Content uploaded by David Greve

Author content

All content in this area was uploaded by David Greve on Jan 07, 2015

Content may be subject to copyright.

Automated Reasoning With Quantiﬁed Formulae

David Greve

Rockwell Collins Advanced Technology Center

Cedar Rapids, IA

dagreve@rockwellcollins.com

ABSTRACT

ACL2 allows users to deﬁne predicates whose logical be-

havior mimics that of universally or existentially quantiﬁed

formulae. Proof support for such quantiﬁcation, however,

is quite limited. We present an ACL2 framework that em-

ploys tables, computed hints and clause processing to iden-

tify quantiﬁed formulae and to skolemize or instantiate them

when possible. We demonstrate how the framework can be

used to prove automatically the forall-p-append example

presented in the ACL2 documentation.

Categories and Subject Descriptors

F.4.1 [Mathematical Logic]: Mechanical Theorem Prov-

ing

General Terms

Quantiﬁcation

Keywords

ACL2, Skolemization, Instantiation

1. QUANTIFICATION IN ACL2

Quantiﬁcation in ACL2 is a second class citizen in a ﬁrst

order world. It suﬀers from deﬁciencies in both expression

and reasoning support. ACL2 is commonly referred to as

being “quantiﬁer-free” in deference to the fact that the logic

of ACL2 does not include explicit quantiﬁcation constructs.

Rather, ACL2 exploits that fact that it is possible to use a

choice principle in conjunction with the deﬁnitional princi-

ple to introduce a predicate whose logical behavior mimics

that of a quantiﬁed formula. This approach, however, pre-

cludes the introduction of locally quantiﬁed formulae dur-

ing function or theorem deﬁnition and makes it diﬃcult to

mix quantiﬁcation and recursion[4]. There is no support for

automated reasoning about quantiﬁed formulae built in to

ACL2, a condition exacerbated by the lack of explicit quan-

tiﬁcation constructs. Because quantiﬁcation is necessarily

hidden in the properties of various function symbols, it is

very diﬃcult for a user to examine a failed proof attempt

and discern how quantiﬁed formulae might be manipulated

to achieve a desired result. Over the years such factors have

conspired to help ensure that the majority of ACL2 proof

eﬀorts remain quantiﬁer-free.

ACL2 does, however, provide a number of means by which

suﬃciently motivated users may soundly extend the rea-

soning power of the system without modifying the trusted

core. In this paper we discuss how tables, computed hints

and clause processing have been combined to construct a

reasoning infrastructure that enables ACL2 to identify and

automatically skolemize or instantiate quantiﬁed formulae

appearing in the goal of a proof eﬀort. We demonstrate

how the framework can be used to prove automatically the

forall-p-append example presented in the ACL2 documen-

tation and suggest some possible future enhancements.

2. INTRODUCTION

The macro defun-sk may be used to introduce a quantiﬁed

formula in ACL2. Note that, as in this case, quantiﬁed

formulae in ACL2 may have formal parameters in addition

to quantiﬁed variables.

(defun-sk forall-p (x)

(forall (a) (implies (member a x) (p a))))

Under the hood this macro generates a sequence of ACL2

events. The ﬁrst is a defchoose event that employs a choice

principle to witness the function (forall-p-witness x) with

the property that, if there is a value for athat makes the

predicate (implies (member a x) (p a))) false, this func-

tion will too. This function symbol is then employed as

the quantiﬁed variable in the deﬁnition of the (forall-p x)

predicate. The ﬁnal theorem, in this case forall-p-necc,

is the quantiﬁcation theorem which captures the logical be-

havior of the quantiﬁed formula.

(defchoose forall-p-witness (a) (x)

(not (implies (member a x) (p a))))

(defun forall-p (x)

(let ((a (forall-p-witness x)))

(implies (member a x) (p a))))

(defthm forall-p-necc

(implies (forall-p x) (implies (member a x) (p a))))

The procedure for existential quantiﬁers is similar except

that the hypothesis and conclusion of the resulting quantiﬁ-

cation theorem are swapped. Note that because defun-sk

is a top-level event (actually a sequence of events) it cannot

be used to introduce quantiﬁcation in the body of a function

or theorem deﬁnition.

Instantiation is the name given to the process of deriving a

new formula from a universally quantiﬁed formula by replac-

ing each occurrence of a quantiﬁed variable with a speciﬁc

instance. In ACL2, instantiation is performed by way of a

:use hint applied to the quantiﬁcation theorem governing

the behavior of the terms involved.

(defthm instantiation-example

(implies

(and (forall-p y) (member b y)) (p b))

:hints (("Goal" :use (:instance forall-p-necc

(x y) ;; Formal Parameter

(a b))))) ;; Quantifier Instantiation

Skolemization, as implemented in this library, is the process

of deriving a new formula from a quantiﬁed formula by re-

placing each occurrence of the quantiﬁed variable with a new

variable that is free in the current context. Since quantiﬁed

variables already appear as function symbols in ACL2, what

we call skolemization is actually just generalization. Our

implementation of skolemization is sound for any quantiﬁed

formula but it is typically used only to simplify existentially

quantiﬁed formulae.

The sense in which a quantiﬁed formula appears in the goal,

either true or negated, is important. Negated existentially

quantiﬁed formulae in the hypothesis act like universally

quantiﬁed formulae in that they may be soundly instanti-

ated. Negated universally quantiﬁed formulae in the hypoth-

esis, however, are susceptible only to skolemization. The

converse is true for quantiﬁed formulae in the conclusion.

3. IDENTIFICATION

Consider the results of a failed proof in which the universally

quantiﬁed formula forall-p is a hypothesis.

ACL2 !> (defthm forall-p-proof

(implies (forall-p y) (implies (member b y) (p b))))

Subgoal 2

(IMPLIES

(AND (NOT (MEMBER (FORALL-P-WITNESS Y) Y))

(MEMBER B Y)) (P B))

Subgoal 1

(IMPLIES

(AND (P (FORALL-P-WITNESS Y))

(MEMBER B Y)) (P B))

Evident in this example are several of the challenges that

must be overcome in order to automate reasoning about

quantiﬁcation in ACL2. The ﬁrst challenge is recognizing

speciﬁc quantiﬁed predicates. Each quantiﬁed predicate is

associated with a unique witness function that is used in

place of the quantiﬁed variable. In forall-p the function

(forall-p-witness Y) replaces the quantiﬁed variable A.

Then quantiﬁed predicates must be recognized from their

constituent components. The structure of a quantiﬁed for-

mula is likely to change dramatically under simpliﬁcation.

In this case, the (member a x) portion of the quantiﬁed

formula appears in Subgoal 2 while the (p a) portion ap-

pears in Subgoal 1. The fact that each subgoal implicitly

contains (forall (a) (implies (member a x) (p a))) as

a hypothesis is not at all obvious from casual observation.

Finally, the polarity (either true or negated form) of the

quantiﬁed predicate must be established. While the appear-

ance of a quantiﬁcation witness is often an indication of

the presence of a quantiﬁed formula, the witness itself does

not establish the polarity in which the quantiﬁed formula

appears. This is important because the polarity of the for-

mula determines whether it is susceptible to instantiation or

skolemization.

Overcoming each of these challenges requires intimate knowl-

edge of the various quantiﬁed predicates that might be present

in a goal. Automating this process requires that this knowl-

edge be available dynamically at proof time. To solve this

problem we employ ACL2 tables. Tables allow us to store

information in the ACL2 logical world from the time the

quantiﬁcation is introduced to the time it is used in a sub-

sequent proof eﬀort. Additionally, tables are available to

computed hints so the information can be queried dynami-

cally as the proof progresses.

The framework that we have developed records informa-

tion about quantiﬁed formulae at the time of their creation

through a macro called def::un-sk which is a wrapper around

ACL2’s defun-sk. The macro is capable of processing any

defun-sk compliant quantiﬁcation and honors all of the defun-

-sk keywords. The information we record about a quantiﬁed

formula includes the name of the quantiﬁed predicate, the

kind of quantiﬁcation (existential or universal), the quan-

tiﬁed variable list, the formal parameter list, the name of

the quantiﬁcation theorem (-necc or -suff), the name of

a skolemization rule, the body of the quantiﬁed formula,

and the witness function name. A list is used to aggregate

this data and each time a new quantiﬁer is introduced using

def::un-sk the information about that quantiﬁed predicate

is added to the list. The macros TABLE::GET and TABLE::-

SET simplify access and updating of table entries.

(TABLE::SET

’QUANT::QUANT-LIST

(CONS (NEW-QUANT

:NAME ’FORALL-P

:TYPE ’:FORALL

:BOUND ’(A)

:FORMALS ’(X)

:INSTANTIATE ’FORALL-P-NECC

:SKOLEMIZE ’FORALL-P-SKOLEMIZATION

:BODY ’(IMPLIES (MEMBER A X) (P A))

:WITNESS ’(FORALL-P-WITNESS X))

(TABLE::GET ’QUANT::QUANT-LIST)))

Quantiﬁcation speciﬁc computed hints query this table at

proof time to secure a list of candidate quantiﬁed formulae.

The list is used to search for quantiﬁed formulae in the cur-

rent goal. A goal is said to contain a quantiﬁed formula if

it contains a logical instance of that formula. In the case of

forall-p we search for logical instances of (forall-p x).

The failed proof above contained the instance (forall-p

y), but (forall-p y) was rewritten into (implies (member

(forall-p-witness y) y) (p (forall-p-witness y)))))

and the result was simpliﬁed propositionally to produce two

subgoals. Consequently the process of searching for for-

mulae instances involves more than just pattern matching

against the goal. The process must, at a minimum, take into

consideration propositional simpliﬁcation and in practice it

must also consider the impact of rewriting. Bash[2] is used

to simplify formulae before and during pattern matching.

This method is strictly more powerful than that employed

by Davis’ pick-a-point strategy[1], though perhaps similar

to the method employed by Moore in his :consider hints

library[3].

4. INSTANTIATION

Discovering an instance of a quantiﬁed expression is equiva-

lent to discovering a unifying binding for its formal param-

eters[5]. Instantiation requires that suitable bindings also

be found for the free (quantiﬁed) variables appearing in the

quantiﬁcation theorem. The quantiﬁcation theorem for the

forall-p predicate appears as follows:

(implies (forall-p x) (implies (member a x) (p a))))

Given a binding for the formal x, a suitable instance of a

must also be identiﬁed. This may be done by searching the

goal for the term of the form (member a x) for the given

value of x. However, an instance of the pattern (not (p a))

would also satisfy the (contrapositive form of the) formula:

(implies (forall-p x)

(implies (not (p a)) (not (member a x))))

Since the form of quantiﬁed formulae is unconstrained we

are compelled to search for every such logical permutation

of a formula. This in addition to the issues of simpliﬁcation

and rewriting discussed above. Finally, to ensure that each

instantiation adds information to the goal, we drop any in-

stantiations in which the conclusion of the fully instantiated

formula already appears the goal.

It is possible that this process will identify several viable

instantiations. To avoid overwhelming ACL2, instantiations

are introduced one at a time, with time for the goal to sta-

bilize between each one. It is further possible that instan-

tiation will be needed multiple times within a single proof.

Such re-entrant hints are made possible thru the use of the

computed hint replacement feature which can be used to en-

sure that the process continues for the duration of the proof

eﬀort. Access to this automated instantiation infrastructure

is made available to the user through the computed hint

macro: (quant::inst?)1.

1Inspired by and named for a PVS[6] proof command

5. SKOLEMIZATION

As mentioned above, our implementation of skolemization is

nothing more than the generalization of quantiﬁcation func-

tion symbols. While it is not possible to extend ACL2’s

built-in generalization facility, ACL2 does support the con-

struction of veriﬁed clause processors which can be used

to perform arbitrary generalizations. We have developed

a clause processor that generalizes expressions of the form

(gensym::generalize ..). To induce the generalization of

the function symbol (p a x) it is suﬃcient to rewrite it into

(gensym::generalize (p a x)) which the clause processor

will then replace with a new symbol.

Support for skolemization in our framework involves three

components. First, the construction of appropriate skolem-

ization rewrite rules to wrap quantiﬁcation witnesses with

(gensym::generalize ..). Such rules are constructed au-

tomatically by the def::un-sk macro. Next, a clause pro-

cessor that recognizes generalization instances in the goal

and replaces them with unique symbols. Finally, a com-

puted hint capable of detecting existentially quantiﬁed for-

mulae instances in a goal and enabling the skolemization

rules for those speciﬁc instances.

It is possible for skolemization to prepare the way for in-

duction by replacing a function call with a symbol. Usually,

however, skolemization is useful only as a means of reducing

proof clutter by eliminating irrelevant details. Access to au-

tomated skolemization is provided to the user through the

use of the computed hint macro: (quant::skosimp)2.

6. APPLICATION

The theorem forall-p-append3can be proven automati-

cally using our infrastructure assuming forall-p is intro-

duced using def::un-sk. The complete automated proof of

the theorem contains 15 Subgoals, 15 skolemizations (not

required but retained to demonstrate the feature), and 20

instantiations. The abridged output from one particularly

illustrative subgoal is presented here. The proof itself begins

as follows, with hints suggesting skolemization and instanti-

ation.

(defthm forall-p-append

(equal (forall-p (append x1 x2))

(and (forall-p x1) (forall-p x2)))

:hints ((quant::skosimp) (quant::inst?)))

The (quant::skosimp) hint ﬁres ﬁrst, ﬁnds a skolemizable

formula in the goal and reports this to the user. Note that

the skolemizable formula is actually a universally quantiﬁed

formula that appears in the conclusion (in eﬀect, negated).

This is indicated in the comment window by square brackets

around the name of the formula. A hint is constructed that

enables the skolemization rule that will rewrite the speciﬁc

instance (forall-p-witness X2) into (gensym::generalize

(hide (forall-p-witness X2))), where the hide term is

included to inhibit recursive applications of the rule.

2Also named in honor of a PVS proof command

3See the ACL2 documentation topic QUANTIFIERS-

USING-DEFUN-SK-EXTENDED

Subgoal 10

(IMPLIES

(AND

(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)

(P (FORALL-P-WITNESS (APPEND X1 X2)))

(MEMBER (FORALL-P-WITNESS X2) X2))

(P (FORALL-P-WITNESS X2))).

Skolemizable Formula In Goal:

[FORALL-P]: (EXISTS (A)

(NOT (IMPLIES (MEMBER A X2) (P A))))

Computed Hint:

(:DO-NOT ’(PREPROCESS)

:IN-THEORY (ENABLE FORALL-P-SKOLEMIZATION)

:RESTRICT ((FORALL-P-SKOLEMIZATION ((X X2)))))

The skolemization rewrite rule ﬁres and the appearance of

(gensym::generalize ..) in the goal triggers the invoca-

tion of the generalization clause processor which replaces

(gensym::generalize ..) with the new symbol HIDE10.

This simplifies, using the :rewrite rule

FORALL-P-SKOLEMIZATION, to

Subgoal 10’

(IMPLIES

(AND

(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)

(P (FORALL-P-WITNESS (APPEND X1 X2)))

(MEMBER (GENSYM::GENERALIZE

(HIDE (FORALL-P-WITNESS X2))) X2))

(P (GENSYM::GENERALIZE

(HIDE (FORALL-P-WITNESS X2))))).

We now apply the verified :CLAUSE-PROCESSOR

function GENERALIZE-CLAUSE-PROCESSOR-WRAPPER to

produce one new subgoal.

Subgoal 10’’

(IMPLIES

(AND

(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)

(P (FORALL-P-WITNESS (APPEND X1 X2)))

(MEMBER HIDE10 X2))

(P HIDE10)).

The (quant::inst?) hint now detects the presence of an

instantiable formula in the goal and reports it to the user.

An instance of this formula is also found and a :use hint is

generated. Note, however, that the goal does not actually

contain the expression instance (member HIDE10 (binary-

-append X1 X2)) as implied by the instantiation. Rather, it

contains the more speciﬁc (member HIDE10 X2) which was

generated by ACL2 from that expression via the application

of the rewrite rule member-append. Our ability to detect

such instances requires a tight interaction between pattern

matching and simpliﬁcation by rewriting.

Instantiable Formula In Goal:

FORALL-P : (FORALL (A)

(IMPLIES (MEMBER A (BINARY-APPEND X1 X2)) (P A)))

Computed Hint:

(:USE (:INSTANCE FORALL-P-NECC

(A HIDE10) (X (BINARY-APPEND X1 X2))))

Simpliﬁcation of the instantiated formula is now suﬃcient

to prove the goal.

We augment the goal with the hypothesis provided

by the :USE hint. The hypothesis can be derived

from FORALL-P-NECC via instantiation. We are

left with the following subgoal.

Subgoal 10’’’

(IMPLIES

(AND (IMPLIES

(FORALL-P (APPEND X1 X2))

(IMPLIES (MEMBER HIDE10 (APPEND X1 X2))

(P HIDE10)))

(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)

(P (FORALL-P-WITNESS (APPEND X1 X2)))

(MEMBER HIDE10 X2))

(P HIDE10)).

But simplification reduces this to T using the

:rewrite rules MEMBER-APPEND ...

7. CONCLUSION

While ACL2 does not provide automated support for rea-

soning about quantiﬁed formulae, it does provide mecha-

nisms that enable suitably motivated users to add such func-

tionality in a sound fashion. An ACL2 framework based

on tables, computed hints and clause processing has been

described that identiﬁes quantiﬁed formulae and skolem-

izes or instantiates them automatically when possible. This

framework has been employed to prove automatically the

forall-p-append example presented in the ACL2 documen-

tation.

8. REFERENCES

[1] Jared Davis. Finite set theory based on fully ordered

lists. In Fifth International Workshop on the ACL2

Theorem Prover and Its Applications (ACL2 ’04),

November 2004.

[2] Matt Kaufmann. Bash facility. ACL2 System Book

/misc/bash.lisp, 2006.

[3] J Moore. Essay on the design of consider hints. ACL2

System Book /hints/consider-hints.lisp, 2007.

[4] S. Ray. Quantiﬁcation in Tail-recursive Function

Deﬁnitions. In P. Manolios and M. Wilding, editors,

Proceedings of the 6th International Workshop on the

ACL2 Theorem Prover and Its Applications (ACL2

2006), volume 205 of ACM International Conference

Series, pages 95–98, Seattle, WA, August 2006. ACM.

[5] J. A. Robinson. A machine-oriented logic based on the

resolution principle. J. ACM, 12(1):23–41, January

1965.

[6] N. Shankar, S. Owre, and J. M. Rushby. The PVS

Proof Checker: A Reference Manual (Beta Release).

Computer Science Laboratory, SRI International,

Menlo Park, CA, February 1993.