BOYMOR.QLE QL.REP] - Stacksxk898wv6983/xk898wv6983.pdf · 15 jun 1978 6:55 boymor.qle ql,rep] page 1-1 (cont.) (cont.) (cont.) (cont.) (cont.) (cont.) prover prover (cont.) 5 comment

.

Name: Avron Barr

Project: 1 Programmer: AB

File Name: BOYMOR.QLE QL.REP]

File Last Written: 10:05 5 Jun 1978

Time: 6:55 Date: 15 Jun 1978

Stanford UniversityArtificial Intelligence Laboratory

Computer Science Department "

Stanford,

California

15 Jun 1978 6:55 BOYMOR.QLE QL, REP] PAGE 1-1

(cont.)(cont. )(cont. )(cont. )(cont. )(cont. )

PROVERPROVER (cont.)

5

COMMENT ® VALID 00018 PAGESC REC PAGE DESCRIPTIONDESCRIPTIONCOOOOl 00001COOOO3 00002 INTRODUCTIONCOOBll 00003 THE THEORYCOOO l6 00004 THE THEORY (cont.)COOO2l 00005 THE SHELL MECHANISMC00023 00006 AN OVERVIEW OF THE THEOREM PROVERCOOO2B 00007 AN OVERVIEW OF THE THEOREM PROVERC00032 00008 AN OVERVIEW OF THE THEOREM PROVERC00034 00009 AN OVERVIEW OF THE THEOREM PROVERC00039 00010 AN OVERVIEW OF THE THEOREM PROVERC00044 00011 AN OVERVIEW OF THE THEOREM PROVERC00049 00012 AN OVERVIEW OF THE THEOREM PROVERCOOO5l 00013 IMPLEMENTATION DETAILSC00064 00014 THEMES OF THE BOYER-MOORE THEOREMCOOO7l 00015 THEMES OF THE BOYER-MOORE THEOREMC00877 00016 AN EXAMPLECOOOBl 00017 AN EXAMPLE (cont.)COOOB2 00018 BIBLIOGRAPHYCOOOB4 ENDMK

15 Jun 1978 6:55 BOYMOR.QLE QL, REP] PAGE 2-1

INTRODUCTION

The Boyer-Moore Theorem Prover (Boyer & Moore 78) embodies an extensiblemathematical theory (recursive function theory) in which theorems can be statedand automatically proved. The system is designed to prove theorems bycontinuously rewriting the current formula (Bledsoe 71,77) without the need toever backtrack and alter a decision. While each rewriting rule is sound, formalequivalence is not necessarily preserved thus the system is not complete. Butheuristics are employed to guide the rewriting process, applying rules which thesystem believes will allow retention of the ' theoremness' of a formula. Thetheory can be extended by the addition of new function definitions and new datatypes. Novel features include the automatic use of structural induction(Burstall 69) and recursive quantification (Skolem 67). The relationshipsbetween recursion, termination, and the inductively defined data objects allowthe BMTP to automatically produce induction proofs. Recursive functions, usedas an alternative to quantification, offer a powerful form of expression whendealing with finitely constructed objects such as the discrete mathematicalstructures used by computer programs.

Lets take a look at two examples of theorems that can be stated and provedwithin the theory if the appropriate functions are defined. The naturalnumbers are a built in data type. If the user supplied the recursivedefinitions of ADD and TIMES then the user could direct the system to try andprove:

(EQUAL (TIMES A (ADD B C)) (ADD (TIMES A B) (TIMES B C)))

All free variables are assumed universally quantified so the above theoremjust states that multiplication distributes over addition. Likewise, the usercould write a predicate called ORDERED which determined if a list of numberswere in numerical order. A function SORT could be written which takes any listof numbers and puts it into numerical order. To verify the function works theuser can ask the system to prove:

(ORDERED (SORT X))*

The system automatically proves the theorems it is presented with, possiblyusing rewrite lemmas which have been retained from the proofs of previoustheorems or axioms which have been added by the introduction of new data types.Most theorems cannot be proved from first principles so the user must structurethe desired proof by intuiting what lemmas will be necessary. The user thenproves these lemmas (as theorems in their own right) and instructs the system tosave them. Since lemmas must be proved before they can be automatically usedthe BMTP is assured of the validity of the proof of the final theorem. Eventheorems that can be proved without lemmas can have their proofs speeded up bythe use of lemmas. If the BMTP fails to prove the desired result the user canobserve the resultant proof attempt (the system provides a very readable trace)as an aid to determining where the proof went awry and as an aid in formulatingnew lemmas which might allow the proof to complete. Thus we characterize thesystem as an 'automatic' theorem prover since we only specify what to prove, nothow to prove it. But we must observe that if a proof fails the user provides abit of the 'how' by formulating an appropriate lemma.

The present system is experimental and being continually tested andimproved. The system has already proven approxiamtely 400 theorems whichincludes the soundness and completeness of a tautology checker for propositionalcalculus, the equivalence of interpreted and optimized compiled code for asimple arithmetic language, the correctness of the Boyer-Moore fast stringsearching algorithm, and the prime factorization theorem.

15 Jun 1978 6:55 BOYMOR.QLE QL.REP] PAGE 2-2

* The system should also prove that SORT permutes the elements of X.

15 Jun 1978 6:55 BOYMOR.QL[ QL,REP] PAGE 3-1

THE THEORY

The syntax of the theory is closely related to the prefix notation used inLISP. Terms are variables or specified by (f xl ... xn) where f is an n-aryfunction symbol and all the xi's are terms. Constants are represented as 0-aryfunctions (e.g. (TRUE), (FALSE), (ZERO), etc.). The variables in any formulaare implicitly under universal quantification.

Functions are introduced by adding the equality axiom (f xl ... xn) =<function body>. In order to retain consistency the BMTP requires that eachnewly defined function be either non-recursive or recursive with the BMTP ableto prove the function is total. The proof of totality is based on the notion ofmeasure functions and well-founded relations*. The system can automaticallycreate composite lexicographic orders from primitive well-founded relations.Well-foundedness is impossible to state (or prove) within the theory. So thesystem is initialized with LESSP (less than defined on the natural numbers) asa well-founded function and the Shell mechanism allows the introduction ofothers.

When making function definitions it is often necessary to include testswhich allow the returned value of a function to be one of a set of terms. Theusual treatment of logic does not allow for the embedding of propositions withinterms so the BMTP recreates the effects of propositions at the term level. Theycreate four axioms to define the functions of EQUAL and IF which form the coreof the BMTP. We abbreviate (TRUE) as T, (FALSE) as F and add the axiom that Tand F are distinct.

Thus, the term (EQUAL X V) has value T if the proposition X=Y is true andit has value F if X=Y is false. BM define no predicates and instead deal withina theory of functions. They talk about proving a function is a theorem as ashort-hand for proving the value of a function is not F.

Functional versions of common logical connectives are defined with IF.These definitions capture the semantics of the common logical connectives.

1) (NOT P) = (IF P F T)2) (AND P Q) = (IF P (IF Q T F) F)

4) (IMPLIES P Q) = (IF P (IF Q T F) T)

Besides augmenting the theory by adding functions the BMTP allows thecreation of arbitrary data types. These data types are typically definedinductively and made known to the system by the use of the Shell mechanism.This mechanism adds additional axioms to the system which are guarenteed toleave the theory consistent. Data objects are considered to be finitelyconstructed. Data types are mutually exclusive yet not assummed to beexhaustive. This guarentees that the subsequent addition of new data types willnot invalidate previously proved theorems.

1) T*F2) X=Y => (EQUAL X Y)=T3) X/Y => (EQUAL X Y)=F4) X=F => (IF X V Z)=Z5) X*F => (IF X V Z)=Y

3) (OR P Q) = (IF P T (IF Q T F))


THE THEORY (cont.)

Proofs Within the system are accomplished by absorbtion, idempotency, thelaw of excluded middle (e.g. T v X ■» T, F v X "» X, X v ~X -♦ T, and theircommutative counterparts), and induction principles. Recursion as a controlstructure is analogous to inductively defined data types as a data structure.The proof theoretic counterpart of these two is the Generalized Principle ofInduction or Noetherian Induction. A consistent induction mechanism is presentedwithin the theory. It allows a base case as well as k remaining induction stepseach which can contain several induction hypotheses. It requires a relationwhich is well-founded on a measured set of variables over all substitutionsrequired to instantiate the k+l cases. Heuristic methods are employed in theBMTP to formulate this schema.

* A well-founded relation r is one that admits no infinitely decreasingsequences. That is, there can not exist an infinite sequence 1,2,... suchthat (r Xi + 1 Xi). A simple well-founded relation is < on the non-negativeintegers. For any XI we can not find an infinite sequence of Xis such that

Two examples of non-well-founded relations are < over all the integers (sincewe can always get smaller negative integers) and

_.

over the non-negativeintegers (since we can use the same number repeatedly) 4 An intuitiveillustration for proving termination by using well-founded relations goes asfollows. Consider the classic recursive factorial function defined for thenon-negative integers. Its definition is

f is immediately able to compute an answer for 0 while it recursively computesthe answer for bigger numbers. Each time f is recursively called it is givena number which is < the current number. This is known by the fact that if Xis a non zero number then X-l < X (remember we all dealing only withnon-negative numbers with 8-1 undefined or just 6). From our knowledge ofwell-founded relations we can see that f cannot recur forever since that wouldimply that there is an infinite sequence of non-negative integers each < theprevious.

In general recursive functions normally compute answers immediately for smalldata objects but must recur for larger composite objects. Each recursiontypically operates on only a part of the composite data object. The BMTPcreates axioms for each defined data object stating that the parts are eachsmaller that the whole (under some well-founded relation). The BMTP provestermination by proving that each recursive function call is performing

Xi+l < Xi < Xi-1 < ... < XI

f(x)=(if x=o then 1 else x*f(x-l))


computations on a smaller (by some well-founded relation) object.

15 Jun 1978 6:55

THE SHELL MECHANISM

The Shell mechanism is used to introduce new data types. It is just asyntactic form from which consistent and complete type axioms are created.As an illustration the definition of lists by the shell mechanism follows:

add the shell CONS, of 2 argumentsrecognizer LISTP

PAGE 5-1BOYMOR.QL[ QL.REP]

accessors CAR, CDRdefault values "NIL", "NIL"

A few of the important axioms added (with symmetric CDR axioms):

(LISTP (CONS x y)) -- a CONS of two things is always a list

(EQUAL (CAR (CONS x y) x)) -- definition of the CAR accessing function

(IMPLIES (LISTP x) (LESSP (CAR x) x)) -- a measure property used in proving termination

(EQUAL (EQUAL (CONS a b) (CONS x y)) -- two CONS's are equal if their parts(AND (EQUAL a x) (EQUAL by))) are equal

(IMPLIES (LISTP x) -- system can trade CARs and CDRs for(EQUAL (CONS (CAR x) (CDR x)) CONSes

x)

15 Jun 1978 6:55 BOYMOR.QL[ QL.REP] PAGE 6-1

AN OVERVIEW OF THE THEOREM PROVER

The BMTP proves a formula is a theorem by continually rewriting theformula until it is reduced to T. The BMTP operates in a strictly linearmanner without the need of backtracking. This strategy leads to astratification of the classes of rewrite rules, in which the moreconservative transformations (i.e. those which guarentee equivalence) areattempted to be applied first. Induction rewrite rules are applied lastsince they are the least conservative transformations and it is importantthat induction be applied to the simpliest and most general form of aformula. As a consequence, many of the rewrite rules have been designed toproduce a formula which is more amenable to inductive arguments. A. list; qf therewrite rule classes is now presented. Rules at level i+l are tried only whenall rules at level i fail to be applicable. If a rewrite rule applies at anylevel of the hierarchy the formula is rewritten and the entire TP is recursivelyinvoked on the new formula.

1) Simplification: The formula is rewritten by the logical proof rules, theinitial axioms, the axioms added by function and data typedefinitions, and retained lemmas which were previously proved astheorems. The formula is also rewritten to conjunctive normal form(see implementation) which splits the formula into several independentformulas. All these rewriting rules retain truth valueequivalence. The Simplifier is a small theorem prover in its ownright. Example information known to the Simplifier is:

a) Logical Proof Rule: X v T = T

c) Function Axiom: (APPEND x y) = (IF (LISTP x)(CONS (CAR x) (APPEND (CDR x) y))y)

c) Lemma: (APPEND (APPEND x y ) z) = (APPEND x (APPEND y z))

Simplification is sufficient to prove the following formula which isthe base case of the induction needed to prove that APPEND is associative:

(IMPLIES (NOT (LISTP A))(EQUAL (APPEND (APPEND A B) C)

(APPEND A (APPEND B C))))

Knowing that A is not a list allows the APPEND functions to open-upand return their second arguments. The formula simplifies to:

(IMPLIES (NOT (LISTP A))(EQUAL (APPEND B C)

(APPEND BC)))

Which, since the two APPEND terms are identical, simplifies to

(IMPLIES (NOT (LISTP A)) T)

and finally simplifies to T (since the formula is equivalent to theclause (LISTP A) v T Which by the above proof rule is rewritten to T.

If simplification cannot determine the truth value of a formula we

b) Initial Axiom: x=y => (IF x y z) = y

d) Data Type Axiom: (CDR (CONS x y)) = y

15 Jun 1978 6:55 BOYMOR.QL[ QL,REPJ PAGE 6-2

probably will have to apply the induction rewriting rules. The nextfour cases are useful in cleaning up the formula as much as possible.


AN OVERVIEW OF THE THEOREM PROVER (cont.)

2) Eliminate Undesirable Concepts: Frequently it is useful to restate a formulatrading some functions for others. This is plausible since certainfunctions are easier to rewrite or have more lemmas involving them.This type of rule is a special sub-class of the general simplificationrules and is handled seperately since it requires special processing.An example rule (added by the Shell mechanism for lists) is:

(p x) = (p (CONS A B)) if x is known to be a list

which instantiated during the induction proof that the function REVERSEis its own inverse looks like:

(IMPLIES(AND (LISTP X)

(EQUAL (REVERSE (REVERSE (CDR X))) (CDR X))(PLISTP (CDR X)))

(EQUAL (REVERSE (APPEND (REVERSE (CDR X))(CONS (CAR X) "NIL")))

X))

( IMPLIES(AND (LISTP (CONS A B))

(EQUAL (REVERSE (REVERSE (CDR (CONS A B)))) (CDR (CONS A B)))(PLISTP (CDR (CONS A B))))

(EQUAL (REVERSE (APPEND (REVERSE B)(CONS A "NIL")))

(CONS A B)))

Here we have traded a CAR and CDR for a CONS. Note that this transformationwas applicable since X was known to be a list from the hyposthesis of theimplication. A and B are new variable names.

While this looks fairly complicated, the formula is passed back to theSimplifier which rewrites the formula (using the list axioms added inthe Shell mechanism section) to:

(IMPLIES(AND (EQUAL (REVERSE (REVERSE B)) B)

(PLISTP B))(EQUAL (REVERSE (APPEND (REVERSE B)

(CONS A "NIL")))(CONS A B))

3) Using Equalities: The BMTP uses equalities by substituting equals for equalsand then usually removes the equality term from the formula. This is notguarenteed to be complete but a heuristic decision procedure which decideswhich terms to substitute performs excellently. The reason the equalityterm is removed is to simplify the statement of the formula (which hopefullyis still a theorem). Two distinct classes of substitutions are performed;

dun 1978 6:55 BOYMOR.QL[ QL.REP] PAGE 8-115

AN

B>)

OVERVIEW OF THE THEOREM PROVER (cont.)

a) Uniform Substitution: If the term (EQUAL x cv) is found, where x isa term and cv is an explicit value, then cv is uniformly substitutedfor x within the rest of the formula. The symmetric case applies.

b) Cross Fertilization: If the term (EQUAL xy) is found, where bothx and y are not explicit values, and another term of the form (p <anyterm> <term which contains y>) is found then x is substituted for yonly in the right hand side of p, and the equality is removed fromthe formula. The symmetric case applies. This heuristic is closelycorrelated with the way induction is performed. It is designed toallow maximal use of the induction hypothesis. The connection is abit subtle and the reader is referred to Boyer & Moores' sdescription.

Continuing the above example the antecedent has an equality of the form(EQUAL x B) and the consequent term is of the form (p <term> <term withso we cross-ferilize. The resultant formula is:

(IMPLIES(PLISTP B))(EQUAL (REVERSE (APPEND (REVERSE B)

(CONS A "NIL")))(CONS A (REVERSE (REVERSE B))))



4) Generalization: A further simplification can be accomplished by replacinga term in the formula by a variable, thus generalizing the formula andallowing an induction on the newly variabl ized position in the formula.Hopefully by the time we reach this point the internal structure of theterm has already contributed its significance to the proof and can beignored. The BMTP can add certain typing restrictions to the variableintroduced to prevent the formula from becomming over generalized. TheREVERSE example that we have been following does not adequately illustrategeneralizationso We move temprorarily to a different example:

(EQUAL (APPEND (FLATTEN Z)(APPEND (FLATTEN V) ANS))

(APPEND (APPEND (FLATTEN Z) (FLATTEN V))ANS))

(IMPLIES (AND (LISTP A) (LISTP B))(EQUAL (APPEND A (APPEND B ANS))

(APPEND (APPEND A B) ANS))

Here (FLATTEN Z) and (FLATTEN V) have been generalized to A and Brespectively. Typing information has been added showing that both A andB are list data types since the system is aware of a theorem stating thatFLATTEN always produces a list. The formula now is just the statementthat APPEND is associative.

5) Elimination of Irrelevant Terms: While performing the above transformationsit is often the case that irrelevant terms are left in a formula. Theremoval of these terms helps the TP by cleaning up the upcomming inductionor by quickly detecting the attempt to prove a non-theorem. Whilethese are difficult to spot in general, there are two special cases whichfrequently occur. First all the terms of a formula are partitioned intoequivalence classes with terml in the same class as term 2if they sharea common variable.

a) If a class contains only non-recursive functions, all terms in the classare removed from the formula. If these formulas were always non-F thenthe Simplifier should have been able to prove this fact. Passing theseterms on to the Induction mechanism will not help since the terms arenot recursively defined.

b) If a class contains a single recursive function it is removed. A singlefunction which can not be shown to be always non-F by the Simplifierprobably can assume non-F values

Continuing our example of the proof that (EQUAL (REVERSE (REVERSE X)) X)the theorem is generalized to:

(IMPLIES(PLISTP B))(EQUAL (REVERSE (APPEND X (CONS A "NIL")))

(CONS A (REVERSE X)))

by relplacing all occurences of (REVERSE B) with X. No extra typinginformation is added during generalization. The antecedent is eliminatedby rule (b) leaving the formula:

BOYMOR.QL[ QL,REP] PAGE 9-215 Jun 1978 6:55

(EQUAL (REVERSE (APPEND X (CONS A "NIL"))(CONS A (REVERSE X))))

which is a statement asserting that reversing the concatenation of X and Ais equivalent to concatenating A with the reverse of X.

BOYMOR.QLC QL,REP] PAGE 18-115 Jun 1978 6:55

AN

6)


Perform an Induction: When all else has failed the BMTP automaticallyformulates a valid induction argument to try to prove the theorem. Theheuristics employed here represent the heart of the BMTP. Inductionsare formulated by using information collected at the time the functionis defined and the time the actual induction is needed.

a) Function Definition Time: When a function is defined, the systemmust prove that the function terminates before allowing thedefinition. Termination is proved by finding a well-foundedfunction which decreases when applied to a subset (measured set)of the arguments used in all recursive calls. The systemexhaustively searches through all lexicographic orders of allwell-founded functions (LESSP is initially the only one but othersare added by the shell mechanism) applied to all subsets andpermutations of a function's arguments.

These are all collected in a set of induction templates which areassociated with the newly defined function. These templates includethe form of the induction to be performed and all of the variablesubstitutions which will need to be made.

The following illustrates the creation of induction templatesat function definition time for REVERSE which is defined as:

(REVERSE X) = (IF (LISTP X)(APPEND (REVERSE (CDR X)) (CONS (CAR X) "NIL"))(CONS X "NIL"))

The proof of termination is fairly simple Since REVERSE is monadicand there is only one recursive function call within its body. TheBMTP utilizes the information that the recursive function call isonly executed if X is known to be a list. Thus to prove REVERSE,terminates it tries to proye the theqrem: "

(IMPLIES (LISTP X) (LESSP (CDR X) X))

The system proves this theorem (it recursively calls itself) bynoticing that this formula is equivalent to an axiom added by theShell mechanism during the definition of lists (see Shell mechanismsection). This is the only way the system can prove termination sothe only induction template produced is:

(AND (IMPLIES (NOT (LISTP. x)) (p X))(IMPLIES (AND (LISTP x)

(P (CDR x)))(P x)))

Which states that to prove the formula (p x) where p involves theREVERSE function it is sufficient for the BMTP to prove that:

1) If x is not a list (the base case) then (p x) can be proved.2) if x is a list and (p (CDR x)) is assumed to be true (the

induction hypothesis) then (p x) can be proved.

Typically the formula p will also involve other recursive functionswhich have their own induction templates. The problem of whichinduction template to use cannot be handled at function definition time(since the BMTP has no way to determine how a newly defined function


will be used) and is handled at the time the Induction rewrite rulesare trying to rewrite the formula.

BOYMOR.QL[ QL,REP] PAGE 11-115 Jun 1978 6:55


b) Instantiation Time: When an induction rewrite rule is attempted theinduction templates for all recursive functions in the formula areretrieved. These templates are then sifted by the following rules.

1) Only legal templates (those with valid substitution instances)are retained. Substitutions may be invalid for a multitude ofreasons, the most common being that the template requires anon-variable argument be used as an induction variable. TheREVERSE induction template could not be used if the formulap involved only terms like (REVERSE (f x)). Hopefully thegeneralizationheuristics will variablize (f x).

2) Induction schemata are obtained when the legal templates areinstantiated by performing the required substitutions.All subsumed induction schemata are discarded. This means thatthe system will discard weaker induction arguments for oneswith a richer case structure (duplicates are removed by thismethod also).

3) The remaining templates are then merged together. Two templatesare merged if they contain a common induction variable. Thisallows for the final induction scheme to contain inductionhypotheses for every relevant induction variable. Thus if oneinduction scheme requires induction on the variables x and y andanother requires induction on the variables y and z it wouldseem plausible to require simultaneous induction on all of x, y,and z.

4) If more than one scheme still exists and there is one 'unflawed'scheme then all 'flawed' schemes are discarded. An inductionscheme is unflawed if every occurence of an induction variableis in a position where it is decomposed (see the Example sectionfor an application of this rule),

5) Finally, if more than one scheme still exists, a scoringfunction determines which one to use.

6) The final scheme is then instantiated for the specific formulathat is to be proven.

It should be noted that Boyer & Moore report that 90% of allinductions arguments yield only one unflawed scheme and of theremaining 10%, half have no unique correct scheme (i.e. the theoremsare symmetric in some variables).

Continuing the REVERSE example the BMTP is about to create an inductionargument for proving:

(EQUAL (REVERSE (APPEND X (CONS A "NIL"))(CONS A (REVERSE X))))

It determines the induction schemata for REVERSE and APPEND (see theSimplifier for the definition of APPEND), and since both functionsperform CDR recursions on X their schemata are merged to create theunique induction schema which is finally used:

(AND (IMPLIES (NOT (LISTP X)) (p X A))(IMPLIES (AND (LISTP X)


(p (CDR X) A))(P X A)))

15

AN

An

1

and Moore

Jun 1978 6:55 BOYMOR.QLt QL,REP] PAGE 12-


appropriate way to view the entire process is stated by Boyer

"A good metaphor for the organization of theseheuristics is an initially dry waterfall. One pours ina clause at the top. It trickles down and is splitinto pieces. Some pieces evaporated as they areproved. Others are further split up and simplified.Eventually at the bottom forms a pool of clauses whoseconjunction implies the original formula. We nextchoose a clause, remove it from the pool, invent aninduction scheme for it, and generate a conjunction ofnew clauses to prove(the base case and the inductionsteps). We then try to prove each of the new clausesby pouring each of them over the waterfall."


IMPLEMENTATION DETAILS

The TP represents formulas in conjunctive normal form (CNF). Using thismethod each formula is represented as a list of clauses. Each clause is a setof literals with the clause representing the disjuction of all the literals. Torepresent (IF p 1 r) in conjuctive normal form we note that proving the IFstatement is equivalent to proving (~p v 1) a (p v r). Thus the conjunctivenormal form is {~p , 1} {p , r}. Note that resolution theorem proving is notused here. The clauses are not resolved against each other, they are provedindependently (we are not trying to produce the null clause). The motivationfor representing conditionals this way is due to the inherent asymetry of theIF term. If we are trying to prove that (IF pT r) is always true then either pis true or, given p is false r must be true (they are probably related). Butthe previous IF statement is equivalent to (IF r T p) in which case we couldassume that r was false and try to prove p. If r in the first example happenedto also be and IF term then the asymetry would have multiplied. Thus werewrite the IF to clause form and use the following rules, which makes thingssymmetrical. When attempting to prove a literal in a clause we can assume allother literals rewrite to F (if any other literal was true, the whole clausewould be true). If a literal is rewritten to a non-F value the clause has beenproved, if it is rewriten to F then that literal may be removed from the clause.If an empty clause develops (like resolution) the entire theorem is false and ifall clauses rewrite to non-F the theorem is proved.

The general form for rewrite rules is

(IMPLIES (AND (pi x) (p2 x) ... (pn x))(EQUAL . x y))

which states that x can be rewritten to y if the predicates pi throughpn are true. Rewrite rules are interpreted only in one direction. Theabove rule specifies when to replace x by y but not vice versa. Whenthe system attempts to use this rule it recursively calls itself to try toprove the rewrite rule's preconditions. Heuristics are included to avoidinfinite recursions.

When the user proves a theorem which is to be retained as a lemma, theUser tells the system what type of lemma the theorem is. Lemmas arecategorized as rewrite, elimination, generalization, or induction. Theseclassifications determine within which rewrite rule strata the lemma can beused.


THEMES OF THE BOYER-MOORE THEOREM PROVER

Proof by Induction: The most outstanding feature of the BMTP is its abilityto automate induction proofs. Since most of the common data types are definedinductively (integers, lists, trees, formulas) it is imperative that theoremprovers that are employed to prove properties of programs have the capability toperform inductive arguments (automatically or manually). The excellentperformance of the BMTP is in a large part due to the heuristic methods used inconstructing induction proofs. These heuristics form the core contribution theBMTP has made to Artificial Intelligence research.

The Referencing Problem: A key problem in current theorem proving systemsis the performance degradation due to increased knowledge. While increasedknowledge should improve a system's performance it typically just expands thepossible solution space causing excess searching. This has been named thereferencing problem by Bledsoe, i.e. among a plethora of remembered results,which should be referenced when given a new problem. Resolution theorem proverssuffer greatly from this problems. High powered methods such as proof byanalogy (Kling 71) have been used to restrict the reference set, but thesemethods have met with little success. The BMTP does not address this issue withany more sophistication than trying the rewrite rules in reverse chronologicalorder (complex results first). This simple strategy has proven effective evenwhen operating within an envirornment which contains approximately 400 theorems.

The Language of the Theorem Prover: Since the main application of the BMTPhas been to prove properties of programs, a possbile misconception should beavoided. There is a difference between the language used to express formalstatements whose validity is being proven and the language used to express aprogram. The theory is just a mathematical tool for making precise assertionsabout the properties of discrete mathematical objects. The language used toexpress the theory is closely related to the pure LISP programming language andshould be considered as an alternative to the use of predicate calculus.Frequently programs can be written as functions within the theory (since thesemantics of a LISP like program can be easily captured within the language ofthe theory) just as it is possible to use predicate calculus as a programminglanguage (Kowalski ??). But a distinction should be made between the languageused to express theorems and the programming language used to describe analgorithm about which the BMTP is proving theorems. When proving propertiesabout programs the user applies a relevant theory of program semantics toderive formal statements whose validity imply that the program has the desiredproperties. These statements are then translated into the theory on which theBMTP operates. The BMTP can then be instructed to try to establish the validityof these statments. To illustrate this fact, the proof of the correctness ofthe compiler was expressed by McCarthy's functional method while the correctnesof the string searching algorithm is expressed by Floyd's method of inductiveassertions.

Performance: There are two performance measures that are relevant totheorem provers. The first is concerned with the system' s ability to representtypical facts and theorems in the domain of interest (epistomological adequecy).The second is the ability to prove theorems within a reasonable amount of time.Both performance measures contain ambiguity (e.g. ' typical' ,' reasonable' ) . Butit appears that many interesting facts and theorems can be represented (seeFuture Horizons for some problems here) and proof times are commensurate with auser's patience when debugging proofs interactively. The BMTP has been appliedto a large number of theorem proving tasks, some of which are very difficult byhuman standards (see the introduction). Most theorems are proved in well undera minute. Be careful to remember though that most proofs require lemmas to beproved previously and the total proof time should include the time taken toprove these results too. Still, by almost any standards, this is one of the

15 Jun 1978 6:55 BOYMOR.QLC QL.REP] PAGE 14-2

most powerful theorem provers available.

15 Jun 1978 6:55 BOYMOR.QLC QL,REP] PAGE 15-1

THEMES OF THE BOYER-MOORE THEOREM PROVER (cont.)

Future Horizons: To totally automate proofs (discover and prove necessarylemmas during the proof of a theorem) there are at least three areas in whichimprovements are needed. The first is the ability to generalize formulas priorto induction. Induction arguments achieve their power through the ability toassume versions of the conjecture within the proof of the conjecture. Thusstrengthening the conjecture by genralizationoften allows completion of anotherwise doomed proof. A proof of a more specific theorem is accomplished byshowing it is just an instantiation of the strengthed form. Although the BMTPdoes do some generalization a much more powerfully mechanisim is needed (Moore75, Aubin 77). For example, in the proof of equivalence between two programsthat compute the fringe of a binary tree, the statement of equivalence is

(EQUAL (MC.FLATTEN X "NIL") (FLATTEN X))

The BMTP cannot prove this as stated mainly because of the inability toeffectively use the statement in an induction proof. The key problem is theappearance of the constant "NIL". When the function recurs the second argumentwill be altered and thus will become useless as an induction hypothesis. Simplygeneralizing the formula by variablizing "NIL" yields a non-valid formula. BMstructure their proof of the above theorem by introducing the lemma:

(EQUAL (MC.FLATTEN X ANS) (APPEND (FLATTEN X) ANS))

which the BMTP can prove, effectively making use of the induction hypothesis.The first theorem can now be proved, the induction problems hidden by the use ofthe lemma. Manna and Waldinger are currently working on a similar problem ofgeneralization for Automatic Programming.

Another improvement to the BMTP would be the introduction of existential lyquantified variables. The proof that the Tautology Checker was completeinvolved showing that whenever the TC returned F then the formula wasfalsifyable. This involved actually writing a program (similar to the TCitself) which would return a list of variable bindings which would falsify theformula if it were falsifyable. The actual statement of the completeness of theTC is really was just concerned with the existence of this set of bindings. Butbecause the BMTP's language does not admit existential quantification, itseffect had to be simulated. This method is analogous to the use of skolemfunctions for existential quantification. One way to admit existentialquantifiers to the language would be to perform this simulation withautomatically constructed functions. This would be equivalent to augmenting theBMTP with an automatic programmer. Automatic program writing systems have takenadvantage of the analogy by extracting programs from resolution proofs whichcontain skolem functions (Green 69).

A third improvement would be the automation of non-standard terminationproofs. Since the induction proofs hinge on the ability to abstract therelevant information from termination proofs it is crucial to know the mostnatural way in which termination can be proven. It is also currently impossibleto define mutually recursive functions because of the methods used to provetermination. This makes it more difficult to define certain computations,(e.g. a mmi -max tree search).

15 Jun 1978 6:55 BOYMOR.QLE QL.REP] PAGE 16-1

AN EXAMPLE

DEFINE (APPEND X V) = (IF (LISTP X)(CONS (CAR X) (APPEND (CDR X) V))V)

To prove:

(EQUAL (APPEND (APPEND A B) C)(APPEND A (APPEND B C))

The first applicable rewrite rule is Induction which yields first the base case:

(IMPLIES (NOT (LISTP A))(EQUAL (APPEND (APPEND A B) C)

(APPEND A (APPEND B C)))

This simplifies by expanding all the definitions of APPEND and noting since Ais not a list the second IF branch is always taken. The formula is rewritten to

(IMPLIES (NOT (LISTP A))(EQUAL (APPEND B C) (APPEND B C)))

Which rerwites to T since the arguments to EQUAL are identical

Now the interesting induction case is:

(IMPLIES (AND (LISTP A)(EQUAL (APPEND (APPEND (CDR A) B) C)

(APPEND (CDR A) (APPEND B C))))(EQUAL (APPEND (APPEND A B) C)

(APPEND A (APPEND B C))

Notice that A was chosen as the induction variable. Since C is not decomposedby either APPEND it is obvious why it was not chosen. But how about B. It isdecomposed in one inner APPEND. Referring to the rules previously given toformulate induction arguments we see that the induction scheme with B as theinduction variable would be flawed since in one inner APPEND it appears in thesecond postion, which is never decomposed. On the other hand, A always appearsin a decomposed postion and hence the induction scheme involving A is unflawed.

Since the system knows that A is a list it can expand the definition of theAPPENDS in the consequent with A as their first variable to:

(IMPLIES. (AND (LISTP A)(EQUAL (APPEND (APPEND (CDR A) B) C)

(APPEND (CDR A) (APPEND B C))))(EQUAL (APPEND (CONS (CAR A) (APPEND (CDR A) B)) C)

(CONS (CAR A) (APPEND (CDR A) (APPEND B C)))))

It can open up the first APPEND in the consequent since its first argument isan explicit CONS to:


(APPEND (CDR A) (APPEND B C))))(EQUAL (CONS (CAR A) (APPEND (APPEND (CDR A) B) C))

(CONS (CAR A) (APPEND (CDR A) (APPEND B C)))))

15 Jun 1978 6:55 BOYMOR.QLE QL,REP] PAGE 17-1

their arguments arethe problem to:

by the antecedent

AN EXAMPLE (cont.)

Now it can use the rule that two CONSs are identical ifindentical (see the Shell mechanism section) to reduce


(APPEND (CDR A) (APPEND B C))))(EQUAL (APPEND (APPEND (CDR A) B) C)

(APPEND (CDR A) (APPEND B C))))

Which rewrites to T since the consequence is contained

i

15 Jun 1978 6:55 BOYMOR.QLE QL,REP] PAGE 18-1

BIBLIOGRAPHY

Aubin, R.Mechanizing Structural InductionUniversity of Edinburgh (1976)

Bledsoe, W.Splitting and Reduction Heuristics in Automatic Theorem ProvingArtificial Intelligence, Vol. 2 (1971), pp. 55-77

Bledsoe, W.Non-Resolution Theorem ProvingArtificial Intelligence, Vol. 9, No. 1 (1977), pp. 1-35

Boyer, B. and Moore, J.SA Computational LogicDraft, 1978

Burstall, R.Proving Properties of Programs by Structural InductionThe Computer Journal, Vol. 12, No. 1 (1969), pp. 41-48

Green, C.The Application of Theorem Proving to Question-Answering SystemsAIM-96, Stanford Artificial Intelligence Lab (1969)

Kling, R.A Paradigm for Reasoning by AnalogyArtificial Intelligence Vol. 2 (1971), pp 147-178

Moore, O.S.Introducing Interation into the Pure LISP Theorem ProverlEEE Transactions on Software Engineering, Vol. 1, No. 3 (1975) pp.328-338

Skolem, T.The Foundations of Elementary Arithmetic Established by Means of the Recursive

Mode of Thought, without the use of Apparent VAriables Ranging over InfiniteDomains

From Frege to Goedel, Harvard University Press (1967)

Documents

BOYMOR.QLE QL.REP] - Stacksxk898wv6983/xk898wv6983.pdf · 15 jun 1978 6:55 boymor.qle ql,rep] page 1-1 (cont.) (cont.) (cont.) (cont.) (cont.) (cont.) prover prover (cont.) 5 comment