release exercise 06

6 months ago · 2eb230286f
parent 72b1ed7e30
commit 2eb230286f
10 changed files with 3937 additions and 0 deletions
--- a/11
+++ b/11
@ -51,6 +51,16 @@ theories/type_systems/systemf/binary_logrel.v
 theories/type_systems/systemf/binary_logrel_sol.v
 theories/type_systems/systemf/existential_invariants.v

+# SystemF-Mu
+theories/type_systems/systemf_mu/lang.v
+theories/type_systems/systemf_mu/notation.v
+theories/type_systems/systemf_mu/types.v
+theories/type_systems/systemf_mu/tactics.v
+theories/type_systems/systemf_mu/pure.v
+theories/type_systems/systemf_mu/untyped_encoding.v
+theories/type_systems/systemf_mu/parallel_subst.v
+theories/type_systems/systemf_mu/logrel.v
+
 # By removing the # below, you can add the exercise sheets to make
 #theories/type_systems/warmup/warmup.v
 #theories/type_systems/warmup/warmup_sol.v
@ -66,3 +76,4 @@ theories/type_systems/systemf/existential_invariants.v
 #theories/type_systems/systemf/exercises04_sol.v
 #theories/type_systems/systemf/exercises05.v
 #theories/type_systems/systemf/exercises05_sol.v
+#theories/type_systems/systemf_mu/exercises06.v
--- a/theories/type_systems/systemf_mu/exercises06.v
+++ b/theories/type_systems/systemf_mu/exercises06.v
@ -0,0 +1,202 @@
+From stdpp Require Import gmap base relations tactics.
+From iris Require Import prelude.
+From semantics.ts.systemf_mu Require Import lang notation types pure tactics logrel.
+From Autosubst Require Import Autosubst.
+
+(** * Exercise Sheet 6 *)
+
+Notation sub := lang.subst.
+
+Implicit Types
+  (e : expr)
+  (v : val)
+  (A B : type)
+.
+
+(** ** Exercise 5: Keep Rollin' *)
+(** This exercise is slightly tricky.
+  We strongly recommend you to first work on the other exercises.
+  You may use the results from this exercise, in particular the fixpoint combinator and its typing, in other exercises, however (which is why it comes first in this Coq file).
+ *)
+Section recursion_combinator.
+  Variable (f x: string). (* the template of the recursive function *)
+  Hypothesis (Hfx: f ≠ x).
+
+  (** Recursion Combinator *)
+  (* First, setup a definition [Rec] satisfying the reduction lemmas below. *)
+
+  (** You may find an auxiliary definition [rec_body] helpful *)
+  Definition rec_body (t: expr) : expr :=
+    roll (λ: f x, #0). (* TODO *)
+
+  Definition Rec (t: expr): val :=
+    λ: x, rec_body t. (* TODO *)
+
+  Lemma closed_rec_body t :
+    is_closed [] t → is_closed [] (rec_body t).
+  Proof. simplify_closed. Qed.
+  Lemma closed_Rec t :
+    is_closed [] t → is_closed [] (Rec t).
+  Proof. simplify_closed. Qed.
+  Lemma is_val_Rec t:
+    is_val (Rec t).
+  Proof. done. Qed.
+
+  
+
+   Lemma Rec_red (t e: expr):
+    is_val e →
+    is_val t →
+    is_closed [] e →
+    is_closed [] t →
+    rtc contextual_step ((Rec t) e) (t (Rec t) e).
+  Proof.
+    (* TODO: exercise *)
+  Admitted.
+
+
+  Lemma rec_body_typing n Γ (A B: type) t :
+    Γ !! x = None →
+    Γ !! f = None →
+    type_wf n A →
+    type_wf n B →
+    TY n; Γ ⊢ t : ((A → B) → (A → B)) →
+    TY n; Γ ⊢ rec_body t : (μ: #0 → rename (+1) A → rename (+1) B).
+  Proof.
+    (* TODO: exercise *)
+  Admitted.
+
+
+  Lemma Rec_typing n Γ A B t:
+    type_wf n A →
+    type_wf n B →
+    Γ !! x = None →
+    Γ !! f = None →
+    TY n; Γ ⊢ t : ((A → B) → (A → B)) →
+    TY n; Γ ⊢ (Rec t) : (A → B).
+  Proof.
+    (* TODO: exercise *)
+  Admitted.
+
+
+End recursion_combinator.
+
+Definition Fix (f x: string) (e: expr) : val := (Rec f x (Lam f%string (Lam x%string e))).
+(** We "seal" the definition to make it opaque to the [solve_typing] tactic.
+  We do not want [solve_typing] to unfold the definition, instead, we should manually
+  apply the typing rule below.
+
+  You do not need to understand this in detail -- the only thing of relevance is that
+  you can use the equality [Fix_eq] to unfold the definition of [Fix].
+*)
+Definition Fix_aux : seal (Fix). Proof. by eexists. Qed.
+Definition Fix' := Fix_aux.(unseal).
+Lemma Fix_eq : Fix' = Fix.
+Proof. rewrite -Fix_aux.(seal_eq) //. Qed.
+Arguments Fix' _ _ _ : simpl never.
+
+(* the actual fixpoint combinator *)
+Notation "'fix:' f x := e" := (Fix' f x e)%E
+  (at level 200, f, x at level 1, e at level 200,
+   format "'[' 'fix:'  f  x   :=  '/  ' e ']'") : val_scope.
+Notation "'fix:' f x := e" := (Fix' f x e)%E
+  (at level 200, f, x at level 1, e at level 200,
+   format "'[' 'fix:'  f  x   :=  '/  ' e ']'") : expr_scope.
+
+
+Lemma fix_red (f x: string) (e e': expr):
+  is_closed [x; f] e →
+  is_closed [] e' →
+  is_val e' →
+  f ≠ x →
+  rtc contextual_step ((fix: f x := e) e')%V (sub x e' (sub f (fix: f x := e)%V e)).
+Proof.
+  (* TODO: exercise *)
+Admitted.
+
+
+Lemma fix_typing n Γ (f x: string) (A B: type) (e: expr):
+  type_wf n A →
+  type_wf n B →
+  f ≠ x →
+  TY n; <[x := A]> (<[f := (A → B)%ty]> Γ) ⊢ e : B →
+  TY n; Γ ⊢ (fix: f x := e) : (A → B).
+Proof.
+  (* TODO: exercise *)
+Admitted.
+
+
+(** ** Exercise 1: Encode arithmetic expressions *)
+
+Definition aexpr : type := #0 (* TODO *).
+
+Definition num_val (v : val) : val := #0 (* TODO *).
+Definition num_expr (e : expr) : expr := #0 (* TODO *).
+
+Definition plus_val (v1 v2 : val) : val := #0 (* TODO *).
+Definition plus_expr (e1 e2 : expr) : expr := #0 (* TODO *).
+
+Definition mul_val (v1 v2 : val) : val := #0 (* TODO *).
+Definition mul_expr (e1 e2 : expr) : expr := #0 (* TODO *).
+
+Lemma num_expr_typed n Γ e :
+  TY n; Γ ⊢ e : Int →
+  TY n; Γ ⊢ num_expr e : aexpr.
+Proof.
+  intros. solve_typing.
+  (* TODO: exercise *)
+Admitted.
+
+
+Lemma plus_expr_typed n Γ e1 e2 :
+  TY n; Γ ⊢ e1 : aexpr →
+  TY n; Γ ⊢ e2 : aexpr →
+  TY n; Γ ⊢ plus_expr e1 e2 : aexpr.
+Proof.
+  (*intros; solve_typing.*)
+  (* TODO: exercise *)
+Admitted.
+
+
+Lemma mul_expr_typed n Γ e1 e2 :
+  TY n; Γ ⊢ e1 : aexpr →
+  TY n; Γ ⊢ e2 : aexpr →
+  TY n; Γ ⊢ mul_expr e1 e2 : aexpr.
+Proof.
+  (*intros; solve_typing.*)
+  (* TODO: exercise *)
+Admitted.
+
+
+Definition eval_aexpr : val :=
+  #0. (* TODO *)
+
+Lemma eval_aexpr_typed Γ n :
+  TY n; Γ ⊢ eval_aexpr : (aexpr → Int).
+Proof.
+  (* TODO: exercise *)
+Admitted.
+
+
+
+(** Exercise 3: Lists *)
+
+Definition list_t (A : type) : type :=
+  ∃: (#0 (* mynil *)
+    × (A.[ren (+1)] → #0 → #0) (* mycons *)
+    × (∀: #1 → #0 → (A.[ren (+2)] → #1 → #0) → #0)) (* mylistcase *)
+  .
+
+Definition mylist_impl : val :=
+  #0 (* TODO *)
+  .
+
+
+
+Lemma mylist_impl_sem_typed A :
+  type_wf 0 A →
+  ∀ k, 𝒱 (list_t A) δ_any k mylist_impl.
+Proof.
+  (* TODO: exercise *)
+Admitted.
+
--- a/theories/type_systems/systemf_mu/lang.v
+++ b/theories/type_systems/systemf_mu/lang.v
@ -0,0 +1,729 @@
+From stdpp Require Export binders strings.
+From iris.prelude Require Import options.
+From semantics.lib Require Export maps.
+
+Declare Scope expr_scope.
+Declare Scope val_scope.
+Delimit Scope expr_scope with E.
+Delimit Scope val_scope with V.
+
+(** Expressions and vals. *)
+Inductive base_lit : Set :=
+  | LitInt (n : Z) | LitBool (b : bool) | LitUnit.
+Inductive un_op : Set :=
+  | NegOp | MinusUnOp.
+Inductive bin_op : Set :=
+  | PlusOp | MinusOp | MultOp (* Arithmetic *)
+  | LtOp | LeOp | EqOp. (* Comparison *)
+
+
+Inductive expr :=
+  | Lit (l : base_lit)
+  (* Base lambda calculus *)
+  | Var (x : string)
+  | Lam (x : binder) (e : expr)
+  | App (e1 e2 : expr)
+  (* Base types and their operations *)
+  | UnOp (op : un_op) (e : expr)
+  | BinOp (op : bin_op) (e1 e2 : expr)
+  | If (e0 e1 e2 : expr)
+  (* Polymorphism *)
+  | TApp (e : expr)
+  | TLam (e : expr)
+  | Pack (e : expr)
+  | Unpack (x : binder) (e1 e2 : expr)
+  (* Products *)
+  | Pair (e1 e2 : expr)
+  | Fst (e : expr)
+  | Snd (e : expr)
+  (* Sums *)
+  | InjL (e : expr)
+  | InjR (e : expr)
+  | Case (e0 : expr) (e1 : expr) (e2 : expr)
+  (* Isorecursive types *)
+  | Roll (e : expr)
+  | Unroll (e : expr)
+.
+
+Bind Scope expr_scope with expr.
+
+Inductive val :=
+  | LitV (l : base_lit)
+  | LamV (x : binder) (e : expr)
+  | TLamV (e : expr)
+  | PackV (v : val)
+  | PairV (v1 v2 : val)
+  | InjLV (v : val)
+  | InjRV (v : val)
+  | RollV (v : val)
+.
+
+Bind Scope val_scope with val.
+
+Fixpoint of_val (v : val) : expr :=
+  match v with
+  | LitV l => Lit l
+  | LamV x e => Lam x e
+  | TLamV e => TLam e
+  | PackV v => Pack (of_val v)
+  | PairV v1 v2 => Pair (of_val v1) (of_val v2)
+  | InjLV v => InjL (of_val v)
+  | InjRV v => InjR (of_val v)
+  | RollV v => Roll (of_val v)
+  end.
+
+Fixpoint to_val (e : expr) : option val :=
+  match e with
+  | Lit l => Some $ LitV l
+  | Lam x e => Some (LamV x e)
+  | TLam e => Some (TLamV e)
+  | Pack e =>
+     to_val e ≫= (λ v, Some $ PackV v)
+  | Pair e1 e2 =>
+    to_val e1 ≫= (λ v1, to_val e2 ≫= (λ v2, Some $ PairV v1 v2))
+  | InjL e => to_val e ≫= (λ v, Some $ InjLV v)
+  | InjR e => to_val e ≫= (λ v, Some $ InjRV v)
+  | Roll e => to_val e ≫= (λ v, Some $ RollV v)
+  | _ => None
+  end.
+
+(** Equality and other typeclass stuff *)
+Lemma to_of_val v : to_val (of_val v) = Some v.
+Proof.
+  by induction v; simplify_option_eq; repeat f_equal; try apply (proof_irrel _).
+Qed.
+
+Lemma of_to_val e v : to_val e = Some v → of_val v = e.
+Proof.
+  revert v; induction e; intros v ?; simplify_option_eq; auto with f_equal.
+Qed.
+
+#[export] Instance of_val_inj : Inj (=) (=) of_val.
+Proof. by intros ?? Hv; apply (inj Some); rewrite <-!to_of_val, Hv. Qed.
+
+(** structural computational version *)
+Fixpoint is_val (e : expr) : Prop :=
+  match e with
+  | Lit l => True
+  | Lam x e => True
+  | TLam e => True
+  | Pack e => is_val e
+  | Pair e1 e2 => is_val e1 ∧ is_val e2
+  | InjL e => is_val e
+  | InjR e => is_val e
+  | Roll e => is_val e
+  | _ => False
+  end.
+Lemma is_val_spec e : is_val e ↔ ∃ v, to_val e = Some v.
+Proof.
+  induction e as [ | | ? e IH | e1 IH1 e2 IH2 | e IH | ? e1 IH1 e2 IH2 | e1 IH1 e2 IH2 e3 IH3 | e IH | e IH | e IH | ? e1 IH1 e2 IH2 | e1 IH1 e2 IH2 | e IH | e IH | e IH | e IH | e1 IH1 e2 IH2 e3 IH3 | e IH | e IH];
+    simpl; (split; [ | intros (v & Heq)]); simplify_option_eq; try naive_solver.
+  - rewrite IH. intros (v & ->). eauto.
+  - rewrite IH1, IH2. intros [(v1 & ->) (v2 & ->)]. eauto.
+  - rewrite IH. intros (v & ->). eauto.
+  - rewrite IH. intros (v & ->); eauto.
+  - rewrite IH. intros (v & ->). eauto.
+Qed.
+
+Global Instance base_lit_eq_dec : EqDecision base_lit.
+Proof. solve_decision. Defined.
+Global Instance un_op_eq_dec : EqDecision un_op.
+Proof. solve_decision. Defined.
+Global Instance bin_op_eq_dec : EqDecision bin_op.
+Proof. solve_decision. Defined.
+
+
+(** Substitution *)
+Fixpoint subst (x : string) (es : expr) (e : expr)  : expr :=
+  match e with
+  | Lit _ => e
+  | Var y => if decide (x = y) then es else Var y
+  | Lam y e =>
+      Lam y $ if decide (BNamed x = y) then e else subst x es e
+  | App e1 e2 => App (subst x es e1) (subst x es e2)
+  | TApp e => TApp (subst x es e)
+  | TLam e => TLam (subst x es e)
+  | Pack e => Pack (subst x es e)
+  | Unpack y e1 e2 => Unpack y (subst x es e1) (if decide (BNamed x = y) then e2 else subst x es e2)
+  | UnOp op e => UnOp op (subst x es e)
+  | BinOp op e1 e2 => BinOp op (subst x es e1) (subst x es e2)
+  | If e0 e1 e2 => If (subst x es e0) (subst x es e1) (subst x es e2)
+  | Pair e1 e2 => Pair (subst x es e1) (subst x es e2)
+  | Fst e => Fst (subst x es e)
+  | Snd e => Snd (subst x es e)
+  | InjL e => InjL (subst x es e)
+  | InjR e => InjR (subst x es e)
+  | Case e0 e1 e2 => Case (subst x es e0) (subst x es e1) (subst x es e2)
+  | Roll e => Roll (subst x es e)
+  | Unroll e => Unroll (subst x es e)
+  end.
+
+Definition subst' (mx : binder) (es : expr) : expr → expr :=
+  match mx with BNamed x => subst x es | BAnon => id end.
+
+(** The stepping relation *)
+Definition un_op_eval (op : un_op) (v : val) : option val :=
+  match op, v with
+  | NegOp, LitV (LitBool b) => Some $ LitV $ LitBool (negb b)
+  | MinusUnOp, LitV (LitInt n) => Some $ LitV $ LitInt (- n)
+  | _, _ => None
+  end.
+
+Definition bin_op_eval_int (op : bin_op) (n1 n2 : Z) : option base_lit :=
+  match op with
+  | PlusOp => Some $ LitInt (n1 + n2)
+  | MinusOp => Some $ LitInt (n1 - n2)
+  | MultOp => Some $ LitInt (n1 * n2)
+  | LtOp => Some $ LitBool (bool_decide (n1 < n2))
+  | LeOp => Some $ LitBool (bool_decide (n1 ≤ n2))
+  | EqOp => Some $ LitBool (bool_decide (n1 = n2))
+  end%Z.
+
+Definition bin_op_eval (op : bin_op) (v1 v2 : val) : option val :=
+  match v1, v2 with
+  | LitV (LitInt n1), LitV (LitInt n2) => LitV <$> bin_op_eval_int op n1 n2
+  | _, _ => None
+  end.
+
+Inductive base_step : expr → expr → Prop :=
+  | BetaS x e1 e2 e' :
+     is_val e2 →
+     e' = subst' x e2 e1 →
+     base_step (App (Lam x e1) e2) e'
+  | TBetaS e1 :
+      base_step (TApp (TLam e1)) e1
+  | UnpackS e1 e2 e' x :
+      is_val e1 →
+      e' = subst' x e1 e2 →
+      base_step (Unpack x (Pack e1) e2) e'
+  | UnOpS op e v v' :
+     to_val e = Some v →
+     un_op_eval op v = Some v' →
+     base_step (UnOp op e) (of_val v')
+  | BinOpS op e1 v1 e2 v2 v' :
+     to_val e1 = Some v1 →
+     to_val e2 = Some v2 →
+     bin_op_eval op v1 v2 = Some v' →
+     base_step (BinOp op e1 e2) (of_val v')
+  | IfTrueS e1 e2 :
+     base_step (If (Lit $ LitBool true) e1 e2) e1
+  | IfFalseS e1 e2 :
+     base_step (If (Lit $ LitBool false) e1 e2) e2
+  | FstS e1 e2 :
+     is_val e1 →
+     is_val e2 →
+     base_step (Fst (Pair e1 e2)) e1
+  | SndS e1 e2 :
+     is_val e1 →
+     is_val e2 →
+     base_step (Snd (Pair e1 e2)) e2
+  | CaseLS e e1 e2 :
+     is_val e →
+     base_step (Case (InjL e) e1 e2) (App e1 e)
+  | CaseRS e e1 e2 :
+     is_val e →
+     base_step (Case (InjR e) e1 e2) (App e2 e)
+  | UnrollS e :
+      is_val e →
+      base_step (Unroll (Roll e)) e
+.
+
+(* Misc *)
+Lemma is_val_of_val v : is_val (of_val v).
+Proof. apply is_val_spec. rewrite to_of_val. eauto. Qed.
+
+(** If [e1] makes a base step to a value under some state [σ1] then any base
+ step from [e1] under any other state [σ1'] must necessarily be to a value. *)
+Lemma base_step_to_val e1 e2 e2' :
+  base_step e1 e2 →
+  base_step e1 e2' → is_Some (to_val e2) → is_Some (to_val e2').
+Proof. destruct 1; inversion 1; naive_solver. Qed.
+
+(** We define evaluation contexts *)
+(** In contrast to before, we formalize contexts differently in a non-recursive way.
+  Evaluation contexts are now lists of evaluation context items, and we specify how to
+  plug these items together when filling the context.
+  For instance:
+   - HoleCtx becomes [], the empty list of context items
+   - e1 ●  becomes [AppRCtx e1]
+   - e1 (● + v2) becomes [PlusLCtx v2; AppRCtx e1]
+ *)
+Inductive ectx_item :=
+  | AppLCtx (v2 : val)
+  | AppRCtx (e1 : expr)
+  | TAppCtx
+  | PackCtx
+  | UnpackCtx (x : binder) (e2 : expr)
+  | UnOpCtx (op : un_op)
+  | BinOpLCtx (op : bin_op) (v2 : val)
+  | BinOpRCtx (op : bin_op) (e1 : expr)
+  | IfCtx (e1 e2 : expr)
+  | PairLCtx (v2 : val)
+  | PairRCtx (e1 : expr)
+  | FstCtx
+  | SndCtx
+  | InjLCtx
+  | InjRCtx
+  | CaseCtx (e1 : expr) (e2 : expr)
+  | UnrollCtx
+  | RollCtx
+.
+
+Definition fill_item (Ki : ectx_item) (e : expr) : expr :=
+  match Ki with
+  | AppLCtx v2 => App e (of_val v2)
+  | AppRCtx e1 => App e1 e
+  | TAppCtx => TApp e
+  | PackCtx => Pack e
+  | UnpackCtx x e2 => Unpack x e e2
+  | UnOpCtx op => UnOp op e
+  | BinOpLCtx op v2 => BinOp op e (of_val v2)
+  | BinOpRCtx op e1 => BinOp op e1 e
+  | IfCtx e1 e2 => If e e1 e2
+  | PairLCtx v2 => Pair e (of_val v2)
+  | PairRCtx e1 => Pair e1 e
+  | FstCtx => Fst e
+  | SndCtx => Snd e
+  | InjLCtx => InjL e
+  | InjRCtx => InjR e
+  | CaseCtx e1 e2 => Case e e1 e2
+  | UnrollCtx => Unroll e
+  | RollCtx => Roll e
+  end.
+(* The main [fill] operation is defined below. *)
+
+(** Basic properties about the language *)
+Global Instance fill_item_inj Ki : Inj (=) (=) (fill_item Ki).
+Proof. induction Ki; intros ???; simplify_eq/=; auto with f_equal. Qed.
+
+Lemma fill_item_val Ki e :
+  is_Some (to_val (fill_item Ki e)) → is_Some (to_val e).
+Proof. intros [v ?]. induction Ki; simplify_option_eq; eauto. Qed.
+
+Lemma val_base_stuck e1 e2 : base_step e1 e2 → to_val e1 = None.
+Proof. destruct 1; naive_solver. Qed.
+
+Lemma of_val_lit v l :
+  of_val v = (Lit l) → v = LitV l.
+Proof. destruct v; simpl; inversion 1; done. Qed.
+Lemma of_val_pair_inv (v v1 v2 : val) :
+  of_val v = Pair (of_val v1) (of_val v2) → v = PairV v1 v2.
+Proof.
+  destruct v; simpl; inversion 1.
+  apply of_val_inj in H1. apply of_val_inj in H2. subst; done.
+Qed.
+Lemma of_val_injl_inv (v v' : val) :
+  of_val v = InjL (of_val v') → v = InjLV v'.
+Proof.
+  destruct v; simpl; inversion 1.
+  apply of_val_inj in H1. subst; done.
+Qed.
+Lemma of_val_injr_inv (v v' : val) :
+  of_val v = InjR (of_val v') → v = InjRV v'.
+Proof.
+  destruct v; simpl; inversion 1.
+  apply of_val_inj in H1. subst; done.
+Qed.
+Ltac simplify_val :=
+  repeat match goal with
+  | H: to_val (of_val ?v) = ?o |- _ => rewrite to_of_val in H
+  | H: is_val ?e |- _ => destruct (proj1 (is_val_spec e) H) as (? & ?); clear H
+  | H: to_val ?e = ?v |- _ => is_var e; specialize (of_to_val _ _ H); intros <-; clear H
+  | H: of_val ?v = Lit ?l |- _ => is_var v; specialize (of_val_lit _ _ H); intros ->; clear H
+  | |- context[to_val (of_val ?e)] => rewrite to_of_val
+  end.
+
+Lemma base_ectxi_step_val Ki e e2 :
+  base_step (fill_item Ki e) e2 → is_Some (to_val e).
+Proof.
+  revert e2. induction Ki; inversion_clear 1; simplify_option_eq; simplify_val; eauto.
+Qed.
+
+Lemma fill_item_no_val_inj Ki1 Ki2 e1 e2 :
+  to_val e1 = None → to_val e2 = None →
+  fill_item Ki1 e1 = fill_item Ki2 e2 → Ki1 = Ki2.
+Proof.
+  revert Ki1. induction Ki2; intros Ki1; induction Ki1; try naive_solver eauto with f_equal.
+  all: intros ?? Heq; injection Heq; intros ??; simplify_eq; simplify_val; naive_solver.
+Qed.
+
+Section contexts.
+  Notation ectx := (list ectx_item).
+  Definition empty_ectx : ectx := [].
+  Definition comp_ectx : ectx → ectx → ectx := flip (++).
+
+  Definition fill (K : ectx) (e : expr) : expr := foldl (flip fill_item) e K.
+  Lemma fill_app (K1 K2 : ectx) e : fill (K1 ++ K2) e = fill K2 (fill K1 e).
+  Proof. apply foldl_app. Qed.
+  Lemma fill_empty e : fill empty_ectx e = e.
+  Proof. done. Qed.
+  Lemma fill_comp K1 K2 e : fill K1 (fill K2 e) = fill (comp_ectx K1 K2) e.
+  Proof. unfold fill, comp_ectx; simpl. by rewrite foldl_app. Qed.
+  Global Instance fill_inj K : Inj (=) (=) (fill K).
+  Proof. induction K as [|Ki K IH]; unfold Inj; naive_solver. Qed.
+
+  Lemma fill_val K e : is_Some (to_val (fill K e)) → is_Some (to_val e).
+  Proof.
+    induction K as [|Ki K IH] in e |-*; [ done |]. by intros ?%IH%fill_item_val.
+  Qed.
+  Lemma fill_not_val K e : to_val e = None → to_val (fill K e) = None.
+  Proof. rewrite !eq_None_not_Some. eauto using fill_val. Qed.
+
+End contexts.
+
+(** Contextual steps *)
+Inductive contextual_step (e1 : expr) (e2 : expr) : Prop :=
+  Ectx_step K e1' e2' :
+    e1 = fill K e1' → e2 = fill K e2' →
+    base_step e1' e2' → contextual_step e1 e2.
+
+
+Lemma base_contextual_step e1 e2 :
+  base_step e1 e2 → contextual_step e1 e2.
+Proof. apply Ectx_step with empty_ectx; by rewrite ?fill_empty. Qed.
+
+Lemma fill_contextual_step K e1 e2 :
+  contextual_step e1 e2 → contextual_step (fill K e1) (fill K e2).
+Proof.
+  destruct 1 as [K' e1' e2' -> ->].
+  rewrite !fill_comp. by econstructor.
+Qed.
+
+(** *** closedness *)
+Fixpoint is_closed (X : list string) (e : expr) : bool :=
+  match e with
+  | Var x => bool_decide (x ∈ X)
+  | Lam x e => is_closed (x :b: X) e
+  | Unpack x e1 e2 => is_closed X e1 && is_closed (x :b: X) e2
+  | Lit _ => true
+  | UnOp _ e | Fst e | Snd e | InjL e | InjR e | TApp e | TLam e | Pack e | Roll e | Unroll e => is_closed X e
+  | App e1 e2 | BinOp _ e1 e2 | Pair e1 e2 => is_closed X e1 && is_closed X e2
+  |  If e0 e1 e2 | Case e0 e1 e2 =>
+   is_closed X e0 && is_closed X e1 && is_closed X e2
+  end.
+
+(** [closed] states closedness as a Coq proposition, through the [Is_true] transformer. *)
+Definition closed (X : list string) (e : expr) : Prop := Is_true (is_closed X e).
+#[export] Instance closed_proof_irrel X e : ProofIrrel (closed X e).
+Proof. unfold closed. apply _. Qed.
+#[export] Instance closed_dec X e : Decision (closed X e).
+Proof. unfold closed. apply _. Defined.
+
+(** closed expressions *)
+Lemma is_closed_weaken X Y e : is_closed X e → X ⊆ Y → is_closed Y e.
+Proof. revert X Y; induction e; naive_solver (eauto; set_solver). Qed.
+
+Lemma is_closed_weaken_nil X e : is_closed [] e → is_closed X e.
+Proof. intros. by apply is_closed_weaken with [], list_subseteq_nil. Qed.
+
+Lemma is_closed_subst X e x es :
+  is_closed [] es → is_closed (x :: X) e → is_closed X (subst x es e).
+Proof.
+  intros ?.
+  induction e in X |-*; simpl; intros ?; destruct_and?; split_and?; simplify_option_eq;
+    try match goal with
+    | H : ¬(_ ∧ _) |- _ => apply not_and_l in H as [?%dec_stable|?%dec_stable]
+    end; eauto using is_closed_weaken with set_solver.
+Qed.
+Lemma is_closed_do_subst' X e x es :
+  is_closed [] es → is_closed (x :b: X) e → is_closed X (subst' x es e).
+Proof. destruct x; eauto using is_closed_subst. Qed.
+
+Lemma closed_is_closed X e :
+  is_closed X e = true ↔ closed X e.
+Proof.
+  unfold closed. split.
+  - apply Is_true_eq_left.
+  - apply Is_true_eq_true.
+Qed.
+
+(** Substitution lemmas *)
+Lemma subst_is_closed X e x es : is_closed X e → x ∉ X → subst x es e = e.
+Proof.
+  induction e in X |-*; simpl; rewrite ?bool_decide_spec, ?andb_True; intros ??;
+    repeat case_decide; simplify_eq; simpl; f_equal; intuition eauto with set_solver.
+Qed.
+
+Lemma subst_is_closed_nil e x es : is_closed [] e → subst x es e = e.
+Proof. intros. apply subst_is_closed with []; set_solver. Qed.
+Lemma subst'_is_closed_nil e x es : is_closed [] e → subst' x es e = e.
+Proof. intros. destruct x as [ | x]. { done. } by apply subst_is_closed_nil. Qed.
+
+(** ** More on the contextual semantics *)
+
+Definition base_reducible (e : expr) :=
+  ∃ e', base_step e e'.
+Definition base_irreducible (e : expr) :=
+  ∀ e', ¬base_step e e'.
+Definition base_stuck (e : expr) :=
+  to_val e = None ∧ base_irreducible e.
+
+(** Given a base redex [e1_redex] somewhere in a term, and another
+    decomposition of the same term into [fill K' e1'] such that [e1'] is not
+    a value, then the base redex context is [e1']'s context [K'] filled with
+    another context [K''].  In particular, this implies [e1 = fill K''
+    e1_redex] by [fill_inj], i.e., [e1]' contains the base redex.)
+ *)
+Lemma step_by_val K' K_redex e1' e1_redex e2 :
+    fill K' e1' = fill K_redex e1_redex →
+    to_val e1' = None →
+    base_step e1_redex e2 →
+    ∃ K'', K_redex = comp_ectx K' K''.
+Proof.
+  rename K' into K. rename K_redex into K'.
+  rename e1' into e1. rename e1_redex into e1'.
+  intros Hfill Hred Hstep; revert K' Hfill.
+  induction K as [|Ki K IH] using rev_ind; simpl; intros K' Hfill; eauto using app_nil_r.
+  destruct K' as [|Ki' K' _] using @rev_ind; simplify_eq/=.
+  { rewrite fill_app in Hstep. apply base_ectxi_step_val in Hstep.
+    apply fill_val in Hstep. by apply not_eq_None_Some in Hstep. }
+  rewrite !fill_app in Hfill; simpl in Hfill.
+  assert (Ki = Ki') as ->.
+  { eapply fill_item_no_val_inj, Hfill.
+    - by apply fill_not_val.
+    - apply fill_not_val. eauto using val_base_stuck.
+  }
+  simplify_eq. destruct (IH K') as [K'' ->]; auto.
+  exists K''. unfold comp_ectx; simpl. rewrite assoc; [done |]. apply _.
+Qed.
+
+(** If [fill K e] takes a base step, then either [e] is a value or [K] is
+    the empty evaluation context. In other words, if [e] is not a value
+    wrapping it in a context does not add new base redex positions. *)
+Lemma base_ectx_step_val K e e2 :
+  base_step (fill K e) e2 → is_Some (to_val e) ∨ K = empty_ectx.
+Proof.
+  destruct K as [|Ki K _] using rev_ind; simpl; [by auto|].
+  rewrite fill_app; simpl.
+  intros ?%base_ectxi_step_val; eauto using fill_val.
+Qed.
+
+(** If a [contextual_step] preserving a surrounding context [K] happens,
+   the reduction happens entirely below the context. *)
+Lemma contextual_step_ectx_inv K e e' :
+  to_val e = None →
+  contextual_step (fill K e) (fill K e') →
+  contextual_step e e'.
+Proof.
+  intros ? Hcontextual.
+  inversion Hcontextual; subst.
+  eapply step_by_val in H as (K'' & Heq); [ | done | done].
+  subst K0.
+  rewrite <-fill_comp in H1. rewrite <-fill_comp in H0.
+  apply fill_inj in H1. apply fill_inj in H0. subst.
+  econstructor; done.
+Qed.
+
+Lemma base_reducible_contextual_step_ectx K e1 e2 :
+  base_reducible e1 →
+  contextual_step (fill K e1) e2 →
+  ∃ e2', e2 = fill K e2' ∧ base_step e1 e2'.
+Proof.
+  intros (e2''&HhstepK) [K' e1' e2' HKe1 -> Hstep].
+  edestruct (step_by_val K) as [K'' ?];
+    eauto using val_base_stuck; simplify_eq/=.
+  rewrite <-fill_comp in HKe1; simplify_eq.
+  exists (fill K'' e2'). rewrite fill_comp; split; [done | ].
+  apply base_ectx_step_val in HhstepK as [[v ?]|?]; simplify_eq.
+  { apply val_base_stuck in Hstep; simplify_eq. }
+  by rewrite !fill_empty.
+Qed.
+
+Lemma base_reducible_contextual_step e1 e2 :
+  base_reducible e1 →
+  contextual_step e1 e2 →
+  base_step e1 e2.
+Proof.
+  intros.
+  edestruct (base_reducible_contextual_step_ectx empty_ectx) as (?&?&?);
+    rewrite ?fill_empty; eauto.
+  by simplify_eq; rewrite fill_empty.
+Qed.
+
+(** *** Reducibility *)
+Definition reducible (e : expr) :=
+    ∃ e', contextual_step e e'.
+Definition irreducible (e : expr) :=
+  ∀ e', ¬contextual_step e e'.
+Definition stuck (e : expr) :=
+  to_val e = None ∧ irreducible e.
+Definition not_stuck (e : expr) :=
+  is_Some (to_val e) ∨ reducible e.
+
+Lemma base_step_not_stuck e e' : base_step e e' → not_stuck e.
+Proof. unfold not_stuck, reducible; simpl. eauto 10 using base_contextual_step. Qed.
+
+Lemma val_stuck e e' : contextual_step e e' → to_val e = None.
+Proof.
+  intros [??? -> -> ?%val_base_stuck].
+  apply eq_None_not_Some. by intros ?%fill_val%eq_None_not_Some.
+Qed.
+Lemma not_reducible e : ¬reducible e ↔ irreducible e.
+Proof. unfold reducible, irreducible. naive_solver. Qed.
+Lemma reducible_not_val e : reducible e → to_val e = None.
+Proof. intros (?&?). eauto using val_stuck. Qed.
+Lemma val_irreducible e : is_Some (to_val e) → irreducible e.
+Proof. intros [??] ? ?%val_stuck. by destruct (to_val e). Qed.
+
+Lemma irreducible_fill K e :
+  irreducible (fill K e) → irreducible e.
+Proof.
+  intros Hirred e' Hstep.
+  eapply Hirred. by apply fill_contextual_step.
+Qed.
+
+Lemma base_reducible_reducible e :
+  base_reducible e → reducible e.
+Proof. intros (e' & Hhead). exists e'. by apply base_contextual_step. Qed.
+
+
+(* we derive a few lemmas about contextual steps *)
+Lemma contextual_step_app_l e1 e1' e2:
+  is_val e2 →
+  contextual_step e1 e1' →
+  contextual_step (App e1 e2) (App e1' e2).
+Proof.
+  intros [v <-%of_to_val]%is_val_spec Hcontextual.
+  by eapply (fill_contextual_step [AppLCtx _]).
+Qed.
+
+Lemma contextual_step_app_r e1 e2 e2':
+  contextual_step e2 e2' →
+  contextual_step (App e1 e2) (App e1 e2').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [AppRCtx e1]).
+Qed.
+
+Lemma contextual_step_tapp e e':
+  contextual_step e e' →
+  contextual_step (TApp e) (TApp e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [TAppCtx]).
+Qed.
+
+Lemma contextual_step_pack e e':
+  contextual_step e e' →
+  contextual_step (Pack e) (Pack e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [PackCtx]).
+Qed.
+
+Lemma contextual_step_unpack x e e' e2:
+  contextual_step e e' →
+  contextual_step (Unpack x e e2) (Unpack x e' e2).
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [UnpackCtx x e2]).
+Qed.
+
+Lemma contextual_step_unop op e e':
+  contextual_step e e' →
+  contextual_step (UnOp op e) (UnOp op e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [UnOpCtx op]).
+Qed.
+
+Lemma contextual_step_binop_l op e1 e1' e2:
+  is_val e2 →
+  contextual_step e1 e1' →
+  contextual_step (BinOp op e1 e2) (BinOp op e1' e2).
+Proof.
+  intros [v <-%of_to_val]%is_val_spec Hcontextual.
+  by eapply (fill_contextual_step [BinOpLCtx op v]).
+Qed.
+
+Lemma contextual_step_binop_r op e1 e2 e2':
+  contextual_step e2 e2' →
+  contextual_step (BinOp op e1 e2) (BinOp op e1 e2').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [BinOpRCtx op e1]).
+Qed.
+
+Lemma contextual_step_if e e' e1 e2:
+  contextual_step e e' →
+  contextual_step (If e e1 e2) (If e' e1 e2).
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [IfCtx e1 e2]).
+Qed.
+
+Lemma contextual_step_pair_l e1 e1' e2:
+  is_val e2 →
+  contextual_step e1 e1' →
+  contextual_step (Pair e1 e2) (Pair e1' e2).
+Proof.
+  intros [v <-%of_to_val]%is_val_spec Hcontextual.
+  by eapply (fill_contextual_step [PairLCtx v]).
+Qed.
+
+Lemma contextual_step_pair_r e1 e2 e2':
+  contextual_step e2 e2' →
+  contextual_step (Pair e1 e2) (Pair e1 e2').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [PairRCtx e1]).
+Qed.
+
+
+Lemma contextual_step_fst e e':
+  contextual_step e e' →
+  contextual_step (Fst e) (Fst e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [FstCtx]).
+Qed.
+
+Lemma contextual_step_snd e e':
+  contextual_step e e' →
+  contextual_step (Snd e) (Snd e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [SndCtx]).
+Qed.
+
+Lemma contextual_step_injl e e':
+  contextual_step e e' →
+  contextual_step (InjL e) (InjL e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [InjLCtx]).
+Qed.
+
+Lemma contextual_step_injr e e':
+  contextual_step e e' →
+  contextual_step (InjR e) (InjR e').
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [InjRCtx]).
+Qed.
+
+Lemma contextual_step_case e e' e1 e2:
+  contextual_step e e' →
+  contextual_step (Case e e1 e2) (Case e' e1 e2).
+Proof.
+  intros Hcontextual.
+  by eapply (fill_contextual_step [CaseCtx e1 e2]).
+Qed.
+
+Lemma contextual_step_roll e e':
+  contextual_step e e' →
+  contextual_step (Roll e) (Roll e').
+Proof. by apply (fill_contextual_step [RollCtx]). Qed.
+
+Lemma contextual_step_unroll e e':
+  contextual_step e e' → contextual_step (Unroll e) (Unroll e').
+Proof. by apply (fill_contextual_step [UnrollCtx]). Qed.
+
+
+#[export]
+Hint Resolve
+  contextual_step_app_l contextual_step_app_r contextual_step_binop_l contextual_step_binop_r
+  contextual_step_case contextual_step_fst contextual_step_if contextual_step_injl contextual_step_injr
+  contextual_step_pack contextual_step_pair_l contextual_step_pair_r contextual_step_snd contextual_step_tapp
+  contextual_step_tapp contextual_step_unop contextual_step_unpack contextual_step_roll contextual_step_unroll : core.
+
--- a/theories/type_systems/systemf_mu/logrel.v
+++ b/theories/type_systems/systemf_mu/logrel.v
--- a/theories/type_systems/systemf_mu/notation.v
+++ b/theories/type_systems/systemf_mu/notation.v
@ -0,0 +1,97 @@
+From semantics.ts.systemf_mu Require Export lang.
+Set Default Proof Using "Type".
+
+
+(** Coercions to make programs easier to type. *)
+Coercion of_val : val >-> expr.
+Coercion LitInt : Z >-> base_lit.
+Coercion LitBool : bool >-> base_lit.
+Coercion App : expr >-> Funclass.
+Coercion Var : string >-> expr.
+
+(** Define some derived forms. *)
+Notation Let x e1 e2 := (App (Lam x e2) e1) (only parsing).
+Notation Seq e1 e2 := (Let BAnon e1 e2) (only parsing).
+Notation Match e0 x1 e1 x2 e2 := (Case e0 (Lam x1 e1) (Lam x2 e2)) (only parsing).
+
+(* No scope for the values, does not conflict and scope is often not inferred
+properly. *)
+Notation "# l" := (LitV l%Z%V%stdpp) (at level 8, format "# l").
+Notation "# l" := (Lit l%Z%E%stdpp) (at level 8, format "# l") : expr_scope.
+
+(** Syntax inspired by Coq/Ocaml. Constructions with higher precedence come
+    first. *)
+Notation "( e1 , e2 , .. , en )" := (Pair .. (Pair e1 e2) .. en) : expr_scope.
+Notation "( e1 , e2 , .. , en )" := (PairV .. (PairV e1 e2) .. en) : val_scope.
+
+Notation "'match:' e0 'with' 'InjL' x1 => e1 | 'InjR' x2 => e2 'end'" :=
+  (Match e0 x1%binder e1 x2%binder e2)
+  (e0, x1, e1, x2, e2 at level 200,
+   format "'[hv' 'match:'  e0  'with'  '/  ' '[' 'InjL'  x1  =>  '/  ' e1 ']'  '/' '[' |  'InjR'  x2  =>  '/  ' e2 ']'  '/' 'end' ']'") : expr_scope.
+Notation "'match:' e0 'with' 'InjR' x1 => e1 | 'InjL' x2 => e2 'end'" :=
+  (Match e0 x2%binder e2 x1%binder e1)
+  (e0, x1, e1, x2, e2 at level 200, only parsing) : expr_scope.
+
+Notation "()" := LitUnit : val_scope.
+
+Notation "e1 + e2" := (BinOp PlusOp e1%E e2%E) : expr_scope.
+Notation "e1 - e2" := (BinOp MinusOp e1%E e2%E) : expr_scope.
+Notation "e1 * e2" := (BinOp MultOp e1%E e2%E) : expr_scope.
+Notation "e1 ≤ e2" := (BinOp LeOp e1%E e2%E) : expr_scope.
+Notation "e1 = e2" := (BinOp EqOp e1%E e2%E) : expr_scope.
+Notation "e1 < e2" := (BinOp LtOp e1%E e2%E) : expr_scope.
+
+(*Notation "~ e" := (UnOp NegOp e%E) (at level 75, right associativity) : expr_scope.*)
+
+Notation "'if:' e1 'then' e2 'else' e3" := (If e1%E e2%E e3%E)
+  (at level 200, e1, e2, e3 at level 200) : expr_scope.
+
+Notation "λ: x , e" := (Lam x%binder e%E)
+  (at level 200, x at level 1, e at level 200,
+   format "'[' 'λ:'  x ,  '/  ' e ']'") : expr_scope.
+Notation "λ: x y .. z , e" := (Lam x%binder (Lam y%binder .. (Lam z%binder e%E) ..))
+  (at level 200, x, y, z at level 1, e at level 200,
+   format "'[' 'λ:'  x  y  ..  z ,  '/  ' e ']'") : expr_scope.
+
+Notation "λ: x , e" := (LamV x%binder e%E)
+  (at level 200, x at level 1, e at level 200,
+   format "'[' 'λ:'  x ,  '/  ' e ']'") : val_scope.
+Notation "λ: x y .. z , e" := (LamV x%binder (Lam y%binder .. (Lam z%binder e%E) .. ))
+  (at level 200, x, y, z at level 1, e at level 200,
+   format "'[' 'λ:'  x  y  ..  z ,  '/  ' e ']'") : val_scope.
+
+Notation "'let:' x := e1 'in' e2" := (Lam x%binder e2%E e1%E)
+  (at level 200, x at level 1, e1, e2 at level 200,
+   format "'[' 'let:'  x  :=  '[' e1 ']'  'in'  '/' e2 ']'") : expr_scope.
+Notation "e1 ;; e2" := (Lam BAnon e2%E e1%E)
+  (at level 100, e2 at level 200,
+   format "'[' '[hv' '[' e1 ']' ;;  ']' '/' e2 ']'") : expr_scope.
+
+
+Notation "'Λ' , e" := (TLam e%E)
+  (at level 200, e at level 200,
+    format "'[' 'Λ' , '/  ' e ']'") : expr_scope.
+Notation "'Λ' , e" := (TLamV e%E)
+  (at level 200, e at level 200,
+    format "'[' 'Λ' , '/  ' e ']'") : val_scope.
+
+(* the [e] always needs to be paranthesized, due to the level
+   (chosen to make this cooperate with the [App] coercion) *)
+Notation "e '<>'" := (TApp e%E)
+  (at level 10) : expr_scope.
+(*Check ((Λ, #4) <>)%E.*)
+(*Check (((λ: "x", "x") #5) <>)%E.*)
+
+Notation "'pack' e" := (Pack e%E)
+  (at level 200, e at level 200) : expr_scope.
+Notation "'pack' v" := (PackV v%V)
+  (at level 200, v at level 200) : val_scope.
+Notation "'unpack'  e1  'as'  x  'in'  e2" := (Unpack x%binder e1%E e2%E)
+  (at level 200, e1, e2 at level 200, x at level 1) : expr_scope.
+
+Notation "'roll'  e" := (Roll e%E)
+  (at level 200, e at level 200) : expr_scope.
+Notation "'roll'  v" := (RollV v%E)
+  (at level 200, v at level 200) : val_scope.
+Notation "'unroll'  e" := (Unroll e%E)
+  (at level 200, e at level 200) : expr_scope.
--- a/theories/type_systems/systemf_mu/parallel_subst.v
+++ b/theories/type_systems/systemf_mu/parallel_subst.v
@ -0,0 +1,275 @@
+From stdpp Require Import prelude.
+From iris Require Import prelude.
+From semantics.lib Require Import facts maps.
+From semantics.ts.systemf_mu Require Import lang.
+
+Fixpoint subst_map (xs : gmap string expr) (e : expr) : expr :=
+  match e with
+  | Lit l => Lit l
+  | Var y => match xs !! y with Some es => es | _ =>  Var y end
+  | App e1 e2 => App (subst_map xs e1) (subst_map xs e2)
+  | Lam x e => Lam x (subst_map (binder_delete x xs) e)
+  | UnOp op e => UnOp op (subst_map xs e)
+  | BinOp op e1 e2 => BinOp op (subst_map xs e1) (subst_map xs e2)
+  | If e0 e1 e2 => If (subst_map xs e0) (subst_map xs e1) (subst_map xs e2)
+  | TApp e => TApp (subst_map xs e)
+  | TLam e => TLam (subst_map xs e)
+  | Pack e => Pack (subst_map xs e)
+  | Unpack x e1 e2 => Unpack x (subst_map xs e1) (subst_map (binder_delete x xs) e2)
+  | Pair e1 e2 => Pair (subst_map xs e1) (subst_map xs e2)
+  | Fst e => Fst (subst_map xs e)
+  | Snd e => Snd (subst_map xs e)
+  | InjL e => InjL (subst_map xs e)
+  | InjR e => InjR (subst_map xs e)
+  | Case e e1 e2 => Case (subst_map xs e) (subst_map xs e1) (subst_map xs e2)
+  | Roll e => Roll (subst_map xs e)
+  | Unroll e => Unroll (subst_map xs e)
+  end.
+
+Lemma subst_map_empty e :
+  subst_map ∅ e = e.
+Proof.
+  induction e; simpl; f_equal; eauto.
+  all: destruct x; simpl; [done | by rewrite !delete_empty..].
+Qed.
+
+Lemma subst_map_is_closed X e xs :
+  is_closed X e →
+  (∀ x : string, x ∈ dom xs → x ∉ X) →
+  subst_map xs e = e.
+Proof.
+  intros Hclosed Hd.
+  induction e in xs, X, Hd, Hclosed |-*; simpl in *;try done.
+  all: repeat match goal with
+  | H : Is_true (_ && _)  |- _ => apply andb_True in H as [ ? ? ]
+              end.
+  { (* Var *)
+    apply bool_decide_spec in Hclosed.
+    assert (xs !! x = None) as ->; last done.
+    destruct (xs !! x) as [s | ] eqn:Helem; last done.
+    exfalso; eapply Hd; last apply Hclosed.
+    apply elem_of_dom; eauto.
+  }
+  { (* lambdas *)
+    erewrite IHe; [done | done |].
+    intros y. destruct x as [ | x]; first apply Hd.
+    simpl.
+    rewrite dom_delete elem_of_difference not_elem_of_singleton.
+    intros [Hnx%Hd Hneq]. rewrite elem_of_cons. intros [? | ?]; done.
+  }
+  8: { (* Unpack *)
+    erewrite IHe1; [ | done | done].
+    erewrite IHe2; [ done | done | ].
+    intros y. destruct x as [ | x]; first apply Hd.
+    simpl.
+    rewrite dom_delete elem_of_difference not_elem_of_singleton.
+    intros [Hnx%Hd Hneq]. rewrite elem_of_cons. intros [? | ?]; done.
+  }
+  (* all other cases *)
+  all: repeat match goal with
+       | H : ∀ _ _, _ → _ → subst_map _ _ = _ |- _ => erewrite H; clear H
+       end; done.
+Qed.
+
+Lemma subst_map_subst map x (e e' : expr) :
+  is_closed [] e' →
+  subst_map map (subst x e' e) = subst_map (<[x:=e']>map) e.
+Proof.
+  intros He'.
+  revert x map; induction e; intros xx map; simpl;
+  try (f_equal; eauto).
+  - case_decide.
+    + simplify_eq/=. rewrite lookup_insert.
+      rewrite (subst_map_is_closed []); [done | apply He' | ].
+      intros ? ?. apply not_elem_of_nil.
+    + rewrite lookup_insert_ne; done.
+  - destruct x; simpl; first done.
+    + case_decide.
+      * simplify_eq/=. by rewrite delete_insert_delete.
+      * rewrite delete_insert_ne; last by congruence. done.
+  - destruct x; simpl; first done.
+    + case_decide.
+      * simplify_eq/=. by rewrite delete_insert_delete.
+      * rewrite delete_insert_ne; last by congruence. done.
+Qed.
+
+Definition subst_is_closed (X : list string) (map : gmap string expr) :=
+  ∀ x e, map !! x = Some e → closed X e.
+Lemma subst_is_closed_subseteq X map1 map2 :
+  map1 ⊆ map2 → subst_is_closed X map2 → subst_is_closed X map1.
+Proof.
+  intros Hsub Hclosed2 x e Hl. eapply Hclosed2, map_subseteq_spec; done.
+Qed.
+
+Lemma subst_subst_map x es map e :
+  subst_is_closed [] map →
+  subst x es (subst_map (delete x map) e) =
+  subst_map (<[x:=es]>map) e.
+Proof.
+  revert map es x; induction e; intros map v0 xx Hclosed; simpl;
+  try (f_equal; eauto).
+  - destruct (decide (xx=x)) as [->|Hne].
+    + rewrite lookup_delete // lookup_insert //. simpl.
+      rewrite decide_True //.
+    + rewrite lookup_delete_ne // lookup_insert_ne //.
+      destruct (_ !! x) as [rr|] eqn:Helem.
+      * apply Hclosed in Helem.
+        by apply subst_is_closed_nil.
+      * simpl. rewrite decide_False //.
+  - destruct x; simpl; first by auto.
+    case_decide.
+    + simplify_eq. rewrite delete_idemp delete_insert_delete. done.
+    + rewrite delete_insert_ne //; last congruence. rewrite delete_commute. apply IHe.
+      eapply subst_is_closed_subseteq; last done.
+      apply map_delete_subseteq.
+  - destruct x; simpl; first by auto.
+    case_decide.
+    + simplify_eq. rewrite delete_idemp delete_insert_delete. done.
+    + rewrite delete_insert_ne //; last congruence. rewrite delete_commute. apply IHe2.
+      eapply subst_is_closed_subseteq; last done.
+      apply map_delete_subseteq.
+Qed.
+
+Lemma subst'_subst_map b (es : expr) map e :
+  subst_is_closed [] map →
+  subst' b es (subst_map (binder_delete b map) e) =
+  subst_map (binder_insert b es map) e.
+Proof.
+  destruct b; first done.
+  apply subst_subst_map.
+Qed.
+
+Lemma closed_subst_weaken e map X Y :
+  subst_is_closed [] map →
+  (∀ x, x ∈ X → x ∉ dom map → x ∈ Y) →
+  closed X e →
+  closed Y (subst_map map e).
+Proof.
+  induction e in X, Y, map |-*; rewrite /closed; simpl; intros Hmclosed Hsub Hcl; first done.
+  all: repeat match goal with
+  | H : Is_true (_ && _)  |- _ => apply andb_True in H as [ ? ? ]
+              end.
+  { (* vars *)
+    destruct (map !! x) as [es | ] eqn:Heq.
+    + apply is_closed_weaken_nil. by eapply Hmclosed.
+    + apply bool_decide_pack. apply Hsub; first by eapply bool_decide_unpack.
+      by apply not_elem_of_dom.
+  }
+  { (* lambdas *)
+    eapply IHe; last done.
+    + eapply subst_is_closed_subseteq; last done.
+      destruct x; first done. apply map_delete_subseteq.
+    + intros y. destruct x as [ | x]; first by apply Hsub.
+      rewrite !elem_of_cons. intros [-> | Hy] Hn; first by left.
+      destruct (decide (y = x)) as [ -> | Hneq]; first by left.
+      right. eapply Hsub; first done. set_solver.
+  }
+  8: { (* unpack *)
+    apply andb_True; split; first naive_solver.
+    eapply IHe2; last done.
+    + eapply subst_is_closed_subseteq; last done.
+      destruct x; first done. apply map_delete_subseteq.
+    + intros y. destruct x as [ | x]; first by apply Hsub.
+      rewrite !elem_of_cons. intros [-> | Hy] Hn; first by left.
+      destruct (decide (y = x)) as [ -> | Hneq]; first by left.
+      right. eapply Hsub; first done. set_solver.
+  }
+  (* all other cases *)
+  all: repeat match goal with
+         | |- Is_true (_ && _) => apply andb_True; split
+              end.
+  all: naive_solver.
+Qed.
+
+Lemma subst_is_closed_weaken X1 X2 θ :
+  subst_is_closed X1 θ →
+  X1 ⊆ X2 →
+  subst_is_closed X2 θ.
+Proof.
+  intros Hcl Hincl x e Hlook.
+  eapply is_closed_weaken; last done.
+  by eapply Hcl.
+Qed.
+
+Lemma subst_is_closed_weaken_nil X θ :
+  subst_is_closed [] θ →
+  subst_is_closed X θ.
+Proof.
+  intros; eapply subst_is_closed_weaken; first done.
+  apply list_subseteq_nil.
+Qed.
+
+Lemma subst_is_closed_insert X e f θ :
+  is_closed X e →
+  subst_is_closed X (delete f θ) →
+  subst_is_closed X (<[f := e]> θ).
+Proof.
+  intros Hcl Hcl' x e'.
+  destruct (decide (x = f)) as [<- | ?].
+  - rewrite lookup_insert. intros [= <-]. done.
+  - rewrite lookup_insert_ne; last done.
+    intros Hlook. eapply Hcl'.
+    rewrite lookup_delete_ne; done.
+Qed.
+
+(* NOTE: this is a simplified version of the tactic in tactics.v which
+  suffice for this proof *)
+Ltac simplify_closed :=
+  repeat match goal with
+  | |- closed _ _ => unfold closed; simpl
+  | |- Is_true (_ && _)  => simpl; rewrite !andb_True; split_and!
+  | H : closed _ _ |- _ => unfold closed in H; simpl in H
+  | H: Is_true (_ && _) |- _ => simpl in H; apply andb_True in H
+  | H : _ ∧ _ |- _ => destruct H
+  end.
+
+Lemma is_closed_subst_map X θ e :
+  subst_is_closed X θ →
+  closed (X ++ elements (dom θ)) e →
+  closed X (subst_map θ e).
+Proof.
+  induction e in X, θ |-*; eauto.
+  all: try solve [intros; simplify_closed; naive_solver].
+  - unfold subst_map.
+    destruct (θ !! x) eqn:Heq.
+    + intros Hcl _. eapply Hcl; done.
+    + intros _ Hcl.
+      apply closed_is_closed in Hcl.
+      apply bool_decide_eq_true in Hcl.
+      apply elem_of_app in Hcl.
+      destruct Hcl as [ | H].
+      * apply closed_is_closed. by apply bool_decide_eq_true.
+      * apply elem_of_elements in H.
+        by apply not_elem_of_dom in Heq.
+  - intros. simplify_closed.
+    eapply IHe.
+    + destruct x as [ | x]; simpl; first done.
+      intros y e'. rewrite lookup_delete_Some. intros (? & Hlook%H).
+      eapply is_closed_weaken; first done.
+      by apply list_subseteq_cons_r.
+    + eapply is_closed_weaken; first done.
+      simpl. destruct x as [ | x]; first done; simpl.
+      apply list_subseteq_cons_l.
+      apply stdpp.sets.elem_of_subseteq.
+      intros y; simpl. rewrite elem_of_cons !elem_of_app.
+      intros [ | Helem]; first naive_solver.
+      destruct (decide (x = y)) as [<- | Hneq]; first naive_solver.
+      right. right. apply elem_of_elements. rewrite dom_delete elem_of_difference elem_of_singleton.
+      apply elem_of_elements in Helem; done.
+  - intros. simplify_closed. { naive_solver. }
+    (* same proof as for lambda *)
+    eapply IHe2.
+    + destruct x as [ | x]; simpl; first done.
+      intros y e'. rewrite lookup_delete_Some. intros (? & Hlook%H).
+      eapply is_closed_weaken; first done.
+      by apply list_subseteq_cons_r.
+    + eapply is_closed_weaken; first done.
+      simpl. destruct x as [ | x]; first done; simpl.
+      apply list_subseteq_cons_l.
+      apply stdpp.sets.elem_of_subseteq.
+      intros y; simpl. rewrite elem_of_cons !elem_of_app.
+      intros [ | Helem]; first naive_solver.
+      destruct (decide (x = y)) as [<- | Hneq]; first naive_solver.
+      right. right. apply elem_of_elements. rewrite dom_delete elem_of_difference elem_of_singleton.
+      apply elem_of_elements in Helem; done.
+Qed.
--- a/theories/type_systems/systemf_mu/pure.v
+++ b/theories/type_systems/systemf_mu/pure.v
@ -0,0 +1,289 @@
+From stdpp Require Import gmap base relations.
+From iris Require Import prelude.
+From semantics.lib Require Import maps.
+From semantics.ts.systemf_mu Require Import lang notation.
+
+Lemma contextual_ectx_step_case K e e' :
+  contextual_step (fill K e) e' →
+  (∃ e'', e' = fill K e'' ∧ contextual_step e e'') ∨ is_val e.
+Proof.
+  (* TODO: exercise *)
+Admitted.
+
+
+(** ** Deterministic reduction *)
+
+Record det_step (e1 e2 : expr) := {
+  det_step_safe : reducible e1;
+  det_step_det e2' :
+    contextual_step e1 e2' → e2' = e2
+}.
+
+Record det_base_step (e1 e2 : expr) := {
+  det_base_step_safe : base_reducible e1;
+  det_base_step_det e2' :
+    base_step e1 e2' → e2' = e2
+}.
+
+Lemma det_base_step_det_step e1 e2 : det_base_step e1 e2 → det_step e1 e2.
+Proof.
+  intros [Hp1 Hp2]. split.
+  - destruct Hp1 as (e2' & ?).
+    eexists e2'. by apply base_contextual_step.
+  - intros e2' ?%base_reducible_contextual_step; [ | done]. by apply Hp2.
+Qed.
+
+(** *** Pure execution lemmas *)
+Local Ltac inv_step :=
+  repeat match goal with
+  | H : to_val _ = Some _ |- _ => apply of_to_val in H
+  | H : base_step ?e ?e2 |- _ =>
+     try (is_var e; fail 1); (* inversion yields many goals if [e] is a variable
+     and should thus better be avoided. *)
+     inversion H; subst; clear H
+  end.
+Local Ltac solve_exec_safe := intros; subst; eexists; econstructor; eauto.
+Local Ltac solve_exec_detdet := simpl; intros; inv_step; try done.
+Local Ltac solve_det_exec :=
+  subst; intros; apply det_base_step_det_step;
+    constructor; [solve_exec_safe | solve_exec_detdet].
+
+Lemma det_step_beta x e e2 :
+  is_val e2 →
+  det_step (App (@Lam x e) e2) (subst' x e2 e).
+Proof. solve_det_exec. Qed.
+
+Lemma det_step_tbeta e :
+  det_step ((Λ, e) <>) e.
+Proof. solve_det_exec. Qed.
+
+Lemma det_step_unpack e1 e2 x :
+  is_val e1 →
+  det_step (unpack (pack e1) as x in e2) (subst' x e1 e2).
+Proof. solve_det_exec. Qed.
+
+Lemma det_step_unop op e v v' :
+  to_val e = Some v →
+  un_op_eval op v = Some v' →
+  det_step (UnOp op e) v'.
+Proof. solve_det_exec. by simplify_eq. Qed.
+
+Lemma det_step_binop op e1 v1 e2 v2 v' :
+  to_val e1 = Some v1 →
+  to_val e2 = Some v2 →
+  bin_op_eval op v1 v2 = Some v' →
+  det_step (BinOp op e1 e2) v'.
+Proof. solve_det_exec. by simplify_eq. Qed.
+
+Lemma det_step_if_true e1 e2 :
+  det_step (if: #true then e1 else e2) e1.
+Proof. solve_det_exec. Qed.
+Lemma det_step_if_false e1 e2 :
+  det_step (if: #false then e1 else e2) e2.
+Proof. solve_det_exec. Qed.
+
+Lemma det_step_fst e1 e2 :
+  is_val e1 →
+  is_val e2 →
+  det_step (Fst (e1, e2)) e1.
+Proof. solve_det_exec. Qed.
+Lemma det_step_snd e1 e2 :
+  is_val e1 →
+  is_val e2 →
+  det_step (Snd (e1, e2)) e2.
+Proof. solve_det_exec. Qed.
+
+Lemma det_step_casel e e1 e2 :
+  is_val e →
+  det_step (Case (InjL e) e1 e2) (e1 e).
+Proof. solve_det_exec. Qed.
+Lemma det_step_caser e e1 e2 :
+  is_val e →
+  det_step (Case (InjR e) e1 e2) (e2 e).
+Proof. solve_det_exec. Qed.
+
+Lemma det_step_unroll e :
+  is_val e →
+  det_step (unroll (roll e)) e.
+Proof. solve_det_exec. Qed.
+
+(** ** n-step reduction *)
+(** Reduce in n steps to an irreducible expression.
+    (this is ⇝^n from the lecture notes)
+ *)
+Definition red_nsteps (n : nat) (e e' : expr) := nsteps contextual_step n e e' ∧ irreducible e'.
+
+Lemma det_step_red e e' e'' n :
+  det_step e e' →
+  red_nsteps n e e'' →
+  1 ≤ n ∧ red_nsteps (n - 1) e' e''.
+Proof.
+  intros [Hprog Hstep] Hred.
+  inversion Hprog; subst.
+  destruct Hred as [Hred  Hirred].
+  destruct n as [ | n].
+  { inversion Hred; subst.
+    exfalso; eapply not_reducible; done.
+  }
+  inversion Hred; subst. simpl.
+  apply Hstep in H as ->. apply Hstep in H1 as ->.
+  split; first lia.
+  replace (n - 0) with n by lia. done.
+Qed.
+
+Lemma contextual_step_red_nsteps n e e' e'' :
+  contextual_step e e' →
+  red_nsteps n e' e'' →
+  red_nsteps (S n) e e''.
+Proof.
+  intros Hstep [Hsteps Hirred].
+  split; last done.
+  by econstructor.
+Qed.
+
+Lemma nsteps_val_inv n v e' :
+  red_nsteps n (of_val v) e' → n = 0 ∧ e' = of_val v.
+Proof.
+  intros [Hred Hirred]; cbn in *.
+  destruct n as [ | n].
+  - inversion Hred; subst. done.
+  - inversion Hred; subst. exfalso. eapply val_irreducible; last done.
+    rewrite to_of_val. eauto.
+Qed.
+
+Lemma nsteps_val_inv' n v e e' :
+  to_val e = Some v →
+  red_nsteps n e e' → n = 0 ∧ e' = of_val v.
+Proof. intros Ht. rewrite -(of_to_val _ _ Ht). apply nsteps_val_inv. Qed.
+
+Lemma red_nsteps_fill K k e e' :
+  red_nsteps k (fill K e) e' →
+  ∃ j e'', j ≤ k ∧
+    red_nsteps j e e'' ∧
+    red_nsteps (k - j) (fill K e'') e'.
+Proof.
+  (* TODO: exercise *)
+Admitted.
+
+
+
+(** Additionally useful stepping lemmas *)
+Lemma app_step_r (e1 e2 e2': expr) :
+  contextual_step e2 e2' → contextual_step (e1 e2) (e1 e2').
+Proof. by apply (fill_contextual_step [AppRCtx _]). Qed.
+
+Lemma app_step_l (e1 e1' e2: expr) :
+  contextual_step e1 e1' → is_val e2 → contextual_step (e1 e2) (e1' e2).
+Proof.
+  intros ? (v & Hv)%is_val_spec.
+  rewrite <-(of_to_val _ _ Hv).
+  by apply (fill_contextual_step [AppLCtx _]).
+Qed.
+
+Lemma app_step_beta (x: string) (e e': expr) :
+  is_val e' → is_closed [x] e → contextual_step ((λ: x, e) e') (lang.subst x e' e).
+Proof.
+  intros Hval Hclosed. eapply base_contextual_step, BetaS; eauto.
+Qed.
+
+Lemma unroll_roll_step (e: expr) :
+  is_val e → contextual_step (unroll (roll e)) e.
+Proof.
+  intros ?; by eapply base_contextual_step, UnrollS.
+Qed.
+
+
+Lemma fill_reducible K e :
+  reducible e → reducible (fill K e).
+Proof.
+  intros (e' & Hstep).
+  exists (fill K e'). eapply fill_contextual_step. done.
+Qed.
+
+Lemma reducible_contextual_step_case K e e' :
+  contextual_step (fill K e) (e') →
+  reducible e →
+  ∃ e'', e' = fill K e'' ∧ contextual_step e e''.
+Proof.
+  intros [ | Hval]%contextual_ectx_step_case Hred; first done.
+  exfalso. apply is_val_spec in Hval as (v & Hval).
+  apply reducible_not_val in Hred. congruence.
+Qed.
+
+(** Contextual lifting lemmas for deterministic reduction *)
+Tactic Notation "lift_det" uconstr(ctx) :=
+  intros;
+  let Hs := fresh in
+  match goal with
+  | H : det_step _ _ |- _ => destruct H as [? Hs]
+  end;
+  simplify_val; econstructor;
+  [intros; by eapply (fill_reducible ctx) |
+   intros ? (? & -> & ->%Hs)%(reducible_contextual_step_case ctx); done ].
+
+Lemma det_step_pair_r e1 e2 e2' :
+  det_step e2 e2' →
+  det_step (e1, e2)%E (e1, e2')%E.
+Proof. lift_det [PairRCtx _]. Qed.
+Lemma det_step_pair_l e1 e1' e2 :
+  is_val e2 →
+  det_step e1 e1' →
+  det_step (e1, e2)%E (e1', e2)%E.
+Proof. lift_det [PairLCtx _]. Qed.
+Lemma det_step_binop_r e1 e2 e2' op :
+  det_step e2 e2' →
+  det_step (BinOp op e1 e2)%E (BinOp op e1 e2')%E.
+Proof. lift_det [BinOpRCtx _ _]. Qed.
+Lemma det_step_binop_l e1 e1' e2 op :
+  is_val e2 →
+  det_step e1 e1' →
+  det_step (BinOp op e1 e2)%E (BinOp op e1' e2)%E.
+Proof. lift_det [BinOpLCtx _ _]. Qed.
+Lemma det_step_if e e' e1 e2 :
+  det_step e e' →
+  det_step (If e e1 e2)%E (If e' e1 e2)%E.
+Proof. lift_det [IfCtx _ _]. Qed.
+Lemma det_step_app_r e1 e2 e2' :
+  det_step e2 e2' →
+  det_step (App e1 e2)%E (App e1 e2')%E.
+Proof. lift_det [AppRCtx _]. Qed.
+Lemma det_step_app_l e1 e1' e2 :
+  is_val e2 →
+  det_step e1 e1' →
+  det_step (App e1 e2)%E (App e1' e2)%E.
+Proof. lift_det [AppLCtx _]. Qed.
+Lemma det_step_snd_lift e e' :
+  det_step e e' →
+  det_step (Snd e)%E (Snd e')%E.
+Proof. lift_det [SndCtx]. Qed.
+Lemma det_step_fst_lift e e' :
+  det_step e e' →
+  det_step (Fst e)%E (Fst e')%E.
+Proof. lift_det [FstCtx]. Qed.
+
+
+#[global]
+Hint Resolve app_step_r app_step_l app_step_beta unroll_roll_step : core.
+#[global]
+Hint Extern 1 (is_val _) => (simpl; fast_done) : core.
+#[global]
+Hint Immediate is_val_of_val : core.
+
+#[global]
+Hint Resolve det_step_beta det_step_tbeta det_step_unpack det_step_unop det_step_binop det_step_if_true det_step_if_false det_step_fst det_step_snd det_step_casel det_step_caser det_step_unroll : core.
+
+#[global]
+Hint Resolve det_step_pair_r det_step_pair_l det_step_binop_r det_step_binop_l det_step_if det_step_app_r det_step_app_l det_step_snd_lift det_step_fst_lift : core.
+
+#[global]
+Hint Constructors nsteps : core.
+
+#[global]
+Hint Extern 1 (is_val _) => simpl : core.
+
+(** Prove a single deterministic step using the lemmas we just proved *)
+Ltac do_det_step :=
+  match goal with
+  | |- nsteps det_step _ _ _ => econstructor 2; first do_det_step
+  | |- det_step _ _ => simpl; solve[eauto 10]
+  end.
--- a/theories/type_systems/systemf_mu/tactics.v
+++ b/theories/type_systems/systemf_mu/tactics.v
@ -0,0 +1,84 @@
+From stdpp Require Import gmap base relations.
+From iris Require Import prelude.
+From semantics.lib Require Export facts maps sets.
+From semantics.ts.systemf_mu Require Export lang notation types.
+
+Ltac map_solver :=
+  repeat match goal with
+         | |-  (⤉ _) !! _ = Some _ =>
+             rewrite fmap_insert
+         | |- <[ ?p := _ ]> _ !! ?p = Some _ =>
+             apply lookup_insert
+         | |- <[ _ := _ ]> _ !! _ = Some _ =>
+             rewrite lookup_insert_ne; [ | congruence]
+         end.
+Ltac solve_typing :=
+  intros;
+  repeat match goal with
+  | |- TY _ ; _ ⊢ ?e : ?A => first [eassumption | econstructor]
+  (* heuristic to solve tapp goals where we need to pick the right type for the substitution *)
+  | |- TY _ ; _ ⊢ ?e <> : ?A => eapply typed_tapp'; [solve_typing | | asimpl; reflexivity]
+  | |- TY _ ; _ ⊢ Unroll ?e : ?A => eapply typed_unroll'; [solve_typing | asimpl; reflexivity]
+  | |- bin_op_typed _ _ _ _ => econstructor
+  | |- un_op_typed _ _ _ _ => econstructor
+  | |- type_wf _ ?e => assert_fails (is_evar e); eassumption
+  | |- type_wf _ ?e => assert_fails (is_evar e); econstructor
+  | |- type_wf _ (subst _ ?A) => eapply type_wf_subst; [ | intros; simpl]
+  | |- type_wf _ ?e => assert_fails (is_evar e); eapply type_wf_mono; [eassumption | lia]
+  (* conditions spawned by the tyvar case of [type_wf] *)
+  | |- _ < _ => lia
+  (* conditions spawned by the variable case *)
+  | |- _ !! _ = Some _ => map_solver
+  end.
+
+Tactic Notation "unify_type" uconstr(A) :=
+  match goal with
+  | |- TY ?n; ?Γ ⊢ ?e : ?B => unify A B
+  end.
+Tactic Notation "replace_type" uconstr(A) :=
+  match goal with
+  | |- TY ?n; ?Γ ⊢ ?e : ?B => replace B%ty with A%ty; cycle -1; first try by asimpl
+  end.
+
+
+Ltac simplify_list_elem :=
+  simpl;
+  repeat match goal with
+         | |- ?x ∈ ?y :: ?l => apply elem_of_cons; first [left; reflexivity | right]
+         | |- _ ∉ [] => apply not_elem_of_nil
+         | |- _ ∉ _ :: _ => apply not_elem_of_cons; split
+  end; try fast_done.
+Ltac simplify_list_subseteq :=
+  simpl;
+  repeat match goal with
+         | |- ?x :: _ ⊆ ?x :: _ => apply list_subseteq_cons_l
+         | |- ?x :: _ ⊆ _ => apply list_subseteq_cons_elem; first solve [simplify_list_elem]
+         | |- elements _ ⊆ elements _ => apply elements_subseteq; set_solver
+         | |- [] ⊆ _ => apply list_subseteq_nil
+         | |- ?x :b: _ ⊆ ?x :b: _ => apply list_subseteq_cons_binder
+         (* NOTE: this might make the goal unprovable *)
+         (*| |- elements _ ⊆ _ :: _ => apply list_subseteq_cons_r*)
+         end;
+  try fast_done.
+
+(* Try to solve [is_closed] goals using a number of heuristics (that shouldn't make the goal unprovable) *)
+Ltac simplify_closed :=
+  simpl; intros;
+  repeat match goal with
+  | |- closed _ _ => unfold closed; simpl
+  | |- Is_true (is_closed [] _) => first [assumption | done]
+  | |- Is_true (is_closed _ (lang.subst _ _ _)) => rewrite subst_is_closed_nil; last solve[simplify_closed]
+  | |- Is_true (is_closed ?X ?v) => assert_fails (is_evar X); eapply is_closed_weaken
+  | |- Is_true (is_closed _ _) => eassumption
+  | |- Is_true (_ && true) => rewrite andb_true_r
+  | |- Is_true (true && _) => rewrite andb_true_l
+  | |- Is_true (?a && ?a) => rewrite andb_diag
+  | |- Is_true (_ && _)  => simpl; rewrite !andb_True; split_and!
+  | |- _ ⊆ ?A => match type of A with | list _ => simplify_list_subseteq end
+  | |- _ ∈ ?A => match type of A with | list _ => simplify_list_elem end
+  | |- _ ≠ _ => congruence
+  | H : closed _ _ |- _ => unfold closed in H; simpl in H
+  | H: Is_true (_ && _) |- _ => simpl in H; apply andb_True in H
+  | H : _ ∧ _ |- _ => destruct H
+  | |- Is_true (bool_decide (_ ∈ _)) => apply bool_decide_pack; set_solver
+  end; try fast_done.
--- a/theories/type_systems/systemf_mu/types.v
+++ b/theories/type_systems/systemf_mu/types.v
--- a/theories/type_systems/systemf_mu/untyped_encoding.v
+++ b/theories/type_systems/systemf_mu/untyped_encoding.v
@ -0,0 +1,80 @@
+From stdpp Require Import gmap base relations tactics.
+From iris Require Import prelude.
+From semantics.ts.systemf_mu Require Import lang notation types pure tactics.
+From Autosubst Require Import Autosubst.
+
+(** * Encoding of the untyped lambda calculus *)
+
+Definition D := (μ: #0 → #0)%ty.
+
+Definition lame (x : string) (e : expr) : val := RollV (λ: x, e).
+Definition appe (e1 e2 : expr) : expr := (unroll e1) e2.
+
+Lemma lame_typed n Γ x e :
+  TY n; (<[x := D]> Γ) ⊢ e : D →
+  TY n; Γ ⊢ lame x e : D.
+Proof. solve_typing. Qed.
+
+Lemma app_typed n Γ e1 e2 :
+  TY n; Γ ⊢ e1 : D →
+  TY n; Γ ⊢ e2 : D →
+  TY n; Γ ⊢ appe e1 e2 : D.
+Proof.
+  solve_typing.
+Qed.
+
+Lemma appe_step_l e1 e1' (v : val) :
+  contextual_step e1 e1' →
+  contextual_step (appe e1 v) (appe e1' v).
+Proof.
+  intros Hstep. unfold appe.
+  by eapply (fill_contextual_step [UnrollCtx; AppLCtx _]).
+Qed.
+
+Lemma appe_step_r e1 e2 e2' :
+  contextual_step e2 e2' →
+  contextual_step (appe e1 e2) (appe e1 e2').
+Proof.
+  intros Hstep. unfold appe.
+  by eapply (fill_contextual_step [AppRCtx _]).
+Qed.
+
+Lemma lame_step_beta x e (v : val) :
+  rtc contextual_step (appe (lame x e) v) (lang.subst x v e).
+Proof.
+  unfold appe, lame.
+  econstructor 2.
+  { eapply (fill_contextual_step [AppLCtx _]).
+    eapply base_contextual_step. by econstructor.
+  }
+  econstructor 2.
+  { eapply base_contextual_step. econstructor; eauto. }
+  reflexivity.
+Qed.
+
+(* Divergence *)
+Definition ω : expr :=
+  roll (λ: "x", (unroll "x") "x").
+
+Definition Ω := ((unroll ω) ω)%E.
+
+Lemma Ω_loops:
+  tc contextual_step Ω Ω.
+Proof.
+  econstructor 2; [|econstructor 1].
+  - rewrite /Ω /ω. eauto.
+  - rewrite /Ω. eauto.
+Qed.
+
+Lemma ω_typed :
+  TY 0; ∅ ⊢ ω : D.
+Proof.
+  solve_typing.
+Qed.
+
+Lemma Ω_typed : TY 0; ∅ ⊢ Ω : D.
+Proof.
+  rewrite /Ω. econstructor.
+  - eapply typed_unroll'; eauto using ω_typed.
+  - eapply ω_typed.
+Qed.