Results 1  10
of
103
Nominal techniques in Isabelle/HOL
 Proceedings of the 20th International Conference on Automated Deduction (CADE20
, 2005
"... Abstract. In this paper we define an inductive set that is bijective with the ffequated lambdaterms. Unlike deBruijn indices, however, our inductive definition includes names and reasoning about this definition is very similar to informal reasoning on paper. For this we provide a structural induc ..."
Abstract

Cited by 80 (12 self)
 Add to MetaCart
Abstract. In this paper we define an inductive set that is bijective with the ffequated lambdaterms. Unlike deBruijn indices, however, our inductive definition includes names and reasoning about this definition is very similar to informal reasoning on paper. For this we provide a structural induction principle that requires to prove the lambdacase for fresh binders only. The main technical novelty of this work is that it is compatible with the axiomofchoice (unlike earlier nominal logic work by Pitts et al); thus we were able to implement all results in Isabelle/HOL and use them to formalise the standard proofs for ChurchRosser and strongnormalisation. Keywords. Lambdacalculus, nominal logic, structural induction, theoremassistants.
Gradual typing for objects
 In ECOOP 2007, volume 4609 of LCNS
, 2007
"... Abstract. Static and dynamic type systems have wellknown strengths and weaknesses. In previous work we developed a gradual type system for a functional calculus named λ? →. Gradual typing provides the benefits of both static and dynamic checking in a single language by allowing the programmer to co ..."
Abstract

Cited by 46 (8 self)
 Add to MetaCart
Abstract. Static and dynamic type systems have wellknown strengths and weaknesses. In previous work we developed a gradual type system for a functional calculus named λ? →. Gradual typing provides the benefits of both static and dynamic checking in a single language by allowing the programmer to control whether a portion of the program is type checked at compiletime or runtime by adding or removing type annotations on variables. Several objectoriented scripting languages are preparing to add static checking. To support that work this paper develops Ob? <:, a gradual type system for objectbased languages, extending the Ob<: calculus of Abadi and Cardelli. Our primary contribution is to show that gradual typing and subtyping are orthogonal and can be combined in a principled fashion. We also develop a smallstep semantics, provide a machinechecked proof of type safety, and improve the space efficiency of higherorder casts. 1
Alphastructural recursion and induction
 Journal of the ACM
, 2006
"... The nominal approach to abstract syntax deals with the issues of bound names and αequivalence by considering constructions and properties that are invariant with respect to permuting names. The use of permutations gives rise to an attractively simple formalisation of common, but often technically i ..."
Abstract

Cited by 44 (6 self)
 Add to MetaCart
The nominal approach to abstract syntax deals with the issues of bound names and αequivalence by considering constructions and properties that are invariant with respect to permuting names. The use of permutations gives rise to an attractively simple formalisation of common, but often technically incorrect uses of structural recursion and induction for abstract syntax modulo αequivalence. At the heart of this approach is the notion of finitely supported mathematical objects. This paper explains the idea in as concrete a way as possible and gives a new derivation within higherorder logic of principles of αstructural recursion and induction for αequivalence classes from the ordinary versions of these principles for abstract syntax trees.
Ott: Effective tool support for the working semanticist
 PROC. ICFP
, 2007
"... It is rare to give a semantic definition of a fullscale programming language, despite the many potential benefits. Partly this is because the available metalanguages for expressing semantics  usually either LATEX for informal mathematics, or the formal mathematics of a proof assistant  make it ..."
Abstract

Cited by 42 (4 self)
 Add to MetaCart
It is rare to give a semantic definition of a fullscale programming language, despite the many potential benefits. Partly this is because the available metalanguages for expressing semantics  usually either LATEX for informal mathematics, or the formal mathematics of a proof assistant  make it much harder than necessary to work with large definitions. We present a metalanguage specifically designed for this problem, and a tool,
A certified lightweight noninterference java bytecode verifier
 European Symposium on Programming, Lecture Notes in Computer Science
, 2007
"... Abstract. Noninterference is a semantical condition on programs that guarantees the absence of illicit information flow throughout their execution, and that can be enforced by appropriate information flow type systems. Much of previous work on type systems for noninterference has focused on calcul ..."
Abstract

Cited by 25 (7 self)
 Add to MetaCart
Abstract. Noninterference is a semantical condition on programs that guarantees the absence of illicit information flow throughout their execution, and that can be enforced by appropriate information flow type systems. Much of previous work on type systems for noninterference has focused on calculi or highlevel programming languages, and existing type systems for lowlevel languages typically omit objects, exceptions, and method calls, and/or do not prove formally the soundness of the type system. We define an information flow type system for a sequential JVMlike language that includes classes, objects, arrays, exceptions and method calls, and prove that it guarantees noninterference. For increased confidence, we have formalized the proof in the proof assistant Coq; an additional benefit of the formalization is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to our best knowledge, the first sound and implemented information flow type system for such an expressive fragment of the JVM. 1
The Abella interactive theorem prover (system description
 In Fourth International Joint Conference on Automated Reasoning
, 2008
"... Abella [3] is an interactive system for reasoning about aspects of object languages that have been formally presented through recursive rules based on syntactic structure. Abella utilizes a twolevel logic approach to specification and reasoning. One level is defined by a specification logic which s ..."
Abstract

Cited by 24 (4 self)
 Add to MetaCart
Abella [3] is an interactive system for reasoning about aspects of object languages that have been formally presented through recursive rules based on syntactic structure. Abella utilizes a twolevel logic approach to specification and reasoning. One level is defined by a specification logic which supports a transparent
Barendregt’s variable convention in rule inductions
 In Proc. of the 21th International Conference on Automated Deduction (CADE), volume 4603 of LNAI
, 2007
"... Abstract. Inductive definitions and rule inductions are two fundamental reasoning tools in logic and computer science. When inductive definitions involve binders, then Barendregt's variable convention is nearly always employed (explicitly or implicitly) in order to obtain simple proofs. Using this c ..."
Abstract

Cited by 20 (8 self)
 Add to MetaCart
Abstract. Inductive definitions and rule inductions are two fundamental reasoning tools in logic and computer science. When inductive definitions involve binders, then Barendregt's variable convention is nearly always employed (explicitly or implicitly) in order to obtain simple proofs. Using this convention, one does not consider truly arbitrary bound names, as required by the rule induction principle, but rather bound names about which various freshness assumptions are made. Unfortunately, neither Barendregt nor others give a formal justification for the variable convention, which makes it hard to formalise such proofs. In this paper we identify conditions an inductive definition has to satisfy so that a form of the variable convention can be built into the rule induction principle. In practice this means we come quite close to the informal reasoning of "pencilandpaper " proofs, while remaining completely formal. Our conditions also reveal circumstances in which Barendregt's variable convention is not applicable, and can even lead to faulty reasoning. 1 Introduction In informal proofs about languages that feature bound variables, one often assumes (explicitly or implicitly) a rather convenient convention about those bound variables. Barendregt's statement of the convention is: Variable Convention: If M1; : : : ; Mn occur in a certain mathematical context (e.g. definition, proof), then in these terms all bound variables are chosen to be different from the free variables. [2, Page 26]
Parametric HigherOrder Abstract Syntax for Mechanized Semantics
"... We present parametric higherorder abstract syntax (PHOAS), a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higherorder abstract syntax (HOAS), PHOAS uses the meta language’s binding constructs to represent the object language ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
We present parametric higherorder abstract syntax (PHOAS), a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higherorder abstract syntax (HOAS), PHOAS uses the meta language’s binding constructs to represent the object language’s binding constructs. Unlike HOAS, PHOAS types are definable in generalpurpose type theories that support traditional functional programming, like Coq’s Calculus of Inductive Constructions. We walk through how Coq can be used to develop certified, executable program transformations over several staticallytyped functional programming languages formalized with PHOAS; that is, each transformation has a machinechecked proof of type preservation and semantic preservation. Our examples include CPS translation and closure conversion for simplytyped lambda calculus, CPS translation for System F, and translation from a language with MLstyle pattern matching to a simpler language with no variablearity binding constructs. By avoiding the syntactic hassle associated with firstorder representation techniques, we achieve a very high degree of proof automation. Categories and Subject Descriptors F.3.1 [Logics and meanings
Scrap your Nameplate  Functional Pearl
"... Recent research has shown how boilerplate code, or repetitive code for traversing datatypes, can be eliminated using generic programming techniques already available within some implementations of Haskell. One particularly intractable kind of boilerplate is nameplate, or code having to do with names ..."
Abstract

Cited by 17 (5 self)
 Add to MetaCart
Recent research has shown how boilerplate code, or repetitive code for traversing datatypes, can be eliminated using generic programming techniques already available within some implementations of Haskell. One particularly intractable kind of boilerplate is nameplate, or code having to do with names, namebinding, and fresh name generation. One reason for the difficulty is that operations on data structures involving names, as usually implemented, are not regular instances of standard map, fold , or zip operations. However, in nominal abstract syntax, an alternative treatment of names and binding based on swapping, operations such as #equivalence, captureavoiding substitution, and free variable set functions are much betterbehaved.
Semantic subtyping with an SMT solver
, 2010
"... We study a firstorder functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and typetest (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
We study a firstorder functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and typetest (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; for example, intersection, union, negation, singleton, nullable, variant, and algebraic types are all derivable. We formulate a semantics in which expressions denote terms, and types are interpreted as firstorder logic formulas. Subtyping is defined as valid implication between the semantics of types. The formulas are interpreted in a specific model that we axiomatize using standard firstorder theories. On this basis, we present a novel typechecking algorithm able to eliminate many dynamic tests and to detect many errors statically. The key idea is to rely on an SMT solver to compute subtyping efficiently. Moreover, interpreting types as formulas allows us to call the SMT solver at runtime to compute instances of types.