您的当前位置：首页 Form and Content

Form and Content

来源：意榕旅游网

ATrustworthy,ExtensibleTheoremProver

Ph.D.DissertationProposal

JaredDavis

DepartmentofComputerSciencesTheUniversityofTexasatAustin1UniversityStationC0500Austin,TX78712-0233,USA

jared@cs.utexas.edu

October22,2007

Contents

1Introduction

2Sketchofourproposal

2.1Formalveriﬁcation........................1332.2Ourchoiceoflogic........................2.3Computerscheckingproofs....................2.4Ourproofchecker.........................2.5Proofcheckerextensions.....................2.6Proposedextensions.......................2.7Usingextensions.....

....................3Presentandremainingwork

3.1Sketchofourlogic........................3.2Ourproofchecker.........................3.3BuildingProofp-checkableproofs................3.4ExtendingProofpwithanewrule................3.5Provingthenewruleissound..................3.6Remainingwork..........................4Relatedwork

4.1Currenttheoremprovers.....................4.2Embeddedproofcheckers.....................4.3Independentproofchecking...................4.4Metareasoning.......

...

................

4577810111116181820232424282930

1Introduction

Programshaveprecisesemantics,sowecanusemathematicalprooftoes-tablishtheirproperties.Theseproofsareoftentoolargetovalidatewiththeusual“socialprocess”ofmathematics,soinsteadwedevelopandcheckthemwiththeorem-provingsoftware.Thissoftwaremustbesophisticatedenoughtomaketheproofprocesstractible,butthisverysophisticationcastsdoubtuponthewholeenterprise:whoveriﬁestheveriﬁer?

Inthisthesis,weproposedevelopingauseful,mechanically-veriﬁedthe-oremprover.Ourprogramwillsatisfytwooften-conﬂictinggoals:

•Trust.Ourproverwillbebasedonawell-understoodlogicandshouldonlyaccepttheorems.Thesoundness-criticalcodewillbeeasytoiden-tifyandshortenoughforagoodprogrammerormathematiciantoreviewinafewhours.

•Capability.Oursystemwillprovidetoolstohelptheuserconstructproofs.Forexample,itwillpermittheusertosetuplemmasthatcanbeautomaticallyreusedtomakeprogressinnewproofattempts.Therearemanywaystoapproachthesegoals.Oursistoproveourprogramissound,i.e.,ifitclaimsaformulaisatheorem,thenitisatheorem.

Ofcourse,wecannotmeaningfullyuseourprogramtoproveitsownsoundness,sincethiswouldbelikeaskingsomeoneiftheyeverlie.Instead,weimaginetwoprograms,AandB.Aisaproofcheckerthatonlyacceptsproofscomposedofthemostprimitivesteps,likeinstantiationandcut;Aissosimplethesocialprocessofmathematicscanestablishbothitssoundnessandtheconsistencyofthelogicaltheoryitimplements(soweknowtheoremsare“alwaystrue”).Meanwhile,Bisthepractically-useful,automatedtheoremproverweareproposingtoverify.Inthisthesis,wewillconstructanA-styleproofthatshowsBissound,andcheckthisproofwithA.Then,sincewetrustA,andsinceAsaysBissound,wecanalsotrustB.

Ourﬁrsttaskistowritetheproofchecker,A.WhichlogicshouldAimplement?Wewilluseacomputational,quantiﬁer-free,ﬁrst-orderlogicoftotal,recursivefunctionswithinduction,modeledaftertheACL2logic.Ourlogic,likeanyother,putsforthasyntacticdeﬁnitionofproof,sowritingaproofcheckerjustmeanstranslatingthisdeﬁnitionintoaprogram.Thisisstraightforwardandcouldbedoneinanyreasonableprogramminglanguage,sowhichlanguageshouldweuse?Ourlogic,likeACL2’s,iscompatiblewith

CommonLisp,sowecantreatthefunctionswedeﬁneasLispprograms.AndthereisgoodreasontowriteAasaprograminourlogic.SinceourgoalistouseAtoprovethesoundnessofB(“ifBacceptsφ,thenφisprovable”),weneedawaytoexpressprovabilityinourlogic.WritingAinourlogicletsusdothisquiteeasily,i.e.,wecansay“φisprovablewhenthereisaproofofφthatAaccepts.”

Wealsoneedtodevelopthetheoremprover,B.LikeA,wewriteBasaprograminourlogicsowecanreasonaboutitsdeﬁnition.BwillbefarmoresophisticatedthanA,e.g.,itwillincludearule-drivensimpliﬁerwhichcanemploycalculation.ButthismeanstheproofofB’ssoundnesswillbeadeepresult,whichisconcerningsinceA-styleproofsaretedioustowriteandexcessivelylarge.

Howcanweconstructthisproof?OurapproachisﬁrsttouseACL2,amatureandcapabletheoremprover,to“sketchout”theproof(normallyACL2isthoughtofasaformalandtrustedtool,buthereweareonlyusingitinaninformalcapacity.)UsingACL2inthiswayallowsustoplanourproofwithoutneedingtoconfront,simultaneously,theproblemofbuildingA-styleproofs.Afterwehaveasolidideaofhowtheproofshouldgo(andarereasonablyconvinceditis,infact,atheorem),wecanbeginworkingontranslatingoursketchintoanA-styleproof.

HowbigwillthisA-styleproofbe?WillitbepracticaltouseAtocheckit?HereourapproachistolayertheveriﬁcationofB.Thatis,insteadofgoingdirectlyfromAtoB,wewilluseAtoverifyA󰀁,aslightlyricherproofchecker,thenuseA󰀁toverifyA󰀁󰀁,etc.,untilwegettoB.EachsuccessiveproofcheckeracceptsanewkindofproofstepthatisnotavailableinA,e.g.,perhapsA󰀁addsatautologycheckersoitcanproveanytautologyinonestep,whereasitmighttakehundredsorthousandsofstepstoprovesometautologywithA.OnceeachAihasbeenveriﬁed,wecantrustitasmuchaswetrustA,andwecanmakeuseofitsnewcapabilitiesaswesetouttoverifyAi+1.

SuccessfullyverifyingBwillmakethefollowingcontributions:•Anewtool.Ourﬁnalprogramwillbesuitableindomainsfromcircuitanalysistoprogramveriﬁcation,andwillconveygreaterconﬁdencethantoolswithlarger,lessdeliberately-deﬁnedcores.

•Metatheoryasaproverdesign.Wewillcounterthesizeofformalproofsbyaddingnewproofmethodstoraiseourlevelofabstraction,whileverifyingthesemethodstoensuresoundness.

•Extensibleproofmethods.Usersmaydevelopnew,customproofmeth-odsfortheirdomainseitherastactic-styleprogramsforB,orasnewprovers(B󰀁,B󰀁󰀁,...)whichcanbeveriﬁedwithB.TheworkwehavedonetoverifyBwillprovideusefullemmasforverifyingthesenewprovers.

•Eﬃcientproofconstruction.Wewillformallyverifyseveralextendedproofmethods.Byhavingshownthesealgorithmscanbetrusted,wemayfreelyusethemwithoutcheckingtheirwork.Forexample,Bwillincludeaveriﬁedrewriter.

•Potentialtargetforothersystems.Externalprogramsmaybeabletoconstructhigher-level,B-orB󰀁-styleproofsmoreeasilythanlow-levelA-styleproofs.

2Sketchofourproposal

Wewillnowgiveamoredetailedtourofourproposal.Webeginbydiscussingthenotionsofformalproofandformalveriﬁcation(§2.1),thelogicwewilluse(§2.2),thepotentialforerrorswhencomputerscheckproofs(§2.3),andourA-styleproofchecker(§2.4).Wethenturnourattentiontotheextendedproofcheckers(A󰀁,A󰀁󰀁,...,B)anddescribehowtheycanbeimplemented(§2.5),whattypesofproofmethodstheywillimplement(§2.6),andﬁnallyhowtheycanbeputtouseintheproofofB’ssoundness(§2.7).

2.1Formalveriﬁcation

Formalveriﬁcationistheuseofmathematicalprooftoshowhardwareorsoftwaredesignshavedesirableproperties.WeadoptaHilbert-esquenotionofproofasa“step-by-step,syntacticallycheckabledeductionasmaybecar-riedoutwithinaconsistent,formallogicalcalculus.”[DLP77]Wecallthisformalproof.

The“veryidea”offormalveriﬁcationwaschallengedbyJamesFet-zer[Fet88],whoarguedprogramsarenotmathematicalentitiesbecausetheyrunoncomputers;hence,asinotherappliedscienceswheremeasurementsareimpreciseandnaturallawsareimperfectlyunderstood,strictdeductiveproofsareinappropriate.Butwe,likeHoare[Hoa69],viewComputerScienceasan“exactscience”ofabstractmathematics;ourprogramminglanguages

havepuresemanticsindependentlyfromanyphysicalcomputers,anditisthroughthesesemanticswewishtoanalyzeaprogram’sdesign.

DeMillo,Lipton,andPerlis[DLP77]contestedthevalueofformalproof,arguingproofisinsteadthesocialprocesswherebymathematicianscometoagreeaformulaisatheorem.Wecallthisinformalproof.Formalproofs,theyargued,aretoolonganddetailedtobebelievable,andcannotconveyintuitiontothereader.Thisobjectionwasnotwidelyaccepted[Mac01,§6],forasFetzer[Fet88]observed,thevalidityofaformulaandourbeliefinitsvalidityaredistinct;WinstonandO’Brienmayagreetwoplustwomakesﬁve,buttheirconsensusdoesnotmakeitso.Incontrast,onlytruthsmaybederivedinasoundlogicalframework,soformalproofscanserveas“objectiveevidence”ofthetruthofastatement.

Thereislittlehopemathematicianswillbewillingorabletoproveprop-ertiesaboutinterestingprogramsinformally,as“theproofsofevenverysimpleprogramsrunintodozensofprintedpages.”[DLP77]Butunlikethevaguely-deﬁnedsocialprocessbehindinformalproofs,formalproofsinvolveonlysimpleruleswhoseapplicationcanbecheckedbycomputerprograms.Byautomatingtheconstructionandcheckingofformalproofs,formalveri-ﬁcationbecomespossible.

2.2Ourchoiceoflogic

Beforewecanbuildandcheckformalproofs,wemustdecideupona“for-mallogicalcalculus”touse.Moderntheoremproversdonotagreeonanystandard,andthischoiceis“amatteroftasteandexperience”[LP99]whichmaybeviewed“eclecticallyandpragmatically.”[Mac01,§8]

WeproposeusingasimpliﬁedversionoftheACL2logic[KM98,KMM00].Ourobjectswillbethesymbolsandnaturals,recursivelyclosedunderor-deredpairing.Wewilleliminateguards[KM94,§4.3]andpackagestosim-plifytheconnectionwithCommonLisp.Wewillalsoadoptinﬁnitely-manyprimitiveconstantsandanewrule,calledbaseevaluation,forapplyingthebasicfunctionslikeconsand+toconstants;thisismuchlikeMc-Carthy’s[McC60]Lispinterpreter,apply,whichhadspecialcasestoevaluate“elementaryS-functions”likecons.

ThemajorcharacteristicsoftheACL2logicwillbepreserved.Ourlogicwillbeﬁrst-order,willlackexplicitquantiﬁers,andwillhaveequalityasitsonlypredicatesymbol.WewilldirectlyadoptShoenﬁeld’s[Sho67]rulesofpropositionalcalculusandACL2’sinstantiationandinductionrules.Wewill

permittheintroductionoftotal,untyped,recursivefunctions,theintroduc-tionofSkolemfunctions,andinductionuptoε0.

Finally,partingwithACL2tofollowtheworkofG¨odel[G¨od31],wewillextendourlogicwithanintegratedproofcheckersowemayestablishmetatheoremsaboutprovability,e.g.,“A󰀁onlyacceptsprovableformulas.”WewillalsoaddaruleofcomputationalreﬂectionasdescribedbyHarri-son[Har95],toallowtheuseofmetatheoremsduringproofs,e.g.,“A󰀁acceptsφ,soφmustbetrue.”

Thelogicjustdescribedwillberatherrestrictive,notablylackingtypes,quantiﬁers,andhigher-orderfunctions.But,asKaufmann,Manolios,andMoore[KMM00]havenoted,theselimitationsoften“canbeovercomewith-outundueviolencetotheintuitionsyouaretryingtocapture.”Asevidenceofthisclaim,considerthediverseusesofthesimilarly-restrictiveACL2sys-tem,whichincludetheveriﬁcationof:

•processormodels[BKM96,Moo98,GWH00,Saw00],•RTLdesigns[Rus98,RF00],•circuitmodels[Hun00,HR05,HR06],•virtualmachines[BM96,LM03],•compilers[BT00,Goe00],•imperativeprograms[LM04],and

•otheralgorithms[RMT03,TB03,RRAHMM04,MZ05].

Therearealsoadvantagestousingasimplelogic.Forexample,termquo-tationandreﬂectionaremorestraightforwardwhennotypesareinvolvedandtermequalitydoesnotrelyonreductions[Bar01,How88].Also,becauseourtermsaresosimple,oursystemwillnotneedatypechecker,typeinferenceengine,ormuchinthewayofinterfacinglayerssuchasparsersandtermrendering.

2.3Computerscheckingproofs

Formalproofsaretoolongforhumanstocheckreliably,butcomputersarewellsuitedtothistask.Ourproofcheckingprogram,whichwecalledAinthe

introduction,willbeafunctioncalledProofp,deﬁnedinourlogic;ourlogicwillbecompatiblewithCommonLisp,sowecanuseaLispsystemtorunthisfunctiononacomputer.ThereareseveralLispimplementations,operatingsystems,andhardwareplatformstochoosefrom,asshowninFigure1.

AllegroLinux x86, x86−64, PPCMacOSX PPC, IntelWindows 32/64Solaris SPARC, AMD64Misc. Unix 32/64CLISPVarious Linux, BSDMacOSX (Fink)Windows (Cygwin)Solaris x86, SPARCMisc. Unix 32/64CMUCLLinux x86, AlphaVarious BSD x86MacOSX PPCSolaris SPARCGCLLinux x86, PPC, SPARC, ...FreeBSDWindows 32 (Cygwin)Solaris SPARCOpenMCLLinux x86−64, PPCMacOSX x86−64, PPCSBCLLinux x86, PPC, SPARC, ...Various BSD x86MacOSX PPC, IntelSolaris x86, SPARCFigure1:AsamplingofCommonLispsystems

Computers,operatingsystems,andLispcompilersarenotperfect,andtheirdefectsmightcauseourprogramtoincorrectlyacceptaninvalidproof.Tomakethislesslikely,wesuggestusingaheterogeneouscollectionofplat-formswhencheckingproofsofinterest.Thisidea,calledn-versionprogram-ming[Avi95],isnotwithoutprecedentincomputer-assistedproof[Mac01,ch.4].Becauseseparategroupshaveindependentlydevelopedthesehard-wareplatforms,operatingsystems,andLispimplementations1,itisunlikelyadiversecombinationofthesesystemswillshareanequivalenterror.

Thisargumentisadmittedlyinformal,butasDijkstra[Dij82]wrote,“[Sci-entiﬁcthought]derivesitseﬀectivenessfromourwillingnesstoacknowledgethesmallnessofourheads”anddealwithproblems“indepthandiniso-lation.”Therearenoformallyveriﬁedprocessors,operatingsystems,andprogrammingenvironmentsavailableforustouse,andwemuststartsome-where.

CMUCLandSBCLareforksofthesamecodebase,buttheotherLispsareoriginal.

2.4Ourproofchecker

G¨odel[G¨od31]deﬁnedaproofcheckercalledBw2withinhislogicinordertoprovehisincompletenesstheorem.Bwdependedupon43auxiliarydeﬁnitionswhichdealtwithencodingproofsasobjectsinthelogic,andwithrecognizingvalid,encodedproofsteps.

Ourlogicwillbemorecomplex,andourProofpfunctionwillmakeuseofauxiliarydeﬁnitionsincludingprimitiveLispfunctions(suchascons,natp,and+),basiclistutilities(e.g.,len,app,andmemberp),recognizersandconstructorsfortermsandformulas,substitutionoperations,andrecogniz-ersforvalidproofsteps.OurworkingdraftofProofpinvolvesaround100deﬁnitions,totallingunder1,000linesofLisp.InadditiontoProofp,wewillalsohaveasmallcommandlooptoreadinstructionsfrominputﬁles.

ItwillbediﬃculttowriteinterestingProofp-checkableproofssinceProofponlyimplementsbasicrulesofinferenceandprovidesnoautomation.How-ever,itissimplywrittenandisshortenoughtobethoroughlyreviewed.Partofourdissertationwillbeanexplanationofwhythisprogramcorrectlyimplementsourlogic,andwhyourlogicisreasonable.

2.5Proofcheckerextensions

Foroursystemtobeuseful,wewillneedtomakeproofconstructioneasierandmoreautomatic.Weplantodothisbyaddingnewproofmethodsthatarenotfoundamongtheinferencerulesofourlogic.Intheintroduction,wecalledtheseA󰀁,A󰀁󰀁,...,B.Tomaintainourtrustinthesystem,wewillneedtoensurethesenewproofmethodsaresound,i.e.,theycanonlybeusedtoderiveprovableformulas.

OurProofpfunctionisshowngraphicallyinFigure2.Forsimplicitywewillignorethefunctionarities,axioms,andtheoremsittakesasinputs,andonlywriteProofp(x),wherexistheallegedprooftocheck.Proofswillbemadeupofproofsteps,andeachstepwillhaveamethodofproof,aconclusion,and(exceptforaxiomsandtheorems)somesubproofs.Aproofstepwillbeacceptablewhenitsmethodcanbeappliedtoitssubproofstoobtainitsconclusion,e.g.,thecontractionmethodcanbeappliedtoasubproofofφ∨φtoconcludeφ.AproofwillbeacceptedbyProofpwhenallitsstepsareproperapplicationsoftheinferencerulesofourlogic.

ShortforBewisﬁgur,Germanforproofﬁgure.

AcceptAlleged Proofassociativitycutcontraction. . .TheoremsAxiomsFunction AritiesProofpRejectFigure2:OperationofProofp

Anextensionwillbeanewproofcheckingfunction,sayProof2p,thatacceptsalltheproofmethodsknowntoProofpandalsosomenewmethods.Forexample,perhapsProof2pwilladdModusPonensoratautologychecker.WewillsayProof2pissoundwhenwecanprovethesoundnessclaim,

∀x:Proof2p(x)→Provablep(Conclusion(x)),

whereProvablep(φ)isdeﬁnedas,

∃p:Proofp(p)∧Conclusion(p)=φ.

Ifthisclaimisatheorem,thenProof2pdoesnotallowustoproveanythingthatcannotbeprovenbyProofp.

Wecouldestablishsoundnessclaimsbyhandorwithanothertheoremprover,butourtrustinProof2pwouldthendependonexternalproofs.Toavoidthis,weproposedeﬁningourextensionsasfunctionsinourlogic,sowecanexpressthesesoundnessclaimsinourlogicandprovethemusingonlyProofpandalready-veriﬁedextensions.

Intheend,wewilltrustallformulasacceptedbyProofparevalidbe-causeProofpisshortandsimpleenoughtoreviewthoroughly.OneoftheseformulaswillstateProof2pcannotacceptformulasthatarenotacceptedbyProofp.Hence,wecantrustanyformulaacceptedbyProof2pistrue.

2.6Proposedextensions

Weplantoaddseveralproofmethods,whichwehaveclassiﬁedinFigure3aseitherderivedrulesofinferenceorheuristictheoremproving.

Derived Rules of InferencePropositional RulesEquality RulesLambda Reduction RulesThe Deduction LawThe Tautology TheoremEquivalence SubstitutionSubstitution of Equals for EqualsHeuristic Theorem ProvingFormula Compilation, ClausificationCalculation of Ground TermsEquality ReasoningConditional Term RewritingDestructor EliminationClause SimplificationFigure3:Overviewofourextensions

Wewillbeginwithderivedrulesofinferenceformanipulatingproposi-tionalformulas,suchasModusPonensanddoublenegationrules.Wewillthenaddrulesforequality,suchasitstransitivityandcommutativity,andthesubstitutionofequaltermsforargumentstofunctionsandlambdas.Moreinterestingderivedrulesofinferencewillincludethedeductionlaw,whichallowsustoproveF→GbytemporarilyassumingFistrue,thenshowingGfollows.OtherclassicmetatheoremswillfollowtheworkofShoen-ﬁeld[Sho67]andShankar[Sha94],andwillinclude:

•Tautologycheckingforidentifyingpropositionaltautologies,

•Equivalencesubstitutionforpropositionalformulas,i.e.,replacingoc-currencesofFwithGandviceversaafterprovingF↔G,and•Equalitysubstitutionforformulas,i.e.,replacingoccurrencesoft1fort2andviceversaafterprovingt1=t2.

Theseprooftechniquesdonotembodyagenericproofstrategyanddonottakeadvantageofuser-createdknowledgesuchaslemmalibraries.Toaddressthesedeﬁciencies,ourheuristictheoremprovingextensionsarein-tendedtomimicthekeystrategiesusedbyACL2:toproveaformula,wewillcompileitintoanequivalentterm,whichwillbeconvertedintoaclause;wewillsimplifytheclausebyapplyingconditionalrewriterules,equalityreasoning,andcalculation.Thisapproachallowspreviously-provenlemmas

tobeautomaticallyreusedinnewproofattempts,sotheusercanfocusondevelopingstrategiesfortheprovertofollowonitsown.

2.7Usingextensions

Logiciansoftenappealtometatheoremsduringotherwise-formalproofs.Forexample,afterprovingthetautologytheorem,onemightsay,“sinceφisatautology,letpbeaproofofφ,”withoutexplicitlysayinghowpistobeconstructed.Inotherwords,wefeelfreetosubstitutethemetatheoreticallyestablished“φisprovable”foraformalproofofφ.

Reﬂectionreferstotechniquesthatcapturethisideawithoutaseparatemetalogic.Inoursystem,themetatheoreticnotion“φisprovable”willbeanordinary,formalproofofProvablep(󰀂φ󰀁),where󰀂φ󰀁istheencodedformofφ.Tousethismetatheorem,wewillsupportcomputationalreﬂection[Har95]:

Provablep(󰀂φ󰀁)

.φSupposeProof2pisanextendedproofcheckerthataddstautologycheck-ing,andwehaveprovenitssoundnessclaim.WenowwanttobeabletoproveformulaswithProof2panditsbuilt-intautologycheckerinsteadofusingtheless-capableProofp.Ourreﬂectionruleisoneoftwocapabilitiesneededforthis;eﬃcientcomputationofgroundtermsistheother.SupposepisaProof2p-levelproofofφ.Then,wecanconvertpintoaProofp-levelproofasfollows:

1.2.3.4.5.6.

∀x,Proof2p(x)→Provablep(Conclusion(x))SoundnessTheoremProof2p(p)→Provablep(Conclusion(p))InstantiationProof2p(p)→Provablep(󰀂φ󰀁)ComputationProof2p(p)ComputationProvablep(󰀂φ󰀁)ModusPonensφReﬂection

RecallthatourlogicwillbecompatiblewithCommonLisp,andour

extensionssuchasProof2pwillbefunctionsinourlogic.Asaresult,aCommonLispsystemcanrunourextensions.Tojustifysteps3and4above,wewilluseLisptoevaluateConclusion(p)andProof2p(p).

Manytheoremprovers,includingACL2,PVS,Isabelle/HOL[BN02],andCoq,allowevaluationsinaprogramminglanguagetobetreatedasproofsof

equality.ButHarrison[Har95]hasreferredtothistransitionasa“glaringleapoffaith,”andLispevaluationiscertainlynobasicruleofinference.Tohelpjustifyourapproach,anearlyextensionwillbeanevaluatorinthespiritofMcCarthy’s[McC60]functionapply,andwewillproveourevaluatorproducesavaluethatislogicallyequaltoitsinputterm.WebelieveourevaluatorcorrectlymodelsthesemanticsofLispevaluationforourfragmentofthelanguage,butthisargumentcanonlybemadeinformallysinceLisp’sevaluatorisnotdeﬁnedinourlogic.

3Presentandremainingwork

Inthissection,wedescribeourlogic(§3.1),theworkingdraftofourproofchecker(§3.2),andtheconstructionofProofp-levelproofs(§3.3).WethenintroduceasimpleextensionofProofp(§3.4)andexplainhowwewereabletoverifythisextension(§3.5).Finally,weremarkuponwhatstillneedstobedone(§3.6).

3.1Sketchofourlogic

Ouruniverse,U,containsthenaturalsandsymbols,closedunderorderedpairing.WetakesomenotationalconventionsfromLisp:•Wewritetheorderedpairofaandbas(a.b),•(x1x2...xn.b)isshorthandfor(x1.(x2...xn.b)),•()isshorthandforthesymbolnil,•(x)isshorthandfor(x.nil),and

•(x1x2...xn)isshorthandfor(x1.(x2...xn)).

Ourtermsareprimitiveconstants,variables,functionapplications,andλabbreviations.Wewritetermsinthetypewriterfont.

•Wehaveaprimitiveconstantforeveryx∈U,whichwewillwriteas’x.Forexample,’(1.2)istheconstantcorrespondingto(1.2).•Wehaveavariableforeverysymbolexcepttandnil.Forexample,x,y,foo,andbar,arevariables.

•Wehaveafunctionnameforeverysymbolexceptnil;quote;ﬁrst;second;third;fourth;ﬁfth;and;or;list;cond;let;let*;pequal*;por*;andpnot*.Weassociateanaritywitheachfunctionname.Afunctionapplicationiswrittenas(ft1...tn)wherefisafunctionnameofarityn,andeachtiisaterm.

•Alambdaabbreviationiswrittenas((λ(x1...xn)β)t1...tn),whereeachxiisadistinctvariable,andβandeachtiareterms.Tomakesubstitutionsimpler,βmayhavenofreevariablesbesidesthexi.Sincewedonotallowtorniltobevariablesymbols,noambiguityariseswhenweomitthequoteson’tand’nil;similarlywewillnotbothertoquotenumberswhenwewishtousethemasconstants.

Ourformulasareequalitiesbetweenterms(writtent1=t2),negations(written¬F),anddisjunctions(writtenF∨G).Otherconnectives(e.g.,→,∧,and↔)aretreatedasabbreviations.Ourformulashavenoquantiﬁers,andweinterpretfreevariablesinformulasasuniversallyquantiﬁedatthetoplevel.

OurrulesforpropositionalcalculusareshowninFigure4,andourrulesforequalityareshowninFigure5.MostofthesearetakenfromACL2[KMM00,§6]andShoenﬁeld[Sho67].

Wetakeforgrantedcertainbasefunctions,inspiredbyCommonLisp,showninFigure6.Thesefunctionsaretotal;theycanbeappliedtoanyobjectsinouruniverse.Foreachbasefunctionfofarityn,andforallcon-stantsc1,...,cn,weaddanaxiomoftheform(fc1...cn)=x,wherexistheappropriateconstant.Theseaxiomsallowustouseprimitivecalcula-tionsinproofs,e.g.,wecanprove(+12)=3inonestep.Theseaxiomsalsoallowustodevelopanevaluatorforarbitrarygroundterms,basedonMcCarthy’s[McC60]applyfunction.

LikeKaufmannandMoore[KM98,p.31–47],weaddseveral“symbolicaxioms”toexplainthebehaviorofourbasefunctions,e.g.,(consp(consxy))=tandx=y→(equalxy)=nil.Wealsoaddanencodingoftheordinalsuptoε0,takenfromManoliosandVroon[MV06],whichwewilluseforterminationproofsandtojustifyinduction.OurinductionruleisbasedonACL2’srule[KMM00,p.80],andisshowninFigure7.Weﬁnallydeﬁneourproofcheckerinthelogicsowecanreasonaboutprovability.

¬A∨AA∨AAAB∨AA∨(B∨C)(A∨B)∨CA∨B¬A∨C

B∨CAA/σPropositionalschema

Contraction

Expansion

Associativity

Cut

Instantiation

Figure4:Propositionalrules

x=x

x1=y1→x2=y2→x1=x2→y1=y2

x1=y1→···→xn=yn→(fx1...xn)=(fy1...yn)((λ(x1...xn)β)t1...tn)=

β/[x1←t1,...,xn←tn]

ReﬂexivityaxiomEqualityaxiomFunctionalequality

schemaBetareduction

schema

Figure5:Equalityaxioms

(ifxyz)(equalxy)(conspx)(natpx)(symbolpx)(consxy)(carx)(cdrx)(Returnsyifxisnon-nil,zotherwiseChecksifxandyarethesameChecksifxisapairChecksifxisanaturalChecksifxisasymbol

Buildsthepair(x.y)

Accessestheﬁrstelementofanorderedpair∗Accessesthesecondelementofanorderedpair∗Checksifxislessthany†

Performsnatural-numberadditionofxandy†

Performsnatural-numbersubtractionofyfromx†

(symbol-∗†‡

afterinterpretingnon-pairargumentsas(nil.nil)afterinterpretingnon-naturalargumentsas0afterinterpretingnon-symbolicargumentsasnil

Figure6:Basefunctions

Inductionrule.

Wemayderiveaformula,F,from:•Aterm,m,calledthemeasure,•Asetofformulas,{q1,...,qk},

•Foreachformulaqi,asetofsubstitutionlists,

Σi={σi,1,σi,2,...,σi,hi},and

•Proofsofeachofthefollowingformulas:

–Basisstep

F∨q1∨···∨qk

–Inductivesteps

Foreach1≤i≤k,

F∨¬qi∨¬F/σi,1∨···∨¬F/σi,hi–Ordinalstep∗

(ordpm)=t

–Measuresteps†

Foreach1≤i≤kand1≤j≤hi,¬qi∨(ord∗†

ordpisourrecognizerforencodedordinalsordFigure7:Inductionrule

3.2Ourproofchecker

Wehavedevelopedadraftofourproofchecker,whichiscompleteexceptforthereﬂectionruleandeﬃcientcomputation.WehaveportedourprogramtoseveralLispimplementations.OurproofcheckerissimilartoG¨odel’s[G¨od31,pp.163–171]Bwprogram,whichwasbasedon43auxiliarydeﬁnitions,including:

•Basicoperationstoencoderecursivestructuresasprimepowers(1–10),•Constructorsforencodedformulas(13–16),

•Recognizersforencodedvariables,types,formulas,andsequencesofformulas(11,12,17–23),

•Variablebindingandsubstitutionoperations(25–33,37),and•Recognizersforvalidproofsteps(34–36,38–43).

Ourlogicismorecomplex,andourProofpprogramreliesuponaround100deﬁnitions.G¨odelencodedtermsasnumbersusingprimepowers.Ourencodingismorereadablesincewecanuselistsandsymbols.•Weencode’xas(quotex),

•Weencodethevariableforthesymbolvasv,

•Weencode(ft1...tn)as(f󰀂t1󰀁...󰀂tn󰀁),where󰀂ti󰀁representstheencodingofti,and

•Weencode((λ(x1...xn)β)t1...tn)as

((lambda(󰀂x1󰀁...󰀂xn󰀁)󰀂β󰀁)󰀂t1󰀁...󰀂tn󰀁).

Sincewedonotallowquotetobeusedasafunctionname,thereisnoconfusionastowhetheranencodedtermrepresentsaconstantorafunctioncall.Similarly,wedonotpermitpequal*,pnot*,orpor*tobeusedasfunctionnames,sowecanencodetheformulaswithoutoverlappingthetermsasfollows:

•Weencodet1=t2as(pequal*󰀂t1󰀁󰀂t2󰀁),

•Weencode¬Fas(pnot*󰀂F󰀁),and•WeencodeF∨Gas(por*󰀂F󰀁󰀂G󰀁).

Finally,weencodeproofsusingappeals.Eachappealrepresentsasinglestepintheproof,andisatupleoftheform:

(methodconclusion[subproofs][extras]),

where:

•Themethodisthenameoftheproofrulebeingused,•Theconclusionistheformulathissteppurportstoprove,

•Ifpresent,thesubproofsarealistofsubsidiaryappealswhichmustalsobecheckedbeforethisappealcanbeconsideredvalid(rulesofinferencehavesubproofs,whileaxiomsare“atomic”anddonot),and

•Ifpresent,theextrascontainanyadditionalinformationneededtojus-tifythisstep,e.g.,anappealtoinstantiationshouldspecifythesubsti-tutiontobeused.

Foreachruleofinference,weintroduceafunctiontocheckifanappealisavalidapplicationoftherule.Forexample,ourinstantiationruleallowsustoproveA/σfromaproofofA,sowewritethefunctionInstantiationOkp(x),whichchecksthat:

•Themethodisinstantiation,

•Thereisasinglesubproof,callitsconclusionA,•Theextrascontainasubstitutionlist,callitσ,and•TheconclusionisA/σ.

Finally,weintroduceProofStepOkp,whichchecksifasinglestepintheproofisvalidbyinspectingitsmethodandcallingtheappropriaterule-checker.WerecursivelyextendProofStepOkpacrosstheentireprooftoob-tainProofp,ourwhole-proofchecker.

3.3BuildingProofp-checkableproofs

ItisimpracticaltowriteProofp-checkableproofsbyhand.Forexample,evenourproofofx=y→z=x∨z=y,showninFigure8,takesafullpage.Accordingly,wehavedevelopedfunctionstoconstructproofsforus.Thesebuilderstypicallyusesomeinputproofs,formulas,ortermstocreateanewproofofacertainshape.WedonotneedtotrustthesebuilderssincewecanchecktheiroutputwithProofp.

Webeginwithsimplebuildersforourprimitiverules.Forexample,BuildPropSchemaconsestogetheraproofof¬A∨AgiventheformulaA,andBuildCutconsestogetheraproofofB∨CgivenproofsofA∨Band¬A∨C.Theseareusedtocreatenewbuildersthatactlikederivedrulesofinference,e.g.,“commutativityofor”isnotaprimitiverule,butwecanderiveB∨AfromaproofofA∨Basfollows:

1.A∨BGiven

2.¬A∨APropositionalschema3.B∨ACut

Wecantranslatethesestepsintoafunction,BuildCommuteOr,whichcreates

aproofofB∨Ausingaproof,x,ofA∨Basinput:

BuildCommuteOr(x:A∨B)=BuildCut(x,BuildPropSchema(A)).Wehavedevelopedmanybuilders,includingfunctionsformanipulatingpropositions,reasoningaboutlogicalequality,dealingwithlambdas,andhandlingthespecialequal,if,iff,andnotfunctions.Ourmostsophisti-catedbuildersperformlargetaskssuchasif-lifting,clausesplitting,evalua-tion,andrewriting.Thesetoolsallowustodescribetheproofswewishtoconstructmoreconcisely,buttheproofstheygeneratecanbecomelargeandcheckingthemcanbecomputationallyexpensive.

3.4ExtendingProofpwithanewrule

Wehaveveriﬁedanewproofchecker,Proof2p,whichextendsproofpbyadditionallyaccepting“commutativityofor”inferencesinonestep.SinceProofponlyneededtwostepstoachievethesameeﬀect,theaddedpowerofProof2poverProofpisnegligible.ButverifyingthisextensionrequiredustouseProofptoreasonaboutitselfanditsrelationshiptoProof2p,andshowswecanhandleallthe“generic”workinvolvedwithverifyingextensions.

(CUT(POR*(PEQUAL*XY)(POR*(PNOT*(PEQUAL*ZX))(PNOT*(PEQUAL*ZY))))

((ASSOCIATIVITY(POR*(POR*(PNOT*(PEQUAL*ZX))(PNOT*(PEQUAL*ZY)))(PEQUAL*XY))((CUT(POR*(PNOT*(PEQUAL*ZX))(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY)))

((CONTRACTION(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))(PNOT*(PEQUAL*ZX)))((CUT(POR*(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))(PNOT*(PEQUAL*ZX)))

(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))(PNOT*(PEQUAL*ZX))))

((CUT(POR*(PEQUAL*YY)

(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX))))

((ASSOCIATIVITY(POR*(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX)))

(PEQUAL*YY))

((EXPANSION(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(POR*(PNOT*(PEQUAL*ZX))(PEQUAL*YY)))

((EXPANSION(POR*(PNOT*(PEQUAL*ZX))(PEQUAL*YY))

((INSTANTIATION(PEQUAL*YY)

((AXIOM(PEQUAL*XX)))((X.Y)))))))))

(PROPOSITIONAL-SCHEMA(POR*(PNOT*(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX))))

(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX)))))))

(CUT(POR*(PNOT*(PEQUAL*YY))

(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX))))

((ASSOCIATIVITY(POR*(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX)))

(PNOT*(PEQUAL*YY)))

((CUT(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(POR*(PNOT*(PEQUAL*ZX))(PNOT*(PEQUAL*YY))))

((ASSOCIATIVITY(POR*(POR*(PNOT*(PEQUAL*ZX))(PNOT*(PEQUAL*YY)))

(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY)))

((INSTANTIATION(POR*(PNOT*(PEQUAL*ZX))

(POR*(PNOT*(PEQUAL*YY))

(POR*(PNOT*(PEQUAL*ZY))

(PEQUAL*XY))))

((AXIOM(POR*(PNOT*(PEQUAL*X1Y1))

(POR*(PNOT*(PEQUAL*X2Y2))

(POR*(PNOT*(PEQUAL*X1X2))

(PEQUAL*Y1Y2))))))

((X1.Z)(X2.Y)(Y1.X)(Y2.Y)))))

(PROPOSITIONAL-SCHEMA(POR*(PNOT*(POR*(PNOT*(PEQUAL*ZX))

(PNOT*(PEQUAL*YY))))

(POR*(PNOT*(PEQUAL*ZX))

(PNOT*(PEQUAL*YY)))))))))

(PROPOSITIONAL-SCHEMA(POR*(PNOT*(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX))))

(POR*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))

(PNOT*(PEQUAL*ZX)))))))))))

(PROPOSITIONAL-SCHEMA(POR*(PNOT*(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY)))

(POR*(PNOT*(PEQUAL*ZY))(PEQUAL*XY))))))))

(PROPOSITIONAL-SCHEMA(POR*(PNOT*(POR*(PNOT*(PEQUAL*ZX))(PNOT*(PEQUAL*ZY))))

(POR*(PNOT*(PEQUAL*ZX))(PNOT*(PEQUAL*ZY)))))))

Figure8:Proofp-checkableproofofx=y→z=x∨z=y

ThedeﬁnitionofProof2pisstraightforward.Webeginbyintroducinganewfunction,CommuteOrOkp(x),whichacceptstheappealxonlyif:•Themethodiscommute-or,

•ThereisasinglesubgoalwhoseconclusionhastheformA∨B,and•TheconclusionisB∨A.

WethenintroduceProof2StepOkp,whichacceptstheappealsrecognizedbyCommuteOrOkpandProofStepOkp.WeﬁnallyintroduceProof2p,whichrecursivelyensureseverystepinaproofisProof2StepOkp.

ToshowwecantrustProof2p,weneedtoshowitonlyacceptsproofsofformulasthatcouldbeprovenbyProofp.Thatis,wewanttoshow:

∀x:Proof2p(x)→Provablep(Conclusion(x)),

whereProvablep(φ)isdeﬁnedas:

∃p:Proofp(p)∧Conclusion(p)=φ

Theinformalproofisstraightforward.AssumeProof2p(x)holds,andin-ductivelyassumeallthesubproofsofxconsistentirelyofProofp-levelsteps.Ifxisanotacommute-orstep,thenxisalreadyacceptedbyProofp.Oth-erwise,xmustbeacommute-orstep;assumeitconcludesB∨AfromitssubproofofA∨B,andapplyBuildCommuteOrtothissubprooftoobtainanentirelyProofp-levelproofofx’sconclusion.

Ourstrategyforverifyingotherextensionsissimilar:wewriteabuilderfunctionthatmimicsourextensionandcanbuildaproofofanyconclusiontheextensionmightmake.Wethenshowwheneverweusetheextensioninahigh-levelproof,ourbuildercouldhavebeenusedtocreateanequivalentlow-levelproof.Hence,theextensioncanonlybeusedtoacceptprovableformulas.

3.5Provingthenewruleissound

WehaveconstructedaProofp-checkableproofofoursoundnessclaimforProof2p.Thiswasparticularlychallengingsince,havingnoveriﬁedexten-sionstoworkwith,ourproofcoulduseonlytheprimitiveinferences.Ourproofeﬀortwascarriedoutinthreephases:

•Phase1.Wedevelopedacollectionofprooftools(e.g.,anevaluator,aclausesplitter,arewriter)asACL2functions,andweusedACL2to“informally”provethesetoolsaresound.

•Phase2.WeusedthesetoolstobuildaProofp-styleproofofthesoundnessofProof2p.Thiseﬀortinvolves“translating”theACL2-styleproofsfromPhase1intoProofp-checkableobjects.

•Phase3.WecheckedtheproofsfromPhase2withoursmallcommandloopprogram.ThisprogramisindependentofACL2andcanruninmanyLispenvironments.

Phase1.WeﬁrstfocusedoncreatingthetoolsweexpectedtoneedtoproveProof2pandotherextensionsaresound.Forexample,wedevelopedanevaluatorandarewriterwhichcanbuildProofp-checkableproofstojus-tifytheirclaims.Wecouldhavewrittenthesetoolsinanylanguage,butdevelopingtheminACL2hadtwoimportantadvantages.

First,itgaveusastraightforwardwaytoturnourtoolsintoextensionsofProofp.ThiswouldnotbeimportantifourgoalwereonlytoverifyProof2p,butweeventuallywanttodevelopausefultheoremproverwhichincludesfacilitieslikeevaluationandrewriting.WritingourtoolsinACL2,whichisalmostthesameasourlogic,willmakeiteasytointroducethesefunctionsintooursystem.IfwehadinsteadimplementedthesetoolsasCprogramsorPerlscripts,itwouldnotbenearlysostraightforwardtoreusetheminthisway.

Second,usingACL2allowedusto“informally”proveourtoolsaresound.Havingtheseproofsavailableallowedus,inPhase2,tofocusonrecreatingratherthandiscoveringproofs.Toeasethistranslationandlessenthenumberoftoolsweneededtoimplement,wedevelopedourACL2proofswithoutusingthemoresophisticatedfeaturesofACL2,andrestrictedourselvestorewritingwithlemmas,execution,destructorelimination,andinduction.OurACL2proofstyleislibrary-centric:wefocusoncreatingcollectionsofruleswhich,together,cangreatlysimplifythetermsweencounterduringproofs.LikeBevier[Bev87]wekeepourfunctiondeﬁnitionsdisabled—thatis,thetheoremproveronlyattemptstousedeﬁnitionswhenitisexplicitlytoldtodoso.ButunlikeBevier,wekeepourrewriterulesenabledandfocusonmakingthemworkwelltogether.Sometimesweareabletopredictusefulrulesasweintroducenewfunctions,whileothertimesweonlyrealizeweneedanewruleafterseeingafailedproofattempt.Becauseofthisapproach,our

ACL2proofofthesoundnessclaimforProof2poccursonlyincidentallyasonelemmaamongthousandsofotherrewriterules.

Phase2.TotranslatethesoundnessclaimforProof2pintoaProofp-styleproof,wefocusonrecreatingtheselemmalibraries.Todothis,wedevelopedatactic-styleinterfacetoourprooftoolsfromPhase1.Thisinterfacecanbedriveninteractively:wecanposenewconjectures,thenperformrewritingwithlemmas,casesplitting,destructorelimination,andsoforth.Wealsodevelopedanautotactical,whichautomaticallytriesusingthesediﬀerentapproachestomakeprogress.Asweproveeachlemma,ourrewriterbecomesmoreusefulbecauseitnowhasanotherruletouse.Intheend,wewereabletoconstructtheProofp-counterpartsoftheallthelemmasleadinguptoandincludingthesoundnessclaimforProof2p.

Whengeneratingproofs,wemadeuseofBoyerandHunt’s[BH06]mem-oizationandhash-consingextensionofACL2,whichgreatlyincreasedourproof-buildingspeedandmemoryeﬃciency.Whenwesavedproofstodisk,weusedastructure-sharingrepresentationwhererepeatedtermscanbenamedandreferredtolater.

Sometimesourproofsgrewtoolargetodealwith.Typicallythiscouldbeaddressedbychoosingmorecarefulproofstrategies,e.g.,controllingwhendeﬁnitionsareexpandedtoavoidintroducingcaseexplosions,andbyintro-ducingintermediatelemmasasnecessary.Othertimes,ourproof-buildingtoolshadtobeimproved.Asthemostsevereexampleofthis,anearlydraftofourevaluationbuilderwaswrittenwithoutpayingattentiontoproofsizes,anditsproofofﬁb(2)=2wasover790millionconses;areviseddrafttookonly35,000consestobuildthesameproof.

Phase3.Finally,wecheckedthegeneratedproofstoensuretheywerevalid.WehaveimplementedasmallCommonLispprogramtorunourproofchecker.ThisprogramisisindependentfromACL2anddoesnotincludeanymemoizationcode.Itprocessesalistofinstructions,e.g.,“addthistheoremwhichisjustiﬁedbythisproof”and“admitthisfunctionwhoseterminationisguaranteedbythisproof.”Theproofsarecheckedinorder,onebyone.Ittook7.6hourstocheckallourlemmasusingOpenMCLastheLispenvironmentonourdevelopmentmachine(a2.2-GHzAMDOpteronsystemwith32GBofmemoryrunning64-bitLinux).Wethendouble-checkedtheproofsin4.1hoursusingCMUCLonadiﬀerentmachine(a2.13-GHzIntelCore2processorwith4GBofmemoryrunning32-bitLinux).Forourthesis,wealsoplantocheckourproofsusingadditionalplatformstominimizeanychancethatacomputererrorhasinappropriatelycausedsomeprooftobe

accepted.

Howbigistheproofofthesoundnessclaim?Includingallthelemmasleadinguptoandincludingoursoundnessclaim,wehaveover200deﬁnitionsand2,000rewriteruleswhoseproofstakenearly2GBofdiskspace.Theseproofsaregeneratedbyabout6,000linesofcodewhichdriveourtacticinterface,andthisbuildprocesstakesabout50minutestocompletewhenrunninginparallelonourdevelopmentmachine(whichhas8cores).AmoredetailedbreakdownisshowninFigure9.

DirectorySourcelinesUtilities3,086Logic2,750Build389Demo132Total6,357DefsRulesBuildtime

698478.6m1311,17939.4m281146.6m64220m2342,18251mProofsize488MB1.4GB36MB57MB1.9GBStatisticsasofSVNRevision401,Aug2007.Linecountexcludescommentsandblanklines.Rulecountexcludestrivialdeﬁnitionrules.Buildtimecomputedwithomake-j8onlhug-1.cs.utexas.eduusingACL23.2.1onOpenMCL;totaltimeisbetterthanthesumsinceaddedparallelismisavailablewhenbuildingmultipledirectories.

Figure9:Proofsizemetricsbydirectory

Whyissomuchworkneededforsuchatrivialextension?AsFigure9suggests,thevastmajorityofourproofeﬀortisnotrelatedtothisparticularextensionatall,butinsteadisspentlayingthegroundworkforreasoningaboutarithmetic,lists,maps,terms,formulas,substitution,andproofs(theutilitiesandlogicdirectories).

3.6Remainingwork

InSection2.6weproposeddevelopinganumberofextensions,manyofwhicharefarmorecomplicatedthanthecommutativityofor.ThemajorremainingchallengeistoshowtherestoftheseextensionsaresoundusingonlyProofpandalready-veriﬁedextensions.

WehavealreadyimplementedtheseextensionsinACL2,andhavecreatedACL2proofsshowingtheyaresound.Inotherwords,wehavecompletedPhase1fortheentireproject.WestillneedtotranslatetheseACL2proofsintotheproperProofp-checkable(orProof2p-checkable,etc.)form.Webelievethisshouldbepossible,asevidencedbyourabilitytoverifythe

commutativityoforextension.Thetoolswedevelopedtocompletethisveriﬁcation,andthethousandsoflemmaswehaveprovenandcannowreuse,shouldgiveusausefulstartingpointforthiswork.Asweprogress,proofsizeshouldbecomelessofanissue,sinceintroducingnewproofmethodswillallowhigher-levelproofstobemorecompact.Nevertheless,wewilllikelyneedtofurtherimproveourprooftools,andwemayalsoneedtodevelopsomenewtactics.

Wealsoneedtoaddresstheissueofevaluation.Wewillneedtosetupaneﬃcientevaluator(i.e.,acallofLisp’sevalfunction),fairlyearlyinthestackofextensionssothereﬂectivetransitionfromhigher-levelproofstoProofp-levelproofscanbedoneeﬀectively.Ideally,thiswouldbeourﬁrstextension,butproofsizeissuesmightforceustointroducesomeintermediateextensionsﬁrst.Ifthisprovesdiﬃcult,analternateapproachwouldbetouseProof2pandlaterproofcheckersdirectly,insteadofextendingProofpwithareﬂectionrule.

4.1

Relatedwork

Currenttheoremprovers

Thereareseveralgeneral-purposeproofsystemsavailable,includingtheBoyer-MooreproversACL2[KM97]andNQTHM[BKM95];higher-orderlogicproverssuchasHOL4[GCM+05],HOLLight[Har96],Isabelle/HOL[NPW02],andPVS[ORSSC98];andconstructivetypetheoryproverssuchasCoq[BC04]andNuprl[TPG95].

OurlogicisaslightvariantoftheACL2logic[KM98],whichistheleastexpressiveamongthesesystems.Theothersystemsprovidequantiﬁersandhigher-orderfunctions,andusetypesystemstoavoidlogicalparadoxes.ThelogicsofNuprlandCoqareintuitionistic,thoughthisdoesnotseemtohavemuchimpactonhardwareandsoftwareveriﬁcation.Despitetherestrictivenessofourlogic,manyformalveriﬁcationproblemscanstillbeexpressed.

IntheACL2system,proofsare“whateverthedefthmcommandaccepts.”Thisproofsearchisinﬂuencedbyadatabaseofimplicitrulesandalsobyexplicithints,andmayinvolverewriting,arithmeticreasoning,induction,BDDs,andothertechniques.TheseproofmethodsarehighlycomplexanddonotresembletherulesoftheACL2logic.Theprogramhasnotbeensub-24

jectedtoanyrigorous,formalanalysis,andsoundnessbugshaveoccasionallybeendiscoveredinoﬃcialreleases(seeFigure4.1).Proofattemptscreatehuman-readablelogswhichexplainatahighlevelwhattheproverisdoing,butthesearenotsuitableforcheckingbyotherprograms.

HOLsystemshaveamoreexplicitnotionofproof.TheoremsinHOLareobjectsoftypethmandrepresentsequentsΓ󰀏twhereΓisasetofassumptionsandtisaconclusion.Thethmtypeisabstract,sotheonlywaytoconstructathmistouseprimitive,built-infunctionscorrespondingtoHOL’srulesofinference.Forexample,HOL’sreﬂexivityruleis:

∅󰀏t=tThecorrespondingfunction,REFL,takesaterm-typedargumenttasinputandproducesthethmwithnoassumptionsandconclusiont=t.Asanotherexample,HOL’srulefordischargingassumptionsis:

Γ󰀏t2

Γ−{t1}󰀏t1→t2

Inotherwords,ift2followsfromΓ,thent1→t2followsafterweremovet1fromΓ.Thecorrespondingfunction,DISCH,takest1andathmoftheformΓ󰀏t2asinputs,andproducesthethm,Γ−{t1}󰀏t1→t2.

Ifthetypesystemisimplementedcorrectly,theonlywaytocreateathmobjectistoinvokefunctionslikeREFLandDISCH.Asaresult,anythm-typeobjectmusthavebeencreatedentirelybyfollowingtherulesofinference.Consequently,theintermediatestepsofaproofneednotbestored,althoughsometimesproofrecordingschemeshavebeenaddedtoHOLsystems[Won95,BN00,OS06]tofacilitateprooftranslationorexternaldouble-checking.ThePVSsystem[ORS92]alsousesanabstracttypetorepresenttheo-rems,butprovidesmorepowerfulprimitivesthanHOLsystems,particularlyHOLLight[Har96].Forexample,rewritingwithlemmasisaprimitiveruleinPVS.GriﬃoenandHuisman[GH98]regardedPVSfavorably,butweresomewhatcriticalonthispoint:“thesedecisionproceduressometimescausesoundnessproblems...PVSstillseemstocontainalotofbugsandfrequentlynewbugsshowup.”

CoqandNuprlhaveanother,well-deﬁnednotionofproof.Certaintypesarecalledpropositions.Wheneverthetypeofanobjectxisaproposition,wesayxitselfisaproofofthatproposition.Noabstracttypeisused;instead

ACL2Release

October,1998(Version2.3)August,1999(2.4)June,2000(2.5)

November,2001(2.6)November,2002(2.7)

SoundnessBugsFixed

SubversiverecursionsImmediateforcemode

MetafunctionswithhypothesesLineararithmeticEvaluationinproofsFunctionalinstantiationBDDsGuards

TautologycheckingACL2arrays

ProofcheckercommandsDeﬁningpackagesTrackingaxioms

Typeprescriptionsinequivalences

Redundancyandsingle-threadedobjectsPackagenames

TrackingprogrammodeMacroexpansionLineararithmetic

ProgrammodeindefconstMetaruleswithlocaleventsProgrammodeinlocalLocaltableeventsPackagewitnesses

ForcinginlineararithmeticRedundancyandmeasuresUnknown/hiddenpackagesMetarules

RedeﬁnitionandprogrammodeRawlispcodeintracing

March,2004(2.8)

October,2004(2.9)

August,2005(2.9.3)February,2006(2.9.4)June,2006(3.0)August,2006(3.0.1)December,2006(3.1)

April,2007(3.2)

Figure10:SomecorrectedACL2soundnessbugs

Source:ACL2releasenotes[KM07]

theproofrulesaredirectlyencodedintothetypesystemastypingrules.ThisistheCurry-Howardisomorphism:theproposition“PimpliesQ”canbeencodedasthearrowtypeoffunctionsfromPtoQ,i.e.,P→Q.

Likethethmapproach,thecorrectnessofthesesystemsdependsonarelativelysmallkernel.Thetypesystemneedstobecorrectlyimplemented,andthetypingrulesforpropositionsneedtocorrespondtothelogic.Sincewholeprooftermsarestored,thisispotentiallylessspace-eﬃcientthantheabstractthmtypeapproach.InCoq,thisissomewhatalleviatedbyacomplexnotionoftermequalitywhereinreducibly-equivalenttermsaresaidtobeequal.Forexample,Coqcanprove2+3=5withasingleuseofitsreﬂexivityrule.

Inmostsystems,proofsareconstructedwithfully-expansive,goal-directedscriptscalledtactics.Ifatacticattemptstobuildatheoremwithaninvalidinference,anerrorwillbecausedandtheproofattemptwillfail.Tacticscanoftenbecombinedintostrategiesortacticals,whichcanrespondtofailurebytryingothertactics,etc.Tacticsneednotbetrustedandcanbewrittenbytheuser(whereastrustedcodemustbewrittenbythetheoremprover’sauthors)sincealltheirworkwillbecheckedbythethmconstructors.Eventhoughoursystemdoesnotuseanabstractthmtype,wecanemulatetacticsbyhavingthemconstructproofsinsteadofthms,andcheckingtheseproofswithProofp.

TheACL2systemdoesnothaveanexplicitnotionofproof,anditsversionoftacticsandtacticals,proofcheckermacros,arerarelyused.Instead,thebuilt-inrewriteriscontrolledbyaddinglemmas.Indirectadviceabouthowtousetheselemmascanalsobeadded,makingtheapproachsomewhatﬂexibleandautomatic:theuserfocusesonsettinguprulesthatwillworkwelltogether,andthesystemappliesthisstrategytonewproblems.Whenthedefaultstrategyisinsuﬃcienttoproveatroublesomeconjecture,extrahintscanbegivenbytheuserorautomaticallysuggestedbyuser-developedheuristics(see,e.g.,[Dav04]).

Nothingpreventsatactic-basedsystemfromfollowingtheheuristicrewrit-ingapproach.Boulton[Bou92]hasimplementedtacticstoemulatesomeofNQTHM’sautomationinHOL,andlemma-basedsimpliﬁcationisavailableinmostprovers,e.g.,autorewriteinCoq,therewritepackageinNuprl,rewritetacinHOL4,andthesimptacticinIsabelle/HOL.Indeed,inoursystemwehaveprimarilyusedafewtacticsthatemulatesomeofACL2’sautomation.

4.2Embeddedproofcheckers

General-purposetheoremproversareexpressiveenoughthatnewproof-checkingprogramscanbeexpressedintheirlogics.Infact,thecurrentdraftofoursystemcanbeunderstoodasaproofcheckerwritteninsideACL2.Thishasbeendonemanytimesinvariousprojects.

Inasomewhatuniqueeﬀort,Shankar[Sha94]wroteaproofcheckerinNQTHMforShoenﬁeld’sﬁrst-orderlogicwithCohen’sZ2axiomsinordertoproveG¨odel’sincompletenesstheorem.Hisgoalwastomechanicallycheckclassicmetamathematicaltheorems,andhedidnotintendtoproduceanewtheoremproverforeverydayuse.HeusedNQTHMtointroduceextensionsliketautologychecking,butdidnottryto“bootstrap”theseproofsintoaformhisproofcheckercouldself-check.

Morecommonly,thisapproachhasbeenusedtostudypropertiesofsimpleproofcheckingprograms.Forexample:

•J.vonWright[vW94a,vW94b]wroteaproofcheckerforhigher-orderlogicinHOL.ThisinvolveddeﬁningaHOLspeciﬁcation,Isproof,whichdescribesthevalidproofs.Aprimitive,imperativeprogramminglanguagewasthendeﬁnedwithinHOL,andaproofcheckingprogramwaswritteninthislanguage.HOLwasusedtoshowtheimperativeprogramimplementedthehigh-levelIsproofspeciﬁcation.

•RidgeandMargetson[RM05]wroteaﬁrstordertheoremproverasdef-initionsinIsabelle/HOLand,usingIsabelle/HOL,provedtheprogramtobesoundandcomplete.Theprogramdoessomeproofsearch,buttheymentionitsperformanceisnotcompetitivewithtypicalresolutionprovers.

•Harrison[Har06]hasmimickedtheimplementationofHOLLight,anOCamlprogram,asaHOLLightspeciﬁcation.Byassuminganaddi-tionalaxiomaboutsets,hecanshowtheencodedHOLsystemiscon-sistent.Withouttheaxiom,hecanshowtheencodedsystemexceptfortheaxiomofinﬁnityisconsistent.Theseresultsindicate“somethingclosetotheactualimplementationofHOL”issound.

Ineachoftheseeﬀorts,anexistingproveristrustedandisusedtoprovepropertiesaboutanewproofcheckingcore.Ourprojectiscomplementary:

wearewillingtotrustoursmallcore,andourinterestisintheveriﬁca-tionofnew,extendedproofmethods.Wedonotproposetoinvestigatethesoundnessofourcoremechanically.

4.3Independentproofchecking

Therehavealsobeensomeprojectswhereonesystemisusedtochecktheworkofanother.ThisideaissomewhatlikeBoulton’ssuggestion[Bou93]ofseparatingproofsearchfromproofconstructioninHOL,butmayalsobeusefulfor“porting”resultsobtainedinonesystemtoanother.Afewsuchprojectsinclude:

•McCuneandShumsky[MS00]havewrittenACL2functionstocheckproofobjectsemittedbyOtter,aresolutionprover,forvalidity.ThemajorityoftheproofsearchcanbeoﬄoadedontoOtter,andtheACL2programonlychecksthatOtterdidnotmakeamistake.Noattemptismadetoverifytheresolutionprover,whichisanoptimizedCprogram,butsincetheACL2programcheckstheprooftranscript,ACL2canbeusedtoshowthecombinedsystemissound.

•CaldwellandCowles[CC02]describepreliminaryworkonindepen-dentlycheckingNuprlproofswithaprogramwritteninACL2.Astheyemphasize,“wearenotmakingclaimsaboutthecorrectnessofNuprlitself,”whichwasseenasimpracticallyhard:Nuprl’simplemen-tationapparentlyinvolvesa60,000-lineLispcoreanda40,000-lineMLinterface,with167rulesofinferencewhicharesometimescomplicated,e.g.,thearithrule.Theprojectisapparentlystillintheearlystages.•ObuaandSkalberg[OS06]haveextendedHOLLightwithaproofrecorderthattrackscallstotheproofconstructors.Acomplexstructure-sharingschemeisusedinordertocombatthesizeofproofobjects,andmanyproofscanbereadintoIsabelle/HOLandcheckedindependentlyfromHOLLight.Theauthorsspeculatethatadding“higherinfer-encerules,”suchasrewriting,mighthelptomaketheemittedproofssmaller,buthavenotapparentlytriedtoimplementsuchascheme.Ourprojecttakesadiﬀerentapproach.Ratherthancheckingsomeun-veriﬁedproofmethoddidnotmakeamistakeafteritseveryuse,wewanttoverifyproofmethodssoweneednotchecktheirwork.

4.4Metareasoning

Oursystemwillhaveanintegratedproofcheckerdeﬁnedinitsownlogicsowecandirectlyreasonaboutprovability.Thisallowsustoshownewprooftechniquesaresoundandcanbetrusted.

Evenwithoutanintegratedproofchecker,othertheoremprovershavesomesupportformetareasoning.Mostofthisworkfollows,withminordiﬀerences,themetafunctionapproach[BM81],whichinvolvesﬁvesteps:1.Anencodingfortherelevanttermsisintroduced,

2.Asemanticfunction,meaning(term,env),isintroducedtoevaluateanencodedtermwithrespecttosomeassignmentofvariables,3.A“metafunction”,fn(term),isintroducedtosimplifyencodedterms,4.Theuserprovesmeaning(fn(term),env)=meaning(term,env),forallwell-formedencodedtermsandforallenvironments,todemonstratefncanbetrusted,and5.Someevaluationmechanismallowsfntobeusedtosimplifyencodedtermsinproofs.InACL2,astandardencoding(quoting)canbeused,andmeaningfunc-tionsforaﬁxedsetofconceptscanbeintroducedusingthedefevaluatorfacility.Ametafunction,fn,isaregularACL2program,writtenasarecur-sivefunctionthatmanipulatesencodedterms.Abuilt-inmechanismallowsthesystemtobeginusingametafunctionafterthesoundnesstheoremisproven.

MetafunctionscanbeausefultoolforadvancedACL2users,buttheyhavelimitations.Theyaresubservienttotherewriterandcannotkeepstatebetweeninvocations,i.e.,forbuildingupdatabasesoffacts[SNG+04].Also,sincetheACL2simpliﬁerisnotafunctionintheACL2logic,metafunctionscanonlycalluponitheuristically[HKK+05].Thatis,evenifACL2canrewritetermtoterm’,wecannotassumeterm=term󰀁whenwetrytoprovethesoundnesstheorem.

ACL2’sproofsearchiscontrolledbyalargeamountofunveriﬁedcode,anditisdiﬃculttoimagine“lifting”anysubstantialpartofthisintometa-functions.Manyfeatures,suchaslineararithmetic,aredeeplyintegratedintotherewriter[BM88],keepstateacrossinvocations,ordonotﬁtintothe

metafunctionparadigmofreplacingonetermwithanequalone(e.g.,gen-eralization).Wewouldalsofaceabootstrappingproblem:evenifwecouldcleanlyextractaprooftechniqueliketypereasoningintoametafunction,couldweprovethesoundnesstheoremwithoutusingtypereasoning?Wedonotseemuchhopeofmovinginthisdirection.

MetatheoreticextensibilityisachallengeforHOLsystems,wheretoaddanewproofprocedure“wemustsomehowripopenanabstracttype,tinkerwithittoaddanewconstructor,andthencloseitupagain.”[Har95]

Slind[Sli92]proposedaschemeforallowingmkthm,an“arbitrary”thmconstructorthatdoesnotcorrespondtoanyruleofinference,tobeusedunderrestrictedcircumstances.First,thesemanticsofMLwouldbefor-malizedinHOL,aswouldtheHOLimplementation.Then,mkthmtistobepermittedonlyifwecanprovethereissomefunctionfthatproducesausual,fully-expansiveHOLproofoft.Thisideawasneverimplemented.3

MorerecentlyChaiebandNipkow[CN05]havewrittenandveriﬁedaquantiﬁer-eliminationprocedureforPresburgerarithmeticinIsabelle/HOL.TheyencodePresburgerformulaswithanewtype,anddeﬁnetheirownmeaningfunctiontomapencodedformulasintoBooleans(theformulasofHOL).Ametafunction-likeeliminationprocedureisimplementedinasubsetofHOLwhichcanbecompiledtoMLusingaHOLcompiler[BN02].Finally,anew,experimentalruleofinferenceisaddedtothesystemsoexecutionsoftheMLprogramareallowedtobetreatedasproofsofequality.Thissystemisapparently200timesfasterforsolvingPresburgerformulasthananequivalent,tactic-basedsolution.ThistechniqueavoidstheburdenofformalizinganMLsystemandaHOLimplementationasSlindproposed,butthecodeforconstructingthmobjectsremainsseparatedfromthelogic,andasaresultwestillcannotreasonaboutthmconstructionandtheprovabilityofformulas.

MetafunctionsarealsosupportedinCoq.Gr´egoireandMahboubi[GM05]haveintroducedaprocedureforreasoningaboutequalitybetweenpolyno-mialsincommutativerings.Theydeﬁneanewtypetorepresentencodedpolynomialsoveraringandprovideameaningfunctionasabove.Theyshowametafunction-likecanonicalizationroutinepreservesthemeaningofencodedterms,andtheirprocedurecanthenbeusedinproofsviaCoq’sevaluation/reductionfacilities.AsinChaiebandNipkow’swork,nomethodisavailableforreasoningabouttherulesofinferenceandprovabilityoffor-3

CorrespondencewithKonradSlind,August2006.

mulasingeneral.

WearenotawareofanysupportformetareasoninginPVS.

KnoblockandConstable[KC86]proposedtwostrategiesforaddingmetar-easoningtoNuprl.Oneapproachinvolvedahierarchyoflanguages,whereeachPRLn+1wouldincludeanencodingofthePRLnproofs.Intheother,astackoflanguageswouldnotbeneeded,andinsteadpartofPRL1wouldbedirectlyencodedintoPRL0.Theseideaswereneverimplemented.4

CorrespondancewithRobertConstable,August2006.

References

[Avi95]

[Bar01][BC04]

[Bev87][BH06]

[BKM95]

[BKM96]

[BM81]

[BM88]

AlgirdasA.Avi˘zienis.Themethodologyofn–versionprogramming.InM.R.Lyu,editor,SoftwareFaultTolerance,pages23–46.Wiley,1995.

EliBarzilay.QuotationandreﬂectioninNuprlandScheme.TechnicalReport2001-1832,CornellUniversity,2001.YvesBertotandPierreCast´eran.InteractiveTheoremProvingandProgramDevelopment:Coq’Art:TheCalculusofInductiveConstructions.TextsinTheoreticalComputerScience.Springer-Verlag,2004.

WilliamR.Bevier.AVeriﬁedOperatingSystemKernel.PhDthesis,UniversityofTexasatAustin,December1987.RobertS.BoyerandWarrenA.Hunt,Jr.Function

memoizationanduniqueobjectrepresentationforACL2functions.InACL2’06,August2006.

RobertS.Boyer,MattKaufmann,andJStrotherMoore.TheBoyer-Mooretheoremproveranditsinteractiveenhancement.ComputersandMathematicswithApplications,29(2):27–62,1995.

BishopBrock,MattKaufmann,andJMoore.ACL2

theoremsaboutcommercialmicroprocessors.InM.SrivasandA.Camilleri,editors,FormalMethodsin

Computer-AidedDesign(FMCAD’96),volume1166ofLNCS,pages275–293.Springer-Verlag,1996.

R.S.BoyerandJStrotherMoore.Metafunctions:provingthemcorrectandusingthemeﬃcientlyasnewproof

proceedures.InR.S.BoyerandJStrotherMoore,editors,TheCorrectnessProbleminComputerScience,pages103–184.AcademicPress,1981.

R.S.BoyerandJS.Moore.Integratingdecisionproceduresintoheuristictheoremprovers:Acasestudyoflinear

[BM96]

[BN00]

[BN02]

[Bou92]

[Bou93]

[BT00]

[CC02]

[CN05]

arithmetic.InMachineIntelligence11,pages83–124.OxfordUniversityPress,1988.

BobBoyerandJMoore.Mechanizedformalreasoningaboutprogramsandcomputingmachines.InR.Veroﬀ,editor,AutomatedReasoninganditsApplications,EssaysinHonorofLarryWos.MITPress,1996.

StefanBerghoferandTobiasNipkow.Prooftermsforsimplytypedhigherorderlogic.InJ.HarrisonandM.Aagaard,editors,TheoremProvinginHigherOrderLogics(TPHOLS’00),volume1869ofLNCS,pages38–52.Springer-Verlag,2000.

StefanBerghoferandTobiasNipkow.Executinghigherorderlogic.InTypesforProofsandPrograms(Types’00),volume2277ofLNCS,pages24–40.Springer-Verlag,2002.RichardJ.Boulton.Boyer-MooreautomationfortheHOLsystem.InL.J.M.ClaesenandM.J.C.Gordon,editors,HigherOrderLogicTheoremProvinganditsApplications(TPHOLS’92),volumeA-20ofIFIPTransactions,pages133–142.ElsevierSciencePublisher,September1992.RichardJohnBoulton.EﬃciencyinaFully-ExpansiveTheoremProver.PhDthesis,UniversityofCambridge,December1993.

PiergiorgioBertoliandPaoloTraverso.Designveriﬁcationofasafety-criticalembeddedveriﬁer.InComputer-AidedReasoning:ACL2CaseStudies,chapter14.KluwerAcademicPublishers,2000.

JamesL.CaldwellandJohnCowles.RepresentingNuprlproofobjectsinACL2:TowardaproofcheckerforNuprl.InDominiqueBorrione,MattKaufmann,andJMoore,editors,ACL2’02,April2002.

AmineChaiebandTobiasNipkow.VerifyingandreﬂectingquantiﬁereliminationforPresburgerarithmetic.InLogic

[Dav04]

[Dij82]

[DLP77]

[Fef86][Fet88]

[GCM+05]

[GH98]

[GM05]

Programming,ArtiﬁcialIntelligence,andReasoning(LPAR’05),volume3835ofLNCS,pages367–380.Springer-Verlag,2005.

JaredDavis.Finitesettheorybasedonfullyorderedlists.InMattKaufmannandJMoore,editors,ACL2’04,November2004.

EdsgerW.Dijkstra.OnthefactthattheAtlanticOceanhastwosides.InSelectedwritingsoncomputing:apersonalperspective,pages268–176.Springer-Verlag,1982.RichardA.DeMillo,RichardJ.Lipton,andAlanJ.Perlis.Socialprocessesandproofsoftheoremsandprograms.InPrinciplesofProgrammingLanguages(POPL’77),pages206–214.ACMPress,1977.

SolomonFeferman,editor.KurtG¨odel:CollectedWorks,volume1.OxfordUniversityPress,1986.

JamesH.Fetzer.Programveriﬁcation:Theveryidea.CommunicationsoftheACM,31(9):1048–1063,September1988.

MikeGordon,AvraCohn,TomMelham,KonradSlind,MichaelNorrish,andetal.TheHOLsystem:Tutorial,September2005.ForHOLKananaskis-3.

DavidGriﬃoenandMariekeHuisman.AcomparisonofPVSandIsabelle/HOL.InJimGundyandMalcomNewey,editors,TheoremProvinginHigherOrderLogics(TPHOLS’98),volume1479ofLNCS,pages123–142.Springer-Verlag,September1998.

BenjaminGr´egoireandAssiaMahboubi.ProvingequalitiesinacommutativeringdonerightinCoq.InJ.HurdandT.Melham,editors,TheoremProvinginHigherOrder

Logics(TPHOLS’05),volume3603ofLNCS,pages98–113.Springer-Verlag,2005.

[G¨od31]

[Goe00]

[GWH00]

[Har95]

[Har96]

[Har06]

[HKK+05]

[Hoa69]

KurtG¨odel.Uber¨formalunentscheidbares¨atzeder

PrincipiaMathematicaundverwandtersystemeI.Monatsheftef¨urmathematikundphysik,38:173–198,1931.Englishtranslationin[Fef86],pages145–195:OnformallyundecidablepropositionsofPrincipiaMathematicaandrelatedsystemsI.

WolfgangGoerigk.Compilerveriﬁcationrevisited.InComputer-AidedReasoning:ACL2CaseStudies,chapter15.KluwerAcademicPublishers,2000.DavidGreve,MatthewWilding,andDavidHardin.High-speed,analyzablesimulators.InComputer-AidedReasoning:ACL2CaseStudies,chapter8.KluwerAcademicPublishers,2000.

JohnHarrison.Metatheoryandreﬂectionintheorem

proving:Asurveyandcritique.TechnicalReportCRC-053,SRICambridge,MillersYard,Cambridge,UK,1995.JohnHarrison.HOLlight:Atutorialintroduction.InM.SrivasandA.Camilleri,editors,FormalMethodsinComputer-AidedDesign(FMCAD’96),volume1166ofLNCS,pages265–269.Springer-Verlag,1996.

JohnHarrison.Towardsself-veriﬁcationofhollight.InUlrichFurbachandNatarajanShankar,editors,

InternationalJointConferenceonAutomatedReasoning(IJCAR’06),volume4130ofLNAI,pages177–191.Springer-Verlag,August2006.

WarrenA.Hunt,Jr.,MattKaufmann,RobertBellarmineKrug,JMoore,andEricWhitmanSmith.MetareasoninginACL2.InJ.HurdandT.Melham,editors,TheoremProvinginHigherOrderLogics(TPHOLS’05),volume3603ofLNCS,pages163–178.Springer-Verlag,2005.C.A.R.Hoare.Anaxiomaticbasisforcomputerprogramming.CommunicationsoftheACM,12(10):576–583,October1969.

[How88]

[HR05]

[HR06]

[Hun00]

[KC86]

[KM94][KM97]

[KM98][KM07]

DouglasJ.Howe.ComputationalmetatheoryinNuprl.InE.LuskandR.Overbeek,editors,Conferenceon

AutomatedDeduction(CADE’88),LNCS,pages238–257.Springer-Verlag,March1988.

WarrenA.Hunt,Jr.andErikReeber.FormalizationoftheDE2language.InCorrectHardwareDesignandVeriﬁcationMethods(CHARME’05),volume3725ofLNCS,pages20–34.Springer-Verlag,2005.

WarrenA.Hunt,Jr.andErikReeber.ApplicationsoftheDE2language.InMarySheeranandTomMelham,editors,DesigningCorrectCircuits(DCC’06).ETAPS’06,March2006.

WarrenHunt,Jr.TheDElanguage.InComputer-AidedReasoning:ACL2CaseStudies,chapter10.KluwerAcademicPublishers,2000.

ToddB.KnoblockandRobertL.Constable.Formalizedmetareasoningintypetheory.InLogicinComputerScience(LICS’86),pages237–248.IEEEComputerSociety,June1986.

MattKaufmannandJMoore.DesigngoalsofACL2.TechnicalReport101,ComputationalLogic,Inc.,1994.MattKaufmannandJStrotherMoore.Anindustrial

strengththeoremproverforalogicbasedonCommonLisp.IEEETransactionsonSoftwareEngineering,23(4):203–213,April1997.

MattKaufmannandJStrotherMoore.AprecisedescriptionoftheACL2logic,April1998.

MattKaufmannandJMoore.TheACL2user’smanual,2007.Version3.2.Availableonline:

http://www.cs.utexas.edu/users/moore/acl2/v3-2/acl2-doc-index.html.

[KMM00]

[LM03]

[LM04]

[LP99]

[Mac01][McC60]

[Moo98]

[MS00]

[MV06]

MattKaufmann,PanagiotisManolios,andJStrother

Moore.Computer-AidedReasoning:AnApproach.KluwerAcademicPublishers,June2000.

HanbingLiuandJStrotherMoore.ExecutableJVMmodelforanalyticalreasoning:Astudy.InInterpreters,VirtualMachinesandEmulators(IVME’03),pages15–23,2003.HanbingLiuandJStrotherMoore.JavaprogramveriﬁcationviaaJVMdeepembeddinginACL2.InKonradSlind,AnnetteBunker,andGanesh

Gopalakrishnan,editors,TheoremProvinginHigherOrderLogics(TPHOLS’04),pages184–200,2004.

LeslieLamportandLawrenceC.Paulson.Shouldyourspeciﬁcationlanguagebetyped?ACMTransactionsonProgrammingLanguagesandSystems(TOPLAS’99),21(3):502–526,May1999.

DonaldMacKenzie.MechanizingProof:Computing,Risk,andTrust.TheMITPress,October2001.

JohnMcCarthy.Recursivefunctionsofsymbolic

expressionsandtheircomputationbymachine,part1.CommunicationsoftheACM,3(4):184–195,April1960.JMoore.Symbolicsimulation:AnACL2approach.In

G.GopalakrishnanandP.Windley,editors,FormalMethodsinComputer-AidedDesign(FMCAD’98),volume1522ofLNCS,pages334–350.Springer-Verlag,November1998.WilliamMcCuneandOlgaShumsky.Ivy:Apreprocessorandproofcheckerforﬁrst-orderlogic.InComputer-AidedReasoning:ACL2CaseStudies,chapter16.KluwerAcademicPublishers,2000.

PanagiotisManoliosandDaronVroon.Ordinalarithmetic:Algorithmsandmechanization.JournalofAutomatedReasoning,pages1–37,2006.

[MZ05]

[NPW02]

[ORS92]

[ORSSC98]

[OS06]

[RF00]

[RM05]

JStrotherMooreandQiangZhang.Proofpearl:Dijkstra’sshortestpathalgorithmveriﬁedwithACL2.InJ.HurdandT.Melham,editors,TheoremProvinginHigherOrderLogics(TPHOLS’05),volume3603ofLNCS,pages373–384.Springer-Verlag,2005.

TobiasNipkow,LawrenceC.Paulson,andMarkusWenzel.Isabelle/HOL—AProofAssistantforHigher-OrderLogic,volume2283ofLNCS.Springer,2002.

S.Owre,J.M.Rushby,andN.Shankar.PVS:Aprototypeveriﬁcationsystem.InDeepakKapur,editor,ConferenceonAutomatedDeduction(CADE),volume607ofLectureNotesinArtiﬁcialIntelligence,pages748–752.Springer-Verlag,June1992.

S.Owre,J.M.Rushby,N.Shankar,andD.W.J.

Stringer-Calvert.PVS:Anexperiencereport.InDieterHutter,WernerStephan,PaoloTraverso,andMarkusUllman,editors,AppliedFormalMethods–FM-Trends98,volume1641ofLNCS,pages338–345.Springer-Verlag,October1998.

StevenObuaandSebastianSkalberg.ImportingHOLintoIsabelle/HOL.InUlrichFurbachandNatarajanShankar,editors,InternationalJointConferenceonAutomatedReasoning(IJCAR’06),volume4130ofLNAI,pages298–302.Springer-Verlag,August2006.

DavidM.RussinoﬀandArthurFlatau.RTLveriﬁcation:Aﬂoating-pointmultiplier.InComputer-AidedReasoning:ACL2CaseStudies,chapter13.KluwerAcademicPublishers,2000.

TomRidgeandJamesMargetson.Amechanicallyveriﬁed,soundandcompletetheoremproverforﬁrstorderlogic.InJ.HurdandT.Melham,editors,TheoremProvingin

HigherOrderLogics(TPHOLS’05),volume3603ofLNCS,pages294–309.Springer-Verlag,2005.

[RMT03]

SandipRay,JohnMatthews,andMarkTuttle.CertifyingcompositionalmodelcheckingalgorithmsinACL2.InACL2’03,July2003.

[RRAHMM04]J.-L.Ruiz-Reina,J.-A.Alonso,M.-J.Hidalgo,andF.-J.

[Rus98]

[Saw00]

[Sha94][Sho67][Sli92]

[SNG+04]

[TB03]

Mart´ın-Mateos.Aformallyveriﬁedquadraticuniﬁcationalgorithm.InMattKaufmannandJMoore,editors,ACL2’04,November2004.DavidM.Russinoﬀ.AmechanicallycheckedproofofIEEEcomplianceofaregister-transfer-levelspeciﬁcationoftheAMD-K7ﬂoating-pointmultiplication,division,andsquarerootinstructions.LMSJournalofComputationandMathematics,1:147–200,December1998.

JunSawada.Veriﬁcationofasimplepipelinedmachinemodel.InComputer-AidedReasoning:ACL2CaseStudies,chapter9.KluwerAcademicPublishers,2000.N.Shankar.Metamathematics,Machines,andG¨odel’sProof.CambridgeUniversityPress,1994.

JosephR.Shoenﬁeld.MathematicalLogic.TheAssociationforSymbolicLogic,1967.

KonradSlind.AddingnewrulestoanLCF-stylelogicimplementation:Preliminaryreport.InL.J.M.ClaesanandM.J.C.Gordon,editors,HigherOrderLogicTheoremProvinganditsApplications(TPHOLS’92),volumeA-20ofIFIPTransactions.ElsevierSciencePublisher,September1992.

EricSmith,SeritaNelesen,DavidGreve,MatthewWilding,andRaymondRichards.AnACL2libraryforbags.InMattKaufmannandJMoore,editors,ACL2’04,November2004.DianaTomaandDominiqueBorrione.SHAformalization.InACL2’03,July2003.

[TPG95]

[vW94a][vW94b]

[Won95]

CornellUniversityThePRLGroup.Implementing

mathematicswiththeNuprlproofdevelopmentsystem,October1995.

J.vonWright.Theformalveriﬁcationofaproofchecker,1994.SRIInternalReport.

J.vonWright.Representinghigher-orderlogicproofsinHOL.InThomasF.MelhamandJuanitoCamilleri,editors,HigherOrderLogicTheoremProvingandItsApplications(TPHOLS’94),volume859ofLNCS.Springer-Verlag,September1994.

WaiWong.RecordingandcheckingHOLproofs.InE.ThomasSchubert,PhillipJ.Windley,andJim

Alves-Foss,editors,HigherOrderLogicTheoremProvinganditsApplications(TPHOLS’95),volume971ofLNCS,pages353–368.Springer-Verlag,September1995.

因篇幅问题不能全部显示，请点此查看更多更全内容

查看全文