: Our ultimate goal is to provide a framework and a methodology which will allow users, and not only system developers, to construct complex reasoning systems by composing existing modules, or to add new modules to existing systems, in a "plug and play" manner. These modules and systems might be based on different logics; have different domain models; use different vocabularies and data structures; use different reasoning strategies; and have different interaction capabilities. This paper makes two main contributions towards our goal. First, it proposes a general architecture for a class of reasoning systems called Open Mechanized Reasoning Systems (OMRSs). An OMRS has three components: a reasoning theory component which is the counterpart of the logical notion of formal system, a control component which consists of a set of inference strategies, and an interaction component which provides an OMRS with the capability of interacting with other systems, including OMRSs and hum...

One way to ensure correctness of the inference performed by computer theorem provers is to force all proofs to be done step by step in a simple, more or less traditional, deductive system. Using techniques pioneered in Edinburgh LCF, this can be made palatable. However, some believe such an approach will never be efficient enough for large, complex proofs. One alternative, commonly called reflection, is to analyze proofs using a second layer of logic, a metalogic, and so justify abbreviating or simplifying proofs, making the kinds of shortcuts humans often do or appealing to specialized decision algorithms. In this paper we contrast the fully-expansive LCF approach with the use of reflection. We put forward arguments to suggest that the inadequacy of the LCF approach has not been adequately demonstrated, and neither has the practical utility of reflection (notwithstanding its undoubted intellectual interest). The LCF system with which we are most concerned is the HOL proof ...

Machine code ((Schellhorn and Ahrendt, 1997) and Chapter III.2.6). We use it as a reference or benchmark. Parts of it are repeated every now and then to evaluate the success of our integration concepts, see Section 7. In realistic applications in software verification, proof attempts are more likely to fail than to go through. This is because specifications, programs, I_3_16-mod_a.tex; 9/03/1998; 13:09; p.2 INTEGRATED THEOREM PROVING 549 or user-defined lemmas typically are erroneous. Correct versions usually are only obtained after a number of corrections and failed proof attempts. Therefore, the question is not only how to produce powerful theorem provers but also how to integrate proving and error correction. Current research on this and related topics is discussed in Section 8. There are different approaches of combining interactive methods with automated ones. Their relation to our approach is the subject of Section 9. Finally, in Section 10 we draw conclusions. 2. IDENTIFYING ...

Model Checking is an algorithmic technique to determine whether a temporal property holds of a program. For linear time properties, a model checker produces a counterexample computation if the check fails. This computation acts as a "certificate" of failure, as it can be checked easily and independently of the model checker by simulating it on the program. On the other hand, no such certificate is produced if the check succeeds. In this paper, we show how this asymmetry can be eliminated with a certifying model checker. The key idea is that, with some extra bookkeeping, a model checker can produce a deductive proof on either success or failure. This proof acts as a certificate of the result, as it can be checked mechanically by simple, non-fixpoint methods that are independent of the model checker. We develop a deductive proof system for verifying branching time properties expressed in the mu-calculus, and show how to generate a proof in this system from a model checking run. Proofs for linear time properties form a special case. A model checker that generates proofs can be used for many interesting applications, such as better ways of exploring errors in a program, and a tight integration of model checking with automated theorem proving. 1

Abstract. Model checking and theorem proving are two complementary approaches to formal verification. In this paper we show how binary decision diagram (BDD) based symbolic model checking algorithms may be embedded in a theorem prover to take advantage of the comparatively secure environment without incurring an unacceptable performance penalty. 1

The appeal of automatic formal verification is that it's automatic --- minimal human labor and expertise should be needed to get useful results and counterexamples. BDD(binary decision diagram)-based approaches have promised to allow automatic verification of complex, real systems. For large classes of problems, however, (including many distributed protocols, multiprocessor systems, and network architectures) this promise has yet to be fulfilled. Indeed, the few successes have required extensive time and effort from sophisticated researchers in the field. Clearly, techniques are needed that are more sophisticated than the obvious direct implementation of theoretical results. This thesis addresses that need, emphasizing an application domain that has been particularly difficult for BDD-based methods --- high-level models of systems or distributed protocols --- rather than gate-level descriptions of circuits. Additionally, the emphasis is on providing useful debugging information for the...

. Designs are often modified for use in new circumstances. If formal proof is to be an acceptable verification methodology for industry, it must be capable of tracking design changes quickly. We describe our experiences formally verifying an implementation of an ATM network component, and on our subsequent verification of modified designs. Three of the designs verified are in use in a working network. They were designed and implemented with no consideration for formal methods. This case study gives an indication of the difficulties in formally verifying a real design and of subsequently tracking design changes. 1 Introduction Designs are often modified as requirements change. Such modifications often take a fraction of the original design time to complete. Even if a design can initially be validated in an acceptable time scale, formal verification is unlikely to be accepted if a similar amount of time is required to validate subsequent modified designs. It has been suggested that this...

Abstract. This paper presents on-going researches on theoretical and practical issues of combining rewriting based automated theorem proving and user-guided proof development, with the strong constraint of safe cooperation of both. In practice, we instantiate the theoretical study on the Coq proof assistant and the ELAN rewriting based system, focusing first on equational and then on inductive proofs. Different concepts, especially rewriting calculus and deduction modulo, contribute to define and to relate proof search, proof representation and proof check.

Abstract. The translation of the temporal logic CTL [2] into the modal µ-calculus Lµ [10] is formalised in the HOL theorem prover [8]. 1

T HIS paper has been written for the IPA workshop in Egmond aan Zee, 16-20 october 1995. Despite its size, it is intended as an introduction ---a quick tour--- to the technology of mechanical verification and the formal design of distributed algorithms, and is not intended to be complete. Nevertheless it will provide the necessary information for the reader to understand the topics. For further reading on the topics, the reader can try the introduction book to HOL [GM93] and the book of UNITY [CM88]. Most of this paper is taken from my Ph.D. thesis. If the reader is interested in further technical details, my thesis is available through ftp at: ftp.cs.ruu.nl in directory pub/RUU/CS/phdtheses/Prasetya Chapter 1 Introduction T HE role of distributed programs has become increasingly important as more and more people hook their computers together, either locally or world-wide. The technology of computer networks advances rapidly and so is its availability. Today, it is no longer a lux...