## A Survey on Embedding Programming Logics in a Theorem Prover (2002)

Venue: Institute of Information and Computing Sciences, Utrecht University

Citations: 8 (2 self)

### BibTeX

```bibtex
@TECHREPORT{Azurat02asurvey,
  author      = {A. Azurat and I. S. W. B. Prasetya},
  title       = {A Survey on Embedding Programming Logics in a Theorem Prover},
  institution = {Institute of Information and Computing Sciences Utrecht University},
  year        = {2002}
}
```

### Abstract

Theorem provers were originally called 'proof checkers', because that is what they were in the beginning. They have since grown powerful, and in many cases are capable of automatically producing complicated proofs. In particular, theorem provers based on higher order logic, such as HOL and PVS, became popular because the logic is well known and very expressive. They are generally considered to be potential platforms for embedding a programming logic for the purpose of formal verification. In this paper we investigate a number of the most commonly used methods of embedding programming logics in such theorem provers and expose the problems we discover. We also propose an alternative approach: hybrid embedding.

### Citations

383 | Formal Methods: State of the Art and Future Direction
- Clarke, Wing
- 1996

Citation Context: ... checker represents a program as an automaton. It simulates the automaton. As it generates all possible states reachable by the program, it verifies if those states fulfil the program’s requirements [6]. Model checkers are good in finding errors because they are highly automated, but they tend to have problems in representing infinite state spaces and infinite data structures (such as unbounded inte...

159 | Parallel Program Design
- Chandy, Misra
- 1989

Citation Context: ... mention some achievements – there are too many to mention all of them. In [2, 21, 25], Andersen, Prasetya and Vos reported the embedding of the programming logic UNITY in HOL – UNITY is a simple logic [5] for reasoning about temporal properties of distributed systems. Andersen, Prasetya and Vos have used their embedding to mechanically verify non-trivial distributed algorithms. Furthermore, Prasetya a...

122 | Computability and unsolvability
- Davis
- 1958

Citation Context: ...ions and then verify them by other tools. We may also want to borrow the idea of reflection in the theorem prover community [10] while keeping aware not to violate Gödel’s Second Incompleteness Theorem [7]. • Case study. Realistic case study will raise confidence. There are several case studies formulated as challenges to the formal method community. In [20] a verification of cache buffer algorithm usi...

107 | Introduction to HOL
- Gordon, Melham
- 1993

Citation Context: ...veness makes it much easier for us to convince ourselves of the soundness of the host logic. Obviously it is not safe to build an embedding on a host logic with questionable soundness. The HOL system [9] is an example of a theorem prover based on a small, yet very expressive logic (a higher order, typed predicate logic). Note that once proven, an embedded logic inherits the soundness of its host. Unf...

59 | Metatheory and reflection in theorem proving: a survey and critique
- Harrison
- 1995

Citation Context: ...on. The third way, and the most difficult one, is to formally specify those functions and then verify them by other tools. We may also want to borrow the idea of reflection in the theorem prover community [10] while keeping aware not to violate Gödel’s Second Incompleteness Theorem [7]. • Case study. Realistic case study will raise confidence. There are several case studies formulated as challenges to t...

55 | A logic for the Java Modeling Language JML
- Jacobs, Poll
- 2001

Citation Context: ... of a larger tool called LOOP. LOOP features a specification language for Java, called JML [13], and compilers to compile a Java program and its JML specifications to their embedded representations. [Footnote 2: The grammar of a language is a set of rules specifying how the formulas of the language are constructed.] 3 Shallow Embedding. Shallow embedding concentrates on how the semantics of the guest logic can b...

48 | Functional parsers
- Fokker
- 1995

Citation Context: ...nted much better in deep embedding, as it uses functional data types to represent the grammar – it is known that there is a strong correspondence between (context free) grammars and recursive data types [8]. Because of the explicit representation of the grammar, in deep embedding it is possible to encode and verify syntactic operations and analyses made on the formulas of the guest logic. This is not po...

39 | Experience with Embedding Hardware Description Languages
- Boulton, Gordon, et al.
- 1992

Citation Context: ... a real language; or remain with a real language, but give up trying to achieve full formality.” In the theorem prover community, people often distinguish between so-called shallow and deep embedding [3]. Shallow embedding of a logic L embeds the semantics of L but does only a minimal effort to represent the grammar (syntax) of L in L′. Deep embedding embeds also the syntactic structures of the lo...

33 | Mechanizing programming logics in higher-order logic
- Gordon

Citation Context: ...epresent a state by a function from variables to values. We can use strings to represent variables (actually, variables’ names). This representation is quite simple and is used by many others, e.g. [2, 17, 21, 25]. Alternatively, one can also use lists to represent states. Since VSPL only has two kinds of values, booleans and integers, we can represent VSPL values in HOL with the following HOL data type: Code 4...

26 | A Theorem Prover for UNITY in Higher Order Logic
- Andersen
- 1992

Citation Context: ...rther reduce the readability of the representations. Lots of work has been invested in embedding in the past 10 years. We will mention some achievements – there are too many to mention all of them. In [2, 21, 25], Andersen, Prasetya and Vos reported the embedding of the programming logic UNITY in HOL – UNITY is a simple logic [5] for reasoning about temporal properties of distributed systems. Andersen, Prasety...

25 | Mechanizing UNITY in Isabelle
- Paulson

Citation Context: ...he value of x is 0 is represented by the following record: <| b=T; x=0 |>. The approach produces cleaner representations of programs and specifications. The approach is widely used, for example as in [24, 1, 19]. Unfortunately the field names of a record are not first class values in HOL. This has certain disadvantages. 5.1 Semantics. In this embedding we will use the following semantic domains. As in Section...

21 | Java Program Verification in Higher-Order Logic with PVS and Isabelle
- Huisman
- 2001

Citation Context: ...nitions, and 906 major theorems, using over 57,000 lines of proof, organized in 22 HOL theories. An attempt to use embedding for a real programming language and logic was recently reported by Huisman [12], who embeds Java (without threads) in PVS and Isabelle. The embedding is part of a larger tool called LOOP. LOOP [Footnote 2: The grammar of a language is a set of rules specifying how the formulas of the langua...

15 | Mechanically Supported Design of Self-stabilizing Algorithms
- Prasetya
- 1995

Citation Context: ...rther reduce the readability of the representations. Lots of work has been invested in embedding in the past 10 years. We will mention some achievements – there are too many to mention all of them. In [2, 21, 25], Andersen, Prasetya and Vos reported the embedding of the programming logic UNITY in HOL – UNITY is a simple logic [5] for reasoning about temporal properties of distributed systems. Andersen, Prasety...

12 | Mechanizing program verification in HOL
- Agerholm
- 1991

Citation Context: ...he value of x is 0 is represented by the following record: <| b=T; x=0 |>. The approach produces cleaner representations of programs and specifications. The approach is widely used, for example as in [24, 1, 19]. Unfortunately the field names of a record are not first class values in HOL. This has certain disadvantages. 5.1 Semantics. In this embedding we will use the following semantic domains. As in Section...

9 | UNITY in Diversity: A Stratified Approach to the Verification of Distributed Algorithms
- Vos
- 2000

Citation Context: ...rther reduce the readability of the representations. Lots of work has been invested in embedding in the past 10 years. We will mention some achievements – there are too many to mention all of them. In [2, 21, 25], Andersen, Prasetya and Vos reported the embedding of the programming logic UNITY in HOL – UNITY is a simple logic [5] for reasoning about temporal properties of distributed systems. Andersen, Prasety...

8 | The Evolution of Type Theory
- Laan
- 1997

Citation Context: ...BL = fromInt int | fromBool bool | fromList (’a list) [Footnote 5: Without restriction, Value can be so large that it contains everything. Such a set leads to a certain paradox called Russell’s paradox. See [14].] Though the type system of HOL (and most type systems) will make sure we do not run into Russell’s paradox, the above type is actually not what we want. Consider the (destructor) function toList w...

5 | Mechanical verification of total correctness through diversion verification conditions
- Homeier, Martin
- 1998

Citation Context: ...ng by having typed program variables more explicitly represented. An example of deep embedding is the embedding of a simple imperative programming language called Sunrise in HOL by Homeier and Martin [11]. A Verification Condition Generator (VCG) is supplied, based on a method named Diversion Verification Condition to provide total correctness of mutually recursive functions. The VCG basically does a ...

4 | Task description
- Lindner
- 1995

Citation Context: ...ral case studies formulated as challenges to the formal method community. In [20] a verification of a cache buffer algorithm using PVS is presented. This is a sub part of an operating system module. In [15] a description of the ’production cell’ as one of the manufacturing systems is presented. Another known case study for formal methods is the RPC memory specification problem, as presented in [4]. References...

4 | A theory for composing distributed components based on mutual exclusion, 2002. Draft. Download: www.cs.uu.nl/~wishnu
- Prasetya, Vos, et al.

Citation Context: ...concrete programs may be problematic because of the universal quantifications on potentially infinite domains in the definition of partial equality and preservation. Fortunately, this is not the case [22]. For confinement, consider as an example the predicate x = 0. This predicate is confined by the set {x, y}. This is represented by the following in HOL: (\s. (toInt o s) "x" = 0) IS CONFINED BY {"x",...

4 | Program transformations and refinements in HOL
- Wright, Sere
- 1992

Citation Context: ...he value of x is 0 is represented by the following record: <| b=T; x=0 |>. The approach produces cleaner representations of programs and specifications. The approach is widely used, for example as in [24, 1, 19]. Unfortunately the field names of a record are not first class values in HOL. This has certain disadvantages. 5.1 Semantics. In this embedding we will use the following semantic domains. As in Section...

2 | A Type-Theoretic Analysis of Modular Specifications
- Maharaj
- 1996

Citation Context: ... problems. For example, it takes lots of effort to set up. Changing the syntax of the guest logic may also incur lots of work. In some theorem provers, such as COQ, there is no deep-shallow dichotomy [16]. COQ is based on a type system, which is even more primitive than the logic used by, for example, the HOL system. The disadvantage is that a guest logic must now be represented in an even more primit...

1 | The RPC-Memory specification problem — problem statement
- Broy, Lamport
- 1169

1 | Formal verification of an O.S. submodule
- Pendharkar, Gopinath
- 1530

Citation Context: ...late Gödel’s Second Incompleteness Theorem [7]. • Case study. Realistic case study will raise confidence. There are several case studies formulated as challenges to the formal method community. In [20] a verification of a cache buffer algorithm using PVS is presented. This is a sub part of an operating system module. In [15] a description of the ’production cell’ as one of the manufacturing systems is pre...

1 | Algebraic methods for specification and formal development of programs
- Sannella, Tarlecki
- 1999

Citation Context: ...of formal semantics. The semantics of a real programming language is very complicated, raising the issue of maintaining the correctness and the reliability of the semantics itself. We quote here from [23]: “Our EML experience suggests that, at least at the present time, tackling the problems of specification and formal development in a real programming language at a fully formal level is just too diff...