Results 1  10
of
18
Mechanized metatheory for the masses: The POPLmark challenge
 In Theorem Proving in Higher Order Logics: 18th International Conference, number 3603 in LNCS
, 2005
"... Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambdacalculus with se ..."
Abstract

Cited by 161 (14 self)
 Add to MetaCart
(Show Context)
Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambdacalculus with secondorder polymorphism, subtyping, and records, these benchmarks embody many aspects of programming languages that are challenging to formalize: variable binding at both the term and type levels, syntactic forms with variable numbers of components (including binders), and proofs demanding complex induction principles. We hope that these benchmarks will help clarify the current state of the art, provide a basis for comparing competing technologies, and motivate further research. 1
C formalised in HOL
, 1998
"... We present a formal semantics of the C programming language, covering both the type system and the dynamic behaviour of programs. The semantics is wideranging, covering most of the language, with its most significant omission being the C library. Using a structural operational semantics we specify ..."
Abstract

Cited by 86 (9 self)
 Add to MetaCart
(Show Context)
We present a formal semantics of the C programming language, covering both the type system and the dynamic behaviour of programs. The semantics is wideranging, covering most of the language, with its most significant omission being the C library. Using a structural operational semantics we specify transition relations for C's expressions, statements and declarations in higher order logic.
Mechanizing the metatheory of Standard ML
, 2007
"... We present an internal language with equivalent expressive power to Standard ML, and discuss its formalization in LF and the machinechecked verification of its type safety in Twelf. The internal language is intended to serve as the target of elaboration in an elaborative semantics for Standard ML ..."
Abstract

Cited by 80 (11 self)
 Add to MetaCart
We present an internal language with equivalent expressive power to Standard ML, and discuss its formalization in LF and the machinechecked verification of its type safety in Twelf. The internal language is intended to serve as the target of elaboration in an elaborative semantics for Standard ML in the style of Harper and Stone. Therefore, it includes all the programming mechanisms necessary to implement Standard ML, including translucent modules, abstraction, polymorphism, higher kinds, references, exceptions, recursive types, and recursive functions. Our successful formalization of the proof involved a careful interplay between the precise formulations of the various mechanisms, and required the invention of new representation and proof techniques of general interest.
Formalizing the LLVM Intermediate Representation for Verified Program Transformations
 In 39th ACM SIGACTSIGPLAN Symposium on Principles of Programming Languages (POPL
, 2012
"... This paper presents Vellvm (verified LLVM), a framework for reasoning about programs expressed in LLVM’s intermediate representation and transformations that operate on it. Vellvm provides a mechanized formal semantics of LLVM’s intermediate representation, its type system, and properties of its SSA ..."
Abstract

Cited by 26 (9 self)
 Add to MetaCart
(Show Context)
This paper presents Vellvm (verified LLVM), a framework for reasoning about programs expressed in LLVM’s intermediate representation and transformations that operate on it. Vellvm provides a mechanized formal semantics of LLVM’s intermediate representation, its type system, and properties of its SSA form. The framework is built using the Coq interactive theorem prover. It includes multiple operational semantics and proves relations among them to facilitate different reasoning styles and proof techniques. To validate Vellvm’s design, we extract an interpreter from the Coq formal semantics that can execute programs from LLVM test suite and thus be compared against LLVM reference implementations. To demonstrate Vellvm’s practicality, we formalize and verify a previously proposed transformation that hardens C programs against spatial memory safety violations. Vellvm’s tools allow us to extract a new, verified implementation of the transformation pass that plugs into the real LLVM infrastructure; its performance is competitive with the nonverified, adhoc original. Categories and Subject Descriptors D.2.4 [Software Engineering]:
Efficiency in a FullyExpansive Theorem Prover
, 1993
"... The HOL system is a fullyexpansive theorem prover: Proofs generated in the system are composed of applications of the primitive inference rules of the underlying logic. This has two main advantages. First, the soundness of the system depends only on the implementations of the primitive rules. Secon ..."
Abstract

Cited by 26 (1 self)
 Add to MetaCart
The HOL system is a fullyexpansive theorem prover: Proofs generated in the system are composed of applications of the primitive inference rules of the underlying logic. This has two main advantages. First, the soundness of the system depends only on the implementations of the primitive rules. Second, users can be given the freedom to write their own proof procedures without the risk of making the system unsound. A full functional programming language is provided for this purpose. The disadvantage with the approach is that performance is compromised. This is partly due to the inherent cost of fully expanding a proof but, as demonstrated in this thesis, much of the observed inefficiency is due to the way the derived proof procedures are written. This thesis seeks to identify sources of noninherent inefficiency in the HOL system and proposes some generalpurpose and some specialised techniques for eliminating it. One area that seems to be particularly amenable to optimisation is equational reasoning. This is significant because equational reasoning constitutes large portions of many proofs. A number of techniques are proposed that transparently optimise equational reasoning. Existing programs in the HOL system require little or no modification to work faster. The other major contribution of this thesis is a framework in which part of the computation involved in HOL proofs can be postponed. This enables users to make better use of their time. The technique exploits a form of lazy evaluation. The critical feature is the separation of the code that generates the structure of a theorem from the code that justifies it logically. Delaying the justification allows some nonlocal optimisations to be performed in equational reasoning. None of the techniques sacrifice the securit...
A sound semantics for OCamllight
 In: Programming Languages and Systems, 17th European Symposium on Programming, ESOP 2008, Lecture Notes in Computer Science
, 2008
"... Abstract. Few programming languages have a mathematically rigorous definition or metatheory—in part because they are perceived as too large and complex to work with. This paper demonstrates the feasibility of such undertakings: we formalize a substantial portion of the semantics of Objective Caml’s ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Few programming languages have a mathematically rigorous definition or metatheory—in part because they are perceived as too large and complex to work with. This paper demonstrates the feasibility of such undertakings: we formalize a substantial portion of the semantics of Objective Caml’s core language (which had not previously been given a formal semantics), and we develop a mechanized type soundness proof in HOL. We also develop an executable version of the operational semantics, verify that it coincides with our semantic definition, and use it to test conformance between the semantics and the OCaml implementation. We intend our semantics to be a suitable substrate for the verification of OCaml programs. 1 Mechanizing Metatheory Researchers in programming languages and program verification routinely develop their ideas in the context of core calculi and idealized models. The advantage of the core calculus approach comes from the efficacy of pencilandpaper mathematics, both for specification and proof; however, these techniques do not scale well. Usable programming
Recording and Checking HOL Proofs
 Higher Order Logic Theorem Proving and Its Applications. 8th International Workshop, volume 971 of LNCS
, 1995
"... Formal proofs generated by mechanised theorem proving systems may consist of a large number of inferences. As these theorem proving systems are usually very complex, it is extremely difficult if not impossible to formally verify them. This calls for an independent means of ensuring the consistency o ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
(Show Context)
Formal proofs generated by mechanised theorem proving systems may consist of a large number of inferences. As these theorem proving systems are usually very complex, it is extremely difficult if not impossible to formally verify them. This calls for an independent means of ensuring the consistency of mechanically generated proofs. This paper describes a method of recording HOL proofs in terms of a sequence of applications of inference rules. The recorded proofs can then be checked by an independent proof checker. Also described in this paper is an efficient proof checker which is able to check a practical proof consisting of thousands of inference steps. 1 Introduction Formal methods have been used in the development of many safetycritical systems in the form of formal specification and formal proof of correctness. Formal proofs are usually carried out using theorem provers or proof assistants. These systems are based on wellfounded formal logic, and provide a programming environmen...
A Proof Tool for Reasoning about Functional Programs
 In Proc. 1996 International Workshop on Higher Order Logic Theorem Proving, Lecture Notes in Computer Science 1125
, 1996
"... . This paper describes a system to support reasoning about lazy functional programs. We describe an approach based on combining a deep embedding of the language in HOL and a set of proof tools to raise the level of interaction with the theorem prover. This approach allows metatheoretic reasoning ab ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
. This paper describes a system to support reasoning about lazy functional programs. We describe an approach based on combining a deep embedding of the language in HOL and a set of proof tools to raise the level of interaction with the theorem prover. This approach allows metatheoretic reasoning about the semantics and reasoning about undefined programs while still supporting practical reasoning about programs in the language. 1 Introduction It is often claimed that functional programming languages, and in particular pure functional languages, are suitable for formal reasoning. This claim is supported by the fact that many people in the functional programming community do reason about their programs in a formal or semiformal way. Depending on the nature of the problem, different styles of reasoning, such as equational reasoning, induction and coinduction, are used. This paper discusses some of the technical issues involved in constructing a proof tool, using HOL [4], for reasoning ...
Studying the ML Module System in HOL
, 1994
"... syntax for higherorder functors (additions and changes) I 2 Int = FunIntEnv \Theta StrIntEnv \Theta Fin(var) SIE 2 StrIntEnv = strid fin ! Int FIE 2 FunIntEnv = funid fin ! Int IB 2 IntBasis = FunIntEnv \Theta SigEnv \Theta StrIntEnv ME 2 ModEnv = FunEnv \Theta ModStrEnv \Theta VarEnv MSE ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
(Show Context)
syntax for higherorder functors (additions and changes) I 2 Int = FunIntEnv \Theta StrIntEnv \Theta Fin(var) SIE 2 StrIntEnv = strid fin ! Int FIE 2 FunIntEnv = funid fin ! Int IB 2 IntBasis = FunIntEnv \Theta SigEnv \Theta StrIntEnv ME 2 ModEnv = FunEnv \Theta ModStrEnv \Theta VarEnv MSE 2 ModStrEnv = strid fin ! ModEnv B 2 Basis = SigEnv \Theta ModEnv FIGURE 5. Semantic objects for higherorder functors (additions and changes) thinning functors. The nature of this information is discussed at length later. Interface Bases (IntBasis) These now have a new component: a functor interface environment. Modulelevel environments (ModEnv) These are the environments obtained as the result of evaluating structures. Since structures can contain functors, these environments contain a functor environment (FunEnv) component. In the rest of this paper we will refer to these objects as "environments" unless there is a possibility of confusion with Corelevel environments. Modulelev...
Two Weak Links in the Formal Methods Chain
 Dept. of Electr. and Comp
"... ification of programming languages and cryptographic protocols. It is sometimes thought that a language such as C is not sufficiently wellspecified to support formal proofs. However, this is only a parttruth. A bigger problem is that the specification leaves so many possibilities open that proofs ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
ification of programming languages and cryptographic protocols. It is sometimes thought that a language such as C is not sufficiently wellspecified to support formal proofs. However, this is only a parttruth. A bigger problem is that the specification leaves so many possibilities open that proofs of properties from a corresponding formal specification would be quite difficult. For instance, the following correct C++ program void main() int a[] = 1,2,3; for (int i = 0; i ! 3; i++)  a[i1] = 1; cout !! "i = " !! i !! ", "; Author email addresses: fgunter,lee,scedrovg@cis.upenn.edu. has the output i = 1, i = 1, ... for at least one machine, compiler, and program run, because its semantics depends on the runtime layout of the variables. 1 By contrast, it is easier to formulate properties for a more restrictive design, if there is a sufficiently rigorous specification. For instance,