Isabelle/HOL has recently acquired new versions of definitional packages for inductive datatypes and primitive recursive functions. In contrast to its predecessors and most other implementations, Isabelle/HOL datatypes may be mutually and indirect recursive, even infinitely branching. We also support inverted datatype definitions for characterizing existing types as being inductive ones later. All our constructions are fully definitional according to established HOL tradition. Stepping back from the logical details, we also see this work as a typical example of what could be called "Formal-Logic Engineering". We observe that building realistic theorem proving environments involves further issues rather than pure logic only. 1

The model of timed I/O automata represents an extension of the model of I/O automata with the aim of reasoning about realtime systems. A number of case studies using timed I/O automata has been carried out, among them a treatment of the so-called Generalized Railroad Crossing (GRC). An already existing formalization of the metatheory of I/O automata within Isabelle/HOLCF allows for fully formal tool-supported verification using I/O automata. We present a modification of this formalization which accomodates for reasoning about timed I/O automata. The guiding principle in choosing the parts of the metatheory of timed I/O automata to formalize has been to provide all the theory necessary for formalizing the solution to the GRC. This leads to a formalization of the GRC, in which not only the correctness proof itself has been formalized, but also the underlying meta-theory of timed I/O automata, on which the correctness proof is based.

Abstraction techniques are indispensable for the specification and verification of the functional behavior of programs. In object-oriented specification languages like JML, a powerful abstraction technique is the use of model classes, that is, classes that are only used for specification purposes and that provide object-oriented interfaces for essential mathematical concepts such as sets or relations. While the use of model classes in specifications is natural and powerful, they pose problems for verification. Program verifiers map model classes to their underlying logics. Flaws in a model class or the mapping can easily lead to unsoundness and incompleteness. This article proposes an approach for the faithful mapping of model classes to mathematical structures provided by the theorem prover of the program verifier at hand. Faithfulness means that a given model class semantically corresponds to the mathematical structure it is mapped to. Our approach enables reasoning about programs specified in terms of model classes. It also helps in writing consistent and complete model-class specifications as well as in identifying and checking redundant specifications. 1

The Generalized Railroad Crossing (GRC) has been designed as a benchmark for the comparison of formal methods for the specification and verification of real-time systems. One of the solutions to the GRC is based on the Lynch-Vaandrager timed automaton model, parts of which have subsequently been formalized by Archer and Heitmeyer using PVS. We present a more extensive formalization of the GRC in Isabelle/HOLCF. The distinguishing feature of our formalization is its completeness in the sense that not only the correctness proof itself has been formalized, but also the underlying meta-theory of timed I/O automata, on which the correctness proof is based. Large parts of this formalization were created by `upgrading' the necessary parts of an existing formalization of untimed I/O automata in Isabelle/HOLCF.

pport. Contents 1 Introduction and Overview 1 2 Types for Proofs 2 2.1 Formal Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1.1 What is a Formal System? . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1.2 The Origins of Formal Systems . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1.3 Formal Systems in Computer Science . . . . . . . . . . . . . . . . . . . . . 3 2.2 Theorem Proving: Making Formal Systems Usable . . . . . . . . . . . . . . . . . . 4 2.2.1 Objectives of Interactive Theorem Proving . . . . . . . . . . . . . . . . . . 4 2.2.2 How to Ensure Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2.3 How to Facilitate Denitions . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.4 How to Facilitate Reasoning . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3 Reasoning in Higher-Order Logic (HOL) . . . . . . . . . . . . . . . . . . . . . . . . 6 2.3.1 Church's Si