Ian Stark

The Continuous π-Calculus: A Process Algebra for Biochemical Modelling

We introduce the continuous π-calculus, a process algebra for modelling behaviour and variation in molecular systems. Key features of the language are: its expressive succinctness; support for diverse interaction between agents via a flexible network of molecular affinities; and operational semantics for a continuous space of processes. This compositional semantics also gives a modular way to generate conventional differential equations for system behaviour over time. We illustrate these features with a model of an existing biological system, a simple oscillatory pathway in cyanobacteria. We then discuss future research directions, in particular routes to applying the calculus in the study of evolutionary properties of biochemical pathways.

Mobile resource guarantees for smart devices

We present the Mobile Resource Guarantees framework: a system for ensuring that downloaded programs are free from run-time violations of resource bounds. Certificates are attached to code in the form of efficiently checkable proofs of resource bounds; in contrast to cryptographic certificates of code origin, these are independent of trust networks. A novel programming language with resource constraints encoded in function types is used to streamline the generation of proofs of resource usage.

Observable Properties of Higher Order Functions that Dynamically Create Local Names, or What's new?

The research reported in this paper is concerned with the problem of reasoning about properties of higher order functions involving state. It is motivated by the desire to identify what, if any, are the difficulties created purely by locality of state, independent of other properties such as side-effects, exceptional termination and non-termination due to recursion. We consider a simple language (equivalent to a fragment of Standard ML) of typed, higher order functions that can dynamically create fresh names; names are created with local scope, can be tested for equality and can be passed around via function application, but that is all. Despite the extreme simplicity of the language and its operational semantics, the observable properties of such functions are shown to be very subtle. A notion of ‘logical relation’ is introduced which incorporates a version of representation independence for local names. We show how to use it to establish observational equivalences. The method is shown to be complete (and decidable) for expressions of first order types, but incomplete at higher types.

Names and higher-order functions.

Many functional programming languages rely on the elimination of ‘impure’ features: assignment to variables, exceptions and even input/output. But some of these are genuinely useful, and it is of real interest to establish how they can be reintroducted in a controlled way. This dissertation looks in detail at one example of this: the addition to a functional language of dynamically generated names. Names are created fresh, they can be compared with each other and passed around, but that is all. As a very basic example of state, they capture the graduation between private and public, local and global, by their interaction with higher-order functions. The vehicle for this study is the nu-calculus, an extension of the simply-typed lambdacalculus. The nu-calculus is equivalent to a certain fragment of Standard ML, omitting side-effects, exceptions, datatypes and recursion. Even without all these features, the interaction of name creation with higher-order functions can be complex and subtle. Various operational and denotational methods for reasoning about the nu-calculus are developed. These include a computational metalanguage in the style of Moggi, which distinguishes in the type system between values and computations. This leads to categorical models that use a strong monad, and examples are devised based on functor categories. The idea of logical relations is used to derive powerful reasoning methods that capture some of the distinction between private and public names. These techniques are shown to be complete for establishing contextual equivalence between first-order expressions; they are also used to construct a correspondingly abstract categorical model. All the work with the nu-calculus extends cleanly to Reduced ML, a larger language that introduces integer references: mutable storage cells that are dynamically allocated. It turns out that the step up is quite simple, and both the computational metalanguage and the sample categorical models can be reused.

Categorical Models for Local Names

This paper describes the construction of categorical models for thenu-calculus, a language that combines higher-order functions with dynamically creatednames. Names are created with local scope, they can be compared with each other and passed around through function application, but that is all.The intent behind this language is to examine one aspect of the imperative character of Standard ML: the use of local state by dynamic creation of references. The nu-calculus is equivalent to a certain fragment of ML, omitting side effects, exceptions, datatypes and recursion. Even without all these features, the interaction of name creation with higher-order functions can be complex and subtle; it is particularly difficult to characterise theobservable behaviour of expressions.Categorical monads, in the style of Moggi, are used to build denotational models for the nu-calculus. An intermediate stage is the use of a computational metalanguage, which distinguishes in the type system between values and computations.The general requirements for a categorical model are presented, and two specific examples described in detail. These provide a sound denotational semantics for the nu-calculus, and can be used to reason about observable equivalence in the language. In particular a model using logical relations is fully abstract for first-order expressions.

Automatic verification of design patterns in Java

Design patterns are widely used by designers and developers for building complex systems in object-oriented programming languages such as Java. However, systems evolve over time, increasing the chance that the pattern in its original form will be broken.To verify that a design pattern has not been broken requires specifying the original intent of the design pattern. Whilst informal descriptions of design patterns exist, no formal specifications are available due to differences in implementations between programming languages.We present a pattern specification language, Spine, that allows patterns to be defined in terms of constraints on their implementation in Java. We also present some examples of patterns defined in Spine and show how they are processed using a proof engine called Hedgehog.The conclusion discusses the type of patterns that are amenable to defining in Spine, and highlights some repeated mini-patterns discovered in the formalisation of these design patterns.

A dependent type theory with names and binding

We consider the problem of providing formal support for working with abstract syntax involving variable binders. Gabbay and Pitts have shown in their work on Fraenkel-Mostowski (FM) set theory how to address this through first-class names: in this paper we present a dependent type theory for programming and reasoning with such names. Our development is based on a categorical axiomatisation of names, with freshness as its central notion. An associated adjunction captures constructions known from FM theory: the freshness quantifier И, name-binding, and unique choice of fresh names. The Schanuel topos — the category underlying FM set theory — is an instance of this axiomatisation. Working from the categorical structure, we define a dependent type theory which it models. This uses bunches to integrate the monoidal structure corresponding to freshness, from which we define novel multiplicative dependent products ∏ * and sums ∑ *, as well as a propositions-as-types generalisation H of the freshness quantifier.

Reducibility and ⊤⊤-lifting for computation types

We propose ⊤⊤-lifting as a technique for extending operational predicates to Moggis monadic computation types, independent of the choice of monad. We demonstrate the method with an application to Girard-Tait reducibility, using this to prove strong normalisation for the computational metalanguage λml. The particular challenge with reducibility is to apply this semantic notion at computation types when the exact meaning of “computation” (stateful, side-effecting, nondeterministic, etc.) is left unspecified. Our solution is to define reducibility for continuations and use that to support the jump from value types to computation types. The method appears robust: we apply it to show strong normalisation for the computational metalanguage extended with sums, and with exceptions. Based on these results, as well as previous work with local state, we suggest that this “leap-frog” approach offers a general method for raising concepts defined at value types up to observable properties of computations.

Automatic verification of Java design patterns

Design patterns are widely used by object oriented designers and developers for building complex systems in object oriented programming languages such as Java. However, systems evolve over time, increasing the chance that the pattern in its original form will be broken. We attempt to show that many design patterns (implemented in Java) can be verified automatically. Patterns are defined in terms of variants, mini-patterns, and artifacts in a pattern description language called SPINE. These specifications are then processed by Hedgehog, an automated proof tool that attempts to prove that Java source code meets these specifications.

Grail: a functional form for imperative mobile code

In Robert Louis Stevenson’s novel [31], Dr Jekyll is a well-regarded member of polite society, while his alter ego Mr Hyde shares the same physical form but roams abroad communing with the lowest elements. In this paper we present Grail, a well-behaved first-order functional language that is the target for an ML-like compiler; while also being a wholly imperative language of assignments that travels and executes as Java classfiles. We use this dual identity in the Mobile Resource Guarantees project, where Grail serves as proof-carrying code to provide assurances of time and space performance, thereby supporting secure and reliable global computing.