Foundations of Event-B's Logic. As Xxxxx is used to develop safety critical systems, bugs in Rodin's theorem prover constitute a serious problem. Unfortunately, several bugs have been discovered that make Xxxxx'x theorem prover unsound. Obviously, any examination of soundness presupposes a clearly written specification of the logic's syntax, semantics, and proof calculus. There are several publications on the logic of Event-B, but they fail to serve as specification documents, because the logic defined therein is inconsistent [7] or only fragments of the logic implemented in Rodin are considered [8] [9] . Therefore we have devised a rigorous specification document for the logic of Event-B [10] . Mathematical extensions[1] play an important role in avoiding unsoundness, because they allow the user to define new operators, binders, types, and inference and rewrite rules in a soundness preserving fashion. The specification document [10] also devises the theoretical foundations of mathematical extensions. Note that mathematical extensions are well-understood for, e.g., HOL[11] , but the extension methods for HOL cannot be straightforwardly adopted for Event-B because of Event-B's well-definedness [12] mechanism and non-standard term rewriting.
Foundations of Event-B's Logic. The major design decision concerned the logic in which the semantics of Event-B's logic is formalized. We experimented with ZF set theory and HOL. Finally, we decided to define semantics in terms of a (shallow) embedding into HOL, because that allows us to carry out vast parts of our soundness proofs using Isabelle/HOL[13] . In the long term, the embedding allows us to use Xxxxxxxx/HOL as an external theorem prover for Rodin. Other design decisions, e.g., concerning terminology, are discussed in [10] .
