Although a number of mechanical provers have been introduced and applied widely by academic researchers, these provers are rarely used in the practical development of software. For mechanical provers to be used more widely in practice, two major barriers must be overcome. First, the languages provided by the mechanical provers for expressing the required system behavior must be more natural for software developers. Second, the reasoning steps supported by mechanical provers are usually at too low and detailed a level and therefore discourage use of the prover. To help remove these barriers, we are developing a system called TAME, a high-level user interface to PVS for specifying and proving properties of automata models. TAME provides both a standard specification format for automata models and numerous high-level proof steps appropriate for reasoning about automata models. In previous work, we have shown how TAME can be useful in proving properties about systems described as Lynch-Vaa...

Abstract. Matita is a new, document-centric, tactic-based interactive theorem prover. This paper focuses on some of the distinctive features of the user interaction with Matita, mostly characterized by the organization of the library as a searchable knowledge base, the emphasis on a high-quality notational rendering, and the complex interplay between syntax, presentation, and semantics.

. We present an approach to integrate several existing tools and methods to a technical framework for correctly developing and executing program transformations. The resulting systems enable program derivations in a user-friendly way. We illustrate the approach by proving and implementing the transformation Global Search on the basis of the tactical theorem prover Isabelle. A graphical user-interface based on the X-Window toolkit Tk provides user friendly access to the underlying machinery. 1 Introduction Development by transformation is a prominent approach in formal program development (CIP [Bau + 85], PROSPECTRA [HK 93], KIDS [Smi 90]). Many case studies have proven its feasibility and demonstrated how much more abstract and user-oriented developments could be achieved than using usual post-verification approaches (fundamental for systems like PVS [OSR 93]). One recent case study is [KW 95]; and a prominent one is [SPW 95] where a strategic transportation scheduling algorithm is de...

This report describes DECLARE, a prototype implementation of a declarative proof system for simple higher order logic. The purpose of DECLARE is to explore mechanisms of specification and proof that may be incorporated into other theorem provers. It has been developed to aid with reasoning about operational descriptions of systems and languages. Proofs in DECLARE are expressed as proof outlines, in a language that approximates written mathematics. The proof language includes specialised constructs for (co-)inductive types and relations. The system includes an abstract/article mechanism that provides a way of isolating the process of formalization from what results, and simultaneously allow the efficient separate processing of work units. After describing the system we discuss our approach to two subsidiary issues: automation and the interactive environment provided to the user. 1 Introduction This technical report describes DECLARE, a prototype implementation of a declarative proof sy...

We present issues that arose in the design of the CtCoq user-interface for proof development. Covered issues include multi-processing, data display, mouse interaction, and script management.

. The refinement calculus provides a theory for the stepwise refinement

. This paper proposes a set of guidelines for use in the design of automated support for theorem proving. In particular they are aimed at graphical user interfaces to existing interactive proof engines. The application of these guidelines to the design of a graphical user interface to Isabelle is described. 1 Introduction This paper presents a number of principles formulated to guide the design of enhancements to a graphical user interface of an interactive theorem prover. An interactive theorem prover is a tool in which a user chooses and applies proof steps to terms in a given logic, to produce theorems. The prover actually performs the proof steps and ensures that only valid chains of inference are developed. Although there are many standards and texts which provide general guidelines for designing GUIs there is great benefit in attempting to formulate principles and guidelines that are specific to the problem domain of an application. Such specific principles can be informed by th...

A proof by pointing user interface component allows a user to direct the course of a proof assistant by selecting terms with a mouse. Such a gesture is interpreted as a high-level tactical which triggers a sequence of low-level basic commands for the proof engine. The algorithm inherently relies on a structure-conscious environment; as a novelty we show how proof-by-pointing may easily be integrated into an interface without a structure editor. We discuss in detail the use of nested selectable text regions for user interaction, the modifications necessary to the proofengine output, and the algorithm for interpreting selections as proof commands, with particular reference to a concrete implementation using XEmacs and LEGO.

. We describe our experiences verifying real communications hardware using machine-assisted proof. In particular we reflect on the errors found, problems encountered and the bottlenecks that slowed the progress of the proofs. We also note techniques which would alleviate the problems. Most of the problems we discuss only become significant when large designs are verified. 1 Introduction Descriptions of formal verification projects invariably focus on the successes. However, much can also be learned from the things that slow progress. In this paper we reflect on the problems encountered in the verification of real communications hardware: the Fairisle Asynchronous Transfer Mode (ATM) switching fabrics [7]. Fairisle is an existing network, designed by the Systems Research Group in Cambridge. It was designed as a platform for research into multimedia and management issues of ATM networks, and carries real user data. The switching fabrics that we considered contain both control and data p...

. Proof is a programming activity. Consequently programming environments which support proof in the large are required. We describe an environment which supports one area of proof-in-the-large: that of theory management. We present the notion of virtual theories. They give the illusion of multiple active theories allowing the user to switch between different theories at will, proving theorems and making definitions in each. The system ensures that proofs only use resources that are available in the environment of the current virtual theory. The code has been implemented on top of the HOL90 system. A side effect is that a version of autoloading is obtained for HOL90. A more radical feature that is obtained is the autoloading of tools. The system has been tested on part of a real hardware verification proof. Who controls the past controls the future, Who controls the present controls the past. George Orwell, Nineteen Eighty-Four 1 Introduction Interactive, machine-checked proof is ess...