Return-Path:
Return-Path: <john.harrison-request@uk.ac.cam.cl>
Received: from nsf.ac.uk by swan.cl.cam.ac.uk via JANET
          with NIFTP to fgate (PP) id <28750-0@swan.cl.cam.ac.uk>;
          Fri, 28 Jun 1991 01:33:06 +0100
Received: from vax.nsfnet-relay.ac.uk by sun2.nsfnet-relay.ac.uk
          with SMTP inbound id <13118-34@sun2.nsfnet-relay.ac.uk>;
          Thu, 27 Jun 1991 16:31:29 +0100
Received: from [129.101.100.20] by vax.NSFnet-Relay.AC.UK via NSFnet with SMTP
          id aa08247; 27 Jun 91 14:34 BST
Received: from mcsun.EU.net by ted.cs.uidaho.edu (15.11/1.34) id AA06332;
          Thu, 27 Jun 91 06:25:48 pdt
Received: from kestrel.ukc.ac.uk by mcsun.EU.net with SMTP;
          id AA15116 (5.65a/CWI-2.95); Thu, 27 Jun 91 15:28:09 +0200
Received: from bnr.co.uk by kestrel.Ukc.AC.UK via PSS (UKC CAMEL FTP)
          id aa12683; 27 Jun 91 14:19 BST
X400-Received: by mta hedera.stl.stc.co.uk in /PRMD=STC Plc/ADMD=GOLD 400/C=GB/;
               Relayed; Thu, 27 Jun 1991 14:07:48 +0100
X400-Received: by /PRMD=stc plc/ADMD=gold 400/C=GB/; converted (ia5); Relayed;
               Thu, 27 Jun 1991 14:12:31 +0100
X400-Received: by /PRMD=icl/ADMD=gold 400/C=GB/; Relayed;
               Thu, 27 Jun 1991 13:56:23 +0100
Date: Thu, 27 Jun 1991 13:56:23 +0100
X400-Originator: R.B.Jones@gb.gold-400.icl.icl.win0103
X400-Mts-Identifier: [/PRMD=icl/ADMD=gold 400/C=GB/;win0103 0000010300000623]
Original-Encoded-Information-Types: ia5, undefined
X400-Content-Type: P2-1984 (2)
Content-Identifier: 623
From: win0103!R.B.Jones@net.eu.relay
Message-Id: <"623*/I=RB/S=Jones/OU=win0103/O=icl/PRMD=icl/ADMD=gold 400/C=GB/"@MHS>
To: info-hol@edu.uidaho.cs.ted
Subject: A response to "select" (on use of the choice function)
Sender: win0103!R.B.Jones@net.eu.relay


------------------------------ Start of body part 1

(this is a bit late since its been languishing at ucdavis)






------------------------------ Start of body part 2

Use of Choice function for writing loose specifications

The "new_specification" facility was introduced into HOL to support loose
specifications precisely because the choice function is not a satisfactory
substitute for a loose specification.  If you want to say that "f" is an
arbitrary function whose results have property "P" then use the property
"!x. P(f x)" in a call to new specification.

Given that the "new_specification" facility is available it should not be
necessary to use the choice function unless you really want the axiom of
choice, which is fairly unlikely for applications in computing.

However, this still won't enable you to prove some putative implementation "g"
to be correct, since there will be no relation between f and g which is
expressible let alone provable in the object language. (in the meta-language
you can say something like that every model of g is a model of f).

I personally regard this as being a deficiency in what is commonly held to
be a specification, and this view is reflected in most of the work which
is undertaken at ICL (Secure Systems).
The position we normally adopt is that a "specification"
is a property of systems, and an implementation is a system having that
property (or perhaps a widget which can be interpreted as such a system).

If this approach is adopted then the specification of a function the results
of which all have property P is:

"spec_f fun = !x. P(fun x)"

(which in this case can be entered by definition since the definition of this
loose specification is not itself loose)

It is now possible to express the claim that a function "g" satisfies this
specification.  This is simply "|-? spec_f g".  In most cases where this is
true it will also be provable.

Roger Jones (International Computers Limited)

------------------------------ End of body part 2