Dominic P. Mulligan

Nominal terms extend first-order terms with binding. They lack some properties of first- and higher-order terms: terms must be reasoned about in a context of 'freshness assumptions'; it is not always possible to 'choose a fresh variable symbol' for a nominal term; it is not always possible to 'α-convert a bound variable symbol' or to 'quotient by …
Recent years have seen remarkable successes in rigorous engineering: using mathematically rigorous semantic models (not just idealised calculi) of real-world processors, programming languages, protocols, and security mechanisms, for testing, proof, analysis, and design. Building these models is challenging, requiring experimentation, dialogue with …
This paper develops the correspondence between equality reasoning with axioms using λ-terms syntax, and reasoning using nominal terms syntax. Both syntaxes involve name-abstraction: λ-terms represent functional abstraction; nominal terms represent atoms-abstraction in nominal sets. It is not evident how to relate the two syntaxes because their …
We investigate a class of nominal algebraic Henkin-style models for the simply typed λ-calculus in which variables map to names in the denotation and λ-abstraction maps to a (non-functional) name-abstraction operation. The resulting denotations are smaller and better-behaved, in ways we make precise, than functional valuation-based models. Using these new …
The Curry-Howard correspondence connects Natural Deduction derivation with the lambda-calculus. Predicates are types, derivations are terms. This supports reasoning from assumptions to conclusions, but we may want to reason 'backwards' from the desired conclusion towards the assumptions. At intermediate stages we may have an 'incomplete derivation', with …
We provide an overview of the FET-Open Project CerCo ('Certified Complexity'). Our main achievement is the development of a technique for analysing non-functional properties of programs (time, space) at the source level with little or no loss of accuracy and a small trusted code base. The core component is a C compiler, verified in Matita, that produces an …
Weakly consistent multiprocessors such as ARM and IBM POWER have been with us for decades, but their subtle programmer-visible concurrency behaviour remains challenging, both to implement and to use; the traditional architecture documentation, with its mix of prose and pseudocode, leaves much unclear. In this paper we show how a precise architectural …
We present a proof of correctness in Matita for an optimising assembler for the MCS-51 microcontroller. The efficient expansion of pseudoinstructions, namely jumps, into machine instructions is complex. We isolate the decision making over how jumps should be expanded from the expansion process itself as much as possible using 'policies', making the proof of …