Reflective Reasoning with and between a Declarative Metatheory and the Implementation Code

The goal of this paper is to present a theorem prover where the underlying code has been wr i t ten to behave as the p r o c e d u r a l m e t a leve l of the object logic. We have then defined a logical d e c l a r a t i v e m e t a t h e o r y MT which can be put in a one-to-one relation w i th the code and automatically generated from i t . MT is proved correct and complete in the sense that , for any object level deduction, the wff representing it is a theorem of M T , and viceversa. Such theorems can be translated back in the underlying code. This opens up the possibili ty of deriving control strategies automatically by metatheoretic theorem proving, of mapping them into the code and thus of extending and modifying the system itself. This seems a first step towards "real ly" self-reflective systems, it. systems able to reason deductively about and modify their underlying computation mechanisms. We show that the usual logical reflect ion rules (so called reflection up and down) are derived inference rules of the system. 1 I n t r o d u c t i o n Reflective and metatheoretic reasoning are well known techniques applied in knowledge representation and automated deduction (see for instance [Bundy, 1988 , [Constable et al., 1986], [Bowen and Kowalski, 1982], [Smith, 1983], [Gordon et al., 1979]). Roughly speaking, in the past, metareasoning has been performed according to two different paradigms. In the f irst, f rom now on called p r o c e d u r a l , the metalevel consists of a programming language and metareasoning is performed by computation in i t . One example in AI is [Smith, 1983], another in theorem proving is LCF and its metalanguage ML [Gordon et al., 1979]. In LCF the user can write control strategies as programs (usually called tactics) in ML to guide the search for a proof of a theorem. In the second paradigm, f rom now on called dec la ra t i ve , the metalevel is a logical metatheory and metareasoning is performed by deduction on metalevel statements. One example in AI is [Weyhrauch, 1980], one in theorem proving is [Howe, 1988]. Both approaches are sometimes incorporated and alternatively used; thus, for instance, in NuPr l [Constable et al., 1986] and lsabelle [Paulson, 1989] both ML and a declarative logical metatheory can be used to bui ld derived inference rules. In logic programming, metainterpreters [Bowen and Kowalski, 1982] can be seen both procedurally and declaratively. In this paper, we present a system (called GETFOL ) wi th both a procedural and a declarative metalevel. In this respect GETFOL is similar to NuPr l and lsabelle; on the other hand GETFOL has features which make it very different from any other system proposed so far: (1) the metalevel programming language is the same as the underlying implementation language and the code implementing the object logic has been wr i t ten to be its procedural metalevel. (2) the logical declarative metatheory MT can be put in a one-to-one relation w i th the code and automatically generated from it (and viceversa). (3) MT is correct and complete in the sense that , for any object level deduction (performed by running the code implementing the object level logic), the wff representing it is a theorem of M T 2 . Such theorems, possibly proved automatically by metatheoretic theorem proving, can be "mapped back" into the underlying code as new reasoning modules. These modules, if executed, wi l l produce the proof represented by the theorem they have been translated from. As a consequence of these three facts, it is possible to generate (parts of) MT automatically f rom the implementation language, to prove in MT "certain" theorems and then to " t ransform" them into new code. The result is an extension or, possibly, a modification of the system itself. The GETFOL underlying code is not a "black box", fixed once and for all at the t ime of the development, but can change over t ime. This seems a first step towards "really" self-reflective systems, it. systems able to reason deductively about and thus, possibly, modify, their 1 GETFOL is a reimplementation/ extension of the FOL system [Weyhrauch, 1980]. GETFOL has, with minor variations, all the functionalities of FOL plus extensions, some of which described here, to allow metatheoretic theorem proving. The notions of correctness and completeness here involved are sometimes called adequacy and faithfulness, respectively. Giunchiglia and Traverso 111 underlying reasoning strategies. As a side effect of this "reflective" relation existing between computation and deduction, the usual logical reflection rules (reflection up and reflection down) [Giunchiglia and Smaill, 1989] can be proved to be (a form of) derived inference rules. The paper is structured as follows. Section 2 describes how the implementation has been constructed to behave as the procedural metalevel of the system. Section 3 describes MT and how it can be automatically generated from the implementation code. In section 4, it is proved that MT represents all the object level deductions and that deduction in MT is the analogous operation of wr i t ing tactics in the implementation language. This is the fundamental property that allows the interpretation of theorems of MT in terms of the underlying code (section 5) via the use of reflection up and down. Finally, section 6 gives some conclusions and a short discussion of the related work. is then added (by p roo f -add theo rem) to the current proof. Notice that , even if the underlying code has been wr i t ten to treat errors (tg. the application of (AE) to a disjunction), this issue is not dealt w i t h in this paper. Figure 2: GETFOL implementation of Ae, VJ and VE. Strategies and derived inference rules can be defined in a metalevel functional language, GET, which is a subset of the implementation language of GETFOL. To preserve correctness, the development environment is such that the user can wri te tactics which fail but that never assert a non-theorem. For instance, considering the code in figure 2, p roo f -add theo rem, andefun , a l l i f u n and a l l e f u n are not available to the user. In this respect, GET is similar to ML as used in LCF, Nupr l or Isabelle. For instance, the GET code implementing the (simple) derived inference rule that corresponds to the deduction 112 Automated Reasoning of x1, otherwise exhaustively apply t a c t i c 2 " , where t a c t i c 2 is a previously defined tactic. Wha t has been described so far suggests that GET can be used as the procedural metalevel of GETFOL, analogously to what happens w i th ML in LCF, NuPr l or Isabelle, or even wi th metainterpreters in Prolog. This is, in fact, the case when wr i t ing tactics. The difference comes f rom the fact that (exploit ing that GET is also GETFOL's implementation language), the bui l t in GET functions to perform logic inference are exactly those used to implement the basic inference rules, eg. those in figure 2. More generally, all the GETFOL code has been carefully written to allow the identification of the procedural metalanguage with the implementation language. Thus, for instance, the implementation provides GET wi th all the syntax manipulation routines (such as FORALL, CONJ, ande), w i th all the proof manipulation routines (such as IS-A-THEQREM), w i th all the theory manipulation routines and so on. Not only must the code produce extensionally the r ight behaviour (satisfying the usual correctness criteria), but it must also be wri t ten to be at the same t ime the procedural metalevel of the logic it implements. In other words, it must have the r ight function and predicate symbols, the internal structure of the function and predicate definitions must be such that they can be put in a one-to-one relation w i th the axioms describing their behavior (all of this is described in section 3), and far harder, it must be such that computat ion can be directly mapped into the metathereotic "representation" of the deduction it produces (described in section 4). We call the production of code satisfying the requirements above, " t h e m e c h a n i z a t i o n of the logic" (to distinguish it f rom the process of producing an implementation of the logic). Mechanizing a logic is far harder than implementing i t . On the other hand, as the rest of the paper wi l l show, the mechanization of the logic can be exploited to bui ld really self-reflective systems, it. systems able to reason deductively about and modify their computat ion mechanisms. In fact it becomes then possible to generate automatically a logical metatheory MT from the code and, viceversa, to compile certain theorems of MT as system implementation code. Modification of the system's underlying computation mechanism is achieved by re-wri t ing already existing (parts of) procedures. Note that this is not done in any of the existing theorem provers or metainterpreters. From this perspective, the work which most closely resembles ours is Br ian Smith's [Smith, 1983]. The fundamental difference is that our metalanguage is a logical metatheory; this allows us to generate provably correct computation procedures automatically by metatheoretic theorem proving. 3 The declarat ive metatheory MT MT's set of inference rules is fixed, being 7v. We need to define MT 's language MC and axioms MAx. MC, has names for the elements of OT (axioms and assumptions s, formulas w, variables x and so on); this is achieved by having for any such element an individual constant ("s", "w" , "x" and so on) as part of MC. These constants are the "quotation mark names" [Giunchiglia and Traverso, 1990] of the objects of O T . Figure 3: mup mapping from the code to the metatheory. Each inference rule of OT gets "mapped up" to a distinct axiom of MAx. This mapping, called "mup", performs a one-to-one translation from the code into elements of MT (see figure 3, rnup(x) is wr i t ten as [x]) Thus, for instance, the axioms generated by applying mup to the GET code implementing AE, V7 and VE (see figure 2) are listed in figure 4. A complete definition of rnup and the code over which it can operate is outside the goals of this paper. The important point to notice is the fact that mup (and its inverse) can be implemented to do the translation in either direction automatically. Figure 4: Metatheoretic axioms mapped from the code. We can observe in figure 3 that the two GET operations of testing if something is a theorem already asserted in the object theory (performed by IS-A-THEOREM) and of asserting a proved theorem (performed by p roo f -addtheorem) are translated into the same metatheoretic predicate T. This is because OT , as 3 Notice that this seems to contradict our previous stateGiunchiglia and Traverso 113 114 Automated Reasoning the procedural metalanguage the user can theorem prove them in M T . The user can thus wr i te the hardest steps and, interact ively, generate tactics by theorem proving. Th is amounts to g iv ing the user the possibi l i ty to derive not only the object level proofs but also the tactics ( this idea has some resemblance w i t h the work on proof plann ing [Bundy, 1988], see [Giunchigl ia and Traverso, 1990] for a more in depth discussion). A different mat ter is whether the strategy is successfu l . In the programming language, a defined strategy may generate an object level proof or fa i l . Similar ly, the sequent tree may or may not be a proof. For instance, a twf f whose sequent tree te rm is ande("A AB") corresponds to a proof, bu t tha t whose te rm is ande("A VB") does not . In metalevel programming languages (l ike ML [Gordon et al.,1979]), given two simple tactics corresponding to the ones above, they need to be executed in order to know tha t the former succeeds whereas the latter fails. In M T , the derivabiliiy of preconditions determines whether twffs correspond to proofs: distinguish three parts: the preconditions P, the predicate T and the sequent tree te rm t. The assertion of the theorem in OT can be seen as the sequence of three steps: ( i ) prove V and obta in T(t) (subsection 5.1), ( i i ) f rom t generate the name of the endsequent s of I I , "s" (not described as very similar, in pr inciple, to step ( i ) ) , f inal ly ( i i i ) , f rom T ( V ) assert s in OT (subsection 5.2). 5 .1 P r o v i n g V Theorem 3 tells us tha t the preconditions of any twf f representing an object level proof can be proved by theorem proving in M T . This is the "usual" approach taken so far in theorem prov ing. A problem w i th this approach may be the size of the search space in MT which, even dropping the completeness requirement, can explode when complex metareasoning is required. The correspondence exist ing between MT and the GET code provides us wi th an alternative technique for proving in MT facts about O T . The idea is to avoid the expl ici t axiomatizat ion of parts of OT and to perform computat ion instead of deduct ion. As shown above, having a mechanization of the logic gives us a one-to-one mapping between elements of the signature of MT and GET functions (section 3, figure 3) and opens up the possibi l i ty to see deductions in MT in terms of computat ion in GET (section 4, theorems 1,2). For how twffs are defined, their syntactic structure expl ic i t ly resembles the structure of the computat ion tree they represent. As a consequence we can compute in GET fol lowing the syntax of the twff. Let us consider, as an example, the case where one of the conjuncts of P is Conj("A B"). Conj has been mapped up f rom the code funct ion CONJ and "A B" is the metatheoretic constant which denotes the theorem A B. Executing (CONJ A B) gives TRUE, this means that the metatheoretic sentence Conj("A B") is t rue and can be rewr i t ten to the constant for t r u t h , True. Notice tha t , in order to implement the machinery described above, GETFOL must keep track of the l ink between the funct ions and predicates of the signature of MT and the GET funct ions they have been mapped from (by mup). It must also remember which elements of OT the constants in MC are names of. GETFOL has in its code a data s t ructure where it memorizes the pairs ( "o " ,o ) , where "o " is an MT constant, name of o, a syntact ic object in O T . The possibi l i ty to create pairs ( name, object ) is implemented by the semantic attachment funct ional i ty [Weyhrauch, 1980] shown in figure 1. Let us give the formal def ini t ion of the interpreter implemented in GETFOL, I , which maps twffs in to computat ion. Let us restrict ourselves to terms and atomic wffs. Let us suppose tha t , for any object in O T , "o" is a constant in M T . Then 1 can be defined as follows : means function composition. The notation should be made precise, by explaining how to denote function composition wi th functions with more than one argument. Since not relevant in this context, this issue is not faced. Giunchiglia and Traverso 115 Notice that for any atomic wff or term wt, I(wt) is the execution of the code c such that rnup(c) = wt. Supposing that , for any n-ary function and predicate symbol / p , fp computes the r ight extension (w i th nary function symbols, the (n + l)-element of their set theoretic definit ion; w i th predicate symbols, either TRUE or FALSE) then J performs exactly the interpretation of terms and atomic wffs in a first order model. This result can be generalized to twffs and, more in general, to any sentence in M T . Thus the correctness and completeness of this translation of deduction in to computat ion can be proved f rom the correctness and completeness results for first order logic. What said above amounts to saying that OT is the standard model for M T . This is, we th ink, a correct way to see things and very much in agreement w i th Tarski's original definit ion of interpretat ion [Tarski, 1956]. More on seeing interpretat ion, from a computational point of view (in terms of the recursive definition of J ) , as the process of extract ing objects f rom (quotation-mark and structuraldescriptive) names is in section 4 of [Giunchiglia an d Traverso, 1990]). 5.2 M T O T i n t e r a c t i o n v i a r e f l e c t i o n We can prove the fol lowing lemma: are (a sort of) derived inference rules between theories in the mult i theory system M T O T . Notice that the procedural dist inction between "being an already asserted By (CON J Ai AB i,) we mean the result of the application of the GET function CONJ to its arguments. Note that truth is tested in the standard model. It is well known that the set of wffs true in a model is larger than the set of valid wffs. On the other hand it can be proved that, the interpretation in GETFOL restricted to atomic ground wffs (the elements of V) returns TRUE iff the wff is valid in all models of MT and thus provable in MT. theorem" and " being a theorem to be asserted", lost by m u p , is brought back by the reflection rules. In fact, Rup can be executed only on theorems already asserted in OT, while, viceversa, Rdown can be executed to assert new theorems in O T . Occurrences of T that in the compi lat ion down from MT to GET would be translated into IS-A-THEOREM correspond to applying RuP ; viceversa, the occurrences of T that would be compiled down into p roo f -add t heo rem correspond to applying R d o w n . The use of reflection up and down allows us to give a declarat ive explanation of the interact ion between reasoning in OT and reasoning in MT and, in part icular, of how (and why) it is possible to assert theorems in OT as a result o f deduction in M T . 5.3 D e d u c i n g i n O T v i a r e a s o n i n g i n M T In this section we show how a twff can be interpreted to prove a theorem in O T . As a prototypical example, let us consider the fol lowing twff: The code performing the above steps is implemented in GETFOL and can be run by the command REFLECT [Giunchiglia and Smail l , 1989]. Notice that running the code compiled by the "mapping down" would give the same result as running REFLECT. The inverse of mup is to REFLECT exactly what compilat ion is to interpretat ion: execution of code generated by the inverse of m u p produces the same results as interpret ing metalevel theorems via REFLECT. 6 Conc lus ions a n d re l a ted w o r k In this paper we have presented a theorem prover, GETFOL, where the underlying code has been wr i t ten to 116 Automated Reasoning behave as the procedural rnetalevel of the logic it im plements. Th is approach seems a f irst step towards the development of systems able to modi fy deductively and automat ica l ly their under ly ing computat ion machinery. In fact: (a ) a logical metatheory MT can be automat ical ly generated f rom the code; ( b ) (some o f ) the theorems of MT represent object level computat ions; ( c ) these theorems can be automat ical ly compiled back in the system code to extend or to modi fy i t (mod i f icat ion is achieved by redefining GET funct ion symbols); ( d ) these theorems can be automat ical ly interpreted to assert object level theorems. In this case, as a side effect, we have a proven correct way to mix , at run time, object and rnetalevel theorem prov ing v ia the use of reflection up and down. More on th is issue can be found in [Giunchigl ia and Traverso, 1990] which also has a long section on the related work , in part icular w i t h [Bundy, 1988; Weyhrauch, 1980]. As far as we know, this approach is new and has never been proposed before. However, some comparisons w i t h exist ing systems can nevertheless be made. The idea of a metatheory mapped direct ly f rom the system code is somehow simi lar to the idea underlying the work on metafunct ions [Boyer and Moore, 1981] ( in the Boyer and Moore theorem prover the code is the metatheory) . In [Boyer and Moore, 1981], user defined term-rewr i t ing funct ions can be checked to verify whether they preserve the "meaning" of terms. Aside f rom the technical differences, a fundamental difference is tha t we provide a metatheory in which we can perform automatic deduct ion to build correct control strategies, while Boyer and Moore verify the correctness of the user defined strategies. Besides Boyer and Moore's work [Boyer and Moore, 1981], none of the exist ing theorem provers, has the possibi l i ty of using the results of deduct ion in the metatheory to produce modif icat ions of the under ly ing system code. Th is is, for instance, the case also in NuPr l [Constable et a l . , 1986; Howe, 1988], even if in NuPr l the synthesis of new tactics can be obtained by metatheoretic theorem prov ing (v ia the "proposit ions-as-types" paradigm). Analogously, metainterpreters can control the Prolog search strategy but cannot modify i t . T h a t is, the user can wr i te a metainterpreter for any desired search strategy, however the metainterpreter w i l l be executed by using the Prolog bu i l t in search strategy. For what concerns the issue of self-modif icat ion, the work which most closely resembles ours is Br ian Smith 's [Smi th, 1983]. The substant ial difference is tha t , in GETFOL, metatheoret ic statements are generated by rnetalevel deduct ion and not by computat ion and tha t the tactics derived are provably correct. No non-theorems