Results 1  10
of
14
Formalizing a JVML verifier for initialization in a theorem prover
, 2001
"... The bytecode verier is advertised as a key component of the security and safety strategy for the Java language, making it possible to use and exchange Java programs without fearing too much damage due to erroneous programs or malignant program providers. As Java is likely to become one of the langu ..."
Abstract

Cited by 21 (3 self)
 Add to MetaCart
The bytecode verier is advertised as a key component of the security and safety strategy for the Java language, making it possible to use and exchange Java programs without fearing too much damage due to erroneous programs or malignant program providers. As Java is likely to become one of the languages used to embed programs in all kinds of appliances or computerbased applications, it becomes important to verify that the claim of safety is justified. We worked on a type system proposed in [7] to enforce a discipline for object initialization in the Java Virtual Machine Language and implemented it in the Coq [5] proof and specification language. We first produced mechanically checked proofs of the theorems in [7] and then we constructed a functional implementation of a bytecode verifier. We have a mechanical proof that this bytecode verifier only accepts programs that have a safe behavior with respect to initialization. Thanks to the extraction mechanism provided in Coq...
Efficient reasoning about executable specifications in Coq, in
 Tahar (eds), Theorem Proving in HigherOrder Logics (TPHOLs 2002
, 2002
"... Abstract. We describe a package to reason efficiently about executable specifications in Coq. The package provides a command for synthesizing a customized induction principle for a recursively defined function, and a tactic that combines the application of the customized induction principle with au ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a package to reason efficiently about executable specifications in Coq. The package provides a command for synthesizing a customized induction principle for a recursively defined function, and a tactic that combines the application of the customized induction principle with automatic rewriting. We further illustrate how the package leads to a drastic reduction (by a factor of 10 approximately) of the size of the proofs in a largescale case study on reasoning about JavaCard. 1
A Step Towards the Mechanization of Partial Functions: Domains as Inductive Predicates
, 1998
"... . This work is centred on the specification of partial operations in a system based on a classical logic with total functions. We present a style with preconditions: our method enables calculation of the domain of a partial function f independently of calculation of f. We also study the influen ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
. This work is centred on the specification of partial operations in a system based on a classical logic with total functions. We present a style with preconditions: our method enables calculation of the domain of a partial function f independently of calculation of f. We also study the influence of this style upon the proof facility and the later use of the specification. 1 Introduction In this paper we are in the context of a logic which does not incorporate the notion of partiality and where any function is total. This choice is justified by the power of the underlying logic and by the expressive power of the associated languages. In this context, various tricks are used to encode the partiality. In a typed world, a total function of type ! 0 is defined for every value of type . Thus we have to encode a partial function whose arguments and result are respectively of type 1 and 2 into a total function of type ! 0 . Usually 1 and are identical but 2 and 0 are...
Developing (Meta)Theory of lambdacalculus in the Theory of Contexts
 Proc. MERLIN’01, TR 2001/26, Dept. of Math. and Comp. Sci., Univ. of Leicester
, 2001
"... . We present a case study on the formal development of a non trivial (meta)theory in the Theory of Contexts using the Coq proof assistant. The methodology underlying the Theory of Contexts for reasoning on systems presented in HOAS is based on an axiomatic syntactic standpoint. We feel that one ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
. We present a case study on the formal development of a non trivial (meta)theory in the Theory of Contexts using the Coq proof assistant. The methodology underlying the Theory of Contexts for reasoning on systems presented in HOAS is based on an axiomatic syntactic standpoint. We feel that one of the main advantages of this approach, is that it requires a very low logical overhead. The object logic we focus on is the lazy, callbyname #calculus (#cbn ), both untyped and simply typed. We will see that the formal, fully detailed development of the theory of #cbn in the Theory of Contexts introduces a small, sustainable overhead with respect to the proofs "on the paper". Moreover, this will allow for comparison with similar case studies developed in other approaches to the metatheoretical reasoning in higherorder abstract syntax. Keywords: higherorder abstract syntax, induction, logical frameworks.
A few constructions on constructors
 Types for Proofs and Programs
, 2005
"... Abstract. We present four constructions for standard equipment which can be generated for every inductive datatype: case analysis, structural recursion, no confusion, acyclicity. Our constructions follow a twolevel approach—they require less work than the standard techniques which inspired them [11 ..."
Abstract

Cited by 11 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We present four constructions for standard equipment which can be generated for every inductive datatype: case analysis, structural recursion, no confusion, acyclicity. Our constructions follow a twolevel approach—they require less work than the standard techniques which inspired them [11, 8]. Moreover, given a suitably heterogeneous notion of equality, they extend without difficulty to inductive families of datatypes. These constructions are vital components of the translation from dependently typed programs in pattern matching style [7] to the equivalent programs expressed in terms of induction principles [21] and as such play a crucial behindthescenes rôle in Epigram [25]. 1
A Certified Compiler for an Imperative Language
, 1998
"... This paper describes the process of mechanically certifying a compiler with respect to the semantic specification of the source and target languages. The proofs are performed in type theory using the Coq system. These proofs introduce specific theoretical tools: fragmentation theorems and general in ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
This paper describes the process of mechanically certifying a compiler with respect to the semantic specification of the source and target languages. The proofs are performed in type theory using the Coq system. These proofs introduce specific theoretical tools: fragmentation theorems and general induction principles.
Nominal Inversion Principles
"... Abstract. When reasoning about inductively defined predicates, such as typing judgements or reduction relations, proofs are often done by a case analysis on the last rule of a derivation. In HOL and other formal frameworks this case analysis involves solving equational constraints on the arguments o ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
(Show Context)
Abstract. When reasoning about inductively defined predicates, such as typing judgements or reduction relations, proofs are often done by a case analysis on the last rule of a derivation. In HOL and other formal frameworks this case analysis involves solving equational constraints on the arguments of the inductively defined predicates. This is wellunderstood when the arguments consist of variables and injective termconstructors. However, when alphaequivalence classes are involved, that is when termconstructors are not injective, these equational constraints give rise to annoying variable renamings. In this paper, we show that more convenient inversion principles can be derived where one does not have to deal with explicit variable renamings. An interesting observation is that our result relies on the fact that inductive predicates must satisfy the variable convention compatibility condition, which was introduced to justify the admissibility of Barendregt’s variable convention in rule inductions. 1
Inverting Inductively Defined Relations in LEGO
 TYPES FOR PROOFS AND PROGRAMS, ’96, VOLUME 1512 OF LNCS
, 1998
"... ..."
External and internal syntax of the λcalculus
 In: Buchberger, Ida, Kutsia (Eds.), Proc. of the AustrianJapanese Workshop on Symbolic Computation in Software Science, SCSS 2008. No. 08–08 in RISCLinz Report Series
"... There is growing interest in the study of the syntactic structure of expressions equipped with a variable binding mechanism. The importance of this study can be justified for various reasons, e.g. educational, scientific and engineering reasons. This study is educationally important since in logic a ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
There is growing interest in the study of the syntactic structure of expressions equipped with a variable binding mechanism. The importance of this study can be justified for various reasons, e.g. educational, scientific and engineering reasons. This study is educationally important since in logic and computer science, we cannot avoid teaching the
Formal metatheory of programming languages in the Matita interactive theorem prover
 Journal of Automated Reasoning: Special Issue on the Poplmark Challenge. Published online
, 2011
"... Abstract. This paper is a report about the use of Matita, an interactive theorem prover under development at the University of Bologna, for the solution of the POPLmark Challenge, part 1a. We provide three different formalizations, including two direct solutions using pure de Bruijn and locally name ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This paper is a report about the use of Matita, an interactive theorem prover under development at the University of Bologna, for the solution of the POPLmark Challenge, part 1a. We provide three different formalizations, including two direct solutions using pure de Bruijn and locally nameless encodings of bound variables, and a formalization using named variables, obtained by means of a sound translation to the locally nameless encoding. According to this experience, we also discuss some of the proof principles used in our solutions, which have led to the development of a generalized inversion tactic for Matita. 1.