Comprehending Isabelle/HOL’s Consistency
 888 Downloads
Abstract
The proof assistant Isabelle/HOL is based on an extension of HigherOrder Logic (HOL) with ad hoc overloading of constants. It turns out that the interaction between the standard HOL type definitions and the Isabellespecific ad hoc overloading is problematic for the logical consistency. In previous work, we have argued that standard HOL semantics is no longer appropriate for capturing this interaction, and have proved consistency using a nonstandard semantics. The use of an exotic semantics makes that proof hard to digest by the community. In this paper, we prove consistency by prooftheoretic means—following the healthy intuition of definitions as abbreviations, realized in HOLC, a logic that augments HOL with comprehension types. We hope that our new proof settles the Isabelle/HOL consistency problem once and for all. In addition, HOLC offers a framework for justifying the consistency of new deduction schemas that address practical user needs.
Keywords
Type Definition Ground Type Ground Instance Type Constructor Substitutive Closure1 Introduction
Isabelle/HOL [35, 36] is a popular proof assistant, with hundreds of users worldwide in both academia and industry. It is being used in major verification projects, such as the seL4 operating system kernel [24]. In addition, Isabelle/HOL is a framework for certified programming: functional programming (including lazy (co)programming [9]) is supported natively and imperative programming is supported via a monadic extension [10]. Programs can be written and verified in Isabelle/HOL, and efficient code for them (in Haskell, Standard ML, OCaml and Scala) can be produced using a code generator [19]. This certified programming methodology has yielded a wide range of verified software systems, from a Java compiler [32] to an LTL model checker [14] to a conference management system [23]. The formal guarantees of all such systems, as well as those considered by some formal certification agencies [21], are based on one major assumption: the correctness/consistency of Isabelle/HOL’s inference engine.
Keeping the underlying logic simple, hence manifestly consistent, along with reducing all the user developments to the logic kernel, has been a major tenet of the LCF/HOL approach to formal verification, originating from Robin Milner and Mike Gordon [17]. Yet, Isabelle/HOL, one of the most successful incarnations of this approach, takes some liberties beyond the wellunderstood higherorder logic kernel. Namely, its definitional mechanism allows delayed ad hoc overloading of constant definitions—in turn, this enables Haskellstyle type classes [46] on top of HOL [37].
When 0 is defined for concrete types, such as \({\mathsf {real}}\) and \(\alpha \;{\mathsf {list}}\), the library theorems about arbitrarydomain polynomials are enabled for polynomials over these concrete types.^{3}
The above would lead to a proof of false taking advantage of the circularity \(T \rightsquigarrow c_{\mathsf {bool}}\rightsquigarrow T\) in the dependency relation introduced by the definitions: one first defines the type T to contain precisely one element just in case \(c_{\mathsf {bool}}\) is \(\mathsf {{True}}\), and then defines \(c_{\mathsf {bool}}\) to be \(\mathsf {{True}}\) just in case T contains more than one element.
Because Isabelle/HOL has a large user base and is heavily relied upon, it is important that the consistency of its logic be established with a high degree of clarity and a high degree of rigor. In 2014, we started an investigation into the foundations of this logic, which has revealed a few consistency problems (including the above “paradox”). These issues have generated quite a lot of discussion in the Isabelle community, during which some philosophical disagreements and misunderstandings among the users and the developers have surfaced [1]. The technical issues have been addressed [27, 29] and are no longer exhibited in Isabelle2016.^{4}
In addition to taking care of these issues, one of course needs some guarantees that similar issues are not still present in the logic. To address this, in previous work [29] we have proved that the logic is now consistent, employing a semantic argument in terms of a nonstandard semantics for HOL. Our original proof was somewhat sketchy and lacking in rigor—full (penandpaper) proofs are now included in an extended report [28]. Of course, a machinechecked proof, perhaps building on a recent formalization of HOL [15, 25], would make further valuable progress on the rigor aspect.
This paper’s first contribution is a new proof of consistency for Isabelle/HOL’s logic, easy to digest by the large community of “syntacticists” who (quite legitimately) wish to regard definitions as a form of abbreviations. The problem is that type definitions cannot simply be unfolded (and inlined)—a type definition is an axiom that postulates a new type and an embeddingprojection pair between the new type and the original type (from where the new type is carved out by a nonempty predicate). But the syntactic intuition persists: what if we were allowed to unfold type definitions? As it turns out, this can be achieved in a gentle extension of HOL featuring comprehension types. This extended logic, called HOL with Comprehension (HOLC), is a syntacticist’s paradise, allowing for a consistency proof along their intuition. This proof is systematically developed in Sect. 3. First, HOLC is introduced (Sect. 3.1) and shown consistent by a standard argument (Sect. 3.2). Then, a translation is defined from wellformed Isabelle/HOL definitions to HOLC, which is proved sound, i.e., deductionpreserving (Sect. 3.3). The key to establishing soundness is the use of a modified deduction system for HOL where type instantiation is restricted—this tames the inherent lack of uniformity brought about by ad hoc overloading. Finally, soundness of the translation together with consistency of HOLC ensures consistency of Isabelle/HOL.It’s a bit puzzling, not to say worrying, to want a settheoretic semantics for plain definitions. The point of definitions (and the origin of the idea that they preserve consistency) is that they are abbreviations.
As a second contribution, we use HOLC to justify some recently proposed extensions of Isabelle/HOL—namely, two new deduction schemas [30]. One enables local type definitions inside proof contexts; the other allows replacing undefined instances of overloaded constants with universally quantified variables. As we argue in [30], both extensions are useful for simplifying proof development by enabling the transition from light typebased theorems to heavier but more flexible setbased theorems. However, proving that these extensions do not introduce inconsistency is surprisingly difficult. In particular, our previously defined (consistencyjustifying) semantics [29] has a blind spot on the second extension— it is only from the viewpoint of HOLC that the consistency of both extensions is manifest (Sect. 4).
More details on our constructions and proofs can be found in a technical report made available online [31].
2 The Isabelle/HOL Logic Recalled
2.1 HOL Syntax and Deduction
The syntax and deduction system we present here are minor variations of the standard ones for HOL (as in, e.g., [3, 18, 20]). What we call HOL axioms correspond to the theory INIT from [3].

an infinite set \(\mathsf {{TVar}}\), of type variables, ranged by \(\alpha ,\beta \)

an infinite set \(\mathsf {VarN}\), of (term) variable names, ranged by x, y, z

a set K of symbols, ranged by k, called type constructors, containing three special symbols: \({\mathsf {bool}}\), \({\mathsf {ind}}\) and \(\rightarrow \) (aimed at representing the type of booleans, an infinite type and the function type constructor, respectively)

a set \({{\textsf {Const}}}\), ranged over by c, of symbols called constants, containing five special symbols: \(\longrightarrow \), \(=\), \({{\varepsilon }}\), \({{\mathsf {zero}}}\) and \({{\mathsf {suc}}}\) (aimed at representing logical implication, equality, Hilbert choice of some element from a type, zero and successor, respectively)
 a function \({{\mathsf {tpOf}}}: {{\textsf {Const}}}\rightarrow \mathsf {{Type}}\) associating a type to every constant, such that:
We say that \(\sigma \) is an instance of \(\tau \) via a substitution of \(\rho \in {\textsf {TSubst}}\), written \(\sigma \le _\rho \tau \), if \(\overline{\rho }(\tau ) = \sigma \). We say that \(\sigma \) is an instance of \(\tau \), written \(\sigma \le \tau \), if there exists \(\rho \in {\textsf {TSubst}}\) such that \(\sigma \le _\rho \tau \). Two types \(\sigma _1\) and \(\sigma _2\) are called orthogonal, written \(\sigma _1 \#\sigma _2\), if they have no common instance; i.e., for all \(\tau \) it holds that \(\tau \not \le \sigma _1\) or \(\tau \not \le \sigma _2\).
A term is a welltyped term if there exists a (necessarily unique) type \(\tau \) such that \(t : \tau \). We write \({{\mathsf {tpOf}}}(t)\) for this unique \(\tau \). We let \({{\textsf {Term}}}_w\) be the set of welltyped terms. We can apply a type substitution \(\rho \) to a term t, written \(\overline{\rho }(t)\), by applying \(\overline{\rho }\) to the types of all variables and constant instances occurring in t. \({{\textsf {FV}}}(t)\) is the set of t’s free variables. The term t is called closed if it has no free variables: \({{\textsf {FV}}}(t) = \emptyset \). We write \(t[s/x_\sigma ]\) for the term obtained from t by capturefree substituting s for all free occurrences of \(x_\sigma \).
A formula is a term of type \({\mathsf {bool}}\). The formula connectives and quantifiers are defined in a standard way, starting from the implication and equality primitives. When writing terms, we sometimes omit the types of variables if they can be inferred.
BuiltIns and NonbuiltIns. A builtin type is any type of the form \({\mathsf {bool}}\), \({\mathsf {ind}}\), or \(\sigma \rightarrow \tau \) for \(\sigma ,\tau \in \mathsf {{Type}}\). We let \(\mathsf {{Type}}^\bullet \) denote the set of types that are not builtin. Note that a nonbuiltin type can have a builtin type as a subexpression, and vice versa; e.g., if \({\mathsf {list}}\) is a type constructor, then \({\mathsf {bool}}\,{\mathsf {list}}\) and \((\alpha \rightarrow \beta )\,{\mathsf {list}}\) are nonbuiltin types, whereas \(\alpha \rightarrow \beta \;{\mathsf {list}}\) is a builtin type.
A builtin constant is a constant of the form \(\longrightarrow \), \(=\), \({{\varepsilon }}\), \({{\mathsf {zero}}}\) or \({{\mathsf {suc}}}\). We let \({{\textsf {CInst}}}^\bullet \) be the set of constant instances that are not instances of builtin constants.
As a general notation rule, the superscript \(\bullet \) indicates nonbuiltin items, where an item can be either a type or a constant instance.
2.2 The Isabelle/HOL Definitional Mechanisms
Constant(Instance) Definitions. Given \(c_\sigma \in {{\textsf {CInst}}}^\bullet \) and a closed term \(t : \sigma \), we let \(c_\sigma \equiv t\) denote the formula \(c_\sigma =t\). We call \(c_\sigma \equiv t\) a constantinstance definition provided \({{\textsf {TV}}}(t) \subseteq {{\textsf {TV}}}(c_\sigma )\) (i.e., \({{\textsf {TV}}}(t) \subseteq {{\textsf {TV}}}(\sigma )\)).
Thus, \(\tau \equiv t\) means: provided t represents a nonempty subset of \(\sigma \), the new type \(\tau \) is isomorphic to this subset via \({ abs }\) and \({ rep }\). Note that this is a conditional type definition, which distinguishes Isabelle/HOL from other HOLbased provers where an unconditional version is postulated (but only after the user proves nonemptiness). We shall see that this conditional approach, known among the Isabelle developers as the Makarius Wenzel trick, is useful in the overall scheme of proving consistency.
However, as far as user interaction is concerned, Isabelle/HOL proceeds like the other HOL provers, in particular, it requires nonemptiness proofs. When the user issues a command to define \(\tau \) via \(t: \sigma \rightarrow {\mathsf {bool}}\), the system asks the user to prove \(\exists x_\sigma .\; t\;x\), after which the new type \(\tau \) and the morphisms \({ abs }\) and \({ rep }\) are produced and \((\tau \approx t)^{{ abs }}_{{ rep }}\) is proved by applying Modus Ponens.
An Isabelle/HOL development proceeds by declaring types and constants, issuing constantinstance and type definitions, and proving theorems about them via HOL deduction.^{5} Therefore, at any point in the development, there is a finite set D of registered constantinstance and type definitions (over a HOL signature \(\varSigma \))—we call such a set a definitional theory. We are interested in proving the consistency of definitional theories, under the syntactic wellformedness restrictions imposed by the system.
WellFormed Definitional Theories. Given any binary relation R on \(\mathsf {{Type}}^\bullet \cup {{\textsf {CInst}}}^\bullet \), we write \(R^\downarrow \) for its (type)substitutive closure, defined as follows: \(p \,R^\downarrow \, q\) iff there exist \(p',q'\) and a type substitution \(\rho \) such that \(p = \overline{\rho }(p')\), \(q = \overline{\rho }(q')\) and \(p' \,R\, q'\). We say that a relation R is terminating if there exists no sequence \((p_i)_{i \in \mathbb {N}}\) such that \(p_i\,R\,p_{i+1}\) for all i. We shall write \(R^+\) and \(R^*\) for the transitive and the reflexivetransitive closure of R.

either one of them is a type definition and the other is a constantinstance definition

or both are type definitions with orthogonal lefthand sides, i.e., \({ def }_{\!1}\) has the form \(\tau _1 \equiv \ldots \), \({ def }_{\!2}\) has the form \(\tau _2 \equiv \ldots \), and \(\tau _1 \#\tau _2\).

or both are constantinstance definitions with orthogonal lefthand sides, i.e., \({ def }_{\!1}\) has the form \(c_{\tau _1} \equiv \ldots \), \({ def }_{\!2}\) has the form \(d_{\tau _2} \equiv \ldots \), and \(c_{\tau _1}\! \#d_{\tau _2}\).
 1.
there exists in D a definition of the form \(u \equiv t\) such that \(v \in {{\mathsf {consts}}}^{\bullet }(t) \,\cup \, {{\mathsf {types}}}^{\bullet }(t)\).
 2.
\(u \in {{\textsf {CInst}}}^\bullet \) such that u has the form \(c_{{{\mathsf {tpOf}}}(c)}\), and \(v \in {{\mathsf {types}}}^{\bullet }({{\mathsf {tpOf}}}(c))\).
We call \(\rightsquigarrow \) the dependency relation associated to D: it shows how the types and constant instances depend on each other through definitions in D. The fact that builtin items do not participate at this relation (as shown by the bullets which restrict to nonbuiltin items) is justified by the builtin items having a predetermined interpretation, which prevents them from both “depending” and “being depended upon” [29].
We call the definitional theory D wellformed if it is orthogonal and the substitutive closure of its dependency relation, \(\rightsquigarrow ^\downarrow \), is terminating. Orthogonality prevents inconsistency arising from overlapping lefthand sides of definitions: defining \(c_{\alpha \times {\mathsf {ind}}\rightarrow {\mathsf {bool}}}\) to be \(\lambda x_{\alpha \times {\mathsf {ind}}}.{\mathsf {{False}}}\) and \(c_{{\mathsf {ind}}\times \alpha \rightarrow {\mathsf {bool}}}\) to be \(\lambda x_{{\mathsf {ind}}\times \alpha }.\mathsf {{True}}\) yields \(\lambda x_{{\mathsf {ind}}\times {\mathsf {ind}}}.{\mathsf {{False}}}= c_{{\mathsf {ind}}\times {\mathsf {ind}}\rightarrow {\mathsf {bool}}} \) \(=\lambda x_{{\mathsf {ind}}\times {\mathsf {ind}}}.\mathsf {{True}}\) and hence \({\mathsf {{False}}}= \mathsf {{True}}\). Termination prevents inconsistency arising from circularity, as in the encoding of Russel’s paradox in the introduction.
In previous work [29], we proved that these prevention measures are sufficient:
Theorem 1
If D is wellformed, then D is consistent.
Let us briefly recall the difficulties arising in proving the consistency theorem. A main problem problem rests in the fact that (recursive) overloading does not interact well with settheoretic semantics. This makes it difficult to give a meaning to the overloaded definitions, in spite of the fact that their syntactic dependency terminates.
Example 2
Here, c and k are mutually dependent. Hence, since c is overloaded, both c and k behave differently depending on the types they are instantiated with or applied to. Here are some examples. Because \(c_{{\mathsf {bool}}\rightarrow {\mathsf {bool}}}\) is (vacuously) true, \(({\mathsf {bool}},{\mathsf {bool}})\,k\) contains four elements (corresponding to all elements of \({\mathsf {bool}}\,\times \,{\mathsf {bool}}\)). On the other hand, because \(c_{{\mathsf {nat}}\rightarrow {\mathsf {bool}}}\) is (vacuously) false, \((\alpha ,{\mathsf {nat}})\,k\) and \(({\mathsf {nat}},\alpha )\,k\) each contain one single element (corresponding to (d, d)). Moreover, \(({\mathsf {bool}},({\mathsf {bool}},{\mathsf {nat}})\,k)\,k\) contains two elements, for the following reason: both \(c_{{\mathsf {bool}}\rightarrow {\mathsf {bool}}}\) and \(c_{({\mathsf {bool}},{\mathsf {nat}})\,k\rightarrow {\mathsf {bool}}}\) are true, the latter since \(c_{{\mathsf {bool}}\rightarrow {\mathsf {bool}}}\) is true and \(c_{{\mathsf {nat}}\rightarrow {\mathsf {bool}}}\) is false (as required in the definition of \(c_{(\alpha ,\beta )\,k\rightarrow {\mathsf {bool}}}\)); so \(({\mathsf {bool}},({\mathsf {bool}},{\mathsf {nat}})\,k)\,k\) has as many elements as its host type, \({\mathsf {bool}}\times ({\mathsf {bool}},{\mathsf {nat}})\,k\); and \(({\mathsf {bool}},{\mathsf {nat}})\,k\) has only one element (corresponding to (d, d)). Finally, \(({\mathsf {bool}},({\mathsf {nat}},{\mathsf {bool}})\,k)\,k\) contains only one element, because \(c_{({\mathsf {nat}},{\mathsf {bool}})\,k\rightarrow {\mathsf {bool}}}\) is false (by the definitions of \(c_{(\alpha ,\beta )\,k\rightarrow {\mathsf {bool}}}\) and \(c_{{\mathsf {nat}}\rightarrow {\mathsf {bool}}}\)).
In the standard HOL semantics [41], a type constructor such as k is interpreted compositionally, as an operator [k] on sets (from a suitable universe) obtained from k’s type definition—here, as a binary operator taking the sets A and B to the set \(\{(a,b) \in A \times B \mid [c]_{A}(a) \,\wedge \, [c]_{B}\,(b) \,\vee \, (a,b) = ([d]_A,[d]_B)\}\), where \(([c]_A)_{A}\) and \(([d]_A)_A\) would be the interpretations of c and d as families of sets, with each \([c]_A\) a predicate on A and each \([d]_A\) an element of A. But defining [k] in one go for any sets A and B is impossible here, since the needed instances of [c] are not yet known, and in fact are mutually dependent with [k]. This means that, when defining [k] and [c], the inputs A and B would need to be analyzed in an ad hoc fashion, for the (syntactic!) occurrences of [k] itself. The orthogonality and termination of such semantic definitions would be problematic (and, as far as we see, could only be worked out by a heavy machinery that would constrain semantics to behave like syntax—adding syntactic annotations to the interpreting sets). Using John Reynolds’s famous wording [42], we conclude that ad hoc polymorphism is not settheoretic.^{6}
In [29], we proposed a workaround based on acknowledging that ad hoc overloading regards different instances of the same nonbuiltin polymorphic type as completely unrelated types. Instead of interpreting type constructors as operators on sets, we interpret each nonbuiltin ground type and constant instance separately, in the order prescribed by the terminating dependency relation. Here, for example, \(c_{{\mathsf {bool}}\rightarrow {\mathsf {bool}}}\) and \(c_{{\mathsf {nat}}\rightarrow {\mathsf {bool}}}\) are interpreted before \(({\mathsf {bool}},{\mathsf {nat}})\,k\), which is interpreted before \(c_{({\mathsf {bool}},{\mathsf {nat}})\,k \rightarrow {\mathsf {bool}}}\), which is interpreted before \((({\mathsf {bool}},{\mathsf {nat}})\,k,{\mathsf {bool}})\,k\), etc. (But note that termination does not necessarily come from structural descent on types: definitions such as \(e_{{\mathsf {nat}}} \equiv {{\textsf {head}}}(e_{{\mathsf {nat}}\;{\mathsf {list}}})\) are also acceptable.) Finally, polymorphic formulas are interpreted as the infinite conjunction of the interpretation of all their ground instances: for example, \(c_{\alpha \rightarrow {\mathsf {bool}}}\,d_\alpha \) is true iff \(c_{\sigma \rightarrow {\mathsf {bool}}}\,d_\sigma \) is true for all ground types \(\sigma \). This way, we were able to construct a ground model for the definitional theory. And after showing that the deduction rules for (polymorphic) HOL are sound for ground models, we inferred consistency. Thus, our solution was based on a mixture of syntax and semantics: interpret type variables by universally quantifying over all ground instances, and interpret nonbuiltin ground types disregarding their structure.
Such a hybrid approach, involving a nonstandard semantics, may seem excessive. There is a more commonsense alternative for accommodating the observation that standard semantics cannot be married with ad hoc overloading: view overloaded definitions as mere textual abbreviations. The “semantics” of an overloaded constant will then be the result of unfolding the definitions—but, as we have seen, types must also be involved in this process. This is the alternative taken by our new proof.
3 New Proof of Consistency
The HOL logical infrastructure allows unfolding constant definitions, but not type definitions. To amend this limitation, we take an approach common in mathematics. The reals were introduced by closing the rationals under Cauchy convergence, the complex numbers were introduced by closing the reals under roots of polynomials. Similarly, we introduce a logic, HOL with Comprehension (HOLC), by closing HOL under type comprehension—that is, adding to HOL comprehension types to express subsets of the form \(\{ x : \sigma \mid t\;x \}\) (Sect. 3.1). While there is some tension between these subsets being possibly empty and the HOLC types having to be nonempty due to the Hilbert choice operator, this is resolved thanks to the HOLC comprehension axioms being conditioned by nonemptiness. With this proviso, HOLC admits standard settheoretical models, making it manifestly consistent (Sect. 3.2). In turn, Isabelle/HOLstyle overloaded constants and types can be normalized in HOLC by unfolding their definitions (Sect. 3.3). The normalization process provides an intuition and a justification for the syntactic checks involving nonbuiltin types and constants. Finally, consistency of Isabelle/HOL is inferable from consistency of HOLC.
3.1 HOL with Comprehension (HOLC)

a set K of type constructors including the builtin ones \({\mathsf {bool}},{\mathsf {ind}},\rightarrow \).

a function \({{\textsf {arOf}}}: K \rightarrow \mathbb {N}\) assigning an arity to each type constructor.

a set \({{\textsf {Const}}}\) of constants, including the builtin ones \(\longrightarrow \), \(=\), \({{\varepsilon }}\), \({{\mathsf {zero}}}\) and \({{\mathsf {suc}}}\).
Above, we highlight the only difference from the HOL types and terms: the comprehension types, whose presence makes the ctypes and cterms mutually recursive. Indeed, Open image in new window contains the term t, whereas a typed variable \(x_\sigma \) and a constant instance \(c_\sigma \) contain the type \(\sigma \). We think of a comprehension type Open image in new window with \(t : \sigma \rightarrow {\mathsf {bool}}\) as representing a set of elements which in standard mathematical notation would be written \(\{x : \sigma \mid t\;x\}\), that is, the set of all elements of \(\sigma \) satisfying t. \(\mathsf {{Var}}\) denotes the set of (typed) variables, \(x_\sigma \). \(\mathsf {{CType}}\) and \({{\textsf {CTerm}}}\) denotes the sets of ctypes and cterms.
We let \(\mathsf {{CType}}_w\) and \({{\textsf {CTerm}}}_w\) be the sets of wellformed ctypes and welltyped cterms. Also, we let \(\mathsf {{Var}}_w\) be the set of variables \(x_\sigma \) that are welltyped as cterms, i.e., have their ctype \(\sigma \) wellformed.
The notions of type substitution, a type or a constant instance being an instance of (\(\le \)) or being orthogonal with (\(\#\)) another type or constant instance, are defined similarly to those for HOL. Note that a type Open image in new window is unrelated to another type Open image in new window even when the extent of the predicate \(t'\) includes that of t. This is because HOLC, like HOL (and unlike, e.g., PVS [39]), has no subtyping—instead, traveling between smaller and larger types is achieved via embeddingprojection pairs.
Since in HOLC types may contain terms, we naturally lift term concepts to types. Thus, the free (cterm) variables of a ctype \(\sigma \), written \({{\textsf {FV}}}(\sigma \)), are all the free variables occurring in the cterms contained in \(\sigma \). A type is called closed if it has no free variables.
A Note on Declaration Circularity. In HOLC we allow \({{\mathsf {tpOf}}}\) to produce declaration cycles—for example, the type of a constant may contain instances of that constant, as in Open image in new window . However, the typing system will ensure that no such cyclic entity will be welltyped. For example, to type an instance \(c_\sigma \), we need to apply the rule (Const), requiring that Open image in new window be wellformed. For the latter, we need the rule (W\(_3\)), requiring that \(c_{\mathsf {bool}}\) be welltyped. Finally, to type \(c_{\mathsf {bool}}\), we again need the rule (Const), requiring that Open image in new window be wellformed. So \(c_\sigma \) can never be typed. It may seem strange to allow constant declarations whose instances cannot be typed (hence cannot belong to welltyped terms and wellformed types)—however, this is harmless, since HOLC deduction only deals with welltyped and wellformed items. Moreover, all the constants translated from HOL will be shown to be welltyped.
This axiom is nothing but a generalization of the HOL type definition \(\tau \equiv t\), taking advantage of the fact that in HOLC we have a way to write the expression defining \(\tau \) as the type Open image in new window . Note that \(\alpha \) is a type variable standing for an arbitrary type, previously denoted by \(\sigma \). Thus, HOLC allows us to express what in HOL used to be a schema (i.e., an infinite set of formulas, one for each type \(\sigma \)) by a single axiom.
3.2 Consistency of HOLC
In a nutshell, HOLC is consistent for a similar reason that HOL (without definitions) is consistent: the types have a straightforward settheoretic interpretation and the deduction rules are manifestly sound w.r.t. this interpretation. Similar logics, employing mutual dependency between types and terms, have been shown to be consistent for the foundations of Coq [6] and PVS [39].
Compared to these logics, the only twist of HOLC is that all types have to be nonempty. Indeed, HOLC inherits from HOL the polymorphic Hilbert choice operator, \({{\varepsilon }}: (\alpha \rightarrow {\mathsf {bool}}) \rightarrow \alpha \), which immediately forces all types to be inhabited, e.g., by \({{\varepsilon }}\;(\lambda x_\sigma .\;\mathsf {{True}})\).
From a technical point of view, this nonemptiness requirement is easy to satisfy. The only types that are threatened by emptiness are the comprehension types Open image in new window . We will interpret them according to their expected semantics, namely, as the subset of \(\sigma \) for which t holds, only if this subset turns out to be nonempty; otherwise we will interpret them as a fixed singleton set \(\{*\}\). This is consistent with the HOLC comprehension axiom, Open image in new window , which only requires that Open image in new window have the expected semantics if \(\exists x_\alpha .\,t\,x\) holds. Notice how the Makarius Wenzel trick of introducing type definitions as conditional statements in Isabelle/HOL (recalled on page 7), which has inspired a similar condition for Open image in new window , turns out to be very useful in our journey. Of all the HOLbased provers, this “trick” is only used by Isabelle/HOL, as if anticipating the need for a more involved argument for consistency.

a twoelement set \(\mathbb {B}= \{ \mathsf {{false}}, \mathsf {{true}}\} \in \mathcal {U}\)

a singleton set \(\{*\} \in \mathcal {U}\)

for each \(k \in K\), a function \(\fbox {k} : \mathcal {U}^{{{\textsf {arOf}}}(k)} \rightarrow \mathcal {U}\)

a global choice function, \({{\mathsf {choice}}}\), that assigns to each nonempty set \(A \in \mathcal {U}\) an element \({{\mathsf {choice}}}(A) \in A\).

the set \({{\textsf {Compat}}}(u)\), of compatible valuation functions \(\xi : {{\textsf {TV}}}(u) \,\cup \, {{\textsf {FV}}}(u) \rightarrow \mathcal {U}\)

the interpretation \([u] : {{\textsf {Compat}}}(u) \rightarrow \mathcal {U}\)
For each u, assuming [v] has been defined for all structurally smaller \(v \in \mathsf {{CType}}_w \,\cup \, {{\textsf {CTerm}}}_w\), we take \({{\textsf {Compat}}}(u)\) to consist of all functions \(\xi : {{\textsf {TV}}}(u) \,\cup \, {{\textsf {FV}}}(u) \rightarrow \mathcal {U}\) such that Open image in new window for all \(x_\sigma \in {{\textsf {FV}}}(u)\). (Here, Open image in new window denotes the restriction of \(\xi \) to the indicated set, which is clearly included in \(\xi \)’s domain, since \({{\textsf {TV}}}(\sigma ) \subseteq {{\textsf {TV}}}(u)\) and \({{\textsf {FV}}}(\sigma ) \subseteq {{\textsf {FV}}}(u)\).)
We say that a formula \(\varphi \) is true under the valuation \(\xi \in {{\textsf {Compat}}}(\varphi )\) if \([\varphi ](\xi ) = \mathsf {{true}}\). We say that \(\varphi \) is (unconditionally) true if it is true under all \(\xi \in {{\textsf {Compat}}}(\varphi )\). Given a context \(\varGamma \) and a formula \(\varphi \), we write \(\varGamma \models \varphi \) to mean that \(\bigwedge \varGamma \longrightarrow \varphi \) is true, where \(\bigwedge \varGamma \) is the conjunction of all formulas in \(\varGamma \).
Theorem 3
HOLC is consistent, in that \(\emptyset \not \Vdash {\mathsf {{False}}}\).
Proof
3.3 Translation of Isabelle/HOL to HOLC
We fix a HOL signature \(\varSigma = (K,{{\textsf {arOf}}},{{\textsf {Const}}},{{\mathsf {tpOf}}})\) and an Isabelle/HOL wellformed definitional theory D over \(\varSigma \). We will produce a translation of the types and welltyped terms of \(\varSigma \) into wellformed ctypes and welltyped cterms of the HOLC signature \(\varSigma _D = (K,{{\textsf {arOf}}},{{\textsf {Const}}},{{\mathsf {tpOf}}}_D)\) (having the same type constructors and constants as \(\varSigma \)). The typing function \({{\mathsf {tpOf}}}_D : {{\textsf {Const}}}\rightarrow \mathsf {{CType}}\) will be defined later. For \(\varSigma _D\), we use all the notations from Sect. 3.1—we write \(\mathsf {{CType}}\) and \({{\textsf {CTerm}}}\) for the sets of cterms and ctypes, etc.
The translation will consist of two homonymous “normal form” functions Open image in new window and Open image in new window . However, since we have not yet defined \({{\mathsf {tpOf}}}_D\), the sets \(\mathsf {{CType}}_w\) and \({{\textsf {CTerm}}}_w\) (of wellformed ctypes and welltyped cterms) are not yet defined either. To bootstrap the definitions, we first define Open image in new window and Open image in new window , then define \({{\mathsf {tpOf}}}_D\), and finally show that the images of the Open image in new window functions are included in \(\mathsf {{CType}}_w\) and \({{\textsf {CTerm}}}_w\).
Example 4
It is immediate to see that Open image in new window captures the recursive calls of Open image in new window : the structural calls via Open image in new window and the unfolding calls via \({\equiv ^{\downarrow }}\). So the welldefinedness of Open image in new window is reduced to the termination of Open image in new window .
Lemma 5
The relation Open image in new window is terminating (hence the functions Open image in new window are welldefined).
Proof
We shall use the following crucial fact, which follows by induction using the definitions of Open image in new window and \(\rightsquigarrow ^{\downarrow }\): If \(u, v \in \mathsf {{Type}}^\bullet \cup {{\textsf {CInst}}}^\bullet \) and Open image in new window . (*)
Let us assume, for a contradiction, that Open image in new window does not terminate. Then there exists an infinite sequence \((w_i)_{i \in \mathbb {N}}\) such that Open image in new window for all i. Since Open image in new window is defined as Open image in new window and Open image in new window clearly terminates, there must exist an infinite subsequence \((w_{i_j})_{j \in \mathbb {N}}\) such that Open image in new window for all j. Since from the definition of \(\equiv \) we have \(w_{i_j} \in \mathsf {{Type}}^\bullet \cup {{\textsf {CInst}}}^\bullet \), we obtain from (*) that \(w_{i_j} \rightsquigarrow ^{\downarrow }w_{i_{j+1}}\) for all j. This contradicts the termination of \(\rightsquigarrow ^{\downarrow }\). \(\square \)
With Open image in new window in place, we can define the missing piece of the target HOLC signature: we take \({{\mathsf {tpOf}}}_D\) to be the normalized version of \({{\mathsf {tpOf}}}\), i.e. Open image in new window .
Lemma 6

Open image in new window is wellformed in HOLC.

If \(t : \tau \), then Open image in new window .
Our main theorem about the translation will be its soundness:
Theorem 7
If \(D;\emptyset \vdash \varphi \) in HOL, then Open image in new window in HOLC.
Let us focus on proving this theorem. If we define Open image in new window as Open image in new window , the proof that \(D;\varGamma \vdash \varphi \) implies Open image in new window should proceed by induction on the definition of \(D;\varGamma \vdash \varphi \). Due to the similarity of \(\vdash \) and \(\Vdash \), most of the cases go smoothly.
For the HOL rule \(\textsc {(Beta)}\), we need to prove Open image in new window , that is, Open image in new window . Hence, in order to conclude the proof for this case using the HOLC rule \(\textsc {(Beta)}\), we need that Open image in new window commutes with term substitution—this is not hard to show, since substituting terms for variables does not influence the matching of definitions, i.e., the behavior of Open image in new window :
Lemma 8
(where \(\rho \) is a type substitution). Note the difference between \({\textsc {(Fact}\hbox {}\textsc {T}\hbox {}\textsc {Inst)}}\) and the combination of \(\textsc {(Fact)}\) and \({\textsc {(T}\hbox {}\textsc {Inst)}}\): in the former, only axioms and elements of D are allowed to be typeinstantiated, whereas in the latter instantiation can occur at any moment in the proof. It is immediate to see that \(\vdash \) is at least as powerful as \(\vdash '\), since \({\textsc {(Fact}\hbox {}\textsc {T}\hbox {}\textsc {Inst)}}\) can be simulated by \(\textsc {(Fact)}\) and \({\textsc {(T}\hbox {}\textsc {Inst)}}\). Conversely, it is routine to show that \(\vdash '\) is closed under type substitution, and a fortiori under \({\textsc {(T}\hbox {}\textsc {Inst)}}\); and \({\textsc {(Fact}\hbox {}\textsc {T}\hbox {}\textsc {Inst)}}\) is stronger than \(\textsc {(Fact)}\).
Using \(\vdash '\) instead of \(\vdash \), we can prove Theorem 7. All the cases that were easy with \(\vdash \) are also easy with \(\vdash '\). In addition, for the case \({\textsc {(Fact}\hbox {}\textsc {T}\hbox {}\textsc {Inst)}}\) where one infers \(D;\varGamma \vdash \rho (\varphi )\) with \(\varphi \in \mathsf {Ax}\), we need a less general lemma than commutation of Open image in new window in an arbitrary term. Namely, noticing that the HOL axioms do not contain nonbuiltin constants or types, we need the following lemma, which can be proved by routine induction over t:
Lemma 9
Now, assume \({\textsc {(Fact}\hbox {}\textsc {T}\hbox {}\textsc {Inst)}}\) is being used to derive \(D;\varGamma \vdash ' \overline{\rho }(\varphi )\) for \(\varphi \in \mathsf {Ax}\). We need to prove Open image in new window , that is, Open image in new window . But this follows from n applications of the (TInst) rule (in HOLC), where n is the size of Open image in new window ’s support (as any finitesupport simultaneous substitution can be reduced to a sequence of unary substitutions).

If u is a constant instance \(c_\sigma \), then by the definition of Open image in new window we have Open image in new window . But then Open image in new window , that is, Open image in new window , follows from \(\textsc {(Fact)}\) applied with the reflexivity axiom.

If u is a type \(\sigma \) and \(t : \tau \rightarrow {\mathsf {bool}}\), then \(\overline{\rho }(\varphi )\) is \(\overline{\rho }(\sigma ) \equiv ^{\downarrow }\overline{\rho (t)}\). In other words, \(\overline{\rho }(\varphi )\) has the format of a HOL type definition, just like \(\varphi \). Hence, Open image in new window is seen to be an instance of Open image in new window , namely, Open image in new window together with Open image in new window substituted for the first quantifier. Hence Open image in new window follows from \(\textsc {(Fact)}\) applied with Open image in new window , followed by \(\forall \)instantiation (the latter being the standardly derived rule for \(\forall \)).
In summary, our HOLC translation of overloading emulates overloading itself in that it treats the defined constant instances \(c_\tau \) as being disconnected from their “mother” instances \(c_{{{\mathsf {tpOf}}}(c)}\). The translation is sound thanks to the fact that the considered theory has no axioms about these constants besides the overloaded definitions. This sound translation immediately allows us to reach our overall goal:
Proof of Theorem 1
(Consistency of Isabelle/HOL). By contradiction. Let \(D;\emptyset \vdash {\mathsf {{False}}}\). Then by Theorem 7, we obtain Open image in new window and since Open image in new window , we derive contradiction with Theorem 3. \(\square \)
4 Application: Logical Extensions
We introduced HOLC as an auxiliary for proving the consistency of Isabelle/HOL’s logic. However, a natural question that arises is whether HOLC would be itself a practically useful extension. We cannot answer this question yet, beyond noting that it would be a significant implementation effort due to the need to reorganize types as mutually dependent with terms. Over the years, some other proposals to go beyond HOL arose. For example, an interesting early proposal by Melham to extend the terms with explicit type quantifiers [34] was never implemented. Homeier’s HOL\(_\omega \) [22], an implemented and currently maintained extension of HOL with firstclass type constructors, is another example.
A strong argument for using HOL in theorem proving is that it constitutes a sweet spot between expressiveness and simplicity. The expressiveness part of the claim is debatable—and has been challenged, as shown by the above examples, as well as by Isabelle/HOL itself which extends HOL in a nontrivial way. In our recent work we joined the debate club and advocated a new sweet spot for HOL (and for Isabelle/HOL, respectively) [30] by introducing local type definitions and an unoverloading rule expressing parametricity. HOLC plays a special role in this proposal because we use it to prove the extensions’ consistency.
In the following, we first introduce and motivate the extensions (Sect. 4.1), and then discuss how we applied HOLC to justify their consistency and why our previous ground semantic [29] is not suitable for this job (Sect. 4.2).
4.1 Two Extensions for Traveling from Types to Sets
Thus, (UO) tells us that if a constant c was not overloaded for \(\sigma \) (or a more general type), the meaning of the constant instance \(c_\sigma \) is unrestricted, i.e., it behaves as a free term variable of the same type. That is to say, the truth of a theorem \(\varphi \) containing \(c_\sigma \) cannot depend on the definition of \(c_\tau \) for some \(\tau < \sigma \). In summary, (UO) imposes a certain notion of parametricity, which is willing to cohabitate with ad hoc overloading.
The extensions have already been picked up by Isabelle/HOL power users for translating between different representations of matrices [12, 13], for implementing a certified and efficient algorithm for factorization [11], and for tightly integrating invariants in proof rules for a probabilistic programming language [33].
4.2 Consistency of the Extensions
We will fist show that HOL + (LT) is consistent by showing (LT) to be admissible in HOLC (as a straightforward consequence of Open image in new window ).
Theorem 10
The inference system consisting of the deduction rules of Isabelle/HOL and the (LT) rule is consistent (in that it cannot prove \({\mathsf {{False}}}\)).
In contrast to (LT), we could not use the ground semantics for the consistency of (UO) and this is where HOLC shows its power.
Theorem 11
The inference system consisting of the deduction rules of Isabelle/HOL, the (LT) rule and the (UO) rule is consistent.
Proof sketch. We will first argue that HOLC + (UO) (without its sideconditions, since they do not make sense in HOLC) is still a consistent logic. This means, from \(\varphi [c_\sigma /x_\sigma ]\) we can derive \(\forall x_\sigma .\;\varphi \) in HOLC + (UO). W.l.o.g. let us assume that the interpretation of type constructors in the semantics of HOLC from Sect. 3.2 is nonoverlapping. Since HOLC does not contain any definitions, we interpret \(c_\sigma \) arbitrarily (as long as the value belongs to the interpretation of \(\sigma \)) in the model construction for HOLC. That is to say, the proof of consistency does not rely on the actual value of \(c_\sigma \)’s interpretation, hence we can replace \(c_\sigma \) by a term variable \(x_\sigma \). Therefore the formula \(\varphi \) must be fulfilled for every evaluation of \(x_\sigma \).
The second step is to show that Open image in new window is a sound embedding of Isabelle/HOL + (LT) + (UO) into HOLC + (UO). Since we have shown that the translation of (LT) is admissible in HOLC, we only need to focus on (UO). The first side condition of (UO) guarantees that unfolding by Open image in new window does not introduce any new \(c_\sigma \) and the second one guarantees that Open image in new window does not unfold any \(c_\sigma \). Therefore the substitution \([c_\sigma /x_\sigma ]\) commutes with Open image in new window , i.e., Open image in new window . \(\square \)
The reason we could not use the ground semantics to prove Theorem 11 is because the semantics is too coarse to align with the meaning of (UO): that the truth of a theorem \(\varphi \) stating a property of \(c_\sigma \) cannot depend on the fact that a proper instance of \(c_\sigma \), say, \(c_\tau \) for \(\tau < \sigma \), was already overloaded, say, by a definition \(c_\tau \equiv t\). In semantic terms, this means that the interpretation of \(c_\sigma \) cannot depend on the interpretation of \(c_\tau \). Recall that in the ground semantics we considered a polymorphic HOL formula \(\varphi \) to be true just in case all its ground type instances are true. (See also the discussion on page 9.) This definition of truth cannot validate (UO). To see this, let us assume that \(\varphi \) is polymorphic only in \(\alpha \) and \(\tau \) is ground. We want to assume the truth of \(\varphi [\sigma /\alpha ][c_\sigma /x_\sigma ]\) and infer the truth of Open image in new window . In particular, since Open image in new window is a ground instance of the latter, we would need to infer that Open image in new window is true, and in particular that \(\varphi [\tau /\alpha ][c_\tau /x_\tau ]\) is true. But this is impossible, since the interpretation of \(c_\tau \) in \(\varphi [\tau /\alpha ][c_\tau /x_\tau ]\) is fixed and dictated by the definitional theorem \(c_\tau \equiv t\).
5 Conclusions and Related Work
It took the Isabelle/HOL community almost twenty years to reach a definitional mechanism that is consistent by construction, w.r.t. both types and constants.^{7} This paper, which presents a clean syntactic argument for consistency, is a culmination of previous efforts by Wenzel [48], Obua [38], ourselves [27, 29], and many other Isabelle designers and developers.
The key ingredients of our proof are a typeinstantiation restricted version of HOL deduction and HOLC, an extension of HOL with comprehension types. HOLC is similar to a restriction of Coq’s Calculus of Inductive Constructions (CiC) [8], where: (a) proof irrelevance and excluded middle axioms are enabled; (b) polymorphism is restricted to rank 1; (c) the formation of (truly) dependent product types is suppressed. However, unlike CiC, HOLC stays faithful to the HOL tradition of avoiding empty types. HOLC also bears some similarities to HOL with predicate subtyping [43] as featured by PVS [44]. Yet, HOLC does not have real subtyping: from \(t : \sigma \rightarrow {\mathsf {bool}}\) and Open image in new window we cannot infer Open image in new window . Instead, HOLC retains HOL’s separation between a type defined by comprehension and the original type: the former is not included, but merely embedded in the latter. Comprehension types are also known in the programming language literature as refinement types [16].
Wiedijk defines stateless HOL [49], a version of HOL where types and terms carry definitions in their syntax. Kumar et al. [25] define a translation from standard (stateful) HOL with definitions to stateless HOL, on the way of proving the consistency of both. Their translation is similar to our HOL to HOLC translation, in that it internalizes HOL definitions as part of “stateless” formulas in a richer logic.
Although a crucial property, consistency is nevertheless rather weak. One should legitimately expect definitions to enjoy a much stronger property: that they can be compiled away without affecting provability not in a richer logic (like HOLC), but in HOL itself. Wenzel calls this property “metasafety” and proves it for Isabelle/HOL constant definitions [48]. In particular, metasafety yields prooftheoretic conservativity, itself stronger than consistency: if a formula that contains no defined item is deducible from a definitional theory, then it is deducible in the core (definitionfree) logic. Metasafety and conservativity for arbitrary definitional theories (factoring in not only constant, but also type definitions) are important metatheoretic problems, which seem to be open not only for Isabelle/HOL, but also for standard HOL [2]. We leave them as future work.
Footnotes
 1.
There are other specification schemes supported by some HOL provers, allowing for more abstract (under)specification of constants—but these schemes are known to be captured or overapproximated by the standard (equational) definition scheme [5].
 2.
To improve readability, in the examples we use a simplified Isabelle syntax. To run these examples in Isabelle, one must enclose in overloading blocks the overloaded definitions of constants and add the overloaded attribute to type definitions that depend on overloaded constants; in addition, one must provide nonemptiness proofs for type definitions [47, Sect. 11(3,7)]. Note also that Isabelle uses \(\Rightarrow \) instead of \(\rightarrow \) for function types and : : instead of : for typing.
 3.
Isabelle/HOL implements a typeclass infrastructure allowing fine control over such instantiations. In this case, \(\alpha \) is assumed to be of type class \({{\mathsf {zero}}}\); then \({\mathsf {real}}\), \(\alpha \;{\mathsf {list}}\) etc. are registered as members of \({{\mathsf {zero}}}\) as soon as 0 is defined for them. Polymorphic properties can also be associated to type classes, and need to be verified upon instantiation. Type classes do not require any logical extension, but are representable as predicates inside the logic—[48, Sect. 5] explains the mechanism in detail.
 4.
The philosophical dispute about foundations is far from having come to an end [4], and unfortunately tends to obscure what should be a welldefined mathematical problem: the consistency of the Isabelle/HOL logical system (which is of course not the same as the overall reliability of the Isabelle/HOL implementation).
 5.
Isabelle/HOL is a complex software system, allowing interaction at multiple levels, including by the insertion of ML code. What we care about here is of course an abstract notion of an Isabelle/HOL development—employing the logical mechanisms alone.
 6.
Reynolds’s result of course refers to (higherrank) parametric polymorphism.
 7.
Isabelle is by no means the only prover with longstanding foundational issues [29, Sect. 1].
Notes
Acknowledgments
We thank Tobias Nipkow, Larry Paulson, Makarius Wenzel, and the members of the Isabelle mailing list for inspiring and occasionally intriguing opinions and suggestions concerning the foundations of Isabelle/HOL. We also thank the reviewers for suggestions on how to improve the presentation and for indicating related work. Kunčar is supported by the German Research Foundation (DFG) grant “Security Type Systems and Deduction” (Ni 491/133) in the priority program “RS\(^3\) – Reliably Secure Software Systems” (SPP 1496). Popescu is supported by the UK Engineering and Physical Sciences Research Council (EPSRC) starting grant “VOWS – Verification of Webbased Systems” (EP/N019547/1).
References
 1.Isabelle Foundation & Certification (2015). https://lists.cam.ac.uk/pipermail/clisabelleusers/2015September/thread.html
 2.Conservativity of HOL constant and type definitions (2016). https://sourceforge.net/p/hol/mailman/message/35448054/
 3.The HOL system logic (2016). https://sourceforge.net/projects/hol/files/hol/kananaskis10/kananaskis10logic.pdf
 4.Type definitions in Isabelle; article “A Consistent Foundation for Isabelle/HOL” by Kunčar/Popescu (2016). https://lists.cam.ac.uk/pipermail/clisabelleusers/2016August/thread.html
 5.Arthan, R.: On definitions of constants and types in HOL. J. Autom. Reason. 56(3), 205–219 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
 6.Barras, B.: Sets in Coq, Coq in sets. J. Formal. Reason. 3(1), 29–48 (2010)MathSciNetzbMATHGoogle Scholar
 7.Berghofer, S., Wenzel, M.: Inductive datatypes in HOL – lessons learned in formallogic engineering. In: Bertot, Y., Dowek, G., Théry, L., Hirschowitz, A., Paulin, C. (eds.) TPHOLs 1999. LNCS, vol. 1690, pp. 19–36. Springer, Heidelberg (1999). doi: 10.1007/3540482563_3 CrossRefGoogle Scholar
 8.Bertot, Y., Casteran, P.: Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Springer, Heidelberg (2004)CrossRefzbMATHGoogle Scholar
 9.Blanchette, J.C., Popescu, A., Traytel, D.: Foundational extensible corecursion. In: ICFP 2015. ACM (2015)Google Scholar
 10.Bulwahn, L., Krauss, A., Haftmann, F., Erkök, L., Matthews, J.: Imperative functional programming with Isabelle/HOL. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs 2008. LNCS, vol. 5170, pp. 134–149. Springer, Heidelberg (2008). doi: 10.1007/9783540710677_14 CrossRefGoogle Scholar
 11.Divasón, J., Joosten, S., Thiemann, R., Yamada, A.: A formalization of the BerlekampZassenhaus factorization algorithm. In: CPP, pp. 17–29 (2017)Google Scholar
 12.Divasón, J., Kunčar, O., Thiemann, R., Yamada, A.: Certifying exact complexity bounds for matrix interpretations. In: LCC (2016)Google Scholar
 13.Divasón, J., Kunčar, O., Thiemann, R., Yamada, A.: PerronFrobenius theorem for spectral radius analysis. Archive of Formal Proofs (2016). https://www.isaafp.org/entries/Perron_Frobenius.shtml
 14.Esparza, J., Lammich, P., Neumann, R., Nipkow, T., Schimpf, A., Smaus, J.G.: A fully verified executable LTL model checker. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 463–478. Springer, Heidelberg (2013). doi: 10.1007/9783642397998_31 CrossRefGoogle Scholar
 15.Fallenstein, B., Kumar, R.: Proofproducing reflection for HOL  with an application to model polymorphism. In: ITP, pp. 170–186 (2015)Google Scholar
 16.Freeman, T., Pfenning, F.: Refinement types for ML. In: PLDI, pp. 268–277 (1991)Google Scholar
 17.Geuvers, H.: Proof assistants: history, ideas and future. Sadhana 34(1), 3–25 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
 18.Gordon, M.J.C., Melham, T.F. (eds.): Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press, Cambridge (1993)zbMATHGoogle Scholar
 19.Haftmann, F., Nipkow, T.: Code generation via higherorder rewrite systems. In: Blume, M., Kobayashi, N., Vidal, G. (eds.) FLOPS 2010. LNCS, vol. 6009, pp. 103–117. Springer, Heidelberg (2010). doi: 10.1007/9783642122514_9 CrossRefGoogle Scholar
 20.Harrison, J.: HOL Light: an overview. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 60–66. Springer, Heidelberg (2009). doi: 10.1007/9783642033599_4 CrossRefGoogle Scholar
 21.Holger Blasum, O.H., Tverdyshev, S.: Euromils: secure European virtualisation for trustworthy applications in critical domains  formal methods used. www.euromils.eu/downloads/Deliverables/Y2/2015EMUsedFormalMethodsWhitePaperOctober2015.pdf
 22.Homeier, P.V.: The HOLOmega logic. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 244–259. Springer, Heidelberg (2009). doi: 10.1007/9783642033599_18 CrossRefGoogle Scholar
 23.Kanav, S., Lammich, P., Popescu, A.: A conference management system with verified document confidentiality. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 167–183. Springer, Heidelberg (2014). doi: 10.1007/9783319088679_11 Google Scholar
 24.Klein, G., Andronick, J., Elphinstone, K., Heiser, G., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an operatingsystem kernel. Commun. ACM 53(6), 107–115 (2010)CrossRefGoogle Scholar
 25.Kumar, R., Arthan, R., Myreen, M.O., Owens, S.: HOL with definitions: semantics, soundness, and a verified implementation. In: Klein, G., Gamboa, R. (eds.) ITP 2014. LNCS, vol. 8558, pp. 308–324. Springer, Heidelberg (2014). doi: 10.1007/9783319089706_20 Google Scholar
 26.Kunčar, O.: Types, abstraction and parametric polymorphism in higherorder logic. Ph.D. thesis, Fakultät für Informatik, Technische Universität München (2016). http://www21.in.tum.de/~kuncar/documents/kuncarphdthesis.pdf
 27.Kunčar, O.: Correctness of Isabelle’s cyclicity checker: implementability of overloading in proof assistants. In: CPP, pp. 85–94 (2015)Google Scholar
 28.Kunčar, O., Popescu, A.: A Consistent Foundation for Isabelle/HOL  Extended Version. http://www21.in.tum.de/~kuncar/kuncarpopescuisacons2016.pdf
 29.Kunčar, O., Popescu, A.: A consistent foundation for Isabelle/HOL. In: Urban, C., Zhang, X. (eds.) ITP 2015. LNCS, vol. 9236, pp. 234–252. Springer, Heidelberg (2015). doi: 10.1007/9783319221021_16 Google Scholar
 30.Kunčar, O., Popescu, A.: From types to sets by local type definitions in higherorder logic. In: Blanchette, J.C., Merz, S. (eds.) ITP 2016. LNCS, vol. 9807, pp. 200–218. Springer, Heidelberg (2016). doi: 10.1007/9783319431444_13 CrossRefGoogle Scholar
 31.Kunčar, O., Popescu, A.: Comprehending Isabelle/HOL’s consistency. Technical report (2017). http://andreipopescu.uk/pdf/compr_IsabelleHOL_cons_TR.pdf
 32.Lochbihler, A.: Verifying a compiler for Java threads. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 427–447. Springer, Heidelberg (2010). doi: 10.1007/9783642119576_23 CrossRefGoogle Scholar
 33.Lochbihler, A.: Probabilistic functions and cryptographic oracles in higher order logic. In: Thiemann, P. (ed.) ESOP 2016. LNCS, vol. 9632, pp. 503–531. Springer, Heidelberg (2016). doi: 10.1007/9783662494981_20 CrossRefGoogle Scholar
 34.Melham, T.F.: The HOL logic extended with quantification over type variables. In: TPHOLs, pp. 3–17 (1992)Google Scholar
 35.Nipkow, T., Paulson, L., Wenzel, M.: Isabelle/HOL  A Proof Assistant for HigherOrder Logic. LNCS, vol. 2283. Springer, Heidelberg (2002)zbMATHGoogle Scholar
 36.Nipkow, T., Klein, G.: Concrete Semantics  With Isabelle/HOL. Springer, Heidelberg (2014)zbMATHGoogle Scholar
 37.Nipkow, T., Snelting, G.: Type classes and overloading resolution via ordersorted unification. In: Hughes, J. (ed.) FPCA 1991. LNCS, vol. 523, pp. 1–14. Springer, Heidelberg (1991). doi: 10.1007/3540543961_1 CrossRefGoogle Scholar
 38.Obua, S.: Checking conservativity of overloaded definitions in higherorder logic. In: Pfenning, F. (ed.) RTA 2006. LNCS, vol. 4098, pp. 212–226. Springer, Heidelberg (2006). doi: 10.1007/11805618_16 CrossRefGoogle Scholar
 39.Owre, S., Shankar, N.: The formal semantics of PVS, SRI Technical report, March 1999. http://www.csl.sri.com/papers/csl972/
 40.Paulson, L.: Personal communication (2014)Google Scholar
 41.Pitts, A.: The HOL logic. In: Introduction to HOL: A Theorem Proving Environment for Higher Order Logic, pp. 191–232 (1993). Gordon and Melham [18]Google Scholar
 42.Reynolds, J.C.: Polymorphism is not settheoretic. In: Kahn, G., MacQueen, D.B., Plotkin, G. (eds.) SDT 1984. LNCS, vol. 173, pp. 145–156. Springer, Heidelberg (1984). doi: 10.1007/3540133461_7 CrossRefGoogle Scholar
 43.Rushby, J.M., Owre, S., Shankar, N.: Subtypes for specifications: predicate subtyping in PVS. IEEE Trans. Softw. Eng. 24(9), 709–720 (1998)CrossRefGoogle Scholar
 44.Shankar, N., Owre, S., Rushby, J.M.: PVS Tutorial. Computer Science Laboratory, SRI International, Menlo Park (1993)Google Scholar
 45.Traytel, D., Popescu, A., Blanchette, J.C.: Foundational, compositional (co)datatypes for higherorder logic: category theory applied to theorem proving. In: LICS, pp. 596–605 (2012)Google Scholar
 46.Wadler, P., Blott, S.: How to make adhoc polymorphism less adhoc. In: POPL (1989)Google Scholar
 47.Wenzel, M.: The Isabelle/Isar reference manual (2016). http://isabelle.in.tum.de/doc/isarref.pdf
 48.Wenzel, M.: Type classes and overloading in higherorder logic. In: Gunter, E.L., Felty, A. (eds.) TPHOLs 1997. LNCS, vol. 1275, pp. 307–322. Springer, Heidelberg (1997). doi: 10.1007/BFb0028402 CrossRefGoogle Scholar
 49.Wiedijk, F.: Stateless HOL. In: TYPES, pp. 47–61 (2009)Google Scholar