A two-level logic approach to reasoning about computations

Relational descriptions have been used in formalizing diverse computational notions, including, for example, operational semantics, typing, and acceptance by non-deterministic machines. We therefore propose a (restricted) logical theory over relations as a language for specifying such notions. Our specification logic is further characterized by an ability to explicitly treat binding in object languages. Once such a logic is fixed, a natural next question is how we might prove theorems about specifications written in it. We propose to use a second logic, called a reasoning logic, for this purpose. A satisfactory reasoning logic should be able to completely encode the specification logic. Associated with the specification logic are various notions of binding: for quantifiers within formulas, for eigenvariables within sequents, and for abstractions within terms. To provide a natural treatment of these aspects, the reasoning logic must encode binding structures as well as their associated notions of scope, free and bound variables, and capture-avoiding substitution. Further, to support arguments about provability, the reasoning logic should possess strong mechanisms for constructing proofs by induction and co-induction. We provide these capabilities here by using a logic called G which represents relations over lambda-terms via definitions of atomic judgments, contains inference rules for induction and co-induction, and includes a special generic quantifier. We show how provability in the specification logic can be transparently encoded in G. We also describe an interactive theorem prover called Abella that implements G and this two-level logic approach and we present several examples that demonstrate the efficacy of Abella in reasoning about computations.

💡 Research Summary

The paper addresses a fundamental challenge in formal methods: how to specify computational notions such as operational semantics, typing, and nondeterministic machine acceptance in a uniform logical framework, and how to reason about those specifications within a single, well‑behaved logic. The authors propose a two‑level logic approach. The first level, called the specification logic, is a restricted logical theory over relations. It is designed to express a wide range of computational specifications while providing an explicit treatment of binding in object languages. Binding appears in three distinct forms: quantifiers inside formulas, eigenvariables that appear in sequents, and abstractions inside λ‑terms. The specification logic must therefore support notions of scope, free versus bound variables, and capture‑avoiding substitution.

To reason about specifications, a second logic—the reasoning logic—is required. This logic must be capable of fully encoding the specification logic, including its binding mechanisms, and must provide strong proof‑construction facilities such as induction and co‑induction. The authors select a logic called G for this purpose. G represents relations over λ‑terms by means of definitions of atomic judgments; these definitions are interpreted as fixed points, which naturally give rise to induction and co‑induction principles. Crucially, G introduces a special generic quantifier, denoted ∇, which allows the introduction of fresh, globally scoped variables without committing to a concrete name. This quantifier mirrors the role of eigenvariables in the specification logic and guarantees capture‑avoiding substitution automatically.

The paper shows that provability in the specification logic can be transparently encoded in G. Every inference rule of the specification logic is mapped to a definition or a rule in G, and the authors prove a soundness and completeness theorem stating that a judgment is derivable in the specification logic iff its translation is derivable in G. The encoding respects binding structure: free and bound variables are preserved, scopes are correctly modeled, and substitution behaves as expected. As a result, reasoning about specifications can be carried out entirely within G, using its built‑in induction, co‑induction, and ∇‑quantifier mechanisms.

To demonstrate practicality, the authors present Abella, an interactive theorem prover that implements G and the two‑level approach. Abella supports higher‑order abstract syntax (HOAS), allowing object‑level binders to be represented directly by meta‑level λ‑abstractions. The system provides tactics for unfolding definitions, applying induction or co‑induction, and handling ∇‑quantified variables. Users write specifications as sets of definitional clauses, then construct proofs about those specifications using Abella’s proof language.

The paper includes several substantial case studies:

1. Simply‑typed λ‑calculus – evaluation and type preservation are specified in the specification logic and proved in Abella. The proof scripts are concise, and the handling of variable binding is completely automated by the ∇‑quantifier.
2. Imperative language semantics – a small‑step operational semantics for a language with assignment and sequencing is encoded, and properties such as determinism and preservation of store equivalence are proved.
3. Nondeterministic finite automata – acceptance of strings is expressed as a relational predicate; the classic language‑recognition theorem is proved using co‑induction to handle potentially infinite runs.
4. π‑calculus – name passing and scope extrusion are modeled; bisimulation equivalence is proved, showcasing the ability of G to manage complex name binding via ∇.
5. Co‑inductive stream definitions – infinite data structures are defined, and co‑inductive reasoning principles in G are exercised to prove properties like productivity.

Across all examples, Abella demonstrates that the two‑level logic approach scales to both inductive and co‑inductive reasoning, and that the overhead of encoding binding is negligible compared with traditional approaches that require explicit substitution lemmas.

In conclusion, the paper makes three key contributions: (1) a clean, relational specification logic that explicitly supports multiple forms of binding; (2) the identification of logic G as a reasoning logic capable of faithfully encoding the specification logic while providing robust induction, co‑induction, and generic quantification; and (3) an implementation, Abella, that validates the approach on a variety of non‑trivial computational systems. This work bridges the gap between specification and verification, offering a unified framework where the same logical machinery that defines a system can also be used to prove its fundamental properties.