A logic for specification and verification is derived from the axioms of Zermelo-Fraenkel set theory. The proofs are performed using the proof assistant Isabelle. Isabelle is generic, supporting several different logics. Isabelle has the flexibility to adapt to variants of set theory. Its higher-order syntax supports the definition of new binding operators. Unknowns in subgoals can be instantiated incrementally. The paper describes the derivation of rules for descriptions, relations and functions, and discusses interactive proofs of Cantor’s Theorem, the Composition of Homomorphisms challenge [9], and Ramsey’s Theorem [5]. A generic proof assistant can stand up against provers dedicated to particular logics. Key words. Isabelle, set theory, generic theorem proving, Ramsey’s Theorem,

A theory of recursive and corecursive definitions has been developed in higher-order logic (HOL) and mechanized using Isabelle. Least fixedpoints express inductive data types such as strict lists; greatest fixedpoints express coinductive data types, such as lazy lists. Wellfounded recursion expresses recursive functions over inductive data types; corecursion expresses functions that yield elements of coinductive data types. The theory rests on a traditional formalization of infinite trees. The theory is intended for use in specification and verification. It supports reasoning about a wide range of computable functions, but it does not formalize their operational semantics and can express noncomputable functions also. The theory is illustrated using finite and infinite lists. Corecursion expresses functions over infinite lists; coinduction reasons about such functions. Key words. Isabelle, higher-order logic, coinduction, corecursion Copyright c fl 1996 by Lawrence C. Paulson Content...

Our objective is to describe a formal proof of correctness for the following Haskell [13] program in a type theory-based proof verification system, such as the Coq system [10, 1]. sieve (p:rest) = p:sieve [r | r <- rest, r ‘rem ‘ p / = 0] primes = sieve [2..] This program is a functional implementation of Eratosthenes ’ sieve that consists in removing all multiples of previously found primes from the sequence of natural numbers. We want to prove that the expression primes is the stream containing all the prime numbers in increasing order. This work relies on co-inductive types [5, 11, 12] because the program manipulates infinite lists, also known as streams. It first uses the infinite list of natural numbers larger than 2, then the infinite list of numbers larger than 3 and containing no multiples of 2, then the infinite list of numbers larger than 4 and containing no multiples of prime numbers smaller than 4, and so on. This example was initially proposed as a challenge by G. Kahn and used as an illustration of a program and its proof of correctness in a

We describe an experience concerning the implementation and use of co-inductive types in the proof editor Coq. Co-inductive types are recursive types which, opposite to inductive ones, may be inhabited by infinite objects. In order to illustrate their use in Coq, we describe an axiomatisation of a calculus of broadcasting systems where recursive processes are represented using infinite objects. This calculus is used for developing a verification proof of the alternating bit protocol. Keywords: Program Verification, Type Theory, Co-Inductive Types, Communicating Processes R'esum'e Dans cet article nous d'ecrivons une exp'erience concernant l'implantation et l'utilisation de types co-inductifs dans l'environnement de preuves Coq. Les types co-inductifs sont des types recursifs qui, `a la diff'erence des types inductifs, peuvent etre habit'es par des objets infinis. Pour illustrer leur utilisation dans Coq nous d'ecrivons comment axiomatiser un calcul de processus qui communiq...

m networks and the recent works of Thierry Coquand in type theory have been the most important sources of motivation for the ideas presented here. I wish to specially thank Roberto Amadio, who read the manuscript in a very short delay, providing many helpful comments and remarks. Many thanks also to Luc Boug'e, who accepted to be my oficial supervisor, and to the chair of the jury, Michel Cosnard, who opened to me the doors of the LIP. During these last three years in Lyon I met many wonderful people, who then become wonderful friends. Miguel, Nuria, Veronique, Patricia, Philippe, Pia, Rodrigo, Salvador, Sophie : : : with you I have shared the happiness and sadness of everyday life, those little things which make us to remember someone forever. I also would like to thank the people from "Tango de Soie", for all those funny nights at the Caf'e Moulin Joly. Thanks too to the Uruguayan research community in Computer Science (specially to Cristina Cornes and Alberto Pardo) w

In this paper we specialize the notion of abstract computational procedure previously introduced for intensionally presented structures to those which are extensionally given. This is provided by a form of generalized recursion theory which uses schemata for explicit definition, conditional definition and least fixed point (LFP) recursion in functionals of type level ≤ 2 over any appropriate structure. It is applied here to the case of potentially infinite (and more general partial) streams as an abstract data type. 1

We present a realizability interpretation of co-inductive types based on partial equivalence relations (per's). We extract from the per's interpretation sound rules to type recursive definitions. These recursive definitions are needed to introduce "infinite" and "total" objects of co-inductive type such as an infinite stream or a non-terminating process. We show that the proposed type system enjoys the basic syntactic properties of subject reduction and strong normalization with respect to a confluent rewriting system first studied by Gimenez. We also compare the proposed type system with those studied by Coquand and Gimenez. In particular, we provide a semantic reconstruction of Gimenez's system which suggests a rule to type nested recursive definitions.

The logical framework LF is a type theory defined by Harper, Honsell and Plotkin. It is wellsuited to serve as a meta language to represent deductive systems. LF and its logic programming implementation Elf are also well-suited to represent meta-theoretic proofs and their computational content, but search for such proofs lies outside the framework. This thesis proposes a computational meta logic (MLF) for the Horn fragment of LF. The Horn fragment is a significant restriction of LF but it is powerful enough to represent non-trivial problems. This thesis demonstrates how MLF can be used for the problem of compiler verification. It also discusses some theoretical properties of MLF. Contents 1 Introduction 1 2 Motivation 3 2.1 An Example : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 4 2.1.1 A Toy Language : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 4 2.1.2 Natural Semantics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :...

When providing a collection of constructors to define an inductive type, we actually also define a dual operation: a destructor. This destructor is always defined using the same structure of pattern-matching, so that we have a tendency to forget that we do extend the “pattern-matching ” capability with a new destructor at each definition. Constructors and destructors play a dual role in the definition of inductive types. Constructors produce elements of the inductive type, destructors consume elements of the inductive type. The inductive type itself is defined as the smallest collection of elements that is stable with respect to the constructors: it must contain all constants that are declared to be in the inductive type and all results of the constructors when the arguments of these constructors are already found to be in the inductive type. When considering structural recursion, recursive definitions are functions that consume elements of the inductive type. The discipline of structural recursion imposes that recursive calls consume data that is obtained through the destructor. The inductive type uses the constructors and destructors in a specific way. Co-inductive

: Coq is a proof assistant based on a higher-order logic allowing powerful definitions of functions. Coq V6.1 is available by anonymous ftp at ftp.inria.fr:/INRIA/Projects/coq/V6.1 and ftp.ens-lyon.fr:/pub/LIP/COQ/V6.1 Key-words: Coq, Proof Assistant, Formal Proofs, Calculus of Inductives Constructions (R'esum'e : tsvp) This research was partly supported by ESPRIT Basic Research Action "Types" and by the GDR "Programmation " co-financed by MRE-PRC and CNRS. Unit'e de recherche INRIA Rocquencourt Domaine de Voluceau, Rocquencourt, BP 105, 78153 LE CHESNAY Cedex (France) T'el'ephone : (33 1) 39 63 55 11 -- T'el'ecopie : (33 1) 39 63 53 30 Manuel de r'ef'erence du syst`eme Coq version V6.1 R'esum'e : Coq est un syst`eme permettant le d'eveloppement et la v'erification de preuves formelles dans une logique d'ordre sup'erieure incluant un riche langage de d'efinitions de fonctions. Ce document constitue le manuel de r'ef'erence de la version V6.1 qui est distribu 'ee par ftp ...