ProofPeer: Collaborative Theorem Proving

ProofPeer We define the concept of collaborative theorem proving and outline our plan to make it a reality. We believe that a successful implementation of collaborative theorem proving is a necessary prerequisite for the formal verification of large systems. 1 The Challenge In today's computerised and scientific era, making our claims indefeasible is more critical and more relevant than ever. We need to make indefeasible claims about the stability of mission critical hardware and software components [29, 32]. We need to make indefeasible claims about technology used in medicine where mistakes literally kill [14]. And we are now entering an age where malware is transforming from a nuisance into a weapon of warfare [31]. In response to the challenge of making indefeasible claims, the fields of automated and interactive theorem proving have emerged. Automated theorem proving (ATP) is the mechanical checking of comput-erised proofs by mostly black box software components. Interactive theorem proving (ITP) builds on this by allowing human insight to guide and coordinate ATP systems in almost arbitrary ways as they struggle in non-trivial domains. ITP has had noteworthy successes. It has been used to prove the four colour theorem [33] in Coq [4], the correctness of the seL4 microkernel [45, 27] in Isabelle [8], the correctness of a (large subset of a) C compiler in Coq [49], and most recently, the proof of the Feit-Thompson odd order theorem [34] in Coq. Finally, the complete mechanisation of the formal proof of the Kepler conjecture in HOL Light [7] is the ongoing goal of the Flyspeck project [38]. With these projects, we already have evidence that we can indefeasibly verify claims of both industrially relevant software and deep mathematical problems, all using the same technology. Table 1 lists the mentioned projects together with their duration and a rough estimate of their size in terms of lines of 3 verification code. The scale here is impressive and might come as a surprise to those outside ITP circles. However, these are toy examples compared to serious problems such as the verification of a software system as large as, say, the Linux operating system kernel. Here, we would need to tackle a problem that is based on (as of Linux 3.2) about fifteen million lines of C code, contributed by over 1300 developers and over 200 companies. The following seems obvious to us: Linux itself is the result of a large collaborative …