Reasoning in Abella about Structural Operational Semantics Specifications (3)

Andrew Gacek (1), Dale Miller (2), Gopalan Nadathur (1)

Abstract

The approach to reasoning about structural operational semantics style specifications supported by the Abella system is discussed. This approach uses λ-tree syntax to treat object language binding and encodes binding related properties in generic judgments. Further, object language specifications are embedded directly into the reasoning framework through recursive definitions. The treatment of binding via generic judgments implicitly enforces distinctness and atomicity in the names used for bound variables. These properties must, however, be made explicit in reasoning tasks. This objective can be achieved by allowing recursive definitions to also specify generic properties of atomic predicates. The utility of these various logical features in the Abella system is demonstrated through actual reasoning tasks. Brief comparisons with a few other logic based approaches are also made.

1 Introduction

This paper concerns reasoning about the descriptions of systems that manipulate formal objects such as programs and their specifications. A common approach to modelling the dynamic and static semantics of these systems is to use a syntax-driven rule-based presentation. These presentations can be naturally encoded as theories within a simple, intuitionistic logic. If the intuitionistic logic supports λ-terms and the quantification of variables ranging over such terms, then it also provides a convenient means for capturing binding notions in the syntactic objects of interest; in particular, it facilitates the use of the λ-tree approach to abstract syntax.
A further benefit to using such a logic to encode semantic specifications is that an immediate and effective animation of them is provided by logic programming systems such as λProlog [NM88] and Twelf [PS99]. Given a logic-based specification of a formal system, establishing properties of the system reduces to answering questions about what is provable in the logic encoding the specification. Different approaches can be adopted for this task. At one end, the specification logic can be formalized and reasoned about within a general purpose theorem-proving framework such as that provided by Coq [BC04] or Isabelle [NPW02]. At the other end, one can develop another logic, often called a meta-logic, that is explicitly tuned to reasoning about the specification logic. It is the latter approach that we examine here. In particular, we expose its practical use within the context of a specific theorem-proving system called Abella [Gac08]. The design of a logic that can act as a powerful and expressive meta-logic has been the subject of much recent research [BGM+07, GMN08, MM02, MT05, Tiu06].

(1) Department of Computer Science and Engineering, University of Minnesota, Minneapolis, MN 55455.
(2) INRIA Saclay - Île-de-France & LIX/École polytechnique, Palaiseau, France
(3) This work has been supported by INRIA through the "Equipes Associées" Slimmer, and by the NSF Grant CCR-0429572 which includes funding for Slimmer. Opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the National Science Foundation.
© 2018 Published by Elsevier Science B. V.
The logics emanating from these studies share a common theme: they all provide recursive definitions as a means for encoding specification logics and some form of generic reasoning for modelling binding notions at the meta level. We expose here an expressive and flexible logic called G within this framework. Abella is based on G but also provides special support for the ways in which G is intended to be used in meta-reasoning tasks. Our presentation pays attention to the novel features of both G and Abella from this perspective. Concreteness is provided by considering proofs of evaluation, typing, and normalization properties of the λ-calculus.

This paper is organized as follows. The logic G is summarized in Section 2 and its particular realization in Abella is discussed in Section 3. Section 4 illustrates the use of Abella in a significant theorem-proving task, that of formalizing a Tait-style proof of normalizability in the λ-calculus. Section 5 points out limitations of the currently implemented system. Finally, in Section 6 we compare Abella-style reasoning with some other approaches to the same kind of reasoning tasks.

2 The Logical Foundation

The logic G [GMN08] which we use to formalize arguments about structural operational semantics is based on an intuitionistic and predicative subset of Church's Simple Theory of Types. Terms in G are monomorphically typed and are constructed using abstraction and application from constants and (bound) variables. The provability relation concerns terms of the distinguished type o that are also called formulas. Logic is introduced by including special constants representing the propositional connectives ⊤, ⊥, ∧, ∨, ⊃ and, for every type τ that does not contain o, the constants ∀τ and ∃τ of type (τ → o) → o.
The binary propositional connectives are written as usual in infix form and the expression ∀τ x.B (∃τ x.B) abbreviates the formula ∀τ λx.B (respectively, ∃τ λx.B). Type subscripts are typically omitted from quantified formulas when their identities do not aid the discussion.

The standard treatment of the universal quantifier accords it an extensional interpretation. When treating λ-tree syntax it is often necessary to give importance to the form of the argument for a statement like "B(x) holds for all x" rather than focusing on whether or not every instance of B(x) is true. The ∇ quantifier [MT05] is used to encode such generic judgments. Specifically, we include the constants ∇τ of type (τ → o) → o for each type τ (not containing o). As with the other quantifiers, ∇τ x.B abbreviates ∇τ λx.B.

The FOλ^∆∇ logic [MT05] incorporates ∇ quantification into a sequent calculus presentation of intuitionistic proof by attaching a local signature to every formula occurrence in a sequent. We are interested here in considering also proofs that use induction. In this situation, we are led naturally to including certain structural rules pertaining to local signatures [Tiu06].

$$
\frac{\pi.B = \pi'.B'}{\Sigma : \Gamma, B \vdash B'}\ id_\pi
\qquad
\frac{\Sigma : \Gamma \vdash B \qquad \Sigma : B, \Delta \vdash C}{\Sigma : \Gamma, \Delta \vdash C}\ cut
$$
$$
\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma, B[t/x] \vdash C}{\Sigma : \Gamma, \forall_\tau x.B \vdash C}\ \forall L
\qquad
\frac{\Sigma, h : \Gamma \vdash B[h\,\bar c/x]}{\Sigma : \Gamma \vdash \forall x.B}\ \forall R,\ h \notin \Sigma
$$
$$
\frac{\Sigma : \Gamma, B[a/x] \vdash C}{\Sigma : \Gamma, \nabla x.B \vdash C}\ \nabla L,\ a \notin \mathrm{supp}(B)
\qquad
\frac{\Sigma : \Gamma \vdash B[a/x]}{\Sigma : \Gamma \vdash \nabla x.B}\ \nabla R,\ a \notin \mathrm{supp}(B)
$$
$$
\frac{\Sigma, h : \Gamma, B[h\,\bar c/x] \vdash C}{\Sigma : \Gamma, \exists x.B \vdash C}\ \exists L,\ h \notin \Sigma
\qquad
\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma \vdash B[t/x]}{\Sigma : \Gamma \vdash \exists_\tau x.B}\ \exists R
$$

Fig. 1. The core rules of G: the introduction rules for the propositional connectives are not displayed.
Written at the level of formulas, these are the ∇-exchange rule ∇x∇y.F ≡ ∇y∇x.F and the ∇-strengthening rule ∇x.F ≡ F, provided x is not free in F. If we adopt these rules, we can make all local signatures equal and hence representable by an (implicit) global binder. We shall refer to these globally ∇-bound variables as nominal constants. Intuitively, one can think of nominal constants as denoting arbitrary, unique names. Notice that the exchange rule requires us to consider atomic judgments as being identical if they differ by only permutations of nominal constants.

The logic G uses the above treatment of the ∇ quantifier that was first introduced in the LG^ω system [Tiu06]. Specifically, an infinite collection of nominal constants are assumed for each type. The set of all nominal constants is denoted by C. These constants are distinct from the collection of usual, non-nominal constants denoted by K. We define the support of a term (or formula) t, written supp(t), as the set of nominal constants appearing in it. A permutation of nominal constants is a type preserving bijection π from C to C such that {x | π(x) ≠ x} is finite. Permutations are extended to terms (and formulas), written π.t, as follows:

$$
\begin{array}{ll}
\pi.a = \pi(a), & \text{if } a \in \mathcal{C} \\
\pi.c = c, & \text{if } c \notin \mathcal{C} \text{ is atomic} \\
\pi.(\lambda x.M) = \lambda x.(\pi.M) & \\
\pi.(M\ N) = (\pi.M)\ (\pi.N) &
\end{array}
$$

Figure 1 presents a subset of the core rules for G; the standard rules for the propositional connectives have been omitted for brevity. Sequents in this logic have the form Σ : Γ ⊢ C where Γ is a set and the signature Σ contains all the free variables of Γ and C. In the rules, Γ, F denotes Γ ∪ {F}. In the ∇L and ∇R rules, a denotes a nominal constant of appropriate type.
In the ∃L and ∀R rules, c̄ is a listing of the variables in supp(B) and h c̄ represents the application of h to these constants; raising is used here to encode the dependency of the quantified variable on supp(B) [Mil92]. The judgment Σ, K, C ⊢ t : τ that appears in the ∀L and ∃R rules enforces the requirement that the expression t instantiating the quantifier in the rule is a well-formed term of type τ constructed from the variables in Σ and the constants in K ∪ C.

Atomic judgments in G are defined recursively by a set of clauses of the form ∀x̄.(∇z̄.H) ≜ B: here H is an atomic formula all of whose free variables are contained in either x̄ or in z̄ and B is an arbitrary formula all of whose free variables are also free in ∇z̄.H. The atom H is the head of such a clause and B is its body. No nominal constant is permitted to appear in either of these formulas. A clause of this form provides part of the definition of a relation named by H using B. The ∇ quantifiers over H may be instantiated by distinct nominal constants. The variables x̄ that are bound by the ∀ quantifiers may be instantiated by terms that depend on any nominal constant except those chosen for the variables in z̄.

$$
\frac{\{\Sigma'\theta : (\pi.B')\theta, \Gamma'\theta \vdash C'\theta\}}{\Sigma : A, \Gamma \vdash C}\ defL
\qquad
\frac{\Sigma' : \Gamma' \vdash (\pi.B')\theta}{\Sigma : \Gamma \vdash A}\ defR
$$

Fig. 2. Rules for definitions

Certain auxiliary notions are needed in formalizing the rules for definitions in G. A substitution θ is a type-preserving mapping from variables to terms such that the set {x | xθ ≠ x}, the domain of θ, is finite. A substitution is extended to a function from terms to terms in the usual fashion and we write its application using a postfix notation. If Γ is a set of formulas then Γθ is the set {Jθ | J ∈ Γ}.
If Σ is a signature then Σθ is the signature that results from removing from Σ the variables in the domain of θ and adding the variables that are free in the range of θ. Given a clause ∀x1,...,xn.(∇z̄.H) ≜ B, we define a version of it raised over the nominal constants ā and away from a signature Σ as

$$\forall \bar h.\,(\nabla \bar z.\,H[h_1\bar a/x_1, \ldots, h_n\bar a/x_n]) \triangleq B[h_1\bar a/x_1, \ldots, h_n\bar a/x_n],$$

where h1,...,hn are distinct variables of suitable type that do not appear in Σ. Finally, given the sequent Σ : Γ ⊢ C and the nominal constants c̄ that do not appear in the support of Γ or C, let σ be any substitution of the form {h′c̄/h | h ∈ Σ and h′ is a variable of suitable type that is not in Σ}. Then we call the sequent Σσ : Γσ ⊢ Cσ a version of Σ : Γ ⊢ C raised over c̄.

The introduction rules for atomic judgments based on definitions are presented in Figure 2. The defL rule has a set of premises that is generated by considering each definitional clause of the form ∀x̄.(∇z̄.H) ≜ B in the following fashion. Let c̄ be a list of distinct nominal constants equal in length to z̄ such that none of these constants appear in the support of Γ, A or C and let Σ′ : A′, Γ′ ⊢ C′ denote a version of the lower sequent raised over c̄. Further, let H′ and B′ be obtained by taking the head and body of a version of the clause being considered raised over ā = supp(A) and away from Σ′ and applying the substitution [c̄/z̄] to them. Then the set of premises arising from this clause are obtained by considering all permutations π of ā c̄ and all substitutions θ such that (π.H′)θ = A′θ, with the proviso that the range of θ may not contain any nominal constants. The defR rule, by contrast, has exactly one premise that is obtained by using any one definitional clause.
B′ and H′ are generated from this clause as in the defL case, but π is now taken to be any one permutation of ā c̄ and θ is taken to be any one substitution such that (π.H′)θ = A′, again with the proviso that the range of θ may not contain any nominal constants.

Some of the expressiveness arising from the quantificational structure permitted in definitions in G is demonstrated by the following definitional clauses:

$$(\nabla x.\,\mathit{name}\ x) \triangleq \top \qquad\qquad \forall E.\,(\nabla x.\,\mathit{fresh}\ x\ E) \triangleq \top$$

The ∇ quantifier in the first clause ensures that name holds only for nominal constants. Similarly, the relative scopes of ∀ and ∇ in the second clause force fresh to hold only between a nominal constant and a term not containing that constant.

When G is used in applications, bound variables in syntactic objects will be represented either explicitly, by term-level, λ-bound variables, or implicitly, by nominal constants. The equivariance principle for nominal constants realizes alpha convertibility in the latter situation. Encoding bound variables by λ-terms ensures that substitution is built-in and that dependencies of subterms on bindings are controlled; specific dependencies can be realized by using the device of raising. Definitions with ∇ in the head allow for a similar control over dependencies pertaining to nominal constants and raising can be used to similar effect with these as well.

The consistency of G requires some kind of stratification condition to govern the possible negative uses of predicates in the body of definitions. There are several choices for such a condition. Rather than picking one in an a priori fashion, we will note relevant such conditions as needed.

The final capability of interest is induction over natural numbers. These numbers are encoded in G using the type nt and the constructors z : nt and s : nt → nt.
Use of induction is controlled by the distinguished predicate nat : nt → o which is treated by specific introduction rules. In particular, the left introduction rule for nat corresponds to natural number induction.

3 The Architecture of Abella

Abella is an interactive theorem prover for the logic G. The structure of Abella is influenced considerably by a two-level logic approach to specifying and reasoning about computations. There is a logic—the intuitionistic theory of second-order hereditary Harrop formulas that we call hH2 here—that provides a convenient vehicle for formulating structural, rule-based characterizations of a variety of properties such as evaluation and type assignment. An especially useful feature of such encodings is that derivations within this "specification" logic reflect the structure of derivations in the object logic.(4) Now, the specification logic can be embedded into G through the medium of definitions. When used in this manner, G plays the role of a reasoning or meta logic: formulas in G can be used to encapsulate properties of derivations in the specification logic and, hence, of computations in the object logic. By keeping the correspondences simple, reasoning within G can be made to directly reflect the structure of informal arguments relative to the object logics. This two-level logic approach was enunciated by McDowell and Miller already in the context of the logic FOλ^∆IN [MM02]. Abella realizes this idea using a richer logic that is capable of conveniently encoding more properties of computations. As a theorem prover, Abella also builds in particular properties arising out of the encoding of the specification logic. We discuss these aspects in more detail below.
The specification logic. The formulas of hH2 are given by the following mutually recursive definitions:

$$G ::= A \mid A \supset G \mid \forall_\tau x.G \mid G \wedge G \qquad\qquad D ::= A \mid G \supset D \mid \forall_\tau x.D$$

In these definitions, A denotes an atomic formula and τ ranges over types of order 0 or 1 not containing o. The sequents for which proofs are constructed in hH2 are restricted to the form Δ ⟶ G where Δ is a set of D-formulas and G is a G-formula. For such sequents, provability in intuitionistic logic is completely characterized by the more restricted notion of (cut-free) uniform proofs [MNPS91]. In the case of hH2, every sequent in a uniform proof of Δ ⟶ G is of the form Δ, L ⟶ G′ for some G-formula G′ and for some set of atoms L. Thus, during the search for a proof of Δ ⟶ G, the initial context Δ is global: changes occur only in the set of atoms on the left and the goal formula on the right.

We briefly illustrate the ease with which type assignment for the simply typed λ-calculus can be encoded in hH2. There are two classes of objects in this domain: types and terms. For types we will consider a single base type called i and the arrow constructor for forming function types. Terms can be variables x, applications (m n) where m and n are terms, and typed abstractions (λx:a.r) where r is a term and a is the type of x.

$$
\frac{x : a \in \Gamma}{\Gamma \vdash x : a}
\qquad
\frac{\Gamma \vdash m : (a \to b) \qquad \Gamma \vdash n : a}{\Gamma \vdash m\ n : b}
\qquad
\frac{\Gamma, x : a \vdash r : b}{\Gamma \vdash (\lambda x : a.\,r) : (a \to b)}\ x \text{ not in } \Gamma
$$

Fig. 3. Rules for relating a λ-term to a simple type

$$
\begin{array}{l}
\forall m, n, a, b\,[\mathit{of}\ m\ (\mathit{arr}\ a\ b) \wedge \mathit{of}\ n\ a \supset \mathit{of}\ (\mathit{app}\ m\ n)\ b] \\
\forall r, a, b\,[\forall x\,[\mathit{of}\ x\ a \supset \mathit{of}\ (r\ x)\ b] \supset \mathit{of}\ (\mathit{abs}\ a\ r)\ (\mathit{arr}\ a\ b)]
\end{array}
$$

Fig. 4. Second-order hereditary Harrop formulas (hH2) encoding simple typing

(4) Since hH2 is a subset of λProlog [NM88], it turns out that such specifications can also be compiled and executed effectively [NM99].
The standard rules for assigning types to terms are given in Figure 3.

Object-level untyped λ-terms and simple types can be encoded in a simply typed (meta-level) λ-calculus as follows. The simple types are built from the two constructors i and arr and terms are built using the two constructors app and abs. Here, the constructor abs takes two arguments: one for the type of the variable being abstracted and the other for the actual abstraction. Terms in the specification logic contain binding and so there is no need for an explicit constructor for variables. Thus, the (object-level) term (λf : i → i.(λx : i.(f x))) can be encoded as the meta-level term abs (arr i i) (λf. abs i (λx. app f x)). Given this encoding of the untyped λ-calculus and simple types, the inference rules of Figure 3 can be specified by the hH2 formulas in Figure 4 involving the binary predicate of. Note that this specification in hH2 does not maintain an explicit context for typing assumptions but uses hypothetical judgments instead. Also, the explicit side-condition in the rule for typing abstractions is not needed since it is captured by the usual proof theory of the universal quantifier in the hH2 logic.

Encoding specification logic provability in G. The definitional clauses in Figure 5 encode hH2 provability in G. In these and other such clauses in this paper, we use the convention that capitalized variables are implicitly universally quantified at the head. This encoding of hH2 provability derives from McDowell and Miller [MM02]. As described earlier, uniform proofs in hH2 contain sequents of the form Δ, L ⟶ G where Δ is a fixed set of D-formulas and L is a varying set of atomic formulas. Our encoding uses the G predicate prog to represent the D-formulas in Δ: the D formula ∀x̄.[G1 ⊃ ··· ⊃ Gn ⊃ A] is encoded as the clause ∀x̄. prog A (G1 ∧ ··· ∧ Gn) ≜ ⊤ and ∀x̄.A is encoded by the clause ∀x̄. prog A tt ≜ ⊤.

$$
\begin{array}{lcl}
\mathit{element}\ N\ B\ (B :: L) & \triangleq & \top \\
\mathit{element}\ (s\ N)\ B\ (C :: L) & \triangleq & \mathit{element}\ N\ B\ L \\
\mathit{member}\ B\ L & \triangleq & \exists n.\ \mathit{nat}\ n \wedge \mathit{element}\ n\ B\ L \\
\mathit{seq}_N\ L\ \langle A \rangle & \triangleq & \mathit{member}\ A\ L \\
\mathit{seq}_{(s\,N)}\ L\ (B \wedge C) & \triangleq & \mathit{seq}_N\ L\ B \wedge \mathit{seq}_N\ L\ C \\
\mathit{seq}_{(s\,N)}\ L\ (A \supset B) & \triangleq & \mathit{seq}_N\ (A :: L)\ B \\
\mathit{seq}_{(s\,N)}\ L\ (\forall B) & \triangleq & \nabla x.\ \mathit{seq}_N\ L\ (B\ x) \\
\mathit{seq}_{(s\,N)}\ L\ \langle A \rangle & \triangleq & \exists b.\ \mathit{prog}\ A\ b \wedge \mathit{seq}_N\ L\ b \\
\mathit{seq}_{(s\,N)}\ L\ \langle A \rangle & \triangleq & \mathit{prog}\ A\ \mathit{tt}
\end{array}
$$

Fig. 5. Second-order hereditary Harrop logic in G

Sequents are encoded using the atomic formula (seq N L G) where L is a list encoding the set of atomic formulas L and G encodes the G-formula. The argument N, written as a subscript, encodes the height of the proof tree that is needed in inductive arguments. The constructor ⟨·⟩ is used to inject the special type of atom into formulas. To simplify notation, we write L ⊩ G for ∃n. nat n ∧ seq n L G. When L is nil we write simply ⊩ G.

Proofs of universally quantified G formulas in hH2 are generic in nature. A natural encoding of this (object-level) quantifier in the definition of seq uses a (meta-level) ∇-quantifier. In the case of proving an implication, the atomic assumption is maintained in a list (the second argument of seq). The penultimate clause for seq implements backchaining over a fixed hH2 specification (stored as prog atomic formulas). The matching of atomic judgments to heads of clauses is handled by the treatment of definitions in the logic G, thus the penultimate rule for seq simply performs this matching and makes a recursive call on the corresponding clause body. With this kind of an encoding, we can now formulate and prove in G statements about what is or is not provable in hH2.
Induction over the height of derivations may be needed in such arguments and this can be realized via natural number induction on n in seq n L P. Furthermore, the defL rule encodes case analysis in the derivation of an atomic goal, leading eventually to a consideration of the different ways in which an atomic judgment may have been inferred in the specification logic. Abella is designed to hide much of the details of how the seq and prog specifications work and to reflect instead the aggregate structure described here.

Since we have encoded the entire specification logic, we can prove general properties about it in G that can then be used in reasoning about particular specifications. In Abella, various such specification logic properties can be invoked either automatically or through the use of tactics. For example, the following property, which is provable in G, states the judgment ℓ ⊩ g is not affected by permuting, contracting, or weakening the context of hypothetical assumptions ℓ.

$$\forall \ell_1, \ell_2, g.\ (\ell_1 \Vdash g) \wedge (\forall e.\ \mathit{member}\ e\ \ell_1 \supset \mathit{member}\ e\ \ell_2) \supset (\ell_2 \Vdash g)$$

This property can be applied to any specification judgment that uses hypothetical assumptions. Using it with the encoding of typing judgments for the simply typed λ-calculus, for example, we easily obtain that permuting, contracting, or weakening the typing context of a typing judgment does not invalidate that judgment.

Two additional properties of our specification logic which are useful and provable in G are called the instantiation and cut properties. The instantiation property recovers the notion of universal quantification from our representation of the specification logic ∀ using ∇. The exact property is

$$\forall \ell, g.\ (\nabla x.\ (\ell\ x) \Vdash (g\ x)) \supset \forall t.\ (\ell\ t) \Vdash (g\ t).$$
Stated another way, although ∇ quantification cannot be replaced by ∀ quantification in general, it can be replaced in this way when dealing with specification judgments. The cut property allows us to remove hypothetical judgments using a proof of such judgments. This property is stated as the formula

$$\forall \ell_1, \ell_2, a, g.\ (\ell_1 \Vdash \langle a \rangle) \wedge (a :: \ell_2 \Vdash g) \supset (\ell_1, \ell_2 \Vdash g),$$

which can be proved in G: here, ℓ1, ℓ2 denotes the appending of two contexts. As a concrete example, we can again take our specification of simply typed λ-calculus and use the instantiation and cut properties to establish a type substitution property, i.e., if Γ1, x : a ⊢ m : b and Γ2 ⊢ n : a then Γ1, Γ2 ⊢ m[x := n] : b.

Encoding properties of specifications in definitions. Definitions were used above to encode the specification logic and also particular specifications in G. There is another role for definitions in Abella: they can be used also to capture implicit properties of a specification that are needed in a reasoning task. As an example, consider the encoding of type assignment. Here, the instances of (seq N L G) that arise all have L bound to a list of entries of the form (of x t) where x is a nominal constant that is, moreover, different from all other such constants appearing in L. Observing these properties is critical to proving the uniqueness of type assignment. Towards this end, we may define a predicate cntx via the following clauses:

$$\mathit{cntx}\ \mathit{nil} \triangleq \top \qquad\qquad (\nabla x.\ \mathit{cntx}\ ((\mathit{of}\ x\ T) :: L)) \triangleq \mathit{cntx}\ L$$

Reasoning within G, it can now be shown that L in every (seq N L G) atom whose proof is considered always satisfies the property expressed by cntx and, further, if L satisfies such a property then the uniqueness of type assignment is guaranteed.

Induction on definitions. The logic G supports induction only over natural numbers.
Thus the definitions of element and seq in Figure 5 both make use of a natural number argument to provide a target for induction. In Abella, such arguments are unnecessary since the system implicitly assigns such an additional argument to all definitions. Thus when we refer to induction over a definition we mean induction on the implicit natural number argument of that definition.

4 Example: Normalizability in the Typed λ-Calculus

In order to illustrate the strengths and weaknesses of Abella, we detail in this section a proof of normalizability for the call-by-value, simply typed λ-calculus (sometimes also called "weak normalizability"). We follow here the proof presented in [Pie02]. Stronger results are possible for the full, simply typed λ-calculus, but the one at hand suffices to expose the interesting reasoning techniques. The proof under consideration is based on Tait's logical relations argument [Tai67] and makes use of simultaneous substitutions.

Figure 6 contains the specification of call-by-value evaluation and of simple typing for the λ-calculus. Values are recognized by the predicate value. Small-step evaluation is defined by step, and a possibly zero length sequence of small steps is defined by steps. The predicate type recognizes well-formed types, and of defines the typing rules of the calculus.

$$
\begin{array}{l}
\forall a, r\,[\mathit{value}\ (\mathit{abs}\ a\ r)] \\
\forall m, n, m'\,[\mathit{step}\ m\ m' \supset \mathit{step}\ (\mathit{app}\ m\ n)\ (\mathit{app}\ m'\ n)] \\
\forall m, n, n'\,[\mathit{value}\ m \wedge \mathit{step}\ n\ n' \supset \mathit{step}\ (\mathit{app}\ m\ n)\ (\mathit{app}\ m\ n')] \\
\forall a, r, m\,[\mathit{value}\ m \supset \mathit{step}\ (\mathit{app}\ (\mathit{abs}\ a\ r)\ m)\ (r\ m)] \\
\forall m\,[\mathit{steps}\ m\ m] \\
\forall m, n, p\,[\mathit{step}\ m\ p \wedge \mathit{steps}\ p\ n \supset \mathit{steps}\ m\ n] \\
\mathit{type}\ i \\
\forall a, b\,[\mathit{type}\ a \wedge \mathit{type}\ b \supset \mathit{type}\ (\mathit{arr}\ a\ b)] \\
\forall a, b, m, n\,[\mathit{of}\ m\ (\mathit{arr}\ a\ b) \wedge \mathit{of}\ n\ a \supset \mathit{of}\ (\mathit{app}\ m\ n)\ b] \\
\forall a, b, r\,[\mathit{type}\ a \wedge \forall x\,[\mathit{of}\ x\ a \supset \mathit{of}\ (r\ x)\ b] \supset \mathit{of}\ (\mathit{abs}\ a\ r)\ (\mathit{arr}\ a\ b)]
\end{array}
$$

Fig. 6. Specification of simply-typed λ-calculus
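The hH2 specification of Figures 4 and 6 is, as footnote 4 notes, a λProlog program, and Abella reads it as a signature/module pair. The following is an added example written for this edit, not a file from the paper or from the Abella distribution: it transcribes the clauses of Figure 6 into the `.sig`/`.mod` syntax Abella accepts. The file name `stlc`, the kind names `tm` and `ty`, and the predicate name `istype` are my choices (the paper's predicate is called `type`; I rename it because `type` is a declaration keyword in the signature syntax). Everything else follows the figure clause by clause.

```abella
% ---- stlc.sig : declarations for the object language (constructed example) ----
sig stlc.

kind tm, ty        type.

type i             ty.                         % the single base type
type arr           ty -> ty -> ty.             % function types
type app           tm -> tm -> tm.             % application
type abs           ty -> (tm -> tm) -> tm.     % abstraction: variable's type, then the body
                                               % (no constructor for variables: binding is
                                               % handled by the meta-level lambda)

type value         tm -> o.                    % values of the call-by-value calculus
type step, steps   tm -> tm -> o.              % one step / zero or more steps
type istype        ty -> o.                    % well-formed types (the paper's "type")
type of            tm -> ty -> o.              % typing relation

% ---- stlc.mod : the hH2 clauses of Figure 6, one per line ----
module stlc.

% values
value (abs A R).

% call-by-value small-step evaluation
step (app M N) (app M1 N) :- step M M1.
step (app M N) (app M N1) :- value M, step N N1.
step (app (abs A R) M) (R M) :- value M.

% reflexive-transitive closure of step
steps M M.
steps M N :- step M P, steps P N.

% well-formed types
istype i.
istype (arr A B) :- istype A, istype B.

% typing; the abstraction rule uses a hypothetical judgment
% (pi x\ ... => ...) instead of an explicit context, as in Figure 4
of (app M N) B :- of M (arr A B), of N A.
of (abs A R) (arr A B) :- istype A, pi x\ of x A => of (R x) B.
```

Note how the side-condition "x not in Γ" of Figure 3 has no counterpart here: the universal `pi x\` introduces a fresh x during proof search, exactly as the text explains, and the same clause is what Abella later unfolds when `case` is applied to a hypothesis of the form `{of (abs A R) T}`.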
A noteworthy aspect of the specification of the of predicate is that it uses the type predicate to ensure that types mentioned in abstraction terms are well-formed: a fact used in later arguments.

The goal of this section is to prove weak normalizability, which we can now state formally in our meta-logic as follows:

$$\forall M, A.\ (\Vdash \langle \mathit{of}\ M\ A \rangle) \supset \exists V.\ (\Vdash \langle \mathit{steps}\ M\ V \rangle) \wedge (\Vdash \langle \mathit{value}\ V \rangle).$$

The rest of this section describes definitions and lemmas necessary to prove this formula. In general, almost all results in this section have simple proofs based on induction, case analysis, applying lemmas, and building results from hypotheses. For such proofs, we will omit the details except to note the inductive argument and key lemmas used. The full details of this development are available in the software distribution of Abella.

Evaluation and typing. Definitions can be used in Abella to introduce useful intervening concepts. One such concept is that of halting. We say that a term M halts if it evaluates to a value in finitely many steps and we define a predicate capturing this notion as follows:

$$\mathit{halts}\ M \triangleq \exists V.\ (\Vdash \langle \mathit{steps}\ M\ V \rangle) \wedge (\Vdash \langle \mathit{value}\ V \rangle).$$

A most important property about halting is that it is invariant under evaluation steps (both forwards and backwards). Using the abbreviation F ≡ G for (F ⊃ G) ∧ (G ⊃ F), we can state this property formally as

$$\forall M, N.\ (\Vdash \langle \mathit{step}\ M\ N \rangle) \supset (\mathit{halts}\ M \equiv \mathit{halts}\ N).$$

This result is immediate in the backward direction, i.e., halts N ⊃ halts M. In the forward direction it requires showing that one step of evaluation is deterministic:

$$\forall M, N, P.\ (\Vdash \langle \mathit{step}\ M\ N \rangle) \wedge (\Vdash \langle \mathit{step}\ M\ P \rangle) \supset N = P.$$

This formula is proved by induction on the height of the derivation of either one of the judgments involving the step predicate.
A standard result in the λ-calculus, which we will need later, is that one step of evaluation preserves typing. This is stated formally as

$$\forall M, N, A.\ (\Vdash \langle \mathit{step}\ M\ N \rangle) \wedge (\Vdash \langle \mathit{of}\ M\ A \rangle) \supset (\Vdash \langle \mathit{of}\ N\ A \rangle).$$

The proof of this formula uses induction on the height of the derivation of the judgment involving the step predicate. An interesting case in this proof is when step M N is step (app (abs B R) P) (R P) for some B, R, and P, i.e., when β-reduction is performed. Deconstructing the typing judgment (⊩ ⟨of (app (abs B R) P) A⟩) we can deduce that (⊩ ⟨of P B⟩) and ((of x B) :: nil ⊩ ⟨of (R x) A⟩) where x is a nominal constant. Here we use the instantiation property of our specification logic to replace x with P yielding ((of P B) :: nil ⊩ ⟨of (R P) A⟩). Next we apply the cut property of our specification logic to deduce (⊩ ⟨of (R P) A⟩) which is our goal.

Finally, we note that the contexts which are constructed during the proof of a typing judgment always have the form (of x1 a1) :: ... :: (of xn an) :: nil where the xi's are distinct nominal constants and the ai's are valid types. We introduce the following formal definition of cntx to exactly describe such contexts:

$$\mathit{cntx}\ \mathit{nil} \triangleq \top \qquad\qquad (\nabla x.\ \mathit{cntx}\ ((\mathit{of}\ x\ A) :: L)) \triangleq (\Vdash \langle \mathit{type}\ A \rangle) \wedge \mathit{cntx}\ L$$

Note, ∇ in the definition head ensures that the xi's are distinct nominal constants.

The logical relation. The difficulty with proving weak normalizability directly is that the halting property is not closed under application, i.e., halts M and halts N does not imply halts (app M N). Instead, we must strengthen the halting property to one which includes a notion of closure under application.
We define the logical relation reduce by induction over the type of a term as follows:

reduce M i ≜ ⟨of M i⟩ ∧ halts M
reduce M (arr A B) ≜ ⟨of M (arr A B)⟩ ∧ halts M ∧ ∀N. (reduce N A ⊃ reduce (app M N) B)

Note that reduce is defined with a negative use of itself. Such a usage is permitted in G only if a stratification condition ensures that there are no logical cycles in the definition. In this case the condition to use is obvious: the second argument to reduce decreases in size in the recursive use. Like halts, the reduce relation is preserved by evaluation:

∀M, N, A. ⟨step M N⟩ ∧ ⟨of M A⟩ ⊃ (reduce M A ≡ reduce N A).

This formula is proved by induction on the definition of reduce, using the lemmas that halts is preserved by evaluation and that of is preserved by evaluation. Clearly reduce is closed under application and it implies the halting property; thus we strengthen our desired weak normalizability result to the following:

∀M, A. ⟨of M A⟩ ⊃ reduce M A.

In order to prove this formula we will have to induct on the height of the proof of the judgment ⟨of M A⟩. However, when we consider the case that M is an abstraction, we will not be able to use the inductive hypothesis on the body of M, since reduce is defined only on closed terms, i.e., those typeable in the empty context. The standard way to deal with this issue is to generalize the desired formula to say that if M, a possibly open term, has type A, then each closed instantiation N for all the free variables in M satisfies reduce N A. This requires a formal description of simultaneous substitutions that can "close" a term.

Arbitrary cascading substitutions and freshness. Given ⟨L ⊢ of M A⟩, i.e., an open term and its typing context, we define a process of substituting each free variable in M with a value V which satisfies the logical relation for the appropriate type. We define this subst relation as follows:

subst nil M M ≜ ⊤
(∇x. subst ((of x A) :: L) (R x) M) ≜ ∃V. reduce V A ∧ ⟨value V⟩ ∧ subst L (R V) M

By employing ∇ in the head of the second clause, we are able to use the notion of substitution in the meta-logic to directly and succinctly encode substitution in the object language. Also note that we are in fact defining a process of cascading substitutions rather than simultaneous substitutions. Since the substitutions we define (using closed terms) do not affect each other, these two notions of substitution are equivalent. We will have to prove some part of this formally, of course, which in turn requires proving results about the (non)occurrences of nominal constants in our judgments. The results in this section are often assumed in informal proofs.

One consequence of defining cascading substitutions via the notion of substitution in the meta-logic is that we do not get to specify where substitutions are applied in a term. In particular, given an abstraction abs A R, we cannot preclude the possibility that a substitution for a nominal constant in this term will affect the type A. Instead, we must show that well-formed types cannot contain free variables, which can be formalized as

∀A. ∇x. ⟨type (A x)⟩ ⊃ ∃B. A = λy.B.

This formula essentially states that any well-formed type which possibly depends on a nominal constant x must depend on it only in a vacuous way.

The above result about types assumes that judgments concerning type occur in an empty context. Now, such judgments actually enter the picture through uses of the specification logic rule for of that deals with the case of abstractions.
This means that we have to consider judgments involving type that have a context meant to be used in judgments involving the of predicate. To use the result we have just established, we must show that these contexts can be ignored. We formalize this as

∀L, A. cntx L ∧ ⟨L ⊢ type A⟩ ⊃ ⟨type A⟩,

a formula that can be proved using induction on the proof of the judgment ⟨L ⊢ type A⟩. In the base case we must establish

∀L, A. cntx L ∧ member (type A) L ⊃ ⊥,

which is proved by induction on the proof of member.

Another necessary result is that in any provable judgment of the form ⟨L ⊢ of M A⟩, any nominal constant (denoting a free variable) in M must also occur in L, i.e.,

∀L, R, A. ∇x. cntx L ∧ ⟨L ⊢ of (R x) (A x)⟩ ⊃ ∃M. R = λy.M.

The proof is by induction on the height of the derivation of the judgment involving of. In the base case, we need that an element of a list cannot contain any nominal constant which does not occur in the list, i.e.,

∀L, E. ∇x. member (E x) L ⊃ ∃F. E = λy.F.

This formula is proved by induction on member.

We next show that typing judgments produce well-formed types by proving

∀L, M, A. cntx L ∧ ⟨L ⊢ of M A⟩ ⊃ ⟨type A⟩.

The induction here is on the height of the derivation of the judgment involving of, and the base case is

∀L, M, A. cntx L ∧ member (of M A) L ⊃ ⟨type A⟩,

which is proved by a simple induction on member.

Given our repertoire of results about the occurrences of nominal constants in judgments, we can now prove fundamental properties of arbitrary cascading substitutions. The first property states that closed terms, those typeable in the empty context, are not affected by substitutions, i.e.,

∀L, M, N, A. ⟨of M A⟩ ∧ subst L M N ⊃ M = N.
The proof here is by induction on subst, which corresponds to induction on the length of the list L. The key step within the proof is using the lemma that any nominal constant in the judgment ⟨of M A⟩ must also be contained in the context of that judgment. Since the context is empty in this case, there are no nominal constants in M and thus the substitutions from L do not affect it.

We must show that our cascading substitutions act compositionally on terms in the object λ-calculus. This is stated formally for application as follows:

∀L, M, N, R. cntx L ∧ subst L (app M N) R ⊃ ∃M′, N′. R = app M′ N′ ∧ subst L M M′ ∧ subst L N N′.

This is proved by induction on cntx, which amounts to induction on the length of the list L. For abstractions we prove the following, also by induction on cntx:

∀L, M, R, A. cntx L ∧ subst L (abs A M) R ∧ ⟨type A⟩ ⊃
  ∃M′. R = abs A M′ ∧ (∀V. reduce V A ∧ ⟨value V⟩ ⊃ ∇x. subst ((of x A) :: L) (M x) (M′ V)).

Here we have the additional hypothesis ⟨type A⟩ to ensure that the substitutions created from L do not affect A. At one point in this proof we have to show that the order in which cascading substitutions are applied is irrelevant. The key to showing this is realizing that all substitutions are for closed terms. Since closed terms cannot contain any nominal constants, substitutions do not affect each other.

Finally, we must show that cascading substitutions preserve typing. Moreover, after applying a full cascading substitution for all the free variables in a term, that term should now be typeable in the empty context:

∀L, M, N, A. cntx L ∧ subst L M N ∧ ⟨L ⊢ of M A⟩ ⊃ ⟨of N A⟩.

This formula is proved by induction on cntx and by using the instantiation and cut properties of our specification logic.
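The lemmas of this section can be exercised on concrete terms. The following is an added example, not code from the paper or from the Abella distribution: a small Python model of the call-by-value simply typed λ-calculus in which the determinism of step, the invariance of halts under evaluation and the preservation of typing from the start of the section, together with the cascading-substitution lemmas just stated (closed terms are unaffected, the order of the substitutions is irrelevant, typing is preserved and the result is closed), are checked on constructed sample terms. The dataclass encoding, the use of named free variables in place of nominal constants, the names of the sample terms and the fuel bound are assumptions of the example; the reduce obligation of subst is not checked, because it quantifies over all arguments and is not mechanically checkable here, so only the value and typing obligations are enforced.

```python
# Added example (not the paper's or Abella's code); encoding and samples are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class I: pass                                   # base type i
@dataclass(frozen=True)
class Arr: a: object; b: object                 # arr A B
@dataclass(frozen=True)
class Var: name: str                            # free variable (the role of a nominal constant)
@dataclass(frozen=True)
class Abs: ty: object; x: str; body: object     # abs A (x\ body)
@dataclass(frozen=True)
class App: f: object; arg: object               # app M N

def free_vars(t) -> frozenset:
    if isinstance(t, Var):
        return frozenset([t.name])
    if isinstance(t, Abs):
        return free_vars(t.body) - {t.x}
    return free_vars(t.f) | free_vars(t.arg)

def subst1(t, x, v):
    """t[x := v] for closed v: no capture is possible, so it suffices to stop at a binder shadowing x."""
    assert not free_vars(v), "only closed terms are substituted"
    if isinstance(t, Var):
        return v if t.name == x else t
    if isinstance(t, Abs):
        return t if t.x == x else Abs(t.ty, t.x, subst1(t.body, x, v))
    return App(subst1(t.f, x, v), subst1(t.arg, x, v))

def is_value(t) -> bool: return isinstance(t, Abs)          # value V

def successors(t) -> list:
    """All N with step t N, collected rule by rule, so determinism is observed rather than assumed."""
    out = []
    if isinstance(t, App):
        if isinstance(t.f, Abs) and is_value(t.arg):            # beta
            out.append(subst1(t.f.body, t.f.x, t.arg))
        out += [App(f2, t.arg) for f2 in successors(t.f)]        # step inside f
        if is_value(t.f):                                         # step inside arg
            out += [App(t.f, a2) for a2 in successors(t.arg)]
    return out

def trace(t, fuel=1000) -> list:
    """[t, t1, ..., tn] with step t_i t_{i+1}, ending at a normal form or when fuel runs out."""
    out = [t]
    while fuel and (nxt := successors(out[-1])):
        assert len(nxt) == 1, "step is not deterministic"
        out.append(nxt[0])
        fuel -= 1
    return out

def halts(t, fuel=1000):                        # the V with steps t V and value V, else None
    last = trace(t, fuel)[-1]
    return last if is_value(last) else None

def wf_type(a) -> bool:                         # the `type` judgment
    return isinstance(a, I) or (isinstance(a, Arr) and wf_type(a.a) and wf_type(a.b))

def typeof(t, ctx=()):
    """of M A under a cntx-shaped context: (name, type) pairs with distinct names, as nabla guarantees."""
    if isinstance(t, Var):
        for x, a in ctx:                                          # member (of x A) L
            if x == t.name:
                return a
        raise TypeError(f"unbound {t.name}")
    if isinstance(t, Abs):
        assert wf_type(t.ty) and all(x != t.x for x, _ in ctx)
        return Arr(t.ty, typeof(t.body, ctx + ((t.x, t.ty),)))
    fa, aa = typeof(t.f, ctx), typeof(t.arg, ctx)
    if isinstance(fa, Arr) and fa.a == aa:
        return fa.b
    raise TypeError("ill-typed application")

def cascade(ctx, t, values):
    """subst L M N: one closed, well-typed value per variable of L, applied one binding at a time."""
    for x, a in ctx:
        v = values[x]
        assert is_value(v) and typeof(v) == a                    # the reduce obligation is not checked
        t = subst1(t, x, v)
    return t

# --- constructed sample terms (not from the paper) ---
T = Arr(I(), I())
id_i = Abs(I(), "x", Var("x"))                                  # i -> i
id_T = Abs(T, "z", Var("z"))                                    # T -> T
twice = Abs(Arr(T, T), "f", Abs(T, "y", App(Var("f"), App(Var("f"), Var("y")))))
prog = App(App(twice, id_T), id_i)                              # closed, of type T
L = (("g", Arr(Arr(T, T), Arr(T, T))), ("h", Arr(T, T)))        # a cntx-shaped context
open_term = App(App(Var("g"), Var("h")), id_i)                  # of type T under L

def check_all() -> dict:
    """Exercise the section's lemmas on the samples and return the evidence."""
    tr = trace(prog)
    vals = {"g": twice, "h": id_T}
    closed = cascade(L, open_term, vals)
    return dict(
        steps=len(tr) - 1, final=tr[-1],
        types=[typeof(t) for t in tr],                            # preservation along the trace
        halt_inv=all(halts(a) == halts(b) for a, b in zip(tr, tr[1:])),
        closed=closed, order_irrelevant=cascade(L[::-1], open_term, vals) == closed,
        ty_pres=typeof(open_term, L) == typeof(closed),
        unaffected=cascade(L, prog, vals) == prog,               # closed terms are untouched
    )
```

Running check_all() evaluates prog in four deterministic steps to id_i while every intermediate term keeps type T, and shows that closing open_term with the two sample values yields prog whichever order the bindings of L are substituted in. The point the paper makes about freshness is visible in subst1: because every substituted value is closed, no capture-avoiding renaming is ever needed, which is exactly why the cascading and simultaneous notions of substitution coincide.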
The final result. Using cascading substitutions we can now formalize the generalization of weak normalizability that we described earlier: given a (possibly open) well-typed term, every closed instantiation of it satisfies the logical relation reduce:

∀L, M, N, A. cntx L ∧ ⟨L ⊢ of M A⟩ ∧ subst L M N ⊃ reduce N A.

The proof of this formula is by induction on the height of the derivation of the typing judgment ⟨L ⊢ of M A⟩. The inductive cases are fairly straightforward using the compositional properties of cascading substitutions and the various results about invariance under evaluation. In the base case, we must prove

∀L, M, N, A. cntx L ∧ member (of M A) L ∧ subst L M N ⊃ reduce N A,

which is done by induction on cntx. Weak normalizability is now a simple corollary where we take L to be nil, so that subst nil M M holds and the closed instantiation is M itself; since reduce M A implies halts M, we have proved

∀M, A. ⟨of M A⟩ ⊃ halts M.

5 Assessment and Future Work

The Abella system has been tested with several prototypical examples; details are available with the system distribution. These experiments indicate considerable promise for the two-level logic based approach to reasoning about formal systems. However, the experiments have also revealed some issues with Abella at a practical level. We discuss these below and suggest work aimed at addressing them.

Base case lemmas. Every lemma whose proof uses induction on a specification logic judgment with a non-empty context requires another lemma to be proved for the base case, where that judgment follows because it is in the context. This creates mundane overhead. The work in these base case lemmas consists of a simple induction over the length of the context. Support for richer tactics for induction on specification judgments might lead to more user-friendly behavior in such cases.
Types in specifications. The specification logic is embedded as an untyped logic in G. This is usually not an issue: specification logic judgments themselves impose type restrictions on terms. For example, the typing judgment of M A holds only if M is a λ-term. However, sometimes explicit type judgments, such as the judgment type for recognizing well-formed simple types, are required in specifications. One possibility being considered for addressing this typing issue is for an implementation such as Abella to automatically generate recognizer predicates based on type information. These predicates could then be implicitly attached to all declarations of meta-level variables.

Different specification logics. Currently, Abella has built into it exactly one specification language (hH²) and exactly one proof system for it (uniform proofs). Certain application areas might benefit from having other proof systems for intuitionistic logic available, as well as other specification logics. For example, linear logic specification languages [HM94, Mil96] can be used to provide declarative specifications of the operational semantics of programming languages that contain features such as references, exceptions, and concurrency. Thus, McDowell and Miller [MM02] presented a seq-like predicate for a subset of intuitionistic linear logic that they used to specify the operational semantics of a simple functional language extended with references, and then to prove a subject-reduction theorem for that language. It would be natural to consider extending the specification logic in Abella to all of intuitionistic linear logic (or, in fact, all of linear logic), since this would greatly enhance that logic's expressiveness.
Such an extension could be designed so that if a given specification did not employ the novel linear logic connectives, then the encoding of seq would modularly revert to that of intuitionistic logic.

6 Related Work

Nominal logic approach. The Nominal package for Isabelle/HOL automates a process of defining and proving standard results about α-equivalence classes [UT05]. This allows for formal reasoning over objects with binding which is close to informal reasoning. One drawback of the nominal approach is that it does not provide a notion of substitution, and thus users must define their own substitution function and prove various properties relating to it. A proof of weak normalizability for the simply typed λ-calculus has been conducted with the nominal package [NU08], and in this case a notion of simultaneous substitution is used. For the nominal approach, this extended notion of substitution can be defined directly, since one works with α-equivalence classes and not higher-order terms as in our case. Additionally, the cost of defining and reasoning about simultaneous substitution is not a significant step up from what is already required for standard substitution in the nominal approach.

The specification language for the nominal package is functions and predicates over α-equivalence classes. This language does not have a built-in notion of hypothetical judgments, which are typically useful for describing structural rules over objects with binding. For example, by encoding the simply typed λ-calculus in our specification language using hypothetical judgments for typing assumptions, we derive a type substitutivity property as a consequence of the general instantiation and cut properties of the logic; see Section 3. In the nominal approach, such a proof must be conducted manually.
Twelf. The Twelf system [PS99] uses LF terms and types for a specification language [HHP93] and the meta-logic M₂⁺ [Sch00] for reasoning. The primary difference between the Twelf approach and ours is that the M₂⁺ meta-logic is relatively weak in expressive power. For instance, it is restricted to Π₂ formulas (i.e., ∀∃ formulas) and lacks logical connectives such as conjunction, disjunction, and implication. Despite these restrictions, the meta-logic is expressive enough for most common reasoning tasks and has been very successful in practice. Another significant difference is that M₂⁺ is designed with an inherent notion of a global hypothetical context. Thus the meta-logic builds in some notion of which judgments can depend on assumptions of other judgments. This is less of a concern in our approach, since each judgment has its own local context. Due to the Π₂ restriction of the meta-logic M₂⁺, it is not possible to encode a direct proof of weak normalizability for the simply typed λ-calculus using a logical relations argument. Recently, however, an indirect proof was completed using an intermediate assertion logic which has enough richness to encode the proper logical relation [SS08]. This is a useful technique for extending the expressive power of the Twelf system, but it comes with the cost of moving from a two-level logic approach to a three-level logic approach.

Locally nameless. The locally nameless representation for syntactic objects with binding is a first-order approach using de Bruijn indices for bound variables and names for free variables. This balance between two representational techniques has been used successfully in practice [ACP+08].
Our approach to representation can be seen as a meta-level version of this balance, where we use (meta-level) λ-terms to represent explicitly bound variables and (meta-level) nominal constants for implicitly bound variables (i.e., free variables). With this understanding, the trade-off between the first-order and meta-level approaches to bound/free variable representation is that the former works with existing theorem provers, while the latter has substitution and equivariance built in.

References

[ACP+08] Brian Aydemir, Arthur Charguéraud, Benjamin C. Pierce, Randy Pollack, and Stephanie Weirich. Engineering formal metatheory. In 35th ACM Symp. on Principles of Programming Languages, pages 3–15. ACM, January 2008.
[BC04] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer Verlag, 2004.
[BGM+07] David Baelde, Andrew Gacek, Dale Miller, Gopalan Nadathur, and Alwen Tiu. The Bedwyr system for model checking over syntactic expressions. In Frank Pfenning, editor, 21st Conference on Automated Deduction (CADE), number 4603 in LNAI, pages 391–397. Springer, 2007.
[Gac08] Andrew Gacek. The Abella interactive theorem prover (system description). In Fourth International Joint Conference on Automated Reasoning, 2008. Available from http://arxiv.org/abs/0803.2305. To appear in IJCAR.
[GMN08] Andrew Gacek, Dale Miller, and Gopalan Nadathur. Combining generic judgments with recursive definitions. In F. Pfenning, editor, 23rd Symp. on Logic in Computer Science. IEEE Computer Society Press, 2008. To appear.
[HHP93] Robert Harper, Furio Honsell, and Gordon Plotkin. A framework for defining logics. Journal of the ACM, 40(1):143–184, 1993.
[HM94] Joshua Hodas and Dale Miller. Logic programming in a fragment of intuitionistic linear logic. Information and Computation, 110(2):327–365, 1994.
[Mil92] Dale Miller. Unification under a mixed prefix. Journal of Symbolic Computation, 14(4):321–358, 1992.
[Mil96] Dale Miller. Forum: A multiple-conclusion specification logic. Theoretical Computer Science, 165(1):201–232, September 1996.
[MM02] Raymond McDowell and Dale Miller. Reasoning with higher-order abstract syntax in a logical framework. ACM Trans. on Computational Logic, 3(1):80–136, 2002.
[MNPS91] Dale Miller, Gopalan Nadathur, Frank Pfenning, and Andre Scedrov. Uniform proofs as a foundation for logic programming. Annals of Pure and Applied Logic, 51:125–157, 1991.
[MT05] Dale Miller and Alwen Tiu. A proof theory for generic judgments. ACM Trans. on Computational Logic, 6(4):749–783, October 2005.
[NM88] Gopalan Nadathur and Dale Miller. An overview of λProlog. In Fifth International Logic Programming Conference, pages 810–827, Seattle, August 1988. MIT Press.
[NM99] Gopalan Nadathur and Dustin J. Mitchell. System description: Teyjus — A compiler and abstract machine based implementation of λProlog. In H. Ganzinger, editor, 16th Conference on Automated Deduction (CADE), number 1632 in LNAI, pages 287–291, Trento, 1999. Springer.
[NPW02] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic. Springer, 2002. LNCS Tutorial 2283.
[NU08] Julien Narboux and Christian Urban. Nominal formalisations of typical SOS proofs. Available at http://dpt-info.u-strasbg.fr/~narboux/papers/SOS.pdf, 2008.
[Pie02] Benjamin C. Pierce. Types and Programming Languages. MIT Press, 2002.
[PS99] Frank Pfenning and Carsten Schürmann. System description: Twelf — A meta-logical framework for deductive systems. In H. Ganzinger, editor, 16th Conference on Automated Deduction (CADE), number 1632 in LNAI, pages 202–206, Trento, 1999. Springer.
[Sch00] Carsten Schürmann. Automating the Meta Theory of Deductive Systems. PhD thesis, Carnegie Mellon University, October 2000. CMU-CS-00-146.
[SS08] Carsten Schürmann and Jeffrey Sarnat. Structural logical relations. In F. Pfenning, editor, 23rd Symp. on Logic in Computer Science. IEEE Computer Society Press, 2008. To appear.
[Tai67] W. W. Tait. Intensional interpretations of functionals of finite type I. J. of Symbolic Logic, 32(2):198–212, 1967.
[Tiu06] Alwen Tiu. A logic for reasoning about generic judgments. In A. Momigliano and B. Pientka, editors, Int. Workshop on Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP'06), 2006.
[UT05] Christian Urban and Christine Tasson. Nominal techniques in Isabelle/HOL. In R. Nieuwenhuis, editor, 20th Conference on Automated Deduction (CADE), volume 3632 of LNCS, pages 38–53. Springer, 2005.