We describe Elf, a metalanguage for proof manipulation environments that are independent of any particular logical system. Elf is intended for meta-programs such as theorem provers, proof transformers, or type inference programs for programming languages with complex type systems. Elf unifies logic definition (in the style of LF, the Edinburgh Logical Framework) with logic programming (in the style of Prolog). It achieves this unification by giving types an operational interpretation, much the same way that Prolog gives certain formulas (Horn-clauses) an operational interpretation. Novel features of Elf include: (1) the Elf search process automatically constructs terms that can represent object-logic proofs, and thus a program need not construct them explicitly, (2) the partial correctness of meta-programs with respect to a given logic can be expressed and proved in Elf itself, and (3) Elf exploits Elliott's unification algorithm for a -calculus with dependent types. This research was...

: The expressive power of higher order logic makes it possible to define a wide variety of types within the logic and to prove theorems that state the properties of these types concisely and abstractly. This paper contains a tutorial introduction to the logical basis for such type definitions. Examples are given of the formal definitions in logic of several simple types. A method is then described for systematically defining any instance of a certain class of commonly-used recursive types. The automation of this method in HOL, an interactive system for generating proofs in higher order logic, is also discussed. 1 To appear in Current Trends in Hardware Verification and Automated Theorem Proving, proceedings of the 1988 Banff Workshop on Hardware Verification, edited by G. Birtwistle and P. Subrahmanyam (Springer-Verlag, 1988). Revised 28 January Contents Introduction 5 1 Introduction to Higher Order Logic 6 1.1 Notation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : ...

An interactive theorem prover, Isabelle, is under development. In LCF, each inference rule is represented by one function for forwards proof and another (a tactic) for backwards proof. In Isabelle, each inference rule is represented by a Horn clause.

: Recent advances in the field of hardware verification have raised some fresh (and some familiar) issues to do with the scope and limitations of formal proof. In this note, some of these are considered in the context of the Viper verification project. Viper is a microprocessor designed by W. J. Cullyer, C. Pygott and J. Kershaw, of the Royal Signals and Radar Establishment of the U.K. Ministry of Defense, for use in safety-critical applications. Much to their credit, the designers intended from the start that Viper be formally verified; they presented Viper's more abstract specifications in a language suitable for formal reasoning, and they placed the design in the public domain. Viper microprocessors are currently being marketed as verified chips. The formal proof aspects of the verification work have been carried out at the Computer Laboratory of the University of Cambridge. To date, some important properties of a register-transfer level model of Viper, relative to a more abstract ...

ion Mechanisms for Hardware Verification Thomas F. Melham University of Cambridge Computer Laboratory New Museums Site, Pembroke Street Cambridge, CB2 3QG, England Abstract: It is argued that techniques for proving the correctness of hardware designs must use abstraction mechanisms for relating formal descriptions at different levels of detail. Four such abstraction mechanisms and their formalization in higher order logic are discussed. Introduction Recent advances in microelectronics have given designers of digital hardware the potential to build electronic devices of unprecedented size and complexity. With increasing size and complexity, however, it becomes increasingly difficult to ensure that such systems will not malfunction because of design errors. This problem has prompted some researchers to look for a firm theoretical basis for correct design of hardware systems. Mathematical methods have been developed to model the functional behaviour of electronic devices and to verify,...

. Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program code provided by another system is safe to install and execute without requiring interpretation or run-time checking. PCC has applications in any computing system in which the safe, efficient, and dynamic installation of code is needed. The key idea of Proof-Carrying is to attach to the code an easily-checkable proof that its execution does not violate the safety policy of the receiving system. This paper describes the design and a typical implementation of Proof-Carrying Code, where the language used for specifying the safety properties is first-order predicate logic. Examples of safety properties that are covered in this paper are memory safety and compliance with data access policies, resource usage bounds, and data abstraction boundaries. 1 Introduction Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program cod...

: The expressive power of higher order logic makes it possible to define a wide variety of data types within the logic and to prove theorems that state the properties of these types concisely and abstractly. This paper describes how such defined data types can be used to support formal reasoning in higher order logic about the behaviour of hardware designs. First printed: May 1988 Reprinted with revisions: April 1990 An earlier version of this paper appears in: The Fusion of Hardware Design and Verification, ed. G.J. Milne (North-Holland, 1988), pp. 27--50. Contents Introduction 5 1 Hardware Verification using Higher Order Logic 5 1.1 Notation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 1.2 Specifying Hardware Behaviour : : : : : : : : : : : : : : : : : : 6 1.3 Specifying Hardware Structure : : : : : : : : : : : : : : : : : : 7 1.4 Formulating Correctness : : : : : : : : : : : : : : : : : : : : : : 8 2 Recursive Types in Higher Order Logic 8 2.1 Type Definit...

Term rewriting has proven to be an important technique in theorem proving. In this paper, we illustrate that rewrite systems and strategies for higher-order term rewriting, which includes the usual notion of first-order rewriting, can be naturally specified and implemented in a higher-order logic programming language. We adopt a notion of higher-order rewrite system which uses the simply typed -calculus as the language for expressing rules, with a restriction on the occurrences of free variables on the left hand sides of rules so that matching of terms with rewrite templates is decidable. The logic programming language contains an implementation of the simply-typed lambda calculus including fij- conversion and higher-order unification. In addition, universal quantification in queries and the bodies of clauses is permitted. For higher-order rewriting, we show how these operations implemented at the meta-level provide elegant mechanisms for the object-level operations of descending thro...

. The ability of a theorem prover to generate explicit derivations for the theorems it proves has major benets for the testing and maintenance of the prover. It also eliminates the need to trust the correctness of the prover at the expense of trusting a much simpler proof checker. However, it is not always obvious how to generate explicit proofs in a theorem prover that uses decision procedures whose operation does not directly model the axiomatization of the underlying theories. In this paper we describe the modications that are necessary to support proof generation in a congruence-closure decision procedure for equality and in a Simplex-based decision procedure for linear arithmetic. Both of these decision procedures have been integrated using a modied Nelson-Oppen cooperation mechanism in the Touchstone theorem prover, which we use to produce proof-carrying code. Our experience with designing and implementing Touchstone is that proof generation has a relatively low c...

The appeal of automatic formal verification is that it's automatic --- minimal human labor and expertise should be needed to get useful results and counterexamples. BDD(binary decision diagram)-based approaches have promised to allow automatic verification of complex, real systems. For large classes of problems, however, (including many distributed protocols, multiprocessor systems, and network architectures) this promise has yet to be fulfilled. Indeed, the few successes have required extensive time and effort from sophisticated researchers in the field. Clearly, techniques are needed that are more sophisticated than the obvious direct implementation of theoretical results. This thesis addresses that need, emphasizing an application domain that has been particularly difficult for BDD-based methods --- high-level models of systems or distributed protocols --- rather than gate-level descriptions of circuits. Additionally, the emphasis is on providing useful debugging information for the...