Mechanical certification of FOL_ID cyclic proofs

Abstract

Cyclic induction is a powerful reasoning technique that consists in blocking the proof development of certain subgoals already encountered during the proof process. In the setting of first-order logic with inductive definitions and equality (FOL_ID), cyclic proofs can be built automatically by the Cyclist prover, but their implementations are error-prone and the human validation may be tedious. On the other hand, cyclic induction is not yet integrated into certifying proof environments that support first-order logic and inductive definitions, such as Isabelle and Coq. We propose a solution to check, using Coq, the cyclic proofs produced by E-Cyclist, an extension of Cyclist that implements a more efficient soundness validation method, by using the general Noetherian induction principle integrated into Coq. Our work is based on a methodology for certifying first-order formula-based Noetherian induction proofs, such as those based on implicit induction. The advantages of our approach are threefold: - I) The certification of cyclic FOL_ID proofs is mechanical. Coq can validate every single step from the E-Cyclist proofs, as well as the induction arguments; also, it helps to identify errors in a very precise way. - II) There is a great potential for automation. The methodology has already been used to automatically convert to Coq scripts implicit induction proofs. - III) Cyclic induction can be directly performed in Coq. Coq functions are provided to manage the induction part.

Appendices

Appendix : A: The Coq proof of F_0 in the main lemma

intros. simpl. intros. rename H into Hind.

(* instantiate y from Q(x,y) *) inversionH1 as [|z]. - (* Q(x,0) *) rewrite \({\leftarrow }\) H. apply q1. - (* Q(x,s(z)) *) apply q2. split.

(* induction step for Q(x,z) *) -- apply (Hind F_0).

--- simpl. left. trivial.

--- rewrite \({\leftarrow }\) H2. unfold snd. unfold F_4. unfold F_0. rewrite_model. abstract solve_rpo_mul.

--- trivial.

--- trivial. (* instantiate x from P(x) *) --rewrite\({\leftarrow }\) H2 inHind. rewrite \({\leftarrow }\) H2 inH1. clearH2 y. inversionH0 as [|y].

---rewrite\({\leftarrow }\) H2. apply p1.

---applyp2. rewrite\({\leftarrow }\) H3in H0. (* instantiate P(s(y)) *)

inversion H0.

+ apply zero_different_from_succ in H4. contradiction.

+ rewrite H4.

++ assert (Q y y ∧ Py). (* induction step for Q y y /∖ P y *)

apply (Hind F_4).

+++ simpl. right. left. trivial.

+++ unfold snd. unfold F_4. unfold F_0. rewrite \({\leftarrow }\) H3. rewrite_model. abstract solve_rpo_mul.

+++ trivial.

+++ trivial.

+++ trivial.

+++ destruct H6. split; trivial. apply q2; trivial. split; trivial.

Appendix : B: The missing proofs from Section ??

1.1 B.1: Proof of Lemma 1

Proof

Let us assume two adjacent rb-paths \(r_{1} \rightarrow b_{1}\) and \(r_{2} \rightarrow b_{2}\) in a cycle such that r₂ is the companion of b₁, W(r₁) >_mulW(c(b₁)), and W(r₂) >_mulW(c(b₂)). We will try to prove that W(r₁) >_mulW(c(b₂)).

Since the roots/buds are repeated infinitely along the cycle, none of their weights should be empty. If, by contradiction, we assume that a weight is empty, there exists an rb-path \(r\rightarrow b\) in the cycle such that W(r) is empty. But there is no <_mul such that W(r) > W(c(b)).

We show that there should be a trace along the path [r₁,…,b₁,r₂,…,b₂]. Since W(c(b₂)) is not empty, let l₃ ∈ W(c(b₂)). By the definition of <_mul, there exists an IAA l₂ ∈ W(r₂) such that l₂ > l₃ or l₂ = l₃. Similar reasoning can be applied to l₂ as we have done for l₃ to conclude that there is l₁ ∈ W(r₁) such that l₁ > l₂ or l₁ = l₂. Hence, the trace is l₁,…,l₂,l₂,…,l₃.

Finally, we check whether W(r₁) >_mulW(c(b₂)). As previously, for each IAA l₃ ∈ W(c(b₂)) there is an IAA l₂ ∈ W(r₂) such that l₂ > l₃ or l₂ = l₃, and an IAA l₁ ∈ W(r₁) such that l₁ > l₂ or l₁ = l₂. We perform a case analysis on the comparison results between l₂ and l₃, as well as l₁ and l₂:

• if l₂ > l₃ and l₁ > l₂, then l₁ > l₃;

• if l₂ > l₃ and l₁ = l₂, then l₁ > l₃;

• if l₂ = l₃ and l₁ > l₂, then l₁ > l₃;

• if l₂ = l₃ and l₁ = l₂, then l₁ = l₃.

We show that W(r₁) >_mulW(c(b₂)) when there is at least one l₃ ∈ W(c(b₂)) for which there exists l₁ ∈ W(r₁) such that l₁ > l₃. After the pairwise deletion of equal IAAs from W(r₁) and W(c(b₂)), resulting W(r₁)^′ and W(c(b₂))^′, we have that l₃ ∈ W(c(b₂))^′, l₁ ∈ W(r₁)^′ and l₁ > l₃. By the definition of >_mul, we have that W(r₁) >_mulW(c(b₂)), because the same reasoning can be done for any other IAA from W(c(b₂))^′ as for l₃.

If for all l₃ ∈ W(c(b₂)), there exists l₁ ∈ W(r₁) such that l₃ = l₁, then there exists l₂ ∈ W(r₂) such that l₁ = l₂ and l₂ = l₃. Since W(r₂) >_mulW(c(b₂)), after the pairwise deletion of equal IAAs from W(r₂) and W(c(b₂)), resulting W(r₂)^′ and W(c(b₂))^′, we have that W(c(b₂))^′ is empty and W(r₂)^′ is not empty. Similarly, since W(r₁) >_mulW(c(b₁)), we have that W(c(b₁))^′ is empty and W(r₁)^′ is not empty. We conclude that after the pairwise deletion of equal IAAs from W(r₁) and W(c(b₂)), resulting W(r₁)^′ and W(c(b₂))^′, we have that W(c(b₂))^′ is empty and W(r₁)^′ is not empty. Hence W(r₁) >_mulW(c(b₂)), as required. □

1.2 B.2: Proof of Theorem 1

Proof

Let be a pre-proof whose normalized pre-proof is denoted by \(\mathcal {P}\) and for which every rb-path \(r\rightarrow b\) belonging to a cycle satisfies W(r) >_mulW(c(b)). Let also p₀ be an infinite path in \(\mathcal {P}\). Let p be the infinite path from \(\mathcal {P}\) built from p₀ by duplicating the nodes as shown during the normalization process from Section ??. By construction, the path p is built starting from some point only from the concatenations of rb-paths from cycles from \(\mathcal {P}\). Since the number of roots is finite in \(\mathcal {P}\), there is a root r in p that occurs infinitely often in p. Hence, there is an infinite sub-path p^′ of p of the form [r,…,r,…] which can be represented as the infinite concatenation of finite sub-paths [r,…,b], where r is the companion of b and r occurs only once in each sub-path. Each such sub-path is built from a finite number of concatenations of rb-paths of the form [r₁,…,b₁] for which W(r₁) >_mulW(c(b₁)). Since <_mul is transitive, by Lemma 1, we have that W(r) >_mulW(c(b)) for each sub-path [r,…,r,…,b]. Since W(r) is not empty, for the same reasons as presented in the proof of Lemma 1, there is a trace following \(p^{\prime }\).

By contradiction, we assume that the number of progress points in all the traces along \(p^{\prime }\) is finite. Since the cardinality of the weights for each root of the trace along \(p^{\prime }\) is finite, there is a sub-path [r,…,b] defined as above whose traces have no progress points and satisfies W(r) >_mulW(c(b)). After the pairwise deletion of equal IAAs from W(r) and W(c(b)), to get W(r)^′ and W(c(b))^′, we perform a case analysis by considering whether W(c(b))^′ is empty or not.

• W(c(b))^′ is not empty. By the definition of >_mul, there is an IAA l ∈ W(c(b))^′ for which there is an IAA \(l^{\prime }\in W(r)'\) such that \(l^{\prime }>l\). Hence, the trace leading \(l^{\prime }\) to l has at least one progress point. Contradiction.

• W(c(b))^′ is empty. By similar reasoning as given in the proof of Lemma 1, the cardinality of W(r) is greater than that of W(c(b)). But W(r) = W(c(b)) because r is the companion of b. Contradiction, again.

Since there is a trace along \(p^{\prime }\) that has an infinite number of progress points, p has also an infinitely progressing trace starting from some point. On the other hand, p₀ can be built from p by deleting the extra nodes added during the normalization process, so it has an infinitely progressing trace starting from some point.

We conclude that \(\mathcal {P}\) satisfies the global trace condition. □