Structural Logical Relations∗


Carsten Schürmann, IT University of Copenhagen, Copenhagen, Denmark
Jeffrey Sarnat, Yale University, New Haven, CT, USA

∗ This research has been funded by the National Science Foundation under grant CCR-0325808.

Abstract

Tait's method (a.k.a. proof by logical relations) is a powerful proof technique frequently used for showing foundational properties of languages based on typed λ-calculi. Historically, these proofs have been extremely difficult to formalize in proof assistants with weak meta-logics, such as Twelf, and yet they are often straightforward in proof assistants with stronger meta-logics. In this paper, we propose structural logical relations as a technique for conducting these proofs in systems with limited meta-logical strength by explicitly representing and reasoning about an auxiliary logic. In support of our claims, we give a Twelf-checked proof of the completeness of an algorithm for checking equality of simply typed λ-terms.

1. Introduction

When formalizing meta-theoretic proofs about formal systems, one is usually first confronted with choosing a proof assistant. This decision is usually driven by concerns regarding the expressive power of the proof assistant, the trust in its logical foundation, performance, the features of the tactic language, and the ease with which we can encode the formal system.

For example, Thomas Hales has chosen HOL Light [Har96] for his work on the formalization of Kepler's conjecture. George Necula has chosen variants of the LF type theory for his original work on proof-carrying code [Nec97]. Daniel Lee, Karl Crary, and Bob Harper have chosen the Twelf system for formalizing the proof of the soundness of an SML type system [LCH07] and Georges Gonthier has chosen Coq for his formalized proof of the four color theorem [Gon05]. The solutions posted to the POPLmark challenge employ a whole range of different proof assistants, including Twelf, Coq, Isabelle/HOL, Matita, Alpha Prolog, and ATS.

The proof theoretic strength of the different systems vary significantly. Once the proof assistant question is settled and a proof development has begun, there is often no turning back. If unforeseen challenges in the formalization of a meta-theoretic argument arise, one can find oneself in a situation where one is seemingly stuck. This might suggest that the best proof assistant is necessarily the most expressive, but such a perspective is too naive with respect to other considerations that influence the choice of proof assistant.

In this paper we present a technique called structural logical relations that avails proofs by logical relations to systems with limited meta-logical strength by explicitly representing and reasoning about an auxiliary logic. Proofs by structural logical relations follow the same line of reasoning as their informal counterparts. The central idea is to formalize the relevant part of the argument in this auxiliary logic, which we refer to as the assertion logic. Structural logical relations are therefore best employed in proof assistants based on logical frameworks, such as Twelf, that provide adequate, elegant, and convenient to work with encodings of proofs in the assertion logic.

We show how to formalize structural logical relations in practice using the meta-logical framework Twelf. But this paper is not just about the how, it also highlights some insights into the proof itself. For example, we illustrate that a proof by logical relations can be viewed as a recipe to reduce the provability of a theorem to the normalizability of proofs in the assertion logic. We present the results in such a way that the reader interested in the nature of logical proofs, but not in their formalization, should be able to follow this paper by ignoring the formalized material.

To best follow the paper, however, it is important that we distinguish carefully between the logical framework, in our case LF [HHP93] that serves the formalization of judgments, the assertion logic that we will encode in LF, and the meta-logic of Twelf, in which we carry out proofs by structural logical relations. Our proofs are constructive and executable, laying to rest the common misconception that the meta-logical framework Twelf is unable to reason with proofs by logical relations. The $FOL^{\Delta\mathbb{N}}$ system [MM97] has a similar distinction between logical framework and meta-logic; we suspect that structural logical relations would be convenient in that setting as well.

This paper is structured as follows: In Section 2 we define the term structural logical relation and give a simple yet useful example of an assertion logic, namely minimal first-order logic, suitable for reasoning about simply typed languages. In Section 3, we briefly comment on the formalization of the technique in the proof assistant Twelf. We give an introductory example of a structural logical relations proof, namely the weak normalization for the simply typed λ-calculus in Section 4 before we address the goal of this paper, the completeness of equivalence checking in Section 5. An identifying feature of our structural logical relations proofs is the cut-elimination property of the assertion logic. Therefore, we study the features and implications of cut-elimination of the assertion logic in Section 6. We conclude with Section 7 where we discuss implications and possible extensions. The accompanying Twelf source code [SS08] is available at http://www.twelf.org/slr.

2. Structural Logical Relations

A proof by logical relations (also sometimes referred to as Tait's method) relies on an interpretation of types as relations between objects. On paper, these interpretations are usually formulated in set theory. In the spirit of intuitionism, we not only want to know that a certain property holds, but we would like to be able to produce a constructive witness of this fact.

Consider the simply typed λ-calculus.

$$\begin{array}{lrcl}
\text{Types} & \tau & ::= & o \mid \tau_1 \Rightarrow \tau_2 \\
\text{Expressions} & e & ::= & x^\tau \mid \mathsf{lam}\ x^\tau.\ e \mid \mathsf{app}\ e_1\ e_2
\end{array}$$

We refer to a property that is logic independent as a judgment. Examples of judgments $J$ include, for example, $e$ reduces to a normal form, $e$ weak-head reduces to $e'$, or $e$ is βη-equivalent to $e'$. Given some judgment $J(e)$, a unary logical relation $[\![\tau]\!]$ can be defined as the smallest set that satisfies the following two conditions.

$$\begin{array}{lcl}
e \in [\![o]\!] & \text{iff} & J(e) \\
e \in [\![\tau_2 \Rightarrow \tau_1]\!] & \text{iff} & \text{for all } e_2, \text{ if } e_2 \in [\![\tau_2]\!] \text{ then } \mathsf{app}\ e\ e_2 \in [\![\tau_1]\!]
\end{array}$$

The hallmark characteristic of a logical relation is the definition at function types: functions are related if they map related arguments to related results. A proof by logical relations typically proceeds in two stages: first, it is shown that $e \in [\![\tau]\!]$ implies $J(e)$, then it is shown that, for every $e$ of type $\tau$, $e \in [\![\tau]\!]$. A paper proof for the weak normalization of the simply typed λ-calculus can be found in [Pfe92]; a proof using structural logical relations for the same property is given in Section 4.

Taking a step back, we notice that the logical relation defined above relies on two things: structural induction on $\tau$, judgments of the form of $J$, and connectives "for all" and "if ... then." Logical relations are typically formulated with the understanding that the induction principle, judgments, and connectives live on the same level. The idea of structural logical relations is to separate these concepts: induction lives on the meta-level, whereas the judgments and connectives live elsewhere. To this end, we declare a logic, the assertion logic, that is expressive enough to define both a logical relation in terms of logical connectives and atomic formulas $P$ that represent the judgments $J$ in the logic. The formulas of our assertion logic that we use throughout this paper are defined by the following.

$$\begin{array}{lrcl}
\text{Formulas} & F, G & ::= & P \mid F \supset G \mid \forall x^\tau.\ F \\
\text{Assumptions} & \Delta & ::= & \cdot \mid \Delta, F \mid \Delta, x^\tau
\end{array}$$

In the definition of expressions, every variable carries its own type, which means that we can restrict the universal quantifier to range over well-typed expressions even if these contain free variables. We write $e^\tau$ for an expression $e$ of type $\tau$ and omit the superscript $\tau$ whenever it can be easily inferred.

We define the judgment of derivability in a sequent calculus $\Delta \vdash F$ by the following rules. If $\Delta$ is $\cdot$, then we simply drop it from the judgment.

$$\frac{F \in \Delta}{\Delta \vdash F}\ \mathsf{ax}
\qquad
\frac{\Delta, F \vdash G}{\Delta \vdash F \supset G}\ \mathsf{impR}$$

$$\frac{\Delta, F \supset G \vdash F \qquad \Delta, F \supset G, G \vdash H}{\Delta, F \supset G \vdash H}\ \mathsf{impL}$$

$$\frac{\Delta, x^\tau \vdash F}{\Delta \vdash \forall x^\tau.\ F}\ \mathsf{allR}
\qquad
\frac{\Delta, \forall x^\tau.\ F, [e^\tau/x]F \vdash H}{\Delta, \forall x^\tau.\ F \vdash H}\ \mathsf{allL}$$

The rules are standard. We let the universal quantifier range over expressions $e^\tau$. We write $[e^\tau/x]F$ for the usual notion of capture-avoiding substitution.

For practical reasons we will work with the assertion logic with cut. The judgment $\Delta \vdash^{\mathit{cut}} F$ is defined by inference rules similar to the ones above except with $\vdash^{\mathit{cut}}$ instead of $\vdash$, plus one additional rule.

$$\frac{\Delta \vdash^{\mathit{cut}} F \qquad \Delta, F \vdash^{\mathit{cut}} G}{\Delta \vdash^{\mathit{cut}} G}\ \mathsf{cut}$$

The rules for defining the atomic formulas $P$ vary for each structural logical relation. Hence they are defined in Sections 4 and 5, where we discuss concrete applications of our technique. We show later in the paper that the choice of inference rules cannot be arbitrary: they must not destroy the cut-elimination property of the sequent-calculus.

Returning to the definition of structural logical relations, we can now define $[\![\tau]\!]$ more formally by meta-level induc-

We write -> (infix) if the dependency is vacuous. Furthermore, we write [t:tp] for λ-abstraction, t:tp for type ascription, and juxtaposition for application in the logical framework.
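The assertion logic of Section 2 can be exercised directly with a small derivation checker. The following is an added example, not code from the paper or its Twelf development: it builds the formula for "e is in [[τ]]" by recursion on τ and checks derivations against the rules ax, impR, impL, allR, allL and cut. The tuple encoding, all function names, the single atomic predicate standing for J, and the restriction of expressions to variables and app are assumptions of this sketch.

```python
from itertools import count

O = "o"                                      # base type
def arr(t2, t1): return ("arr", t2, t1)      # t2 => t1
def var(x, t): return ("var", x, t)          # x^tau: a variable carries its type
def app(e1, e2): return ("app", e1, e2)
def atom(e): return ("atom", e)              # atomic formula P standing for J(e)
def imp(f, g): return ("imp", f, g)
def forall(x, t, f): return ("all", x, t, f)

def type_of(e):
    """Type of an expression built from typed variables and app."""
    if e[0] == "var":
        return e[2]
    t_fun, t_arg = type_of(e[1]), type_of(e[2])
    if t_fun[0] != "arr" or t_fun[1] != t_arg:
        raise TypeError("ill-typed application")
    return t_fun[2]

def fv(a):
    """Free variable names of an expression, a formula or a declaration x^tau."""
    if a[0] == "var":
        return {a[1]}
    if a[0] == "atom":
        return fv(a[1])
    if a[0] == "all":
        return fv(a[3]) - {a[1]}
    return fv(a[1]) | fv(a[2])               # app, imp

def subst(a, x, s):
    """[s/x]a on expressions and formulas; refuses instead of renaming on capture."""
    if a[0] == "var":
        return s if a[1] == x else a
    if a[0] == "atom":
        return atom(subst(a[1], x, s))
    if a[0] == "all":
        if a[1] == x:
            return a
        if a[1] in fv(s):
            raise ValueError("substitution would capture " + a[1])
        return forall(a[1], a[2], subst(a[3], x, s))
    return (a[0], subst(a[1], x, s), subst(a[2], x, s))   # app, imp

def rel(tau, e, fresh=None):
    """Formula stating that e is in [[tau]], by structural recursion on tau."""
    if fresh is None:
        fresh = count()
    if tau == O:
        return atom(e)
    _, t2, t1 = tau
    x = var("x%d" % next(fresh), t2)
    return forall(x[1], t2, imp(rel(t2, x, fresh), rel(t1, app(e, x), fresh)))

def node(rule, delta, goal, prems=(), extra=None):
    return (rule, frozenset(delta), goal, tuple(prems), extra)

def check(d):
    """True iff every step of derivation d is an instance of one of the rules."""
    rule, delta, goal, prems, extra = d
    seqs = [(p[1], p[2]) for p in prems]
    if rule == "ax":
        ok = goal in delta and not seqs
    elif rule == "impR":
        ok = goal[0] == "imp" and seqs == [(delta | {goal[1]}, goal[2])]
    elif rule == "impL":                     # extra = the implication used
        ok = (extra in delta and extra[0] == "imp"
              and seqs == [(delta, extra[1]), (delta | {extra[2]}, goal)])
    elif rule == "allR":                     # eigenvariable must not occur in delta
        ok = (goal[0] == "all" and goal[1] not in set().union(*map(fv, delta))
              and seqs == [(delta | {var(goal[1], goal[2])}, goal[3])])
    elif rule == "allL":                     # extra = (quantified formula, witness e)
        q, e = extra
        ok = (q in delta and q[0] == "all" and type_of(e) == q[2]
              and seqs == [(delta | {subst(q[3], q[1], e)}, goal)])
    elif rule == "cut":                      # extra = the cut formula
        ok = seqs == [(delta, extra), (delta | {extra}, goal)]
    else:
        ok = False
    return ok and all(check(p) for p in prems)

def uses_cut(d):
    return d[0] == "cut" or any(uses_cut(p) for p in d[3])

def example():
    """Constructed sample: from f in [[o=>o]] and a in [[o]], derive app f a in [[o]]."""
    f, a = var("f", arr(O, O)), var("a", O)
    rel_f = rel(arr(O, O), f)                # forall x0^o. J(x0) > J(app f x0)
    inst = subst(rel_f[3], rel_f[1], a)      # J(a) > J(app f a)
    goal = rel(O, app(f, a))
    d0 = {rel_f, rel(O, a)}
    d1 = d0 | {inst}
    return node("allL", d0, goal, extra=(rel_f, a), prems=[
        node("impL", d1, goal, extra=inst, prems=[
            node("ax", d1, rel(O, a)),
            node("ax", d1 | {goal}, goal)])])
```

The sample derivation is the "related arguments to related results" step of the function-type clause, carried out cut-free with allL followed by impL.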