Results 1 - 10 of 14
Equivalence in Functional Languages with Effects
, 1991
Cited by 108 (13 self)
Traditionally the view has been that direct expression of control and store mechanisms and clear mathematical semantics are incompatible requirements. This paper shows that adding objects with memory to the call-by-value lambda calculus results in a language with a rich equational theory, satisfying many of the usual laws. Combined with other recent work this provides evidence that expressive, mathematically clean programming languages are indeed possible. 1. Overview Real programs have effects---creating new structures, examining and modifying existing structures, altering flow of control, etc. Such facilities are important not only for optimization, but also for communication, clarity, and simplicity in programming. Thus it is important to be able to reason both informally and formally about programs with effects, and not to sweep effects either to the side or under the store parameter rug. Recent work of Talcott, Mason, Felleisen, and Moggi establishes a mathematical foundation for...
A Variable Typed Logic of Effects
- Information and Computation
, 1993
Cited by 45 (11 self)
In this paper we introduce a variable typed logic of effects inspired by the variable type systems of Feferman for purely functional languages. VTLoE (Variable Typed Logic of Effects) is introduced in two stages. The first stage is the first-order theory of individuals built on assertions of equality (operational equivalence à la Plotkin), and contextual assertions. The second stage extends the logic to include classes and class membership. The logic we present provides an expressive language for defining and studying properties of programs including program equivalences, in a uniform framework. The logic combines the features and benefits of equational calculi as well as program and specification logics. In addition to the usual first-order formula constructions, we add contextual assertions. Contextual assertions generalize Hoare's triples in that they can be nested, used as assumptions, and their free variables may be quantified. They are similar in spirit to program modalities in ...
Semantics of Types for Mutable State
, 2004
Cited by 44 (5 self)
Proof-carrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of low-level typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, low-level type systems by providing machine-checkable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higher-order logic. I also show how to construct an indexed possible-worlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a full-fledged low-level typed assembly language. Finally, I present a semantic model for a region calculus that supports type-invariant references as well as memory reuse.
Assignments for applicative languages
- Conf. on Functional Program. Lang. and Comput. Arch
, 1991
Cited by 37 (11 self)
We propose a theoretical framework for adding assignments and dynamic data to functional languages without violating their semantic properties. This differs from semi-functional languages like Scheme and ML in that values of expressions remain static and side-effect-free. A new form of abstraction called observer is designed to encapsulate state-oriented computation from the remaining purely applicative computation. The type system ensures that observers are combined linearly, allowing an implementation in terms of a global store. The utility of this extension is in manipulating shared dynamic data embedded in data structures. Evaluation of well-typed programs is Church-Rosser. Thus, programs produce the same results whether an eager or lazy evaluation order is used (assuming termination). A simple, sound logic permits reasoning about well-typed programs. The benefits of this work include greater expressive power and efficiency (compared to applicative languages), while retaining simplicity of reasoning.
References, Local Variables and Operational Reasoning
- In Seventh Annual Symposium on Logic in Computer Science
, 1992
Cited by 26 (4 self)
this paper we regard the following as synonyms: references, program variables, pointers, locations, and unary cells) to a programming language complicates life. Adding them to the simply typed lambda calculus causes the failure of most of the nice mathematical properties and some of the more basic rules (such as j). For example strong normalization fails since it is possible, for each provably non-empty function type, to construct a Y-combinator for that type. References also interact unpleasantly with polymorphism [34, 35]. They are also troublesome from a denotational point of view as illustrated by the lack of fully abstract models. For example, in [22] Meyer and Sieber give a series of examples of programs that are operationally equivalent (according to the intended semantics of block-structured Algol-like programs) but which are not given equivalent denotations in traditional denotational semantics. They propose various modifications to the denotational semantics which solve some of these discrepancies, but not all. In [27, 26] a denotational semantics that overcomes some of these problems is presented. However variations on the seventh example remain problematic. Since numerous proof systems for Algol are sound for the denotational models in question, [8, 7, 32, 28, 16, 27, 26], these equivalences, if expressible, must be independent of these systems. The problem which motivated Meyer and Sieber's paper, [22], was to provide mathematical justification for the informal but convincing proofs of the operational equivalence of their examples. In this paper we approach the same problem, but from an operational rather than denotational perspective. This paper accomplishes two goals. Firstly, we present the first-order part of a new logic for reasoning about programs....
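The abstract's remark that a single reference is enough to build a Y-combinator at any inhabited function type (and so to lose strong normalization) is easiest to see in code. The following is an added example, not code from the paper: a reference cell is modelled as a one-element list, the names ref/deref/assign for the store operations and fix/placeholder for the knot are chosen here, and Python's RecursionError is used as the observable sign that a term has no normal form.

```python
# Added example, not code from the paper: one mutable reference is enough to
# build a fixed-point combinator ("Landin's knot"), so a typed language with
# references admits non-terminating terms and strong normalisation fails.
# A cell is modelled as a one-element list; ref/deref/assign are names
# chosen here for the three store operations.
from typing import Callable, TypeVar

A = TypeVar("A")
B = TypeVar("B")
Fn = Callable[[A], B]


def ref(value):
    """Allocate a fresh cell holding `value`."""
    return [value]


def deref(cell):
    return cell[0]


def assign(cell, value):
    cell[0] = value


def fix(f: Callable[[Fn], Fn], placeholder: Fn) -> Fn:
    """Fixed point of f at an inhabited function type A -> B.

    `placeholder` is any inhabitant of A -> B; the paper's "provably
    non-empty" condition is exactly the requirement that such an initial
    value exists. It is overwritten before the returned function can
    reach it, so its behaviour never matters."""
    cell = ref(placeholder)
    # The recursive reference goes through the store: the body re-reads the
    # cell on every call, so it sees the value assigned after allocation.
    assign(cell, lambda x: f(lambda y: deref(cell)(y))(x))
    return lambda x: deref(cell)(x)


def factorial_via_store(n: int) -> int:
    """Recursion obtained without any recursive definition or Y term."""
    fact = fix(lambda self: lambda k: 1 if k == 0 else k * self(k - 1),
               placeholder=lambda k: 0)
    return fact(n)


def diverges(thunk: Callable[[], object]) -> bool:
    """True if running `thunk` never reaches a normal form. Python reports
    unbounded recursion as RecursionError, which is the observable symptom
    of a non-normalising term in this encoding."""
    try:
        thunk()
    except RecursionError:
        return True
    return False


def omega_diverges() -> bool:
    """fix(lambda self: self) at type int -> int: every call re-reads the
    cell and calls itself again, so the term has no normal form."""
    loop = fix(lambda self: lambda k: self(k), placeholder=lambda k: 0)
    return diverges(lambda: loop(0))


if __name__ == "__main__":
    print(factorial_via_store(5))   # 120
    print(omega_diverges())         # True
```

Nothing in the text of `fix` is recursive; the cycle exists only in the store, which is why syntactic reasoning (and a type system that guarantees termination for the pure calculus) no longer sees it. The same shape, a callable read out of memory at call time, is what makes a function pointer or dispatch slot in the heap both a reasoning hazard and a target for control-flow hijacking: the control flow is not in the program text.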
Objects and classes in Algol-like languages
- Information and Computation
, 2002
Cited by 22 (5 self)
Many object-oriented languages used in practice descend from Algol. With this motivation, we study the theoretical issues underlying such languages via the theory of Algol-like languages. It is shown that the basic framework of this theory extends cleanly and elegantly to the concepts of objects and classes. An important idea that comes to light is that classes are abstract data types, whose theory corresponds to that of existential types. Equational and Hoare-like reasoning methods, and relational parametricity provide powerful formal tools for reasoning about Algol-like object-oriented programs.
M-LISP: A Representation-Independent Dialect of LISP with Reduction Semantics
- ACM Transactions on Programming Languages and Systems
, 1992
Cited by 21 (2 self)
In this paper we introduce M-LISP, a simple new dialect of LISP which is designed with an eye toward reconciling LISP's metalinguistic power with the structural style of operational semantics advocated by Plotkin [Plo75]. We begin by reviewing the original definition of LISP [McC61] in an attempt to clarify the source of its metalinguistic power. We find that it arises from a problematic clause in this definition. We then define the abstract syntax and operational semantics of M-LISP, essentially a hybrid of M-expression LISP and Scheme. Next, we tie the operational semantics to the corresponding equational logic. As usual, provable equality in the logic implies operational equality. Having established this framework we then extend M-LISP with the metalinguistic eval and reify operators (the latter is a non-strict operator which converts its argument to its metalanguage representation.) These operators encapsulate the metalinguistic representation conversions that occur globall...
A Complete Transformational Toolkit for Compilers
- ACM Transactions on Programming Languages and Systems
, 1996
Cited by 21 (9 self)
In an earlier paper, one of the present authors presented a preliminary account of an equational logic called PIM. PIM is intended to function as a "transformational toolkit" to be used by compilers and analysis tools for imperative languages, and has been applied to such problems as program slicing, symbolic evaluation, conditional constant propagation, and dependence analysis. PIM consists of the untyped lambda calculus extended with an algebraic rewriting system that characterizes the behavior of lazy stores and generalized conditionals. A major question left open in the earlier paper was whether there existed a complete equational axiomatization of PIM's semantics. In this paper, we answer this question in the affirmative for PIM's core algebraic component, PIM_t, under the assumption of certain reasonable restrictions on term formation. We systematically derive the complete PIM logic as the culmination of a sequence of increasingly powerful equational systems starti...
Reasoning about Programs with Effects
, 1990
Cited by 11 (6 self)
Abstract objects exhibit the non-inheritance aspects of object-oriented programming. An abstract object is a function with local store. Abstract objects provide a means of encapsulating features of a structure and controlling access to that structure. The idea is that the local store can only be changed by sending a message to the object. The operations on the encapsulated structure are determined by the messages accepted by the object. We illustrate these ideas for the special case of accumulators. An accumulator object accumulates a sequence of the things sent to it (via a !put; x? message) and responds to a !get? message by returning the sequence collected. If mkac(y) creates an accumulator object with initial contents the elements of y, then it must satisfy the following three laws:

Specification (Accumulator behavior):

(put)  let{a := mkac(y)} seq(a(!put; x?), e)  ≃  let{a := mkac(append(y, cons(x, Nil)))} e

(get)  let{a := mkac(y)} let{z := a(!get?)} e  ≃  let{a := mkac(...
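The accumulator specification above can be exercised directly: an object is a closure over its local store, messages are the only way in, and the laws are checked by running both sides under an observing context. This is an added example, not code from the paper. `mkac`, put, get and the let/seq reading of the laws come from the abstract; encoding messages as tuples, the names holds_put_law, holds_get_law and store_is_encapsulated, and the right-hand side assumed for the (get) law (which is cut off on the page) are choices made here.

```python
# Added example, not code from the paper: an accumulator as a function with
# local store, plus observational checks of the (put) and (get) laws quoted
# above. `mkac`, put, get and the let/seq reading of the laws come from the
# abstract; encoding messages as tuples and the names holds_put_law,
# holds_get_law and store_is_encapsulated are choices made here.
from typing import Any, Callable, Iterable, List, Tuple

Message = Tuple[Any, ...]        # ("put", x) or ("get",)
Obj = Callable[[Message], Any]   # an object is a function from messages to results


def mkac(y: Iterable[Any]) -> Obj:
    """Accumulator whose initial contents are the elements of y.

    `store` is the object's local store: captured by the closure and never
    handed out, so it can only change by sending the object a put message."""
    store: List[Any] = list(y)

    def accumulator(msg: Message) -> Any:
        if len(msg) == 2 and msg[0] == "put":
            store.append(msg[1])
            return None
        if msg == ("get",):
            # Return a copy. Returning `store` itself would let a caller
            # mutate the local store without a message, which is exactly the
            # access the encapsulation is meant to rule out.
            return list(store)
        raise ValueError(f"message not accepted: {msg!r}")

    return accumulator


def holds_put_law(y: List[Any], x: Any, e: Callable[[Obj], Any]) -> bool:
    """(put): let{a := mkac(y)} seq(a(put x), e) ≃ let{a := mkac(append(y, [x]))} e,
    checked for one observing context e (a function of the object a)."""
    a_left = mkac(y)
    a_left(("put", x))          # seq: perform the put, discard its result
    lhs = e(a_left)
    a_right = mkac(list(y) + [x])
    rhs = e(a_right)
    return lhs == rhs


def holds_get_law(y: List[Any], e: Callable[[Obj, Any], Any]) -> bool:
    """(get): let{a := mkac(y)} let{z := a(get)} e. The right-hand side is cut
    off on the page; the reading checked here (an assumption) is that z is
    the current contents and the query leaves the object's state unchanged,
    i.e. e(a, z) agrees with e run on a fresh mkac(y) with z := y."""
    a = mkac(y)
    z = a(("get",))
    return z == list(y) and e(a, z) == e(mkac(y), list(y))


def store_is_encapsulated() -> bool:
    """A caller who mutates the value returned by get must not affect the
    object: the only way to change the store is a put message."""
    a = mkac([1])
    leaked = a(("get",))
    leaked.append(99)
    return a(("get",)) == [1]


def demo() -> dict:
    observe = lambda a: a(("get",))
    return {
        "put": holds_put_law([1, 2], 3, observe),
        "get": holds_get_law(["a", "b"], lambda a, z: (a(("get",)), z)),
        "encapsulated": store_is_encapsulated(),
    }


if __name__ == "__main__":
    print(demo())   # {'put': True, 'get': True, 'encapsulated': True}
```

The copy in the get branch is the part a practitioner should not skip: if the object handed out its internal list, a context could append to it without sending a message, the (put) law would no longer hold for that context, and the "local store can only be changed by sending a message" guarantee the abstract rests on would be gone. Checking the laws under an observing context, rather than by inspecting the store, is the operational-equivalence discipline these papers use.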
A Theory of Classes for a Functional Language with Effects
- In Proceedings of CSL92, volume 702 of Lecture Notes in Computer Science
, 1993
Cited by 7 (6 self)
this paper we introduce a variable typed logic of effects (i.e. a logic of effects where classes can be defined and quantified over) inspired by the variable type systems of Feferman [3, 4] for purely functional languages. A similar extension incorporating non-local control operations was introduced in [27]. The logic we present provides an expressive language for defining specifications and constraints and for studying properties and program equivalences, in a uniform framework. Thus it has an advantage over a plethora of systems in the literature that aim to capture solitary aspects of computation. The theory also allows for the construction of inductively defined sets and derivation of the corresponding induction principles. Classes can be used to express, inter alia, the non-expansiveness of terms [29]. Other effects can also be represented within the system. These include read/write effects and various forms of interference [24]. The first order fragment is described in [16] where it is used to resolve the denotationally problematic examples of [17]. In our language atoms, references and lambda abstractions are all first class values and as such are storable. This has several consequences. Firstly, mutation and variable binding are separate and so we avoid the problems that typically arise (e.g. in Hoare's and dynamic logic) from the conflation of program variables and logical variables. Secondly, the equality and sharing of references (aliasing) is easily expressed and reasoned about. Thirdly, the combination of mutable references and lambda abstractions allows us to study object based programming within our framework. Our atomic formulas express the (operational or observational) equivalence of programs à la Plotkin [23]. Neither Hoare's logic nor Dynamic logi...