Deductive System: Calculus of axioms and inference rules dening judgments. Used in the presentation of logics and programming derivable Logical Framew

Transcription

1 Paris, France PPDP'99, 30, 1999 September Logical and Meta-Logical Frameworks Frank Pfenning 1. Introduction 2. Logical Frameworks 3. Meta-Logical Frameworks 4. Conclusion (see also: upcoming article in Handbook of Automated Reasoning) 1

2 Deductive System: Calculus of axioms and inference rules dening judgments. Used in the presentation of logics and programming derivable Logical Framework: Meta-language for the formalization of deductive systems. Meta-Logical Framework: Meta-language for reasoning about systems. deductive Some Terminology languages. 2

3 Logical Frameworks Factor the eort required to implement various logics. Support common concepts in deductive systems. Provide generic tools for proof search. Characterized by 1. underlying formalism, 2. meta-programming language, 3. theorem proving environment. 3

4 Formalisms: hereditary Harrop formulas (HHF), dependently typed (LF), inductive denitions, rewriting logic. -calculus Meta-Programming Languages: functional (ML, rewriting), relational Elf). (Prolog, Theorem Proving Environments: tactics and tacticals, logic proof checking. programming, Implementations: Isabelle, Prolog, Elf, linear LF, Maude, Elan, Pi, : : : Agda, More Information: General Mathematical Reasoning Systems: HOL, Coq, LEGO, Nuprl, Nqthm, : : : PVS, Some Logical Frameworks 4

5 Support common proof techniques in the study of logic and programming languages: Meta-Logical Frameworks Require means for representing logics. (A logical framework!) 1. structural induction (over derivations), 2. inversion, 3. interpretations, 4. logical relations. Characterized by 1. underlying logical framework, 2. formalism for meta-reasoning, 3. automation techniques. 5

6 General-purpose reasoning systems used as meta-logical frameworks HOL, Coq, LEGO, Nuprl, Isabelle/HOL, : : :): (Nqthm, Some Meta-Logical Frameworks 1. logics dened inductively, 2. meta-reasoning by (structural) induction, 3. automation by tactics (or inductive theorem proving). Maude [Basin, Clavel & Meseguer'99]: { based on rewriting logic, { meta-reasoning by reection and induction, { automation by rewriting. 6

7 More Meta-Logical Frameworks FOLDN[McDowell & Miller'97] [McDowell'97]: 1. based on hereditary Harrop formulas (typically), 2. meta-reasoning by denitional reection and induction over N, 3. interactive. Twelf [Schurmann & Pf.'98,'99] 1. based on LF logical framework, 2. meta-reasoning via total functional programs (termination, coverage), 3. automation by inductive theorem proving. 7

8 This Talk 1. Inductive vs. non-inductive representations of logics. 2. Reasoning about non-inductive denitions. 3. Techniques for automation. 4. Further development (speculative). 8

9 Terms t ::= a j x j f (t 1 ; : : : ; t n ) The Example: Axiomatic Formulation of Intuitionistic Logic Abstract syntax Propositions A ::= p(t 1 ; : : : ; t n ) j A 1 A 2 j 8x: A Assumptions ::= j ; A Judgments Truth ` A Entailment ` A Meta-theorem If ; A ` C then ` A C. 9

10 ` A (B A) ` (A (B C)) ((A B) (A C)) ` (8x: A) [t=x]a (F 1 ) ` (8x: (B A)) (B 8x: A) (F 2 ) [a=x]a ` a UG 8x: A ` Axioms and Inference Rules Axioms (K) (S) (F 2 ) : x not free in B Rule of inference ` A MP ` A B ` B 10

11 variables in the object language by variables in the Represent meta-language. Higher-Order Abstract Syntax Use (simply typed) -calculus to represent language. Key idea: Technique employed in HHF, LF. In general not inductive. 11

12 pf (t 1 ; : : : ; t k )q = f pt 1 q : : : pt k q f : i!! i pp(t 1 ; : : : ; t k )q = p pt 1 q : : : pt k q p : i!! o pa 1 A 2 q = imp pa 1 q pa 2 q imp : o! o! o p8x: Aq = forall (x:i: paq) forall : (i! o)! o Representation Function pxq = x x:i p:aq = not paq not : o! o Constant declarations form signature in the framework. Variable declarations form context in the framework. 12

13 Types A ::= a j A 1! A 2 Objects M ::= c j x j x:a: M j M 1 M 2 The Framework, Simply Typed Fragment Simply typed -calculus. Signatures ::= j ; a:type j ; c:a Contexts ::= j ; x:a Shared by HHF and LF. Typing `! M : A. Canonical (-normal, -long) forms `! M * A. Suppress signature. 13

14 Theorem [Adequacy] For x = x 1 :i; : : : ; x n :i and terms t and A with free variables among x 1 ; : : : ; x n, propositions Adequacy Theorem 1. x `! M * i i M = ptq, 2. x `! M * o i M = paq. 3. The representation function pq is a compositional bijection: [ptq=x]psq = p[t=x]sq and [ptq=x]paq = p[t=x]aq: 14

15 { if ` { if ` M * o then M = paq for some A Weak vs. Strong Frameworks! o. Recall: p8x: Aq = forall (x:i: paq) where forall : (i! o) {z }!! Requires function space to be parametric! As soon as function space is too rich, either M : o then ` M 0 * o for M 0 denitionally to M, or will fail. Invalidates or complicates reasoning and meta-reasoning. Prohibits case analysis and recursion in LF objects. Also: [ptq=x]paq = p[t=x]aq means variables are \invisible". 15

16 Variables by name: inductive, must axiomatize variable renaming and substitution. but Variables as de Bruijn indices: inductive, variable renaming, must axiomatize substitution. captures Variables as meta-language variables: not inductive, variable renaming, substitution. captures p8x: p(x) q(x)q = forall (x:i: imp (p x) (q x)) p8x: Aq = forall (x:i: paq) Properties of Representations = forall (y:i: imp (p y) (q y)) = p8y: p(y) q(y)q p[t=x]aq = [ptq=x]paq = (x:i: paq) ptq 16

17 judgments of the object language by types in the Represents meta-language. Judgments as Types Use (dependently typed) -calculus to represent derivations. Key idea: Technique employed in LF, variations in HHF. In general not inductive. 17

18 then phq : hil paq; so hil : o! type Representation of Axiomatic Derivations I H If ` A p q K ` A (B A) = k paq pbq k : A:o: B:o: hil (imp A (imp B A)) p q G H ` A B ` A MP = mp paq pbq pgq phq ` B mp : A:o: B:o: hil (imp A B)! hil A! hil B 18

19 (F 2 F 1 F 2 Representation of Axiomatic Derivations II p q = f 1 (x:i: paq) ptq (8x: A) [t=x]a f 1 : A:i! o: t:i: hil (imp (forall (x:i: A x)) (A t)) p q (8x: (B A)) (B 8x: A) = f 2 (x:i: paq) pbq f 2 : A:i! o: B:o: hil (imp (forall (x:i: imp B (A x))) (imp B (forall (x:i: A x)))) ) x not free in B. Note how side condition is enforced in the representation. 19

20 UG a Representation of Axiomatic Derivations III p q H ` [a=x]a = ug (x:i: paq) (a:i: phq) ` 8x: A ug : A:i! o: (a:i: hil (A a))! hil (forall (x:i: A x)) Again, side condition enforced in logical framework. 20

21 Families A ::= a j A M j x:a 1 : A 2 [ j A 1! A 2 ] Objects M ::= c j x j x:a: M j M 1 M 2 The Framework II: LF Type Theory Dependently typed -calculus [Harper, Honsell & Plotkin'93]. Kinds K ::= type j x:a: K Signatures ::= j ; a:k j ; c:a Contexts ::= j ; x:a Core Judgments (similar ones at other levels): ` M : A M has type A ` M = N : A M is equal to N at type A ` M * A M is canonical of type A 21

22 ` ` M : A ` A = B : type LF Type Theory Characteristic rules: M : x:a: B ` N : A ` M N : [N=x]B ` M : B Type checking and conversion is decidable. Every well-typed object has a unique canonical form. 22

23 Theorem [Adequacy] For a = a 1 :i; : : : ; a n :i and deductions H of ` A free parameters among a 1 ; : : : ; a n, with Proof-checking in object logic is reduced to type-checking in logical framework. Adequacy Theorem 1. a ` M * hilpaq i M = phq 2. The representation is a compositional bijection: p[t=a]hq = [ptq=a]phq Made practical through type reconstruction and redundancy elimination. 23

24 Parametric judgments as dependent function types. hil (p[a=x]aq) : type a:i: Properties of Representations Generally not inductive. Judgment forms as type families. hil : o! type Judgments as types. hil paq : type Deductions as objects. phq : hil paq Parametric derivations as functions. 24

25 Some Alternative Representations Hereditary Harrop formulas (Prolog, Isabelle) { Judgments as propositions in meta-logic. { No internal notion of deduction (logic vs. type theory) Inductive denitions (FS 0, many others) { No higher-order abstract syntax. { Deductions as objects (sometimes). 25

26 ` [a=x]a UG a Hypothetical Judgments Would like to prove Hilbert's deduction theorem: If ; A ` C then ` A C. (Note: considered modulo permutations) Relies on hypothetical judgment ` C. Systematically extend rules. For example: hyp ` 8x: A ; A ` A where a does not occur in or A. 26

27 Characteristic Properties of Hypothetical Judgments Substitution property: If ` A and 0 ; A ` C then 0 ; ` C. Realized by substitution into derivations. Exchange. Weakening. Contraction. 27

28 Modeling assumptions in object language by hypotheses in meta-language. Theorem [Extended Adequacy] For a = a 1 :i; : : : ; a n :i, H = u 1 :hil pa 1 q; : : : ; u k :hil pa k q, and deductions H of A 1 ; : : : ; A k ` A p hyp ; A ` A Extending the Representation with free parameters among a 1 ; : : : ; a n, 1. a ; H ` M * hil paq i phq = M. 2. The representation is a compositional bijection: p[t=a]hq = [ptq=a]phq and p[g=u]hq = [pgq=u]phq q = u where u:hil paq in context. 28

29 Proof-carrying code and theorem proving the value of proof terms! (LF, but not HHF.) On Logical Frameworks Assessment Concise, elegant, eective in many cases. Examples in programming languages and logics. Meta-programming via ML (Isabelle). Constraint logic programming (Prolog, Elf). Applications with state much easier in linear frameworks. Some applications call for general constraint systems. 29

30 Higher-order abstract syntax captures variable renaming, substitution, conditions. occurrence Contextual representation of parametric and hypothetical judgments substitution, exchange, weakening, and contraction. captures Representation of judgments as types allows deductions as objects with validity conditions. internal Logical Frameworks Summary Inductive representations allow induction. 30

31 Can we take advantage of the immediate nature of logical framework to automate meta-theory? encodings Alternative: use inductive encodings and develop theories of substitution, etc. assumptions, Meta-Logical Frameworks Four approaches: 1. Relational meta-theory, plus schema-checking [Rohwedder & Pf'96] 2. Reection, consistent via modality [Despeyroux, Schurmann & Pf'97] 3. (Meta-)meta-logic constructed over logical framework. 4. Denitional reection and induction over logical framework. Alternative: reection in rewriting logic. 31

32 Design a logic or type theory to reason about deductive systems encoded LF. in Impractical to simply dene LF as an inductive theory. is simple, but its theory is complex!) (LF Reasoning About Deductive Systems Represented in LF Goals: { Conservative preserve present LF representation techniques. { Natural informal proofs can be expressed directly. { General allow many meta-theorems and meta-proof techniques. { Automatable support ecient automation of meta-proof search. Inherit as much as possible from the logical framework! 32

33 Example: The Deduction Theorem, Propositional Case Theorem: If H then D. ` A C C ` A Proof: By induction on H (see following slides). Recall: Hypothetical judgments as functions types. p q H = u:hil paq: phq u : hil paq! hil pcq A ` C Representation, Hypothesis: p q hyp = u:hil paq: u : hil paq! hil paq A ` A 33

34 H 1 H 2 Hypothetical Judgments, Revisited Representation, Modus Ponens: q p A ` B C A ` B MP A ` C = u:hil paq: mp pbq pcq (ph 1 q u)(ph 2 q u) : hil paq! hil pcq 34

35 Representation of Meta-Proofs Attempt: Represent proof of deduction theorem as function hil (imp A C) : A:o: C:o: (hil A! hil C) ded {z }! {z } in LF outside LF fails, because outer function is dened inductively. Solution: introduce separate level with 8, 9, >. ded 2 8A:o: 8C:o: 8H:(hil A! hil C): 9D:hil (imp A C): > Suppress propositional arguments for deductions. ded 2 8H:(hil A! hil C): 9D:hil (imp A C): > 35

36 H = Proof of Deduction Theorem, Hypothesis Case: hyp A ` A 1 (A ((A A) A)) ((A (A A)) (A A)) S 2 (A ((A A) A)) K 3 (A (A A)) (A A) MP A (A A) K 5 A A MP 3 4 ded (u:hil A: u) = mp (mp s k) k 36

37 H = A ` C 1 (C 2 C 1 ) Proof of Deduction Theorem, Axiom Case: K 1 ` (C 1 (C 2 C 1 )) (A (C 1 (C 2 C 1 ))) K 2 ` C 1 (C 2 C 1 ) K 3 ` A (C 1 (C 2 C 1 )) MP 1 2 ded (u:hila: k) = mp k k Case: Axiom (S) similar. 37

38 H = A ` C 2 A ` C 1 1 ` A (C 1 C 2 ) Ind. hyp. on H 1 4 ` A C 1 Ind. hyp. on H 2 Proof of Deduction Theorem, Modus Ponens Case: H 1 A ` C 1 C 2 H 2 MP 2 ` (A (C 1 C 2 )) ((A C 1 ) (A C 2 )) S 3 ` (A C 1 ) (A C 2 ) MP ` A C 2 MP 3 4 ded (u:hil A: mp (H 1 u) (H 2 u)) = mp(mp s (ded H 1 )) (ded H 2 ) 38

39 ded is a total function of the given type, therefore represents proof. meta-theoretic Proof of Deduction Theorem, Summary Implicational fragment [ ded : (hil A! hil C) ) hil (imp A C) ] ded 2 8H:(hil A! hil C): 9D:hil (imp A C): > ded (u:hil A: u) = mp (mp s k) k ded (u:hila: k) = mp k k ded (u:hila: s) = mp k s ded (u:hil A: mp (H 1 u) (H 2 u)) = mp (mp s (ded H 1 )) (ded H 2 ) 39

40 The Meta-Logic Trade o generality vs. automation. Exploit LF as much as possible. Formulas F ::= 8x:A: F j 9x:A: F j > At present, restricted to 8 : : : 89 : : : 9 prex. Validity of meta-logic. j= 8x:A: F i j= [M=x]F for all M s.t. ` M : A j= 9x:A: F i j= [M=x]F for some M s.t. ` M : A j= > Implementation is, of course, incomplete. 40

41 Excursion: How to Exploit LF Represent falsehood by void : type and no constructors. Represent :A(x) by A(x)! void. Represent disjunction of types A(x) and :A(x) by disj : i! type injl : x:i: A x! disj x injr : x:i: (A x! void)! disj x Prove decidability as 8x: A(x) _ :A(x): 8x:i: 9D:disj x: > 41

42 Meta-Functions P ::= x:a: P j P M (8x:A: F ) j hm; P i j let hx; pi = P 1 in P 2 (9x:A: F ) j h i j let h i = P 1 in P 2 (>) j p:f: P j p (recursion) j case x of (cases) j (M ) P j ) (case) Meta-Logic via Realizability j= F if there is a total function P such that P 2 F. ::= Standard (non-deterministic) operational semantics. 42

43 Checking Realizors Check three conditions. Type Correctness: Returned values have expected type. 1. dependent type checking. Standard Termination: Function always succeeds with a value or fails nitely 2. each computation branch. along simultaneous and lexicographic extensions of higher-order Currently, ordering, given explicitly [Rohwedder & Pf '96]. subterm Coverage: Functions never fail. 3. higher-order pattern unication, check that all cases for closed Using terms of a given type a covered syntactically. Functions may be don't-care non-deterministic. (Many proofs are.) Both termination and coverage are in principle undecidable. Termination is open-ended in practice. 43

44 Filling (=) Type-checking): CLP-style iterative deepening search in LF. Simple Recursion (=) Termination-checking): legal appeals to induction hypothesis given a termination order. Generate Splitting (=) Coverage): possible cases for variable by unication (one step backward Generate Generating Realizors = Meta-Theorem Proving Uses signature and results of induction hypothesis. search). 44

45 Must generalize to allow proof of deduction theorem in rst-order logic or with arbitrary assumptions (hypotheses). (parameters) Objects With Parameters Above relies crucially on closed terms. j= 8x:A: F i j= [M=x]F for all M s.t. ` M : A j= 9x:A: F i j= [M=x]F for some M s.t. ` M : A j= > If ; A ` C then ` A C. 45

46 H = Informal Proof New Case: hyp 0 ; C {z } ; A ` C = 1 0 ; C ` C (A C) (K) 2 0 ; C ` C (hyp) 3 0 ; C ` A C MP 1 2 ded (u:hil A: w) = mp k w where w:hil pcq in context? 46

47 then pq ` all of the form u 1 :hil A 1 ; : : : ; u n :hil A n and objects H such For ` H : hil A! hil C, there exists an object D such that that Formulation in LF Recall: Contexts are mapped to contexts. For = A 1 ; : : : ; A n, pq = u 1 :pa 1 q; : : : ; u n :pa n q H If phq : hil paq! hil pcq. ; A ` C As a statement about encoding: ` D : hil (imp A C). 47

48 j= F i j= F for all 2 X Extension of Meta-Logic Inductive description of classes of contexts. Example: H = j H ; u:hil A (for some A). Write 2 H. Allow outermost quantication over inductively dened contexts. Fix signature and context class X. j= 8x:A: F i j= [M=x]F for all M s.t. ` M : A j= 9x:A: F i j= [M=x]F for some M s.t. ` M : A j= > 48

49 Cannot use parameters x at the top-level, because the context may be empty! Extension of Realizors Two ways to introduce parameters 1. In the case that a given term is a parameter. 2. Explicit x:a. 49

50 Proof of Deduction Theorem Revisited H ::= j H ; w:a ded (u:hil A: w) = mp k w ded (u:hil A: u) = mp (mp s k) k ded (u:hila: k) = mp k k ded (u:hila: s) = mp k s ded (u:hil A: mp (H 1 u) (H 2 u)) = mp (mp s (ded H 1 )) (ded H 2 ) At run-time, w will match one of many possible parameters w i. Need to cross-reference parameters with context-class denition. 50

51 Type-checking. Verify that any parameters introduced lie within the context class. Context class inclusion when using lemmas. specied Coverage. Verify that in addition to signature elements, all possible cases are covered. parameter Treats only context properties stable under exchange, weakening, (hypothetical judgments). contraction Impact on Verication Termination. Not aected. 51

52 H = H 1 ; A ` [a=x]c 1 UG a ; A ` 8x: C 1 1 ` A [a=x]c 1 Ind. hyp. on H 1 3 ` (8x: A C 1 ) (A 8x: C 1 ) F 2 Deduction Theorem in First-Order Logic Case: where a not in, A, or C. 2 ` 8x: A C 1 UG a 1 4 ` A 8x: C 1 MP

53 Representation in Meta-Logic Recall: ug : C 1 :i! o: (a:i: hil (C 1 a))! hil (forall (x:i: C 1 x)). Declare D = j D ; w:hil A j D ; a:i New case: ded (u:hil A: ug (a:i: C 1 u a)) = ug (a:i: mp f 2 (ded (u:hil A: C 1 u a))) Evaluation of x:a: P 1. creates a new actual parameter x for x, 2. evaluates [x=x]p to V, 3. returns the abstraction x:a: V. 53

54 Slightly more complicated when several LF objects are returned : : : 89 : : : 9) (8 The Operator Final complication: subordination. We do not abstract, if the -bound variable cannot occur in the result. 54

55 a ::= j a ; a:i Example: Counting Axiom Occurrences nat : type: zero : nat: one : nat: plus : nat! nat! nat [or D ::= j D ; a:i j D ; w:hil A]. cnt 2 8H:hil A: 9N :nat: >. cnt k = one... (other axioms) : : : cnt (mp H 1 H 2 ) = plus (cnt H 1 ) (cnt H 2 ) cnt (ug (a:i: H a)) = a:i: cnt (H a) [ cnt w = zero ] 55

56 If A / B then a term of type B can not occur as a subterm of a canonical of type A. term Also important in termination checking [Rohwedder & Pf'96] < 8x:i: A in rst-order logic (i / o) [t=x]a Subordination Extracted statically from signature. Determines if -abstraction is constructed from. [B=p]A 6< 8p:i: A in higher-order logic (o 6/ o) Also needed for equational reasoning in LF [Virga'99]. In (predicative) inductive theories, given by the order of denition. 56

57 Status and Implementation Theory of meta-logic recently completed [Schurmann '00]. Prototype of theorem prover exists (not yet released, but available). No tactics(!), development in denition/lemma/theorem style. Work on various extensions in progress. 57

58 theorem Deduction to natural deductions Axiomatic Natural deduction to sequent calculus Church-Rosser theorem Some Twelf Experiments Experiment Time to -calculus CCC completeness CPM LP soundness (Horn) LP completeness (Horn) type preservation Mini-ML evaluation/reduction Mini-ML to axiomatic deductions Natural cut elimination Intuitionistic cut elimination Classical calculus to natural deduction Sequent Linux 2.30, SML/NJ 110, Twelf 1.2 ( Twelf 1.5) on Pentium II (300 Mhz) 58

59 More Information: Assessment I Must provide: induction order, search depth. Derives its power from dependent types and separation of powers. Excellent, if you know the proof ahead of time. 59

60 Assessment II Not robust with respect to failure. Naive strategy (lling! splitting! recursion). Filling sometimes a bottle-neck (anticipate lemmas). Too dependent on number of expression constructors (orthogonality?). Inecient implementation (bottom-up vs. top-down). More termination orders and reduction properties. Proof terms (separate checking, interactive vs. automatic). 60

61 Other Future Work Constraints (currently, only in operational semantics of Twelf). [Virga'99] Linearity (reason about state). [Cervesato & Pf.'96] Order (reasoning about sequencing). [Polakow & Pf.'99] Proof compression. [Necula'98] [Schurmann & Pf.'98] Compilation. [Nadathur'99] 61

62 Related Work: FOLDN FOLDN [McDowell & Miller'97] [McDowell'97] Logical framework exible (HHF, linear HHF). Meta-logic richer, less automation (at present). Induction over natural numbers (rather than termination). Denitional reection (rather than splitting). Does not inherit HHF theorem proving. Does not inherit reasoning about hypotheses (modeled as lists). Does not inherit reasoning about parameters (nested abstractions?) 62

63 Related Work: Maude Maude [Basin, Clavel & Meseguer'99]. Logical framework based on rewriting logic. Encodings are rst-order. Use as meta-logical framework from { reection (representation of system in itself), { initiality (satises inductive properties). Not yet as deeply explored. 63

64 Related Work: Inductive Encodings FS 0, Isabelle/HOL, Coq, LEGO, HOL, Nuprl, Agda. Except for FS 0, not explicitly designed as meta-logical framework. Only inductive encodings and reasoning { No higher-order abstract syntax. { No hypothetical or parametric meta-reasoning. Theorem proving generally based on tactics. Less automation, dierent \look & feel". Numerous experiments. 64

65 Summary Presented principles underlying LF and similar logical frameworks. { Higher-order abstract syntax. { Judgments as types. { Hypothetical and parametric judgments. Explored design of meta-logical framework of LF encodings. { Reasoning about closed objects. { Reasoning about hypotheses and parameters. Sketched automation techniques in Twelf. 65