. We present a shallow embedding of the weakest precondition semantics for a program renement language. We use the Isabelle/ZF theorem prover for untyped set theory, and statements in our renement language are represented as set transformers. Our representation is signi cant in making use of the expressiveness of Isabelle/ZF's set theory to represent states as dependently-typed functions from variable names to their values. This lets us give a uniform treatment of statements such as variable assignment, framed specication statements, local blocks, and parameterisation. ZF set theory requires set comprehensions to be explicitly bounded. This requirement propagates to the denitions of statements in our renement language, which have operands for the state type. We reduce the syntactic burden of repeatedly writing the state type by using Isabelle's meta-logic to dene a lifted set transformer language which implicitly passes the state type to statements. Weakest precondi...

Introduction The goal of this project was to demonstrate the feasibility of the independent and trusted validation of the proofs generated by existing theorem provers. Our intention was to design, implement and formally verify a proof checking program for HOL [5] generated proofs. A proof checker can be much simpler than a full theorem prover such as HOL as it is only concerned with checking existing proofs rather than searching for or generating them. Our work has clearly demonstrated the feasibility of this approach. In particular, the main achievements of the project are as follows. ffl We have developed a computer representation suitable for communicating large, formal, machine generated proofs. ffl We have modified the HOL system to allow primitive inference proofs to be recorded in the above format. ffl We have formalised, within the HOL theorem proving system, theories of higher-order logic, Hilb