Three Tactic Theorem Proving

We describe the key features of the proof description language of Declare, an experimental theorem prover for higher order logic. We take a somewhat radical approach to proof description: proofs are not described with tactics but by using just three expressive outlining constructs. The language is \declarative" because each step speci es its logical consequences, i.e. the constants and formulae that are introduced, independently of the justi cation of that step. Logical constants and facts are lexically scoped in a style reminiscent of structured programming. The style is also heavily \inferential", because Declare relies on an automated prover to eliminate much of the detail normally made explicit in tactic proofs. Declare has been partly inspired by Mizar, but provides better automation. The proof language has been designed to take advantage of this, allowing proof steps to be both large and controlled. We assess the costs and bene ts of this approach, and describe its impact on three areas of theorem prover design: speci cation, automated reasoning and interaction. 1 Declarative Theorem Proving Interactive theorem provers combine aspects of formal speci cation, manual proof description and automated reasoning, and they allow us to develop machine checked formalizations for problems that do not completely succumb to fully automated techniques. In this paper we take the position that the role of proof description in such a system is relatively simple: it must allow the user to describe how complex problems decompose to simpler ones, which can, we hope, be solved automatically. This article examines a particular kind of declarative proof, which is one technique for describing problem decompositions. The proof description language we present is that of Declare, an experimental theorem prover for higher order logic. The language provides the functionality described above via three simple constructs which embody rst-order decomposition, second-order proof techniques and automated reasoning. The actual implementation of Declare provides additional facilities such as a speci cation language, an automated reasoning engine, a module system, an interactive development environment (IDE), and other proof language constructs that translate to those described here. We describe these where relevant, but focus on the essence of the outlining constructs. In this section we describe our view of what constitutes a declarative proof language and look at the pros and cons of a declarative approach. We also make a distinction between \declarative" and \inferential" aspects of proof description, both of which are present in the language we describe. In Section 2 we describe the three constructs used in Declare, and present a longer example of proof decomposition, and Section 3 discusses the language used to specify hints. Section 4 compares our proof style with tactic proof, and summarizes related issues such as automated reasoning and the IDE. Space does not permit extensive case studies to be presented here. However, Declare has been applied to a formalization of the semantics of a subset of the Java language and a proof of type soundness for this subset [Sym99]. The purpose of Declare is to explore mechanisms of speci cation, proof and interaction that may eventually be incorporated into other theorem proving systems, and thus complement them.