Nominal Inversion Principles
Abstract

Cited by 8 (2 self)
When reasoning about inductively defined predicates, such as typing judgements or reduction relations, proofs are often done by a case analysis on the last rule of a derivation. In HOL and other formal frameworks this case analysis involves solving equational constraints on the arguments of the inductively defined predicates. This is well-understood when the arguments consist of variables and injective term-constructors. However, when alpha-equivalence classes are involved, that is when term-constructors are not injective, these equational constraints give rise to annoying variable renamings. In this paper, we show that more convenient inversion principles can be derived where one does not have to deal with explicit variable renamings. An interesting observation is that our result relies on the fact that inductive predicates must satisfy the variable convention compatibility condition, which was introduced to justify the admissibility of Barendregt's variable convention in rule inductions.
The Logical Basis of Evaluation Order and Pattern-Matching
, 2009
"... for the degree of Doctor of Philosophy. ..."
Verified enforcement of automaton-based information release policies
CS-TR-4906, CS Dept
, 2008
Abstract

Cited by 7 (4 self)
Many organizations specify information release policies to describe the terms under which sensitive information may be released to other organizations. This paper presents a new approach for ensuring that security-critical software correctly enforces its information release policy. Our approach has two parts. First, an information release policy is specified as a security automaton written in a new language called AIR. Second, we enforce an AIR policy by translating it into an API for programs written in λAIR, a core formalism for a functional programming language. λAIR uses a novel combination of dependent, affine, and singleton types to ensure that the API is used correctly. As a consequence we can certify that programs written in λAIR meet the requirements of the original AIR policy specification.
Dependently Typed Programming with Domain-Specific Logics
SUBMITTED TO POPL '09
, 2008
Abstract

Cited by 6 (3 self)
We define a dependent programming language in which programmers can define and compute with domain-specific logics, such as an access-control logic that statically prevents unauthorized access to controlled resources. Our language permits programmers to define logics using the LF logical framework, whose notion of binding and scope facilitates the representation of the consequence relation of a logic, and to compute with logics by writing functional programs over LF terms. These functional programs can be used to compute values at run-time, and also to compute types at compile-time. In previous work, we studied a simply-typed framework for representing and computing with variable binding [LICS 2008]. In this paper, we generalize our previous type theory to account for dependently typed inference rules, which are necessary to adequately represent domain-specific logics, and we present examples of using our type theory for certified software and mechanized metatheory.
Formalizing the LLVM Intermediate Representation for Verified Program Transformations
In 39th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL)
, 2012
Abstract

Cited by 6 (4 self)
This paper presents Vellvm (verified LLVM), a framework for reasoning about programs expressed in LLVM's intermediate representation and transformations that operate on it. Vellvm provides a mechanized formal semantics of LLVM's intermediate representation, its type system, and properties of its SSA form. The framework is built using the Coq interactive theorem prover. It includes multiple operational semantics and proves relations among them to facilitate different reasoning styles and proof techniques. To validate Vellvm's design, we extract an interpreter from the Coq formal semantics that can execute programs from the LLVM test suite and thus be compared against LLVM reference implementations. To demonstrate Vellvm's practicality, we formalize and verify a previously proposed transformation that hardens C programs against spatial memory safety violations. Vellvm's tools allow us to extract a new, verified implementation of the transformation pass that plugs into the real LLVM infrastructure; its performance is competitive with the non-verified, ad-hoc original.
A Mechanized Bisimulation for the Nu-Calculus
, 2008
Abstract

Cited by 6 (3 self)
We introduce a Sumii-Pierce-Koutavas-Wand-style bisimulation for Pitts and Stark's nu-calculus, a simply-typed lambda calculus with fresh name generation. This bisimulation coincides with contextual equivalence and provides a usable and elementary method for establishing all the subtle equivalences given by Stark [11]. We also describe the formalization of soundness and of the examples in the Coq proof assistant.
Reasoning in Abella about Structural Operational Semantics Specifications
Abstract

Cited by 5 (3 self)
The approach to reasoning about structural operational semantics style specifications supported by the Abella system is discussed. This approach uses λ-tree syntax to treat object language binding and encodes binding-related properties in generic judgments. Further, object language specifications are embedded directly into the reasoning framework through recursive definitions. The treatment of binding via generic judgments implicitly enforces distinctness and atomicity in the names used for bound variables. These properties must, however, be made explicit in reasoning tasks. This objective can be achieved by allowing recursive definitions to also specify generic properties of atomic predicates. The utility of these various logical features in the Abella system is demonstrated through actual reasoning tasks. Brief comparisons with a few other logic-based approaches are also made.
Revisiting cut-elimination: One difficult proof is really a proof
RTA 2008
, 2008
Abstract

Cited by 5 (3 self)
Powerful proof techniques, such as logical relation arguments, have been developed for establishing the strong normalisation property of term-rewriting systems. The first author used such a logical relation argument to establish strong normalisation for a cut-elimination procedure in classical logic. He presented a rather complicated, but informal, proof establishing this property. The difficulties in this proof arise from a quite subtle substitution operation. We have formalised this proof in the theorem prover Isabelle/HOL using the Nominal Datatype Package, closely following the first author's PhD. In the process, we identified and resolved a gap in one central lemma and a number of smaller problems in others. We also needed to make one informal definition rigorous. We thus show that the original proof is indeed a proof and that present automated proving technology is adequate for formalising such difficult proofs.
Typed self-representation
In PLDI
, 2009
Abstract

Cited by 5 (0 self)
Self-representation, the ability to represent programs in their own language, has important applications in reflective languages and many other domains of programming language design. Although approaches to designing typed program representations for sublanguages of some base language have become quite popular recently, the question whether a fully meta-circular typed self-representation is possible is still open. This paper makes a big step towards this aim by defining the F*ω calculus, an extension of the higher-order polymorphic lambda calculus Fω that allows typed self-representations. While the usability of these representations for metaprogramming is still limited, we believe that our approach makes a significant step towards a new generation of reflective languages that are both safe and efficient.