 %%% This is the scribe notes template for CS611
%%% There are several comments preceded by CS611: and boxed in %%%%'s 
%%% which indicate where macros should be altered to set up the header
%%% for the paper.  Your Notes should go at the comment SCRIBE NOTES GO HERE!.

%%% In the various .sty files that accompany this .tex file you will    
%%% find LaTeX macros that make it easier to typeset inference rules    
%%% and programming language constructs.  You must make sure that the   
%%% file proof.sty is in a path searched by LaTeX when you try to       
%%% use this file.  Take a look to see what macros are available--it    
%%% will save you time and make the notes look better.  Feel free to    
%%% extend the set of macros--post them to the newsgroup and contact    
%%% the course staff if you come up with some good ones so they can be  
%%% added to the template.                                              

%%% This template includes examples of how to use some of the macros
%%% to give you an idea of how they work.  (Delete the examples when
%%% you do your scribing.)

\documentclass{article}
\usepackage{611-lecture}
\usepackage{amssymb,amsfonts}
%\usepackage{amsmath,amssymb,amsthm,amsfonts}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% CS611: Please fill in these macros as appropriate:
\lecture{24} %% Lecture number
\title{Soundness of the Typing Rules}   %% Title of lecture
%\author{Stephen Chong, Prakash Linga, Andrew Myers}  %% name of scribe
\date{25 October 2006}    %% Date of lecture
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

% See 611.sty for a variety of macros that will be helpful in
% typesetting the lecture
%
% quotes can be used for typewriter font
% <> can be used for angle brackets

\renewcommand\Set[1]{\ensuremath{\mathrm{\mathbf{#1}}}}

\newtheorem{theorem}{Theorem}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{corollary}[theorem]{Corollary}

\newcommand{\ENV}{\impfnt{Env}}
\newcommand{\FENV}{\impfnt{FEnv}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\group}[1]{\left\langle{#1}\right\rangle}

%\theoremstyle{definition}
%\newtheorem*{defn}{Definition}
\newcommand{\nondet}{\left[\!\kern1pt\right]}
\renewcommand\phi\varphi
\renewcommand\wp[2]{\mathsf{wp}~{#1}~{#2}}
\newcommand\wlp[2]{\mathsf{wlp}~{#1}~{#2}}
\renewcommand\({\begin{eqnarray*}}
\renewcommand\){\end{eqnarray*}}

\newcommand\LOOKUP[2]{\mathrm{LOOKUP}~{#1}~{#2}}
\newcommand\UPDATE[3]{\mathrm{UPDATE}~{#1}~{#2}~{#3}}
\newcommand\MALLOC[2]{\mathrm{MALLOC}~{#1}~{#2}}
\newcommand\EMPTY{\mathrm{EMPTY\mbox{-}STORE}}
\renewcommand\dom[1]{\mathrm{dom}\,{#1}}
\newcommand\p[2]{\langle{#1},\,{#2}\rangle}
\newcommand\bigcdot{\mathrel{\raisebox{1pt}{$\scriptscriptstyle\bullet$}}}
\newcommand\holed[1]{[\,#1\,]}
\newcommand\hole{\holed\bigcdot}
\newcommand\context[1]{E\kern1pt\holed{#1}}
\newcommand\contextHole{\context\bigcdot}
\newcommand\goesto[2]{\underset{#2}{\overset{#1}\longrightarrow}}
\newcommand\ifthenelse[3]{\mathsf{if\ }#1\mathsf{\ then\ }#2\mathsf{\ else\ }#3}
\newcommand\ifpthenelse[3]{\mathsf{ifp\ }#1\mathsf{\ then\ }#2\mathsf{\ else\ }#3}
\newcommand\whiledo[2]{\mathsf{while\ }#1\mathsf{\ do\ }#2}
\newcommand\letin[3]{\mathsf{let\ }#1 = #2\mathsf{\ in\ }#3}
\newcommand\letrec[5]{\mathsf{letrec\ }#1 = #2\mathsf{\ and\ \ldots\ and\ }#3 = #4\mathsf{\ in\ }#5}
\newcommand\letrecone[3]{\mathsf{letrec\ }#1 = #2\mathsf{\ in\ }#3}
\newcommand\true{\ensuremath{\mathsf{true}}}
\newcommand\false{\ensuremath{\mathsf{false}}}
\newcommand\error{\ensuremath{\mathsf{error}}}
\newcommand\pca[3]{\{#1\}\kern1pt{#2}\kern1pt\{#3\}}
\newcommand\states{\Set{St}}
\newcommand\rtc{^{\textstyle *}}
\newcommand\sat\vDash
\newcommand\force\vdash

\newcommand\hyphen{\mbox{-}}
\newcommand\lookup[2]{\nm{LOOKUP}~#1~\mquote{#2}}
\newcommand\update[3]{\nm{UPDATE}~#1~\mquote{#2}~#3}
\newcommand\SBk[1]{\SB{#1}k}
\newcommand\fix[1]{\mathsf{fix}\,{#1}}

\newlength\reasonwidth
\setlength\reasonwidth{3cm}
\newcommand\reasoning[1]{\def\longest{#1}\settowidth{\reasonwidth}{$\displaystyle\longest$}\addtolength{\reasonwidth}{5mm}} %dck 2/12/98
\newcommand\reason[2]{\makebox[\reasonwidth][l]{$\displaystyle{#1}$}\mbox{#2}}

\renewcommand\inj[1]{\mathsf{in}_{#1}}
\newcommand\proj[1]{\pi_{#1}}
\newcommand{\dlt}{\sqsubseteq}
\newcommand\floor[1]{\lfloor{#1}\rfloor}
\newcommand\cf[1]{[\kern1pt{#1}\kern1pt]}
\newcommand\SBpr[1]{\SB{#1}\,\phi\,\rho}%

\newcommand\judge[2]{\force{#1}\ty{#2}}
\newcommand\Gjudge[2]{\Gamma\judge{#1}{#2}}%
\renewcommand\C[3]{\Tr C{#1}\kern1pt{#2}\kern1pt{#3}}
\renewcommand\Cr[1]{\C{#1}\Gamma\rho}
\newcommand\Irred[1]{\ensuremath{\mathrm{Irred}(#1)}}

\begin{document}

\maketitle

\section{Soundness from the Operational Perspective}
%\nopagebreak

We will now look at the soundness of the $\lambda^\rightarrow$
typing rules from the operational perspective. This means:
\begin{center}
\emph{The typing rules are sound}  $\iff$  \emph{no well-formed program gets stuck.}
\end{center}

For this language, \emph{well-formed} and \emph{well-typed} are synonymous.  To be more precise, let us call $e$ \emph{irreducible} and write \Irred e\ if there is no reduction possible on $e$.  All values of $\lambda^\to$ are irreducible.  If $e$ is irreducible but is not a value, then $e$ is said to be \emph{stuck}.  We wish to show
\begin{theorem}[Operational Soundness]\quad
$\judge e\tau\ \wedge\ e \stackrel*\to e'\ \wedge\ \Irred{e'}\ \ \Rightarrow\ \ e'\in\Set{Val}\ \wedge\ \judge {e'}\tau$.
\end{theorem}
We will prove this in two steps using the following two lemmas:
\begin{lemma}[Type Preservation]\quad
$\Gjudge e\tau\ \wedge\ e \to e'\ \ \Rightarrow\ \ \Gjudge{e'}\tau$.
\end{lemma}
\begin{lemma}[Progress]\quad
$\judge e\tau\ \wedge\ \Irred e\ \ \Rightarrow\ \ e\in\Set{Val}$.
\end{lemma}
The type preservation lemma says that as we evaluate a program, its type is preserved at each step.  The progress lemma says that every program is either a value or can be stepped to another program (and by the preservation lemma, this will be of the same type).

Operational soundness follows easily from these two lemmas.  Type preservation
says every step preserves the type, so we use
induction on the number of steps taken in $e \stackrel*\to e'$ to show
that $e'$ must have the same type as $e$. Then progress can
be applied to $e'$ to show that the evaluation isn't stuck there.
We will now set out to prove these two lemmas.

\section{Proof of the Type Preservation Lemma}

Assuming that $\Gjudge e\tau$ and $e\to e'$, we wish to show that $\Gjudge{e'}\tau$.
We will do this by induction on the well-founded subterm relation.

If $e\to e'$, there are three cases corresponding to the three evaluation rules:
\[
\begin{array}{c@{\hspace{1cm}}c@{\hspace{1cm}}c}
\infer[\mbox{(L)}]{e_0~e_1 \to e'_0~e_1}{e_0 \to e'_0} &
\infer[\mbox{(R)}]{v~e \to v~e'}{e \to e'} &
\infer[(\beta)]{(\lam{x\ty\sigma}{e})~v \to \subst evx}{}
\end{array}
\]

\begin{itemize}
\item Case (L): $e_0~e_1 \to e'_0~e_1$.

Because we have a typing derivation for $e_0~e_1$, we know
that there are typing derivations for $e_0$ and $e_1$ too. We must
have $\Gjudge{e_0}{\sigma\to\tau}$ and $\Gjudge{e_1}\sigma$
for some type $\sigma$.  By the induction hypothesis,
the reduction $e_0 \to e_0'$ also preserves type, so
$\Gjudge{e_0'}{\sigma\to\tau}$.  Applying the typing rule for
applications, we have that $\Gjudge{e_0'~e_1}\tau$.

\item Case (R): $v~e \to v~e'$.

This case is symmetrical to case (L).  In this case it is the right-hand
subexpression making the step.

\item Case ($\beta$): $(\lam{x\ty\sigma}{e})~v \to \subst evx$.

The typing derivation of $\Gjudge{(\lam{x\ty\sigma}{e})~v}\tau$ must look like this:

\[
   \infer{
	 \Gjudge{(\lam{x\ty\sigma}{e})~v}\tau
	 }
	 {
	 \infer {
		\Gjudge{(\lam{x\ty\sigma}{e})}{\sigma\to\tau}
		}
		{
		\Gamma,\,x\ty\sigma\judge{e}\tau
		}	
	 &
	 \Gjudge v\sigma
	 }
\]

We want to show that $\Gjudge{\subst evx}\tau$ using the facts
$\Gamma,\,x\ty\sigma\judge e\tau$ and $\judge v\sigma$.
Our induction hypothesis doesn't help us here; we need to
prove this separately. It follows as a special case of the
substitution lemma below, which captures the type
preservation of $\beta$-reduction.
\end{itemize}

\section{The Substitution Lemma}

\begin{lemma}[Substitution Lemma]\quad
$\judge v\sigma\ \ \Rightarrow\ \ (\Gamma,\,x\ty\sigma\judge e\tau\ \ \Leftrightarrow\ \ \Gjudge{\subst evx}\tau)$.
\end{lemma}
We will prove this by structural induction on $e$.

\begin{itemize}

\item Case 1: $x\notin\FV e$.

This case covers the base cases $e\in\{n, "true", "false", "null"\}$ and $e = y\neq x$ and $\lambda$-abstractions $\lam{x\ty\rho}e$ that bind $x$.  In this case the substitution has no effect and any binding of $x$ in the type environment $\Gamma$ is irrelevant, thus the lemma reduces to the trivial statement
\(
\judge v\sigma &\Rightarrow& (\Gjudge e\tau\ \ \Leftrightarrow\ \ \Gjudge e\tau).
\)

\item Case 2: $e = x$.

In this case the lemma reduces to
\(
\judge v\sigma &\Rightarrow& (\Gamma,\,x\ty\sigma\judge x\tau\ \ \Leftrightarrow\ \ \Gjudge v\tau),
\)
since $\subst xvx=v$.  Since $v$ is closed, the type environment $\Gamma$ is irrelevant, so the statement further reduces to
\(
\judge v\sigma &\Rightarrow& (x\ty\sigma\judge x\tau\ \ \Leftrightarrow\ \ \judge v\tau).
\)
Since an expression has at most one type in a given environment, both sides of the double implication say that $\sigma=\tau$, so again the lemma reduces to a tautology.

\item Case 3: $e = e_0~e_1$.

Suppose $\judge v\sigma$.  Write $\sigma'$ for the argument type of $e_0$, to keep it distinct from the type $\sigma$ of $v$.
\reasoning{\exists\sigma'\ \ \Gjudge{\subst{e_0}vx}\sigma'\to\tau\ \wedge\ \Gjudge{\subst{e_1}vx}\sigma'}
\(
\Gamma,\,x\ty\sigma\judge{e_0~e_1}\tau
&\Leftrightarrow& \reason{\exists\sigma'\ \ \Gamma,\,x\ty\sigma\judge{e_0}\sigma'\to\tau\ \wedge\ \Gamma,\,x\ty\sigma\judge{e_1}\sigma'}{typing rule for applications}\\
&\Leftrightarrow& \reason{\exists\sigma'\ \ \Gjudge{\subst{e_0}vx}\sigma'\to\tau\ \wedge\ \Gjudge{\subst{e_1}vx}\sigma'}{induction hypothesis}\\
&\Leftrightarrow& \reason{\Gjudge{\subst{e_0}vx~\subst{e_1}vx}\tau}{typing rule for applications}\\
&\Leftrightarrow& \reason{\Gjudge{\subst{(e_0~e_1)}vx}\tau}{definition of substitution.}
\)

\item Case 4: $e = \lam{y\ty\rho}{e'}$, where $y\neq x$ (the case $y=x$ was covered in Case 1).

Suppose $\judge v\sigma$.  The type of $\lam{y\ty\rho}{e'}$, if it exists, must be $\rho\to\tau$ for some $\tau$.  Similarly, the type of $\subst{(\lam{y\ty\rho}{e'})}vx=\lam{y\ty\rho}{(\subst{e'}vx)}$, if it exists, must be $\rho\to\tau'$ for some $\tau'$.
\reasoning{\Gjudge{\subst{(\lam{y\ty\rho}{e'})}vx}{\rho\to\tau}}
\(
\Gamma,\,x\ty\sigma\judge{(\lam{y\ty\rho}{e'})}{\rho\to\tau}
&\Leftrightarrow& \reason{\Gamma,\,x\ty\sigma,\,y\ty\rho\judge{e'}\tau}{typing rule for abstractions}\\
&\Leftrightarrow& \reason{\Gamma,\,y\ty\rho,\,x\ty\sigma\judge{e'}\tau}{exchange}\\
&\Leftrightarrow& \reason{\Gamma,\,y\ty\rho\judge{\subst{e'}vx}\tau}{induction hypothesis}\\
&\Leftrightarrow& \reason{\Gjudge{\lam{y\ty\rho}{(\subst{e'}vx)}}{\rho\to\tau}}{typing rule for abstractions}\\
&\Leftrightarrow& \reason{\Gjudge{\subst{(\lam{y\ty\rho}{e'})}vx}{\rho\to\tau}}{definition of substitution.}
\)
\end{itemize}

\section{Proof of the Progress Lemma}

To finish the proof of soundness, it remains to prove the progress lemma.  Recall that this lemma states
\(
\judge e\tau\ \wedge\ \Irred e &\Rightarrow& e\in\Set{Val},
\)
or equivalently,
\(
\judge e\tau\ \wedge\ e\notin\Set{Val} &\Rightarrow& \exists e'\ e\to e'.
\)
In other words, we cannot get stuck when evaluating a well-typed expression.

We prove the progress lemma using structural induction on $e$.
Recall the definition of a term in $\lambda^\to$:
\(
e &::=& b \bnf x \bnf \lam{x\ty\tau}e \bnf e_0~e_1,
\)
where $b$ denotes a constant.  This gives four cases:

\begin{itemize}

\item Case $e=b$.

Since $b\in\Set{Val}$, we are done.

\item Case $e=x$.

This case is impossible, because we cannot assign a type to $x$ if the type environment is empty.

\item Case $e=\lam{x\ty\sigma}{e'}$.

Since $e\in\Set{Val}$, we are done.

\item Case $e=e_0\,e_1$.

We know that there is a type derivation of $\Gjudge{e_0\,e_1}\tau$, and the last step of this derivation must have the form
\[
\infer{\Gjudge{e_0\,e_1}\tau}{\Gjudge{e_0}{\sigma\to\tau} & \Gjudge{e_1}\sigma}
\]
for some type $\sigma$.  By the induction hypothesis, either $e_0\in\Set{Val}$ or $\exists e_0'\ e_0\to e_0'$, and either $e_1\in\Set{Val}$ or $\exists e_1'\ e_1\to e_1'$.  This gives three possibilities:
\begin{itemize}
\item
Both $e_0$ and $e_1$ are values.  Since $e_0$ is a value with an arrow type $\sigma\to\tau$, it has to be an abstraction, say $e_0=\lam{x\ty\sigma}{e''}$, and $e_1$ is some value $v$ of type $\sigma$.  Then 
\(
e &=& (\lam{x\ty\sigma}{e''})~v\ \ \to\ \ \subst{e''}vx,
\)
so $e$ can be further reduced.

\item $e_0$ is not a value. 
Then $\exists e_0'\ e_0\to e_0'$, and we have
\[
\infer{e_0\,e_1\to e_0'\,e_1}{e_0\to e_0'},
\]
so $e=e_0\,e_1$ can be further reduced.

\item $e_0$ is some value $v$, but $e_1$ is not a value.
Then $\exists e_1'\ e_1\to e_1'$, and we have
\[
\infer{v\,e_1\to v\,e_1'}{e_1\to e_1'},
\]
so $e=v\,e_1$ can be further reduced.
\end{itemize}
\end{itemize}
This completes the proof.
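The substitution, preservation and progress lemmas proved above can all be observed on concrete terms with the following small type checker and evaluator for $\lambda^\to$.  This is an added example written for these notes, not code from the lecture: the term representation, the names \texttt{typeof}, \texttt{subst}, \texttt{step}, \texttt{evaluate}, \texttt{is\_stuck} and \texttt{substitution\_lemma\_holds}, the restriction of base types to integers and booleans, and the sample terms are all our own choices.  \texttt{evaluate} re-checks the type after every reduction step (preservation) and asserts that the irreducible term it reaches is a value (progress); \texttt{substitution\_lemma\_holds} compares the two sides of the substitution lemma, treating ``no type'' as a value so that the double implication is checked in both directions.  From a security standpoint this is exactly what a sound type system buys: a term the checker accepts never reaches a stuck state, i.e.\ never attempts an operation such as applying a constant that the semantics leaves undefined.

```python
from dataclasses import dataclass
from typing import Any, Optional

# Types: base types are the strings "int" and "bool"; the arrow type
# sigma -> tau is the tuple ("->", sigma, tau).  (Our own encoding.)
Int, Bool = "int", "bool"

def Arrow(sigma: Any, tau: Any) -> tuple:
    return ("->", sigma, tau)

# Terms of lambda-arrow:  e ::= b | x | lambda x:tau. e | e0 e1
@dataclass(frozen=True)
class Const:      # b: an integer or boolean constant
    value: Any

@dataclass(frozen=True)
class Var:        # x
    name: str

@dataclass(frozen=True)
class Lam:        # lambda x:ty. body
    x: str
    ty: Any
    body: Any

@dataclass(frozen=True)
class App:        # fn arg
    fn: Any
    arg: Any

class IllTyped(Exception):
    """Raised when no typing derivation exists."""

def typeof(e: Any, env: Optional[dict] = None) -> Any:
    """The judgment Gamma |- e : tau, with Gamma given as a dict."""
    env = {} if env is None else env
    if isinstance(e, Const):
        return Bool if isinstance(e.value, bool) else Int
    if isinstance(e, Var):
        if e.name not in env:
            raise IllTyped(f"unbound variable {e.name}")
        return env[e.name]
    if isinstance(e, Lam):
        return Arrow(e.ty, typeof(e.body, {**env, e.x: e.ty}))
    if isinstance(e, App):
        f, a = typeof(e.fn, env), typeof(e.arg, env)
        if not (isinstance(f, tuple) and f[0] == "->" and f[1] == a):
            raise IllTyped(f"cannot apply {f} to {a}")
        return f[2]
    raise IllTyped(f"not a term: {e!r}")

def is_value(e: Any) -> bool:
    return isinstance(e, (Const, Lam))

def subst(e: Any, v: Any, x: str) -> Any:
    """e[v/x] for a closed value v; closedness rules out variable capture."""
    if isinstance(e, Const):
        return e
    if isinstance(e, Var):
        return v if e.name == x else e
    if isinstance(e, Lam):   # a binder for x shadows it (Case 1 of the lemma)
        return e if e.x == x else Lam(e.x, e.ty, subst(e.body, v, x))
    return App(subst(e.fn, v, x), subst(e.arg, v, x))

def step(e: Any) -> Optional[Any]:
    """One step under rules (L), (R), (beta); None when e is irreducible."""
    if isinstance(e, App):
        if not is_value(e.fn):                 # (L): reduce the function part
            f = step(e.fn)
            return None if f is None else App(f, e.arg)
        if not is_value(e.arg):                # (R): reduce the argument
            a = step(e.arg)
            return None if a is None else App(e.fn, a)
        if isinstance(e.fn, Lam):              # (beta): substitute the value
            return subst(e.fn.body, e.arg, e.fn.x)
    return None                                # constants, variables, lambdas

def is_stuck(e: Any) -> bool:
    """Irreducible but not a value: exactly what soundness rules out."""
    return step(e) is None and not is_value(e)

def evaluate(e: Any) -> tuple:
    """Reduce a closed, well-typed term to a value, checking type
    preservation after each step and progress at the end."""
    tau = typeof(e)
    while (e2 := step(e)) is not None:
        assert typeof(e2) == tau, "type preservation violated"
        e = e2
    assert is_value(e), "progress violated: reached a stuck term"
    return e, tau

def substitution_lemma_holds(env: dict, x: str, sigma: Any, v: Any, e: Any) -> bool:
    """Gamma, x:sigma |- e : tau  <=>  Gamma |- e[v/x] : tau, for closed v
    with |- v : sigma; 'no type' (None) must agree on both sides as well."""
    assert typeof(v) == sigma
    def ty(term, gamma):
        try:
            return typeof(term, gamma)
        except IllTyped:
            return None
    return ty(e, {**env, x: sigma}) == ty(subst(e, v, x), env)

# Constructed sample terms.
# (lambda f:int->int. lambda y:int. f y) (lambda z:int. z) 5  -->*  5
WELL_TYPED = App(
    App(Lam("f", Arrow(Int, Int), Lam("y", Int, App(Var("f"), Var("y")))),
        Lam("z", Int, Var("z"))),
    Const(5))
ILL_TYPED = App(Const(3), Const(True))   # "3 true": rejected, and stuck
```

Running \texttt{evaluate(WELL\_TYPED)} steps through the (L), ($\beta$), ($\beta$) reductions and returns the value \texttt{Const(5)} with type \texttt{"int"}; \texttt{ILL\_TYPED} is refused by \texttt{typeof} and, as the progress lemma predicts for the terms it excludes, \texttt{is\_stuck} reports it as irreducible without being a value.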


\end{document}
