We present a foundation for a computational meta-theory of languages with bindings implemented in a computer-aided formal reasoning environment. Our theory provides the ability to reason abstractly about operators, languages, open-ended languages, classes of languages, etc. The theory is based on the ideas of higher-order abstract syntax, with an appropriate induction principle parameterized over the language (i.e. a set of operators) being used. In our approach, both the bound and free variables are treated uniformly and this uniform treatment extends naturally to variable-length bindings. The implementation is reflective, namely there is a natural mapping between the meta-language of the theorem-prover and the object language of our theory. The object language substitution operation is mapped to the meta-language substitution and does not need to be defined recursively. Our approach does not require designing a custom type theory; in this paper we describe the implementation of this foundational theory within a general-purpose type theory. This work is fully implemented in the MetaPRL theorem prover, using the pre-existing NuPRL-like MartinL of-style computational type theory. Based on this implementation, we lay out an outline for a framework for programming language experimentation and exploration as well as a general reflective reasoning framework. This paper also includes a short survey of the existing approaches to syntactic reflection. 1

This paper describes the HW-Hume level of the novel Hume language. HW-Hume is the simplest subset of Hume that we have identified. It provides strong formal properties but posseses limited abstraction capabilities. In this paper, we introduce HW-Hume, show some simple example programs, describe an eÆcient software implementation, and demonstrate how important properties can be exposed as part of an integrated formally-based verification approach.

ReFLect [4] is a functional programming language designed and implemented at Intel’s Strategic CAD Labs under the direction of Jim Grundy. The language is strongly typed and similar to ML, but provides certain reflection features intended for applications in industrial hardware design and verification. Like LISP, reFLect has quotation and antiquotation constructs that may be used to construct and decompose expressions in the language itself. Unlike LISP, these mechanisms are typed. The language also provides a primitive mechanism for pattern-matching, and in particular for defining functions over code by pattern-matching on the structure of reFLect expressions. The design of reFLect draws on the experience of applying an earlier reflective language called FL [1] to large-scale formal verification problems within Intel’s Forte framework [8]. One of the intended roles of reFLect is to be the host language for a functional HDL. As with other work based on Haskell [2, 7] or LISP [5, 6], a key requirement is the ability to simulate hardware models by program execution. Circuit descriptions are just functional programs, which we can simply run to simulate the circuits on test case inputs. But in addition to this simulation capability, we also wish to execute various operations on the abstract syntax of circuit descriptions written in the language. We want to be able to write programs that ‘see ’ the code of a circuit description.

Abstract. Forte is a formal verification system developed by Intel’s Strategic CAD Labs for applications in hardware design and verification. Forte integrates model checking and theorem proving within a functional programming language, which both serves as an extensible specification language and allows the system to be scripted and customized. The latest version of this language, called reFLect, has quotation and antiquotation constructs that build and decompose expressions in the language itself. This provides combination of pattern-matching and reflection features tailored especially for the Forte approach to verification. This short paper is an abstract of an invited presentation given at the International Conference on Integrated Formal Methods in 2004, in which the philosophy and architecture of the Forte system are described and an account is given of the role of reFLect in the system. 1 The Forte Verification Environment Forte [17] is a formal verification environment that has been very effective on

Abstract. Effective formal verification tools require that robust implementations of automatic procedures for first-order logic and satisfiability modulo theories be integrated into expressive interactive frameworks for logical deduction, such as higher-order logic

Abstract. Hume is a novel language in the functional tradition, strongly oriented to systems requiring strong guarantees that resource bounds are met. To facilitate resource assurance, Hume enforces a separation of coordination and computation concerns, and deploys an abstract machine intermediary between implementations and analyses. These core design decisions also enable a high degree of portability across architectures and suit Hume well to multi-processor implementations. This papers machines. Initial results from experimental implementations are discussed and the design of a novel FPGA architecture tailored to Hume coordination is presented. Keywords: FPGA; embedded system; Hume. 1

Abstract: This paper focuses on the important, but tricky, problem of determining provably correct program properties automatically from program source. We describe a novel approach to constructing correct low-level programs. By using modern, full-spectrum dependent types, we are able to give an explicit and checkable link between the low-level program and its high-level meaning. Our approach closely links programming and theorem proving in that a type correct program is a constructive proof that the program meets its specification. It goes beyond typical model-checking approaches, that are commonly used to check formal properties of low-level programs, by building proofs over abstractions of properties. In this way, we avoid the state-space explosion problem that bedevils model-checking solutions. We are also able to consider properties over potentially infinite domains and determine properties for potentially infinite programs. We illustrate our approach by implementing a carry-ripple adder for binary numbers.

This paper presents several technical results concerning the operational semantics of the reflective functional programming language reFLect, currently being developed at Intel [7]. The design of reFLect...

In efforts to overcome the complexity of the syntax and the lack of formal semantics of conventional hardware description languages, a number of functional hardware description languages have been developed. Like conventional hardware description languages, however, functional hardware description languages eventually convert all source programs into netlists, which describe wire connections in hardware circuits at the lowest level and conceal all high-level descriptions written into source programs. We develop a variant of the lambda calculus, called lλ (linear lambda), which may serve as a high-level substitute for netlists. In order to support higher-order functions, lλ uses a linear type system which enforces the linear use of variables of function type. The translation of lλ into structural descriptions of hardware circuits is sound and complete in the sense that it maps expressions only to realizable hardware circuits and that every realizable hardware circuit has a corresponding expression in lλ. To illustrate the use of lλ as a high-level substitute for netlists, we design a simple hardware description language that extends lλ with polymorphism, and use it to implement a Fast Fourier Transform circuit.

Abstract. General purpose functional languages such as Haskell, have been widely used as host languages for the embedding of domain specific languages. In particular, various hardware description languages have been successfully embedded in Haskell and other functional languages. More recently, meta-programming languages have also started being used for the embedding of such languages, where the meta-language features allow us to access the structure of data objects in a shallow-style embedding, while retaining the characteristics of a deep-embedding. In this paper, we discuss the application of meta-functional languages for the embedding of a hardware description language, based on reFLect, a functional meta-language which provides an alternative approach for embedding a hardware description language by means of built-in reflection features. Through the use of code quotation and pattern matching, we use reFLect to build a framework through which we can access the structure of our circuits by means of reflection. 1