An Inductive Theorem Prover Based on Narrowing

Ulrich Fraus
Bavarian Research Center for Knowledge Based Systems (FORWISS), Universität Passau, Postfach 2540, W-8390 Passau, Germany
E-mail: [email protected]

Heinrich Hussmann
Institut für Informatik, Technische Universität München, Postfach 20 24 20, W-8000 München 2, Germany
E-mail: [email protected]
Abstract. This work presents a theorem prover for inductive proofs within an equational theory which supports the verification of universally quantified equations. This system, called TIP, is based on a modification of the well-known narrowing algorithm. Particulars of the implementation are stated and practical experiences are summarized. Finally some remarks on further extensions of the system are given.
1 Introduction

Equational axiomatic specifications [5] are a promising tool for the early phases of software development. The special style of equational specifications is interesting for the intermediate stage in which the first detailed formal description of the intended product is given. The main advantage of an axiomatic approach to software specification is formal reasoning: axioms, together with a good calculus, allow computer-assisted verification of propositions about the specified piece of software. Within the software development process, such a tool helps, for instance, to check whether a first operational formulation of a system meets more informal requirements which have been formulated without any consideration for the operationality. It is the aim of the system presented here to contribute to such a verification of software in a very early phase of the development. In our approach, we try to develop an alternative to the so-called "inductionless induction" method, which has been developed based on early work by Knuth/Bendix, Goguen, Huet/Hullot and others [1]. The aim here is to keep the proof method rather "natural", i.e. very similar to the method a human being uses when performing a proof with paper and pencil. A successful proof achieved by our system is understandable to everybody who knows the basic mathematical facts of equational reasoning and induction. Moreover, the situation in which a new (usually more general) lemma has to be invented looks more familiar to the user - therefore it is easier to use human intuition. And human intuition will be necessary anyway for mastering a non-trivial proof - regardless of the proof method that is used.

2 The Theorem Prover
The TIP system (Term Induction Prover) presented in this paper is restricted to so-called constructor-based specifications, i.e. every ground term has to be equivalent to a constructor ground term (sufficient completeness, see [3]). Therefore, all axioms specify the behavior of a function symbol w.r.t. constructor parameters, i.e. the axioms have the form:

    f(c_1, ..., c_n) -> t

where f is a function symbol, the c_i are constructor terms (with variables) and t is an arbitrary term.
The basic idea of our variant of term induction is to "misuse" the case analysis which is normally given in the left hand sides of the rules for one function symbol. Such case analyses can then be used within an inductive proof. This idea allows us to make extensive use of the algorithms that are already available in an implementation of narrowing. Since narrowing enumerates all alternatives for the unification of a subterm of a goal with all patterns of the rules, it automatically generates an appropriate case analysis (when using a constructor-complete specification). Thereby the case analysis is often done over several variables simultaneously. In many proofs this means that there are fewer case analysis steps and each step has a larger number of (suitable) cases. The proofs addressed by TIP follow inductively some noetherian and stable orderings on terms. For this ordering standard techniques from term rewriting are reused (termination orderings). Besides, the TIP system allows the user to work on several theorems in parallel. So, while proving a difficult theorem one can start to prove an auxiliary lemma whenever one recognizes the need for it. After finishing such a subproof, this lemma can be applied immediately within other proofs. Unlike some other theorem provers, TIP works with strictly typed specifications. This allows things like static type checking and completeness tests for case analyses. But on the other hand there is no support for higher order functions.

The Proof Algorithm
Here is a short glance at the central proof algorithm of the TIP system. The two main tasks of this algorithm are to find possible proof steps to go further and to check which branches of a proof are already solved.

Given any goal (1) G:
    If G is not simplified then simplify G by rewriting and decomposition steps;
    If G contains only trivial equations now (i.e. all equations have syntactically identical sides)
        then goal G is solved;
    else
        make a complete case analysis (2) (several new child goals)
        or apply any existing induction hypothesis (3) (only one new child goal)
        or apply any existing lemma (only one new child goal)
        or generalize any subterm of the goal G (only one new child goal);
    If G is not solved then apply this proof algorithm recursively to all new child goals;
    If all child goals of one proof step are solved then goal G is solved too;

(1) Goal means one or more equations which have to be solved.
(2) A case analysis includes the generation of a new induction hypothesis.
(3) If the application is a smaller instance of the hypothesis w.r.t. the used induction ordering.
The behavior of the TIP system, in particular the degree of its automation, can be influenced by the user, if some system parameters are adjusted appropriately. Also it is possible to choose one of the four induction orderings which are implemented in the system. But for nearly all examples the recursive path ordering was found to be sufficient.
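As an added worked example (not part of the original paper and not TIP's own code), the following Python sketch implements the proof algorithm above for a constructor-based specification of addition on the naturals: axioms of the form f(c_1, ..., c_n) -> t, simplification by innermost rewriting and constructor decomposition, a complete case analysis over a variable that blocks rewriting, generation of the induction hypothesis as the goal at the structurally smaller fresh variable, and application of hypotheses and previously proven lemmas as rewrite steps. It fixes the induction ordering to the structural subterm ordering (TIP offers four orderings), omits the generalization step, and bounds the nesting of case analyses; all names (`prove`, `blocking_var`, `AXIOMS`, the goal constants) and the sample axioms are the example's own assumptions.

```python
"""Miniature term-induction prover in the style of the TIP proof algorithm.
Added illustration, not TIP's code: axioms with constructor patterns, rewriting
and decomposition, constructor case analysis with induction hypotheses, lemmas."""
from itertools import count

# Terms: variables are ('var', name); applications are (symbol, (args...)).
def V(name): return ('var', name)
def T(sym, *args): return (sym, tuple(args))
def is_var(t): return t[0] == 'var'

# Signature of the example: naturals built from constructors 0 and s (symbol -> arity).
CONSTRUCTORS = {'0': 0, 's': 1}

# Constructed axioms f(c1, ..., cn) -> t: a defined symbol applied to constructor patterns.
AXIOMS = [
    (T('add', T('0'), V('y')), V('y')),
    (T('add', T('s', V('x')), V('y')), T('s', T('add', V('x'), V('y')))),
]

def match(pat, term, s):
    """Syntactic matching of pat against term; extends s or returns None."""
    if is_var(pat):
        if pat[1] not in s: s[pat[1]] = term; return s
        return s if s[pat[1]] == term else None
    if is_var(term) or pat[0] != term[0] or len(pat[1]) != len(term[1]): return None
    for p, t in zip(pat[1], term[1]):
        if match(p, t, s) is None: return None
    return s

def apply(term, s):
    """Apply a substitution (variable name -> term)."""
    if is_var(term): return s.get(term[1], term)
    return (term[0], tuple(apply(a, s) for a in term[1]))

def rewrite(term, rules):
    """Innermost normalisation with the oriented axioms and proven lemmas."""
    if is_var(term): return term
    term = (term[0], tuple(rewrite(a, rules) for a in term[1]))
    for lhs, rhs in rules:
        s = match(lhs, term, {})
        if s is not None: return rewrite(apply(rhs, s), rules)
    return term

def replace(term, old, new):
    """Replace exact occurrences of old: induction-hypothesis variables stay rigid."""
    if term == old: return new
    if is_var(term): return term
    return (term[0], tuple(replace(a, old, new) for a in term[1]))

def orient(l, r):
    """Keep the non-variable side on the left so a hypothesis rewrites usefully."""
    return (r, l) if is_var(l) and not is_var(r) else (l, r)

def decompose(l, r):
    """c(a1..an) = c(b1..bn) becomes a1 = b1, ...; distinct constructors refute."""
    if l == r: return []
    if is_var(l) or is_var(r) or l[0] not in CONSTRUCTORS or r[0] not in CONSTRUCTORS:
        return [(l, r)]
    if l[0] != r[0]: return None
    subs = [decompose(a, b) for a, b in zip(l[1], r[1])]
    return None if None in subs else [e for sub in subs for e in sub]

def blocking_var(term):
    """A variable sitting where an axiom pattern demands a constructor."""
    if is_var(term): return None
    for lhs, _ in AXIOMS:
        for p, a in (zip(lhs[1], term[1]) if lhs[0] == term[0] else ()):
            if not is_var(p) and is_var(a): return a[1]
    return next((v for v in map(blocking_var, term[1]) if v), None)

FRESH = count(1)   # numbering for the fresh variables introduced by a case analysis

def prove(goal, lemmas=(), hyps=(), depth=0):
    """goal: list of equations (l, r). True iff every branch of the proof closes."""
    rules = AXIOMS + list(lemmas)
    eqs = []
    for l, r in goal:                        # simplify: rewrite, hypotheses, decompose
        l, r = rewrite(l, rules), rewrite(r, rules)
        for hl, hr in hyps: l, r = replace(l, hl, hr), replace(r, hl, hr)
        d = decompose(rewrite(l, rules), rewrite(r, rules))
        if d is None: return False           # two different constructors: refuted
        eqs += d
    if not eqs: return True                  # only trivial equations remained
    if depth >= 4: return False              # bound on nested case analyses
    v = next((v for l, r in eqs for v in (blocking_var(l), blocking_var(r)) if v), None)
    if v is None: return False               # would need a lemma or a generalization
    for c, arity in CONSTRUCTORS.items():    # complete case analysis over v
        n = next(FRESH)
        new_vars = [V(f"{v}{n}_{i}") for i in range(arity)]
        s = {v: T(c, *new_vars)}
        # each fresh variable is a proper subterm of c(...): the goal at that variable
        # is a smaller instance and becomes an induction hypothesis for this branch
        new_hyps = [orient(apply(l, {v: nv}), apply(r, {v: nv})) for nv in new_vars for l, r in eqs]
        old_hyps = [(apply(hl, s), apply(hr, s)) for hl, hr in hyps]
        if not prove([(apply(l, s), apply(r, s)) for l, r in eqs], lemmas, old_hyps + new_hyps, depth + 1):
            return False
    return True

# Constructed goals: two lemmas about add and the commutativity of addition.
LEMMA_ADD0 = [(T('add', V('x'), T('0')), V('x'))]
LEMMA_ADDS = [(T('add', V('x'), T('s', V('y'))), T('s', T('add', V('x'), V('y'))))]
COMMUTATIVITY = [(T('add', V('x'), V('y')), T('add', V('y'), V('x')))]

if __name__ == "__main__": print(prove(COMMUTATIVITY), prove(COMMUTATIVITY, lemmas=LEMMA_ADD0 + LEMMA_ADDS))
```

`prove(COMMUTATIVITY)` closes by a case analysis over x whose `s` branch needs a nested case analysis over y, each branch being closed by rewriting plus one hypothesis application; this is the "easy proof without user interaction" the paper mentions. Passing `lemmas=LEMMA_ADD0 + LEMMA_ADDS` instead closes both branches of the outer case analysis directly, which is how a lemma finished in a parallel subproof is used immediately as a rewrite rule. A goal that is false, such as add(x, y) = x, ends in an equation y = 0 that neither rewriting nor any case analysis can close, and `prove` returns False; a constructor clash such as s(x) = 0 is refuted by decomposition.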
3 Conclusion

The theorem prover TIP is quite easy to use, because most parts of the tiresome work are done by the system automatically. So the user can concentrate on choosing the most promising proof steps. Easy proofs (like the commutativity of the addition) are found without any user interaction, but normally human intuition is needed to find the central idea(s) of a proof. All the standard examples for theorem proving can be done with the TIP system, too. More difficult examples solved with the TIP system were taken from the area of software verification (based on formal specifications). The main differences between the "inductionless induction" provers and TIP are the possibility of interactive work and a readable result output. The advantage of doing a difficult proof (partly) interactively is that the user recognizes the cases which cause trouble. Therefore, it is possible to detect missing axioms, promising lemmas or undesired loops. Another advantage of the "natural" proof method in TIP is the automatic generation of a nice listing for any complete proof. Such a listing is easy to read and understand, because the structure of the inductive proof is the same as used by humans. The user can even select how detailed the listing of a proof should be. For a more technical discussion of the differences between both inductive proof methods see [4]. Up to now TIP can prove only unconditional goals, but we are planning to extend the proof algorithm (with small changes) to conditional goals. This step is very important for solving interesting problems in the area of software verification, because one always has to deal with restrictions or constraints. And conditions which are coded in a boolean function are mostly too weak for dealing with real life problems. Other planned improvements are the extension to AC unification, the possibility to generate LaTeX files of the proof listings and a comfortable X-Window user interface.
If you are interested in using the TIP system then contact one of the authors. If you have interesting examples for inductive theorem proving then feel free to contact the authors, too.
References

1. D. Duffy: Principles of Automated Theorem Proving. Wiley, 1991.
2. U. Fraus, H. Hußmann: A Narrowing-Based Theorem Prover, in: Proceedings of the IMAKICL Conference, C. Rattray & R. Clark (eds.), Oxford University Press, 1992.
3. J.V. Guttag: The specification and application to programming of abstract data types. Ph.D. thesis, University of Toronto, Toronto, 1975.
4. U.S. Reddy: Term Rewriting Induction. CADE 10, Lecture Notes in Computer Science 249, Springer, 1990, pp. 162-177.
5. M. Wirsing, P. Pepper, H. Partsch, W. Dosch, M. Broy: On hierarchies of abstract data types. Acta Informatica 20, 1983, pp. 1-33.