

Via the implementation theorem (Theorem X.4), we obtain reasonable cost models for Strong CbV.

Corollary XI.7 (Reasonable cost models). Let t be a λ-term, d : t →*x u, and ρ : t◦ ⇝*SCAM s. Then |d|m and |ρ|m are reasonable time cost models for Strong CbV.

XII. IMPLOSIVENESS AT WORK
Let us give an example of the implosive phenomenon. Consider the following families of terms t_0 := πI and t_{n+1} := π(λz.t_n), where π := λx.λy.((yx)x), and u_0 := λy.((yI)I) and u_{n+1} := λy.((y u_n) u_n). An easy induction shows that →x takes on t_n a number of steps exponential in n. Note that 1) all the β-redexes of t_n are given by a copy of π with just one argument, which is a value, 2) the argument is duplicated, and 3) these facts are stable by evaluation. Therefore, substitution always happens on occurrences of x as arguments. The SCAM never substitutes on arguments, and evaluates them while they are shared, thus avoiding the exponential duplication of redexes.

Proposition XII.1 (Implosive family). Proof p. 66
Let t_n and u_n be as above.
1) External strategy (exponentially many steps): t_n (→xm →xe)^{n−} u_n and u_n is a strong fireball.
2) SCAM implosion (linearly many steps): ρ_n : t_n◦ ⇝*SCAM s_n with s_n→ = u_n and |ρ_n|β = n.
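To see the duplication that the SCAM avoids, here is an added example in Python (not code from the paper or its OCaml implementation): it builds the family t_n of this section, measures terms with the λ-term size |·| of Section XI, and normalizes t_n with a naive substitution-based strong call-by-value evaluator that shares nothing, counting each β-step (a →m step with its substitution performed at once, instead of VSC's separate →m and →e), then checks that the result is a strong fireball in the sense of Lemma B.1. The evaluator, the `T` constructor and the `run` function are assumptions of this example; under them the β-step count and the size of the normal form both grow exponentially in n while |t_n| grows linearly.

```python
"""Sharing-free strong CbV normalization of the implosive family t_n.

Added example, not the paper's code. Terms are plain lambda-terms (no explicit
substitutions), a beta-step performs its substitution at once, and nothing is
shared, so the duplicated argument (lambda z.t_n) is evaluated once per copy.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Union
import itertools


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"


@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"


Term = Union[Var, Lam, App]


def size(t: Term) -> int:
    """|x| = 1, |tu| = |t| + |u| + 1, |lambda x.t| = |t| + 1 (Section XI)."""
    if isinstance(t, Var):
        return 1
    if isinstance(t, Lam):
        return size(t.body) + 1
    return size(t.fun) + size(t.arg) + 1


def free_vars(t: Term) -> set[str]:
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.var}
    return free_vars(t.fun) | free_vars(t.arg)


_fresh = itertools.count()


def subst(t: Term, x: str, s: Term) -> Term:
    """Capture-avoiding meta-level substitution t{x <- s}."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if t.var == x:
        return t
    if t.var in free_vars(s):  # rename the binder so s is not captured
        y = f"{t.var}_{next(_fresh)}"
        t = Lam(y, subst(t.body, t.var, Var(y)))
    return Lam(t.var, subst(t.body, x, s))


class Evaluator:
    """External strategy without sharing: weak CbV first, then under lambdas."""

    def __init__(self) -> None:
        self.beta = 0  # number of beta-steps fired

    def weak(self, t: Term) -> Term:
        if isinstance(t, App):
            f = self.weak(t.fun)
            a = self.weak(t.arg)  # a weak normal form is a fireball
            if isinstance(f, Lam):
                self.beta += 1
                return self.weak(subst(f.body, f.var, a))
            return App(f, a)
        return t  # variables and abstractions are weak normal

    def strong(self, t: Term) -> Term:
        t = self.weak(t)
        if isinstance(t, Lam):
            return Lam(t.var, self.strong(t.body))
        if isinstance(t, App):  # inert head: no new redex at the root
            return App(self.strong(t.fun), self.strong(t.arg))
        return t


def is_strong_inert(t: Term) -> bool:
    if isinstance(t, Var):
        return True
    if isinstance(t, App):
        return is_strong_inert(t.fun) and is_strong_fireball(t.arg)
    return False


def is_strong_fireball(t: Term) -> bool:
    """Value fireball (lambda over a strong fireball) or strong inert term."""
    if isinstance(t, Lam):
        return is_strong_fireball(t.body)
    return is_strong_inert(t)


I = Lam("x", Var("x"))
PI = Lam("x", Lam("y", App(App(Var("y"), Var("x")), Var("x"))))  # pi


def T(n: int) -> Term:
    """t_0 := pi I, t_{n+1} := pi (lambda z.t_n)."""
    t: Term = App(PI, I)
    for _ in range(n):
        t = App(PI, Lam("z", t))
    return t


def run(n: int) -> tuple[int, int, int, bool]:
    """Normalize t_n: (beta-steps, |t_n|, |normal form|, is strong fireball)."""
    ev = Evaluator()
    t = T(n)
    nf = ev.strong(t)
    return ev.beta, size(t), size(nf), is_strong_fireball(nf)


if __name__ == "__main__":
    for n in range(6):
        print(n, run(n))  # steps double at each n, |t_n| grows by 9
```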
XIII. CONCLUSIONS

Our implementative study provides a reasonable time cost model for Strong CbV. It complements the similar result by Accattoli and Dal Lago for Strong CbN, showing that being reasonable applies also to strategies relevant for applications, not just theoretical ones. In particular, thanks to both useful and implosive sharing, the SCAM is the implementation of β-reduction with the lowest overhead in the whole literature. In future work, we plan to adapt our study to call-by-need.

REFERENCES
[1] C. F. Slot and P. van Emde Boas, “On tape versus core; an application of space efficient perfect hash functions to the invariance of space,” in Proceedings of the 16th Annual ACM Symposium on Theory of Computing, April 30 - May 2, 1984, Washington, DC, USA, 1984, pp. 391–400.
[2] A. Condoluci, B. Accattoli, and C. S. Coen, “Sharing equality is linear,” in Proceedings of the 21st International Symposium on Principles and Practice of Programming Languages, PPDP 2019, Porto, Portugal, October 7-9, 2019, 2019, pp. 9:1–9:14. [Online]. Available: https://doi.org/10.1145/3354166.3354174
[3] G. E. Blelloch and J. Greiner, “Parallelism in sequential functional languages,” in Proceedings of the seventh international conference on Functional programming languages and computer architecture, FPCA 1995, La Jolla, California, USA, June 25-28, 1995, 1995, pp. 226–237.
[4] D. Sands, J. Gustavsson, and A. Moran, “Lambda Calculi and Linear Speedups,” in The Essence of Computation, Complexity, Analysis, Transformation. Essays Dedicated to Neil D. Jones, 2002, pp. 60–84.
[5] U. Dal Lago and S. Martini, “On Constructor Rewrite Systems and the Lambda Calculus,” Logical Methods in Computer Science, vol. 8, no. 3, 2012.
[6] U. Dal Lago and S. Martini, “Derivational complexity is an invariant cost model,” in Foundational and Practical Aspects of Resource Analysis - First International Workshop, FOPARA 2009, Eindhoven, The Netherlands, November 6, 2009, Revised Selected Papers, 2009, pp. 100–113.
[7] A. Asperti and H. G. Mairson, “Parallel beta reduction is not elementary recursive,” Inf. Comput., vol. 170, no. 1, pp. 49–80, 2001. [Online]. Available: https://doi.org/10.1006/inco.2001.2869
[8] B. Accattoli and U. Dal Lago, “(Leftmost-outermost) beta reduction is invariant, indeed,” Logical Methods in Computer Science, vol. 12, no. 1, 2016.
[9] B. Accattoli, “The useful MAM, a reasonable implementation of the strong λ-calculus,” in Logic, Language, Information, and Computation - 23rd International Workshop, WoLLIC 2016, Puebla, Mexico, August 16-19th, 2016. Proceedings, 2016, pp. 1–21.
[10] B. Grégoire and X. Leroy, “A compiled implementation of strong reduction,” in Proceedings of the Seventh ACM SIGPLAN International Conference on Functional Programming, ICFP ’02. ACM, 2002, pp. 235–246.
[11] B. Barras, “Auto-validation d’un système de preuves avec familles inductives,” Ph.D. dissertation, Université Paris 7, 1999.
[12] C. P. Wadsworth, “Semantics and pragmatics of the lambda-calculus,” PhD Thesis, Oxford, 1971, chapter 4.
[13] J.-J. Lévy, “Réductions correctes et optimales dans le lambda-calcul,” Thèse d’Etat, Univ. Paris VII, France, 1978.
[14] P. Crégut, “Strongly reducing variants of the Krivine abstract machine,” High. Order Symb. Comput., vol. 20, no. 3, pp. 209–230, 2007.
[15] Á. García-Pérez and P. Nogueira, “The full-reducing Krivine abstract machine KN simulates pure normal-order reduction in lockstep: A proof via corresponding calculus,” J. Funct. Program., vol. 29, p. e7, 2019.
[16] M. Biernacka, D. Biernacki, W. Charatonik, and T. Drab, “An abstract machine for strong call by value,” in Programming Languages and Systems - 18th Asian Symposium, APLAS 2020, Fukuoka, Japan, November 30 - December 2, 2020, Proceedings, 2020, pp. 147–166.
[17] M. Biernacka and W. Charatonik, “Deriving an abstract machine for strong call by need,” in , 2019, pp. 8:1–8:20.
[18] M. S. Ager, D. Biernacki, O. Danvy, and J. Midtgaard, “A functional correspondence between evaluators and abstract machines,” in Proceedings of the 5th International ACM SIGPLAN Conference on Principles and Practice of Declarative Programming, 27-29 August 2003, Uppsala, Sweden, 2003, pp. 8–19.
[19] O. Danvy and L. R. Nielsen, “Refocusing in Reduction Semantics,” BRICS, Tech. Rep. RS-04-26, 2004.
[20] M. Biernacka, W. Charatonik, and K. Zielinska, “Generalized refocusing: From hybrid strategies to abstract machines,” in , 2017, pp. 10:1–10:17.
[21] D. de Carvalho, “Execution time of λ-terms via denotational semantics and intersection types,” Math. Str. in Comput. Sci., vol. 28, no. 7, pp. 1169–1203, 2018.
[22] T. Ehrhard and L. Regnier, “Böhm trees, Krivine’s machine and the Taylor expansion of lambda-terms,” in Logical Approaches to Computational Barriers, Second Conference on Computability in Europe, CiE 2006, Swansea, UK, June 30-July 5, 2006, Proceedings, 2006, pp. 186–197.
[23] B. Accattoli and G. Guerrieri, “Abstract machines for open call-by-value,” Sci. Comput. Program., vol. 184, 2019.
[24] B. Accattoli and C. Sacerdoti Coen, “On the relative usefulness of fireballs,” in , 2015, pp. 141–155.
[25] B. Accattoli, A. Condoluci, G. Guerrieri, and C. Sacerdoti Coen, “Crumbling abstract machines,” in Proceedings of the 21st International Symposium on Principles and Practice of Programming Languages, PPDP 2019, Porto, Portugal, October 7-9, 2019, 2019, pp. 4:1–4:15.
[26] J. Maraist, M. Odersky, and P. Wadler, “The Call-by-Need Lambda Calculus,” Journal of Functional Programming, vol. 8, no. 3, pp. 275–317, 1998.
[27] Z. M. Ariola, M. Felleisen, J. Maraist, M. Odersky, and P. Wadler, “The call-by-need lambda calculus,” in . ACM Press, 1995, pp. 233–246.
[28] Z. M. Ariola and M. Felleisen, “The Call-By-Need lambda Calculus,” J. Funct. Program., vol. 7, no. 3, pp. 265–301, 1997.
[29] D. Kesner, “Reasoning about call-by-need by means of types,” in Foundations of Software Science and Computation Structures - 19th International Conference, FOSSACS 2016, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2016, Eindhoven, The Netherlands, April 2-8, 2016, Proceedings, 2016, pp. 424–441.
[30] T. Balabonski, P. Barenbaum, E. Bonelli, and D. Kesner, “Foundations of strong call by need,” PACMPL, vol. 1, no. ICFP, pp. 20:1–20:29, 2017. [Online]. Available: https://doi.org/10.1145/3110264
[31] A. Asperti and S. Guerrini, The Optimal Implementation of Functional Programming Languages. Cambridge University Press, 1998.
[32] O. Danvy and I. Zerny, “A synthetic operational account of call-by-need evaluation,” in , 2013, pp. 97–108.
[33] G. D. Plotkin, “Call-by-Name, Call-by-Value and the lambda-Calculus,” Theoretical Computer Science, vol. 1, no. 2, pp. 125–159, 1975.
[34] B. Accattoli and G. Guerrieri, “Open Call-by-Value,” in Programming Languages and Systems - 14th Asian Symposium, APLAS 2016, ser. Lecture Notes in Computer Science, vol. 10017. Springer, 2016, pp. 206–226.
[35] L. Paolini and S. Ronchi Della Rocca, “Call-by-value solvability,” RAIRO Theor. Informatics Appl., vol. 33, no. 6, pp. 507–534, 1999.
[36] L. Paolini, “Call-by-value separability and computability,” in Theoretical Computer Science, 7th Italian Conference, ICTCS 2001, Torino, Italy, October 4-6, 2001, Proceedings, 2001, pp. 74–89.
[37] S. Ronchi Della Rocca and L. Paolini, The Parametric λ-Calculus – A Metamodel for Computation, ser. Texts in Theoretical Computer Science. An EATCS Series. Springer, 2004.
[38] P. Curien and H. Herbelin, “The duality of computation,” in Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming (ICFP ’00), Montreal, Canada, September 18-21, 2000, 2000, pp. 233–243.
[39] A. Carraro and G. Guerrieri, “A semantical and operational account of call-by-value solvability,” in Foundations of Software Science and Computation Structures - 17th International Conference, FOSSACS 2014, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2014, Grenoble, France, April 5-13, 2014, Proceedings, 2014, pp. 103–118.
[40] B. Accattoli and L. Paolini, “Call-by-value solvability, revisited,” in Functional and Logic Programming - 11th International Symposium, FLOPS 2012, Kobe, Japan, May 23-25, 2012. Proceedings, 2012, pp. 4–16.
[41] B. Accattoli, “Proof nets and the call-by-value λ-calculus,” Theor. Comput. Sci., vol. 606, pp. 2–24, 2015.
[42] B. Accattoli and C. Sacerdoti Coen, “On the value of variables,” Information and Computation, vol. 255, pp. 224–242, 2017. [Online]. Available: https://doi.org/10.1016/j.ic.2017.01.003
[43] X. Leroy, “The ZINC experiment: an economical implementation of the ML language,” INRIA, Technical report 117, 1990. [Online]. Available: http://gallium.inria.fr/~xleroy/publi/ZINC.pdf
[44] U. Dal Lago and S. Martini, “The weak lambda calculus as a reasonable machine,” Theor. Comput. Sci., vol. 398, no. 1-3, pp. 32–50, 2008.
[45] B. Accattoli, P. Barenbaum, and D. Mazza, “Distilling abstract machines,” in . ACM, 2014, pp. 363–376.
[46] C. Flanagan, A. Sabry, B. F. Duba, and M. Felleisen, “The essence of compiling with continuations (with retrospective),” in 20 Years of the ACM SIGPLAN Conference on Programming Language Design and Implementation 1979-1999, A Selection, PLDI 1993. ACM, 1993, pp. 502–514. [Online]. Available: https://doi.org/10.1145/989393.989443
[47] A. Sabry and M. Felleisen, “Reasoning about Programs in Continuation-Passing Style,” Lisp and Symbolic Computation, vol. 6, no. 3-4, pp. 289–360, 1993.
[48] B. Accattoli and B. Barras, “Environments and the complexity of abstract machines,” in . ACM, 2017, pp. 4–16.
[49] C. McBride, “The derivative of a regular type is its type of one-hole contexts (extended abstract),” 2001.
[50] G. P. Huet, “The zipper,” J. Funct. Program., vol. 7, no. 5, pp. 549–554, 1997. [Online]. Available: http://journals.cambridge.org/action/displayAbstract?aid=44121
[51] H. P. Barendregt, The Lambda Calculus – Its Syntax and Semantics. North-Holland, 1984, vol. 103.
TECHNICAL APPENDIX

APPENDIX A
PRELIMINARIES AND NOTATIONS IN REWRITING

For a relation R on a set of terms, R* is its reflexive-transitive closure. Given a relation →r, an r-evaluation (or simply evaluation if unambiguous) d is a finite sequence of terms (t_i)_{0≤i≤n} (for some n ≥ 0) such that t_i →r t_{i+1} for all 0 ≤ i < n, and we write d : t →*r u if t = t_0 and t_n = u. The length n of d is denoted by |d|, and |d|a is the number of a-steps (i.e. the number of t_i →a t_{i+1} for some 0 ≤ i ≤ n) in d, for a given subrelation →a of →r.

A term t is r-normal if there is no u such that t →r u. An evaluation d : t →*r u is r-normalizing if u is r-normal. A term t is weakly r-normalizing if there is an r-normalizing evaluation d : t →*r u; and t is strongly r-normalizing if there is no infinite sequence (t_i)_{i∈ℕ} such that t = t_0 and t_i →r t_{i+1} for all i ∈ ℕ. Clearly, strong r-normalization implies weak r-normalization.

A relation →r is diamond if u_1 r← t →r u_2 and u_1 ≠ u_2 imply u_1 →r p r← u_2 for some p. As a consequence:
1) →r is confluent (i.e. u_1 *r← t →*r u_2 implies u_1 →*r p *r← u_2 for some p);
2) any term t has at most one normal form (i.e. if t →*r u and t →*r p with u and p r-normal, then u = p);
3) all r-evaluations with the same start and end terms have the same length (i.e. if d : t →*r u and d′ : t →*r u then |d| = |d′|);
4) t is weakly r-normalizing iff it is strongly r-normalizing.

Two relations →r_1 and →r_2 strongly commute if u_1 r_1← t →r_2 u_2 implies u_1 →r_2 p r_1← u_2 for some p. If →r_1 and →r_2 strongly commute and are diamond, then
1) →r = →r_1 ∪ →r_2 is diamond,
2) all r-evaluations with the same start and end terms have the same number of any kind of steps (i.e. if d : t →*r u and d′ : t →*r u then |d|r_1 = |d′|r_1 and |d|r_2 = |d′|r_2).

It is a strong form of confluence and implies uniform normalization (if there is a normalizing sequence from t then there are no diverging sequences from t) and the random descent property (all normalizing sequences from t have the same length).

APPENDIX B
PROOFS OF SECTION II (VSC)
Lemma B.1 (Shape of strong fireballs). Let t be a strong fireball. Then exactly one of the following holds:
• either t is a strong inert term,
• or t is a value fireball.

Proof. Proving that at least one of the two holds is left for the reader. We now prove that only one of them holds:
• Let t be a strong inert term. We prove that t is not a value fireball by structural induction on t:
  – Variable: Trivial.
  – Application: Trivial.
  – ES, i.e. t = i_s[x←i_s′]: Then i_s is not a value fireball (by i.h.), and so neither is t.
• Let t = L⟨λx.f_s⟩, with L = [x_1←i_{s,1}]…[x_n←i_{s,n}], with n ≥ 0. We prove that t is not a strong inert term by induction on n:
  – Empty substitution context, i.e. L = ⟨·⟩: Trivial.
  – Non-empty substitution context, i.e. L = L′[x←i_{s,n+1}]: Since L′⟨λx.f⟩ is not a strong inert term (by i.h.), then neither is L′⟨λx.f⟩[x←i_{s,n+1}] = t.

Proposition B.2 (Characterization of normal forms). See p. 5, Lemma II.5.
Let t be a VSC term. t is →vsc-normal if and only if t is a strong fireball.

Proof. We prove the two directions of the equivalence separately.
1) Let t be vsc-normal. We shall prove that t is a strong fireball by induction on t:
• Variable. Trivial.
• Abstraction, i.e. t = λx.u. As t is →vsc-normal, so is u. By i.h., u is a strong fireball, and then so is t.
• Application, i.e. t = t_1 t_2. Since t is →vsc-normal, so are t_1 and t_2. By i.h., t_1 and t_2 are strong fireballs. Note that t_1 ≠ L⟨λx.u⟩, otherwise t ↦m L⟨u[x←t_2]⟩, which contradicts the vsc-normality of t. So, t_1 is a strong inert term (by Lemma B.1), thus t is a strong fireball.
• Explicit substitution, i.e. t = t_1[x←t_2]. Since t is vsc-normal, then so are t_1 and t_2. By i.h., t_1 and t_2 are strong fireballs. Note that t_2 ≠ L⟨v⟩, otherwise t ↦e L⟨t_1{x←v}⟩, which contradicts the vsc-normality of t. Thus t_2 is a strong inert term (by Lemma B.1), and so t is a strong fireball.
2) Let t be a strong fireball. We prove that t is vsc-normal by induction on the definition of strong fireball.
• Variable. Trivial.
• Abstraction, i.e. t = λx.f_s. By i.h., f_s is vsc-normal, and hence so is t.
• Application, i.e. t = i_s f_s. By i.h., i_s and f_s are vsc-normal. Since i_s is not of the form L⟨λx.u⟩ (by Lemma B.1), then t is also vsc-normal.
• Explicit substitution, i.e. t = f_s[x←i_s] (it includes the case when f_s is a strong inert term). By i.h., both f_s and i_s are vsc-normal. Since i_s is not of the form L⟨v⟩ (by Lemma B.1), then t is also vsc-normal.

Lemma B.3 (Basic Properties of λvsc).
1) →m and →e are strongly normalizing (separately).
2) →om and →oe are diamond (separately).
3) →om and →oe strongly commute.

Proof. The statements of Lemma B.3 are a refinement of some results proved in [40], where →o is denoted by →w.
1) See [40, Lemma 3].
2) We prove that →om is diamond, i.e. if u om← t →om p with u ≠ p then there exists t′ ∈ Λvsc such that u →om t′ om← p. The proof is by induction on the definition of →om. Since there t →om p ≠ u and the reduction →om is weak, there are only eight cases:
• Step at the Root for t →om u and Application Right for t →om p, i.e. t := L⟨λx.r⟩q ↦m L⟨r[x←q]⟩ =: u and t →om L⟨λx.r⟩q′ =: p with q →om q′: then, u →om L⟨r[x←q′]⟩ om← p;
• Step at the Root for t →om u and Application Left for t →om p, i.e., for some n > 0, t := (λx.r)[x_1←t_1]…[x_n←t_n]q ↦m r[x←q][x_1←t_1]…[x_n←t_n] =: u whereas t →om (λx.r)[x_1←t_1]…[x_j←t′_j]…[x_n←t_n]q =: p with t_j →om t′_j for some 1 ≤ j ≤ n: then, u →om r[x←q][x_1←t_1]…[x_j←t′_j]…[x_n←t_n] om← p;
• Application Left for t →om u and Application Right for t →om p, i.e. t := qr →om q′r =: u and t →om qr′ =: p with q →om q′ and r →om r′: then, u →om q′r′ om← p;
• Application Left for both t →om u and t →om p, i.e. t := qr →om q′r =: u and t →om q″r =: p with q′ om← q →om q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →om q_0 om← q″, hence u →om q_0 r om← p;
• Application Right for both t →om u and t →om p, i.e. t := rq →om rq′ =: u and t →om rq″ =: p with q′ om← q →om q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →om q_0 om← q″, hence u →om rq_0 om← p;
• ES left for t →om u and ES right for t →om p, i.e. t := q[x←r] →om q′[x←r] =: u and t →om q[x←r′] =: p with q →om q′ and r →om r′: then, u →om q′[x←r′] om← p;
• ES left for both t →om u and t →om p, i.e. t := q[x←r] →om q′[x←r] =: u and t →om q″[x←r] =: p with q′ om← q →om q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →om q_0 om← q″, hence u →om q_0[x←r] om← p;
• ES right for both t →om u and t →om p, i.e. t := r[x←q] →om r[x←q′] =: u and t →om r[x←q″] =: p with q′ om← q →om q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →om q_0 om← q″, hence u →om r[x←q_0] om← p.

We prove that →oe is diamond, i.e. if u oe← t →oe p with u ≠ p then there exists t′ ∈ Λvsc such that u →oe t′ oe← p. The proof is by induction on the definition of →oe. Since there t →oe p ≠ u and the reduction →oe is weak, there are only eight cases:
• Step at the Root for t →oe u and ES left for t →oe p, i.e. t := q[x←L⟨v⟩] ↦e L⟨q{x←v}⟩ =: u and t →oe q′[x←L⟨v⟩] =: p with q →oe q′: then, u →oe L⟨q′{x←v}⟩ oe← p;
• Step at the Root for t →oe u and ES right for t →oe p, i.e., for some n > 0, t := q[x←v[x_1←t_1]…[x_n←t_n]] ↦e q{x←v}[x_1←t_1]…[x_n←t_n] =: u whereas t →oe q[x←v[x_1←t_1]…[x_j←t′_j]…[x_n←t_n]] =: p with t_j →oe t′_j for some 1 ≤ j ≤ n: then, u →oe q{x←v}[x_1←t_1]…[x_j←t′_j]…[x_n←t_n] oe← p;
• Application Left for t →oe u and Application Right for t →oe p, i.e. t := qr →oe q′r =: u and t →oe qr′ =: p with q →oe q′ and r →oe r′: then, u →oe q′r′ oe← p;
• Application Left for both t →oe u and t →oe p, i.e. t := qr →oe q′r =: u and t →oe q″r =: p with q′ oe← q →oe q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →oe q_0 oe← q″, hence u →oe q_0 r oe← p;
• Application Right for both t →oe u and t →oe p, i.e. t := rq →oe rq′ =: u and t →oe rq″ =: p with q′ oe← q →oe q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →oe q_0 oe← q″, hence u →oe rq_0 oe← p;
• ES left for t →oe u and ES right for t →oe p, i.e. t := q[x←r] →oe q′[x←r] =: u and t →oe q[x←r′] =: p with q →oe q′ and r →oe r′: then, u →oe q′[x←r′] oe← p;
• ES left for both t →oe u and t →oe p, i.e. t := q[x←r] →oe q′[x←r] =: u and t →oe q″[x←r] =: p with q′ oe← q →oe q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →oe q_0 oe← q″, hence u →oe q_0[x←r] oe← p;
• ES right for both t →oe u and t →oe p, i.e. t := r[x←q] →oe r[x←q′] =: u and t →oe r[x←q″] =: p with q′ oe← q →oe q″: by i.h., there exists q_0 ∈ Λvsc such that q′ →oe q_0 oe← q″, hence u →oe r[x←q_0] oe← p.

Note that in [40, Lemma 11] only the strong confluence of →vsc has been proved, not that of →m or →e.

3) We show that →oe and →om strongly commute, i.e. if u oe← t →om p, then u ≠ p and there is t′ ∈ Λvsc such that u →om t′ oe← p. The proof is by induction on the definition of t →oe u. The proof that u ≠ p is left to the reader. Since →e and →m cannot reduce under λ’s, all values are om-normal and oe-normal. So, there are the following cases.
• Step at the Root for t →oe u and ES left for t →om p, i.e. t := q[z←L⟨v⟩] →oe L⟨q{z←v}⟩ =: u and t →om q′[z←L⟨v⟩] =: p with q →om q′: then u →om L⟨q′{z←v}⟩ oe← p;
• Step at the Root for t →oe u and ES right for t →om p, i.e. t := q[z←v[x_1←t_1]…[x_n←t_n]] →oe q{z←v}[x_1←t_1]…[x_n←t_n] =: u and t →om q[z←v[x_1←t_1]…[x_j←t′_j]…[x_n←t_n]] =: p for some n > 0, and t_j →om t′_j for some 1 ≤ j ≤ n: then, u →om q{z←v}[x_1←t_1]…[x_j←t′_j]…[x_n←t_n] oe← p;
• Application Left for t →oe u and Application Right for t →om p, i.e. t := qr →oe q′r =: u and t →om qr′ =: p with q →oe q′ and r →om r′: then, u →om q′r′ oe← p;
• Application Left for both t →oe u and t →om p, i.e. t := qr →oe q′r =: u and t →om q″r =: p with q′ oe← q →om q″: by i.h., there exists s ∈ Λvsc such that q′ →om s oe← q″, hence u →om sr oe← p;
• Application Left for t →oe u and Step at the Root for t →om p, i.e. t := (λx.r)[x_1←t_1]…[x_n←t_n]q →oe (λx.r)[x_1←t_1]…[x_j←t′_j]…[x_n←t_n]q =: u with n > 0 and t_j →oe t′_j for some 1 ≤ j ≤ n, and t →om r[x←q][x_1←t_1]…[x_n←t_n] =: p. Then, u →om r[x←q][x_1←t_1]…[x_j←t′_j]…[x_n←t_n] oe← p;
• Application Right for t →oe u and Application Left for t →om p, i.e. t := rq →oe rq′ =: u and t →om r′q =: p with q →oe q′ and r →om r′: then, u →om r′q′ oe← p;
• Application Right for both t →oe u and t →om p, i.e. t := rq →oe rq′ =: u and t →om rq″ =: p with q′ oe← q →om q″: by i.h., there exists s ∈ Λvsc such that q′ →om s oe← q″, hence u →om rs oe← p;
• Application Right for t →oe u and Step at the Root for t →om p, i.e. t := L⟨λx.r⟩q →oe L⟨λx.r⟩q′ =: u with q →oe q′, and t →om L⟨r[x←q]⟩ =: p: then, u →om L⟨r[x←q′]⟩ oe← p;
• ES left for t →oe u and ES right for t →om p, i.e. t := q[x←r] →oe q′[x←r] =: u and t →om q[x←r′] =: p with q →oe q′ and r →om r′: then, u →om q′[x←r′] oe← p;
• ES left for both t →oe u and t →om p, i.e. t := q[x←r] →oe q′[x←r] =: u and t →om q″[x←r] =: p with q′ oe← q →om q″: by i.h., there is s ∈ Λvsc such that q′ →om s oe← q″, hence u →om s[x←r] oe← p;
• ES right for t →oe u and ES left for t →om p, i.e. t := r[x←q] →oe r[x←q′] =: u and t →om r′[x←q] =: p with q →oe q′ and r →om r′: then, u →om r′[x←q′] oe← p;
• ES right for both t →oe u and t →om p, i.e. t := r[x←q] →oe r[x←q′] =: u and t →om r[x←q″] =: p with q′ oe← q →om q″: by i.h., there is s ∈ Λvsc such that q′ →om s oe← q″, so u →om r[x←s] oe← p.

APPENDIX C
PROOFS OF SECTION
III (E
XTERNAL S TRATEGY ) Lemma C.1 (Properties of rigid terms) .
1) Given $t \in \Lambda_{vsc}$ and a rigid context $R$, $R\langle t \rangle$ is a rigid term.
2) Let $r$ be a rigid term and $t \in \Lambda_{vsc}$ such that $r \to_o t$. Then $t$ is rigid.
3) Let $r$ be a rigid term and $t \in \Lambda_{vsc}$ such that $r \to_x t$. Then $t$ is rigid.
Proof.
1) By induction on the definition of $R$.
2) Let $O$ be an open evaluation context such that $r = O\langle u \rangle \to_o O\langle u' \rangle = t$, with $u \mapsto_m u'$ or $u \mapsto_e u'$. We prove this for $\to_{om}$ by structural induction on $O$; the proof for $\to_{oe}$ follows the same schema.
• Empty context; i.e., $O = \langle\cdot\rangle$. This case is not possible, because it would imply that $r = u = L\langle \lambda x.p \rangle\, q$, which is not a rigid term.
• Application right; i.e., $O = qO'$. As $r = qO'\langle u \rangle$, then $q$ is a rigid term, and so $qO'\langle u' \rangle = t$ is rigid.
• Application left; i.e., $O = O'q$. As $r = O'\langle u \rangle\, q$ and $O'\langle u' \rangle$ is rigid by i.h., then $O'\langle u' \rangle\, q = t$ is rigid too.
• ES left; i.e., $O = O'[x \leftarrow q]$. Since $r = O'\langle u \rangle[x \leftarrow q]$, then both $O'\langle u \rangle$ and $q$ are rigid. Moreover, $O'\langle u' \rangle$ is rigid by i.h., and so $O'\langle u' \rangle[x \leftarrow q] = t$ is rigid too.
• ES right; i.e., $O = q[x \leftarrow O']$. Since $r = q[x \leftarrow O'\langle u \rangle]$, then both $q$ and $O'\langle u \rangle$ are rigid. Moreover, $O'\langle u' \rangle$ is rigid by i.h., and so $q[x \leftarrow O'\langle u' \rangle] = t$ is rigid too.
3) Let $S$ be a strong evaluation context such that $r = S\langle u \rangle \to_x S\langle u' \rangle = t$, with $u \to_{om} u'$ or $u \to_{oe} u'$. We prove this for $u \to_{om} u'$ by structural induction on $S$; the proof for $\to_{oe}$ follows the same schema.
• Empty context; i.e., $S = \langle\cdot\rangle$. Then $r = u \to_{om} u' = t$ and the statement holds by Lemma C.1.2.
• Under $\lambda$-abstraction right; i.e., $S = \lambda x.S'$. This case is not possible, because it would imply that $r = \lambda x.S'\langle u \rangle$, which is not a rigid term.
• External context, ES right; i.e., $S = q[x \leftarrow R]$. Since $r = q[x \leftarrow R\langle u \rangle]$, then both $q$ and $R\langle u \rangle$ are rigid terms. Moreover, $R\langle u' \rangle$ is rigid by i.h., and so $q[x \leftarrow R\langle u' \rangle] = t$ is rigid too.
• External context, ES left; i.e., $S = S'[x \leftarrow q]$, with $q$ a rigid term. Since $r = S'\langle u \rangle[x \leftarrow q]$, then $S'\langle u \rangle$ is rigid. Moreover, $S'\langle u' \rangle$ is rigid by i.h., and so $S'\langle u' \rangle[x \leftarrow q] = t$ is rigid too.
• Rigid context, application right; i.e., $S = qS'$, with $q$ a rigid term. Then $qS'\langle u' \rangle = t$ is rigid too.
• Rigid context, application left; i.e., $S = Rq$. Since $r = R\langle u \rangle\, q$, then $R\langle u \rangle$ is rigid. Moreover, $R\langle u' \rangle$ is rigid by i.h., and so $R\langle u' \rangle\, q = t$ is rigid too.
• Rigid context, ES left; i.e., $S = R[x \leftarrow q]$, with $q$ a rigid term. Since $r = R\langle u \rangle[x \leftarrow q]$, then $R\langle u \rangle$ is rigid. Moreover, $R\langle u' \rangle$ is rigid by i.h., and so $R\langle u' \rangle[x \leftarrow q] = t$ is rigid too.
• Rigid context, ES right; i.e., $S = q[x \leftarrow R]$, with $q$ a rigid term. Since $r = q[x \leftarrow R\langle u \rangle]$, then $R\langle u \rangle$ is rigid. Moreover, $R\langle u' \rangle$ is rigid by i.h., and so $q[x \leftarrow R\langle u' \rangle] = t$ is rigid too.

The properties stated by the next lemma are the building blocks for the proof that $\to_x$ is diamond, which comes right after it. In particular, the strong commutation of $\to_{xm}$ and $\to_{xe}$ ensures that the diamond of $\to_x$ preserves the kind of step, thus strengthening the diamond of $\to_x$ with the guarantee that all $\to_x$ sequences to normal form (if any) have the same number of $\to_m$ steps.

Lemma C.2 (Basic Properties of $\to_x$).
1) $\to_{xm}$ and $\to_{xe}$ are diamond (separately).
2) $\to_{xm}$ and $\to_{xe}$ strongly commute.
Proof.
1) We prove that $\to_{xm}$ is diamond, i.e. if $u \;{}_{xm}\!\leftarrow t \to_{xm} p$ with $u \neq p$ then there exists $t' \in \Lambda_{vsc}$ such that $u \to_{xm} t' \;{}_{xm}\!\leftarrow p$ (the proof that $\to_{xe}$ is diamond is analogous). The proof is by structural induction on $t$, doing case analysis on $t \to_{xm} u$ and $t \to_{xm} p$:
• Under $\lambda$-abstraction for both $t \to_{xm} u$ and $t \to_{xm} p$; i.e., $t = \lambda x.q \to_{xm} \lambda x.r = u$ and $t = \lambda x.q \to_{xm} \lambda x.s = p$, with $q \to_{xm} r$ and $q \to_{xm} s$. By i.h. there exists $q'$ such that $r \to_{xm} q' \;{}_{xm}\!\leftarrow s$, and so $u = \lambda x.r \to_{xm} \lambda x.q' \;{}_{xm}\!\leftarrow \lambda x.s = p$.
• Application right for $t \to_{xm} u$ and application left for $t \to_{xm} p$; i.e., $t = qr \to_{xm} qr' = u$ and $t = qr \to_{xm} q'r = p$. There are several sub-cases to this:
  – Let $t = qr = qO\langle \tilde r \rangle \to_{om} qO\langle \tilde r' \rangle = u$, with $\tilde r \mapsto_m \tilde r'$, and $t = R\langle \tilde q \rangle\, r \to_{xm} R\langle \tilde q' \rangle\, r = p$, with $\tilde q \to_{om} \tilde q'$. Let $t' := R\langle \tilde q' \rangle\, O\langle \tilde r' \rangle$, having that $u = R\langle \tilde q \rangle\, O\langle \tilde r' \rangle \to_{xm} t' \;{}_{xm}\!\leftarrow R\langle \tilde q' \rangle\, O\langle \tilde r \rangle = p$. Note that $u \to_{xm} t'$ holds because every rigid context is an open context.
  – Let $t = qr = qO\langle \tilde r \rangle \to_{om} qO\langle \tilde r' \rangle = u$, with $\tilde r \mapsto_m \tilde r'$, and $t = O\langle \tilde q \rangle\, r \to_{om} O\langle \tilde q' \rangle\, r = p$, with $\tilde q \mapsto_m \tilde q'$. Then the statement holds by Lemma B.3.2.
  – Let $t = qS\langle \tilde r \rangle \to_{xm} qS\langle \tilde r' \rangle = u$, with $q$ a rigid term and $\tilde r \to_{om} \tilde r'$, and $t = R\langle \tilde q \rangle\, r \to_{xm} R\langle \tilde q' \rangle\, r = p$, with $\tilde q \to_{om} \tilde q'$. Let $t' := R\langle \tilde q' \rangle\, S\langle \tilde r' \rangle$, having that $u = R\langle \tilde q \rangle\, S\langle \tilde r' \rangle \to_{xm} t' \;{}_{xm}\!\leftarrow R\langle \tilde q' \rangle\, S\langle \tilde r \rangle = p$. Note that $t' \;{}_{xm}\!\leftarrow p$ holds because $R\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.1).
  – Let $t = qS\langle \tilde r \rangle \to_{xm} qS\langle \tilde r' \rangle = u$, with $q$ a rigid term and $\tilde r \to_{om} \tilde r'$, and $t = O\langle \tilde q \rangle\, r \to_{xm} O\langle \tilde q' \rangle\, r = p$, with $\tilde q \mapsto_m \tilde q'$. Let $t' := O\langle \tilde q' \rangle\, S\langle \tilde r' \rangle$, having that $u = O\langle \tilde q \rangle\, S\langle \tilde r' \rangle \to_{xm} t' \;{}_{xm}\!\leftarrow O\langle \tilde q' \rangle\, S\langle \tilde r \rangle = p$. Note that $t' \;{}_{xm}\!\leftarrow p$ holds because the fact that $q$ is a rigid term and that $q = O\langle \tilde q \rangle \to_{om} O\langle \tilde q' \rangle$ imply that $O\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.2).
• Application right for both $t \to_{xm} u$ and $t \to_{xm} p$; i.e., $t = qr \to_{xm} qr' = u$ and $t = qr \to_{xm} qr'' = p$. By i.h. there exists $s \in \Lambda_{vsc}$ such that $r' \to_{xm} s \;{}_{xm}\!\leftarrow r''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $t \to_{xm} u$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = qr' \to_{xm} qs \;{}_{xm}\!\leftarrow qr'' = p$.
• Application left for both $t \to_{xm} u$ and $t \to_{xm} p$; i.e., $t = qr \to_{xm} q'r = u$ and $t = qr \to_{xm} q''r = p$. By i.h. there exists $s \in \Lambda_{vsc}$ such that $q' \to_{xm} s \;{}_{xm}\!\leftarrow q''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $t \to_{xm} u$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = q'r \to_{xm} sr \;{}_{xm}\!\leftarrow q''r = p$.
• ES right for $t \to_{xm} u$ and ES left for $t \to_{xm} p$; i.e., $t = q[x \leftarrow r] \to_{xm} q[x \leftarrow r'] = u$ and $t = q[x \leftarrow r] \to_{xm} q'[x \leftarrow r] = p$. There are several sub-cases to this:
  – Let $t = q[x \leftarrow O\langle \tilde r \rangle] \to_{xm} q[x \leftarrow O\langle \tilde r' \rangle] = u$, with $\tilde r \mapsto_m \tilde r'$, and $t = O\langle \tilde q \rangle[x \leftarrow r] \to_{xm} O\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \mapsto_m \tilde q'$. Then the statement holds by Lemma B.3.2.
  – Let $t = q[x \leftarrow O\langle \tilde r \rangle] \to_{xm} q[x \leftarrow O\langle \tilde r' \rangle] = u$, with $\tilde r \mapsto_m \tilde r'$, and $t = S\langle \tilde q \rangle[x \leftarrow r] \to_{xm} S\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := S\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r' \rangle]$, having that $u = S\langle \tilde q \rangle[x \leftarrow O\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow S\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because the fact that $r$ is a rigid term and that $r = O\langle \tilde r \rangle \to_{xm} O\langle \tilde r' \rangle$ imply that $O\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $t = q[x \leftarrow O\langle \tilde r \rangle] \to_{xm} q[x \leftarrow O\langle \tilde r' \rangle] = u$, with $\tilde r \mapsto_m \tilde r'$, and $t = R\langle \tilde q \rangle[x \leftarrow r] \to_{xm} R\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := R\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r' \rangle]$, having that $u = R\langle \tilde q \rangle[x \leftarrow O\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow R\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because the fact that $r$ is a rigid term and that $r = O\langle \tilde r \rangle \to_{xm} O\langle \tilde r' \rangle$ imply that $O\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.2).
  – Let $t = q[x \leftarrow R\langle \tilde r \rangle] \to_{xm} q[x \leftarrow R\langle \tilde r' \rangle] = u$, with $\tilde r \to_{om} \tilde r'$, and $t = O\langle \tilde q \rangle[x \leftarrow r] \to_{xm} O\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \mapsto_m \tilde q'$. Let $t' := O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = O\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$.
  – Let $t = q[x \leftarrow R\langle \tilde r \rangle] \to_{xm} q[x \leftarrow R\langle \tilde r' \rangle] = u$, with $\tilde r \to_{om} \tilde r'$, and $t = S\langle \tilde q \rangle[x \leftarrow r] \to_{xm} S\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = S\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because the fact that $r$ is a rigid term and that $r = R\langle \tilde r \rangle \to_{xm} R\langle \tilde r' \rangle$ imply that $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $t = q[x \leftarrow R\langle \tilde r \rangle] \to_{xm} q[x \leftarrow R\langle \tilde r' \rangle] = u$, with $\tilde r \to_{om} \tilde r'$, and $t = R\langle \tilde q \rangle[x \leftarrow r] \to_{xm} R\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = R\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because the fact that $r$ is a rigid term and that $r = R\langle \tilde r \rangle \to_{xm} R\langle \tilde r' \rangle$ imply that $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $t = q[x \leftarrow R\langle \tilde r \rangle] \to_{xm} q[x \leftarrow R\langle \tilde r' \rangle] = u$, with $\tilde r \to_{om} \tilde r'$ and $q$ a rigid term, and $t = O\langle \tilde q \rangle[x \leftarrow r] \to_{xm} O\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \mapsto_m \tilde q'$. Let $t' := O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = O\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $t' \;{}_{xm}\!\leftarrow p$ holds because the fact that $r$ is a rigid term and that $r = R\langle \tilde r \rangle \to_{xm} R\langle \tilde r' \rangle$ imply that $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $t = q[x \leftarrow R\langle \tilde r \rangle] \to_{xm} q[x \leftarrow R\langle \tilde r' \rangle] = u$, with $\tilde r \to_{om} \tilde r'$ and $q$ a rigid term, and $t = S\langle \tilde q \rangle[x \leftarrow r] \to_{xm} S\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = S\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because the fact that $r$ is a rigid term and that $r = R\langle \tilde r \rangle \to_{xm} R\langle \tilde r' \rangle$ imply that $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3). Moreover, note that $t' \;{}_{xm}\!\leftarrow p$ holds because the fact that $q$ is a rigid term and that $q = S\langle \tilde q \rangle \to_{xm} S\langle \tilde q' \rangle$ imply that $S\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $t = q[x \leftarrow R\langle \tilde r \rangle] \to_{xm} q[x \leftarrow R\langle \tilde r' \rangle] = u$, with $\tilde r \to_{om} \tilde r'$ and $q$ a rigid term, and $t = R\langle \tilde q \rangle[x \leftarrow r] \to_{xm} R\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = R\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xm}\!\leftarrow R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because the fact that $r$ is a rigid term and that $r = R\langle \tilde r \rangle \to_{xm} R\langle \tilde r' \rangle$ imply that $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3). Moreover, note that $t' \;{}_{xm}\!\leftarrow p$ holds because the fact that $q$ is a rigid term and that $q = R\langle \tilde q \rangle \to_{xm} R\langle \tilde q' \rangle$ imply that $R\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.3).
• ES right for both $t \to_{xm} u$ and $t \to_{xm} p$; i.e., $t = q[x \leftarrow r] \to_{xm} q[x \leftarrow r'] = u$ and $t = q[x \leftarrow r] \to_{xm} q[x \leftarrow r''] = p$. By i.h. there exists $s \in \Lambda_{vsc}$ such that $r' \to_{xm} s \;{}_{xm}\!\leftarrow r''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $t \to_{xm} u$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = q[x \leftarrow r'] \to_{xm} q[x \leftarrow s] \;{}_{xm}\!\leftarrow q[x \leftarrow r''] = p$.
• ES left for both $t \to_{xm} u$ and $t \to_{xm} p$; i.e., $t = q[x \leftarrow r] \to_{xm} q'[x \leftarrow r] = u$ and $t = q[x \leftarrow r] \to_{xm} q''[x \leftarrow r] = p$. By i.h. there exists $s \in \Lambda_{vsc}$ such that $q' \to_{xm} s \;{}_{xm}\!\leftarrow q''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $t \to_{xm} u$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = q'[x \leftarrow r] \to_{xm} s[x \leftarrow r] \;{}_{xm}\!\leftarrow q''[x \leftarrow r] = p$.
The proof that $\to_{xe}$ is diamond (i.e., if $u \;{}_{xe}\!\leftarrow t \to_{xe} p$ with $u \neq p$ then there exists $t' \in \Lambda_{vsc}$ such that $u \to_{xe} t' \;{}_{xe}\!\leftarrow p$) follows the same schema as for $\to_{xm}$.
2) We show that $\to_{xe}$ and $\to_{xm}$ strongly commute; i.e., if $u \;{}_{xe}\!\leftarrow t \to_{xm} p$, then $u \neq p$ and there is $t' \in \Lambda_{vsc}$ such that $u \to_{xm} t' \;{}_{xe}\!\leftarrow p$. The proof is by structural induction on $t$, doing case analysis on $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$:
• Under $\lambda$-abstraction for both $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$; i.e., $u = \lambda x.r \;{}_{xe}\!\leftarrow \lambda x.q = t$ and $t = \lambda x.q \to_{xm} \lambda x.s = p$, with $r \;{}_{oe}\!\leftarrow q \to_{om} s$. By Lemma B.3.3, there exists $q'$ such that $r \to_{om} q' \;{}_{oe}\!\leftarrow s$, and so $u = \lambda x.r \to_{xm} \lambda x.q' \;{}_{xe}\!\leftarrow \lambda x.s = p$.
• Application right for $u \;{}_{xe}\!\leftarrow t$ and application left for $t \to_{xm} p$; i.e., $u = qr' \;{}_{xe}\!\leftarrow qr = t$ and $t = qr \to_{xm} q'r = p$. There are several sub-cases to this:
  – Let $u = qO\langle \tilde r' \rangle \;{}_{xe}\!\leftarrow qO\langle \tilde r \rangle = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$, and $t = R\langle \tilde q \rangle\, r \to_{xm} R\langle \tilde q' \rangle\, r = p$, with $\tilde q \to_{om} \tilde q'$. Let $t' = R\langle \tilde q' \rangle\, O\langle \tilde r' \rangle$, having that $u = R\langle \tilde q \rangle\, O\langle \tilde r' \rangle \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q' \rangle\, O\langle \tilde r \rangle = p$.
  – Let $u = qO\langle \tilde r' \rangle \;{}_{xe}\!\leftarrow qO\langle \tilde r \rangle = t$, and $t = O\langle \tilde q \rangle\, r \to_{xm} O\langle \tilde q' \rangle\, r = p$, with $\tilde q \mapsto_m \tilde q'$. Then the statement holds by Lemma B.3.3.
  – Let $u = qS\langle \tilde r' \rangle \;{}_{xe}\!\leftarrow qS\langle \tilde r \rangle = t$, with $q$ a rigid term and $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$, and $t = R\langle \tilde q \rangle\, r \to_{xm} R\langle \tilde q' \rangle\, r = p$, with $\tilde q \to_{om} \tilde q'$. Let $t' = R\langle \tilde q' \rangle\, S\langle \tilde r' \rangle$, having that $u = R\langle \tilde q \rangle\, S\langle \tilde r' \rangle \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q' \rangle\, S\langle \tilde r \rangle = p$. Note that $t' \;{}_{xe}\!\leftarrow p$ holds because $R\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $u = qS\langle \tilde r' \rangle \;{}_{xe}\!\leftarrow qS\langle \tilde r \rangle = t$, with $q$ a rigid term and $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$, and $t = O\langle \tilde q \rangle\, r \to_{xm} O\langle \tilde q' \rangle\, r = p$, with $\tilde q \mapsto_m \tilde q'$. Let $t' = O\langle \tilde q' \rangle\, S\langle \tilde r' \rangle$, having that $u = O\langle \tilde q \rangle\, S\langle \tilde r' \rangle \to_{xm} t' \;{}_{xe}\!\leftarrow O\langle \tilde q' \rangle\, S\langle \tilde r \rangle = p$. Note that $t' \;{}_{xe}\!\leftarrow p$ holds because $O\langle \tilde q' \rangle$ is rigid (by Lemma C.1.2).
• Application left for $u \;{}_{xe}\!\leftarrow t$ and application right for $t \to_{xm} p$; i.e., $u = q'r \;{}_{xe}\!\leftarrow qr = t$ and $t = qr \to_{xm} qr' = p$. There are several sub-cases to this:
  – Let $u = R\langle \tilde q' \rangle\, r \;{}_{xe}\!\leftarrow R\langle \tilde q \rangle\, r = t$, with $\tilde q' \;{}_{oe}\!\leftarrow \tilde q$, and $t = qO\langle \tilde r \rangle \to_{xm} qO\langle \tilde r' \rangle = p$, with $\tilde r \mapsto_m \tilde r'$. Let $t' = R\langle \tilde q' \rangle\, O\langle \tilde r' \rangle$, having that $u = R\langle \tilde q' \rangle\, O\langle \tilde r \rangle \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q \rangle\, O\langle \tilde r' \rangle = p$.
  – Let $u = O\langle \tilde q' \rangle\, r \;{}_{xe}\!\leftarrow O\langle \tilde q \rangle\, r = t$, with $\tilde q' \;{}_{oe}\!\leftarrow \tilde q$, and $t = qO\langle \tilde r \rangle \to_{xm} qO\langle \tilde r' \rangle = p$, with $\tilde r \mapsto_m \tilde r'$. Then the statement holds by Lemma B.3.3.
  – Let $u = R\langle \tilde q' \rangle\, r \;{}_{xe}\!\leftarrow R\langle \tilde q \rangle\, r = t$, with $\tilde q' \;{}_{oe}\!\leftarrow \tilde q$, and $t = qS\langle \tilde r \rangle \to_{xm} qS\langle \tilde r' \rangle = p$, with $\tilde r \to_{om} \tilde r'$ and $q$ a rigid term. Let $t' = R\langle \tilde q' \rangle\, S\langle \tilde r' \rangle$, having that $u = R\langle \tilde q' \rangle\, S\langle \tilde r \rangle \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q \rangle\, S\langle \tilde r' \rangle = p$. Note that $u \to_{xm} t'$ holds because $R\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $u = O\langle \tilde q' \rangle\, r \;{}_{xe}\!\leftarrow O\langle \tilde q \rangle\, r = t$, with $\tilde q' \;{}_{oe}\!\leftarrow \tilde q$, and $t = qS\langle \tilde r \rangle \to_{xm} qS\langle \tilde r' \rangle = p$, with $q$ a rigid term and $\tilde r \to_{om} \tilde r'$. Let $t' = O\langle \tilde q' \rangle\, S\langle \tilde r' \rangle$, having that $u = O\langle \tilde q' \rangle\, S\langle \tilde r \rangle \to_{xm} t' \;{}_{xe}\!\leftarrow O\langle \tilde q \rangle\, S\langle \tilde r' \rangle = p$. Note that $u \to_{xm} t'$ holds because $O\langle \tilde q' \rangle$ is rigid (by Lemma C.1.2).
• Application right for both $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$; i.e., $u = qr' \;{}_{xe}\!\leftarrow qr = t$ and $t = qr \to_{xm} qr'' = p$. By i.h., there exists $s \in \Lambda_{vsc}$ such that $r' \to_{xm} s \;{}_{xe}\!\leftarrow r''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = qr' \to_{xm} qs \;{}_{xe}\!\leftarrow qr'' = p$.
• Application left for both $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$; i.e., $u = q'r \;{}_{xe}\!\leftarrow qr = t$ and $t = qr \to_{xm} q''r = p$. By i.h., there exists $s \in \Lambda_{vsc}$ such that $q' \to_{xm} s \;{}_{xe}\!\leftarrow q''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = q'r \to_{xm} sr \;{}_{xe}\!\leftarrow q''r = p$.
• ES right for $u \;{}_{xe}\!\leftarrow t$ and ES left for $t \to_{xm} p$; i.e., $u = q[x \leftarrow r'] \;{}_{xe}\!\leftarrow q[x \leftarrow r] = t$ and $t = q[x \leftarrow r] \to_{xm} q'[x \leftarrow r] = p$. There are several sub-cases to this:
  – Let $u = q[x \leftarrow O\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow O\langle \tilde r \rangle] = t$, with $\tilde r \mapsto_e \tilde r'$, and $t = O\langle \tilde q \rangle[x \leftarrow r] \to_{xm} O\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \mapsto_m \tilde q'$. Then the statement holds by Lemma B.3.3.
  – Let $u = q[x \leftarrow O\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow O\langle \tilde r \rangle] = t$, with $\tilde r \mapsto_e \tilde r'$, and $t = S\langle \tilde q \rangle[x \leftarrow r] \to_{xm} S\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := S\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r' \rangle]$, having that $u = S\langle \tilde q \rangle[x \leftarrow O\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow S\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because $O\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.2).
  – Let $u = q[x \leftarrow O\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow O\langle \tilde r \rangle] = t$, with $\tilde r \mapsto_e \tilde r'$, and $t = R\langle \tilde q \rangle[x \leftarrow r] \to_{xm} R\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := R\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r' \rangle]$, having that $u = R\langle \tilde q \rangle[x \leftarrow O\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q' \rangle[x \leftarrow O\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because $O\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.2).
  – Let $u = q[x \leftarrow R\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow R\langle \tilde r \rangle] = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$, and $t = O\langle \tilde q \rangle[x \leftarrow r] \to_{xm} O\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \mapsto_m \tilde q'$. Let $t' := O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = O\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$.
  – Let $u = q[x \leftarrow R\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow R\langle \tilde r \rangle] = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$, and $t = S\langle \tilde q \rangle[x \leftarrow r] \to_{xm} S\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = S\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $u = q[x \leftarrow R\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow R\langle \tilde r \rangle] = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$, and $t = R\langle \tilde q \rangle[x \leftarrow r] \to_{xm} R\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = R\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $u = q[x \leftarrow R\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow R\langle \tilde r \rangle] = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$ and $q$ a rigid term, and $t = O\langle \tilde q \rangle[x \leftarrow r] \to_{xm} O\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \mapsto_m \tilde q'$. Let $t' := O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = O\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow O\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $t' \;{}_{xe}\!\leftarrow p$ holds because $O\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.2).
  – Let $u = q[x \leftarrow R\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow R\langle \tilde r \rangle] = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$ and $q$ a rigid term, and $t = S\langle \tilde q \rangle[x \leftarrow r] \to_{xm} S\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = S\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow S\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3), and that $t' \;{}_{xe}\!\leftarrow p$ holds because $S\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.3).
  – Let $u = q[x \leftarrow R\langle \tilde r' \rangle] \;{}_{xe}\!\leftarrow q[x \leftarrow R\langle \tilde r \rangle] = t$, with $\tilde r' \;{}_{oe}\!\leftarrow \tilde r$ and $q$ a rigid term, and $t = R\langle \tilde q \rangle[x \leftarrow r] \to_{xm} R\langle \tilde q' \rangle[x \leftarrow r] = p$, with $\tilde q \to_{om} \tilde q'$ and $r$ a rigid term. Let $t' := R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r' \rangle]$, having that $u = R\langle \tilde q \rangle[x \leftarrow R\langle \tilde r' \rangle] \to_{xm} t' \;{}_{xe}\!\leftarrow R\langle \tilde q' \rangle[x \leftarrow R\langle \tilde r \rangle] = p$. Note that $u \to_{xm} t'$ holds because $R\langle \tilde r' \rangle$ is a rigid term (by Lemma C.1.3), and that $t' \;{}_{xe}\!\leftarrow p$ holds because $R\langle \tilde q' \rangle$ is a rigid term (by Lemma C.1.3).
• ES left for $u \;{}_{xe}\!\leftarrow t$ and ES right for $t \to_{xm} p$; i.e., $u = q'[x \leftarrow r] \;{}_{xe}\!\leftarrow q[x \leftarrow r] = t$ and $t = q[x \leftarrow r] \to_{xm} q[x \leftarrow r'] = p$. There are several sub-cases to this, all of which follow the same kind of reasoning as for the case ES right for $u \;{}_{xe}\!\leftarrow t$ and ES left for $t \to_{xm} p$. Therefore, we leave this case to the reader.
• ES right for both $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$; i.e., $u = q[x \leftarrow r'] \;{}_{xe}\!\leftarrow q[x \leftarrow r] = t$ and $t = q[x \leftarrow r] \to_{xm} q[x \leftarrow r''] = p$. By i.h. there exists $s \in \Lambda_{vsc}$ such that $r' \to_{xm} s \;{}_{xe}\!\leftarrow r''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = q[x \leftarrow r'] \to_{xm} q[x \leftarrow s] \;{}_{xe}\!\leftarrow q[x \leftarrow r''] = p$.
• ES left for both $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$; i.e., $u = q'[x \leftarrow r] \;{}_{xe}\!\leftarrow q[x \leftarrow r] = t$ and $t = q[x \leftarrow r] \to_{xm} q''[x \leftarrow r] = p$. By i.h. there exists $s \in \Lambda_{vsc}$ such that $q' \to_{xm} s \;{}_{xe}\!\leftarrow q''$. The analysis of the sub-cases, depending on the open/strong/rigid type contexts involved in $u \;{}_{xe}\!\leftarrow t$ and $t \to_{xm} p$, follows the same schema as for the previous item, all showing that $u = q'[x \leftarrow r] \to_{xm} s[x \leftarrow r] \;{}_{xe}\!\leftarrow q''[x \leftarrow r] = p$.

Proposition C.3 (Properties of $\to_x$). (See p. 6, Prop. III.1)
Let $t$ be a VSC term.
1) Diamond: $\to_x$ is diamond. Moreover, every $\to_x$ evaluation to normal form (if any) has the same number of $\to_{xm}$ steps.
2) Normal forms: if $t$ is $\to_x$-normal then it is a strong fireball.
In the following proof we refer to terms of the form $L\langle t\rangle$ as answers.
Proof.
1) Follows from strong commutation of $\to_{xm}$ and $\to_{xe}$ (Lemma C.2.2), from the diamond property of $\to_{xm}$ and $\to_{xe}$ (Lemma C.2.1), and from the Hindley-Rosen lemma [51, Prop. 3.3.5]. By the random descent property (a well-known corollary of diamond, recalled in Sect. II), all $\to_x$ evaluation sequences to normal form have the same number of steps. By strong commutation of $\to_{xm}$ and $\to_{xe}$, they also have the same number of $\to_{xm}$ steps.
2) To have the right i.h., we prove simultaneously, by induction on $t$, the following stronger statements (recall that all strong inert terms are strong fireballs):
a) Fireball property: if $t$ is $x$-normal, then $t$ is a strong fireball.
b) Non-value property: if $t$ is $x$-normal and not an answer, then $t$ is a strong inert term.
Cases:
• Variable, i.e. $t = x$: both properties trivially hold, since $t$ is a strong inert term and so a strong fireball.
• Abstraction, i.e. $t = \lambda x.u$:
a) Non-value property: vacuously true, as $t$ is an abstraction and hence an answer.
b) Fireball property: since $t$ is $x$-normal, so is $u$. By i.h. applied to $u$ (fireball property), $u$ is a strong fireball and hence so is $t$ (as a strong value).
• Application, i.e. $t = t_1 t_2$ (which is not an answer):
a) Non-value property: since $t$ is $x$-normal, so are $t_1$ and $t_2$. Moreover, $t_1$ is not an answer (otherwise $t$ would be a $\to_{xm}$-redex). By i.h. applied to $t_1$ (non-value property) and to $t_2$ (fireball property), $t_1$ is a strong inert term and $t_2$ is a strong fireball. Thus, $t$ is a strong inert term.
b) Fireball property: we have just proved that $t$ is a strong inert term, and hence it is a strong fireball.
• Explicit substitution, i.e. $t = t_1[x\leftarrow t_2]$:
a) Fireball property: since $t$ is $x$-normal, so are $t_1$ and $t_2$. Moreover, $t_2$ is not an answer (otherwise $t$ would be a $\to_{xe}$-redex). By i.h. applied to $t_1$ (fireball property) and to $t_2$ (non-value property), $t_1$ is a strong fireball and $t_2$ is a strong inert term. Thus, $t$ is a strong fireball.
b) Non-value property: we have just proved that $t_1$ is a strong fireball. If moreover $t$ is not an answer, then $t_1$ is not an answer and hence, by i.h. applied to $t_1$ (non-value property), $t_1$ is a strong inert term. Therefore, $t$ is a strong inert term.
Proposition C.4 ($\equiv$ is a strong bisimulation; see Prop. III.2, p. 6). If $t \equiv u$ and $t \to_a t'$ then there exists $u' \in \Lambda_{vsc}$ such that $u \to_a u'$ and $t' \equiv u'$, for $a \in \{m, e, om, oe, sm, se\}$.
Proof. Easy adaptation of the proof in [40, Lemma 12].
APPENDIX D
PROOFS OF SECTION V (RELAXED IMPLEMENTATION)
This section proves Thm. V.3 (proved in Thm. D.2) using the following auxiliary lemma.
Lemma D.1 (One-step transfer). Let $M$ and $(\to, \equiv)$ be a relaxed implementation system. For any state $s$ of $M$, if $s^{\to} \to u$ then there is a state $s'$ of $M$ such that $s \leadsto_o^* \leadsto_\beta s'$.
Proof. For any state $s$ of $M$, let $nf_o(s)$ be the normal form of $s$ with respect to $\leadsto_o$: such a state exists and is unique because overhead transitions terminate (Point 3) and $M$ is deterministic (Point 5). Since $\leadsto_o$ is mapped on identities (Point 2), one has $nf_o(s)^{\to} = s^{\to}$. As $s^{\to}$ is not $\to$-normal by hypothesis, the halt property (Point 4) entails that $nf_o(s)$ is not final, therefore $s \leadsto_o^* nf_o(s) \leadsto_\beta s'$ for some state $s'$.
Theorem D.2 (Sufficient condition for implementations; see Thm. V.3, p. 8). Let $M$ and $(\to, \equiv)$ be a relaxed implementation system. Then $M$ is a relaxed implementation of $(\to, \equiv)$.
Proof.
1) Executions to evaluations: by induction on the length of the execution. It follows easily from relaxed $\beta$-projection and overhead transparency, plus the strong bisimulation of $\equiv$ with respect to $\to$.
2) Normalizing evaluations to executions: we prove a more general statement where we replace $t^\circ$ with a general state $s$, and $t$ with $s^{\to}$: if $d : s^{\to} \to^* u$ with $u$ a normal form, then there exists an $M$-execution $\rho : s \leadsto^* s'$ with $s'$ final such that $s'^{\to} \equiv u$ and $|\rho|_\beta \le |d|_m$. Instantiating this general statement on $s = t^\circ$ gives the official statement, because by the initialization constraint of the machine we have $t^{\circ\to} = t$.
The proof of the generalized statement is by induction on $|d|_m$. If $|d|_m = 0$ then consider $nf_o(s)$, which by overhead transparency (Point 2) satisfies $nf_o(s)^{\to} = s^{\to}$. Now, if $nf_o(s)$ had a $\beta$-transition then from $s^{\to}$ it would eventually be possible to do a $\to_m$ step by relaxed $\beta$-projection (Point 1), which is impossible, because $|d|_m = 0$ and by the diamond property all evaluation sequences from a term have the same number and kind of steps. Then $nf_o(s)$ is a final state and there is an execution $\rho : s \leadsto_o^* nf_o(s)$ such that $|\rho|_\beta = 0$.
If $|d|_m > 0$ then $s^{\to} \to^+ u$ and $s^{\to} \to p \to^* u$ for some $p$. By the one-step transfer lemma (Lemma D.1), we obtain $s \leadsto_o^* \leadsto_\beta s'$ for some $s'$. By overhead transparency and relaxed $\beta$-projection, we obtain $d' : s^{\to} \to^+ q \equiv s'^{\to}$ for some $q$ and with $|d'|_m \ge 1$. By the diamond property of $\to$, we obtain an evaluation $e : q \to^* u$ such that $|e|_m \le |d|_m - 1$. Note also that by strong bisimulation of $\equiv$ applied to $e$ we obtain $e' : s'^{\to} \to^{|e|} u'$ with $u' \equiv u$. We can then apply the i.h., obtaining an execution $\sigma : s' \leadsto^* s''$ with $s''$ final and such that $s''^{\to} \equiv u'$, and $|\sigma|_\beta \le |e|_m \le |d|_m - 1$. Note that the execution $\rho : s \leadsto_o^* \leadsto_\beta s' \leadsto^* s''$ satisfies the statement because $s''^{\to} \equiv u' \equiv u$ and $|\rho|_\beta = |\sigma|_\beta + 1 \le |e|_m + 1 \le |d|_m$.
3) Diverging evaluations to executions: suppose that $\to$ diverges on $t$ but $M$ terminates, that is, there is an execution $\rho : t^\circ \leadsto^* s$ with $s$ final. Then the projection $\rho^{\to} : t \to^* u \equiv s^{\to}$ for some $u$, given by point 1 of this theorem, is a normalizing sequence by the halt property (which guarantees that $s^{\to}$ is $\to$-normal), and by strong bisimulation so is the evaluation $t \to^* u$. Then $\to$ normalizes $t$ and so, by diamond (precisely, by the uniform normalization implied by the diamond property, see the footnote in Sect. II), $\to$ cannot diverge on $t$, which is absurd. Therefore $M$ diverges on $t^\circ$. Now, since $\leadsto_o$ terminates, the diverging execution from $t^\circ$ must have infinitely many $\beta$-transitions. Note that a diverging $\to$ sequence necessarily has infinitely many $\to_m$ steps, because $\to_e$ terminates (Lemma II.1).
APPENDIX E
PROOFS OF SECTION VII (COMPILATION & READ-BACK)
In this section, we introduce formally the notions of well-namedness, crumbling, and read-back. The main results are some fundamental properties of the crumbling translation (Lemma VII.4, proved in Lemma E.22) and the modular read-back of crumbled terms (Lemma VII.6, proved in Lemma E.27). To achieve the goal we first provide a number of additional technical properties of (well-named) environments and of the definitions of read-back.
A. λ-terms & well-namedness
Definition E.1 (Capture-avoiding substitution). We denote by $t\{x\leftarrow u\}$ the term obtained by replacing the variable $x$ with $u$ in $t$. The replacement may rename bound variables in order to avoid captures, but we assume that it minimizes the number of renamings by performing only the strictly necessary ones.
Definition E.2. A substitution $\sigma$ is a mapping from variables to terms that is the identity on all but a finite number of variables. Its domain $dom(\sigma)$ is the finite set of variables that are not mapped to themselves. The set $fv(\sigma)$ of free variables of $\sigma$ is the set of all variables that occur free in at least one $\sigma(y)$ for $y \in dom(\sigma)$. It is a fireball substitution if it maps variables to fireballs. We write $\sigma_1\sigma_2$ for the composed substitution defined by $(\sigma_1\sigma_2)(x) := \sigma_2(\sigma_1(x))$. We write $\{x\leftarrow t\}$ for a substitution on a single variable and $t\sigma$ for the term obtained from $t$ by the capture-avoiding replacement of every $x \in fv(t)$ with $\sigma x$. Similarly for every other syntactic category, e.g. $e\sigma$.
The terms that we operate on are subject to well-namedness, which basically amounts to Barendregt's variable convention. To lighten the proofs, we introduce the following shorthand for disjoint sets of variables:
Definition E.3 (Disjoint variables, λ-calculus version). Let $X$ and $Y$ be sets of variable names. We say that $X$ and $Y$ are disjoint (in symbols, $X \perp Y$) if $X \cap Y = \emptyset$.
Definition E.4 (Well-named λ-terms). A λ-term $t$ is well-named if its bound variables are all distinct, and $fv(t) \perp bv(t)$.
B. Crumbled environments
Definition E.5 (Capture-avoiding substitution). We denote by $e\{x\leftarrow y\}$ and $b\{x\leftarrow y\}$ the environment (resp. bite) obtained by replacing the variable $x$ with $y$ in $e$ (resp. $b$). The replacement may rename bound variables in order to avoid captures, but we assume that it minimizes the number of renamings by performing only the strictly necessary ones.
Definition E.6 (Free and bound variables). We define the sets of free and bound variables of crumbled environments and bites, and the domain of crumbled environments, as expected:
$bv(\epsilon) := \emptyset$, $bv(e[x\leftarrow b]) := bv(e) \cup \{x\} \cup bv(b)$;
$fv(\epsilon) := \{\star\}$, $fv(e[x\leftarrow b]) := fv(e) \setminus \{x\} \cup fv(b)$;
$dom(\epsilon) := \emptyset$, $dom(e[x\leftarrow b]) := dom(e) \cup \{x\}$;
$bv(x) := \emptyset$, $bv(xy) := \emptyset$, $bv(\lambda x.e) := \{x\} \cup bv(e)$;
$fv(x) := \{x\}$, $fv(xy) := \{x, y\}$, $fv(\lambda x.e) := fv(e) \setminus \{x\}$.
Moreover, $vars(e) := fv(e) \cup bv(e)$ and $vars(b) := fv(b) \cup bv(b)$.
Definition E.7 (α-equality $=_\alpha$). We define the relation $=_\alpha$ as the smallest equivalence relation (reflexive, symmetric, transitive) over crumbled forms satisfying the following properties:
1) Structural, ES: if $e =_\alpha e'$ and $b =_\alpha b'$ then $e[x\leftarrow b] =_\alpha e'[x\leftarrow b']$.
2) Rename, ES: $e[x\leftarrow b] =_\alpha e\{x\leftarrow y\}[y\leftarrow b]$ when $y \notin vars(e)$.
3) Rename, abstraction: $\lambda x.e =_\alpha \lambda y.(e\{x\leftarrow y\})$ when $y \notin vars(e)$.
4) Structural, abstraction: if $e =_\alpha e'$ then $\lambda x.e =_\alpha \lambda x.e'$.
Moreover, in points 2 and 3, α-equivalence can rename $x$ with $y$ only if they are both in $V_{cr} \setminus \{\star\}$ (resp. both in $V_{calc}$); $\star$ cannot be renamed.
Given an environment $e$, we denote by $e^\alpha$ any environment that is α-equivalent to $e$: we call $e^\alpha$ a "copy" of $e$. Later, when necessary, we will attach additional requirements to the variables of $e^\alpha$, for instance that $bv(e^\alpha)$ is disjoint from a certain set of variables.
In crumbled environments so-called crumbling variables ($V_{cr}$) may occur. We do not handle these variables any differently with respect to well-namedness: the only difference is that we ignore the special variable $\star$, both when defining disjoint sets of variables and in well-namedness.
Definition E.8 (Disjoint variables, crumbled version). Let $X$ and $Y$ be sets of variable names, i.e. $X, Y \subseteq V_{calc} \cup V_{cr}$. We say that $X$ and $Y$ are disjoint (in symbols, $X \perp Y$) if $X \cap Y \subseteq \{\star\}$.
Definition E.9 (Well-named crumbled forms). An environment $e$ (resp. a bite $b$) is well-named if its bound variables (not including $\star$) are all distinct, and $fv(e) \perp bv(e)$ (resp. $fv(b) \perp bv(b)$).
Lemma E.10 (Variables and concatenation). For all crumbled environments $e$ and $e'$:
• $fv(ee') \subseteq fv(e) \setminus dom(e') \cup fv(e')$;
• $bv(ee') = bv(e) \cup bv(e')$;
• $vars(ee') = vars(e) \cup vars(e')$;
• $dom(ee') = dom(e) \cup dom(e')$.
Proof. Easy, by induction on the structure of $e'$.
We also provide the corresponding definition of α-equality for terms with ES.
Definition E.11 (α-equality $=_\alpha$). We define the relation $=_\alpha$ as the smallest equivalence relation (reflexive, symmetric, transitive) over terms satisfying the following properties:
1) Structural, ES: if $t =_\alpha t'$ and $u =_\alpha u'$ then $t[x\leftarrow u] =_\alpha t'[x\leftarrow u']$.
2) Rename, ES: $t[x\leftarrow u] =_\alpha t\{x\leftarrow y\}[y\leftarrow u]$ when $y \notin vars(t)$.
3) Rename, abstraction: $\lambda x.t =_\alpha \lambda y.(t\{x\leftarrow y\})$ when $y \notin vars(t)$.
4) Structural, abstraction: if $t =_\alpha u$ then $\lambda x.t =_\alpha \lambda x.u$.
Free variables of a crumbled environment are stable under α-renaming:
Lemma E.12 (Alpha and free variables). For all environments $e, e'$: if $e =_\alpha e'$ then $fv(e) = fv(e')$.
Proof. Easy, by structural induction on the derivation of $e =_\alpha e'$.
C. Properties of well-named environments
Lemma E.13 (Concatenation of well-named environments). Let $e, e'$ be well-named crumbled environments such that:
• $bv(e) \perp vars(e')$,
• $fv(e) \setminus dom(e') \perp bv(e')$.
Then $ee'$ is well-named.
Proof. By induction on the structure of $e'$:
• If $e' = \epsilon$, then $ee' = e$ and we conclude.
• If $e' = e''[x\leftarrow b]$, in order to apply the i.h. and obtain that $ee''$ is well-named, we need the following properties:
– $bv(e) \perp vars(e'')$. Follows from the hypothesis $bv(e) \perp vars(e')$ because $vars(e'') \subseteq vars(e')$.
– $fv(e) \setminus dom(e'') \perp bv(e'')$. Note that $dom(e'') = dom(e') \setminus \{x\}$, hence $fv(e) \setminus dom(e'') \subseteq fv(e) \setminus dom(e') \cup \{x\}$. Also, $bv(e'') \subseteq bv(e')$. Finally, we use the fact that $x \notin bv(e'')$, which follows from the hypothesis that $e''[x\leftarrow b]$ is well-named.
We have just obtained that $ee''$ is well-named. We need to show that $ee''[x\leftarrow b]$ is well-named.
– Bound variables are all distinct. It suffices to show that $bv(ee'') \cup \{x\} \perp bv(b)$, and that $x \notin bv(ee'')$. Both follow from $bv(e) \perp vars(e')$ and from the well-namedness of $e'$.
– Free variables are distinct from bound ones. By definition, $fv(ee''[x\leftarrow b]) = fv(ee'') \setminus \{x\} \cup fv(b)$ and $bv(ee''[x\leftarrow b]) = bv(ee'') \cup \{x\} \cup bv(b)$.
∗ $fv(ee'') \setminus \{x\} \perp bv(ee'') \cup \{x\}$ because $fv(ee'') \perp bv(ee'')$ by the well-namedness of $ee''$;
∗ $fv(b) \perp bv(b)$ by well-namedness of $e'$;
∗ $x \notin fv(b)$ by well-namedness of $e'$;
∗ $fv(b) \perp bv(ee'')$ if and only if $fv(b) \perp bv(e)$ and $fv(b) \perp bv(e'')$. The first follows from $bv(e) \perp vars(e')$, the second by well-namedness of $e'$.
∗ $bv(b) \perp fv(ee'') \setminus \{x\}$. Note that $x \notin bv(b)$ by well-namedness of $e'$, therefore we prove instead the equivalent $bv(b) \perp fv(ee'')$. The hypothesis $fv(e) \setminus dom(e') \perp bv(e')$ implies $fv(e) \setminus dom(e') \perp bv(b)$, and since $bv(b) \perp dom(e')$ by well-namedness of $e'$, $fv(e) \setminus dom(e') \perp bv(b)$ is equivalent to $fv(e) \perp bv(b)$. Again by well-namedness of $e'$, $fv(e'') \perp bv(b)$, and we conclude because $fv(ee'') \subseteq fv(e) \cup fv(e'')$ by Lemma E.10.
An auxiliary lemma that will be used in later sections:
Lemma E.14. If $e[x\leftarrow b]$ is well-named then $e$ is well-named and $fv(b) \perp bv(e)$.
Proof. Easy, by the definition of well-named.
D. Read-back properties
Before proving some important properties of the read-back in Lemma E.18, we need the following additional properties of VSC terms.
Lemma E.15 (Alpha & substitution). If $t =_\alpha t'$ and $u =_\alpha u'$, then $t\{x\leftarrow u\} =_\alpha t'\{x\leftarrow u'\}$.
Proof. Easy, by structural induction on the derivation of $t =_\alpha t'$ and by the definition of substitution.
Lemma E.16 (Variables & substitution). Let $t, u$ be terms. Then:
1) $fv(t\{x\leftarrow u\}) \subseteq fv(t) \setminus \{x\} \cup fv(u)$.
2) $bv(t\{x\leftarrow u\}) \subseteq bv(t) \cup bv(u)$ when $bv(t) \perp fv(u)$.
Proof. Easy, by induction on the structure of $t$.
Similar properties hold for crumbled environments:
Lemma E.17. Let $e$ be an environment such that $y \notin bv(e)$. Then:
1) $fv(e\{x\leftarrow y\}) \subseteq fv(e) \setminus \{x\} \cup \{y\}$.
2) $bv(e\{x\leftarrow y\}) = bv(e)$.
Proof. Easy, by induction on the structure of $e$.
Lemma E.18 (Properties of the read-back). For all environments $e, e'$:
1) α-Equality: if $e =_\alpha e'$ and $e, e'$ are well-named, then $e^{\to} =_\alpha e'^{\to}$.
2) Renaming: $e\{x\leftarrow y\}^{\to} = e^{\to}\{x\leftarrow y\}$ when $y \notin bv(e)$.
3) Free variables: $fv(e^{\to}) \subseteq fv(e)$.
4) Bound variables: $bv(e^{\to}) \subseteq bv(e)$ when $e$ is well-named.
5) Dissociation: if $fv(e') \perp dom(e)$ and $dom(e) \subset V_{cr}$ then $(e'[x\leftarrow b]e)^{\to} = e'^{\to}\{x\leftarrow ([\star\leftarrow b]e)^{\to}\}$.
Proof. We prove the points by mutual induction on the size of $e$:
1) We prove at the same time the corresponding statement for bites, i.e. that $b =_\alpha b'$ implies $b^{\to} =_\alpha b'^{\to}$ for all bites $b, b'$. By structural induction on the derivation of $e =_\alpha e'$ or $b =_\alpha b'$, respectively:
• Reflexivity: in this case $e = e'$ and $b = b'$, and therefore trivially $e^{\to} = e'^{\to}$ and $b^{\to} = b'^{\to}$.
• Symmetry: $e =_\alpha e'$ because $e' =_\alpha e$. Then by i.h. we obtain $e'^{\to} =_\alpha e^{\to}$, and we conclude because $=_\alpha$ is symmetric. Similarly for bites.
• Transitivity: $e =_\alpha e'$ because $e =_\alpha e''$ and $e'' =_\alpha e'$. Just use the i.h. and the transitivity of $=_\alpha$. Similarly for bites.
• Structural, ES: $e =_\alpha e'$ because $e = e''[x\leftarrow b]$ and $e' = e'''[x\leftarrow b']$ where $e'' =_\alpha e'''$ and $b =_\alpha b'$.
Then $e^{\to} = (e''[x\leftarrow b])^{\to}$, and there are two subcases:
– $x \in V_{cr}$ or $b$ an abstraction: then $(e''[x\leftarrow b])^{\to} = e''^{\to}\{x\leftarrow b^{\to}\}$ and $(e'''[x\leftarrow b'])^{\to} = e'''^{\to}\{x\leftarrow b'^{\to}\}$. By i.h. $e''^{\to} =_\alpha e'''^{\to}$ and $b^{\to} =_\alpha b'^{\to}$. We conclude by Lemma E.15.
– $x \in V_{calc}$: then $(e''[x\leftarrow b])^{\to} = e''^{\to}[x\leftarrow b^{\to}]$ and $(e'''[x\leftarrow b'])^{\to} = e'''^{\to}[x\leftarrow b'^{\to}]$. By i.h. $e''^{\to} =_\alpha e'''^{\to}$ and $b^{\to} =_\alpha b'^{\to}$. Conclude by the property "Structural, ES" of $=_\alpha$ for the ES calculus.
• Rename, ES: $e =_\alpha e'$ because $e = e''[x\leftarrow b]$ and $e' = e''\{x\leftarrow y\}[y\leftarrow b]$ with $y \notin vars(e)$. Again two subcases:
– $x \in V_{cr}$ or $b$ an abstraction: then $e^{\to} = e''^{\to}\{x\leftarrow b^{\to}\}$ and $e'^{\to} = e''\{x\leftarrow y\}^{\to}\{y\leftarrow b^{\to}\}$. By Point 2, $e''\{x\leftarrow y\}^{\to}\{y\leftarrow b^{\to}\} = e''^{\to}\{x\leftarrow y\}\{y\leftarrow b^{\to}\}$ because $y \notin bv(e'')$. Since $y \notin vars(e'')$, by Points 3 and 4 $y \notin vars(e''^{\to})$. Therefore $e''^{\to}\{x\leftarrow y\}\{y\leftarrow b^{\to}\} = e''^{\to}\{x\leftarrow b^{\to}\}$ and we conclude.
– Otherwise, $e^{\to} = e''^{\to}[x\leftarrow b^{\to}]$ and $e'^{\to} = e''\{x\leftarrow y\}^{\to}[y\leftarrow b^{\to}]$. As in the point above, $e''\{x\leftarrow y\}^{\to}[y\leftarrow b^{\to}] = e''^{\to}\{x\leftarrow y\}[y\leftarrow b^{\to}]$ and we conclude by the point "Rename, ES" of $=_\alpha$ for the ES calculus.
• Rename, abstraction: $b =_\alpha b'$ because $b = \lambda x.e$ and $b' = \lambda y.(e\{x\leftarrow y\})$ for $y \notin vars(e)$. Then $b^{\to} = \lambda x.(e^{\to})$ and $b'^{\to} = \lambda y.(e\{x\leftarrow y\}^{\to})$. By Point 2, $e\{x\leftarrow y\}^{\to} = e^{\to}\{x\leftarrow y\}$. By Points 3 and 4, $y \notin vars(e^{\to})$, and we conclude by the point "Rename, abstraction" of $=_\alpha$ for the ES calculus.
• Structural, abstraction: $b =_\alpha b'$ because $b = \lambda x.e$, $b' = \lambda x.e'$ and $e =_\alpha e'$. Use the i.h. and conclude by the point "Structural, abstraction" of $=_\alpha$ for the ES calculus.
2) We prove at the same time the corresponding statement for bites, i.e. that $b\{x\leftarrow y\}^{\to} = b^{\to}\{x\leftarrow y\}$ when $y \notin bv(b)$. By structural induction on $e$ and $b$:
• The cases $e = \epsilon$, $b = z$, and $b = zw$ are trivial.
• If $b = \lambda z.e$, then $b^{\to}\{x\leftarrow y\} = (\lambda z.(e^{\to}))\{x\leftarrow y\}$. There are two subcases:
– If $x = z$, then $(\lambda z.e)\{x\leftarrow y\} = \lambda z.e$ and $(\lambda z.(e^{\to}))\{x\leftarrow y\} = \lambda z.(e^{\to})$, and we can conclude.
– If $x \neq z$, then $(\lambda z.e)\{x\leftarrow y\} = \lambda z.(e\{x\leftarrow y\})$ and $(\lambda z.(e^{\to}))\{x\leftarrow y\} = \lambda z.(e^{\to}\{x\leftarrow y\})$ (recall that $y \notin bv(e)$, hence $y \notin bv(e^{\to})$ by Point 4, and also $y \neq z$). By i.h. $e\{x\leftarrow y\}^{\to} = e^{\to}\{x\leftarrow y\}$ and we conclude.
• If $e = e'[z\leftarrow b]$, then $e^{\to}\{x\leftarrow y\} = (e'[z\leftarrow b])^{\to}\{x\leftarrow y\}$. There are two subcases:
– If $z \in V_{cr}$ or $b$ is an abstraction, $(e'[z\leftarrow b])^{\to}\{x\leftarrow y\} = e'^{\to}\{z\leftarrow b^{\to}\}\{x\leftarrow y\}$. Note that $y \neq z$ by the hypothesis that $y \notin bv(e)$. Two subsubcases:
∗ If $x = z$, then $e'^{\to}\{z\leftarrow b^{\to}\}\{x\leftarrow y\} = e'^{\to}\{z\leftarrow b^{\to}\{x\leftarrow y\}\}$. By i.h. $b^{\to}\{x\leftarrow y\} = b\{x\leftarrow y\}^{\to}$, and we conclude with $e'^{\to}\{z\leftarrow b^{\to}\{x\leftarrow y\}\} = (e'[z\leftarrow b\{x\leftarrow y\}])^{\to} = (e'[z\leftarrow b])\{x\leftarrow y\}^{\to}$.
∗ If $x \neq z$, then $e'^{\to}\{z\leftarrow b^{\to}\}\{x\leftarrow y\} = e'^{\to}\{x\leftarrow y\}\{z\leftarrow b^{\to}\{x\leftarrow y\}\}$. By i.h. $e'^{\to}\{x\leftarrow y\} = e'\{x\leftarrow y\}^{\to}$ and $b^{\to}\{x\leftarrow y\} = b\{x\leftarrow y\}^{\to}$, hence $e'^{\to}\{x\leftarrow y\}\{z\leftarrow b^{\to}\{x\leftarrow y\}\} = e'\{x\leftarrow y\}^{\to}\{z\leftarrow b\{x\leftarrow y\}^{\to}\} = (e'\{x\leftarrow y\}[z\leftarrow b\{x\leftarrow y\}])^{\to} = (e'[z\leftarrow b])\{x\leftarrow y\}^{\to}$.
– Otherwise, $(e'[z\leftarrow b])^{\to}\{x\leftarrow y\} = e'^{\to}[z\leftarrow b^{\to}]\{x\leftarrow y\}$. Note that $y \neq z$ by the hypothesis that $y \notin bv(e)$. Two subsubcases:
∗ If $x = z$, then $e'^{\to}[z\leftarrow b^{\to}]\{x\leftarrow y\} = e'^{\to}[z\leftarrow b^{\to}\{x\leftarrow y\}]$. By i.h. $b^{\to}\{x\leftarrow y\} = b\{x\leftarrow y\}^{\to}$, and we conclude with $e'^{\to}[z\leftarrow b^{\to}\{x\leftarrow y\}] = (e'[z\leftarrow b\{x\leftarrow y\}])^{\to} = (e'[z\leftarrow b])\{x\leftarrow y\}^{\to}$.
∗ If $x \neq z$, then $e'^{\to}[z\leftarrow b^{\to}]\{x\leftarrow y\} = e'^{\to}\{x\leftarrow y\}[z\leftarrow b^{\to}\{x\leftarrow y\}]$. By i.h. $e'^{\to}\{x\leftarrow y\} = e'\{x\leftarrow y\}^{\to}$ and $b^{\to}\{x\leftarrow y\} = b\{x\leftarrow y\}^{\to}$, hence $e'^{\to}\{x\leftarrow y\}[z\leftarrow b^{\to}\{x\leftarrow y\}] = e'\{x\leftarrow y\}^{\to}[z\leftarrow b\{x\leftarrow y\}^{\to}] = (e'\{x\leftarrow y\}[z\leftarrow b\{x\leftarrow y\}])^{\to} = (e'[z\leftarrow b])\{x\leftarrow y\}^{\to}$.
3) We prove at the same time the corresponding statement for bites, i.e. that $fv(b^{\to}) \subseteq fv(b)$ for each well-named $b$. By induction on the structure of $e$ and $b$:
• If $e = \epsilon$, then $fv(e^{\to}) = fv(\star) = \{\star\}$ and $fv(e) = \{\star\}$.
• If $e = e'[x\leftarrow b]$, then there are two subcases:
– If $x \in V_{cr}$ or $b$ is an abstraction, then $e^{\to} = e'^{\to}\{x\leftarrow b^{\to}\}$. By Lemma E.16.1, $fv(e'^{\to}\{x\leftarrow b^{\to}\}) \subseteq fv(e'^{\to}) \setminus \{x\} \cup fv(b^{\to})$. By i.h. $fv(e'^{\to}) \subseteq fv(e')$ and $fv(b^{\to}) \subseteq fv(b)$, and we conclude because $fv(e) = fv(e') \setminus \{x\} \cup fv(b)$.
– Otherwise $e^{\to} = e'^{\to}[x\leftarrow b^{\to}]$, and $fv(e^{\to}) = fv(e'^{\to}) \setminus \{x\} \cup fv(b^{\to})$. By i.h. $fv(e'^{\to}) \subseteq fv(e')$ and $fv(b^{\to}) \subseteq fv(b)$, and we conclude.
• If $b = x$, then $fv(x^{\to}) = fv(x) = \{x\}$.
• If $b = xy$, then $fv((xy)^{\to}) = fv(xy) = \{x, y\}$.
• If $b = \lambda x.e$, then $fv((\lambda x.e)^{\to}) = fv(\lambda x.(e^{\to})) = fv(e^{\to}) \setminus \{x\}$. By i.h. $fv(e^{\to}) \subseteq fv(e)$, and we conclude.
4) We prove at the same time the corresponding statement for bites, i.e. that $bv(b^{\to}) \subseteq bv(b)$ for each well-named $b$. By induction on the structure of $e$ and $b$:
• If $e = \epsilon$, then $bv(e^{\to}) = bv(\star) = \emptyset$ and $bv(e) = \emptyset$.
• If $e = e'[x\leftarrow b]$, then there are two subcases:
– If $x \in V_{cr}$ or $b$ is an abstraction, then $e^{\to} = e'^{\to}\{x\leftarrow b^{\to}\}$. By Lemma E.16.2, $bv(e'^{\to}\{x\leftarrow b^{\to}\}) \subseteq bv(e'^{\to}) \cup bv(b^{\to})$. By i.h. $bv(e'^{\to}) \subseteq bv(e')$ and $bv(b^{\to}) \subseteq bv(b)$, and we conclude because $bv(e) = bv(e') \cup \{x\} \cup bv(b)$.
– Otherwise $e^{\to} = e'^{\to}[x\leftarrow b^{\to}]$, and $bv(e^{\to}) = bv(e'^{\to}) \cup \{x\} \cup bv(b^{\to})$. By i.h. $bv(e'^{\to}) \subseteq bv(e')$ and $bv(b^{\to}) \subseteq bv(b)$, and we conclude.
• If $b = x$, then $bv(x^{\to}) = bv(x) = \emptyset$.
• If $b = xy$, then $bv((xy)^{\to}) = bv(xy) = \emptyset$.
• If $b = \lambda x.e$, then $bv((\lambda x.e)^{\to}) = \{x\} \cup bv(e^{\to})$ and $bv(\lambda x.e) = \{x\} \cup bv(e)$. By i.h. $bv(e^{\to}) \subseteq bv(e)$, and we conclude.
5) We proceed by induction on the structure of $e$:
• If $e = \epsilon$, then $(e'[x\leftarrow b]\epsilon)^{\to} = (e'[x\leftarrow b])^{\to} = e'^{\to}\{x\leftarrow b^{\to}\} = e'^{\to}\{x\leftarrow [\star\leftarrow b]^{\to}\}$.
• If $e = e''[y\leftarrow b']$, then $(e'[x\leftarrow b]e)^{\to} = (e'[x\leftarrow b]e''[y\leftarrow b'])^{\to} = (e'[x\leftarrow b]e'')^{\to}\{y\leftarrow b'^{\to}\}$. By i.h. $(e'[x\leftarrow b]e'')^{\to} = e'^{\to}\{x\leftarrow ([\star\leftarrow b]e'')^{\to}\}$, and therefore $(e'[x\leftarrow b]e'')^{\to}\{y\leftarrow b'^{\to}\} = e'^{\to}\{x\leftarrow ([\star\leftarrow b]e'')^{\to}\}\{y\leftarrow b'^{\to}\}$. From the hypothesis $fv(e') \perp dom(e)$ it follows that $y \notin fv(e')$, and therefore $y \notin fv(e'^{\to})$ by Point 3. Hence $e'^{\to}\{x\leftarrow ([\star\leftarrow b]e'')^{\to}\}\{y\leftarrow b'^{\to}\} = e'^{\to}\{x\leftarrow ([\star\leftarrow b]e'')^{\to}\{y\leftarrow b'^{\to}\}\} = e'^{\to}\{x\leftarrow ([\star\leftarrow b]e''[y\leftarrow b'])^{\to}\}$.
The following lemma is an easy consequence of Lemma E.18.5, but we state it separately because it is used later in the proofs about the machine.
Lemma E.19 (Pristine dissociation). Let $e[x\leftarrow b]$ be a pristine and well-named environment. Then there exists an open context $O$ such that for every pristine environment $e'$ satisfying $fv(e) \perp dom(e')$, it holds that $(e[x\leftarrow b]e')^{\to} = O\langle([\star\leftarrow b]e')^{\to}\rangle$.
Proof.
By pristinity of $e[x\leftarrow b]$, there exists an open context $O$ such that $e^{\to} = O\langle x\rangle$ and $x \notin vars(O)$. Let $e'$ be any environment satisfying the hypotheses. By Lemma E.18.5, $(e[x\leftarrow b]e')^{\to} = e^{\to}\{x\leftarrow ([\star\leftarrow b]e')^{\to}\} = O\langle([\star\leftarrow b]e')^{\to}\rangle$.
E. Read-back is inverse to translation
We now want to prove Lemma VII.4 (proved in Lemma E.22), i.e. that the translation of a well-named λ-term $t$ reads back to $t$ itself. The proof depends on the following technical lemma relating the free and bound variables of a translated term to those of the term being translated. In what follows $\underline{t}$ denotes the (principal) crumbling translation of $t$ and $\overline{t}$ the auxiliary translation, which returns a pair of a variable and an environment.
Lemma E.20 (On the variables of a translated term). Let $t$ be a λ-term.
• $fv(\underline{t}) = fv(t)$;
• $bv(\underline{t}) \cap V_{calc} = bv(t)$;
• $dom(\underline{t}) \subset V_{cr}$.
Moreover, if $t$ is not a variable and $\overline{t} = (y, e)$:
• $fv(e) = fv(t)$;
• $bv(e) \cap V_{calc} = bv(t)$;
• $dom(e) \subset V_{cr}$.
Proof. The proof proceeds by mutual induction on the structure of $t$. Here however we provide the proof only for the principal crumbling translation $\underline{(\cdot)}$, as the proof for $\overline{(\cdot)}$ is similar.
• If $t = x$, then $fv(\underline{t}) = fv([\star\leftarrow x]) = \{x\}$, $bv(\underline{t}) = bv([\star\leftarrow x]) = \{\star\}$, and $dom(\underline{t}) = \{\star\}$, and we can conclude.
• If $t = \lambda x.u$, then $fv(\underline{t}) = fv([\star\leftarrow \lambda x.\underline{u}]) = fv(\underline{u}) \setminus \{x\}$, $bv(\underline{t}) = \{\star, x\} \cup bv(\underline{u})$, and $dom(\underline{t}) = \{\star\}$. We conclude by using the i.h.
• If $t = up$, then $\underline{t} = [\star\leftarrow xy]ee'$ where $(x, e) := \overline{u}$ and $(y, e') := \overline{p}$. By cases on $u$ and $p$:
– If $u$ and $p$ are both variables, then $e = e' = \epsilon$, $\underline{t} = [\star\leftarrow xy]$ and $\overline{t} = (z, [z\leftarrow xy])$. Clearly $fv(\underline{t}) = fv([z\leftarrow xy]) = \{x, y\}$, $bv(\underline{t}) = \{\star\}$ and $bv([z\leftarrow xy]) = \{z\}$, and we can conclude because $\{\star, z\} \subset V_{cr}$.
– If $u$ and $p$ are both not variables, then $e, e' \neq \epsilon$, $x \in dom(e)$ and $y \in dom(e')$. By i.h., $fv(e) = fv(u)$, $fv(e') = fv(p)$, $bv(e) \cap V_{calc} = bv(u)$, $bv(e') \cap V_{calc} = bv(p)$, and $dom(e) \cup dom(e') \subset V_{cr}$.
∗ The requirement $dom(\underline{t}) \subset V_{cr}$ follows directly from the i.h., since $dom(\underline{t}) = \{\star\} \cup dom(e) \cup dom(e')$ by Lemma E.10.
∗ The requirement $bv(\underline{t}) \cap V_{calc} = bv(t)$ follows easily, since $bv(\underline{t}) = \{\star\} \cup bv(e) \cup bv(e')$ by Lemma E.10.
∗ As for the free variables, note that by Lemma E.10 $fv([\star\leftarrow xy]ee') = (\{x, y\} \setminus dom(e) \cup fv(e)) \setminus dom(e') \cup fv(e')$. By i.h. $(\{x, y\} \setminus dom(e) \cup fv(e)) \setminus dom(e') \cup fv(e') = (\{x, y\} \setminus dom(e) \cup fv(u)) \setminus dom(e') \cup fv(p)$, which is simply $fv(u) \cup fv(p)$ because $dom(e) \perp dom(e')$, since the crumbling variables are chosen globally fresh during crumbling, and $fv(u) \perp dom(e')$ because $dom(e')$ consists of fresh crumbling variables, for the same reason.
• The cases in which only one among $u$ and $p$ is a variable are similar to the two cases proved above.
We also need the following technical and rather uninteresting lemma on the auxiliary translation.
Lemma E.21 (On the auxiliary translation). Let $t$ be a λ-term such that $\overline{t} = (x, e)$. Then:
1) If $e = \epsilon$, then $t = x$ and $x \in V_{calc}$.
2) If $e \neq \epsilon$, say $e := [x\leftarrow b]e'$, then $\underline{t} = [\star\leftarrow b]e'$ and $x \in V_{cr}$.
Proof. By inspection of the rules defining the crumbling transformation.
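As an added illustration (this is not code from the paper), the following Python model implements the variable sets of Definition E.6, the crumbling translation as characterized by Lemmas E.20 and E.21 (principal translation returning an environment, auxiliary translation returning a pair of a variable and an environment, with globally fresh crumbling variables), and the read-back with the case split used throughout the proof of Lemma E.18 (substitution when the bound variable is a crumbling variable or the bite is an abstraction, an explicit substitution otherwise). It then checks the three points of Lemma E.20 and the inverse property of Lemma VII.4 on constructed well-named terms, and Lemma E.18.3 and E.18.4 on a constructed environment with a calculus-variable binder. The tuple encoding of terms, the representation of crumbling variables as names starting with `#` and of $\star$ as `*`, and the plain (non-renaming) substitution, which suffices on well-named input, are assumptions of this model.

```python
# Added example, not code from the paper: an executable model of Definition E.6,
# of the crumbling translation (Lemmas E.20-E.21) and of the read-back cases used
# in the proof of Lemma E.18, checked on constructed well-named terms.
import itertools

STAR = "*"   # the special crumbling variable (the star of the paper); assumed encoding

def is_cr(x):
    """Crumbling variables V_cr: the star and the fresh names generated below
    (prefix '#'). Any other name is a calculus variable (V_calc). Assumed naming."""
    return x == STAR or x.startswith("#")

# Terms (lambda-terms, plus the ES produced by the read-back):
#   ("var", x) | ("lam", x, t) | ("app", t, u) | ("es", t, x, u)   for t[x<-u]
# Crumbled environments: lists of (x, bite) pairs, e[x<-b] being e + [(x, b)].
# Bites: ("var", x) | ("app", x, y) with x, y variables | ("lam", x, env).
_fresh = itertools.count(1)

def fresh_cr():
    return "#" + str(next(_fresh))

# --- Definition E.6: free/bound variables and domain of environments and bites
def bv_bite(b):
    return ({b[1]} | bv_env(b[2])) if b[0] == "lam" else set()

def fv_bite(b):
    if b[0] == "var": return {b[1]}
    if b[0] == "app": return {b[1], b[2]}
    return fv_env(b[2]) - {b[1]}             # fv(lam x.e) = fv(e) \ {x}

def bv_env(e):                               # bv(e[x<-b]) = bv(e) u {x} u bv(b)
    s = set()
    for x, b in e:
        s |= {x} | bv_bite(b)
    return s

def fv_env(e):                               # fv(eps) = {star}; fv(e[x<-b]) = fv(e) \ {x} u fv(b)
    s = {STAR}
    for x, b in e:
        s = (s - {x}) | fv_bite(b)
    return s

def dom(e):
    return {x for x, _ in e}

# --- crumbling translation: principal (underlined in the paper) and auxiliary (overlined)
def crumble(t):
    if t[0] == "var": return [(STAR, ("var", t[1]))]                  # x  ~> [star<-x]
    if t[0] == "lam": return [(STAR, ("lam", t[1], crumble(t[2])))]   # lam x.u ~> [star<-lam x.u]
    x, e = crumble_aux(t[1])
    y, e2 = crumble_aux(t[2])
    return [(STAR, ("app", x, y))] + e + e2                          # up ~> [star<-xy] e e'

def crumble_aux(t):
    if t[0] == "var": return t[1], []        # (x, eps), Lemma E.21.1
    (_, b), *rest = crumble(t)               # crumble(t) = [star<-b] e'
    z = fresh_cr()
    return z, [(z, b)] + rest                # (z, [z<-b] e'), Lemma E.21.2

# --- read-back, with the case split used in the proof of Lemma E.18
def subst(t, x, u):
    """t{x<-u} by plain replacement: on well-named input no renaming is needed (assumption)."""
    if t[0] == "var": return u if t[1] == x else t
    if t[0] == "lam": return t if t[1] == x else ("lam", t[1], subst(t[2], x, u))
    if t[0] == "app": return ("app", subst(t[1], x, u), subst(t[2], x, u))
    body = t[1] if t[2] == x else subst(t[1], x, u)
    return ("es", body, t[2], subst(t[3], x, u))

def readback_bite(b):
    if b[0] == "var": return b
    if b[0] == "app": return ("app", ("var", b[1]), ("var", b[2]))
    return ("lam", b[1], readback(b[2]))

def readback(e):
    if not e: return ("var", STAR)                       # eps reads back to the star
    *rest, (x, b) = e
    if is_cr(x) or b[0] == "lam":                        # x in V_cr or b an abstraction
        return subst(readback(rest), x, readback_bite(b))
    return ("es", readback(rest), x, readback_bite(b))   # otherwise keep the ES

# --- variables of terms, to state the checks
def fv_term(t):
    if t[0] == "var": return {t[1]}
    if t[0] == "lam": return fv_term(t[2]) - {t[1]}
    if t[0] == "app": return fv_term(t[1]) | fv_term(t[2])
    return (fv_term(t[1]) - {t[2]}) | fv_term(t[3])

def bv_term(t):
    if t[0] == "var": return set()
    if t[0] == "lam": return {t[1]} | bv_term(t[2])
    if t[0] == "app": return bv_term(t[1]) | bv_term(t[2])
    return bv_term(t[1]) | {t[2]} | bv_term(t[3])

def check_crumbling(t):
    """Inverse property (Lemma VII.4 / E.22.1) and the three points of Lemma E.20 for t."""
    e = crumble(t)
    return (readback(e) == t,
            fv_env(e) == fv_term(t),
            {x for x in bv_env(e) if not is_cr(x)} == bv_term(t),
            all(is_cr(x) for x in dom(e)))

def readback_props(e):
    """Lemma E.18.3 and E.18.4 (free and bound variables of the read-back) for e."""
    t = readback(e)
    return (fv_term(t) <= fv_env(e), bv_term(t) <= bv_env(e))

# constructed well-named sample term: (lam x. x (y z)) (lam w. w)
SAMPLE = ("app",
          ("lam", "x", ("app", ("var", "x"), ("app", ("var", "y"), ("var", "z")))),
          ("lam", "w", ("var", "w")))

# constructed environment with a V_calc binder (v), which reads back to an ES:
# [star<-#1 v][#1<-lam x.[star<-x]][v<-y]  reads back to  ((lam x.x) v)[v<-y]
ES_ENV = [(STAR, ("app", "#1", "v")),
          ("#1", ("lam", "x", [(STAR, ("var", "x"))])),
          ("v", ("var", "y"))]
```

`check_crumbling(SAMPLE)` returns `(True, True, True, True)`: the crumbled form of the sample reads back to the sample itself, its free variables are exactly `{y, z}`, its calculus bound variables are exactly `{x, w}`, and every variable in its domain (including $\star$) is a crumbling variable. `readback(ES_ENV)` keeps the binding of `v` as an explicit substitution, which is the case of the read-back where the translation of a λ-term never lands (Lemma E.20 gives $dom(\underline{t}) \subset V_{cr}$) but which the machine-produced environments of the following sections exercise.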
Lemma E.22 (Crumbling properties; see Lemma VII.4, p. 10). Let $t$ be a well-named $\lambda$-term. Then
1) Inverse: $\overline{t}^{\to} = t$.
2) Name: $\overline{t}$ is well-named.
Proof.
1) We proceed by induction on the structure of $t$:
• If $t = x$, then $\overline{t} = [\star\leftarrow x]$, and clearly $[\star\leftarrow x]^{\to} = x = t$.
• If $t = \lambda x.u$, then $\overline{t} = [\star\leftarrow\lambda x.\overline{u}]$. By definition $[\star\leftarrow\lambda x.\overline{u}]^{\to} = \lambda x.(\overline{u}^{\to})$, and we conclude by using the i.h. $\overline{u}^{\to} = u$.
• If $t = up$, then $\overline{t} = [\star\leftarrow xy]\,e\,e'$ where $(x,e) = \underline{u}$ and $(y,e') = \underline{p}$. We proceed by cases on $p$:
– If $p = y$, then $y\in\mathcal{V}_{calc}$ and $e' = \epsilon$. We proceed by cases on $u$:
∗ If $u = x$, then also $e = \epsilon$. Thus $\overline{t} = [\star\leftarrow xy]$ and $\overline{t}^{\to} = [\star\leftarrow xy]^{\to} = xy = up = t$.
∗ If $u\neq x$, then $e\neq\epsilon$, say $e = [x\leftarrow b]e''$. By Lemma E.21 $\overline{u} = [\star\leftarrow b]e''$ and $x\in\mathcal{V}_{cr}$, and by Lemma E.20 $y\notin dom(e)\cup\{x\}$. Hence by Lemma E.18.5 $([\star\leftarrow xy]e)^{\to} = [\star\leftarrow xy]^{\to}\{x\leftarrow([\star\leftarrow b]e'')^{\to}\}$. By i.h. $([\star\leftarrow b]e'')^{\to} = \overline{u}^{\to} = u$, so that $([\star\leftarrow xy]e)^{\to} = [\star\leftarrow xy]^{\to}\{x\leftarrow u\} = xy\{x\leftarrow u\} = uy = up = t$.
– If $p\neq y$, then $e'\neq\epsilon$, say $e' = [y\leftarrow b]e''$. By Lemma E.21 $\overline{p} = [\star\leftarrow b]e''$ and $y\in\mathcal{V}_{cr}$. By Lemma E.18.5 $([\star\leftarrow xy]\,e\,e')^{\to} = ([\star\leftarrow xy]e)^{\to}\{y\leftarrow([\star\leftarrow b]e'')^{\to}\}$. By i.h. $([\star\leftarrow b]e'')^{\to} = \overline{p}^{\to} = p$, hence $([\star\leftarrow xy]\,e\,e')^{\to} = ([\star\leftarrow xy]e)^{\to}\{y\leftarrow p\}$. We now proceed by cases on $u$:
∗ If $u = x$, then also $e = \epsilon$ and $x\in\mathcal{V}_{calc}$. Thus $([\star\leftarrow xy]e)^{\to}\{y\leftarrow p\} = [\star\leftarrow xy]^{\to}\{y\leftarrow p\} = xy\{y\leftarrow p\} = xp = up = t$.
∗ If $u\neq x$, then $e\neq\epsilon$, say $e = [x\leftarrow b']e'''$. By Lemma E.21 $\overline{u} = [\star\leftarrow b']e'''$ and $x\in\mathcal{V}_{cr}$. Moreover, $x\neq y$ because they are fresh crumbling variables created in distinct branches of the crumbling transformation. Hence by Lemma E.18.5 $([\star\leftarrow xy]e)^{\to}\{y\leftarrow p\} = [\star\leftarrow xy]^{\to}\{x\leftarrow([\star\leftarrow b']e''')^{\to}\}\{y\leftarrow p\}$. By i.h. $([\star\leftarrow b']e''')^{\to} = \overline{u}^{\to} = u$, so the right-hand side equals $[\star\leftarrow xy]^{\to}\{x\leftarrow u\}\{y\leftarrow p\} = xy\{x\leftarrow u\}\{y\leftarrow p\}$. We conclude with $xy\{x\leftarrow u\}\{y\leftarrow p\} = up = t$ because $y\notin fv(u)$, since $y\in\mathcal{V}_{cr}$.
2) We prove at the same time the corresponding statement for $\underline{(\cdot)}$, i.e. that if $t$ is well-named and $\underline{t} = (x,e)$, then $e$ is well-named. By mutual induction on the size of $t$:
• If $t = x$ for some variable $x$, then $\overline{t} = [\star\leftarrow x]$, which is well-named. $\underline{t} = (x,\epsilon)$ and $\epsilon$ is clearly well-named.
• If $t = \lambda x.u$, then $\overline{t} = [\star\leftarrow\lambda x.\overline{u}]$. By i.h. $\overline{u}$ is well-named, thus $[\star\leftarrow\lambda x.\overline{u}]$ is well-named as well, if $x\notin bv(\overline{u})$ (which holds by Lemma E.20 and well-namedness of $t$). Similarly for $\underline{t} = (z, [z\leftarrow\lambda x.\overline{u}])$, since $z\notin vars(\lambda x.\overline{u})$ because it is a fresh local variable.
• If $t = up$, then $\overline{t} = [\star\leftarrow xy]\,e\,e'$ where $(x,e) := \underline{u}$ and $(y,e') := \underline{p}$. By i.h. both $e$ and $e'$ are well-named. We apply twice Lemma E.13 to conclude, but we first need to prove the following disjointness conditions:
– $bv([\star\leftarrow xy])\perp vars(e)$ follows from the definition of $\perp$ because $bv([\star\leftarrow xy]) = \{\star\}$.
– $fv([\star\leftarrow xy])\setminus dom(e)\perp bv(e)$, that is $\{x,y\}\setminus dom(e)\perp bv(e)$. We proceed by cases on $u$ and $p$:
∗ If $u = x$, then $e = \epsilon$ and we conclude because $bv(e) = \emptyset$.
∗ If $u\neq x$ and $p\neq y$, then $x\in dom(e)$ and $y\in dom(e')$. Note that $dom(e)\perp dom(e')$ by the definition of crumbling, which always generates fresh crumbling variables. Thus $\{x,y\}\setminus dom(e) = \{y\}$. By Lemma E.20, $bv(e)\cap\mathcal{V}_{calc} = bv(u)$, and the crumbling variable $y$ is not in $bv(e)$ again by the freshness of crumbling variables.
∗ If $u\neq x$ and $p = y$, then $x\in dom(e)$ and $e' = \epsilon$. In this case $\{x,y\}\setminus dom(e) = \{y\}$ because $y\notin\mathcal{V}_{cr}$ while $dom(e)\subset\mathcal{V}_{cr}$ by Lemma E.20. By well-namedness of $t$, $y\notin bv(u)$, and we conclude by Lemma E.20, since $y\in\mathcal{V}_{calc}$ and $bv(e)\cap\mathcal{V}_{calc} = bv(u)$.
– $bv([\star\leftarrow xy]e)\perp vars(e')$, that is $bv(e)\perp vars(e')$, i.e. $bv(e)\perp fv(e')$ and $bv(e)\perp bv(e')$. By Lemma E.20 $fv(e') = fv(p)$, $bv(e)\cap\mathcal{V}_{calc} = bv(u)$ and $bv(e')\cap\mathcal{V}_{calc} = bv(p)$. From the hypothesis that $t$ is well-named, it follows that $bv(u)\perp fv(p)$ and that $bv(u)\perp bv(p)$. The remaining requirements, concerning the crumbling variables in $bv(e)$ and $bv(e')$, follow from the definition of crumbling, where crumbling variables are always chosen to be globally fresh.
– $fv([\star\leftarrow xy]e)\setminus dom(e')\perp bv(e')$. By Lemma E.10, $fv([\star\leftarrow xy]e) = (\{x,y\}\setminus dom(e))\cup fv(e)$, and by Lemma E.20 $(\{x,y\}\setminus dom(e))\cup fv(e) = (\{x,y\}\setminus dom(e))\cup fv(u)$. First of all, note that $dom(e')\perp fv(u)$ because $dom(e')$ only contains crumbling variables (Lemma E.20); therefore $fv([\star\leftarrow xy]e)\setminus dom(e') = (\{x,y\}\setminus dom(e)\setminus dom(e'))\cup fv(u)$. We proceed by cases on $u, p$:
∗ If $p = y$ then $e' = \epsilon$, and we conclude because $bv(e') = \emptyset$.
∗ If $u = x$ and $p\neq y$, then $x\in\mathcal{V}_{calc}$, $e = \epsilon$, and $y\in dom(e')$. In this case $(\{x,y\}\setminus dom(e)\setminus dom(e'))\cup fv(u) = \{x\}$. By well-namedness of $t$, $x\notin bv(p)$, and we conclude with $x\notin bv(e')$ by Lemma E.20, because $x\in\mathcal{V}_{calc}$.
∗ If $u\neq x$ and $p\neq y$, then $x\in dom(e)$ and $y\in dom(e')$. In this case $(\{x,y\}\setminus dom(e)\setminus dom(e'))\cup fv(u) = fv(u)$. By well-namedness of $t$, $fv(u)\perp bv(p)$, and we conclude with $fv(u)\perp bv(e')$ by Lemma E.20, because $fv(u)\subseteq\mathcal{V}_{calc}$.
As for the case of $\underline{t} = (z, [z\leftarrow xy]\,e\,e')$ where $(x,e) := \underline{u}$ and $(y,e') := \underline{p}$, the proof proceeds in a similar way as above.

F. On the properties of $\sigma_{(\cdot)}$ and $L_{(\cdot)}$
Here we collect several properties that relate an environment $e$ and its associated $\sigma_e$ and $L_e$.
Lemma E.23. $dom(\sigma_e)\subseteq dom(e)$.
Proof. By structural induction over $e$:
• Case $\epsilon$: $dom(\sigma_\epsilon) = dom(Id) = \emptyset = dom(\epsilon)$.
• Case $e'[x\leftarrow b]$: $\sigma_{e'[x\leftarrow b]}$ is either $\sigma_{e'}$ or $\sigma_{e'}\{x\leftarrow b^{\to}\}$. Composing $\sigma_{e'}$ with $\{x\leftarrow b^{\to}\}$ can add $x$ to the domain of $\sigma_{e'}$ and remove an arbitrary number of other variables that, after the substitution, can now be mapped to themselves. Therefore we conclude $dom(\sigma_{e'}\{x\leftarrow b^{\to}\})\subseteq dom(\sigma_{e'})\cup\{x\}\subseteq_{i.h.} dom(e')\cup\{x\} = dom(e'[x\leftarrow b])$.
Lemma E.24. $\sigma_{ee'} = \sigma_e\sigma_{e'}$.
Proof. By structural induction over $e'$:
• Case $\epsilon$: $\sigma_e = \sigma_e\,Id = \sigma_e\sigma_\epsilon$.
• Case $e''[x\leftarrow b]$: $\sigma_{ee''[x\leftarrow b]} = \sigma_{ee''}\sigma_{[x\leftarrow b]} =_{i.h.} \sigma_e\sigma_{e''}\sigma_{[x\leftarrow b]} = \sigma_e\sigma_{e''[x\leftarrow b]}$.
In the following statement we commit a little abuse of notation: we write $\{w\leftarrow b^{\to}\sigma_e\}\cup\sigma_e$ to mean $\{w\leftarrow b^{\to}\sigma_e\}\cup(\sigma_e\setminus\{w\leftarrow\sigma_e(w)\})$, i.e. the total function that maps $w$ to $b^{\to}\sigma_e$ and every other variable $x$ to $\sigma_e(x)$.
Lemma E.25 (Left-to-right induced substitutions and substitution contexts).
1) $\sigma_{[w\leftarrow b]e} = \{w\leftarrow b^{\to}\sigma_e\}\cup\sigma_e$ if $b = v$ or $w\in\mathcal{V}_{cr}$, and $\sigma_{[w\leftarrow b]e} = \sigma_e$ otherwise.
2) $L_{[w\leftarrow b]e} = L_e$ if $b = v$ or $w\in\mathcal{V}_{cr}$, and $L_{[w\leftarrow b]e} = [w\leftarrow b^{\to}\sigma_e]L_e$ otherwise.
Proof. We have to prove that:
1) $\sigma_{[w\leftarrow b]e} = \{w\leftarrow b^{\to}\sigma_e\}\cup\sigma_e$ if $b = v$ or $w\in\mathcal{V}_{cr}$, and $\sigma_{[w\leftarrow b]e} = \sigma_e$ otherwise. By Lemma E.24, $\sigma_{[w\leftarrow b]e} = \sigma_{[w\leftarrow b]}\sigma_e$. The thesis follows from the definition of composition of substitutions and the definition of $\sigma_{[w\leftarrow b]}$.
2) $L_{[w\leftarrow b]e} = L_e$ if $b = v$ or $w\in\mathcal{V}_{cr}$, and $L_{[w\leftarrow b]e} = [w\leftarrow b^{\to}\sigma_e]L_e$ otherwise. We proceed by structural induction on $e$.
• Case $\epsilon$. The property holds by definition of induced substitution context, noticing that $\sigma_\epsilon = Id$.
• Case $e'[x\leftarrow b']$. $L_{[w\leftarrow b]e'[x\leftarrow b']} = L_{[w\leftarrow b]e'}\sigma_{[x\leftarrow b']}L_{[x\leftarrow b']}$. If $b = v$ or $w\in\mathcal{V}_{cr}$, by i.h. this is $L_{e'}\sigma_{[x\leftarrow b']}L_{[x\leftarrow b']} = L_{e'[x\leftarrow b']}$. Otherwise, by i.h. it is $[w\leftarrow b^{\to}\sigma_{e'}]L_{e'}\sigma_{[x\leftarrow b']}L_{[x\leftarrow b']} = [w\leftarrow b^{\to}\sigma_{e'}\sigma_{[x\leftarrow b']}]L_{e'[x\leftarrow b']} = [w\leftarrow b^{\to}\sigma_{e'[x\leftarrow b']}]L_{e'[x\leftarrow b']}$, where the last step is Lemma E.24.
Lemma E.26. If $e$ is well-named and $e(x) = v$ then $\sigma_e(x)$ is a value.
Proof. If $e(x) = v$ then $e = e_1[x\leftarrow v]e_2$ and, by Lemma E.24, $\sigma_e(x) = \sigma_{e_1[x\leftarrow v]e_2}(x) = (\sigma_{e_1}\{x\leftarrow v^{\to}\}\sigma_{e_2})(x)$. Since $e_1[x\leftarrow v]e_2$ is well-named, $x\notin bv(e_1)\supseteq dom(e_1)\supseteq_{L.E.23} dom(\sigma_{e_1})$, and thus $(\sigma_{e_1}\{x\leftarrow v^{\to}\}\sigma_{e_2})(x) = v^{\to}\sigma_{e_2}$, which is a value by definition of substitution.

G. Read-back is modular
Lemma E.27 (see Lemma VII.6, p. 10). $(ee')^{\to} = L_{e'}\langle e^{\to}\sigma_{e'}\rangle$.
Proof. By induction on $e'$. Base case: if $e' = \epsilon$ then $L_{e'} = \langle\cdot\rangle$ and $\sigma_{e'}$ is the identity, so that $L_{e'}\langle e^{\to}\sigma_{e'}\rangle = e^{\to}$. Inductive case: if $e' = e''[x\leftarrow b]$ there are two cases.
• If $b = v$ or $x\in\mathcal{V}_{cr}$, then $(ee''[x\leftarrow b])^{\to} = (ee'')^{\to}\{x\leftarrow b^{\to}\} =_{i.h.} L_{e''}\langle e^{\to}\sigma_{e''}\rangle\{x\leftarrow b^{\to}\} = L_{e''}\{x\leftarrow b^{\to}\}\langle e^{\to}\sigma_{e''}\{x\leftarrow b^{\to}\}\rangle = L_{e''[x\leftarrow b]}\langle e^{\to}\sigma_{e''[x\leftarrow b]}\rangle$.
• Otherwise: $(ee''[x\leftarrow b])^{\to} = (ee'')^{\to}[x\leftarrow b^{\to}] =_{i.h.} L_{e''}\langle e^{\to}\sigma_{e''}\rangle[x\leftarrow b^{\to}] = L_{e''[x\leftarrow b]}\langle e^{\to}\sigma_{e''}\rangle = L_{e''[x\leftarrow b]}\langle e^{\to}\sigma_{e''[x\leftarrow b]}\rangle$.

APPENDIX F
PROOFS OF SECTION VIII (OPEN CRUMBLING MACHINE)
The aim of this section is to provide all the lemmas required to prove the open machine correct. We do not provide the latter proof explicitly. Instead we shall later extend the open machine to a strong machine by adding a new phase, and we shall prove that correct. Therefore the proof of correctness of the strong machine shall entail the one for the open machine and, of course, requires all the lemmas provided in this section.

A. Fundamental property of pristine environments
One fundamental property of pristine environments is the fact that the crumbling variables introduced by the crumbling transformation occur at most once in the resulting environment. In order to prove Lemma VIII.3 (proved in Lemma F.3), we first prove the following two auxiliary lemmas:
Lemma F.1 (Pristine free variables). If $e$ is pristine and well-named, then $fv(e) = fv(e^{\to})$.
Proof. One direction is proved in Lemma E.18. We now prove the inclusion $fv(e)\subseteq fv(e^{\to})$, by mutual induction with the corresponding statement for bites (proved below). By induction on the structure of $e$:
• If $e = \epsilon$ then $fv(\epsilon) = fv(\epsilon^{\to}) = \{\star\}$.
• If $e = e'[y\leftarrow b]$ then, by the definition of pristine, both $e'$ and $b$ are pristine, and $e'^{\to} = O'\langle y\rangle$ for an open context $O'$ such that $y\notin vars(O')$. By i.h. $fv(e') = fv(e'^{\to})$ and $fv(b) = fv(b^{\to})$. We conclude by Lemma E.16.1 and Lemma E.17.1.
Now the corresponding statement for bites. We prove that $fv(b)\subseteq fv(b^{\to})$ for every pristine and well-named bite $b$:
• If $b$ is a variable, then clearly $fv(b) = fv(b^{\to}) = \{b\}$.
• If $b$ is an application $b = xy$, then clearly $fv(b) = fv(b^{\to}) = \{x,y\}$.
• If $b$ is an abstraction $b = \lambda x.e$, then by i.h. $fv(e) = fv(e^{\to})$. We conclude with $fv(b) = fv(e)\setminus\{x\} = fv(e^{\to})\setminus\{x\} = fv(b^{\to})$.
Lemma F.2. Let $e$ be a pristine and well-named environment. If $e^{\to} = O\langle x\rangle$ for some open context $O$ such that $x\notin vars(O)$, then $x$ occurs at most once in $e$.
Proof. We prove the required statement by mutual induction with the corresponding statement for bites (proved below). By induction on the structure of $e$:
• If $e = \epsilon$ then $e^{\to} = \star$, and the only option is $O = \langle\cdot\rangle$ and $x = \star$, which does not occur in $\epsilon$.
• If $e = e'[y\leftarrow b]$ then, by the definition of pristine, both $e'$ and $b$ are pristine, and $e'^{\to} = O'\langle y\rangle$ for an open context $O'$ such that $y\notin vars(O')$. By Lemma F.7 $e^{\to} = e'^{\to}\{y\leftarrow b^{\to}\} = O'\langle b^{\to}\rangle$, and therefore $O\langle x\rangle = O'\langle b^{\to}\rangle$. Recall the hypothesis $x\notin vars(O)$. We proceed by cases:
– If $x\in vars(O')$, then $x\notin vars(b^{\to})$ and $e'^{\to} = O'\langle y\rangle = O''\langle x\rangle$ for some $O''$ such that $x\notin vars(O'')$. By i.h., $x$ occurs at most once in $e'$. In order to conclude, it suffices to show that $x\notin vars([y\leftarrow b])$. As for the bound variables, $x\notin bv([y\leftarrow b])$ holds by well-namedness of $e$, because $x$ is free in $e$. As for the free variables, it follows by Lemma F.1.
– If $x\notin vars(O')$, then $O = O'\langle O''\rangle$ where $O''\langle x\rangle = b^{\to}$. By i.h., we obtain that $x$ occurs at most once in $b$. Note that by well-namedness $x\neq y$. From $x\notin vars(O')$ we obtain $x\notin vars(O'\langle y\rangle) = vars(e'^{\to})$, and we conclude like in the case above by Lemma F.1.
Now the corresponding statement for bites. We prove that for every pristine and well-named bite $b$, if $b^{\to} = O\langle x\rangle$ for some open context $O$ such that $x\notin vars(O)$, then $x$ occurs at most once in $b$:
• If $b$ is a variable, then necessarily $b = x$, which clearly occurs once in $b$.
• If $b$ is an application, then necessarily $b = xy$ (with $O = \langle\cdot\rangle y$) or $b = yx$ (with $O = y\langle\cdot\rangle$) for $x\neq y$ (because $x\notin vars(O)$), and therefore $x$ clearly occurs once in $b$.
• The case when $b$ is an abstraction is not possible, because in this case $b^{\to}$ is an abstraction as well, and thus it cannot hold that $b^{\to} = O\langle x\rangle$ for some open context $O$.
As a corollary:
Lemma F.3 (see Lemma VIII.3, p. 12). If $e[x\leftarrow b]$ is pristine and well-named and $x\neq\star$, then $x$ occurs exactly once in $e$.
Proof. Lemma F.2 and the definition of pristine imply that $x$ occurs at most once in $e$. From the definition of pristine it also follows that $x\in fv(e^{\to})$. To conclude, just note that the unfolding preserves the names of free variables by Lemma E.18 (the only exception is $\star$, which can be syntactically present in the unfolding but not in the original environment, for example in the case $\epsilon^{\to} = \star$). Thus when a free variable different from $\star$ occurs in the unfolding, it must also occur syntactically in the original environment.

B. Other fundamental properties of pristine environments
Pristine environments are stable under a certain number of operations that are performed on them during a run of the open machine. These properties are used in the proof of correctness of the machine to show the invariant that certain environments of the machine remain pristine during execution, assuming that the property holds for the initial machine state.
In order to prove the essential properties of pristine environments in Lemma F.8, we first introduce some auxiliary properties of open contexts. The first one is the fact that open contexts are closed under composition:
Lemma F.4 (Composition of open contexts). Let $O$ and $O'$ be open contexts. Then their composition $O\langle O'\rangle$ is still an open context.
Proof. By an easy inspection of the grammar of open evaluation contexts. It can be proved formally by induction on $O$.
An easy property about the variables of plugged open contexts:
Lemma F.5. Let $O$ be an open context, and $t$ be a term. Then
1) $fv(O)\subseteq fv(O\langle t\rangle)$.
2) $bv(O)\subseteq bv(O\langle t\rangle)$.
Proof. Easy, by induction on the structure of $O$.
The following two lemmas prove properties of open contexts under certain substitutions of terms.
Lemma F.6 (Open contexts and substitutions). Let $O$ be an open context and $\sigma$ be a substitution. Then:
1) $O\langle b\rangle\sigma = O\sigma\langle b\sigma\rangle$ when $bv(O)\perp fv(\sigma)\cup dom(\sigma)$.
2) $O\sigma$ is an open context.
Proof.
1) By induction over the structure of $O$:
• The case $O = \langle\cdot\rangle$ is trivial.
• If $O = O't$, then $O\langle b\rangle\sigma = (O'\langle b\rangle\,t)\sigma = (O'\langle b\rangle\sigma)(t\sigma)$. By i.h. $O'\langle b\rangle\sigma = O'\sigma\langle b\sigma\rangle$. Since $O\sigma = (O'\sigma)(t\sigma)$ we can conclude.
• The case $O = tO'$ is similar to the one above.
• Case $O = O'[x\leftarrow t]$. $bv(O)\perp fv(\sigma)\cup dom(\sigma)$ implies $x\notin fv(\sigma)\cup dom(\sigma)$. Therefore $O'\langle b\rangle[x\leftarrow t]\sigma = O'\langle b\rangle\sigma[x\leftarrow t\sigma]$, and we conclude by i.h.
• Case $O = t[x\leftarrow O']$. Again, $bv(O)\perp fv(\sigma)\cup dom(\sigma)$ implies $x\notin fv(\sigma)\cup dom(\sigma)$. Therefore $t[x\leftarrow O'\langle b\rangle]\sigma = t\sigma[x\leftarrow O'\langle b\rangle\sigma]$, and we conclude by i.h.
2) Easy, by induction on the structure of $O$.
Lemma F.7. Let $t, u$ be terms and $O$ be an open context such that $x\notin vars(O)$ and $bv(O)\perp fv(u)$. Then $O\langle t\rangle\{x\leftarrow u\} = O\langle t\{x\leftarrow u\}\rangle$.
Proof. By induction on the structure of $O$:
• When $O = \langle\cdot\rangle$, clearly $O\langle t\rangle\{x\leftarrow u\} = t\{x\leftarrow u\} = O\langle t\{x\leftarrow u\}\rangle$.
• When $O = O'p$, $O\langle t\rangle\{x\leftarrow u\} = (O'\langle t\rangle\{x\leftarrow u\})(p\{x\leftarrow u\})$. Note that $bv(O')\subseteq bv(O)$ and $vars(O')\subseteq vars(O)$, and therefore by i.h. $O'\langle t\rangle\{x\leftarrow u\} = O'\langle t\{x\leftarrow u\}\rangle$. Moreover, from $x\notin vars(O)$ it follows that $x\notin fv(p)$, and therefore $p\{x\leftarrow u\} = p$. As a consequence, $(O'\langle t\rangle\{x\leftarrow u\})(p\{x\leftarrow u\}) = O'\langle t\{x\leftarrow u\}\rangle\,p = O\langle t\{x\leftarrow u\}\rangle$.
• The case $O = pO'$ is similar to the case above.
• When $O = O'[y\leftarrow p]$, $O\langle t\rangle\{x\leftarrow u\} = O'\langle t\rangle[y\leftarrow p]\{x\leftarrow u\}$. Since by hypothesis $x\notin vars(O)$ (so in particular $x\neq y$) and $y\notin fv(u)$, $O'\langle t\rangle[y\leftarrow p]\{x\leftarrow u\} = O'\langle t\rangle\{x\leftarrow u\}[y\leftarrow p\{x\leftarrow u\}]$. Since $bv(O')\subseteq bv(O)$ and $vars(O')\subseteq vars(O)$, by i.h. $O'\langle t\rangle\{x\leftarrow u\} = O'\langle t\{x\leftarrow u\}\rangle$, and from the hypothesis that $x\notin vars(O)$ it follows that $x\notin fv(p)$ and hence $p\{x\leftarrow u\} = p$.
• The case $O = p[y\leftarrow O']$ is similar to the case above.
We now have all the ingredients to prove the following important properties of every pristine environment:
Lemma F.8 (Pristine properties).
1) Replacement: if $e[x\leftarrow b]$ is pristine, then $e[x\leftarrow b']$ is pristine for any pristine $b'$.
2) Concatenation: if $e[x\leftarrow b]$ and $[\star\leftarrow b']e'$ are pristine, then $e[x\leftarrow b']e'$ is pristine, under the requirement that $bv(e)\perp fv([\star\leftarrow b']e')$ and $fv(e)\perp dom(e')$.
3) $\alpha$-Conversion: if $e$ is well-named and pristine and $e =_\alpha e'$ for $e'$ well-named, then $e'$ is pristine as well.
4) Renaming: if $e$ is well-named and pristine then $e\{x\leftarrow y\}$ is pristine when $y\notin bv(e)$.
Proof.
1) Trivial by the definition of pristine.
2) By induction on $e'$. If $e' = \epsilon$ then the statement follows directly from Point 1. Let us suppose now that $e' = e''[y\leftarrow b'']$. By the hypothesis that $[\star\leftarrow b']e'$ is pristine, it follows that $y\in\mathcal{V}_{cr}$, that $b''$ is pristine, and that $[\star\leftarrow b']e''$ is pristine. Therefore by i.h. $e[x\leftarrow b']e''$ is pristine. To prove that $e[x\leftarrow b']e''[y\leftarrow b'']$ is pristine, it remains to prove that $(e[x\leftarrow b']e'')^{\to} = O\langle y\rangle$ for some open context $O$ such that $y\notin vars(O)$.
First of all, by the pristine hypothesis, $e^{\to} = O'\langle x\rangle$ and $([\star\leftarrow b']e'')^{\to} = O''\langle y\rangle$ for some open contexts $O'$ and $O''$ such that $x\notin vars(O')$ and $y\notin vars(O'')$. We then apply Lemma E.18.5 and obtain that $(e[x\leftarrow b']e'')^{\to} = e^{\to}\{x\leftarrow([\star\leftarrow b']e'')^{\to}\} = O'\langle x\rangle\{x\leftarrow O''\langle y\rangle\} = O'\langle O''\langle y\rangle\rangle$, the last step by Lemma F.7 (whose side conditions hold because $x\notin vars(O')$ and $bv(O')\subseteq bv(e)\perp fv([\star\leftarrow b']e')$). Here $O := O'\langle O''\rangle$ is an open context because the composition of open contexts is still an open context (see Lemma F.4), and $y\notin vars(O'\langle O''\rangle)$ because $y\notin vars(O'')$ and $y\notin vars(O')$.
3) We prove at the same time the corresponding statement for bites, i.e. that if $b$ is pristine and well-named and $b =_\alpha b'$ for $b'$ well-named, then $b'$ is pristine. By structural induction on the derivation of respectively $e =_\alpha e'$ or $b =_\alpha b'$:
• Reflexivity: in this case $e = e'$ and $b = b'$, and therefore trivially $e'$ and $b'$ are pristine.
• Symmetry: $e =_\alpha e'$ because $e' =_\alpha e$. Then by i.h. we obtain $e'$ pristine, and we conclude because $=_\alpha$ is symmetric. Similarly for bites.
• Transitivity: $e =_\alpha e'$ because $e =_\alpha e''$ and $e'' =_\alpha e'$. Just use the i.h. twice, first on $e =_\alpha e''$ and then on $e'' =_\alpha e'$. Similarly for bites.
• Structural, ES: $e =_\alpha e'$ because $e = e''[x\leftarrow b]$ and $e' = e'''[x\leftarrow b']$, where $e'' =_\alpha e'''$ and $b =_\alpha b'$. By i.h. $e'''$ and $b'$ are pristine, and it remains to show that $e'''^{\to} = O\langle x\rangle$ for some open context $O$ such that $x\notin vars(O)$. Since $e$ is pristine, $e''^{\to} = O\langle x\rangle$ for some open context $O$ such that $x\notin vars(O)$. Conclude by Lemma E.18.1.
• Rename, ES: $e =_\alpha e'$ because $e = e''[x\leftarrow b]$ and $e' = e''\{x\leftarrow y\}[y\leftarrow b]$ with $y\notin vars(e)$. By i.h. $e''$ and $b$ are pristine, and it remains to show that $y\in\mathcal{V}_{cr}$ and $(e''\{x\leftarrow y\})^{\to} = O\langle y\rangle$ for some open context $O$ such that $y\notin vars(O)$. $y\in\mathcal{V}_{cr}$ because $\alpha$-equality renames crumbling variables to crumbling variables. As for the read-back, since $e$ is pristine, $e''^{\to} = O'\langle x\rangle$ for some open context $O'$ such that $x\notin vars(O')$. Let us take $O := O'$. By Lemma E.18.2, $(e''\{x\leftarrow y\})^{\to} = e''^{\to}\{x\leftarrow y\} = O'\langle x\rangle\{x\leftarrow y\}$. Note that from $y\notin vars(e)$, Lemma F.5 and Lemma E.18 it follows that $y\notin vars(O)$. Finally, by Lemma F.7, $O\langle x\rangle\{x\leftarrow y\} = O\langle y\rangle$ (which requires $x\notin vars(O)$ and $y\notin bv(O)$), and we conclude.
• Rename, abstraction: $b =_\alpha b'$ because $b = \lambda x.e$ and $b' = \lambda y.(e\{x\leftarrow y\})$ for $y\notin vars(e)$. Since $e$ is pristine, by Point 4 $e\{x\leftarrow y\}$ is pristine as well, and we conclude.
• Structural, abstraction: $b =_\alpha b'$ because $b = \lambda x.e$, $b' = \lambda x.e'$ and $e =_\alpha e'$. By i.h. $e'$ is pristine, and we conclude.
4) We prove the statement by induction on the structure of $e$, mutually with the following corresponding statement for bites: if $b$ is well-named and pristine then $b\{x\leftarrow y\}$ is pristine when $y\notin bv(b)$.
If $e = \epsilon$, then $e\{x\leftarrow y\} = \epsilon$ and it is therefore pristine. If $e = e'[z\leftarrow b]$, there are two subcases:
• If $x = z$, then $e\{x\leftarrow y\} = e'[z\leftarrow b\{x\leftarrow y\}]$. By i.h. $b\{x\leftarrow y\}$ is pristine, and we can conclude by Point 1.
• If $x\neq z$, then $e\{x\leftarrow y\} = e'\{x\leftarrow y\}[z\leftarrow b\{x\leftarrow y\}]$ because $y\neq z$ by hypothesis. By i.h. $e'\{x\leftarrow y\}$ and $b\{x\leftarrow y\}$ are pristine, and in order to conclude it suffices to show that $(e'\{x\leftarrow y\})^{\to} = O\langle z\rangle$ for some open context $O$ such that $z\notin vars(O)$. By pristinity of $e$ it follows that $e'^{\to} = O'\langle z\rangle$ for some open context $O'$ such that $z\notin vars(O')$. By Lemma E.18.2 $(e'\{x\leftarrow y\})^{\to} = e'^{\to}\{x\leftarrow y\}$, because $y\notin bv(e')$ and thus also $y\notin bv(e'^{\to})$ by Lemma E.18.4. This implies that $(e'\{x\leftarrow y\})^{\to} = O'\langle z\rangle\{x\leftarrow y\}$, which equals $O'\{x\leftarrow y\}\langle z\{x\leftarrow y\}\rangle$ by Lemma F.6.1, and thus $O'\{x\leftarrow y\}\langle z\rangle$ since $z\neq x$. We take as the required context $O := O'\{x\leftarrow y\}$, which is open by Lemma F.6.2. It remains to prove that $z\notin vars(O'\{x\leftarrow y\})$, which follows from $z\notin vars(O')$, from $z\neq y$, and by Lemma F.5 and Lemma E.16.
Finally, the statement for bites. If $b$ is a variable or an application then $b\{x\leftarrow y\}$ is clearly pristine; if $b = \lambda z.e'$, there are again two cases:
• If $x = z$, then $b\{x\leftarrow y\} = b$, and we conclude.
• If $x\neq z$, then $b\{x\leftarrow y\} = \lambda z.(e'\{x\leftarrow y\})$ because $y\notin bv(b)$, i.e. $y\neq z$, and we conclude because by i.h. $e'\{x\leftarrow y\}$ is pristine.

C. Compilation produces a pristine environment
The initial state of an open machine is obtained by compiling a well-named λ -term, obtaining a pristine environment(Lemma F.9). As we will see, that property of being pristine is preserved during a machine execution, but only on theenvironments on the left of (cid:47) . Lemma F.9 (Properties of the translation) . Let t be a well-named λ -term. Then t is pristine.Proof. By induction on the size of t : • If t = x , then t = [ (cid:63) (cid:0) x ] , which is pristine. • If t = λx.u , then t = [ (cid:63) (cid:0) λx.u ] . Since u is also well-named, the i.h. provides that u is pristine, and we can conclude. • If t = up , then t = [ (cid:63) (cid:0) xy ] ee (cid:48) where ( x, e ) = u and ( y, e (cid:48) ) = p .We proceed to prove that every sub-environment of [ (cid:63) (cid:0) xy ] ee (cid:48) is pristine. The thesis then follows easily. We proceed byinduction on the length of the chosen sub-environment: – Case length equals 1, i.e. [ (cid:63) (cid:0) xy ] . Clearly pristine. Case [ (cid:63) (cid:0) xy ] e (cid:48)(cid:48) [ z (cid:0) b ] where the ES [ z (cid:0) b ] belongs to e . By i.h. [ (cid:63) (cid:0) xy ] e (cid:48)(cid:48) is pristine. z ∈ V cr because z ∈ dom ( e ) andby Lemma E.20. It remains to prove that [ (cid:63) (cid:0) xy ] e (cid:48)(cid:48) → = O (cid:104) z (cid:105) for some open context O such that z ∈ vars ( O ) . ∗ If z = x then e (cid:48)(cid:48) = (cid:15) and we conclude with O := (cid:104)·(cid:105) y . ∗ If z (cid:54) = x then e (cid:48)(cid:48) (cid:54) = (cid:15) . In this case, suppose e (cid:48)(cid:48) = [ x (cid:0) b (cid:48) ] e (cid:48)(cid:48)(cid:48) [ w (cid:0) b (cid:48)(cid:48) ] . By inspection of the definition of crumbling andLemma E.21, the environment [ (cid:63) (cid:0) b (cid:48) ] e (cid:48)(cid:48)(cid:48) [ w (cid:0) b (cid:48)(cid:48) ] is an initial sub-environment of u , which by i.h. is pristine. 
Hence [ (cid:63) (cid:0) b (cid:48) ] e (cid:48)(cid:48)(cid:48) [ w (cid:0) b (cid:48)(cid:48) ] → = O (cid:48) (cid:104) w (cid:105) for some open context O (cid:48) such that z (cid:54)∈ vars ( O (cid:48) ) . By Lemma E.18.5, [ (cid:63) (cid:0) xy ] e (cid:48)(cid:48) → = xy { x (cid:0) O (cid:48) (cid:104) w (cid:105)} . Conclude by taking O := O (cid:48) (cid:104) w (cid:105) y . – Case [ (cid:63) (cid:0) xy ] ee (cid:48)(cid:48) [ z (cid:0) b ] where the ES [ z (cid:0) b ] belongs to e (cid:48) . By i.h. [ (cid:63) (cid:0) xy ] ee (cid:48)(cid:48) is pristine. z ∈ V cr because z ∈ dom ( e (cid:48) ) and by Lemma E.20. It remains to prove that [ (cid:63) (cid:0) xy ] ee (cid:48)(cid:48) → = O (cid:104) z (cid:105) for some open context O such that z ∈ vars ( O ) .First of all, note that [ (cid:63) (cid:0) xy ] e → = [ (cid:63) (cid:0) xy ] →{ x (cid:0) t →} = [ (cid:63) (cid:0) xy ] →{ x (cid:0) t } = uy by the discussion on the previous pointand by Point 1. ∗ If z = y then e (cid:48)(cid:48) = (cid:15) and we conclude with O := t (cid:104)·(cid:105) . ∗ If z (cid:54) = y then e (cid:48)(cid:48) (cid:54) = (cid:15) . In this case, suppose e (cid:48)(cid:48) = [ y (cid:0) b (cid:48) ] e (cid:48)(cid:48)(cid:48) [ w (cid:0) b (cid:48)(cid:48) ] . By inspection of the definition of crumbling andby Lemma E.21, the environment [ (cid:63) (cid:0) b (cid:48) ] e (cid:48)(cid:48)(cid:48) [ w (cid:0) b (cid:48)(cid:48) ] is an initial sub-environment of p , which by i.h. is pristine. Hence [ (cid:63) (cid:0) b (cid:48) ] e (cid:48)(cid:48)(cid:48) [ w (cid:0) b (cid:48)(cid:48) ] → = O (cid:48) (cid:104) w (cid:105) for some open context O (cid:48) such that z (cid:54)∈ vars ( O (cid:48) ) . By Lemma E.18.5, [ (cid:63) (cid:0) xy ] ee (cid:48)(cid:48) → = uy { y (cid:0) O (cid:48) (cid:104) w (cid:105)} = uO (cid:48) (cid:104) w (cid:105) . Conclude by taking O := uO (cid:48) (cid:104) w (cid:105) .A PPENDIX GP ROOFS OF S ECTION
IX (S
TRONG C RUMBLING M ACHINE )There are no proofs to be done for Sect. IX. However we include here a bunch of technical lemmas on e ( · ) that will beused in the rest of the paper. Lemma G.1.
For every K :1) fv ( e K ) ⊆ fv ( K ) bv ( e K ) ⊆ bv ( K )
3) If K is well-named then e K is well-named4) If K (cid:104) e (cid:105) is well-named then e is well-named5) If K (cid:104) e (cid:105) is well-named then K is well-namedProof. Easy structural induction on K . Lemma G.2.
Let K be a context. Then
1) e_{K⟨⟨·⟩[x←b]⟩} = [x←b]e_K.
2) e_{K⟨e[x←λy.⟨·⟩]⟩} = e_K.
Proof. By induction on K.
1) If K = ⟨·⟩e′ then e_{K⟨⟨·⟩[x←b]⟩} = [x←b]e′ = [x←b]e_K and the statement holds. If K = e′[x←λy.K′]e then e_{K⟨⟨·⟩[x←b]⟩} = e_{K′⟨⟨·⟩[x←b]⟩}e. By i.h., e_{K′⟨⟨·⟩[x←b]⟩} = [x←b]e_{K′}, and so e_{K⟨⟨·⟩[x←b]⟩} = [x←b]e_{K′}e = [x←b]e_K.
2) If K = ⟨·⟩e′ then e_{K⟨e[x←λy.⟨·⟩]⟩} = e_{e[x←λy.⟨·⟩]e′} = e_{⟨·⟩e′} = e_K and the statement holds. If K = e′[x←λy.K′]e then e_{K⟨e[x←λy.⟨·⟩]⟩} = e_{e′[x←λy.K′⟨e[x←λy.⟨·⟩]⟩]e} = e_{K′⟨e[x←λy.⟨·⟩]⟩}e =_{i.h.} e_{K′}e = e_{e′[x←λy.K′]e} = e_K.

a) Variables of plugged machine contexts: We group here a couple of technical lemmas about the variables of plugged machine contexts.
Lemma G.3. fv(b) ⊆ fv(e) ∪ bv(K⟨e[x←b]⟩).
Proof. Easy by induction on the structure of e.

The following is a generalization of Lemma E.10:

Lemma G.4.
For all machine contexts K and environments e:
1) fv(K⟨e⟩) ⊆ fv(e) \ V ∪ fv(K), where V is a set of variables that depends on K but not on e, such that V ⊆ bv(K).
2) bv(K⟨e⟩) = bv(K) ∪ bv(e)
3) vars(K⟨e⟩) = vars(K) ∪ vars(e)
Proof. Easy by structural induction on K.

APPENDIX H
PROOFS OF SECTION X (STRONG IMPLEMENTATION THEOREM)

Following the main part of the paper, we first introduce multi-contexts, their properties and multi-step reduction. Lastly, we address the Strong Implementation Theorem (Theorem X.4.2, proved in Thm. H.38), which requires them.
A. Multi-contexts and their properties
We begin studying properties of multi-contexts and proving Lemma X.1 (proved in Lemma H.3).
B. Multi-contexts and multi-step reduction
We recall here the terminology introduced in the paper and add some more.
Definition H.1 (Kinds of multi context). A multi context C is
• Normal if C⟨f_s⟩ is a strong fireball for every strong fireball f_s;
• Proper if it has at least one hole;
• Fine if it is strong and proper.
We state an auxiliary lemma that shows properties of strong and rigid multi-contexts that are required to prove Lemma X.1.
Lemma H.2.
Let E and R be respectively a strong and a rigid multi context, and let t be a term.
1) There exists a term u such that E⟨t⟩ = u.
2) There exists a rigid term r such that R⟨t⟩ = r.
Note that the two points imply that if E and R have no holes then they are a term and a rigid term respectively.
Proof. By mutual induction on E and R.
1) Cases of E:
 • E = ⟨·⟩: obvious.
 • E = t: obvious.
 • E = λx.E′: it follows by the i.h.
 • E = R: by i.h. on rigid contexts.
 • E = E′[x←R]: by i.h. there exist a term p and a rigid term r such that E′⟨t⟩ = p and R⟨t⟩ = r. Therefore, E⟨t⟩ = p[x←r].
2) Cases of R:
 • R = y: obvious.
 • R = R′E: by i.h. there exist a rigid term r′ and a term u such that R′⟨t⟩ = r′ and E⟨t⟩ = u. Therefore, R⟨t⟩ = r′u.
 • R = R′[x←R″]: by i.h. there exist rigid terms r′ and r″ such that R′⟨t⟩ = r′ and R″⟨t⟩ = r″. Therefore, R⟨t⟩ = r′[x←r″].

We can now proceed to prove Lemma X.1 mutually with the corresponding statement for rigid multi contexts:

Lemma H.3 (Multi step; see Lemma X.1, p. 13).
Let E and R be respectively an external and a rigid proper multi context with k holes, and let {a_1, …, a_n} ⊆ {xm, xe}. If t →_{a_1} ⋯ →_{a_n} u then
1) R⟨t⟩ (→_{a_1} ⋯ →_{a_n})^k R⟨u⟩, where the i-th sequence of steps has the shape R_i⟨t⟩ →_{a_1} ⋯ →_{a_n} R_i⟨u⟩ for a rigid context R_i, for every i ∈ {1, …, k};
2) E⟨t⟩ (→_{a_1} ⋯ →_{a_n})^k E⟨u⟩, where the i-th sequence of steps has the shape E_i⟨t⟩ →_{a_1} ⋯ →_{a_n} E_i⟨u⟩ for an external context E_i, for every i ∈ {1, …, k}.
Proof. Let us lighten the notation by writing →_{a_1⋯a_n} in place of (→_{a_1} ⋯ →_{a_n}). By mutual induction on E and R:
1) Cases of R:
 • R = y: trivial.
 • R = R′E: we have R⟨t⟩ = R′⟨t⟩E⟨t⟩ where R′ has k_1 holes, E has k_2 holes, and k_1 + k_2 = k. We deal with the case where k_1 ≠ 0 ≠ k_2. If k_1 = 0 then by Lemma H.2 R′ = R′⟨t⟩ is a rigid term and we consider only E⟨t⟩, and dually if k_2 = 0.
  By i.h., E⟨t⟩ →^{k_2}_{a_1⋯a_n} E⟨u⟩ where for the i-th sequence of steps there is an external context E′_i such that the step has the shape E′_i⟨t⟩ →_{a_1⋯a_n} E′_i⟨u⟩ for i ∈ {1, …, k_2}. Then R′⟨t⟩E′_i is a rigid context because by Lemma H.2.2 R′⟨t⟩ is a rigid term. Then R′⟨t⟩E⟨t⟩ →^{k_2}_{a_1⋯a_n} R′⟨t⟩E⟨u⟩. By i.h.
, R′⟨t⟩ →^{k_1}_{a_1⋯a_n} R′⟨u⟩ where for the j-th sequence of steps there is a rigid context R′_j such that the step has the shape R′_j⟨t⟩ →_{a_1⋯a_n} R′_j⟨u⟩ for j ∈ {1, …, k_1}. Then R′_jE⟨u⟩ is a rigid context for every j, given that by Lemma H.2.1 E⟨u⟩ is a term. Therefore, we obtain: R′⟨t⟩E⟨u⟩ →^{k_1}_{a_1⋯a_n} R′⟨u⟩E⟨u⟩.
  Summing up, R′⟨t⟩E⟨t⟩ →^{k_1+k_2}_{a_1⋯a_n} R′⟨u⟩E⟨u⟩. The k_1 + k_2 rigid contexts of the statement are given by R′⟨t⟩E′_i with i ∈ {1, …, k_2} followed by R′_jE⟨u⟩ with j ∈ {1, …, k_1}.
 • R = R′[y←R″]: we have R⟨t⟩ = R′⟨t⟩[y←R″⟨t⟩] where R′ has k_1 holes, R″ has k_2 holes, and k_1 + k_2 = k. We deal with the case where k_1 ≠ 0 ≠ k_2. If k_1 = 0 then by Lemma H.2 R′ = R′⟨t⟩ is a rigid term and we consider only R″⟨t⟩, and dually if k_2 = 0.
  By i.h., R′⟨t⟩ →^{k_1}_{a_1⋯a_n} R′⟨u⟩ where for the i-th sequence of steps there is a rigid context R′_i such that the step has the shape R′_i⟨t⟩ →_{a_1⋯a_n} R′_i⟨u⟩ for i ∈ {1, …, k_1}.
  Then R′_i[y←R″⟨t⟩] is a rigid context for every i because by Lemma H.2.2 R″⟨t⟩ is a rigid term, and so R′⟨t⟩[y←R″⟨t⟩] →^{k_1}_{a_1⋯a_n} R′⟨u⟩[y←R″⟨t⟩]. By i.h., R″⟨t⟩ →^{k_2}_{a_1⋯a_n} R″⟨u⟩ where for the j-th sequence of steps there is a rigid context R″_j such that the step has the shape R″_j⟨t⟩ →_{a_1⋯a_n} R″_j⟨u⟩ for j ∈ {1, …, k_2}. Then R′⟨u⟩[y←R″_j] is a rigid context for every j, given that by Lemma H.2.2 R′⟨u⟩ is a rigid term. Therefore, we obtain: R′⟨u⟩[y←R″⟨t⟩] →^{k_2}_{a_1⋯a_n} R′⟨u⟩[y←R″⟨u⟩].
  Summing up, R′⟨t⟩[y←R″⟨t⟩] →^{k_1+k_2}_{a_1⋯a_n} R′⟨u⟩[y←R″⟨u⟩]. The k_1 + k_2 rigid contexts of the statement are given by R′_i[y←R″⟨t⟩] with i ∈ {1, …, k_1} followed by R′⟨u⟩[y←R″_j] with j ∈ {1, …, k_2}.
2) Cases of E:
 • E = ⟨·⟩: trivial.
 • E = p: trivial.
 • E = λy.E′: it follows by the i.h.
 • E = R: by i.h. on rigid contexts.
 • E = E′[y←R]: we have E⟨t⟩ = E′⟨t⟩[y←R⟨t⟩] where E′ has k_1 holes, R has k_2 holes, and k_1 + k_2 = k. We deal with the case where k_1 ≠ 0 ≠ k_2.
  If k_1 = 0 then by Lemma H.2 E′ = E′⟨t⟩ is a term and we consider only R⟨t⟩, and dually if k_2 = 0. By i.h., E′⟨t⟩ →^{k_1}_{a_1⋯a_n} E′⟨u⟩ where for the i-th sequence of steps there is an external context E′_i such that the step has the shape E′_i⟨t⟩ →_{a_1⋯a_n} E′_i⟨u⟩ for i ∈ {1, …, k_1}. Then E′_i[y←R⟨t⟩] is an external context for every i because by Lemma H.2.2 R⟨t⟩ is a rigid term, and so E′⟨t⟩[y←R⟨t⟩] →^{k_1}_{a_1⋯a_n} E′⟨u⟩[y←R⟨t⟩]. By i.h., R⟨t⟩ →^{k_2}_{a_1⋯a_n} R⟨u⟩ where for the j-th sequence of steps there is a rigid context R_j such that the step has the shape R_j⟨t⟩ →_{a_1⋯a_n} R_j⟨u⟩ for j ∈ {1, …, k_2}. Then E′⟨u⟩[y←R_j] is an external context for every j, given that by Lemma H.2.1 E′⟨u⟩ is a term. Therefore, we obtain: E′⟨u⟩[y←R⟨t⟩] →^{k_2}_{a_1⋯a_n} E′⟨u⟩[y←R⟨u⟩].
  Summing up, E′⟨t⟩[y←R⟨t⟩] →^{k_1+k_2}_{a_1⋯a_n} E′⟨u⟩[y←R⟨u⟩]. The k_1 + k_2 external contexts of the statement are given by E′_i[y←R⟨t⟩] with i ∈ {1, …, k_1} followed by E′⟨u⟩[y←R_j] with j ∈ {1, …, k_2}.

C. Modular read-back

We prove Lemma X.2 as Lemma H.4.3. The proof requires two auxiliary and uninteresting subparts,
Lemma X. . and Lemma X. . .

Lemma H.4 (Modular read back; see Lemma X.2, p. 14).
For all environments e, e′ and machine contexts K:
1) (⟨·⟩e′)^→ = L_{e′}
2) (e[x←λy.K]e′)^→ = L_{e′}⟨e^→{x←λy.K^→}σ_{e′}⟩
3) K⟨e⟩^→ = K^→⟨e^→σ_{e_K}⟩
Proof.
1) By induction on e′. Base case: if e′ = ε then (⟨·⟩e′)^→ = ⟨·⟩ = L_ε. Inductive case: let e′ = e″[x←b]. If b = v or x ∈ V_cr then (⟨·⟩e″[x←b])^→ = (⟨·⟩e″)^→{x←b^→} =_{i.h.} L_{e″}{x←b^→} = L_{e″[x←b]}. Otherwise (⟨·⟩e″[x←b])^→ = (⟨·⟩e″)^→[x←b] =_{i.h.} L_{e″}[x←b] = L_{e″[x←b]}.
2) By induction on e′, as in the previous point.
3) By induction on K. Cases:
 • Base: K = ⟨·⟩e′. Note that e′ = e_K. Then K⟨e⟩^→ = (ee′)^→ =_{L. VII.} L_{e′}⟨e^→σ_{e′}⟩ =_{P.} K^→⟨e^→σ_{e′}⟩ = K^→⟨e^→σ_{e_K}⟩.
 • Inductive: K = e″[x←λy.K′]e′. Then K⟨e⟩^→ = (e″[x←λy.K′⟨e⟩]e′)^→ =_{P.} L_{e′}⟨(e″[x←λy.K′⟨e⟩])^→σ_{e′}⟩ = L_{e′}⟨e″^→{x←λy.K′⟨e⟩^→}σ_{e′}⟩ =_{i.h.}
L_{e′}⟨e″^→{x←λy.K′^→⟨e^→σ_{e_{K′}}⟩}σ_{e′}⟩ = L_{e′}⟨e″^→σ_{e′}{x←λy.K′^→σ_{e′}⟨e^→σ_{e_{K′}}σ_{e′}⟩}⟩ = (L_{e′}⟨e″^→σ_{e′}{x←λy.K′^→σ_{e′}}⟩)⟨e^→σ_{e_{K′}}σ_{e′}⟩ = (L_{e′}⟨e″^→{x←λy.K′^→}σ_{e′}⟩)⟨e^→σ_{e_{K′}}σ_{e′}⟩ =_{P.} K^→⟨e^→σ_{e_{K′}}σ_{e′}⟩ = K^→⟨e^→σ_{e_K}⟩

D. Properties of frames
Here we collect a number of technical lemmas on frames and on the frame of a context. They are used in the proof of the propagation of the invariants, since a few invariants are formulated on frames.
Lemma H.5.
1) F_{K⟨e[x←λy.⟨·⟩]⟩} = F_K⟨e[x←λy.⟨·⟩]⟩.
2) F_{K⟨⟨·⟩[x←b]⟩} = F_K.
Proof. We have to prove:
1) F_{K⟨e[x←λy.⟨·⟩]⟩} = F_K⟨e[x←λy.⟨·⟩]⟩. We proceed by structural induction on K.
 • Case ⟨·⟩e′: F_{e[x←λy.⟨·⟩]e′} = e[x←λy.⟨·⟩] = F_{⟨·⟩e′}⟨e[x←λy.⟨·⟩]⟩.
 • Case e′[z←λw.K′]e″: F_{e′[z←λw.K′⟨e[x←λy.⟨·⟩]⟩]e″} = e′[z←λw.F_{K′⟨e[x←λy.⟨·⟩]⟩}] =_{i.h.} e′[z←λw.F_{K′}⟨e[x←λy.⟨·⟩]⟩] = e′[z←λw.F_{K′}]⟨e[x←λy.⟨·⟩]⟩ = F_{e′[z←λw.K′]e″}⟨e[x←λy.⟨·⟩]⟩.
2) F_{K⟨⟨·⟩[x←b]⟩} = F_K. We proceed by structural induction on K.
 • Case ⟨·⟩e′: F_{⟨·⟩[x←b]e′} = ⟨·⟩ = F_{⟨·⟩e′}.
 • Case e′[z←λw.K′]e″: F_{e′[z←λw.K′⟨⟨·⟩[x←b]⟩]e″} = e′[z←λw.F_{K′⟨⟨·⟩[x←b]⟩}] =_{i.h.} e′[z←λw.F_{K′}] = F_{e′[z←λw.K′]e″}.

Lemma H.6.
1) F⟨e⟩^→ = F^→⟨e^→⟩
2) F⟨F′⟩^→ = F^→⟨F′^→⟩
Proof. We show the first point; the proof of the second point is obtained by simply replacing e with a frame. By induction on F. Cases:
 • Base: F = ⟨·⟩. Then F⟨e⟩^→ = e^→ = ⟨·⟩^→⟨e^→⟩.
 • Inductive: F = e′[x←λy.F′]. Then F⟨e⟩^→ = (e′[x←λy.F′⟨e⟩])^→ = e′^→{x←λy.F′⟨e⟩^→} =_{i.h.} e′^→{x←λy.F′^→⟨e^→⟩} = (e′^→{x←λy.F′^→})⟨e^→⟩ = F^→⟨e^→⟩.

E. Invariants
The aim of this section is to define enough invariants on the reachable machine states to be able to prove relaxed β-projection (Theorem X.4.1, proved in Thm. H.36): for each reachable state s we need to prove that:
1) If s ⇝_{βv} s′ then s^→ (→_{xm} →_{xe})^+ s′^→.
2) If s ⇝_{βi} s′ then s^→ →^+_{xm} ≡ s′^→.
Let s = e[x←yz] ▷ K. The proof requires a few intermediate results, the most important of which are:
1) Open unfolding: (e[x←⟨·⟩])^→ must be an open context, so that (e[x←yz])^→ is a top-level redex in an open context.
To guarantee Open unfolding we ask every body in e_K to be pristine for each reachable state s, and moreover e to be pristine if s = e ▷ K and e ≠ ε. We call this the Pristine invariant. The same invariant is also required to prove the open machine correct, where e_K collapses to the environment on the right of ▷.
2) Proper unfolding: K^→ must be proper, otherwise the redex would disappear during the read-back.
To guarantee Proper unfolding we introduce a notion of garbage-free state and we prove every reachable state to be garbage-free. We call this the Garbage invariant. In order to show Garbage to be invariant, we shall also introduce an additional, technical invariant that we call Well-crumbling, which basically says that some properties of pristine environments are propagated also to the evaluated, no longer pristine parts of the state. The proof of the Garbage invariant requires the Well-crumbling invariant to hold. The latter in turn requires the Pristine invariant.
3) Strong unfolding: K^→ must be an external multi-context, so that K⟨e[x←yz]⟩^→ is a top-level redex in an open context in a strong context, i.e. a redex according to the strong strategy.
To guarantee Strong unfolding we introduce the notion of good state and we prove each reachable state to be good. We call this the Goodness invariant. In order to show Goodness to be an invariant, we shall also introduce the last invariant, called Well-named, that asks every reachable state to be well-named.
The four invariants introduced so far, namely Well-Named, Pristine, Well-Crumbled, Garbage, and Good, are sufficient to also prove the other requirements of a relaxed implementation system. We now define and show the invariance of each of these statements in the following subsections, H-E1–H-E5.
1) Well-named invariant:
The Well-named invariant, required to prove the Goodness invariant, is customary in the abstract machine literature, since it guarantees the possibility to drop variable names and use the addresses of variables in memory instead. As a consequence, the α-renaming operation ·^α is implemented just by physically copying the term.

Definition H.7 (Well-named states). We say that a state e ◁▷ K is well-named if K⟨e⟩ is well-named.

Theorem H.8 (Well-named invariant). Let s = e ◁▷ K be a state reachable from an initial state s₀. Then s is well-named.
Proof. By induction on the length of the execution ρ: s₀ →*_M s. If ρ is empty then s = s₀ and, by definition of initial state, s = e ▷ ⟨·⟩ for some well-named and pristine environment e: then s is well-named because ⟨·⟩⟨e⟩ = e is well-named by hypothesis.
If ρ is non-empty we look at the last transition s′ →_M s, knowing by i.h. that the well-named invariant holds for s′:
• e[x←yz] ▷ K ⇝_{βv} e([x←b]e′{w←z}) ▷ K with (e_K(y))^α = λw.([⋆←b]e′) and e_K(z) = v for some v. We need to prove that K⟨e([x←b]e′{w←z})⟩ is well-named, under the hypothesis that K⟨e[x←yz]⟩ is well-named.
 – The bound variables of K⟨e([x←b]e′{w←z})⟩ are all distinct: by Lemma G.4, the bound variables in s are the ones bound in s′ plus the bound variables of [x←b]e′{w←z} (excluding x, which was already present in s′). The bound variables of [x←b]e′{w←z}, however, are all globally fresh due to α-renaming (excluding x) and by Lemma E.17.2.
 – The bound variables of K⟨e([x←b]e′{w←z})⟩ are distinct from its free variables: we prove that fv(s) ⊆ fv(s′) and bv(s) ⊆ bv(s′) ∪ W (with W a set of globally fresh new variables disjoint from vars(s′)), and then conclude using the i.h. fv(s′) ⊥ bv(s′).
  ∗ Free variables.
    By Lemma G.4, fv(s′) = fv(e[x←yz]) \ V ∪ fv(K) and fv(s) = fv(e([x←b]e′{w←z})) \ V ∪ fv(K) for some set of variables V. By Lemma E.12, fv([⋆←b]e′) ⊆ fv(v) ∪ {w} and by Lemma E.17.1 fv([⋆←b]e′{w←z}) ⊆ fv(v) ∪ {z}. By Lemma E.10, fv(e([x←b]e′{w←z})) ⊆ fv(e) \ dom([x←b]e′{w←z}) ∪ fv([x←b]e′{w←z}). Because of the α-renaming performed, the variables in dom([x←b]e′{w←z}) \ {x} are globally fresh, and therefore fv(e) \ dom([x←b]e′{w←z}) ∪ fv([x←b]e′{w←z}) = fv(e) \ {x} ∪ fv([x←b]e′{w←z}) ⊆ fv(e) \ {x} ∪ fv(v) ∪ {z}.
  ∗ Bound variables.
    By Lemma E.10 and Lemma G.4, bv(s′) ⊆ bv(e[x←yz]) ∪ bv(K) = bv(e) ∪ bv([x←yz]) ∪ bv(K) and bv(s) = bv(e([x←b]e′{w←z})) ∪ bv(K) = bv(e) ∪ bv([x←b]e′{w←z}) ∪ bv(K). Because of the α-renaming performed and Lemma E.17.2, bv([x←b]e′{w←z}) = {x} ∪ W where W is a set of new, globally fresh variables.
• e[x←yz] ▷ K ⇝_{βi} e[x←b]e′ ▷ K⟨⟨·⟩[w←z]⟩ with (e_K(y))^α = λw.([⋆←b]e′) and e_K(z) = i for some inert term i. We need to prove that K⟨e([x←b]e′[w←z])⟩ is well-named, under the hypothesis that K⟨e[x←yz]⟩ is well-named.
 – The bound variables of K⟨e([x←b]e′[w←z])⟩ are all distinct: by Lemma G.4, the bound variables in s are the ones bound in s′ plus the bound variables of [x←b]e′[w←z] (excluding x, which was already present in s′). The bound variables of [x←b]e′[w←z], however, are all globally fresh due to α-renaming (excluding x).
 – The bound variables of K⟨e([x←b]e′[w←z])⟩ are distinct from its free variables: we prove that fv(s) ⊆ fv(s′) and bv(s) ⊆ bv(s′) ∪ W (with W a set of globally fresh new variables disjoint from vars(s′)), and then conclude using the i.h. fv(s′) ⊥ bv(s′).
  ∗ Free variables.
    By Lemma G.4, fv(s′) = fv(e[x←yz]) \ V ∪ fv(K) and fv(s) = fv(e([x←b]e′[w←z])) \ V ∪ fv(K) for some set of variables V. By Lemma E.12, fv([⋆←b]e′) ⊆ fv(v) ∪ {w} and by definition fv([⋆←b]e′[w←z]) ⊆ fv(v) ∪ {z}. By Lemma E.10, fv(e[x←b]e′[w←z]) ⊆ fv(e) \ dom([x←b]e′[w←z]) ∪ fv([x←b]e′[w←z]). Because of the α-renaming performed, the variables in dom([x←b]e′[w←z]) \ {x} are globally fresh, and therefore fv(e) \ dom([x←b]e′[w←z]) ∪ fv([x←b]e′[w←z]) = fv(e) \ {x} ∪ fv([x←b]e′[w←z]) ⊆ fv(e) \ {x} ∪ fv(v) ∪ {z}.
  ∗ Bound variables.
    By Lemma E.10 and Lemma G.4, bv(s′) ⊆ bv(e[x←yz]) ∪ bv(K) = bv(e) ∪ bv([x←yz]) ∪ bv(K) and bv(s) = bv(e([x←b]e′[w←z])) ∪ bv(K) = bv(e) ∪ bv([x←b]e′[w←z]) ∪ bv(K). Because of the α-renaming performed and Lemma E.17.2, bv([x←b]e′[w←z]) = {x} ∪ W where W is a set of new, globally fresh variables.
• e[x←y] ▷ K ⇝_{ren} e{x←y} ▷ K with x ≠ ⋆. We need to prove that K⟨e{x←y}⟩ is well-named, under the hypothesis that K⟨e[x←y]⟩ is well-named.
 – The bound variables of K⟨e{x←y}⟩ are all distinct: by Lemma G.4, the bound variables in s are the ones bound in K plus the ones in e{x←y}. Note that y ∉ vars(e) by well-namedness of s′, and hence by Lemma E.17.2 the bound variables of e{x←y} are the same as those of e. Therefore we can conclude by using the hypothesis that s′ is well-named.
 – The bound variables of K⟨e{x←y}⟩ are distinct from its free variables: we prove that fv(s) ⊆ fv(s′) and bv(s) ⊆ bv(s′), and then conclude using the i.h. fv(s′) ⊥ bv(s′).
  ∗ Free variables.
    By Lemma G.4 and Lemma E.17.1, fv(K⟨e{x←y}⟩) = fv(e{x←y}) \ V ∪ fv(K) ⊆ fv(e) \ {x} ∪ {y} \ V ∪ fv(K) and fv(K⟨e[x←y]⟩) = fv(e[x←y]) \ V ∪ fv(K) = fv(e) \ {x} ∪ {y} \ V ∪ fv(K) for some V ⊆ bv(K), and we conclude.
  ∗ Bound variables.
    By Lemma G.4 and Lemma E.17.2, bv(K⟨e{x←y}⟩) = bv(e{x←y}) ∪ bv(K) ⊆ bv(e) ∪ bv(K) and bv(K⟨e[x←y]⟩) = bv(e[x←y]) ∪ bv(K) = bv(e) ∪ {x} ∪ bv(K), and we conclude.
• e[x←b] ▷ K ⇝_{sea} e ▷ K⟨⟨·⟩[x←b]⟩ when b is an abstraction, or when b is y or yz but y is not defined in e_K or e_K(y) is not a value. e ▷ K⟨⟨·⟩[x←b]⟩ is obviously well-named because plugging the crumbled environment in the machine context has the same result in s′ and s.
• ε ▷ K ⇝_{sea} ε ◁ K. ε ◁ K is obviously well-named because plugging the crumbled environment in the machine context has the same result in s′ and s.
• e ◁ K⟨⟨·⟩[x←b]⟩ ⇝_{sea} e[x←b] ◁ K where b is a variable or an application. e[x←b] ◁ K is obviously well-named because plugging the crumbled environment in the machine context has the same result in s′ and s.
• e ◁ K⟨⟨·⟩[x←v]⟩ ⇝_{gc} e ◁ K with x ∉ fv(e). We need to prove that K⟨e⟩ is well-named, under the hypothesis that K⟨e[x←v]⟩ is well-named.
 – The bound variables of s are all distinct: clearly s contains fewer occurrences of bound variables than s′. In fact, by Lemma E.10 and Lemma G.4, the bound variables in s′ are the ones bound in s plus x and the bound variables in v. Therefore all the bound variables in s are distinct because all bound variables of s′ are distinct by well-namedness.
 – The bound variables of K⟨e⟩ are distinct from its free variables: first of all, by Lemma G.4, fv(s′) = fv(e[x←v]) \ V ∪ fv(K) and fv(s) = fv(e) \ V ∪ fv(K) for some set of variables V. Moreover, from the discussion on the point above, bv(s) ⊆ bv(s′). Now, note that fv(e[x←v]) = fv(e) \ {x} ∪ fv(v) = fv(e) ∪ fv(v) ⊇ fv(e) because x ∉ fv(e). Therefore also fv(s) ⊆ fv(s′), and we conclude by the well-named hypothesis fv(s′) ⊥ bv(s′).
• e ◁ K⟨e′[x←λy.⟨·⟩]⟩ ⇝_{sea} e′[x←λy.e] ◁ K. e′[x←λy.e] ◁ K is obviously well-named because plugging the crumbled environment in the machine context has the same result in s′ and s.
• e ◁ K⟨⟨·⟩[x←λy.e′]⟩ ⇝_{sea} e′ ▷ K⟨e[x←λy.⟨·⟩]⟩ with x ∈ fv(e). e′ ▷ K⟨e[x←λy.⟨·⟩]⟩ is obviously well-named because plugging the crumbled environment in the machine context has the same result in s′ and s.
2) Pristine invariant:
Previously, we defined pristine environments so as to characterize the good properties that are enforced by the translation from λ-terms. We extend the notion of pristine environments to machine states as follows, by considering all the unevaluated environments contained therein:

Definition H.9 (Pristine state). A state e ◁▷ K is pristine if every body in e_K is pristine, and moreover, if ◁▷ = ▷ and e ≠ ε, then e is pristine.

The fundamental property of a pristine state was basically already stated in Lemma VIII.3 (proved in Lemma F.3). We now lift that result to machine states.
Theorem H.10 (Pristine invariant). Let s = e ◁▷ K be a state reachable from an initial state s₀. Then s is pristine.
Proof. By induction on the execution ρ: s₀ →*_M s. If ρ is empty then s = s₀ and, by definition of initial state, s = e ▷ ⟨·⟩ for some well-named environment e.
• Every body in e_{⟨·⟩} is pristine: obvious since there are none.
• e is pristine: by the definition of initial state and Lemma F.9.
If ρ is non-empty we look at the last transition s′ →_M s, knowing by i.h. that the pristine invariant holds for s′:
• e[x←yz] ▷ K ⇝_{βv} e([x←b]e′{w←z}) ▷ K with (e_K(y))^α = λw.([⋆←b]e′) and e_K(z) = v for some v.
 – Every body in e_K is pristine: obvious because the property holds by i.h.
 – e([x←b]e′{w←z}) is pristine: by i.h. e[x←yz] is pristine. Note that e_K(y) is a value, and therefore by the previous point the body e″ of e_K(y) is pristine. Therefore, [⋆←b]e′, which is an α-renaming of e″, is pristine by Lemma F.8.3. By Lemma F.8.4 also [⋆←b]e′{w←z} is pristine (note that z ∉ bv(e′) because [⋆←b]e′ is an α-renaming of e″ where all bound variables are globally fresh).
In order to apply Lemma F.8.2 to conclude that e ([ x (cid:0) b ] e (cid:48) { w (cid:0) z } ) is pristine, weneed to show that vars ( e ) ⊥ bv ( e (cid:48) { w (cid:0) z } ) (which follows from the fact that [ (cid:63) (cid:0) b ] e (cid:48) is an α -renaming of e (cid:48)(cid:48) whereall bound variables are globally fresh and Lemma E.17.2) and bv ( e ) ⊥ fv ([ (cid:63) (cid:0) b ] e (cid:48) { w (cid:0) z } ) ( fv ([ (cid:63) (cid:0) b ] e (cid:48) { w (cid:0) z } ) ⊆ fv ([ (cid:63) (cid:0) b ] e (cid:48) ) \ { w } ∪ { z } by Lemma E.17.1, fv ([ (cid:63) (cid:0) b ] e (cid:48) ) = fv ( e (cid:48)(cid:48) ) by Lemma E.12, which are different than the boundvariables in e by well-namedness). • e [ x (cid:0) y z ] (cid:47)K (cid:32) β i e [ x (cid:0) b ] e (cid:48) (cid:47)K (cid:104)(cid:104)·(cid:105) [ w (cid:0) z ] (cid:105) with ( e K ( y )) α = λw. ([ (cid:63) (cid:0) b ] e (cid:48) ) and e K ( z ) = i for some inert term i . – Every body in e K (cid:104)(cid:104)·(cid:105) [ w (cid:0) z ] (cid:105) = L.G. . [ w (cid:0) z ] e K is pristine: obvious because the property holds by i.h. for e K . – e [ x (cid:0) b ] e (cid:48) is pristine : by i.h. , e [ x (cid:0) y z ] is pristine. Note that e K ( y ) is a value, and therefore by the previous point, thebody e (cid:48)(cid:48) of e K ( y ) is pristine. Therefore, [ (cid:63) (cid:0) b ] e (cid:48) , which is an α -renaming of e (cid:48)(cid:48) , is pristine by Lemma F.8.3. In order toapply Lemma F.8.2 to conclude that e [ x (cid:0) b ] e (cid:48) is pristine, we need to show that vars ( e ) ⊥ bv ( e (cid:48) ) (which follows fromthe fact that [ (cid:63) (cid:0) b ] e (cid:48) is an α -renaming of e (cid:48)(cid:48) where all bound variables are globally fresh) and bv ( e ) ⊥ fv ([ (cid:63) (cid:0) b ] e (cid:48) ) ( fv ([ (cid:63) (cid:0) b ] e (cid:48) ) = fv ( e (cid:48)(cid:48) ) by Lemma E.12, which are different than the bound variables in e by well-namedness). 
• e [ x (cid:0) y ] (cid:47)K (cid:32) ren e { x (cid:0) y } (cid:47)K with x (cid:54) = (cid:63) . – Every body in e K is pristine: obvious because the property holds by i.h. . – e { x (cid:0) y } is pristine: by i.h. , e [ x (cid:0) y ] is pristine and so e is pristine. Since s is well-named also e [ x (cid:0) y ] is well-named,and thus y (cid:54)∈ bv ( e ) . Finally, e { x (cid:0) y } is pristine by Lemma F.8.4. e [ x (cid:0) b ] (cid:47)K (cid:32) sea e(cid:47)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) when b is an abstraction or when b is y or yz but y is not defined in e K or e K ( y ) isnot a value. – Every body in e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) = L.G. . [ x (cid:0) b ] e K is pristine: by i.h. , e [ x (cid:0) b ] (cid:47)K is good and therefore e [ x (cid:0) b ] is pristineand thus b is a pristine bite. By induction on the structure of b one can show that every body in b is pristine. By i.h. ,the property holds for every body of e K as well, concluding this case. – e is pristine (if it is not empty): it follows by the fact that e [ x (cid:0) b ] is pristine. • (cid:15)(cid:47)K (cid:32) sea (cid:15)(cid:46)K . – Every body in e K is pristine: obvious because the property holds by i.h. . – Obvious because e is pristine. • e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) (cid:32) sea e [ x (cid:0) b ] (cid:46)K where b is a variable or an application. – Every body in e K is pristine: obvious because the property holds by i.h. for every body in e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) = L.G. . [ x (cid:0) b ] e K . – Nothing to prove because we are in the (cid:46) phase. • e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) v ] (cid:105) (cid:32) gc e(cid:46)K with x / ∈ fv ( e ) . – Every body in e K is pristine: obvious because the property holds by i.h. for every body in e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) v ] (cid:105) = L.G. . [ x (cid:0) v ] e K . 
– Nothing to prove because we are in the (cid:46) phase. • e(cid:46)K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) (cid:32) sea e (cid:48) [ x (cid:0) λy.e ] (cid:46)K . – Every body in e K is pristine: obvious because the property holds by i.h. for every body in e K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . e K . – Nothing to prove because we are in the (cid:46) phase. • e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) (cid:32) sea e (cid:48) (cid:47)K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) with x ∈ fv ( e ) . – Every body in e K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . e K is pristine: obvious because the property holds by i.h. for every body in e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) = L.G. . [ x (cid:0) λy.e (cid:48) ] e K . – e (cid:48) is pristine: e (cid:48) is a body of e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) = L.G. . [ x (cid:0) λy.e (cid:48) ] e K , and is therefore pristine by the previous point.
3) Well-crumbled invariant:
The Well-crumbling invariant is a technical invariant required to prove the Garbage invariant.
Definition H.11 (Well-crumbling). An environment $e$ is well-crumbled iff
1) for every decomposition $e = e_1[x{\leftarrow}b]e_2$ such that $x \in \mathcal{V}_{cr}$ and $b$ is not an abstraction, $x \in fv(e_1^{\rightarrow})$;
2) the property holds recursively for the body of every abstraction that occurs in $e$.
A state $e \triangleleft\triangleright K$ is well-crumbled if $K\langle e\rangle$ is.

Lemma H.12.
1) If $e$ is well-crumbled then $e^\alpha$ also is.
2) If $ee'$ is well-crumbled and $x \notin dom(e')$ then $e\{x{\leftarrow}y\}e'$ is well-crumbled.

Proof. We need to prove that:
1) If $e$ is well-crumbled then $e^\alpha$ also is. Variables in $\mathcal{V}_{cr}$ can only be renamed into variables in $\mathcal{V}_{cr}$, renaming turns non-abstractions into non-abstractions and, by Lemma E.12 and Lemma E.18.1, it does not change the set of free variables in the unfolding of an environment.
2) If $ee'$ is well-crumbled and $x \notin dom(e')$ then $e\{x{\leftarrow}y\}e'$ is well-crumbled. The substitution $\{x{\leftarrow}y\}$ cannot turn a non-abstraction into an abstraction and, by Lemma E.18.2, $fv(e\{x{\leftarrow}y\}^{\rightarrow}) = fv(e^{\rightarrow}\{x{\leftarrow}y\}) \supseteq fv(e^{\rightarrow}) \setminus \{x\}$. Since $x \notin dom(e')$, the property follows.

Lemma H.13. Every pristine environment is well-crumbled.

Proof. For every decomposition $e_1[x{\leftarrow}b]e_2$ of a pristine environment it holds that $e_1^{\rightarrow} = O\langle x\rangle$ for some open context $O$. Thus $x \in fv(e_1^{\rightarrow})$, as required to be well-crumbled. The fact that the same holds recursively for each body of a pristine environment is trivially proved by structural recursion over $e$.

Theorem H.14 (Well-crumbled invariant). Let $s = e \triangleleft\triangleright K$ be a state reachable from an initial state $s_0$. Then $s$ is well-crumbled.

Proof. By induction on the execution $\rho : s_0 \rightarrow^*_M s$. If $\rho$ is empty then $s = s_0$ and, by definition of initial state, $s = e \triangleright \langle\cdot\rangle$ for some well-named and pristine environment $e$: $s$ is well-crumbled by definition if $e$ is well-crumbled, which holds by Lemma H.13.
If $\rho$ is non-empty we look at the last transition $s' \rightarrow_M s$, knowing by i.h. that the well-crumbled invariant holds for $s'$:
• $e[x{\leftarrow}yz] \triangleright K \leadsto_{\beta_v} e([x{\leftarrow}b]e'\{w{\leftarrow}z\}) \triangleright K$ with $(e_K(y))^\alpha = \lambda w.([\star{\leftarrow}b]e')$ and $e_K(z) = v$ for some $v$. By i.h. $e[x{\leftarrow}yz] \triangleright K$ is well-crumbled. Since $e_K(y)$ is an abstraction that occurs in the well-crumbled state $e[x{\leftarrow}yz] \triangleright K$, its body must be well-crumbled and therefore, by Lemma H.12.1, also $[\star{\leftarrow}b]e'$ is well-crumbled and, by Lemma H.12.2, also $[\star{\leftarrow}b]e'\{w{\leftarrow}z\}$ is well-crumbled. The hypothesis over $z$ used for applying Lemma H.12.2 is trivially satisfied because $z$ is a fresh variable that does not occur in $K$ at all. Since $x$ is bound to a non-abstraction, if $x \in \mathcal{V}_{cr}$ then $x \in fv(e^{\rightarrow})$. Therefore $e([x{\leftarrow}b]e'\{w{\leftarrow}z\})$ is well-crumbled. We conclude that $e([x{\leftarrow}b]e'\{w{\leftarrow}z\}) \triangleright K$ is well-crumbled by noting that $y$ and $z$ are bound to abstractions.
• $e[x{\leftarrow}yz] \triangleright K \leadsto_{\beta_i} e[x{\leftarrow}b]e' \triangleright K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle$ with $(e_K(y))^\alpha = \lambda w.([\star{\leftarrow}b]e')$ and $e_K(z) = i$ for some inert term $i$. By i.h. $e[x{\leftarrow}yz] \triangleright K$ is well-crumbled. Since $e_K(y)$ is an abstraction that occurs in the well-crumbled state $e[x{\leftarrow}yz] \triangleright K$, its body must be well-crumbled and therefore, by Lemma H.12.1, also $[\star{\leftarrow}b]e'$ is well-crumbled, and thus $[\star{\leftarrow}b]e'[w{\leftarrow}z]$ is also well-crumbled because $w \in \mathcal{V}_{calc}$. Since $x$ is bound to a non-abstraction, if $x \in \mathcal{V}_{cr}$ then $x \in fv(e^{\rightarrow})$. Therefore $e[x{\leftarrow}b]e'[w{\leftarrow}z]$ is well-crumbled. We conclude that $e[x{\leftarrow}b]e'[w{\leftarrow}z] \triangleright K$ is well-crumbled by noting that $y$ is bound to an abstraction and that $z$ occurs in the unfolding of the environment because $[w{\leftarrow}z]$ does too, since $w \in \mathcal{V}_{calc}$.
• $e[x{\leftarrow}y] \triangleright K \leadsto_{ren} e\{x{\leftarrow}y\} \triangleright K$ with $x \neq \star$. Obvious, because by i.h. $e[x{\leftarrow}y] \triangleright K$ is well-crumbled, and by Lemma H.12.2.
• $e[x{\leftarrow}b] \triangleright K \leadsto_{sea} e \triangleright K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ when $b$ is an abstraction, or when $b$ is $y$ or $yz$ but $y$ is not defined in $e_K$ or $e_K(y)$ is not a value. $e \triangleright K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ is obviously well-crumbled because $e[x{\leftarrow}b] \triangleright K$ is well-crumbled by i.h. and, by definition of well-crumbled context, both the hypothesis and the conclusion require $K\langle e[x{\leftarrow}b]\rangle$ to be well-crumbled.
• $\epsilon \triangleright K \leadsto_{sea} \epsilon \triangleleft K$. $\epsilon \triangleleft K$ is obviously well-crumbled because $\epsilon \triangleright K$ is well-crumbled by i.h.
• $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle \leadsto_{sea} e[x{\leftarrow}b] \triangleleft K$ where $b$ is a variable or an application. $e[x{\leftarrow}b] \triangleleft K$ is obviously well-crumbled because $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ is well-crumbled by i.h. and, by definition of well-crumbled context, both the hypothesis and the conclusion require $K\langle e[x{\leftarrow}b]\rangle$ to be well-crumbled.
• $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle \leadsto_{gc} e \triangleleft K$ with $x \notin fv(e)$. $e \triangleleft K$ is obviously well-crumbled because by i.h. $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle$ is well-crumbled.
• $e \triangleleft K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle \leadsto_{sea} e'[x{\leftarrow}\lambda y.e] \triangleleft K$. To prove that $e'[x{\leftarrow}\lambda y.e] \triangleleft K$ is well-crumbled, simply note that $e \triangleleft K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ is well-crumbled by i.h. and, by definition of well-crumbled context, both the hypothesis and the conclusion require $K\langle e'[x{\leftarrow}\lambda y.e]\rangle$ to be well-crumbled.
• $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle \leadsto_{sea} e' \triangleright K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ with $x \in fv(e)$. $e' \triangleright K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ is obviously well-crumbled because $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle$ is well-crumbled by i.h. and, by definition of well-crumbled context, both the hypothesis and the conclusion require $K\langle e[x{\leftarrow}\lambda y.e']\rangle$ to be well-crumbled.
4) Garbage invariant:
The garbage invariant basically guarantees that the read-back $K^{\rightarrow}$ of a machine context $K$ is a proper multi-context. We formulate the invariant directly on the frame of $K$, since being garbage-free is a property enforced in the already evaluated part of a state.

Definition H.15 (Garbage-free).
• Environments: an environment $e$ is garbage-free if $y \in fv(e)$ implies $y \in fv(e^{\rightarrow})$.
• Frames: a frame $F$ is garbage-free if
 – $F = \langle\cdot\rangle$, or
 – $F = e[x{\leftarrow}\lambda y.F']$ and
  ∗ $e$ is garbage-free,
  ∗ $x \in fv(e)$, and
  ∗ $F'$ is garbage-free.
• States: a state $s = e \triangleleft\triangleright K$ is garbage-free if $F_K$ is garbage-free and, when $\triangleleft\triangleright = \triangleleft$, $e$ is garbage-free.

Garbage-free frames are decomposable:

Lemma H.16 (Garbage-free decomposition). $F\langle F'\rangle$ is garbage-free iff $F$ and $F'$ are.

Proof. By structural induction over $F$.
• Case $\langle\cdot\rangle$. By definition.
• Case $e[x{\leftarrow}\lambda y.F'']$. We need to prove that $e[x{\leftarrow}\lambda y.F'']$ is garbage-free iff $e[x{\leftarrow}\lambda y.F''\langle F'\rangle]$ is. The property follows from the i.h. over $F'$ and the definition of garbage-free context.

Theorem H.17 (Garbage-free invariant). Let $s = e \triangleleft\triangleright K$ be a state reachable from an initial state $s_0$. Then $s$ is garbage-free.

Proof. By induction on the execution $\rho : s_0 \rightarrow^*_M s$. If $\rho$ is empty then $s = s_0$ and, by definition of initial state, $s = e \triangleright \langle\cdot\rangle$ for some well-named and pristine environment $e$: then $s$ is garbage-free by definition of garbage-free state.
If $\rho$ is non-empty we look at the last transition $s' \rightarrow_M s$, knowing by i.h. that the garbage-free invariant holds for $s'$:
• $e[x{\leftarrow}yz] \triangleright K \leadsto_{\beta_v} e([x{\leftarrow}b]e'\{w{\leftarrow}z\}) \triangleright K$ with $(e_K(y))^\alpha = \lambda w.([\star{\leftarrow}b]e')$ and $e_K(z) = v$ for some $v$. $e([x{\leftarrow}b]e'\{w{\leftarrow}z\}) \triangleright K$ is garbage-free iff $F_K$ is garbage-free. The property holds because, by i.h., $e[x{\leftarrow}yz] \triangleright K$ is garbage-free.
• $e[x{\leftarrow}yz] \triangleright K \leadsto_{\beta_i} e[x{\leftarrow}b]e' \triangleright K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle$ with $(e_K(y))^\alpha = \lambda w.([\star{\leftarrow}b]e')$ and $e_K(z) = i$ for some inert term $i$. $e[x{\leftarrow}b]e' \triangleright K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle$ is garbage-free iff $F_{K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle} =_{L.H.} F_K$ is garbage-free. The property holds because, by i.h., $e[x{\leftarrow}yz] \triangleright K$ is garbage-free.
• $e[x{\leftarrow}y] \triangleright K \leadsto_{ren} e\{x{\leftarrow}y\} \triangleright K$ with $x \neq \star$. $e\{x{\leftarrow}y\} \triangleright K$ is garbage-free iff $F_K$ is garbage-free. The property holds because, by i.h., $e[x{\leftarrow}y] \triangleright K$ is garbage-free.
• $e[x{\leftarrow}b] \triangleright K \leadsto_{sea} e \triangleright K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ when $b$ is an abstraction, or when $b$ is $y$ or $yz$ but $y$ is not defined in $e_K$ or $e_K(y)$ is not a value. $e \triangleright K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ is garbage-free iff $F_{K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle} =_{L.H.} F_K$ is garbage-free. The property holds because $F_K$ is garbage-free, since, by i.h., $e[x{\leftarrow}b] \triangleright K$ is garbage-free.
• $\epsilon \triangleright K \leadsto_{sea} \epsilon \triangleleft K$. $\epsilon \triangleleft K$ is garbage-free iff $F_K$ is garbage-free, which holds by i.h., and $\epsilon$ is garbage-free, which is obvious by definition of garbage-free environment.
• $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle \leadsto_{sea} e[x{\leftarrow}b] \triangleleft K$ where $b$ is a variable or an application. $e[x{\leftarrow}b] \triangleleft K$ is garbage-free iff $F_K$ and $e[x{\leftarrow}b]$ are garbage-free. By i.h., $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ is garbage-free, i.e. $F_{K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle} =_{L.H.} F_K$ and $e$ are garbage-free. By the well-crumbled invariant, $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle$ is well-crumbled and therefore, because $x$ is bound to a non-abstraction, if $x \in \mathcal{V}_{cr}$ then $x \in fv(e^{\rightarrow})$. Therefore any variable that occurs free in $b$ also occurs free in $e[x{\leftarrow}b]^{\rightarrow}$, which is either $e^{\rightarrow}\{x{\leftarrow}b\}$, if $x \in \mathcal{V}_{cr}$, or $e^{\rightarrow}[x{\leftarrow}b]$.
• $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle \leadsto_{gc} e \triangleleft K$ with $x \notin fv(e)$. $e \triangleleft K$ is garbage-free iff $F_K$ and $e$ are garbage-free. The property holds because, by i.h., $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle$ is garbage-free, i.e. $e$ and $F_{K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle} =_{L.H.} F_K$ are garbage-free.
• $e \triangleleft K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle \leadsto_{sea} e'[x{\leftarrow}\lambda y.e] \triangleleft K$. $e'[x{\leftarrow}\lambda y.e] \triangleleft K$ is garbage-free iff $K$ and $e'[x{\leftarrow}\lambda y.e]$ are garbage-free. By i.h., $e \triangleleft K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ is garbage-free, i.e. $F_{K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle} =_{L.H.} F_K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ and $e$ are garbage-free. By Lemma H.16, $F_K$ and $F_{e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]}$ are garbage-free, and thus $e'$ is garbage-free and $x \in fv(e')$ by definition of garbage-free context. In order to conclude that $e'[x{\leftarrow}\lambda y.e]$ is garbage-free we need to show that every variable that occurs free in $e'[x{\leftarrow}\lambda y.e]$ occurs free in $e'[x{\leftarrow}\lambda y.e]^{\rightarrow} = e'^{\rightarrow}\{x{\leftarrow}\lambda y.e^{\rightarrow}\}$. A variable that occurs free in $e'[x{\leftarrow}\lambda y.e]$ occurs free either in $e'$, and thus in $e'^{\rightarrow}$ because $e'$ is garbage-free, or in $e$, and thus in $e^{\rightarrow}$ because $e$ is garbage-free. Therefore it occurs free in $e'^{\rightarrow}\{x{\leftarrow}\lambda y.e^{\rightarrow}\}$, because $x \in fv(e'^{\rightarrow})$, which holds since $x \in fv(e')$ and $e'$ is garbage-free.
• $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle \leadsto_{sea} e' \triangleright K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ with $x \in fv(e)$. $e' \triangleright K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle$ is garbage-free iff $F_{K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle}$ is garbage-free. By i.h., $e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle$ is garbage-free, i.e. $F_{K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle} =_{L.H.} F_K$ and $e$ are garbage-free. By Lemma H.16, it is sufficient to prove that $e[x{\leftarrow}\lambda y.\langle\cdot\rangle]$ is garbage-free, i.e. that $e$ is garbage-free, which we already proved, and that $x \in fv(e)$, which holds by hypothesis.
5) Good invariant:
The good invariant is definitely the most complex one. The fundamental property, which is part of the requirement for a good state $e \triangleleft\triangleright K$, is that $K^{\rightarrow}$ is a fine context. However, in order to show that this holds as an invariant for all reachable states, the notion of good state must be strengthened by imposing strict, technical requirements on various fragments of the machine state.

One such requirement is called compatibility, and it is imposed on the environment that is being evaluated with respect to the substitution $\sigma_{e_K}$ originated by the enclosing machine context $K$.

Definition H.18 (Compatibility with a fireball substitution). Let $f_s$ be a strong fireball. We say that $f_s$ is compatible with a (fireball) substitution $\sigma$ if, whenever a variable $x$ such that $\sigma(x) = v$ occurs free in $f_s$, it does so as the argument of an application. Compatibility for other syntactic categories, e.g. external multi contexts, is defined similarly.

Another fundamental requirement is called well-framing, and it is imposed on the frame $F_K$. The frame $F_K$ is the part of the context that has already been strongly evaluated. The induced property is that $F_K^{\rightarrow}$ is a normal fine multi-context such that applying the substitution $\sigma_{e_K}$ does not create new redexes in the already computed part. The well-framed requirement w.r.t. a substitution is a strengthening of that property that requires it to hold hereditarily, since this is necessary in order to propagate it in the proof that all reachable states are good.

Definition H.19 (Well-framed). A frame $F$ is well-framed w.r.t. a substitution $\sigma$ if, for every decomposition $F = F'\langle F''\rangle$, $F'^{\rightarrow}$ is a normal fine multi-context compatible with $\sigma$.

The following lemma is a trivial technical property over well-framed frames.

Lemma H.20. If $F\langle F'\rangle$ is well-framed w.r.t. $\sigma$, then $F$ is well-framed w.r.t. $\sigma$.

Proof. Every decomposition $F = F_1\langle F_2\rangle$ induces a decomposition $F\langle F'\rangle = F_1\langle F_2\langle F'\rangle\rangle$. The statement follows by definition of well-framed frame.

We are ready to define formally the good property:

Definition H.21 (Good stuff). An environment $e'$ is open good if
• $\sigma_{e'}$ is a fireball substitution;
• $L_{e'}$ is an inert context;
• $e'$ has immediate values.
A context $K$ is good when
• $e_K$ is open good;
• $F_K$ is well-framed w.r.t. $\sigma_{e_K}$;
• $K^{\rightarrow}$ is a fine context.
A state $e \triangleleft\triangleright K$ is good if
• $K$ is good, and
• if $\triangleleft\triangleright = \triangleleft$ then $e^{\rightarrow}$ is a strong fireball compatible with $\sigma_{e_K}$.

As already mentioned, the proof of the good invariant is quite involved. Before proving that all reachable states are good (Thm. H.32) we need a good number of auxiliary results, which we prove in the following paragraphs. Since SCAM transitions can add or remove ES from the machine state, we are going to show that goodness is stable under the addition and removal of ES, under suitable conditions. In order to do that, we need to prove multiple corresponding properties for multi contexts and compatible substitutions.

a) Basic properties of multi contexts:
In this paragraph we prove a couple of general properties of multi contexts that are required in the next paragraph. The first lemma allows us to see terms as (non-proper) multi contexts.
Lemma H.22.
1) Every rigid term $r$ is a rigid multi context with no holes.
2) Every inert context is a fine multi context.

Proof. By an easy inspection of the grammar of multi contexts, and by definition.

The second lemma shows that the plugging of multi contexts amounts to syntactic substitution, in the case when no variable capture can occur:
Lemma H.23 (Substitution and plugging for multi contexts). Let $E$ and $R$ be a strong and a rigid multi context such that they do not capture variables in $fv(E')$ and have no free occurrences of $x$. Then
1) $R\langle x\rangle\{x{\leftarrow}E'\} = R\langle E'\rangle$.
2) $E\langle x\rangle\{x{\leftarrow}E'\} = E\langle E'\rangle$.

Proof. By mutual induction on $R$ and $E$.
1) Rigid. Cases:
• Variable, i.e. $R = y$. Then $R\langle x\rangle\{x{\leftarrow}E'\} = y\{x{\leftarrow}E'\} = y = R\langle E'\rangle$.
• Application, i.e. $R = R'E$. Then $R\langle x\rangle\{x{\leftarrow}E'\} = R'\langle x\rangle\{x{\leftarrow}E'\}\; E\langle x\rangle\{x{\leftarrow}E'\} =_{i.h.} R'\langle E'\rangle\; E\langle E'\rangle = R\langle E'\rangle$.
• Explicit substitution, i.e. $R = R'[y{\leftarrow}R'']$. Then $R\langle x\rangle\{x{\leftarrow}E'\} = (R'\langle x\rangle[y{\leftarrow}R''\langle x\rangle])\{x{\leftarrow}E'\}$. We have that $y \notin fv(E')$ because $R$ does not capture variables in $fv(E')$. Therefore, $(R'\langle x\rangle[y{\leftarrow}R''\langle x\rangle])\{x{\leftarrow}E'\} = R'\langle x\rangle\{x{\leftarrow}E'\}[y{\leftarrow}R''\langle x\rangle\{x{\leftarrow}E'\}]$ without having to rename $y$ in $R'\langle x\rangle[y{\leftarrow}R''\langle x\rangle]$. And then one can continue as expected: $R'\langle x\rangle\{x{\leftarrow}E'\}[y{\leftarrow}R''\langle x\rangle\{x{\leftarrow}E'\}] =_{i.h.} R'\langle E'\rangle[y{\leftarrow}R''\langle E'\rangle] = R\langle E'\rangle$.
2) Strong. Cases:
• Empty, i.e. $E = \langle\cdot\rangle$. Then $E\langle x\rangle\{x{\leftarrow}E'\} = x\{x{\leftarrow}E'\} = E' = E\langle E'\rangle$.
• Term, i.e. $E = t$. Remember that $x \notin fv(E) = fv(t)$. Then $E\langle x\rangle\{x{\leftarrow}E'\} = t\{x{\leftarrow}E'\} = t = E\langle E'\rangle$.
• Abstraction, i.e. $E = \lambda y.E''$. Then $E\langle x\rangle\{x{\leftarrow}E'\} = (\lambda y.E''\langle x\rangle)\{x{\leftarrow}E'\}$. We have that $y \notin fv(E')$ because $E$ does not capture variables in $fv(E')$. Therefore, $(\lambda y.E''\langle x\rangle)\{x{\leftarrow}E'\} = \lambda y.E''\langle x\rangle\{x{\leftarrow}E'\}$ without having to rename $y$ in $\lambda y.E''\langle x\rangle$. And then one can continue as expected: $\lambda y.E''\langle x\rangle\{x{\leftarrow}E'\} =_{i.h.} \lambda y.E''\langle E'\rangle = E\langle E'\rangle$.
• Rigid, i.e. $E = R$. By Point 1.
• Explicit substitution, i.e. $E = E''[y{\leftarrow}R]$. Then $E\langle x\rangle\{x{\leftarrow}E'\} = (E''\langle x\rangle[y{\leftarrow}R\langle x\rangle])\{x{\leftarrow}E'\}$. We have that $y \notin fv(E')$ because $E$ does not capture variables in $fv(E')$. Therefore, $(E''\langle x\rangle[y{\leftarrow}R\langle x\rangle])\{x{\leftarrow}E'\} = E''\langle x\rangle\{x{\leftarrow}E'\}[y{\leftarrow}R\langle x\rangle\{x{\leftarrow}E'\}]$ without having to rename $y$ in $E''\langle x\rangle[y{\leftarrow}R\langle x\rangle]$. And then one can continue as expected: $E''\langle x\rangle\{x{\leftarrow}E'\}[y{\leftarrow}R\langle x\rangle\{x{\leftarrow}E'\}] =_{i.h.} E''\langle E'\rangle[y{\leftarrow}R\langle E'\rangle] = E\langle E'\rangle$.

b) Multi contexts and compatible substitutions: The following lemma shows that compatibility of a multi context $E$ with respect to a substitution $\sigma$ ensures that some nice properties of $E$ are preserved in $E\sigma$.

Lemma H.24 (Multi contexts and compatible substitutions). Let $R$ be a rigid multi context and $E$ a fine multi context, both compatible with a fireball substitution $\sigma$. Then
1) $R\sigma$ is a rigid multi context. Moreover, if $R$ is proper then $R\sigma$ is proper.
2) $E\sigma$ is an external multi context. Moreover, if $E$ is proper then $E\sigma$ is proper.

Proof. By mutual induction on $R$ and $E$.
1) Rigid. Cases:
• Variable, i.e. $R = x$. Since $x$ does not occur as an argument, by compatibility $R\sigma = x\sigma = \sigma(x)$ is an inert term. By Lemma H.22.1 $\sigma(x)$ can be seen as a rigid multi context.
• Application, i.e. $R = R'E$. Note that $R'$ is compatible with $\sigma$, and that $E$ is compatible only if $E \neq x$. By i.h., $R'\sigma$ is a rigid multi context. If $E = x$ then $E\sigma = x\sigma = \sigma(x)$, which is an inert term and thus a rigid multi context by Lemma H.22.1. If $E \neq x$ then by i.h. $E\sigma$ is an external multi context. Then $R\sigma = R'\sigma\; E\sigma$ is a rigid multi context. If $R$ is proper then one among $R'$ and $E$ is proper, and properness of $R\sigma$ follows from the i.h.
• Explicit substitution, i.e. $R = R'[x{\leftarrow}R'']$. Both $R'$ and $R''$ are compatible with $\sigma$. By i.h., both $R'\sigma$ and $R''\sigma$ are rigid multi contexts. Then $R\sigma = R'\sigma[x{\leftarrow}R''\sigma]$ is a rigid multi context. If $R$ is proper then one among $R'$ and $R''$ is proper, and properness of $R\sigma$ follows from the i.h.
2) Strong. Cases:
• Empty, i.e. $E = \langle\cdot\rangle$. Trivial, because $\langle\cdot\rangle\sigma = \langle\cdot\rangle$.
• Term, i.e. $E = t$. Trivial, because every term, and in particular $t\sigma$, is an external multi context.
• Abstraction, i.e. $E = \lambda y.E'$. By i.h., $E'\sigma$ is an external multi context, and so is $E\sigma = \lambda y.E'\sigma$. The moreover part follows from the moreover part of the i.h.
• Rigid, i.e. $E = R$. It follows from Point 1.
• Explicit substitution, i.e. $E = E'[x{\leftarrow}R]$. Both $E'$ and $R$ are compatible with $\sigma$. By i.h., both $E'\sigma$ and $R\sigma$ are external multi contexts. Then $E\sigma = E'\sigma[x{\leftarrow}R\sigma]$ is an external multi context. If $E$ is proper then one among $E'$ and $R$ is proper, and properness of $E\sigma$ follows from the i.h.

The following two lemmas show that compatibility is preserved both by plugging and by composition of rigid and external multi contexts:

Lemma H.25 (Plugging preserves compatibility). Let $E$ and $R$ be a strong and a rigid multi context and $f_s$ a strong fireball such that they are all compatible with $\sigma$. Then
1) $R\langle f_s\rangle$ is compatible with $\sigma$.
2) $E\langle f_s\rangle$ is compatible with $\sigma$.

Proof. By mutual induction on $R$ and $E$.
1) Rigid. Cases:
• Variable, i.e. $R = x$. Then $R\langle f_s\rangle = x = R$ is compatible with $\sigma$.
• Application, i.e. $R = R'E''$. It follows immediately from the i.h. on $R'$ and $E''$, except when $E'' = x$ and $\sigma(x) = v$. In such a case, however, the i.h. gives compatibility of $R'$, which is enough to obtain compatibility of $R$.
• Explicit substitution, i.e. $R = R'[x{\leftarrow}R'']$. It follows immediately from the i.h.
2) Strong. Cases:
• Empty, i.e. $E = \langle\cdot\rangle$. Trivial, because $E\langle f_s\rangle = f_s$ is compatible with $\sigma$ by hypothesis.
• Term, i.e. $E = t$. Then $E\langle f_s\rangle = t$, which is compatible by hypothesis.
• Abstraction, i.e. $E = \lambda x.f_s$. It follows immediately from the i.h.
• Rigid, i.e. $E = R$. By Point 1.
• Explicit substitution, i.e. $E = f_s[x{\leftarrow}R]$. It follows immediately from the i.h.

Lemma H.26 (Composition of multi contexts). Let $E$ and $R$ be a strong and a rigid multi context, and $E'$ be a further external multi context. Then
1) $R\langle E'\rangle$ is a rigid multi context.
2) $E\langle E'\rangle$ is an external multi context.
Moreover, let $C \in \{E, R\}$; then
1) if both $C$ and $E'$ are proper (and thus fine), so is $C\langle E'\rangle$;
2) if both $C$ and $E'$ are compatible with $\sigma$, so is $C\langle E'\rangle$;
3) if both $C$ and $E'$ are normal, so is $C\langle E'\rangle$.

Proof. By mutual induction on $R$ and $E$.
1) Rigid. Cases:
• Variable, i.e. $R = x$. Then $R\langle E'\rangle = x$, which is a rigid multi context.
• Application, i.e. $R = R'E''$. It follows immediately from the i.h. on $R'$ and $E''$, except for compatibility with $\sigma$ when $E'' = x$ and $\sigma(x) = v$. In such a case, however, the i.h. gives compatibility of $R'$, which is enough to obtain compatibility of $R$.
• Explicit substitution, i.e. $R = R'[x{\leftarrow}R'']$. It follows immediately from the i.h.
2) Strong. Cases:
• Empty, i.e. $E = \langle\cdot\rangle$. Trivial.
• Term, i.e. $E = t$. Then $E\langle E'\rangle = t$, which is an external multi context.
• Abstraction, i.e. $E = \lambda x.E'$. It follows immediately from the i.h.
• Rigid, i.e. $E = R$. By Point 1.
• Explicit substitution, i.e. $E = E'[x{\leftarrow}R]$. It follows immediately from the i.h.

The following auxiliary, technical lemma allows us to extract from a term all the occurrences of a free variable, decomposing the term into a multi context that plugs that variable:
Lemma H.27 (Context extraction from fireballs) . Let t be a well-named term such that x ∈ fv ( t ) and t is compatible with { x (cid:0) v } .1) if t is a strong inert term then there exists a normal and proper rigid multi context R such that t = R (cid:104) x (cid:105) and x / ∈ fv ( R ) .2) if t is a strong fireball then there exists a fine and normal multi context E such that t = E (cid:104) x (cid:105) and x / ∈ fv ( E ) .Proof. By induction on t . Cases: • Variable , i.e. t = x :1) trivially true, as the compatibility hypothesis is not verified ( x occurs free but not as an argument);2) Simply take E := (cid:104)·(cid:105) . • Application , i.e. t = i s f s :) Suppose that x occurs in both i s and f s . Note that i s is compatible and that f s is compatible only if f s (cid:54) = x . By i.h. there is a normal and proper rigid normal multi context R (cid:48) such that i s = R (cid:48) (cid:104) x (cid:105) and x / ∈ fv ( R (cid:48) ) . If f s = x then take E := (cid:104)·(cid:105) , otherwise by i.h. there exists a fine and normal multi context E such that f s = E (cid:104) x (cid:105) and x / ∈ fv ( E ) . Then R := R (cid:48) E satisfies the statement.If x does not occur in i s then one uses Lemma H.22.1 to see i s as a normal rigid multi context and reason as before.If x does not occur in f s then one sees f s as a normal and fine multi context with no holes, as all terms are externalmulti contexts. Note that x has to occur in i or f s , because it occurs in t , and so the context R is always proper.2) Simply take E as the rigid multi context obtained in the previous point. • Abstraction , i.e. t = λy.f s :1) trivially true, as the hypothesis is not verified;2) Simply take E := λy. E (cid:48) , where E (cid:48) is the fine and normal multi context given by the i.h. on f s . • Explicit substitution , i.e. t = u [ y (cid:0) i s ] :1) if t is a strong inert term then so is u . Suppose that x occurs in both u and i . 
Note that both u and i s are compatiblewith { x (cid:0) v } . Therefore, we can apply the i.h. on both terms, obtaining two normal and proper rigid multi context R (cid:48) and R (cid:48)(cid:48) such that R (cid:48) (cid:104) x (cid:105) = u , R (cid:48)(cid:48) (cid:104) x (cid:105) = i s , x / ∈ fv ( R (cid:48) ) , and x / ∈ fv ( R (cid:48)(cid:48) ) . Then R := R (cid:48) [ y (cid:0) R (cid:48)(cid:48) ] verifies the statement.If x does not occur in one among u and i then one uses Lemma H.22.1 to see it as a normal rigid multi context andreason as before. Note that x has to occur in u or i , because it occurs in t , and so the context R is always proper.2) Along the lines of the previous point, spelled out in the following. If t is a strong fireball then so is u . Suppose that x occurs in both u and i s . We can apply the i.h. obtaining a fine and normal multi context E (cid:48) such that f s = E (cid:104) x (cid:105) and x / ∈ fv ( E ) . By the compatibility hypothesis i s does not have shape L (cid:104) x (cid:105) , and so we can apply the i.h. , obtaininga normal and proper rigid multi context R (cid:48) such that R (cid:48) (cid:104) x (cid:105) = i s and x / ∈ fv ( R (cid:48) ) . Then E := E (cid:48) [ y (cid:0) R (cid:48)(cid:48) ] verifies thestatement. If x does not occur in i s then one uses Lemma H.22.1 to see i s as a normal rigid multi context and reasonas before. If x does not occur in u then one sees u as a normal and fine multi context with no holes, as all terms areexternal multi contexts. Note that x has to occur in u or i , because it occurs in t , and so the context E is always proper. c) Stability of goodness by addition/removal of ES: The invariance of goodness for the (cid:47) -transitions requires (weak)goodness to be stable by addition appropriate ES next to the hole of K . Similarly, (cid:46) -transitions require stability of (weak)goodness by removal of the innermost ES next to the hole in K . 
We first focus on adding ES, in the next two lemmas. Lemma H.28 (Open goodness addition) . Let e be open good and i be an inert term. Then:1) if e ( x ) undefined or e ( x ) = i then [ y (cid:0) x ] e and [ y (cid:0) xz ] e are open good.2) [ y (cid:0) λx.e (cid:48) ] e is open good.Proof.
1) We have to prove three facts:a) σ [ y (cid:0) x ] e is a fireball substitution . Three sub-cases: • y ∈ V cr and e ( x ) undefined: then σ [ y (cid:0) x ] e = L.E. . { y (cid:0) x } ∪ σ e . By hypothesis, σ e is a fireball substitution, andthus so is σ [ y (cid:0) x ] e . • y ∈ V cr and e ( x ) = i : σ [ y (cid:0) x ] e = L.E. . { y (cid:0) σ e ( x ) } ∪ σ e . By hypothesis, σ e is a fireball substitution, thus σ e ( x ) isa fireball, and we conclude. • y ∈ V calc : σ [ y (cid:0) x ] e = L.E. . σ e , which by hypothesis is a fireball substitution.b) L [ y (cid:0) x ] e is a inert context . Three sub-cases: • y ∈ V cr : L [ y (cid:0) x ] e = L.E. . L e , which by hypothesis is an inert context. • y ∈ V calc and e ( x ) undefined: L [ y (cid:0) x ] e = L.E. . [ y (cid:0) x ] L e . By hypothesis, L e is an inert context, and thus so is L [ y (cid:0) x ] e . • y ∈ V calc and e ( x ) = i : L [ y (cid:0) x ] e = L.E. . [ y (cid:0) σ e ( x )] L e . By hypothesis, L e is an inert context, and we need to provethat σ e ( x ) is an inert term. Since e is open good, σ e ( x ) is a fireball, and if it is a value then e ( x ) is also a value.By the side condition of the rule, e ( x ) is an inert, and thus σ e ( x ) is not a value, that is, it is a inert term.c) [ y (cid:0) x ] e has immediate values . Assume that σ [ y (cid:0) x ] e ( z ) is a value for z (cid:54) = (cid:63) , we have to prove that ([ y (cid:0) x ] e )( z ) is avalue. Three sub-cases: • y ∈ V cr and e ( x ) undefined: σ [ y (cid:0) x ] e ( z ) = L.E. . ( { y (cid:0) x } ∪ σ e )( z ) . If z (cid:54) = y then it follows by the fact that e has immediate values (by hypothesis). Otherwise, ( { y (cid:0) x } ∪ σ e )( y ) = x which is not a value, and so the statementtrivially holds. • y ∈ V cr and e ( x ) = i : σ [ y (cid:0) x ] e ( z ) = L.E. . ( { y (cid:0) σ e ( x ) } ∪ σ e )( z ) . If z (cid:54) = y then it follows by the fact that e hasimmediate values (by hypothesis). 
Otherwise, ( { y (cid:0) σ e ( x ) } ∪ σ e )( y ) = σ e ( x ) . Since e has immediate values and (cid:54) = (cid:63) (because it occurs in [ y (cid:0) x ] ), if σ e ( x ) is a value then e ( x ) is a value, against the hypothesis that it is an inertterm—then this case is not possible. • y ∈ V calc : σ [ y (cid:0) x ] e ( z ) = σ e ( z ) and the property follows from the fact that e has immediate value (by hypothesis).2) We have to prove three facts:a) σ [ y (cid:0) λx.e (cid:48) ] e is a fireball substitution . Then σ [ y (cid:0) λx.e (cid:48) ] e = L.E. . { y (cid:0) λx.e (cid:48) → σ e } ∪ σ e . By hypothesis, σ e is a fireballsubstitution, thus so is σ [ y (cid:0) λx.e (cid:48) ] e .b) L [ y (cid:0) x ] e is a inert context . Then L [ y (cid:0) λx.e (cid:48) ] e = L.E. . L e , which by hypothesis is an inert context.c) [ y (cid:0) λx.e (cid:48) ] e has immediate values . Assume that σ [ y (cid:0) λx.e (cid:48) ] e ( z ) is a value for z (cid:54) = (cid:63) , we have to prove that ([ y (cid:0) λx.e (cid:48) ] e )( z ) is a value. Note that σ [ y (cid:0) λx.e (cid:48) ] e ( z ) = L.E. . ( { y (cid:0) λx.e (cid:48) → σ e } ∪ σ e )( z ) . If z (cid:54) = y then it follows by the fact that e hasimmediate values (by hypothesis). Otherwise, ( { y (cid:0) λx.e (cid:48) → σ e }∪ σ e )( y ) = λx.e (cid:48) → σ e and ([ y (cid:0) λx.e (cid:48) ] e )( y ) = λx.e (cid:48) which,as required, is a value. Lemma H.29 (Goodness addition) . Let K be good and i be an inert term.1) If e K ( x ) undefined or e K ( x ) = i then K (cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] (cid:105) and K (cid:104)(cid:104)·(cid:105) [ y (cid:0) xz ] (cid:105) are good.2) If y / ∈ fv ( F K ) then K (cid:104)(cid:104)·(cid:105) [ y (cid:0) λx.e (cid:48) ] (cid:105) is good.Proof. 
Let K (cid:48) be either K (cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] (cid:105) , K (cid:104)(cid:104)·(cid:105) [ y (cid:0) xz ] (cid:105) or K (cid:104)(cid:104)·(cid:105) [ y (cid:0) λx.e (cid:48) ] (cid:105) depending on which case we are proving. For bothpoints, by Lemma H.28 e K (cid:48) is open good and F K is well-framed, so that we only have to show that the unfolding of theframe F K (cid:48) → of K (cid:48) is a fine and normal multi context compatible with e K (cid:48) and that the unfolding K (cid:48) → of K (cid:48) is fine. • F K (cid:48) → is a fine and normal multi context compatible with e K (cid:48) :1) We treat the case of K (cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] (cid:105) , for K (cid:104)(cid:104)·(cid:105) [ w (cid:0) xz ] (cid:105) the reasoning is identical. Note that F K = F K (cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] (cid:105) . So by i.h. we know that F K → is a fine and normal multi context. We only need to show that it is compatible with σ [ y (cid:0) x ] e K ,knowing what we refer to as the compatibility hypothesis , that is, that it is compatible with σ [ y (cid:0) x ] e K . Three sub-cases:a) y ∈ V cr and e K ( x ) undefined: then by Lemma E.25.1 we have σ [ y (cid:0) x ] e K = { y (cid:0) x } ∪ σ e K . Since x is inert,compatibility then follows from the compatibility hypothesis.b) y ∈ V cr and e K ( x ) = i : then by Lemma E.25.1 we have σ [ y (cid:0) x ] e K = { y (cid:0) σ e K ( x ) } ∪ σ e K . By hypothesis, e K ( x ) is an inert term. Since e K is open good, it has immediate values, and so σ e K ( x ) is an inert term as well because x (cid:54) = (cid:63) because x occurs in [ y (cid:0) x ] . Compatibility then follows from the compatibility hypothesis.c) y ∈ V calc : then by Lemma E.25.2 we have σ [ y (cid:0) x ] e K = σ e K and the property follows by compatibility hypothesis.2) Note that also in this case we have F K = L.H. . F K (cid:104)(cid:104)·(cid:105) [ y (cid:0) λx.e (cid:48) ] (cid:105) , and the i.h. 
gives that it is a fine and normalmulti context follows. We have to show it compatible with σ [ y (cid:0) x ] e K , knowing that it is compatible with σ e K . This isimmediate, because by hypothesis y / ∈ fv ( F K ) and thus y / ∈ fv ( F K → ) . • K (cid:48) → is fine:1) We treat the case of K (cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] (cid:105) , for K (cid:104)(cid:104)·(cid:105) [ w (cid:0) xz ] (cid:105) the reasoning is identical. We have K (cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] (cid:105)→ = K →(cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] → σ e K (cid:105) by Lemma X.2.3. Note that (cid:104)·(cid:105) [ y (cid:0) x ] → is either the inert context (cid:104)·(cid:105) or the inert context (cid:104)·(cid:105) [ y (cid:0) x ] .Now we apply various lemmas about multi contexts: – (cid:104)·(cid:105) [ y (cid:0) x ] → is a fine multi context by Lemma H.22.2, – it is also is compatible with the fireball substitution σ e K because by hypothesis x is not bound to an abstraction in e K , then – (cid:104)·(cid:105) [ y (cid:0) x ] → σ e K is a fine context by Lemma H.24, and finally – K →(cid:104)(cid:104)·(cid:105) [ y (cid:0) x ] → σ e K (cid:105) is a fine context by Lemma H.26.1.2) Trivial because by Lemma X.2.3 K (cid:104)(cid:104)·(cid:105) [ y (cid:0) λx.e (cid:48) ] (cid:105)→ = K →(cid:104)(cid:104)·(cid:105) [ y (cid:0) λx.e (cid:48) ] → σ e K (cid:105) = K →(cid:104)(cid:104)·(cid:105) σ e K (cid:105) = K → that is fine byhypothesis because K is good.Goodness is also stable under removal of ES. In order to show that, we first prove in the following lemma a correspondingproperty for multi contexts: rigidity, strength, and properness are stable under removal. Lemma H.30.
Let C be a multi context.1) If C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is a rigid multi context then so is C .2) If C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is an external multi context then so is C .Moreover, if C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is proper then C is proper.Proof. By induction on C . • Empty , i.e. C = (cid:104)·(cid:105) .) Then C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) = (cid:104)·(cid:105) [ x (cid:0) t ] but no rigid multi context can have this shape, so this case is impossible.2) Then (cid:104)·(cid:105) is an external multi context. • Variable , i.e. R = x .1) x is a rigid multi context.2) x is an external multi context. • Abstraction , i.e. C = λx. C (cid:48) .1) Then C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) = λx. C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) but no rigid multi context can have this shape, so this case is impossible.2) By i.h. C (cid:48) is an external multi context, and then so is C . • Application , i.e. C = C (cid:48) C (cid:48)(cid:48) .1) If C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) = C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) C (cid:48)(cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is a rigid multi context then C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is a rigid multi context and C (cid:48)(cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is an external multi context. By i.h. , C (cid:48) is rigid and C (cid:48)(cid:48) is strong. Then C is rigid.2) C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is an external multi context only if it is rigid. By Point 1, C is rigid, and thus strong. • Explicit substitution , i.e. 
C = C (cid:48) [ y (cid:0) C (cid:48)(cid:48) ] .1) If C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) = C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) [ y (cid:0) C (cid:48)(cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) ] is a rigid multi context then C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is a rigid multi context and C (cid:48)(cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is a rigid multi context. By i.h. , both C (cid:48) and C (cid:48)(cid:48) are rigid, and then so is C .2) If C (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) = C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) [ y (cid:0) C (cid:48)(cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) ] is an external multi context then C (cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is an external multicontext and C (cid:48)(cid:48) (cid:104)(cid:104)·(cid:105) [ x (cid:0) t ] (cid:105) is a rigid multi context. By i.h. , C (cid:48) is an external multi context and C (cid:48)(cid:48) is a rigid multicontext. Then C is an external multi context.The moreover part follows evidently holds in the base cases, and it follows immediately from the i.h. in the inductive cases.The invariance of goodness by removals of the innermost ES next to the hole in K is simpler than stability for addition,and it is given by the next lemma. Lemma H.31 (Goodness removal) .
1) If [ x (cid:0) b ] e is open good then e is open good.2) If K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) is good, then K is good.Proof.
1) We have to prove three facts:a) σ e is a fireball substitution . By Lemma E.25.1, σ [ x (cid:0) b ] e is σ e plus possibly a substitution on x . Therefore, if σ [ x (cid:0) b ] e isa fireball substitution then so is σ e .b) L e is a inert context . By Lemma E.25.2, L [ x (cid:0) b ] e is L e plus possibly an ES on x . Therefore, if L [ x (cid:0) b ] e is a inertsubstitution context then so is L e .c) e has immediate values . By Lemma E.25.1, σ [ x (cid:0) b ] e is σ e plus possibly a substitution on x . Therefore, if σ [ x (cid:0) b ] e hasimmediate values then so does σ e .2) By hypothesis e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) = L.G. . [ x (cid:0) b ] e K is open good, and so e K is open good by the previous point.a) We prove that F K is well-framed w.r.t. σ e K . By hypothesis, F K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) = L.H. . F K is well-framed w.r.t. σ e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) = σ [ x (cid:0) b ] e K . Now, by Lemma E.25.1, we have that σ [ x (cid:0) b ] e K is σ e K plus possibly a substitution on x .Therefore, compatibility with respect to σ [ x (cid:0) b ] e K implies compatibility with respect to σ e K and thus F K is also well-framed w.r.t. σ e K .b) We prove K → is a fine multi context. By hypothesis we know that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) is good and therefore that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105)→ = L.X. . K →(cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] → σ e K (cid:105) is a fine multi context. Two cases: • If b = v or x ∈ V cr then K →(cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] → σ e K (cid:105) = K →(cid:104)(cid:104)·(cid:105){ x (cid:0) b →} σ e K (cid:105) = K → , which is then a fine multi context. • Otherwise, K →(cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] → σ e K (cid:105) = K →(cid:104)(cid:104)·(cid:105) [ x (cid:0) bσ e K ] (cid:105) . 
By Lemma H.30.2, K → is a fine multi context.We now have all the ingredients to conclude that also Goodness is propagated. Theorem H.32 (Goodness invariant) . Let s = e (cid:46)(cid:47) K be a state reachable from an initial state s . Then s is good.Proof. By induction on the execution ρ : s → ∗ M s . If ρ is empty then s = s and, by definition of initial state, s = e (cid:47) (cid:104)·(cid:105) for some well-named and pristine environment e : e (cid:47) (cid:104)·(cid:105) is good by the definition of good, since e is pristine.If ρ is non-empty we look at the last transition s (cid:48) → M s , knowing by i.h. that the goodness invariant holds for s (cid:48) : • e [ x (cid:0) y z ] (cid:47)K (cid:32) β v e ([ x (cid:0) b ] e (cid:48) { w (cid:0) z } ) (cid:47)K with ( e K ( y )) α = λw. ([ (cid:63) (cid:0) b ] e (cid:48) ) and e K ( z ) = v for some v .Goodness follows from the i.h. • e [ x (cid:0) y z ] (cid:47)K (cid:32) β i e [ x (cid:0) b ] e (cid:48) (cid:47)K (cid:104)(cid:104)·(cid:105) [ w (cid:0) z ] (cid:105) with ( e K ( y )) α = λw. ([ (cid:63) (cid:0) b ] e (cid:48) ) and e K ( z ) = i for some inert term i .y i.h. , K is good; then K (cid:104)(cid:104)·(cid:105) [ w (cid:0) z ] (cid:105) is good by Lemma H.29. • e [ x (cid:0) y ] (cid:47)K (cid:32) ren e { x (cid:0) y } (cid:47)K with x (cid:54) = (cid:63) .Goodness follows from the i.h. • e [ x (cid:0) b ] (cid:47)K (cid:32) sea e(cid:47)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) when b is an abstraction or when b is y or yz but y is not defined in e K or e K ( y ) isnot a value.To show that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) is good, note that by i.h. , K is good. For all cases but when b is an abstraction we canimmediately apply Lemma H.29 and obtain that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) is good. When b is an abstraction, by i.h. we obtain that s (cid:48) is well-named, and so x / ∈ fv ( F K ) . 
Then we can apply Lemma H.29 and obtain that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) is good. • (cid:15)(cid:47)K (cid:32) sea (cid:15)(cid:46)K(cid:15)(cid:46)K is obviously good because the property holds by i.h. • e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) (cid:32) sea e [ x (cid:0) b ] (cid:46)K where b is a variable or an application.To show that e [ x (cid:0) b ] (cid:46)K is good: – K is good : by i.h. , K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) is good. By Lemma H.31, K is good. – e [ x (cid:0) b ] → is a strong fireball compatible with σ e K : by i.h. , e → is a strong fireball compatible with σ e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) b ] (cid:105) = L.G. . σ [ x (cid:0) b ] e K . Two cases: ∗ x ∈ V cr : e [ x (cid:0) b ] → = e →{ x (cid:0) b →} and σ [ x (cid:0) b ] e K = L.E. . { x (cid:0) σ e K ( b ) } ∪ σ e K . Because e → is a strong fireball (by i.h. )and b → = b is a strong inert (by hypothesis of the transition), then e →{ x (cid:0) b →} is a strong fireball because strongfireballs are stable under the substitution of strong inerts. Let y be such that σ e K is a value. By compatibility of e → with { x (cid:0) σ e K ( b ) } ∪ σ e K , y occurs in e → only as an argument, if ever. Two cases: · b is a variable z and z (cid:54) = (cid:63) since it occurs in [ x (cid:0) b ] . Note that z (cid:54) = y , otherwise e K would not have immediatevalues, against goodness of K , and that for the same reason one also has x (cid:54) = y . Then y does not occur as anargument in e [ x (cid:0) b ] → = e →{ x (cid:0) z } . · b is an application zw . Note that if z = y then σ e K ( b ) is not a fireball, against the hypothesis that { x (cid:0) σ e K ( b ) } ∪ σ e K is a fireball substitution. Then y occurs only as an argument in e [ x (cid:0) b ] → , and compatibility holds. ∗ x ∈ V calc : then e [ x (cid:0) b ] → = e → [ x (cid:0) b ] and σ [ x (cid:0) b ] e K = L.E. . σ e K . 
Since e → is a strong fireball (by i.h. ) and b is astrong inert term (by hypothesis of the transition), then e [ x (cid:0) b ] → is a strong fireball. Compatibility for e → followsfrom the i.h. , we only have to analyze [ x (cid:0) b ] . Let y be such that σ e K is a value. Two cases: · b is a variable z and z (cid:54) = (cid:63) since it occurs in [ x (cid:0) b ] . Note that z (cid:54) = y , otherwise e K would not have immediatevalues, against goodness of K , and that for the same reason one also has x (cid:54) = y . Then compatibility holds. · b is an application zw . Note that if z = y then σ e K ( b ) is not a fireball, against the hypothesis that { x (cid:0) σ e K ( b ) } ∪ σ e K is a fireball substitution. Then z (cid:54) = y and compatibility holds. • e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) v ] (cid:105) (cid:32) gc e(cid:46)K with x / ∈ fv ( e ) .By i.h. , K (cid:104)(cid:104)·(cid:105) [ x (cid:0) v ] (cid:105) is good. By Lemma H.31, K is good. • e(cid:46)K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) (cid:32) sea e (cid:48) [ x (cid:0) λy.e ] (cid:46)K .To show that e (cid:48) [ x (cid:0) λy.e ] (cid:46)K is good: – K is good : by i.h. K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is good. We have to prove that: ∗ e K is open good : note that e K = L.G. . e K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) and e K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is open good because K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is good. ∗ F K is well-framed w.r.t. σ e K . By i.h. F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.H. . F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is well-framed w.r.t. σ e K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . σ e K . Therefore also F K is well-framed w.r.t. σ e K by Lemma H.20. 
∗ K → is fine : by hypothesis we know that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e ] (cid:105) is good and therefore that K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e ] (cid:105)→ = L.X. . K →(cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e ] → σ e K (cid:105) = K →(cid:104)(cid:104)·(cid:105){ x (cid:0) λy.e →} σ e K (cid:105) = K → is a fine multi context. – e (cid:48) [ x (cid:0) λy.e ] → is a strong fireball compatible with σ e K : since e(cid:46)K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is good, we have that ∗ e → is a strong fireball compatible with σ e K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . σ e K . ∗ F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) → = L.H. . F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105)→ is a fine context compatible with σ e K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . σ e K .Then e (cid:48) [ x (cid:0) λy.e ] → = F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) (cid:104) e (cid:105)→ = L.H. . F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) →(cid:104) e →(cid:105) is a strong fireball because F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is normal by i.h. By Lemma H.25, compatibility of F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) → and e → with σ e K implies compatibility of F K (cid:104) e (cid:48) [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) →(cid:104) e →(cid:105) with σ e K . • e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) (cid:32) sea e (cid:48) (cid:47)K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) with x ∈ fv ( e ) .We need to prove that e (cid:48) (cid:47)K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is good. By i.h. 
, e(cid:46)K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) is good, which means that: e K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) = L.G. . [ x (cid:0) λy.e (cid:48) ] e K is open good, – F K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105) is well-framed w.r.t. σ e K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . σ e K . Therefore, by Lemma H.20, F K is also well-framedw.r.t. σ e K . – K (cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] (cid:105)→ = L.X. . K →(cid:104)(cid:104)·(cid:105) [ x (cid:0) λy.e (cid:48) ] → σ e K (cid:105) = K →(cid:104)(cid:104)·(cid:105){ x (cid:0) λy.e (cid:48) →}→ σ e K (cid:105) = K → is a fine multi context. – e → is a strong fireball compatible with σ [ x (cid:0) λy.e (cid:48) ] e K = L.E. . { x (cid:0) λy.e (cid:48) → σ e K } σ e K ,We have to prove that: – K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is good : that is, we have to prove that ∗ e K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is open good : note that e K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . e K . By i.h. (first item above), we know that [ x (cid:0) λy.e (cid:48) ] e K is open good. Then, e K is open good by the open goodness removal lemma (Lemma H.31). ∗ F K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) is well-framed w.r.t. σ e K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.G. . σ e K : note that F K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) = L.H. . F K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) and that we already proved that F K is well-framed w.r.t. σ e K . Therefore we just need to show F K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105)→ = L.H. . F K →(cid:104) e →{ x (cid:0) λy. (cid:104)·(cid:105)}(cid:105) to be a normal fine multi-context compatible with σ e K .Since F K is well-framed w.r.t. 
σ e K , F K → is a fine and normal multi context compatible with σ e K . By the fourthitem of the i.h. above, e → is a strong fireball compatible with { x (cid:0) λy.e (cid:48) → σ e K } σ e K . By the hypothesis on thetransition, x ∈ fv ( e ) , and by the garbage invariant x ∈ fv ( e → ) . Note that the compatibility hypothesis on e → impliesin particular that e → is compatible with { x (cid:0) v } .Then by Lemma H.27 there exists a fine and normal context E such that x / ∈ fv ( E ) and e → = E (cid:104) x (cid:105) , and (by the hy-pothesis on e → ) E is compatible with σ e K . By Lemma H.26, e { x (cid:0) λy. (cid:104)·(cid:105)}→ = E (cid:104) x (cid:105){ x (cid:0) λy. (cid:104)·(cid:105)} = L.H. E (cid:104) λy. (cid:104)·(cid:105)(cid:105) isa fine and normal context, compatible with σ e K because E is. Note that F K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105) → = F K →(cid:104) e →{ x (cid:0) λy. (cid:104)·(cid:105)}(cid:105) = F K →(cid:104) E (cid:104) λy. (cid:104)·(cid:105)(cid:105)(cid:105) , which is finally proved to be a fine and normal context compatible with σ e K by applyingLemma H.26 once more. ∗ K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105)→ is fine: K (cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] (cid:105)→ = L.X. . K →(cid:104) e [ x (cid:0) λy. (cid:104)·(cid:105) ] → σ e K (cid:105) = K →(cid:104) E (cid:104) λy. (cid:104)·(cid:105)(cid:105) σ e K (cid:105) where E (cid:104) λy. (cid:104)·(cid:105)(cid:105) is the fine (and normal) context compatible with σ e K built in the previous proof item. Thus, byLemma H.24, E (cid:104) λy. (cid:104)·(cid:105)(cid:105) σ e K is a fine multi context and by Lemma H.26.1 so is K →(cid:104) E (cid:104) λy. (cid:104)·(cid:105)(cid:105) σ e K (cid:105) .We conclude this section with the following theorem, proving the property of machine contexts that motivated the introductionof the Good invariant in the first place: Theorem H.33 (Contextual read-back) . See p. 14Thm. X.3
Let s = e (cid:46)(cid:47) K be a reachable state. Then K → is a proper external multi context.Proof. By Thm. H.32 s is good. Then K → is a proper external multi context. F. Proof of the SCAM Implementation Theorem
Here we are supposed to prove the following theorem.
Theorem H.34 (SCAM implementation) . See p. 14Thm. X.4 Relaxed β -projection : let s be a reachable state. If s (cid:32) β v s (cid:48) then s → ( → xm → xe ) + s (cid:48) → , and if s (cid:32) β i s (cid:48) then s →→ + xm ≡ s (cid:48) → .2) Strong implementation : the SCAM is a relaxed implementation of the strategy ( → x , ≡ ) . We prove the two points separately.
G. Proof of Relaxed Projection
In this section we provide the proof of Theorem X.4 (proved in Thm. H.34): the read back projects β transitions to steps in the calculus. More precisely, each ⇝βv transition projects to one or more →xm steps followed by as many →xe steps (Theorem X.4.1, proved in Thm. H.36), and each ⇝βi transition projects to one or more →xm steps up to structural equivalence, i.e. →xm⁺ ≡ (hence the term "relaxed") (Theorem X.4.2, proved in Thm. H.38).

For this reason, we first need an auxiliary lemma that shows how substitutions can be permuted in terms. The following lemma proves (under suitable requirements on variables) that substitution contexts commute with open contexts, up to the structural equivalence of VSC.

Lemma H.35 (Open and substitution contexts commute up to ≡). Let L be a substitution context and O be an open context such that:
• dom(L) ⊥ fv(O),
• fv(L) ⊥ dom(O),
• dom(L) ⊥ dom(O).
Then L⟨O⟨t⟩⟩ ≡ O⟨L⟨t⟩⟩.

Proof. By induction on the structure of O:
• If O = ⟨·⟩, the statement follows trivially.
• If O = O′u, then L⟨O⟨t⟩⟩ = L⟨O′⟨t⟩ u⟩. We prove that L⟨O′⟨t⟩ u⟩ ≡*@l L⟨O′⟨t⟩⟩ u by induction on the structure of L:
  – The case L = ⟨·⟩ is trivial.
  – When L = L′[y←p], L⟨O′⟨t⟩ u⟩ = L′⟨O′⟨t⟩ u⟩[y←p]. By i.h. L′⟨O′⟨t⟩ u⟩[y←p] ≡*@l L′⟨O′⟨t⟩⟩ u [y←p] (note that the additional requirement that y ∉ dom(O′) follows from the hypothesis that dom(L) ⊥ dom(O)). In order to apply one last time ≡@l and conclude, we need to show that y ∉ fv(u), which follows from the hypothesis that dom(L) ⊥ fv(O).
  Finally, we conclude by using the i.h.
• The case O = uO′ is similar to the case above.
• If O = O′[x←u] then L⟨O⟨t⟩⟩ = L⟨O′[x←u]⟩. We prove that L⟨O′[x←u]⟩ ≡*com L⟨O′⟩[x←u] by induction on the structure of L:
  – The case L = ⟨·⟩ is trivial.
  – When L = L′[y←p], L⟨O′[x←u]⟩ = L′⟨O′[x←u]⟩[y←p]. By i.h. L′⟨O′[x←u]⟩[y←p] ≡*com L′⟨O′⟩[x←u][y←p] (again, the additional requirement that y ∉ dom(O′) follows from the hypothesis that dom(L) ⊥ dom(O)). In order to apply one last time ≡com and conclude, we need to show that y ∉ fv(u) and x ∉ fv(p): the first follows from the hypothesis that dom(L) ⊥ fv(O), the second from dom(O) ⊥ fv(L).
  Finally, we conclude by using the i.h.
• If O = u[x←O′] then L⟨O⟨t⟩⟩ = L⟨u[x←O′⟨t⟩]⟩. We prove that L⟨u[x←O′⟨t⟩]⟩ ≡*[·] u[x←L⟨O′⟨t⟩⟩] by induction on the structure of L:
  – The case L = ⟨·⟩ is trivial.
  – When L = L′[y←p], L⟨u[x←O′⟨t⟩]⟩ = L′⟨u[x←O′⟨t⟩]⟩[y←p]. By i.h. L′⟨u[x←O′⟨t⟩]⟩[y←p] ≡*[·] u[x←L′⟨O′⟨t⟩⟩][y←p] (again, the additional requirement that y ∉ dom(O′) follows from the hypothesis that dom(L) ⊥ dom(O)). In order to apply one last time ≡[·] and conclude, we need to show that y ∉ fv(u), which follows from the hypotheses that dom(L) ⊥ fv(O) and dom(L) ⊥ dom(O).
  Finally, we conclude by using the i.h. ∎

Theorem H.36 (Relaxed projection). (See p. 14, Theorem X.4.1.)
Let s be a reachable state.
1) If s ⇝βv s′ then $s^{\to} (\to_{xm}\to_{xe})^{+} s'^{\to}$.
2) If s ⇝βi s′ then $s^{\to} \to_{xm}^{+} \equiv s'^{\to}$.

Proof. The state s must be e[x←yz] ▷ K with (e_K(y))^α = λw.([⋆←b]e″). There are two cases, depending on whether e_K(z) is an abstraction or an inert.
• Abstraction, i.e. e_K(z) = v. Since s is reachable it is well-named by Thm. H.8 and thus by Lemma G.1.5 K is well-named and so by Lemma G.1.3 e_K is well-named and thus by Lemma E.26 zσ_{e_K} = σ_{e_K}(z) is a value. The machine transition is s = e[x←yz] ▷ K ⇝βv e([x←b]e″{w←z}) ▷ K = s′ and it projects as follows:
$$\begin{aligned}
s^{\to} &= (e[x{\leftarrow}yz] \triangleright K)^{\to} = K^{\to}\langle (e[x{\leftarrow}yz])^{\to}\sigma_{e_K}\rangle \\
&=_{K\ \text{good}} E\langle (e[x{\leftarrow}yz])^{\to}\sigma_{e_K}\rangle \\
&=_{\text{L.E.}} E\langle O\langle [\star{\leftarrow}yz]^{\to}\sigma_{e_K}\rangle\rangle = E\langle O\langle y\sigma_{e_K}\; z\sigma_{e_K}\rangle\rangle \\
&= E\langle O\langle (\lambda w.([\star{\leftarrow}b]e'')^{\to}\sigma_{e_K})\,(z\sigma_{e_K})\rangle\rangle \\
&\;(\to_{xm}\to_{xe})^{+}\; E\langle O\langle ([\star{\leftarrow}b]e'')^{\to}\sigma_{e_K}\{w{\leftarrow}z\sigma_{e_K}\}\rangle\rangle \qquad \text{(L.X., } z\sigma_{e_K} \text{ is a value)} \\
&= E\langle O\langle ([\star{\leftarrow}b]e'')^{\to}\{w{\leftarrow}z\}\sigma_{e_K}\rangle\rangle \\
&=_{\text{L.E.}} E\langle O\langle ([\star{\leftarrow}b]e''\{w{\leftarrow}z\})^{\to}\sigma_{e_K}\rangle\rangle \\
&= E\langle O\langle ([\star{\leftarrow}b\{w{\leftarrow}z\}](e''\{w{\leftarrow}z\}))^{\to}\sigma_{e_K}\rangle\rangle \\
&=_{\text{L.E.}} E\langle (e[x{\leftarrow}b\{w{\leftarrow}z\}](e''\{w{\leftarrow}z\}))^{\to}\sigma_{e_K}\rangle \\
&= E\langle (e([x{\leftarrow}b]e''\{w{\leftarrow}z\}))^{\to}\sigma_{e_K}\rangle \\
&=_{K\ \text{good}} K^{\to}\langle (e([x{\leftarrow}b]e''\{w{\leftarrow}z\}))^{\to}\sigma_{e_K}\rangle \\
&= (e([x{\leftarrow}b]e''\{w{\leftarrow}z\}) \triangleright K)^{\to} = s'^{\to}
\end{aligned}$$
• Inert, i.e. e_K(z) = i. Since s is reachable it is good by Thm. H.32 and so σ_{e_K} has immediate values. Thus, since z ≠ ⋆ because it occurs in [x←yz] and since e_K(z) is an inert, zσ_{e_K} = σ_{e_K}(z) must be an inert by definition of the immediate values property. The machine transition is s = e[x←yz] ▷ K ⇝βi e[x←b]e″ ▷ K⟨⟨·⟩[w←z]⟩ = s′ and it projects as follows:
$$\begin{aligned}
s^{\to} &= (e[x{\leftarrow}yz] \triangleright K)^{\to} = K^{\to}\langle (e[x{\leftarrow}yz])^{\to}\sigma_{e_K}\rangle \\
&=_{K\ \text{good}} E\langle (e[x{\leftarrow}yz])^{\to}\sigma_{e_K}\rangle \\
&=_{\text{L.E.}} E\langle O\langle [\star{\leftarrow}yz]^{\to}\sigma_{e_K}\rangle\rangle = E\langle O\langle y\sigma_{e_K}\; z\sigma_{e_K}\rangle\rangle \\
&= E\langle O\langle (\lambda w.([\star{\leftarrow}b]e'')^{\to}\sigma_{e_K})\,(z\sigma_{e_K})\rangle\rangle \\
&\;\to_{xm}^{+}\; E\langle O\langle ([\star{\leftarrow}b]e'')^{\to}\sigma_{e_K}[w{\leftarrow}z\sigma_{e_K}]\rangle\rangle \qquad \text{(L.X., } z\sigma_{e_K} \text{ is an inert)} \\
&\equiv_{\text{L.H.}} E\langle O\langle ([\star{\leftarrow}b]e'')^{\to}\sigma_{e_K}\rangle[w{\leftarrow}z\sigma_{e_K}]\rangle \\
&=_{\text{L.E.}} E\langle (e[x{\leftarrow}b]e'')^{\to}\sigma_{e_K}[w{\leftarrow}z\sigma_{e_K}]\rangle \\
&= E\langle (e[x{\leftarrow}b]e'')^{\to}[w{\leftarrow}z]\sigma_{e_K}\rangle \\
&= E\langle (e[x{\leftarrow}b]e''[w{\leftarrow}z])^{\to}\sigma_{e_K}\rangle \\
&=_{K\ \text{good}} K^{\to}\langle (e[x{\leftarrow}b]e''[w{\leftarrow}z])^{\to}\sigma_{e_K}\rangle \\
&= (e[x{\leftarrow}b]e'' \triangleright K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle)^{\to} = s'^{\to}
\end{aligned}$$
∎

H. Proof of overhead transparency
In this section we provide the proof of Lemma H.37, i.e. that the read back projects overhead transitions to equality in the VSC calculus.

Lemma H.37 (Overhead transparency). Let s be reachable. If s ⇝ s′ with a non-β transition, then s→ ≡ s′→.

Proof. By inspection of the non-multiplicative machine transitions. The proof for all the search steps is trivial since a search step has the form e ◁▷ K → e′ ◁▷ K′ with K⟨e⟩ = K′⟨e′⟩ and thus s→ = K⟨e⟩→ = K′⟨e′⟩→ = s′→. We analyze the remaining steps.
• Case e[x←y] ▷ K ⇝ren e{x←y} ▷ K with x ≠ ⋆. Since e[x←y] ▷ K is reachable, it is well-named and therefore, by Lemma G.1.4, e[x←y] is well-named and thus, by Lemma E.14, e is well-named and y ∉ bv(e).
$$\begin{aligned}
(e[x{\leftarrow}y]\triangleright K)^{\to} &= K\langle e[x{\leftarrow}y]\rangle^{\to} =_{\text{L.X.}} K^{\to}\langle e[x{\leftarrow}y]^{\to}\sigma_{e_K}\rangle =_{x\in V_{cr}} K^{\to}\langle e^{\to}\{x{\leftarrow}y\}\sigma_{e_K}\rangle \\
&=_{\text{L.E.}} K^{\to}\langle e\{x{\leftarrow}y\}^{\to}\sigma_{e_K}\rangle =_{\text{L.X.}} K\langle e\{x{\leftarrow}y\}\rangle^{\to} = (e\{x{\leftarrow}y\}\triangleright K)^{\to}
\end{aligned}$$
• Case e ◁ K⟨⟨·⟩[x←v]⟩ ⇝gc e ◁ K with x ∉ fv(e).
$$\begin{aligned}
(e\triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle)^{\to} &= K\langle e[x{\leftarrow}v]\rangle^{\to} =_{\text{L.X.}} K^{\to}\langle e[x{\leftarrow}v]^{\to}\sigma_{e_K}\rangle = K^{\to}\langle e^{\to}\{x{\leftarrow}v^{\to}\}\sigma_{e_K}\rangle \\
&=_{\text{L.E., } x\notin fv(e)} K^{\to}\langle e^{\to}\sigma_{e_K}\rangle =_{\text{L.X.}} K\langle e\rangle^{\to} = (e\triangleleft K)^{\to}
\end{aligned}$$
∎

We now have all the ingredients to prove Theorem X.4.2 (proved in Thm. H.38), i.e. the implementation theorem for the SCAM machine:

Theorem H.38 (Strong CbV Implementation). (See p. 14, Theorem X.4.2.) The SCAM is a relaxed implementation of the strong fireball strategy (→x, ≡).

Proof. The strong fireball strategy (→x, ≡) is a structural strategy by Prop. C.4. We show that (⇝SCAM, →x, ≡, ·→) form a relaxed implementation system, and obtain the statement by Thm. V.3. First of all, the initialization constraint for the SCAM is given by Lemma VII.4. About the conditions for a relaxed implementation system:
1) Relaxed β-projection: by Theorem X.4.1 (proved in Thm. H.36).
2) Overhead transparency: by Lemma H.37.
3) Overhead transitions terminate: it follows by Corollary XI.5.
4) Halt: by inspection of the SCAM transitions, the only normal states of the machine have the form e ◁ ⟨·⟩. Since this state is good, e→ is a strong fireball. By Lemma II.5, e→ is a →x-normal form.
5) Relaxed determinism:
  • →x is diamond: by Prop. III.1.1.
  • ⇝SCAM is deterministic: by a simple inspection of the transitions and the well-naming property. Well-naming grants uniqueness of lookup in the environment during transitions ⇝βv and ⇝βi. ∎

APPENDIX I: PROOFS OF SECTION XI (COMPLEXITY)

In this section we prove that the SCAM can be implemented within a bilinear time overhead. The fundamental invariant is the size invariant, proved in Thm. I.3: it basically shows that the size of the abstractions present in the unevaluated parts of a reachable state is bounded by the size of the initial state.

First of all, we show that the measure of the initial state is linearly related to the size of the initial λ-term:

Lemma I.1 (Linear compilation). (See p. 14, Lemma XI.1.)
Let t be a λ-term. Then $|\underline{t}| \le 2|t|$.

Proof. We prove this statement mutually with the corresponding statement for the auxiliary translation, i.e. that $|e| \le 2|t|$ when $(x, e) := \underline{t}$. We proceed by induction on the structure of t:
• If t = x, then $\underline{t} = [\star{\leftarrow}x]$, and $|\underline{t}| = 2 = 2|t|$.
• If t = λx.u, then $\underline{t} = [\star{\leftarrow}\lambda x.\underline{u}]$, and $|\underline{t}| = 2 + |\underline{u}| \le_{\text{i.h.}} 2 + 2|u| = 2(|u| + 1) = 2|t|$.
• If t = up, then $\underline{t} = [\star{\leftarrow}xy]\, e\, e'$ where $(x, e) := \underline{u}$ and $(y, e') := \underline{p}$. By i.h. $|e| \le 2|u|$ and $|e'| \le 2|p|$. Hence $|\underline{t}| = |[\star{\leftarrow}xy]\, e\, e'| = 2 + |e| + |e'| \le_{\text{i.h.}} 2 + 2|u| + 2|p| = 2(|u| + |p| + 1) = 2|t|$.
Concerning the auxiliary translation:
• If t = x, then $\underline{t} = (x, \varepsilon)$, and $|\varepsilon| = 0 < 2|t|$.
• If t = λx.u, then $\underline{t} = (z, [z{\leftarrow}\lambda x.\underline{u}])$, and $|e| = 2 + |\underline{u}| \le_{\text{i.h.}} 2 + 2|u| = 2|t|$.
• If t = up, then $\underline{t} = (z, [z{\leftarrow}xy]\, e\, e')$ where $(x, e) := \underline{u}$ and $(y, e') := \underline{p}$. By i.h. $|e| \le 2|u|$ and $|e'| \le 2|p|$. Hence $|[z{\leftarrow}xy]\, e\, e'| = 2 + |e| + |e'| \le_{\text{i.h.}} 2 + 2|u| + 2|p| = 2|t|$. ∎

In the proof of the size invariant we shall use repeatedly the following trivial properties of size:

Lemma I.2 (Properties of |·|). For all environments e, e′:
1) |ee′| = |e| + |e′|
2) |e{x←y}| = |e|
3) if e =α e′, then |e| = |e′|
4) |[x←b]e′| = |[⋆←b]e′|

Proof.
1) By induction on the structure of e′:
  • Case ε: |eε| = |e| = |e| + 0 = |e| + |ε|.
  • Case e″[x←b]: |ee′| = |ee″[x←b]| = 1 + |ee″| + |b| =i.h. 1 + |e| + |e″| + |b| = |e| + |e″[x←b]| = |e| + |e′|.
2) Obvious because the definition of |·| does not care about names.
3) Obvious because the definition of |·| does not care about names.
4) Obvious because the definition of |·| does not care about names. ∎

We turn to the proof of the size invariant:

Theorem I.3 (Size invariant). Let s = e ◁▷ K be a state reachable starting from an initial state s₀ = e₀ ▷ ⟨·⟩. Then |v| ≤ |e₀| holds for every abstraction v either in e (when the state is e ▷ K) or in e_K.

Proof. By induction on the execution ρ : s₀ →*_M s. If ρ is empty then s = s₀; in this case, the size invariant is trivial by the definition of size. If ρ is non-empty we look at the last transition s′ →_M s, knowing by i.h. that the size invariant holds for s′:
• e[x←yz] ▷ K ⇝βv e([x←b]e′{w←z}) ▷ K with (e_K(y))^α = λw.([⋆←b]e′) and e_K(z) = v for some v. Every value v in e_K is such that |v| ≤ |e₀| because the property holds by i.h. Moreover, values in e([x←b]e′{w←z}) are either renamings of α-renamings of values in e_K or values in e and thus in e[x←yz]. Therefore the property holds by i.h., Lemma I.2.2 and Lemma I.2.3.
• e[x←yz] ▷ K ⇝βi e[x←b]e′ ▷ K⟨⟨·⟩[w←z]⟩ with (e_K(y))^α = λw.([⋆←b]e′) and e_K(z) = i for some inert term i. Every value v in e_{K⟨⟨·⟩[w←z]⟩} =L.G. [w←z]e_K is such that |v| ≤ |e₀| because the property holds by i.h. for e_K. Moreover, values in e[x←b]e′ are either α-renamings of values in e_K or values in e and thus in e[x←yz]. Therefore the property holds by i.h. and Lemma I.2.3.
• e[x←y] ▷ K ⇝ren e{x←y} ▷ K with x ≠ ⋆. Every abstraction in e_K or in e{x←y} is an abstraction in e_K or a renaming of an abstraction in e[x←y]. The property follows from i.h. by Lemma I.2.2.
• e[x←b] ▷ K ⇝sea e ▷ K⟨⟨·⟩[x←b]⟩ when b is an abstraction or when b is y or yz but y is not defined in e_K or e_K(y) is not a value. Every abstraction in e or in e_{K⟨⟨·⟩[x←b]⟩} =L.G. [x←b]e_K is also in e[x←b] or in e_K. Therefore the property holds by i.h.
• ε ▷ K ⇝sea ε ◁ K. Immediate because the context does not change and the environment is empty both before and after the transition.
• e ◁ K⟨⟨·⟩[x←b]⟩ ⇝sea e[x←b] ◁ K where b is a variable or an application. Every abstraction in e_K is also in e_{K⟨⟨·⟩[x←b]⟩} =L.G. [x←b]e_K. Therefore the property holds by i.h.
• e ◁ K⟨⟨·⟩[x←v]⟩ ⇝gc e ◁ K with x ∉ fv(e). Every abstraction in e_K is also in e_{K⟨⟨·⟩[x←v]⟩} =L.G. [x←v]e_K. Therefore the property holds by i.h.
• e ◁ K⟨e′[x←λy.⟨·⟩]⟩ ⇝sea e′[x←λy.e] ◁ K. Trivial because e_{K⟨e′[x←λy.⟨·⟩]⟩} =L.G. e_K.
• e ◁ K⟨⟨·⟩[x←λy.e′]⟩ ⇝sea e′ ▷ K⟨e[x←λy.⟨·⟩]⟩ with x ∈ fv(e). Every abstraction in e′ or in e_{K⟨e[x←λy.⟨·⟩]⟩} =L.G. e_K is also in e_{K⟨⟨·⟩[x←λy.e′]⟩} =L.G. [x←λy.e′]e_K. Therefore the property holds by i.h. ∎

A. Number of overhead transitions
The aim of this sub-section is to provide a bound on the number of machine steps as a function of the number of β-steps, i.e. Corollary XI.5 (proved in Corollary I.7). The result is obtained as a corollary of Lemma XI.3 (proved in Lemma I.4) and Lemma XI.4 (proved in Lemma I.6).

We estimate the number of overhead transitions in a modular way: first bounding those in all strong phases, then those in the open phases.

The number of transitions of strong phases is bounded by the number of transitions of open phases: we provide a global analysis in the following lemma.

Lemma I.4 (Open phases bound strong phases). (See p. 14, Lemma XI.3.) Let ρ : s₀ ⇝* s be an execution of the SCAM. Then:
$$|\rho|_{sea} + |\rho|_{sea} + |\rho|_{gc} + |\rho|_{sea} + |\rho|_{sea} \le |\rho|_{\beta_i} + 4|\rho|_{sea} + 1.$$

Proof. The statement is a consequence of the following inequalities:
• |ρ|sea ≤ |ρ|sea + 1 because only sea switches the phase to ▷ (plus 1 because the initial state is in the ▷ phase).
• |ρ|sea + |ρ|gc ≤ |ρ|βi + |ρ|sea because sea and gc pop entries of the form [x←b] from the machine environment, which are pushed only by βi and sea.
• |ρ|sea ≤ |ρ|sea because sea pops entries of the form [x←λy.⟨·⟩] from the machine environment, which are pushed only by sea.
• |ρ|sea ≤ |ρ|sea because sea pops entries of the form [x←λy.e′] from the machine environment, which are pushed only by sea. ∎

To bound the number of overhead transitions of open phases, we introduce a new measure ‖·‖ over machine states:
$$\begin{array}{lll}
\textsc{Environments} & |\varepsilon| := 0 & |e[x{\leftarrow}b]| := 1 + |e| + |b| \\
\textsc{Contexts} & \|\langle\cdot\rangle\| := 0 & \|e[x{\leftarrow}\lambda y.K]\| := \|K\| \qquad \|K[x{\leftarrow}b]\| := \|K\| + |b| \\
\textsc{States} & \|e \triangleright K\| := |e| + \|K\| & \|e \triangleleft K\| := \|K\|
\end{array}$$

Note: the measure ‖·‖ completely ignores the environment e on the left of the cursor during the strong phase (case ‖e ◁ K‖). In fact, that environment has already been fully evaluated, and thus it should not contribute in any way. The environment e in ‖e ▷ K‖, instead, contributes with its size: in this way, the measure strictly decreases after an open overhead transition, since ⇝ren and sea pop an entry from the environment on the left of the cursor.

First, we prove a couple of trivial properties of the measure, that will be used repeatedly in the proof of Lemma I.6.

Lemma I.5 (Properties of ‖·‖). For all contexts K, K′:
1) ‖K⟨K′⟩‖ = ‖K‖ + ‖K′‖
2) ‖K⟨⟨·⟩[x←b]⟩‖ = ‖K‖ + |b|

Proof.
1) By induction on the structure of K:
  • Case ⟨·⟩: trivial.
  • Case K″[x←b]: ‖K″[x←b]⟨K′⟩‖ = ‖K″⟨K′⟩[x←b]‖ = ‖K″⟨K′⟩‖ + |b| =i.h. ‖K″‖ + ‖K′‖ + |b| = ‖K″[x←b]‖ + ‖K′‖.
  • Case e[x←λy.K″]: ‖e[x←λy.K″]⟨K′⟩‖ = ‖e[x←λy.K″⟨K′⟩]‖ = ‖K″⟨K′⟩‖ =i.h. ‖K″‖ + ‖K′‖ = ‖e[x←λy.K″]‖ + ‖K′‖.
2) ‖K⟨⟨·⟩[x←b]⟩‖ =P.1 ‖K‖ + ‖⟨·⟩[x←b]‖ = ‖K‖ + |b|. ∎

Lemma I.6 (Measure during execution). (See p. 14, Lemma XI.4.)
Let s be a state reachable from s₀, and s ⇝a s′.
• Beta transitions increase the measure: if a ∈ {βλ, βi} then ‖s′‖ ≤ ‖s‖ + ‖s₀‖.
• Open overhead decreases the measure: if a ∈ {ren, sea} then ‖s′‖ < ‖s‖.
• Strong phase does not increase the measure: if a ∈ {sea, sea, gc, sea, sea} then ‖s′‖ ≤ ‖s‖.

Proof. We proceed by cases on the transition a:
• Case βλ: e[x←yz] ▷ K ⇝βv e([x←b]e′{w←z}) ▷ K where e_K(y) = v and v^α = λw.[⋆←b]e′. First of all, note that by the size invariant:
$$|[\star{\leftarrow}b]e'| < |\lambda w.[\star{\leftarrow}b]e'| = |v^{\alpha}| =_{\text{L.I.}} |v| \le_{\text{T.I.}} \|s_0\|$$
Then:
$$\begin{aligned}
\|e([x{\leftarrow}b]e'\{w{\leftarrow}z\}) \triangleright K\| &= |e([x{\leftarrow}b]e'\{w{\leftarrow}z\})| + \|K\| =_{\text{L.I.}} |e| + |[x{\leftarrow}b]e'\{w{\leftarrow}z\}| + \|K\| \\
&=_{\text{L.I.}} |e| + |[x{\leftarrow}b]e'| + \|K\| =_{\text{L.I.}} |e| + |[\star{\leftarrow}b]e'| + \|K\| \\
&\le |e| + \|s_0\| + \|K\| < |e[x{\leftarrow}yz]| + \|K\| + \|s_0\| = \|e[x{\leftarrow}yz] \triangleright K\| + \|s_0\|
\end{aligned}$$
• Case βi: e[x←yz] ▷ K ⇝βi e[x←b]e′ ▷ K⟨⟨·⟩[w←z]⟩ where e_K(y) = v and v^α = λw.[⋆←b]e′. Then:
$$\begin{aligned}
\|e[x{\leftarrow}b]e' \triangleright K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle\| &= |e[x{\leftarrow}b]e'| + \|K\langle\langle\cdot\rangle[w{\leftarrow}z]\rangle\| =_{\text{L.I.}} |e[x{\leftarrow}b]e'| + \|K\| \\
&=_{\text{L.I.}} |e| + |[x{\leftarrow}b]e'| + \|K\| =_{\text{L.I.}} |e| + |[\star{\leftarrow}b]e'| + \|K\| \\
&\le |e| + \|s_0\| + \|K\| < |e[x{\leftarrow}yz]| + \|K\| + \|s_0\| = \|e[x{\leftarrow}yz] \triangleright K\| + \|s_0\|
\end{aligned}$$
• Case ⇝ren: e[x←y] ▷ K ⇝ren e{x←y} ▷ K where x ≠ ⋆. Then
$$\|e\{x{\leftarrow}y\} \triangleright K\| = |e\{x{\leftarrow}y\}| + \|K\| =_{\text{L.I.}} |e| + \|K\| < |e[x{\leftarrow}y]| + \|K\| = \|e[x{\leftarrow}y] \triangleright K\|$$
• Case sea: e[x←b] ▷ K ⇝sea e ▷ K⟨⟨·⟩[x←b]⟩. Then
$$\|e \triangleright K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle\| = |e| + \|K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle\| =_{\text{L.I.}} |e| + \|K\| + |b| < 1 + |e| + |b| + \|K\| = |e[x{\leftarrow}b]| + \|K\| = \|e[x{\leftarrow}b] \triangleright K\|$$
• Case sea: ε ▷ K ⇝sea ε ◁ K. Then
$$\|\varepsilon \triangleleft K\| = \|K\| = \|\varepsilon \triangleright K\|$$
• Case sea: e ◁ K⟨⟨·⟩[x←b]⟩ ⇝sea e[x←b] ◁ K. Then
$$\|e[x{\leftarrow}b] \triangleleft K\| = \|K\| < \|K\| + |b| =_{\text{L.I.}} \|K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle\| = \|e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}b]\rangle\|$$
• Case gc: e ◁ K⟨⟨·⟩[x←v]⟩ ⇝gc e ◁ K. Then
$$\|e \triangleleft K\| = \|K\| < \|K\| + |v| =_{\text{L.I.}} \|K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle\| = \|e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}v]\rangle\|$$
• Case sea: e ◁ K⟨e′[x←λy.⟨·⟩]⟩ ⇝sea e′[x←λy.e] ◁ K. Then
$$\|e'[x{\leftarrow}\lambda y.e] \triangleleft K\| = \|K\| = \|K\| + \|e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\| =_{\text{L.I.}} \|K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle\| = \|e \triangleleft K\langle e'[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle\|$$
• Case sea: e ◁ K⟨⟨·⟩[x←λy.e′]⟩ ⇝sea e′ ▷ K⟨e[x←λy.⟨·⟩]⟩. Then
$$\begin{aligned}
\|e' \triangleright K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle\| &= |e'| + \|K\langle e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\rangle\| =_{\text{L.I.}} |e'| + \|K\| + \|e[x{\leftarrow}\lambda y.\langle\cdot\rangle]\| = |e'| + \|K\| \\
&< \|K\| + |\lambda y.e'| =_{\text{L.I.}} \|K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle\| = \|e \triangleleft K\langle\langle\cdot\rangle[x{\leftarrow}\lambda y.e']\rangle\|
\end{aligned}$$
∎

As a consequence of the two previous lemmas, we obtain the following combined bound on the number of machine transitions:
Corollary I.7 (Bi-linear number of overhead transitions). (See p. 15, Cor. XI.5.) Let t be a λ-term and ρ : t° ⇝*SCAM s a SCAM execution. Then |ρ| ∈ O((1 + |ρ|β) · |t|).

Proof. Let $s_0 := \underline{t} \triangleright \langle\cdot\rangle$. Then $\|s_0\| = |\underline{t}|$, and by Lemma XI.1 $\|s_0\| \in O(|t|)$. To prove the required statement, it suffices to show that overhead transitions are bilinear, i.e. that:
$$|\rho|_{ren} + |\rho|_{sea} + |\rho|_{sea} + |\rho|_{sea} + |\rho|_{gc} + |\rho|_{sea} + |\rho|_{sea} \in O((1 + |\rho|_{\beta}) \cdot |t|).$$
Note that Lemma I.6 implies that $\|s\| \le \|s_0\| + |\rho|_{\beta} \cdot |\underline{t}| - |\rho|_{ren} - |\rho|_{sea}$. Since $\|s_0\| = |\underline{t}|$ and $\|s\| \ge 0$, we obtain $|\rho|_{ren} + |\rho|_{sea} \le (1 + |\rho|_{\beta}) \cdot |\underline{t}|$, i.e. the number of ren and sea transitions is bilinear. To bound the number of the remaining overhead transitions, just use Lemma I.4. ∎

B. Bi-linearity of the SCAM

In this subsection, we formalize the arguments in the paper about the cost of implementing SCAM execution on Random Access Machines. We proceed in the following way:
1) we prove in Lemma I.8 that all machine steps but garbage collection run in bi-linear time,
2) we derive in Cor. I.9 that the space consumption of the machine is also bi-linear,
3) we conclude noting that garbage collection, which runs in time proportional to the amount of space to be freed, is also bi-linear and therefore the SCAM runs in bi-linear time (Cor. I.10, which proves Thm. XI.6).

Lemma I.8 (The SCAM without garbage-collection is bilinear). For any λ-term t and any SCAM execution ρ : t° ▷ ⇝*SCAM e ◁ ⟨·⟩, the cost of implementing ρ on a RAM, excluding the cost of ⇝gc steps, is O((1 + |ρ|β)|t|).

Proof. Consider that:
• each →xf step costs O(|t|) because, by Thm. I.3, the actual representation that encodes the value to be copied and renamed has size O(|t|). There are |ρ|β such steps.
• each overhead step except ⇝gc costs O(1) and there are O((1 + |ρ|β)|t|) such steps by Corollary XI.5.
Adding all the costs together yields the expected bound. ∎

Corollary I.9 (Cost of ⇝gc steps). A RAM running in O((1 + |ρ|β)|t|) cannot create more than O((1 + |ρ|β)|t|) new constructors. Since the number of initial nodes is also O(|t|), garbage-collection cannot recover more than O((1 + |ρ|β)|t|) constructors and thus the overall cost of garbage-collection is also O((1 + |ρ|β)|t|).

Corollary I.10 (The SCAM is bilinear). (See p. 15, Thm. XI.6.) Let t be a λ-term and ρ : t° ⇝*SCAM s a SCAM execution. Then ρ can be implemented on a RAM in O((1 + |ρ|β)|t|) time.

Proof. Immediate by Lemma I.8 and Corollary I.9. ∎

APPENDIX J: IMPLEMENTATION IN OCAML
We describe now an implementation of the SCAM in OCaml, which can be downloaded at https://tinyurl.com/y5remxo8. The code is meant to demonstrate concretely that every machine transition can be implemented in O(1). Moreover we tried very hard to minimize the memory footprint, avoiding doubly-linked data structures almost everywhere.

The implementation is also useful to experiment with ideas and variations and to trace execution on interesting terms. The code is not meant instead to be tested via benchmarks, to compare the implementation with other ones: it heavily employs mutation, which is costly in OCaml because of the write barrier of the garbage collector. Moreover OCaml is garbage collected, but our machine already takes care of garbage collecting. Therefore, for the sake of comparing with other implementations, the code should be rewritten in a low-level language like C.

The code is attached to the submission. It is self-contained and it implements a parser for pure terms, the crumbling translation, and the SCAM itself. It is also possible to compile the code to JavaScript and run it in a browser. In this case the user can write down a term to be reduced in the browser and look at every intermediate machine state.

The code snippets that we show in this section have been obtained by removing from the submitted code the pretty-printing statements used only to show how the machine runs.

A. Preliminaries: machine moves and zippers

The SCAM works on a graph of memory cells that encodes machine states. It crawls the graph looking for the next redex, which is reduced by performing local graph modifications only. To reach the next redex, the machine moves in two different directions:
1) bi-directional horizontal visits of environments: the machine alternates left-to-right (in the open phase) and right-to-left (in the strong phase) walks on environments. Note that, because of sharing, environments are not simply lists but DAG structures.
2) bi-directional vertical visits of abstractions: switching from an open phase to a strong one is done when entering the body of an abstraction, itself an environment, and the opposite switch requires exiting the abstraction.
As we recall next, the space-conscious way of visiting a list bidirectionally is using a zipper, rather than doubly linking the list; the technique also smoothly scales up to trees. Our implementation uses the same principle, except that we have to deal with a rich graph structure (an enriched DAG), not just lists or trees.

Fig. 4: Example of a crumbled environment as a graph: [⋆←yx][x←λz.[⋆←wd][w←λv.[⋆←aa][a←vv]][d←zz]][e←yf]

1) Zippers: In functional programming, imperative data structures equipped with a cursor, such that the only modifications can happen locally where the cursor is placed, are effectively replaced by zipper-like data structures [50].

The zipper, the first zipper-like data structure ever discovered, represents a list and a cursor into it with two lists, actually two stacks: the first one is the tail of the list, i.e. the suffix of the list that starts at the cursor; the second one is the prefix of the list already traversed, with all pointers reversed to obtain again a list. Moving the cursor one position to the right or to the left, for example, just corresponds to popping the head of one list and pushing it on top of the other. Inserting an element where the cursor is corresponds to pushing an element on top of the suffix list, etc.

The zipper is interesting also in an imperative setting because it provides in O(1) most operations normally implemented using bi-directional lists, but it uses the same amount of space as a normal list (plus one additional pointer).

Zipper-like data structures can be obtained for all kinds of algebraic data types via formal derivation [49]. In particular, it is easy to obtain a zipper-like data structure for trees. The idea behind the zipper is simple: every time a pointer is traversed, it is also reversed, and the entry-point into the data structure becomes a tuple of forward pointers (to proceed in the visit) and backward pointers (to go back).

B. Data structures
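As an added illustration (not code from the submitted implementation), the crumbling translation as it is spelled out case by case in the proof of Lemma I.1, together with the size measures that proof relies on, so that the bound |t̲| ≤ 2|t| can be checked on a concrete term. Constructor and function names are ours, ⋆ is spelled "*", and the bite sizes |x| = |yz| = 1 and |λx.e| = 1 + |e| are read off the arithmetic of that proof rather than from a definition on this page.

```ocaml
(* Added example, not the paper's code: crumbling translation and sizes. *)

type term =
  | V of string             (* variable x *)
  | L of string * term      (* abstraction λx.u *)
  | A of term * term        (* application u p *)

type bite =
  | BVar of string          (* variable bite x *)
  | BLam of string * env    (* abstraction λx.e with a crumbled body e *)
  | BApp of string * string (* application of two variables x y *)
and env = (string * bite) list   (* crumbled environment, left to right *)

let star = "*"   (* the distinguished variable ⋆ *)

(* Fresh variables z for the auxiliary translation.
   Assumption: source variables never start with "_z". *)
let counter = ref 0
let fresh () = incr counter; Printf.sprintf "_z%d" !counter

(* Main translation t̲ and auxiliary translation (x, e) := t̲,
   following the three cases of the proof of Lemma I.1. *)
let rec crumble (t : term) : env =
  match t with
  | V x -> [ (star, BVar x) ]                      (* [⋆←x] *)
  | L (x, u) -> [ (star, BLam (x, crumble u)) ]    (* [⋆←λx.u̲] *)
  | A (u, p) ->                                    (* [⋆←xy] e e' *)
      let x, e = aux u in
      let y, e' = aux p in
      (star, BApp (x, y)) :: e @ e'
and aux (t : term) : string * env =
  match t with
  | V x -> (x, [])                                 (* (x, ε) *)
  | L (x, u) ->                                    (* (z, [z←λx.u̲]) *)
      let z = fresh () in
      (z, [ (z, BLam (x, crumble u)) ])
  | A (u, p) ->                                    (* (z, [z←xy] e e') *)
      let x, e = aux u in
      let y, e' = aux p in
      let z = fresh () in
      (z, (z, BApp (x, y)) :: e @ e')

(* |x| = 1, |λx.u| = 1 + |u|, |up| = 1 + |u| + |p|, as used in the proof. *)
let rec size_term = function
  | V _ -> 1
  | L (_, u) -> 1 + size_term u
  | A (u, p) -> 1 + size_term u + size_term p

(* |ε| = 0 and |e[x←b]| = 1 + |e| + |b| (Appendix I); bite sizes are the
   assumption stated in the lead-in. *)
let rec size_env (e : env) : int =
  List.fold_left (fun acc (_, b) -> acc + 1 + size_bite b) 0 e
and size_bite = function
  | BVar _ | BApp _ -> 1
  | BLam (_, e) -> 1 + size_env e

(* The statement of Lemma I.1 on one term. *)
let within_bound (t : term) : bool = size_env (crumble t) <= 2 * size_term t

let rec show_env (e : env) : string =
  String.concat ""
    (List.map (fun (x, b) -> Printf.sprintf "[%s←%s]" x (show_bite b)) e)
and show_bite = function
  | BVar x -> x
  | BApp (x, y) -> x ^ " " ^ y
  | BLam (x, e) -> Printf.sprintf "λ%s.%s" x (show_env e)

(* (λx.xx)(λy.y): |t| = 7, |t̲| = 10 ≤ 14. *)
let () =
  let t = A (L ("x", A (V "x", V "x")), L ("y", V "y")) in
  let e = crumble t in
  Printf.printf "%s\n|t| = %d, |crumbled t| = %d, bound holds: %b\n"
    (show_env e) (size_term t) (size_env e) (within_bound t)
```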
We discuss now all the data structures used for the implementation, shown in Table I.
1) Bites and crumbled environments:
An example of the representation in memory of a crumbled environment is given in Figure 4. The type of bites is bite. A bite is either an occurrence of a variable, an abstraction or an application. Free variables and variables bound by abstractions are encoded by Var cells. A Var holds a name (an integer), used only for pretty-printing purposes. Variables bound in the context are encoded by Shared cells, which hold (mutable) pointers to elements of the exp_subst datatype, which encodes explicit substitutions. We shall come back soon to the details of exp_subst. Application cells App just hold two pointers to the two arguments.

Abstraction cells Lam hold a pointer to the bound variable and a (mutable) value of type body_or_container, which encodes the two possible forms of an abstraction in our zipper-like data structure: when the body of the abstraction is not being visited, the abstraction holds a pointer to its body, which is an environment encoded as a pointer to its rightmost explicit substitution. When the body is being visited, instead, the abstraction points back to its innermost enclosing abstraction, if it exists. To identify the enclosing abstraction, however, a single pointer to the bite is not sufficient to resume the visit later; instead we identify the enclosing abstraction (which is always the definiens of an explicit substitution) by pointing to its explicit substitution via a zipper over the environment the explicit substitution belongs to. We use the Body constructor to label the pointer to the body and the Container constructor to label the optional zipper pointing to the enclosing abstraction.

TABLE I: Data structures

    type var = { name : int }
    type exp_subst =
      { mutable content : bite;
        mutable copying : bool;
        mutable prev : exp_subst option;
        mutable rc : int;
        mutable occurs : bite option }
    and environment = exp_subst
    and revenvironment = exp_subst
    and body_or_container =
      | Body of environment
      | Container of zipper option
    and bite =
      | Var of var
      | Lam of { v : var; mutable b : body_or_container }
      | App of bite * bite
      | Shared of { mutable c : exp_subst }
    and zipper = environment option * revenvironment option

Fig. 5: Example of a machine state as a graph: [⋆←aa] ▹ [⋆←yx][x←λz.[⋆←wd][w←λv.⟨·⟩[a←vv]][d←zz]][e←yf]

The datatype zipper represents standard zippers over environments, which are lists. It is defined as a pair made of an environment, of type environment, and an environment where all pointers are reversed, of type revenvironment. Both environments are identified by the first explicit substitution of the list.

Explicit substitutions are represented by records of type exp_subst made of several mutable fields:
• content, a bite: it is the bite b of the ES [x←b]. The variable x, instead, is unnamed and identified with the memory location of the cell. (We write (in green) the name x in the example graphs of this section for legibility purposes only, even if the name is lost in the implementation.)
• copying is a boolean used to implement the linear graph-copying algorithm described in [48], which implements the α-renaming in the β-transitions of the SCAM. The algorithm is the same used in mark&sweep garbage collectors to copy a graph of linked cells to a new memory region without losing sharing. Normally, the boolean is set to false. It temporarily becomes true during the copy when the cell has already been copied and therefore pointers to the cell are to be forwarded to the copy.
• prev, another optional explicit substitution, is the next substitution in the environment containing the explicit substitution. Therefore an environment is represented as in C lists, by cells pointing to the next cell, or to None if the cell is the last one of the list.
• rc, for reference counter, an integer holding the number of occurrences in the graph of the variable bound by the explicit substitution. When it becomes zero the explicit substitution can be garbage collected.
• occurs, an optional bite: roughly, it indicates whether the variable bound by the ES has been introduced by the crumbling transformation. More precisely, variables generated during crumbling occur exactly once; later, when rule ⇝ren is fired, a machine invariant (see Lemma F.1) guarantees that the variable still occurs at most once. The occurs field, if set and if the explicit substitution is part of a pristine environment, points to the unique occurrence and is used to implement rule ⇝ren in O(1). This is the only pointer that violates the acyclicity of the graph of memory cells.

TABLE II: Garbage collection

    let rec gc {prev=p;content=c;_} =
      Option.iter gc p;
      gc_bite c
    and gc_bite = function
      | Var _ -> ()
      | Shared {c=v} -> v.rc <- v.rc - 1
      | App(t1,t2) -> gc_bite t1; gc_bite t2
      | Lam{b=Body e;_} -> gc e
      | Lam{b=Container _;_} -> assert false
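As an added example (not the paper's code), the following OCaml program keeps the reference-counting discipline of exp_subst in a cut-down representation and runs the gc traversal of Table II on it. The names (the legibility-only name field, body in place of body_or_container, occ, cells, occurrences, rc_consistent, collectable, collect_es) and the sample environment [⋆←yy][x←λz.[⋆←zz]][u←λq.[⋆←xx]][y←λw.[⋆←w]] are constructed here. The checker rc_consistent verifies the invariant the ⇝gc rule relies on, namely that every rc equals the number of Shared occurrences still in the graph: in the C variant that frees cells during the recursion, a counter that is too low would free a cell that is still pointed to, so such a check is worth keeping in the tests of any port.

```ocaml
(* Added example (not the paper's code): reference counters on ES cells,
   the gc traversal of Table II, an invariant checker, and one simulated
   ⇝gc step on a constructed environment. *)

type exp_subst =
  { name : string;                         (* legibility only; the paper's cells are unnamed *)
    mutable content : bite;
    mutable prev : exp_subst option;       (* next ES to the left, None at the leftmost one *)
    mutable rc : int }                     (* number of Shared occurrences of this variable *)
and bite =
  | Var of string                          (* free or abstraction-bound variable *)
  | Lam of { v : string; mutable body : exp_subst option }  (* None while the body is under visit *)
  | App of bite * bite
  | Shared of { mutable c : exp_subst }    (* occurrence of an ES-bound variable *)

let mk_es name content prev = { name; content; prev; rc = 0 }

(* Every occurrence is created through [occ], so counters are exact by construction. *)
let occ es = es.rc <- es.rc + 1; Shared { c = es }

(* The gc traversal: release every occurrence reachable from the cell and its predecessors. *)
let rec gc es =
  Option.iter gc es.prev;
  gc_bite es.content
and gc_bite = function
  | Var _ -> ()
  | Shared { c } -> c.rc <- c.rc - 1
  | App (t1, t2) -> gc_bite t1; gc_bite t2
  | Lam { body = Some e; _ } -> gc e
  | Lam { body = None; _ } -> invalid_arg "gc: abstraction body under visit"

(* All ES cells of an environment, including those nested in abstraction bodies. *)
let rec cells es =
  es :: cells_bite es.content @ (match es.prev with None -> [] | Some p -> cells p)
and cells_bite = function
  | Var _ | Shared _ -> []
  | App (t1, t2) -> cells_bite t1 @ cells_bite t2
  | Lam { body = Some e; _ } -> cells e
  | Lam { body = None; _ } -> []

(* Number of Shared occurrences of [target] (physical identity) reachable from [es]. *)
let rec occurrences target es =
  occurrences_bite target es.content
  + (match es.prev with None -> 0 | Some p -> occurrences target p)
and occurrences_bite target = function
  | Var _ -> 0
  | Shared { c } -> if c == target then 1 else 0
  | App (t1, t2) -> occurrences_bite target t1 + occurrences_bite target t2
  | Lam { body = Some e; _ } -> occurrences target e
  | Lam { body = None; _ } -> 0

(* Invariant: each counter equals the number of occurrences still in the graph. *)
let rc_consistent env = List.for_all (fun c -> c.rc = occurrences c env) (cells env)

(* Abstractions whose variable no longer occurs: the cells the ⇝gc rule may collect. *)
let collectable env =
  List.filter_map
    (fun c -> match c.content with Lam _ when c.rc = 0 -> Some c.name | _ -> None)
    (cells env)

(* Constructed environment [⋆←yy][x←λz.[⋆←zz]][u←λq.[⋆←xx]][y←λw.[⋆←w]],
   identified by its rightmost cell y.  Counters: x = 2, u = 0, y = 2. *)
let build () =
  let x = mk_es "x" (Lam { v = "z"; body = Some (mk_es "*" (App (Var "z", Var "z")) None) }) None in
  let u = mk_es "u" (Lam { v = "q"; body = Some (mk_es "*" (App (occ x, occ x)) None) }) (Some x) in
  let y = mk_es "y" (Lam { v = "w"; body = Some (mk_es "*" (Var "w") None) }) (Some u) in
  let star = mk_es "*" (App (occ y, occ y)) None in
  x.prev <- Some star;
  (x, u, y)

(* One ⇝gc step on [dead], whose right neighbour is [right]: release the
   occurrences held by its body, then unlink the cell from the prev chain. *)
let collect_es dead right =
  (match dead.content with
   | Lam { body = Some e; _ } -> gc e
   | b -> gc_bite b);
  right.prev <- dead.prev

let demo () =
  let x, u, y = build () in
  let ok0 = rc_consistent y and c0 = collectable y in
  collect_es u y;
  let ok1 = rc_consistent y and c1 = collectable y in
  (ok0, c0, ok1, c1, x.rc)

let () =
  let ok0, c0, ok1, c1, rc_x = demo () in
  Printf.printf "before: consistent=%b collectable=[%s]\nafter: consistent=%b collectable=[%s] rc(x)=%d\n"
    ok0 (String.concat ";" c0) ok1 (String.concat ";" c1) rc_x
```

demo () reports that the invariant holds, that u (never used, rc = 0) is the only collectable abstraction, and that after its ⇝gc step the two occurrences of x inside u's body are released, leaving x.rc = 0 and making x collectable in turn, with the invariant still holding afterwards.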
2) Contexts and states:
We recall here the definition of machine contexts and machine states:

    Machine contexts   K ::= ⟨·⟩e′ | e[x←λy.K]e′
    States             s ::= e ◃ K | e ▹ K

A machine state is of the form e ◃ K or e ▹ K, where e is a crumbled environment, K is a machine context, and together they identify a precise position in the crumbled environment K⟨e⟩. Observe that K⟨e⟩ can be uniquely rewritten as K⟨ee′⟩ where K is either ⟨·⟩ or it has the form K′⟨e[x←λy.⟨·⟩]e⟩. Therefore, to identify the position, it is sufficient to use a zipper for environments to encode ee′ and a second optional zipper for environments to identify [x←λy.⟨·⟩] inside e[x←λy.⟨·⟩]e. We already took care of identifying e[x←λy.⟨·⟩]e inside K′⟨e[x←λy.⟨·⟩]e⟩ by making the traversed abstraction λy.⟨·⟩ point back, via another optional zipper, to its innermost enclosing abstraction.

Figure 5 shows the OCaml representation of a machine state e ▹ K such that K⟨e⟩ is identical to the crumbled environment of Figure 4. The root of the graph is the pair of zippers just discussed. Dotted blue lines represent prev arcs that have been reversed or arcs used to make abstractions point to the innermost enclosing abstraction.

To summarize so far, the number of memory cells used to represent a machine state is linear in the number of cells used to represent a crumbled environment: for each traversed abstraction we added a new cell holding the two pointers of a zipper.

C. Machine moves and garbage collection
This section ends with the code of the right-to-left and left-to-right evaluation phases. The code also depends on two additional functions: gc, shown in Table II, which garbage collects the term, and copy_env, which creates in linear time an α-renamed copy of an environment using a modified mark&sweep algorithm described in [48].

Both evaluation functions take as input the entry point of the graph, i.e. the pair made of the zipper and the optional zipper previously discussed. The call to start evaluation on a crumbled environment e is eval_RL (Some e,None) None, where (Some e, None) is the initial zipper on the unvisited environment e and the second None signifies that no abstraction has been crossed so far.

The two eval functions trivially implement the reduction rules of the machine. The only interesting observations are:
1) eval_RL and eval_LR are mutually recursive functions, as expected.
2) all recursive calls to one of the two eval functions are in tail position and therefore evaluating them has no additional cost in space.
3) the calls to the two auxiliary functions gc and copy_env are not in tail position. These functions, moreover, have complexity linear in the size of their input, both in space and in time.
4) all other operations except the calls to gc and copy_env have constant complexity, as expected: they just increment/decrement numbers, read or assign pointers, pattern-match and build algebraic data types, and test pointer equalities.

The gc function written in OCaml is a bit weird: since OCaml has automatic garbage collection, gc just needs to traverse the data structure to decrement all the reference counters. Then the implementation of the ⇝gc rule simply stops referencing the explicit substitutions to be garbage collected, which leaves their reclamation to the garbage collector of OCaml. An implementation in C would just free all cells during the recursion.
    let rec eval_RL ((n,z) as zip : zipper) (k : zipper option) =
      match n with
      | None ->
         (* ⇝sea *)
         eval_LR (None,z) k
      | Some n ->
         match n.content with
         | (App(_,App _) | App(App _,_) | App(_,Lam _) | App(Lam _,_)
           | App(Shared {c={content=Lam{b=Container _;_};_}},_)) -> assert false
         | App(Shared {c={content=Lam{v=y;b=Body e;_};_} as r},
               Shared {c={content=Lam _;_} as y'}) ->
            (* ⇝βv *)
            r.rc <- r.rc - 1;
            y'.rc <- y'.rc - 1;
            let e' = copy_env y y' n e in
            eval_RL (Some e',z) k
         | App(Shared {c={content=Lam{v=y;b=Body e;_};_} as r}, t) ->
            (* ⇝βi *)
            r.rc <- r.rc - 1;
            let y' = mk_exp_subst t in
            let e' = copy_env y y' n e in
            y'.prev <- z;
            eval_RL (Some e',Some y') k
         | Shared {c={content=(Shared _ | Var _);_} as c} when n.prev <> None ->
            (* ⇝ren *)
            (match n.occurs with
             | Some (Shared r as o) ->
                c.occurs <- Some o;
                r.c <- c;
                eval_RL (n.prev,z) k
             | _ -> assert false)
         | (Lam _ | Var _ | App(Var _,_) | Shared _ | App(Shared _,_)) ->
            (* ⇝sea *)
            let p = n.prev in
            n.prev <- z;
            eval_RL (p,Some n) k

    and eval_LR ((n,z) as zip : zipper) (k : zipper option) =
      match z,k with
      | None,None ->
         (* normal form reached! *)
         n
      | None,Some (n',Some ({prev=z'';content=Lam({b=Container k';_} as r);_} as z')) ->
         (* ⇝sea *)
         r.b <- Body (match n with None -> assert false | Some n -> n);
         z'.prev <- n';
         eval_LR (Some z',z'') k'
      | None,Some _ -> assert false
      | Some ({prev=p;rc;_} as zz),_ ->
         match zz.content with
         | Lam {b=Body e;_} when rc = 0 ->
            (* ⇝gc *)
            gc e;
            eval_LR (n,p) k
         | Lam ({b=Body e;_} as r) ->
            (* ⇝sea *)
            r.b <- Container k;
            eval_RL (Some e,None) (Some (n,z))
         | Lam {b=Container _;_} -> assert false
         | (Var _ | Shared _ | App _) ->
            (* ⇝sea *)
            zz.prev <- n;
            eval_LR (Some zz,p) k

APPENDIX K: PROOFS OF SECTION XII (IMPLOSIVENESS AT WORK)

Proposition K.1 (Implosive family). [See p. 15, Prop. XII.1]
Let t_n and u_n be as in Section XII.
1) External strategy (exponentially many steps): t_n (→xm →xe)^{2^n − 1} u_n, and u_n is a strong fireball.
2) SCAM implosion (linearly many steps): ρ_n : t_n° ⇝*_SCAM s_n with s_n^→ = u_n and |ρ_n|_β = n.

Proof.
1) By induction on n.
• Case n = 1: t_1 = πI = (λx.λy.((yx)x)) I →xm λy.((yx)x)[x←I] →xe λy.((yI)I) = u_1, and u_1 is evidently a strong fireball.
• Case n + 1: t_{n+1} = π(λz.t_n) = (λx.λy.((yx)x))(λz.t_n) →xm (λy.((yx)x))[x←λz.t_n] →xe λy.((y(λz.t_n))(λz.t_n)). By i.h., t_n (→xm →xe)^{2^n − 1} u_n, and the two copies of t_n in λy.((y(λz.t_n))(λz.t_n)) are inside an external evaluation context. Then λy.((y(λz.t_n))(λz.t_n)) (→xm →xe)^{2^n − 1} λy.((y(λz.u_n))(λz.t_n)) (→xm →xe)^{2^n − 1} λy.((y(λz.u_n))(λz.u_n)) = u_{n+1}. The number of →xm →xe double steps is 1 + (2^n − 1) + (2^n − 1) = 2^{n+1} − 1. By i.h., u_n is a strong fireball and so u_{n+1} is a strong fireball.
2) We sketch the idea. The crumbling of t_{n+1} is:

    [⋆←wz′][w←λx.λy.((yx)x)][z′←λz.t_n]

Thus the machine does:

    [⋆←wz′][w←λx.λy.((yx)x)][z′←λz.t_n] ◃ ⟨·⟩
    ⇝sea  [⋆←wz′][w←λx.λy.((yx)x)] ◃ ⟨·⟩[z′←λz.t_n]
    ⇝sea  [⋆←wz′] ◃ ⟨·⟩[w←λx.λy.((yx)x)][z′←λz.t_n]
    ⇝βv   [⋆←λy′.((y′z′)z′)] ◃ ⟨·⟩[w←λx.λy.((yx)x)][z′←λz.t_n]
    ⇝sea  ◃ ⟨·⟩[⋆←λy′.((y′z′)z′)][w←λx.λy.((yx)x)][z′←λz.t_n]

At this point the machine changes phase and enters λy′. Since the body is normal and the occurrences of z′ appear as arguments, the machine goes through it without performing any β-transition, and thus without copying λz.t_n. Thus the machine reaches the state

    [⋆←λy′.((y′z′)z′)] ▹ ⟨·⟩[w←λx.λy.((yx)x)][z′←λz.t_n]

Next, the machine garbage collects the ES on w and enters λz:

    ⇝gc   [⋆←λy′.((y′z′)z′)] ▹ ⟨·⟩[z′←λz.t_n]
    ⇝sea  t_n ◃ [⋆←λy′.((y′z′)z′)][z′←λz.⟨·⟩]

Note that t_n is closed, so that its execution does not depend on the context [⋆←λy′.((y′z′)z′)][z′←λz.⟨·⟩]. Therefore the machine repeats the same sequence of transitions, which contains only one β-transition, for t_n. Therefore, the machine executes t_{n+1} doing only n + 1 β-transitions. By bilinearity, the whole execution has length O(n + 1).