Abstract not found

Auxiliary variables are essential for specifying programs in Hoare Logic. They are required to relate the value of variables in different states. However, the axioms and rules of Hoare Logic turn a blind eye to the rle of auxiliary variables. We stipulate a new structural rule for adjusting auxiliary variables when strengthening preconditions and weakening postconditions. Courtesy of this new rule, Hoare Logic is adaptation complete, which benefits software re-use. This property is responsible for a number of improvements. Relative completeness follows uniformly from the Most General Formula property. Moreover, contrary to common belief, one can show that Hoare Logic subsumes VDM's operation decomposition rules in that every derivation in VDM can be naturally embedded in Hoare Logic. Furthermore, the new treatment leads to a significant simplification in the presentation for verification calculi dealing with more interesting features such as recursion or concurrency.

Investigating soundness and completeness of verification calculi for imperative programming languages is a challenging task. Many incorrect results have been published in the past. We take advantage of the computer-aided proof tool LEGO to interactively establish soundness and completeness of both Hoare Logic and the operation decomposition rules of the Vienna Development Method (VDM) with respect to operational semantics. We deal with parameterless recursive procedures and local variables in the context of total correctness. As a case study, we use LEGO to verify the correctness of Quicksort in Hoare Logic. As our main contribution, we illuminate the rle of auxiliary variables in Hoare Logic. They are required to relate the value of program variables in the final state with the value of program variables in the initial state. In our formalisation, we reflect their purpose by interpreting assertions as relations on states and a domain of auxiliary variables. Furthermore, we propose a new structural rule for adjusting auxiliary variables when strengthening preconditions and weakening postconditions. This rule is stronger than all previously suggested structural rules, including rules of adaptation. With the new treatment, we are able to show that, contrary to common belief, Hoare Logic subsumes VDM in that every derivation in VDM can be naturally embedded in Hoare Logic. Moreover, we establish completeness results uniformly as corollaries of Most General Formula theorems which remove the need to reason about arbitrary assertions.

We propose and study coercive subtyping, a formal extension with subtyping of dependent type theories such as Martin-Lof's type theory [NPS90] and the type theory UTT [Luo94]. In this approach, subtyping with specified implicit coercions is treated as a feature at the level of the logical framework; in particular, subsumption and coercion are combined in such a way that the meaning of an object being in a supertype is given by coercive definition rules for the definitional equality. It is shown that this provides a conceptually simple and uniform framework to understand subtyping and coercion relations in type theories with sophisticated type structures such as inductive types and universes. The use of coercive subtyping in formal development and in reasoning about subsets of objects is discussed in the context of computerassisted formal reasoning. 1 Introduction A type in type theory is often intuitively thought of as a set. For example, types in Martin-Lof's type theory [ML84, NPS90...

. We want to prove "automatically" that a program is correct with respect to a set of given properties that is a specification. Proofs of specifications contain logical parts and computational parts. Programs can be seen as computational parts of proofs. They can then be extracted from proofs and be certified to be correct. We focus on the inverse problem : is it possible to reconstruct proof obligations from a program and its specification ? The framework is the type theory where a proof can be represented as a typed -term [Con86, NPS90] and particularly the Calculus of Inductive Constructions [Coq85]. A notion of coherence is introduced between a specification and a program containing annotations as in the Hoare sense. This notion is based on the definition of an extraction function called the weak extraction. Such an annotated program can give a method to reconstruct a set of proof obligations needed to have a proof of the initial specification. This can be seen either as a method o...

. This paper investigates the semantics of mathematical concepts in a type theoretic framework with coercive subtyping. The typetheoretic analysis provides a formal semantic basis in the design and implementation of Mathematical Vernacular (MV), a natural language suitable for interactive development of mathematics with the support of the current theorem proving technology. The idea of semantic well-formedness in mathematical language is motivated with examples. A formal system based on a notion of conceptual category is then presented, showing how type checking supports our notion of well-formedness. The power of this system is then extended by incorporating a notion of subcategory, using ideas from a more general theory of coercive subtyping, which provides the mechanisms for modelling conventional abbreviations in mathematics. Finally, we outline how this formal work can be used in an implementation of MV. 1 Introduction By mathematical vernacular (MV), we mean a mathematical and n...

The system Coq is an environment for proof development based on the Calculus of Constructions extended by inductive definitions. Functional programs can be extracted from constructive proofs written in Coq. The extracted program and its corresponding proof are strongly related. The idea in this paper is to use this link to have another approach: to give a program and to generate automatically the proof from which it could be extracted. Moreover, we introduce a notion of annotated programs.

We develop a theory of program specification using the notion of refinement type. This provides a notion of structured specification, useful for verification and program development. We axiomatise the satisfaction of specifications by programs as a generalised typing relation and give rules for refining specifications. A per semantics based on Henkin models is given, for which the system is proven to be sound and complete. Keywords Specification, refinement, verification, type theory, Henkin models 1

This paper presents a comparison between algebraic specifications-in-the-large and a type theoretical formulation of modular specifications, called deliverables. It is shown that the laws of module algebra can be translated to laws about deliverables which can be proved correct in type theory. The adequacy of the Extended Calculus of Constructions as a possible implementation of type theory is discussed and it is explained how the reformulation of the laws is influenced by this choice.

We give a canonical program refinement calculus based on the lambda calculus and classical first-order predicate logic, and study its proof theory and semantics. The intention is to construct a metalanguage for refinement in which basic principles of program development can be studied. The idea is that it should be possible to induce a refinement calculus in a generic manner from a programming language and a program logic. For concreteness, we adopt the simply-typed lambda calculus augmented with primitive recursion as a paradigmatic typed functional programming language, and use classical first-order logic as a simple program logic. A key feature is the construction of the refinement calculus in a modular fashion, as the combination of two orthogonal extensions to the underlying programming language (in this case, the simply-typed lambda calculus). The crucial observation is that a refinement calculus is given by extending a programming language to allow indeterminate expressions (or ‘stubs’) involving the construction ‘some program x such that P ’. Factoring this into ‘some x...’