Why Would You Trust B?
The use of formal methods provides confidence in the correctness of developments. Yet one may argue about the actual level of confidence obtained when the method itself -- or its implementation -- is not formally checked. We address this question for…
Authors: Eric Jaeger (DCSSI/SDS/Lti, Lip6), Catherine Dubois (CEDRIC)
Éric Jaeger¹˒² and Catherine Dubois³

¹ LIP6, Université Paris 6, 4 place Jussieu, 75252 Paris Cedex 05, France
² LTI, Direction centrale de la sécurité des systèmes d'information, 51 boulevard de La Tour-Maubourg, 75700 Paris 07 SP, France
³ CEDRIC, École nationale supérieure d'informatique pour l'industrie et l'entreprise, 18 allée Jean Rostand, 91025 Evry Cedex, France

Abstract. The use of formal methods provides confidence in the correctness of developments. Yet one may argue about the actual level of confidence obtained when the method itself – or its implementation – is not formally checked. We address this question for the B, a widely used formal method that allows for the derivation of correct programs from specifications. Through a deep embedding of the B logic in Coq, we check the B theory but also implement B tools. Both aspects are illustrated by the description of a proved prover for the B logic.

Key words: Confidence, Formal Methods, Prover, Deep embedding

A clear benefit of formal methods is to increase the confidence in the correctness of developments. However, one may argue about the actual level of confidence obtained, when the method or its implementation are not themselves formally checked. This question is legitimate for safety, as one may accidentally derive invalid results. It is even more relevant when security is a concern, as any flaw can be deliberately exploited by a malicious developer to obfuscate undesirable behaviours of a system while still getting a certification. B [1] is a popular formal method that allows for the derivation of correct programs from specifications. Several industrial implementations are available (e.g. AtelierB, B Toolkit), and it is widely used in the industry for projects where safety or security is mandatory.
So the B is a good candidate for addressing our concern: when the prover says that a development is right, who says that the prover is right? To answer this question, one has to check the theory as well as the prover w.r.t. this theory (or, alternatively, to provide a proof checker). Those are the objectives of BiCoq, a deep embedding of the B logic in Coq [2]. BiCoq benefits from the support of Coq to study the theory of B, and to check the validity of standard definitions and results. BiCoq also allows us, through an implementation strategy, to develop formally checked B tools. This strategy is illustrated in this paper by the development of a prover engine for the B logic, that can be extracted and used independently of Coq. Coq is therefore our notary public, witnessing the validity of the results associated to the B theory, as well as the correctness of tools implementing those results – ultimately increasing confidence in B developments. The approach, combining a deep embedding and an implementation technique, can be extended to address further elements of the B, beyond its logic, or to safely enrich it, as illustrated in this paper.

This paper is divided into 9 sections. Sections 1, 2 and 3 briefly introduce B, Coq and the notion of embedding. The B logic and its formalisation in Coq are presented in Sec. 4. Section 5 describes various results proved using BiCoq. Section 6 focuses on the implementation strategy, and presents its application to the development of a set of extractible proof tactics for a B prover. Section 7 discusses further uses of BiCoq, and mentions some existing extensions. Finally, Sect. 8 concludes and identifies further activities.
1 A Short Introduction to B

In a nutshell, the B method defines a first-order predicate logic completed with elements of set theory, a Generalised Substitution Language (GSL) and a methodology of development. An abstract B machine is a module combining a state, properties and operations (described as substitutions) to read or alter the state. The logic is used to express preconditions, invariants, etc. and to conduct proofs. The GSL allows for definitions of substitutions that can be abstract, declarative and non-deterministic (that is, specifications) as well as concrete, imperative and deterministic (that is, programs). The following example uses the non-deterministic substitution ANY (a "magic" operator finding a value which satisfies a property) to specify the square root of a natural number n:

Example 1.
  ANY x WHERE x ∗ x ≤ n < (x + 1) ∗ (x + 1) THEN p(n) := x END

Regarding the methodology, a machine M_C refines an abstract machine M_A if one cannot distinguish M_C from M_A by valid operation calls – this notion being independent of the internal representations, as illustrated by the following example of a system returning the maximum of a set of stored values:

Example 2. The state of M_A is a (non implementable) set of natural numbers; the state of M_C is a natural number. Yet M_C, having the expected behaviour, refines M_A.

  MACHINE M_A
  VARIABLES S
  INVARIANT S ⊆ N
  INITIALISATION S := ∅
  OPERATIONS
    store(n) ≙ PRE n ∈ N THEN S := S ∪ {n} END
    m ← get ≙ PRE S ≠ ∅ THEN m := max(S) END
  END

  REFINEMENT M_C
  VARIABLES s
  INVARIANT s = max(S ∪ {0})
  INITIALISATION s := 0
  OPERATIONS
    store(n) ≙ IF s < n THEN s := n END
    m ← get ≙ BEGIN m := s END
  END

Refinement being transitive, it is possible to go progressively from the specification to the implementation.
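The refinement of Example 2 can be exercised on an executable model. The following Python code is an added example, not part of the paper: it models both machines, checks the gluing invariant s = max(S ∪ {0}) after every operation, and replays valid operation calls on both machines, which must return the same results. Class names, the call encoding and the random driver are this example's own choices; a get issued while S = ∅ violates the abstract precondition, so it is not a valid call and is skipped rather than replayed.

```python
# Added example, not from the paper: executable models of M_A and M_C (Example 2),
# with a check of the gluing invariant and a replay of valid operation calls.
import random

class MA:
    """Abstract machine: the state is a set S of natural numbers."""
    def __init__(self):
        self.S = set()
    def store(self, n):
        assert n >= 0                    # precondition n ∈ N
        self.S = self.S | {n}
    def get(self):
        assert self.S                    # precondition S ≠ ∅
        return max(self.S)

class MC:
    """Refinement: the state is a single natural number s."""
    def __init__(self):
        self.s = 0
    def store(self, n):
        if self.s < n:
            self.s = n
    def get(self):
        return self.s

def gluing_invariant(a, c):
    """The INVARIANT clause of M_C, relating the concrete and abstract states."""
    return c.s == max(a.S | {0})

def replay(calls):
    """Run a list of ('store', n) / ('get',) calls on both machines.
    A get outside its abstract precondition (S = ∅) is not a valid call and is
    skipped. Returns the list of get results when the gluing invariant holds
    after every call and both machines always answer alike; raises
    AssertionError as soon as the machines can be told apart."""
    a, c = MA(), MC()
    results = []
    assert gluing_invariant(a, c)
    for call in calls:
        if call[0] == 'store':
            a.store(call[1])
            c.store(call[1])
        elif a.S:                        # valid get: S ≠ ∅
            ra, rc = a.get(), c.get()
            assert ra == rc, (ra, rc)
            results.append(rc)
        assert gluing_invariant(a, c)
    return results

def random_replays(rounds=200, length=20, seed=0):
    """Replay `rounds` random call sequences (constructed with a fixed seed);
    True if none of them distinguishes M_A from M_C."""
    rng = random.Random(seed)
    for _ in range(rounds):
        calls = [('store', rng.randrange(100)) if rng.random() < 0.6 else ('get',)
                 for _ in range(length)]
        replay(calls)
    return True
```

Such a replay is only a test, not the proof obligations the B methodology discharges: it can exhibit a counter-example but never establishes the refinement for all sequences.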
By discharging at each step the proof obligations defined by the B methodology, a program can be proved to be a correct and complete implementation of a specification. This methodology, combined with the numerous native notions provided by the set theory and the existence of toolkits, makes the B a popular formal method, widely used in the industry.

Note that the B logic is not genuinely typed and allows for manipulation of free variables. A special mechanism, called type-checking (but thereafter referred to as wf-checking), filters ill-formed (potentially paradoxal) terms; it is only mentioned in this paper, deserving a dedicated analysis. The rest of the paper only deals with the B logic (its inference rules).

2 A Short Introduction to Coq

Coq is a proof assistant based on a type theory. It offers a higher-order logical framework that allows for the construction and verification of proofs, as well as the development and analysis of functional programs in an ML-like language with pattern-matching. It is possible in Coq to define values and types, including dependent types (that is, types that explicitly depend on values); types of sort Set represent sets of computational values, while types of sort Prop represent logical propositions. When defining an inductive type (that is, a least fixpoint), associated structural induction principles are automatically generated. For the intent of this paper, it is sufficient to see Coq as allowing for the manipulation of inductive sets of terms. For example, let's consider the standard representation of natural numbers:

Example 3.
  Inductive N : Set := 0 : N | S : N → N

It defines a type N which is the smallest set of terms stable by application of the constructors 0 and S. N is exactly made of the terms 0 and S^n(0) for any finite n; being well-founded, structural induction on N is possible.
Coq also allows for the declaration of inductive logical properties, e.g.:

Example 4.
  Inductive ev : N → Prop := ev_0 : ev 0 | ev_2 : ∀ (n : N), ev n → ev (S (S n))

It defines a family of logical types: ev 0 is a type inhabited by the term (ev_0), ev 2 is another type inhabited by (ev_2 0 ev_0), and ev 1 is an empty type. The standard interpretation is that ev_0 is a proof of the proposition ev 0 and that there is no proof of ev 1, that is we have ¬(ev 1). An intuitive interpretation of our two examples is that N is a set of terms, and ev a predicate marking some of them, defining a subset of N.

3 Deep Embedding and Related Works

Embedding in a proof assistant consists in mechanizing a guest logic by encoding its syntax and semantic into a host logic ([3,4,5]). In a shallow embedding, the encoding is partially based on a direct translation of the guest logic into constructs of the host logic. In a deep embedding the syntax and the semantic are formalised as datatypes. At a fundamental level, taking the view presented in Sec. 2, the deep embedding of a logic is simply a definition of the set of all sequents (the terms) and a predicate marking those that are provable (the inference rules of the guest logic being encoded as constructors of this predicate).

Shallow embeddings of B in higher-order logics have been proposed in several papers (cf. [6,7]) formalising the GSL in PVS, Coq or Isabelle/HOL. Such embeddings are not dealing with the B logic, and by using directly the host logic to express B notions, they introduce a form of interpretation. If the objective is to have an accurate formalisation of the guest system, the definition of a valid interpretation is difficult – e.g. B functions are relations, possibly partial or undecidable, and translating accurately this concept in Coq is a tricky exercise.
BiCoq aims at such an accurate formalisation, to pinpoint any problem of the theory with the objective to increase confidence in the developments when safety or security is a concern; in addition, we also have an implementation objective. In such cases, a deep embedding is fully justified – see for example the development of a sound and complete theorem prover for first-order logic verified in Isabelle proposed in [8]. A deep embedding of the B logic in Coq is described in [9] (using notations with names), to validate the base rules used by the prover of Atelier-B – yet not checking standard B results, and without implementation goal. As far as the implementation of a trusted B prover is concerned, we can also mention the encoding of the B logic as a rewriting system proposed in [10].

Deep embeddings have also the advantage to clearly separate the host and the guest logics: in BiCoq, excluded middle, provable in B, is not promoted to Coq. This improves readability, and allows one to study meta-theoretical questions such as consistency. Furthermore, the host logic consistency is not endangered.

4 Formalising the B Logic in Coq

In this section, we present our embedding of the B logic in the Coq system; the embedding uses a De Bruijn representation that avoids ambiguities and constitutes an efficient solution w.r.t. the implementation objective (see [11,12]). Deviations between B and its formalisation are described and justified.

Notation. B definitions use upper case letters with standard notations. BiCoq uses lower case letters, and mixes B and Coq notations; standard notations are used for Coq (e.g. ∀ is the universal quantification) while dotted notations are used for the embedded B (e.g. ∀̇ is the universal quantification constructor).

Notation. [T] denotes the type of the lists whose elements have type T.
4.1 Syntax

Given a set of identifiers (I), the B logic syntax defines predicates (P), expressions (E), sets (S) and variables (V) as follows:

  P := P ∧ P | P ⇒ P | ¬P | ∀V·P | E = E | E ∈ E | [V := E]P
  E := V | S | E ↦ E | ↓S | [V := E]E
  S := BIG | ↑S | S × S | {V | P}
  V := I | V, V

In this syntax, [V := E]T represents the (elementary) substitution, V_1, V_2 a list of variables, E_1 ↦ E_2 a pair of expressions, ↓ and ↑ the choice and powerset operators, and BIG a constant set. The comprehension set operator, while syntactically defined by {V | P}, is rejected at wf-checking if not of the form {V | V ∈ S ∧ P}, with V a variable not free in S.

Definition. Other connectors are defined from the previous ones, P ⇔ Q is defined as P ⇒ Q ∧ Q ⇒ P, P ∨ Q as ¬P ⇒ Q, and ∃V·P as ¬∀V·¬P.

The first design choice of BiCoq is to use a pure nameless De Bruijn notation (see [11,13]), where variables are represented by indexes giving the position of their binder – here the universal quantifier and the comprehension set. When an index exceeds the number of parent binders, it is said to be dangling and represents a free variable, whose name is provided by a scope (left implicit in this paper), so that any syntactically correct term is semantically valid, and there is no need for well-formedness condition⁴. In this representation, proofs of side conditions related to name clashing are replaced by computations on indexes, but the index representing a variable is not constant in a term.
The B syntax is formalised in Coq by two mutually inductive types with the following constructors, I being the set of indexes (that is, N \ {0}) and J an infinite set of names with a decidable equality:

  P := P ∧̇ P | P ⇒̇ P | ¬̇P | ∀̇P | E =̇ E | E ∈̇ E
  E := χ̇ I | E ↦̇ E | ↓̇E | Ω̇ | ↑̇E | E ×̇ E | {E |̇ P} | ω̇ J

P represents B predicates, while E merges B expressions, sets and variables. Using a De Bruijn representation, binders ∀̇ and {|̇} have no attached names and only bind (implicitly) a single variable. Binding over list of variables can be eliminated without loss of expressivity, as illustrated by the following example:

Example 5. {V | V ∈ S_1 × S_2 ∧ ∃V_1·(V_1 ∈ S_1 ∧ ∃V_2·(V_2 ∈ S_2 ∧ V_1 ↦ V_2 = V ∧ P))} represents {V_1, V_2 | V_1, V_2 ∈ S_1 × S_2 ∧ P}⁵

The constructor {|̇} is further modified to be parameterised by an expression, to keep in the syntax definition only wf-checkable terms. Indeed, only comprehension sets of the form {V | V ∈ E ∧ P}, with V not free in E, are valid. The BiCoq representation of this set is {e |̇ p}; to reflect the non-freeness condition, {e |̇ p} only binds variables in its predicate parameter p. By these design choices, we bridge the gap between syntactically correct terms and wf-checkable ones, while being conservative. Ω̇ represents the constant set BIG, χ̇ unary (De Bruijn) variables. The constructor ω̇ is without B equivalent, and provides elements of Ω̇ (cf. Par. 4.3).

Notation. χ̇ i denotes the application of constructor χ̇ to i : I and ω̇ j of constructor ω̇ to j : J. By abuse of notation the variable χ̇ i is also denoted simply by i.

⁴ An alternative approach to avoid well-formedness conditions is described in [14].
⁵ This second representation, while standard in B, appears to be an illegal binding over the expression x ↦ y rather than over the variable x, y, but the same notations are used for both in [1] and such confusions are frequent.

Finally, the elementary substitution is not considered in BiCoq as a syntactical construct but is replaced by functions on terms – substitution being introduced earlier in B only to be used in the description of inference rules. Note however that the full GSL of B can still be formalised by additional terms constructors (the explicit substitution approach, see [15,16]).

Notation. p_1 ⇔̇ p_2 is defined as p_1 ⇒̇ p_2 ∧̇ p_2 ⇒̇ p_1, p_1 ∨̇ p_2 as ¬̇p_1 ⇒̇ p_2, and ∃̇p as ¬̇∀̇¬̇p.

Notation. T denotes the type of terms, that is the union of P and E.

4.2 Dealing with the De Bruijn Notation

De Bruijn notation is an elegant solution to avoid complex name management, and it has numerous merits. But it also has a big drawback, being an unusual representation for human readers:

Example 6. If x ∈ y is the interpretation of the term 1 ∈̇ 2, the interpretation of the term ∀̇(1 ∈̇ 2) is ∀t·t ∈ x; because of the binder, the scope has shifted (so 2 now represents x), and (likely) the semantic has been distorted.

In this paragraph, we illustrate some of the consequences of using a De Bruijn notation, as well as how to mask such consequences from the users.

Induction. When defining type T, Coq automatically generates the associated structural induction principle. As illustrated in Ex. 6, it is however not semantically adequate, because it does not reflect De Bruijn indexes scoping.
A more interesting principle is derived in BiCoq by using the syntactical depth function D of a term as a well-founded measure:

  ∀(P : T → Prop), (∀(t : T), (∀(t' : T), D(t') < D(t) → P t') → P t) → ∀(t : T), P t

With this principle, for the term ∀̇(1 ∈̇ 3) (that is, ∀t·t ∈ y) we can choose to use an induction hypothesis on 1 ∈̇ 2 (that is, x ∈ y) instead of 1 ∈̇ 3 (that is, x ∈ z).

Non-Freeness. The B notation V \ T means that the variable V does not appear free in T. Non-freeness is defined in BiCoq as a type ṙ : I → T → Prop (a relation between I, representing the variables, and T), with the following rules⁶ (written, as the constructors of Tab. 1, with premises to the left of the arrows):

  i ṙ Ω̇
  i ṙ ω̇ k
  i_1 ≠ i_2 → i_1 ṙ i_2
  (i + 1) ṙ p → i ṙ ∀̇p
  i ṙ e → (i + 1) ṙ p → i ṙ {e |̇ p}

The two first rules are axioms, the associated constructors are atomic and do not interact with variables. The rules for ∀̇ and {|̇} reflect the fact that the associated constructors are binders and therefore shift the scope.

⁶ The rules for the other constructors are trivial and can be obtained by straightforward extension, e.g. here i ṙ p and i ṙ q allow to derive i ṙ p ⇒̇ q.

Binding, Instantiation and Substitution. It is possible to define functions to simulate B binding (that is the use of ∀ or {}, representing λ-abstraction). These functions constitute a built-in user interface to produce De Bruijn terms while using the usual representation, making De Bruijn indexes and their management invisible to the user (see also [17] for a similar approach):

  Usual rep.        ∀V_1 · V_1 ∈ {V_2 | V_2 ∈ E ∧ V_1 = V_2}
                      ↓ ↑  (pretty-printing goes upwards)
  Functional rep.   ↑∀(i_1 · i_1 ∈̇ ↑{}(i_2 : e · i_1 =̇ i_2))
                      ↓    (computation)
  Internal rep.     ∀̇(1 ∈̇ {e |̇ 2 =̇ 1})

The binding functions are defined by:

  ↑∀(i · p) := ∀̇ Bind i 1 p
  ↑{}(i : e · p) := {e |̇ Bind i 1 p}
  ↑∃(i · p) := ∃̇ Bind i 1 p

  Bind (i_1 i_2 : I)(t : T) : T := match t with
    | Ω̇ | ω̇ j' ⇒ t
    | χ̇ i' ⇒ t if i' < i_2, or else χ̇ i_2 if i' = i_1, or else χ̇ (i' + 1)
    | ∀̇ p' ⇒ ∀̇ (Bind (i_1 + 1) (i_2 + 1) p')
    | {e' |̇ p'} ⇒ {Bind i_1 i_2 e' |̇ Bind (i_1 + 1) (i_2 + 1) p'}
    | ... ⇒ ... (straightforward extension)

On the same principles, the definition of instantiation functions (for elimination of ∀ or {}, representing β-reduction and denoted by ↓∀(p ← e) : P → E → P and ↓{}(e_1 ← e_2) : E → E → P) is straightforward – being partial, these functions just require in Coq an additional proof parameter (omitted in this paper) that the term is of the expected form. Finally, it is also possible to define a substitution function⁷:

  ⟨i := e⟩ t : I → E → T → T := match t with
    | Ω̇ | ω̇ j' ⇒ t
    | χ̇ i' ⇒ if i' = i then e else t
    | ∀̇ p' ⇒ ∀̇ ⟨i + 1 := Lift(e)⟩ p'
    | {e' |̇ p'} ⇒ {⟨i := e⟩ e' |̇ ⟨i + 1 := Lift(e)⟩ p'}
    | ... ⇒ ... (straightforward extension)

where Lift, not detailed in this paper, increments dangling De Bruijn indexes. Remember that substitution is introduced early in B as a syntactical construct, but only to be used in inference rules. We consider that such rules are better represented using the resulting term (that is, the reduction of the application of the substitution).

⁷ Substitution and instantiation may seem similar in usual notation, but their differences are emphasised when using De Bruijn notation.

Once these functions are defined, numerous lemmas are proved, such as the (in)famous ones describing all possible interactions between lifting, binding, instantiation and substitution. The following results are then derived, proving
the irrelevance of α-renaming or describing relationships between instantiation, binding and substitution (with = the Coq term structural equality):

  i_2 ṙ p → ↑∀(i_1 · p) = ↑∀(i_2 · ⟨i_1 := i_2⟩ p)
  i_2 ṙ p → ↑{}(i_1 : e · p) = ↑{}(i_2 : e · ⟨i_1 := i_2⟩ p)
  ↓∀(↑∀(i · p) ← i) = p
  ↓{}(↑{}(i : e · p) ← i) = i ∈̇ e ∧̇ p
  ↓∀(↑∀(i · p) ← e) = ⟨i := e⟩ p

4.3 Inference Rules

Having formalised the B syntax and defined some functions and properties on terms, the next step is to encode the B inference rules. Thanks to the use of the functional representation described in the previous paragraph, BiCoq rules look very much like the standard B rules. The translation is therefore straightforward, merely a syntactical one, and the risk of error is very limited.

In our formalisation sets of hypotheses are represented by lists, with membership (∈) and inclusion (⊆) as well as the pointwise extension of non-freeness (ṙ). The B inference rules are formalised as constructors of an inductive type ⊢̇ : [P] → P → Prop, that is g ⊢̇ p is the Coq type of all B proofs of p under the assumptions g. Such a type may be inhabited (i.e. p is provable assuming g) or empty (i.e. there is no proof of p under the assumptions of g).

The B rules and their encoding as constructors are detailed in Tab. 1, universal quantifications being omitted (the types are g, g_1, g_2 : [P]; p, p_1, p_2 : P; e, e_1, e_2, e_3, e_4 : E; i, i_1, i_2 : I and j, j_1, j_2 : J). For most of them, translation is straightforward, only taking care to use functional substitution and binding where appropriate.
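The functions of Par. 4.2 (Bind, Lift, substitution, instantiation, non-freeness) and the five results just listed can be exercised on concrete terms. The following Python model is an added example, not BiCoq's Coq code: the tuple encoding of terms and every function name are this example's own choices, and Lift (left undetailed in the paper) is implemented here as the usual shift of dangling indexes. The results, proved once and for all in BiCoq, are only evaluated here on the terms given to check_results; a False value would reveal an error in the model, not in the paper.

```python
# Added example, not BiCoq code: a Python model of the De Bruijn machinery of
# Par. 4.2 (Bind, Lift, substitution, instantiation, non-freeness) that checks
# the results listed above on concrete terms. The tuple encoding and all
# function names are this example's own choices.
# Terms: ('var', i) is the variable chi_i (i >= 1), ('big',) the constant set,
# ('name', j) the element omega_j of it; ('forall', p) binds one variable in p,
# ('compr', e, p) is {e | p} and binds one variable in p only. The remaining
# constructors (and, imp, not, eq, in, pair, ...) carry no binder and are
# handled by the generic last line of each function.

def var(i):
    return ('var', i)

def bind(i1, i2, t):
    """Bind i1 i2 t: free variable i1 becomes bound index i2; the other dangling
    indexes are shifted by one to leave room for the new binder."""
    tag = t[0]
    if tag in ('big', 'name'): return t
    if tag == 'var':
        if t[1] < i2: return t
        return var(i2) if t[1] == i1 else var(t[1] + 1)
    if tag == 'forall': return ('forall', bind(i1 + 1, i2 + 1, t[1]))
    if tag == 'compr': return ('compr', bind(i1, i2, t[1]), bind(i1 + 1, i2 + 1, t[2]))
    return (tag,) + tuple(bind(i1, i2, s) for s in t[1:])

def lift(t, k=1):
    """Lift: increment the dangling indexes of t (those >= k; k counts crossed binders)."""
    tag = t[0]
    if tag in ('big', 'name'): return t
    if tag == 'var': return var(t[1] + 1) if t[1] >= k else t
    if tag == 'forall': return ('forall', lift(t[1], k + 1))
    if tag == 'compr': return ('compr', lift(t[1], k), lift(t[2], k + 1))
    return (tag,) + tuple(lift(s, k) for s in t[1:])

def subst(i, e, t):
    """<i := e> t: replace free variable i by e, lifting e under each binder."""
    tag = t[0]
    if tag in ('big', 'name'): return t
    if tag == 'var': return e if t[1] == i else t
    if tag == 'forall': return ('forall', subst(i + 1, lift(e), t[1]))
    if tag == 'compr': return ('compr', subst(i, e, t[1]), subst(i + 1, lift(e), t[2]))
    return (tag,) + tuple(subst(i, e, s) for s in t[1:])

def nonfree(i, t):
    """i r t: variable i does not occur free in t (the rules of Par. 4.2)."""
    tag = t[0]
    if tag in ('big', 'name'): return True
    if tag == 'var': return t[1] != i
    if tag == 'forall': return nonfree(i + 1, t[1])
    if tag == 'compr': return nonfree(i, t[1]) and nonfree(i + 1, t[2])
    return all(nonfree(i, s) for s in t[1:])

def instantiate(body, e, k=1):
    """Remove the binder around body: bound index k becomes e (lifted past the
    k-1 binders crossed) and larger dangling indexes drop by one."""
    tag = body[0]
    if tag in ('big', 'name'): return body
    if tag == 'var':
        if body[1] < k: return body
        if body[1] > k: return var(body[1] - 1)
        for _ in range(k - 1):
            e = lift(e)
        return e
    if tag == 'forall': return ('forall', instantiate(body[1], e, k + 1))
    if tag == 'compr': return ('compr', instantiate(body[1], e, k), instantiate(body[2], e, k + 1))
    return (tag,) + tuple(instantiate(s, e, k) for s in body[1:])

# The functional interface of the paper: binding (up arrows), instantiation (down arrows).
def forall_b(i, p):            # ↑∀(i · p)
    return ('forall', bind(i, 1, p))

def compr_b(i, e, p):          # ↑{}(i : e · p); e stays outside the binder
    return ('compr', e, bind(i, 1, p))

def forall_inst(p, e):         # ↓∀(p ← e); partial: p must be a ∀ term
    assert p[0] == 'forall', "not a universally quantified predicate"
    return instantiate(p[1], e)

def compr_inst(s, e):          # ↓{}(s ← e); partial: s must be a comprehension set
    assert s[0] == 'compr', "not a comprehension set"
    return ('and', ('in', e, s[1]), instantiate(s[2], e))

def paper_example(e):
    """∀V1 · V1 ∈ {V2 | V2 ∈ e ∧ V1 = V2} with V1, V2 the free variables 1 and 2;
    the internal form must be ∀(1 ∈ {e | 2 = 1}) as in the figure of Par. 4.2."""
    return forall_b(1, ('in', var(1), compr_b(2, e, ('eq', var(1), var(2)))))

def check_results(i1, i2, e, p):
    """Evaluate the five results listed above on concrete terms; every value is
    True whenever i2 is not free in p (the side condition of the first two)."""
    return {
        'rename_forall': forall_b(i1, p) == forall_b(i2, subst(i1, var(i2), p)),
        'rename_compr': compr_b(i1, e, p) == compr_b(i2, e, subst(i1, var(i2), p)),
        'inst_forall_var': forall_inst(forall_b(i1, p), var(i1)) == p,
        'inst_compr_var': compr_inst(compr_b(i1, e, p), var(i1)) == ('and', ('in', var(i1), e), p),
        'inst_forall_e': forall_inst(forall_b(i1, p), e) == subst(i1, e, p),
    }
```

The model makes the point of Ex. 6 concrete: the same free variable is index 1 at top level and index 2 under one binder, so every function carries the number of binders crossed, and the user-facing forall_b and compr_b hide that bookkeeping exactly as the paper's ↑∀ and ↑{} do.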
On the other hand, the use of the functional representation imposes to keep the syntactical side conditions, except for the comprehension set rule, where such condition is embedded in the syntax; new rules have to be derived to benefit of the internal De Bruijn representation.

Only the last two B inference rules deserve discussion. The first one of these indicates that the constant set BIG is infinite, using the infinite B predicate defined by a fixpoint; unfolding this definition to produce a translation is possible, but not practical. Therefore, this rule is replaced in BiCoq by two different rules allowing to exhibit an infinity of elements of BIG, J being itself infinite.

The last rule, defining the semantics of pairs and products, is more interesting. A straightforward translation of this rule indeed leads to the impossibility to prove, in BiCoq, the following theorems from [1]:

  ⊢ (E ↦ F) = (E' ↦ F') ⇒ E = E' ∧ F = F'
  ⊢ S ∈ ↑U ∧ T ∈ ↑V ⇒ (S × T) ∈ ↑(U × V)

The proof of the first result provided in [1] is flawed, due to a confusion between pairs of expressions and lists of variables (as pointed out in [18]), both using the same notation – and cannot be corrected in the absence of a form of destructor for pairs. On the other hand, the proof of the monotonicity of cartesian product w.r.t. inclusion is not detailed in [1], being considered trivial. However, using the listed rules, one may derive predicates of the form V ∈ S × T but without being able to constrain V to be a pair to apply the last rule (a classical problem of the untyped λ-calculus). Basically, injectivity and surjectivity rules are lacking; these observations, probably well known of the B gurus but not documented to our knowledge, have led us to replace this B rule by three new rules in order to be able to prove the expected theorems. Again, this process illustrates our conservative approach.

Table 1. Encoding of the B inference rules. B rules are written "premises / conclusion" (several premises separated by ";"); each BiCoq line is one constructor of ⊢̇, named between brackets when referred to in the text.

  B:      P ⊢ P
  BiCoq:  none, derived from [∈]

  B:      P appears in Γ / Γ ⊢ P
  BiCoq:  p ∈ g → g ⊢̇ p   [∈]

  B:      Γ' includes Γ ; Γ ⊢ P / Γ' ⊢ P
  BiCoq:  g_1 ⊢̇ p → g_1 ⊆ g_2 → g_2 ⊢̇ p   [⊆]

  B:      Γ ⊢ P ; Γ, P ⊢ Q / Γ ⊢ Q
  BiCoq:  none, derived from [¬n], [¬p], [⊆], [∈]

  B:      Γ ⊢ P ⇒ Q / Γ, P ⊢ Q   and   Γ, P ⊢ Q / Γ ⊢ P ⇒ Q
  BiCoq:  g ⊢̇ p_1 ⇒̇ p_2 → g, p_1 ⊢̇ p_2   and   g, p_1 ⊢̇ p_2 → g ⊢̇ p_1 ⇒̇ p_2

  B:      Γ ⊢ P ; Γ ⊢ Q / Γ ⊢ P ∧ Q
  BiCoq:  g ⊢̇ p_1 → g ⊢̇ p_2 → g ⊢̇ p_1 ∧̇ p_2   [∧i]

  B:      Γ ⊢ P ∧ Q / Γ ⊢ P   and   Γ ⊢ P ∧ Q / Γ ⊢ Q
  BiCoq:  g ⊢̇ p_1 ∧̇ p_2 → g ⊢̇ p_1   and   g ⊢̇ p_1 ∧̇ p_2 → g ⊢̇ p_2

  B:      Γ, Q ⊢ P ; Γ, Q ⊢ ¬P / Γ ⊢ ¬Q
  BiCoq:  g, p_2 ⊢̇ p_1 → g, p_2 ⊢̇ ¬̇p_1 → g ⊢̇ ¬̇p_2   [¬p]

  B:      Γ, ¬Q ⊢ P ; Γ, ¬Q ⊢ ¬P / Γ ⊢ Q
  BiCoq:  g, ¬̇p_2 ⊢̇ p_1 → g, ¬̇p_2 ⊢̇ ¬̇p_1 → g ⊢̇ p_2   [¬n]

  B:      Γ ⊢ E = E
  BiCoq:  g ⊢̇ e =̇ e

  B:      Γ ⊢ P ; V \ Γ / Γ ⊢ ∀V·P
  BiCoq:  i ṙ g → g ⊢̇ p → g ⊢̇ ↑∀(i · p)   [∀i]

  B:      Γ ⊢ ∀V·P / Γ ⊢ [V := E]P
  BiCoq:  g ⊢̇ ↑∀(i · p) → g ⊢̇ ⟨i := e⟩ p

  B:      V \ S / ⊢ E ∈ {V | V ∈ S ∧ P} ⇔ E ∈ S ∧ [V := E]P
  BiCoq:  ⊢̇ e_1 ∈̇ ↑{}(i : e_2 · p) ⇔̇ e_1 ∈̇ e_2 ∧̇ ⟨i := e_1⟩ p

  B:      Γ ⊢ E = F ; Γ ⊢ [V := E]P / Γ ⊢ [V := F]P
  BiCoq:  g ⊢̇ e_1 =̇ e_2 → g ⊢̇ ⟨i := e_1⟩ p → g ⊢̇ ⟨i := e_2⟩ p

  B:      V \ S / ⊢ ∃V·(V ∈ S) ⇒ ↓S ∈ S
  BiCoq:  i ṙ e → g ⊢̇ ↑∃(i · i ∈̇ e) ⇒̇ ↓̇e ∈̇ e

  B:      V \ S, T / ⊢ S ∈ ↑T ⇔ ∀V·(V ∈ S ⇒ V ∈ T)
  BiCoq:  i ṙ e_1 → i ṙ e_2 → g ⊢̇ e_1 ∈̇ ↑̇e_2 ⇔̇ ↑∀(i · i ∈̇ e_1 ⇒̇ i ∈̇ e_2)

  B:      V \ S, T / ⊢ (∀V·(V ∈ S ⇒ V ∈ T) ∧ ∀V·(V ∈ T ⇒ V ∈ S)) ⇔ S = T
  BiCoq:  g ⊢̇ e_1 ∈̇ ↑̇e_2 → g ⊢̇ e_2 ∈̇ ↑̇e_1 → g ⊢̇ e_1 =̇ e_2

  B:      ⊢ infinite(BIG)
  BiCoq:  g ⊢̇ ω̇ j ∈̇ Ω̇   and   j_1 ≠ j_2 → g ⊢̇ ¬̇(ω̇ j_1 =̇ ω̇ j_2)

  B:      ⊢ (E ↦ F) ∈ (S × T) ⇔ (E ∈ S) ∧ (F ∈ T)
  BiCoq:  g ⊢̇ e_1 ↦̇ e_2 =̇ e_3 ↦̇ e_4 → g ⊢̇ e_1 =̇ e_3
          g ⊢̇ e_1 ↦̇ e_2 =̇ e_3 ↦̇ e_4 → g ⊢̇ e_2 =̇ e_4
          i_1 ṙ e ∈̇ (e_1 ×̇ e_2) → i_2 ṙ e ∈̇ (e_1 ×̇ e_2) → i_1 ≠ i_2 →
            g ⊢̇ ↑∃(i_1 · i_1 ∈̇ e_1 ∧̇ ↑∃(i_2 · i_2 ∈̇ e_2 ∧̇ e =̇ i_1 ↦̇ i_2)) ⇔̇ e ∈̇ (e_1 ×̇ e_2)

5 Proofs in BiCoq

5.1 Standard B Proofs

Using the definition of ⊢̇, we formally prove in BiCoq all propositional calculus and predicate calculus results of [1], using the functional representation and following the proposed proof structure, e.g.:

  i_1 ṙ g → i_1 ṙ p → g ⊢̇ ⟨i_2 := i_1⟩ p → g ⊢̇ ↑∀(i_2 · p),

that is Γ ⊢ [V_2 := V_1]P ; V_1 \ Γ, P / Γ ⊢ ∀V_2·P.

To assist the proof construction BiCoq provides Coq tactics written in the Coq tactic language [19]. For example, the propositional calculus procedure described in [1], proposing a strategy based on propositional calculus theorems, is provided as a Coq tactic. More technical Coq tactics are also available in BiCoq, e.g. to obtain proved fresh variables.

An alternative form of theorems is also derived, using the internal De Bruijn representation; e.g. the ∀̇-introduction rule (to be compared with [∀i]) is:

  i ṙ g → i ṙ ∀̇p → g ⊢̇ Inst i 1 p → g ⊢̇ ∀̇p

These last results are of course rather technical, not benefiting from the functional representation. Yet they have some interest, for technical lemmas or as derived rules in which only semantical side conditions remain (computations over De Bruijn indexes dealing with the syntactical ones).

5.2 Mixing BiCoq and Coq Logics

As it is standard in such a deep embedding (e.g. see [9]), BiCoq provides also results expressing relations between host and guest logics:

  (g ⊢̇ p ∨ g ⊢̇ q) → g ⊢̇ p ∨̇ q
  g ⊢̇ p ⇒̇ q → (g ⊢̇ p → g ⊢̇ q)
  (g ⊢̇ p ∧ g ⊢̇ q) ↔ g ⊢̇ p ∧̇ q
  (∀(y : I), g ⊢̇ ⟨x := y⟩ p) ↔ g ⊢̇ ↑∀(x · p)

Asymmetrical results mark the differences between the classical B logic and the constructive Coq logic – e.g.
a reciprocal of the first rule, combined with the excluded middle, would prove that for any predicate p either ⊢̇ p or ⊢̇ ¬̇p, which of course is not the case. This emphasises the fact that both logics are well separated, the B logic being embedded as an external theory.

By providing the best of both worlds, these results constitute efficient proof tactics. For example, the last theorem does not reflect non-freeness side conditions from B to the Coq logic (Coq taking care of such conditions automatically).

6 Developing a Proved B Toolkit

In this section, we detail how BiCoq is used as a framework for the development of formally checked B toolkits. Coq offers mechanisms to extract programs from constructive proofs (i.e. software from logical definitions and theorems), but a different approach is chosen here. Indeed, BiCoq includes code (in the form of functions using the ML-like internal language of Coq) which is proved correct. This code is extractible by a pure syntactical process, e.g. in Objective Caml, using the extraction mechanism of Coq. By doing so, we obtain proved B tools whose code is small, readable and efficient – and independent of Coq.

Notation. B represents the booleans, ⊤ being true and ⊥ being false.

Notation. Hat notations are used for boolean functions (e.g. ∧̂ is the boolean and).

6.1 Implementing Decidable Properties

For P and f respectively a predicate and a boolean function over a type S, we note (P f) when f decides P, i.e.
when the following property is proved:

  ∀(s : S), (f(s) = ⊤ → P(s)) ∧ (f(s) = ⊥ → ¬P(s))

By defining folding as the extension of predicates and functions to lists, we prove that if f decides P, then the folding of f decides the folding of P:

  Fold_p(P) := fun (L : [S]) ⇒ ∀(s : S), s ∈ L → P(s)
  Fold_f(f) := fun (L : [S]) ⇒ if empty(L) then ⊤ else f(head(L)) ∧̂ Fold_f(f)(tail(L))
  (P f) → (Fold_p(P) Fold_f(f))

Example 7 (Non-freeness). Non-freeness is defined in B as a logical proposition and represented by the inductive type ṙ in BiCoq. Our implementation strategy consists in developing a program r̂ : I → T → B and to prove that (ṙ r̂). Hence r̂ and its extension (checking that a variable does not occur free in a list of hypotheses) are proved correct and can be extracted.

In BiCoq this approach is systematic; all typed equalities are implemented and proved correct (e.g. term equality), as well as non-freeness, list membership, inclusion, etc. to constitute our formally checked B toolkit.

6.2 A Proved Prover for the B Logic

In this paragraph we focus on the definition of an extractible prover to conduct first-order B proofs for standard B developments. BiCoq includes programs, named B tactics in the following, to simulate the application of B inference rules or theorems. By providing such a dedicated piece of code for each of the inference rules listed in Tab. 1, and by proving them correct, we got a correct and complete prover (that is, any standard B result can be derived using this prover).

To this end, a type for sequents is defined as the product [P] × P; for g : [P] and p : P we denote g ⊢ p the associated pair. While g ⊢̇ p is the type of B proofs of p under the assumptions g, that can be inhabited or not, g ⊢ p is a syntactical construct extending T.
To interpret a sequent, we use the translation Trans⊢ that for a pair g ⊢ p returns the type g ⊢̇ p (and its extension derived by Fold_p). A B tactic is a function T_B from sequents to lists of sequents that, provided a goal g ⊢ p, returns a list of subgoals [g_1 ⊢ p_1, ..., g_n ⊢ p_n] which together are sufficient to prove g ⊢ p; if a B tactic concludes (proves the goal) this list is empty. The following (elementary) examples give the definition of the B tactics associated respectively to the inference rules [∈] and [∧i]:

Example 8.
  T_∈(s) := let (g ⊢ p := s) in if p ∈̂ g then [] else [s]

Example 9.
  T_∧i(s) := let (g ⊢ p := s) in match p with p_1 ∧̇ p_2 ⇒ [g ⊢ p_1, g ⊢ p_2] | _ ⇒ [s]

The implementation strategy described in Par. 6.1 is now particularly relevant, as T_∈ uses the boolean function ∈̂ instead of the logical proposition ∈. Following the same principles, numerous (much more complex) B tactics are provided in BiCoq, implementing theorems or strategies, such as the decision procedure for propositional calculus described in [1]. For each B tactic T_B, the correctness is ensured by a proof of the following property:

  ∀ s, Trans⊢(T_B(s)) → Trans⊢(s),

that is g_1 ⊢ p_1 ; ... ; g_n ⊢ p_n / g ⊢ p.

Thanks to the functions defined in Par. 4.2, management of the De Bruijn indexes can be hidden from the users of the B tactics. With the programs already provided in BiCoq (such as non-freeness, binding, etc.), these B tactics constitute the core of a proved prover. This prover still lacks automation and HMI, and should be coupled with other tools, for example a B parser using the platform BRILLANT [20].
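The decidability strategy of Par. 6.1 and the B tactics of Par. 6.2 (Examples 8 and 9) can be sketched together in Python. The code below is an added example, not BiCoq's extracted code: the inductive predicate ev of Example 4 stands in for the logical property (computed as a finite approximation of its least fixpoint), b_ev for the boolean program meant to decide it, and (P f) is checked by enumeration on a finite domain instead of being proved. Predicates are reduced to atoms, conjunctions and implications so that T∈, T∧i and an implication-introduction tactic (the rule g, p_1 ⊢̇ p_2 → g ⊢̇ p_1 ⇒̇ p_2 of Tab. 1) suffice; the goal-directed driver prove and all names are this example's own.

```python
# Added example, not BiCoq code: the implementation strategy of Sec. 6 in Python.
# Par. 6.1: a boolean program deciding a logical property, the folding of both
# over lists, and (P f) checked on a finite domain. Par. 6.2: B tactics over
# sequents, each returning the list of subgoals sufficient for its goal.
from itertools import product

def decides(f, P, domain):
    """∀s, (f(s) = ⊤ → P(s)) ∧ (f(s) = ⊥ → ¬P(s)), checked on the given domain."""
    return all(P(s) if f(s) else not P(s) for s in domain)

def fold_p(P):
    """Fold_p(P): every element of the list satisfies P."""
    return lambda L: all(P(s) for s in L)

def fold_f(f):
    """Fold_f(f): the recursive boolean function of the paper."""
    def folded(L):
        return True if not L else (f(L[0]) and folded(L[1:]))
    return folded

def ev_relation(bound):
    """The inductive predicate ev of Example 4, as the least fixpoint of its two
    constructors restricted to the naturals <= bound (a finite approximation)."""
    ev = {0}
    while True:
        nxt = ev | {n + 2 for n in ev if n + 2 <= bound}
        if nxt == ev:
            return ev
        ev = nxt

def b_ev(n):
    """The boolean program meant to decide ev."""
    return n % 2 == 0

def ev_is_decided(bound=20):
    """(ev b_ev) and its folding, checked on all naturals <= bound and on all
    lists of length <= 2 over them."""
    EV = ev_relation(bound)
    P = lambda n: n in EV
    domain = range(bound + 1)
    lists = [list(L) for length in range(3) for L in product(domain, repeat=length)]
    return decides(b_ev, P, domain) and decides(fold_f(b_ev), fold_p(P), lists)

# Par. 6.2: predicates are ('atom', name), ('and', p, q) or ('imp', p, q);
# a sequent g ⊢ p is the pair (g, p) with g the list of hypotheses.
def b_in(p, g):
    """∈̂: boolean membership by structural equality (Python tuple equality)."""
    return any(q == p for q in g)

def tac_in(s):
    """T∈: concludes when the goal is one of the hypotheses (Example 8)."""
    g, p = s
    return [] if b_in(p, g) else [s]

def tac_and_i(s):
    """T∧i: splits g ⊢ p1 ∧ p2 into g ⊢ p1 and g ⊢ p2 (Example 9)."""
    g, p = s
    return [(g, p[1]), (g, p[2])] if p[0] == 'and' else [s]

def tac_imp_i(s):
    """Tactic for the rule g, p1 ⊢ p2 → g ⊢ p1 ⇒ p2 of Tab. 1."""
    g, p = s
    return [(g + [p[1]], p[2])] if p[0] == 'imp' else [s]

TACTICS = (tac_in, tac_and_i, tac_imp_i)

def prove(s, tactics=TACTICS):
    """Apply the tactics until none changes any goal. Because every tactic returns
    subgoals sufficient for its goal, an empty result means the sequent is
    provable; otherwise the goals left open are returned. Each of the three
    tactics strictly shrinks the goal it changes, so the loop terminates."""
    goals = [s]
    while True:
        new_goals, progressed = [], False
        for goal in goals:
            for tac in tactics:
                out = tac(goal)
                if out != [goal]:
                    new_goals.extend(out)
                    progressed = True
                    break
            else:
                new_goals.append(goal)
        goals = new_goals
        if not progressed:
            return goals
```

The soundness argument of the paper is visible in prove: nothing in the driver needs to be trusted beyond the tactics themselves, since a tactic that returned insufficient subgoals would be the only way to close a sequent that is not provable.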
7 Higher-Order Considerations and Extensions

While the B logic is first-order, various definitions and proofs in [1] are conducted in a higher-order meta-logic: results in propositional calculus are proved by induction over terms, and refinement is defined by quantification over predicates before being transformed into an equivalent first-order definition. Using the higher-order framework provided by Coq, BiCoq can clearly be extended to integrate and to formally check such concepts. New results can also be derived; for example, using the proof depth function $D_\vdash : \dot{\vdash} \rightarrow I$, we obtain a depth induction principle on B proof trees, e.g. for results about proof rewriting. Other results, proved in higher-order logic, are applicable in first-order B logic, and implemented as B tactics for standard B proofs. This is the case for the following congruence results.

Predicate Substitution. We extend the B logic syntax with a new predicate variable constructor $\dot{\pi}_K : P$ ($K$ being an infinite set of names with a decidable equality), without adding any inference rules, in order not to enrich the BiCoq logic⁸. Only limited modifications of BiCoq are required to deal with this new constructor, e.g. non-freeness with the additional rule $\forall (i : I)(k : K),\ i \,\dot{r}\, \dot{\pi}_k$. Predicate variables play a role similar to the one of the variables: they are placeholders that can be replaced by a predicate using the substitution function $\langle k :\equiv p_1 \rangle p_2 : K \rightarrow P \rightarrow P \rightarrow P$, not detailed in this paper, that mimics the expression substitution function (see Par. 4.2). Thanks to this extension, we can prove the following congruence rules for $\dot{\Leftrightarrow}$ and implement associated B tactics that can be used e.g. to unfold a definition in a term, even under binders:

$g \,\dot{\vdash}\, p_1 \,\dot{\Leftrightarrow}\, p_2 \rightarrow g \,\dot{\vdash}\, \langle j :\equiv p_1 \rangle p \,\dot{\Leftrightarrow}\, \langle j :\equiv p_2 \rangle p$
$g \,\dot{\vdash}\, p_1 \,\dot{\Leftrightarrow}\, p_2 \rightarrow g \,\dot{\vdash}\, \langle j :\equiv p_1 \rangle e \,\dot{=}\, \langle j :\equiv p_2 \rangle e$

Example 10. $x \,\dot{=}\, 0,\ y \,\dot{\in}\, \mathbb{N} \ \dot{\vdash}\ y \le x \,\dot{\Leftrightarrow}\, y \,\dot{=}\, 0$, therefore we immediately derive (in one step)

$x \,\dot{=}\, 0,\ y \,\dot{\in}\, \mathbb{N} \ \dot{\vdash}\ \uparrow\!\forall(v \cdot v \,\dot{\in}\, \uparrow\!\{\}(t : \mathbb{N} \cdot t \le y \,\dot{\wedge}\, y \le x)) \,\dot{\Leftrightarrow}\, \uparrow\!\forall(v \cdot v \,\dot{\in}\, \uparrow\!\{\}(t : \mathbb{N} \cdot t \le y \,\dot{\wedge}\, y \,\dot{=}\, 0))$

Note that predicate substitution and expression substitution mechanically forbid the capture of variables in the substituted subterm, by lifting dangling De Bruijn indexes when crossing a binder. That is, in Ex. 10, if $v$ or $t$ appear free in the substituted subterm, they escape capture during substitution.

Predicate Grafting. Other congruence results can be derived for grafting of predicates, a modified substitution (not lifting the substituted subterm) allowing for the capture of variables:

$\langle k \rhd p \rangle t : K \rightarrow P \rightarrow T \rightarrow T :=$ match $t$ with
| $\dot{\Omega}$ | $\dot{\omega}_{j'}$ | $\dot{\chi}_{i'}$ $\Rightarrow t$
| $\dot{\pi}_{k'}$ $\Rightarrow$ if $k' = k$ then $p$ else $t$
| $\dot{\forall} p'$ $\Rightarrow \dot{\forall} \langle k \rhd p \rangle p'$
| $\{ e' \,\dot{|}\, p' \}$ $\Rightarrow \{ \langle k \rhd p \rangle e' \,\dot{|}\, \langle k \rhd p \rangle p' \}$
| $\ldots \Rightarrow \ldots$ (straightforward extension)

The associated congruence results and proofs are technical, and not detailed in this paper. We just provide for illustration a simplified version of these results:

$\dot{\vdash}\, p_1 \,\dot{\Leftrightarrow}\, p_2 \rightarrow g \,\dot{\vdash}\, \langle j \rhd p_1 \rangle p \,\dot{\Leftrightarrow}\, \langle j \rhd p_2 \rangle p$
$\dot{\vdash}\, p_1 \,\dot{\Leftrightarrow}\, p_2 \rightarrow g \,\dot{\vdash}\, \langle j \rhd p_1 \rangle e \,\dot{=}\, \langle j \rhd p_2 \rangle e$

Example 11. $g \,\dot{\vdash}\, \langle k \rhd \dot{\neg}\dot{\neg} p \rangle q \,\dot{\Leftrightarrow}\, \langle j \rhd p \rangle q$, that is the elimination of double negations in a subterm (even if dangling De Bruijn indexes of $p$ are bound in $q$).

Remark. Results such as the ones in Exs. 10 or 11 are provable in B, on a case-by-case basis, with a first-order proof depending on the structure of the term in which substitution or grafting is done. It is therefore conceivable to develop a specific (and likely complex) B tactic automatically building for such goals a proof using the B inference rules.
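The difference between substitution (lifting dangling indexes when crossing a binder, as in Ex. 10) and grafting (no lifting, so the binders of the target capture them, as in Ex. 11), as an added Python example; it is not BiCoq's code, whose term syntax is much richer. The syntax assumed here is a reduced one: De Bruijn indexes, integer constants, the predicate variable constructor, one atomic ≤ predicate, negation, conjunction and a universal binder. The `dangling` and `nonfree_b` helpers are the example's own and only sketch, for this syntax, the r^b decision function of Par. 6.1.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Set, Union

# Expressions (constructed reduced syntax).
@dataclass(frozen=True)
class Idx:             # De Bruijn index: 0 is the innermost enclosing binder
    i: int

@dataclass(frozen=True)
class Const:
    n: int

Expr = Union[Idx, Const]

# Predicates.
@dataclass(frozen=True)
class Pi:              # predicate variable, named by k
    k: str

@dataclass(frozen=True)
class Leq:             # atomic predicate a <= b
    a: Expr
    b: Expr

@dataclass(frozen=True)
class Not:
    p: "Pred"

@dataclass(frozen=True)
class And:
    p: "Pred"
    q: "Pred"

@dataclass(frozen=True)
class Forall:          # binds index 0 in body
    body: "Pred"

Pred = Union[Pi, Leq, Not, And, Forall]
Term = Union[Expr, Pred]

def lift(t: Term, d: int = 0) -> Term:
    """Increment every index >= d, i.e. the indexes that dangle out of t once t is
    placed under one more binder (indexes below d are bound inside t)."""
    if isinstance(t, Idx):
        return Idx(t.i + 1) if t.i >= d else t
    if isinstance(t, (Const, Pi)):
        return t
    if isinstance(t, Leq):
        return Leq(lift(t.a, d), lift(t.b, d))
    if isinstance(t, Not):
        return Not(lift(t.p, d))
    if isinstance(t, And):
        return And(lift(t.p, d), lift(t.q, d))
    return Forall(lift(t.body, d + 1))     # crossing the binder: index 0 is now bound

def replace(k: str, p: Pred, t: Term, lifting: bool) -> Term:
    """Replace the predicate variable k by p in t.  With lifting=True this is the
    substitution <k :≡ p>: p is lifted under each binder, so its dangling indexes
    keep pointing outside and escape capture.  With lifting=False it is the
    grafting <k ⊳ p>: p is inserted as is and the binders of t may capture it."""
    if isinstance(t, Pi):
        return p if t.k == k else t
    if isinstance(t, (Idx, Const, Leq)):
        return t                           # no predicate variable below an expression here
    if isinstance(t, Not):
        return Not(replace(k, p, t.p, lifting))
    if isinstance(t, And):
        return And(replace(k, p, t.p, lifting), replace(k, p, t.q, lifting))
    inner = lift(p) if lifting else p
    return Forall(replace(k, inner, t.body, lifting))

def subst(k: str, p: Pred, t: Term) -> Term:
    return replace(k, p, t, True)

def graft(k: str, p: Pred, t: Term) -> Term:
    return replace(k, p, t, False)

def dangling(t: Term, depth: int = 0) -> Set[int]:
    """Indexes of t that are not bound inside t, counted from t's root."""
    if isinstance(t, Idx):
        return {t.i - depth} if t.i >= depth else set()
    if isinstance(t, (Const, Pi)):
        return set()                       # the rule  i r π_k  for every i and k
    if isinstance(t, Leq):
        return dangling(t.a, depth) | dangling(t.b, depth)
    if isinstance(t, Not):
        return dangling(t.p, depth)
    if isinstance(t, And):
        return dangling(t.p, depth) | dangling(t.q, depth)
    return dangling(t.body, depth + 1)

def nonfree_b(i: int, t: Term) -> bool:
    """Boolean non-freeness of index i in t (sketch of r^b for this syntax)."""
    return i not in dangling(t)

# Constructed inputs.  P mentions the variable bound *outside* it (index 0 at top
# level); Q is  ∀ t . (π_k ∧ t <= x)  where x is that same outer variable, which
# under the binder of Q is index 1.
P = Leq(Idx(0), Const(0))
Q = Forall(And(Pi("k"), Leq(Idx(0), Idx(1))))
```

Running `subst("k", P, Q)` yields `Forall(And(Leq(Idx(1), Const(0)), ...))`: the index of P was lifted to 1 so it still denotes the outer variable. `graft("k", P, Q)` yields `Forall(And(Leq(Idx(0), Const(0)), ...))`: the same index is now read as the bound t, which is the capture grafting is meant to allow, and which makes `nonfree_b(0, graft("k", P, Forall(Pi("k"))))` true while the substituted version keeps index 0 free.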
On the contrary, the proposed extensions provide a new approach through results derived from a higher-order proof; the associated B tactics are therefore simpler, and produce generic (and shorter) proofs by using not only the B inference rules but also induction on $T$.

⁸ However, some new (propositional) sequents became provable, such as $\dot{\pi}_k \,\dot{\vdash}\, \dot{\pi}_k$.

8 Conclusion

Through an accurate deep embedding of the B logic in Coq, we identify shortfalls or confusions in [1] and propose amendments in order to be able to validate standard results – improving the confidence in the method and in the developments conducted with it. We describe a strategy to further benefit from this deep embedding by implementing verified B tools, extractible to be used independently of Coq. The approach is illustrated by the development of B tactics that constitute a complete and correct prover – usable to conduct proofs (provided further automation), or to check proofs produced by other tools. The objective, again, is to have better confidence in the developments conducted in B. We also explain how, benefiting from the higher-order features of Coq, new results for B can be derived, and present an extension to derive congruence theorems related to equivalence, implemented in our prover.

All the results presented in this paper are mechanically checked; BiCoq currently represents about 550 definitions (i.e. types, properties, functions), 750 theorems and proofs in Coq – and about 6 man-months of development. It has now to be extended with the following definitions and results:

– Generation by the prover of B proof terms checkable by Coq.
– Use of a locally nameless De Bruijn representation with named free variables to derive unified congruence results (merging substitution and grafting).
– Fixpoint constructs, with application to the definition of natural numbers in the B style; on the innovative side, we expect to derive inductive B tactics, not available in current B implementations.
– GSL definition – either through a shallow embedding (an approach similar to the one presented in [6], but in BiCoq) or through a deep embedding (with higher-order and first-order refinement definitions, and proof of equivalence).

We would like to emphasise the simplicity and the efficiency of the deep embedding approach, when having both validation and implementation objectives. In a relatively short amount of time, it was possible to describe the B logic, to check its standard results, and to implement a proved prover for this logic.

Acknowledgements. We thank Pr. Hardin for reviewing earlier versions of this paper.

References

1. Abrial, J.R.: The B-Book - Assigning Programs to Meanings. Cambridge University Press (August 1996)
2. The Coq development team: The Coq proof assistant reference manual. LogiCal Project (2004)
3. Gordon, M.J.C.: Mechanizing programming logics in higher-order logic. In Birtwistle, G.M., Subrahmanyam, P.A., eds.: Current Trends in Hardware Verification and Automatic Theorem Proving (Proceedings of the Workshop on Hardware Verification), Banff, Canada, Springer-Verlag, Berlin (1988) 387–439
4. Boulton, R.J., Gordon, A., Gordon, M.J.C., Harrison, J., Herbert, J., Tassel, J.V.: Experience with embedding hardware description languages in HOL. In Stavridou, V., Melham, T.F., Boute, R.T., eds.: TPCD. Volume A-10 of IFIP Transactions, North-Holland (1992) 129–156
5. Azurat, A., Prasetya, I.: A survey on embedding programming logics in a theorem prover. Technical Report UU-CS-2002-007, Institute of Information and Computing Sciences, Utrecht University (2002)
6. Bodeveix, J.P., Filali, M., Muñoz, C.: A formalization of the B-method in Coq and PVS. In: Electronic Proceedings of the B-User Group Meeting at the World Congress on Formal Methods FM 99 (1999) 33–49
7. Chartier, P.: Formalisation of B in Isabelle/HOL. In: B '98: Proceedings of the Second International B Conference on Recent Advances in the Development and Use of the B Method, London, UK, Springer-Verlag (1998) 66–82
8. Ridge, T., Margetson, J.: A mechanically verified, sound and complete theorem prover for first order logic. In Hurd, J., Melham, T.F., eds.: TPHOLs. Volume 3603 of Lecture Notes in Computer Science, Springer (2005) 294–309
9. Berkani, K., Dubois, C., Faivre, A., Falampin, J.: Validation des règles de base de l'Atelier B. Technique et Science Informatiques 23(7) (2004) 855–878
10. Cirstea, H., Kirchner, C.: Using rewriting and strategies for describing the B predicate prover. In Kirchner, C., Kirchner, H., eds.: CADE-15: Workshop on Strategies in automated deduction. Volume 1421 of Lecture Notes in Computer Science, Lindau, Germany, Springer (1998) 25–36
11. de Bruijn, N.G.: Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem. Indagationes Mathematicae (Proceedings) (1972) 381–392
12. Liang, C., Nadathur, G.: Tradeoffs in the intensional representation of lambda terms. In Tison, S., ed.: RTA. Volume 2378 of Lecture Notes in Computer Science, Springer (2002) 192–206
13. Aydemir, B., Charguéraud, A., Pierce, B.C., Weirich, S.: Engineering aspects of formal metatheory (April 2007) Manuscript.
14. Bird, R., Paterson, R.: De Bruijn notation as a nested datatype. Journal of Functional Programming 9(1) (1999) 77–91
15. Abadi, M., Cardelli, L., Curien, P.L., Lévy, J.J.: Explicit substitutions. Journal of Functional Programming 1(4) (1991) 375–416
16. Curien, P.L., Hardin, T., Lévy, J.J.: Confluence properties of weak and strong calculi of explicit substitutions. Journal of the ACM 43(2) (March 1996) 362–397
17. Gordon, A.D.: A mechanisation of name-carrying syntax up to alpha-conversion. In Joyce, J.J., Seger, C.J.H., eds.: HUG '93: Proceedings of the 6th International Workshop on Higher Order Logic Theorem Proving and its Applications. Volume 780 of Lecture Notes in Computer Science, London, UK, Springer-Verlag (1993) 413–425
18. Mussat, L.: Private Communication (2005)
19. Delahaye, D.: A tactic language for the system Coq. In Parigot, M., Voronkov, A., eds.: Proceedings of Logic for Programming and Automated Reasoning (LPAR), Reunion Island. Volume 1955 of Lecture Notes in Computer Science, Springer-Verlag LNCS/LNAI (November 2000) 85–95
20. Colin, S., Petit, D., Rocheteau, J., Marcano, R., Mariano, G., Poirriez, V.: BRILLANT: An open source and XML-based platform for rigourous software development. In: SEFM (Software Engineering and Formal Methods), Koblenz, Germany, AGKI (Artificial Intelligence Research Koblenz), IEEE Computer Society Press (September 2005) selectivity: 40/120