A Sound Definitional Interpreter for a Simply Typed Functional Language

Abstract

In this paper, we develop, in the proof assistant Coq, a definitional interpreter and a type-checker for a simply typed functional language, and formally prove that the mentioned type-checker is sound with respect to the definitional interpreter via progress and preservation. To represent binders, we embark on the choice of “concrete syntax” in which parameters are just names (or strings).

1. Introduction

In the domain of programming language semantics, interpreters [1] constitute the bases for the abstract specification of higher-order programming languages. This specification is simply handled by defining the semantics of an object language in terms of the semantics of a target (or host) language. An interpreter is said to be definitional if it is computational; that is, if it could be executed to test and validate the semantics of the object language programs in the “trusted” target language with well-known semantics. Functional programming languages that support algebraic data types (such as Haskell, OCaml, Coq, etc.), especially those serving dependent types, are suitable targets to implement interpreters. We definitionally formalize small-step operational semantics of a simply typed functional language, a variant of simply typed Lambda calculus (${\lambda }^{\to }$) [2], alongside a type-checker in the Coq proof assistant [3]. In such an approach, one needs to bridge the interpreter and the type-checker together simply by proving that the type system is sound, potentially embarking on the approach proposed by Wright and Felleisen [4]. In more formal terms, one needs to make sure that the following properties hold.

(i)

If an arbitrarily given term is well-typed, then it either reduces in a single step into some other term or it is already a value. That is, well-typed terms are never stuck;

(ii)

the type of a given term does not vary under reduction/evaluation.

The former property is called progress while the latter is known as preservation. Putting all related technical machinery together and obtaining these proofs even for a not-so-rich object language might very well be tedious and, thus, error-prone. This underpins the main target of the paper, where we carefully investigate and prove the properties (i) and (ii) for a simply typed functional language (extending ${\lambda }^{\to }$) both in a pen-and-paper setting and in a Coq formalization. We detail and present technical machinery that constructs those proofs in both contexts and relate one to the other. To the best of the author’s knowledge, such a Coq development does not exist out there with a similar extent of technicality (as well as the approach). Related formalization is not definitional and does not prove the soundness via (i) and (ii).

1.1. Related Work and Contributions

The approach employed by [5,6,7,8] benefits from intrinsically typed abstract syntax definitions when it comes to encoding the object language terms into a dependently typed target language. This way, the type checker of the target language is enabled to automatically verify the safety type of the interpreter. The approach has been extended in [9] such that it supports linearly typed languages as well.

Darais et al. [10,11] studied abstract definitional interpreters written in a monadic style, which makes it possible to capture operations that interact with the outside world. Therefore, languages with impure features (e.g., use of local/global state, mechanisms to handle exceptions, etc.) could also be nicely interpreted. This approach has close relations with that of [12,13,14,15,16] where definitional interpreters mimic state machines, especially non-deterministic pushdown automata.

With all of these mentioned, the main contribution of this paper lies in the Coq formalization of an interpreter for a simply typed language alongside its soundness proof captured by progress and preservation properties. In these lines, novelties are a ’few folded’, as mentioned below:

• The presented interpreter is implemented to be computational; not living in Coq’s Prop. Amin et al. [17] definitionally implemented a similar interpreter; however, the attached soundness proof was not handled by progress and preservation. Moreover, the approach conducted in Software Foundations [18] and Koprowski’s paper [19] makes use of non-definitional interpreters, living in Coq’s Prop, it, however, obtains soundness proof via progress and preservation. In essence, we combine these approaches.
• We aimed to have complete literature on the Coq formalization surrounding the definitional interpreters for simply typed languages, alongside [20,21]. We discuss the technical machinery that closes the soundness proof of the interpreter. Even though the main message of the paper is well-known, to the author’s best knowledge, there is no Coq formalization that implements both type-checking and reduction (for some extension of ${\lambda }^{\to }$) in a definitional fashion (outside Coq’s Prop), formally relating to one another.
• Our ${\lambda }^{\to }$ extension involves a ’fixpoint’, branching constructors, and a few binary operations over natural numbers and Booleans.

The Coq formalization already deals with an extension of ${\lambda }^{\to }$ interpreted as a case study. We could make use of the same approach presented here (https://github.com/ekiciburak/Lambda2, accessed on 8 December 2022) (a definitional interpreted for a polymorphically typed functional language coded in Haskell), enriching the current state of our interpreter. The extension is very easily adaptable, as discussed in  [17]; it brings over new cases as part of the soundness and will be targeted in the near future.

In this regard, the milestones of the formalization are explained in Section 2.3, Section 2.4 and Section 3 while the whole library is accessible at https://github.com/ekiciburak/extSTLC/tree/master (accessed on 17 December 2020). For the file organization of the library, please refer to Appendix A.

1.2. Organization of the Paper

In Section 2, we first give a quick recap of the untyped Lambda calculus. We then present an extension with natural numbers, Booleans, branching, and fixpoint constructors. Afterward, we introduce a definitional interpreter based on small-step call-by-value semantics, and a type-system employing simple (or non-dependent) types. Along the same lines, we give a taste of such functions in a Coq formalization. In Section 3, we discuss, in deep technical details, the soundness of the type system with respect to the interpretation via both pen-and-paper and Coq-certified proofs.

2. A Quick Recap of the $\mathbf{\lambda }$ Calculus

The $\lambda$ calculus is a mathematical formalism that expresses computations as function evaluations. It treats functions in an intensional viewpoint in which a function simply is an abstraction composed of input arguments and a body. The equality over functions is syntactically tested in between function bodies modulo renaming (α-equivalence or renaming) of the bound arguments. The principle of functional extensionality cannot be directly proven there but can be taken as an axiom whenever needed. The functions with multiple input arguments can be rewritten as sequences of functions using a single argument. This technique is known as Currying or Schonfinkeling. We now state below the syntax of the $\lambda$ calculus in an inductive fashion:

t	:=	x	term variable/identifier
	∣	$\lambda x.t$	function abstraction
	∣	$tt$	function application

An abstraction $\lambda x.t$ is indeed a representation of a function with the bound input argument x and the body t separated by the period ‘.’ symbol. For instance, thinking of a function $f\left(a\right):=a+1$, with argument a ranging over natural numbers, one can simply encode it as $\lambda a.a+1$ within the Lambda terms. Here, the Greek letter $\lambda$ is chosen to anonymously name functions as it does not matter whether to name functions. Thus, all of them are uniquely named $\lambda$.

To express a computation within the scope of $\lambda$ calculus, the function applications of the form $tt$ are employed. It is not possible to evaluate terms under the binder Lambda. Namely, an abstraction alone cannot be evaluated. It is necessary to have an abstraction applied to a term (reducible term or redex) when it comes to speaking of function evaluations:

$$(\lambda x.M)N{\to }_{\beta }M[x:=N]$$

This one step of the evaluation is known as β-reduction and is denoted by the right-arrow with the letter $\beta$ sub-scripted: ‘${\to }_{\beta }$’. The $\beta$-reduction can be viewed as a single step of the computation in which an application of the form $(\lambda x.M)N$ evaluates or reduces into a term $M[x:=N]$ denoting a variant of M in which every occurrence of the argument x is substituted by the applicant term N.

Example 1.

The term $(\lambda x.x+y)10$ evaluates in one beta-step into $10+y$. Notice that the variable y here is not bound by the binder Lambda. These kinds of terms in Lambda expressions are known asfree variables.

Example 2

(Church Encoding). It is possible to encode natural numbers in λ calculus in such a way that the term $\lambda f.\lambda n.fn$ denotes the natural number 1 while $\lambda f.\lambda n.fffn$ denotes the natural 3. Namely, the number of applications of the term f over the term n defines the corresponding natural number.

Example 3.

Let $t:=\lambda x.\lambda y.x$ in $1t=(\lambda f.\lambda n.fn)t{\to }_{\beta }\lambda n.tn=\lambda n.(\lambda x.\lambda y.x)n{\to }_{\beta }\lambda n.(\lambda x.\lambda y.x)n$.

Example 4.

Let $\Omega :=\lambda x.xx$ in $\Omega \Omega =\lambda x.xx(\lambda x.xx){\to }_{\beta }\Omega \Omega {\to }_{\beta }\Omega \Omega {\to }_{\beta }\Omega \Omega \dots$

Example 5.

There are two ways to beta-reduce the term $\Omega 1t$: (i) into $11t$ if the application on the left is accounted for first; (ii) into $\Omega \lambda n.tn$ if the one on the right.

Notice that the expression $\Omega \Omega$ in Example 4 loops under beta-reduction returning itself. Such an evaluation never reaches a final or termination state. Moreover, the Example 5 aims at presenting the fact that non-deterministic evaluations can also be encoded within the scope of $\lambda$ calculus. The goal to have them is to informally show that $\lambda$ calculus is indeed Turing complete. Namely, any computation that could be simulated by a Turing machine could also be implemented within Lambda terms. This conclusion can also be inferred from the famous Church–Turing Thesis but cannot be formally proven as it is not mathematically stated. However, one can disprove it just by refutation. Namely, it suffices for one to come up with a computation that can be simulated with one model but not with the other.

2.1. Evaluation Strategies

In order to impose an order of evaluation for a deterministic reduction of Lambda terms, several strategies are put forward. We discuss in this section, the strategy named call-by-value (CBV) and skip the others as it constitutes a basis for our Coq development. The CBV permits an application to reduce only after reducing its argument into a value. Namely, considering the term $e_1{e}_2$, CBV ensures that $e_2$ is fully evaluated until no further reduction steps are possible (into the normal form), and then the application takes place. That could formally be stated as:

$\frac{\mathrm{isvalue} e_2=\mathrm{true}}{({\lambda }_x.e_1)e_2\to \beta e_1[x:=e_2]} \left({\mathit{app}}_1\right) \frac{\mathrm{isvalue} e_2=\mathrm{false} e_2\to \beta e_2^{\prime }}{({\lambda }_x.e_1)e_2\to \beta ({\lambda }_x.e_1)e_2^{\prime }} \left({\mathit{app}}_2\right)$

such that the isvalue and substitution (denoted $?[?:=?]$) functions are formally given in Definitions 1 and 2, respectively.

Definition 1.

The isvalue   function is defined as follows:

$\begin{array}{lll}\mathit{isvalue}(\lambda x.e)& \Rightarrow & \mathit{true}\\ \mathit{isvalue}\_& \Rightarrow & \mathit{false}\end{array}$

Definition 2.

The substitution function is recursively implemented as follows:

$\mathit{Ident}x[s:=v]$	⇒	$\mathit{if}x=s\mathit{then}v\mathit{else}\mathit{Ident}x$
$(\lambda x.e)[s:=v]$	⇒	$\mathit{if}x\ne s\mathit{then}\lambda x.e[s:=v]\mathit{else}\lambda x.e$

2.2. Extensions

For a more involved calculus, let us now extend the set of Lambda terms, and accordingly, the accompanying evaluation strategy. We drop in natural numbers, Booleans, a technique to handle branching and a fixpoint combinator. Moreover, we include three operations over natural numbers, addition, subtraction, and multiplication, together with a pair of Boolean comparison operators: equality and greater-than checks. The extended set of terms are lsited in Figure 1:

In Figure 2, we extend the CBV strategy, such that it covers the newly introduced terms as well.

Definition 3.

Theisvaluefunction is updated into:

$\mathit{isvalue}(\lambda x.e)$	⇒	true
$\mathit{isvalue}\left(NValn\right)$	⇒	true
$\mathit{isvalue}\left(BValb\right)$	⇒	true
$\mathit{isvalue}\_$	⇒	false

Definition 4.

Moreover, the substitution function is extended in the following cases:

$\left(t_1{t}_2\right)[s:=v]$	⇒	$\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)$
$\left(\mathrm{ITE}{t}_1{t}_2{t}_3\right)[s:=v]$	⇒	$\mathrm{ITE}\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)\left(t_3[s:=v]\right)$
$\left(\mathrm{Fix}{t}_1\right)[s:=v]$	⇒	$\mathrm{Fix}\left(t_1[s:=v]\right)$
$\left(\mathrm{Plus}{t}_1{t}_2\right)[s:=v]$	⇒	$\mathrm{Plus}\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)$
$\left(\mathrm{Minus}{t}_1{t}_2\right)[s:=v]$	⇒	$\mathrm{Minus}\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)$
$\left(\mathrm{Mult}{t}_1{t}_2\right)[s:=v]$	⇒	$\mathrm{Mult}\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)$
$\left(\mathrm{Eq}{t}_1{t}_2\right)[s:=v]$	⇒	$\mathrm{Eq}\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)$
$\left(\mathrm{Gt}{t}_1{t}_2\right)[s:=v]$	⇒	$\mathrm{Gt}\left(t_1[s:=v]\right)\left(t_2[s:=v]\right)$
$\left(\mathrm{NVal}n\right)[s:=v]$	⇒	$\mathrm{NVal}n$
$\left(\mathrm{BVal}b\right)[s:=v]$	⇒	$\mathrm{BVal}b$

Notice that the symbols ‘+’, ‘−’ and ‘×’ appearing in the conclusions of the rules $plu{s}_1$, $minu{s}_1$, and $mul{t}_1$ are, respectively, denoting addition, subtraction, and multiplication over natural numbers. Similarly, the symbols ‘=’ and ‘>’ used in the conclusions of the rules $e{q}_1$ and $g{t}_1$ are employed to denote Boolean equality and greater-than checks. The rules to define branching $it{e}_1$, $it{e}_2$, and $it{e}_3$ are indeed folklore. The term ITE $e_1$  $e_2$  $e_3$ evaluates in a single step into $e_2$ if $e_1$ is the Boolean value true; into $e_3$ if $e_2$ is the Boolean false. Otherwise, it reduces to ITE $e_1^{\prime }$  $e_2$  $e_3$ if $e_1$ evaluates into $e_1^{\prime }$. There is a fixpoint combinator Fix that takes a term f and, in a single beta-step, replaces every occurrence of the variable (or identifier) x with the term f itself in e if f is a Lambda term, such as $\lambda x.e$. Otherwise, if f is evaluated into $f^{\prime }$ in a single beta-step then the term Fix f reduces into Fix $f^{\prime }$. The rules governing operations over ’naturals’ and Booleans are also very usual. The term Plus x  y reduces into the natural number $a+b$ (denoted NVal ($a+b$)) if x is a natural number a (NVal a) and y is a natural number b (NVal b). If this is not the case, plus x  y evaluates into Plus x  $y^{\prime }$ if x is a value; into Plus $x^{\prime }$  y, otherwise, given that x reduces to $x^{\prime }$ and y reduces to $y^{\prime }$ in a single step. The other rules concerning subtraction, multiplication, equality, and greater-than checks should be read in the same manner as addition. Note also that the terms that are marked values (by the isvalue function) do not evaluate any further, similar to variables (or identifiers).

2.3. A Type System with a Coq Implementation

Looking back at Example 3 in Section 2, one could easily notice that applying the constant term 1 to the first projection function t makes no sense in a reasonable sort of mathematics. It is possible to make a similar comment for the term $\Omega$ in Example 4: self-application might be decently awkward. Therefore, to avoid these kinds of unintended cases, and to prune them out, one may follow a syntactic approach that categorizes terms according to the types of values they compute. This eventually allows for the proof of the fact that there are no more questions about the aforementioned unintended program behaviors. The set of Lambda terms presented in Figure 1, this time, with the typing information injected-in, is listed in Figure 3.

The Lambda binder is indeed the only constructor where typing information appears within the term declarations. This simply is to well-type the input variable of a given Lambda term in the construction phase. The rest of the terms are indeed the same as they are given before in Figure 1. It is not cumbersome to reflect these into a Coq implementation:

One crucial point to underline is that the type system here allows only for ordinary function/arrow types leaving aside dependent and polymorphic function types. Namely, it is a variant and an extension of the simply typed Lambda calculus; not as expressive as, other calculi in Barendregt’s cube [22], such as System F [23], System $F\omega$ nor $\lambda C$ [24]. The type system involves two base types Int and Bool with the possibility of inductively constructing “Arrow” types out of them. Notice also that in implementing binders, we embark on the choice of “concrete syntax” due to Church [2], in which the identifiers of Lambda terms are just strings. This choice definitely requires some extra care when it comes to avoid variable capture. See Section 2.4, especially the text following the subst function, for a further explanation. Another point to draw attention to is that the term constructor NVal adds to the set of terms the natural numbers (nat) of Coq. Similarly, the constructor BVal enriches the set of terms with the Coq Booleans (bool).

Let us now take a closer look into the typing judgments, formally stated in Figure 4, which are supposed to govern term evaluations just by allowing well-typed terms to reduce only.

We assume that there exists some context $\Gamma$ that is interpreted as a list of typing relations, such as $\mathtt{x}:\varphi$, respecting the shadowing property. Namely, if the same variable appears more than once in the context, the leftmost appearance is considered: the one on the left shadows others. For instance, suppose we have a context $\Gamma$ in the form of [$(\mathtt{x}:{\varphi }_{\mathtt{1}})::(\mathtt{y}:{\varphi }_{\mathtt{2}})::(\mathtt{x}:{\varphi }_{\mathtt{3}})$], we consider the type of the instance x to be ${\varphi }_{\mathtt{1}}$ not ${\varphi }_{\mathtt{3}}$. Therefore, under some context $\Gamma$ (denoted “$\Gamma ⊢?$”), to obtain the type of a given variable x, a lookup (starting from the left end of the context), denoted $\Gamma \left(x\right)$, is employed ($i{d}_t$). Similarly, under some context $\Gamma$ extended with the fact that some variable x ranging over the type ${\tau }_1$, if it is possible to deduce that some term e is of type ${\tau }_2$ then the Lambda term $\lambda x:\tau .e$ has the arrow type ${\tau }_1\to {\tau }_2$ under the same context $\Gamma$ ($la{m}_t$), accordingly denoted $\Gamma ,x:t_1⊢e:t_2$. To apply an arbitrary term $e_1$ to a term $e_2$, one needs to make sure that the former term is of an arrow type such that the domain of this type matches with the type of the latter. Moreover, the application $e_1{e}_2$ is now an instance of $e_1$’s co-domain type ($ap{p}_t$).

If f is a term of some arrow type $\tau \to \tau$, then the term $\mathrm{Fix}f$ is thought to be a fix-point f, and must be of type $\tau$ ($fi{x}_t$). The term $\mathrm{Plus}{e}_1{e}_2$ is of the base type $Int$ only if both $e_1$ and $e_2$ are of type $Int$ ($plu{s}_t$). Similarly, the term $\mathrm{Eq}{e}_1{e}_2$ is of the base type $Bool$ only if both $e_1$ and $e_2$ are of type $Int$ ($e{q}_t$). Remark also that $⊢t:\tau$ denotes the fact that the term t is of type $\tau$ under the empty context. In a Coq formalization, we implement the rules stated in Figure 4, using a recursive function named typecheck, as follows: where the context ctx is a list of string-type pairs which always is extended on the left-hand side to obtain the shadowing property (explained above) satisfied.

In our implementation, lookups are always performed by/starting from the left end of a given context. This matches with the idea that designates the shadowing feature. The output type of the lookup function is wrapped by the option type (or monad [25]) of Coq, just in case that the input variable is absent from the provided context: the function ends up returning None.

The function typecheck takes a term along with a context, and outputs the type of the term under the input context. Similar to that of the lookup, the instances returned by the typecheck function are also wrapped with the option type so that upon ill-typed inputs, such as App (NVal 5) (BVal false), the function returns None.

2.4. A Definitional Interpreter in Coq

We first adapt the rules stated in Figure 2, such that the typing information explicitly appears in reduction steps. To do so, it suffices to add types to the terms where the Lambda binder is involved as it is the only constructor that embodies syntactical typing information. Therefore, only the rules $ap{p}_3$ and $ap{p}_4$ are re-designated and presented in Figure 5.

A small-step CBV interpreter based on the typing-adapted versions of the rules (as in Figure 5) stated in Figure 2 is definitionally implemented in Coq as follows: where the substitution function subst (Definition 4) is formalized to be:

The point that this interpreter being definitional stems from the fact that it takes a term, and computes in real time a reduced term out of it. This is in fact the point where our interpreter differs from that of ’Software Foundations’ [18] in which interpretation is not computational as it is developed in Coq’s Prop. The return type of the function beta is wrapped by the option type for stuck (see Definition 6) terms, such as App (NVal 5) (BVal false), the  function returns None, meaning no further reduction steps on this term is possible. Notice that we skipped in the above definition the match-cases for operators, such as Minus, Mult, Eq and Gt because they are very similar to that of Plus. Please refer to the accompanying Coq library for the complete definition. Considering the substitution, we implement a function (named subst above) that is capture avoiding but in a restricted form: only to be used in handling beta-reduction of closed terms; namely terms that do not involve free variables. To generalize the implementation so that it also handles terms with free variables requires extra care at the match-case “Lambda y t m”:

• Substitution would be applicable not only when $\mathtt{y}\ne \mathtt{x}$ but also when $\mathtt{y}\notin \mathtt{fv}\left(\mathtt{n}\right)$ to avoid the bound variable y being captured by any free variable present in the substituted term n.
• If the bound variable y is somehow captured by either of the cases $\mathtt{y}=\mathtt{x}$ and $\mathtt{y}\in \mathtt{fv}\left(\mathtt{n}\right)$, one possibility to avoid the capture is to introduce a fresh variable and replace it with the bound variable y. Another choice may be to completely discard the naming bound variables by employing de Bruijn indices [26] in the Lambda binder, or alternatively pick a locally nameless strategy [27], or maybe embark on (parametric) higher-order abstract syntax [28]. Opting one of these methods, and adjusting the implementation accordingly is set as a future goal.

3. Type Soundness

We devote this section to step-by-step explore the soundness proof of the type system presented in Figure 4. It may be beneficial to first look into the chart in Figure 6 that exhibits the dependency among statements proven further in this section, and then read the proof terms in detail.

Remark that the definition, lemma, and theorem names in the upcoming text are indeed links to the corresponding formalization in the Coq library. Please click on the names to browse the related code.

Lemma 1 

(istypechecked_app). $\forall t_1{t}_2\tau ,⊢\left(t_1{t}_2\right):\tau \Rightarrow \exists \upsilon ,⊢t_1:\upsilon \to \tau \wedge$$⊢t_2:\upsilon .$

Proof. 

The statement is just the inversion of the ($ap{p}_t$) rule presented in Figure 4. Notice that we are trying to show $\exists \upsilon ,⊢t_1:\upsilon \to \tau \wedge ⊢t_2:\upsilon$ assuming $⊢\left(t_1{t}_2\right):\tau$ (H). The proof proceeds with nested case distinctions over the statements, i.e., whether the terms $t_1$ and $t_2$ are well-typed under the empty context:

1.

$⊢t_1:\kappa \to \tau$ for some arbitrary type $\kappa$.

(a)

$⊢t_2:\rho$ for some arbitrary type $\rho$. In this case, both $t_1$ and $t_2$ are individually well-typed under the empty context. By employing this fact, the rule ($ap{p}_t$) and the hypothesis (H), it is easy to deduce that $\kappa =\rho$. Under the same set of assumptions, we could show $\exists \upsilon ,⊢t_1:\upsilon \to \tau \wedge ⊢t_2:\upsilon$ holds just by plugging in the type $\rho$ (or equivalently $\kappa$) for $\upsilon$. The hypothesis (H) would not hold otherwise.

(b)

$⊬t_2:\rho$. Given that the application $\left(t_1{t}_2\right)$ is well-typed, under the empty context, the term $t_2$ must be well-typed as well. This case is a violation thus the goal is closed by contradiction.

2.

$⊬t_1:\kappa \to \rho$. Similar to the item above, if the application $\left(t_1{t}_2\right)$ is well-typed, the term $t_1$ must also be well-typed under the empty context context. This case is a violation, thus, the goal is closed by contradiction as well.

□

Lemma 2 

(istypechecked_ite).$\forall t_1{t}_2{t}_3\tau ,⊢ITE{t}_1{t}_2{t}_3:\tau \Rightarrow ⊢t_1=Bool\wedge$$⊢t_2:\tau \wedge ⊢t_3:\tau .$

Proof.

The statement is the inversion of the rule ($it{e}_t$) stated in Figure 4. We aim to prove $⊢t_1=Bool\wedge ⊢t_2:\tau \wedge ⊢t_3:\tau$ provided $⊢\mathrm{ITE}{t}_1{t}_2{t}_3:\tau$ (H). The proof we present here proceeds with nested case distinctions over the statements, whether the terms $t_1$, $t_2$ and $t_3$ are well-typed under the empty context:

1

$⊢t_1:{\kappa }_1$ for some arbitrary type ${\kappa }_1$.

(a)

$⊢t_2:{\kappa }_2$ for some arbitrary type ${\kappa }_2$.

i.

$⊢t_3:{\kappa }_3$ for some arbitrary type ${\kappa }_3$. In this case, the terms $t_1$, $t_2$, and $t_3$ are all individually well-typed under the empty context. With this, the hypothesis (H), and the rule ($it{e}_t$), we could simply deduce the facts that ${\kappa }_1$ must be $Bool$, and both ${\kappa }_2$ and ${\kappa }_3$ must be $\tau$. Any other choice of $\kappa$ s would contradict the hypothesis (H).

ii.

$⊬t_3:{\kappa }_3$. If the term $\mathrm{ITE}{t}_1{t}_2{t}_3$ is well-typed, under the empty context, the term $t_3$ must also be well-typed. This case is a violation, thus, the goal is closed by contradiction.

(b)

$⊬t_2:{\kappa }_2$. The goal in this case similarly holds by contradiction.

2.

$⊬t_1:{\kappa }_1$. The goal in this case is closed by contradiction in a similar manner with that of the above item.

□

Lemma 3 

(istypechecked_fix).$\forall t\tau ,⊢Fixt:\tau \Rightarrow ⊢t:\tau \to \tau$

Proof.

The statement is the inversion of the rule ($fi{x}_t$) stated in Figure 4. The goal here is to show that $⊢t:\tau \to \tau$ holds, assuming $\mathrm{Fix}t:\tau$ (H). The proof proceeds with a case distinction over the statement whether the term t is well-typed under the empty context:

• $⊢t:\kappa$ for some arbitrary type $\kappa$. Thanks to the hypothesis (H) and the rule ($fi{x}_t$), we could easily reason that $\kappa$ must be $\tau \to \tau$; the hypothesis (H) would not hold otherwise.
• $⊬t:\kappa$. If the term $\mathrm{Fix}t$ is well-typed, under the empty context, the term t must also be well-typed. This case is a violation, thus, the goal is closed by contradiction.

□

Lemma 4 

(istypechecked_plus). $\forall t_1{t}_2\tau ,⊢Plus{t}_1{t}_2:\tau \Rightarrow \tau =Int\wedge ⊢t_1:Int$$\wedge ⊢t_2:Int$

Proof.

The statement is indeed the inversion of the rule ($plu{s}_t$) in Figure 4. We aim to prove $\tau =Int\wedge ⊢t_1:Int\wedge ⊢t_2:Int$ provided that $⊢\mathrm{Plus}{t}_1{t}_2:\tau$ (H). The proof we present here proceeds with nested case distinctions over the statements, i.e., whether the terms $t_1$ and $t_2$ are well-typed under the empty context:

1.

$⊢t_1:{\kappa }_1$ for some arbitrary type ${\kappa }_1$.

(a)

$⊢t_2:{\kappa }_2$ for some arbitrary type ${\kappa }_2$. In this case, the terms $t_1$ and $t_2$ are individually well-typed under the empty context. With this, the hypothesis (H), and the rule ($plu{s}_t$), it is easy to deduce the fact that the types $\tau$, ${\kappa }_1$ and ${\kappa }_2$ must be $Int$. Any other choice of $\kappa$ s and $\tau$ would be in contradiction with the hypothesis (H).

(b)

$⊬t_2:{\kappa }_2$. If the term $\mathrm{Plus}{t}_1{t}_2$ is well-typed, under the empty context, the term $t_2$ must also be well-typed. This case is a violation, thus, the goal is closed by contradiction.

2.

$⊬t_1:{\kappa }_1$. The goal in this case is closed by contradiction in a similar manner with that of the above item.

□

The progress statement claims that if an arbitrary term t type-checks under the empty context then it either reduces in a single step into some term $t^{\prime }$ or it is already a value. That is, well-typed terms are never stuck (see Definition 6 for a formal explanation of being stuck for a term). The terms that are well-typed and do not reduce at the same time are those marked values (see Definition 3).

Theorem 1 

(Progress). $\forall t,⊢t:\tau \Rightarrow$ isvalue t = true $\vee \exists t^{\prime },t{\to }_{\beta }{t}^{\prime }$ for some type τ.

Proof.

The proof proceeds with structural induction on the term t. The cases with Ident x, $\lambda x:\tau .t$, $\mathrm{NVal}n$ and $\mathrm{BVal}b$ are indeed trivial: the first assumes false by $⊢\mathrm{Ident}x:\tau$ for some type $\tau$, and the rest are already values.

1.

The case with the application ($t_1{t}_2$), for some terms $t_1$ and $t_2$, is more involved. There, we aim to prove that isvalue $\left(t_1{t}_2\right)=true$ $\vee \exists t^{\prime },\left(t_1{t}_2\right){\to }_{\beta }{t}^{\prime }$ given $⊢\left(t_1{t}_2\right):\tau$ ($Htc$) for some type $\tau$, along with two induction hypotheses $⊢t_1:{\tau }_1\Rightarrow$isvalue $t_1=true$ $\vee \exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$ ($IH{t}_1$) for some type ${\tau }_1$, and $⊢t_2:{\tau }_2\Rightarrow$isvalue $t_2=true$ $\vee \exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$ ($IH{t}_2$) for some type ${\tau }_2$. Notice that isvalue $\left(t_1{t}_2\right)=false$; therefore, we consider showing the right disjunction $\exists t^{\prime },\left(t_1{t}_2\right){\to }_{\beta }{t}^{\prime }$ here. It is easy to demonstrate that the Boolean function isvalue is decidable. That is, $\forall t,\mathtt{isvalue}t=true\vee \mathtt{isvalue}t=false$. We start off with a case analysis, specializing this fact on the term $t_1$, and  throw two individual subgoals to close the assuming $\mathtt{isvalue}{t}_1=true$ and $\mathtt{isvalue}{t}_1=false$, independently:

(a)

$\mathtt{isvalue}{t}_1=true$. We proceed with a case analysis specializing the decidability of the isvalue function, this time with the term $t_2$ and obtain two more subgoals to prove, given $\mathtt{isvalue}{t}_2=true$ and $\mathtt{isvalue}{t}_2=false$ separately:

i.

$\mathtt{isvalue}{t}_2=true$. On a case analysis over the term $t_1$, we in fact have to prove the below three cases in which $t_1$ is a value (other cases, such as $t_1$ being $\mathrm{ITE}{e}_1{e}_2{e}_3$, are trivial just because $t_1$ s are not values that yield in contradictory cases):

• $t_1=\lambda x:{\tau }_x.e$, for some type ${\tau }_x$. Mind that the goal here turns out to be $\exists t^{\prime },(\lambda x:{\tau }_{x}e)t_2{\to }_{\beta }{t}^{\prime }$. There obviously exists some $t^{\prime }$; that is the substitution $e[x:=t_2]$, closing the goal thanks to the rule ($ap{p}_3$) in Figure 2.
• $t_1=\mathrm{NVal}n$. In this case, the hypothesis ($Htc$) takes the following shape: $⊢\left(\mathrm{NVal}n\right)t_2:\tau$, which is indeed false and yields in a contradiction as the first term in an application needs to be of some arrow-type but it is of type $Int$ here.
• $t_1=\mathrm{BVal}b$. This case is proven in a similar fashion to that of the above item.

ii.

$\mathtt{isvalue}{t}_2=false$. Thanks to Lemma 1, we have $⊢t_2:{\tau }_2$, for some type ${\tau }_2$ out of $⊢\left(t_1{t}_2\right):\tau$. We use this fact to specialize the induction hypothesis ($IH{t}_2$) to turn it into $\mathtt{isvalue}{t}_2=true\vee \exists t^{\prime },t_2{\to }_{\beta }{t}^{\prime }$. We destruct this, and are supposed to prove the below statements, assuming $\mathtt{isvalue}{t}_2=true$ and $\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$ individually:

A.

$\mathtt{isvalue}{t}_2=true$. This case holds by contradiction.

B.

$\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$. On a case analysis over the term $t_1$, we in fact have to prove the below three cases in which $t_1$ is a value (other cases, such as $t_1$ being $\mathrm{ITE}{e}_1{e}_2{e}_3$, are trivial just because $t_1$ s are not values that yield in contradictory cases):

• $t_1=\lambda x:{\tau }_x.e$, for some type ${\tau }_x$. The goal we aim to show in this case is $\exists t^{\prime },(\lambda x:{\tau }_x.e)t_2{\to }_{\beta }{t}^{\prime }$. Such a $t^{\prime }$ obviously exists as $(\lambda x:{\tau }_x.e)t_2^{\prime }$ due to the rule ($ap{p}_4$) in Figure 2.
• $t_1=\mathrm{NVal}n$. In this case, the hypothesis ($Htc$) takes the following shape: $⊢\left(\mathrm{NVal}n\right)t_2:\tau$, which is a contradiction, because in an application, the first term needs to be of some arrow-type, but it is $Int$ here.
• $t_1=\mathrm{BVal}b$. This case is proven in a similar manner to that of the above item.

(b)

$\mathtt{isvalue}{t}_1=false$. Thanks to Lemma 1, we have $⊢t_1:{\tau }_1$, for some type ${\tau }_1$ out of $⊢\left(t_1{t}_2\right):\tau$. We use this fact to specialize the induction hypothesis ($IH{t}_1$) to turn it into the shape $\mathtt{isvalue}{t}_1=true\vee \exists t^{\prime },t_1{\to }_{\beta }{t}^{\prime }$. We destruct this, and are supposed to prove the below statements, assuming $\mathtt{isvalue}{t}_1=true$ and $\exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$ separately:

i.

$\mathtt{isvalue}{t}_1=true$. The statement in this case trivially holds by contradiction.

ii.

$\exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$. In a case analysis over the term $t_1$, we in fact have to prove subgoals in which $t_1$ is not a value (other cases such as $t_1$ being $\lambda x:\tau .e$ are trivial just because $t_1$ s are values that yield in proofs by contradiction):

• Recall that we are trying to show $\exists t^{\prime },\left(t_1{t}_2\right){\to }_{\beta }{t}^{\prime }$ such that $t_1$ is not a value. We close all such cases uniformly: there definitely exists a $t^{\prime }$ being ($t_1^{\prime }{t}_2$) given $t_1{\to }_{\beta }{t}_1^{\prime }$, due to the rule ($ap{p}_2$) in Figure 2.

2.

Looking into the case with $\mathrm{ITE}{t}_1{t}_2{t}_3$, we need to show isvalue $\mathrm{ITE}{t}_1{t}_2{t}_3=true$ $\vee \exists t^{\prime },\mathrm{ITE}{t}_1{t}_2{t}_3{\to }_{\beta }{t}^{\prime }$ given $⊢\mathrm{ITE}{t}_1{t}_2{t}_3:\tau$ ($Htc$) for some type $\tau$, along with three induction hypotheses $⊢t_1:{\tau }_1\Rightarrow$isvalue $t_1=true$ $\vee \exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$ ($IH{t}_1$) for some type ${\tau }_1$, $⊢t_2:{\tau }_2\Rightarrow$isvalue $t_2=true$ $\vee \exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$ ($IH{t}_2$) for some type ${\tau }_2$, and $⊢t_3:{\tau }_3\Rightarrow$isvalue $t_3=true$ $\vee \exists t_3^{\prime },t_3{\to }_{\beta }{t}_3^{\prime }$ ($IH{t}_3$) for some type ${\tau }_3$. Notice that the sole case we are supposed to demonstrate is $\exists t^{\prime },\mathrm{ITE}{t}_1{t}_2{t}_3{\to }_{\beta }{t}^{\prime }$ as isvalue $\mathrm{ITE}{t}_1{t}_2{t}_3=false$. Plugging the hypothesis ($Htc$) into Lemma 2, we deduce the facts that $⊢t_1:Bool$ ($Ha$), $⊢t_2:\tau$ ($Hb$), and $⊢t_3:\tau$ ($Hc$). We then specialize the induction hypothesis ($IH{t}_1$) with ($Ha$), and obtain isvalue $t_1=true$ $\vee \exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$. Destructing this hypothesis, we are supposed to prove the goal $\exists t^{\prime },\mathrm{ITE}{t}_1{t}_2{t}_3{\to }_{\beta }{t}^{\prime }$ twice, assuming isvalue $t_1=true$ and $\vee \exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$ individually:

(a)

isvalue$t_1=true$. On a case analysis over the term $t_1$, we in fact have to prove the below three cases in which $t_1$ is a value (other cases such as $t_1$ being $Fixf$ are trivial just because $t_1$ s are not values that yield in contradictory cases):

• $t_1=\lambda x:{\tau }_x.e$, for some type ${\tau }_x$. It is possible to show that $\exists t^{\prime },\mathrm{ITE}(\lambda x:{\tau }_x.e)$ $t_2{t}_3{\to }_{\beta }{t}^{\prime }$ holds just by contradiction as the hypothesis ($Ha$), namely $⊢(\lambda x:{\tau }_x.e):Bool$ proves False. The Lambda terms are of the arrow-type.
• $t_1=\mathrm{NVal}n$. In this case, it is similarly possible to prove False within the set of hypotheses: considering the hypothesis ($Ha$), namely $⊢\mathrm{NVal}n:Bool$, we deduce False as it in fact is $⊢\mathrm{NVal}n:Int$.
• $t_1=\mathrm{BVal}b$. If the Boolean variable b is true, then the statement $\exists t^{\prime },\mathrm{ITE}\left(\mathrm{BVal}true\right)t_2{t}_3{\to }_{\beta }{t}^{\prime }$ could easily be proven by plugging the term $t_2$ in place of $t^{\prime }$ due to the rule ($it{e}_1$). If b is the Boolean false, then $t^{\prime }$ is chosen to be $t_3$ to close the goal due to the rule ($it{e}_2$) in Figure 2.

(b)

$\exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$. The term $t_1$ is obviously not a value as it reduces at least one step. Therefore, it cannot be $\mathrm{BVal}b$, $\mathrm{NVal}n$, and $\lambda x:{\tau }_x.e$. We prove the statement $\exists t^{\prime },\mathrm{ITE}{t}_1{t}_2{t}_3{\to }_{\beta }{t}^{\prime }$ uniformly for the other choices of $t_1$ as follows: just plug in the term $\mathrm{ITE}{t}_1^{\prime }{t}_2{t}_3$ for the term $t^{\prime }$ within the goal, and obtain $\mathrm{ITE}{t}_1{t}_2{t}_3{\to }_{\beta }\mathrm{ITE}{t}_1^{\prime }{t}_2{t}_3$, which trivially holds thanks to the rule ($it{e}_3$) presented in Figure 2.

3.

For the case with $\mathrm{Fix}f$, we need to prove that isvalue $\mathrm{Fix}f=true$ $\vee \exists t^{\prime },\mathrm{Fix}f{\to }_{\beta }{t}^{\prime }$ given $⊢\mathrm{Fix}f:\tau$ ($Htc$) for some type $\tau$, along with the induction hypothesis $⊢f:\tau \Rightarrow$isvaluef = true $\vee \exists f^{\prime },f{\to }_{\beta }{f}^{\prime }$ ($IHf$). Lemma 3 gives proof of the fact that $⊢f:{\tau }_f$, for some type ${\tau }_f$ out of ($Htc$). We specialize in the induction hypothesis ($IHf$) with this fact and handle isvalue $f=true$ $\vee \exists f^{\prime },f{\to }_{\beta }{f}^{\prime }$. By destructing this, we are supposed to prove the goal $\exists t^{\prime },\mathrm{Fix}f{\to }_{\beta }{t}^{\prime }$ (as isvalue $\mathrm{Fix}f=false$) twice for both isvalue $f=true$ and $\exists f^{\prime },f{\to }_{\beta }{f}^{\prime }$.

(a)

isvalue$f=true$. On a case analysis over the term f, we in fact have to prove the below three cases in which f is a value (other cases, such as f being $\mathrm{Plus}{t}_1{t}_2$ are trivial just because fs are not values that yield in contradictory cases):

• $f=\lambda x:{\tau }_x.e$, for some type ${\tau }_x$. It suffices to plug the term $e[x:=\mathrm{Fix}(\lambda x:{\tau }_x.e)]$ into the formula $\exists t^{\prime },\mathrm{Fix}(\lambda x:{\tau }_x.e){\to }_{\beta }{t}^{\prime }$, and then apply the rule ($fi{x}_1$) in Figure 2 to have this case proven.
• $f=\mathrm{NVal}n$. In this case, it is possible to prove False within the current context: considering ($Ha$), namely $⊢\mathrm{Fix}\left(\mathrm{NVal}n\right):\tau$ is simply false as it is an ill-typed term according to the rules in Figure 4. See the rule ($fi{x}_t$) that states that terms of the form $\mathrm{Fix}f$ are well-typed only when f is of some arrow-type with the same domain and co-domain. This does not match with the fact that $⊢\mathrm{NVal}n:Int$.
• $f=\mathrm{BVal}b$. This case holds due to the same reason as that of $t_1=\mathrm{NVal}n$ given above.

(b)

$\exists f^{\prime },f{\to }_{\beta }{f}^{\prime }$. Given the rule ($fi{x}_2$) in Figure 2, one can reason that $\exists t^{\prime },\mathrm{Fix}f{\to }_{\beta }{t}^{\prime }$ holds simply by plugging the term $\mathrm{Fix}{f}^{\prime }$ in, for $t^{\prime }$ except for the cases where f is a value. These cases are contradictory as there is no $f^{\prime }$ into which f evaluates.

4.

Considering the case involving $\mathrm{Plus}{t}_1{t}_2$, we need to show isvalue $\mathrm{Plus}{t}_1{t}_2=true$ $\vee \exists t^{\prime },\mathrm{Plus}{t}_1{t}_2{\to }_{\beta }{t}^{\prime }$ given $⊢\mathrm{Plus}{t}_1{t}_2:\tau$ ($Htc$) for some type $\tau$, along with two induction hypotheses $⊢t_1:{\tau }_1\Rightarrow$isvalue $t_1=true$ $\vee \exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$ ($IH{t}_1$) for some type ${\tau }_1$, and $⊢t_2:{\tau }_2\Rightarrow$isvalue $t_2=true$ $\vee \exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$ ($IH{t}_2$) for some type ${\tau }_2$. Notice that we are supposed to prove only $\exists t^{\prime },\mathrm{Plus}{t}_1{t}_2{\to }_{\beta }{t}^{\prime }$ as isvalue $\mathrm{Plus}{t}_1{t}_2=false$. Employing Lemma 4, we deduce the facts that $⊢t_1:Int$ ($Ha$), and that $⊢t_2:Int$ ($Hb$) out of the hypothesis ($Htc$). Specializing the induction hypotheses ($IH{t}_1$) with ($Ha$) and ($IH{t}_2$) with ($Hb$), we obtain isvalue $t_1=true$ $\vee \exists t_1^{\prime },t_1{\to }_{\beta }{t}_1^{\prime }$ and isvalue $t_2=true$ $\vee \exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$. We carry on with a case analysis on the decidability of the isvalue function parameterized by the term $t_1$. We, therefore, need to prove the aforementioned goal twice for two distinct cases with $\mathtt{isvalue}{t}_1=true$ and $\mathtt{isvalue}{t}_1=false$:

(a)

$\mathtt{isvalue}{t}_1=true$. Applying a case analysis on the term $t_1$, we are supposed to prove the below three cases (others, such as $t_1$ being $\mathrm{Fix}f$, are trivial just because $t_1$ s are not values that yield in contradictions):

i.

$t_1=\lambda x:{\tau }_x.e$, for some type ${\tau }_x$. Notice that in this case, the goal turns out to be $\exists t^{\prime },\mathrm{Plus}(\lambda x:{\tau }_x.e)t_2{\to }_{\beta }{t}^{\prime }$. This holds by contradiction just because the type of $\lambda x:{\tau }_x.e$ is an arrow-type while it is expected to be $Int$ by the hypothesis ($Ha$). Please check out the rule ($la{m}_t$) given in Figure 4 for a justification.

ii.

$t_1=\mathrm{NVal}n$. In this case, we start off destructing the induction hypothesis ($IH{t}_2$), and are in the need of proving the goal $\exists t^{\prime },\mathrm{Plus}\mathrm{NVal}n{t}_2$ ${\to }_{\beta }{t}^{\prime }$ twice provided $\mathtt{isvalue}{t}_2=true$ and $\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$ individually:

A.

isvalue$t_2=true$. We proceed with the case analysis of the term $t_2$, we are supposed to prove the below three cases (others, such as $t_2$ being $\mathrm{Fix}f$, are trivial just because $t_2$ s are not values that yield in contradictions):

• $t_2=\lambda x:{\tau }_x.e$, for some type ${\tau }_x$. Here, we need to show that $\exists t^{\prime },\mathrm{Plus}\left(\mathrm{NVal}n\right)(\lambda x:{\tau }_x.e){\to }_{\beta }{t}^{\prime }$ holds. This is doable again by contradiction as the term $\lambda x:{\tau }_x.e$ is of an arrow-type, while it is expected to be $Int$ by the hypothesis ($Hb$).
• $t_2=\mathrm{NVal}m$. In this case, we could simply show that $\exists t^{\prime },\mathrm{Plus}\left(\mathrm{NVal}n\right)\left(\mathrm{NVal}m\right){\to }_{\beta }{t}^{\prime }$ holds by first plugging in the term $\mathrm{NVal}(n+m)$ for $t^{\prime }$, and then employing the rule ($plu{s}_1$) presented in Figure 2.
• $t_2=\mathrm{BVal}b$. The goal $\exists t^{\prime },\mathrm{Plus}\left(\mathrm{NVal}n\right)\left(\mathrm{BVal}b\right){\to }_{\beta }{t}^{\prime }$ in this case holds also by contradiction: the type of $\left(\mathrm{BVal}b\right)$ is $Bool$ while it is expected to be $Int$ by the rule ($Hb$).

B.

$\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$. In this case, $\exists t^{\prime },\mathrm{Plus}\left(\mathrm{NVal}n\right)t_2{\to }_{\beta }{t}^{\prime }$ needs to be shown. In cases where $t_2$ is a value, we close the goal by contradiction, as $\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$ allows for proving False: values do not evaluate any further. For the rest, we plug the term $\mathrm{Plus}\left(\mathrm{NVal}n\right)t_2^{\prime }$ into the goal, for the term $t^{\prime }$, and solve it with the rule ($plu{s}_2$) stated in Figure 2.

iii.

$t_1=\mathrm{BVal}b$. It is possible to show that $\exists t^{\prime },\mathrm{Plus}\left(\mathrm{BVal}b\right)t_2{\to }_{\beta }{t}^{\prime }$ by contradiction as the type of $\left(\mathrm{BVal}b\right)$ is $Bool$ while it is here expected to be $Int$ by the rule ($Ha$).

(b)

$\mathtt{isvalue}{t}_1=false$. On a case analysis over the term $t_1$, we in fact have to prove subgoals where $t_1$ is not a value (other cases such as $t_1$ being $\lambda x:\tau .e$ are trivial just because $t_1$ s are values that yield in contradictory cases):

• Recall that we are trying to show $\exists t^{\prime },\mathrm{Plus}{t}_1{t}_2{\to }_{\beta }{t}^{\prime }$, such that $t_1$ is not a value. We close all such cases uniformly: there definitely exists a $t^{\prime }$ as $\mathrm{Plus}{t}_1^{\prime }{t}_2$ given $t_1{\to }_{\beta }{t}_1^{\prime }$, thanks to the rule ($plu{s}_3$) presented in Figure 2.

5.

The remaining cases with, for instance, $\mathrm{Minus}{t}_1{t}_2$, could be proven by employing a very similar idea presented in the above item 4.

□

We summarize below the given Coq implementation, proof of Theorem 1, in such a way that we highlight the crucial points itemized in the above pen-and-paper proof by comment-outs. Please refer to the accompanying library for the complete proof.

Lemma 5

(subst_preserves_typing). $\forall xtv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t:\tau \Rightarrow ⊢v:\upsilon \Rightarrow$$\Gamma ⊢t[x:=v]:\tau .$

Proof.

The statement informally says that under some context $\Gamma$, substitution of the string x with some term v within the term t, the type of t remains unchanged, provided $\Gamma ,x:\upsilon ⊢t:\tau$ ($Ha$) and $⊢v:\upsilon$ ($Hb$). We argue by structural induction on the term t:

• $t=\mathrm{Ident}s$ for some arbitrary string s. If $x=s$, the hypothesis $Ha$ takes the following shape: $\Gamma ,s:\upsilon ⊢\mathrm{Ident}s:\tau$ which implies that $\upsilon =\tau$. The goal $\Gamma ⊢\left(\mathrm{Ident}s\right)[s:=v]:\upsilon$ simplifies into $\Gamma ⊢v:\upsilon$ by Definition 2 of the substitution function. Employing the fact that $\forall \Gamma \Lambda e\kappa ,\Gamma ⊢e:\kappa \Rightarrow$ $(\forall y,y\notin \mathrm{fv}y\Rightarrow \Gamma (y)=\Lambda (y\left)\right)\Rightarrow$ $\Lambda ⊢e:\kappa$ (named context_invariance in the Coq code), we deduce $\Gamma ⊢v:\upsilon$ out of the hypothesis $Hb$, and the goal is closed. Else if $x\ne s$ then ($Ha$) turns into $\Gamma \left(s\right)=\tau$. The goal $\Gamma ⊢\left(\mathrm{Ident}s\right)[x:=v]:\tau$ simplifies into $\Gamma \left(s\right)=\tau$ again by Definition 2. This is in fact the hypothesis ($Hb$) itself.
• $t=\lambda s:\kappa .e$ for some arbitrary string s, type $\kappa$, and term e. The goal we aim to prove is $\Gamma ⊢(\lambda s:\kappa .e)[x:=v]:\tau$, provided an induction hypothesis $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢e:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢e[x:=v]:\tau$ ($IHe$). If $x=s$ then we have $(\lambda s:\kappa .e)[s:=v]$ amounts to $\lambda s:\kappa .e$ by Definition 2. Therefore, the goal turns out to be $\Gamma ⊢\lambda s:\kappa .e:\tau$. Using the fact that $\forall \Gamma \Lambda e\kappa ,\Gamma ⊢e:\kappa \Rightarrow (\forall y,y\notin \mathrm{fv}y$ $\Rightarrow \Gamma \left(y\right)=\Lambda \left(y\right))$ $\Rightarrow \Lambda ⊢e:\kappa$ (context_invariance in the Coq code) over the contexts $\Gamma ,s:\upsilon$ and $\Gamma$ with the hypothesis $Ha$ (namely, $\Gamma ,s:\upsilon ⊢\lambda s:\kappa .e:\tau$), we manage to extend the list of assumptions with $\Gamma ⊢\lambda s:\kappa .e:\tau$, and have the goal closed. If $x\ne s$, we need to show that $\Gamma ⊢\lambda s:\kappa .e[x:=v]:\tau$ or better that $\Gamma ,s:\kappa ⊢e[x:=v]:\tau$ thanks to Definition 2 and to the ($ap{p}_t$) rule in Figure 4. Remark that in this case, the hypothesis ($Ha$) first takes the shape $\Gamma ,x:\upsilon ⊢\lambda s:\kappa .e:\tau$ then simplifies into $\Gamma ,x:\upsilon ,s:\kappa ⊢e:\tau$ again by the ($ap{p}_t$) rule. Specializing the induction hypothesis ($IHe$) with the context $\Gamma ,s:\kappa$, simplified version of ($Ha$) and ($Hb$), we close this goal.
• $t=\left(t_1{t}_2\right)$ for some terms $t_1$ and $t_2$. We try proving $\Gamma ⊢\left(t_1{t}_2\right)[x:=v]:\tau$ given $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_1:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_1[x:=v]:\tau$ ($IH{t}_1$) and $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_2:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_2[x:=v]:\tau$ ($IH{t}_2$) as induction hypotheses. We deduce $\Gamma ,x:\upsilon ⊢t_1:\kappa \to \tau$ (H) and $\Gamma ,x:\upsilon ⊢t_2:\kappa$ ($H_0$), for some type $\kappa$, by inversion over the hypothesis ($Ha$), namely $\Gamma ,x:\upsilon ⊢\left(t_1{t}_2\right):\tau$. Using (H) and ($Hb$) in ($IH{t}_1$), and ($H_0$) and ($Hb$) in ($IH{t}_2$), we, respectively, obtain $\Gamma ⊢t_1[x:=v]:\kappa \to \tau$ and $\Gamma ⊢t_2[x:=v]:\kappa$, which prove the goal thanks to Definition 4 of the substitution function and the rule ($ap{p}_t$) in Figure 4.
• $t=\mathrm{ITE}{t}_1{t}_2{t}_3$ for some terms $t_1$, $t_2$, and $t_3$. The statement we intend to show in this case turns out to be $\Gamma ⊢\left(\mathrm{ITE}{t}_1{t}_2{t}_3\right)[x:=v]:\tau$ given $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_1:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_1[x:=v]:\tau$ ($IH{t}_1$), $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_2:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_2[x:=v]:\tau$ ($IH{t}_2$) and $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_3:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_3[x:=v]:\tau$ ($IH{t}_3$) as induction hypotheses. It is quite easy to infer $\Gamma ,x:\upsilon ⊢t_1:Bool$ (H), $\Gamma ,x:\upsilon ⊢t_2:\tau$ ($H_0$), and $\Gamma ,x:\upsilon ⊢t_3:\tau$ ($H_1$) by inversion over the hypothesis ($Ha$), namely $\Gamma ,x:\upsilon ⊢\mathrm{ITE}{t}_1{t}_2{t}_3:\tau$. We then specialize ($IH{t}_1$) with (H) and ($Hb$), ($IH{t}_2$) with ($H_0$) and ($Hb$), and ($IH{t}_3$) with ($H_1$) and ($Hb$) to respectively obtain $\Gamma ⊢t_1[x:=v]:Bool$, $\Gamma ⊢t_2[x:=v]:\tau$ and $\Gamma ⊢t_3[x:=v]:\tau$. These are adequate to prove the statement due to Definition 4 of the substitution function and the rule ($it{e}_t$) in Figure 4.
• $t=\mathrm{Fix}{t}_1$ for some term $t_1$. The goal of the case is of the following shape: $\Gamma ⊢\left(\mathrm{Fix}{t}_1\right)[x:=v]:\tau$. We additionally have a single induction hypothesis $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_1:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_1[x:=v]:\tau$ ($IH{t}_1$). The hypothesis ($Ha$), $\Gamma ,x:\upsilon ⊢\mathrm{Fix}{t}_1:\tau$, entails by inversion that $\Gamma ,x:\upsilon ⊢t_1:\tau \to \tau$ (H). We then specialize ($IH{t}_1$) with (H) and ($Hb$) to have $\Gamma ⊢t_1[x:=v]:\tau \to \tau$. This is enough to close the goal thanks to Definition 4 of the substitution function and the rule ($fi{x}_t$) in Figure 4.
• $t=\mathrm{Plus}{t}_1{t}_2$ for some terms $t_1$ and $t_2$. The goal we aim to close in this case is $\Gamma ⊢\left(\mathrm{Plus}{t}_1{t}_2\right)[x:=v]:\tau$ along with two induction hypotheses $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_1:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_1[x:=v]:\tau$ ($IH{t}_1$), $\forall xv\tau \upsilon \Gamma ,\Gamma ,x:\upsilon ⊢t_2:\tau \Rightarrow ⊢v:\upsilon \Rightarrow \Gamma ⊢t_2[x:=v]:\tau$ ($IH{t}_2$). We infer $\Gamma ,x:\upsilon ⊢t_1:Int$ (H) and $\Gamma ,x:\upsilon ⊢t_2:Int$ ($H_0$) inverting the hypothesis ($Ha$). Lastly, we specialize ($IH{t}_1$) with (H) and ($Hb$), ($IH{t}_2$) with ($H_0$) and ($Hb$) to handle $\Gamma ⊢t_1[x:=v]:Int$, $\Gamma ⊢t_2[x:=v]:Int$ which prove the goal due to Definition 4 and the rule ($plu{s}_t$) in Figure 4.
• The cases with t, being either $\mathrm{Minus}{t}_1{t}_2$, $\mathrm{Mult}{t}_1{t}_2$, $\mathrm{Eq}{t}_1{t}_2$, or $\mathrm{Gt}{t}_1{t}_2$ follow the same lines with the proof given in the above item 6. The cases where $t=\mathrm{NVal}n$ and $t=\mathrm{BVal}b$ are trivial just because the substitution function has no impact on these terms.

□

The preservation statement claims that the type of a given term does not vary under beta-reduction.

Theorem 2

(Preservation). $\forall t{t}^{\prime },⊢t:\tau \wedge t{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$.

Proof.

The proof proceeds by a structural induction over the term t. The cases involving $\mathrm{Ident}x$, $\lambda x:\tau .e$, $\mathrm{NVal}n$, and $\mathrm{BVal}b$ trivially hold by contradiction: these terms do not reduce any further, contradicting the assumption $t{\to }_{\beta }{t}^{\prime }$.

1.

The case with the application ($t_1{t}_2$), for some arbitrary terms $t_1$ and $t_2$, are more appealing and, thus, deserve a closer look. Here, we are supposed to show (for all types $\tau$) that $⊢t^{\prime }:\tau$ holds; provided $\left(t_1{t}_2\right):\tau$ (H), $\left(t_1{t}_2\right){\to }_{\beta }{t}^{\prime }$ ($H_0$), and a pair of induction hypotheses $\forall t^{\prime }\tau ,⊢t_1:\tau \wedge t_1{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_1$) and $\forall t^{\prime }\tau ,⊢t_2:\tau \wedge t_2{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_2$). Notice that by plugging in the hypothesis (H) into Lemma 1, we can deduce the facts that $⊢t_1:\upsilon \to \tau$ ($H_1$) and $⊢t_2:\upsilon$ ($H_2$), for some type $\upsilon$. At this stage, we apply a case analysis on the term $t_1$ (below the goals) to close:

(a)

$t_1=\lambda x:\upsilon .e$ for some term e and type $\upsilon$. We definitely obtain some $t^{\prime }$ after beta-reducing the term inhabited by the hypothesis (H) $(\lambda x:\upsilon .e)t_2$ depending on the choice of whether $t_2$ is a value or not:

i.

$\mathtt{isvalue}{t}_2=true$. In this case, $t^{\prime }$ amounts to $e[x:=t_2]$, due to the rule ($ap{p}_3$) presented in Figure 2, and we are expected to prove that $⊢e[x:=t_2]:\tau$. Thanks to Lemma 5, to obtain $⊢e[x:=t_2]:\tau$ (proven), we need to close two goals, which are $x:\upsilon ⊢e:\tau$ and $⊢t_2:\upsilon$:

• $x:\upsilon ⊢e:\tau$. Recall that we have $⊢\lambda x:\upsilon .e:\upsilon \to \tau$ due to ($H_1$). We solve the goal just by inverting the rule ($la{m}_t$) in Figure 4.
• $⊢t_2:\upsilon$. This one is exactly ($H_2$).

ii.

$\mathtt{isvalue}{t}_2=false$. Thanks to Progress Theorem 1 and the hypothesis ($H_1$), we have $\mathtt{isvalue}{t}_2=true\vee \exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$. As the left side of the disjunction is contradictory to the assumption of the case, we focus on the right side, which tells us that there exists some $t_2^{\prime }$, such that $t_2{\to }_{\beta }{t}_2^{\prime }$. Therefore, $t^{\prime }$ amounts to $(\lambda x:\upsilon .e)t_2^{\prime }$ due to the rule ($ap{p}_4$) presented in Figure 2. Namely, we are supposed to show that $⊢(\lambda x:\upsilon .e)t_2^{\prime }:\tau$ holds. By properly specializing the induction hypothesis ($IH{t}_2$), we end up with $⊢t_2^{\prime }:\upsilon$. With this information in hand, just by employing the rule ($ap{p}_t$) in Figure 4, we ensure that the application $(\lambda x:\upsilon .e)t_2^{\prime }$ is of type $\tau$ under the empty context.

(b)

$t_1=\left(e_1{e}_2\right)$ for some arbitrary terms $e_1$ and $e_2$. It is known by ($H_1$) that the application $\left(e_1{e}_2\right)$ is of type $\upsilon \to \tau$ under the empty context. Passing this well-typed information to Progress Theorem 1, we have $\mathtt{isvalue}\left(e_1{e}_2\right)=true\vee \exists t_1^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{t}_1^{\prime }$. Due to the fact that $\mathtt{isvalue}\left(e_1{e}_2\right)=false$, we are left with $\exists t_1^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{t}_1^{\prime }$. Therefore, the goal that we aim to prove in this case takes the following shape: $⊢t_1^{\prime }{t}_2:\tau$ due to the rule ($ap{p}_2$) presented in Figure 2. Specializing the induction hypothesis ($IH{t}_1$) with the correct ingredients gives us $⊢t_1^{\prime }:\upsilon \to \tau$. Making use of the hypothesis ($H_2$) and the rule ($ap{p}_t$) placed in Figure 4, we conclude that $⊢t_1^{\prime }{t}_2:\tau$ holds.

(c)

$t_1=\mathrm{ITE}{e}_1{e}_2{e}_3$ for some arbitrary terms $e_1$, $e_2$ and $e_3$. Similar to the proof in the above item, we know that the term $\mathrm{ITE}{e}_1{e}_2{e}_3$ is of type $\upsilon \to \tau$ under the empty context. This, Progress Theorem 1 gives us $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=true\vee \exists t_1^{\prime },\mathrm{ITE}{e}_1{e}_2{e}_3{\to }_{\beta }{t}_1^{\prime }$. Just that $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=true$ is incorrect, we focus on $\exists t_1^{\prime },\left(\mathrm{ITE}{e}_1{e}_2{e}_3\right)$ ${\to }_{\beta }{t}_1^{\prime }$. This heads us toward proving $⊢t_1^{\prime }{t}_2:\tau$ due to the rule ($ap{p}_2$) presented in Figure 2. Similar to that of the above item (b), we specialize in the induction hypothesis ($IH{t}_1$) with the correct ingredients, and have $⊢t_1^{\prime }:\upsilon \to \tau$. We close this goal just by employing the hypothesis ($H_2$) and the rule ($ap{p}_t$) appearing in Figure 4.

(d)

$t_1=\mathrm{Fix}{e}_1$ for some arbitrary term $e_1$. By chasing the exact same steps demonstrated in the above items (b) and (c), we end up retaining $\exists t_1^{\prime },\mathrm{Fix}{e}_1{\to }_{\beta }{t}_1^{\prime }$ to show $⊢t_1^{\prime }{t}_2:\tau$, which we solve again by putting the induction hypothesis ($IH{t}_2$) together with the rule ($ap{p}_t$) in operation.

(e)

$t_1=\left(\mathrm{Plus}{e}_1{e}_2\right)$ for some arbitrary terms $e_1$ and $e_2$. The goal in this case is proven by contradiction as due to the hypothesis ($H_1$), the term $t_1$ needs to be of some arrow-type $\upsilon \to \tau$, but it is of type $Int$.

(f)

The other cases in which the term $t_1$ appears to be either $\mathrm{NVal}n$, $\mathrm{Minus}{e}_1{e}_2$, $\mathrm{Mult}{e}_1{e}_2$, $\mathrm{Eq}{e}_1{e}_2$, or $\mathrm{Gt}{e}_1{e}_2$, and could be proven in a similar manner with that of the above item (e). The goal where $t_1$ amounts to $\mathrm{BVal}b$ is similarly proven with a single difference, where $t_1$ is of type $Bool$, not $Int$. Lastly, the goal with $t_1=\mathrm{Ident}x$ holds by contradiction as the term $t_1$ is ill-typed under the empty context.

2.

$t=\mathrm{ITE}{t}_1{t}_2{t}_3$ for some terms $t_1$, $t_2$ and $t_3$. In this case, we aim to prove for all types $\tau$ that $⊢t^{\prime }:\tau$ holds; given that $\mathrm{ITE}{t}_1{t}_2{t}_3:\tau$ (H), $\mathrm{ITE}{t}_1{t}_2{t}_3{\to }_{\beta }{t}^{\prime }$ ($H_0$) along with three induction hypotheses $\forall t^{\prime }\tau ,⊢t_1:\tau \wedge t_1{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_1$), $\forall t^{\prime }\tau ,⊢t_2:\tau \wedge t_2{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_2$), and $\forall t^{\prime }\tau ,⊢t_3:\tau \wedge t_3{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_3$). Note also that we deduce the facts $⊢t_1:Bool$ ($Ha$), $⊢t_2:\tau$ ($Hb$), and $⊢t_3:\tau$ ($Hc$) by specializing Lemma 2 with the hypothesis (H). The proof proceeds with a case analysis over the term $t_1$, and  requires the following cases to be proven:

(a)

The goals in which the term $t_1$ is $\mathrm{Ident}x$, $\mathrm{NVal}n$, $\lambda x:\upsilon .e$, $\mathrm{Plus}{e}_1{e}_2$, $\mathrm{Minus}{e}_1{e}_2$, $\mathrm{Mult}{e}_1{e}_2$, $\mathrm{Eq}{e}_1{e}_2$, or $\mathrm{Gt}{e}_1{e}_2$ are trivially shown by contradictions, as none of these terms are of type $Bool$ as expected by the hypothesis ($Ha$).

(b)

$t_1=\left(e_1{e}_2\right)$ for some arbitrary terms $e_1$ and $e_2$. The hypothesis $Ha$ tells us that $⊢\left(e_1{e}_2\right):Bool$. This, with Progress Theorem 1, entails that $\mathtt{isvalue}\left(e_1{e}_2\right)=true\vee \exists t_1^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{t}_1^{\prime }$. The left side of the disjunction is obviously incorrect. We, therefore, obtain $\exists t_1^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{t}_1^{\prime }$. Accordingly, the goal we intend to prove in this case turns out to be $⊢\mathrm{ITE}{t}_1^{\prime }{t}_2{t}_3:\tau$ due to the rule ($it{e}_3$) presented in Figure 2. By specializing the induction hypothesis ($IH{t}_1$) with proper terms and types, we have $⊢t_1^{\prime }:Bool$. Thanks to the hypotheses ($Hb$), ($Hc$), and the rule ($it{e}_t$) given in Figure 4, we show that $⊢\left(\mathrm{ITE}{t}_1^{\prime }{t}_2{t}_3\right):\tau$.

(c)

$t_1=\mathrm{BVal}b$ for Boolean b. We carry on with a case distinction on b:

• if b is Boolean true: $\mathrm{ITE}\left(\mathrm{BVal}\mathrm{true}\right)t_2{t}_3{\to }_{\beta }{t}_2$, thanks to the rule ($it{e}_1$) presented in Figure 2. Therefore, the goal takes the shape $⊢t_2:\tau$, which is the hypothesis ($Hb$).
• if b is Boolean false: similarly, $\mathrm{ITE}\left(\mathrm{BVal}\mathrm{false}\right)t_2{t}_3{\to }_{\beta }{t}_3$, thanks to the rule ($it{e}_2$) stated in Figure 2. The goal is now $⊢t_3:\tau$. This is trivial as it is exactly the hypothesis ($Hc$).

(d)

$t_1=\mathrm{ITE}{e}_1{e}_2{e}_3$ for some arbitrary terms $e_1$, $e_2$ and $e_3$. The hypothesis $\left(Ha\right)$ entails that $⊢\mathrm{ITE}{e}_1{e}_2{e}_3:Bool$. Progress Theorem 1 over this fact gives $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=true\vee \exists t_1^{\prime },\mathrm{ITE}{e}_1{e}_2{e}_3{\to }_{\beta }{t}_1^{\prime }$. Provided that $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=false$, we focus on the right side of the disjunction; that is $\exists t_1^{\prime },\mathrm{ITE}{e}_1{e}_2{e}_3{\to }_{\beta }{t}_1^{\prime }$. In this parallel, the goal we want to close is $⊢\mathrm{ITE}{t}_1^{\prime }{t}_2{t}_3:\tau$ thanks to the rule ($it{e}_3$) presented in Figure 2. By specializing the induction hypothesis ($IH{t}_1$) with proper terms and types, we have $⊢t_1^{\prime }:Bool$. Thanks to the hypotheses ($Hb$), ($Hc$), and the rule ($it{e}_t$) stated in Figure 4, we show that $⊢\mathrm{ITE}{t}_1^{\prime }{t}_2{t}_3:\tau$.

(e)

$t_1=\mathrm{Fix}f$ for some term f. Similar to case (d) above, the hypothesis ($Ha$) entails that $⊢\mathrm{Fix}f:\tau$. This, with Progress Theorem 1, we deduce $\mathtt{isvalue}\mathrm{Fix}f=true\vee \exists f^{\prime },\mathrm{Fix}f{\to }_{\beta }{f}^{\prime }$. As it is obvious that $\mathtt{isvalue}\mathrm{Fix}f=false$, we are left with $\exists f^{\prime },\mathrm{Fix}f{\to }_{\beta }{f}^{\prime }$. The goal we want to close here is that $⊢\mathrm{ITE}{f}^{\prime }{t}_2{t}_3:\tau$ due to the rule ($it{e}_3$) presented in Figure 2. We now specialize the induction hypothesis ($IH{t}_1$) with proper terms and types, and obtain $⊢f^{\prime }:Bool$. Thanks to the hypotheses ($Hb$), ($Hc$), and the rule ($it{e}_t$) appearing in Figure 4, we prove that $⊢\mathrm{ITE}{f}^{\prime }{t}_2{t}_3:\tau$.

3.

For the case $\mathrm{Fix}f$, we aim to prove for all types $\tau$ that $⊢f^{\prime }:\tau$ holds; given that $\mathrm{Fix}f:\tau$ (H), $\mathrm{Fix}f{\to }_{\beta }{t}^{\prime }$ ($H_0$) strengthened with the induction hypothesis $\forall f^{\prime }\tau ,⊢f:\tau \wedge f{\to }_{\beta }{f}^{\prime }\Rightarrow ⊢f^{\prime }:\tau$ ($IHf$). Moreover, we have $⊢f:\tau \to \tau$ ($Ha$) when Lemma 3 is applied to the hypothesis (H). The proof proceeds with a case analysis over the term f, and requires the following cases to be proven:

(a)

The goals in which the term $t_1$ is any of $\mathrm{Ident}x$, $\mathrm{NVal}n$, $\mathrm{BVal}b$, $\mathrm{Plus}{e}_1{e}_2$, $\mathrm{Minus}{e}_1{e}_2$, $\mathrm{Mult}{e}_1{e}_2$, $\mathrm{Eq}{e}_1{e}_2$ and $\mathrm{Gt}{e}_1{e}_2$ are trivially demonstrated by contradiction as none of these terms are of the arrow type $\tau \to \tau$ as expected by the hypothesis ($Ha$).

(b)

$f=\lambda x:\upsilon .e$ for some term e and type $\upsilon$. Recall that the rule ($fi{x}_1$) stated in Figure 2, we have $\mathrm{Fix}(\lambda x:\upsilon .e){\to }_{\beta }e[x:=\mathrm{Fix}(\lambda x:\upsilon .e)]$. Notice that, on a side note, the term $\lambda x:\upsilon .e$ needs to be of type $\tau \to \tau$ due to the hypothesis ($Ha$). By inversion here, we deduce that $\upsilon =\tau$ and $x:\tau ⊢e:\tau$ ($Hb$). Having said that, let us look into the statement that needs to be proven in this case: $⊢e[x:=\mathrm{Fix}(\lambda x:\tau .e\left)\right]:\tau$ (due to the rule ($fi{x}_1$) presented in Figure 2). Thanks to Lemma 5, to prove the mentioned goal, we need to close two goals: $x:\tau ⊢e:\tau$ and $⊢\mathrm{Fix}(\lambda x:\tau .e):\tau$.

• $x:\tau ⊢e:\tau$. This is exactly the hypothesis ($Hb$).
• $⊢\mathrm{Fix}(\lambda x:\tau .e):\tau$. This one matches with the hypothesis (H).

(c)

$f=\left(e_1{e}_2\right)$ for some arbitrary terms $e_1$ and $e_2$. The hypothesis ($Ha$) entails that $⊢\left(e_1{e}_2\right):\tau \to \tau$. Employing this fact within Progress Theorem 1, we deduce $\mathtt{isvalue}\left(e_1{e}_2\right)=true\vee \exists f^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{f}^{\prime }$. The left side of the disjunction is obviously incorrect. We therefore obtain $\exists f^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{f}^{\prime }$. Thus the goal turns out to be $⊢\mathrm{Fix}{f}^{\prime }:\tau$ due to the rule ($fi{x}_2$) presented in Figure 2. By properly specializing the induction hypothesis ($IHf$), we have $⊢f^{\prime }:\tau \to \tau$. Now by the rule ($fi{x}_t$) given in Figure 4, we conclude that $\mathrm{Fix}{f}^{\prime }:\tau$.

(d)

$f=\mathrm{ITE}{e}_1{e}_2{e}_3$ for some arbitrary terms $e_1$, $e_2$ and $e_3$. Similar to case (c) above, the hypothesis ($Ha$) entails that $⊢\mathrm{ITE}{e}_1{e}_2{e}_3:\tau \to \tau$. Progress Theorem 1 specialized with this fact implies that $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=true\vee \exists t_1^{\prime },\mathrm{ITE}{e}_1{e}_2{e}_3{\to }_{\beta }{t}_1^{\prime }$. Provided that $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=false$, we focus on the right side of the disjunction; that is $\exists f^{\prime },\mathrm{ITE}{e}_1{e}_2{e}_3{\to }_{\beta }{f}^{\prime }$. In this parallel, the goal we want to close here is $⊢\mathrm{Fix}{f}^{\prime }:\tau$ due to the rule ($fi{x}_2$) presented in Figure 2. We now specialize the induction hypothesis ($IHf$), and obtain $⊢f^{\prime }:\tau \to \tau$. Now by the rule ($fi{x}_t$) stated in Figure 4, we conclude that $\mathrm{Fix}{f}^{\prime }:\tau$.

(e)

$f=\mathrm{Fix}e$ for some arbitrary term e. By following the exact same steps presented in the above items (c) and (d), we end up having $\exists f^{\prime },\mathrm{Fix}e{\to }_{\beta }{f}^{\prime }$ to show $⊢\mathrm{Fix}{f}^{\prime }:\tau$ (due to the rule ($fi{x}_2$) presented in Figure 2) which we solve again by putting the induction hypothesis ($IHf$) together with the rule ($fi{x}_t$) in use.

4.

Concerning the case with $t=\mathrm{Plus}{t}_1{t}_2$, for some arbitrarily chosen terms, $t_1$ and $t_2$, we want to prove for all types $\tau$ that $⊢t^{\prime }:\tau$ holds, provided that $⊢\mathrm{Plus}{t}_1{t}_2:\tau$ (H), $\mathrm{Plus}{t}_1{t}_2{\to }_{\beta }{t}^{\prime }$ ($H_0$) and two induction hypotheses $\forall t^{\prime }\tau ,⊢t_1:\tau \wedge t_1{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_1$), $\forall t^{\prime }\tau ,⊢t_2:\tau \wedge t_2{\to }_{\beta }{t}^{\prime }\Rightarrow ⊢t^{\prime }:\tau$ ($IH{t}_2$). In addition to these, we enrich the set of hypotheses with $\tau =Int$ ($Ha$), $⊢t_1:Int$ ($Hb$), and $⊢t_2:Int$ ($Hc$) just by applying Lemma 4 over the hypothesis (H). The proof proceeds with a case distinction over the term $t_1$, and throws us cases to prove:

(a)

The goals in which term $t_1$ is $\mathrm{Ident}x$, $\mathrm{BVal}b$, $(\lambda x:\upsilon .e)$, $\left(\mathrm{Eq}{e}_1{e}_2\right)$, or $\left(\mathrm{Gt}{e}_1{e}_2\right)$ and trivially proven by contradiction as none of these terms are of type $Int$ as expected by the hypothesis ($Hb$).

(b)

$t_1=\left(e_1{e}_2\right)$ for some arbitrary terms $e_1$ and $e_2$. We deduce out of the hypothesis ($Hb$) that $⊢\left(e_1{e}_2\right):Int$. With this information, we could further infer that $\mathtt{isvalue}\left(e_1{e}_2\right)=true\vee \exists t_1^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{t}_1^{\prime }$ thanks to Progress Theorem 1. Given that $\mathtt{isvalue}\left(e_1{e}_2\right)=false$, we take $\exists t_1^{\prime },\left(e_1{e}_2\right){\to }_{\beta }{t}_1^{\prime }$ into account, and therefore the goal takes the following shape: $⊢\mathrm{Plus}{t}_1^{\prime }{t}_2:Int$, due to the rule ($plu{s}_3$) presented in Figure 2. We could put the induction hypothesis ($IH{t}_1$) into the following shape: $⊢t_1^{\prime }:Int$ employing the hypothesis ($Hb$). Now, by using the rule ($plu{s}_t$), and the hypothesis ($Hc$), we conclude that $⊢\mathrm{Plus}{t}_1^{\prime }{t}_2:Int$ holds.

(c)

$t_1=\mathrm{NVal}n$ for some Coq natural n. Thanks to the hypothesis ($Hc$), we already know that $⊢t_2:Int$. Applying Progress Theorem 1 to this fact, we obtain $\mathtt{isvalue}{t}_2=true\vee \exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$. Destructing this disjunction throws us the following two goals to prove, independently assuming $\mathtt{isvalue}{t}_2=true$ and $\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$:

• $\mathtt{isvalue}{t}_2=true$. The only choice that makes this case non-contradictory is that of $t_2=\mathrm{NVal}m$ for a Coq natural m. Other cases lead to contradictions disobeying either $\mathtt{isvalue}{t}_2=true$ or $⊢t_2:Int$. Using the rule ($plu{s}_1$) shown in Figure 2, we have $\mathrm{Plus}\left(\mathrm{NVal}n\right)\left(\mathrm{NVal}m\right){\to }_{\beta }\mathrm{NVal}(n+m)$. Therefore, the statement we try proving here is $⊢\mathrm{NVal}(n+m):Int$, which is entailed by the rule ($nva{l}_t$) presented in Figure 4.
• $\exists t_2^{\prime },t_2{\to }_{\beta }{t}_2^{\prime }$. We proceed with a case distinction on the term $t_2$. Note that the statements where $t_2$ is a value trivially hold, no further reductions from $t_2$ are possible, which contradicts the assumption of the case. We have the statement $⊢\mathrm{Plus}\left(\mathrm{NVal}n\right)t_2^{\prime }:Int$ to be proven for the remaining cases, due to the rule ($plu{s}_2$) stated in Figure 2. To prove this statement, we specialize the induction hypothesis ($IH{t}_2$) with proper terms and types, and turn it into $⊢t_2^{\prime }:Int$. This fact and the rule ($plu{s}_t$) presented in Figure 4 give us $⊢\mathrm{Plus}\left(\mathrm{NVal}n\right)t_2^{\prime }:Int$.

(d)

$t_1=\mathrm{ITE}{e}_1{e}_2{e}_3$ for some arbitrary terms $e_1$, $e_2$ and $e_3$. The hypothesis ($Hb$) can be used to infer $⊢\mathrm{ITE}{e}_1{e}_2{e}_3:Int$. Using this within Progress Theorem 1, it is possible to infer $\mathtt{isvalue}\mathrm{ITE}{e}_1{e}_2{e}_3=true$ $\vee \exists t_1^{\prime },\mathrm{ITE}{e}_1{e}_2{e}_3{\to }_{\beta }{t}_1^{\prime }$. Recall that only the right side of this disjunction is useful as the other leads to a contradiction. Building on this, our goal here turns out to be $⊢\mathrm{Plus}{t}_1^{\prime }{t}_2:Int$ due to the rule ($plu{s}_3$) given in Figure 2. We then specialize the induction hypothesis ($IH{t}_1$) properly and obtain $⊢t_1^{\prime }:Int$. By the rule ($plu{s}_t$) and the hypothesis ($Hc$), we have $⊢\mathrm{Plus}{t}_1^{\prime }{t}_2:Int$ proven.

(e)

$t_1=\mathrm{Fix}f$ for some arbitrary term f. We follow the exact same steps presented in the above items (b) and (d): first infer $\exists t_1^{\prime },\mathrm{Fix}f{\to }_{\beta }{t}_1^{\prime }$ then show $⊢\mathrm{Plus}{t}_1^{\prime }{t}_2:Int$ by employing the rule ($plu{s}_t$), and putting the induction hypothesis ($IH{t}_1$) in the intended shape.

(f)

$t_1=\mathrm{Plus}{e}_1{e}_2$ for some arbitrary terms $e_1$ and $e_2$. We follow the same step with that of the above item (e). That is, we first have $\exists t_1^{\prime },\mathrm{Plus}{e}_1{e}_2{\to }_{\beta }{t}_1^{\prime }$ out of Progress Theorem 1, and aim at proving $⊢\mathrm{Plus}{t}_1^{\prime }{t}_2:Int$ (thanks to the rule ($plu{s}_3$) presented in Figure 2). The proof is constructed out of the rule ($plu{s}_t$) and correctly shaped induction hypothesis ($IH{t}_1$).

(g)

The other cases in which the term $t_1$ appears to be $\mathrm{Minus}{e}_1{e}_2$ or $\mathrm{Mult}{e}_1{e}_2$ could be proven in a similar manner to $\mathrm{Plus}{e}_1{e}_2$ described in the above item (f).

5.

The remaining cases with, for instance, $\mathrm{Mult}{t}_1{t}_2$, could be proven, employing a very similar idea presented in the above item 4.

□

We summarize below, in a Coq implementation, a proof of Theorem 2 marking the items presented in the above pen-and-paper proof with comment-outs. Please refer to the accompanying library for the complete proof.

Definition 5

(Multi-Step Evaluation). We define the multi-step evaluation function (evaln) as the reflexive-transitive closure of the beta-reduction upper-bounded by a natural n:

evaln t 0	→	t
evaln t (S n)	→	let $t{\to }_{\beta }{t}^{\prime }in$ evaln $t^{\prime }$ n

In Coq, we wrap the output term of the evaln function with Coq’s option type. By this, we aim to handle the cases in which t has no further evaluation steps with None:

Definition 6

(Stuck). A term t is said to be stuck if there exists no $t^{\prime }$, such that $t{\to }_{\beta }{t}^{\prime }$ and t is not a value. That formally is

$$\forall t,\nexists t^{\prime },t{\to }_{\beta }{t}^{\prime }\wedge \mathtt{i}\mathtt{s}\mathtt{v}\mathtt{a}\mathtt{l}\mathtt{u}\mathtt{e}t=false.$$

It is straightforward to reflect this definition into Coq:

The soundness statement just combines the claims of that of progress and preservation. Namely, for every well-typed term t, if after n reduction steps, t reduces into some term $t^{\prime }$ then $t^{\prime }$ cannot be stuck.

Theorem 3

(Type Soundness). $\forall nt{t}^{\prime }\tau ,⊢t:\tau \wedge evalntn=t^{\prime }\Rightarrow \neg stuck{t}^{\prime }.$

Proof.

Unfolding the definitions stuck and not, we are supposed to prove False (in Coq’s Prop) provided that $⊢t:\tau$ ($Ha$), $evalntn=t^{\prime }$ ($Hb$), $\nexists t^{\prime \prime },t^{\prime }{\to }_{\beta }{t}^{\prime \prime }$ ($Hne$) and $\mathtt{isvalue}{t}^{\prime }=false$ ($Hnv$). The proof proceeds by a structural induction over the natural number n throwing us two cases to prove.

• $n=0$. Notice that the hypothesis ($Hb$) (with $n=0$) entails that $t=t^{\prime }$. We employ Progress Theorem 1 specialized by the hypothesis ($Ha$), and deduce $\mathtt{isvalue}t=true$ $\vee \exists t^{\prime \prime },t{\to }_{\beta }{t}^{\prime \prime }$. The goal, in this case, is trivially proven as the left side of the disjunction contradicts with ($Hnv$), while the right-hand side contradicts with ($Hne$).
• $n=Sm$. In this case, we additionally have the induction hypothesis $\forall t{t}^{\prime }\tau ,⊢t:\tau \Rightarrow evalntm=t^{\prime }\Rightarrow \nexists t^{\prime \prime },t^{\prime }{\to }_{\beta }{t}^{\prime \prime }\wedge \mathtt{isvalue}{t}^{\prime }=false$$\Rightarrow \mathtt{False}$ ($IHn$). We again make use of Progress Theorem 1 specialized by the hypothesis ($Ha$), and obtain $\mathtt{isvalue}t=true$ $\vee \exists e,t{\to }_{\beta }e$. We now destruct this fact, and are supposed to prove the goal, which is False here, twice assuming $\mathtt{isvalue}t=true$ and $\exists e,t{\to }_{\beta }e$ independently:
  • $\mathtt{isvalue}t=true$. It is obvious in this case that the term t does not reduce even a single step further. Namely, there is no $t^{\prime }$, such that $evalnt\left(Sm\right)=t^{\prime }$, which contradicts the hypothesis ($Hb$), and closes the goal.
  • $\exists e,t{\to }_{\beta }e$. We know that there is some term e into which the term t reduces in a single beta-step. We also know by the hypothesis ($Hb$) that t reduces into some term $t^{\prime }$ in $Sm$ (or $m+1$) steps. Putting these together, we infer that the term e reduces into the $t^{\prime }$ in m steps, namely $evalnem=t^{\prime }$. Moreover, we specialize the Preservation Theorem 2 with the hypothesis ($Ha$) and the fact that $t{\to }_{\beta }e$ to retain $⊢e:\tau$ ($Hte$). This time, making use of ($Hte$) and the fact that $evalnem=t^{\prime }$, we put the induction hypothesis ($IHn$) into the following shape: $\nexists t^{\prime \prime },t^{\prime }{\to }_{\beta }{t}^{\prime \prime }\wedge \mathtt{isvalue}{t}^{\prime }=false\Rightarrow \mathtt{False}$. Into this, we plug the conjunction of the hypotheses ($Hne$) and ($Hnv$), and obtain a proof of False, which literally implies everything.

□

In a Coq implementation, the proof above could be summarized as follows:

4. Discussion

Observe that the detailed interpreter was developed in an extensible fashion. Namely, it is possible to extend the language of types, such that the object language becomes polymorphically typed. One can similarly extend the language of terms with other programming constructs, such as pairs, lists, match constructs, etc., to handle a richer object language safely interpreted. The formalization already contains an extension of ${\lambda }^{\to }$ interpreted as an application. For a use case that deals with a more involved and richer language, we kindly ask the reader to refer to a definitional interpreter (Section 1.1) for a polymorphically typed functional language written in Haskell. The same approach could easily be followed in the current Coq formalization (with additional cases brought over to prove) and reserved to be targeted as future work.

Obviously, for an object language that supports dependent types, the presented approach would not work well. That is because in a dependently typed setting, type-checking requires an evaluation; thus, it is better to have a single language for terms and types.

Remark also that interpreting object languages with computational side effects is beyond the scope of the implementation presented here. It is possible to extend the interpreter’s formalization in Coq with certain monads, as in [29], and handle related impurities. Moreover, monads could benefit from generating fresh variables to avoid ’variable capture’ that potentially comes up in substituting Lambda terms.

5. Conclusions

We developed (in the proof assistant Coq) a definitional interpreter and a type-checker for a purely functional language based on (some extension of) the simply typed Lambda calculus. We formally prove that the type-checker is sound with respect to the evaluation strategy. Namely, every term that type-checks also evaluates (or reduces) unless it is a value. We formalized the soundness proof by employing progress and presentation properties, and discuss the related lemmata in technical detail in the pen-and-paper style containing pointers to the corresponding Coq code. Moreover, there are a few items that could extend the development and be set as future goals. We list them below.

• The formalization does not handle de Bruijn indices [26] or other methods [27,28] that help avoid the variable capture, concerning terms involving free variables. The technical machinery related to these methods will be implemented.
• Extending the interpreter to handle polymorphically typed Lambda calculus embarking on the same approach presented herenote1 is (a definitional interpreted for a polymorphically typed functional language coded in Haskell) another goal to achieve.
• The interpreter could be expanded and scaled to handle some other programming blocks, such as pairs, match-end constructs, let bindings, pairs, lists, and records.

The accompanying Coq sources were tested to compile with coqc version coq-8.15.2 within approximately 43 s on an Intel Core i7-7600U machine running Ubuntu 22.04 LTS over 16 GB of external memory.