An Idealized MetaML:Simpler, and More Expressive?.(Includes Proofs)Eugenio Moggi1, Walid Taha2, Zine El-Abidine Benaissa2, and Tim Sheard21 DISI, Univ di GenovaGenova, Italymoggi@disi.unige.it2 Oregon Graduate InstitutePortland, OR, USAfwalidt,benaissa,sheardg@cse.ogi.eduAbstract. MetaML is a multi-stage functional programming languagefeaturing three constructs that can be viewed as statically-typed re�ne-ments of the back-quote, comma, and eval of Scheme. Thus it providesspecial support for writing code generators and serves as a semantically-sound basis for systems involving multiple interdependent computationalstages. In previous work, we reported on an implementation of MetaML,and on a small-step semantics and type-system for MetaML. In this pa-per, we present An Idealized MetaML (AIM) that is the result of ourstudy of a categorical model for MetaML. An important outstandingproblem is �nding a type system that provides the user with a meansfor manipulating both open and closed code. This problem has eludede�orts by us and other researchers for over three years. AIM solves theissue by providing two type constructors, one classi�es closed code andthe other open code, and exploiting the way they interact.1 Introduction\If thought corrupts language, language can also corrupt thought"1. Staging com-putation into multiple steps is a well-known optimization technique used in manyimportant algorithms, such as high-level program generation, compiled programexecution, and partial evaluation. Yet few typed programming languages allowus to express staging in a natural and concise manner. MetaML was designed to�ll this gap. Intuitively, MetaML has a special type for code that combines some? The research reported in this paper was supported by the USAF Air Materiel Com-mand, contract #F19628-96-C-0161, NSF Grant IRI-9625462, DoD contract \Do-main Speci�c Languages as a Carrier for Formal Methods", MURST progetto co�-nanziato \Tecniche formali per la speci�ca, l'analisi, la veri�ca, la sintesi e la trasfor-mazione di sistemi software", ESPRIT WG APPSEM1 George Orwell, Politics and the English Language, 1946.

features of both open code, that is, code that can contain free variables, andclosed code, that is, code that contains no free variables. In a statically typedsetting, open code and closed code have di�erent properties, which we explainin the following section.Open and Closed Code A number of typed languages for manipulating codefragments have been proposed in the literature. Some have types for open code[9,6, 3, 12], and others have types for closed code [4, 13]. On one hand, languageswith open code types play an important role in the study of partial evaluation.Typically, they provide two constructs, one for building a code fragment with freevariables, and one for combining such fragments. Being able to construct openfragments allows the user to force computations \under a lambda". Generally, ithas been hard for such languages to include constructs for executing such codefragments, because they can contain \not-yet-bound identi�ers". On the otherhand, languages with closed code types play an important role in the studyof run-time (machine) code generation. Typically, they include constructs forbuilding closed code, and for executing them. Generally, in such languages thereis no mechanism for forcing computations \under a lambda".The importance of having a way to execute code within a language is best illus-trated by considering the eval of Scheme. In particular, E�cient implementationsof Domain-Speci�c or \little" languages can be developed as follows: First, builda translator from the source language to Scheme, and then use eval to executethe generated Scheme code. For many languages, such an implementation wouldbe almost as simple as an interpreter implementation (especially if back-quoteand comma are utilized), but would incur almost non of the overhead associatedwith an interpretive implementation.MetaML [12, 11] provides constructs for manipulating open code and executingit, but does not distinguish between open and closed code types. But open codecannot be executed because it may contain free variables that have not beenbound yet. This means that in MetaML type information is not enough to decidewhether or not we can safely execute a code fragment. In what follows, weintroduce MetaML, explain what it allows us to express, and where it falls short.MetaML MetaML has three staging annotations: Brackets h i, Escape ~and Run run . An expression hei defers the computation of e; ~ e splices thedeferred expression obtained by evaluating e into the body of a surroundingBracketed expression; and run e evaluates e to obtain a deferred expression, andthen evaluates it. Note that ~e is only legal within lexically enclosing Brackets.Finally, Brackets in types such as <int> are read \Code of int". To illustrate,consider the following interactive session:-| val rec exp = fn n => fn x =>if n=0 then <1> else < ~x * ~(exp (n-1) x) >;val exp = fn : int -> <int> -> <int>

-| val exponent = fn n =><fn a => ~(exp n <a>)>;val exponent = fn : int -> <int -> int>-| val cube = exponent 3;val cube = <fn a => a * (a * (a * 1))> : <int -> int>-| val program = <~cube 2>val program = <(fn a => a * (a * (a * 1))) 2> : <int>-| run program;val it = 8 : intThe function exp returns a code fragment representing an exponent, given an in-teger power n and a code fragment representing a base x. The function exponentis very similar, but takes only a power and returns a code fragment representinga function that takes a base and returns the exponent. The code fragment cubeis the specialization of exponent to the power 3. Next, we construct the codefragment program which is an application of the code of cube to the base 2.Finally, the last declaration executes this code fragment.Unfortunately, there is a problem with the above example. In particular, thevery last declaration is not typable with the basic type system of MetaML [11].Intuitively, the type system for MetaML must keep track of free variables in acode fragment, so as to ensure that programs don't get stuck. But there is noway for the type system to know that program is closed, hence, a conservativeapproximation is made, and the term is rejected by the type system.Contribution and Organization of this Paper In previous work [12], wereported on the implementation and applications of MetaML, and later [11]presented an axiomatic semantics and a type system for MetaML and provedtype-safety. However, there were still a number of drawbacks:1. As discussed above, there is a typing problem with executing a separately-declared code fragment.While this problem is addressed in the implementationusing a sound rule for top-level declarations, this solution is ad hoc.2. Only a call-by-value semantics could be de�ned for MetaML, because substi-tution was a partial function, only de�ned when variables are substituted withvalues.3. The type judgment used two indices. Moreover, it has been criticized for notbeing based on a standard logical system [13].This paper describes the type system and operational semantics of An IdealizedMetaML (AIM), whose design is inspired by a categorical model for MetaML(such a model will be the subject of another paper). AIM is strictly more ex-pressive than any known typed multi-level language, and features:

1. An open code type hti, which corresponds to t of � [3] and hti of MetaML;2. A closed code type [t], which corresponds to �t of �� [4];3. Cross-stage persistence of MetaML;4. A Run-with construct, generalizing Run of MetaML.This work is the �rst to achieve a semantically sound integration of Davies andPfenning's �� [4] and Davies' � [3], and to identify useful interactions betweenthem. Moreover, we present important simpli�cations over MetaML [11], whichovercome the problems mentioned above:1. The type system uses only one level annotation, like the � type system [3];2. The level Promotion and level Demotion lemmas, and the Substitution lemma,are proven in full generality and not just for the cases restricted to values. Thisdevelopment is crucial for a call-by-name semantics. Such a semantics seemsto play an important role in the formal theory of Normalization by Evaluation[1] and Type Directed Partial Evaluation [2];3. The big-step semantics is de�ned in the style in which � was de�ned [3], anddoes not make explicit use of a stateful renaming function;4. Terms have no explicit level annotations.Finally, it is straight forward to extend AIM with new base types and constants,therefore it provides a general setting for investigating staging combinators.In the rest of the paper, we present the type system and establish several syn-tactic properties. We give a big-step semantics of AIM, including a call-by-namevariant, and prove type-safety. We present embeddings of � , MetaML and ��into AIM. Finally, we discuss related works.2 AIM: An Idealized MetaMLThe de�nition of AIM's types t 2 T and terms e 2 E is parameterized withrespect to a signature consisting of a set of base types b and constants c:t 2 T : : = b j t1 ! t2 j hti j [t]e 2 E: : = c j x j e1 e2 j �x:e j hei j ~e j run e with fxi = eiji 2 mg jbox e with fxi = eiji 2 mg j unbox eWhere m is a natural number, and it is identi�ed with the set of its predecessors.The �rst four constructs are the standard ones in a call-by-value �-calculus withconstants. Bracket and Escape are the same as in MetaML [12,11]. Run-Withgeneralizes Run of MetaML, in that allows the use of additional variables xi inthe body of e if they satisfy certain typing requirements that are made explicitin the next section. Box-With and unbox are not in MetaML, but are motivatedby ��of Davies and Pfenning [4]. We use some abbreviated forms:run e for run e with ;box e for box e with ;run e with xi = ei for run e with fxi = eiji 2 mgbox e with xi = ei for box e with fxi = eiji 2 mg

� ` c: tnc � ` x: tn if � x = tm and m � n �; x: tn1 ` e: tn2� ` �x:e: (t1 ! t2)n� ` e1: (t1 ! t2)n � ` e2: tn1� ` e1 e2: tn2 � ` e: tn+1� ` hei: htin � ` e: htin� ` ~e: tn+1� ` ei: [ti]n �+1; fxi: [ti]nji 2mg ` e: htin� ` run e with xi = ei: tn� ` ei: [ti]n fxi: [ti]0ji 2 mg ` e: t0� ` box e with xi = ei: [t]n � ` e: [t]n� ` unbox e: tnFig. 1. Typing Rules2.1 Type SystemAn AIM typing judgment has the form � ` e: tn, where t 2 T , n 2 N and � isa type assignment, that is, a �nite set fxi: tnii ji 2 mg with the xi distinct. Thereading of � ` e: tn is \term e has type t at level n in the type assignment �".We say that � x = tn if x: tn is in � . Furthermore, we write �+r for the typeassignment obtained by incrementing the level annotations in � by r, that is,�+r x = tn+r if and only if � x = tn. Figure 1 gives the typing rules for AIM.The Constant rule says that a constant c of type tc, which has to be given in thesignature, can be used at any level n. The Variable rule incorporates cross-stagepersistence, therefore if x is introduced at level m it can be used later, thatis, at level n � m, but not before. The Abstraction and Application rules arestandard. The Bracket and Escape rules establish an isomorphism between tn+1and htin. Typing Run in MetaML [11] introduces an extra index-annotation ontypes for counting the number of Runs surrounding an expression (see Figure 3).We avoid this extra annotation by incrementing the level of all variables in � .In particular, the Run rule of MetaML becomes�+1 ` e: htin� ` run e: tnThe Box rule ensures that there are no \late" free variables in the term beingBoxed. This ensures that when a Boxed term is evaluated in a type-safe context,the resulting value is a closed term. The Box rule ensures that only the variablesexplicitly bound in the Box statement can occur free in the term e. At the sametime, it ensures that no \late" free variable can in�ltrate the body of a Box usingone of these variables. This is accomplished by forcing the With-bound variablesthemselves to have a Boxed type. Note that in run e with xi = ei the term e maycontain other free variables besides the xi.

2.2 Properties of the Type SystemThe following level Promotion, level Demotion and Substitution lemmas areneeded for proving Type Preservation.Lemma 1 (Promotion). If �1; �2 ` e: tn then �1; �+12 ` e: tn+1.Meaning that if we increment the level of a well-formed term e it remains well-formed. Furthermore, we can simultaneously increment the level of an arbitrarysubset of the variables in the environment.Demotion on e at n, written e#n, lowers the level of e from level n+ 1 down tolevel n, and is well-de�ned on all terms, unlike demotion for MetaML [11].De�nition 1 (Demotion). e#n is de�ned by induction on e:c#n=cx#n=x(e1 e2)#n=e1#n e2#n(�x:e)#n=�x:e#nhei#n=he#n+1i~e#0=run e(~e)#n+1=~(e#n)(run e with xi = ei)#n=run e#n with xi = ei #n(box e with xi = ei)#n=box e with xi = ei #n(unbox e)#n=unbox e#nThe key for making demotion total on all terms is handling the case for Escape~e#0: Escape is simply replaced by Run. It should also be noted that demotiondoes not go into the body of Box.Lemma 2 (Demotion). If �+1 ` e: tn+1 then � ` e#n: tn.Meaning that demotion of a well-formed term e is well-formed, provided the levelof all free variables is decremented.Details of all proofs can be found in the Appendix.Lemma 3 (Weakening). If �1; �2 ` e2: tn2 and x is fresh, then �1; x: tn01 ; �2 `e2: tn2 .Lemma 4 (Substitution). If �1 ` e1: tn01 and �1; x: tn01 ; �2 ` e2: tn2 then �1; �2 `e2[x: = e1]: tn2 .This is the expected substitution property, that is, a variable x can be replacedby a term e1, provided e1 meets the type requirements on x.

Evaluation.e1 0,! �x:e e2 0,! v1 e[x:= v1] 0,! v2e1 e2 0,! v2 �x:e 0,! �x:eei 0,! vi e[xi:= vi] 0,! hv0i v0 #0 0,! vrun e with xi = ei 0,! v e 0,! hvi~e 1,! vei 0,! vibox e with xi = ei 0,! box e[xi:= vi] e 0,! box e0 e0 0,! vunbox e 0,! vBuilding.e n+1,! vunbox e n+1,! unbox v e n+1,! v�x:e n+1,! �x:v x n+1,! xe n+1,! v ei n+1,! virun e with xi = ei n+1,! run v with xi = vi e n+1,! v~e n+2,! ~v e n+1,! vhei n,! hviei n+1,! vibox e with xi = ei n+1,! box e with xi = vi e1 n+1,! v1 e2 n+1,! v2e1 e2 n+1,! v1 v2 c n+1,! cStuck.e 0,! v 6� box e0unbox e 0,! err e1 0,! v 6� �x:ee1e2 0,! err x 0,! errei 0,! vi e[xi:= vi] 0,! v 6� he0irun e with xi = ei 0,! err e 0,! v 6� he0i~e 1,! err ~e 0,! errFig. 2. Big-Step Semantics3 Big-Step SemanticsThe big-step semantics for MetaML [12] re ects the existing implementation: itis complex, and hence not very suitable for formal reasoning. Figure 2 presentsa concise big-step semantics for AIM, which is presented at the same level ofabstraction as that for � [3]. We avoid the explicit use of a gensym or newnamefor renaming bound variables: this is implicitly done by substitution.

De�nition 2 (Values).v0 2 V 0 : : = �x:e j hv1i j box ev1 2 V 1 : : = c j x j v1 v1 j �x:v1 j hv2i j run v1 with xi = v1i jbox e with xi = v1i j unbox v1vn+2 2 V n+2 : : = c j x j vn+2 vn+2 j �x:vn+2 j hvn+3i j ~vn+1 jrun vn+2 with xi = vn+2i j box e with xi = vn+2i j unbox vn+2Values have three important properties: First, a value at level 1 can be a Brack-eted or a Boxed expression, re ecting the fact that terms representing open andclosed code are both considered acceptable results from a computation. Second,values at level n+ 1 can contain Applications such as h(�y:y) (�x:x)i, re ectingthe fact that Brackets defer computations. Finally, there are no level 1 Escapesin values, re ecting the fact that having such an Escape in a term would meanthat evaluating the term has not yet been completed. This is true, for example,in terms like h~(f x)i.Lemma 5 (Orthogonality). If v 2 V 0 and � ` v: [t]0 then ; ` v: [t]0.Theorem 1 (Type Preservation). If �+1 ` e: tn and e n,! v then v 2 V nand �+1 ` v: tn.Note that in AIM (unlike ordinary programming languages) we cannot restrictthe evaluation rules to closed terms, because at levels above 0 evaluation issymbolic and can go inside the body of binders. On the other hand, evaluationof a variable at level 0 is an error! The above theorem strikes the right balance,namely it allows open terms provided their free variables are at level above 0(this is re ected by the use of �+1 in the typing judgment).Having no level 1 escapes ensures that demotion is the identity on V n+1 as shownin following lemma. Thus, we don't need to perform demotion in the evaluationrule for Run when evaluating a well-formed term.Lemma 6 (Value Demotion). If v 2 V n+1 then v#n� v.A good property for multi-level languages is the existence of a bijection betweenprograms ; ` e: t0 and program representations ; ` hvi: hti0. This property holdsfor AIM, in fact it is a consequence of the following result:Proposition 1 (Re ection). If � ` e: tn, then �+1 ` e: tn+1 and e 2 V n+1.Conversely, if v 2 V n+1 and �+1 ` v: tn+1, then � ` v: tn.3.1 Call-by-NameThe di�erence between the call-by-name semantics and the call-by-value seman-tics for AIM is only in the evaluation rule for Application at level 0. For call-by-name, this rule becomes e1 0,! �x:e e[x: = e2] 0,! ve1 e2 0,! v

The Type Preservation proof must be changed for this case. However, this notproblematic, since the Substitution Lemma for the AIM's type system has novalue restriction.Theorem 2 (CBN Type Preservation). If �+1 ` e: tn and e n,! v thenv 2 V n and �+1 ` v: tn.3.2 ExpressivenessMetaML's type system has one Code type constructor, which tries to combinethe features of the Box and Circle type constructors of Davies and Pfenning.However, this combination leads to the typing problem discussed in the intro-duction. In contrast, AIM's type system incorporates both Box and Circle typeconstructors, thereby providing correct semantics for the following functions:1. unbox : [t] ! t. This function executes closed code. AIM has no function oftype t ! [t], thus we avoid the \collapse" of types in the recent work ofWickline, Lee, and Pfenning [13]. Such a function does not exist in MetaML.2. up : t! hti. This function corresponds to cross-stage persistence [12], in fact itembeds any value into an open fragment, including values of functional type.Such a function does not exist in � . At the same time, AIM has no functionof type hti ! t, re ecting the fact that open code cannot be executed. up isexpressible as �x:hxi.3. weaken: [t] ! hti. The composite of the two functions above. weaken re ectsthe fact that closed code can always be viewed as open code. AIM has nofunction of type hti ! [t].4. execute: [hti]! t. This function executes closed code, and it can be de�ned inAIM as �x:run x with x = x.5. build: [hti]! [hti] This function forces the building of an open fragment knownto be closed. build is not expressible in the language, but it can be added as anew combinator with the following semantics:e 0,! box e0 e0 0,! hvibuild e 0,! box hviType Preservation is still valid with such an extension.Now, the MetaML example presented in the Introduction can be expressed inAIM as follows:-| val rec exp = box (fn n => fn x =>if n=0 then <1> else < ~x * ~((unbox exp) (n-1) x) >)with {exp=exp};val exp = [fn] : [int -> <int> -> <int>]-| val exponent = box (fn n =>

<fn a => ~((unbox exp) n <a>)>)with {exp=exp};val exponent = [fn] : [int -> <int -> int>]-| val cube = build (box ((unbox exponent) 3)with {exponent=exponent});val cube = [<fn a => a * (a * (a * 1))>] : [<int -> int>]-| val program = build (box <~(unbox cube) 2>with {cube=cube})val program = [<(fn a => a * (a * (a * 1))) 2>] : [<int>]-| execute program;val it = 8 : intIn AIM, asserting that a code fragment is closed (using Box) has become part ofthe responsibilities of the programmer. Furthermore, Build is needed to explicitlyovercome the default lazy behavior of Box. If Build was not used in the aboveexamples, the (Boxed code) values returned for cube and program would containlevel 0 Escapes. In general, it appears that the lazy behavior of Box is not neededwhen our primary concern is high-level program generation.Unfortunately, the syntax is verbose compared to that of MetaML. In futurework, we hope to improve the syntax based on experience using AIM.4 Embedding ResultsThis section shows that other languages for staging computations can be trans-lated into AIM, and that the embedding respects the typing and evaluation. Thelanguages we consider are � [3], MetaML [11], and �� [4].4.1 Embedding of � The embedding of � into AIM is straight forward. In essence, � correspondsto the Open fragment of AIM:t 2 TOpen: : = b j t1 ! t2 j htie 2 EOpen: : = c j x j e1 e2 j �x:e j hei j ~eThe translation ( ) between � and AIM is as follows: ( t) = h(t )i,(next e) = he i, and (prev e) = ~ (e ). With these identi�cations thetyping and evaluation rules for � are those of AIM restricted to the relevantfragment. The only exception is the typing rule for variables, which in � issimply � ` x: tn if � x = tn (this re ects the fact that � has no cross-stagepersistence).We write � ` e: t and e n,! v for the typing and evaluation judgments of � ,so that they are not confused with the corresponding judgments of AIM.

� ` c: (tc; r)n � ` x: (t; r)n if � x = (t; p)m and m+ r � n+ p�; x: (t1; r)n ` e: (t2; r)n� ` �x:e: (t1 ! t2; r)n � ` e1: (t1 ! t2; r)n � ` e2: (t1; r)n� ` e1 e2: (t2; r)n� ` e: (t; r)n+1� ` hei: (hti; r)n � ` e: (hti; r)n� ` ~e: (t; r)n+1 � ` e: (hti; r + 1)n� ` run e: (t; r)nFig. 3. MetaML Typing rulesProposition 2 (Temporal Type Embedding). If � ` e: tn is derivable in� , then � ` e : (t )n is derivable in AIM.Proposition 3 (Temporal Semantics Embedding). If e n,! v is derivablein � , then e n,! v is derivable in AIM.4.2 Embedding of MetaMLThe di�erence between MetaML and AIM is in the type system. We show thatwhile AIM's typing judgments are simpler, what is typable in MetaML remainstypable in AIM.t 2 TMetaML: : = b j t1 ! t2 j htie 2 EMetaML: : = c j x j e1 e2 j �x:e j hei j ~e j run eA MetaML's typing judgment has the form � ` e: (t; r)n, where t 2 T , n; r 2 Nand � is a type assignment, that is, a �nite set fxi: (ti; ri)ni ji 2 mg with the xidistinct. Figure 3 recalls the MetaML [11].De�nition 3 (Acceptable Judgment). We say that a MetaML typing judg-ment fxi: (ti; ri)ni ji 2 mg ` e: (t; r)n is acceptable if and only if 8i 2 m: ri � r.Remark 1. A careful analysis of MetaML's typing rules shows that typing judg-ments occurring in the derivation of a judgment ; ` e: (t; r)n are acceptable:In MetaML typing rules are acceptable whenever its conclusion is acceptable,simply because the index r never decreases when we go from the conclusion ofa type rule to its premise, thus, we never get an environment binding with an rhigher than that of the judgment.Proposition 4 (MetaML Type Embedding). If fxi: (ti; ri)ni ji 2 mg `e: (t; r)n is acceptable, then it is derivable in MetaML if and only if fxi: tni+r�rii ji 2mg ` e: tn is derivable in AIM.4.3 Embedding of ��Figure 4 summarizes the language �� [4]. We translate �� into the Closed

Syntax Types t 2 T�: := b j t1 ! t2 j �tExpressions e 2 E�: := x j �x:e j e1 e2 j box e j let box x = e1 in e2Type assignments �;�: := fxi: tiji 2mgType System�;� `� x: t if �x = t �;� `� x: t if �x = t�; (�; x: t0) `� e: t�;� `� �x:e: t0 ! t (�;x: t0); � `� e2: t �; � `� e1:�t0�;� `� let box x = e1 in e2: t�;� `� e1: t0 ! t �;� `� e2: t0�;� `� e1 e2: t �; ; `� e: t�;� `� box e:�tBig-Step Semanticse1 ,!� �x:e e2 ,!� v0 e[x:= v0] ,!� ve1; e2 ,!� v �x:e ,!� �x:ee1 ,!� box e e2[x:= e] ,!� vlet box x = e1 in e2 ,!� v box e ,!� box eFig. 4. Description of ��fragment of AIM:t 2 TClosed: : = b j t1 ! t2 j [t]e 2 EClosed: : = c j x j e1 e2 j �x:e j box e with xi = ei j unbox eFurthermore, we consider only typing judgments of the form fxi: t0i ji 2 mg ` e: t0and evaluation judgments of the form e 0,! v. These restrictions are possible fortwo reasons. If the conclusion of a typing rule is of the form fxi: t0i ji 2 mg ` e: t0with types and terms in the Closed fragment, then also the premises of the typingrule enjoy such properties. When e is a closed term in the Closed fragment, theonly judgments e0 n,! v0 that can occur in the derivation of e 0,! v are such thatn = 0 and e0 and v0 are closed terms in the Closed fragment.De�nition 4 (Modal Type Translation). The translation of �� types isgiven by b� = b (t1 ! t2)� = t�1 ! t�2 (�t)� = [t�]

The translation of �� terms depends on a set X of variables, namely thosedeclared in the modal context �.x�X = unbox x if x 2 Xx�X = x if x 62 X(box e)�X = box e�X with fx = x j x 2 FV(e) \Xg(let box x = e1 in e)�X = (�x:e�X[fxg) e�X1(�x:e)�X = �x:e�X(e1 e2)�X = e�X1 e�X2Proposition 5 (Modal Type Embedding). If �;� `� e: t is derivable in��, then [��]; �� ` e�X : t� is derivable in AIM's Closed fragment, where Xis the set of variables declared in �, fxi: tiji 2 mg� is fxi: t�i ji 2 mg, and[fxi: tiji 2 mg] is fxi: [ti]ji 2 mg.The translation of �� into the AIM's Closed fragment does not preserve eval-uation on the nose (that is, up to syntactic equality). Therefore, we need toconsider an administrative reduction.De�nition 5 (Box-Reduction). The !box reduction is given by the rewriterules unbox (box e)! ebox e0 with xi = ei; x = box e; xj = ej ! box e0[x: = box e] with xi = ei; xj = ejwhere e is a closed term of the Closed fragment.Lemma 7 (Properties of Box-Reduction).The!box reduction on the Closedfragment satis�es the following properties:{ Subject Reduction, that is, � ` e: t and e! e0 imply � ` e0: t{ Con uence and Strong Normalization{ Compatibility with Evaluation on closed terms, that is, e1 ,! v1 and e1 ��!boxe2 imply that exists v2 s.t. v1 ��!box v2 and e2 ,! v2.Lemma 8 (Substitutivity). Given a closed term e0 2 E� the following prop-erties hold:{ e�X [y: = e�;0 ] � (e[y: = e0])�X , provided y 62 X{ e�X[fxg[x: = box e�;0 ] ��!box (e[x: = e0])�XProposition 6 (Modal Semantics Embedding). If e 2 E� is closed ande ,!� v is derivable in ��, then there exists v0 such that e�; 0,! v0 and v0 ��!boxv�;.

5 Related WorkMulti-stage programming techniques have been used in a wide variety of settings[12], including run-time specialization of C programs [10].Nielson and Nielson present a seminal detailed study into a two-level functionalprogramming language [9]. This language was developed for studying code gen-eration. Davies and Pfenning show that a generalization of this language to amulti-level language called �� gives rise to a type system related to a modal logic,and that this type system is equivalent to the binding-time analysis of Nielsonand Nielson [4]. Intuitively, �� provides a natural framework where Scheme'sback-quote and eval can be present in a language. The semantics of our Box andUnbox correspond closely to those of back-quote and eval, respectively.Gomard and Jones [6] use a statically-typed two-level language for partial evalu-ation of the untyped �-calculus. This language is the basis for many binding-timeanalyses.Gl�uck and J�rgensen study partial evaluation in the generalized context whereinputs can arrive at an arbitrary number of times rather than just two (namely,specialization-time and run-time) [5], and demonstrate that binding-time anal-ysis in a multi-level setting can be done with e�ciency comparable to that oftwo-level binding time analysis.Davies extends the Curry-Howard isomorphism to a relation between temporallogic and the type system for a multi-level language [3]. Intuitively, � providesa good framework for formalizing the presence of back-quote and comma in astatically typed language. The semantics of our Bracket and Escape correspondclosely to those of back-quote and comma, respectively.Moggi [8] advocates a categorical approach to two-level languages based on in-dexed categories, and stresses formal analogies with a categorical account ofphase distinction and module languages.References1. U. Berger and H. Schwichtenberg. An inverse of the evaluation functional fortyped �{calculus. In Rao Vemuri, editor, Proceedings of the Sixth Annual IEEESymposium on Logic in Computer Science. IEEE Computer Society Press, LossAlamitos, 1991.2. Olivier Danvy. Type-directed partial evaluation. In ACM Symposium on Princi-ples of Programming Languages, pages 242{257, Florida, January 1996. New York:ACM.3. Rowan Davies. A temporal-logic approach to binding-time analysis. In Proceedings,11th Annual IEEE Symposium on Logic in Computer Science, pages 184{195, NewBrunswick, New Jersey, July 1996. IEEE Computer Society Press.4. Rowan Davies and Frank Pfenning. A modal analysis of staged computa-tion. In 23rd Annual ACM Symposium on Principles of Programming Languages(POPL'96), St.Petersburg Beach, Florida, January 1996.5. Robert Gl�uck and Jesper J�rgensen. An automatic program generator for multi-level specialization. Lisp and Symbolic Computation, 10(2):113{158, 1997.

6. Carsten K. Gomard and Neil D. Jones. A partial evaluator for the untyped lambdacalculus. Journal of Functional Programming, 1(1):21{69, January 1991.7. Robert Harper, Furio Honsell, and Gordon Plotkin. A framework for de�ninglogics. Journal of the ACM, 40(1):143{184, January 1993.8. Eugenio Moggi. A categorical account of two-level languages. InMFPS 1997, 1997.9. Flemming Nielson and Hanne Rijs Nielson. Two-Level Functional Languages. Num-ber 34 in Cambridge Tracts in Theoretical Computer Science. Cambridge Univer-sity Press, 1992.10. Calton Pu, Andrew Black, Crispin Cowan, and Jonathan Walpole. Microlanguagesfor operating system specialization. In Proceedings of the SIGPLAN Workshop onDomain-Speci�c Languages, Paris, January 1997.11. Walid Taha, Zine-El-Abidine Benaissa, and Tim Sheard. Multi-stage programming:Axiomatization and type-safety. In 25th International Colloquium on Automata,Languages, and Programming, Aalborg, Denmark, 13{17July 1998.12. Walid Taha and Tim Sheard. Multi-stage programming with explicit annotations.In Proceedings of the ACM-SIGPLAN Symposium on Partial Evaluation and se-mantic based program manipulations PEPM'97, Amsterdam, pages 203{217. ACM,1997.13. Philip Wickline, Peter Lee, and Frank Pfenning. Run-time code generation andModal-ML. In Proceedings of the ACM SIGPLAN'98 Conference on ProgrammingLanguage Design and Implementation (PLDI), pages 224{235, Montreal, Canada,17{19 June 1998.

A Type preservationConvention 6 (Notation for Proofs on Derivations)Whenever convenient,proofs will be laid out in 2-dimensions to re ect that we are relating one deriva-tion tree to another. Symbols such as R*, R(), and R+ will be used for (one- ortwo-way) implications, where R is the list of rule(s) used to achieve this impli-cation.Proofs start from the left and proceed either up, down, or right. We go up ordown depending on the normal orientation of the particular rule that is beingused in an implication.Horizontal implications are aligned with their precedents and antecedents.Lemma 1 If �1; �2 ` e: tn then �1; �2+1 ` e: tn+1.Proof: By structural induction over the �rst derivation.{ Lambda abstraction:`* �1; (�2; x: t1n) ` e: t2n�1; �2 ` �x:e: t1 ! t2n IH=) �1; (�2+1; x: t1n+ 1) ` e: t2n+1�1; �2+1 ` �x:e: t1 ! t2n+1 `+{ Variables (I): `* �1 x = (t; n0)n0 � n�1; �2 ` x: tn =)�=) �1 x = (t; n0)n0 < n + 1�1; �2+1 ` x: tn+1 `+{ Variables (II): * �2 x = (t; n0)n0 � n�1; �2 ` x: tn +=)�=) �2+1 x = (t; n0 + 1)n0 + 1 � n+ 1�1; �2+1 ` x: tn+1 `+The rest of the cases are completely structural.{ Applications:`* �1; �2 ` e1: t1 ! t2n�1; �2 ` e2: t1n�1; �2 ` e1 e2: t2n IH=)IH=) �1; �2+1 ` e1: t1 ! t2n+1�1; �2+1 ` e2: t1n+1�1; �2+1 ` e1 e2: t2n+1 `+{ Run:`* �1; �2 ` ei: [ti]n�+11 ; �+12 ; fxi: [ti]ng ` e: htin�1; �2 ` run e with xi = ei: tn IH=)IH=) �1; �+12 ` ei: [ti]n+1�+11 ; �2+2; fxi: [ti]n+1g ` e: htin+1�1; �2+1 ` run e with xi = ei: tn+1 `+

{ Escape: `* �1; �2 ` e: htin�1; �2 ` ~e: tn+1 IH=) �1; �2+1 ` e: htin+1�1; �2+1 ` ~e: tn+2 `+{ Bracket: `* �1; �2 ` e: tn+1�1; �2 ` hei: htin IH=) �1; �2+1 ` e: tn+2�1; �2+1 ` hei: htin+1 `+{ Box:`* �1; �2 ` ei: [ti]nfxi: [ti]0g ` e: t0�1; �2 ` box e with xi = ei: [t]n IH=)=) �1; �+12 ` ei: [ti]n+1fxi: [ti]0g ` e: t0�1; �2+1 ` box e with xi = ei: [t]n+1 `+{ Unbox: `* �1; �2 ` e: [t]n�1; �2 ` unbox e: tn IH=) �1; �2+1 ` e: [t]n+1�1; �2+1 ` unbox e: tn+1 `+ utLemma 2 If �+1 ` e: tn+1 then � ` e#: tn.Proof: By structural induction over the �rst derivation.{ Lambda abstraction:`* �+1; x: t1n+1 ` e: t2n+1�+1 ` �x:e: t1 ! t2n+1 IH=) �; x: t1n ` e#: t2n� ` �x:e#: t1 ! t2n `;#+{ Variables: `* �+1 x = (t; n0 + 1)n0 + 1 � n+ 1�+1 ` x: tn+1 +=)�=) � x = (t; n0)n0 � n� ` x#: tn `;#+{ Applications:`* �+1 ` e1: t1 ! t2n+1�+1 ` e2: t1n+1�+1 ` e1 e2: t2n+1 IH=)IH=) � ` e1 #: t1 ! t2n� ` e2 #: t1n� ` e1 e2 #: t2n `;#+{ Run:`* �+1 ` ei: [ti]n+1�+2; fxi: [ti]n+1g ` e: htin+1�+1 ` run e with xi = ei: tn+1 IH=)IH=) � ` e#n: [ti]n�+1; fxi: [ti]ng ` e#n: htin� ` (run e with xi = ei)#n: tn `;#+

{ Escape (I): Note that here ~e#= run e.`* �+1 ` e: hti0�+1 ` ~e: t1 =) �+1 ` e: hti0� ` ~e#: t0 `;#+{ Escape (II): `* �+1 ` e: htin+1�+1 ` ~e: tn+2 IH=) � ` e#: htin� ` ~e#: tn+1 `;#+{ Bracket: `* �+1 ` e: tn+2�+1 ` hei: htin+1 IH=) � ` e#: tn+1� ` hei#: htin `;#+{ Box:`* �+1 ` ei: [ti]n+1fxi: [ti]0g ` e: t0�+1 ` box e with xi = ei: [t]n+1 IH=)=) � ` ei #n: [ti]nfxi: [ti]0g ` e: t0� ` (box e with xi = ei)#n: [t]n `;#+{ Unbox: `* �+1 ` e: [t]n+1�+1 ` unbox e: tn+1 IH=) � ` e#n: [t]n� ` (unbox e)#n: tn `;#+ utLemma 4 If �1 ` e1: tn01 and �1; x: t1n0 ; �2 ` e2: tn2 then �1; �2 ` e2[x: = e1]: tn2 .Proof: By structural induction over the second derivation.{ Lambda abstraction: By Barendregt's convention, y 6= x.`* �1; x: t1n0 ; �2; y: t3n ` e: t4n�1; x: t1n0 ; �2 ` �y:e: t3 ! t4n IH=) �1; �2; y: t3n ` e[x: = e1]: t4n�1; �2 ` �y:e[x: = e1]: t3 ! t4n `;:=+{ Variables (I): If e2 = x, we already know �1 ` e1: tn01 . By weakening wehave �1; �2 ` e1: tn01 , and by n � n0 uses of the promotion lemma we have�1; �2 ` e1: tn1 .{ Variables (II): If e2 = z 6= x, we already know �1; x: t1n0 ; �2 ` e2: tn2 andby weakening we have �1; �2 ` e2: tn2 . The rest of the cases are completelystructural.{ Applications:`* �1; x: t1n0 ; �2 ` e1: t1 ! t2n�1; x: t1n0 ; �2 ` e2: t1n�1; x: t1n0; �2 ` e1 e2: t2n IH=)IH=) �1; �2 ` e1[x: = e1]: t1 ! t2n�1; �2 ` e2[x: = e1]: t1n�1; �2 ` e1 e2[x: = e1]: t2n `;:=+

{ Run: By applying promotion lemma to the premise �1 ` e1: tn01 , we get �+11 `e1: tn0+11 . Now, we use these two judgement to apply induction hypothesis.`* �1; x: t1n0 ; �2 ` e0i: [ti]n�+11 ; x: t1n0+1; �+12 ; fxi: [ti]ng ` e: htin�1; x: t1n0 ; �2 ` run e with xi = e0i: tn IH=)IH=) �1; �2 ` ei[x: = e1]: [ti]n�+11 ; �+12 ; fxi: [ti]ng ` e[x: = e1]: htin�1; �2 ` (run e with xi = ei)[x: = e1]: tn `;:=+{ Escape:`* �1; x: t1n0 ; �2 ` e: htin�1; x: t1n0 ; �2 ` ~e: tn+1 IH=) �1; �2 ` e[x: = e1]: htin�1; �2 ` ~e[x: = e1]: tn+1 `;:=+{ Bracket:`* �1; x: t1n0 ; �2 ` e: tn+1�1; x: t1n0; �2 ` hei: htin IH=) �1; �2 ` e[x: = e1]: tn+1�1; �2 ` hei[x: = e1]: htin `;:=+{ Box:`* �1; x: t1n0 ; �2 ` e0i: [ti]nfxi: [ti]0g ` e: t0�1; x: t1n0; �2 ` box e with xi = e0i: [t]n IH=)=) �1; �2 ` e0i[x: = e1]: [ti]nfxi: [ti]ng ` e: t0�1; �2 ` (box e with xi = e0i)[x: = e1]: [t]n `;:=+{ Unbox:`* �1; x: t1n0; �2 ` e: [t]n�1; x: t1n0 ; �2 ` unbox e: tn IH=) �1; �2 ` e[x: = e1]: [t]n�1; �2 ` (unbox e)[x: = e1]: tn `;:=+ utLemma 5 If v 2 V 0 and � ` v: [t]0 then ; ` v: [t]0.Proof. Since v 2 V 0 and � ` v: [t]0, then v = box e for some e. By box rule, theexpression e must have type ; ` e: t0. Thus; ` e: t0; ` box e: [t]0Proposition 1 If �+1 ` e: tn and e n,! v then v 2 V n and �+1 ` v: tn.Proof: By structural induction over the derivation of n,!.{ Bottom: ? n+1,! ? and ? 2 V n+1 and �+1 ` ?: tn+1.{ Lambda-abstraction I: Interestingly, no induction is needed here. In particular,�x:e 0,! �x:e. By de�nition, �x:e 2 V 0, and from the premise �+1 ` �x:e: t0.

{ Lambda-abstraction II: Straight forward induction.`* �+1; x: tn+11 ` e: tn+1�+1 ` �x:e: t1 ! tn+1 ,!* e n+1,! e0�x:e n+1,! �x:e0 IH=) e0 2 V n+1�x:e0 2 V n+1 V + �+1; x: tn+11 ` e0: tn+1�+1 ` �x:e0: t1 ! tn+1 `+{ Variables I: n = 0 is vacuous, because we can only derive err{ Variables II: x n+1,! x and x 2 V n+1 and �+1 ` x: tn+1.{ Applications I: First, we use (twice) the induction hypothesis, which gives usa result that we can use with the substitution lemma (:=):`* �+1 ` e1: t1 ! t0�+1 ` e2: t01�+1 ` e1 e2: t0 ,!* e1 0,! �x:ee2 0,! e02e[x: = e02] 0,! e0e1 e2 0,! e0 IH=)IH=) �+1; x: t01 ` e: t0�+1 ` �x:e: t1 ! t0 `*�+1 ` e02: t01�+1 ` e[x: = e02]: t0 :=+Note that we also use the judgment �+1; x: t01 ` e: t0 when we apply thesubstitution lemma.Then, based on this information about e[x: = e2] we applythe induction hypothesis for the third time to get e0 2 V 0 and �+1 ` e0: t0.{ Applications II:`* �+1 ` e1: t1 ! tn+1�+1 ` e2: tn+11�+1 ` e1 e2: tn+1 ,!* e1 n+1,! e01e2 n+1,! e02e1 e2 n+1,! e01 e02 IH=)IH=) e01 2 V n+1e02 2 V n+1e01 e02 2 V n+1 V + �+1 ` e01: t1 ! tn+1�+1 ` e02: tn+11�+1 ` e01 e02: tn+1 `+{ Run I: First, we apply the induction hypothesis once, then reconstruct thetype judgment of the result:`* �+1 ` e1: [ti]0�+2; fxi: [ti]0g ` e: hti0�+1 ` run e with xi = ei: t0 ,!* ei 0,! box e0ie[xi: = box e0i] 0,! he0ie0 #0 0,! e00run e with xi = ei 0,! e00 IH=) �+1 ` box e0i: [ti]0By Orthogonality lemmaapplied to �+1 ` box e0i: [ti]0, we get �+2 ` box e0i: [ti]0.By Substitution lemmaapplied to �+2 ` box e0i: [ti]0 and �+2; fxi: [ti]0g ` e: hti0,we get �+2 ` e[xi: = box e0i]: hti0.By IH applied to �+2 ` e[xi: = box e0i]: hti0 and e[xi: = box e0i] 0,! he0i, we get�+2 ` he0i: hti0.By Bracket rule applied to �+2 ` he0i: hti0, we get �+2 ` e0: t1.By Demotion lemma applied to �+2 ` e0: t1, we get �+1 ` e0: t0.

{ Run II: For space reason, we assume R = run e with xi = e1 and R0 =run e0 with xi = e01.`* �+1 ` ei: [ti]n+1�+2; fxi: [ti]n+1g ` e: htin+1�+1 ` R: tn+1 ,!* ei n+1,! e0ie n+1,! e0R n+1,! R0 IH=)IH=) e0i 2 V n+1e0 2 V n+1R0 2 V n+1 V + �+1 ` e0i: [ti]n+1�+2; fxi: [ti]n+1g ` e0: htin+1�+1 ` R0: tn+1 `+{ Escape I:`* �+1 ` e: hti0�+1 ` ~e: t1 ,!* e 0,! he0i~e 1,! e00 IH=) e0 2 V 1he0i 2 V 0 V * �+1 ` e0: t1�+1 ` he0i: hti0 `*{ Escape II:`* �+1 ` e: htin+1�+1 ` ~e: tn+2 ,!* e n+1,! e0~e n+2,! ~e0 IH=) e0 2 V n+1~e0 2 V n+2 V + �+1 ` e0: htin+1�+1 ` ~e0: tn+2 `+{ Bracket:`* �+1 ` e: tn+1�+1 ` hei: htin ,!* e n+1,! e0hei n,! he0i IH=) e0 2 V n+1he0i 2 V n V + �+1 ` e0: tn+1�+1 ` he0i: htin `+{ Box I: First, we apply the induction hypothesis once, then reconstruct thetype judgment of the result:`* �+1 ` e1: [ti]0fxi: [ti]0g ` e: t0�+1 ` B: [t]0 ,!* ei 0,! box e0iB 0,! box e[xi: = box e0i] IH=) �+1 ` box e0i: [ti]0By Orthogonality lemmaapplied to �+1 ` box e0i: [ti]0, we get fg ` box e0i: [ti]0.By Substitution lemma applied to fg ` box e0i: [ti]0 and fxi: [ti]0g ` e: t0, weget fg ` e[xi: = box e0i]: t0.By Box rule applied to fg ` e[xi: = box e0i]: t0, we get �+1 ` box e[xi: =box e0i]: t0.{ Box II: For space reason, we assume B = box e with xi = e1 and B0 =box e with xi = e01.`* �+1 ` ei: [ti]n+1fxi: [ti]0g ` e: t0�+1 ` B: [t]n+1 ,!* ei n+1,! e0iB n+1,! B0 IH=)=) e0i 2 V n+1B0 2 V n+1 V + �+1 ` e0i: [ti]n+1fxi: [ti]0g ` e0: t0�+1 ` B0: tn+1 `+

{ Unbox I:`* �+1 ` e: [t]0�+1 ` unbox e: t0 ,!* e 0,! box e0e0 1,! e00unbox e 0,! e00 IH=) box e0 2 V 0 fg ` e0: t0�+1 ` box e0: [t]0 `*By Weakening lemma applied to fg ` e0: t0, we get �+ ` e0: t0. By IH appliedto �+1 ` e0: t0 and e0 1,! e00, we get �+1 ` e00: t0.{ Unbox II:`* �+1 ` e: [t]n+1�+1 ` unbox e: tn+1 ,!* e n+1,! e0unbox e n+2,! unbox e0 IH=) e0 2 V n+1unbox e0 2 V n+1 V + �+1 ` e0: [t]n+1�+1 ` unbox e0: tn+1 `+utLemma 4 The judgment � no e: t; r is derivable if and only if the judgment(�� )+r ` e: tn is also derivable.Remark 2 (Environment Restriction). Technically, we also assume � x = (t; n0; r0)imply r0 � r. The restriction \� x = (t; n0; r0) implies r0 � r" is implicit in theoriginal type system. In particular, r never decreases when we go from the con-clusion of a type rule to it's premise, thus, we never add a binding with an rhigher than that of the judgement.Proof: By structural induction over the �rst and the second derivations (toprove the implications in both directions). The di�erent cases for each of thetwo derivations are one-to-one, and so we combine corresponding pairs and dothe proof in both directions for each pair.{ Lambda abstraction:`om �; x: (t1; n; r) no e: t2; r� no �x:e: t1 ! t2; r IH;�() (�� )+r ; x: t1n�r+r ` e: t2n(�� )+r ` �x:e: t1 ! t2n �;`m{ Variables:om � x = (t; n0; r0)n0 + r � n+ r0� no x: t; r �()�() (�� )+r x = (t; n0 � r0 + r)n0 � r0 + r � n(�� )+r ` x: tn `m{ Applications:`om � no e1: t1 ! t2; r� no e2: t1; r� no e1 e2: t2; r IH()IH() (�� )+r ` e1: t1 ! t2n(�� )+r ` e2: t1n(�� )+r ` e1 e2: t2n `m

{ Run: `om � no e: hti; r + 1� no run e: t; r IH() (�� )+r+1 ` e: htin(�� )+r ` run e: tn `m{ Escape: `om � no e: hti; r� n+1`o ~e: t; r IH() (�� )+r ` e: htin(�� )+r ` ~e: tn+1 `m{ Bracket: `om � n+1`o e: t; r� no hei: hti; r IH() (�� )+r ` e: tn+1(�� )+r ` hei: htin `mB Proofs of the Embedding of ��B.1 Strong NormalisationThe proof follows Harper, Honsell, and Plotkin [7]. We present a translation intothe simply-typed �-calculus. This translation essentially ignores all details of theoriginal expression, except for the cases when there is a Box-redex, in which casethe translation produces a term with a �-redex. We translate raw terms of theclosed fragment into terms of the simply typed �-calculus with one base type oand additional constants app : o! (o! o)abs : (o! o)! oThe mapping for types is simply: t� = o. The mapping for terms isx� = x(e1 e2)� = app e�1 e�2(�x:e)� = abs (�x: o:e�)(unbox e)� = (�x: o:x) e�(box e)� = e�(box e with xi = ei)� = (�x1: o: : : :(�xn: o:e�) e�n : : : ) e�1Next, we show that e1 !box e2 implies e�1 !beta e�2.First, we make sure that the terms produced by the translation are indeed inthe simply typed �-calculus, in particular, that they are well-typed.Lemma 9 (Star Well-Typedness). If e 2 EClosed and FV(e) � fxig, thenfxi: og ` e�: o.Proof. By induction over the typing derivation. ut

Then, we prove the following distributivity property that will be needed to provestrong normalization.Lemma 10 (Star Substitution). e�[x: = e0�] � (e[x: = e0])�.Proof. By induction on the structure of e. One issue arising in this proof is theneed for substitution to propagate into the body of Box expressions, which isnot needed when we are dealing only with well-typed terms. utLemma 11 (Lockstep). If e1 !box e2 then e�1 !� e�2.Proof. By induction on the derivation of !box. Most cases are treated by anapplication of the induction hypothesis, with the exception of the two caseswhen a Box reduction takes place explicitly. The interesting case is whene1 � box e0 with xi = ei; x = box e; xj = ejand then e2 � box e0[x: = box e] with xi = ei; xj = ejwe proceed as follows:e�1= (�xjn : o: : : :(�x: o: : : : (�xi1 : o:e0�) e�i1 : : : ) (box e)� : : : ) e�jn!� (�xjn : o: : : : : : : (�xi1 : o:e0�[x: = (box e)�]) e�i1 [x: = (box e)�] : : : : : : ) e�jnBy Barendregt's convention for variable names x 62 FV(ei)= (�xjn : o: : : : : : : (�xi1 : o:e0�[x: = (box e)�]) e�i1 : : : : : : ) e�jnBy Star Distribution lemma= (�xjn : o: : : : : : : (�xi1 : o:(e0[x: = box e])�) e�i1 : : : : : : ) e�jn= box e0[x: = box e] with xi = ei; xj = ej utFinally, we can prove our main lemmaLemma 12 (Strong Normalization). !box is strongly normalizing.Proof. From Lockstep, and because the simply-typed �-calculus is strongly nor-malizing, it follows that Box-reduction is likewise. utB.2 Con uenceLemma 13. The !box relation is sub-commutative.Proof. The only critical pair is the second rule with it self. It easy to check it isconvergent and close in one step.Corollary 1. The !box relation is con uent.Proof. Direct consequence of the previous lemma.

B.3 Compatibility w.r.t the semantics of AIM box fragmentWe use the notion of parallel reduction to deal with duplication of redices causedby substitution. Roughly speaking, parallel reduction is de�ned by the simulta-neous reduction of a set of redices in a term.De�nition 7 (Parallel Reduction). q!box is formally de�ned as follows:e q!box e0unbox box e q!box e0a q!box a0 b q!box b0 ci q!box c0ibox a with xi = ci; x = box b q!box box a0[x: = box b0] with xi = c0iand the usual distribution rules for all constructs including the unbox and boxconstructs. Constants and variables are axioms.Lemma 14 (Parallel Reduction and Substitution). If a q!box a0 and b q!box b0 then a[x: = b] q!box a0[x: = b0].Proof. Induction on the structure of a.Lemma 15 (Soundness of!box). If e1 q!box e2 and e2 0,! v2 then there existsv1 such that e1 0,! v1 and v1 q!box v2.Proof. Induction on the lexicographic composition of the derivation of e2 0,! v2and the derivation of e1 q!box e2.If one of the redices of e1 is at the root then two cases are possible:1. If e1 = unbox box e then e1 q!box e and e q!box e2.By applying IH to e2 0,! v2 and e q!box e2, we derive e 0,! v1 and v1 q!box v2.Thus, we have box e 0,! box e e 0,! v1unbox box e 0,! v12. If e1 = box a with xi = ci; x = box b then e2 = box a0[x: = box b0] with xi = c0i,where a q!box a0, b q!box b0,and ci q!box c0i. By the semantics of box , we knowthat: c0i 0,! v0ibox a0[x: = box b0] with xi = c0i 0,! box a0[x: = box b0][xi: = v0i]By applying the IH to c0i 0,! v0i and ci q!box c0i, we derive ci 0,! vi and vi q!boxv0i. Thus

box b 0,! box b ci 0,! vibox a with xi = ci; x = box b 0,! box a[x: = box b][xi: = vi]and by lemma 14, we drive box a[x: = box b][xi: = vi] q!box box a0[x: =box b0][xi: = v0i] since a q!box a0, b q!box b0, and vi q!box v0i.If all redices are subterms of e1.{ If e1 = �x:e and e2 = �x:e0 such that e q!box e0. It is easy the check thatv1 = �x:e and v2 = �x:e0. hence, v1 q!box v2.{ If e1 = a b and e2 = a0 b0 such that a q!box a0 and b q!box b0. we know thata0 0,! �x:e0 b0 0,! v0 e0[x: = v0] 0,! v2a0 b0 0,! v2By applying IH to a0 0,! �x:e0 and a0 q!box a and then to b0 0,! v0 and b q!box b0,we derive a 0,! �x:e and �x:e q!box �x:e0, and b 0,! v and v q!box v0.By lemma 14, e[x: = v] q!box e0[x: = v0]. Thus, we can apply the induc-tion hypothesis to e0[x: = v0] 0,! v2 and e[x: = v] q!box e0[x: = v0] to derivee[x: = v] 0,! v1 and v1 ��!box v2. Hence,a 0,! �x:e b 0,! v e[x: = v0] 0,! v1a b 0,! v1{ If e1 = box a with xi = bi and e2 = box a0 with xi = b0i such that a q!box a0and bi q!box b0i. We know that; b0i 0,! v0ie2 0,! box a0[xi: = v0i]Notice that v2 = box a0[xi: = v0i]. By applying IH to b0i 0,! v0i and bi q!box b0i, wederive bi 0,! vi and vi q!box v0i. By Lemma 14, we have a[xi: = vi] q!box a0[xi: =v0i] since a q!box a0 and vi q!box v0i. Thus, box a[xi: = vi] q!box box a0[xi: = v0i]and bi 0,! vibox a with xi = bi 0,! box a[xi: = vi]{ e1 = unbox e and e2 = unbox e0 such that e q!box e0. we havee0 0,! box a0 a0 0,! v2unbox e0 0,! v2

by applying IH to e0 0,! box a0 and e q!box e0, we derive e 0,! box a and box a q!box box a0. Hence, a q!box a0. Thus IH applies to a0 0,! v2 and a q!box a0, toderive a 0,! v1 and v1 q!box v2. We conclude bye 0,! box a a 0,! v2unbox e 0,! v2Corollary 2. If e1 !box e2 and e2 0,! v2 then there exists v1 such that e1 0,! v1and v1 ��!box v2.Proof. Use the precedent lemma, and the facts that!box�q!box for the hypoth-esis and q!box � ��! for the conclusion of this corollary.B.4 SubstitutivityLemma 16 (Weakening). If FV(e) \ S = ; then e�T = e�T[S .Proof. By induction on the structure of e. Box case requires some simple setlogic. utLemma 8 Given a closed term e0 2 E� the following properties hold:{ e�X [y: = e�;0 ] � (e[y: = e0])�X , provided y 62 X{ e�X[fxg[x: = box e�;0 ] ��!box (e[x: = e0])�XProof. By induction over the structure of e, for both properties. The interestingcase|in both proofs|is Box, which requires explicit reasoning about sets of freevariables. Some Variable sub-cases require Weakening (Lemma 16). utB.5 Main Result: Embedding of ��Proposition 6 If e 2 E� is closed and e ,!� v is derivable in ��, then thereexists v0 such that e�; 0,! v0 and v0 ��!box v�;.Proof. Induction on the derivation of e ,!� v.{ If e = x, vacuous{ If e = box e1 then we have: box e1 ,!� box e1 and box e�; = box e�;, hencebox e�; 0,! box e�;{ If e = e1 e2, we have e1 ,!� �x:e0 (1)e2 ,!� v0 (2)e0[x: = v0] ,!� v (3)e1 e2 ,!� v

By applying respectively (IH) to (1), (2) and (3), we derive e�;1 0,! �x:e00,e�;2 0,! v00, and e0[x: = v0]�; 0,! v1 such that �x:e00 ��!box (�x:e0)�;, v00 ��!box(v0)�;, and v1 ��!box v�;.By lemma8, we have e0[x: = v0]�; = (e0)�;[x: = (e0)�;]. Since e00 ��!box (e0)�;and v00 ��!box (v0)�;, we have e00[x: = v00] ��!box (e0)�;[x: = (e0)�;].Hence, we apply the compatibility lemma to derive: e00[x: = v00] 0,! v01 andv01 ��!box v1Thus, v01 ��!box v�; ande�;1 0,! �x:e00 e�;2 0,! v00 e00[x: = e00] 0,! v01(e1 e2)�; 0,! v01{ If e = let box x = e1 in e2, we havee1 ,!� box e3 (1)e2[x: = e3] ,!� v0 (2)let box x = e1 in e2 ,!� vBy applying respectively (IH to (1) and (2), we derive: e�;1 0,! v1 and e2[x: = e3]�; 0,!v such that v1 ��!box box e�;3 and v0 ��!box v�;.Since v1 2 V 0 rewrite to box e�;3 then v1 � box e4.By hypothesis and typing rule we know fx:� t0g; ; `� e2: t. Hence, we canapply property 2 of Lemma 8, we have:e�fxg2 [x: = box e4] ��!box e�fxg2 [x: = box e�;3 ] ��!box e2[x: = e3]�;By compatibility of!box, we have: e�fxg2 [x: = box e�;1 ] 0,! v00 and v00 ��!box v0.thus, v00 ��!box v and e�;1 0,! box e4e�fxg2 [x: = box e4] 0,! v00let box x = e1 in e�;2 0,! v00