Engineering Formal Metatheory

Brian Aydemir, Arthur Charguéraud, Benjamin C. Pierce, Randy Pollack and Stephanie Weirich

POPL'08

This paper is part of the research project: Formal Metatheory.

Machine-checked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proof-carrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. The representation and manipulation of terms with variable binding is a key issue.

We propose a novel style for formalizing metatheory, combining locally nameless representation of terms and cofinite quantification of free variable names in inductive definitions of relations on terms (typing, reduction, . . . ). The key technical insight is that our use of cofinite quantification obviates the need for reasoning about equivariance (the fact that free names can be renamed in derivations); in particular, the structural induction principles of relations defined using cofinite quantification are strong enough for metatheoretic reasoning, and need not be explicitly strengthened. Strong inversion principles follow (automatically, in Coq) from the induction principles. Although many of the underlying ingredients of our technique have been used before, their combination here yields a significant improvement over other methodologies using first-order representations, leading to developments that are faithful to informal practice, yet require no external tool support and little infrastructure within the proof assistant.

We have carried out several large developments in this style using the Coq proof assistant and have made them publicly available. Our developments include type soundness for System Fsub and core ML (with references, exceptions, datatypes, recursion, and patterns) and subject reduction for the Calculus of Constructions. Not only do these developments demonstrate the comprehensiveness of our approach; they have also been optimized for clarity and robustness, making them good templates for future extension.

The corresponding Coq proof scripts are available for download (compiles only with Coq v8.1).

[UPDATE] A working version of the library that compiles with Coq v8.2 is available from here.
It is still incomplete at this time, but I hope to be able to release a stable version at some point.
Please don't hesitate to contact me if you encounter any difficulty while using this library.
Note: the documentation for the extended set of tactics (file LibTactics.v) can be found on this page

You can browse the metatheory developments directly from the tables below.

Metatheory Library	Lib_Tactic Metatheory_Var Metatheory_Fresh Metatheory_Env Metatheory
System-Fsub: PoplMark 1A+2A (Type soundness)	Fsub_Definitions Fsub_Infrastructure Fsub_Soundness
ML with datatypes, recursion, references and exceptions (Type soundness)	ML_Definitions ML_Infrastructure ML_Soundness
Pure lambda calculus (Church-Rosser)	Lambda_Definitions Lambda_Infrastructure Lambda_ChurchRosser
Calculus of Constructions (Subject reduction)	CoC_Definitions CoC_Infrastructure CoC_BetaStar CoC_ChurchRosser CoC_Conversion CoC_Preservation

For pedagogical purposes, I also provide a collection of simpler developments

STLC (Type soundness)	STLC_Core_Definitions STLC_Core_Infrastructure STLC_Core_Soundness
STLC (Extra material)	STLC_Core_Adequacy STLC_Core_FullBeta STLC_Core_Light
STLC + Datatypes (Type soundness)	STLC_Data_Definitions STLC_Data_Infrastructure STLC_Data_Soundness
STLC + Exceptions (Type soundness)	STLC_Exn_Definitions STLC_Exn_Infrastructure STLC_Exn_Soundness
STLC + References (Type soundness)	STLC_Ref_Definitions STLC_Ref_Infrastructure STLC_Ref_Soundness
STLC with annotations (Decidability of type-checking)	STLC_Dec_Definitions STLC_Dec_Infrastructure STLC_Dec_Soundness STLC_Dec_Decidability
Core ML (Type soundness)	ML_Core_Definitions ML_Core_Infrastructure ML_Core_Soundness