||
Tom Ridge
April 12, 2005
Contents
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
2 Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
3 Current Automation in Interactive Provers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4 Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.1 Proof Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
4.1.1 Logical System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1.2 Intro Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
4.2 Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . .8
4.2.1 Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
4.2.2 Conditional Simplification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.2.3 Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2.4 Dynamic Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
4.2.5 Equational Unification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
5 Interface and Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
6 Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
6.1 Assessment wrt. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
6.2 Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
6.3 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
6.4 In Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
7 Alternative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
1 IntroductionAutomation can be key to successful mechanisation. In some situations, mechanisation is feasible without automation. Indeed, in highly abstract mathematical areas, most mechanised reasoning consists of the user spelling out complicated arguments which are far beyond those which can currently be tackled by automation. In this setting, automation, if it is used at all, is directed at easily solvable, tightly defined subproblems. A typical example of such a mechanisation is our formalisation of Ramsey's Theorem [Rid04]. On the other hand, automation can be fruitfully applied in verification style proofs, where the reasoning is relatively restricted, but the sheer level of detail makes a non-automated mechanisation infeasible.
Many man years have been spent developing fully automatic systems such as Vampire[VR] and Otter [McC]. It would be foolish to imagine that we could compete with such systems. Their performance is way beyond that of systems currently implemented in interactive theorem provers. Projects are underway [MP04] to link such systems to interactive theorem provers. This is extremely valuable work: if one knows that a first order statement is provable, then one should probably expect that the machine can provide a proof.
In this section, we outline some techniques we have applied in various case studies. Naturally we do not seek to solve the problem of automated reasoning once and for all. Rather we focus on the problems that typically arise in the case studies we have been involved with. We start by outlining the functionality we require of the automated engine. We then describe the techniques we applied, and how they were integrated. We evaluate the resulting engine qualitatively in terms of our requirements, and quantitatively with respect to a sizable case study. Few of these techniques are novel, rather, we seek to combine existing techniques in a suitable fashion.
These procedures were developed in the HOL Light theorem prover, which we found to be an excellent vehicle for prototyping different approaches.
2 Requirements
What do we require of our automation? Let us distinguish between automation for fully automatic use, and automation for interactive use, the requirements for each being considerably different.
Perhaps unexpectedly, failure of the automated proof engine is the norm, is the sense that when interactively developing complex proofs we spend most of our time on obligations that are "almost" provable. Thus we would like the prover to give us excel lent feedback as to why obligations could not be discharged. [Sym98]
This quote emphasizes an important difference between automatic and interactive proof. In automatic pro of, one typically knows that the goal is provable (or at least, suspects very strongly, and is prepared to wait a considerable amount of time before terminating a proof search). Indeed, automatic provers are judged on how many provable goals they can actually prove. In interactive pro of, "we spend most of our time on obligations that are almost provable". This is the difference between interactive and automatic proof. If we spend most of the time trying to prove goals that are simply not provable, then completeness of the proof search becomes less important. This is not to say that it loses importance altogether: if a system lacks completeness, then it will fail to prove some provable goals. It is vitally important to know what sort of goals one is giving up on, in order that one can understand what it means when a prover fails to prove a goal. Such knowledge is also useful when combining systems: in order to understand the behaviour of the system as a whole one
should first understand the behaviour of the parts.
What properties might be preferred, in an interactive setting, over completeness? For us, the most important aspect of automation is simplicity. By this we do not mean implementation simplicity (how many lines did it take to implement the system? etc.), but conceptual simplicity. For instance, simplification is used ubiquitously in interactive theorem proving. If the set of rewrite rules is not confluent, then to understand the behaviour of the simplifier, one has to understand the order in which the rules are applied. Needless to say, this is an extremely complex thing to understand, and proofs which depend on these properties are presumably extremely fragile. Conceptual simplicity for a simplifier is closely bound up with confluence and termination of the simpset. Conceptual simplicity is important if a user is to understand the system. If a system is conceptually simple, it will hopefully be simple to use.
In an interactive setting, we expect automation to fail. In order to make progress, we must understand why a proof attempt fails: the prover must provide feedback. Resolution based systems can provide feedback, but they are destructive (in the sense that the goal is converted into a normal form before the proof attempt starts, destroying the original logical structure), so that the feedback can be difficult to understand (the point where the proof fails may lo ok very different to the original goal). A better approach is to conduct the proof in a way that is as close as possible to how a human might conduct the proof. We require the proof system to be natural in some sense. In this case, if a proof attempt fails, the failing branch can often be returned directly to the user for inspection.
Feedback is related to visibility. Often a user wishes to inspect a failed proof, but only a proof trace is available, which can cause a conceptual mismatch: the user is focused on sequents, whereas the trace may be of a different nature altogether. If there are many unproved branches, then a user might not inspect them all, but might wish to step through the proof. Automatic methods, such as John Harrison's implementation of mo del elimination[Har96], often search for a pro of in a tree making use of global information about nodes visited previously. If this global information is not present in the sequent the user has access to, it will be difficult to step through the automatic pro of by simply invoking the automatic prover a step at a time: the automatic prover will not make the same decisions it made when conducting the search using global information because it only has access to the local sequent.
Many methods currently employed by interactive theorem provers, such as Isabelle's blast, leave the goal unchanged if they fail to prove it. Natural methods of proof search expect to make at least some progress in all situations, so that they can assist even if the goal is not provable. For instance, safe steps (such as∧E in many systems) should be performed, simplification steps applied and so on.
Automation should also be stable. In large proofs, one frequently mixes interactive and automatic proof. If the goals returned by automation are apt to change radically with slight variations in the goal, then the dependent interactive proofs can be rendered useless, and must be rewritten. For this reason, unsolvable subgoals returned by automation should be stable under small changes to the original goal.
If a proof can be found, then one begins to focus on aspects that make the pro of more maintainable, such as robustness. Efficiency is the icing on the cake. Completeness is also important, although not necessarily completeness in the full first order sense, but rather there should be a clear notion of the class of problems a given procedure solves. At any rate, it is vital to have some theoretical understanding of the behaviour of the system, if it is to approach the goal of being simple.
Let us summarize these points:
• Automation should be simple: it should be theoretically well understood, and predictable in use.
• Automation should also provide feedback, so that the user can assess why a proof attempt failed.
• An even stronger requirement is that automation be visible, in that one can directly inspect the execution of the automation e.g. by stepping though the pro of search.
• Automation should be natural, in order to minimise the conceptual gap between the prover and the user. For instance, automation should execute in standard logical systems that are close to, or identical with, the tactic level at which the user conducts proofs.
• Often, there are many safe steps that the user would make to progress a proof. Automation that simply returns "provable" or "not provable" is less useful than automation that at least makes progress before returning.
• Automation should be stable, so that small changes to theories do not produce large changes in the behaviour of the automation. This is important because interactive proofs contain large sections of interleaved user/automation steps.
• Automation should also be robust, in the sense that small changes do not affect automatic provability.
• We would like automation to be efficient for obvious reasons.
•Finally, we would like automation to be complete wrt. well defined classes of problems.
3 Current Automation in Interactive Provers
The current methods of automated proof in interactive theorem provers do not meet the requirements of the previous section.
Isabelle/HOL is representative of current HOL implementations as regards automation. The main automatic techniques that are used are a tableaux prover blast, and the simplifier simp. These are combined in the single auto tactic. Isabelle also includes a model elimination procedure which is similar in use to blast.
Simp is widely used, but is not a complete first order proof method. However, the fact that it does meet many of the requirements of the previous section explains why it is so popular in interactive proof. The blast method performs well on simple problems of predicate logic and sets, but it is hard to understand exactly what its properties are. It is based on a prover, leanTAP [BP95], that is complete for first order logic. On the other hand, the following goal is trivially provable in first order logic, but blast fails.
f (g a) = a┝ Зy .g(f y ) = y
This is even more upsetting when one realises that the term g a, occurring in the sequent itself, is a witness to the existential. To make matters worse, when expressed in a typed logic such as HOL, g a is the only term occurring in the sequent of the correct type that could be used! This failure to deal adequately with equational logic is a general failing of tableaux style procedures incorporating unification. The auto method is almost never used in the middle of interactive proofs because it is so unconstrained. Moreover, it is unstable, in that the subgoals it generates can be wildly different under minor changes to the goal, which renders is unusable except in tightly controlled areas.
The work [MP04] to integrate Vampire, a modern resolution prover, into Isabelle will not necessarily rectify these failings. Resolution based methods provide little support for interactive theorem proving, because the reduction to clause form means that the user has little visibility into the proof search, and little understanding of why a particular lemma failed. The proof search is a local forward synthetic search as opposed to a global backwards analytic search typical of tableaux presentations and the tactic level of Isabelle. Thus, resolution is an unnatural system for the user. In general the feedback from such systems is poor or at worst non-existent. Furthermore, whereas many steps should be considered safe(apply a terminating and confluent set of rewrites, perform a ∧E step), because the system is being used as a black box, either the goal is solved outright or, more usually, not solved at all, and information that is contained in the system about which steps can be safely applied is lost, leaving the user having to apply such steps manually. The problem here is that the system fails to make progress on goals that it is unable to prove outright.
Let us also make the following observation about first order theorem provers. These provers are designed to find large quantifier instantiations, optionally modulo equality reasoning. Yet the failure of automation in interactive theorem provers is not the failure to guess large quantifier instantiations.
4 Techniques
In the following sections, we describe how we built up the automation. First, we are trying to find proofs, so that we will need (at least) a proof search engine. Next, we wish to model, to a large extent, the way the proofs were done by hand. Apart from proof search, the other main method employed during the hand proofs was simplification. We describe how we augment the simplifier.
Conditional simplification is a form of simplification where the simplifier is invoked recursively in an attempt to solve conditions on rewrites that may be applicable to the current goal. We argue that invoking simplification on these goals is often not the best way to proceed, and suggest an alternative.
Next, when using simplification, it is a good idea to ensure that the simpset is confluent and terminating. We describe an implementation of completion. When using simplification, however, one also wants to utilise assumptions that arise during the course of a proof as rewrites. To ensure the set of rewrite rules are still confluent and terminating, one must provide some form of dynamic completion during the proof search itself. We discuss how we tackled these issues.
4.1 Proof Search
In this section, we describe our basic system for proof search. This is a single conclusion, intuitionistic system suitable for backwards proof search. We eschew unification in favour of term enumeration. This has several interesting consequences when combining proof search with other methods. Note that we are only interested in the automation of an essentially
first order system.
4.1.1 Logical System
Two main systems of proof search are resolution and tableaux. For automation in an interactive setting, resolution is too unnatural. For this reason, tableaux are more promising. We therefore restrict our attention to tableaux based systems. Tableaux systems typically proceed by negating the goal and searching for a contradiction. We even consider that this is to o unnatural. We therefore focus on tableaux systems that execute directly in standard logical systems.
Using such a system has significant advantages in terms of implementation complexity, since we can simply search at the level of HOL goals using more-or-less standard tactics. This also has advantages in terms of naturality, since the user is already familiar with proof in such a system, and feedback, since we can present failing branches directly to the user, who does not have to translate the results from some alternative proof system.
Single conclusion systems are unsuited to classical pro of, which is much better supported by multiple conclusion systems. However multiple conclusion systems are unnatural. If we are interested in classical proof, we must admit that our single conclusion system has disadvantages. On the other hand, we believe that the large scale structure of proofs is mostly intuitionistic: typically we are focussed on one goal, and our lemmas serve as intermediate points in the proof, i.e. ├ A٨ B→ C as a lemma is not typically equivalent to ├ ┑(A ٨ B ) ٧C, since we expect to reach a point in the proof where A 。ト B is provable, not to do a disjunctive split. Certainly for the domains we are interested in, all proofs were essentially intuitionistic, with classical reasoning restricted to small areas which could be dealt with by simplification or other constrained techniques.
4.1.2 Intro Rules
There is one more improvement we wish to make. Although the procedure outlined above is complete, it is rather one sided. Since most proofs make heavy use of lemmas, the antecedent of a corresponding goal tends to become rather crowded. Moreover, many lemmas are naturally viewed as introduction rules, that is, are intended to be used to refine the conclusion C rather than used to chain forward fromГ . For these reasons, we also utilize intro rules à la Paulson [PNW03]. These are typically unsafe, but again, completeness can be preserved if we backtrack, and take other precautions. These intro rules are implemented in the same way as lemmas, but are marked as intro rules. During proof search, the conclusions of such lemmas are matched against the current goal. If the conclusion matches the current goal, the goal is replaced with the condition of the intro rule, and backtracking is employed in the event that these assumptions cannot be proved. If an intro rule is marked safe, then backtracking does not occur. Note that this improvement is unnecessary from a theoretical view, and its sole motivation is to model natural forms of proof.
If completeness is considered in a certain way, then this can be seen to preserve completeness. In the presence of simplification, one needs equational unification if these rules are to behave as expected. However, currently we simulate uses of equational unification by hand.
Failure of completeness for intro rules: if we use a rule as an intro rule, then we can fail to be complete? but this is not true- either the rule is safe, in which case we are fine, or unsafe, in which case we backtrack. the requirement of unification means that we can avoid using the rule as an additional assumption. however, this only works if at some stage we can use the rule as an intro rule- there are situations where an intro rule was intended to be used, but there was no connecting chain, whereas considered as an extra assumption there would have been no problem. eunification
Moreover, since we are not utilizing such a rule as a standard lemma, it is not even clear what notion of completeness to use. Let us define completeness wrt. an intro rule to mean that if there is a proof using the rule as a lemma, then there is a proof using the rule as an intro rule. In the presence of equality, we must therefore use eunification to ensure that our intro rule can be applied wherever possible. Since at every stage we have a finite set of ground terms, and a terminating and confluent rewrite order, such an approach can be made feasible, although at this stage we manually simulate such steps.
The use of intro rules brings complications because it is not clear what notion of completeness is appropriate. If the intro rule were used as a normal lemma, then completeness is preserved, since the lemma is handled just as it would be in normal predicate logic. The idea behind an intro rule is to balance the proof search, which would otherwise operate mainly on the left. The difference between a rule ├ A → B as a lemma, and as an intro rule, is that the automation can apply→ L with the rule as a lemma, whereas as an intro rule, we expect the goal to eventually become B, and to replace this with A.
4.2 Equality
4.2.1 Rewriting
Rewriting is the process of transforming a term by replacing subterms with equal subterms. For example, we might use the lemma f (a) = a to rewrite Q f (f (a)) to Q f (a) and then to Q a. In this section, we are informal about various rewriting notions. For more information the reader may consult the excellent [BN98].
A note on terminology: a simplification order is a restriction of a rewrite order, used to prove termination of a term rewriting system. However, the word "simplification" is often used informally to refer to rewriting, and the word "simpset" is often used to refer to the system of rewrite rules. We follow this informal usage.
Two key properties of simplification are termination and confluence. Without confluence, to understand the behaviour of the simplifier one must understand the order in which rewrites are applied. This is too much to expect of the user. Termination is useful in an interactive setting, for instance, to allow feedback. Moreover, termination allows simplification to be integrated with the main proof search. If we have both confluence and termination, then each term has a unique normal form, and equality testing becomes decidable. This is an extremely useful property of a simpset.
Our basic strategy is to apply simplification eagerly,
after each step of the proof search, using assumptions to simplify other
assumptions and the conclusion. We work with a terminating and confluent
simpset. We check termination and confluence manually using completion. We
apply simplification at the types of individuals. If the simpset is terminating
and confluent, then this preserves completeness of the proof search. We also
apply simplification at boolean type, which is not a possibility in first order
logic. For instance, we employ higher order rewrites to miniscope quantifiers.
It is not too difficult to argue that this also preserves completeness of the
proof search. Assumptions resembling rewrites often arise during proof, and
these may be incorporated into the simpset. Given an assumption
x. P x, and
an assumption P t, one could simplify P t = , which is again a simplification
at Boolean type, and so not a first order operation. We do not use assumptions
of this form as rewrites:our basic approach to quantifier instantiation is via
term enumeration, and using these simplifications would destroy the
completeness of this approach. We do use assumptions of the form x = y
(possibly quantified) as rewrites. In order to retain confluence and
termination we complete the simpset wrt. these dynamically arising rewrites.
Because completion is not guaranteed to terminate, completion is limited to a
certain number of steps, although in our applications, completion always
succeeds.
4.2.2 Conditional Simplification
In this section, we describe conditional simplification, and note that the standard approach to solving the conditions -recursive invocation of the simplifier- may not be desirable. We suggest some other approaches, and discuss other problems with conditional simplification. We conclude that conditional simplification is, at present, too complicated to count as a "simple" technique, and certainly too complicated to be linked with proof search in a reasonable way. We suggest the alternative of considering conditional rewrites just as ordinary lemmas.
Simplification works with rewrites of the form a = b, rewriting a to b anywhere in the goal. Conditional simplification works with conditional rewrites of the form ├A→a = b(where A is typically a conjunction). In a sequent Г├ C, we are justified in rewriting a to b in the goal C if we can prove A from ﹃C, Г.
How should we attempt to prove the condition A? Suppose we are linking a complete proof search system with simplification. In this case, very good (from a theoretical standpoint) behaviour would be obtained by requiring that, if A is provable, then it is actually proved. Because the search for a proof of A is potentially non-terminating, we would then have to orchestrate a complicated process of interleaving the main proof search, with the subproof searches attempting to solve the conditions on conditional rewrites. Such an approach is unpalatable not only for efficiency reasons.
One of the benefits of simplification is that, unlike proof search, it is terminating. If we wish to preserve this terminating behaviour, whilst employing conditional simplification, we must tame the non-termination involved when attempting to prove the conditions. One way would be to employ our main proof search to prove the conditions, but limit the search to a particular depth. This is unpalatable too. In order to keep simplification running in a reasonable amount of time, it is likely that this depth would have to be very small, because conditions arise very frequently. It is likely that this small depth would not permit the solution of many more conditions than other simple approaches. Limiting proof search to a small depth means that its theoretical limitations also become practical limitations: any limited proof search will be incomplete, but with large depth we could hopefully ignore such incompleteness. Small depth means that we would probably encounter situations where it was clear to the user that the condition could be solved, but that the restricted depth of the search meant that the condition was not solved. In our experience, the depth would have to be at least 10 logical steps (∨E etc.), coupled with intermediate effective equality reasoning(we imagine a scenario where we have an proof search which handles equality effectively). In experiments, performance with this approach became impractical in terms of response times from the simplifier, after a depth of around 4. It is possible that this approach will be feasible for computers in the (distant?) future. At the moment it is not.
An alternative to using limited proof search to solve the conditions is to fix a decidable class of conditions, and accept that there will be some conditions that may be provable, but that will fall outside the given class. The obvious choice is propositional logic. However, the problems with conditional simplification extend much deeper than the occasional failure to prove a propositionally valid condition, as we discuss later, so that this approach would not yield any great practical benefit, although the behaviour would at least be theoretically well understood.
The current approach taken in HOL, HOL Light, and Isabelle, is to invoke the simplifier itself on the conditions. This recursive calling is potentially non-terminating (conditional simplification is extremely prone to looping), so that the number of times the simplifier is recursively invoked is limited. This restriction of the depth of search when solving conditions suffers from the same problems as those discussed in the previous paragraph. The approach is in many ways worse than that above because the exact properties of simplification, which are necessary if one is to understand its behaviour when solving conditions, may be unclear even on propositional conditions, let alone conditions involving predicates. For a typical goal, we only require that simplification makes progress in a way that is simple to understand. For conditions, our requirement is usually that the condition is solved if possible. Simplification is not a complete form of proof, so we are hoping that our conditions will be such that the simplifier usually performs well. However, the simplifier cannot prove all prepositional conditions so that its behaviour even at the propositional level is hard to understand. On quantifier reasoning, even at the most basic level, failure is the norm.
So, current approaches fail to deal adequately with the problem of non-termination when proving conditions. Moreover the class of conditions solvable by simplification is hard to characterize, and so will not qualify as "simple" for the user to understand.
4.2.3 Completion
Completion is a process that can ensure a simpset is confluent and terminating. Confluence and termination are the two main properties that we require of a simpset, so that completion is clearly a useful tool for when employing simplification. We discuss our use of completion.
The standard example of using completion on the axioms of group theory, to derive a set of terminating and confluent rewrite rules that constitute a canonical rewrite system for this theory, show that completion is a powerful technique. In our work, such power was never needed. We implemented basic completion which we found to be very useful. Because our needs were limited, we did not implement the full completion procedure of Huet, although in different settings this would be desirable. We leave this for future work.
Our completion procedure also permits conditional completion. When working in a typed setting, one often wishes to refer to a subset of the individuals at a given type. Then one introduces a predicate subtype, and restricts statements to talk about members of the subtype only.
4.2.4 Dynamic Completion
We mentioned previously that it is often the case that one wishes to use assumptions as rewrites. Clearly, the assumptions are dynamic and change throughout the course of a proof. Although we may start off with a confluent and terminating set of simplification rules, if we use assumptions as rewrites, it may very well be that our base simpset, augmented with assumptions, is no longer confluent and terminating. If we wish to preserve the properties that accompany a terminating and confluent simpset, then we must perform some sort of completion during the course of a proof. We call such completion dynamic, since it must be performed on the fly during the course of a proof.
Unfortunately, completion is a rather costly process. Moreover, it is in general nonterminating. Yet, when one looks at the kind of rules that are being used, typically they are of a very simple form. For instance, we often derive assumptions similar to
a = b ٧ a = c, then proceed to do a disjunctive elimination. The resulting goals have assumptions a = b and a = c which we wish to use as simplification rules. The majority of these simplification rules are ground. In this case, completion is guaranteed to terminate, and one feels that there should be a way of short-circuiting the completion procedure to get an equivalent procedure that perhaps runs faster. Hopefully, if we can reduce completion to mere rewriting of one rule by another, then one can hope that the rewriting procedures are relatively highly optimised (certainly this is the case for Isabelle's fantastically good simplifier, and HOL Light's simplifier is optimised to some extent also), and that the performance will be acceptable.
There are several papers covering completion with ground terms. We looked at [GNP +93]. This algorithm takes a set of ground rewriting rules, and produces a reduced canonical rewriting system in polynomial time. Unfortunately, although the procedure operates in polynomial time, it makes use of congruence closure. Congruence closure is not implemented in HOL Light or Isabelle, and it is likely that an unoptimised version would be relatively slow (that is, although the algorithm from [GNP+93] is polynomial in time, there would be a high constant of proportionality). Of course, during a proof one is making incremental changes to the set of equalities, so one might hope to improve on this somewhat, but still there was a feeling that we should be able to do better.
Looking at the assumptions we use as rewrites, it was clear that beyond being ground, they were of an even simpler nature: no subterm of a left hand side was used in any other rewrite rule (for instance, with assumption a = b, there were no proper subterms of the left hand side at all, and we never had occasion that another assumption of the form a = d occurred at the same time). In this instance, it sufficed to rewrite all the other simplification rules with this rule in order to maintain confluence and termination. If we require online completion where these conditions are not satisfied, we would fall back on our (time limited) completion procedure, but in our case study this does not happen. When considered in the context of the proof of correctness of basic completion, this result is clear. However, during our case studies there were a number of tricky scenarios which, without this optimisation, caused our prover to take extraordinarily longer.
4.2.5 Equational Unification
Our top level proof search is based on enumerating terms up to a fixed term depth. Unification is not present at all in such a procedure. We introduce intro rules, à la Paulson, into our search procedure. Currently this is accomplished simply by matching conclusions of intro rules against the current goal.
The intro rules are treated like other lemmas, in that they are incorporated into the
sequent as additional assumptions. However, they are marked as intro rules. We instantiate them with terms from the enumeration just like other lemmas. The conclusions get rewritten by the simplifier. At each stage of the proof search, we check whether the conclusion of any intro rule matches the current goal, and if so we replace the goal with the condition of the intro rule, backtracking over unsafe intro rules. This has the effect of simulating equational unification.
5 Interface and Integration
In this section we describe how the techniques outlined in the previous section are integrated into a single tactic, and the interface between this tactic and the user.
Our automation consists of a tableaux proof search, with quantifier instantiation to a fixed term depth, interspersed with calls to the simplifier. How should these be integrated? If simplification is terminating and confluent, then the obvious strategy of applying simplification after every step of proof search preserves completeness. This is the essential observation behind the integration of these two techniques.
The tactic provides an interface to the user. To use the procedure the user must specify a set of terminating and confluent rewrite rules and a set of introduction rules. In fact, the user also specifies a set of lemmas that should be considered during the pro of, and these are simply incorporated into the goal statement as described previously. Proof search proceeds, with safe rules and simplification applied eagerly, and with backtracking over unsafe rules. If proof is unsuccessful, the failing branch is returned to the user at the point where no safe rules, or simplification steps, could be applied. A downside to our approach is that the sequent can get rather large, since we are instantiating quantifiers with all (type-correct) terms below a certain depth. It would be trivial to adapt the user interface so that these instantiations are not directly presented to the user, but are viewable on demand. We leave this to further work.
6 Assessment
In this section, we discuss how our proof procedure fairs in terms of the criteria outlined in Sect. 2. We then discuss the issue of completeness. We do not claim to have a formal proof for completeness wrt. some class of problems, but we do argue that the procedure has good properties. We assess the efficiency by locating our technique wrt. other theorem proving techniques such as resolution. We then assess the practical use of the procedure by giving examples of its success, and by describing the "feel" of the procedure.
6.1 Assessment wrt. Requirements
Our procedure was designed with the criteria of Sect. 2 in mind. We feel that it meets the requirement of simplicity. Conceptually, we are performing a standard intuitionistic proof search. We incorporate safe and unsafe rules. We use simplification, both at the logical level (type boolean) and at domain specific types. Our simplification rules should be confluent and terminating. We ensure that any assumptions used as rewrites do not destroy this important property. We use simplification, and conditional simplification rules only in restricted instances where they are well behaved. All these notions are readily comprehensible.
Conceptual simplicity leads to simplicity when using the procedure. We must only decide on our simpset, our set of intro rules, and the lemmas relevant to the goal. The tactic executes at the tactic level, so we can step through a failed proof attempt by invoking the tactic a step at a time. Since the procedure is non-destructive (in the sense that we search directly using the rules of natural deduction, rather than converting to normal form), we have a high level of visibility into the proof search. Failing branches are typically immediately comprehensible. The notion of safe steps means that even if we fail to find a proof, we return to the user having performed a considerable amount of work i.e. we make progress. Incompleteness manifests itself as a failure to guess large quantifier instantiations. Incompleteness can also arise as a failure of completion, which the user invokes prior to proof search. Incompleteness
also arises during pro of search, with the failure of dynamic completion.
Simplicity leads to stability. One of the properties we would claim is that the prover is monotonic, in that adding lemmas, simplification rules, or unsafe rules does not cause the procedure to fail when before it had succeeded. Likewise the prover is robust in the face of minor changes to definitions and so on. We would not claim that the procedure is efficient.
6.2 Completeness
There are several sources of incompleteness in our automation. Provability in FOL is in general undecidable. We restrict to a depth limited subset of the term universe. Whether there is a pro of involving only depth restricted terms is now decidable, but we will inevitably fail to find proofs that involve terms lying outside our restricted subset. This is a source of incompleteness. However, we may successively increase the term depth and in this way regain completeness at a cost to decidability.
FOL can be embedded in equational reasoning [McK75], so that one expects that equality reasoning manifests similar problems to general proof search. Our approach is to restrict ourselves to terminating and confluent sets of rewrite rules. Since completion may fail, or may not terminate, this is a source of incompleteness. Moreover, we employ completion dynamically, which can similarly fail, although in practice this was not a problem. However, completion is largely handled interactively by the user. If the user ensures that the set of rewrite rules is confluent and terminating, and if dynamic completion during proof search always succeeds, then our equality handling will be complete.
6.3 Efficiency
The current success of automatic methods rests largely on unification, whereas we use unification only trivially, when handling intro rules. In terms of proof search, our procedure will be broadly similar to pre-unification procedures, such as Gilmour's procedure, in terms of performance. For instance, the following goal5 is decidable:
(
xyz.P x y →P y z →P x z)
→ (
xyz.Q x y → Q y z → Q x z)
→ (
xy.P x y→P y x)
→ (
xy.P x y ∨ Q x y)
→ (
xy.P x y) ∨ (
xy.Q x y)
Indeed, the truth or falsity of such a formula can be evaluated in a model with just four elements. However, even though such a goal is decidable, even some modern resolution based provers struggle. Sadly, our procedure is doomed to take an extremely long time. In defense, such goals are rarely met in interactive theorem proving. If they are met, the user is of course free to call a resolution prover interactively to solve them.
In addition to basic pro of search, we pay special attention to equality reasoning. Our approach to equality rests on completion, and so is suitable only in case various conditions are satisfied. However, if these conditions hold, this approach to equality is probably as effective as exists elsewhere. Modern resolution provers employ unfailing completion, which will presumably behave not more efficiently than completion in case a complete set of rewrites exists.
6.4 In Practice
Because it is conceptually simple, the prover is very easy to use. One typically moves from one theorem to the next, and invokes the prover with the simpset and the set of previous lemmas to use, often unchanged from the previous theorem. If a proof is not found, we see the failing branch. This branch is usually readily comprehensible. Almost always (in our case study, always) one needs to add either a simp rule, or a non-trivial lemma. If the lemma is not already proved one must break out and prove it. Having added the necessary rule, the process is repeated, usually with success. Generally, we do not tailor the sets of simplification rules and lemmas to each theorem: these rules are utilised depending on the context, and it is always a good idea to use them if available, by their very nature. Against this, too many rules can cause the performance to degrade, but generally one is working in a given theory, where the number of lemmas is relatively restricted.
Occasionally one must instantiate a quantifier with a clever term, but these are naturally difficult steps. The ability to step through the proof at the user level (rather than inspecting some representation of the failed branch) is very useful, and provides great visibility if something is not working correctly.
We argued that completeness was not of overriding importance, but clearly the aim of automation is to assist the user in proving lemmas. If the automation can prove the lemmas outright, we will not complain.
In our case study we carried out many proofs. One of the main results consisted of over 250 lines of interactive proof script. These proof scripts were not transcriptions of the original proofs, so that automation could feasibly reproduce them. Our automation was able to solve each of the lemmas. We give statistics for a section of the proof concerning a lemma theorem_ 3_ nes_Mup, which is representative of the other lemmas. This lemma in turn consists of a sublemma, theorem_ 3_ nes _ Mup _3. In the following table, we record the theorem name, the lines of tactic script without our automation, the lines with our automation, and the time taken. The sublemma theorem_3_nes_Mup_3 was fed to the automation when proving theorem_3_nes_Mup.We also record what happened when this sublemma was omitted, and the main lemma attempted without this assistance, theorem_3_nes_Mup'. This involved the prover reproving the sublemma during the proof of the main lemma. In this case, a pro of was also found, although this took over 5 minutes. However, we believe this was due to inefficient implementation of the automation tactic, and we intend to reimplement this in future work. These lemmas are representative of the effect of the automation on the other lemmas in the case study. Moreover, we have applied such techniques in other areas, with similar success.
Even though the performance is poor, coordinating these pro of procedures so that such
Tactic Automated Automated
Theorem Name Lines Tactic Lines Time/s
theorem3_ nes_Mup _3 28 1 66
theorem3_ nes_ Mup 12 1 24
theorem3_ nes_Mup' n/a 1 305
lemmas could be proved is a major achievement. The fact that we are able to do so in a general way provides evidence that the procedure has good theoretical properties.
7 Alternative
The automation we developed was motivated by the problems we met during our case study. However, the fact that we were always able to complete our simpset must be counted a lucky accident. In general we can expect completion to fail e.g. for rules expressing commutativity, so that an approach to testing equality of two terms via a canonical set of rewrites appears too strong. There are ways of handling problematic situations, such as rules for commutativity, e.g. by ordered rewriting, but we would like to take this opportunity to consider an alternative general approach to equality handling.
So far, our pro of search limits the depth of terms considered. It seems very reasonable to likewise limit equality reasoning to a subset of the term universe, and employ congruence closure within this restricted subset. This introduces incompleteness of course.
Proving s = t using the axioms for equality requires, in general, terms of arbitrarily large depth. If we restrict the depth of the terms we consider, our equality reasoning will be incomplete. For instance, suppose we prove an equality s = t by a transitivity chain s = u = v = x = y = t. One can picture such a proof as shown in Fig. 1. If we restrict the depth of terms we consider to d or less, the picture might resemble Fig. 2. In such a situation, the equalities s = u = v will be derived, but the equalities x = y and y = t will not be. If no proof of s = t exists within the restricted term universe, we will not be able to deduce s = t.
Thus at any given stage of our pro of search, our equality reasoning will be incomplete. However, if we successively increase the depth of terms we consider, we regain completeness for equality reasoning.
In this setting, equational unification, wrt. the restricted set of terms, becomes decidable, and moreover can be implemented very efficiently.
Another advantage of this approach is that the representative for the equivalence class can be chosen in a user specified manner. For example, the user might choose the smallest member of the equivalence class as representative, or the smallest wrt. some lexicographic path order. This can help to keep sequents readable.
Another advantage of this approach is that it is simple for the user to understand, and moreover dovetails well with our approach to pro of search. The focus on a single measure of complexity, i.e. term depth, over several procedures, is a unifying step. Moreover, the disadvantages and incompleteness of the approach via completion are absent here. We leave the implementation of this alternative to future work.
Term depth
s u v x y t
Term
Figure 1: Equality Proof by Transitivity
d
Term depth
s u v x y t
Term
Figure 2: Equality Pro of by Transitivity, with Depth Restriction
8 Conclusion
We have presented the automation we developed to tackle a large case study. The automation is tailored to interactive use. The automation is based on the integration of a pro of search engine and simplification, relying essentially on completion.
The contributions of this section are to address the failings of current automation in an interactive setting, in terms of basic pro of search, and its integration with simplification. Our techniques do not step outside the realm of predicate logic with equality, but even in this very restricted domain, we encountered numerous problems. On the other hand, having solved these problems, we had no requirement for domain specific automation. We do not deny that in areas like linear arithmetic, such procedures are necessary for effective automation. However, our experience suggests that simplification and proof search are a very effective combination. This may be an instance of the phenomenon in logic that "a little goes a long way".
In the previous sections we noted several possibilities for future work, which we here summarize.
• The theoretical issue of completeness of intro rules should be addressed, although this is unlikely to have much of a practical impact.
• The issue of how lemmas are incorporated during proof search should be addressed. Craig's Interpolation Lemma suggests the naive approach based on syntactic features
shared between the current goal and a lemma: if a lemma and the current goal are expressed in different languages, then the lemma is not useful in order to prove the current goal. Craig's Interpolation Lemma holds for FOL, but it may be possible to extend the idea to richer theories.
• Completion may be extended to full completion ` a la Huet. Conditional completion should also be implemented so that it copes with common cases, and supporting theory should be developed. Further, the implementation of completion should be parameterised by a notion of equality which is not identical with HOL's inbuilt equality, in order to support different equality notions. An additional task is to integrate good automatic termination provers, such as AProVE [GTSKF04] with the completion procedure, so that user interaction is minimised.
• The interface for the automation should be extended so that the user is not swamped with to o much information.
• The automation as a whole needs reimplementing in order to increase the efficiency of the tactic.
• We intend to implement the alternative approach to handling equality via congruence closure and link this with proof search.
This covers future work arising as a direct consequence of this work. We now consider other opportunities which this work has uncovered.
Although we believe our approach largely solve the problem of proof for a given lemma, still the choice of lemmas and definitions is largely a matter of art. In the case of lemmas, we typically accumulate them on the boundaries of theories, then look for general lemmas that cover several of these as instances. This strengthening is reminiscient of the strengthening of inductive hypotheses.
We also found that in some areas, there was an explosion of non-trivial lemmas on the boundaries between theories, which could not be reduced by generalising. This typically occurs for common mathematical objects, such as trees. Many of the lemmas are intuitively immediately plausible, but their proofs often involve considerable e ort. In this case, it seems hard to control the spread of the subtheory into the main theory, since the lemmas of the subtheory are used so pervasively in the main theory. So here we have three related problems, namely
• Explosion of non-trivial and independent lemmas required from a subtheory.
• Lemmas intuitively plausible, hard to prove.
• Lemmas permeate main theory, reducing modularity and making the main theory
heavily dependent on the subtheory.
There seems to be no way to reduce the explosion in the number of lemmas. In terms of proof, we note that the difficulty arises from the need to state induction lemmas carefully, so that this is primarily a failure of automation of inductive proof. We also note that most of the definitions in this area are implicitly executable, so that there is scope for some form of model checking via execution of the definitions. This in turn could be used to tip off an inductive prover as to the truth or otherwise of conjectured lemmas.
We have not touched on the subject of automating induction, or other higher order
features. We have more to say about induction in Sect. ??, but suffice it to say this seems like a difficult area.
We would also like to note the difficulty in reasoning about combinations of tactics. We feel that recent moves [?] towards a calculus of tactics could prove interesting. We suggest that relatively trivial steps, such as ensuring that tactic scripts are tree structured rather than linearly structured, and incorporating proper handling of parameters in proofs via lambda binding at the ML level, can improve robustness of scripts. However, beyond this the way is unclear.
There is much related work. Automatic theorem proving is already a vast field, and we cannot hope to survey it in a reasonable space. Our primary source was the two volumes of the Handbook of Automated Reasoning [RV01]. We note the prevalence of model theoretic methods over proof theoretic methods, which can make implementing some techniques problematic. Our work is aimed at addressing the needs of automation in an interactive setting. Relevant here is the PhD of Syme [Sym98] who addresses the needs of automation in a declarative setting. Much of his conclusions apply in an interactive setting. Our analysis of the problems of automation in an interactive setting draws on his work.
編號:
畢業(yè)設(shè)計英文翻譯譯文
題 目: Automation
院 (系): 計算機系
專 業(yè): 自動化
學(xué)生姓名: 李 林
學(xué) 號: 201300022
指導(dǎo)教師: 王 超
職 稱: 實驗師
2005 年 6 月 3日
自動化
湯姆里治
2005 年四月 12 日
目 錄
1 介紹 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
2 需求. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
3 目前交互式證明器的自動化. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
4 技術(shù). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.1 證明的搜尋. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
4.1.1邏輯系統(tǒng). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
4.1.2引進規(guī)則. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
4.2 等式. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
4.2.1改寫. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
4.2.2條件的簡單化. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
4.2.3完成. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2.4動態(tài)的完成. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
4.2.5方程式的統(tǒng)一. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
5 連接與整合. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
6 評估. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
6.1 評估生產(chǎn)需求. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
6.2 完整性. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.3 效率. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
6.4 實際應(yīng)用. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7 替代選擇. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
8 結(jié)論. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
1 介紹
