
Andrei Popescu - Senior Lecturer at The University of Sheffield
About
97 Publications
7,800 Reads
1,694 Citations
Publications (97)
This paper is a contribution to the meta-theory of systems featuring syntax with bindings, such as 𝜆-calculi and logics. It provides a general criterion that targets inductively defined rule-based systems, enabling for them inductive proofs that leverage Barendregt's variable convention of keeping the bound and free variables disjoint. It improves...
We study nominal recursors from the literature on syntax with bindings and compare them with respect to expressiveness. The term "nominal" refers to the fact that these recursors operate on a syntax representation where the names of bound variables appear explicitly, as in nominal logic. We argue that nominal recursors can be viewed as epi-recursor...
Cyclic proof systems, in which induction is managed implicitly, are a promising approach to automatic verification. The soundness of cyclic proof graphs is ensured by checking them against a trace-based Infinite Descent property. Although the problem of checking Infinite Descent is known to be PSPACE-complete, this leaves much room for variation in...
Collision avoidance is a major problem when robotic devices are being deployed to perform complex collaborative tasks. We present a vision for a framework that makes it convenient to program collaborative robots and to verify that their behaviour is collision-free. It consists of a domain-specific language that is shallowly embedded in the ROS (Rob...
We introduce renaming-enriched sets (rensets for short), which are algebraic structures axiomatizing fundamental properties of renaming (also known as variable-for-variable substitution) on syntax with bindings. Rensets compare favorably in some respects with the well-known foundation based on nominal sets. In particular, renaming is a more fundame...
We introduce renaming-enriched sets (rensets for short), which are algebraic structures axiomatizing fundamental properties of renaming (also known as variable-for-variable substitution) on syntax with bindings. Rensets compare favorably in some respects with the well-known foundation based on nominal sets. In particular, renaming is a more fundam...
Relativizing statements in Higher-Order Logic (HOL) from types to sets is useful for improving productivity when working with HOL-based interactive theorem provers such as HOL4, HOL Light and Isabelle/HOL. This paper provides the first comprehensive definition and study of types-to-sets relativization in HOL, done in the more general form of types-...
I introduce renaming-enriched sets (rensets for short), which are algebraic structures axiomatizing fundamental properties of renaming (also known as variable-for-variable substitution) on syntax with bindings. Rensets compare favorably in some respects with the well-known foundation based on nominal sets. In particular, renaming is a more fundamen...
We present an abstract development of Gödel’s incompleteness theorems, performed with the help of the Isabelle/HOL proof assistant. We analyze sufficient conditions for the applicability of our theorems to a partially specified logic. In addition to the usual benefits of generality, our abstract perspective enables a comparison between alternative...
We have previously published the Isabelle/HOL formalization of a general theory of syntax with bindings. In this companion paper, we instantiate the general theory to the syntax of lambda-calculus and formalize the development leading to several fundamental constructions and results: sound semantic interpretation, the Church-Rosser and standardizat...
We describe Bounded-Deducibility (BD) security, an expressive framework for the specification and verification of information-flow security. The framework grew by confronting concrete challenges of specifying and verifying fine-grained confidentiality properties in some realistic web-based systems. The concepts and theorems that constitute this fra...
We present a case study in formally verified security for realistic systems: the information flow security verification of the functional kernel of a web application, the CoCon conference management system. We use the Isabelle theorem prover to specify and verify fine-grained confidentiality properties, as well as complementary safety and “tracebac...
We present the formalization of a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory cont...
This book constitutes the proceedings of the 28th International Conference on Automated Reasoning with Analytic Tableaux and Related Methods, TABLEAUX 2019, held in London, UK, in September 2019, colocated with the 12th International Symposium on Frontiers on Combining Systems, FroCoS 2019. The 25 full papers presented were carefully reviewed and...
We present an abstract development of Gödel’s incompleteness theorems, performed with the help of the Isabelle/HOL theorem prover. We analyze sufficient conditions for the theorems’ applicability to a partially specified logic. In addition to the usual benefits of generality, our abstract perspective enables a comparison between alternative approac...
The interactive theorem prover Isabelle/HOL is based on the well understood higher-order logic (HOL), which is widely believed to be consistent (and provably consistent in set theory by a standard semantic argument). However, Isabelle/HOL brings its own personal touch to HOL: overloaded constant definitions, used to provide the users with Haskell-l...
Types in higher-order logic (HOL) are naturally interpreted as nonempty sets. This intuition is reflected in the type definition rule for the HOL-based systems (including Isabelle/HOL), where a new type can be defined whenever a nonempty set is exhibited. However, in HOL this definition mechanism cannot be applied inside proof contexts. We propose...
We present a general framework for specifying and reasoning about syntax with bindings. Abstract binder types are modeled using a universe of functors on sets, subject to a number of operations that can be used to construct complex binding patterns and binding-aware datatypes, including non-well-founded and infinitely branching types, in a modular...
This book constitutes the proceedings of the 12th International Symposium on Frontiers of Combining Systems, FroCoS 2019, held in London, UK, in September 2019, colocated with the 28th International Conference on Automated Reasoning with Analytic Tableaux and Related Methods, TABLEAUX 2019. The 20 papers presented were carefully reviewed and selec...
This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibi...
Definitions are traditionally considered to be a safe mechanism for introducing concepts on top of a logic known to be consistent. In contrast to arbitrary axioms, definitions should in principle be treatable as a form of abbreviation, and thus compiled away from the theory without losing provability. In particular, definitions should form a conser...
We describe a line of work that started in 2011 towards enriching Isabelle/HOL’s language with coinductive datatypes, which allow infinite values, and with a more expressive notion of inductive datatype than previously supported by any system based on higher-order logic. These (co)datatypes are complemented by definitional principles for (co)recurs...
We present the formalization of a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory incl...
Nonuniform (or “nested” or “heterogeneous”) datatypes are recursively defined types in which the type arguments vary recursively. They arise in the implementation of finger trees and other efficient functional data structures. We show how to reduce a large class of nonuniform datatypes and codatatypes to uniform types in higher-order logic. We prog...
We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate...
Many automatic theorem provers are restricted to untyped logics, and existing translations from typed logics are bulky or unsound. Recent research proposes monotonicity as a means to remove some clutter when translating monomorphic to untyped first-order logic. Here we pursue this approach systematically, analysing formally a variety of encodings t...
We introduce AmiCo, a tool that extends a proof assistant, Isabelle/HOL, with flexible function definitions well beyond primitive corecursion. All definitions are certified by the assistant’s inference kernel to guard against inconsistencies. A central notion is that of friends: functions that preserve the productivity of their arguments and that a...
The proof assistant Isabelle/HOL is based on an extension of Higher-Order Logic (HOL) with ad hoc overloading of constants. It turns out that the interaction between the standard HOL type definitions and the Isabelle-specific ad hoc overloading is problematic for the logical consistency. In previous work, we have argued that standard HOL semantics...
We show how codatatypes can be employed to produce compact, high-level proofs of key results in logic: the soundness and completeness of proof systems for variations of first-order logic. For the classical completeness result, we first establish an abstract property of possibly infinite derivation trees. The abstract proof can be instantiated for a...
Types in Higher-Order Logic (HOL) are naturally interpreted as nonempty sets—this intuition is reflected in the type definition rule for the HOL-based systems (including Isabelle/HOL), where a new type can be defined whenever a nonempty set is exhibited. However, in HOL this definition mechanism cannot be applied inside proof contexts. We propose a...
This paper describes progress with our agenda of formal verification of information-flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibi...
This paper presents a formalized framework for defining corecursive functions safely in a total setting, based on corecursion up-to and relational parametricity. The end product is a general corecursor that allows corecursive (and even recursive) calls under "friendly" operations, including constructors. Friendly corecursive functions can be regist...
This paper presents a formalized framework for defining corecursive functions safely in a total setting, based on corecursion up-to and relational parametricity. The end product is a general corecursor that allows corecursive (and even recursive) calls under well-behaved operations, including constructors. Corecursive functions that are well behave...
The interactive theorem prover Isabelle/HOL is based on the well understood Higher-Order Logic (HOL), which is widely believed to be consistent (and provably consistent in set theory by a standard semantic argument). However, Isabelle/HOL brings its own personal touch to HOL: overloaded constant definitions, used to achieve Haskell-like type class...
We introduce term-generic logic (TGL), a first-order logic parameterized with terms defined axiomatically (rather than constructively), by requiring terms to only provide free variable and substitution operators satisfying some reasonable axioms. TGL has a notion of model that generalizes both first-order models and Henkin models of the λ-calculus....
We introduce term-generic logic (TGL), a first-order logic parameterized with terms defined axiomatically (rather than constructively), by requiring terms to only provide free variable and substitution operators satisfying some reasonable axioms. TGL has a notion of model that generalizes both first-order models and Henkin models of the λ-calculus....
Datatypes and codatatypes are useful for specifying and reasoning about (possibly infinite) computational processes. The Isabelle/HOL proof assistant has recently been extended with a definitional package that supports both. We describe a complete procedure for deriving nonemptiness witnesses in the general mutually recursive, nested case—nonemptin...
This paper presents an Isabelle/HOL formalization of recent research in automated reasoning: efficient encodings of sorts in unsorted first-order logic, as implemented in Isabelle’s Sledgehammer proof tool. The formalization provides the general-purpose machinery to reason about formulas and models, emulating the theory of institutions. Quantifiers...
Sledgehammer for Isabelle/HOL integrates automatic theorem provers to discharge interactive proof obligations. This paper considers a tighter integration of the superposition prover SPASS to increase Sledgehammer’s success rate. The main enhancements are native support for hard sorts (simple types) in SPASS, simplification that honors the orientati...
Codatatypes are absent from many programming and specification languages. We make a case for their importance by revisiting a classical result: the completeness theorem for first-order logic established through a Gentzen system. The core of the proof establishes an abstract property of possibly infinite derivation trees, independently of the concre...
We report on a formalization of ordinals and cardinals in Isabelle/HOL. A main challenge we faced is the inability of higher-order logic to represent ordinals canonically, as transitive sets (as done in set theory). We resolved this into a “decentralized” representation that identifies ordinals with wellorders, with all concepts and results proved...
We present a case study in verified security for realistic systems: the implementation of a conference management system, whose functional kernel is faithfully represented in the Isabelle theorem prover, where we specify and verify confidentiality properties. The various theoretical and practical challenges posed by this development led to a novel...
We extended Isabelle/HOL with a pair of definitional commands for datatypes and codatatypes. They support mutual and nested (co)recursion through well-behaved type constructors, including mixed recursion–corecursion, and are complemented by syntaxes for introducing primitively (co)recursive functions and by a general proof method for reasoning coin...
We present a uniform, top-down design method for security type systems applied to a parallel while-language. The method takes the following route: from a notion of end-to-end security via a collection of stronger notions of anytime security targeting compositionality to a matching collection of type-system-like syntactic criteria. This method has e...
We present an Isabelle formalization of probabilistic noninterference for a multi-threaded language with uniform scheduling. Unlike in previous settings from the literature, here probabilistic behavior comes from both the scheduler and the individual threads, making the language more realistic and the mathematics more challenging. We study resumpti...
Datatypes freely generated by their constructors are well supported in mainstream proof assistants. Algebraic specification languages offer more expressive datatypes on axiomatic means: nonfree datatypes generated from constructors modulo equations. We have implemented an Isabelle/HOL package for nonfree datatypes, without compromising foundations....
We develop a framework for expressing and analyzing the behavior of probabilistic schedulers. There, we define noninterfering schedulers by a probabilistic interpretation of Goguen and Meseguer’s seminal notion of noninterference. Noninterfering schedulers are proved to be safe in the following sense: if a multi-threaded program is possibilisticall...
We show how security type systems from the literature of language-based noninterference can be represented more directly as predicates defined by structural recursion on the programs. In this context, we show how our uniform syntactic criteria from previous work cover several previous type-system soundness results.
Most automatic theorem provers are restricted to untyped logics, and existing translations from typed logics are bulky or unsound. Recent research proposes monotonicity as a means to remove some clutter. Here we pursue this approach systematically, analysing formally a variety of encodings that further improve on efficiency while retaining soundnes...
We perform a formal analysis of compositionality techniques for proving possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninterference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ensur...
We perform a formal analysis of compositionality techniques for proving possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninterference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ens...
Interactive theorem provers based on higher-order logic (HOL) traditionally follow the definitional approach, reducing high-level specifications to logical primitives. This also applies to the support for datatype definitions. However, the internal datatype construction used in HOL4, HOL Light, and Isabelle/HOL is fundamentally noncompositional, li...
We characterize the data type of terms with bindings, freshness and substitution, as an initial model in a suitable Horn theory. This characterization yields a convenient recursive definition principle, which we have formalized in Isabelle/HOL and employed in a series of case studies taken from the λ-calculus literature.
We present a point of view concerning HOAS (Higher-Order Abstract Syntax) and an extensive exercise in HOAS along this point of view. The point of view is that HOAS can be soundly and fruitfully regarded as a definitional extension on top of FOAS (First-Order Abstract Syntax). As such, HOAS is not only an encoding technique, but also a higher-order...
We present a coinductive proof system for bisimilarity in transition systems specifiable in the de Simone SOS format. Our coinduction is incremental, in that it allows building incrementally an a priori unknown bisimulation, and pattern-based, in that it works on equalities of process patterns (i.e., universally quantified equations of process term...
This collection of documents presents the Isabelle formalization of Higher-Order Abstract Syntax (HOAS) as a definitional layer on top of First-Order Abstract Syntax (FOAS). The formal scripts shown here are provided as a technical companion to the paper "HOAS on top of FOAS" to be presented at LICS 2010 (and to its more detailed technical report v...
This is a browsable HTML document presenting an Isabelle formalization of a general theory of syntax with static bindings and substitution.
This document presents an Isabelle formalization of a general theory of syntax with bindings. It also includes some case studies from the theory of lambda-calculus.
We argue that weak bisimilarity of processes can be conveniently captured in a semantic domain by a combination of traces and coalgebraic finality, in such a way that important process algebra aspects such as parallel composition and recursion can be represented compositionally. We illustrate the usefulness of our approach by providing a fully-abst...
We describe the theoretical underpinnings to support the construction of an extension to the Isabelle/HOL theorem prover to support the creation of datatypes for weak higher-order abstract syntax, and give an example of its application. This theoretical basis is centered around the concept of variable types (i.e. types whose elements are variables)...
We develop some Higher-Order Abstract Syntax (HOAS) concepts and proof principles as a collection of definitions and propositions on top of the original syntax with bindings. Our approach brings together hassle-free (i.e., binding- and substitution-free) manipulation of the objects on the one hand, and inductive reasoning about the same objects on...
This paper develops a general algebraic setting for the notion of nuanced truth value, providing a Lukasiewicz-Moisil construction over an arbitrary truth functional logical system. Among old and new instances of this construction we find Boolean algebras, Lukasiewicz-Moisil (algebras and relation algebras), and nuanced residuated lattices.
Term-generic logic (TGL) is a first-order logic parameterized with terms defined axiomatically (rather than constructively), by requiring them to only provide generic notions of free variable and substitution satisfying reasonable properties. TGL has a complete Gentzen system generalizing that of first-order logic. A certain fragment of TGL, called...
We study MV-relation-algebras, appearing by abstracting away from the concrete many-valued relations and the operations on them, such as composition and converse. MV-relation-algebras are MV generalizations of the relation algebras developed by A. Tarski and his school starting from the late forties. Some facts about ideals, congruences, and variou...
We prove an institutional version of A. Robinson’s Consistency Theorem. This result is then applied to the institution of many-sorted first-order predicate logic and to two of its variations, infinitary and partial, obtaining very general syntactic criteria sufficient for a signature square in order to satisfy the Robinson consistency and Craig inte...
We introduce the notion of n-nuanced MV-algebra by performing a Łukasiewicz–Moisil nuancing construction on top of MV-algebras. These structures extend both MV-algebras and Łukasiewicz–Moisil algebras, thus unifying two important types of structures in the algebra of logic. On a logical level, n-nuanced MV-algebras amalgamate two distinct approache...
We prove an institutional version of Tarski's elementary chain theorem applicable to a whole plethora of 'first-order-accessible' logics, which are, roughly speaking, logics whose sentences can be constructed from atomic formulae by means of classical First-order connectives and quantifiers. These include the unconditional equational, positive, (Pi...
Craig interpolation is investigated for various types of formulae. By shifting the focus from syntactic to semantic interpolation, we generate, prove and classify a series of interpolation results for first-order logic. A few of these results non-trivially generalize known interpolation results; all the others are new. We also discuss some applicat...
The paper develops a study of order convergence in Łukasiewicz-Moisil algebras. An axiomatical notion of distance (covering the pointwise and the Heyting distances) is provided, together with an associated notion of Cauchy sequence. Under natural hypotheses, the existence of Cauchy completions is proven. We analyze the connection to Boolean algebra...
This paper is concerned with the algebraic foundations of many-valued probability theory. We introduce and study a new notion of probability (state) on Łukasiewicz-Moisil algebras. This notion is parameterized by the considered logical implication (residuum) in Łukasiewicz-Moisil logic, knowing that there are several natural choices for the residuu...
We introduce Łukasiewicz-Moisil relation algebras, obtained by considering a relational dimension over Łukasiewicz-Moisil algebras. We prove some arithmetical properties, provide a characterization in terms of complex algebras, study the connection with relational Post algebras and characterize the simple structures and the matrix relation algebras...
We introduce and study a notion of logical convergence in residuated lattices (with operators). It is considered a convergence in similarity degree, rather than a bare order convergence – the lack of symmetry of residuated lattices brings our approach more related to the logical structure than to the set of truth values.
We introduce MV-relation algebras (MVRAs) and distributive MV-relation algebras (DMVRAs), many-valued generalizations of classical relation algebras and study some of their arithmetical properties. We provide corresponding notions of group relation algebra and complex algebra and generalize some results about them from the classical case. For this,...
We introduce MV-relation algebras (MVRAs) and distributive MV- relation algebras (DMVRAs), fuzzy generalizations of classical relation algebras and study some of their arithmetical properties. We provide fuzzy notions of group relation algebras and complex algebras and generalize some results about them from the classical case. For this, we work wi...
The lack of double negation and de Morgan properties makes fuzzy logic unsymmetrical. This is the reason why fuzzy versions of notions like closure operator or Galois connection deserve attention for both antitone and isotone cases, these two cases not being dual. This paper offers them attention, coming to the following conclusions: – some kind...
The paper proposes a flexible way to build concepts within fuzzy logic and set theory. The framework is general enough to capture some important particular cases, with their own independent interpretations, like “antitone” or “isotone” concepts constructed from fuzzy binary relations, but also to allow the two universes (of objects and attributes)...
Weak pseudo BL-algebras (WPBL-algebras) are non-commutative fuzzy structures which arise from pseudo-t-norms (i.e. the non-commutative versions of triangular norms). In this paper, we study the pairs of weak negations on WPBL-algebras, extending the case of weak negations on Esteva–Godo MTL-algebras. A geometrical characterization of the pairs of w...
Fuzzy Galois connections were introduced by Bělohlávek in [4]. The structure considered there for the set of truth values is a complete residuated lattice, which places the discussion in a “commutative fuzzy world”. What we are doing in this paper is dropping down the commutativity, getting the corresponding notion of Galois connection and general...
We introduce the notions of closure operator and closure system in a non-commutative fuzzy framework, where the structure of truth values is a generalized residuated lattice, L. We investigate the relationship between L-Galois connections and a weakened form of L-closure operators, which will eventually lead us to three ways of indicating a hierarc...
A classical (crisp) concept is given by its extent (a set of objects) and its intent (a set of properties). In commutative fuzzy logic, the generalization comes naturally, considering fuzzy sets of objects and properties. In both cases (the first being actually a particular case of the second), the situation is perfectly symmetrical: a concept is g...
We show that any institution I satisfying some reasonable conditions can be transformed into another institution, I_beh, which captures formally and abstractly the intuitions of adding support for behavioral equivalence and reasoning to an existing, particular algebraic framework. We call our transformation an “extensio...
The process of flattening an indexed category, usually known under the name "Grothendieck construction", is extended to a very general form of morphism of indexed categories; some limit and colimit preservation and adjoint existence theorems are proved. These constructions and results are applied to diagram categories; but the perhaps most relevant a...
We present some results regarding languages that are context-free or regular w.r.t. a non-deterministic binary operation on words that is left variable, only asking a few general properties like associativity. This could be part of a unified approach to intertextuality, the results referring, in particular, to important instances of "putting texts to...
We perform a formal, machine-checked analysis of compositionality techniques for proving noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninterference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they en...
Combining traces, coalgebra and lazy-filtering channel configurations for parallel composition, we give a fully-abstract denotational semantics for the pi-calculus under weak early bisimilarity.
We develop a theory of syntax with bindings, focusing on: - methodological issues concerning the convenient representation of syntax; - techniques for recursive definitions and inductive reasoning. Our approach consists of a combination of FOAS (First-Order Abstract Syntax) and HOAS (Higher-Order Abstract Syntax) and tries to take advantage of the...