Abstract. This paper illustrates the use of coinductive definitions and proofs in big-step operational semantics, enabling the latter to describe diverging evaluations in addition to terminating evaluations. We show applications to proofs of type soundness and to proofs of semantic preservation for compilers. 1

Semantics of programming languages and interactive environments for the development of proofs and programs are two important aspects of Gilles Kahn’s scientific contributions. In his paper “The semantics of a simple language for parallel programming ” [11], he proposed an interpretation of (deterministic) parallel programs (now called Kahn networks) as stream transformers based on the theory of complete partial orders (cpos). A restriction of this language to synchronous programs is the basis of the data-flow Lustre language which is used for the development of critical embedded systems [14, 10]. We present a formalization of this seminal paper in the Coq proof assistant [4, 15]. For that purpose, we developed a general library for cpos. Our cpos are defined with an explicit function computing the least upper bound (lub) of an increasing sequence of elements. This is different from what G. Kahn developed for the standard Coq library where only the existence of lubs (for arbitrary directed sets) is required, giving no way to explicitly compute a fixpoint. We define a cpo structure for the type of possibly infinite streams. It is then possible to define formally what is a Kahn network and what is its semantics, achieving the goal of having a concept closed by composition and recursion. The library is illustrated by the example taken from the original paper as well as the Sieve of Eratosthenes, an example of a dynamic network. 1

Abstract. We present four coinductive operational semantics for the While language accounting for both terminating and non-terminating program runs: big-step and small-step relational semantics and big-step and small-step functional semantics. The semantics employ traces (possibly infinite sequences of states) to record the states that program runs go through. The relational semantics relate statement-state pairs to traces, whereas the functional semantics return traces for statement-state pairs. All four semantics are equivalent. We formalize the semantics and their equivalence proofs in the constructive setting of Coq. 1

When providing a collection of constructors to define an inductive type, we actually also define a dual operation: a destructor. This destructor is always defined using the same structure of pattern-matching, so that we have a tendency to forget that we do extend the “pattern-matching ” capability with a new destructor at each definition. Constructors and destructors play a dual role in the definition of inductive types. Constructors produce elements of the inductive type, destructors consume elements of the inductive type. The inductive type itself is defined as the smallest collection of elements that is stable with respect to the constructors: it must contain all constants that are declared to be in the inductive type and all results of the constructors when the arguments of these constructors are already found to be in the inductive type. When considering structural recursion, recursive definitions are functions that consume elements of the inductive type. The discipline of structural recursion imposes that recursive calls consume data that is obtained through the destructor. The inductive type uses the constructors and destructors in a specific way. Co-inductive

Abstract. Some total languages, like Agda and Coq, allow the use of guarded corecursion to construct infinite values and proofs. Guarded corecursion is a form of recursion in which arbitrary recursive calls are allowed, as long as they are guarded by a coinductive constructor. Guardedness ensures that programs are productive, i.e. that every finite prefix of an infinite value can be computed in finite time. However, many productive programs are not guarded, and it can be nontrivial to put them in guarded form. This paper gives a method for turning a productive program into a guarded program. The method amounts to defining a problem-specific language as a data type, writing the program in the problem-specific language, and writing a guarded interpreter for this language. 1

In this article we present a method to define algebraic structure (field operations) on a representation of real numbers by coinductive streams. The field operations will be given in two algorithms (homographic and quadratic algorithm) that operate on streams of Möbius maps. The algorithms can be seen as coalgebra maps on the coalgebra of streams and hence they will be formalised as general corecursive functions. We use the machinery of Coq proof assistant for coinductive types to present the formalisation.

Higher-order logic (HOL) forms the basis of several popular interactive theorem provers. These follow the definitional approach, reducing high-level specifications to logical primitives. This also applies to the support for datatype definitions. However, the internal datatype construction used in HOL4, HOL Light, and Isabelle/HOL is fundamentally noncompositional, limiting its efficiency and flexibility, and it does not cater for codatatypes. We present a fully modular framework for constructing (co)datatypes in HOL, with support for mixed mutual and nested (co)recursion. Mixed (co)recursion enables type definitions involving both datatypes and codatatypes, such as the type of finitely branching trees of possibly infinite depth. Our framework draws heavily from category theory. The key notion is that of a rich type constructor—a functor satisfying specific properties preserved by interesting categorical operations. Our ideas are formalized in Isabelle and implemented as a new definitional package, answering a long-standing user request.

Purely inductive definitions give rise to tree-shaped values where all branches have finite depth, and purely coinductive definitions give rise to values where all branches are potentially infinite. If this is too restrictive, then an alternative is to use mixed induction and coinduction. This technique appears to be fairly unknown. The aim of this paper is to make the technique more widely known, and to present several new applications of it, including a parser combinator library which guarantees termination of parsing, and a method for combining coinductively defined inference systems with rules like transitivity. The developments presented in the paper have been formalised and checked in Agda, a dependently typed programming language and proof assistant.

One approach to Prof. Hoare’s challenge is to view the development of verified software from the perspective of interactive theorem provers. This idea is already commonly developed and many medium-scale software systems have been developed and verified in this manner. Developments based on HOL, ACL2, or PVS have already been described and advocated and our position stands on the same line: most powerful (higher-order) theorem proving systems already contain a programming language, programs can be developed and the correctness of these programs can be specified and verified, they can then be compiled into traditional executable code. In this sense, we already have a small scale example of a verification aware programming language. We propose to take advantage of the notion of “dependent types ” to ensure that this programming language combines powerful logical capabilities, reasonable expressive power, and practical linkage between computational content and logical annotations. Almost all mathematic developments contain algorithms. This imposes that