Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Aspects of Formal Metatheory

Published byΆλκηστις Γούναρης Modified over 6 years ago

Similar presentations

Presentation on theme: "Engineering Aspects of Formal Metatheory"— Presentation transcript:

1 Engineering Aspects of Formal Metatheory
Stephanie Weirich joint work with Brian Aydemir, Arthur Chargueraud, and Benjamin Pierce

2 Why Mechanize PL Metatheory?
Many ICFP and POPL papers accompanied by "write-only" technical reports. Difficult to develop and keep consistent From paper: "… we define the subtype relation as the greatest fixpoint of these subtype rules." From tech report: "Proof: by routine induction on the subtype derivation." Solution: replace tech report by machine-checked mathematics But how? Which prover? How to treat binding? 12/3/2018

3 How to compare systems Transparency Overhead Cost of entry
How close are developments to informal conventions? How difficult to know what has been proved? Overhead How much additional work (operations/proof obligations) is necessary? Cost of entry Can non-experts read definitions and theorems? What help is available to get started? 12/3/2018

4 This work A Coq template for developing programming language metatheory A methodology for representing binding and specifying induction principles Compiles the best ideas of the past Includes our own novel contributions A library that supports this methodology reasoning about freshness representing environments Reference examples & supporting experience multiple calculi (STLC, F<:, CoC) multiple theorems (type soundness, confluence) All currently available online 12/3/2018

5 Basic datastructure Locally nameless representation
Names for free variables de Bruijn indices for bound variables Example: Untyped lambda calculus Inductive exp : Set := | Lam : exp -> exp | App : exp -> exp -> exp | BVar : nat -> exp | FVar : atom -> exp. x. y. (x y) z represented as Lam (Lam (App (App (BVar 1) (BVar 0)) (FVar "z") 12/3/2018

6 Basic operations Two substitution functions Important special case
[k -> u]t replace index k with u [x ~> u]t replace free variable x with u Important special case t ^ x replace index 0 with x Free variable calculation fv t finite set of free atoms in t 12/3/2018

7 Why locally nameless rep?
Transparency: Alpha-equivalent terms have a unique representation Alternative: Pollute semantics or lemmas G |- e : t t = t' G |- e : t' If G |- e : t and e -> e' then G' |- e' : t' for some t' = t and G' = G. 12/3/2018

8 Why locally nameless rep?
Allows name-based reasoning about environments Simple defs for operations, simple proofs about them de Bruijn indices: position-based reasoning Shifting of indices required Requires careful consideration of the environment at all times 12/3/2018

9 Issues with locally nameless rep
Three important issues to resolve Local closure Not all exps are lambda calculus terms Induction principles How to make reasoning close to the "Barendregt Variable Convention" Function definitions How to define semantic functions with Coq functions and reason about them 12/3/2018

10 Local closure Not all members of type exp are lambda calculus terms
Lam (BVar 3)? Predicate term : exp -> Prop Picks out members of type exp that are locally-closed Type { e | term e } Includes only lambda calculus terms Never actually use this type 12/3/2018

11 Treatment of local closure
Definitions respect local closure If term u and term t, then term ([x ~> u]t) If t  t' then term t and term t' Many theorems need not refer to local closure If t  t' and t  t'', then t' = t''. Some theorems require it, tactics discharge assumptions [x ~> u](t ^ y) = ([x ~> u]t) ^ y when x  y, term u 12/3/2018

12 Local closure and Induction
Inductive term : exp -> Prop := | t_var : x. term (FVar x) | t_app : t1 t2. term t1 -> term t2 -> term (App t1 t2) | t_lamE : x t1. x  fv t1 -> term (t1 ^ x) -> term (Lam t1) Can show t.term t -> P(t) when x. P(FVar x) t1 t2. P(t1) -> P(t2) -> P(App t1 t2) x t1. x  fv t1 -> P(t1 ^ x) -> P (Lam t1) [McKinna & Pollack 93] 12/3/2018

13 Weak principle In Lam case know that P holds for an arbitrary name not already free in t1. x t1. x  fv t1 -> P(t1 ^ x) -> P (Lam t1) Not strong enough for some proofs. 12/3/2018

14 Substitution Lemma In Lam case, WTP term [y ~> u](Lam t1)
Lemma subst_term : t u y. term u -> term t -> term [y ~> u]t In Lam case, WTP term [y ~> u](Lam t1) IH in Lam case: for some x  fv t1 term [y ~> u](t1^x) By lemma term ([y ~> u]t1)^x By t_lamE term (Lam [y ~> u]t1) By def of subst term [y ~> u](Lam t1) Uh oh! Only holds if x  y 12/3/2018

15 A stronger induction principle
Show t.term t -> P(t) when x. P(FVar x) t1 t2. P(t1) -> P(t2) -> P(App t1 t2) t1. (x. P(t1 ^ x)) -> P (Lam t1) IH applies to any x. Why is it sound? How to define it? 12/3/2018

16 Coq definition Change definition of local closure [MP 93]
| t_lamA : t1. (x. term (t1 ^ x)) > term (Lam t1) Soundness from equivalence of relations Lemma t_lamE : x t1. x  fv t1 -> term (t1 ^ x) -> term (Lam t1) Proof relies on swapping operation Definition swap:atom -> atom -> exp Lemma swap_term:t x y, term t -> term (swap x y t) 12/3/2018

17 Substitution lemma Lemma subst_term : t u y. term u -> term t -> term [y ~> u]t In Lam case, WTP term [y ~> u](Lam t1) IH in Lam case: x. term [y ~> u](t1 ^ x) Let x  {y}  fv u  fv t1 be arbitrary By lemma term ([y ~> u]t1) ^ x By t_lamE term (Lam [y ~>u]t1) By def of subst term [y ~>u](Lam t1) 12/3/2018

18 Swapping and Substitution
Must we define and prove properties of both? interaction with opening terms [x ~> u](t ^ y) = ([x ~> u]t) ^ y when x  y, term u swap x z (t ^ y) = (swap x z t) ^ y when x,z  y interaction with free variables x  fv t -> [x ~> u]t = t x  fv t -> y  fv t -> swap x y t = t interaction with local closure term u -> term t -> term ([x ~> u] t) term t -> term (swap x y t) 12/3/2018

19 A not-so-strong IH New definition of local closure
| t_lamC : t1 L. (x. x  L -> term (t1 ^ x)) -> term (Lam t1) Can prove substitution lemma directly. 12/3/2018

20 Substitution lemma Lemma subst_term : t u y. term u -> term t -> term [y ~> u]t In Lam case, WTP term [y ~> u](Lam t1) IH in Lam case: x. x  L -> term [y ~> u](t1 ^ x) Let x  {y}  L be arbitrary By lemma term ([y ~> u]t1) ^ x By t_lamC term (Lam [y ~> u]t1) By def of subst term [y ~> u](Lam t1) 12/3/2018

21 Soundness without swapping
Use substitution to prove t_lamE without swapping. Lemma term_rename : t1 x y. x  fv t1 -> term (t1 ^ x) -> term (t1 ^ y). Lemma t_lamE : x t1. x  fv t1 -> term (t1 ^ x) > term (Lam t1). 12/3/2018

22 General Form of Development
Def. of syntax Def. of index substitution (t ^ x) Def. of local closure (term t) Def. of free variable substitution ([x ~> u]t) Def. of free variable function (fv t) Interaction lemmas Def. of semantic relations (t -> t', etc.) Show semantic relations respect local closure Substitution lemma for each relation w/ binding Show derived existential form of rules 12/3/2018

23 Conclusions Can use Coq's standard mechanisms for reasoning (inductive defs, tactics, etc.) Swapping does not appear to be essential. Seldom need to rename during proofs. IH applies to an infinite # of suitably fresh variables. Specialized tactics help local closure obligations fresh variable introduction 12/3/2018

24 Related work McKinna and Pollack 93 Gordon 94 Urban
"Locally-named" representation Local closure def / structural induction Strong ind. principle using forall Gordon 94 Gives a "nominal" interface to a locally-nameless representation Urban Nominal Isabelle package Strengthened induction principle 12/3/2018

25 Mark your calendars! Using Proof Assistants for Programming Language Research or, How to write your next POPL paper in Coq SIGPLAN sponsored tutorial at POPL San Francisco, CA / January 8, 2008 12/3/2018

Download ppt "Engineering Aspects of Formal Metatheory"

Similar presentations

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Some important properties Lectures of Prof. Doron Peled, Bar Ilan University.

Some important properties Lectures of Prof. Doron Peled, Bar Ilan University.
Substitution & Evaluation Order cos 441 David Walker.

Substitution & Evaluation Order cos 441 David Walker.
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Elements of Lambda Calculus Functional Programming Academic Year 2005-2006 Alessandro Cimatti

Elements of Lambda Calculus Functional Programming Academic Year Alessandro Cimatti
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Semantics Syntax Lunch: Strongly-typed term representations in Coq Andrew Kennedy Microsoft Research Cambridge TexPoint fonts used in EMF. Read the TexPoint.

Semantics Syntax Lunch: Strongly-typed term representations in Coq Andrew Kennedy Microsoft Research Cambridge TexPoint fonts used in EMF. Read the TexPoint.
Section 7.4: Closures of Relations Let R be a relation on a set A. We have talked about 6 properties that a relation on a set may or may not possess: reflexive,

Section 7.4: Closures of Relations Let R be a relation on a set A. We have talked about 6 properties that a relation on a set may or may not possess: reflexive,
VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
Introduction to Computability Theory

Introduction to Computability Theory
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Formalizing Alpha: Soundness and Completeness Bram van Heuveln Dept. of Cognitive Science RPI.

Formalizing Alpha: Soundness and Completeness Bram van Heuveln Dept. of Cognitive Science RPI.
Twelf: The Quintessential Proof Assistant for Language Metatheory Karl Crary Carnegie Mellon University Joint work with Robert Harper and Michael Ashley-Rollman.

Twelf: The Quintessential Proof Assistant for Language Metatheory Karl Crary Carnegie Mellon University Joint work with Robert Harper and Michael Ashley-Rollman.
POPLmark 1A in Cinic Evan Austin, Aaron Stump, and Edwin Westbrook 1.

POPLmark 1A in Cinic Evan Austin, Aaron Stump, and Edwin Westbrook 1.
Syntax With Binders COS 441 Princeton University Fall 2004.

Syntax With Binders COS 441 Princeton University Fall 2004.
Sparkle A theorem prover for the functional language Clean Maarten de Mol University of Nijmegen February 2002.

Sparkle A theorem prover for the functional language Clean Maarten de Mol University of Nijmegen February 2002.
1 Explicit Contexts in LF Karl Crary Carnegie Mellon University Workshop on Mechanized Metatheory, 9/21/06.

1 Explicit Contexts in LF Karl Crary Carnegie Mellon University Workshop on Mechanized Metatheory, 9/21/06.

Similar presentations

Ads by Google