Proof Automation in the Theory of Finite Sets and Finite Set Relation Algebra
aa r X i v : . [ c s . L O ] J a n Proof Automation in the Theory ofFinite Sets and Finite Set RelationAlgebra
Maximiliano Cristi´a , Ricardo D. Katz and GianfrancoRossi Universidad Nacional de Rosario and CIFASIS, Argentina CIFASIS-CONICET, Argentina Universit`a di Parma, ItalyEmail: [email protected], [email protected], [email protected] { log } (‘setlog’) is a satisfiability solver for formulas of the theory of finite setsand finite set relation algebra ( FS&RA ). As such, it can be used as an automatedtheorem prover (ATP) for this theory. { log } is able to automatically prove anumber of FS&RA theorems, but not all of them. Nevertheless, we have observedthat many theorems that { log } cannot automatically prove can be divided into afew subgoals automatically dischargeable by { log } . The purpose of this work is topresent a prototype interactive theorem prover (ITP), called { log } -ITP, providingevidence that a proper integration of { log } into world-class ITP’s can deliver agreat deal of proof automation concerning FS&RA . An empirical evaluation basedon 210 theorems from the TPTP and Coq’s SSReflect libraries shows a noticeablereduction in the size and complexity of the proofs with respect to Coq.
Keywords: { log } ; Set theory; Automated proofs; Constraint logic programming
1. INTRODUCTION
Interactive theorem proving (ITP) [1] is increasinglyused in the formalization and proof of results ofmathematics and logic, and also a widely used approachto formal verification of hardware and software. ITP’ssuch as Coq [2], Isabelle/HOL [3] and HOL Light [4]vary in the level of expressivity and automation, buttypically support rich specification languages includinghigher-order logic or dependent type theory. Sinceinteractive theorem proving is labor intensive, thuscostly and limited, much research has been devoted tothe development of automated reasoning.SMT solvers [5] implement decision procedures forthe satisfiability problem of formulas of specific theories.Since they have significantly improved their power inthe last decades, it has become increasingly commonfor ITP’s the use of SMT solvers as efficient automatedtheorem provers (ATP) for the corresponding theories.As a consequence, users of mainstream ITP’s can callATP’s [6, 7] and SMT solvers [8, 9] to automaticallyadvance their proofs. These ad-ons exploit the ideaof mixing interactive and automated proof steps. Ourproposal fits in this line of work as we propose tointegrate { log } as a special purpose ATP into ITP’s. { log } is a satisfiability solver accepting an inputlanguage at least as expressive as the class of full setrelation algebras on finite sets ( FS&RA ) [10].
FS&RA essentially corresponds to the first-order fragment offormal notations such as Alloy [11], B [12] and Z [13]restricted to finite sets. In consequence, this inputlanguage can be used as a specification language fora large class of software systems and { log } as a tool toreason about them. { log } can automatically prove
97% of the theoremson Boolean algebra (BOO), relation algebra (REL) andset theory (SET) gathered in the TPTP library [14]that can be expressed in its input language (in .3 seach in average), see [15]. Since the equational theoryof
FS&RA is undecidable [16], { log } cannot decide thesatisfiability of all the formulas it accepts. Moreover, { log } can take too long to decide the satisfiability ofsome formulas. For example, it takes a long time toprove the following result: f ∈ A → B ∧ ran f = B ∧ g ∈ B → C ∧ h ∈ B → C ∧ f ◦ g = f ◦ h = ⇒ g = h (T1)where A , B and C denote any finite sets, A → B denotes the set of all (finite) functions from A to B (in this context a function is a binary relation where notwo ordered pairs have the same first component) andran f is the range of f . Nevertheless, since g = h ⇐⇒ By an abuse of language, from now on we will say that { log } can or cannot prove a theorem to mean that it can decide or notthe satisfiability of its negation (see Remark 2 below). The Computer Journal , Vol. ??, No. ??, ????
Cristi´a, Katz and Rossi g ⊆ h ∧ h ⊆ g , the proof of (T1) can be reduced to theproofs of the following two implications, on which { log } spends a few seconds: f ∈ ⋆ → ⋆ ∧ ran f = B ∧ g ∈ B → ⋆ ∧ h ∈ ⋆ → ⋆ ∧ f ◦ g = f ◦ h = ⇒ g ⊆ hf ∈ ⋆ → ⋆ ∧ ran f = B ∧ g ∈ ⋆ → ⋆ ∧ h ∈ B → ⋆ ∧ f ◦ g = f ◦ h = ⇒ h ⊆ g Here ⋆ means that the corresponding hypotheses can bedropped (for example, f ∈ ⋆ → ⋆ says that it does notmatter what the domain and range of f are). Thus,by dividing the proof of (T1) into subgoals and by dropping the appropriate hypotheses in each, { log } canautomatically do the rest.We have noticed that in practice the approachabove succeeds on proving many results that { log } cannot automatically prove. As a consequence, in thispaper we present { log } -ITP, a prototype interactivetheorem prover where users can enter any { log } formula and interactively prove it. More precisely, in { log } -ITP users can divide the proof into subgoals,drop hypotheses and call { log } to perform the actualmathematical steps. This follows the way other tools,such as Atelier B [17] and the Coq’s why3 [18] tactic,work. We point out that { log } -ITP is just a vehicleto provide evidence that a proper integration of { log } ’srewriting system into world-class ITP’s can deliver agreat deal of proof automation concerning FS&RA .In order to validate our proposal in practice weperform a number of proofs with { log } -ITP and Coq.On these theorems { log } either does not terminate ortakes a very long time to do it. This comparison showspromising results as Coq proofs are harder and longerthan { log } -ITP’s (see Section 4 for details).As SMT solvers, { log } generates a solution whenit determines that a formula is satisfiable. Indeed, { log } provides a finite representation of all the (possiblyinfinitely many) solutions [10]. In the context ofintegrating { log } into an ITP, this means that if { log } is called to advance a proof but it happens that the goalis not provable from the premises, a counterexample isgenerated. This counterexample might help the userto adjust the theorem or the theory which contains it.QuickChick has been proposed as a tool to decrease thenumber of failed proof attempts in Coq by generatingcounterexamples before a proof is attempted [19]. Thistool relies on a random counterexample generator.Although { log } counterexamples are generated in adeductive fashion, it is also more limited as it worksonly for a specific theory.Let us finally mention that traditional ATP’s suchas E prover [20] and Vampire [21] can automate proofsof FS&RA . Since they can efficiently solve many FOLproblems, they work by encoding set theory in (mostoften) untyped first-order logic. One of the simplestencodings applies extensionality and rewrites away alldefinitions, thus arriving at formulas based on set membership. However, these encodings must deal withtyping information when sets do not have the same setsupport. The easiest way to deal with this issue is toomit all type information, but this approach is unsound.Another way to deal with types is to annotate termswith type tags or guards. This considerably increasesthe size of the problems passed to generic ATP, witha dramatic impact on their performance [22, 23].Another approach to proof automation in set theoryis to use polymorphic provers. Our work follows thisapproach as { log } can be seen as a specialized proverfor polymorphic set theory. The empirical assessmentpresented in this paper confirms the results reported byother polymorphic provers [23, 24, 25, 26, 27].This paper is structured as follows. The logiclanguage supported by { log } and some of its mainfeatures are presented in Section 2. Section 3 describes { log } -ITP which is empirically evaluated in Section 4.We give our final conclusions in Section 5. { LOG } : A SATISFIABILITY SOLVERFOR FINITE SETS AND RELATIONS In this section we provide a brief, informal introductionto the { log } system [29]. A formal presentation of { log } ’s language can be found in Appendix A; deeperpresentations can be found elsewhere [10, 15, 28]. { log } language { log } [29] is a satisfiability solver implemented in Prologwhose input language is denoted L BR . This is a multi-sorted first-order predicate language with two distinctsorts: the sort Set of all the terms which denote sets(including binary relations) and the sort O of all theother terms. Thus, we do not introduce distinct sortsfor sets and binary relations. Binary relations are justsets of ordered pairs. This allows sets and relationsto be freely mixed; in particular all set operators aredirectly applicable to binary relations. Note . Let R and S be binary relations, and A a set. Then, we definefollowing relational operators: relational composition, R ◦ S = { ( x, z ) | ∃ y (( x, y ) ∈ R ∧ ( y, z ) ∈ S ) } ; converse(or inverse) of R , R ` = { ( y, x ) | ( x, y ) ∈ R } ; theidentity relation on A , id A = { ( x, x ) | x ∈ A } ;domain of R , dom R = { x | ∃ y (( x, y ) ∈ R ) } ; rangeof R , ran R = dom R ` ; domain restriction of R on A , A ⊳ R = id( A ) ◦ R ; range restriction of R on A , R ⊲ A = R ◦ id( A ); domain anti-restriction of R on A , A − ⊳ R = R \ ( A ⊳ R ); range anti-restriction of R on A , R − ⊲ A = R \ ( R ⊲ A ); relational image of A through R , R [ A ] = ran( A ⊳ R ); and relational overriding of R by S , R ⊕ S = (dom S − ⊳ R ) ∪ S . A binary relation isa (partial) function if no two of its ordered pairs havethe same first component. Given that functions are justbinary relations, all relational operators can be appliedto functions. The Computer Journal , Vol. ??, No. ??, ???? roof Automation in the Theory of Finite Sets and Finite Set Relation Algebra L BR set operators are encoded as constraintsover the domain of finite hybrid sets. For example: un ( A, B, C ) is a constraint interpreted as C = A ∪ B . { log } implements a wide range of set and relationaloperators (cf. Note 2). For instance, ∈ is a constraintinterpreted as set membership; = is set equality; dom ( R, D ) corresponds to dom R = D ; A ⊆ B corresponds to the subset relation; comp ( R, S, T ) isinterpreted as T = R ◦ S ; and apply ( F, X, Y ) isequivalent to pfun ( F ) ∧ [ X, Y ] ∈ F , where pfun ( F )constrains F to be a (partial) function. Formulasin { log } are conjunctions ( ∧ ) and disjunctions ( ∨ ) ofconstraints. Negation is introduced by means of so-called negated constraints . For example nun ( A, B, C )is interpreted as C = A ∪ B and / ∈ as the negation of / ∈ . In general, if π is a constraint, nπ corresponds toits negated form. For formulas to fit inside the decisionprocedures implemented in { log } , users must only usethis form of negation.In turn, terms can be either uninterpreted Herbrandterms (as in Prolog) or set terms, i.e., terms with thefollowing form and interpretation: ∅ to denote theempty set; { x ⊔ A } , called extensional set , which isinterpreted as { x } ∪ A , where A is a set term; and A × B to represent the Cartesian product between thesets denoted by set terms A and B .In { log } sets are always finite and untyped and theyare allowed as set elements (i.e., sets can be nested).As the second argument of an extensional set can be avariable, sets in { log } can be unbounded. Note . L BR turns out to be at least as expressive as the classof full set relation algebras on finite sets . A full setrelation algebra [16] over a base set A , denoted R ( A ),is the relation algebra where relations are subsets of A × A . A mapping from formulas of a R ( A ) with A finite to L BR formulas can be easily defined [10]. Theclass of full set relation algebras on finite sets is theclass of relation algebras R ( A ) where A is a finite set.Further, L BR allows for the definition of the class offull set heterogeneous relation algebras on finite sets.An heterogeneous relation algebra deals with relationsbetween two arbitrary sets A and B , i.e. with subsetsof A × B [33]. We use the acronym FS&RA to denotesuch a class, for any A and B finite.The class of full set heterogeneous relation algebrasroughly corresponds to the first-order fragment offormal notations such as Alloy [11], B [12] and Z[13]. A large class of programs can be specified withinthis fragment. The limitation of L BR to finite setsis not so severe as many programs operate only onfinite data structures. Therefore, L BR can be used asa specification language for a large class of softwaresystems and { log } as a tool to reason about them[31, 34, 35, 30, 32]. L BR { log } implements a rewriting system for L BR formulas,called SAT BR , whose global organization is shown inAlgorithm 1. Basically, SAT BR uses two procedures: sort infer and STEP . Algorithm 1
The solver
SAT BR . Φ is the inputformula.Φ ← sort infer (Φ); repeat Φ ′ ← Φ;Φ ← STEP (Φ) until
Φ = Φ ′ ; return Φ L BR does not provide variable declarations. For thisreason, sort infer (Φ) automatically adds either a set or a rel constraint for each variable X in Φ which isrequired to represent, respectively, either a set or abinary relation according to the intended interpretationof the terms or constraints where X occurs. STEP applies specialized rewriting procedures tothe current formula Φ and returns either false or amodified formula. Each rewriting procedure applies afew non-deterministic rewrite rules which reduce thesyntactic complexity of L BR constraints of one kind.The execution of STEP is iterated until a fixpoint isreached, i.e., the formula is irreducible.
STEP returns false whenever (at least) one of the procedures in itrewrites Φ to false .The rewriting procedures implemented in { log } canbe divided into two classes: those for set constraintsand those for relational constraints. The former wereintroduced in [36] and extensively discussed from thenon. They constitute the base for a decision procedurefor finite sets based on set unification and set constraintsolving. The latter were introduced more recently[10, 15]. Roughly, there are 50 rewriting proceduresadding up 175 rewrite rules.Here we just show some of the most representativerewrite rules in Figure 1 (the reader can find acomprehensive list online [37]). Note that these rulesare recursive. Rule (1) finds all possible solutions forthe equality between two non-empty extensional sets.The second and third disjuncts take care of duplicatesin the right- and left-hand side terms, respectively, whilethe last disjunct takes care of permutativity of the setconstructor {· ⊔ ·} . Specifically, the last disjunct can beread as ‘ y must belong to A , x must belong to B andthere exists a set N containing the remaining elementsof both A and B ’. In turn, rule (2) finds all possiblesolutions of a set union operation when the result is anon-empty extensional set, where N , N and N arenew variables (implicitly existentially quantified). Notethat set unification is used to avoid possible repetitionsof t in C . Also observe that the disjunction capturesthe three possible solutions: t belongs to A , t belongs The Computer Journal , Vol. ??, No. ??, ????
Cristi´a, Katz and Rossi { x ⊔ A } = { y ⊔ B } → x = y ∧ A = B ∨ x = y ∧ { x ⊔ A } = B ∨ x = y ∧ A = { y ⊔ B }∨ A = { y ⊔ N } ∧ { x ⊔ N } = B (1) un ( A, B, { t ⊔ C } ) →{ t ⊔ C } = { t ⊔ N } ∧ t / ∈ N ∧ ( A = { t ⊔ N } ∧ un ( N , B, N ) ∨ B = { t ⊔ N } ∧ un ( A, N , N ) ∨ A = { t ⊔ N }∧ B = { t ⊔ N } ∧ un ( N , N , N )) (2) inv ( R, { ( y, x ) ⊔ S } ) → R = { ( x, y ) ⊔ N } ∧ inv ( N, S ) (3)
FIGURE 1.
Representative rewriting rules to B and t belongs to A and B . Finally, rule (3)finds the binary relation whose converse is a non-emptyextensional relation in a very simple way.The rewriting system implemented by { log } has beenproved to be a semi-decision procedure [10]. Moreprecisely, it has been proved that: a) when Algorithm 1terminates, the returned formula preserves the setof solutions of the input formula; b) the returnedformula is false if and only if the input formula isunsatisfiable; and c) if the returned formula is not false it is trivial to calculate one of its solutions (basicallyby substituting all set variables by the empty set). Inthis context, a ‘solution’ is an assignment of valuesto all the free variables of the formula. Furthermore,when { log } terminates, it has the ability to producea finite representation of all the (possibly infinitelymany) solutions of the input formula, in the form ofa finite disjunction of L BR formulas. In other words,whenever { log } terminates, it either produces a proofof unsatisfiability or a finite representation of all thesolutions. { log } Users interact with { log } by simply entering a formula;there are no user commands. If the formula isunsatisfiable { log } will simply return false and if it issatisfiable it will return a finite representation of all itssolutions. Example . For example, the following is asatisfiable formula (note that binary relations can befreely combined with extensional sets, and set operatorscan take relations as arguments): un ( A, B, { (1 , , ( h, ⊔ C × D } ) ∧ id ( E, A ) ∧ inv ( B, B ) ∧ / ∈ E (4) The relevant part of a solution returned by { log } is: A = { (3 , ⊔ N } , B = { (1 , ⊔ N } ,h = 3 , E = { ⊔ N } Constraint: / ∈ C, un ( N , N , C × D ) , id ( N , N ) ,inv ( N , N ) , . . . where N i are fresh variables. That is, each solutionis composed of a (possibly empty) conjunction ofequalities between variables and terms and a (possiblyempty) conjunction of constraints. The conjunction ofconstraints is guaranteed to be trivially satisfiable.In this context, { log } can be used as a set-based,constraint-based programming language. Users cangive values to what they consider to be input variablesin the formula and { log } will return values for theremaining variables. For instance, if (4) is thought asa program where A and B are inputs and the userenters (4) conjoined with A = { (2 , , (3 , } ∧ B = { (1 , , (1 , , (2 , } , the answer will be h = 3 , C = D = { , } , E = { , } . In { log } , formulas are programs .Given that { log } is a satisfiability solver we can useit also as an automated theorem prover. To provethat formula Φ is a theorem, { log } has to be calledon ¬ Φ waiting an false answer, meaning that ¬ Φ isunsatisfiable (and thus Φ is a theorem).
Example . We can prove that set intersection iscommutative by asking { log } to prove the followingformula is unsatisfiable: inters ( A, B, C ) ∧ inters ( B, A, D ) ∧ C = D As there are no finite sets satisfying this formula, { log } returns false . The formula can also be written as: inters ( A, B, C ) ∧ ninters ( B, A, C )All these properties along with programming facilitiesnot discussed in this paper [29], make { log } a versatileverification tool [31, 34, 35, 30, 32].
3. AUTOMATING COMPLEX
FS&RA
PROOFS
As we have pointed out, { log } may not terminate ormay take a very long time when it is used to provesome theorems of FS&RA . However, we have observedthat in practice the proofs of many of such theoremscan be divided into a few subgoals each of which canbe automatically and quickly discharged by { log } . Infact, these proofs follow a recurring pattern: divide theproof by introducing some assumptions, drop zero ormore hypotheses in each subgoal and call { log } to do thehard, annoying mathematical work. This would implythat complex theorems of FS&RA can be easily provedby calling { log } at the right points.In order to provide evidence of these observations, wehave developed a proof-of-concept ITP on top of { log } The Computer Journal , Vol. ??, No. ??, ???? roof Automation in the Theory of Finite Sets and Finite Set Relation Algebra { log } -ITP. This is a freely available +500LOC Prolog program [38] that allows users to declarea { log } formula as a theorem and attempt to prove itinteractively through some proof commands. First, wewill show a typical proof using { log } -ITP, and then wewill give technical details about the proof system. Remark . It is important to bear inmind that { log } -ITP is intended to be an ITP only fortheorems of FS&RA and only to empirically validateour proposal. This means that it cannot be comparedin no way with general-purpose ITP’s such as Coq orIsabelle/HOL. (T1) is declared as a { log } -ITP theorem with the theorem command: theorem ( T1 , pfun ( f ) ∧ f ⊆ A × B ∧ dom ( f, A ) ∧ ran ( f, B ) ∧ pfun ( g ) ∧ g ⊆ B × C ∧ dom ( g, B ) ∧ pfun ( h ) ∧ h ⊆ B × C ∧ dom ( h, B ) ∧ comp ( f, g, N ) ∧ comp ( f, h, N ) ,g = h )where the first parameter is just a name for the theorem,the second one is a (possibly empty) conjunction ofhypotheses and the third one is the thesis, both enteredas { log } formulas. Note that f ∈ A → B is encodedin { log } as pfun ( f ) ∧ f ⊆ A × B ∧ dom ( f, A ) and that f ◦ g = f ◦ h is encoded as two comp constraints yieldingthe same result ( N ).As we have said, an automated proof of (T1) wouldtake a long time. However, the interactive proof shownin Figure 2 takes only a few seconds of computing time.There, Γ represents the hypotheses of (T1). The proofstarts with the rewrite command which splits the proofinto the two subgoals shown in Figure 2. Attemptingto use { log } to prove these subgoals by means of thecommand prove would consume as much time as theproof of the initial goal because they are essentially thesame. As the proof of these two subgoals is symmetric,we will explain in detail only the first one. In this casethe user can use the following drop command, whichexpects a list of { log } constraints: drop ([ f ⊆ A × B, dom ( f, A ) ,g ⊆ B × C, h ⊆ B × C, dom ( h, B )]) (5)These constraints are expected to be part of Γ inwhich case they are removed from it, thus yielding thefollowing hypotheses: pfun ( f ) ∧ ran ( f, B ) ∧ pfun ( g ) ∧ dom ( g, B ) ∧ pfun ( h ) ∧ comp ( f, g, N ) ∧ comp ( f, h, N )called Γ in Figure 2. Now, prove discharges the currentsubgoal in a few seconds. Since in this case { log } succeeds in proving the goal, the system shows to theuser the remaining subgoal. A similar course of actionis taken to discharge the remaining subgoal, where adifferent list of constraints is passed in to the drop command.In Section 3.3 we discuss some aspects of this proofand present the complete proof script in (6). In this section we present in detail the main proofcommands of { log } -ITP (see Figure 3). Some of themare direct implementations of well-known inference ruleswhile others implement a few such rules in a single proofstep. Remark { log } ) . As we alreadysaid, as { log } is a satisfiability solver, it can be usedas an ATP. Indeed, if { log } finds that formula ϕ isunsatisfiable in FS&RA , then ¬ ϕ is a theorem (in FS&RA ). Thus, when { log } is used as a back-endsystem for an ITP, formulas must be negated beforesending them from the ITP to { log } . However, withthe intention to simplify the presentation, we are notgoing to mention this negation process in the remainingof the paper. This implies that, for example, whenin the command called prove (Figure 3) we say thatΓ = ⇒ ∆ is sent to { log } it actually means that itsnegation Γ ∧ ¬ ∆ is sent to it.Concerning Figure 3, the assume command can beseen as the implementation of a special case of theCut rule; cases corresponds to conjunction introduction;and drop is a specialized version of the Weakening rulewhere the antecedent is weakened in order to deliver to { log } exactly the necessary hypotheses that yield theconsequent. define waits for a constraint π ∈ { un , inv , id , comp } .The last argument of π is expected to be a new variableand all the others must be variables in the current scope(of the proper sort). For instance, if in the currentscope R is a binary relation then the user can issue define ( inv ( R, S )), where S is a new variable, in whichcase inv ( R, S ) is added as a new hypothesis. Thisis sound because what we are doing is no more thanasserting that the converse of R is called S . Nowthe user can make assumptions on S . For example, assume ( pfun ( S )), which means that S (i.e., the converseof R ) is a function. Without such a command it wouldbe impossible to consider assumptions on expressionsassembled from variables in the current scope, as in { log } -ITP set and relational operations are representedas predicates.The prove command simply calls { log } on the currentsubgoal. In this case, there are three possible behaviors: a ) { log } answers that the current subgoal is indeedvalid and so it is proved and the next one (if any) isshown to the user; b ) { log } answers that there is acounterexample (for instance if too many hypotheses The Computer Journal , Vol. ??, No. ??, ????
Cristi´a, Katz and Rossi rewrite drop prove { log } Γ ⊢ g ⊆ h Γ ⊢ g ⊆ h drop prove { log } Γ ⊢ g ⊆ h Γ ⊢ h ⊆ g Γ ⊢ g = h FIGURE 2. { log } -ITP proof of theorem T1 or (T1) assume ( ϕ ) Γ , ϕ ⊢ ∆ Γ ⊢ ϕ Γ ⊢ ∆ cases Γ ⊢ ϕ, ∆ Γ ⊢ ξ, ∆Γ ⊢ ϕ ∧ ξ, ∆ drop ( ϕ ) Γ ⊢ ∆Γ , ϕ ⊢ ∆ define ( π ) Γ , π ( . . . , n ) ⊢ ∆Γ ⊢ ∆ prove setlog (Γ = ⇒ ∆)Γ ⊢ ∆ rewrite Γ , ( v = t )[ n/x ] ⊢ ϕ [ n/x ]Γ ⊢ ( v = t = ⇒ ϕ )[ n/x ]Γ ⊢ ∀ x : v = t = ⇒ ϕ Γ , ( w = u )[ n/x ] ⊢ ξ [ n/x ]Γ ⊢ ( w = u = ⇒ ξ )[ n/x ]Γ ⊢ ∀ x : w = u = ⇒ ξ Γ ⊢ ( ∀ x : v = t = ⇒ ϕ ) ∧ ( ∀ x : w = u = ⇒ ξ )Γ ⊢ π ( v, w ) FIGURE 3.
Main { log } -ITP proof commands as inference rules have been dropped) in which case a proper errormessage is printed; and c ) { log } takes too long and theuser decides to interrupt the command. In b and c theproof is unchanged. In b users can execute command counterex to get a counterexample witnessing why thegoal failed (recall the discussion on the generation ofcounterexamples in the introduction). rewrite calls { log } to rewrite the thesis; that is { log } is called to apply a rewrite rule to the thesis (eg. one ofthe rules of Figure 1) thus generating one or more newgoals to prove—this last case occurs when the rewriterule is nondeterministic. The thesis is assumed to bea single constraint. Each of these new goals should besimpler to prove than the orginal one. For each new goalgenerated by the rewrite rule, rewrite performs threeproof steps in one (see Figure 3):1. It applies conjunction introduction to the goal. Ifthe subgoal is a conjunction of constraints, thenthe user will prove one after the other.2. It applies universal introduction on each subgoalgenerated in step 1. As the new goal will ingeneral be a universally quantified formula, thesequantified variables are ‘introduced’.3. It applies conditional introduction on each subgoalgenerated in step 1. As in the previous step, thenew goal will in general be a conditional and sohypotheses are ‘introduced’ as well.For example, if Γ ⊢ pfun ( f ) is the current goal, the neteffect of rewrite is shown in Figure 4, where x , y , z , v and N are new variables. If, for instance, { log } doesnot terminate on Γ ⊢ pfun ( f ), after rewrite the user hastwo simpler goals to prove. In particular, the one onthe right most often can be automatically and quicklydischarged with prove . In Figure 4 rewrite produces those two subgoals because in L BR we have: pfun ( f ) ⇔ ( ∀ v : v ∈ f ⇒ pair ( v )) ∧ ( ∀ x, y, z : ( x, y ) ∈ f ∧ ( x, z ) ∈ f ⇒ y = z )where v ∈ f is equivalent to f = { v ⊔ N } for some newvariable N , which yields the equalities seen in Figure 4.Then, when conjunction, universal quantification andimplication are introduced as in Figure 3, we get theresult shown in Figure 4.Actually, the inference rule given for rewrite inFigure 3 is a simplification of the real rule. Herewe assume that the current thesis is a constraint π depending on two variables ( v and w ), whichwhen rewritten by { log } delivers a conjunction of twouniversal formulas (in the real case it can be any numberof them). These formulas have all the same form equalities = ⇒ predicate , where equalities is a (possiblyempty) conjunction of equalities of the form var = term where var is one of the variables on which π depends on;and predicate is a (possibly empty) conjunction of L BR constraints. In Figure 3 we assume that the equalities in each conjunct have exactly one equality.It is important to remark that { log } -ITP does notneed a command, for instance, to perform equalitysubstitution because this is performed by { log } when prove is executed. In effect, if prove is issued, forexample, on Γ , f = { v ⊔ N } ⊢ pair ( v ), then { log } willsubstitute f by { v ⊔ N } in Γ. As can be seen in Figure 3, many { log } -ITP’s proofcommands correspond to standard inference rulespresent in ITP’s. Then, they can be easily replacedby the proof commands present in a particular ITP.As concerns proof automation, the drop command The Computer Journal , Vol. ??, No. ??, ???? roof Automation in the Theory of Finite Sets and Finite Set Relation Algebra , f = { ( x, y ) , ( x, z ) ⊔ N } ⊢ y = z Γ , f = { v ⊔ N } ⊢ pair ( v )Γ ⊢ pfun ( f ) FIGURE 4.
Example of a rewrite step plays a central role. In effect, it allows to call { log } with the minimal set of hypotheses as to prove thegoal. This implies a reduction of the proof term andconsequently of the computing time. As opposed to theusual fact that the more hypotheses are available duringan interactive proof, the better, dropping hypotheses isdecisive to the success of our approach. Indeed, whenan ATP is called to perform a proof step, unnecessaryhypotheses may make it walk through many actuallyuseless proof paths (and, in the case of tools like { log } ,that might not terminate in some cases, they can takean infinite proof path). Hence, by dropping unnecessaryhypotheses the prover has fewer proof paths to walkthrough, thus augmenting the chances to end the proofand to do it faster.On the downside, the key role of drop sensibly changesthe proof style as now the user must determine whichhypotheses are superfluous to prove a subgoal insteadof using them to prove it.We also note that our approach tends to reduce theinfluence of a good lemma engineering . That is, usersusually plan which lemmas go first and which follow,so as to use the former in the proofs of the latter. Forexample, the Coq proof of (T1) is the following : move=>is_function_F is_function_Gis_function_H range_F_eq_B rel_comp_eq.apply/eqP; rewrite eqEsubset; apply/andP;split.- exact: (auxT is_function_F is_function_Grange_F_eq_B rel_comp_eq).- symmetry in rel_comp_eq.exact: (auxT is_function_F is_function_Hrange_F_eq_B rel_comp_eq). where auxT is a helper lemma whose importance wasmade evident after the first proof attempt (T1). Indeed, auxT states that g ⊆ h holds if the hypotheses of (T1)are satisfied. Its proof is the following: move=>[fun_cond_F _ _] [_ domain_G_eq_B _]range_F_eq_domain_G rel_comp_eq;apply/subsetP => p p_in_G.have: p.1 \in range F.rewrite range_F_eq_domain_G -domain_G_eq_B.apply/in_domainP; exists p.2.by rewrite -[(p.1,p.2)]surjective_pairing.move=> /in_range_restP [a [_ pair_in_F]].have: (a,p.2) \in rel_comp F H.by rewrite -rel_comp_eq;apply/in_rel_compP;exists p.1; split; The reader does not need to understand the proofs, just tohave an idea of their length and complexity. [exact: pair_in_F |rewrite -[(p.1,p.2)]surjective_pairing].move=> /in_rel_compP [b [in_F in_H]].have p1_eq_b: p.1 = b by apply:((((fun_cond_F (a,p.1)) (a,b)) pair_in_F)in_F).by rewrite [p]surjective_pairing p1_eq_b.
Now, compare Coq’s proof of (T1) with { log } -ITP’s(cf. Section 3.1): rewrite . (6) − drop ([ f ⊆ A × B, dom ( f, A ) ,g ⊆ B × C, dom ( g, B ) , h ⊆ B × C ]) , prove . − drop ([ f ⊆ A × B, dom ( f, A ) ,g ⊆ B × C, h ⊆ B × C, dom ( h, B )]) , prove . where no helper lemma is necessary and the complexproof of auxT is replaced by dropping hypotheses andthen calling { log } . On the other hand, as in Coq, theuser still needs to guide the proof by splitting the initialgoal into g ⊆ h and h ⊆ g and the symmetry used inthe Coq proof (i.e., symmetry ) is still present in the { log } -ITP proof, when symmetric drop commands areexecuted. Hence, were { log } available in Coq the proofof (T1) would not need the helper lemma and it wouldstill be compact and semi-automatic.However, there is still room for further automation.CoqHammer [6] uses external ATPs to automate Coqproofs. CoqHammer helps in automating the proof of(T1): move=> is_function_F is_function_Gis_function_H range_F_eq_B rel_comp_eq.apply/eqP; rewrite eqEsubset; apply/andP;split.- hammer.- hammer. where hammer needs lemma auxT to prove bothsubgoals. However, hammer cannot prove auxT automatically . Then, were CoqHammer and { log } available, the Coq proof of (T1) could be almost automatic: first use drop and prove to prove auxT ; andthen use hammer to prove (T1) as above.CoqHammer depends on a good lemma engineering.Conversely, { log } does not depend on such engineeringbut it can only prove results of FS&RA . A combinationbetween a general tool like CoqHammer with special-ized provers such as { log } , seems to be a promisingstrategy towards proof automation. The Computer Journal , Vol. ??, No. ??, ????
Cristi´a, Katz and Rossi
4. EMPIRICAL ASSESSMENT
As we have said, our intention is to provideevidence that integrating { log } ’s rewriting system intomainstream ITP’s will yield a noticeable increment inproof automation concerning FS&RA . This is { log } -ITP’s single purpose. To this end, we performed 210proofs with { log } -ITP and Coq in order to comparetheir complexity and length. In an attempt to avoid asmuch as possible a bias towards { log } -ITP, 21 proofscorrespond to problems listed in the REL and SETcollections of the TPTP library ((T1) is an example)which satisfy that { log } either does not terminate ortakes a very long time to do it when it is applied toprove them . The remaining 189 proofs correspond tolemmas included in Coq’s SSReflect finite set library, finset [39]. We chose finset for three reasons: a )it has been designed as to make it easy to prove thoselemmas in Coq; b ) a fragment of finset ’s set theorykeeps a clear relationship with respect to { log } ’s; and c ) it would provide evidence that proof automation ofreal Coq results can be achieved with our proposal.Finally, the Coq proofs were performed by one of theauthors (with experience in working with SSReflect),while { log } -ITP’s were done by another author.As concerns the TPTP problems, they are encodedin Coq by extending SSReflect’s finset . SSReflectis a proof language extending Coq with additionaltactics oriented to support long mathematical proofs. finset defines a type for sets over a finite type. Itincludes definitions such as set membership, union,Cartesian product, etc. However, it does not includeset relation algebra definitions such as the identityrelation, converse (or inverse), composition, and(partial) function. Since these are necessary to reasonabout L BR formulas, we defined them in Coq. Forexample, our Coq set-based definition of function from A to B (i.e., f ∈ A → B ) is the following: Definition is_function_from_to(S1 S2:finType) (R:{set (S1 * S2)})(A:{set S1}) (B:{set S2}) :=[/\ is_function R, domain R = A& (range R) \subset B]. where is_function , domain and range are defined in asimilar fashion, but where \subset is part of SSReflect’sfinite type interface (on which finset is based on).We also give a set-based definition of the relationalcomposition of two binary relations: Definition rel_comp (S1 S2 S3:finType)(R1:{set (S1 * S2)}) (R2:{set (S2 * S3)}) :=[set p | [ exists u, ((p.1, u) \in R1)&& ((u, p.2) \in R2)]]. { log } automatically and quickly proves all the other problemsof TPTP.SET and TPTP.REL expressible in its input language[10]. The remaining 147 lemmas of finset are not expressible inthe input language of { log } as they include operators such asgeneralized union or powerset. These extensions to finset lead to the followingencoding of theorem (T1):
Theorem T1 A B C (F:{set (S1 * S2)})(G H:{set (S2 * S3)}) :is_function_from_to F A B ->is_function_from_to G B C ->is_function_from_to H B C ->range F = B ->rel_comp F G = rel_comp F H -> G = H.
A similar encoding was used to state the 189 lemmasof finset , as { log } -ITP theorems. For example, thefollowing finset lemma: Lemma setCU A B :~: (A :|: B) = ~: A :&: ~: B where ~: is complement ( − ), :|: is ∪ and :&: is ∩ , isencoded as the following { log } -ITP theorem: theorem ( setCU ,A ⊆ T ∧ B ⊆ T ∧ un ( A, B, M ) ∧ un ( M , M , T ) ∧ M k M ∧ un ( A, M , T ) ∧ A k M ∧ un ( B, M , T ) ∧ B k M , inters ( M , M , M ))where T corresponds to the variable T of type finType declared in the section containing Lemma setCU (i.e., allsets of this section are subsets of T ).Table 1 summarizes the results of the evaluation. Aswe have said, { log } is unable to automatically proveany of the 21 TPTP theorems (thus, for the TPTPtheorems, the Auto entry is set to zero). On the otherhand, Coq needs 690 proof commands to prove them,while { log } -ITP can do it with 219, of which only 146are other than the prove command. This is a reductionof about 68% in the number of proof commands (andabout 79% if prove is not counted). By ‘proof command’we understand all the characters accommodated in thesame line (which intend to represent basic mathematicalproof steps). For example, for us, this is a singleCoq proof command: by move=> a; apply/setP=>x; rewrite inE; case: eqP => -> . In this sense, { log } -ITP proof commands tend to be simpler thanCoq’s. Actually, the 690 proof commands used in Coqto prove the TPTP problems are composed of about1030 applications of SSReflect tactics, which represent35,014 characters while those used in { log } -ITP just3,662 characters. Then, apart from the gain in thenumber of proof commands, there is notable gain intheir complexity ( ≈ prove commands consume 55 s of computing time whichmeans that the automated part of each theorem isexecuted in 2.6 s in average. On the other hand, thecompletion of all the Coq proofs took around 10 man-hour; while completing all the { log } -ITP took around1 man-hour.As concerns the problems taken from finset , Table 1indicates that { log } -ITP automatically proves 97% ofthem (in 1 s in average). In this case the gain in the The Computer Journal , Vol. ??, No. ??, ???? roof Automation in the Theory of Finite Sets and Finite Set Relation Algebra Collection { log } non- prove TPTP 21 0 0 690 219 146 55 s 2.6 sSSReflect finset
189 183 97 223 195 6 182 s 1 s
Summary
210 183 87 913 435 158 237 s 1.1 s
TABLE 1.
Summary of the empirical evaluation number of proof commands is minimal. However, itshould be noted that in { log } -ITP 183 problems areproved via the same command ( prove ), while the Coqproofs require, roughly, 214 different commands. Inother words, a Coq user needs to reason on how to prove183 theorems, while a { log } -ITP user does not. Thisfact can be quantified if only the non- prove commandsare considered, as they amount to only 2% of the Coqcommands.The Coq proofs present in these experiments arethe result of some degree of lemma engineering. Forinstance, in the TPTP Coq proofs we first proved21 helper lemmas and then the 21 theorems usedas experiment. The helper lemmas correspond toproperties that are used several times in the proofsof the 21 theorems. These can be simple properties,such as the characterization of the fact that an orderedpair belongs to the relational composition of two binaryrelations, or more complex ones, such as the helperlemma auxT described in Section 3.3 (which is appliedtwice in the proof of (T1) thanks to the use ofsymmetry). Without this lemma engineering, proofswould be longer and more complex. As usual, manyof these helper lemmas make themselves evident aftersome of the main theorems are proved. In { log } -ITP nolemma engineering was used (actually, there is no wayto use or apply a previous lemma in the current proof).This is another indication of a gain in simplicity when { log } -ITP is used.This evaluation suggests that an integration of { log } into Coq would produce more fully automated FS&RA proofs and would semi-automate many others.The full data set of our ex-periments can be found online at: .They were performed on a Dell Latitude E7470 (06DC)laptop with a 4 core Intel(R) Core ™ i7-6600U CPU at2.60GHz with 8 Gb of main memory, running LinuxUbuntu 18.04.2 LTS 64-bit with kernel 4.15.0-56-generic. The following software versions were used: { log }
5. CONCLUSIONS
We have proposed { log } as a special purpose ATP forthe theory of finite sets and finite set relation algebra,that can be integrated into ITPs to semi-automateproofs of this theory. We have also empirically evaluated the approach by implementing a prototypeITP where users can call { log } as a proof command.The prototype was assessed on 210 theorems andcompared with Coq. The assessment shows goodresults in: a ) the number of automated proofs; b ) thecomputing times needed to complete them; and c ) thereduction in the length and complexity of interactiveproofs that call { log } to discharge subgoals.Concerning future work, in the case of Coq wesee two possible integration strategies. The mostobvious one is to use { log } as an external ATP, alongthe lines of SMTCoq [8] or CoqHammer [6]. Inthis case proof reconstruction might be difficult orinfeasible. A second integration strategy may consist inimplementing { log } ’s rewriting system as a Coq tactic.The first steps of this approach have already been doneby Dubois and Weppe [40]. Depending on the way thisis done, as a side effect, this approach might yield aformal verification of { log } . It remains as open issues,though, whether the size of the proof term producedby the new tactic will be more manageable than in thefirst strategy and whether or not the tactic will be fastenough as to be worth it. REFERENCES [1] Harrison, J., Urban, J., and Wiedijk, F. (2014) Historyof interactive theorem proving. In Siekmann, J. H.(ed.),
Computational Logic , Handbook of the Historyof Logic, , pp. 135–214. Elsevier.[2] Bertot, Y. and Cast´eran, P. (2004) InteractiveTheorem Proving and Program Development - Coq’Art:The Calculus of Inductive Constructions
Texts inTheoretical Computer Science. An EATCS Series.Springer, Berlin.[3] Nipkow, T., Paulson, L. C., and Wenzel, M. (2002)
Isabelle/HOL - A Proof Assistant for Higher-OrderLogic , Lecture Notes in Computer Science, .Springer, Berlin.[4] Harrison, J. (1996) HOL light: A tutorial introduction.In Srivas, M. K. and Camilleri, A. J. (eds.),
Formal Methods in Computer-Aided Design, FirstInternational Conference, FMCAD ’96, Palo Alto,California, USA, November 6-8, 1996, Proceedings ,Lecture Notes in Computer Science, , pp. 265–269. Springer, Berlin.[5] Nieuwenhuis, R., Oliveras, A., and Tinelli, C.(2006) Solving SAT and SAT modulo theories:From an abstract Davis–Putnam–Logemann–Lovelandprocedure to DPLL(T).
J. ACM , , 937–977.[6] Czajka, L. and Kaliszyk, C. (2018) Hammer for coq:Automation for dependent type theory. J. Autom.
The Computer Journal , Vol. ??, No. ??, ????0
Cristi´a, Katz and Rossi
Reasoning , , 423–453.[7] Paulson, L. C. and Blanchette, J. C. (2010) Threeyears of experience with sledgehammer, a practical linkbetween automatic and interactive theorem provers.In Sutcliffe, G., Schulz, S., and Ternovska, E. (eds.), The 8th International Workshop on the Implementationof Logics, IWIL 2010, Yogyakarta, Indonesia, October9, 2011 , EPiC Series in Computing, , pp. 1–11.EasyChair.[8] Ekici, B., Mebsout, A., Tinelli, C., Keller, C., Katz,G., Reynolds, A., and Barrett, C. W. (2017) Smtcoq:A plug-in for integrating SMT solvers into Coq. InMajumdar, R. and Kuncak, V. (eds.), ComputerAided Verification - 29th International Conference,CAV 2017, Heidelberg, Germany, July 24-28, 2017,Proceedings, Part II , Lecture Notes in ComputerScience, , pp. 126–133. Springer, Berlin.[9] Blanchette, J. C., B¨ohme, S., and Paulson, L. C. (2013)Extending Sledgehammer with SMT solvers.
J. Autom.Reasoning , , 109–128.[10] Cristi´a, M. and Rossi, G. (2020) Solving quantifier-free first-order constraints over finite sets and binaryrelations. J. Autom. Reasoning , , 295–330.[11] Jackson, D. (2006) Software Abstractions: Logic,Language, and Analysis . The MIT Press.[12] Abrial, J.-R. (1996)
The B-book: Assigning Programsto Meanings . Cambridge University Press, New York,NY, USA.[13] Spivey, J. M. (1992)
The Z notation: a referencemanual . Prentice Hall International (UK) Ltd.,Hertfordshire, UK, UK.[14] Sutcliffe, G. (2009) The TPTP Problem Library andAssociated Infrastructure: The FOF and CNF Parts,v3.5.0.
J. Autom. Reasoning , , 337–362.[15] Cristi´a, M. and Rossi, G. (2018) A set solverfor finite set relation algebra. In Desharnais, J.,Guttmann, W., and Joosten, S. (eds.), Relationaland Algebraic Methods in Computer Science - 17thInternational Conference, RAMiCS 2018, Groningen,The Netherlands, October 29 - November 1, 2018,Proceedings , Lecture Notes in Computer Science, , pp. 333–349. Springer, Berlin.[16] Andr´eka, H., Givant, S. R., and N´emeti, I. (1997)
Decision problems for equational theories of relationalgebras . American Mathematical Society, Providence,Rhode Island, USA.[17] Mentr´e, D., March´e, C., Filliˆatre, J.-C., and Asuka,M. (2012) Discharging proof obligations from AtelierB using multiple automated provers. In Derrick, J.,Fitzgerald, J. A., Gnesi, S., Khurshid, S., Leuschel,M., Reeves, S., and Riccobene, E. (eds.),
ABZ ,Lecture Notes in Computer Science, , pp. 238–251. Springer, Berlin.[18] Bobot, F., Filliˆatre, J.-C., March´e, C., and Paskevich,A. (2011) Why3: Shepherd your herd of provers.
Boogie2011: First International Workshop on IntermediateVerification Languages , Wroc law, Poland, August.[19] D´en`es, M., Hritcu, C., Lampropoulos, L.,Paraskevopoulou, Z., and Pierce, B. C. (2014)Quickchick: Property-based testing for Coq.
The CoqWorkshop . [20] Schulz, S. (2002) E - a brainiac theorem prover.
AICommun. , , 111–126.[21] Riazanov, A. and Voronkov, A. (2002) The design andimplementation of VAMPIRE. AI Commun. , , 91–110.[22] Blanchette, J. C., B¨ohme, S., Popescu, A., andSmallbone, N. (2016) Encoding monomorphic andpolymorphic types. Logical Methods in ComputerScience , , 1–52.[23] Bury, G., Delahaye, D., Doligez, D., Halmagrand, P.,and Hermant, O. (2015) Automated deduction in theB set theory using typed proof search and deductionmodulo. In Fehnker, A., McIver, A., Sutcliffe, G., andVoronkov, A. (eds.), , EPiC Series inComputing, , pp. 42–58. EasyChair.[24] Bury, G., Cruanes, S., Delahaye, D., and Euvrard,P. (2018) An automation-friendly set theory for theB method. In Butler, M. J., Raschke, A., Hoang,T. S., and Reichl, K. (eds.), Abstract State Machines,Alloy, B, TLA, VDM, and Z - 6th InternationalConference, ABZ 2018, Southampton, UK, June 5-8,2018, Proceedings , Lecture Notes in Computer Science, , pp. 409–414. Springer, Berlin.[25] Conchon, S. and Contejean, E. Alt-Ergo. last access:November 2011.[26] Bury, G. and Delahaye, D. ArchSat. last access:October 2019.[27] Cruanes, S. Zipperposition. last access: October 2019.[28] Cristi´a, M. and Rossi, G. (2016) A decision procedurefor sets, binary relations and partial functions. InChaudhuri, S. and Farzan, A. (eds.),
ComputerAided Verification - 28th International Conference,CAV 2016, Toronto, ON, Canada, July 17-23, 2016,Proceedings, Part I , Lecture Notes in ComputerScience, , pp. 179–198. Springer, Berlin.[29] Rossi, G. (2008). { log } .http://people.dmi.unipr.it/gianfranco.rossi/setlog.Home.html.[30] Cristi´a, M., Rossi, G., and Frydman, C. (2017)Using a set constraint solver for program verification. Proceedings 4th Workshop on Horn Clauses forVerification and Synthesis, HCVS at CADE 2017,Gothenburg, Sweden, 7th August 2017. [31] Cristi´a, M., Rossi, G., and Frydman, C. S. (2013) { log } as a test case generator for the Test TemplateFramework. In Hierons, R. M., Merayo, M. G., andBravetti, M. (eds.), SEFM , Lecture Notes in ComputerScience, , pp. 229–243. Springer, Berlin.[32] Cristi´a, M. and Rossi, G. (2014) Rapid prototypingand animation of Z specifications using { log } . , pp. 4–18. Informal proceedings: http://sets2014.cnam.fr/papers/sets2014.pdf .[33] Schmidt, G., Hattensperger, C., and Winter, M. (1997)Heterogeneous Relation Algebra. In Brink, C., Kahl,W., and Schmidt, G. (eds.), Relational Methods inComputer Science . Springer Vienna, Vienna.[34] Cristi´a, M. and Rossi, G. (2020) Automated proofof Bell–LaPadula security properties.
J. Autom.Reasoning , n/a . The Computer Journal , Vol. ??, No. ??, ???? roof Automation in the Theory of Finite Sets and Finite Set Relation Algebra [35] Cristi´a, M. and Rossi, G. (2020) An automatically ver-ified prototype of the Tokeneer ID station specification. CoRR , abs/2009.00999 .[36] Dovier, A., Piazza, C., Pontelli, E., and Rossi, G.(2000) Sets and constraint logic programming. ACMTrans. Program. Lang. Syst. , , 861–931.[37] Cristi´a, M. and Rossi, G. (2019). Rewrite rules for asolver for sets, binary relations and partial functions.[38] Cristi´a, M. (2019). { log } -ITP source code andexperimental data.[39] Gonthier, G. and Mahboubi, A. (2010) An introductionto small scale reflection in Coq. J. FormalizedReasoning , , 95–152.[40] Dubois, C. and Weppe, S. (2018) Towards Coqformalisation of { log } set constraints resolution. InCristi´a, M., Delahaye, D., and Dubois, C. (eds.), Proceedings of the 3rd International Workshop on Setsand Tools co-located with the 6th International ABZConference, SETS@ABZ 2018, Southamptom, UK,June 5, 2018. , CEUR Workshop Proceedings, ,pp. 32–37. CEUR-WS.org.
APPENDIX A. SYNTAX AND SEMANTICSOF L BR In this appendix we provide a formal, detailedintroduction of the syntax and semantics of L BR .The input constraint language accepted by { log } , L BR , is a first-order predicate language with termsof two sorts: terms designating sets (including binaryrelations), and terms designating ur-elements. Termsof either sort are allowed to enter in the formationof set terms (in this sense, the designated sets arehybrid), no nesting restrictions being enforced (inparticular, membership chains of any finite length canbe modeled). In a term which is not a variableand designates an ur-element, the main functor (beit a constant or a function symbol) will act as afree (‘uninterpreted’) Herbrand constructor; a specialset constructor, and a handful of reserved predicatesymbols endowed with a pre-designated set-theoreticmeaning, are also available. Formulas are built inthe usual way by using conjunction, disjunction andnegation of atomic predicates. A number of complexoperators (in the form of predicates) are defined as L BR formulas, thus making it simpler for the user to writecomplex formulas. Appendix A.1. Syntax
The syntax of L BR is defined primarily by giving thesignature upon which terms and formulas are built. Definition
A.1 . The signature Σ BR of L BR is atuple hF , Π , Set , O , Vi where: • F is the set of function symbols partitioned as F b = F S ∪ F X , where F S b = {∅ , {· ⊔ ·} , · × ·} and F X is aset of uninterpreted constant and function symbols,including at least the binary function symbol ( · , · ) . • Π is the set of predicate symbols partitioned as Π b = Π S ∪ Π T ∪ Π R , where Π S b = { = , = , ∈ , / ∈ , un , k} , Π T b = { set , nset , rel , nrel , pair , npair } and Π R b = { id , comp , inv } . • { Set , O } is the set of sorts. • V is a denumerable set of variables partitioned as V b = V S ∪ V O , where V S and V O contain variablesof sort Set and O , respectively. To complete the definition of L BR , in addition to thesignature it is necessary to specify the sorts of functionand predicate symbols: if f ∈ F (resp., π ∈ Π) is ofarity n , then its sort is an n + 1-tuple h s , . . . , s n +1 i (resp., an n -tuple h s , . . . , s n i ) of non-empty subsets ofthe set of sorts { Set , O } . This notion is denoted by f : h s , . . . , s n +1 i (resp., by π : h s , . . . , s n i ). Definition
A.2 . The sorts of the function symbolsin F are as follows: • ∅ : h{ Set }i ; • {· ⊔ ·} : h{ Set , O } , { Set } , { Set }i ; • · × · : h{ Set } , { Set } , { Set }i ; • ( · , · ) : h{ Set , O } , { Set , O } , { O }i ; • f : h{ O } , . . . , { O }i ∈ ( { O } ) n +1 if f ∈ F X is ofarity n .The sorts of the predicate symbols in Π are as follows(symbols = , = , ∈ , / ∈ and k are infix; all other symbolsin Π are prefix): • pair , npair , set , nset : h{ Set , O }i ; • = , =: h{ Set , O ) } , { Set , O }i ; • ∈ , / ∈ : h{ Set , O } , { Set }i ; • un , comp : h{ Set } , { Set } , { Set }i ; • k , id , inv : h{ Set } , { Set }i ; • rel , nrel : h{ Set }i . We can now define the set of admissible (i.e., well-sorted) L BR terms. Definition
A.3 . All BR -terms and their sorts arebuild inductively as follows: • each variable v ∈ V is a BR -term of sort h{ Set }i if v ∈ V S or sort h{ O }i if v ∈ V O . • if f ∈ F is a function symbol of sort h s , . . . , s n +1 i , and for each i = 1 , . . . , n , t i is a BR -term of sort h s ′ i i with s ′ i ⊆ s i , then f ( t , . . . , t n ) is a BR -term of sort h s n +1 i . Note that the sort of any BR -term t is always of theform h{ Set }i or h{ O }i . In the former case we simplysay that t is of sort Set , or a set term , and in the lattercase that t is of sort O . In particular, BR -terms of theform {· ⊔ ·} are called extensional set terms. The firstparameter of an extensional set term is called elementpart and the second is called set part . Observe that onecan write terms representing sets which are nested atany level.The following notation is introduced to make readingof set terms simpler: { t , t , . . . , t n ⊔ t } as a shorthand The Computer Journal , Vol. ??, No. ??, ????2
Cristi´a, Katz and Rossi for { t ⊔ { t ⊔ · · · { t n ⊔ t } · · · }} and the notation { t , t , . . . , t n } as a shorthand for { t , t , . . . , t n ⊔ ∅} . Example . The following are set terms:- ∅ - { a, ( b, c ) } , i.e., { a ⊔ { ( b, c ) ⊔ ∅}} , where a , b and c are constants of sort O - { x ⊔ A × { y ⊔ B }} , where x, y are variables of sort Set or O , and A, B are variables of sort
Set .- { x ⊔ A } , where x is a variable of sort Set or O , and A is a variable of sort Set .On the opposite, { x ⊔ ( a, b ) } is not a set term because( a, b ) is not of sort Set .Finally, from L BR terms, we define L BR formulas. Definition
A.4 . All BR -formulas are build induc-tively as follows: • if π ∈ Π is a predicate symbol of sort h s , . . . , s n i ,and for each i = 1 , . . . , n , t i is a BR -term ofsort h s ′ i i with s ′ i ⊆ s i , then π ( t , . . . , t n ) is a BR -constraint, a particular case of BR -formula. • if α and β are BR -formulas, then so are α ∧ β and α ∨ β . Example . The following are BR -formulas: a ∈ A ∧ a / ∈ B ∧ un ( A, B, C ) ∧ C = { x } un ( A, B, C ) ∧ A k C ∧ inv ( R, A ) ∧ R = ∅ where a is a constant of sort O , x is a variable of sort Set or O , and A , B , C and R are variables of sort Set .On the contrary, un ( A, B, ( x, y )) is not a BR -formulabecause un ( A, B, ( x, y )) is not a BR -constraint (( x, y )is not of sort Set as required by the sort of un ). Appendix A.2. Semantics
Semantics of BR -formulas is given by defining a suitableinterpretation structure for L BR .Sorts and symbols in Σ BR are interpreted accordingto the interpretation structure R b = h D, ( · ) R i , where D and ( · ) R are defined as follows. Definition
A.5 (Interpretation domain) . The inter-pretation domain D , of the interpretation structure R ,is partitioned as D b = D Set ∪ D O where: • D Set is the collection of all hereditarily finitehybrid sets built from elements in D ; and • D O is a collection of other objects, includingordered pairs of elements in D . Hereditarily finite sets are those sets that admit(hereditarily finite) sets as their elements. Note that,finite binary relations and functions, as defined inNote 2, belong to D Set . Definition
A.6 (Interpretation function) . The in-terpretation function ( · ) R , of the interpretation struc-ture R , is defined as follows. • Each sort S ∈ { Set , O } is mapped to the domain D S . • For each sort S ∈ { Set , O } , each variable x of sort S is mapped to an element x R in D S .The constant and function symbols in F S are inter-preted as follows: • ∅ as the empty set; • { x ⊔ A } as the set { x R } ∪ A R ; and • A × B as the set A R × B R .The predicate symbols in Π are interpreted as follows: • x = y as x R = y R ; • x ∈ A as x R ∈ A R ; • un ( A, B, C ) as C R = A R ∪ B R ; • A k B as A R ∩ B R = ∅ ; • set ( x ) as x R ∈ D Set ; • pair ( x ) as x R ∈ { ( a, b ) : a, b ∈ D } ; • rel ( R ) as R R ⊂ { ( a, b ) : a, b ∈ D } ; • id ( A, R ) as R R = id A R ; • inv ( R, S ) as S R = ( R R ) ` ; • comp ( R, S, T ) as T R = R R ◦ S R ; and • any symbol π ′ in {6 = , / ∈ , nrel , nset , npair } isinterpreted as ¬ π for the corresponding symbol π in { = , ∈ , rel , set , pair } , where ¬ is logicalnegation. The interpretation structure R is used to evaluateeach RIS -formula Φ into a truth value Φ R = { true , false } in the following way: RIS -constraints areevaluated by ( · ) R according to the meaning of thecorresponding predicates in set theory as defined above; RIS -formulas are evaluated by ( · ) R according to therules of propositional logic.In particular, observe that equality between twoset terms is interpreted as the equality in D Set ; thatis, as set equality between hereditarily finite hybridsets. Such equality is regulated by the standard extensionality axiom , which has been proved to beequivalent, for hereditarily finite sets, to the followingequational axioms [36]: { x, x ⊔ A } = { x ⊔ A }{ x, y ⊔ A } = { y, x ⊔ A } . Note . L BR can be extended to support other setand relational operators definable by means of suitable L BR formulas. Dovier et al. [36] proved that symbolsin Π S are sufficient to define constraints implementingthe set operators ∩ , ⊆ and \ . Cristi´a and Rossi extendthat result in [10] showing that symbols in Π S ∪ Π R are sufficient to define constraints implementing all theoperators defined in Note 2.As any of these constraints can be replaced by itsdefinition, we can completely ignore the presence ofthem in L BR formulas. Note . The negated versions of bothset and relational constraints can be introduced as L BR The Computer Journal , Vol. ??, No. ??, ???? roof Automation in the Theory of Finite Sets and Finite Set Relation Algebra ¬ R = S ` is introducedas the following BR -formula:(( x, y ) ∈ R ∧ ( y, x ) / ∈ S ) ∨ (( x, y ) / ∈ R ∧ ( y, x ) ∈ S ) ∨ nrel ( R ) ∨ nrel ( S )( x and y are implicitly existentially quantified). Thanksto the availability of negative constraints, (general)logical negation is not strictly necessary in L BR . Data Availability Statement
The data un-derlying this article are available in Dropbox at ,and can be accessed with the URL just given.