The thesis describes the production of a large prototype proof system for Z, and a tactic language in which the proof tactics used in a wide range of systems (including the system described here) can be discussed. The details of the construction of the tool---using the W logic for Z, and implemented in 2OBJ---are presented, along with an account of some of the proof tactics which enable W to be applied to typical proofs in Z. A case study gives examples of such proofs. Special attention is paid to soundness concerns, since it is considerably easier to check that a program such as this one produces sound proofs, than to check that each of the impenetrable proofs which it creates is indeed sound. As the first such encoding of W, this helped to find bugs in the published presentations of W, and to demonstrate that W makes proof in Z tractable. The second part of the thesis presents a tactic language, with a formal semantics (independent of any particular tool) and a set of rules for reasoning about tactics written in this language. A small set of these rules is shown to be complete for the finite (nonrecursive)

Many proof tools use `tactic languages' as programs to direct their proofs. We present a simplified idealised tactic language, and describe its denotational semantics. The language has many applications outside theorem-proveo activ5QbG) The semantics is parametrised by a monad (plus additional structure). By instantiating this inv arious ways, the core semantics of a number of di#erent tactic languages is obtained. 1 Int roduct45 The notiB of a tactic as a program usedi the constructifi of a (machic[ assi46fi8 formal proof has become quie wie[S---#fifi[ Tacti# orifi---#z[ i the work of Gordon et al [GMW79] onEdi burgh LCF. The extent to whi h other`tacti4 based' systems istems[ t essentien[ the same style of programmifi faci---#---[I vari4 consi[I8#Bfi . InEdi burgh LCF, atacti does notit[8B construct a proof. Rather,i ti s usedi backwardreasoni[ to construct a vali#fiz[I functi[ whi h mayi46z8 prove thedesi6B property. Theoremhood i guarded by use of a `safe datatype', and only sound vali484[I functi[I may construct elements ofthi type. In other work, the type of theoremsi protected by havi8 the class oftacti--- icti protected, so thati i ia ossiSB tobui# unsound proofs. The account here tends towards the secondvion though the treatment oftacti6 i s actually so abstract that thi may not be an i[ edi---# t to i[ appli#[IS# i eipli sense. Whie. tacti[ arewiS---fi6[IS--- tacti programmi--- remai4 adiBfiBS task. Inthi paper, weconsi#[ abstractdescri[S#fi--- oftactifi[ wit the hope that modern algori------ desii techniSzS# such as thosedescri ed byBiS and de Moor [BdM97], can be brought to bear on thedi8S---fi[IS ontacti programmi#4 Earlia di#------S[ISS oftacti6 i n the abstract (wiract operati6z[ bii to any parti[ISS proof tool)i)[SS--- those by SchmiB [Sch84] and Mi4#...