Summary of New Lean Constructs 125 III Program Semantics 127 8 Operational Semantics 129 8.1 Formal Semantics ..... 129 8.2 A Minimalistic Imperative Language ..... 130 8.3 Big-Step Semantics ..... 203 ## Preface Formal proof assistants are software tools designed to help their users carry out computer-checked proofs in a logical calculus. We usually call them proof assistants, or interactive phase "proof-preventing beasts," and dictation software occasionally misunderstands "theorem prover" as "fear improver." Consider yourself warned. Rigorous and Formal Proofs Interactive

Universe Levels 99 3.33 With-Abstraction 99 3.34 Without K 109 4 Tools 111 4.1 Automatic Proof Search (Auto) 111 4.2 Command-line options 114 4.3 Compilers 118 4.4 Emacs Mode 120 4.5 Literate primFloatEquality primitive is intended to be used for decidable propositional equality. To enable proof carrying comparisons while preserving consistency, the following laws apply: nan=nan : primFloatEquality to lift the primitive boolean equality on built-in types like String to something that returns a proof object: eqString : (a b : String) → Maybe (a b) eqString a b = if primStringEquality a b then

Calculus of Inductive Constructions. The CIC is a formal language with a small and precise set of rules that governs the formation of expressions. In this formal system, moreover, every expression has a type expression may denote a mathematical object like a natural number, a data type, an assertion, or a proof. Lean has a small and carefully written kernel, which serves to check that an expression is well-formed ones that are true), we need a proof language. Fortunately, dependent type theory can play that role: proofs are nothing more than certain kinds of expressions in the formal language. In the encoding used

Quantifier 4.2 Equality 4.3 Calculational Proofs 4.4 The Existential Quantifier 4.5 More on the Proof Language 4.6 Exercises 5 Tactics 5.1 Entering Tactic Mode 5.2 Basic Tactics 5.3 More Tactics Middle ..... 163 Bibliography ..... 167 ## I NTRODUCTION ### 1.1 Computers and Theorem Proving Formal verification involves the use of logical and computational methods to establish claims that are expressed sharp distinction between verifying a piece of mathematics and verifying the correctness of a system: formal verification requires describing hardware and software systems in mathematical terms, at which point

requirements such as those of Common Criteria and beyond. From the beginning, development aimed for formal verification of the kernel. To ease meeting the sometimes conflicting requirements of performance security access control to enable formal reasoning about object accessibility. A formal proof of functional correctness was completed in 2009. $ ^{[17]} $ The proof provides a guarantee that the kernel's accelerate development and deployment of seL4. $ ^{[22]} $ The researchers state that the cost of formal software verification is lower than the cost of engineering traditional "high-assurance"

• Termination Checking • Universe Levels With-Abstraction ☐ Without K ## • Tools • Automatic Proof Search (Auto) Command-line options • Compilers ○ Emacs Mode • Literate Programming Generating Idris [http://idris-lang.org/]. Because of strong typing and dependent types, Agda can be used as a proof assistant, allowing to prove mathematical theorems (in a constructive setting) and to run such proofs algorithm. For example, a function of type $ (n : \text{Nat}) -> (\text{PrimRoot } n) $ is also a proof that every natural number has a primitive root. ## Prerequisites You need recent versions of the

• Termination Checking • Universe Levels With-Abstraction ☐ Without K ## • Tools • Automatic Proof Search (Auto) Command-line options • Compilers ○ Emacs Mode • Literate Programming Generating Idris [http://idris-lang.org/]. Because of strong typing and dependent types, Agda can be used as a proof assistant, allowing to prove mathematical theorems (in a constructive setting) and to run such proofs algorithm. For example, a function of type $ (n : \text{Nat}) -> (\text{PrimRoot } n) $ is also a proof that every natural number has a primitive root. ## Prerequisites You need recent versions of the

3.37 With-Abstraction ..... 128 3.38 Without K ..... 138 4 Tools ..... 141 4.1 Automatic Proof Search (Auto) ..... 141 4.2 Command-line options ..... 144 4.3 Compilers ..... 150 4.4 Emacs are Coq, Epigram, and Idris. Because of strong typing and dependent types, Agda can be used as a proof assistant, allowing to prove mathematical theorems (in a constructive setting) and to run such proofs For example, a function of type $ (n : \text{Nat}) \rightarrow (\text{PrimRoot } n) $ is also a proof that every natural number has a primitive root. ### 2.2 Prerequisites You need recent versions of

3.37 With-Abstraction ..... 128 3.38 Without K ..... 138 4 Tools ..... 141 4.1 Automatic Proof Search (Auto) ..... 141 4.2 Command-line options ..... 144 4.3 Compilers ..... 150 4.4 Emacs are Coq, Epigram, and Idris. Because of strong typing and dependent types, Agda can be used as a proof assistant, allowing to prove mathematical theorems (in a constructive setting) and to run such proofs For example, a function of type $ (n : \text{Nat}) \rightarrow (\text{PrimRoot } n) $ is also a proof that every natural number has a primitive root. ### 2.2 Prerequisites You need recent versions of

Termination Checking • Universe Levels • With-Abstraction • Without K • Tools • Automatic Proof Search (Auto) • Command-line options • Compilers • Emacs Mode • Literate Programming Idris [https://idrislang.org/]. Because of strong typing and dependent types, Agda can be used as a proof assistant, allowing to prove mathematical theorems (in a constructive setting) and to run such proofs algorithm. For example, a function of type $ (n : \text{Nat}) -> (\text{PrimRoot } n) $ is also a proof that every natural number has a primitive root. ## Prerequisites You need recent versions of the