Engineering formal metatheory

Machine-checked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proof-carrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. The representation and manipulation of terms with variable binding is a key issue. We propose a novel style for formalizing metatheory, combining locally nameless representation of terms and cofinite quantification of free variable names in inductive definitions of relations on terms (typing, reduction, ...). The key technical insight is that our use of cofinite quantification obviates the need for reasoning about equivariance (the fact that free names can be renamed in derivations); in particular, the structural induction principles of relations defined using cofinite quantification are strong enough for metatheoretic reasoning, and need not be explicitly strengthened. Strong inversion principles follow (automatically, in Coq) from the induction principles. Although many of the underlying ingredients of our technique have been used before, their combination here yields a significant improvement over other methodologies using first-order representations, leading to developments that are faithful to informal practice, yet require no external tool support and little infrastructure within the proof assistant. We have carried out several large developments in this style using the Coq proof assistant and have made them publicly available. Our developments include type soundness for System F<: and core ML (with references, exceptions, datatypes, recursion, and patterns) and subject reduction for the Calculus of Constructions. Not only do these developments demonstrate the comprehensiveness of our approach; they have also been optimized for clarity and robustness, making them good templates for future extension.
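The locally nameless representation the abstract describes, as an added Python illustration rather than the paper's Coq development: bound variables are de Bruijn indices, free variables are names, and `open_`, `close` and `subst` are the operations whose interaction properties the Coq proofs rely on. The tuple encoding, the `fresh` helper and the `lc` predicate are this example's own choices.

```python
# Locally nameless lambda terms as tuples (added Python illustration, not the
# paper's Coq code). Bound variables ("bv", i) are de Bruijn indices counted from
# the nearest enclosing binder, free variables ("fv", x) carry names, and a
# binder ("abs", body) has no name, so alpha-equivalent terms are equal tuples.

def fv(t):
    """Free names occurring in t."""
    if t[0] == "fv": return {t[1]}
    if t[0] == "app": return fv(t[1]) | fv(t[2])
    return fv(t[1]) if t[0] == "abs" else set()

def open_rec(k, u, t):
    """Replace bound index k by term u; the index shifts under each binder."""
    if t[0] == "bv": return u if t[1] == k else t
    if t[0] == "app": return ("app", open_rec(k, u, t[1]), open_rec(k, u, t[2]))
    return ("abs", open_rec(k + 1, u, t[1])) if t[0] == "abs" else t

def open_(t, x):
    """Open a binder body: index 0 becomes the free name x."""
    return open_rec(0, ("fv", x), t)

def close_rec(k, x, t):
    """Inverse of opening: the free name x becomes bound index k."""
    if t[0] == "fv": return ("bv", k) if t[1] == x else t
    if t[0] == "app": return ("app", close_rec(k, x, t[1]), close_rec(k, x, t[2]))
    return ("abs", close_rec(k + 1, x, t[1])) if t[0] == "abs" else t

def close(t, x):
    """Abstract the free name x: the usual way to build a binder body."""
    return close_rec(0, x, t)

def subst(x, u, t):
    """Substitute u for free name x. No capture is possible, since binders carry
    no names; u is assumed locally closed so its indices never need shifting."""
    if t[0] == "fv": return u if t[1] == x else t
    if t[0] == "app": return ("app", subst(x, u, t[1]), subst(x, u, t[2]))
    return ("abs", subst(x, u, t[1])) if t[0] == "abs" else t

def lc(t, k=0):
    """Local closure: every bound index points at an enclosing binder."""
    if t[0] == "bv": return t[1] < k
    if t[0] == "app": return lc(t[1], k) and lc(t[2], k)
    return lc(t[1], k + 1) if t[0] == "abs" else True

def fresh(avoid):
    """A name outside the finite set avoid (the L of a cofinite premise)."""
    i = 0
    while f"x{i}" in avoid: i += 1
    return f"x{i}"
```

The round trips `close(open_(t, x), x) == t` (for x not free in t) and `open_(close(t, x), x) == t` (for locally closed t), together with `subst` commuting with `open_` for a different name, are the lemmas proved once in this style; a cofinite premise then asks that a property hold for every name outside some finite set L, which `fresh` instantiates with a concrete witness.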
