Other Classical Reasoning Methods in ISABELLE 1 Motivation 2 Tactics - Overview 3 Blast 4 Managing...

Other Classical Reasoning Methods in ISABELLE:“From Tactics and Tacticals to Automated Reasoning in Isabelle ”

Stephan Scheele1

1Informatics Theory Group (GdI)University of Bamberg

June 13, 2007

GdI (Projekt) Rules of the Game II Seminar & Reading Club 1 / 29

Outline

1 Motivation

2 Tactics - Overview

3 Blast

4 Managing Large Proofs

5 Tacticals the Isabelle-Style

Outline

1 Motivation

3 Blast

Outline

1 Motivation

3 Blast

Outline

1 Motivation

3 Blast

Outline

1 Motivation

3 Blast

Need for Automation

We have seen in Rules of the Game I that proving on a stepwise basis is

very tedious and yearns for automation.

Large proofs may contain several hundred steps

You have to consider a search strategy

A choice that proves one subgoal can render another impossible to

Efficiency considerations are also important for automation. The

non-determinacy in proof search may lead to deep backtracking which

should therefore be avoided.

Need for Automation

It is difficult to prove theorems on a stepwise basis, e.g. the proof

can become very long.

Tacticals are operations on Tactics and play an important role in the

automation of proofs.

Isabelle provides automated reasoning procedures to tackle substantial

examples.

The Classical Reasoner is a family of tools for automating proofs.

Imagine you want to verify the correctness of your brand-new revolutionary

processor design. Without automation this will become a bold venture.

Need for Automation

examples.

Need for Automation

examples.

Need for Automation

examples.

Need for Automation

examples.

Proof Procedures (Simplified)

Tactics in Isabelle are performed in order:

1 DEPTHSOLVE( REPEAT(rtac safe I rules ORELSE etac safe E rules))

2 canonize: propagate "x = t" throughout subgoal

3 rtac unsafe I rules ORELSE etac unsafe E rules

4 atac

In Isar: rtac is rule, etac is erule, atac is assumption, . . .

One elementary proof step consists of trying safe introduction rules

with rtac. If that is not possible a safe elimination rule will be

applied by etac. Both steps are repeated as long as possible.

Afterwards in the current subgoal any assumption of the form x = t

will be propagated throughout the subgoal.

Then Isabelle tries to apply an unsafe introduction rule, if not possible

a unsafe eliminination rule.

Finally she will use atac (which is a unsafe rule).

Working at the Isar-Level, the syntax for the commands to access

automated procedures look as follows:

Proof Procedures (Simplified) 526

Combined Proof Search Tactics in ISAROn the ISAR-level, the syntax for commands accessing the

“provers” looks as follows:blast

��

�fast��

��

�best��

��

�safe��

��

�clarify��

��

� !��

��

� clamod

clamod

intro��

��

�elim��

��

�dest��

��

!��

��

� ?��

��

�del��

��

:��

��thmrefs

Wolff: Isabelle: Automation by Proof Search; http://www.infsec.ethz.ch/education/permanent/csmr/ (rev. 16802)GdI (Projekt) Rules of the Game II Seminar & Reading Club 7 / 29

clamod allows for introducing new rules (theorems), which can be

introduction, elimination or destruction rules.

Rules classified with bang ”!” are applied earlier and more aggresively as

the ”safe rules”.

(Get more infos in the Isabelle Reference Manual [Pau03])

Recap: Safe rules vs unsafe rules

Safe rules preserve provability

conjI, impI, notI, iffI, refl, ccontr, classical, conjE,

Unsafe rules can turn a provable goal into an unprovable one

disjI1, disjI2, impE, iffD1, iffD2, notE

Apply safe rules before unsafe ones!

This is also important for automation!

Automatic Tactics in Isabelle

auto tac : Intended for solving mostly trivial subgoals

fast tac : Safe and unsafe steps using depth-first stategy

best tac : Safe and unsafe steps using breadth-first stategy

blast tac : Like fast tac, but more efficient and powerfull

force tac : Prove one subgoal completely by applying all known

tactics performing a rather exhaustive search

Semi-automatic Tactics in Isabelle

clarify tac : Performs all obvious reasoning steps without splitting

the goal

clarsimp tac : Like clarify tac, but also does simplification with

the given simpset. (Note: the simpset includes a splitter for the

premises, the subgoal may still be split)

safe tac : Safe and unsafe steps using breadth-first stategy

More details can be found in the Isabelle Reference Manual [Pau03].

the goal

Blast - Isabelles primary workhorse

Successor of fast tac (fast tac used

Isabelles inferences)

Blast is a standalone tableaux-reasoner

integrated into Isabelle (actually a

adapted Version of the LeanTap prover)

Decides for classical logic and set-theory

many tautologies

Based on tableau-methods which operate

on branches: Lists of formulae interpreted

conjunctively

Uses Iterative Deepening as Search

Strategy

Drawbacks

Blast ignores types → problems in HOL

No HO-Unification

Function variables may only be applied to parameters of the subgoal

Its proof strategy is more general than fast tac’s but can be slower

(if blast tac fails try fast tac)

Blast delivers no explanation when a proof fails (use clarify to see the

problem)

Drawbacks

No HO-Unification

problem)

Drawbacks

No HO-Unification

problem)

Drawbacks

No HO-Unification

problem)

Drawbacks

No HO-Unification

problem)

A look behind Blast

Tableau-provers use a refutation strategy: the objective is to show that the

negation of a formula cannot be satisfied.

Rules for handling each of the usual connectives

If any branch of a tableau leads to an evident contradiction (e.g.

A ∧ ¬A), the branch closes

If all branches close, the proof is complete and the original formula is

Tableau rules are of four types:

α-Rules: divide a conjunctive formula into parts on the branch

β-Rules: split a branch accordiong to the disjuncts of a formula

γ-Rules: instantiate a universal quantifier

δ-Rules: skolemize an existential quantifier

A look behind Blast

Tableau-provers use refutation strategy: the objective is to show that the

Generic Tableau rules

α-rules β-rules γ-rules δ-rules

φ ∧ ϕ

α ϕ ∨ φ

ϕ | φ.

β8x φ(x)

φ(?t).

γ9x φ(x)

φ(s).

A look behind Blast

Tableau rules for FOL

φ ∧ ϕ

α1¬(φ ∨ ϕ)

¬φ¬ϕ

α2¬(φ ⇒ ϕ)

φ¬ϕ

φ ∨ ϕ

φ | ϕ.

β1¬(φ ∧ ϕ)

¬φ | ¬ϕ.

β2φ ⇒ ϕ

¬φ | ϕ.

8xφ(x)

φ(?t).

γ9xφ(x)

φ(s).

A look behind Blast

φ ∧ ϕ

α1¬(φ ∨ ϕ)

¬φ¬ϕ

α2¬(φ ⇒ ϕ)

φ¬ϕ

φ ∨ ϕ

φ | ϕ.

β1¬(φ ∧ ϕ)

¬φ | ¬ϕ.

β2φ ⇒ ϕ

¬φ | ϕ.

8xφ(x)

φ(?t).

γ9xφ(x)

φ(s).

A look behind Blast

φ ∧ ϕ

α1¬(φ ∨ ϕ)

¬φ¬ϕ

α2¬(φ ⇒ ϕ)

φ¬ϕ

φ ∨ ϕ

φ | ϕ.

β1¬(φ ∧ ϕ)

¬φ | ¬ϕ.

β2φ ⇒ ϕ

¬φ | ϕ.

8xφ(x)

φ(?t).

γ9xφ(x)

φ(s).

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

¬((P → Q)→ (¬Q→ ¬P )) (1)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

¬((P → Q)→ (¬Q→ ¬P ))

(P → Q)

(2) α3 (1)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

¬((P → Q)→ (¬Q→ ¬P ))

(P → Q)

¬(¬Q→ ¬P )

(2) α3 (1)

(3) α3 (1)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

¬((P → Q)→ (¬Q→ ¬P ))

(P → Q)

¬(¬Q→ ¬P )

(2) α3 (1)

(4) β3 (2)

(3) α3 (1)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

(P → Q)

¬(¬Q→ ¬P )

¬((P → Q)→ (¬Q→ ¬P )) (1)

(2) α3 (1)

(4) β3 (2)

(5) α3 (3)

(6) α3 (3)

(3) α3 (1)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

(P → Q)

¬(¬Q→ ¬P )

(2) α3 (1)

¬((P → Q)→ (¬Q→ ¬P ))

(4) β3 (2)

(5) α3 (3)

(6) α3 (3)

(3) α3 (1)

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

(P → Q)

¬(¬Q→ ¬P )

(2) α3 (1)

(4) β3 (2)

(5) α3 (3)

(6) α3 (3)

¬((P → Q)→ (¬Q→ ¬P ))

(3) α3 (1)

¬QClash

F holds.

A look behind Blast

A simple example

Show: F := (P → Q) → (¬Q → ¬P)

F holds.

A look behind Blast

A more complex example

Show: F := 9y.(p(y) ∧ ¬q(y)) → 9z.(¬p(z) ∧ ¬q(z))

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z))) (1)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

(2) α3 (1)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

p(a) ∧ ¬q(a) (4) δ (2)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

p(a) ∧ ¬q(a) (4) δ (2)

p(a) (5) α1 (4)

¬q(a) (6) α1 (4)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

p(a) ∧ ¬q(a) (4) δ (2)

p(a) (5) α1 (4)

¬q(a) (6) α1 (4)

(7) γ (3)p(a) ∨ q(a)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

p(a) ∧ ¬q(a) (4) δ (2)

p(a) (5) α1 (4)

¬q(a) (6) α1 (4)

(7) γ (3)p(a) ∨ q(a)

q(a) (8) β1 (7)p(a)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

p(a) ∧ ¬q(a) (4) δ (2)

p(a) (5) α1 (4)

¬q(a) (6) α1 (4)

(7) γ (3)p(a) ∨ q(a)

q(a) (8) β1 (7)p(a)

F does not hold.

A look behind Blast

¬(∃y.(p(y) ∧ ¬q(y))→ ∃z.(¬p(z) ∧ ¬q(z)))

(∃y.(p(y) ∧ ¬q(y))

∀z.(p(z) ∨ q(z))

(2) α3 (1)

(3) α3 (1)

(4) δ (2)p(a) ∧ ¬q(a)

p(a) (5) α1 (4)

¬q(a) (6) α1 (4)

(7) γ (3)p(a) ∨ q(a)

q(a) (8) β1 (7)p(a)

I = ∆, ·I® ,∆ = {a}, pI = {a}, qI = ∅

Formula issatisfiable. Tableau

shows a model.

F does not hold.

A look behind Blast

F does not hold.

A look behind Blast

Demystify Blast

To understand blast actions toggle tracing for it:

( ML " set Blast.trace")

But not every proof is reconstructed by Blast!

If a proof by blast fails try clarify to see the problematic points

Managing Large Proofs

Subgoal Numbering

A problem in large proofs results from huge subgoals or many subgoals. If

each subgoal needs about 15 lines then prooving will become scrolling.

Isabelle offers some commands to cope with those situations:

By default Isabelle displays 10 subgoals.

pr n changes the limit to n subgoals

All methods apply to the first subgoal, sometimes you need to focus on

others subgoals first.

Commands defer or prefer let you cycle through the subgoals

defer n moves the nth subgoal into the last position

prefer n moves the nth subgoal into the first position

Subgoal Numbering

Tacticals and Control Structures

Large proofs can contain some regularity

Tacticals provide control structures which can be used to shorten the

Example

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

apply (drule mp)

apply (assumption)

apply (drule mp)

apply (assumption)

apply (drule mp)

apply (assumption)

Large proofs can contain some regularity

Tacticals provide control structures which can be used to shorten the

Example

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

apply (drule mp)

apply (assumption)

apply (drule mp)

apply (assumption)

apply (drule mp)

apply (assumption)

Isar provides simple control structures:

Applying rules in sequence by seperating them in a list, e.g.

apply (drule mp, assumption)

Suffixing a rule with symbol + expresses one or more repetitions

The symbol ? expresses zero or more repetitions

rule1/rule2 gives the effect of applying the rule1 first, and rule2 if

the latter fails

Define more complex tacticals by combining the operators, e.g.

apply (drule mp, (assumption|arith))+

Example . . . revisited

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

by (drule mp, assumption)+

the latter fails

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

the latter fails

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

the latter fails

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

the latter fails

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

the latter fails

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

Isars Limitations

Isar only has very few control structures that are not sufficient for big

automation tasks. Furthermore the control structures give an implicit

ordering to the rules, which can cause problems. To unleash the full power

of Isabelles inferences we have to delve into the Isabelle language.

We can use Isabelle code directly in Isar by enclosing it in {� �}. This

way we can now use the greater subtlety of Isabelle, whilst we stay in the

more user-friendly and human-readable world of Isar.

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

Corresponding tactic at the ML-Level

ML {* val MYTAC01 = REPEAT (FIRST[ mp tac 1, assume tac 1]) *}”Usage at the ISAR-Level:” apply (tactic MYTAC01)

Isars Limitations

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

Isars Limitations

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

Isars Limitations

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

Isars Limitations

lemma " [P → Q; Q → R; R → S; P] ⇒ S"

Tacticals the Isabelle-Style

Joining a list of tactics

tac1 THEN tac2 is the sequential composition of the two tactics.

tac1 ORELSE tac2 makes a choice between the two tactics.

Applied to a state, it tries tac1 and returns the result if

non-empty; if tac1 fails then it uses tac2.

EVERY and FIRST are block structured versions of THEN and

ORELSE.

EVERY [tac1, ..., tacn] abbreviates tac1 THEN . . . THEN tacn. It is

useful for writing a series of tactics to be executed in

sequence.

FIRST [tac1, ..., tacn] abbreviates tac1 ORELSE . . . ORELSE tacn. It

is useful for writing a series of tactics to be attempted one

after another.

Repetition tacticals

TRY tac applies tac to the proof state and returns the resulting

sequence, if non-empty; otherwise it returns the original state.

REPEAT tac applies tac to the proof state and, recursively, to each element

of the resulting sequence. The resulting sequence consists of those

states that make tac fail.

A predicate on theorems can test whether a proof state fullfills some

desired properties, e.g. has no subgoals. The main search procedures are

depth-first, breadth-first and best-first, and are provided as tacticals. They

generate the search tree by repeatedly applying a given tactic.

Filtering tactics results

FILTER p tac applies tac to the proof state and returns a sequence

consisting of those result states that satisfy p.

CHANGED tac applies tac to the proof state and returns precisely those

states that differ from the original state. Thus, CHANGED tac

always has some effect on the state.

Search strategies

DEPTH FIRST satp tac returns the proof state if satp returns true.

Otherwise it applies tac, then recursively searches from each

element of the resulting sequence.

DEPTH SOLVE tac uses DEPTH FIRST to search for states having no

subgoals.

. . . more search strategies like BREADTH FIRST, BEST FIRST,

DETERM, etc. pp. are available

Next Steps?

The classical reasoner relies on a set of rules (so called claset), that

can be fully customized to change his behaviour, e.g. to try another

search strategy or to use additional inference rules.

The domain specific language of Isabelle at the ML-Level supplies a

wellfounded foundation to start implementing your own

(semi)automated reasoner in Isabelle. If this doesn’t yet fullfill your

needs you can unleash the full power of ML.

Have a look at the more advanced proof language of Isar that is more

compliant to the way humans think when doing a proof.

Next Steps?

Other Classical Reasoning Methods in ISABELLE 1 Motivation 2 Tactics - Overview 3 Blast 4 Managing...

Documents

Transcript of Other Classical Reasoning Methods in ISABELLE 1 Motivation 2 Tactics - Overview 3 Blast 4 Managing...