Realizability Interpretation and Normalization of Typed Call-by-Need λ -calculus With Control

. We deﬁne a variant of Krivine realizability where realizers are pairs of a term and a substitution. This variant allows us to prove the normalization of a simply-typed call-by-need λ -calculus with control due to Ariola et al . Indeed, in such call-by-need calculus, substitutions have to be delayed until knowing if an argument is really needed. We then extend the proof to a call-by-need λ -calculus equipped with a type system equivalent to classical second-order predicate logic, representing one step towards proving the normalization of the call-by-need classical second-order arithmetic introduced by the second author to provide a proof-as-program interpretation of the axiom of dependent choice.


Realizability-based normalization
Normalization by realizability is a standard technique to prove the normalization of typed λ-calculi. Originally introduced by Tait [36] to prove the normalization of System T, it was extended by Girard to prove the normalization of System F [11]. This kind of techniques, also called normalization by reducibility or normalization by logical relations, works by interpreting each type by a set of typed or untyped terms seen as realizers of the type, then showing that the way these sets of realizers are built preserve properties such as normalization. Over the years, multiple uses and generalization of this method have been done, for a more detailed account of which we refer the reader to the work of Gallier [9].
Realizability techniques were adapted to the normalization of various calculi for classical logic (see e.g. [3,32]). A specific framework tailored to the study of realizability for classical logic has been designed by Krivine [19] on top of a λcalculus with control whose reduction is defined in terms of an abstract machine. In such a machinery, terms are evaluated in front of stacks; and control (thus classical logic) is made available through the possibility of saving and restoring stacks. During the last twenty years, Krivine's classical realizability turned out to be fruitful both from the point of view of logic, leading to the construction of new models of set theory, and generalizing in particular the technique of Cohen's forcing [20,21,22]; and on its computational facet, providing alternative tools to the analysis of the computational content of classical programs 3 .
Noteworthily, Krivine realizability is one of the approaches contributing to advocating the motto that through the Curry-Howard correspondence, with new programming instructions come new reasoning principles 4 . Our original motivation for the present work is actually in line with this idea, in the sense that our long-term purpose is to give a realizability interpretation to dPA ω , a call-by-need calculus defined by the second author [15]. In this calculus, the lazy evaluation is indeed a fundamental ingredient in order to obtain an executable proof term for the axiom of dependent choice.

Contributions of the paper
In order to address the normalization of typed call-by-need λ-calculus, we design a variant of Krivine's classical realizability, where the realizers are closures (a term with a substitution for its free variables). The call-by-need λ-calculus with control that we consider is the λ [lvτ ⋆] -calculus. This calculus, that was defined by Ariola et al. [2], is syntactically described in an extension with explicit substitutions of the λµμ-calculus [6,14,29]. The syntax of the λµμ-calculus itself refines the syntax of the λ-calculus by syntactically distinguishing between terms and evaluation contexts. It also contains commands which combine terms and evaluation contexts so that they can interact together. Thinking of evaluation contexts as stacks and commands as states, the λµμ-calculus can also be seen as a syntax for abstract machines. As for a proof-as-program point of view, the λµμ-calculus and its variants can be seen as a term syntax for proofs of Gentzen's sequent calculus. In particular, the λµμ-calculus contains control operators which give a computational interpretation to classical logic.
We give a proof of normalization first for the simply-typed λ [lvτ ⋆] -calculus 5 , then for a type system with first-order and second-order quantification. While we only apply our technique to the normalization of the λ [lvτ ⋆] -calculus, our interpretation incidentally suggests a way to adapt Krivine realizability to other call-by-need settings. This paves the way to the computational interpretation of classical proofs using lazy evaluation or shared memory cells, including the case of the call-by-need second order arithmetic dPA ω [15].

Explicit environments
While the results presented in this paper could be directly expressed using the λ lv -calculus, the realizability interpretation naturally arises from the decomposition of this calculus into a different calculus with an explicit environment, the λ [lvτ ⋆] -calculus [2]. Indeed, as we shall see in the sequel, the decomposition highlights different syntactic categories that are deeply involved in the type system and in the definition of the realizability interpretation.
The λ [lvτ ⋆] -calculus is a reformulation of the λ lv -calculus with explicit environments, called stores and denoted by τ . Stores consists of a list of bindings of the form [x := t], where x is a term variable and t a term, and of bindings of the form [α := e] where α is a context variable and e a context. For instance, in the closure cτ [x := t]τ ′ , the variable x is bound to t in c and τ ′ . Besides, the term t might be an unevaluated term (i.e. lazily stored), so that if x is eagerly demanded at some point during the execution of this closure, t will be reduced in order to obtain a value. In the case where t indeed produces a value V , the store will be updated with the binding [x := V ]. However, a binding of this form (with a value) is fixed for the rest of the execution. As such, our so-called stores somewhat behave like lazy explicit substitutions or mutable environments.
To draw the comparison between our structures and the usual notions of stores and environments, two things should be observed. First, the usual notion of store refers to a structure of list that is fully mutable, in the sense that the cells can be updated at any time and thus values might be replaced. Second, the usual notion of environment designates a structure in which variables are bounded to closures made of a term and an environment. In particular, terms and environments are duplicated, i.e. sharing is not allowed. Such a structure resemble to a tree whose nodes are decorated by terms, as opposed to a machinery allowing sharing (like ours) whose underlying structure is broadly a directed acyclic graph. See for instance [24] for a Krivine abstract machine with sharing.

Syntax & reduction rules
The lazy evaluation of terms allows for the following reduction rule: us to reduce a command µα.c||μx.c ′ to the command c ′ together with the binding [x := µα.c].
In this case, the term µα.c is left unevaluated ("frozen") in the store, until possibly reaching a command in which the variable x is needed. When evaluation reaches a command of the form x||F τ [x := µα.c]τ ′ , the binding is opened and the term is evaluated in front of the contextμ[x]. x||F τ ′ : The reader can think of the previous rule as the "defrosting" operation of the frozen term µα.c : this term is evaluated in the prefix of the store τ which predates it, in front of the contextμ[x]. x||F τ ′ where theμ[x] binder is waiting for a value.  This context keeps trace of the part of the store τ ′ that was originally located after the binding [x := .
..]. This way, if a value V is indeed furnished for the binderμ[x], the original command x||F is evaluated in the updated full store: The brackets inμ [x].c are used to express the fact that the variable x is forced at top-level (unlike contexts of the shapeμx.C[ x||F ] in the λ lv -calculus). The reduction system resembles the one of an abstract machine. Especially, it allows us to keep the standard redex at the top of a command and avoids searching through the meta-context for work to be done. Note that our approach slightly differ from [2] since we split values into two categories: strong values (v) and weak values (V ). The strong values correspond to values strictly speaking. The weak values include the variables which force the evaluation of terms to which they refer into shared strong value. Their evaluation may require capturing a continuation. The syntax of the language, which includes constants k and co-constants κ, is given in Figure 1. As for the reduction →, we define it as the compatible reflexive transitive closure of the rules given in Figure 1.
The different syntactic categories can be understood as the different levels of alternation in a context-free abstract machine (see [2]): the priority is first given to contexts at level e (lazy storage of terms), then to terms at level t (evaluation of µα into values), then back to contexts at level E and so on until level v. These different categories are directly reflected in the definition of the abstract machine defined in [2], and will thus be involved in the definition of our realizability interpretation. We chose to highlight this by distinguishing different types of sequents already in the typing rules that we shall now present.
We have nine kinds of (one-sided) sequents, one for typing each of the nine syntactic categories. We write them with an annotation on the ⊢ sign, using one of the letters v, V , t, F , E, e, l, c, τ . Sequents typing values and terms are asserting a type, with the type written on the right; sequents typing contexts are expecting a type A with the type written A ⊥ ⊥ ; sequents typing commands and closures are black boxes neither asserting nor expecting a type; sequents typing substitutions are instantiating a typing context. In other words, we have the following nine kinds of sequents: where types and typing contexts are defined by: The typing rules are given on Figure 2 where we assume that a variable x (resp. co-variable α) only occurs once in a context Γ (we implicitly assume the possibility of renaming variables by α-conversion). We also adopt the convention that constants k and co-constants κ come with a signature S which assigns them a type. This type system enjoys the property of subject reduction.
Proof. By induction on typing derivations, see Appendix A.

Normalization by realizability
The proof of normalization for the λ [lvτ ⋆] -calculus that we present in this section is inspired from techniques of Krivine's classical realizability [19], whose notations we borrow. Actually, it is also very close to a proof by reducibility 7 . In a nutshell, to each type A is associated a set |A| t of terms whose execution is guided by the structure of A. These terms are the ones usually called realizers in Krivine's classical realizability. Their definition is in fact indirect, and is done by orthogonality to a set of "correct" computations, called a pole. The choice of this set is central when studying models induced by classical realizability for secondorder-logic, but in the present case we only pay attention to the particular pole of terminating computations. This is where lies one of the difference with usual proofs by reducibility, where everything is done with respect to SN , while our definition are parametric in the pole (which is chosen to be SN in the end). The adequacy lemma, which is the central piece, consists in proving that typed terms belong to the corresponding sets of realizers, and are thus normalizing. More in details, our proof can be sketched as follows. First, we generalize the usual notion of closed term to the notion of closed term-in-store. Intuitively, this is due to the fact that we are no longer interested in closed terms and substitutions to close opened terms, but rather in terms that are closed when considered in the current store. This is based on the simple observation that a store is nothing more than a shared substitution whose content might evolve along the execution. Second, we define the notion of pole ⊥ ⊥, which are sets of closures closed by anti-evaluation and store extension. In particular, the set of normalizing closures is a valid pole. This allows to relate terms and contexts thanks to a notion of orthogonality with respect to the pole. We then define for each formula A and typing level o (of e, t, E, V, F, v) a set |A| o (resp. A o ) of terms (resp. contexts) in the corresponding syntactic category. These sets correspond to reducibility candidates, or to what is usually called truth values and falsity values in Krivine realizability. Finally, the core of the proof consists in the adequacy lemma, which shows that any closed term of type A at level o is in the corresponding set |A| o . This guarantees that any typed closure is in any pole, and in particular in the pole of normalizing closures. Technically, the proof of adequacy evaluates in each case a state of an abstract machine (in our case a closure), so that the proof also proceeds by evaluation. A more detailed explanation of this observation as well as a more introductory presentation of normalization proofs by classical realizability are given in an article by Dagand and Scherer [7].

Realizability interpretation for the λ [lvτ ⋆] -calculus
We begin by defining some key notions for stores that we shall need further in the proof.
Definition 2 (Closed store). We extend the notion of free variable to stores: so that we can define a closed store to be a store τ such that F V (τ ) = ∅. Definition 3 (Compatible stores). We say that two stores τ and τ ′ are independent and write τ # τ ′ when dom(τ ) ∩ dom(τ ′ ) = ∅. We say that they are compatible and write τ ⋄ τ ′ whenever for all variables x (resp. co-variables α) present in both stores: ; the corresponding terms (resp. contexts) in τ and τ ′ coincide. Finally, we say that τ ′ is an extension of τ and write We denote by τ τ ′ the compatible union join(τ, τ ′ ) of closed stores τ and τ ′ , defined by: The following lemma (which follows easily from the previous definition) states the main property we will use about union of compatible stores.
Proof. This follows easily from the previous definition.
⊓ ⊔ As we explained in the introduction of this section, we will not consider closed terms in the usual sense. Indeed, while it is frequent in the proofs of normalization (e.g. by realizability or reducibility) of a calculus to consider only closed terms and to perform substitutions to maintain the closure of terms, this only makes sense if it corresponds to the computational behavior of the calculus. For instance, to prove the normalization of λx.t in typed call-by-name λµμ-calculus, one would consider a substitution ρ that is suitable for with respect to the typing context Γ , then a context u · e of type A → B, and evaluates : Then we would observe that t ρ [u/x] = t ρ[x:=u] and deduce that ρ[x := u] is suitable for Γ, x : A, which would allow us to conclude by induction.
However, in the λ [lvτ ⋆] -calculus we do not perform global substitution when reducing a command, but rather add a new binding [x := u] in the store: Therefore, the natural notion of closed term invokes the closure under a store, which might evolve during the rest of the execution (this is to contrast with a substitution).
Definition 5 (Term-in-store). We call closed term-in-store (resp. closed contextin-store, closed closures) the combination of a term t (resp. context e, command c) with a closed store τ such that F V (t) ⊆ dom(τ ). We use the notation (t|τ ) (resp. (e|τ ), (c|τ )) to denote such a pair.
We should note that in particular, if t is a closed term, then (t|τ ) is a term-instore for any closed store τ . The notion of closed term-in-store is thus a generalization of the notion of closed terms, and we will (ab)use of this terminology in the sequel. We denote the sets of closed closures by C 0 , and will identify (c|τ ) and the closure cτ when c is closed in τ . Observe that if cτ is a closure in C 0 and τ ′ is a store extending τ , then cτ ′ is also in C 0 . We are now equipped to define the notion of pole, and verify that the set of normalizing closures is indeed a valid pole.
The following proposition is the one supporting the claim that our realizability proof is almost a reducibility proof whose definitions have been generalized with respect to a pole instead of the fixed set SN. Proposition 7. The set ⊥ ⊥ ⇓ = {cτ ∈ C 0 : cτ normalizes } is a pole.
Proof. As we only considered closures in C 0 , both conditions (closure by antireduction and store extension) are clearly satisfied: if cτ → c ′ τ ′ and c ′ τ ′ normalizes, then cτ normalizes too; -if c is closed in τ and cτ normalizes, if τ ⊳ τ ′ then cτ ′ will reduce as cτ does (since c is closed under τ , it can only use terms in τ ′ that already were in τ ) and thus will normalize. ⊓ ⊔ Definition 8 (Orthogonality). Given a pole ⊥ ⊥, we say that a term-in-store (t|τ ) is orthogonal to a context-in-store (e|τ ′ ) and write (t|τ )⊥ ⊥(e|τ ′ ) if τ and τ ′ are compatible and t||e τ τ ′ ∈ ⊥ ⊥.
Remark 9. The reader familiar with Krivine's forcing machine [20] might recognize his definition of orthogonality between terms of the shape (t, p) and stacks of the shape (π, q), where p and q are forcing conditions 8 : We can now relate closed terms and contexts by orthogonality with respect to a given pole. This allows us to define for any formula A the sets |A| v , |A| V , |A| t (resp. A F , A E , A e ) of realizers (or reducibility candidates) at level v, V , t (resp. F , E, e) for the formula A. It is to be observed that realizers are here closed terms-in-store.
Definition 10 (Realizers). Given a fixed pole ⊥ ⊥, we set: Remark 11. We draw the reader attention to the fact that we should actually write |A| ⊥ ⊥ v , A ⊥ ⊥ F , etc... and τ ⊥ ⊥ Γ , because the corresponding definitions are parameterized by a pole ⊥ ⊥. As it is common in Krivine's classical realizability, we ease the notations by removing the annotation ⊥ ⊥ whenever there is no ambiguity on the pole. Besides, it is worth noting that if co-constants do not occur directly in the definitions, they may still appear in the realizers by mean of the pole.
If the definition of the different sets might seem complex at first sight, we claim that they are quite natural in regards of the methodology of Danvy's semantics artifacts presented in [2]. Indeed, having an abstract machine in contextfree form (the last step in this methodology before deriving the CPS) allows us to have both the term and the context (in a command) that behave independently of each other. Intuitively, a realizer at a given level is precisely a term which is going to behave well (be in the pole) in front of any opponent chosen in the previous level (in the hierarchy v, F, V ,etc...). For instance, in a call-by-value setting, there are only three levels of definition (values, contexts and terms) in the interpretation, because the abstract machine in context-free form also has three. Here the ground level corresponds to strong values, and the other levels are somewhat defined as terms (or context) which are well-behaved in front of any opponent in the previous one. The definition of the different sets |A| v , A F , |A| V , etc... directly stems from this intuition.
In comparison with the usual definition of Krivine's classical realizability, we only considered orthogonal sets restricted to some syntactical subcategories. However, the definition still satisfies the usual monotonicity properties of biorthogonal sets: Proposition 12. For any type A and any given pole ⊥ ⊥, we have: Proof. All the inclusions are proved in a similar way. We only give the proof for |A| v ⊆ |A| V . Let ⊥ ⊥ be a pole and (v|τ ) be in |A| v . We want to show that (v|τ ) is in |A| V , that is to say that v is in the syntactic category V (which is true), and that for any (F |τ ′ ) ∈ A F such that τ ⋄ τ ′ , (v|τ )⊥ ⊥(F |τ ′ ). The latter holds by definition of (F |τ ′ ) ∈ A F , since (v|τ ) ∈ |A| v . ⊓ ⊔ We now extend the notion of realizers to stores, by stating that a store τ realizes a context Γ if it binds all the variables x and α in Γ to a realizer of the corresponding formula.
Definition 13. Given a closed store τ and a fixed pole ⊥ ⊥, we say that τ realizes Γ , which we write 9 τ Γ , if: In the same way than weakening rules (for the typing context) are admissible for each level of the typing system : the definition of realizers is compatible with a weakening of the store.
Lemma 14 (Store weakening). Let τ and τ ′ be two stores such that τ ⊳ τ ′ , let Γ be a typing context and let ⊥ ⊥ be a pole. The following statements hold: If (t|τ ) ∈ |A| t for some closed term (t|τ ) and type A, then (t|τ ′ ) ∈ |A| t . The same holds for each level e, E, V, F, v of the typing rules. 3. If τ Γ then τ ′ Γ .
Remark 16. From the latter definition, it is clear that a typing judgment that is derivable from a set of adequate inference rules is adequate too.
We will now show the main result of this section, namely that the typing rules of Figure 2 for the λ [lvτ ⋆] -calculus without co-constants are adequate with any pole. Observe that this result requires to consider the λ [lvτ ⋆] -calculus without co-constants. Indeed, we consider co-constants as coming with their typing rules, potentially giving them any type (whereas constants can only be given an atomic type). Thus, there is a priori no reason 10 why their types should be adequate with any pole.
However, as observed in the previous remark, given a fixed pole it suffices to check whether the typing rules for a given co-constant are adequate with this pole. If they are, any judgment that is derivable using these rules will be adequate.
Proof. The different statements are proved by mutual induction over typing derivations. We only give the most important cases here, the exhaustive induction is given in Appendix B.
Rule (→ l ). Assume that and let ⊥ ⊥ be a pole and τ a store such that τ Γ . Let (λx.t|τ ′ ) be a closed term in the set |A → B| v such that τ ⋄ τ ′ , then we have: By definition of |A → B| v , this closure is in the pole, and we can conclude by anti-reduction.
and let ⊥ ⊥ be a pole and τ a store such that τ Γ . As (x : A) ∈ Γ , we know that τ is of the form τ 0 [x := t]τ 1 with (t|τ 0 ) ∈ |A| t . Let (F |τ ′ ) be in A F , with τ ⋄ τ ′ . By Lemma 4, we know that τ τ ′ is of the form τ 0 [x := t]τ 1 . Hence we have: . x||F τ 1 τ 0 and it suffices by anti-reduction to show that the last closure is in the pole ⊥ ⊥. By induction hypothesis, we know that (t|τ 0 ) ∈ |A| t thus we only need to show that it is in front of a catchable context in A E . This corresponds exactly to the next case that we shall prove now.
⊓ ⊔ Corollary 18. If cτ is a closure such that ⊢ l cτ is derivable, then for any pole ⊥ ⊥ such that the typing rules for co-constants used in the derivation are adequate with ⊥ ⊥, cτ ∈ ⊥ ⊥.
We can now put our focus back on the normalization of typed closures. As we already saw in Proposition 7, the set ⊥ ⊥ ⇓ of normalizing closure is a valid pole, so that it only remains to prove that any typing rule for co-constants is adequate with ⊥ ⊥ ⇓ .
Lemma 19. Any typing rule for co-constants is adequate with the pole ⊥ ⊥ ⇓ , i.e. if Γ is a typing context, and τ is a store such that τ Γ , if κ is a co-constant such that Γ ⊢ F κ : Proof. This lemma directly stems from the observation that for any store τ and any closed strong value (v|τ ′ ) ∈ |A| v , v||κ τ τ ′ does not reduce and thus belongs to the pole ⊥ ⊥ ⇓ .
As a consequence, we obtain the normalization of typed closures of the full calculus.
Theorem 20. If cτ is a closure of the λ [lvτ ⋆] -calculus such that ⊢ l cτ is derivable, then cτ normalizes. This is to be contrasted with Okasaki, Lee and Tarditi's semantics for the call-by-need λ-calculus, which is not normalizing in the simply-typed case, as shown in Ariola et al. [2].

Extension to 2 nd -order type systems
We focused in this article on simply-typed versions of the λ lv and λ [lvτ ⋆] calculi. But as it is common in Krivine classical realizability, first and second-order quantifications (in Curry style) come for free through the interpretation. This means that we can for instance extend the language of types to first and secondorder predicate logic: We can then define the following introduction rules for universal quantifications: Observe that these rules need to be restricted at the level of strong values, just as they are restricted to values in the case of call-by-value 11 . As for the left rules, they can be defined at any levels, let say the more general e: where n is any natural number and B any formula. The usual (call-by-value) interpretation of the quantification is defined as an intersection over all the possible instantiations of the variables within the model. We do not wish to enter into too many details 12 on this topic here, but first-order variable are to be instantiated by integers, while second order are to be instantiated by subset of terms at the lower level, i.e. closed strong-values in store (which we write V 0 ): where the variable X is of arity k. It is then routine to check that the typing rules are adequate with the realizability interpretation.

Conclusion and further work
In this paper, we presented a system of simple types for a call-by-need calculus with control, which we proved to be safe in that it satisfies subject reduction (Theorem 1) and that typed terms are normalizing (Theorem 20). We proved the normalization by means of realizability-inspired interpretation of the λ [lvτ ⋆]calculus. Incidentally, this opens the doors to the computational analysis (in the spirit of Krivine realizability) of classical proofs using control, laziness and shared memory.
In further work, we intend to present two extensions of the present paper. First, following the definition of the realizability interpretation, we managed to type the continuation-and-store passing style translation for the λ [lvτ ⋆] -calculus (see [2]). Interestingly, typing the translation emphasizes its computational content, and in particular, the store-passing part is reflected in a Kripke forcing-like manner of typing the extensibility of the store [28,Chapter 6].
Second, on a different aspect, the realizability interpretation we introduced could be a first step towards new ways of realizing axioms. In particular, the first author used in his Ph.D. thesis [28,Chapter 8] the techniques presented in this paper to give a normalization proof for dPA ω , a proof system developed by the second author [15]. Indeed, this proof system allows to define a proof for the axiom of dependent choice thanks to the use of streams that are lazily evaluated, and was lacking a proper normalization proof.
Finally, to determine the range of our technique, it would be natural to investigate the relation between our framework and the many different presentations of call-by-need calculi (with or without control). Amongst other calculi, we could cite Chang-Felleisen presentation of call-by-need [4], Garcia et al. lazy calculus with delimited control [10] or Kesner's recent paper on normalizing by-need terms characterized by an intersection type system [16]. To this end, we might rely on Pédrot and Saurin's classical by-need [33]. They indeed relate (classical) call-by-need with linear head-reduction from a computational point of view, and draw the connections with the presentations of Ariola et al. [2] and Chang-Felleisen [4]. Ariola et al. λ lv -calculus being close to the λ [lvτ ⋆] -calculus (see [2] for further details), our technique is likely to be adaptable to their framework, and thus to Pédrot and Saurin's system.

A Subject reduction of the λ [lvτ ⋆] -calculus
We present in this section the proof of subject reduction for the λ [lvτ ⋆] -calculus (Section 1). The proof is done by reasoning by induction over the typing derivation, and relies on the fact that the type system admits a weakening rule. Theorem 1. If Γ ⊢ l cτ and cτ → c ′ τ ′ then Γ ⊢ l c ′ τ ′ .
Proof. By induction over the reduction rules of the λ [lvτ ⋆] -calculus (see Figure  1). Case t||μx.c τ → cτ [x := t]. A typing derivation of the closure on the left-hand side is of the form: where we implicitly used Lemma 21 to weaken Π E :

B Adequacy lemma
We give here the full proof of the adequacy lemma for the realizability interpretation of the λ [lvτ ⋆] -calculus.
Rule (μ). This case is identical to the previous one.
Rule (c). Assume that and let ⊥ ⊥ be a pole and τ a store such that τ Γ . Then by induction hypothesis (t|τ ) ∈ |A| t and (e|τ ) ∈ A e , so that t||e τ ∈ ⊥ ⊥.
Rule (τ t ). This case directly stems from the induction hypothesis which exactly matches the definition of τ τ ′ [x := t] Γ, Γ ′ , x : A. The case for the rule (τ E ) is identical, and the case for the rule (ε) is trivial.