feat: StrongNormalizationUntypedAndStlc (#411)

WegmannDavid · chenson2018 · web-flow · commit b39710e78e7c · 2026-03-15T01:03:22.000Z
This pull request adds general strong normalization lemmas and strong
normalization via saturated sets for locally nameless stlc.

---------

Co-authored-by: Chris Henson &lt;chrishenson.net@gmail.com&gt;
diff --git a/Cslib.lean b/Cslib.lean
@@ -89,6 +89,7 @@ public import Cslib.Languages.LambdaCalculus.LocallyNameless.Fsub.Typing
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Fsub.WellFormed
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Stlc.Basic
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Stlc.Safety
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Stlc.StrongNorm
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.Basic
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.FullBeta
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.FullBetaConfluence
@@ -98,6 +99,7 @@ public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.LcAt
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.MultiApp
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.MultiSubst
 public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.Properties
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.StrongNorm
 public import Cslib.Languages.LambdaCalculus.Named.Untyped.Basic
 public import Cslib.Logics.HML.Basic
 public import Cslib.Logics.HML.LogicalEquivalence
diff --git a/Cslib/Languages/LambdaCalculus/LocallyNameless/Stlc/StrongNorm.lean b/Cslib/Languages/LambdaCalculus/LocallyNameless/Stlc/StrongNorm.lean
@@ -0,0 +1,124 @@
+/-
+Copyright (c) 2025 David Wegmann. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: David Wegmann
+-/
+
+module
+
+public import Cslib.Foundations.Data.HasFresh
+public import Cslib.Foundations.Data.Relation
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Stlc.Basic
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.FullBeta
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.StrongNorm
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.LcAt
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.MultiSubst
+
+@[expose] public section
+
+set_option linter.unusedDecidableInType false
+
+namespace Cslib
+
+universe u v
+
+namespace LambdaCalculus.LocallyNameless.Stlc
+
+open Untyped Typing LambdaCalculus.LocallyNameless.Untyped.Term
+
+variable {Var : Type u} {Base : Type v} [DecidableEq Var] [HasFresh Var]
+
+open LambdaCalculus.LocallyNameless.Stlc
+open scoped Term
+
+/-- A set of terms is called saturated if it
+
+    1. only contains locally closed terms,
+    2. only contains strongly normalizing terms,
+    3. contains all neutral locally closed terms, and
+    4. is closed under top-level β-reduction of the form (λ M) N P₁ … Pₙ → M ^ N P₁ … Pₙ.
+-/
+@[scoped grind]
+structure Saturated (S : Set (Term Var)) : Prop where
+  lc : ∀ M ∈ S, LC M
+  sn : ∀ M ∈ S, SN M
+  neutal_lc : ∀ M, Neutral M → LC M → M ∈ S
+  multiApp : ∀ M N P, LC N → SN N → multiApp (M ^ N) P ∈ S → multiApp (M.abs.app N) P ∈ S
+
+/-- The semantic map maps each type to a corresponding saturated set of terms.
+    For the strong normalization proof to work, we must ensure that
+    Γ ⊢ t ∶ τ implies that t is in the set of terms corresponding to τ.
+
+    Strong normalization later follows from the fact that terms in saturated
+    sets are strongly normalizing.
+-/
+@[simp, scoped grind =]
+def semanticMap : Ty Base → Set (Term Var)
+  | .base _ => { t | SN t ∧ LC t }
+  | .arrow τ₁ τ₂ => { t | ∀ s, s ∈ semanticMap τ₁ → app t s ∈ semanticMap τ₂ }
+
+/-- The sets constructed by semanticMap are saturated -/
+lemma semanticMap_saturated (τ : Ty Base) : @Saturated Var (semanticMap τ) := by
+  induction τ with
+  | base => grind [sn_abs_app_multiApp, sn_neutral, open_abs_lc]
+  | arrow τ₁ τ₂ ih₁ ih₂ =>
+    constructor
+    · grind [ih₁.neutal_lc (fvar <| fresh {}) (.fvar <| fresh {}) (.fvar <| fresh {}), cases LC]
+    · grind [sn_app_left (Var := Var) (N := fvar <| fresh {})]
+    · grind
+    · intro M N P _ _ _ s _
+      grind [ih₂.multiApp M N (s :: P)]
+
+/-- The `entails_context` predicate ensures that each variable in the context
+    is mapped to a term in the corresponding semantic map. -/
+abbrev entails_context (E : Term.Env Var) (Γ : Context Var (Ty Base)) :=
+  ∀ {x τ}, ⟨x, τ⟩ ∈ Γ → (multiSubst E (fvar x)) ∈ semanticMap τ
+
+/-- The empty context is entailed by any environment. -/
+lemma entails_context_empty {Γ : Context Var (Ty Base)} : entails_context [] Γ := by
+  have := semanticMap_saturated (Var := Var) (Base := Base)
+  grind
+
+open scoped Context in
+omit [HasFresh Var] in
+/-- The `entails_context` predicate is preserved when extending the context
+    with a new variable, provided the new variable is fresh and its
+    substitution is in the corresponding semantic map. -/
+lemma entails_context_cons (E : Term.Env Var) (Γ : Context Var (Ty Base))
+    (x : Var) (τ : Ty Base) (sub : Term Var)
+    (h_fresh : x ∉ E.dom ∪ E.fv ∪ Γ.dom)
+    (h_mem : sub ∈ semanticMap τ) :
+    entails_context E Γ → entails_context (⟨ x, sub ⟩ :: E) (⟨ x, τ ⟩ :: Γ) := by
+  grind [multiSubst_fvar_fresh, subst_fresh, multiSubst_preserves_not_fvar]
+
+/-- The `entails` predicate states that a term `t` is
+    semantically valid with respect to a context `Γ` and a type `τ` -/
+abbrev entails (Γ : Context Var (Ty Base)) (t : Term Var) (τ : Ty Base) :=
+    ∀ E, env_LC E → (entails_context E Γ) → (multiSubst E t) ∈ semanticMap τ
+
+/-- The `soundness` lemma states that if a term `t` has type `τ` in context `Γ`,
+    then `t` is semantically valid with respect to `Γ` and `τ` -/
+lemma soundness {Γ : Context Var (Ty Base)} (derivation_t : Γ ⊢ t ∶ τ) : entails Γ t τ := by
+  induction derivation_t with
+  | var Γ xσ_mem_Γ => grind
+  | @abs σ Γ t τ L HL IH =>
+    intro E _ _ s
+    have sat_semMap_σ := semanticMap_saturated (Var := Var) σ
+    have sat_semMap_τ := semanticMap_saturated (Var := Var) τ
+    have := sat_semMap_τ.multiApp (multiSubst E t) s []
+    let := multiSubst E t
+    have ⟨x, _⟩ := fresh_exists <| E.dom ∪ free_union [fv, Context.dom, Env.fv] Var
+    have := IH (x := x) (E := ⟨x,s⟩ :: E)
+    grind [multiSubst_abs, entails_context_cons, multiSubst_open_var]
+  | app => grind [multiSubst_app]
+
+/-- Using soundness and the fact that the empty context
+    is entailed by any environment, we can conclude that
+    a well-typed term is strongly normalizing. -/
+theorem strong_norm {t : Term Var} {τ : Ty Base} (der : Γ ⊢ t ∶ τ) : SN t := by
+  apply (semanticMap_saturated τ).sn
+  apply (soundness der [] (by grind) entails_context_empty)
+
+end LambdaCalculus.LocallyNameless.Stlc
+
+end Cslib
diff --git a/Cslib/Languages/LambdaCalculus/LocallyNameless/Untyped/StrongNorm.lean b/Cslib/Languages/LambdaCalculus/LocallyNameless/Untyped/StrongNorm.lean
@@ -0,0 +1,153 @@
+/-
+Copyright (c) 2025 David Wegmann. All rights reserved.
+Released under Apache 2.0 license as described in the file LICENSE.
+Authors: David Wegmann
+-/
+
+module
+
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.FullBeta
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.MultiApp
+public import Cslib.Languages.LambdaCalculus.LocallyNameless.Untyped.LcAt
+
+@[expose] public section
+
+set_option linter.unusedDecidableInType false
+
+namespace Cslib
+
+universe u
+
+namespace LambdaCalculus.LocallyNameless.Untyped.Term
+
+variable {Var : Type u} {t t' : Term Var}
+
+open FullBeta
+
+attribute [grind =] Finset.union_singleton
+
+/-- A term is strongly normalizing if every reduction sequence terminates at some point.
+    This is ensured by the following type as inductive data must always be finite. -/
+inductive SN {α} : Term α → Prop
+| sn t : (∀ t', t ⭢βᶠ t' → SN t') → SN t
+
+attribute [scoped grind .] SN.sn
+
+/-- A single β-reduction step preserves strong normalization. -/
+lemma sn_step (t_st_t' : t ⭢βᶠ t') (sn_t : SN t) : SN t' := by
+  grind [cases SN]
+
+/-- Multiple β-reduction steps also preserve strong normalization. -/
+lemma sn_steps (t_st_t' : t ↠βᶠ t') (sn_t : SN t) : SN t' := by
+  induction t_st_t' with grind [sn_step]
+
+/-- Free variables are strongly normalizing. -/
+lemma sn_fvar {x : Var} : SN (fvar x) := by
+  grind [cases FullBeta]
+
+/-- An application is strongly normalizing if the left and right terms are strongly normalizing,
+    as well as all possible future top level abstraction application beta reductions -/
+lemma sn_app (t s : Term Var) (sn_t : SN t) (sn_s : SN s)
+    (hβ : ∀ {t' s' : Term Var}, t ↠βᶠ t'.abs → s ↠βᶠ s' → SN (t' ^ s')) : SN (t.app s) := by
+  induction sn_t generalizing s with
+  | sn t ht ih_t =>
+    induction sn_s with
+    | sn s hs ih_s =>
+      constructor
+      intro u hstep
+      cases hstep with
+      | beta _ _       => grind
+      | appL _ h_s_red => apply ih_s _ h_s_red
+                          grind [Relation.ReflTransGen.head]
+      | appR _ h_t_red => apply ih_t _ h_t_red _ (SN.sn s hs)
+                          grind [Relation.ReflTransGen.head]
+
+/-- The left side of a strongly normalizing application is strongly normalizing. -/
+lemma sn_app_left (M N : Term Var) (lc_N : Term.LC N) (sn_MN : SN (M.app N)) :
+    SN M := by
+  generalize Heq : M.app N = P
+  rw [Heq] at sn_MN
+  induction sn_MN generalizing M N with grind
+
+/-- The right side of a strongly normalizing application is strongly normalizing. -/
+lemma sn_app_right (M N : Term Var) (lc_N : Term.LC M) (sn_MN : SN (M.app N)) :
+    SN N := by
+  generalize Heq : M.app N = P
+  rw [Heq] at sn_MN
+  induction sn_MN generalizing M N with grind
+
+/-- A neutral term is a term of the form v t₁ … t_n where
+    v is a variable and t₁ … t_n are strongly normalizing terms. -/
+@[scoped grind]
+inductive Neutral : Term Var → Prop
+/-- Just a bound variable is neutral. -/
+| bvar : ∀ n, Neutral (bvar n)
+/-- Just a free variable is neutral. -/
+| fvar : ∀ x, Neutral (fvar x)
+/-- Applying a strongly normalizing term to a neutral term yields a neutral term. -/
+| app : ∀ t1 t2, Neutral t1 → SN t2 → Neutral (app t1 t2)
+
+--attribute [scoped grind .] Neutral.bvar Neutral.fvar Neutral.app
+
+/-- Neutral terms only reduce to other neutral terms in a single step -/
+lemma neutral_step (Hneut : Neutral t) (Hstep : t ⭢βᶠ t') : Neutral t' := by
+  induction Hneut generalizing t' with grind [cases FullBeta, sn_step]
+
+/-- Neutral terms only reduce to other neutral terms in multiple steps -/
+lemma neutral_steps (Hneut : Neutral t) (Hsteps : t ↠βᶠ t') : Neutral t' := by
+  induction Hsteps <;> grind [neutral_step]
+
+/-- Neutral terms are strongly normalizing. -/
+lemma sn_neutral (Hneut : Neutral t) : SN t := by
+  induction Hneut with
+  | app => grind [→ neutral_steps, sn_app]
+  | _ => grind [cases FullBeta]
+
+/-- A lambda abstraction is strongly normalizing if its body is strongly normalizing. -/
+lemma sn_abs [DecidableEq Var] [HasFresh Var] {M N : Term Var} (sn_MN : SN (M ^ N)) (lc_N : LC N) :
+    SN (abs M) := by
+  generalize h : (M ^ N) = M_open at sn_MN
+  induction sn_MN generalizing M N with
+  | sn =>
+    constructor
+    intro _ h_step
+    cases h_step with | abs _ H => grind [step_open_cong_l _ _ _ _ H]
+
+/-- A term of the form λ M N P_1 … P_n is strongly normalizing if
+      1. N is strongly normalizing,
+      1. M ^ N P₁ … Pₙ is strongly normalizing,
+      1. N is locally closed,
+      1. M ^ N P₁ … Pₙ is locally closed -/
+lemma sn_abs_app_multiApp [DecidableEq Var] [HasFresh Var] {Ps} {M N : Term Var}
+    (sn_N : SN N) (sn_MNPs : SN (multiApp (M ^ N) Ps))
+    (lc_N : LC N) (lc_MNPs : LC (multiApp (M ^ N) Ps)) : SN (multiApp (M.abs.app N) Ps) := by
+  induction Ps with
+  | nil =>
+    apply sn_app
+    · grind [sn_abs]
+    · exact sn_N
+    · grind [→ steps_open_cong_abs, open_abs_lc, sn_steps]
+  | cons P Ps ih =>
+    apply sn_app
+    · cases lc_MNPs with grind [sn_app_left]
+    · grind [sn_app_right]
+    · intro Q' P' hstep1 hstep2
+      have ⟨M', N', Ps', h_M_red, h_N_red, h_Ps_red, h_cases⟩ := invert_abs_multiApp_mst hstep1
+      rcases h_cases with h_P | ⟨h_st1, h_st2⟩
+      · cases Ps' with grind
+      · have innerSteps : (M ^ N).multiApp Ps ↠βᶠ (M' ^ N').multiApp Ps' := by
+          trans
+          · exact steps_multiApp_r h_Ps_red (by grind)
+          · apply steps_multiApp_l
+            · apply steps_open_cong_abs M M' N N' <;> grind [open_abs_lc]
+            · grind [multiApp_steps_lc]
+        apply sn_steps
+        · calc ((M ^ N).multiApp Ps).app P
+            _ ↠βᶠ ((M ^ N).multiApp Ps).app P' := by grind
+            _ ↠βᶠ Q'.abs.app P' := redex_app_l_cong (.trans innerSteps h_st2) (by grind)
+            _ ↠βᶠ Q' ^ P' := by grind [beta]
+        · grind
+
+end LambdaCalculus.LocallyNameless.Untyped.Term
+
+end Cslib
