Lecture Notes in Computer Science 971
Edited by G. Goos, J. Hartmanis and J. van Leeuwen
Advisory Board: W. Brauer, D. Gries, J. Stoer

E. Thomas Schubert, Phillip J. Windley, James Alves-Foss (Eds.)

Higher Order Logic Theorem Proving and Its Applications
8th International Workshop
Aspen Grove, UT, USA, September 11-14, 1995
Proceedings

Springer

Series Editors
Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornell University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editors
E. Thomas Schubert, Department of Computer Science, CMPS, Portland State University, P.O. Box 751, Portland, OR 97207-0751, USA
Phillip J. Windley, Department of Computer Science, TMCB 3370, Brigham Young University, Provo, UT 84602-6576, USA
James Alves-Foss, Department of Computer Science, University of Idaho, Moscow, ID 83844-1010, USA

Cataloging-in-Publication data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Higher order logic theorem proving and its applications : ... international workshop ; proceedings. - Berlin ; Heidelberg ; New York ; London ; Paris ; Tokyo ; Hong Kong ; Barcelona ; Budapest : Springer. 8. Aspen Grove, UT, USA, September 11 - 14, 1995. - 1995 (Lecture notes in computer science ; Vol. 971) ISBN 3-540-60275-5 (Berlin ...) NE: GT
CR Subject Classification (1991): F.4.1, I.2.2-3, B.6.3, B.7.2, D.2.2, D.4.6, F.3.1
ISBN 3-540-60275-5 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag.
Violations are liable for prosecution under the German Copyright Law.
© Springer-Verlag Berlin Heidelberg 1995
Printed in Germany
Typesetting: Camera-ready by author
SPIN 10485472 06/3142 - 5 4 3 2 1 0
Printed on acid-free paper

Preface

This volume is the proceedings of the international workshop on Higher Order Logic Theorem Proving and its Applications, held at Aspen Grove, Utah, USA during September 11-14, 1995. The workshop is the eighth in a series of annual meetings that brings together researchers and practitioners to explore issues related to higher order logic theorem proving technology and the use of higher order logic as a basis for formal methods reasoning. Though the original focus of the workshop was the HOL theorem proving system, the scope has since broadened to include the development and use of other higher order logic mechanized theorem provers.

Each of the thirty-five papers submitted this year was fully refereed by at least three reviewers selected by the program committee. The program committee accepted twenty-six papers for presentation and publication in the proceedings.

The papers selected fall into three general categories: representation of formalisms in higher order logic; applications of mechanized higher order logic; and enhancements to the HOL and other theorem proving systems. Papers in the first category discuss embedding a variety of formalisms in higher order logic, including ZF set theory, graph theory, TLA, pi-calculus, and VHDL. Papers in the second category describe applications of higher order logic. Several papers describe hardware verification efforts, including pipeline verification, multiprocessor memory protocol verification, and formal circuit synthesis. Other papers discuss floating point verification, cryptographic protocol analysis, and reasoning about distributed programming languages. The final category concerns higher order logic theorem proving infrastructure.
Topics covered by papers in this area include proof methods, decision procedures, proof engineering support, user interface tools, definition mechanisms, transformation techniques, and proof checking.

The conference continued its tradition of providing an open venue for the discussion and sharing of preliminary results. Eight researchers were invited to present their work during an informal poster session. The workshop was sponsored by the Departments of Computer Science at Brigham Young University, Portland State University, and the University of Idaho. The conference organizers would also like to thank Paul Black, Kelly Hall, Michael Jones, Rosina Bignall, Trent Larson, and Robert Beers, all of whom helped ensure a successful conference. More information about future conferences and the HOL system can be found on the World Wide Web at http://lal.cs.byu/lal/hol-documentation.html.

September, 1995
Tom Schubert
Phil Windley
Jim Alves-Foss

Conference Organization

Workshop Chair
Dr. Phillip Windley
Dept. of Computer Science, TMCB 3370
Brigham Young University
Provo, Utah 84602-6576
e-mail: windley@cs.byu.edu

Program Chair
Dr. Thomas Schubert
Dept. of Computer Science
Portland State University
P.O. Box 751
Portland, Oregon 97207-0751
e-mail: schubert@cs.pdx.edu

Special Sessions Chair
Dr. Jim Alves-Foss
Dept. of Computer Science
University of Idaho
Moscow, Idaho 83844-1010
e-mail: j…@uidaho.edu

Program Committee
Jim Alves-Foss (Idaho)
Flemming Andersen (TDR)
Richard Boulton (Cambridge)
Albert Camilleri (HP)
Shiu-Kai Chin (Syracuse)
Elsa Gunter (AT&T)
John Herbert (SRI)
Ramayya Kumar (FZI)
Miriam Leeser (Cornell)
Tim Leonard (DEC)
Karl Levitt (UC Davis)
Paul Loewenstein (SUN)
Tom Melham (Glasgow)
Tom Schubert (Portland State)
David Shepherd (SGS-THOMSON)
Joakim von Wright (Åbo Akademi)
Phil Windley (BYU)

Additional Reviewers
Brian R. Becker, A. Rosina Bignall, Paul E. Black, Michael Butler, Surekha Ghantasala, Jim Grundy, Kelly M.
Hall, John Harrison, Mark Heckman, Shahid Ikram, Michael Jones, Jang Dae Kim, Thomas Långbacka, Munna, John O'Leary, Stacey Son, Donald Syme, Wai Wong, Cui Zhang

Contents

Mechanizing a π-Calculus Equivalence within HOL
  Otmane Aït Mohamed, p. 1
Non-Primitive Recursive Function Definitions
  Sten Agerholm, p. 17
Experiments with ZF Set Theory in HOL and Isabelle
  Sten Agerholm and Mike Gordon, p. 23
Automatically Synthesized Term Denotation Predicates: A Proof Aid
  Paul E. Black and Phillip J. Windley, p. 46
On the Refinement of Symmetric Memory Protocols
  J.-P. Bodeveix and M. Filali, p. 58
Combining Decision Procedures in the HOL System
  Richard J. Boulton, p. 75
Deciding Cryptographic Protocol Adequacy with HOL
  Stephen H. Brackin, p. 90
A Practical Method for Reasoning About Distributed Systems in a Theorem Prover
  Holger Busch, p. 106
A Theory of Finite Maps
  Graham Collins and Donald Syme, p. 122
Virtual Theories
  Paul Curzon, p. 138
An Automata Theory Dedicated Towards Formal Circuit Synthesis
  Dirk Eisenbiegler and Ramayya Kumar, p. 154
Interfacing HOL90 with a Functional Database Query Language
  Elsa L. Gunter and Leonid Libkin, p. 170
Floating Point Verification in HOL
  John Harrison, p. 186
Inductive Definitions: Automation and Application
  John Harrison, p. 200
A Formulation of TLA in Isabelle
  Sara Kalvala, p. 214
Formal Verification of Serial Pipeline Multipliers
  Jang Dae Kim and Shiu-Kai Chin, p. 229
TkWinHOL: A Tool for Window Inference in HOL
  Thomas Långbacka, Rimvydas Rukšėnas and Joakim von Wright, p. 245
Formal Verification of Counterflow Pipeline Architecture
  Paul N. Loewenstein, p. 261
Deep Embedding VHDL
  Ralf Reetz, p. 277
HOLCF: Higher Order Logic of Computable Functions
  Franz Regensburger, p. 293
A Mechanized Logic for Secure Key Escrow Protocol Verification
  Tom Schubert and Sarah Mocas, p. 308
A New Interface for HOL - Ideas, Issues and Implementation
  Donald Syme, p. 324
Very Efficient Conversions
  Morten Welinder, p. 340
Recording and Checking HOL Proofs
  Wai Wong, p. 353
Formalization of Planar Graphs
  Mitsuharu Yamamoto, Shin-ya Nishizaki, Masami Hagiya, and Yozo Toda, p. 369
A Hierarchical Method for Reasoning About Distributed Programming Languages
  Cui Zhang, Brian R. Becker, Mark R. Heckman, Karl Levitt, and Ron A. Olsson, p. 385

Mechanizing a π-calculus equivalence in HOL

Otmane Aït Mohamed*
CRIN-CNRS & INRIA-Lorraine, BP 239, Vandoeuvre-lès-Nancy Cedex, France

Abstract. The π-calculus is a relatively simple framework in which the semantics of dynamic creation and transmission of channels can be described nicely.
In this paper we consider the issue of verifying mechanically the equivalence of π-terms in the context of bisimulation based semantics while relying on the general purpose theorem prover HOL. Our main contribution is the presentation of a proof method to check early equivalence between π-terms. The method is based on π-term rewriting and an operational definition of bisimulation. The soundness of the rewriting steps relies on standard algebraic laws which are formally proved in HOL. The resulting method is implemented in HOL as an automatic tactic.

1 Introduction

The π-calculus [12] is an extension of CCS [10] based on the idea that processes can communicate channel names. This possibility dramatically increases the expressive power of the calculus; for instance, it allows one to model networks with a dynamically changing topology [14], and reasonable encodings of the λ-calculus and of higher-order process calculi have been proposed [11, 2, 15].

This paper reports on work concerning the mechanical verification of equivalence between π-terms in the context of bisimulation based semantics within the general purpose theorem prover HOL. This work is based on the one described in [3], and is constructed on top of our mechanization of the π-calculus theory in the HOL system [1]. The embedding of the π-calculus in HOL is inspired by previous works on the mechanization of process algebra in HOL, namely, the mechanization of CSP by Camilleri [6], the mechanization of CCS by Nesi [13], and, recently, the mechanization of the π-calculus by Melham [9]. Our general goal is twofold: firstly, we want to develop formally the theory of the π-calculus and secondly, we want to apply this framework to the verification of applications specified in the π-calculus. In the proof construction process it is of the utmost importance to have tactics that carry out simple parts of the proof automatically.
In particular our goal here is to define a tactic that can solve automatically the equivalence problem for finite terms (a term is said to be finite if it contains only finite summations, and no recursion). More precisely, the main contribution of this paper is to describe a method of checking early equivalence between finite π-terms, and its implementation in HOL (the method can be applied to general π-terms as well, but in this case termination is not guaranteed).

[* e-mail: amohamed@loria.fr]

This method is composed of two basic parts:

* In the first part a π-term is rewritten into a prefixed form where it is possible to read directly one of its next actions (if any). More precisely, a process $P$ is said to be in a prefixed form if it is Nil, or it is in one of the two forms $\alpha.P$ or $\alpha.P + Q$, where Nil is the terminated process, $\alpha$ is a suitable prefix, and $+$ is the non-deterministic sum. The rewriting rules are obtained by forcing a suitable orientation of basic algebraic laws of the π-calculus; typically we apply a suitable form of the expansion theorem and a certain number of rules concerning the commutation of restriction with the other operators. Since the algebraic laws have been formally derived in our HOL formalisation of the π-calculus [1], we are able to derive easily the soundness of the rewriting process. Let us anticipate that, in order to represent certain intermediate states of the computation, we employ a few new operators. These auxiliary operators give an equational characterization of parallel composition. They were introduced for the first time by Bergstra and Klop in their finite axiomatization of strong bisimulation equivalence over ACP [4, 5]. This in turn leads to transformational proof techniques for showing that a process implementation meets its specification. These operators are introduced in HOL's π-calculus theory by following the definitional principle, in order to ensure the consistency of this extension.
Related algebraic laws are derived formally and applied to the rewriting process.

* In the second part two prefixed forms are compared according to a suitable set of rules. These rules are based on the definition of the bisimulation relation. Their soundness is shown within the HOL system.

In general, our tactic alternates the computation of prefixed forms (part 1) and their comparison according to the rules of bisimulation (part 2).

The structure of the paper is as follows: In section 2 we give a brief presentation of the π-calculus: its syntax, its semantics and the definition of the strong early equivalence. In section 3 we recall some aspects of the formalisation of the π-calculus in HOL. In section 4 we give the definition of our proof method, followed by its representation in the HOL system. We conclude with some remarks and some directions for future work.

2 π-calculus

In this section, we present the syntax and the semantics of the π-calculus, as well as the definition of the strong early equivalence. For further details on these topics we refer to [12]. The syntax of the π-calculus is given by the following BNF grammar:

$$P ::= \mathit{Nil} \mid X \mid \alpha.P \mid [x = y]P \mid (\nu c)P \mid (P + P) \mid (P \mid P) \mid \mathit{Rec}\,X\,P$$
$$\alpha ::= c(x) \mid \bar{c}d \mid \tau$$

where Nil is the inactive process; $c(x).P$ is a process that receives an arbitrary channel $d$ at $c$ and then behaves like $P[d/x]$; $\bar{c}d.P$ sends the channel $d$ along $c$ and then behaves like $P$; $\tau.P$ performs a silent action $\tau$ and then behaves like $P$. The process $[x = y]P$ behaves like $P$ if $x$ and $y$ are identical, and otherwise like Nil. $P_1 + P_2$ represents nondeterministic choice. $P_1 \mid P_2$ represents two processes acting in parallel with the possibility of communication. The term $(\nu c)P$ behaves like $P$ except that the channel $c$ is local to $P$: actions at channel $c$ are prohibited (but communication between components of $P$ along $c$ is not). The process $\mathit{Rec}\,X\,P$ specifies a process that has a recursive behaviour.
We abbreviate the process $(\nu d)\bar{c}d.P$ by $\bar{c}(d).P$, i.e. the process that sends a new local channel to its environment. The definitions of free and bound names are standard (in $c(x).P$ and in $(\nu x)P$ the variable $x$ is bound). We denote by $Fn(P)$ and $Fn(\alpha)$ the sets of free names of $P$ and $\alpha$, and by $Bn(P)$ and $Bn(\alpha)$ the sets of bound names of $P$ and $\alpha$; $N(P)$ and $N(\alpha)$ denote the sets of names occurring in $P$ and $\alpha$. We shall identify two processes that differ only by their bound names. A substitution $\sigma$ maps channel names to channel names. We denote by $\sigma P$ the process obtained by replacing each free occurrence of a variable $x$ in $P$ by $\sigma x$. The operational semantics of the calculus is given via a labelled transition system, which is displayed in Fig. 1. We have omitted the symmetric versions of the rules sum1, par1, com1 and close1.

inp: $d \notin Fn((\nu x)P) \Rightarrow c(x).P \xrightarrow{c(d)} P[d/x]$

out: $\bar{c}d.P \xrightarrow{\bar{c}d} P$

tau: $\tau.P \xrightarrow{\tau} P$

match: $P \xrightarrow{\alpha} P' \Rightarrow [c = c]P \xrightarrow{\alpha} P'$

par1: $P \xrightarrow{\alpha} P' \land Bn(\alpha) \cap Fn(Q) = \emptyset \Rightarrow P \mid Q \xrightarrow{\alpha} P' \mid Q$

sum1: $P \xrightarrow{\alpha} P' \Rightarrow P + Q \xrightarrow{\alpha} P'$

rec: $P[\mathit{Rec}\,X\,P/X] \xrightarrow{\alpha} P' \Rightarrow \mathit{Rec}\,X\,P \xrightarrow{\alpha} P'$

com1: $P \xrightarrow{c(w)} P' \land Q \xrightarrow{\bar{c}d} Q' \Rightarrow P \mid Q \xrightarrow{\tau} P'[d/w] \mid Q'$

close1: $P \xrightarrow{c(w)} P' \land Q \xrightarrow{\bar{c}(w)} Q' \Rightarrow P \mid Q \xrightarrow{\tau} (\nu w)(P' \mid Q')$

nu: $P \xrightarrow{\alpha} P' \land c \notin N(\alpha) \Rightarrow (\nu c)P \xrightarrow{\alpha} (\nu c)P'$

open: $P \xrightarrow{\bar{d}c} P' \land d \neq c \land w \notin Fn((\nu c)P) \Rightarrow (\nu c)P \xrightarrow{\bar{d}(w)} P'[w/c]$

Fig. 1. π-calculus transition system
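As an added illustration of the syntax and of the Fig. 1 rules (this is not code from the paper or from its HOL theory), the following Python models the finite fragment of the grammar above (no process variables and no Rec, which is the fragment the paper's tactic targets), computes Fn, performs capture-avoiding substitution P[d/x], and enumerates the transitions of a term according to inp, out, tau, match, sum, par, com, close, nu and open, including the symmetric versions the figure omits. Bound names in labels are chosen by a fresh-name generator whose names start with an underscore; the assumption that hand-written names never use that prefix stands in for alpha-conversion. The sample term (νc)(c̄d.Nil | c(x).x̄e.Nil) is constructed for this example.

```python
# Added illustration of Section 2, not code from the paper or its HOL theory:
# the finite pi-calculus fragment (no X / Rec), Fn, substitution and the Fig. 1 rules.
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Nil: pass                                    # inactive process
@dataclass(frozen=True)
class In:   c: str; x: str; P: object              # c(x).P   (x bound in P)
@dataclass(frozen=True)
class Out:  c: str; d: str; P: object              # c̄d.P
@dataclass(frozen=True)
class Tau:  P: object                              # τ.P
@dataclass(frozen=True)
class Match: x: str; y: str; P: object             # [x = y]P
@dataclass(frozen=True)
class Nu:   c: str; P: object                      # (νc)P    (c bound in P)
@dataclass(frozen=True)
class Sum:  P: object; Q: object                   # P + Q
@dataclass(frozen=True)
class Par:  P: object; Q: object                   # P | Q

# Labels: ("tau",), ("in", c, w) with w bound, ("out", c, d) free output, ("bout", c, w) = c̄(w)
TAU = ("tau",)
def bn(a): return {a[2]} if a[0] in ("in", "bout") else set()      # Bn(alpha)
def n(a): return set(a[1:])                                        # N(alpha)

def fn(P):
    """Fn(P): the free names of P."""
    if isinstance(P, Nil):   return set()
    if isinstance(P, In):    return {P.c} | (fn(P.P) - {P.x})
    if isinstance(P, Out):   return {P.c, P.d} | fn(P.P)
    if isinstance(P, Tau):   return fn(P.P)
    if isinstance(P, Match): return {P.x, P.y} | fn(P.P)
    if isinstance(P, Nu):    return fn(P.P) - {P.c}
    return fn(P.P) | fn(P.Q)                                        # Sum, Par

_ids = count()
def fresh(avoid):
    """A name outside `avoid`; generated names start with '_' (assumed unused by hand)."""
    while True:
        w = f"_w{next(_ids)}"
        if w not in avoid: return w

def subst(P, x, d):
    """P[d/x]: replace free occurrences of x by d, renaming a binder that would capture d."""
    r = lambda m: d if m == x else m
    if isinstance(P, Nil):   return P
    if isinstance(P, Out):   return Out(r(P.c), r(P.d), subst(P.P, x, d))
    if isinstance(P, Tau):   return Tau(subst(P.P, x, d))
    if isinstance(P, Match): return Match(r(P.x), r(P.y), subst(P.P, x, d))
    if isinstance(P, (Sum, Par)): return type(P)(subst(P.P, x, d), subst(P.Q, x, d))
    b, body = (P.x, P.P) if isinstance(P, In) else (P.c, P.P)       # In or Nu: a binder
    if b == x:                                     # x is bound here: nothing free below it
        return In(r(P.c), b, body) if isinstance(P, In) else P
    if b == d:                                     # d would be captured: alpha-rename the binder
        nb = fresh(fn(body) | {x, d}); body, b = subst(body, b, nb), nb
    body = subst(body, x, d)
    return In(r(P.c), b, body) if isinstance(P, In) else Nu(b, body)

def _sync(a, X, b, Y):
    """com/close: X did the input a = c(w), Y the output b on the same c.
    Returns (X', Y', v) with v the name to restrict (close) or None (com); None if no match."""
    if a[0] != "in" or b[0] not in ("out", "bout") or a[1] != b[1]: return None
    if b[0] == "out": return subst(X, a[2], b[2]), Y, None          # com: X'[d/w] | Y'
    v = fresh(fn(X) | fn(Y))                                        # close: (νv)(X'[v/w] | Y'[v/w'])
    return subst(X, a[2], v), subst(Y, b[2], v), v

def trans(P):
    """All (label, P') with P --label--> P' under the Fig. 1 rules (finite fragment)."""
    if isinstance(P, Nil): return []
    if isinstance(P, In):                          # inp: w ∉ Fn((νx)P) ⇒ c(x).P --c(w)--> P[w/x]
        w = fresh(fn(Nu(P.x, P.P)))
        return [(("in", P.c, w), subst(P.P, P.x, w))]
    if isinstance(P, Out): return [(("out", P.c, P.d), P.P)]        # out
    if isinstance(P, Tau): return [(TAU, P.P)]                       # tau
    if isinstance(P, Match): return trans(P.P) if P.x == P.y else []   # match
    if isinstance(P, Sum): return trans(P.P) + trans(P.Q)            # sum1 and its mirror
    if isinstance(P, Nu):
        out = []
        for a, P1 in trans(P.P):
            if P.c not in n(a): out.append((a, Nu(P.c, P1)))         # nu
            elif a[0] == "out" and a[2] == P.c and a[1] != P.c:      # open: scope extrusion
                w = fresh(fn(P)); out.append((("bout", a[1], w), subst(P1, P.c, w)))
        return out
    tP, tQ = trans(P.P), trans(P.Q)                                  # Par
    out = [(a, Par(P1, P.Q)) for a, P1 in tP if not bn(a) & fn(P.Q)]   # par1 (fresh w: always holds)
    out += [(b, Par(P.P, Q1)) for b, Q1 in tQ if not bn(b) & fn(P.P)]  # par2
    for a, P1 in tP:
        for b, Q1 in tQ:
            s = _sync(a, P1, b, Q1)                                  # P receives, Q sends
            if s: R = Par(s[0], s[1]); out.append((TAU, Nu(s[2], R) if s[2] else R))
            s = _sync(b, Q1, a, P1)                                  # Q receives, P sends
            if s: R = Par(s[1], s[0]); out.append((TAU, Nu(s[2], R) if s[2] else R))
    return out

def demo():
    """Constructed sample: (νc)(c̄d.Nil | c(x).x̄e.Nil) can only communicate internally on c."""
    P = Nu("c", Par(Out("c", "d", Nil()), In("c", "x", Out("x", "e", Nil()))))
    return trans(P)
```

Calling demo() returns the single τ-transition to (νc)(Nil | d̄e.Nil): the output on c and the input on c are both discarded by rule nu, since c occurs in their labels, while com1 lets the two components synchronise and substitutes d for the bound input name, so the received channel d becomes the next output channel. Restricting a bound output instead, as in (νd)c̄d.Nil, exercises open and yields a c̄(w) label with a fresh w. These enumerated next actions are what the prefixed form of part 1 is meant to expose syntactically, and the comparison of part 2 operates on such action sets of two terms.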