Abstract. We present a fully proof-producing implementation of a quantifierelimination procedure for real closed fields. To our knowledge, this is the first generally useful proof-producing implementation of such an algorithm. Whilemany problems within the domain are intractable, we demonstrate convincing examples of its value in interactive theorem proving. 1 Overview and related work Arguably the first automated theorem prover ever written was for a theory of lineararithmetic [8]. Nowadays many theorem proving systems, even those normally classified as `interactive ' rather than `automatic', contain procedures to automate routinearithmetical reasoning over some of the supported number systems like N, Z, Q, R and C. Experience shows that such automated support is invaluable in relieving users ofwhat would otherwise be tedious low-level proofs. We can identify several very common limitations of such procedures:- Often they are restricted to proving purely universal formulas rather than dealingwith arbitrary quantifier structure and performing general quantifier elimination.- Often they are not complete even for the supported class of formulas; in partic-ular procedures for the integers often fail on problems that depend inherently on divisibility properties (e.g. 8x y 2 Z. 2x + 1 6 = 2y)- They seldom handle non-trivial nonlinear reasoning, even in such simple cases as 8x y 2 R. x> 0 ^ y> 0) xy> 0, and those that do [18] tend to use heuristicsrather than systematic complete methods.- Many of the procedures are standalone decision algorithms that produce no certifi-cate of correctness and do not produce a `proof ' in the usual sense. The earliest serious exception is described in [4]. Many of these restrictions are not so important in practice, since subproblems aris-ing in interactive proof can still often be handled effectively. Indeed, sometimes the restrictions are unavoidable: Tarski's theorem on the undefinability of truth implies thatthere cannot even be a complete semidecision procedure for nonlinear reasoning over

Abstract. We describe a formalization of the elementary algebra, topology and analysis of finite-dimensional Euclidean space in the HOL Light theorem prover. (Euclidean space is R N with the usual notion of distance.) A notable feature is that the HOL type system is used to encode the dimension N in a simple and useful way, even though HOL does not permit dependent types. In the resulting theory the HOL type system, far from getting in the way, naturally imposes the correct dimensional constraints, e.g. checking compatibility in matrix multiplication. Among the interesting later developments of the theory are a partial decision procedure for the theory of vector spaces (based on a more general algorithm due to Solovay) and a formal proof of various classic theorems of topology and analysis for arbitrary N-dimensional Euclidean space, e.g. Brouwer’s fixpoint theorem and the differentiability of inverse functions. 1 1 The problem with R N

de recherche ISSN 0249-6399 ISRN INRIA/RR--6155--FR+ENG

We use higher-order logic to verify a quantifier elimination procedure for linear arithmetic over ordered fields, where the coefficients of variables are multivariate polynomials over another set of variables, we call parameters. The procedure generalizes Ferrante and Rackoff’s algorithm for the non-parametric case. The formalization is based on axiomatic type classes and automatically carries over to e.g. the rational, real and non-standard real numbers. It is executable, can be applied to HOL formulae by reflection and performs well on practical examples.