papers/bib/bib-joehurd.bib

@INPROCEEDINGS{aagaard1998,
  AUTHOR = {Mark D. Aagaard and Robert B. Jones and Carl-Johan H. Seger},
  TITLE = {Combining Theorem Proving and Trajectory Evaluation in an Industrial Environment},
  PAGES = {538--541},
  BOOKTITLE = {Proceedings of the 1998 Conference on Design Automation ({DAC}-98)},
  MONTH = JUN,
  PUBLISHER = {ACM/IEEE},
  ADDRESS = {Los Alamitos, CA},
  YEAR = 1998
}

@ARTICLE{abadi1994,
  AUTHOR = {Martin Abadi and Joseph Y. Halpern},
  TITLE = {Decidability and expressiveness for first-order logics of probability},
  JOURNAL = {Information and Computation},
  YEAR = 1994
}

@BOOK{ackermann1954,
  AUTHOR = {Wilhelm Ackermann},
  TITLE = {Solvable Cases of the Decision Problem},
  PUBLISHER = {North-Holland},
  SERIES = {Studies in Logic and the Foundations of Mathematics},
  ADDRESS = {Amsterdam},
  YEAR = 1954
}

@INCOLLECTION{ahrendt1998,
  AUTHOR = {Wolfgang Ahrendt and Bernhard Beckert and Reiner H{\"a}hnle and Wolfram Menzel and Wolfgang Reif and Gerhard Schellhorn and Peter H. Schmitt},
  TITLE = {Integration of Automated and Interactive Theorem Proving},
  PUBLISHER = {Kluwer},
  BOOKTITLE = {Automated Deduction: A Basis for Applications},
  EDITOR = {W. Bibel and P. Schmitt},
  YEAR = 1998,
  VOLUME = {II},
  CHAPTER = {4},
  PAGES = {97--116},
  URL = {http://i11www.ira.uka.de/~ahrendt/papers/intDfgPaper.ps.gz},
  ABSTRACT = {In this chapter we present a project to integrate interactive and
automated theorem proving. Its aim is to combine the advantages of the
two paradigms. We focus on one particular application domain, which is
deduction for the purpose of software verification. Some of the
reported facts may not be valid in other domains. We report on the
integration concepts and on the experimental results with a prototype
implementation.}
}

@INPROCEEDINGS{armando1998,
  AUTHOR = {A. Armando and S. Ranise},
  TITLE = {From Integrated Reasoning Specialists to ``Plug-and-Play'' Reasoning Components},
  PAGES = {42--54},
  CROSSREF = {aisc1998}
}

@ARTICLE{armando2002,
  AUTHOR = {Alessandro Armando and Silvio Ranise and Michael Rusinowitch},
  TITLE = {A Rewriting Approach to Satisfiability Procedures},
  JOURNAL = {Information and Computation},
  NOTE = {To appear},
  URL = {http://www.loria.fr/~rusi/pub/longcsl01.ps}
}

@INPROCEEDINGS{astrachan1992,
  AUTHOR = {Owen L. Astrachan and Mark E. Stickel},
  TITLE = {Caching and Lemmaizing in Model Elimination Theorem Provers},
  PAGES = {224--238},
  CROSSREF = {cade1992},
  URL = {http://www.cs.duke.edu/~ola/meteor.html}
}

@ARTICLE{astrachan1997,
  TITLE = {The Use of Lemmas in the Model Elimination Procedure},
  AUTHOR = {O. L. Astrachan and Donald W. Loveland},
  JOURNAL = {Journal of Automated Reasoning},
  PAGES = {117--141},
  MONTH = AUG,
  YEAR = 1997,
  VOLUME = 19,
  NUMBER = 1,
  URL = {http://www.cs.duke.edu/~ola/meteor.html}
}

@BOOK{baader1998,
  AUTHOR = {Franz Baader and Tobias Nipkow},
  TITLE = {Term Rewriting and All That},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1998
}

@BOOK{baker1984,
  AUTHOR = {Alan Baker},
  TITLE = {A Concise Introduction to the Theory of Numbers},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1984
}

@INPROCEEDINGS{baker1992,
  AUTHOR = {Siani Baker and Andrew Ireland and Alan Smaill},
  TITLE = {On the Use of the Constructive Omega-Rule Within Automated Deduction},
  PAGES = {214--225},
  CROSSREF = {lpar1992},
  URL = {http://www.dai.ed.ac.uk/papers/documents/rp560.html},
  ABSTRACT = {The cut elimination theorem for predicate calculus states that every
proof may be replaced by one which does not involve use of the cut
rule. This theorem no longer holds when the system is extended with
Peano's axioms to give a formalisation for arithmetic. The problem of
generalisation results, since arbitrary formulae can be cut in. This
makes theorem-proving very difficult - one solution is to embed
arithmetic in a stronger system, where cut elimination holds. This
paper describes a system based on the omega rule, and shows that
certain statements are provable in this system which are not provable
in Peano arithmetic without cut. Moreover, an important application is
presented in the form of a new method of generalisation by means of
"guiding proofs" in the stronger system, which sometimes succeeds in
producing proofs in the original system when other methods fail. The
implementation of such a system is also described.}
}

@ARTICLE{bancerek1989,
  AUTHOR = {Grzegorz Bancerek},
  TITLE = {The Fundamental Properties of Natural Numbers},
  JOURNAL = {Journal of Formalized Mathematics},
  VOLUME = {1},
  YEAR = 1989
}

@BOOK{bardell1987,
  AUTHOR = {Paul H. Bardell and W. H. McAnney and J. Savir},
  TITLE = {Built In Test for {VLSI}: Pseudorandom Techniques},
  PUBLISHER = {John Wiley},
  MONTH = OCT,
  YEAR = 1987,
  URL = {http://www.wiley.com/Corporate/Website/Objects/Products/0,9049,65654,00.html},
  ABSTRACT = {This handbook provides ready access to all of the major concepts,
techniques, problems, and solutions in the emerging field of
pseudorandom pattern testing. Until now, the literature in this area
has been widely scattered, and published work, written by
professionals in several disciplines, has treated notation and
mathematics in ways that vary from source to source. This book opens
with a clear description of the shortcomings of conventional testing
as applied to complex digital circuits, revewing by comparison the
principles of design for testability of more advanced digital
technology. Offers in-depth discussions of test sequence generation
and response data compression, including pseudorandom sequence
generators; the mathematics of shift-register sequences and their
potential for built-in testing. Also details random and memory testing
and the problems of assessing the efficiency of such tests, and the
limitations and practical concerns of built-in testing.}
}

@TECHREPORT{barras1997,
  TITLE = {The {Coq} Proof Assistant Reference Manual: Version 6.1},
  AUTHOR = {Bruno Barras and Samuel Boutin and Cristina Cornes and Judicael Courant and Jean-Christophe Filliatre and Eduardo Gimenez and Hugo Herbelin and G{\'e}rard Huet and C{\'{e}}sar A. Mu{\~{n}}oz and Chetan Murthy and Catherine Parent and Christine Paulin-Mohring and Amokrane Saibi and Benjamin Werner},
  TYPE = {Technical Report},
  INSTITUTION = {INRIA (Institut National de Recherche en Informatique et en Automatique), France},
  NUMBER = {RT-0203},
  YEAR = 1997
}

@INPROCEEDINGS{barras2000,
  AUTHOR = {Bruno Barras},
  TITLE = {Programming and Computing in {HOL}},
  PAGES = {17--37},
  CROSSREF = {tphols2000}
}

@ARTICLE{beckert1995,
  AUTHOR = {Bernhard Beckert and Joachim Posegga},
  TITLE = {{leanTAP}: Lean Tableau-based Deduction},
  JOURNAL = {Journal of Automated Reasoning},
  VOLUME = 15,
  NUMBER = 3,
  PAGES = {339--358},
  MONTH = DEC,
  YEAR = 1995,
  URL = {ftp://i12ftp.ira.uka.de/pub/posegga/LeanTaP.color.ps.Z},
  ABSTRACT = {  prove((E,F),A,B,C,D) :- !,prove(E,[F|A],B,C,D).

   prove((E;F),A,B,C,D) :- !,prove(E,A,B,C,D),prove(F,A,B,C,D).

   prove(all(I,J),A,B,C,D) :- !,
      \+length(C,D),copy_term((I,J,C),(G,F,C)),
      append(A,[all(I,J)],E),prove(F,E,B,[G|C],D).

   prove(A,_,[C|D],_,_) :-
       ((A= -(B);-(A)=B) -> (unify(B,C);prove(A,[],D,_,_))).

   prove(A,[E|F],B,C,D) :- prove(E,F,[A|B],C,D).

implements a first-order  theorem prover based on  free-variable semantic
tableaux. It is complete, sound, and efficient.}
}

@BOOK{beeson1985,
  AUTHOR = {Michael J. Beeson},
  TITLE = {Foundations of Constructive Mathematics},
  PUBLISHER = {Springer},
  YEAR = 1985
}

@INPROCEEDINGS{beeson1998,
  AUTHOR = {Michael Beeson},
  TITLE = {Unification in {Lambda-Calculi} with if-then-else},
  PAGES = {103--118},
  CROSSREF = {cade1998},
  URL = {http://link.springer-ny.com/link/service/series/0558/bibs/1421/14210103.htm},
  ABSTRACT = {A new unification algorithm is introduced, which (unlike previous
algorithms for unification in $lambda$-calculus) shares the pleasant
properties of first-order unification. Proofs of these properties are
given, in particular uniqueness of the answer and the
most-general-unifier property. This unification algorithm can be used
to generalize first-order proof-search algorithms to second-order
logic, making possible for example a straighforward treatment of
McCarthy's circumscription schema.}
}

@BOOK{bell1930,
  AUTHOR = {Eric T. Bell},
  TITLE = {Debunking Science},
  PUBLISHER = {University of Washington Book Store},
  YEAR = 1930
}

@PHDTHESIS{benzmuller1999,
  AUTHOR = {C. Benzmuller},
  TITLE = {Equality and Extensionality in Higher-Order Theorem Proving},
  SCHOOL = {Saarland University},
  MONTH = APR,
  YEAR = 1999,
  URL = {http://www.ags.uni-sb.de/~chris/papers/diss.ps.gz}
}

@ARTICLE{berlekamp1970,
  AUTHOR = {E. R. Berlekamp},
  TITLE = {Factoring polynomials over large finite fields},
  JOURNAL = {Math. Comput.},
  VOLUME = 24,
  YEAR = 1970,
  PAGE = {713--735},
  ABSTRACT = {"This paper presents algorithms for root-finding and factorization,
two problems in finite fields. The latter problem is reduced to the
root-finding problem, for which a probabilistic algorithm is
given. This paper is a precursor of Rabin (1980)."}
}

@INPROCEEDINGS{bezem2000,
  AUTHOR = {Marc Bezem and Dimitri Hendriks and Hans de Nivelle},
  TITLE = {Automated Proof Construction in Type Theory Using Resolution},
  PAGES = {148--163},
  CROSSREF = {cade2000},
  URL = {http://www.phil.uu.nl/~hendriks/}
}

@ARTICLE{bialas1990,
  AUTHOR = {J\'ozef Bia{\l}as},
  TITLE = {The $\sigma$-additive Measure Theory},
  JOURNAL = {Journal of Formalized Mathematics},
  YEAR = {1990},
  URL = {http://mizar.uwb.edu.pl/JFM/Vol2/measure1.html}
}

@ARTICLE{bialas1992,
  AUTHOR = {J\'ozef Bia{\l}as},
  TITLE = {Properties of {Caratheodor}'s Measure},
  JOURNAL = {Journal of Formalized Mathematics},
  YEAR = {1992},
  URL = {http://mizar.uwb.edu.pl/JFM/Vol4/measure4.html}
}

@BOOK{bierce1911,
  AUTHOR = {Ambrose Bierce},
  TITLE = {The Devil's Dictionary},
  PUBLISHER = {Dover},
  EDITION = {Dover thrift},
  YEAR = 1993
}

@INBOOK{biere2003,
  AUTHOR = {Armin Biere and Alessandro Cimatti and Edmund M. Clarke and Ofer Strichman and Yunshun Zhu},
  TITLE = {Bounded Model Checking},
  CHAPTER = {},
  SERIES = {Advances in Computers},
  VOLUME = 58,
  PUBLISHER = {Elsevier},
  YEAR = 2003,
  NOTE = {To appear},
  URL = {http://www-2.cs.cmu.edu/~ofers/advances.pdf}
}

@BOOK{billingsley1986,
  AUTHOR = {P. Billingsley},
  TITLE = {Probability and Measure},
  EDITION = {2nd},
  PUBLISHER = {John Wiley \& Sons, Inc.},
  ADDRESS = {New York},
  YEAR = 1986
}

@UNPUBLISHED{bishop2004,
  AUTHOR = {Steven Bishop and Matthew Fairbairn and Michael Norrish and Peter Sewell and Keith Wansbrough},
  TITLE = {The {TCP} Specification: A Quick Introduction},
  NOTE = {Available from Peter Sewell's web site},
  MONTH = MAR,
  YEAR = 2004,
  URL = {http://www.cl.cam.ac.uk/~pes20/Netsem/quickstart.ps}
}

@BOOK{boole1847,
  AUTHOR = {George Boole},
  TITLE = {The Mathematical Analysis of Logic, Being an Essay Toward a Calculus of Deductive Reasoning},
  ADDRESS = {Cambridge},
  PUBLISHER = {Macmillan},
  YEAR = 1847,
  PAGES = 82
}

@ARTICLE{boulton1993,
  AUTHOR = {Richard J. Boulton},
  TITLE = {Lazy Techniques for Fully Expansive Theorem Proving},
  JOURNAL = {Formal Methods in System Design},
  YEAR = 1993,
  VOLUME = 3,
  NUMBER = {1/2},
  PAGES = {25--47},
  MONTH = AUG
}

@INPROCEEDINGS{boulton1995,
  AUTHOR = {Richard J. Boulton},
  TITLE = {Combining Decision Procedures in the {HOL} System},
  PAGES = {75--89},
  CROSSREF = {tphols1995}
}

@ARTICLE{boyer1984,
  AUTHOR = {Robert S. Boyer and J Strother Moore},
  TITLE = {Proof checking the {RSA} public key encryption algorithm},
  JOURNAL = {American Mathematical Monthly},
  VOLUME = 91,
  NUMBER = 3,
  PAGES = {181--189},
  YEAR = 1984,
  URL = {http://www.cs.utexas.edu/users/boyer/rsa.ps.Z}
}

@ARTICLE{boyer1988,
  AUTHOR = {Robert S. Boyer and J Strother Moore},
  TITLE = {Integrating Decision Procedures into Heuristic Theorem Provers: A Case Study of Linear Arithmetic},
  JOURNAL = {Machine Intelligence},
  VOLUME = {11},
  PUBLISHER = {Oxford University Press},
  YEAR = 1988,
  PAGES = {83-124}
}

@INPROCEEDINGS{boyer1994,
  AUTHOR = {Robert S. Boyer and N. G. de Bruijn and G{\'e}rard Huet and Andrzej Trybulec},
  TITLE = {A mechanically proof-checked encyclopedia of mathematics: Should we build one? Can we?},
  PAGES = {237--251},
  CROSSREF = {cade1994}
}

@UNPUBLISHED{bundy1996,
  AUTHOR = {Alan Bundy},
  TITLE = {Artificial Mathematicians},
  NOTE = {Available from the author's web site},
  MONTH = MAY,
  YEAR = 1996,
  URL = {http://www.dai.ed.ac.uk/homes/bundy/tmp/new-scientist.ps.gz}
}

@INPROCEEDINGS{debruijn1970,
  AUTHOR = {N. de Bruijn},
  TITLE = {The Mathematical language {AUTOMATH}, its usage, and some of its extensions},
  BOOKTITLE = {Symposium on Automatic Demonstration},
  ORGANIZATION = {Lecture Notes in Mathematics, 125},
  PUBLISHER = {Springer},
  PAGES = {29--61},
  YEAR = 1970
}

@ARTICLE{buffon1777,
  AUTHOR = {G. Buffon},
  TITLE = {Essai d'arithm\'etique morale},
  JOURNAL = {Suppl\'ement \`a l'Histoire Naturelle},
  VOLUME = 4,
  YEAR = 1777
}

@BOOK{bundy1983,
  AUTHOR = {Alan Bundy},
  TITLE = {The Computer Modelling of Mathematical Reasoning},
  PUBLISHER = {Academic Press},
  YEAR = 1983
}

@ARTICLE{burrows1990,
  AUTHOR = {Michael Burrows and Mart{\'\i}n Abadi and Roger Needham},
  TITLE = {A Logic of Authentication},
  JOURNAL = {ACM Transactions on Computer Systems},
  VOLUME = 8,
  YEAR = 1990,
  PAGES = {18--36},
  NUMBER = 1,
  MONTH = FEB,
  URL = {http://www.acm.org/pubs/articles/journals/tocs/1990-8-1/p18-burrows/p18-burrows.pdf},
  ABSTRACT = {Authentication protocols are the basis of security in many
distributed systems, and it is therefore essential to ensure that
these protocols function correctly.  Unfortunately, their design has
been extremely error prone. Most of the protocols found in the
literature contain redundancies or security flaws. A simple logic has
allowed us to describe the beliefs of trustworthy parties involved in
authentication protocols and the evolution of these beliefs as a
consequence of communication. We have been able to explain a variety
of authentication protocols formally, to discover subtleties and
errors in them, and to suggest improvements. In this paper we present
the logic and then give the results of our analysis of four published
protocols, chosen either because of their practical importance or
because they serve to illustrate our method.}
}

@ARTICLE{burstall1977,
  AUTHOR = {Rod Burstall and John Darlington},
  TITLE = {A transformation system for developing recursive programs},
  JOURNAL = {Journal of the Association for Computing Machinery},
  VOLUME = {1},
  MONTH = JAN,
  YEAR = 1977
}

@INPROCEEDINGS{busch1994,
  AUTHOR = {H. Busch},
  TITLE = {First-Order Automation for Higher-Order-Logic Theorem Proving},
  CROSSREF = {tphols1994}
}

@ARTICLE{caprotti2001,
  AUTHOR = {O. Caprotti and M. Oostdijk},
  TITLE = {Formal and Efficient Primality Proofs by use of Computer Algebra Oracles},
  JOURNAL = {Journal of Symbolic Computation},
  VOLUME = 32,
  NUMBER = {1--2},
  PAGES = {55--70},
  YEAR = 2001,
  EDITOR = {T. Recio and M. Kerber},
  NOTE = {Special Issue on Computer Algebra and Mechanized Reasoning}
}

@BOOK{chang1973,
  AUTHOR = {Chin-Liang Chang and Richard Char-Tung Lee},
  TITLE = {Symbolic Logic and Mechanical Theorem Proving},
  PUBLISHER = {Academic Press},
  ADDRESS = {New York},
  YEAR = 1973
}

@ARTICLE{church1940,
  AUTHOR = {Alonzo Church},
  TITLE = {A Formulation of the Simple Theory of Types},
  JOURNAL = {Journal of Symbolic Logic},
  YEAR = 1940,
  VOLUME = 5,
  PAGES = {56--68}
}

@ARTICLE{claessen2000,
  AUTHOR = {Koen Claessen and John Hughes},
  TITLE = {{QuickCheck}: a lightweight tool for random testing of {Haskell} programs},
  JOURNAL = {ACM SIG{\-}PLAN Notices},
  VOLUME = {35},
  NUMBER = {9},
  PAGES = {268--279},
  MONTH = SEP,
  YEAR = {2000},
  URL = {http://www.md.chalmers.se/~rjmh/QuickCheck/}
}

@BOOK{clarke1999,
  AUTHOR = {E. M. Clarke and O. Grumberg and D. A. Peled},
  TITLE = {{M}odel {C}hecking},
  PUBLISHER = {The MIT Press},
  YEAR = {1999}
}

@INPROCEEDINGS{colwell2000,
  AUTHOR = {Bob Colwell and Bob Brennan},
  TITLE = {Intel's Formal Verification Experience on the {Willamette} Development},
  PAGES = {106--107},
  CROSSREF = {tphols2000}
}

@PHDTHESIS{compagnoni1995,
  AUTHOR = {Adriana B. Compagnoni},
  TITLE = {Higher-Order Subtyping with Intersection Types},
  YEAR = 1995,
  MONTH = JAN,
  SCHOOL = {Catholic University, Nigmegen}
}

@INPROCEEDINGS{cook1971,
  AUTHOR = {Stephen A. Cook},
  TITLE = {The complexity of theorem-proving procedures},
  PAGES = {151--158},
  EDITOR = {{ACM}},
  BOOKTITLE = {Third annual {ACM} Symposium on Theory of Computing},
  ADDRESS = {Shaker Heights, Ohio, USA},
  MONTH = MAY,
  YEAR = 1971,
  PUBLISHER = {ACM Press}
}

@UNPUBLISHED{cook2000,
  AUTHOR = {Stephen A. Cook},
  TITLE = {The {P} Versus {NP} Problem},
  MONTH = APR,
  YEAR = 2000,
  NOTE = {Manuscript prepared for the Clay Mathematics Institute for the Millennium Prize Problems},
  URL = {http://www.claymath.org/prizeproblems/pvsnp.htm}
}

@BOOK{cormen1990,
  AUTHOR = {Thomas H. Cormen and Charles Eric Leiserson and Ronald L. Rivest},
  TITLE = {Introduction to Algorithms},
  PUBLISHER = {MIT Press/McGraw-Hill},
  ADDRESS = {Cambridge, Massachusetts},
  YEAR = 1990
}

@TECHREPORT{curzon1994,
  AUTHOR = {Paul Curzon},
  INSTITUTION = {University of Cambridge Computer Laboratory},
  MONTH = MAR,
  NUMBER = {328},
  TITLE = {The formal verification of the {Fairisle} {ATM} switching element: an overview},
  YEAR = 1994
}

@INPROCEEDINGS{cyrluk1996,
  AUTHOR = {David Cyrluk and Patrick Lincoln and Natarajan Shankar},
  TITLE = {On {Shostak}'s Decision Procedure for Combinations of Theories},
  CROSSREF = {cade1996}
}

@INPROCEEDINGS{dahn1997,
  AUTHOR = {Ingo Dahn and Christoph Wernhard},
  TITLE = {First Order Proof Problems Extracted from an Article in the {MIZAR} Mathematical Library},
  CROSSREF = {ftp1997},
  URL = {http://www-irm.mathematik.hu-berlin.de/~ilf/papers/index.html}
}

@INPROCEEDINGS{dahn1998,
  TITLE = {Interpretation of a {Mizar}-like logic in first-order logic},
  AUTHOR = {Ingo Dahn},
  PAGES = {116--126},
  CROSSREF = {ftp1998}
}

@BOOK{davenport1992,
  AUTHOR = {Harold Davenport},
  TITLE = {The Higher Arithmetic},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1992,
  EDITION = {Sixth}
}

@BOOK{degroot1989,
  AUTHOR = {Morris DeGroot},
  TITLE = {Probability and Statistics},
  PUBLISHER = {Addison-Wesley},
  EDITION = {2nd},
  YEAR = 1989
}

@INCOLLECTION{deleeuw1955,
  AUTHOR = {K. de Leeuw and E. F. Moore and C. E. Shannon and N. Shapiro},
  TITLE = {Computability by probabilistic machines},
  PAGES = {183--212},
  BOOKTITLE = {Automata Studies},
  EDITOR = {C. E. Shannon and J. McCarthy},
  YEAR = 1955,
  PUBLISHER = {Princeton University Press},
  ADDRESS = {Princeton, NJ}
}

@TECHREPORT{denzinger1997,
  AUTHOR = {J{\"o}rg Denzinger and Dirk Fuchs},
  TITLE = {Knowledge-based Cooperation between Theorem Provers by {TECHS}},
  YEAR = 1997,
  TYPE = {SEKI-Report},
  NUMBER = {SR-97-11},
  INSTITUTION = {University of Kaiserslautern},
  URL = {http://agent.informatik.uni-kl.de/seki/1997/Fuchs.SR-97-11.ps.gz}
}

@BOOK{dijkstra1976,
  AUTHOR = {E. W. Dijkstra},
  TITLE = {A Discipline of Programming},
  PUBLISHER = {Prentice Hall},
  YEAR = 1976
}

@MISC{euclid300bc,
  AUTHOR = {Euclid},
  TITLE = {Elements},
  YEAR = {300B.C.},
  URL = {http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Euclid.html}
}

@BOOK{euclid1956,
  AUTHOR = {Euclid},
  TITLE = {Elements},
  PUBLISHER = {Dover},
  YEAR = 1956,
  NOTE = {Translated by Sir Thomas L. Heath}
}

@ARTICLE{farmer1993,
  AUTHOR = {William M. Farmer and Joshua D. Guttman and F. Javier Thayer},
  TITLE = {{IMPS}: An Interactive Mathematical Proof System},
  JOURNAL = {Journal of Automated Reasoning},
  YEAR = 1993,
  VOLUME = 11,
  PAGES = {213--248},
  URL = {http://imps.mcmaster.ca/wmfarmer/publications.html},
  ABSTRACT = {IMPS is an Interactive Mathematical Proof System intended as a
general purpose tool for formulating and applying mathematics in a
familiar fashion.  The logic of IMPS is based on a version of simple
type theory with partial functions and subtypes.  Mathematical
specification and inference are performed relative to axiomatic
theories, which can be related to one another via inclusion and theory
interpretation.  IMPS provides relatively large primitive inference
steps to facilitate human control of the deductive process and human
comprehension of the resulting proofs.  An initial theory library
containing almost a thousand repeatable proofs covers significant
portions of logic, algebra and analysis, and provides some support for
modeling applications in computer science.}
}

@ARTICLE{feldman1984,
  AUTHOR = {V. A. Feldman and D. Harel},
  TITLE = {A probabilistic dynamic logic},
  JOURNAL = {Journal of Computer and System Sciences},
  VOLUME = {28},
  NUMBER = {2},
  PAGES = {193--215},
  YEAR = 1984
}

@ARTICLE{fidge2003,
  AUTHOR = {C. Fidge and C. Shankland},
  TITLE = {But what if {I} don't want to wait forever?},
  JOURNAL = {Formal Aspects of Computing},
  YEAR = {to appear in 2003}
}

@BOOK{fishman1996,
  AUTHOR = {George S. Fishman},
  TITLE = {Monte Carlo: Concepts, Algorithms and Applications},
  PUBLISHER = {Springer},
  YEAR = 1996
}

@BOOK{fleuriot2001,
  AUTHOR = {J. D. Fleuriot},
  TITLE = {A Combination of Geometry Theorem Proving and Nonstandard Analysis, with Application to Newton's Principia},
  PUBLISHER = {Springer},
  SERIES = {Distinguished Dissertations},
  YEAR = {2001}
}

@INPROCEEDINGS{gabbay1992,
  AUTHOR = {Dov M. Gabbay and Hans J{\"u}rgen Ohlbach},
  TITLE = {Quantifier elimination in second--order predicate logic},
  BOOKTITLE = {Principles of Knowledge Representation and Reasoning (KR92)},
  YEAR = 1992,
  EDITOR = {Bernhard Nebel and Charles Rich and William Swartout},
  PAGES = {425--435},
  PUBLISHER = {Morgan Kaufmann},
  URL = {http://www.pms.informatik.uni-muenchen.de/mitarbeiter/ohlbach/homepage/publications/PL/abstracts.shtml#scan},
  ABSTRACT = {An algorithm is presented which eliminates second--order quantifiers
over predicate variables in formulae of type exists P1,...,PnF where F
is an arbitrary formula of first--order predicate logic. The resulting
formula is equivalent to the original formula -- if the algorithm
terminates. The algorithm can for example be applied to do
interpolation, to eliminate the second--order quantifiers in
circumscription, to compute the correlations between structures and
power structures, to compute semantic properties corresponding to
Hilbert axioms in non classical logics and to compute model theoretic
semantics for new logics.}
}

@MISC{gathercole1997,
  AUTHOR = {Chris Gathercole and Peter Ross},
  TITLE = {Small Populations over Many Generations can beat Large Populations over Few Generations in Genetic Programming},
  HOWPUBLISHED = {http://www.dai.ed.ac.uk/students/chrisg/},
  YEAR = 1997
}

@ARTICLE{gill1977,
  AUTHOR = {J. T. Gill},
  TITLE = {Computational complexity of probabilistic {Turing} machines},
  JOURNAL = {SIAM Journal on Computing},
  VOLUME = 6,
  NUMBER = 4,
  PAGES = {675--695},
  MONTH = DEC,
  YEAR = 1977,
  ABSTRACT = {"This paper defines the basic notion of a probabilistic Turing machine
(PTM). A PTM computes a partial function that assigns to each input
the output which occurs with a probability greater than half. It is
shown that a NDTM can be simulated by a PTM in the same space but with
a small error probability. Gill also considers the complexity classes
RP, PP, and BPP for polynomial-time PTMs (see Section 4.1). He shows
that $\mbox{P} \subseteq \mbox{RP} \subseteq \mbox{BPP} \subseteq
\mbox{PP} \subseteq \mbox{PSPACE}$ and that $\mbox{RP} \subseteq
\mbox{NP} \subseteq \mbox{PP}$."}
}

@BOOK{girard1989,
  AUTHOR = {Jean-Yves Girard},
  SERIES = {Cambridge tracts in theoretical computer science},
  SUBJECT = {Electronic digital computers--Programming Proof theory Type theory},
  VOLUME = {7},
  CAMLIB = {[Univ. Lib.] 348:8.b.95.262 South Front 4},
  PUBLISHER = {Cambridge University Press},
  PAGES = {xi,176p},
  YEAR = 1989,
  CITY = {Cambridge},
  SIZE = {26cm},
  TITLE = {Proofs and types}
}

@ARTICLE{godel1931,
  AUTHOR = {K. G{\"o}del},
  JOURNAL = {Monatshefte f{\"u}r Mathematik und Physik},
  PAGES = {173--198},
  TITLE = {{\"U}ber formal unentscheidbare {S}{\"a}tze der {P}rincipia {M}athematica und verwandter {S}ysteme},
  VOLUME = 38,
  YEAR = 1931
}

@BOOK{godel1962,
  AUTHOR = {K. G{\"o}del},
  TITLE = {On Formally Undecidable Propositions of Principia Mathematica and Related Systems},
  YEAR = 1962,
  PUBLISHER = {Oliver and Boyd},
  NOTE = {Translated by B. Meltzer},
  ADDRESS = {London}
}

@BOOK{goguen1996,
  AUTHOR = {J. Goguen and G. Malcolm},
  TITLE = {Algebraic Semantics of Imperative Programs},
  EDITION = {1st},
  PUBLISHER = {MIT Press},
  ADDRESS = {Cambridge, Mass.},
  YEAR = 1996,
  ISBN = {0-262-07172-X}
}

@INPROCEEDINGS{goldberg2002,
  AUTHOR = {E. Goldberg and Y. Novikov},
  TITLE = {{BerkMin}: {A} Fast and Robust {SAT}-Solver},
  BOOKTITLE = {Design, Automation, and Test in Europe (DATE '02)},
  MONTH = MAR,
  YEAR = 2002,
  PAGES = {142--149},
  URL = {http://www.ece.cmu.edu/~mvelev/goldberg_novikov_date02.pdf}
}

@BOOK{goldie1991,
  AUTHOR = {Charles M. Goldie and Richard G. E. Pinch},
  TITLE = {Communication theory},
  SERIES = {LMS Student Texts},
  VOLUME = 20,
  PUBLISHER = {Cambridge University Press},
  YEAR = 1991
}

@BOOK{gordon1979,
  AUTHOR = {M. Gordon and R. Milner and C. Wadsworth},
  TITLE = {Edinburgh {LCF}},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 78,
  YEAR = 1979
}

@TECHREPORT{gordon1985,
  AUTHOR = {Mike Gordon},
  TITLE = {Why {H}igher-{O}rder {L}ogic is a Good Formalism For Specifying and Verifying Hardware},
  YEAR = 1985,
  INSTITUTION = {Computer Laboratory, The University of Cambridge},
  NUMBER = 77
}

@BOOK{gordon1988,
  AUTHOR = {M. J. C. Gordon},
  TITLE = {Programming Language Theory and its Implementation},
  PUBLISHER = {Prentice Hall},
  YEAR = 1988
}

@INCOLLECTION{gordon1988a,
  AUTHOR = {Michael J. C. Gordon},
  TITLE = {{HOL}: A proof generating system for higher-order logic},
  BOOKTITLE = {{VLSI} Specification, Verification and Synthesis},
  EDITOR = {Graham Birtwistle and P. A. Subrahmanyam},
  YEAR = 1988,
  PAGES = {73--128},
  PUBLISHER = {Kluwer Academic Publishers},
  ADDRESS = {Boston}
}

@INCOLLECTION{gordon1989,
  AUTHOR = {M. J. C. Gordon},
  TITLE = {Mechanizing Programming Logics in Higher Order Logic},
  BOOKTITLE = {Current Trends in Hardware Verification and Automated Theorem Proving},
  EDITOR = {G. Birtwistle and P. A. Subrahmanyam},
  PUBLISHER = {Springer-Verlag},
  YEAR = 1989,
  PAGES = {387--439},
  URL = {ftp://ftp.cl.cam.ac.uk/hvg/papers/Banffpaper.dvi.gz}
}

@BOOK{gordon1993,
  EDITOR = {M. J. C. Gordon and T. F. Melham},
  TITLE = {Introduction to HOL (A theorem-proving environment for higher order logic)},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1993
}

@TECHREPORT{gordon1994,
  AUTHOR = {Mike Gordon},
  TITLE = {Merging {HOL} with Set Theory: preliminary experiments},
  INSTITUTION = {University of Cambridge Computer Laboratory},
  NUMBER = 353,
  MONTH = NOV,
  YEAR = 1994,
  URL = {http://www.cl.cam.ac.uk/users/mjcg/papers/holst},
  ABSTRACT = {Set theory is the standard foundation for mathematics, but the
majority of general purpose mechanized proof assistants support
versions of type theory (higher order logic). Examples include Alf,
Automath, Coq, Ehdm, HOL, IMPS, Lambda, LEGO, Nuprl, PVS and
Veritas. For many applications type theory works well and provides,
for specification, the benefits of type-checking that are well-known
in programming. However, there are areas where types get in the way or
seem unmotivated. Furthermore, most people with a scientific or
engineering background already know set theory, whereas type theory
may appear inaccessable and so be an obstacle to the uptake of proof
assistants based on it. This paper describes some experiments (using
HOL) in combining set theory and type theory; the aim is to get the
best of both worlds in a single system. Three approaches have been
tried, all based on an axiomatically specified type V of ZF-like sets:
(i) HOL is used without any additions besides V; (ii) an embedding of
the HOL logic into V is provided; (iii) HOL axiomatic theories are
automatically translated into set-theoretic definitional
theories. These approaches are illustrated with two examples: the
construction of lists and a simple lemma in group theory.}
}

@UNPUBLISHED{gordon1996,
  AUTHOR = {M. J. C. Gordon},
  TITLE = {Notes on {PVS} from a {HOL} perspective},
  YEAR = 1996,
  NOTE = {Available from the author's web page},
  URL = {http://www.cl.cam.ac.uk/~mjcg/PVS.html},
  ABSTRACT = {During the first week of July 1995 I visited SRI Menlo Park to find
out more about PVS (Prototype Verification System). The preceding week
I attended LICS95, where I had several talks with Natarajan Shankar
accompanied by demos of the system on his SparcBook laptop. This note
consists of a somewhat rambling and selective report on some of the
things I learned, together with a discussion of their implications for
the evolution of the HOL system.}
}

@ARTICLE{gordon2002,
  AUTHOR = {Michael J. C. Gordon},
  TITLE = {Programming combinations of deduction and {BDD}-based symbolic calculation},
  JOURNAL = {LMS Journal of Computation and Mathematics},
  VOLUME = 5,
  PAGES = {56--76},
  MONTH = AUG,
  YEAR = 2002,
  URL = {http://www.lms.ac.uk/jcm/5/lms2000-001},
  ABSTRACT = {A generalisation of Milner's `LCF approach' is described. This allows
algorithms based on binary decision diagrams (BDDs) to be programmed
as derived proof rules in a calculus of representation judgements. The
derivation of representation judgements becomes an LCF-style proof by
defining an abstract type for judgements analogous to the LCF type of
theorems. The primitive inference rules for representation judgements
correspond to the operations provided by an efficient BDD package
coded in C (BuDDy). Proof can combine traditional inference with steps
inferring representation judgements. The resulting system provides a
platform to support a tight and principled integration of theorem
proving and model checking. The methods are illustrated by using them
to solve all instances of a generalised Missionaries and Cannibals
problem.}
}

@INPROCEEDINGS{gordon2003,
  AUTHOR = {Mike Gordon and Joe Hurd and Konrad Slind},
  TITLE = {Executing the formal semantics of the {Accellera} {Property} {Specification} {Language} by mechanised theorem proving},
  BOOKTITLE = {Correct Hardware Design and Verification Methods},
  PAGES = {200--215},
  MONTH = OCT,
  YEAR = 2003,
  EDITOR = {Daniel Geist and Enrico Tronci},
  VOLUME = 2860,
  SERIES = {Lecture Notes in Computer Science},
  PUBLISHER = {Springer},
  URL = {http://www.cl.cam.ac.uk/users/jeh1004/research/papers/sugar.html},
  ABSTRACT = {The Accellera Property Specification Language (PSL) is designed for
the formal specification of hardware. The Reference Manual contains a
formal semantics, which we previously encoded in a machine readable
version of higher order logic. In this paper we describe how to
`execute' the formal semantics using proof scripts coded in the HOL
theorem prover's metalanguage ML. The goal is to see if it is feasible
to implement useful tools that work directly from the official
semantics by mechanised proof. Such tools will have a high assurance
of conforming to the standard. We have implemented two experimental
tools: an interpreter that evaluates whether a finite trace $w$, which
may be generated by a simulator, satisfies a PSL formula $f$ (i.e.~$w
\models f$), and a compiler that converts PSL formulas to checkers in
an intermediate format suitable for translation to HDL for inclusion
in simulation test-benches. Although our tools use logical deduction
and are thus slower than hand-crafted implementations, they may be
speedy enough for some applications. They can also provide a reference
for more efficient implementations.}
}

@TECHREPORT{gunter1989,
  AUTHOR = {Elsa Gunter},
  TITLE = {Doing Algebra in Simple Type Theory},
  YEAR = 1989,
  INSTITUTION = {Department of Computer and Information Science, University of Pennsylvania},
  NUMBER = {MS-CIS-89-38, Logic \&\ Computation 09}
}

@BOOK{hajek1998,
  AUTHOR = {Petr H\'ajek},
  TITLE = {Metamathematics of Fuzzy Logic},
  MONTH = AUG,
  YEAR = 1998,
  SERIES = {Trends in Logic},
  VOLUME = 4,
  PUBLISHER = {Kluwer Academic Publishers},
  ADDRESS = {Dordrecht},
  URL = {http://www.wkap.nl/prod/b/0-7923-5238-6},
  ABSTRACT = {This book presents a systestematic treatment of deductive aspects and
structures of fuzzy logic understood as many valued logic sui
generis. Some important systems of real-valued propositional and
predicate calculus are defined and investigated. The aim is to show
that fuzzy logic as a logic of imprecise (vague) propositions does
have well-developed formal foundations and that most things usually
named `fuzzy inference' can be naturally understood as logical
deduction.

There are two main groups of intended readers. First, logicians: they
can see that fuzzy logic is indeed a branch of logic and may find
several very interesting open problems. Second, equally important,
researchers involved in fuzzy logic applications and soft
computing. As a matter of fact, most of these are not professional
logicians so that it can easily happen that an application, clever and
successful as it may be, is presented in a way which is logically not
entirely correct or may appear simple-minded. (Standard presentations
of the logical aspects of fuzzy controllers are the most typical
example.) This fact would not be very important if only the bon ton of
logicians were harmed; but it is the opinion of the author (who is a
mathematical logician) that a better understanding of the strictly
logical basis of fuzzy logic (in the usual broad sense) is very useful
for fuzzy logic appliers since if they know better what they are
doing, they may hope to do it better. In addition, a better mutual
understanding between (classical) logicians and researchers in fuzzy
logic, promises to lead to deeper cooperation and new results.

Audience: mathematicians, logicians, computer scientists, specialists
in artificial intelligence and knowledge engineering, developers of
fuzzy logic.}
}

@ARTICLE{halpern1990,
  AUTHOR = {Joseph Y. Halpern},
  TITLE = {An analysis of first-order logics of probability},
  JOURNAL = {Artificial Intelligence},
  YEAR = 1990,
  URL = {http://www.cs.cornell.edu/home/halpern/abstract.html#journal25},
  ABSTRACT = {We consider two approaches to giving semantics to first-order logics
of probability. The first approach puts a probability on the domain,
and is appropriate for giving semantics to formulas involving
statistical information such as ``The probability that a randomly
chosen bird flies is greater than .9.'' The second approach puts a
probability on possible worlds, and is appropriate for giving
semantics to formulas describing degrees of belief, such as ``The
probability that Tweety (a particular bird) flies is greater than
.9.'' We show that the two approaches can be easily combined, allowing
us to reason in a straightforward way about statistical information
and degrees of belief. We then consider axiomatizing these logics. In
general, it can be shown that no complete axiomatization is
possible. We provide axiom systems that are sound and complete in
cases where a complete axiomatization is possible, showing that they
do allow us to capture a great deal of interesting reasoning about
probability.}
}

@ARTICLE{hansell1971,
  AUTHOR = {R. W. Hansell},
  TITLE = {Borel Measurable Mappings for Nonseparable Metric Spaces},
  JOURNAL = {Transactions of the American Mathematical Society},
  YEAR = 1971,
  VOLUME = 161,
  PAGES = {145--169},
  MONTH = NOV,
  URL = {http://uk.jstor.org/cgi-bin/jstor/listjournal/00029947/di970179},
  ABSTRACT = {"One of the key papers in non-separable theory. [To show that f IN
measurable E U implies countable range] One may use Section 2,
Corollary 7, with the observation that [0,1] satisfies the assumptions
and, in your situation, the collection f^(-1)(x), x\in X is even
completely additive-Borel"}
}

@BOOK{hardy1993,
  AUTHOR = {G. H. Hardy},
  TITLE = {A Mathematician's Apology, reprinted with a foreword by C. P. Snow},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1993
}

@TECHREPORT{harrison1995,
  AUTHOR = {John Harrison},
  TITLE = {Metatheory and Reflection in Theorem Proving: A Survey and Critique},
  INSTITUTION = {SRI Cambridge},
  ADDRESS = {Millers Yard, Cambridge, UK},
  YEAR = 1995,
  TYPE = {Technical Report},
  NUMBER = {CRC-053},
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/reflect.html},
  ABSTRACT = {One way to ensure correctness of the inference performed by computer
theorem provers is to force all proofs to be done step by step in a
simple, more or less traditional, deductive system. Using techniques
pioneered in Edinburgh LCF, this can be made palatable. However, some
believe such an approach will never be efficient enough for large,
complex proofs. One alternative, commonly called reflection, is to
analyze proofs using a second layer of logic, a metalogic, and so
justify abbreviating or simplifying proofs, making the kinds of
shortcuts humans often do or appealing to specialized decision
algorithms. In this paper we contrast the fully-expansive LCF approach
with the use of reflection. We put forward arguments to suggest that
the inadequacy of the LCF approach has not been adequately
demonstrated, and neither has the practical utility of reflection
(notwithstanding its undoubted intellectual interest). The LCF system
with which we are most concerned is the HOL proof assistant.

The plan of the paper is as follows. We examine ways of providing user
extensibility for theorem provers, which naturally places the LCF and
reflective approaches in opposition. A detailed introduction to LCF is
provided, emphasizing ways in which it can be made efficient. Next, we
present a short introduction to metatheory and its usefulness, and,
starting from Gödel's proofs and Feferman's transfinite
progressions of theories, look at logical `reflection principles'. We
show how to introduce computational `reflection principles' which do
not extend the power of the logic, but may make deductions in it more
efficient, and speculate about their practical usefulness.
Applications or proposed applications of computational reflection in
theorem proving are surveyed, following which we draw some
conclusions. In an appendix, we attempt to clarify a couple of other
notions of `reflection' often encountered in the literature.

The paper questions the too-easy acceptance of reflection principles
as a practical necessity.  However I hope it also serves as an
adequate introduction to the concepts involved in reflection and a
survey of relevant work. To this end, a rather extensive bibliography
is provided.}
}

@ARTICLE{harrison1995a,
  AUTHOR = {John Harrison},
  TITLE = {Binary Decision Diagrams as a {HOL} Derived Rule},
  JOURNAL = {The Computer Journal},
  YEAR = 1995,
  VOLUME = 38,
  PAGES = {162--170},
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/bdd1.html},
  ABSTRACT = {Binary Decision Diagrams (BDDs) are a representation for Boolean
formulas which makes many operations, in particular
tautology-checking, surprisingly efficient in important practical
cases. In contrast to such custom decision procedures, the HOL theorem
prover expands all proofs out to a sequence of extremely simple
primitive inferences. In this paper we describe how the BDD algorithm
may be adapted to comply with such strictures, helping us to
understand the strengths and limitations of the HOL approach.}
}

@INPROCEEDINGS{harrison1996,
  AUTHOR = {John Harrison},
  TITLE = {Optimizing Proof Search in Model Elimination},
  PAGES = {313--327},
  CROSSREF = {cade1996},
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/me.html},
  ABSTRACT = {Many implementations of model elimination perform proof search by
iteratively increasing a bound on the total size of the proof. We
propose an optimized version of this search mode using a simple
divide-and-conquer refinement. Optimized and unoptimized modes are
compared, together with depth-bounded and best-first search, over the
entire TPTP problem library. The optimized size-bounded mode seems to
be the overall winner, but for each strategy there are problems on
which it performs best. Some attempt is made to analyze why. We
emphasize that our optimization, and other implementation techniques
like caching, are rather general: they are not dependent on the
details of model elimination, or even that the search is concerned
with theorem proving. As such, we believe that this study is a useful
complement to research on extending the model elimination calculus.}
}

@TECHREPORT{harrison1996b,
  AUTHOR = {John Harrison},
  TITLE = {Formalized Mathematics},
  INSTITUTION = {Turku Centre for Computer Science (TUCS)},
  ADDRESS = {Lemmink{\"a}isenkatu 14 A, FIN-20520 Turku, Finland},
  YEAR = 1996,
  TYPE = {Technical Report},
  NUMBER = 36,
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/form-math3.html},
  ABSTRACT = {It is generally accepted that in principle it's possible to formalize
completely almost all of present-day mathematics. The practicability
of actually doing so is widely doubted, as is the value of the
result. But in the computer age we believe that such formalization is
possible and desirable.  In contrast to the QED Manifesto however, we
do not offer polemics in support of such a project.  We merely try to
place the formalization of mathematics in its historical perspective,
as well as looking at existing praxis and identifying what we regard
as the most interesting issues, theoretical and practical.}
}

@INPROCEEDINGS{harrison1996c,
  AUTHOR = {John Harrison},
  TITLE = {A {Mizar} Mode for {HOL}},
  PAGES = {203--220},
  CROSSREF = {tphols1996},
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/mizar.html},
  ABSTRACT = {The HOL theorem prover is implemented in the LCF style, meaning that
all inference is ultimately reduced to a collection of very simple
(forward) primitive inference rules. By programming it is possible to
build alternative means of proving theorems on top, while preserving
security. Existing HOL proofs styles are, however, very different from
those used in textbooks. Here we describe the addition of another
proof style, inspired by Mizar. We believe the resulting system
combines some of the best features of both HOL and Mizar.}
}

@INPROCEEDINGS{harrison1996d,
  AUTHOR = {John Harrison},
  TITLE = {Proof Style},
  PAGES = {154--172},
  CROSSREF = {types1996},
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/style.html},
  ABSTRACT = {We are concerned with how computer theorem provers should expect
users to communicate proofs to them. There are many stylistic choices
that still allow the machine to generate a completely formal proof
object. The most obvious choice is the amount of guidance required
from the user, or from the machine perspective, the degree of
automation provided. But another important consideration, which we
consider particularly significant, is the bias towards a `procedural'
or `declarative' proof style. We will explore this choice in depth,
and discuss the strengths and weaknesses of declarative and procedural
styles for proofs in pure mathematics and for verification
applications. We conclude with a brief summary of our own experiments
in trying to combine both approaches.}
}

@TECHREPORT{harrison1997,
  AUTHOR = {John Harrison},
  TITLE = {Floating point verification in {HOL} Light: the exponential function},
  INSTITUTION = {University of Cambridge Computer Laboratory},
  YEAR = 1997,
  NUMBER = 428,
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/tang.html}
}

@BOOK{harrison1998,
  AUTHOR = {John Harrison},
  TITLE = {Theorem Proving with the Real Numbers (Distinguished dissertations)},
  PUBLISHER = {Springer},
  YEAR = 1998
}

@MANUAL{harrison1998b,
  AUTHOR = {John Harrison},
  TITLE = {The {HOL} Light Manual (1.0)},
  MONTH = MAY,
  YEAR = 1998,
  URL = {http://www.cl.cam.ac.uk/users/jrh/hol-light/}
}

@INPROCEEDINGS{harrison1998c,
  AUTHOR = {John Harrison},
  TITLE = {Formalizing {D}ijkstra},
  PAGES = {171--188},
  CROSSREF = {tphols1998},
  URL = {http://www.cl.cam.ac.uk/users/jrh/papers/dijkstra.html}
}

@ARTICLE{hart1983,
  AUTHOR = {Sergiu Hart and Micha Sharir and Amir Pnueli},
  TITLE = {Termination of Probabilistic Concurrent Programs},
  JOURNAL = {ACM Transactions on Programming Languages and Systems (TOPLAS)},
  VOLUME = 5,
  NUMBER = 3,
  PAGES = {356--380},
  MONTH = JUL,
  YEAR = 1983
}

@ARTICLE{he1997,
  AUTHOR = {Jifeng He and K. Seidel and A. McIver},
  TITLE = {Probabilistic models for the guarded command language},
  JOURNAL = {Science of Computer Programming},
  VOLUME = 28,
  NUMBER = {2--3},
  PAGES = {171--192},
  MONTH = APR,
  YEAR = 1997
}

@MISC{heitkotter1998,
  AUTHOR = {J{\"o}rg Heitk{\"o}tter and David Beasley},
  TITLE = {The Hitch-Hiker's Guide to Evolutionary Computation: A list of Frequently Asked Questions (FAQ)},
  HOWPUBLISHED = {USENET: comp.ai.genetic},
  YEAR = 1998,
  URL = {ftp://rtfm.mit.edu/pub/usenet/news.answers/ai-faq/genetic/}
}

@ARTICLE{herman1990,
  AUTHOR = {Ted Herman},
  TITLE = {Probabilistic self-stabilization},
  JOURNAL = {Information Processing Letters},
  VOLUME = 35,
  NUMBER = 2,
  PAGES = {63--67},
  DAY = 29,
  MONTH = JUN,
  YEAR = 1990
}

@INPROCEEDINGS{hoang2003,
  AUTHOR = {Thai Son Hoang and Z. Jin and K. Robinsion and A. K. McIver and C. C. Morgan},
  TITLE = {Probabilistic invariants for probabilistic machines},
  BOOKTITLE = {Proceedings of the 3rd International Conference of B and Z users},
  PAGES = {240--259},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 2651,
  YEAR = 2003,
  PUBLISHER = {Springer}
}

@UNPUBLISHED{hoare2002,
  AUTHOR = {Tony Hoare},
  TITLE = {The Verifying Compiler},
  NOTE = {Sample submission for the Workshop on Grand Challenges for Computing Research},
  MONTH = NOV,
  YEAR = 2002,
  URL = {http://umbriel.dcs.gla.ac.uk/NeSC/general/esi/events/Grand_Challenges/verifying_compiler.pdf}
}

@ARTICLE{homeier1995,
  AUTHOR = {Peter V. Homeier and David F. Martin},
  TITLE = {A Mechanically Verified Verification Condition Generator},
  JOURNAL = {The Computer Journal},
  YEAR = 1995,
  VOLUME = 38,
  NUMBER = 2,
  MONTH = JUL,
  PAGES = {131--141},
  URL = {http://www.cis.upenn.edu/~homeier/publications/vcg-bcj.pdf}
}

@TECHREPORT{huet1980,
  AUTHOR = {G{\'e}rard Huet and Derek Oppen},
  TITLE = {Equations and Rewrite Rules: A Survey},
  INSTITUTION = {SRI International},
  MONTH = JAN,
  YEAR = 1980,
  NUMBER = {CSL-111}
}

@ARTICLE{hughes1989,
  AUTHOR = {J. Hughes},
  TITLE = {Why Functional Programming Matters},
  JOURNAL = {Computer Journal},
  VOLUME = {32},
  NUMBER = {2},
  PAGES = {98--107},
  YEAR = 1989,
  URL = {http://www.md.chalmers.se/~rjmh/Papers/whyfp.html}
}

@PHDTHESIS{huisman2001,
  AUTHOR = {Marieke Huisman},
  TITLE = {Reasoning about {Java} Programs in higher order logic with {PVS} and {Isabelle}},
  SCHOOL = {University of Nijmegen, Holland},
  YEAR = 2001,
  MONTH = FEB
}

@MANUAL{hurd1998,
  AUTHOR = {Joe Hurd},
  TITLE = {The Real Number Theories in hol98},
  MONTH = NOV,
  YEAR = 1998,
  NOTE = {Part of the documentation for the hol98 theorem prover},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/realdoc.html},
  ABSTRACT = {A description of the hol98 reals library, ported partly from the
reals library in HOL90 and partly from the real library in hol-light.}
}

@INPROCEEDINGS{hurd1999,
  AUTHOR = {Joe Hurd},
  TITLE = {Integrating {Gandalf} and {HOL}},
  CROSSREF = {tphols1999},
  PAGES = {311--321},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/gandalf.html},
  ABSTRACT = {Gandalf is a first-order resolution theorem-prover, optimized for
speed and specializing in manipulations of large clauses. In this
paper I describe GANDALF_TAC, a HOL tactic that proves goals by
calling Gandalf and mirroring the resulting proofs in HOL. This call
can occur over a network, and a Gandalf server may be set up servicing
multiple HOL clients. In addition, the translation of the Gandalf
proof into HOL fits in with the LCF model and guarantees logical
consistency.}
}

@TECHREPORT{hurd1999a,
  AUTHOR = {Joe Hurd},
  TITLE = {Integrating {Gandalf} and {HOL}},
  INSTITUTION = {University of Cambridge Computer Laboratory},
  ISSN = {1476-2986},
  NUMBER = 461,
  MONTH = MAY,
  YEAR = 1999,
  NOTE = {Second edition},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/gandalf.html}
}

@INPROCEEDINGS{hurd2000,
  AUTHOR = {Joe Hurd},
  TITLE = {Congruence Classes with Logic Variables},
  PAGES = {87--101},
  CROSSREF = {tphols2000a},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/congruence.html}
}

@INPROCEEDINGS{hurd2000a,
  AUTHOR = {Joe Hurd},
  TITLE = {Lightweight Probability Theory for Verification},
  PAGES = {103--113},
  CROSSREF = {tphols2000a},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/probability.html},
  ABSTRACT = {There are many algorithms that make use of probabilistic choice, but
a lack of tools available to specify and verify their operation.  The
primary contribution of this paper is a lightweight modelling of such
algorithms in higher-order logic, together with some key properties
that enable verification. The theory is applied to a uniform random
number generator and some basic properties are established. As a
secondary contribution, all the theory developed has been mechanized
in the hol98 theorem-prover.}
}

@MANUAL{hurd2000b,
  AUTHOR = {Joe Hurd},
  TITLE = {The Probability Theories in hol98},
  MONTH = JUN,
  YEAR = 2000,
  NOTE = {Part of the documentation for the hol98 theorem prover},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/probdoc.html},
  ABSTRACT = {A description of the hol98 probability library.}
}

@ARTICLE{hurd2001,
  AUTHOR = {Joe Hurd},
  TITLE = {Congruence Classes with Logic Variables},
  JOURNAL = {Logic Journal of the {IGPL}},
  PAGES = {59--75},
  VOLUME = 9,
  NUMBER = 1,
  MONTH = JAN,
  YEAR = 2001,
  URL = {http://www3.oup.co.uk/igpl/Volume_09/Issue_01/#Hurd},
  ABSTRACT = {We are improving equality reasoning in automatic theorem-provers, and
congruence classes provide an efficient storage mechanism for terms,
as well as the congruence closure decision procedure. We describe the
technical steps involved in integrating logic variables with
congruence classes, and present an algorithm that can be proved to
find all matches between classes (modulo certain equalities). An
application of this algorithm makes possible a percolation algorithm
for undirected rewriting in minimal space; this is described and an
implementation in hol98 is examined in some detail.}
}

@INPROCEEDINGS{hurd2001a,
  AUTHOR = {Joe Hurd},
  TITLE = {Predicate Subtyping with Predicate Sets},
  PAGES = {265--280},
  CROSSREF = {tphols2001},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/subtypes.html},
  ABSTRACT = {We show how PVS-style predicate subtyping can be simulated in HOL
using predicate sets, and explain how to perform subtype checking
using this model. We illustrate some applications of this to
specification and verification in HOL, and also demonstrate some
limits of the approach. Finally we show preliminary results of a
subtype checker that has been integrated into a contextual rewriter.}
}

@INPROCEEDINGS{hurd2001b,
  AUTHOR = {Joe Hurd},
  TITLE = {Verification of the {Miller-Rabin} Probabilistic Primality Test},
  PAGES = {223--238},
  CROSSREF = {tphols2001a},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/miller.html}
}

@PHDTHESIS{hurd2002,
  AUTHOR = {Joe Hurd},
  TITLE = {Formal Verification of Probabilistic Algorithms},
  SCHOOL = {University of Cambridge},
  YEAR = 2002,
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/thesis.html},
  ABSTRACT = {This thesis shows how probabilistic algorithms can be formally
verified using a mechanical theorem prover.

We begin with an extensive foundational development of probability,
creating a higher-order logic formalization of mathematical measure
theory. This allows the definition of the probability space we use to
model a random bit generator, which informally is a stream of
coin-flips, or technically an infinite sequence of IID Bernoulli(1/2)
random variables.

Probabilistic programs are modelled using the state-transformer monad
familiar from functional programming, where the random bit generator
is passed around in the computation. Functions remove random bits from
the generator to perform their calculation, and then pass back the
changed random bit generator with the result.

Our probability space modelling the random bit generator allows us to
give precise probabilistic specifications of such programs, and then
verify them in the theorem prover.

We also develop technical support designed to expedite verification:
probabilistic quantifiers; a compositional property subsuming
measurability and independence; a probabilistic while loop together
with a formal concept of termination with probability 1. We also
introduce a technique for reducing properties of a probabilistic while
loop to properties of programs that are guaranteed to terminate: these
can then be established using induction and standard methods of
program correctness.

We demonstrate the formal framework with some example probabilistic
programs: sampling algorithms for four probability distributions; some
optimal procedures for generating dice rolls from coin flips; the
symmetric simple random walk. In addition, we verify the Miller-Rabin
primality test, a well-known and commercially used probabilistic
algorithm. Our fundamental perspective allows us to define a version
with strong properties, which we can execute in the logic to prove
compositeness of numbers.}
}

@INPROCEEDINGS{hurd2002b,
  AUTHOR = {Joe Hurd},
  TITLE = {A Formal Approach to Probabilistic Termination},
  PAGES = {230--245},
  CROSSREF = {tphols2002},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/termination.html},
  ABSTRACT = {We present a probabilistic version of the while loop, in the context
of our mechanized framework for verifying probabilistic programs. The
while loop preserves useful program properties of measurability and
independence, provided a certain condition is met. This condition is
naturally interpreted as ``from every starting state, the while loop
will terminate with probability 1'', and we compare it to other
probabilistic termination conditions in the literature. For
illustration, we verify in HOL two example probabilistic algorithms
that necessarily rely on probabilistic termination: an algorithm to
sample the Bernoulli(p) distribution using coin-flips; and the
symmetric simple random walk.}
}

@INPROCEEDINGS{hurd2002c,
  AUTHOR = {Joe Hurd},
  TITLE = {{HOL} Theorem Prover Case Study: Verifying Probabilistic Programs},
  PAGES = {83--92},
  CROSSREF = {avocs2002},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/holprob.html},
  ABSTRACT = {The focus of this paper is the question: ``How suited is the HOL
theorem prover to the verification of probabilistic programs?'' To
answer this, we give a brief introduction to our model of
probabilistic programs in HOL, and then compare this approach to other
formal tools that have been used to verify probabilistic programs: the
Prism model checker, the Coq theorem prover, and the B method.}
}

@INPROCEEDINGS{hurd2002d,
  AUTHOR = {Joe Hurd},
  TITLE = {Fast Normalization in the {HOL} Theorem Prover},
  CROSSREF = {arw2002},
  NOTE = {An extended abstract},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/defcnf.html}
}

@INPROCEEDINGS{hurd2002e,
  AUTHOR = {Joe Hurd},
  TITLE = {An {LCF}-Style Interface between {HOL} and First-Order Logic},
  PAGES = {134--138},
  CROSSREF = {cade2002},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/hol2fol.html}
}

@ARTICLE{hurd2003,
  AUTHOR = {Joe Hurd},
  TITLE = {Verification of the {Miller-Rabin} Probabilistic Primality Test},
  JOURNAL = {Journal of Logic and Algebraic Programming},
  MONTH = {May--August},
  YEAR = {2003},
  VOLUME = 50,
  NUMBER = {1--2},
  PAGES = {3--21},
  NOTE = {Special issue on Probabilistic Techniques for the Design and Analysis of Systems},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/miller.html},
  ABSTRACT = {Using the HOL theorem prover, we apply our formalization of
probability theory to specify and verify the Miller-Rabin
probabilistic primality test. The version of the test commonly found
in algorithm textbooks implicitly accepts probabilistic termination,
but our own verified implementation satisfies the stronger property of
guaranteed termination.  Completing the proof of correctness requires
a significant body of group theory and computational number theory to
be formalized in the theorem prover.  Once verified, the primality
test can either be executed in the logic (using rewriting) and used to
prove the compositeness of numbers, or manually extracted to Standard
ML and used to find highly probable primes.}
}

@TECHREPORT{hurd2003a,
  AUTHOR = {Joe Hurd},
  TITLE = {Using Inequalities as Term Ordering Constraints},
  MONTH = JUN,
  YEAR = 2003,
  INSTITUTION = {University of Cambridge Computer Laboratory},
  ISSN = {1476-2986},
  NUMBER = 567,
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/ordering.html},
  ABSTRACT = {In this paper we show how linear inequalities can be used to
approximate Knuth-Bendix term ordering constraints, and how term
operations such as substitution can be carried out on systems of
inequalities. Using this representation allows an off-the-shelf linear
arithmetic decision procedure to check the satisfiability of a set of
ordering constraints. We present a formal description of a resolution
calculus where systems of inequalities are used to constrain clauses,
and implement this using the Omega test as a satisfiability
checker. We give the results of an experiment over problems in the
TPTP archive, comparing the practical performance of the resolution
calculus with and without inherited inequality constraints.}
}

@UNPUBLISHED{hurd2003b,
  AUTHOR = {Joe Hurd and Annabelle McIver and Carroll Morgan},
  TITLE = {Probabilistic Guarded Commands Mechanized in {HOL}},
  MONTH = APR,
  YEAR = 2003,
  NOTE = {Available from the author's web site},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/pgcl.html}
}

@TECHREPORT{hurd2003c,
  AUTHOR = {Joe Hurd},
  TITLE = {Formal Verification of Probabilistic Algorithms},
  INSTITUTION = {University of Cambridge Computer Laboratory},
  ISSN = {1476-2986},
  MONTH = MAY,
  YEAR = 2003,
  NUMBER = 566,
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/thesis.html},
  ABSTRACT = {This thesis shows how probabilistic algorithms can be formally
verified using a mechanical theorem prover.

We begin with an extensive foundational development of probability,
creating a higher-order logic formalization of mathematical measure
theory. This allows the definition of the probability space we use to
model a random bit generator, which informally is a stream of
coin-flips, or technically an infinite sequence of IID Bernoulli(1/2)
random variables.

Probabilistic programs are modelled using the state-transformer monad
familiar from functional programming, where the random bit generator
is passed around in the computation. Functions remove random bits from
the generator to perform their calculation, and then pass back the
changed random bit generator with the result.

Our probability space modelling the random bit generator allows us to
give precise probabilistic specifications of such programs, and then
verify them in the theorem prover.

We also develop technical support designed to expedite verification:
probabilistic quantifiers; a compositional property subsuming
measurability and independence; a probabilistic while loop together
with a formal concept of termination with probability 1. We also
introduce a technique for reducing properties of a probabilistic while
loop to properties of programs that are guaranteed to terminate: these
can then be established using induction and standard methods of
program correctness.

We demonstrate the formal framework with some example probabilistic
programs: sampling algorithms for four probability distributions; some
optimal procedures for generating dice rolls from coin flips; the
symmetric simple random walk. In addition, we verify the Miller-Rabin
primality test, a well-known and commercially used probabilistic
algorithm. Our fundamental perspective allows us to define a version
with strong properties, which we can execute in the logic to prove
compositeness of numbers.}
}

@INPROCEEDINGS{hurd2003d,
  AUTHOR = {Joe Hurd},
  TITLE = {First-Order Proof Tactics in Higher-Order Logic Theorem Provers},
  PAGES = {56--68},
  CROSSREF = {strata2003},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/metis.html},
  ABSTRACT = {In this paper we evaluate the effectiveness of first-order proof
procedures when used as tactics for proving subgoals in a higher-order
logic interactive theorem prover. We first motivate why such
first-order proof tactics are useful, and then describe the core
integrating technology: an `LCF-style' logical kernel for clausal
first-order logic. This allows the choice of different logical
mappings between higher-order logic and first-order logic to be used
depending on the subgoal, and also enables several different
first-order proof procedures to cooperate on constructing the proof.
This work was carried out using the HOL4 theorem prover; we comment on
the ease of transferring the technology to other higher-order logic
theorem provers.}
}

@INPROCEEDINGS{hurd2004,
  AUTHOR = {Joe Hurd and Annabelle McIver and Carroll Morgan},
  TITLE = {Probabilistic Guarded Commands Mechanized in {HOL}},
  CROSSREF = {qapl2004},
  PAGES = {95--111},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/pgcl.html},
  ABSTRACT = {The probabilistic guarded-command language pGCL contains both demonic
and probabilistic nondeterminism, which makes it suitable for
reasoning about distributed random algorithms Proofs are based on
weakest precondition semantics, using an underlying logic of real-
(rather than Boolean-) valued functions.

We present a mechanization of the quantitative logic for pGCL using
the HOL4 theorem prover, including a proof that all pGCL commands
satisfy the new condition sublinearity, the quantitative
generalization of conjunctivity for standard GCL.

The mechanized theory also supports the creation of an automatic proof
tool which takes as input an annotated pGCL program and its partial
correctness specification, and derives from that a sufficient set of
verification conditions. This is employed to verify the partial
correctness of the probabilistic voting stage in Rabin's
mutual-exclusion algorithm.}
}

@INPROCEEDINGS{hurd2004a,
  AUTHOR = {Joe Hurd},
  TITLE = {Compiling {HOL4} to Native Code},
  CROSSREF = {tphols2004a},
  URL = {http://www.cl.cam.ac.uk/~jeh1004/research/papers/fasthol.html}
}

@INPROCEEDINGS{huth2000,
  AUTHOR = {Michael Huth},
  TITLE = {The Interval Domain: A Matchmaker for {aCTL} and {aPCTL}},
  BOOKTITLE = {US - Brazil Joint Workshops on the Formal Foundations of Software Systems},
  YEAR = 2000,
  EDITOR = {Rance Cleaveland and Michael Mislove and Philip Mulry},
  SERIES = {Electronic Notes in Theoretical Computer Science},
  VOLUME = 14,
  PUBLISHER = {Elsevier},
  URL = {http://www.elsevier.nl/locate/entcs/volume14.html}
}

@TECHREPORT{hutton1996,
  AUTHOR = {Graham Hutton and Erik Meijer},
  TITLE = {Monadic Parser Combinators},
  INSTITUTION = {Department of Computer Science, University of Nottingham},
  NUMBER = {NOTTCS-TR-96-4},
  YEAR = 1996,
  URL = {http://www.cs.nott.ac.uk/~gmh//bib.html#monparsing},
  ABSTRACT = {In functional programming, a popular approach to building recursive
descent parsers is to model parsers as functions, and to define
higher-order functions (or combinators) that implement grammar
constructions such as sequencing, choice, and repetition. Such parsers
form an instance of a monad, an algebraic structure from mathematics
that has proved useful for addressing a number of computational
problems. The purpose of this report is to provide a step-by-step
tutorial on the monadic approach to building functional parsers, and
to explain some of the benefits that result from exploiting monads. No
prior knowledge of parser combinators or of monads is assumed. Indeed,
this report can also be viewed as a first introduction to the use of
monads in programming.}
}

@INPROCEEDINGS{jackson1996,
  AUTHOR = {Paul B. Jackson},
  TITLE = {Expressive Typing and Abstract Theories in {Nuprl} and {PVS} (tutorial)},
  CROSSREF = {tphols1996},
  URL = {http://www.dcs.ed.ac.uk/home/pbj/papers/tphols96.ps.gz},
  ABSTRACT = {This 90min tutorial covered two of the more novel aspects of the
Nuprl and PVS theorem provers:

Expressive type systems. These make specifications more consise and
accurate, but good automation is needed to solve proof obligations
that arise during type-checking.

Support for abstract theories. These have uses in supporting
mechanical proof developments, and in the domains of program
specification refinement and mathematics. Key issues are whether types
can be formed for classes of abstract theories and the need for
automatic inference of theory interpretations.

The tutorial assumed some familiarity with HOL-like theorem provers,
but did not assume familiarity with either PVS or Nuprl in
particular. The issue of Nuprl's constructivity was orthogonal to the
issues discussed and was therefore glossed over.}
}

@ARTICLE{jamnik1999,
  AUTHOR = {Mateja Jamnik and Alan Bundy and Ian Green},
  TITLE = {On Automating Diagrammatic Proofs of Arithmetic Arguments},
  JOURNAL = {Journal of Logic, Language and Information},
  VOLUME = 8,
  NUMBER = 3,
  PAGES = {297--321},
  YEAR = 1999,
  NOTE = {Also available as Department of Artificial Intelligence Research Paper No. 910},
  URL = {http://www.cs.bham.ac.uk/~mxj/papers/pub910.jolli-camera.ps}
}

@INCOLLECTION{johnson1990,
  AUTHOR = {D. S. Johnson},
  TITLE = {A Catalog of Complexity Classes},
  BOOKTITLE = {Handbook of Theoretical Computer Science, Volume A: Algorithms and Complexity},
  PUBLISHER = {Elsevier and The MIT Press (co-publishers)},
  YEAR = 1990,
  EDITOR = {J. van Leeuwen},
  CHAPTER = 9,
  PAGES = {67--161},
  ABSTRACT = {"Johnson presents an extensive survey of computational complexity
classes. Of particular interest here is his discussion of randomized,
probabilistic, and stochastic complexity classes."}
}

@BOOK{johnstone1987,
  AUTHOR = {Peter T. Johnstone},
  TITLE = {Notes on logic and set theory},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1987
}

@PHDTHESIS{jones1990,
  AUTHOR = {Claire Jones},
  TITLE = {Probabilistic Non-Determinism},
  SCHOOL = {University of Edinburgh},
  YEAR = 1990,
  URL = {http://www.lfcs.informatics.ed.ac.uk/reports/90/ECS-LFCS-90-105/}
}

@INPROCEEDINGS{jones1997,
  AUTHOR = {Michael D. Jones},
  TITLE = {Restricted Types for {HOL}},
  CROSSREF = {tphols1997a},
  URL = {http://www.cs.utah.edu/~mjones/my.papers.html}
}

@ARTICLE{kammuller1999,
  AUTHOR = {F. Kamm{\"u}ller and L. C. Paulson},
  TITLE = {A Formal Proof of {Sylow's} First Theorem -- An Experiment in Abstract Algebra with {Isabelle} {HOL}},
  YEAR = 1999,
  JOURNAL = {Journal of Automated Reasoning},
  VOLUME = 23,
  NUMBER = {3-4},
  PAGES = {235--264}
}

@INPROCEEDINGS{karger1993,
  AUTHOR = {David R. Karger},
  TITLE = {Global Min-cuts in {RNC}, and Other Ramifications of a Simple Min-Cut Algorithm},
  PAGES = {21--30},
  BOOKTITLE = {Proceedings of the 4th Annual {ACM}-{SIAM} Symposium on Discrete Algorithms ({SODA} '93)},
  ADDRESS = {Austin, TX, USA},
  MONTH = JAN,
  YEAR = 1993,
  PUBLISHER = {SIAM}
}

@INCOLLECTION{karp1976,
  AUTHOR = {R. M. Karp},
  TITLE = {The Probabilistic Analysis of some Combinatorial Search Algorithms},
  PAGES = {1--20},
  CROSSREF = {traub1976}
}

@ARTICLE{kaufmann1997,
  AUTHOR = {Matt Kaufmann and J Strother Moore},
  TITLE = {An Industrial Strength Theorem Prover for a Logic Based on {Common} {Lisp}},
  JOURNAL = {IEEE Transactions on Software Engineering},
  VOLUME = 23,
  NUMBER = 4,
  PAGES = {203--213},
  MONTH = APR,
  YEAR = 1997,
  URL = {http://www.cs.utexas.edu/users/moore/publications/acl2-papers.html#Overviews}
}

@MISC{kaufmann1998,
  AUTHOR = {Matt Kaufmann and J Strother Moore},
  TITLE = {A Precise Description of the {ACL2} Logic},
  YEAR = 1998,
  URL = {http://www.cs.utexas.edu/users/moore/publications/km97a.ps.Z}
}

@BOOK{kaufmann2000,
  AUTHOR = {Matt Kaufmann and Panagiotis Manolios and J Strother Moore},
  TITLE = {Computer-Aided Reasoning: An Approach},
  PUBLISHER = {Kluwer Academic Publishers},
  MONTH = JUN,
  YEAR = 2000
}

@BOOK{kaufmann2000a,
  EDITOR = {Matt Kaufmann and Panagiotis Manolios and J Strother Moore},
  TITLE = {Computer-Aided Reasoning: ACL2 Case Studies},
  PUBLISHER = {Kluwer Academic Publishers},
  MONTH = JUN,
  YEAR = 2000
}

@INCOLLECTION{kelly1996,
  AUTHOR = {F. P. Kelly},
  TITLE = {Notes on effective bandwidths},
  BOOKTITLE = {Stochastic Networks: Theory and Applications},
  EDITOR = {F.P. Kelly and S. Zachary and I.B. Ziedins},
  PAGES = {141--168},
  PUBLISHER = {Oxford University Press},
  YEAR = 1996,
  SERIES = {Royal Statistical Society Lecture Notes Series},
  NUMBER = 4
}

@ARTICLE{king2000,
  AUTHOR = {Steve King and Jonathan Hammond and Rod Chapman and Andy Pryor},
  TITLE = {Is Proof More Cost-Effective Than Testing?},
  JOURNAL = {IEEE Transactions on Software Engineering},
  VOLUME = 26,
  NUMBER = 8,
  MONTH = AUG,
  YEAR = 2000,
  PAGES = {675-686},
  ABSTRACT = {This paper describes the use of formal development methods on an
industrial safety-critical application. The Z notation was used for
documenting the system specification and part of the design, and the
SPARK1 subset of Ada was used for coding. However, perhaps the most
distinctive nature of the project lies in the amount of proof that was
carried out: proofs were carried out both at the Z level-approximately
150 proofs in 500 pages-and at the SPARK code level-approximately
9,000 verification conditions generated and discharged. The project
was carried out under UK Interim Defence Standards 00-55 and 00-56,
which require the use of formal methods on safety-critical
applications. It is believed to be the first to be completed against
the rigorous demands of the 1991 version of these standards. The paper
includes comparisons of proof with the various types of testing
employed, in terms of their efficiency at finding faults. The most
striking result is that the Z proof appears to be substantially more
efficient at finding faults than the most efficient testing
phase. Given the importance of early fault detection, we believe this
helps to show the significant benefit and practicality of large-scale
proof on projects of this kind.}
}

@INCOLLECTION{knuth1970,
  AUTHOR = {D. E. Knuth and P. B. Bendix},
  TITLE = {Simple word problems in universal algebra},
  BOOKTITLE = {Computational problems in abstract algebra},
  EDITOR = {J. Leech},
  PUBLISHER = {Pergamon Press},
  ADDRESS = {Elmsford, N.Y.},
  YEAR = 1970,
  PAGES = {263--297}
}

@INCOLLECTION{knuth1976,
  AUTHOR = {Donald E. Knuth and Andrew C. Yao},
  TITLE = {The Complexity of Nonuniform Random Number Generation},
  CROSSREF = {traub1976}
}

@BOOK{knuth1997,
  AUTHOR = {Donald E. Knuth},
  NOTE = {Third edition},
  PUBLISHER = {Addison-Wesley},
  TITLE = {The Art of Computer Programming: Seminumerical Algorithms},
  YEAR = 1997
}

@BOOK{kolmogorov1950,
  AUTHOR = {Andrei N. Kolmogorov},
  YEAR = 1950,
  TITLE = {Foundations of the Theory of Probability},
  PUBLISHER = {Chelsea},
  ADDRESS = {New York}
}

@INPROCEEDINGS{korovin2001,
  AUTHOR = {Konstantin Korovin and Andrei Voronkov},
  TITLE = {{Knuth-Bendix} Constraint Solving Is {NP}-Complete},
  CROSSREF = {icalp2001},
  PAGES = {979--992}
}

@INPROCEEDINGS{kozen1979,
  AUTHOR = {Dexter Kozen},
  TITLE = {Semantics of Probabilistic Programs},
  PAGES = {101--114},
  BOOKTITLE = {20th Annual Symposium on Foundations of Computer Science},
  MONTH = OCT,
  PUBLISHER = {IEEE Computer Society Press},
  ADDRESS = {Long Beach, Ca., USA},
  YEAR = 1979
}

@INPROCEEDINGS{kozen1983,
  AUTHOR = {Dexter Kozen},
  TITLE = {A probabilistic {PDL}},
  BOOKTITLE = {Proceedings of the 15th ACM Symposium on Theory of Computing},
  YEAR = 1983
}

@TECHREPORT{kozen1998,
  AUTHOR = {Dexter Kozen},
  TITLE = {Efficient Code Certification},
  INSTITUTION = {Cornell University},
  NUMBER = {98-1661},
  MONTH = JAN,
  YEAR = 1998
}

@INCOLLECTION{keisler1985,
  AUTHOR = {H. J. Keisler},
  TITLE = {Probability Quantifiers},
  YEAR = 1985,
  BOOKTITLE = {Model-Theoretic Logics},
  EDITOR = {J. Barwise and S. Feferman},
  PUBLISHER = {Springer},
  ADDRESS = {New York},
  PAGES = {509--556}
}

@INPROCEEDINGS{kumar1991,
  AUTHOR = {R. Kumar and T. Kropf and K. Schneider},
  TITLE = {Integrating a First-Order Automatic Prover in the {HOL} Environment},
  PAGES = {170--176},
  CROSSREF = {tphols1991}
}

@INPROCEEDINGS{kushilevitz1992,
  AUTHOR = {Eyal Kushilevitz and Michael O. Rabin},
  TITLE = {Randomized Mutual Exclusion Algorithms Revisited},
  PAGES = {275--283},
  EDITOR = {Maurice Herlihy},
  BOOKTITLE = {Proceedings of the 11th Annual Symposium on Principles of Distributed Computing},
  ADDRESS = {Vancouver, BC, Canada},
  MONTH = AUG,
  YEAR = 1992,
  PUBLISHER = {ACM Press},
  ANNOTE = {Contains a corrected version of Rabin's probabilistic mutual exclusion algorithm~\cite{rabin1982}}
}

@INPROCEEDINGS{kwiatkowska1999,
  AUTHOR = {Marta Kwiatkowska and Gethin Norman and Roberto Segala and Jeremy Sproston},
  TITLE = {Automatic Verification of Real-Time Systems with Discrete Probability Distributions},
  PAGES = {75--95},
  CROSSREF = {arts1999},
  URL = {ftp://ftp.cs.bham.ac.uk/pub/authors/M.Z.Kwiatkowska/arts99.ps.gz},
  ABSTRACT = {We consider the timed automata model of [3], which allows the analysis
of real-time systems expressed in terms of quantitative timing
constraints. Traditional approaches to real-time system description
express the model purely in terms of nondeterminism; however, we may
wish to express the likelihood of the system making certain
transitions. In this paper, we present a model for real-time systems
augmented with discrete probability distributions. Furthermore, using
the algorithm of [5] with fairness, we develop a model checking method
for such models against temporal logic properties which can refer both
to timing properties and probabilities, such as, ``with probability
0.6 or greater, the clock x remains below 5 until clock y exceeds 2''.}
}

@INPROCEEDINGS{kwiatkowska2001,
  AUTHOR = {M. Kwiatkowska and G. Norman and D. Parker},
  TITLE = {PRISM: Probabilistic Symbolic Model Checker},
  BOOKTITLE = {Proceedings of PAPM/PROBMIV 2001 Tools Session},
  MONTH = SEP,
  YEAR = 2001,
  URL = {http://www.cs.bham.ac.uk/~dxp/prism/papers/PROBMIV01Tool.ps.gz}
}

@MISC{lamport1993,
  AUTHOR = {Leslie Lamport},
  TITLE = {How to Write a Proof},
  MONTH = FEB,
  YEAR = 1993,
  URL = {http://www.research.compaq.com/SRC/personal/lamport/pubs/pubs.html#lamport-how-to-write},
  ABSTRACT = {A method of writing proofs is proposed that makes it much harder to
prove things that are not true. The method, based on hierarchical
structuring, is simple and practical.}
}

@BOOK{lamport1994,
  AUTHOR = {Leslie Lamport},
  TITLE = {Latex: A document preparation system},
  PUBLISHER = {Addison-Wesley},
  YEAR = 1994,
  EDITION = {2nd}
}

@ARTICLE{lamport1999,
  AUTHOR = {Leslie Lamport and Lawrence C. Paulson},
  TITLE = {Should Your Specification Language Be Typed?},
  JOURNAL = {ACM Transactions on Programming Languages and Systems},
  VOLUME = 21,
  NUMBER = 3,
  PAGES = {502--526},
  MONTH = MAY,
  YEAR = 1999,
  URL = {http://www.research.compaq.com/SRC/personal/lamport/pubs/pubs.html#lamport-types},
  ABSTRACT = {Most specification languages have a type system. Type systems are
hard to get right, and getting them wrong can lead to
inconsistencies. Set theory can serve as the basis for a specification
languuage without types. This possibility, which has been widely
overlooked, offers many advantages. Untyped set theory is simple and
is more flexible than any simple typed formalism. Polymorphism,
overloading, and subtyping can make a type system more powerful, but
at the cost of increased complexity,and such refinements can never
attain the flexibility of having no types at all. Typed formalisms
have advantages too, stemming from the power of mechanical type
checking. While types serve little purpose in hand proofs, they do
help with mechanized proofs. In the absence of verification, type
checking can catch errors in specifications. It may be possible to
have the best of both worlds by adding typing annotations to an
untyped specification language. We consider only specification
languages, not programming languages.}
}

@INPROCEEDINGS{launchbury1994,
  AUTHOR = {John Launchbury and Simon L. Peyton Jones},
  TITLE = {Lazy functional state threads},
  BOOKTITLE = {SIGPLAN Symposium on Programming Language Design and Implementation (PLDI'94), Orlando},
  MONTH = JUN,
  YEAR = 1994,
  PAGES = {24--35}
}

@MISC{lawson1999,
  AUTHOR = {Jeff Lawson},
  TITLE = {Operational Code Authentication},
  YEAR = 1999,
  URL = {http://www.distributed.net/source/specs/opcodeauth.html}
}

@BOOK{lewis1918,
  AUTHOR = {Clarence Irving Lewis},
  TITLE = {A Survey of Symbolic Logic},
  YEAR = 1918,
  PAGES = {vi+406},
  PUBLISHER = {Univ.\ of California Press, Berkeley},
  ADDRESS = {Berkeley},
  NOTE = {Reprint of Chapters I--IV by Dover Publications, 1960, New York}
}

@ARTICLE{loveland1968,
  AUTHOR = {Donald W. Loveland},
  JOURNAL = {Journal of the {ACM}},
  MONTH = APR,
  NUMBER = 2,
  PAGES = {236--251},
  TITLE = {Mechanical Theorem Proving by Model Elimination},
  VOLUME = 15,
  YEAR = 1968
}

@INPROCEEDINGS{lynch2001,
  AUTHOR = {Christopher Lynch and Barbara Morawska},
  TITLE = {Goal-Directed {E}-Unification},
  PAGES = {231--245},
  CROSSREF = {rta2001},
  URL = {http://people.clarkson.edu/~clynch/PAPERS/goal_short_final.ps},
  ABSTRACT = {We give a general goal directed method for solving the E-unification
problem. Our inference system is a generalization of the inference
rules for Syntactic Theories, except that our inference system is
proved complete for any equational theory. We also show how to easily
modify our inference system into a more restricted inference system
for Syntactic Theories, and show that our completeness techniques
prove completeness there also.}
}

@INPROCEEDINGS{lynch2001a,
  AUTHOR = {Christopher Lynch and Barbara Morawska},
  TITLE = {Goal-Directed {E}-Unification},
  PAGES = {231--245},
  CROSSREF = {rta2001},
  URL = {http://people.clarkson.edu/~clynch/PAPERS/goal_short_final.ps},
  ABSTRACT = {We give a general goal directed method for solving the -unification
problem. Our inference system is a generalization of the inference
rules for Syntactic Theories, except that our inference system is
proved complete for any equational theory. We also show how to easily
modify our inference system into a more restricted inference system
for Syntactic Theories, and show that our completeness techniques
prove completeness there also.}
}

@INPROCEEDINGS{mairson1990,
  AUTHOR = {Harry G. Mairson},
  TITLE = {Deciding {ML} Typability is Complete for Deterministic Exponential Time},
  BOOKTITLE = {Conference Record of the Seventeenth Annual {ACM} Symposium on Principles of Programming Languages},
  YEAR = 1990,
  ORGANIZATION = {ACM SIGACT and SIGPLAN},
  PUBLISHER = {ACM Press},
  PAGES = {382--401}
}

@BOOK{manin1977,
  AUTHOR = {Yu I. Manin},
  TITLE = {A Course in Mathematical Logic},
  PUBLISHER = {Springer},
  ADDRESS = {New York},
  YEAR = 1977
}

@INPROCEEDINGS{mcallester1992,
  AUTHOR = {David McAllester},
  TITLE = {Grammar Rewriting},
  YEAR = 1992,
  PAGES = {124--138},
  CROSSREF = {cade1992}
}

@TECHREPORT{mciver1996,
  AUTHOR = {Annabelle McIver and Carroll Morgan},
  TITLE = {Probabilistic predicate transformers: Part 2},
  INSTITUTION = {Programming Research Group, Oxford University Computer Laboratory},
  YEAR = 1996,
  NUMBER = {PRG-TR-5-96},
  MONTH = MAR,
  URL = {http://web.comlab.ox.ac.uk/oucl/publications/tr/tr-5-96.html},
  ABSTRACT = {Probabilistic predicate transformers guarantee standard (ordinary)
predicate transformers to incorporate a notion of probabilistic choice
in imperative programs. The basic theory of that, for finite state
spaces, is set out in [5], together with a statements of their
`healthiness conditions'. Here the earlier results are extended to
infinite state spaces, and several more specialised topics are
explored: the characterisation of standard and deterministic programs;
and the structure of the extended space generated when `angelic
choice' is added to the system.}
}

@INPROCEEDINGS{mciver1998,
  AUTHOR = {Annabelle McIver and Carroll Morgan and Elena Troubitsyna},
  TITLE = {The probabilistic steam boiler: a case study in probabilistic data refinement},
  BOOKTITLE = {Proceedings of the International Refinement Workshop and Formal Methods Pacific},
  ADDRESS = {Canberra},
  YEAR = 1998,
  URL = {http://www.tucs.abo.fi/publications/techreports/TR173.html},
  ABSTRACT = {Probabilistic choice and demonic nondeterminism have been combined in
a model for sequential programs in which program refinement is defined
by removing demonic nondeterminism. Here we study the more general
topic of data refinement in the probabilistic setting, extending
standard techniques to probabilistic programs. We use the method to
obtain a quantitative assessment of safety of a (probabilistic)
version of the steam boiler.}
}

@ARTICLE{mciver2001,
  AUTHOR = {A. K. McIver and C. Morgan},
  TITLE = {Demonic, angelic and unbounded probabilistic choices in sequential programs},
  JOURNAL = {Acta Informatica},
  VOLUME = 37,
  NUMBER = {4/5},
  PAGES = {329--354},
  YEAR = 2001
}

@ARTICLE{mciver2001b,
  AUTHOR = {A. K. McIver and C. C. Morgan},
  TITLE = {Partial correctness for probabilistic programs},
  JOURNAL = {Theoretical Computer Science},
  VOLUME = 266,
  NUMBER = {1--2},
  PAGES = {513--541},
  YEAR = 2001
}

@BOOK{mciver2004,
  AUTHOR = {Annabelle McIver and Carroll Morgan},
  TITLE = {Abstraction, Refinement and Proof for Probabilistic Systems},
  PUBLISHER = {Springer},
  YEAR = 2004,
  URL = {http://www.cse.unsw.edu.au/~carrollm/arp}
}

@INPROCEEDINGS{miller1975,
  AUTHOR = {Gary L. Miller},
  TITLE = {Riemann's Hypothesis and Tests for Primality},
  BOOKTITLE = {Conference Record of Seventh Annual {ACM} Symposium on Theory of Computation},
  YEAR = 1975,
  MONTH = MAY,
  PAGES = {234--239},
  ADDRESS = {Albuquerque, New Mexico}
}

@ARTICLE{milner1978,
  AUTHOR = {R. Milner},
  TITLE = {A theory of type polymorphism in programming},
  JOURNAL = {Journal of Computer and System Sciences},
  VOLUME = 17,
  MONTH = DEC,
  PAGES = {348--375},
  YEAR = 1978
}

@INPROCEEDINGS{mogul1987,
  AUTHOR = {J. C. Mogul and R. F. Rashid and M. J. Accetta},
  TITLE = {The Packet Filter: An Efficient Mechanism for User-level Network Code},
  BOOKTITLE = {ACM Symposium on Operating Systems Principles},
  MONTH = NOV,
  YEAR = 1987
}

@INPROCEEDINGS{mokkedem2000,
  AUTHOR = {Abdel Mokkedem and Tim Leonard},
  TITLE = {Formal Verification of the {Alpha} 21364 Network Protocol},
  PAGES = {443--461},
  CROSSREF = {tphols2000}
}

@INPROCEEDINGS{monniaux2000,
  AUTHOR = {David Monniaux},
  TITLE = {Abstract Interpretation of Probabilistic Semantics},
  BOOKTITLE = {Seventh International Static Analysis Symposium (SAS'00)},
  SERIES = {Lecture Notes in Computer Science},
  YEAR = 2000,
  PUBLISHER = {Springer},
  NUMBER = {1824},
  URL = {http://www.di.ens.fr/~monniaux/biblio/David_Monniaux.html},
  ABSTRACT = {Following earlier models, we lift standard deterministic and
nondeterministic semantics of imperative programs to probabilistic
semantics. This semantics allows for random external inputs of known
or unknown probability and random number generators.  We then propose
a method of analysis of programs according to this semantics, in the
general framework of abstract interpretation. This method lifts an
ordinary abstract lattice, for non-probabilistic programs, to one
suitable for probabilistic programs.  Our construction is highly
generic. We discuss the influence of certain parameters on the
precision of the analysis, basing ourselves on experimental results.}
}

@INPROCEEDINGS{monniaux2001,
  AUTHOR = {David Monniaux},
  TITLE = {An Abstract {Monte-Carlo} Method for the Analysis of Probabilistic Programs (extended abstract)},
  BOOKTITLE = {28th Symposium on Principles of Programming Languages (POPL '01)},
  YEAR = 2001,
  ORGANIZATION = {Association for Computer Machinery},
  URL = {http://www.di.ens.fr/~monniaux/biblio/David_Monniaux.html},
  ABSTRACT = {We introduce a new method, combination of random testing and abstract
interpretation, for the analysis of programs featuring both
probabilistic and non-probabilistic nondeterminism. After introducing
ordinary testing, we show how to combine testing and abstract
interpretation and give formulas linking the precision of the results
to the number of iterations. We then discuss complexity and
optimization issues and end with some experimental results.}
}

@TECHREPORT{morgan1995,
  AUTHOR = {Carroll Morgan and Annabelle McIver and Karen Seidel and J. W. Sanders},
  TITLE = {Probabilistic predicate transformers},
  INSTITUTION = {Oxford University Computing Laboratory Programming Research Group},
  NUMBER = {TR-4-95},
  MONTH = FEB,
  YEAR = 1995,
  URL = {http://web.comlab.ox.ac.uk/oucl/publications/tr/tr-4-95.html},
  ABSTRACT = {Predicate transformers facilitate reasoning about imperative
programs, including those exhibiting demonic non-deterministic
choice. Probabilistic predicate transformers extend that facility to
programs containing probabilistic choice, so that one can in principle
determine not only whether a program is guaranteed to establish a
certain result, but also its probability of doing so.  We bring
together independent work of Claire Jones and Jifeng He, showing how
their constructions can be made to correspond; from that link between
a predicate-based and a relation-based view of probabilistic execution
we are able to propose "probabilistic healthiness conditions",
generalising those of Dijkstra for ordinary predicate transformers.
The associated calculus seems suitable for exploring further the
rigorous derivation of imperative probabilistic programs.}
}

@INPROCEEDINGS{morgan1996,
  AUTHOR = {Carroll Morgan},
  TITLE = {Proof Rules for Probabilistic Loops},
  BOOKTITLE = {Proceedings of the BCS-FACS 7th Refinement Workshop},
  YEAR = 1996,
  EDITOR = {He Jifeng and John Cooke and Peter Wallis},
  PUBLISHER = {Springer},
  SERIES = {Workshops in Computing},
  URL = {http://web.comlab.ox.ac.uk/oucl/publications/tr/tr-25-95.html}
}

@ARTICLE{morgan1996a,
  AUTHOR = {Carroll Morgan and Annabelle McIver and Karen Seidel},
  TITLE = {Probabilistic predicate transformers},
  JOURNAL = {ACM Transactions on Programming Languages and Systems},
  YEAR = 1996,
  VOLUME = 18,
  NUMBER = 3,
  PAGES = {325--353},
  MONTH = MAY
}

@ARTICLE{morgan1999,
  AUTHOR = {Carroll Morgan and Annabelle McIver},
  TITLE = {{pGCL}: formal reasoning for random algorithms},
  JOURNAL = {South African Computer Journal},
  YEAR = 1999,
  URL = {http://web.comlab.ox.ac.uk/oucl/research/areas/probs/pGCL.ps.gz}
}

@UNPUBLISHED{moser1996,
  AUTHOR = {Max Moser and Christopher Lynch and Joachim Steinbach},
  TITLE = {Model Elimination with Basic Ordered Paramodulation},
  MONTH = JAN,
  YEAR = 1996,
  URL = {http://people.clarkson.edu/~clynch/PAPERS/me.ps.gz},
  ABSTRACT = {We present a new approach for goal-directed theorem proving with
equality which integrates Basic Ordered Paramodulation into a Model
Elimination framework.  In order to be able to use orderings and to
restrict the applications of equations to non-variable positions, the
goal-directed tableau construction is combined with bottom-up
completion where only positive literals are overlapped.  The resulting
calculus thus keeps the best properties of completion while giving up
only part of the goal-directedness.}
}

@ARTICLE{moser1997,
  AUTHOR = {Max Moser and Ortrun Ibens and Reinhold Letz and Joachim Steinbach and Christoph Goller and Johannes Schumann and Klaus Mayr},
  TITLE = {{SETHEO} and {E-SETHEO} -- The {CADE}-13 Systems},
  JOURNAL = {Journal of Automated Reasoning},
  YEAR = 1997,
  VOLUME = 18,
  PAGES = {237--246},
  URL = {http://wwwjessen.informatik.tu-muenchen.de/~goller/PAPERS/jar97.ps.gz},
  ABSTRACT = {The model elimination theorem prover SETHEO (version V3.3) and its
equational extension E-SETHEO are presented. SETHEO employs
sophisticated mechanisms of subgoal selection, elaborate iterative
deepening techniques, and local failure caching methods.  Its
equational counterpart E-SETHEO transforms formulae containing
equality (using a variant of Brand's modification method) and
processes the output with the standard SETHEO system. The paper gives
an overview of the theoretical background, the system architecture,
and the performance of both systems.}
}

@BOOK{motwani1995,
  AUTHOR = {Rajeev Motwani and Prabhakar Raghavan},
  TITLE = {Randomized Algorithms},
  PUBLISHER = {Cambridge University Press},
  ADDRESS = {Cambridge, England},
  MONTH = JUN,
  YEAR = 1995
}

@TECHREPORT{necula1996,
  AUTHOR = {George C. Necula and Peter Lee},
  TITLE = {Proof-Carrying Code},
  INSTITUTION = {Computer Science Department, Carnegie Mellon University},
  NUMBER = {CMU-CS-96-165},
  MONTH = SEP,
  YEAR = 1996
}

@ARTICLE{nedzusiak1989,
  AUTHOR = {Andrzej N\c{e}dzusiak},
  TITLE = {$\sigma$-Fields and Probability},
  JOURNAL = {Journal of Formalized Mathematics},
  YEAR = {1989},
  URL = {http://mizar.uwb.edu.pl/JFM/Vol1/prob_1.html}
}

@ARTICLE{nedzusiak1990,
  AUTHOR = {Andrzej N\c{e}dzusiak},
  TITLE = {Probability},
  JOURNAL = {Journal of Formalized Mathematics},
  YEAR = {1990},
  URL = {http://mizar.uwb.edu.pl/JFM/Vol2/prob_2.html}
}

@ARTICLE{nelson1979,
  AUTHOR = {Greg Nelson and Derek C. Oppen},
  TITLE = {Simplification by Cooperating Decision Procedures},
  JOURNAL = {ACM Transactions on Programming Languages and Systems},
  VOLUME = 1,
  NUMBER = 2,
  PAGES = {245--257},
  MONTH = OCT,
  YEAR = 1979
}

@ARTICLE{nelson1980,
  AUTHOR = {Greg Nelson and Derek C. Oppen},
  TITLE = {Fast Decision Procedures Bases on Congruence Closure},
  JOURNAL = {Journal of the Association for Computing Machinery},
  YEAR = 1980,
  VOLUME = {27},
  NUMBER = {2},
  PAGES = {356--364},
  MONTH = APR
}

@BOOK{nederpelt1994,
  AUTHOR = {R. P. Nederpel and J. H. Geuvers and R. C. De Vrijer},
  TITLE = {Selected Papers on Automath (Studies in Logic and the Foundations of Mathematics: Volume 133)},
  PUBLISHER = {North-Holland},
  YEAR = 1994
}

@ARTICLE{nieuwenhuis1995,
  AUTHOR = {Robert Nieuwenhuis and Albert Rubio},
  TITLE = {Theorem Proving with Ordering and Equality Constrained Clauses},
  JOURNAL = {Journal of Symbolic Computation},
  VOLUME = 19,
  NUMBER = 4,
  PAGES = {321--351},
  MONTH = APR,
  YEAR = 1995
}

@INCOLLECTION{nieuwenhuis2001,
  AUTHOR = {R. Nieuwenhuis and A. Rubio},
  TITLE = {Paramodulation-Based Theorem Proving},
  BOOKTITLE = {Handbook of Automated Reasoning},
  CHAPTER = 7,
  PUBLISHER = {Elsevier Science},
  EDITOR = {A. Robinson and A. Voronkov},
  YEAR = 2001,
  VOLUME = {I},
  PAGES = {371--443},
  CROSSREF = {robinson2001}
}

@ARTICLE{nilsson1986,
  AUTHOR = {Nils J. Nilsson},
  TITLE = {Probabilistic Logic},
  JOURNAL = {Artificial Intelligence},
  YEAR = 1986,
  VOLUME = 28,
  NUMBER = 1,
  PAGES = {71--87}
}

@INPROCEEDINGS{nipkow1993,
  TITLE = {Functional Unification of Higher-Order Patterns},
  AUTHOR = {Tobias Nipkow},
  PAGES = {64--74},
  BOOKTITLE = {Proceedings, Eighth Annual {IEEE} Symposium on Logic in Computer Science},
  YEAR = 1993,
  ORGANIZATION = {IEEE Computer Society Press},
  ABSTRACT = {Higher-order patterns (HOPs) are a class of lambda-terms which behave
almost like first-order terms w.r.t. unification: unification is
decidable and unifiable terms have most general unifiers which are
easy to compute. HOPs were first discovered by Dale Miller and
subsequently developed and applied by Pfenning and Nipkow. This paper
presents a stepwise development of a functional unification algorithm
for HOPs. Both the usual representation of lambda-terms with
alphabetic bound variables and de Bruijn's notation are treated. The
appendix contains a complete listing of an implementation in Standard
ML.}
}

@INPROCEEDINGS{nipkow2002,
  AUTHOR = {Tobias Nipkow},
  TITLE = {Hoare Logics in {Isabelle/HOL}},
  BOOKTITLE = {Proof and System-Reliability},
  EDITOR = {H. Schwichtenberg and R. Steinbr\"uggen},
  PUBLISHER = {Kluwer},
  YEAR = 2002,
  PAGES = {341-367},
  URL = {http://www4.informatik.tu-muenchen.de/~nipkow/pubs/MOD2001.html}
}

@INPROCEEDINGS{nivela1993,
  AUTHOR = {Pilar Nivela and Robert Nieuwenhuis},
  TITLE = {Saturation of first-order (constrained) clauses with the {{\em Saturate}} system},
  PAGES = {436--440},
  EDITOR = {Claude Kirchner},
  BOOKTITLE = {Proceedings of the 5th International Conference on Rewriting Techniques and Applications ({RTA}-93)},
  MONTH = JUN,
  YEAR = 1993,
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 690,
  PUBLISHER = {Springer}
}

@PHDTHESIS{norrish1998,
  AUTHOR = {Michael Norrish},
  TITLE = {{C} formalised in {HOL}},
  SCHOOL = {University of Cambridge Computer Laboratory},
  YEAR = 1998
}

@BOOK{okasaki1998,
  AUTHOR = {Chris Okasaki},
  TITLE = {Purely Functional Data Structures},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1998,
  ADDRESS = {Cambridge, UK},
  ABSTRACT = {Data structures and efficiency analysis for functional
programming. Code in ML and Haskell. Many references.}
}

@TECHREPORT{owre1997,
  AUTHOR = {Sam Owre and Natarajan Shankar},
  TITLE = {The Formal Semantics of {PVS}},
  NUMBER = {SRI-CSL-97-2},
  MONTH = AUG,
  YEAR = 1997,
  INSTITUTION = {Computer Science Laboratory, SRI International},
  ADDRESS = {Menlo Park, CA},
  URL = {http://pvs.csl.sri.com/manuals.html}
}

@MANUAL{owre1999,
  AUTHOR = {S. Owre and N. Shankar and J. M. Rushby and D. W. J. Stringer-Calvert},
  TITLE = {{PVS} System Guide},
  MONTH = SEP,
  YEAR = 1999,
  ORGANIZATION = {Computer Science Laboratory, SRI International},
  ADDRESS = {Menlo Park, CA}
}

@MISC{paulin2002,
  AUTHOR = {Christine Paulin and Philippe Audebaud and Richard Lassaigne},
  TITLE = {Randomized Algorithms in Type Theory},
  HOWPUBLISHED = {Slides from a talk delivered at Dagstuhl seminar 01341: Dependent Type Theory meets Practical Programming},
  MONTH = AUG,
  YEAR = 2001,
  URL = {http://www.lri.fr/~paulin/ALEA/dagstuhl.ps.gz}
}

@ARTICLE{paulson83,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {A Higher-Order Implementation of Rewriting},
  JOURNAL = {Science of Computer Programming},
  VOLUME = 3,
  PAGES = {119-149},
  YEAR = 1983,
  URL = {http://www.cl.cam.ac.uk/users/lcp/papers/TR035-lcp-rewriting.pdf},
  ABSTRACT = {Many automatic theorem-provers rely on rewriting. Using theorems as
rewrite rules helps to simplify the subgoals that arise during a
proof. LCF is an interactive theorem-prover intended for reasoning
about computation. Its implementation of rewriting is presented in
detail. LCF provides a family of rewriting functions, and operators to
combine them. A succession of functions is described, from pattern
matching primitives to the rewriting tool that performs most
inferences in LCF proofs. The design is highly modular. Each function
performs a basic, specific task, such as recognizing a certain form of
tautology. Each operator implements one method of building a rewriting
function from sim- pler ones. These pieces can be put together in
numerous ways, yielding a variety of rewriting strategies. The
approach involves programming with higher-order functions. Rewriting
functions are data val- ues, produced by computation on other
rewriting functions. The code is in daily use at Cambridge, demon-
strating the practical use of functional programming.}
}

@ARTICLE{paulson1993,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {Set Theory for Verification: {I}. {From} Foundations to Functions},
  JOURNAL = {Journal of Automated Reasoning},
  VOLUME = 11,
  NUMBER = 3,
  PAGES = {353-389},
  YEAR = 1993,
  URL = {http://www.cl.cam.ac.uk/users/lcp/papers/Sets/set-I.pdf},
  ABSTRACT = {A logic for specification and verification is derived from the axioms
of Zermelo-Fraenkel set theory. The proofs are performed using the
proof assistant Isabelle. Isabelle is generic, supporting several
different logics. Isabelle has the flexibility to adapt to variants of
set theory. Its higher-order syntax supports the definition of new
binding operators. Unknowns in subgoals can be instantiated
incrementally. The paper describes the derivation of rules for
descriptions, relations and functions, and discusses interactive
proofs of Cantor's Theorem, the Composition of Homomorphisms challenge
[9], and Ramsey's Theorem [5]. A generic proof assistant can stand up
against provers dedicated to particular logics.}
}

@ARTICLE{paulson1994,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {{Isabelle}: A Generic Theorem Prover},
  JOURNAL = {Lecture Notes in Computer Science},
  VOLUME = {828},
  PAGES = {xvii + 321},
  YEAR = 1994
}

@ARTICLE{paulson1995,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {Set Theory for Verification: {II}.  {Induction} and Recursion},
  JOURNAL = JAR,
  VOLUME = 15,
  NUMBER = 2,
  PAGES = {167-215},
  YEAR = 1995,
  URL = {http://www.cl.cam.ac.uk/users/lcp/papers/Sets/set-II.pdf},
  ABSTRACT = {A theory of recursive definitions has been mechanized in Isabelle's
Zermelo-Fraenkel (ZF) set theory. The objective is to support the
formalization of particular recursive definitions for use in
verification, semantics proofs and other computational
reasoning. Inductively defined sets are expressed as least
fixedpoints, applying the Knaster-Tarski Theorem over a suitable
set. Recursive functions are defined by well-founded recursion and its
derivatives, such as transfinite recursion. Recursive data structures
are expressed by applying the Knaster-Tarski Theorem to a set, such as
$V_{\omega}$, that is closed under Cartesian product and disjoint
sum. Worked examples include the transitive closure of a relation,
lists, variable-branching trees and mutually recursive trees and
forests. The Schr\"oder-Bernstein Theorem and the soundness of
propositional logic are proved in Isabelle sessions.}
}

@INPROCEEDINGS{paulson1997,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {Proving Properties of Security Protocols by Induction},
  PAGES = {70-83},
  CROSSREF = {csfw1997},
  URL = {http://www.cl.cam.ac.uk/ftp/papers/reports/TR409-lcp-Proving-Properties-of-Security-Protocols-by-Induction.ps.gz}
}

@ARTICLE{paulson1997a,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {Mechanizing Coinduction and Corecursion in Higher-Order Logic},
  JOURNAL = {Journal of Logic and Computation},
  YEAR = 1997,
  VOLUME = 7,
  NUMBER = 2,
  MONTH = MAR,
  PAGES = {175-204},
  URL = {http://www.cl.cam.ac.uk/Research/Reports/TR304-lcp-coinduction.ps.gz}
}

@MANUAL{paulson1998,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {The {Isabelle} Reference Manual},
  MONTH = OCT,
  YEAR = 1998,
  NOTE = {With contributions by Tobias Nipkow and Markus Wenzel}
}

@ARTICLE{paulson1999,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {Inductive Analysis of the {Internet} Protocol {TLS}},
  JOURNAL = {TISSEC},
  MONTH = AUG,
  YEAR = 1999,
  VOLUME = 2,
  NUMBER = 3,
  PAGES = {332-351}
}

@ARTICLE{paulson1999a,
  AUTHOR = {L. C. Paulson},
  TITLE = {A Generic Tableau Prover and its Integration with {Isabelle}},
  JOURNAL = {Journal of Universal Computer Science},
  VOLUME = 5,
  NUMBER = 3,
  MONTH = MAR,
  YEAR = 1999,
  URL = {http://www.jucs.org/jucs_5_3/a_generic_tableau_prover}
}

@ARTICLE{paulson2000,
  AUTHOR = {Lawrence C. Paulson},
  TITLE = {Mechanizing {UNITY} in {Isabelle}},
  JOURNAL = {ACM Transactions on Computational Logic},
  YEAR = 2000,
  NOTE = {In press.}
}

@INPROCEEDINGS{pfenning1999,
  AUTHOR = {F. Pfenning and C. Sch{\"u}rmann},
  TITLE = {System Description: Twelf --- {A} Meta-Logical Framework for Deductive Systems},
  CROSSREF = {cade1999}
}

@BOOK{pirsig,
  AUTHOR = {Robert M. Pirsig},
  TITLE = {Zen and the Art of Motorcycle Maintenance},
  PUBLISHER = {Morrow},
  MONTH = MAY,
  YEAR = 1974,
  EDITION = {10th},
  URL = {http://www.aoe.vt.edu/~ciochett/lit/zen.html}
}

@ARTICLE{pollack1995,
  AUTHOR = {R. Pollack},
  TITLE = {On Extensibility of Proof Checkers},
  JOURNAL = {Lecture Notes in Computer Science},
  VOLUME = {996},
  PAGES = {140--161},
  YEAR = 1995,
  URL = {ftp://ftp.cs.chalmers.se/pub/users/pollack/extensibility.ps.gz}
}

@BOOK{polya1948,
  AUTHOR = {George P\'olya},
  TITLE = {How to Solve It},
  PUBLISHER = {Princeton University Press},
  ADDRESS = {Princeton},
  YEAR = 1948
}

@ARTICLE{pugh1992,
  AUTHOR = {William Pugh},
  TITLE = {A Practical Algorithm for Exact Array Dependence Analysis},
  JOURNAL = {Communications of the ACM},
  VOLUME = 35,
  NUMBER = 8,
  PAGES = {102--114},
  MONTH = AUG,
  YEAR = 1992,
  ABSTRACT = {The Omega test is an integer programming algorithm that can determine
whether a dependence exists between two array references, and if so,
under what conditions.  Conventional wisdom holds that integer
programming techniques are far too expensive to be used for dependence
analysis, except as a method of last resort for situations that cannot
be decided by simpler methods. We present evidence that suggests this
wisdom is wrong, and that the Omega test is competitive with
approximate algorithms used in practice and suitable for use in
production compilers. The Omega test is based on an extension of
Fourier-Motzkin variable elimination to integer programming, and has
worst-case exponential time complexity. However, we show that for many
situations in which other (polynomial) methods are accurate, the Omega
test has low order polynomial time complexity. The Omega test can be
used to simplify integer programming problems, rather than just
deciding them. This has many applications, including accurately and
efficiently computing dependence direction and distance vectors.}
}

@ARTICLE{rabin1963,
  AUTHOR = {M. O. Rabin},
  TITLE = {Probabilistic Automata},
  JOURNAL = {Information and Control},
  VOLUME = 6,
  YEAR = 1963,
  PAGES = {230--245},
  ABSTRACT = {"This is a seminal paper on the theory of probabilistic
automata. Rabin defined the notion of a language being accepted by a
probabilistic automaton relative to a cutpoint lambda. One of his key
results was to show that there exist finite state probabilistic
automata that define non-regular languages."}
}

@INCOLLECTION{rabin1976,
  AUTHOR = {M. O. Rabin},
  TITLE = {Probabilistic Algorithms},
  PAGES = {21--39},
  CROSSREF = {traub1976}
}

@ARTICLE{rabin1982,
  AUTHOR = {Michael O. Rabin},
  TITLE = {{$N$}-Process Mutual Exclusion with Bounded Waiting by {$4\log_2(N)$}-Valued Shared Variable},
  PAGES = {66--75},
  JOURNAL = {Journal of Computer and System Sciences},
  VOLUME = 25,
  NUMBER = 1,
  MONTH = AUG,
  YEAR = 1982
}

@INPROCEEDINGS{ramsey2002,
  AUTHOR = {Norman Ramsey and Avi Pfeffer},
  TITLE = {Stochastic Lambda Calculus and Monads of Probability Distributions},
  CROSSREF = {popl2002},
  URL = {http://www.eecs.harvard.edu/~nr/pubs/pmonad-abstract.html},
  ABSTRACT = {Probability distributions are useful for expressing the meanings of
probabilistic languages, which support formal modeling of and
reasoning about uncertainty. Probability distributions form a monad,
and the monadic definition leads to a simple, natural semantics for a
stochastic lambda calculus, as well as simple, clean implementations
of common queries. But the monadic implementation of the expectation
query can be much less efficient than current best practices in
probabilistic modeling. We therefore present a language of measure
terms, which can not only denote discrete probability distributions
but can also support the best known modeling techniques. We give a
translation of stochastic lambda calculus into measure terms. Whether
one translates into the probability monad or into measure terms, the
results of the translations denote the same probability distribution.}
}

@ARTICLE{ray1993,
  AUTHOR = {T. S. Ray},
  TITLE = {An evolutionary approach to synthetic biology, Zen and the art of creating life.},
  JOURNAL = {Artificial Life},
  YEAR = 1993,
  VOLUME = {1},
  NUMBER = {1},
  URL = {ftp://tierra.slhs.udel.edu/doc/Zen.tex}
}

@ARTICLE{reiter1999,
  AUTHOR = {M. K. Reiter and A. D. Rubin},
  TITLE = {Anonymous web transactions with Crowds},
  JOURNAL = {Communications of the ACM},
  YEAR = 1999,
  VOLUME = 42,
  NUMBER = 2,
  MONTH = FEB,
  PAGES = {32--38},
  ABSTRACT = {The authors describe how the Crowds system works -- essentially, a
group of users act as web forwarders for each other in a way that
appears random to outsiders.  They analyse the anonymity properties of
the system and compare it with other systems. Crowds enables the
retrieval of information over the web with only a small amount of
private information leakage to other parties.}
}

@ARTICLE{robinson1965,
  AUTHOR = {J. A. Robinson},
  TITLE = {A Machine-Oriented Logic Based on the Resolution Principle},
  JOURNAL = {Journal of the ACM},
  VOLUME = 12,
  NUMBER = 1,
  PAGES = {23--49},
  MONTH = JAN,
  YEAR = 1965
}

@ARTICLE{robinson1965a,
  AUTHOR = {J. A. Robinson},
  JOURNAL = {International Journal of Computer Mathematics},
  PAGES = {227--234},
  TITLE = {Automatic Deduction with Hyper-Resolution},
  VOLUME = 1,
  YEAR = 1965
}

@ARTICLE{robinson1970,
  AUTHOR = {J. A. Robinson},
  TITLE = {A note on mechanizing higher order logic},
  JOURNAL = {Machine Intelligence},
  YEAR = {1970},
  VOLUME = {5},
  PAGES = {121--135}
}

@BOOK{robinson1996,
  AUTHOR = {Abraham Robinson},
  TITLE = {Non-standard Analysis},
  PUBLISHER = {Princeton University Press},
  YEAR = 1996
}

@UNPUBLISHED{rudnicki1992,
  AUTHOR = {Piotr Rudnicki},
  TITLE = {An Overview of the {Mizar} Project},
  NOTE = {Notes to a talk at the workshop on Types for Proofs and Programs},
  ADDRESS = {B{\aa}stad, Sweden},
  YEAR = 1992,
  MONTH = JUN,
  URL = {http://www.cs.ualberta.ca/~piotr/Mizar/index.html}
}

@BOOK{russell1968,
  AUTHOR = {Bertrand Russell},
  TITLE = {The Autobiography of Bertrand Russell},
  PUBLISHER = {George Allen \& Unwin},
  NOTE = {3 volumes},
  ADDRESS = {London},
  YEAR = 1968
}

@ARTICLE{russinoff1985,
  AUTHOR = {David M. Russinoff},
  TITLE = {An Experiment with the {Boyer-Moore} Theorem Prover: A Proof of {Wilson's} Theorem},
  JOURNAL = {Journal of Automated Reasoning},
  YEAR = 1985,
  PAGES = {121--139},
  VOLUME = 1
}

@INPROCEEDINGS{saaltink1997,
  AUTHOR = {Mark Saaltink},
  TITLE = {Domain Checking {Z} Specifications},
  PAGES = {185--192},
  BOOKTITLE = {LFM' 97: Fourth NASA Langley Formal Methods Workshop},
  YEAR = 1997,
  EDITOR = {C. Michael Holloway and Kelly J. Hayhurst},
  ADDRESS = {Hampton, VA},
  MONTH = SEP,
  URL = {http://atb-www.larc.nasa.gov/Lfm97/proceedings}
}

@INPROCEEDINGS{schumann1994,
  AUTHOR = {Johann Ph. Schumann},
  TITLE = {{DELTA} --- {A} bottom-up processor for top-down theorem provers (system abstract)},
  CROSSREF = {cade1994},
  URL = {http://wwwjessen.informatik.tu-muenchen.de/~schumann/delta-cade.html}
}

@ARTICLE{schumann1994a,
  AUTHOR = {Johann Schumann},
  JOURNAL = {Journal of Automated Reasoning},
  PAGES = {409--421},
  TITLE = {Tableaux-based Theorem Provers: Systems and Implementations},
  VOLUME = 13,
  YEAR = 1994,
  URL = {http://wwwjessen.informatik.tu-muenchen.de/~schumann/tableau-jar.html},
  ABSTRACT = {The following list of tableaux-based theorem provers was assembled in
the Spring and Summer 1993 as the result of a wide-spread enquiry via
e-mail. It is intended to provide a short overview of the field and
existing implementations. For each system, a short description is
given. Additionally, useful information about the system is presented
in tabular form. This includes the type of logic which can be handled
by the system (input), the implementation language, hardware and
operating systems requirements (implementation). Most of the systems
are available as binaries or as sources with documentation and can be
obtained via anonymous ftp or upon request. The descriptions and
further information have been submitted by the individuals whose names
are given as contact address. The provers are ordered alphabetically
by their name (or the author's name).}
}

@ARTICLE{schwartz1980,
  AUTHOR = {J. T. Schwartz},
  TITLE = {Fast probabilistic algorithms for verification of polynomial identities},
  JOURNAL = {Journal of the ACM},
  VOLUME = 27,
  YEAR = 1980,
  PAGES = {701--717},
  NUMBER = 4,
  MONTH = OCT,
  URL = {http://www.acm.org/pubs/articles/journals/jacm/1980-27-4/p701-schwartz/p701-schwartz.pdf}
}

@TECHREPORT{seger1992,
  AUTHOR = {Carl-Johan Seger},
  TITLE = {Introduction to Formal Hardware Verification},
  INSTITUTION = {Department of Computer Science, University of British Columbia},
  MONTH = JUN,
  YEAR = 1992,
  NUMBER = {TR-92-13},
  URL = {http://www.cs.ubc.ca/cgi-bin/tr/1992/TR-92-13},
  ABSTRACT = {Formal hardware verification has recently attracted considerable
interest. The need for ``correct'' designs in safety-critical
applications, coupled with the major cost associated with products
delivered late, are two of the main factors behind this. In addition,
as the complexity of the designs increase, an ever smaller percentage
of the possible behaviors of the designs will be simulated. Hence, the
confidence in the designs obtained by simulation is rapidly
diminishing. This paper provides an introduction to the topic by
describing three of the main approaches to formal hardware
verification: theorem-proving, model checking and symbolic
simulation. We outline the underlying theory behind each approach, we
illustrate the approaches by applying them to simple examples and we
discuss their strengths and weaknesses. We conclude the paper by
describing current on-going work on combining the approaches to
achieve multi-level verification approaches.}
}

@TECHREPORT{seidel1996,
  AUTHOR = {Karen Seidel and Carroll Morgan and Annabelle McIver},
  TITLE = {An introduction to probabilistic predicate transformers},
  INSTITUTION = {Oxford Programming Research Group Technical Report},
  NUMBER = {TR-6-96},
  YEAR = 1996
}

@INPROCEEDINGS{seidel1997,
  AUTHOR = {Karen Seidel and Carroll Morgan and Annabelle McIver},
  TITLE = {Probabilistic imperative programming: a rigorous approach},
  CROSSREF = {fmp1997}
}

@INPROCEEDINGS{shankar1999,
  AUTHOR = {Natarajan Shankar and Sam Owre},
  TITLE = {Principles and Pragmatics of Subtyping in {PVS}},
  BOOKTITLE = {Recent Trends in Algebraic Development Techniques, {WADT '99}},
  EDITOR = {D. Bert and C. Choppy and P. D. Mosses},
  PAGES = {37--52},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1827,
  MONTH = SEP,
  YEAR = 1999,
  ADDRESS = {Toulouse, France},
  URL = {http://www.csl.sri.com/reports/html/wadt99.html}
}

@INPROCEEDINGS{shield2001,
  AUTHOR = {Jamie Shield and Ian J. Hayes and David A. Carrington},
  TITLE = {Using Theory Interpretation to Mechanise the Reals in a Theorem Prover},
  BOOKTITLE = {Electronic Notes in Theoretical Computer Science},
  VOLUME = 42,
  PUBLISHER = {Elsevier},
  EDITOR = {Colin Fidge},
  YEAR = 2001,
  URL = {http://citeseer.nj.nec.com/shield98mechanising.html}
}

@MANUAL{slind1999,
  AUTHOR = {Konrad Slind},
  TITLE = {{HOL98} Draft User's Manual, Athabasca Release, Version 2},
  MONTH = JAN,
  YEAR = 1999,
  NOTE = {Part of the documentation included with the hol98 theorem-prover}
}

@PHDTHESIS{slind1999a,
  AUTHOR = {Konrad Slind},
  TITLE = {Reasoning about Terminating Functional Programs},
  SCHOOL = {TU Munich},
  YEAR = 1999
}

@MANUAL{slind2001,
  AUTHOR = {Konrad Slind and Michael Norrish},
  TITLE = {The {HOL} System Tutorial},
  MONTH = FEB,
  YEAR = 2001,
  NOTE = {Part of the documentation included with the hol98 theorem-prover}
}

@INPROCEEDINGS{slind2003,
  AUTHOR = {Konrad Slind and Joe Hurd},
  TITLE = {Applications of Polytypism in Theorem Proving},
  PAGES = {103--119},
  CROSSREF = {tphols2003},
  URL = {http://www.cl.cam.ac.uk/users/jeh1004/research/papers/polytypism.html},
  ABSTRACT = {Polytypic functions have mainly been studied in the context of
functional programming languages. In that setting, applications of
polytypism include elegant treatments of polymorphic equality,
prettyprinting, and the encoding and decoding of high-level datatypes
to and from low-level binary formats. In this paper, we discuss how
polytypism supports some aspects of theorem proving: automated
termination proofs of recursive functions, incorporation of the
results of metalanguage evaluation, and equivalence-preserving
translation to a low-level format suitable for propositional methods.
The approach is based on an interpretation of higher order logic types
as terms, and easily deals with mutual and nested recursive types.}
}

@ARTICLE{solovay1977,
  AUTHOR = {R. Solovay and V. Strassen},
  TITLE = {A Fast {Monte-Carlo} Test for Primality},
  JOURNAL = {SIAM Journal on Computing},
  VOLUME = 6,
  NUMBER = 1,
  MONTH = MAR,
  YEAR = 1977,
  PAGES = {84--85},
  ABSTRACT = {"Another test for primality based on the abundance of witnesses to
compositeness of $n$ is presented. The test entails picking a random
number $a$ ($1 \leq a < n$) and computing $\varepsilon = a^{(n-1)/2}
(\pmod n)$, where $-1 \leq \varepsilon < n-2$. If the Jacobi symbol
$\delta = (a/n)$ equals $\varepsilon$ then $n$ is prime, else, if
either $gcd(a, n) > 1$ or $\delta \not = \varepsilon$, decide $n$ to
be composite. The second decision has less than $\frac{1}{2}$
probability of being wrong."}
}

@MISC{stirling1997,
  AUTHOR = {Colin Stirling},
  TITLE = {Bisimulation, model checking and other games},
  MONTH = JUN,
  YEAR = 1997,
  NOTE = {Notes for a Mathfit instructional meeting on games and computation, held in Edinburgh, Scotland},
  URL = {http://www.dcs.ed.ac.uk/home/cps/mathfit.ps}
}

@BOOK{stirzaker1994,
  AUTHOR = {David Stirzaker},
  TITLE = {Elementary Probability},
  YEAR = 1994,
  PUBLISHER = {Cambridge University Press}
}

@TECHREPORT{suttner1997,
  AUTHOR = {Christian B. Suttner and Geoff Sutcliffe},
  TITLE = {The {TPTP} Problem Library --- v2.1.0},
  INSTITUTION = {Department of Computer Science, James Cook University},
  NUMBER = {JCU-CS-97/8},
  MONTH = DEC,
  YEAR = 1997,
  URL = {www.cs.jcu.edu.au/ftp/pub/techreports/97-8.ps.gz}
}

@PHDTHESIS{syme1998,
  AUTHOR = {Donald Syme},
  TITLE = {Declarative Theorem Proving for Operational Semantics},
  SCHOOL = {University of Cambridge},
  YEAR = 1998
}

@MANUAL{syme1998b,
  AUTHOR = {Donald Syme},
  TITLE = {A Simplifier/Programmable Grinder for hol98},
  MONTH = JAN,
  YEAR = 1998,
  NOTE = {Part of the documentation included with the hol98 theorem-prover}
}

@INPROCEEDINGS{tammet1996,
  AUTHOR = {Tanel Tammet},
  TITLE = {A Resolution Theorem Prover for Intuitionistic Logic},
  CROSSREF = {cade1996}
}

@MANUAL{tammet1997,
  AUTHOR = {Tanel Tammet},
  TITLE = {Gandalf version c-1.0c Reference Manual},
  MONTH = OCT,
  YEAR = 1997,
  URL = {http://www.cs.chalmers.se/~tammet/gandalf/}
}

@ARTICLE{tammet1997a,
  AUTHOR = {Tanel Tammet},
  TITLE = {Gandalf},
  JOURNAL = {Journal of Automated Reasoning},
  PAGES = {199--204},
  MONTH = APR,
  YEAR = 1997,
  VOLUME = 18,
  NUMBER = 2
}

@INPROCEEDINGS{tammet1998,
  AUTHOR = {Tanel Tammet},
  TITLE = {Towards Efficient Subsumption},
  CROSSREF = {cade1998}
}

@MISC{thery1999,
  AUTHOR = {Laurent Th\'ery},
  TITLE = {A Quick Overview of {HOL} and {PVS}},
  MONTH = AUG,
  YEAR = 1999,
  NOTE = {Lecture Notes from the Types Summer School '99: Theory and Practice of Formal Proofs, held in Giens, France},
  URL = {http://www-sop.inria.fr/types-project/lnotes/types99-lnotes.html}
}

@BOOK{touretzky1990,
  AUTHOR = {David S. Touretzky},
  TITLE = {Common Lisp: A Gentle Introduction to Symbolic Computation},
  PUBLISHER = {Benjamin Cummings},
  YEAR = 1990,
  URL = {http://www.cs.cmu.edu/~dst/LispBook/index.html}
}

@INPROCEEDINGS{trybulec1985,
  AUTHOR = {A. Trybulec and H. A. Blair},
  TITLE = {Computer Aided Reasoning},
  PAGES = {406--412},
  BOOKTITLE = {Proceedings of the Conference on Logic of Programs},
  EDITOR = {Rohit Parikh},
  MONTH = JUN,
  YEAR = 1985,
  ADDRESS = {Brooklyn, NY},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 193
}

@INPROCEEDINGS{trybulec1985a,
  AUTHOR = {Andrzej Trybulec and Howard Blair},
  TITLE = {Computer Assisted Reasoning with {MIZAR}},
  PAGES = {26--28},
  BOOKTITLE = {Proceedings of the 9th International Joint Conference on Artificial Intelligence},
  EDITOR = {Aravind Joshi},
  MONTH = AUG,
  YEAR = 1985,
  ADDRESS = {Los Angeles, CA},
  PUBLISHER = {Morgan Kaufmann}
}

@INPROCEEDINGS{turing1949,
  AUTHOR = {Alan M. Turing},
  TITLE = {Checking a Large Routine},
  PAGES = {67--69},
  BOOKTITLE = {Report of a Conference on High Speed Automatic Calculating Machines},
  MONTH = JUN,
  YEAR = 1949,
  ADDRESS = {Cambridge, England},
  PUBLISHER = {University Mathematical Laboratory}
}

@ARTICLE{turner1979,
  AUTHOR = {D. A. Turner},
  TITLE = {A New Implementation Technique for Applicative Languages},
  JOURNAL = {Software -- Practice and Experience},
  VOLUME = 9,
  NUMBER = 1,
  PAGES = {31--49},
  MONTH = JAN,
  YEAR = 1979,
  ABSTRACT = {Combinators, a "curried" version of lambda calculus that eliminates
the need for symbol binding. Combinators can be reduced (evaluated)
locally and in parallel, so they make an interesting model of parallel
computation. Combinator hackers: this paper introduces some new
combinators, besides S-K-I, that help keep the translation from
blowing up in space.}
}

@ARTICLE{tymoczko1979,
  AUTHOR = {Thomas Tymoczko},
  TITLE = {The Four Color Problems},
  JOURNAL = {Journal of Philosophy},
  VOLUME = {76},
  YEAR = 1979
}

@TECHREPORT{vardi1997,
  AUTHOR = {Moshe Y. Vardi},
  TITLE = {Why Is Modal Logic So Robustly Decidable?},
  NUMBER = {TR97-274},
  INSTITUTION = {Rice University},
  MONTH = APR,
  YEAR = 1997,
  ABSTRACT = {In the last 20 years modal logic has been applied to numerous areas
of computer science, including artificial intelligence, program
verification, hardware verification, database theory, and distributed
computing. There are two main computational problems associated with
modal logic. The first problem is checking if a given formula is true
in a given state of a given structure. This problem is known as the
model-checking problem. The second problem is checking if a given
formula is true in all states of all structures. This problem is known
as the validity problem. Both problems are decidable. The
model-checking problem can be solved in linear time, while the
validity problem is PSPACE-complete. This is rather surprising when
one considers the fact that modal logic, in spite of its apparent
propositional syntax, is essentially a first-order logic, since the
necessity and possibility modalities quantify over the set of possible
worlds, and model checking and validity for first-order logic are
computationally hard problems. Why, then, is modal logic so robustly
decidable? To answer this question, we have to take a close look at
modal logic as a fragment of first-order logic. A careful examination
reveals that propositional modal logic can in fact be viewed as a
fragment of 2-variable first-order logic. It turns out that this
fragment is computationally much more tractable than full first-order
logic, which provides some explanation for the tractability of modal
logic. Upon a deeper examination, however, we discover that this
explanation is not too satisfactory. The tractability of modal logic
is quite and cannot be explained by the relationship to two-variable
first-order logic. We argue that the robust decidability of modal
logic can be explained by the so-called tree-model property, and we
show how the tree-model property leads to automata-based decision
procedures.}
}

@INCOLLECTION{vonneumann1963,
  AUTHOR = {John von Neumann},
  TITLE = {Various techniques for use in connection with random digits},
  BOOKTITLE = {von Neumann's Collected Works},
  VOLUME = 5,
  PUBLISHER = {Pergamon},
  YEAR = 1963,
  PAGES = {768--770}
}

@PHDTHESIS{vos2000,
  AUTHOR = {Tanja E. J. Vos},
  YEAR = 2000,
  SCHOOL = {Utrecht University},
  TITLE = {{UNITY} in Diversity: {A} Stratified Approach to the Verification of Distributed Algorithms}
}

@INPROCEEDINGS{wadler1992,
  AUTHOR = {Philip Wadler},
  TITLE = {The essence of functional programming},
  BOOKTITLE = {19th Symposium on Principles of Programming Languages},
  PUBLISHER = {ACM Press},
  YEAR = 1992,
  MONTH = JAN
}

@ARTICLE{wadler1992a,
  AUTHOR = {Philip Wadler},
  TITLE = {Comprehending monads},
  JOURNAL = {Mathematical Structures in Computer Science},
  PAGES = {461--493},
  YEAR = 1992,
  VOLUME = 2,
  URL = {http://www.research.avayalabs.com/user/wadler/topics/monads.html},
  ABSTRACT = {Category theorists invented \emph{monads} in the 1960's to concisely
express certain aspects of universal algebra. Functional programmers
invented \emph{list comprehensions} in the 1970's to concisely express
certain programs involving lists. This paper shows how list
comprehensions may be generalised to an arbitrary monad, and how the
resulting programming feature can concisely express in a pure
functional language some programs that manipulate state, handle
exceptions, parse text, or invoke continuations. A new solution to the
old problem of destructive array update is also presented. No
knowledge of category theory is assumed.}
}

@BOOK{wagon1993,
  AUTHOR = {Stan Wagon},
  TITLE = {The Banach-Tarski Paradox},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1993
}

@UNPUBLISHED{wansbrough2001,
  AUTHOR = {Keith Wansbrough and Michael Norrish and Peter Sewell and Andrei Serjantov},
  TITLE = {Timing {UDP}: mechanized semantics for sockets, threads and failures},
  NOTE = {Draft},
  YEAR = 2001,
  URL = {http://www.cl.cam.ac.uk/users/pes20/Netsem/}
}

@BOOK{weaver1987,
  AUTHOR = {Jefferson Hane Weaver},
  TITLE = {The World of Physics},
  VOLUME = {II},
  PUBLISHER = {Simon and Schuster},
  ADDRESS = {New York},
  YEAR = 1987
}

@INPROCEEDINGS{weidijk2001,
  AUTHOR = {Freek Weidijk},
  TITLE = {{Mizar} Light for {HOL} Light},
  CROSSREF = {tphols2001}
}

@INPROCEEDINGS{welinder1995,
  AUTHOR = {Morten Welinder},
  TITLE = {Very Efficient Conversions},
  CROSSREF = {tphols1995},
  PAGES = {340--352},
  URL = {http://www.diku.dk/forskning/topps/bibliography/1995.html#D-248},
  ABSTRACT = {Using program transformation techniques from the field of partial
evaluation an automatic tool for generating very efficient conversions
from equality-stating theorems has been implemented. In the situation
where a Hol user would normally employ the built-in function
GEN\_REWRITE\_CONV, a function that directly produces a conversion of
the desired functionality, this article demonstrates how producing the
conversion in the form of a program text instead of as a closure can
lead to significant speed-ups. The Hol system uses a set of 31
simplifying equations on a very large number of intermediate terms
derived, e.g., during backwards proofs. For this set the conversion
generated by the two-step method is about twice as fast as the method
currently used. When installing the new conversion, tests show that
the overall running times of Hol proofs are reduced by about 10\%.
Apart from the speed-up this is completely invisible to the user. With
cooperation from the user further speed-up is possible.}
}

@ARTICLE{white1991,
  AUTHOR = {Arthur White},
  TITLE = {Limerick},
  PAGES = 91,
  JOURNAL = {Mathematical Magazine},
  VOLUME = 64,
  NUMBER = 2,
  MONTH = APR,
  YEAR = 1991
}

@BOOK{whitehead1910,
  AUTHOR = {Alfred North Whitehead and Bertrand Russell},
  YEAR = 1910,
  TITLE = {Principia Mathematica},
  PUBLISHER = {Cambridge University Press},
  ADDRESS = {Cambridge}
}

@BOOK{whitehead1911,
  AUTHOR = {A. N. Whitehead},
  YEAR = 1911,
  TITLE = {An Introduction to Mathematics},
  PUBLISHER = {Williams and Northgate},
  ADDRESS = {London}
}

@BOOK{williams1991,
  AUTHOR = {David Williams},
  TITLE = {Probability with Martingales},
  PUBLISHER = {Cambridge University Press},
  YEAR = 1991
}

@MASTERSTHESIS{witty,
  AUTHOR = {Carl Roger Witty},
  TITLE = {The {Ontic} Inference Language},
  SCHOOL = {MIT},
  MONTH = JUN,
  YEAR = 1995,
  URL = {http://www.ai.mit.edu/~cwitty/cwitty.html},
  ABSTRACT = {OIL, the Ontic Inference Language, is a simple bottom-up logic
programming language with equality reasoning. Although intended for
use in writing proof verification systems, OIL is an interesting
general-purpose programming language. In some cases, very simple OIL
programs can achieve an efficiency which requires a much more
complicated algorithm in a traditional programming language. This
thesis gives a formal semantics for OIL and some new results related
to its efficient implementation. The main new result is a method of
transforming bottomup logic programs with equality to bottom-up logic
programs without equality.  An introduction to OIL and several
examples are also included.}
}

@MANUAL{wong1993,
  AUTHOR = {Wai Wong},
  TITLE = {The {HOL} \verb^res_quan^ library},
  YEAR = 1993,
  NOTE = {HOL88 documentation},
  URL = {http://www.ftp.cl.cam.ac.uk/ftp/hvg/hol98/libraries/library-docs.html}
}

@INPROCEEDINGS{wong1995,
  AUTHOR = {W. Wong},
  TITLE = {Recording and Checking {HOL} Proofs},
  PAGES = {353--368},
  CROSSREF = {tphols1995},
  ABSTRACT = {Formal proofs generated by mechanized theorem proving systems may
consist of a large number of inferences. As these theorem proving
systems are usually very complex, it is extremely difficult if not
impossible to formally verify them. This calls for an independent
means of ensuring the consistency of mechanically generated
proofs. This paper describes a method of recording HOL proofs in terms
of a sequence of applications of inference rules. The recorded proofs
can then be checked by an independent proof checker. Also described in
this paper is an efficient proof checker which is able to check a
practical proof consisting of thousands of inference steps.}
}

@TECHREPORT{wong1996,
  AUTHOR = {Wai Wong},
  TITLE = {A Proof Checker for {HOL}},
  INSTITUTION = {University of Cambridge Computer Laboratory},
  NUMBER = {389},
  MONTH = MAR,
  YEAR = 1996
}

@BOOK{wos1992,
  AUTHOR = {Larry Wos and Ross Overbeek and Ewing Lusk and Jim Boyle},
  YEAR = 1992,
  TITLE = {Automated Reasoning: Introduction and Applications},
  PUBLISHER = {McGraw-Hill},
  ADDRESS = {New York},
  EDITION = {2nd}
}

@PHDTHESIS{xi1998,
  AUTHOR = {Hongwei Xi},
  TITLE = {Dependent Types in Practical Programming},
  SCHOOL = {Carnegie Mellon University},
  MONTH = SEP,
  YEAR = 1998,
  URL = {http://www.ececs.uc.edu/~hwxi/DML/DML.html}
}

@ARTICLE{zadeh1965,
  AUTHOR = {Lotfi A. Zadeh},
  JOURNAL = {Information and Control},
  PAGES = {338--353},
  TITLE = {Fuzzy Sets},
  VOLUME = 8,
  YEAR = 1965
}

@PHDTHESIS{zammit1999,
  AUTHOR = {Vincent Zammit},
  TITLE = {On the Readability of Machine Checkable Formal Proofs},
  SCHOOL = {University of Kent at Canterbury},
  MONTH = MAR,
  YEAR = 1999
}

@INPROCEEDINGS{zhang2002,
  AUTHOR = {Lintao Zhang and Sharad Malik},
  TITLE = {The Quest for Efficient Boolean Satisfiability Solvers},
  PAGES = {295--313},
  CROSSREF = {cade2002},
  URL = {http://www.ee.princeton.edu/~chaff/publication/cade_cav_2002.pdf}
}

@INPROCEEDINGS{qed1994,
  AUTHOR = {Anonymous},
  TITLE = {The {QED} Manifesto},
  CROSSREF = {cade1994}
}

@BOOK{ieee2001,
  TITLE = {IEEE Standard for Verilog Hardware Description Language},
  AUTHOR = {{IEEE Standards Department}},
  PUBLISHER = {IEEE},
  YEAR = 2001,
  SERIES = {IEEE Standards},
  NUMBER = {1364-2001},
  ABSTRACT = {The Verilog Hardware Description Language (HDL) is defined in this
standard. Verilog HDL is a formal notation intended for use in all
phases of the creation of electronic systems. Because it is both
machine readable and human readable, it supports the development,
verification, synthesis, and testing of hardware designs; the
communication of hardware design data; and the maintenance,
modification, and procurement of hardware. The primary audiences for
this standard are the implementors of tools supporting the language
and advanced users of the language.}
}

@BOOK{traub1976,
  TITLE = {Algorithms and Complexity: New Directions and Recent Results},
  BOOKTITLE = {Algorithms and Complexity: New Directions and Recent Results},
  YEAR = 1976,
  EDITOR = {J. F. Traub},
  ADDRESS = {New York},
  PUBLISHER = {Academic Press},
  ABSTRACT = {"This book provides a record of a conference, and contains many
novel ideas for probabilistic algorithms."}
}

@BOOK{robinson2001,
  TITLE = {Handbook of Automated Reasoning},
  BOOKTITLE = {Handbook of Automated Reasoning},
  EDITOR = {A. Robinson and A. Voronkov},
  YEAR = 2001,
  PUBLISHER = {Elsevier Science}
}

@PROCEEDINGS{aisc1998,
  TITLE = {Artificial Intelligence and Symbolic Computation (AISC '98)},
  BOOKTITLE = {Artificial Intelligence and Symbolic Computation (AISC '98)},
  EDITOR = {Jacques Calmet, Jan Plaza},
  MONTH = SEP,
  YEAR = 1998,
  ADDRESS = {Plattsburgh, New York, USA},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = {1476},
  URL = {http://link.springer-ny.com/link/service/series/0558/tocs/t1476.htm}
}

@PROCEEDINGS{arw2002,
  TITLE = {Ninth Workshop on Automated Reasoning: Bridging the Gap between Theory and Practice},
  BOOKTITLE = {Ninth Workshop on Automated Reasoning: Bridging the Gap between Theory and Practice},
  EDITOR = {Toby Walsh},
  MONTH = APR,
  YEAR = 2002,
  ADDRESS = {Imperial College, London, UK},
  PUBLISHER = {The Society for the Study of Artificial Intelligence and Simulation of Behaviour},
  ISBN = {1902956264}
}

@PROCEEDINGS{arts1999,
  EDITOR = {Joost-Pieter Katoen},
  TITLE = {Formal Methods for Real-Time and Probabilistic Systems},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1601,
  MONTH = MAY,
  YEAR = 1999,
  ADDRESS = {Bamberg, Germany},
  PUBLISHER = {Springer},
  URL = {http://link.springer-ny.com/link/service/series/0558/tocs/t1601.htm}
}

@TECHREPORT{avocs2002,
  TITLE = {{AVoCS} 2002: Second Workshop on Automated Verification of Critical Systems},
  BOOKTITLE = {{AVoCS} 2002: Second Workshop on Automated Verification of Critical Systems},
  EDITOR = {Gethin Norman and Marta Kwiatkowska and Dimitar Guelev},
  MONTH = APR,
  YEAR = 2002,
  INSTITUTION = {School of Computer Science, University of Birmingham},
  SERIES = {University of Birmingham Technical Report},
  NUMBER = {CSR-02-6}
}

@PROCEEDINGS{csfw1997,
  TITLE = {10th Computer Security Foundations Workshop},
  BOOKTITLE = {10th Computer Security Foundations Workshop},
  YEAR = 1997,
  PUBLISHER = {IEEE Computer Society Press}
}

@PROCEEDINGS{cade1992,
  TITLE = {Proceedings of the 11th International Conference on Automated Deduction (CADE-11)},
  BOOKTITLE = {Proceedings of the 11th International Conference on Automated Deduction (CADE-11)},
  EDITOR = {Deepak Kapur},
  ADDRESS = {Saratoga Springs, NY, USA},
  MONTH = JUN,
  YEAR = 1992,
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 607,
  PUBLISHER = {Springer}
}

@PROCEEDINGS{cade1994,
  TITLE = {12th International Conference on Automated Deduction (CADE-12)},
  BOOKTITLE = {12th International Conference on Automated Deduction (CADE-12)},
  EDITOR = {Alan Bundy},
  MONTH = JUN,
  YEAR = 1994,
  ADDRESS = {Nancy, France},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 814
}

@PROCEEDINGS{cade1996,
  TITLE = {13th International Conference on Automated Deduction (CADE-13)},
  BOOKTITLE = {13th International Conference on Automated Deduction (CADE-13)},
  EDITOR = {Michael A. McRobbie and John K. Slaney},
  ADDRESS = {New Brunswick, NJ, USA},
  MONTH = JUL,
  YEAR = 1996,
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 1104
}

@PROCEEDINGS{cade1998,
  TITLE = {Proceedings of the 15th International Conference on Automated Deduction (CADE-15)},
  BOOKTITLE = {Proceedings of the 15th International Conference on Automated Deduction (CADE-15)},
  EDITOR = {Claude Kirchner and H{\'e}l{\`e}ne Kirchner},
  MONTH = JUL,
  YEAR = 1998,
  ADDRESS = {Lindau, Germany},
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 1421,
  PUBLISHER = {Springer}
}

@PROCEEDINGS{cade1999,
  TITLE = {Proceedings of the 16th International Conference on Automated Deduction (CADE-16)},
  BOOKTITLE = {Proceedings of the 16th International Conference on Automated Deduction (CADE-16)},
  EDITOR = {H. Ganzinger},
  MONTH = JUL,
  YEAR = 1999,
  ADDRESS = {Trento, Italy},
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 1632,
  PUBLISHER = {Springer}
}

@PROCEEDINGS{cade2000,
  TITLE = {Proceedings of the 17th International Conference on Automated Deduction (CADE-17)},
  BOOKTITLE = {Proceedings of the 17th International Conference on Automated Deduction (CADE-17)},
  EDITOR = {David A. McAllester},
  MONTH = JUN,
  YEAR = 2000,
  ADDRESS = {Pittsburgh, PA, USA},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1831,
  PUBLISHER = {Springer}
}

@PROCEEDINGS{cade2002,
  TITLE = {Proceedings of the 18th International Conference on Automated Deduction (CADE-18)},
  BOOKTITLE = {Proceedings of the 18th International Conference on Automated Deduction (CADE-18)},
  EDITOR = {Andrei Voronkov},
  MONTH = JUL,
  YEAR = 2002,
  ADDRESS = {Copenhagen, Denmark},
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 2392,
  PUBLISHER = {Springer}
}

@PROCEEDINGS{fmp1997,
  TITLE = {Formal Methods Pacific '97},
  BOOKTITLE = {Formal Methods Pacific '97},
  EDITOR = {Lindsay Groves and Steve Reeves},
  MONTH = JUL,
  YEAR = 1997,
  ADDRESS = {Wellington, New Zealand},
  PUBLISHER = {Springer},
  URL = {http://www.cs.auckland.ac.nz/CDMTCS/docs/fmp97.html}
}

@PROCEEDINGS{ftp1997,
  TITLE = {International Workshop on First-Order Theorem Proving (FTP '97)},
  BOOKTITLE = {International Workshop on First-Order Theorem Proving (FTP '97)},
  EDITOR = {Maria Paola Bonacina and Ulrich Furbach},
  MONTH = OCT,
  YEAR = 1997,
  ADDRESS = {Schloss Hagenberg, Austria},
  SERIES = {RISC-Linz Report Series},
  NUMBER = {97-50},
  ORGANIZATION = {Johannes Kepler Universit\"at Linz},
  URL = {http://www.logic.at/ftp97}
}

@PROCEEDINGS{ftp1998,
  TITLE = {International Workshop on First-Order Theorem Proving (FTP '98)},
  BOOKTITLE = {International Workshop on First-Order Theorem Proving (FTP '98)},
  EDITOR = {Ricardo Caferra and Gernot Salzer},
  MONTH = NOV,
  YEAR = 1998,
  SERIES = {Technical Report E1852-GS-981},
  ORGANIZATION = {Technische Universit\"at Wien},
  ADDRESS = {Vienna, Austria},
  URL = {http://www.logic.at/ftp98}
}

@PROCEEDINGS{icalp2001,
  TITLE = {Automata, Languages and Programming},
  BOOKTITLE = {Automata, Languages and Programming},
  EDITOR = {F. Orejas and P. G. Spirakis and J. van Leeuwen},
  MONTH = JUL,
  YEAR = 2001,
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 2076,
  PUBLISHER = {Springer},
  ADDRESS = {Crete, Greece},
  URL = {http://link.springer-ny.com/link/service/series/0558/tocs/t2076.htm}
}

@PROCEEDINGS{lpar1992,
  TITLE = {Proceedings of the International Conference on Logic Programming and Automated Reasoning (LPAR '92)},
  BOOKTITLE = {Proceedings of the International Conference on Logic Programming and Automated Reasoning (LPAR '92)},
  EDITOR = {A. Voronkov},
  ADDRESS = {St. Petersburg, Russia},
  MONTH = JUL,
  YEAR = 1992,
  SERIES = {Lecture Notes in Artificial Intelligence},
  VOLUME = 624,
  PUBLISHER = {Springer}
}

@PROCEEDINGS{popl2002,
  TITLE = {{POPL} 2002: The 29th {ACM} SIGPLAN-SIGACT Symposium on Principles of Programming Languages},
  BOOKTITLE = {{POPL} 2002: The 29th {ACM} SIGPLAN-SIGACT Symposium on Principles of Programming Languages},
  MONTH = JAN,
  YEAR = 2002,
  ADDRESS = {Portland, OR, USA},
  PUBLISHER = {ACM Press}
}

@PROCEEDINGS{qapl2004,
  TITLE = {{Proceedings of the 2nd Workshop on Quantitative Aspects of Programming Languages (QAPL 2004)}},
  BOOKTITLE = {{Proceedings of the 2nd Workshop on Quantitative Aspects of Programming Languages (QAPL 2004)}},
  EDITOR = {A. Cerone and A. Di Pierro},
  MONTH = JAN,
  YEAR = 2005,
  PUBLISHER = {Elsevier},
  VOLUME = 112,
  SERIES = {Electronic Notes in Theoretical Computer Science (ENTCS)},
  ADDRESS = {Barcelona, Spain},
  URL = {http://www.sciencedirect.com/science/journal/15710661}
}

@PROCEEDINGS{rta2001,
  TITLE = {Rewriting Techniques and Applications},
  BOOKTITLE = {Rewriting Techniques and Applications},
  MONTH = MAY,
  YEAR = 2001,
  ADDRESS = {Utrecht, The Netherlands},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 2051,
  PUBLISHER = {Springer},
  URL = {http://link.springer-ny.com/link/service/series/0558/tocs/t2051.htm}
}

@TECHREPORT{strata2003,
  TITLE = {Design and Application of Strategies/Tactics in Higher Order Logics},
  BOOKTITLE = {Design and Application of Strategies/Tactics in Higher Order Logics},
  EDITOR = {Myla Archer and Ben Di Vito and C{\'{e}}sar Mu{\~{n}}oz},
  MONTH = SEP,
  YEAR = 2003,
  INSTITUTION = {{NASA}},
  SERIES = {{NASA} Technical Reports},
  NUMBER = {NASA/CP-2003-212448},
  URL = {http://techreports.larc.nasa.gov/ltrs/PDF/2003/cp/NASA-2003-cp212448.pdf}
}

@PROCEEDINGS{tphols1991,
  TITLE = {Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications (HOL '91), August 1991},
  BOOKTITLE = {Proceedings of the 1991 International Workshop on the HOL Theorem Proving System and its Applications (HOL '91), August 1991},
  EDITOR = {Myla Archer and Jeffrey J. Joyce and Karl N. Levitt and Phillip J. Windley},
  ADDRESS = {Davis, CA, USA},
  PUBLISHER = {IEEE Computer Society Press},
  YEAR = 1992
}

@PROCEEDINGS{tphols1994,
  TITLE = {Higher Order Logic Theorem Proving and Its Applications, 7th International Workshop},
  BOOKTITLE = {Higher Order Logic Theorem Proving and Its Applications, 7th International Workshop},
  EDITOR = {Tom Melham and Juanito Camilleri},
  MONTH = SEP,
  YEAR = 1994,
  ADDRESS = {Valletta, Malta},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 859
}

@PROCEEDINGS{tphols1995,
  TITLE = {Proceedings of the 8th International Workshop on Higher Order Logic Theorem Proving and Its Applications},
  BOOKTITLE = {Proceedings of the 8th International Workshop on Higher Order Logic Theorem Proving and Its Applications},
  EDITOR = {E. T. Schubert and P. J. Windley and J. Alves-Foss},
  MONTH = SEP,
  YEAR = 1995,
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 971,
  PUBLISHER = {Springer},
  ADDRESS = {Aspen Grove, UT, USA}
}

@PROCEEDINGS{tphols1996,
  TITLE = {Theorem Proving in Higher Order Logics, 9th International Conference, TPHOLs '96},
  BOOKTITLE = {Theorem Proving in Higher Order Logics, 9th International Conference, TPHOLs '96},
  EDITOR = {Joakim von Wright and Jim Grundy and John Harrison},
  MONTH = AUG,
  YEAR = 1996,
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1125,
  PUBLISHER = {Springer},
  ADDRESS = {Turku, Finland}
}

@PROCEEDINGS{tphols1997,
  TITLE = {Theorem Proving in Higher Order Logics, 10th International Conference, TPHOLs '97},
  BOOKTITLE = {Theorem Proving in Higher Order Logics, 10th International Conference, TPHOLs '97},
  EDITOR = {Elsa L. Gunter and Amy Felty},
  MONTH = AUG,
  YEAR = 1997,
  ADDRESS = {Murray Hill, NJ, USA},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1275
}

@PROCEEDINGS{tphols1997a,
  TITLE = {Supplemental Proceedings of the 10th International Conference on Theorem Proving in Higher Order Logics, TPHOLs '97},
  BOOKTITLE = {Supplemental Proceedings of the 10th International Conference on Theorem Proving in Higher Order Logics, TPHOLs '97},
  EDITOR = {Elsa L. Gunter},
  MONTH = AUG,
  YEAR = 1997,
  ADDRESS = {Murray Hill, NJ, USA}
}

@PROCEEDINGS{tphols1998,
  TITLE = {Theorem Proving in Higher Order Logics, 11th International Conference, {TPHOLs} '98},
  BOOKTITLE = {Theorem Proving in Higher Order Logics, 11th International Conference, {TPHOLs} '98},
  EDITOR = {Jim Grundy and Malcolm Newey},
  MONTH = SEP,
  YEAR = 1998,
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1497,
  PUBLISHER = {Springer},
  ADDRESS = {Canberra, Australia}
}

@PROCEEDINGS{tphols1999,
  TITLE = {Theorem Proving in Higher Order Logics, 12th International Conference, {TPHOLs} '99},
  BOOKTITLE = {Theorem Proving in Higher Order Logics, 12th International Conference, {TPHOLs} '99},
  EDITOR = {Yves Bertot and Gilles Dowek and Andr\'e Hirschowitz and Christine Paulin and Laurent Th\'ery},
  MONTH = SEP,
  YEAR = 1999,
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1690,
  PUBLISHER = {Springer},
  ADDRESS = {Nice, France},
  URL = {http://link.springer.de/link/service/series/0558/tocs/t1690.htm}
}

@PROCEEDINGS{tphols2000,
  TITLE = {Theorem Proving in Higher Order Logics, 13th International Conference: {TPHOLs} 2000},
  BOOKTITLE = {Theorem Proving in Higher Order Logics, 13th International Conference: {TPHOLs} 2000},
  MONTH = AUG,
  YEAR = 2000,
  EDITOR = {Mark Aagaard and John Harrison},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1869,
  ADDRESS = {Portland, OR, USA}
}

@TECHREPORT{tphols2000a,
  TITLE = {{TPHOLs} 2000: Supplemental Proceedings},
  BOOKTITLE = {{TPHOLs} 2000: Supplemental Proceedings},
  EDITOR = {Mark Aagaard and John Harrison and Tom Schubert},
  MONTH = AUG,
  YEAR = 2000,
  INSTITUTION = {Oregon Graduate Institute},
  SERIES = {Oregon Graduate Institute Technical Reports},
  NUMBER = {CSE-00-009}
}

@PROCEEDINGS{tphols2001,
  TITLE = {14th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2001},
  BOOKTITLE = {14th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2001},
  YEAR = 2001,
  EDITOR = {Richard J. Boulton and Paul B. Jackson},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 2152,
  MONTH = SEP,
  ADDRESS = {Edinburgh, Scotland},
  URL = {http://link.springer.de/link/service/series/0558/tocs/t2152.htm}
}

@TECHREPORT{tphols2001a,
  TITLE = {{TPHOLs} 2001: Supplemental Proceedings},
  BOOKTITLE = {{TPHOLs} 2001: Supplemental Proceedings},
  EDITOR = {Richard J. Boulton and Paul B. Jackson},
  MONTH = SEP,
  YEAR = 2001,
  INSTITUTION = {Division of Informatics, University of Edinburgh},
  SERIES = {University of Edinburgh Informatics Report Series},
  NUMBER = {EDI-INF-RR-0046},
  URL = {http://www.informatics.ed.ac.uk/publications/report/0046.html}
}

@PROCEEDINGS{tphols2002,
  TITLE = {15th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2002},
  BOOKTITLE = {15th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2002},
  YEAR = 2002,
  EDITOR = {V{\'{i}}ctor A. Carre{\~{n}}o and C{\'{e}}sar A. Mu{\~{n}}oz and Sofi{\`{e}}ne Tahar},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 2410,
  MONTH = AUG,
  ADDRESS = {Hampton, VA, USA},
  URL = {http://link.springer.de/link/service/series/0558/tocs/t2410.htm}
}

@PROCEEDINGS{tphols2003,
  TITLE = {16th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2003},
  BOOKTITLE = {16th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2003},
  YEAR = 2003,
  EDITOR = {David Basin and Burkhart Wolff},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 2758,
  MONTH = SEP,
  ADDRESS = {Rome, Italy},
  URL = {http://link.springer.de/link/service/series/0558/tocs/t2758.htm}
}

@PROCEEDINGS{tphols2004,
  TITLE = {17th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2004},
  BOOKTITLE = {17th International Conference on Theorem Proving in Higher Order Logics: {TPHOLs} 2004},
  YEAR = 2004,
  EDITOR = {Konrad Slind and Annette Bunker and Ganesh Gopalakrishnan},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 3223,
  MONTH = SEP,
  ADDRESS = {Park City, Utah, USA}
}

@TECHREPORT{tphols2004a,
  TITLE = {{TPHOLs} 2004: Emerging Trends},
  BOOKTITLE = {{TPHOLs} 2004: Emerging Trends},
  EDITOR = {Konrad Slind},
  MONTH = SEP,
  YEAR = 2004,
  INSTITUTION = {School of Computing, University of Utah},
  SERIES = {School of Computing, University of Utah},
  NUMBER = {UUCS-04},
  URL = {http://www.cs.utah.edu/techreports}
}

@PROCEEDINGS{types1996,
  TITLE = {Types for Proofs and Programs: International Workshop {TYPES' 96}},
  BOOKTITLE = {Types for Proofs and Programs: International Workshop {TYPES' 96}},
  EDITOR = {Eduardo Gim{\'e}nex and Christine Pausin-Mohring},
  MONTH = SEP,
  YEAR = 1996,
  ADDRESS = {Aussois, France},
  PUBLISHER = {Springer},
  SERIES = {Lecture Notes in Computer Science},
  VOLUME = 1512
}