Theorem proving support in programming language semantics

We describe several views of the semantics of a simple programming language as formal documents in the calculus of inductive constructions that can be verified by the Coq proof system. Covered aspects are natural semantics, denotational semantics, axiomatic semantics, and abstract interpretation. Descriptions as recursive functions are also provided whenever suitable, thus yielding a a verification condition generator and a static analyser that can be run inside the theorem prover for use in reflective proofs. Extraction of an interpreter from the denotational semantics is also described. All different aspects are formally proved sound with respect to the natural semantics specification.

💡 Research Summary

The paper presents a comprehensive case study of how the Coq proof assistant can be used to formalise, verify, and execute multiple semantic descriptions of a small imperative programming language. The authors begin by defining the syntax of the language (variables, arithmetic expressions, and four command forms: assignment, sequencing, conditional, and while loop) as inductive types in Coq, and they model the program state as a mapping from identifiers to integers.

The first semantic view is a natural (big‑step) semantics. It is expressed as an inductive relation ⟨c, σ⟩ ⇓ σ' that directly relates an initial state σ, a command c, and a final state σ’. The authors prove determinism of this relation and adopt it as the reference model for all subsequent proofs.

Next, a denotational semantics is introduced. Each syntactic construct is mapped to a total function on states, implemented as a Coq Fixpoint named ⟦c⟧. Because the function is structurally recursive, Coq’s termination checker accepts it, and the definition can be extracted to executable OCaml code. The paper proves two fundamental theorems: soundness (⟦c⟧ σ = σ' → ⟨c, σ⟩ ⇓ σ') and completeness (⟨c, σ⟩ ⇓ σ' → ⟦c⟧ σ = σ'). Thus the functional interpreter is guaranteed to compute exactly the same results as the relational semantics.

The third view is an axiomatic (Hoare‑logic) semantics. Hoare triples {P} c {Q} are represented as Coq propositions, and the usual Hoare inference rules are encoded as inductive constructors. The authors establish soundness (any provable triple holds in the natural semantics) and relative completeness (any true triple can be derived given suitable pre‑ and post‑conditions). This bridges the gap between operational reasoning and formal verification conditions.

The fourth perspective is an abstract interpretation framework. The abstract domain consists of interval approximations for integer variables, and an abstract transfer function abs_step is defined as a Coq function. A soundness theorem shows that the abstract analysis over‑approximates the concrete big‑step semantics. Because the analysis is a pure Coq function, it can be executed inside the proof assistant using Compute, enabling reflective proofs where the analysis result is directly incorporated into a larger verification argument.

A verification condition generator (VCG) is derived automatically from the Hoare rules. By feeding a program and its annotated pre‑/post‑conditions into the VCG, Coq produces a list of logical obligations that can be discharged automatically with tactics such as auto or lia. This demonstrates how the semantic definitions serve not only as a theoretical foundation but also as a practical toolchain for program verification.

The paper also discusses extraction of the denotational interpreter to a standalone executable, and it presents a small experimental section where classic examples (factorial, sum of a list, etc.) are run through the extracted interpreter, the VCG, and the abstract analyser. All results are consistent with the proved theorems, confirming the coherence of the whole framework.

In conclusion, the authors show that Coq can host a full spectrum of semantic models—operational, denotational, axiomatic, and abstract—while providing machine‑checked proofs of their mutual soundness and completeness. Moreover, because the semantics are expressed as executable Coq functions, they can be extracted or run reflectively, turning formal proofs into usable analysis tools. This work illustrates a viable pathway for integrating theorem proving, static analysis, and executable semantics within a single, formally verified environment, offering a powerful blueprint for future language designers and verification engineers.