Formal Verification and Proof Assistants
Formal verification establishes, by machine-checked mathematical proof, that software meets its specification; proof assistants are the tools that build and check such proofs.
Definition
Formal verification is the construction of a rigorous, machine-checked proof that a system satisfies a formal specification, and a proof assistant is software that helps a user develop such proofs and mechanically checks their validity.
Scope
This topic covers deductive verification and interactive theorem proving: proof assistants based on type theory or higher-order logic (such as Coq, Isabelle, Lean, and Agda), the LCF approach to trustworthy proof, the propositions-as-types foundation, proof automation and tactics, and landmark verified artifacts including compilers and operating-system kernels.
Core questions
- How can full functional correctness be proved and machine-checked?
- Why are proof assistants trustworthy, and what is the trusted computing base?
- How does the Curry-Howard correspondence connect proofs and programs?
- What does it take to verify real systems like compilers and kernels?
Key theories
- LCF approach to trustworthy proof
- Gordon, Milner, and Wadsworth's Edinburgh LCF introduced a small trusted proof kernel through which all theorems must pass, so that even complex automation cannot produce unsound proofs.
- Verified compiler (CompCert)
- Leroy's CompCert is a C compiler proved correct in a proof assistant, with a machine-checked theorem that the generated code refines the semantics of the source program.
- Verified operating-system kernel (seL4)
- Klein and colleagues produced a machine-checked proof of functional correctness for the seL4 microkernel, demonstrating end-to-end verification of low-level systems software.
Clinical relevance
Mechanized verification delivers the highest assurance available for critical software, producing compilers, kernels, and cryptographic libraries with proven guarantees rather than testing-based confidence. Proof assistants are also increasingly used to formalize mathematics itself.
History
Interactive theorem proving began with Edinburgh LCF in the 1970s, whose ML metalanguage and trusted kernel shaped later systems. Type-theory-based assistants such as Coq and Agda and higher-order-logic systems such as Isabelle/HOL matured over following decades, culminating in landmark verified artifacts: the CompCert compiler (2009) and the seL4 kernel (2009).
Debates
- Cost of verification versus assurance gained
- Building machine-checked proofs of large systems requires enormous effort, prompting debate over where full verification is justified versus where lighter-weight methods suffice, and how much proof can be automated.
Key figures
- Robin Milner
- Michael Gordon
- Xavier Leroy
- Gerwin Klein
- Robert Harper
Related topics
Seminal works
- gordon1979
- leroy2009
- klein2009
- harper2016
Frequently asked questions
- What is a proof assistant?
- A proof assistant is software in which a user constructs formal proofs interactively while the system mechanically checks every step, so that a completed proof is trustworthy down to a small, well-scrutinized kernel.
- How is verifying a program different from testing it?
- Testing checks behavior on selected inputs and can only reveal the presence of bugs, while formal verification proves correctness for all inputs allowed by the specification, establishing the absence of the specified errors.