The MetaPRL Logical Programming Environment
2001. Cited by 31 (12 self).
This thesis is primarily about the design of formal programming environments for building large software systems. This work articulates two principles and uses them to guide the design, implementation, and study of a specific formal programming environment. First, design methods for large software systems will include multiple languages, methodologies, and refinement techniques that are suited to problem subdomains. This means that any formal system must provide the ability to define multiple logics, and it is by definition a logical framework. Second, the framework must provide the ability to express formal relations between logical theories to address the problem of system decomposition. This thesis also presents the MetaPRL formal system. MetaPRL was built to provide a modular, abstract logical framework where multiple designs can be expressed and related. The MetaPRL design builds on our experience with logical frameworks and with structured programming concepts like inheritance and re-use to provide an efficient, highly abstract, logical machine. The contribution includes several parts.
• The development of an untyped meta-logic using explicit substitution.
• The definition of a very-dependent function type in the Nuprl type theory.
• A system architecture for generic multi-logical development.
• A generic refiner that provides automation and enforcement for the multiple logical theories in the logical environment.
• A module system for logics and theories.
• A generic distributed interactive theorem prover.
BIOGRAPHICAL SKETCH: Jason Jonathan Hickey was born in 1963 in a small town called Delano in the heart of California's central San Joaquin valley. Jason's early experiences included the fulfillment of various agricultural obligations with
Automation for interactive proof: First prototype
Information and Computation. Cited by 28 (9 self).
Interactive theorem provers require too much effort from their users. We have been developing a system in which Isabelle users obtain automatic support from automatic theorem provers (ATPs) such as Vampire and SPASS. An ATP is invoked at suitable points in the interactive session, and any proof found is given to the user in a window displaying an Isar proof script. There are numerous differences between Isabelle (polymorphic higher-order logic with type classes, natural deduction rule format) and classical ATPs (first-order, untyped, clause form). Many of these differences have been bridged, and a working prototype that uses background processes already provides much of the desired functionality.
Formal Objects in Type Theory Using Very Dependent Types
In Foundations of Object Oriented Languages 3, 1996. Cited by 27 (8 self).
In this paper we present an extension to basic type theory to allow a uniform construction of abstract data types (ADTs) having many of the properties of objects, including abstraction, subtyping, and inheritance. The extension relies on allowing type dependencies for function types to range over a well-founded domain. Using the propositions-as-types correspondence, abstract data types can be identified with logical theories, and proofs of the theories are the objects that inhabit the corresponding ADT.
1 Introduction
In the past decade, there has been considerable progress in developing a formal account of a theory of objects. One property of object-oriented languages that makes them popular is that they attack the problem of scale: all object-oriented languages provide mechanisms for software modularity and reuse. In addition, the mechanisms are intuitive enough to be followed easily by novice programmers. During the same decade, the body of formal mathematics has be...
Proofs of Correctness of Cache-Coherence Protocols
2001. Cited by 10 (0 self).
We describe two proofs of correctness for Cachet, an adaptive cache-coherence protocol. Each proof demonstrates soundness (conformance to an abstract cache memory model, CRF) and liveness. One proof is manual, based on a term-rewriting system definition; the other is machine-assisted, based on a TLA formulation and using PVS. A two-stage presentation of the protocol simplifies the treatment of soundness, in the design and in the proofs, by separating all liveness concerns. The TLA formulation demands precision about what aspects of the system's behavior are observable, bringing complication to some parts which were trivial in the manual proof. Handing a completed design over for independent verification is unlikely to be successful: the prover requires detailed insight into the design, and the designer must keep correctness concerns at the forefront of the design process.
1 Introduction: Memory Models and Protocols
Shared memory multiprocessor systems provide a global mem...
Fast Tactic-based Theorem Proving
TPHOLs 2000, LNCS 1869, 2000. Cited by 9 (4 self).
Theorem provers for higher-order logics often use tactics to implement automated proof search. Tactics use a general-purpose meta-language to implement both general-purpose reasoning and computationally intensive domain-specific proof procedures. The generality of tactic provers has a performance penalty; the speed of proof search lags far behind special-purpose provers. We present a new modular proving architecture that significantly increases the speed of the core logic engine.
Fault-tolerant distributed theorem proving
1999. Cited by 7 (4 self).
Higher-order logics are expressive tools for tasks ranging from formalizing the foundations of mathematics to large-scale software verification and synthesis. Because of their complexity, proofs in higher-order logics often use a combination of interactive proving together with computationally-intensive tactic applications that perform proof automation. As problems and proof automation become more sophisticated, these proofs represent substantial investments: each interactive step may represent several hours of design time. We present an implementation of a distributed proving architecture to address the problems of speed, availability, and reliability in tactic provers. This architecture is implemented as a module in the MetaPRL logical framework. The implementation supports arbitrary process joins and all-but-one process failures at any time during a proof. Proof distribution is completely transparent; the existing tactic base is unmodified.
Formal Verification of a Basic Circuits Library
In Proc. of IASTED Int. Conf. on Applied Informatics, Innsbruck (AI 2001), 2001. Cited by 7 (4 self).
We describe the results and status of a project aiming to provide a provably correct library of basic circuits. We use the theorem proving system PVS in order to prove circuits such as incrementers, adders, arithmetic units, multipliers, leading zero counters, shifters, and decoders. All specifications and proofs are available on the web.
Combining Tools for the Verification of Fault-Tolerant Systems
In: Tools for System Development and Verification (Workshop Proceedings), BISS Monographs, Shaker, 1996. Cited by 4 (3 self).
In this article, we describe an approach for the tool-supported development and verification of fault-tolerant systems according to the invent&verify paradigm. Our method is based on the CSP (Communicating Sequential Processes) specification language. It allows the desired properties of a system to be expressed as implicit specifications (assertions about traces and refusals), explicit specifications (CSP process terms), refinement relations, or combinations of these three description formalisms. From our experience with industrial verification projects, this possibility to choose between different specification paradigms according to the specific needs of each development step is essential to cope with large-scale formal development and verification projects. Each top-down development step according to the invent&verify paradigm introduces a verification obligation whose type depends on the specification techniques applied for the different components involved in the step. We describe...
Formal Design Environments
International Conference on Theorem Proving in Higher Order Logics (TPHOLs), 2002. Appears in NASA technical report NASA. Cited by 3 (2 self).
We present the design of a formal integrated design environment. The long-term goal of this effort is to allow seamless interaction between software production tools and formal design and analysis tools, especially between compilers and higher-order theorem provers. The work in this report is the initial design and architecture for integration of 1) the MetaPRL logical framework, 2) a multilanguage compiler we call Mojave, and 3) a generic extensible parser we call Phobos. The integration is currently performed at the level of the Mojave functional intermediate representation, allowing the use of the theorem prover for program analysis, transformation, and optimization.

