### Citations

698 | Interactive Theorem Proving and Program Development: Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. An EATCS Series
- Bertot, Castéran
- 2004
Citation Context: ...o large. On the other hand, sophisticated representations make it harder to write proof checkers. Several different 'use-cases' have been developed for proof objects: – Constructive logics, e.g., Coq [5] and Agda [9], which are justified by the Proofs-as-Programs principle, explicitly incorporate proofs in the logic of the ITP. A formula in such a logic is a type, and a proof that the type is inhabit...

119 | Integrating Decision Procedures into Heuristic Theorem Provers: A Case Study of Linear Arithmetic
- Boyer, Moore
- 1988
Citation Context: ... However, an ITP based on the Careful Extension model will typically not support the implementation of a new proof procedure, except by one of the developers.) Some examples of such extensions: – In [10], Boyer and Moore discuss the issues involved with integrating a linear arithmetic decision procedure into the Boyer-Moore theorem prover, paying particular attention to the interplay between conditio...

111 | Metafunctions: Proving them correct and using them efficiently as new proof procedures
- Boyer, Moore
- 1981
Citation Context: ...Hurd [19]. Earlier work in this area has been done by Skalberg and Obua [20] in order to translate HOL-4 theories to Isabelle/HOL. 2.4 Metafunctions This technique is originally due to Boyer and Moore [11], but has been rediscovered several times since. It is sometimes called reflection or partial reflection. The approach is based on an internalization of the syntax and semantics of a subset S of th...

100 | An Integration of Model-checking with Automated Proof Checking
- Rajan, Shankar, et al.
- 1995
Citation Context: ...ith integrating a linear arithmetic decision procedure into the Boyer-Moore theorem prover, paying particular attention to the interplay between conditional rewriting and the decision procedure. – In [23] an integration of model-checking into PVS is described. – In [2], Armand, Gregoire, Spiwack, and Thery extend Coq by adding machine integers and arrays as primitive logical objects. 2.2 LCF style Thi...

94 | The semantics of reflected proof
- Allen, Constable, et al.
- 1990
Citation Context: ...ut of the inference kernel. Howe [18] developed an approach similar to metafunctions in the Nuprl type theory, going as far as formalizing and verifying a term rewriter. Later work in the Nuprl group [1] explored more recondite aspects of reflection, where the logic featured an explicit rule of reflection. An approach to metafunctions in Coq was presented in [8] and it has become a heavily exploited ...

69 | Using reflection to build efficient and certified decision procedures
- Boutin
- 1997
Citation Context: ...ewriter. Later work in the Nuprl group [1] explored more recondite aspects of reflection, where the logic featured an explicit rule of reflection. An approach to metafunctions in Coq was presented in [8] and it has become a heavily exploited technique, for example in Gonthier's proof of the Four Color Theorem [14]. In Isabelle/HOL the metafunctions approach has been applied to incorporate a linear ar...

65 | Metatheory and reflection in theorem proving: A survey and critique
- Harrison
- 1995
Citation Context: ...an lead to relatively inefficient proof procedures in LCF style systems. The thesis of Boulton [7] proposes techniques to ameliorate the problem, and there is another good discussion of the issues in [16]. As mentioned, ML has to date been the programming language of choice when implementing an LCF style system. However, Pollack [21] offers reasons why a dependently-typed programming language may be p...

42 | Extending Coq with imperative features and its application to SAT verification
- Armand, Grégoire, et al.
- 2010
Citation Context: ...yer-Moore theorem prover, paying particular attention to the interplay between conditional rewriting and the decision procedure. – In [23] an integration of model-checking into PVS is described. – In [2], Armand, Gregoire, Spiwack, and Thery extend Coq by adding machine integers and arrays as primitive logical objects. 2.2 LCF style This approach relies on the data abstraction facilities of the host ...

40 | Fast LCF-style proof reconstruction for Z3
- Böhme, Weber
- 2010
Citation Context: ..., which are used to guide automatic proof generation in a variety of ITPs. This allows an ITP to extend its automation with the power of current automated provers without compromising the trust story [6, 24]. – Proof objects have also been used for translating theories between different implementations of HOL. Recent work in this area is the OpenTheory implementation of Hurd [19]. Earlier work in this ar...

39 | Proof terms for simply typed higher order logic
- Berghofer, Nipkow
- 2000
Citation Context: ...s argument for such systems. Note that some systems, e.g., Coq, avoid some of the issues with the size of proof objects by treating evaluation as a single step. – Isabelle also provides proof objects [4], although they are not crucial to its trust story, as Isabelle is an LCF design. – A variety of SAT, FOL, and SMT provers generate proof objects, which are used to guide automatic proof generation in...

38 | Computational metatheory in Nuprl
- Howe
- 1988
Citation Context: ...such as higher order logic, taking this speedy route can mean that the equality of t and t′ needs to be asserted as a new axiom since running the compiled code steps out of the inference kernel. Howe [18] developed an approach similar to metafunctions in the Nuprl type theory, going as far as formalizing and verifying a term rewriter. Later work in the Nuprl group [1] explored more recondite aspects o...

27 | Efficiency in a fully-expansive theorem prover
- Boulton
- 1993
Citation Context: ...plemented. The requirement that all proof steps be justified by passing through a simple logical kernel can lead to relatively inefficient proof procedures in LCF style systems. The thesis of Boulton [7] proposes techniques to ameliorate the problem, and there is another good discussion of the issues in [16]. As mentioned, ML has to date been the programming language of choice when implementing an LC...

10 | A Self-Verifying Theorem Prover
- Davis
- 2009
Citation Context: ...ural reflection. Harrison's paper on reflection [16] gives a comprehensive overview of the topic, with an extensive bibliography. Another reflective approach is developed in Jared Davis' Milawa prover [13], which is obtained by bootstrapping from a simple prover (so simple that it can be seen to be correct by inspection) to a system that provides a significant subset of the functionality of the ACL2 pr...

9 | Proof synthesis and reflection for linear arithmetic
- Chaieb, Nipkow
- 2008
Citation Context: ... exploited technique, for example in Gonthier's proof of the Four Color Theorem [14]. In Isabelle/HOL the metafunctions approach has been applied to incorporate a linear arithmetic decision procedure [12]. 2.5 Implementation verification One way to trust an ITP extension is to prove it correct, as we saw with the metafunctions approach. However, that method essentially depends on the formalization of ...

9 | On extensibility of proof checkers
- Pollack
- 1995
Citation Context: ...e the problem, and there is another good discussion of the issues in [16]. As mentioned, ML has to date been the programming language of choice when implementing an LCF style system. However, Pollack [21] offers reasons why a dependently-typed programming language may be preferable. 2.3 Proof objects In this approach, a theorem prover that successfully proves a formula also produces a proof object, wh...

5 | A computer checked proof of the four colour theorem
- Gonthier
- 2005
Citation Context: ...red an explicit rule of reflection. An approach to metafunctions in Coq was presented in [8] and it has become a heavily exploited technique, for example in Gonthier's proof of the Four Color Theorem [14]. In Isabelle/HOL the metafunctions approach has been applied to incorporate a linear arithmetic decision procedure [12]. 2.5 Implementation verification One way to trust an ITP extension is to prove ...

3 | On formal specification of a proof tool
- Arthan
Citation Context: ...he external tools. 4 Further Sources Although we have given a few pointers into the literature, we have certainly not been exhaustive. However, here are a few other citations that may be useful. – In [3], Rob Arthan provides a formal specification in ProofPower of the requirements for an implementation of higher order logic. – In [22], Randy Pollack provides a careful, somewhat philosophical, discuss...

2 | The right tools for the job: correctness of cone of influence reduction proved using ACL2 and HOL4
- MJ, Kaufmann, et al.
- 2011
Citation Context: ...L2 may be automatically translated to HOL without having to justify them by re-running proofs. An example of the application of this system is a proof of the correctness of a model-checking algorithm [15]. 3 System Trust Explanations Here are contributions, made after the workshop ended, explaining major ITP systems' approaches to trust. 3.1 Isabelle (Larry Paulson, with feedback from Burkhart Wolff):...

2 | Composable packages for higher order logic theories
- Hurd
- 2010
Citation Context: ...ising the trust story [6, 24]. – Proof objects have also been used for translating theories between different implementations of HOL. Recent work in this area is the OpenTheory implementation of Hurd [19]. Earlier work in this area has been done by Skalberg and Obua [20] in order to translate HOL-4 theories to Isabelle/HOL. 2.4 Metafunctions This technique is originally due to Boyer and Moore [11], bu...

2 | How to believe a machine-checked proof
- Pollack
- 1997
Citation Context: ...e. However, here are a few other citations that may be useful. – In [3], Rob Arthan provides a formal specification in ProofPower of the requirements for an implementation of higher order logic. – In [22], Randy Pollack provides a careful, somewhat philosophical, discussion on the issues surrounding the checking of large proofs. – (Mentioned in Rob Arthan's description of ProofPower.) In [25], Wiedijk...

1 | A brief overview of Agda: a functional language with dependent types. Theorem Proving in Higher Order Logics
- Bove, Dybjer, Norell
Citation Context: ...he other hand, sophisticated representations make it harder to write proof checkers. Several different 'use-cases' have been developed for proof objects: – Constructive logics, e.g., Coq [5] and Agda [9], which are justified by the Proofs-as-Programs principle, explicitly incorporate proofs in the logic of the ITP. A formula in such a logic is a type, and a proof that the type is inhabited amounts to...

1 | Validating QBF invalidity
- Weber
Citation Context: ..., which are used to guide automatic proof generation in a variety of ITPs. This allows an ITP to extend its automation with the power of current automated provers without compromising the trust story [6, 24]. – Proof objects have also been used for translating theories between different implementations of HOL. Recent work in this area is the OpenTheory implementation of Hurd [19]. Earlier work in this ar...