Under onsideration for publi ation in Formal Aspe ts of ComputingAbstra t Syntax with Variable Binding1Murdo h J. Gabbay and Andrew M. PittsCambridge University Computer LaboratoryKeywords: abstra t syntax; alpha- onversion; stru tural indu tion; permuta-tion a tions; set theoryAbstra t. The permutation model of set theory with atoms (FM-sets), devisedby Fraenkel and Mostowski in the 1930s, supports notions of `name-abstra tion'and `fresh name' that provide a new way to represent, ompute with, and rea-son about the syntax of formal systems involving variable-binding operations.Indu tively de�ned FM-sets involving the name-abstra tion set former (togetherwith artesian produ t and disjoint union) an orre tly en ode syntax mod-ulo renaming of bound variables. In this way, the standard theory of algebrai data types an be extended to en ompass signatures involving binding operators.In parti ular, there is an asso iated notion of stru tural re ursion for de�ningsyntax-manipulating fun tions (su h as apture avoiding substitution, set of freevariables, et ) and a notion of proof by stru tural indu tion, both of whi h re-main pleasingly lose to informal pra ti e in omputer s ien e.1. Introdu tionThis paper presents a simple variant of lassi al set theory that turns out to bevery onvenient for developing the metamathemati s of formal systems involvingvariable-binding operations. The main message we wish to get a ross is that arelatively small hange to lassi al set theory, involving the use of atoms (orurelements, as they are often referred to), an reap great bene�ts for this aspe t ofmetamathemati s. In parti ular we will see that in su h a set theory it is possibleto represent �-equivalen e lasses of abstra t syntax trees as the elements of anindu tively de�ned set, rather than just the quotient of su h a set. Moreover,this an be done in su h a way that the te hniques of stru tural indu tion andCorresponden e and o�print requests to: Andrew M. Pitts, Cambridge University ComputerLaboratory, Pembroke Street, Cambridge CB2 3QG, UK. e-mail: Andrew.Pitts� l. am.a .uk1 This paper is dedi ated to Rod Burstall. It is a revised and expanded version of [GP99℄.

2 M. J. Gabbay and A. M. Pittsre ursion, that Burstall did so mu h to promote in omputer s ien e [Bur69,Bur77℄, extend in a pleasant fashion from onventional algebrai datatypes toones involving variable-binding operations.But of ourse using a di�erent set theory, even though it is very lose to theusual one, is not a step to be undertaken lightly; so we begin with a ritique ofthe urrent state of the art. It is oriented towards the parti ular use of su h ametatheory of variable binding that most on erns us, namely ma hine-assistedproofs about the stru tural operational semanti s [Plo81℄ of programming lan-guages.Ba kgroundThe theory and pra ti e of spe ifying and reasoning about synta ti al stru turesthat do not involve variable-binding onstru ts is well understood. The theoryinvolves su h indispensable on epts as algebrai data types [GTWW77℄, indu -tively de�ned sets, de�nition by stru tural re ursion and proof by stru turalindu tion [Bur69℄; the pra ti e an be seen in several general-purpose systemsfor ma hine-assisted proof (su h as [GM93, PM93℄). This algebrai , `no binders'ma hinery is often applied to syntax that does involve binders; but in that aseit yields overly- on rete representations in whi h large numbers of essentiallyroutine onstru tions and proofs to do with renaming bound variables, aptureavoiding substitution, and so on, must be done and re-done for ea h obje t-language on a ase-by- ase basis. To make large, ma hine- he kable proofs fea-sible, one has to take a more sophisti ated approa h.One su h approa h involves representing obje t-level variables by variables ina metalanguage based on typed �- al ulus. This shifts renaming and substitutionto the meta-level where their properties are established on e and for all. Thisis the `higher order abstra t syntax' (HOAS) approa h [PE88℄|an idea goingba k to Chur h [Chu40℄ and Martin-L�of [Mar84℄ that has found its way intomany of the urrent logi al frameworks and proof assistants. Its big drawba k,in its original form at least, is that one looses the ability to de�ne fun tions onsyntax by stru tural re ursion and to prove properties by stru tural indu tion|absolutely essential tools, espe ially for appli ations to operational semanti s.There are re ent proposals to over ome this short oming [MM97, DPS97℄. Theyresult in systems that are te hni ally very interesting but for e the designer ofalgorithms and proofs `modulo-�- onversion' to use forms of expression that arerather far from familiar informal pra ti e. Indeed, the whole HOAS approa h byits very nature disallows a feature that we regard of key pra ti al importan e:the ability to manipulate names of bound variables expli itly in omputation andproof.2 The same riti ism applies to approa hes to variable binding based uponde Bruijn's nameless terms [dB72℄ or ategori al ombinators [Cur93℄: these aregood for ma hine implementations, but not, we would argue, for representationsintended for ma hine-assisted human reasoning.2 Of ourse, one an introdu e a type of `names' in a HOAS-style signature, as for example isdone in [HMS98℄; but as the authors of that work say [p 26℄: \The main drawba k of HOAS isthe diÆ ulty of dealing with metatheoreti issues on erning names. . . . As a onsequen e, somemetatheoreti properties involving substitution and freshness of names. . . annot be provedinside the framework and instead have to be postulated." It is pre isely su h problems withnames that we laim our approa h over omes in a simple way.

Abstra t Syntax with Variable Binding 3Instead of the HOAS approa h of moving both �- onversion and substitutionto the meta-level, we will just promote the former, leaving notions of substitutionto be de�ned (by stru tural re ursion) on a ase-by- ase basis by the user. Thisdoes not seem too bad a ompromise, sin e we show that it permits both ani e al ulus of bound names and notions of stru tural re ursion and stru turalindu tion for variable-binding onstru ts. We present these in a theory withthe expressive power of lassi al set theory (without the axiom of hoi e) andwhi h remains lose to informal pra ti e in its forms of expression. This, andthe fo us on �- onversion rather than substitution as primitive, makes our work lose in spirit to that of Gordon and Melham [GM96℄, who axiomatise a typeof untyped �-terms modulo �- onversion within Chur h's higher order logi .However, we take a more foundational approa h, in that the ne essary propertiesof �- onversion be ome part of the underlying set theory3 itself. This results innotions of stru tural re ursion and indu tion that seem rather simpler than thosein [GM96℄ ( f. Example 6.10 below).Overview of the paperThe Fraenkel-Mostowski permutation model of set theory was devised in orderto prove the independen e of the Axiom of Choi e (AC) from the other axiomsof Zermelo-Fraenkel set theory with atoms (ZFA) (and some de ades later Cohenproved the harder result of independen e of AC from set theory without atoms(ZF), via his elebrated for ing method; see [Je 77, Se tion 6℄ for a brief surveyof these matters). Our appli ation of the permutation model of set theory toabstra t syntax with variable binding is rather far from this original purpose!To motivate its use, in Se tion 2 we onsider a paradigmati example of syntaxinvolving variable binding, the lambda al ulus, and show that �- onversion of�-terms an be expressed in terms of the primitive operation of permuting aterm's variables, be they free, bound or binding (Proposition 2.2). This moti-vates the use of sets equipped with permutation a tions as a general setting fordis ussing syntax: the basi notions, in luding the key notion of `�nite support'are reviewed in Se tion 3; and the Fraenkel-Mostowski umulative hierar hy ofsets with �nite support is re alled in Se tion 4. That se tion introdu es FM-settheory, an axiomatisation of the Fraenkel-Mostowski permutation model whosespe ial features, ompared with the usual Zermelo-Fraenkel set theory, are ex-pressed in terms of a set of atoms, a `freshness' predi ate a# x (meaning `atoma is not in the (�nite) support of obje t x') and a quanti�er Na 2 A� (meaning`for all but �nitely many atoms a, � holds'). As far as we know, the N-quanti�eris novel; it has a dual `some/any' hara ter (see Lemma 4.10), whi h gives itvery pleasant logi al properties that we exploit throughout the rest of the pa-per. Our main ontribution o urs in Se tion 5, where we de�ne a new notion of`atom-abstra tion' within FM-set theory. Then in Se tion 6 we show that atom-abstra tion an be used in ombination with artesian produ t and disjoint unionto form indu tively de�ned sets in the Fraenkel-Mostowski permutation modelthat represent syntax modulo �- onversion (Theorem 6.2). The standard theory3 Instead of using set theory, one an use a higher order logi based on Chur h's simple theoryof types[Chu40℄ as the basis of the approa h des ribed here, but we have yet to develop thisformulation

4 M. J. Gabbay and A. M. Pittsof algebrai data types extends to en ompass signatures involving binding op-erators. In parti ular, there are notions of stru tural re ursion (Corollary 6.7)and indu tion (Theorem 6.8) for these indu tively de�ned FM-sets that respe tindistinguishability of �-variants and yet are pleasingly lose to informal pra -ti e when manipulating �-equivalen e lasses via representatives with expli itlynamed bound variables. Se tion 7 dis usses related work; and in Se tion 8, we on lude by mentioning some ways in whi h the theory presented here is beingdeveloped and applied.2. Permutative RenamingAs a motivating example, onsider the terms M of the untyped lambda al u-lus [Bar84℄:M ::= a jMM j �a:M (1)where a ranges over some ountably in�nite set A of names of variables.De�nition 2.1. The ountably in�nite set A will be �xed throughout this pa-per. We all its elements atoms.Given a; a0 2 A , onsider the following three versions of the notion of variable-renaming for �-terms M :fa0=agM; the textual substitution of a0 for all free o urren es of a in M ;[a0=a℄M; the apture-avoiding substitution of a0 for all free o urren es of a inM ;(a0 a) �M; the transposition of all o urren es (be they free, bound, or binding)of a and a0 in M .For example, when M is (�a0:a a0)(�a:a), thenfa0=agM = (�a0:a0a0)(�a:a);[a0=a℄M = (�a00:a0a00)(�a:a) (a00 fresh),(a0 a) �M = (�a:a0a)(�a0:a0):We assume the reader is familiar with the �rst two notions of renaming (if not,see [Bar84℄, for example). Although the third version is possibly less familiar, itis in fa t more basi than the other two, be ause: �rstly, one does not need toknow whether any of the operations in the underlying signature for �-terms aresupposed to be variable-binders in order to de�ne it; se ondly, it an neverthelessbe used to de�ne �- onversion, as the following result shows ( f. [Gun92, p 36℄,whi h uses fa0=ag(�) in pla e of (a0 a) � (�) for the same purpose). Re all that�- onversion, =�, is usually de�ned as the least ongruen e on the set of �-termsthat identi�es �a:M with �a0:[a0=a℄M .Proposition 2.2. The relation of �- onversion between �-terms, =�, oin ideswith the binary relation � indu tively generated by the following axioms and

Abstra t Syntax with Variable Binding 5rules.a 2 Aa � a M1 �M 01 M2 �M 02M1M2 �M 01M 02(a00 a) �M � (a00 a0) �M 0 a00 6= a; a0a00 does not o ur in M;M 0�a:M � �a0:M 0Proof. It is not hard to see that (a0 a) � (�) preserves =� and hen e that =�is losed under the axioms and rules de�ning �. Therefore � is ontained in=�. The onverse follows by proving that � is a ongruen e relating �a:M and�a0:[a0=a℄M : this follows from the easily veri�ed fa ts that (a0 a) � (�) preserves�, and that if a0 does not o ur in M , then (a0 a) �M � [a0=a℄M .This proposition shows that matters to do with variable binding an bephrased in terms of the elementary operation of variable-transposition, (a0 a)�(�),rather than the more ompli ated operation of variable-substitution, be it tex-tual or apture-avoiding. Both are more ompli ated than transposition be ausethey depend on the auxiliary de�nition of what are the free variables of a term.Note that transposition is an instan e of the more general operation of permutingthe atoms in M a ording to a bije tion � : A �= A , the result of whi h we writeas � � M . This `permutation a tion' permits one to formalise an important ab-stra tness property of metatheoreti assertions involving the notion of `variable',namely that the validity of assertions about synta ti al obje ts should be sensitiveonly to distin tions between variable names, rather than to the parti ular namesthemselves. Put more formally, this is the equivarian e property of an assertion�(M) about terms M :8�;M (�(M) , �(� �M)) (2)the validity of whi h of ourse depends upon the nature of the assertion �(M)(in parti ular one would expe tM to be the only free metavariable in � for (2) tobe valid; f. Lemma 4.7). Su h notions belong to the ri h mathemati al theoryof sets equipped with a permutation a tion, whi h we re all next. It is worthnoting that mu h of that theory would be inappli able were one to try to basethe development upon arbitrary (or even inje tive) renaming fun tions fromatoms to atoms, rather than upon permutations.3. Permutation A tions and Finite SupportLet perm(A ) denote the group of all permutations of A . Thus the elements � ofperm(A ) are bije tions from A to itself. The group multipli ation takes two su hbije tions � and �0 and omposes them|we write the omposition of � followedby �0 as �0 Æ�. The group identity is the identity fun tion on A , denoted by id A .As one may gather from the dis ussion above, we will be parti ularly on ernedwith the elements of perm(A ) that are transpositions : given a; b 2 A , we write(a b) for the permutation that inter hanges a and b, leaving all other atoms �xed:(a b)( ) , 8<:b if = aa if = b otherwise. (3)

6 M. J. Gabbay and A. M. PittsDe�nition 3.1. A perm(A )-set onsists of a set X equipped with an a tionof the group perm(A ): this is a fun tion (�) �X (�) mapping pairs (�; x) 2perm(A ) �X to elements � �X x of X and satisfying�0 �X (� �X x) = (�0 Æ �) �X x and id A �X x = xfor all �; �0 2 perm(A ) and x 2 X .We will usually refer to a perm(A )-set via its underlying set when the asso- iated a tion is lear from the ontext.Example 3.2. Of the many examples of sets equipped with an a tion of thegroup perm(A ), we mention some that will be relevant here.(i) The set A itself has a perm(A )-a tion given by applying the permutation,qua fun tion, to atoms:� �A a , �(a):(ii) The set � of �-terms M , de�ned as in equation (1), possesses a perm(A )-a tion de�ned by indu tion on the stru ture of M by:8<:� �� a , � �A a� �� (MM 0) , (� �� M)(� �� M 0)� �� (�a:M) , �(� �A a):(� �� M):(iii) Note that if two �-terms are �-equivalent, M =� M 0, then for any permu-tation � one also has � ��M =� � ��M 0. It follows that (�) �� (�) indu esan a tion on the quotient set �==�:� �(�==�) [M ℄� , [� �� M ℄�(where we write [M ℄� for the �-equivalen e lass of the �-term M).(iv) IfX is a perm(A )-set, with a tion (�)�X (�), then we an endow its powersetpow(X) = fS j S � Xg with a perm(A )-a tion by de�ning:� �pow(X) S , f� �X x j x 2 Sg:(v) If X and Y are perm(A )-sets, then we an endow the disjoint union X+Y =f(0; x) j x 2 Xg [ f(1; y) j y 2 Y g with a perm(A )-a tion by de�ning:� �(X+Y ) z , �(0; � �X x) if z = (0; x)(1; � �Y y) if z = (1; y).(vi) The unique fun tion A � ; ! ; is a perm(A )-a tion on the emptyset ;.(vii) We say that X is a sub-perm(A )-set of Y if X � Y and � �Y (�) restri ts toa fun tion X ! X , for any � 2 perm(A ). In that ase X with the restri teda tion is itself a perm(A )-set. If X is a set of perm(A )-sets that is linearlyordered by this relation, then the union SX = fx j 9X 2 X (x 2 X)g hasa perm(A )-a tion given by the a tions on ea h X 2 X (whi h agree wherethey overlap):� �(SX ) x = � �X x if x 2 X 2 X .In general, an a tion of perm(A ) on a set X gives us an abstra t way ofregarding the elements x of X as somehow `involving atoms from A in their

Abstra t Syntax with Variable Binding 7 onstru tion', in as mu h as the a tion tells us how permuting atoms hangesx|whi h turns out to be all we need for an abstra t theory of variable renamingand binding. An important part of this theory is the notion of �nite support.This generalises the property of an abstra t syntax tree that it only involves�nitely many atoms in its onstru tion to the abstra t level of an element of anyset equipped with a perm(A )-a tion.De�nition 3.3 (Finite support). Given a set perm(A )-set X and an elementx 2 X , a set of atoms w � A is said to support x if all permutations � 2 perm(A )that �x every element of w also �x x:8a 2 w(�(a) = a) ) � �X x = x: (4)We say that x is �nitely supported (in X) if there is some �nite subset w �A supporting it. The perm(A )-set X has the �nite support property if all itselements are �nitely supported.Proposition 3.4 (The support of an obje t). If an element x of a perm(A )-set X is �nitely supported, then there is a least �nite subset of A supporting x.We write supp(x) for this (ne essarily unique) �nite set of atoms and all it thesupport of x (leaving impli it whi h perm(A )-set X is being referred to).Proof. We give a proof that emphasises the role of transpositions (see equa-tion (3)) and the predi ate \a is not in the support of x", whi h play ru ialroles in the theory we develop in this paper. Indeed, one an give an expli itformula for supp(x) in terms of the a tion of transpositions on x:supp(x) , fa 2 A j fb 2 A j (a b) �X x 6= xg is not �niteg: (5)Thus for any a 2 A , a =2 supp(x) holds if and only if (a b) �X x = x holds for allbut �nitely many b 2 A . (Cf. the de�nition of the N-quanti�er given below inDe�nition 4.4.) We show that this de�nition of supp(x) has the following threeproperties.(i) If w is a �nite set of atoms supporting x, then supp(x) � w.(ii) If a; b 2 A � supp(x), then (a b) �X x = x.(iii) If w is a �nite set of atoms supporting x, then so is w � fag, for anya 2 w � supp(x).So if x is �nitely supported, (i) together with �nitely many appli ations of (iii)allows us to dedu e that supp(x) is indeed a �nite set supporting x and is theleast su h. We need (ii) in order to prove (iii).Property (i) follows almost immediately from the de�nition of supp(x) inequation (5). For suppose w is a �nite set of atoms supporting x. If a; b =2 w,then 8 2 w : (a b)( ) = , so sin e w supports x, we have (a b)�X x = x. Thereforea =2 w implies fb 2 A j (a b) �X x 6= xg is ontained in w and hen e is �nite, sothat a =2 supp(x). Thus a 2 supp(x) implies a 2 w, as required.To prove property (ii), learly it suÆ es to onsider the ase when a 6= b. Sosuppose a and b are distin t atoms not belonging to supp(x). By de�nition ofsupp(x), the set of atoms f 2 A j (a )�X x 6= xg[f 2 A j (b )�X x 6= xg[fa; bgis �nite; so we an �nd an atom not in this set, i.e. su h that 6= a; b and(a ) �X x = x = (b ) �X x: (6)Sin e a; b; are all distin t, the permutations (a b) and (a ) Æ (b ) Æ (a ) are

8 M. J. Gabbay and A. M. Pittsequal. Therefore from equation (6) we have(a b) �X x = ((a ) Æ (b ) Æ (a )) �X x = (a ) �X ((b ) �X ((a ) �X x)) = xas required.Finally, to prove property (iii), suppose w is a �nite set of atoms supportingx, that a 2 w� supp(x), and that � 2 perm(A ) satis�es 8b 2 w�fag(�(b) = b).We have to prove that � �X x = x. We may assume �(a) 6= a, for otherwise ��xes every element of w and hen e � �X x = x, be ause x is supported by w. Butthen we also have ��1(a) =2 w � fag, sin e otherwise ��1(a), being an elementof w � fag, would be �xed by �, so that a = �(��1(a)) = ��1(a), and hen e�(a) = a, ontrary to assumption. By property (i) and assumption on a, we havesupp(x) � w � fag and hen e a; ��1(a) =2 supp(x). Therefore by property (ii),(��1(a) a) �X x = x. So� �X x = � �X ((��1(a) a) �X x) = (� Æ (��1(a) a)) �X x: (7)But the permutation � Æ (��1(a) a) learly �xes a; and it �xes every element ofw � fag be ause (��1(a) a) and � do so. So � Æ (��1(a) a) �xes all of w andtherefore, sin e w supports x, we have(� Æ (��1(a) a)) �X x = x: (8)Combining equations (7) and (8) yields � �X x = x, as required.Example 3.5. Consider the perm(A )-sets in Example 3.2.(i) A has the �nite support property, with supp(a) = fag for ea h a 2 A .(ii) � has the �nite support property: the support of a �-term M turns out tobe the �nite set of atoms o urring in it, whether as free, bound, or bindingo urren es.(iii) The quotient set �==� also has the �nite support property, with the supportof an �-equivalen e lass of �-terms being the �nite set of atoms o urringfreely in any representative of the lass (it does not matter whi h).(iv) A powerset pow (X) does not ne essarily have the �nite support propertyeven if X does. For example, the only elements of �nite support in pow (A )are the subsets S � A that are either �nite or o�nite (i.e. whose relative omplement A � S is �nite). However note that given any perm(A )-set X ,if S 2 pow (X) is supported by a �nite set of atoms w, then � �pow(X) S issupported by the �nite set � �pow(A) w, for any � 2 perm(A ). Therefore theperm(A )-a tion on pow(X) restri ts to one on the subsetpow fs(X) , fS � X j S is �nitely supported in pow (X)gand pow fs(X) has the �nite support property (whether or not X does).(v) If X and Y have the �nite support property, then so does their disjointunion X + Y : ea h z 2 X + Y is either of the form (0; x) and supportedby the �nite set of atoms supporting x in X , or is of the form (1; y) andsupported by the �nite set of atoms supporting y in Y .(vi) The emptyset has the �nite support property, for rather trivial reasons.(vii) If ea h element of a linearly ordered set X of perm(A )-sets has the �nitesupport property, then so does its union: ea h x 2 SX is supported by the�nite set of atoms that supports it in any X 2 X ontaining x.

Abstra t Syntax with Variable Binding 94. FM-Set TheoryThe perm(A )-sets with the �nite support property are the obje ts of a ategorywhose morphisms f : X �! Y are the so- alled equivariant fun tions|thosefun tions satisfying f(� �X x) = � �Y f(x) for all � 2 perm(A ) and x 2 X . At thispoint we ould develop our theory of name-abstra tion in terms of onstru tionswithin this ategory: see [PG00, Appendix℄. Instead, here we take a set-theoreti approa h and onstru t a single, `large' perm(A )-set FM(A ) with the �nite sup-port property, in whi h our theory an be expressed using familiar, set-theoreti language. One bene�t is that if a parti ular onstru tion an be expressed inthis language, then the a tion of permutations is inherited from the ambientuniverse FM(A ) without having to de�ne it expli itly and without having toprove the asso iated �nite support property. (Compare this with the approa hto denotational metalanguages initiated by S ott [S o93℄ in whi h questions ofdomain-theoreti ontinuity are made impli it.)Re all the usual von Neumann umulative hierar hy of sets [Sho77℄:8<:V0 , ;V�+1 , pow(V�)V� , S�6� V� (� a limit ordinal). (9)More generally, given a set A we an de�ne a umulative hierar hy of `setsinvolving atoms from A':8<:V0(A) , ;V�+1(A) , A+ pow (V�(A))V�(A) , S�6� V�(A) (� a limit ordinal) (10)where + denotes disjoint union of sets and pow (�) the powerset operation (see(v) and (iv) in Example 3.2). We an build the notions of `permutation a tion'and `�nite support property' into su h a set-theoreti hierar hy by taking A tobe the perm(A )-set A of atoms and repla ing pow(�) by the pow fs(�) operationfrom Example 3.5(iv):8<:FM0(A ) , ;FM�+1(A ) , A + pow fs(FM�(A ))FM�(A ) , S�6� FM�(A ) (� a limit ordinal). (11)Be ause of the properties noted in Example 3.5, ea h FM�(A ) is a perm(A )-setwith the �nite support property and FM�(A ) is a sub-perm(A )-set of FM�(A )when � 6 �|enabling us to use the union operation at limit ordinals as inExample 3.5(vii). More generally, when we onsider the union of all the FM�(A )we get one large perm(A )-set (i.e. a perm(A )- lass) in whi h every element has�nite support.De�nition 4.1 (FM-sets). The union of all FM�(A ) (as � ranges over theordinals) is alled the Fraenkel-Mostowski universe (over the set of atoms A ) andis denoted FM(A ). Using the suggestive names atm and set for the fun tionsx 7! (0; x) and x 7! (1; x) giving the two in lusions into a disjoint union, fromde�nition (11) we have that every element x of FM(A ) is either of the formatm(a) with a 2 A , or of the form set(X) where X is a �nitely supported set ofFM-sets formed at an earlier ordinal stage than x ( f. Example 3.5(iv)). We all

10 M. J. Gabbay and A. M. Pittselements of the form set(X) FM-sets and elements of the form atm(a) atoms (aslight abuse of terminology). We will just write (�) � (�) for the perm(A )-a tionon the Fraenkel-Mostowski universe; it satis�es� � atm(a) = atm(�(a)); � � set(X) = set(f� � x j x 2 Xg): (12)Remark 4.2 (Pure FM-sets). Given an element x of the Fraenkel-Mostowskiuniverse FM(A ), let TC (x) denote the transitive losure of x under the appro-priate membership relation, namely 2FM(A) = f(x; y) j 9Y (x 2 Y ^ set(Y ) = yg.Note that FM(A ) ontains a opy of the von Neumann universe V , onsistingof those FM-sets x for whi h TC (x) is disjoint from fatm(a) j a 2 A g. We allsu h an x a pure FM-set.The usual set-theoreti onstru tions an be arried out within FM(A ) tobuild various sets. In parti ular we will make use of the set ! of natural numbers,and the usual onstru tions of ordered pairs, artesian produ ts, disjoint unions,power- and fun tion-sets. To be more pre ise and to develop the properties ofthe Fraenkel-Mostowski universe further, we introdu e a suitable theory of atomsand FM-sets within lassi al �rst-order logi with equality. This theory is basedupon ZFA|Zermelo-Fraenkel set theory with Atoms (see for example [Fou80℄,or [JM95, x5℄). This has a signature ontaining not only a binary relation symbol`2' for membership, but also a onstant A for the set of atoms, A . The axiomsof ZFA are as follows.(Sets) x 2 y ) y =2 A(Extensionality) x =2 A ^ y =2 A ^ 8z(z 2 x, z 2 y)) x = y(Separation) 9y =2 A8z(z 2 y , (z 2 x ^ �)), y not free in �(2-Indu tion) 8x(8y 2 x [y=x℄�) �)) 8x�(Colle tion) 8y 2 x 9w �) 9z 8y 2 x 9w 2 z �(Pairing) 9z(x 2 z ^ y 2 z)(Union) 9y 8z(z 2 y , 9w 2 x(z 2 w))(Powerset) 9y 8z(z 2 y , 8w 2 z(w 2 x))(In�nity) 9x(9y(y 2 x) ^ 8y 2 x 9w 2 x(y 2 w)):Remark 4.3 (Atoms). Axiom (Sets) expresses the fa t that only non-atoms an have elements (`atoms are empty'); the other axioms are like those of theusual Zermelo-Fraenkel set theory, ex ept that ertain quanti� ations Qx : (�)(for Q = 8; 9) have to be restri ted to Qx =2 A : (�) when x must range justover sets rather than over sets and atoms. This di�eren e is mathemati allyinno uous, but makes it very hard to re-use ma hine- he ked versions of Zermelo-Fraenkel set theory to develop a theory of the Fraenkel-Mostowski universe withina proof assistant. The �rst author's implementation of su h a theory within theIsabelle generi theorem prover [Gab00, Chapter III℄ gets round this problem byworking in a non-well-founded setting and repla ing `empty atoms' by so- alledQuine atoms [Qui63, Se tion 4℄|obje ts satisfying a = fag|at the expense ofhaving to alter the axiom of (2-Indu tion).The above axioms apture the basi , set-theoreti properties of FM(A ) with-out saying anything very spe i� about properties of the set of atoms itself, orof the permutation a tion. The properties relevant to our intended appli ationdepend upon the fa t that A is ( ountably) in�nite and that every element of

Abstra t Syntax with Variable Binding 11FM(A ) is �nitely supported in the sense of De�nition 3.3. We an apture thesetwo properties with the following axioms, whi h use notation introdu ed in Def-inition 4.4.(A-Not-Finite) A =2 pow�n(A)(Fresh) 9a 2 A(a# x):De�nition 4.4. Here and elsewhere we will freely augment the rather sparselanguage of ZFA with extensions involving new fun tion and relation symbols(written in this font) uniquely de�ned by formulas of ZFA. In parti ular we makethe following de�nitions.Finite subsets. De�ne pow�n(x) to be a term denoting the set of �nite subsetsof x. One pra ti ally useful way of formulating this is to de�ne pow�n(x) tobe the least set of subsets of x ontaining the empty set ; and losed underthe operations of adding an element of x, s 7! s [ fyg, for ea h y 2 x.Co�nite subsets. De�ne pow of(x) to be a term denoting the set of o�nitesubsets of x, i.e. those s � x su h that the relative omplement x � s is inpow�n(x).Permutation a tion. De�ne perm(A) to be a term denoting the set of permu-tations of A. In view of (12), the a tion of su h permutations � 2 perm(A) an be de�ned by 2-re ursion as follows:� � x = ��(x) if x 2 Af� � y j y 2 xg if x =2 A.In parti ular, de�ne (a b) �x to be a term denoting the result of inter hanginga; b 2 A in x.N-quanti�er. For ea h formula � of the language of ZFA, de�ne Na 2 A� (\forall but �nitely many atoms a, �") to be the formula 9s 2 pow of(A)8a(a 2s, �) expressing that fa 2 A j �g is a o�nite set of atoms.Freshness relation. De�ne the formula a # x (\atom a is fresh with respe tto x") as follows:a# x 4, Nb 2 A((a b) � x = x): (13)That this is a reasonable de�nition of `freshness' may not be immediatelyapparent; however, the following proposition shows (amongst other things)that a#x holds if and only if a is not in the support of x, as de�ned in Propo-sition 3.4.Proposition 4.5. The axioms of FM-set theory are by de�nition the axiomsof ZFA plus the two axioms (A-Not-Finite) and (Fresh). Modulo the other ax-ioms, axiom (Fresh) is equivalent to asserting that every x has the �nite supportproperty of De�nition 3.3, suitably formulated in the language of ZFA:8x 9a 2 A(a# x) ,8x 9w 2 pow�n(A)8� 2 perm(A) (8a 2 w(�(a) = a))) � � x = x: (14)In parti ular the Fraenkel-Mostowski universe FM(A ) over an in�nite set A(De�nition 4.1) satis�es these axioms if we interpret the membership relation`2' by the binary relation f(x; y) 2 FM(A ) �FM(A ) j 9Y (x 2 Y ^ set(Y ) = ygand the onstant A by the element set(fatm(a) j a 2 Ag) 2 FM(A ).

12 M. J. Gabbay and A. M. PittsProof. To prove (14), �rst note that for any x, if a; b; are distin t atoms satis-fying (a ) � x = x = (b ) � x, then (a b) � x = x (see the proof of property (ii) inthe proof of Proposition 3.4). From this we an dedu e the following two usefulfa ts.a# x ^ b# x ) (a b) � x = x (15)9a 2 A(a# x) , Na 2 A(a# x): (16)Note also that if we de�ne supp(x) as in equation (5), then by de�nition of # wehavea# x , a =2 supp(x): (17)So if the right-hand side of (14) holds, then for ea h x, the proof of Proposition 3.4yields that supp(x) 2 pow�n(A); and hen e from (A-Not-Finite) supp(x) 6= A, sothat by (16) again, 9a 2 A(a# x).Conversely, if 8x 9a 2 A(a# x), then for ea h x, supp(x) 2 pow�n(A) by (16)and (17); and by (15) and (17), (a b) � x = x for any a; b =2 supp(x). So any per-mutation � 2 perm(A) that is �nite (i.e. with fa 2 A j �(a) 6= ag 2 pow�n(A))and that �xes ea h element of supp(x) satis�es � � x = x, be ause su h a per-mutation is expressible as the omposition of �nitely many transpositions (a b)with a; b =2 supp(x). But axiom (Fresh) implies that any � 2 perm(A) is �nite:for if a# �, it is not hard to see that �(a) = a; so from (16) we have �(a) = afor o�nitely many atoms a, so that � is �nite. Thus if (Fresh) holds then forea h x, supp(x) de�ned as in (5) is a �nite set of atoms supporting x. Thus wedo indeed have the left-to-right impli ation in (14).Remark 4.6 (Failure of the Axiom of Choi e). In the literature, arefulpresentations of the de�nition of apture-avoiding substitution quite often makeuse of a hoi e fun tion for pi king out fresh variables: see [Sto88, Se tion 2℄, forexample. The vague feeling that su h on rete hoi es should be irrelevant rys-tallises here into the fa t that su h hoi e fun tions are in onsistent with FM-settheory, be ause its axioms ontradi t the Axiom of Choi e (AC). For example,the axiom (A-Not-Finite) implies that the set of o�nite subsets of A is a setof non-empty sets; but there an be no hoi e fun tion for it|a diagonalisationargument (using the fa t that the graph of any fun tion from pow�n(A) to Amust be �nitely supported) shows this. (Indeed it an be shown that the axiomof ountable hoi e is in onsistent with FM-set theory.)Me hanised proof assistants based on set theory, or on higher order logi ,often in lude Hilbert's hoi e operator, "x : �, to provide anonymous notationsfor terms de�ned by formulas (see [LP99, Se tion 2.1℄). Sin e the "-operator anbe used to prove AC, we annot add it to FM-set theory without in onsisten y.However, in a fully formal presentation of FM-set theory it would be both on-sistent and useful to augment the language of FM-set theory with a notationand axioms for forming terms uniquely de�ned by a formula. As mentioned inDe�nition 4.4, here we pro eed in a semi-formal fashion and just introdu e newnotation on the y, uniquely de�ned by formulas. Corollary 4.8 allows us tobound the support of terms involving su h new notation by the support of thenotation's parameters. It is a onsequen e of the following equivarian e property( f. equation (2)), whi h is important in its own right.Lemma 4.7 (Equivarian e property of FM-set theory). Suppose �(~x) isa formula of FM-set theory, with free variables ontained in the list of distin t

Abstra t Syntax with Variable Binding 13variables ~x. Then8a; b 2 A8~x (�(~x), �((a b) � ~x)is provable in FM-set theory (where �((a b)�~x) denotes the simultaneous ( apture-avoiding) substitution of (a b) �xi for all free o urren es of xi in �, as xi rangesover ~x).Proof. By indu tion on the stru ture of �, using the following properties of the onstant and relation symbols of the language:x = y ) (a b) � x = (a b) � y (18)x 2 y ) (a b) � x 2 (a b) � y (19)(a b) � A = A: (20)Property (18) is a trivial onsequen e of the usual properties of equality; andproperties (19) and (20) follow from the de�nition of the permutation a tion inDe�nition 4.4.Corollary 4.8 (Support of de�ned notation). Suppose �(~x) and (~x; y) areformulas of FM-set theory, with free variables ontained in the indi ated lists ofvariables, and that�(~x) ) 9!y (~x; y) (21)holds. If we de�ne the term f(~x) to be the unique y su h that (~x; y), so that�(~x) ) 8y(y = f(~x), (~x; y)), then�(~x) ) 8a 2 A(a# ~x ) a# f(~x)): (22)(where a#~x stands for a onjun tion of freshness formulas, one for ea h variablein the list ~x). Hen e �(~x) ) supp(f(~x)) � supp(x1) [ � � � [ supp(xn), if ~x =x1; : : : xn.Proof. Suppose �(~x) and a # ~x hold. We have to prove a# y for the unique ysu h that (~x; y). By axiom (Fresh) we an �nd b 2 A with b# ~x; y. Sin e b# y,by Lemma 4.7 we have a # (a b) � y. But (a b) � y = y by the uniqueness partof property (21): for not only does (~x; y) hold (by de�nition of y), but so alsodoes (~x; (a b) � y) (sin e Lemma 4.7 applied to (~x; y) gives ((a b) � ~x; (a b) � y)and (a b) �~x = ~x by property (15), be ause a; b#~x). So we do indeed have a# y.Example 4.9 (Fun tions). As usual, an FM-set f is a (partial) fun tion if itonly ontains ordered pairs and is single-valued, i.e. if Fun(f) holds, whereFun(f) 4, 8x 2 f 9y; z(x = (y; z))^ 8y; z; z0((y; z) 2 f ^ (y; z0) 2 f ) z = z0):Using (Colle tion) and (Separation), if Fun(f) holds then the domain of de�nitionof f is the uniquely de�ned FM-set dom(f) of �rst omponents of elements off , i.e. dom(f) = fx j 9y((x; y) 2 f)g. Similarly the image of f is img(f) = fy j9x((x; y) 2 f)g. If Fun(f) and x 2 dom(f), then there is a unique y su h that(x; y) 2 f and in this ase, as usual, we de�ne the appli ation notation f(x) tostand for this y. From Corollary 4.8 we haveFun(f) ) 8a 2 A(a# f ) a# dom(f) ^ a# img(f)) (23)

14 M. J. Gabbay and A. M. PittsFun(f) ^ x 2 dom(f) ) 8a 2 A(a# f ^ a# x ) a# f(x)): (24)While we are about it, let us mention another pie e of notation asso iated withfun tions. If X and Y are FM-sets, then the fun tion set X ! Y is the FM-setde�ned by: f 2 (X ! Y ) , Fun(f) ^ dom(f) = X ^ img(f) � Y .In De�nition 4.4 we introdu ed the notation Na 2 A� to stand for a quan-ti� ation over all but �nitely many atoms. However, the nature of the set ofatoms in FM-set theory endows this quanti�er with very spe ial properties, asProposition 4.10 and Corollary 4.11 show.Proposition 4.10 ( Nas a `freshness' quanti�er). For any formula � andlist of distin t variables a; ~x in the language of FM-set theory, onsider the fol-lowing formulas.8a 2 A (a# ~x) �) (25)Na 2 A� (26)9a 2 A (a# ~x ^ �): (27)Then in FM-set theory, (25) ) (26) ) (27). If the free variables of � are on-tained in the list a; ~x, then also (27) ) (25) and hen e in this ase the threeformulas are provably equivalent.Proof. Note that by axiom (Fresh) and (16) (and the fa t that o�nite sets are losed under �nite interse tion), we have fa 2 A j a# ~xg 2 pow of(A). So if (25)holds, fa 2 A j �g ontains fa 2 A j a# ~xg and hen e is o�nite, i.e. (26) holds.Similarly, if (26) holds then fa 2 A j a # ~xg \ fa 2 A j �g is the interse tionof two o�nite sets, hen e is o�nite and hen e by (A-Not-Finite) is non-empty:so (27) holds.Now suppose the free variables of � are ontained in fa; ~xg and that (27)holds. We use the equivarian e property of formulas of FM-set theory given inLemma 4.7 to dedu e from a# ~x ^ � that for any b 2 Ab# (a b) � ~x ^ �(b; (a b) � ~x) (28)where �(b; (a b) �~x) denotes the result of substituting b for all free o urren es ofa and (a b) �xi for all free o urren es of xi in �, as xi ranges over ~x. So if b# ~x,sin e we also have a# ~x, from (15) we get (a b) � ~x = ~x and hen e (28) implies�(b; ~x). So (27) does indeed imply (25).Corollary 4.11. The quanti�er Na 2 A : (�) ommutes with the propositional onne tives: for all formulas � and Na 2 A(� � ) , ( Na 2 A�) � ( Na 2 A ) where � is ^, _, ) or , (29)Na 2 A(:�) , :( Na 2 A�) (30)Na 2 A true (31)are all provable in FM-set theory. Moreover, if all the elements of an FM-setX have empty support (for example, if X is pure in the sense of Remark 4.2),then Na 2 A : (�) ommutes with existential and universal quanti� ation over

Abstra t Syntax with Variable Binding 15elements of X :X =2 A ^ 8a 2 A8x 2 X(a# x) )( Na 2 A 9x 2 X � , 9x 2 X Na 2 A�) ^( Na 2 A8x 2 X � , 8x 2 X Na 2 A�): (32)Proof. These properties of the N-quanti�er follow easily from its dual 8-9 natureestablished in Proposition 4.10. (For property (32), we also need to note that ifX =2 A ^ 8a 2 A8x 2 X(a# x) holds, then so does 8a 2 A(a#X).)In view of Proposition 4.10, we are justi�ed in reading Na 2 A : � as `forsome/any fresh atom a, it is the ase that �'. This dual 9-8 avour of the N-quanti�er seems to exa tly �t many situations where a statement about freshnessof variables is required: we hoose some fresh variable with a parti ular property,but later on may need the fa t that any su h variable will do. For example, whenreasoning about �- onversion of �-terms using the rules in Proposition 2.2 ina `top-down' fashion, we satisfy the side- ondition in the third rule by pi kingsome fresh a00; and when using them in a `bottom-up' fashion, it is useful to knowthat any fresh a00 will do. We will see further examples of this phenomenon insubsequent se tions, where we put the N-quanti�er to work.5. Abstra tion SetsIn Proposition 2.2 we saw that �- onversion of �-terms an be formulated interms of the operation of transposing two variables in a term, together with therelation that a variable does not o ur in a term. In view of Example 3.5(ii),equation (17) and Proposition 4.10, we an re-express the rule for �- onversionof �-abstra tions in Proposition 2.2 asNa00((a00 a) � t � (a00 a0) � t0)�a:t � �a0:t0 :This suggests how to generalise the notion of �- onversion from the syntax treesof �-terms to arbitrary obje ts in the Fraenkel-Mostowski universe FM(A ) in-trodu ed by De�nition 4.1. Let �A be the binary relation between A and FM(A )de�ned by:(a; x) �A (b; y) 4, a 2 A ^ b 2 A ^ N 2 A(( a) � x = ( b) � y): (33)It is not hard to see that �A is an equivalen e relation. The following lemmashows that its equivalen e lasses are FM-sets.Lemma 5.1 (Atom-abstra tions). FM-set theory satis�es:(a; x) �A (b; y) , a 2 A ^ b 2 A ^ y = (b a) � x ^ (b = a _ b# x): (34)Hen e by the axiom (Colle tion), for ea h a 2 A and x 2 FM(A ) there is anFM-seta:x , f(b; (b a) � x) j b 2 A ^ (b = a _ b# x)g (35)whi h is the �A-equivalen e lass of the pair (a; x). We all a:x the atom-abstra tion determined by a and x.

16 M. J. Gabbay and A. M. PittsProof. We split the proof of (34) into two ases, a ording to whether b = a ornot. In the �rst ase, the result follows from the easily veri�ed impli ation(a; x) �A (a; y) ) x = y: (36)So suppose b 6= a. If (a; x) �A (b; y), then there is some 2 A with # a; x; b; yand( a) � x = ( b) � y: (37)Sin e #y, by the equivarian e property (Lemma 4.7) we also have b = ( b) � #( b)�y and hen e by (37), b#( a)�x. From this we get ( a)�b#( a)�(( a)�x) = x,i.e. b# x (sin e ( a) leaves b �xed). So for the left-to-right impli ation in (34),it just remains to show that y = (b a) � x. Buty = ( b) � (( b) � y) = ( b) � (( a) � x) by (37)= (b a) � (( b) � x) sin e ( b) Æ ( a) = (b a) Æ ( b)= (b a) � x by (15) applied to # x ^ b# x.Conversely, if y = (b a) � x and b# x, then by axiom (Fresh) there is some 2 Awith # a; x; b; y and( b) � y = ( b) � ((b a) � x) sin e y = (b a) � x= ( a) � (( b) � x) sin e ( b) Æ (b a) = ( a) Æ ( b)= ( a) � x sin e # x ^ b# x.Therefore N 2 A(( a) � x = ( b) � y), i.e. (a; x) �A (b; y), as required.Corollary 5.2. FM-set theory satis�es:a# a:x (38)b 6= a ^ b# x ) b# a:x (39)b 6= a ^ b# a:x ) b# x: (40)Hen e 8b 2 A(b # a:x , (b = a _ b # x)) and therefore supp(a:x) =supp(x)� fag.Proof. First note that as a onsequen e of the equivarian e property of Lemma 4.7one has( b) � (a:x) = (( b)(a)):(( b) � x): (41)So if b# a; x, then (b a) � (a:x) = b:((b a) � x) = a:x by (34); thus Nb 2 A((b a) �(a:x) = a:x) holds, whi h is (38).Property (39) follows from property (22) and the easily veri�ed fa t thatb 6= a, b# a.Finally for (40), if b 6= a and b # a:x, i.e. N 2 A(( b) � (a:x) = a:x), thenby (41) we have N 2 A(a:(( b) � x) = a:x); hen e by (36), N 2 A(( b) � x = x),as required.The de�nition of atom-abstra tion embodies a form of `abstra tion as infor-mation hiding', sin e a:x a ts like a pair (a; x) in whi h the name in the �rst omponent has been hidden, or made anonymous. However, atom-abstra tionsalso embody a notion of `abstra tion as fun tion', sin e (36) shows that ea hatom-abstra tion a:x is a partial fun tion; and by onstru tion, the domain ofde�nition of this partial fun tion is a set of atoms. In other words, using the

Abstra t Syntax with Variable Binding 17notation of Example 4.9, Fun(a:x) ^ dom(a:x) � A holds. Indeed, by (35) andCorollary 5.2dom(a:x) = fb 2 A j b = a _ b# xg = A� supp(a:x): (42)We will use the following spe ial notation for the result of applying su h a partialfun tion to an atom in its domain of de�nition.De�nition 5.3 (Con retion of atom-abstra tions). The result of applyingan atom-abstra tion y, regarded as a partial fun tion, to an atom b 2 dom(y) =A � supp(y) will be alled the on retion of y at b and written y�b. From (35)we have that if y = a:x, then following form of �- onversion holds for atom-abstra tion/ on retion:8b 2 A((b = a _ b# x) ) (a:x)�b = (b a) � x): (43)De�nition 5.4 (Abstra tion sets). For ea h FM-set X , we an use the (Col-le tion) axiom to dedu e the existen e of an FM-set [A℄X of atom-abstra tionsof elements of X , de�ned by:y 2 [A℄X 4, 9a 2 A 9x 2 X(y = a:x ^ a#X): (44)One might wonder why the ondition `a#X ' is in luded in the above de�nition.It is needed to ensure that the on retion of an element of [A℄X at a fresh atomlands us ba k in X :8y 2 [A℄X Nb 2 A(y�b 2 X): (45)For note that be ause of the ondition a # X in (44), plus the fa t that a # yholds when y = a:x (by Corollary 5.2), from Proposition 4.10 we havey 2 [A℄X , Na 2 A 9x 2 X(y = a:x): (46)Hen e given y 2 [A℄X and b#X; y, then y = a:x for some a 2 A and x 2 X witha# b;X. By (43), y�b = (b a) � x; and sin e x 2 X , we have (b a) � x 2 (b a) �X .But (b a) � X = X , sin e a # X and b # X ; and hen e y�b 2 X , as requiredfor (45).Proposition 5.5 (Extensionality for atom-abstra tions). A form of �- on-version holds for atom-abstra tion/ on retion, namely:8y 2 [A℄X Nb 2 A(b:(y�b) = y) (47)and hen e the following extensionality prin iple holds:8y; y0 2 [A℄X(y = y0 , Nb 2 A(y�b = y0�b)): (48)Proof. Given y 2 [A℄X and b # y, by (44) we an �nd a 2 A and x 2 X withy = a:x (and a#X). Thenb:(y�b) = b:((b a) � x) sin e y�b = (b a) � x by (43)= a:x by (34)= y:Thus (47) holds by Proposition 4.10.Remark 5.6. The abstra tion-set former [A℄(�) is remarkably well-behaved. Inparti ular it preserves artesian produ ts, disjoint unions and even fun tion-sets,

18 M. J. Gabbay and A. M. Pittsup to natural bije tions:[A℄(X � Y ) �= ([A℄X)� ([A℄Y )[A℄(X + Y ) �= ([A℄X) + ([A℄Y )[A℄(X ! Y ) �= ([A℄X)! ([A℄Y ):For proofs of these bije tions, see [Gab00, Corollary 9.6.9℄.6. Indu tively de�ned FM-setsWe an use the [A℄(�) onstru t in ombination with artesian produ t anddisjoint union to form indu tively de�ned FM-sets that allow us to view sets ofsyntax involving bindersmodulo �- onversion as algebrai data types in FM(A ),generalising the ` lassi al' theory for syntax without binders. To see this, we �rstneed to re all a little of the theory of indu tively de�ned sets, within the ontextof FM-set theory.Suppose F is a de�nable fun tion from FM-sets to FM-sets. In other words,suppose that there is a formula �(X;Y ) of FM-set theory with the indi ated freevariables and satisfying 8X =2 A 9!Y =2 A�(X;Y ); and suppose that for ea h X ,F (X) is the unique Y su h that �(X;Y ). Suppose further that the fun tion Fis monotone for in lusionsX =2 A ^ Y =2 A ^X � Y ) F (X) � F (Y ) (49)and preserves unions of ountable as ending hains8n 2 !(X(n) =2 A ^X(n) � X(n+ 1)) )F ([fX(n) j n 2 !g) =[fF (X(n)) j n 2 !g: (50)(Just as we require F to be de�nable in FM-set theory, so we only onsider ountable hains of FM-sets (X(n) j n 2 !) that are de�nable in FM-set theory;so in parti ular there is one �nite set of atoms supporting every X(n), ratherthan one su h set for ea h n 2 !.) Then F possesses a least (pre)�xed point,�(F ):F (�(F )) = �(F ) (51)F (X) � X ) �(F ) � X: (52)We all �(F ) the indu tively de�ned FM-set determined by F . It an be on-stru ted via the familiar Tarski formula�(F ) , SfFn(;) j n 2 !g where�F 0(;) , ;Fn+1(;) , F (Fn(;)): (53)The indu tively de�ned FM-sets in whi h we are interested are all determinedby fun tions F that are also the obje t part of fun tors preserving in lusions.In other words, not only is F a de�nable monotone fun tion on FM-sets pre-serving de�nable ountable hains, but also there is another de�nable fun tion(traditionally also denoted by F ) a ting on fun tions between FM-setsf 2 (X ! Y ) ) F (f) 2 (F (X)! F (Y ))

Abstra t Syntax with Variable Binding 19that preserves ompositionf 2 (X ! Y ) ^ g 2 (Y ! Z) ) F (g Æ f) = F (g) Æ F (f)and in lusion fun tionsX � Y ) F (iX;Y ) = iF (X);F (Y )where iX;Y 2 (X ! Y ) is f(x; x) j x 2 Xg. In this ase �(F ) is the initial algebrafor the fun tor F : for every FM-set X and fun tion f 2 F (X) ! X , there is aunique f 2 (�(F ))! X su h thatF (�(F ))F (f) �(F )fF (X) f X (54) ommutes (i.e. f = fÆF (f)). Indeed, paralleling the onstru tion of �(F ) in (53),we havef , Sffn 2 (Fn(;)! X) j n 2 !g where(f0 , ;fn+1 , f Æ F (fn): (55)Lemma 6.1. The abstra tion-set operation [A℄(�) of De�nition 5.4 is mono-tone, preserves unions of de�nable ountable as ending hains of FM-sets and isthe obje t part of a fun tor preserving in lusions.Proof. The fa t that [A℄(�) preserves in lusions and unions of de�nable ount-able hains follows immediately from the hara terisation of [A℄X in (46) togetherwith the fa t (Corollary 4.11) that Na 2 A(�) preserves impli ations and om-mutes with 9n 2 !(�) (be ause ! has empty support). We extend it to a fun toron FM-sets as follows. Given f 2 (X ! Y ), de�ne[A℄f , f(u; v) 2 ([A℄X)� ([A℄Y ) j Na 2 A(f(u�a) = v�a)g:That this does give an element of ([A℄X) ! ([A℄Y ) and that f 7! [A℄f pre-serves omposition and in lusion fun tions all follow from the properties of atom-abstra tions established in Se tion 5 (see [Gab00, Se tion 10℄ for more details).It is well known that set-fun tions F built up from onstants and proje tionsusing the operations of artesian produ t, (�)� (�), and disjoint union, (�) +(�), enjoy the above properties of monotoni ity, preservation of unions of hainsand fun toriality; and hen e su h set-fun tions an be used to form indu tivelyde�ned sets �(F ) with the above initial algebra property. This is the startingpoint for the initial algebra semanti s of algebrai signatures [GTWW77℄ withinthe usual ZF set theory and its model, the von Neumann hierar hy V de�nedby equation (9). All this remains un hanged if we move from V to the larger( f. Remark 4.2) Fraenkel-Mostowski umulative hierar hy FM(A ) and repla eZF by FM-set theory. But now the above lemma shows that within this largersetting of FM-sets, we an also use the abstra tion-set operation [A℄(�) in the onstru tion of F and still be able to form the indu tive FM-set �(F ) as in (53),with its initial algebra property (54). In this way we are able to extend initialalgebra semanti s to deal with signatures with binding and in parti ular to get

20 M. J. Gabbay and A. M. Pittsa purely indu tive representation of the quotient modulo �-equivalen e of theset of abstra t syntax trees over su h a signature. Rather than treat the aseof arbitrary `binding signatures' (for whi h see [Gab00, Se tion 10.2℄), we willillustrate these ideas with respe t to the paradigmati example, the signaturefor the untyped �- al ulus.Theorem 6.2 (�==� as an indu tive FM-set). Consider the FM-set � ofuntyped �-terms, given as the indu tively de�ned FM-set �(F ) whereF (X) , A+ (X �X) + (A�X): (56)Then the FM-set of equivalen e lasses of �-terms modulo the equivalen e rela-tion of �- onversion, �==�, is in bije tion with the indu tively de�ned FM-set�� = �(F�), whereF�(X) , A+ (X �X) + ([A℄X): (57)Proof. This follows by ombining the hara terisation of =� given by Propo-sition 2.2 with the de�nition of atom-abstra tion in Se tion 5 in terms of theequivalen e relation �A given by equation (33).In passing from �==� to the bije tively equivalent set ��, we repla e theglobal use of quotienting by =� with lo al, indu tive use of quotienting by �A.This is a simplifying step be ause the quotient sets [A℄X (they are the quotientof f(a; x) 2 A � X j a # Xg by �A) have some very pleasant properties. Inparti ular, the following lemma gives a simple hara terisation of fun tions ofatom-abstra tions a:x 2 [A℄X in terms of fun tions of pairs (a; x) 2 A�X .Lemma 6.3. For all fun tions f 2 (A �X) ! Y in FM(A ), there is a uniquefun tion f 2 ([A℄X)! Y satisfyingNa 2 A8x 2 X(f(a:x) = f(a; x)) (58)if and only if f satis�esNa 2 A8x 2 X(a# f(a; x)): (59)Proof. First note that if su h an f exists, then applying Proposition 4.10 to (58),there is some a 2 A witha#X; f; f ^ 8x 2 X(f(a:x) = f(a; x)):But for any x 2 X we always have a# a:x (Corollary 5.2); and a# f holds byassumption on a; hen e by property (24), a # f(a:x), i.e. a # f(a; x). Thus asatis�esa#X; f ^ 8x 2 X(a# f(a; x))whi h by Proposition 4.10 again, is ondition (59). There an be at most onefun tion f satisfying property (58), be ause by (44) we have that (a; x) 7! a:xis a surje tion from f(a; x) 2 A�X j a#Xg onto [A℄X .Conversely, suppose ondition (59) does hold. Thus by Proposition 4.10 wehave8a 2 A(a#X; f ) 8x 2 X(a# f(a; x))): (60)

Abstra t Syntax with Variable Binding 21De�ne an FM-set f by:f , f(z; y) 2 ([A℄X)� Y j Na 2 A 9x 2 X(z = a:x ^ f(a; x) = y)g:This is a single-valued relation, be ause if (z; y) 2 f and (z; y0) 2 f , then byde�nition of f , and using axiom (Fresh), we an �nd some a#X; f; z; y; y0 andx; x0 2 X with z = a:x, z = a:x0, y = f(a; x) and y = f(a; x0); then x = x0 byproperty (36) and hen e y = y0. Moreover, for ea h z 2 [A℄X there is some y 2 Ysatisfying (z; y) 2 f : for, pi king a#X; z; f and taking x to be the on retion z�a(De�nition 5.3), we have x 2 X by property (45) and hen e by property (60),y = f(a; x) 2 Y satis�es a# y. Thus we have9a 2 A(a#X; z; f; y ^ 9x 2 X(z = a:x ^ f(a; x) = y)) (61)so that (z; y) 2 f (by Proposition 4.10). So f is indeed an element of ([A℄X)! Y .Furthermore, property (58) holds of it: for if a # X; f , then for any x 2 Xproperty (61) holds with z = a:x and y = f(a; x) (sin e in that ase a # zby (38) and a# y by (59)), so that (z; y) 2 f , i.e. f(a:x) = f(z) = y = f(a; x),as required.Remark 6.4 (Lo ally fresh atoms). Given f 2 (A�X)! Y satisfying prop-erty (59) and given z 2 [A℄X , we use the notation ase z of fa:x! f(a; x)g (62)(where the variables a and x are bound in this expression) for the elementf(z) 2 Y spe i�ed by the above lemma. From property (58) we have that this`eliminator' for the abstra tion-set onstru t satis�es the onversion law8a0 2 A8x0 2 X Nb 2 A( ase a0:x0 of fa:x! f(a; x)g = f(b; (b a0) � x0)): (63)As a spe ial ase of this onstru t, given by taking X = 1 = f0g in Lemma 6.3,we have that for ea h f 2 A! Y satisfying Na 2 A(a# f(a)), there is a uniqueelement of Y , that we denote bynew a 2 A in f(a) (64)(on e again, a is a bound variable in this expression), satisfyingNa0 2 A(new a 2 A in f(a) = f(a0)): (65)In e�e t, the expression new a 2 A in f(a) denotes the use of a `lo ally fresh'atom a in the expression f(a); and this is meaningful if the value of f(a) isindependent of the hoi e of a, in the sense that a # f(a) holds for some/anyfresh atom a.For example, taking f 2 A! ([A℄A) to be a 7! a:a, by property (38) we have8a 2 A(a # a:a) and hen e there is an element (new a 2 A in a:a) 2 [A℄A. Infa t there is a bije tion [A℄A �= 1 + A , f(0; 0)g [ f(1; b) j b 2 Ag given in onedire tion by[A℄A ! 1 +Az 7! ase z of fa:b! if a = b then (0; 0) else (1; b)gand in the other by1 +A ! [A℄A(0; 0) 7! new a 2 A in a:a(1; b) 7! new a 2 A in a:b:

22 M. J. Gabbay and A. M. PittsExpression-formers su h as ase (�) of fa:x ! (�)g and new a 2 A in (�) arepart of a term- al ulus for atom-abstra tions that forms part of the fun tionalprogramming language proposed by the authors in [PG00℄.Returning to the indu tively de�ned FM-set �� = �(F�) introdu ed in The-orem 6.2, from property (51) we have that �� is a disjoint union of three om-ponents�� = A+ (�� � ��) + ([A℄��):Letvar 2 A! �� app 2 (�� � ��)! �� lam 2 ([A℄��)! ��denote the in lusion fun tions of the omponents into the disjoint union. Com-bining the least �xed point and initial algebra properties of �� = �(F�) withthe above lemma, we obtain the following prin iples of stru tural iteration, re- ursion and indu tion for our indu tive FM-set representing �-terms modulo �- onversion. (Compare them with the Re ursion S heme of [GM96, Se tion 3.1℄.)Theorem 6.5 (Stru tural iteration for ��). Given fun tions f 2 A ! X ,g 2 (X �X)! X , and h 2 (A�X)! X in FM(A ) with h satisfyingNa 2 A8x 2 X(a# h(a; x)) (66)there is a unique k 2 �� ! X su h that8a 2 A(k(var(a)) = f(a))^ 8t 2 �� 8t0 2 ��(k(app(t; t0)) = g(k(t); k(t0)))^ Na 2 A8t 2 ��(k(lam(a:t)) = h(a; k(t))): (67)Proof. By Lemma 6.3, the ondition (66) means that it indu es a fun tion h 2([A℄X)! X . Then f , g and h �t together to give a fun tion from the oprodu tA + (X �X) + ([A℄X) to X , i.e. a fun tion F�(X) ! X . Then k is the uniquefun tion �(F�)! X given by the initial algebra property (54).Remark 6.6. Note that this stru tural iteration prin iple for �� proves theexisten e of total fun tions out of �� even though in property (67), as far as�-abstra tions are on erned, we only have to spe ify what the fun tion does forfresh bound variables. Indeed, we an slightly strengthen Theorem 6.5 by onlyrequiring h to be a partial fun tion with dom(h) = f(a; x) 2 A�X j a#Xg, forwhi h ondition (66) still makes sense. However if supp(X) = ;, as is the ase inthe examples below, then dom(h) is in fa t the whole of A�X .Corollary 6.7 (Stru tural re ursion for ��). Given fun tions f 2 A ! X ,g 2 (�� � �� �X �X) ! X , and h 2 (�� � A �X) ! X in FM(A ) with hsatisfyingNa 2 A8t 2 �� 8x 2 X(a# h(t; a; x)) (68)there is a unique k 2 �� ! X su h that8a 2 A(k(var(a)) = f(a))^ 8t 2 �� 8t0 2 ��(k(app(t; t0)) = g(t; t0; k(t); k(t0))^ Na 2 A8t 2 ��(k(lam(a:t)) = h(t; a; k(t)): (69)Proof. The passage from iteration to (primitive) re ursion for initial algebras usesa standard tri k relying upon the uniqueness part of the initial algebra property:

Abstra t Syntax with Variable Binding 23de�ne X 0 to be �� � X and onsider f 0 2 A ! X 0, g 2 (X 0 �X 0) ! X 0, andh0 2 (A�X 0)! X 0 given byf 0(a) , (var(a); f(a))g0((t; x); (t0; x0)) , (app(t; t0); g(t; t0; x; x0))h0(a; (t; x)) , (lam(a:t); h(t; a; x)):Note that h0 satis�es ondition (66) be ause of property (38) and be ause hsatis�es (68). So let k0 2 �� ! X 0 be the fun tion uniquely de�ned by iterationfrom (f 0; g0; h0) as in Theorem 6.5. Writing �1 and �2 for the proje tion fun tions(t; x) 7! t and (t; x) 7! x, one veri�es that �1 Æ k0 and the identity fun tionid�� 2 �� ! �� both satisfy the onditions required of the fun tion iterativelyde�ned by (var; app; lam), where lam 2 (A � ��) ! �� is (a; t) 7! lam(a:x).(Note that this triple of fun tions is suitable for a stru turally iterative de�nitionbe ause lam satis�es the ne essary ondition (66), thanks to property (38).)Hen e �1 Æ k0 = id�� . Using this one easily veri�es that k = �2 Æ k0 2 �� ! X isthe uniquely de�ned fun tion with the required property (69).Theorem 6.8 (Stru tural indu tion for ��). Given a subset S � �� inFM(A ), to prove that S is the whole of �� it suÆ es to show8a 2 A(var(a) 2 S)^ 8t 2 S 8t0 2 S(app(t; t0) 2 S)^ Na 2 A8t 2 S(lam(a:t) 2 S): (70)Proof. Condition (70) tells us that the in lusionA+ (S � S) + ([A℄S) � A+ (�� � ��) + ([A℄��) = ��fa tors through S � �� (we use property (46) to see this for the third omponentof the disjoint union). Hen e F�(S) � S and therefore by property (52) we have�� = �(F�) � S. Thus S = ��.This stru tural indu tion prin iple for �� seems to orrespond well to infor-mal indu tive arguments about �-equivalen e lasses of �-terms that pro eed bypi king representative names of bound variables and applying stru tural indu -tion at the level of abstra t syntax trees (i.e. stru tural indu tion for � = �(F ),as de�ned in Theorem 6.2), leaving mute the tedious proofs that su h hoi es donot a�e t the argument. In e�e t, by restri ting to obje ts with �nite support(De�nition 3.3) and equivariant properties (Lemma 4.7), FM-set theory ensuresthat su h hoi es are guaranteed not to a�e t meaning, provided freshness on-ditions like property (66) in Theorem 6.5 are satis�ed.In the rest of this se tion we give some simple examples of the use of Theo-rems 6.5 and 6.8.Example 6.9 (Capture-avoiding substitution). Given s 2 �� and b 2 A,in Theorem 6.5 take X = �� and de�ne f 2 A! ��, g 2 (�� � ��)! �� andh 2 (A� ��)! �� byf(a) , if a = b then s else var(a)g(t; t0) , app(t; t0)h(a; t) , lam(a:t):Note that h satis�es ondition (66) be ause of property (38). So by the theorem

24 M. J. Gabbay and A. M. Pittsthere is a unique fun tion in �� ! ��, whose value at t 2 �� we write assub s for b in t, satisfying8a 2 A sub s for b in var(a) =if a = b then s else var(a)^ 8t0 2 �� 8t00 2 �� sub s for b in app(t; t0) =app(sub s for b in t; sub s for b in t0)^ Na 2 A8t 2 �� sub s for b in lam(a:t) =lam(a:(sub s for b in t)) :From the above properties it follows that under the bije tion of Theorem 6.2between elements s of �� and �-equivalen e lasses of �-terms N , the fun -tion sub s for b in (�) orresponds to the apture-avoiding substitution fun tion[N=b℄(�). Note that in the lause for �-abstra tions lam(a:t), we only have tospe ify the result of substitution for the simple ase that a is fresh in order forsub s for b in (�) to be de�ned on the whole of ��.One property of apture-free substitution is that the only free o urren es ofb in [N=b℄M are due to free o urren es of b in N . The analogue for �� of thisproperty isb# s ) 8t 2 ��(b# sub s for b in t): (71)This an be proved by stru tural indu tion on t by taking S = ft 2 �� jb # sub s for b in tg in Theorem 6.8 and making use of the easily veri�ed fa tthatb# s ) b# (if a = b then s else var(a)):Applying Proposition 4.10 to (71), we have for ea h s 2 �� thatNb 2 A8t 2 ��(b# sub s for b in t):Thus by Lemma 6.3, for ea h s 2 �� the element of (A � ��) ! �� givenby (b; t) 7! sub s for b in t indu es a fun tion ([A℄��) ! ��. In this way weget a substitution fun tion � 2 (([A℄��) � ��) ! �� satisfying for all (y; s) 2([A℄��) � �� that Na 2 A(�(y; s) = sub s for a in (y�a)). (Compare with thesubstitution fun tion � : Æ�� �! � in [FPT99, Se tion 3℄.)Example 6.10 (A size fun tion). In Theorem 6.5, takingX to be the set ! ofnatural numbers, f 2 A! ! to be the onstant fun tion a 7! 1, g 2 (!�!)! !to be addition and h 2 (A � !) ! ! to be the fun tion (a; n) 7! n + 1, we andedu e that there is a unique fun tion k 2 �� ! ! satisfying8a 2 A(k(var(a)) = 1)^ 8t 2 �� 8t0 2 ��(k(app(t; t0)) = k(t) + k(t0))^ Na 2 A8t 2 ��(k(lam(a:t)) = k(t) + 1):Condition (66) is satis�ed in this ase be ause ! is a pure FM-set (see Re-mark 4.2) and hen e 8a 2 A8n 2 !(a# n).By Proposition 4.10, the last property of k in the above onjun tion is equiv-alent to8a 2 A(a# k ) 8t 2 ��(k(lam(a:t)) = k(t) + 1)):But Corollary 4.8 implies that a # k holds for any a 2 A. Therefore we anstrengthen this last de�ning lause for k to:8a 2 A8t 2 ��(k(lam(a:t)) = k(t) + 1)):

Abstra t Syntax with Variable Binding 25Thus the formalism we have developed allows us to express very easily the prop-erties we expe t a size fun tion to have on �-equivalen e lasses of �-terms.Compare this example with the ompli ations en ountered by Gordon and Mel-ham when de�ning a similar fun tion by re ursion using their axiomatisation of�- onversion [GM96, Se tion 3.3℄.Example 6.11 (Set of free atoms). In Theorem 6.5, take X to be the setpow�n(A) of �nite sets of atoms, f 2 A! pow�n(A) to be the singleton fun tiona 7! fag, g 2 (pow�n(A) � pow�n(A)) ! pow�n(A) to be union and g 2 (A �pow�n(A)) ! pow�n(A) to be the subtra tion fun tion (a; w) 7! w � fag. Notethat h satis�es ondition (66), be ause the support of a �nite set of atoms w 2pow�n(A) is just w itself and hen e a# (w � fag), for any a 2 A. So there is aunique fun tion k 2 �� ! pow�n(A) satisfying8a 2 A(k(var(a)) = fag)^ 8t 2 �� 8t0 2 ��(k(app(t; t0)) = k(t) [ k(t0))^ 8a 2 A8t 2 ��(k(lam(a:t)) = k(t)� fag)where in the last onjun t we have strengthened Na 2 A : : : to 8a 2 A : : : usingthe same argument as in the previous example. This fun tion k gives a stru -turally iterative de�nition of the `�nite set of free atoms' for elements of ��.Using the stru tural indu tion prin iple of Theorem 6.8, one an show for allt 2 �� that in fa t k(t) = supp(t). Thus under the bije tion of Theorem 6.2, theset of (names of) free variables of an �-equivalen e lass of �-terms is identi�edwith the support of the orresponding element of �� ( f. Example 3.5(iii)). Inparti ular, ft 2 �� j supp(t) = ;g orresponds to the subset of losed �-termsmodulo =�.Example 6.12 (Binding o urren es of atoms). It is simple enough to de-�ne a fun tion �! pow�n(A) sending ea h �-term M to the �nite set of atomsthat o ur in M in binding position. Clearly this set is not invariant under �- onversion and so does not indu e a fun tion on �==�. Correspondingly, there isno fun tion ba 2 �� ! pow�n(A) in FM(A ) pi king out the �nite set of `bindingatoms' of elements of ��, in the sense that it satis�es8a 2 A(ba(var(a)) = ;)^ 8t 2 �� 8t0 2 ��(ba(app(t; t0)) = ba(t) [ ba(t0))^ Na 2 A8t 2 ��(ba(lam(a:t)) = fag [ ba(t)):(Note that we annot use Theorem 6.5 to de�ne su h a fun tion be ause inthis ase ondition (66) would require a# fag [ w (any w 2 pow�n(A)), whi his ertainly false.) Indeed, we an argue by ontradi tion to see that no su hfun tion exists in FM(A ): if it did, pi king any atoms a 6= a0 not in its support,we would have (a0 a) �ba = ba (by property (15)); then t = lam(a:var(a)) satis�esba(t) = fag and sofa0g = (a0 a) � fag = (a0 a) � ba(t)= ba(t) sin e a; a0 # ba(t), by (24)= fagi.e. a0 = a, ontradi ting the hoi e of a and a0.The theory we have presented seems rather well adapted to expressing the`usual' forms of re ursion/indu tion for abstra t syntax, while at the same time

26 M. J. Gabbay and A. M. Pittsdealing with freshness of variables and variable renaming systemati ally, at themeta-level. Of ourse mu h more needs to be done to establish the utility of thesestru tural re ursion and indu tion prin iples (see Se tion 8). However, we regardthe sheer simpli ity of the above examples ( ompared with analogous examplesin other formalisms) as a good sign! We �nish this se tion by mentioning someextensions of the theory.Remark 6.13 (Binding signatures). The terms of the lambda al ulus arethe terms over a signature with one binary operation (appli ation) and one unarybinder (�-abstra tion). The results of this se tion an be extended to deal withmore general signatures, onsisting of k operators (for some k � 0) ea h of whi htakes m arguments (for some m � 0) with ea h argument an n-ary abstra tion(for some n � 0)|these are the binding signatures onsidered in [FPT99, Se -tion 2℄. The fun tion F on FM-sets orresponding to su h a signature takes theformF (�) = A+ k summandsz }| {� � �+ (� � � � [A℄n(�)� � � �| {z }m fa tors ) + � � �where�[A℄0(X) , X[A℄n+1(X) , [A℄([A℄n(X)):Generalising Theorem 6.2, one an show that the indu tively de�ned FM-set�(F ) determined by F is in bije tion with the set of terms modulo �- onversionover the binding signature. This FM-set is an initial algebra for the fun torasso iated with F ; and from the shape of the signature an be read o� prin iplesof stru tural re ursion and indu tion like those above. Many-sorted signatures an be dealt with using FM-sets mutually indu tively de�ned by several su hfun tions. See [Gab00, Se tion 10℄ for more details.Remark 6.14 (Splitting the set of atoms). To support syntax involving �n-itely many di�erent sorts of variables one an use the following mild generalisa-tion of the Fraenkel-Mostowski universe FM(A ) of De�nition 4.1. Partition theset of atoms A into a ountably in�nite set of in�nite subsets:A = SfA(n) j n 2 !g^ 8n 2 !(A(n) =2 pow�n(A(n)))^ 8n; n0 2 !(n 6= n0 ) A(n) \ A(n0) = ;):Working with sets equipped with an a tion of the subgroup G of perm(A ) on-sisting of permutations that respe t the partition (so that G is isomorphi to theprodu t group Qn2! perm(A(n))), we an repeat the development of Se tions 3and 4, forming a universe of sets with hereditarily �nite support with respe tto the a tion of G. There is a orresponding generalisation of FM-set theoryto Fraenkel-Mostowski set theory with many Sorts of atoms (FMS-set theory),whose axioms we will not give here. Within that theory one an develop thetheory of transpositions (a b) �A x, a freshness predi ate a #A x, a quanti�erNa 2 A(�) and abstra tion sets [A℄X , where a; b 2 A 2 fA(n) j n 2 !g. Thelatter an be used in ombination with artesian produ ts and disjoint unionsto form indu tively de�ned sets in the universe just as in Se tion 6. For ex-ample, taking two distin t sorts of atoms, T , A(0) and V , A(1) naming

Abstra t Syntax with Variable Binding 27type variables and term variables respe tively, the mutually indu tively de�nedFMS-setsType = tyvar(T ) + Fun(Type � Type) + all([T ℄Type)Term = var(V ) + app(Term � Term) + lam(Type � [V ℄Term)+ spe (Term � Type) + gen([T ℄Term) 9=; (72)represent, respe tively, the the types and terms of the Girard-Reynolds polymor-phi lambda al ulus [Gir72, Rey83℄modulo renaming of bound type variables andbound term variables. (The disjoint union in lusion fun tions have been namedexpli itly in (72) to indi ate the intended meaning.)7. Related WorkOne origin of the work presented here lies in the `�- al ulus', a fragment ofML [MTHM97℄ introdu ed by the se ond author and Stark [PS93a, Sta95℄ toexplore the properties, with respe t to semanti equivalen e of programs, of all-by-value higher order fun tions and dynami ally reated names (see also [JR99℄).In [Sta96a℄, Stark studies a model of the �- al ulus based on one of Moggi's`dynami allo ation' monads [Mog89℄ in the presheaf ategory SetI , where Iis the ategory of �nite ordinals and inje tive fun tions between them. Cru ialingredients of the dynami allo ation monad used there are the `obje t of names',given by the in lusion fun tor I ,! Set, and the shift fun tor Æ : SetI ! SetI ,given by ÆX(n) = X(n+1). These ingredients also o ur in subsequent work onmodelling �- al ulus names in SetI [FMS96, Sta96b℄ and, most relevantly, re entwork on modelling variable-binding abstra t syntax [FPT99, Hof99℄, where otherpresheaf ategories besides SetI are onsidered.Now, a somewhat overlooked model of the �- al ulus, mentioned in [PS93b,Examples 4.3℄, is the full sub ategory of SetI whose obje ts are the pullba kpreserving fun tors. This is equivalent to a well-known topos, sometimes alledthe S hanuel topos|the ategory of ontinuous G-sets for the topologi al groupG = perm(A ) of permutations of a ountably in�nite set A topologised as asubspa e of Baire spa e: see [Joh83, Lemma 1.8℄ and [MM92, Se tion III.9℄. Putmore on retely, and this is the point, the obje ts of the S hanuel topos areperm(A )-sets (De�nition 3.1) in whi h every element has �nite support (De�-nition 3.3), and its morphisms are the equivariant fun tions de�ned at the be-ginning of Se tion 4. Thus on the one hand, the S hanuel topos relates to the umulative hierar hy of FM-sets de�ned by equation (11) mu h as the usual vonNeumann umulative hierar hy, de�ned by equation (9), relates to the topos ofsets (see [JM95℄ for more on the ategory theory of universes of sets); on the otherhand, the S hanuel topos is a sheaf subtopos of the presheaf ategory SetI , withthe in lusion sending the FM-set of atoms A to the obje t of names I ,! Setand the abstra tion operator [A ℄(�) to the shift fun tor Æ(�) mentioned above.Both the presheaf toposes used in [FPT99, Hof99℄ and the S hanuel topos(and indeed many other ategories equipped with a faithful fun tor to Set!)support an initial algebra semanti s for signatures with binding. So does theS hanuel topos, and its asso iated FM-set theory, have any advantage over theseother, related ategories? It is well known that toposes orrespond to theoriesin extensional, higher-order, intuitionisti logi [LS86℄. Unlike presheaf toposes

28 M. J. Gabbay and A. M. Pittsin general, the S hanuel topos models lassi al rather than intuitionisti higherorder logi ; furthermore, its higher order stru ture (fun tion and power obje ts)is rather amenable to making al ulations, ompared with the higher order stru -ture of presheaf ategories. Thus if one is looking for a single, general-purposesetting for modelling variable-binding syntax, the logi of the S hanuel topos isboth a bit more powerful and familiar. One an view [FPT99℄ as establishing,amongst other things, a very ni e ategori al algebra for the de Buijn, `name-less' style of treating variable-binding and substitution. By ontrast, here wehave presented a useful logi for variable-binding in whi h names o ur expli -itly. The motivation for su h a `nameful' rather than nameless style is partly toformalise existing ommon pra ti e; but the logi an also serve as a basis forproving that de Bruijn-like formulations are orre t with respe t to more on- rete representations. Cru ial to all this is the notion of `�nite support' (leadingto the N-quanti�er and our FM-set-theoreti notion of atom-abstra tion), whi his present the S hanuel toposes, but not, apparently, in the presheaf toposes usedin [FPT99℄|or at least not with su h pleasant properties.Finally, it is worth emphasising that although we have hosen to use a set-theoreti rather than a topos-theoreti presentation here|be ause we think itis more a essible|the same fundamental ideas to do with names and name-abstra tion underlie both FM-set theory and the S hanuel topos.8. Con lusion and Further DevelopmentsThe Fraenkel-Mostowski permutation model of ZFA is well over sixty years old.Yet the use to whi h we have put it here seems new. The idea that one mightwant to treat syntax up to permutative renamings of variables is hardly original,but we hope we have demonstrated onvin ingly that the theory really takes o�when one ombines that idea with the subtle notion of `�nite support' inherent inthe Fraenkel-Mostowski model. Using it, we introdu ed a useful quanti�er Nforfresh names and a new set-forming operation for name-abstra tion, [A℄(�), whoseproperties seem better suited to modelling variable-binding than the fun tionspa e A! (�) that is often used for that purpose. Among other things, we sawthat the theory of indu tively de�ned FM-sets using this notion of abstra tion an orre tly model �-equivalen e lasses of variable-binding syntax. At the sametime we remain pleasantly lose to the familiar theory of �rst-order algebrai datatypes|witness Theorems 6.5 and 6.8, and Examples 6.9{6.12.We believe that the theory of indu tively de�ned FM-sets will be a usefulsetting for developing programming language semanti s based on stru tural op-erational semanti s [Plo81℄. Syntax-dire ted, rule-based indu tive de�nitions ofrelations quite often ontain side- onditions to do with freshness of variables,and the hope is that these an be assimilated and manipulated onveniently viathe freshness predi ate # and the N-quanti�er we have introdu ed here. Thisapproa h seems parti ularly relevant for the labelled transition semanti s of pro- ess al uli su h as the �- al ulus and its relations [MPW92, AG99, CG00b℄;both be ause ompli ated forms of binding to do with names and names restri -tion play a key role there and be ause analyses based on `name-abstra tion asfun tions' [HMS98, Des00℄ are not entirely satisfa tory. The formalism of permu-tation a tions and �nite support has been redis overed independently by Hondain his work on a general framework for pro esses [Hon00℄. It also features in workon �nite state transition systems for he king bisimilarity of �- al ulus pro esses

Abstra t Syntax with Variable Binding 29in [MP00℄. Cardelli and Gordon have taken up some of the ideas presented hereand used permutative renaming and the N-quanti�er as part of a modal logi fortheir ambient al ulus [CG00a℄.This paper is a revised and expanded version of [GP99℄. Sin e that paperappeared, the theory we have des ribed here has been developed and appliedin two somewhat di�erent dire tions. The �rst author has developed an imple-mentation of FM-set theory within the Isabelle generi theorem prover [Pau94℄.This required a good deal of `proof engineering' to reuse the existing IsabelleZF theory; an a ount may be found in Chapter III of the �rst author's the-sis [Gab00℄ (Chapter II of whi h ontains a development of FM-set theory moredetailed than the one given here). Se ondly, we have begun to design an ML-style metalanguage, FreshML, for programming with re ursively de�ned fun -tions on indu tively de�ned FM-sets. The ingredients of FreshML are des ribedin [PG00℄ and [Gab00, Chapter IV℄. It has a type of atoms, a type onstru tor foratom-abstra tions, and fa ilities for de�ning re ursive fun tions involving lo allyfresh names and pattern-mat hing on atom-abstra tions ( f. Remark 6.4). TheFreshML type system infers not only onventional typing information, but alsoinformation about freshness assertions a# x; the ru ial point is that the typesystem ensures that the language's fa ilities for manipulating bound names anonly be used in well-typed programs in ways that are insensitive to renamingthose bound names.Referen es[AG99℄ M. Abadi and A. D. Gordon. A al ulus for ryptographi proto ols: the spi al ulus. Information and Computation, 148:1{70, 1999.[Bar84℄ H. P. Barendregt. The Lambda Cal ulus: Its Syntax and Semanti s. North-Holland, revised edition, 1984.[Bur69℄ R. M. Burstall. Proving properties of programs by stru tural indu tion. TheComputer Journal, 12:41{48, 1969.[Bur77℄ R. M. Burstall. Design onsiderations for a fun tional programming language. InPro . of the Infote h State of the Art Conferen e, Copenhagen, 1977.[CG00a℄ L. Cardelli and A. D. Gordon. Logi al properties of name restri tion. Draft., 2000.[CG00b℄ L. Cardelli and A. D. Gordon. Mobile ambients. Theoreti al Computer S ien e,240:177{213, 2000.[Chu40℄ A. Chur h. A formulation of the simple theory of types. Journal of Symboli Logi , 5:56{68, 1940.[Cur93℄ P.-L. Curien. Categori al Combinators, Sequential Algorithms, and Fun tionalProgramming. Birkh�auser, 1993.[dB72℄ N. G. de Bruijn. Lambda al ulus notation with nameless dummies, a tool forautomati formula manipulation, with appli ation to the Chur h-Rosser theorem.Indag. Math., 34:381{392, 1972.[Des00℄ J. Despeyroux. A higher-order spe i� ation of the pi- al ulus. In IFIP Inter-national Conferen e on Theoreti al Computer S ien e, IFIP TCS'2000, Sendai,Japan, 2000.[DPS97℄ J. Despeyroux, F. Pfenning, and C. S h�urmann. Primitive re ursion for higher-order abstra t syntax. In Typed Lambda Cal ulus and Appli ations, 3rd Inter-national Conferen e, volume 1210 of Le ture Notes in Computer S ien e, pages147{163. Springer-Verlag, Berlin, 1997.[FMS96℄ M. P. Fiore, E. Moggi, and D. Sangiorgi. A fully abstra t model for the �- al ulus(extended abstra t). In Eleventh Annual Symposium on Logi in Computer S i-en e, pages 43{54. IEEE Computer So iety Press, Washington, 1996.[Fou80℄ M. P. Fourman. Sheaf models for set theory. Journal of Pure and Applied Algebra,19:91{101, 1980.[FPT99℄ M. P. Fiore, G. D. Plotkin, and D. Turi. Abstra t syntax and variable binding.

30 M. J. Gabbay and A. M. PittsIn 14th Annual Symposium on Logi in Computer S ien e, pages 193{202. IEEEComputer So iety Press, Washington, 1999.[Gab00℄ M. J. Gabbay. A Theory of Indu tive De�nitions with �-Equivalen e: Seman-ti s, Implementation, Programming Language. PhD thesis, Cambridge University,2000. Submitted.[Gir72℄ J.-Y. Girard. Interpr�etation fon tionelle et �elimination des oupures dansl'arithmetique d'ordre sup�erieur. PhD thesis, Universit�e Paris VII, 1972. Th�esede do torat d'�etat.[GM93℄ M. J. C. Gordon and T. F. Melham. Introdu tion to HOL. A theorem provingenvironment for higher order logi . Cambridge University Press, 1993.[GM96℄ A. D. Gordon and T. Melham. Five axioms of alpha- onversion. In TheoremProving in Higher Order Logi s: 9th Interational Conferen e, TPHOLs'96, vol-ume 1125 of Le ture Notes in Computer S ien e, pages 173{191. Springer-Verlag,Berlin, 1996.[GP99℄ M. J. Gabbay and A. M. Pitts. A new approa h to abstra t syntax involvingbinders. In 14th Annual Symposium on Logi in Computer S ien e, pages 214{224. IEEE Computer So iety Press, Washington, 1999.[GTWW77℄ J. A. Goguen, J. W. That her, E. G. Wagner, and J. B. Wright. Initial algebrasemanti s and ontinuous algebras. JACM, 24:68{95, 1977.[Gun92℄ C. A. Gunter. Semanti s of Programming Languages: Stru tures and Te hniques.Foundations of Computing. MIT Press, 1992.[HMS98℄ F. Honsell, M. Mi ulan, and I. S agnetto. �- al ulus in ( o)indu tive type the-ory. Te hni al report, Dipartimento di Matemati a e Informati a, Universit�a degliStudi di Udine, 1998.[Hof99℄ M. Hofmann. Semanti al analysis of higher-order abstra t syntax. In 14th An-nual Symposium on Logi in Computer S ien e, pages 204{213. IEEE ComputerSo iety Press, Washington, 1999.[Hon00℄ K. Honda. Elementary stru tures in pro ess theory (1): Sets with renaming. Math-emati al Stru tures in Computer S ien e, 10:617{663, 2000.[Je 77℄ T. J. Je h. About the axiom of hoi e. In J. Barwise, editor, Handbook of Math-emati al Logi , pages 345{370. North-Holland, 1977.[JM95℄ A. Joyal and I. Moerdijk. Algebrai Set Theory. Number 220 in London Mathe-mati al So iety Le ture Notes in Mathemati s. Cambridge University Press, 1995.[Joh83℄ P. T. Johnstone. Quotients of de idable obje ts in a topos. Math. Pro . CambridgePhilosophi al So iety, 93:409{419, 1983.[JR99℄ A. Je�rey and J. Rathke. Towards a theory of bisimulation for lo al names. In 14thAnnual Symposium on Logi in Computer S ien e, pages 56{66. IEEE ComputerSo iety Press, Washington, 1999.[LP99℄ L. Lamport and L. C. Paulson. Should your spe i� ation language be typed? ACMTransa tions on Programming Languages and Systems, 21(3):502{526, 1999.[LS86℄ J. Lambek and P. J. S ott. Introdu tion to Higher Order Categori al Logi . Cam-bridge University Press, 1986.[Mar84℄ P. Martin-L�of. Intuitionisti Type Theory. Bibliopolis, Napoli, 1984.[MM92℄ S. Ma Lane and I. Moerdijk. Sheaves in Geometry and Logi . A First Introdu tionto Topos Theory. Springer-Verlag, New York, 1992.[MM97℄ R. M Dowell and D. Miller. A logi for reasoning with higher-order abstra tsyntax. In 12th Annual Symposium on Logi in Computer S ien e, pages 434{445. IEEE Computer So iety Press, Washington, 1997.[Mog89℄ E. Moggi. An abstra t view of programming languages. Te hni al Report ECS-LFCS-90-113, Department of Computer S ien e, University of Edinburgh, 1989.[MP00℄ U. Montanari and M. Pistore. �-Cal ulus, stru tured oalgebras and minimalHD-automata. In 25th International Symposium on Mathemati al Foundationsof Computer S ien e, Bratislava, Slovak Republi ,, volume 1893 of Le ture Notesin Computer S ien e, pages ?{? Springer-Verlag, 2000.[MPW92℄ R. Milner, J. Parrow, and D. Walker. A al ulus of mobile pro esses (parts I andII). Information and Computation, 100:1{77, 1992.[MTHM97℄ R. Milner, M. Tofte, R. Harper, and D. Ma Queen. The De�nition of StandardML (Revised). MIT Press, 1997.[Pau94℄ L. C. Paulson. Isabelle: A Generi Theorem Prover, volume 828 of Le ture Notesin Computer S ien e. Springer-Verlag, Berlin, 1994.[PE88℄ F. Pfenning and C. Elliott. Higher-order abstra t syntax. In Pro . ACM-

Abstra t Syntax with Variable Binding 31SIGPLAN Conferen e on Programming Language Design and Implementation,pages 199{208. ACM Press, 1988.[PG00℄ A. M. Pitts and M. J. Gabbay. A metalanguage for programming with boundnames modulo renaming. In R. Ba khouse and J. N. Oliveira, editors, Mathemat-i s of Program Constru tion. 5th International Conferen e, MPC2000, Ponte deLima, Portugal, July 2000. Pro eedings, volume 1837 of Le ture Notes in Com-puter S ien e, pages 230{255. Springer-Verlag, Heidelberg, 2000.[Plo81℄ G. D. Plotkin. A stru tural approa h to operational semanti s. Te hni al ReportDAIMI FN-19, Aarhus University, 1981.[PM93℄ Chr. Paulin-Mohring. Indu tive de�nitions in the system Coq; rules and prop-erties. In M. Bezem and J. F. Groote, editors, Typed Lambda Cal ulus and Ap-pli ations, volume 664 of Le ture Notes in Computer S ien e, pages 328{345.Springer-Verlag, Berlin, 1993.[PS93a℄ A. M. Pitts and I. D. B. Stark. Observable properties of higher order fun tions thatdynami ally reate lo al names, or: What's new? In Mathemati al Foundations ofComputer S ien e, Pro . 18th Int. Symp., Gda�nsk, 1993, volume 711 of Le tureNotes in Computer S ien e, pages 122{141. Springer-Verlag, Berlin, 1993.[PS93b℄ A. M. Pitts and I. D. B. Stark. On the observable properties of higher or-der fun tions that dynami ally reate lo al names (preliminary report). InWorkshop on State in Programming Languages, Copenhagen, 1993, pages 31{45. ACM SIGPLAN, 1993. Yale Univ. Dept. Computer S ien e Te hni al ReportYALEU/DCS/RR-968.[Qui63℄ W. V. O. Quine. Set Theory and its Logi (Revised Edition). Harvard UniversityPress, 1963.[Rey83℄ J. C. Reynolds. Types, abstra tion and parametri polymorphism. In R. E. A.Mason, editor, Information Pro essing 83, pages 513{523. North-Holland, Ams-terdam, 1983.[S o93℄ D. S. S ott. A type-theoreti al alternative to ISWIM, CUCH, OWHY. Theoreti alComputer S ien e, 121:411{440, 1993.[Sho77℄ J. R. Shoen�eld. Axioms of set theory. In J. Barwise, editor, Handbook of Math-emati al Logi , pages 321{344. North-Holland, 1977.[Sta95℄ I. D. B. Stark. Names and Higher-Order Fun tions. PhD thesis, University ofCambridge, 1995. Also published as Te hni al Report 363, University of Cam-bridge Computer Laboratory, April 1995.[Sta96a℄ I. D. B. Stark. Categori al models for lo al names. Lisp and Symboli Computa-tion, 9(1):77{107, 1996.[Sta96b℄ I. D. B. Stark. A fully abstra t domain model for the �- al ulus. In 11th AnnualSymposium on Logi in Computer S ien e, pages 36{42. IEEE Computer So ietyPress, Washington, 1996.[Sto88℄ A. Stoughton. Substitution revisited. Theoreti al Computer S ien e, 59:317{325,1988.