On the Observable Properties of Higher Order Functions that Dynamically Create Local Names (preliminary report)
In Mathematical Foundations of Computer Science, Proc. 18th Int. Symp., 1993
Cited by 119 (13 self)
The research reported in this paper is concerned with the problem of reasoning about properties of higher order functions involving state. It is motivated by the desire to identify what, if any, are the difficulties created purely by locality of state, independent of other properties such as side-effects, exceptional termination and non-termination due to recursion. We consider a simple language (equivalent to a fragment of Standard ML) of typed, higher order functions that can dynamically create fresh names. Names are created with local scope, can be tested for equality and can be passed around via function application, but that is all. We demonstrate
Semantics of Types for Mutable State
2004
Cited by 55 (5 self)
Proof-carrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of low-level typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, low-level type systems by providing machine-checkable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higher-order logic. I also show how to construct an indexed possible-worlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a full-fledged low-level typed assembly language. Finally, I present a semantic model for a region calculus that supports type-invariant references as well as memory reuse.
Metatheory and Reflection in Theorem Proving: A Survey and Critique
1995
Cited by 53 (2 self)
One way to ensure correctness of the inference performed by computer theorem provers is to force all proofs to be done step by step in a simple, more or less traditional, deductive system. Using techniques pioneered in Edinburgh LCF, this can be made palatable. However, some believe such an approach will never be efficient enough for large, complex proofs. One alternative, commonly called reflection, is to analyze proofs using a second layer of logic, a metalogic, and so justify abbreviating or simplifying proofs, making the kinds of shortcuts humans often do or appealing to specialized decision algorithms. In this paper we contrast the fully-expansive LCF approach with the use of reflection. We put forward arguments to suggest that the inadequacy of the LCF approach has not been adequately demonstrated, and neither has the practical utility of reflection (notwithstanding its undoubted intellectual interest). The LCF system with which we are most concerned is the HOL proof ...
A Variable Typed Logic of Effects
Information and Computation, 1993
Cited by 48 (12 self)
In this paper we introduce a variable typed logic of effects inspired by the variable type systems of Feferman for purely functional languages. VTLoE (Variable Typed Logic of Effects) is introduced in two stages. The first stage is the first-order theory of individuals built on assertions of equality (operational equivalence à la Plotkin), and contextual assertions. The second stage extends the logic to include classes and class membership. The logic we present provides an expressive language for defining and studying properties of programs, including program equivalences, in a uniform framework. The logic combines the features and benefits of equational calculi as well as program and specification logics. In addition to the usual first-order formula constructions, we add contextual assertions. Contextual assertions generalize Hoare's triples in that they can be nested, used as assumptions, and their free variables may be quantified. They are similar in spirit to program modalities in ...
Compilation and Equivalence of Imperative Objects
1998
Cited by 34 (4 self)
We adopt the untyped imperative object calculus of Abadi and Cardelli as a minimal setting in which to study problems of compilation and program equivalence that arise when compiling object-oriented languages. We present both a big-step and a small-step substitution-based operational semantics for the calculus. Our first two results are theorems asserting the equivalence of our substitution-based semantics with a closure-based semantics like that given by Abadi and Cardelli. Our third result is a direct proof of the correctness of compilation to a stack-based abstract machine via a small-step decompilation algorithm. Our fourth result is that contextual equivalence of objects coincides with a form of Mason and Talcott's CIU equivalence; the latter provides a tractable means of establishing operational equivalences. Finally, we prove correct an algorithm, used in our prototype compiler, for statically resolving method offsets. This is the first study of correctness of an object-oriented abstract machine, and of operational equivalence for the imperative object calculus.
Logical reasoning for higher-order functions with local state
In Foundations of Software Science and Computation Structure
Cited by 13 (4 self)
We introduce an extension of Hoare logic for call-by-value higher-order functions with ML-like local reference generation. Local references may be generated dynamically and exported outside their scope, may store higher-order functions and may be used to construct complex mutable data structures. This primitive is captured logically using a predicate asserting reachability of a reference name from a possibly higher-order datum and quantifiers over hidden references. We explore the logic's descriptive and reasoning power with non-trivial programming examples combining higher-order procedures and dynamically generated local state. Axioms for reachability and local invariants play a central role in reasoning about the examples.
A Theory of Classes for a Functional Language with Effects
In Proceedings of CSL92, volume 702 of Lecture Notes in Computer Science, 1993
Cited by 7 (6 self)
In this paper we introduce a variable typed logic of effects (i.e. a logic of effects where classes can be defined and quantified over) inspired by the variable type systems of Feferman [3, 4] for purely functional languages. A similar extension incorporating non-local control operations was introduced in [27]. The logic we present provides an expressive language for defining specifications and constraints and for studying properties and program equivalences, in a uniform framework. Thus it has an advantage over a plethora of systems in the literature that aim to capture solitary aspects of computation. The theory also allows for the construction of inductively defined sets and derivation of the corresponding induction principles. Classes can be used to express, inter alia, the non-expansiveness of terms [29]. Other effects can also be represented within the system. These include read/write effects and various forms of interference [24]. The first order fragment is described in [16], where it is used to resolve the denotationally problematic examples of [17]. In our language atoms, references and lambda abstractions are all first class values and as such are storable. This has several consequences. Firstly, mutation and variable binding are separate and so we avoid the problems that typically arise (e.g. in Hoare's and dynamic logic) from the conflation of program variables and logical variables. Secondly, the equality and sharing of references (aliasing) is easily expressed and reasoned about. Thirdly, the combination of mutable references and lambda abstractions allows us to study object based programming within our framework. Our atomic formulas express the (operational or observational) equivalence of programs à la Plotkin [23]. Neither Hoare's logic nor Dynamic logi...
Names, Equations, Relations: Practical Ways to Reason about new
1996
Cited by 6 (0 self)
The nu-calculus of Pitts and Stark is a typed lambda-calculus, extended with state in the form of dynamically-generated names. These names can be created locally, passed around, and compared with one another. Through the interaction between names and functions, the language can capture notions of scope, visibility and sharing. Originally motivated by the study of references in Standard ML, the nu-calculus has connections to other kinds of local declaration, and to the mobile processes of the π-calculus. This