Results 1  10
of
18
A verified runtime for a verified theorem prover
"... rely on the correctness of runtime systems for programming languages like ML, OCaml or Common Lisp. These runtime systems are complex and critical to the integrity of the theorem provers. In this paper, we present a new Lisp runtime which has been formally verified and can run the Milawa theorem pro ..."
Abstract

Cited by 13 (7 self)
 Add to MetaCart
rely on the correctness of runtime systems for programming languages like ML, OCaml or Common Lisp. These runtime systems are complex and critical to the integrity of the theorem provers. In this paper, we present a new Lisp runtime which has been formally verified and can run the Milawa theorem prover. Our runtime consists of 7,500 lines of machine code and is able to complete a 4 gigabyte Milawa proof effort. When our runtime is used to carry out Milawa proofs, less unverified code must be trusted than with any other theorem prover. Our runtime includes a justintime compiler, a copying garbage collector, a parser and a printer, all of which are HOL4verified down to the concrete x86 code. We make heavy use of our previously developed tools for machinecode verification. This work demonstrates that our approach to machinecode verification scales to nontrivial applications. 1
Software Verification and System Assurance
, 2009
"... Littlewood [1] introduced the idea that software may be possibly perfect and that we can contemplate its probability of (im)perfection. We review this idea and show how it provides a bridge between correctness, which is the goal of software verification (and especially formal verification), and the ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
Littlewood [1] introduced the idea that software may be possibly perfect and that we can contemplate its probability of (im)perfection. We review this idea and show how it provides a bridge between correctness, which is the goal of software verification (and especially formal verification), and the probabilistic properties such as reliability that are the targets for systemlevel assurance. We enumerate the hazards to formal verification, consider how each of these may be countered, and propose relative weightings that an assessor may employ in assigning a probability of perfection.
Directly reflective metaprogramming
 Journal of Higher Order and Symbolic Computation
, 2008
"... Existing metaprogramming languages operate on encodings of programs as data. This paper presents a new metaprogramming language, based on an untyped lambda calculus, in which structurally reflective programming is supported directly, without any encoding. The language features callbyvalue and ca ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Existing metaprogramming languages operate on encodings of programs as data. This paper presents a new metaprogramming language, based on an untyped lambda calculus, in which structurally reflective programming is supported directly, without any encoding. The language features callbyvalue and callbyname lambda abstractions, as well as novel reflective features enabling the intensional manipulation of arbitrary program terms. The language is scope safe, in the sense that variables can neither be captured nor escape their scopes. The expressiveness of the language is demonstrated by showing how to implement quotation and evaluation operations, as proposed by Wand. The language’s utility for metaprogramming is further demonstrated through additional representative examples. A prototype implementation is described and evaluated.
Importing HOL Light into Coq
 In ITP
, 2010
"... Abstract. We present a new scheme to translate mathematical developments from HOL Light to Coq, where they can be reused and rechecked. By relying on a carefully chosen embedding of HigherOrder Logic into Type Theory, we try to avoid some pitfalls of interoperation between proof systems. In parti ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. We present a new scheme to translate mathematical developments from HOL Light to Coq, where they can be reused and rechecked. By relying on a carefully chosen embedding of HigherOrder Logic into Type Theory, we try to avoid some pitfalls of interoperation between proof systems. In particular, our translation keeps the mathematical statements intelligible. This translation has been implemented and allows the importation of the HOL Light basic library into Coq. 1
Formalizing Arrow’s theorem
"... Abstract. We present a small project in which we encoded a proof of Arrow’s theorem – probably the most famous results in the economics field of social choice theory – in the computer using the Mizar system. We both discuss the details of this specific project, as well as describe the process of for ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. We present a small project in which we encoded a proof of Arrow’s theorem – probably the most famous results in the economics field of social choice theory – in the computer using the Mizar system. We both discuss the details of this specific project, as well as describe the process of formalization (encoding proofs in the computer) in general. Keywords: formalization of mathematics, Mizar, social choice theory, Arrow’s theorem, GibbardSatterthwaite theorem, proof errors.
Towards Practical Reflection for Formal Mathematics
"... Abstract. We describe a design for a system for mathematical theory exploration that can be extended by implementing new reasoners using the logical input language of the system. Such new reasoners can be applied like the builtin reasoners, and it is possible to reason about them, e.g. proving thei ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract. We describe a design for a system for mathematical theory exploration that can be extended by implementing new reasoners using the logical input language of the system. Such new reasoners can be applied like the builtin reasoners, and it is possible to reason about them, e.g. proving their soundness, within the system. This is achieved in a practical and attractive way by adding reflection, i.e. a representation mechanism for terms and formulae, to the system’s logical language, and some knowledge about these entities to the system’s basic reasoners. The approach has been evaluated using a prototypical implementation called MiniTma. It will be incorporated into the Theorema system. 1
Connecting Gröbner bases programs with Coq to do proofs in algebra, geometry and arithmetics
"... We describe how we connected three programs that compute Gröbner bases [1] to Coq [11], to do automated proofs on algebraic, geometrical and arithmetical expressions. The result is a set of Coq tactics and a certificate mechanism 1. The programs are: F4 [5], GB [4], and gbcoq [10]. F4 and GB are the ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
We describe how we connected three programs that compute Gröbner bases [1] to Coq [11], to do automated proofs on algebraic, geometrical and arithmetical expressions. The result is a set of Coq tactics and a certificate mechanism 1. The programs are: F4 [5], GB [4], and gbcoq [10]. F4 and GB are the fastest (up to our knowledge) available programs that compute Gröbner bases. Gbcoq is slow in general but is proved to be correct (in Coq), and we adapted it to our specific problem to be efficient. The automated proofs concern equalities and nonequalities on polynomials with coefficients and indeterminates in R or Z, and are done by reducing to Gröbner computation, via Hilbert’s Nullstellensatz. We adapted also the results of [7], to allow to prove some theorems about modular arithmetics. The connection between Coq and the programs that compute Gröbner bases is done using the ”external” tactic of Coq that allows to call arbitrary programs accepting xml inputs and outputs. We also produce certificates in order to make the proof scripts independent from the external programs.
Proof Translation and SMTLIB Benchmark Certification: A Preliminary Report
 In 6’th International Workshop on SMT
, 2008
"... Satisfiability Modulo Theories (SMT) solvers are large and complicated pieces of code. As a result, ensuring their correctness is challenging. In this paper, we discuss a technique for ensuring soundness by producing and checking proofs. We give details of our implementation using CVC3 and HOL Light ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Satisfiability Modulo Theories (SMT) solvers are large and complicated pieces of code. As a result, ensuring their correctness is challenging. In this paper, we discuss a technique for ensuring soundness by producing and checking proofs. We give details of our implementation using CVC3 and HOL Light and provide initial results from our effort to certify the SMTLIB benchmarks. 1
HOL2P  A system of classical higher order logic with second order polymorphism
 20th International Conference on Theorem Proving in Higher Order Logics: TPHOLs 2007, volume 4732 of Lecture Notes in Computer Science
, 2007
"... Abstract. This paper introduces the logical system HOL2P that extends classical higher order logic (HOL) with type operator variables and universal types. HOL2P has explicit term operations for type abstraction and type application. The formation of type application terms t [ T] is restricted to sma ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. This paper introduces the logical system HOL2P that extends classical higher order logic (HOL) with type operator variables and universal types. HOL2P has explicit term operations for type abstraction and type application. The formation of type application terms t [ T] is restricted to small types T that do not contain any universal types. This constraint ensures the existence of a settheoretic model and thus consistency. The expressiveness of HOL2P allows categorytheoretic concepts such as natural transformations and initial algebras to be applied at the level of polymorphic HOL functions. The parameterisation of terms with type operators adds genericity to theorems. Type variable quantification can also be expressed. A prototype of HOL2P has been implemented on top of HOLLight. Type inference is semiautomatic, and some type annotations are necessary. Reasoning is supported by appropriate tactics. The implementation has been used to check some sample derivations. 1
Stateless HOL
"... Dedicated to Roel de Vrijer, in the tradition of Automath. We present a version of the HOL Light system that supports undoing definitions in such a way that this does not compromise the soundness of the logic. In our system the code that keeps track of the constants that have been defined thus far h ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Dedicated to Roel de Vrijer, in the tradition of Automath. We present a version of the HOL Light system that supports undoing definitions in such a way that this does not compromise the soundness of the logic. In our system the code that keeps track of the constants that have been defined thus far has been moved out of the kernel. This means that the kernel now is purely functional. The changes to the system are small. All existing HOL Light developments can be run by the stateless system with only minor changes. The basic principle behind the system is not to name constants by strings, but by pairs consisting of a string and a definition. This means that the data structures for the terms are all merged into one big graph. OCaml – the implementation language of the system – can use pointer equality to establish equality of data structures fast. This allows the system to run at acceptable speeds. Our system runs at about 85 % of the speed of the stateful version of HOL Light.