A Sequent Based Theorem Prover for Propositional Intuitionistic Logic

Transcription

1 A Sequent Based Theorem Prover for Propositional Intuitionistic Logic Jesse Wu Supervisors: Rajeev Goré and Jimmy Thomson Australian National University Abstract. We describe a theorem prover based on a new sequent calculus for Intuitionistic Propositional Logic. We discuss the effects of various optimisations, and analyse its performance compared to current state of the art theorem provers. We find that the prover produces competitive results on many classes of formulae. 1 Introduction Theorem proving is an important area for research, with applications in various fields. Automated Theorem Provers (ATPs) have wide-ranging uses both in theory and practice. Traditionally, strategies in artificial intelligence have made heavy use of logical systems and provers [17]. Provers have also made an impact in mathematics, with a notable example in the proof of the Four Colour Theorem [10]. Furthermore, in industry, verification of both hardware and software systems often relies upon ATPs and system formalisation [4]. Such provers have generally been based on Classical Logics. However, there are alternative logics which are worth investigating. As a formal system, Classical Logic has various limitations: for example, it fails to capture temporal information, cannot quantify the truth of statements and relies on the assumption that a proposition can only be true or false [8]. Intuitionistic Logic addresses one of these issues: namely it disregards Double Negation and the Law of the Excluded Middle. Instead, statements are considered true if a proof is found, otherwise they are merely not true rather than explicitly false. While developed mainly from a theoretical perspective, Intuitionistic Logic has also been employed for a number of practical purposes. Research has found uses in linguistics, programming and verification [14, 15, 5]. The latter two of which are particularly suited for the use of ATPs. Like Classical Logic, Intuitionistic Logic consists of formulae which are recursively defined. At the lowest level there are atomic propositions, from which larger expressions are built using logical connectives. In Backus-Naur form, the syntax for an atom p and formula ϕ can be defined as follows: p ::= p 0 p 1 p 2... ϕ ::= p ϕ ϕ ϕ ϕ ϕ ϕ ϕ

2 1.1 Kripke Models The idea of truth presented in Intuitionistic Logic can be formally expressed using Kripke models. An intuitionistic Kripke Model is a triple, M = W,, ϑ, where W is a non-empty set of worlds, is a binary relation over W and ϑ is a function mapping worlds and atomic variables to truth values. The relation is required to be both reflexive and transitive. The valuation ϑ takes a world w and an atom p and outputs t, f where t is understood to be true and f is not true. Persistence of truth is required within the valuation: if p is an atomic proposition and we have worlds w, v W with w v then if ϑ(w, p) t holds, so must ϑ(v, p) t. With such a model, a forcing relation is defined recursively as follows: For a model M, world w W and proposition p, let M, w p if ϑ(w, p) t M, w M, w does not hold M, w ϕ ψ iff w ϕ and w ψ M, w ϕ ψ iff w ϕ or w ψ M, w ϕ ψ iff v W, w v and v ϕ implies v ψ Furthermore M ϕ if for every w we have M, w ϕ and for a set of formulae Γ we say that M Γ if M ϕ for all ϕ Γ. In terms of global logical consequences we define Γ = ϕ if for all models M, M = Γ implies M = ϕ. Classical Propositional Logic can be described by such a Kripke Model with only one world; the difference between the former and Intuitionistic Propositional Logic (Int) lies in the definition of the operation. Intuitionistic implication is the only operator which explicitly involves future worlds as defined by the relation. This notion of future worlds captures the key concept of the logic, where conjectures may eventually be proven true and thereafter remain true for all further worlds. 1.2 Challenges While logic has many potential uses, efficiently deciding the validity of logical formulae is difficult. The satisfiability of Classical Propositional Logic is known to be NP-complete. For Int the decision problem is potentially harder in terms of computational complexity. Int has been proven to be PSPACE-complete [19], and so is at least as hard as any NP-complete problem. Due to the difficulty of deciding Intuitionistic formulae, significant optimisations must be made in order for ATPs to solve problems of larger sizes. While there exist very efficiently implemented provers for Classical Logics, the development of ATPs for Intuitionistic Logic has seen far less research. In this paper we describe the theory and optimisations behind a new implementation of a theorem prover for Int, based on a new sequent calculus for Int.

3 2 A Sequent Calculus for Intuitionistic Logic In the literature there are two main notations used in Int systems. Gentzen and Beth introduced, respectively, syntactic and semantically based formal systems for logic [9, 2]. These form the foundations for sequent and tableaux calculi. In this paper, we use the notation introduced by Gentzen. In this section we define the syntax and semantics of sequent calculi and introduce the particular calculus used by our prover. A sequent is an expression Γ where Γ and are sets of formulae. Γ is called the antecedent, while is the succedent. A rule r, applicable upwards to a sequent, has the following form: Γ 1 1 Γ 2 2 r Γ 0 0 where any sequents above the line, in this case Γ 1 1 and Γ 2 2, are called the premises of r and Γ 0 0 is the conclusion. A rule may have zero or more premises, but always one conclusion. A sequent calculus is a system of rules. A derivation using a sequent calculus is a tree, with a conclusion as root and where each internal node is an instance of a rule. A sequent proof is a derivation where every leaf has zero premises. Generally in a proof search, rules are applied backwards, starting with a sequent as a conclusion and resulting in the premises. Branching occurs whenever a rule is applied with more than one premise. 2.1 Semantics of Sequents and Rules In relation to Kripke models, a sequent Γ is falsifiable if there exists a model W,, ϑ and a world w W where every element of Γ is true at w and every member of is not true at w. From a simplified perspective, a sequent Γ can be considered valid when a conjunction of all formulae in Γ implies a disjunction of all formulae in. A rule is sound if whenever the premises are not falsifiable, then the conclusion is not falsifiable. That is, if the premises are valid, then the conclusion must be also. Alternatively, if the conclusion is falsifiable, then at least one of the premises must also be falsifiable. A rule is semantically invertible if the conclusion is falsifiable whenever any premise is falsifiable. On the other hand, for non-invertible rules a conclusion may be valid although some non-deterministic choice of premise is falsifiable. In a derivation, this requires backtracking. Backtracking occurs when a choice due to a non-invertible rule r does not lead to a proof. This is undesirable as search must then continue for other possible choices in r. The conclusion is unprovable only if it can be shown that all potential premises are unprovable. A sequent calculus is complete for Int if every valid consequence in Int can be derived using the rules of that calculus. That is, for all Γ ϕ, Γ ϕ can be proved using the rules of the calculus.

4 Γ, ϕ ϕ, id Γ Γ, -left Γ, -right Γ, -left Γ Γ, -right Γ, ϕ, ψ -left Γ, ϕ ψ Γ ϕ, Γ ψ, -right Γ ϕ ψ, Γ, ϕ Γ, ψ -left Γ, ϕ ψ Γ, ϕ ψ ϕ, Γ, ψ -left Γ, ϕ ψ Γ ϕ, ψ, Γ ϕ ψ, Γ, ϕ ψ Γ ϕ ψ, -right -right Fig. 1: Basic sequent calculus rules. 2.2 Sequent Rules The first sequent calculus for Int was introduced by Gentzen in 1934 [9]. Named LJ, the system is sound and complete with respect to Int but restricts sequents to allow only a single formula in the succedent. Explicitly, sequents have the form Γ ϕ where Γ is a set of formulae and ϕ is a single formula. Figure 1 presents a slight modification of this system, allowing for sets of formulae on the right-hand side. These rules form the basic elements of the calculus used in our implementation. Notation: Γ, ϕ will be used as shorthand for Γ ϕ. Note that there are no rules for negation, as we assume ϕ := (ϕ ). Lemma 1. All rules in Figure 1 are sound. Proof. Rule -right: To be falsifiable at any world w we require ϕ to be true and ψ to be not true in the conclusion. All formulae in Γ must also be true. However, under these restrictions the premise will also be falsifiable. Thus the rule is sound, as the conclusion can be falsifiable only if the premise is falsifiable. Rule -left: For the conclusion to be falsifiable, it must be the case that all formulae of are not true while all formulae of Γ and the implication ϕ ψ are true. We now have two cases: if ψ is true in the conclusion, then the second premise Γ, ψ is falsifiable. If ψ is not true, then ϕ must not be true in order to have ϕ ψ true in the conclusion. In this second case the first premise is then falsifiable. Thus the rule is sound, as at least one of the premises must be falsifiable if the conclusion is falsifiable. The proofs for the other rules follow similarly.

5 ϕ ψ ϕ ψ ϕ -left ϕ ψ ϕ ψ -left ϕ ψ Fig. 2: An example of infinite rule application. Lemma 2. All rules except the -right rule are invertible. Proof. Vacuously true for rules with no premises. Rule -left: The first premise is falsifiable when Γ, ϕ are true and is not true. In the conclusion, ϕ true means the disjunction ϕ ψ will be true and hence the conclusion is falsifiable as Γ and will be true and not true respectively. Similarly, for the second premise, ψ must be true for the premise to be falsifiable. Once again this makes ϕ ψ true and so the conclusion is falsifiable. Rule -left: If the first premise is falsifiable then Γ and ϕ ψ must be true, while is not true. This gives exactly the conclusion, which must then also be falsifiable. If the second premise is falsifiable, then in addition ψ must be true. Thus ϕ ψ will also be true, and so the conclusion is falsifiable. The proofs for the other rules are similar. To show that -right is not an invertible rule, consider an instance of the rule with premise Γ, p q and conclusion Γ p q, r r. While the premise Γ, p q may be falsifiable, clearly the conclusion is not as it includes r r, which is true in every world. 2.3 Termination of Backwards Proof Search The basic rules of Figure 1 may result in infinite looping, as illustrated in Figure 2. During backwards proof search, the -left rule maintains a copy of the principal formula ϕ ψ in one branch of the premise. This allows an infinite number of future applications of the same rule. Restrictions beyond the basic rules must be enforced to produce a sequent calculus with a terminating backwards proof search procedure. One technique to prevent non-termination is by introducing explicit loopchecking. In this case, a rule is prevented from being applied to the same sequent twice in any branch. However, this requires that every branch keep track of all previously applied rules. To avoid the drawback of tracking previous rule applications, Dyckhoff developed an alternative to the basic -left rule [3] based upon a method by Vorob ev [20]. Rather than a single rule, an implication ϕ ψ on the left of a sequent is divided into separate cases. Different rules are applied depending on the structure of ϕ, and each application of this case-by-case ruleset results in diminishing sequent size. Due to this monotonic decrease in sequent size, the calculus is guaranteed to terminate in finite time. These rules are shown in Figure 3.

6 Γ, p, ψ Γ, p ψ, p -left 1 (p being atomic) Γ, ϕ 0 (ϕ 1 ψ) -left2 Γ, (ϕ 0 ϕ 1) ψ Γ, ϕ 0 ψ, ϕ 1 ψ -left3 Γ, (ϕ 0 ϕ 1) ψ Γ, ϕ 1 ψ ϕ 0 ϕ 1 Γ, ψ -left4 Γ, (ϕ 0 ϕ 1) ψ Fig. 3: Contraction-free sequent calculus rules. We take a different approach, by modifying the basic -left and -right rules. Specifically, the -left rule is replaced by a blocking version which prevents any further applications until unblocked by a -right-first rule. The new rules are shown in Figure 4. Note that -right-rest can only (and must) be applied in branches which have previously applied the -right-first rule to the same implication. An example is shown in Figure 5. Importantly, we see that a - right-first rule can only be applied once to the same formula within a branch. Rules in this new calculus either delete a connective or block an implication. Implications are only unblocked after the use of a -right-first rule, which is prevented from being applied to the same formula twice. Hence there cannot be an infinite sequence of blocking and unblocking. As a result a sequent proof using this calculus is guaranteed to terminate. In the non-terminating example given in Figure 2 the second application of the -left rule would no longer be applicable. Γ, ϕ b ψ ϕ, Γ, ψ -left-blocking Γ, ϕ ψ p, ϕ 1 ψ 1,, ϕ n ψ n, ϕ ψ p, ϕ 1 b ψ 1,, ϕ n b ψ n ϕ ψ, q, ϕ n+1 ψ n+1,, ϕ n+m ψ n+m -right-first Γ ψ, Γ ϕ ψ, -right-rest Fig. 4: Modified rules p and q represent sets of atomic propositions.

7 (p 0 p 1) b p 2, p 0 p 1, p 1 -right-rest (p 0 p 1) b p 2, p 0 p 1, p 0 p 1 p 0, p 2 p 1 -left-blocking (p 0 p 1) p 2, p 0 p 1 -right-first (p 0 p 1) b p 2 p 0 p 1 p 2 -left-blocking (p 0 p 1) p 2 Fig. 5: Example derivation using modified rules. Lemma 3. All modified rules are sound. Proof. Rule -left-blocking: Exactly the same as the previous proof for -left. The blocked implication still exists, it merely prevents further rule applications. Rule -right-first: For the conclusion to be falsifiable, ϕ ψ is required to be not true. In particular this means ϕ must be true, while ψ is not true. All other formulae in the premise exist in the conclusion, and hence the premise is also falsifiable. Rule -right-rest: As above, the conclusion is falsifiable only if ψ is not true. Γ and are the same in both the premise and conclusion, and hence if the conclusion is falsifiable so is the premise. Lemma 4. -left-blocking and -right-rest are invertible. Proof. -left-blocking: the first premise contains the conclusion (albeit blocked), so whenever it is falsifiable, then so is the conclusion. If the second premise is falsifiable then ψ must be true, and so ϕ ψ will also be true. Meanwhile all formulae in Γ and remain true and not true respectively, so the conclusion is also falsifiable. -right-rest: The invertibility of this rule relies upon the context under which it is applied. For the rule to be considered, -right-first must have been applied previously, so ϕ, or a decomposition of ϕ (produced after applying one or more left sequent rules on ϕ) must exist in Γ. Thus whenever the premise is falsifiable, either ϕ or a decomposition of it must be true. We note that all rules are sound, and all left rules only affect the antecedents of sequents, with the exception of the first premise of -left-blocking, which is a non-issue as its premise contains the entirety of the conclusion. So if we start with a sequent ϕ, and apply rules which eventually lead to a premise Γ in some branch, then setting all of Γ to true is enough to ensure that ϕ is true. Hence, if the premise of the -right-rest rule is falsifiable we have Γ, ϕ true and, ψ not true, and so the conclusion is also falsifiable. 2.4 Backwards Proof Search Strategy Our proof strategy using the modified calculus can be described as follows:

8 (1) Saturate: Apply all invertible rules. These are: id, -left, -right, -left, -right, -left, -right, -left, -right, -left-blocking and -right-rest. (2) Choose: a leaf Γ and a formula ϕ ψ (3) Jump: and apply the -right-first rule to ϕ ψ Go to (1) Note that backtracking is required at -right-first jumps, as the rule only chooses one particular implication from potentially many candidates. Theorem 1. This strategy is sound and complete with respect to Int. Proof. Soundness follows using an inductive argument, by noting from the preceding lemmas that all rules are sound. The proof for completeness is significantly more involved, and is beyond the scope for this report Analysis While the decidability of Intuitionistic Propositional Logic is PSPACE-complete, our particular sequent calculus admits polynomial depth proofs. Theorem 2. Our backwards proof search strategy produces O(n 2 ) depth proofs. Proof. Within each saturation step, the -left-blocking rule prevents a rule from being applied to the same formula twice. Furthermore, all other rules strictly reduce formula size. As a result each saturation step can at most require a linear number of rule applications. Due to the nature of the calculus itself, the -right-first rule can only be applied once for each particular implication. Then the number of possible jumps is similarly linearly limited by input size. The combination of saturation and - right jumps forms the entirety of the proof procedure, which gives O(n 2 ) depth in the size of input formula. Note, however, that the breadth of a proof remains exponential in size. Other calculi have been developed with similar depth properties. Indeed, decision procedures with better bounds of O(nlogn) have been discovered and implemented [1, 6]. However the implementations of such calculi generally require a significantly more involved search procedure. We note that our calculus and search strategy are simpler in comparison. 3 Related Work Current research can be broadly generalised into two categories: efficient calculi and improved implementations. The former focuses on reducing the search space during a proof process, while the latter utilises data structures and heuristics to improve search speed. State of the art provers generally combine both approaches in order to maximise performance. This section describes the main underlying techniques behind three state of the art theorem provers for Int. 1 As agreed with supervisors

9 BDDIntKt - This prover checks the validity of a formula ϕ 0 by constructing the closure cl(ϕ 0 ) and checking if any of the subsets in the closure can lead to a model which falsifies ϕ 0 [11]. While the closure generally contains exponentially many subsets, by using Binary Decision Diagrams (BDDs) many of these do not necessarily have to be explicitly created. In terms of optimisations, BDDIntKt places a heavy focus on the ordering of variables within the underlying BDD data structure. The initial order of variables, along with various reordering approaches at different points of program execution are all considered in the pursuit of performance. The implementation also considers structure sharing - allowing the representation of multiple formulae using the same BDD. There are two main versions of the prover, in C++ and Ocaml respectively, for the performance evaluation we use results from a C++ configuration. fcube - Based on a tableaux calculus for Int, fcube is a Prolog prover which makes heavy use of simplification techniques [6]. The calculus used, Tab, is based on a tableaux version of Dyckhoff s calculus which we presented in Section 2 but has extended rules dealing specifically with negation as well as a few other special rules for implications. The efficiency behind fcube stems from a number of simplification rules, which replace formulae in order to reduce search space. Simplification, and many of the rules used in fcube are described in greater detail in Section 4.1. While the most modern incarnation of fcube has evolved slightly from the relatively basic rules which we introduce later on, the core concepts and reasoning behind the optimisations remain the same. Imogen - Imogen uses polarity of formulae to restrict applicable inference rules [13]. Formally, the prover is based on a focused inverse method which reduces the search space in a sequent calculus based on the polarity of connectives and atomic propositions. Positive formulae A + ::= P + A + A + A + A + A Negative formulae A ::= P A + A A A A + Notice that immediate subformulae have the same polarity, except in the case of shift operators and. Imogen uses a heuristic to convert an input formula into a polarised form with as few shifts as possible. Proof search itself is applied in a forward manner, unlike the backwards proof strategy in Section 2.4. Two databases of sequents are used: a kept and an active database. During inference a sequent is selected from the kept database, and matched against applicable sequent rules. Once all possible rules have been applied, the sequent is moved into the active database. This process produces sequents until the goal (input) sequent is found, or the kept database is empty. All three ATPs listed above use some form of pre-processing, similar to that described in Section 4.1.

10 4 Implementation The sequent rules described in Section 2, and the general search strategy of 2.4, were implemented in Ocaml. Search is conducted in a depth-first manner, fully exploring one branch before considering others. While breadth-first search is also possible, a depth-first strategy allows for a natural implementation of caching as described in Section 4.1. For efficient performance, non-branching rules are given priority over branching rules. Without this heuristic, a branching rule may lead to two applications of the same non-branching rule in both branches. The naïve implementation also expands formulae in a lazy fashion: only the top-most connective of a formula is ever considered. By doing so, the prover can avoid some issues involved with bi-implications, interpreted as ϕ ψ := (ϕ ψ) (ψ ϕ). The expansions of formulae with a large number of bi-implications are exponential in size, and would require vast amounts of memory. This naïve implementation is used as a baseline for comparison against further implementations with various optimisation techniques. 4.1 Optimisations Pre-processing - A simple processing function which replaces inputs with equivalent formulae can significantly reduce the complexity of a proof. By imposing a standard ordering on all formulae, one can completely remove any complications due to variable ordering at commutative operators. For example, the formula (ϕ ψ) (ψ ϕ) can be rewritten as (ϕ ψ) (ϕ ψ) which can then be further simplified to using simplification rules in Figure 7. Note that any arbitrary ordering can be imposed on formulae, as long as it is consistent. Backjumping and Caching - The application of sequent rules often leads to proofs which only require a subset of formulae within a sequent. If two valid sequents differ only by formulae which are not necessary for a proof of validity, then the proof for one is sufficient to prove the other. Thrashing occurs during search when branches with the same important formulae are redundantly explored. Backjumping is an optimisation technique which avoids this phenomenon, by backtracking to the last point which contains all formulae relevant for a proof [12]. Figure 6 gives an example. After proving the left-most branch, the essential elements of the proof itself can be determined to be c d c, d. These same formulae are found in the right-most branch, and hence there is no need to continue search - the relevant sections of the previous proof can be substituted. We extend backjumping by using dependency-directed backtracking [18]. Useful formulae within a sequent, as in backjumping, are placed in a cache. Thereafter, if any sequent contains formulae which are a superset of a cached sequent, then it can be proved using the previous application of rules. This removes the need to search for a proof within that branch, and so the prover can return to the latest backtracking point.

11 (id) (id) a, c c, d a, d c, d -left a, c d c, d a b, c d c, d b, c d c, d -left Fig. 6: An example of backjumping. In addition to a cache for provable sequents, we also implement a cache for unprovable sequents. In contrast to the minimal sequents constructed for the provable cache, here we include as many formulae as possible; as long as the overall sequent is still not provable. We note that if any sequent is a subset of a previously unproven sequent, then it also cannot be proven. At best, all the same rules will be applied, which we know from previous experience cannot lead to a proof. Both caches are global and thus search time can potentially be reduced along all branches, by substituting previous proofs. However, caching introduces its own problems. Caching sequents at all rule applications results in an exponential growth in cache size. In addition to rapidly consuming memory, cache lookup time also becomes a significant factor in performance. To somewhat mitigate unnecessary growth in cache size, caching is only considered at -right-first jumps. Caching itself is done utilising a binary tree structure, providing on average O(logn) lookup time. Simplification - Simplification is a process where formulae are replaced with other formulae, so long as the result remains equivalent to the original. For example, ϕ is equivalent to ϕ. A variety of such rules is shown in Figure 7. ϕ = ϕ = ϕ ϕ = ϕ = ϕ = ϕ = ϕ = ϕ = ϕ = ϕ = ϕ ϕ = ϕ = Fig. 7: Basic boolean simplification rules. Simplification via substitution is a stronger technique used to restrict search space. This form of simplification in Int has seen considerable research in recent years, with demonstrable improvements in ATP efficiency [1, 6, 7]. The core concept of this technique can be generalised as follows: depending on the sequent side in which a formula occurs, it can be replaced with or (under certain additional constraints). Figure 8 shows three basic substitution rules discussed in [1]. Γ[ψ/ϕ] denotes the replacement of all occurrences (including subformulae) of ϕ in Γ by ψ. An additional constraint is required for the third rule, Replace-F - due to the nature of Intuitionistic implication, only partial substitution is valid. Compared to full

12 ϕ, Γ[ /ϕ] [ /ϕ] Γ, ϕ Replace-T ϕ, Γ[ /ϕ] [ /ϕ] ϕ, Γ Replace- T Γ[ /ϕ] ϕ, [ /ϕ] Γ ϕ, Replace-F Fig. 8: Replacement rules. substitution, subformulae with implication as a connective may not be replaced. Note that in all replacement rules one copy of the original formula is always preserved. In this manner only one copy of the formula must be considered during proof search. In addition to the above rules, Ferrari et al. introduce the concept of permanence rules [7]. If an atom always has the same polarity in a given sequent, then, as before, it may be replaced with or depending on its polarity. Denote a positive occurrence of p in a sequent Γ by p + Γ, and for negative polarity. For either polarity, we use l with l {+, }, and we denote an empty set of formulae by ε. The polarity of an atom p is then defined recursively: p + p ε and p ε p p l q ε and p l ε q where q is an atom other than p (or or ) p l ϕ ψ iff p l ϕ and p l ψ where {, } p l Γ ϕ ψ iff p l Γ ϕ and p l Γ ψ where {, } p l ϕ ψ iff p l ϕ and p l Γ ψ p l Γ ϕ ψ iff p l Γ ϕ and p l ψ The permanence rules based on this polarity notion are defined in Figure 9. All simplification rules were implemented, with options to use only the replacement or the permanence rules. We note that a successful application of formula substitution through the replacement or permanence rules generally leads to the possibility of further reduction by re-applying simplification techniques; especially as substitution always produces an instance of or. Γ[ /p] [ /p] Γ T-permanence with p + Γ Γ[ /p] [ /p] Γ T-permanence with p Γ Fig. 9: Permanence rules.

13 Class naïve simp simp+ cache+ cache- cs all BDD fcube Imogen Out of LCL SYN SYJ10* SYJ SYJ SYJ SYJ SYJ SYJ SYJ SYJ SYJ SYJ SYJ SYJ Total Fig. 10: Performance on the ILTP benchmark. Heuristics - Some branches within a derivation are inherently easier to prove (or disprove) than others. For example, by changing the order of branch choice in our naïve depth-first search, formulae of the form 2 ( ( a 1 ) a 2 ) (a 2 a 1 )) can either be solved in a few milliseconds or more than ten minutes. Such choices thus have a significant impact on prover efficiency. Implementations which selected branches based on sequent size, and previous proof depths were investigated. Interestingly, empirical results on the ILTP library (see Section 5) and a number of randomly generated inputs, generally favoured an approach based on formula order as defined in the pre-processing stage. In addition to branching, the choice of branching rule type was also found to have a moderate effect on proof sizes. There are three branching rules in the calculus; namely -right, -left and -left-blocking. For the results presented in Section 5 -right is prioritised; applying -left rules first was found to perform poorly in practice, while -left necessitates greater memory usage (due to the storing of the blocked implication). 5 Experimental Results The performance of our prover was evaluated using the Intuitionisitic Logic Theorem Proving (ILTP) Library [16]. First introduced in 2005, this library is the standard benchmark for both first order and propositional Intuitionisitic Logic. The propositional element of the benchmark consists of 274 problems, with 12 distinct classes of 20 problems each and 34 miscellaneous problems. 2 The SYJ212 class of the ILTP library

14 We present results in Figure 10 for our prover with varying levels of optimisation, along with results for BDDIntKt, fcube and Imogen. Performance is indicated by the number of problems solved, allowing a maximum of 10 minutes for each individual problem. All tests were conducted on a machine with an Intel Core 2 Duo E8400 with 8GB memory. The configurations for our prover are as follows: Configuration Optimisations involved naïve The baseline prover as described in Section 4 simp Extends naïve with replacement rules simp+ Extends simp with permanence rules cache+ Extends naïve with caching of entire sequents cache- Extends naïve with dependency directed caching cs Extends simp with dependency directed caching all Extends naïve with all optimisations Note that all configurations except the naïve prover use pre-processing rules, and the heuristics as described in Section 4.1. The different between cache+ and cache- lies in the addition of sequents to a cache. Cache+ stores entire sequents, without considering the usefulness of formulae. Meanwhile cache- implements the dependency directed backtracking as discussed in Section 4.1. Overall, it can be seen that optimisations play a very large role in the efficiency of our theorem prover. They manage to increase a baseline implementation from 148 problems solved to 259. In comparison, state of the art provers solve a similar number of problems, ranging from 259 to 262. Cache- produces the greatest individual improvement, solving all problems except those of SYJ202. SYJ202 is a logical formulation of the Pigeonhole Principle, and is essentially a problem for Classical Logic as it only contains a single top-level implication. Furthermore, our implementation of caching only produces unnecessary overhead for this class, as sequents are only added to the cache at to-right-first jumps. While the performance of all configurations of our prover is poor on this class, it is also the case that no current provers are able to solve all 20 instances. BDDIntKt does significantly better compared to all other provers, due to its BDD representation and associated formula reduction process. Other interesting classes include SYJ201, SYJ207 and SYJ206. SYJ206 is trivialised by pre-processing techniques, whereby the entire class of formulae are re-written to. For the other two classes, pre-processing and simplification seem to have had little effect, while cache- manages to do very well. Unprovable problems (classes SYJ207-SYJ212) generally allow better performance, due to the invertibility of most rules in our sequent calculus. Except for the non-invertible -right-first jumps, once some application of rules leads to an open (not-true) branch then there is no longer any need to attempt to prove other branches true. This allows for early termination in a saturation phase, and often prunes much of the search tree. For example, SYJ208 is an invalid encoding of the Pigeonhole Principle and contains a number of implications due to

15 our interpretation of p as p. Here caching is no longer redundant, and in combination with early termination allows the prover to solve all 20 instances. This is an highly significant improvement over the similar but valid encodings of SYJ202. Note that BDDIntKt is unlike all other provers, as it does not allow such early termination. While the simplification configurations improve performance, they do so less markedly than caching. Nevertheless, unlike caching, simplification improves upon the naïve implementation on SYJ202. The use of permanence rules in addition to replacement allows the prover to solve more problems in SYJ205 and SYJ211, but performance is at best equal or worse in all other classes. As described in the original paper [7] such rules are not applicable to many classes, but slow down performance due to the overhead in determining applicability. Although the prover seems to produce its best overall results with combinations of caching and simplification, there are additional considerations to be made. The use of simplification can introduce new formulae, which were not original subformulae of some given input. This then conflicts with caching. While two sequents may have had the same useful formulae at some point, simplification may change formulae such that caching is no longer applicable. The realisation of better performance with all optimisations (259 problems solved, compared to 257) can be considered an artifact of the ten-minute timeout. In fact, the times required for all problems except those in SYJ202 are similar to cache-, or considerably worse. Figure 11 shows an example on the SYJ212 family of problems. While cache- has comparable performance to the state of the art provers, all barely manages to complete the last problem in the class within the time limit. 6 Conclusion We have introduced a sequent calculus, which in combination with various optimisations leads to an ATP which competes with state of the art provers. In comparison with other terminating calculi, we require fewer rules and have a simpler search strategy. Nevertheless, the calculus allows for similar performance guarantees. We also find that various optimisation techniques make a significant difference in terms of performance. In particular, caching was extremely effective on the ILTP benchmark. To our knowledge, there are no other ATPs for Int which similarly utilize caching. There are a few possible approaches in order to further improve our implementation efficiency. Currently when caching, the cache size is unbounded, which leads to poor memory-usage and lookup performance for very large input formulae. While no problem in the standard ILTP library (with the exception of SYJ202) requires more than 20 seconds to solve using cache-, experiments on an unofficial extended set of the ILTP problem classes 3 have managed to timeout and use more than 8GB of memory. These issues can be circumvented by con- 3

16 Fig. 11: Run time comparisons on the SYJ212 class of formulae. trolling cache size, potentially by randomly removing elements after a certain cache size is reached, or by deleting sequents which have seen the fewest hits. Only a basic set of simplification rules are described and implemented in this paper. Ferrari et al. actually introduce a number of further rules which were noted to have little performance benefits on the ILTP library, but were better on randomly generated formulae [7]. Extending our prover with such rules is a possibility in the future. Further research into the interaction between simplification and caching techniques also merits investigation. Perhaps with an improved implementation of simplification or caching some of the issues involved with cache misses might be avoided. Alternatively, the development of a technique which allows caching and simplification techniques to fully complement each other should have a significant impact in the field. Such a technique should theoretically lead to large improvements in prover efficiency.

17 Bibliography [1] Alessandro Avellone, Guido Fiorino, and Ugo Moscato. Optimization techniques for propositional intuitionistic logic and their implementation. Theoretical Computer Science, 409(1):41 58, [2] Evert W. Beth. Remarks on natural deduction. Indagationes Mathematicae, 17: , [3] Roy Dyckhoff. Contraction-free sequent calculi for intuitionistic logic. J. Symb. Log., 57(3): , [4] Avner Engel. Verification, Validation and Testing of Engineered Systems. Wiley Series in Systems Engineering and Management. Wiley, 1 edition, Wertvoll wegen den verschiedenen Black-Box-Testing Methoden fr komplexe Systeme. [5] Matt Fairtlough and Michael Mendler. An intuitionistic modal logic with applications to the formal verification of hardware. In Leszek Pacholski and Jerzy Tiuryn, editors, CSL, volume 933 of Lecture Notes in Computer Science, pages Springer, [6] Mauro Ferrari, Camillo Fiorentini, and Guido Fiorino. fcube: An efficient prover for intuitionistic propositional logic. In LPAR, volume 6397 of Lecture Notes in Computer Science, pages Springer, [7] Mauro Ferrari, Camillo Fiorentini, and Guido Fiorino. Simplification rules for intuitionistic propositional tableaux. ACM Trans. Comput. Log., 13(2):14, [8] L. T. F. Gamut. Logic, Language, and Meaning, Volume 1: Introduction to Logic. University of Chicago Press, [9] Gerhard Gentzen. Untersuchungen über das logische schließen. Mathematische Zeitschrift, 39, [10] Georges Gonthier. The four colour theorem: Engineering of a formal proof. In Deepak Kapur, editor, ASCM, volume 5081 of Lecture Notes in Computer Science, page 333. Springer, [11] Rajeev Goré and Jimmy Thomson. Bdd-based automated reasoning for propositional bi-intuitionistic tense logics. In IJCAR, volume 7364 of Lecture Notes in Computer Science, pages Springer, [12] Ullrich Hustadt and Renate A. Schmidt. Simplification and backjumping in modal tableau. In TABLEAUX, volume 1397 of Lecture Notes in Computer Science, pages Springer, [13] Sean McLaughlin and Frank Pfenning. Imogen: Focusing the polarized inverse method for intuitionistic propositional logic. In LPAR, volume 5330 of Lecture Notes in Computer Science, pages Springer, [14] Richard Moot and Mario Piazza. Linguistic applications of first order intuitionistic linear logic. Journal of Logic, Language and Information, 10(2): , 2001.

18 [15] Mauricio Osorio, Juan Antonio Navarro Prez, and Jos Arrazola. Applications of intuitionistic logic in answer set programming. CoRR, cs.lo/ , [16] Thomas Raths, Jens Otten, and Christoph Kreitz. The iltp problem library for intuitionistic logic. J. Autom. Reasoning, 38(1-3): , [17] Stuart J. Russell, Peter Norvig, John F. Candy, Jitendra M. Malik, and Douglas D. Edwards. Artificial intelligence: a modern approach. Prentice- Hall, Inc., Upper Saddle River, NJ, USA, [18] Richard M. Stallman and Gerald J. Sussman. Forward reasoning and dependency-directed backtracking in a system for computer-aided circuit analysis. Artificial Intelligence, 9(2): , [19] Richard Statman. Intuitionistic propositional logic is polynomial-space complete. Theor. Comput. Sci., 9:67 72, [20] Nikolai N. Vorob ev. The derivability problem in the constructive propositional calculus with strong negation. Doklady Akademii Nauk SSSR, 85: , 1952.