Mechanized Metatheory for the Masses: The POPLMARK Challenge
How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machine-checked proofs?
We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F, a typed lambda-calculus with second-order polymorphism, subtyping, and records, these benchmarks embody many aspects of programming languages that are challenging to formalize: variable binding at both the term and type levels, syntactic forms with variable numbers of components (including binders), and proofs demanding complex induction principles. We hope that these benchmarks will help clarify the current state of the art, provide a basis for comparing competing technologies, and motivate further research.
On the Formalisation of the Metatheory of the Lambda Calculus and Languages with Binders
This work is about computer-verified formal reasoning involving languages with binding operators.
We begin by presenting the Lambda Calculus, for which we use the historical syntax, that is, first-order syntax with only one kind of name for both bound and free variables. We first work with concrete terms, using the multiple substitution operation defined by Stoughton as the fundamental operation on which alpha and beta conversion are defined. Using this syntax we develop the main metatheoretical results of the calculus: the substitution lemmas, the Church-Rosser theorem and the type preservation theorem (Subject Reduction) for the simple type assignment system. In a second formalisation we reproduce the same results, this time basing alpha conversion on a simpler operation, namely name permutation. Using this mechanism, we derive induction and recursion principles that allow us to work while identifying alpha-equivalent terms, so as to reproduce the so-called Barendregt variable convention. In this way, we can imitate pencil-and-paper proofs within the rigorous formal setting of a proof assistant.
As a generalisation of this last approach, we conclude by using generic programming techniques to define a basis for reasoning about generic structures with binding operators. We define a universe of regular datatypes with information about variables and binding operators, and over these we define generic formation, elimination and induction operators. We also introduce an alpha-equivalence relation based on the permutation operation and derive an iteration/induction principle that captures the variable convention mentioned above. As an example, we show how to define the Lambda Calculus and System F in our universe, illustrating not only the reuse of the generic proofs but also how simple the development of new proofs is in these cases.
All formalisations in this thesis were carried out in Constructive Type Theory and verified using the Agda proof assistant.
This work is about formal, machine-checked reasoning on languages with name binders.
We start by considering the λ-calculus using the historical (first-order) syntax with only one sort of names for both bound and free variables. We first work on the concrete terms, taking Stoughton's multiple substitution operation as the fundamental operation upon which α- and β-conversion are defined. Using this syntax we reach well-known meta-theoretical results, namely the Substitution lemmas, the Church-Rosser theorem and the Subject Reduction theorem for the system of assignment of simple types. In a second formalisation we reproduce the same results, this time using an approach in which α-conversion is defined using the simpler operation of name permutation. Using this we derive induction and recursion principles that allow us to work by identifying terms up to α-conversion and to reproduce the so-called Barendregt's variable convention [4]. Thus, we are able to mimic pencil-and-paper proofs inside the rigorous formal setting of a proof assistant.
As a generalisation of the latter, we conclude by using generic programming techniques to define a framework for reasoning over generic structures with binders. We define a universe of regular datatypes with variables and binders information, and over these we define generic formation, elimination, and induction operations. We also introduce an α-equivalence relation based on the swapping operation, and are able to derive an iteration/induction principle that captures Barendregt's variable convention. As an example, we show how to define the λ-calculus and System F in our universe, and thereby we are able to illustrate not only the reuse of the generic proofs but also how simple the development of new proofs becomes in these instances.
All formalisations in this thesis have been made in Constructive Type Theory and completely checked using the Agda proof assistant.
Mechanising and evolving the formal semantics of WebAssembly: the Web's new low-level language
WebAssembly is the first new programming language to be supported natively by all major Web browsers since JavaScript. It is designed to be a natural low-level compilation target for languages such as C, C++, and Rust, enabling programs written in these languages to be compiled and executed efficiently on the Web. WebAssembly’s specification is managed by the W3C WebAssembly Working Group (made up of representatives from a number of major tech companies). Uniquely, the language is specified by way of a full pen-and-paper formal semantics.
This thesis describes a number of ways in which I have both helped to shape the specification of WebAssembly, and built upon it. By mechanising the WebAssembly formal semantics in Isabelle/HOL while it was being drafted, I discovered a number of errors in the specification, drove the adoption of official corrections, and provided the first type soundness proof for the corrected language. This thesis also details a verified type checker and interpreter, and a security type system extension for cryptography primitives, all of which have been mechanised as extensions of my initial WebAssembly mechanisation.
A major component of the thesis is my work on the specification of shared memory concurrency in Web languages: correcting and verifying properties of JavaScript’s existing relaxed memory model, and defining the WebAssembly-specific extensions to the corrected model which have been adopted as the basis of WebAssembly’s official threads specification. A number of deficiencies in the original JavaScript model are detailed. Some errors have been corrected, with the verified fixes officially adopted into subsequent editions of the language specification. However one discovered deficiency is fundamental to the model, an instance of the well-known "thin-air problem".
My work demonstrates the value of formalisation and mechanisation in industrial programming language design, not only in discovering and correcting specification errors, but also in building confidence both in the correctness of the language’s design and in the design of proposed extensions.
2019 Google PhD Fellowship in Programming Technology and Software Engineering
Peterhouse Research Fellowship
Mechanising syntax with binders in Coq
Mechanising binders in general-purpose proof assistants such as Coq is cumbersome and difficult. Yet binders, substitutions, and instantiation of terms with substitutions are a critical ingredient of many programming languages. Any practicable mechanisation of the meta-theory of the latter hence requires a lean formalisation of the former. We investigate the topic from three angles: First, we realise formal systems with binders based on both pure and scoped de Bruijn algebras together with basic syntactic rewriting lemmas and automation. We automate this process in a compiler called Autosubst; our final tool supports many-sorted, variadic, and modular syntax. Second, we justify our choice of realisation and mechanise a proof of convergence of the sigma calculus, a calculus of explicit substitutions that is complete for equality of the de Bruijn algebra corresponding to the lambda calculus. Third, to demonstrate the practical usefulness of our approach, we provide concise, transparent, and accessible mechanised proofs for a variety of case studies refined to de Bruijn substitutions.
Mechanising binders in general-purpose proof assistants such as Coq is laborious and difficult. However, binders, substitutions and the instantiation of substitutions are a critical component of many programming languages. A practicable mechanisation of the metatheory of programming languages therefore requires an elegant formalisation of binders. We approach the topic from three directions: First, we realise formal systems with binders using pure and indexed de Bruijn algebras, together with basic syntactic equations and automation. We automate this process in a compiler called Autosubst. Our final compiler supports many-sorted syntax, variadic syntax and modular syntax. Second, we justify our representation and mechanise a proof of convergence of the σ-calculus, a calculus of explicit substitutions that is complete with respect to equality of the pure de Bruijn algebra of the λ-calculus. Third, we develop short, transparent and easily accessible mechanised proofs for various case studies that we have adapted to de Bruijn substitutions. In this way we demonstrate the practical applicability of our approach.