Introduction Proof planning [4] is an approach to theorem proving which encodes heuristics for constructing mathematical proofs in a meta-theory of methods. The Clam system, developed at Edinburgh [3], has been used for several years to develop proof planning, in particular proof plans for induction. It has become clear that many of the theorem-proving tasks that we would like to perform are naturally higher-order. For example, an important technique called middle-out reasoning [6] uses meta-variables to stand for some unknown objects in a proof, to be instantiated as the proof proceeds. Domains such as the synthesis and verification of software and hardware systems, and techniques such as proof critics [7], benefit greatly from such middle-out reasoning. Since in these domains the meta-variables often become instantiated with terms of function type, reasoning with them is naturally higher-order, and higher-order unification is a

. We present a framework for automating the discovery of loop invariants based upon failed proof attempts. The discovery of suitable loop invariants represents a bottleneck for automatic verification of imperative programs. Using the proof planning framework we reconstruct standard heuristics for developing invariants. We relate these heuristics to the analysis of failed proof attempts allowing us to discover invariants through a process of refinement. 1 Introduction Loop invariants are a well understood technique for specifying the behaviour of programs involving loops. The discovery of suitable invariants, however, is a major bottleneck for automatic verification of imperative programs. Early research in this area [18, 24] exploited both theorem proving techniques as well as domain specific heuristics. However, the potential for interaction between these components was not fully exploited. The proof planning framework, in which we reconstruct the standard heuristics, couples ...

Abstract. We present an account of rippling with proof critics suitable for use in higher order logic in Isabelle/IsaPlanner. We treat issues not previously examined, in particular regarding the existence of multiple annotations during rippling. This results in an efficient mechanism for rippling that can conjecture and prove needed lemmas automatically as well as present the resulting proof plans as Isar style proof scripts. 1

Proof planning is a paradigm for the automation of proof that focuses on encoding intelligence to guide the proof process. The idea is to capture common patterns of reasoning which can be used to derive abstract descriptions of proofs known as proof plans. These can then be executed to provide fully formal proofs. This thesis concerns the development and analysis of a novel approach to proof planning that focuses on an explicit representation of choices during search. We embody our approach as a proof planner for the generic proof assistant Isabelle and use the Isar language, which is human-readable and machine-checkable, to represent proof plans. Within this framework we develop an inductive theorem prover as a case study of our approach to proof planning. Our prover uses the difference reduction heuristic known as rippling to automate the step cases of the inductive proofs. The development of a flexible approach to rippling that supports its various modifications and extensions is the second major focus of this thesis. Here, our inductive theorem prover provides a context in which to evaluate rippling experimentally. This work results in an efficient and powerful inductive theorem prover for Isabelle as well as proposals for further improving the efficiency of rippling. We also draw observations in order

Proof by mathematical induction plays a crucial role in reasoning about functional programs. A generalization step often holds the key to discovering an inductive proof. We present a generalization technique which is particularly applicable when reasoning about functional programs involving accumulating parameters. We provide empirical evidence for the success of our technique and show how it is contributing to the ongoing development of a parallelising compiler for Standard ML. 1 Introduction and Motivations Functional programs, by their very nature, are highly amenable to formal methods of reasoning. This has been exploited within the formal verification community where the majority of theorem proving based tools have a strong functional bias (Boyer & Moore, 1979; Boyer & Moore, 1988; Bundy et al., 1990; Owre et al., 1992; Kapur & Zhang, 1995; ORA, 1996; Hutter & Sengler, 1996; Kaufmann & Moore, 1997). Proof by mathematical induction plays a crucial role in reasoning about recursiv...

Coloring terms (rippling) is a technique developed for inductive theorem proving which uses syntactic dierences of terms to guide the proof search. Annotations (colors) to symbol occurrences in terms are used to maintain this information. This technique has several advantages, e.g. it is highly goal oriented and involves little search. In this paper we give a general formalization of coloring terms in a higher-order setting. We introduce a simply-typed calculus with color annotations and present appropriate algorithms for the general, pre- and pattern unification problems. Our work is a formal basis to the implementation of rippling in a higher-order setting which is required e.g. in case of middle-out reasoning. Another application is in the construction of natural language semantics, where the color annotations rule out linguistically invalid readings that are possible using standard higher-order unification.

Abstract. We report on an initial success obtained in investigating the Feature Interaction problem (FI) via proof planning. FIs arise as an unwanted/unexpected behaviour in large telephone networks and have recently attracted interest not only from the Computer Science community but also from the industrial world. So far, FIs have been solved mainly via approximation plus finite-state methods (model checking being the most popular); in our work we attack the problem via proof planning in First-Order Linear Temporal Logic (FOLTL), therefore making use of no finite-state approximation or restricting assumption about quantification. We have integrated the proof planner λCLAM with an object-level FOLTL theorem prover called FTL, and have so far re-discovered a feature interaction in a basic (but far from trivial) example. 1

This paper reports a case study in the use of proof planning in the context of higher order syntax. Rippling is a heuristic for guiding rewriting steps in induction that has been used successfully in proof planning inductive proofs using first order representations. Ordinal arithmetic provides a natural set of higher order examples on which transfinite induction may be attempted using rippling. Previously Boyer-Moore style automation could not be applied to such domains. We demonstrate that a higher-order extension of the rippling heuristic is sufficient to plan such proofs automatically. Accordingly, ordinal arithmetic has been implemented in Clam, a higher order proof planning system for induction, and standard undergraduate text book problems have been successfully planned. We show the synthesis of a fixpoint for normal ordinal functions which demonstrates how our automation could be extended to produce more interesting results than the textbook examples tried so far.

We describe proof planning: a technique for both describing the hierarchical structure of proofs and then using this structure to guide proof attempts. When such a proof attempt fails, these failures can be analyzed and a patch formulated and applied. We also describe rippling: a powerful proof method used in proof planning. We pose and answer a number of common questions about proof planning and rippling.

Syntax or -tree syntax. A term can be a constant, a variable, an function application, a -abstraction or a tuple of terms. t ::= A j a j (app t t) j (abs xn t) j tuple[t