QED at Large: A Survey of Engineering of Formally Verified Software

Development of formal proofs of correctness of programs can increase actual and perceived reliability and facilitate better understanding of program specifications and their underlying assumptions. Tools supporting such development have been available for over 40 years, but have only recently seen wide practical use. Projects based on construction of machine-checked formal proofs are now reaching an unprecedented scale, comparable to large software projects, which leads to new challenges in proof development and maintenance. Despite its increasing importance, the field of proof engineering is seldom considered in its own right; related theories, techniques, and tools span many fields and venues. This survey of the literature presents a holistic understanding of proof engineering for program correctness, covering impact in practice, foundations, proof automation, proof organization, and practical proof development.

[1]  Amy P. Felty,et al.  Hybrid - A Definitional Two-Level Approach to Reasoning with Higher-Order Abstract Syntax , 2012, J. Autom. Reason..

[2]  Roope Kaivola,et al.  Proof Engineering in the Large: Formal Verification of Pentium® 4 Floating-Point Divider , 2001, CHARME.

[3]  Ahmet Çelik,et al.  ICoq: Regression proof selection for large-scale verification projects , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[4]  Rance Cleaveland,et al.  Implementing mathematics with the Nuprl proof development system , 1986 .

[5]  Benjamin C. Pierce,et al.  Mechanized Metatheory for the Masses: The PoplMark Challenge , 2005, TPHOLs.

[6]  Zhong Shao,et al.  Safety and Liveness of MCS Lock - Layer by Layer , 2017, APLAS.

[7]  Damien Pous,et al.  Tactics for Reasoning Modulo AC in Coq , 2011, CPP.

[8]  Stephen Kell,et al.  The missing link: explaining ELF static linking, semantically , 2016, OOPSLA.

[9]  Sidney Amani,et al.  Cogent: Verifying High-Assurance File System Implementations , 2016, ASPLOS.

[10]  Kwangkeun Yi,et al.  EDUCATIONAL PEARL: ‘Proof-directed debugging’ revisited for a first-order version , 2006, Journal of Functional Programming.

[11]  Lawrence C. Paulson,et al.  Deriving Structural Induction in LCF , 1984, Semantics of Data Types.

[12]  Michael D. Ernst,et al.  Planning for change in a formal verification of the raft consensus protocol , 2016, CPP.

[13]  Andrej Bauer,et al.  The HoTT library: a formalization of homotopy type theory in Coq , 2016, CPP.

[14]  Robert Harper,et al.  The RedPRL Proof Assistant (Invited Paper) , 2018, LFMTP@FSCD.

[15]  Robert Harper,et al.  Algebraic Foundations of Proof Refinement , 2017, ArXiv.

[16]  Andrei Popescu,et al.  Foundational (Co)datatypes and (Co)recursion for Higher-Order Logic , 2017, FroCoS.

[17]  Bruno Barras,et al.  Sets in Coq, Coq in Sets , 2010, J. Formaliz. Reason..

[18]  Ingo Dahn,et al.  Integration of Automated and Interactive Theorem Proving in ILP , 1997, CADE.

[19]  Andrew W. Appel,et al.  Verified Software Toolchain , 2012, NASA Formal Methods.

[20]  Gudmund Grov,et al.  Machine Learning in Proof General: Interfacing Interfaces , 2012, UITP.

[21]  David Aspinall,et al.  Subtyping dependent types , 2001, Theor. Comput. Sci..

[22]  Scott F. Smith,et al.  CoqPIE: An IDE Aimed at Improving Proof Development Productivity - (Rough Diamond) , 2016, ITP.

[23]  Einar Broch Johnsen,et al.  Theorem Reuse by Proof Term Transformation , 2004, TPHOLs.

[24]  Gilles Barthe,et al.  A Two-Level Approach Towards Lean Proof-Checking , 1995, TYPES.

[25]  Jónathan Heras,et al.  Recycling Proof Patterns in Coq: Case Studies , 2013, Math. Comput. Sci..

[26]  Conor McBride Turing-Completeness Totally Free , 2015, MPC.

[27]  Nicolas Tabareau,et al.  Gradual certified programming in coq , 2015, DLS.

[28]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[29]  D. Ross Jeffery,et al.  An empirical research agenda for understanding formal methods productivity , 2015, Inf. Softw. Technol..

[30]  Sylvain Conchon,et al.  Improving Coq Propositional Reasoning Using a Lazy CNF Conversion Scheme , 2009, FroCoS.

[31]  Yutaka Nagashima,et al.  A Framework for the Automatic Formal Verification of Refinement from Cogent to C , 2016, ITP.

[32]  Thierry Coquand,et al.  Inductively defined types , 1988, Conference on Computer Logic.

[33]  Jeffery I. Zucker Formalization of Classical Mathematics in Automath , 1994 .

[34]  Malcolm C. Newey Axioms and theorems for integers, lists and finite sets in LCF. , 1973 .

[35]  P. Aczel,et al.  Homotopy Type Theory: Univalent Foundations of Mathematics , 2013 .

[36]  Manuel M. T. Chakravarty,et al.  Modular type classes , 2007, POPL '07.

[37]  D. Ross Jeffery,et al.  Empirical Study Towards a Leading Indicator for Cost of Formal Software Verification , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[38]  Paul Graham ANSI Common Lisp , 1995 .

[39]  Adam Chlipala,et al.  Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[40]  Freek Wiedijk,et al.  Mizar Light for HOL Light , 2001, TPHOLs.

[41]  Thomas Kolbe,et al.  Proof Analysis, Generalization and Reuse , 1998 .

[42]  Rachid Guerraoui,et al.  Introduction to Reliable and Secure Distributed Programming (2. ed.) , 2011 .

[43]  Arthur Charguéraud,et al.  Engineering formal metatheory , 2008, POPL '08.

[44]  Georges Gonthier,et al.  Formal Proof—The Four- Color Theorem , 2008 .

[45]  Cyril Cohen,et al.  Refinements for Free! , 2013, CPP.

[46]  David Aspinall,et al.  Polar: A Framework for Proof Refactoring , 2013, LPAR.

[47]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[48]  David L. Dill,et al.  Developing Bug-Free Machine Learning Systems With Formal Mathematics , 2017, ICML.

[49]  Luca Cardelli,et al.  An Extension of System F with Subtyping , 1991, TACS.

[50]  K. Gödel Die Vollständigkeit der Axiome des logischen Funktionenkalküls , 1930 .

[51]  Joseph Tassarotti,et al.  MoSeL: a general, extensible modal framework for interactive proofs in separation logic , 2018, Proc. ACM Program. Lang..

[52]  Pierre Corbineau,et al.  A Declarative Language for the Coq Proof Assistant , 2007, TYPES.

[53]  M. Pope The Art of Discovery. , 2000 .

[54]  Peter Lammich,et al.  Automatic Data Refinement , 2013, ITP.

[55]  Xavier Leroy,et al.  Validating LR(1) Parsers , 2012, ESOP.

[56]  William R. Cook,et al.  Product lines of theorems , 2011, OOPSLA '11.

[57]  Florian Kammüller,et al.  Locales - A Sectioning Concept for Isabelle , 1999, TPHOLs.

[58]  Benjamin C. Pierce,et al.  Generating good generators for inductive relations , 2017, Proc. ACM Program. Lang..

[59]  Andrea Asperti,et al.  A Content Based Mathematical Search Engine: Whelp , 2004, TYPES.

[60]  Andrzej Trybulec,et al.  Computer Assisted Reasoning with MIZAR , 1985, IJCAI.

[61]  Nicolas Oury Extensionality in the Calculus of Constructions , 2005, TPHOLs.

[62]  Carus Paul The Foundation of Mathematics. , 1920 .

[63]  Ulrich Berger,et al.  Program Extraction from Normalization Proofs , 1993, Stud Logica.

[64]  Christoph Weidenbach,et al.  A Verified SAT Solver Framework with Learn, Forget, Restart, and Incrementality , 2016, Journal of Automated Reasoning.

[65]  Simon Boulier,et al.  Towards Certified Meta-Programming with Typed Template-Coq , 2018, ITP.

[66]  Makarius Wenzel Isabelle/Isar — a Generic Framework for Human-Readable Proof Documents , 2007 .

[67]  Richard J. Boulton,et al.  Experience with Embedding Hardware Description Languages in HOL , 1992, TPCD.

[68]  J. Gregory Morrisett,et al.  Toward a verified relational database management system , 2010, POPL '10.

[69]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[70]  Joseph Tassarotti,et al.  Argosy: verifying layered storage systems with recovery refinement , 2019, PLDI.

[71]  Robert L. Constable,et al.  Infinite Objects in Type Theory , 1986, LICS.

[72]  Yann Régis-Gianas,et al.  Lightweight Proof by Reflection Using a Posteriori Simulation of Effectful Computation , 2013, ITP.

[73]  C. Angiuli The RedPRL Proof Assistant , 2018 .

[74]  Pierre Courtieu,et al.  Efficient Reasoning about Executable Specifications in Coq , 2002, TPHOLs.

[75]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[76]  Ramana Kumar,et al.  Self-compilation and self-verification , 2016 .

[77]  Brigitte Pientka,et al.  Programming with proofs and explicit contexts , 2008, PPDP '08.

[78]  Thierry Coquand,et al.  Constructions: A Higher Order Proof System for Mechanizing Mathematics , 1985, European Conference on Computer Algebra.

[79]  Mehdi T. Harandi,et al.  A logical framework for software proof reuse , 1995, SSR '95.

[80]  Tobias Nipkow,et al.  Nitpick: A Counterexample Generator for Higher-Order Logic Based on a Relational Model Finder , 2010, ITP.

[81]  Amy P. Felty,et al.  The Next 700 Challenge Problems for Reasoning with Higher-Order Abstract Syntax Representations , 2015, Journal of Automated Reasoning.

[82]  Joe Hurd Integrating Gandalf and HOL , 1999, TPHOLs.

[83]  John McCarthy,et al.  A basis for a mathematical theory of computation, preliminary report , 1899, IRE-AIEE-ACM '61 (Western).

[84]  Derek Dreyer,et al.  Mtac2: typed tactics for backward reasoning in Coq , 2018, Proc. ACM Program. Lang..

[85]  Stephanie Weirich,et al.  Binders unbound , 2011, ICFP.

[86]  Robin Milner,et al.  Proving compiler correctness in a mechanised logic , 1972 .

[87]  Michael J. C. Gordon,et al.  Edinburgh LCF: A mechanised logic of computation , 1979 .

[88]  Christian Urban,et al.  A Head-to-Head Comparison of de Bruijn Indices and Names , 2007, Electron. Notes Theor. Comput. Sci..

[89]  Josef Urban,et al.  Overview and Evaluation of Premise Selection Techniques for Large Theory Mathematics , 2012, IJCAR.

[90]  Ewaryst Rafaj,et al.  Preprint of the paper that appeared in : Lecture Notes in Computer Science , Lecture Notes in Artificial Intelligence , 2013 .

[91]  Benjamin WernerINRIA-Rocquencourt Coq in Coq , 1997 .

[92]  Hendrik Pieter Barendregt,et al.  Autarkic Computations in Formal Proofs , 2002, Journal of Automated Reasoning.

[93]  David Aspinall,et al.  Proof General: A Generic Tool for Proof Development , 2000, TACAS.

[94]  Zohar Manna,et al.  The calculus of computation - decision procedures with applications to verification , 2007 .

[95]  Conor McBride,et al.  Elimination with a Motive , 2000, TYPES.

[96]  Jacques D. Fleuriot,et al.  IsaPlanner: A Prototype Proof Planner in Isabelle , 2003, CADE.

[97]  Magnus O. Myreen,et al.  A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture , 2010, ITP.

[98]  Cezary Kaliszyk,et al.  Web Interfaces for Proof Assistants , 2007, UITP@FLoC.

[99]  van Ls Bert Benthem Jutting Checking Landau's "Grundlagen" in the Automath system : Parts of chapters 0, 1 and 2 (Introduction, Preparation, Translation) , 1994 .

[100]  Dan Diaper,et al.  Desirable features of educational theorem provers - a cognitive dimensions viewpoint , 1999, PPIG.

[101]  Cezary Kaliszyk,et al.  HolStep: A Machine Learning Dataset for Higher-order Logic Theorem Proving , 2017, ICLR.

[102]  Cezary Kaliszyk,et al.  Hammer for Coq: Automation for Dependent Type Theory , 2018, Journal of Automated Reasoning.

[103]  Gordon Plotkin,et al.  From Semantics to Computer Science: Essays in Honour of Gilles Kahn , 2009 .

[104]  Charles Morisset,et al.  A Graph-Based Implementation for Mechanized Refinement Calculus of OO Programs , 2010, SBMF.

[105]  Vladimir Voevodsky,et al.  An experimental library of formalized Mathematics based on the univalent foundations , 2015, Mathematical Structures in Computer Science.

[106]  Josef Urban,et al.  DeepMath - Deep Sequence Models for Premise Selection , 2016, NIPS.

[107]  N. Lynch,et al.  FORWARD AND BACKWARD SIMULATIONS PART I: UNTIMED SYSTEMS (replaces TM-486) , 1994 .

[108]  Xavier Leroy A locally nameless solution to the POPLmark challenge , 2007 .

[109]  Cezary Kaliszyk,et al.  Automating Formalization by Statistical and Semantic Parsing of Mathematics , 2017, ITP.

[110]  Pierre Letouzey,et al.  A New Extraction for Coq , 2002, TYPES.

[111]  Bas Spitters,et al.  Program Extraction from Large Proof Developments , 2003, TPHOLs.

[112]  Aaron Stump The calculus of dependent lambda eliminations* , 2017, Journal of Functional Programming.

[113]  Lawrence C. Paulson,et al.  A Generic Tableau Prover and its Integration with Isabelle , 1999, J. Univers. Comput. Sci..

[114]  Ilya Sergey,et al.  Communicating State Transition Systems for Fine-Grained Concurrent Resources , 2014, ESOP.

[115]  Markus Wenzel PIDE as front-end technology for Coq , 2013, ArXiv.

[116]  Lars Birkedal,et al.  Iris from the ground up: A modular foundation for higher-order concurrent separation logic , 2018, Journal of Functional Programming.

[117]  William G. Griswold,et al.  Inferring Loop Invariants through Gamification , 2018, CHI.

[118]  J. A. Robinson,et al.  A Machine-Oriented Logic Based on the Resolution Principle , 1965, JACM.

[119]  F. Wiedijk,et al.  The challenge of computer mathematics , 2005, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[120]  Herman Geuvers,et al.  A Constructive Proof of the Fundamental Theorem of Algebra without Using the Rationals , 2000, TYPES.

[121]  Alonzo Church,et al.  A formulation of the simple theory of types , 1940, Journal of Symbolic Logic.

[122]  N. Yazdani,et al.  Ornaments for Proof Reuse in Coq , 2019, ITP.

[123]  Benjamin C. Pierce,et al.  Foundational Property-Based Testing , 2015, ITP.

[124]  Olivier Boite,et al.  Proof Reuse with Extended Inductive Types , 2004, TPHOLs.

[125]  Dale Miller,et al.  Mechanized Metatheory Revisited , 2018, Journal of Automated Reasoning.

[126]  Timothy Bourke,et al.  Challenges and Experiences in Managing Large-Scale Proofs , 2012, AISC/MKM/Calculemus.

[127]  Cyril Cohen Pragmatic Quotient Types in Coq , 2013, ITP.

[128]  Matthieu Sozeau Equations: A Dependent Pattern-Matching Compiler , 2010, ITP.

[129]  LeroyXavier Formal certification of a compiler back-end or , 2006 .

[130]  Thibault Gauthier,et al.  Classification of Alignments Between Concepts of Formal Mathematical Systems , 2017, CICM.

[131]  Lars Birkedal,et al.  Ynot: dependent types for imperative programs , 2008, ICFP.

[132]  Pierre Jouvelot,et al.  jsCoq: Towards Hybrid Theorem Proving Interfaces , 2017, UITP.

[133]  Moa Johansson,et al.  Electronic Communications of the EASST Volume 72 ( 2015 ) Proceedings of the 15 th International Workshop on Automated Verification of Critical Systems ( AVoCS 2015 ) Conditional Lemma Discovery and Recursion Induction in Hipster , 2015 .

[134]  Peter V. Homeier A Design Structure for Higher Order Quotients , 2005, TPHOLs.

[135]  Lukas Bulwahn,et al.  The New Quickcheck for Isabelle - Random, Exhaustive and Symbolic Testing under One Roof , 2012, CPP.

[136]  Jónathan Heras,et al.  Proof-Pattern Recognition and Lemma Discovery in ACL2 , 2013, LPAR.

[137]  Dan Grossman,et al.  How programming languages will co-evolve with software engineering: a bright decade ahead , 2014, FOSE.

[138]  Conor McBride,et al.  Inverting Inductively Defined Relations in LEGO , 1996, TYPES.

[139]  A. Church An Unsolvable Problem of Elementary Number Theory , 1936 .

[140]  Cezary Kaliszyk,et al.  Towards Formal Proof Metrics , 2016, FASE.

[141]  Jennifer Paykin,et al.  QWIRE Practice: Formal Verification of Quantum Circuits in Coq , 2018, QPL.

[142]  François Garillot,et al.  Generic Proof Tools and Finite Group Theory , 2011 .

[143]  Graham Hutton,et al.  Calculating correct compilers , 2015, Journal of Functional Programming.

[144]  Nicolas Tabareau,et al.  Universe Polymorphism in Coq , 2014, ITP.

[145]  Dan Grossman,et al.  Adapting proof automation to adapt proofs , 2018, CPP.

[146]  Lawrence C. Paulson Mechanizing Coinduction and Corecursion in Higher-Order Logic , 1997, J. Log. Comput..

[147]  Gernot Heiser,et al.  High-assurance timing analysis for a high-assurance real-time operating system , 2017, Real-Time Systems.

[148]  Dmitriy Traytel,et al.  A verified prover based on ordered resolution , 2019, CPP.

[149]  Nada Amin Type Soundness for Dependent Object Types ( DOT ) Tiark Rompf , 2016 .

[150]  Iain Whiteside Refactoring proofs , 2013 .

[151]  Hugo Herbelin,et al.  Automatic and Transparent Transfer of Theorems along Isomorphisms in the Coq Proof Assistant , 2015, ArXiv.

[152]  Koen Claessen,et al.  Hipster: Integrating Theory Exploration in a Proof Assistant , 2014, CICM.

[153]  Cezary Kaliszyk,et al.  MaSh: Machine Learning for Sledgehammer , 2013, ITP.

[154]  Abhishek Anand,et al.  Towards a Formally Verified Proof Assistant , 2014, ITP.

[155]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[156]  Andrew W. Appel,et al.  Compositional CompCert , 2015, POPL.

[157]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[158]  Christine C. Paulin Extraction de programmes dans le calcul des constructions , 1989 .

[159]  Tobias Nipkow,et al.  A Revision of the Proof of the Kepler Conjecture , 2009, Discret. Comput. Geom..

[160]  Gert Smolka,et al.  Autosubst: Reasoning with de Bruijn Terms and Parallel Substitutions , 2015, ITP.

[161]  Alfred North Whitehead,et al.  Principia Mathematica to *56 , 1910 .

[162]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[163]  Lawrence Charles Paulson,et al.  Isabelle: A Generic Theorem Prover , 1994 .

[164]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[165]  Théo Winterhalter,et al.  Normalization by evaluation for sized dependent types , 2017, Proc. ACM Program. Lang..

[166]  Pierre Courtieu,et al.  Company-Coq: Taking Proof General one step closer to a real IDE , 2016 .

[167]  Conor McBride Ornamental Algebras, Algebraic Ornaments , 2014 .

[168]  Enrico Tassi,et al.  Coqoon , 2016, International Journal on Software Tools for Technology Transfer.

[169]  Christine Paulin-Mohring,et al.  Extracting ω's programs from proofs in the calculus of constructions , 1989, POPL '89.

[170]  Keith D. Cooper,et al.  Engineering a Compiler , 2003 .

[171]  Zhong Shao,et al.  Verification of safety properties for concurrent assembly code , 2004, ICFP '04.

[172]  Viktor Vafeiadis,et al.  Mtac: a monad for typed tactic programming in Coq , 2013, ICFP.

[173]  Thibault Gauthier,et al.  TacticToe: Learning to Reason with HOL4 Tactics , 2017, LPAR.

[174]  Thierry Coquand,et al.  The Calculus of Constructions , 1988, Inf. Comput..

[175]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[176]  G. Frege Grundgesetze der Arithmetik , 1893 .

[177]  Paul C. van Oorschot,et al.  BP: Formal Proofs, the Fine Print and Side Effects , 2018, 2018 IEEE Cybersecurity Development (SecDev).

[178]  Lars Birkedal,et al.  Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning , 2015, POPL.

[179]  Xinyu Feng,et al.  Modular verification of concurrent assembly code with dynamic thread creation and termination , 2005, ICFP '05.

[180]  Jasmin Christian Blanchette,et al.  Three years of experience with Sledgehammer, a Practical Link Between Automatic and Interactive Theorem Provers , 2012, IWIL@LPAR.

[181]  Matthieu Sozeau,et al.  First-Class Type Classes , 2008, TPHOLs.

[182]  Lawrence C. Paulson Defining functions on equivalence classes , 2006, TOCL.

[183]  Henk Barendregt,et al.  Foundations of Mathematics from the Perspective of Computer Verification , 2013, CSL 2013.

[184]  Alberto Ciaffaglione,et al.  A weak HOAS approach to the POPLmark Challenge , 2013, LSFA.

[185]  Robert Harper,et al.  Practical Foundations for Programming Languages , 2012 .

[186]  A. M. Turing,et al.  Checking a large routine , 1989 .

[187]  Ralph-Johan Back,et al.  A calculus of refinements for program derivations , 1988, Acta Informatica.

[188]  Christian Urban,et al.  Nominal Techniques in Isabelle/HOL , 2005, Journal of Automated Reasoning.

[189]  John Harrison,et al.  A Mizar Mode for HOL , 1996, TPHOLs.

[190]  Assia Mahboubi,et al.  An introduction to small scale reflection in Coq , 2010, J. Formaliz. Reason..

[191]  David B. MacQueen Using dependent types to express modular structure , 1986, POPL '86.

[192]  Lawrence Charles Paulson Tactics and tacticals in Cambridge LCF , 1983 .

[193]  Makarius Wenzel Further Scaling of Isabelle Technology , 2018 .

[194]  Sorin Lerner,et al.  Establishing Browser Security Guarantees through Formal Shim Verification , 2012, USENIX Security Symposium.

[195]  Zhong Shao,et al.  Certified concurrent abstraction layers , 2018, PLDI.

[196]  Per Martin-Löf,et al.  Constructive mathematics and computer programming , 1984 .

[197]  Xi Wang,et al.  Verdi: a framework for implementing and formally verifying distributed systems , 2015, PLDI.

[198]  Tobias Nipkow,et al.  Concrete Semantics: With Isabelle/HOL , 2014 .

[199]  Fan Long,et al.  An analysis of patch plausibility and correctness for generate-and-validate patch generation systems , 2015, ISSTA.

[200]  Yutaka Nagashima,et al.  PaMpeR: Proof Method Recommendation System for Isabelle/HOL , 2018, 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[201]  Valentin Robert,et al.  Front-end tooling for building and maintaining dependently-typed functional programs , 2018 .

[202]  Wouter Swierstra A Hoare Logic for the State Monad , 2009, TPHOLs.

[203]  Chung-Kil Hur,et al.  Pilsner: a compositionally verified compiler for a higher-order imperative language , 2015, ICFP.

[204]  Cezary Kaliszyk,et al.  HOL(y)Hammer: Online ATP Service for HOL Light , 2013, Math. Comput. Sci..

[205]  Pierre-Évariste Dagand,et al.  The essence of ornaments , 2017, Journal of Functional Programming.

[206]  Paul A. Strooper,et al.  Refinement Calculus for Logic Programming in Isabelle/HOL , 2001, TPHOLs.

[207]  Gudmund Grov,et al.  Understanding and maintaining tactics graphically OR how we are learning that a diagram can be worth more than 10K LoC , 2016, J. Formaliz. Reason..

[208]  Derek Dreyer,et al.  RustBelt: securing the foundations of the rust programming language , 2017, Proc. ACM Program. Lang..

[209]  Roberto Guanciale,et al.  Provably secure memory isolation for Linux on ARM , 2016, J. Comput. Secur..

[210]  Soonho Kong,et al.  Theorem Proving in Lean , 2016 .

[211]  M. Gordon,et al.  Introduction to HOL: a theorem proving environment for higher order logic , 1993 .

[212]  Amy P. Felty,et al.  Combining de Bruijn Indices and Higher-Order Abstract Syntax in Coq , 2006, TYPES.

[213]  William G. Griswold,et al.  Polymorphic Blocks: Formalism-Inspired UI for Structured Connectors , 2015, CHI.

[214]  Roy L. Crole,et al.  Combining Higher Order Abstract Syntax with Tactical Theorem Proving and (Co)Induction , 2002, TPHOLs.

[215]  Alastair R. Beresford,et al.  Verifying strong eventual consistency in distributed systems , 2017, Proc. ACM Program. Lang..

[216]  Oscar Slotosch Higher Order Quotients and their Implementation in Isabelle HOL , 1997, TPHOLs.

[217]  Cezary Kaliszyk,et al.  Learning-Assisted Automated Reasoning with Flyspeck , 2012, Journal of Automated Reasoning.

[218]  Gregory Malecha,et al.  Extensible and Efficient Automation Through Reflective Tactics , 2016, ESOP.

[219]  Julien Narboux,et al.  A Decision Procedure for Geometry in Coq , 2004, TPHOLs.

[220]  Rod M. Burstall,et al.  Proving Properties of Programs by Structural Induction , 1969, Comput. J..

[221]  J. Stuart Aitken,et al.  An analysis of errors in interactive proof attempts , 2000, Interact. Comput..

[222]  Bernhard Beckert,et al.  A Usability Evaluation of Interactive Theorem Provers Using Focus Groups , 2014, SEFM Workshops.

[223]  Markus Wenzel,et al.  Constructive Type Classes in Isabelle , 2006, TYPES.

[224]  Dianfu Ma,et al.  Tree-Structure CNN for Automated Theorem Proving , 2017, ICONIP.

[225]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[226]  Eduardo Giménez,et al.  Codifying Guarded Definitions with Recursive Schemes , 1994, TYPES.

[227]  Xavier Leroy,et al.  Formal certification of a compiler back-end or: programming a compiler with a proof assistant , 2006, POPL '06.

[228]  John McCarthy,et al.  Recursive functions of symbolic expressions and their computation by machine, Part I , 1960, Commun. ACM.

[229]  Hannes Mehnert,et al.  Tool Demonstration: An IDE for Programming and Proving in Idris , 2014 .

[230]  Muffy Calder,et al.  Interactive Theorem Proving: An Empirical Study of User Activity , 1998, J. Symb. Comput..

[231]  Damien Pous,et al.  Deciding Kleene Algebras in Coq , 2011, Log. Methods Comput. Sci..

[232]  Matthew Z. Weaver,et al.  CertiCoq : A verified compiler for Coq , 2016 .

[233]  Amy P. Felty,et al.  Benchmarks for reasoning with syntax trees containing binders and contexts of assumptions , 2018, Math. Struct. Comput. Sci..

[234]  Enrico Tassi,et al.  A Language of Patterns for Subterm Selection , 2012, ITP.

[235]  Liming Zhu,et al.  Large-scale formal verification in practice: A process perspective , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[236]  Christine Paulin-Mohring,et al.  Inductive Definitions in the system Coq - Rules and Properties , 1993, TLCA.

[237]  Makarius Wenzel Interactive Theorem Provers , 2014 .

[238]  Robin Milner,et al.  Implementation and applications of Scott's logic for computable functions , 1972, Proving Assertions About Programs.

[239]  Freek Wiedijk,et al.  MMode, a Mizar Mode for the proof assistant Coq , 2003 .

[240]  Andrew D. Irvine,et al.  Russell’s Paradox , 1995 .

[241]  Thierry Coquand,et al.  Cubical Type Theory: A Constructive Interpretation of the Univalence Axiom , 2015, TYPES.

[242]  Daniel Kroening,et al.  Decision Procedures - An Algorithmic Point of View , 2008, Texts in Theoretical Computer Science. An EATCS Series.

[243]  Avra Cohn The Equivalence of Two Semantic Definitions: A Case Study in LCF , 1983, SIAM J. Comput..

[244]  Wouter Swierstra,et al.  Engineering Proof by Reflection in Agda , 2012, IFL.

[245]  Kai Engelhardt,et al.  Data Refinement: Model-Oriented Proof Methods and their Comparison , 1998 .

[246]  Edwin Brady,et al.  Idris, a general-purpose dependently typed programming language: Design and implementation , 2013, Journal of Functional Programming.

[247]  Cezary Kaliszyk,et al.  Deep Network Guided Proof Search , 2017, LPAR.

[248]  Tobias Nipkow,et al.  Code Generation via Higher-Order Rewrite Systems , 2010, FLOPS.

[249]  Anton Podkopaev,et al.  Bridging the gap between programming languages and hardware weak memory models , 2019, Proc. ACM Program. Lang..

[250]  Tobias Nipkow,et al.  A FORMAL PROOF OF THE KEPLER CONJECTURE , 2015, Forum of Mathematics, Pi.

[251]  Xavier Leroy,et al.  CompCert: Practical Experience on Integrating and Qualifying a Formally Verified Optimizing Compiler , 2018 .

[252]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[253]  Amy P. Felty,et al.  Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison , 2010, ITP.

[254]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[255]  J. H. Geuvers,et al.  Proof assistants: History, ideas and future , 2009 .

[256]  David Aspinall,et al.  Subtyping dependent types , 1996, Proceedings 11th Annual IEEE Symposium on Logic in Computer Science.

[257]  Thierry Coquand,et al.  Infinite Objects in Type Theory , 1994, TYPES.

[258]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 2001, TOPL.

[259]  Dan Grossman,et al.  Œuf: minimizing the Coq extraction TCB , 2018, CPP.

[260]  Tom Ridge,et al.  SibylFS: formal specification and oracle-based testing for POSIX and real-world file systems , 2015, SOSP.

[261]  Zhaohui Luo,et al.  An Implementation of LF with Coercive Subtyping & Universes , 2001, Journal of Automated Reasoning.

[262]  Robert L. Constable,et al.  The semantics of reflected proof , 1990, [1990] Proceedings. Fifth Annual IEEE Symposium on Logic in Computer Science.

[263]  Juan Chen,et al.  Verifying higher-order programs with the dijkstra monad , 2013, PLDI.

[264]  Toby Murray,et al.  Provably trustworthy systems , 2017, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[265]  Tom Ridge,et al.  Ott: effective tool support for the working semanticist , 2007, ICFP '07.

[267]  Luís Cruz-Filipe,et al.  A Large-Scale Experiment in Executing Extracted Programs , 2006, Calculemus.

[268]  Cezary Kaliszyk,et al.  Computing with Classical Real Numbers , 2009, J. Formaliz. Reason..

[269]  Federico Biancuzzi,et al.  Masterminds of Programming - Conversations with the Creators of Major Programming Languages , 2009 .

[270]  Gernot Heiser,et al.  Formally verified software in the real world , 2018, Commun. ACM.

[271]  Alan Bundy,et al.  The Use of Explicit Plans to Guide Inductive Proofs , 1988, CADE.

[272]  Michael D. Ernst,et al.  Verifying Invariants of Lock-Free Data Structures with Rely-Guarantee and Refinement Types , 2017, ACM Trans. Program. Lang. Syst..

[273]  Arnaud Spiwack An abstract type for constructing tactics in Coq , 2010 .

[274]  Christine Paulin-Mohring,et al.  Synthesis of ML Programs in the System Coq , 1993, J. Symb. Comput..

[275]  Yves Bertot,et al.  A Generic Approach to Building User Interfaces for Theorem Provers , 1998, J. Symb. Comput..

[276]  Aleksandar Nanevski,et al.  Subjective auxiliary state for coarse-grained concurrency , 2013, POPL.

[277]  Thorsten Altenkirch,et al.  A user's guide to {ALF , 1994 .

[278]  Dana S. Scott,et al.  A Type-Theoretical Alternative to ISWIM, CUCH, OWHY , 1993, Theor. Comput. Sci..

[279]  Thomas Anderson,et al.  Operating Systems: Principles and Practice , 2012 .

[280]  Xavier Leroy,et al.  Closing the Gap – The Formally Verified Optimizing Compiler CompCert , 2017 .

[281]  Markus Wenzel Isabelle/jEdit - A Prover IDE within the PIDE Framework , 2012, AISC/MKM/Calculemus.

[282]  Kevin C. Klement,et al.  GOTTLOB FREGE , 2010 .

[283]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[284]  Tobias Nipkow,et al.  Proof transformations for equational theories , 1990, [1990] Proceedings. Fifth Annual IEEE Symposium on Logic in Computer Science.

[285]  Fredrik Lindblad,et al.  A Tool for Automated Theorem Proving in Agda , 2004, TYPES.

[286]  Robert S. Boyer Panel Discussion: A Mechanically Proof-Checked Encyclopedia of Mathematics: Should We Build One? Can We? , 1994, CADE.

[287]  Tom Ridge,et al.  Lem: reusable engineering of real-world semantics , 2014, ICFP.

[288]  Zhong Shao,et al.  VeriML: typed computation of logical terms inside a language with effects , 2010, ICFP '10.

[289]  Sidney Amani,et al.  COGENT: Certified Compilation for a Functional Systems Language , 2016, ArXiv.

[290]  Annette Bieniusa,et al.  Formal Specification and Verification of CRDTs , 2014, FORTE.

[291]  de Ng Dick Bruijn,et al.  Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem , 1972 .

[292]  F. Fukuyama The End of History? , 1989, The New Social Theory Reader.

[293]  Philip Wadler,et al.  How to make ad-hoc polymorphism less ad hoc , 1989, POPL '89.

[294]  Herman Geuvers,et al.  A Constructive Algebraic Hierarchy in Coq , 2002, J. Symb. Comput..

[295]  Thibault Gauthier,et al.  Matching Concepts across HOL Libraries , 2014, CICM.

[296]  Andrew W. Appel,et al.  Program Logics for Certified Compilers , 2014 .

[297]  Cezary Kaliszyk,et al.  What's in a Theorem Name? , 2016, ITP.

[298]  Lukas Bulwahn The New Quickcheck for Isabelle Random , Exhaustive and Symbolic Testing Living Under One Roof , 2012 .

[299]  Xinyu Feng,et al.  Practical Tactics for Verifying C Programs in Coq , 2015, CPP.

[300]  Jónathan Heras,et al.  ML4PG in Computer Algebra Verification , 2013, MKM/Calculemus/DML.

[301]  Andrew D. Gordon,et al.  A Mechanisation of Name-Carrying Syntax up to Alpha-Conversion , 1993, HUG.

[302]  Peter Lammich,et al.  Refinement to Imperative HOL , 2015, Journal of Automated Reasoning.

[303]  Tobias Nipkow,et al.  Data Refinement in Isabelle/HOL , 2013, ITP.

[304]  Alan Bundy,et al.  GALILEO: A System for Automating Ontology Evolution , 2011 .

[305]  Andrew W. Appel,et al.  A Trustworthy Proof Checker , 2004, Journal of Automated Reasoning.

[306]  William A. Howard,et al.  The formulae-as-types notion of construction , 1969 .

[307]  de Ng Dick Bruijn,et al.  The mathematical language AUTOMATH, its usage, and some of its extensions , 1970 .

[308]  John von Neumann,et al.  First draft of a report on the EDVAC , 1993, IEEE Annals of the History of Computing.

[309]  H B Curry,et al.  Functionality in Combinatory Logic. , 1934, Proceedings of the National Academy of Sciences of the United States of America.

[310]  Xinyu Feng Local rely-guarantee reasoning , 2009, POPL '09.

[311]  Adam Chlipala Parametric higher-order abstract syntax for mechanized semantics , 2008, ICFP.

[312]  G. Bancerek The Fundamental Properties of Natural Numbers , 1990 .

[313]  D. Sangiorgi Introduction to Bisimulation and Coinduction , 2011 .

[314]  Ilya Sergey,et al.  Mechanized verification of fine-grained concurrent programs , 2015, PLDI.

[315]  Aquinas Hobor,et al.  A Theory of Termination via Indirection , 2010, Modelling, Controlling and Reasoning About State.

[316]  Robert J. Simmons,et al.  SASyLF: an educational proof assistant for language theory , 2008, FDPE '08.

[317]  Viktor Vafeiadis,et al.  Structuring the verification of heap-manipulating programs , 2010, POPL '10.

[318]  Stefan Berghofer,et al.  Inductive Datatypes in HOL - Lessons Learned in Formal-Logic Engineering , 1999, TPHOLs.

[319]  Tobias Nipkow,et al.  Executing Higher Order Logic , 2000, TYPES.

[320]  Robert M. Norton,et al.  ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS , 2019, Proc. ACM Program. Lang..

[321]  Nicolas Tabareau,et al.  Equivalences for free: univalent parametricity for effective transport , 2018, Proc. ACM Program. Lang..

[322]  Cezary Kaliszyk,et al.  General Bindings and Alpha-Equivalence in Nominal Isabelle , 2012, Log. Methods Comput. Sci..

[323]  Stephanie Weirich,et al.  Combining proofs and programs in a dependently typed language , 2014, POPL.

[324]  Tobias Nipkow,et al.  Automatic Proof and Disproof in Isabelle/HOL , 2011, FroCoS.

[325]  J. Harrison Metatheory and Reflection in Theorem Proving: A Survey and Critique , 1995 .

[326]  Derek Dreyer,et al.  How to make ad hoc proof automation less ad hoc , 2011, ICFP '11.

[327]  Xavier Leroy,et al.  The CompCert Memory Model, Version 2 , 2012 .

[328]  B. Russell,et al.  Introduction to Mathematical Philosophy , 1920, The Mathematical Gazette.

[329]  D. Ross Jeffery,et al.  Productivity for proof engineering , 2014, ESEM '14.

[330]  Bohua Zhan AUTO2, A Saturation-Based Heuristic Prover for Higher-Order Logic , 2016, ITP.

[331]  Cristina Cornes,et al.  Automating Inversion of Inductive Predicates in Coq , 1995, TYPES.

[332]  Nada Amin,et al.  Type soundness for dependent object types (DOT) , 2016, OOPSLA.

[333]  Moa Johansson,et al.  Automated Theory Exploration for Interactive Theorem Proving: - An Introduction to the Hipster System , 2017, ITP.

[334]  Thomas C. Hales,et al.  The Jordan Curve Theorem, Formally and Informally , 2007, Am. Math. Mon..

[335]  Jian Wang,et al.  Premise Selection for Theorem Proving by Deep Graph Embedding , 2017, NIPS.

[336]  Gilles Kahn,et al.  Proof by Pointing , 1994, TACS.

[337]  Robert Harper,et al.  Proof-directed debugging , 1999, Journal of Functional Programming.

[338]  Zhaohui Luo,et al.  Coercive Subtyping , 1995 .

[339]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[340]  Dean B. Krafft AVID: A system for the Interactive Development of Verifiably Correct Programs , 1981 .

[341]  Adam Chlipala,et al.  Certified Programming with Dependent Types - A Pragmatic Introduction to the Coq Proof Assistant , 2013 .

[342]  Markus Wenzel Shared-Memory Multiprocessing for Interactive Theorem Proving , 2013, ITP.

[343]  Cezary Kaliszyk,et al.  A Learning-Based Fact Selector for Isabelle/HOL , 2016, Journal of Automated Reasoning.

[344]  William Pugh,et al.  The Omega test: A fast and practical integer programming algorithm for dependence analysis , 1991, Proceedings of the 1991 ACM/IEEE Conference on Supercomputing (Supercomputing '91).

[345]  Gerwin Klein,et al.  Proof Engineering Considered Essential , 2014, FM.

[346]  Peter Lammich,et al.  Verified Model Checking of Timed Automata , 2018, TACAS.

[347]  Cezary Kaliszyk,et al.  Hammering towards QED , 2016, J. Formaliz. Reason..

[348]  Alfred Tarski,et al.  Der Wahrheitsbegriff in den formalisierten Sprachen , 1935 .

[349]  Adam Chlipala,et al.  Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant , 2015, POPL.

[350]  Lawrence C. Paulson A preliminary users manual for Isabelle , 1988 .

[351]  Robert Pollack,et al.  How to Believe a Machine-Checked Proof , 1997 .

[352]  Liming Zhu,et al.  Simulation modeling of a large-scale formal verification process , 2012, 2012 International Conference on Software and System Process (ICSSP).

[353]  Tobias Nipkow,et al.  A Verified Compiler from Isabelle/HOL to CakeML , 2018, ESOP.

[354]  Dominique Devriese,et al.  On the bright side of type classes: instance arguments in Agda , 2011, ICFP '11.

[355]  Frank Pfenning,et al.  Inductively Defined Types in the Calculus of Constructions , 1989, Mathematical Foundations of Programming Semantics.

[356]  Robin Milner,et al.  A Metalanguage for interactive proof in LCF , 1978, POPL.

[357]  Frank Pfenning,et al.  System Description: Twelf - A Meta-Logical Framework for Deductive Systems , 1999, CADE.

[358]  Don Syme,et al.  A New Interface for HOL - Ideas, Issues and Implementation , 1995, TPHOLs.

[359]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[360]  Sarah M. Loos,et al.  HOList: An Environment for Machine Learning of Higher-Order Theorem Proving (extended version) , 2019, ArXiv.

[361]  林俊彦 用Visual Studio实践敏捷测试(一) , 2010 .

[362]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.

[363]  Patrice Godefroid,et al.  Verification of safety properties , 1996 .

[364]  J. Hurd First-Order Proof Tactics in Higher-Order Logic Theorem Provers In Proc , 2003 .

[365]  Conrad Watt,et al.  Mechanising and verifying the WebAssembly specification , 2018, CPP.

[366]  Enrico Tassi,et al.  Canonical Structures for the Working Coq User , 2013, ITP.

[367]  Arthur Charguéraud,et al.  The Locally Nameless Representation , 2012, Journal of Automated Reasoning.

[368]  Dov M. Gabbay,et al.  Handbook of the history of logic , 2004 .

[369]  Leonard J. Bass,et al.  Formal specifications better than function points for code sizing , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[370]  Jacques Malenfant,et al.  Reflection in logic, functional and object-oriented programming: a Short Comparative Study , 1995 .

[371]  Andrew W. Appel,et al.  VST-Floyd: A Separation Logic Tool to Verify Correctness of C Programs , 2018, Journal of Automated Reasoning.

[372]  Cliff B. Jones,et al.  The tactic language , 1991 .

[373]  David Garlan,et al.  Seminal Papers in Software Engineering: The Carnegie Mellon Canonical Collection , 2015 .

[374]  J. Bates A Logic for Correct Program Development , 1979 .

[375]  Frank Pfenning,et al.  Higher-order abstract syntax , 1988, PLDI '88.

[376]  Ilya Sergey,et al.  Programming and proving with distributed protocols , 2017, Proc. ACM Program. Lang..

[377]  Andrew McCreight,et al.  Practical Tactics for Separation Logic , 2009, TPHOLs.

[378]  Andrew W. Appel Efficient Verified Red-Black Trees , 2011 .

[379]  Furio Honsell,et al.  A framework for defining logics , 1993, JACM.

[380]  Tom Ridge,et al.  Engineering with Logic , 2018, J. ACM.

[381]  A self-contained, brief and complete formulation of Voevodsky's Univalence Axiom , 2018, 1803.02294.

[382]  Andrew Ireland,et al.  Productive use of failure in inductive proof , 1996, Journal of Automated Reasoning.

[383]  Samuel Boutin,et al.  Using Reflection to Build Efficient and Certified Decision Procedures , 1997, TACS.

[384]  Aaron Stump,et al.  Generic zero-cost reuse for dependent types , 2018, PACMPL.

[385]  Nicolas Magaud,et al.  Changing Data Structures in Type Theory: A Study of Natural Numbers , 2000, TYPES.

[386]  Lawrence C. Paulson,et al.  Isabelle: The Next 700 Theorem Provers , 2000, ArXiv.

[387]  Tobias Nipkow,et al.  Proving Pointer Programs in Higher-Order Logic , 2003, CADE.

[388]  Pierre Letouzey,et al.  Programmation fonctionnelle certifiée : L'extraction de programmes dans l'assistant Coq. (Certified functional programming : Program extraction within Coq proof assistant) , 2004 .

[389]  Ramana Kumar,et al.  A Proof Strategy Language and Proof Script Generation for Isabelle/HOL , 2016, CADE.

[390]  Brian Huffman,et al.  Lifting and Transfer: A Modular Design for Quotients in Isabelle/HOL , 2013, CPP.

[391]  Peter Dybjer,et al.  Intuitionistic Type Theory , 2016 .

[392]  Konrad Slind AC Unification in HOL90 , 1993, HUG.

[393]  Jeremy Avigad,et al.  A Machine-Checked Proof of the Odd Order Theorem , 2013, ITP.

[394]  Sorin Stratulat,et al.  Theory exploration of binary trees , 2015, 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY).

[395]  Lars Birkedal,et al.  Interactive proofs in higher-order concurrent separation logic , 2017, POPL.

[396]  Robert Pollack,et al.  On Extensibility of Proof Checkers , 1994, TYPES.

[397]  Moa Johansson,et al.  Conditional Lemma Discovery and Recursion Induction in Hipster. , 2015 .

[398]  Tobias Nipkow,et al.  Mining the Archive of Formal Proofs , 2015, CICM.

[399]  Gilles Barthe,et al.  Implicit Coercions in Type Systems , 1995, TYPES.

[400]  Bruno C. d. S. Oliveira,et al.  Modular monadic meta-theory , 2013, ICFP.

[401]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[402]  Gilles Barthe,et al.  Type Isomorphisms and Proof Reuse in Dependent Type Theory , 2001, FoSSaCS.

[403]  Didier Rémy,et al.  Ornaments in practice , 2014, WGP '14.

[404]  Jeremy Gibbons,et al.  Programming with ornaments , 2017, J. Funct. Program..

[405]  K. Gödel Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I , 1931 .

[406]  David Delahaye,et al.  A Tactic Language for the System Coq , 2000, LPAR.

[407]  A. Heyting,et al.  Intuitionism: An introduction , 1956 .

[408]  Magnus O. Myreen,et al.  The Reflective Milawa Theorem Prover is Sound (Down to the Machine Code that Runs it) , 2015, Journal of Automated Reasoning.

[409]  Clemens Ballarin,et al.  Interpretation of Locales in Isabelle: Theories and Proof Contexts , 2006, MKM.

[410]  Markus Wenzel,et al.  Local Theory Specifications in Isabelle/Isar , 2009, TYPES.

[411]  Karin Wibergh Automatic refactoring for Agda , 2019 .

[412]  Andrew W. Appel,et al.  A List-Machine Benchmark for Mechanized Metatheory , 2011, Journal of Automated Reasoning.

[413]  Andrea Asperti,et al.  User Interaction with the Matita Proof Assistant , 2007, Journal of Automated Reasoning.

[414]  Peter Beike,et al.  The Definition Of Standard Ml Revised , 2016 .

[415]  Markus Wenzel Structured Induction Proofs in Isabelle/Isar , 2006, MKM.

[416]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[417]  Michael D. Ernst,et al.  Verification games: making verification fun , 2012, FTfJP@ECOOP.

[418]  Markus Wenzel,et al.  Eisbach: A Proof Method Language for Isabelle , 2016, Journal of Automated Reasoning.

[419]  Adam Chlipala,et al.  The End of History? Using a Proof Assistant to Replace Language Design with Library Design , 2017, SNAPL.

[420]  Markus Wenzel,et al.  Asynchronous User Interaction and Tool Integration in Isabelle/PIDE , 2014, ITP.

[421]  Richard J. Lipton,et al.  Social processes and proofs of theorems and programs , 1977, POPL.

[422]  Thibault Gauthier,et al.  Aligning concepts across proof assistant libraries , 2019, J. Symb. Comput..

[423]  Roberto Guanciale,et al.  Formal verification of information flow security for a simple arm-based separation kernel , 2013, CCS.

[424]  Andrei Popescu,et al.  A Consistent Foundation for Isabelle/HOL , 2015, Journal of Automated Reasoning.

[425]  Hendrik Pieter Barendregt Proofs of Correctness in Mathematics and Industry , 2008, Wiley Encyclopedia of Computer Science and Engineering.

[426]  Enrico Tassi,et al.  Asynchronous Processing of Coq Documents: From the Kernel up to the User Interface , 2015, ITP.

[427]  Venanzio Capretta,et al.  General recursion via coinductive types , 2005, Log. Methods Comput. Sci..

[428]  Luca Cardelli An implementation of F , 1993 .

[429]  Adam Chlipala,et al.  Effective interactive proofs for higher-order imperative programs , 2009, ICFP.

[430]  Alan Bundy,et al.  Rippling - meta-level guidance for mathematical reasoning , 2005, Cambridge tracts in theoretical computer science.

[431]  Wouter Swierstra,et al.  Data types à la carte , 2008, Journal of Functional Programming.

[432]  Arthur Charguéraud Program verification through characteristic formulae , 2010, ICFP '10.

[433]  Thomas Kropf,et al.  Integrating A First-order Automatic prover In The HOL Environment , 1991, 1991., International Workshop on the HOL Theorem Proving System and Its Applications.

[434]  Robert Harper,et al.  Mechanizing metatheory in a logical framework , 2007, Journal of Functional Programming.

[435]  Koji Nakagawa,et al.  Theorema: Towards computer-aided mathematical theory exploration , 2006, J. Appl. Log..

[436]  Sorin Lerner,et al.  Automating formal proofs for reactive systems , 2014, PLDI.

[437]  Adam Chlipala,et al.  Using Crash Hoare logic for certifying the FSCQ file system , 2015, USENIX Annual Technical Conference.

[438]  Gernot Heiser,et al.  From L3 to seL4 what have we learnt in 20 years of L4 microkernels? , 2013, SOSP.

[439]  Christopher Strachey,et al.  Fundamental Concepts in Programming Languages , 2000, High. Order Symb. Comput..

[440]  Tobias Nipkow,et al.  A Fully Verified Executable LTL Model Checker , 2013, CAV.

[441]  Martin Monperrus,et al.  Automatic Software Repair , 2018, ACM Comput. Surv..

[442]  Amokrane Saibi Outils Génériques de Modélisation et de Démonstration pour la Formalisation des Mathématiques en Théorie des Types. Application à la Théorie des Catégories. , 1999 .

[443]  Benjamin Grégoire,et al.  Proving Equalities in a Commutative Ring Done Right in Coq , 2005, TPHOLs.

[444]  Anne Mulhern Proof Weaving , 2006 .

[445]  Jacek Chrząszcz Implementing Modules in the Coq System , 2003, TPHOLs.

[446]  Magnus O. Myreen,et al.  Proof-producing synthesis of ML from higher-order logic , 2012, ICFP.

[447]  B. Russell On Some Difficulties in the Theory of Transfinite Numbers and Order Types , 1907 .

[448]  Jean-Christophe Filliâtre,et al.  Functors for Proofs and Programs , 2004, ESOP.

[449]  Ahmet Çelik,et al.  piCoq: parallel regression proving for large-scale verification projects , 2018, ISSTA.

[450]  F. Dick A survey of the project Automath , 1980 .

[451]  Jia Deng,et al.  Learning to Prove Theorems via Interacting with Proof Assistants , 2019, ICML.

[452]  Russell O'Connor Essential Incompleteness of Arithmetic Verified by Coq , 2005, TPHOLs.

[453]  Carsten Schürmann,et al.  System Description: Delphin - A Functional Programming Language for Deductive Systems , 2008, LFMTP@LICS.

[454]  Milo M. K. Martin,et al.  Formalizing the LLVM intermediate representation for verified program transformations , 2012, POPL '12.

[455]  C. Flori,et al.  Homotopy Type Theory : Univalent Foundations of Mathematics , 2014 .

[456]  David R. Christiansen,et al.  Elaborator reflection: extending Idris in Idris , 2016, ICFP.

[457]  Amokrane Saïbi Typing algorithm in type theory with inheritance , 1997, POPL '97.

[458]  Douglas J. Howe Computational Metatheory in Nuprl , 1988, CADE.

[459]  ChlipalaAdam The bedrock structured programming system , 2013 .

[460]  Solomon Feferman,et al.  Predicativity , 2007, The Oxford Handbook of Philosophy of Mathematics and Logic.

[461]  Christian Doczkal,et al.  Regular Language Representations in the Constructive Type Theory of Coq , 2018, Journal of Automated Reasoning.

[462]  Thibault Gauthier,et al.  Sharing HOL4 and HOL Light Proof Knowledge , 2015, LPAR.

[463]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[464]  Adam Chlipala,et al.  The bedrock structured programming system: combining generative metaprogramming and hoare logic in an extensible program verifier , 2013, ICFP.

[465]  Dawn Xiaodong Song,et al.  GamePad: A Learning Environment for Theorem Proving , 2018, ICLR.

[466]  Holger Busch First-Order Automation for Higher-Order-Logic Theorem Proving , 1994, TPHOLs.

[467]  Nils Anders Danielsson Operational semantics using the partiality monad , 2012, ICFP '12.

[468]  Nada Amin,et al.  Type soundness proofs with definitional interpreters , 2017, POPL.

[469]  Burkhart Wolff,et al.  Pervasive Parallelism in Highly-Trustable Interactive Theorem Proving Systems , 2013, MKM/Calculemus/DML.

[470]  Amy P. Felty,et al.  Generalization and Reuse of Tactic Proofs , 1994, LPAR.

[471]  Combining Generative The Bedrock Structured Programming System , 2013 .

[472]  Bas Spitters,et al.  Type classes for mathematics in type theory† , 2011, Mathematical Structures in Computer Science.

[473]  Marc Pantel,et al.  Towards Formally Verified Optimizing Compilation in Flight Control Software , 2011, PPES.

[474]  Jeremy Avigad,et al.  A metaprogramming framework for formal verification , 2017, Proc. ACM Program. Lang..

[475]  Xavier Leroy,et al.  Formal certification of a compiler back - end , 2005 .

[476]  John W. Backus,et al.  Can programming be liberated from the von Neumann style?: a functional style and its algebra of programs , 1978, CACM.

[477]  Adam Chlipala,et al.  Verifying a high-performance crash-safe file system using a tree specification , 2017, SOSP.

[478]  Thibault Gauthier,et al.  Learning to Prove with Tactics , 2018, ArXiv.

[479]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[480]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[481]  Alasdair Urquhart Principia mathematica , 2015 .

[482]  Tobias Nipkow,et al.  Proof Synthesis and Reflection for Linear Arithmetic , 2008, Journal of Automated Reasoning.

[483]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[484]  Lars Birkedal,et al.  Impredicative Concurrent Abstract Predicates , 2014, ESOP.

[485]  Mark Adams,et al.  Refactoring Proofs with Tactician , 2015, SEFM Workshops.

[486]  Dominik Dietrich,et al.  Assertion level proof planning with compiled strategies , 2011 .

[487]  Frank Pfenning,et al.  Contextual modal type theory , 2008, TOCL.