Lemma (From the execution tree to the proof tree)

If ∫_AΣ,ε⊃t≤s (see 4.2.3) and its execution tree has the one-expansion property, then ∫_RΣ⊃Ü_t,εá≤Ü_s,εá_.

Proof

We proceed by induction on the depth k of the successful execution tree of an initial goal

Σ,ε⊃t≤s (see 4.2). Depth is measured by the number of adjacent pairs of nodes (µ_A)-(→_A) in the longest branch from the root. In the inductive case, each subgoal is converted into an initial goal of the same depth, in order to apply the induction hypothesis.

Case k=0.

The tree consists of a (µ_A) root (since the goal is initial) and a single leaf which is either (assmp_A), (®_{A), (}©_{A), or (varA). Then after the application of the (}µ_{A) rule, with s,t}Ï_Dom(ε_{), we}

are in a terminal case Σ∪{t≤s},ε⊃ε(t)≤ε(s).

Subcase (assmp_A). Σ∪{t≤s},ε⊃ a≤b, where ε(t)=a, ε(s)=b, and a≤b∈Σ. Then a,bÌDom(ε) (by definition of Tenv), and Üt,εá=µt.a=a, Üs,εá=µs.b=b. By (assmp_R), a≤b∈Σ⇒∫_RΣ⊃ _a≤_b.

Conclude by (eq_R): ∫_RΣ⊃µt.a≤a, ∫_RΣ⊃ b≤µs.b, and (trans_R).

Subcase (®_A). Σ∪_{t≤_s},ε⊃®≤ε_{(s), where} ε_(t)=®_.

Subcase (©_{A). Similar.}

Subcase (var_A). Σ∪{t≤s},ε⊃ a≤a, where ε(t)=ε(s)=a and aÌDom(ε). Then Ü_t,εá₌µ_t.a=a=µ_s.a=Ü_s,εá_{. We can apply (eqR):} Σ⊃ _a≤_a,

then conclude with (eq_R) and (trans_R).

Case k>0.

The tree has a (µ_A) root with a (→_A) child, hence ε(t)=t₁→t₂, ε(s)=s₁→s₂, where by definition of Tenv t₁,t₂,s₁,s₂Ï_Dom(ε_):

Σ∪{t≤s},ε⊃ s₁≤t₁, Σ∪{t≤s},ε⊃ t₂≤s₂

⇒ Σ∪{t≤s},ε⊃ t₁→t₂ ≤ s₁→s₂

⇒ Σ,ε⊃ t≤s

We initially focus on one of the subgoals of depth k-1: (A) Σ∪{t≤s},ε⊃t₂≤s₂

Let us consider the following goal (B), which we intend to subject, instead of (A), to the induction hypothesis:

(B) Σ∪{t≤s}, ε'⊃σ(t₂)≤σ(s₂)

where σ@[t'/t, s'/s] is a substitution with fresh variables t' and s', and ε'@ σ(ε\t\s)∪{t'=t, s'=s}. First we show that the goal (B) is initial. Since ∫_AΣ_,ε⊃_t≤_{s is initial we have:}

Vars(Σ)∩Dom(ε)=

ε=ε₁∪ε₂ with Dom(ε₁)∩Dom(ε₂)=_{, such that t}Ï_Dom(ε_{1), s}Ï_Dom(ε₂₎

Hence we also have:

t₁,t₂Ï_Dom(ε_{1) (only); s1,s2}Ï_Dom(ε_{2) (only)}

ε'=ε'₁∪ε'₂ where ε'₁@σ(ε₁\t)∪{t'=t}, ε'₂@σ(ε₂\s)∪{s'=s} From which we conclude:

Vars(Σ∪{t≤s})∩Dom(ε')=

Dom(ε'₁)∩Dom(ε'₂)= σ(t₂)ÏDom(ε'₁), because:

if t₂7_{t then} σ_(t2)7_{t' and t'}Ï_Dom(ε_{'1); (t2}7_{s is not possible)}

if t₂?t then σ(t₂)7t₂; since t₂ÏDom(ε₁), we have σ(t₂)ÏDom(ε'₁)

σ(s₂)Ï_Dom(ε_{'2), similarly.}

Second, let Tree(A) be the execution subtree of root (A), and Tree(B) be the execution tree of root (B). We show, by induction on the length of the longest path in Tree(A), that we can build a tree T such that: (1) T has the same depth as Tree(A); (2) T succeeds; (3) T expands the same variables as Tree(A) in (µ_A) nodes, with the exception of t',s'; (4) T has the one-expansion property; and (5) T = Tree(B). (Hence, we also have ∫_A (B).)

We proceed by induction on each subgoal A = Σ∪{t≤s},ε⊃α≤β of Tree(A), for which we build a subtree T of the shape Σ∪{t≤s},ε'⊃σ(α)≤σ(β).

For the case (assmp_A) we have Σ∪{t≤s},ε⊃t≤s with t≤sÏΣ∪_{t≤_{s}. By the properties of one-}

expansion noted in 5.4, we only need to consider the cases when either t7t and s7s, or t,s,t,s are pairwise distinct.

If t7_{t, s}7_{s then Tree(A) is} Σ∪_{t≤_s},ε⊃_t≤_{s, and T is taken to be} Σ∪_{t≤_s,t'≤_s'},ε_'⊃_t≤_s ⇒ Σ∪{t≤s},ε'⊃t'≤s', which is successful by (assmp_A) and (µ_A), and has one-expansion. This T is longer but it still has depth 0.

If t,t,s,s are pairwise distinct then Tree(A) is Σ∪{t≤s,t≤s},ε⊃t≤s, and T is taken to be

Σ∪{t≤s,t≤s},ε'⊃t≤s which is successful by (assmp_A), has one-expansion, and has depth 0.

For the case (µ_A) we must have, by one-expansion, t,t,s,s pairwise distinct. Then Tree(A) has the shape:

Σ∪{t≤s,t≤s}, ε⊃ε(t)≤ε(s) ⇒Σ∪{t≤s},ε⊃t≤s with t,sÏDom(ε).

Now σ(t)7_t, σ_(s)7_{s, and since t,s}Ï_Dom(ε_{') we have} ε_'(t)=σ₍ε_(t)), ε_'(s)=σ₍ε_{(s)). The tree T is then}

chosen with the shape:

Σ∪{t≤s,t≤s}, ε' ⊃σ(ε(t))≤σ(ε(s)) ⇒Σ∪{t≤s}, ε'⊃ t≤s

hence preserving success and depth by (µ_A) and the induction hypothesis. One-expansion is preserved because, by induction hypothesis, T expands the same variables in (µ_A) node as Tree(A), which has one-expansion; except that t',s' are expanded in the (assmp_A) case, but in the present situation t,s,t',s' are distinct.

The other cases do not pose difficulties. One-expansion for the (→_A) case follows from one- expansion of the two branches, since one-expansion is defined path-wise.

Hence we can apply the induction hypothesis to (B), obtaining:

∫_RΣ∪_{t≤_s} ⊃Üσ_t2,ε_'á≤Üσ_s2,ε_'á

Then, by the equivalences Üσt₂,ε'á=_RÜt₂,ε\tá, Üσs₂,ε'á=_RÜs₂,ε\sá, and (eq_R), (trans_R):

∫_RΣ∪_{t≤_s} ⊃Ü_t2,ε_\tá≤Ü_s2,ε_\sá

By a similar argument on Σ∪{t≤s},ε⊃s₁≤t₁ we obtain:

∫_RΣ∪_{t≤_s} ⊃Ü_s1,ε_\sá≤Ü_t1,ε_\tá Finally: ⇒Σ∪{t≤s} ⊃Ü_t1,ε_\tá→Ü_t2,ε_\tá≤Ü_s1,ε_\sá→Ü_s2,ε_\sá ₍→_R) ⇔Σ∪{t≤s} ⊃Üε(t),ε\tá ≤Üε(s),ε\sá ⇒Σ⊃µt.Üε_(t),ε_\tá≤µ_s.Üε_(s),ε_\sá ₍µ_R) ⇔Σ ⊃Üt,εá≤Üs,εá M 5.4.4 Example

We describe how to associate a proof tree to the execution tree with one expansion property built in 5.4.2, by repeatedly applying the inductive proof just presented. For convenience we rewrite here the execution tree:

(©_{A) (assmpA)} ⇒ {r₁≤u₁,r₃≤u₃},θ⊃u₆≤r₆ ⇒ {r₁≤u₁,r₃≤u₃},θ⊃r₃≤u₃ (®_A) ⇒ _{r1≤_u1,r3≤_u3},θ⊃_r6→_r3≤_u6→_u3 ⇒ {r₁≤u₁},θ⊃u₄≤r₄ ⇒ {r₁≤u₁},θ⊃r₃≤u₃ ⇒ {r₁≤u₁},θ⊃r₄→r₃≤u₄→u₃ ⇒ ,θ⊃r₁≤u₁ where θ = θ₁∪θ₂, with:

θ₁ = {r₁=r₄→r₃, r₄=©_{, r3=r6}→_{r3, r6=}©_},

θ₂ = {u₁=u₄→u₃, u₄=®, u₃=u₆→u₃, u₆=u₆→u₆}

Proceeding from the root we first fall on an inductive case. Hence we reapply the procedure to the modified subgoals:

{r₁≤u₁},θ'⊃u₄≤r₄ {r₁≤u₁},θ'⊃r₃≤u₃ where: θ' = θ'₁∪θ'₂, σ = [r'/r₁, u'/u₁],

θ'₁ = σ(θ₁\r₁) ∪ {r'=r₁} = {r₄=©_{, r3=r6}→_{r3, r6=}©_{, r'=r1},}

θ'₂ = σ(θ₂\u₁) ∪ {u'=u₁} = {u₄=®, u₃=u₆→u₃, u₆=u₆→u₆, u'=u₁}.

The first modified subgoal, {r₁≤u₁},θ'⊃u₄≤r₄, leads to a subcase (®_{A). Hence we have:} ∫_R {r₁≤u₁} ⊃ <u₄,θ'> ≤ <r₄,θ'>, <u₄,θ'> = ®, <r₄,θ'> = © (a)

The second modified subgoal, {r₁≤u₁},θ'⊃r₃≤u₃, leads again to an inductive case. Hence we generate two new modified subgoals:

{r₁≤u₁,r₃≤u₃},θ"⊃u₆≤r₆ {r₁≤u₁,r₃≤u₃},θ"⊃r₃≤u₃ where: θ" = θ"₁∪θ"₂, σ = [r"/r₃, u"/u₃],

θ"₁ = σ(θ'₁\r₃) ∪ {r"=r₃} = {r₄=©_{, r6=}©_{, r'=r1, r"=r3},}

θ"₂ = σ(θ'₂\u₃) ∪ {u"=u₃} = {u₄=®, u₆=u₆→u₆, u'=u₁, u"=u₃} .

The first modified subgoal, {r₁≤u₁,r₃≤u₃},θ"⊃u₆≤r₆, leads to a subcase (©_{A). Hence we have:} ∫_R {r₁≤u₁,r₃≤u₃} ⊃ <u₆,θ"> ≤ <r₆,θ">, (b)

<u₆,θ"> = µu₆.u₆→u₆, <r₆,θ"> = ©

The second modified subgoal, {r₁≤u₁,r₃≤u₃},θ"⊃r₃≤u₃, leads to a subcase (assmp_A). Hence we have:

∫_R {r₁≤u₁,r₃≤u₃} ⊃ <r₃,θ"> ≤ <u₃,θ">, (c) <r₃,θ"> = r₃, <u₃,θ"> = u₃

We can now build the proof tree, bottom up, using the proofs (a), (b), (c) as leaves: {r₁≤u₁,r₃≤u₃} ⊃µu₆.u₆→u₆≤© _{r1≤_u1,r3≤_u3} ⊃ _r3≤ _u3

{r₁≤u₁,r₃≤u₃} ⊃©→r₃≤ (µu₆.u₆→u₆)→u₃ {r₁≤u₁} ⊃®≤© _{r1≤_u1} ⊃µ_r3.(©→_r3) ≤µ_u3.((µ_u6.u6→_u6)→_u3)

{r₁≤u₁} ⊃ (©→µr₃.(©→r₃)) ≤ (®→µu₃.((µu₆.u₆→u₆)→u₃))

⊃µ_r1.(©→µ_r3.(©→_r3)) ≤µ_u1.(®→µ_u3.((µ_u6.u6→_u6)→_u3))

It just remains to observe the following equivalences to get back to the types we started with in 5.4.2:

µr₁.(©→µr₃.(©→r₃)) =_R©→µr₃.(©→r₃) =_Rµr₃.(©→r₃), and

µu₁.(®→µ_u3.((µ_u6.u6→_u6)→_{u3)) =R}®→µ_u3.((µ_u6.u6→_u6)→_{u3) =R}

5.4.5 Theorem (Completeness of the subtyping rules)