Section: New Results
Mechanization of type systems and axiomatic and operational semantics
Engineering formal metatheory
Participants : Arthur Charguéraud, Brian Aydemir [ University of Pennsylvania ] , Benjamin C. Pierce [ University of Pennsylvania ] , Randy Pollack [ University of Edinburgh ] , Stephanie Weirich [ University of Pennsylvania ] .
Machine-checked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proof-carrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. The representation and manipulation of terms with variable binding is a key issue.
We propose a novel style for formalizing metatheory which combines a locally nameless representation of terms (bound variables are represented using de Bruijn indices while free variables are represented using names) and a cofinite quantification of free variable names in inductive definitions of relations on terms. Following this style obviates the need for reasoning about alpha-conversion (the fact that alpha-equivalent terms need to be identified) and about equivariance (the fact that free names can be renamed in derivations).
Although many of the underlying ingredients of our technique have been used before, their combination here yields a significant improvement over other methodologies using first-order representations, leading to developments that are faithful to informal practice, yet require no external tool support and little infrastructure within the proof assistant.
We have carried out several large developments in this style using the Coq proof assistant, proving type soundness for System-Fsub and core ML (with references, exceptions, datatypes, recursion, and patterns), as well as subject reduction for the Calculus of Constructions. Not only do these developments demonstrate the comprehensiveness of our approach; they have also been optimized for clarity and robustness, making them good templates for future extension.
This work is described in a paper to be presented at the POPL 2008 symposium [Oops!] . This work also gave rise to a tutorial day affiliated with POPL 2008 and organized by the University of Pennsylvania Programming Language Club. The tutorial is entitled: “Using Proof Assistants for Programming Language Research, or: How to write your next POPL paper in Coq”.
Coinductive natural semantics
Natural semantics, also called big-step operational semantics, is a well-known formalism for describing the semantics of a wide variety of programming languages. It lends itself well to proving the correctness of compilers and other program transformations. Our ongoing work on compiler verification makes heavy use of natural semantics. A limitation of natural semantics, as commonly used, is that it can only describe the semantics of terminating programs. However, it turns out that non-termination can be captured by inference rules similar to those of natural semantics, provided that these rules are interpreted coinductively instead of the usual inductive interpretation, or in other terms provided that infinite evaluation derivations are considered in addition to the usual finite evaluation derivations.
This year, Hervé Grall and Xavier Leroy completed a study and Coq formalization of this approach on the particular case of the call-by-value -calculus. New results include an extension of the coinductive approach to trace semantics, as well as new equivalence results with a simple form of denotational semantics. These results are accepted for publication in a special issue of Information and Computation [Oops!] .
A separation logic for a subset of the C language
It is highly valuable for the development of critical software to validate the correctness of implementations using formal methods. Among the most important correctness properties that the implementation should satisfy is memory safety. Separation logic is a powerful tool to reason about memory safety. The logic has a primitive construct for expressing separation properties between memory areas, facilitating reasoning about programs with pointers and aliases.
Keiko Nakata, under guidance of Sandrine Blazy and Xavier Leroy, is developing a separation logic for the Clight subset of the C language that serves as input language to the Compcert compiler, formalizing this logic within the Coq proof assistant, and proving its soundness with respect to the operational semantics of Clight.
The intended use for this logic is to prove, using the Coq assistant, correctness properties of programs written in Clight, then compiled using the Compcert compiler. Since this compiler is formally proved, using Coq as well, to preserve the observational behavior programs, the guarantees offered by the source-level proof extend to the final executable code. An issue with this approach is that Coq is a mostly interactive prover offering little proof automation. This makes program proofs using the Clight separation logic tedious. To alleviate this issue, Keiko Nakata is considering the use of fully automated decision procedures: her separation logic is designed to support the use of a first-order decision procedure (the Ergo automatic theorem prover) by choosing suitable primitive constructs for the logic.
A separation logic for small-step Cminor
Last year, Andrew Appel and Sandrine Blazy specified in Coq a separation logic for the Cminor intermediate language of the Compcert certified compiler. In this logic, we can prove fine-grained properties about pointers and memory footprints that are not ensured by the certified compiler. In 2007, this work was adapted to follow the evolutions of the Cminor language. Additional proofs were conducted to establish the soundness of the separation logic with respect to a small-step semantics for Cminor. These results were presented at the TPHOL 2007 conference [Oops!] . Andrew Appel and his group are currently extending this work in order to handle shared-memory concurrency, based on the ideas of concurrent separation logic.