Richard J. Boulton

The PROSPER Toolkit

The PROSPER (Proof andS pecification Assisted Design Environments) project advocates the use of toolkits which allow existing verification tools to be adapted to a more flexible format so that they may be treated as components. A system incorporating such tools becomes another component that can be embedded in an application. This paper describes the PROSPER Toolkit which enables this. The nature of communication between components is specifiedin a language-independent way. It is implemented in several common programming languages to allow a wide variety of tools to have access to the toolkit.

An Interface between Clam and HOL

This paper describes an interface between the CLAM proof planner and the HOL interactive theorem prover. The interface sends HOL goals to CLAM for planning, and translates plans back into HOL tactics that solve the initial goals. The combined system is able to automatically prove a number of theorems involving recursively defined functions.

A Hoare logic for single-input single-output continuous-time control systems

This paper presents a Hoare-style logic for reasoning about the frequency response of control systems in the continuous-time domain. Two properties, the gain (amplitude) and phase shift, of a control system are considered. These properties are for a sinusoidal input of variable frequency. The logic operates over a simplified form of block diagram, including arbitrary transfer functions, feedback loops, and summation of signals. Reasoning is compositional, i.e. properties of a system can be deduced from properties of its subsystems. A prototype tool has been implemented in a mechanised theorem prover.

Automatic Derivation and Application of Induction Schemes for Mutually Recursive Functions

This paper advocates and explores the use of multipredicate induction schemes for proofs about mutually recursive functions. The interactive application of multi-predicate schemes stemming from datatype definitions is already well-established practice; this paper describes an automated proof procedure based on multi-predicate schemes. Multipredicate schemes may be formally derived from (mutually recursive) function definitions; such schemes are often helpful in proving properties of mutually recursive functions where the recursion pattern does not follow that of the underlying datatypes. These ideas have been implemented using the HOL theorem prover and the Clam proof planner.

Design Verification for Control Engineering

We introduce control engineering as a new domain of application for formal methods. We discuss design verification, drawing attention to the role played by diagrammatic evaluation criteria involving numeric plots of a design, such as Nichols and Bode plots. We show that symbolic computation and computational logic can be used to discharge these criteria and provide symbolic, automated, and very general alternatives to these standard numeric tests. We illustrate our work with reference to a standard reference model drawn from military avionics.

An ML editor based on proofs-as-programs

C/sup Y/NTHIA is a novel editor for the functional programming language ML in which each function definition is represented as the proof of a simple specification. Users of C/sup Y/NTHIA edit programs by applying sequences of high-level editing commands to existing programs. These commands make changes to the proof representation from which a new program is then extracted. The use of proofs is a sound framework for analysing ML programs and giving useful feedback about errors. Amongst the properties analysed within C/sup Y/NTHIA at present is termination. C/sup Y/NTHIA has been successfully used in the teaching of ML in two courses at Napier University, Scotland. C/sup Y/NTHIA is a convincing, real-world application of the proofs-as-programs idea.

System Description: An Interface Between CLAM and HOL

The CLAM proof planner has been interfaced to the HOL interactive theorem prover to provide the power of proof planning to people using HOL for formal verification, etc. The interface sends HOL goals to CLAM for planning and translates plans back into HOL tactics that solve the initial goals. The project homepage can be found at http://www.cl.cam.ac.uk/Research/HVG/Clam.HOL/intro.html.

Theorem Proving in Higher Order Logics

ions for Fault-Tolerant Distributed System Verification . . . . . . . . . . 257 Lee Pike, Jeffrey Maddalon, Paul Miner, and Alfons Geser Formalizing Integration Theory with an Application to Probabilistic Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Stefan Richter Formalizing Java Dynamic Loading in HOL . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Tian-jun Zuo, Jun-gang Han, and Ping Chen Certifying Machine Code Safety: Shallow Versus Deep Embedding . . . . . . . . 305 Martin Wildmoser and Tobias Nipkow Term Algebras with Length Function and Bounded Quantifier Alternation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 Ting Zhang, Henny B. Sipma, and Zohar Manna Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 Error Analysis of Digital Filters Using Theorem Proving Behzad Akbarpour and Sofiène Tahar Dept. of Electrical & Computer Engineering, Concordia University 1455 de Maisonneuve W., Montreal, Quebec, H3G 1M8, Canada {behzad,tahar}@ece.concordia.ca Abstract. When a digital filter is realized with floating-point or fixedWhen a digital filter is realized with floating-point or fixedpoint arithmetics, errors and constraints due to finite word length are unavoidable. In this paper, we show how these errors can be mechanically analysed using the HOL theorem prover. We first model the ideal real filter specification and the corresponding floating-point and fixed-point implementations as predicates in higher-order logic. We use valuation functions to find the real values of the floating-point and fixed-point filter outputs and define the error as the difference between these values and the corresponding output of the ideal real specification. Fundamental analysis lemmas have been established to derive expressions for the accumulation of roundoff error in parametric Lth-order digital filters, for each of the three canonical forms of realization: direct, parallel, and cascade. The HOL formalization and proofs are found to be in a good agreement with existing theoretical paper-and-pencil counterparts.

Generating Embeddings from Denotational Descriptions

This paper describes a tool for generating embeddings of computer languages from denotational-style specifications of semantics. The language used to specify the semantics is based on ML with extra features for succinctly handling environments/states. The tool generates input for the HOL theorem prover in the form of files containing ML code. Three files are generated: one for defining the semantics as recursive functions, one containing proof rules that ‘evaluate’ the semantics, and one containing ML functions that simulate the semantics (if it is executable). The definitions allow reasoning about computer languages and specific language texts. The simulation functions provide a means of rapidly testing the semantics and/or the behaviour of language texts. The proof rules can be used for more rigorous simulation when that is appropriate. In this case the evaluation can be symbolic, i.e., parts of a language text can be replaced by logical variables. The proof rules are also useful when proving properties. The embedding generator exploits the notion of a monad (from work on functional programming languages and semantics) to handle environments in a regular way.

Transparent optimisation of rewriting combinators

The LCF system was the first mechanical theorem prover to be user-programmable via a metalanguage, ML, from which the functional programming language Standard ML has been developed. Paulson has demonstrated how a modular rewriting engine can be implemented in LCF. This provides both clarity and flexibility. This paper shows that the same modular approach (using higher-order functions) allows transparent optimisation of the rewriting engine; performance can be improved while few, if any, changes are required to code written using these functions. The techniques described have been implemented in the HOL system, a descendant of LCF, and some are now in daily use. Comparative results are given. Some of the techniques described, in particular ones to avoid processing parts of a data structure that do not need to be changed, may be of more general use in functional programming and beyond.