Theory POPLmark

(*  Title:      POPLmark/POPLmark.thy
    Author:     Stefan Berghofer, TU Muenchen, 2005
*)

theory POPLmark
imports Basis
begin


section ‹Formalization of the basic calculus›

text ‹
\label{sec:basic-calculus}
In this section, we describe the formalization of the basic calculus
without records. As a main result, we prove {\it type safety}, presented
as two separate theorems, namely {\it preservation} and {\it progress}.
›


subsection ‹Types and Terms›

text ‹
The types of System \fsub{} are represented by the following datatype:
›

datatype type =
    TVar nat
  | Top
  | Fun type type    (infixr "→" 200)
  | TyAll type type  ("(3∀<:_./ _)" [0, 10] 10)

text ‹
The subtyping and typing judgements depend on a {\it context} (or environment) @{term Γ}
containing bindings for term and type variables. A context is a list of bindings,
where the @{term i}th element @{term "Γ⟨i⟩"} corresponds to the variable
with index @{term i}.
›

datatype binding = VarB type | TVarB type
type_synonym env = "binding list"

text ‹
In contrast to the usual presentation of type systems often found in textbooks, new
elements are added to the left of a context using the ‹Cons› operator ‹∷› for lists.
We write @{term is_TVarB} for the predicate that returns @{term True} when applied to
a type variable binding, function @{term type_ofB} extracts the type contained in a binding,
and @{term "mapB f"} applies @{term f} to the type contained in a binding.
›

primrec is_TVarB :: "binding ⇒ bool"
where
  "is_TVarB (VarB T) = False"
| "is_TVarB (TVarB T) = True"

primrec type_ofB :: "binding ⇒ type"
where
  "type_ofB (VarB T) = T"
| "type_ofB (TVarB T) = T"

primrec mapB :: "(type ⇒ type) ⇒ binding ⇒ binding"
where
  "mapB f (VarB T) = VarB (f T)"
| "mapB f (TVarB T) = TVarB (f T)"

text ‹
The following datatype represents the terms of System \fsub{}:
›

datatype trm =
    Var nat
  | Abs type trm   ("(3λ:_./ _)" [0, 10] 10)
  | TAbs type trm  ("(3λ<:_./ _)" [0, 10] 10)
  | App trm trm    (infixl "∙" 200)
  | TApp trm type  (infixl "∙⇩τ" 200)


subsection ‹Lifting and Substitution›

text ‹
One of the central operations of $\lambda$-calculus is {\it substitution}.
In order to avoid that free variables in a term or type get ``captured''
when substituting it for a variable occurring in the scope of a binder,
we have to increment the indices of its free variables during substitution.
This is done by the lifting functions ‹↑⇩τ n k› and ‹↑ n k›
for types and terms, respectively, which increment the indices of all free
variables with indices ‹≥ k› by @{term n}. The lifting functions on
types and terms are defined by
›

primrec liftT :: "nat ⇒ nat ⇒ type ⇒ type" ("↑⇩τ")
where
  "↑⇩τ n k (TVar i) = (if i < k then TVar i else TVar (i + n))"
| "↑⇩τ n k Top = Top"
| "↑⇩τ n k (T → U) = ↑⇩τ n k T → ↑⇩τ n k U"
| "↑⇩τ n k (∀<:T. U) = (∀<:↑⇩τ n k T. ↑⇩τ n (k + 1) U)"

primrec lift :: "nat ⇒ nat ⇒ trm ⇒ trm" ("↑")
where
  "↑ n k (Var i) = (if i < k then Var i else Var (i + n))"
| "↑ n k (λ:T. t) = (λ:↑⇩τ n k T. ↑ n (k + 1) t)"
| "↑ n k (λ<:T. t) = (λ<:↑⇩τ n k T. ↑ n (k + 1) t)"
| "↑ n k (s ∙ t) = ↑ n k s ∙ ↑ n k t"
| "↑ n k (t ∙⇩τ T) = ↑ n k t ∙⇩τ ↑⇩τ n k T"

text ‹
It is useful to also define an ``unlifting'' function ‹↓⇩τ n k› for
decrementing all free variables with indices ‹≥ k› by @{term n}.
Moreover, we need several substitution functions, denoted by
\mbox{‹T[k ↦⇩τ S]⇩τ›}, \mbox{‹t[k ↦⇩τ S]›}, and \mbox{‹t[k ↦ s]›},
which substitute type variables in types, type variables in terms,
and term variables in terms, respectively. They are defined as follows:
›

primrec substTT :: "type ⇒ nat ⇒ type ⇒ type"  ("_[_ ↦⇩τ _]⇩τ" [300, 0, 0] 300)
where
  "(TVar i)[k ↦⇩τ S]⇩τ =
     (if k < i then TVar (i - 1) else if i = k then ↑⇩τ k 0 S else TVar i)"
| "Top[k ↦⇩τ S]⇩τ = Top"
| "(T → U)[k ↦⇩τ S]⇩τ = T[k ↦⇩τ S]⇩τ → U[k ↦⇩τ S]⇩τ"
| "(∀<:T. U)[k ↦⇩τ S]⇩τ = (∀<:T[k ↦⇩τ S]⇩τ. U[k+1 ↦⇩τ S]⇩τ)"

primrec decT :: "nat ⇒ nat ⇒ type ⇒ type"  ("↓⇩τ")
where
  "↓⇩τ 0 k T = T"
| "↓⇩τ (Suc n) k T = ↓⇩τ n k (T[k ↦⇩τ Top]⇩τ)"

primrec subst :: "trm ⇒ nat ⇒ trm ⇒ trm"  ("_[_ ↦ _]" [300, 0, 0] 300)
where
  "(Var i)[k ↦ s] = (if k < i then Var (i - 1) else if i = k then ↑ k 0 s else Var i)"
| "(t ∙ u)[k ↦ s] = t[k ↦ s] ∙ u[k ↦ s]"
| "(t ∙⇩τ T)[k ↦ s] = t[k ↦ s] ∙⇩τ ↓⇩τ 1 k T"
| "(λ:T. t)[k ↦ s] = (λ:↓⇩τ 1 k T. t[k+1 ↦ s])"
| "(λ<:T. t)[k ↦ s] = (λ<:↓⇩τ 1 k T. t[k+1 ↦ s])"

primrec substT :: "trm ⇒ nat ⇒ type ⇒ trm"    ("_[_ ↦⇩τ _]" [300, 0, 0] 300)
where
  "(Var i)[k ↦⇩τ S] = (if k < i then Var (i - 1) else Var i)"
| "(t ∙ u)[k ↦⇩τ S] = t[k ↦⇩τ S] ∙ u[k ↦⇩τ S]"
| "(t ∙⇩τ T)[k ↦⇩τ S] = t[k ↦⇩τ S] ∙⇩τ T[k ↦⇩τ S]⇩τ"
| "(λ:T. t)[k ↦⇩τ S] = (λ:T[k ↦⇩τ S]⇩τ. t[k+1 ↦⇩τ S])"
| "(λ<:T. t)[k ↦⇩τ S] = (λ<:T[k ↦⇩τ S]⇩τ. t[k+1 ↦⇩τ S])"

text ‹
Lifting and substitution extends to typing contexts as follows:
›

primrec liftE :: "nat ⇒ nat ⇒ env ⇒ env" ("↑⇩e")
where
  "↑⇩e n k [] = []"
| "↑⇩e n k (B ∷ Γ) = mapB (↑⇩τ n (k + ∥Γ∥)) B ∷ ↑⇩e n k Γ"

primrec substE :: "env ⇒ nat ⇒ type ⇒ env"  ("_[_ ↦⇩τ _]⇩e" [300, 0, 0] 300)
where
  "[][k ↦⇩τ T]⇩e = []"
| "(B ∷ Γ)[k ↦⇩τ T]⇩e = mapB (λU. U[k + ∥Γ∥ ↦⇩τ T]⇩τ) B ∷ Γ[k ↦⇩τ T]⇩e"

primrec decE :: "nat ⇒ nat ⇒ env ⇒ env"  ("↓⇩e")
where
  "↓⇩e 0 k Γ = Γ"
| "↓⇩e (Suc n) k Γ = ↓⇩e n k (Γ[k ↦⇩τ Top]⇩e)"

text ‹
Note that in a context of the form @{term "B ∷ Γ"}, all variables in @{term B} with
indices smaller than the length of @{term Γ} refer to entries in @{term Γ} and therefore
must not be affected by substitution and lifting. This is the reason why an
additional offset @{term "∥Γ∥"} needs to be added to the index @{term k}
in the second clauses of the above functions. Some standard properties of lifting
and substitution, which can be proved by structural induction on terms and types,
are proved below. Properties of this kind are
quite standard for encodings using de Bruijn indices and can also be found in
papers by Barras and Werner \<^cite>‹"Barras-Werner-JAR"› and Nipkow \<^cite>‹"Nipkow-JAR01"›.
›

lemma liftE_length [simp]: "∥↑⇩e n k Γ∥ = ∥Γ∥"
  by (induct Γ) simp_all

lemma substE_length [simp]: "∥Γ[k ↦⇩τ U]⇩e∥ = ∥Γ∥"
  by (induct Γ) simp_all

lemma liftE_nth [simp]:
  "(↑⇩e n k Γ)⟨i⟩ = map_option (mapB (↑⇩τ n (k + ∥Γ∥ - i - 1))) (Γ⟨i⟩)"
  apply (induct Γ arbitrary: i)
  apply simp
  apply simp
  apply (case_tac i)
  apply simp
  apply simp
  done

lemma substE_nth [simp]:
  "(Γ[0 ↦⇩τ T]⇩e)⟨i⟩ = map_option (mapB (λU. U[∥Γ∥ - i - 1 ↦⇩τ T]⇩τ)) (Γ⟨i⟩)"
  apply (induct Γ arbitrary: i)
  apply simp
  apply simp
  apply (case_tac i)
  apply simp
  apply simp
  done

lemma liftT_liftT [simp]:
  "i ≤ j ⟹ j ≤ i + m ⟹ ↑⇩τ n j (↑⇩τ m i T) = ↑⇩τ (m + n) i T"
  by (induct T arbitrary: i j m n) simp_all

lemma liftT_liftT' [simp]:
  "i + m ≤ j ⟹ ↑⇩τ n j (↑⇩τ m i T) = ↑⇩τ m i (↑⇩τ n (j - m) T)"
  apply (induct T arbitrary: i j m n)
  apply simp_all
  apply arith
  apply (subgoal_tac "Suc j - m = Suc (j - m)")
  apply simp
  apply arith
  done

lemma lift_size [simp]: "size (↑⇩τ n k T) = size T"
  by (induct T arbitrary: k) simp_all

lemma liftT0 [simp]: "↑⇩τ 0 i T = T"
  by (induct T arbitrary: i) simp_all

lemma lift0 [simp]: "↑ 0 i t = t"
  by (induct t arbitrary: i) simp_all

theorem substT_liftT [simp]:
  "k ≤ k' ⟹ k' < k + n ⟹ (↑⇩τ n k T)[k' ↦⇩τ U]⇩τ = ↑⇩τ (n - 1) k T"
  by (induct T arbitrary: k k') simp_all

theorem liftT_substT [simp]:
  "k ≤ k' ⟹ ↑⇩τ n k (T[k' ↦⇩τ U]⇩τ) = ↑⇩τ n k T[k' + n ↦⇩τ U]⇩τ"
  apply (induct T arbitrary: k k')
  apply simp_all
  done

theorem liftT_substT' [simp]: "k' < k ⟹
  ↑⇩τ n k (T[k' ↦⇩τ U]⇩τ) = ↑⇩τ n (k + 1) T[k' ↦⇩τ ↑⇩τ n (k - k') U]⇩τ"
  apply (induct T arbitrary: k k')
  apply simp_all
  apply arith
  done

lemma liftT_substT_Top [simp]:
  "k ≤ k' ⟹ ↑⇩τ n k' (T[k ↦⇩τ Top]⇩τ) = ↑⇩τ n (Suc k') T[k ↦⇩τ Top]⇩τ"
  apply (induct T arbitrary: k k')
  apply simp_all
  apply arith
  done

lemma liftT_substT_strange:
  "↑⇩τ n k T[n + k ↦⇩τ U]⇩τ = ↑⇩τ n (Suc k) T[k ↦⇩τ ↑⇩τ n 0 U]⇩τ"
  apply (induct T arbitrary: n k)
  apply simp_all
  apply (thin_tac "⋀x. PROP P x" for P :: "_ ⇒ prop")
  apply (drule_tac x=n in meta_spec)
  apply (drule_tac x="Suc k" in meta_spec)
  apply simp
  done

lemma lift_lift [simp]:
  "k ≤ k' ⟹ k' ≤ k + n ⟹ ↑ n' k' (↑ n k t) = ↑ (n + n') k t"
  by (induct t arbitrary: k k') simp_all

lemma substT_substT:
  "i ≤ j ⟹ T[Suc j ↦⇩τ V]⇩τ[i ↦⇩τ U[j - i ↦⇩τ V]⇩τ]⇩τ = T[i ↦⇩τ U]⇩τ[j ↦⇩τ V]⇩τ"
  apply (induct T arbitrary: i j U V)
  apply (simp_all add: diff_Suc split: nat.split)
  apply (thin_tac "⋀x. PROP P x" for P :: "_ ⇒ prop")
  apply (drule_tac x="Suc i" in meta_spec)
  apply (drule_tac x="Suc j" in meta_spec)
  apply simp
  done


subsection ‹Well-formedness›

text ‹
\label{sec:wf}
The subtyping and typing judgements to be defined in \secref{sec:subtyping}
and \secref{sec:typing} may only operate on types and contexts that
are well-formed. Intuitively, a type @{term T} is well-formed with respect to a
context @{term Γ}, if all variables occurring in it are defined in @{term Γ}.
More precisely, if @{term T} contains a type variable @{term "TVar i"}, then
the @{term i}th element of @{term Γ} must exist and have the form @{term "TVarB U"}.
›

inductive
  well_formed :: "env ⇒ type ⇒ bool"  ("_ ⊢⇩w⇩f _" [50, 50] 50)
where
  wf_TVar: "Γ⟨i⟩ = ⌊TVarB T⌋ ⟹ Γ ⊢⇩w⇩f TVar i"
| wf_Top: "Γ ⊢⇩w⇩f Top"
| wf_arrow: "Γ ⊢⇩w⇩f T ⟹ Γ ⊢⇩w⇩f U ⟹ Γ ⊢⇩w⇩f T → U"
| wf_all: "Γ ⊢⇩w⇩f T ⟹ TVarB T ∷ Γ ⊢⇩w⇩f U ⟹ Γ ⊢⇩w⇩f (∀<:T. U)"

text ‹
A context @{term "Γ"} is well-formed, if all types occurring in it only refer to type variables
declared ``further to the right'':
›

inductive
  well_formedE :: "env ⇒ bool"  ("_ ⊢⇩w⇩f" [50] 50)
  and well_formedB :: "env ⇒ binding ⇒ bool"  ("_ ⊢⇩w⇩f⇩B _" [50, 50] 50)
where
  "Γ ⊢⇩w⇩f⇩B B ≡ Γ ⊢⇩w⇩f type_ofB B"
| wf_Nil: "[] ⊢⇩w⇩f"
| wf_Cons: "Γ ⊢⇩w⇩f⇩B B ⟹ Γ ⊢⇩w⇩f ⟹ B ∷ Γ ⊢⇩w⇩f"

text ‹
The judgement ‹Γ ⊢⇩w⇩f⇩B B›, which denotes well-formedness of the binding @{term B}
with respect to context @{term Γ}, is just an abbreviation for ‹Γ ⊢⇩w⇩f type_ofB B›.
We now present a number of properties of the well-formedness judgements that will be used
in the proofs in the following sections.
›

inductive_cases well_formed_cases:
  "Γ ⊢⇩w⇩f TVar i"
  "Γ ⊢⇩w⇩f Top"
  "Γ ⊢⇩w⇩f T → U"
  "Γ ⊢⇩w⇩f (∀<:T. U)"

inductive_cases well_formedE_cases:
  "B ∷ Γ ⊢⇩w⇩f"

lemma wf_TVarB: "Γ ⊢⇩w⇩f T ⟹ Γ ⊢⇩w⇩f ⟹ TVarB T ∷ Γ ⊢⇩w⇩f"
  by (rule wf_Cons) simp_all

lemma wf_VarB: "Γ ⊢⇩w⇩f T ⟹ Γ ⊢⇩w⇩f ⟹ VarB T ∷ Γ ⊢⇩w⇩f"
  by (rule wf_Cons) simp_all

lemma map_is_TVarb:
  "map is_TVarB Γ' = map is_TVarB Γ ⟹
    Γ⟨i⟩ = ⌊TVarB T⌋ ⟹ ∃T. Γ'⟨i⟩ = ⌊TVarB T⌋"
  apply (induct Γ arbitrary: Γ' T i)
  apply simp
  apply (auto split: nat.split_asm)
  apply (case_tac z)
  apply simp_all
  done

text ‹
A type that is well-formed in a context @{term Γ} is also well-formed in another context
@{term Γ'} that contains type variable bindings at the same positions as @{term Γ}:
›

lemma wf_equallength:
  assumes H: "Γ ⊢⇩w⇩f T"
  shows "map is_TVarB Γ' = map is_TVarB Γ ⟹ Γ' ⊢⇩w⇩f T" using H
  by (induct arbitrary: Γ') (auto intro: well_formed.intros dest: map_is_TVarb)

text ‹
A well-formed context of the form @{term "Δ @ B ∷ Γ"} remains well-formed if we replace
the binding @{term B} by another well-formed binding @{term B'}:
›

lemma wfE_replace:
  "Δ @ B ∷ Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f⇩B B' ⟹ is_TVarB B' = is_TVarB B ⟹
    Δ @ B' ∷ Γ ⊢⇩w⇩f"
  apply (induct Δ)
  apply simp
  apply (erule wf_Cons)
  apply (erule well_formedE_cases)
  apply assumption
  apply simp
  apply (erule well_formedE_cases)
  apply (rule wf_Cons)
  apply (case_tac a)
  apply simp
  apply (rule wf_equallength)
  apply assumption
  apply simp
  apply simp
  apply (rule wf_equallength)
  apply assumption
  apply simp
  apply simp
  done

text ‹
The following weakening lemmas can easily be proved by structural induction on
types and contexts:
›

lemma wf_weaken:
  assumes H: "Δ @ Γ ⊢⇩w⇩f T"
  shows "↑⇩e (Suc 0) 0 Δ @ B ∷ Γ ⊢⇩w⇩f ↑⇩τ (Suc 0) ∥Δ∥ T"
  using H
  apply (induct "Δ @ Γ" T arbitrary: Δ)
  apply simp_all
  apply (rule conjI)
  apply (rule impI)
  apply (rule wf_TVar)
  apply simp
  apply (rule impI)
  apply (rule wf_TVar)
  apply (subgoal_tac "Suc i - ∥Δ∥ = Suc (i - ∥Δ∥)")
  apply simp
  apply arith
  apply (rule wf_Top)
  apply (rule wf_arrow)
  apply simp
  apply simp
  apply (rule wf_all)
  apply simp
  apply simp
  done

lemma wf_weaken': "Γ ⊢⇩w⇩f T ⟹ Δ @ Γ ⊢⇩w⇩f ↑⇩τ ∥Δ∥ 0 T"
  apply (induct Δ)
  apply simp_all
  apply (drule_tac B=a in wf_weaken [of "[]", simplified])
  apply simp
  done

lemma wfE_weaken: "Δ @ Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f⇩B B ⟹ ↑⇩e (Suc 0) 0 Δ @ B ∷ Γ ⊢⇩w⇩f"
  apply (induct Δ)
  apply simp
  apply (rule wf_Cons)
  apply assumption+
  apply simp
  apply (rule wf_Cons)
  apply (erule well_formedE_cases)
  apply (case_tac a)
  apply simp
  apply (rule wf_weaken)
  apply assumption
  apply simp
  apply (rule wf_weaken)
  apply assumption
  apply (erule well_formedE_cases)
  apply simp
  done

text ‹
Intuitively, lemma ‹wf_weaken› states that a type @{term T} which is well-formed
in a context is still well-formed in a larger context, whereas lemma ‹wfE_weaken›
states that a well-formed context remains well-formed when extended with a
well-formed binding. Owing to the encoding of variables using de Bruijn
indices, the statements of the above lemmas involve additional lifting functions.
The typing judgement, which will be described in \secref{sec:typing}, involves
the lookup of variables in a context. It has already been pointed out earlier that each
entry in a context may only depend on types declared ``further to the right''. To ensure that
a type @{term T} stored at position @{term i} in an environment @{term Γ} is valid in the full
environment, as opposed to the smaller environment consisting only of the entries in
@{term Γ} at positions greater than @{term i}, we need to increment the indices of all
free type variables in @{term T} by @{term "Suc i"}:
›

lemma wf_liftB:
  assumes H: "Γ ⊢⇩w⇩f"
  shows "Γ⟨i⟩ = ⌊VarB T⌋ ⟹ Γ ⊢⇩w⇩f ↑⇩τ (Suc i) 0 T"
  using H
  apply (induct arbitrary: i)
  apply simp
  apply (simp split: nat.split_asm)
  apply (frule_tac B="VarB T" in wf_weaken [of "[]", simplified])
  apply simp+
  apply (rename_tac nat)
  apply (drule_tac x=nat in meta_spec)
  apply simp
  apply (frule_tac T="↑⇩τ (Suc nat) 0 T" in wf_weaken [of "[]", simplified])
  apply simp
  done

text ‹
We also need lemmas stating that substitution of well-formed types preserves the well-formedness
of types and contexts:
›

theorem wf_subst:
  "Δ @ B ∷ Γ ⊢⇩w⇩f T ⟹ Γ ⊢⇩w⇩f U ⟹ Δ[0 ↦⇩τ U]⇩e @ Γ ⊢⇩w⇩f T[∥Δ∥ ↦⇩τ U]⇩τ"
  apply (induct T arbitrary: Δ)
  apply simp_all
  apply (rule conjI)
  apply (rule impI)
  apply (drule_tac Γ=Γ and Δ="Δ[0 ↦⇩τ U]⇩e" in wf_weaken')
  apply simp
  apply (rule impI conjI)+
  apply (erule well_formed_cases)
  apply (rule wf_TVar)
  apply (simp split: nat.split_asm)
  apply (rename_tac nat Δ T nata)
  apply (subgoal_tac "∥Δ∥ ≤ nat - Suc 0")
  apply (subgoal_tac "nat - Suc ∥Δ∥ = nata")
  apply (simp (no_asm_simp))
  apply arith
  apply arith
  apply (rule impI)
  apply (erule well_formed_cases)
  apply (rule wf_TVar)
  apply simp
  apply (rule wf_Top)
  apply (erule well_formed_cases)
  apply (rule wf_arrow)
  apply simp+
  apply (erule well_formed_cases)
  apply (rule wf_all)
  apply simp
  apply (thin_tac "⋀x. PROP P x" for P :: "_ ⇒ prop")
  apply (drule_tac x="TVarB T1 ∷ Δ" in meta_spec)
  apply simp
  done

theorem wfE_subst: "Δ @ B ∷ Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f U ⟹ Δ[0 ↦⇩τ U]⇩e @ Γ ⊢⇩w⇩f"
  apply (induct Δ)
  apply simp
  apply (erule well_formedE_cases)
  apply assumption
  apply simp
  apply (case_tac a)
  apply (erule well_formedE_cases)
  apply (rule wf_Cons)
  apply simp
  apply (rule wf_subst)
  apply assumption+
  apply simp
  apply (erule well_formedE_cases)
  apply (rule wf_Cons)
  apply simp
  apply (rule wf_subst)
  apply assumption+
  done


subsection ‹Subtyping›

text ‹
\label{sec:subtyping}
We now come to the definition of the subtyping judgement ‹Γ ⊢ T <: U›.
›

inductive
  subtyping :: "env ⇒ type ⇒ type ⇒ bool"  ("_ ⊢ _ <: _" [50, 50, 50] 50)
where
  SA_Top: "Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f S ⟹ Γ ⊢ S <: Top"
| SA_refl_TVar: "Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f TVar i ⟹ Γ ⊢ TVar i <: TVar i"
| SA_trans_TVar: "Γ⟨i⟩ = ⌊TVarB U⌋ ⟹
    Γ ⊢ ↑⇩τ (Suc i) 0 U <: T ⟹ Γ ⊢ TVar i <: T"
| SA_arrow: "Γ ⊢ T⇩1 <: S⇩1 ⟹ Γ ⊢ S⇩2 <: T⇩2 ⟹ Γ ⊢ S⇩1 → S⇩2 <: T⇩1 → T⇩2"
| SA_all: "Γ ⊢ T⇩1 <: S⇩1 ⟹ TVarB T⇩1 ∷ Γ ⊢ S⇩2 <: T⇩2 ⟹
    Γ ⊢ (∀<:S⇩1. S⇩2) <: (∀<:T⇩1. T⇩2)"

text ‹
The rules ‹SA_Top› and ‹SA_refl_TVar›, which appear at the leaves of
the derivation tree for a judgement @{term "Γ ⊢ T <: U"}, contain additional
side conditions ensuring the well-formedness of the contexts and types involved.
In order for the rule ‹SA_trans_TVar› to be applicable, the context @{term Γ}
must be of the form \mbox{@{term "Γ⇩1 @ B ∷ Γ⇩2"}}, where @{term "Γ⇩1"} has the length @{term i}.
Since the indices of variables in @{term B} can only refer to variables defined in
@{term "Γ⇩2"}, they have to be incremented by @{term "Suc i"} to ensure that they point
to the right variables in the larger context ‹Γ›.
›

lemma wf_subtype_env:
  assumes PQ: "Γ ⊢ P <: Q"
  shows "Γ ⊢⇩w⇩f" using PQ
  by induct assumption+

lemma wf_subtype:
  assumes PQ: "Γ ⊢ P <: Q"
  shows "Γ ⊢⇩w⇩f P ∧ Γ ⊢⇩w⇩f Q" using PQ
  by induct (auto intro: well_formed.intros elim!: wf_equallength)

lemma wf_subtypeE:
  assumes H: "Γ ⊢ T <: U"
  and H': "Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f T ⟹ Γ ⊢⇩w⇩f U ⟹ P"
  shows "P"
  apply (rule H')
  apply (rule wf_subtype_env)
  apply (rule H)
  apply (rule wf_subtype [OF H, THEN conjunct1])
  apply (rule wf_subtype [OF H, THEN conjunct2])
  done

text ‹
By induction on the derivation of @{term "Γ ⊢ T <: U"}, it can easily be shown
that all types and contexts occurring in a subtyping judgement must be well-formed:
›

lemma wf_subtype_conj:
  "Γ ⊢ T <: U ⟹ Γ ⊢⇩w⇩f ∧ Γ ⊢⇩w⇩f T ∧ Γ ⊢⇩w⇩f U"
  by (erule wf_subtypeE) iprover

text ‹
By induction on types, we can prove that the subtyping relation is reflexive:
›

lemma subtype_refl: ― ‹A.1›
  "Γ ⊢⇩w⇩f ⟹ Γ ⊢⇩w⇩f T ⟹ Γ ⊢ T <: T"
  by (induct T arbitrary: Γ) (blast intro:
    subtyping.intros wf_Nil wf_TVarB elim: well_formed_cases)+

text ‹
The weakening lemma for the subtyping relation is proved in two steps:
by induction on the derivation of the subtyping relation, we first prove
that inserting a single type into the context preserves subtyping:
›

lemma subtype_weaken:
  assumes H: "Δ @ Γ ⊢ P <: Q"
  and wf: "Γ ⊢⇩w⇩f⇩B B"
  shows "↑⇩e 1 0 Δ @ B ∷ Γ ⊢ ↑⇩τ 1 ∥Δ∥ P <: ↑⇩τ 1 ∥Δ∥ Q" using H
proof (induct "Δ @ Γ" P Q arbitrary: Δ)
  case SA_Top
  with wf show ?case
    by (auto intro: subtyping.SA_Top wfE_weaken wf_weaken)
next
  case SA_refl_TVar
  with wf show ?case
    by (auto intro!: subtyping.SA_refl_TVar wfE_weaken dest: wf_weaken)
next
  case (SA_trans_TVar i U T)
  thus ?case
  proof (cases "i < ∥Δ∥")
    case True
    with SA_trans_TVar
    have "(↑⇩e 1 0 Δ @ B ∷ Γ)⟨i⟩ = ⌊TVarB (↑⇩τ 1 (∥Δ∥ - Suc i) U)⌋"
      by simp
    moreover from True SA_trans_TVar
    have "↑⇩e 1 0 Δ @ B ∷ Γ ⊢
      ↑⇩τ (Suc i) 0 (↑⇩τ 1 (∥Δ∥ - Suc i) U) <: ↑⇩τ 1 ∥Δ∥ T"
      by simp
    ultimately have "↑⇩e 1 0 Δ @ B ∷ Γ ⊢ TVar i <: ↑⇩τ 1 ∥Δ∥ T"
      by (rule subtyping.SA_trans_TVar)
    with True show ?thesis by simp
  next
    case False
    then have "Suc i - ∥Δ∥ = Suc (i - ∥Δ∥)" by arith
    with False SA_trans_TVar have "(↑⇩e 1 0 Δ @ B ∷ Γ)⟨Suc i⟩ = ⌊TVarB U⌋"
      by simp
    moreover from False SA_trans_TVar
    have "↑⇩e 1 0 Δ @ B ∷ Γ ⊢ ↑⇩τ (Suc (Suc i)) 0 U <: ↑⇩τ 1 ∥Δ∥ T"
      by simp
    ultimately have "↑⇩e 1 0 Δ @ B ∷ Γ ⊢ TVar (Suc i) <: ↑⇩τ 1 ∥Δ∥ T"
      by (rule subtyping.SA_trans_TVar)
    with False show ?thesis by simp
  qed
next
  case SA_arrow
  thus ?case by simp (iprover intro: subtyping.SA_arrow)
next
  case (SA_all T⇩1 S⇩1 S⇩2 T⇩2 Δ)
  with SA_all(4) [of "TVarB T⇩1 ∷ Δ"]
  show ?case by simp (iprover intro: subtyping.SA_all)
qed

text ‹
All cases are trivial, except for the ‹SA_trans_TVar› case, which
requires a case distinction on whether the index of the variable is smaller
than @{term "∥Δ∥"}.
The stronger result that appending a new context @{term Δ} to a context
@{term Γ} preserves subtyping can be proved by induction on @{term Δ},
using the previous result in the induction step:
›

lemma subtype_weaken': ― ‹A.2›
  "Γ ⊢ P <: Q ⟹ Δ @ Γ ⊢⇩w⇩f ⟹ Δ @ Γ ⊢ ↑⇩τ ∥Δ∥ 0 P <: ↑⇩τ ∥Δ∥ 0 Q"
  apply (induct Δ)
  apply simp_all
  apply (erule well_formedE_cases)
  apply simp
  apply (drule_tac B="a" and Γ="Δ @ Γ" in subtype_weaken [of "[]", simplified])
  apply simp_all
  done

text ‹
An unrestricted transitivity rule has the disadvantage that it can
be applied in any situation. In order to make the above definition of the
subtyping relation {\it syntax-directed}, the transitivity rule ‹SA_trans_TVar›
is restricted to the case where the type on the left-hand side of the ‹<:›
operator is a variable. However, the unrestricted transitivity rule
can be derived from this definition.
In order for the proof to go through, we have to simultaneously prove
another property called {\it narrowing}.
The two properties are proved by nested induction. The outer induction
is on the size of the type @{term Q}, whereas the two inner inductions for
proving transitivity and narrowing are on the derivation of the
subtyping judgements. The transitivity property is needed in the proof of
narrowing, which is by induction on the derivation of \mbox{@{term "Δ @ TVarB Q ∷ Γ ⊢ M <: N"}}.
In the case corresponding to the rule ‹SA_trans_TVar›, we must prove
\mbox{@{term "Δ @ TVarB P ∷ Γ ⊢ TVar i <: T"}}. The only interesting case
is the one where @{term "i = ∥Δ∥"}. By induction hypothesis, we know that
@{term "Δ @ TVarB P ∷ Γ ⊢ ↑⇩τ (i+1) 0 Q <: T"} and
@{term "(Δ @ TVarB Q ∷ Γ)⟨i⟩ = ⌊TVarB Q⌋"}.
By assumption, we have @{term "Γ ⊢ P <: Q"} and hence 
\mbox{@{term "Δ @ TVarB P ∷ Γ ⊢ ↑⇩τ (i+1) 0 P <: ↑⇩τ (i+1) 0 Q"}} by weakening.
Since @{term "↑⇩τ (i+1) 0 Q"} has the same size as @{term Q}, we can use
the transitivity property, which yields
@{term "Δ @ TVarB P ∷ Γ ⊢ ↑⇩τ (i+1) 0 P <: T"}. The claim then follows
easily by an application of ‹SA_trans_TVar›.
›

lemma subtype_trans: ― ‹A.3›
  "Γ ⊢ S <: Q ⟹ Γ ⊢ Q <: T ⟹ Γ ⊢ S <: T"
  "Δ @ TVarB Q ∷ Γ ⊢ M <: N ⟹ Γ ⊢ P <: Q ⟹
     Δ @ TVarB P ∷ Γ ⊢ M <: N"
  using wf_measure_size
proof (induct Q arbitrary: Γ S T Δ P M N rule: wf_induct_rule)
  case (less Q)
  {
    fix Γ S T Q'
    assume "Γ ⊢ S <: Q'"
    then have "Γ ⊢ Q' <: T ⟹ size Q = size Q' ⟹ Γ ⊢ S <: T"
    proof (induct arbitrary: T)
      case SA_Top
      from SA_Top(3) show ?case
        by cases (auto intro: subtyping.SA_Top SA_Top)
    next
      case SA_refl_TVar show ?case by fact
    next
      case SA_trans_TVar
      thus ?case by (auto intro: subtyping.SA_trans_TVar)
    next
      case (SA_arrow Γ T⇩1 S⇩1 S⇩2 T⇩2)
      note SA_arrow' = SA_arrow
      from SA_arrow(5) show ?case
      proof cases
        case SA_Top
        with SA_arrow show ?thesis
          by (auto intro: subtyping.SA_Top wf_arrow elim: wf_subtypeE)
      next
        case (SA_arrow T⇩1' T⇩2')
        from SA_arrow SA_arrow' have "Γ ⊢ S⇩1 → S⇩2 <: T⇩1' → T⇩2'"
          by (auto intro!: subtyping.SA_arrow intro: less(1) [of "T⇩1"] less(1) [of "T⇩2"])
        with SA_arrow show ?thesis by simp
      qed
    next
      case (SA_all Γ T⇩1 S⇩1 S⇩2 T⇩2)
      note SA_all' = SA_all
      from SA_all(5) show ?case
      proof cases
        case SA_Top
        with SA_all show ?thesis by (auto intro!:
          subtyping.SA_Top wf_all intro: wf_equallength elim: wf_subtypeE)
      next
        case (SA_all T⇩1' T⇩2')
        from SA_all SA_all' have "Γ ⊢ T⇩1' <: S⇩1"
          by - (rule less(1), simp_all)
        moreover from SA_all SA_all' have "TVarB T⇩1' ∷ Γ ⊢ S⇩2 <: T⇩2"
          by - (rule less(2) [of _ "[]", simplified], simp_all)
        with SA_all SA_all' have "TVarB T⇩1' ∷ Γ ⊢ S⇩2 <: T⇩2'"
          by - (rule less(1), simp_all)
        ultimately have "Γ ⊢ (∀<:S⇩1. S⇩2) <: (∀<:T⇩1'. T⇩2')"
          by (rule subtyping.SA_all)
        with SA_all show ?thesis by simp
      qed
    qed
  }
  note tr = this
  {
    case 1
    thus ?case using refl by (rule tr)
  next
    case 2
    from 2(1) show "Δ @ TVarB P ∷ Γ ⊢ M <: N"
    proof (induct "Δ @ TVarB Q ∷ Γ" M N arbitrary: Δ)
      case SA_Top
      with 2 show ?case by (auto intro!: subtyping.SA_Top
        intro: wf_equallength wfE_replace elim!: wf_subtypeE)
    next
      case SA_refl_TVar
      with 2 show ?case by (auto intro!: subtyping.SA_refl_TVar
        intro: wf_equallength wfE_replace elim!: wf_subtypeE)
    next
      case (SA_trans_TVar i U T)
      show ?case
      proof (cases "i < ∥Δ∥")
        case True
        with SA_trans_TVar show ?thesis
          by (auto intro!: subtyping.SA_trans_TVar)
      next
        case False
        note False' = False
        show ?thesis
        proof (cases "i = ∥Δ∥")
          case True
          from SA_trans_TVar have "(Δ @ [TVarB P]) @ Γ ⊢⇩w⇩f"
            by (auto elim!: wf_subtypeE)
          with ‹Γ ⊢ P <: Q›
          have "(Δ @ [TVarB P]) @ Γ ⊢ ↑⇩τ ∥Δ @ [TVarB P]∥ 0 P <: ↑⇩τ ∥Δ @ [TVarB P]∥ 0 Q"
            by (rule subtype_weaken')
          with SA_trans_TVar True False have "Δ @ TVarB P ∷ Γ ⊢ ↑⇩τ (Suc ∥Δ∥) 0 P <: T"
            by - (rule tr, simp+)
          with True and False and SA_trans_TVar show ?thesis
            by (auto intro!: subtyping.SA_trans_TVar)
        next
          case False
          with False' have "i - ∥Δ∥ = Suc (i - ∥Δ∥ - 1)" by arith
          with False False' SA_trans_TVar show ?thesis
            by - (rule subtyping.SA_trans_TVar, simp+)
        qed
      qed
    next
      case SA_arrow
      thus ?case by (auto intro!: subtyping.SA_arrow)
    next
      case (SA_all T⇩1 S⇩1 S⇩2 T⇩2)
      thus ?case by (auto intro: subtyping.SA_all
        SA_all(4) [of "TVarB T⇩1 ∷ Δ", simplified])
    qed
  }
qed

text ‹
In the proof of the preservation theorem presented in \secref{sec:evaluation},
we will also need a substitution theorem, which is proved by
induction on the subtyping derivation:
›

lemma substT_subtype: ― ‹A.10›
  assumes H: "Δ @ TVarB Q ∷ Γ ⊢ S <: T"
  shows "Γ ⊢ P <: Q ⟹ Δ[0 ↦⇩τ P]⇩e @ Γ ⊢ S[∥Δ∥ ↦⇩τ P]⇩τ <: T[∥Δ∥ ↦⇩τ P]⇩τ"
  using H
  apply (induct "Δ @ TVarB Q ∷ Γ" S T arbitrary: Δ)
  apply simp_all
  apply (rule SA_Top)
  apply (rule wfE_subst)
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  apply (rule wf_subst)
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  apply (rule impI conjI)+
  apply (rule subtype_refl)
  apply (rule wfE_subst)
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  apply (erule wf_subtypeE)
  apply (drule_tac T=P and Δ="Δ[0 ↦⇩τ P]⇩e" in wf_weaken')
  apply simp
  apply (rule conjI impI)+
  apply (rule SA_refl_TVar)
  apply (rule wfE_subst)
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  apply (erule wf_subtypeE)
  apply (drule wf_subst)
  apply assumption
  apply simp
  apply (rule impI)
  apply (rule SA_refl_TVar)
  apply (rule wfE_subst)
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  apply (erule wf_subtypeE)
  apply (drule wf_subst)
  apply assumption
  apply simp
  apply (rule conjI impI)+
  apply simp
  apply (drule_tac Γ=Γ and Δ="Δ[0 ↦⇩τ P]⇩e" in subtype_weaken')
  apply (erule wf_subtypeE)+
  apply assumption
  apply simp
  apply (rule subtype_trans(1))
  apply assumption+
  apply (rule conjI impI)+
  apply (rule SA_trans_TVar)
  apply (simp split: nat.split_asm)
  apply (subgoal_tac "∥Δ∥ ≤ i - Suc 0")
  apply (rename_tac nat)
  apply (subgoal_tac "i - Suc ∥Δ∥ = nat")
  apply (simp (no_asm_simp))
  apply arith
  apply arith
  apply simp
  apply (rule impI)
  apply (rule SA_trans_TVar)
  apply (simp split: nat.split_asm)
  apply (subgoal_tac "Suc (∥Δ∥ - Suc 0) = ∥Δ∥")
  apply (simp (no_asm_simp))
  apply arith
  apply (rule SA_arrow)
  apply simp+
  apply (rule SA_all)
  apply simp
  apply simp
  done

lemma subst_subtype:
  assumes H: "Δ @ VarB V ∷ Γ ⊢ T <: U"
  shows "↓⇩e 1 0 Δ @ Γ ⊢ ↓⇩τ 1 ∥Δ∥ T <: ↓⇩τ 1 ∥Δ∥ U"
  using H
  apply (induct "Δ @ VarB V ∷ Γ" T U arbitrary: Δ)
  apply simp_all
  apply (rule SA_Top)
  apply (rule wfE_subst)
  apply assumption
  apply (rule wf_Top)
  apply (rule wf_subst)
  apply assumption
  apply (rule wf_Top)
  apply (rule impI conjI)+
  apply (rule SA_Top)
  apply (rule wfE_subst)
  apply assumption
  apply (rule wf_Top)+
  apply (rule conjI impI)+
  apply (rule SA_refl_TVar)
  apply (rule wfE_subst)
  apply assumption
  apply (rule wf_Top)
  apply (drule wf_subst)
  apply (rule wf_Top)
  apply simp
  apply (rule impI)
  apply (rule SA_refl_TVar)
  apply (rule wfE_subst)
  apply assumption
  apply (rule wf_Top)
  apply (drule wf_subst)
  apply (rule wf_Top)
  apply simp
  apply (rule conjI impI)+
  apply simp
  apply (rule conjI impI)+
  apply (simp split: nat.split_asm)
  apply (rule SA_trans_TVar)
  apply (subgoal_tac "∥Δ∥ ≤ i - Suc 0")
  apply (rename_tac nat)
  apply (subgoal_tac "i - Suc ∥Δ∥ = nat")
  apply (simp (no_asm_simp))
  apply arith
  apply arith
  apply simp
  apply (rule impI)
  apply (rule SA_trans_TVar)
  apply simp
  apply (subgoal_tac "0 < ∥Δ∥")
  apply simp
  apply arith
  apply (rule SA_arrow)
  apply simp+
  apply (rule SA_all)
  apply simp
  apply simp
  done


subsection ‹Typing›

text ‹
\label{sec:typing}
We are now ready to give a definition of the typing judgement ‹Γ ⊢ t : T›.
›

inductive
  typing :: "env ⇒ trm ⇒ type ⇒ bool"    ("_ ⊢ _ : _" [50, 50, 50] 50)
where
  T_Var: "Γ ⊢⇩w⇩f ⟹ Γ⟨i⟩ = ⌊VarB U⌋ ⟹ T = ↑⇩τ (Suc i) 0 U ⟹ Γ ⊢ Var i : T"
| T_Abs: "VarB T⇩1 ∷ Γ ⊢ t⇩2 : T⇩2 ⟹ Γ ⊢ (λ:T⇩1. t⇩2) : T⇩1 → ↓⇩τ 1 0 T⇩2"
| T_App: "Γ ⊢ t⇩1 : T⇩1⇩1 → T⇩1⇩2 ⟹ Γ ⊢ t⇩2 : T⇩1⇩1 ⟹ Γ ⊢ t⇩1 ∙ t⇩2 : T⇩1⇩2"
| T_TAbs: "TVarB T⇩1 ∷ Γ ⊢ t⇩2 : T⇩2 ⟹ Γ ⊢ (λ<:T⇩1. t⇩2) : (∀<:T⇩1. T⇩2)"
| T_TApp: "Γ ⊢ t⇩1 : (∀<:T⇩1⇩1. T⇩1⇩2) ⟹ Γ ⊢ T⇩2 <: T⇩1⇩1 ⟹
    Γ ⊢ t⇩1 ∙⇩τ T⇩2 : T⇩1⇩2[0 ↦⇩τ T⇩2]⇩τ"
| T_Sub: "Γ ⊢ t : S ⟹ Γ ⊢ S <: T ⟹ Γ ⊢ t : T"

text ‹
Note that in the rule ‹T_Var›, the indices of the type @{term U} looked up in
the context @{term Γ} need to be incremented in order for the type to be well-formed
with respect to @{term Γ}. In the rule ‹T_Abs›, the type @{term "T⇩2"} of the
abstraction body @{term "t⇩2"} may not contain the variable with index ‹0›,
since it is a term variable. To compensate for the disappearance of the context
element @{term "VarB T⇩1"} in the conclusion of thy typing rule, the indices of all
free type variables in @{term "T⇩2"} have to be decremented by ‹1›.
›

theorem wf_typeE1:
  assumes H: "Γ ⊢ t : T"
  shows "Γ ⊢⇩w⇩f" using H
  by induct (blast elim: well_formedE_cases)+

theorem wf_typeE2:
  assumes H: "Γ ⊢ t : T"
  shows "Γ ⊢⇩w⇩f T" using H
  apply induct
  apply simp
  apply (rule wf_liftB)
  apply assumption+
  apply (drule wf_typeE1)+
  apply (erule well_formedE_cases)+
  apply (rule wf_arrow)
  apply simp
  apply simp
  apply (rule wf_subst [of "[]", simplified])
  apply assumption
  apply (rule wf_Top)
  apply (erule well_formed_cases)
  apply assumption
  apply (rule wf_all)
  apply (drule wf_typeE1)
  apply (erule well_formedE_cases)
  apply simp  
  apply assumption
  apply (erule well_formed_cases)
  apply (rule wf_subst [of "[]", simplified])
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  apply (erule wf_subtypeE)
  apply assumption
  done

text ‹
Like for the subtyping judgement, we can again prove that all types and contexts
involved in a typing judgement are well-formed:
›
lemma wf_type_conj: "Γ ⊢ t : T ⟹ Γ ⊢⇩w⇩f ∧ Γ ⊢⇩w⇩f T"
  by (frule wf_typeE1, drule wf_typeE2) iprover

text ‹
The narrowing theorem for the typing judgement states that replacing the type
of a variable in the context by a subtype preserves typability:
›

lemma narrow_type: ― ‹A.7›
  assumes H: "Δ @ TVarB Q ∷ Γ ⊢ t : T"
  shows "Γ ⊢ P <: Q ⟹ Δ @ TVarB P ∷ Γ ⊢ t : T"
  using H
  apply (induct "Δ @ TVarB Q ∷ Γ" t T arbitrary: Δ)
  apply simp_all
  apply (rule T_Var)
  apply (erule wfE_replace)
  apply (erule wf_subtypeE)
  apply simp+
  apply (case_tac "i < ∥Δ∥")
  apply simp
  apply (case_tac "i = ∥Δ∥")
  apply simp
  apply (simp split: nat.split nat.split_asm)+
  apply (rule T_Abs [simplified])
  apply simp
  apply (rule_tac T⇩1⇩1=T⇩1⇩1 in T_App)
  apply simp+
  apply (rule T_TAbs)
  apply simp
  apply (rule_tac T⇩1⇩1=T⇩1⇩1 in T_TApp)
  apply simp
  apply (rule subtype_trans(2))
  apply assumption+
  apply (rule_tac S=S in T_Sub)
  apply simp
  apply (rule subtype_trans(2))
  apply assumption+
  done

lemma subtype_refl':
  assumes t: "Γ ⊢ t : T"
  shows "Γ ⊢ T <: T"
proof (rule subtype_refl)
  from t show "Γ ⊢⇩w⇩f" by (rule wf_typeE1)
  from t show "Γ ⊢⇩w⇩f T" by (rule wf_typeE2)
qed

lemma Abs_type: ― ‹A.13(1)›
  assumes H: "Γ ⊢ (λ:S. s) : T"
  shows "Γ ⊢ T <: U → U' ⟹
    (⋀S'. Γ ⊢ U <: S ⟹ VarB S ∷ Γ ⊢ s : S' ⟹
      Γ ⊢ ↓⇩τ 1 0 S' <: U' ⟹ P) ⟹ P"
  using H
proof (induct Γ "λ:S. s" T arbitrary: U U' S s P)
  case (T_Abs T⇩1 Γ t⇩2 T⇩2)
  from ‹Γ ⊢ T⇩1 → ↓⇩τ 1 0 T⇩2 <: U → U'›
  obtain ty1: "Γ ⊢ U <: T⇩1" and ty2: "Γ ⊢ ↓⇩τ 1 0 T⇩2 <: U'"
    by cases simp_all
  from ty1 ‹VarB T⇩1 ∷ Γ ⊢ t⇩2 : T⇩2› ty2
  show ?case by (rule T_Abs)
next
  case (T_Sub Γ S' T)
  from ‹Γ ⊢ S' <: T› and ‹Γ ⊢ T <: U → U'›
  have "Γ ⊢ S' <: U → U'" by (rule subtype_trans(1))
  then show ?case
    by (rule T_Sub) (rule T_Sub(5))
qed

lemma Abs_type':
  assumes H: "Γ ⊢ (λ:S. s) : U → U'"
  and R: "⋀S'. Γ ⊢ U <: S ⟹ VarB S ∷ Γ ⊢ s : S' ⟹
    Γ ⊢ ↓⇩τ 1 0 S' <: U' ⟹ P"
  shows "P" using H subtype_refl' [OF H]
  by (rule Abs_type) (rule R)

lemma TAbs_type: ― ‹A.13(2)›
  assumes H: "Γ ⊢ (λ<:S. s) : T"
  shows "Γ ⊢ T <: (∀<:U. U') ⟹
    (⋀S'. Γ ⊢ U <: S ⟹ TVarB U ∷ Γ ⊢ s : S' ⟹
      TVarB U ∷ Γ ⊢ S' <: U' ⟹ P) ⟹ P"
  using H
proof (induct Γ "λ<:S. s" T arbitrary: U U' S s P)
  case (T_TAbs T⇩1 Γ t⇩2 T⇩2)
  from ‹Γ ⊢ (∀<:T⇩1. T⇩2) <: (∀<:U. U')›
  obtain ty1: "Γ ⊢ U <: T⇩1" and ty2: "TVarB U ∷ Γ ⊢ T⇩2 <: U'"
    by cases simp_all
  from ‹TVarB T⇩1 ∷ Γ ⊢ t⇩2 : T⇩2›
  have "TVarB U ∷ Γ ⊢ t⇩2 : T⇩2" using ty1
    by (rule narrow_type [of "[]", simplified])
  with ty1 show ?case using ty2 by (rule T_TAbs)
next
  case (T_Sub Γ S' T)
  from ‹Γ ⊢ S' <: T› and ‹Γ ⊢ T <: (∀<:U. U')›
  have "Γ ⊢ S' <: (∀<:U. U')" by (rule subtype_trans(1))
  then show ?case
    by (rule T_Sub) (rule T_Sub(5))
qed

lemma TAbs_type':
  assumes H: "Γ ⊢ (λ<:S. s) : (∀<:U. U')"
  and R: "⋀S'. Γ ⊢ U <: S ⟹ TVarB U ∷ Γ ⊢ s : S' ⟹
    TVarB U ∷ Γ ⊢ S' <: U' ⟹ P"
  shows "P" using H subtype_refl' [OF H]
  by (rule TAbs_type) (rule R)

lemma T_eq: "Γ ⊢ t : T ⟹ T = T' ⟹ Γ ⊢ t : T'" by simp

text ‹
The weakening theorem states that inserting a binding @{term B}
does not affect typing:
›

lemma type_weaken:
  assumes H: "Δ @ Γ ⊢ t : T"
  shows "Γ ⊢⇩w⇩f⇩B B ⟹
    ↑⇩e 1 0 Δ @ B ∷ Γ ⊢ ↑ 1 ∥Δ∥ t : ↑⇩τ 1 ∥Δ∥ T" using H
  apply (induct "Δ @ Γ" t T arbitrary: Δ)
  apply simp_all
  apply (rule conjI)
  apply (rule impI)
  apply (rule T_Var)
  apply (erule wfE_weaken)
  apply simp+
  apply (rule impI)
  apply (rule T_Var)
  apply (erule wfE_weaken)
  apply assumption
  apply (subgoal_tac "Suc i - ∥Δ∥ = Suc (i - ∥Δ∥)")
  apply simp
  apply arith
  apply (rule refl)
  apply (rule T_Abs [THEN T_eq])
  apply simp
  apply simp
  apply (rule_tac T⇩1⇩1="↑⇩τ (Suc 0) ∥Δ∥ T⇩1⇩1" in T_App)
  apply simp
  apply simp
  apply (rule T_TAbs)
  apply simp
  apply (erule_tac T_TApp [THEN T_eq])
  apply (drule subtype_weaken)
  apply simp+
  apply (case_tac Δ)
  apply (simp add: liftT_substT_strange [of _ 0, simplified])+
  apply (rule_tac S="↑⇩τ (Suc 0) ∥Δ∥ S" in T_Sub)
  apply simp
  apply (drule subtype_weaken)
  apply simp+
  done

text ‹
We can strengthen this result, so as to mean that concatenating a new context
@{term Δ} to the context @{term Γ} preserves typing:
›

lemma type_weaken': ― ‹A.5(6)›
  "Γ ⊢ t : T ⟹ Δ @ Γ ⊢⇩w⇩f ⟹ Δ @ Γ ⊢ ↑ ∥Δ∥ 0 t : ↑⇩τ ∥Δ∥ 0 T"
  apply (induct Δ)
  apply simp
  apply simp
  apply (erule well_formedE_cases)
  apply simp
  apply (drule_tac B=a in type_weaken [of "[]", simplified])
  apply simp+
  done

text ‹
This property is proved by structural induction on the context @{term Δ},
using the previous result in the induction step. In the proof of the preservation
theorem, we will need two substitution theorems for term and type variables,
both of which are proved by induction on the typing derivation.
Since term and type variables are stored in the same context, we again have to
decrement the free type variables in @{term Δ} and @{term T} by ‹1›
in the substitution rule for term variables in order to compensate for the
disappearance of the variable.
›

theorem subst_type: ― ‹A.8›
  assumes H: "Δ @ VarB U ∷ Γ ⊢ t : T"
  shows "Γ ⊢ u : U ⟹
    ↓⇩e 1 0 Δ @ Γ ⊢ t[∥Δ∥ ↦ u] : ↓⇩τ 1 ∥Δ∥ T" using H
  apply (induct "Δ @ VarB U ∷ Γ" t T arbitrary: Δ)
  apply simp
  apply (rule conjI)
  apply (rule impI)
  apply simp
  apply (drule_tac Δ="Δ[0 ↦⇩τ Top]⇩e" in type_weaken')
  apply (rule wfE_subst)
  apply assumption
  apply (rule wf_Top)
  apply simp
  apply (rule impI conjI)+
  apply (simp split: nat.split_asm)
  apply (rule T_Var)
  apply (erule wfE_subst)
  apply (rule wf_Top)
  apply (subgoal_tac "∥Δ∥ ≤ i - Suc 0")
  apply (rename_tac nat)
  apply (subgoal_tac "i - Suc ∥Δ∥ = nat")
  apply (simp (no_asm_simp))
  apply arith
  apply arith
  apply simp
  apply (rule impI)
  apply (rule T_Var)
  apply (erule wfE_subst)
  apply (rule wf_Top)
  apply simp
  apply (subgoal_tac "Suc (∥Δ∥ - Suc 0) = ∥Δ∥")
  apply (simp (no_asm_simp))
  apply arith
  apply simp
  apply (rule T_Abs [THEN T_eq])
  apply simp
  apply (simp add: substT_substT [symmetric])
  apply simp
  apply (rule_tac T⇩1⇩1="T⇩1⇩1[∥Δ∥ ↦⇩τ Top]⇩τ" in T_App)
  apply simp+
  apply (rule T_TAbs)
  apply simp
  apply simp
  apply (rule T_TApp [THEN T_eq])
  apply simp
  apply (rule subst_subtype [simplified])
  apply assumption
  apply (simp add: substT_substT [symmetric])
  apply (rule_tac S="S[∥Δ∥ ↦⇩τ Top]⇩τ" in T_Sub)
  apply simp
  apply simp
  apply (rule subst_subtype [simplified])
  apply assumption
  done

theorem substT_type: ― ‹A.11›
  assumes H: "Δ @ TVarB Q ∷ Γ ⊢ t : T"
  shows "Γ ⊢ P <: Q ⟹
    Δ[0 ↦⇩τ P]⇩e @ Γ ⊢ t[∥Δ∥ ↦⇩τ P] : T[∥Δ∥ ↦⇩τ P]⇩τ" using H
  apply (induct "Δ @ TVarB Q ∷ Γ" t T arbitrary: Δ)
  apply simp_all
  apply (rule impI conjI)+
  apply simp
  apply (rule T_Var)
  apply (erule wfE_subst)
  apply (erule wf_subtypeE)
  apply assumption
  apply (simp split: nat.split_asm)
  apply (subgoal_tac "∥Δ∥ ≤ i - Suc 0")
  apply (rename_tac nat)
  apply (subgoal_tac "i - Suc ∥Δ∥ = nat")
  apply (simp (no_asm_simp))
  apply arith
  apply arith
  apply simp
  apply (rule impI)
  apply (case_tac "i = ∥Δ∥")
  apply simp
  apply (rule T_Var)
  apply (erule wfE_subst)
  apply (erule wf_subtypeE)
  apply assumption
  apply simp
  apply (subgoal_tac "i < ∥Δ∥")
  apply (subgoal_tac "Suc (∥Δ∥ - Suc 0) = ∥Δ∥")
  apply (simp (no_asm_simp))
  apply arith
  apply arith
  apply (rule T_Abs [THEN T_eq])
  apply simp
  apply (simp add: substT_substT [symmetric])
  apply (rule_tac T⇩1⇩1="T⇩1⇩1[∥Δ∥ ↦⇩τ P]⇩τ" in T_App)
  apply simp+
  apply (rule T_TAbs)
  apply simp
  apply (rule T_TApp [THEN T_eq])
  apply simp
  apply (rule substT_subtype)
  apply assumption
  apply assumption
  apply (simp add: substT_substT [symmetric])
  apply (rule_tac S="S[∥Δ∥ ↦⇩τ P]⇩τ" in T_Sub)
  apply simp
  apply (rule substT_subtype)
  apply assumption
  apply assumption
  done


subsection ‹Evaluation›

text ‹
\label{sec:evaluation}
For the formalization of the evaluation strategy, it is useful to first define
a set of {\it canonical values} that are not evaluated any further. The canonical
values of call-by-value \fsub{} are exactly the abstractions over term and type variables:
›

inductive_set
  "value" :: "trm set"
where
  Abs: "(λ:T. t) ∈ value"
| TAbs: "(λ<:T. t) ∈ value"

text ‹
The notion of a @{term value} is now used in the defintion of the evaluation
relation \mbox{‹t ⟼ t'›}. There are several ways for defining this evaluation
relation: Aydemir et al.\ \<^cite>‹"PoplMark"› advocate the use of {\it evaluation
contexts} that allow to separate the description of the ``immediate'' reduction rules,
i.e.\ $\beta$-reduction, from the description of the context in which these reductions
may occur in. The rationale behind this approach is to keep the formalization more modular.
We will take a closer look at this style of presentation in section
\secref{sec:evaluation-ctxt}. For the rest of this section, we will use a different
approach: both the ``immediate'' reductions and the reduction context are described
within the same inductive definition, where the context is described by additional
congruence rules.
›

inductive
  eval :: "trm ⇒ trm ⇒ bool"  (infixl "⟼" 50)
where
  E_Abs: "v⇩2 ∈ value ⟹ (λ:T⇩1⇩1. t⇩1⇩2) ∙ v⇩2 ⟼ t⇩1⇩2[0 ↦ v⇩2]"
| E_TAbs: "(λ<:T⇩1⇩1. t⇩1⇩2) ∙⇩τ T⇩2 ⟼ t⇩1⇩2[0 ↦⇩τ T⇩2]"
| E_App1: "t ⟼ t' ⟹ t ∙ u ⟼ t' ∙ u"
| E_App2: "v ∈ value ⟹ t ⟼ t' ⟹ v ∙ t ⟼ v ∙ t'"
| E_TApp: "t ⟼ t' ⟹ t ∙⇩τ T ⟼ t' ∙⇩τ T"

text ‹
Here, the rules ‹E_Abs› and ‹E_TAbs› describe the ``immediate'' reductions,
whereas ‹E_App1›, ‹E_App2›, and ‹E_TApp› are additional congruence
rules describing reductions in a context. The most important theorems of this section
are the {\it preservation} theorem, stating that the reduction of a well-typed term
does not change its type, and the {\it progress} theorem, stating that reduction of
a well-typed term does not ``get stuck'' -- in other words, every well-typed, closed
term @{term t} is either a value, or there is a term @{term t'} to which @{term t}
can be reduced. The preservation theorem
is proved by induction on the derivation of @{term "Γ ⊢ t : T"}, followed by a case
distinction on the last rule used in the derivation of @{term "t ⟼ t'"}.
›

theorem preservation: ― ‹A.20›
  assumes H: "Γ ⊢ t : T"
  shows "t ⟼ t' ⟹ Γ ⊢ t' : T" using H
proof (induct arbitrary: t')
  case (T_Var Γ i U T t')
  from ‹Var i ⟼ t'›
  show ?case by cases
next
  case (T_Abs T⇩1 Γ t⇩2 T⇩2 t')
  from ‹(λ:T⇩1. t⇩2) ⟼ t'›
  show ?case by cases
next
  case (T_App Γ t⇩1 T⇩1⇩1 T⇩1⇩2 t⇩2 t')
  from ‹t⇩1 ∙ t⇩2 ⟼ t'›
  show ?case
  proof cases
    case (E_Abs T⇩1⇩1' t⇩1⇩2)
    with T_App have "Γ ⊢ (λ:T⇩1⇩1'. t⇩1⇩2) : T⇩1⇩1 → T⇩1⇩2" by simp
    then obtain S'
      where T⇩1⇩1: "Γ ⊢ T⇩1⇩1 <: T⇩1⇩1'"
      and t⇩1⇩2: "VarB T⇩1⇩1' ∷ Γ ⊢ t⇩1⇩2 : S'"
      and S': "Γ ⊢ S'[0 ↦⇩τ Top]⇩τ <: T⇩1⇩2" by (rule Abs_type' [simplified]) blast
    from ‹Γ ⊢ t⇩2 : T⇩1⇩1›
    have "Γ ⊢ t⇩2 : T⇩1⇩1'" using T⇩1⇩1 by (rule T_Sub)
    with t⇩1⇩2 have "Γ ⊢ t⇩1⇩2[0 ↦ t⇩2] : S'[0 ↦⇩τ Top]⇩τ"
      by (rule subst_type [where Δ="[]", simplified])
    hence "Γ ⊢ t⇩1⇩2[0 ↦ t⇩2] : T⇩1⇩2" using S' by (rule T_Sub)
    with E_Abs show ?thesis by simp
  next
    case (E_App1 t'')
    from ‹t⇩1 ⟼ t''›
    have "Γ ⊢ t'' : T⇩1⇩1 → T⇩1⇩2" by (rule T_App)
    hence "Γ ⊢ t'' ∙ t⇩2 : T⇩1⇩2" using ‹Γ ⊢ t⇩2 : T⇩1⇩1›
      by (rule typing.T_App)
    with E_App1 show ?thesis by simp
  next
    case (E_App2 t'')
    from ‹t⇩2 ⟼ t''›
    have "Γ ⊢ t'' : T⇩1⇩1" by (rule T_App)
    with T_App(1) have "Γ ⊢ t⇩1 ∙ t'' : T⇩1⇩2"
      by (rule typing.T_App)
    with E_App2 show ?thesis by simp
  qed
next
  case (T_TAbs T⇩1 Γ t⇩2 T⇩2 t')
  from ‹(λ<:T⇩1. t⇩2) ⟼ t'›
  show ?case by cases
next
  case (T_TApp Γ t⇩1 T⇩1⇩1 T⇩1⇩2 T⇩2 t')
  from ‹t⇩1 ∙⇩τ T⇩2 ⟼ t'›
  show ?case
  proof cases
    case (E_TAbs T⇩1⇩1' t⇩1⇩2)
    with T_TApp have "Γ ⊢ (λ<:T⇩1⇩1'. t⇩1⇩2) : (∀<:T⇩1⇩1. T⇩1⇩2)" by simp
    then obtain S'
      where "TVarB T⇩1⇩1 ∷ Γ ⊢ t⇩1⇩2 : S'"
      and "TVarB T⇩1⇩1 ∷ Γ ⊢ S' <: T⇩1⇩2" by (rule TAbs_type') blast
    hence "TVarB T⇩1⇩1 ∷ Γ ⊢ t⇩1⇩2 : T⇩1⇩2" by (rule T_Sub)
    hence "Γ ⊢ t⇩1⇩2[0 ↦⇩τ T⇩2] : T⇩1⇩2[0 ↦⇩τ T⇩2]⇩τ" using T_TApp(3)
      by (rule substT_type [where Δ="[]", simplified])
    with E_TAbs show ?thesis by simp
  next
    case (E_TApp t'')
    from ‹t⇩1 ⟼ t''›
    have "Γ ⊢ t'' : (∀<:T⇩1⇩1. T⇩1⇩2)" by (rule T_TApp)
    hence "Γ ⊢ t'' ∙⇩τ T⇩2 : T⇩1⇩2[0 ↦⇩τ T⇩2]⇩τ" using ‹Γ ⊢ T⇩2 <: T⇩1⇩1›
      by (rule typing.T_TApp)
    with E_TApp show ?thesis by simp
  qed
next
  case (T_Sub Γ t S T t')
  from ‹t ⟼ t'›
  have "Γ ⊢ t' : S" by (rule T_Sub)
  then show ?case using ‹Γ ⊢ S <: T›
    by (rule typing.T_Sub)
qed

text ‹
The progress theorem is also proved by induction on the derivation of
@{term "[] ⊢ t : T"}. In the induction steps, we need the following two lemmas
about {\it canonical forms}
stating that closed values of types @{term "T⇩1 → T⇩2"} and @{term "∀<:T⇩1. T⇩2"}
must be abstractions over term and type variables, respectively.
›

lemma Fun_canonical: ― ‹A.14(1)›
  assumes ty: "[] ⊢ v : T⇩1 → T⇩2"
  shows "v ∈ value ⟹ ∃t S. v = (λ:S. t)" using ty
proof (induct "[]::env" v "T⇩1 → T⇩2" arbitrary: T⇩1 T⇩2)
  case T_Abs
  show ?case by iprover
next
  case (T_App t⇩1 T⇩1⇩1 t⇩2 T⇩1 T⇩2)
  from ‹t⇩1 ∙ t⇩2 ∈ value›
  show ?case by cases
next
  case (T_TApp t⇩1 T⇩1⇩1 T⇩1⇩2 T⇩2 T⇩1 T⇩2')
  from ‹t⇩1 ∙⇩τ T⇩2 ∈ value›
  show ?case by cases
next
  case (T_Sub t S T⇩1 T⇩2)
  from ‹[] ⊢ S <: T⇩1 → T⇩2›
  obtain S⇩1 S⇩2 where S: "S = S⇩1 → S⇩2"
    by cases (auto simp add: T_Sub)
  show ?case by (rule T_Sub S)+
qed simp

lemma TyAll_canonical: ― ‹A.14(3)›
  assumes ty: "[] ⊢ v : (∀<:T⇩1. T⇩2)"
  shows "v ∈ value ⟹ ∃t S. v = (λ<:S. t)" using ty
proof (induct "[]::env" v "∀<:T⇩1. T⇩2" arbitrary: T⇩1 T⇩2)
  case (T_App t⇩1 T⇩1⇩1 t⇩2 T⇩1 T⇩2)
  from ‹t⇩1 ∙ t⇩2 ∈ value›
  show ?case by cases
next
  case T_TAbs
  show ?case by iprover
next
  case (T_TApp t⇩1 T⇩1⇩1 T⇩1⇩2 T⇩2 T⇩1 T⇩2')
  from ‹t⇩1 ∙⇩τ T⇩2 ∈ value›
  show ?case by cases
next
  case (T_Sub t S T⇩1 T⇩2)
  from ‹[] ⊢ S <: (∀<:T⇩1. T⇩2)›
  obtain S⇩1 S⇩2 where S: "S = (∀<:S⇩1. S⇩2)"
    by cases (auto simp add: T_Sub)
  show ?case by (rule T_Sub S)+
qed simp

theorem progress:
  assumes ty: "[] ⊢ t : T"
  shows "t ∈ value ∨ (∃t'. t ⟼ t')" using ty
proof (induct "[]::env" t T)
  case T_Var
  thus ?case by simp
next
  case T_Abs
  from value.Abs show ?case ..
next
  case (T_App t⇩1 T⇩1⇩1 T⇩1⇩2 t⇩2)
  hence "t⇩1 ∈ value ∨ (∃t'. t⇩1 ⟼ t')" by simp
  thus ?case
  proof
    assume t⇩1_val: "t⇩1 ∈ value"
    with T_App obtain t S where t⇩1: "t⇩1 = (λ:S. t)"
      by (auto dest!: Fun_canonical)
    from T_App have "t⇩2 ∈ value ∨ (∃t'. t⇩2 ⟼ t')" by simp
    thus ?thesis
    proof
      assume "t⇩2 ∈ value"
      with t⇩1 have "t⇩1 ∙ t⇩2 ⟼ t[0 ↦ t⇩2]"
        by simp (rule eval.intros)
      thus ?thesis by iprover
    next
      assume "∃t'. t⇩2 ⟼ t'"
      then obtain t' where "t⇩2 ⟼ t'" by iprover
      with t⇩1_val have "t⇩1 ∙ t⇩2 ⟼ t⇩1 ∙ t'" by (rule eval.intros)
      thus ?thesis by iprover
    qed
  next
    assume "∃t'. t⇩1 ⟼ t'"
    then obtain t' where "t⇩1 ⟼ t'" ..
    hence "t⇩1 ∙ t⇩2 ⟼ t' ∙ t⇩2" by (rule eval.intros)
    thus ?thesis by iprover
  qed
next
  case T_TAbs
  from value.TAbs show ?case ..
next
  case (T_TApp t⇩1 T⇩1⇩1 T⇩1⇩2 T⇩2)
  hence "t⇩1 ∈ value ∨ (∃t'. t⇩1 ⟼ t')" by simp
  thus ?case
  proof
    assume "t⇩1 ∈ value"
    with T_TApp obtain t S where "t⇩1 = (λ<:S. t)"
      by (auto dest!: TyAll_canonical)
    hence "t⇩1 ∙⇩τ T⇩2 ⟼ t[0 ↦⇩τ T⇩2]" by simp (rule eval.intros)
    thus ?thesis by iprover
  next
    assume "∃t'. t⇩1 ⟼ t'"
    then obtain t' where "t⇩1 ⟼ t'" ..
    hence "t⇩1 ∙⇩τ T⇩2 ⟼ t' ∙⇩τ T⇩2" by (rule eval.intros)
    thus ?thesis by iprover
  qed
next
  case (T_Sub t S T)
  show ?case by (rule T_Sub)
qed

end