## Towards Self-verification of HOL Light (2006)

Venue: International Joint Conference on Automated Reasoning

Citations: 16 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Harrison06towardsself-verification,
  author    = {John Harrison},
  title     = {Towards Self-verification of HOL Light},
  booktitle = {In International Joint Conference on Automated Reasoning},
  year      = {2006},
  pages     = {177--191},
  publisher = {Springer-Verlag}
}
```

### Abstract

The HOL Light prover is based on a logical kernel consisting of about 400 lines of mostly functional OCaml, whose complete formal verification seems to be quite feasible. We would like to formally verify (i) that the abstract HOL logic is indeed correct, and (ii) that the OCaml code does correctly implement this logic. We have performed a full verification of an imperfect but quite detailed model of the basic HOL Light core, without definitional mechanisms, and this verification is entirely conducted with respect to a set-theoretic semantics within HOL Light itself. We will duly explain why the obvious logical and pragmatic difficulties do not vitiate this approach, even though it looks impossible or useless at first sight. Extension to include definitional mechanisms seems straightforward enough, and the results so far allay most of our practical worries.

1 Introduction: quis custodiet ipsos custodes? Mathematical proofs are subjected to peer review before publication, but there

### Citations

- 852 | A formulation of the simple theory of types. Church, 1940.
  Citation context: ...n and so unlikely to feature the same implementation bugs. 2 Thanks to Rob Arthan for pointing out this kind of possibility. 4 HOL Light foundations and axioms. HOL Light’s logic is simple type theory [3, 1] with polymorphic type variables. The terms of the logic are those of simply typed lambda calculus, with formulas being terms of boolean type, rather than a separate category. Every term has a single ...

- 501 | Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Gordon, Melham, 1993.
  Citation context: ...from being unknown, and on at least one occasion, there was an announcement that an open problem had been solved by a theorem prover, later traced to a bug in the prover. For example, versions of HOL [9] have in the past had errors of two kinds: 1 – Errors in the underlying logic, e.g. early versions allowed constant definitions with type variables occurring in the definiens but not the constant. – E...

- 427 | Introduction to higher order categorical logic. Lambek, Scott, 1986.
  Citation context: ...Γ ⊢ p where p is a term of boolean type and Γ is a set (possibly empty) of terms of boolean type. There are ten primitive rules of inference, rather similar to those for the internal logic of a topos [12]. REFL: ⊢ t = t. TRANS: from Γ ⊢ s = t and ∆ ⊢ t = u infer Γ ∪ ∆ ⊢ s = u. MK_COMB: from Γ ⊢ s = t and ∆ ⊢ u = v infer Γ ∪ ∆ ⊢ s(u) = t(v). ABS: from Γ ⊢ s = t infer Γ ⊢ (λx. s) = (λx. t). BETA: ⊢ (λx. t)x = t. ASSUME: {p} ⊢ p. From Γ ⊢ p ⇔ q and ∆ ⊢ p infer Γ ∪ ∆ ⊢ q ...

- 308 | An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Andrews, 2002.
  Citation context: ...n and so unlikely to feature the same implementation bugs. 2 Thanks to Rob Arthan for pointing out this kind of possibility. 4 HOL Light foundations and axioms. HOL Light’s logic is simple type theory [3, 1] with polymorphic type variables. The terms of the logic are those of simply typed lambda calculus, with formulas being terms of boolean type, rather than a separate category. Every term has a single ...

- 87 | Edinburgh LCF: A Mechanised Logic. Gordon, Milner, et al., 1979.
  Citation context: ...ere are established approaches to this problem. Some systems satisfy the de Bruijn criterion [2]: they can output a proof that is checkable by a much simpler program. Others based on the LCF approach [10] generate all theorems internally using a small logical kernel: only this is allowed to create objects of the special type ‘theorem’, just as only the kernel of an operating system is allowed to execu...

- 69 | HOL Light: A tutorial introduction. Harrison, 1996.
  Citation context: ...the absence of a highly rigorous abstract specification of the logic, it’s not always easy to categorize errors in this way, but these examples seem clear. HOL system [9] and its descendant HOL Light [11] are LCF-style provers. HOL Light is constructed on top of a logical kernel consisting of only around 400 lines of Objective CAML. Thus, if we accept that the interface to the trusted kernel is correc...

- 48 | A type-theoretical alternative to ISWIM. Scott, 1993.
  Citation context: ...nstrument an LCF kernel so that it does actually output separately checkable proofs [22]. The original Edinburgh LCF system was designed to support proofs in a special ‘Logic of Computable Functions’ [19], hence the name LCF. But the key idea, as Gordon [8] emphasizes, is equally applicable to more orthodox logics supporting conventional mathematics, and subsequently many ‘LCF-style’ proof checkers ha...

- 32 | Reasoning about Terminating Functional Programs. Slind, 1999.
  Citation context: ... we model much of the OCaml code in the core faithfully. Most syntax functions are purely functional, and we “naively” transcribe them into corresponding definitional theorems in the logic, following [20]. In general, recursive functions in OCaml may fail to terminate, and this aspect is not adequately modelled by our encoding. 5 In practice all the functions we use do terminate, and without some indu...

- 29 | Ivy: A preprocessor and proof checker for first-order logic. McCune, Shumsky, 2000.
  Citation context: ...f a ‘real’ theorem prover has been verified against a semantic model, though syntactic features of the HOL logic have been formalized before [23], and full correctness for a first-order proof checker [14] and a simple first-order tableau prover [17] have been verified. We believe that a proof based on a semantics is more valuable than one relative to an abstract description of the same deductive syste...

- 26 | How to believe a machine-checked proof. Pollack, 1998.
  Citation context: ...achine-checked proofs that we couldn’t conceivably ‘survey’ ourselves, provided we understand and have confidence in the checking program — in this sense a proof checker provides intellectual leverage [16]. But how can we, or why should we? Who checks the checker? 2 LCF. Many practitioners consider worries about the fallibility of provers somewhat pointless. Experience shows unambiguously that typical m...

- 25 | Axiom of choice and complementation. Diaconescu, 1975.
  Citation context: ...f taste. – The axiom of choice SELECT_AX, asserting that the Hilbert operator ε is a choice operator: ⊢ P x =⇒ P ((ε)P ). It is only from this axiom that we can deduce that the HOL logic is classical [5]. – The axiom of infinity INFINITY_AX, discussed further below. In addition, HOL Light includes two principles of definition, which allow one to extend the set of constants and the set of types in a w...

- 24 | The impact of the lambda calculus in logic and computer science. Barendregt, 1997.
  Citation context: ...eckers are large and complex systems of software, their correctness is certainly open to doubt. However, there are established approaches to this problem. Some systems satisfy the de Bruijn criterion [2]: they can output a proof that is checkable by a much simpler program. Others based on the LCF approach [10] generate all theorems internally using a small logical kernel: only this is allowed to crea...

- 19 | The HOL logic extended with quantification over type variables. Melham, 1993.
  Citation context: ...ct types of types and terms. Another avenue for future work would be to extend the semantics to cover extensions to the logic, such as the introduction of quantifiers over type variables suggested in [15]. Tom Ridge has already updated large parts of HOL Light to incorporate them, and we believe the extension of the semantics is straightforward. Acknowledgements. I would like to thank Rob Arthan, who f...

- 13 | Representing higher-order logic proofs in HOL. Wright, 1995.
  Citation context: ...is is the first time anything close to the implementation of a ‘real’ theorem prover has been verified against a semantic model, though syntactic features of the HOL logic have been formalized before [23], and full correctness for a first-order proof checker [14] and a simple first-order tableau prover [17] have been verified. We believe that a proof based on a semantics is more valuable than one rela...

- 11 | Fidelity in mathematical discourse: Is one and one really two? American Mathematical Monthly 79(3):252–263. Davis, 1972.
  Citation context: ...ries. 1 Introduction: quis custodiet ipsos custodes? Mathematical proofs are subjected to peer review before publication, but there are plenty of cases where published results turned out to be faulty [13, 4]. Such errors seem more likely in mathematical correctness proofs of algorithms, protocols etc. These tend to be more messy and intricate than (most) proofs in pure mathematics, and those performing t...

- 10 | Recording HOL proofs. Wong, 1993.
  Citation context: ...that the proof exists only ephemerally and is checked by the kernel as it is created. And it is straightforward to instrument an LCF kernel so that it does actually output separately checkable proofs [22]. The original Edinburgh LCF system was designed to support proofs in a special ‘Logic of Computable Functions’ [19], hence the name LCF. But the key idea, as Gordon [8] emphasizes, is equally applica...

- 8 | Representing a logic in the LCF metalanguage. Gordon, 1982.
  Citation context: ...t separately checkable proofs [22]. The original Edinburgh LCF system was designed to support proofs in a special ‘Logic of Computable Functions’ [19], hence the name LCF. But the key idea, as Gordon [8] emphasizes, is equally applicable to more orthodox logics supporting conventional mathematics, and subsequently many ‘LCF-style’ proof checkers have been designed using the same principles. In partic...

- 5 | A Mechanically Verified, Efficient, Sound and Complete Theorem Prover For First Order Logic. Isabelle Archive of Formal Proofs. Ridge, 2004.
  Citation context: ...gainst a semantic model, though syntactic features of the HOL logic have been formalized before [23], and full correctness for a first-order proof checker [14] and a simple first-order tableau prover [17] have been verified. We believe that a proof based on a semantics is more valuable than one relative to an abstract description of the same deductive system: even the abstract definitions of notions l...

- 3 | Formal techniques and sizeable programs (EWD563). Dijkstra, 1976.
  Citation context: ... be more messy and intricate than (most) proofs in pure mathematics, and those performing the proofs are often not primarily trained as mathematicians. So while there are still some voices of dissent [6], there is a general consensus in the formal verification world that correctness proofs should be at least checked, and perhaps partly or wholly generated, by computer. In pure mathematics a similar o...

- 3 | Gödel’s Incompleteness Theorems, Volume 19 of Oxford Logic Guides. Smullyan, 1992.
  Citation context: ...wn semantics, and Gödel’s second incompleteness theorem tells us that it cannot prove its own consistency in any way at all — unless of course it isn’t consistent, in which case it can prove anything [21]. So, regardless of implementation details, if we want to prove the consistency of a proof checker, we need to use a logic that in at least some respects goes beyond the logic the checker itself suppo...

- 2 | Reasoning about theoretical entities, Volume 3. Forster, 2003.
  Citation context: ...erm * term | Abs of term * term 4 In simple type theory, it is problematic defining a general type of cardinals, but many arguments can be rephrased in terms of cardinal comparison and set operations [7]. In the HOL formalization, we wire in the two primitive constants, where ‘Equal α’ represents (=) : α → α → bool and ‘Select α’ represents (ε) : (α → bool) → α, and we syntactically force the bound v...

- 2 | An overview of the MIZAR project. Available on the Web as http://web.cs.ualberta.ca/~piotr/Mizar/MizarOverview.ps. Rudnicki, 1992.
  Citation context: ...gic the checker itself supports. The most obvious approach, therefore, would be to verify HOL Light using a system whose logic is at least strong enough to formalize HOL Light’s semantics, e.g. Mizar [18] based on Tarski-Grothendieck set theory. Instead, simply on the grounds of personal expertise with it, we have chosen to verify HOL Light in itself. Of course, in the light of the above observations,...

- 1 | Erreurs de Mathematiciens. Lecat, 1935.
  Citation context: ...ries. 1 Introduction: quis custodiet ipsos custodes? Mathematical proofs are subjected to peer review before publication, but there are plenty of cases where published results turned out to be faulty [13, 4]. Such errors seem more likely in mathematical correctness proofs of algorithms, protocols etc. These tend to be more messy and intricate than (most) proofs in pure mathematics, and those performing t...