Machine Checking Proof Theory: an application of logic to logic
Jeremy E Dawson and Rajeev Goré
Logic and Computation Group, College of Engineering and Computer Science, The Australian National University
rajeev.gore@anu.edu.au
ICLA 2009: Indian Conference on Logic and Applications
Outline
◮ Motivation
◮ Proof Theory: reasoning about derivations
◮ Problems with Proof Theory of Provability Logic GL
◮ Interactive Proof Assistants
◮ Method 1: Traditional Sequents Via Isabelle
◮ Method 2: Reasoning About Derivability Using Inductive Definitions
◮ Method 3: Explicitly Manipulating Derivations
◮ Machine-checked Mix Admissibility For GL
Motivation
◮ Proof Theory Is Error Prone
◮ Page Limits Force Shortcuts
◮ Many Similar Cases: “the other cases are similar”
◮ Subtle Errors, Often Easily Repairable
◮ Proofs Typically Proceed Via Structural Induction
◮ Interactive Proof Assistants Now Quite Mature
◮ Can We Machine Check Proof Theory?
An Oath: Since I have limited time
I will tell the truth
I may not tell the whole truth
But I won’t lie
So complain immediately if you see something blatantly incorrect!
Proof Theory: Purely Syntactic Calculi for L-Deduction
Γ: given finite “collection” of assumption L-formulae
A: given single L-formula
Γ ⊢_L A: L-formula A is L-deducible from assumptions Γ
Judgement: Γ ⊢_L ∆ where Γ and ∆ are “collections” of formulae
Calculus: a finite “collection” of rules built from judgements
Rule: a finite number of premises and a single conclusion
$$\frac{\Gamma_1 \vdash_L \Delta_1 \quad \cdots \quad \Gamma_n \vdash_L \Delta_n}{\Gamma_0 \vdash_L \Delta_0}\ \text{RuleName (Condition)}$$
Rule Reading: if the premises hold then the conclusion holds
Derivation of Γ ⊢_L ∆: finite tree of judgements with root Γ ⊢_L ∆, where parents are obtained from children by applying a rule
Notation: will omit L from now on
Examples of Rules of Some Existing Calculi
Calculus | Example Rule | Collection
LK | (→L) $\dfrac{\Gamma, B \vdash \Delta \quad \Gamma \vdash A, \Delta}{\Gamma, A \to B \vdash \Delta}$ | sets of formulae
GHPC | (→L) $\dfrac{\Gamma, B \vdash C \quad \Gamma, A \to B \vdash A}{\Gamma, A \to B \vdash C}$ | multisets + SOR
ND | ({.}.E) $\dfrac{\Gamma \vdash \{M\}K \quad \Gamma \vdash K}{\Gamma \vdash M}$ | multisets + SOR
NL | (\L) $\dfrac{\Delta \vdash A \quad \Gamma[B] \vdash C}{\Gamma[(\Delta, A \backslash B)] \vdash C}$ | trees with holes
DL | (→L) $\dfrac{\Gamma \vdash A \quad B \vdash \Delta}{A \to B \vdash (\ast\Gamma) \circ \Delta}$ | complex trees
Structure of Collections Is Significant
Structural Rules Using Multisets: the following rule is well-defined
$$\frac{\Gamma, A, A \vdash \Delta}{\Gamma, A \vdash \Delta}\ (\mathrm{Ctr}) \qquad \frac{p_0, p_0 \vdash q_0}{p_0 \vdash q_0}\ (\mathrm{Ctr})$$
Structural Lemma Using Multisets: the following lemma is well-defined
If Γ, A, A ⊢ ∆ is derivable then so is Γ, A ⊢ ∆
Sets: neither makes sense, because Γ ∪ {A} ∪ {A} ⊢ ∆ is the same sequent as Γ ∪ {A} ⊢ ∆
$$\frac{p_0, p_0 \vdash q_0}{p_0 \vdash q_0}\ (\mathrm{Ctr}) \quad\text{is just}\quad \frac{\{p_0\} \vdash \{q_0\}}{\{p_0\} \vdash \{q_0\}}\ \text{identity}$$
Applying A Rule: Example Derivation In Gentzen’s LK
Collections: sets (of formulae of first-order classical logic)
Id: every instance of Γ, p ⊢ p, ∆ is a derivation, and ...
Example: where Γ, A means “Γ set-union {A}”
$$\frac{\Gamma, A, B \vdash \Delta}{\Gamma, A \wedge B \vdash \Delta}\ (\wedge\vdash) \qquad \frac{\Gamma \vdash A, \Delta \quad \Gamma, B \vdash \Delta}{\Gamma, A \to B \vdash \Delta}\ (\to\vdash)$$
$$\frac{\dfrac{p_0 \vdash p_0, q_0 \quad p_0, q_0 \vdash q_0}{p_0, (p_0 \to q_0) \vdash q_0}\ (\to\vdash)}{p_0 \wedge (p_0 \to q_0) \vdash q_0}\ (\wedge\vdash)$$
Decidability: via the subformula property (for the propositional part)
Generalise: some measure decreases from conclusion to premises
Automated Deduction: use the rules backwards to find derivations
TABLEAUX: International Conference on Automated Reasoning with Analytic Tableaux and Related Methods (Oslo 2009)
But Most Uses of Proof Theory Are Meta-Theoretic
Consistency: ∅ ⊢_L A and ∅ ⊢_L ¬A are not both derivable
Disjunction Property: if ∅ ⊢_Int A ∨ B then ∅ ⊢_Int A or ∅ ⊢_Int B
Craig Interpolation: if Γ ⊢_L ∆ holds then so do Γ ⊢_L A and A ⊢_L ∆ for some formula A with Vars(A) ⊆ Vars(Γ) ∩ Vars(∆)
Normal Forms: is there a (unique) normal form for derivations?
Curry-Howard: do normal derivations correspond to well-typed terms of some λ-calculus?
Equality: when are two derivations of Γ ⊢_L A equivalent?
Relative Strengths: every derivation in ⊢_1 can be simulated by a polynomially longer derivation in ⊢_2
Typical Lemmas for Reasoning About Derivations
Identity: the judgement A ⊢ A is derivable for all A
Monotonicity: if Γ ⊢ ∆ is derivable then so is Γ, Σ ⊢ ∆
Exchange: if Γ, A, B ⊢ ∆ is derivable then so is Γ, B, A ⊢ ∆
Contraction: if Γ, A, A ⊢ ∆ is derivable then so is Γ, A ⊢ ∆
Inversion: if the conclusion of a rule instance is derivable then so are the corresponding premise instances
Cut-elimination (Cut-admissibility): if Γ ⊢ A, ∆ and Γ, A ⊢ ∆ are (cut-free) derivable then Γ ⊢ ∆ is cut-free derivable
$$\frac{\Gamma \vdash A, \Delta \quad \Gamma, A \vdash \Delta}{\Gamma \vdash \Delta}\ (\mathrm{cut})$$
Proof Theory Is Error-Prone: Provability Logic GL
Gödel-Löb logic: GL = K + □(□A → A) → □A
Solovay 1976: □A means “A is provable in Peano Arithmetic”
Leivant 1981: cut-elimination for a set-based sequent calculus
Valentini 1983: counter-example and new cut-elimination proof using an extra measure of “width” for set-based sequents
Moen 2001: claim that Valentini’s transformations don’t terminate if the sequents Γ ⊢ ∆ are based on multisets
Negri 2005: new cut-elimination proof using labelled formulae w : A
Mints 2005: new proof using traditional methods (draft)
RG and Ramanayake 2007: Moen is incorrect; Valentini’s proof using multisets and “width” is mostly okay (AiML 2008)
Not Isolated: many such examples exist in the literature
Interactive Proof Assistants
Examples: Mizar, HOL, Coq, LEGO, NuPrl, NqThm, Isabelle, λ-Prolog, HOL-Lite, LF, ELF, Twelf, ···
Implementation: typically based upon a typed λ-calculus, using a strongly typed functional programming language (ML) and higher order logic (hol)
Architecture (top to bottom): User → Proof General (user interface) → Isabelle (proof assistant) → λ-calculus: small core of (ML) code → (ML) compiler → machine code
Trust: rests on strong typing and a small core of (ML) code which is open to public scrutiny by experts
Proof Transcripts: can be cross-checked using other assistants
Logical Frameworks: Proof Via Backward Chaining
Operation: backward chaining on “propositions” (like Prolog)
Given a rule [β_1; β_2; ···; β_n] =⇒ α and a current goal β, compute θ = match(β, α) and replace the goal β by the new sub-goals β_1θ, β_2θ, ···, β_nθ
Matching: usually (associative-commutative) higher order
Assistant: keeps track of sub-goals and the current proof state
Object Logic: defines the syntax of α, β (propositions)
Meta Logic: determines the properties of “;” and “=⇒” (hol)
Method 1: Isabelle’s LK Object Logic (shallow embedding)
Syntax of Object Logic Sequents:
  prop     = sequence |- sequence
  sequence = elem (, elem)* | empty
  elem     = $id | $var | formula
  formula  = ~formula | formula & formula | ···
Sequent Rules Use the Meta Logic: [β_1; ···; β_n] =⇒ α
Example: [| $G |- $D,P ; $G,P |- $D |] ==> $G |- $D
$$\frac{\Gamma \vdash \Delta, P \quad \Gamma, P \vdash \Delta}{\Gamma \vdash \Delta}\ (\mathrm{cut})$$
Embedding: by encoding the horizontal bar as =⇒
Pros: can create and check specific derivations
Cons: cannot reason about arbitrary or all derivations
Method 2: Change Object Logic (deep embedding)
Object Logic: use hol expressions as props in [β_1; ···; β_n] =⇒ α
Formula Type in hol:
  fml = FC string (fml list)   (* fml connective *)
      | FV string              (* fml variable *)
      | PP string              (* prim prop *)
Example: FC "/\" [FV "A", PP "q"] encodes A ∧ q
Sequent Type: seq = fml multiset ⊢ fml multiset
Rule Type: inf = (seq list, seq)   (* ps / c *)
Define Basic Rule Instances: rli :: inf set
  ([G ⊢ {A} + D, G ⊢ {B} + D], G ⊢ {A ∧ B} + D) ∈ rli
which encodes
$$\frac{\Gamma \vdash A, \Delta \quad \Gamma \vdash B, \Delta}{\Gamma \vdash A \wedge B, \Delta}\ (\vdash\wedge) \quad\text{as}\quad \frac{G \vdash \{A\}+D \quad G \vdash \{B\}+D}{G \vdash \{A \wedge B\}+D}\ \text{rli}$$
Method 2: Reasoning About Derivability
Define Basic Rule Instances: rli :: inf set
  ([], G + {A} ⊢ {A} + D) ∈ rli
  ([G ⊢ {A} + D, G ⊢ {B} + D], G ⊢ {A ∧ B} + D) ∈ rli
  ···
Use Inductively Defined Sets for Reasoning About Derivability:
  derrec rli pms    “sequents derivable from pms using rli”
  dersrec rli pms   “sequent lists derivable from pms using rli”
Two Mutually Inductively Defined Sets:
  c ∈ pms =⇒ c ∈ derrec rli pms
  (ps, c) ∈ rli; ps ∈ dersrec rli pms =⇒ c ∈ derrec rli pms
  [] ∈ dersrec rli pms
  c ∈ derrec rli pms; cs ∈ dersrec rli pms =⇒ c # cs ∈ dersrec rli pms
Derivability From Fixed Premises pms Using rli
  c ∈ pms =⇒ c ∈ derrec rli pms
  (ps, c) ∈ rli; ps ∈ dersrec rli pms =⇒ c ∈ derrec rli pms
  [] ∈ dersrec rli pms
  c ∈ derrec rli pms; cs ∈ dersrec rli pms =⇒ c # cs ∈ dersrec rli pms
[Figure: each clause drawn as a tree growing from the premise set {pms_1, ···, pms_n}: a dersrec tree with leaves [p_1, ···, p_k] sitting above a rule instance (ps, c) ∈ rli to give a derrec tree with root c; and a derrec tree with root c beside a dersrec tree with roots [c_1, ···, c_m], combined into a dersrec tree with roots [c, c_1, ···, c_m].]
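Added example (not from the slides or the authors’ Isabelle development): Method 2’s deep embedding written out in Python so the constructions can be run. Formulas use the slide’s FC / PP constructors (the schematic FV is omitted because rule instances here are fully instantiated); sequents are pairs of multisets, represented as canonically sorted tuples so that Γ, A, A and Γ, A stay distinct, as the “Structure of Collections” slide requires; rule_instances plays the role of rli for a propositional ∧, →, ¬ fragment read backwards, as the “Applying a Rule” slide suggests; prove is the backward proof search; derrec is a checker that mirrors the inductive definition; and weaken is the monotonicity lemma carried out as a transformation of an explicit derivation tree, the Method 3 viewpoint. The rule set, the function names and the example sequents are this example’s own choices, not the paper’s.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union


@dataclass(frozen=True)
class PP:            # primitive proposition (the slide's PP string)
    name: str


@dataclass(frozen=True)
class FC:            # connective applied to arguments: FC("/\\", (A, B)) is A ∧ B
    op: str
    args: Tuple["Fml", ...]


Fml = Union[PP, FC]

def And(a: Fml, b: Fml) -> Fml: return FC("/\\", (a, b))
def Imp(a: Fml, b: Fml) -> Fml: return FC("->", (a, b))
def Neg(a: Fml) -> Fml: return FC("~", (a,))

# A multiset is a canonically sorted tuple: Γ,A,A and Γ,A are distinct (unlike sets),
# and two multisets are equal exactly when they hold the same formulas with the same counts.
Multiset = Tuple[Fml, ...]
Seq = Tuple[Multiset, Multiset]      # (antecedent, succedent), i.e. Γ ⊢ Δ

def ms(*fs: Fml) -> Multiset:
    return tuple(sorted(fs, key=repr))

def plus(m: Multiset, *fs: Fml) -> Multiset:      # Γ + {A, ...}
    return ms(*m, *fs)

def minus(m: Multiset, f: Fml) -> Multiset:       # remove exactly one copy of f
    rest = list(m)
    rest.remove(f)
    return ms(*rest)


def rule_instances(c: Seq):
    """All (rule name, premises) with (premises, c) in rli, i.e. the rules read backwards.
    Every instance drops one connective from c, so backward search terminates."""
    G, D = c
    out = [("Id", ()) for A in set(G) if A in D]             # G + {A} ⊢ {A} + D
    for A in (A for A in set(G) if isinstance(A, FC)):
        G0, a = minus(G, A), A.args
        if A.op == "/\\": out.append(("/\\L", ((plus(G0, *a), D),)))
        elif A.op == "->": out.append(("->L", ((G0, plus(D, a[0])), (plus(G0, a[1]), D))))
        elif A.op == "~": out.append(("~L", ((G0, plus(D, a[0])),)))
    for A in (A for A in set(D) if isinstance(A, FC)):
        D0, a = minus(D, A), A.args
        if A.op == "/\\": out.append(("/\\R", ((G, plus(D0, a[0])), (G, plus(D0, a[1])))))
        elif A.op == "->": out.append(("->R", ((plus(G, a[0]), plus(D0, a[1])),)))
        elif A.op == "~": out.append(("~R", ((plus(G, a[0]), D0),)))
    return out


@dataclass(frozen=True)
class Der:           # an explicit derivation tree, the object Method 3 manipulates
    rule: str
    concl: Seq
    prems: Tuple["Der", ...]

def assume(c: Seq) -> Der:       # leaf taken from the fixed premise set pms
    return Der("pms", c, ())


def prove(c: Seq) -> Optional[Der]:
    """Backward proof search: a derivation of c from no premises, or None."""
    for name, prems in rule_instances(c):
        subs = []
        for p in prems:
            d = prove(p)
            if d is None:
                break
            subs.append(d)
        else:                                   # every premise was derivable
            return Der(name, c, tuple(subs))
    return None


def derrec(d: Der, pms: FrozenSet[Seq] = frozenset()) -> bool:
    """Checker mirroring the inductive definition: d.concl is in pms, or
    (conclusions of the sub-derivations, d.concl) is in rli and every sub-derivation checks."""
    if d.rule == "pms":
        return d.concl in pms
    want = tuple(p.concl for p in d.prems)
    ok = any(n == d.rule and ps == want for n, ps in rule_instances(d.concl))
    return ok and all(derrec(p, pms) for p in d.prems)


def weaken(d: Der, S: Multiset) -> Der:
    """Monotonicity as a derivation transformation (structural induction on d):
    add S to every antecedent; each node stays a rule instance, so derrec still holds."""
    G, D = d.concl
    return Der(d.rule, (plus(G, *S), D), tuple(weaken(p, S) for p in d.prems))


p0, q0 = PP("p0"), PP("q0")
EXAMPLE: Seq = (ms(And(p0, Imp(p0, q0))), ms(q0))   # the slide's  p0 ∧ (p0 → q0) ⊢ q0

if __name__ == "__main__":
    d = prove(EXAMPLE)
    print(d.rule, [p.rule for p in d.prems], derrec(d))   # /\L ['->L'] True
    print(derrec(weaken(d, ms(q0))))                      # True
```

On the slide’s example the search returns the same two-rule derivation, (∧⊢) over (→⊢) over two Id leaves. prove returns None for p0 ⊢ q0, and a hand-built Der that claims Id at the root of the example is rejected by derrec: that rejection is exactly the check the inductive definition buys over the shallow embedding of Method 1, where a derivation can be built but not inspected.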