We begin to lay the foundations for reasoning about proofs whose steps include both invocations of programs to build subproofs (tactics) and references to representations of proofs themselves (reflected proofs). The main result is the definition of a single type of proof which can mention itself, using a new technique which finds a fixed point of a mapping between metalanguage and object language. This single type contrasts with hierarchies of types used in other approaches to accomplish the same classification. We show that these proofs are valid, and that every proof can be reduced to a proof involving only primitive inference rules. We also show how to extend the results to proofs from which programs (such as tactics) can be derived, and to proofs that can refer to a library of definitions and previously proven theorems. We believe that the mechanism of reflection is fundamental in building proof development systems, and we illustrate its power with applications to automating reasoning and describing modes of computation.

In 1933 G odel introduced a calculus of provability (also known as modal logic S4) and left open the question of its exact intended semantics. In this paper we give a solution to this problem. We find the logic LP of propositions and proofs and show that G odel's provability calculus is nothing but the forgetful projection of LP. This also achieves G odel's objective of defining intuitionistic propositional logic Int via classical proofs and provides a Brouwer-Heyting-Kolmogorov style provability semantics for Int which resisted formalization since the early 1930s. LP may be regarded as a unified underlying structure for intuitionistic, modal logics, typed combinatory logic and #-calculus.

One way to ensure correctness of the inference performed by computer theorem provers is to force all proofs to be done step by step in a simple, more or less traditional, deductive system. Using techniques pioneered in Edinburgh LCF, this can be made palatable. However, some believe such an approach will never be efficient enough for large, complex proofs. One alternative, commonly called reflection, is to analyze proofs using a second layer of logic, a metalogic, and so justify abbreviating or simplifying proofs, making the kinds of shortcuts humans often do or appealing to specialized decision algorithms. In this paper we contrast the fully-expansive LCF approach with the use of reflection. We put forward arguments to suggest that the inadequacy of the LCF approach has not been adequately demonstrated, and neither has the practical utility of reflection (notwithstanding its undoubted intellectual interest). The LCF system with which we are most concerned is the HOL proof ...

It is generally accepted that in principle it’s possible to formalize completely almost all of present-day mathematics. The practicability of actually doing so is widely doubted, as is the value of the result. But in the computer age we believe that such formalization is possible and desirable. In contrast to the QED Manifesto however, we do not offer polemics in support of such a project. We merely try to place the formalization of mathematics in its historical perspective, as well as looking at existing praxis and identifying what we regard as the most interesting issues, theoretical and practical.

Computer programs may be regarded as formal mathematical objects whose properties are subject to mathematical proof. Program verification is the use of formal, mathematical techniques to debug software and software specifications. 1. Code Verification How are the properties of computer programs proved? We discuss three approaches in this article: inductive invariants, functional semantics, and explicit semantics. Because the first approach has received by far the most attention, it has produced the most impressive results to date. However, the field is now moving away from the inductive invariant approach. 1.1. Inductive Assertions The so-called Floyd-Hoare inductive assertion method of program verification [25, 33] has its roots in the classic Goldstine and von Neumann reports [53] and handles the usual kind of programming language, of which FORTRAN is perhaps the best example. In this style of verification, the specifier "annotates " certain points in the program with mathematical assertions that are supposed to describe relations that hold between the program variables and the initial input values each time "control " reaches the annotated point. Among these assertions are some that characterize acceptable input and the desired output. By exploring all possible paths from one assertion to the next and analyzing the effects of intervening program statements it is possible to reduce the correctness of the program to the problem of proving certain derived formulas called verification conditions. Below we illustrate the idea with a simple program for computing the factorial of its integer input N flowchart assertion start with input(N) input N A: = 1 N = 0 yes stop with? answer A

A program development methodology based on verified program transformations is described and illustrated through derivations of a high level bisimulation algorithm and an improved minimum-state DFA algorithm. Certain doubts that were raised about the correctness of an initial paper-and-pencil derivation of the DFA minimizationalgorithm were laid to rest by machine-checked formal proofs of the most difficult derivational steps. Although the protracted labor involved in designing and checking these proofs was almost overwhelming, the expense was somewhat offset by a successful reuse of major portions of these proofs. In particular, the DFA minimization algorithm is obtained by specializing and then extending the last step in the derivation of the high level bisimulation algorithm. Our experience suggests that a major focus of future research should be aimed towards improving the technology of machine checkable proofs --- their construction, presentation, and reuse. This paper demonstrat...

The five lectures at Marktoberdorf on which these notes are based were about the architecture of problem solving environments which use theorem provers. Experience with these systems over the past two decades has shown that the prover must be extensible, yet it must be kept safe. We examine a way to safely add new decision procedures to the Nuprl prover. It relies on a reflection mechanism and is applicable to any tactic-oriented prover with sufficient reflection. The lectures explain reflection in the setting of constructive type theory, the core logic of Nuprl.

We show how explicit control strategies can be represented in a declarative (classical) metatheory as first order formulae (proof plans). Proof plans can be reasoned about (by metatheoretic theorem proving) to modify the search strategy and "executed" (by suitably "interpreting" them in terms of the deductive machinery implementation code) to prove a theorem in the object theory. The resulting architecture is uniform as it becomes possible to define a tower of metatheories, each using the same deductive machinery, each (but the lowest) being able to represent proof plans with formulae of the same shape. Plan formation at one level can be obtained by plan execution one level up. The realization of these ideas in the GETFOL system is briefly described via the implementation of a simplified version of the Boyer and Moore theorem prover. 1 Introduction The idea of using metatheories in theorem proving has been extensively studied in the past, a not exhaustive list is [DS79, Wey8...

. Feferman has proposed FS 0 , a theory of finitary inductive systems, as a framework theory that allows a user to reason both in and about an encoded theory. I look here at how practical FS 0 really is. To this end I formalise a sequent calculus presentation of classical propositional logic, and show this can be used for work in both the theory and the metatheory. the latter is illustrated with a discussion of a proof of Gentzen's Hauptsatz. Contents x 1 Introduction 2 x 1.1 Background : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2 x 1.2 Outline of paper : : : : : : : : : : : : : : : : : : : : : : : : : : : 3 x 2 The theory FS 0 and notational conventions 4 x 2.1 What is FS 0 : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 4 x 3 An informal description of Gentzen's calculus 5 x 3.1 The language : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 x 3.2 The calculus for classical propositional logic : : : : : : : : : : : : 6 x 4 Formalising the ...

Existing meta-programming languages operate on encodings of programs as data. This paper presents a new meta-programming language, based on an untyped lambda calculus, in which structurally reflective programming is supported directly, without any encoding. The language features call-by-value and call-by-name lambda abstractions, as well as novel reflective features enabling the intensional manipulation of arbitrary program terms. The language is scope safe, in the sense that variables can neither be captured nor escape their scopes. The expressiveness of the language is demonstrated by showing how to implement quotation and evaluation operations, as proposed by Wand. The language’s utility for meta-programming is further demonstrated through additional representative examples. A prototype implementation is described and evaluated.