1 Introduction

Dependent types introduce the powerful concept of types depending on terms. Lists of fixed length are an easy but interesting example. Instead of having a simple type \(\textsf{lst}\) we may have a type \(\mathrm {\Pi }n:\textsf{nat}.\, \textsf{lst}\, n\) which takes a natural number as argument and returns the type of lists of length n. More generally, lambda terms \(\lambda x.s\) now have a dependent type \(\mathrm {\Pi }x:A. B\), which makes the type of \((\lambda x.s)\, t\) dependent on t. With that, it is possible, for example, to specify an unfailing version of the tail function by declaring its type to be \(\mathrm {\Pi }n:\textsf{nat}.\, \textsf{lst}\, (\textsf{s}\, n) \rightarrow \textsf{lst}\, n\). Many interactive theorem provers for dependent type theory are available [3, 10, 14, 16]; most of them implement intensional type theories, i.e., they distinguish between a decidable judgmental equality (given by conversions) and provable equality (inhabiting an identity type). Notable exceptions are PVS [19] and F\(^{\star }\) [21], which implement an extensional type theory. In the context of this paper, we say a type theory is extensional if judgmental equality and provable equality coincide, as in [12]. The typing judgment in such type theories is usually undecidable, as shown in [8].

The broader topic of this paper is automated reasoning support for extensional type theories with dependent types. Not much has been done to this end, but last year Rothgang et al. [17] introduced an extension of HOL to dependent types which they dub DHOL. In contrast to dependent type theory, automated theorem proving in HOL has a long history and led to the development of sophisticated provers [2, 4, 20]. Rothgang et al. defined a natural extension of HOL and equipped it with automation support by providing a sound and complete translation from DHOL into HOL. Their translation has been implemented and can be used as a preprocessing step to any HOL prover in order to obtain an automated theorem prover for DHOL. Hence, by committing to DHOL, automated reasoning support for extensional dependent type theories does not have to be invented from scratch but can benefit from the achievements of the automated theorem proving community for HOL.

In this paper, we build on top of the translation from Rothgang et al. to develop a tableau calculus which is sound and complete for DHOL. In addition, dedicated inference rules for DHOL are defined and their soundness is proved. The tableau calculus is implemented as an extension of Lash [6]. The remainder of this paper is structured as follows: Sect. 2 sets the stage by defining DHOL and the erasure from DHOL to HOL due to Rothgang et al. before Sect. 3 defines the tableau calculus and provides soundness and completeness proofs. The implementation is described in Sect. 4. Finally, we report on experimental results in Sect. 5.

2 Preliminaries

2.1 HOL

We start by giving the syntax of higher-order logic (HOL) which goes back to Church [9]. In order to allow for a graceful extension to DHOL, we define it with a grammar based on [17].

[figure a: grammar of HOL]

A theory consists of base type declarations \(a:\textsf{tp}\), typed variable or constant declarations \(x:A\) and axioms. Contexts are like theories but without base type declarations. In the following, we will often write \(s \in T,\varGamma \) to denote that s occurs in the combination of T and \(\varGamma \). Furthermore, note that \(\circ \) and \(\cdot \) denote the empty theory and context, respectively. Types are declared base types a, the base type of booleans o or function types \(A \rightarrow B\). As usual, the binary type constructor \(\rightarrow \) is right-associative. Terms are simply-typed lambda-terms (modulo \(\alpha \)-conversion) enriched by the connectives \(\bot \), \(\lnot \), \(\Rightarrow \), \(=_{A}\) as well as the typed binding operator for \(\forall \). All connectives yield terms of type o (formulas). By convention, application associates to the left, so \(s\, t\, u\) means \((s\, t)\, u\) with the exception that \(\lnot \, s\, t\) always means \(\lnot (s\, t)\). Moreover, we abbreviate \(\lnot (s =_{A} t)\) by \(s \ne _{A} t\) and sometimes omit the type subscript of \(=_{A}\) when it is either clear from the context or irrelevant. We write \(s[x_1/t_1,\dots ,x_n/t_n]\) to denote the simultaneous capture-avoiding substitution of the \(x_i\)’s by the \(t_i\)’s. The set of free variables of a term s is denoted by \(\mathcal {V}s\).

A theory T is well-formed if all types are well-formed and axioms have type o with respect to its base type declarations. In that case, we write \(\vdash ^{\textsf{s}} T\,\textsf{Thy}\) where the superscript \(\textsf{s}\) indicates that we are in the realm of simple types. Given a well-formed theory T, the well-formedness of a context \(\varGamma \) is defined in the same way and denoted by \(\vdash ^{\textsf{s}}_T \varGamma \,\textsf{Ctx}\). Given a theory T and a context \(\varGamma \), we write \(\varGamma \vdash ^{\textsf{s}}_T A\,\textsf{tp}\) to state that A is a well-formed type and \(\varGamma \vdash ^{\textsf{s}}_T s:A\) to say that s has type A. Furthermore, \(\varGamma \vdash ^{\textsf{s}}_{T} s\) denotes that s has type o and is provable from \(\varGamma \) and T in HOL. Finally, we use \(\varGamma \vdash ^{\textsf{s}}_T A \equiv B\) to state that A and B are equivalent well-formed types. For HOL this is trivial as it corresponds to syntactic equivalence, but this will change drastically in DHOL.

2.2 DHOL

The extension from HOL to DHOL consists of two crucial ingredients:

  • the type constructor \(A \rightarrow B\) is replaced by the constructor \(\mathrm {\Pi }x:A. B\) which potentially makes the return type B dependent on the actual argument x; we stick to the usual arrow notation if B does not contain x

  • base types a can now take term arguments; for an n-ary base type we write \(a:\mathrm {\Pi }x_1:A_1.\,\cdots \, \mathrm {\Pi }x_n:A_n.\,\textsf{tp}\)

Thus, the grammar defining the syntax of DHOL is given as follows:

[figure b: grammar of DHOL]

If a base type a has arity 0, it is called a simple base type. Note that HOL is the fragment of DHOL where all base types have arity 0. Allowing base types to have term arguments makes type equality a highly non-trivial problem in DHOL. For example, if \(\varGamma \vdash ^{\textsf{d}}_T s:\mathrm {\Pi }x:A.B\) (the \(\textsf{d}\) in \(\vdash ^{\textsf{d}}\) indicates that we are speaking about DHOL) and \(\varGamma \vdash ^{\textsf{d}}_T t :A'\) we still want \(\varGamma \vdash ^{\textsf{d}}_T (s\, t):B[x/t]\) to hold if \(\varGamma \vdash ^{\textsf{d}}_T A \equiv A'\), so checking whether two types are equal is a problem which occurs frequently in DHOL. Intuitively, we have \(\varGamma \vdash ^{\textsf{d}}_T A \equiv A'\) if and only if their simply-typed skeleton consisting of arrows and base types without their arguments is equal and given a base type \(a:\mathrm {\Pi }x_1:A_1.\,\cdots \, \mathrm {\Pi }x_n:A_n.\,\textsf{tp}\), an occurrence \(a\, t_1\, \dots \, t_n\) in A and its corresponding occurrence \(a\, t_1'\, \dots \, t_n'\) in \(A'\), we have \(\varGamma \vdash ^{\textsf{d}}_T t_i =_{A_i[x_1/t_1,\dots ,x_{i-1}/t_{i-1}]} t_i'\) for all \(1 \leqslant i \leqslant n\). This makes DHOL an extensional type theory where already type checking is undecidable as it requires theorem proving. Another difference from HOL is the importance of the chosen representation of contexts and theories: Since the well-typedness of a term may depend on other assumptions, the order of the type declarations and formulas in a context \(\varGamma \) or theory T is relevant. A formal definition of the judgments \(\varGamma \vdash ^{\textsf{d}}_T A\,\textsf{tp}\), \(\varGamma \vdash ^{\textsf{d}}_T s:A\), \(\varGamma \vdash ^{\textsf{d}}_T s\) and \(\varGamma \vdash ^{\textsf{d}}_T A \equiv B\) via an inference system is given in [17]. Since we use more primitive connectives, a minor variant is presented in Fig. 1.

Fig. 1. Natural Deduction Calculus for DHOL [figure not reproduced]

Example 1

Consider the simple base types \(\textsf{nat}:\textsf{tp}\) and \(\textsf{elem}:\textsf{tp}\) as well as the dependent base type \(\textsf{lst}:\mathrm {\Pi }x:\textsf{nat}.\,\textsf{tp}\). The constants and functions

$$\begin{aligned} \textsf{0}:& \textsf{nat}& \textsf{s}:& \textsf{nat}\rightarrow \textsf{nat}\\ \textsf{nil}:& \textsf{lst}\,\textsf{0}& \textsf{cons}:& \mathrm {\Pi }n:\textsf{nat}.\, \textsf{elem}\rightarrow \textsf{lst}\, n \rightarrow \textsf{lst}\, (\textsf{s}\, n) \end{aligned}$$

provide means to represent their inhabitants. Additionally, we define functions \(\textsf{plus}:\textsf{nat}\rightarrow \textsf{nat}\rightarrow \textsf{nat}\)

$$\begin{aligned} \forall n:\textsf{nat}.\, \textsf{plus}\,\textsf{0}\, n &=_{\textsf{nat}} n & \forall n,m:\textsf{nat}.\, \textsf{plus}\, (\textsf{s}\, n)\, m &=_{\textsf{nat}} \textsf{s}\,(\textsf{plus}\, n\, m) \end{aligned}$$

and \(\textsf{app}:\mathrm {\Pi }n:\textsf{nat}.\,\mathrm {\Pi }m:\textsf{nat}.\,\textsf{lst}\,n \rightarrow \textsf{lst}\,m \rightarrow \textsf{lst}\, (\textsf{plus}\,n\,m)\):

$$\begin{aligned} & \forall n:\textsf{nat},x:\textsf{lst}\, n.\, \textsf{app}\,\textsf{0}\, n\,\textsf{nil}\, x =_{\textsf{lst}\, n} x \\ & \forall n,m:\textsf{nat},z:\textsf{elem},x:\textsf{lst}\, n,y:\textsf{lst}\, m. \\ & \quad \,\, \textsf{app}\, (\textsf{s}\, n)\, m\, (\textsf{cons}\, n\, z\, x)\, y =_{\textsf{lst}\, (\textsf{s}\, (\textsf{plus}\, n\, m))} \textsf{cons}\, (\textsf{plus}\, n\, m)\, z\, (\textsf{app}\, n\, m\, x\, y) \end{aligned}$$

In the defining equations of \(\textsf{app}\), we annotated the equality sign with the dependent type of the term on the right-hand side. In all cases, the simply-typed skeleton is just \(\textsf{lst}\), but for a type check we need to prove the two equalities

$$\begin{aligned} \forall n:\textsf{nat}.\, \textsf{plus}\,\textsf{0}\, n &=_{\textsf{nat}} n & \forall n,m:\textsf{nat}.\, \textsf{plus}\, (\textsf{s}\, n)\, m &=_{\textsf{nat}} \textsf{s}\, (\textsf{plus}\, n\, m) \end{aligned}$$

which are exactly the corresponding axioms for \(\textsf{plus}\). Type checking the conjecture

$$\begin{aligned} \forall n:\textsf{nat}, x:\textsf{lst}\, n.\, \textsf{app}\, n\, \textsf{0}\, x\, \textsf{nil}=_{\textsf{lst}\, n} x \end{aligned}$$

would require proving \(\forall n:\textsf{nat}.\,\textsf{plus}\,\, n\,\, \textsf{0}=_{\textsf{nat}} n\) which can be achieved by induction on natural numbers if we include the Peano axioms.
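The type-equality check sketched in Sect. 2.2 (compare simply-typed skeletons, then prove one equality per differing base type argument) and the obligations it produces for the defining equations of \(\textsf{app}\) in Example 1, as an added Python example that is not code from the paper or from Lash. The term encoding, the function names (`equiv_obligations`, `type_of`, `check_equation`, `app_axiom_obligations`) and the binder names `k`, `l`, `i` are my own choices; substitution assumes that binders in declared types never clash with context names, which holds for the signature below.

```python
# Added example, not code from the paper or from Lash: type equivalence as Sect. 2.2
# describes it (equal simply-typed skeletons, one obligation t_i =_{A_i[...]} t_i' per
# differing base type argument), used by the application rule (s t) : B[x/t] to type
# check the two defining equations of app from Example 1.  Encoding is my own:
# types ('o',) | ('base', a, [terms]) | ('pi', x, A, B); terms ('var', x) | ('app', s, t).
# Assumed: binders in declared types never clash with context names (no renaming).

def var(x): return ('var', x)

def apps(f, *args):
    """Left-nested application f a1 ... an (f given as a name or a term)."""
    t = var(f) if isinstance(f, str) else f
    for a in args:
        t = ('app', t, a)
    return t

def subst_term(t, sub):
    if t[0] == 'var':
        return sub.get(t[1], t)
    return ('app', subst_term(t[1], sub), subst_term(t[2], sub))

def subst_type(A, sub):
    if A[0] == 'o':
        return A
    if A[0] == 'base':
        return ('base', A[1], [subst_term(a, sub) for a in A[2]])
    _, x, dom, cod = A
    inner = {v: u for v, u in sub.items() if v != x}      # x is bound in cod
    return ('pi', x, subst_type(dom, sub), subst_type(cod, inner))

def skeleton(A):
    """Simply-typed skeleton: base type arguments and binder names are dropped."""
    if A[0] == 'o':
        return A
    if A[0] == 'base':
        return ('base', A[1], [])
    return ('pi', '_', skeleton(A[2]), skeleton(A[3]))

def equiv_obligations(A, B, decls):
    """None if the skeletons differ, else the equalities t_i =_{A_i[x_1/t_1,...]} t_i'
    still to be proved for A == B.  decls[a] lists the parameters (x_i, A_i) of a."""
    if skeleton(A) != skeleton(B):
        return None
    todo = []
    def walk(A, B):
        if A[0] == 'base':
            sub = {}
            for (x, Ai), t, t2 in zip(decls[A[1]], A[2], B[2]):
                if t != t2:                 # syntactically equal arguments need no proof
                    todo.append(('eq', subst_type(Ai, sub), t, t2))
                sub[x] = t
        elif A[0] == 'pi':
            walk(A[2], B[2])
            cod = B[3] if B[1] == A[1] else subst_type(B[3], {B[1]: var(A[1])})
            walk(A[3], cod)
    walk(A, B)
    return todo

def type_of(t, ctx, decls, todo):
    """Type of a term built from constants, variables and application; the
    equalities needed to accept each argument go to todo, the result is B[x/t]."""
    if t[0] == 'var':
        return ctx[t[1]]
    f_ty = type_of(t[1], ctx, decls, todo)
    a_ty = type_of(t[2], ctx, decls, todo)
    if f_ty[0] != 'pi':
        raise TypeError('applying a non-function')
    _, x, dom, cod = f_ty
    obs = equiv_obligations(dom, a_ty, decls)
    if obs is None:
        raise TypeError('argument type has the wrong skeleton')
    todo.extend(obs)
    return subst_type(cod, {x: t[2]})

def check_equation(lhs, rhs, annot, ctx, decls):
    """Obligations for lhs =_annot rhs: both sides need a type equivalent to annot."""
    todo = []
    for side in (lhs, rhs):
        obs = equiv_obligations(type_of(side, ctx, decls, todo), annot, decls)
        if obs is None:
            raise TypeError('equation sides do not fit the annotated type')
        todo.extend(obs)
    return todo

# Signature of Example 1; binders k, l, i are chosen apart from the context names.
nat, elem = ('base', 'nat', []), ('base', 'elem', [])
def lst(n): return ('base', 'lst', [n])
def arrow(A, B): return ('pi', '_', A, B)
DECLS = {'nat': [], 'elem': [], 'lst': [('i', nat)]}
k, l = var('k'), var('l')
SIG = {'0': nat, 's': arrow(nat, nat), 'plus': arrow(nat, arrow(nat, nat)),
       'nil': lst(var('0')),
       'cons': ('pi', 'k', nat, arrow(elem, arrow(lst(k), lst(apps('s', k))))),
       'app': ('pi', 'k', nat, ('pi', 'l', nat,
               arrow(lst(k), arrow(lst(l), lst(apps('plus', k, l))))))}

def app_axiom_obligations():
    """Type check both defining equations of app; returns one obligation list each."""
    n, m, z, x, y = (var(v) for v in 'nmzxy')
    ctx = dict(SIG, n=nat, m=nat, z=elem, x=lst(n), y=lst(m))
    first = check_equation(apps('app', var('0'), n, var('nil'), x), x, lst(n), ctx, DECLS)
    second = check_equation(
        apps('app', apps('s', n), m, apps('cons', n, z, x), y),
        apps('cons', apps('plus', n, m), z, apps('app', n, m, x, y)),
        lst(apps('s', apps('plus', n, m))), ctx, DECLS)
    return first, second
```

Running `app_axiom_obligations()` yields exactly the two \(\textsf{plus}\) axioms as obligations: \(\textsf{plus}\,\textsf{0}\,n =_{\textsf{nat}} n\) for the first equation and \(\textsf{plus}\,(\textsf{s}\,n)\,m =_{\textsf{nat}} \textsf{s}\,(\textsf{plus}\,n\,m)\) for the second; every other argument type matches syntactically and produces nothing, which is the situation the native tableau rules of Sect. 3 are restricted to.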

2.3 Erasure

The following definition presents the translation from DHOL to HOL due to Rothgang et al. [17]. Intuitively, the translation erases dependent types to their simply typed skeletons by ignoring arguments of base types. The thereby lost information on concrete base type arguments is restored with the help of a partial equivalence relation (PER) \(A^*\) for each type A. A PER is a symmetric, transitive relation. The elements on which it is also reflexive are intended to be the members of the original dependent type, i.e., \(\varGamma \vdash ^{\textsf{d}}_T s:A\) if and only if \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} A^*\, \overline{s}\, \overline{s}\).

Definition 1

The translation from DHOL to HOL is given by the erasure function \(\overline{s}\) as well as \(A^*\) which computes the formula representing the corresponding PER of a type A. The functions are mutually defined by recursion on the grammar of DHOL. The erasure of a theory (context) is defined as the theory (context) which consists of its erased components.

$$\begin{aligned} \overline{o} \,&=\, o & \overline{a\, t_1 \,\dots \, t_n} \,&=\, a \\ \overline{\mathrm {\Pi }x:A.B} \,&=\, \overline{A} \rightarrow \overline{B} & \overline{x} \,&=\, x \\ \overline{\lambda x :A.s} \,&=\, \lambda x:\overline{A}.\,\overline{s} & \overline{s\, t} \,&=\, \overline{s}\, \overline{t} \\ \overline{\bot } \,&=\, \bot & \overline{\lnot s} \,&=\, \lnot \overline{s} \\ \overline{s \Rightarrow t} \,&=\, \overline{s} \Rightarrow \overline{t} & \overline{s =_{A} t} \,&=\, A^*\, \overline{s}\, \overline{t} \\ \overline{\forall x:A.s} \,&=\, \forall x:\overline{A}.\, A^*\, x\, x \Rightarrow \overline{s} & \overline{x:A} \,&=\, x:\overline{A}, A^*\, x\, x \end{aligned}$$
$$\begin{aligned} \overline{a:\mathrm {\Pi }x_1:A_1.\,\cdots \, \mathrm {\Pi }x_n:A_n.\,\textsf{tp}} \,&=\, a:\textsf{tp}, a^*:\overline{A_1} \rightarrow \cdots \rightarrow \overline{A_n} \rightarrow a \rightarrow a \rightarrow o, a_{\textsf{per}} \\ o^*\, s\, t \,&=\, s =_o t \\ (a\, t_1 \,\dots \, t_n)^*\, s\, t \,&=\, a^*\, \overline{t_1}\, \dots \, \overline{t_n}\, s\, t \\ (\mathrm {\Pi }x:A.B)^*\, s\, t \,&=\, \forall x,y:\overline{A}.\, A^*\, x\, y \Rightarrow B^*\, (s\, x)\, (t\, y) \end{aligned}$$

Here, \(a_{\textsf{per}}\) is defined as follows:

$$\begin{aligned} a_{\textsf{per}} = \forall x_1:\overline{A_1}.\, \dots \forall x_n:\overline{A_n}.\, \forall u,v:a.\, a^*\,x_1\,\dots \,x_n\,u\,v \Rightarrow u =_a v \end{aligned}$$

Theorem 1 (Completeness [17]).

  • if \(\varGamma \vdash ^{\textsf{d}}_T A:\textsf{tp}\) then \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \overline{A}:\textsf{tp}\) and \(A^*\) is a PER over \(\overline{A}\)

  • if \(\varGamma \vdash ^{\textsf{d}}_T A \equiv B\) then \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \forall x,y:\overline{A}.\, A^*\, x\, y =_o B^*\, x\, y\)

  • if \(\varGamma \vdash ^{\textsf{d}}_T s:A\) then \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \overline{s}:\overline{A}\) and \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} A^*\, \overline{s}\, \overline{s}\)

  • if \(\varGamma \vdash ^{\textsf{d}}_T s\) then \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \overline{s}\)

Theorem 2 (Soundness [17]).

  • if \(\varGamma \vdash ^{\textsf{d}}_T s:o\) and \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \overline{s}\) then \(\varGamma \vdash ^{\textsf{d}}_T s\)

  • if \(\varGamma \vdash ^{\textsf{d}}_T s:A\) and \(\varGamma \vdash ^{\textsf{d}}_T t:A\) and \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} A^*\, \overline{s}\, \overline{t}\) then \(\varGamma \vdash ^{\textsf{d}}_T s =_{A} t\)

Note that the erasure treats simple types and dependent types in the same way. In the following, we define a post-processing function \(\varPhi \) on top of the original erasure [17] which allows us to erase to simpler but equivalent formulas. The goal of \(\varPhi \) is to replace \(A^*\, s\, t\) where A is a simple type by \(s =_{A} t\). As a consequence, the guard \(A^*\, x\, x\) in \(\overline{\forall x:A.s}\) for simple types A can be removed. The following definition gives a presentation of \(\varPhi \) as a pattern rewrite system [13].

Definition 2

Given a HOL term s, we define \(\varPhi (s)\) to be the HOL term which results from applying the following pattern rewrite rules exhaustively to all subterms in a bottom-up fashion:

$$\begin{aligned} a^*\, F\, G \quad &\rightarrow \quad F =_{a} G \\ \forall x,y:A.\, (x =_{A} y) \Rightarrow (F\, x =_{B} G\,y) \quad &\rightarrow \quad F =_{A \rightarrow B} G \\ \forall x:A.\, (x =_{A} x) \Rightarrow F\, x \quad &\rightarrow \quad \forall x:A.\, F\, x \end{aligned}$$

Here, F and G are free variables for terms, \(a^*\) denotes the constant for the PER of a simple base type a, and A and B are placeholders for simple types. Given a HOL theory T, there are finitely many instances of \(a^*\) but infinitely many choices for A and B, so the pattern rewrite system is infinite.

Lemma 1

Assume \(\varGamma \vdash ^{\textsf{d}}_T s:o\). \(\varGamma \vdash ^{\textsf{d}}_T s\) if and only if \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \varPhi (\overline{s})\).

Proof

Since the erasure is sound and complete (Theorem 2 and Theorem 1), it suffices to show that \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \varPhi (\overline{s})\) if and only if \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} \overline{s}\). Consider the rules from Definition 2. \(\varPhi (\overline{s})\) is well-defined: Clearly, the rules terminate and confluence follows from the lack of critical pairs [13]. Hence, it is sufficient to prove \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} l\) if and only if \(\smash {\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} r}\) for every rule in Definition 2. For the first rule, assume \(\smash {\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} a^*\, F\, G}\). Since \({a_{\textsf{per}} \in \overline{T}}\), we have \(\smash {\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} F =_a G}\). Now assume \(\smash {\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} F =_a G}\). Since F has type a, we obtain \(\varGamma \vdash ^{\textsf{d}}_T F =_a F\). Completeness of the erasure yields \(\smash {\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} a^*\, F\,F}\). Now, the assumption allows us to replace equals by equals, so we conclude \(\overline{\varGamma } \vdash ^{\textsf{s}}_{\overline{T}} a^*\, F\, G\). The desired result for the second rule follows from extensionality. Finally, the third rule is an easy logical simplification.    \(\square \)

Given a theory T (context \(\varGamma \)) we write \(\varPhi (\overline{T})\) (\(\varPhi (\overline{\varGamma })\)) to denote its erased version where formulas have been simplified with \(\varPhi \).

Corollary 1

Assume \(\varGamma \vdash ^{\textsf{d}}_T s:o\). \(\varGamma \vdash ^{\textsf{d}}_T s\) if and only if \(\varPhi (\overline{\varGamma }) \vdash ^{\textsf{s}}_{\varPhi (\overline{T})} \varPhi (\overline{s})\).

Example 2

Consider again the axiom recursively defining \(\textsf{app}\) from Example 1

$$\begin{aligned} & \forall n,m:\textsf{nat},z:\textsf{elem},x:\textsf{lst}\, n,y:\textsf{lst}\, m. \\ & \quad \,\, \textsf{app}\, (\textsf{s}\, n)\, m\, (\textsf{cons}\, n\, z\, x)\, y =_{\textsf{lst}\, (\textsf{s}\, (\textsf{plus}\, n\, m))} \textsf{cons}\, (\textsf{plus}\, n\, m)\, z\, (\textsf{app}\, n\, m\, x\, y) \end{aligned}$$

which we refer to as \(s_{\textsf{app}}\). Its post-processed erasure \(\varPhi (\overline{s_{\textsf{app}}})\) is given by the following formula which is simpler than \(\overline{s_{\textsf{app}}}\):

$$\begin{aligned} & \forall n,m:\textsf{nat},z:\textsf{elem}, x:\textsf{lst}.\, \textsf{lst}^*\, n\, x\, x \Rightarrow \forall y:\textsf{lst}.\, \textsf{lst}^*\, m\, y\, y \Rightarrow {} \textsf{lst}^*\, \bigl (\textsf{s}\, (\textsf{plus}\, n\, m)\bigr )\\ & \quad \,\, \bigl (\textsf{app}\, (\textsf{s}\, n)\, m\, (\textsf{cons}\, n\, z\, x)\, y\bigr )\, \bigl (\textsf{cons}\, (\textsf{plus}\, n\, m)\, z\, (\textsf{app}\, n\, m\, x\, y)\bigr ) \end{aligned}$$
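Definition 1 and Definition 2 carried out mechanically on \(s_{\textsf{app}}\), as an added Python example that is not code from the paper or from Lash: `erase` and `per` implement the erasure and the PER formulas \(A^*\), `phi` the bottom-up pattern rewriting, and `erased_s_app` reproduces the formula displayed above. The term encoding, the naming of the PER constant of a base type a as `a*`, the fresh-name scheme and all function names are my own; the example also assumes that the binder x of \(\mathrm {\Pi }x:A.B\) is not free in the two terms compared at that type, so \(\forall x,y\) in \((\mathrm {\Pi }x:A.B)^*\) captures nothing.

```python
# Added example (not code from the paper or from Lash): the erasure of Definition 1
# and the post-processing Phi of Definition 2, run on the axiom s_app of Example 2.
# Encoding is my own: types ('o',) | ('base', a, [terms]) | ('pi', x, A, B); terms
# ('var', x) | ('app', s, t) | ('lam', x, A, s) | ('bot',) | ('not', s) | ('imp', s, t)
# | ('eq', A, s, t) | ('forall', x, A, s); the PER constant of base type a is named
# a + '*'.  Assumed: the binder x of Pi x:A.B is not free in the terms compared at
# that type, and no user name contains '~' (used for fresh names).
from itertools import count

def var(x): return ('var', x)

def apps(f, *args):
    """Left-nested application f a1 ... an (f given as a name or a term)."""
    t = var(f) if isinstance(f, str) else f
    for a in args:
        t = ('app', t, a)
    return t

_ids = count(1)
def fresh(x): return f'{x}~{next(_ids)}'

def erase_type(A):
    """Simply-typed skeleton: the term arguments of base types are dropped."""
    if A[0] == 'base':
        return ('base', A[1], [])
    return ('pi', A[1], erase_type(A[2]), erase_type(A[3])) if A[0] == 'pi' else A

def per(A, s, t):
    """The formula A* s t of Definition 1."""
    if A[0] == 'o':
        return ('eq', A, s, t)
    if A[0] == 'base':                      # a* t1bar ... tnbar s t
        return apps(A[1] + '*', *[erase(u) for u in A[2]], s, t)
    _, x, dom, cod = A                      # forall x,y:Abar. A* x y => B* (s x) (t y)
    y = fresh(x)
    body = ('imp', per(dom, var(x), var(y)), per(cod, ('app', s, var(x)), ('app', t, var(y))))
    return ('forall', x, erase_type(dom), ('forall', y, erase_type(dom), body))

def erase(t):
    """The erasure of Definition 1 on terms."""
    k = t[0]
    if k in ('var', 'bot'):
        return t
    if k == 'lam':
        return ('lam', t[1], erase_type(t[2]), erase(t[3]))
    if k == 'eq':
        return per(t[1], erase(t[2]), erase(t[3]))
    if k == 'forall':                       # guard the body with A* x x
        _, x, A, body = t
        return ('forall', x, erase_type(A), ('imp', per(A, var(x), var(x)), erase(body)))
    return (k,) + tuple(erase(u) for u in t[1:])   # app, not, imp

def free_in(x, t):
    if t[0] == 'var':
        return t[1] == x
    if t[0] in ('lam', 'forall'):
        return t[1] != x and free_in(x, t[3])
    return any(free_in(x, u) for u in t[(2 if t[0] == 'eq' else 1):])  # skip the type of eq

def step(t, simple):
    """One root rewrite with a rule of Definition 2, or None; `simple` is the set
    of base types of arity 0, whose a* takes exactly two arguments."""
    if (t[0] == 'app' and t[1][0] == 'app' and t[1][1][0] == 'var'
            and t[1][1][1].endswith('*') and t[1][1][1][:-1] in simple):
        return ('eq', ('base', t[1][1][1][:-1], []), t[1][2], t[2])   # a* F G -> F =_a G
    if t[0] != 'forall':
        return None
    _, x, A, body = t
    if body[0] == 'forall' and body[2] == A and body[3][0] == 'imp':  # rule 2
        y, guard, concl = body[1], body[3][1], body[3][2]
        if (guard == ('eq', A, var(x), var(y)) and concl[0] == 'eq'
                and concl[2][0] == 'app' and concl[2][2] == var(x)
                and concl[3][0] == 'app' and concl[3][2] == var(y)):
            F, G, B = concl[2][1], concl[3][1], concl[1]
            if not any(free_in(v, u) for v in (x, y) for u in (F, G)):
                return ('eq', ('pi', '_', A, B), F, G)               # F =_{A->B} G
    if body[0] == 'imp' and body[1] == ('eq', A, var(x), var(x)):     # rule 3
        return ('forall', x, A, body[2])
    return None

def phi(t, simple):
    """Rewrite bottom-up and exhaustively with the rules of Definition 2."""
    k = t[0]
    if k in ('lam', 'forall'):
        t = (k, t[1], t[2], phi(t[3], simple))
    elif k == 'eq':
        t = ('eq', t[1], phi(t[2], simple), phi(t[3], simple))
    elif k in ('app', 'imp', 'not'):
        t = (k,) + tuple(phi(u, simple) for u in t[1:])
    r = step(t, simple)
    return t if r is None else phi(r, simple)

nat, elem = ('base', 'nat', []), ('base', 'elem', [])
def lst(n): return ('base', 'lst', [n])
SIMPLE = {'nat', 'elem'}                    # lst has arity 1 and is not simple

def s_app():
    """The recursive defining equation of app (Example 1) as a closed DHOL formula."""
    n, m, z, x, y = (var(v) for v in 'nmzxy')
    lhs = apps('app', apps('s', n), m, apps('cons', n, z, x), y)
    rhs = apps('cons', apps('plus', n, m), z, apps('app', n, m, x, y))
    body = ('eq', lst(apps('s', apps('plus', n, m))), lhs, rhs)
    for v, A in reversed([('n', nat), ('m', nat), ('z', elem), ('x', lst(n)), ('y', lst(m))]):
        body = ('forall', v, A, body)
    return body

def erased_s_app():
    """Phi(erase(s_app)); compare with the formula displayed in Example 2."""
    return phi(erase(s_app()), SIMPLE)
```

The guards \(\textsf{nat}^*\,n\,n\), \(\textsf{nat}^*\,m\,m\) and \(\textsf{elem}^*\,z\,z\) are first turned into trivial equalities by the first rule and then dropped by the third, whereas \(\textsf{lst}^*\,n\,x\,x\) and \(\textsf{lst}^*\,m\,y\,y\) survive because \(\textsf{lst}\) is not simple; the second rule fires only on the two-binder shape produced by \((\mathrm {\Pi }x:A.B)^*\), e.g. \(\varPhi((\textsf{nat}\rightarrow \textsf{nat})^*\,\textsf{s}\,\textsf{s}) = \textsf{s} =_{\textsf{nat}\rightarrow \textsf{nat}} \textsf{s}\).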

3 Tableau Calculus for DHOL

3.1 Rules

The tableau calculus from [1, 7] is the basis of Satallax [4] and its fork Lash [6]. We present an extension of this calculus from HOL to DHOL by extending the rules to DHOL as well as providing tableau rules for the translation from DHOL to HOL. A branch is a 3-tuple \((T,\varGamma ,\varGamma ')\) which is well-formed if \(\vdash ^{\textsf{d}} T\,\textsf{Thy}\), \(\vdash ^{\textsf{d}}_T \varGamma \,\textsf{Ctx}\) and \(\vdash ^{\textsf{s}}_{\smash {\varPhi (\overline{T})}} \varGamma '\,\textsf{Ctx}\). Intuitively, the theory contains the original problem and remains untouched while the contexts grow by the application of rules. Furthermore, DHOL and HOL are represented separately: For DHOL, the theory T and context \(\varGamma \) are used while HOL has a separate context \(\varGamma '\) with respect to the underlying theory \(\varPhi (\overline{T})\). In particular, each rule in Fig. 2 really stands for two rules: one that operates in DHOL and the original version that operates in HOL. Except for the erasure rules \(\mathcal {T}_{\textrm{ER}_1}\) and \(\mathcal {T}_{\textrm{ER}_2}\) which add formulas to the HOL context based on information from the DHOL theory and context, the rules always stay in DHOL or HOL, respectively. More formally, a step is an \((n+1)\)-tuple \(\langle (T,\varGamma ,\varGamma '),(T,\varGamma _1,\varGamma '_1),\dots ,(T,\varGamma _n,\varGamma '_n) \rangle \) of branches where \(\bot \not \in T,\varGamma ,\varGamma '\) and either \(\varGamma \subset \varGamma _i\) and \(\varGamma ' = \varGamma _i'\) for all \(1 \leqslant i \leqslant n\) or \(\varGamma = \varGamma _i\) and \(\varGamma ' \subset \varGamma _i'\) for all \(1 \leqslant i \leqslant n\). Given a step \(\langle A, A_1,\dots ,A_n \rangle \), the branch A is called its head and each \(A_i\) is an alternative.

A rule is a set of steps defined by a schema. For example, the rule \(\mathcal {T}_{\Rightarrow }\) from Fig. 2 indicates the set of steps \(\langle (T,\varGamma ,\varGamma '),(T,\varGamma _1,\varGamma '_1),(T,\varGamma _2,\varGamma '_2) \rangle \) where \(\bot \not \in T,\varGamma ,\varGamma '\) and either \(s \Rightarrow t \in T,\varGamma \) or \(s \Rightarrow t \in \varPhi (\overline{T}),\varGamma '\). In the former case, we have \(\varGamma _1 = \varGamma ,\lnot s\) and \(\varGamma _2 = \varGamma ,t\) as well as \(\varGamma ' = \varGamma '_1 = \varGamma '_2\). The latter case is the same but with the primed and unprimed variants swapped.

In the original tableau calculus [1, 7], normalization is defined with respect to an axiomatized generic operator \([\cdot ]\). As one would expect, one of these axioms states that the operator does not change the semantics of a given term. Since there is no formal definition of DHOL semantics yet, we simply use [s] to denote the \(\beta \eta \)-normal form of s which is in accordance with our implementation.

A rule applies to a branch A if some step in the rule has A as its head. A tableau calculus is a set of steps. Let \(\mathcal {T}\) be the tableau calculus defined by the rules in Fig. 2. The side condition of freshness in \(\mathcal {T}_{\lnot \forall }\) means that for a given step with head \((T,\varGamma ,\varGamma ')\) there is no type A such that \(y:A \in T,\varGamma \) or \(y:A \in \varPhi (\overline{T}),\varGamma '\) and we additionally require that there is no name x such that \(\lnot [s\, x] \in T,\varGamma \) or \(\lnot [s\, x] \in \varPhi (\overline{T}),\varGamma '\). In practice, this means that to every formula, \(\mathcal {T}_{\lnot \forall }\) can be applied at most once. Furthermore, the side condition \(t:A\) in the rule \(\mathcal {T}_{\forall }\) means that either \(\varGamma \vdash ^{\textsf{d}}_T t:A\) or \(\varGamma ' \vdash ^{\textsf{s}}_{\smash {\varPhi (\overline{T})}} t:A\) depending on whether the premise is in \(T,\varGamma \) or \(\varPhi (\overline{T}),\varGamma '\). The side condition \(\overline{s}:o\) in the rule \(\mathcal {T}_{\textrm{ER}_1}\) means that \(\varGamma ' \vdash ^{\textsf{s}}_{\smash {\varPhi (\overline{T})}} \overline{s}:o\). This is to prevent application of \(\mathcal {T}_{\textrm{ER}_1}\) before the necessary type information is obtained by applying \(\mathcal {T}_{\textrm{ER}_2}\).

The set of \(\mathcal {T}\)-refutable branches is defined inductively: If \(\bot \in T,\varGamma ,\varGamma '\), then \((T,\varGamma ,\varGamma ')\) is refutable. If \(\langle A,A_1,\dots ,A_n \rangle \) is a step in \(\mathcal {T}\) and every alternative \(A_i\) is refutable, then A is refutable.

Fig. 2. Tableau rules for DHOL [figure not reproduced]

The rules in Fig. 2 strongly resemble the tableau calculus from [1]. In order to support DHOL, we replaced simple types by their dependent counterparts. To that end, we tried to remain as simple as possible by only allowing syntactically equivalent types in \(\mathcal {T}_{\forall }\) and \(\mathcal {T}_{\textrm{CON}}\): Adding a statement like \(A \equiv A'\) as a premise would change the tableau calculus as well as the automated proof search significantly, so these situations are handled by the erasure for which the additional rules \(\mathcal {T}_{\textrm{ER}_1}\), \(\mathcal {T}_{\textrm{ER}_2}\) are responsible.

It is known that the restriction of \(\mathcal {T}\) to HOL (without \(\mathcal {T}_{\textrm{ER}_1}\) and \(\mathcal {T}_{\textrm{ER}_2}\)) is sound and complete with respect to Henkin semantics [1, 7]. Furthermore, due to Corollary 1, the rules \(\mathcal {T}_{\textrm{ER}_1}\) and \(\mathcal {T}_{\textrm{ER}_2}\) define a sound and complete translation from DHOL to HOL with respect to Rothgang et al.’s definition of provability in DHOL [17].

3.2 Soundness and Completeness

In general, a soundness result based on the refutability of a branch \((T,\varGamma ,\varGamma ')\) is desirable. If there were a definition of semantics for DHOL which is a conservative extension of Henkin semantics, the proof could just refer to satisfiability of \(T,\varGamma ,\varGamma '\). Unfortunately, this is not the case. Note that an appropriate definition of semantics is out of the scope of this paper: In addition to its conception, we would have to prove soundness and completeness of \(\vdash ^{\textsf{d}}\) on top of the corresponding proofs for our novel tableau calculus. Therefore, soundness and completeness of the tableau calculus will be established with respect to provability in DHOL or HOL. Unfortunately, this requirement complicates the proof tremendously as a refutation can contain a mixture of DHOL, erasure and HOL rules. Therefore, we have to consider both HOL and DHOL and need to establish a correspondence between \(\varGamma \) and \(\varGamma '\) which is difficult to put succinctly and seems to be impossible without further restricting the notion of a well-formed branch. Therefore, we prove soundness and completeness with respect to a notion of refutability which has three stages: At the beginning, only DHOL rules are applied, the second stage is solely for the erasure and in the last phase, only HOL rules are applied. Note that this notion of refutability includes the sound but incomplete strategy of only using native DHOL rules as well as the sound and complete strategy of exclusively working with the erasure.

Definition 3

A branch \((T,\varGamma ,\varGamma ')\) is s-refutable if it is refutable with respect to the HOL rules.

Lemma 2

A well-formed branch \((T,\varGamma ,\varGamma ')\) is s-refutable \(\iff \) \(\varGamma ' \vdash ^{\textsf{s}}_{\varPhi (\overline{T})} \bot \).

Proof

Immediate from soundness and completeness of the original HOL calculus as well as soundness and completeness of \(\vdash ^{\textsf{s}}\).    \(\square \)

Definition 4

The set of e-refutable branches is inductively defined as follows: If \((T,\varGamma ,\varGamma ')\) is s-refutable and \(\varGamma ' \subseteq \varPhi (\overline{\varGamma })\), then it is e-refutable. If \(\langle A,A_1 \rangle \in \mathcal {T}_{\textrm{ER}_1}\cup \mathcal {T}_{\textrm{ER}_2}\) and \(A_1\) is e-refutable, then A is e-refutable.

Lemma 3

If \((T,\varGamma ,\varGamma ')\) is well-formed and e-refutable then \(\varPhi (\overline{\varGamma }) \vdash ^{\textsf{s}}_{\varPhi (\overline{T})} \bot \).

Proof

Let \((T,\varGamma ,\varGamma ')\) be well-formed and e-refutable. We proceed by induction on the definition of e-refutability. If \((T,\varGamma ,\varGamma ')\) is s-refutable then \(\varGamma ' \vdash ^{\textsf{s}}_{\smash {\varPhi (\overline{T})}} \bot \) by Lemma 2. Since \(\varGamma ' \subseteq \varPhi (\overline{\varGamma })\) we also have \(\varPhi (\overline{\varGamma }) \vdash ^{\textsf{s}}_{\smash {\varPhi (\overline{T})}} \bot \). For the induction step, let \(\langle (T,\varGamma ,\varGamma '),(T,\varGamma ,\varGamma '_1)\rangle \) be a step with either \(\mathcal {T}_{\textrm{ER}_1}\) or \(\mathcal {T}_{\textrm{ER}_2}\) and assume that the branch \((T,\varGamma ,\varGamma '_1)\) is e-refutable. Since well-formedness of \((T,\varGamma ,\varGamma '_1)\) follows from the well-formedness of \((T,\varGamma ,\varGamma ')\), the induction hypothesis yields \(\varPhi (\overline{\varGamma }) \vdash ^{\textsf{s}}_{\smash {\varPhi (\overline{T})}} \bot \) as desired.    \(\square \)

Definition 5

The set of d-refutable branches is inductively defined as follows: If \((T,\varGamma ,\cdot )\) is e-refutable or \(\bot \in T,\varGamma \), then it is d-refutable. If \(\langle A,A_1,\dots ,A_n \rangle \in \mathcal {T}\setminus (\mathcal {T}_{\textrm{ER}_1}\cup \mathcal {T}_{\textrm{ER}_2})\) and every alternative \(A_i\) is d-refutable, then A is d-refutable.

Next, we have to prove soundness of every DHOL rule. For most of the rules, this is rather straightforward. We show soundness of \(\mathcal {T}_{\textrm{FE}}\), \(\mathcal {T}_{\textrm{FQ}}\) and \(\mathcal {T}_{\textrm{DEC}}\) as representative cases and start with an auxiliary lemma.

Lemma 4

Assume \(\varGamma \vdash ^{\textsf{d}}_T s:o\). We have \(\varGamma \vdash ^{\textsf{d}}_T s\) if and only if \(\varGamma \vdash ^{\textsf{d}}_T [s]\).

Proof

By the beta and eta rules, we have \(\varGamma \vdash ^{\textsf{d}}_T s =_o [s]\). Using cong\(\vdash \) we obtain the desired result in both directions.    \(\square \)

Lemma 5 (\(\mathcal {T}_{\textrm{FE}}\)). Let \((T,\varGamma ,\varGamma ')\) be a well-formed branch. Choose x such that \(x \not \in \mathcal {V}s \cup \mathcal {V}t\) and assume \(s \ne _{\mathrm {\Pi }x:A.B} t \in T,\varGamma \). If \(\varGamma ,\lnot [\forall x:A. sx = tx] \vdash ^{\textsf{d}}_T \bot \) then \(\varGamma \vdash ^{\textsf{d}}_T \bot \).

Proof

From the assumptions and Lemma 4, we obtain \(\varGamma \,\vdash ^{\textsf{d}}_T s\, \ne _{\mathrm {\Pi }x:A.B} t\) and \(\varGamma \, \vdash ^{\textsf{d}}_T \forall x:\, A. sx =_B tx\). Furthermore, an application of \(\forall \)e yields \(\varGamma ,\, x:A \vdash ^{\textsf{d}}_T sx =_B tx\). Using cong\(\lambda \), we get \(\varGamma \vdash ^{\textsf{d}}_T (\lambda x:A.sx) =_{\mathrm {\Pi }x:A.B} (\lambda x:A.tx)\). Hence, we can apply eta (\(x \not \in \mathcal {V}s \cup \mathcal {V}t\)), sym and the admissible rule trans [18] which says that equality is transitive to get \(\varGamma \, \vdash ^{\textsf{d}}_T s =_{\mathrm {\Pi }x:A.B} t\) and therefore \(\varGamma \,\vdash ^{\textsf{d}}_T \bot \).    \(\square \)

Lemma 6 (\(\mathcal {T}_{\textrm{FQ}}\)). Let \((T,\varGamma ,\varGamma ')\) be a well-formed branch. Assume \(s =_{\mathrm {\Pi }x:A.B} t \in T,\varGamma \) and \(x \not \in \mathcal {V}s \cup \mathcal {V}t\). If \(\varGamma ,[\forall x:A. sx = tx] \vdash ^{\textsf{d}}_T \bot \) then \(\varGamma \vdash ^{\textsf{d}}_T \bot \).

Proof

From the assumptions, \(\varGamma \vdash ^{\textsf{d}}_T \lnot [s] =_o [\lnot s]\), cong\(\vdash \) and Lemma 4, we obtain \(\varGamma \vdash ^{\textsf{d}}_T s =_{\mathrm {\Pi }x:A.B} t\) and \(\varGamma \vdash ^{\textsf{d}}_T \lnot \forall x:A. sx =_B tx\). Furthermore, we have \(\varGamma , x:A \vdash ^{\textsf{d}}_T sx =_B tx\) by refl and congAppl. Hence, \(\forall \)i yields \(\varGamma \vdash ^{\textsf{d}}_T \forall x:A. sx =_B tx\) and we conclude by an application of \(\lnot \)e.    \(\square \)

Lemma 7 (\(\mathcal {T}_{\textrm{DEC}}\)). Let \((T,\varGamma ,\varGamma ')\) be a well-formed branch. Assume

$$x\, s_1 \,\dots \, s_n \ne _{a u_1\dots u_m} x\, t_1 \,\dots \, t_n \in T,\varGamma $$

and \(\varGamma \vdash ^{\textsf{d}}_T x:\mathrm {\Pi }y_1:A_1 \cdots \mathrm {\Pi }y_n :A_n.a\, u_1' \,\dots \, u_m'\) where \(u_i = u_i'[y_1/s_1,\dots ,y_n/s_n]\) for \(1 \leqslant i \leqslant m\). If \(\varGamma ,s_i \ne _{A_i[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]} t_i \vdash ^{\textsf{d}}_T \bot \) for all \(1 \leqslant i \leqslant n\) then \(\varGamma \vdash ^{\textsf{d}}_T \bot \).

Proof

From the assumptions, we obtain \(\varGamma \vdash ^{\textsf{d}}_T s_i =_{A_i[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]} t_i\) for all \(1 \leqslant i \leqslant n\) and \(\varGamma \vdash ^{\textsf{d}}_T x =_{\mathrm {\Pi }y_1:A_1 \cdots \mathrm {\Pi }y_n :A_n.a u_1' \dots u_m'} x\). Hence, n applications of the congruence rule for application yield \(\varGamma \vdash ^{\textsf{d}}_T x\, s_1 \,\dots \, s_n =_{a u_1 \dots u_m} x\, t_1 \,\dots \, t_n\). Since we also have \(\varGamma \vdash ^{\textsf{d}}_T x\, s_1 \,\dots \, s_n \ne _{a u_1\dots u_m} x\, t_1 \,\dots \, t_n\), we obtain \(\varGamma \vdash ^{\textsf{d}}_T \bot \).    \(\square \)

Now we are ready to prove the soundness result for \(\mathcal {T}\).

Theorem 3

If \((T,\varGamma ,\cdot )\) is well-formed and d-refutable then \(\varGamma \vdash ^{\textsf{d}}_T \bot \).

Proof

Let \((T,\varGamma ,\cdot )\) be well-formed and d-refutable. We proceed by induction on the definition of d-refutability. If \((T,\varGamma ,\cdot )\) is e-refutable, the result follows from Lemma 3 together with Corollary 1. If \(\bot \in T,\varGamma \) then clearly \(\varGamma \vdash ^{\textsf{d}}_T \bot \). For the inductive case, consider a step \(\langle (T,\varGamma ,\cdot ),(T,\varGamma _1,\cdot ),\dots ,(T,\varGamma _n,\cdot ) \rangle \) with some DHOL rule. Since \((T,\varGamma ,\cdot )\) is d-refutable, all alternatives must be d-refutable. If we manage to show well-formedness of every alternative, we can apply the induction hypothesis to obtain \(\varGamma _i \vdash ^{\textsf{d}}_T \bot \) for all \(1 \leqslant i \leqslant n\). Then, we can conclude \(\varGamma \vdash ^{\textsf{d}}_T \bot \) by soundness of the DHOL rules. Hence, it remains to prove well-formedness of the alternatives. In most cases, this is straightforward. We only show one interesting case, namely \(\mathcal {T}_{\textrm{DEC}}\).

Instead of proving \(\varGamma ,s_i \ne _{A_i[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]} t_i \vdash ^{\textsf{d}}_T \bot \) for all \(1 \leqslant i \leqslant n\) we show that \(\varGamma \vdash ^{\textsf{d}}_T s_i =_{A_i[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]} t_i\) for all \(1 \leqslant i \leqslant n\). Since \((T,\varGamma ,\cdot )\) is a well-formed branch, both \(s_1\) and \(t_1\) have type \(A_1\). Hence, \((T,(\varGamma ,s_1 \ne _{A_1} t_1),\cdot )\) is well-formed and our original induction hypothesis yields \(\varGamma , s_1 \ne _{A_1} t_1 \vdash ^{\textsf{d}}_T \bot \) from which we obtain \(\varGamma \vdash ^{\textsf{d}}_T s_1 =_{A_1} t_1\). Now let \(i \leqslant n\) and assume we have \(\varGamma \vdash ^{\textsf{d}}_T s_j =_{A_j[x_1/s_1,\dots ,x_{j-1}/s_{j-1}]} t_j\) for all \(j < i\) (\(*\)). This is only possible if \(\varGamma \vdash ^{\textsf{d}}_T t_j:A_j[x_1/s_1,\dots ,x_{j-1}/s_{j-1}]\) for all \(j < i\). Since \((T,\varGamma ,\cdot )\) is a well-formed branch, it is clear that \(\varGamma \vdash ^{\textsf{d}}_T s_{i}:A_{i}[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]\) and \(\varGamma \vdash ^{\textsf{d}}_T t_{i}:A_{i}[x_1/t_1,\dots ,x_{i-1}/t_{i-1}]\). From (\(*\)), we obtain

$$\begin{aligned} \varGamma \vdash ^{\textsf{d}}_T t_{i}:A_{i}[x_1/s_1,\dots ,x_{i-1}/s_{i-1}], \end{aligned}$$

so \((T,(\varGamma ,s_i \ne _{A_i[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]} t_i),\cdot )\) is well-formed. Hence, the original induction hypothesis yields \(\varGamma \vdash ^{\textsf{d}}_T s_i =_{A_i[x_1/s_1,\dots ,x_{i-1}/s_{i-1}]} t_i\) as desired.    \(\square \)

In the previous proof, we can see that for \(\mathcal {T}_{\textrm{DEC}}\), well-formedness of an alternative depends on refutability of all branches to the left. Note that the same holds for \(\mathcal {T}_{\textrm{MAT}}\) and \(\mathcal {T}_{\Rightarrow }\). This is a distinguishing feature of DHOL, since in tableaux branches are usually considered to be independent.

Finally, completeness is immediate from the completeness of the HOL tableau calculus and the erasure:

Theorem 4

If \(\varGamma \vdash ^{\textsf{d}}_T \bot \) then \((T,\varGamma ,\cdot )\) is d-refutable.

Proof

Let \(\varGamma \vdash ^{\textsf{d}}_T \bot \). Using Corollary 1 and Lemma 2 we conclude s-refutability of \((T,\varGamma ,\varPhi (\overline{\varGamma }))\). By definition, \((T,\varGamma ,\varPhi (\overline{\varGamma }))\) is also e-refutable. Furthermore, by inspecting \(\mathcal {T}_{\textrm{ER}_1}\) and \(\mathcal {T}_{\textrm{ER}_2}\) we conclude that \((T,\varGamma ,\cdot )\) is also e-refutable and therefore d-refutable.    \(\square \)

4 Implementation

We implemented the tableau calculus for DHOL as an extension of Lash [6], which is a fork of Satallax, a successful automated theorem prover for HOL [4]. By providing an efficient C implementation of terms with perfect sharing as well as other important data structures and operations, Lash outperforms Satallax when it comes to the basic ground tableau calculus which both of them implement. However, Lash removes many of the additional features beyond the basic calculus that were implemented in Satallax. This was actually beneficial for our purpose, as we could concentrate on adapting the core part. Note that Lash and Satallax do not just implement the underlying ground tableau calculus but make heavy use of SAT-solving and a highly customizable priority queue to guide the proof search [4, 5].

For the extension of Lash to DHOL, the data structure for terms had to be changed to support dependent function types as well as quantifiers and lambda abstractions with dependent types. Of course, it would be possible to represent everything in the language of DHOL, but the formulation of DHOL suggests that the prover should do as much as possible in the HOL fragment and only use “proper” DHOL when it is really necessary. With this in mind, the parser always tries first to produce simply-typed terms and only resorts to dependent types when it is unavoidable. Therefore, the input problem often looks like a mixture of HOL and DHOL even though everything is included in DHOL. A nice side effect of this design decision is that our extension of Lash works exactly like the original version on the HOL fragment, except for the fact that it is expected to be slower due to the numerous case distinctions between simple types and dependent types which are needed in this setting.

Although DHOL is not officially part of TPTP THF, it can be expressed due to the existence of the \(\texttt {!>}\)-symbol which is used for polymorphism. Hence, a type \(\mathrm {\Pi }x:A. B\) is represented as !>[X:A]:B. For simplicity and efficiency reasons, we did not implement dependent types by distinguishing base types from their term arguments but represent the whole dependent type as a term. When parsing a base type a, Lash automatically creates an eponymous constant of type \(\textsf{tp}\) to be used in dependent types as well as a simple base type \(a_0\) for the erasure and a constant \(a^*\) for its PER. The flags DHOL_RULES_ONLY and DHOL_ERASURE_ONLY control the availability of the erasure as well as the native DHOL rules, respectively. Note that the implementation is not restricted to d-refutability but allows for arbitrary refutations. In the standard flag setting, however, only the native DHOL rules are used. Clearly, this constitutes a sound strategy. It is incomplete since the confrontation rule only considers equations with syntactically equivalent types. We have more to say about this in Sect. 4.2.

4.1 Type Checking

By default, problems are only type-checked with respect to their simply-typed skeleton. If the option exactdholtypecheck is set, type constraints stemming from the term arguments of dependent base types are generated and added to the conjecture. The option typecheckonly discards the original conjecture, so Lash just tries to prove the type constraints. Since performing the type check involves proper theorem proving, we added the new SZS ontology statuses TypeCheck and InexactTypecheck to the standardized output of Lash. The former means that a problem type checks, while the latter only states that it type checks with respect to the simply-typed skeleton.

For the generation of type constraints, each formula of the problem is traversed as in ordinary type checking. In addition, every time a type condition \(a\, t_1 \,\dots \, t_n \equiv a\, s_1 \,\dots \, s_n\) comes up and there is some i such that \(s_i\) and \(t_i\) are not syntactically equivalent, a constraint requiring \(s_i = t_i\) to be provable is added to the set of type constraints. Note that it does not always suffice to just add \(s_i = t_i\), as this equation may contain bound variables or only hold in the context in which the constraint appears. To that end, we keep relevant information about the term context when generating these constraints. Whenever a forall quantifier or lambda abstraction comes up, it is translated to a corresponding forall quantifier in the context, since we want the constraint to hold in any case. While details like applications can be ignored, it is important to keep left-hand sides of implications in the context, as they may be crucial for the constraint to be met. In general, any axiom may contribute to the type checking proof.

Example 3

The conjecture

$$\begin{aligned} \forall n:\textsf{nat},x:\textsf{lst}\,n.\, n =_{\textsf{nat}} 0 \Rightarrow \textsf{app}\, n\, n\, x\, x = x \end{aligned}$$

is well-typed if the type constraint

$$\begin{aligned} \forall n:\textsf{nat},x:\textsf{lst}\, n.\, n =_{\textsf{nat}} 0 \Rightarrow \textsf{plus}\,n\, n =_{\textsf{nat}} n \end{aligned}$$

is provable. Lash can generate this constraint and finds a proof quickly using the axiom \(\forall n:\textsf{nat}.\,\textsf{plus}\, \textsf{0}\, n =_{\textsf{nat}} n\).

Since conjunctions and disjunctions are internally translated to implications, it is important to note that we process formulas from left to right, i.e. for \(x:\textsf{lst}\, n\) and \(y:\textsf{lst}\, m\), the proposition \(m \ne n \vee x = y\) type checks because we can assume \(m = n\) when processing \(x = y\). Consequently, \(x = y \vee m \ne n\) does not type check. As formulas are usually read from left to right, this is a natural adaptation of short-circuit evaluation in programming languages. Furthermore, it is in accordance with the presentation of Rothgang et al. [17] as well as the corresponding implementation in PVS [19]. As a matter of fact, PVS handles its undecidable type checking problem in essentially the same way as our new version of Lash, by generating so-called type correctness conditions (TCCs).
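As an added example (not Lash's code), the following Python models the constraint generation described in this section: formulas are walked left to right, each type condition between dependent base types with differing term arguments yields an equation, and every equation is closed under the quantifiers and implication hypotheses in scope. The term encoding and the signature (only 0 and app, with app typed as in Example 1) are constructed for this example; run on Example 3 it produces the constraint ∀n:nat, x:lst n. n = 0 ⇒ plus n n = n, and on the two disjunction orderings it shows that only the first one gets m = n as a hypothesis.

```python
# Added example, not code from Lash: a small model of the type-constraint generation
# of Sect. 4.1. As in Lash, a dependent type is itself a term: a base type applied
# to term arguments is an ordinary application node, so 'lst n' is app(lst, n).
from functools import reduce
BINDERS = ('forall', 'pi')
V = lambda x: ('var', x)
app = lambda f, *args: reduce(lambda g, a: ('app', g, a), args, f)
NAT, LST = ('const', 'nat'), lambda n: app(('const', 'lst'), n)
# Constructed signature; app gets the type Πn:nat. Πm:nat. lst n → lst m → lst (plus n m) of Example 1.
SIG = {'0': NAT, 'app': ('pi', 'n', NAT, ('pi', 'm', NAT, ('pi', 'x', LST(V('n')),
       ('pi', 'y', LST(V('m')), LST(app(('const', 'plus'), V('n'), V('m')))))))}

def fv(t):  # free variables of a term or type
    if t[0] == 'var': return {t[1]}
    if t[0] in BINDERS: return fv(t[2]) | (fv(t[3]) - {t[1]})
    return set().union(*(fv(c) for c in t[1:] if isinstance(c, tuple)))

def subst(t, x, r):  # capture-avoiding t[x/r]; a bound variable clashing with fv(r) is primed
    if t[0] == 'var': return r if t[1] == x else t
    if t[0] in BINDERS:
        k, y, A, B = t
        if y == x: return (k, y, subst(A, x, r), B)
        if y in fv(r): B, y = subst(B, y, V(y + "'")), y + "'"
        return (k, y, subst(A, x, r), subst(B, x, r))
    return (t[0],) + tuple(subst(c, x, r) if isinstance(c, tuple) else c for c in t[1:])
spine = lambda t: spine(t[1]) + [t[2]] if t[0] == 'app' else [t]  # [head, arg_1, ..., arg_n]

def unify(A, B, emit):  # type condition A ≡ B: skeletons must match, differing arguments become constraints
    if A == B: return
    if A[0] == 'pi' and B[0] == 'pi':
        unify(A[2], B[2], emit)
        return unify(A[3], subst(B[3], B[1], V(A[1])), emit)
    (ha, *aa), (hb, *ab) = spine(A), spine(B)
    if ha != hb or len(aa) != len(ab): raise TypeError("simply-typed skeleton mismatch")
    for s, u in zip(aa, ab):
        if s != u: emit(('eq', s, u))

def typeof(t, ctx, emit):  # type of t under context ctx; dependent arguments may emit constraints
    if t[0] == 'var': return ctx[t[1]]
    if t[0] == 'const': return SIG[t[1]]
    _, y, A, B = typeof(t[1], ctx, emit)  # t is an application, so this is a Π-type
    unify(A, typeof(t[2], ctx, emit), emit)
    return subst(B, y, t[2])

def constraints(phi, ctx, assums=()):  # left-to-right walk over a formula (eq, not, imp, or, forall)
    out = []
    def emit(e):  # every constraint is closed under the ∀-binders and hypotheses in scope
        for a in reversed(assums):
            e = ('forall', a[1], a[2], e) if a[0] == 'forall' else ('imp', a[1], e)
        out.append(e)
    if phi[0] == 'forall': return constraints(phi[3], {**ctx, phi[1]: phi[2]}, assums + (phi,))
    if phi[0] == 'imp': return constraints(phi[1], ctx, assums) + constraints(phi[2], ctx, assums + (phi,))
    if phi[0] == 'or':  # a ∨ b is processed as ¬a ⇒ b, so b is checked under the assumption ¬a
        na = phi[1][1] if phi[1][0] == 'not' else ('not', phi[1])
        return constraints(('imp', na, phi[2]), ctx, assums)
    if phi[0] == 'not': return constraints(phi[1], ctx, assums)
    unify(typeof(phi[1], ctx, emit), typeof(phi[2], ctx, emit), emit)  # phi is an equation s = t
    return out

# Example 3: ∀n:nat, x:lst n. n = 0 ⇒ app n n x x = x
EX3 = ('forall', 'n', NAT, ('forall', 'x', LST(V('n')), ('imp', ('eq', V('n'), ('const', '0')),
       ('eq', app(('const', 'app'), V('n'), V('n'), V('x'), V('x')), V('x')))))
def disj(left_first):  # Sect. 4.1: m ≠ n ∨ x = y versus x = y ∨ m ≠ n, with x:lst n and y:lst m
    a, b = ('not', ('eq', V('m'), V('n'))), ('eq', V('x'), V('y'))
    body = ('or', a, b) if left_first else ('or', b, a)
    return ('forall', 'n', NAT, ('forall', 'm', NAT, ('forall', 'x', LST(V('n')), ('forall', 'y', LST(V('m')), body))))
```

Whether a generated constraint is actually provable is left to the prover, as in Lash; the model only shows which hypotheses each constraint is allowed to use.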

4.2 Implementation of the Rules

Given the appropriate infrastructure for dependent types, the implementation of most rules in Fig. 2 is a straightforward extension of the original HOL implementation. For \(\mathcal {T}_{\forall }\), the side condition \(\varGamma \vdash ^{\textsf{d}}_T t:A\) is undecidable in general. It has been chosen to provide a simple characterization of the tableau calculus. Furthermore, it emphasizes that we do not instantiate with terms whose type does not literally match with the type of the quantified variable. In the implementation, we keep a pool of possible instantiations for types A which occur in the problem. The pool gets populated by terms of which we know that they have a given type because this information was available during parsing or proof search. Hence, we only instantiate with terms t for which we already know that \(\varGamma \vdash ^{\textsf{d}}_T t:A\) holds.

Given an equation \(s =_A t\), there are many candidate representations of A modulo type equality. When we build an equation in the implementation, we usually use the type of the left-hand side. Since all native DHOL rules of the tableau calculus enforce syntactically equivalent types, the ambiguity with respect to the type of an equation leads to problems. For example, consider a situation where \(\varGamma \vdash ^{\textsf{d}}_T s:A\), \(\varGamma \vdash ^{\textsf{d}}_T t:B\) and \(\varGamma \vdash ^{\textsf{d}}_T s =_A t\), which implies \(\varGamma \vdash ^{\textsf{d}}_T A \equiv B\). During proof search, it could be that \(\varGamma \vdash ^{\textsf{d}}_T t \ne s\) is established. Clearly, this is a contradiction which leads to a refutation, but usually the inequality is annotated with the type B, which makes the refutation inaccessible to our native DHOL rules. Therefore, we implemented rules along the lines of

$$\begin{aligned} \mathcal {T}_{\textrm{SYMCAST}_1}\ \frac{s =_{A} t}{t =_{B} s}\ t:B \qquad \mathcal {T}_{\textrm{SYMCAST}_2}\ \frac{s \ne _{A} t}{t \ne _{B} s}\ t:B \end{aligned}$$

which not only apply symmetry but also change the type of the equality in a sound way. As in \(\mathcal {T}_{\forall }\), the side condition should be read as \(\varGamma \vdash ^{\textsf{d}}_T t:B\), which makes it undecidable. However, in practice, we can compute a representative of the type of t given the available type information. While experimenting with the new DHOL version of Lash, the implementation of these rules proved to be very beneficial for refutations which only work with the DHOL rules. For the future, it is important to note that \(\mathcal {T}_{\textrm{SYMCAST}_1}\) and \(\mathcal {T}_{\textrm{SYMCAST}_2}\) are not sound for the extension of DHOL to predicate subtypes, as \(\varGamma \vdash ^{\textsf{d}}_T s =_{A} t\) and \(\varGamma \vdash ^{\textsf{d}}_T t:B\) do not imply \(\varGamma \vdash ^{\textsf{d}}_T A \equiv B\) anymore.

4.3 Generating Instantiations

Since Lash implements a ground tableau calculus, it does not support higher-order unification. Therefore, the generation of suitable instantiations is a major issue. In the case of DHOL, it is actually beneficial that Lash already implements other means of generating instantiations, since the availability of unification for DHOL is questionable: there exist unification procedures for dependent type theories (see for example [11]), but for DHOL such a procedure would also have to address the undecidable type equality problem.

For simple base types, it suffices to consider so-called discriminating terms to remain complete [1]. A term s of simple base type a is discriminating in a branch A if \(s \ne _{a} t \in A\) or \(t \ne _{a} s \in A\) for some term t. For function terms, completeness is guaranteed by enumerating all possible terms of a given type. Of course, this is highly impractical, and there is the important flag INITIAL_SUBTERMS_AS_INSTANTIATIONS which adds all subterms of the initial problem as instantiations. This heuristic works very well in many cases.

For dependent types, we do not check for type equality when instantiating quantifiers but only use instantiations with the exact same type (cf. \(\mathcal {T}_{\forall }\) in Fig. 2) and let the erasure handle the remaining cases.

An interesting feature of this new version of Lash is the possibility to automatically generate instantiations for induction axioms. Given the constraints of the original implementation, the easiest way to sneak a term into the pool of instantiations is to include it in an easily provable lemma and then use the flag INITIAL_SUBTERMS_AS_INSTANTIATIONS. However, this adds unnecessary proof obligations, so we modified the implementation such that initial subterms as instantiations also include lambda abstractions corresponding to forall quantifiers.

Example 4

Consider the induction axiom for lists:

$$\begin{aligned} &\forall p:(\mathrm {\Pi }n:\textsf{nat}.\,\textsf{lst}\,n \rightarrow o).\, p\,\textsf{0}\,\textsf{nil}\\ & \quad \,\,\, \Rightarrow {} (\forall n:\textsf{nat},x:\textsf{elem},y:\textsf{lst}\, n.\, p\, n\, y \Rightarrow p\,(\textsf{s}\, n)\, (\textsf{cons}\, n\, x\, y)) \\ & \quad \,\,\, \Rightarrow {} (\forall n:\textsf{nat}, x:\textsf{lst}\, n.\, p\, n\, x) \end{aligned}$$

Even though it works for arbitrary predicates p, without unification it is in general very hard for an ATP system to guess the correct instance for a given problem. However, given the conjecture \(\forall n:\textsf{nat},x:\textsf{lst}\, n.\, \textsf{app}\, n\, \textsf{0}\, x\, \textsf{nil}=_{\textsf{lst}\, n} x\), we can easily read off the correct instantiation for p by replacing \(\forall \) with \(\lambda \).

5 Case Study: List Reversal Is an Involution

Consider the following equational definition of the list reversal function \(\textsf{rev}\):

$$\begin{aligned} & \textsf{rev}\,\textsf{0}\,\textsf{nil}=_{\textsf{lst}\,\textsf{0}} \textsf{nil}\\ & \forall n:\textsf{nat}, x:\textsf{elem}, y:\textsf{lst}\, n. \\ & \quad \,\, \textsf{rev}\, (\textsf{s}\, n)\, (\textsf{cons}\, n\, x\, y) =_{\textsf{lst}\, (\textsf{s}\, n)} \textsf{app}\, n\, (\textsf{s}\, \textsf{0})\, (\textsf{rev}\, n\, y)\, (\textsf{cons}\,\textsf{0}\, x\,\textsf{nil}) \end{aligned}$$

The conjecture

[figure c: the conjecture, shown as an image in the original, is not reproduced here]

is very easy to state, but turns out to be hard to prove automatically. The proof is based on the equational definitions of \(\textsf{plus}\) and \(\textsf{app}\) given in Example 1 as well as several induction proofs on lists using the axiom from Example 4. In particular, some intermediate goals are needed to succeed:

[figure d: the intermediate goals, shown as an image in the original, are not reproduced here]

Table 1. Number of problem files per (intermediate) goal

Note that for polymorphic lists, this is a standard example of an induction proof with lemmas (see e.g. [15, Section 2.2]). In the dependently-typed case, however, many intermediate equations would be ill-typed in interactive theorem provers like Coq or Lean. In order to succeed in automatically proving these problems, we had to break them down into separate problems for the instantiation of the induction axiom, the base case and the step case of the induction proofs. Often, we further needed to organize these subproblems in manageable steps. Overall, we created 34 TPTP problem files which are distributed over the intermediate goals as shown in Table 1. Note that even type checking these intermediate problems is not trivial: all type constraints are arithmetic equations, and given the Peano axioms, many of them need to be proven by induction themselves. Since we are mainly interested in the dependently-typed part, we added the needed arithmetical facts as axioms. Overall, the problem files have up to 18 axioms, including the Peano axioms, selected arithmetical results, the defining equations of \(\textsf{plus}\), \(\textsf{app}\) and \(\textsf{rev}\) as well as the list induction axiom. We left out unnecessary axioms in many problem files to make the proof search feasible.

With our new modes for DHOL, which work solely with the native DHOL rules, Lash can type check and prove all problems easily. If we turn off the native DHOL rules and only work with the erasure, using the otherwise same modes with a 60 s timeout, Lash can still type check all problems but only manages to prove 7 out of 34 problems. In order to further evaluate the effectiveness of our new implementation, we translated all problems from DHOL to HOL using the Logic Embedding Tool (Footnote 1), which performs the erasure from [17]. We then tested 16 other HOL provers available on SystemOnTPTP (Footnote 2) on the translated problems with a 60 s timeout (without type checking). We found that 5 of the 34 problems could only be solved by the DHOL version of Lash, including one problem where it needs only 5 inference steps. Detailed results as well as means to reproduce them are available on Lash’s website (Footnote 3) together with its source code.

6 Conclusion

Starting from the erasure from DHOL to HOL by Rothgang et al. [17], we developed a sound and complete tableau calculus for DHOL which we implemented in Lash. To the best of our knowledge, this makes Lash the first standalone automated theorem prover for DHOL. According to the experimental results, our new prover, using solely the native DHOL rules, can outperform configurations in which the erasure is performed as a preprocessing step for a HOL theorem prover. We hope that this development will raise further interest in DHOL. Possible further work includes theoretical investigations such as the incorporation of choice operators into the erasure as well as a definition of the semantics of DHOL. Furthermore, it is desirable to officially define the TPTP syntax for DHOL, which would then open the possibility of establishing a problem data set on which current and future tools can be compared. Finally, we would like to extend Lash to support predicate subtypes. Rothgang et al. already incorporated this into the erasure, but there is no corresponding syntactic support in TPTP yet. In particular, this would get us much closer to powerful automation support for systems like PVS.