A new coinductive confluence proof for infinitary lambda-calculus

A new coinductive confluence proof for infinitary lambda-calculus

[ University of Copenhagen, Universitetsparken 5, 2100 Copenhagen, Denmark luta@di.ku.dk
Abstract

We present a new and formal coinductive proof of confluence and normalisation of Böhm reduction in infinitary lambda-calculus. The proof is simpler than previous proofs of this result. The technique of the proof is new, i.e., it is not merely a coinductive reformulation of any earlier proofs. We formalised the proof in the Coq proof assistant.

infinitary rewriting, confluence, normalisation, Böhm trees, coinduction
\DeclareMathOperator\Coloneqq

::=  Ł. Czajka]Łukasz Czajka thanks: Supported by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement number 704111.

1 Introduction

Infinitary lambda-calculus is a generalisation of lambda-calculus that allows infinite lambda-terms and transfinite reductions. This enables the consideration of “limits” of terms under infinite reduction sequences. For instance, for a term we have

Intuitively, the “value” of  is an infinite term  satisfying , where by  we denote identity of terms. In fact, is the normal form of  in infinitary lambda-calculus.

In [EndrullisPolonsky2011, EndrullisHansenHendriksPolonskySilva2018] it is shown that infinitary reductions may be defined coinductively. The standard non-coinductive definition makes explicit mention of ordinals and limits in a certain metric space [KennawayKlopSleepVries1997, KennawayVries2003, BarendregtKlop2009]. A coinductive approach is better suited to formalisation in a proof-assistant. Indeed, with relatively little effort we have formalised our results in Coq (see Section 7).

In this paper we show confluence of infinitary lambda-calculus, modulo equivalence of so-called meaningless terms [KennawayOostromVries1999]. We also show confluence and normalisation of infinitary Böhm reduction over any set of strongly meaningless terms. All these results have already been obtained in [KennawayKlopSleepVries1997, KennawayOostromVries1999] by a different and more complex proof method.

In a related conference paper [Czajka2014] we have shown confluence of infinitary reduction modulo equivalence of root-active subterms, and confluence of infinitary Böhm reduction over root-active terms. The present paper is quite different from [Czajka2014]. A new and simpler method is used. The proof in [Czajka2014] follows the general strategy of [KennawayKlopSleepVries1997]. There first the confluence modulo equivalence of root-active terms is shown, proving the confluence of an auxiliary -calculus as an intermediate step. Then confluence of Böhm reduction is derived from confluence modulo equivalence of root-active terms. Here we first show that every term has a unique normal form reachable by a special standard infinitary -reduction. Then we use this result to derive confluence of Böhm reduction, and from that confluence modulo equivalence of meaningless terms. We do not use any -calculus at all. See the beginning of Section 5 for a more detailed discussion of our proof method.

1.1 Related work

Infinitary lambda-calculus was introduced in [KennawayKlopSleepVries1997, KennawayKlopSleepVries1995b]. Meaningless terms were defined in [KennawayOostromVries1999]. The confluence and normalisation results of this paper were already obtained in [KennawayKlopSleepVries1997, KennawayOostromVries1999], by a different proof method. See also [KennawayVries2003, BarendregtKlop2009, EndrullisHendriksKlop2012] for an overview of various results in infinitary lambda-calculus and infinitary rewriting.

Joachimski in [Joachimski2004] gives a coinductive confluence proof for infinitary lambda-calculus, but Joachimski’s notion of reduction does not correspond to the standard notion of a strongly convergent reduction. Essentially, it allows for infinitely many parallel contractions in one step, but only finitely many reduction steps. The coinductive definition of infinitary reductions capturing strongly convergent reductions was introduced in [EndrullisPolonsky2011]. Later [EndrullisHansenHendriksPolonskySilva2015, EndrullisHansenHendriksPolonskySilva2018] generalised this to infinitary term rewriting systems. In [Czajka2014] using the definition from [EndrullisPolonsky2011] the confluence of infinitary lambda-calculus modulo equivalence of root-active subterms was shown coinductively. The proof in [Czajka2014] follows the general strategy of [KennawayKlopSleepVries1997, KennawayKlopSleepVries1995b]. The proof in the present paper bears some similarity to the proof of the unique normal forms property of orthogonal iTRSs in [KlopVrijer2005]. It is also similar to the coinductive confluence proof for nearly orthogonal infinitary term rewriting systems in [Czajka2015a], but there the “standard” reduction employed is not unique and need not be normalising.

Confluence and normalisation results in infinitary rewriting and infinitary lambda calculus have been generalised to the framework of infinitary combinatory reduction systems [KetemaSimonsen2009, KetemaSimonsen2010, KetemaSimonsen2011].

There are three well-known variants of infinitary lambda-calculus: the , and  calculi [BarendregtKlop2009, EndrullisHendriksKlop2012, KennawayKlopSleepVries1997, KennawayKlopSleepVries1995b]. The superscripts , , indicate the depth measure used: means that we shall add // to the depth when going down/left/right in the tree of the lambda-term [KennawayKlopSleepVries1997, Definition 6]. In this paper we are concerned only with a coinductive presentation of the -calculus.

In the -calculus, after addition of appropriate -rules, every finite term has its Böhm tree [KennawayKlopSleepVries1995b] as the normal form. In  and , the normal forms are, respectively, Berarducci trees and Levy-Longo trees [KennawayKlopSleepVries1997, KennawayKlopSleepVries1995b, Berarducci1996b, Levy1975, Longo1983]. With the addition of infinite - or -reductions it is possible to also capture, repsectively, -Böhm or -Böhm trees as normal forms [SeveriVries2002, SeveriVries2017].

The addition of -rules may be avoided by basing the definition of infinitary terms on ideal completion. This line of work is pursued in [Bahr2010, Bahr2014, Bahr2018]. Confluence of the resulting calculi is shown, but the proof depends on the confluence results of [KennawayKlopSleepVries1997].

2 Infinite terms and corecursion

In this section we define many-sorted infinitary terms. We also explain and justify guarded corecursion using elementary notions.

{defi}

A many-sorted algebraic signature consists of a collection of sort symbols  and a collection of constructors . Each constructor  has an associated type where . If then  is a constant of sort . In what follows we use , etc., for many-sorted algebraic signatures, , etc., for sort symbols, and , etc., for constructors.

The set , or just , of infinitary terms over  is the set of all finite and infinite terms over , i.e., all finite and infinite labelled trees with labels of nodes specified by the constructors of  such that the types of labels of nodes agree. More precisely, a term  over  is a partial function from  to  satisfying:

  • , and

  • if with then

    • with for ,

    • for ,

  • if then  for every ,

where means that  is undefined, means that  is defined, and  is the empty string. We use obvious notations for infinitary terms, e.g., when and , and the types agree. We say that a term  is of sort  if is a constructor of type for some . By  we denote the set of all terms of sort  from .

{exa}

Let be a set. Let consist of two sorts  and , one constructor  of type and a distinct constant of sort  for each element of . Then  is the set of streams over . We also write and . Instead of we usually write , and we assume that  associates to the right, e.g., is . We also use the notation to denote the application of the constructor for  to  and . We define the functions and by

Specifications of many-sorted signatures may be conveniently given by coinductively interpreted grammars. For instance, the set  of streams over a set  could be specified by writing

A more interesting example is that of finite and infinite binary trees with nodes labelled either with  or , and leaves labelled with one of the elements of a set :

As such specifications are not intended to be formal entities but only convenient visual means for describing sets of infinitary terms, we will not define them precisely. It is always clear what many-sorted signature is meant.

For the sake of brevity we often use and , i.e., we omit the signature  when clear from the context or irrelevant.

{defi}

The class of constructor-guarded functions is defined inductively as the class of all functions (for arbitrary , ) such that there are a constructor  of type and functions () such that

for all , and for each one of the following holds:

  • is constructor-guarded, or

  • is a constant function, or

  • and there is with for all .

Let  be a set. A function is constructor-guarded if for every the function defined by is constructor-guarded. A function is defined by guarded corecursion from and () if  is constructor-guarded and  satisfies

for all .

The following theorem is folklore in the coalgebra community. We sketch an elementary proof. In fact, each set of many-sorted infinitary terms is a final coalgebra of an appropriate set-functor. Then Theorem 2 follows from more general principles. We prefer to avoid coalgebraic terminology, as it is simply not necessary for the purposes of the present paper. See e.g. [JacobsRutten2011, Rutten2000] for a more general coalgebraic explanation of corecursion.

{thm}

For any constructor-guarded function and any (), there exists a unique function defined by guarded corecursion from  and .

{proof}

Let be an arbitrary function. Define  for by . Using the fact that  is constructor-guarded, one shows by induction on  that:

  • for and with

where  denotes the length of . Indeed, the base is obvious. We show the inductive step. Let . Because  is constructor-guarded, we have for instance

Let with . The only interesting case is when , i.e., when  points inside . But then , so by the inductive hypothesis . Thus .

Now we define by

for , . Using  it is routine to check that  is a well-defined infinitary term for each . To show that  is defined by guarded corecursion from  and , using  one shows by induction on the length of  that for any :

To prove that  is unique it suffices to show that it does not depend on . For this purpose, using  one shows by induction on the length of  that  does not depend on  for any .

We shall often use the above theorem implicitly, just mentioning that some equations define a function by guarded corecursion.

{exa}

Consider the equation

It may be rewritten as

So is defined by guarded corecursion from given by

and given by

By Theorem 2 there is a unique function satisfying the original equation.

Another example of a function defined by guarded corecursion is :

The following function is also defined by guarded corecursion:

3 Coinduction

In this section111This section is largely based on [Czajka2015a, Section 2]. we give a brief explanation of coinduction as it is used in the present paper. Our presentation of coinductive proofs is similar to e.g. [EndrullisPolonsky2011, BezemNakataUustalu2012, NakataUustalu2010, LeroyGrall2009, KozenSilva2017]. Since we formalised our main results, the proofs may be understood as a paper presentation of formal Coq proofs. They can also be justified by appealing to one of a number of established coinduction principles, or by indicating how to interpret them in ordinary set theory, which is what we do in this section.

There are many ways in which our coinductive proofs could be justified. With enough patience one could, in principle, reformulate all proofs to directly employ the usual coinduction principle in set theory based on the Knaster-Tarski fixpoint theorem [Sangiorgi2012]. One could probably also use the coinduction principle from [KozenSilva2017]. All our proofs and corecursive definitions are actually guarded, so they can be formalised in a proof assistant based on type theory with a syntactic guardedness check, e.g., in Coq [Coquand1993, Gimenez1994]. We carried out a Coq formalisation of our main results, described in more detail in Section 7.

The purpose of this section is to explain how to justify our proofs by reducing coinduction to transfinite induction. The present section does not provide a formal coinduction proof principle as such, but only indicates how one could elaborate the proofs so as to eliminate the use of coinduction. Naturally, such an elaboration would introduce some tedious details. The point is that all these details are essentially the same for each coinductive proof. The advantage of using coinduction is that the details need not be provided each time. An analogous elaboration could be done to directly employ any of a number of established coinduction principles, but as far as we know elaborating the proofs in the way explained here requires the least amount of effort in comparison to reformulating them to directly employ an established coinduction principle. In fact, we do not wish to explicitly commit to any formal proof principle, as much as papers in e.g. number theory do not, in general, explicitly commit to a given formalisation of arithmetic. We do not think that choosing a specific principle has an essential impact on the content of our proofs, except by making it more or less straightforward to translate the proofs into a form which uses the principle directly.

A reader not satisfied with the level of rigour of the explanations of coinduction below is referred to our formalisation (see Section 7). The present section provides one way in which our proofs can be understood and verified without resorting to a formalisation. To make the observations of this section completely precise and general one would need to introduce formal notions of “proof” and “statement”. In other words, one would need to formulate a system of logic with a capacity for coinductive proofs. We do not want to do this here, because this paper is about a coinductive confluence proof for infinitary lambda-calculus, not about foundations of coinduction. It would require some work, but should not be too difficult, to create a formal system based on the present section in which our coinductive proofs could be interpreted reasonably directly. We defer this to future work.

{exa}

Let  be the set of all finite and infinite terms defined coinductively by

where  is a countable set of variables, and , are constructors. By we denote variables, and by we denote elements of . Define a binary relation  on  coinductively by the following rules.

Formally, the relation  is the greatest fixpoint of a monotone function

defined by

Alternatively, using the Knaster-Tarski fixpoint theorem, the relation  may be characterised as the greatest binary relation on  (i.e. the greatest subset of w.r.t. set inclusion) such that , i.e., such that for every with one of the following holds:

  1. for some variable ,

  2. , with ,

  3. , with and ,

  4. , with .

Yet another way to think about  is that holds if and only if there exists a potentially infinite derivation tree of built using the rules .

The rules  could also be interpreted inductively to yield the least fixpoint of . This is the conventional interpretation, and it is indicated with a single line in each rule separating premises from the conclusion. A coinductive interpretation is indicated with double lines.

The greatest fixpoint  of  may be obtained by transfinitely iterating  starting with . More precisely, define an ordinal-indexed sequence  by:

  • ,

  • ,

  • for a limit ordinal .

Then there exists an ordinal  such that . The least such ordinal is called the closure ordinal. Note also that for (we often use this fact implicitly). See e.g. [DaveyPriestley2002, Chapter 8]. The relation  is called the -approximant. Note that the -approximants depend on a particular definition of  (i.e. on the function ), not solely on the relation  itself. We use  for the -approximant of a relation .

It is instructive to note that the coinductive rules for  may also be interpreted as giving rules for the -approximants, for any ordinal .

Usually, the closure ordinal for the definition of a coinductive relation is . In general, however, it is not difficult to come up with a coinductive definition whose closure ordinal is greater than . For instance, consider the relation defined coinductively by the following two rules.

We have , for , , and only . Thus the closure ordinal of this definition is .

In this paper we are interested in proving by coinduction statements of the form where

and are coinductive relations on , i.e, relations defined as the greatest fixpoints of some monotone functions on the powerset of an appropriate cartesian product of , and is  with  substituted for . Statements with an existential quantifier may be reduced to statements of this form by skolemising, as explained in Example 3 below.

Here are meta-variables for which relations on  may be substituted. In the statement  only occur free. The meta-variables are not allowed to occur in . In general, we abbreviate with . The symbols  denote some functions of .

To prove  it suffices to show by transfinite induction that holds for each ordinal , where  is the -approximant of . It is an easy exercise to check that because of the special form of  (in particular because  does not contain ) and the fact that each  is the full relation, the base case  and the case of  a limit ordinal hold. They hold for any  of the above form, irrespective of . Note that  is the same in all  for any , i.e., it does not refer to the -approximants or the ordinal . Hence it remains to show the inductive step for  a successor ordinal. It turns out that a coinductive proof of  may be interpreted as a proof of this inductive step for a successor ordinal, with the ordinals left implicit and the phrase “coinductive hypothesis” used instead of “inductive hypothesis”.

{exa}

On terms from  (see Example 3) we define the operation of substitution by guarded corecursion.

We show by coinduction: if and then , where  is the relation from Example 3. Formally, the statement we show by transfinite induction on  is: for , if and then . For illustrative purposes, we indicate the -approximants with appropriate ordinal superscripts, but it is customary to omit these superscripts.

Let us proceed with the proof. The proof is by coinduction with case analysis on . If with , then . If then (note that ). If , and , then by the coinductive hypothesis. Thus by rule . If , then the proof is analogous. If , and , then the proof is also similar. Indeed, by the coinductive hypothesis we have , so by rule .

With the following example we explain how our proofs of existential statements should be interpreted.

{exa}

Let  and  be as in Example 3. We want to show: for all , if and then there exists with and . The idea is to skolemise this statement. So we need to find a Skolem function which will allow us to prove the Skolem normal form:

  • if and then and .

The rules for  suggest a definition of :

This is a definition by guarded corecursion, so there exists a unique function satisfying the above equations. The last case in the above definition of  corresponds to the case in Definition 2 where all  are constant functions. Note that any fixed term has a fixed constructor (in the sense of Definition 2) at the root. In the sense of Definition 2 also the elements of  are nullary constructors.

We now proceed with a coinductive proof of . Assume and . If then , and by rule . If , and with and , then by the coinductive hypothesis and . We have . Hence and , by rule . If , and , with , , and , then by the coinductive hypothesis we have , , and . Hence by rule . Analogously, by rule . Other cases are similar.

Usually, it is inconvenient to invent the Skolem function beforehand, because the definition of the Skolem function and the coinductive proof of the Skolem normal form are typically interdependent. Therefore, we adopt an informal style of doing a proof by coinduction of a statement

with an existential quantifier. We intertwine the corecursive definition of the Skolem function  with a coinductive proof of the Skolem normal form

We proceed as if the coinductive hypothesis was  (it really is the Skolem normal form). Each element obtained from the existential quantifier in the coinductive hypothesis is interpreted as a corecursive invocation of the Skolem function. When later we exhibit an element to show the existential subformula of , we interpret this as the definition of the Skolem function in the case specified by the assumptions currently active in the proof. Note that this exhibited element may (or may not) depend on some elements obtained from the existential quantifier in the coinductive hypothesis, i.e., the definition of the Skolem function may involve corecursive invocations.

To illustrate our style of doing coinductive proofs of statements with an existential quantifier, we redo the proof done above. For illustrative purposes, we indicate the arguments of the Skolem function, i.e., we write  in place of . These subscripts are normally omitted.

We show by coinduction that if and then there exists with and . Assume and . If then take . If , and with and , then by the coinductive hypothesis we obtain  with and . More precisely: by corecursively applying the Skolem function to we obtain , and by the coinductive hypothesis we have and . Hence and , by rule . Thus we may take . If , and , with , , and , then by the coinductive hypothesis we obtain  and  with , , and . Hence by rule . Analogously, by rule . Thus we may take . Other cases are similar.

It is quite clear that the above informal proof, when interpreted in the way outlined before, implicitly defines the Skolem function . It should be kept in mind that in every case the definition of the Skolem function needs to be guarded. We do not explicitly mention this each time, but verifying this is part of verifying the proof.

When doing proofs by coinduction the following criteria need to be kept in mind in order to be able to justify the proofs according to the above explanations.

  • When we conclude from the coinductive hypothesis that some relation  holds, this really means that only its approximant  holds. Usually, we need to infer that the next approximant  holds (for some other elements ) by using  as a premise of an appropriate rule. But we cannot, e.g., inspect (do case reasoning on) , use it in any lemmas, or otherwise treat it as .

  • An element  obtained from an existential quantifier in the coinductive hypothesis is not really the element itself, but a corecursive invocation of the implicit Skolem function. Usually, we need to put it inside some constructor , e.g. producing , and then exhibit  in the proof of an existential statement. Applying at least one constructor to  is necessary to ensure guardedness of the implicit Skolem function. But we cannot, e.g., inspect , apply some previously defined functions to it, or otherwise treat it as if it was really given to us.

  • In the proofs of existential statements, the implicit Skolem function cannot depend on the ordinal . However, this is the case as long as we do not violate the first point, because if the ordinals are never mentioned and we do not inspect the approximants obtained from the coinductive hypothesis, then there is no way in which we could possibly introduce a dependency on .

Equality on infinitary terms may be characterised coinductively.

{defi}

Let  be a many-sorted algebraic signature, as in Definition 2. Let . Define on  a binary relation  of bisimilarity by the coinductive rules

for each constructor .

It is intuitively obvious that on infinitary terms bisimilary is the same as identity. The following easy (and well-known) proposition makes this precise.

{prop}

For we have: iff .

{proof}

Recall that each term is formally a partial function from  to . We write if either both are defined and equal, or both are undefined.

Assume . It suffices to show by induction of the length of that or , where by  we denote the subterm of  at position . For this is obvious. Assume . By the inductive hypothesis, or . If then and for some with for . If then . Otherwise, if or if , then by the definition of infinitary terms.

For the other direction, we show by coinduction that for any we have . If then for some . By the coinductive hypothesis we obtain for . Hence by the rule for .

For infinitary terms , we shall theorefore use the notations and interchangeably, employing Proposition 3 implicitly. In particular, the above coinductive characterisation of term equality is used implicitly in the proof of Lemma 5.4.

{exa}

Recall the coinductive definitions of  and  from Example 2.

By coinduction we show

for any stream . Let . Then for some and . We have

In the equality marked with (by CH) we use the coinductive hypothesis, and implicitly a bisimilarity rule from Definition 3.

The above explanation of coinduction is generalised and elaborated in much more detail in [Czajka2015]. Also [KozenSilva2017] may be helpful as it gives many examples of coinductive proofs written in a style similar to the one used here. The book [Sangiorgi2012] is an elementary introduction to coinduction and bisimulation (but the proofs there are presented in a different way than here, not referring to the coinductive hypothesis but explicitly constructing a backward-closed set). The chapters [BertotCasteran2004Chapter13, Chlipala2013Chapter5] explain coinduction in Coq from a practical viewpoint. A reader interested in foundational matters should also consult [JacobsRutten2011, Rutten2000] which deal with the coalgebraic approach to coinduction.

In the rest of this paper we shall freely use coinduction, giving routine coinductive proofs in as much (or as little) detail as it is customary with inductive proofs of analogous difficulty.

4 Definitions and basic properties

In this section we define infinitary lambda-terms and the various notions of infinitary reductions.

{defi}

The set of infinitary lambda-terms is defined coinductively:

where  is an infinite set of variables and  is a set of constants such that . An atom is a variable or a constant. We use the symbols for variables, and for constants, and for atoms, and for terms. By  we denote the set of variables occurring free in .

We define substitution by guarded corecursion.

We silently omit here the issue of the renaming of bound variables and work with infinitary lambda-terms in a naive way, implicitly employing the variable convention like in [Barendregt1984, 2.1.13]: if occur in a certain mathematical context (e.g. definition, proof) then in these terms all bound variables are chosen to be different from the free ones. We consider terms up to renaming of bound variables, e.g.