
Formal Proof—Theory and Practice
John Harrison

John Harrison is principal engineer at Intel Corporation in Hillsboro, Oregon. His email address is johnh@ichips.intel.com.

Notices of the AMS, Volume 55, Number 11, December 2008

A formal proof is a proof written in a precise artificial language that admits only a fixed repertoire of stylized steps. This formal language is usually designed so that there is a purely mechanical process by which the correctness of a proof in the language can be verified. Nowadays, there are numerous computer programs known as proof assistants that can check, or even partially construct, formal proofs written in their preferred proof language. These can be considered as practical, computer-based realizations of the traditional systems of formal symbolic logic and set theory proposed as foundations for mathematics.

Why should we wish to create formal proofs? Of course, one may consider it just a harmless and satisfying intellectual activity like solving crosswords or doing Sudoku puzzles and not seek a deeper justification. But we can identify two more substantial reasons:

• To establish or refute a thesis about the nature of mathematics or related questions in philosophy.
• To improve the actual precision, explicitness, and reliability of mathematics.

Philosophical goals played an important role in the development of logic and indeed of computer science too [7]. But we’re more interested in the actual use of formalization in mathematics, which we think is not such a radical departure from existing practice as it might appear. In some of its most fertile periods, mathematics has been developed in speculative and imaginative ways lacking obvious logical justification. Yet many great mathematicians like Newton and Euler were clearly self-conscious about a lack of rigor in their work [24]. Following the waves of innovation, there have always followed corresponding periods of retrenchment, analyzing foundations and increasingly adopting a strict axiomatic-deductive style, either to resolve apparent problems or just to make the material easier to teach convincingly [11]; the “ε-δ” explanation of limits in calculus is a classic example. Complete formalization is a natural further step in this process of evolution towards greater clarity and precision. To be more concrete, our own hopes for formalization are focused on two specific goals:

• Supplementing, or even partly replacing, the process of peer review for mainstream mathematical papers with an objective and mechanizable criterion for the correctness of proofs.
• Extending rigorous proof from pure mathematics to the verification of computer systems (programs, hardware systems, protocols, etc.), a process that presently relies largely on testing.

It is of course debatable whether, in either case, there is a serious problem with the existing status quo and whether formal proofs can really offer a solution if so. But we will argue in this paper that the answer is a resounding yes in both cases. Recent decades have seen substantial advances, with proof assistants becoming easier to use and more powerful and getting applied to ever more challenging problems.

A significant early milestone in formalization of mathematics was Jutting’s 1970s formalization of Landau’s very detailed proof of the complete ordered field axioms for the real numbers constructed by Dedekind cuts. Today we can point to formalizations starting from similarly basic foundations that reach nontrivial results in topology, analysis, and number theory such as the Jordan Curve Theorem, Cauchy’s integral theorem, and the Prime Number Theorem. Perhaps most spectacularly, Gonthier has completely formalized the proof of the Four-Color Theorem, as described elsewhere in this issue.

Similar progress can be discerned in formal proofs of computer systems. The first proof of compiler correctness by McCarthy and Painter from 1967 was for a compiler from a simple expression language into an invented machine code with four instructions. Recently, Leroy has produced a machine-checked correctness proof for a compiler from a significant fragment of C to a real current microprocessor. In some parts of the computer industry, especially in critical areas such as avionics, formal methods are becoming an increasingly important part of the landscape.

The present author has been responsible for developing the HOL Light theorem prover, with its many special algorithms and decision procedures, and applying it to the formalization of mathematics, pure and applied. In his present role, he has been responsible at Intel for the formal verification of a number of algorithms implementing basic floating-point operations [13]. Work of this kind indicates that formalization of pure mathematics and verification applications are not separate activities, one undertaken for fun and the other for profit, but are intimately connected. For example, in order to prove quite concrete results about floating-point operations, we need nontrivial results from mainstream real analysis and number theory, even before we consider all the special properties of floating-point rounding.

Formal Symbolic Logic

The use of symbolic expressions denoting mathematical objects (numbers, sets, matrices, etc.) is well established. We normally write “(x+y)(x−y)” rather than “the product of, on the one hand the sum of the first unknown and the second unknown, and on the other hand the difference of the first and the second unknown”. In ancient times such longwinded natural-language renderings were the norm, but over time more and more of mathematics has come to be expressed in symbolic notation. Symbolism is usually shorter, is generally clearer in complicated cases, and avoids some of the clumsiness and ambiguity inherent in natural language. Perhaps most importantly, a well-chosen notation can contribute to making mathematical reasoning itself easier, or even purely mechanical. The positional base-n representation of numbers is a good example: problems like finding sums and differences can then be performed using quite simple fixed procedures that require no mathematical insight or understanding and are therefore even amenable to automation in mechanical calculating machines or their modern electronic counterparts.

Symbolic logic extends the use of symbolism, featuring not only expressions called terms denoting mathematical objects, but also formulas, which are corresponding expressions denoting mathematical propositions. Just as there are operators like addition or set intersection on mathematical objects, symbolic logic uses logical connectives like “and” that can be considered as operators on propositions. The most important have corresponding symbolic forms; for example as we write “x + y” to denote the mathematical object “x plus y”, we can use “p ∧ q” to denote the proposition “p and q”. The basic logical connectives were already used by Boole, and modern symbolic logic also features the universal quantifier “for all” and the existential quantifier “there exists”, whose introduction is usually credited independently to Frege, Peano, and Peirce. The following table summarizes one common notation for the logical constants, connectives and quantifiers:

English                       Symbolic
false                         ⊥
true                          ⊤
not p                         ¬p
p and q                       p ∧ q
p or q                        p ∨ q
p implies q                   p ⇒ q
p iff q                       p ⇔ q
for all x, p                  ∀x. p
there exists x such that p    ∃x. p

For example, an assertion of continuity of a function f : R → R at a point x, which we might state in words as

For all ε > 0, there exists a δ > 0 such that for all x′ with |x − x′| < δ, we also have |f(x) − f(x′)| < ε

could be written as a logical formula

∀ε. ε > 0 ⇒ ∃δ. δ > 0 ∧ ∀x′. |x − x′| < δ ⇒ |f(x) − f(x′)| < ε

The use of logical symbolism is already beneficial for its brevity and clarity when expressing complicated assertions. For example, we can make systematic use of bracketing, e.g., to distinguish between “p ∧ (q ∨ r)” and “(p ∧ q) ∨ r”, while indicating precedences in English is more awkward. But logical symbolism really comes into its own in concert with formal rules of manipulation, i.e., symbolic transformations on formulas that can be applied mechanically without returning to the underlying meanings. For example, one sees at a glance that x = 2y and x/2 = y are equivalent, and applies corresponding manipulations without thinking about why. Logical notation creates a new vista of such mechanical transformations, e.g., from (∃x. P(x)) ⇒ q to ∀x. (P(x) ⇒ q). Symbolism and formal rules of manipulation:

[…] have invariably been introduced to make things easy. […] by the aid of symbolism, we can make transitions in reasoning almost mechanically by the eye, which otherwise would call into play the higher faculties of the brain. […] Civilization advances by extending the number of important operations which can be performed without thinking about them. [27]

In modern formal logic, the emphasis on formal, mechanical manipulation is taken to its natural extreme. We not only make use of logical symbolism, but precisely circumscribe the permissible terms and formulas and define a precise counterpart to the informal notion of proof based purely on

This idealized style of mathematical development was already established in Euclid’s Elements of Geometry. However, its later critical examination raised numerous philosophical difficulties. If mathematics is a purely deductive discipline, what is its relationship with empirical reality? Are the axioms actually true of the real world? Can some axioms be deduced purely logically from the others, or are they all independent? Would it make sense to use different axioms that contradict the usual ones? What are the incontrovertible logical steps admissible in a mathematical proof, and how are they to be distinguished from the substantial mathematical assumptions that we call axioms? Foundational questions of this sort have preoccupied philosophers for millennia. Now and again, related worries have reached a broader community, often as a reaction to disquiet at certain mathematical developments, such as irrational numbers, infinitesimal calculus, and non-Euclidean geometry.
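Two ideas from the text above, the opening definition of a formal proof as a fixed repertoire of stylized steps checked by a purely mechanical process, and the later point that logical symbolism pays off when it comes with formal rules of manipulation that are applied without returning to the meanings, can be seen together in a toy proof kernel. The following Python block is an added example, not code from the paper and not HOL Light's implementation. It assumes a tuple encoding of formulas, uses the connective symbols from the table above, and takes as its rule set a hypothetical minimal natural-deduction fragment (assumption, modus ponens, discharge, and conjunction introduction and elimination) chosen for illustration. The kernel mirrors the LCF design the paper's own prover descends from only in outline: a theorem value can be built solely by the primitive rules, so any value of that type is, by construction, the result of an accepted sequence of steps. A truth-table evaluator is included so that what the kernel proves can be checked independently against the semantics, and so that the bracketing example "p ∧ (q ∨ r)" versus "(p ∧ q) ∨ r" can be shown to be genuinely different.

```python
"""Toy LCF-style proof kernel for propositional logic (added example, not the paper's code).

Assumptions: formulas are nested tuples ("var", name), ("not", p), ("and", p, q),
("or", p, q), ("imp", p, q), ("iff", p, q), ("true",), ("false",); the six
primitive rules below are a hypothetical minimal fragment, not HOL Light's kernel.
"""
from itertools import product

SYMBOL = {"not": "¬", "and": "∧", "or": "∨", "imp": "⇒", "iff": "⇔",
          "true": "⊤", "false": "⊥"}  # the notation from the paper's table


def show(f):
    """Render a formula in the symbolic notation of the table."""
    tag = f[0]
    if tag == "var":
        return f[1]
    if tag in ("true", "false"):
        return SYMBOL[tag]
    if tag == "not":
        return "¬" + show(f[1])
    return "(" + show(f[1]) + " " + SYMBOL[tag] + " " + show(f[2]) + ")"


def holds(f, env):
    """Truth-table semantics: the meaning of f under an assignment of its variables."""
    tag = f[0]
    if tag == "var":
        return env[f[1]]
    if tag in ("true", "false"):
        return tag == "true"
    if tag == "not":
        return not holds(f[1], env)
    a, b = holds(f[1], env), holds(f[2], env)
    return {"and": a and b, "or": a or b, "imp": (not a) or b, "iff": a == b}[tag]


def variables(f, acc=None):
    """Collect the variable names occurring in f."""
    acc = set() if acc is None else acc
    if f[0] == "var":
        acc.add(f[1])
    for sub in f[1:]:
        if isinstance(sub, tuple):
            variables(sub, acc)
    return acc


def tautology(f):
    """Mechanically decide f by exhausting all 2^n assignments (semantic check)."""
    vs = sorted(variables(f))
    return all(holds(f, dict(zip(vs, vals))) for vals in product([False, True], repeat=len(vs)))


class Thm:
    """A theorem Γ ⊢ p. Only the primitive rules below can construct one."""
    _key = object()  # capability token: rules pass it, everything else cannot

    def __init__(self, key, hyps, concl):
        if key is not Thm._key:
            raise TypeError("theorems are built only by the primitive rules")
        self.hyps, self.concl = frozenset(hyps), concl

    def __repr__(self):
        lhs = ", ".join(sorted(show(h) for h in self.hyps))
        return (lhs + " " if lhs else "") + "⊢ " + show(self.concl)


# ---- the fixed repertoire of stylized steps ------------------------------
def assume(p):                 # p ⊢ p
    return Thm(Thm._key, {p}, p)

def discharge(p, th):          # Γ ⊢ q  gives  Γ \ {p} ⊢ p ⇒ q
    return Thm(Thm._key, th.hyps - {p}, ("imp", p, th.concl))

def mp(th_imp, th_p):          # Γ1 ⊢ p ⇒ q  and  Γ2 ⊢ p  give  Γ1 ∪ Γ2 ⊢ q
    if th_imp.concl[0] != "imp" or th_imp.concl[1] != th_p.concl:
        raise ValueError("modus ponens: antecedent does not match")
    return Thm(Thm._key, th_imp.hyps | th_p.hyps, th_imp.concl[2])

def conj(th1, th2):            # Γ1 ⊢ p  and  Γ2 ⊢ q  give  Γ1 ∪ Γ2 ⊢ p ∧ q
    return Thm(Thm._key, th1.hyps | th2.hyps, ("and", th1.concl, th2.concl))

def conj_left(th):             # Γ ⊢ p ∧ q  gives  Γ ⊢ p
    if th.concl[0] != "and":
        raise ValueError("conj_left: not a conjunction")
    return Thm(Thm._key, th.hyps, th.concl[1])

def conj_right(th):            # Γ ⊢ p ∧ q  gives  Γ ⊢ q
    if th.concl[0] != "and":
        raise ValueError("conj_right: not a conjunction")
    return Thm(Thm._key, th.hyps, th.concl[2])


def prove_and_comm(p, q):
    """A formal proof of (p ∧ q) ⇒ (q ∧ p): three kernel steps, no appeal to meaning."""
    h = assume(("and", p, q))                    # p ∧ q ⊢ p ∧ q
    body = conj(conj_right(h), conj_left(h))     # p ∧ q ⊢ q ∧ p
    return discharge(("and", p, q), body)        # ⊢ (p ∧ q) ⇒ (q ∧ p)


def demo():
    """Constructed inputs: p, q, r are propositional variables."""
    p, q, r = ("var", "p"), ("var", "q"), ("var", "r")
    th = prove_and_comm(p, q)
    # The two readings of "p and q or r" from the text are not equivalent:
    ambiguous = ("iff", ("and", p, ("or", q, r)), ("or", ("and", p, q), r))
    try:                                          # an ill-formed step is rejected
        mp(assume(("imp", p, q)), assume(r))
        rejected = False
    except ValueError:
        rejected = True
    return repr(th), tautology(ambiguous), rejected


if __name__ == "__main__":
    print(demo())
```

Running the block prints the proved theorem in the table's notation, reports that the bracketing example is not a tautology (p false and r true is a counterexample), and confirms that a mismatched modus ponens is refused. The point of the design is that `tautology` and the kernel are independent: the kernel never evaluates anything, it only checks that each step has the permitted shape, which is exactly the "purely mechanical process" of the opening paragraph.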