A Typed Context Calculus

Masatomo Hashimoto 1 and Atsushi Ohori 2

Research Institute for Mathematical Sciences, Kyoto University, Sakyo-ku, Kyoto606-8502, Japan

Abstract

This paper develops a typed calculus for contexts i.e., lambda terms with “holes”.In addition to ordinary lambda terms, the calculus contains labeled holes, hole ab-straction and context application for manipulating first-class contexts. The primaryoperation for contexts is hole-filling, which captures free variables. This operationconflicts with substitution of the lambda calculus, and a straightforward mixtureof the two results in an inconsistent system. We solve this problem by defining atype system that precisely specifies the variable-capturing nature of contexts andthat keeps track of bound variable renaming. These mechanisms enable us to de-fine a reduction system that properly integrates β-reduction and hole-filling. Theresulting calculus is Church-Rosser and the type system has the subject reductionproperty. We believe that the context calculus will serve as a basis for developinga programming language with advanced features that call for manipulation of openterms.

Key words: context, lambda calculus, type system, α-renaming

1 Introduction

A context in the lambda calculus is a term with a “hole” in it. The operationfor contexts is to fill the hole of a context with a term. For the purpose ofexplanation in this section, we write C[·] for a context containing the holeindicated by [·], and write C[M ] for the term obtained from C[·] by filling its

1 Masatomo Hashimoto’s current affiliation: Department of Information Science,University of Tokyo, Bunkyo-ku, Tokyo 113-0033, Japan.2 Atsushi Ohori’s work was partly supported by the Japanese Ministry of Edu-cation Grant-in-Aid for Scientific Research on Priority Area no. 275: “Advanceddatabases,” and by the Parallel and Distributed Processing Research Consortium,Japan.

Article published in Theoretical Computer Sciece 266 (2001) 249–272

hole with M . For example, if C[·] ≡ (λx.[·]+y) 3 then C[x+z] ≡ (λx.x+z+y) 3.As seen from this simple example, the feature that distinguishes this operationfrom substitution of the lambda calculus is that it captures free variables. Inthe above example, x in x + z becomes bound when it is filled in the context(λx.[·] + y) 3.

One motivation behind using contexts in the theory of lambda calculus is tostudy properties of open terms. Since the behavior of an open term dependson bindings of their free variables, in order to analyze its behavior, it is es-sential to consider possible contexts in which the open term occurs. Study ofprogram analyses based on contexts such as observational equivalence [13,11]yields important results in analysis of programming languages. In these andmost of other usages, context is a meta-level notion and its applicability toprogramming languages has largely been limited to meta-level manipulationof programs. We believe that if a programming language is extended withfirst-class contexts, then the extended language will provide various advancedfeatures that call for manipulation of open terms. Let us briefly mention a fewof them.

Programming environment. In conventional programming environments, pro-grams must first be compiled into “object modules”, and they must then belinked together to form an executable program. Moreover, an executable pro-gram must be a closed term. If a programming environment can be extendedwith the ability to link various software components dynamically, then itsflexibility will significantly increase. Since the mechanism of contexts we areadvocating offers a way of performing linking at runtime, it would provide abasis for developing such an environment in a theoretically sound way.

Distributed programming. In distributed programming, one often wants to senda piece of code to a remote site and execute it there. As witnessed by recentlyemerging Internet programming languages such as Java [4], this feature willgreatly enhance the expressive power of distributed programming. One naiveapproach to send a program is to pack all the necessary resources as a closureand send the entire closure to the remote site. An obvious drawback to thisapproach is inefficiency. Since in most cases, communicating sites share com-mon resources such as standard runtime libraries, a better approach would beto send an open term and to make the necessary binding at the remote site.A typed calculus with first-class contexts would provide a clean and type safemechanism for manipulating open terms.

First-class modules. A program using a module can naturally be regarded asan open term containing free variables whose values will be supplied by themodule. One way of modeling a module exporting a set of functions F1, . . . , Fn

through identifiers f1, . . . , fn would therefore be regarding it as a context thatcaptures variables f1, . . . , fn and bind them to F1, . . . , Fn, respectively. Using

2

(or “opening”) a module then corresponds to filling the hole of the contextwith the variables. This approach can provide a new foundation for flexiblemodule systems. In conventional languages with modules such as Modula-2[18] and Standard ML [12], there is rigid separation between the type systemfor modules and that of terms, and allowable operations on modules are ratherlimited. Significant potential advantage of the “modules-as-contexts” approachis that modules can be freely combined with any other constructions availablein the language i.e. that modules are treated as first-class citizens. Needless tosay, an actual module system must account for various features such as typeabstraction, type sharing and separate compilation, and the above simple viewalone does not immediately provide a proper basis for module systems. Wenonetheless believe that, when properly refined with various mechanisms formodule systems studied in literature, the above approach will open up a newpossibility for flexible module systems. Indeed, a recent work by Wells andVestergaad [17] shows a connection between their module language and ourcontext calculus.

The general motivation for this study is to develop a programming languagewith first-class contexts that can represent those features in a clean way.

Despite those and other potentially promising features of contexts, a languagewith first-class contexts has not been well investigated. Lee and Friedman[10] proposed a calculus where contexts and lambda terms are two disjointclasses of objects: contexts are regarded as “source code” and lambda termsas “compiled code”. This separation is done by assuming two disjoint variablename spaces: one for lambda terms and one for contexts. As a consequence, intheir system, β-reduction and fill-reduction are two disjoint relations withoutnon-trivial interaction. Dami [2] also announced a system for dynamic bindingsimilar to that of Lee and Friedman. While these approaches would be usefulfor representing source code as a data structure, they do not allow contextsof the language itself to be treated as first-class values inside the language.Kahrs [9] have developed a combinatory term rewriting system that is com-patible with contexts. However, contexts and hole-filling themselves are notrepresented as terms within the system of terms. Talcott [16] developed an al-gebraic system for manipulating binding structures. Her system includes suit-able mechanisms for manipulating contexts. In particular, it contains holes andhole-filling which commutes with substitution. However, this is a meta-levelsystem, and the issue of representing contexts and the associated hole-fillingoperation inside of the reduction system of lambda calculus is not addressed.One of the features of contexts is to bind variables through holes. In thissense, contexts are closely related to environments. Abadi et al. [1] developedthe λσ-calculus for explicit substitutions. Their motivation is similar in spiritto ours in that it internalizes a meta-level mechanism in the lambda calculus.However, they did not address the problem of first-class treatment of substitu-tions. In revising the present article, the authors noticed that Sato et al. [14]

3

recently developed an environment calculus where environments are first-classvalues. In obtaining a confluent calculus, they also address the problem ofvariable binding in the presence of first-class environments. Their solution tothis problem has some similarity to ours, although more general mechanismsare needed for a calculus with first-class contexts. We shall comment on thisin some detail when we describe our approach in the next section.

The goal of this paper is to establish a type theoretical basis for a program-ming language with first-class contexts by developing a typed context calculuswhere lambda terms are simply a special case of contexts. In particular, con-texts and lambda terms belong to the same syntactic category sharing thesame set of variables, and substitution and hole-filling are defined on the samesyntactic objects. This property is essential for achieving various features ex-plained above. As observed in the literature [9,10], however, β-reduction andfill-reduction for contexts do not mix well, and a (naive) integration of themyields an inconsistent system. The development of a meaningful calculus con-taining β-reduction and fill-reduction both acting on the same set of termsconstitutes a non-trivial technical challenge. Our main technical contributionis to establish that such a calculus is possible. We prove that the calculus isChurch-Rosser and its type system has the subject reduction property.

To obtain a confluent calculus, we have to overcome various delicate problemsin dealing with variables, and to introduce several new mechanisms in thelambda calculus. Before giving the technical development, in the next section,we explain the problems and outline our solution.

2 The Problem and Our Solution

It is not hard to extend the syntax of the (untyped) lambda calculus withconstructors for contexts. In conventional study, holes in contexts are name-less. However, since our goal is to develop a calculus with first-class contexts,we should be able to consider a context containing other contexts. This re-quires us to generalize contexts to contain multiple different holes, only oneof which is filled by each hole-filling operation. One way to define a uniformsyntax for those contexts is to introduce labeled holes [9]. We use upper caseletters X,Y, . . . for labeled holes. To incorporate operations for contexts asterms in a lambda calculus, we introduce hole abstraction δX.M which ab-stracts hole X in term M and creates a term that acts as a context whosehole is X, and we introduce context application M1¯M2 which denotes theoperation to fill the abstracted hole in M1 with term M2. For example, thecontext C[·] ≡ (λx.[·] + y) 3 is represented by the term

(δX.(λx.X + y) 3),

4

and the context application term

(δX.(λx.X + y) 3)¯(x + z)

denotes the term obtained by filling the hole in the context with x + z. Wecall a subterm of the form (δX.M1)¯M2 fill-redex , which contracts to theterm obtained from M1 by filling the X-hole in M1 with M2. Different fromthe meta notation C[x + z], context application is a term constructor, whichallows us to exploit the features of first-class contexts by combining it withlambda abstraction and lambda application. For example, we can write a termlike

(λk.k¯(x + z)) (δX.(λx.X + y) 3)

which is contracted to the above term.

The goal of this paper is to develop a type system and a reduction systemfor the lambda calculus extended with the above three term constructors, i.e.,labeled holes, hole abstraction and context application. The crucial step is thedevelopment of a proper mechanism for integrating variable-capturing hole-filling and capture-avoiding substitution in the lambda calculus. To see theproblem, consider the term

(λz.(δX.(λx.X + y) 3)¯(x + z)) x

where we use different type faces (x, x and x) to distinguish different occur-rences of variable x to which we should pay attention. The above term hastwo β-redexes and one fill-redex. Our intention is that the inner x should becaptured by the λx when it is filled in hole X, while the outer x is free. Thefollowing reduction sequence produces the intended result.

(λz.(δX.(λx.X + y) 3)¯(x + z)) x −→ (λz.(λx.x + z + y) 3) x

−→ (λz.3 + z + y) x

−→ 3 + x + y

However, reducing any of the β-redexes before the fill-redex will result in adifferent term. If we reduce the inner β-redex before the fill-redex then thebinding of inner x will be lost, yielding x + x + y. If we reduce the outerβ-redex before the fill-redex, then the outer x is unintentionally captured byλx, yielding 3+3+ y or x+x+ y depending on the order of the fill-redex andthe other β-redex.

To avoid these inconsistencies, we should redefine the scope of lambda bindingto reflect the behavior of terms of the form (δX.M1)¯M2. Suppose there is aλx in M1 whose scope contains X. Since M2 is filled in X, the scope of theλx also extends to M2. This property implies the following two requirements.First, a β-redex containing a hole X cannot be contracted. Secondly, when

5

substituting a term containing x for a free variable in M2, the λx in M1

and the corresponding variables in M1 and M2 need to be renamed to avoidunwanted capture. In the above example, we should not contract the inner β-redex before hole-filling, and when we contract the outer β-redex before hole-filling, we should rename λx and x before doing β-substitution. The situationbecomes more subtle when we consider a term like

(λw. · · · ((λz.w¯(x + z)) x) · · ·) (δX.(λx.X + y) 3).

Since w is a variable, simple inspection of term w¯(x+z) no longer tells whichvariables in x+z should be regarded as bound. However, variable-capture willstill occur when the hole abstraction is substituted for w.

Our strategy to solve this problem is to define a type system that tells exactlywhich variables should be considered bound, and to introduce a refined notionof α-equivalence that reconciles hole-filling and β-substitution.

To tell which variables should be considered bound, we type a hole abstractedterm δX.M with a context type of the form:

[{x1 : σ1, . . . , xn : σn} . τ1] ⇒ τ2

where τ1 is the type of the abstracted hole, τ2 is the type of the term that willbe produced by filling the hole in the context with a term, and {x1 : σ1, . . . , xn :σn} describes the set of variables being captured when they are filled in the holeX. We call those variables interface variables. For example, δX.(λx.X + y) 3would be typed as [{x : int} . int] ⇒ int. However, if we simply list the setof actual bound variables surrounding X in δX.M as interface variables inits type, then we cannot rename those bound variables. Since β-substitutioncan only be defined up to renaming of bound variables, this causes a problemin extending substitution to hole abstracted terms. For example, we cannotrename bound variable x in the term δX.(λx.X + y) 3. It should be notedthat the usual “bound variable convention” does not solve the problem. In thelambda calculus, we can simply assume that “all bound variables are differentfrom the free variables” for each β-redex. This is only possible when we canfreely rename bound variables. As well known in the theory of lambda calculus,the above condition is not preserved by substitution. Even if we start with aterm satisfying the bound variable condition, anomalous terms like the abovemay appear during β-reduction.

To avoid this problem, we separate actual bound variables in δX.M and thecorresponding interface variables, and refine hole-filling to an operation thatalso performs variable renaming. For manipulation of binding structures, Tal-cott [16] developed a technique to pair a hole with a substitution. We use thisapproach and annotate a hole X with a variable renamer ν, which renamesinterface variables to the corresponding bound variables. We write Xν for the

6

hole X annotated with ν. The above context can now be represented as thetyped term

δX.(λa.X{a/x} + y) 3 : [{x : int} . int] ⇒ int

where x is an interface variable and is renamed to a when it is filled in X. Bythis separation, bound variable a can be renamed without changing the typeof this term. This allows us to achieve a proper integration of hole-filling andβ-substitution with terms of the form δX.M . The semantics of hole-filling ispreserved by applying the renamer {a/x} to the term to be filled in X. Forexample, we have the following reduction for the example before.

(λz.(δX.(λa.X{a/x} + y) 3)¯(x + z)) x −→ (λz.(λa.{a/x}(x + z) + y) 3) x

≡ (λz.(λa.a + z + y) 3) x

−→ (λa.a + x + y) 3

−→ 3 + x + y

Yet another delicate problem arises when we consider the interaction betweensubstitution and a term of the form M¯N . This construct may bind somevariables in N . In order to determine those bound variables, we need to anno-tate this construct with the set of variables in N that will be bound by formingthis term. Since this set must correspond to the set of interface variables ofthe context term M , a naive attempt would be to annotate the constructorM¯N with this set. A subterm of the example term might then be repre-sented as the term (δX.(λa.X{a/x} + y) 3)¯{x} (x + z). As we noted earlier,the variable x must be treated as bound variable. This implies that, whencombining β-substitution, this variable needs to be renamed. Unfortunately,this is impossible for terms of the form w¯{x} (x + z). Since w is a variable,we cannot rename the corresponding interface variables of the hole abstractedterm that will be substituted later for w. So, again we need to separate theset of interface variables in the type of hole abstracted term and the set ofvariables that will be captured when they are filled in the hole of the context.To achieve this, we annotate the constructor for context application with arenamer ν and write M¯νN . The renamer ν renames variables in N that areto be bound by hole-filling to the corresponding interface variables in the holeabstracted term. Its effect is obtained by composing it with the renamer ofthe hole. Now the bound variables in N are independent of the correspond-ing interface variables, we can perform bound variable renaming. The aboveexample can be correctly represented by the following term:

(δX.(λa.X{a/x} + y) 3)¯{x/b}(b + z).

In this term, both a and b are bound variables, which can be renamed with-out changing the typing of the term. Again, the semantics of hole-filling is

7

preserved by applying the composition {a/x} ? {x/b}(≡ {a/b}) of renamers{a/x} and {x/b} to the term to be filled in X. The following is an example ofreduction involving renamer applications.

(δX.(λa.X{a/x} + y) 3)¯{x/b}(b + z)

−→ (λa.({a/x} ? {x/b})(b + z) + y) 3 ≡ (λa.a + z + y) 3.

Another slightly more general alternative to M¯νN is to make a renamer as aterm constructor [ν.N ] and introduce a new type constructor [{x1 : σ1, . . . , xn :σn} . τ ] for this constructor. We believe that this is also possible. In oursystem, however, we shall not take this approach, since the only eliminationoperation would be (the modified version of) the hole-filling and thereforethe additional flexibility is not essential in achieving our goal of first-classtreatment of contexts.

Based on the strategies outlined above, we have worked out the definition ofthe type system of the calculus, and its reduction system, and proved that thetype system has the subject reduction property and that the reduction systemis Church-Rosser.

In the work by Sato et al. [14], a type-theoretical approach similar to ours wastaken in order to identify the set of free and bound variables. However, theirsystem does not fully address the problem of mixing such a construct with β-substitution. Their calculus contains a term constructor e1[[e2]] whose intuitivemeaning is to evaluate e2 under the bindings provided by the environment e1.However, the reduction for nested application of this construction is restrictedto variables, and does not act on general terms. Because of this restrictedtreatment, the subtle problem of α-equivalence explained above does not arisein their system.

The careful reader may have noticed that some aspects of contexts can alreadybe represented in the lambda calculus. If one can predetermine the exact orderof variables exported by a context and imported by a term to be filled in thecontext, then one can represent hole abstractions and context applicationssimply by functionals as seen in the following encoding scheme. A hole-fillingof the form:

(δX.λx1. · · ·λxn. · · ·X · · ·)¯M

can be represented as a lambda term of the form:

(λX.λx1. · · ·λxn. · · · (X x1 · · · xn) · · ·) (λx1.λx2. · · ·λxn.M).

However, such encoding eliminates the ability to bind variables through names,and it therefore significantly reduces the benefits of first-class contexts we haveadvocated in the introduction.

The rest of the paper is organized as follows. In Section 3 we define the context

8

calculus. Section 4 defines the reduction system and proves the subject reduc-tion property and Church-Rosser property of the calculus. Section 5 concludesthe paper with the discussion of further investigations. Appendix containsproofs of some of the lemmas.

3 The Calculus

We use the following notation for functions. The domain and the codomainof a function f are written as dom(f) and cod(f) respectively. We sometimesregard a function as a set of pairs and write ∅ for the empty function. Let f, gbe functions. We write f ; g for f ∪ g provided that dom(f)∩ dom(g) = ∅. Weomit “;” if g is explicitly represented as a set, writing f{. . .} for f ; {. . .}. Therestriction of a function f to the domain D is written as f |D.

The set of types (ranged over by τ) of the calculus is given by the syntax:

τ ::= b | τ → τ | [Γ . τ ] ⇒ τ

where b ranges over a given set of base types, and Γ ranges over variable typeassignments each of which is a function from a finite set of variables to types.

We let x range over a countably infinite set of variables; we let X range overa countably infinite set of labeled holes; and we let ν range over variablerenamers each of which is a function from a finite set of variables to variablesdenoted by {y1/x1, . . . , yn/xn}. Let ν = {y1/x1, . . . , yn/xn} be a renamer. Toavoid unnecessary complication, we assume that {yi|i = 1 · · ·n} ∩ {xi|i =1 · · ·n} = ∅ or xi = yi (i = 1 · · ·n). That is, a renamer changes each name inthe domain of the renamer to a fresh name, if it is not an identity. A renameris extended to the set of all variables by letting ν(x) = x for all x 6∈ dom(ν). Inwhat follows, we identify a renamer with its extension. However, we maintainthat the domain dom(ν) of a renamer ν always means the domain of theoriginal finite function ν. The composition ν1 ? ν2 of two variable renamers ν1

and ν2 is the function ν such that dom(ν) = dom(ν2) and for all x ∈ dom(ν2),ν(x) = ν1(ν2(x)).

The set of (unchecked) terms (ranged over by M) of the calculus is given bythe syntax:

M ::= x |λx : τ.M |M M |Xν | δX.M |M¯ν M

A term δX.M binds the hole X in M . The definitions of bound holes and freeholes are given similarly to the usual definition of bound variables and freevariables in the ordinary lambda calculus. We write FH(M) for the set offree holes in M . Since δX is the only binder for holes, this does not create

9

FV (x) = {x}FV (λx : τ.M) = FV (M) \ {x}

FV (M1 M2) = FV (M1) ∪ FV (M2)

FV (Xν) = ∅FV (δX.M) = FV (M)

FV (M1¯ν M2) = FV (M1) ∪ (FV (M2) \ dom(ν))

BV (x) = ∅BV (λx : τ.M) = BV (M) ∪ {x}

BV (M1 M2) = BV (M1) ∪BV (M2)

BV (Xν) = ∅BV (δX.M) = BV (M)

BV (M1¯ν M2) = BV (M1) ∪BV (M2) ∪ dom(ν)

Fig. 1. The sets of free and bound variables

any of the subtle problems we have explained for variables in our calculus,and therefore we can safely assume α-renaming of bound holes just as in α-congruence in the ordinary lambda calculus. In what follows, we regard termsas their α-equivalence classes induced by bound holes renaming.

The set of free variables, denoted by FV (M), and that of bound variablesof M , denoted by BV (M) are given in Figure 1. These definitions correctlymodel the effect of context application terms of the form M1¯νM2 which bindsthe variables in dom(ν) in M2.

In addition to the sets of free and bound variables, we need to distinguishthree other classes of variables. Let M be a term containing a hole Xν . Thevariables in cod(ν), which we call free variable candidates, behave similarlyto free variables if they are not abstracted in M ; The variables in the setdom(ν), which we call interface variable candidates, are the source of interfacevariables. To see the last one, consider a term which contains M1¯ν M2. Thevariables in cod(ν), which we call exported variables, are used to match thevariables exported by the context M1 with bound variables in M2. The formaldefinitions of the set FV C(M) of free variable candidates of M , and the setIV C(M) of interface variables candidates of M are given in Figure 2, and thedefinition of the set EV (M) of exported variables of M is given in Figure 3.

10

FV C(x) = ∅FV C(λx : τ.M) = FV C(M) \ {x}

FV C(M1 M2) = FV C(M1) ∪ FV C(M2)

FV C(Xν) = cod(ν)

FV C(δX.M) = FV C(M)

FV C(M1¯ν M2) = FV C(M1) ∪ (FV C(M2) \ dom(ν))

IV C(x) = ∅IV C(λx : τ.M) = IV C(M)

IV C(M1 M2) = IV C(M1) ∪ IV C(M2)

IV C(Xν) = dom(ν)

IV C(δX.M) = IV C(M)

IV C(M1¯ν M2) = IV C(M1) ∪ IV C(M2)

Fig. 2. The sets of free variable candidates and interface variable candidates.

EV (x) = ∅EV (λx : τ.M) = EV (M)

EV (M1 M2) = EV (M1) ∪ EV (M2)

EV (Xν) = ∅EV (δX.M) = EV (M)

EV (M1¯ν M2) = EV (M1) ∪ EV (M2) ∪ cod(ν)

Fig. 3. The set of exported variables

We define the set PFV (M) of potentially free variables of M as

PFV (M) = FV (M) ∪ FV C(M).

We are now in the position to define the type system of the calculus. Sincea term may contain free holes as well as free variables, its type depends notonly on types of variables but also on types of free holes. A hole type isdetermined by a triple ([Γ . τ ], ν) consisting of type τ of a term to be filled,type assignment Γ describing the set of interface variables and their types,

11

and variable renamer ν which is used to keep track of the correspondencebetween bound variables and interface variables. While Γ describes the setof all abstracted variables, ν describes the set of free variable candidates tobe abstracted. We write Clos({x : τ}, ([Γ . τ ], ν)) for the triple obtained from([Γ . τ ], ν) by abstracting x, whose definition is given below.

Clos({x : τ}, ([Γ . τ ], ν ∪ {x/x′})) = ([Γ{x′ : τ} . τ ], ν)

Clos({x : τ}, ([Γ . τ ], ν)) = ([Γ . τ ], ν) if x 6∈ cod(ν)

This operation is extended to type assignments as follows:

Clos({x1 : τ1, . . . , xn : τn}, ([Γ . τ ], ν))

= Clos({x1 : τ1}, · · ·Clos({xn : τn}, ([Γ . τ ], ν)) · · ·)

A hole type assignment , ranged over by ∆, is a finite function which assignsa hole to a triple ([Γ . τ ], ν) describing the type of the hole, and we call thevariables in dom(Γ) interface variables. We write Clos(Γ, ∆) for the hole typeassignment {X : Clos(Γ, ∆(X))|X ∈ dom(∆)}. We write ν∆ for the hole typeassignment {X : ([Γ . σ], ν ? ν ′)|{X : ([Γ . σ], ν ′)} ∈ ∆}.

The type system of the calculus is defined as a proof system to derive a typingof the form:

Γ, ∆ ` M : τ

which indicates that term M has type τ under variable type assignment Γ andhole type assignment ∆. The set of typing rules is given in Figure 4.

Some explanations are in order.

• Rule (hole). Since X is not surrounded by any λ at this moment, the asso-ciated type assignment in the hole type assignment is empty, and the set offree variable candidates of X is specified by ν. They will be abstracted bythe rule (abs) and (fill).

• Rule (abs). Lambda abstracting x not only discharges x from the type hy-pothesis Γ for the term M , but also extends the set of interface variablesfor each hole in M with corresponding x′. The later effect is represented bythe operation Clos({x : τ}, ∆), which extends each Γ appearing in ∆.

• Rule (fill). By forming the term M1 {x′1/x1,...,x′n/xn}M2, each xi in M2 becomesbound, and the set of interface variables of each hole in M2 is extendedwith it. This property is modeled by discharging each xi from the typingjudgment for M2 and abstracting it from ∆2. This rule is similar to theone for a “closure” i.e., a term associated with an explicit substitution, inλσ-calculus [1].

Figure 5 shows an example of typing derivation.

12

(var) Γ, ∅ ` x : τ if x ∈ dom(Γ) and Γ(x) = τ

(abs)Γ{x : τ1}, ∆ ` M : τ2

Γ, Clos({x : τ1}, ∆) ` λx : τ1.M : τ1 → τ2

(app)Γ, ∆1 ` M1 : τ1 → τ2 Γ, ∆2 ` M2 : τ1

Γ, ∆1; ∆2 ` M1 M2 : τ2

(hole) Γ, {X : ([∅ . τ ], ν)} ` Xν : τ if cod(ν) ⊆ dom(Γ)

(habs)Γ1, ∆{X : ([Γ2 . τ1], ∅)} ` M : τ2

Γ1, ∆ ` δX.M : [Γ2 . τ1] ⇒ τ2

(fill)

Γ, ∆1 ` M1 : [{x′1 : σ1, . . . , x′n : σn} . τ1] ⇒ τ2

Γ{x1 : σ1, . . . , xn : σn}, ∆2 ` M2 : τ1

Γ, ∆1; Clos({x1 : σ1, . . . , xn : σn}, ∆2) ` M1¯{x′1/x1,...,x′n/xn}M2 : τ2

if dom(Γ) ∩ {x′i|i = 1 · · ·n} = ∅Fig. 4. The Type System

{x : int}, {X : ([∅ . int], {x/a})} ` X{x/a} : int

∅, {X : ([{a : int} . int], ∅)} ` λx : int.X{x/a} : int → int ∅, ∅ ` 3 : int

∅, {X : ([{a : int} . int], ∅)} ` (λx : int.X{x/a}) 3 : int

∅, ∅ ` δX.(λx : int.X{x/a}) 3 : [{a : int} . int] ⇒ int

Fig. 5. Example of Typing Derivation

In our calculus, each free hole occurs linearly in a well-typed term. If multipleoccurrences of a hole are allowed, then they could have different interfacevariables. This would considerably complicate the conceptual understandingof contexts as well as the type system. The linearity condition is ensured by therule (hole), the condition implied by the notation ∆1; ∆2 in rules (app), (fill),and the property that there is no rule for adding redundant hypothesis to ∆.The following lemma is easily shown by induction on the typing derivations.

Lemma 1 If Γ, ∆ ` M : τ then FH(M) = dom(∆). Moreover, each freehole appears exactly once in M .

The following standard properties also hold for this type system, and can be

13

easily shown by induction on the typing derivations.

Lemma 2 If Γ, ∆ ` M : τ then dom(Γ) ∩BV (M) = ∅.

Lemma 3 If Γ, ∆ ` M : τ then PFV (M) ⊆ dom(Γ).

Lemma 4 If Γ, {X1 : ([Γ1 . σ1], ν1), . . . Xn : ([Γn . σn], νn)} ` M : τ thenFV C(M) =

⋃ni=1 cod(νi).

Lemma 5 If Γ{x : σ}, ∆ ` M : τ and x 6∈ PFV (M) then Γ, ∆ ` M : τ .

Lemma 6 If Γ, ∆ ` M : τ and x 6∈ dom(Γ) ∪BV (M) ∪ EV (M) thenΓ{x : σ}, ∆ ` M : τ .

Lemma 7 If X{x′1/x1,...,x′m/xm,y′1/y1,...,y′n/yn} occurs in M , {zi, wj|i = 1 · · ·m, j =1 · · ·n} ∩ {x′i, y′j|i = 1 · · ·m, j = 1 · · ·n} = ∅, andΓ, ∆{X : ([{x1 : σ1, . . . , xm : σm} . σ], {y′1/y1, . . . , y

′n/yn})} ` M : τ then

Γ, ∆{X : ([{z1 : σ1, . . . , zm : σm} . σ], {y′1/w1, . . . , y′n/wn})} ` M ′ : τ where

M ′ is obtained from M by substituting X{x′1/x1,...,x′m/xm,y′1/y1,...,y′n/yn}

for X{x′1/z1,...,x′m/zm,y′1/w1,...,y′n/wn}.

4 The Reduction System

To define the reduction relation, we need to define substitution and hole-fillingoperations. In the ordinary lambda calculus, substitution can be defined mod-ulo α-congruence, which allows us to simply assume that unwanted variablecapture will not happen. In our calculus, since we have not yet obtained α-congruence, we need at first to define substitution as an operation on syntacticterms (not on equivalence class).

We write {M ′/x}M for the term obtained by substituting M ′ for any freeoccurrence of x in M . The following lemma shows that substitution preservestyping under a strong variable hygiene conditions.

Lemma 8 If Γ, ∅ ` M0 : σ, Γ{x : σ}, ∆ ` M : τ , BV (M) ∩ (BV (M0) ∪EV (M0)) = ∅ and x 6∈ FV C(M) then Γ, ∆ ` {M0/x}M : τ .

The proof is deferred to the Appendix. As in the standard definition of sub-stitution, we have the following composition lemma:

Lemma 9 {M1/x}({M2/y}M3) ≡ {({M1/x}M2)/y}({M1/x}M3) where y 6∈PFV (M1) and x 6≡ y.

As we have explained earlier, hole-filling involves application of the variable

14

renamer associated with the hole to the term being filled. To define hole-filling,we extend a variable renamer ν to a function ν on terms as follows:

ν(x) = ν(x)

ν(λx : τ.M) = λx : τ.(ν |(dom(ν)\{x}))M

ν(M1 M2) = νM1 νM2

ν(Xν′) = Xν?ν′

ν(δX.M) = δX.νM

ν(M1¯ν′M2) = νM1¯ν′ (ν |(dom(ν)\dom(ν′)))M2

We have the following renaming lemma, whose proof is deferred to the ap-pendix.

Lemma 10 If Γ{x : σ}, ∆ ` M : τ and x′ 6∈ dom(Γ)∪BV (M)∪ IV C(M)∪EV (M) then Γ{x′ : σ}, {x′/x}∆ ` {x′/x}M : τ .

Hole-filling is defined as a combination of variable renamer and substitution.We write M [M ′/X] for the term obtained from M by syntactically substitutingthe term ν(M ′) for X in M where ν is the variable renamer associated with X.Its definition is obtained by simply extending the following clauses accordingto the structure of M .

(Xν)[M ′/X] = νM ′ x[M ′/X] = x

From this definition and the property of typing, it is easily seen that if Γ, ∆ `M : τ and X 6∈ dom(∆) then M [M0/X] ≡ M . The following lemma showsthat hole-filling preserves the typing.

Lemma 11 If Γ1; Γ2{x′1 : σ1, . . . , x′n : σn}, ∆0 ` M0 : σ,

Γ1{x1 : σ1, . . . , xn : σn}, ∆{X : ([Γ2 . σ], {x1/x′1, . . . , xn/x′n})} ` M : τ ,

(BV (M) ∪ {xi|i = 1 · · ·n}) ∩ (IV C(M0) ∪ BV (M0) ∪ EV (M0)) = ∅ andBV (M) ∩ (dom(Γ2) ∪ {x′i|i = 1 · · ·n}) = ∅ thenΓ1{x1 : σ1, . . . , xn : σn}, ∆; Clos(Γ2, {x1/x

′1, . . . , xn/x′n}∆0) ` M [M0/X] : τ .

The proof is deferred to the appendix.

The following is the composition lemma for the hole-filling, where IV CX(M)denotes the domain of the variable renamer on the shoulder of hole X in M .

Lemma 12If X 6≡ Y, Y 6∈ FH(M1) and IV CX(M3) ∩ (PFV (M1) \ IV CY (M2)) = ∅ then(M3[M2/X])[M1/Y ] ≡ M3[M1/Y ][M2[M1/Y ]/X].

15

PROOF. If dom(ν1)∩(PFV (M)\dom(ν2)) = ∅ then (ν1 ? ν2)M ≡ ν1(ν2M)).2

The notion of α-congruence in our calculus is now defined as the congruencerelation on the set of well typed terms generated by the following two axioms:

• λx : τ.M ≡α λy : τ.{y/x}M if y 6∈ BV (M)∪PFV (M)∪IV C(M)∪EV (M)• M1¯{x′1/x1,...,x′n/xn}M2 ≡α M1¯{x′1/y1,...,x′n/yn}{y1/x1, . . . , yn/xn}M2

if each yi 6∈ BV (M2) ∪ PFV (M2) ∪ IV C(M2) ∪ EV (M)

The following lemma shows that α-renaming preserves typing, which is provedby induction on the derivation of M using lemma 10.

Lemma 13 If Γ, ∆ ` M : τ and M ≡α M ′ then Γ, ∆ ` M ′ : τ .

α-congruence allows us to rename bound variables whenever it is necessary.In what follows, we assume the following variable convention for our calculus:

bound variables are all distinct and the set of bound variables has no inter-section with the set of interface variable candidates, the set of potentiallyfree variables, and the set of exported variables.

Under this variable convention, the reduction axioms of our calculus are givenas follows:

(β) (λx : σ.M1) M2 −−→β

{M2/x}M1 if FH(M1) = FH(M2) = ∅(fill) (δX.M1)¯ν M2 −−→

fill(M1[X

ν/X])[M2/X]

In the axiom (β), the restriction FH(M2) = ∅ is needed to ensure that eachfree hole occurs linearly. The restriction FH(M1) = ∅ is needed to maintainthe binding generated by λx for the holes in M1. Since in our calculus contextsare represented not by terms with free holes but by hole abstracted terms, thisdoes not restrict first-class treatment of contexts.

The one-step reduction relation M −→ N is defined on the set of well typedterms as: M −→ M ′ iff M is well typed and M ′ is obtained by applying oneof the two reduction axioms to some subterm of M . We write M

∗−→ M ′ forthe reflexive, transitive closure of −→.

For this reduction, we have the following desired results.

Theorem 14 (Subject Reduction) If Γ, ∆ ` M : τ and M∗−→ M ′ then

Γ, ∆ ` M ′ : τ .

16

(var) x−→−→x (abs)M−→−→M ′

λx : τ.M−→−→λx : τ.M ′

(app)M1

−→−→M ′1 M2

−→−→M ′2

M1 M2−→−→M ′

1 M ′2

(betred)M1

−→−→M ′1 M2

−→−→M ′2

(λx : τ.M1) M2−→−→{M ′

2/x} M ′1

if FH(M1) = FH(M2) = ∅

(hole) Xν−→−→Xν (habs)M−→−→M ′

δX.M−→−→δX.M ′

(fill)M1

−→−→M ′1 M2

−→−→M ′2

M1¯ν M2−→−→M ′

1¯ν M ′2

(filred)M1

−→−→M ′1 M2

−→−→M ′2

(δX.M1)¯ν M2−→−→(M ′

1[Xν/X])[M ′

2/X]

Fig. 6. Definition of the Parallel Reduction

PROOF. This is a direct consequence of lemmas 7,8, 11 and 13. 2

Theorem 15 (Confluence) For any well typed term M , if M∗−→ M1 and

M∗−→ M2 then there is some M3 such that M1

∗−→ M3 and M2∗−→ M3.

The proof is by using the technique of parallel reduction due to Tait andMartin-Lof. The parallel reduction relation of our calculus, written −→−→, isgiven in Figure 6.

From this definition, it is easily seen that the transitive closure of the parallelreduction coincides with the reduction relation of the calculus (

∗−→). To provethe theorem, it is therefore sufficient to prove the diamond property of −→−→. Toshow this, we follow Takahashi [15] and prove the following stronger property.

Lemma 16 For any well typed term M , there exists a term M∗ such that ifM−→−→M ′ then M ′−→−→M∗.

In the lemma above, M∗ denotes the term obtained from M by parallel re-ducing all the possible redexes of M , whose definition is given Figure 7.

The proof of lemma 16 is by induction on the derivation of Γ, ∆ ` M−→−→M ′ :τ using the following lemmas:

17

x∗ = x

(λx : τ.M)∗ = λx : τ.M∗

(M1 M2)∗ = M∗

1 M∗2 if FH(M1) 6= ∅ or FH(M2) 6= ∅ or

M1 is not a lambda abstraction

((λx : τ.M1) M2)∗ = {M∗

2 /x}M∗1 if FH(M1) = FH(M2) = ∅

(Xν)∗ = Xν

(δX.M)∗ = δX.M∗

(M1¯ν M2)∗ = M∗

1¯ν M∗2 if M1 is not a hole abstraction

((δX.M1)¯ν M2)∗ = (M∗

1 [Xν/X])[M∗2 /X]

Fig. 7. Definition of M∗

Lemma 17 If M−→−→M ′, M0−→−→M ′

0 then {M0/x}M−→−→{M ′0/x}M ′ for any

terms M, M0 such that Γ{x : σ}, ∅ ` M : τ and Γ, ∅ ` M0 : σ for someΓ, ∆, τ, σ.

PROOF. We proceed by induction on the derivation of M−→−→M ′. Here weonly show the cases (betred) and(filred).

Case (betred)M1−→−→M ′

1 M2−→−→M ′

2

(λy : τ.M1) M2−→−→{M ′

2/y} M ′1

(FH(M1) = FH(M2) = ∅ and y 6≡ x).By the induction hypothesis,{M0/x}M1

−→−→{M ′0/x}M ′

1 and {M0/x}M2−→−→{M ′

0/x}M ′2.

Therefore by the rule(betred),(λy : τ.{M0/x}M1) {M0/x}M2

−→−→{{M ′0/x}M ′

2/y} {M ′0/x}M ′

1. The rest ofthis case is by lemma 9.

Case (filred)M1−→−→M ′

1 M2−→−→M ′

2

(δX.M1)¯ν M2−→−→(M ′

1[Xν/X])[M ′

2/X].

By the induction hypothesis,{M0/x}M1

−→−→{M ′0/x}M ′

1 and {M0/x}M2−→−→{M ′

0/x}M ′2.

Therefore by the rule(filred),(δX.{M0/x}M1)¯ν {M0/x}M2

−→−→(({M ′0/x}M ′

1)[Xν/X])[{M ′

0/x}M ′2/X]. We

can assume x 6∈ dom(ν) by the hygiene condition. Then,(({M ′

0/x}M ′1)[X

ν/X])[{M ′0/x}M ′

2/X] ≡ {M ′0/x}(M ′

1[Xν/X])[M ′

2/X]. 2

18

Lemma 18 If M−→−→M ′ and {x, x′}∩BV (M) = ∅ then {x′/x}M−→−→{x′/x}M ′.

PROOF. We proceed by induction on the derivation of M−→−→M ′. We onlyshow the crucial case (filred).

Case (filred)M1−→−→M ′

1 M2−→−→M ′

2

(δX.M1)¯ν M2−→−→(M ′

1[Xν/X])[M ′

2/X].

By the induction hypothesis,{x′/x}M1

−→−→{x′/x}M ′1 and {x′/x}M2

−→−→{x′/x}M ′2.

Then (δX.{x′/x}M1)¯ν {x′/x}M2−→−→(({x′/x}M ′

1)[Xν/X])[{x′/x}M ′

2/X] bythe rule (filred). Since {x, x′}∩BV ((δX.M1)¯νM2) = ∅, dom(ν)∩{x, x′} = ∅.Therefore (({x′/x}M ′

1)[Xν/X])[{x′/x}M ′

2/X] ≡ {x′/x}((M ′1[X

ν/X])[M ′2/X]).

2

Lemma 19 If M−→−→M ′ and M0−→−→M ′

0 then M [M0/X]−→−→M ′[M ′0/X]

for any terms M,M0 such thatΓ{x1 : σ1, . . . , xn : σn}, ∆{X : ([Γ′ . σ], {x1/x

′1, . . . , xn/x

′n})} ` M : τ and

Γ; Γ′{x′1 : σ1, . . . , x′n : σn}, ∆0 ` M0 : σ

for some Γ, Γ′, ∆, ∆0, τ, σ, x1, . . . , xn, x′1, . . . , x

′n.

PROOF. We proceed by induction on the derivation of M−→−→M ′. Here weonly show the cases (hole) and (filred).

Case(hole) Xν−→−→Xν . By repeated application of lemma 18.

Case (filred)M1−→−→M ′

1 M2−→−→M ′

2

(δY.M1)¯ν M2−→−→(M ′

1[Yν/Y ])[M ′

2/Y ](Y 6≡ X).

Suppose X ∈ FH(M1). Then, M2[M0/X] ≡ M2 and M ′2[M

′0/X] ≡ M ′

2. By theinduction hypothesis, M1[M0/X]−→−→M ′

1[M′0/X]. Therefore by the rule(filred),

(δY.M1[M0/X])¯ν M2−→−→((M ′

1[M′0/X])[Y ν/Y ])[M ′

2/Y ]. The rest of this sub-case is by (M ′

1[M′0/X])[Y ν/Y ] ≡ (M ′

1[Yν/Y ])[M ′

0/X]. Suppose X ∈ FH(M2).Then, M1[M0/X] ≡ M1 and M ′

1[M′0/X] ≡ M ′

1. By the induction hypothesis,M2[M0/X]−→−→M ′

2[M′0/X]. Therefore by the rule(filred),

(δY.M1)¯ν M2[M0/X]−→−→(M ′1[Y

ν/Y ])[M ′2[M

′0/X]/Y ]. By lemmas 2 and 3,

IV CY (M1) ∩ (PFV (M0) \ IV CX(M2)) = ∅. Therefore by lemma 12,(M ′

1[Yν/Y ])[M ′

2[M′0/X]/Y ] ≡ ((M ′

1[Yν/Y ])[M ′

2/Y ])[M ′0/X] . 2

This completes the proof of theorem 15.

19

5 Conclusions

We have developed a typed calculus for contexts. In this calculus, contexts andlambda terms share the same set of variables and can be freely mixed (as faras they type-check). This allows us to treat contexts truly as first-class values.However, a straightforward mixture of β-reduction and fill-reduction resultsin an inconsistent system. We have solved the problem by developing a typesystem that precisely specifies the variable-capturing nature of contexts. Theresulting typed calculus enjoys the subject reduction property and Church-Rosser property. We believe that the typed context calculus presented herewill serve as a type theoretical basis for developing a programming languagewith advanced features for manipulation of open terms. There are a numberof interesting topics that merit further investigation. We briefly discuss someof them below.

Integration with Explicit Substitution. In our calculus, β-contraction is re-stricted to those redexes that do not contain free holes. While this does notrestrict first-class treatment of contexts, removing this restriction will makethe reduction system slightly more general. As we have noted earlier, one rea-son for this restriction is that if we contract a β-redex containing a free hole,then the binding through the hole will be lost. One way of solving this problemwould be to integrate our calculus with λσ-calculus of Abadi et al. [1], andto generalize variable renamers to explicit substitutions. Dowek et al. [3] con-sidered a calculus containing holes and grafting, which roughly corresponds tohole-filling, and developed a technique to mingle capture-avoiding substitutionwith grafting by encoding them in a calculus of explicit substitution using deBruijn notation. Although their calculus does not contain a term constructorfor context application and therefore their technique is not directly applicableto our calculus, we believe that it is possible to extend their technique for ourcalculus by translating all the machinery we have developed for our calculusinto de Bruijn notation. However, such translation would significantly decreasethe flexibility of access to exported variables by names. It should also be notedthat the notion of de Bruijn indexes presupposes α-equivalence on terms, andtherefore defining the context calculus using de Bruijn notation requires themechanisms (or something similar to those) for obtaining α-equivalence wehave developed in this paper.

Programming Languages with Contexts. Our motivation is to provide a basisfor developing a programming language with the feature of first-class contexts.The context calculus we have worked out in this article guarantees that wecan have such a typed language with first-class contexts. In order to developan actual programming language, however, we need to develop a realistic eval-uation strategy for the calculus. Our preliminary investigation shows that theusual call-by-value evaluation strategy using closures can be extended to our

20

calculus. A more challenging topic is to develop a polymorphic type systemand a type inference algorithm for our calculus, which will enable us to de-velop an ML-style programming language with the feature of contexts we haveadvocated. One crucial issue is the flexible treatment of context types. In thecurrent definition, the constructor ¯{x1/x′1,...,xn/x′n} is annotated with a vari-able renamer. This reduces the flexibility of the calculus. A better approachwould be to refine the type system so that if Γ ⊆ Γ′ then a context of type[Γ′ . τ ] ⇒ σ can be used whenever a context of type [Γ . τ ] ⇒ σ is allowed.One of the authors has recently developed an ML-style language with first-class contexts [5] where an ML-style polymorphic type system, a call-by-valueoperational semantics and a type inference algorithm are given.

Relationship with formula-as-type notion. It is intuitively clear that a contextrepresented as a term in our calculus has constructive meaning. An importantquestion is to characterize this intuition formally in the sense of Curry-Howardisomorphism [7]. This would lead us to a new form of proof normalization pro-cess corresponding to our fill-reduction. Since the context calculus is Church-Rosser, it should be possible to develop a proof system that is conservativeover the conventional intuitionistic logic and supports a proof normalizationprocess corresponding to fill-reduction. The authors recently noticed that thereis an intriguing similarity between the proof system of typings in the contextcalculus and Joshi and Kulick’s partial proof manipulation system [8] which isused to represent linguistic information. Another relevant system is Herbelin’slambda calculus isomorphic to a variant of sequent calculus, where proofs ofcertain sequents are interpreted by applicative contexts [6]. These results sug-gest some interesting connections between context calculus and proof systems.

Acknowledgements

The authors thank Pierre-Louis Curien, Laurent Dami, Yasuhiko Minamide,Didier Remy, Masahiko Sato and anonymous referees for their careful readingof a draft of this paper and numerous useful comments. The second authoralso thanks Shinn-Der Lee, and Dan Friedman for insightful discussions oncontexts.

References

[1] L. Cardelli, P.-L. Curien, J.-J. Levy, M. Abadi. Explicit substitutions. J. Funct.Program, 1(4):375–416, October 1991.

[2] Laurent Dami. A lambda-calculus for dynamic binding. Theoretical ComputerScience, 192(2):201–31, February 1998. Special issue on Coordination.

21

[3] G. Dowek, T. Hardin, and C. Kirchner. Higher-order unification via explicitsubstitutions. In D. Kozen, editor, Proc. Logic in Computer Science, pages366–374, June 1995.

[4] J. Gosling. The feel of Java. Computer, 30(6):53–57, June 1997.

[5] M. Hashimoto. First-Class Contexts in ML. In Proc. 4th Asian ComputingScience Conference, volume 1538 of Lecture Notes in Computer Science, pages206–223. Springer, 1998.

[6] H. Herbelin. A lambda-calculus structure isomorphic to sequent calculusstructure. In Proc. Annual Conference of the European Association forComputer Science Logic (CSL’94), 1994.

[7] W. Howard. The formulae-as-types notion of construction. In To H. B. Curry:Essays on Combinatory Logic, Lambda-Calculus and Formalism, pages 476–490.Academic Press, 1980.

[8] A.K. Joshi and S. Kulick. Partial proof trees as building blocks for a categorizedgrammars. To appear Linguistics and Philosophy, 1997.

[9] Stefan Kahrs. Context rewriting. In Conditional Term Rewriting Systems.Third International Workshop, CTRS-92 Proceedings, pages 21–35, 1993.

[10] S. Lee and D. Friedman. Enriching the Lambda Calculus with Contexts:Towards A Theory of Incremental Program Construction. In Proceedings ofInternational Conference on Functional Programming, ACM SIGPLAN notices,pages 239–250, 1996.

[11] R. Milner. Fully abstract models of typed λ-calculi. Theoretical ComputerScience, 4:1–22, 1977.

[12] R. Milner, M. Tofte, and R. Harper. The Definition of Standard ML. The MITPress, 1990.

[13] G.D. Plotkin. LCF considered as a programming language. TheoreticalComputer Science, 5:223–255, 1977.

[14] M. Sato, T. Sakurai, and R. Burstall. Explicit Environments. In Proc. TypedLambda Calculi and Applications (TLCA’99), number 1581 in LNCS, pages340–354. Springer-Verlag, 1999.

[15] M. Takahashi. Parallel reductions in λ-calculus. Information and Computation,118:120–127, 1995.

[16] C.L. Talcott. A theory of binding structures and applications to rewriting.Theoretical Computer Science, 112:99–143, 1993.

[17] J. Wells and R. Vestergaard. Confluent Equational Reasoning forLinking with First-Class Primitive Modules, August 1999. Available fromhttp://www.cee.hw.ac.uk/~jbw/papers/.

[18] N. Wirth. Programming in Modula-2. Texts and Monographs in ComputerScience. Springer-Verlag, 1983.

22

A Appendix: Proofs

Lemma 8 If Γ, ∅ ` M0 : σ, Γ{x : σ}, ∆ ` M : τ , BV (M) ∩ (BV (M0) ∪EV (M0)) = ∅ and x 6∈ FV C(M) then Γ, ∆ ` {M0/x}M : τ .

PROOF. We proceed by induction on the derivation of Γ{x : σ}, ∆ ` M : τ .

Case (var) Γ{x : σ}, ∅ ` x : σ. Trivial.

Case (var) Γ{x : σ}, ∅ ` y : τ (y 6≡ x). Since y 6≡ x, also the judgmentΓ, ∅ ` y : τ is derivable.

Case (abs)Γ{x : σ}{y : τ1}, ∆′ ` M1 : τ2

Γ{x : σ}, ∆ ` λy : τ1.M1 : τ1 → τ2

(∆ = Clos({y : τ1}, ∆′) and y 6≡ x).Suppose BV (λy : τ1.M1) ∩ (BV (M0) ∪ EV (M0)) = ∅ and x 6∈ FV C(λy :τ1.M1). Since BV (λy : τ1.M1) = BV (M1)∪{y}, FV C(λy : τ1.M1) = FV C(M1)\{y} and y 6≡ x, the conditions BV (M1) ∩ (BV (M0) ∪ EV (M0)) = ∅ andx 6∈ FV C(M1) hold, and Γ{y : τ1}, ∅ ` M0 : σ by lemma 6. ThereforeΓ{y : τ1}, ∆ ` {M0/x}M1 : τ2 by the induction hypothesis. The rest of thiscase is by the rule (abs).

Case (app)Γ{x : σ}, ∆1 ` M1 : τ1 → τ2 Γ{x : σ}, ∆2 ` M2 : τ1

Γ{x : σ}, ∆1; ∆2 ` M1 M2 : τ2

.

Suppose BV (M1 M2) ∩ (BV (M0) ∪ EV (M0)) = ∅ and x 6∈ FV C(M1 M2).Since BV (M1 M2) = BV (M1) ∪ BV (M2) and FV C(M1 M2) = FV C(M1) ∪FV C(M2), also BV (M1)∩(BV (M0)∪EV (M0)) = ∅, x 6∈ FV C(M1), BV (M2)∩(BV (M0)∪EV (M0)) = ∅ and x 6∈ FV C(M2). Therefore by the induction hy-pothesis, we have Γ, ∆1 ` {M0/x}M1 : τ1 → τ2 and Γ, ∆2 ` {M0/x}M2 : τ1.The rest is by the rule (app).

Case (hole) Γ{x : σ}, {X : ([∅ . τ ], ν)} ` Xν : τ (x 6∈ cod(ν)). Sincex 6∈ PFV (Xν), we have Γ, {X : ([∅ . τ ], ν)} ` Xν : τ by lemma 5.

Case (habs)Γ1{x : σ}, ∆{X : ([Γ2 . τ1], ∅)} ` M1 : τ2

Γ1{x : σ}, ∆ ` δX.M1 : [Γ2 . τ1] ⇒ τ2

.

Suppose BV (δX.M1) ∩ (BV (M0) ∪EV (M0)) = ∅ and x 6∈ FV C(δX.M1). Bythe definition of BV and FV C, BV (M1) ∩ (BV (M0) ∪ EV (M0)) = ∅ and

23

x 6∈ FV C(M1). Therefore by the induction hypothesis, we obtainΓ1, ∆{X : ([Γ2 . τ1], ∅)} ` {M0/x}M1 : τ2. The rest is by the rule (habs).

Case (fill)

Γ{x : σ}, ∆1 ` M1 : [{x′1 : σ1, . . . , x′n : σn} . τ1] ⇒ τ2

Γ{x : σ}{x1 : σ1, . . . , xn : σn}, ∆2 ` M2 : τ1

Γ{x : σ}, ∆1; Clos({x1 : σ1, . . . , xn : σn}, ∆2) ` M1¯ν M2 : τ2

(ν = {x′1/x1, . . . , x′n/xn} and (dom(Γ) ∪ {x}) ∩ {x′i|i = 1 · · ·n} = ∅).

Suppose BV (M1¯νM2)∩ (BV (M0)∪EV (M0)) = ∅ and x 6∈ FV C(M1¯νM2).By the definition of BV , EV and FV C, and by x 6≡ xi, we have {xi|i =1 · · ·n}∩ (BV (M0)∪EV (M0)) = ∅, BV (M1)∩ (BV (M0)∪EV (M0)) = ∅, x 6∈FV C(M1) BV (M2)∩(BV (M0)∪EV (M0)) = ∅, and x 6∈ FV C(M2). Thereforeby the induction hypothesis applied toΓ{x : σ}, ∆1 ` M1 : [{x′1 : σ1, . . . , x

′n : σn} . τ1] ⇒ τ2,

we have Γ, ∆1 ` {M0/x}M1 : [{x′1 : σ1, . . . , x′n : σn} . τ1] ⇒ τ2. By lemma 6,

we obtain Γ{x1 : σ1, . . . , xn : σn}, ∆0 ` M0 : σ. Therefore by the inductionhypothesis applied to Γ{x : σ}{x1 : σ1, . . . , xn : σn}, ∆2 ` M2 : τ1, we haveΓ{x1 : σ1, . . . , xn : σn}, ∆2 ` {M0/x}M2 : τ1. The rest of this case is shownby the rule (fill). 2

Lemma 10 If Γ{x : σ}, ∆ ` M : τ and x′ 6∈ dom(Γ)∪BV (M)∪ IV C(M)∪EV (M) then Γ{x′ : σ}, {x′/x}∆ ` {x′/x}M : τ .

PROOF. We proceed by induction on the derivation of Γ{x : σ}, ∆ ` M : τ .The case of (var) is similar to lemma 8.

Case (abs)Γ{x : σ}{y : τ1}, ∆′ ` M1 : τ2

Γ{x : σ}, ∆ ` λy : τ1.M1 : τ1 → τ2

(∆ = Clos({y : τ1}, ∆′)).

Suppose x′ 6∈ dom(Γ)∪BV (λy : τ1.M1)∪ IV C(λy : τ1.M1)∪EV (λy : τ1.M1).Since BV (λy : τ1.M1) = BV (M1) ∪ {y}, IV C(λy : τ1.M1) = IV C(M1) andEV (λy : τ1.M1) = EV (M1), we have Γ{x′ : σ}{y : τ1}, {x′/x}∆′ ` {x′/x}M1 :τ2 by the induction hypothesis. Then, we obtainΓ{x′ : σ}, Clos({y : σ}, {x′/x}∆′) ` λy : τ1.{x′/x}M1 : τ by the rule (abs).Since y 6≡ x and y 6≡ x′, {x′/x}(Clos({y : σ}, ∆′)) = Clos({y : σ}, {x′/x}∆′)and {x′/x}(λy : τ1.M1) ≡ λy : τ1.{x′/x}M1.

Case (app)Γ{x : σ}, ∆1 ` M1 : τ1 → τ2 Γ{x : σ}, ∆2 ` M2 : τ1

Γ{x : σ}, ∆ ` M1 M2 : τ2

(∆ = ∆1; ∆2).Suppose x′ 6∈ dom(Γ) ∪ BV (M1 M2) ∪ IV C(M1 M2) ∪ EV (M1 M2). By the

24

definition of BV , IV C and EV , we can apply the induction hypothesis. Therest is by the rule (app).

Case (hole) Γ{x : σ}, {X : ([∅ . τ ], ν)} ` Xν : τ (x 6∈ cod(ν)). Trivial.

Case (hole) Γ{x : σ}, {X : ([∅ . τ ], ν{x/w})} ` Xν{x/w} : τ . Since x′ 6∈IV C(Xν{x/w}) = dom(ν) ∪ {w}, we have Γ{x′ : σ}, {X : ([∅ . τ ], ν{x′/w})} `Xν{x′/w} : τ by the well-formedness of the variable renamer.

Case (habs)Γ1{x : σ}, ∆{X : ([Γ2 . τ1], ∅)} ` M1 : τ2

Γ1{x : σ}, ∆ ` δX.M1 : [Γ2 . τ1] ⇒ τ2

.

Suppose x′ 6∈ dom(Γ1) ∪ BV (δX.M1) ∪ IV C(δX.M1) ∪ EV (δX.M1). By thedefinition of BV , IV C and EV , we can apply the induction hypothesis; wehave Γ1{x′ : σ}, {x′/x}(∆{X : ([Γ2 . τ1], ∅)}) ` {x′/x}M1 : τ2. The rest is bythe rule (habs).

Case (fill)

Γ{x : σ}, ∆1 ` M1 : [{x′1 : σ1, . . . , x′n : σn} . τ1] ⇒ τ2

Γ{x : σ}{x1 : σ1, . . . , xn : σn}, ∆2 ` M2 : τ1

Γ{x : σ}, ∆1; Clos({xi : σi}, ∆2) ` M1¯ν M2 : τ2

(ν = {x′1/x1, . . . , x′n/xn} and (dom(Γ) ∪ {x}) ∩ {x′i|i = 1 · · ·n} = ∅).

Suppose x′ 6∈ dom(Γ)∪BV (M1¯νM2)∪IV C(M1¯νM2)∪EV (M1¯νM2). Thenx′ 6∈ dom(Γ) ∪ BV (M1) ∪ IV C(M1) ∪ EV (M1), x′ 6∈ dom(Γ{x1 : σ1, . . . , xn :σn}) ∪ BV (M2) ∪ IV C(M2) ∪ EV (M2) and x′ 6∈ {x′i|i = 1 · · ·n}. There-fore by the induction hypothesis, we obtain Γ{x′ : σ}, {x′/x}∆1 ` {x′/x}M1 :[{x′1 : σ1, . . . , x

′n : σn} . τ1] ⇒ τ2 and Γ{x′ : σ}{x1 : σ1, . . . , xn : σn}, {x′/x}∆2 `

{x′/x}M2 : τ1.Then, we have Γ{x′ : σ}, {x′/x}∆1; Clos({x1 : σ1, . . . , xn : σn}, {x′/x}∆2) `{x′/x}M1¯ν{x′/x}M2 : τ2 by the rule(fill).Since x 6≡ xi, {x′/x}M1¯ν{x′/x}M2 = {x′/x}(M1¯ν M2) and{x′/x}∆1; Clos({x1 : σ1, . . . , xn : σn}, {x′/x}∆2)= {x′/x}(∆1; Clos({x1 : σ1, . . . , xn : σn}, ∆2)). 2

Lemma 11 If Γ1; Γ2{x′1 : σ1, . . . , x′n : σn}, ∆0 ` M0 : σ,

Γ1{x1 : σ1, . . . , xn : σn}, ∆{X : ([Γ2 . σ], {x1/x′1, . . . , xn/x′n})} ` M : τ ,

(BV (M) ∪ {xi|i = 1 · · ·n}) ∩ (IV C(M0) ∪ BV (M0) ∪ EV (M0)) = ∅ andBV (M) ∩ (dom(Γ2) ∪ {x′i|i = 1 · · ·n}) = ∅ thenΓ1{x1 : σ1, . . . , xn : σn}, ∆; Clos(Γ2, {x1/x

′1, . . . , xn/x′n}∆0) ` M [M0/X] : τ .

PROOF. We proceed by induction on the derivation ofΓ1{x1 : σ1, . . . , xn : σn}, ∆{X : ([Γ2 . σ], ν)} ` M : τ .

25

Case (abs)Γ1{x1 : σ1, . . . , xn : σn}{x : τ1}, ∆′{X : ([Γ2 . σ], ν)} ` M1 : τ2

Γ1{xi : σi}, ∆{X : ([Γ2 . σ], ν)} ` λx : τ1.M1 : τ1 → τ2

(ν = {x1/x′1, . . . , xn/x

′n}, ∆ = Clos({x : τ1}, ∆′) and x 6≡ xi).

Suppose (BV (λx : τ1.M1)∪{xi|i = 1 · · ·n})∩(IV C(M0)∪BV (M0)∪EV (M0))= ∅ and BV (λx : τ1.M1)∩ (dom(Γ2 ∪ {x′i|i = 1 · · ·n}). Then by lemma 6, wehave Γ1; Γ2{x′1 : σ1, . . . , x

′n : σn}{x : τ1}, ∆0 ` M0 : σ.

We obtain Γ1{x1 : σ1, . . . , xn : σn}{x : τ1}, ∆′; Clos(Γ2, ν∆0) ` M1[M0/X] : τby the induction hypothesis. Then by the rule (abs), we haveΓ1{x1 : σ1, . . . , xn : σn}, ∆; Clos(Γ2{x : τ1}, ν∆0) ` λx : τ1.M1[M0/X] : τ .Since x 6≡ xi and x 6∈ FV C(M0) ⊆ dom(Γ1; Γ2{x′1 : σ1, . . . , x

′n : σn}), and by

lemma 4, Clos(Γ2{x : τ1}, ν∆0) = Clos(Γ2, ν∆0).

Case

(abs)Γ1{x1 : σ1 . . . , xn : σn}{x : τ1}, ∆′{X : ([Γ′2 . σ], ν{x/x′})} ` M1 : τ2

Γ1{x1 : σ1, . . . , xn : σn}, ∆{X : ([Γ2 . σ], ν)} ` λx : τ1.M1 : τ1 → τ2

(ν = {x1/x′1, . . . , xn/x′n}, ∆ = Clos({x : τ1}, ∆′) and Γ2 = Γ′2{x′ : τ1}).

Since Γ2 = Γ′2{x′ : τ1}, we have Γ1; Γ′2{x′ : τ1}{x′1 : σ1 . . . , x′n : σn}, ∆0 ` M0 :

σ. By the induction hypothesis, we obtainΓ1{x1 : σ1, . . . , xn : σn}{x : τ1}, ∆′; Clos(Γ′2, ν{x/x′}∆0) ` M1[M0/X] : τ2.Since x 6∈ FV C(M0) ⊆ dom(Γ1; Γ2{x′1 : σ1 . . . , x′n : σn}) and by lemma 4,Clos({x : τ1}, ∆′; Clos(Γ′2, ν{x/x′}∆0)) = ∆; Clos(Γ2, ν∆0). By the rule(abs),we have Γ1{x1 : σ1 . . . , xn : σn}, ∆; Clos(Γ2, ν∆0) ` λx : τ1.M1[M0/X] : τ .

Case (app)

Γ1{x1 : σ1, . . . , xn : σn}, ∆1 ` M1 : τ1 → τ2

Γ1{x1 : σ1, . . . , xn : σn}, ∆2 ` M2 : τ1

Γ1{x1 : σ1, . . . , xn : σn}, ∆{X : ([Γ2 . σ], ν)} ` M1 M2 : τ2

(ν = {x1/x′1, . . . , xn/x

′n} and ∆{X : ([Γ2 . σ], ν)} = ∆1; ∆2).

Suppose ∆1 = ∆′1{X : ([Γ2 . σ], ν)}. By the induction hypothesis applied to

M1, the judgment Γ1{x1 : σ1, . . . , xn : σn}, ∆′1; Clos(Γ2, ν∆0) ` M1[M0/X] :

τ is derivable. The rest of this subcase is by the rule (app). The subcase of∆2 = ∆′

2{X : ([Γ2 . σ], ν)} is similar to the case above.

Case (hole) Γ1{x1 : σ1, . . . , xn : σn}, {X : ([∅ . τ ], ν)} ` Xν : τ(ν = {x1/x

′1, . . . , xn/x′n}).

Since xi 6∈ IV C(M0) ∪BV (M0) ∪ EV (M0),we have Γ1{x1 : σ1, . . . , xn : σn}, ν∆0 ` νM0 : τ by the repeated applicationsof lemma 10.

26

Case (habs)Γ1; Γ

′1, ∆{X : ([Γ2 . σ], ν)}{Y : ([Γ′2 . τ1], ∅)} ` M : τ2

Γ1; Γ′1, ∆{X : ([Γ2 . σ], ν)} ` δY.M : [Γ′2 . τ1] ⇒ τ2

(Γ′1 = {x1 : σ1, . . . , xn : σn} and ν = {x1/x′1, . . . , xn/x′n}).

By the induction hypothesis, we obtainΓ1; Γ

′1, ∆{Y : ([Γ′2 . τ1], ∅)}; Clos(Γ2, ν∆0) ` M [M0/X] : τ2. The rest is by

the rule (habs).

Case (fill)Γ1; Γx, ∆1 ` M1 : [Γy . τ1] ⇒ τ2 Γ1; Γx; Γy, ∆2 ` M2 : τ1

Γ1; Γx, ∆{X : ([Γ2 . σ], ν)} ` M1¯ν′M2 : τ2

(Γx = {x1 : σ1, . . . , xn : σn}, Γy = {y1 : σ′1, . . . , ym : σ′m},ν = {x1/x

′1, . . . , xn/x′n}, ν ′ = {y′1/y1, . . . , y

′m/ym}

and ∆{X : ([Γ2 . σ], ν)} = ∆1; Clos(Γy, ∆2)).If ∆1 = ∆′

1{X : ([Γ2 .σ], ν)}, then by the induction hypothesis applied to M1,Γ1; Γx, ∆

′1; Clos(Γ2, ν∆0) ` M1[M0/X] : [{y′1 : σ′1, . . . , y

′m : σ′m} . τ1] ⇒ τ2.

The rest is by the rule (fill).Suppose {y′ai

|i = 1 · · · p} = dom(Γ2) ∩ {y′j|j = 1 · · ·m}, {y′bi|i = 1 · · · q} =

{y′j|j = 1 · · ·m} \ {y′ai|i = 1 · · · p}, p+q=m, Γ2 = Γ′2{y′a1

: σ′a1, . . . , y′ap

:σ′ap} and ∆2 = ∆′

2{X : ([Γ′2 . σ], ν{ya1/y′a1

, . . . , yap/y′ap})}. Then, we have

Γ1; Γ′2{y′a1

: σ′a1, . . . , y′ap

: σ′ap}{x′1 : σ1, . . . , x

′n : σn}, ∆0 ` M0 : σ. Since ybi

6∈dom(Γ1)∪dom(Γ2)∪{x′k|k = 1 · · ·n}∪BV (M0)∪EV (M0), by lemma 6, we haveΓ1{yb1 : σ′b1 , . . . , ybq : σ′bq

}; Γ′2{y′a1: σ′a1

, . . . , y′ap: σ′ap

}{x′1 : σ1, . . . , x′n : σn}, ∆0 `

M0 : σ. By (BV (M1¯ν′ M2) ∪ {xk|k = 1 · · ·n}) ∩ (IV C(M0) ∪ BV (M0) ∪EV (M0)) = ∅, (BV (M2) ∪ {xk|k = 1 · · ·n} ∪ {yai

|i = 1 · · · p}) ∩ (IV C(M0) ∪BV (M0) ∪ EV (M0)) = ∅. Therefore by the induction hypothesis, we obtainΓ1; Γx; Γy, ∆

′2; Clos(Γ′2, (ν{ya1/y

′a1

, . . . , yap/y′ap})∆0) ` M2[M0/X] : τ1.

Finally, we obtain Γ1; Γx, ∆; Clos(Γ2, ν∆0) ` M1¯ν′M2[M0/X] : τ2 by therule (fill) in a similar way to the case of (abs). 2

27