This thesis is primarily about the design of formal programming environments for building large software systems. This work articulates two principles and uses them to guide the design, implementation, and study of a specific formal programming environment. First, design methods for large software systems will include multiple languages, methodologies, and refinement techniques that are suited to problem subdomains. This means that any formal system must provide the ability to define multiple logics, and it is by definition a logical framework. Second, the framework must provide the ability to express formal relations between logical theories to address the problem of system decomposition. This thesis also presents the the MetaPRL formal system. MetaPRL was built to provide a modular, abstract logical framework where multiple designs can be expressed and related. The MetaPRL design builds on our experience with logical frameworks and with structured programming concepts like inheritance and re-use to provide an efficient, highly abstract, logical machine. The contribution includes several parts. • The development of an untyped meta-logic using explicit substitution. • The definition of a very-dependent function type in the Nuprl type theory. • A system architecture for generic multi-logical development. • A generic refiner that provides automation and enforcement for the multiple logical theories in logical environment. • A module system for logics and theories. • A generic distributed interactive theorem prover. BIOGRAPHICAL SKETCH Jason Jonathan Hickey was born in 1963 in a small town called Delano in the heart of California’s central San Jaoquin valley. Jason’s early experiences included the fulfillment of various agricultural obligations with

Introduction Many researchers who study the theoretical aspects of inference systems believe that if inference rule A is complete and more restrictive than inference rule B, then the use of A will lead more quickly to proofs than will the use of B. The literature contains statements of the sort "our rule is complete and it heavily prunes the search space; therefore it is efficient". 2 These positions are highly questionable and indicate that the authors have little or no experience with the practical use of automated inference systems. Restrictive rules (1) can block short, easy-to-find proofs, (2) can block proofs involving simple clauses, the type of clause on which many practical searches focus, (3) can require weakening of redundancy control such as subsumption and demodulation, and (4) can require the use of complex checks in deciding whether such rules should be applied. The only way to determ

This paper presents a taxonomy of parallel theorem-proving methods based on the control of search (e.g., master-slaves versus peer processes), the granularity of parallelism (e.g., fine, medium and coarse grain) and the nature of the method (e.g., ordering-based versus subgoalreduction) . We analyze how the di#erent approaches to parallelization a#ect the control of search: while fine and medium-grain methods, as well as master-slaves methods, generally do not modify the sequential search plan, parallel-search methods may combine sequential search plans (multi-search) or extend the search plan with the capability of subdividing the search space (distributed search). Precisely because the search plan is modified, the latter methods may produce radically di#erent searches than their sequential base, as exemplified by the first distributed proof of the Robbins theorem generated by the Modified Clause-Di#usion prover Peers-mcd. An overview of the state of the field and directions...

Proof reconstruction is the operation of extracting the computed proof from the trace of a theorem-proving run. We study the problem of proof reconstruction in distributed theorem proving: because of the distributed nature of the derivation and especially because of deletions of clauses by contraction, it may happen that a deductive process generates the empty clause, but does not have all the necessary information to reconstruct the proof. We analyze this problem and we present a method for distributed theorem proving, called Modified Clause-Diffusion, which guarantees that the deductive process that generates the empty clause will be able to reconstruct the distributed proof. This result is obtained without imposing a centralized control on the deductive processes or resorting to a round of post-processing with ad hoc communication. We prove that Modified Clause-Diffusion is fair (hence complete) and guarantees proof reconstruction. First we define a set of conditions, next we prove that they are sufficient for proof reconstruction, then we show that Modified Clause-Diffusion satisfies them. Fairness is proved in the same way, which has the advantage that the sufficient conditions provide a treatment of the problem relevant for distributed theorem proving in general. 1.

Higher-order logics are expressive tools for tasks ranging from formalizing the foundations of mathematics to large-scale software verification and synthesis. Because of their complexity, proofs in higher-order logics often use a combination of interactive proving together with computationally-intensive tactic applications that perform proof automation. As problems and proof automation become more sophisticated, these proofs represent substantial investments -- each interactive step may represent several hours of design time. We present an implementation of a distributed proving architecture to address the problems of speed, availability, and reliability in tactic provers. This architecture is implemented as a module in the MetaPRL logical framework. The implementation supports arbitrary process joins and allbut-one process failures at any time during a proof. Proof distribution is completely transparent; the existing tactic base is unmodified.

. The Distributed Larch Prover, DLP, is a distributed and parallel version of LP, an interactive prover. DLP helps users find proofs by creating and managing many proof attempts that run in parallel. Parallel attempts may cooperate by working on different subgoals, and they may compete by using different inference methods to prove the same goal. DLP runs on a network of workstations. 1 Introduction The Distributed Larch Prover, DLP, is an experiment in parallelizing LP, the Larch Prover. LP is an interactive, rewrite-rule based reasoning system for proving formulas in first-order, multi-sorted logic by first-order reasoning and induction [4]. DLP runs on a network of workstations. DLP uses a novel approach for exploiting parallelism. The user of DLP is encouraged to launch many parallel attempts to prove conjectures. Some attempts compete by using different inference methods, such as proof-by-cases and proofby -induction, to try to prove the same goal, while other attempts cooperate...

We introduce the distributed theorem prover Peers-mcd for networks of workstations. Peers-mcd is the parallelization of the Argonne prover EQP, according to our Clause-Diffusion methodology for distributed deduction. The new features of Peers-mcd include the AGO (Ancestor-Graph Oriented) heuristic criteria for subdividing the search space among parallel processes. We report the performance of Peers-mcd on several experiments, including problems which require days of sequential computation. In these experiments Peersmcd achieves considerable, sometime super-linear, speed-up over EQP. We analyze these results by examining several statistics produced by the provers. The analysis shows that the AGO criteria partitions the search space effectively, enabling Peers-mcd to achieve super-linear speed-up by parallel search. 1 Introduction Distributed deduction is concerned with the problem of proving difficult theorems by distributing the work among networked computers. The motivation is to st...

A new paradigm for parallel interactive theorem proving is advocated using DLP, a distributed and parallel version of LP, the Larch Prover. The rewriterule based parallel prover runs on a network of workstations. The amount and nature of parallelism are under explicit user control, unlike other parallel theorem provers in which parallelism is hidden from the user. The main objective is to exploit parallelism for enhancing user productivity in finding proofs of conjectures by induction and other first-order inference methods. The user is encouraged to try different combinations of high-level inference steps automatically and in parallel, leading to multiple proof attempts. While some parallel attempts compete, others cooperate by doing subparts of a problem. When no attempt leads to a proof, the user gets a global view of all attempts on the conjecture with the theorem prover generating useful feedback. A parallel interface provides mechanisms for managing multiple proof attempts. The...

We overview the development of first-order automated reasoning systems starting from their early years. Based on the analysis of current and potential applications of such systems, we also try to predict new trends in first-order automated reasoning. Our presentation will be centered around two main motives: efficiency and usefulness for existing and future potential applications. This paper expresses the views of the author on past, present, and future of theorem proving in first-order logic gained during ten years of working on the development, implementation, and applications of the theorem prover Vampire, see [Riazanov and Voronkov, 2002a]. It reflects our recent experience with applications of Vampire in verification, proof assistants, theorem proving, and semantic Web, as well as the analysis of future potential applications. 1 Theorem Proving in First-Order Logic The idea of automatic theorem proving has a long history both in mathematics and computer science. For a long time, it was believed by many that hard theorems in mathematics can be proved in a completely automatic way, using the ability of computers to perform fast combinatorial calculations. The very first experiments in automated theorem proving have shown that the purely combinatorial methods of proving firstorder theorems are too week even for proving theorems regarded as relatively easy by mathematicians. Provability in first-order logic is a very hard combinatorial problem. First-order logic is undecidable, which means that there is no terminating procedure checking provability of formulas. There are decidable classes of first-order formulas but formulas of these classes do not often arise in applications. Due to undecidability, very short formulas may turn out to be extremely complex, while very long ones rather easy. Sometimes first-order provers find proofs consisting of several thousand steps in a few seconds, but sometimes it takes hours to find a ten-step proof. The theory of first-order reasoning is centered around the completeness theorems while in practice completeness is often not an issue due to the intrinsic * Partially supported by a grant from EPSRC.

This thesis is primarily about the design of formal programming environments for building large software systems. This work articulates two principles and uses them to guide the design, implementation, and study of a specific formal programming environment. First, design methods for large software systems will include multiple languages, methodologies, and refinement techniques that are suited to problem subdomains. This means that any formal system must provide the ability to define multiple logics, and it is by definition a logical framework. Second, the framework must provide the ability to express formal relations between logical theories to address the problem of system decomposition. This thesis also presents the the MetaPRL formal system. MetaPRL was built to provide a modular, abstract logical framework where multiple designs can be expressed and related. The MetaPRL design builds on our experience with logical frameworks and with structured programming concepts like inheritance and re-use to provide an efficient, highly abstract, logical machine. The contribution includes several parts. • The development of an untyped meta-logic using explicit substitution. • The definition of a very-dependent function type in the Nuprl type theory. • A system architecture for generic multi-logical development. • A generic refiner that provides automation and enforcement for the multiple logical theories in logical environment. • A module system for logics and theories. • A generic distributed interactive theorem prover.