HOL Light is a new version of the HOL theorem prover. While retaining the reliability and programmability of earlier versions, it is more elegant, lightweight, powerful and automatic; it will be the basis for the Cambridge component of the HOL-2000 initiative to develop the next generation of HOL theorem provers. HOL Light is written in CAML Light, and so will run well even on small machines, e.g. PCs and Macintoshes with a few megabytes of RAM. This is in stark contrast to the resource-hungry systems which are the norm in this field, other versions of HOL included. Among the new features of this version are a powerful simplifier, effective first order automation, simple higher-order matching and very general support for inductive and recursive definitions.

We study the problem of representing a modular specification language in a type-theory based theorem prover. Our goals are: to provide mechanical support for reasoning about specifications and about the specification language itself; to clarify the semantics of the specification language by formalising them fully; to augment the specification language with a programming language in a setting where they are both part of the same formal environment, allowing us to define a formal implementation relationship between the two. Previous work on similar issues has given rise to a dichotomy between “shal-low ” and “deep ” embedding styles when representing one language within another. We show that the expressiveness of type theory, and the high degree of reflection that it permits, allow us to develop embedding techniques which lie between the “shallow ” and “deep ” extremes. We consider various possible embedding strategies and then choose one of them to explore more fully. As our object of study we choose a fragment of the Z specification language, which we encode in the type theory UTT, as implemented in the LEGO proof-checker. We use the encoding to study some of the operations on schemas provided by Z. One of our main concerns is whether it is possible to reason about Z specifications at the level of these operations. We prove some theorems about Z showing that, within certain constraints, this kind of reasoning is indeed possible. We then show how these metatheorems can be used to carry out formal reasoning about Z specifications. For this we make use of an example taken from the Z Reference Manual (ZRM). Finally, we exploit the fact that type theory provides a programming lan-guage as well as a logic to define a notion of implementation for Z specifications. We illustrate this by encoding some example programs taken from the ZRM. ii Declaration I declare that this thesis was composed by myself, and that the work con-tained in it is my own except where otherwise stated. Some of this work has been published previously [Mah94]. iii

This project aims to demonstrate that it is practical, using existing theorem proving technology, to formally verify industrially significant floating point algorithms and their implementations. Models of such algorithms will be mechanically verified with the hol theorem proving system against precise specifications, often based on real numbers. Industry is sceptical about the value of formal verification. It is hoped that our studies will help convince manufacturers that the potential benefits far outweigh the costs. This could have a tremendous impact on the industrial uptake of `formal methods'. B Scientific/Technological Relevance In most circumstances, even intelligent testing and simulation can still leave considerable doubts as to the correctness of computer systems. This makes formal verification appealing. There are well-rehearsed arguments over the value of verification for safety-critical systems, such as fly-by-wire aircraft, antilock braking systems in cars, radiothera...

This thesis investigates the issues involved in the creation of a “general theory of operational semantics ” in LEGO, a type-theoretic theorem proving environment implementing a constructionist logic. Such a general theory permits the ability to manipulate and reason about operational semantics both individually and as a class. The motivation for this lies in the studies of semantics directed compiler generation in which a set of generic semantics transforming functions can help convert arbitrary semantic definitions to abstract machines. Such transformations require correctness theorems that quantify over the class of operational semantics. In implementation terms this indicates the need to ensure both the class of operational semantics and the means of inferring results thereon remain at the theorem prover level. The endeavour of this thesis can be seen as assessing both the requirements that general theories of semantics impose on proof assistants and the efficacy of proof assistants in modelling such theories. Acknowledgements First and foremost I would like to thank Kevin Mitchell who supervised me for my first four years, supplying me with many helpful hints and constructive criticisms. He also bore with me at a period of my life when my mental health deteriorated for which I am eternally grateful. Secondly I would like to thank Stuart Anderson an ever present of my life at the University since I first arrived in 1988, for taking over the supervision of my work when it was seemingly near its conclusion. The help and encouragement I received meant I was able to (finally!) complete this thesis. Special mention must go to Rod Burstall, my mentor through the entirety of my postgraduate studies. My all too brief encounters with him lifted my spirits at a time when they were desperately in need of a boost. I would also like to especially thank Thomas Kleymann (formerly Schreiber) for the many times he aided me in my Lego miseries. I also thank James Hugh McKinna, Randy Pollack and other members of the Lego club for their helpful ideas, various helpful officemates