Lem: A Lightweight Tool for Heavyweight Semantics [chapter]

Scott Owens, Peter Böhm, Francesco Zappa Nardelli, Peter Sewell
2011 Lecture Notes in Computer Science  
Many ITP developments exist in the context of a single prover, and are dominated by proof effort. In contrast, when applying rigorous semantic techniques to realistic computer systems, engineering the definitions becomes a major activity in its own right. Proof is then only one task among many: testing, simulation, communication, community review, etc. Moreover, the effort invested in establishing such definitions should be re-usable and, where possible, irrespective of the local
more » ... culture. For example, in recent work on processor and programming language concurrency (x86, Power, ARM, C++0x, Com-pCertTSO), we have used Coq, HOL4, Isabelle/HOL, and Ott-often using multiple provers simultaneously, to exploit existing definitions or local expertise. In this paper we describe Lem, a prototype system specifically designed to support pragmatic engineering of such definitions. It has a carefully designed source language, of a familiar higher-order logic with datatype definitions, inductively defined relations, and so on. This is typechecked and translated to a variety of programming languages and proof assistants, preserving the original source structure (layout, comments, etc.) so that the result is readable and usable. We have already found this invaluable in our work on Power, ARM and C++0x concurrency. 1 Motivation Mechanised proof assistants such as ACL2 [1], Coq [6], HOL4 [9], HOL Light [8], Isabelle/HOL [10], PVS [12], and Twelf [19] are becoming important tools for Computer Science. In many applications of these tools, the majority of effort is devoted to proof, and that is rightly a main focus of their developers. This focus leads each of these systems to have its own logic, various mechanisms for making mathematical definitions, and extensive support for machine-checked interactive and/or automated reasoning. In some applications, however, the definitions themselves, of types, functions, and relations, are a major focus of the work. This is often the case when modelling key computational infrastructure: network protocols, programming languages, multiprocessors, and so on. For example, we have worked on TCP [4,13], Optical Networking [3], Java Module Systems [18], the semantics of an OCaml fragment [11] , concurrency for C and C++ [2, 5, 16] , and the semantics of x86, POWER and ARM multiprocessors [14, 15] ; and there are numerous examples by other groups (far too many to cite here). In each of these cases, considerable
doi:10.1007/978-3-642-22863-6_27 fatcat:sujwlulilzcgbjm52vtzq3kbfi