# Tobias Nipkow's research while affiliated with Technische Universität München and other places

**What is this page?**

This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

## Publications (226)

In this paper we present the verification of an imperative implementation of the ubiquitous B\(^+\)-tree data structure in the interactive theorem prover Isabelle/HOL. The implementation supports membership test, insertion and range queries with efficient binary search for intra-node navigation. The imperative implementation is verified in two step...

In this paper we present the verification of an imperative implementation of the ubiquitous B+-tree data structure in the interactive theorem prover Isabelle/HOL. The implementation supports membership test, insertion and range queries with efficient binary search for intra-node navigation. The imperative implementation is verified in two steps: an...

We present the first formal verification of approximation algorithms for NP-complete optimization problems: vertex cover, independent set, set cover, center selection, load balancing, and bin packing. We uncover incompletenesses in existing proofs and improve the approximation ratio in one case. All proofs are uniformly invariant based.

We present the first verified implementation of a decision procedure for the quantifier-free theory of partial and linear orders. We formalise the procedure in Isabelle/HOL and provide a specification that is made executable using Isabelle’s code generator. The procedure is already part of the development version of Isabelle as a sub-procedure of t...

Isabelle is a generic theorem prover with a fragment of higher-order logic as a metalogic for defining object logics. Isabelle also provides proof terms. We formalize this metalogic and the language of proof terms in Isabelle/HOL, define an executable (but inefficient) proof term checker and prove its correctness w.r.t. the metalogic. We integrate...

We present the first formal verification of approximation algorithms for NP-complete optimization problems: vertex cover, independent set, set cover, load balancing, and bin packing. We uncover incompletenesses in existing proofs and improve the approximation ratio in one case.

We present the first verified implementation of a decision procedure for the quantifier-free theory of partial and linear orders. We formalise the procedure in Isabelle/HOL and provide a specification that is made executable using Isabelle's code generator. The procedure is already part of the development version of Isabelle as a sub-procedure of t...

Isabelle is a generic theorem prover with a fragment of higher-order logic as a metalogic for defining object logics. Isabelle also provides proof terms. We formalize this metalogic and the language of proof terms in Isabelle/HOL, define an executable (but inefficient) proof term checker and prove its correctness w.r.t. the metalogic. We integrate...

This article surveys the state of the art of verifying standard textbook algorithms. We focus largely on the classic text by Cormen et al. Both correctness and running time complexity are considered.

We present the first formal verification of approximation algorithms for NP-complete optimization problems: vertex cover, independent set, load balancing, and bin packing. We uncover incompletenesses in existing proofs and improve the approximation ratio in one case.

We verify two related divide-and-conquer algorithms solving one of the fundamental problems in Computational Geometry, the Closest Pair of Points problem. Using the interactive theorem prover Isabelle/HOL, we prove functional correctness and the optimal running time of \(\mathcal {O}(n \log n)\) of the algorithms. We generate executable code which...

This work is a case study of the formal verification and complexity analysis of some famous probabilistic algorithms and data structures in the proof assistant Isabelle/HOL. In particular, we consider the expected number of comparisons in randomised quicksort, the relationship between randomised quicksort and average-case deterministic quicksort, t...

Interactive theorem provers have developed dramatically over the past four decades, from primitive beginnings to today’s powerful systems. Here, we focus on Isabelle/HOL and its distinctive strengths. They include automatic proof search, borrowing techniques from the world of first order theorem proving, but also the automatic search for counterexa...

The goal of the LEDA project was to build an easy-to-use and extendable library of correct and efficient data structures, graph algorithms and geometric algorithms. We report on the use of formal program verification to achieve an even higher level of trustworthiness. Specifically, we report on an ongoing and largely finished verification of the bl...

Interactive theorem provers have developed dramatically over the past four decades, from primitive beginnings to today's powerful systems. Here, we focus on Isabelle/HOL and its distinctive strengths. They include automatic proof search, borrowing techniques from the world of first order theorem proving, but also the automatic search for counterexa...

A framework for the analysis of the amortized complexity of functional data structures is formalized in the proof assistant Isabelle/HOL and applied to a number of standard examples and to the following non-trivial ones: skew heaps, splay trees, splay heaps and pairing heaps. The proofs are completely algebraic and are presented in some detail.

We present a lightweight framework in Isabelle/HOL for the automatic verified (functional or imperative) memoization of recursive functions. Our tool constructs a memoized version of the recursive function and proves a correspondence theorem between the two functions. A number of simple techniques allow us to achieve bottom-up computation and space...

This work is a case study of the formal verification and complexity analysis of some famous probabilistic algorithms and data structures in the proof assistant Isabelle/HOL. In particular, we consider the expected number of comparisons in randomised quicksort, the relationship between randomised quicksort and average-case deterministic quicksort, t...

Many theorem provers can generate functional programs from definitions or proofs. However, this code generation needs to be trusted. Except for the HOL4 system, which has a proof producing code generator for a subset of ML. We go one step further and provide a verified compiler from Isabelle/HOL to CakeML. More precisely we combine a simple proof p...

We study three different Hoare logics for reasoning about time bounds of imperative programs and formalize them in Isabelle/HOL: a classical Hoare like logic due to Nielson, a logic with potentials due to Carbonneaux et al. and a separation logic following work by Atkey, Chaguérand and Pottier. These logics are formally shown to be sound and comple...

Andersson introduced general balanced trees, search trees based on the design principle of partial rebuilding: perform update operations naively until the tree becomes too unbalanced, at which point a whole subtree is rebalanced. We define and analyze a functional version of general balanced trees which we call root-balanced trees. Using a lightwei...

Recent accidents involving autonomous vehicles prompt us to consider how we can engineer an autonomous vehicle which always obeys traffic rules. This is particularly challenging because traffic rules are rarely specified at the level of detail an engineer would expect. Hence, it is nearly impossible to formally monitor behaviours of autonomous vehi...

Bei der Entwicklung von Software ist es aufgrund ihrer Komplexität erforderlich, automatisierte Verfahren zur Überprüfung der korrekten Funktion einzusetzen. Um die Integration und korrekte Zusammenarbeit verschiedener Komponenten großer Softwaresysteme sicherzustellen, entwickeln Forschergruppen an den Münchner Universitäten sowohl Modell-basierte...

In a new approach, functional correctness specifications of insert/update and delete operations on search trees are expressed on the level of lists by means of an inorder traversal function that projects trees to lists. With the help of a small lemma library, functional correctness and preservation of the search tree property are proved automatical...

A framework for the analysis of the amortized complexity of (functional) data structures is formalized in Isabelle/HOL and applied to a number of standard examples and to three famous non-trivial ones: skew heaps, splay trees and splay heaps.

The Archive of Formal Proofs is a vast collection of computer-checked proofs developed using the proof assistant Isabelle. We perform an in-depth analysis of the archive, looking at various properties of the proof developments, including size, dependencies, and proof style. This gives some insights into the nature of formal proofs.

Bhat et al. developed an inductive compiler that computes density functions for probability spaces described by programs in a prob-abilistic functional language. We implement such a compiler for a modified version of this language within the theorem prover Isabelle and give a formal proof of its soundness w. r. t. the semantics of the source and ta...

Monadic second-order logic on finite words is a decidable yet expressive logic into which many decision problems can be encoded. Since MSO formulas correspond to regular languages, equivalence of MSO formulas can be reduced to the equivalence of some regular structures (e.g., automata). This paper presents a verified functional decision procedure f...

This article describes a formal proof of the Kepler conjecture on dense
sphere packings in a combination of the HOL Light and Isabelle proof
assistants. This paper constitutes the official published account of the now
completed Flyspeck project.

So far we have proved properties of IMP, like type soundness, or properties of tools for IMP, like compiler correctness, but almost never properties of individual IMP programs. The Isabelle part of the book has taught us how to prove properties of functional programs, but not of imperative ones.

This chapter introduces types into IMP, first a traditional programming language type system, then more sophisticated type systems for information flow analysis. Why bother with types? Because they prevent mistakes. They are a simple, automatic way to find obvious problems in programs before these programs are ever run.

In Chapter 10 we saw a number of automatic program analyses, and each one was hand crafted. Abstract Interpretation is a generic approach to automatic program analysis. In principle, it covers all of our earlier analyses. In this chapter we ignore the optimizing program transformations that accompany certain analyses.

To talk about semantics, we first need a programming language. This chapter defines one: a minimalistic imperative programming language called IMP. The main aim of this chapter is to introduce the concepts of commands and their abstract syntax, and to use them to illustrate two styles of defining the semantics of a programming language: big-step an...

Program analysis, also known as static analysis, describes a whole field of techniques for the static (i.e. compile-time) analysis of programs.

Apply-scripts are unreadable and hard to maintain. The language of choice for larger proofs is Isar. The two key features of Isar are (1) It is structured, not linear. (2) It is readable without its being run because you need to state what you are proving at any given point. Whereas apply-scripts are like assembly language programs, Isar proofs are...

This chapter introduces HOL as a functional programming language and shows how to prove properties of functional programs by induction.

The core syntax of formulas (form below) provides the standard logical constructs, in decreasing order of precedence.

This chapter presents a first application of programming language semantics: proving compiler correctness. To this end, we will define a small machine language based on a simple stack machine. Stack machines are common lowlevel intermediate languages; the Java Virtual Machine is one example. We then write a compiler from IMP to this language and pr...

So far we have worked exclusively with various operational semantics which are defined by inference rules that tell us how to execute some command. But those rules do not tell us directly what the meaning of a command is. This is what denotational semantics is about: mapping syntactic objects to their denotation or meaning. In fact, we are already...

This chapter introduces HOL as a functional programming language and shows how to prove properties of functional programs by induction.

The methods of the previous chapter suffice to define the arithmetic and Boolean expressions of the programming language IMP that is the subject of this book. In this chapter we define their syntax and semantics, write little optimizers for them and show how to compile arithmetic expressions to a simple stack machine. Of course we also prove the co...

Part I of this book is a practical introduction to working with the Isabelle proof assistant. It teaches you how to write functional programs and inductive definitions and how to prove properties about them in Isabelle’s structured proof language. Part II is an introduction to the semantics of imperative languages with an emphasis on applications l...

We report on our experience teaching a Haskell-based functional programming course to over 1100 students for two winter terms. The syllabus was organized around selected material from various sources. Throughout the terms, we emphasized correctness through QuickCheck tests and proofs by induction. The submission architecture was coupled with automa...

We report on our experience teaching a Haskell-based functional programming course to over 1100 students for two winter terms. The syllabus was organized around selected material from various sources. Throughout the terms, we emphasized correctness through QuickCheck tests and proofs by induction. The submission architecture was coupled with automa...

We formalize a unified framework for verified decision procedures for regular expression equivalence. Five recently published formalizations of such decision procedures (three based on derivatives, two on marked regular expressions) can be obtained as instances of the framework. We discover that the two approaches based on marked regular expression...

We present a uniform, top-down design method for security type systems
applied to a parallel while-language. The method takes the following
route: from a notion of end-to-end security via a collection
of stronger notions of anytime security targeting
compositionality to a matching collection of type-system-like
syntactic criteria. This method has e...

We present an Isabelle formalization of probabilistic noninterference for a multi-threaded language with uniform scheduling. Unlike in previous settings from the literature, here probabilistic behavior comes from both the scheduler and the individual threads, making the language more realistic and the mathematics more challenging. We study resumpti...

Monadic second-order logic on finite words (MSO) is a decidable yet expressive logic into which many decision problems can be encoded. Since MSO formulas correspond to regular languages, equivalence of MSO formulas can be reduced to the equivalence of some regular structures (e.g. automata). This paper presents a verified functional decision proced...

Monadic second-order logic on finite words (MSO) is a decidable yet expressive logic into which many decision problems can be encoded. Since MSO formulas correspond to regular languages, equivalence of MSO formulas can be reduced to the equivalence of some regular structures (e.g. automata). This paper presents a verified functional decision proced...

We survey a number of decision procedures for the equivalence of regular expressions that have been formalised with the help of interactive proof assistant over the past few years.

We develop a framework for expressing and analyzing the behavior of probabilistic schedulers. There, we define noninterfering schedulers by a probabilistic interpretation of Goguen and Meseguer’s seminal notion of noninterference. Noninterfering schedulers are proved to be safe in the following sense: if a multi-threaded program is possibilisticall...

The paper shows how the code generator of Isabelle/HOL supports data refinement, i.e., providing efficient code for operations on abstract types, e.g., sets or numbers. This allows all tools that employ code generation, e.g., Quickcheck or proof by evaluation, to compute with these abstract types. At the core is an extension of the code generator t...

We present an LTL model checker whose code has been completely verified using the Isabelle theorem prover. The checker consists of over 4000 lines of ML code. The code is produced using recent Isabelle technology called the Refinement Framework, which allows us to split its correctness proof into (1) the proof of an abstract version of the checker,...

We perform a formal analysis of compositionality techniques for proving possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninterference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ensur...

Probabilistic model checkers like PRISM only check probabilistic systems of a
fixed size. To guarantee the desired properties for an arbitrary size,
mathematical analysis is necessary. We show for two case studies how this can
be done in the interactive proof assistant Isabelle/HOL. The first case study
is a detailed description of how we verified...

We perform a formal analysis of compositionality techniques for prov-ing possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninter-ference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ens...

This paper formalizes a generic abstract interpreter for a while-language, including widening and narrowing. The collecting semantics and the abstract interpreter operate on annotated commands: the program is represented as a syntax tree with the semantic information directly embedded, without auxiliary labels. The aim of the paper is simplicity of...

We describe and verify an elegant equivalence checker for regular expressions. It works by constructing a bisimulation relation
between (derivatives of) regular expressions. By mapping regular expressions to binary relations, an automatic and complete
proof method for (in)equalities of binary relations over union, composition and (reflexive) transi...

These theories define NanoJava, a very small fragment of the programming language Java (with essentially just classes) derived from the one given in (1). For NanoJava, an operational semantics is given as well as a Hoare logic, which is proved both sound and (relatively) complete. The Hoare logic supports side-eecting expressions and implements a n...

Probabilistic model checkers like PRISM check the satisfiability of probabilistic CTL (pCTL) formulas against discrete-time Markov chains. We prove soundness and completeness of their underlying algorithm in Isabelle/HOL. We define Markov chains given by a transition matrix and formalize the corresponding probability measure on sets of paths. The f...

We describe a course on the semantics of a simple imperative programming language and on applications to compilers, type systems, static analyses and Hoare logic. The course is entirely based on the proof assistant Isabelle and includes a compact introduction to Isabelle. The overall aim is to teach the students how to write correct and readable pr...

We describe two formal proofs of the finite version of Hall's Marriage Theorem performed with the proof assistant Isabelle/HOL, one by Halmos and Vaughan and one by Rado. The distinctive feature of our formalisation is that instead of sequences (often found in statements of this theorem) we employ indexed families, thus avoiding tedious reindexing...

We investigate how to add coercive structural subtyping to a type system for simply-typed lambda calculus with Hindley-Milner polymorphism. Coercions allow to convert between different types, and their automatic insertion can greatly increase readability of terms. We present a type inference algorithm that, given a term without type information, co...

Isabelle/HOL is a popular interactive theorem prover based on higherorder logic. It owes its success to its ease of use and powerful automation. Much of the automation is performed by external tools: The metaprover Sledgehammer relies on resolution provers and SMT solvers for its proof search, the counterexample generator Quickcheck uses the ML com...

Due to a recent revision of Hales’s proof of the Kepler Conjecture, the existing verification of the central graph enumeration
procedure had to be revised because it now has to cope with more than 109 graphs. This resulted in a new and modular design. This paper primarily describes the reusable components of the new design:
a while combinator for p...

This document shows how to typset mathematics in Isabelle-based documents in a style close to that in ordinary computer science papers. 1

1 Basic definitions of Lambda-calculus 4 1.1 Lambda-terms in de Bruijn notation and substitution.... 4 1.2 Beta-reduction.......................... 4

Sledgehammer, a component of the interactive theorem prover Isabelle, finds proofs in higher-order logic by calling the automated
provers for first-order logic E, SPASS and Vampire. This paper is the largest and most detailed empirical evaluation of such
a link to date. Our test data consists of 1240 proof goals arising in 7 diverse Isabelle theori...

Nitpick is a counterexample generator for Isabelle/HOL that builds on Kodkod, a SAT-based first-order relational model finder.
Nitpick supports unbounded quantification, (co)inductive predicates and datatypes, and (co)recursive functions. Fundamentally
a finite model finder, it approximates infinite types by finite subsets. As case studies, we cons...

We present the meta-theory behind the code generation fa- cilities of Isabelle/HOL. To bridge the gap between the source (higher- order logic with type classes) and the many possible targets (functional programming languages), we introduce an intermediate language, Mini- Haskell. To relate the source and the intermediate language, both are given a...

This article presents formalizations in higher-order logic of two proofs of Arrow’s impossibility theorem due to Geanakoplos. The Gibbard-Satterthwaite theorem is derived as a corollary. Lacunae found in the literature are discussed.

Diese Arbeit ist der zweite größere Beitrag zum Flyspeck-Projekt, dessen Ziel die vollständige maschinelle Verifikation des Beweises der Keplerschen Vermutung ist, den Thomas Hales 1998 gegeben hat.
Wir spezifizieren, generieren, und berechnen Schranken für die von Hales sogenannten elementaren linearen Programme , und zwar innerhalb des interaktiv...

The Kepler conjecture asserts that no packing of congruent balls in three-dimensional Euclidean space has density greater than that of the face-centered cubic packing. The original proof, announced in 1998 and published in 2006, is long and complex. The process of revision and review did not end with the publication of the proof. This article summa...

This paper presents verified quantifier elimination procedures for dense linear orders (two of them novel), for real and for
integer linear arithmetic. All procedures are defined and verified in the theorem prover Isabelle/HOL, are executable and
can be applied to HOL formulae themselves (by reflection). The formalization of the different theories...

We present a novel compiled approach to Normalization by Evaluation (NBE) for ML-like languages. It supports ecient normal- ization of open -terms w.r.t. -reduction and rewrite rules. We have implemented NBE and show both a detailed formal model of our imple- mentation and its verification in Isabelle. Finally we discuss how NBE is turned into a pr...

Isabelle, which is available from
http://isabelle.in.tum.de
, is a generic framework for interactive theorem proving. The Isabelle/Pure meta-logic allows the formalization of the syntax and inference rules of a broad range of object-logics following the general idea of natural deduction [32,33]. The logical core is implemented according to the well...

This article presents detailed implementations of quantifier elimination for both integer and real linear arithmetic for theorem provers. The underlying algorithms are those by Cooper (for Z) and by Ferrante and Racko (for R). Both algorithms are realized in two entirely dierent ways: once in tactic style, i.e. by a proof-producing functional progr...

The Milner-Damas typing algorithm W is one of the classic algorithms in Com- puter Science. In this paper we describe a formalised soundness and completeness proof for this algorithm. Our formalisation is based on names for both term and type variables, and is carried out in Isabelle/HOL using the Nominal Datatype Package. It turns out that in our...

This article formalizes two proofs of Arrow's impossibility theorem due to Geanakoplos and derives the Gibbard-Satterthwaite theorem as a corollary. One formalization is based on utility functions, the other one on strict partial orders. For an article about these proofs see http://www.in.tum.de/ nipkow/pubs/ arrow.pdf.

Using the theorem prover Isabelle/HOL we have formalized and proved correct an executable bytecode verifier in the style of
Kildall’s algorithm for a significant subset of the Java Virtual Machine. First an abstract framework for proving correctness
of data flow based type inference algorithms for assembly languages is formalized. It is shown that...

This volume contains the proceedings of the Sixth International Workshop on Automated Verification of Critical Systems (AVoCS 2006), which was held on September 18–19, 2006 in Nancy, France. The workshop is devoted to techniques and tools for the verification of critical systems, and applications thereof. It aims to being together researchers from...

Wir prasentieren eine operationelle Semantik mit Typsicherheitsbeweis f¨ ur Mehr- fachvererbung in C++, formalisiert im und maschinengepruft durch den Maschinen- beweiser Isabelle/HOL. Die Typsicherheit des Vererbungsmechanismus von C++ war lange offen. Der nun vorliegende Beweis erh¨ oht das Vertrauen in die Sprache, er- zeugt aber auch neue Einsi...

This talk presents reflected quantifier elimination procedures for both integer and real linear arithmetic. Reflection means that the algorithms are expressed as recursive functions on recursive data types inside some logic (in our case HOL), are verified in that logic, and can then be applied to the logic itself. After a brief overview of reflecti...

We present a simple method to formally prove termination of recursive functions by searching for lexicographic combinations of size measures. Despite its simplicity, the method turns out to be powerful enough to solve a large majority of termination problems encountered in daily theorem proving practice.

Two models of an electronic hotel key card system are contrasted: a state based and a trace based one. Both are dened, veried, and proved equivalent in the theorem prover Isabelle/HOL. It is shown that if a guest follows a certain safety policy regarding her key cards, she can be sure that nobody but her can enter her room.

This paper presents the first machine-checked verification of Milner‘s type inference algorithm W for computing the most general type of an untyped λ-term enriched with let-expressions. This term language is the core of most typed functional programming languages and is also known as Mini-ML. We show how to model all the concepts involved, in parti...

We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behaviour of method calls, field accesses, and two forms of casts in C++ class hierarchies exactly, and the type safety proof was formalized and machine-checked in Isabelle/HOL. Our semantics enables one, for the first time, to unders...

We present a verified enumeration of tame graphs as defined in Hales' proof of the Kepler Conjecture and confirm the completeness of Hales' list of all tame graphs while reducing it from 5128 to 2771 graphs.