Systematic Assertion Level Tableau - Soundness and Completeness

7.2 Soundness and Completeness

7.2.3 Systematic Assertion Level Tableau

In this section, we define a special calculus which is close to the assertion level and show its completeness. The main difference to the systematic block tableau defined above is that several decomposition steps are performed in a row, but only a copy of the top-level formula is kept. This will give us exactly our assertion level derivations, where each such sequence can be replaced by a derived rule. Due to the fact that formulas have been skolemized beforehand, there are no issues concerning the δ-rule. However, let us point out that if the skolemization is performed at runtime, a liberalized version of the δ-rule (see [BHS93]) is needed, as the following example illustrates.

Example 7.2.14. The following example illustrates the importance of the liberalization of the δ-rule. Because we do not keep intermediate formulas, the following proof cannot be performed at the assertion level without the liberalization of the δ-rule

P (c, a),_{∀y.P (c, y) ⊢ P (c, a)} ∀y.P (c, y) ⊢ P (c, a) P (c, b),_{∀y.P (c, y) ⊢ P (c, b)} ∀y.P (c, y) ⊢ P (c, b) ∀y.P (c, y) ⊢ P (c, a) ∧ P (c, b) ∀y.P (c, y) ⊢ ∃z.P (z, a) ∧ P (z, b) ∃x.∀y.P (x, y) ⊢ ∃z.P (z, a) ∧ P (z, b)

Removing the intermediate formula _{∀y.P (c, y) requires the expansion of the formula} ∃x.∀y.P (x, y) twice. However, in order to close both branches the same parameter for x is needed. The liberalized δ-rule allows for the following proof2_:

P (c, a)_{⊢ P (?z, a)} ∀y.P (c, y) ⊢ P (?z, a) ∃x.∀y.P (x, y) ⊢ P (?z, a) P (c, b)_{⊢ P (?z, b)} ∀y.P (c, y) ⊢ P (?z, b) ∃x.∀y.P (x, y) ⊢ P (?z, b) ∃x.∀y.P (x, y) ⊢ P (?z, a) ∧ P (?z, b) ∃x.∀y.P (x, y) ⊢ ∃z.P (z, a) ∧ P (z, b)

In particular, the liberalized δ-rule ensures that a single parameter is used for the same formula.

Even with skolemized formulas, there is still the problem of producing all possible instances for the γ-rules of a branch in a systematic way. Suppose first the case that all quantifiers are at top-level. In this case, a suitable enumeration of all possible terms can be achieved by the use of the Cantor pairing function3_.

Definition 7.2.15 (Cantor Pairing Function).

π(k): Nk₀ → N0, π(1)(x) = x, π(n)(x) = π(π(n−1)(k1, . . . , kn−1), kn) (7.6)

where

π(k1, k2) =

2(k1+ k2)(k1+ k2 + 1) + k2 (7.7) The Cantor pairing function visits all points of the Nk _{in a systematic way, as illus-}

trated in Figure 7.3 for the case k = 2. The Cantor pairing function is invertible:

Theorem 7.2.16 (Invertibility). The Cantor pairing function is invertible. Its inverse is given by the function

π(k)−1 : N→ Nk _(7.8)

The ith component of the inverse is denoted by

π_i(k): N_{→ N} (7.9)

Note that instead of using the meta-variable, we can also directly use c as the skolem constant is local to the formula

as in the proof of reducing the denumerability of N2

0 1 2 3 0 1 2 3 b b b b b b b b b b b

Figure 7.3: Illustration of the Cantor pairing function for k = 2 which is defined by πi(k)= pr (k) i ◦ π(k)−1 (7.10)

where is the ith projection: pr_i(k)(x1, . . . , xk) = xi.

For the systematic assertion level tableau, each formula on the tableau is labeled with an integer. In addition, there are distinguished formulas, called focused formula, denoted by F , which are never duplicated and need to be fully processed before another formula on the branch can be expanded. The only purpose of the focus is to avoid to copy the formula in the case of γ formulas. The more complex enumeration of terms is incorporated by labeling focused formulas with a triple (i, j, k). Intuitively, i corresponds to the number instances that have already been produced for a given assertion, j_{−1 to the quantifiers that} have already been processed while the formula was in the focus, and k the overall number of the γ-quantifiers of the assertion which keeps unchanged during the processing. The purpose of the last two components is to select the corresponding enumeration function and projection. We illustrate the enumeration process with an example:

Example 7.2.17. Figure 7.3 illustrates the systematic enumeration of all pairs of integers graphically, as generated by the Cantor pairing function.

k1 k2 π(k1, k2) π(2)−1_(π(k 1, k2)) 0 0 0 (0, 0) 1 0 1 (1, 0) 0 1 2 (0, 1) 2 0 3 (1, 1)

π(2)−1_{: (0, 0), (1, 0), (0, 1), (2, 0). For a formula} _{∀x.∀y.P (x, y) this results in the}

following derivation under the ordering ξ(0) = a, ξ(1) = b: ∀x.∀y.P (x, y)

∀x.∀y.P (x, y), ∀x.∀y.P (x, y) ∀y.P (a, y), ∀x.∀y.P (x, y)

P (a, a),∀x.∀y.P (x, y)

P (a, a),∀x.∀y.P (x, y), ∀x.∀y.P (x, y) P (a, a),_{∀x.∀y.P (x, y), ∀x.∀y.P (x, y)}

P (b, a),_{∀y.P (a, y), ∀x.∀y.P (x, y)}

(0,1,2) (0,2,2) (0,3,2) (1,1,2) (1,2,2) (1,3,2)

Definition 7.2.18 (Systematic Assertion Level Tableau). Let ξ be a mapping from N0

The systematic assertion level tableau sequence of S w.r.t. π is the following sequence _T of tableau for S:

• The one-node tableau T0 with root S where each formula is labeled with the number

0 is an element of T .

• If Tnis the n-th element inT , let N be the leftmost leaf of Tnwhich is not atomically

closed, i.e. does not contain complementary literals. – If no formula attached to N is focused, i.e.,

N = l1, . . . , ln, G1, . . . , Gm (7.11)

focus the leftmost non-literal by expanding the node N to

l1, . . . , ln, G1, G2, . . . , Gn, G1 (7.12)

where G1 gets the label (i, 1, k) if G1 has label i, where k denotes the number

of γ-quantifiers in G1. In addition, add a copy of the formula G1 at the end of

the sequence and assign the label i + 1 to it. If all formulas are literals, then stop.

– Otherwise the block attached to N is of the form

l1, . . . , ln, G1, G2, . . . , Gm (7.13)

where li are literals (i.e. G1 is the leftmost formula which is not a literal). Now

expand N as follows:

1. if G1 is of type α with label (i, j, k), extend N by the node

l1, . . . , ln, α1, α2, G2, . . . , Gn (7.14)

where both αi have label (i, j, k).

2. if G1 is of type β with label (i, j, k), extend N by the following two branches:

l1, . . . , ln, β1, G2, . . . , Gm | l1, . . . , ln, β2, G2, . . . , Gm (7.15)

where βi have label (i, j, k).

3. if G1 is of type γ, then extend N by the node

l1, . . . , ln, γ(ξ(π(j)i (k))), G2, . . . , Gm (7.16)

where (i, j, k) is the label of G1, γ(ξ(π(j)i (k))) has label (i, j + 1, k).

4. if G1 is of type δ, then extend N by the node

l1, . . . , ln, δ(c), G2, . . . , Gm (7.17)

where c is the skolem constant corresponding to the formula δ. Remove all foci on literal formulas.

Figure 7.4 summarizes the rules graphically, where the context Γ is used to collect literal formulas. Moreover, we allow the instantiation with any ground term t in the γ-rule, but require that all terms are eventually generated.

Γ; α, S α1, α2, S

Γ; β, S Γ; β1, S | Γ; β2, S

Γ; γ, S

Γ; γ(t) for any ground term t

Γ; δ, S Γ; δ(fδ), S Γ; s1, S Γ, s1; S s1 atomic,¬s1 ∈ Γ/ Γ; s1, S s1 atomic,¬s1 ∈ Γ Γ; s1, S Γ; s1, S, s1

Figure 7.4: Assertion Level Tableau

Definition 7.2.19 (Saturated systematic assertion level tableau). Let _{T be a systematic} block tableau sequence for a set of first order formulas S. With T∗ _{we denote the smallest}

tree containing all tableau T as initial segments; T∗ _{is called a saturated systematic}

assertion level tableau for S.

As before, we can show that each assertion is considered infinitely many often in an open branch:

Lemma 7.2.20 (Fairness Systematic Assertion Level Tableau). Let B be an open branch of a saturated systematic assertion level tableau and. Let N be a node of B and F be a non-atomic formula of the block of N . Then the assertion corresponding to F occurs infinitely many often as first formula on the branch B.

Proof. For the case that F is unfocused, the proof is similar to the proof of Lemma 7.2.9. The interesting case is that F is already focused. Then consider the first focus step above N , which focuses a formula F′_{. F is a subformula of F}′ _{and N contains a copy of F}′_{, and}

F′ _{is copied by the focusing step.}

What remains to be shown to be able to reuse the completeness argument of the block tableau is to show that there is an open branch that is a Hintikka set. In the case of a systematic assertion level tableau, this is also the case if all quantifiers are at top-level, which can always be achieved by transformation rules and in which the completeness proof from the previous section can be reused. However, for general assertions, this needs not necessarily be the case, as the following example shows:

Example 7.2.21. Consider the proof attempt of a formula δ using the assertion φ := (_{∀x.Q(x)) ∨ (∀z.P (z)), as shown below. Every branch is open. However, by selecting the} left branch at the first branching, the right branch at the second branch, and then always the left branch for subsequent branchings we obtain an open branch which is not a Hintikka set, as it contains _{∀z.P (z) but not all instances of it.}

... Q(a),∀x.Q(x), ϕ ⊢ δ ... Q(a),∀z.P (z), ϕ ⊢ δ Q(a),∀x.Q(x) ∨ ∀z.P (z), ϕ ⊢ δ Q(a), ϕ_{⊢ δ} ∀x.Q(x), ϕ ⊢ δ ... P (a), ϕ_{⊢ δ} ∀z.P (z), ϕ ⊢ δ ∀x.Q(x) ∨ ∀z.P (z), ϕ ⊢ δ ∀x.Q(x) ∨ ∀z.P (z) ⊢ δ

Definition 7.2.22 (Assertion). Let F be a formula. Then F is called assertion if it does not contain a subformula of type β that contains a γ quantifier.

Remark 7.2.23. Note that all formulas can always be transformed to an equivalent form in which they satisfy the assertion property.

Lemma 7.2.24. For any open branch B of a saturated systematic assertion level tableau for S, where each s ∈ S is an assertion. Then the set of formulas on B is a Hintikka set. Proof. Let B be an open branch on which F occurs, say on node N . Without loss of generality we can assume that F is the first focused formula on N (Lemma 7.2.20).

1. F is of type α. If F is the first focused formula, then its successor N′ is of the form (7.14), and both αi occur on N′.

2. F is of type β. If F is the first focused formula, then its successor N′ is of the form (7.14), and either β1 or β2 occurs on N′.

3. F is of type δ. If F is the first focused formula, then its successor N′ _{is of the form}

(7.17) and δ(c) is on B for some c.

4. F is of type γ. Then the assertion F′ _{corresponding to F occurs infinitely many}

often on B. Moreover, as no γ-formulas are β-related, they always appear on the same branch.

Theorem 7.2.25 (Completeness of Systematic Assertion Level Tableau). If S is an unsatisfiable set of assertions. Then there exists a finite atomically closed systematic assertion level tableau for S.

Proof. As the proof of Theorem 7.2.12.

By construction, a systematic assertion level tableau automatically constructs an assertion level derivation.

Theorem 7.2.26 (Assertion Level Derivation). Let S1, . . . , Sn be assertions and G be a

conjecture to be shown. Let Π be a systematic assertion level derivation for¬G, S1, . . . , Sn.

Then Π is an assertion level derivation.

Proof. By induction over the length of the derivation.

Moreover, it is now easy to replace each focused derivation by a rule application of the corresponding assertion. While the goal in the presentation above is also treated like an assertion, it is also possible to restrict the focusing to assumptions and to treat the goal separately and to switch between assertion applications and rule applications on the remaining formulas. As long as fairness is guaranteed, our considerations above remain valid.

Remark 7.2.27. Each focused derivation can be seen as the application of a new inference rule to which it corresponds. Within our setting above, we required an assertion to be always decomposed completely. This way we obtain a maximal caching of such derivations in inferences. Note however that stopping the decomposition earlier does not destroy completeness, as long as the formulas are further decomposed later.

We now want to go one step further and consider the typical case that a consistent theory of assertions is given, where consistency is defined as follows:

Definition 7.2.28 (Consistency). Let Γ be a set of formulas. Γ is called consistent if there is no formula ϕ such that Γ _{⊢ ϕ and Γ ⊢ ¬ϕ.}

The question we want to explore next is whether we can further restrict the application of assertions. The following theorem establishes a connection between a goal literal G and a consistent set of formulas Γ:

Theorem 7.2.29 (Existence of positive subformulas). Let Γ be a consistent set of formulas, let G be a literal and let Γ⊢ G be provable. Then there exists a positive occurrence of G in Γ.

Proof. Let Π1 be a proof of Γ ⊢ G. Every axiom in Π1 is of the form Γ, A ⊢ A, ∆ for

some proposition A. Suppose that Γ does not contain a positive occurrence of G. Let Π2

be a partial derivation involving formulas of Γ followed by the application of the axiom rule. As G does not occur as positive occurrence of G, Π2 will not generate the literal G

on the left-hand side of the sequent. Thus G is not used within the axiom rule. We can therefore obtain a proof Π′ _{in which all occurrences of G on the right-hand side have been}

replaced by ¬G. However, this contradicts the assumption that Γ is consistent.

The property means always an inference rule where some conclusion is instantiated is applicable, i.e., that we can require that at least one inference node is instantiated.

7.3 Summary

In this chapter we gave a proof theoretic characterization of assertion level derivations by introducing the notion of a systematic assertion level tableau and showed soundness and completeness with respect to first order logic (Contribution A1(ii), Section 1.1). The relation between assertion level derivations and block tableaux has not been studied before and shows that for the first order fragment redundancy can be avoided by committing to assertion level operations. Moreover, it identifies the assertion level to be a rather calculus independent layer.

8

Proof Plans

The organization of the proof search on top of a calculus is an essential task in the design of a powerful theorem proving system. To combine interaction and automation into a synergetic interplay and to bridge the gap between abstract level proof explanation and low-level proof verification, we provide an abstract proof data structure to maintain a proof attempt, including possible alternatives, called a proof plan. Alternatives can be both horizontal and vertical : Horizontal alternatives correspond to different reductions of a proof state, while vertical alternatives correspond to a subproof of a step at a different level of granularity. The explicit support of hierarchies, gaps and their refinement, as well as the information how to refine gaps, and the handling of meta-variables are the features that distinguish proof plans from other proof representations.

To communicate proof plans to the user, we exploit the relationship between proof plans and declarative proof scripts by the possibility to render a particular alternative of a proof plan as a declarative proof script. Similarly, we use underspecified declarative proof scripts as input representation for proof plans and show how they can be refined automatically.

Our proof language combines features of Mizar and Isar, with the difference that meta-variables are supported. This has the advantage that also proof plans that have been generated automatically can be translated into proof scripts. Moreover, we will extend the language later to support the specification of reasoning procedures and annotated inferences as a means to extend and adapt the power of the underlying system at runtime. This will result in a declarative proof language that fully supports the document-centric approach.

8.1 Textbook Proofs, Proof Plans, and Declarative

Proofs

Before turning to the details of our approach, let us motivate the concepts by the cor- respondence between textbook proofs, proof plans, and declarative proof scripts. The following example is a textbook proof reproduced from [BS82]:

Proof. Let x be an element of A_{∩ (B ∪ C), then x ∈ A and x ∈ B ∪ C. This means that} x_{∈ A, and either x ∈ B or x ∈ C. Hence we either have (i) x ∈ A and x ∈ B, or we have} (ii)x ∈ A and x ∈ C. Therefore, either x ∈ A ∩ B or x ∈ A ∩ C, so x ∈ (A ∩ B) ∪ (A ∩ C). This shows that A _{∩ (B ∪ C) is a subset of (A ∩ B) ∪ (A ∩ C). Conversely, let y be} an element of (A_{∩ B) ∪ (A ∩ C). Then, either (iii) y ∈ A ∩ B, or (iv) y ∈ A ∩ C. It} follows that y ∈ A, and either y ∈ B or y ∈ C. Therefore, y ∈ A and y ∈ B ∪ C so that y_{∈ A ∩ (B ∪ C). Hence (A ∩ B) ∪ (A ∩ C) is a subset of A ∩ (B ∪ C). In view of Definition} 1.1.1, we conclude that the sets A_{∩ (B ∪ C) and (A ∩ B) ∪ (A ∩ C) are equal.}

From a formal point of view, the proof consists of a sequence of statements that are hierarchically structured. For example, the main statement A_{∩(B∪C) = (A∩B)∪(A∩C)} is proved in two blocks, one for each set inclusion. Within a declarative proof language, these hierarchical structures are made explicit. Indeed, it is not difficult to translate this textbook proof to a (partial) declarative proof script, as shown on the left in Figure 8.1. Within the figure, the hierarchical structure is visualized by indentation. The partiality of the proof script results from the fact that information that is needed for a (formal) verification is still missing, even though the proof is already very detailed. This leads to the notion of a proof sketch (see [Wie04]) or a proof plan1_{. Here, we want to understand a}

proof plan as a data structure that supports the representation of proof outlines including gaps, as well as their mechanization, that is their refinement. Proof plans are directed, acyclic graphs, consisting of nodes representing the current context, and justifications, representing proof commands. Thus, declarative proof scripts can be seen as a particular rendering of a proof plan. In particular, it is easy to generate a proof plan from a declarative proof script. Figure 8.1 shows on the right the proof plan corresponding to the example proof script. In the proof plan, each hierarchy corresponds to a tree in a forest, which are linked together via forest edges (indicated by the dotted lines). Note that it would also be possible to represent a proof script as a single tree; however, we found the separate management of independent blocks in independent trees convenient. Even though proof plans and proof scripts are quite similar, let us stress the main advantages of proof plans over proof scripts:

• In a proof plan, the available context is made explicit.

• In a proof plan, each proof state is enriched with additional contextual information, such as labels for terms, or annotations such as needed for Rippling [BBHI03]. • The verification of reductions can be postponed, resulting in proof gaps. This allows

the integration of external systems, such as computer algebra systems.

• Proof plans can represent multiple proof attempts in parallel, as well as on different levels of granularity. Thus, it is possible to represent the initial proof plan as well as its expanded form which can all be verified within one data structure.

• Proof plans support asynchronous proof checking.

In this sense, a proof plan is used for processing of declarative proof scripts, while a declarative proof script is used as input and output representation. Let us point out that by exploiting the relationship between declarative proof scripts and proof plans, it

Note that within the interactive setting, the proof plan is not generated automatically by a proof planner, but manually written by a human. Historically, proof plans were developed before declarative proof scripts.

theorem A_{∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C)} proof assume x_{∈ A ∩ (B ∪ C)} x_{∈ A ∧ (x ∈ B ∨ x ∈ C)} (x∈ A ∧ x ∈ B) ∨ (x ∈ A ∧ x ∈ C) (x_{∈ A ∩ B) ∨ (x ∈ A ∩ C)} thus x_{∈ (A ∩ B) ∪ (A ∩ C)} A∩ (B ∪ C) ⊂ (A ∩ B) ∪ (A ∩ C) assume y_{∈ (A ∩ B) ∪ (A ∩ C).} y_{∈ A ∩ B ∨ y ∈ A ∩ C.} y∈ A ∧ (y ∈ B ∨ y ∈ C) y∈ A ∧ y ∈ B ∪ C thus y_{∈ A ∩ (B ∪ C)} (A∩ B) ∪ (A ∩ C) ⊂ A ∩ (B ∪ C) qed by Definition 1.1.1 Γ⊢ ∆ have ϕ _{⊢ ∆} have Γ1 ⊢ ∆ have Γ3 ⊢ ∆ qed Γ_{⊢ ∆} assume ϕ_{⊢ ∆} have Γ1 ⊢ ∆ assume Γ2 ⊢ ∆ have Γ3 ⊢ ∆ qed Γ⊢ ∆ have ϕ_{⊢ ∆} have Γ1 ⊢ ∆ have Γ3 ⊢ ∆ qed

Figure 8.1: Partial declarative proof script obtained from the textbook proof will become possible to synthesize declarative proof scripts from proof plans that have been constructed automatically. This is in particular useful in combination with our abstract assertion level reasoning, as the individual proof steps will be of an appropriate granularity, keeping the proof scripts readable.

In document Assertion level proof planning with compiled strategies (Page 142-153)