The Church-Rosser Property for -reduction in Typed -Calculi. Herman Geuvers. University of Nijmegen

Transcription

1 The Church-Rosser Property for -reduction in Typed -Calculi Herman Geuvers Faculty of Mathematics and Computer Science University of Nijmegen Nijmegen, The Netherlands Abstract In this paper we investigate the Church-Rosser property (CR) for Pure Type Systems with reduction. For Pure Type Systems with only - reduction, CR on well typed terms follows immediately from CR on the so called 'pseudoterms' and subject reduction. For -reduction, CR on the set of pseudoterms is just false, as was shown by [Nederpelt 1973]. Here we prove that CR (for ) on the well-typed terms of a xed type holds, which is the maximum we can expect in view of Nederpelts counterexample. The proof is given for a large class of Pure Type systems that contains e.g. LF (for which CR for was proved by [Salvesen 1989] and [Coquand 1991]), F, F! and the Calculus of Constructions. In the proof, one key lemma (a very weak form of CR for on pseudoterms) takes a central position. It is remarkable that in the proof of this key lemma the counterexample to CR for is essentially used. 1 Introduction Simply typed lambda calculus (from now on denoted by!) and polymorphic lambda calculus are usually described by rst giving the set of types and then the derivation rules for deriving typing judgements of the form? ` M:, where is a type,? is a 'context' and M is an element of the set of so called 'pseudoterms'. For! this amounts to the following. Typ! ::= TVar j Typ!!Typ! ; where TVar denotes the set of type variables. A context is a sequence of declarations x: with 2 Typ! and x 2 var, the set of term variables. The derivation rules are. (var)? ` x : if x: 2??; x: ` M : ()? ` x::m :! (app)? ` M :!? ` N :? ` MN : For meta-theory it is convenient to introduce the set of pseudoterms of!, T! ::= var j (var:typ! :T!) j T!T!; then one can see the derivation rules as singling out the well-typed terms from the set of pseudoterms. Let's write Term! for the set of pseudoterms typable with some type in some context. Now, -reduction on T! is Church-Rosser, so with the Subject Reduction property:? ` M: & M?!?! M 0, then? ` M 0 :, we obtain that -reduction is CR on the well-typed terms: M 2 Term!, M?!?! M 0 & M?!?! M 00, then 9N 2 Term!:M 0?!?! N & M 00?!?! N. If one is interested in the combination of - and -reduction, the situation is a little bit more complicated, because we have the following counterexample to CR for -reduction on T!. (Originally due to [Nederpelt 1973].) Take M := x::(y::y)x; with 6=. Then M?! x::x and M?! x::x and both are in normal form. This problem can be overcome by noticing that the only problematic overlapping of redexes in T! is when we have a subterm x::(y::m)x (with x =2 FV(M)) and by proving that in well-typed terms, this can only happen when. For the polymorphic lambda calculus the situation is quite similar; we now have polymorphic types and polymorphic terms (with abstraction and application), but for the problematic overlapping of redexes in a term (x::(y::m)x with x =2 FV(M)), we still have that. For the higher order lambda calculus (F! ), the situation is a bit more dicult, because we have reduction inside types. Now types are also formed inside a context and there is an extra rule, stating that convertible types have the same 'inhabitants'. The syntax is the following. There are two sets of variables, var, denoting the term variables, and Var, denoting the so called constructor variables (the set of constructors will include the types.) We also distinguish two kinds of contexts, the constructor contexts, denoted by, for declaring constructor variables, and the term contexts, denoted by?, for declaring term variables. The term variables are declared to types and the constructor variables to so called kinds. 'Kind' represents the collection of kinds and 'Type' represents the kind of types. Kind is dened by Kind ::= Type j Kind!Kind. We now give the derivation rules. Let be a constructor context. 1. (Var) ` : A if :A 2

2 ; :A ` M : B 2. (1) ` :A:M : A!B 3. (app1) ` M : A!B ` N : A ` MN : B ` A : Type ` B : Type 4. (!) ` A!B : Type ; :A ` B : Type 5. () ` :A:B : Type ` A : Type ;? ok 6. (context) ;?; x:a ok ;? ok 7. (var) if x:a 2? ;? ` x : A ;?; x:a ` M : B 8. (2) ;? ` x:a:m : A!B ; :A;? ` M : B 9. (3) if =2 FV(?) ;? ` :A:M : :A:B ;? ` M : A!B ;? ` N : A 10. (app2) ;? ` MN : B ;? ` M : x:a:b ;? ` N : A 11. (app3) ;? ` MN : B[N=x] ;? ` M : A ` B : Type 12. (conv ) A = B ;? ` M : B Here constructor variables are denoted by Greek characters and term variables by Roman characters. In the rules (Var), (var) and (weak) it is always assumed that the newly declared variable is fresh, that is, it has not yet been declared in?. If one wants to look at -reduction in the system, it is of course reasonable to replace the rule (conv ) by (conv ), which is the conversion rule with A = B as side condition. This equality condition is an equality in the set of pseudoterms T, which can be dened similarly to T! for!, with extra clauses for - expressions etcetera. This equality on pseudoterms as a side condition may seem strange, because many of these pseudoterms do not have any semantical significance and it would be more intuitive to replace this side condition by an equality judgement of the form? ` A = B : Type (where this judgement means that A converts to B via a reduction/expansion path in which all expressions are well-typed.) A reason for studying the system with equality as a side condition is that meta-theory about reduction and conuence becomes easier, because one can apply well-known properties of the untyped lambda calculus without having to cope with typing conditions. We see that for studying reduction, untyped lambda calculus is not of immediate help. Nevertheless, the general CR proof given below will make use of the untyped lambda calculus. We shall come back later to the two dierent ways of introducing and using the equality in the system. Now CR on the pseudoterms T doesn't hold and if x:a:(y:b:m)x (well-typed with A; B:Type) is a - and an -redex, we only obtain (by meta-reasoning) that A = B. It looks like before proving CR for well-typed terms, we have to prove CR for types. In the system F! this is possible; types can only contain redexes in which the -abstraction arises from the (1)-rule and application from the (app1)-rule, because terms can't be subexpressions of types. So, one rst proves conuence of -reduction for types (for A and B types, if A = B, then A?!?! C and B?!?! C for some type C.) Then CR for terms follows. For systems with so called dependent types, that is types that have terms as subexpressions, like LF or the Calculus of Constructions (CC), the Church-Rosser property is very complicated: if x:a:(y:b:m)x is a well-typed term, we know A = B, but now this doesn't bring us any further because the equality may arise from an equality between terms. CR for LF was proved in [Salvesen 1989] and later by [Coquand 1991], but for more complicated systems with dependent types the question of CR was still open. Here we shall prove CR for normalizing, functional Pure Type Systems, which includes CC. (There is no proof of normalization for reduction for CC in the literature. However, the strong normalization proof for -reduction for CC in [Geuvers and Nederhof 1991] can easily be adapted to the case for -reduction.) 2 Pure Type Systems and the extension with -reduction Let's take a look at the denition of Pure Type Systems (PTSs for short) and give some of the meta theory. (See [Geuvers and Nederhof 1991], [Barendregt 199+] for more meta-theory and examples.) Denition 2.1 For S a set, A S S and R S S S, (S; A; R) is the typed lambda calculus with the following deduction rules. 1. (sort) ` s 1 : s 2 if (s 1 ; s 2 ) 2 A.? ` A : s 2. (var)?; x:a ` x : A 3. (weak)? ` A : s? ` M : C?; x:a ` M : C 4. ()? ` A : s 1?; x:a ` B : s 2? ` x:a:b : s 3 if (s 1 ; s 2 ; s 3 ) 2 R?; x:a ` M : B? ` x:a:b : s 5. ()? ` x:a:m : x:a:b

3 6. (app)? ` M : x:a:b? ` N : A? ` MN : B[N=x] 7. (conv )? ` M : A? ` B : s? ` M : B A = B In the rules (var) and (weak) it is always assumed that the newly declared variable is fresh, that is, it has not yet been declared in?. If s 2 s 3 in a triple (s 1 ; s 2 ; s 3 ) 2 R, one usually just writes (s 1 ; s 2 ) 2 R. The equality A = B is the transitive, reexive, symmetric closure of one-step--reduction, which is (x:a:m)n?! M[N=x]; compatible with application, -abstraction and - abstraction, on the set of pseudoterms T, dened by T ::= S j Var j (Var:T:T) j (Var:T:T) j TT: The notions of free variable and bound variable of an expression are the usual ones from untyped lambda calculus ( and are the binders), writing FV(M) for the set of free variables of M. We work modulo -conversion, i.e. pseudoterms that only dier in their bound variables are considered to be equal, which equality will be denoted by. (So in fact we work with -equivalence classes of pseudoterms or representants of such classes. For practical reasons we shall only work with representants of -equivalence classes in which all bound variables are pairwise distinct and dierent from the free variables. (The variable convention)) The? in the judgement? ` M : A is, as usual, called a context. For? = x 1 :A 1 ; : : :x n :A n, FV(?) denotes the set FV(A 1 ; : : :A n ). We say that M is of type A in? if? ` M : A is a conclusion of a deduction tree which uses only the rules stated above. A well-typed term is a pseudoterm A for which? ` A : B or? ` B : A for some? and B. Term denotes the set of well-typed terms in a PTS, and Term(?; A) denotes the well-typed terms of type A in?. A PTS is normalizing, if every well-typed term in it reduces to a normal form. The collection of PTSs contains well-known type systems like simply typed lambda calculus,!, ((ftype; Kindg; ftype:kindg; f(type; Type)g), Girards systems F (! extended with the rule (Kind; Type)) and F! (F extended with (Kind; Kind)) and the Calculus of Constructions (F! with the rule (Type; Kind)). (It requires some meta-theory to see that this version of F! is the same as the one introduced before.) The inconsistent type system, where 'Type' is a type is also a PTS ((ftypeg; ftype:typeg; f(type; Type)g) and the notion of PTS also captures logical systems like rst, second order and higher order predicate logic, as shown by [Berardi 1988]. (See also [Barendregt 199+].) In this paper we want to study the extension with -equality. First we give some motivations why this extension is interesting and why the Church-Rosser property of the combined -reduction is important. (This will hardly need any explanation.) Then we want to show what are the problems that arise when trying to prove CR for. Section 2 gives an outline of the proof. 2.1 Properties of Pure Type Systems Here we give some of the meta-theory for PTSs, mainly those theorems that will be encountered later in the Church-Rosser proof. For detailed proofs we refer to [Geuvers and Nederhof 1991] or [Barendregt 199+]. In the following, unless noted otherwise, we work in an arbitrary PTS. Proposition 2.2 (CR ) The reduction relation?!?! is Church-Rosser on T. (That is, if M?!?! M 1 and M?!?! M 2 then M 1?!?! N and M 2?!?! N for some N 2 T. (The proof follows precisely the Church-Rosser proof of -reduction on the untyped lambda terms in [Barendregt 1984].) Corollary 2.3 (Conuence of on T, CON ) If M = M 0 then M?!?! N and M 0?!?! N for some N 2 T. We shall write M # M 0 for 9N 2 T:M?!?! N & M 0?!?! N. From the form of the derivation rules we can conclude the following. Lemma 2.4 (Stripping) 1.? ` x:a:m : C )?; x:a ` M : B;? ` x:a:b : s for some B and some s 2 S such that x:a:b = C. 2.? ` MN : C )? ` M : x:a:b;? ` N : A for some A and B such that B[N=x] = C. Proposition 2.5 (Subject Reduction for, SR ) If? ` M : A and M?!?! M 0 then? ` M 0 : A. The proof of the proposition is by induction on the derivation, proving the statement simultaneously for a one step reduction in? or M. It uses Stripping (2.4) and the fact that x:a:b = x:c:d implies A = C and B = D, which holds by CON on T. We don't have in the (conv ) rule, but we do have subject reduction for. Proposition 2.6 (Subject Reduction for, SR ) If? ` M : A and M?!?! M 0 then? ` M 0 : A. The proof of this proposition is, just as for SR, by induction on the derivation, proving the statement simultaneously for a one step reduction in? or in M. In the proof one needs strengthening: Proposition 2.7 (Strengthening) If? 1 ; x:a;? 2 ` M : B with x =2 FV(? 2 ; M; B), then? 1 ;? 2 ` M : B.

4 The proof is in [van Benthem Jutting 199+]. In [Geuvers and Nederhof 1991] a proof is given for a subcollection of PTSs, the so called functional ones: A PTS is functional if the relation A is a function from S to S and the relation R is a function from S S to S. (That is, if s : s 0, s : s 00 2 A, then s 0 s 00 and if (s 1 ; s 2 ; s 3 ); (s 1 ; s 2 ; s 0 3) 2 R then s 3 s 0 3.) Both proofs use CR on T. Proposition 2.8 (Uniqueness of types, UT) In a functional PTS: If? ` M : A,? ` M : A 0, then A = A 0. The proof is by induction on the derivation. It uses CON in the sense that one needs x:a:b = x:c:d ) B = D to hold. (The proposition is false for non-functional PTSs.) 2.2 The extension with Extending the PTSs with means just replacing the conversion rule by (conv )? ` M : A? ` B : s A = B? ` M : B To distinguish the two, we write PTS for the ones with (conv ) as conversion rule and PTS for the ones with (conv ). There are many reasons for studying this extension. For one thing, the stronger -equality is quite natural, especially if we think about a PTS as representing a logic. The need for -equality also becomes apparent when we look at type systems that are used as frameworks, like LF. The completeness of the interpretation of a formal system in a signature relies on dening a mapping back, from terms in the signature to terms of the formal system, which is dened on (representants of) -equivalence classes. (See [Harper et al. 1987].) A nice consequence of CR is that the unication algorithms for the Calculus of Constructions, as discussed in [Pfenning 1991] are complete. A semantical reason for strengthening the equality is that in almost all models of type systems the rule is valid. Further CR is essential if we relate the syntax of PTSs to the semantics: The systems that are really interpreted in e.g. [Streicher 1989] and [Jacobs 1991] are not the ones as formulated above (with equality on the pseudoterms as a side condition), but with an equality judgement inside the context. If is a PTS, write = for the associated 'semantical' version of the system (with equality judgement), replacing ` by `=. The conversion rule of = is (conv 0 )? `= M : A? `= A = B : s? `= M : B where the judgement? `= A = B : s is generated by ()? `= x:a:m : x:c:d? `= N : C? `= (x:a:m)n = M[N=x] : D[N=x] ()?; x:a `= Mx : B? `= x:a:b : s if? `= x:a:mx = M : x:a:b x =2 FV(M) taking the transitive, reexive, symmetric closure, made compatible with application, - and - abstraction. In this version of the system the conversion rule can only be applied to two equal types if they are equal via a path through the well-typed terms. In the original PTS version one only claims that the types are equal as pseudoterms. If we have only -conversion (i.e. in = we don't have ()), the two versions are equivalent: If M; M 0 2 Term with M = M 0, then there is a path between them through Term (by CR on T and SR ). This is expressed by the following theorem for any PTS. Theorem 2.9? ` M : A? ` M 0 : A M = M ) ()? `= M = M 0 : A: In fact, this theorem also states that the system with equality on the pseudoterms is a 'sound' system: there would really be something wrong if? ` M; M 0 : A and M = M as pseudoterms without there being a path from M to M 0 through Term(?; A). If we extend both versions of PTSs with, we need some form of Church-Rosser to prove the equivalence of the two versions. It suces to have that if M and M 0 are of the same type in some context? and M = M 0, then M # M 0. This is precisely what will be proved, for normalizing functional PTSs. As consequences we nd that and = are equivalent (for functional and normalizing) and that CR and CON hold for =. (It is not clear how a proof of CR for = could be essentially simpler then via the proof for.) 2.3 Problems with proving CR As already remarked, the main problem with proving CR is that on the pseudoterms T it is just false. The counterexample (x:a:(y:b:y)x with A 6= B) implies that also CON on T (see 2.3) is not true, even if we restrict ourselves to well-typed terms. For the meta-theory for PTSs with this has some serious consequences. UT is not immediate anymore for functional PTSs, with = replaced by =. (One needs that x:a:b = x:c:d ) B = D.) For SR and SR the situation is also problematic: The rst requires x:a:b = x:c:d ) A = C & B = D. The second requires strengthening, the proof of which uses Church-Rosser. Our solution to this will be to prove a very weak form of Church-Rosser for reduction on T (using the counterexample to CR (!)), which will turn out to be sucient to get UT and SR. Also this key lemma will be sucient to prove strengthening (and so SR ) for functional, normalizing PTSs. Using all this, we shall prove (for functional, normalizing PTSs)? ` M; M 0 : A; M = M 0 ) nf(m) nf(m 0 )

5 Where we write nf(m) for the normal form obtained by some normalization procedure. We have as an immediate corollary CON for Term(?; A). 3 The proof of CR for functional, normalizing pure type systems In the proof of Church-Rosser we shall relate the -reduction on typed terms to the reductions on untyped lambda terms. Properties of reduction on the untyped terms will be used to obtain results about reduction in T. We therefore dene an erasure mapping from T to and give some properties for it. Then we give some properties of -reduction and equality on T, which will enable us to prove SR and SR. The counterexample of [Nederpelt 1973] shows that, if one tries to prove CR, there is a problem in the types of the -abstracted variables. We shall call these types domains: A subterm A of M is a domain if it occurs as x:a in M. (So we are not concerned with -abstractions.) The erasure map removes all domains. Denition 3.1 The map j j : T! is dened with induction on the structure of pseudoterms as follows. jxj := x; jsj := s; jx:a:m j := x:jm j; jx:a:bj := x:jaj:jbj; jmnj := jmjjnj: Here, is extended with the extra variable binder and constants s for each s 2 S. If one views x:jaj:jbj just as GjAj(x:jBj), with G some xed constant, it's easy to see that all the facts (like CR ) about -reduction in hold for. It is easy to see that if for M; M 0 2 T, jmj jm 0 j, then M and M 0 have the same 'structure' apart from the domains that may be very dierent. If jmj jm 0 j and the respective domains in M and M 0 are all equal, we say that M and M 0 are domain-equal, notation M d M 0. We have the following proposition, relating reduction in T to reduction in. Proposition 3.2 Let M and M 0 be in T. M?! M 0 ) jmj?! jm 0 j _ jmj jm 0 j; and similar for?! and so for =. jmj?!?! jm 0 j ) 9N[M?!?! N & jnj jm 0 j]: (This doesn't hold for?!?!.) Proof The rst is trivial: If the redex is erased by j j, then jmj jm 0 j and otherwise the same redex can still be done in, so jmj?! jm 0 j. The second is almost trivial; we are done if we give the proof for a one-step -reduction. As j j only erases domains, a - redex in jmj is also a -redex in M, and by evaluating it we nd N 2 T with M?! N and N M 0. This is not valid for, as is shown by the counterexample M x::y(z:p x:z)x. (This term can even be welltyped in e.g. the Calculus of Constructions: Take P x::, y:(!)!!. In Lemma 3.14 we shall see that nevertheless, if M is well-typed in the Calculus of Constructions and jmj is in -nf, then M is in -nf.) 2 The following is an immediate corollary of the counterexample to CR on T. Lemma 3.3 (Domain Lemma) If C[x:A:M] and B are in T (i.e. C is a pseudoterm with subterm x:a:m ), then Proof C[x:A:M] C[x:A:M] = C[x:B:M] C[y:B:(x:A:M)y] C[x:B:M] where y is any variable not occurring free in A or M. 2 Lemma 3.4 (Key Lemma) Let c be a variable or a sort. 1. cp 1 : : :P n = Q ) Q?!?! ~y: ~A:cQ 1 : : :Q n ~y, with Q i = P i (1 i n). 2. x:p 1 :P 2 = Q ) Q?!?! ~y: ~ A:(x:Q 1 :Q 2 )~y, with P i = Q i (i = 1; 2): Proof We only proof the rst case, since the second is totally similar. Some notation: For D 2 T and M 2 T, M D 2 T is the pseudoterm obtained by replacing all domains in M by D. For D 2 T and t 2, t +D 2 T is the pseudoterm obtained by adding D as domain to every abstraction in t. (So e.g. x:x is replaced by x:d:x.) For reasons of readibility we adapt here the convention to use capitals for pseudoterms and small characters for elements of. Let cp 1 : : :P n and Q be as in the rst case of the lemma. By CR on we nd t 1 ; : : :; t n 2 with cjp 1 j : : :jp n j?!?! ct 1 : : : t n and jqj?!?! ct 1 : : : t n. Using postponement of -reduction, we nd that jqj?!?! ~y:cq 1 : : :q n ~y?!?! ct 1 : : :t n. (Doing as many -reductions as possible, i.e. we -reduce all the -redexes that are also -redexes.) By 3.2 we nd a term ~y: ~A:cQ 1 : : : Q n ~y with Q?!?! ~y: ~A:cQ 1 : : : Q n ~y and j~y: A:cQ ~ 1 : : :Q n ~yj ~y:cq 1 : : :q n ~y. The situation is as follows. cp 1 : : : P n cjp 1 j : : :jp n j jqj ct 1 : : : t n ~y:cq 1 : : : q n ~y Q ~y: ~A:cQ 1 : : : Q n ~y

6 Take for D some closed pseudoterm (or fresh variable), then ~y: ~D:cQ D 1 : : :Q D n ~y?!?! ct +D 1 : : :t +D n and cp D 1 : : : Pn D?!?! ct +D 1 : : :t +D n. Using Lemma 3.3 we obtain (for 1 i n), P i = P D i Q D i = Q i t +D i so Q i = P i (1 i n) and we are done. 2 Using the Key Lemma we get the following important properties. Proposition 3.5 (UT for functional PTSs) In a functional PTS we have? ` M : A&? ` M : A 0 ) A = A 0. Theorem 3.6 (SR ) For a PTS, j= SR. The proofs of the proposition and the theorem are straightforward by redoing the proofs for PTS in [Geuvers and Nederhof 1991], using the Key Lemma. As corollaries of SR and the Key Lemma we nd: If? ` Q; x:p 1 :P 2 : s (s 2 S) with Q = x:p 1 :P 2, then Q?!?! x:q 1 :Q 2 with P i = Q i and similar for xp 1 : : : P n. Further, if? ` M : Q with Q = s (s 2 S), then Q?!?! s. (These are proved using the fact that a type is not a -abstraction.) We shall now turn to the proof of SR for functional, normalizing systems. Again the Key Lemma is used and, as said, we also need some form of strengthening to prove SR. First we state another lemma, which is required for strengthening. Lemma 3.7 In a functional normalizing PTS : )? ` D : s? ` D 0 : s 0 ) s s 0 : D = D 0 There are essentially two ways to prove this lemma: It can be proved directly (it requires some sublemmas), but also by rst adding strengthening as a rule to the system, that is we have an extra derivation rule (streng)? 1; x:a;? 2 ` M : B? 1 ;? 2 ` M : B if x =2 FV(? 2; M; B). In the second case one has to redo the proof for SR (straightforward) and prove SR (using the rule (streng)). Then the proof of CR and CON can be done in the same way as will be done here (in ) From CON one then proves that Lemma 3.7 holds in the system without the (streng) rule and so CR and CON hold in the system without (streng). The direct proof involves some sublemmas. We give them here without a detailed proof. Sublemma 3.8?; x:d ` M : C;? ` D 0 : s (s 2 S); D = D 0 then?; x:d 0 ` M : C Sublemma 3.9? ` B : s;? ` B 0 : s 0 ; B = B 0 ; B in nf then s s 0. The proof of the rst is by changing everywhere in the derivation tree of?; x:d ` M : C the declaration x : D into x : D 0 : We introduce x as x : D 0 (with the rule (var) or (weak)) and if x is introduced with the (var) rule, we immediately apply (conv ) to conclude?; x:d 0 ` x : D. The proof of the second is by induction on B, using the rst sublemma and the Key Lemma. Now Lemma 3.7 easily follows. Using 3.7 we can prove a weak form of strengthening for functional normalizing PTS, which is sucient to prove SR and which also implies strengthening itself. The proof uses also the Key Lemma and it's corollaries. Lemma 3.10 In a functional, normalizing PTS :? 1 ; x:a;? 2 ` M : B x =2 FV(? 2 ; M) )? 1;? 2 ` M : B 0 for some B 0 = B: Proposition 3.11 (SR ) For a functional, normalizing PTS, j= SR. Proof The proof is by proving simultaneously the case for a one step reduction in the context or in the subject. The only interesting case is when? ` x:a:mx : C with x =2 FV(M) and we have to prove? ` M : C. By the Stripping Lemma (2.4), we nd a term B with x:a:b = C and?; x:a ` Mx : B. Again with Stripping Lemma we nd a term y:d:e with?; x:a ` M : x:d:e, E[x=y] = B and D = A. By Lemma 3.10 we nd that?; x:a ` M : F with F = y:d:e = x:a:b = C. Applying (conv ) we conclude?; x:a ` M : C. 2 The next lemmas will establish the proof of CON on Term(?; A) for functional normalizing Pure Type Systems. So suppose we work in such a PTS. Lemma 3.12? ` M:A? ` M 0 :A 0 A = A 0 jmj jm 0 j M; M 0 in -nf 9 >= >; ) M d M 0 (For the denition of d, see the remarks after Denition 3.1.) Proof M and M 0 have the same structure (apart from the domains), say M = x 1 :A 1 : : : x n :A n :N and M 0 = x 1 :A 0 1 : : :x n :A 0 n:n 0, with N and N 0 not abstractions. From the type of M and M 0 we conclude that A i = A 0 i. Now compare from left to right all domains in N and N 0. Say B occurs as zr 1 : : :R q (y 1 :E 1 : : :y p :E p :x:b:p ) in N and B 0 occurs as zr 0 1 : : : R 0 q(y 1 :E 0 1 : : :y p :Ep:x:B 0 0 :P 0 ) in N 0 and for all domains to the left of B (respectively B 0 ) we are already done. (This implies that

7 R i = R 0 i for all i and E i = E 0 i for all i.) We look at the types of z; zr 1 ; : : :; zr 1 : : : R q in the derivation tree and compare them with the types of z; zr 0 1; : : :; zr 0 1 : : :R 0 q in the other derivation tree. Notice that they are pairwise -equal. This implies that the types of y 1 :E 1 : : :y p :E p :x:b:p and y 1 :E 0 1 : : :y p :Ep:x:B 0 0 P 0 are -equal, so B = B 0. 2 Lemma 3.13? ` A:s A in -nf A = C x =2 FV(C;?) 9 >= ) x =2 FV(A): >; Proof The proof is by induction on the structure of A. For A a variable or a sort it's trivial. For A x:a 1 :A 2, we are done by induction hypothesis. Suppose now A is an application term and x 2 FV(A). Then x is only free in domains of A. (Note that jcj = jaj?!?! nf(jaj), and in untyped lambda calculus -reductions do not remove any free variables, so x =2 FV(jAj).) Say B is the leftmost domain of A in which x occurs free, say in the subterm zr 1 : : : R q (y 1 :E 1 : : : y p :E p :y:b:p ). Then there is a type for z in which x is not free (z is declared in the context or left to B), so there is a type for zr 1 : : :R q in which x is not free, so B = E, for some E in which x is not free. Now by induction hypothesis, x =2 F V (B). 2 Lemma 3.14 For M 2 Term, if M in -nf, then jmj in -nf. Proof Suppose jm j is not in -nf. Then there is an -redex in jm j, which is not an -redex in M, say x:jn jx is the rst such. Then x 2 FV(N), but x =2 FV(jN j), so x is only free in domains of N. Say B is the leftmost domain in which x is free, and say B occurs in the subterm zr 1 : : : R q (y 1 :E 1 : : : y p :E p :y:b:p ). The type of z does not have x as a free variable in it. (If z is abstracted in the context or left from the abstraction over x, then not by variable convention and if z is abstracted right from x, then not by the assumption that B is the leftmost domain containing x.) With an argument similar to that in the proof of 3.13, there is a type B 0 with B = B 0, and x =2 FV(B 0 ). By 3.13: x =2 FV(B). 2 Lemma 3.15 (CON for types) Let s; s 0 2 S.? ` A:s? ` B:s 0 A = B A; B in -nf 9 >= >; ) A B: Proof By induction on the structure of A, using the Key Lemma, 3.12 and If A x:a 1 :A 2, then B = x:b 1 :B 2 with A 1 = B 1 and A 2 = B 2 (by Key Lemma). By induction hypothesis A 1 B 1 and A 2 B 2. If A xp 1 : : :P n, then B = xq 1 : : :Q n with P i = Q i (by Key Lemma.) Now, the types of xp 1 : : :P i and xq 1 : : :Q i in the derivations of? ` A:s resp? ` B:s 0 are pairwise -equal. Further, all P i and Q i are in -nf, so, by 3.14, all jp i j and jq i j are, so jp i j jq i j for all i. We can apply 3.12 to conclude that P i d Q i for all i and so A d B (all respective domains in A and B are -equal.) By induction hypothesis (comparing the respective domains in A and B from left to right) we conclude that A B. 2 Theorem 3.16 (CON ) )? ` M:A? ` M 0 :A ) M # M = M 0 M 0 : Proof Dene N := nf(m); N 0 := nf(m 0 ). We prove N N 0 and we are done. By SR and SR we nd? ` N:A and? ` N 0 :A. By 3.14, jnj and jn 0 j are in normal form, so jnj jn 0 j. By 3.12, N d N 0 : All respective domains in N and N 0 are -equal. By CON for types (3.15), all respective domains in N and N 0 are syntactically equal (), so N N Discussion We have proved CON for terms in a xed context of a xed type, but only for functional normalizing PTS. This immediately implies CR on Term. We have also seen that conuence for well-typed terms of dierent types doesn't hold. (And the same for welltyped terms in dierent contexts; take? and? 0 such that? ` x(y : A:y) : Type and? 0 ` x(y : B:y) : Type.) We think that, using the work of [van Benthem Jutting 199+], who gives an analysis of typing in PTSs, these results can be extended to arbitrary normalizing type systems. The most interesting extension, however, seems to be the one to non-normalizing type systems, like. First because the proof given here relies very heavily on the normalization, which makes the CR theorem a higher order property, where we believe it is essentially combinatoric. Second, because from CON on Term(?; A) in (with (conv )) we hope to get CON on Term(?; A) for an arbitrary PTS, by imitating the reduction steps in in the other PTS, using the terminality of in the category PTS. This would also require SR for an arbitrary PTS. (Here we only have a proof of SR for normalizing systems.) Because of the restriction to normalizing systems, we need to prove normalization of -reduction without using the Church-Rosser property. This may look problematic but in practice it isn't. For example for the Calculus of Constructions, the strong normalization proof in [Geuvers and Nederhof 1991] for the system with (conv ) can be adapted to a proof of strong normalization for the system with (conv ). In that

8 paper a reduction preserving map from Term(CC) to Term(F!) is dened. This mapping can easily be extended to CC with (conv ) such that also - reductions are preserved and all the required properties of the mapping stil hold (using the Key Lemma.) We conjecture here the general theorem that, if a PTS is (strongly) normalizing, then the PTS is. If we look at the Church-Rosser property from a point of view as to how to compute the common reduct, we see that the situation is really a bit more complicated then for untyped lambda calculus. In untyped lambda calculus, if M?!?! M 1 and M?!?! M 2, a common reduct of M 1 and M 2 can be found using complete developments. (See [Barendregt 1984].) Here one has to do something more, namely reducing the domains: Consider e.g. M := x:a:(y:b:y)x, M 1 := x:a:x and M 2 := y:b:y. There are no residuals of the -redex in M 2, nor are there any residuals of the -redex in M 1, so we have a complete development of the set containing both redexes, but M 1 6 M 2. (They would have been in the untyped case.) We still have to unify A and B. Acknowledgements We would like to thank Anne Salvesen for pointing out some mistakes in an earlier version of this paper. References [Barendregt 1984] H.P. Barendregt, The lambda calculus: its syntax and semantics, revised edition. Studies in Logic and the Foundations of Mathematics, North Holland. [Harper et al. 1987] R. Harper, F. Honsell and G. Plotkin, A framework for dening logics. Proceedings Second Symposium on Logic in Computer Science, (Ithaca, N.Y.), IEEE, Washington DC, pp [Jacobs 1991] B.P.F. Jacobs, Categorical type theory. Ph.D. thesis, University of Nijmegen, The Netherlands. [Nederpelt 1973] R.P. Nederpelt, Strong normalization in a typed lambda calculus with lambda structured types. Ph.D. thesis, Eindhoven Technological University, The Netherlands. [Pfenning 1991] F. Pfenning, Unication and antiunication in the Calculus of Constructions. Proceedings Sixth Symposium on Logic in Computer Science, (Amsterdam, the Netherlands), IEEE, Washington DC, pp [Salvesen 1989] A. Salvesen, The Church-Rosser Theorem for LF with reduction. Notes of a talk presented at the BRA-Logical Frameworks meeting, Antibes [Streicher 1989] Th. Streicher, Correctness and completeness of a categorical semantics of the Calculus of Constructions. Ph. D. thesis, University of Passau, Germany. [Barendregt 199+] H.P. Barendregt, Typed lambda calculi. In Abramski et al. (eds.), Handbook of Logic in Computer Science, Oxford Univ. Press, to appear. [van Benthem Jutting 199+] L.S. van Benthem Jutting, Typing in Pure Type Systems. To appear in Information and Computation. [Berardi 1988] S. Berardi, Towards a mathematical analysis of the Coquand-Huet calculus of constructions and the other systems in Barendregts cube. Dept. Computer Science, Carnegie-Mellon University and Dipartimento Matematica, Universita di Torino, Italy. [Coquand 1991] Th. Coquand, An algorithm for testing conversion in type theory. In Huet and Plotkin (eds.), Logical Frameworks, Cambridge Univ. Press. [van Daalen 1980] D.T. van Daalen, The language theory of AUTOMATH. Ph.D. thesis, Eindhoven Technological University, The Netherlands. [Geuvers and Nederhof 1991] J.H. Geuvers and M.J. Nederhof, A modular proof of strong normalization for the calculus of constructions. Journal of Functional Programming, vol 1 (2), pp