Session 3 Logic: I Theorem Proving and
A MAN-MACHINE THEOREM PROVING SYSTEM
W. W. Bledsoe and Peter Bruell, University of Texas, Austin

ABSTRACT: This paper describes a man-machine theorem proving system at the University of Texas (Austin) which has been used to prove a few theorems in general topology. The theorem (or subgoal) being proved is presented on the scope in its natural form so that the user can easily comprehend it and, by a series of interactive commands, can help with the proof when he desires. A feature called DETAIL is employed which allows the human to interact only when needed and only to the extent necessary for the proof. The program is built around a modified form of IMPLY, a natural-deduction-like theorem proving technique which has been described earlier. A few examples of proofs are given.
1. Introduction.

Some workers in automatic theorem proving, including the authors, believe that it will be many years (if ever) before machines alone can prove difficult theorems in mathematics. Thus some, who hope to see machines used as practical assistants to pure mathematicians, have redirected their attention to man-machine theorem provers [3, 4, 5] and theorem proof checking [6, 7, 8]. The present paper describes a man-machine theorem proving system at the University of Texas which has been used to prove a few theorems in general topology. Our system is organized in the same general way as those of Guard [3], Luckham [4], and Huet [5], but with many major differences. For example, Luckham and Huet use variations of Resolution as their principal rules of inference whereas we use a modified form of IMPLY [1], which is a natural-deduction-type method. Also our system displays formulas on the scope in a natural, easy to read manner and has available a variety of interactive commands the user can employ to help with the proof. Among these is a feature called DETAIL which allows the human to interact only when needed and only as much as is required for the proof.

As yet this system has proved no new theorem in topology. The program is still in the state of development and it will be some time before we can determine whether it can materially help a mathematician prove new theorems. This paper describes the facility, the interactive commands available to the user mathematician, the modified version of IMPLY which is used, and gives a few examples of proofs of theorems.

2. The Facility and Interactive Commands.

The facility consists of a Datapoint 3300 terminal connected to the CDC 6600 computer via the UT interactive (time-sharing) system TAURUS [11]. A mathematician (the user) sits at the terminal, types in a theorem to be proved and occasionally helps the program with the proof by providing information he feels is needed and answering questions the program poses. The computer program consists of a large automatic theorem prover and a subroutine for interacting with the mathematician. The theorem prover, which is described in Section 3, is written in LISP and is based on IMPLY (see Section 4 of [1]) and the methods given in [1] and [2]. It has the ability to prove theorems on its own; human intervention is used to increase its power and speed up proofs.

The DETAIL Feature. One of the principal difficulties with most man-machine provers is in knowing when and how the man should intervene. Firstly the human may have trouble in reading and comprehending the text on the scope, and secondly, he doesn't know when the machine should be helped, and how much he should do. He does not want to make a lot of unneeded entries, and if he makes a mistake he wants to easily recover.

The first difficulty is solved in the system described here by employing the human oriented language IMPLY and in displaying the theorem on the scope in a "pretty-print" form. This is further described below. The second difficulty is handled by a procedure which allows the computer by itself to first try to prove the theorem (or subgoal). If it succeeds, then all is well, but if it fails within a prescribed time limit, it prints on the scope the statement of the theorem and the word "FAILURE" and awaits a command from the user. If he commands "DETAIL" then it will proceed (again) with its proof to the point where the current goal is split into subgoals. At that point it prints on the scope the statement of the new subgoal for which it failed and stops, and the whole process can be repeated. At any of these stops the user can employ a variety of other commands such as DEFN, PUT, USE, etc. (which are described below) to help with the proof.

In this way he can easily isolate the difficulty and make only those entries needed by the machine in its proof. Indeed he can start the machine on the proof of a theorem without enough hypotheses (reference theorems) and supply them only when and if they are needed in the proof. The following is a symbolic example for explaining the DETAIL process. Real examples are given in Section 4.
The other subgoals of (3) are handled similarly, using other hypotheses from H. Thus the very difficult problem (1) has been reduced to a series of easier problems by the human action (2) and some machine manipulations. It is true that the mathematician is required to provide the most difficult step in the proof, but then the computer does the rest, proving a series of smaller theorems and verifying that the mathematician's choice for G was indeed correct. If he made a wrong choice at (2) he might want to intervene later, back up, and try a different value for G.

The PUT feature, though quite simple, is a very powerful device. It alone makes a tremendous difference in the number of theorems the computer program can prove.

to be printed.

HISTORY. If commanded the program keeps a record (history) of each step it has taken in the proof of a theorem, including steps where the human intervenes but excluding unproductive steps. This history can be used by the mathematician later, upon the command "RUN HISTORY N", to rerun all or part of the proof without interruption, and to try if desired a different line of proof at any step.

3. The Machine Prover.

The prover used by this system consists mainly of a modified form of IMPLY (Section 4 of [1]), with the addition of REDUCE* (see p. 57 of [2]), and other concepts from [2] and [17]. Two of the principal differences in the present version are that IMPLY is now the main routine (instead of CYCLE), and REDUCE is now applied inside IMPLY. The SPLIT functions (p. 56 of [2]) are an integral part of IMPLY itself. Also IMPLY has been given a breadth-first search capacity (see below), and the back-up feature (see Footnote 11 of [1]) has been removed and replaced by a human back-up capability.

IMPLY. IMPLY is a natural deduction type system which processes formulas in their "natural" form (see also [9, 10]). It consists partially of a few rewrite rules such as

which convert the expression being proved from one form to another. Its main function is to split a goal into subgoals

backchain, substitute equals, and forward chain (new addition). A fundamental part of IMPLY is a matching routine (unification): if T is a most general unifier of A and A' then the subgoal

is judged "TRUE" with T being returned to be applied to further subgoals.

REDUCE. REDUCE consists wholly of a set of rewrite rules which converts parts of formulas. It contains special heuristics for set theory, topology, etc. For example

REDUCE helps convert expressions into forms which are more easily provable by IMPLY. It also is a convenient place to store facts that can be used by the machine as they are needed. For example REDUCE returns "TRUE" when applied to such formulas as (Closed C1ST A), (Open X), (Open (interior A)), etc.

Forward Chaining. It seems that unrestrained forward chaining is a poor idea in automatic theorem proving because it tends to produce an excessive number of useless hypotheses (lemmas). Consequently, our earlier versions of IMPLY relied heavily on backward chaining. However, the use of the man-machine system (especially the PUT feature) on theorems in topology has brought to our attention the power of forward chaining in many proofs, especially in cases where the chaining expression is a ground (all constant) formula. We therefore have provided ground forward chaining as a new rule in IMPLY.

RULE (forward chaining). If P0 is a ground expression (i.e., contains no variables) which is an instance of P (i.e., there is a substitution T for which P0 = P T) then the goal

is converted to the new goal

This rule need only be applied at the time something new is added to the hypothesis, such as when an expression (H (A B)) is converted to (H A B), or when another forward chaining step has just been completed. This rule has been further extended in the system to provide for so-called "PEEK forward chaining", which works as follows:

RULE (PEEK forward chaining). If P0 is a ground expression and A has the definition (P Q), then the goal

is converted to the new goal

Note that the machine "peeks" at the definition of A to see if forward chaining is possible, but then returns A to its original form. This variation is very useful (see Example 2, (111 H 1)). Returning A to its original form makes the theorem much easier to comprehend for the mathematician reading the display on the scope.

Forward chaining still tends to clutter up the scope with useless hypotheses, and the user occasionally finds it useful to remove some of them by the command DELETE. More importantly the user, when he gives the computer a theorem to prove, need not list all required lemmas but can give them only as they are needed in the proof, and thereby can eliminate much irrelevant forward chaining.

Breadth-First Search. One of the difficulties with the previous version of IMPLY was that its search was essentially "depth-first." For example, in proving

it would back chain off of

and try to prove H(x0), before finally getting around to the trivial proof (P(x0) -> P(x0)). A human, acting more intelligently, would casually glance across the hypotheses, and notice P(x0) before trying to establish H(x0).

A more serious difficulty is encountered in instantiating definitions, in that not enough direction is provided as to which definition to instantiate first. As a general rule, an expression such as "reg" should not be replaced by its definition unless it will "do some good." Otherwise a glut of new symbols hampers both man and machine. Also it is usually better to instantiate definitions in the conclusion before those in the hypothesis, and to instantiate definitions of "strange" terms such as "paracompact" before those of ordinary terms such as "closed" or

We have attempted to remedy these two difficulties and have also added another feature called "PAIRS" which tries if possible to apply that hypothesis which is like the desired conclusion, even when a complete match cannot be made.

The following is a rather sketchy description of the revised IMPLY program, which gives only the flavor of it. A detailed description is given in [12]. When a theorem (or subgoal)

is given for IMPLY to prove, it first calls REDUCE, then applies its own rewrite rules, and SPLITS it if appropriate. Next it does a breadth-first search by trying the following seven steps in the order indicated. If any step fails it goes to the next; the success of a step usually results in another call to the function IMPLY.

These are described in more detail below. With the exception of step 5 each of the steps listed involves a call from IMPLY to a function called HOA. What basically happens is that IMPLY splits the theorem into subgoals on the basis of the OR-AND structure of C, and HOA attempts to use the hypotheses to prove these subgoals.

1. Try matching the conjuncts of H with C. That is, if H is of the form H1 ∧ H2 ∧ H3 it tries to match C with one of the Hi.

2. Same as 1, except that backchaining is allowed. For example, in

*Since REDUCE is now called from inside IMPLY, it (REDUCE) must eliminate quantifiers and skolemize in the course of reducing formulas. As was explained in Section 2 under DEFN, the exact form of this skolemization depends on the position of the expression in the theorem.
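The following Python program is an added illustration and is not part of the original paper, nor the authors' LISP code. It implements, in miniature, the mechanisms described in Sections 2 and 3: the SPLIT of a goal on its AND structure with theorem labels (L 1), (L 2) and (L H); the HOA steps of matching the conjuncts of H against C by unification before any backchaining is tried; the ground forward chaining rule applied whenever a hypothesis is added; a HISTORY of productive steps; and a DETAIL report naming the first subgoal the machine could not establish. Everything about the encoding is an assumption of the example: formulas are nested tuples such as ('->', ('Open', '?x'), ('Open', ('interior', '?x'))), variables are strings beginning with '?', OR goals, REDUCE, PEEK chaining and PAIRS are omitted, and a backchain depth bound stands in for the paper's time limit.

```python
"""Toy IMPLY-style prover, added as an example (not the Bledsoe/Bruell program). Goals
are SPLIT on the AND structure of the conclusion; atomic subgoals are matched against the
hypotheses by unification, then by backchaining; ground hypotheses forward chain; productive
steps are recorded (HISTORY); a failed proof names the first unproved subgoal (DETAIL).
Assumed: nested-tuple formulas, '?'-prefixed variables, a depth bound for the time limit."""
import itertools
CONNECTIVES = {'and', '->'}
def is_var(t):
    return isinstance(t, str) and t.startswith('?')
def is_atomic(f):  # e.g. ('Open', ('inter', 'A', 'B')); connectives are not atomic
    return not (isinstance(f, tuple) and f[0] in CONNECTIVES)
def is_ground(t):
    return all(is_ground(x) for x in t) if isinstance(t, tuple) else not is_var(t)
def occurs(v, t):
    return t == v or (isinstance(t, tuple) and any(occurs(v, x) for x in t))
def subst(t, s):  # apply the substitution s (dict variable -> term) to t
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return tuple(subst(x, s) for x in t) if isinstance(t, tuple) else t
def unify(a, b, s=None):
    """Most general unifier of a and b extending s, or None if there is none."""
    s = {} if s is None else s
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if occurs(v, t) else {**s, v: t}  # occurs check
    if not (isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b)):
        return None
    for x, y in zip(a, b):
        s = unify(x, y, s) if s is not None else None
    return s

class Proof:
    def __init__(self, depth=4):
        self.depth, self.history, self.failures = depth, [], []
        self._fresh = itertools.count(1)

    def rename(self, f, n=None):  # fresh variables for each use of a hypothesis
        n = next(self._fresh) if n is None else n
        if is_var(f):
            return f'{f}_{n}'
        return tuple(self.rename(x, n) for x in f) if isinstance(f, tuple) else f

    def add_hyp(self, hyps, new, label):
        """Add a hypothesis, then ground forward chain: a ground fact that is an
        instance of the antecedent P of some P -> Q yields that instance of Q."""
        if not is_atomic(new) and new[0] == 'and':  # (H (A B)) becomes (H A B)
            return self.add_hyp(self.add_hyp(hyps, new[1], label), new[2], label)
        hyps = hyps + [new] if new not in hyps else list(hyps)
        for _ in range(3):  # bounded rounds keep e.g. P(x) -> P(f(x)) finite
            rules = [h for h in hyps if not is_atomic(h) and h[0] == '->']
            facts = [h for h in hyps if is_atomic(h) and is_ground(h)]
            fresh = {subst(q, s) for _, p, q in rules for g in facts
                     for s in [unify(p, g)] if s is not None} - set(hyps)
            for d in sorted(fresh, key=repr):
                hyps.append(d)
                self.history.append((label, 'forward', d))
        return hyps

    def imply(self, hyps, goal, label=(1,), s=None, depth=None):
        """Prove hyps -> goal; returns a substitution, or None on FAILURE."""
        s, depth = s or {}, self.depth if depth is None else depth
        goal = subst(goal, s)
        if is_atomic(goal):
            return self.hoa(hyps, goal, label, s, depth)
        op, a, b = goal
        if op == '->':  # the antecedent joins H (forward chaining there); prove the rest
            return self.imply(self.add_hyp(hyps, a, label), b, label, s, depth)
        s1 = self.imply(hyps, a, label + (1,), s, depth)  # SPLIT: (L 1) and (L 2)
        return None if s1 is None else self.imply(hyps, b, label + (2,), s1, depth)

    def hoa(self, hyps, goal, label, s, depth):
        """Use the hypotheses on an atomic subgoal, breadth first: every hypothesis
        is tried by plain matching before any one of them is backchained."""
        for h in hyps:
            if is_atomic(h) and (s1 := unify(h, goal, s)) is not None:
                self.history.append((label, 'match', goal))
                return s1
        rules = [h for h in hyps if not is_atomic(h) and h[0] == '->'] if depth > 0 else []
        fmark = len(self.failures)  # failures inside a later-abandoned attempt are dropped
        for h in rules:
            _, p, q = self.rename(h)
            if (s1 := unify(q, goal, s)) is None:
                continue
            hmark = len(self.history)
            self.history.append((label, 'backchain', goal))
            s2 = self.imply(hyps, p, label + ('H',), s1, depth - 1)
            if s2 is not None:
                del self.failures[fmark:]
                return s2
            del self.history[hmark:]  # HISTORY keeps productive steps only
        self.failures.append((label, goal))  # no hypothesis applies, or depth limit hit
        return None

    def detail(self):  # DETAIL: first unproved subgoal as ('(1 2)', statement), or None
        lab, g = self.failures[0] if self.failures else (None, None)
        return None if lab is None else ('(' + ' '.join(map(str, lab)) + ')', g)
```

With the single hypothesis Open(A) and the goal Open(A) ∧ Closed(A), `Proof().imply(...)` returns None and `detail()` reports the label (1 2) with the statement Closed(A); adding Closed(A) to the hypotheses, as the USE command would, makes the rerun succeed without any other change. The breadth-first point of Section 3 shows up in the history: with both P(x0) and H(x) -> P(x) among the hypotheses, the goal P(x0) is closed by one match and no backchain step is recorded, and with depth 0 (the analogue of an expired time limit) a goal that needs backchaining is reported as a FAILURE at its own label.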
4. Examples.

The examples we have explored are mostly from Kelley's General Topology [13], though in fact any reasonably precise text would do. We have taken examples from various parts of the book. Example 2 is a theorem about paracompactness. The examples tried so far have been about just one topology. This is convenient since it allows fixed symbols T and X for the topology T on the space X. The space X is assumed to be non-empty. The definitions used by the computer are stored (permanently) in its memory.

The theorem labels used in the following examples are also those used by the computer. They help inform the user where he is in the proof. For example, if a goal has theorem label (1 2) and it SPLITS, then the two parts will be labeled (1 2 1) and (1 2 2). If back chaining is used on a theorem labeled L, then the two steps are labeled (LB) and (LH).

The presentation on the scope is always in the "pretty-print" format depicted on page 11. But to conserve space we have here shown our examples in a more compact form, and some lines of the proof are omitted. In this presentation, an "h" at the left indicates a human input, an "Ed" indicates an editorial comment, and an "m" indicates machine output. The m's are omitted in our description after the first few lines of each example. In the examples
Ed: In this writeup we have denoted by G0 the skolem expression G(F'). The machine retains its complete skolem expressions but prints only (G) on the scope for ease of reading.

Ed: Since the new entry [->] in the hypothesis is an implication, and since F' has been given a value, the machine first tries proving O ⊂ F' before proceeding. This is done in (111 H) below. If it succeeds it will then retain the hypothesis
Many of the abilities which are built into this man-machine facility have been developed only after a period of trial and error. In fact the reason for many of these is to provide for more ease in checking out and changing the program. We expect the program to continue to change as it is tried on more and more examples, hopefully evolving into a system which will be useful to the researcher in topology. So far this is not the case; we have handled only well known theorems. Our next step involves work on the system by some practicing topologist. This should help determine whether such a system might have any practical value in the near future.

An interesting point is this: even though the mathematician is able to intervene at any point in the proof, he is nevertheless very annoyed when he has to do so in a trivial way. When, for example, he PUTs the values for F' and G in Example 2, he feels he has done enough and rightfully expects the computer to do the rest. Thus even in a man-machine system, the theorems that the machine alone is required to prove are far from trivial. In fact experience so far shows that they are on a par with the hardest theorems being proved today by automatic theorem provers. Therefore, it is felt that any improvement in machine-alone programs is truly worthwhile to the man-machine effort.

Acknowledgment. Various people both at U.T. and elsewhere have greatly influenced our thinking about automatic theorem proving and interactive systems. We want to especially thank Bill Henneman, Robert Anderson, Dave Luckham, Vesko Marinov, Bill Bennett, Mike Ballentyne, and Howard Ludwig.

This work was supported in part by NSF Grant GJ-32269 and NIH Grant 5801 GM 157-69-05.

References
1. W. W. Bledsoe, R. S. Boyer, and W. H. Henneman, Computer Proofs of Limit Theorems, Artificial Intelligence 3 (1972), 27-60.
2. W. W. Bledsoe, Splitting and Reduction Heuristics in Automatic Theorem Proving, Artificial Intelligence 2 (1971), 55-77.
3. J. R. Guard, F. C. Oglesby, J. H. Bennett, and L. G. Settle, Semi-automated Mathematics, JACM 16 (1969), 49-62.
4. John Allen and David Luckham, An Interactive Theorem-Proving Program, Machine Intelligence 5 (1970), 321-336.
5. G. P. Huet, Experiments with an Interactive Prover for Logic with Equality, Report 1106, Jennings Computing Center, Case Western Reserve University.
6. John McCarthy, Computer Programs for Checking Mathematical Proofs, Proc. Amer. Math. Soc. on Recursive Function Theory, held in New York, April, 1961.
7. Paul W. Abrahams, Machine Verification of Mathematical Proof, Doctoral Dissertation in Mathematics, MIT, May, 1963.
8. W. W. Bledsoe and E. J. Gilbert, Automatic Theorem Proof-Checking in Set Theory: A Preliminary Report, Sandia Corp. Report SC-RR-67-525, July, 1967.
9. Arthur J. Nevins, A Human Oriented Logic for Automatic Theorem Proving, MIT AI Memo No. 268, October, 1972.
10. Raymond Reiter, The Use of Models in Automatic Theorem Proving, Dept. of Computer Science, University of British Columbia, September, 1972.
11. TAURUS, described in Users Manual, Computation Center, University of Texas, Austin.
12. Peter Bruell, A Description of the Functions of The Man-Machine Topology Theorem Prover, (under preparation).
13. John L. Kelley, General Topology, van Nostrand, 1955.
14. James R. Slagle, Automatic Theorem Proving with Built-in Theories Including Equality, Partial Ordering, and Sets, JACM 19 (1972), 120-135.
15. Robert Boyer, Locking: A Restriction on Resolution, Ph.D. Dissertation, Mathematics Dept., University of Texas, Austin, 1971.
16. Dallas S. Lankford, Equality Atom Term Locking, Ph.D. Dissertation, Mathematics Dept., University of Texas, Austin, 1972.
17. George Ernst, The Utility of Independent Subgoals in Theorem Proving, Information and Control 18 (3), 1971.