Proof Checking the Proof

2a) Summary. It is considered a fact of life that all serious computer programs contain errors, so-called ‘bugs’. Empirical data indicates that production software has around two bugs per thousand lines of source code, and even programs used on space missions by NASA are believed to have around 0.1 bugs per thousand lines of code [26]. Interactive theorem proving is a technology for building programs that almost certainly have zero bugs per thousand lines of code. Already some significant programs have been shown to be fully correct. For instance both the certified C compiler of Xavier Leroy [25, 8] and the programs from the proof of the Four Color Theorem by Georges Gonthier [13] have been formally shown – with a fully computer-checked proof – to do precisely what they should do, and therefore are guaranteed to be bug-free. This technology of interactive theorem proving for software correctness is on the verge of becoming widely applicable. A sign that this moment has not yet arrived is that currently it is not even used by the very people who build tools for it. Thus far, no system for interactive theorem proving has been formally proved bug-free. The Proof Checking the Proof Checker project will change this situation. At the end of this project one of the best systems for interactive theorem proving will have used its own technology to establish that it is completely sound. Furthermore not just a model, but the actual source code of the program will have been proved correct.