Reasoning on an imperative object-based calculus in Higher Order Abstract Syntax

We illustrate the benefits of using Natural Deduction in combination with weak Higher-Order Abstract Syntax for formalizing an object-based calculus with objects, cloning, method-update, types with subtyping, and side-effects, in inductive type theories such as the Calculus of Inductive Constructions. This setting suggests a clean and compact formalization of the syntax and semantics of the calculus, with an efficient management of method closures. Using our formalization and the Theory of Contexts, we can prove formally the Subject Reduction Theorem in the proof assistant Coq, with a relatively small overhead.


INTRODUCTION
Object-based languages, like Self and Obliq, are a kind of object-oriented languages where there is no notion of "class", di↵erently from class-based languages, like Java, C ++ and C # . Object-based languages are simpler, provide more primitive and flexible mechanisms, and can be used as intermediate languages in the implementation of classbased ones. Despite this, object-based languages are less used in practice than the latter; for this reason, while in recent years much e↵ort has been put in the formalization of class-based languages, relatively little or no formal work has been carried out on object-based ones. This is a serious gap, because most of the foundational calculi introduced for the mathematical analysis of the object-oriented paradigm are object-based [2,13]; in fact, object-based calculi represent for the object-oriented paradigm what the -calculus and its variants are for the functional paradigm.
The main aim of the present work is to fill this gap. More precisely, we focus on Abadi and Cardelli's imp& [2], a particularly representative object-based calculus featuring objects, methods, cloning, dynamic lookup, method-update, types, subtypes, and, last but not least, imperative features. Both static and dynamic aspects of imp& will be formalized in the Calculus of Inductive Constructions type theory (CIC), implemented in the interactive proof assistant Coq, which has been already successfully used in the formalization of class-based languages.
Due to its nature, imp& is quite complex, both at the syntactic and the semantic level: imp& features all the idiosyncrasies of functional languages with imperative features; moreover, the store model underlying the language allows for loops, thus making the typing system quite awkward. Consequently, key metatheoretic properties such as the Subject Reduction are much harder to state and prove for imp& than for usual functional languages, already "on paper". Therefore, a plain, naïve first-order encoding of imp& would add further confusing details, leading to a clumsy and unmanageable formalization; hence, a key aspect of this work is that the overhead introduced by the formalization should be as low as possible. This can be achieved by taking most advantage of the metatheoretic features o↵ered by the type theory-based Logical Frameworks (LFs). In particular, the direct support for Natural Deduction and Higher-Order Abstract Syntax, common to most LFs, can be used proficiently for defining alternative, and sparer, formalizations. For a significant fragment of imp& (i.e., without method-update), we can even drop the so-called store-types and all related machinery, by taking full advantage of coinductive judgments. However, in this paper we are interested in presenting the di culties and solutions we have developed for the full imp& calculus, rather than defining radically new semantics for ob-ject calculi; therefore, we will not discuss coinductive types and related proof systems. We refer the reader to [6].
Natural Deduction leads us to consider a di↵erent formulation of static and dynamic semantics of imp&, namely in the style of the Natural Deduction Semantics (NDS) [4,22]. The key point in using NDS is that all stack-like structures (e.g., environments, typing bases) are distributed in the hypotheses of the proof derivations. Therefore, these structures do not appear explicitly anymore in the formal judgments and proofs we have to deal with, which become fairly simpler. Of course, the semantics in NDS we focus on is equivalent to the original Natural Semantics of [2].
On the other hand, the imp& calculus has binders, which we have to deal e ciently with both in the syntax and in the semantics (due to the presence of closures). To this end, the weak Higher-Order Abstract Syntax (weak HOAS) approach has emerged as one of the most suited in inductive type theories like CIC [10,17,18]. Following such an approach, a separate, open type for variables is introduced, and binders are represented as second-order term constructors, taking functions over variables as arguments. In this way, it is possible to delegate to the metalanguage all the burden of ↵-conversion, still retaining the benefits of inductive definitions. The disadvantage of weak HOAS is that it does not allow to inherit substitution of terms for variables from the metalanguage, as it is possible, instead, using full HOAS in non inductive type theories [15,26]. Luckily, this is not a problem in the case of imp&, since its semantics is defined using closures instead of substitutions. Therefore, the solution of using weak HOAS fits perfectly the needs for encoding imp&; as a byproduct, the NDS and HOAS style yield a di↵erent, more e cient handling of closures.
However, the weak HOAS reveals its main drawback when we come to reasoning over our formalization of imp&, e.g. for proving key metaproperties such as the Subject Reduction.
Here we have to prove several properties concerning variable renaming, often by induction over second-order terms, and by case analysis over the name of the variables themselves. All this is problematic because CIC, and similar type theories, are not expressive enough [18].
In recent years, various approaches have been proposed to overcome these kinds of problems. One approach tends to propose new, more expressive metalanguages, especially designed for reasoning on names and variables, and based on di↵erent techniques such as modal types, functor categories, permutation models of set theory, etc. [11,12,14,16]. Another line of research tends to cope with these problems within the current systems and logical frameworks [18,25,27]. A comparison of the di↵erent approaches is out of the scope of this paper.
Since we carry out a weak HOAS encoding in CIC, we have decided to adopt the Theory of Contexts (ToC) [17], a quite general "plug-and-play" methodology for reasoning on object systems in weak HOAS. The gist of this approach is to extend directly the existing framework (CIC, in this case) with a small set of axioms capturing some basic and natural properties of names and term contexts. The main advantage of such a technique is that it requires a very low mathematical and logical overhead: it can be easily used in existing proof environments without the need of any redesign of the system, and it allows for carrying out proofs with arguments similar to those "on paper". It turns out that also in the present case, the ToC reveals to be well-suited: we actually succeed in proving the Subject Reduction for imp& with a small, sustainable overhead.
Our e↵ort is useful also from the point of view of Logical Frameworks. Their theoretical development and implementation will benefit from complex case studies like the present one, where we test the applicability of advanced encoding and proof methodologies. An interesting remark is that we have to slightly modify the "unsaturation", one of the axioms of the ToC, in order to take into account the di↵erent kinds of informations kept in the proof derivation environment. This is similar to previous applications of the ToC to typed languages [23], and it is needed in order to respect a form of "regularity" of well-formed contexts. Thus, we argue that such a "regularity" of proof contexts should allow to generalize further the ToC, subsuming the several variants used in the case studies so far.
Synopsis. The paper is structured as follows. Section 2 gives a brief account of the imp&-calculus, whose formalization in weak HOAS is presented in Section 3. Development of metatheoretic results, using the ToC, is discussed in Section 4. Final discussions and directions for future work are in Section 5. The Coq code is available at [7].

THE IMP& CALCULUS
Syntax. Abadi and Cardelli's imp&-calculus [2] is an imperative calculus of objects forming the kernel of the programming language Obliq [5]. The syntax is the following: Notice that & and let bind x in b, so usual conventions about ↵-conversion apply. The reader is referred to [2,Ch.10,11] for an explanation of the intuitive meaning of these constructs. We present the semantics of imp& using a Natural Deduction (NDS) style, because this leads to a simpler formalization in LFs, as will be explained and carried out in the next section.
Dynamic Semantics. First we need to introduce some implementation-level entities, such as store-locations, results, reduction contexts, closures and stores: Loc : ◆ 2 Nat store loc.

Res
: v ::= [li = ◆i] i2I result RedCtx : ::= ; | , x 7 ! v (x / 2 Dom( )) red. ctx. Store : s ::= ◆i 7 ! h&(xi)bi, ii i2I store A method-closure h&(x)b, i is a method together with a set of declarations for its free variables, the (reduction) context. In reduction contexts, variables are uniquely associated to results of object declarations. Each result is a (possibly empty) list of pairs: method-names together with storelocations, where the corresponding method-closure is stored. Hence a store is a function mapping locations to closures: in the following, the notation ◆i 7 ! ci i2I denotes the store that maps the locations ◆i to the closures ci, for i 2 I; s, ◆ 7 ! c extends s with c at location ◆ (fresh), and s.◆j c denotes the result of replacing the content of the location ◆j of s with c. Unless explicitly remarked, all the li, ◆i are distinct.
The big-step operational semantics is expressed by a reduction judgment relating a store s, a term a, a result v and another store s 0 (possibly di↵erent from s), in a given reduction context, i.e.: `s · a ; v · s 0 The intended meaning is that, evaluating the term a from the store s in the reduction context , yields the result v, in an updated store s 0 . In this semantics, variables never need to be replaced (i.e. substituted) by terms; instead, their result is book-kept in the reduction context. The rules for the reduction judgment are in Figure 1. Slightly di↵erent from the original presentation [2], ours is in Natural Deduction style (despite that rules are written in "horizontal", sequent-like format for saving space): in fact, in all the rules, the reduction context in each premise is a superset of the reduction context in the conclusion. This alternative presentation is much easier to implement and reason about in proof assistants based on type theory, as we will see in the next sections. Clearly, our presentation is equivalent to the original one (see [8,9]).
Static Semantics. The imp&-calculus has a first-order type system with subtyping. The only type constructor is that for object-types, i.e. T T ype : A, B ::= [li : Ai] i2I , so the only ground type is [ ].
In order to define the typing judgment we need to introduce the typing contexts (or bases), which are unique assignments of types to variables: T ypCtx : : The type system is given by three judgments: well-formedness of object-types `A, subtyping `A <: B, and term typing `a : A. The rules for these judgments are collected in Figure 2; notice that also this system is in Natural Deduction style. Subtyping induces subsumption: an object of a given type also belongs to any super-type of that type and can subsume objects in the super-type, because these have a more limited protocol. Correspondingly, the rule (Sub Obj) allows a longer object-type to be a subtype of a shorter one, when the shared components have exactly the same types. Thus, object-types are invariant (i.e. neither covariant nor contravariant) in their component types.
The typing of results is delicate, because results contain pointers to the store, and stores may contain loops; thus, it is not possible to determine the type of a result by examining its substructures recursively. In order to cope with this problem, a whole store is typed a priori by means of store-types. This is possible because type-sound computations do not store results of di↵erent types in the same location. A store-type associates a method-type to each store location. Method-types have the form [li : Bi] i2I ) Bj, where [li : Bi] i2I is the type of "self" and Bj, such that j 2 I, is the type of the j-th method-body: The type assignment system for results is given by five judgments: well-formedness of method-types M |= ⇧ and storetypes ⌃ |= ⇧, result typing ⌃ |= v : A and store typing ⌃ |= s, and context compatibility ⌃ |= : . The intended meaning of the main (result typing) judgment "⌃ |= v : A" is that the result v is given the type A, using the types assigned to locations by ⌃. On the other hand, ⌃ |= s ensures that the content of every store location of s can be given the type assigned by ⌃ to the same location. The rules for these judgments are collected in Figure 3.
Subject Reduction. The Type Soundness property for imp& establishes that every well-typed and not diverging term never yields the "message not found" runtime error. This is an immediate consequence of the Subject Reduction theorem [2].

FORMALIZATION OF IMP& IN CIC
In this section, we present and discuss the formalization of imp& in our LF based on type theory. For definiteness, we work in the Calculus of Inductive Constructions (CIC), and specifically in its Coq implementation, although the methodology we follow can be applied in any similar LF.
In encoding imp&, we have to address e ciently several aspects of its syntax and semantics. A clean and compact encoding is a prerequisite for simplifying the development of complex metatheoretical results, such as the Subject Reduction. In general, a naïve encoding would lead to a clumsy and unmanageable set of definitions, which would add further di culties to the formal proofs, which are already difficult on paper. Therefore, we need encoding methodologies that take most advantage of the features provided by modern type theories, so that most (if not all) details implicitly taken for granted working with paper and pencil can be automatically inherited in the formal developments.
Among other issues, the treatment of binders, closures and stores is of particular interest. We focus on these aspects at the syntactic and semantic level, in turn.

Syntax
Following the weak higher-order abstract syntax paradigm, we reduce all binders to the sole -abstraction. Therefore, the encoding of the syntax of terms and types of imp& is the following:  Notice that we use a separate type Var for variables: the only terms which can inhabit Var are the variables of the metalanguage. Thus ↵-equivalence on terms is immediately inherited from the metalanguage, still keeping induction and recursion principles. If Var were inductive, we could define "exotic terms" using the Case construct of Coq [10]. Exotic terms are Coq terms not corresponding to any expression of imp&, which therefore should be ruled out by extra "wellformedness" judgments, thus complicating the whole encoding. Notice also that the constructor var is declared as a coercion, thus it may omitted in the following. Weak HOAS has well-known encoding methodologies [15,28]; therefore, the adequacy of the encoding w.r.t. the NDS presentation of Section 2 follows from standard arguments. An alternative definition of objects could use directly the polymorphic lists of the Coq library, instead of introducing a separate type Object, as follows: | obj : (list (Lab * (Var->Term))) -> Term However, in our experience, this choice would not allow for defining, by recursion on the structure of terms, some fundamental functions which are essential for the rest of the formalization (such as, for example, the non-occurrence of variables " / 2"). Using polymorphic lists, the specification of these functions would be actually "unguarded", while they are feasible adopting the above definition.

Dynamic Semantics
As pointed out in the previous sections, a proof system in natural deduction like that in Figure 1 is easily encoded in a LF based on type theory. This can be carried out by taking advantage of hypothetical-general judgmentsà la Martin-Löf: the content of , i.e. the bindings between variables and results, is actually represented through assumptions in the proof context, namely by means of hypothetical premises local to sub-reductions, which are discharged in the conclusion, so adhering to the natural deduction style. Thus, the evaluation judgment `s · a ; v · s 0 can be represented by an inductive predicate: Inductive eval : Store -> Term -> Store -> Res -> Prop := but, before giving its specification, we need to address some details about locations and closures.
Informally, reduction contexts are (partial) functions, mapping (declared) variables to results; therefore, they can be represented as the graph of a function stack, which associates a result to each declared variable. This map is never e↵ectively defined, but only described by a finite set of assumptions of the form "(stack x)=v" (where "=" is Leibniz's equality). Each of such declarations corresponds to an assumption "x 7 ! v" of the context in Figure 1; these assumptions are used in evaluating variables, and discharged when needed, as in the rule for let: In the rule e let, the "hole" of b is filled with a fresh (i.e., locally quantified) variable associated to v. This rule allows also to enlighten why the weak HOAS approach is completely well-suited w.r.t. imp&: the only substitution we need is that of variables for variables, which is completely delegated to the metalanguage.
Closures. Some remarks about the rules dealing with closures are in order. Formally, closures are pairs h&(x)b, i, where &(x)b is a method and is the reduction context. Therefore, we have to face two problems in implementing closures: how to represent these sets of declarations , and how to gather and put back them from/to the proof context.
Since all the variables declared in the local context of a closure are "morally" bound in the body of the method, we have that the names of these "local" variables are pointless: so, reduction contexts are equivalent to local declarations of variables. Therefore, following the weak HOAS approach, we implement closures as a concrete second-order datatype:  where the outermost abstraction represents the "self" local variable x. Since stores are finite maps from locations to closures, we can define stores straightforwardly as: Definition Store : Set := (list Closure).
Some functions are needed for manipulating the above structures (e.g., for merging lists of pairs into single lists, for generating new results from objects and results, etc.), but their definition is not problematic; see [7] for the code.
Evaluation of closures. Let us see how closures are "opened" in the implementation of the rule for method invocation (Red Sel). Essentially, we have to add to the current proof environment all the bindings recorded in the closure; then, the evaluation of the closure-body may take place in the extended environment. The evaluation of closure-bodies can be pre-formalized by an auxiliary judgment `s ·b ; b v · s 0 whose rules are the following: Correspondingly, rule (Red Sel) can be stated better as: `s · a ; [li = ◆i] i2I · s 0 s 0 (◆j) = xj.bj , 0 , xj 7 ! [li = ◆i] i2I`s0 ·bj ; b v · s 00 j 2 I `s · a.lj ; v · s 00 (Red Sel 0 ) Thus, ; and ; b are two mutually recursive predicates: The auxiliary functions store_nth and loc_in_res implement the dereferencing of locations in stores, and the lookup of locations in results, respectively. The closure so obtained is c, which is evaluated by eval_body after that a local variable x, denoting "self", is associated to (the implementation of) the receiver, i.e. host, object itself.
Construction of closures. The construction of closures is more delicate. We cannot form pairs out of the proof context " " and methods: closures have to be "calculated" by wrapping method-bodies with all the results associated to their free variables, which are in the proof context. This closure construction is carried out by the auxiliary judgment wrap ✓ T erm ⇥ Body. The intended meaning of ẁ rap(b, b) is that "b is a closure-body obtained by binding all free variables in the term b to their respective results, which are in ". In order to keep track of free variables in terms, we introduce a judgment closed ✓ T erm, whose formal meaning is `closed(a) () 8x 2 FV(a) : closed(x) 2 . The rules for the two additional judgments are in Figure 4. Intuitively, the rules for wrap allow for successively binding the free variables appearing in the method-body (w bind), until it is "closed" (w ground). When we apply the rule (w bind), we choose any (free) variable y in b, and bind it to the corresponding result v, as stated in . The remaining partb of the closure can be seen as the closure body of a method where the variable z is supposed to be "closed", and therefore it is obtained in a proof environment containing this information. This is captured by the sub-derivation , closed(z)`wrap(b{z/y},b{z/y}), which applies the rule (w bind) until enough variables have been bound and, correspondingly, enough assumptions of the form closed(z) have been taken to be able to prove closed(b) (i.e., there are no more free variables to bind) and thus apply rule (w ground). Notice that the closures we get in this manner are "optimized", because only variables which are really free in the body need to be bound in the closure (although in a nondeterministic order).
The two auxiliary judgments wrap and closed can be formalized by two inductive predicates, as usual. However, the latter can be managed more e ciently as a function closed:Term->Prop, in the style of [24]: The intended behavior of this function, defined by mutual recursion on the structure of terms and objects, is to reduce an assertion (closed a):Prop into a conjunction of similar assertions about simpler terms. The dummy is the usual workaround for the negative occurrences of closed in the definition: dummy variables are just fill-ins for holes, and must be considered as "closed". The proposition resulting from the Simplification of a (closed a) goal is easily dealt with using the tactics provided by Coq. In a similar way, we define also the functions notin : Var -> Term -> Prop and fresh : Var -> (list Var) -> Prop, which capture the "freshness" of a variable in a term and w.r.t. a list of variables, respectively (see [7]). Finally, the judgment wrap is formalized via an inductive predicate: In the rule w_bind, the premise ((z:Var) (y=z) -> (notin y (b z))) ensures that b is a "good context" for y; that is, y does not occur free in b. Thus, the replacement b{z/y} in the rule (w bind) of Figure 4 can be implemented simply as the application (b z), where z is the local variable. All this technical machinery is useful, e.g., in the formalization of the rule (Red Obj): e_obj : (s:Store) (ml:Object) (cl:(list Closure)) (xl:Varlist) (scan (proj_meth_obj (ml)) (cl) (xl) (distinct (proj_lab_obj ml))) -> (eval s (obj ml) (alloc s cl) (new_res_obj ml (size s))) Recall that the reduction of an object ml has the side-e↵ect of allocating in the store the collection of closures corresponding to its methods. The scan function builds this list of closures cl out of an object, using the wrap predicate above. Then, the function alloc appends the new list of closures to the current store, and the function new res obj produces a new result, collecting the method-names of the given object and pairing them with fresh pointers to the store. The encoding of the remaining rules is not problematic.

Static Semantics
Typing of terms. The encoding of the typing system for terms is straightforward. Like done for the reduction context, we model the typing environment by means of a functional symbol, associating object-types to variables: Parameter typenv : Var -> TType.
The typing of terms is defined by mutual induction with the typing of objects; notice only that we need to carry along the whole (object) type while we scan and type the list of methods forming the objects: (c clone) , closed(z)`wrap(b{z/y},b{z/y}) z fresh y 7 ! v 2 where sub represents the subtype predicate "<:". Due to lack of space, we omit here its encoding, which makes also use of an auxiliary predicate for permutation of lists representing object types (see [7]).
Typing of results. In order to type results, it is necessary to type store-locations, whose content, in turn, may contain other pointers to the store: thus potential loops may arise in this process. The solution adopted in [2] is to introduce yet another typing structure, i.e. store-types, used for assigning to each store location a type consistent with its content: Proof.
1. The two points are proved by mutual structural induction on the derivations of ⌥`(eval ⌧ a ⌧ 0 v) and ⌥`(eval body ⌧b ⌧ 0 v).

By structural induction on the derivation of
Theorem 3 (Adequacy of term typing). Let ⌥ be well-formed, a typing context.

If
✓ ⌥, and `a : A, then ⌥`(type a A).

Proof.
1. By structural induction on the derivation of ⌥`(type a A).

By structural induction on the derivation of `a : A.
u t Theorem 4 (Adequacy of result typing). Let ⌥ be well-formed, and ⌃ such that ⌃`⇧. Proof.
1. By induction on v and inspection on the derivation ⌥`(comp ⌃ ⌧ ).

By inspection on the derivations of ⌃ |= v : A and
⌃ |= s. u t

METATHEORY OF IMP& IN Coq
One of the main aims of the formalization presented in the previous section is to allow for the formal development of important properties of imp&. In this section we discuss briefly the uppermost important, yet delicate to prove, metaproperty of the Subject Reduction (Theorem 1). Its formalization in Coq is as follows: The proof is by induction on the derivation of (eval s a t v). In order to prove the theorem, we have to address preliminarly all the specific aspects concerning the management of concrete structures, as objects, object-types, results, stores, store-types, and so on: thus, many technical lemmata about operational semantics, term and result typing have been specified and formally proved. It turns out that these lemmata are relatively compact to prove, due to the setting of our formalization, which is centered around the natural deduction style of proof and, correspondingly, the use of HOAS. Natural Deduction allows to distribute stack-like structures (i.e. reduction and typing contexts) in the hypotheses of the proof derivations: therefore, judgments and proofs we have to deal with are appreciably simpler than traditional ones. Weak HOAS, as previously remarked, fits perfectly the needs for encoding imp&: on one hand, it allows to get the ↵-equivalence for free; on the other hand, the fact that the general form of substitution is not automatically provided by weak HOAS is not a problem, because it is not required by the semantics of imp&.
However, it is well-known that HOAS presents some drawbacks: the main one is that most LFs do not provide an adequate support for higher-order encodings. For example, these systems neither provide recursion/induction principles over higher-order terms (i.e., terms with "holes") nor allow to access the notions related to the mechanisms delegated to the metalanguage. An important family of properties which cannot be proved in plain CIC are the so-called renaming lemmata, that is, invariance of validity under variable renaming, such as the following, regarding types of terms and closure-bodies of imp&: In other words, the expressive power of LFs is limited, when it comes to reason on formalizations in (weak) HOAS. A simple and direct way for recovering the missing expressive power is by assuming a suitable (but consistent) set of axioms. This is the approach adopted in [17,28], where ToC, a simple axiomatization capturing some basic and natural properties of (variable) names and term contexts, is proposed. These axioms allow for a smooth handling of schemata in HOAS, with a very low mathematical and logical overhead, hence they can be plugged in existing proof environments without requiring any redesign of the system. Their usefulness has been demonstrated in several case studies regarding untyped and simply typed -calculus, ⇡-calculus, and Ambients [18,23,29]. Therefore, the use of the ToC is a natural choice also in the present setting; it should be noticed that the present one is the first application of the ToC to an object-based calculus. The Theory of Contexts consists in four axioms (indeed, axiom schemata): unsaturation: 8M. 9x. x 6 2 FV(M ). This axiom captures the intuition that, since terms are finite entities, they cannot contain all the variables at once. The same axiom can be stated w.r.t. lists of variables, instead of terms, since it is always possible to obtain from a term the list of its free variables: 8L. 9x. x 6 2 L; decidability of equality over variables: 8x, y. x = y _ x 6 = y. In a classical framework, this axiom is just an instance of the Law of Excluded Middle. In the present case, it represents the minimal classical property we need in an (otherwise) intuitionistic setting; -expansion: 8M, x. 9N (·). x 6 2 FV(N (·))^M = N (x). Essentially, -expansion allows to generate a new context N with one more hole from another context M , by abstracting over a given variable x; extensionality: 8M (·), N(·), x. x 6 2 FV(M (·), N(·))( M (x) = N (x)) ) M (·) = N (·). Extensionality allows to conclude that two contexts are equal if they are equal when applied to a fresh variable x. Together with -expansion, this allows to derive properties by reasoning over the structure of higher-order terms.
The above axioms are very natural and useful for dealing with higher-order terms as methods, closures and local declarations. An important remark is that, in order to be e↵ectively used for reasoning on imp&, the "unsaturation" axiom has to be slightly modified with respect to its original formulation in [17].
One first di↵erence is due to the presence of types. Similarly to the case of other typed languages, we assume informally that there are infinite variables for every type. This is equivalent to say that each variable "generated" by the unsaturation axiom can be associated to a given type.
A second di↵erence, peculiar to imp& and not required by any previous application of the ToC, is due to the presence of implementation-level entities, namely closures. In the formalization of imp& presented in the previous section, variables are introduced in the Coq derivation context for two reasons: either during reductions and typing assignments (associated respectively to results and types), or in the construction of closures (used just as place-holders). In the first case the new variable is associated both to results and types by the stack and typenv maps. In the second case, the new variable is marked as dummy, because it does not carry any information about results, but is used just as a typed place-holder, needed for typing closure-bodies in the store.
Thus, we observe a kind of "regularity" of well-formed contexts: for each variable x, there is always the assumption (typenv x)=A for some A, and, either (stack x)=v for some v, or (dummy x). The unsaturation axiom has to respect such a regularity; this is reflected by assuming two variants of unsaturation, one for each case, as follows: In unsat_res, the premise (res S v A) ensures the consistency between results and types associated to the same variable: this can be interpreted as the implementation of the original context compatibility judgment of Figure 3. The two axioms can be validated in models similar to those of the original ToC [3]. Moreover, the notion of regularity is close to the "regular world assumption" introduced by Schürmann [30].
In order to convey better to the reader the above explanation about the ToC, we say that a typical example of the use of the axiom unsat is for proving that the type of a closure-body is preserved by the closure construction: provided the maps stack and typenv are consistent w.r.t. the store-type S. The proof of this property requires the use of both unsat and the decidability of equality over variables. On the other hand, the proof of the lemmata rename term and rename body, previously displayed, requires the application of the -expansion and extensionality.

CONCLUSIONS AND FUTURE WORK
In this paper, we have illustrated the benefits of using Natural Deduction in combination with Higher-Order Abstract Syntax and the Theory of Contexts for reasoning on object-calculi with binders in type theory-based logical frameworks. We have carried out our experiment on Abadi and Cardelli's imp&, an object-based calculus featuring types and side-e↵ects. Natural Deduction style of proof has allowed to distribute in the hypotheses of proof derivations both the reduction and typing context of imp&, thus obtaining judgments and proofs appreciably simpler than traditional ones. Weak HOAS has permitted to deal with the binders of imp& in the Calculus of Inductive Constructions without having to encode neither ↵-equivalence (which is inherited from the metalanguage) nor the substitution (which is not required by the calculus). This is a big advantage from the point of view of computer aided formal reasoning w.r.t. first-order techniques, as de Bruijn indexes or explicit names. A consequence of our choices is that we have obtained a more fine-grained treatment of closures. Finally, for reasoning on the formalization of imp& in CIC we have adopted the Theory of Contexts, in order to gain the extra power CIC needs for reasoning on HOAS encodings.
Thus we have obtained a clean and compact formalization of imp& in the proof assistant Coq, the implementation of CIC. Our style of encoding has allowed to prove formally a Subject Reduction theorem, which is particularly involved already "on paper", with relatively little e↵ort. Just notice that the full proof development amounts approximately to 112Kbyte and the size of the .vo file is 785Kbyte, working with Coq V7.3 on a Sun UltraSPARC IIe (64 bit).
To our knowledge, this is the first development of the theory of an object-based language with side e↵ects, in LF based on type theory. The closest work may be [21], where Abadi and Cardelli's functional object-based calculus Ob1<:µ is encoded in Coq, using traditional first-order techniques and Natural Semantics specifications through the Centaur system. A logic for reasoning on paper about object-oriented programs with imperative semantics, aliasing and self-reference in objects, has been presented in [1].
The Theory of Contexts has been already used with the weak HOAS for carrying out many case studies in recent years (see, e.g., [18,19,23,29]); however, the present work is the first application of the ToC to an object calculus. Our experience leads us to a rm that this approach is particularly well-suited with respect to the proof practice of Coq. The ToC can be actually plugged in existing LFs without requiring any redesign of these systems. In particular, it seems very suited for dealing with implementation-level structures, such as closures, since full substitution is not required.
Future work. As a first step, we plan to experiment further with the formalization we have carried out so far. We will consider other interesting (meta)properties of imp&, beside the albeit fundamental Subject Reduction theorem. In particular, we can use the formalization for proving observational and behavioral equivalences of object programs.
From a practical point of view, our formalization could be used for the development of certified tools, such as interpreters, compilers and type checkers, for imp&-like calculi and languages. We plan to certify a given tool with respect to the specification of the formal semantics of the object calculus and the target machine. We are confident that the use of Natural Deduction and HOAS should simplify these advanced tasks in the case of languages with binders.
From a more theoretical point of view, we had to modify slightly the unsaturation axiom of the ToC. This has occurred also in other applications of ToC [23,29]. From all these case studies, we observe that these adaptments are required when the proof contexts have to satisfy some kind of "well-formedness" about variables: every time a new variable is generated, it has to come together with a set of other assumptions and informations (about its type, its kind, etc.). This points out that the current ToC can be generalized to subsume all these small variants, and that there is a connection with Schürmann's regular world assumption [30], which should be investigated further.