Abstract not found

Model Checking is an algorithmic technique to determine whether a temporal property holds of a program. For linear time properties, a model checker produces a counterexample computation if the check fails. This computation acts as a "certificate" of failure, as it can be checked easily and independently of the model checker by simulating it on the program. On the other hand, no such certificate is produced if the check succeeds. In this paper, we show how this asymmetry can be eliminated with a certifying model checker. The key idea is that, with some extra bookkeeping, a model checker can produce a deductive proof on either success or failure. This proof acts as a certificate of the result, as it can be checked mechanically by simple, non-fixpoint methods that are independent of the model checker. We develop a deductive proof system for verifying branching time properties expressed in the mu-calculus, and show how to generate a proof in this system from a model checking run. Proofs for linear time properties form a special case. A model checker that generates proofs can be used for many interesting applications, such as better ways of exploring errors in a program, and a tight integration of model checking with automated theorem proving. 1

We describe an implementation and a proof of correctness of binary decision diagrams (BDDs), completely formalized in Coq. This allows us to run BDD-based algorithms inside Coq and paves the way for a smooth integration of symbolic model checking in the Coq proof assistant by using reflection. It also gives us, by Coq's extraction mechanism, certified BDD algorithms implemented in Caml. We also implement and prove correct a garbage collector for our implementation of BDDs inside Coq. Our experiments show that this approach works in practice, and is able to solve both relatively hard propositional problems and actual industrial hardware verification tasks.

. We report on the formalisation and correctness proof of a model checker for the modal -calculus in Coq's constructive type theory. Using Coq's extraction mechanism we obtain an executable Caml program, which is added as a safe decision procedure to the system. An example illustrates its application in combination with deduction. 1 Introduction There is an obvious advantage in combining theorem proving and model checking techniques for the verification of reactive systems. The expressiveness of the theorem prover's (often higher-order) logic can be used to accommodate a variety of program modelling and verification paradigms, so infinite state and parametrised designs can be verified. However, using a theorem prover is not transparent and may require a fair amount of expertise. On the other hand, model checking is transparent, but exponential in the number of concurrent components. Its application is thus limited to systems with small state spaces. A combination of the two techn...

This paper is part of an ongoing research programme at the Computer Science Department of the University of Udine on proof editors, started in 1992, based on HOAS encodings in dependent typed #-calculus for program logics [15, 21, 16]. In this paper, we investigate the applicability of this approach to the modal -calculus. Due to its expressive power, we adopt the Calculus of Inductive Constructions (CIC), implemented in the system Coq. Beside its importance in the theory and verification of processes, the modal -calculus is interesting also for its syntactic and proof theoretic peculiarities. These idiosyncrasies are mainly due to a) the negative arity of "" (i.e., the bound variable x ranges over the same syntactic class of x#); b) a context-sensitive grammar due the condition on x#; c) rules with complex side conditions (sequent-style "proof " rules). These anomalies escape the "standard" representation paradigm of CIC; hence, we need to accommodate special techniques for enforcing these peculiarities. Moreover, since generated editors allow the user to reason "under assumptions", the designer of a proof editor for a given logic is urged to look for a Natural Deduction formulation of the system. Hence, we introduce a new proof system N # K in Natural Deduction style for K. This system should be more natural to use than traditional Hilbert-style systems; moreover, it takes best advantage of the possibility of manipulating assumptions o#ered by CIC in order to implement the problematic substitution of formul for variables. In fact, substitutions are delayed as much as possible, and are kept in the derivation context by means of assumptions. This mechanism fits perfectly the stack discipline of assumptions of Natural Deduction, and it is neatly formalized in CIC. Bes...

In this paper we present the Durham Mathematical Vernacular (MV) project, discuss the general design of a prototype to support experimentation with issues of MV, explain current work on the prototype -- specifically in the type theory basis of the work, and end with a brief discussion of methodology and future directions. The current work concerns an implementation of Luo's typed logical framework LF, and making it more flexible with respect to the demands of implementing MV -- in particular, meta-variables, multiple contexts, subtyping, and automation. This part of the project may be of particular interest to the general theorem proving community. We will demonstrate a prototype at the conference. 1 Introduction: Defining a Mathematical Vernacular The long term aim of the project is to develop theory and techniques with which the complementary strengths of NLP (Natural Language Processing) and CAFR (Computer-Assisted Formal Reasoning) can be combined to support computer-assisted reas...

Tree automata are a fundamental tool in computer science. We report on experiments to integrate tree automata in Coq using shallow and deep reflection techniques. While shallow reflection seems more natural in this context, it turns out to give disappointing results. Deep reflection is more difficult to apply, but is more promising.

A modular formalization of the branching time temporal logic CTL∗ is presented. Our formalization subsumes prior formalizations of propositional linear temporal logic (PTL) and computation tree logic (CTL). Moreover, the modularity allows to instantiate our formalization for different formal security models. Validity of axioms and soundness of inference rules in axiomatizations of PTL, UB, CTL, and CTL∗ are discussed as well.

Abstract. Tree automata are a fundamental tool in computer science. We report on experiments to integrate tree automata in Coq using shallow and deep reflection techniques. While shallow reflection seems more natural in this context, it turns out to give disappointing results. Deep reflection is more difficult to apply, but is more promising. 1

ence card): -- \Pi-types, -abstraction and applications: fx:AgB, A-?B, [x:A]b, (f a). -- Inductive types: macro Inductive with options such as Theorems, Relation, Inversion, Double, etc. For example (also see examples like the less-than relation in exercises): Inductive [List : Type] Theorems Parameters [A : Type] Constructors [nil : List] [cons : A-?List-?List]; Lecture notes for Types Summer School'99: Theory and Practice of Formal Proofs, Giens, France, 1999. 1 -- Predicative universes (with `typical ambiguity'): Type(i), Type. -- Logical universe (impredicative, giving HOL): Prop. -- Local definitions: [x=a]b. -- Argument synthesis: fx---A