Citation Context

...eed) is part of the arduous process of becoming a power user of a theorem-proving system. These observations about formal verification are not new. They have long been used to motivate model-checking =-=[15]-=-. In modelchecking, the user specifies the system and describes properties which it should satisfy; it is the computer’s job to search for counterexamples or to determine that none exist. Although it ...

Citation Context

...r small finite-state systems when first proposed more than 25 years ago, improved techniques for searching the state space efficiently (such as symbolic model checking using Boolean decision diagrams =-=[28]-=-) have now made it feasible to verify industrial hardware designs. As a result, model checking has gained widespread acceptance in industry. We argue that mechanically verified proof is neither the on...

Citation Context

...ut this is presently just translated to an equivalent (but far more verbose) relational implementation, using flattening (more sophisticated functional logic programming techniques, such as narrowing =-=[21]-=-, would require the development of novel nominal equational unification algorithms). After the definition of the sub function, we have added some directives that state desired properties of substituti...

Citation Context

...titutions and constraints with free variables play a similar role. Another related technique is automated testing in functional programming languages, for example in the QuickCheck system for Haskell =-=[14]-=-. QuickCheck provides type class libraries for “generator” functions that construct test data, and a logical specification language to describe the properties the program should satisfy. In conjunctio...

Citation Context

...vital property. In fact, it is well known [19] that the semantics of NF has a very high degree of unsolvability and completeness results have been proven w.r.t. a three-valued semantics, due to Kunen =-=[24]-=-. Logic programs define recursively enumerable relations, and it is only possible to define the complement of an r.e. relation if and only if it is recursive. We therefore cannot expect true completen...

Citation Context

...programming language based on nominal logic, a first-order theory axiomatizing names and name-binding introduced by Pitts [40] and based on Gabbay and Pitts’ swapping-based approach to binding syntax =-=[20]-=-. Unlike ordinary Prolog, αProlog is typed; all constants, function symbols, and predicate symbols must be declared explicitly. We provide a brief review in this section and a more detailed discussion...

Citation Context

...as and side-conditions needed to ensure that all of the proof steps are correct and that enough cases have been considered. A great deal of attention, recently reinvigorated by the POPLMark Challenge =-=[2]-=-, has been focused on the problem of metatheory mechanization, that is, formally verifying such properties using computational tools. Formal, machine-checkable proof is widely agreed to provide the hi...

Citation Context

...ines the derivations of the hypotheses (consider, for example, the derivation transformations involved in proofs of substitution lemmas). We only report a counterexample when the gen [τ ] : τ → o gen =-=[1]-=-(t) = t ≈ 〈〉 gen [τ1 × τ2](t) = gen [τ1](π1(t)) ∧ gen [τ2 ](π2(t)) gen [δ](t) = genδ (t) gen [〈ν〉τ ](t) =N a:ν. gen [τ ](t @ a) gen [ν ](t) genδ (t) = :− ⊤ � {∃X:τ. t = f(X) ∧ gen [τ ](X) | f : τ → δ ...

Citation Context

...nitely fails from a program D, then its complement NotG(G) should be provable from Not D (D). In a model checking context, this is is a desirable, though not vital property. In fact, it is well known =-=[19]-=- that the semantics of NF has a very high degree of unsolvability and completeness results have been proven w.r.t. a three-valued semantics, due to Kunen [24]. Logic programs define recursively enumer...

Citation Context

...ks involving judgments that rely on higher-order abstract syntax (hypothetical judgments) such as tc pres cannot be directly expressed in Bedwyr without moving to a more intricate “2-levels” approach =-=[27]-=-. The Logic-Programming-Based Model Checking project at Stony Brook (http://www.cs.sunysb.edu/~lmc/) implements the model checker XMC for value-passing CCS and a fragment of the mu-calculus on top the...

Citation Context

...htforward lambda-calculus example discussed above, we have used the NFbased implementation to check for errors in several substantial examples, including: • LF typechecking and equivalence algorithms =-=[23]-=- • The F≤ language described in the POPLMark Challenge (implemented in αProlog by Matthew Fairbairn [17]) • λ zap , a “faulty lambda calculus” [50] • A (type-unsafe) mini-ML language with polymorphism...

Citation Context

...sequent (as an introduction rule), as opposed to traditional meta-logics where case analysis corresponds to inversion, i.e. an elimination rule. Model checking and logic programming The Bedwyr system =-=[47, 29]-=- is a generalization of logic programming based on definitions that allows model checking directly on syntactic expressions possibly containing binding. This is supported by term-level λ-binders, a fr...

Citation Context

...oretic) union. Let FV (t1, . . . , tn) = �x disjoint from FV (u1, . . . , um) = �y. Then the relative complement problem can be also expressed by the following (restricted) form of equational problem =-=[16]-=-, where the zi’s are free variables. n� m� ∃�x∀�y. zi = ti ∧ i=1 i=1 zi �= ui A complement operator must satisfy the following desiderata: for fixed t, and all ground terms s 1. Exclusivity: it is not...

Citation Context

...applied recursively. The existential case is instead more delicate: a well known difficulty in the theory of negation elimination is that in general Horn programs are not closed under complementation =-=[26]-=-; if a clause contains a existential variable (more commonly known as a local variable) i.e. asneq [τ ] : τ × τ → o neq [1](t, u) = ⊥ neq [τ1 × τ2](t, u) = neq [τ1](π1(t),π1(u)) ∨ neq [τ2 ](π2(t), π2(...

Citation Context

...uickCheck is also capable of searching for partiallyinstantiated counterexamples. Random testing and counterexample generation has also been considered in theorem proving systems such as Isabelle/HOL =-=[4]-=-. Analyses for checking modes, coverage, termination, and other program properties can be used to verify program properties; this technique plays an important role in the Twelf system [37, 38]. This a...

Citation Context

...ibe an approach to checking desired properties of formal systems implemented in αProlog, a logic programming language which supports programming with “concrete” names and binding modulo α-equivalence =-=[11]-=-. Our work is the first to show how to find bugs in high-level specifications of programming languages and other calculi automatically and effectively. We explore techniques based on both negation-as-...

Citation Context

...vation, we pre-compute the complement of the term structure in each clause head by constructing a set of terms that differ in at least one position. This is known as the (relative) complement problem =-=[25]-=-, which we formally define in Section 5.1. • Complementing clauses. This can be seen as a negation normal form procedure which is consistent with the operational semantics of the language. The idea of...

Citation Context

...ntation (listed in Figure 7), where the X’s are fresh logic variables and f : τ → δ. Define Not(t) = N : τ iff N = {n | Not(t) ⇒ n : τ}. The correctness of the algorithm follows from previous results =-=[3, 31]-=-. We intend to address the general case of nominal term complement in future work (Section 8). 5.2 Clause Complementation via generic operations Clause complementation is usually described in terms of...

Citation Context

...t resolution based on nominal unification is sound and complete for proof search for this case, in contrast to the general case where a more complicated equivariant unification problem must be solved =-=[7]-=-. We define contexts Γ to be sequences of bindings of names or of variables: whichN Γ ::= · | Γ, X:τ | Γ#a:ν Note that names in closed formulas are always introduced using the -quantifier; as such, na...

Citation Context

...urposes of metatheory model-checking we consider only input programs within a smaller, better-behaved fragment for which the semantics (and accompanying implementation techniques) are well-understood =-=[12, 11, 10, 48]-=-. In particular, to simplify the presentation we consider only monomorphic, non-parametric types. A signature Σ = (ΣD,ΣN,ΣF ) consists of sets ΣD and ΣN of base data types δ and name types ν, respecti...

Citation Context

...ers, a fresh name ∇-quantifier, higher-order pattern unification and principles of (co)induction. The relationship of (a fragment of) this framework with nominal logic has been investigated elsewhere =-=[9]-=-; in particular, in Bedwyr it is possible to capture both finite success and finite failure, as a negated atom Γ ⊢ ¬A is seen as Γ, A ⊢ ⊥ and solved by case analysis (definitional reflection) on A. Ho...

Citation Context

...hat construct test data, and a logical specification language to describe the properties the program should satisfy. In conjunction with an implementation of nominal abstract syntax (such as FreshLib =-=[8]-=-), QuickCheck could be used to implement metatheory model-checking. Using Haskell’s lazy evaluation strategy, QuickCheck is also capable of searching for partiallyinstantiated counterexamples. Random ...

Citation Context

...m complement in future work (Section 8). 5.2 Clause Complementation via generic operations Clause complementation is usually described in terms of contraposition of the only-if part of the completion =-=[3, 6, 33]-=-. We instead present a more direct, syntax-directed approach. To complement atomic constraints such as equality and freshness, we need (α-)inequality and non-freshness; we implemented these using type...

Citation Context

...nd non-freshness; we implemented these using type-directed code generation within the αProlog interpreter. We write neq δ , nfrδ , etc. as the names of the generated clauses (cf. analogous notions in =-=[18]-=-). Each of these clauses is defined as shown in Figure 8, together with auxiliary, type-indexed functions neq [τ ],nfr [τ ], etc. which are used to construct appropriate subgoals for each type. In par...

Citation Context

... NotG(G). 2. It is not the case that Γ : ∆; ∇ D ¬p(t) −→ p(t) and Γ : ∆ − ; ∇ NotD (D) −→ The proof, by mutual induction on the derivation of Γ : ∆; ∇ ⇒ G and Γ : ∆; ∇ D −→ p(t), follows the lines in =-=[30]-=-. Completeness can be stated as follows: if a goal G finitely fails from a program D, then its complement NotG(G) should be provable from Not D (D). In a model checking context, this is is a desirable...

Citation Context

...everal settings. A principle of “proof by case analysis” was studied in [3, 5] and then somewhat refined in [33]. The proof-theory of success and failure of existential goals has been investigated in =-=[22]-=-, although not in the presence of generic (intensional) universal quantification. A related approach is constructive negation, in particular as formulated by Stuckey [46], in which negated existential...

Citation Context

...f so does G[t/X] for every (ground) term of type τ. Since this is hardly practical to implement from the logic programming standpoint, extensional quantification has been interpreted by case analysis =-=[5]-=- and SLD-derivations have been extended with such a step. Figure 9 shows the proof search semantics of the ∀ ∗ -quantifier. Clause complementation is now unsurprising: given a rule ∀(q(t) ← G), its co...

Citation Context

...errors in several substantial examples, including: • LF typechecking and equivalence algorithms [23] • The F≤ language described in the POPLMark Challenge (implemented in αProlog by Matthew Fairbairn =-=[17]-=-) • λ zap , a “faulty lambda calculus” [50] • A (type-unsafe) mini-ML language with polymorphism and references We did not expect to find previously unknown errors in these systems; however, the check...