IFIP Transactions A: Computer Science and Technology
International Federation for Information Processing

Technical Committees:
Software: Theory and Practice (TC2)
Education (TC3)
System Modelling and Optimization (TC7)
Information Systems (TC8)
Relationship between Computers and Society (TC9)
Computer Systems Technology (TC10)
Security and Protection in Information Processing Systems (TC11)
Artificial Intelligence (TC12)
Human-Computer Interaction (TC13)
Foundations of Computer Science (SG14)

IFIP Transactions Editorial Policy Board
The IFIP Transactions Editorial Policy Board is responsible for the overall scientific quality of the IFIP Transactions through a stringent review and selection process.

Chairman: G.J. Morris, UK
Members: D. Khakhar, Sweden; Lee Poh Aun, Malaysia; M. Tienari, Finland; P.C. Poole (TC2); P. Bollerslev (TC3); M. Tomljanovich (TC5); O. Spaniol (TC6); P. Thoft-Christensen (TC7); G.B. Davis (TC8); K. Brunnstein (TC9); G.L. Reijns (TC10); W.J. Caelli (TC11); R. Meersman (TC12); B. Shackel (TC13); J. Gruska (SG14)

IFIP Transactions Abstracted/Indexed in: INSPEC Information Services

A-20

HIGHER ORDER LOGIC THEOREM PROVING AND ITS APPLICATIONS
Proceedings of the IFIP TC10/WG10.2 International Workshop on Higher Order Logic Theorem Proving and its Applications - HOL '92
organized by CHEOPS ESPRIT BRA 3215
sponsored by IMEC and the Commission of the European Communities
Leuven, Belgium, 21-24 September 1992

Edited by
LUC J.M. CLAESEN, Interuniversity Micro-Electronics Center and Katholieke Universiteit Leuven, Leuven, Belgium
MICHAEL J.C. GORDON, Computer Laboratory, University of Cambridge, Cambridge, England

1993
NORTH-HOLLAND
AMSTERDAM · LONDON · NEW YORK · TOKYO

ELSEVIER SCIENCE PUBLISHERS B.V.
Sara Burgerhartstraat 25
P.O. Box 211, 1000 AE Amsterdam, The Netherlands

Keywords are chosen from the ACM Computing Reviews Classification System, ©1991, with permission. Details of the full classification system are available from ACM, 11 West 42nd St., New York, NY 10036, USA.

ISBN: 0 444 89880 8
ISSN: 0926-5473

© 1993 IFIP. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher, Elsevier Science Publishers B.V., Copyright & Permissions Department, P.O. Box 521, 1000 AM Amsterdam, The Netherlands.

Special regulations for readers in the U.S.A. - This publication has been registered with the Copyright Clearance Center Inc. (CCC), Salem, Massachusetts. Information can be obtained from the CCC about conditions under which photocopies of parts of this publication may be made in the U.S.A. All other copyright questions, including photocopying outside of the U.S.A., should be referred to the publisher, Elsevier Science Publishers B.V., unless otherwise specified.

No responsibility is assumed by the publisher or by IFIP for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

pp. 117-132: Copyright not transferred

This book is printed on acid-free paper.
Printed in The Netherlands

Preface

This book contains all the papers submitted to the workshop entitled Higher Order Logic Theorem Proving and its Applications. These range from reports on student projects to original research contributions. The workshop was organized in IMEC, Leuven, Belgium, from 21 to 24 September 1992 by the CHEOPS ESPRIT Basic Research Action in cooperation with IFIP working group 10.2. The meeting was the fifth in a series of annual workshops dedicated to the topic of higher order logic theorem proving, its usage in the HOL system and its applications. Previous workshops have taken place in Cambridge, UK, Aarhus, Denmark and Davis, California.

The HOL system is a higher order logic theorem proving system implemented at Edinburgh University, Cambridge University and INRIA. It has found many applications, from the verification of hardware designs at all levels to the verification of programs and communication protocols. Contributions and experiences with other systems based on higher order logic, namely Nuprl and LAMBDA, are also presented here.

The papers in this book cover the following topics:
• Mathematical Logic.
• Induction.
• General Modelling and Proofs.
• Formalizing and Modelling of Automata.
• Program Verification.
• Hardware Description Language Semantics.
• Hardware Verification Methodologies.
• Simulation in Higher Order Logic.
• Extended uses of Higher Order Logic.

The workshop was attended by 60 participants (Europe: 45, North America: 15). Tutorials were presented by Roger B. Jones on Proof Power and by Carl Seger and Jeff Joyce on Hybrid Formal Verification Techniques. In addition to regular presentations on the practical application of higher order logic and the HOL system, the workshop included a HOL users clinic organized by Tom Melham for in-depth discussion of issues concerning the use of the HOL system. A special LAMBDA users meeting session was organized by Holger Bush. The next workshop in the series will be organized by Jeff Joyce and Carl Seger at the University of British Columbia in Vancouver, Canada.

We are grateful to the Commission of the European Communities for sponsoring this workshop by providing grants for students to participate.

Luc Claesen, Michael Gordon
November 1992

Conference organization.

Workshop Chair: Luc Claesen, Interuniversity Micro Electronics Center, Katholieke Universiteit Leuven, Kapeldreef 75, B-3001 Leuven (Belgium), e-mail: [email protected]

Workshop Co-Chair: Michael Gordon, University of Cambridge Computer Laboratory, Pembroke Street, Cambridge CB2 3QG (U.K.), email: [email protected]

Program Committee
Myla Archer (University of California, Davis, USA)
Graham Birtwistle (University of Calgary, CA)
Holger Bush (Siemens AG, D)
Albert Camilleri (Hewlett-Packard, UK)
Shui-Kai Chin (Syracuse University, USA)
Luc Claesen (IMEC / Kath. Univ. Leuven, B)
Simon Finn (Abstract Hardware Ltd., UK)
Michael Gordon (University of Cambridge, UK)
Elsa L. Gunter (AT&T Bell Labs, USA)
John Herbert (SRI International, UK)
Roger B. Jones (ICL, UK)
Jeff Joyce (University of British Columbia, CA)
Ton Kalker (Philips, NL)
Matt Kaufmann (Computational Logic Inc., USA)
Kurt Keutzer (Synopsys, USA)
Ramayya Kumar (Univ. of Karlsruhe, D)
Miriam Leeser (Cornell University, USA)
Tim Leonard (Digital Equipment Corp., USA)
Paul Loewenstein (Sun Microsystems, USA)
Tom Melham (University of Cambridge, UK)
Carl Seger (University of British Columbia, CA)
David Shepherd (Inmos Ltd., UK)
Gerd Venzl (Siemens AG, D)
Phillip J. Windley (University of Idaho, USA)

Local Organizing Committee.
Catia Angelo Marcondes, Luc Claesen, Geert De Pril, Peter De Vijt, Mark Genoe, Peter Johannes, Wim Ploegaerts, Hans Samsom, Robert Severyns, Annemie Stas, John Tytgat, Jan Vandenbergh, Diederik Verkest, Eric Verlind

Reviewers.
J. Alves-Foss, C. Angelo Marcondes, M. Archer, G. Birtwistle, H. Bush, A. Camilleri, S-K. Chin, L. Claesen, S. Finn, M. Gordon, E.L. Gunter, J. Grundy, J. Herbert, R.B. Jones, J. Joyce, A. Kalker, M. Kaufmann, K. Keutzer, R. Kumar, M. Leeser, T. Leonard, P. Loewenstein, T. Melham, W. Ploegaerts, C. Seger, D. Shepherd, G. Venzl, D. Verkest, Ph.J. Windley

Higher Order Logic Theorem Proving and its Applications (A-20)
L.J.M. Claesen and M.J.C.
Gordon (Editors)
Elsevier Science Publishers B.V. (North-Holland)
© 1993 IFIP. All rights reserved.

The HOL Logic Extended with Quantification over Type Variables

Thomas F. Melham
University of Cambridge Computer Laboratory, New Museums Site, Pembroke Street, Cambridge, CB2 3QG, England.

Abstract
This paper discusses a proposal to extend the primitive basis of the HOL logic with a very simple form of quantification over types. It is shown how certain practical problems with using the definitional mechanisms of HOL would be solved by the additional expressive power gained by making this extension.

Keyword Codes: F.4.1; I.2.3
Keywords: Mathematical Logic; Deduction and Theorem Proving.

1 Introduction

The version of higher order logic mechanized by the HOL system is essentially Church's formulation of simple type theory [2] extended with explicit rules of definition and with object-language polymorphism of the kind developed by Milner for the LCF logic PPλ [4]. In this paper a further extension to the logic is proposed—namely, the addition of a very limited form of object-language quantification over types. The motivation for this extension comes from a particular technical problem that arises when using the definitional mechanisms provided by the HOL logic. This paper explains this problem and shows how the proposed extension solves it. It is assumed that the reader is familiar with the details of the HOL logic given in the DESCRIPTION volume of the HOL documentation [5].

2 Types and polymorphism in HOL

Type expressions in the HOL logic have the following syntax:

$$\sigma ::= c \mid \alpha \mid \sigma_1 \to \sigma_2 \mid (\sigma_1, \ldots, \sigma_n)\,op$$

where $\sigma, \sigma_1, \ldots, \sigma_n$ range over types, $c$ ranges over type constants, $\alpha$ ranges over type variables, and $op$ ranges over $n$-ary type operators (for $n \geq 1$). It is the inclusion of type variables in this syntax of types that makes the HOL logic polymorphic.

Typing of terms takes place within the context of an assignment of generic types to constants, and a constant is well-typed at any substitution instance of its generic type. Theorems that contain polymorphic types are also true for any substitution instance of them, so there is a limited form of implicit universal quantification over types in the HOL logic.

More precisely, there is an implicit universal quantification over type variables at the level of sequents. A sequent $\Gamma \vdash P$ means that $P$ is provable by natural deduction from the hypotheses $\Gamma$. All occurrences of a type variable in such a sequent are identified by the semantics, and there is an implicit universal quantification over the value of this variable whose scope is the entire sequent. This is reflected in the primitive rule of type instantiation shown below.

$$\frac{\Gamma \vdash P}{\Gamma \vdash P[\sigma_1, \ldots, \sigma_n / \alpha_1, \ldots, \alpha_n]} \qquad \alpha_1, \ldots, \alpha_n \text{ not in } \Gamma$$

where $P[\sigma_1, \ldots, \sigma_n / \alpha_1, \ldots, \alpha_n]$ means the result of simultaneously substituting the type $\sigma_i$ for the type variable $\alpha_i$ for $1 \leq i \leq n$ at every occurrence of $\alpha_i$ in the term $P$. The side condition on this rule is a consequence of the fact that if a type variable occurs in both the hypotheses and the conclusion of a sequent, then both occurrences are assumed to denote the same set. In fact, from this primitive rule one can derive the more general instantiation rule

$$\frac{\Gamma \vdash P}{\Gamma[\sigma_1, \ldots, \sigma_n / \alpha_1, \ldots, \alpha_n] \vdash P[\sigma_1, \ldots, \sigma_n / \alpha_1, \ldots, \alpha_n]}$$

which allows one to substitute types for type variables throughout an entire sequent. There is an additional side condition on both of the rules shown above, namely the condition that no two distinct term variables in $P$ (and, for the second rule, $\Gamma$) may become identified as a result of doing the substitution. The HOL system deals with this side condition by renaming variables as required.

3 Motivation

The proposal of this paper is to extend the very simple form of polymorphism described above with limited object-language quantification over types. In particular, we wish to add primitive terms to the HOL logic of the forms $\forall\alpha.\,P$ and $\exists\alpha.\,P$, where $\alpha$ is a type variable and $P$ is a boolean term. Informally, the intended interpretation is that $P[\sigma/\alpha]$ is true for all types $\sigma$ and for some type $\sigma$, respectively. Note that we are not proposing an extension to the type language of HOL—the quantifications $\forall\alpha.\,P$ and $\exists\alpha.\,P$ are new term constructs, and not type constructs of the kind found (for example) in Girard's system F [3]. The extended logic proposed here resembles system Q, a transfinite type theory due to Andrews [1]. It is, however, still much weaker than Andrews' system.

The motivation for this extension originally arose in connection with work on new derived rules of definition for HOL—particularly in work on derived rules for defining abstract data types. The following sections explain this motivational background. Readers primarily interested in the semantics and other details of the proposed extension may wish to skip to section 4.
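The primitive type instantiation rule of section 2, with both of its side conditions, worked as an added example; this is not code from the paper or from the HOL system. It assumes a toy tuple encoding of HOL types and terms, the function names shown, and a constructed sample theorem ⊢ ∀x:α. x = x that is instantiated at α := num; the implicit, sequent-level quantification over α that section 3 contrasts with explicit ∀α. P is exactly what the side condition on Γ enforces here.

```python
# Added example, not from the paper: a toy model of HOL types, terms and the
# primitive rule INST_TYPE of section 2, including both of its side conditions.
# Types: ("c", name) | ("a", name) | ("fun", dom, rng) | ("op", name, (args,))
# Terms: ("var", name, ty) | ("const", name, ty) | ("comb", f, x) | ("abs", v, body)

def ty_vars(ty):
    """Type variables occurring anywhere in a type."""
    if ty[0] == "a": return {ty[1]}
    if ty[0] == "fun": return ty_vars(ty[1]) | ty_vars(ty[2])
    if ty[0] == "op": return set().union(*(ty_vars(t) for t in ty[2]))
    return set()

def ty_subst(ty, theta):
    """Simultaneous substitution theta = {alpha_i: sigma_i} at every occurrence."""
    if ty[0] == "a": return theta.get(ty[1], ty)
    if ty[0] == "fun": return ("fun", ty_subst(ty[1], theta), ty_subst(ty[2], theta))
    if ty[0] == "op": return ("op", ty[1], tuple(ty_subst(t, theta) for t in ty[2]))
    return ty

def tm_atoms(tm):
    """All variable and constant occurrences of a term (binders included)."""
    return [tm] if tm[0] in ("var", "const") else tm_atoms(tm[1]) + tm_atoms(tm[2])

def tm_subst(tm, theta):
    """P[sigma_1..sigma_n / alpha_1..alpha_n]: substitute in every atom's type."""
    if tm[0] in ("var", "const"): return (tm[0], tm[1], ty_subst(tm[2], theta))
    return (tm[0], tm_subst(tm[1], theta), tm_subst(tm[2], theta))

def tm_ty_vars(tm):
    return set().union(*(ty_vars(a[2]) for a in tm_atoms(tm)))

def inst_type(hyps, concl, theta):
    """Primitive INST_TYPE: from Gamma |- P derive Gamma |- P[sigmas/alphas], provided
    no alpha_i occurs in Gamma and no two distinct variables of P become identified."""
    clash = set(theta) & set().union(*(tm_ty_vars(h) for h in hyps))
    if clash:
        raise ValueError(f"type variables {sorted(clash)} occur in the hypotheses")
    distinct = lambda t: {(a[1], a[2]) for a in tm_atoms(t) if a[0] == "var"}
    new = tm_subst(concl, theta)
    if len(distinct(new)) < len(distinct(concl)):
        raise ValueError("substitution identifies two distinct term variables")
    return (hyps, new)

# Constructed sample: |- !x:'a. x = x, then instantiated at 'a := num.
BOOL, NUM, A = ("c", "bool"), ("c", "num"), ("a", "a")
fun = lambda d, r: ("fun", d, r)
x = ("var", "x", A)
REFL = ("comb", ("const", "!", fun(fun(A, BOOL), BOOL)),
        ("abs", x, ("comb", ("comb", ("const", "=", fun(A, fun(A, BOOL))), x), x)))
REFL_NUM = inst_type((), REFL, {"a": NUM})
```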