Logics and Type Systems

Logics and Type Systems

A scientific essay in the field of mathematics and computer science. Doctoral thesis to obtain the degree of doctor at the Katholieke Universiteit Nijmegen, by decision of the College of Deans, to be defended in public on Tuesday September, in the afternoon at o'clock precisely, by Jan Herman Geuvers, born May in Deventer.

Printed by Universiteitsdrukkerij Nijmegen.
Supervisor: Prof. dr. H.P. Barendregt.

Logics and Type Systems, Herman Geuvers. Cover design: Jean Bernard Koeman.

CIP data, Koninklijke Bibliotheek, Den Haag:
Geuvers, Jan Herman. Logics and type systems / Jan Herman Geuvers. [S.l.: s.n.] (Nijmegen: Universiteitsdrukkerij Nijmegen). Thesis, Nijmegen. With bibliography and index. ISBN. Subject heading: logic for computer science.

Contents

Introduction
Natural Deduction Systems of Logic
  Introduction
  The Logics
  Extensionality
  Some useful variants of the systems
  Some easy conservativity results
  Conservativity between the logics
  Truth table semantics for classical propositional logics
  Algebraic semantics for intuitionistic propositional logics
  Kripke semantics for intuitionistic propositional logics
Formulas-as-types
  Introduction
  The formulas-as-types notion à la Howard
  Completeness of the embedding
  Comparison with other embeddings
  Reduction of derivations and extensions to higher orders
  The formulas-as-types notion à la de Bruijn
Pure Type Systems
  Introduction
  Definitions
  Examples of Pure Type Systems and morphisms
  The cube of typed lambda calculi
  Logics as Pure Type Systems
  Morphisms between Pure Type Systems
  Inconsistent Pure Type Systems
  Meta theory of Pure Type Systems
  Specifying the notions to be studied
  Analyzing equality on the pseudoterms
  A list of properties for Pure Type Systems
  CR for
  Introduction
  The proof of CR for normalizing systems
  Discussion
The Calculus of Constructions
  Introduction
  The cube of typed lambda calculi and the logic cube
  Some more metatheory for CC
  Intuitions behind the Calculus of Constructions
  Formulas-as-types of logics into the cube
  The formulas-as-types embedding into CC
  The formulas-as-types embedding into subsystems of CC
  Conservativity relations inside the cube
  Consistency of contexts of CC
  Formulas about datatypes in CC
SN for in CC
  Introduction
  Metatheory for CC with conversion
  The proof of SN for in CC
  Obtaining SN for CC from SN for F
  Strong Normalization for reduction in F
  Discussion
  Confluence and Normalization
  Semantical version of the systems

Acknowledgements

First of all I would like to thank my supervisor Henk Barendregt, not only for creating a stimulating research environment during the last four and a half years, but also for letting me find my own way in the jungle of interesting subjects of research. But maybe most of all I should thank him for sharing his knowledge with me. I am also very grateful to all those other researchers that I have been able to talk to and to listen to. Especially the contact with (in reverse alphabetical order) Benjamin Werner, Marco Swaen, Thomas Streicher, Randy Pollack, Christine Paulin, Mark-Jan Nederhof, James McKinna, Zhaohui Luo, Bart Jacobs, Philippa Gardner, Gilles Dowek, Thierry Coquand, Stefano Berardi, Bert van Benthem Jutting, Erik Barendsen and Thorsten Altenkirch has been both very pleasant and very fruitful. In an earlier stage the contact with Wim Veldman has been very important: his lectures have guided me into the field of logic and have stimulated my interest in foundational issues. In particular with respect to the contents of this thesis I would furthermore like to thank the manuscript committee, consisting of Rob Nederpelt, Jan-Willem Klop and Thierry Coquand, for their judgement. Special thanks to Rob Nederpelt for his detailed comments on part of an earlier version of this work and to James McKinna for his valuable comments on English, contents and typos. Erik Barendsen deserves a very special thanks: without his knowledge of LaTeX and his willingness to always answer my technical questions this thesis would not be as it is now.

A pleasant working environment is very valuable and almost a necessary condition for a good result. I would therefore like to thank the people from our faculty that have made work pleasant, especially those from the research groups "foundations of computing science" and "parallelism and computational models". Last but not least I would like to thank Monique for her support during the ups and the downs of the work on this thesis.

Propositions

Define the mapping from full one-sorted first order predicate logic to higher order proposition logic as follows: x x Rt t Rt t n n x x x x. So for example xP x P x xP x P x. The x on the left is an object variable, the x on the right a propositional variable. Similarly, the R on the left is a relation symbol, the R on the right a higher order variable. In fact the range of the mapping is a very small extension of second order propositional logic. The mapping is sound but not complete.

There is no fixed point combinator in the Pure Type System U. (Thanks to Benjamin Werner.)

The system of higher order propositional logic PROP is a conservative extension of second order propositional logic PROP. The proof uses the fact that complete Heyting algebras constitute a sound and complete model for PROP.

If is a set of formulas and a formula of PROP such that PROP, with derivation , then it is in general not true that the normal form of (which is obtained by eliminating cuts) is a derivation of PROP. In typed lambda calculus this corresponds to the following two facts. Let be a context and be a type of . Then M nf(M) and M N N. Therefore it is not surprising that up to now there is no purely syntactical proof of the conservativity of PROP over PROP.

The restriction of the typed lambda calculus with recursive types to the calculus where one only allows abstractions over positive type schemes is not a real restriction: for every type of one can construct a type of such that . Hence all lambda terms can be given a type in .

The proof of Corollary in Barendregt is not complete: the part stating "M has a nf implies M has a nf" is indeed trivial, but it is not true that contractions do not create new redexes.

It is well-known that it is impossible to prove in the Calculus of Constructions. Here and are the polymorphic Church numerals. In the inconsistent systems U and U the statement is of course provable, but even with a proof in normal form.

Let N be the Pure Type System with conversion defined by S = {N}, A = {N : N}, R = {(N, N, N)}. If N satisfies the Church-Rosser property for reduction (CR), then all Pure Type Systems satisfy CR.

The relation with d t u if t t and u is a domain of t for some t d is in general not well-founded on the set of well-typed terms of a Pure Type System. (A domain of t is a term that appears in t as the type of an abstraction.) This causes a problem when trying to prove confluence of reduction in Pure Type Systems that are not normalizing.

Besides the difference in income, the most important difference between AIOs and the old-style research trainees at Dutch universities is that the first, on top of the tasks of the old-style research trainees, also have the duty to follow courses. The AIOs should not demand from the universities that they organise courses as compensation for the financial offer. Instead they should try to keep their duties in terms of courses they have to attend as low as possible.

The experience of having deep insight is not the same as having deep insight. The first can be attained by various means, the second only by serious study.

Chapter: Introduction

In this thesis we are concerned with systems of logic, systems of types and the relations between them. The systems of types should be understood here as systems of typed lambda calculus, so in fact this thesis takes up the study of the relation between typed lambda calculus and logic. This is not a new subject; a lot of research has been done, most of which is centered around the so-called formulas-as-types embedding from a logical system into a typed lambda calculus. This embedding will also be the main topic of this thesis. The first to describe the formulas-as-types embedding was Howard, who also introduced the terminology "formulas-as-types" (Howard). The manuscript of this paper goes back to and a lot of ideas behind the embedding go back even further, especially to Curry (see Curry and Feys), who was the first to note the close connection between minimal proposition logic and combinatory logic. The article of Howard
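A Pure Type System is fixed by a specification (S, A, R) of sorts, axioms and rules, as in the proposition above about the one-sorted system N with S = {N}, A = {N : N}, R = {(N, N, N)} and in the Pure Type Systems chapter of the Contents; under formulas-as-types, the type checker for such a system is the trusted kernel that decides whether a purported proof term is a proof. The following Python is an added example, not code from the thesis: a minimal PTS kernel parameterised by (S, A, R), using de Bruijn indices and β-conversion only (the thesis also treats η). It instantiates the cube systems λ→ and λ2 and the system N, and shows that the polymorphic identity is typable in λ2 but rejected in λ→ because the rule (□, *, *) is absent, while N types its own sort N. The term representation, the names LAMBDA_ARROW, LAMBDA_2, LAMBDA_N and POLY_ID, and the use of "*" and "[]" for the two cube sorts are all my own choices.

```python
"""Minimal Pure Type System kernel parameterised by (S, A, R).

Added illustration, not the thesis's own code. Terms are tuples with de Bruijn
indices; conversion is full beta-normalisation followed by structural equality.
Normalisation may loop on ill-typed or non-normalising terms (as in the
inconsistent one-sorted system), which is exactly why CR and SN matter.
"""


class PTSTypeError(Exception):
    pass


# Term constructors (constructed representation, not from the thesis).
def Sort(s): return ('sort', s)
def Var(i): return ('var', i)            # de Bruijn index, 0 = innermost binder
def App(f, a): return ('app', f, a)
def Lam(A, b): return ('lam', A, b)      # \x:A. b
def Pi(A, B): return ('pi', A, B)        # Pi x:A. B


def shift(t, d, c=0):
    """Add d to every free de Bruijn index >= c (c grows under binders)."""
    k = t[0]
    if k == 'sort':
        return t
    if k == 'var':
        return Var(t[1] + d) if t[1] >= c else t
    if k == 'app':
        return App(shift(t[1], d, c), shift(t[2], d, c))
    return (k, shift(t[1], d, c), shift(t[2], d, c + 1))


def subst(t, j, s):
    """Replace free variable j in t by s; s is re-shifted under each binder."""
    k = t[0]
    if k == 'sort':
        return t
    if k == 'var':
        return s if t[1] == j else t
    if k == 'app':
        return App(subst(t[1], j, s), subst(t[2], j, s))
    return (k, subst(t[1], j, s), subst(t[2], j + 1, shift(s, 1)))


def instantiate(body, arg):
    """beta step: body[0 := arg] with the binder removed."""
    return shift(subst(body, 0, shift(arg, 1)), -1)


def normalize(t):
    """Full beta-normal form."""
    k = t[0]
    if k in ('sort', 'var'):
        return t
    if k == 'app':
        f, a = normalize(t[1]), normalize(t[2])
        if f[0] == 'lam':
            return normalize(instantiate(f[2], a))
        return App(f, a)
    return (k, normalize(t[1]), normalize(t[2]))


def convertible(a, b):
    return normalize(a) == normalize(b)


class PTS:
    def __init__(self, sorts, axioms, rules):
        self.S, self.A, self.R = set(sorts), set(axioms), set(rules)

    def infer(self, t, ctx=()):
        """Type of t in context ctx (ctx[0] is the type of the innermost binder)."""
        k = t[0]
        if k == 'sort':                                  # axiom (s1 : s2) in A
            for s1, s2 in self.A:
                if s1 == t[1]:
                    return Sort(s2)
            raise PTSTypeError(f"sort {t[1]} has no type")
        if k == 'var':
            if t[1] >= len(ctx):
                raise PTSTypeError("unbound variable")
            return shift(ctx[t[1]], t[1] + 1)            # lift past the binders in between
        if k == 'pi':                                    # rule (s1, s2, s3) in R
            s1 = self._sort_of(t[1], ctx)
            s2 = self._sort_of(t[2], (t[1],) + ctx)
            for r1, r2, r3 in self.R:
                if (r1, r2) == (s1, s2):
                    return Sort(r3)
            raise PTSTypeError(f"no rule for ({s1}, {s2}, _)")
        if k == 'lam':
            self._sort_of(t[1], ctx)
            ty = Pi(t[1], self.infer(t[2], (t[1],) + ctx))
            self.infer(ty, ctx)                          # product must itself be well-formed
            return ty
        F = normalize(self.infer(t[1], ctx))             # application
        if F[0] != 'pi':
            raise PTSTypeError("applying a non-function")
        if not convertible(self.infer(t[2], ctx), F[1]):
            raise PTSTypeError("argument type mismatch")
        return instantiate(F[2], t[2])

    def _sort_of(self, A, ctx):
        s = normalize(self.infer(A, ctx))
        if s[0] != 'sort' or s[1] not in self.S:
            raise PTSTypeError("expected a sort")
        return s[1]

    def checks(self, t):
        try:
            self.infer(t)
            return True
        except PTSTypeError:
            return False


STAR, BOX = '*', '[]'
LAMBDA_ARROW = PTS({STAR, BOX}, {(STAR, BOX)}, {(STAR, STAR, STAR)})
LAMBDA_2 = PTS({STAR, BOX}, {(STAR, BOX)}, {(STAR, STAR, STAR), (BOX, STAR, STAR)})
LAMBDA_N = PTS({'N'}, {('N', 'N')}, {('N', 'N', 'N')})   # the one-sorted system N

POLY_ID = Lam(Sort(STAR), Lam(Var(0), Var(0)))            # \a:*. \x:a. x

if __name__ == "__main__":
    print("lambda2 :", LAMBDA_2.infer(POLY_ID))
    print("lambda->:", LAMBDA_ARROW.checks(POLY_ID))
    print("N : N   :", LAMBDA_N.infer(Sort('N')))
```

The kernel is deliberately small: everything a proof's acceptance depends on is the ten-line `infer`, so the (S, A, R) triple is the only thing that differs between a consistent cube system and the inconsistent N, which is why the proposition above can reduce CR for all PTSs to CR for N.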