Results 11  20
of
43
The HigherOrder Recursive Path Ordering
 FOURTEENTH ANNUAL IEEE SYMPOSIUM ON LOGIC IN COMPUTER SCIENCE
, 1999
"... This paper extends the termination proof techniques based on reduction orderings to a higherorder setting, by adapting the recursive path ordering definition to terms of a typed lambdacalculus generated by a signature of polymorphic higherorder function symbols. The obtained ordering is wellfoun ..."
Abstract

Cited by 44 (10 self)
 Add to MetaCart
This paper extends the termination proof techniques based on reduction orderings to a higherorder setting, by adapting the recursive path ordering definition to terms of a typed lambdacalculus generated by a signature of polymorphic higherorder function symbols. The obtained ordering is wellfounded, compatible with fireductions and with polymorphic typing, monotonic with respect to the function symbols, and stable under substitution. It can therefore be used to prove the strong normalizationproperty of higherorder calculi in which constants can be defined by higherorder rewrite rules. For example, the polymorphic version of Gödel's recursor for the natural numbers is easily oriented. And indeed, our ordering is polymorphic, in the sense that a single comparison allows to prove the termination property of all monomorphic instances of a polymorphic rewrite rule. Several other nontrivial examples are given which examplify the expressive power of the ordering.
I/O Automata in Isabelle/HOL
 Types for Proofs and Programs, volume 996 of Lecture Notes in Computer Science
, 1995
"... . We have embedded the metatheory of I/O automata, a model for describing and reasoning about distributed systems, in Isabelle 's version of higher order logic. On top of that, we have specified and verified a recent network transmission protocol which achieves reliable communication using sing ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
. We have embedded the metatheory of I/O automata, a model for describing and reasoning about distributed systems, in Isabelle 's version of higher order logic. On top of that, we have specified and verified a recent network transmission protocol which achieves reliable communication using singlebitheader packets over a medium which may reorder packets arbitrarily. 1 Introduction This paper describes a formalization of Input/Output automata (IOA), a particular model for concurrent and distributed discrete event systems due to Lynch and Tuttle [9], inside Isabelle/HOL, a theorem prover for higherorder logic [12]. The motivation for our work is twofold:  The verification of distributed systems is a challenging application for formal methods because in that area informal arguments are notoriously unreliable.  This area is doubly challenging for interactive general purpose theorem provers because modelchecking [4] already provides a successful automatic approach to the ver...
Type Theory and Programming
, 1994
"... This paper gives an introduction to type theory, focusing on its recent use as a logical framework for proofs and programs. The first two sections give a background to type theory intended for the reader who is new to the subject. The following presents MartinLof's monomorphic type theory and an im ..."
Abstract

Cited by 21 (2 self)
 Add to MetaCart
This paper gives an introduction to type theory, focusing on its recent use as a logical framework for proofs and programs. The first two sections give a background to type theory intended for the reader who is new to the subject. The following presents MartinLof's monomorphic type theory and an implementation, ALF, of this theory. Finally, a few small tutorial examples in ALF are given.
A Bounded Retransmission Protocol for Large Data Packets. A Case Study in Computer Checked Algebraic Verification
"... This note describes a protocol for the transmission of data packets that are too large to be transferred in their entirety. Therefore, the protocol splits the data packets and broadcasts it in parts. It is assumed that in case of failure of transmission through data channels, only a limited number o ..."
Abstract

Cited by 20 (8 self)
 Add to MetaCart
This note describes a protocol for the transmission of data packets that are too large to be transferred in their entirety. Therefore, the protocol splits the data packets and broadcasts it in parts. It is assumed that in case of failure of transmission through data channels, only a limited number of retries are allowed (bounded retransmission). If repeated failure occurs, the protocol stops trying and the sending and receiving protocol users are informed accordingly. The protocol and its external behaviour are speci ed in CRL. The correspondence between these is shown using the axioms of CRL. The whole proof of this correspondence has been computer checked using the proof checker Coq. This provides an example showing that proof checking of realistic protocols is feasible within the setting of process algebras.
Implicit Syntax
 Informal Proceedings of First Workshop on Logical Frameworks
, 1992
"... A proof checking system may support syntax that is more convenient for users than its `official' language. For example LEGO (a typechecker for several systems related to the Calculus of Constructions) has algorithms to infer some polymorphic instantiations (e.g. pair 2 true instead of pair nat bo ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
A proof checking system may support syntax that is more convenient for users than its `official' language. For example LEGO (a typechecker for several systems related to the Calculus of Constructions) has algorithms to infer some polymorphic instantiations (e.g. pair 2 true instead of pair nat bool 2 true) and universe levels (e.g. Type instead of Type(4)). Users need to understand such features, but do not want to know the algorithms for computing them. In this note I explain these two features by nondeterministic operational semantics for "translating" implicit syntax to the fully explicit underlying formal system. The translations are sound and complete for the underlying type theory, and the algorithms (which I will not talk about) are sound (not necessarily complete) for the translations. This note is phrased in terms of a general class of type theories. The technique described has more general application. 1 Introduction Consider the usual formal system, !, for simp...
A computerchecked verification of Milner's scheduler
 Proceedings of the 2 nd International Symposium on Theoretical Aspects of Computer Software, TACS '94
, 1994
"... We present an equational verification of Milner's scheduler, which we checked by computer. To our knowledge this is the first time that the scheduler is proofchecked for a general number n of scheduled processes. 1991 Mathematics Subject Classification: 68Q60, 68T15. 1991 CR Categories: F.3.1. K ..."
Abstract

Cited by 18 (5 self)
 Add to MetaCart
We present an equational verification of Milner's scheduler, which we checked by computer. To our knowledge this is the first time that the scheduler is proofchecked for a general number n of scheduled processes. 1991 Mathematics Subject Classification: 68Q60, 68T15. 1991 CR Categories: F.3.1. Keywords & Phrases: Coq, micro CRL, Milner's Scheduler, proof checking, type theory. Other versions: This report is a more detailed version of [16], brought out at the University of Utrecht. An extended abstract will appear in the LNCS Proceedings of TACS'94 (International Symposium on Theoretical Aspects of Computer Software, Japan, April 1994). Support: The work of the first author took place in the context of EC Basic Research Action 7166 concur 2. The work of the second author is supported by the Netherlands Computer Science Research Foundation (SION) with financial support of the Netherlands Organisation for Scientific Research (NWO). 1
Proving theorems about Java and the JVM with ACL2
 Models, Algebras and Logic of Engineering Software
, 2003
"... We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. ..."
Abstract

Cited by 18 (9 self)
 Add to MetaCart
We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. Theorems are proved about Java methods and classes by compiling them with javac and then proving the corresponding theorem about the JVM. Certain automatically applied strategies are implemented with rewrite rules (and other proofguiding pragmas) in ACL2 “books” to control the theorem prover when operating on problems involving the JVM model. The Java Virtual Machine or JVM [27] is the basic abstraction Java [17] implementors are expected to respect. We speculate that the JVM is an appropriate level of abstraction at which to model Java programs with the intention of mechanically verifying their properties. The most complex features of the Java subset we handle – construction and initialization of new objects, synchronization, thread management, and virtual method invocation – are all supported directly and with full abstraction as single atomic instructions in the JVM. The complexity of verifying JVM bytecode program stems from the complexity of Java’s semantics, not
Formal Description and Analysis of a Bounded Retransmission Protocol
 UNIVERSITY OF MARIBOR
, 1996
"... This paper reports about the formal specification and verification of a Bounded Retransmission Protocol (Brp) used by Philips in one of its products. We started with the descriptions of the Brp service (i.e., external behaviour) and protocol written in the µCrl language by Groote and van de Pol. Aft ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
This paper reports about the formal specification and verification of a Bounded Retransmission Protocol (Brp) used by Philips in one of its products. We started with the descriptions of the Brp service (i.e., external behaviour) and protocol written in the µCrl language by Groote and van de Pol. After translating them in the Lotos language, we performed verifications by modelchecking using the Cadp (Caesar/Aldébaran) toolbox. The models of the Lotos descriptions were generated using the Caesar compiler (by putting bounds on the data domains) and checked to be branching equivalent using the Aldébaran tool. Alternately, we formulated in the Actl temporal logic a set of safety and liveness properties for the Brp protocol and checked them on the corresponding model using our Xtl generic modelchecker.
Implementing a Model Checker for LEGO
 Proc. of the 4th Inter Symp. of Formal Methods Europe, FME'97: Industrial Applications and Strengthened Foundations of Formal Methods
, 1997
"... . Interactive theorem proving gives a general approach for modelling and verification of both hardware and software systems but requires significant human efforts to deal with many tedious proofs. To be used in practical, we need some automatic tools such as model checkers to deal with those tedious ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
. Interactive theorem proving gives a general approach for modelling and verification of both hardware and software systems but requires significant human efforts to deal with many tedious proofs. To be used in practical, we need some automatic tools such as model checkers to deal with those tedious proofs. In this paper, we formalise a verification system of both CCS and an imperative language in LEGO which can be used to verify both finite and infinite problems. Then a model checker, LegoMC, is implemented to generate the LEGO proof terms of finite models automatically. Therefore people can use LEGO to verify a general problem and throw some finite subproblems to be verified by LegoMC. On the other hand, this integration extends the power of model checking to verify more complicated and infinite models as well. 1 Introduction Interactive theorem proving gives a general approach for modelling and verification of both hardware and software systems but requires significant human effor...