The Abella Interactive Theorem Prover (System Description)
Abella is an interactive system for reasoning about aspects of object languages that have been formally presented through recursive rules based on syntactic structure. Abella utilizes a two-level logic approach to specification and reasoning. One lev…
Authors: Andrew Gacek
Andrew Gacek, Department of Computer Science and Engineering, University of Minnesota, 200 Union Street SE, Minneapolis, MN 55455, USA

1 Introduction

Abella [3] is an interactive system for reasoning about aspects of object languages that have been formally presented through recursive rules based on syntactic structure. Abella utilizes a two-level logic approach to specification and reasoning. One level is defined by a specification logic which supports a transparent encoding of structural semantics rules and also enables their execution. The second level, called the reasoning logic, embeds the specification logic and allows the development of proofs of properties about specifications. An important characteristic of both logics is that they exploit the λ-tree syntax approach to treating binding in object languages. Amongst other things, Abella has been used to prove normalizability properties of the λ-calculus, cut admissibility for a sequent calculus, and type uniqueness and subject reduction properties. This paper discusses the logical foundations of Abella, outlines the style of theorem proving that it supports and finally describes some of its recent applications.

2 The Logic Underlying Abella

Abella is based on G, an intuitionistic, predicative, higher-order logic with fixed-point definitions for atomic predicates and with natural number induction [4].

Representing binding. G uses the λ-tree syntax approach to representing syntactic structures [7], which allows object level binding to be represented using meta-level abstraction. Thus common notions related to binding such as α-equivalence and capture-avoiding substitution are built into the logic, and the encodings of object languages do not need to implement such features.
To reason over λ-tree syntax, G uses the ∇ quantifier which represents a notion of generic judgment [9]. A formula ∇x.F is true if F is true for each x in a generic way, i.e., when nothing is assumed about any x. This is a stronger statement than ∀x.F, which says that F is true for all values for x but allows this to be shown in different ways for different values. For the logic G, we assume the following two properties of ∇:

$$\nabla x.\nabla y.F\,x\,y \equiv \nabla y.\nabla x.F\,x\,y \qquad\qquad \nabla x.F \equiv F \ \text{ if } x \text{ not free in } F$$

A natural proof-theoretic treatment for this quantifier is to use nominal constants to instantiate ∇-bound variables [16]. Specifically, the proof rules for ∇ are

$$\frac{\Gamma, B[a/x] \vdash C}{\Gamma, \nabla x.B \vdash C}\;\nabla\mathcal{L} \qquad\qquad \frac{\Gamma \vdash C[a/x]}{\Gamma \vdash \nabla x.C}\;\nabla\mathcal{R}$$

where a is a nominal constant which does not appear in the formula underneath the ∇ quantifier. Due to the equivalence of permuting ∇ quantifiers, nominal constants must be treated as permutable, which is captured by the initial rule.

$$\frac{\pi.B = B'}{\Gamma, B \vdash B'}\;\mathit{id}_\pi$$

Here π is a permutation of nominal constants.

Definitions. The logic G supports fixed-point definitions of atomic predicates. These definitions are specified as clauses of the form $\forall \bar{x}.(\nabla \bar{z}.H) \triangleq B$ where the head H is an atomic predicate. This notion of definition is extended from previous notions (e.g., see [9]) by admitting the ∇-quantifier in the head. Roughly, when such a definition is used, in ways to be explained soon, these ∇-quantified variables become instantiated with nominal constants from the term on which the definition is used. The instantiations for the universal variables $\bar{x}$ may contain any nominal constants not assigned to the variables $\bar{z}$. Thus ∇ quantification in the head of a definition allows us to restrict certain pieces of syntax to be nominal constants and to state dependency information for those nominal constants.
Two examples hint at the expressiveness of our extended form of definitions. First, we can define a predicate name E which holds only when E is a nominal constant. Second, we can define a predicate fresh X E which holds only when X is a nominal constant which does not occur in E.

$$(\nabla x.\, \mathit{name}\ x) \triangleq \top \qquad\qquad \forall E.(\nabla x.\, \mathit{fresh}\ x\ E) \triangleq \top$$

Note that the order of quantification in fresh enforces the freshness condition.

Definitions can be used in both a positive and negative fashion. Positively, definitions are used to derive an atomic judgment, i.e., to show a predicate holds on particular values. This use corresponds to unfolding a definition and is similar to back-chaining. Negatively, an atomic judgment can be decomposed in a case analysis-like way based on a closed-world reading of definitions. In this case, the atomic judgment is unified with the head of each definitional clause, where eigenvariables are treated as instantiatable. Also, both the positive and negative uses of definitions consider permutations of nominal constants in order to allow the ∇-bound variables $\bar{z}$ to range over any nominal constants. A precise presentation of these rules, which is provided in Gacek et al. [4], essentially amounts to introduction rules for atomic judgments on the right and left sides of sequents in a sequent calculus based presentation of the logic.

Induction. G supports induction over natural numbers. By augmenting the predicates being defined with a natural number argument, this induction can serve as a method of proof based on the length of a bottom-up evaluation of a definition.

3 The Structure of Abella

The architecture of Abella has two distinguishing characteristics. First, Abella is oriented towards the use of a specific (executable) specification logic whose proof-theoretic structure is encoded via definitions in G.
Second, Abella provides tactics for proof construction that embody special knowledge of the specification logic. We discuss these aspects and their impact in more detail below.

$$\forall m, n, a, b\,[\mathit{of}\ m\ (\mathit{arr}\ a\ b) \wedge \mathit{of}\ n\ a \supset \mathit{of}\ (\mathit{app}\ m\ n)\ b]$$
$$\forall r, a, b\,[\forall x\,[\mathit{of}\ x\ a \supset \mathit{of}\ (r\ x)\ b] \supset \mathit{of}\ (\mathit{abs}\ a\ r)\ (\mathit{arr}\ a\ b)]$$

Fig. 1. Second-order hereditary Harrop formulas for typing

3.1 Specification Logic

It is possible to encode object language descriptions directly in definitions in G, but there are two disadvantages to doing so: the resulting definitions may not be executable, and there are common patterns in specifications with λ-tree syntax which we would like to take advantage of. We address these issues by selecting a specification logic which has the features that G lacks, and embedding the evaluation rules of this specification logic into G instead. Object languages are then encoded through descriptions in the specification logic [6].

The specification logic of Abella is second-order hereditary Harrop formulas [8] with support for λ-tree syntax. This allows a transparent encoding of structural operational semantics rules which operate on objects with binding. For example, consider the simply-typed λ-calculus where types are either a base type i or arrow types constructed with arr. Terms are encoded with the constructors app and abs. The constructor abs takes two arguments: the type of the variable being abstracted and the body of the function. Rather than having a constructor for variables, the body argument to abs is an abstraction in our specification logic; thus object level binding is represented by the specification logic binding. For example, the term (λf:i→i. (λx:i. (f x))) is encoded as abs (arr i i) (λf. abs i (λx. app f x)). In the latter term, λ denotes an abstraction in the specification logic.
Given this representation, the typing judgment of m t is defined in Figure 1. Note that these rules do not maintain an explicit context for typing assumptions, instead using a hypothetical judgment to represent assumptions. Also, there is no side condition in the rule for typing abstractions to ensure the variable x does not yet occur in the typing context, since instead of using a particular x for recording a typing assumption, we quantify over all x.

Our specification of typing assignment is executable. More generally, the Abella specification logic is a subset of the language λProlog [11] which can be compiled and executed efficiently [12]. This enables the animation of specifications, which is convenient for assessing specifications before attempting to prove properties over them. This also allows specifications to be used as testing oracles when developing full implementations.

The evaluation rules of our specification logic can be encoded as a definition in G. A particular specification is then encoded in a separate definition which is used by the definition of evaluation in order to realize back-chaining over specification clauses. Reasoning over a specification is realized by reasoning over its evaluation via the definition of the specification logic. Abella takes this further and is customized towards the specification logic. For example, the context of hypothetical judgments in our specification logic admits weakening, contraction, and permutation, all of which are provable in G. Abella automatically uses this meta-level property of the specification logic during reasoning. Details on the benefits of this approach to reasoning are available in Gacek et al. [5].

3.2 Tactics

The user constructs proofs in Abella by applying tactics which correspond to high-level reasoning steps.
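To make the two rules of Figure 1 and the λ-tree encoding concrete, the following Python program is an added illustration; it is not code from the paper or from the Abella distribution. It represents the body of abs as a host-language function (the role played by the specification-logic abstraction), opens a binder on a freshly generated constant whenever the ∀x of the abstraction rule is needed, and records the hypothetical judgment of x a in a context. The constructors I, Arr, App, Abs, the checker-internal Var, and the functions infer and beta are this example's own names; the sample terms are constructed here and include the paper's (λf:i→i. λx:i. f x).

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Union

# --- Types: the base type i and arrow types built with arr ------------------
@dataclass(frozen=True)
class I:
    pass

@dataclass(frozen=True)
class Arr:
    dom: "Ty"
    cod: "Ty"

Ty = Union[I, Arr]

# --- Terms in lambda-tree syntax --------------------------------------------
# `abs` carries the type of the bound variable and its body as a host-language
# function, so the object-level binder is the meta-level (Python) binder.
# `Var` is not a user-facing constructor: it stands for the fresh constant the
# checker introduces when it opens a binder (the role of nominal constants).
@dataclass(frozen=True)
class Var:
    tag: int

@dataclass(frozen=True)
class App:
    fn: "Tm"
    arg: "Tm"

@dataclass
class Abs:
    ty: Ty
    body: Callable[["Tm"], "Tm"]

Tm = Union[Var, App, Abs]

_fresh = itertools.count()   # supply of never-before-used constants


def infer(term: Tm, ctx: Optional[Dict[Var, Ty]] = None) -> Optional[Ty]:
    """Return the type derivable for `term` from the two rules of Fig. 1,
    or None when no derivation exists. `ctx` holds the hypothetical
    judgments `of x a` currently in scope."""
    ctx = {} if ctx is None else ctx
    if isinstance(term, Var):
        # A constant is typable only through a hypothesis `of x a` that was
        # recorded when its binder was opened.
        return ctx.get(term)
    if isinstance(term, App):
        # of m (arr a b) and of n a  imply  of (app m n) b
        fn_ty = infer(term.fn, ctx)
        arg_ty = infer(term.arg, ctx)
        if isinstance(fn_ty, Arr) and arg_ty is not None and fn_ty.dom == arg_ty:
            return fn_ty.cod
        return None
    if isinstance(term, Abs):
        # (forall x. of x a implies of (r x) b)  implies  of (abs a r) (arr a b)
        # "for all x" is realised by opening the body on a brand-new constant;
        # it cannot occur in any earlier term, so no side condition is needed.
        x = Var(next(_fresh))
        body_ty = infer(term.body(x), {**ctx, x: term.ty})
        return Arr(term.ty, body_ty) if body_ty is not None else None
    raise TypeError(f"not a term: {term!r}")


def beta(term: Tm) -> Optional[Tm]:
    """One beta-contraction step, step (app (abs a r) m) (r m). Substitution
    is just application of the host-language function, so capture avoidance
    comes for free from the representation."""
    if isinstance(term, App) and isinstance(term.fn, Abs):
        return term.fn.body(term.arg)
    return None


# Constructed sample terms.
# The paper's example (\f:i->i. \x:i. f x), encoded as
# abs (arr i i) (\f. abs i (\x. app f x)):
EXAMPLE = Abs(Arr(I(), I()), lambda f: Abs(I(), lambda x: App(f, x)))
# The identity on i, and the example applied to it:
IDENT = Abs(I(), lambda y: y)
REDEX = App(EXAMPLE, IDENT)
# An ill-typed term: a variable of type i used as a function.
ILL_TYPED = Abs(I(), lambda x: App(x, x))

if __name__ == "__main__":
    print(infer(EXAMPLE))      # Arr(dom=Arr(dom=I(), cod=I()), cod=Arr(dom=I(), cod=I()))
    print(infer(ILL_TYPED))    # None
    print(infer(REDEX), infer(beta(REDEX)))   # both Arr(dom=I(), cod=I())
```

Running the script types the paper's example term as (i → i) → i → i, rejects the term that applies a variable of type i to itself, and shows that the type of a redex is preserved across one β-step, which is the subject reduction property the paper mentions; the typing rules never inspect variable names, because the representation has none.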
The collection of tactics can be grouped into those that generically orchestrate the rules of G and those that correspond to meta-properties of the specification logic. We discuss these classes in more detail below.

Generic tactics. The majority of tactics in Abella correspond directly to inference rules in G. The most common tactics from this group are the ones which perform induction, introduce variables and hypotheses, conduct case analysis, apply lemmas, and build results from hypotheses. In the examples suite distributed with Abella, these five tactics make up more than 90% of all tactic usages. The remaining generic tactics are for tasks such as splitting a goal of the form G1 ∧ G2 into two separate goals for G1 and G2, or for instantiating the quantifier in a goal of the form ∃x.G.

Specification logic tactics. Since our specification logic is encoded in G, we can formally prove meta-level properties for it. Once such properties are proved, their use in proofs can be built into tactics. Two important properties that Abella uses in this way are instantiation and cut admissibility. In detail, negative uses of the specification logic ∀ quantifier are represented in G as nominal constants (i.e., the ∇ quantifier), and the instantiation tactic allows such nominal constants to be instantiated with specific terms. The cut tactic allows hypothetical judgments to be relieved by showing that they are themselves provable.

4 Implementation

Abella is implemented in OCaml. The most sophisticated component of this implementation is higher-order unification, which is a fundamental part of the logic G. It underlies how case analysis is performed, and in the implementation, unification is used to decide when tactics apply and to determine their result. Thus an efficient implementation of higher-order unification is central to an efficient prover.
For this, Abella uses the higher-order pattern unification package of Nadathur and Linnell [10]. We have also extended this package to deal with the particular features and consequences of reasoning in G.

Treatment of nominal constants. As their name suggests, nominal constants can be treated very similarly to constants for most of the unification algorithm, but there are two key differences. First, while traditional constants can appear in the instantiation of variables, nominal constants cannot appear in the instantiation of variables. Thus dependency information on nominal constants is tracked via explicit raising of variables. Second, nominal constants can be permuted when determining unifiability. However, even in our most sophisticated examples the number of nominal constants appearing at the same time has been at most two. Thus, naive approaches to handling permutability of nominal constants have sufficed and there has been little need to develop sophisticated algorithms.

Simple extensions. The treatment of case analysis via unification for eigenvariables creates unification problems which fall outside of the higher-order pattern unification fragment, yet still have most general unifiers. For example, consider the clause for β-contraction in the λ-calculus: step (app (abs R) M) (R M). Case analysis on a hypothesis of the form step A B will result in the attempt to solve the unification problem B = R M where B, R, and M are all instantiatable. This is outside of the higher-order pattern unification fragment since R is applied to an instantiatable variable, but there is a clear most general unifier. When nominal constants are present, this situation is slightly more complicated, with unification problems such as B x = R M x or B x = R (M x), where x is a nominal constant.
The result is the same, however: a most general unifier exists and is easy to find.

5 Examples

This section briefly describes sample reasoning tasks we have conducted in Abella. The detailed proofs are available in the distribution of Abella [3].

Results from the λ-calculus. Over untyped λ-terms, we have shown the equivalence of big-step and small-step evaluation, preservation of typing for both forms of evaluation, and determinacy for both forms of evaluation. We have shown that the λ-terms can be disjointly partitioned into normal and non-normal forms. Over simply-typed λ-terms, we have shown that typing assignments are unique.

Cut admissibility. We have shown that the cut rule is admissible for a sequent calculus with implication and conjunction. The representation of sequents in our specification logic used hypothetical judgments to represent hypotheses in the sequent. This allowed the cut admissibility proof to take advantage of Abella's built-in treatment of meta-properties of the specification logic.

The POPLmark challenge. The POPLmark challenge [1] is a selection of problems which highlight the traditional difficulties in reasoning over systems which manipulate objects with binding. The particular tasks of the challenge involve reasoning about evaluation, typing, and subtyping for F<:, a λ-calculus with bounded subtype polymorphism. We have solved parts 1a and 2a of this challenge using Abella, which represent the fundamental reasoning tasks involving objects with binding.

Proving normalizability à la Tait. We have shown that all closed terms in the call-by-value, simply-typed λ-calculus are normalizable using the logical relations argument in the style of Tait [14]. Fundamental in this proof was the encoding of arbitrary cascading substitutions which allows one to consider all closed instantiations for an open λ-term.
Encoding and reasoning over this form of substitution makes essential use of the extended form of definitions in G.

6 Future and Related Work

Induction and coinduction. The logic G currently supports induction on natural numbers. Similar logics have been extended to support structural induction and coinduction on definitions [15]. Already, the implementation of Abella has support for these features. A paper which describes the extended logic supporting these features is in preparation.

User programmability. Tactics-based theorem provers often support tacticals which allow users to compose tactics in useful ways. Some systems even go beyond this and offer a full programming language for creating custom tactics. We would like to extend Abella with such features.

Proof search. Many proofs in Abella follow a straightforward pattern of essentially induction, case analysis, and building from hypotheses. We would like to extend Abella to perform these types of proofs automatically. Recent results on focusing in similar logics may offer some insight into a disciplined approach to automated proof search [2].

Related work. A closely related system is Twelf [13] which is based on a dependently typed λ-calculus for specification. Controlling for dependent types, the most significant difference is that our meta-logic is significantly richer than the one in Twelf. Also related is the Nominal package [17] for Isabelle/HOL which allows for reasoning over α-equivalence classes. This approach leverages existing theorem proving work, but does not address the full problem of reasoning with binding. In particular, all work related to substitution is left to the user. A more detailed comparison with these works is available in Gacek et al. [5].
Acknowledgements

I am grateful to David Baelde, Dale Miller, Gopalan Nadathur, Randy Pollack, and Alwen Tiu for their input and feedback on the development of Abella. Anonymous reviewers provided helpful comments on an earlier version of this paper. This work has been supported by the NSF Grant CCR-0429572 and by a grant from Boston Scientific. Opinions, findings, and conclusions or recommendations expressed in this work are those of the authors and do not necessarily reflect the views of the National Science Foundation.

References

1. Brian E. Aydemir, Aaron Bohannon, Matthew Fairbairn, J. Nathan Foster, Benjamin C. Pierce, Peter Sewell, Dimitrios Vytiniotis, Geoffrey Washburn, Stephanie Weirich, and Steve Zdancewic. Mechanized metatheory for the masses: The PoplMark challenge. In Theorem Proving in Higher Order Logics: 18th International Conference, number 3603 in LNCS, pages 50–65. Springer-Verlag, 2005.
2. David Baelde and Dale Miller. Least and greatest fixed points in linear logic. In N. Dershowitz and A. Voronkov, editors, International Conference on Logic for Programming and Automated Reasoning (LPAR), volume 4790 of Lecture Notes in Computer Science, pages 92–106, 2007.
3. Andrew Gacek. The Abella system. Available in source code from http://abella.cs.umn.edu/, 2008.
4. Andrew Gacek, Dale Miller, and Gopalan Nadathur. Combining generic judgments with recursive definitions. In F. Pfenning, editor, 23rd Symp. on Logic in Computer Science. IEEE Computer Society Press, 2008. To appear.
5. Andrew Gacek, Dale Miller, and Gopalan Nadathur. Reasoning in Abella about structural operational semantics specifications. Available from http://arxiv.org/abs/0804.3914. To appear in LFMTP'08, 2008.
6. Raymond McDowell and Dale Miller. Reasoning with higher-order abstract syntax in a logical framework. ACM Trans. on Computational Logic, 3(1):80–136, 2002.
7. Dale Miller. Abstract syntax for variable binders: An overview. In John Lloyd et al., editors, Computational Logic - CL 2000, number 1861 in LNAI, pages 239–253. Springer, 2000.
8. Dale Miller, Gopalan Nadathur, Frank Pfenning, and Andre Scedrov. Uniform proofs as a foundation for logic programming. Annals of Pure and Applied Logic, 51:125–157, 1991.
9. Dale Miller and Alwen Tiu. A proof theory for generic judgments. ACM Trans. on Computational Logic, 6(4):749–783, October 2005.
10. Gopalan Nadathur and Natalie Linnell. Practical higher-order pattern unification with on-the-fly raising. In ICLP 2005: 21st International Logic Programming Conference, volume 3668 of LNCS, pages 371–386, Sitges, Spain, October 2005. Springer.
11. Gopalan Nadathur and Dale Miller. An Overview of λProlog. In Fifth International Logic Programming Conference, pages 810–827, Seattle, August 1988. MIT Press.
12. Gopalan Nadathur and Dustin J. Mitchell. System description: Teyjus—A compiler and abstract machine based implementation of Lambda Prolog. In H. Ganzinger, editor, Proceedings of the 16th International Conference on Automated Deduction, pages 287–291, Trento, Italy, July 1999. Springer-Verlag LNCS.
13. Frank Pfenning and Carsten Schürmann. System description: Twelf — A meta-logical framework for deductive systems. In H. Ganzinger, editor, 16th Conference on Automated Deduction, number 1632 in LNAI, pages 202–206, Trento, 1999. Springer.
14. W. W. Tait. Intensional interpretations of functionals of finite type I. J. of Symbolic Logic, 32(2):198–212, 1967.
15. Alwen Tiu. A Logical Framework for Reasoning about Logical Specifications. PhD thesis, Pennsylvania State University, May 2004.
16. Alwen Tiu. A logic for reasoning about generic judgments. In A. Momigliano and B. Pientka, editors, International Workshop on Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP'06), 2006.
17. Christian Urban and Christine Tasson. Nominal techniques in Isabelle/HOL. In R. Nieuwenhuis, editor, 20th Conference on Automated Deduction (CADE), volume 3632 of LNCS, pages 38–53. Springer, 2005.