SLIDE 1
Machine Checking Proof Theory: an application of logic to logic - - PowerPoint PPT Presentation
Machine Checking Proof Theory: an application of logic to logic
(Jeremy E Dawson and) Rajeev Goré
Logic and Computation Group, College of Engineering and Computer Science, The Australian National University
rajeev.gore@anu.edu.au
ICLA 2009
SLIDE 2
SLIDE 3
Motivation
◮ Proof Theory Is Error Prone
◮ Page Limits Force Shortcuts
◮ Many Similar Cases: “the other cases are similar”
◮ Subtle Errors, Often Easily Repairable
◮ Proofs Typically Proceed Via Structural Induction
◮ Interactive Proof Assistants Now Quite Mature
◮ Can We Machine Check Proof Theory?
SLIDE 4
An Oath: Since I have Limited Time
I will tell the truth
I may not tell the whole truth
But I won’t lie
So complain immediately if you see something blatantly incorrect!
SLIDE 5
Proof Theory: Purely Syntactic Calculi for L-Deduction
Γ: given finite “collection” of assumption L-formulae
A: given single L-formula
Γ ⊢L A: L-formula A is L-deducible from assumptions Γ
Judgement: Γ ⊢L ∆ where Γ and ∆ are “collections” of formulae
Calculus: a finite “collection” of rules built from judgements
Rule: a finite number of premises and a single conclusion

  Γ1 ⊢L ∆1  · · ·  Γn ⊢L ∆n
  ─────────────────────────── RuleName  (Condition)
          Γ0 ⊢L ∆0

Rule Reading: if the premises hold then the conclusion holds
Derivation of Γ ⊢L ∆: a finite tree of judgements with root Γ ⊢L ∆, where parents are obtained from children by applying a rule
Notation: will omit L from now on
SLIDE 6
Examples of Rules of Some Existing Calculi
Calculus | Example Rule (premises ⇒ conclusion)                        | Collection
LK       | (→L): Γ, B ⊢ ∆ and Γ ⊢ A, ∆ ⇒ Γ, A → B ⊢ ∆                   | sets of formulae
GHPC     | (→L): Γ, B ⊢ C and Γ, A → B ⊢ A ⇒ Γ, A → B ⊢ C               | multisets + SOR
ND       | ({.}.E): Γ ⊢ {M}K and Γ ⊢ K ⇒ Γ ⊢ M                          | multisets + SOR
NL       | (\L): ∆ ⊢ A and Γ[B] ⊢ C ⇒ Γ[(∆, A \ B)] ⊢ C                 | trees with holes
DL       | (→L): Γ ⊢ A and B ⊢ ∆ ⇒ A → B ⊢ (∗Γ) ◦ ∆                     | complex trees
SLIDE 7
Structure of Collections Is Significant
Structural Rules Using Multisets: the following rule is well-defined

  Γ, A, A ⊢ ∆                 p0, p0 ⊢ q0
  ─────────── (Ctr)     e.g.  ─────────── (Ctr)
   Γ, A ⊢ ∆                     p0 ⊢ q0

Structural Lemma Using Multisets: the following lemma is well-defined
If Γ, A, A ⊢ ∆ is derivable then so is Γ, A ⊢ ∆
Sets: neither makes sense, since the instance of (Ctr) above has premise {p0} ⊢ {q0} and conclusion {p0} ⊢ {q0}, i.e. it is just an identity step
Sets: Γ ∪ {A} ∪ {A} ⊢ ∆ is the same as Γ ∪ {A} ⊢ ∆
SLIDE 8
Applying A Rule: Example Derivation In Gentzen’s LK
Collections: sets (of formulae of FO classical logic)
Id: every instance of Γ, p ⊢ p, ∆ is a derivation, and ...
Example: where Γ, A means “Γ set-union {A}”

  Γ, A, B ⊢ ∆              Γ ⊢ A, ∆    Γ, B ⊢ ∆
  ──────────── (∧ ⊢)       ───────────────────── (→⊢)
  Γ, A ∧ B ⊢ ∆                 Γ, A → B ⊢ ∆

  p0 ⊢ p0, q0    p0, q0 ⊢ q0
  ─────────────────────────── (→⊢)
      p0, (p0 → q0) ⊢ q0
  ─────────────────────────── (∧ ⊢)
      p0 ∧ (p0 → q0) ⊢ q0

Decidability: via the subformula property (for the propositional part)
Generalise: some measure decreases from conclusions to premises
Automated Deduction: use the rules backwards to find derivations
TABLEAUX: International Conference on Automated Reasoning with Analytic Tableaux and Related Methods (Oslo 2009)
SLIDE 9
But Most Uses of Proof Theory Are Meta-Theoretic
Consistency: ∅ ⊢L A and ∅ ⊢L ¬A are not both derivable
Disjunction Property: If ∅ ⊢Int A ∨ B then ∅ ⊢Int A or ∅ ⊢Int B
Craig Interpolation: If Γ ⊢L ∆ holds then so do Γ ⊢L A and A ⊢L ∆ for some formula A with Vars(A) ⊆ Vars(Γ) ∩ Vars(∆)
Normal Forms: Is there a (unique) normal form for derivations?
Curry-Howard: Do normal derivations correspond to well-typed terms of some λ-calculus?
Equality: When are two derivations of Γ ⊢L A equivalent?
Relative Strengths: Every derivation in ⊢1 can be simulated by a polynomially longer derivation in ⊢2
SLIDE 10
Typical Lemmas for Reasoning About Derivations
Identity: The judgement A ⊢ A is derivable for all A
Monotonicity: If Γ ⊢ ∆ is derivable then so is Γ, Σ ⊢ ∆
Exchange: If Γ, A, B ⊢ ∆ is derivable then so is Γ, B, A ⊢ ∆
Contraction: If Γ, A, A ⊢ ∆ is derivable then so is Γ, A ⊢ ∆
Inversion: If the conclusion of a rule instance is derivable then so are the corresponding premise instances
Cut-elimination (Cut-admissibility): If Γ ⊢ A, ∆ is (cut-free) derivable and Γ, A ⊢ ∆ is (cut-free) derivable then Γ ⊢ ∆ is cut-free derivable

  Γ ⊢ A, ∆    Γ, A ⊢ ∆
  ───────────────────── (cut)
         Γ ⊢ ∆
SLIDE 11
Proof Theory Is Error-Prone: Provability Logic GL
Gödel-Löb logic: GL = K + □(□A → A) → □A
Solovay 1976: □A means “A is provable in Peano Arithmetic”
Leivant 1981: cut-elimination for a set-based sequent calculus
Valentini 1983: counter-example and a new cut-elimination proof using an extra measure of “width” for set-based sequents
Moen 2001: claim that Valentini’s transformations don’t terminate if the sequents Γ ⊢ ∆ are based on multisets
Negri 2005: new cut-elimination proof using labelled formulae w : A
Mints 2005: new proof using traditional methods (draft)
RG and Ramanayake 2007: Moen is incorrect, Valentini’s proof using multisets and “width” is mostly okay (AiML 2008)
Not Isolated: many such examples exist in the literature
SLIDE 12
Interactive Proof Assistants
Examples: Mizar, HOL, Coq, LEGO, NuPrl, NqThm, Isabelle, λ-Prolog, HOL-Lite, LF, ELF, Twelf, · · ·
Implementation: typically based upon a typed λ-calculus, using a strongly typed functional programming language (ML)
Architecture (diagram on the slide): User → User Interface (Proof General) → Proof Assistant (Isabelle: λ-calculus, higher order logic (hol)) → Small Core of (ML) Code → (ML) Compiler → Machine Code
Trust: rests on strong typing and the small core of (ML) code, which is open to public scrutiny by experts
Proof Transcripts: can be cross-checked using other assistants
SLIDE 13
Logical Frameworks: Proof Via Backward Chaining
Operation: backward chaining on “propositions” (like Prolog)
Given a rule [β1 ; β2 ; · · · ; βn] =⇒ α and a current goal β, compute θ = match(β, α); the new sub-goals are β1θ , β2θ , · · · , βnθ
Matching: usually (associative-commutative) higher order
Assistant: keeps track of the sub-goals and the current proof state
Object Logic: defines the syntax of α, β (propositions)
Meta Logic: determines the properties of “;” and “=⇒” (hol)
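The backward-chaining loop described on this slide, as an added Python example that is not part of the talk or of Isabelle. It assumes a toy object logic of my own choosing (single-conclusion implicational sequents with list-shaped contexts, encoded as meta-level propositions deriv(G, A) and mem(A, G)) and uses plain first-order unification with fresh variable renaming in place of Isabelle's higher-order, associative-commutative matching; the names imp, cons, deriv, mem, instantiate, solve and provable are mine.

```python
from itertools import count

# Terms: a meta-variable is a str starting with "?"; everything else is a tuple
# (functor, arg1, ...). Constants are 1-tuples such as ("p",).
def imp(a, b):   return ("imp", a, b)     # object-level implication A -> B
def cons(f, g):  return ("cons", f, g)    # context extended by one formula
NIL = ("nil",)                            # empty context
def deriv(g, a): return ("deriv", g, a)   # proposition "A is derivable from context G"
def mem(a, g):   return ("mem", a, g)     # proposition "A occurs in context G"

def walk(t, s):
    """Follow variable bindings in substitution s until an unbound term is reached."""
    while isinstance(t, str) and t in s:
        t = s[t]
    return t

def subst(t, s):
    """Apply substitution s throughout term t."""
    t = walk(t, s)
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(x, s) for x in t[1:])

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:]))

def unify(a, b, s):
    """Return an extension of s that unifies a and b, or None (first-order, occurs check)."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, str):
        return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, str):
        return None if occurs(b, a, s) else {**s, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def rename(t, k):
    """Give a rule's meta-variables fresh names for its k-th use."""
    if isinstance(t, str):
        return f"{t}_{k}"
    return (t[0],) + tuple(rename(x, k) for x in t[1:])

# Rules in the slide's shape [β1 ; ... ; βn] ==> α, stored as (name, premises, conclusion).
A, B, C, G = "?A", "?B", "?C", "?G"
RULES = [
    ("mem0", [],                                                      mem(A, cons(A, G))),
    ("memS", [mem(A, G)],                                             mem(A, cons(B, G))),
    ("id",   [mem(A, G)],                                             deriv(G, A)),
    ("impR", [deriv(cons(A, G), B)],                                  deriv(G, imp(A, B))),
    ("impL", [mem(imp(A, B), G), deriv(G, A), deriv(cons(B, G), C)],  deriv(G, C)),
]

def instantiate(rule, goal, s, k):
    """θ = match(β, α): unify goal β with conclusion α; return (sub-goals βiθ, θ) or None."""
    name, prems, concl = rule
    s1 = unify(rename(concl, k), goal, s)
    if s1 is None:
        return None
    return [subst(rename(p, k), s1) for p in prems], s1

def solve(goals, s, rules, depth, fresh):
    """Depth-first backward chaining over the goal stack; yields each closing substitution."""
    if not goals:
        yield s
        return
    if depth == 0:              # depth bound: impL can be applied forever
        return
    goal, rest = goals[0], goals[1:]
    for rule in rules:
        r = instantiate(rule, goal, s, next(fresh))
        if r is not None:
            new_goals, s1 = r
            yield from solve(new_goals + rest, s1, rules, depth - 1, fresh)

def provable(goal, rules=RULES, depth=12):
    return next(solve([goal], {}, rules, depth, count()), None) is not None

# Constructed sample goals: p -> (q -> p) is a theorem of the toy logic, p -> q is not.
p, q = ("p",), ("q",)
THEOREM = deriv(NIL, imp(p, imp(q, p)))
NON_THEOREM = deriv(NIL, imp(p, q))
```

The depth bound stands in for the termination argument a real assistant leaves to the user: without it the impL rule could be selected indefinitely. instantiate is exactly the step the slide calls θ = match(β, α) followed by β1θ, ..., βnθ.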
SLIDE 14
Method 1: Isabelle’s LK Object Logic (shallow embedding)
Syntax of Object Logic Sequents:
  prop     = sequence |- sequence
  sequence = elem (, elem)∗ | empty
  elem     = $id | $var | formula
  formula  = ∼ formula | formula & formula | · · ·
Sequent Rules Use Meta Logic: [β1 ; · · · ; βn] =⇒ α
Example: [| $G |- $D,P ; $G,P |- $D |] ==> $G |- $D   encodes

  Γ ⊢ ∆, P    Γ, P ⊢ ∆
  ───────────────────── (cut)
         Γ ⊢ ∆

Embedding: by encoding the horizontal bar as =⇒
Pros: can create and check specific derivations
Cons: cannot reason about arbitrary or all derivations
SLIDE 15
Method 2: Change Object Logic (deep embedding)
Object Logic: use hol expressions as Props in β1 ; · · · ; βn =⇒ α
Formula Type in hol:
  fml = FC string (fml list)   (* fml connective *)
      | FV string              (* fml variable *)
      | PP string              (* prim prop *)
Example: FC "/\" [FV "A", PP "q"] encodes A ∧ q
Sequent Type: seq = fml multiset ⊢ fml multiset
Rule Type: inf = (seq list , seq)   (* ps/c *)
Define Basic Rule Instances: rli :: inf set
  ( [ G ⊢ {A} + D , G ⊢ {B} + D ], G ⊢ {A ∧ B} + D ) ∈ rli
encodes the rule

  Γ ⊢ A, ∆    Γ ⊢ B, ∆                  G ⊢ {A} + D    G ⊢ {B} + D
  ───────────────────── (⊢ ∧)    i.e.   ─────────────────────────── rli
      Γ ⊢ A ∧ B, ∆                            G ⊢ {A ∧ B} + D
SLIDE 16
Method 2: Reasoning About Derivability
Define Basic Rule Instances: rli :: inf set
  ( [ ], G + { A } ⊢ { A } + D ) ∈ rli
  ( [ G ⊢ {A} + D , G ⊢ {B} + D ], G ⊢ {A ∧ B} + D ) ∈ rli
  · · ·
Use Inductively Defined Sets for Reasoning About Derivability:
  derrec rli pms    “sequents derivable from pms using rli”
  dersrec rli pms   “sequent lists derivable from pms using rli”
Two Mutually Inductively Defined Sets:
  c ∈ pms =⇒ c ∈ derrec rli pms
  (ps, c) ∈ rli ; ps ∈ dersrec rli pms =⇒ c ∈ derrec rli pms
  [ ] ∈ dersrec rli pms
  c ∈ derrec rli pms ; cs ∈ dersrec rli pms =⇒ c#cs ∈ dersrec rli pms
SLIDE 17
Derivability From Fixed Premises pms Using rli
  c ∈ pms =⇒ c ∈ derrec rli pms
  [ ] ∈ dersrec rli pms
  (ps, c) ∈ rli ; ps ∈ dersrec rli pms =⇒ c ∈ derrec rli pms
  c ∈ derrec rli pms ; cs ∈ dersrec rli pms =⇒ c#cs ∈ dersrec rli pms
SLIDE 18
Derivability From Fixed Premises pms Using rli
  c ∈ pms =⇒ c ∈ derrec rli pms
  [ ] ∈ dersrec rli pms
  (ps, c) ∈ rli ; ps ∈ dersrec rli pms =⇒ c ∈ derrec rli pms
  c ∈ derrec rli pms ; cs ∈ dersrec rli pms =⇒ c#cs ∈ dersrec rli pms
Pictures on the slide: a rule instance [p1, · · · , pk] rli c whose premise list [p1, · · · , pk] is in dersrec rli {pms1, · · · , pmsn} gives c ∈ derrec rli {pms1, · · · , pmsn}; a derivation of c from {pms1, · · · , pmsn} together with derivations of the list [c1, · · · , cm] from the same premises gives the list [c, c1, · · · , cm] in dersrec rli {pms1, · · · , pmsn}
SLIDE 19
Inductive Proofs via Automated Inductive Principles
Induction Principles: generated automatically by Isabelle from the inductive definition of derrec and dersrec
Heavily Simplified: for proving an arbitrary property P of sequents
  ∀x. ∀P. [ x ∈ derrec rli pms ;
            ∀c. c ∈ pms =⇒ P(c) ;
            ∀c. ∀ps. [ (ps, c) ∈ rli ; ∀y ∈ (set ps). P(y) ] =⇒ P(c)
          ] =⇒ P(x)
Translation: for all sequents x and all properties P, if x is derivable from premises pms using rules rli, and P holds for every premise in pms, and for each rule, P of its premises implies P of its conclusion, then P holds of x
Intuition: induction on the structure of the derivation
SLIDE 20
Example Results About Recursive Derivability
Question marks indicate free (universally quantified) variables
Lemma: ?c ∈ derrec ?rli (derrec ?rli ?pms) =⇒ ?c ∈ derrec ?rli ?pms
Translation: if sequent c is derivable using rli from premises that are themselves derivable from pms using rli, then c is derivable from pms using rli.
Lemma: ?prs ⊆ derrec ?rli ?prems ; ?c ∈ derrec ?rli ?prs =⇒ ?c ∈ derrec ?rli ?prems
Translation: if each premise in prs is derivable from prems using rli, and conclusion c is derivable from prs using rli, then c is derivable from prems using rli.
SLIDE 21
Method 2: Summary
Defined our own syntax for sequents: FC "/\" [FV "A", PP "q"] encodes A ∧ q
Sequent Type: seq = fml multiset ⊢ fml multiset
Rule Type: inf = (seq list , seq)   (* ps/c *)
Inductively Define Set of Basic Rule Instances: rli :: inf set
  ( [ ], G + { A } ⊢ { A } + D ) ∈ rli
  ( [ G ⊢ {A} + D , G ⊢ {B} + D ], G ⊢ {A&B} + D ) ∈ rli
  · · ·
Pros: we can still check specific derivations
Pros: we can prove properties of our rule set rli, e.g. lemmas about derrec rli pms
Substitutions: taken care of by Isabelle via instantiation
Cons: still cannot reason about or manipulate derivations per se
SLIDE 22
Method 3: Explicitly Representing Derivation Trees
Sequent Syntax and Rule Set: as before, but name each rule
Derivation Trees As Objects Over Base Type seq:
  datatype seq dertree = Der seq rule (seq dertree list) | Unf seq
Substitution lists: kept and manipulated explicitly
Example: writing p /\ A for FC "/\" [PP "p", FV "A"]
  Der (A |- p /\ A) ctr
      [Der (A, A |- p /\ A) andR
           [Unf (A |- p), Der (A |- A) idf []]]
encodes the (unfinished) derivation

            ─────── (idf)
  A ⊢ p      A ⊢ A
  ────────────────── (∧R)
     A, A ⊢ p ∧ A
  ────────────────── (ctr)
      A ⊢ p ∧ A
SLIDE 23
Moving Between the Two Deep Embeddings
Define: valid rls dt holds when derivation dt uses rules from rls only and has no Unfinished (Unf) leaves (definition not shown)
Lemma: valid ?rls ?dt =⇒ (conclDT ?dt) ∈ derrec ?rls {}
Translation: for all derivations dt and all rule sets rls, if dt is a valid derivation w.r.t. rule set rls then the conclusion of dt is derivable from the empty set of premises using rules rls
Lemma: ?c ∈ derrec ?rls {} =⇒ EX dt. valid ?rls dt & conclDT dt = ?c
Translation: for all sequents c and all rule sets rls, if c is derivable from the empty set of premises using rules rls then there exists a derivation dt which is valid w.r.t. rule set rls and whose conclusion is c
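The two deep embeddings side by side, as an added Python example that is not the talk's Isabelle development: the fml/seq encoding and derrec-style derivability search of slides 15 to 17, the Der/Unf derivation trees of slide 22, and the valid/conclDT correspondence of this slide. It assumes a three-rule set of my own (idf with no context, left contraction ctr, and a context-splitting andR), chosen so that the slide-22 tree is well-formed under it; multisets are represented as sorted tuples, and the helpers ms, ms_add, ms_delete, splits, derive and RLS are mine. Instead of a yes/no derrec test, derive returns the derivation tree it finds, so the lemma "derivable from {} implies some valid tree with that conclusion" can be checked on examples.

```python
from dataclasses import dataclass
from itertools import product

# --- Formula syntax (the slides' fml datatype: FC / FV / PP), as nested tuples ---
def FC(conn, args): return ("FC", conn, tuple(args))   # connective applied to arguments
def FV(name):       return ("FV", name)                # formula variable
def PP(name):       return ("PP", name)                # primitive proposition
def conj(a, b):     return FC("/\\", [a, b])

# --- Multisets as sorted tuples: order-insensitive and hashable, so sequents can sit in sets ---
def ms(*fs):         return tuple(sorted(fs))
def ms_add(m, f):    return tuple(sorted(m + (f,)))
def ms_delete(m, f): # remove one occurrence of f (the slides' ms_delete {f} m)
    i = m.index(f)
    return m[:i] + m[i + 1:]
def splits(m):       # every way of dividing a multiset into two parts (for context-splitting rules)
    for mask in product((0, 1), repeat=len(m)):
        yield (tuple(f for f, b in zip(m, mask) if b == 0),
               tuple(f for f, b in zip(m, mask) if b == 1))

# A sequent is (antecedent multiset, succedent multiset). Rule schemes are read backwards:
# conclusion -> list of candidate premise lists, i.e. all (ps, c) in rli with this c.
def idf(c):
    ant, suc = c
    return [[]] if len(ant) == 1 and ant == suc else []
def ctr(c):                  # Γ, A ⊢ ∆ from Γ, A, A ⊢ ∆ (left contraction)
    ant, suc = c
    return [[(ms_add(ant, f), suc)] for f in dict.fromkeys(ant)]
def andR(c):                 # multiplicative ⊢∧: the contexts are split between the premises
    ant, suc = c
    out = []
    for f in dict.fromkeys(suc):
        if f[0] == "FC" and f[1] == "/\\":
            a, b = f[2]
            for g1, g2 in splits(ant):
                for d1, d2 in splits(ms_delete(suc, f)):
                    out.append([(g1, ms_add(d1, a)), (g2, ms_add(d2, b))])
    return out
RLS = {"idf": idf, "ctr": ctr, "andR": andR}

# --- Derivation trees: datatype seq dertree = Der seq rule (seq dertree list) | Unf seq ---
@dataclass(frozen=True)
class Der:
    seq: tuple
    rule: str
    subs: tuple
@dataclass(frozen=True)
class Unf:
    seq: tuple

def conclDT(dt): return dt.seq

def valid(rls, dt):
    """dt uses only rules from rls, every node is a genuine rule instance, and no leaf is Unf."""
    if isinstance(dt, Unf) or dt.rule not in rls:
        return False
    premises = [conclDT(s) for s in dt.subs]
    return premises in rls[dt.rule](dt.seq) and all(valid(rls, s) for s in dt.subs)

def derive(rls, pms, c, depth):
    """Depth-bounded search for a derivation of c from premises pms; premise leaves become Unf."""
    if c in pms:
        return Unf(c)
    if depth == 0:           # bound needed: ctr can be applied backwards forever
        return None
    for name, scheme in rls.items():
        for ps in scheme(c):
            subs = [derive(rls, pms, p, depth - 1) for p in ps]
            if all(s is not None for s in subs):
                return Der(c, name, tuple(subs))
    return None

# Constructed examples: the slide-22 tree (unfinished) and a finished tree for p ⊢ p ∧ p.
A, p, q = FV("A"), PP("p"), PP("q")
SLIDE_TREE = Der((ms(A), ms(conj(p, A))), "ctr", (
    Der((ms(A, A), ms(conj(p, A))), "andR", (
        Unf((ms(A), ms(p))),
        Der((ms(A), ms(A)), "idf", ()))),))
FINISHED = Der((ms(p), ms(conj(p, p))), "ctr", (
    Der((ms(p, p), ms(conj(p, p))), "andR", (
        Der((ms(p), ms(p)), "idf", ()),
        Der((ms(p), ms(p)), "idf", ()))),))
```

valid(RLS, SLIDE_TREE) is False only because of the Unf leaf A ⊢ p; supplying that sequent as a premise, derive(RLS, {(ms(A), ms(p))}, conclDT(SLIDE_TREE), 3) reconstructs exactly the slide's tree, while derive from the empty premise set yields trees that valid accepts.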
SLIDE 24
Machine-checked Mix Admissibility for Provability Logic GL
glss: encoding of the sequent rules for GL without the cut rule
Goal: the desired statement of the mix rule or mix lemma

  Γ ⊢ A, ∆′    A, Π′ ⊢ Σ               Γ ⊢ ∆    Π ⊢ Σ
  ─────────────────────── (mix)        ───────────────── (mix)   A ∈ ∆ and A ∈ Π
      Γ, Π′ ⊢ ∆′, Σ                    Γ, Π^A ⊢ ∆^A, Σ

ms delete {A} P: delete formula occurrence A from multiset P (Π^A, ∆^A above)
Theorem (machine-checked):
  ( ?G ⊢ ?D ) ∈ derrec glss {} ; ( ?P ⊢ ?S ) ∈ derrec glss {}
  =⇒ ( ?G + (ms delete {?A} ?P) ⊢ (ms delete {?A} ?D) + ?S ) ∈ derrec ?glss {}
Cut-admissibility: can be obtained with a little more work
SLIDE 25