The Tinker tool for graphical tactic development

A goal type is a predicate over a goal. Each wire of a PSGraph is labelled by a goal type. The simplest goal types are predicates on the goal terms: e.g. the PSGraph of Fig. 1 has a wire with the goal type c(conj), which states that the conclusion of the goal is a conjunction (i.e. of the shape “\(\_ \wedge \_\)”).

The language used to express goal types was introduced in [28]. It combines atomic goal types, which are relations provided by the provers, with a Prolog-based language that combines them. Following Prolog convention, constants start with lower case (e.g. x, y, xs), and goal type variables start with upper case (e.g. X,Y, Xs). Two common constants are concl, which is the goal conclusion, and hyps, the list of hypotheses. Terms used by the prover can also be encoded in the goal types. In addition to goal type variables, there is another notion of variables, which are prefixed by “?” (e.g. ?x, ?y, ?xs). They are treated as constants (or terms) in goal types. We will return to them below.

A goal type is a non-empty list of (possibly negated) relations or defined goal types, written asTo declutter graphs and increase expressiveness, we can introduce new definitions through a goal type schema. It has the formwhere Body is a list of relations. To illustrate, consider the goal types of Fig. 1. Here, c(conj) and c(forall) are defined using c(X):This definition uses the atomic goal typewhich states that symbol S is the top symbol of term T. The \(\textit{can}\_\textit{simp}()\) goal type is defined in terms of the other goal types:Here, the definitions of is_simp_ex() are omitted. Each clause should be seen as a disjunction, meaning the goal type is satisfied if either of them are satisfied. Finally, in order to negate \(c_1(a_{01}, \ldots ,a_{n1})\) one writes \(!c_1(a_{01}, \ldots ,a_{n1}).\) This is illustrated by \(!\textit{can}\_\textit{simp}()\) in Fig. 1. We will see more advanced goal types in Sect. 6.

Figure 2 shows the types of boxes that a PSGraph may contain: an atomic tactic is a box that is labelled by a tactic of the underlying theorem prover or an environment tactic (discussed below); a graph tactic is a box labelled by a named nested graph, which is used to handle modularity; an identity tactic does not change the goal and is used to merge and split wires; a goal node contains an open goal to be proven. This can only be added or changed by tactic application; breakpoints are used to control evaluation, which we return to in Sect. 5.

A goal node in a graph will be labelled by a goal of the proof state. In addition, it contains an environment. The environment is a map from a named variable, which is prefixed by “?”, to a term, another named entity such as a named lemma or a list of them. It is used for communication between tactics, and to express global constraints in the goal types.

An identity box does not change the goal it evaluates. It is used to split and merge the paths a goal can take. Figure 1 illustrates both these features, where an identity box is used together with the goal type to send a goal to the correct destination (split) and then to merge the outputs again.

Modularity and scalability are achieved by nesting sub-graphs inside graph tactics. PSGraph keeps track of all named child graphs, and a graph tactic box in a graph is labelled by such a name together with arguments. The arguments have to be variables and are used to ensure local scoping. For example, consider a graph tacticThis will introduce a local scope in the graph nested by h, such that only ?x and ?y will be kept from the environment of a goal node entering this nested graph. On exit, only ?x and ?y will be changed from the environment of the goal that entered the nested graph.

Figure 1 contains two graph tactics, simp_ex and simp_forall. Figure 3 shows the graph nested by simp_ex, which corresponds to the (sub-)tactic:

The individual tactics work as follows: changes paired quantifiers to uncurried versions; removes the quantified variables if they are not used in the body; distribute quantifiers over \(\wedge \); simplifies goals with the one point rule [40] (see Sect. 6). These are attempted in the given order until one of the tactics succeeds. As simp_ex is prefixed by TRY, the tactic will do nothing if all the tactics fail. simp_forall is omitted as its encoding is similar.

In the PSGraph version of this code, shown in Fig. 3, the order does not matter: a goal will be applied to the tactic where the incoming goal type succeeds. These are therefore drawn in parallel. If there are multiple goal types that succeed then all of them are tried. For speed and maintainability, it is important to have as non-deterministic strategies as possible. One thus needs to take care when developing goal types. Note that we ignore the overall TRY tactical as the goal type on the input wire should ensure that a tactic is applicable.

Figure 3 uses the same tactics as the code. From PSGraph’s perspective, these tactics are the atoms, as they becomes “black boxes” that cannot be split further. We therefore call them atomic tactics. A box with an atomic tactic is labelled by the tactic name and optional arguments which we return to below. Figure 1 also contains a single tactic called \(\textit{strip}\_\wedge \); it will break a conjunction into a new goal for each of the conjuncts. As the feedback-loop label shows, this is applied as long as the conclusion is a conjunction (goal type c(conj)). The overall strategy is applied as long as one tactic is applicable, identified by the can_simp() goal type.

The other class of atomic tactics is the environment tactics. These are tactics that only update the environment in a goal node. This is the only way to change an environment. An environment tactic has a name that starts with “ENV_”. To illustrate,will bind variable ?v to t in the environment. Once bound, ?v can be used in a goal type:It can also be used by an atomic tactic. For example,will instantiate a witness with the value of ?v.

To give a formal account of PSGraph, we use a VDM-based mathematical notation [5]. In particular, note that: is the set of all subsets of P; is a sequence of type T, where [] is the empty sequence and adds element x to sequence xs; is the (set of) elements of sequence S; is the domain of relation R; domain subtraction is represented by , while its dual, domain restriction is written .

We do not provide the operational semantics for a goal type (\(PG\vdash g : G\)) as this is given in [28], where the goal type language was introduced.

We use the type Graph to describe an actual graph of a PSGraph, which is an instance of a string diagram [14]. We write \(G[L \hookrightarrow R]\) for the application of the rewrite rule \(L \hookrightarrow R\) to graph G. This will return a set of new graphs. We write \(G_1 \hookrightarrow _R G_2\) for applying a rule in the ruleset R to rewrite \(G_1\) into \(G_2\). Rewriting is achieved by matching L with the graphs we are rewriting. Then this matching sub-graph is removed from the graph and replaced by R.

We use two combinators to compose graphs:

\(\textit{THEN}_G\) is only defined when all outputs/inputs of \(G_1\)/ \(G_2\) are connected.

Horizontal composition is a result of putting the two graphs next to each other:

Details of the semantics underpinning both the rewriting and composition are beyond the scope of this paper, and we refer to [14] for details.

The evaluation relation \(\Downarrow \) is a relation over two pairs of a “before” PSGraph \(PG{}\) and proof state \(P{}\), and an “after” PSGraph \(PG{}'\) and proof state \(P{}'\):An alternative is to also provide a goal g (which exists in the proof state). This case is achieved by the \(\Downarrow _G\) relation, which is defined in terms of the \(\Downarrow _{G}^{*}\) relation:Figure 6 gives the evaluation semantics. The \(\Downarrow _{G}^{*}\) relation (EvalGraph) evaluates a goal g on a given graph G by first adding the goal to the input (AddInput) and then sets the current field to this graph. It then evaluates the graph until termination (Definition 2) using \(\Downarrow ^{*}\): the reflexive transitive closure of \(\Downarrow \). EvalGoal (\(\Downarrow _{G}^{*}\)) is a simpler version of EvalGraph, which uses the current graph instead of a given graph, and is used to initialise a PSGraph with a goal. It is straightforward to extend the semantics to support multiple input goals as well.

The \(\Downarrow \)-relation has two cases: Rewrite represents the steps handled by rewriting only with the ruleset R, given in Fig. 5. Step relates to a step of an atomic or a graph tactic, as illustrated by the rule schema in Fig. 4. The generation of the left-hand side L of the rewrite is handled by matching with the current graph of the PSGraph. This will produce all possible matches, i.e. all possible goal nodes that can be evaluated. This is denoted by lhs:The right-hand side R is generated by the \(\Downarrow _R\) relation, and the current graph is updated by rewriting L to R. As all goal nodes are unique, it is only one way to apply this rule (see Claim 3).

\(\Downarrow _R\) is captured by Right, and R is generated by first removing the goal g by rewriting and then applying the tactic T(Args) using the \(\Downarrow _{T}\) relation to get the new goals. From the output goal types, a valid goal type partition is created from the output goals:

The set of partitions is empty precisely when there is a goal in L that is not of type \(G_k\) for any k.

These are then horizontally composed and then sequentially composed with the left-hand side (with the input goal removed). Evaluation of an atomic box (Atomic) is achieved (\(\Downarrow _{T}\) relation) by a function eval that executes the function. This has to be provided by the underlying prover. We return to how this is achieved in § 4, when discussing the Tinker tool.

Let Vars be the set of all variables (which are prefixed by “?”). All variables in Args must be found in the environment of the goal. To apply a tactic with eval, the variables are first instantiated by the values in the environment:The tactic is then only given the named goal, and eval returns a set of proof states paired with a set of goal names. Each goal name is turned into a goal node with the same environment as the goal node it was generated from.

Environment tactics are used to change the environments; this class of tactics is represented by the set Env, which in practise is any atomic tactic starting with “ENV_”. These are in most cases theorem prover specific and evaluated by the eval_env function, which will return a set of new environments.

For a graph tactic (Graph), the environment is first constrained to the given arguments; then the child graph is evaluated by \(\Downarrow _{GG}^{*}\). On termination, the output goals of the child are returned, once the environment has been updated as previously discussed. AddInput is used to add an input goal to the graph. It follows the same approach as Right by using the two combinators and the gnds function.

We state four key properties, without proof, which follows directly from the semantics:

Figure 8 shows the Tinker GUI and its layout. Here, a user can draw a graph from the Graph panel by selecting the type of node from the Drawing and evaluation controls panel. Tactics are connected by dragging a line between them. When selecting an entity, the details are displayed in the Information panel, and they can be edited by double clicking¹⁰. It supports all the nodes of Fig. 2, albeit a user cannot draw a goal as this has to be created by the theorem prover.

Tinker allows “boxing” of sub-graphs into hierarchies, by a simple mouse click. Tinker also supports a range of features to work with hierarchies. In the Hierarchical node inspector, users can preview the internal structure of an hierarchical node. In the Hierarchy utilities panel (top right of Fig. 8), the hierarchical path of the current graph under edit is shown, as well as a tree view of the hierarchical structure of a PSGraph. It is also easy to move between and edit hierarchical nodes.

Graphical libraries Reuse of PSGraphs is supported by a library. This feature is provided in the Library panel. The items in the library are PSGraphs and stored in a special purpose folder. A new PSGraph can be added to the library by copying the relevant file to this directory. When importing an item from the library to the current PSGraph, Tinker will copy it to the graph that the user is currently editing and merge all the required information, such as defined tactics and goal types (see below).

Defining new tactics Using the “wrapper” function described in § 4, a label of an atomic tactic is just treated as ML code and executed as a tactic in the CORE. Some tactics can be very long, or, e.g. use higher-order features that one would like to hide. While one can define shorthand notation of these in the prover, we have also developed a tactic editor in the GUI, which is shown in Fig. 8 (centre right ((7)). It expects the syntaxAn atomic tactic box in the graph that is labelled by \(\langle name \rangle \) will then apply \(\langle ML code \rangle \). To illustrate, Isabelle supports higher-order resolution through a tactic called rtac, which in an Isabelle proof script (called Isabelle/Isar [39]) is written as rule. This tactic takes a theorem to resolve with as an argument. In the tactic editor, we can define this as:

Note that: fn is ML syntax for lambda abstraction in Isabelle; Isa_Tinker.Thm is a constructor of the arg_data type mentioned in § 4; while the last argument (fn _) refers to the proof context of Isabelle, which can be ignored for this tactic.

Defining new goal types Tinker requires that a set of atomic goal types are provided by the underlying prover and made available to the CORE. The GUI provides a goal type editor, as shown in Fig. 8 (right), which implements the Prolog-inspired goal type language described in § 2.1. To illustrate, assume that the atomic goal type top_symbol(S,T), discussed in § 2.1, is provided. We can then define c(X) in the editor as:

As is common in Prolog, we write “:-” for “\(\leftarrow \)”, and conj is Isabelle’s ASCII representation of conjunction.

Recording and replaying Tinker provides features to export PSGraphs and record proofs. A PSGraph can be exported to the SVG format. The recording feature can be switched on/off to start/pause the recording of changes made to a graph. These changes could have been made by the user or by the tool during evaluation. Once completed, such recording can be exported to a lightweight web application (written using HTML, CSS and JavaScript) via a generated JSON file. Examples of recordings can be found at [18].

One can think of three modes of applying a PSGraph:In the interactive mode, users can: (1) select which goal to apply; (2) choose between stepping into and stepping over the evaluation of graph tactics; (3) apply and complete the current graph tactic; (4) backtrack to the next branch in the search space; (5) apply and finish the whole proof strategy; (6) insert a breakpoint and evaluate a graph automatically until the breakpoint is reached by a goal. These options are illustrated in Drawing and evaluations controls panel of Fig. 8. The graph displayed there also shows a breakpoint.

Breakpoints A novel feature of Tinker is the support for breakpoints, which can be added/removed from wires by a simple mouse click. This was introduced in [28]. In presence of breakpoints in the debugging mode, we introduce a new definition of termination, with the difference from Definition 2 underlined:

The semantics is updated to handle this mode by removing the rewrite rule for breakpoints from R (see Fig. 5).

In case of failure, the debugging mode can be used to identify and rectify errors that have caused evaluation to fail, and breakpoints are used to support this and act as an interface between the automatic and interactive mode. When debugging a large proof strategy (see [29]), one may have an idea of where the problem is and would like to avoid having to go through all steps until that point is reached. This can be achieved by adding a breakpoint node at the point where one would like to start stepping through the graph. When a graph terminates in debug mode, it stops instead of reporting success/failure. A user can then manually step through evaluation using the GUI features described above. Logging To support debugging, an evaluation log, which shows the details of the current proof status, can be displayed. The log uses tags that can be used to filter the log to tags of interest. Tags include properties about: goals, goal types, tactics, environments (of goals) and failure information. An example of a log is

where ENV_DATA is a tag for the environment of the goal which is currently evaluated. We will see practical use of the logging mechanism in § 6.

The first pattern we address is from a proof discussed in [15] of a heap case study in VDM [20, Chapter 7]. The problem is a limited form of normalising into a disjunctive normal form (DNF), where we would like to turn a goal of the shapeinto the shape:The strategy needs to first distribute the disjunction over a conjunction, then over all the existential quantifiers. Isabelle has two rewrite rules that can be applied to achieve this by rewriting. The first is conj_disj_distribR:It distributes a disjunction over a conjunction. The other is ex_disj_distrib:which distributes a disjunction over an existential.

Figure 9 shows a PSGraph that implements a strategy to achieve this using these two theorems. It applies the Isabelle substitution tactic (subst_tac) in both cases. This tactic takes the rewrite rule to apply as an argument. It first distributes over the conjunction; then it repeatedly distributes over an existential until the disjunction is at the top, identified by the c(disj) goal type; its negation labels the feedback loop to indicate that it should continue. A feature of the strategy (and PSGraph) is that it is explicit about the termination condition of the loop. The most interesting thing is to identify when this strategy is applicable, represented by the \(need\_move\_disj\_up()\) goal type of the input wire:Here, \(into\_all\_ex(X,Y)\) steps over all the existential binders of term X so that Y will have the body of the last binder; in our case it will be \((?A \vee ?B) \wedge ?C\). This uses the atomic goal type \(into\_ex(X,Z)\) which takes a single step over an existential quantifier. It will fail if there is not an existential quantifier, which is the termination case for \(into\_all\_ex(X,Y)\). It uses recursion and two atomic goal types to achieve this:This simple, yet common, proof strategy illustrates how to directly and intuitively represent a high-level proof pattern in PSGraph; in this case, a strategy which automates some standard proof steps, in order to “get to the meat of the proof”. The strategy can easily be generalised, but for simplicity, the proof strategy has been tailored for a particular problem.

Here, we develop a proof strategy for instantiating existentially bound variables through a technique known as the one point rule[15, 40].

We will illustrate this through a type of proof obligation that is common in methods such as VDM [5, 20] and Z [40] called feasibility. This is used to show that operations can be executed, through the existence of a resulting “after” state. We will illustrate this with a feasibility proof obligations in Z for a case study of a telephone exchange system used in [27]:Note that R[X] is the image of R over the set X. The details are not important to follow the discussion; the key observation is that it starts with existential quantifiers and the bound variables appears alone in one side of an equality. For example, for \(callee'\) it is , meaning that we should, according to the one point rule, instantiate \(callee'\) to .

Version 0: debugging with Tinker The one point rule should first find the witness in the body of the quantifier and then instantiate the quantified variable with this witness. However, the quantifier in question may be prefixed by other existential variables (e.g. call’ is prefixed by callee’ in the above example). The overall proof strategy must therefore also be able to swap binders:Figure 10 shows an implementation of this technique in PSGraph. It has several new goal types:The proof strategy first finds the term of the conclusion to be used as a witness ?k by ENV_one_point_match. It then moves it to the top unless it is already at the top by move_up, before the witness is instantiated by rule_tac(exI,?k).

The move_up(?k) graph tactic takes a single argument ?k, which means that the environment of a goal entering or leaving this box will only contain ?k. It has two new environment tactics:The move_up graph tactic will first figure out the number of binders preceding the given binder ?k and bind this to ?n. It will then swap two existentials using the ex_comm rewrite rule:There are three possible outcomes from applying this rewrite rule, where two are wanted. The first wanted outcome is that the binder is now on top. The goal will then exit the graph tactic and then apply the \(rule(exI,?k) \) tactic. The second wanted case is that we have successfully moved the binder one step up but we are not at the top. This is achieved by the reduced(?k,?n) goal type, whose schema is defined asThe first literal states that X (?k) is not at the top of concl; we then find the (new) depth D of X (?k) and make sure it is reduced compared with the old depth N (?n)¹¹. The unwanted step is that we have either swapped two other binders or that we have swapped this binder the wrong way. This will not make any progress to the proof and is therefore discarded (as there is no output wire with a satisfying goal type).

When executing this strategy for our example, the proof strategy fails. We then use the interactive mode of Tinker and step through the proof to find the problem¹². In this case it first finds the witness for callee’, and binds ?k to . As \(callee'\) is at the top-level it will enter the rule_tac(exI,?k) box and fail. We can then inspect the Tinker logger, which prints:

From this we can see that the problem is to apply the underlying (atomic) tactic, given the argument for ?k. The problem is indeed the argument: ?k is bound to but \(call'\) itself is a bound variable with the binder missing (known as a “dangling variable”).

A correct one point rule To overcome this type of problems we update the strategy as shown in Fig. 11. The goal type \(has\_bound(X)\) checks if X contains any bound variables. If it does, then it enters the new sub-graph. There the first environment tactic, ENV_bound_var(?k, ?l), will bind ?l to the bound variable within ?k. For our example this is \(call'\). The second environment tactic, \(ENV\_bound\_one\_point\_match(concl,?k,?l)\), works in a similar way to ENV_one_point_match. It will find the term that ?l equals (using the “one point rule match”) and map ?k to this term. In our case, ?k will be mapped to as a result. As ?k may contain another bound variable this process will iterate¹³. In our case it will only make a single iteration and the variable will be instantiated. After two applications of the overall strategy, the conclusion of the goal becomes:

The last two conjuncts of the conclusion follow from reflexivity, which gives the goal:One can see that the conclusion is the same as one of the hypotheses, but with additional “stuff”. Formally, there is an embedding of this hypothesis into the conclusion [10]. A standard strategy for this type of goal is to rewrite the conclusion towards this hypothesis. This strategy is called rippling [10]. The second author’s Ph.D. thesis addressed rippling for similar types of proof obligations [27].

Figure 12 shows such an encoding of rippling in PSGraph. It is based upon [27] and extended with a limited form of a technique called piecewise fertilisation [3] (graph tactic pwf_forall_conj).

The hyp_embeds goal type expresses the “embedding” property and is a requirement to start rippling:Next, ENV_bind binds the conclusion to variable ?g. This box has three output wires. One of them is labelled by can_ripple(?g), which means rippling can be started:Note that we assume the existence of a set of valid rewrite rules, which are called wave rules in rippling. has_wrules(X) is an atomic goal type which checks that there is an applicable wave rule to apply to X. The second clause, \(!hyp\_bck\_res()\), checks that backward resolution with a hypothesis is not applicable. A key feature of rippling is that it guarantees termination. This is achieved by the measure_reduces(?g) goal type, which ensures that the current conclusion has reduced this measure compared with ?g (the conclusion before the step was made). We refer to [10] for more details of this measure. Any non-rippling goal (\(!hyp\_embeds()\)) is sent to Isabelle’s powerful sledgehammer tool [36]. After a few ripple steps, our goal becomes:Logical connectives and quantifiers are handled by the piecewise fertilisation graph tactic pwf_forall_conj. It will skolemise the universal quantifiers in the goal and instantiate the quantifiers in the hypothesis with the newly introduced skolem functions (intro_elim_forall graph tactic). It then breaks up the conjunction in the conclusion. This is the second output wire of ENV_bind and identified by the c(forall) goal type. This property holds for our goal. Piecewise fertilisation will generate two goals, where for the first there is no embedding and it sent to sledgehammer that discharges it. The second goal is:The third and final output of ENV_bind is labelled by the goal type:This means that the goal is fully rippled. The goal then enters the final step of rippling, which is called fertilisation. This is encoded in the fertilisation graph tactic of Fig. 12. Here, the hypothesis that was embedded in the conclusion is applied, and there are two cases. The first case, identified by the \(hyp\_bck\_res()\) goal type, is called strong fertilisation and applies the hypothesis as backward resolution. The other case, identified by the \(hyp\_subst()\) goal type, is called weak fertilisation and will rewrite the conclusion with the hypothesis. The strong_fert and weak_fert atomic tactics are minor extensions to Isabelle’s backward resolution and substitution tactics, respectively. These extensions ensure that the correct hypothesis is applied.

In our case, strong fertilisation will discharge the goal. This concludes rippling and illustrates how to represent a complex and well-known proof technique in PSGraph. We believe that the graphical view helps in explaining how this technique works.