Conference PaperPDF Available

Automated reasoning with quantified formulae

Authors:

Abstract

ACL2 allows users to define predicates whose logical behavior mimics that of universally or existentially quantified formulae. Proof support for such quantification, however, is quite limited. We present an ACL2 framework that employs tables, computed hints and clause processing to identify quantified formulae and to skolemize or instantiate them when possible. We demonstrate how the framework can be used to prove automatically the forall-p-append example presented in the ACL2 documentation.
Automated Reasoning With Quantified Formulae
David Greve
Rockwell Collins Advanced Technology Center
Cedar Rapids, IA
dagreve@rockwellcollins.com
ABSTRACT
ACL2 allows users to define predicates whose logical be-
havior mimics that of universally or existentially quantified
formulae. Proof support for such quantification, however,
is quite limited. We present an ACL2 framework that em-
ploys tables, computed hints and clause processing to iden-
tify quantified formulae and to skolemize or instantiate them
when possible. We demonstrate how the framework can be
used to prove automatically the forall-p-append example
presented in the ACL2 documentation.
Categories and Subject Descriptors
F.4.1 [Mathematical Logic]: Mechanical Theorem Prov-
ing
General Terms
Quantification
Keywords
ACL2, Skolemization, Instantiation
1. QUANTIFICATION IN ACL2
Quantification in ACL2 is a second class citizen in a first
order world. It suffers from deficiencies in both expression
and reasoning support. ACL2 is commonly referred to as
being “quantifier-free” in deference to the fact that the logic
of ACL2 does not include explicit quantification constructs.
Rather, ACL2 exploits that fact that it is possible to use a
choice principle in conjunction with the definitional princi-
ple to introduce a predicate whose logical behavior mimics
that of a quantified formula. This approach, however, pre-
cludes the introduction of locally quantified formulae dur-
ing function or theorem definition and makes it difficult to
mix quantification and recursion[4]. There is no support for
automated reasoning about quantified formulae built in to
ACL2, a condition exacerbated by the lack of explicit quan-
tification constructs. Because quantification is necessarily
hidden in the properties of various function symbols, it is
very difficult for a user to examine a failed proof attempt
and discern how quantified formulae might be manipulated
to achieve a desired result. Over the years such factors have
conspired to help ensure that the majority of ACL2 proof
efforts remain quantifier-free.
ACL2 does, however, provide a number of means by which
sufficiently motivated users may soundly extend the rea-
soning power of the system without modifying the trusted
core. In this paper we discuss how tables, computed hints
and clause processing have been combined to construct a
reasoning infrastructure that enables ACL2 to identify and
automatically skolemize or instantiate quantified formulae
appearing in the goal of a proof effort. We demonstrate
how the framework can be used to prove automatically the
forall-p-append example presented in the ACL2 documen-
tation and suggest some possible future enhancements.
2. INTRODUCTION
The macro defun-sk may be used to introduce a quantified
formula in ACL2. Note that, as in this case, quantified
formulae in ACL2 may have formal parameters in addition
to quantified variables.
(defun-sk forall-p (x)
(forall (a) (implies (member a x) (p a))))
Under the hood this macro generates a sequence of ACL2
events. The first is a defchoose event that employs a choice
principle to witness the function (forall-p-witness x) with
the property that, if there is a value for athat makes the
predicate (implies (member a x) (p a))) false, this func-
tion will too. This function symbol is then employed as
the quantified variable in the definition of the (forall-p x)
predicate. The final theorem, in this case forall-p-necc,
is the quantification theorem which captures the logical be-
havior of the quantified formula.
(defchoose forall-p-witness (a) (x)
(not (implies (member a x) (p a))))
(defun forall-p (x)
(let ((a (forall-p-witness x)))
(implies (member a x) (p a))))
(defthm forall-p-necc
(implies (forall-p x) (implies (member a x) (p a))))
The procedure for existential quantifiers is similar except
that the hypothesis and conclusion of the resulting quantifi-
cation theorem are swapped. Note that because defun-sk
is a top-level event (actually a sequence of events) it cannot
be used to introduce quantification in the body of a function
or theorem definition.
Instantiation is the name given to the process of deriving a
new formula from a universally quantified formula by replac-
ing each occurrence of a quantified variable with a specific
instance. In ACL2, instantiation is performed by way of a
:use hint applied to the quantification theorem governing
the behavior of the terms involved.
(defthm instantiation-example
(implies
(and (forall-p y) (member b y)) (p b))
:hints (("Goal" :use (:instance forall-p-necc
(x y) ;; Formal Parameter
(a b))))) ;; Quantifier Instantiation
Skolemization, as implemented in this library, is the process
of deriving a new formula from a quantified formula by re-
placing each occurrence of the quantified variable with a new
variable that is free in the current context. Since quantified
variables already appear as function symbols in ACL2, what
we call skolemization is actually just generalization. Our
implementation of skolemization is sound for any quantified
formula but it is typically used only to simplify existentially
quantified formulae.
The sense in which a quantified formula appears in the goal,
either true or negated, is important. Negated existentially
quantified formulae in the hypothesis act like universally
quantified formulae in that they may be soundly instanti-
ated. Negated universally quantified formulae in the hypoth-
esis, however, are susceptible only to skolemization. The
converse is true for quantified formulae in the conclusion.
3. IDENTIFICATION
Consider the results of a failed proof in which the universally
quantified formula forall-p is a hypothesis.
ACL2 !> (defthm forall-p-proof
(implies (forall-p y) (implies (member b y) (p b))))
Subgoal 2
(IMPLIES
(AND (NOT (MEMBER (FORALL-P-WITNESS Y) Y))
(MEMBER B Y)) (P B))
Subgoal 1
(IMPLIES
(AND (P (FORALL-P-WITNESS Y))
(MEMBER B Y)) (P B))
Evident in this example are several of the challenges that
must be overcome in order to automate reasoning about
quantification in ACL2. The first challenge is recognizing
specific quantified predicates. Each quantified predicate is
associated with a unique witness function that is used in
place of the quantified variable. In forall-p the function
(forall-p-witness Y) replaces the quantified variable A.
Then quantified predicates must be recognized from their
constituent components. The structure of a quantified for-
mula is likely to change dramatically under simplification.
In this case, the (member a x) portion of the quantified
formula appears in Subgoal 2 while the (p a) portion ap-
pears in Subgoal 1. The fact that each subgoal implicitly
contains (forall (a) (implies (member a x) (p a))) as
a hypothesis is not at all obvious from casual observation.
Finally, the polarity (either true or negated form) of the
quantified predicate must be established. While the appear-
ance of a quantification witness is often an indication of
the presence of a quantified formula, the witness itself does
not establish the polarity in which the quantified formula
appears. This is important because the polarity of the for-
mula determines whether it is susceptible to instantiation or
skolemization.
Overcoming each of these challenges requires intimate knowl-
edge of the various quantified predicates that might be present
in a goal. Automating this process requires that this knowl-
edge be available dynamically at proof time. To solve this
problem we employ ACL2 tables. Tables allow us to store
information in the ACL2 logical world from the time the
quantification is introduced to the time it is used in a sub-
sequent proof effort. Additionally, tables are available to
computed hints so the information can be queried dynami-
cally as the proof progresses.
The framework that we have developed records informa-
tion about quantified formulae at the time of their creation
through a macro called def::un-sk which is a wrapper around
ACL2’s defun-sk. The macro is capable of processing any
defun-sk compliant quantification and honors all of the defun-
-sk keywords. The information we record about a quantified
formula includes the name of the quantified predicate, the
kind of quantification (existential or universal), the quan-
tified variable list, the formal parameter list, the name of
the quantification theorem (-necc or -suff), the name of
a skolemization rule, the body of the quantified formula,
and the witness function name. A list is used to aggregate
this data and each time a new quantifier is introduced using
def::un-sk the information about that quantified predicate
is added to the list. The macros TABLE::GET and TABLE::-
SET simplify access and updating of table entries.
(TABLE::SET
’QUANT::QUANT-LIST
(CONS (NEW-QUANT
:NAME ’FORALL-P
:TYPE ’:FORALL
:BOUND ’(A)
:FORMALS ’(X)
:INSTANTIATE ’FORALL-P-NECC
:SKOLEMIZE ’FORALL-P-SKOLEMIZATION
:BODY ’(IMPLIES (MEMBER A X) (P A))
:WITNESS ’(FORALL-P-WITNESS X))
(TABLE::GET ’QUANT::QUANT-LIST)))
Quantification specific computed hints query this table at
proof time to secure a list of candidate quantified formulae.
The list is used to search for quantified formulae in the cur-
rent goal. A goal is said to contain a quantified formula if
it contains a logical instance of that formula. In the case of
forall-p we search for logical instances of (forall-p x).
The failed proof above contained the instance (forall-p
y), but (forall-p y) was rewritten into (implies (member
(forall-p-witness y) y) (p (forall-p-witness y)))))
and the result was simplified propositionally to produce two
subgoals. Consequently the process of searching for for-
mulae instances involves more than just pattern matching
against the goal. The process must, at a minimum, take into
consideration propositional simplification and in practice it
must also consider the impact of rewriting. Bash[2] is used
to simplify formulae before and during pattern matching.
This method is strictly more powerful than that employed
by Davis’ pick-a-point strategy[1], though perhaps similar
to the method employed by Moore in his :consider hints
library[3].
4. INSTANTIATION
Discovering an instance of a quantified expression is equiva-
lent to discovering a unifying binding for its formal param-
eters[5]. Instantiation requires that suitable bindings also
be found for the free (quantified) variables appearing in the
quantification theorem. The quantification theorem for the
forall-p predicate appears as follows:
(implies (forall-p x) (implies (member a x) (p a))))
Given a binding for the formal x, a suitable instance of a
must also be identified. This may be done by searching the
goal for the term of the form (member a x) for the given
value of x. However, an instance of the pattern (not (p a))
would also satisfy the (contrapositive form of the) formula:
(implies (forall-p x)
(implies (not (p a)) (not (member a x))))
Since the form of quantified formulae is unconstrained we
are compelled to search for every such logical permutation
of a formula. This in addition to the issues of simplification
and rewriting discussed above. Finally, to ensure that each
instantiation adds information to the goal, we drop any in-
stantiations in which the conclusion of the fully instantiated
formula already appears the goal.
It is possible that this process will identify several viable
instantiations. To avoid overwhelming ACL2, instantiations
are introduced one at a time, with time for the goal to sta-
bilize between each one. It is further possible that instan-
tiation will be needed multiple times within a single proof.
Such re-entrant hints are made possible thru the use of the
computed hint replacement feature which can be used to en-
sure that the process continues for the duration of the proof
effort. Access to this automated instantiation infrastructure
is made available to the user through the computed hint
macro: (quant::inst?)1.
1Inspired by and named for a PVS[6] proof command
5. SKOLEMIZATION
As mentioned above, our implementation of skolemization is
nothing more than the generalization of quantification func-
tion symbols. While it is not possible to extend ACL2’s
built-in generalization facility, ACL2 does support the con-
struction of verified clause processors which can be used
to perform arbitrary generalizations. We have developed
a clause processor that generalizes expressions of the form
(gensym::generalize ..). To induce the generalization of
the function symbol (p a x) it is sufficient to rewrite it into
(gensym::generalize (p a x)) which the clause processor
will then replace with a new symbol.
Support for skolemization in our framework involves three
components. First, the construction of appropriate skolem-
ization rewrite rules to wrap quantification witnesses with
(gensym::generalize ..). Such rules are constructed au-
tomatically by the def::un-sk macro. Next, a clause pro-
cessor that recognizes generalization instances in the goal
and replaces them with unique symbols. Finally, a com-
puted hint capable of detecting existentially quantified for-
mulae instances in a goal and enabling the skolemization
rules for those specific instances.
It is possible for skolemization to prepare the way for in-
duction by replacing a function call with a symbol. Usually,
however, skolemization is useful only as a means of reducing
proof clutter by eliminating irrelevant details. Access to au-
tomated skolemization is provided to the user through the
use of the computed hint macro: (quant::skosimp)2.
6. APPLICATION
The theorem forall-p-append3can be proven automati-
cally using our infrastructure assuming forall-p is intro-
duced using def::un-sk. The complete automated proof of
the theorem contains 15 Subgoals, 15 skolemizations (not
required but retained to demonstrate the feature), and 20
instantiations. The abridged output from one particularly
illustrative subgoal is presented here. The proof itself begins
as follows, with hints suggesting skolemization and instanti-
ation.
(defthm forall-p-append
(equal (forall-p (append x1 x2))
(and (forall-p x1) (forall-p x2)))
:hints ((quant::skosimp) (quant::inst?)))
The (quant::skosimp) hint fires first, finds a skolemizable
formula in the goal and reports this to the user. Note that
the skolemizable formula is actually a universally quantified
formula that appears in the conclusion (in effect, negated).
This is indicated in the comment window by square brackets
around the name of the formula. A hint is constructed that
enables the skolemization rule that will rewrite the specific
instance (forall-p-witness X2) into (gensym::generalize
(hide (forall-p-witness X2))), where the hide term is
included to inhibit recursive applications of the rule.
2Also named in honor of a PVS proof command
3See the ACL2 documentation topic QUANTIFIERS-
USING-DEFUN-SK-EXTENDED
Subgoal 10
(IMPLIES
(AND
(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)
(P (FORALL-P-WITNESS (APPEND X1 X2)))
(MEMBER (FORALL-P-WITNESS X2) X2))
(P (FORALL-P-WITNESS X2))).
Skolemizable Formula In Goal:
[FORALL-P]: (EXISTS (A)
(NOT (IMPLIES (MEMBER A X2) (P A))))
Computed Hint:
(:DO-NOT ’(PREPROCESS)
:IN-THEORY (ENABLE FORALL-P-SKOLEMIZATION)
:RESTRICT ((FORALL-P-SKOLEMIZATION ((X X2)))))
The skolemization rewrite rule fires and the appearance of
(gensym::generalize ..) in the goal triggers the invoca-
tion of the generalization clause processor which replaces
(gensym::generalize ..) with the new symbol HIDE10.
This simplifies, using the :rewrite rule
FORALL-P-SKOLEMIZATION, to
Subgoal 10’
(IMPLIES
(AND
(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)
(P (FORALL-P-WITNESS (APPEND X1 X2)))
(MEMBER (GENSYM::GENERALIZE
(HIDE (FORALL-P-WITNESS X2))) X2))
(P (GENSYM::GENERALIZE
(HIDE (FORALL-P-WITNESS X2))))).
We now apply the verified :CLAUSE-PROCESSOR
function GENERALIZE-CLAUSE-PROCESSOR-WRAPPER to
produce one new subgoal.
Subgoal 10’’
(IMPLIES
(AND
(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)
(P (FORALL-P-WITNESS (APPEND X1 X2)))
(MEMBER HIDE10 X2))
(P HIDE10)).
The (quant::inst?) hint now detects the presence of an
instantiable formula in the goal and reports it to the user.
An instance of this formula is also found and a :use hint is
generated. Note, however, that the goal does not actually
contain the expression instance (member HIDE10 (binary-
-append X1 X2)) as implied by the instantiation. Rather, it
contains the more specific (member HIDE10 X2) which was
generated by ACL2 from that expression via the application
of the rewrite rule member-append. Our ability to detect
such instances requires a tight interaction between pattern
matching and simplification by rewriting.
Instantiable Formula In Goal:
FORALL-P : (FORALL (A)
(IMPLIES (MEMBER A (BINARY-APPEND X1 X2)) (P A)))
Computed Hint:
(:USE (:INSTANCE FORALL-P-NECC
(A HIDE10) (X (BINARY-APPEND X1 X2))))
Simplification of the instantiated formula is now sufficient
to prove the goal.
We augment the goal with the hypothesis provided
by the :USE hint. The hypothesis can be derived
from FORALL-P-NECC via instantiation. We are
left with the following subgoal.
Subgoal 10’’’
(IMPLIES
(AND (IMPLIES
(FORALL-P (APPEND X1 X2))
(IMPLIES (MEMBER HIDE10 (APPEND X1 X2))
(P HIDE10)))
(MEMBER (FORALL-P-WITNESS (APPEND X1 X2)) X2)
(P (FORALL-P-WITNESS (APPEND X1 X2)))
(MEMBER HIDE10 X2))
(P HIDE10)).
But simplification reduces this to T using the
:rewrite rules MEMBER-APPEND ...
7. CONCLUSION
While ACL2 does not provide automated support for rea-
soning about quantified formulae, it does provide mecha-
nisms that enable suitably motivated users to add such func-
tionality in a sound fashion. An ACL2 framework based
on tables, computed hints and clause processing has been
described that identifies quantified formulae and skolem-
izes or instantiates them automatically when possible. This
framework has been employed to prove automatically the
forall-p-append example presented in the ACL2 documen-
tation.
8. REFERENCES
[1] Jared Davis. Finite set theory based on fully ordered
lists. In Fifth International Workshop on the ACL2
Theorem Prover and Its Applications (ACL2 ’04),
November 2004.
[2] Matt Kaufmann. Bash facility. ACL2 System Book
/misc/bash.lisp, 2006.
[3] J Moore. Essay on the design of consider hints. ACL2
System Book /hints/consider-hints.lisp, 2007.
[4] S. Ray. Quantification in Tail-recursive Function
Definitions. In P. Manolios and M. Wilding, editors,
Proceedings of the 6th International Workshop on the
ACL2 Theorem Prover and Its Applications (ACL2
2006), volume 205 of ACM International Conference
Series, pages 95–98, Seattle, WA, August 2006. ACM.
[5] J. A. Robinson. A machine-oriented logic based on the
resolution principle. J. ACM, 12(1):23–41, January
1965.
[6] N. Shankar, S. Owre, and J. M. Rushby. The PVS
Proof Checker: A Reference Manual (Beta Release).
Computer Science Laboratory, SRI International,
Menlo Park, CA, February 1993.
... This facility extends ACL2's computed hints with a pattern matching expression language that is evaluated against sub-goals. For each pattern match found, the resulting bindings are used to instantiate hints that are passed to the theorem prover [3]. The bindings are then cached to avoid generating duplicate hints and a computed hint replacement allows the process to continue to subsequent sub-goals. ...
Preprint
Full-text available
The decentralized perimeter surveillance system (DPSS) seeks to provide a decentralized protocol for evenly distributing surveillance of a perimeter over time across an ensemble of unmanned aerial vehicles (UAVs) whose members may communicate only when in close proximity to each other. The protocol must also converge to an even distribution of the perimeter in bounded time. Two versions of the DPSS protocol presented in the original paper seem to converge in bounded time but only informal proofs and arguments are given. A later application of model checking to these protocols found an error in one of the key lemmas, invalidating the informal proof for one and casting doubt on the other. Therefore, a new hand proof of the convergence time for the simpler version of the DPSS protocol or algorithm, Algorithm A or DPSS-A, was developed by Jeremy Avigad and Floris van Doorn. This paper describes a mechanization of that hand proof in the logic of ACL2 and discusses three specific ACL2 utilities that proved useful for expressing and reasoning about the DPSS model.
... Wrapping existing events to record information for later use (as done by SOFT's defunvar, defun2, defchoose2, and defun-sk2) has precedents. For example, the def:un-sk tool [11] is a wrapper of defun-sk that records information to help prove theorems involving quantifiers. It may be useful to combine def:un-sk with SOFT's defun-sk2 wrapper. ...
Article
SOFT ('Second-Order Functions and Theorems') is a tool to mimic second-order functions and theorems in the first-order logic of ACL2. Second-order functions are mimicked by first-order functions that reference explicitly designated uninterpreted functions that mimic function variables. First-order theorems over these second-order functions mimic second-order theorems universally quantified over function variables. Instances of second-order functions and theorems are systematically generated by replacing function variables with functions. SOFT can be used to carry out program refinement inside ACL2, by constructing a sequence of increasingly stronger second-order predicates over one or more target functions: the sequence starts with a predicate that specifies requirements for the target functions, and ends with a predicate that provides executable definitions for the target functions.
... To reason about AIGEQUIV in ACL2, we use the witness 1 clause processor, which is much like Greve's quant system [19] for automatically Skolemizing and instantiating quantified formulas. When ACL2 tries to prove a conclusion of the form AIGEQUIV(a, b), this clause processor reduces the problem to showing that a and b have the same evaluation under a particular env, similar to the pick-apoint strategy used in Davis' osets library [13]. ...
Article
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions (like circuits). AIG simplification algorithms can dramatically reduce an AIG, and play an important role in modern hardware verification tools like equivalence checkers. In practice, these tricky algorithms are implemented with optimized C or C++ routines with no guarantee of correctness. Meanwhile, many interactive theorem provers can now employ SAT or SMT solvers to automatically solve finite goals, but no theorem prover makes use of these advanced, AIG-based approaches. We have developed two ways to represent AIGs within the ACL2 theorem prover. One representation, Hons-AIGs, is especially convenient to use and reason about. The other, Aignet, is the opposite; it is styled after modern AIG packages and allows for efficient algorithms. We have implemented functions for converting between these representations, random vector simulation, conversion to CNF, etc., and developed reasoning strategies for verifying these algorithms. Aside from these contributions towards verifying AIG algorithms, this work has an immediate, practical benefit for ACL2 users who are using GL to bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf SAT solver to carry out the proof, instead of using the built-in BDD package. Looking to the future, it is a first step toward implementing verified AIG simplification algorithms that might further improve GL performance.
Article
We present a new finite set theory implementation for ACL2 wherein sets are implemented as fully ordered lists. This order unifies the notions of set equality and element equality by creating a unique represen-tation for each set, which in turn enables nested sets to be trivially supported and eliminates the need for congruence rules. We demonstrate that ordered sets can be reasoned about in the traditional style of membership argu-ments. Using this technique, we prove the classic properties of set operations in a natural and effort-less manner. We then use the exciting new MBE feature of ACL2 to provide linear-time implementa-tions of all basic set operations. These optimizations are made "behind the scenes" and do not adversely impact reasoning ability. We finally develop a framework for reasoning about quantification over set elements. We also begin to provide common higher-order patterns from func-tional programming. The net result is an efficient library that is easy to use and reason about.
Conference Paper
We investigate the logical issues behind axiomatizing equations that contain both recursive calls and quantifiers in ACL2. We identify a class of such equations, named extended tail-recursive equations, that can be uniformly introduced in the logic. We point out some potential benefits of this axiomatization, and discuss the logical impediments behind introducing more general quantified formulas.
Bash facility. ACL2 System Book /misc/bash.lisp
  • Matt Kaufmann
Matt Kaufmann. Bash facility. ACL2 System Book /misc/bash.lisp, 2006.
Essay on the design of consider hints. ACL2 System Book /hints/consider-hints.lisp
  • J Moore
J Moore. Essay on the design of consider hints. ACL2 System Book /hints/consider-hints.lisp, 2007.
ACL2 System Book /hints/consider-hints.lisp
  • J Moore
J Moore. Essay on the design of consider hints. ACL2 System Book /hints/consider-hints.lisp, 2007.