## Tool Support for Logics of Programs (1996)

Venue: Mathematical Methods in Program Development: Summer School Marktoberdorf 1996, NATO ASI Series F

Citations: 6 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Paulson96toolsupport,
  author    = {Lawrence C. Paulson},
  title     = {Tool Support for Logics of Programs},
  booktitle = {Mathematical Methods in Program Development: Summer School Marktoberdorf 1996, NATO ASI Series F},
  year      = {1996},
  pages     = {461--498},
  publisher = {Springer}
}
```

### Abstract

Proof tools must be well designed if they...

### Citations

- 3224 | Communication and Concurrency | Milner | 1989
- 1408 | A Discipline of Programming | Dijkstra | 1976
- 1145 | A semantics for a logic of authentication | Abadi, Tuttle | 1991
- 697 | A Framework for Defining Logics | Harper, Honsell, et al. | 1992
- 504 | Introduction to HOL: A Theorem Proving Environment for Higher Order Logic | Gordon, Melham | 1993
  Citation context: "... make the classical reasoner prove assertions that do not follow from the axioms. 5. Mechanized Set Theories. We need set theory whether or not we have types. Simple types (as found in the HOL system [12]) are too rigid: there is no type of n-element lists. Predicate subtyping (as in PVS) can help. But even in highly expressive type systems, one usually defines some sort of set theory. Set-theoretic pri..."
- 422 | Isabelle: a Generic Theorem Prover | Paulson | 1994
  Citation context: "... P(x + 1)]] ⟹ P(n). The rule's premises and conclusion receive the additional quantification !!x. All variables in the rule are given x as an additional argument. Their types are changed accordingly [24, 33]. In higher-order logic (HOL), we can express induction using predicate variables: P(0) ∧ (∀x. P(x) → P(x + 1)) → P(n). Isabelle provides the meta-level connectiv..."
- 366 | ML for the Working Programmer | Paulson | 1991
  Citation context: "...lations. Such relations are commonly found in theoretical computer science. 6.1 Recursive Types and Functions. A datatype is a disjoint sum and may be recursive. The syntax is based upon Standard ML's [38]. Datatypes can model lists, trees and finite enumerations. For example, here is a specification of binary trees. A binary tree may be a leaf (Lf) or a branch node (Br) carrying a label and two subtrees..."
- 294 | Otter 3.0 Reference Manual and Guide | McCune | 1994
  Citation context: "... 2.5 The Role of Resolution. Isabelle uses resolution to provide proof checking in the forward and backward styles. Unlike classical resolution theorem provers such as Otter [22], Isabelle does not seek contradictions, but derives rules in positive form. Horn clause resolution is a special case of the sophisticated forms of resolution used in Otter. On the other hand, Isabell..."
- 239 | The Formal Semantics of Programming Languages | Winskel | 1993
  Citation context: "... (ZF and HOL) to specify a (co)inductive definition. Isabelle reduces it to a least fixedpoint (greatest fixedpoint for a coinductive definition). A broad class of definitions is acceptable [35]. Rule induction [52] is a powerful inference rule for proving consequences of xs → ys. Recall that → is the least set closed under the rules given in Figure 6.1. If some predicate P..."
- 215 | A linear logic framework | Cervesato, Pfenning | 1996
  Citation context: "...resentation of rules was inspired by Schroeder-Heister's [48] `rules of higher level' in natural deduction. The current approach is essentially identical to that of Felty and Miller [9, 10]. Pfenning [43] surveys other work on logical frameworks. Exercise 3.1. Express this substitution rule, where P serves as a template for substitution, in Isabelle form: t = u P..."
- 176 | An Introduction to Inductive Definitions | Aczel | 1977
- 175 | Logic programming in the LF logical framework | Pfenning | 1991
- 169 | A unification algorithm for typed λ-calculus | Huet | 1975
  Citation context: "... to t[u/x]: this is easy. But sometimes Isabelle must solve equations like ?f(t) ≡ g u_1 … u_k. This task involves making guesses for the unknown function ?f. Isabelle uses a refinement of Huet's [14] search procedure. It solves equations by guessing the leading symbol of ?f, simplifying, then recursively unifying the result. In the general case, higher-order unification is undecidable. Fortunately..."
- 165 | Logic and Computation: Interactive Proof with Cambridge LCF | Paulson | 1987
- 103 | A Gentle Introduction to Haskell | Hudak, Fasel, et al. | 1996

- 98 | Seventy-five Problems for Testing Automatic Theorem Provers | Pelletier | 1986
  Citation context: "...goal's conclusion and assumptions, and proving resulting trivial subgoals by assumption. Here are some examples of what the classical reasoner can prove. We begin with #40 from Pelletier's problem set [42]. It is rather easy; its proof requires only 0.5 seconds on a fast SPARCstation. (∃y ∀x. Pxy ↔ Pxx) → ¬∀x ∃y ∀z. Pzy ↔ ¬Pzx. The classical reasoner can prove many set-theoretic identities. For this task..."
- 97 | Type Theory and Functional Programming | Thompson | 1991
- 82 | Axiomatic Set Theory | Suppes | 1960
  Citation context: "..., which is why they are found in specification languages such as Z and B. Isabelle implements two set theories. Isabelle/ZF [34] is built upon first-order logic using the standard Zermelo-Fraenkel axioms [50]. Isabelle's higher-order logic (Isabelle/HOL) includes a polymorphically typed set theory, with sets represented by predicates. The two theories are similar but not identical; below we shall consider..."
- 76 | Co-induction in relational semantics | Milner, Tofte | 1991
  Citation context: "... reduction relations. To demonstrate coinductive definitions, Frost [11] has proved the consistency of the dynamic and static semantics for a small functional language. The example, by Milner and Tofte [26], concerns a coinductively defined typing relation. Isabelle/ZF supports codatatypes, which are like datatypes but admit infinitely deep nesting. (Constructing non-well-founded trees in the presence of th..."
- 73 | The Semantics of Programming Languages: An Elementary Introduction using Structural Operational Semantics | Hennessy | 1990
  Citation context: "...2 Inductive Definitions. An inductive definition specifies the least set closed under a given collection of rules [1]. The set of theorems in a logic is inductively defined. A structural operational semantics [13] inductively defines an evaluation relation on programs. Dually, a coinductive definition specifies the greatest set closed under given rules. Equivalence of concurrent processes is often defined coinductivel..."
- 67 | Fundamentals of deductive program synthesis | Manna, Waldinger | 1992
  Citation context: "...ors at the Max Planck Institute, Saarbrücken have worked on deriving logic programs [2], functional programs [4] and hardware [5]. Coen [8] has implemented a variant of Manna and Waldinger's approach [19] to refinement of functional programs. His Classical Computational Logic (CCL) extends first-order logic with a functional language defined by an operational semantics. He derives programs in this language,..."
- 65 | Implementing tactics and tacticals in a higher-order logic programming language | Felty | 1993
- 51 | Winskel is (almost) right: Towards a mechanized semantics | Nipkow | 1998
  Citation context: "...need only mention subgoal 1, as other subgoals are moved up when the first subgoal is proved. 6.4 Applications of (Co)Inductive Definitions. Several large studies use inductive definitions. Lötzbeyer et al. [18, 31] have related the operational and denotational semantics of Winskel's toy programming language IMP [52]. Using different techniques, Nipkow [30] and Rasmussen [45] have both proved the Church-Rosser t..."
- 47 | Protocol Failures in Cryptosystems | Moore | 1988
  Citation context: "...sis. Protocols are treated at a high level, rather than as strings of bits. Encryption is regarded as a primitive; we cannot detect attacks that rely on numerical idiosyncrasies of encryption methods [27]. Such attacks can be prevented by including redundancy in the body of each encrypted message. Agents include the server, the friendly agents and the spy. We can model attacks where the spy is an insi..."
- 46 | A natural extension of natural deduction | Schroeder-Heister | 1984
  Citation context: "...hat from premises to conclusion. It is implication: not the implication of first-order logic, but implication at the metalevel. We can regard →-intr as a rule whose premise is itself a rule, namely P ⟹ Q [48]. We must augment resolution to allow for nesting of ⟹. Let us consider why. To prove P → (Q → (P ∧ Q)), resolution with →-intr yields the subgoal P ⟹ Q → (P ∧ Q); as expected, the step adds P to the as..."
- 45 | Set theory for verification: I. From foundations to functions | Paulson | 1993
- 44 | A fixedpoint approach to implementing (co)inductive definitions | Paulson
- 42 | Set theory for verification: II. Induction and recursion | Paulson | 1995

- 39 | More Church-Rosser proofs (in Isabelle/HOL) | Nipkow
  Citation context: "...e studies use inductive definitions. Lötzbeyer et al. [18, 31] have related the operational and denotational semantics of Winskel's toy programming language IMP [52]. Using different techniques, Nipkow [30] and Rasmussen [45] have both proved the Church-Rosser theorem. A datatype specifies the set of λ-terms, while inductive definitions specify several reduction relations. To demonstrate coinductive definition..."
- 36 | LEGO Proof Development System: User's Manual | 1992
- 33 | Depth-first iterative-deepening: An optimal admissible tree search | Korf | 1985
  Citation context: "...its first argument to its second. It is the user's responsibility to ensure that the eliminated alternatives are not needed. There are tacticals for several other search strategies: iterative deepening [16], best-first, etc. The argument satp is a boolean-valued function specifying what kind of state to search for, typically in terms of how many subgoals are left unsolved. Artificial Intelligence textbooks..."
- 33 | Order-sorted polymorphism in Isabelle | Nipkow | 1993
  Citation context: "... declarations. Using type classes, we can specify whether to allow quantifications over booleans and functions. If we allow them, we get higher-order logic; otherwise we get many-sorted first-order logic [29]. 3. A General Approach to Quantifiers. ... kinds of variables is pragmatic. Unknowns may be replaced during unification; free variables remain fixed. This article often omits the question marks to avoid clutt..."
- 32 | Towards formal analysis of security protocols | Mao, Boyd | 1993
  Citation context: "... replacing nonce Na′ by A's original nonce Na (in message 2j), thereby fooling A into accepting key K_ca as a key for talking with B. This attack is more serious than that discovered by Mao and Boyd [20], where the server could detect that nonces are being misused. Unaware of Mao and Boyd's attack, I attempted to prove the protocol correct. I could not prove a subgoal containing messages 1 and 2j. In..."
- 26 | Generic automatic proof tools | Paulson | 1997
- 23 | Type reconstruction for type classes | Nipkow, Prehofer | 1995
- 19 | Interactive Program Derivation | Coen | 1992
- 18 | Function definition in Higher-Order Logic | Slind | 1996
- 16 | Mechanizing set theory: Cardinal arithmetic and the axiom of choice | Paulson, Grąbczewski | 1996
  Citation context: "... Matthews is using Isabelle to implement Feferman's theory of finitary inductive definitions, FS0 [21]. Grąbczewski has mechanized the first two chapters of Rubin and Rubin's Equivalents of the Axiom of Choice [41]. To conclude, let us recall those features of Isabelle that have turned out to be particularly successful. Designers of new tools should bear them in mind. A higher-order syntax supports variable bin..."
- 16 | A Concrete Final Coalgebra Theorem for ZF Set Theory | Paulson | 1994
- 15 | Verification of compiler correctness for the WAM | Pusch | 1996
  Citation context: "...ly the composition operator combines a function with a list of functions. The `list of' operator is monotonic, however, and Isabelle allows monotonic operators to appear in inductive definitions. Pusch [44] is proving the correctness of a compiling algorithm from Prolog to the Warren Abstract Machine (WAM). She uses datatypes to formalize Prolog's syntax and data structures involved in the interpretatio..."
- 14 | Encoding a Dependent-Type λ-Calculus in a Logic Programming Language. Rapport de recherche 1259, Inria | Felty, Miller | 1990
- 10 | Implementing FS0 in Isabelle: adding structure at the metalevel | Matthews | 1996
  Citation context: "... As a first example of modular presentation of logics, they have implemented a wide variety of modal logics. Matthews is using Isabelle to implement Feferman's theory of finitary inductive definitions, FS0 [21]. Grąbczewski has mechanized the first two chapters of Rubin and Rubin's Equivalents of the Axiom of Choice [41]. To conclude, let us recall those features of Isabelle that have turned out to be parti..."
- 10 | The Church-Rosser theorem in Isabelle: A proof porting experiment | Rasmussen | 1995
  Citation context: "...tive definitions. Lötzbeyer et al. [18, 31] have related the operational and denotational semantics of Winskel's toy programming language IMP [52]. Using different techniques, Nipkow [30] and Rasmussen [45] have both proved the Church-Rosser theorem. A datatype specifies the set of λ-terms, while inductive definitions specify several reduction relations. To demonstrate coinductive definitions, Frost [11] has p..."
- 9 | A Structure Preserving Encoding of Z | Kolyang, Wolff, et al. | 1996
  Citation context: "...nification. Rasmussen has embedded the relational hardware description language Ruby using Isabelle's ZF set theory [46]. Two separate projects aim to support the Z specification language. Kolyang et al. [15] report a promising implementation of Z schemas. The TokiZ project [17] has built a prototype including a deductive system for Z and much of Z's mathematical library. Isabelle has been a..."
- 9 | The Coq proof assistant user's guide | Dowek et al. | 1993
- 8 | Generic system support for deductive program development | Ayari, Basin | 1996
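The citation contexts for Aczel, Hennessy and Winskel above describe an inductive definition as the least set closed under a collection of rules, which Isabelle computes as a least fixed point, and the Moore context describes a protocol model in which encryption is a primitive and the spy may be an insider. The Python program below is an added example, not code from Paulson's paper or from Isabelle: it computes what a spy who sees every message can extract from the traffic as exactly such a least fixed point, then asks whether the spy can compose a given message from what it holds. The agent names, keys, nonces, the three-message sample trace, the insider variant and the function names analz and synth are all constructed and assumed here, not taken from the page.

```python
"""Spy knowledge as a least fixed point (added example, not Isabelle code).

Encryption is a primitive: a Crypt(k, x) node yields x only to a holder of k
(symmetric keys are assumed). Agent names are public; nonces and keys can be
learnt only by reading them out of traffic. Everything below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Union


@dataclass(frozen=True)
class Agent:
    name: str


@dataclass(frozen=True)
class Nonce:
    label: str


@dataclass(frozen=True)
class Key:
    label: str


@dataclass(frozen=True)
class Crypt:
    key: Key
    body: "Msg"


@dataclass(frozen=True)
class Pair:
    fst: "Msg"
    snd: "Msg"


Msg = Union[Agent, Nonce, Key, Crypt, Pair]


def analz(h: FrozenSet[Msg]) -> FrozenSet[Msg]:
    """Least set containing h and closed under the two decomposition rules
         Pair(x, y) in S                ==> x in S and y in S
         Crypt(k, x) in S and k in S    ==> x in S
    Computed by iterating the rules from h until nothing new appears; the
    sets are finite, so the iteration reaches the least fixed point."""
    s = set(h)
    while True:
        new = set()
        for m in s:
            if isinstance(m, Pair):
                new.add(m.fst)
                new.add(m.snd)
            elif isinstance(m, Crypt) and m.key in s:
                new.add(m.body)
        if new <= s:
            return frozenset(s)
        s |= new


def synth(s: FrozenSet[Msg], m: Msg) -> bool:
    """Can the spy compose m from parts in s? Pairs are built from their
    parts, encryption needs the key, names are public, and a nonce or key
    not already in s cannot be guessed."""
    if m in s or isinstance(m, Agent):
        return True
    if isinstance(m, Pair):
        return synth(s, m.fst) and synth(s, m.snd)
    if isinstance(m, Crypt):
        return m.key in s and synth(s, m.body)
    return False


def spy_knowledge(initial: FrozenSet[Msg], trace: FrozenSet[Msg]) -> FrozenSet[Msg]:
    """Everything the spy holds after seeing the whole trace."""
    return analz(initial | trace)


# Constructed scenario: server S issues session key Kab to A and B, each copy
# under the long-term key that agent shares with S. C is the spy.
A, B, S, C = Agent("A"), Agent("B"), Agent("S"), Agent("C")
KA, KB, KC, KAB = Key("Ka"), Key("Kb"), Key("Kc"), Key("Kab")
NA, NB, NC = Nonce("Na"), Nonce("Nb"), Nonce("Nc")

TRACE = frozenset({
    Pair(A, B),                  # message 1, sent in the clear
    Crypt(KA, Pair(NA, KAB)),    # A's copy of the session key
    Crypt(KB, Pair(NB, KAB)),    # B's copy of the session key
})
OUTSIDER = frozenset({A, B, S, C, KC})            # public names plus C's own key
INSIDER_TRACE = TRACE | {Crypt(KC, Pair(NC, KAB))}  # S also issued Kab to C


def session_key_leaks(initial: FrozenSet[Msg], trace: FrozenSet[Msg]) -> bool:
    return KAB in spy_knowledge(initial, trace)


if __name__ == "__main__":
    print("outsider learns Kab:", session_key_leaks(OUTSIDER, TRACE))          # False
    print("insider learns Kab: ", session_key_leaks(OUTSIDER, INSIDER_TRACE))  # True
    k = spy_knowledge(OUTSIDER, INSIDER_TRACE)
    # The insider can now forge traffic under Kab, but not using B's nonce Nb,
    # which only ever travelled under Kb.
    print("forge {A, Nc}_Kab:", synth(k, Crypt(KAB, Pair(A, NC))))  # True
    print("forge {A, Nb}_Kab:", synth(k, Crypt(KAB, Pair(A, NB))))  # False
```

The closure in analz is the same shape as the fixed-point iteration the contexts attribute to Isabelle's inductive definitions; the difference is that a mechanized proof quantifies over all traces the protocol rules admit, whereas this script checks one constructed trace, which is enough to see why an insider spy needs separate treatment from an outsider.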