Abstract
Machine-checked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proof-carrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. The representation and manipulation of terms with variable binding is a key issue.
We propose a novel style for formalizing metatheory, combining locally nameless representation of terms and cofinite quantification of free variable names in inductive definitions of relations on terms (typing, reduction, ...). The key technical insight is that our use of cofinite quantification obviates the need for reasoning about equivariance (the fact that free names can be renamed in derivations); in particular, the structural induction principles of relations defined using cofinite quantification are strong enough for metatheoretic reasoning, and need not be explicitly strengthened. Strong inversion principles follow (automatically, in Coq) from the induction principles. Although many of the underlying ingredients of our technique have been used before, their combination here yields a significant improvement over other methodologies using first-order representations, leading to developments that are faithful to informal practice, yet require no external tool support and little infrastructure within the proof assistant.
We have carried out several large developments in this style using the Coq proof assistant and have made them publicly available. Our developments include type soundness for System F<: and core ML (with references, exceptions, datatypes, recursion, and patterns) and subject reduction for the Calculus of Constructions. Not only do these developments demonstrate the comprehensiveness of our approach; they have also demonstrated optimized for clarity and robustness, making them good templates for future extension.
Engineering formal metatheory
POPL '08: Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages