43 citations found.
Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


This paper is cited in the following contexts:
A Verification Environment for I/O Automata - Müller (1998)

....comparison to HOL, Isabelle is more generic, comes with more builtin theorem proving power, and appears to be more user friendly, as it provides powerful syntactic facilities. In contrast to PVS, Isabelle is more flexible, offers several logics, and is built according to the LCF system approach [Pau87]. The latter means that every proof is internally broken down to a small and clear set of primitive inferences. This considerably increases the confidence in the soundness of the proof tool itself and thus in its machine checked proofs. A further advantage of the expressiveness of higher order ....

....Reg94] for short HOLCF) conservatively extends HOL with concepts of domain theory such as complete partial orders, continuous functions and a fixpoint operator. By this means it supports reasoning in Scott's Logic for Computable Functions [SG90, Win93]. The logic of the Cambridge LCF prover [Pau87] constitutes a proper sublanguage of HOLCF. Whereas HOL is restricted to total functions, HOLCF allows arbitrary recursive function definitions and is therefore especially useful for handling infinite or partial objects. Partial Orders as Type Classes. HOLCF uses Isabelle's type classes [Wen97] ....

[Article contains additional citation context not shown here]

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


A Logical Framework for Inductive Inference and Its Rationality - Li (1999)

....a formula, a set of formulas and the theoretical closure of under the deduction (for example, Gentzen style) rules. CN( FN( and PN( are the sets of constants, functions, and predicates of . A is called a sequent and denotes the A is deduced from according to Gentzen style deduction rules [11]. Here, is a sequence, it is also taken as a set of formulas when it is required [11] A model M is a pair of M; I , where M is a domain, I is an interpretation. Sometimes, M is used to denote a model for a particular problem . TM denotes the set of all true sentences of M and is a ....

....example, Gentzen style) rules. CN( FN( and PN( are the sets of constants, functions, and predicates of . A is called a sequent and denotes the A is deduced from according to Gentzen style deduction rules [11] Here, is a sequence, it is also taken as a set of formulas when it is required [11]. A model M is a pair of M; I , where M is a domain, I is an interpretation. Sometimes, M is used to denote a model for a particular problem . TM denotes the set of all true sentences of M and is a countable set. To simplify the proofs, it is assumed that TM has the built in Skolem ....

[Article contains additional citation context not shown here]

Paulson, L., Logic and Computations, Cambridge University Press, 1987, 38-50. 16


Bridging System Views - Breitling, Philipps

....of the system. To derive a black box view of a system from its properties of its executions we extract the value of the input and output streams of a system in the virtual last state of an execution. A system invariant stays valid in all states during an execution. If it is also admissible [16], is valid for an infinite execution, as it is expressed in the following rule, suitable to show safety history properties of a system. adm S j= 2 [ S] S j= #o = 7 #o [ S] #o The second rule allows the derivation of a specific liveness property that we call ....

....according to the structure of invariance and response diagrams to temporal logic formulas. The derivation of the history properties from the temporal logic properties is not handled within our formalization: This would require the use of the much more complicated logic of computable functions [16]. The Isabelle formalization is documented in [5]. The theory files and proof scripts can be accessed electronically [2]. Introductory texts to Isabelle are also available electronically [11]. 5 Examples This section gives a short overview of two examples for our approach. The first example is a ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Bridging System Views - Breitling, Philipps

....of the system. To derive a black box view of a system from its properties of its executions we extract the value of the input and output streams of a system in the virtual last state of an execution. A system invariant # stays valid in all states during an execution. If it is also admissible [16], # is valid for an infinite execution, as it is expressed in the following rule, suitable to show safety history properties of a system. adm # S = ## [ S] # # S = #o = # # # # ## #o # [ S] # #o # # The second rule allows the derivation of a specific liveness property ....

....according to the structure of invariance and response diagrams to temporal logic formulas. The derivation of the history properties from the temporal logic properties is not handled within our formalization: This would require the use of the much more complicated logic of computable functions [16]. The Isabelle formalization is documented in [5]. The theory files and proof scripts can be accessed electronically [2]. Introductory texts to Isabelle are also available electronically [11]. 5 Examples This section gives a short overview of two examples for our approach. The first example is ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Region-Based Qualitative Geometry - Bennett, Cohn, Torrini, Hazarika (2000)

....of propositional derived rules and structural rules. We will refer explicitly to natural deduction sequent rules for , 8 and 9, using a 8 elim which can easily account for left introduction as much as the ordinary 9 elim, in order to mimic sequent calculus rules when useful. We refer to (Paulson 1987) for the use of natural deduction in tactic based theorem proving, and to (Gordon et al. 1999) for the relation between natural deduction rules and the axiomatisation of the HOL version of higher order logic. Here is a list of the rules that we are using, plus a few more. The metarule P rop, in ....

Paulson, L.: 1987, Logic and computation, Cambridge University Press.


Part I: Verifying in the Small - Didrich, Fett

....cannot be derived by our calculus. These include for example propositions about fixpoints or about one value not being contained in another, as such goals are not needed to prove properties of Opal structures. The design of the calculus is heavily influenced by the PP calculus as presented in [Pau87]. Hence, the calculus also is designed for backwards proofs. The process of proving begins with a goal from which (hopefully) simpler subgoals are derived until the proof tree is completed. We distinguish four kinds of rules in our calculus: structural rules, logical rules, predicate rules, and ....

....cut rule. With the help of this rule proofs can be structured by introducing lemmata. Gamma Delta; A Gamma; A Delta Gamma Delta (cut) 3.2 Logical Rules Logical Rules describe how the logical connectives are to be handled. Most of these are common standard and can be found e.g. in [Pau87] so we just give 11 the rules for conjunction as an example. The whole Basic Calculus is given in Appendix A. Gamma; A; B Delta Gamma; A B Delta ( left) Gamma Delta; A Gamma Delta; B Gamma Delta; A B ( right) Quantified variables in Opal are restricted to defined ....

[Article contains additional citation context not shown here]

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Winskel is (almost) Right - Towards a Mechanized Semantics Textbook - Nipkow (1998)   (1 citation)

....total functions and venturing into the sea of continuity and undefinedness. The purpose of this section is to demonstrate that, given the right infrastructure (HOLCF ) this step need not be painful. HOLCF [Reg94, Reg95, MNOS98] is a conservative extension of HOL with the notions of domain theory [Pau87] employing Isabelle's axiomatic type classes [Wen97] which extend Haskell's type classes [HPJW92] with axioms. In particular, HOLCF provides • a class cpo of types which come equipped with a complete partial order v. • a subclass pcpo (pointed cpo) of cpos that also have a least element . ....

....like its relative (5) by rule induction, which is again almost automatic. by induction on c with nested fixpoint induction in the WHILE case. The rule of fixpoint induction [ adm P; P ; V x. P x = P(F x) P(fix F) is a theorem of HOLCF. It is applicable only if P is admissible [Pau87] (called inclusive by Winskel) expressed as the premise adm P, where adm : ff ) bool) bool. Fortunately, HOLCF already contains the lemma adm(u.P(u x) where the argument type of P must be a flat pcpo, and a lemma stating flatness of (ff)lift. These two lemmas automatically prove ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Reasoning Theories - Towards an Architecture for Open .. - Giunchiglia.. (1994)   (28 citations)

....It can be used for generating decision procedures for first order theories, checking consistency and completeness of equational specifications, and solving equations modulo an equational theory. The KADS system [61] uses resolution augmented with special purpose deciders. EHDM [66] and PVS [51] use a variety of ground decision procedures combined with rules for interactive proving. PVS has a rich type system and provides the ability to postpone type checking, by making presumptions, analogous to verification conditions. The Ontic rule compiler [42] compiles sets of rules of suitable ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Verification Diagrams for Dataflow Properties - Breitling, Philipps (2000)

.... For the safety part of the black box specifications, we need to show the following properties: Sender ] # x # i [ Receiver ] # o # y [ Receiver ] # #req # 1 #y [ Queue] # y # x [ Queue] # #ack # min(#x , #req N 1) All of these properties are admissible [16], hence it is sufficient to show that the properties are invariants of the state transitions systems. For example, we have to show: Sender = inv x # i 41 That these properties are invariants cannot be proven directly. Instead, we derive stronger invariants, which imply the safety properties ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Black Box Views of State Machines - Breitling, Philipps (1999)

....each such chain has a unique least upper bound s which is denoted by # s i i # N The operators defined above as well as the notion of chains and least upper bounds can be extended pointwise to tuples of streams. A function out of Msg # 1 # Msg # 2 is called a continuous function [28], i# # f (s i ) i # N = f ( # s i i # N ) Continuous functions are also monotonic: x # y # f (x ) # f (y) An example of a continuous function is the filter function #; M#s is the substream of s that contains only messages also contained in the set M . The filter ....

....machine. Technically, a property of the black box view [ S] is a history predicate # (see Section 4.1) which is valid for each valuation in a system's black box view: # # # [ S] # = # We then write [ S] # #. A useful class of history predicates is that of admissible predicates [28]. A history predicate # is admissible in a set of variable W # free(#) if it holds for the limit of a chain of valuations for its variables, provided that it holds for each element of the chain. If predicate # is admissible in free(#) it is simply called admissible. The free variables in a ....

[Article contains additional citation context not shown here]

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Step by Step to Histories - Breitling, Philipps (2000)

....i i # N . A predicate # where the free variables range over streams M # is admissible, if it holds for the limit of a chain of valuations for its variables, provided that it holds for each element of the chain. We then write adm #. Syntactical criteria for admissibility can be found in [12]. Stream concatenation and the prefix order can be extended pointwise to tuples of streams; continuity of functions and admissibility of prefix can also be defined for stream tuples. 2.2 Component Specification Figure 1 shows the system structure of a bounded transmission system with three ....

....form a chain. Because it is invariant, # holds for every element of the chain. Because of admissibility, it also holds in the limit. Example. In 4.1 we showed that x = i # is an invariant of the sender. Moreover, x # i is also an invariant since i # # i . This predicate is also admissible [12], and thus we can directly conclude [ Sender ] # x # i This means that the sender STD implies the first half of the sender's history specification in 2.2. Similarly, we can show [ Sender ] # #x # 1 #ack . 5.2 Progress Properties In general, progress properties expressed with the ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Diagrams for Dataflow - Breitling, Philipps (2000)

....according to the structure of invariance and response diagrams to temporal logic formulas. The derivation of the I O history properties from the temporal logic properties is not handled within our formalization: This would require the use of the much more complicated logic of computable functions [12]. The Isabelle formalization is documented in [4]. The theory files and proof scripts can be accessed electronically [3]. Introductory texts to Isabelle are also available electronically [8]. Design tools. The translation of the state transition and verification diagrams into an Isabelle theory ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Induction Proofs with Partial Functions - Giesl (1998)

....admissible formulas. Hence, systems based on denotational semantics usually have complicated tests for admissibility (which still reject many admissible formulas) [62, p. 70]. Moreover, a full formalization of denotational semantics requires a higher order logic (as it is for instance used in lcf [31, 62] and its descendants hol [32] and isabelle [63]). Of course, compared to provers working on a first order language, these systems are much more expressive, but in general, higher order logics often raise harder problems for automation [5]. For that reason, an alternative formalization has been ....

....partial algorithms, too. 14 Essentially, the reason is that our basic (i.e. non function) data types are flat complete partial orderings. Thus, in a first order formula, all occurrences of functions are in terms of chain finite type. A similar admissibility criterion is for instance used in lcf [62] and a slightly weaker criterion has also been suggested in [70, 71] where however the restriction to chain finite terms is not mentioned. 15 As an example, let f be defined by f(x) 0 and let g have the defining equations g(0) 0, g(s(x) g(x) The conjecture 8x ( def(x) def(f(x) ....

Paulson, L. C., Logic and Computation, Cambridge University Press (1987).


Partial Functions in Induction Theorem Proving (Extended Abstract) - Giesl (1998)

....based on denotational semantics instead. The classical technique for proofs about denotational semantics is computational induction (e.g. D. Scott's fixpoint induction [Sco69]). A full formalization of denotational semantics requires a higher order logic (as it is for instance used in lcf [Pau87]) but an alternative formalization of an lcf like calculus with fixpoint induction using first order logic can be found in [Sha89]. However, while fixpoint induction is a powerful tool for reasoning about programs, it is less suitable for automation. For that reason, virtually all (explicit) ....

Paulson, L. C., Logic and Computation, Cambridge University Press, 1987.


Formal Techniques in the Development of Blackboard Systems - Craig (1995)

....of reasoning about time: another complex process, requiring much proof. It may be argued that the state of automatic theorem proving programs is insufficient to support this amount of proof: the reply is that one need not do it all by hand, and that machine support is available for example, lcf [15, 32] or hol [16] In support of all this effort, we offer the following remarks. The first is of practical. If the system that is to be built is intended to be safety critical, it must be realized that lives may depend upon its correct functioning. The best guarantees of correct functioning that can ....

Paulson, L., Logic and Computation, Cambridge University Press, 1987.


Possibly Infinite Sequences in Theorem Provers: A.. - Devillers, Griffioen.. (1997)   (9 citations)

....section we summarize the distinguishing aspects of the different tools used, as far as they are relevant to the sequence formalizations. 2.1 The different Logics Isabelle HOL and Gordon's HOL. Gordon's HOL [GM93] is a theorem prover for higher order logic developed according to the LCF approach [Pau87]. Isabelle [Pau94] is a generic theorem prover that supports a number of logics, among them first order logic (FOL), Zermelo Frankel set theory (ZF), constructive type theory (CTT), higher order logic (HOL) and others. As Isabelle HOL and Gordon's HOL are similar, we will in general not ....

....HOL incorporates Hilbert's choice operator as a primitive constant. HOLCF. HOLCF [Reg95] conservatively extends Isabelle HOL with concepts of domain theory such as complete partial orders, continuous functions and a fixed point operator. As a consequence, the logic of the original LCF tool [Pau87] constitutes a proper sublanguage of HOLCF. HOLCF uses Isabelle's type classes, similar to Haskell, to distinguish between HOL and LCF types. A type class is a constraint on a polymorphic variable restricting it to the class of types fulfilling certain requirements. For example, there is a type ....

[Article contains additional citation context not shown here]

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Step by Step to Histories - Breitling, Philipps (2000)

....s i j i 2 Ng. A predicate Phi where the free variables range over streams M is admissible, if it holds for the limit of a chain of valuations for its variables, provided that it holds for each element of the chain. We then write adm Phi. Syntactical criteria for admissibility can be found in [12]. Stream concatenation and the prefix order can be extended pointwise to tuples of streams; continuity of functions and admissibility of prefix can also be defined for stream tuples. 2.2 Component Specification Figure 1 shows the system structure of a bounded transmission system with three ....

....of it is invariant, Phi holds for every element of the chain. Because of admissibility, it also holds in the limit. Example. In § 4.1 we showed that x = i ffi is an invariant of the sender. Moreover, we have i ffi v i , and thus x v i is also an invariant. This predicate is also admissible [12], and thus we can directly conclude [ Sender ] x v i This means that the sender STD implies the first half of the sender's history specification in § 2.2. Similarly, we can show [ Sender ] #x 1 #ack . 5.2 Progress Properties In general, progress properties expressed with the leadsto ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Winskel is (almost) Right - Towards a Mechanized Semantics Textbook - Nipkow (1998)   (1 citation)

....of HOL's total functions and venturing into the sea of continuity and undefinedness. The purpose of this section is to demonstrate that, given the right infrastructure (HOLCF ) this step need not be painful. HOLCF [10, 11] is a conservative extension of HOL with the notions of domain theory [7]. In particular it provides a class pcpo (pointed cpo) of types which come equipped with a complete partial order v and a least element . a space of continuous functions between pcpos, together with its own abstraction , infix application , composition oo, and fixpoint operator fix. We ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Interpreter Verification for a Functional Language - Broy, Hinkel, Nipkow.. (1994)   (2 citations)

....e.g. v and fixpoints. The obvious choice for a machine assisted version of the proof is LCF [7] a Logic for Computable Functions, which formalizes standard domain theory. Having fixed the precise logic, we still had a choice between two theorem provers supporting this logic: Cambridge LCF [15] and Isabelle LCF. Cambridge LCF is dedicated solely to theorem proving in LCF whereas Isabelle [16] is a generic theorem prover which supports a host of other logics apart from LCF, e.g. FirstOrder Logic (FOL) Zermelo Fraenkel set theory (ZF) and Higher Order Logic (HOL) Isabelle can be ....

....and proof search via backtracking. These features give rise to powerful proof procedures which are a definite advance in automation over what Cambridge LCF has to offer. Thus we opted for Isabelle LCF, which is an extension of Isabelle FOL and follows the logic LCF as described by Paulson [15] as closely as possible. We will therefore concentrate on the differences between LCF and Isabelle LCF. Syntax Due to Isabelle's flexible front end, the only syntactic difference is that curried application f x y, where f : 1 2 3 , is written f(x; y) Correspondingly, 1 2 3 may be ....

[Article contains additional citation context not shown here]

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


μJava: Embedding a Programming Language in a Theorem.. - Nipkow, von Oheimb, Pusch (2000)

....types [Chu40, And86]. In the theorem proving community, higher order logic is often abbreviated to HOL and refers to the simple theory of types. We follow this convention which is due to one of the first theorem provers for this logic, Mike Gordon's HOL system [Gor85, GM93], a descendant of LCF [Pau87]. The work reported in this paper has been conducted with the help of Isabelle HOL: Isabelle [Pau94] is a generic interactive theorem prover, and Isabelle HOL an instance supporting HOL. There are many other systems supporting HOL, and many other higher order logics. Mike Gordon's HOL system has ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Diagrams for Dataflow - Breitling, Philipps (2000)

....according to the structure of invariance and response diagrams to temporal logic formulas. The derivation of the I O history properties from the temporal logic properties is not handled within our formalization: This would require the use of the much more complicated logic of computable functions [12]. The Isabelle formalization is documented in [4]. The theory files and proof scripts can be accessed electronically [3]. Introductory texts to Isabelle are also available electronically [8]. Design tools. The translation of the state transition and verification diagrams into an Isabelle theory is ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Integrating Algebraic Specification and Functional.. - Didrich, Exner, al. (1994)

....language has been incorporated to serve as such a representation. Properties are expressed by first order predicate logic formulas. The primitive predicates are based on the complete partial ordering of definedness of functional expressions, much as in the Logic of Computable Functions [Pau87]. Closed formulas are used to state algebraic axiomatic laws, as in algebraic specification languages. A detailed proof calculus is currently under development ([DF94a, DF94b]) and outlined in the full version of the paper. Algebraic laws are encapsulated in so called property parts, which are ....

L.C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Compiler Support for Correctness Proofs - Didrich (1997)

....0 t = identity def succ(n) t = t; n t This example also gives an idea how the user may extend the set of predefined tacticals. These tacticals might again be defined in the functional programming language itself. Recall, that ml originated as programming language for the lcf theorem prover [5]. As a last resort, the derivation might also be developed interactively. Interactive development of a derivation is comparable to interactive debugging of an erroneous function implementation. With the help of an external tool the user tries to find the reason why the derivation has failed, and ....

L.C.Paulson. Logic and Computation. Cambridge University Press, 1987.


The Notion of Proof in Hardware Verification - Cohn (1989)   (41 citations)

....are reported in [6] and [7]. A pilot study for the main proof is reported in [5]. 3 The HOL Verification System The verification of Viper has been approached within HOL (Higher Order Logic) [2,14,15] a theorem proving system derived from R. Milner's LCF system (Logic for Computable Functions) [13,23] and based on the version of higher order logic 2 formulated by A. Church [3]. HOL was implemented by M. Gordon at the University of Cambridge and is currently in use by the Hardware Verification Group at Cambridge and at several sites throughout the world. Verification was understood by ....

L. Paulson, Logic and Computation, Cambridge University Press, 1987


A Verification Environment for I/O Automata - Part II: Theorem.. - Müller (1999)

....than manual proofs, as they force the user to supply details for all cases. There are two reasons why this confidence in machine checked proofs is even higher in our case than e.g. for proofs performed in PVS [33] or LP [13]. First, Isabelle itself is built according to the LCF system approach [35], which means that every proof is broken down to a small and clear set of primitive inferences. Second, we introduce new theories only in a definitional way, which ensures that no inconsistencies, for example caused by contradictory axioms, can occur. Scalability Interactive provers like ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


New Foundations for Fixpoint Computations - Crole, Pitts (1990)   (6 citations)

....above rule. In order to formulate this induction principle for a fixpoint object within the metalanguage, we introduce a constructive logic, called FIX, of properties of terms over the metalanguage. Thus there are strong connections between FIX and the traditional axiomatic domain theory of LCF [13] and to Plotkin's approach to denotational semantics using partial continuous functions [15]. However, our logic is inherently more constructive, since it is based on the notion of evaluation of a (possibly non terminating) computation to a value, rather than on non termination and on information ....

L.C.Paulson, Logic and Computation (Cambridge University Press, 1987).


Open Mechanized Reasoning Systems - McCarthy, Giunchiglia, Talcott (1992)

....is an interactive environment for machine assisted theorem proving in classical higher order logic. The basic deductive machinery is a natural deduction proof system, with capability for both forwards and goal oriented deduction. HOL is one of the LCF family of systems, that includes LCF itself [27, 55], and Isabelle [56]. In all of these systems, proof procedures (tactics and tacticals) can be expressed using ML. Isabelle is a generic theorem prover. It supports interactive proof development in several formal systems, including first order logic (intuitionistic and classical) higher order ....

....logics. Standard systems include equational logic, classical logic (first and higher order) intuitionistic logic (first and higher order) Martin Lof type theory, modal and temporal logics, to name a few. Logics inspired by programming languages include the Boyer Moore logic [8, 10] and LCF [55] for reasoning about recursively defined functions, dynamic logic [30] process logics [48] and various logics for concurrency [54, 14] The latter typically contain a first order language for reasoning about static data and temporal operators for reasoning about the dynamic aspects. The models ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Isabelle/HOL as a Platform for Partiality - Olaf Müller, Konrad Slind

....only to HOLCF when really required. We explain this in Subsection 4.3. 4.1 Introduction to HOLCF HOLCF [Reg95, Reg94] extends HOL conservatively with concepts of domain theory such as complete partial orders, continuous partial functions and a fixed point operator. As a result, the logic LCF [Pau87] constitutes a proper sublanguage of HOLCF. HOLCF uses Isabelle's type classes to distinguish HOL and LCF types. More precisely, it introduces a type class pcpo which is equipped with a complete partial order v and a least element . pcpo becomes the default type class of HOLCF and is a subclass ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Isabelle HOL - The Tutorial - Nipkow (1998)   (2 citations)

....function spaces. For example datatype t = C (nat = t) D is unproblematic. However, Isabelle does not support recursion involving = at all at the moment. For a theoretical analysis of what kinds of datatypes are feasible in HOL see, for example, [2]. There are alternatives to pure HOL: LCF [7] is a logic where types like datatype t = C (t t) do indeed make sense (note the intentionally different arrow ) There is even a version of LCF on top of HOL, called HOLCF [4]. 3.4.4 Case study: Tries Tries are a classic search tree data structure [3] for fast indexing with strings. ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Holcf = Hol + Lcf - Müller, Nipkow, von Oheimb, Slotosch (1998)

....of two logical systems, HOL and LCF, combining the best of both worlds. Before we go into technicalities (of which there is no shortage) we sketch the historical and logical roots of HOLCF. The development of tactic based interactive theorem provers started with LCF (Gordon et al. 1979; Paulson, 1987), a system to support reasoning in Scott's Logic for Computable Functions. Apart from its many technical innovations, it was the first theorem prover to take the notion of partial computable functions serious. Unfortunately, this commitment does not come cheap, as the users of LCF were to discover ....

....built into the type constructor used for any argument f of fix. This considerably facilitates reasoning about fixpoint equalities. Fixpoint induction. The fixpoint induction rule has been derived as usual: adm P; P ; V x. P x = P (f x) P (fix f) As known from the literature (e.g. (Paulson, 1987)) this rule includes the admissibility of P as an assumption. A predicate P is admissible iff it holds for the least upper bound of every chain satisfying P. consts adm : ff: cpo ) bool) bool defs adm P j 8Y. chain Y Gamma (8i. P (Y i) Gamma P (lub(range Y) In practice, it is of vital ....

[Article contains additional citation context not shown here]

Paulson, Lawrence C. (1987). Logic and computation. Cambridge University Press.


Type Theory and Programming - Coquand, Nordström, Smith, von Sydow (1994)   (21 citations)

....way of expressing proofs, that is, as objects of types. So AUTOMATH can be seen as an early formulation of the kind of type theory we will discuss here. The first implementation of Martin-Löf's type theory was made in Goteborg [41] this system was based on the Edinburgh LCF proof assistant [21, 40]. Soon after this a more advanced system, NuPRL, was developed at Cornell [7]. Recently several interactive proof systems based on type theory have been implemented which have the important property that they can serve as logical frameworks: rules and axiom of various theories can easily be ....

....as a term of type theory, or if we want to consider a possibly non-terminating program, we represent it as an inductively defined relation. This example was suggested by Colin Runciman, who uses it as an LCF exercise. The example gives a good illustration of the differences between the LCF approach [21, 40] and the present natural semantics approach [28]. In the LCF approach, each function is considered a priori to be partial, and one has to prove that a given function is total. In the present type-theoretic approach, a function represents always a total function (for instance, the compiler itself ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Possibly Infinite Sequences in Theorem Provers: A.. - Marco Devillers.. (1997)   (9 citations)

....section we summarize the distinguishing aspects of the different tools used, as far as they are relevant to the sequence formalizations. 2.1 The different Logics Isabelle/HOL and Gordon's HOL. Gordon's HOL [GM93] is a theorem prover for higher order logic developed according to the LCF approach [Pau87]. Isabelle [Pau94] is a generic theorem prover that supports a number of logics, among them first order logic (FOL), Zermelo-Fraenkel set theory (ZF), constructive type theory (CTT), higher order logic (HOL) and others. As Isabelle/HOL and Gordon's HOL are similar, we will in general not ....

....HOL incorporates Hilbert's choice operator as a primitive constant. HOLCF. HOLCF [Reg95] conservatively extends Isabelle/HOL with concepts of domain theory such as complete partial orders, continuous functions and a fixed point operator. As a consequence, the logic of the original LCF tool [Pau87] constitutes a proper sublanguage of HOLCF. HOLCF uses Isabelle's type classes, similar to Haskell, to distinguish between HOL and LCF types. A type class is a constraint on a polymorphic variable restricting it to the class of types fulfilling certain requirements. For example, there is a type ....

[Article contains additional citation context not shown here]

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


General Synthetic Domain Theory - A Logical Approach - Reus, Streicher (1997)   (18 citations)

.... theory where functions are identified with functional relations one has to live with the coexistence of full and continuous function spaces of domains (which both carry a domain structure). Although one may have classical theories of domains with continuous function spaces only as e.g. LCF (Paulson, 1987; Regensburger, 1994), in such theories one cannot have the intuitively appealing Axiom of Unique Choice (AUC) stating that any functional relation is traced by a continuous function. But it is consistent with intuitionistic logic to claim that all functions between domains are continuous and even ....

Paulson, L.C. (1987). Logic and Computation. Cambridge Tracts in Theoretical Computer Science, vol. 2. Cambridge University Press.


Traces of I/O-Automata in Isabelle/HOLCF - Müller, Nipkow

....supports the definition of lazy lists. Therefore we decided to model traces and executions in HOLCF. 4 HOLCF 4.1 Introduction HOLCF [18] extends HOL with concepts of domain theory such as complete partial orders, continuous functions and a fixed point operator. As a result, the logic LCF [16] constitutes a proper sublanguage of HOLCF. In HOLCF there is a special type for continuous functions. Elements of this type are called operations, the type constructor is denoted by in contrast to the standard function type constructor ⇒. For abstractions and applications of operations a ....

L. C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Temporal Semantics of a Concurrency Monad With Choice and.. - Frauenstein, Grieskamp

....presence of indeterministic computations. We present a semantic model for the concurrency monad of the purely functional programming and specification language Opal [3] which is formulated by means of a temporal axiomatization. This axiomatization bases on the logic of computable functions, LCF [18], on top of which we put a temporal calculus that is an instance of interval logic [17, 2]. The intention is not only to get a semantics for the concurrency monad but also to make a first step towards a framework that is suitable for formal reasoning about concurrent monadic programs in a standard ....

....the logical framework. We then introduce the abstract type of states and a temporal logic to express observations on states. We finally apply this model to the axiomatization of the concurrency monad. 3.1. Logical Framework We presume that our object language Opal is embedded in an LCF style [18] first order predicate calculus. In the model of LCF, monomorphic types are interpreted by complete partial orderings and polymorphic types by families of such orderings, indexed by the monomorphic instantiations. Atomic predicates are based on the partial ordering of domains: the formula e₁ ⊑ ....

[Article contains additional citation context not shown here]

L. Paulson. Logic and Computation. Cambridge University Press, 1987.


Theorem Prover Support for the Refinement of Stream.. - Sandner, Müller (1997)   (1 citation)

....as networks of asynchronously communicating agents. The agents themselves are represented by a set of functions, where every function processes infinite streams of incoming messages and yields infinite streams of outgoing messages. The semantical foundation is provided by Scott's domain theory [Pau87]. Using for example the least fixed point theorem allows us to model feedbacks of message streams. Focus also provides various refinement calculi. We concentrate on a particular calculus defined by a set of refinement rules in an Assumption Commitment (A C) style [SDW93]. The aim of this paper ....

....and f is a stream processing function. 2.2 Isabelle HOL and HOLCF In our approach, we use the logic HOLCF [Reg95] both for formalizing specifications and for proving the refinement rules. HOLCF extends Isabelle's instantiation of HOL conservatively by the Logic of Computable Functions LCF [Pau87]. HOL formalizes Church's formulation of Higher Order Logic. To distinguish LCF types from HOL types, HOLCF introduces the type class pcpo, which is equipped with a complete partial order ⊑ and a least element . pcpo is introduced as a subclass of term, the default class of HOL. HOLCF provides ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


On the Semantics of a Concurrency Monad with Choice and.. - Frauenstein, Grieskamp, .. (1996)   (1 citation)

....the role of an existential type given to the variable x . Note that in our setting the relation fi is deterministic and could thus be represented as an evaluation function on terms. 2.3 LCF Style Denotational Semantics We presume that the object language Opal is embedded in an LCF style [Pau87] first-order predicate calculus. Basically, this calculus provides a syntax for denotational semantics, using Opal as its object language. In the model of LCF, monomorphic types are interpreted by complete partial orderings 2 and polymorphic types by families of such ....

....Semantics In this section we present a semantic model for the concurrency monad of the purely functional programming and specification language Opal [DFG 94] which is formulated by means of a temporal axiomatization. This axiomatization is based on the logic of computable functions, LCF ([Pau87], cf. to Section 2.3), on top of which we put a temporal calculus that is an instance of interval logic [Mos83, CHR91]. The intention is not only to get a semantics for the concurrency monad but also to make a first step towards a framework that is suitable for formal reasoning about concurrent ....

[Article contains additional citation context not shown here]

L. Paulson. Logic and Computation. Cambridge University Press, 1987.


Between Dynamic Programming and Greedy: Data Compression - Bird, de Moor (1995)   (5 citations)

....that presents a problem when communicating the results of our work. What is needed is a more efficient way of communicating formal proofs, namely by means of proof tactics instead of proof steps. There is a great deal of work available on proof tactics in connection with automatic theorem proving [22], and we foresee no difficulties in taking advantage of that work. Note, however, that our motivation comes from a concern with effective communication, and not from a desire to automate the derivation process. A related concern is the implementation of our abstract results in existing programming ....

L. Paulson. Logic and Computation. Cambridge University Press, 1988.


HOLCF = HOL + LCF - Müller, Nipkow, von Oheimb, Slotosch (1998)

....of two logical systems, HOL and LCF, combining the best of both worlds. Before we go into technicalities (of which there is no shortage) we sketch the historical and logical roots of HOLCF. The development of tactic based interactive theorem provers started with LCF (Gordon et al., 1979; Paulson, 1987), a system to support reasoning in Scott's Logic for Computable Functions. Apart from its many technical innovations, it was the first theorem prover to take the notion of partial computable functions seriously. Unfortunately, this commitment does not come cheap, as the users of LCF were to ....

....built into the type constructor used for any argument f of fix. This considerably facilitates reasoning about fixpoint equalities. Fixpoint induction. The fixpoint induction rule has been derived as usual: adm P; P ; ⋀x. P x ⟹ P (f x) P (fix f) As known from the literature (e.g. (Paulson, 1987)), this rule includes the admissibility of P as an assumption. A predicate P is admissible iff it holds for the least upper bound of every chain satisfying P. consts adm :: (α::cpo ⇒ bool) ⇒ bool defs adm P ≡ ∀Y. chain Y ⟶ (∀i. P (Y i)) ⟶ P (lub (range Y)) In practice, it is of vital ....

[Article contains additional citation context not shown here]

Paulson, Lawrence C. (1987). Logic and computation. Cambridge University Press.


Treating Partiality in a Logic of Total Functions - Olaf Müller, Konrad Slind (1997)

....we deal with mixtures of partial and total objects in Subsection 4.3. 4.1. Introduction to HOLCF HOLCF [12, 13] extends HOL conservatively with concepts of domain theory such as complete partial orders, continuous partial functions and a fixed point operator. As a result, the original LCF logic [22] constitutes a proper sublanguage of HOLCF. HOLCF uses Isabelle's type classes to distinguish HOL and LCF types. More precisely, a type class pcpo which is equipped with a complete partial order ⊑ and a least element is introduced. pcpo becomes the default type class of HOLCF and is a subclass ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Martin-Löf's Type Theory - Nordström, Petersson, Smith

....12] which was designed by de Bruijn to check proofs of mathematical theorems. Quite large proofs were checked by the system, for example the proofs in Landau's book Grundlagen der Analysis [24]. Another system, which is more intended as a proof assistant, is the Edinburgh (Cambridge) LCF system [19, 34]. The proofs are constructed in a goal-directed fashion, starting from the proposition the user wants to prove and then using tactics to divide it into simpler propositions. The LCF system also introduced the notion of metalanguage (ML) in which the user could implement her own proof strategies. ....

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


μJava: Embedding a Programming Language in a Theorem.. - Nipkow, von Oheimb, Pusch (2000)

No context found.

Lawrence C. Paulson. Logic and Computation. Cambridge University Press, 1987.


Theorem Proving for Functional Programmers - Sparkle Functional Theorem (2002)

No context found.

L. C. Paulson. Logic and Computation, Cambridge University Press, 1987. ISBN 0-52-134632-0.

CiteSeer.IST - Copyright Penn State and NEC