On the Formalization of λ-Calculus Confluence and Residuals

Beniamino Accattoli, Università di Bologna

λ-calculus

Language: M, N := x | λx.M | MN

Evaluation: (λx.M)N →β M{x:=N}

Aim of the talk: to formalise confluence of →β.
Challenge: to be as faithful as possible to pen-and-paper reasoning.

The Informal Theory

Terms are considered up to α-equivalence, i.e. λx.M =α λy.(M{x:=y}) for y fresh.
Substitution is capture-avoiding: (λx.yx){y:=x} ≠ λx.xx; instead (λx.yx){y:=x} = λz.xz, i.e. it renames bound names to avoid capture of free names.

Formalizing languages with binders

There are 3 main approaches to formalize binders:
1. De Bruijn Indexes: encoding into a language without binders.
2. Nominal Logic: primitive handling of α-equivalence.
3. λ-Trees or Higher-Order Abstract Syntax (HOAS): binders are inherited from the system.

Formalizing languages with binders

De Bruijn indexes: pros: no α-equivalence; cons: unreadable, explicit handling of substitution, lifting of indexes.
Nominal logic: pros: implicit handling of α-equivalence, open terms; cons: explicit handling of substitution.
λ-trees / HOAS: pros: implicit handling of substitution and α-equivalence; cons: no direct access to variables, troubles with open terms.

De Bruijn Indexes

Idea: numbers as implicit pointers to abstractions.
Language: M, N, P := n ∈ ℕ | λ.M | MN
Example: the term λx.((λy.xy)(λz.λy.xy)) is represented as λ(λ21)(λλ31).
Remark: the two occurrences of λy.xy are represented differently.
Substitution needs to lift indexes.
Issue: a new notion of substitution for every language.

λ-trees - HOAS

The proof assistant (PA) has a primitive notion of (typed) λ-term. Binders, variables, and substitution in the PA model those of the language being represented.
Pro: just one substitution for all languages. Con: steeper learning curve for the PA, no access to variables.

λ-trees - HOAS, Example

Syntax for λ-terms in the PA (up to α, β, and η):
  Abstraction: x\ t
  Application: t s

Representation of the λ-calculus:
  Kind tm type.
  Type ap tm -> tm -> tm.
  Type abs (tm -> tm) -> tm.

Representation of λx.xx: abs (x\ (ap x x)).

Representation of β-reduction (λx.M)N →β M{x:=N}:
  Define tobeta : tm -> tm -> prop by tobeta (ap (abs M) N) (M N).
M{x:=N} is simply noted M N, because the PA is up to β.

Closed and Open Terms

Problem: an open term like xy cannot be represented.
Consider the definition of parallel reduction ⇒:
  x ⇒ x
  M ⇒ M'  implies  λx.M ⇒ λx.M'
  M ⇒ M' and N ⇒ N'  imply  MN ⇒ M'N'
  M ⇒ M' and N ⇒ N'  imply  (λx.M)N ⇒ M'{x:=N'}
How to deal with the base case?

Parallel Reduction Without Variables

Reinforce the hypothesis of the cases with binders:
  (∀N. N ⇒ N implies M{x:=N} ⇒ M'{x:=N})  implies  λx.M ⇒ λx.M'
  M ⇒ M' and N ⇒ N'  imply  MN ⇒ M'N'
  (∀N. N ⇒ N implies M{x:=N} ⇒ M'{x:=N}) and P ⇒ P'  imply  (λx.M)P ⇒ M'{x:=P'}

Ok, but not faithful to pen-and-paper reasoning.

Outline

Abella and ∇
Confluence and Parallel Reduction
Representing Residuals
The Cube Property
Variations on a Theme

Abella

Abella is a recent proof assistant, developed by Andrew Gacek. It is based on work of Gacek, Miller, Nadathur, and Tiu. It is maintained by Kaustuv Chaudhuri at INRIA (Parsifal team).
Its features:
λ-trees/HOAS approach;
nominal quantifier ∇, called nabla, handling free variables;
induction and co-induction (not in this talk);
two-level approach (not in this talk).

Clash Between ∀ and λ

The quantifier ∀ is not adequate to reason about binders.
Writing ∀x.∀y.Axy it may be that x = y. In particular ∀x.∀y.Axy ⇒ ∀z.Azz.
Consider ∀y. λx.x ≠ λx.y, which should be provable.
Turning λ into ∀ we obtain ∀y.∀x. x ≠ y, which cannot be provable, otherwise x ≠ x.

Trying to explain ∇

∇ solves this problem. Its proof theory is tricky (and omitted).
Intuition: x is different from y in ∇x.∇y.Axy.
Some properties:
Freshness: ∇x.∇y.Axy ⇏ ∇z.Azz.
Commutes with itself: ∇x.∇y.Axy ⇔ ∇y.∇x.Axy.
∇-weakening: A ⇒ ∇x.A.

Examples

The predicate "M is a term":
  Define is_a_term : tm -> prop by
    nabla x, is_a_term x;
    is_a_term (abs M) := nabla x, is_a_term (M x);
    is_a_term (app M N) := is_a_term M /\ is_a_term N.

The non-equality predicate (omitting symmetric cases):
  Define neq : tm -> tm -> prop by
    nabla x y, neq x y;
    nabla x, neq x (app (M x) (N x));
    nabla x, neq x (abs (M x));
    neq (abs M) (abs N) := nabla x, neq (M x) (N x);
    neq (abs M) (app M1 N1);
    neq (app M1 N1) (app M2 N2) := neq M1 M2;
    neq (app M1 N1) (app M2 N2) := neq N1 N2.

Summing up

HOAS handles α, binders, and capture avoiding substitution. ∇ handles free variables and reasoning on open terms. Abella seems to be the perfect tool for reasoning with binders. Let’s switch to confluence.


Confluence for λ-calculus

A rewriting system (S, →) is confluent when: t →* u1 and t →* u2 imply ∃s s.t. u1 →* s and u2 →* s.

Confluence in general is difficult to prove.

Easy Cases of Confluence

It is easy if the system has the diamond property: t → u1 and t → u2 imply ∃s s.t. u1 → s and u2 → s.

Or if it is strongly normalising (SN) and locally confluent, i.e. t → u1 and t → u2 imply ∃s s.t. u1 →* s and u2 →* s.

λ-Calculus is not an Easy Case.

The diamond property does not hold for the λ-calculus: (λx.xx)(II) →β (II)(II) and (λx.xx)(II) →β (λx.xx)I →β II, but (II)(II) reaches II only in two steps, (II)(II) →β I(II) →β II.

And the λ-calculus is locally confluent but not SN (Ω →β Ω).

Parallel reductions

Confluence for λ-calculus by Tait-Martin-Löf's technique.
Idea: consider parallel reduction ⇒:
  x ⇒ x
  M ⇒ M'  implies  λx.M ⇒ λx.M'
  M ⇒ M' and N ⇒ N'  imply  MN ⇒ M'N'
  M ⇒ M' and N ⇒ N'  imply  (λx.M)N ⇒ M'{x:=N'}
which is s.t.:
1. it has the diamond property, and so it is confluent.
2. ⇒ extends →β: →β ⊆ ⇒ ⊆ →β*.
By (2) we get ⇒* = →β*, and so (1) implies →β is confluent.

Parallel Reduction in Abella

The rules of ⇒:
  x ⇒ x
  M ⇒ M'  implies  λx.M ⇒ λx.M'
  M ⇒ M' and N ⇒ N'  imply  MN ⇒ M'N'
  M ⇒ M' and N ⇒ N'  imply  (λx.M)N ⇒ M'{x:=N'}

In Abella:
  Define pred : tm -> tm -> prop by
    nabla x, pred x x;
    pred (abs T) (abs T') := nabla x, pred (T x) (T' x);
    pred (app T U) (app T' U') := pred T T' /\ pred U U';
    pred (app (abs T) U) (T' U') := nabla x, pred (T x) (T' x) /\ pred U U'.

Proof of the diamond property

Lemma (Substitutivity of ⇒). If M ⇒ M' and N ⇒ N' then M{x:=N} ⇒ M'{x:=N'}.

Proof. By induction on M ⇒ M'.

The formal proof is as it would be on the blackboard:
  Theorem pred_sub : forall M M' N N', nabla x,
    pred (M x) (M' x) -> pred N N' -> pred (M N) (M' N').
  induction on 1. intros. case H1.
    search.                                        % Base case (T x) = x
    search.                                        % Base case (T x) = y
    apply IH to H3 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.

Proof of the diamond property 2

Theorem (Diamond property). M ⇒ N1 and M ⇒ N2 imply ∃P s.t. N1 ⇒ P and N2 ⇒ P.

Proof. By induction on M ⇒ N1 and case analysis of M ⇒ N2.
  Theorem diamond : forall M N1 N2,
    pred M N1 -> pred M N2 -> exists P, pred N1 P /\ pred N2 P.
  induction on 1. intros. case H1.
    case H2. search.
    case H2. apply IH to H3 H4. search.
    case H2. apply IH to H3 H5. apply IH to H4 H6. search.
    case H3. apply IH to H4 H5. apply IH to H7 H6. apply pred_sub to H11 H9. search.
    case H2. case H5. apply IH to H3 H6. apply IH to H4 H7. apply pred_sub to H10 H8. search.
    apply IH to H3 H5. apply IH to H4 H6. apply pred_sub to H9 H7. apply pred_sub to H10 H8. search.

Diamond ⇒ Confluence

The rest of the proof is not very interesting. Confluence of ⇒ follows from the strip lemma: M ⇒ⁿ N1 and M ⇒ N2 imply ∃P s.t. N1 ⇒ P and N2 ⇒ⁿ P, which is a straightforward iteration of the diamond property.
The inclusions →β ⊆ ⇒ ⊆ →β* are routine.

Developments

There are lots of formalised proofs of confluence (at least 12).
Similar to Pfenning's proof in Twelf [CMU Tech Report '92]. But more natural, as Pfenning's uses:
  (∀N. N ⇒ N implies M{x:=N} ⇒ M'{x:=N})  implies  λx.M ⇒ λx.M'
  M ⇒ M' and N ⇒ N'  imply  MN ⇒ M'N'
  (∀N. N ⇒ N implies M{x:=N} ⇒ M'{x:=N}) and P ⇒ P'  imply  (λx.M)P ⇒ M'{x:=P'}

My proof is not the one on Abella's web site. That proof (due to Randy Pollack) has 18 lemmas, mine has 2!

Developments

There is an alternative proof of the diamond property. It uses full developments:
  x° := x
  (λx.M)° := λx.M°
  ((λx.M)N)° := M°{x:=N°}
  (MN)° := M°N°    if M ≠ λx.M'
and it is based on the triangle property: M ⇒ N implies N ⇒ M°, which gives the diamond property with M° as the common reduct: M ⇒ N1 and M ⇒ N2 imply N1 ⇒ M° and N2 ⇒ M°.



A Myth

Let's debunk a myth. Masako Takahashi [Parallel reductions in λ-calculus, I&C '95]:
"To prove the Church-Rosser Theorem for β-reduction it suffices to show the diamond property for ⇒. But we can prove the following stronger statement more easily:"
Then she shows and proves the triangle property. She concludes with:
"The proof is rigorous, direct, and perhaps the shortest among all the known proofs of the theorem."

A Myth

It is not true that using developments is simpler. The proof uses the same induction as the direct proof. It requires the substitutivity lemma anyway (even if Takahashi's proof does not mention it).
Plus the notion of development.


Introducing Residuals

More informative form of diamond property.
Basis of the advanced rewriting theory of λ-calculus.
Semantic content of orthogonal rewrite systems.
Introduced by Church & Rosser, brought to fame by J.-J. Lévy.
Abstract theory in Terese (ch. 8, van Oostrom & de Vrijer).
Rest of the talk: simplification of a formalisation by Huet in Coq (JFP '94) [A., CPP '12].

Residuals

Residuals refine parallel reduction by:
expliciting the set of redexes R reduced in a parallel step, written ⇒[R], and
adding a tracing system for redexes satisfying the parallel moves property: the redexes reduced to close (local) diagrams can be traced back to the starting term:
  t ⇒[P] u1 and t ⇒[R] u2  imply  ∃s, R/P, P/R s.t. u1 ⇒[R/P] s and u2 ⇒[P/R] s.
R/P is the set of redexes which are residuals of R after P.

Examples in λ-calculus

Let I := λx.x.

P/R is the empty set: in (λx.y)(II), let R be the outer redex and P the redex II. Then (λx.y)(II) ⇒[P] (λx.y)I ⇒[R/P] y, and (λx.y)(II) ⇒[R] y ⇒[P/R] y with P/R = ∅ (the argument II is erased).

P/R has more than one element: in (λx.xx)(II), with the same R and P, (λx.xx)(II) ⇒[P] (λx.xx)I ⇒[R/P] II, and (λx.xx)(II) ⇒[R] (II)(II) ⇒[P/R] II, where P/R contains the two copies of II.

Representing sets of redexes

Main issue with residuals: clear idea, less clear formalisation.
A set of redexes R of a term t is a decoration of t, where the redexes in R have been underlined:
  R, P, S ::= x | λx.R | RP | (λx.R)P    (the last production is the underlined, i.e. marked, redex)
Example: the four possible sets of redexes of (λx.(II))I are the four subsets of its two redexes, the outer one and II.

Simplification: redexes, and not applications, are marked. Consequence: no notion of well-formed term is required (called regular terms in Huet's paper).

Huet's pearl

Idea: residuals as parallel reduction indexed by a set of redexes. A set of residuals R/P is a set of redexes, i.e. a marked term.
R/P is defined as the term R' s.t. R ⇒[P] R', where the index P decorates the same term as R:
  x ⇒[x] x
  R ⇒[S] R'  implies  λx.R ⇒[λx.S] λx.R'
  R ⇒[P] R' and S ⇒[Q] S'  imply  RS ⇒[PQ] R'S'
  R ⇒[P] R' and S ⇒[Q] S'  imply  (λx.R)S ⇒[(λx.P)Q] (λx.R')S'     when the redex (λx.P)Q is not marked (a mark on (λx.R)S is kept)
  R ⇒[P] R' and S ⇒[Q] S'  imply  (λx.R)S ⇒[(λx.P)Q] R'{x:=S'}     when the redex (λx.P)Q is marked, whether (λx.R)S is marked or not


Parallel Moves

The diamond property: t ⇒ u1 and t ⇒ u2 imply ∃s s.t. u1 ⇒ s and u2 ⇒ s.

Lifts via residuals to the parallel moves property: t ⇒[P] u1 and t ⇒[R] u2 imply u1 ⇒[R/P] s and u2 ⇒[P/R] s.

The Cube Property

The parallel moves property: t ⇒[P] u1 and t ⇒[R] u2 imply u1 ⇒[R/P] s and u2 ⇒[P/R] s,

generalises to the cube property, due to J.-J. Lévy: for any set of redexes S of t, S ⇒[P] S/P ⇒[R/P] Q and S ⇒[R] S/R ⇒[P/R] Q with the same Q, i.e. (S/P)/(R/P) = (S/R)/(P/R).

The cube is a contextual refinement of parallel moves: ⇒[P] ⇒[R/P] and ⇒[R] ⇒[P/R] act in the same way on any set of redexes S.

Substitutivity Lemma

Residuals satisfy a substitution property:

Lemma (substitution lemma for residuals). If R ⇒[P] R' and S ⇒[Q] S' then R{x:=S} ⇒[P{x:=Q}] R'{x:=S'}.

Proof. By induction on R ⇒[P] R'.

Compare with parallel reduction: if t ⇒ t' and u ⇒ u' then t{x:=u} ⇒ t'{x:=u'}.

Cube property

The cube can be proved exactly as the diamond property:

Theorem (Cube Property). S ⇒[P] S/P and S ⇒[R] S/R imply ∃Q s.t. S/P ⇒[R/P] Q and S/R ⇒[P/R] Q.

Proof. By induction on S ⇒[P] S/P and case analysis of S ⇒[R] S/R.

1 definition (residuals), 1 lemma (subst.), and 1 theorem (cube). (Much simpler than Huet's development.)


Prism

Huet identifies 'a more fundamental' prism property.
Define the union R ∪ P as the term with the marks in R or P.
Prism: let S, R, and P be sets of redexes; then S ⇒[P] S/P ⇒[R/P] S/(R∪P), i.e. (S/P)/(R/P) = S/(R∪P), the residual along the single step S ⇒[R∪P] S/(R∪P).

Prism is not 'more fundamental': in the abstract theory of residuals (van Oostrom-de Vrijer) the cube is an axiom, not the prism.

Cube and Prism

As for developments, Prism and Cube use the same induction. The cube-prism property: S ⇒[P] S/P ⇒[R/P] S/(R∪P), S ⇒[R] S/R ⇒[P/R] S/(R∪P), and S ⇒[R∪P] S/(R∪P), i.e. the cube whose common vertex is S/(R∪P), is proved exactly as the cube property.

Abella Development

The formalization: 2 definitions, 1 lemma, and 1 theorem:
  Kind mtm type.
  Type mapp mtm -> mtm -> mtm.
  Type mabs (mtm -> mtm) -> mtm.
  Type mredex (mtm -> mtm) -> mtm -> mtm.

  Define res : mtm -> mtm -> mtm -> prop by
    nabla x, res x x x;
    res (mabs R) (mabs P) (mabs R') := nabla x, res (R x) (P x) (R' x);
    res (mapp R S) (mapp P Q) (mapp R' S') := res R P R' /\ res S Q S';
    res (mredex R S) (mapp (mabs P) Q) (mredex R' S') := nabla x, res (R x) (P x) (R' x) /\ res S Q S';
    res (mapp (mabs R) S) (mredex P Q) (R' S') := nabla x, res (R x) (P x) (R' x) /\ res S Q S';
    res (mredex R S) (mredex P Q) (R' S') := nabla x, res (R x) (P x) (R' x) /\ res S Q S'.

  Define res_union : mtm -> mtm -> mtm -> prop by
    nabla x, res_union x x x;
    res_union (mabs R) (mabs P) (mabs Q) := nabla x, res_union (R x) (P x) (Q x);
    res_union (mapp R S) (mapp P T) (mapp Q U) := res_union R P Q /\ res_union S T U;
    res_union (mredex R S) (mredex P T) (mredex Q U) := nabla x, res_union (R x) (P x) (Q x) /\ res_union S T U;
    res_union (mapp (mabs R) S) (mredex P T) (mredex Q U) := nabla x, res_union (R x) (P x) (Q x) /\ res_union S T U;
    res_union (mredex R S) (mapp (mabs P) T) (mredex Q U) := nabla x, res_union (R x) (P x) (Q x) /\ res_union S T U.

  Theorem res_subst : forall R P R' S Q S', nabla x,
    res (R x) (P x) (R' x) -> res S Q S' -> res (R S) (P Q) (R' S').
  induction on 1. intros. case H1.
    search.
    search.
    apply IH to H3 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.
    apply IH to H3 H2. apply IH to H4 H2. search.

  Theorem prism_cube : forall Q P R Q' Q'',
    res Q R Q'' -> res Q P Q' ->
    exists P' R' RunionP S, res P R P' /\ res R P R' /\ res Q' R' S /\ res Q'' P' S /\ res Q RunionP S /\ res_union P R RunionP.
  induction on 1. intros. case H1.
    case H2. search.
    case H2. apply IH to H3 H4. search.
    case H2. apply IH to H3 H5. apply IH to H4 H6. search.
    case H3. apply IH to H4 H6. apply IH to H7 H5. apply res_subst to H16 H10. search.
    case H2. apply IH to H3 H5. apply IH to H4 H6. search.
    apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H9 H15. search.
    case H2. case H5. apply IH to H3 H7. apply IH to H4 H6. apply res_subst to H11 H17. search.
    apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H9 H15. apply res_subst to H10 H16. search.
    case H2. apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H10 H16. search.
    apply IH to H3 H5. apply IH to H4 H6. apply res_subst to H9 H15. apply res_subst to H10 H16. search.
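Added example, not the talk's code nor its Abella development, serving the de Bruijn section (substitution with index lifting), the parallel reduction pred and the residual relation res above: Python over a constructed tuple encoding of marked de Bruijn terms (1-indexed, as in λ(λ21)(λλ31)), where parallel reduction falls out as res with an unmarked left term, and a brute-force check of the cube property on the slide's example (λx.xx)(II). The names shift, subst, beta, res, markings, parallel_reducts, cube_holds, I and DELTA_II are this example's own.

```python
# Added example (not the talk's or Huet's code). Marked de Bruijn terms, 1-indexed:
#   ('var', n) | ('abs', M) | ('app', M, N) | ('redex', M, N)
# ('redex', M, N) is the underlined redex (λx.M)N; ('app', ('abs', M), N) is the same
# redex unmarked. Bodies of 'abs' and 'redex' sit under one binder.
from itertools import product

def shift(t, d, c=1):
    # lift the free indexes (>= c) of t by d; needed when t moves under a binder
    if t[0] == 'var':
        return ('var', t[1] + d if t[1] >= c else t[1])
    if t[0] == 'abs':
        return ('abs', shift(t[1], d, c + 1))
    return (t[0], shift(t[1], d, c + (t[0] == 'redex')), shift(t[2], d, c))

def subst(body, s, j=1):
    # body{j := s}: s is lifted by the j-1 binders crossed, so no free index is captured
    if body[0] == 'var':
        n = body[1]
        return shift(s, j - 1) if n == j else ('var', n - 1 if n > j else n)
    if body[0] == 'abs':
        return ('abs', subst(body[1], s, j + 1))
    return (body[0], subst(body[1], s, j + (body[0] == 'redex')), subst(body[2], s, j))

def beta(t):
    # one β-step on an unmarked top-level redex (λ.M)N ->β M{1 := N}
    return subst(t[1][1], t[2])

def res(r, p):
    # r/p: the marks of r after contracting the redexes marked in p (mirrors Abella's res)
    if r[0] == 'var':
        return r
    if r[0] == 'abs':
        return ('abs', res(r[1], p[1]))
    if p[0] == 'redex':                          # p fires this redex: (λ.R)S ⇒ R'{x := S'}
        body = r[1][1] if r[0] == 'app' else r[1]
        return subst(res(body, p[1]), res(r[2], p[2]))
    if r[0] == 'redex':                          # p keeps it, so r's mark survives
        return ('redex', res(r[1], p[1][1]), res(r[2], p[2]))
    return ('app', res(r[1], p[1]), res(r[2], p[2]))

def markings(t):
    # all sets of redexes of the unmarked term t, as decorated terms
    if t[0] == 'var':
        return [t]
    if t[0] == 'abs':
        return [('abs', m) for m in markings(t[1])]
    out = [('app', f, a) for f, a in product(markings(t[1]), markings(t[2]))]
    if t[1][0] == 'abs':
        out += [('redex', b, a) for b, a in product(markings(t[1][1]), markings(t[2]))]
    return out

def parallel_reducts(m):
    # M ⇒ M' for every set of redexes of M: pred is res with an unmarked left-hand term
    return {res(m, p) for p in markings(m)}

def cube_holds(m):
    # (S/P)/(R/P) == (S/R)/(P/R) for all sets S, R, P of redexes of m
    return all(res(res(s, p), res(r, p)) == res(res(s, r), res(p, r))
               for s, r, p in product(markings(m), repeat=3))

I = ('abs', ('var', 1))                                                        # I := λx.x
DELTA_II = ('app', ('abs', ('app', ('var', 1), ('var', 1))), ('app', I, I))    # (λx.xx)(II)
```

Checking the cube on the four markings of one term is a sanity test of the encoding, not a proof; the Abella theorem prism_cube above covers all terms.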

Prism and Parallel Reduction

A form of prism property is also true for parallel reduction: the diamond t ⇒ u1, t ⇒ u2, u1 ⇒ s, u2 ⇒ s, closed by the diagonal t ⇒ s.

The diamond property via complete developments is an instance, with s = t°: t ⇒ u1 and t ⇒ u2 imply u1 ⇒ t°, u2 ⇒ t°, and t ⇒ t°.

Once again, the proof structure is the same.

Conclusions

Abella is an excellent tool for languages with binders.
Formalized proofs faithfully reflect pen-and-paper proofs.
Simple proof of the cube property.
Formalizations help to understand the theory.
Future work: the pushout theorem for residuals.

THANKS!
