Hammering towards QED

ly, the translation module in Sledgehammer and HOLyHammer can be seen as a two-step process: (1) Eliminate the higher-order features of the formulas to produce a rst-order problem. (2) Encode the type information in the target logic. In practice, the two steps are intertwined, because this gives rise to opportunities for optimizations. Translation of Higher-Order Features. The higher-order features to eliminate are listed below, with an example of each. (1) Higher-order quanti cation: ∀x. ∃ f . f x = x; (2) Higher-order arguments: map f [x, y] = [ f x, f y]; (3) Partial function applications: f = g −→ f x = g x; (4) λ-abstractions: (λx y. y + x) = (λx y. x + y); (5) Formulas within terms: p (x = x) −→ p True; (6) Terms as formulas: hd [True]. Journal of Formalized Reasoning Vol. 9, No. 1, 2016. Hammering towards QED · 113 Early Sledgehammer prototypes classi ed the problem as purely rst-order or higher-order and treated the two situations independently. The presence of a single higher-order construct was enough to trigger a heavy, systematic translation of the problem. Eventually, the third author realized that it is possible to make a smooth transition from purely rst-order to heavily higher-order problems. To give a avor of the translation, here are the six examples above after their higher-order features have been eliminated, expressed in a TPTP-like syntax: (1) ∀X : α. ∃F : (α, α) fun . app(F, X) = X (2) map(F, cons(X, nil)) = cons(app(F, X), nil) (3) F = G −→ app(F, X) = app(G, X) (4) C(plus) = plus (5) p(equal(X, X)) −→ p(true) (6) boolify(hd(cons(true, nil))) The symbols app, boolify, C, equal, and true are uninterpreted symbols introduced by the translation. They are characterized by auxiliary axioms, such as equal(X, X) = true and app(app(C(F), X), Y) = app(app(F, Y), X), that can be used by the ATPs to perform some higher-order reasoning. More speci cally, the app function symbol serves as an explicit application operator. It takes a (curried) function and an argument and applies the former on the latter. It permits the application of a variable: If F is a variable, F(0) is illegal in rst-order logic, but app(F, 0) is legal. It also makes it possible to pass a variable number of arguments to a function, as is often necessary if the problem requires partial function applications. The boolify symbol is a predicate that yields true if and only if its Boolean term argument is true. Intuitively, boolify(t) is the same as t = true, where true is the uninterpreted constant corresponding to the Isabelle/ HOL constant True. The distinguished symbols app and boolify can hugely burden problems if introduced systematically for all arguments and predicates. To reduce clutter, Sledgehammer and HOLyHammer compute the minimum arity n needed for each symbol and pass the rst n arguments directly, falling back on app for additional arguments. This optimization works well in practice, but it sometimes makes problems unprovable. Translation of Types. After translating away the higher-order features of a problem, we are left with rst-order formulas in which polymorphic types (and, in Sledgehammer's case, type classes) are still present. Various type encoding schemes are possible, but the traditional schemes require burdening the formulas with so much information that the ATPs almost grind to a halt. Until 2011, Sledgehammer implemented a lightweight but unsound translation of types. Since proofs need to be reconstructed anyway, a mildly unsound translation could be used with some success, but this was not entirely satisfactory: (1) Finite exhaustion rules of the form X = c1 ∨ · · · ∨ X = cn must be left out because they lead to unsound cardinality reasoning in the absence of types [96, Ÿ2.8]. The inability to encode such rules prevents the discovery of proofs by case analysis on nite types. Journal of Formalized Reasoning Vol. 9, No. 1, 2016. 114 · Blanchette, Kaliszyk, Paulson, Urban (2) Spurious proofs are distracting and sometimes conceal sound proofs. The seasoned user eventually learns to recognize facts that lead to unsound reasoning and mark them with a special attribute to remove them from the scope of the relevance lter, but this remains a stumbling block for the novice. (3) In the longer run, it would be desirable to let the ATPs themselves perform relevance ltering, or even use a sophisticated system based on machine learning, such as MaLARea, where successful proofs guide subsequent ones. However, if unsound encodings are used, such approaches tend to quickly discover and exploit any inconsistencies in the large translated axiom set. Even in the monomorphic case, it is necessary to encode types, as the equality predicate implemented by ATPs is a polymorphic one. Encoding each type instance of equality as a di erent predicate together with an axiomatization of each of these predicates directly corresponds to the MESON reconstruction and has been used in the early versions of HOLyHammer. A recent discovery in hammer research is that it is possible to encode polymorphic types in a sound, complete, and e cient manner. Sledgehammer implements a whole family of lightweight encodings that exploit a semantic property called monotonicity to safely remove most of the type information that previously cluttered problems [22, 23, 41]. Informally, monotonic types are types whose domain can be extended with new elements while preserving satis ability. Such types can be merged by synchronizing their cardinalities. Nonmonotonic types can be made monotonic by encoding some typing information. As an example, consider the following Isabelle/HOL formulas: