Formally Verified Interval Arithmetic and Its Application to Program Verification

Interval arithmetic is a well known mathematical technique to analyse or mitigate rounding or measurement errors. Thus, it is promising to integrate interval analysis into program verification environments. Such an integration is not only useful for the verification of numerical algorithms: the need to ensure that computations stay within certain bounds is common. For example, to show that arithmetic computations stay within the hardware bounds of a given number representation. We present a formalisation of (extended) interval arithmetic in Isabelle/HOL, including the concept of inclusion isotone (extended) interval analysis. The main result of this part is the formal proof that interval-splitting converges for Lipschitz-continuous interval isotone functions. We also show how interval types can be used for verifying programs in a C-like programming language.


INTRODUCTION
Interval analysis [28] in general and, in particular, inclusion isotone (or inclusion isotonic) extended interval arithmetic [34], are well known mathematical techniques to analyse or mitigate rounding errors or measurement errors [13].Thus, it is promising to integrate interval analysis into program verification environments.Such an integration is not only useful for the verification of numerical algorithms: the need to ensure that computations stay within certain bounds is common.For example, to show that computations stay within the hardware bounds of a given number representation.
Another application is the verification of cyber-physical systems, where a discretised implementation approximates a system described in physical quantities expressed using perfect mathematical reals, and perfect ordinary differential equations.Moreover, first applications of interval analysis to the security analysis of neural networks are promising [38,17].
In this paper, we present a formalisation of interval arithmetic in Isabelle/HOL, including the concept of inclusion isotone (extended) interval analysis.Moreover, we show how interval types can be integrated into the weakest precondition generation of Clean programs and demonstrate the use of interval arithmetic in program verification.In more detail, our contributions are: (1) a conservative formalisation of (extended) interval arithmetic in Isabelle/HOL, including interval extension of functions (Sect.3.1), inclusion isotonicity (Sect.3.2), Lipschitz continuity (Sect.3.3), division of intervals (Sect.3.4), extended interval arithmetic (Sect.3.5), and multi-intervals (Sect.3.6).The main result of this part is the formal proof that interval-splitting converges for Lipschitz-continuous inclusion isotone functions at least linearly with the number of splits (Sect.3.7); (2) an integration of the extended interval type into Clean, allowing for using interval analysis as part of the verification of imperative programs (Sect.4); (3) a case study, demonstrating the use of interval arithmetic in program verification (Sect.5).

BACKGROUND
In this section, we introduce the technical background of our work, namely Isabelle/HOL [32], Isabelle's interval type, and Clean [36].

Isabelle/HOL
Isabelle [32] is an interactive theorem prover that has been used successfully in large-scale verification projects (e.g., [23] presents the verification of an operating system kernel using Isabelle/HOL).The formal language of Isabelle is Higher-order logic (HOL) [10], which is a classical logic based on a simple type system.It provides the usual logical connectives like ¬ _, _ ∧ _, _ ∨ _, _ −→ _ as well as the object-logical quantifiers ∀ x.P x and ∃ x.P x.In contrast to first-order logic, quantifiers may range over arbitrary types, including total functions f:: ⇒ (where and are polymorphic type variables).Isabelle/HOL allows for extending theories in a logically safe way: A theory-extension is conservative if the extended theory is consistent, provided that the original theory was consistent.Conservative extensions can be constant definitions, type definitions, datatype definitions, primitive recursive definitions and well-founded recursive definitions.

Interval Arithmetic
Isabelle [32] provides a formalisation of (closed) intervals in the theory HOL-Library.Interval.This theory provides a datatype modelling intervals as tuples, where the first element is the lower bound of the interval and the second element is the upper bound: The interval theory defines the basic operations on intervals such as subtraction, addition, and multiplication (but not division).It also shows that intervals are an instantiation of certain type classes (e.g., preorder, equal and lattice).However, it does not define interval arithmetic in the way mathematicians typically understand it, nor does it include the property of inclusion isotonicity, or the notion of interval extension and Lipschitz continuity on intervals.
One notable aspect of the existing theory is that it leaves an interval undefined if the upper bound is lower than the lower bound.To address this, we developed a definition mk_interval, which swaps the bounds if this condition is met, ensuring the proper definition of an interval.In examples, we might use the mathematical notation [ , ] for Interval (l, u).Furthermore, we also prove the following equality, which often is suitable as a simplification rule in proofs: Isabelle (Isar) lemma mk_interval': mk_interval = ( (x,y).(if x ≤ y then Interval(x, y) else Interval(y, x))) unfolding mk_interval_def by(rule ext, rule arg_cong, auto)

Convergence Example.
Interval arithmetic is often used in computer programs to mitigate rounding errors [13], or ensure that computations stay within hardware bounds.However, intervals often produce an over approximation which creates a degree of uncertainty.This over approximation, can potentially compromise the assurance of safety requirements being met.
To mitigate this, a technique known as splitting can be utilised.This method involves subdividing the interval into smaller segments, thereby reducing the extent of over approximation.As the process of splitting is performed, the approximation converges towards the precise value.This increases the precision of the computations and can ensure the adherence to safety requirements.For example, let us consider the function We know this is an inclusion isotone, Lipschitz continuous function.
The interval extension of this function is: where [2,2] denotes the (closed) interval.When we apply the extension to the interval [0, 1] we get into subintervals, we then take the union of the resulting subintervals and find narrower interval bounds that still contain the range of the values of ( ).Table 1 shows the union of the results for a range of .

Clean
Clean [36] is a small imperative C-style language in the spirit of Winskel's IMP [39] and its formalisation in Isabelle/HOL [31].In contrast to most other embeddings of programming languages into Isabelle/HOL that are deep embeddings (e.g., [31,24,25,35]), Clean is a shallow embedding (for a discussion of deep and shallow embeddings, we refer the reader to [5,1]).Clean supports a typesafe notion of program-variables, an incremental construction of the typed state-space, support of incremental verification, and openworld extensibility of new type definitions.The Clean language supports conditionals and loops as well as break and return.
To define a (non-recursive) Clean function, we use the Isar command function_spec detailing the function name, return type, precondition and postconditions, local variables, and body.For example, the well known weighted sum algorithm: Hence, when needed we can replace the polymorphic type 'a with any type which instantiates addition and multiplication.The consequence of this abstraction is the ability to formalise generic programs and emulate a more extensible program design without the need to expand the base semantics.
When considering the total correctness of the weighted sum function, Clean will generate precondition and postcondition definitions from their respective keywords.In Isabelle, we express this correctness using the Hoare Triple: The ⊲ asserts that the state is free of break and or return state changes.Also note that the verification is solely focusing on total correctness, thus to verify this function would require a measure alongside the invariant.

FORMALISING INTERVAL ARITHMETIC
In this section we present our formalisation of interval arithmetic and extended interval analysis.For the terms and definitions discussed we mostly follow the notation presented by Moore et al in [28], but we will note where our definitions deviate.

Interval Extensions of Functions
In the context of interval arithmetic, a function is considered an interval extension of a function under the condition that for any degenerate interval argument (e.g., an interval that consists of a single point), yields the same result as .This can be expressed as ([ , ]) = ( ).In Isabelle, we define this as the following: We choose to keep the definitions as generic as possible by using type variables (e.g., 'a, 'b), instead of concrete types (e.g., real, int), for functions and their results.By choosing appropriate 'a and 'b we can select a representation which is appropriate for the problem domain.
Moore et al [28] define a more general natural interval extension to follow from these properties: (1) the real variable is replaced by an interval ; (2) the real arithmetic operations are replaced with the corresponding interval ones.
If these properties are met then is a natural extension of .The formalisation of intervals in Isabelle uses a shallow embedding and so does our work on (extended) interval arithmetic.By using a shallow embedding, this prevents us from replacing real arithmetic operations to interval arithmetic operations in a straightforward way.More importantly, the definition of Moore et al [28] assumes that the operations of intervals enjoy essentially the same properties (like commutativity, associativity) than their counterparts over reals (and essentially have a very similar semantics).This is something that we need to prove formally in Isabelle.Furthermore, our formalisation is more generic in the sense that it does not only work over real intervals.
Hence, we define our stronger version of interval extension by first applying the function onto both the upper and lower bounds of the interval, and then constructing a new interval with the bounds of the result.This is particularly useful when evaluating bounds on real valued functions: In interval analysis it is important to be able to compute the interval extension function from the function .To this extent, the following definition, extend_natural, takes a function and returns a new function that, given an interval , returns a new interval constructed from the lower and upper bounds of evaluated through .This allows us to extend the domain of to intervals.These provide a formal guarantee that extend_natural correctly extends a function to intervals according to our definitions of interval and natural interval extensions.

Inclusion Isotonicity
Inclusion isotonicity ensures that the relationship between intervals is preserved under the extension of functions.
A function is said to be inclusion isotone if for any = 0, ..., − 1 and ≤ implies This means that if the upper and lower bounds of the interval are contained within the bounds of the interval then the output of the function applied to is contained within the output of the function applied to .
We define the property of inclusion isotonicity as follows: Note that in terms of intervals the less than equal inequality, ≤, is the equivalent of a subset equal relationship, ⊆, on sets.
It then easily follows that for all affine functions of type real to real, if we use our function extend_natural (discussed in Sect.3.1) to extend this to a function that can work on the interval domain, then the extension is also inclusion isotone.
The proof for this lemma follows from the definition of interval extension, which states that ∀ .([ , ]) = ( ) (see Sect. 3.1), and the definition of inclusion isotone (see Equation 4).
There are slight differences in representation of our lemma fundamental_theorem_of_interval_analysis, as, while Moore et al [28] use a representation of intervals synonymous with set notation, the strict type system of Isabelle/HOL requires the explicit conversion between the interval and set datatypes (using set_of).

Lipschitz Interval Extension
The combination of inclusion isotonicity, with Lipschitz continuity provides a reliable enclosure of the range of a function over any interval.This is because Lipschitz continuity ensures that there are no abrupt changes in a function that could lead to holes in the interval extension.
More formally, in the context of real-valued functions, a function : R → R is Lipschitz continuous if there exists a positive real constant such that, for all real and , the absolute difference in the function values at these points is less than or equal to times the absolute difference in the points.In the theory HOL-Analysis.Lipschitz [32] this is defined as: We extend the notion of Lipschitz continuity to interval arithmetic, so that a function is said to be Lipschitz continuous on an interval if there exists a real constant 0 ≤ such that, the width of the result of the function applied onto the interval , is less than or equal to the width of the original interval multiplied by some constant .This constant is referred to as the Lipschitz constant for the function.We define this Lipschitz interval extension as the following in Isabelle/HOL: From the definition of Lipschitz continuity on intervals we know that the width of ( ) approaches zero at least linearly with the width of .This is an important idea which will be discussed in more detail in Sect.3.7 to closely approximate ( 0 , ..., −1 ).
When combining the concept of Lipschitz continuity with inclusion isotone interval extensions, we know that if a function is an interval extension of where satisfies the standard Lipschitz condition, then it follows that the extension of , is a Lipschitz interval extension [28].To this extent we have the following lemma which states that if is a natural interval extension of then is also Lipschitz continuous, with the same Lipschitz constant.

Isabelle (Isar) lemma natural_extension_transfer_lipschitz:
assumes positive_N: 0 < N and inc_isotonic_F: inclusion_isotonic F and interval_ext_F: F is_natural_interval_extension_of f and lipschitz_f: C-lipschitz_on (set_of X) f shows C-lipschitzI_on (set (uniform_subdivision X N)) F This requires the interval extension to satisfy our stronger definition of is_natural_interval_extension discussed in Sect.3.1.The weaker definition is_interval_extension cannot guarantee that the Lipschitz interval extension holds with the same Lipschitz constant for that satisfies the standard Lipschitz condition.However, there does exist some Lipschitz constant such that is also Lipschitz continuous.This allows us to reason about the composition of Lipschitz continuous functions, and is a direct extension of the property of Lipschitz continuous functions in real analysis to intervals.

Interval Division
The existing formalisation of the interval type in Isabelle (as part of the theory HOL-Library.Interval) does not provide a definition of division due to the fact that there is no universally accepted definition of division for intervals.See, for example, [34] for a discussion of various definitions of interval division.Still, most definitions (e.g., [27,34]) satisfy the following two properties for intervals that do not include 0, Where and represent the lower and upper bounds of the interval respectively, These two properties are sufficient to prove the main results of (extended) interval analysis (namely, convergence of Lipschitz continuous, inclusion isotone function as motivated in Sect.2.2.1 and discussed in more detail in Sect.3.7).
Isabelle defines (as Coq [2], Agda [37] or Lean [15]) division such that /0 = 0 holds (the theorem division_ring_divide_zero captures this fact in Isabelle/HOL).Thus, we can define integer division in a straight-forward manner for the type real interval: This definition satisfies the requirements of Equation 6and Equation 7 and hence, it can provide an interpretation of the locale interval_division_inverse.

Extended Interval Arithmetic
More standard definitions of interval divisions (e.g., following the proposal of [27]) require the use extended reals, i.e., the extension of R with the two infinity elements −∞ and +∞.A first attempt to define interval division over extended reals is: This definition also satisfies the requirements of Equation 6 and Equation 7. One drawback of this definition is that for the case lower a < 0 ∧ 0 < upper a the over-approximation [−∞, ∞] is very imprecise.Actually, Moore et al [27]  Thus, developing full support for extended interval arithmetic requires lifting all operations over intervals to multi-intervals (or lists of intervals).

Multi-Intervals
As motivated in the previous section, we need to model list of intervals, also called multi-intervals.In our Isabelle formalisation, we provide infrastructure to work with different types of multiintervals, depending on whether overlapping or adjacent intervals should be preserved or automatically merged.
The most important multi-interval type in our formalisation represents non overlapping multi intervals, or adjacent intervals: Where valid_mInterval_adj is a predicate describing restricting the list of intervals to non-overlapping intervals that are sorted by their lower bound: The type 'a minterval_adj provides a canonical representation of multi-intervals.
Furthermore, we define helpers to lift interval operations to list of intervals.For instance, we can define the addition over list of intervals as follows: We then prove various algebraic properties, for instance, that addition over adjacent multi-intervals is commutative, and instantiate type classes (respective interpret locales) to lift generic lemmas to multi-intervals.

Subdivisions and Refinements
The properties inclusion isotonicity and Lipschitz continuity can be combined to lead us to an important property of interval arithmetic.By splitting an interval into subdivisions and taking the union of the interval evaluations of the extended function applied to each element in the subdivisions, we can compute arbitrarily sharp upper and lower bounds on the interval (recall Sect.2.2.1).This is proven to converge linearly in the width of the subdivisions of the original interval .
However, in order to formally verify this convergence of refinement property in Isabelle/HOL, we first need to define the behaviour of some key components of the proof.
Firstly, in Sect.2.2.1 we mention the term subintervals, this requires a method of dividing an interval into partitions.For the purpose of this work we define a version of partitioning into uniform subdivisions, all of equal width, and call this definition uniform_subdivisions. Mathematically a uniform subdivision can be described as the following: Where ( ) represents the width of the interval and is the number of subdivisions.We model this in Isabelle as follows: Isabelle (Isar) definition uniform_subdivision where uniform_subdivision X N = map ( i. let i' = of_nat i in mk_interval (lower X + (upper X -lower X) * i' / of_nat N, lower X + (upper X -lower X) * (i' + 1) / of_nat N)) [0..<N] From this definition of uniform_subdivision it follows that the width of the interval at subdivision is ( )/ where is a natural number representing the number of subdivisions.Furthermore, the union of all the subdivisions results in the original interval , both of which are proven in Isabelle/HOL.In addition to these properties, we have also proven that the results obtained from uniform_subdivision meets our definition of a valid multiinterval type described in Sect.3.6.
The increased granularity that uniform_subdivision provides over the interval allows for a more detailed analysis over the behaviour of the function over that interval.In this context, refinement of the function over the interval is defined as the union of the interval values of applied over the all elements in the uniform subdivision.In other words, a refinement is a more precise representation of the function over the interval .Mathematically this is defined as Where ( ) is the refinement of interval ( ), using the partition of into subdivisions.
In Isabelle/HOL we define refinement as the following, where interval_list_union takes the union of the list of intervals returned from uniform_subdivisions.

Isabelle (Isar)
definition refinement where refinement F N X = (interval_list_union (map F uniform_subdivision X N)) From the fundamental theorem of interval analysis (see Equation 5) we know that ( ) ⊆ set_of ( ( )), and from the example in Sect.2.2.1, we can clearly see that the extension is an over approximation of .Hence, there is some excess interval such that when this is added to the result of applied onto every ∈ { , . . ., } the result is ( ).We call this the excess width of ( ), and we have defined it as the following in Isabelle.
Isabelle (Isar) definition excess_width where excess_width F f X = width(F X) -width_set (f `set_of X) The function ({ , . . ., }) has an excess width of zero, it gives the exact range of values for { , . . ., }, whereas ( ) introduces an over approximation.However, we can compute ({ , . . ., }) as closely as desired by the repeated subdivision and refinement of ( ).In fact, the excess width of a refinement is of order 1/ where is the number of subdivisions.
Recall that we have some excess width ( ) of an interval result of ( ), for each interval we then have ( ) = ({ , . . ., }) + .This statement is also true for all of the subdivisions of , and so we can calculate the excess width of each subdivision to be ( ) ≤ • ( )/ where is the number of subdivisions, is the interval and , are the intervals and excess width represented by a subdivision of .This has been proven in Isabelle with the following lemma: Isabelle (Isar) lemma each_subdivision_excess_width_order: fixes X :: real interval assumes inc_isotonic_F: inclusion_isotonic F and lipschitz_F: lipschitzI_on C U F and interval_ext_F: F is_interval_extension_of f and lipschitz_F_on: set (uniform_subdivision X N) ⊆ U and positive_N: 0 < N and lipschitz_f: L-lipschitz_on (set_of X) f shows ∀ Xs ∈ set (uniform_subdivision X N) .
excess_width F f Xs ≤ C * width (X) / of_nat N This lemma holds due to the Lipschitz condition on the interval extension function .We know that the excess width of a subdivision of is ( ) = ( ( )) − ( ({ , . . ., })), it follows that the excess width ( ) ≤ ( ( )).As is a Lipschitz continuous, inclusion isotone extension of , the rate of change of the function is bounded by our Lipschitz condition on intervals (Sect.3.3), hence this means that ( ( )) ≤ • ( )/ , and therefore ( ) ≤ • ( )/ , where is the number of subdivisions.
When then looking at the excess width of the refinement of , (i.e., the union of all of the subdivisions after applying the function ), then the inequality holds with ( ) ≤ ( ( )) ≤ 2• • ( )/ as the upper limit of the excess width must be added to both the upper and lower bounds in the interval union.In Isabelle our lemma is the following (this is a formalisation of the paper proof in [28]): Where excess_width_set and refinement_set are variants of excess_width and refinement that the interval result into their set equivalent.
As the result from uniform_subdivision is a contiguous list of intervals, when applying an inclusion isotone function to this list, the result is a list of overlapping intervals.It is this overlapping that means only the excess width of the first and last intervals are considered in the union, and hence in the worst case scenario, the maximum excess width is to the left of the lower bound and to the right of the upper bound of , resulting in the inequality proven in isotonic_lipschitz_refinement.
This shows how we can compute arbitrarily close lower and upper bounds of a range of values represented as an interval by subdividing the interval and taking the union of the function applied to all elements of the subdivision.This method converges with the width of the pieces in the subdivision, or as , the number of subdivisions, increases.It is important to note, that while in this paper, we focus on a uniform subdivision of the interval into parts, the same result holds for a non-uniform, or weighted subdivision, with an adjustment of the rate of convergence.In this case, the method would converge with the width of the largest interval in the subdivision.

Discussion
A large part of the effort in formalising interval arithmetic was focused on straightening out the mathematical textbook notation that does not clearly distinguish between functions over real values vs. real intervals (and mostly assumes that for real operators there is an equivalent operation over real intervals).Furthermore, the textbook notation does not distinguish properly between intervals and their set representation-an aspect that needs to be clearly separated in a strongly typed systems such as higher-order logic.The need for lifting interval operations to multi-intervals is, essentially, neglected in the interval analysis literature (e.g., [28,34]).

INTERVAL AWARE CLEAN
In this section, we provide a brief overview of the verification support we developed for Clean [36].

Polymorphism in Clean
We can define programs of interval types easily in Clean is due to the state architecture.Clean's semantics and functionality are defined over a base control state, modelled in Isabelle/HOL as: Isabelle (Isar) record control_state = break_status :: bool return_status :: bool Records in Isabelle [30] are essentially named tuples where each field can have polymorphic typing.These records can also be extended with other named fields, importantly: if a record is an extension of , then lemmas over also hold for (due to being a subtype of ).
Clean makes use of record extensibility when creating function states.For instance, Clean will automatically generate the local_weighted_sum_state for weighted_sum defined in Sect.2.3, extending the control_state with the addition of the local variables out :: 'a and i :: nat: Isabelle (Isar) record 'a local_weighted_sum_state = control_state + out :: 'a i :: nat Due to proof inheritance, Clean's semantics and functionality proved on our weighted sum state.This makes working with types like intervals significantly easier than common deep embeddings like IMP2 [24], as we do not need to manually edit the core state formalisation.
Furthermore, the extensible state of Clean also allows us to define, similar to definition of functions in Sect.3.1, that a Clean program is an interval extension of Clean program .Informally, and differ only in their typing: in all types used in are lifted to their corresponding interval type.For instance, a variable of type nat in would be of type nat interval in .This allows us to apply the concept of interval analysis to the analysis of programs.
In addition to the state, Clean's semantics are defined over the State Exception Monad, which informally converts some state of type ' to some tuple of output and state or some exception: Semantics being defined over some polymorphic output type allows for functions of any well-defined type to be parsed.Hence, functions over interval types do not require editing of the core command semantics.

CASE STUDY
In this section, we present a small case study, demonstrating how interval analysis can be combined with program verification in Isabelle/HOL.We build on the example shown in Sect.2.3 and prove both the correctness and the inclusion isotonicity of performing a weighted sum over intervals.We also show that the interval weighted sum is an extension of the regular weighted sum.Being concise, only the interval correctness proof will be shown as the regular weighted sum has an analogous formalisation.

Formalisation in Clean
From Sect.4.1, we know that integrating intervals to be a trivial exercise in Clean.Thus, requiring no semantic extension of vanilla Clean, our interval weighted sum is identical to the regular weighted sum from Sect.2.3 with interval typing: To prove this, unfolding the definition of I_weighted_sum leads to three sequential components: We shall focus on item 2 as the others are trivial.When parsing each line, we will make use of our sequential composition WP rule: To use this, we require the termination of 1 to simplify the WP of 1 ; − 2 .Parsing the assignment of out := 0 and i := 0 requires the local assignment simplification rule on normal execution states: Where update is a record specific update function for and upd_hd updates the value of with .Using our adapted while loop and sequential rules, we require to show the correctness of a chosen invariant: Isabelle (Isar) definition I_invariant xs ws ≡ ( .hd(out ) = sum_list (map2 ( * ) (take (hd (i )) xs) (take (hd (i )) ws)) Where the first line states that the value of out should be equal to the weighted sum of the input lists up to index i.The conjunction out ] is trivial but required for Isabelle's level of scrutiny.Finally, we require the loop to not change the return status of the control state.
We further require termination of the loop: I_ws_measure xs ws ≡ ( .length xs -hd(i )) Which is clearly decreasing for increasing i .For more details about the formalisation, we refer readers to the artifact.
To close the correctness proof, we use our WP rule for return C .Since return result_value out is assigning out to result_value, the WP rule is essentially identical to the local assignment rule with the addition that return_status is now True.This, combined with the post loop value of out, will show that our function truly implements an interval weighted sum.

Inclusion Isotonicity
Defining a more functional representation of our Clean function: We represent the inclusion isotonicity of our Clean function as: To prove this, we first will show that the Isabelle/HOL weighted sum is inclusion isotonic: via the inclusion isotonicity of map2, foldr (+) and • for inclusion isotonic functions and .Finally, using the correctness lemma, we can show the equivalence of F ws to the Isabelle/HOL representation, which will close the goal of inclusion isotonicity.

Proof of Interval Extension
We now wish to show that our interval weighted sum over reals is an interval extension of the weighted sum over regular reals.By similar means to the previous section, we define an identical functional representation of the regular weighted sum: Which in Isabelle, is formalised as: To prove this, we first can use both correctness proofs to simplify the Clean implementation into standard Isabelle/HOL.Which is proven from our conclusion in Sect.5.2 and the precondition assumptions.From this, the right-hand side is then =1 • , which can be easily reduced to =1 [ • , • ].By the linearity of intervals w.r.t addition, it further simplifies to =1 • , =1 • .This is precisely the L.H.S, closing the proof.

Fundamental Theorem of Interval Analysis
Given we have proven F ws is both an interval extension of the regular weighted sum f ws and inclusion isotonic, it should agree with the Fundamental Theorem of Interval Analysis.There is a difference, however, with how it has been formalised in Sect.3.2 and our needs here.Our weighted sum is over lists of intervals, not plain intervals and so the lemma needs to be adjusted slightly: The main modification is requiring each element of the list interval_of_list xs to be a subset of X.This is needed to prove the interval extension from Sect.5.4.Using this, along with the inclusion isotonicity of F ws we can close the proof.

Discussion
We now have a verified imperative program that uses interval types as first class citizen.This can be used for proving the correctness of numerical algorithms that rely on (extended) interval analysis.Furthermore, our program I_weighted_sum can also be understood as the (natural) interval extension of an imperative program weighted_sum computing the weighted sum over reals.If, in the context of a larger program verification task, we need to show that the result of weighted_sum stays within certain bounds, the proof can be reduced to symbolic evaluation.

RELATED WORK
There are a number of libraries offering a formalisation of interval arithmetic in interactive theorem provers.For example CoqInterval; this is a formalisation of interval arithmetic for the Coq proof assistant, developed mainly by Melquiond in [26] which provides tactics for proving inequalities on real-values expressions by using a combination of interval arithmetic and automatic differentiation.
A similar method has been implemented in PVS (Prototype Verification System) in [29] to efficiently approximate real valued functions in theorem provers.Most similarly to our presented work, Daumas et al [12] combine this method with their earlier work [14] to integrate interval splitting and Taylor series expansion to reduce the dependency effect of interval arithmetic in order to provide guaranteed proof of numerical properties.This work has been developed and verified in the theorem prover PVS.
There are also libraries developed in non-formal settings, for example Boost.Interval [6], a general C++ library that offers interval arithmetic, as well as Harapanahalli et al [17] who introduce a framework for interval analysis implemented directly in numpy.
Research on interval analysis and arithmetic us abdundant, it can be used in many application areas, for example it is common to use interval analysis to mitigate rounding errors and solving differential equations (e.g.[16], [11] and [4]).However, early success has been seen when implementing the interval splitting and refinement method to approximate the output of a neural network.Wang et al use this method with an aircraft collision avoidance system (ACAS Xu [33]), to ensure that it adheres to strict security specifications [38].Whereas Harapanahalli et al [17] use their framework to verify the output of network controlled systems.
In Isabelle/HOL in particular there are many cases of using interval arithmetic to prove the correctness of programs, for example Hölzl provides a proof method that translates inequalities into interval arithmetic calculations on floating-point numbers to compute boundary computations [18].Boher uses this interval arithmetic to implement a programming language where all terms have 32-bit signed word values [3], and Immler and Hölzl use intervals and Lipschitz continuity to show a unique solution to multivariate case of the Picard-Lindelöf theorem [19], [20].

CONCLUSION AND FUTURE WORK
We presented a formalisation of interval analysis in Isabelle/HOL; in particular, we have proven formally the fundamental result that for inclusion isotone Lipschitz-continuous functions interval approximation converges to the value of the non-interval function.Furthermore, we extended this result to imperative programs.For the latter, we exploited the fact that Clean [36] has been designed for extensionality in mind.
We see two major lines of future work: First, our formalisation of interval arithmetic is reusable and can, for instance, be used for verifying the correctness of widely used numerical algorithms for analysing real world systems.Interesting targets include, for instance, the verification of the widely used Newton-Raphson method.Furthermore, interval analysis has been proven successful in the analysis of safety-critical neural networks, as pioneered by the Marabou [22].Hence, combining our work with formal verification approaches of neural networks in Isabelle/HOL (e.g., [9]) would allow for the development of a neural network verification tool that is fully verified.
Second, the work on Clean shows the potential of the verification of programs over a polymorphic state.Hence, we plan to extend our weakest precondition calculus into a verification condition generator.Other applications areas that we consider of high importance are programs that integrate probabilistic variables (e.g., imperative programs that interact with neural networks) or that support ordinary differential equations as first class citizen (e.g., for the verification of cyber-physical systems).

AVAILABILITY.
The formalisation and case studies for Isabelle 2023, as described in this paper, are available to view on Zenodo [7].The materials include both the Isabelle/HOL implementation and the detailed documentation generated by Isabelle.A maintained version that also will receive updates (including being ported to future versions of Isabelle) is available in the Archive of Formal Proofs (AFP) [8] under a BSD-license (SPDX-License-Identifier: BSD-3-Clause).

( 1 )
push_local_I_weighted_sum_state: Initialises the local variables and result value to [undefined].(2) I_weighted_sum_core: Contains the body of the Clean function (3) unset break and return status': After the body is executed, restore the control status' of the state.(4) pop_local_I_weighted_sum: Pops the result value of the function and restores local variables.