As you read this column, you will be traveling a path in history -- a path that begins with M. Stone in 1936 with his monumental result about Boolean algebra, passes through a point in 2000 marked by the successful research of Robert Verofff and William McCune in their search for single axioms for the area of mathematics, takes you past an earlier column of mine (I believe published in 2014), and comes now to the present with some challenges for you. (Marshal Stone, with the Stone Representation Theorem, proved that every Boolean algebra is isomorphic to all closed and open subsets of a certain topological space.) What is common to these points in history is a focus on Boolean algebra -- one of the areas of mathematics that has been studied from widely different views. Boolean algebra can be explored in Terms of relations. That emphasizing union and intersection is more familiar, but here it is studied in terms of the Sheffer stroke.
The Sheffer stroke, denoted by the function f, of A and B is the logical nand of A and B, the not of the and of A and b. Veroff and his colleagues successfully showed that the following equation is a single axiom for Boolean algebra.
f(f(x,f(f(y,x),x)),f(y,f(z,x))) = y. % second candidate
The denial used, and that I suggest to be used in this column, is the following, where | denotes logical or.
f(f(a,a),f(a,a)) != a | f(a,f(b,f(b,b))) != f(a,a) | f(f(f(b,b),a),f(f(c,c),a)) != f(f(a,f(b,c)),f(a,f(b,c))).
This denial corresponds to the negation of a 3-basis for Boolean algebra in terms of the Sheffer stroke.
Your first challenge is to prove that each of the following three equations is also a single axiom in addition to the equation just given.
f(f(f(x,y),z),f(f(x,f(x,z)),x)) = z. % candidate 1 f(f(f(x,y),z),f(x,f(f(x,z),x))) = z. % candidate 3 f(f(f(x,f(y,x)),x),f(y,f(z,x))) = y. % candidate four
Yes, Veroff and McCune proved each of the three, candidates 1, 3, and 4, to be a single axiom. Of course, as is typical of my challenges, I recommend that you do not browse in the literature. I conjecture that many, or most, of you will rely on a Knuth-Bendix approach.
Your second challenge, which some may have already met, is to find for each of the three (1, 3, and 4) a forward proof that is free of demodulation, of course excluding the second of the four offered in an earlier column.
Possibly, the proofs of each of the three deducing the 3-basis, should you obtain them, may vary quite a bit in nature and length. If so, do you have a theory about why such differences occur, a theory based on one or more properties of each of the cited three?
But a far more difficult challenge, if my own research is a model, is the following. When asked to prove that some given equation or formula is a single axiom, in essence you are being asked to prove that the item is powerful enough that a proof can be found from it that derives some known basis. That proof might be one of contradiction; the proof you obtain may not actually derive the members of the basis. You must also prove that the item in focus is a theorem of the area under study, that it can be proved from some basis. Obtaining such a proof can be most difficult.
I have proofs for each of the cited four single axioms, proofs that each is a theorem, derived by using as an axiom set the cited 3-basis. I might not have found these proofs were it not for the substantial guidance provided by my colleague Veroff. So, for your third challenge, you are asked to prove that each of the four is in fact a theorem by starting with the 3-basis as the set of axioms.
The fourth challenge is to produce forward proofs, deriving the 3-basis, each free of the use of demodulation; in other words, you are asked not to rely on Knuth-Bendix.
In the Editor's Corner of AAR Newsletter No. 124, July 2018, Sophie Tourret reported on the Matryoshka workshop that focused on ongoing work in higher-order automated reasoning, its challenges and applications. Given my interest in this topic and my own experience in developing theorem proving software for Extensional Type Theory (ExTT), it is exciting for me to see increasingly many groups and projects working on various aspects of higher-order automation. In addition to the names that usually come to mind when talking about higher-order reasoning, that is e.g. TPS, Satallax, agsyHOL, and the Leo prover family, there is ongoing work on extending first-order provers such as Zipperposition, E and Vampire, and SMT solvers including CVC4, veriT to higher-order reasoning. Input-output standards for formulating higher-order problem statements and system results were included into the TPTP portfolio in 2008 (THF format), and there is ongoing work on a new version of the SMT-LIB standard and library which will address higher-order language features, too. In this column I highlight some of the challenges that I encountered when developing Leo-III, a higher-order theorem prover for ExTT, as part of my PhD studies.
There is a saying that laws are like sausages: It is better not to see them being made. In my opinion this also applies to higher-order automated theorem provers – at least to some extent. While, in contrast, it might be interesting to see how these provers are being made, there is still some truth to the point that not all of their ingredients are pleasing to the eye. This is because there are several complications to ExTT automation stemming from an intricate meta-theory. I will outline some of these complications in the context of practical system development in more detail below, each with a short description about how they are currently addressed within Leo-III. Leo-III is a refutational theorem prover that implements a higher-order paramodulation calculus. The input axioms and the negated conjecture (if any) are clausified and subsequently saturated until an empty clause is found. The proof search is organized as a sequential loop that is inspired by the given-clause algorithm implemented in Stephan Schulz' E prover.
Let's start with higher-order unification. It is generally known
that the unification problem is undecidable for higher-order terms of ExTT.
From a pragmatic perspective, this situation is unpleasant but not too bad;
the usual question is when to stop searching for unifiers during proof search.
What is done in most higher-order systems is that either a certain
search depth D
is fixed (the number of nodes taken in the branching
search tree) for ensuring termination, or that full higher-order
is replaced with a routine for the decidable pattern fragment. Both approaches
sacrifice completeness in general, however it seems that often both ways work
quite well in practice. In Leo-III, pattern unification is applied whenever possible. If the unification
problem is outside of the pattern fragment, a fixed-depth search using
a variant of higher-order unification is invoked. Evaluation results suggest
that a depth of D = 8
is usually sufficient for higher-order problems
from the TPTP library.
To my mind, the more difficult aspect of higher-order unification is that it is
not unitary: There might be infinitely many most-general unifiers for a given pair of
ExTT terms. The question is how to proceed searching in the branching unification search tree,
and how many and which unifiers to take of those that are found within the search depth D
If too few are picked, the unsatisfiable set might not be refutable. If too many
are picked, the search space is growing even more and we might also not find a refutation
within reasonable resource limits.
I do not know of any well-studied approach to select unifiers in a meaningful way.
When multiple unifiers are found, Leo-III will currently
pick at most N
unifiers, at least one from every top-level branch
of the search tree (if possible).
By default, Leo-III takes at most N = 4
unifiers for any unification
task during proof search.
Lowering the number of maximal unifiers to
N = 1
drastically lowers the number of solved problems in my experience,
whereas a higher number does not change the outcome significantly.
The next point might cause acute abdominal pain to those unprepared:
From the previous paragraph it is apparent that higher-order unification cannot in general be used as a
meta-operation for filtering possible inferences; even if employed with a termination
condition and sacrificing completeness. Instead, the individual unification
transformation rules are interpreted as calculus rules in their own right and they
may need to be applied even though the respective pair of terms is known to be non-unifiable.
There are cases in which inferences need to be generated and inserted into the search space
although the terms involved in the inference are evidently not unifiable.
This is due to the intricate relationship between unifiability
and equality modulo Boolean
extensionality; as ExTT equality (=
) and equivalence
, if and only if)
coincide for Boolean-typed terms. One can easily imagine the implications
on the search space's size.
As an example, consider the three clauses
, p(b)
and ~p(a & b)
, where
, b
are formulas (atomic propositions)
and p
is a predicate on formulas. The set
containing these clauses is unsatisfiable in ExTT. However,
every inference between the first two and the last clause will be
disregarded if the system restricts generating inferences to unifiable terms only.
In contrast, resolving and applying the decomposition rule of Huet's unification procedure
produces the new clauses a != (a & b)
and b != (a & b)
from which a refutation can be found (after applying further rules handling Boolean
extensionality and clausification).
Simply taking all type-correct inferences is infeasible in practice,
so Leo-III uses heuristics to determine whether to disregard or keep an inference result,
even if unification fails.
This heuristic will keep inference results where at least one of the simplifying unification rules
can be applied, or results that have Boolean-typed subterms. This behavior can
be disabled if required, but it seems a passable trade-off at the current state.
I could now go on about issues involving primitive substitutions (blind guessing of top-level predicate variable instantiations), equality reasoning (lack of powerful redundancy methods, semantically definable equality predicates), re-clausification, lack of indexing techniques, etc, but let me stop here. The important aspect is that there are hardly any results available that guide the implementation of a higher-order theorem prover for ExTT. Leo-III tries to carefully balance between completeness and effectivity using various heuristics and trade-offs, and recent evaluations seem to confirm that this is indeed a fruitful approach. All of this is still merely a remedy for the symptoms of deeper and more fundamental problems, and I certainly hope that this is not the end of it.
What I learned from developing Leo-III is that efficiency as such is not of primary importance when it comes to ExTT reasoning. If the system does the wrong things very fast it will get you nowhere; but if it does the right thing slow, it will still produce results. There are, in my experience, usually only few genuine higher-order reasoning steps involved (the "Eureka-steps") in the whole process. So, if these steps are addressed appropriately, the remaining proof search can hopefully be done by faster and more efficient reasoning tools e.g. for first-order logic. Cooperation between higher-order and first-order systems is one of the underlying ideas of the Leo-III prover and the reason why Leo-III is intended to be used in combination with a first-order ATP system (such as E, iProver, Vampire, etc.) as a sub-system.
Honestly, I am not genuinely satisfied with the state of the art in automated higher-order reasoning and with Leo-III for that matter. There are quite a few aspects in Leo's source code that feel like trial-and-error, finger-crossing and magic. There is certainly need for more sophisticated proof calculi, practically oriented implementation techniques and well-grounded heuristics and I am excited to see what we will come up with in the next years and decades. If you have ideas on how to address the above sketched issues in Leo-III, I'd be happy to hear them!
Thanks to Jasmin Blanchette for proof-reading this column :-)
The 2019 Herbrand Award for distinguished contributions to automated reasoning will be presented to
Nikolaj Bjørner and Leonardo de Moura
in recognition of their numerous and important contributions to SMT
solving, including its theory, implementation, and application to a
wide range of academic and industrial needs.
The affairs of CADE are managed by its Board of Trustees.
Nominations for four CADE trustee positions are being sought, in preparation for the elections to be held after CADE-27.
The current members of the board of trustees are (in alphabetical order):
The terms of Jasmin Blanchette, Laura Kovács, Renate Schmidt, and Christoph Weidenbach end. All of them may be nominated for a second term.
The term of office of Pascal Fontaine as CADE-27 program chair also ends; he is replaced by IJCAR 2020 program co-chair Nicolas Peltier. As outgoing ex-officio trustee, Pascal Fontaine is eligible to be nominated as elected trustee.
In summary, we are seeking to elect four trustees.
Nominations can be made by any CADE member, either by e-mail or in person at the CADE business meeting at CADE-27 in Natal. Two members, a principal nominator and a second, are required to make a nomination, and it is their responsibility to ask people's permission before nominating them. A member may nominate or second only one candidate. Nominees must be CADE members, i.e., they must have participated at any of the CADE or IJCAR conferences in the years 2016-2019. For further details please see the CADE Inc. bylaws at the CADE web site.
E-mail nominations can be provided up to the upcoming CADE business meeting, via email to
Christoph Weidenbach, President of CADE Inc.with copies to
Philipp Rümmer, Secretary of CADE Inc.
Jean-Marie Hullot, a computer scientist with a substantial scientific and industrial career, including early contributions to automated reasoning, has passed away. His eulogy (in french), written by Gérard Berry et Gérard Huet, can be found here.