Combining generic judgments with recursive definitions

Many semantical aspects of programming languages, such as their operational semantics and their type assignment calculi, are specified by describing appropriate proof systems. Recent research has identified two proof-theoretic features that allow direct, logic-based reasoning about such descriptions: the treatment of atomic judgments as fixed points (recursive definitions) and an encoding of binding constructs via generic judgments. However, the logics encompassing these two features have thus far treated them orthogonally: that is, they do not provide the ability to define object-logic properties that themselves depend on an intrinsic treatment of binding. We propose a new and simple integration of these features within an intuitionistic logic enhanced with induction over natural numbers and we show that the resulting logic is consistent. The pivotal benefit of the integration is that it allows recursive definitions to not just encode simple, traditional forms of atomic judgments but also to capture generic properties pertaining to such judgments. The usefulness of this logic is illustrated by showing how it can provide elegant treatments of object-logic contexts that appear in proofs involving typing calculi and of arbitrarily cascading substitutions that play a role in reducibility arguments.

Authors:
- Andrew Gacek (Department of Computer Science & Engineering, University of Minnesota)
- Dale Miller (INRIA Saclay – Île-de-France & LIX/École Polytechnique)
- Gopalan Nadathur (Department of Computer Science & Engineering, University of Minnesota)

Keywords: generic judgments, higher-order abstract syntax, proof search, reasoning about operational semantics

1. Introduction

An important approach to specifying and reasoning about computations involves proof theory and proof search.
We discuss below three kinds of judgments about computational systems that one might want to capture and the proof-theoretic techniques that have been used to capture them. We divide this discussion into two parts: the first part deals with judgments over algebraic terms and the second with judgments over terms-with-binders. We then exploit this overview to describe the new features of the logic we are presenting in this paper.

1.1. Judgments involving algebraic terms

We overview features of proof theory that support recursive definitions about first-order (algebraic) terms and, using CCS as an example, we illustrate the judgments about computations that can be encoded through such definitions.

(1) Logic programming, may behavior. Logic programming languages allow for a natural specification and animation of operational semantics and typing judgments: this observation goes back to at least the Centaur project and its animation of Typol specifications using Prolog [5]. For example, Horn clauses provide a simple and immediate encoding of CCS labeled transition systems, and unification and backtracking provide a means for exploring what is reachable from a given process. Traditional logic programming is, however, limited to may behavior judgments: using it, we cannot prove that a given CCS process P cannot make a transition and, since this negative property is logically equivalent to proving that P is bisimilar to 0 (the null process), such systems cannot capture bisimulation.

(2) Model checking, must behavior. Proof-theoretic techniques for must behaviors (such as bisimulation and many model checking problems) were developed in the early 1990s [8, 29] and further extended later [15]. Since these techniques work by unfolding computations until termination, they are applicable to recursive definitions that are noetherian.
As an example, bisimulation for finite CCS can be given an immediate and declarative specification [17].

(3) Theorem proving, infinite behavior. Reasoning about all members of a domain or about possibly infinite executions requires induction and coinduction. Incorporating induction in proof theory goes back to Gentzen. The work in [15, 23, 33] provides induction and coinduction rules associated with the above-mentioned recursive definitions. In such a setting, one can prove, for example, that (strong) bisimulation in CCS is a congruence.

1.2. Judgments involving bindings

The proof-theoretic treatment of binding in terms has echoed the three stages of development described above. We switch from CCS to the π-calculus to illustrate the different kinds of judgments that these support.

(1) Logic programming, λ-tree syntax. Higher-order generalizations of logic programming, such as higher-order hereditary Harrop formulas [21] and the dependently typed LF [9], adequately capture may behavior for terms containing bindings. In particular, the presence of hypothetical and universal judgments supports the λ-tree syntax [20] approach to higher-order abstract syntax [26]. The logic programming languages λProlog [24] and Twelf [27] support such syntax representations and provide simple specifications of, for example, reachability in the π-calculus.

(2) Model checking, ∇-quantification. While the notions of universal quantification and generic judgment are often conflated, a satisfactory treatment of must behavior requires splitting apart these concepts. The ∇-quantifier [22] was introduced to encode generic judgments directly. To illustrate the issues here, consider the formula $\forall w.\, \neg(\lambda x.x = \lambda x.w)$.
If we think of λ-terms as denoting abstracted syntax (terms modulo α-conversion), this formula should be provable (variable capture is not allowed in logically sound substitution). If we think of λ-terms as describing functions, then the equation $\lambda y.t = \lambda y.s$ is equivalent to $\forall y.\, t = s$. But then our example formula is equivalent to $\forall w.\, \neg\forall x.\, x = w$, which should not be provable since it is not true in a model with a single-element domain. To think of λ-terms syntactically instead, we treat $\lambda y.t = \lambda y.s$ as equivalent to $\nabla y.\, t = s$. In this case, our example formula is equivalent to $\forall w.\, \neg\nabla x.\, x = w$, which is provable [22]. Using this quantifier, the π-calculus process $(\nu x).[x = w].\bar{w}x$ can be encoded such that it is provably bisimilar to 0. Bedwyr [3] is a model checker that treats such generic judgments.

(3) Theorem proving, $LG^\omega$. When there is only finite behavior, logics for recursive definitions do not need the cut or initial rules, and, consequently, they do not need to answer the question "When are two generic judgments equal?" On the other hand, induction and coinduction do need an answer to this question: e.g., when doing induction over natural numbers, one must be able to recognize that the case for i + 1 has been reduced to the case for i. The $LG^\omega$ proof system [34] provides a natural setting for answering this question. Using $LG^\omega$ encodings, one can prove that (open) bisimulation is a π-calculus congruence.

1.3. Allowing definitions of generic judgments

In the developments discussed above, recursive definitions are permitted only for atomic judgments. In many syntax analysis problems, binding constructs are treated by building up a local context that attributes properties to the objects they bind. In reasoning about such analyses, it is often necessary to be able to associate relevant generic properties with atomic judgments.
For example, a typical type assignment calculus for λ-terms treats abstractions by adding assumptions about the types of the bound variables to the context of the typing judgment. To model such a context, we might use a predicate cntx that encodes the assignment of types to abstracted variables. Thus, an atomic judgment of the form $\mathit{cntx}\,[\langle x_1, t_1\rangle, \ldots, \langle x_n, t_n\rangle]$ would denote the assignment of types $t_1, \ldots, t_n$ to the variables $x_1, \ldots, x_n$ and can be used as a hypothesis in the course of determining the type of a term. Now, certain "generic" properties hold implicitly of the contexts that are constructed: for example, these assign types only to bound variables and have at most one assignment for each of them. Such properties are not actually used in encoding the rules for type inference but they do have to be made explicit if we want to prove properties, such as the determinacy of type assignment, about the calculus that is encoded. Recursive definitions provide a means for formalizing properties that are needed in these kinds of reasoning tasks. Unfortunately, these definitions are not strong enough in their present form to allow for the convenient statement of generic properties ranging over atomic judgments.

These issues surrounding the specification of contexts are actually endemic to reasoning about many different kinds of specifications that utilize λ-tree syntax. We provide an elegant treatment of them here by extending recursive definitions to apply not only to atomic but also to generic judgments. Using this device, we will, for instance, be able to define a property of the form

$$\nabla x_1 \cdots \nabla x_n.\, \mathit{cntx}\,[\langle x_1, t_1\rangle, \ldots, \langle x_n, t_n\rangle].$$

By stating the property in this way, we ensure that cntx assigns types only to variables and at most one to each.
Now, this property can be used in an inductive proof, provided it can be verified that the contexts that are built up during type analysis recursively satisfy the definition. We present rules that support this style of argument.

1.4. An outline of the paper

Section 2 describes the logic G that allows for the extended form of definitions and Section 3 establishes its consistency. The extension has significant consequences for writing and reasoning about logical specifications. We provide a hint of this through a few examples in Section 4; as discussed later, many other applications such as solutions to the POPLmark challenge problems [2], cut-elimination for sequent calculi, and an encoding of Tait's logical-relations-based proof of normalization for the simply typed λ-calculus [32] have been successfully developed using the Abella system that implements G. We conclude the paper with a comparison to related work and an indication of future directions.

2. A logic with generalized definitions

The logic G is obtained by extending an intuitionistic and predicative subset of Church's Simple Theory of Types with fixed point definitions, natural number induction, and a new quantifier for encoding generic judgments. Its main components are elaborated in the subsections below. It is possible to develop a classical variant of G as well: we do not follow that path but just comment that moving from intuitionistic to classical logic can have interesting impacts on specifications. For example, the intuitionistic reading of the specification of bisimulation for the π-calculus yields open bisimulation while the classical reading of the same specification yields late bisimulation [36].

2.1. The basic syntax

Following Church [6], terms are constructed using abstraction and application from constants and (bound) variables.
All terms are typed using a monomorphic typing system; these types also constrain the set of well-formed expressions in the expected way. The provability relation concerns well-formed terms of the distinguished type o that are also called formulas. Logic is introduced by including special constants representing the propositional connectives ⊤, ⊥, ∧, ∨, ⊃ and, for every type τ that does not contain o, the constants $\forall_\tau$ and $\exists_\tau$ of type $(\tau \to o) \to o$. The binary propositional connectives are written as usual in infix form and the expressions $\forall_\tau x.B$ and $\exists_\tau x.B$ abbreviate the formulas $\forall_\tau\, \lambda x.B$ and $\exists_\tau\, \lambda x.B$, respectively. Type subscripts will be omitted from quantified formulas when they can be inferred from the context or are not important to the discussion. We also use a shorthand for iterated quantification: if Q is a quantifier, the expression $Q\, x_1, \ldots, x_n.P$ will abbreviate $Q\, x_1 \ldots Q\, x_n.P$.

The usual inference rules for the universal quantifier can be seen as equating it to the conjunction of all of its instances: that is, this quantifier is treated extensionally. There are a number of situations [22] where one wishes to have a generic treatment of a statement like "B(x) holds for all x": in these situations, the form of the argument is important and not the argument's behavior on all its possible instances. To encode such generic judgments, we use the ∇-quantifier (nabla) [22]. Syntactically, this quantifier corresponds to including a constant $\nabla_\tau$ of type $(\tau \to o) \to o$ for each type τ (not containing o). As with the other quantifiers, $\nabla_\tau x.B$ abbreviates $\nabla_\tau\, \lambda x.B$ and the type subscripts are often suppressed for readability.

2.2. Generic judgments and ∇-quantification

Sequents in intuitionistic logic are usually written as

$$\Sigma : B_1, \ldots, B_n \vdash B_0 \qquad (n \ge 0)$$

where Σ is the "global signature" for the sequent: in particular, it contains the eigenvariables of the sequent proof. We shall think of Σ in this prefix position as being a binding operator for each variable it contains. The $FO\lambda^{\Delta\nabla}$ logic [22] introduced "local signatures" for each formula in the sequent: that is, sequents are written instead as

$$\Sigma : \sigma_1 \triangleright B_1, \ldots, \sigma_n \triangleright B_n \vdash \sigma_0 \triangleright B_0,$$

where each $\sigma_0, \ldots, \sigma_n$ is a list of variables that are bound locally in the formula adjacent to it. Such local signatures within proofs reflect bindings in formulas using the ∇-quantifier: in particular, the judgment $x_1, \ldots, x_n \triangleright B$ and the formula $\nabla x_1 \cdots \nabla x_n.B$ (n ≥ 0) have the same proof-theoretic force.

The $FO\lambda^{\Delta\nabla}$ logic [22] (and its partial implementation in the Bedwyr logic programming/model checking system [3]) eschewed atomic formulas for explicit fixed point (recursive) definitions, along with inference rules to unfold them. In such a system, both the cut rule and the initial rule can be eliminated, and checking the equality of two generic judgments is not necessary. As we have already mentioned, when one is proving more ambitious theorems involving induction and coinduction, equality of generic judgments becomes important.

2.3. $LG^\omega$ and structural rules for ∇-quantification

There are two equations for ∇ that we seem forced to include when we consider proofs by induction. In a sense, these equations play the role of structural rules for the local, generic context. Written at the level of formulas, they are the ∇-exchange rule $\nabla x \nabla y.F = \nabla y \nabla x.F$ and the ∇-strengthening rule $\nabla x.F = F$, provided x is not free in F. The $LG^\omega$ proof system of Tiu [34] is essentially $FO\lambda^{\Delta\nabla}$ extended with these two structural rules for ∇.
The move from the weaker $FO\lambda^{\Delta\nabla}$ to the stronger $LG^\omega$ logic has at least two important additional consequences. First, the strengthening rule implies that every type at which one is willing to use ∇-quantification is not only non-empty but contains an unbounded number of members. For example, the formula $\exists_\tau x.\top$ is always provable, even if there are no closed terms of type τ, because this formula is equivalent to $\nabla_\tau y\, \exists_\tau x.\top$, which is provable, as will be clear from the proof system given in Figure 1. Similarly, for any given n ≥ 1, the following formula is provable:

$$\exists x_1 \ldots \exists x_n \Big[ \bigwedge_{1 \le i, j \le n,\ i \ne j} x_i \ne x_j \Big].$$

Figure 1. The core rules of G

$$\frac{}{\Sigma : \Gamma, B \vdash B'}\ \mathrm{id}_\pi \quad (\pi.B = \pi'.B')$$

$$\frac{\Sigma : \Gamma \vdash B \qquad \Sigma : B, \Delta \vdash C}{\Sigma : \Gamma, \Delta \vdash C}\ \mathrm{cut} \qquad \frac{\Sigma : \Gamma, B, B \vdash C}{\Sigma : \Gamma, B \vdash C}\ \mathrm{c}L \qquad \frac{}{\Sigma : \Gamma, \bot \vdash C}\ \bot L$$

$$\frac{\Sigma : \Gamma, B \vdash C \qquad \Sigma : \Gamma, D \vdash C}{\Sigma : \Gamma, B \vee D \vdash C}\ \vee L \qquad \frac{\Sigma : \Gamma \vdash B_i}{\Sigma : \Gamma \vdash B_1 \vee B_2}\ \vee R,\ i \in \{1, 2\} \qquad \frac{}{\Sigma : \Gamma \vdash \top}\ \top R$$

$$\frac{\Sigma : \Gamma, B_i \vdash C}{\Sigma : \Gamma, B_1 \wedge B_2 \vdash C}\ \wedge L,\ i \in \{1, 2\} \qquad \frac{\Sigma : \Gamma \vdash B \qquad \Sigma : \Gamma \vdash C}{\Sigma : \Gamma \vdash B \wedge C}\ \wedge R$$

$$\frac{\Sigma : \Gamma \vdash B \qquad \Sigma : \Gamma, D \vdash C}{\Sigma : \Gamma, B \supset D \vdash C}\ \supset L \qquad \frac{\Sigma : \Gamma, B \vdash C}{\Sigma : \Gamma \vdash B \supset C}\ \supset R$$

$$\frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma, B[t/x] \vdash C}{\Sigma : \Gamma, \forall_\tau x.B \vdash C}\ \forall L \qquad \frac{\Sigma, h : \Gamma \vdash B[h\,\vec{c}/x]}{\Sigma : \Gamma \vdash \forall x.B}\ \forall R,\ h \notin \Sigma,\ \mathrm{supp}(B) = \{\vec{c}\}$$

$$\frac{\Sigma : \Gamma, B[a/x] \vdash C}{\Sigma : \Gamma, \nabla x.B \vdash C}\ \nabla L,\ a \notin \mathrm{supp}(B) \qquad \frac{\Sigma : \Gamma \vdash B[a/x]}{\Sigma : \Gamma \vdash \nabla x.B}\ \nabla R,\ a \notin \mathrm{supp}(B)$$

$$\frac{\Sigma, h : \Gamma, B[h\,\vec{c}/x] \vdash C}{\Sigma : \Gamma, \exists x.B \vdash C}\ \exists L,\ h \notin \Sigma,\ \mathrm{supp}(B) = \{\vec{c}\} \qquad \frac{\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau \qquad \Sigma : \Gamma \vdash B[t/x]}{\Sigma : \Gamma \vdash \exists_\tau x.B}\ \exists R$$

Second, the validity of the strengthening and exchange rules means that all local contexts can be made equal. As a result, the local binding can now be considered as an (implicit) global binder. In such a setting, the collection of globally ∇-bound variables can be replaced with nominal constants. Of course, in light of the exchange rule, we must consider atomic judgments as being identical if they differ by only permutations of such constants.
We shall follow the $LG^\omega$ approach to treating ∇. Thus, for every type we assume an infinite collection of nominal constants. The collection of all nominal constants is denoted by $\mathcal{C}$; these constants are to be distinguished from the collection of usual, non-nominal constants that we denote by $\mathcal{K}$. We define the support of a term (or formula), written $\mathrm{supp}(t)$, as the set of nominal constants appearing in it. A permutation of nominal constants is a bijection π from $\mathcal{C}$ to $\mathcal{C}$ such that $\{x \mid \pi(x) \ne x\}$ is finite and π preserves types. Permutations will be extended to terms (and formulas), written $\pi.t$, as follows:

$$\pi.a = \pi(a), \text{ if } a \in \mathcal{C} \qquad \pi.c = c, \text{ if } c \notin \mathcal{C} \text{ is atomic}$$
$$\pi.(\lambda x.M) = \lambda x.(\pi.M) \qquad \pi.(M\ N) = (\pi.M)\ (\pi.N)$$

The core fragment of G is presented in Figure 1. Sequents in this logic have the form $\Sigma : \Gamma \vdash C$ where Γ is a multiset and the signature Σ contains all the free variables of Γ and C. In the ∇L and ∇R rules, a denotes a nominal constant of an appropriate type. In the ∃L and ∀R rules we use raising [19] to encode the dependency of the quantified variable on the support of B; the expression $(h\,\vec{c})$ used in these two rules denotes the (curried) application of h to the constants appearing in the sequence $\vec{c}$. The ∀L and ∃R rules make use of judgments of the form $\Sigma, \mathcal{K}, \mathcal{C} \vdash t : \tau$. These judgments enforce the requirement that the expression t instantiating the quantifier in the rule is a well-formed term of type τ constructed from the variables in Σ and the constants in $\mathcal{K} \cup \mathcal{C}$. Notice that, in contrast, the ∀R and ∃L rules seem to allow for a dependency on only a restricted set of nominal constants. However, this asymmetry is not significant: the dependency expressed through raising in the latter rules can be extended to any number of nominal constants that are not in the relevant support set without affecting the provability of sequents.

2.4. Recursive definitions

The structure of definitions in G is, in a sense, its distinguishing characteristic. To motivate their form and also to understand their expressiveness, we consider first the definitions that are permitted in $LG^\omega$. In that setting, a definitional clause has the form $\forall \vec{x}.\, H \triangleq B$ where H is an atomic formula all of whose free variables are contained in $\vec{x}$ and B is an arbitrary formula all of whose free variables must also be free in H. In a clause of this sort, H is called the head and B is called the body, and a (possibly infinite) collection of clauses constitutes a definition. Now, there are two properties of such definitional clauses that should be noted. First, H and B are restricted to not contain occurrences of nominal constants. Second, the interpretation of such a clause permits the variables in $\vec{x}$ to be instantiated with terms containing any nominal constant; intuitively, the quantificational structure at the head of the definition has a ∇∀ form, with the (implicit) ∇ quantification being over arbitrary sequences of nominal constants. These two properties actually limit the power of definitions: (subparts of) terms satisfying the relations they identify cannot be forced to be nominal constants and, similarly, specific (sub)terms cannot be stipulated to be independent of such constants. These shortcomings are addressed in G by allowing definitional clauses to take the form $\forall \vec{x}.\, (\nabla \vec{z}.\, H) \triangleq B$ where all the free variables in $\nabla \vec{z}.H$ must appear in $\vec{x}$ and all the free variables in B must also be free in $\nabla \vec{z}.H$. The intended interpretation of the ∇ quantification over H is that particular terms appearing in the relation being defined must be identified as nomin constants although specific names may still not be assigned to these constants.
Moreover, the location of this quantifier changes the prefix over the head from a ∇∀ form to the more general ∇∀∇ form. Concretely, the explicit ∇ quantification over $\vec{z}$ forces the instantiations for the externally ∀-quantified variables $\vec{x}$ to be independent of the nominal constants used for $\vec{z}$.

One illustration of the definitions permitted in G is provided by the following clause:

$$(\nabla n.\, \mathit{name}\ n) \triangleq \top.$$

An atomic predicate $\mathit{name}\ N$ would satisfy this clause provided that it can be matched with its head. For this to be possible, N must be a nominal constant. Thus, name is a predicate that recognizes such constants. As another example, consider the clause

$$\forall E.\, (\nabla x.\, \mathit{fresh}\ x\ E) \triangleq \top.$$

In this case the atomic formula $\mathit{fresh}\ N\ T$ will satisfy the clause just in case N is a nominal constant and T is a term that does not contain this constant (the impossibility of variable capture ensures this constraint). Thus, this clause expresses the property of a name being "fresh" to a given term. Further illustrations of the new form of definitions and their use in reasoning tasks are considered in Section 4.

Definitions impact the logical system through introduction rules for atomic judgments. Formalizing these rules involves the use of substitutions. A substitution θ is a type-preserving mapping (whose application is written in postfix notation) from variables to terms, such that the set $\{x \mid x\theta \ne x\}$ is finite. Although a substitution is extended to a mapping from terms to terms, formulas to formulas, etc., when we refer to its domain and range, we mean these sets for this most basic function. A substitution is extended to a function from terms to terms in the usual fashion. If Γ is a multiset of formulas then Γθ is the multiset $\{J\theta \mid J \in \Gamma\}$.
If Σ is a signature then Σθ is the signature that results from removing from Σ the variables in the domain of θ and adding the variables that are free in the range of θ.

To support the desired interpretation of a definitional clause, when matching the head of $\forall \vec{x}.\, (\nabla \vec{z}.H) \triangleq B$ with an atomic judgment, we must permit the instantiations for $\vec{x}$ to contain the nominal constants appearing in that judgment. Likewise, we must consider instantiations for the eigenvariables appearing in the judgment that possibly contain the nominal constants chosen for $\vec{z}$. Both possibilities can be realized via raising.

Figure 2. Rules for definitions

$$\frac{\big\{\, \Sigma'\theta : (\pi.B')\theta, \Gamma'\theta \vdash C'\theta \,\big\}}{\Sigma : A, \Gamma \vdash C}\ \mathrm{def}L \qquad \frac{\Sigma' : \Gamma' \vdash (\pi.B')\theta}{\Sigma : \Gamma \vdash A}\ \mathrm{def}R$$

Given a clause $\forall x_1, \ldots, x_n.\, (\nabla \vec{z}.H) \triangleq B$, we define a version of it raised over the sequence of nominal constants $\vec{a}$ and away from a signature Σ as

$$\forall \vec{h}.\, (\nabla \vec{z}.\, H[h_1\,\vec{a}/x_1, \ldots, h_n\,\vec{a}/x_n]) \triangleq B[h_1\,\vec{a}/x_1, \ldots, h_n\,\vec{a}/x_n],$$

where $h_1, \ldots, h_n$ are distinct variables of suitable type that do not appear in Σ. Given the sequent $\Sigma : \Gamma \vdash C$ and a sequence of nominal constants $\vec{c}$ none of which appear in the support of Γ or C, let σ be any substitution of the form $\{h'\,\vec{c}/h \mid h \in \Sigma \text{ and } h' \text{ is a variable of suitable type that is not in } \Sigma\}$. Then the sequent $\Sigma\sigma : \Gamma\sigma \vdash C\sigma$ constitutes a version of $\Sigma : \Gamma \vdash C$ raised over $\vec{c}$.

The introduction rules based on definitions are presented in Figure 2. The defL rule has a set of premises that is generated by considering each definitional clause of the form $\forall \vec{x}.\, (\nabla \vec{z}.H) \triangleq B$ in the following fashion. Assuming that $\vec{z} = z_1, \ldots, z_n$, let $\vec{c} = c_1, \ldots, c_n$ be a sequence of distinct nominal constants none of which appear in the support of Γ, A or C, and let $\Sigma' : A', \Gamma' \vdash C'$ denote a version of the lower sequent raised over $\vec{c}$.
Further, let H′ and B′ be obtained by taking the head and body of a version of the clause being considered raised over a listing $\vec{a}$ of the constants in the support of A and away from Σ′, and applying the substitution $[c_1/z_1, \ldots, c_n/z_n]$ to them. Then the set of premises arising from this clause is obtained by considering all permutations π of $\vec{a}\,\vec{c}$ and all substitutions θ such that $(\pi.H')\theta = A'\theta$, with the proviso that the range of θ may not contain any nominal constants.

The defR rule has exactly one premise that is obtained by using any one definitional clause. The formulas B′ and H′ are generated from this clause as in the defL case, but π is now taken to be any one permutation of $\vec{a}\,\vec{c}$ and θ is taken to be any one substitution such that $(\pi.H')\theta = A'$, again with the proviso that the range of θ may not contain any nominal constants.

Figure 3. Rules for natural number induction

$$\frac{\vdash I\,z \qquad x : I\,x \vdash I\,(s\,x) \qquad \Sigma : \Gamma, I\,N \vdash C}{\Sigma : \Gamma, \mathit{nat}\,N \vdash C}\ \mathrm{nat}L \qquad \frac{}{\Sigma : \Gamma \vdash \mathit{nat}\,z}\ \mathrm{nat}R \qquad \frac{\Sigma : \Gamma \vdash \mathit{nat}\,N}{\Sigma : \Gamma \vdash \mathit{nat}\,(s\,N)}\ \mathrm{nat}R$$

In summary, the definition rules are based on raising the sequent over the nominal constants picked for the ∇ variables from the definition, raising the definition over nominal constants from the sequent, and then unifying the chosen atomic judgment and the head of the definition under various permutations of the nominal constants. As it is stated, the set of premises in the defL rule arising from any one definitional clause is potentially infinite because of the need to consider every unifying substitution. It is possible to restrict these substitutions instead to the members of a complete set of unifiers.
In the situations where there is a single most general unifier, as is the case when we are dealing with the higher-order pattern fragment [18], the number of premises arising from each definitional clause is bounded by the number of permutations. In practice, this number can be quite small, as illustrated in Section 4.

Two restrictions must be placed on definitional clauses to ensure consistency of the logic. The first is that no nominal constants may appear in such a clause; this requirement also enforces an equivariance property for definitions. The second is that such clauses must be stratified so as to guarantee the existence of fixed points. To do this we associate with each predicate p a natural number lvl(p), the level of p. The notion is generalized to formulas as follows.

Definition 1. Given a formula B, its level lvl(B) is defined as follows:
1. $\mathrm{lvl}(p\,\bar{t}) = \mathrm{lvl}(p)$
2. $\mathrm{lvl}(\bot) = \mathrm{lvl}(\top) = 0$
3. $\mathrm{lvl}(B \wedge C) = \mathrm{lvl}(B \vee C) = \max(\mathrm{lvl}(B), \mathrm{lvl}(C))$
4. $\mathrm{lvl}(B \supset C) = \max(\mathrm{lvl}(B) + 1, \mathrm{lvl}(C))$
5. $\mathrm{lvl}(\forall x.B) = \mathrm{lvl}(\nabla x.B) = \mathrm{lvl}(\exists x.B) = \mathrm{lvl}(B)$

For every definitional clause $\forall \vec{x}.\, (\nabla \vec{z}.H) \triangleq B$, we require $\mathrm{lvl}(B) \le \mathrm{lvl}(H)$. This stratification condition ensures that a definition cannot depend negatively on itself. More precise stratification conditions which allow such dependency in a controlled fashion are possible, but we choose this condition for simplicity. See [15, 34] for a description of why these properties lead to consistency.

2.5. Induction over natural numbers

The final component of G is an encoding of natural numbers and rules for carrying out induction over these numbers. This form of induction is useful in reasoning about specifications of computations because it allows us to induct on the height of object-logic proof trees that encode the lengths of computations.
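Returning to Definition 1 and the stratification condition of Section 2.4: the following Python is an added example, not code from the paper or from Abella. It computes lvl for formulas built from atoms, ⊤, ⊥, the binary connectives and the three quantifiers, checks lvl(B) ≤ lvl(H) clause by clause, and goes one step beyond the text by searching for the least level assignment that makes a whole definition stratified, reporting failure when a predicate depends negatively on itself. The sample definition is Figure 4 together with the name and fresh clauses; the formula representation, the helper names and the termination bound used by the search (the total number of implications in the clause bodies) are this example's own choices and argument, not anything stated in the paper.

```python
# Formula levels (Definition 1) and the stratification check for the
# definitional clauses of G.  Added example, not code from the paper or Abella.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class Atom:             # p t~ ; the arguments play no role in the level
    pred: str
    args: Tuple[str, ...] = ()
@dataclass(frozen=True)
class Const:            # top or bot
    name: str
@dataclass(frozen=True)
class Bin:              # op is "and", "or" or "imp"
    op: str
    left: "Formula"
    right: "Formula"
@dataclass(frozen=True)
class Quant:            # q is "forall", "exists" or "nabla"; all transparent to lvl
    q: str
    var: str
    body: "Formula"

Formula = Union[Atom, Const, Bin, Quant]
Clause = Tuple[Atom, Formula]    # (H, B) of  forall x~. (nabla z~. H) <= B
TOP, BOT = Const("top"), Const("bot")

def lvl(f: Formula, levels: Dict[str, int]) -> int:
    """Definition 1, with lvl(p) read from `levels`."""
    if isinstance(f, Atom):
        return levels[f.pred]
    if isinstance(f, Const):
        return 0
    if isinstance(f, Bin):
        l, r = lvl(f.left, levels), lvl(f.right, levels)
        return max(l + 1, r) if f.op == "imp" else max(l, r)
    return lvl(f.body, levels)

def clause_ok(head: Atom, body: Formula, levels: Dict[str, int]) -> bool:
    """The stratification condition on a clause: lvl(B) <= lvl(H)."""
    return lvl(body, levels) <= lvl(head, levels)

def violations(clauses: List[Clause], levels: Dict[str, int]) -> List[str]:
    """Predicates having a clause that violates stratification under `levels`."""
    return sorted({h.pred for h, b in clauses if not clause_ok(h, b, levels)})

def preds_of(f: Formula, acc: Set[str]) -> Set[str]:
    if isinstance(f, Atom):
        acc.add(f.pred)
    elif isinstance(f, Bin):
        preds_of(f.left, acc)
        preds_of(f.right, acc)
    elif isinstance(f, Quant):
        preds_of(f.body, acc)
    return acc

def count_imps(f: Formula) -> int:
    if isinstance(f, Bin):
        return (f.op == "imp") + count_imps(f.left) + count_imps(f.right)
    return count_imps(f.body) if isinstance(f, Quant) else 0

def infer_levels(clauses: List[Clause]) -> Optional[Dict[str, int]]:
    """Least level assignment satisfying every clause, or None if there is none.
    Start all levels at 0 and raise lvl(H) to lvl(B) for each violated clause.  The
    iteration is monotone, so it converges unless a predicate depends negatively on
    itself; then some level grows past the total number of implications, a bound
    that is this example's own argument rather than one stated in the paper."""
    levels: Dict[str, int] = {}
    for h, b in clauses:
        for p in preds_of(b, {h.pred}):
            levels[p] = 0
    bound = sum(count_imps(b) for _, b in clauses)
    changed = True
    while changed:
        changed = False
        for h, b in clauses:
            need = lvl(b, levels)
            if need > levels[h.pred]:
                if need > bound:
                    return None
                levels[h.pred] = need
                changed = True
    return levels

# Sample definition (constructed here): Figure 4 together with the name and
# fresh clauses of Section 2.4; every clause sits at level 0.
MEMBER_DEF: List[Clause] = [
    (Atom("member", ("B", "L")),
     Quant("exists", "n", Bin("and", Atom("nat", ("n",)), Atom("element", ("n", "B", "L"))))),
    (Atom("element", ("z", "B", "B::L")), TOP),
    (Atom("element", ("s N", "B", "C::L")), Atom("element", ("N", "B", "L"))),
    (Atom("name", ("n",)), TOP),
    (Atom("fresh", ("x", "E")), TOP),
]
# A clause depending negatively on itself, p <= (p imp bot): no assignment works.
BAD_DEF: List[Clause] = [(Atom("p"), Bin("imp", Atom("p"), BOT))]
```

With `infer_levels(MEMBER_DEF)` every predicate stays at level 0, while `infer_levels(BAD_DEF)` returns None: each round raises lvl(p) to lvl(p) + 1, which is exactly the negative self-dependence the condition is meant to exclude. A definition such as q ≜ p ⊃ ⊥ with p ≜ ⊤ is fine, at lvl(p) = 0 and lvl(q) = 1, since the negative dependency points at a predicate of strictly lower level.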
Specifically, we introduce the type nt and corresponding constructors $z : nt$ and $s : nt \to nt$. Use of induction is controlled by the distinguished predicate $\mathit{nat} : nt \to o$. The rules for this predicate are presented in Figure 3. The rule natL is actually a rule schema, parameterized by the induction invariant I. Providing induction over only natural numbers is mostly a matter of convenience in studying the meta-theory of G. Extending induction to other algebraic datatypes [23, 33] should have little impact on the meta-theory of G, although it would clearly be a useful extension for any system implementing G (such as Abella [7]).

3. Cut-elimination and consistency for G

The consistency of G is an immediate consequence of the cut-elimination result for this logic. Cut-elimination is proved for $LG^\omega$ [35] by a generalization of the approach used for $FO\lambda^{\Delta I\!N}$ [15] that is itself based on a technique introduced by Tait [32] and refined by Martin-Löf [12]. The main aspect of this generalization is recognizing and utilizing the fact that certain transformations of sequents preserve provability and also do not increase (minimum) proof height. The particular transformations that are considered in the case of $LG^\omega$ have to do with weakening of hypotheses, permutations of nominal constants, and substitutions for eigenvariables. We can use this framework to show that cut can be eliminated from G by adding one more transformation to this collection. This transformation pertains to the raising of sequents that is needed in the introduction rules based on the extended form of definitional clauses. We motivate this transformation by sketching the structure of the argument as it concerns the use of such clauses below.

The critical part of the cut-elimination argument is the reduction of what are called the essential cases of the use of the cut rule, i.e., the situations where the last rule in the derivation is a cut and the last rules in the derivations of its premises introduce the cut formula. Now, the only rules of G that are different from those of $LG^\omega$ are defL and defR. Thus, we have to consider a different argument only when these rules are the last ones used in the premise derivations in an essential case of a cut. In this case, the overall derivation has the form

$$\frac{\dfrac{\Sigma' : \Gamma' \vdash (\pi.B')\theta}{\Sigma : \Gamma \vdash A}\ \mathrm{def}R \qquad \dfrac{\big\{\, \Sigma''\rho : (\pi'.B'')\rho,\ \Delta''\rho \vdash C''\rho \,\big\}}{\Sigma : A, \Delta \vdash C}\ \mathrm{def}L}{\Sigma : \Gamma, \Delta \vdash C}\ \mathrm{cut}$$

where $\Pi_1$ denotes the derivation of the defR premise $\Sigma' : \Gamma' \vdash (\pi.B')\theta$ and $\Pi_2^{\rho,\pi',B''}$ the derivations of the defL premises $\Sigma''\rho : (\pi'.B'')\rho, \Delta''\rho \vdash C''\rho$. Let $\Sigma' : \Gamma' \vdash A'$ be the raised version of $\Sigma : \Gamma \vdash A$ and let H′ and B′ be the head and body of the version of the definitional clause raised over supp(A) and away from Σ′ used in the defR rule. From the definition of this rule, we know that θ is a substitution such that $(\pi.H')\theta = A'$. Let θ′ be the restriction of θ to the free variables of H′. Clearly $(\pi.H')\theta = (\pi.H')\theta'$ and $(\pi.B')\theta = (\pi.B')\theta'$. Further, since the free variables of H′ are distinct from the variables in Σ′, θ′ has no effect on Σ′, Δ′, C′, or A′. Thus, it must be the case that $(\pi.H')\theta' = A'\theta'$. From this it follows that the derivation $\Pi_2^{\theta',\pi,B'}$ of $\Sigma' : (\pi.B')\theta', \Delta' \vdash C'$ is included in the set of derivations above the lower sequent of the defL rule. We can therefore reduce the cut in question to the following:

$$\frac{\Sigma' : \Gamma' \vdash (\pi.B')\theta' \qquad \Sigma' : (\pi.B')\theta', \Delta' \vdash C'}{\Sigma' : \Gamma', \Delta' \vdash C'}\ \mathrm{cut}$$

with the premises derived by $\Pi_1$ and $\Pi_2^{\theta',\pi,B'}$. The proof of cut-elimination for $LG^\omega$ is based on induction over the height of the right premise in a cut, therefore this cut can be further reduced and eliminated.
The essential properties we need to complete the proof at this point are that Σ′ : Γ′, ∆′ ⊢ C′ is provable if and only if Σ : Γ, ∆ ⊢ C is provable, and that both proofs have the same height in this case. We formalize these in the lemma below.

Definition 2 (Proof height). The height of a derivation Π, denoted by ht(Π), is 1 if Π has no premise derivations and is the least upper bound of {ht(Πᵢ) + 1}ᵢ∈I if Π has the premise derivations {Πᵢ}ᵢ∈I where I is some index set.

Lemma 3 (Raising). Let Σ : Γ ⊢ C be a sequent, let c⃗ be a list of nominal constants not in the support of Γ or C, and let Σ′ : Γ′ ⊢ C′ be a version of Σ : Γ ⊢ C raised over c⃗. Then Σ : Γ ⊢ C has a proof of height h if and only if Σ′ : Γ′ ⊢ C′ has a proof of height h.

With this lemma in place, the following theorem and its corollary follow.

Theorem 4. The cut rule can be eliminated from G without affecting the provability relation.

Corollary 5. The logic G is consistent, i.e., it is not the case that both A and A ⊃ ⊥ are provable.

Cut-elimination is also useful in designing theorem provers and its counterpart, cut-admissibility, allows one to reason richly about the properties of such proof procedures.

4. Examples

We will often suppress the outermost universal quantifiers in displayed definitions and will assume that capital letters denote implicitly universally quantified variables.

    member B L ≜ ∃n. nat n ∧ element n B L
    element z B (B :: L) ≜ ⊤
    element (s N) B (C :: L) ≜ element N B L

Figure 4. List membership

Freshness. In Section 2 we showed how the property of freshness could be defined in G by the definitional clause ∀E. (∇x. fresh x E) ≜ ⊤. This clause ensures that the atomic judgment (fresh X E) holds if and only if X is a nominal constant which does not appear anywhere in the term E.
To see the simplicity and directness of this definition, consider how we might define freshness in a system like LGω which allows for definitions only of atomic judgments. In this situation, we will have to verify that X is a nominal constant by ruling out the possibility that it is a term of one of the other permitted forms. Then, checking that X does not appear in E will require an explicit walking over the structure of E. In short, such a definition would have to have the specific structure of terms coded into it and would also use (a mild form of) negative judgments.

To illustrate how the definition in G can be used in a reasoning task, consider proving the following lemma

    ∀x, e, ℓ. (fresh x ℓ ∧ member e ℓ) ⊃ fresh x e

where member is defined in Figure 4. This lemma is useful in constructing arguments such as type uniqueness where one must know that a list does not contain a typing judgment for a particular variable. The proof of this lemma proceeds by induction on the natural number n quantified in the body of member. The base case and the inductive step eventually require showing the following:

    ∀x, b, ℓ. fresh x (b :: ℓ) ⊃ fresh x b
    ∀x, b, ℓ. fresh x (b :: ℓ) ⊃ fresh x ℓ

We shall consider the proof of only the first statement; the proof of the second has a similar structure. The first statement follows if we can prove the sequent

    x, b, ℓ : fresh x (b :: ℓ) ⊢ fresh x b.

Consider how def L acts on the hypothesis (fresh x (b :: ℓ)) in this sequent. First the clause for fresh is raised over the support of the hypothesis, but this is empty so raising has no effect. Second, the sequent is raised over some new nominal constant c corresponding to the ∇ in the head of the definition for fresh. The last step is to consider all permutations π of the set {c} and all solutions θ of

    (π. fresh c e)θ = (fresh (x′ c) ((b′ c) :: (ℓ′ c)))θ.
    seq N L ⟨A⟩ ≜ member A L
    seq (s N) L (B ∧ C) ≜ seq N L B ∧ seq N L C
    seq (s N) L (A ⊃ B) ≜ seq N (A :: L) B
    seq (s N) L (∀B) ≜ ∇x. seq N L (B x)
    seq (s N) L ⟨A⟩ ≜ ∃b. prog A b ∧ seq N L b

Figure 5. Second-order hereditary Harrop logic in G

There is, in fact, a most general unifier here: θ = [x′ ↦ (λx.x), b′ ↦ (λx.b″), ℓ′ ↦ (λx.ℓ″), e ↦ (b″ :: ℓ″)]. The resulting sequent is

    b″, ℓ″ : ⊤ ⊢ fresh c b″

The next step in this proof is to apply def R to the conclusion. To do this we first raise the clause for fresh over the support of the conclusion, which is {c}. Then we raise the sequent over a new nominal constant c′ corresponding to the ∇ in the head of the definition. Finally we need to find a permutation π of {c, c′} and a solution θ to (π. fresh c′ (e′ c))θ = fresh c (b‴ c′). Here we find the permutation which swaps c and c′ and the solution θ which unifies e′ and b‴. The resulting sequent is then b‴, ℓ‴ : ⊤ ⊢ ⊤, which is trivially provable.

Typing contexts. We now illustrate an approach to animating and reasoning about the static and dynamic semantics of programming languages. The first step in this approach is that of encoding these two kinds of semantics using the (second-order fragment of the) logic of hereditary Harrop formulas. Specifications provided through these formulas have a natural executable interpretation based on the logic programming paradigm [21]. The interesting part from the perspective of this paper is that we can encode provability of this subset of hereditary Harrop formulas as a definition in G. This definition, then, becomes the bridge for reasoning about the (executable) specifications.
To develop these ideas in more detail, we encode provability in the second-order hereditary Harrop logic as a three-place definition (seq N L G) where L denotes the context of hypothetical (assumed) atomic formulas and G denotes the goal formula [16, 22]. The argument N corresponds to the height of the proof tree and is used for inductive arguments; we write this argument as a subscript to downplay its significance. The definition of seq is presented in Figure 5. The constructor ⟨·⟩ is used to inject atomic formulas into formulas; as such, it serves as a device for isolating atomic formulas. The object level universal quantifier is reflected into a meta level generic (i.e., ∇) quantifier in the definition of seq; this treatment turns out to capture the computational semantics of the universal quantifier rather precisely. Backchaining is realized by the last clause of seq. In giving meaning to this clause, we expect that the specification of interest in a particular situation (i.e., the logic program that we want to reason about) has been encoded through the definition of prog. In particular, a logic program clause of the form ∀x̄. ((G x̄) ⊃ ⟨A x̄⟩) would result, in the reasoning context, in the addition of a definitional clause ∀x̄. prog (A x̄) (G x̄) ≜ ⊤ that can be used by the seq predicate. To simplify notation, we write L ⊩ P for ∃n. (nat n ∧ seq n L P). When L is nil we write just ⊩ P.

    ∀m, n, t, u [of m (arr u t) ∧ of n u ⊃ of (app m n) t]
    ∀r, t, u [∀x [of x t ⊃ of (r x) u] ⊃ of (abs t r) (arr t u)]

Figure 6. Simple typing of λ-terms

An example of a specification that we may wish to reason about is that of the typing rules for the simply typed λ-calculus.
These rules can be encoded using hereditary Harrop formulas as shown in Figure 6 that, in turn, would be reflected into definitional clauses for prog as described above. In these formulas, app and abs are the usual constructors for application and abstraction in the untyped λ-calculus. Note that no explicit context of typing assumptions is used in these rules: rather the hypothetical judgment of hereditary Harrop formulas is used to keep track of such assumptions. This context is made explicit only when reasoning about this specification via the seq definition.

Consider demonstrating the type uniqueness property for the simply typed λ-calculus using the seq encoding. We can do this by showing that the formula

    ∀m, t, s. (⊩ ⟨of m t⟩ ∧ ⊩ ⟨of m s⟩) ⊃ t = s

is a theorem: here, the binary predicate = is defined by the single clause ∀x. x = x ≜ ⊤. We can prove this formula using an induction on natural numbers but, to do this, we must generalize it to account for the fact that the rule for typing abs that allows us to descend under abstractions enhances the atomic formulas assumed by seq. A suitably generalized form of the statement, then, is

    ∀ℓ, m, t, s. (cntx ℓ ∧ ℓ ⊩ ⟨of m t⟩ ∧ ℓ ⊩ ⟨of m s⟩) ⊃ t = s.

Now, this formula is provable only if the definition of cntx ensures that if cntx ℓ holds then ℓ is of the form

    (of c₁ T₁ :: ... :: of cₙ Tₙ :: nil),

where c₁ ... cₙ are distinct nominal constants. The challenge then, is in providing a definition of cntx which accurately describes this requirement.

    cntx nil ≜ ⊤
    cntx (of X A :: L) ≜ (∀M, N. X = app M N ⊃ ⊥) ∧ (∀M, B. X = abs B M ⊃ ⊥) ∧ (∀B. member (of X B) L ⊃ ⊥) ∧ cntx L

Figure 7. cntx in LGω

    cntx nil ≜ ⊤
    (∇x. cntx (of x A :: L)) ≜ cntx L

Figure 8. cntx in G
In particular, the definition must ensure that the first arguments to of in the elements of this list are nominal constants and not some other piece of syntax, and it must also ensure that each such constant is distinct from all others. In LGω, cntx can be defined by explicitly restricting each element of the context as shown in Figure 7. This definition checks that the first argument to of is a nominal constant by explicitly ruling out all other possibilities for it. Then, to ensure distinctness of arguments, the rest of the list is traversed using member. This definition is evidently complex and the complexity carries over also into the process of reasoning based on it. In G we can give a direct and concise definition of cntx using ∇ quantification in the head of a definition as is done in Figure 8. The occurrence of the ∇-bound variable x in the first argument of of codifies the fact that type assignments are only made for nominal constants. The uniqueness of such nominal constants is enforced by the quantification structure of cntx: the variable L cannot contain any occurrences of x. With this definition of cntx, the generalized theorem of type uniqueness is provable. Use of def L on the hypothesis of cntx ℓ will allow only the possibility of type assignments for nominal constants, while use of def R will verify that the contexts that are created in treating abstractions align with the requirements imposed by the definition of cntx.

Arbitrarily cascading substitutions. Reducibility arguments, such as Tait's proof of normalization for the simply typed λ-calculus [32], are based on judgments over closed terms. During reasoning, however, one is often working with open terms. To compensate, the closed term judgment is extended to open terms by considering all possible closed instantiations of the open terms.

    subst z nil T T ≜ ⊤
    (∇x. subst (s N) ((x, V) :: L) (T x) S) ≜ subst N L (T V) S

Figure 9. Arbitrary cascading substitutions

When reasoning with G, open terms are denoted by terms with nominal constants representing free variables. The general form of an open term is thus M c₁ ··· cₙ, and we want to consider all possible instantiations M V₁ ··· Vₙ where the Vᵢ are closed terms. This type of arbitrary cascading substitution is difficult to realize in reasoning systems based on λ-tree syntax since M would have an arbitrary number of abstractions.

We can define arbitrary cascading substitutions in G using the unique structure of definitions. In particular, we can define a predicate which holds on a list of pairs (cᵢ, Vᵢ), a term with the form M c₁ ··· cₙ and a term of the form M V₁ ··· Vₙ. The idea is to iterate over the list of pairs and for each pair (c, V) use ∇ in the head of a definition to abstract c out of the first term and then substitute V before continuing. This is the motivation for subst defined in Figure 9. Note that we have also added a natural number argument to be used for inductive proofs.

Given the definition of subst one may then show that arbitrary cascading substitutions have many of the same properties as normal higher-order substitutions. For instance, in the domain of the untyped λ-calculus, we can show that subst acts compositionally via the following lemmas.

    ∀n, ℓ, t, r, s. (nat n ∧ subst n ℓ (app t r) s) ⊃ ∃u, v. s = app u v ∧ subst n ℓ t u ∧ subst n ℓ r v
    ∀n, ℓ, t, r. (nat n ∧ subst n ℓ (abs t) r) ⊃ ∃s. r = abs s ∧ ∇z. subst n ℓ (t z) (s z)

Both of these lemmas have straightforward proofs: induct on n, use def L on the assumption of subst, apply the inductive hypothesis and use def R to complete the proof.
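To make the two clauses of Figure 9 concrete, here is an added executable model of subst (example code written for this page, not the paper's or Abella's): open terms are λ-tree terms whose free variables are nominal constants, object-level binders use de Bruijn indices so that abstracting c out of T and applying T to V need no renaming, and the ∇x side condition of the second clause is an explicit freshness check. The constructors Nom, BVar, App, Abs and all function names are this example's own; the two compositional lemmas above can then be checked on sample terms.

```python
# Added example (not from the paper): an executable model of the `subst`
# relation of Figure 9.  Open terms are λ-tree terms whose free variables are
# nominal constants c_1 ... c_n; object-level binders use de Bruijn indices so
# that "abstract c out of T" and "apply T to V" need no renaming.  The natural
# number argument of Figure 9 is implicit: it is the length of the pair list.
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Nom:          # nominal constant standing for a free variable
    name: str


@dataclass(frozen=True)
class BVar:         # de Bruijn index of an object-level bound variable
    idx: int


@dataclass(frozen=True)
class App:          # app t r
    fn: Term
    arg: Term


@dataclass(frozen=True)
class Abs:          # abs t, where the bound variable is BVar(0) inside body
    body: Term


Term = Union[Nom, BVar, App, Abs]


def support(t: Term) -> set:
    """supp(t): the nominal constants occurring in t."""
    if isinstance(t, Nom):
        return {t.name}
    if isinstance(t, BVar):
        return set()
    if isinstance(t, App):
        return support(t.fn) | support(t.arg)
    return support(t.body)


def abstract(c: str, t: Term, depth: int = 0) -> Term:
    """Read t as (T x) with x := c and return the body T: every occurrence of
    the nominal constant c becomes a reference to a new outermost binder,
    i.e. index `depth` when it sits under `depth` object-level binders."""
    if isinstance(t, Nom):
        return BVar(depth) if t.name == c else t
    if isinstance(t, BVar):
        return t
    if isinstance(t, App):
        return App(abstract(c, t.fn, depth), abstract(c, t.arg, depth))
    return Abs(abstract(c, t.body, depth + 1))


def instantiate(body: Term, v: Term, depth: int = 0) -> Term:
    """Compute (T V): replace the outermost binder of body, which appears as
    index `depth` under `depth` object-level binders, by v.  v carries no de
    Bruijn indices (it is closed or built from nominal constants), so it
    needs no shifting."""
    if isinstance(body, BVar):
        return v if body.idx == depth else body
    if isinstance(body, Nom):
        return body
    if isinstance(body, App):
        return App(instantiate(body.fn, v, depth), instantiate(body.arg, v, depth))
    return Abs(instantiate(body.body, v, depth + 1))


def subst(pairs: List[Tuple[Term, Term]], t: Term) -> Term:
    """The unique s with `subst n pairs t s` for n = len(pairs), or a
    ValueError when no clause of Figure 9 applies."""
    if not pairs:
        return t                                  # subst z nil T T
    (c, v), rest = pairs[0], pairs[1:]
    # The ∇x in the head of the second clause only matches when the first
    # component is a nominal constant occurring nowhere in V, in the rest of
    # the list, or in the result; the model checks that explicitly.
    if not isinstance(c, Nom):
        raise ValueError(f"{c!r} is not a nominal constant")
    others = support(v).union(*(support(c2) | support(v2) for c2, v2 in rest))
    if c.name in others:
        raise ValueError(f"{c.name} is not fresh for the rest of the substitution")
    return subst(rest, instantiate(abstract(c.name, t), v))   # subst N L (T V) S


def rejects(pairs: List[Tuple[Term, Term]], t: Term) -> bool:
    """True when Figure 9 has no clause for this pair list (the ∇x side
    condition fails), which the model reports as a ValueError."""
    try:
        subst(pairs, t)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: M c1 c2 = app c1 (abs (λy. y c2)), instantiated
    # with V1 = λx.x and V2 = λx.λy.x.
    c1, c2 = Nom("c1"), Nom("c2")
    m = App(c1, Abs(App(BVar(0), c2)))
    theta = [(c1, Abs(BVar(0))), (c2, Abs(Abs(BVar(1))))]
    print(subst(theta, m))
```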
5. Related work

Mechanized reasoning about structural operational semantic-style specifications of formal systems has received the attention of other researchers. Recent impetus for this kind of reasoning has been provided by a desire for computer verified proofs in the realm of programming language theory [2]. One line of research focuses on developing proofs within the framework provided by an existing and well-developed interactive theorem prover such as Coq [4] and Isabelle/HOL [25]. Many of the contexts in which machine authenticated reasoning of this kind is needed deal with objects involving binding. Several previous attempts have been characterized by the use of algebraic datatypes, enhanced perhaps by a de Bruijn-like representation of bound variables, in the encoding of binding constructs. While some success has been achieved using this approach to object representation [10, 11, 38], it has also been noted that the real reasoning task is often overwhelmed under such an approach by the proofs of mundane binding and substitution oriented lemmas. The more natural and more promising approaches to the kind of reasoning of interest are the ones that provide special logic based treatments of binding such as is manifest in λ-tree syntax. We discuss the main lines of research under this rubric below.

Nominal logic based reasoning. Nominal logic extends first-order syntax with primitives for treating variable names in such a way that α-equivalence classes are recognized [28]. This considerably simplifies the treatment of binding in specifications. In contrast to the approach underlying our work, no separate meta-logic has as yet been developed for reasoning about nominal logic descriptions.
Reasoning about specifications written in this logic is instead realized by axiomatizing the primitives of the logic in a rich system such as Coq or Isabelle/HOL [1, 37]. This approach has proved successful for many applications. Aside from the absence of a meta-logic, the most prominent difference between the nominal logic based approach and our work is that we use λ-tree syntax and thus obtain a comprehensive treatment of both α-equivalence and substitution within the logic. The nominal logic approach does not provide any direct support for substitution, and instead requires substitution to be defined on a case-by-case basis. In reasoning, this means that various substitution lemmas need to be proved for each syntactic class over which substitution is defined. Another difference worth noting is that we can derive freshness as a consequence of the nesting of quantifiers in an explicit definition of the fresh predicate, whereas nominal logic approaches either take freshness as primitive or define it in terms of set membership.

Two levels of logic. McDowell & Miller [13, 14, 16] explored using a two-level approach to reasoning about, for example, the operational semantics and the typing of small programming languages. Both levels of logic shared the same λ-tree approach to the treatment of (object-level and meta-level) binding: the object-logic was a simple second-order intuitionistic logic and the meta-logic was called FOλ∆IN. While FOλ∆IN contained inference rules for definitions, it lacked the ∇-quantifier. As a result, the seq predicate could not be specified in the same direct fashion as it is in Figure 5. As we illustrated briefly in Section 4, replacing FOλ∆IN with G strengthens the expressiveness of the meta-logic by allowing more declarative approaches to the specification of invariants for (object-level) contexts.
As a result, many of the theorems that have been proved in FOλ∆IN [16] can be given much more understandable proofs in G.

Twelf. Pfenning and Schürmann [31] also describe a two-level approach in which LF terms and types are used at the object-level and the logic M₂ is used at the meta-level. Schürmann's PhD thesis [30] further extended that meta-logic to one called M₂⁺. This framework is realized in Twelf [27], which also provides a related style of meta-reasoning based on mode, coverage, and termination checking over higher-order judgments in LF. Their approach also makes use of λ-tree syntax at both the object and meta-levels and goes beyond our proposal here in that they handle the complexities of dependent types and proof objects [9]. On the other hand, the kinds of meta-level theorems they can prove are different from what is available in G. For example, implication and negation are not present in M₂⁺ and cannot be encoded in higher-order LF judgments: hence, properties such as bisimulation for CCS or the π-calculus are not provable.

A key component in M₂⁺ and in the higher-order LF judgment approach to meta-reasoning is the ability to specify invariants related to the structure of meta-logical contexts. These invariants are called regular worlds and their analogue in our system is judgments such as cntx which explicitly describe the structure of contexts. While the approach to proving properties in Twelf is powerful and convenient for many applications, one might prefer defining explicit invariants, such as cntx, over the use of regular worlds, since this allows describing more general judgments over contexts, such as in the example of arbitrary cascading substitutions where the subst predicate actively manipulates the context of a term.
Implementation. The first author has implemented a significant portion of G in a recently released system called Abella [7]. This system provides an interactive tactics-based interface to proof construction. The primary focus of Abella is on reasoning about object-level specifications written in hereditary Harrop formulas: provability in that logic is provided by a definition similar to that of seq in Figure 5. Through this approach, Abella is able to take advantage of meta-level properties of the logic of hereditary Harrop formulas (e.g., cut and instantiation properties) while never having to reason outside of G.

Abella has been used in many applications, including all the examples mentioned in this paper. First-order results include reasoning on structures such as natural numbers and lists. Taking advantage of λ-tree syntax, application domains such as the simply typed λ-calculus are directly accessible. Particular results include equivalence of big-step and small-step evaluation, preservation of typing for both forms of evaluation, and determinacy for both forms of evaluation. More advanced results which make use of generic judgments for describing contexts include type uniqueness, disjoint partitioning of λ-terms into normal and non-normal form, and the Church-Rosser theorem. Larger applications include challenges 1a and 2a of the POPLmark challenge [2], a task which involves reasoning about the contexts of subtyping judgments for F<:, a λ-calculus with bounded subtype polymorphism. Finally, we have formalized a proof of normalization for the simply-typed λ-calculus based on Tait's reducibility argument [32]. This last example uses the formalization of arbitrarily cascading substitutions described in Section 4.

6. Future work

We are presently investigating the extension of G with a general treatment of induction over definitions as in the closely related logic Linc [33]. This extension would simplify many inductive arguments by obviating explicit measures in induction; thus, natural numbers encoding computation lengths would not be needed in the definitions of the element and subst predicates considered in Section 4 if we can induct directly on the unfolding of their definitions. Another benefit of this approach to induction is that it has a naturally dual rule for coinduction over coinductive definitions. This rule has been found useful in Linc, for example, in proving properties of systems such as the π-calculus.

At a practical level, we are continuing to develop Abella as a theorem proving system and to explore its use in complex reasoning tasks. We expect to use Abella to provide more elegant proofs of the many meta-logical theorems found in [16], which include cut-elimination theorems, type preservation, and determinacy of typing and evaluation. Finally, if the previously mentioned work on coinduction is completed, Abella can be used to explore the role of generic definitions in a coinductive setting.

7. Acknowledgements

We thank David Baelde and Alwen Tiu for valuable suggestions and anonymous reviewers for comments on an earlier version of this paper. This work has been supported by INRIA through the "Equipes Associées" Slimmer, by the NSF Grants OISE-0553462 (IRES-REUSSI) and CCR-0429572, and by a grant from Boston Scientific. Opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the National Science Foundation.

References

[1] B. Aydemir, A. Bohannon, and S. Weirich. Nominal reasoning techniques in Coq. In International Workshop on Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP), Seattle, WA, USA, Aug. 2006.
[2] B. E. Aydemir, A. Bohannon, M. Fairbairn, J. N. Foster, B. C. Pierce, P. Sewell, D. Vytiniotis, G. Washburn, S. Weirich, and S. Zdancewic. Mechanized metatheory for the masses: The POPLmark challenge. In Theorem Proving in Higher Order Logics: 18th International Conference, number 3603 in LNCS, pages 50–65. Springer-Verlag, 2005.
[3] D. Baelde, A. Gacek, D. Miller, G. Nadathur, and A. Tiu. The Bedwyr system for model checking over syntactic expressions. In F. Pfenning, editor, 21st Conference on Automated Deduction (CADE), number 4603 in LNAI, pages 391–397. Springer, 2007.
[4] Y. Bertot and P. Castéran. Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer Verlag, 2004.
[5] P. Borras, D. Clément, T. Despeyroux, J. Incerpi, G. Kahn, B. Lang, and V. Pascual. Centaur: the system. In Proceedings of SIGSOFT'88: Third Annual Symposium on Software Development Environments (SDE3), Boston, 1988.
[6] A. Church. A formulation of the simple theory of types. J. of Symbolic Logic, 5:56–68, 1940.
[7] A. Gacek. System description: Abella – A system for reasoning about computations. Available from http://arxiv.org/abs/0803.2305, 2008.
[8] J.-Y. Girard. A fixpoint theorem in linear logic. An email posting to the mailing list linear@cs.stanford.edu, Feb. 1992.
[9] R. Harper, F. Honsell, and G. Plotkin. A framework for defining logics. Journal of the ACM, 40(1):143–184, 1993.
[10] D. Hirschkoff. A full formalization of pi-calculus theory in the Calculus of Constructions. In E. Gunter and A. Felty, editors, Proceedings of the 10th International Conference on Theorem Proving in Higher Order Logics (TPHOLs'97), number 1275 in LNCS, pages 153–169, Murray Hill, New Jersey, Aug. 1997.
[11] X. Leroy. A locally nameless solution to the POPLmark challenge. Research report 6098, INRIA, Jan. 2007.
[12] P. Martin-Löf. Hauptsatz for the intuitionistic theory of iterated inductive definitions. In J. E. Fenstad, editor, Proceedings of the Second Scandinavian Logic Symposium, volume 63 of Studies in Logic and the Foundations of Mathematics, pages 179–216. North-Holland, 1971.
[13] R. McDowell. Reasoning in a Logic with Definitions and Induction. PhD thesis, University of Pennsylvania, Dec. 1997.
[14] R. McDowell and D. Miller. A logic for reasoning with higher-order abstract syntax. In G. Winskel, editor, 12th Symp. on Logic in Computer Science, pages 434–445, Warsaw, Poland, July 1997. IEEE Computer Society Press.
[15] R. McDowell and D. Miller. Cut-elimination for a logic with definitions and induction. Theoretical Computer Science, 232:91–119, 2000.
[16] R. McDowell and D. Miller. Reasoning with higher-order abstract syntax in a logical framework. ACM Trans. on Computational Logic, 3(1):80–136, 2002.
[17] R. McDowell, D. Miller, and C. Palamidessi. Encoding transition systems in sequent calculus. Theoretical Computer Science, 294(3):411–437, 2003.
[18] D. Miller. A logic programming language with lambda-abstraction, function variables, and simple unification. J. of Logic and Computation, 1(4):497–536, 1991.
[19] D. Miller. Unification under a mixed prefix. Journal of Symbolic Computation, 14(4):321–358, 1992.
[20] D. Miller. Abstract syntax for variable binders: An overview. In J. Lloyd et al., editors, Computational Logic - CL 2000, number 1861 in LNAI, pages 239–253. Springer, 2000.
[21] D. Miller, G. Nadathur, F. Pfenning, and A. Scedrov. Uniform proofs as a foundation for logic programming. Annals of Pure and Applied Logic, 51:125–157, 1991.
[22] D. Miller and A. Tiu. A proof theory for generic judgments. ACM Trans. on Computational Logic, 6(4):749–783, Oct. 2005.
[23] A. Momigliano and A. Tiu. Induction and co-induction in sequent calculus. In M. C. S. Berardi and F. Damiani, editors, Post-proceedings of TYPES 2003, number 3085 in LNCS, pages 293–308, Jan. 2003.
[24] G. Nadathur and D. Miller. An Overview of λProlog. In Fifth International Logic Programming Conference, pages 810–827, Seattle, Aug. 1988. MIT Press.
[25] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic. Springer, 2002. LNCS Tutorial 2283.
[26] F. Pfenning and C. Elliott. Higher-order abstract syntax. In Proceedings of the ACM-SIGPLAN Conference on Programming Language Design and Implementation, pages 199–208. ACM Press, June 1988.
[27] F. Pfenning and C. Schürmann. System description: Twelf — A meta-logical framework for deductive systems. In H. Ganzinger, editor, 16th Conference on Automated Deduction (CADE), number 1632 in LNAI, pages 202–206, Trento, 1999. Springer.
[28] A. M. Pitts. Nominal logic, A first order theory of names and binding. Information and Computation, 186(2):165–193, 2003.
[29] P. Schroeder-Heister. Rules of definitional reflection. In M. Vardi, editor, Eighth Annual Symposium on Logic in Computer Science, pages 222–232. IEEE Computer Society Press, IEEE, June 1993.
[30] C. Schürmann. Automating the Meta Theory of Deductive Systems. PhD thesis, Carnegie Mellon University, Oct. 2000. CMU-CS-00-146.
[31] C. Schürmann and F. Pfenning. Automated theorem proving in a simple meta-logic for LF. In C. Kirchner and H. Kirchner, editors, 15th Conference on Automated Deduction (CADE), volume 1421 of Lecture Notes in Computer Science, pages 286–300. Springer, 1998.
[32] W. W. Tait. Intensional interpretations of functionals of finite type I. J. of Symbolic Logic, 32(2):198–212, 1967.
[33] A. Tiu. A Logical Framework for Reasoning about Logical Specifications. PhD thesis, Pennsylvania State University, May 2004.
[34] A. Tiu. A logic for reasoning about generic judgments. In A. Momigliano and B. Pientka, editors, International Workshop on Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP'06), 2006.
[35] A. Tiu. Cut elimination for a logic with generic judgments and induction. Technical report, CoRR, Jan. 2008. Extended version of LFMTP'06 paper. Available from http://arxiv.org/abs/0801.3065.
[36] A. Tiu and D. Miller. A proof search specification of the π-calculus. In 3rd Workshop on the Foundations of Global Ubiquitous Computing, volume 138 of ENTCS, pages 79–101, Sept. 2004.
[37] C. Urban and C. Tasson. Nominal techniques in Isabelle/HOL. In R. Nieuwenhuis, editor, 20th Conference on Automated Deduction (CADE), volume 3632 of LNCS, pages 38–53. Springer, 2005.
[38] M. VanInwegen. The Machine-Assisted Proof of Programming Language Properties. PhD thesis, University of Pennsylvania, May 1996.
