Lecture Notes in Computer Science 2410Edited by G Goos J Hartmanis and J van Leeuwen

3BerlinHeidelbergNew YorkBarcelonaHong KongLondonMilanParisTokyo

Victor A CarrenoCeacutesar A Munoz Sofiegravene Tahar (Eds)

Theorem Provingin Higher Order Logics

15th International Conference TPHOLs 2002Hampton VA USA August 20-23 2002Proceedings

1 3

Series Editors

Gerhard Goos Karlsruhe University GermanyJuris Hartmanis Cornell University NY USAJan van Leeuwen Utrecht University The Netherlands

Volume Editors

Victor A CarrenoNASA Langley Research CenterMS 130 Hampton VA 23681 USAE-mail vacarrenolarcnasagov

Ceacutesar A MunozICASE-Langley Research CenterMS 132C Hampton VA 23681 USAE-mail munozicaseedu

Sofiegravene TaharConcordia University Electrical and Computer Engineering1455 de Maisonneuve Blvd WMontreacuteal Queacutebec H3G 1M8 CanadaE-Mail taharececoncordiaca

Cataloging-in-Publication Data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme

Theorem proving in higher order logics 15th international conference proceedings TPHOLs 2002 Hampton VA USA August 20 - 23 2002Victor A Carreno (ed) - Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo Springer 2002

(Lecture notes in computer science Vol 2410)ISBN 3-540-44039-9

CR Subject Classification (1998) F41 I23 F31 D24 B63

ISSN 0302-9743ISBN 3-540-44039-9 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright All rights are reserved whether the whole or part of the material isconcerned specifically the rights of translation reprinting re-use of illustrations recitation broadcastingreproduction on microfilms or in any other way and storage in data banks Duplication of this publicationor parts thereof is permitted only under the provisions of the German Copyright Law of September 9 1965in its current version and permission for use must always be obtained from Springer-Verlag Violations areliable for prosecution under the German Copyright Law

Springer-Verlag Berlin Heidelberg New Yorka member of BertelsmannSpringer Science+Business Media GmbH

httpwwwspringerde

copy Springer-Verlag Berlin Heidelberg 2002Printed in Germany

Typesetting Camera-ready by author data conversion by Christian Grosche HamburgPrinted on acid-free paper SPIN 10873706 063142 5 4 3 2 1 0

Preface

This volume contains the proceedings of the 15th International Conference onTheorem Proving in Higher Order Logics (TPHOLs 2002) held on 20ndash23 August2002 in Hampton Virginia USA The conference serves as a venue for the pre-sentation of work in theorem proving in higher-order logics and related areasin deduction formal specification software and hardware verification and otherapplications

Each of the 34 papers submitted in the full research category was refereed byat least three reviewers from the program committee or by a reviewer appointedby the program committee Of these submissions 20 papers were accepted forpresentation at the conference and publication in this volume

Following a well-established tradition in this conference series TPHOLs 2002also offered a venue for the presentation of work in progress For the work inprogress track short introductory talks were given by researchers followed byan open poster session for further discussion Papers accepted for presentationin this track have been published as Conference Proceedings CP NASA-2002-211736

The organizers would like to thank Ricky Butler and Gerard Huet for grace-fully accepting our invitation to give talks at TPHOLs 2002 Ricky Butler wasinstrumental in the formation of the Formal Methods program at the NASALangley Research Center and has led the group since its beginnings The NASALangley Formal Methods group under Ricky Butlerrsquos guidance has fundedbeen involved in or influenced many formal verification projects in the US overmore than two decades In 1998 Gerard Huet received the prestigious HerbrandAward for his fundamental contributions to term rewriting and theorem provingin higher-order logic as well as many other key contributions to the field of au-tomated reasoning He is the originator of the Coq System under developmentat INRIA-Rocquencourt Dr Huetrsquos current main interest is computational lin-guistics however his work continues to influence researchers around the world ina wide spectrum of areas in theoretical computer science formal methods andsoftware engineering

The venue of the TPHOLs conference traditionally changes continent eachyear in order to maximize the likelihood that researchers from all over the worldwill attend Starting in 1993 the proceedings of TPHOLs and its predecessorworkshops have been published in the following volumes of the Springer-VerlagLecture Notes in Computer Science series

1993 (Canada) 780 1998 (Australia) 14791994 (Malta) 859 1999 (France) 16901995 (USA) 971 2000 (USA) 18691996 (Finland) 1125 2001 (UK) 21521997 (USA) 1275

VI Preface

The 2002 conference was organized by a team from NASA Langley ResearchCenter the ICASE Institute at Langley Research Center and Concordia Uni-versity Financial support came from Intel Corporation The support of all theseorganizations is gratefully acknowledged

August 2002 Vıctor A CarrenoCesar A Munoz

VII

Organization

TPHOLs 2002 is organized by NASA Langley and ICASE in cooperation withConcordia University

Organizing Committee

Conference Chair Vıctor A Carreno (NASA Langley)Program Chair Cesar A Munoz (ICASE NASA LaRC)

Sofiene Tahar (Concordia University)

Program Committee

Mark Aagaard (Waterloo)David Basin (Freiburg)Vıctor Carreno (NASA Langley)Shiu-Kai Chin (Syracuse)Paul Curzon (Middlesex)Gilles Dowek (INRIA)Harald Ganzinger (MPI Saarbrucken)Ganesh Gopalakrishnan (Utah)Jim Grundy (Intel)Elsa Gunter (NJIT)John Harrison (Intel)Doug Howe (Carleton)Bart Jacobs (Nijmegen)Paul Jackson (Edinburgh)Sara Kalvala (Warwick)

Michael Kohlhase (CMU amp Saarland)Thomas Kropf (Bosch)Tom Melham (Glasgow)J Strother Moore (Texas Austin)Cesar Munoz (ICASE NASA LaRC)Sam Owre (SRI)Christine Paulin-Mohring (INRIA)Lawrence Paulson (Cambridge)Frank Pfenning (CMU)Klaus Schneider (Karlsruhe)Henny Sipma (Stanford)Konrad Slind (Utah)Don Syme (Microsoft)Sofiene Tahar (Concordia)Wai Wong (Hong Kong Baptist)

Additional Reviewers

Otmane Ait-MohamedBehzad AkbarpourNancy DayBen Di VitoJean-Christophe Filliatre

Alfons GeserHanne GottliebsenMike KishinevskyHans de NivelleAndrew Pitts

Harald RueszligLeon van der TorreTomas Uribe

Invited Speakers

Ricky Butler (NASA Langley)Gerard Huet (INRIA)

VIII Preface

Sponsoring Institutions

NASA LangleyICASEConcordia UniversityINTEL

Table of Contents

Invited Talks

Formal Methods at NASA Langley 1Ricky Butler

Higher Order Unification 30 Years Later 3Gerard Huet

Regular Papers

Combining Higher Order Abstract Syntax with Tactical Theorem Provingand (Co)Induction 13

Simon J Ambler Roy L Crole Alberto Momigliano

Efficient Reasoning about Executable Specifications in Coq 31Gilles Barthe Pierre Courtieu

Verified Bytecode Model Checkers 47David Basin Stefan Friedrich Marek Gawkowski

The 5 Colour Theorem in IsabelleIsar 67Gertrud Bauer Tobias Nipkow

Type-Theoretic Functional Semantics 83Yves Bertot Venanzio Capretta Kuntal Das Barman

A Proposal for a Formal OCL Semantics in IsabelleHOL 99Achim D Brucker Burkhart Wolff

Explicit Universes for the Calculus of Constructions 115Judicael Courant

Formalised Cut Admissibility for Display Logic 131Jeremy E Dawson Rajeev Gore

Formalizing the Trading Theorem for the Classification of Surfaces 148Christophe Dehlinger Jean-Francois Dufourd

Free-Style Theorem Proving 164David Delahaye

A Comparison of Two Proof Critics Power vs Robustness 182Louise A Dennis Alan Bundy

X Table of Contents

Two-Level Meta-reasoning in Coq 198Amy P Felty

PuzzleTool An Example of Programming Computation and Deduction 214Michael JC Gordon

A Formal Approach to Probabilistic Termination 230Joe Hurd

Using Theorem Proving for Numerical Analysis 246Micaela Mayero

Quotient Types A Modular Approach 263Aleksey Nogin

Sequent Schema for Derived Rules 281Aleksey Nogin Jason Hickey

Algebraic Structures and Dependent Records 298Virgile Prevosto Damien Doligez Therese Hardin

Proving the Equivalence of Microstep and Macrostep Semantics 314Klaus Schneider

Weakest Precondition for General Recursive Programs Formalized in Coq 332Xingyuan Zhang Malcolm Munro Mark Harman Lin Hu

Author Index 349

Formal Methods at NASA Langley

Ricky Butler

Assessment Technology BranchMail Stop 130 NASA Langley Research Center

Hampton VA 23681-2199rwbutlerlarcnasagov

Extended Abstract

In this talk a short history of NASA Langleyrsquos research in formal methods ispresented The talk begins with an examination of the attempted formal verifi-cation of the SIFT (Software Implemented Fault Tolerance) operating system inthe late 1970s The primary goal of the SIFT verification project was to verify anoperating system for a fault-tolerant distributed real-time avionics computingplatform The SIFT project was deemed a failure because it did not meet its pri-mary objective However important results in the field of computer science wereobtained from the SIFT project including fault tolerant clock synchronizationByzantine agreement (interactive consistency) and others

After the SIFT project formal methods at NASA Langley went through aperiod of hibernation and would have probably died except for the providentialvisit of John Cullyer to NASA Langley in 1988 Soon after this a Memoran-dum of Understanding (MOU) between NASA Langley and The Royal Signaland Radar Establishment (RSRE) was initiated NASA Langley was asked toperform a critical assessment of the VIPER microprocessor which had been de-signed at the RSRE research laboratory With the help of Computational LogicInc (CLI) and the Boeing Commercial Airplane Company the usefulness ofthe VIPER processor for aerospace application was investigated ComputationalLogic wrote a critical review emphasizing the incompleteness of the VIPER me-chanical proofs Although an unprecedented level of analysis had been performedon the VIPER the CLI team did not consider hand-proofs to be adequate forsomething like the VIPER Once again Langley found itself in the midst of aformal methods controversy At the heart of this controversy was the nature ofproof itself How rigorous does a proof have to be before one can claim that amathematical proof has been accomplished

Next NASA Langley began to fund the direct application of existing formalmethods to real problems in the aerospace industry A competitive procurementresulted in three contracts to Computational Logic Inc SRI International andOdyssey Research Associates During this period NASA Langley had its firstrecognized successes in formal methods the formal verification of the RockwellCollins AAMP5 microprocessor and the formal verification of the Draper FTPPscoreboard circuit Most of the work centered on fault-tolerance and hardware

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 1ndash2 2002ccopy Springer-Verlag Berlin Heidelberg 2002

2 Ricky Butler

verification at this time but some initial work in modeling software was also ini-tiated The Jet Select subsystem of the Space Shuttle was modeled and later theGPS upgrade and 3-Engine-Out upgrade was formally analyzed Both theoremproving and model checking approaches were pursued

Towards the end of the 1990s the Langley team began to look into ways ofusing formal methods to improve critical flight deck software After the Pentiumbug mobilized the commercial silicon manufacturers to pursue formal verifica-tion technology the Langley team decided to focus its attention on software andsystems Cooperative work with industry to model flight guidance systems Adarun-time systems operating systems that support integrated modular avionicsand other safety-critical applications were begun In FY2000 the Langley for-mal methods team began to work for the Aviation Safety Program The AviationSafety Program is a NASA focused program with a goal of reducing the fatalaviation accident rate by 80 in ten years and 90 in twenty years Four newcontracts were started with a goal of using formal methods to make flight sys-tems safer (1) Rockwell Collins Advanced Technology Center to develop formalrequirements modeling and analysis techniques to detect and remove flight deckmode confusion (2) Honeywell Engines and Systems with SRI International toadapt the Time Triggered Architecture (TTA) to a Full Authority Digital EngineControl (FADEC) (3) Barron AssociatesGoodrich to develop formal verifica-tion methods that can serve as a basis for certifying non-adaptive neural netsand (4) University of Virginia to develop formal specification tools that inte-grate formal and informal languages enabling the analysis of the combinationIn FY2001 the Langley formal methods team was asked to apply formal meth-ods technology to the Air Traffic Management problem Current work is lookingat conflict detection and resolution algorithms (CDampR) needed in future freeflight concepts and at merging and self-spacing algorithms in the terminal areaThese later algorithms are being developed in support of NASA Langleyrsquos SmallAircraft Transportation Systems (SATS) program The Langley team has hadsome early successes with the verification of Air Traffic Management conceptsand the outlook is quite promising for this area

Future goals for the Langley formal methods program include (1) facilitatingthe transfer of successful formal approaches into the product lines of aerospacecompanies by developing cost-effective tools that integrate well with existingindustrial life-cycle processes (2) working with the FAA to develop new cer-tification processes that take advantage of the capabilities of formal methods(3) performing fundamental research in new challenging areas such as systemswhere there are complex interactions between discrete and continuous compo-nents and (4) integrating formal methods technology into existing engineeringtools such as Mathworks

Higher Order Unification 30 Years Later

(Extended Abstract)

Gerard Huet

INRIA-RocquencourtBP 105 F-78153 Le Chesnay Cedex

GerardHuetinriafr

Abstract The talk will present a survey of higher order unificationcovering an outline of its historical development a summary of its appli-cations to three fields automated theorem proving and more generallyengineering of proof assistants programming environments and softwareengineering and finally computational linguistics It concludes by a pre-sentation of open problems and a few prospective remarks on promisingfuture directions This presentation assumes as background the surveyby Gilles Dowek in the Handbook of automated theorem proving [28]

1 Theory

11 Early History

The problem of automating higher order logic was first posed by J A Robinsonin [100101] Peter Andrews formulated a version of the resolution principle foraccommodating Churchrsquos Simple Theory of Types [164] and as early as 1964Jim Guardrsquos team at Applied Logic Corporation had been independently inves-tigating higher order logic versions of unification [4241] but the complexity ofthe problem appeared when higher order unification was shown to be undecid-able in 1972 independently by G Huet [46] and C Lucchesi [61] a result tobe sharpened by W Goldfarb [39] Jensen and Pietrzykowky [8950] at Uni-versity of Waterloo gave a complete recursive enumeration of unifiers but theprocess was over-generative in an untractable fashion since computational quag-mires happened where at every step of the process all previous solutions weresubsumed by the next one Huet proposed a more tractable enumeration of pre-unifiers for better conditioned problems where rigidity of one of the problemterms led to sequential behavior By delaying ill-conditioned problems in theform of constraints it became possible to implement a complete version of theresolution principle for Churchrsquos Type Theory [49] An extensive theory of uni-fication in various algebraic settings building on early work of G Plotkin [90]was developed by G Huet in his These drsquoEtat [47] while P Andrews and hiscollaborators at CMU went on implementing constrained resolution in the proofassistant TPS [5]

Thus the original motivation for higher-order unification was its use as afundamental algorithm in automated theorem-provers We shall see below that

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 3ndash12 2002ccopy Springer-Verlag Berlin Heidelberg 2002

4 Gerard Huet

the design and implementation of proof assistants is still its main applicationarea not just in the setting of classical logic with versions of the resolutionprinciple but in more general meta-theoretic frameworks where it is the workhorse of pattern-matching and more generally proof search For instance exten-sions of the term-rewriting paradigm of equational logic building on higher-orderunification were proposed by Nipkow Jouannaud and Okada Breazu-TannenBlanqui and many others [7610] while C Benzmuller investigated the additionof equality paramodulation to higher-order resolution [89]

12 λ Prolog

It was soon realized that resolution was better behaved in the restricted contextof Horn sentences and Colmerauer and Kowalski took advantage of this qualityin the framework of first-order logic with the design of PROLOG which spurredthe whole new field of Logic Programming The generalization of this promis-ing technology to higher-order logic was successfully accomplished by D Millerwith his λ-PROLOG system [6573] G Nadathur further investigated the λ-PROLOG methodology and its efficient implementation [7172707374] In theMali team in Rennes Yves Bekkers and colleagues implemented a λ-PROLOGmachine with specific dynamic memory management [714] The most impres-sive application of the λ-PROLOG formalism was accomplished by F Pfenningin his ELF system a logic programming environment for Edinburghrsquos LogicalFramework [8588]

The theory of higher-order unification in more powerful higher order frame-works encompassing dependent types polymorphism or inductive types wasinvestigated by C Elliott[3132] G Pym [96] G Dowek [2026] F Pfenning[8687] etc in a series of publications in the 80rsquos and 90rsquos We refer the inter-ested reader to the extensive presentation in G Dowekrsquos survey [28]

13 Matching

An important special case of unification (ie solving equations in term struc-tures) is when one of the terms is closed Unification in this special case ispattern matching a specially important algorithm in symbolic computationHuetrsquos semi-decision algorithm turned into an algorithm generating a finite setof solutions in the case of second-order terms [474822] Furthermore it waspossible to combine pattern-matching for linear terms with first-order unifica-tion as Miller demonstrated with his higher-order patterns [66] However thegeneral problem in the full higher-order hierarchy remained open for a long timeG Dowek showed that the third-order problem was decidable [27] while exten-sions in various other directions led to undecidability [2124] Padovani showedthat the fourth-order case was decidable [808182] Wolfram gave an algorithmwhich always terminate [115] but whose completeness is dubious More recentlyLoader announced the undecidability of higher-order matching in [5960] but the

Higher Order Unification 30 Years Later 5

argument does not carry over if the η rule of extensionality is added to β com-putation rule of λ calculus This vexing but important problem is thus still openafter 30 years of intense investigation

2 Applications

The talk will survey applications in three domains

21 Proof Technology

Early experiments with resolution systems as proof assistants were extremelynaive since full automation was aimed at for mathematical theories which areundecidable or at least badly untractable It is interesting that to this day re-search teams keep the pretense of solving deep mathematical problems in a fullyautomated fashion despite all evidence to the contrary

Hopefully better methodologies exist than attempting to solve mathematicswith combinatorial blackboxes Proof Assistants following the early models ofAutomath LCF and NuPRL have been designed as interactive systems wherethe mathematically sophisticated user drives a proof search process with thehelp of specialized programmable tactics implementing decision or semi-decisionprocedures which operate on formulas kept in user-understandable terms Twoparadigms are of paramount importance in this newer vision of proof search theuse of general meta-level formalisms (the so-called logical frameworks wheregeneric pattern-matching and unification algorithms are put to use) and therecognition of proof structures as higher-order objects themselves (through suit-able instances of the Curry-Howard correspondence) This gave a second life tohigher-order unification at the level of proof search this time (and not just at thelevel of terms search) This methodology was clearly articulated by G Dowekin his thesis [2023] and by by D Miller and A Felty [235] Typical of this ap-proach are the proof assistants Isabelle [83] the Edinburgh Logical Frameworkand its ELF Logic Programming engine [8588] and the various versions of theCalculus of Constructions or Intuitionistic Type Theory implementations (CoqLego Alf)

22 Program Schemas Manipulation and Software Engineering

The second-order matching algorithm presented in the 70rsquos by Huet and Lang[48] was motivated by an application to program schemas recognition in a soft-ware engineering paradigm of program transformations originally proposed byBurstall and Darlington Indeed all the Burstall and Darlington rewrite ruleswere easily encompasssed by this technology but it seemed difficult to extrapo-late this simple methodology to software engineering in the large Still grandioseprojects of Inferential Programming based on Semantically Based Program-ming Tools were lavishly financed in the 80rsquos on such principles [55] Whatfinally emerged when the dust settled was the notion of Higher-order Abstract

6 Gerard Huet

Syntax as a fundamental structure for logic-based programming environments[67458435164]

23 Anaphora Resolution and Other Computational LinguisticsApplications

Meanwhile researchers in computational linguistics working at the frontier be-tween syntax and semantics and notably within Montague Semantics had beeninvestigating the resolution of anaphora constructions (pronouns focus ellipsisetc) through the higher order unification algorithm Such experiments were fa-cilitated by the widespread adoption of PROLOG as a computation paradigm inthis community Typical representatives of this approach were Dale Miller andGopalan Nadathur at CMU [68] S Shieber and colleagues in Harvard [62114] SPulman in SRICambridge [95] and C Gardent and colleagues in Saarbrucken[15373836]

3 Prospective

The talk will end with some prospective remarks

References

1 G Amiot The undecidability of the second order predicate unification problemArchive for mathematical logic 30193ndash199 1990

2 Dale Miller Amy Felty Specifying theorem provers in a higher-order logic pro-gramming language In Proceedings of the 9th Int Conference on AutomatedDeduction (CADE-9) volume 310 of Lecture Notes in Computer Science pages61ndash80 Springer-Verlag Argonne Illinois 1988

3 Penny Anderson Represnting proof transformations for program optimization InProceedings of the 12th Int Conference on Automated Deduction (CADE-12) vol-ume 814 of Lecture Notes in Artificial Intelligence pages 575ndash589 Nancy France1994 Springer-Verlag

4 PB Andrews Resolution in type theory The Journal of Symbolic Logic36(3)414ndash432 1971

5 PB Andrews M Bishop S Issar D Nesmith F Pfenning and H Xi Tpsa theorem proving system for classical type theory J of Automated Reasoning16321ndash353 1996

6 J Avenhaus and CA Lorıa-Saenz Higher-order conditional rewriting and nar-rowing In J-P Jouannaud editor International Conference on Constaints inComputational Logic volume 845 of Lecture Notes in Computer Science pages269ndash284 Springer-Verlag 1994

7 Yves Bekkers Olivier Ridoux and Lucien Ungaro Dynamic memory managementfor sequential logic programming languages In IWMM pages 82ndash102 1992

8 C Benzmuller Extensional higher-order resolution In Proceedings of the 15thInt Conference on Automated Deduction (CADE-15) volume 1421 of LectureNotes in Artificial Intelligence pages 56ndash71 Springer-Verlag Lindau Germany1998

Higher Order Unification 30 Years Later 7

9 C Benzmuller Equality and extensionality in automated higher-order theoremproving Doctoral Dissertation Universitat des Saarlandes Saarbrucken 1999

10 Frederic Blanqui Theorie des types et reecriture These de Doctorat UniversiteParis-Sud 2001

11 P Borovansky Implementation of higher-order unification based on calculus ofexplicit substitution In M Bartosek J Staudek and J Wiedermann editorsSOFSEM Theory and Practice of Informatics volume 1012 in Lecture Notes inComputer Science pages 363ndash368 Springer-Verlag 1995

12 A Boudet and E Contejean AC-unification of higher-order patterns InG Smolka editor Principles and Practice of Constraint Programming volume1330 of Lecture Notes in Computer Science pages 267ndash281 Springer-Verlag 1997

13 D Briaud Higher order unification as typed narrowing Technical Report 96-R-112 Centre de recherche en informatique de Nancy 1996

14 Pascal Brisset and Olivier Ridoux The architecture of an implementation oflambdaprolog Prologmali Technical Report RR-2392 INRIA Oct 1994

15 M Kohlhase C Gardent and K Konrad Higher-order colored unification Alinguistic application J of Logic Language and Information 9313ndash338 2001

16 A Church A formulation of the simple theory of types The Journal of SymbolicLogic 5(1)56ndash68 1940

17 H Comon and Y Jurski Higher-order matching and tree automata In M Nielsenand W Thomas editors Conference on Computer Science Logic volume 1414 ofLecture Notes in Computer Science pages 157ndash176 Springer-Verlag 1997

18 DJ Dougherty Higher-order unification via combinators Theoretical ComputerScience 114273ndash298 1993

19 DJ Dougherty and P Johann A combinatory logic approach to higher-orderE-unification In D Kapur editor Conference on Automated Deduction volume607 of Lecture Notes in Artificial Intelligence pages 79ndash93 Springer-Verlag 1992

20 G Dowek Demonstration automatique dans le calcul des constructions Thesede Doctorat Universite de Paris VII 1991

21 G Dowek Lrsquoindecidabilite du filtrage du troisieme ordre dans les calculs avectypes dependants ou constructeurs de types (the undecidability of third orderpattern matching in calculi with dependent types or type constructors) ComptesRendus a lrsquoAcademie des Sciences I 312(12)951ndash956 1991 Erratum ibid I318 1994 p 873

22 G Dowek A second-order pattern matching algorithm in the cube of typed λ-calculi In A Tarlecki editor Mathematical Foundation of Computer Sciencevolume 520 of Lecture notes in computer science pages 151ndash160 Springer-Verlag1991

23 G Dowek A complete proof synthesis method for the cube of type systemsJournal of Logic and Computation 3(3)287ndash315 1993

24 G Dowek The undecidability of pattern matching in calculi where primitiverecursive functions are representable Theoretical Computer Science 107349ndash356 1993

25 G Dowek The undecidability of typability in the lambda-pi-calculus InM Bezem and JF Groote editors Typed Lambda Calculi and Applications vol-ume 664 in Lecture Notes in Computer Science pages 139ndash145 Springer-Verlag1993

26 G Dowek A unification algorithm for second-order linear terms Manuscript1993

27 G Dowek Third order matching is decidable Annals of Pure and Applied Logic69135ndash155 1994

8 Gerard Huet

28 G Dowek Higher-Order Unification and Matching chapter 16 pages 1009ndash1062Elsevier 2001

29 G Dowek T Hardin and C Kirchner Higher-order unification via explicitsubstitutions Information and Computation 157183ndash235 2000

30 G Dowek T Hardin C Kirchner and F Pfenning Unification via explicitsubstitutions the case of higher-order patterns In M Maher editor Joint Inter-national Conference and Symposium on Logic Programming pages 259ndash273 TheMIT Press 1996

31 CM Elliott Higher-order unification with dependent function types In N Der-showitz editor Internatinal Conference on Rewriting Techniques and Applica-tions volume 355 of Lecture Notes in Computer Science pages 121ndash136 Springer-Verlag 1989

32 CM Elliott Extensions and applications of higher-order unification PhD thesisCarnegie Mellon University 1990

33 WM Farmer A unification algorithm for second-order monadic terms Annalsof Pure and applied Logic 39131ndash174 1988

34 WM Farmer Simple second order languages for which unification is undecidableTheoretical Computer Science 8725ndash41 1991

35 Amy Felty Implementing tactics and tacticals in a higher-order logic program-ming language Journal of Automated Reasoning 1143ndash81 1993

36 C Gardent Deaccenting and higher-order unification J of Logic Language andInformation 9313ndash338 2000

37 C Gardent and M Kohlhase Focus and higher-order unification In 16th Inter-national Conference on Computational Linguistics Copenhagen 1996

38 C Gardent and M Kohlhase Higher-order coloured unification and naturallanguage semantics In ACL editor 34th Annual Meeting of the Association forComputational Linguistics Santa Cruz 1996

39 WD Goldfarb The undecidability of the second-order unification problem The-oretical Computer Science 13225ndash230 1981

40 J Goubault Higher-order rigid E-unification In F Pfenning editor 5th Interna-tional Conference on Logic Programming and Automated Reasoning volume 822in Lecture Notes in Artificial Intelligence pages 129ndash143 Springer-Verlag 1994

41 WE Gould A matching procedure for ω-order logic Scientific report 4 AFCRL66-781 (contract AF 19 (628)-3250) AD 646 560

42 JR Guard Automated logic for semi-automated mathematics Scientific report1 AFCRL 64-411 (contract AF 19 (628)-3250) AS 602 710 1964

43 M Hagiya Programming by example and proving by example using higher-orderunification In ME Stickel editor Conference on Automated Deduction volume449 in Lecture Notes in Computer Science pages 588ndash602 Springer-Verlag 1990

44 M Hagiya Higher-order unification as a theorem proving procedure In K Fu-rukawa editor International Conference on Logic Programming pages 270ndash284MIT Press 1991

45 John Hannan and Dale Miller Uses of higher-order unification for implementingprograms transformers In RA Kowalski an KA Bowen editor InternationalConference and Symposium on Logic Programming pages 942ndash959 1988

46 G Huet The undecidability of unification in third order logic Information andControl 22257ndash267 1973

47 G Huet Resolution drsquoequations dans les langages drsquoordre 12 ω These drsquoEtatUniversite de Paris VII 1976

48 G Huet and B Lang Proving and applying program transformations expressedwith second order patterns Acta Informatica 1131ndash55 1978

Higher Order Unification 30 Years Later 9

49 Gerard Huet Constrained resolution A complete method for higher order logicPhD thesis Case Western University Aug 1972

50 DC Jensen and T Pietrzykowski Mechanizing ω-order type theory throughunification Theoretical Computer Science 3123ndash171 1976

51 Frank Pfenning Joelle Despeyroux and Carsten Schurmann Primitive recursionfor higher-order syntax In R Hindley editor Proceedings of the 3rd Int Confer-ence on Typed Lambda Calculus and Applications (TLCArsquo97) volume 1210 of Lec-ture Notes in Computer Science pages 147ndash163 Nancy France 1997 Springer-Verlag

52 Patricia Johann and Michael Kohlhase Unification in an extensional lambda cal-culus with ordered function sorts and constant overloading In Alan Bundy editorConference on Automated Deduction volume 814 in Lecture Notes in ArtificialIntelligence pages 620ndash634 Springer-Verlag 1994

53 C Kirchner and Ch Ringeissen Higher-order equational unification via ex-plicit substitutions In M Hanus J Heering and K Meinke editors Algebraicand Logic Programming International Joint Conference ALPrsquo97-HOArsquo97 vol-ume 1298 of Lecture Notes in Computer Science pages 61ndash75 Springer-Verlag1997

54 K Kwon and G Nadathur An instruction set for higher-order hereditary harropformulas (extended abstract) In Proceedings of the Workshop on the lambdaProlog Programming Language UPenn Technical Report MS-CIS-92-86 1992

55 Peter Lee Frank Pfenning John Reynolds Gene Rollins and Dana Scott Re-search on semantically based program-design environments The ergo projectin 1988 Technical Report CMU-CS-88-118 Computer Science DepartmentCarnegie Mellon University 1988

56 J Levy Linear second order unification In H Ganzinger editor RewritingTechniques and Applications volume 1103 of Lecture Notes in Computer Sciencepages 332ndash346 Springer-Verlag 1996

57 Jordi Levy and Margus Veanes On unification problems in restricted second-order languages In Annual Conf of the European Ass of Computer ScienceLogic (CSL98) Brno Czech Republic 1998

58 Jordi Levy and Mateu Villaret Linear second-order unification and context uni-fication with tree-regular constraints In Proceedings of the 11th Int Conf onRewriting Techniques and Applications (RTA 2000) volume 1833 of Lecture Notesin Computer Science pages 156ndash171 Norwich UK 2000 Springer-Verlag

59 R Loader The undecidability of λ-definability To appear in Church memorialvolume 1994

60 R Loader Higher order β matching is undecidable Private communication2001

61 CL Lucchesi The undecidability of the unification problem for third orderlanguages Technical Report CSRR 2060 Department of applied analysis andcomputer science University of Waterloo 1972

62 Stuart M Shieber Mary Dalrymple and Fernando CN Pereira Ellipsis andhigher-order unification Linguistic and Philosophy 14399ndash452 1991

63 R Mayr and T Nipkow Higher-order rewrite systems and their confluenceTheoretical Computer Science 1923ndash29 1998

64 Raymond McDowell and Dale Miller Reasoning with higher-order abstract syntaxin a logical framework ACM Transactions on Computational Logic (TOCL)380ndash136 2002

65 Dale Miller Abstractions in logic programming In P Odifreddi editor Logicand computer science pages 329ndash359 Academic Press 1991

10 Gerard Huet

66 Dale Miller Unification under a mixed prefix Journal of Symbolic Computation14321ndash358 1992

67 Dale Miller and Gopalan Nadathur A logic programming approach to manipu-lating formulas and programs In IEEE Symposium on Logic Programming pages247ndash255 San Francisco California 1986

68 Dale Miller and Gopalan Nadathur Some uses of higher-order logic in computa-tional linguistics In 24th Annual Meeting of the Association for ComputationalLinguistics pages 247ndash255 1986

69 O Muller and F Weber Theory and practice of minimal modular higher-orderE-unification In A Bundy editor Conference on Automated Deduction volume814 in Lecture Notes in Artificial Intelligence pages 650ndash664 Springer-Verlag1994

70 Gopalan Nadathur An explicit substitution notation in a λprolog implementa-tion In First International Workshop on Explicit Substitutions 1998

71 Gopalan Nadathur A Higher-Order Logic as the Basis for Logic ProgrammingPhD thesis University of Pennsylvania Dec 1986

72 Gopalan Nadathur and Dale Miller Higher-order horn clauses J of the Associ-ation for Computing Machinery 37777ndash814 1990

73 Gopalan Nadathur and Dale Miller Higher-order logic programming In D MGabbay C J Hogger and J A Robinson editors Handbook of logic in artificialintelligence and logic programming volume 5 pages 499ndash590 Clarendon Press1998

74 Gopalan Nadathur and DJ Mitchell System description A compiler and ab-stract machine based implementation of λprolog In Conference on AutomatedDeduction 1999

75 T Nipkow Higher-order critical pairs In Logic in Computer Science pages342ndash349 1991

76 T Nipkow Higher-order rewrite systems In Proceedings of the 6th Int Conf onRewriting Techniques and Applications (RTA-95) volume 914 of Lecture Notesin Computer Science pages 256ndash256 Keiserlautern Germany 1995 Springer-Verlag

77 T Nipkow and Ch Prehofer Higher-order rewriting and equational reasoningIn W Bibel and PH Schmitt editors Automated Deduction - A Basis for Ap-plications volume 1 pages 399ndash430 Kluwer 1998

78 Tobias Nipkow and Zhenyu Qian Modular higher-order e-unification In Proceed-ings of the 4th Int Conf on Rewriting Techniques and Applications (RTA) vol-ume 488 of Lecture Notes in Computer Science pages 200ndash214 Springer-Verlag1991

79 Tobias Nipkow and Zhenyu Qian Reduction and unification in lambda calculiwith a general notion of subtype Journal of Automated Reasoning 12389ndash4061994

80 V Padovani Fourth-order matching is decidable Manuscript 199481 V Padovani Decidability of all minimal models In S Berardi and M Coppo

editors Types for Proof and Programs 1995 volume 1158 in Lecture Notes inComputer Science pages 201ndash215 Springer-Verlag 1996

82 V Padovani Filtrage drsquoordre superieur These de Doctorat Universite de ParisVII 1996

83 Larry C Paulson Isabelle The next 700 theorem provers In P Odifreddi editorLogic and computer science pages 361ndash385 Academic Press 1991

84 F Pfenning Partial polymorphic type inference and higher-order unification InConference on Lisp and Functional Programming pages 153ndash163 1988

Higher Order Unification 30 Years Later 11

85 F Pfenning Logic programming in the LF logical framework In G Huet andG Plotkin editors Logical frameworks pages 149ndash181 Cambridge UniversityPress 1991

86 F Pfenning Unification and anti-unification in the calculus of constructions InLogic in Computer Science pages 74ndash85 1991

87 F Pfenning and I Cervesato Linear higher-order pre-unification In Logic inComputer Science 1997

88 Frank Pfenning and Carsten Schurmann System description Twelf mdash A meta-logical framework for deductive systems In Proceedings of the 16th Int Con-ference on Automated Deduction (CADE-16) volume 1632 of Lecture Notes inArtificial Intelligence Springer-Verlag 1999

89 T Pietrzykowski A complete mecanization of second-order type theory J of theAssociation for Computing Machinery 20333ndash364 1973

90 G Plotkin Building-in equational theories Machine Intelligence 773ndash90 197291 C Prehofer Decidable higher-order unification problems In A Bundy editor

Conference on Automated Deduction volume 814 of Lecture Notes in ArtificialIntelligence pages 635ndash649 Springer-Verlag 1994

92 C Prehofer Higher-order narrowing In Logic in Computer Science (LICSrsquo94pages 507ndash516 1994

93 C Prehofer Solving higher-order equations From logic to programming Doctoralthesis Technische Universitat Munchen Technical Report TUM-19508 Institutfur Informatik TUM Munchen 1995

94 C Prehofer Solving Higher-Order Equations From Logic to ProgrammingProgress in theoretical coputer science Birkhauser 1998

95 S Pulman Higher-order unification and the interpretation of focus Linguisticsand Philosophy 2073ndash115 1997

96 D Pym Proof search and computation in general logic Doctoral thesis Uni-versity of Edinburgh 1990

97 Z Qian Higher-order equational logic programming In Principle of ProgrammingLanguages pages 254ndash267 1994

98 Z Qian and K Wang Higher-order equational E-unification for arbitrary theo-ries In K Apt editor Joint International Conference and Symposium on LogicProgramming 1992

99 Z Qian and K Wang Modular AC unification of higher-order patterns In J-P Jouannaud editor International Conference on Constaints in ComputationalLogic volume 845 of Lecture Notes in Computer Science pages 105ndash120 Springer-Verlag 1994

100 JA Robinson New directions in mechanical theorem proving In AJH Morrelleditor International Federation for Information Processing Congress 1968 pages63ndash67 North Holland 1969

101 JA Robinson A note on mechanizing higher order logic Machine Intelligence5123ndash133 1970

102 H Saıdi Resolution drsquoequations dans le systeme T de Godel Memoire de DEAUniversite de Paris VII 1994

103 M Schmidt-Schauszlig Unification of stratified second-order terms Technical Re-port 12 JWGoethe-Universitat Frankfurt 1994

104 M Schmidt-Schauszlig Decidability of bounded second order unification TechnicalReport 11 JWGoethe-Universitat Frankfurt 1999

105 M Schmidt-Schauszlig and KU Schulz Solvability of context equations with twocontext variables is decidable In H Ganzinger editor Conference on Automated

12 Gerard Huet

Deduction volume 1632 in Lecture Notes in Artificial Intelligence pages 67ndash811999

106 A Schubert Linear interpolation for the higher order matching problem InM Bidoit and M Dauchet editors Theory and Practice of Software Developmentvolume 1214 of Lecture Notes in Computer science pages 441ndash452 Springer-Verlag 1997

107 A Schubert Second-order unification and type inference for Church-style poly-morphism In Principle of Programming Languages pages 279ndash288 1998

108 W Snyder Higher-order E-unification In M E Stickel editor Conference onAutomated Deduction volume 449 of Lecture Notes in Artificial Intelligence pages573ndash587 Springer-Verlag 1990

109 W Snyder and J Gallier Higher order unification revisited Complete sets oftranformations Journal of Symbolic Computation 8(1 amp 2)101ndash140 1989 Spe-cial issue on unification Part two

110 W Snyder and J Gallier Higher-order unification revisited Complete sets oftransformations Journal of Symbolic Computation 8101ndash140 1989

111 J Springintveld Algorithms for type theory Doctoral thesis Utrecht University1995

112 J Springintveld Third-order matching in presence of type constructors InM Dezani-Ciancagliani and G Plotkin editors Typed Lambda Calculi and Ap-plications volume 902 of Lecture Notes in Computer Science pages 428ndash442Springer-Verlag 1995

113 J Springintveld Third-order matching in the polymorphic lambda calculus InG Dowek J Heering K Meinke and B Moller editors Higher-order AlgebraLogic and Term Rewriting volume 1074 of Lecture Notes in Computer Sciencepages 221ndash237 Springer-Verlag 1995

114 Fernando CN Pereira Stuart M Shieber and Mary Dalrymple Interactions ofscope and ellipsis Linguistics and Philosophy 19527ndash552 1996

115 DA Wolfram The clausal theory of types Doctoral thesis University of Cam-bridge 1989

116 M Zaionc The regular expression description of unifier set in the typed λ-calculus Fundementa Informaticae X309ndash322 1987

117 M Zaionc Mechanical procedure for proof construction via closed terms in typedλ-calculus Journal of Automated Reasoning 4173ndash190 1988

Combining Higher Order Abstract Syntax with

Tactical Theorem Proving and (Co)Induction

Simon J Ambler Roy L Crole and Alberto Momigliano

Department of Mathematics and Computer ScienceUniversity of Leicester Leicester LE1 7RH UKSAmblerRCroleAMomiglianomcsleacuk

Abstract Combining Higher Order Abstract Syntax (HOAS) and in-duction is well known to be problematic We have implemented a toolcalled Hybrid within Isabelle HOL which does allow object logics tobe represented using HOAS and reasoned about using tactical theoremproving in general and principles of (co)induction in particular In thispaper we describe Hybrid and illustrate its use with case studies We alsoprovide some theoretical adequacy results which underpin our practicalwork

1 Introduction

Many people are concerned with the development of computing systems whichcan be used to reason about and prove properties of programming languagesHowever developing such systems is not easy Difficulties abound in both prac-tical implementation and underpinning theory Our paper makes both a theoret-ical and practical contribution to this research area More precisely this paperconcerns how to reason about object level logics with syntax involving variablebindingmdashnote that a programming language can be presented as an exampleof such an object logic Our contribution is the provision of a mechanized toolHybrid which has been coded within Isabelle HOL and

ndash provides a form of logical framework within which the syntax of an objectlevel logic can be adequately represented by higher order abstract syntax(HOAS)

ndash is consistent with tactical theorem proving in general and principles of in-duction and coinduction in particular and

ndash is definitional which guarantees consistency within a classical type theory

We proceed as follows In the introduction we review the idea of simple logicalframeworks and HOAS and the problems in combining HOAS and inductionIn Section 2 we introduce our tool Hybrid In Section 3 we provide some keytechnical definitions in Hybrid In Section 4 we explain how Hybrid is used torepresent and reason about object logics by giving some case studies In Section 5

This work was supported by EPSRC grant number GRM98555

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 13ndash30 2002ccopy Springer-Verlag Berlin Heidelberg 2002

14 Simon J Ambler et al

we give a mathematical description of Hybrid together with some underpinningtheory In Section 6 we review the articles related to our work In Section 7 wecomment on future plansHybrid provides a form of logical framework Here we briefly recall some

fundamental technical details of a basic logical framework by usingthe vehicle of quantified propositional logic (QPL) as an object levellogicmdashthe notation will be used in Sections 4 and 5 While this is avery small logic it comes with a single binding construct which exemplifies theproblems we are tackling We let V1 V2 be a countable set of (object level)variables The QPL formulae are given by Q = Vi | Q sup Q | forallVi Q Recall howto represent QPL in a simple logical frameworkmdashthe framework here providesa form of HOAS following [25] A framework theory is specified by a signatureof ground types which generate function types and constants The objects ofthe theory are given by e = name | vi | e e | λ vi e where name ranges overconstants and i ranges over N giving a countable set of (meta) variables vi Fromthis a standard type assignment system can be formulated leading to a notionof canonical form We refer the reader to [25] for the full definition To representQPL we take a ground type oo of formulae We also give the constants of thetheory each of which corresponds to a QPL constructor For QPL we specifyImp oo rArr oo rArr oo and All (oo rArr oo) rArr oo One can define a translationfunction minus by the clauses

Vi def= vi Q1 sup Q2 def= Imp Q1 Q2 forallVi Q def= All (λ vi Q)

One can then show that this translation gives a ldquosensiblerdquo representation of QPLin the framework meaning that the function minus provides a bijection betweenQPL and canonical objects and further minus is compositional on substitutionAlthough there are well known benefits in working with such higher order

abstract syntax there are also difficulties In general it is not immediately clearhow to obtain a principle of induction over expressions or how to define functionson them by primitive recursion although such principles do exist [27] Worse stillapparently promising approaches can lead to inconsistencies [16] The axiom ofchoice leads to loss of consistency and exotic terms may lead to loss of adequacyIn our example one would like to view the constants above as the constructorsof a datatype oo = var | Imp (oo lowast oo) | All (oo rArr oo) so that an inductionprinciple is ldquoimmediaterdquo Such datatype declarations would be perfectly legal infunctional programming languages In a theorem prover such as Isabelle HOL theconstructors of a datatype are required to be injective [13] However the functionAll (oo rArr oo)rArr oo cannot be injective for cardinality reasons (Cantorrsquos proofcan be formalized within HOL) as Isabelle HOL provides a classical set theoryMoreover the function space oo rArr oo yields Isabelle HOL definable functionswhich do not ldquocorrespondrdquo to terms of QPL Such functions give rise to termsin oo which are unwanted so-called exotic terms such as

All (λx if x = u then u else All (λ z z))

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 15

We show that it is possible to define a logical framework in which All is injectiveon a subset of oo rArr oo The subset is sufficiently large to give an adequaterepresentation of syntaxmdashsee Section 41

2 Introducing Hybrid

Within Isabelle HOL our goal is to define a datatype for λ-calculus withconstants over which we can deploy (co)induction principles whilerepresenting variable binding through Isabellersquos HOAS We do this ina tool called Hybrid which we introduce in this section Our startingpoint is the work [1] of Andrew Gordon which we briefly review It is well known(though rarely provedmdashsee Section 5) that λ-calculus expressions are in bijectionwith (a subset of) de Bruijn expressions Gordon defines a de Bruijn notationin which expressions have named free variables given by strings He can writeT = dLAMBDA v t (where v is a string) which corresponds to an abstraction inwhich v is bound in t The function dLAMBDA has a definition which convertsT to the corresponding de Bruijn term which has an outer abstraction anda subterm which is t in de Bruijn form in which (free) occurrences of v areconverted to bound de Bruijn indices For example

dLAMBDA v (dAPP (dVAR v) (dVAR u)) = dABS (dAPP (dBND 0) (dVAR u))

Gordon demonstrates the utility of this approach It provides a good mechanismthrough which one may work with named bound variables but it does not exploitthe built in HOAS which Isabelle HOL itself uses to represent syntax The noveltyof our approach is that we do exploit the HOAS at the meta (machine) levelWe introduce Hybrid by example First some basics Of central importance

is a Isabelle HOL datatype of de Bruijn expressions where bnd and var are thenatural numbers and con provides names for constants

expr = CON con | VAR var | BND bnd | expr $$ expr | ABS expr

Let TO = ΛV1 Λ V2 V1 V3 be a genuine honest to goodness (object level) syn-tax1 tree Gordon would represent this by

TG = dLAMBDA v1 (dLAMBDA v2 (dAPP (dVAR v1) (dVAR v3)))

which equalsdABS (dABS (dAPP (dBND 1) (dVAR v3)))

Hybrid provides a binding mechanism with similarities to dLAMBDA GordonrsquosT would be written as LAM v t in Hybrid This is simply a definition for ade Bruijn term A crucial difference in our approach is that bound variablesin the object logic are bound variables in Isabelle HOL Thus the v in LAM v t

1 We use a capital Λ and capital V to avoid confusion with meta variables v and metaabstraction λ

16 Simon J Ambler et al

is a metavariable (and not a string as in Gordonrsquos approach) In Hybrid wealso choose to denote object level free variables by terms of the form VAR ihowever this has essentially no impact on the technical detailsmdashthe importantthing is the countability of free variables In Hybrid the TO above is renderedas TH = LAM v1 (LAM v2 (v1 $$ VAR 3)) The LAM is an Isabelle HOL binderand this expression is by definition

lambda (λ v1 (lambda (λ v2 (v1 $$ VAR 3))))

where λvi is meta abstraction and one can see that the object level term isrendered in the usual HOAS format where lambda (expr rArr expr) rArr expr isa defined function Then Hybrid will reduce TH to the de Bruijn term

ABS (ABS (BND 1 $$ VAR 3))

as in Gordonrsquos approach The key to this is of course the definition of lambdawhich relies crucially on higher order pattern matching We return to its defini-tion in Section 3 In summary Hybrid provides a form of HOAS where objectlevel

ndash free variables correspond to Hybrid expressions of the form VAR indash bound variables correspond to (bound) meta variablesndash abstractions ΛVE correspond to expressions LAM v e = lambda (λ v e)ndash applications E1 E2 correspond to expressions e1 $$ e2

3 Definition of Hybrid in Isabelle HOL

Hybrid consists of a small number of Isabelle HOL theories One of these providesthe dataype of de Bruijn expressions given in Section 2 The theories also containdefinitions of various key functions and inductive sets In this section weoutline the definitions and give some examples where e ranges overIsabelle HOL expressions We show how Hybrid provides a form ofHOAS and how this can be married with inductionWe are going to use a pretty-printed version of Isabelle HOL concrete syntax

a ruleH1 Hn

C

will be represented as [[ H1 Hn ]] =rArr C An Isabelle HOL type declarationhas the form s [ t1 tn ] rArr t The Isabelle metauniversal quantifier is

and

while Isabelle HOL connectives are represented via the usual logical notationFree variables are implicitly universally quantified Datatypes will be introducedusing BNF grammars The sign == (Isabelle metaequality) will be used forequality by definitionNote that all of the infrastructure of Hybrid which we now give is specified

definitionally We do not postulate axioms as in some approaches reviewed inSection 6 which require validation

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 17

level [ bnd expr ]rArr bool Recall that BND i corresponds to a bound vari-able in the λ-calculus and VAR i to a free variable we refer to bound and freeindices respectively We call a bound index i dangling if i or less Abs labelsoccur between the index i and the root of the expression tree e is said to be atlevel l ge 1 if enclosing e inside l Abs nodes ensures that the resulting expressionhas no dangling indices These ideas are standard as is the implementation oflevel

proper expr rArr bool One has proper e == level 0 e A proper expression isone that has no dangling indices and corresponds to a λ-calculus expression

insts bnd rArr (expr )list rArr expr rArr expr We explain this function by ex-ample Suppose that j is a bound index occurring in e and v0 vm a list ofmetavariables of type expr Let BND j be enclosed by a ABS nodes If a le j(so that j dangles) then insts replaces BND j by vjminusa If j does not dangle theninsts leaves BND j alone For example noting 5minus 2 = 3insts 0 v0 vm ABS (ABS (BND 0 $$ BND 5)) = ABS (ABS (BND 0 $$ v3))

abst [ bnd expr rArr expr ]rArr bool This predicate is defined by induction asa subset of bnd lowast (expr rArr expr) The inductive definition is

=rArr abst i (λ v v)=rArr abst i (λ vVAR n)

j lt i =rArr abst i (λ vBND j)[[ abst i f abst i g ]] =rArr abst i (λ v f v $$ g v)

abst (Suc i) f =rArr abst i (λ vABS (f v))

This definition is best explained in terms of the next functionabstr [ expr rArr expr ]rArr bool We set abstr e == abst 0 e This function de-

termines when an expression e of type expr rArr expr is an abstraction Thisis a key idea and the notion of an abstraction is central to the formulation ofinduction principles We illustrate the notion by example Suppose that ABS eis proper for example let e = ABS (BND 0 $$ BND 1) Then e is of level 1 andin particular there may be some bound indices which now dangle for exam-ple BND 1 in ABS (BND 0 $$ BND 1) An abstraction is produced by replacingeach occurrence of a dangling index with a metavariable (which can be auto-mated with insts) and then abstracting the meta variable Our example yieldsthe abstraction λ vABS (BND 0 $$ v)

lbnd [ bnd expr rArr expr expr ]rArr bool This predicate is defined as an in-

ductive subset of S def= bnd lowast (expr rArr expr) lowast expr The inductive definitionis

=rArr lbnd i (λ v v) (BND i)=rArr lbnd i (λ vVAR n) (VAR n)=rArr lbnd i (λ vBND j) (BND j)

[[ lbnd i f s lbnd i g t ]] =rArr lbnd i (λ v f v $$ g v) (s $$ t)lbnd (Suc i) f s =rArr lbnd i (λ vABS (f v)) (ABS s)

18 Simon J Ambler et al

There is a default case (omitted above) which is called when the second argumentdoes not match any of the given patterns It is a theorem that this defines afunction The proof is by induction on the rank of the function where rank f == size (f (VAR 0))

lbind [ bnd expr rArr expr ]rArr expr Set lbind i e == ε s lbnd i e s where ε

is the description operator Consider the abstraction λ vABS (BND 0 $$ v) Thearguments to lbind consist of a bound index and an abstraction The intuitiveaction of this function is that it replaces each bound occurrence of a bindingvariable in the body of an abstraction with a bound index so that a level 1expression results This is the reverse of the procedure defined in the paragraphconcerning abstractions where dangling indices were instantiated to metavari-ables using insts In practice lbind will be called on 0 at the top level Thus onehas

lbind 0 (λ vABS (BND 0 $$ v)) = = ABS (BND 0 $$ BND 1)

lambda (expr rArr expr)rArr expr Set lambda e == ABS (lbind 0 e) Its pur-pose is to transform an abstraction into the ldquocorrespondingrdquo proper de Bruijnexpression Our running example yields

lambda (λ vABS (BND 0 $$ v)) = ABS (ABS (BND 0 $$ BND 1))

It is easy to perform induction over a datatype of de Bruijn terms Howeverwe wish to be able to perform induction over the Hybrid expressions which wehave just given In order to do this we want to view the functions CON VAR$$ and lambda as datatype constructors that is they should be injective withdisjoint images In fact we identify subsets of expr and expr rArr expr for whichthese properties hold The subset of expr consists of those expressions which areproper The subset of expr rArr expr consists of all those e for which LAM v e vis proper In fact this means e is an abstraction which is intuitive but requiresproofmdashit is a Hybrid theorem We can then prove that

[[ abstr e abstr f ]] =rArr (Lamx e x = Lam y f y) = (e = f) INJ

which says that lambda is injective on the set of abstractions This is crucial forthe proof of an induction principle for Hybrid which is omitted for reasons ofspace but will appear in a journal version of this paper

4 Hybrid as a Logical Framework

Recall that in Section 2 we showed that Hybrid supports HOAS In this sectionwe show how Hybrid can be used as a logical framework to representobject logics and further how we can perform tactical theorem prov-ingThe system provides

ndash A number of automatic tactics for example proper tac (resp abstr tac) willrecognize whether a given term is indeed proper (resp an abstraction)

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 19

ndash A suite of theorems for example the injectivity and distinctness propertiesof Hybrid constants and induction principles over expr and expr rArr expras discussed in Section 3

Note that the adequacy of our representations will be proved in a forthcomingpaper

41 Quantified Propositional Logic

We begin with an encoding of the quantified propositional logic introduced inSection 1 While the fragment presented there is functionally complete we chooseto work with the following syntax

Q = Vi | notQ | Q andQprime | Q orQprime | Q sup Qprime | forallVi Q | existVi Q

This will allow us to demonstrate the representation of object level syntax indetail and show some properties of an algorithm to produce negation normalformsSo far we have written expr for the type of Hybrid expressions This was

to simplify the exposition and does not correspond directly to our code Thereone sees that Hybrid actually provides a type con expr of de Bruijn expressionswhere con is a type of names of constants Typically such names are for objectlogic constructors Thus we can define a different type con for each object logicwe are dealing with In the case of QPL we declare

con = cNOT | cIMP | cAND | cOR | cALL | cEX

followed by a Isabelle HOL type whose elements represent the object level formu-lae namely oo == con expr Readers should pause to recall the logical framework(and HOAS) of Section 1Now we show how to represent the object level formulae as Hybrid expres-

sions of type oo The table below shows analogous constructs in LF and Hybrid

Constants Application AbstractionLF name e1 e2 λ vi e

Hybrid CON cNAME e1 $$ e2 LAM vi e

In the next table we show the representation of the object level formulae Q sup Qprime

and forallVi Q in LF and Hybrid where minus is a translation functionLF Imp Q Qprime All (λ v Q)

Hybrid CON cIMP $$ Q $$ Qprime CON cALL $$ LAM v QAbbrevs Q Imp Qprime All v Q

The bottom row introduces some Isabelle HOL binders as abbreviations for themiddle row where the Isabelle HOL definitions are

q Imp qprime == CON cIMP $$ q $$ qprime where Imp [ oo oo ]rArr oo

20 Simon J Ambler et al

and

All v q v == CON cALL $$ LAM v q v where All (oo rArr oo)rArr oo

The code for the representation of the remainder of QPL is similar

And [ oo oo ]rArr oo Or [ oo oo ]rArr ooq And qprime == CON cAND $$ q $$ qprime q Or qprime == CON cOR $$ q $$ qprime

Not oo rArr oo Ex (oo rArr oo)rArr ooNot q == CON cNOT $$ q Ex v q v == CON cEX $$ LAM v q v

The QPL formula forallV1 forallV2 V1 sup V2 is represented by All v1All v2 v1 Imp v2although the ldquorealrdquo underlying form is

CON cALL $$ (LAM v1CON cALL $$ LAM v2 (CON cIMP $$ v1 $$ v2)

These declarations almost induce a data-type in the sense the above definedconstants enjoy certain freeness properties much as they would if they weredatatype constructors We can prove that they define distinct values for ex-ample All v q v = Ex v q v This is achieved by straightforward simplificationof their definitions to the underlying representation Injectivity of higher-orderconstructors (recall the end of Section 1) holds conditionally on their bodies be-ing abstractions In particular recall from Section 3 the result INJ that theLAM binder is injective on the set of abstractions Simplification will yield[[ abstr e abstr f All v e v = All v f v ]] =rArr e = f Since the type oo of le-gal formulae is merely an abbreviation for Hybrid expressions we need to in-troduce a ldquowell-formednessrdquo predicate such that isForm Q holds iff Q is alegal object level formula2 The inductive definition of isForm in Isabelle HOLis immediate as far as the propositional part of QPL is concerned for exam-ple [[ isForm p isForm q ]] =rArr isForm ( p Imp q) For the quantified part we firstremark that in a framework such as LF one would write

[[ forally isForm y rarr isForm (p y) ]] =rArr isForm (All v p v)

This is not possible in Isabelle HOL since the above clause if taken as primitivewould induce a (set-theoretic) non-monotone operator and cannot be part of anintroduction rule in an inductive definition Therefore we instead descend intothe scope of the quantifier replacing it with a fresh free variable and add thecorresponding base case

isForm (VAR i)[[ abstr p foralli isForm (p (VAR i)) ]] =rArr isForm (All v p v)

We can now proceed to an encoding of an algorithm for negation normalform as an inductive relation where we skip some of the propositional clauses

2 Please see remarks in Section 7 concerning internalizing such predicates as types

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 21

and Φ abbreviates abstr p abstr q

nnf (VAR i) (VAR i)nnf (Not (VAR i)) (Not (VAR i))

nnf b d =rArr nnf (Not (Not b)) d[[ nnf (Not p) d nnf (Not q)e ]] =rArr nnf (Not ( p And q)) ( d Or e)

[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Not (Ex v p v)) (All v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Not (All v p v)) (Ex v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (All v p v) (All v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Ex v p v) (Ex v q v)

Note how in the binding cases we explicitly state in Φ which second-orderterms are abstractions this allows us to exploit the injectivity of abstractions toderive the appropriate elimination rulesIt is possible to show in a fully automatic way that the algorithm yields

negation normal forms (whose definition is omitted) that is nnf q qprime =rArr isNnf qprimeMoreover it is a functional relation nnf q q1 =rArr forallq2 nnf q q2 rarr q1 = q2 Thelatter proof exploits a theorem regarding extensionality of abstractions namely

[[ abstr e abstr f foralli e (VAR i) = f (VAR i) ]] =rArr e = f

Note that the above is taken as an axiom in the Theory of Contexts [17]

42 Operational Semantics in the Lazy Lambda Calculus

The object logic in this section is yet another λ-calculus Abramskyrsquos lazy one[2] We describe some properties of its operational semantics In particular wegive HOAS encodings of some notions such as divergence and simulation whichare naturally rendered coinductivelymdashthis can only be approximated in otherapproaches as we discuss in Section 6To represent the lazy λ-calculus the type con will contain the names cAPP

and cABS used to represent object level application and abstraction We thendefine the constants below from these names where lexp == con expr

[ lexp lexp ]rArr lexp Fun (lexp rArr lexp)rArr lexpp q == CON cAPP $$ p $$ q Funx f x == CON cABS $$ LAM x f x

The definition of the well-formedness predicate isExp is analogous to the one inSection 4 and is omittedThe benefits of obtaining object-level substitution via metalevel β-conversion

are exemplified in the encoding of call-by-name evaluation (on closed terms) viathe inductive definition of gtgt [ lexp lexp ]rArr bool

[[ abstr e foralli isExp (e (VAR i)) ]] =rArr Funx e x gtgt Funx e x[[ e1 gtgt Funx e x abstr e isExp e2 (e e2) gtgt v ]] =rArr (e1 e2) gtgt v

Standard properties such as uniqueness of evaluation and value soundness havedirect proofs based only on structural induction and the introduction and elim-ination rules

22 Simon J Ambler et al

Divergence can be defined co-inductively as the predicate divrg lexp rArrbool

[[ isExp e1 isExp e2 divrg e1 ]] =rArr divrg (e1 e2)[[ e1 gtgt Funx e x abstr e isExp e2 divrg (e e2) ]] =rArr divrg (e1 e2)

We can give a fully automated co-inductive proof of the divergence of combi-nators such as Ω

def= (Funx x x) (Funx x x) once we have added theabstr tac tactic to the built-in simplifier Moreover there is a direct proof thatconvergence and divergence are exclusive and exhaustiveApplicative (bi)simulation le [ lexp lexp ] rArr bool is another interesting

(co-inductive) predicate with the single introduction rule

[[ forallt r gtgt Funx t x and abstr trarr (existu s gtgt Funx u x and abstr u and(forallpisExp prarr (t p) le (u p))) ]] =rArr r le s

The HOAS style here greatly simplifies the presentation and correspondinglythe metatheory Indeed with the appropriate instantiation of the coinductiverelation the proofs that simulation is a pre-order and bisimulation an equivalencerelation are immediate Other verified properties include Kleene equivalence isa simulation and divergent terms are the least element in this order

43 The Higher-Order π-Calculus

We present an encoding of the monadic higher-order π-calculus [24] with struc-tural congruence and reaction rules see [11] for a review of other styles of en-codings for the first-order case The syntax is given by the following where a aranges over names X over agent variables

α = τ | a(X) | a〈P 〉P = X | ΣiisinIαi P | (P1 | P2) | (νa)P

The encoding introduces appropriate type abbreviations (namely pi and name)and constants we concentrate on restriction input and output

New (name rArr pi)rArr pi(New a)p a == CON cNU $$ LAM a p a

In [name (pi rArr pi) ]rArr piIn a (p) == CON cIN $$ lambda p

Out [name pi pi ]rArr piOut a〈p〉q == CON cOUT $$ a $$ p $$ q

Replication is defined from these constants and need not be primitive

p == (New a)(D|Out a〈p|D〉) where D == In a (λx (x|Out a〈x〉))We then inductively define well-formed processes isProc p whose introductionrules are omitting non-binding cases

isProc (VAR i)[[ abstr p foralla isName ararr isProc (p a) ]] =rArr isProc (New a)p a

[[ abstr p isName a foralli isProc (p (VAR i)) ]] =rArr isProc In a (p)

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 23

Restriction being represented as a function of type name rArr pi is well-formed ifits body (p a) is under the assumption isName a this differs from input whichcontains a function of type pi rArr pi

Process abstraction is defined by procAbstr p == abstr p and (forallq isProc q rarrisProc (p q)) Next structural congruence is introduced and we proceed to encodereaction rules as the inductive definition minusrarr [ pi rArr pi ]rArr bool Note that thepresence of the structural rule make this unsuitable for search Here is a sample

[[ procAbstr p isProc q isProc pprime isName a ]] =rArr In a (p)|Out a〈q〉pprime minusrarr (p q)|pprime

[[ abstr p abstr pprime (foralla isName ararr (p a) minusrarr (pprime a)) ]] =rArr (New a)p a minusrarr (New a)pprime a

A formalization of late operational semantics following [18] is possible and willbe treated within a separate paper

5 A Theory of Hybrid

The goal of this section is to describe a mathematical model of Hybridand then show that the model provides an adequate representationof the λ-calculus The work here serves to illustrate and under-pinHybrid We proceed as follows In Section 51 we set up an explicit bijectionbetween the set of alpha equivalence classes of lambda expressions and the setof proper de Bruijn terms This section also allows us to introduce notationIn Section 52 we prove adequacy for an object level λ-calculus by proving anequivalent result for (proper) object level de Bruijn expressions and appealingto the bijectionFirst some notation for the object level λ-calculus expressions are inductively

defined by E = Vi | E E | ΛVi E We write E[EprimeVi] for capture avoidingsubstitution E simα Eprime for α-equivalence and [E]α for alpha equivalence classesWe write LE for the set of expressions and LEsimα for the set of all alphaequivalence classes The set of de Bruijn expressions is denoted by DB andgenerated by D = i | i | D $ D | A(D) where i is a free index We write DB(l)for the set of expressions at level l and PDB for the set of proper expressionsNote that PDB = DB(0) sub DB(1) sub DB(l) sub DB and DB = ⋃lltω DB(l)

51 A Bijection between λ-Calculus and Proper de Bruijn

Theorem 1 There is a bijection θLEsimα PDBφ between the set LEsimα

of alpha equivalence classes of λ-calculus expressions and the set PDB of properde Bruijn expressions

In order to prove the theorem we first establish in Lemma 1 and Lemma 2the existence of a certain family of pairs of functions [[minus]]LLE DB(|L|) (|minus|)LHere list L of length |L| is one whose elements are object level variables Vi Wesay that L is ordered if it has an order reflected by the indices i and no repeatedelements The first element has the largest index We write ε for the empty list

Lemma 1 For any L there exists a function [[minus]]LLE rarr DB(|L|) given recur-sively by

24 Simon J Ambler et al

ndash [[Vi]]Ldef= if Vi isin L then i else posn Vi L where posn Vi L is the position of Vi

in L counting from the head which has position 0ndash [[E1 E2]]L

def= [[E1]]L $ [[E2]]Lndash [[ΛVi E]]L

def= A([[E]]ViL)

Lemma 2 For any ordered L there exists a function (|minus|)LDB(|L|) rarr LEgiven recursively by

ndash (|i|)L def= Vi

ndash (|j|)L def= elem j L the jth element of L

ndash (|D1 $ D2|)L def= (|D1|)L (|D2|)Lndash (|A(D)|)L def= ΛVM+1 (|D|)VM+1L where M

def= Max (DL)

Max (DL) denotes the maximum of the free indices which occur in D and theindex j where Vj is the head of L

The remainder of the proof involves establishing facts about these functionsIt takes great care to ensure all details are correct and many sub-lemmas arerequired We prove that each pair of functions ldquoalmostrdquo gives rise to an isomor-phism namely that [[(|D|)L]]L = D and that (|[[E]]L|)Lprime simα E[LprimeL] Let qLE rarrLEsimα be the quotient function We define θ([E]α)

def= [[E]]ε and φdef= q (|minus|)ε

and the theorem follows by simple calculation Although our proofs take greatcare to distinguish α-equivalence classes from expressions we now write simplyE instead of [E]α which will allow us to write [[minus]]LLEsimα DB(|L|) (|minus|)L

52 Adequacy of Hybrid for the λ-Calculus

It would not be possible to provide a ldquocompleterdquo proof of the adequacy of theHybrid machine tool for λ-calculus A compromise would be to work with amathematical description of Hybrid but even that would lead to extremely longand complex proofs Here we take a more narrow approachmdashwe work with whatamounts to a description of a fragment of Hybrid as a simply typed lambdacalculusmdashpresented as a theory in a logical framework as described in Section 1Before we can state the adequacy theorem we need a theory in the logicalframework which we regard as a ldquomodelrdquo of Hybrid The theory has ground typesexpr var and bnd The types are generated by σ = expr | var | bnd | σ rArr σWe declare constants

i var BND bnd rArr expri bnd $$ expr rArr expr rArr expr

VAR var rArr expr ABS expr rArr expr

where i ranges over the natural numbers The objects are generated as in Sec-tion 1 Shortage of space means the definitions are omittedmdashhere we aim to givea flavour of our results Our aim is to prove

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 25

Theorem 2 (Representational Adequacy)

ndash There is an injective function || minus ||εLEsimα rarr CLFexpr(empty) which isndash compositional on substitution that is

||E[EprimeVi]||ε = subst ||Eprime||ε i ||E||εwhere subst eprime i e is the function on canonical expressions in which eprime replacesoccurrences of VAR i in e The definition of meta substitution and the setCLFexpr (Γ ) of canonical objects in typing environment Γ is omitted

To show adequacy we establish the existence of the following functions

LEsimα|| minus ||L CLFexpr(β(L)) ΣL DB(|L|)

The function β is a bijection between object level variables Vi and meta variablesvi Thus β(Vi) = vi The notation β(L) means ldquomaprdquo β along L We write β(L)for a typing environment in the framework with all variables of type expressionFrom now on all lists L are ordered The function ΣL is defined by the clauses

ndash ΣL idef= VAR i

ndash ΣL idef= elem i β(L)

ndash ΣL (D1 $ D2)def= ΣL D1 $$ ΣL D2

ndash ΣLA(D)def= lambda (λ vM+1 ΣVM+1L D) = LAM vM+1 ΣVM+1L D where

Mdef= Max (DL) (see Lemma 2)

The definition of ||minus||L is ΣL [[minus]]L Note that this is a well defined function onan α-equivalence class because [[minus]]L is In view of Theorem 1 and the definitionof || minus ||ε it will be enough to show the analogous result for the function Σε The proof strategy is as follows We show that there is a function insts whichmaps de Bruijn expressions to canonical objects possesses a left inverse andis compositional with respect to substitution Then we prove that the action ofΣL is simply that of the insts function Proofs of results will appear in a journalversion of this paper

6 Related Work

Our work could not have come about without the contributions of others Herefollowing [28] we classify some of these contributions according to the mathemati-cal construct chosen to model abstraction The choice has dramatic consequenceson the associated notions of recursion and proof by induction

ndash De Bruijn syntax [4] we do not review this furtherndash Name-carrying syntax here abstractions are pairs ldquo(name expression)rdquo andthe mechanization works directly on parse trees which are quotiented by α-conversion [22299] While recursioninduction is well-supported the detail

26 Simon J Ambler et al

that needs to be taken care of on a case-by-case basis tends to be overwhelm-ing To partially alleviate this [1] defines name-carrying syntax in terms ofan underlying type of De Bruijn λ-expressions which is then used as a meta-logic where equality is α-convertibility Very recently in [1028] Gabbay andPitts have introduced a novel approach based on the remarkable observationthat a first-order theory of α-conversion and binding is better founded onthe notion of name swapping rather than renaming The theory can eitherbe presented axiomatically as formalizing a primitive notion of swappingand freshness of names from which binding can be derived or as a non-classical set-theory with an internal notion of permutation of atoms Sucha set-theory yields a natural notion of structural induction and recursionover α-equivalence classes of expressions but it is incompatible with theaxiom of choice The aim of Pitts and Gabbayrsquos approach is to give a sat-isfying foundation of the informal practice of reasoning modulo renamingmore than formulate an alternative logical framework for metareasoning (al-though this too is possible) An ML-like programming language FreshMLis under construction geared towards metaprogramming applications

ndash Abstractions as functions from names to expressions mentioned in [1] (anddeveloped in [12]) it was first proposed in [5] as a way to have bindersas functions on inductive data-types while coping with the issue of exoticexpressions stemming from an inductive characterization of the set of namesThe most mature development is Honsell et alrsquos framework [17] whichexplicitly embraces an axiomatic approach to metareasoning with HOASIt consists of a higher-order logic inconsistent with unique choice but ex-tended with a set of axioms called the Theory of Contexts parametric toa HOAS signature Those axioms include the reification of key propertiesof names akin to freshness More crucially higher-order induction and re-cursion schemata on expressions are also assumed The consistency of suchaxioms with respect to functor categories is left to a forthcoming paper Theapplication of this approach to object logics such as the π-calculus [18] suc-ceeds not only because the possibility to ldquoreflectrdquo on names is crucial forthe metatheory of operations such as mismatch but also because here hy-pothetical judgments which are only partially supported in such a style [5]are typically not needed Moreover β-conversion can implement object-levelsubstitution which is in this case simply ldquonamerdquo for bound variable in aprocess The latter may not be possible in other applications such as theambient calculus This is also the case for another case-study [23] wherethese axioms seem less successful In particular co-induction is availablebut the need to code substitution explicitly makes some of the encodingfairly awkward

ndash Abstractions as functions from expressions to expressions [2615] We candistinguish here two main themes to the integration of HOAS and induc-tion one where they coexist in the same language and the other whereinductive reasoning is conducted at an additional metalevel In the first onethe emphasis is on trying to allow (primitive) recursive definitions on func-tions of higher type while preserving adequacy of representations this has

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 27

been realized for the simply-typed case in [7] and more recently for thedependently-typed case in [6] The idea is to separate at the type-theoreticlevel via an S4 modal operator the primitive recursive space (which encom-passes functions defined via case analysis and iteration) from the parametricfunction space (whose members are those convertible to expressions builtonly via the constructors)On the other side the Twelf project [27] is built on the idea of devising an ex-plicit (meta)metalogic for reasoning (inductively) about logical frameworksin a fully automated wayM2 is a constructive first-order logic whose quan-tifiers range over possibly open LF object over a signature In the metalogicit is possible to express and inductively prove metalogical properties of anobject logic By the adequacy of the encoding the proof of the existenceof the appropriate LF object(s) guarantees the proof of the correspond-ing object-level property It must be remarked that Twelf usage model isexplicitly non-interactive (ie not programmable by tactics) Moreover co-inductive definitions have to be rewritten in an inductive fashion exploitingthe co-continuity of the said notion when possibleMiller and McDowell [20] introduce a metameta logic FOλ∆IN that is basedon intuitionistic logic augmented with definitional reflection [14] and induc-tion on natural numbers Other inductive principles are derived via the use ofappropriate measures At the metameta level they reason about object-leveljudgments formulated in second-order logic They prove the consistency ofthe method by showing that FOλ∆IN enjoys cut-elimination [19] FOλ∆IN

approach [20] is interactive a tactic-based proof editor is under developmentbut the above remark on co-induction applies

7 Conclusions and Future Work

The induction principles of Hybrid involve universal quantifications over freevariables when instantiating abstractions It remains future work to determinethe real utility of our principles and how they compare to more standard treat-ments Informal practice utilises the someany quantifier that has emerged for-mally in [10] McKinna and Pollack discuss some of these issues in [21]Several improvements are possibleWe will internalize the well-formedness predicates as abstract types in Is-

abelle HOL significantly simplifying judgments over object logics For examplethe subset of lazy λ-calculus expressions identified by predicate isExp will becomea type say tExp so that evaluation will be typed as gtgt [ tExp tExp ]rArr bool We will specialize the abstr predicate to the defined logic so that it will havetype (tExp rArr tExp)rArr bool We envisage eventually having a system similar in spirit to Isabelle HOLrsquos

datatype package where the user is only required to enter a binding signaturefor a given object logic the system will provide an abstract type characterizingthe logic plus a series of theorems expressing freeness of the constructors of sucha type and an induction principle on the shape of expressions analogous to theone mentioned in Section 3

28 Simon J Ambler et al

We are in the process of further validating our approach by applying ourmethods to the compiler optimization transformations for Benton amp KennedyrsquosMIL-lite language [3]We intend to develop further the theory of Hybrid Part of this concerns

presenting the full details of the material summarized here There are also addi-tional results which serve to show how Hybrid relates to λ-calculus For exam-ple we can prove that if abstr e then there exists [ΛVi E]α isin LEsimα such that||ΛVi E||ε = LAM vi e vi On a deeper level we are looking at obtaining cate-gorical characterisations of some of the notions described in this paper basedon the work of Fiore Plotkin and Turi in [8]A full journal version of this paper is currently in preparation which in

particular will contain a greatly expanded section on the theory of Hybrid andprovide full details of the case studies

Acknowledgments

We would like to thank Andy Gordon for useful discussions and having providedthe HOL script from [1] We thank Simon Gay for discussions and ideas con-cerning the π-calculus Finally we are very grateful for the financial support ofthe UK EPSRC

References

1 A Gordon A mechanisation of name-carrying syntax up to alpha-conversion InJJ Joyce and C-JH Seger editors International Workshop on Higher OrderLogic Theorem Proving and its Applications volume 780 of Lecture Notes in Com-puter Science pages 414ndash427 Vancouver Canada Aug 1993 University of BritishColumbia Springer-Verlag published 1994

2 S Abramsky The lazy lambda calculus In D Turner editor Research Topics inFunctional Programming pages 65ndash116 Addison-Wesley 1990

3 N Benton and A Kennedy Monads effects and transformations In Proceedingsof the 3rd International Workshop in Higher Order Operational Techniques in Se-mantics volume 26 of Electronic Notes in Theoretical Computer Science Elsevier1998

4 N de Bruijn Lambda-calculus notation with nameless dummies A tool for auto-matic formula manipulation with application to the Church-Rosser theorem IndagMath 34(5)381ndash392 1972

5 J Despeyroux A Felty and A Hirschowitz Higher-order abstract syntax in CoqIn M Dezani-Ciancaglini and G Plotkin editors Proceedings of the InternationalConference on Typed Lambda Calculi and Applications pages 124ndash138 EdinburghScotland Apr 1995 Springer-Verlag LNCS 902

6 J Despeyroux and P Leleu Metatheoretic results for a modal λ-calculus Journalof Functional and Logic Programming 2000(1) 2000

7 J Despeyroux F Pfenning and C Schurmann Primitive recursion for higher-order abstract syntax In R Hindley editor Proceedings of the Third InternationalConference on Typed Lambda Calculus and Applications (TLCArsquo97) pages 147ndash163 Nancy France Apr 1997 Springer-Verlag LNCS

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 29

8 M Fiore GD Plotkin and D Turi Abstract Syntax and Variable Binding InG Longo editor Proceedings of the 14th Annual Symposium on Logic in ComputerScience (LICSrsquo99) pages 193ndash202 Trento Italy 1999 IEEE Computer SocietyPress

9 J Ford and IA Mason Operational Techniques in PVS ndash A Preliminary Evalua-tion In Proceedings of the Australasian Theory Symposium CATS rsquo01 2001

10 M Gabbay and A Pitts A new approach to abstract syntax involving binders InG Longo editor Proceedings of the 14th Annual Symposium on Logic in ComputerScience (LICSrsquo99) pages 214ndash224 Trento Italy 1999 IEEE Computer SocietyPress

11 S Gay A framework for the formalisation of pi-calculus type systems in Is-abelleHOL In Proceedings of the 14th International Conference on TheoremProving in Higher Order Logics (TPHOLs 2001 LNCS Springer-Verlag 2001

12 AD Gordon and T Melham Five axioms of alpha-conversion In J von WrightJ Grundy and J Harrison editors Proceedings of the 9th International Conferenceon Theorem Proving in Higher Order Logics (TPHOLsrsquo96) volume 1125 of LectureNotes in Computer Science pages 173ndash190 Turku Finland August 1996 Springer-Verlag

13 EL Gunter Why we canrsquot have SML style datatype declarations in HOL InLJM Claese and MJC Gordon editors Higher Order Logic Theorem Provingand Its Applications volume Andash20 of IFIP Transactions pages 561ndash568 North-Holland Press Sept 1992

14 L Hallnas Partial inductive definitions Theoretical Computer Science 87(1)115ndash147 July 1991

15 R Harper F Honsell and G Plotkin A framework for defining logics Journalof the Association for Computing Machinery 40(1)143ndash184 Jan 1993

16 M Hofmann Semantical analysis for higher-order abstract syntax In G Longoeditor Proceedings of the 14th Annual Symposium on Logic in Computer Science(LICSrsquo99) pages 204ndash213 Trento Italy July 1999 IEEE Computer Society Press

17 F Honsell M Miculan and I Scagnetto An axiomatic approach to metareasoningon systems in higher-order abstract syntax In Proc ICALP 2001 volume 2076 inLNCS pages 963ndash978 Springer-Verlag 2001

18 F Honsell M Miculan and I Scagnetto π-calculus in (co)inductive type theoriesTheoretical Computer Science 2(253)239ndash285 2001

19 R McDowell Reasoning in a Logic with Definitions and Induction PhD thesisUniversity of Pennsylvania 1997

20 R McDowell and D Miller Reasoning with higher-order abstract syntax in alogical framework ACM Transaction in Computational Logic 2001 To appear

21 J McKinna and R Pollack Some Type Theory and Lambda Calculus FormalisedTo appear in Journal of Automated Reasoning Special Issue on Formalised Math-ematical Theories (F Pfenning Ed)

22 TF Melham A mechanized theory of the π-calculus in HOL Nordic Journal ofComputing 1(1)50ndash76 Spring 1994

23 M Miculan Developing (meta)theory of lambda-calculus in the theory of contextsIn S Ambler R Crole and A Momigliano editors MERLIN 2001 Proceedingsof the Workshop on MEchanized Reasoning about Languages with variable bINd-ing volume 58 of Electronic Notes in Theoretical Computer Scienc pages 1ndash22November 2001

24 J Parrow An introduction to the pi-calculus In J Bergstra A Ponse andS Smolka editors Handbook of Process Algebra pages 479ndash543 Elsevier Science2001

30 Simon J Ambler et al

25 F Pfenning Computation and deduction Lecture notes 277 pp Revised 19941996 to be published by Cambridge University Press 1992

26 F Pfenning and C Elliott Higher-order abstract syntax In Proceedings of theACM SIGPLANrsquo88 Symposium on Language Design and Implementation pages199ndash208 Atlanta Georgia June 1988

27 F Pfenning and C Schurmann System description Twelf mdash A metalogical frame-work for deductive systems In H Ganzinger editor Proceedings of the 16th Inter-national Conference on Automated Deduction (CADE-16) pages 202ndash206 TrentoItaly July 1999 Springer-Verlag LNAI 1632

28 A M Pitts Nominal logic A first order theory of names and binding InN Kobayashi and B C Pierce editors Theoretical Aspects of Computer Software4th International Symposium TACS 2001 Sendai Japan October 29-31 2001Proceedings volume 2215 of Lecture Notes in Computer Science pages 219ndash242Springer-Verlag Berlin 2001

29 R Vestergaard and J Brotherson A formalized first-order conflence proof for theλ-calculus using one sorted variable names In A Middelrop editor Proceedingsof RTA 2001 volume 2051 of LNCS pages 306ndash321 Springer-Verlag 2001

Ecient Reasoning about Executable

Specications in Coq

Gilles Barthe and Pierre Courtieu

INRIA Sophia-Antipolis FranceGillesBarthePierreCourtieusophiainriafr

Abstract We describe a package to reason eciently about executablespecications in Coq The package provides a command for synthesizinga customized induction principle for a recursively dened function anda tactic that combines the application of the customized induction prin-ciple with automatic rewriting We further illustrate how the packageleads to a drastic reduction (by a factor of 10 approximately) of the sizeof the proofs in a large-scale case study on reasoning about JavaCard

1 Introduction

Proof assistants based on type theory such as Coq [9] and Lego [15] combinean expressive specication language (featuring inductive and record types) anda higher-order predicate logic (through the Curry-Howard Isomorphism) to rea-son about specications Over the last few years these systems have been usedextensively in particular for the formalization of programming languages Twostyles of formalizations are to be distinguished

the functional style in which specications are written in a functional pro-gramming style using pattern-matching and recursion

the relational style in which specications are written in a logic programmingstyle using inductively dened relations

In our opinion the functional style has some distinctive advantages over its rela-tional counterpart especially for formalizing complex programming languagesIn particular the functional style oers support for testing the specication andcomparing it with a reference implementation and the possibility to generateprograms traces upon which to reason using eg temporal logic Yet it is strik-ing to observe that many machine-checked accounts of programming languagesemantics use inductive relations In the case of proof assistants based on typetheory two factors contribute to this situation

rstly type theory requires functions to be total and terminating (in factthey should even be provably so using a criterion that essentially capturesfunctions dened by structural recursion) therefore specications written ina functional style may be more cumbersome than their relational counter-part

VA Carrentildeo C Muntildeoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 3146 2002ccopy Springer-Verlag Berlin Heidelberg 2002

32 Gilles Barthe and Pierre Courtieu

secondly a proof assistant like Coq oers through a set of inversion [1011]and elimination tactics eective support to reason about relational speci-cations In contrast there is no similar level of support for reasoning aboutexecutable functions

Here we address this second issue by giving a package that provides eective sup-port for reasoning about complex recursive denitions see Section 2 Furtherwe illustrate the benets of the package in reasoning about executable specica-tions of the JavaCard platform [34] and show how its use yields compact proofsscripts up to 10 times shorter than proofs constructed by hand see Section 3Related work is discussed in Section 3 We conclude in Section 5

2 Elimination Principles for Functions

21 Elimination on Inductive Types and Properties

One of the powerful tools provided by proof assistants like Coq for reasoning oninductive types is the elimination principle which is usually generated automat-ically from the denition of the type We see here the denition in Coq of thetype nat and the type of its associated principle

Inductive nat Set = O nat | S natrarrnatnat_ind(P natrarrProp) (P O) rarr((nnat)(P n)rarr(P (S n))) rarr(nnat)(P n)

The logical meaning of an elimination principle attached to an inductive typeT is that closed normal terms of type T have a limited set of possible formsdetermined by the constructors of T It also captures the recursive structure ofthe type It is important to notice that elimination principles are nothing elsethan recursive functions for example the denition of nat_ind is the following

[P natrarrProp f(P O) f0((nnat)(P n)rarr(P (S n)))]Fixpoint F [nnat] (P n) =lt[xnat](P x)gt Cases n of O rArrf

| (S n0) rArr(f0 n0 (F n0))end

The expression lt[xnat](P x)gt is a specic type scheme for dependentlytyped case expressions (dependent types are necessary to represent predicateslike P) It is used to build case branches having dierent types provided thateach one corresponds to the scheme applied to the corresponding pattern Forexample the rst branch is correct because ([xnat](P x) O)=(P O) Sim-ilarly the second case is accepted because (f0 n0 (F n0)) has type (P (Sn0)) which is equal to ([xnat](P x) (S n0))

The type of the whole case expression is obtained by applying the scheme tothe term on which the case analysis is done here n ie (P n)

Reasoning by elimination on an inductive property P can be understoodintuitively as reasoning by induction on the proof of P We see here the principleassociated to the relation le

Ecient Reasoning about Executable Specications in Coq 33

Inductive le [n nat] natrarrProp =le_n (le n n)

| le_S (mnat)(le n m)rarr(le n (S m))

le_ind (nnat P(natrarrProp))(P n) rarr ((mnat)(le n m)rarr(P m)rarr(P (S m)))rarr (mnat)(le n m)rarr(P m)

Suppose we are trying to prove (P m) for all m such that H(le n m) wecan apply the theorem le_ind which leads to two subgoals corresponding tothe possible constructors of le This way of reasoning which has proved to bevery useful in practice makes relational specications a popular solution

22 Elimination Following the Shape of a Function

Basic Idea When we choose a functional style of specication recursive func-tions are used instead of inductive relations and elimination principles are usu-ally not automatically available However once a function is dened (ie provedterminating which is automatic in Coq for structural recursion) it is relativelynatural to build an induction principle which follows its shape It allows reason-ing by induction on the possible branches of the denition of the function Sincethe new term follows the same recursive calls as the function we know that thisnew term denes a correct induction scheme and that it will be accepted by CoqFor example the following function

Fixpoint isfourtime [nnat] bool =Cases n of | O rArr true

| (S S S S m) rArr (isfourtime m)| _ rArr false

end

yields an induction principle with a nested case analysis of depth 5 Redoing allthe corresponding steps each time we want to consider the dierent paths of thefunction would be long and uninteresting (see Section 3 for more examples)

We have designed a Coq package allowing automation of the inductivecaseanalysis process According to the Coq paradigm our package builds proof terms

in the Curry-Howard philosophy Surprisingly the presence of proof terms is help-ful since functions and proofs are all represented by λ-terms we can build proofterms by transforming the term of the function we consider Since moreover wefocus on functions dened by structural recursion (see Section 42 for extension tomore general recursion schemes) termination of the function (and consequentlythe correctness of the elimination principles we generate) is ensured by the typechecking of Coq

The proof of a property forallxP using isfourtime as a model will be a termQ obtained by transforming isfourtime (notice how implicit cases have beenexpanded)

Fixpoint Q [nnat] P =lt[xnat](P x)gt Cases n of

34 Gilles Barthe and Pierre Courtieu

| O rArr( (P O))| (S O) rArr( (P (S O)))| (S S O) rArr( (P (S S O)))| (S S S O) rArr( (P (S S S O)))| (S S S S m) rArr(((xnat)(P x)rarr(P (S S S S x))) m (Q m))end

where the ve (H) stand for properties H yet to be proved (subgoals) InSubsection 25 we concentrate on the structure of this incomplete term and itsautomatic generation from the denition of the function

Once built this incomplete term can be applied to a particular goal withthe Refine tactic or completed into a general reusable induction principleTo achieve the latter we replace the s by abstracted variables (Hypx in theexample below) We also abstract the predicate (P) and nally obtain a generalprinciple On our example this leads to

[P(natrarrProp) Hyp0(P O) Hyp1(P (S O))Hyp2(P (S (S O))) Hyp3(P (S (S (S O))))Hyp4(xnat) (P x) rarr(P (S (S (S (S x)))))]Fixpoint Q [nnat] P =lt[xnat](P x)gt Cases n of| O rArrHyp0| (S O) rArrHyp1| (S S O) rArrHyp2| (S S S O) rArrHyp3| (S S S S m) rArrHyp4 m (Q m)end

(P(natrarrProp)) (P O) rarr(P (S O)) rarr(P (S (S O)))rarr(P (S (S (S O)))) rarr((xnat) (P x) rarr(P (S (S (S (S x))))))rarr(nnat)(P n)

This term is well-typed and thus denes a correct induction principle

Capturing the Environment of Each Branch In the examples above sub-goals contain nothing more than induction hypotheses but generally this willnot be enough Indeed we need to capture for each subgoal the environment

induced by the branches of Cases expressions which have been chosen We illus-trate this situation with the following function (which computes for every n thelargest m le n such that m = 4k for some k)

Fixpoint findfourtime [nnat] nat =Cases n of| O rArrO| (S m) rArrCases (isfourtime n) of| true rArrn| false rArr(findfourtime m)end

end

Ecient Reasoning about Executable Specications in Coq 35

In this case it is necessary to remember that in the rst branch n=O inthe second branch n=O and (isfourtime n)=true and in the third branch(isfourtime n)=false Otherwise it will be impossible to prove for examplethe following property

P equiv forallnnat(isfourtime (findfourtime n)) = true

Finally the proof of the elimination principle generated from findfourtime

has the form

Fixpoint Q2 [nnat] (P n) =(lt[xbool](isfourtime n)=x rarr(P n)gtCases n of| O rArr((P O))| (S m) rArrlt[bbool](isfourtime (S m))=brarr(P (S m))gtCases (isfourtime (S m)) of| true rArr((isfourtime (S m))=truerarr(P (S m)))| false rArr((P m)rarr(isfourtime (S m))=falserarr(P (S m))) (Q2 m)end (refl_equal bool (isfourtime (S m))))

end

where (reflequal bool (isfourtime (S m))) is the proof of the dier-ent equalities induced by the case analysis Recall that reflequal is the con-structor of the inductive type eq representing the equality so(reflequal A x) is of type (eq A x x))

These proofs are gathered outside the case expression so as to obtain a well-typed term This point is subtle equality proofs have the form (reflequalbool (isfourtime (S m))) which is of type (isfourtime (S m))=(isfourtime (S m)) We see therefore that to be accepted by the case typingrule explained above we must apply this term to a term of type (isfourtime(S m))=(isfourtime (S m))rarr (P (S m)) This is the type of the wholecase expression but not of each branch taken separately So moving thereflequal expression inside the Cases would result in an ill-typed term

23 Contents of the Package

The main components of the package are

A Coq command Functional Scheme which builds a general induction prin-ciple from the denition of a function f It is a theorem of the form

(P (forallxi TiP rop))(H1 PO1)(Hn POn)rarr forallxi Ti(P xi)

where the POis are the proof obligations generated by the algorithm de-scribed above and xis correspond to the arguments of f To make an elim-ination the user just applies the theorem The advantage of this method isthat the structure of the function (and its type checking) is not duplicatedeach time we make an elimination

A tactic Analyze which applies the above algorithm to a particular goalThis tactic allows for more automation see for that section 26

36 Gilles Barthe and Pierre Courtieu

24 Using the Package on an Example

We now prove the following property

P equiv forallnnat(findfourtime n) le n

Using the Tactic Analyze In order to benet from the rewriting steps of thetactic we rst unfold the denition of the function and then apply the tactic

Lemma P(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeAnalyze findfourtime params n

At this point we have the following three subgoals corresponding to the threebranches of the denition of findfourtime notice the induction hypothesison the last one

1 (le O O)

2 [(isfourtime (S m))=true] (le (S m) (S m))

3 [(le (findfourtime m) m) (isfourtime (S m))=false]

(le (findfourtime m) (S m))

Each of these subgoals is then proved by the Auto tactic

Using the General Principle We set

Functional Scheme findfourtime_ind= Induction for findfourtime

Then the proof follows the same pattern as above

Lemma Qrsquo(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeElim n using findfourtime_ind

Again we have three subgoals1 (le O O)

2 [eq(isfourtime (S m))=true]

(le (if (isfourtime (S m))

then (S m) else (findfourtime m)) (S m))

3[(le (findfourtime m) m) eq(isfourtime (S m))=false]

(le (if (isfourtime (S m))

then (S m) else (findfourtime m)) (S m))

We see that some rewriting steps must be done by hand to obtain the sameresult than with the tactic Finally the whole script is the following

Lemma Qrsquo(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeElim n using findfourtime_indIntrosAutoRewrite eqAutoSave

In more complex cases like in section 32 the rewriting operations done by theAnalyze tactic make the script signicantly smaller than when using the generalprinciple

Ecient Reasoning about Executable Specications in Coq 37

25 Inference System

In this subsection we give an inference system to build an elimination princi-ple for a particular property G from a function t The main goal of this sys-tem is to reproduce the structure of the term t including Case Fix let andλ-abstractions until it meets an application a constant or a variable The re-maining terms are replaced by proof obligations whose type is determined by theCase Fix let and λ-abstractions from above The result of this algorithm isan incomplete term like Q2 above from which we can either apply the Refinetactic or build a general principle

Grammar Coqs internal representation of the expressions of the Calculus ofInductive Constructions (CIC) is given in Figure 1 Although our package dealswith mutually recursive functions we omit them from the presentation for clarityreasons The construction Ind(x T )T where T stands for a vector of terms(types actually) is an inductive type whose n-th constructor is denoted by CnT

(in the sequel we often omit T ) In the Fix expression X is bound in f andcorresponds to the function being dened t is its type and f is the body of thefunction In the Case expression tis are functions taking as many arguments asthe corresponding constructors take see [1617]

Variables V = x y Sorts S = Set | Prop | TypeTerms T = V | S | λV TT | forallV TT | (T T )

| Fix(V T T ) | Case T of T end | let T = T in T| Ind(x T )T | CnT

Fig 1 Syntax of terms of CCI

Judgment Judgments are of the form t X G Γ1 Γ2 P where t is the func-tion to use as a model X is the variable corresponding to the recursive function(bound by Fix in t used to nd recursive calls) G is the property to be proved(the goal) Γ1 is the list of bound variables (initially empty) Γ2 is the list ofequalities corresponding to the case analysis and P is the proof term of theprinciple When proving a property G we build a term P containing proof obli-gations represented by ( T ) where T is the awaited property (ie type) thatmust be proved

Rules are given in Figure 2 In the last rule (X ti) represents all recursivecalls found in t In the present implementation no nested recursion is allowedIn the rule (Case) we note (Ci xi) the fully applied constructor Ci

38 Gilles Barthe and Pierre Courtieu

t X G x T cup Γ1 Γ2 P

λx Tt X G Γ1 Γ2 λx TP(Lambda)

foralliti X G xi Ti cup Γ1 E = (Ci xi) cup Γ2 PiCase E of ti end X G Γ1 Γ2

(Case E of Pi end (reflequal TE E))

(Case)

t X G xi Ti isin u cup Γ1 u = v cup Γ2 P

let u = v in t X G Γ1 Γ2 let u = v in P(Let)

f X G Γ1 Γ2 P

Fix(X T f) _ G Γ1 Γ2 Fix(X G P )(Fix)

(X ti) isin t

t X G Γ1 Γ2 (( forallΓ1X ti rarr Γ2 rarr G) Γ1)(Rec)

if t = Fix Caselet or λx Tt

Fig 2 Elimination algorithm

26 More Automation

We can use the equalities generated by the tactic to perform rewriting stepsautomatically thereby reducing the user interactions to achieve the proof

First we can rewrite in the generated hypothesis of each branch We givea modied version of the (Case) rule in gure 3 where Γ2[E larr Ci(xi)] isthe set of equalities Γ2 where E has been replaced by Ci(xi) in the rightmembers

foralliti[E larr Ci(xi)] X G xi Ti cup Γ1 E = (Ci xi) cup Γ2[E larr Ci(xi)] PiCase E of ti end X G Γ1 Γ2

(Case E of Pi end (reflequal TE E))

(Case)

Fig 3 (Case) rule with rewriting

Second we can propagate these rewriting steps in the goal itself This ispossible in the tactic Analyze where we call the Rewrite tactic of Coqwhich performs substitutions in the goal with the set of equalities Γ2As Coq provides a mechanism for foldingunfolding constants it is possiblethat rewriting steps become possible later during the proofs of the generatedsubgoals This is specially true when dealing with complex specications

Ecient Reasoning about Executable Specications in Coq 39

where unfolding all denitions is not comfortable Therefore we also providea rewriting database that contains all the equalities of Γ2 for each branchThe database can be used later with the AutoRewrite tactic

Third we can optimize the Analyze tactic in the particular case of a nonrecursive function applied to constructor terms ie terms of which headsymbol is a constructor of an inductive type For example suppose we havea goal of the form

(nnat)(P (f O (S (S (S n)))))

Where f is a non recursive function It is clear that we do not want toconsider all possible constructors for the arguments of f For example thecase (f (S ) ) is not interesting for us The idea is to focus onthe case branch corresponding to the constructors We use a simple trickto achieve this we apply the function to its arguments and reduce Theresulting term is a new function containing only the relevant case analysisWe apply the tactic to this term instead of the initial functionNote that this optimization is hardly useful for recursive functions becausesome recursive hypothesis can be lost when focusing on a particular branch

3 Applications to JavaCard

In this section we illustrate the benets of our package in establishing correctnessresults for the JavaCard platform Note that for the clarity of presentation theCoq code presented below is a simplied account of [34]

31 Background

JavaCard is a dialect of Java tailored towards programming multi-applicationsmartcards Once compiled JavaCard applets typically electronic purses andloyalty applets are veried by a bytecode verier (BCV) and loaded on thecard where they can be executed by a JavaCard Virtual Machine (JCVM)

Correctness of the JavaCard Platform The JCVM comes in two avours adefensive JCVM which manipulates typed values and performs type-checkingat run-time and an oensive JCVM which manipulates untyped values andrelies on successful bytecode verication to eliminate type verication at run-time Following a strategy streamlined in [14] we want to prove that the oensiveand defensive VMs coincide on those programs that pass bytecode vericationThis involves

formalizing both VMs and show that both machines coincide on those pro-grams whose execution on the defensive VM does not raise a type error

formalizing a BCV as a dataow analysis of an abstract VM that only ma-nipulates types and show that the defensive VM does not raise a type errorfor those programs that pass bytecode verication

40 Gilles Barthe and Pierre Courtieu

In both cases we need to establish a correspondence between two VMs Moreprecisely we need to show that the oensive and abstract VMs are sound (non-standard) abstract interpretations of the defensive VMs in the sense that undersuitable constraints abstraction commutes with execution

CertiCartes [34] is an in-depth feasibility study in the formal verication of theJavaCard platform CertiCartes contains formal executable specications of thethree VMs (defensive abstract and oensive) and of the BCV and a proof thatthe defensive and oensive VM coincide on those programs that pass bytecodeverication The bulk of the proof eort is concerned with the soundness of theoensive and abstract VMs wrt the defensive VM In our initial work suchproofs were performed by successive unfoldings of the case analyses arising inthe denition of the semantics of each bytecode leading to cumbersome proofswhich were hard to produce understand and modify In contrast the Analyzetactic leads to (up to 10 times) smaller proofs that are easier to perform andunderstand as illustrated in the next subsections

32 Applications to Proving the Correspondence between Virtual

Machines

In order to establish that the oensive VM is a sound abstraction of the de-fensive VM one needs to prove that abstraction commutes with execution forevery bytecode of the JavaCard instruction set In the particular case of methodinvocation one has to show

nargsnatnm class_method_idxstate dstatecapjcprogram=========================================let res=(dinvokevirtual nargs nm state cap) inlet ostate=(alpha_off state) inlet ores=(oinvokevirtual nargs nm ostate cap)in (INVOKEVIRTUAL_conds res) rarr(alpha_off res) = ores

where

the abstraction function alpha_offmaps a defensive state into an oensiveone

the predicate INVOKEVIRTUAL_conds ensures that the result state res isnot a type error

the functions dinvokevirtual and oinvokevirtual respectively de-note the defensive and oensive semantics of virtual method invokation

The denition of dinvokevirtual is

Definition dinvokevirtual =[nargsnat][nmclass_method_idx][statedstate][capjcprogram]

Ecient Reasoning about Executable Specications in Coq 41

(lowast The initial state is decomposed lowast)Cases state of(sh (hp nil)) rArr(AbortCode state_error state) |(sh (hp (cons h lf))) rArr

(lowast nargs must be greater than zero lowast)Cases nargs ofO rArr(AbortCode args_error state) |(S _) rArr

(lowast Extraction of the object reference (the nargsth element) lowast)Cases (Nth_func (opstack h) nargs) oferror rArr(AbortCode opstack_error state) |(value x) rArr

(lowast Tests if this element is a reference lowast)Cases x of((Prim _) vx) rArr(AbortCode type_error state) |((Ref _) vx) rArr

(lowast tests if the reference is null lowast)(if (test_NullPointer vx)then (ThrowException NullPointer state cap)else

(lowast Extraction of the referenced object lowast)Cases (Nth_func hp (absolu vx)) oferror rArr(AbortMemory heap_error state) |(value nhp) rArr

(lowast Get the corresponding class lowast)Cases (Nth_elt (classes cap) (get_obj_class_idx nhp)) of(value c) rArr

(lowast Get the corresponding method lowast)Cases (get_method c nm) of(lowast Successful method call lowast)(value m) rArr(new_frame_invokevirtual nargs m nhp state cap) |error rArr(AbortCap methods_membership_error state)end |_ rArr(AbortCap class_membership_error state)end end) end end end end

In our initial work on CertiCartes such statements were proved by handby following the successive case analyses arising in the denition of the semanticsof each bytecode The proofs were hard to produce understand and modify Incontrast the Analyze tactic leads to smaller proofs that are easier to performand understand For example the following script provides the rst steps of theproof

42 Gilles Barthe and Pierre Courtieu

SimplUnfold dinvokevirtualAnalyze dinvokevirtual params nargs nm state cap

At this point nine dierent subgoals are generated each of them correspondingto a full case analysis of the function In the case of a successful method callthe corresponding subgoal is

_eg_8 (get_method c nm)=(value m)_eg_7 (Nth_elt (classes cap) (get_obj_class_idx nhp))

=(value c)_eg_7 (Nth_func hp (absolu vx))=(value nhp)_eg_6 (test_NullPointer vx)=false_eg_5 t=(Ref t0)_eg_4 x=((Ref t0)vx)_eg_3 (Nth_func (opstack h) (S n))=(value ((Ref t0)vx))_eg_2 nargs=(S n)_eg_1 state=(sh(hp(cons h lf)))H (INVOKEVIRTUAL_conds(new_frame_invokevirtual (S n) m nhp (sh(hp(cons h lf))) cap))=========================================(alpha_off(new_frame_invokevirtual (S n) m nhp (sh(hp(cons h lf))) cap))=(oinvokevirtual (S n) nm (alpha_off (sh(hp(cons h lf)))) cap)

This goal as all other goals generated by the tactic can in turn be dischargedusing rewriting and some basic assumptions on the representation of JavaCardprograms

33 Applications to Proving Memory Invariants

In order to establish that the abstract VM is a sound abstraction of the defensiveVM one needs to establish a number of invariants on the memory of the virtualmachine for example that executing the abstract virtual machine does not createillegal JavaCard types such as arrays of arrays Proving such a property is tediousand involves several hundreds of case analyses including a topmost case analysison the instruction set In the case of the load bytecode one is left with the goal

s astatet typel locvars_idx==================================================(legal_types s) rarr(legal_types (tload t l s))

Whereas a proof by hand leaves the user with 29 subgoals to discharge anapplication of the Analyze tactic leaves the user with 3 subgoals to dischargenamely the three interesting cases corresponding to the successful execution ofthe tload bytecode In such examples the use of our tactic reduces the size ofproof scripts by a factor of 10

Ecient Reasoning about Executable Specications in Coq 43

4 Extensions and Related Work

41 Related Work

Our work is most closely related to Slinds work on reasoning about terminatingfunctional programs see eg [20] where Slind presents a complete methodologyto dene a function from a list of equations and a termination relation Thisrelation is used to generate termination conditions which need to be dischargedto prove that the rewrite system dened by the equations terminates From theproofs of the termination conditions Slind automatically synthesizes an induc-tion principle for the function Slinds induction principle is closely related toours but there are some dierences

Slinds work focuses on proof-assistants based on higher-order logic in par-ticular on Isabelle [18] and HOL [13] that do not feature proof terms Inour framework objects properties and proofs are all terms of the Calculusof Inductive Constructions and hence we need to provide a proof term forthe customized principle attached to the function As pointed out in Section2 the construction of the proof term can be done directly by transformingthe term corresponding to the function

Slinds work provides for each total and terminating function f a genericinduction principle that can be used to prove properties about f In contrastthe tactic Analyze starts from the property to be proven say φ and proceedsto build directly a proof of φ by following the shape of the denition off Eventually the tactic returns some proof obligations that are requiredto complete the proof of φ This allows our package to perform rewritingand other operations during the building of the proof leading to a drasticincrease in automation Since similar proof terms are constructed every timeone applies the tactic on the function f it could be argued that such afeature is costly in terms of memory However we have not experienced anyeciency problem although our JavaCard development is fairly large

Slinds work provides support for well-founded and nested recursion whichour package does not handle currently

Our work is also closely related to the induction process dened by Boyerand Moore In Nqthm [8] the directive INDUCT (f v1vn) can be usedduring a proof to perform the same case analysis and recursion steps as in thedenition of f An interesting feature that we do not handle in this paper is theability of merging dierent functions into one single induction principle

These works as well as ours aims at providing ecient support for reasoningabout executable specications An alternative strategy consists in developingtools for executing specications that may be relational at least in part For ex-ample Elf [19] combines type theory and logic programming and hence providessupport for executing relational specications Further there have been someeorts to develop tools for executing specications written in Coq Isabelle orrelated systems In particular some authors have provided support for executingrelational specications for example Berghofer and Nipkow [5] have developed

44 Gilles Barthe and Pierre Courtieu

a tool to execute Isabelle theories in a functional language and used it in thecontext of their work on Java and JavaCard Conversely some authors haveprovided support to translate executable specications into input for proof as-sistants for example Terrasse [2122] has developed a tool to translate Typolspecications into Coq However we believe that executable specications arebetter suited for automating proofs especially because they lend themselves wellto automated theorem-proving and rewriting techniques

A third possible strategy would consist of relating relational and functionalspecications For example one could envision a tool that would derive automat-ically from a functional specication (1) its corresponding relational specication(2) a formal proof that the two specications coincide Such a tool would allowthe combination of the best of both worlds (one could be using eliminationin-version principles to reason about relational specications and then transfer theresults to functional ones) yet we are not aware of any conclusive experience inthis direction

42 Extensions

As emphasized in the introduction the main motivation behind the package isto develop eective tool support to reason about the JavaCard platform Thefollowing two extensions are the obvious next steps towards this objective

support for conditional rewriting rules We would like to introduce functionsusing the format of conditional rewriting rules of [2] Indeed this formatwhich can be automatically translated into Coq (provided the guard condi-tions are satised) lead to more readable specications especially for partialfunctions

support for inversion principles We also would like to provide inversionprinciples like those that exist for inductive types [10] Such principles donot use induction instead they proceed by case analysis and use the factthat constructors of inductive types are injective For example inversionprinciples for functions should allow us to deduce

x=O or x=(S S S S y)and((isfourtime y)=true)

from (isfourtime x)=true support for merging Merging [8] allows to generate a single induction prin-ciple for several functions This technique allows to dene very accurateinduction principles that are very useful in fully automated tactics

From a more general perspective it would be interesting to provide support fornested and well-founded recursion Furthermore a higher automation of equa-tional reasoning is required in the proofs of commuting diagrams One possibilityis to rely on an external tool to generate rewriting traces that are then translatedin Coq There are several candidates for such tools including Elan [6] and Spike[7] and ongoing work to interface them with proof assistants such as Coq seeeg [1]

Ecient Reasoning about Executable Specications in Coq 45

5 Conclusion

We have described a toolset for reasoning about complex recursive functions inCoq A fuller account of the package including a tutorial can be found in [12]

In addition we have illustrated the usefulness of our package in reasoningabout the JavaCard platform This positive experience supports the claim laidin [2] that proofs of correctness of the JavaCard platform can be automated to alarge extent and indicates that proof assistants could provide a viable approachto validate novel type systems for future versions of Javacard

Thanks

We would like to thank the anonymous referees for there constructive remarksYves Bertot for its precious advice ideas and examples Guillaume Dufay for thefeedback on using the tactic intensively and Konrad Slind for the precisions onTFLIsabelle

References

1 C Alvarado and Q-H Nguyen elan for equational reasoning in coq In J De-speyroux editor Proceedings of LFM00 2000 Rapport Technique INRIA

2 G Barthe G Dufay M Huisman and S Melo de Sousa Jakarta a toolset toreason about the JavaCard platform In I Attali and T Jensen editors Proceedingsof e-SMART 2001 volume 2140 of Lecture Notes in Computer Science pages 218Springer-Verlag 2001

3 G Barthe G Dufay L Jakubiec and S Melo de Sousa A formal correspondencebetween oensive and defensive JavaCard virtual machines In A Cortesi editorProceedings of VMCAI 2002 volume 2294 of Lecture Notes in Computer Sciencepages 3245 Springer-Verlag 2002

4 G Barthe G Dufay L Jakubiec B Serpette and S Melo de Sousa A FormalExecutable Semantics of the JavaCard Platform In D Sands editor Proceedingsof ESOP 2001 volume 2028 of Lecture Notes in Computer Science pages 302319Springer-Verlag 2001

5 S Berghofer and T Nipkow Executing higher order logic In P Callaghan Z LuoJ McKinna and R Pollack editors Proceedings of TYPES 2000 volume LNCS2277 of Lecture Notes in Computer Science Springer-Verlag 2002

6 P Borovanskyacute H Cirstea H Dubois C Kirchner H Kirchner P-E MoreauC Ringeissen and M Vittek The Elan V34 Manual 2000

7 A Bouhoula Automated theorem proving by test set induction Journal of Sym-bolic Computation 234777 1997

8 RS Boyer and JS Moore A Computational Logic Handbook Academic Press1988

9 Coq Development Team The Coq Proof Assistant Users Guide Version 72January 2002

10 C Cornes Conception dun langage de haut niveau de representation de preuvesReacutecurrence par ltrage de motifs Unication en preacutesence de types inductifs prim-itifs Synthegravese de lemmes dinversion PhD thesis Universiteacute de Paris 7 1997

46 Gilles Barthe and Pierre Courtieu

11 C Cornes and D Terrasse Automating inversion and inductive predicates in CoqIn S Berardi and M Coppo editors Proceedings of Types95 volume 1158 ofLecture Notes in Computer Science pages 85104 Springer-Verlag 1995

12 P Courtieu Function Schemes in Coq Documentation and tutorial Seehttpwww-sopinriafrlemmePierreCourtieufunschemehtml

13 MJC Gordon and TF Melham editors Introduction to HOL A theorem provingenvironment for higher-order logic Cambridge University Press 1993

14 J-L Lanet and A Requet Formal Proof of Smart Card Applets Correctness InJ-J Quisquater and B Schneier editors Proceedings of CARDIS98 volume 1820of Lecture Notes in Computer Science pages 8597 Springer-Verlag 1998

15 Z Luo and R Pollack LEGO proof development system Users manual TechnicalReport ECS-LFCS-92-211 LFCS University of Edinburgh May 1992

16 C Paulin-Mohring Inductive denitions in the system Coq Rules and propertiesIn M Bezem and JF Groote editors Proceedings of TLCA93 volume 664 ofLecture Notes in Computer Science pages 328345 Springer-Verlag 1993

17 C Paulin-Mohring Deacutenitions Inductives en Theorie des Types dOrdre SuperieurHabilitation agrave diriger les recherches Universiteacute Claude Bernard Lyon I 1996

18 L Paulson Isabelle A generic theorem prover volume 828 of Lecture Notes inComputer Science Springer-Verlag 1994

19 F Pfenning Elf a meta-language for deductive systems In A Bundy editorProceedings of CADE-12 volume 814 of Lecture Notes in Articial Intelligencepages 811815 Springer-Verlag 1994

20 K Slind Reasoning about Terminating Functional Programs PhD thesis TUMuumlnich 1999

21 D Terrasse Encoding natural semantics in Coq In V S Alagar editor Pro-ceedings of AMAST95 volume 936 of Lecture Notes in Computer Science pages230244 Springer-Verlag 1995

22 D Terrasse Vers un environnement daide au deacuteveloppement de preuves en Seacute-mantique Naturelle PhD thesis Ecole Nationale des Ponts et Chausseacutees 1995

3BerlinHeidelbergNew YorkBarcelonaHong KongLondonMilanParisTokyo

Victor A CarrenoCeacutesar A Munoz Sofiegravene Tahar (Eds)

Theorem Provingin Higher Order Logics

15th International Conference TPHOLs 2002Hampton VA USA August 20-23 2002Proceedings

1 3

Series Editors

Gerhard Goos Karlsruhe University GermanyJuris Hartmanis Cornell University NY USAJan van Leeuwen Utrecht University The Netherlands

Volume Editors

Victor A CarrenoNASA Langley Research CenterMS 130 Hampton VA 23681 USAE-mail vacarrenolarcnasagov

Ceacutesar A MunozICASE-Langley Research CenterMS 132C Hampton VA 23681 USAE-mail munozicaseedu

Sofiegravene TaharConcordia University Electrical and Computer Engineering1455 de Maisonneuve Blvd WMontreacuteal Queacutebec H3G 1M8 CanadaE-Mail taharececoncordiaca

Cataloging-in-Publication Data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme

Theorem proving in higher order logics 15th international conference proceedings TPHOLs 2002 Hampton VA USA August 20 - 23 2002Victor A Carreno (ed) - Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo Springer 2002

(Lecture notes in computer science Vol 2410)ISBN 3-540-44039-9

CR Subject Classification (1998) F41 I23 F31 D24 B63

ISSN 0302-9743ISBN 3-540-44039-9 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright All rights are reserved whether the whole or part of the material isconcerned specifically the rights of translation reprinting re-use of illustrations recitation broadcastingreproduction on microfilms or in any other way and storage in data banks Duplication of this publicationor parts thereof is permitted only under the provisions of the German Copyright Law of September 9 1965in its current version and permission for use must always be obtained from Springer-Verlag Violations areliable for prosecution under the German Copyright Law

Springer-Verlag Berlin Heidelberg New Yorka member of BertelsmannSpringer Science+Business Media GmbH

httpwwwspringerde

copy Springer-Verlag Berlin Heidelberg 2002Printed in Germany

Typesetting Camera-ready by author data conversion by Christian Grosche HamburgPrinted on acid-free paper SPIN 10873706 063142 5 4 3 2 1 0

Preface

This volume contains the proceedings of the 15th International Conference onTheorem Proving in Higher Order Logics (TPHOLs 2002) held on 20ndash23 August2002 in Hampton Virginia USA The conference serves as a venue for the pre-sentation of work in theorem proving in higher-order logics and related areasin deduction formal specification software and hardware verification and otherapplications

Each of the 34 papers submitted in the full research category was refereed byat least three reviewers from the program committee or by a reviewer appointedby the program committee Of these submissions 20 papers were accepted forpresentation at the conference and publication in this volume

Following a well-established tradition in this conference series TPHOLs 2002also offered a venue for the presentation of work in progress For the work inprogress track short introductory talks were given by researchers followed byan open poster session for further discussion Papers accepted for presentationin this track have been published as Conference Proceedings CP NASA-2002-211736

The organizers would like to thank Ricky Butler and Gerard Huet for grace-fully accepting our invitation to give talks at TPHOLs 2002 Ricky Butler wasinstrumental in the formation of the Formal Methods program at the NASALangley Research Center and has led the group since its beginnings The NASALangley Formal Methods group under Ricky Butlerrsquos guidance has fundedbeen involved in or influenced many formal verification projects in the US overmore than two decades In 1998 Gerard Huet received the prestigious HerbrandAward for his fundamental contributions to term rewriting and theorem provingin higher-order logic as well as many other key contributions to the field of au-tomated reasoning He is the originator of the Coq System under developmentat INRIA-Rocquencourt Dr Huetrsquos current main interest is computational lin-guistics however his work continues to influence researchers around the world ina wide spectrum of areas in theoretical computer science formal methods andsoftware engineering

The venue of the TPHOLs conference traditionally changes continent eachyear in order to maximize the likelihood that researchers from all over the worldwill attend Starting in 1993 the proceedings of TPHOLs and its predecessorworkshops have been published in the following volumes of the Springer-VerlagLecture Notes in Computer Science series

1993 (Canada) 780 1998 (Australia) 14791994 (Malta) 859 1999 (France) 16901995 (USA) 971 2000 (USA) 18691996 (Finland) 1125 2001 (UK) 21521997 (USA) 1275

VI Preface

The 2002 conference was organized by a team from NASA Langley ResearchCenter the ICASE Institute at Langley Research Center and Concordia Uni-versity Financial support came from Intel Corporation The support of all theseorganizations is gratefully acknowledged

August 2002 Vıctor A CarrenoCesar A Munoz

VII

Organization

TPHOLs 2002 is organized by NASA Langley and ICASE in cooperation withConcordia University

Organizing Committee

Conference Chair Vıctor A Carreno (NASA Langley)Program Chair Cesar A Munoz (ICASE NASA LaRC)

Sofiene Tahar (Concordia University)

Program Committee

Mark Aagaard (Waterloo)David Basin (Freiburg)Vıctor Carreno (NASA Langley)Shiu-Kai Chin (Syracuse)Paul Curzon (Middlesex)Gilles Dowek (INRIA)Harald Ganzinger (MPI Saarbrucken)Ganesh Gopalakrishnan (Utah)Jim Grundy (Intel)Elsa Gunter (NJIT)John Harrison (Intel)Doug Howe (Carleton)Bart Jacobs (Nijmegen)Paul Jackson (Edinburgh)Sara Kalvala (Warwick)

Michael Kohlhase (CMU amp Saarland)Thomas Kropf (Bosch)Tom Melham (Glasgow)J Strother Moore (Texas Austin)Cesar Munoz (ICASE NASA LaRC)Sam Owre (SRI)Christine Paulin-Mohring (INRIA)Lawrence Paulson (Cambridge)Frank Pfenning (CMU)Klaus Schneider (Karlsruhe)Henny Sipma (Stanford)Konrad Slind (Utah)Don Syme (Microsoft)Sofiene Tahar (Concordia)Wai Wong (Hong Kong Baptist)

Additional Reviewers

Otmane Ait-MohamedBehzad AkbarpourNancy DayBen Di VitoJean-Christophe Filliatre

Alfons GeserHanne GottliebsenMike KishinevskyHans de NivelleAndrew Pitts

Harald RueszligLeon van der TorreTomas Uribe

Invited Speakers

Ricky Butler (NASA Langley)Gerard Huet (INRIA)

VIII Preface

Sponsoring Institutions

NASA LangleyICASEConcordia UniversityINTEL

Table of Contents

Invited Talks

Formal Methods at NASA Langley 1Ricky Butler

Higher Order Unification 30 Years Later 3Gerard Huet

Regular Papers

Combining Higher Order Abstract Syntax with Tactical Theorem Provingand (Co)Induction 13

Simon J Ambler Roy L Crole Alberto Momigliano

Efficient Reasoning about Executable Specifications in Coq 31Gilles Barthe Pierre Courtieu

Verified Bytecode Model Checkers 47David Basin Stefan Friedrich Marek Gawkowski

The 5 Colour Theorem in IsabelleIsar 67Gertrud Bauer Tobias Nipkow

Type-Theoretic Functional Semantics 83Yves Bertot Venanzio Capretta Kuntal Das Barman

A Proposal for a Formal OCL Semantics in IsabelleHOL 99Achim D Brucker Burkhart Wolff

Explicit Universes for the Calculus of Constructions 115Judicael Courant

Formalised Cut Admissibility for Display Logic 131Jeremy E Dawson Rajeev Gore

Formalizing the Trading Theorem for the Classification of Surfaces 148Christophe Dehlinger Jean-Francois Dufourd

Free-Style Theorem Proving 164David Delahaye

A Comparison of Two Proof Critics Power vs Robustness 182Louise A Dennis Alan Bundy

X Table of Contents

Two-Level Meta-reasoning in Coq 198Amy P Felty

PuzzleTool An Example of Programming Computation and Deduction 214Michael JC Gordon

A Formal Approach to Probabilistic Termination 230Joe Hurd

Using Theorem Proving for Numerical Analysis 246Micaela Mayero

Quotient Types A Modular Approach 263Aleksey Nogin

Sequent Schema for Derived Rules 281Aleksey Nogin Jason Hickey

Algebraic Structures and Dependent Records 298Virgile Prevosto Damien Doligez Therese Hardin

Proving the Equivalence of Microstep and Macrostep Semantics 314Klaus Schneider

Weakest Precondition for General Recursive Programs Formalized in Coq 332Xingyuan Zhang Malcolm Munro Mark Harman Lin Hu

Author Index 349

Formal Methods at NASA Langley

Ricky Butler

Assessment Technology BranchMail Stop 130 NASA Langley Research Center

Hampton VA 23681-2199rwbutlerlarcnasagov

Extended Abstract

In this talk a short history of NASA Langleyrsquos research in formal methods ispresented The talk begins with an examination of the attempted formal verifi-cation of the SIFT (Software Implemented Fault Tolerance) operating system inthe late 1970s The primary goal of the SIFT verification project was to verify anoperating system for a fault-tolerant distributed real-time avionics computingplatform The SIFT project was deemed a failure because it did not meet its pri-mary objective However important results in the field of computer science wereobtained from the SIFT project including fault tolerant clock synchronizationByzantine agreement (interactive consistency) and others

After the SIFT project formal methods at NASA Langley went through aperiod of hibernation and would have probably died except for the providentialvisit of John Cullyer to NASA Langley in 1988 Soon after this a Memoran-dum of Understanding (MOU) between NASA Langley and The Royal Signaland Radar Establishment (RSRE) was initiated NASA Langley was asked toperform a critical assessment of the VIPER microprocessor which had been de-signed at the RSRE research laboratory With the help of Computational LogicInc (CLI) and the Boeing Commercial Airplane Company the usefulness ofthe VIPER processor for aerospace application was investigated ComputationalLogic wrote a critical review emphasizing the incompleteness of the VIPER me-chanical proofs Although an unprecedented level of analysis had been performedon the VIPER the CLI team did not consider hand-proofs to be adequate forsomething like the VIPER Once again Langley found itself in the midst of aformal methods controversy At the heart of this controversy was the nature ofproof itself How rigorous does a proof have to be before one can claim that amathematical proof has been accomplished

Next NASA Langley began to fund the direct application of existing formalmethods to real problems in the aerospace industry A competitive procurementresulted in three contracts to Computational Logic Inc SRI International andOdyssey Research Associates During this period NASA Langley had its firstrecognized successes in formal methods the formal verification of the RockwellCollins AAMP5 microprocessor and the formal verification of the Draper FTPPscoreboard circuit Most of the work centered on fault-tolerance and hardware

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 1ndash2 2002ccopy Springer-Verlag Berlin Heidelberg 2002

2 Ricky Butler

verification at this time but some initial work in modeling software was also ini-tiated The Jet Select subsystem of the Space Shuttle was modeled and later theGPS upgrade and 3-Engine-Out upgrade was formally analyzed Both theoremproving and model checking approaches were pursued

Towards the end of the 1990s the Langley team began to look into ways ofusing formal methods to improve critical flight deck software After the Pentiumbug mobilized the commercial silicon manufacturers to pursue formal verifica-tion technology the Langley team decided to focus its attention on software andsystems Cooperative work with industry to model flight guidance systems Adarun-time systems operating systems that support integrated modular avionicsand other safety-critical applications were begun In FY2000 the Langley for-mal methods team began to work for the Aviation Safety Program The AviationSafety Program is a NASA focused program with a goal of reducing the fatalaviation accident rate by 80 in ten years and 90 in twenty years Four newcontracts were started with a goal of using formal methods to make flight sys-tems safer (1) Rockwell Collins Advanced Technology Center to develop formalrequirements modeling and analysis techniques to detect and remove flight deckmode confusion (2) Honeywell Engines and Systems with SRI International toadapt the Time Triggered Architecture (TTA) to a Full Authority Digital EngineControl (FADEC) (3) Barron AssociatesGoodrich to develop formal verifica-tion methods that can serve as a basis for certifying non-adaptive neural netsand (4) University of Virginia to develop formal specification tools that inte-grate formal and informal languages enabling the analysis of the combinationIn FY2001 the Langley formal methods team was asked to apply formal meth-ods technology to the Air Traffic Management problem Current work is lookingat conflict detection and resolution algorithms (CDampR) needed in future freeflight concepts and at merging and self-spacing algorithms in the terminal areaThese later algorithms are being developed in support of NASA Langleyrsquos SmallAircraft Transportation Systems (SATS) program The Langley team has hadsome early successes with the verification of Air Traffic Management conceptsand the outlook is quite promising for this area

Future goals for the Langley formal methods program include (1) facilitatingthe transfer of successful formal approaches into the product lines of aerospacecompanies by developing cost-effective tools that integrate well with existingindustrial life-cycle processes (2) working with the FAA to develop new cer-tification processes that take advantage of the capabilities of formal methods(3) performing fundamental research in new challenging areas such as systemswhere there are complex interactions between discrete and continuous compo-nents and (4) integrating formal methods technology into existing engineeringtools such as Mathworks

Higher Order Unification 30 Years Later

(Extended Abstract)

Gerard Huet

INRIA-RocquencourtBP 105 F-78153 Le Chesnay Cedex

GerardHuetinriafr

Abstract The talk will present a survey of higher order unificationcovering an outline of its historical development a summary of its appli-cations to three fields automated theorem proving and more generallyengineering of proof assistants programming environments and softwareengineering and finally computational linguistics It concludes by a pre-sentation of open problems and a few prospective remarks on promisingfuture directions This presentation assumes as background the surveyby Gilles Dowek in the Handbook of automated theorem proving [28]

1 Theory

11 Early History

The problem of automating higher order logic was first posed by J A Robinsonin [100101] Peter Andrews formulated a version of the resolution principle foraccommodating Churchrsquos Simple Theory of Types [164] and as early as 1964Jim Guardrsquos team at Applied Logic Corporation had been independently inves-tigating higher order logic versions of unification [4241] but the complexity ofthe problem appeared when higher order unification was shown to be undecid-able in 1972 independently by G Huet [46] and C Lucchesi [61] a result tobe sharpened by W Goldfarb [39] Jensen and Pietrzykowky [8950] at Uni-versity of Waterloo gave a complete recursive enumeration of unifiers but theprocess was over-generative in an untractable fashion since computational quag-mires happened where at every step of the process all previous solutions weresubsumed by the next one Huet proposed a more tractable enumeration of pre-unifiers for better conditioned problems where rigidity of one of the problemterms led to sequential behavior By delaying ill-conditioned problems in theform of constraints it became possible to implement a complete version of theresolution principle for Churchrsquos Type Theory [49] An extensive theory of uni-fication in various algebraic settings building on early work of G Plotkin [90]was developed by G Huet in his These drsquoEtat [47] while P Andrews and hiscollaborators at CMU went on implementing constrained resolution in the proofassistant TPS [5]

Thus the original motivation for higher-order unification was its use as afundamental algorithm in automated theorem-provers We shall see below that

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 3ndash12 2002ccopy Springer-Verlag Berlin Heidelberg 2002

4 Gerard Huet

the design and implementation of proof assistants is still its main applicationarea not just in the setting of classical logic with versions of the resolutionprinciple but in more general meta-theoretic frameworks where it is the workhorse of pattern-matching and more generally proof search For instance exten-sions of the term-rewriting paradigm of equational logic building on higher-orderunification were proposed by Nipkow Jouannaud and Okada Breazu-TannenBlanqui and many others [7610] while C Benzmuller investigated the additionof equality paramodulation to higher-order resolution [89]

12 λ Prolog

It was soon realized that resolution was better behaved in the restricted contextof Horn sentences and Colmerauer and Kowalski took advantage of this qualityin the framework of first-order logic with the design of PROLOG which spurredthe whole new field of Logic Programming The generalization of this promis-ing technology to higher-order logic was successfully accomplished by D Millerwith his λ-PROLOG system [6573] G Nadathur further investigated the λ-PROLOG methodology and its efficient implementation [7172707374] In theMali team in Rennes Yves Bekkers and colleagues implemented a λ-PROLOGmachine with specific dynamic memory management [714] The most impres-sive application of the λ-PROLOG formalism was accomplished by F Pfenningin his ELF system a logic programming environment for Edinburghrsquos LogicalFramework [8588]

The theory of higher-order unification in more powerful higher order frame-works encompassing dependent types polymorphism or inductive types wasinvestigated by C Elliott[3132] G Pym [96] G Dowek [2026] F Pfenning[8687] etc in a series of publications in the 80rsquos and 90rsquos We refer the inter-ested reader to the extensive presentation in G Dowekrsquos survey [28]

13 Matching

An important special case of unification (ie solving equations in term struc-tures) is when one of the terms is closed Unification in this special case ispattern matching a specially important algorithm in symbolic computationHuetrsquos semi-decision algorithm turned into an algorithm generating a finite setof solutions in the case of second-order terms [474822] Furthermore it waspossible to combine pattern-matching for linear terms with first-order unifica-tion as Miller demonstrated with his higher-order patterns [66] However thegeneral problem in the full higher-order hierarchy remained open for a long timeG Dowek showed that the third-order problem was decidable [27] while exten-sions in various other directions led to undecidability [2124] Padovani showedthat the fourth-order case was decidable [808182] Wolfram gave an algorithmwhich always terminate [115] but whose completeness is dubious More recentlyLoader announced the undecidability of higher-order matching in [5960] but the

Higher Order Unification 30 Years Later 5

argument does not carry over if the η rule of extensionality is added to β com-putation rule of λ calculus This vexing but important problem is thus still openafter 30 years of intense investigation

2 Applications

The talk will survey applications in three domains

21 Proof Technology

Early experiments with resolution systems as proof assistants were extremelynaive since full automation was aimed at for mathematical theories which areundecidable or at least badly untractable It is interesting that to this day re-search teams keep the pretense of solving deep mathematical problems in a fullyautomated fashion despite all evidence to the contrary

Hopefully better methodologies exist than attempting to solve mathematicswith combinatorial blackboxes Proof Assistants following the early models ofAutomath LCF and NuPRL have been designed as interactive systems wherethe mathematically sophisticated user drives a proof search process with thehelp of specialized programmable tactics implementing decision or semi-decisionprocedures which operate on formulas kept in user-understandable terms Twoparadigms are of paramount importance in this newer vision of proof search theuse of general meta-level formalisms (the so-called logical frameworks wheregeneric pattern-matching and unification algorithms are put to use) and therecognition of proof structures as higher-order objects themselves (through suit-able instances of the Curry-Howard correspondence) This gave a second life tohigher-order unification at the level of proof search this time (and not just at thelevel of terms search) This methodology was clearly articulated by G Dowekin his thesis [2023] and by by D Miller and A Felty [235] Typical of this ap-proach are the proof assistants Isabelle [83] the Edinburgh Logical Frameworkand its ELF Logic Programming engine [8588] and the various versions of theCalculus of Constructions or Intuitionistic Type Theory implementations (CoqLego Alf)

22 Program Schemas Manipulation and Software Engineering

The second-order matching algorithm presented in the 70rsquos by Huet and Lang[48] was motivated by an application to program schemas recognition in a soft-ware engineering paradigm of program transformations originally proposed byBurstall and Darlington Indeed all the Burstall and Darlington rewrite ruleswere easily encompasssed by this technology but it seemed difficult to extrapo-late this simple methodology to software engineering in the large Still grandioseprojects of Inferential Programming based on Semantically Based Program-ming Tools were lavishly financed in the 80rsquos on such principles [55] Whatfinally emerged when the dust settled was the notion of Higher-order Abstract

6 Gerard Huet

Syntax as a fundamental structure for logic-based programming environments[67458435164]

23 Anaphora Resolution and Other Computational LinguisticsApplications

Meanwhile researchers in computational linguistics working at the frontier be-tween syntax and semantics and notably within Montague Semantics had beeninvestigating the resolution of anaphora constructions (pronouns focus ellipsisetc) through the higher order unification algorithm Such experiments were fa-cilitated by the widespread adoption of PROLOG as a computation paradigm inthis community Typical representatives of this approach were Dale Miller andGopalan Nadathur at CMU [68] S Shieber and colleagues in Harvard [62114] SPulman in SRICambridge [95] and C Gardent and colleagues in Saarbrucken[15373836]

3 Prospective

The talk will end with some prospective remarks

References

1 G Amiot The undecidability of the second order predicate unification problemArchive for mathematical logic 30193ndash199 1990

2 Dale Miller Amy Felty Specifying theorem provers in a higher-order logic pro-gramming language In Proceedings of the 9th Int Conference on AutomatedDeduction (CADE-9) volume 310 of Lecture Notes in Computer Science pages61ndash80 Springer-Verlag Argonne Illinois 1988

3 Penny Anderson Represnting proof transformations for program optimization InProceedings of the 12th Int Conference on Automated Deduction (CADE-12) vol-ume 814 of Lecture Notes in Artificial Intelligence pages 575ndash589 Nancy France1994 Springer-Verlag

4 PB Andrews Resolution in type theory The Journal of Symbolic Logic36(3)414ndash432 1971

5 PB Andrews M Bishop S Issar D Nesmith F Pfenning and H Xi Tpsa theorem proving system for classical type theory J of Automated Reasoning16321ndash353 1996

6 J Avenhaus and CA Lorıa-Saenz Higher-order conditional rewriting and nar-rowing In J-P Jouannaud editor International Conference on Constaints inComputational Logic volume 845 of Lecture Notes in Computer Science pages269ndash284 Springer-Verlag 1994

7 Yves Bekkers Olivier Ridoux and Lucien Ungaro Dynamic memory managementfor sequential logic programming languages In IWMM pages 82ndash102 1992

8 C Benzmuller Extensional higher-order resolution In Proceedings of the 15thInt Conference on Automated Deduction (CADE-15) volume 1421 of LectureNotes in Artificial Intelligence pages 56ndash71 Springer-Verlag Lindau Germany1998

Higher Order Unification 30 Years Later 7

9 C Benzmuller Equality and extensionality in automated higher-order theoremproving Doctoral Dissertation Universitat des Saarlandes Saarbrucken 1999

10 Frederic Blanqui Theorie des types et reecriture These de Doctorat UniversiteParis-Sud 2001

11 P Borovansky Implementation of higher-order unification based on calculus ofexplicit substitution In M Bartosek J Staudek and J Wiedermann editorsSOFSEM Theory and Practice of Informatics volume 1012 in Lecture Notes inComputer Science pages 363ndash368 Springer-Verlag 1995

12 A Boudet and E Contejean AC-unification of higher-order patterns InG Smolka editor Principles and Practice of Constraint Programming volume1330 of Lecture Notes in Computer Science pages 267ndash281 Springer-Verlag 1997

13 D Briaud Higher order unification as typed narrowing Technical Report 96-R-112 Centre de recherche en informatique de Nancy 1996

14 Pascal Brisset and Olivier Ridoux The architecture of an implementation oflambdaprolog Prologmali Technical Report RR-2392 INRIA Oct 1994

15 M Kohlhase C Gardent and K Konrad Higher-order colored unification Alinguistic application J of Logic Language and Information 9313ndash338 2001

16 A Church A formulation of the simple theory of types The Journal of SymbolicLogic 5(1)56ndash68 1940

17 H Comon and Y Jurski Higher-order matching and tree automata In M Nielsenand W Thomas editors Conference on Computer Science Logic volume 1414 ofLecture Notes in Computer Science pages 157ndash176 Springer-Verlag 1997

18 DJ Dougherty Higher-order unification via combinators Theoretical ComputerScience 114273ndash298 1993

19 DJ Dougherty and P Johann A combinatory logic approach to higher-orderE-unification In D Kapur editor Conference on Automated Deduction volume607 of Lecture Notes in Artificial Intelligence pages 79ndash93 Springer-Verlag 1992

20 G Dowek Demonstration automatique dans le calcul des constructions Thesede Doctorat Universite de Paris VII 1991

21 G Dowek Lrsquoindecidabilite du filtrage du troisieme ordre dans les calculs avectypes dependants ou constructeurs de types (the undecidability of third orderpattern matching in calculi with dependent types or type constructors) ComptesRendus a lrsquoAcademie des Sciences I 312(12)951ndash956 1991 Erratum ibid I318 1994 p 873

22 G Dowek A second-order pattern matching algorithm in the cube of typed λ-calculi In A Tarlecki editor Mathematical Foundation of Computer Sciencevolume 520 of Lecture notes in computer science pages 151ndash160 Springer-Verlag1991

23 G Dowek A complete proof synthesis method for the cube of type systemsJournal of Logic and Computation 3(3)287ndash315 1993

24 G Dowek The undecidability of pattern matching in calculi where primitiverecursive functions are representable Theoretical Computer Science 107349ndash356 1993

25 G Dowek The undecidability of typability in the lambda-pi-calculus InM Bezem and JF Groote editors Typed Lambda Calculi and Applications vol-ume 664 in Lecture Notes in Computer Science pages 139ndash145 Springer-Verlag1993

26 G Dowek A unification algorithm for second-order linear terms Manuscript1993

27 G Dowek Third order matching is decidable Annals of Pure and Applied Logic69135ndash155 1994

8 Gerard Huet

28 G Dowek Higher-Order Unification and Matching chapter 16 pages 1009ndash1062Elsevier 2001

29 G Dowek T Hardin and C Kirchner Higher-order unification via explicitsubstitutions Information and Computation 157183ndash235 2000

30 G Dowek T Hardin C Kirchner and F Pfenning Unification via explicitsubstitutions the case of higher-order patterns In M Maher editor Joint Inter-national Conference and Symposium on Logic Programming pages 259ndash273 TheMIT Press 1996

31 CM Elliott Higher-order unification with dependent function types In N Der-showitz editor Internatinal Conference on Rewriting Techniques and Applica-tions volume 355 of Lecture Notes in Computer Science pages 121ndash136 Springer-Verlag 1989

32 CM Elliott Extensions and applications of higher-order unification PhD thesisCarnegie Mellon University 1990

33 WM Farmer A unification algorithm for second-order monadic terms Annalsof Pure and applied Logic 39131ndash174 1988

34 WM Farmer Simple second order languages for which unification is undecidableTheoretical Computer Science 8725ndash41 1991

35 Amy Felty Implementing tactics and tacticals in a higher-order logic program-ming language Journal of Automated Reasoning 1143ndash81 1993

36 C Gardent Deaccenting and higher-order unification J of Logic Language andInformation 9313ndash338 2000

37 C Gardent and M Kohlhase Focus and higher-order unification In 16th Inter-national Conference on Computational Linguistics Copenhagen 1996

38 C Gardent and M Kohlhase Higher-order coloured unification and naturallanguage semantics In ACL editor 34th Annual Meeting of the Association forComputational Linguistics Santa Cruz 1996

39 WD Goldfarb The undecidability of the second-order unification problem The-oretical Computer Science 13225ndash230 1981

40 J Goubault Higher-order rigid E-unification In F Pfenning editor 5th Interna-tional Conference on Logic Programming and Automated Reasoning volume 822in Lecture Notes in Artificial Intelligence pages 129ndash143 Springer-Verlag 1994

41 WE Gould A matching procedure for ω-order logic Scientific report 4 AFCRL66-781 (contract AF 19 (628)-3250) AD 646 560

42 JR Guard Automated logic for semi-automated mathematics Scientific report1 AFCRL 64-411 (contract AF 19 (628)-3250) AS 602 710 1964

43 M Hagiya Programming by example and proving by example using higher-orderunification In ME Stickel editor Conference on Automated Deduction volume449 in Lecture Notes in Computer Science pages 588ndash602 Springer-Verlag 1990

44 M Hagiya Higher-order unification as a theorem proving procedure In K Fu-rukawa editor International Conference on Logic Programming pages 270ndash284MIT Press 1991

45 John Hannan and Dale Miller Uses of higher-order unification for implementingprograms transformers In RA Kowalski an KA Bowen editor InternationalConference and Symposium on Logic Programming pages 942ndash959 1988

46 G Huet The undecidability of unification in third order logic Information andControl 22257ndash267 1973

47 G Huet Resolution drsquoequations dans les langages drsquoordre 12 ω These drsquoEtatUniversite de Paris VII 1976

48 G Huet and B Lang Proving and applying program transformations expressedwith second order patterns Acta Informatica 1131ndash55 1978

Higher Order Unification 30 Years Later 9

49 Gerard Huet Constrained resolution A complete method for higher order logicPhD thesis Case Western University Aug 1972

50 DC Jensen and T Pietrzykowski Mechanizing ω-order type theory throughunification Theoretical Computer Science 3123ndash171 1976

51 Frank Pfenning Joelle Despeyroux and Carsten Schurmann Primitive recursionfor higher-order syntax In R Hindley editor Proceedings of the 3rd Int Confer-ence on Typed Lambda Calculus and Applications (TLCArsquo97) volume 1210 of Lec-ture Notes in Computer Science pages 147ndash163 Nancy France 1997 Springer-Verlag

52 Patricia Johann and Michael Kohlhase Unification in an extensional lambda cal-culus with ordered function sorts and constant overloading In Alan Bundy editorConference on Automated Deduction volume 814 in Lecture Notes in ArtificialIntelligence pages 620ndash634 Springer-Verlag 1994

53 C Kirchner and Ch Ringeissen Higher-order equational unification via ex-plicit substitutions In M Hanus J Heering and K Meinke editors Algebraicand Logic Programming International Joint Conference ALPrsquo97-HOArsquo97 vol-ume 1298 of Lecture Notes in Computer Science pages 61ndash75 Springer-Verlag1997

54 K Kwon and G Nadathur An instruction set for higher-order hereditary harropformulas (extended abstract) In Proceedings of the Workshop on the lambdaProlog Programming Language UPenn Technical Report MS-CIS-92-86 1992

55 Peter Lee Frank Pfenning John Reynolds Gene Rollins and Dana Scott Re-search on semantically based program-design environments The ergo projectin 1988 Technical Report CMU-CS-88-118 Computer Science DepartmentCarnegie Mellon University 1988

56 J Levy Linear second order unification In H Ganzinger editor RewritingTechniques and Applications volume 1103 of Lecture Notes in Computer Sciencepages 332ndash346 Springer-Verlag 1996

57 Jordi Levy and Margus Veanes On unification problems in restricted second-order languages In Annual Conf of the European Ass of Computer ScienceLogic (CSL98) Brno Czech Republic 1998

58 Jordi Levy and Mateu Villaret Linear second-order unification and context uni-fication with tree-regular constraints In Proceedings of the 11th Int Conf onRewriting Techniques and Applications (RTA 2000) volume 1833 of Lecture Notesin Computer Science pages 156ndash171 Norwich UK 2000 Springer-Verlag

59 R Loader The undecidability of λ-definability To appear in Church memorialvolume 1994

60 R Loader Higher order β matching is undecidable Private communication2001

61 CL Lucchesi The undecidability of the unification problem for third orderlanguages Technical Report CSRR 2060 Department of applied analysis andcomputer science University of Waterloo 1972

62 Stuart M Shieber Mary Dalrymple and Fernando CN Pereira Ellipsis andhigher-order unification Linguistic and Philosophy 14399ndash452 1991

63 R Mayr and T Nipkow Higher-order rewrite systems and their confluenceTheoretical Computer Science 1923ndash29 1998

64 Raymond McDowell and Dale Miller Reasoning with higher-order abstract syntaxin a logical framework ACM Transactions on Computational Logic (TOCL)380ndash136 2002

65 Dale Miller Abstractions in logic programming In P Odifreddi editor Logicand computer science pages 329ndash359 Academic Press 1991

10 Gerard Huet

66 Dale Miller Unification under a mixed prefix Journal of Symbolic Computation14321ndash358 1992

67 Dale Miller and Gopalan Nadathur A logic programming approach to manipu-lating formulas and programs In IEEE Symposium on Logic Programming pages247ndash255 San Francisco California 1986

68 Dale Miller and Gopalan Nadathur Some uses of higher-order logic in computa-tional linguistics In 24th Annual Meeting of the Association for ComputationalLinguistics pages 247ndash255 1986

69 O Muller and F Weber Theory and practice of minimal modular higher-orderE-unification In A Bundy editor Conference on Automated Deduction volume814 in Lecture Notes in Artificial Intelligence pages 650ndash664 Springer-Verlag1994

70 Gopalan Nadathur An explicit substitution notation in a λprolog implementa-tion In First International Workshop on Explicit Substitutions 1998

71 Gopalan Nadathur A Higher-Order Logic as the Basis for Logic ProgrammingPhD thesis University of Pennsylvania Dec 1986

72 Gopalan Nadathur and Dale Miller Higher-order horn clauses J of the Associ-ation for Computing Machinery 37777ndash814 1990

73 Gopalan Nadathur and Dale Miller Higher-order logic programming In D MGabbay C J Hogger and J A Robinson editors Handbook of logic in artificialintelligence and logic programming volume 5 pages 499ndash590 Clarendon Press1998

74 Gopalan Nadathur and DJ Mitchell System description A compiler and ab-stract machine based implementation of λprolog In Conference on AutomatedDeduction 1999

75 T Nipkow Higher-order critical pairs In Logic in Computer Science pages342ndash349 1991

76 T Nipkow Higher-order rewrite systems In Proceedings of the 6th Int Conf onRewriting Techniques and Applications (RTA-95) volume 914 of Lecture Notesin Computer Science pages 256ndash256 Keiserlautern Germany 1995 Springer-Verlag

77 T Nipkow and Ch Prehofer Higher-order rewriting and equational reasoningIn W Bibel and PH Schmitt editors Automated Deduction - A Basis for Ap-plications volume 1 pages 399ndash430 Kluwer 1998

78 Tobias Nipkow and Zhenyu Qian Modular higher-order e-unification In Proceed-ings of the 4th Int Conf on Rewriting Techniques and Applications (RTA) vol-ume 488 of Lecture Notes in Computer Science pages 200ndash214 Springer-Verlag1991

79 Tobias Nipkow and Zhenyu Qian Reduction and unification in lambda calculiwith a general notion of subtype Journal of Automated Reasoning 12389ndash4061994

80 V Padovani Fourth-order matching is decidable Manuscript 199481 V Padovani Decidability of all minimal models In S Berardi and M Coppo

editors Types for Proof and Programs 1995 volume 1158 in Lecture Notes inComputer Science pages 201ndash215 Springer-Verlag 1996

82 V Padovani Filtrage drsquoordre superieur These de Doctorat Universite de ParisVII 1996

83 Larry C Paulson Isabelle The next 700 theorem provers In P Odifreddi editorLogic and computer science pages 361ndash385 Academic Press 1991

84 F Pfenning Partial polymorphic type inference and higher-order unification InConference on Lisp and Functional Programming pages 153ndash163 1988

Higher Order Unification 30 Years Later 11

85 F Pfenning Logic programming in the LF logical framework In G Huet andG Plotkin editors Logical frameworks pages 149ndash181 Cambridge UniversityPress 1991

86 F Pfenning Unification and anti-unification in the calculus of constructions InLogic in Computer Science pages 74ndash85 1991

87 F Pfenning and I Cervesato Linear higher-order pre-unification In Logic inComputer Science 1997

88 Frank Pfenning and Carsten Schurmann System description Twelf mdash A meta-logical framework for deductive systems In Proceedings of the 16th Int Con-ference on Automated Deduction (CADE-16) volume 1632 of Lecture Notes inArtificial Intelligence Springer-Verlag 1999

89 T Pietrzykowski A complete mecanization of second-order type theory J of theAssociation for Computing Machinery 20333ndash364 1973

90 G Plotkin Building-in equational theories Machine Intelligence 773ndash90 197291 C Prehofer Decidable higher-order unification problems In A Bundy editor

Conference on Automated Deduction volume 814 of Lecture Notes in ArtificialIntelligence pages 635ndash649 Springer-Verlag 1994

92 C Prehofer Higher-order narrowing In Logic in Computer Science (LICSrsquo94pages 507ndash516 1994

93 C Prehofer Solving higher-order equations From logic to programming Doctoralthesis Technische Universitat Munchen Technical Report TUM-19508 Institutfur Informatik TUM Munchen 1995

94 C Prehofer Solving Higher-Order Equations From Logic to ProgrammingProgress in theoretical coputer science Birkhauser 1998

95 S Pulman Higher-order unification and the interpretation of focus Linguisticsand Philosophy 2073ndash115 1997

96 D Pym Proof search and computation in general logic Doctoral thesis Uni-versity of Edinburgh 1990

97 Z Qian Higher-order equational logic programming In Principle of ProgrammingLanguages pages 254ndash267 1994

98 Z Qian and K Wang Higher-order equational E-unification for arbitrary theo-ries In K Apt editor Joint International Conference and Symposium on LogicProgramming 1992

99 Z Qian and K Wang Modular AC unification of higher-order patterns In J-P Jouannaud editor International Conference on Constaints in ComputationalLogic volume 845 of Lecture Notes in Computer Science pages 105ndash120 Springer-Verlag 1994

100 JA Robinson New directions in mechanical theorem proving In AJH Morrelleditor International Federation for Information Processing Congress 1968 pages63ndash67 North Holland 1969

101 JA Robinson A note on mechanizing higher order logic Machine Intelligence5123ndash133 1970

102 H Saıdi Resolution drsquoequations dans le systeme T de Godel Memoire de DEAUniversite de Paris VII 1994

103 M Schmidt-Schauszlig Unification of stratified second-order terms Technical Re-port 12 JWGoethe-Universitat Frankfurt 1994

104 M Schmidt-Schauszlig Decidability of bounded second order unification TechnicalReport 11 JWGoethe-Universitat Frankfurt 1999

105 M Schmidt-Schauszlig and KU Schulz Solvability of context equations with twocontext variables is decidable In H Ganzinger editor Conference on Automated

12 Gerard Huet

Deduction volume 1632 in Lecture Notes in Artificial Intelligence pages 67ndash811999

106 A Schubert Linear interpolation for the higher order matching problem InM Bidoit and M Dauchet editors Theory and Practice of Software Developmentvolume 1214 of Lecture Notes in Computer science pages 441ndash452 Springer-Verlag 1997

107 A Schubert Second-order unification and type inference for Church-style poly-morphism In Principle of Programming Languages pages 279ndash288 1998

108 W Snyder Higher-order E-unification In M E Stickel editor Conference onAutomated Deduction volume 449 of Lecture Notes in Artificial Intelligence pages573ndash587 Springer-Verlag 1990

109 W Snyder and J Gallier Higher order unification revisited Complete sets oftranformations Journal of Symbolic Computation 8(1 amp 2)101ndash140 1989 Spe-cial issue on unification Part two

110 W Snyder and J Gallier Higher-order unification revisited Complete sets oftransformations Journal of Symbolic Computation 8101ndash140 1989

111 J Springintveld Algorithms for type theory Doctoral thesis Utrecht University1995

112 J Springintveld Third-order matching in presence of type constructors InM Dezani-Ciancagliani and G Plotkin editors Typed Lambda Calculi and Ap-plications volume 902 of Lecture Notes in Computer Science pages 428ndash442Springer-Verlag 1995

113 J Springintveld Third-order matching in the polymorphic lambda calculus InG Dowek J Heering K Meinke and B Moller editors Higher-order AlgebraLogic and Term Rewriting volume 1074 of Lecture Notes in Computer Sciencepages 221ndash237 Springer-Verlag 1995

114 Fernando CN Pereira Stuart M Shieber and Mary Dalrymple Interactions ofscope and ellipsis Linguistics and Philosophy 19527ndash552 1996

115 DA Wolfram The clausal theory of types Doctoral thesis University of Cam-bridge 1989

116 M Zaionc The regular expression description of unifier set in the typed λ-calculus Fundementa Informaticae X309ndash322 1987

117 M Zaionc Mechanical procedure for proof construction via closed terms in typedλ-calculus Journal of Automated Reasoning 4173ndash190 1988

Combining Higher Order Abstract Syntax with

Tactical Theorem Proving and (Co)Induction

Simon J Ambler Roy L Crole and Alberto Momigliano

Department of Mathematics and Computer ScienceUniversity of Leicester Leicester LE1 7RH UKSAmblerRCroleAMomiglianomcsleacuk

Abstract Combining Higher Order Abstract Syntax (HOAS) and in-duction is well known to be problematic We have implemented a toolcalled Hybrid within Isabelle HOL which does allow object logics tobe represented using HOAS and reasoned about using tactical theoremproving in general and principles of (co)induction in particular In thispaper we describe Hybrid and illustrate its use with case studies We alsoprovide some theoretical adequacy results which underpin our practicalwork

1 Introduction

Many people are concerned with the development of computing systems whichcan be used to reason about and prove properties of programming languagesHowever developing such systems is not easy Difficulties abound in both prac-tical implementation and underpinning theory Our paper makes both a theoret-ical and practical contribution to this research area More precisely this paperconcerns how to reason about object level logics with syntax involving variablebindingmdashnote that a programming language can be presented as an exampleof such an object logic Our contribution is the provision of a mechanized toolHybrid which has been coded within Isabelle HOL and

ndash provides a form of logical framework within which the syntax of an objectlevel logic can be adequately represented by higher order abstract syntax(HOAS)

ndash is consistent with tactical theorem proving in general and principles of in-duction and coinduction in particular and

ndash is definitional which guarantees consistency within a classical type theory

We proceed as follows In the introduction we review the idea of simple logicalframeworks and HOAS and the problems in combining HOAS and inductionIn Section 2 we introduce our tool Hybrid In Section 3 we provide some keytechnical definitions in Hybrid In Section 4 we explain how Hybrid is used torepresent and reason about object logics by giving some case studies In Section 5

This work was supported by EPSRC grant number GRM98555

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 13ndash30 2002ccopy Springer-Verlag Berlin Heidelberg 2002

14 Simon J Ambler et al

we give a mathematical description of Hybrid together with some underpinningtheory In Section 6 we review the articles related to our work In Section 7 wecomment on future plansHybrid provides a form of logical framework Here we briefly recall some

fundamental technical details of a basic logical framework by usingthe vehicle of quantified propositional logic (QPL) as an object levellogicmdashthe notation will be used in Sections 4 and 5 While this is avery small logic it comes with a single binding construct which exemplifies theproblems we are tackling We let V1 V2 be a countable set of (object level)variables The QPL formulae are given by Q = Vi | Q sup Q | forallVi Q Recall howto represent QPL in a simple logical frameworkmdashthe framework here providesa form of HOAS following [25] A framework theory is specified by a signatureof ground types which generate function types and constants The objects ofthe theory are given by e = name | vi | e e | λ vi e where name ranges overconstants and i ranges over N giving a countable set of (meta) variables vi Fromthis a standard type assignment system can be formulated leading to a notionof canonical form We refer the reader to [25] for the full definition To representQPL we take a ground type oo of formulae We also give the constants of thetheory each of which corresponds to a QPL constructor For QPL we specifyImp oo rArr oo rArr oo and All (oo rArr oo) rArr oo One can define a translationfunction minus by the clauses

Vi def= vi Q1 sup Q2 def= Imp Q1 Q2 forallVi Q def= All (λ vi Q)

One can then show that this translation gives a ldquosensiblerdquo representation of QPLin the framework meaning that the function minus provides a bijection betweenQPL and canonical objects and further minus is compositional on substitutionAlthough there are well known benefits in working with such higher order

abstract syntax there are also difficulties In general it is not immediately clearhow to obtain a principle of induction over expressions or how to define functionson them by primitive recursion although such principles do exist [27] Worse stillapparently promising approaches can lead to inconsistencies [16] The axiom ofchoice leads to loss of consistency and exotic terms may lead to loss of adequacyIn our example one would like to view the constants above as the constructorsof a datatype oo = var | Imp (oo lowast oo) | All (oo rArr oo) so that an inductionprinciple is ldquoimmediaterdquo Such datatype declarations would be perfectly legal infunctional programming languages In a theorem prover such as Isabelle HOL theconstructors of a datatype are required to be injective [13] However the functionAll (oo rArr oo)rArr oo cannot be injective for cardinality reasons (Cantorrsquos proofcan be formalized within HOL) as Isabelle HOL provides a classical set theoryMoreover the function space oo rArr oo yields Isabelle HOL definable functionswhich do not ldquocorrespondrdquo to terms of QPL Such functions give rise to termsin oo which are unwanted so-called exotic terms such as

All (λx if x = u then u else All (λ z z))

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 15

We show that it is possible to define a logical framework in which All is injectiveon a subset of oo rArr oo The subset is sufficiently large to give an adequaterepresentation of syntaxmdashsee Section 41

2 Introducing Hybrid

Within Isabelle HOL our goal is to define a datatype for λ-calculus withconstants over which we can deploy (co)induction principles whilerepresenting variable binding through Isabellersquos HOAS We do this ina tool called Hybrid which we introduce in this section Our startingpoint is the work [1] of Andrew Gordon which we briefly review It is well known(though rarely provedmdashsee Section 5) that λ-calculus expressions are in bijectionwith (a subset of) de Bruijn expressions Gordon defines a de Bruijn notationin which expressions have named free variables given by strings He can writeT = dLAMBDA v t (where v is a string) which corresponds to an abstraction inwhich v is bound in t The function dLAMBDA has a definition which convertsT to the corresponding de Bruijn term which has an outer abstraction anda subterm which is t in de Bruijn form in which (free) occurrences of v areconverted to bound de Bruijn indices For example

dLAMBDA v (dAPP (dVAR v) (dVAR u)) = dABS (dAPP (dBND 0) (dVAR u))

Gordon demonstrates the utility of this approach It provides a good mechanismthrough which one may work with named bound variables but it does not exploitthe built in HOAS which Isabelle HOL itself uses to represent syntax The noveltyof our approach is that we do exploit the HOAS at the meta (machine) levelWe introduce Hybrid by example First some basics Of central importance

is a Isabelle HOL datatype of de Bruijn expressions where bnd and var are thenatural numbers and con provides names for constants

expr = CON con | VAR var | BND bnd | expr $$ expr | ABS expr

Let TO = ΛV1 Λ V2 V1 V3 be a genuine honest to goodness (object level) syn-tax1 tree Gordon would represent this by

TG = dLAMBDA v1 (dLAMBDA v2 (dAPP (dVAR v1) (dVAR v3)))

which equalsdABS (dABS (dAPP (dBND 1) (dVAR v3)))

Hybrid provides a binding mechanism with similarities to dLAMBDA GordonrsquosT would be written as LAM v t in Hybrid This is simply a definition for ade Bruijn term A crucial difference in our approach is that bound variablesin the object logic are bound variables in Isabelle HOL Thus the v in LAM v t

1 We use a capital Λ and capital V to avoid confusion with meta variables v and metaabstraction λ

16 Simon J Ambler et al

is a metavariable (and not a string as in Gordonrsquos approach) In Hybrid wealso choose to denote object level free variables by terms of the form VAR ihowever this has essentially no impact on the technical detailsmdashthe importantthing is the countability of free variables In Hybrid the TO above is renderedas TH = LAM v1 (LAM v2 (v1 $$ VAR 3)) The LAM is an Isabelle HOL binderand this expression is by definition

lambda (λ v1 (lambda (λ v2 (v1 $$ VAR 3))))

where λvi is meta abstraction and one can see that the object level term isrendered in the usual HOAS format where lambda (expr rArr expr) rArr expr isa defined function Then Hybrid will reduce TH to the de Bruijn term

ABS (ABS (BND 1 $$ VAR 3))

as in Gordonrsquos approach The key to this is of course the definition of lambdawhich relies crucially on higher order pattern matching We return to its defini-tion in Section 3 In summary Hybrid provides a form of HOAS where objectlevel

ndash free variables correspond to Hybrid expressions of the form VAR indash bound variables correspond to (bound) meta variablesndash abstractions ΛVE correspond to expressions LAM v e = lambda (λ v e)ndash applications E1 E2 correspond to expressions e1 $$ e2

3 Definition of Hybrid in Isabelle HOL

Hybrid consists of a small number of Isabelle HOL theories One of these providesthe dataype of de Bruijn expressions given in Section 2 The theories also containdefinitions of various key functions and inductive sets In this section weoutline the definitions and give some examples where e ranges overIsabelle HOL expressions We show how Hybrid provides a form ofHOAS and how this can be married with inductionWe are going to use a pretty-printed version of Isabelle HOL concrete syntax

a ruleH1 Hn

C

will be represented as [[ H1 Hn ]] =rArr C An Isabelle HOL type declarationhas the form s [ t1 tn ] rArr t The Isabelle metauniversal quantifier is

and

while Isabelle HOL connectives are represented via the usual logical notationFree variables are implicitly universally quantified Datatypes will be introducedusing BNF grammars The sign == (Isabelle metaequality) will be used forequality by definitionNote that all of the infrastructure of Hybrid which we now give is specified

definitionally We do not postulate axioms as in some approaches reviewed inSection 6 which require validation

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 17

level [ bnd expr ]rArr bool Recall that BND i corresponds to a bound vari-able in the λ-calculus and VAR i to a free variable we refer to bound and freeindices respectively We call a bound index i dangling if i or less Abs labelsoccur between the index i and the root of the expression tree e is said to be atlevel l ge 1 if enclosing e inside l Abs nodes ensures that the resulting expressionhas no dangling indices These ideas are standard as is the implementation oflevel

proper expr rArr bool One has proper e == level 0 e A proper expression isone that has no dangling indices and corresponds to a λ-calculus expression

insts bnd rArr (expr )list rArr expr rArr expr We explain this function by ex-ample Suppose that j is a bound index occurring in e and v0 vm a list ofmetavariables of type expr Let BND j be enclosed by a ABS nodes If a le j(so that j dangles) then insts replaces BND j by vjminusa If j does not dangle theninsts leaves BND j alone For example noting 5minus 2 = 3insts 0 v0 vm ABS (ABS (BND 0 $$ BND 5)) = ABS (ABS (BND 0 $$ v3))

abst [ bnd expr rArr expr ]rArr bool This predicate is defined by induction asa subset of bnd lowast (expr rArr expr) The inductive definition is

=rArr abst i (λ v v)=rArr abst i (λ vVAR n)

j lt i =rArr abst i (λ vBND j)[[ abst i f abst i g ]] =rArr abst i (λ v f v $$ g v)

abst (Suc i) f =rArr abst i (λ vABS (f v))

This definition is best explained in terms of the next functionabstr [ expr rArr expr ]rArr bool We set abstr e == abst 0 e This function de-

termines when an expression e of type expr rArr expr is an abstraction Thisis a key idea and the notion of an abstraction is central to the formulation ofinduction principles We illustrate the notion by example Suppose that ABS eis proper for example let e = ABS (BND 0 $$ BND 1) Then e is of level 1 andin particular there may be some bound indices which now dangle for exam-ple BND 1 in ABS (BND 0 $$ BND 1) An abstraction is produced by replacingeach occurrence of a dangling index with a metavariable (which can be auto-mated with insts) and then abstracting the meta variable Our example yieldsthe abstraction λ vABS (BND 0 $$ v)

lbnd [ bnd expr rArr expr expr ]rArr bool This predicate is defined as an in-

ductive subset of S def= bnd lowast (expr rArr expr) lowast expr The inductive definitionis

=rArr lbnd i (λ v v) (BND i)=rArr lbnd i (λ vVAR n) (VAR n)=rArr lbnd i (λ vBND j) (BND j)

[[ lbnd i f s lbnd i g t ]] =rArr lbnd i (λ v f v $$ g v) (s $$ t)lbnd (Suc i) f s =rArr lbnd i (λ vABS (f v)) (ABS s)

18 Simon J Ambler et al

There is a default case (omitted above) which is called when the second argumentdoes not match any of the given patterns It is a theorem that this defines afunction The proof is by induction on the rank of the function where rank f == size (f (VAR 0))

lbind [ bnd expr rArr expr ]rArr expr Set lbind i e == ε s lbnd i e s where ε

is the description operator Consider the abstraction λ vABS (BND 0 $$ v) Thearguments to lbind consist of a bound index and an abstraction The intuitiveaction of this function is that it replaces each bound occurrence of a bindingvariable in the body of an abstraction with a bound index so that a level 1expression results This is the reverse of the procedure defined in the paragraphconcerning abstractions where dangling indices were instantiated to metavari-ables using insts In practice lbind will be called on 0 at the top level Thus onehas

lbind 0 (λ vABS (BND 0 $$ v)) = = ABS (BND 0 $$ BND 1)

lambda (expr rArr expr)rArr expr Set lambda e == ABS (lbind 0 e) Its pur-pose is to transform an abstraction into the ldquocorrespondingrdquo proper de Bruijnexpression Our running example yields

lambda (λ vABS (BND 0 $$ v)) = ABS (ABS (BND 0 $$ BND 1))

It is easy to perform induction over a datatype of de Bruijn terms Howeverwe wish to be able to perform induction over the Hybrid expressions which wehave just given In order to do this we want to view the functions CON VAR$$ and lambda as datatype constructors that is they should be injective withdisjoint images In fact we identify subsets of expr and expr rArr expr for whichthese properties hold The subset of expr consists of those expressions which areproper The subset of expr rArr expr consists of all those e for which LAM v e vis proper In fact this means e is an abstraction which is intuitive but requiresproofmdashit is a Hybrid theorem We can then prove that

[[ abstr e abstr f ]] =rArr (Lamx e x = Lam y f y) = (e = f) INJ

which says that lambda is injective on the set of abstractions This is crucial forthe proof of an induction principle for Hybrid which is omitted for reasons ofspace but will appear in a journal version of this paper

4 Hybrid as a Logical Framework

Recall that in Section 2 we showed that Hybrid supports HOAS In this sectionwe show how Hybrid can be used as a logical framework to representobject logics and further how we can perform tactical theorem prov-ingThe system provides

ndash A number of automatic tactics for example proper tac (resp abstr tac) willrecognize whether a given term is indeed proper (resp an abstraction)

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 19

ndash A suite of theorems for example the injectivity and distinctness propertiesof Hybrid constants and induction principles over expr and expr rArr expras discussed in Section 3

Note that the adequacy of our representations will be proved in a forthcomingpaper

41 Quantified Propositional Logic

We begin with an encoding of the quantified propositional logic introduced inSection 1 While the fragment presented there is functionally complete we chooseto work with the following syntax

Q = Vi | notQ | Q andQprime | Q orQprime | Q sup Qprime | forallVi Q | existVi Q

This will allow us to demonstrate the representation of object level syntax indetail and show some properties of an algorithm to produce negation normalformsSo far we have written expr for the type of Hybrid expressions This was

to simplify the exposition and does not correspond directly to our code Thereone sees that Hybrid actually provides a type con expr of de Bruijn expressionswhere con is a type of names of constants Typically such names are for objectlogic constructors Thus we can define a different type con for each object logicwe are dealing with In the case of QPL we declare

con = cNOT | cIMP | cAND | cOR | cALL | cEX

followed by a Isabelle HOL type whose elements represent the object level formu-lae namely oo == con expr Readers should pause to recall the logical framework(and HOAS) of Section 1Now we show how to represent the object level formulae as Hybrid expres-

sions of type oo The table below shows analogous constructs in LF and Hybrid

Constants Application AbstractionLF name e1 e2 λ vi e

Hybrid CON cNAME e1 $$ e2 LAM vi e

In the next table we show the representation of the object level formulae Q sup Qprime

and forallVi Q in LF and Hybrid where minus is a translation functionLF Imp Q Qprime All (λ v Q)

Hybrid CON cIMP $$ Q $$ Qprime CON cALL $$ LAM v QAbbrevs Q Imp Qprime All v Q

The bottom row introduces some Isabelle HOL binders as abbreviations for themiddle row where the Isabelle HOL definitions are

q Imp qprime == CON cIMP $$ q $$ qprime where Imp [ oo oo ]rArr oo

20 Simon J Ambler et al

and

All v q v == CON cALL $$ LAM v q v where All (oo rArr oo)rArr oo

The code for the representation of the remainder of QPL is similar

And [ oo oo ]rArr oo Or [ oo oo ]rArr ooq And qprime == CON cAND $$ q $$ qprime q Or qprime == CON cOR $$ q $$ qprime

Not oo rArr oo Ex (oo rArr oo)rArr ooNot q == CON cNOT $$ q Ex v q v == CON cEX $$ LAM v q v

The QPL formula forallV1 forallV2 V1 sup V2 is represented by All v1All v2 v1 Imp v2although the ldquorealrdquo underlying form is

CON cALL $$ (LAM v1CON cALL $$ LAM v2 (CON cIMP $$ v1 $$ v2)

These declarations almost induce a data-type in the sense the above definedconstants enjoy certain freeness properties much as they would if they weredatatype constructors We can prove that they define distinct values for ex-ample All v q v = Ex v q v This is achieved by straightforward simplificationof their definitions to the underlying representation Injectivity of higher-orderconstructors (recall the end of Section 1) holds conditionally on their bodies be-ing abstractions In particular recall from Section 3 the result INJ that theLAM binder is injective on the set of abstractions Simplification will yield[[ abstr e abstr f All v e v = All v f v ]] =rArr e = f Since the type oo of le-gal formulae is merely an abbreviation for Hybrid expressions we need to in-troduce a ldquowell-formednessrdquo predicate such that isForm Q holds iff Q is alegal object level formula2 The inductive definition of isForm in Isabelle HOLis immediate as far as the propositional part of QPL is concerned for exam-ple [[ isForm p isForm q ]] =rArr isForm ( p Imp q) For the quantified part we firstremark that in a framework such as LF one would write

[[ forally isForm y rarr isForm (p y) ]] =rArr isForm (All v p v)

This is not possible in Isabelle HOL since the above clause if taken as primitivewould induce a (set-theoretic) non-monotone operator and cannot be part of anintroduction rule in an inductive definition Therefore we instead descend intothe scope of the quantifier replacing it with a fresh free variable and add thecorresponding base case

isForm (VAR i)[[ abstr p foralli isForm (p (VAR i)) ]] =rArr isForm (All v p v)

We can now proceed to an encoding of an algorithm for negation normalform as an inductive relation where we skip some of the propositional clauses

2 Please see remarks in Section 7 concerning internalizing such predicates as types

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 21

and Φ abbreviates abstr p abstr q

nnf (VAR i) (VAR i)nnf (Not (VAR i)) (Not (VAR i))

nnf b d =rArr nnf (Not (Not b)) d[[ nnf (Not p) d nnf (Not q)e ]] =rArr nnf (Not ( p And q)) ( d Or e)

[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Not (Ex v p v)) (All v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Not (All v p v)) (Ex v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (All v p v) (All v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Ex v p v) (Ex v q v)

Note how in the binding cases we explicitly state in Φ which second-orderterms are abstractions this allows us to exploit the injectivity of abstractions toderive the appropriate elimination rulesIt is possible to show in a fully automatic way that the algorithm yields

negation normal forms (whose definition is omitted) that is nnf q qprime =rArr isNnf qprimeMoreover it is a functional relation nnf q q1 =rArr forallq2 nnf q q2 rarr q1 = q2 Thelatter proof exploits a theorem regarding extensionality of abstractions namely

[[ abstr e abstr f foralli e (VAR i) = f (VAR i) ]] =rArr e = f

Note that the above is taken as an axiom in the Theory of Contexts [17]

42 Operational Semantics in the Lazy Lambda Calculus

The object logic in this section is yet another λ-calculus Abramskyrsquos lazy one[2] We describe some properties of its operational semantics In particular wegive HOAS encodings of some notions such as divergence and simulation whichare naturally rendered coinductivelymdashthis can only be approximated in otherapproaches as we discuss in Section 6To represent the lazy λ-calculus the type con will contain the names cAPP

and cABS used to represent object level application and abstraction We thendefine the constants below from these names where lexp == con expr

[ lexp lexp ]rArr lexp Fun (lexp rArr lexp)rArr lexpp q == CON cAPP $$ p $$ q Funx f x == CON cABS $$ LAM x f x

The definition of the well-formedness predicate isExp is analogous to the one inSection 4 and is omittedThe benefits of obtaining object-level substitution via metalevel β-conversion

are exemplified in the encoding of call-by-name evaluation (on closed terms) viathe inductive definition of gtgt [ lexp lexp ]rArr bool

[[ abstr e foralli isExp (e (VAR i)) ]] =rArr Funx e x gtgt Funx e x[[ e1 gtgt Funx e x abstr e isExp e2 (e e2) gtgt v ]] =rArr (e1 e2) gtgt v

Standard properties such as uniqueness of evaluation and value soundness havedirect proofs based only on structural induction and the introduction and elim-ination rules

22 Simon J Ambler et al

Divergence can be defined co-inductively as the predicate divrg lexp rArrbool

[[ isExp e1 isExp e2 divrg e1 ]] =rArr divrg (e1 e2)[[ e1 gtgt Funx e x abstr e isExp e2 divrg (e e2) ]] =rArr divrg (e1 e2)

We can give a fully automated co-inductive proof of the divergence of combi-nators such as Ω

def= (Funx x x) (Funx x x) once we have added theabstr tac tactic to the built-in simplifier Moreover there is a direct proof thatconvergence and divergence are exclusive and exhaustiveApplicative (bi)simulation le [ lexp lexp ] rArr bool is another interesting

(co-inductive) predicate with the single introduction rule

[[ forallt r gtgt Funx t x and abstr trarr (existu s gtgt Funx u x and abstr u and(forallpisExp prarr (t p) le (u p))) ]] =rArr r le s

The HOAS style here greatly simplifies the presentation and correspondinglythe metatheory Indeed with the appropriate instantiation of the coinductiverelation the proofs that simulation is a pre-order and bisimulation an equivalencerelation are immediate Other verified properties include Kleene equivalence isa simulation and divergent terms are the least element in this order

43 The Higher-Order π-Calculus

We present an encoding of the monadic higher-order π-calculus [24] with struc-tural congruence and reaction rules see [11] for a review of other styles of en-codings for the first-order case The syntax is given by the following where a aranges over names X over agent variables

α = τ | a(X) | a〈P 〉P = X | ΣiisinIαi P | (P1 | P2) | (νa)P

The encoding introduces appropriate type abbreviations (namely pi and name)and constants we concentrate on restriction input and output

New (name rArr pi)rArr pi(New a)p a == CON cNU $$ LAM a p a

In [name (pi rArr pi) ]rArr piIn a (p) == CON cIN $$ lambda p

Out [name pi pi ]rArr piOut a〈p〉q == CON cOUT $$ a $$ p $$ q

Replication is defined from these constants and need not be primitive

p == (New a)(D|Out a〈p|D〉) where D == In a (λx (x|Out a〈x〉))We then inductively define well-formed processes isProc p whose introductionrules are omitting non-binding cases

isProc (VAR i)[[ abstr p foralla isName ararr isProc (p a) ]] =rArr isProc (New a)p a

[[ abstr p isName a foralli isProc (p (VAR i)) ]] =rArr isProc In a (p)

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 23

Restriction being represented as a function of type name rArr pi is well-formed ifits body (p a) is under the assumption isName a this differs from input whichcontains a function of type pi rArr pi

Process abstraction is defined by procAbstr p == abstr p and (forallq isProc q rarrisProc (p q)) Next structural congruence is introduced and we proceed to encodereaction rules as the inductive definition minusrarr [ pi rArr pi ]rArr bool Note that thepresence of the structural rule make this unsuitable for search Here is a sample

[[ procAbstr p isProc q isProc pprime isName a ]] =rArr In a (p)|Out a〈q〉pprime minusrarr (p q)|pprime

[[ abstr p abstr pprime (foralla isName ararr (p a) minusrarr (pprime a)) ]] =rArr (New a)p a minusrarr (New a)pprime a

A formalization of late operational semantics following [18] is possible and willbe treated within a separate paper

5 A Theory of Hybrid

The goal of this section is to describe a mathematical model of Hybridand then show that the model provides an adequate representationof the λ-calculus The work here serves to illustrate and under-pinHybrid We proceed as follows In Section 51 we set up an explicit bijectionbetween the set of alpha equivalence classes of lambda expressions and the setof proper de Bruijn terms This section also allows us to introduce notationIn Section 52 we prove adequacy for an object level λ-calculus by proving anequivalent result for (proper) object level de Bruijn expressions and appealingto the bijectionFirst some notation for the object level λ-calculus expressions are inductively

defined by E = Vi | E E | ΛVi E We write E[EprimeVi] for capture avoidingsubstitution E simα Eprime for α-equivalence and [E]α for alpha equivalence classesWe write LE for the set of expressions and LEsimα for the set of all alphaequivalence classes The set of de Bruijn expressions is denoted by DB andgenerated by D = i | i | D $ D | A(D) where i is a free index We write DB(l)for the set of expressions at level l and PDB for the set of proper expressionsNote that PDB = DB(0) sub DB(1) sub DB(l) sub DB and DB = ⋃lltω DB(l)

51 A Bijection between λ-Calculus and Proper de Bruijn

Theorem 1 There is a bijection θLEsimα PDBφ between the set LEsimα

of alpha equivalence classes of λ-calculus expressions and the set PDB of properde Bruijn expressions

In order to prove the theorem we first establish in Lemma 1 and Lemma 2the existence of a certain family of pairs of functions [[minus]]LLE DB(|L|) (|minus|)LHere list L of length |L| is one whose elements are object level variables Vi Wesay that L is ordered if it has an order reflected by the indices i and no repeatedelements The first element has the largest index We write ε for the empty list

Lemma 1 For any L there exists a function [[minus]]LLE rarr DB(|L|) given recur-sively by

24 Simon J Ambler et al

ndash [[Vi]]Ldef= if Vi isin L then i else posn Vi L where posn Vi L is the position of Vi

in L counting from the head which has position 0ndash [[E1 E2]]L

def= [[E1]]L $ [[E2]]Lndash [[ΛVi E]]L

def= A([[E]]ViL)

Lemma 2 For any ordered L there exists a function (|minus|)LDB(|L|) rarr LEgiven recursively by

ndash (|i|)L def= Vi

ndash (|j|)L def= elem j L the jth element of L

ndash (|D1 $ D2|)L def= (|D1|)L (|D2|)Lndash (|A(D)|)L def= ΛVM+1 (|D|)VM+1L where M

def= Max (DL)

Max (DL) denotes the maximum of the free indices which occur in D and theindex j where Vj is the head of L

The remainder of the proof involves establishing facts about these functionsIt takes great care to ensure all details are correct and many sub-lemmas arerequired We prove that each pair of functions ldquoalmostrdquo gives rise to an isomor-phism namely that [[(|D|)L]]L = D and that (|[[E]]L|)Lprime simα E[LprimeL] Let qLE rarrLEsimα be the quotient function We define θ([E]α)

def= [[E]]ε and φdef= q (|minus|)ε

and the theorem follows by simple calculation Although our proofs take greatcare to distinguish α-equivalence classes from expressions we now write simplyE instead of [E]α which will allow us to write [[minus]]LLEsimα DB(|L|) (|minus|)L

52 Adequacy of Hybrid for the λ-Calculus

It would not be possible to provide a ldquocompleterdquo proof of the adequacy of theHybrid machine tool for λ-calculus A compromise would be to work with amathematical description of Hybrid but even that would lead to extremely longand complex proofs Here we take a more narrow approachmdashwe work with whatamounts to a description of a fragment of Hybrid as a simply typed lambdacalculusmdashpresented as a theory in a logical framework as described in Section 1Before we can state the adequacy theorem we need a theory in the logicalframework which we regard as a ldquomodelrdquo of Hybrid The theory has ground typesexpr var and bnd The types are generated by σ = expr | var | bnd | σ rArr σWe declare constants

i var BND bnd rArr expri bnd $$ expr rArr expr rArr expr

VAR var rArr expr ABS expr rArr expr

where i ranges over the natural numbers The objects are generated as in Sec-tion 1 Shortage of space means the definitions are omittedmdashhere we aim to givea flavour of our results Our aim is to prove

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 25

Theorem 2 (Representational Adequacy)

ndash There is an injective function || minus ||εLEsimα rarr CLFexpr(empty) which isndash compositional on substitution that is

||E[EprimeVi]||ε = subst ||Eprime||ε i ||E||εwhere subst eprime i e is the function on canonical expressions in which eprime replacesoccurrences of VAR i in e The definition of meta substitution and the setCLFexpr (Γ ) of canonical objects in typing environment Γ is omitted

To show adequacy we establish the existence of the following functions

LEsimα|| minus ||L CLFexpr(β(L)) ΣL DB(|L|)

The function β is a bijection between object level variables Vi and meta variablesvi Thus β(Vi) = vi The notation β(L) means ldquomaprdquo β along L We write β(L)for a typing environment in the framework with all variables of type expressionFrom now on all lists L are ordered The function ΣL is defined by the clauses

ndash ΣL idef= VAR i

ndash ΣL idef= elem i β(L)

ndash ΣL (D1 $ D2)def= ΣL D1 $$ ΣL D2

ndash ΣLA(D)def= lambda (λ vM+1 ΣVM+1L D) = LAM vM+1 ΣVM+1L D where

Mdef= Max (DL) (see Lemma 2)

The definition of ||minus||L is ΣL [[minus]]L Note that this is a well defined function onan α-equivalence class because [[minus]]L is In view of Theorem 1 and the definitionof || minus ||ε it will be enough to show the analogous result for the function Σε The proof strategy is as follows We show that there is a function insts whichmaps de Bruijn expressions to canonical objects possesses a left inverse andis compositional with respect to substitution Then we prove that the action ofΣL is simply that of the insts function Proofs of results will appear in a journalversion of this paper

6 Related Work

Our work could not have come about without the contributions of others Herefollowing [28] we classify some of these contributions according to the mathemati-cal construct chosen to model abstraction The choice has dramatic consequenceson the associated notions of recursion and proof by induction

ndash De Bruijn syntax [4] we do not review this furtherndash Name-carrying syntax here abstractions are pairs ldquo(name expression)rdquo andthe mechanization works directly on parse trees which are quotiented by α-conversion [22299] While recursioninduction is well-supported the detail

26 Simon J Ambler et al

that needs to be taken care of on a case-by-case basis tends to be overwhelm-ing To partially alleviate this [1] defines name-carrying syntax in terms ofan underlying type of De Bruijn λ-expressions which is then used as a meta-logic where equality is α-convertibility Very recently in [1028] Gabbay andPitts have introduced a novel approach based on the remarkable observationthat a first-order theory of α-conversion and binding is better founded onthe notion of name swapping rather than renaming The theory can eitherbe presented axiomatically as formalizing a primitive notion of swappingand freshness of names from which binding can be derived or as a non-classical set-theory with an internal notion of permutation of atoms Sucha set-theory yields a natural notion of structural induction and recursionover α-equivalence classes of expressions but it is incompatible with theaxiom of choice The aim of Pitts and Gabbayrsquos approach is to give a sat-isfying foundation of the informal practice of reasoning modulo renamingmore than formulate an alternative logical framework for metareasoning (al-though this too is possible) An ML-like programming language FreshMLis under construction geared towards metaprogramming applications

ndash Abstractions as functions from names to expressions mentioned in [1] (anddeveloped in [12]) it was first proposed in [5] as a way to have bindersas functions on inductive data-types while coping with the issue of exoticexpressions stemming from an inductive characterization of the set of namesThe most mature development is Honsell et alrsquos framework [17] whichexplicitly embraces an axiomatic approach to metareasoning with HOASIt consists of a higher-order logic inconsistent with unique choice but ex-tended with a set of axioms called the Theory of Contexts parametric toa HOAS signature Those axioms include the reification of key propertiesof names akin to freshness More crucially higher-order induction and re-cursion schemata on expressions are also assumed The consistency of suchaxioms with respect to functor categories is left to a forthcoming paper Theapplication of this approach to object logics such as the π-calculus [18] suc-ceeds not only because the possibility to ldquoreflectrdquo on names is crucial forthe metatheory of operations such as mismatch but also because here hy-pothetical judgments which are only partially supported in such a style [5]are typically not needed Moreover β-conversion can implement object-levelsubstitution which is in this case simply ldquonamerdquo for bound variable in aprocess The latter may not be possible in other applications such as theambient calculus This is also the case for another case-study [23] wherethese axioms seem less successful In particular co-induction is availablebut the need to code substitution explicitly makes some of the encodingfairly awkward

ndash Abstractions as functions from expressions to expressions [2615] We candistinguish here two main themes to the integration of HOAS and induc-tion one where they coexist in the same language and the other whereinductive reasoning is conducted at an additional metalevel In the first onethe emphasis is on trying to allow (primitive) recursive definitions on func-tions of higher type while preserving adequacy of representations this has

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 27

been realized for the simply-typed case in [7] and more recently for thedependently-typed case in [6] The idea is to separate at the type-theoreticlevel via an S4 modal operator the primitive recursive space (which encom-passes functions defined via case analysis and iteration) from the parametricfunction space (whose members are those convertible to expressions builtonly via the constructors)On the other side the Twelf project [27] is built on the idea of devising an ex-plicit (meta)metalogic for reasoning (inductively) about logical frameworksin a fully automated wayM2 is a constructive first-order logic whose quan-tifiers range over possibly open LF object over a signature In the metalogicit is possible to express and inductively prove metalogical properties of anobject logic By the adequacy of the encoding the proof of the existenceof the appropriate LF object(s) guarantees the proof of the correspond-ing object-level property It must be remarked that Twelf usage model isexplicitly non-interactive (ie not programmable by tactics) Moreover co-inductive definitions have to be rewritten in an inductive fashion exploitingthe co-continuity of the said notion when possibleMiller and McDowell [20] introduce a metameta logic FOλ∆IN that is basedon intuitionistic logic augmented with definitional reflection [14] and induc-tion on natural numbers Other inductive principles are derived via the use ofappropriate measures At the metameta level they reason about object-leveljudgments formulated in second-order logic They prove the consistency ofthe method by showing that FOλ∆IN enjoys cut-elimination [19] FOλ∆IN

approach [20] is interactive a tactic-based proof editor is under developmentbut the above remark on co-induction applies

7 Conclusions and Future Work

The induction principles of Hybrid involve universal quantifications over freevariables when instantiating abstractions It remains future work to determinethe real utility of our principles and how they compare to more standard treat-ments Informal practice utilises the someany quantifier that has emerged for-mally in [10] McKinna and Pollack discuss some of these issues in [21]Several improvements are possibleWe will internalize the well-formedness predicates as abstract types in Is-

abelle HOL significantly simplifying judgments over object logics For examplethe subset of lazy λ-calculus expressions identified by predicate isExp will becomea type say tExp so that evaluation will be typed as gtgt [ tExp tExp ]rArr bool We will specialize the abstr predicate to the defined logic so that it will havetype (tExp rArr tExp)rArr bool We envisage eventually having a system similar in spirit to Isabelle HOLrsquos

datatype package where the user is only required to enter a binding signaturefor a given object logic the system will provide an abstract type characterizingthe logic plus a series of theorems expressing freeness of the constructors of sucha type and an induction principle on the shape of expressions analogous to theone mentioned in Section 3

28 Simon J Ambler et al

We are in the process of further validating our approach by applying ourmethods to the compiler optimization transformations for Benton amp KennedyrsquosMIL-lite language [3]We intend to develop further the theory of Hybrid Part of this concerns

presenting the full details of the material summarized here There are also addi-tional results which serve to show how Hybrid relates to λ-calculus For exam-ple we can prove that if abstr e then there exists [ΛVi E]α isin LEsimα such that||ΛVi E||ε = LAM vi e vi On a deeper level we are looking at obtaining cate-gorical characterisations of some of the notions described in this paper basedon the work of Fiore Plotkin and Turi in [8]A full journal version of this paper is currently in preparation which in

particular will contain a greatly expanded section on the theory of Hybrid andprovide full details of the case studies

Acknowledgments

We would like to thank Andy Gordon for useful discussions and having providedthe HOL script from [1] We thank Simon Gay for discussions and ideas con-cerning the π-calculus Finally we are very grateful for the financial support ofthe UK EPSRC

References

1 A Gordon A mechanisation of name-carrying syntax up to alpha-conversion InJJ Joyce and C-JH Seger editors International Workshop on Higher OrderLogic Theorem Proving and its Applications volume 780 of Lecture Notes in Com-puter Science pages 414ndash427 Vancouver Canada Aug 1993 University of BritishColumbia Springer-Verlag published 1994

2 S Abramsky The lazy lambda calculus In D Turner editor Research Topics inFunctional Programming pages 65ndash116 Addison-Wesley 1990

3 N Benton and A Kennedy Monads effects and transformations In Proceedingsof the 3rd International Workshop in Higher Order Operational Techniques in Se-mantics volume 26 of Electronic Notes in Theoretical Computer Science Elsevier1998

4 N de Bruijn Lambda-calculus notation with nameless dummies A tool for auto-matic formula manipulation with application to the Church-Rosser theorem IndagMath 34(5)381ndash392 1972

5 J Despeyroux A Felty and A Hirschowitz Higher-order abstract syntax in CoqIn M Dezani-Ciancaglini and G Plotkin editors Proceedings of the InternationalConference on Typed Lambda Calculi and Applications pages 124ndash138 EdinburghScotland Apr 1995 Springer-Verlag LNCS 902

6 J Despeyroux and P Leleu Metatheoretic results for a modal λ-calculus Journalof Functional and Logic Programming 2000(1) 2000

7 J Despeyroux F Pfenning and C Schurmann Primitive recursion for higher-order abstract syntax In R Hindley editor Proceedings of the Third InternationalConference on Typed Lambda Calculus and Applications (TLCArsquo97) pages 147ndash163 Nancy France Apr 1997 Springer-Verlag LNCS

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 29

8 M Fiore GD Plotkin and D Turi Abstract Syntax and Variable Binding InG Longo editor Proceedings of the 14th Annual Symposium on Logic in ComputerScience (LICSrsquo99) pages 193ndash202 Trento Italy 1999 IEEE Computer SocietyPress

9 J Ford and IA Mason Operational Techniques in PVS ndash A Preliminary Evalua-tion In Proceedings of the Australasian Theory Symposium CATS rsquo01 2001

10 M Gabbay and A Pitts A new approach to abstract syntax involving binders InG Longo editor Proceedings of the 14th Annual Symposium on Logic in ComputerScience (LICSrsquo99) pages 214ndash224 Trento Italy 1999 IEEE Computer SocietyPress

11 S Gay A framework for the formalisation of pi-calculus type systems in Is-abelleHOL In Proceedings of the 14th International Conference on TheoremProving in Higher Order Logics (TPHOLs 2001 LNCS Springer-Verlag 2001

12 AD Gordon and T Melham Five axioms of alpha-conversion In J von WrightJ Grundy and J Harrison editors Proceedings of the 9th International Conferenceon Theorem Proving in Higher Order Logics (TPHOLsrsquo96) volume 1125 of LectureNotes in Computer Science pages 173ndash190 Turku Finland August 1996 Springer-Verlag

13 EL Gunter Why we canrsquot have SML style datatype declarations in HOL InLJM Claese and MJC Gordon editors Higher Order Logic Theorem Provingand Its Applications volume Andash20 of IFIP Transactions pages 561ndash568 North-Holland Press Sept 1992

14 L Hallnas Partial inductive definitions Theoretical Computer Science 87(1)115ndash147 July 1991

15 R Harper F Honsell and G Plotkin A framework for defining logics Journalof the Association for Computing Machinery 40(1)143ndash184 Jan 1993

16 M Hofmann Semantical analysis for higher-order abstract syntax In G Longoeditor Proceedings of the 14th Annual Symposium on Logic in Computer Science(LICSrsquo99) pages 204ndash213 Trento Italy July 1999 IEEE Computer Society Press

17 F Honsell M Miculan and I Scagnetto An axiomatic approach to metareasoningon systems in higher-order abstract syntax In Proc ICALP 2001 volume 2076 inLNCS pages 963ndash978 Springer-Verlag 2001

18 F Honsell M Miculan and I Scagnetto π-calculus in (co)inductive type theoriesTheoretical Computer Science 2(253)239ndash285 2001

19 R McDowell Reasoning in a Logic with Definitions and Induction PhD thesisUniversity of Pennsylvania 1997

20 R McDowell and D Miller Reasoning with higher-order abstract syntax in alogical framework ACM Transaction in Computational Logic 2001 To appear

21 J McKinna and R Pollack Some Type Theory and Lambda Calculus FormalisedTo appear in Journal of Automated Reasoning Special Issue on Formalised Math-ematical Theories (F Pfenning Ed)

22 TF Melham A mechanized theory of the π-calculus in HOL Nordic Journal ofComputing 1(1)50ndash76 Spring 1994

23 M Miculan Developing (meta)theory of lambda-calculus in the theory of contextsIn S Ambler R Crole and A Momigliano editors MERLIN 2001 Proceedingsof the Workshop on MEchanized Reasoning about Languages with variable bINd-ing volume 58 of Electronic Notes in Theoretical Computer Scienc pages 1ndash22November 2001

24 J Parrow An introduction to the pi-calculus In J Bergstra A Ponse andS Smolka editors Handbook of Process Algebra pages 479ndash543 Elsevier Science2001

30 Simon J Ambler et al

25 F Pfenning Computation and deduction Lecture notes 277 pp Revised 19941996 to be published by Cambridge University Press 1992

26 F Pfenning and C Elliott Higher-order abstract syntax In Proceedings of theACM SIGPLANrsquo88 Symposium on Language Design and Implementation pages199ndash208 Atlanta Georgia June 1988

27 F Pfenning and C Schurmann System description Twelf mdash A metalogical frame-work for deductive systems In H Ganzinger editor Proceedings of the 16th Inter-national Conference on Automated Deduction (CADE-16) pages 202ndash206 TrentoItaly July 1999 Springer-Verlag LNAI 1632

28 A M Pitts Nominal logic A first order theory of names and binding InN Kobayashi and B C Pierce editors Theoretical Aspects of Computer Software4th International Symposium TACS 2001 Sendai Japan October 29-31 2001Proceedings volume 2215 of Lecture Notes in Computer Science pages 219ndash242Springer-Verlag Berlin 2001

29 R Vestergaard and J Brotherson A formalized first-order conflence proof for theλ-calculus using one sorted variable names In A Middelrop editor Proceedingsof RTA 2001 volume 2051 of LNCS pages 306ndash321 Springer-Verlag 2001

Ecient Reasoning about Executable

Specications in Coq

Gilles Barthe and Pierre Courtieu

INRIA Sophia-Antipolis FranceGillesBarthePierreCourtieusophiainriafr

Abstract We describe a package to reason eciently about executablespecications in Coq The package provides a command for synthesizinga customized induction principle for a recursively dened function anda tactic that combines the application of the customized induction prin-ciple with automatic rewriting We further illustrate how the packageleads to a drastic reduction (by a factor of 10 approximately) of the sizeof the proofs in a large-scale case study on reasoning about JavaCard

1 Introduction

Proof assistants based on type theory such as Coq [9] and Lego [15] combinean expressive specication language (featuring inductive and record types) anda higher-order predicate logic (through the Curry-Howard Isomorphism) to rea-son about specications Over the last few years these systems have been usedextensively in particular for the formalization of programming languages Twostyles of formalizations are to be distinguished

the functional style in which specications are written in a functional pro-gramming style using pattern-matching and recursion

the relational style in which specications are written in a logic programmingstyle using inductively dened relations

In our opinion the functional style has some distinctive advantages over its rela-tional counterpart especially for formalizing complex programming languagesIn particular the functional style oers support for testing the specication andcomparing it with a reference implementation and the possibility to generateprograms traces upon which to reason using eg temporal logic Yet it is strik-ing to observe that many machine-checked accounts of programming languagesemantics use inductive relations In the case of proof assistants based on typetheory two factors contribute to this situation

rstly type theory requires functions to be total and terminating (in factthey should even be provably so using a criterion that essentially capturesfunctions dened by structural recursion) therefore specications written ina functional style may be more cumbersome than their relational counter-part

VA Carrentildeo C Muntildeoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 3146 2002ccopy Springer-Verlag Berlin Heidelberg 2002

32 Gilles Barthe and Pierre Courtieu

secondly a proof assistant like Coq oers through a set of inversion [1011]and elimination tactics eective support to reason about relational speci-cations In contrast there is no similar level of support for reasoning aboutexecutable functions

Here we address this second issue by giving a package that provides eective sup-port for reasoning about complex recursive denitions see Section 2 Furtherwe illustrate the benets of the package in reasoning about executable specica-tions of the JavaCard platform [34] and show how its use yields compact proofsscripts up to 10 times shorter than proofs constructed by hand see Section 3Related work is discussed in Section 3 We conclude in Section 5

2 Elimination Principles for Functions

21 Elimination on Inductive Types and Properties

One of the powerful tools provided by proof assistants like Coq for reasoning oninductive types is the elimination principle which is usually generated automat-ically from the denition of the type We see here the denition in Coq of thetype nat and the type of its associated principle

Inductive nat Set = O nat | S natrarrnatnat_ind(P natrarrProp) (P O) rarr((nnat)(P n)rarr(P (S n))) rarr(nnat)(P n)

The logical meaning of an elimination principle attached to an inductive typeT is that closed normal terms of type T have a limited set of possible formsdetermined by the constructors of T It also captures the recursive structure ofthe type It is important to notice that elimination principles are nothing elsethan recursive functions for example the denition of nat_ind is the following

[P natrarrProp f(P O) f0((nnat)(P n)rarr(P (S n)))]Fixpoint F [nnat] (P n) =lt[xnat](P x)gt Cases n of O rArrf

| (S n0) rArr(f0 n0 (F n0))end

The expression lt[xnat](P x)gt is a specic type scheme for dependentlytyped case expressions (dependent types are necessary to represent predicateslike P) It is used to build case branches having dierent types provided thateach one corresponds to the scheme applied to the corresponding pattern Forexample the rst branch is correct because ([xnat](P x) O)=(P O) Sim-ilarly the second case is accepted because (f0 n0 (F n0)) has type (P (Sn0)) which is equal to ([xnat](P x) (S n0))

The type of the whole case expression is obtained by applying the scheme tothe term on which the case analysis is done here n ie (P n)

Reasoning by elimination on an inductive property P can be understoodintuitively as reasoning by induction on the proof of P We see here the principleassociated to the relation le

Ecient Reasoning about Executable Specications in Coq 33

Inductive le [n nat] natrarrProp =le_n (le n n)

| le_S (mnat)(le n m)rarr(le n (S m))

le_ind (nnat P(natrarrProp))(P n) rarr ((mnat)(le n m)rarr(P m)rarr(P (S m)))rarr (mnat)(le n m)rarr(P m)

Suppose we are trying to prove (P m) for all m such that H(le n m) wecan apply the theorem le_ind which leads to two subgoals corresponding tothe possible constructors of le This way of reasoning which has proved to bevery useful in practice makes relational specications a popular solution

22 Elimination Following the Shape of a Function

Basic Idea When we choose a functional style of specication recursive func-tions are used instead of inductive relations and elimination principles are usu-ally not automatically available However once a function is dened (ie provedterminating which is automatic in Coq for structural recursion) it is relativelynatural to build an induction principle which follows its shape It allows reason-ing by induction on the possible branches of the denition of the function Sincethe new term follows the same recursive calls as the function we know that thisnew term denes a correct induction scheme and that it will be accepted by CoqFor example the following function

Fixpoint isfourtime [nnat] bool =Cases n of | O rArr true

| (S S S S m) rArr (isfourtime m)| _ rArr false

end

yields an induction principle with a nested case analysis of depth 5 Redoing allthe corresponding steps each time we want to consider the dierent paths of thefunction would be long and uninteresting (see Section 3 for more examples)

We have designed a Coq package allowing automation of the inductivecaseanalysis process According to the Coq paradigm our package builds proof terms

in the Curry-Howard philosophy Surprisingly the presence of proof terms is help-ful since functions and proofs are all represented by λ-terms we can build proofterms by transforming the term of the function we consider Since moreover wefocus on functions dened by structural recursion (see Section 42 for extension tomore general recursion schemes) termination of the function (and consequentlythe correctness of the elimination principles we generate) is ensured by the typechecking of Coq

The proof of a property forallxP using isfourtime as a model will be a termQ obtained by transforming isfourtime (notice how implicit cases have beenexpanded)

Fixpoint Q [nnat] P =lt[xnat](P x)gt Cases n of

34 Gilles Barthe and Pierre Courtieu

| O rArr( (P O))| (S O) rArr( (P (S O)))| (S S O) rArr( (P (S S O)))| (S S S O) rArr( (P (S S S O)))| (S S S S m) rArr(((xnat)(P x)rarr(P (S S S S x))) m (Q m))end

where the ve (H) stand for properties H yet to be proved (subgoals) InSubsection 25 we concentrate on the structure of this incomplete term and itsautomatic generation from the denition of the function

Once built this incomplete term can be applied to a particular goal withthe Refine tactic or completed into a general reusable induction principleTo achieve the latter we replace the s by abstracted variables (Hypx in theexample below) We also abstract the predicate (P) and nally obtain a generalprinciple On our example this leads to

[P(natrarrProp) Hyp0(P O) Hyp1(P (S O))Hyp2(P (S (S O))) Hyp3(P (S (S (S O))))Hyp4(xnat) (P x) rarr(P (S (S (S (S x)))))]Fixpoint Q [nnat] P =lt[xnat](P x)gt Cases n of| O rArrHyp0| (S O) rArrHyp1| (S S O) rArrHyp2| (S S S O) rArrHyp3| (S S S S m) rArrHyp4 m (Q m)end

(P(natrarrProp)) (P O) rarr(P (S O)) rarr(P (S (S O)))rarr(P (S (S (S O)))) rarr((xnat) (P x) rarr(P (S (S (S (S x))))))rarr(nnat)(P n)

This term is well-typed and thus denes a correct induction principle

Capturing the Environment of Each Branch In the examples above sub-goals contain nothing more than induction hypotheses but generally this willnot be enough Indeed we need to capture for each subgoal the environment

induced by the branches of Cases expressions which have been chosen We illus-trate this situation with the following function (which computes for every n thelargest m le n such that m = 4k for some k)

Fixpoint findfourtime [nnat] nat =Cases n of| O rArrO| (S m) rArrCases (isfourtime n) of| true rArrn| false rArr(findfourtime m)end

end

Ecient Reasoning about Executable Specications in Coq 35

In this case it is necessary to remember that in the rst branch n=O inthe second branch n=O and (isfourtime n)=true and in the third branch(isfourtime n)=false Otherwise it will be impossible to prove for examplethe following property

P equiv forallnnat(isfourtime (findfourtime n)) = true

Finally the proof of the elimination principle generated from findfourtime

has the form

Fixpoint Q2 [nnat] (P n) =(lt[xbool](isfourtime n)=x rarr(P n)gtCases n of| O rArr((P O))| (S m) rArrlt[bbool](isfourtime (S m))=brarr(P (S m))gtCases (isfourtime (S m)) of| true rArr((isfourtime (S m))=truerarr(P (S m)))| false rArr((P m)rarr(isfourtime (S m))=falserarr(P (S m))) (Q2 m)end (refl_equal bool (isfourtime (S m))))

end

where (reflequal bool (isfourtime (S m))) is the proof of the dier-ent equalities induced by the case analysis Recall that reflequal is the con-structor of the inductive type eq representing the equality so(reflequal A x) is of type (eq A x x))

These proofs are gathered outside the case expression so as to obtain a well-typed term This point is subtle equality proofs have the form (reflequalbool (isfourtime (S m))) which is of type (isfourtime (S m))=(isfourtime (S m)) We see therefore that to be accepted by the case typingrule explained above we must apply this term to a term of type (isfourtime(S m))=(isfourtime (S m))rarr (P (S m)) This is the type of the wholecase expression but not of each branch taken separately So moving thereflequal expression inside the Cases would result in an ill-typed term

23 Contents of the Package

The main components of the package are

A Coq command Functional Scheme which builds a general induction prin-ciple from the denition of a function f It is a theorem of the form

(P (forallxi TiP rop))(H1 PO1)(Hn POn)rarr forallxi Ti(P xi)

where the POis are the proof obligations generated by the algorithm de-scribed above and xis correspond to the arguments of f To make an elim-ination the user just applies the theorem The advantage of this method isthat the structure of the function (and its type checking) is not duplicatedeach time we make an elimination

A tactic Analyze which applies the above algorithm to a particular goalThis tactic allows for more automation see for that section 26

36 Gilles Barthe and Pierre Courtieu

24 Using the Package on an Example

We now prove the following property

P equiv forallnnat(findfourtime n) le n

Using the Tactic Analyze In order to benet from the rewriting steps of thetactic we rst unfold the denition of the function and then apply the tactic

Lemma P(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeAnalyze findfourtime params n

At this point we have the following three subgoals corresponding to the threebranches of the denition of findfourtime notice the induction hypothesison the last one

1 (le O O)

2 [(isfourtime (S m))=true] (le (S m) (S m))

3 [(le (findfourtime m) m) (isfourtime (S m))=false]

(le (findfourtime m) (S m))

Each of these subgoals is then proved by the Auto tactic

Using the General Principle We set

Functional Scheme findfourtime_ind= Induction for findfourtime

Then the proof follows the same pattern as above

Lemma Qrsquo(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeElim n using findfourtime_ind

Again we have three subgoals1 (le O O)

2 [eq(isfourtime (S m))=true]

(le (if (isfourtime (S m))

then (S m) else (findfourtime m)) (S m))

3[(le (findfourtime m) m) eq(isfourtime (S m))=false]

(le (if (isfourtime (S m))

then (S m) else (findfourtime m)) (S m))

We see that some rewriting steps must be done by hand to obtain the sameresult than with the tactic Finally the whole script is the following

Lemma Qrsquo(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeElim n using findfourtime_indIntrosAutoRewrite eqAutoSave

In more complex cases like in section 32 the rewriting operations done by theAnalyze tactic make the script signicantly smaller than when using the generalprinciple

Ecient Reasoning about Executable Specications in Coq 37

25 Inference System

In this subsection we give an inference system to build an elimination princi-ple for a particular property G from a function t The main goal of this sys-tem is to reproduce the structure of the term t including Case Fix let andλ-abstractions until it meets an application a constant or a variable The re-maining terms are replaced by proof obligations whose type is determined by theCase Fix let and λ-abstractions from above The result of this algorithm isan incomplete term like Q2 above from which we can either apply the Refinetactic or build a general principle

Grammar Coqs internal representation of the expressions of the Calculus ofInductive Constructions (CIC) is given in Figure 1 Although our package dealswith mutually recursive functions we omit them from the presentation for clarityreasons The construction Ind(x T )T where T stands for a vector of terms(types actually) is an inductive type whose n-th constructor is denoted by CnT

(in the sequel we often omit T ) In the Fix expression X is bound in f andcorresponds to the function being dened t is its type and f is the body of thefunction In the Case expression tis are functions taking as many arguments asthe corresponding constructors take see [1617]

Variables V = x y Sorts S = Set | Prop | TypeTerms T = V | S | λV TT | forallV TT | (T T )

| Fix(V T T ) | Case T of T end | let T = T in T| Ind(x T )T | CnT

Fig 1 Syntax of terms of CCI

Judgment Judgments are of the form t X G Γ1 Γ2 P where t is the func-tion to use as a model X is the variable corresponding to the recursive function(bound by Fix in t used to nd recursive calls) G is the property to be proved(the goal) Γ1 is the list of bound variables (initially empty) Γ2 is the list ofequalities corresponding to the case analysis and P is the proof term of theprinciple When proving a property G we build a term P containing proof obli-gations represented by ( T ) where T is the awaited property (ie type) thatmust be proved

Rules are given in Figure 2 In the last rule (X ti) represents all recursivecalls found in t In the present implementation no nested recursion is allowedIn the rule (Case) we note (Ci xi) the fully applied constructor Ci

38 Gilles Barthe and Pierre Courtieu

t X G x T cup Γ1 Γ2 P

λx Tt X G Γ1 Γ2 λx TP(Lambda)

foralliti X G xi Ti cup Γ1 E = (Ci xi) cup Γ2 PiCase E of ti end X G Γ1 Γ2

(Case E of Pi end (reflequal TE E))

(Case)

t X G xi Ti isin u cup Γ1 u = v cup Γ2 P

let u = v in t X G Γ1 Γ2 let u = v in P(Let)

f X G Γ1 Γ2 P

Fix(X T f) _ G Γ1 Γ2 Fix(X G P )(Fix)

(X ti) isin t

t X G Γ1 Γ2 (( forallΓ1X ti rarr Γ2 rarr G) Γ1)(Rec)

if t = Fix Caselet or λx Tt

Fig 2 Elimination algorithm

26 More Automation

We can use the equalities generated by the tactic to perform rewriting stepsautomatically thereby reducing the user interactions to achieve the proof

First we can rewrite in the generated hypothesis of each branch We givea modied version of the (Case) rule in gure 3 where Γ2[E larr Ci(xi)] isthe set of equalities Γ2 where E has been replaced by Ci(xi) in the rightmembers

foralliti[E larr Ci(xi)] X G xi Ti cup Γ1 E = (Ci xi) cup Γ2[E larr Ci(xi)] PiCase E of ti end X G Γ1 Γ2

(Case E of Pi end (reflequal TE E))

(Case)

Fig 3 (Case) rule with rewriting

Second we can propagate these rewriting steps in the goal itself This ispossible in the tactic Analyze where we call the Rewrite tactic of Coqwhich performs substitutions in the goal with the set of equalities Γ2As Coq provides a mechanism for foldingunfolding constants it is possiblethat rewriting steps become possible later during the proofs of the generatedsubgoals This is specially true when dealing with complex specications

Ecient Reasoning about Executable Specications in Coq 39

where unfolding all denitions is not comfortable Therefore we also providea rewriting database that contains all the equalities of Γ2 for each branchThe database can be used later with the AutoRewrite tactic

Third we can optimize the Analyze tactic in the particular case of a nonrecursive function applied to constructor terms ie terms of which headsymbol is a constructor of an inductive type For example suppose we havea goal of the form

(nnat)(P (f O (S (S (S n)))))

Where f is a non recursive function It is clear that we do not want toconsider all possible constructors for the arguments of f For example thecase (f (S ) ) is not interesting for us The idea is to focus onthe case branch corresponding to the constructors We use a simple trickto achieve this we apply the function to its arguments and reduce Theresulting term is a new function containing only the relevant case analysisWe apply the tactic to this term instead of the initial functionNote that this optimization is hardly useful for recursive functions becausesome recursive hypothesis can be lost when focusing on a particular branch

3 Applications to JavaCard

In this section we illustrate the benets of our package in establishing correctnessresults for the JavaCard platform Note that for the clarity of presentation theCoq code presented below is a simplied account of [34]

31 Background

JavaCard is a dialect of Java tailored towards programming multi-applicationsmartcards Once compiled JavaCard applets typically electronic purses andloyalty applets are veried by a bytecode verier (BCV) and loaded on thecard where they can be executed by a JavaCard Virtual Machine (JCVM)

Correctness of the JavaCard Platform The JCVM comes in two avours adefensive JCVM which manipulates typed values and performs type-checkingat run-time and an oensive JCVM which manipulates untyped values andrelies on successful bytecode verication to eliminate type verication at run-time Following a strategy streamlined in [14] we want to prove that the oensiveand defensive VMs coincide on those programs that pass bytecode vericationThis involves

formalizing both VMs and show that both machines coincide on those pro-grams whose execution on the defensive VM does not raise a type error

formalizing a BCV as a dataow analysis of an abstract VM that only ma-nipulates types and show that the defensive VM does not raise a type errorfor those programs that pass bytecode verication

40 Gilles Barthe and Pierre Courtieu

In both cases we need to establish a correspondence between two VMs Moreprecisely we need to show that the oensive and abstract VMs are sound (non-standard) abstract interpretations of the defensive VMs in the sense that undersuitable constraints abstraction commutes with execution

CertiCartes [34] is an in-depth feasibility study in the formal verication of theJavaCard platform CertiCartes contains formal executable specications of thethree VMs (defensive abstract and oensive) and of the BCV and a proof thatthe defensive and oensive VM coincide on those programs that pass bytecodeverication The bulk of the proof eort is concerned with the soundness of theoensive and abstract VMs wrt the defensive VM In our initial work suchproofs were performed by successive unfoldings of the case analyses arising inthe denition of the semantics of each bytecode leading to cumbersome proofswhich were hard to produce understand and modify In contrast the Analyzetactic leads to (up to 10 times) smaller proofs that are easier to perform andunderstand as illustrated in the next subsections

32 Applications to Proving the Correspondence between Virtual

Machines

In order to establish that the oensive VM is a sound abstraction of the de-fensive VM one needs to prove that abstraction commutes with execution forevery bytecode of the JavaCard instruction set In the particular case of methodinvocation one has to show

nargsnatnm class_method_idxstate dstatecapjcprogram=========================================let res=(dinvokevirtual nargs nm state cap) inlet ostate=(alpha_off state) inlet ores=(oinvokevirtual nargs nm ostate cap)in (INVOKEVIRTUAL_conds res) rarr(alpha_off res) = ores

where

the abstraction function alpha_offmaps a defensive state into an oensiveone

the predicate INVOKEVIRTUAL_conds ensures that the result state res isnot a type error

the functions dinvokevirtual and oinvokevirtual respectively de-note the defensive and oensive semantics of virtual method invokation

The denition of dinvokevirtual is

Definition dinvokevirtual =[nargsnat][nmclass_method_idx][statedstate][capjcprogram]

Ecient Reasoning about Executable Specications in Coq 41

(lowast The initial state is decomposed lowast)Cases state of(sh (hp nil)) rArr(AbortCode state_error state) |(sh (hp (cons h lf))) rArr

(lowast nargs must be greater than zero lowast)Cases nargs ofO rArr(AbortCode args_error state) |(S _) rArr

(lowast Extraction of the object reference (the nargsth element) lowast)Cases (Nth_func (opstack h) nargs) oferror rArr(AbortCode opstack_error state) |(value x) rArr

(lowast Tests if this element is a reference lowast)Cases x of((Prim _) vx) rArr(AbortCode type_error state) |((Ref _) vx) rArr

(lowast tests if the reference is null lowast)(if (test_NullPointer vx)then (ThrowException NullPointer state cap)else

(lowast Extraction of the referenced object lowast)Cases (Nth_func hp (absolu vx)) oferror rArr(AbortMemory heap_error state) |(value nhp) rArr

(lowast Get the corresponding class lowast)Cases (Nth_elt (classes cap) (get_obj_class_idx nhp)) of(value c) rArr

(lowast Get the corresponding method lowast)Cases (get_method c nm) of(lowast Successful method call lowast)(value m) rArr(new_frame_invokevirtual nargs m nhp state cap) |error rArr(AbortCap methods_membership_error state)end |_ rArr(AbortCap class_membership_error state)end end) end end end end

In our initial work on CertiCartes such statements were proved by handby following the successive case analyses arising in the denition of the semanticsof each bytecode The proofs were hard to produce understand and modify Incontrast the Analyze tactic leads to smaller proofs that are easier to performand understand For example the following script provides the rst steps of theproof

42 Gilles Barthe and Pierre Courtieu

SimplUnfold dinvokevirtualAnalyze dinvokevirtual params nargs nm state cap

At this point nine dierent subgoals are generated each of them correspondingto a full case analysis of the function In the case of a successful method callthe corresponding subgoal is

_eg_8 (get_method c nm)=(value m)_eg_7 (Nth_elt (classes cap) (get_obj_class_idx nhp))

=(value c)_eg_7 (Nth_func hp (absolu vx))=(value nhp)_eg_6 (test_NullPointer vx)=false_eg_5 t=(Ref t0)_eg_4 x=((Ref t0)vx)_eg_3 (Nth_func (opstack h) (S n))=(value ((Ref t0)vx))_eg_2 nargs=(S n)_eg_1 state=(sh(hp(cons h lf)))H (INVOKEVIRTUAL_conds(new_frame_invokevirtual (S n) m nhp (sh(hp(cons h lf))) cap))=========================================(alpha_off(new_frame_invokevirtual (S n) m nhp (sh(hp(cons h lf))) cap))=(oinvokevirtual (S n) nm (alpha_off (sh(hp(cons h lf)))) cap)

This goal as all other goals generated by the tactic can in turn be dischargedusing rewriting and some basic assumptions on the representation of JavaCardprograms

33 Applications to Proving Memory Invariants

In order to establish that the abstract VM is a sound abstraction of the defensiveVM one needs to establish a number of invariants on the memory of the virtualmachine for example that executing the abstract virtual machine does not createillegal JavaCard types such as arrays of arrays Proving such a property is tediousand involves several hundreds of case analyses including a topmost case analysison the instruction set In the case of the load bytecode one is left with the goal

s astatet typel locvars_idx==================================================(legal_types s) rarr(legal_types (tload t l s))

Whereas a proof by hand leaves the user with 29 subgoals to discharge anapplication of the Analyze tactic leaves the user with 3 subgoals to dischargenamely the three interesting cases corresponding to the successful execution ofthe tload bytecode In such examples the use of our tactic reduces the size ofproof scripts by a factor of 10

Ecient Reasoning about Executable Specications in Coq 43

4 Extensions and Related Work

41 Related Work

Our work is most closely related to Slinds work on reasoning about terminatingfunctional programs see eg [20] where Slind presents a complete methodologyto dene a function from a list of equations and a termination relation Thisrelation is used to generate termination conditions which need to be dischargedto prove that the rewrite system dened by the equations terminates From theproofs of the termination conditions Slind automatically synthesizes an induc-tion principle for the function Slinds induction principle is closely related toours but there are some dierences

Slinds work focuses on proof-assistants based on higher-order logic in par-ticular on Isabelle [18] and HOL [13] that do not feature proof terms Inour framework objects properties and proofs are all terms of the Calculusof Inductive Constructions and hence we need to provide a proof term forthe customized principle attached to the function As pointed out in Section2 the construction of the proof term can be done directly by transformingthe term corresponding to the function

Slinds work provides for each total and terminating function f a genericinduction principle that can be used to prove properties about f In contrastthe tactic Analyze starts from the property to be proven say φ and proceedsto build directly a proof of φ by following the shape of the denition off Eventually the tactic returns some proof obligations that are requiredto complete the proof of φ This allows our package to perform rewritingand other operations during the building of the proof leading to a drasticincrease in automation Since similar proof terms are constructed every timeone applies the tactic on the function f it could be argued that such afeature is costly in terms of memory However we have not experienced anyeciency problem although our JavaCard development is fairly large

Slinds work provides support for well-founded and nested recursion whichour package does not handle currently

Our work is also closely related to the induction process dened by Boyerand Moore In Nqthm [8] the directive INDUCT (f v1vn) can be usedduring a proof to perform the same case analysis and recursion steps as in thedenition of f An interesting feature that we do not handle in this paper is theability of merging dierent functions into one single induction principle

These works as well as ours aims at providing ecient support for reasoningabout executable specications An alternative strategy consists in developingtools for executing specications that may be relational at least in part For ex-ample Elf [19] combines type theory and logic programming and hence providessupport for executing relational specications Further there have been someeorts to develop tools for executing specications written in Coq Isabelle orrelated systems In particular some authors have provided support for executingrelational specications for example Berghofer and Nipkow [5] have developed

44 Gilles Barthe and Pierre Courtieu

a tool to execute Isabelle theories in a functional language and used it in thecontext of their work on Java and JavaCard Conversely some authors haveprovided support to translate executable specications into input for proof as-sistants for example Terrasse [2122] has developed a tool to translate Typolspecications into Coq However we believe that executable specications arebetter suited for automating proofs especially because they lend themselves wellto automated theorem-proving and rewriting techniques

A third possible strategy would consist of relating relational and functionalspecications For example one could envision a tool that would derive automat-ically from a functional specication (1) its corresponding relational specication(2) a formal proof that the two specications coincide Such a tool would allowthe combination of the best of both worlds (one could be using eliminationin-version principles to reason about relational specications and then transfer theresults to functional ones) yet we are not aware of any conclusive experience inthis direction

42 Extensions

As emphasized in the introduction the main motivation behind the package isto develop eective tool support to reason about the JavaCard platform Thefollowing two extensions are the obvious next steps towards this objective

support for conditional rewriting rules We would like to introduce functionsusing the format of conditional rewriting rules of [2] Indeed this formatwhich can be automatically translated into Coq (provided the guard condi-tions are satised) lead to more readable specications especially for partialfunctions

support for inversion principles We also would like to provide inversionprinciples like those that exist for inductive types [10] Such principles donot use induction instead they proceed by case analysis and use the factthat constructors of inductive types are injective For example inversionprinciples for functions should allow us to deduce

x=O or x=(S S S S y)and((isfourtime y)=true)

from (isfourtime x)=true support for merging Merging [8] allows to generate a single induction prin-ciple for several functions This technique allows to dene very accurateinduction principles that are very useful in fully automated tactics

From a more general perspective it would be interesting to provide support fornested and well-founded recursion Furthermore a higher automation of equa-tional reasoning is required in the proofs of commuting diagrams One possibilityis to rely on an external tool to generate rewriting traces that are then translatedin Coq There are several candidates for such tools including Elan [6] and Spike[7] and ongoing work to interface them with proof assistants such as Coq seeeg [1]

Ecient Reasoning about Executable Specications in Coq 45

5 Conclusion

We have described a toolset for reasoning about complex recursive functions inCoq A fuller account of the package including a tutorial can be found in [12]

In addition we have illustrated the usefulness of our package in reasoningabout the JavaCard platform This positive experience supports the claim laidin [2] that proofs of correctness of the JavaCard platform can be automated to alarge extent and indicates that proof assistants could provide a viable approachto validate novel type systems for future versions of Javacard

Thanks

We would like to thank the anonymous referees for there constructive remarksYves Bertot for its precious advice ideas and examples Guillaume Dufay for thefeedback on using the tactic intensively and Konrad Slind for the precisions onTFLIsabelle

References

1 C Alvarado and Q-H Nguyen elan for equational reasoning in coq In J De-speyroux editor Proceedings of LFM00 2000 Rapport Technique INRIA

2 G Barthe G Dufay M Huisman and S Melo de Sousa Jakarta a toolset toreason about the JavaCard platform In I Attali and T Jensen editors Proceedingsof e-SMART 2001 volume 2140 of Lecture Notes in Computer Science pages 218Springer-Verlag 2001

3 G Barthe G Dufay L Jakubiec and S Melo de Sousa A formal correspondencebetween oensive and defensive JavaCard virtual machines In A Cortesi editorProceedings of VMCAI 2002 volume 2294 of Lecture Notes in Computer Sciencepages 3245 Springer-Verlag 2002

4 G Barthe G Dufay L Jakubiec B Serpette and S Melo de Sousa A FormalExecutable Semantics of the JavaCard Platform In D Sands editor Proceedingsof ESOP 2001 volume 2028 of Lecture Notes in Computer Science pages 302319Springer-Verlag 2001

5 S Berghofer and T Nipkow Executing higher order logic In P Callaghan Z LuoJ McKinna and R Pollack editors Proceedings of TYPES 2000 volume LNCS2277 of Lecture Notes in Computer Science Springer-Verlag 2002

6 P Borovanskyacute H Cirstea H Dubois C Kirchner H Kirchner P-E MoreauC Ringeissen and M Vittek The Elan V34 Manual 2000

7 A Bouhoula Automated theorem proving by test set induction Journal of Sym-bolic Computation 234777 1997

8 RS Boyer and JS Moore A Computational Logic Handbook Academic Press1988

9 Coq Development Team The Coq Proof Assistant Users Guide Version 72January 2002

10 C Cornes Conception dun langage de haut niveau de representation de preuvesReacutecurrence par ltrage de motifs Unication en preacutesence de types inductifs prim-itifs Synthegravese de lemmes dinversion PhD thesis Universiteacute de Paris 7 1997

46 Gilles Barthe and Pierre Courtieu

11 C Cornes and D Terrasse Automating inversion and inductive predicates in CoqIn S Berardi and M Coppo editors Proceedings of Types95 volume 1158 ofLecture Notes in Computer Science pages 85104 Springer-Verlag 1995

12 P Courtieu Function Schemes in Coq Documentation and tutorial Seehttpwww-sopinriafrlemmePierreCourtieufunschemehtml

13 MJC Gordon and TF Melham editors Introduction to HOL A theorem provingenvironment for higher-order logic Cambridge University Press 1993

14 J-L Lanet and A Requet Formal Proof of Smart Card Applets Correctness InJ-J Quisquater and B Schneier editors Proceedings of CARDIS98 volume 1820of Lecture Notes in Computer Science pages 8597 Springer-Verlag 1998

15 Z Luo and R Pollack LEGO proof development system Users manual TechnicalReport ECS-LFCS-92-211 LFCS University of Edinburgh May 1992

16 C Paulin-Mohring Inductive denitions in the system Coq Rules and propertiesIn M Bezem and JF Groote editors Proceedings of TLCA93 volume 664 ofLecture Notes in Computer Science pages 328345 Springer-Verlag 1993

17 C Paulin-Mohring Deacutenitions Inductives en Theorie des Types dOrdre SuperieurHabilitation agrave diriger les recherches Universiteacute Claude Bernard Lyon I 1996

18 L Paulson Isabelle A generic theorem prover volume 828 of Lecture Notes inComputer Science Springer-Verlag 1994

19 F Pfenning Elf a meta-language for deductive systems In A Bundy editorProceedings of CADE-12 volume 814 of Lecture Notes in Articial Intelligencepages 811815 Springer-Verlag 1994

20 K Slind Reasoning about Terminating Functional Programs PhD thesis TUMuumlnich 1999

21 D Terrasse Encoding natural semantics in Coq In V S Alagar editor Pro-ceedings of AMAST95 volume 936 of Lecture Notes in Computer Science pages230244 Springer-Verlag 1995

22 D Terrasse Vers un environnement daide au deacuteveloppement de preuves en Seacute-mantique Naturelle PhD thesis Ecole Nationale des Ponts et Chausseacutees 1995

Victor A CarrenoCeacutesar A Munoz Sofiegravene Tahar (Eds)

Theorem Provingin Higher Order Logics

15th International Conference TPHOLs 2002Hampton VA USA August 20-23 2002Proceedings

1 3

Series Editors

Gerhard Goos Karlsruhe University GermanyJuris Hartmanis Cornell University NY USAJan van Leeuwen Utrecht University The Netherlands

Volume Editors

Victor A CarrenoNASA Langley Research CenterMS 130 Hampton VA 23681 USAE-mail vacarrenolarcnasagov

Ceacutesar A MunozICASE-Langley Research CenterMS 132C Hampton VA 23681 USAE-mail munozicaseedu

Sofiegravene TaharConcordia University Electrical and Computer Engineering1455 de Maisonneuve Blvd WMontreacuteal Queacutebec H3G 1M8 CanadaE-Mail taharececoncordiaca

Cataloging-in-Publication Data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme

Theorem proving in higher order logics 15th international conference proceedings TPHOLs 2002 Hampton VA USA August 20 - 23 2002Victor A Carreno (ed) - Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo Springer 2002

(Lecture notes in computer science Vol 2410)ISBN 3-540-44039-9

CR Subject Classification (1998) F41 I23 F31 D24 B63

ISSN 0302-9743ISBN 3-540-44039-9 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright All rights are reserved whether the whole or part of the material isconcerned specifically the rights of translation reprinting re-use of illustrations recitation broadcastingreproduction on microfilms or in any other way and storage in data banks Duplication of this publicationor parts thereof is permitted only under the provisions of the German Copyright Law of September 9 1965in its current version and permission for use must always be obtained from Springer-Verlag Violations areliable for prosecution under the German Copyright Law

Springer-Verlag Berlin Heidelberg New Yorka member of BertelsmannSpringer Science+Business Media GmbH

httpwwwspringerde

copy Springer-Verlag Berlin Heidelberg 2002Printed in Germany

Typesetting Camera-ready by author data conversion by Christian Grosche HamburgPrinted on acid-free paper SPIN 10873706 063142 5 4 3 2 1 0

Preface

This volume contains the proceedings of the 15th International Conference onTheorem Proving in Higher Order Logics (TPHOLs 2002) held on 20ndash23 August2002 in Hampton Virginia USA The conference serves as a venue for the pre-sentation of work in theorem proving in higher-order logics and related areasin deduction formal specification software and hardware verification and otherapplications

Each of the 34 papers submitted in the full research category was refereed byat least three reviewers from the program committee or by a reviewer appointedby the program committee Of these submissions 20 papers were accepted forpresentation at the conference and publication in this volume

Following a well-established tradition in this conference series TPHOLs 2002also offered a venue for the presentation of work in progress For the work inprogress track short introductory talks were given by researchers followed byan open poster session for further discussion Papers accepted for presentationin this track have been published as Conference Proceedings CP NASA-2002-211736

The organizers would like to thank Ricky Butler and Gerard Huet for grace-fully accepting our invitation to give talks at TPHOLs 2002 Ricky Butler wasinstrumental in the formation of the Formal Methods program at the NASALangley Research Center and has led the group since its beginnings The NASALangley Formal Methods group under Ricky Butlerrsquos guidance has fundedbeen involved in or influenced many formal verification projects in the US overmore than two decades In 1998 Gerard Huet received the prestigious HerbrandAward for his fundamental contributions to term rewriting and theorem provingin higher-order logic as well as many other key contributions to the field of au-tomated reasoning He is the originator of the Coq System under developmentat INRIA-Rocquencourt Dr Huetrsquos current main interest is computational lin-guistics however his work continues to influence researchers around the world ina wide spectrum of areas in theoretical computer science formal methods andsoftware engineering

The venue of the TPHOLs conference traditionally changes continent eachyear in order to maximize the likelihood that researchers from all over the worldwill attend Starting in 1993 the proceedings of TPHOLs and its predecessorworkshops have been published in the following volumes of the Springer-VerlagLecture Notes in Computer Science series

1993 (Canada) 780 1998 (Australia) 14791994 (Malta) 859 1999 (France) 16901995 (USA) 971 2000 (USA) 18691996 (Finland) 1125 2001 (UK) 21521997 (USA) 1275

VI Preface

The 2002 conference was organized by a team from NASA Langley ResearchCenter the ICASE Institute at Langley Research Center and Concordia Uni-versity Financial support came from Intel Corporation The support of all theseorganizations is gratefully acknowledged

August 2002 Vıctor A CarrenoCesar A Munoz

VII

Organization

TPHOLs 2002 is organized by NASA Langley and ICASE in cooperation withConcordia University

Organizing Committee

Conference Chair Vıctor A Carreno (NASA Langley)Program Chair Cesar A Munoz (ICASE NASA LaRC)

Sofiene Tahar (Concordia University)

Program Committee

Mark Aagaard (Waterloo)David Basin (Freiburg)Vıctor Carreno (NASA Langley)Shiu-Kai Chin (Syracuse)Paul Curzon (Middlesex)Gilles Dowek (INRIA)Harald Ganzinger (MPI Saarbrucken)Ganesh Gopalakrishnan (Utah)Jim Grundy (Intel)Elsa Gunter (NJIT)John Harrison (Intel)Doug Howe (Carleton)Bart Jacobs (Nijmegen)Paul Jackson (Edinburgh)Sara Kalvala (Warwick)

Michael Kohlhase (CMU amp Saarland)Thomas Kropf (Bosch)Tom Melham (Glasgow)J Strother Moore (Texas Austin)Cesar Munoz (ICASE NASA LaRC)Sam Owre (SRI)Christine Paulin-Mohring (INRIA)Lawrence Paulson (Cambridge)Frank Pfenning (CMU)Klaus Schneider (Karlsruhe)Henny Sipma (Stanford)Konrad Slind (Utah)Don Syme (Microsoft)Sofiene Tahar (Concordia)Wai Wong (Hong Kong Baptist)

Additional Reviewers

Otmane Ait-MohamedBehzad AkbarpourNancy DayBen Di VitoJean-Christophe Filliatre

Alfons GeserHanne GottliebsenMike KishinevskyHans de NivelleAndrew Pitts

Harald RueszligLeon van der TorreTomas Uribe

Invited Speakers

Ricky Butler (NASA Langley)Gerard Huet (INRIA)

VIII Preface

Sponsoring Institutions

NASA LangleyICASEConcordia UniversityINTEL

Table of Contents

Invited Talks

Formal Methods at NASA Langley 1Ricky Butler

Higher Order Unification 30 Years Later 3Gerard Huet

Regular Papers

Combining Higher Order Abstract Syntax with Tactical Theorem Provingand (Co)Induction 13

Simon J Ambler Roy L Crole Alberto Momigliano

Efficient Reasoning about Executable Specifications in Coq 31Gilles Barthe Pierre Courtieu

Verified Bytecode Model Checkers 47David Basin Stefan Friedrich Marek Gawkowski

The 5 Colour Theorem in IsabelleIsar 67Gertrud Bauer Tobias Nipkow

Type-Theoretic Functional Semantics 83Yves Bertot Venanzio Capretta Kuntal Das Barman

A Proposal for a Formal OCL Semantics in IsabelleHOL 99Achim D Brucker Burkhart Wolff

Explicit Universes for the Calculus of Constructions 115Judicael Courant

Formalised Cut Admissibility for Display Logic 131Jeremy E Dawson Rajeev Gore

Formalizing the Trading Theorem for the Classification of Surfaces 148Christophe Dehlinger Jean-Francois Dufourd

Free-Style Theorem Proving 164David Delahaye

A Comparison of Two Proof Critics Power vs Robustness 182Louise A Dennis Alan Bundy

X Table of Contents

Two-Level Meta-reasoning in Coq 198Amy P Felty

PuzzleTool An Example of Programming Computation and Deduction 214Michael JC Gordon

A Formal Approach to Probabilistic Termination 230Joe Hurd

Using Theorem Proving for Numerical Analysis 246Micaela Mayero

Quotient Types A Modular Approach 263Aleksey Nogin

Sequent Schema for Derived Rules 281Aleksey Nogin Jason Hickey

Algebraic Structures and Dependent Records 298Virgile Prevosto Damien Doligez Therese Hardin

Proving the Equivalence of Microstep and Macrostep Semantics 314Klaus Schneider

Weakest Precondition for General Recursive Programs Formalized in Coq 332Xingyuan Zhang Malcolm Munro Mark Harman Lin Hu

Author Index 349

Formal Methods at NASA Langley

Ricky Butler

Assessment Technology BranchMail Stop 130 NASA Langley Research Center

Hampton VA 23681-2199rwbutlerlarcnasagov

Extended Abstract

In this talk a short history of NASA Langleyrsquos research in formal methods ispresented The talk begins with an examination of the attempted formal verifi-cation of the SIFT (Software Implemented Fault Tolerance) operating system inthe late 1970s The primary goal of the SIFT verification project was to verify anoperating system for a fault-tolerant distributed real-time avionics computingplatform The SIFT project was deemed a failure because it did not meet its pri-mary objective However important results in the field of computer science wereobtained from the SIFT project including fault tolerant clock synchronizationByzantine agreement (interactive consistency) and others

After the SIFT project formal methods at NASA Langley went through aperiod of hibernation and would have probably died except for the providentialvisit of John Cullyer to NASA Langley in 1988 Soon after this a Memoran-dum of Understanding (MOU) between NASA Langley and The Royal Signaland Radar Establishment (RSRE) was initiated NASA Langley was asked toperform a critical assessment of the VIPER microprocessor which had been de-signed at the RSRE research laboratory With the help of Computational LogicInc (CLI) and the Boeing Commercial Airplane Company the usefulness ofthe VIPER processor for aerospace application was investigated ComputationalLogic wrote a critical review emphasizing the incompleteness of the VIPER me-chanical proofs Although an unprecedented level of analysis had been performedon the VIPER the CLI team did not consider hand-proofs to be adequate forsomething like the VIPER Once again Langley found itself in the midst of aformal methods controversy At the heart of this controversy was the nature ofproof itself How rigorous does a proof have to be before one can claim that amathematical proof has been accomplished

Next NASA Langley began to fund the direct application of existing formalmethods to real problems in the aerospace industry A competitive procurementresulted in three contracts to Computational Logic Inc SRI International andOdyssey Research Associates During this period NASA Langley had its firstrecognized successes in formal methods the formal verification of the RockwellCollins AAMP5 microprocessor and the formal verification of the Draper FTPPscoreboard circuit Most of the work centered on fault-tolerance and hardware

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 1ndash2 2002ccopy Springer-Verlag Berlin Heidelberg 2002

2 Ricky Butler

verification at this time but some initial work in modeling software was also ini-tiated The Jet Select subsystem of the Space Shuttle was modeled and later theGPS upgrade and 3-Engine-Out upgrade was formally analyzed Both theoremproving and model checking approaches were pursued

Towards the end of the 1990s the Langley team began to look into ways ofusing formal methods to improve critical flight deck software After the Pentiumbug mobilized the commercial silicon manufacturers to pursue formal verifica-tion technology the Langley team decided to focus its attention on software andsystems Cooperative work with industry to model flight guidance systems Adarun-time systems operating systems that support integrated modular avionicsand other safety-critical applications were begun In FY2000 the Langley for-mal methods team began to work for the Aviation Safety Program The AviationSafety Program is a NASA focused program with a goal of reducing the fatalaviation accident rate by 80 in ten years and 90 in twenty years Four newcontracts were started with a goal of using formal methods to make flight sys-tems safer (1) Rockwell Collins Advanced Technology Center to develop formalrequirements modeling and analysis techniques to detect and remove flight deckmode confusion (2) Honeywell Engines and Systems with SRI International toadapt the Time Triggered Architecture (TTA) to a Full Authority Digital EngineControl (FADEC) (3) Barron AssociatesGoodrich to develop formal verifica-tion methods that can serve as a basis for certifying non-adaptive neural netsand (4) University of Virginia to develop formal specification tools that inte-grate formal and informal languages enabling the analysis of the combinationIn FY2001 the Langley formal methods team was asked to apply formal meth-ods technology to the Air Traffic Management problem Current work is lookingat conflict detection and resolution algorithms (CDampR) needed in future freeflight concepts and at merging and self-spacing algorithms in the terminal areaThese later algorithms are being developed in support of NASA Langleyrsquos SmallAircraft Transportation Systems (SATS) program The Langley team has hadsome early successes with the verification of Air Traffic Management conceptsand the outlook is quite promising for this area

Future goals for the Langley formal methods program include (1) facilitatingthe transfer of successful formal approaches into the product lines of aerospacecompanies by developing cost-effective tools that integrate well with existingindustrial life-cycle processes (2) working with the FAA to develop new cer-tification processes that take advantage of the capabilities of formal methods(3) performing fundamental research in new challenging areas such as systemswhere there are complex interactions between discrete and continuous compo-nents and (4) integrating formal methods technology into existing engineeringtools such as Mathworks

Higher Order Unification 30 Years Later

(Extended Abstract)

Gerard Huet

INRIA-RocquencourtBP 105 F-78153 Le Chesnay Cedex

GerardHuetinriafr

Abstract The talk will present a survey of higher order unificationcovering an outline of its historical development a summary of its appli-cations to three fields automated theorem proving and more generallyengineering of proof assistants programming environments and softwareengineering and finally computational linguistics It concludes by a pre-sentation of open problems and a few prospective remarks on promisingfuture directions This presentation assumes as background the surveyby Gilles Dowek in the Handbook of automated theorem proving [28]

1 Theory

11 Early History

The problem of automating higher order logic was first posed by J A Robinsonin [100101] Peter Andrews formulated a version of the resolution principle foraccommodating Churchrsquos Simple Theory of Types [164] and as early as 1964Jim Guardrsquos team at Applied Logic Corporation had been independently inves-tigating higher order logic versions of unification [4241] but the complexity ofthe problem appeared when higher order unification was shown to be undecid-able in 1972 independently by G Huet [46] and C Lucchesi [61] a result tobe sharpened by W Goldfarb [39] Jensen and Pietrzykowky [8950] at Uni-versity of Waterloo gave a complete recursive enumeration of unifiers but theprocess was over-generative in an untractable fashion since computational quag-mires happened where at every step of the process all previous solutions weresubsumed by the next one Huet proposed a more tractable enumeration of pre-unifiers for better conditioned problems where rigidity of one of the problemterms led to sequential behavior By delaying ill-conditioned problems in theform of constraints it became possible to implement a complete version of theresolution principle for Churchrsquos Type Theory [49] An extensive theory of uni-fication in various algebraic settings building on early work of G Plotkin [90]was developed by G Huet in his These drsquoEtat [47] while P Andrews and hiscollaborators at CMU went on implementing constrained resolution in the proofassistant TPS [5]

Thus the original motivation for higher-order unification was its use as afundamental algorithm in automated theorem-provers We shall see below that

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 3ndash12 2002ccopy Springer-Verlag Berlin Heidelberg 2002

4 Gerard Huet

the design and implementation of proof assistants is still its main applicationarea not just in the setting of classical logic with versions of the resolutionprinciple but in more general meta-theoretic frameworks where it is the workhorse of pattern-matching and more generally proof search For instance exten-sions of the term-rewriting paradigm of equational logic building on higher-orderunification were proposed by Nipkow Jouannaud and Okada Breazu-TannenBlanqui and many others [7610] while C Benzmuller investigated the additionof equality paramodulation to higher-order resolution [89]

12 λ Prolog

It was soon realized that resolution was better behaved in the restricted contextof Horn sentences and Colmerauer and Kowalski took advantage of this qualityin the framework of first-order logic with the design of PROLOG which spurredthe whole new field of Logic Programming The generalization of this promis-ing technology to higher-order logic was successfully accomplished by D Millerwith his λ-PROLOG system [6573] G Nadathur further investigated the λ-PROLOG methodology and its efficient implementation [7172707374] In theMali team in Rennes Yves Bekkers and colleagues implemented a λ-PROLOGmachine with specific dynamic memory management [714] The most impres-sive application of the λ-PROLOG formalism was accomplished by F Pfenningin his ELF system a logic programming environment for Edinburghrsquos LogicalFramework [8588]

The theory of higher-order unification in more powerful higher order frame-works encompassing dependent types polymorphism or inductive types wasinvestigated by C Elliott[3132] G Pym [96] G Dowek [2026] F Pfenning[8687] etc in a series of publications in the 80rsquos and 90rsquos We refer the inter-ested reader to the extensive presentation in G Dowekrsquos survey [28]

13 Matching

An important special case of unification (ie solving equations in term struc-tures) is when one of the terms is closed Unification in this special case ispattern matching a specially important algorithm in symbolic computationHuetrsquos semi-decision algorithm turned into an algorithm generating a finite setof solutions in the case of second-order terms [474822] Furthermore it waspossible to combine pattern-matching for linear terms with first-order unifica-tion as Miller demonstrated with his higher-order patterns [66] However thegeneral problem in the full higher-order hierarchy remained open for a long timeG Dowek showed that the third-order problem was decidable [27] while exten-sions in various other directions led to undecidability [2124] Padovani showedthat the fourth-order case was decidable [808182] Wolfram gave an algorithmwhich always terminate [115] but whose completeness is dubious More recentlyLoader announced the undecidability of higher-order matching in [5960] but the

Higher Order Unification 30 Years Later 5

argument does not carry over if the η rule of extensionality is added to β com-putation rule of λ calculus This vexing but important problem is thus still openafter 30 years of intense investigation

2 Applications

The talk will survey applications in three domains

21 Proof Technology

Early experiments with resolution systems as proof assistants were extremelynaive since full automation was aimed at for mathematical theories which areundecidable or at least badly untractable It is interesting that to this day re-search teams keep the pretense of solving deep mathematical problems in a fullyautomated fashion despite all evidence to the contrary

Hopefully better methodologies exist than attempting to solve mathematicswith combinatorial blackboxes Proof Assistants following the early models ofAutomath LCF and NuPRL have been designed as interactive systems wherethe mathematically sophisticated user drives a proof search process with thehelp of specialized programmable tactics implementing decision or semi-decisionprocedures which operate on formulas kept in user-understandable terms Twoparadigms are of paramount importance in this newer vision of proof search theuse of general meta-level formalisms (the so-called logical frameworks wheregeneric pattern-matching and unification algorithms are put to use) and therecognition of proof structures as higher-order objects themselves (through suit-able instances of the Curry-Howard correspondence) This gave a second life tohigher-order unification at the level of proof search this time (and not just at thelevel of terms search) This methodology was clearly articulated by G Dowekin his thesis [2023] and by by D Miller and A Felty [235] Typical of this ap-proach are the proof assistants Isabelle [83] the Edinburgh Logical Frameworkand its ELF Logic Programming engine [8588] and the various versions of theCalculus of Constructions or Intuitionistic Type Theory implementations (CoqLego Alf)

22 Program Schemas Manipulation and Software Engineering

The second-order matching algorithm presented in the 70rsquos by Huet and Lang[48] was motivated by an application to program schemas recognition in a soft-ware engineering paradigm of program transformations originally proposed byBurstall and Darlington Indeed all the Burstall and Darlington rewrite ruleswere easily encompasssed by this technology but it seemed difficult to extrapo-late this simple methodology to software engineering in the large Still grandioseprojects of Inferential Programming based on Semantically Based Program-ming Tools were lavishly financed in the 80rsquos on such principles [55] Whatfinally emerged when the dust settled was the notion of Higher-order Abstract

6 Gerard Huet

Syntax as a fundamental structure for logic-based programming environments[67458435164]

23 Anaphora Resolution and Other Computational LinguisticsApplications

Meanwhile researchers in computational linguistics working at the frontier be-tween syntax and semantics and notably within Montague Semantics had beeninvestigating the resolution of anaphora constructions (pronouns focus ellipsisetc) through the higher order unification algorithm Such experiments were fa-cilitated by the widespread adoption of PROLOG as a computation paradigm inthis community Typical representatives of this approach were Dale Miller andGopalan Nadathur at CMU [68] S Shieber and colleagues in Harvard [62114] SPulman in SRICambridge [95] and C Gardent and colleagues in Saarbrucken[15373836]

3 Prospective

The talk will end with some prospective remarks

References

1 G Amiot The undecidability of the second order predicate unification problemArchive for mathematical logic 30193ndash199 1990

2 Dale Miller Amy Felty Specifying theorem provers in a higher-order logic pro-gramming language In Proceedings of the 9th Int Conference on AutomatedDeduction (CADE-9) volume 310 of Lecture Notes in Computer Science pages61ndash80 Springer-Verlag Argonne Illinois 1988

3 Penny Anderson Represnting proof transformations for program optimization InProceedings of the 12th Int Conference on Automated Deduction (CADE-12) vol-ume 814 of Lecture Notes in Artificial Intelligence pages 575ndash589 Nancy France1994 Springer-Verlag

4 PB Andrews Resolution in type theory The Journal of Symbolic Logic36(3)414ndash432 1971

5 PB Andrews M Bishop S Issar D Nesmith F Pfenning and H Xi Tpsa theorem proving system for classical type theory J of Automated Reasoning16321ndash353 1996

6 J Avenhaus and CA Lorıa-Saenz Higher-order conditional rewriting and nar-rowing In J-P Jouannaud editor International Conference on Constaints inComputational Logic volume 845 of Lecture Notes in Computer Science pages269ndash284 Springer-Verlag 1994

7 Yves Bekkers Olivier Ridoux and Lucien Ungaro Dynamic memory managementfor sequential logic programming languages In IWMM pages 82ndash102 1992

8 C Benzmuller Extensional higher-order resolution In Proceedings of the 15thInt Conference on Automated Deduction (CADE-15) volume 1421 of LectureNotes in Artificial Intelligence pages 56ndash71 Springer-Verlag Lindau Germany1998

Higher Order Unification 30 Years Later 7

9 C Benzmuller Equality and extensionality in automated higher-order theoremproving Doctoral Dissertation Universitat des Saarlandes Saarbrucken 1999

10 Frederic Blanqui Theorie des types et reecriture These de Doctorat UniversiteParis-Sud 2001

11 P Borovansky Implementation of higher-order unification based on calculus ofexplicit substitution In M Bartosek J Staudek and J Wiedermann editorsSOFSEM Theory and Practice of Informatics volume 1012 in Lecture Notes inComputer Science pages 363ndash368 Springer-Verlag 1995

12 A Boudet and E Contejean AC-unification of higher-order patterns InG Smolka editor Principles and Practice of Constraint Programming volume1330 of Lecture Notes in Computer Science pages 267ndash281 Springer-Verlag 1997

13 D Briaud Higher order unification as typed narrowing Technical Report 96-R-112 Centre de recherche en informatique de Nancy 1996

14 Pascal Brisset and Olivier Ridoux The architecture of an implementation oflambdaprolog Prologmali Technical Report RR-2392 INRIA Oct 1994

15 M Kohlhase C Gardent and K Konrad Higher-order colored unification Alinguistic application J of Logic Language and Information 9313ndash338 2001

16 A Church A formulation of the simple theory of types The Journal of SymbolicLogic 5(1)56ndash68 1940

17 H Comon and Y Jurski Higher-order matching and tree automata In M Nielsenand W Thomas editors Conference on Computer Science Logic volume 1414 ofLecture Notes in Computer Science pages 157ndash176 Springer-Verlag 1997

18 DJ Dougherty Higher-order unification via combinators Theoretical ComputerScience 114273ndash298 1993

19 DJ Dougherty and P Johann A combinatory logic approach to higher-orderE-unification In D Kapur editor Conference on Automated Deduction volume607 of Lecture Notes in Artificial Intelligence pages 79ndash93 Springer-Verlag 1992

20 G Dowek Demonstration automatique dans le calcul des constructions Thesede Doctorat Universite de Paris VII 1991

21 G Dowek Lrsquoindecidabilite du filtrage du troisieme ordre dans les calculs avectypes dependants ou constructeurs de types (the undecidability of third orderpattern matching in calculi with dependent types or type constructors) ComptesRendus a lrsquoAcademie des Sciences I 312(12)951ndash956 1991 Erratum ibid I318 1994 p 873

22 G Dowek A second-order pattern matching algorithm in the cube of typed λ-calculi In A Tarlecki editor Mathematical Foundation of Computer Sciencevolume 520 of Lecture notes in computer science pages 151ndash160 Springer-Verlag1991

23 G Dowek A complete proof synthesis method for the cube of type systemsJournal of Logic and Computation 3(3)287ndash315 1993

24 G Dowek The undecidability of pattern matching in calculi where primitiverecursive functions are representable Theoretical Computer Science 107349ndash356 1993

25 G Dowek The undecidability of typability in the lambda-pi-calculus InM Bezem and JF Groote editors Typed Lambda Calculi and Applications vol-ume 664 in Lecture Notes in Computer Science pages 139ndash145 Springer-Verlag1993

26 G Dowek A unification algorithm for second-order linear terms Manuscript1993

27 G Dowek Third order matching is decidable Annals of Pure and Applied Logic69135ndash155 1994

8 Gerard Huet

28 G Dowek Higher-Order Unification and Matching chapter 16 pages 1009ndash1062Elsevier 2001

29 G Dowek T Hardin and C Kirchner Higher-order unification via explicitsubstitutions Information and Computation 157183ndash235 2000

30 G Dowek T Hardin C Kirchner and F Pfenning Unification via explicitsubstitutions the case of higher-order patterns In M Maher editor Joint Inter-national Conference and Symposium on Logic Programming pages 259ndash273 TheMIT Press 1996

31 CM Elliott Higher-order unification with dependent function types In N Der-showitz editor Internatinal Conference on Rewriting Techniques and Applica-tions volume 355 of Lecture Notes in Computer Science pages 121ndash136 Springer-Verlag 1989

32 CM Elliott Extensions and applications of higher-order unification PhD thesisCarnegie Mellon University 1990

33 WM Farmer A unification algorithm for second-order monadic terms Annalsof Pure and applied Logic 39131ndash174 1988

34 WM Farmer Simple second order languages for which unification is undecidableTheoretical Computer Science 8725ndash41 1991

35 Amy Felty Implementing tactics and tacticals in a higher-order logic program-ming language Journal of Automated Reasoning 1143ndash81 1993

36 C Gardent Deaccenting and higher-order unification J of Logic Language andInformation 9313ndash338 2000

37 C Gardent and M Kohlhase Focus and higher-order unification In 16th Inter-national Conference on Computational Linguistics Copenhagen 1996

38 C Gardent and M Kohlhase Higher-order coloured unification and naturallanguage semantics In ACL editor 34th Annual Meeting of the Association forComputational Linguistics Santa Cruz 1996

39 WD Goldfarb The undecidability of the second-order unification problem The-oretical Computer Science 13225ndash230 1981

40 J Goubault Higher-order rigid E-unification In F Pfenning editor 5th Interna-tional Conference on Logic Programming and Automated Reasoning volume 822in Lecture Notes in Artificial Intelligence pages 129ndash143 Springer-Verlag 1994

41 WE Gould A matching procedure for ω-order logic Scientific report 4 AFCRL66-781 (contract AF 19 (628)-3250) AD 646 560

42 JR Guard Automated logic for semi-automated mathematics Scientific report1 AFCRL 64-411 (contract AF 19 (628)-3250) AS 602 710 1964

43 M Hagiya Programming by example and proving by example using higher-orderunification In ME Stickel editor Conference on Automated Deduction volume449 in Lecture Notes in Computer Science pages 588ndash602 Springer-Verlag 1990

44 M Hagiya Higher-order unification as a theorem proving procedure In K Fu-rukawa editor International Conference on Logic Programming pages 270ndash284MIT Press 1991

45 John Hannan and Dale Miller Uses of higher-order unification for implementingprograms transformers In RA Kowalski an KA Bowen editor InternationalConference and Symposium on Logic Programming pages 942ndash959 1988

46 G Huet The undecidability of unification in third order logic Information andControl 22257ndash267 1973

47 G Huet Resolution drsquoequations dans les langages drsquoordre 12 ω These drsquoEtatUniversite de Paris VII 1976

48 G Huet and B Lang Proving and applying program transformations expressedwith second order patterns Acta Informatica 1131ndash55 1978

Higher Order Unification 30 Years Later 9

49 Gerard Huet Constrained resolution A complete method for higher order logicPhD thesis Case Western University Aug 1972

50 DC Jensen and T Pietrzykowski Mechanizing ω-order type theory throughunification Theoretical Computer Science 3123ndash171 1976

51 Frank Pfenning Joelle Despeyroux and Carsten Schurmann Primitive recursionfor higher-order syntax In R Hindley editor Proceedings of the 3rd Int Confer-ence on Typed Lambda Calculus and Applications (TLCArsquo97) volume 1210 of Lec-ture Notes in Computer Science pages 147ndash163 Nancy France 1997 Springer-Verlag

52 Patricia Johann and Michael Kohlhase Unification in an extensional lambda cal-culus with ordered function sorts and constant overloading In Alan Bundy editorConference on Automated Deduction volume 814 in Lecture Notes in ArtificialIntelligence pages 620ndash634 Springer-Verlag 1994

53 C Kirchner and Ch Ringeissen Higher-order equational unification via ex-plicit substitutions In M Hanus J Heering and K Meinke editors Algebraicand Logic Programming International Joint Conference ALPrsquo97-HOArsquo97 vol-ume 1298 of Lecture Notes in Computer Science pages 61ndash75 Springer-Verlag1997

54 K Kwon and G Nadathur An instruction set for higher-order hereditary harropformulas (extended abstract) In Proceedings of the Workshop on the lambdaProlog Programming Language UPenn Technical Report MS-CIS-92-86 1992

55 Peter Lee Frank Pfenning John Reynolds Gene Rollins and Dana Scott Re-search on semantically based program-design environments The ergo projectin 1988 Technical Report CMU-CS-88-118 Computer Science DepartmentCarnegie Mellon University 1988

56 J Levy Linear second order unification In H Ganzinger editor RewritingTechniques and Applications volume 1103 of Lecture Notes in Computer Sciencepages 332ndash346 Springer-Verlag 1996

57 Jordi Levy and Margus Veanes On unification problems in restricted second-order languages In Annual Conf of the European Ass of Computer ScienceLogic (CSL98) Brno Czech Republic 1998

58 Jordi Levy and Mateu Villaret Linear second-order unification and context uni-fication with tree-regular constraints In Proceedings of the 11th Int Conf onRewriting Techniques and Applications (RTA 2000) volume 1833 of Lecture Notesin Computer Science pages 156ndash171 Norwich UK 2000 Springer-Verlag

59 R Loader The undecidability of λ-definability To appear in Church memorialvolume 1994

60 R Loader Higher order β matching is undecidable Private communication2001

61 CL Lucchesi The undecidability of the unification problem for third orderlanguages Technical Report CSRR 2060 Department of applied analysis andcomputer science University of Waterloo 1972

62 Stuart M Shieber Mary Dalrymple and Fernando CN Pereira Ellipsis andhigher-order unification Linguistic and Philosophy 14399ndash452 1991

63 R Mayr and T Nipkow Higher-order rewrite systems and their confluenceTheoretical Computer Science 1923ndash29 1998

64 Raymond McDowell and Dale Miller Reasoning with higher-order abstract syntaxin a logical framework ACM Transactions on Computational Logic (TOCL)380ndash136 2002

65 Dale Miller Abstractions in logic programming In P Odifreddi editor Logicand computer science pages 329ndash359 Academic Press 1991

10 Gerard Huet

66 Dale Miller Unification under a mixed prefix Journal of Symbolic Computation14321ndash358 1992

67 Dale Miller and Gopalan Nadathur A logic programming approach to manipu-lating formulas and programs In IEEE Symposium on Logic Programming pages247ndash255 San Francisco California 1986

68 Dale Miller and Gopalan Nadathur Some uses of higher-order logic in computa-tional linguistics In 24th Annual Meeting of the Association for ComputationalLinguistics pages 247ndash255 1986

69 O Muller and F Weber Theory and practice of minimal modular higher-orderE-unification In A Bundy editor Conference on Automated Deduction volume814 in Lecture Notes in Artificial Intelligence pages 650ndash664 Springer-Verlag1994

70 Gopalan Nadathur An explicit substitution notation in a λprolog implementa-tion In First International Workshop on Explicit Substitutions 1998

71 Gopalan Nadathur A Higher-Order Logic as the Basis for Logic ProgrammingPhD thesis University of Pennsylvania Dec 1986

72 Gopalan Nadathur and Dale Miller Higher-order horn clauses J of the Associ-ation for Computing Machinery 37777ndash814 1990

73 Gopalan Nadathur and Dale Miller Higher-order logic programming In D MGabbay C J Hogger and J A Robinson editors Handbook of logic in artificialintelligence and logic programming volume 5 pages 499ndash590 Clarendon Press1998

74 Gopalan Nadathur and DJ Mitchell System description A compiler and ab-stract machine based implementation of λprolog In Conference on AutomatedDeduction 1999

75 T Nipkow Higher-order critical pairs In Logic in Computer Science pages342ndash349 1991

76 T Nipkow Higher-order rewrite systems In Proceedings of the 6th Int Conf onRewriting Techniques and Applications (RTA-95) volume 914 of Lecture Notesin Computer Science pages 256ndash256 Keiserlautern Germany 1995 Springer-Verlag

77 T Nipkow and Ch Prehofer Higher-order rewriting and equational reasoningIn W Bibel and PH Schmitt editors Automated Deduction - A Basis for Ap-plications volume 1 pages 399ndash430 Kluwer 1998

78 Tobias Nipkow and Zhenyu Qian Modular higher-order e-unification In Proceed-ings of the 4th Int Conf on Rewriting Techniques and Applications (RTA) vol-ume 488 of Lecture Notes in Computer Science pages 200ndash214 Springer-Verlag1991

79 Tobias Nipkow and Zhenyu Qian Reduction and unification in lambda calculiwith a general notion of subtype Journal of Automated Reasoning 12389ndash4061994

80 V Padovani Fourth-order matching is decidable Manuscript 199481 V Padovani Decidability of all minimal models In S Berardi and M Coppo

editors Types for Proof and Programs 1995 volume 1158 in Lecture Notes inComputer Science pages 201ndash215 Springer-Verlag 1996

82 V Padovani Filtrage drsquoordre superieur These de Doctorat Universite de ParisVII 1996

83 Larry C Paulson Isabelle The next 700 theorem provers In P Odifreddi editorLogic and computer science pages 361ndash385 Academic Press 1991

84 F Pfenning Partial polymorphic type inference and higher-order unification InConference on Lisp and Functional Programming pages 153ndash163 1988

Higher Order Unification 30 Years Later 11

85 F Pfenning Logic programming in the LF logical framework In G Huet andG Plotkin editors Logical frameworks pages 149ndash181 Cambridge UniversityPress 1991

86 F Pfenning Unification and anti-unification in the calculus of constructions InLogic in Computer Science pages 74ndash85 1991

87 F Pfenning and I Cervesato Linear higher-order pre-unification In Logic inComputer Science 1997

88 Frank Pfenning and Carsten Schurmann System description Twelf mdash A meta-logical framework for deductive systems In Proceedings of the 16th Int Con-ference on Automated Deduction (CADE-16) volume 1632 of Lecture Notes inArtificial Intelligence Springer-Verlag 1999

89 T Pietrzykowski A complete mecanization of second-order type theory J of theAssociation for Computing Machinery 20333ndash364 1973

90 G Plotkin Building-in equational theories Machine Intelligence 773ndash90 197291 C Prehofer Decidable higher-order unification problems In A Bundy editor

Conference on Automated Deduction volume 814 of Lecture Notes in ArtificialIntelligence pages 635ndash649 Springer-Verlag 1994

92 C Prehofer Higher-order narrowing In Logic in Computer Science (LICSrsquo94pages 507ndash516 1994

93 C Prehofer Solving higher-order equations From logic to programming Doctoralthesis Technische Universitat Munchen Technical Report TUM-19508 Institutfur Informatik TUM Munchen 1995

94 C Prehofer Solving Higher-Order Equations From Logic to ProgrammingProgress in theoretical coputer science Birkhauser 1998

95 S Pulman Higher-order unification and the interpretation of focus Linguisticsand Philosophy 2073ndash115 1997

96 D Pym Proof search and computation in general logic Doctoral thesis Uni-versity of Edinburgh 1990

97 Z Qian Higher-order equational logic programming In Principle of ProgrammingLanguages pages 254ndash267 1994

98 Z Qian and K Wang Higher-order equational E-unification for arbitrary theo-ries In K Apt editor Joint International Conference and Symposium on LogicProgramming 1992

99 Z Qian and K Wang Modular AC unification of higher-order patterns In J-P Jouannaud editor International Conference on Constaints in ComputationalLogic volume 845 of Lecture Notes in Computer Science pages 105ndash120 Springer-Verlag 1994

100 JA Robinson New directions in mechanical theorem proving In AJH Morrelleditor International Federation for Information Processing Congress 1968 pages63ndash67 North Holland 1969

101 JA Robinson A note on mechanizing higher order logic Machine Intelligence5123ndash133 1970

102 H Saıdi Resolution drsquoequations dans le systeme T de Godel Memoire de DEAUniversite de Paris VII 1994

103 M Schmidt-Schauszlig Unification of stratified second-order terms Technical Re-port 12 JWGoethe-Universitat Frankfurt 1994

104 M Schmidt-Schauszlig Decidability of bounded second order unification TechnicalReport 11 JWGoethe-Universitat Frankfurt 1999

105 M Schmidt-Schauszlig and KU Schulz Solvability of context equations with twocontext variables is decidable In H Ganzinger editor Conference on Automated

12 Gerard Huet

Deduction volume 1632 in Lecture Notes in Artificial Intelligence pages 67ndash811999

106 A Schubert Linear interpolation for the higher order matching problem InM Bidoit and M Dauchet editors Theory and Practice of Software Developmentvolume 1214 of Lecture Notes in Computer science pages 441ndash452 Springer-Verlag 1997

107 A Schubert Second-order unification and type inference for Church-style poly-morphism In Principle of Programming Languages pages 279ndash288 1998

108 W Snyder Higher-order E-unification In M E Stickel editor Conference onAutomated Deduction volume 449 of Lecture Notes in Artificial Intelligence pages573ndash587 Springer-Verlag 1990

109 W Snyder and J Gallier Higher order unification revisited Complete sets oftranformations Journal of Symbolic Computation 8(1 amp 2)101ndash140 1989 Spe-cial issue on unification Part two

110 W Snyder and J Gallier Higher-order unification revisited Complete sets oftransformations Journal of Symbolic Computation 8101ndash140 1989

111 J Springintveld Algorithms for type theory Doctoral thesis Utrecht University1995

112 J Springintveld Third-order matching in presence of type constructors InM Dezani-Ciancagliani and G Plotkin editors Typed Lambda Calculi and Ap-plications volume 902 of Lecture Notes in Computer Science pages 428ndash442Springer-Verlag 1995

113 J Springintveld Third-order matching in the polymorphic lambda calculus InG Dowek J Heering K Meinke and B Moller editors Higher-order AlgebraLogic and Term Rewriting volume 1074 of Lecture Notes in Computer Sciencepages 221ndash237 Springer-Verlag 1995

114 Fernando CN Pereira Stuart M Shieber and Mary Dalrymple Interactions ofscope and ellipsis Linguistics and Philosophy 19527ndash552 1996

115 DA Wolfram The clausal theory of types Doctoral thesis University of Cam-bridge 1989

116 M Zaionc The regular expression description of unifier set in the typed λ-calculus Fundementa Informaticae X309ndash322 1987

117 M Zaionc Mechanical procedure for proof construction via closed terms in typedλ-calculus Journal of Automated Reasoning 4173ndash190 1988

Combining Higher Order Abstract Syntax with

Tactical Theorem Proving and (Co)Induction

Simon J Ambler Roy L Crole and Alberto Momigliano

Department of Mathematics and Computer ScienceUniversity of Leicester Leicester LE1 7RH UKSAmblerRCroleAMomiglianomcsleacuk

Abstract Combining Higher Order Abstract Syntax (HOAS) and in-duction is well known to be problematic We have implemented a toolcalled Hybrid within Isabelle HOL which does allow object logics tobe represented using HOAS and reasoned about using tactical theoremproving in general and principles of (co)induction in particular In thispaper we describe Hybrid and illustrate its use with case studies We alsoprovide some theoretical adequacy results which underpin our practicalwork

1 Introduction

Many people are concerned with the development of computing systems whichcan be used to reason about and prove properties of programming languagesHowever developing such systems is not easy Difficulties abound in both prac-tical implementation and underpinning theory Our paper makes both a theoret-ical and practical contribution to this research area More precisely this paperconcerns how to reason about object level logics with syntax involving variablebindingmdashnote that a programming language can be presented as an exampleof such an object logic Our contribution is the provision of a mechanized toolHybrid which has been coded within Isabelle HOL and

ndash provides a form of logical framework within which the syntax of an objectlevel logic can be adequately represented by higher order abstract syntax(HOAS)

ndash is consistent with tactical theorem proving in general and principles of in-duction and coinduction in particular and

ndash is definitional which guarantees consistency within a classical type theory

We proceed as follows In the introduction we review the idea of simple logicalframeworks and HOAS and the problems in combining HOAS and inductionIn Section 2 we introduce our tool Hybrid In Section 3 we provide some keytechnical definitions in Hybrid In Section 4 we explain how Hybrid is used torepresent and reason about object logics by giving some case studies In Section 5

This work was supported by EPSRC grant number GRM98555

VA Carreno C Munoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 13ndash30 2002ccopy Springer-Verlag Berlin Heidelberg 2002

14 Simon J Ambler et al

we give a mathematical description of Hybrid together with some underpinningtheory In Section 6 we review the articles related to our work In Section 7 wecomment on future plansHybrid provides a form of logical framework Here we briefly recall some

fundamental technical details of a basic logical framework by usingthe vehicle of quantified propositional logic (QPL) as an object levellogicmdashthe notation will be used in Sections 4 and 5 While this is avery small logic it comes with a single binding construct which exemplifies theproblems we are tackling We let V1 V2 be a countable set of (object level)variables The QPL formulae are given by Q = Vi | Q sup Q | forallVi Q Recall howto represent QPL in a simple logical frameworkmdashthe framework here providesa form of HOAS following [25] A framework theory is specified by a signatureof ground types which generate function types and constants The objects ofthe theory are given by e = name | vi | e e | λ vi e where name ranges overconstants and i ranges over N giving a countable set of (meta) variables vi Fromthis a standard type assignment system can be formulated leading to a notionof canonical form We refer the reader to [25] for the full definition To representQPL we take a ground type oo of formulae We also give the constants of thetheory each of which corresponds to a QPL constructor For QPL we specifyImp oo rArr oo rArr oo and All (oo rArr oo) rArr oo One can define a translationfunction minus by the clauses

Vi def= vi Q1 sup Q2 def= Imp Q1 Q2 forallVi Q def= All (λ vi Q)

One can then show that this translation gives a ldquosensiblerdquo representation of QPLin the framework meaning that the function minus provides a bijection betweenQPL and canonical objects and further minus is compositional on substitutionAlthough there are well known benefits in working with such higher order

abstract syntax there are also difficulties In general it is not immediately clearhow to obtain a principle of induction over expressions or how to define functionson them by primitive recursion although such principles do exist [27] Worse stillapparently promising approaches can lead to inconsistencies [16] The axiom ofchoice leads to loss of consistency and exotic terms may lead to loss of adequacyIn our example one would like to view the constants above as the constructorsof a datatype oo = var | Imp (oo lowast oo) | All (oo rArr oo) so that an inductionprinciple is ldquoimmediaterdquo Such datatype declarations would be perfectly legal infunctional programming languages In a theorem prover such as Isabelle HOL theconstructors of a datatype are required to be injective [13] However the functionAll (oo rArr oo)rArr oo cannot be injective for cardinality reasons (Cantorrsquos proofcan be formalized within HOL) as Isabelle HOL provides a classical set theoryMoreover the function space oo rArr oo yields Isabelle HOL definable functionswhich do not ldquocorrespondrdquo to terms of QPL Such functions give rise to termsin oo which are unwanted so-called exotic terms such as

All (λx if x = u then u else All (λ z z))

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 15

We show that it is possible to define a logical framework in which All is injectiveon a subset of oo rArr oo The subset is sufficiently large to give an adequaterepresentation of syntaxmdashsee Section 41

2 Introducing Hybrid

Within Isabelle HOL our goal is to define a datatype for λ-calculus withconstants over which we can deploy (co)induction principles whilerepresenting variable binding through Isabellersquos HOAS We do this ina tool called Hybrid which we introduce in this section Our startingpoint is the work [1] of Andrew Gordon which we briefly review It is well known(though rarely provedmdashsee Section 5) that λ-calculus expressions are in bijectionwith (a subset of) de Bruijn expressions Gordon defines a de Bruijn notationin which expressions have named free variables given by strings He can writeT = dLAMBDA v t (where v is a string) which corresponds to an abstraction inwhich v is bound in t The function dLAMBDA has a definition which convertsT to the corresponding de Bruijn term which has an outer abstraction anda subterm which is t in de Bruijn form in which (free) occurrences of v areconverted to bound de Bruijn indices For example

dLAMBDA v (dAPP (dVAR v) (dVAR u)) = dABS (dAPP (dBND 0) (dVAR u))

Gordon demonstrates the utility of this approach It provides a good mechanismthrough which one may work with named bound variables but it does not exploitthe built in HOAS which Isabelle HOL itself uses to represent syntax The noveltyof our approach is that we do exploit the HOAS at the meta (machine) levelWe introduce Hybrid by example First some basics Of central importance

is a Isabelle HOL datatype of de Bruijn expressions where bnd and var are thenatural numbers and con provides names for constants

expr = CON con | VAR var | BND bnd | expr $$ expr | ABS expr

Let TO = ΛV1 Λ V2 V1 V3 be a genuine honest to goodness (object level) syn-tax1 tree Gordon would represent this by

TG = dLAMBDA v1 (dLAMBDA v2 (dAPP (dVAR v1) (dVAR v3)))

which equalsdABS (dABS (dAPP (dBND 1) (dVAR v3)))

Hybrid provides a binding mechanism with similarities to dLAMBDA GordonrsquosT would be written as LAM v t in Hybrid This is simply a definition for ade Bruijn term A crucial difference in our approach is that bound variablesin the object logic are bound variables in Isabelle HOL Thus the v in LAM v t

1 We use a capital Λ and capital V to avoid confusion with meta variables v and metaabstraction λ

16 Simon J Ambler et al

is a metavariable (and not a string as in Gordonrsquos approach) In Hybrid wealso choose to denote object level free variables by terms of the form VAR ihowever this has essentially no impact on the technical detailsmdashthe importantthing is the countability of free variables In Hybrid the TO above is renderedas TH = LAM v1 (LAM v2 (v1 $$ VAR 3)) The LAM is an Isabelle HOL binderand this expression is by definition

lambda (λ v1 (lambda (λ v2 (v1 $$ VAR 3))))

where λvi is meta abstraction and one can see that the object level term isrendered in the usual HOAS format where lambda (expr rArr expr) rArr expr isa defined function Then Hybrid will reduce TH to the de Bruijn term

ABS (ABS (BND 1 $$ VAR 3))

as in Gordonrsquos approach The key to this is of course the definition of lambdawhich relies crucially on higher order pattern matching We return to its defini-tion in Section 3 In summary Hybrid provides a form of HOAS where objectlevel

ndash free variables correspond to Hybrid expressions of the form VAR indash bound variables correspond to (bound) meta variablesndash abstractions ΛVE correspond to expressions LAM v e = lambda (λ v e)ndash applications E1 E2 correspond to expressions e1 $$ e2

3 Definition of Hybrid in Isabelle HOL

Hybrid consists of a small number of Isabelle HOL theories One of these providesthe dataype of de Bruijn expressions given in Section 2 The theories also containdefinitions of various key functions and inductive sets In this section weoutline the definitions and give some examples where e ranges overIsabelle HOL expressions We show how Hybrid provides a form ofHOAS and how this can be married with inductionWe are going to use a pretty-printed version of Isabelle HOL concrete syntax

a ruleH1 Hn

C

will be represented as [[ H1 Hn ]] =rArr C An Isabelle HOL type declarationhas the form s [ t1 tn ] rArr t The Isabelle metauniversal quantifier is

and

while Isabelle HOL connectives are represented via the usual logical notationFree variables are implicitly universally quantified Datatypes will be introducedusing BNF grammars The sign == (Isabelle metaequality) will be used forequality by definitionNote that all of the infrastructure of Hybrid which we now give is specified

definitionally We do not postulate axioms as in some approaches reviewed inSection 6 which require validation

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 17

level [ bnd expr ]rArr bool Recall that BND i corresponds to a bound vari-able in the λ-calculus and VAR i to a free variable we refer to bound and freeindices respectively We call a bound index i dangling if i or less Abs labelsoccur between the index i and the root of the expression tree e is said to be atlevel l ge 1 if enclosing e inside l Abs nodes ensures that the resulting expressionhas no dangling indices These ideas are standard as is the implementation oflevel

proper expr rArr bool One has proper e == level 0 e A proper expression isone that has no dangling indices and corresponds to a λ-calculus expression

insts bnd rArr (expr )list rArr expr rArr expr We explain this function by ex-ample Suppose that j is a bound index occurring in e and v0 vm a list ofmetavariables of type expr Let BND j be enclosed by a ABS nodes If a le j(so that j dangles) then insts replaces BND j by vjminusa If j does not dangle theninsts leaves BND j alone For example noting 5minus 2 = 3insts 0 v0 vm ABS (ABS (BND 0 $$ BND 5)) = ABS (ABS (BND 0 $$ v3))

abst [ bnd expr rArr expr ]rArr bool This predicate is defined by induction asa subset of bnd lowast (expr rArr expr) The inductive definition is

=rArr abst i (λ v v)=rArr abst i (λ vVAR n)

j lt i =rArr abst i (λ vBND j)[[ abst i f abst i g ]] =rArr abst i (λ v f v $$ g v)

abst (Suc i) f =rArr abst i (λ vABS (f v))

This definition is best explained in terms of the next functionabstr [ expr rArr expr ]rArr bool We set abstr e == abst 0 e This function de-

termines when an expression e of type expr rArr expr is an abstraction Thisis a key idea and the notion of an abstraction is central to the formulation ofinduction principles We illustrate the notion by example Suppose that ABS eis proper for example let e = ABS (BND 0 $$ BND 1) Then e is of level 1 andin particular there may be some bound indices which now dangle for exam-ple BND 1 in ABS (BND 0 $$ BND 1) An abstraction is produced by replacingeach occurrence of a dangling index with a metavariable (which can be auto-mated with insts) and then abstracting the meta variable Our example yieldsthe abstraction λ vABS (BND 0 $$ v)

lbnd [ bnd expr rArr expr expr ]rArr bool This predicate is defined as an in-

ductive subset of S def= bnd lowast (expr rArr expr) lowast expr The inductive definitionis

=rArr lbnd i (λ v v) (BND i)=rArr lbnd i (λ vVAR n) (VAR n)=rArr lbnd i (λ vBND j) (BND j)

[[ lbnd i f s lbnd i g t ]] =rArr lbnd i (λ v f v $$ g v) (s $$ t)lbnd (Suc i) f s =rArr lbnd i (λ vABS (f v)) (ABS s)

18 Simon J Ambler et al

There is a default case (omitted above) which is called when the second argumentdoes not match any of the given patterns It is a theorem that this defines afunction The proof is by induction on the rank of the function where rank f == size (f (VAR 0))

lbind [ bnd expr rArr expr ]rArr expr Set lbind i e == ε s lbnd i e s where ε

is the description operator Consider the abstraction λ vABS (BND 0 $$ v) Thearguments to lbind consist of a bound index and an abstraction The intuitiveaction of this function is that it replaces each bound occurrence of a bindingvariable in the body of an abstraction with a bound index so that a level 1expression results This is the reverse of the procedure defined in the paragraphconcerning abstractions where dangling indices were instantiated to metavari-ables using insts In practice lbind will be called on 0 at the top level Thus onehas

lbind 0 (λ vABS (BND 0 $$ v)) = = ABS (BND 0 $$ BND 1)

lambda (expr rArr expr)rArr expr Set lambda e == ABS (lbind 0 e) Its pur-pose is to transform an abstraction into the ldquocorrespondingrdquo proper de Bruijnexpression Our running example yields

lambda (λ vABS (BND 0 $$ v)) = ABS (ABS (BND 0 $$ BND 1))

It is easy to perform induction over a datatype of de Bruijn terms Howeverwe wish to be able to perform induction over the Hybrid expressions which wehave just given In order to do this we want to view the functions CON VAR$$ and lambda as datatype constructors that is they should be injective withdisjoint images In fact we identify subsets of expr and expr rArr expr for whichthese properties hold The subset of expr consists of those expressions which areproper The subset of expr rArr expr consists of all those e for which LAM v e vis proper In fact this means e is an abstraction which is intuitive but requiresproofmdashit is a Hybrid theorem We can then prove that

[[ abstr e abstr f ]] =rArr (Lamx e x = Lam y f y) = (e = f) INJ

which says that lambda is injective on the set of abstractions This is crucial forthe proof of an induction principle for Hybrid which is omitted for reasons ofspace but will appear in a journal version of this paper

4 Hybrid as a Logical Framework

Recall that in Section 2 we showed that Hybrid supports HOAS In this sectionwe show how Hybrid can be used as a logical framework to representobject logics and further how we can perform tactical theorem prov-ingThe system provides

ndash A number of automatic tactics for example proper tac (resp abstr tac) willrecognize whether a given term is indeed proper (resp an abstraction)

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 19

ndash A suite of theorems for example the injectivity and distinctness propertiesof Hybrid constants and induction principles over expr and expr rArr expras discussed in Section 3

Note that the adequacy of our representations will be proved in a forthcomingpaper

41 Quantified Propositional Logic

We begin with an encoding of the quantified propositional logic introduced inSection 1 While the fragment presented there is functionally complete we chooseto work with the following syntax

Q = Vi | notQ | Q andQprime | Q orQprime | Q sup Qprime | forallVi Q | existVi Q

This will allow us to demonstrate the representation of object level syntax indetail and show some properties of an algorithm to produce negation normalformsSo far we have written expr for the type of Hybrid expressions This was

to simplify the exposition and does not correspond directly to our code Thereone sees that Hybrid actually provides a type con expr of de Bruijn expressionswhere con is a type of names of constants Typically such names are for objectlogic constructors Thus we can define a different type con for each object logicwe are dealing with In the case of QPL we declare

con = cNOT | cIMP | cAND | cOR | cALL | cEX

followed by a Isabelle HOL type whose elements represent the object level formu-lae namely oo == con expr Readers should pause to recall the logical framework(and HOAS) of Section 1Now we show how to represent the object level formulae as Hybrid expres-

sions of type oo The table below shows analogous constructs in LF and Hybrid

Constants Application AbstractionLF name e1 e2 λ vi e

Hybrid CON cNAME e1 $$ e2 LAM vi e

In the next table we show the representation of the object level formulae Q sup Qprime

and forallVi Q in LF and Hybrid where minus is a translation functionLF Imp Q Qprime All (λ v Q)

Hybrid CON cIMP $$ Q $$ Qprime CON cALL $$ LAM v QAbbrevs Q Imp Qprime All v Q

The bottom row introduces some Isabelle HOL binders as abbreviations for themiddle row where the Isabelle HOL definitions are

q Imp qprime == CON cIMP $$ q $$ qprime where Imp [ oo oo ]rArr oo

20 Simon J Ambler et al

and

All v q v == CON cALL $$ LAM v q v where All (oo rArr oo)rArr oo

The code for the representation of the remainder of QPL is similar

And [ oo oo ]rArr oo Or [ oo oo ]rArr ooq And qprime == CON cAND $$ q $$ qprime q Or qprime == CON cOR $$ q $$ qprime

Not oo rArr oo Ex (oo rArr oo)rArr ooNot q == CON cNOT $$ q Ex v q v == CON cEX $$ LAM v q v

The QPL formula forallV1 forallV2 V1 sup V2 is represented by All v1All v2 v1 Imp v2although the ldquorealrdquo underlying form is

CON cALL $$ (LAM v1CON cALL $$ LAM v2 (CON cIMP $$ v1 $$ v2)

These declarations almost induce a data-type in the sense the above definedconstants enjoy certain freeness properties much as they would if they weredatatype constructors We can prove that they define distinct values for ex-ample All v q v = Ex v q v This is achieved by straightforward simplificationof their definitions to the underlying representation Injectivity of higher-orderconstructors (recall the end of Section 1) holds conditionally on their bodies be-ing abstractions In particular recall from Section 3 the result INJ that theLAM binder is injective on the set of abstractions Simplification will yield[[ abstr e abstr f All v e v = All v f v ]] =rArr e = f Since the type oo of le-gal formulae is merely an abbreviation for Hybrid expressions we need to in-troduce a ldquowell-formednessrdquo predicate such that isForm Q holds iff Q is alegal object level formula2 The inductive definition of isForm in Isabelle HOLis immediate as far as the propositional part of QPL is concerned for exam-ple [[ isForm p isForm q ]] =rArr isForm ( p Imp q) For the quantified part we firstremark that in a framework such as LF one would write

[[ forally isForm y rarr isForm (p y) ]] =rArr isForm (All v p v)

This is not possible in Isabelle HOL since the above clause if taken as primitivewould induce a (set-theoretic) non-monotone operator and cannot be part of anintroduction rule in an inductive definition Therefore we instead descend intothe scope of the quantifier replacing it with a fresh free variable and add thecorresponding base case

isForm (VAR i)[[ abstr p foralli isForm (p (VAR i)) ]] =rArr isForm (All v p v)

We can now proceed to an encoding of an algorithm for negation normalform as an inductive relation where we skip some of the propositional clauses

2 Please see remarks in Section 7 concerning internalizing such predicates as types

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 21

and Φ abbreviates abstr p abstr q

nnf (VAR i) (VAR i)nnf (Not (VAR i)) (Not (VAR i))

nnf b d =rArr nnf (Not (Not b)) d[[ nnf (Not p) d nnf (Not q)e ]] =rArr nnf (Not ( p And q)) ( d Or e)

[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Not (Ex v p v)) (All v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Not (All v p v)) (Ex v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (All v p v) (All v q v)[[ Φ foralli nnf (Not (p (VAR i)))(q (VAR i)) ]] =rArr nnf (Ex v p v) (Ex v q v)

Note how in the binding cases we explicitly state in Φ which second-orderterms are abstractions this allows us to exploit the injectivity of abstractions toderive the appropriate elimination rulesIt is possible to show in a fully automatic way that the algorithm yields

negation normal forms (whose definition is omitted) that is nnf q qprime =rArr isNnf qprimeMoreover it is a functional relation nnf q q1 =rArr forallq2 nnf q q2 rarr q1 = q2 Thelatter proof exploits a theorem regarding extensionality of abstractions namely

[[ abstr e abstr f foralli e (VAR i) = f (VAR i) ]] =rArr e = f

Note that the above is taken as an axiom in the Theory of Contexts [17]

42 Operational Semantics in the Lazy Lambda Calculus

The object logic in this section is yet another λ-calculus Abramskyrsquos lazy one[2] We describe some properties of its operational semantics In particular wegive HOAS encodings of some notions such as divergence and simulation whichare naturally rendered coinductivelymdashthis can only be approximated in otherapproaches as we discuss in Section 6To represent the lazy λ-calculus the type con will contain the names cAPP

and cABS used to represent object level application and abstraction We thendefine the constants below from these names where lexp == con expr

[ lexp lexp ]rArr lexp Fun (lexp rArr lexp)rArr lexpp q == CON cAPP $$ p $$ q Funx f x == CON cABS $$ LAM x f x

The definition of the well-formedness predicate isExp is analogous to the one inSection 4 and is omittedThe benefits of obtaining object-level substitution via metalevel β-conversion

are exemplified in the encoding of call-by-name evaluation (on closed terms) viathe inductive definition of gtgt [ lexp lexp ]rArr bool

[[ abstr e foralli isExp (e (VAR i)) ]] =rArr Funx e x gtgt Funx e x[[ e1 gtgt Funx e x abstr e isExp e2 (e e2) gtgt v ]] =rArr (e1 e2) gtgt v

Standard properties such as uniqueness of evaluation and value soundness havedirect proofs based only on structural induction and the introduction and elim-ination rules

22 Simon J Ambler et al

Divergence can be defined co-inductively as the predicate divrg lexp rArrbool

[[ isExp e1 isExp e2 divrg e1 ]] =rArr divrg (e1 e2)[[ e1 gtgt Funx e x abstr e isExp e2 divrg (e e2) ]] =rArr divrg (e1 e2)

We can give a fully automated co-inductive proof of the divergence of combi-nators such as Ω

def= (Funx x x) (Funx x x) once we have added theabstr tac tactic to the built-in simplifier Moreover there is a direct proof thatconvergence and divergence are exclusive and exhaustiveApplicative (bi)simulation le [ lexp lexp ] rArr bool is another interesting

(co-inductive) predicate with the single introduction rule

[[ forallt r gtgt Funx t x and abstr trarr (existu s gtgt Funx u x and abstr u and(forallpisExp prarr (t p) le (u p))) ]] =rArr r le s

The HOAS style here greatly simplifies the presentation and correspondinglythe metatheory Indeed with the appropriate instantiation of the coinductiverelation the proofs that simulation is a pre-order and bisimulation an equivalencerelation are immediate Other verified properties include Kleene equivalence isa simulation and divergent terms are the least element in this order

43 The Higher-Order π-Calculus

We present an encoding of the monadic higher-order π-calculus [24] with struc-tural congruence and reaction rules see [11] for a review of other styles of en-codings for the first-order case The syntax is given by the following where a aranges over names X over agent variables

α = τ | a(X) | a〈P 〉P = X | ΣiisinIαi P | (P1 | P2) | (νa)P

The encoding introduces appropriate type abbreviations (namely pi and name)and constants we concentrate on restriction input and output

New (name rArr pi)rArr pi(New a)p a == CON cNU $$ LAM a p a

In [name (pi rArr pi) ]rArr piIn a (p) == CON cIN $$ lambda p

Out [name pi pi ]rArr piOut a〈p〉q == CON cOUT $$ a $$ p $$ q

Replication is defined from these constants and need not be primitive

p == (New a)(D|Out a〈p|D〉) where D == In a (λx (x|Out a〈x〉))We then inductively define well-formed processes isProc p whose introductionrules are omitting non-binding cases

isProc (VAR i)[[ abstr p foralla isName ararr isProc (p a) ]] =rArr isProc (New a)p a

[[ abstr p isName a foralli isProc (p (VAR i)) ]] =rArr isProc In a (p)

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 23

Restriction being represented as a function of type name rArr pi is well-formed ifits body (p a) is under the assumption isName a this differs from input whichcontains a function of type pi rArr pi

Process abstraction is defined by procAbstr p == abstr p and (forallq isProc q rarrisProc (p q)) Next structural congruence is introduced and we proceed to encodereaction rules as the inductive definition minusrarr [ pi rArr pi ]rArr bool Note that thepresence of the structural rule make this unsuitable for search Here is a sample

[[ procAbstr p isProc q isProc pprime isName a ]] =rArr In a (p)|Out a〈q〉pprime minusrarr (p q)|pprime

[[ abstr p abstr pprime (foralla isName ararr (p a) minusrarr (pprime a)) ]] =rArr (New a)p a minusrarr (New a)pprime a

A formalization of late operational semantics following [18] is possible and willbe treated within a separate paper

5 A Theory of Hybrid

The goal of this section is to describe a mathematical model of Hybridand then show that the model provides an adequate representationof the λ-calculus The work here serves to illustrate and under-pinHybrid We proceed as follows In Section 51 we set up an explicit bijectionbetween the set of alpha equivalence classes of lambda expressions and the setof proper de Bruijn terms This section also allows us to introduce notationIn Section 52 we prove adequacy for an object level λ-calculus by proving anequivalent result for (proper) object level de Bruijn expressions and appealingto the bijectionFirst some notation for the object level λ-calculus expressions are inductively

defined by E = Vi | E E | ΛVi E We write E[EprimeVi] for capture avoidingsubstitution E simα Eprime for α-equivalence and [E]α for alpha equivalence classesWe write LE for the set of expressions and LEsimα for the set of all alphaequivalence classes The set of de Bruijn expressions is denoted by DB andgenerated by D = i | i | D $ D | A(D) where i is a free index We write DB(l)for the set of expressions at level l and PDB for the set of proper expressionsNote that PDB = DB(0) sub DB(1) sub DB(l) sub DB and DB = ⋃lltω DB(l)

51 A Bijection between λ-Calculus and Proper de Bruijn

Theorem 1 There is a bijection θLEsimα PDBφ between the set LEsimα

of alpha equivalence classes of λ-calculus expressions and the set PDB of properde Bruijn expressions

In order to prove the theorem we first establish in Lemma 1 and Lemma 2the existence of a certain family of pairs of functions [[minus]]LLE DB(|L|) (|minus|)LHere list L of length |L| is one whose elements are object level variables Vi Wesay that L is ordered if it has an order reflected by the indices i and no repeatedelements The first element has the largest index We write ε for the empty list

Lemma 1 For any L there exists a function [[minus]]LLE rarr DB(|L|) given recur-sively by

24 Simon J Ambler et al

ndash [[Vi]]Ldef= if Vi isin L then i else posn Vi L where posn Vi L is the position of Vi

in L counting from the head which has position 0ndash [[E1 E2]]L

def= [[E1]]L $ [[E2]]Lndash [[ΛVi E]]L

def= A([[E]]ViL)

Lemma 2 For any ordered L there exists a function (|minus|)LDB(|L|) rarr LEgiven recursively by

ndash (|i|)L def= Vi

ndash (|j|)L def= elem j L the jth element of L

ndash (|D1 $ D2|)L def= (|D1|)L (|D2|)Lndash (|A(D)|)L def= ΛVM+1 (|D|)VM+1L where M

def= Max (DL)

Max (DL) denotes the maximum of the free indices which occur in D and theindex j where Vj is the head of L

The remainder of the proof involves establishing facts about these functionsIt takes great care to ensure all details are correct and many sub-lemmas arerequired We prove that each pair of functions ldquoalmostrdquo gives rise to an isomor-phism namely that [[(|D|)L]]L = D and that (|[[E]]L|)Lprime simα E[LprimeL] Let qLE rarrLEsimα be the quotient function We define θ([E]α)

def= [[E]]ε and φdef= q (|minus|)ε

and the theorem follows by simple calculation Although our proofs take greatcare to distinguish α-equivalence classes from expressions we now write simplyE instead of [E]α which will allow us to write [[minus]]LLEsimα DB(|L|) (|minus|)L

52 Adequacy of Hybrid for the λ-Calculus

It would not be possible to provide a ldquocompleterdquo proof of the adequacy of theHybrid machine tool for λ-calculus A compromise would be to work with amathematical description of Hybrid but even that would lead to extremely longand complex proofs Here we take a more narrow approachmdashwe work with whatamounts to a description of a fragment of Hybrid as a simply typed lambdacalculusmdashpresented as a theory in a logical framework as described in Section 1Before we can state the adequacy theorem we need a theory in the logicalframework which we regard as a ldquomodelrdquo of Hybrid The theory has ground typesexpr var and bnd The types are generated by σ = expr | var | bnd | σ rArr σWe declare constants

i var BND bnd rArr expri bnd $$ expr rArr expr rArr expr

VAR var rArr expr ABS expr rArr expr

where i ranges over the natural numbers The objects are generated as in Sec-tion 1 Shortage of space means the definitions are omittedmdashhere we aim to givea flavour of our results Our aim is to prove

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 25

Theorem 2 (Representational Adequacy)

ndash There is an injective function || minus ||εLEsimα rarr CLFexpr(empty) which isndash compositional on substitution that is

||E[EprimeVi]||ε = subst ||Eprime||ε i ||E||εwhere subst eprime i e is the function on canonical expressions in which eprime replacesoccurrences of VAR i in e The definition of meta substitution and the setCLFexpr (Γ ) of canonical objects in typing environment Γ is omitted

To show adequacy we establish the existence of the following functions

LEsimα|| minus ||L CLFexpr(β(L)) ΣL DB(|L|)

The function β is a bijection between object level variables Vi and meta variablesvi Thus β(Vi) = vi The notation β(L) means ldquomaprdquo β along L We write β(L)for a typing environment in the framework with all variables of type expressionFrom now on all lists L are ordered The function ΣL is defined by the clauses

ndash ΣL idef= VAR i

ndash ΣL idef= elem i β(L)

ndash ΣL (D1 $ D2)def= ΣL D1 $$ ΣL D2

ndash ΣLA(D)def= lambda (λ vM+1 ΣVM+1L D) = LAM vM+1 ΣVM+1L D where

Mdef= Max (DL) (see Lemma 2)

The definition of ||minus||L is ΣL [[minus]]L Note that this is a well defined function onan α-equivalence class because [[minus]]L is In view of Theorem 1 and the definitionof || minus ||ε it will be enough to show the analogous result for the function Σε The proof strategy is as follows We show that there is a function insts whichmaps de Bruijn expressions to canonical objects possesses a left inverse andis compositional with respect to substitution Then we prove that the action ofΣL is simply that of the insts function Proofs of results will appear in a journalversion of this paper

6 Related Work

Our work could not have come about without the contributions of others Herefollowing [28] we classify some of these contributions according to the mathemati-cal construct chosen to model abstraction The choice has dramatic consequenceson the associated notions of recursion and proof by induction

ndash De Bruijn syntax [4] we do not review this furtherndash Name-carrying syntax here abstractions are pairs ldquo(name expression)rdquo andthe mechanization works directly on parse trees which are quotiented by α-conversion [22299] While recursioninduction is well-supported the detail

26 Simon J Ambler et al

that needs to be taken care of on a case-by-case basis tends to be overwhelm-ing To partially alleviate this [1] defines name-carrying syntax in terms ofan underlying type of De Bruijn λ-expressions which is then used as a meta-logic where equality is α-convertibility Very recently in [1028] Gabbay andPitts have introduced a novel approach based on the remarkable observationthat a first-order theory of α-conversion and binding is better founded onthe notion of name swapping rather than renaming The theory can eitherbe presented axiomatically as formalizing a primitive notion of swappingand freshness of names from which binding can be derived or as a non-classical set-theory with an internal notion of permutation of atoms Sucha set-theory yields a natural notion of structural induction and recursionover α-equivalence classes of expressions but it is incompatible with theaxiom of choice The aim of Pitts and Gabbayrsquos approach is to give a sat-isfying foundation of the informal practice of reasoning modulo renamingmore than formulate an alternative logical framework for metareasoning (al-though this too is possible) An ML-like programming language FreshMLis under construction geared towards metaprogramming applications

ndash Abstractions as functions from names to expressions mentioned in [1] (anddeveloped in [12]) it was first proposed in [5] as a way to have bindersas functions on inductive data-types while coping with the issue of exoticexpressions stemming from an inductive characterization of the set of namesThe most mature development is Honsell et alrsquos framework [17] whichexplicitly embraces an axiomatic approach to metareasoning with HOASIt consists of a higher-order logic inconsistent with unique choice but ex-tended with a set of axioms called the Theory of Contexts parametric toa HOAS signature Those axioms include the reification of key propertiesof names akin to freshness More crucially higher-order induction and re-cursion schemata on expressions are also assumed The consistency of suchaxioms with respect to functor categories is left to a forthcoming paper Theapplication of this approach to object logics such as the π-calculus [18] suc-ceeds not only because the possibility to ldquoreflectrdquo on names is crucial forthe metatheory of operations such as mismatch but also because here hy-pothetical judgments which are only partially supported in such a style [5]are typically not needed Moreover β-conversion can implement object-levelsubstitution which is in this case simply ldquonamerdquo for bound variable in aprocess The latter may not be possible in other applications such as theambient calculus This is also the case for another case-study [23] wherethese axioms seem less successful In particular co-induction is availablebut the need to code substitution explicitly makes some of the encodingfairly awkward

ndash Abstractions as functions from expressions to expressions [2615] We candistinguish here two main themes to the integration of HOAS and induc-tion one where they coexist in the same language and the other whereinductive reasoning is conducted at an additional metalevel In the first onethe emphasis is on trying to allow (primitive) recursive definitions on func-tions of higher type while preserving adequacy of representations this has

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 27

been realized for the simply-typed case in [7] and more recently for thedependently-typed case in [6] The idea is to separate at the type-theoreticlevel via an S4 modal operator the primitive recursive space (which encom-passes functions defined via case analysis and iteration) from the parametricfunction space (whose members are those convertible to expressions builtonly via the constructors)On the other side the Twelf project [27] is built on the idea of devising an ex-plicit (meta)metalogic for reasoning (inductively) about logical frameworksin a fully automated wayM2 is a constructive first-order logic whose quan-tifiers range over possibly open LF object over a signature In the metalogicit is possible to express and inductively prove metalogical properties of anobject logic By the adequacy of the encoding the proof of the existenceof the appropriate LF object(s) guarantees the proof of the correspond-ing object-level property It must be remarked that Twelf usage model isexplicitly non-interactive (ie not programmable by tactics) Moreover co-inductive definitions have to be rewritten in an inductive fashion exploitingthe co-continuity of the said notion when possibleMiller and McDowell [20] introduce a metameta logic FOλ∆IN that is basedon intuitionistic logic augmented with definitional reflection [14] and induc-tion on natural numbers Other inductive principles are derived via the use ofappropriate measures At the metameta level they reason about object-leveljudgments formulated in second-order logic They prove the consistency ofthe method by showing that FOλ∆IN enjoys cut-elimination [19] FOλ∆IN

approach [20] is interactive a tactic-based proof editor is under developmentbut the above remark on co-induction applies

7 Conclusions and Future Work

The induction principles of Hybrid involve universal quantifications over freevariables when instantiating abstractions It remains future work to determinethe real utility of our principles and how they compare to more standard treat-ments Informal practice utilises the someany quantifier that has emerged for-mally in [10] McKinna and Pollack discuss some of these issues in [21]Several improvements are possibleWe will internalize the well-formedness predicates as abstract types in Is-

abelle HOL significantly simplifying judgments over object logics For examplethe subset of lazy λ-calculus expressions identified by predicate isExp will becomea type say tExp so that evaluation will be typed as gtgt [ tExp tExp ]rArr bool We will specialize the abstr predicate to the defined logic so that it will havetype (tExp rArr tExp)rArr bool We envisage eventually having a system similar in spirit to Isabelle HOLrsquos

datatype package where the user is only required to enter a binding signaturefor a given object logic the system will provide an abstract type characterizingthe logic plus a series of theorems expressing freeness of the constructors of sucha type and an induction principle on the shape of expressions analogous to theone mentioned in Section 3

28 Simon J Ambler et al

We are in the process of further validating our approach by applying ourmethods to the compiler optimization transformations for Benton amp KennedyrsquosMIL-lite language [3]We intend to develop further the theory of Hybrid Part of this concerns

presenting the full details of the material summarized here There are also addi-tional results which serve to show how Hybrid relates to λ-calculus For exam-ple we can prove that if abstr e then there exists [ΛVi E]α isin LEsimα such that||ΛVi E||ε = LAM vi e vi On a deeper level we are looking at obtaining cate-gorical characterisations of some of the notions described in this paper basedon the work of Fiore Plotkin and Turi in [8]A full journal version of this paper is currently in preparation which in

particular will contain a greatly expanded section on the theory of Hybrid andprovide full details of the case studies

Acknowledgments

We would like to thank Andy Gordon for useful discussions and having providedthe HOL script from [1] We thank Simon Gay for discussions and ideas con-cerning the π-calculus Finally we are very grateful for the financial support ofthe UK EPSRC

References

1 A Gordon A mechanisation of name-carrying syntax up to alpha-conversion InJJ Joyce and C-JH Seger editors International Workshop on Higher OrderLogic Theorem Proving and its Applications volume 780 of Lecture Notes in Com-puter Science pages 414ndash427 Vancouver Canada Aug 1993 University of BritishColumbia Springer-Verlag published 1994

2 S Abramsky The lazy lambda calculus In D Turner editor Research Topics inFunctional Programming pages 65ndash116 Addison-Wesley 1990

3 N Benton and A Kennedy Monads effects and transformations In Proceedingsof the 3rd International Workshop in Higher Order Operational Techniques in Se-mantics volume 26 of Electronic Notes in Theoretical Computer Science Elsevier1998

4 N de Bruijn Lambda-calculus notation with nameless dummies A tool for auto-matic formula manipulation with application to the Church-Rosser theorem IndagMath 34(5)381ndash392 1972

5 J Despeyroux A Felty and A Hirschowitz Higher-order abstract syntax in CoqIn M Dezani-Ciancaglini and G Plotkin editors Proceedings of the InternationalConference on Typed Lambda Calculi and Applications pages 124ndash138 EdinburghScotland Apr 1995 Springer-Verlag LNCS 902

6 J Despeyroux and P Leleu Metatheoretic results for a modal λ-calculus Journalof Functional and Logic Programming 2000(1) 2000

7 J Despeyroux F Pfenning and C Schurmann Primitive recursion for higher-order abstract syntax In R Hindley editor Proceedings of the Third InternationalConference on Typed Lambda Calculus and Applications (TLCArsquo97) pages 147ndash163 Nancy France Apr 1997 Springer-Verlag LNCS

Combining Higher Order Abstract Syntax with Tactical Theorem Proving 29

8 M Fiore GD Plotkin and D Turi Abstract Syntax and Variable Binding InG Longo editor Proceedings of the 14th Annual Symposium on Logic in ComputerScience (LICSrsquo99) pages 193ndash202 Trento Italy 1999 IEEE Computer SocietyPress

9 J Ford and IA Mason Operational Techniques in PVS ndash A Preliminary Evalua-tion In Proceedings of the Australasian Theory Symposium CATS rsquo01 2001

10 M Gabbay and A Pitts A new approach to abstract syntax involving binders InG Longo editor Proceedings of the 14th Annual Symposium on Logic in ComputerScience (LICSrsquo99) pages 214ndash224 Trento Italy 1999 IEEE Computer SocietyPress

11 S Gay A framework for the formalisation of pi-calculus type systems in Is-abelleHOL In Proceedings of the 14th International Conference on TheoremProving in Higher Order Logics (TPHOLs 2001 LNCS Springer-Verlag 2001

12 AD Gordon and T Melham Five axioms of alpha-conversion In J von WrightJ Grundy and J Harrison editors Proceedings of the 9th International Conferenceon Theorem Proving in Higher Order Logics (TPHOLsrsquo96) volume 1125 of LectureNotes in Computer Science pages 173ndash190 Turku Finland August 1996 Springer-Verlag

13 EL Gunter Why we canrsquot have SML style datatype declarations in HOL InLJM Claese and MJC Gordon editors Higher Order Logic Theorem Provingand Its Applications volume Andash20 of IFIP Transactions pages 561ndash568 North-Holland Press Sept 1992

14 L Hallnas Partial inductive definitions Theoretical Computer Science 87(1)115ndash147 July 1991

15 R Harper F Honsell and G Plotkin A framework for defining logics Journalof the Association for Computing Machinery 40(1)143ndash184 Jan 1993

16 M Hofmann Semantical analysis for higher-order abstract syntax In G Longoeditor Proceedings of the 14th Annual Symposium on Logic in Computer Science(LICSrsquo99) pages 204ndash213 Trento Italy July 1999 IEEE Computer Society Press

17 F Honsell M Miculan and I Scagnetto An axiomatic approach to metareasoningon systems in higher-order abstract syntax In Proc ICALP 2001 volume 2076 inLNCS pages 963ndash978 Springer-Verlag 2001

18 F Honsell M Miculan and I Scagnetto π-calculus in (co)inductive type theoriesTheoretical Computer Science 2(253)239ndash285 2001

19 R McDowell Reasoning in a Logic with Definitions and Induction PhD thesisUniversity of Pennsylvania 1997

20 R McDowell and D Miller Reasoning with higher-order abstract syntax in alogical framework ACM Transaction in Computational Logic 2001 To appear

21 J McKinna and R Pollack Some Type Theory and Lambda Calculus FormalisedTo appear in Journal of Automated Reasoning Special Issue on Formalised Math-ematical Theories (F Pfenning Ed)

22 TF Melham A mechanized theory of the π-calculus in HOL Nordic Journal ofComputing 1(1)50ndash76 Spring 1994

23 M Miculan Developing (meta)theory of lambda-calculus in the theory of contextsIn S Ambler R Crole and A Momigliano editors MERLIN 2001 Proceedingsof the Workshop on MEchanized Reasoning about Languages with variable bINd-ing volume 58 of Electronic Notes in Theoretical Computer Scienc pages 1ndash22November 2001

24 J Parrow An introduction to the pi-calculus In J Bergstra A Ponse andS Smolka editors Handbook of Process Algebra pages 479ndash543 Elsevier Science2001

30 Simon J Ambler et al

25 F Pfenning Computation and deduction Lecture notes 277 pp Revised 19941996 to be published by Cambridge University Press 1992

26 F Pfenning and C Elliott Higher-order abstract syntax In Proceedings of theACM SIGPLANrsquo88 Symposium on Language Design and Implementation pages199ndash208 Atlanta Georgia June 1988

27 F Pfenning and C Schurmann System description Twelf mdash A metalogical frame-work for deductive systems In H Ganzinger editor Proceedings of the 16th Inter-national Conference on Automated Deduction (CADE-16) pages 202ndash206 TrentoItaly July 1999 Springer-Verlag LNAI 1632

28 A M Pitts Nominal logic A first order theory of names and binding InN Kobayashi and B C Pierce editors Theoretical Aspects of Computer Software4th International Symposium TACS 2001 Sendai Japan October 29-31 2001Proceedings volume 2215 of Lecture Notes in Computer Science pages 219ndash242Springer-Verlag Berlin 2001

29 R Vestergaard and J Brotherson A formalized first-order conflence proof for theλ-calculus using one sorted variable names In A Middelrop editor Proceedingsof RTA 2001 volume 2051 of LNCS pages 306ndash321 Springer-Verlag 2001

Ecient Reasoning about Executable

Specications in Coq

Gilles Barthe and Pierre Courtieu

INRIA Sophia-Antipolis FranceGillesBarthePierreCourtieusophiainriafr

Abstract We describe a package to reason eciently about executablespecications in Coq The package provides a command for synthesizinga customized induction principle for a recursively dened function anda tactic that combines the application of the customized induction prin-ciple with automatic rewriting We further illustrate how the packageleads to a drastic reduction (by a factor of 10 approximately) of the sizeof the proofs in a large-scale case study on reasoning about JavaCard

1 Introduction

Proof assistants based on type theory such as Coq [9] and Lego [15] combinean expressive specication language (featuring inductive and record types) anda higher-order predicate logic (through the Curry-Howard Isomorphism) to rea-son about specications Over the last few years these systems have been usedextensively in particular for the formalization of programming languages Twostyles of formalizations are to be distinguished

the functional style in which specications are written in a functional pro-gramming style using pattern-matching and recursion

the relational style in which specications are written in a logic programmingstyle using inductively dened relations

In our opinion the functional style has some distinctive advantages over its rela-tional counterpart especially for formalizing complex programming languagesIn particular the functional style oers support for testing the specication andcomparing it with a reference implementation and the possibility to generateprograms traces upon which to reason using eg temporal logic Yet it is strik-ing to observe that many machine-checked accounts of programming languagesemantics use inductive relations In the case of proof assistants based on typetheory two factors contribute to this situation

rstly type theory requires functions to be total and terminating (in factthey should even be provably so using a criterion that essentially capturesfunctions dened by structural recursion) therefore specications written ina functional style may be more cumbersome than their relational counter-part

VA Carrentildeo C Muntildeoz S Tahar (Eds) TPHOLs 2002 LNCS 2410 pp 3146 2002ccopy Springer-Verlag Berlin Heidelberg 2002

32 Gilles Barthe and Pierre Courtieu

secondly a proof assistant like Coq oers through a set of inversion [1011]and elimination tactics eective support to reason about relational speci-cations In contrast there is no similar level of support for reasoning aboutexecutable functions

Here we address this second issue by giving a package that provides eective sup-port for reasoning about complex recursive denitions see Section 2 Furtherwe illustrate the benets of the package in reasoning about executable specica-tions of the JavaCard platform [34] and show how its use yields compact proofsscripts up to 10 times shorter than proofs constructed by hand see Section 3Related work is discussed in Section 3 We conclude in Section 5

2 Elimination Principles for Functions

21 Elimination on Inductive Types and Properties

One of the powerful tools provided by proof assistants like Coq for reasoning oninductive types is the elimination principle which is usually generated automat-ically from the denition of the type We see here the denition in Coq of thetype nat and the type of its associated principle

Inductive nat Set = O nat | S natrarrnatnat_ind(P natrarrProp) (P O) rarr((nnat)(P n)rarr(P (S n))) rarr(nnat)(P n)

The logical meaning of an elimination principle attached to an inductive typeT is that closed normal terms of type T have a limited set of possible formsdetermined by the constructors of T It also captures the recursive structure ofthe type It is important to notice that elimination principles are nothing elsethan recursive functions for example the denition of nat_ind is the following

[P natrarrProp f(P O) f0((nnat)(P n)rarr(P (S n)))]Fixpoint F [nnat] (P n) =lt[xnat](P x)gt Cases n of O rArrf

| (S n0) rArr(f0 n0 (F n0))end

The expression lt[xnat](P x)gt is a specic type scheme for dependentlytyped case expressions (dependent types are necessary to represent predicateslike P) It is used to build case branches having dierent types provided thateach one corresponds to the scheme applied to the corresponding pattern Forexample the rst branch is correct because ([xnat](P x) O)=(P O) Sim-ilarly the second case is accepted because (f0 n0 (F n0)) has type (P (Sn0)) which is equal to ([xnat](P x) (S n0))

The type of the whole case expression is obtained by applying the scheme tothe term on which the case analysis is done here n ie (P n)

Reasoning by elimination on an inductive property P can be understoodintuitively as reasoning by induction on the proof of P We see here the principleassociated to the relation le

Ecient Reasoning about Executable Specications in Coq 33

Inductive le [n nat] natrarrProp =le_n (le n n)

| le_S (mnat)(le n m)rarr(le n (S m))

le_ind (nnat P(natrarrProp))(P n) rarr ((mnat)(le n m)rarr(P m)rarr(P (S m)))rarr (mnat)(le n m)rarr(P m)

Suppose we are trying to prove (P m) for all m such that H(le n m) wecan apply the theorem le_ind which leads to two subgoals corresponding tothe possible constructors of le This way of reasoning which has proved to bevery useful in practice makes relational specications a popular solution

22 Elimination Following the Shape of a Function

Basic Idea When we choose a functional style of specication recursive func-tions are used instead of inductive relations and elimination principles are usu-ally not automatically available However once a function is dened (ie provedterminating which is automatic in Coq for structural recursion) it is relativelynatural to build an induction principle which follows its shape It allows reason-ing by induction on the possible branches of the denition of the function Sincethe new term follows the same recursive calls as the function we know that thisnew term denes a correct induction scheme and that it will be accepted by CoqFor example the following function

Fixpoint isfourtime [nnat] bool =Cases n of | O rArr true

| (S S S S m) rArr (isfourtime m)| _ rArr false

end

yields an induction principle with a nested case analysis of depth 5 Redoing allthe corresponding steps each time we want to consider the dierent paths of thefunction would be long and uninteresting (see Section 3 for more examples)

We have designed a Coq package allowing automation of the inductivecaseanalysis process According to the Coq paradigm our package builds proof terms

in the Curry-Howard philosophy Surprisingly the presence of proof terms is help-ful since functions and proofs are all represented by λ-terms we can build proofterms by transforming the term of the function we consider Since moreover wefocus on functions dened by structural recursion (see Section 42 for extension tomore general recursion schemes) termination of the function (and consequentlythe correctness of the elimination principles we generate) is ensured by the typechecking of Coq

The proof of a property forallxP using isfourtime as a model will be a termQ obtained by transforming isfourtime (notice how implicit cases have beenexpanded)

Fixpoint Q [nnat] P =lt[xnat](P x)gt Cases n of

34 Gilles Barthe and Pierre Courtieu

| O rArr( (P O))| (S O) rArr( (P (S O)))| (S S O) rArr( (P (S S O)))| (S S S O) rArr( (P (S S S O)))| (S S S S m) rArr(((xnat)(P x)rarr(P (S S S S x))) m (Q m))end

where the ve (H) stand for properties H yet to be proved (subgoals) InSubsection 25 we concentrate on the structure of this incomplete term and itsautomatic generation from the denition of the function

Once built this incomplete term can be applied to a particular goal withthe Refine tactic or completed into a general reusable induction principleTo achieve the latter we replace the s by abstracted variables (Hypx in theexample below) We also abstract the predicate (P) and nally obtain a generalprinciple On our example this leads to

[P(natrarrProp) Hyp0(P O) Hyp1(P (S O))Hyp2(P (S (S O))) Hyp3(P (S (S (S O))))Hyp4(xnat) (P x) rarr(P (S (S (S (S x)))))]Fixpoint Q [nnat] P =lt[xnat](P x)gt Cases n of| O rArrHyp0| (S O) rArrHyp1| (S S O) rArrHyp2| (S S S O) rArrHyp3| (S S S S m) rArrHyp4 m (Q m)end

(P(natrarrProp)) (P O) rarr(P (S O)) rarr(P (S (S O)))rarr(P (S (S (S O)))) rarr((xnat) (P x) rarr(P (S (S (S (S x))))))rarr(nnat)(P n)

This term is well-typed and thus denes a correct induction principle

Capturing the Environment of Each Branch In the examples above sub-goals contain nothing more than induction hypotheses but generally this willnot be enough Indeed we need to capture for each subgoal the environment

induced by the branches of Cases expressions which have been chosen We illus-trate this situation with the following function (which computes for every n thelargest m le n such that m = 4k for some k)

Fixpoint findfourtime [nnat] nat =Cases n of| O rArrO| (S m) rArrCases (isfourtime n) of| true rArrn| false rArr(findfourtime m)end

end

Ecient Reasoning about Executable Specications in Coq 35

In this case it is necessary to remember that in the rst branch n=O inthe second branch n=O and (isfourtime n)=true and in the third branch(isfourtime n)=false Otherwise it will be impossible to prove for examplethe following property

P equiv forallnnat(isfourtime (findfourtime n)) = true

Finally the proof of the elimination principle generated from findfourtime

has the form

Fixpoint Q2 [nnat] (P n) =(lt[xbool](isfourtime n)=x rarr(P n)gtCases n of| O rArr((P O))| (S m) rArrlt[bbool](isfourtime (S m))=brarr(P (S m))gtCases (isfourtime (S m)) of| true rArr((isfourtime (S m))=truerarr(P (S m)))| false rArr((P m)rarr(isfourtime (S m))=falserarr(P (S m))) (Q2 m)end (refl_equal bool (isfourtime (S m))))

end

where (reflequal bool (isfourtime (S m))) is the proof of the dier-ent equalities induced by the case analysis Recall that reflequal is the con-structor of the inductive type eq representing the equality so(reflequal A x) is of type (eq A x x))

These proofs are gathered outside the case expression so as to obtain a well-typed term This point is subtle equality proofs have the form (reflequalbool (isfourtime (S m))) which is of type (isfourtime (S m))=(isfourtime (S m)) We see therefore that to be accepted by the case typingrule explained above we must apply this term to a term of type (isfourtime(S m))=(isfourtime (S m))rarr (P (S m)) This is the type of the wholecase expression but not of each branch taken separately So moving thereflequal expression inside the Cases would result in an ill-typed term

23 Contents of the Package

The main components of the package are

A Coq command Functional Scheme which builds a general induction prin-ciple from the denition of a function f It is a theorem of the form

(P (forallxi TiP rop))(H1 PO1)(Hn POn)rarr forallxi Ti(P xi)

where the POis are the proof obligations generated by the algorithm de-scribed above and xis correspond to the arguments of f To make an elim-ination the user just applies the theorem The advantage of this method isthat the structure of the function (and its type checking) is not duplicatedeach time we make an elimination

A tactic Analyze which applies the above algorithm to a particular goalThis tactic allows for more automation see for that section 26

36 Gilles Barthe and Pierre Courtieu

24 Using the Package on an Example

We now prove the following property

P equiv forallnnat(findfourtime n) le n

Using the Tactic Analyze In order to benet from the rewriting steps of thetactic we rst unfold the denition of the function and then apply the tactic

Lemma P(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeAnalyze findfourtime params n

At this point we have the following three subgoals corresponding to the threebranches of the denition of findfourtime notice the induction hypothesison the last one

1 (le O O)

2 [(isfourtime (S m))=true] (le (S m) (S m))

3 [(le (findfourtime m) m) (isfourtime (S m))=false]

(le (findfourtime m) (S m))

Each of these subgoals is then proved by the Auto tactic

Using the General Principle We set

Functional Scheme findfourtime_ind= Induction for findfourtime

Then the proof follows the same pattern as above

Lemma Qrsquo(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeElim n using findfourtime_ind

Again we have three subgoals1 (le O O)

2 [eq(isfourtime (S m))=true]

(le (if (isfourtime (S m))

then (S m) else (findfourtime m)) (S m))

3[(le (findfourtime m) m) eq(isfourtime (S m))=false]

(le (if (isfourtime (S m))

then (S m) else (findfourtime m)) (S m))

We see that some rewriting steps must be done by hand to obtain the sameresult than with the tactic Finally the whole script is the following

Lemma Qrsquo(nnat)(le (findfourtime n) n)Intro n Unfold findfourtimeElim n using findfourtime_indIntrosAutoRewrite eqAutoSave

In more complex cases like in section 32 the rewriting operations done by theAnalyze tactic make the script signicantly smaller than when using the generalprinciple

Ecient Reasoning about Executable Specications in Coq 37

25 Inference System

In this subsection we give an inference system to build an elimination princi-ple for a particular property G from a function t The main goal of this sys-tem is to reproduce the structure of the term t including Case Fix let andλ-abstractions until it meets an application a constant or a variable The re-maining terms are replaced by proof obligations whose type is determined by theCase Fix let and λ-abstractions from above The result of this algorithm isan incomplete term like Q2 above from which we can either apply the Refinetactic or build a general principle

Grammar Coqs internal representation of the expressions of the Calculus ofInductive Constructions (CIC) is given in Figure 1 Although our package dealswith mutually recursive functions we omit them from the presentation for clarityreasons The construction Ind(x T )T where T stands for a vector of terms(types actually) is an inductive type whose n-th constructor is denoted by CnT

(in the sequel we often omit T ) In the Fix expression X is bound in f andcorresponds to the function being dened t is its type and f is the body of thefunction In the Case expression tis are functions taking as many arguments asthe corresponding constructors take see [1617]

Variables V = x y Sorts S = Set | Prop | TypeTerms T = V | S | λV TT | forallV TT | (T T )

| Fix(V T T ) | Case T of T end | let T = T in T| Ind(x T )T | CnT

Fig 1 Syntax of terms of CCI

Judgment Judgments are of the form t X G Γ1 Γ2 P where t is the func-tion to use as a model X is the variable corresponding to the recursive function(bound by Fix in t used to nd recursive calls) G is the property to be proved(the goal) Γ1 is the list of bound variables (initially empty) Γ2 is the list ofequalities corresponding to the case analysis and P is the proof term of theprinciple When proving a property G we build a term P containing proof obli-gations represented by ( T ) where T is the awaited property (ie type) thatmust be proved

Rules are given in Figure 2 In the last rule (X ti) represents all recursivecalls found in t In the present implementation no nested recursion is allowedIn the rule (Case) we note (Ci xi) the fully applied constructor Ci

38 Gilles Barthe and Pierre Courtieu

t X G x T cup Γ1 Γ2 P

λx Tt X G Γ1 Γ2 λx TP(Lambda)

foralliti X G xi Ti cup Γ1 E = (Ci xi) cup Γ2 PiCase E of ti end X G Γ1 Γ2

(Case E of Pi end (reflequal TE E))

(Case)

t X G xi Ti isin u cup Γ1 u = v cup Γ2 P

let u = v in t X G Γ1 Γ2 let u = v in P(Let)

f X G Γ1 Γ2 P

Fix(X T f) _ G Γ1 Γ2 Fix(X G P )(Fix)

(X ti) isin t

t X G Γ1 Γ2 (( forallΓ1X ti rarr Γ2 rarr G) Γ1)(Rec)

if t = Fix Caselet or λx Tt

Fig 2 Elimination algorithm

26 More Automation

We can use the equalities generated by the tactic to perform rewriting stepsautomatically thereby reducing the user interactions to achieve the proof

First we can rewrite in the generated hypothesis of each branch We givea modied version of the (Case) rule in gure 3 where Γ2[E larr Ci(xi)] isthe set of equalities Γ2 where E has been replaced by Ci(xi) in the rightmembers

foralliti[E larr Ci(xi)] X G xi Ti cup Γ1 E = (Ci xi) cup Γ2[E larr Ci(xi)] PiCase E of ti end X G Γ1 Γ2

(Case E of Pi end (reflequal TE E))

(Case)

Fig 3 (Case) rule with rewriting

Second we can propagate these rewriting steps in the goal itself This ispossible in the tactic Analyze where we call the Rewrite tactic of Coqwhich performs substitutions in the goal with the set of equalities Γ2As Coq provides a mechanism for foldingunfolding constants it is possiblethat rewriting steps become possible later during the proofs of the generatedsubgoals This is specially true when dealing with complex specications

Ecient Reasoning about Executable Specications in Coq 39

where unfolding all denitions is not comfortable Therefore we also providea rewriting database that contains all the equalities of Γ2 for each branchThe database can be used later with the AutoRewrite tactic

Third we can optimize the Analyze tactic in the particular case of a nonrecursive function applied to constructor terms ie terms of which headsymbol is a constructor of an inductive type For example suppose we havea goal of the form

(nnat)(P (f O (S (S (S n)))))

Where f is a non recursive function It is clear that we do not want toconsider all possible constructors for the arguments of f For example thecase (f (S ) ) is not interesting for us The idea is to focus onthe case branch corresponding to the constructors We use a simple trickto achieve this we apply the function to its arguments and reduce Theresulting term is a new function containing only the relevant case analysisWe apply the tactic to this term instead of the initial functionNote that this optimization is hardly useful for recursive functions becausesome recursive hypothesis can be lost when focusing on a particular branch

3 Applications to JavaCard

In this section we illustrate the benets of our package in establishing correctnessresults for the JavaCard platform Note that for the clarity of presentation theCoq code presented below is a simplied account of [34]

31 Background

JavaCard is a dialect of Java tailored towards programming multi-applicationsmartcards Once compiled JavaCard applets typically electronic purses andloyalty applets are veried by a bytecode verier (BCV) and loaded on thecard where they can be executed by a JavaCard Virtual Machine (JCVM)

Correctness of the JavaCard Platform The JCVM comes in two avours adefensive JCVM which manipulates typed values and performs type-checkingat run-time and an oensive JCVM which manipulates untyped values andrelies on successful bytecode verication to eliminate type verication at run-time Following a strategy streamlined in [14] we want to prove that the oensiveand defensive VMs coincide on those programs that pass bytecode vericationThis involves

formalizing both VMs and show that both machines coincide on those pro-grams whose execution on the defensive VM does not raise a type error

formalizing a BCV as a dataow analysis of an abstract VM that only ma-nipulates types and show that the defensive VM does not raise a type errorfor those programs that pass bytecode verication

40 Gilles Barthe and Pierre Courtieu

In both cases we need to establish a correspondence between two VMs Moreprecisely we need to show that the oensive and abstract VMs are sound (non-standard) abstract interpretations of the defensive VMs in the sense that undersuitable constraints abstraction commutes with execution

CertiCartes [34] is an in-depth feasibility study in the formal verication of theJavaCard platform CertiCartes contains formal executable specications of thethree VMs (defensive abstract and oensive) and of the BCV and a proof thatthe defensive and oensive VM coincide on those programs that pass bytecodeverication The bulk of the proof eort is concerned with the soundness of theoensive and abstract VMs wrt the defensive VM In our initial work suchproofs were performed by successive unfoldings of the case analyses arising inthe denition of the semantics of each bytecode leading to cumbersome proofswhich were hard to produce understand and modify In contrast the Analyzetactic leads to (up to 10 times) smaller proofs that are easier to perform andunderstand as illustrated in the next subsections

32 Applications to Proving the Correspondence between Virtual

Machines

In order to establish that the oensive VM is a sound abstraction of the de-fensive VM one needs to prove that abstraction commutes with execution forevery bytecode of the JavaCard instruction set In the particular case of methodinvocation one has to show

nargsnatnm class_method_idxstate dstatecapjcprogram=========================================let res=(dinvokevirtual nargs nm state cap) inlet ostate=(alpha_off state) inlet ores=(oinvokevirtual nargs nm ostate cap)in (INVOKEVIRTUAL_conds res) rarr(alpha_off res) = ores

where

the abstraction function alpha_offmaps a defensive state into an oensiveone

the predicate INVOKEVIRTUAL_conds ensures that the result state res isnot a type error

the functions dinvokevirtual and oinvokevirtual respectively de-note the defensive and oensive semantics of virtual method invokation

The denition of dinvokevirtual is

Definition dinvokevirtual =[nargsnat][nmclass_method_idx][statedstate][capjcprogram]

Ecient Reasoning about Executable Specications in Coq 41

(lowast The initial state is decomposed lowast)Cases state of(sh (hp nil)) rArr(AbortCode state_error state) |(sh (hp (cons h lf))) rArr

(lowast nargs must be greater than zero lowast)Cases nargs ofO rArr(AbortCode args_error state) |(S _) rArr

(lowast Extraction of the object reference (the nargsth element) lowast)Cases (Nth_func (opstack h) nargs) oferror rArr(AbortCode opstack_error state) |(value x) rArr

(lowast Tests if this element is a reference lowast)Cases x of((Prim _) vx) rArr(AbortCode type_error state) |((Ref _) vx) rArr

(lowast tests if the reference is null lowast)(if (test_NullPointer vx)then (ThrowException NullPointer state cap)else

(lowast Extraction of the referenced object lowast)Cases (Nth_func hp (absolu vx)) oferror rArr(AbortMemory heap_error state) |(value nhp) rArr

(lowast Get the corresponding class lowast)Cases (Nth_elt (classes cap) (get_obj_class_idx nhp)) of(value c) rArr

(lowast Get the corresponding method lowast)Cases (get_method c nm) of(lowast Successful method call lowast)(value m) rArr(new_frame_invokevirtual nargs m nhp state cap) |error rArr(AbortCap methods_membership_error state)end |_ rArr(AbortCap class_membership_error state)end end) end end end end

In our initial work on CertiCartes such statements were proved by handby following the successive case analyses arising in the denition of the semanticsof each bytecode The proofs were hard to produce understand and modify Incontrast the Analyze tactic leads to smaller proofs that are easier to performand understand For example the following script provides the rst steps of theproof

42 Gilles Barthe and Pierre Courtieu

SimplUnfold dinvokevirtualAnalyze dinvokevirtual params nargs nm state cap

At this point nine dierent subgoals are generated each of them correspondingto a full case analysis of the function In the case of a successful method callthe corresponding subgoal is

_eg_8 (get_method c nm)=(value m)_eg_7 (Nth_elt (classes cap) (get_obj_class_idx nhp))

=(value c)_eg_7 (Nth_func hp (absolu vx))=(value nhp)_eg_6 (test_NullPointer vx)=false_eg_5 t=(Ref t0)_eg_4 x=((Ref t0)vx)_eg_3 (Nth_func (opstack h) (S n))=(value ((Ref t0)vx))_eg_2 nargs=(S n)_eg_1 state=(sh(hp(cons h lf)))H (INVOKEVIRTUAL_conds(new_frame_invokevirtual (S n) m nhp (sh(hp(cons h lf))) cap))=========================================(alpha_off(new_frame_invokevirtual (S n) m nhp (sh(hp(cons h lf))) cap))=(oinvokevirtual (S n) nm (alpha_off (sh(hp(cons h lf)))) cap)

This goal as all other goals generated by the tactic can in turn be dischargedusing rewriting and some basic assumptions on the representation of JavaCardprograms

33 Applications to Proving Memory Invariants

In order to establish that the abstract VM is a sound abstraction of the defensiveVM one needs to establish a number of invariants on the memory of the virtualmachine for example that executing the abstract virtual machine does not createillegal JavaCard types such as arrays of arrays Proving such a property is tediousand involves several hundreds of case analyses including a topmost case analysison the instruction set In the case of the load bytecode one is left with the goal

s astatet typel locvars_idx==================================================(legal_types s) rarr(legal_types (tload t l s))

Whereas a proof by hand leaves the user with 29 subgoals to discharge anapplication of the Analyze tactic leaves the user with 3 subgoals to dischargenamely the three interesting cases corresponding to the successful execution ofthe tload bytecode In such examples the use of our tactic reduces the size ofproof scripts by a factor of 10

Ecient Reasoning about Executable Specications in Coq 43

4 Extensions and Related Work

41 Related Work

Our work is most closely related to Slinds work on reasoning about terminatingfunctional programs see eg [20] where Slind presents a complete methodologyto dene a function from a list of equations and a termination relation Thisrelation is used to generate termination conditions which need to be dischargedto prove that the rewrite system dened by the equations terminates From theproofs of the termination conditions Slind automatically synthesizes an induc-tion principle for the function Slinds induction principle is closely related toours but there are some dierences

Slinds work focuses on proof-assistants based on higher-order logic in par-ticular on Isabelle [18] and HOL [13] that do not feature proof terms Inour framework objects properties and proofs are all terms of the Calculusof Inductive Constructions and hence we need to provide a proof term forthe customized principle attached to the function As pointed out in Section2 the construction of the proof term can be done directly by transformingthe term corresponding to the function

Slinds work provides for each total and terminating function f a genericinduction principle that can be used to prove properties about f In contrastthe tactic Analyze starts from the property to be proven say φ and proceedsto build directly a proof of φ by following the shape of the denition off Eventually the tactic returns some proof obligations that are requiredto complete the proof of φ This allows our package to perform rewritingand other operations during the building of the proof leading to a drasticincrease in automation Since similar proof terms are constructed every timeone applies the tactic on the function f it could be argued that such afeature is costly in terms of memory However we have not experienced anyeciency problem although our JavaCard development is fairly large

Slinds work provides support for well-founded and nested recursion whichour package does not handle currently

Our work is also closely related to the induction process dened by Boyerand Moore In Nqthm [8] the directive INDUCT (f v1vn) can be usedduring a proof to perform the same case analysis and recursion steps as in thedenition of f An interesting feature that we do not handle in this paper is theability of merging dierent functions into one single induction principle

These works as well as ours aims at providing ecient support for reasoningabout executable specications An alternative strategy consists in developingtools for executing specications that may be relational at least in part For ex-ample Elf [19] combines type theory and logic programming and hence providessupport for executing relational specications Further there have been someeorts to develop tools for executing specications written in Coq Isabelle orrelated systems In particular some authors have provided support for executingrelational specications for example Berghofer and Nipkow [5] have developed

44 Gilles Barthe and Pierre Courtieu

a tool to execute Isabelle theories in a functional language and used it in thecontext of their work on Java and JavaCard Conversely some authors haveprovided support to translate executable specications into input for proof as-sistants for example Terrasse [2122] has developed a tool to translate Typolspecications into Coq However we believe that executable specications arebetter suited for automating proofs especially because they lend themselves wellto automated theorem-proving and rewriting techniques

A third possible strategy would consist of relating relational and functionalspecications For example one could envision a tool that would derive automat-ically from a functional specication (1) its corresponding relational specication(2) a formal proof that the two specications coincide Such a tool would allowthe combination of the best of both worlds (one could be using eliminationin-version principles to reason about relational specications and then transfer theresults to functional ones) yet we are not aware of any conclusive experience inthis direction

42 Extensions

As emphasized in the introduction the main motivation behind the package isto develop eective tool support to reason about the JavaCard platform Thefollowing two extensions are the obvious next steps towards this objective

support for conditional rewriting rules We would like to introduce functionsusing the format of conditional rewriting rules of [2] Indeed this formatwhich can be automatically translated into Coq (provided the guard condi-tions are satised) lead to more readable specications especially for partialfunctions

support for inversion principles We also would like to provide inversionprinciples like those that exist for inductive types [10] Such principles donot use induction instead they proceed by case analysis and use the factthat constructors of inductive types are injective For example inversionprinciples for functions should allow us to deduce

x=O or x=(S S S S y)and((isfourtime y)=true)

from (isfourtime x)=true support for merging Merging [8] allows to generate a single induction prin-ciple for several functions This technique allows to dene very accurateinduction principles that are very useful in fully automated tactics

From a more general perspective it would be interesting to provide support fornested and well-founded recursion Furthermore a higher automation of equa-tional reasoning is required in the proofs of commuting diagrams One possibilityis to rely on an external tool to generate rewriting traces that are then translatedin Coq There are several candidates for such tools including Elan [6] and Spike[7] and ongoing work to interface them with proof assistants such as Coq seeeg [1]

Ecient Reasoning about Executable Specications in Coq 45

5 Conclusion

We have described a toolset for reasoning about complex recursive functions inCoq A fuller account of the package including a tutorial can be found in [12]

In addition we have illustrated the usefulness of our package in reasoningabout the JavaCard platform This positive experience supports the claim laidin [2] that proofs of correctness of the JavaCard platform can be automated to alarge extent and indicates that proof assistants could provide a viable approachto validate novel type systems for future versions of Javacard

Thanks

We would like to thank the anonymous referees for there constructive remarksYves Bertot for its precious advice ideas and examples Guillaume Dufay for thefeedback on using the tactic intensively and Konrad Slind for the precisions onTFLIsabelle

References

1 C Alvarado and Q-H Nguyen elan for equational reasoning in coq In J De-speyroux editor Proceedings of LFM00 2000 Rapport Technique INRIA

2 G Barthe G Dufay M Huisman and S Melo de Sousa Jakarta a toolset toreason about the JavaCard platform In I Attali and T Jensen editors Proceedingsof e-SMART 2001 volume 2140 of Lecture Notes in Computer Science pages 218Springer-Verlag 2001

3 G Barthe G Dufay L Jakubiec and S Melo de Sousa A formal correspondencebetween oensive and defensive JavaCard virtual machines In A Cortesi editorProceedings of VMCAI 2002 volume 2294 of Lecture Notes in Computer Sciencepages 3245 Springer-Verlag 2002

4 G Barthe G Dufay L Jakubiec B Serpette and S Melo de Sousa A FormalExecutable Semantics of the JavaCard Platform In D Sands editor Proceedingsof ESOP 2001 volume 2028 of Lecture Notes in Computer Science pages 302319Springer-Verlag 2001

5 S Berghofer and T Nipkow Executing higher order logic In P Callaghan Z LuoJ McKinna and R Pollack editors Proceedings of TYPES 2000 volume LNCS2277 of Lecture Notes in Computer Science Springer-Verlag 2002

6 P Borovanskyacute H Cirstea H Dubois C Kirchner H Kirchner P-E MoreauC Ringeissen and M Vittek The Elan V34 Manual 2000

7 A Bouhoula Automated theorem proving by test set induction Journal of Sym-bolic Computation 234777 1997

8 RS Boyer and JS Moore A Computational Logic Handbook Academic Press1988

9 Coq Development Team The Coq Proof Assistant Users Guide Version 72January 2002

10 C Cornes Conception dun langage de haut niveau de representation de preuvesReacutecurrence par ltrage de motifs Unication en preacutesence de types inductifs prim-itifs Synthegravese de lemmes dinversion PhD thesis Universiteacute de Paris 7 1997

46 Gilles Barthe and Pierre Courtieu

11 C Cornes and D Terrasse Automating inversion and inductive predicates in CoqIn S Berardi and M Coppo editors Proceedings of Types95 volume 1158 ofLecture Notes in Computer Science pages 85104 Springer-Verlag 1995

12 P Courtieu Function Schemes in Coq Documentation and tutorial Seehttpwww-sopinriafrlemmePierreCourtieufunschemehtml

13 MJC Gordon and TF Melham editors Introduction to HOL A theorem provingenvironment for higher-order logic Cambridge University Press 1993

14 J-L Lanet and A Requet Formal Proof of Smart Card Applets Correctness InJ-J Quisquater and B Schneier editors Proceedings of CARDIS98 volume 1820of Lecture Notes in Computer Science pages 8597 Springer-Verlag 1998

15 Z Luo and R Pollack LEGO proof development system Users manual TechnicalReport ECS-LFCS-92-211 LFCS University of Edinburgh May 1992

16 C Paulin-Mohring Inductive denitions in the system Coq Rules and propertiesIn M Bezem and JF Groote editors Proceedings of TLCA93 volume 664 ofLecture Notes in Computer Science pages 328345 Springer-Verlag 1993

17 C Paulin-Mohring Deacutenitions Inductives en Theorie des Types dOrdre SuperieurHabilitation agrave diriger les recherches Universiteacute Claude Bernard Lyon I 1996

18 L Paulson Isabelle A generic theorem prover volume 828 of Lecture Notes inComputer Science Springer-Verlag 1994

19 F Pfenning Elf a meta-language for deductive systems In A Bundy editorProceedings of CADE-12 volume 814 of Lecture Notes in Articial Intelligencepages 811815 Springer-Verlag 1994

20 K Slind Reasoning about Terminating Functional Programs PhD thesis TUMuumlnich 1999

21 D Terrasse Encoding natural semantics in Coq In V S Alagar editor Pro-ceedings of AMAST95 volume 936 of Lecture Notes in Computer Science pages230244 Springer-Verlag 1995

22 D Terrasse Vers un environnement daide au deacuteveloppement de preuves en Seacute-mantique Naturelle PhD thesis Ecole Nationale des Ponts et Chausseacutees 1995