Team Parsifal

Overall Objectives
Scientific Foundations
Application Domains
New Results
Other Grants and Activities

Section: Scientific Foundations

Keywords : higher-order abstract syntax, lambda-tree syntax, fixed points, definitions, LINC, generic judgments.

Reasoning about logic specifications

Participants : David Baelde, Joëlle Despeyroux, Dale Miller, Alexis Saurin, Axelle Ziegler.

Now that meaning is given using logic specifications (relational specifications), how do we reason about the formal properties of such specifications? Addressing this question is a central focus of the theoretical aspects of this project.

The traditional architecture for systems designed to help reasoning about the formal correctness of specification and programming languages can generally be characterized at a high-level as follows: First: Implement mathematics.This often involves choosing between a classical or constructive (intuitionistic) foundation, as well as a choosing abstraction mechanism (eg, sets or functions). The Coq and NuPRL systems, for example, have chosen intuitionistically typed $ \lambda$ -calculus for their approach to the formalization of mathematics. Systems such as HOL [28] use classical higher-order logic while systems such as Isabelle/ZF [42] use classical logic. Second: Reduce programming correctness problems to mathematics.Thus, data structures, states, stacks, heaps, invariants, etc, all are represented as various kinds of mathematical objects. One then reasons directly on these objects using standard mathematical techniques (induction, primitive recursion, fixed points, well-founded orders, etc).

Such an approach to formal methods is, of course, powerful and successful. There is, however, growing evidence that many of the proof search specifications that rely on such intensional aspects of logic as bindings and resource management (as in linear logic) are not served well by encoding them into the traditional data structures found in such systems. In particular, the resulting encoding can often be complicated enough that the essential logical character of a problem can be obfuscated.

We propose to use the LINC logic of [46] as the meta-logic for our system for reasoning about computation systems. The three key ingredients of LINC can be described as follows.

First, LINC is an intuitionistic logic for which provability is described similarly to Gentzen's LJ calculus [25] . Quantification at higher-order types (but not predicate types) is allowed and terms are simply typed $ \lambda$ -terms over $ \beta$$ \eta$ -equivalence. This core logic provides support for $ \lambda$ -tree syntax , a particular approach to higher-order abstract syntax . Considering a classical logic extension of LINC is also of some interest, as is an extension allowing for quantification at predicate type.

Second, LINC incorporates the proof-theoretical notion of definition , a simple and elegant device for extending a logic with the if-and-only-if closure of a logic specification and for supporting inductive and co-inductive reasoning over such specifications. This notion of definition was developed by Hallnäs and Schroeder-Heister [29] and, independently, by Girard [27] . Later McDowell, Miller, and Tiu have made substantial extensions to our understanding of this concept [35] , [36] , [40] . Tiu and Momigliano [41] , [46] have also shown how to modify the notion of definition to support induction and co-induction in the sequent calculus.

Third, LINC contains a new (third) logical quantifier $ \nabla$ (nabla). After several attempts to reason about logic specifications without using this new quantifier [34] , [37] , [36] , it became clear that when the object-logic supports $ \lambda$ -tree syntax, the generic judgment [40] , [11] and its associated quantifier could provide a strong and declarative role in reasoning. This new quantifier is able to help capture internal (intensional) reasons for judgment to hold generically instead of the universal judgment that holds for external (extensional) reasons. Another important observation to make about $ \nabla$ is that if given a logic specification that is essentially a collection of Horn clauses (that is, there is no uses of negation in the specification), there is no distinctions to be made between $ \forall$ or $ \nabla$ in the premise (body) of semantic definitions. In the presence of negations and implications, a difference between these two quantifiers does arise [11] .


Logo Inria