We investigate the problem of translating between different styles of proof systems in higherorder logic: analytic proofs which are well suited for automated theorem proving, and nonanalytic deductions which are well suited for the mathematician. Analytic proofs are represented as expansion proofs, H, a form of the sequent calculus we define, non-analytic proofs are represented by natural deductions. A non-deterministic translation algorithm between expansion proofs and H-deductions is presented and its correctness is proven. We also present an algorithm for translation in the other direction and prove its correctness. A cut-elimination algorithm for expansion proofs is given and its partial correctness is proven. Strong termination of this algorithm remains a conjecture for the full higher-order system, but is proven for the first-order fragment. We extend the translations to a non-analytic proof system which contains a primitive notion of equality, while leaving the notion of expansion proof unaltered. This is possible, since a non-extensional equality is definable in our system of type theory. Next we extend analytic and non-analytic proof systems and the translations between them to include extensionality. Finally, we show how the methods and notions used so far apply to the problem of translating expansion proofs into natural deductions. Much care is taken to specify this translation in a

Abstract. By means of two well-known examples it is demonstrated that the method of extracting programs from proofs is manageable in practice and may yield efficient programs. The Warshall algorithm computing the transitive closure of a relation is extracted from a constructive proof that repetitions in a path can always be avoided. Secondly, we extract a program from a classical (i.e. non constructive) proof of a special case of Dickson’s Lemma, by transforming the classical proof into a constructive one. These techniques (as well as the examples) are implemented in the interactive theorem prover Minlog developed at the University of Munich. 1.

This article presents a theory of classes and inheritance built on top of constructive type theory. Classes are defined using dependent and very dependent function types that are found in the Nuprl constructive type theory. Inheritance is defined in terms of a general subtyping relation over the underlying types. Among the basic types is the intersection type which plays a critical role in the applications because it provides a method of composing program components. The class theory is applied to defining algebraic structures such as monoids, groups, rings, etc. and relating them. It is also used to define communications protocols as infinite state automata. The article illustrates the role of these formal automata in defining the services of a distributed group communications system. In both applications the inheritance mechanisms allow reuse of proofs and the statement of general properties of system composition. 1

In automated deduction systems that are intended for human use, the presentation of a proof is no less important than its discovery. For most of today’s automated theorem proving systems, this requires a non-trivial translation procedure to extract human-oriented deductions from machine-oriented proofs. Previously known translation procedures, though complete, tend to produce unintuitive deductions. One of the major flaws in such procedures is that too often the rule of indirect proof is used where the introduction of a lemma would result in a shorter and more intuitive proof. We present an algorithm, symmetric simplification, for discovering useful lemmas in deductions of theorems in first- and higher-order logic. This algorithm, which has been implemented in the TPS system, has the feature that resulting deductions may no longer have the weak subformula property. It is currently limited, however, in that it only generates lemmas of the form C ∨ ¬C ′ , where C and C ′ have the same negation normal form. 1

Software development environments of the future will be characterized by extensive reuse of previous work. This paper addresses the issue of reusability in the context in which design is achieved by the transformational development of formal specifications into efficient implementations. It explores how an implementation of a modified specification can be realized by replaying the transformational derivation of the original and modifying it as required by changes made to the specification. Our approach is to structure derivations using the notion of tactics, and record derivation histories as an execution trace of the application of tactics. One key idea is that tactics are compositional: higher level tactics are constructed from more rudimentary using defined control primitives. This is similar to the approach used in LCF[12] and NuPRL[1, 8]. Given such a derivation history and a modified specification, the correspondence problem [21, 20] addresses how during replay a correspondence...

We present an approach to a coherent program synthesis system which integrates a variety of interactively controlled and automated techniques from theorem proving and algorithm design at different levels of abstraction. Besides providing an overall view we summarize the individual research results achieved in the course of this development.

We show how to implement a calculus with higher-order subtyping and subkinding by replacing uses of implicit subsumption with explicit coercions. To ensure this can be done, a polymorphic function is adjusted to take, as an additional argument, a proof that its type constructor argument has the desired kind. Such a proof is extracted from the derivation of a kinding judgement and may in turn require proof coercions, which are extracted from subkinding judgements. This technique is formalized as a type-directed translation from a calculus of higher-order subtyping to a subtyping-free calculus. This translation generalizes an existing result for second-order subtyping calculi (such as F ). We also discuss two interpretations of subtyping, one that views it as type inclusion and another that views it as the existence of a well-behaved coercion, and we show, by a type-theoretic construction, that our translation is the minimum consequence of shifting from the inclusion interpretation to th...

This paper deals with the very fundamentals of a socalled "Turing Test Methodology" for expert system validation which was recently proposed by [KP96]. It is more intended to provide a firm basis for discussions among the engaged scientists than to become a conference contribution. For this purpose, emphasis is put on a detailed and, perhaps, a little long-winded discussion, in some places. There might be future versions of this report to reflect the ongoing progress of the investigation. First, we survey several concepts of verification and validation. Our favoured concepts are lucidly characterized by the words that verification guarantees to build the system right whereas validation deals with building the right system. Next, we critically inspect the thought-experiment called the TURING test. It turns out that, although this approach may not be sufficient to reveal a system 's intelligence, it provides a suitable methodological background to certify a system's validity. The prin...

Since almost 30 years software production has to face two major problems: the cost of non-standard software, caused by long development times and the constant need for maintenance, and a lack of confidence in the reliability of software. Recent accidents like the crash of KAL’s 747 in August 1997 or the

Abstract. We present an automatic approach for instantiating existentially quantified variables in inductive specifications proofs. Our approach uses first-order meta-variables in place of existentially quantified variables and combines logical proof search with rippling techniques. We avoid the non-termination problems which usually occur in the presence of existentially quantified variables. Moreover, we are able to synthesize conditional substitutions for the meta-variables. We illustrate our approach by discussing the specification of the integer square root. 1