Certification of Nonclausal Connection Tableaux Proofs

Abstract. Nonclausal connection tableaux calculi enable proof search without performing clausification. We give a translation of nonclausal connection proofs to Gentzen's sequent calculus LK and compare it to an existing translation of clausal connection proofs. Furthermore, we implement the translation in the interactive theorem prover HOL Light, enabling certification of nonclausal connection proofs as well as a new, complementary automation technique in HOL Light.


Introduction
Most automated theorem provers (ATPs) output only limited proof traces for performance reasons. This is in contrast to the LCF approach, which hinges on the correctness of a small, trusted kernel [13]. One way to certify the correctness of proofs produced by ATPs is to translate them to interactive theorem provers (ITPs) [15,17]. Certification of proofs given by ATPs is also important for the integration of ATPs into interactive theorem provers, providing automation in the form of proof tactics [5].
Most ATPs convert their input problems to clausal normal form as a preprocessing step [23]. To reconstruct the resulting clausal proofs in an ITP, it is necessary to verify the conversion to clausal normal form in the ITP. The ATP nanoCoP has demonstrated that a connection prover not requiring clausification can be implemented effectively [27]. The reconstruction of nonclausal proofs eliminates the need to prove the correctness of the clausification, but on the other hand, translating the proofs is more involved.
In this paper, we describe the translation of clausal and nonclausal connection proofs to Gentzen's LK. To ease the translation, we introduce slightly modified versions of the clausal and nonclausal connection calculus in section 3. Using these calculi, we describe a translation method from clausal and nonclausal connection proofs to LK in section 4. Based on this translation, we develop in section 5 an automatic proof certification of clausal proofs from leanCoP as well as of nonclausal proofs from nanoCoP in the ITP HOL Light. We evaluate the performance of our implementations on HOL Light problem sets in section 6. This paper generalises work co-authored by the second author of this paper about the certification of clausal connection tableaux proofs [19]. Whereas [19] is concerned more with technical questions of implementing a clausal prover and a corresponding proof translation in a functional language, this paper abstracts more from technical details in order to treat the more involved nonclausal proof translation. This paper extends section 6.4 of the first author's PhD thesis [11], where a preliminary version of the nonclausal proof translation described in this paper was introduced.

Connection Calculi
In this section, we will give a brief overview of the clausal and the nonclausal connection tableaux calculus. For more details and examples, see [26,27].¹ Let us start by fixing some notation. The transitive closure of a relation $R$ is denoted by $R^+$, and the transitive reflexive closure by $R^*$. A term $t$ is either a variable $x$, a constant $a$, or $f(t_1, \dots, t_n)$, where $f$ is a function symbol of arity $n$ and $t_1, \dots, t_n$ are terms. An atom $A$ is $P(t_1, \dots, t_n)$, where $P$ is a predicate of arity $n$ and $t_1, \dots, t_n$ are terms. A (first-order) formula $F$ is (A), where $F_1$ and $F_2$ are formulas, $A$ is an atom, and $x$ is a variable. We write a sequence of quantifiers $\forall x_1 \dots x_n.F$ as $\forall \mathbf{x}.F$. The formula $F[t/x]$ denotes the formula $F$ with all unbound occurrences of $x$ replaced by $t$. A literal $L$ is either $\neg A$ or $A$, where $A$ is an atom. The complement $\overline{L}$ of a literal is $A$ if $L$ is of the shape $\neg A$, and $\neg A$ otherwise. A substitution $\sigma$ is a function from variables to terms.
In the clausal calculus, a clause $C$ is $\forall \mathbf{x}.(L_1 \vee \dots \vee L_n)$ and a matrix $M$ is $C_1 \wedge \dots \wedge C_n$. In the nonclausal calculus, a clause $C$ is $\forall \mathbf{x}.(X_1 \vee \dots \vee X_n)$, where each $X_i$ is either a literal or a matrix, and a matrix $M$ is $C_1 \wedge \dots \wedge C_n$.² We refer to matrices in the clausal calculus as clausal matrices and to matrices in the nonclausal calculus as nonclausal matrices.
We can write a clause $\forall \mathbf{x}.(L_1 \vee \dots \vee L_n)$ as a set $\{L_1, \dots, L_n\}$ and we can write a matrix $C_1 \wedge \dots \wedge C_n$ as a set $\{C_1, \dots, C_n\}$. Alternatively, we write matrices as row vectors and clauses as column vectors.
For any formula $F$, there are equisatisfiable closed formulas $M(F)$ and $\overline{M}(F)$, where $M(F)$ is a nonclausal matrix and $\overline{M}(F)$ is a clausal matrix. We can convert any formula to a nonclausal matrix by conversion to negation normal form, Skolemisation (eliminating existential quantifiers), and pushing universal quantifiers inwards via $\forall x.(F_1 \wedge F_2) \equiv (\forall x.F_1) \wedge (\forall x.F_2)$.

Example 1. Consider the following equivalent formulas $F$ and $\overline{F}$.

¹ We diverge from [26] by using a refutational point of view; that is, instead of proving formulas directly, we refute their negations. This shows up for example when we interpret clauses and matrices: In this paper, a clause (of a negated formula) represents a disjunction, whereas in [26], a clause (of an unnegated formula) represents a conjunction. Our refutational view is historically motivated by other proof certification methods, namely those for MESON [15] and leanCoP [19].

² We represent clauses with quantifiers to reduce the size of the translated proofs.
For brevity, we write $sx$ for $s(x)$ and $s^2x$ for $s(s(x))$. The nonclausal matrix $M$ corresponds to $F$ and the clausal matrix $\overline{M}$ to $\overline{F}$:

The words of the connection calculi treated in this paper are tuples $\langle C, M, Path \rangle$, where $C$ is a clause, $M$ is a matrix, and $Path$ is a set of literals and matrices called the active path.³ In the calculus rules, $\sigma$ is a global (or rigid) term substitution, i.e. it is applied to the whole derivation. We say that a (non)clausal connection proof of $M$ is a derivation of $\langle \emptyset, M, \emptyset \rangle$ in the (non)clausal connection calculus.
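As an added example (not code from the paper or from nanoCoP), the following Python program carries out the conversion described above on a constructed goal: it negates the goal (refutational view), computes negation normal form, Skolemises, pushes universal quantifiers inwards and builds the nonclausal matrix; for comparison it also builds the clausal matrix, which additionally distributes disjunction over conjunction. The formula syntax, the printed notation (!x.{...} for a clause, [... & ...] for a matrix, ~ for negation) and the sample goal are this example's own assumptions, not the paper's.

```python
"""Added example (not code from the paper or from nanoCoP): building the nonclausal
matrix of the text (negation normal form, Skolemisation, universal quantifiers pushed
inwards) and, for comparison, the clausal matrix, which additionally distributes
disjunction over conjunction. Syntax and names are this example's own."""
import itertools

# Formula: ('atom', P, args) | ('not', F) | ('and', F, G) | ('or', F, G) | ('imp', F, G)
#          | ('forall', x, F) | ('exists', x, F);  term: ('var', x) | ('fn', f, args).
# nnf() turns atoms into literals ('lit', polarity, P, args).  Bound names must be distinct.
DUAL = {'and': 'or', 'or': 'and', 'forall': 'exists', 'exists': 'forall'}

def nnf(f, pos=True):
    """Negation normal form of f, or of its negation when pos is False."""
    tag = f[0]
    if tag == 'atom':
        return ('lit', pos, f[1], f[2])
    if tag == 'not':
        return nnf(f[1], not pos)
    if tag == 'imp':
        return nnf(('or', ('not', f[1]), f[2]), pos)
    if tag in ('and', 'or'):
        return (tag if pos else DUAL[tag], nnf(f[1], pos), nnf(f[2], pos))
    return (tag if pos else DUAL[tag], f[1], nnf(f[2], pos))

def subst_term(t, s):
    return s.get(t[1], t) if t[0] == 'var' else ('fn', t[1], [subst_term(a, s) for a in t[2]])

def subst(f, s):                      # apply the variable -> term map s to an NNF formula
    tag = f[0]
    if tag == 'lit':
        return ('lit', f[1], f[2], [subst_term(a, s) for a in f[3]])
    if tag in ('and', 'or'):
        return (tag, subst(f[1], s), subst(f[2], s))
    return (tag, f[1], subst(f[2], {k: v for k, v in s.items() if k != f[1]}))

def skolemise(f, scope=(), fresh=None):
    """Replace each existential variable by a Skolem term over the universal variables
    in scope (f must be in NNF)."""
    fresh = itertools.count() if fresh is None else fresh
    tag = f[0]
    if tag == 'lit':
        return f
    if tag in ('and', 'or'):
        return (tag, skolemise(f[1], scope, fresh), skolemise(f[2], scope, fresh))
    if tag == 'forall':
        return ('forall', f[1], skolemise(f[2], scope + (f[1],), fresh))
    sk = ('fn', 'sk%d' % next(fresh), [('var', v) for v in scope])
    return skolemise(subst(f[2], {f[1]: sk}), scope, fresh)

def push_forall(f):
    """forall x.(A and B)  ==>  (forall x.A) and (forall x.B), applied bottom-up."""
    tag = f[0]
    if tag in ('and', 'or'):
        return (tag, push_forall(f[1]), push_forall(f[2]))
    if tag == 'forall':
        body = push_forall(f[2])
        if body[0] == 'and':
            return ('and', push_forall(('forall', f[1], body[1])),
                    push_forall(('forall', f[1], body[2])))
        return ('forall', f[1], body)
    return f

def matrix(f):                        # nonclausal matrix: list of clauses (a conjunction)
    return matrix(f[1]) + matrix(f[2]) if f[0] == 'and' else [clause(f)]

def clause(f):                        # clause (vars, elements): forall vars.(X1 | ... | Xn)
    vs = []
    while f[0] == 'forall':
        vs.append(f[1])
        f = f[2]
    return (vs, disjuncts(f))

def disjuncts(f):                     # an element is a literal or a submatrix
    if f[0] == 'or':
        return disjuncts(f[1]) + disjuncts(f[2])
    return [f] if f[0] == 'lit' else [matrix(f)]

def free_vars(lits):
    def tv(t): return {t[1]} if t[0] == 'var' else set().union(*map(tv, t[2]))
    return set().union(*(tv(a) for l in lits for a in l[3]))

def clausal_matrix(f):
    """Clausal matrix: drop the (now purely universal) quantifiers, distribute disjunction
    over conjunction, and let each clause quantify its own variables."""
    def cnf(g):
        while g[0] == 'forall':
            g = g[2]
        if g[0] == 'lit':
            return [[g]]
        if g[0] == 'and':
            return cnf(g[1]) + cnf(g[2])
        return [a + b for a in cnf(g[1]) for b in cnf(g[2])]
    return [(sorted(free_vars(c)), c) for c in cnf(f)]

def show_term(t):
    return t[1] if t[0] == 'var' else t[1] + ('(%s)' % ','.join(map(show_term, t[2])) if t[2] else '')

def show_matrix(m):
    return '[' + ' & '.join(show_clause(c) for c in m) + ']'

def show_clause(c):
    body = ' | '.join(show_matrix(e) if isinstance(e, list)
                      else ('' if e[1] else '~') + e[2] + '(%s)' % ','.join(map(show_term, e[3]))
                      for e in c[1])
    return ('!%s.' % ' '.join(c[0]) if c[0] else '') + '{' + body + '}'

def to_matrices(goal):
    """Refutational view: negate the goal, normalise, return (nonclausal, clausal) matrix."""
    neg = push_forall(skolemise(nnf(goal, pos=False)))
    return matrix(neg), clausal_matrix(neg)

# Constructed goal: (forall x. P(x) | (Q(x) & R(x)))  ->  forall y. P(y) | Q(y)
x, y = ('var', 'x'), ('var', 'y')
GOAL = ('imp', ('forall', 'x', ('or', ('atom', 'P', [x]),
                                     ('and', ('atom', 'Q', [x]), ('atom', 'R', [x])))),
               ('forall', 'y', ('or', ('atom', 'P', [y]), ('atom', 'Q', [y]))))

if __name__ == '__main__':
    nonclausal, clausal = to_matrices(GOAL)
    print('nonclausal:', show_matrix(nonclausal))   # the inner conjunction stays a submatrix
    print('clausal:   ', show_matrix(clausal))      # ... and is distributed away here
```

The negated goal yields three nonclausal clauses, the first of which keeps Q(x) & R(x) as a submatrix; clausification turns that clause into two, so the clausal matrix has four clauses. Any proof about the clausal matrix would have to be related back to the original formula through that distribution step, which is exactly the step the nonclausal translation avoids.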
The rules of the clausal connection calculus are shown in Figure 1 [30]. For any closed formula $F$, we have that $F$ is unsatisfiable iff there is a clausal connection proof of $\overline{M}(F)$ [3]. A clausal connection proof of $\overline{M}$ from Example 1 is given in Figure 2. We now proceed to introduce definitions related to the nonclausal connection calculus.

Definition 1 (Clause Predicates). A clause $C$ recursively contains a literal or a matrix $X$ iff $X \in^+ C$.⁴

In a clausal matrix $\overline{M}$, all clauses in $\overline{M}$ can potentially give rise to an extension step. In a nonclausal matrix $M$, however, we have clauses $C$ for which $C \in^+ M$, but $C \notin M$. It depends on the active path which of these clauses may give rise to an extension step. Those clauses which do are called extension clauses.

Definition 3 (Extension Clause). The clause $C \in^+ M$ is an extension clause (e-clause) of the matrix $M$ with respect to a set $Path$ iff either (a) $C$ recursively contains an element of $Path$, or (b) $C$ is α-related to all elements of $Path$ recursively contained in $M$ and, if $C$ has a parent clause, that parent clause recursively contains an element of $Path$.
Given an extension clause, its β-clause removes from the clause those parts that are irrelevant to the current subgoal.

Definition 4 (β-clause). The β-clause of $C$ with respect to $L$ is $C$ with $L$ and all clauses that are α-related to $L$ removed.

Example 2. Consider the nonclausal matrix from Example 1. The extension clauses with respect to $\{Q\}$ are all clauses $C \in M$. In particular, the first clause in $M$, $\{Q\}$, is an extension clause due to condition (a) of Definition 3, because it contains $Q$, and the other clauses in $M$ are extension clauses due to condition (b), because they are α-related to $Q$ and do not have parent clauses. Only one of the clauses in $M$ recursively contains $\neg Q$, namely

Let us now assume that $\sigma(x) = a$. The extension clauses with respect to $\{Q, P(sx)\} \cup \{P(s^2a)\}$ are all clauses in $M$, plus $C_4$ due to condition (b) and $C_5$ due to condition (a). Two of these extension clauses recursively contain the literal $\neg P(s^2x)$ that can be unified with $\neg P(s^2a)$, namely $C_3$ and $C_4$. The β-clause of

Some β-clauses in this example will be used in a nonclausal proof in Figure 7.
The rules of the nonclausal calculus are shown in Figure 3. The calculus rules differ from the clausal variant by the addition of a decomposition rule and by the adaptation of the extension rule to the nonclausal setting. For any closed formula $F$, we have that $F$ is unsatisfiable iff there is a nonclausal connection proof of $M(F)$ [26]. A nonclausal proof of $M$ from Example 1, as well as a shorter clausal proof of $\overline{M}$ from the same example, will be given using slightly modified versions of the calculi in section 3.

Compressed Connection Calculi
In Otten's presentation of connection calculi [26], all proof rules have a fixed number of premises. To ease the presentation of proofs in this paper, we present slightly reformulated versions of Otten's calculi. We call these calculi compressed, because proofs in these calculi usually consist of fewer proof steps and take up less space. The compressed calculi can be considered a mixture between Otten's and Letz's presentation of connection tableaux [21]. We introduce the following notation for rules with an arbitrary number of premises:

We will now show how proofs can be translated between the compressed calculi in this section and the original calculi in section 2.

Lemma 1. The sequent $\langle \{X_1, \dots, X_n\}, M, Path \rangle$ has a proof in a connection calculus iff all sequents $\langle X_1, M, Path \rangle, \dots, \langle X_n, M, Path \rangle$ have proofs in the corresponding compressed connection calculus.

Proof. Any connection proof of $\langle \{X_1, \dots, X_n\}, M, Path \rangle$ has the following shape:

From such a proof, we can recursively construct proofs of $\langle X_i, M, Path \rangle$ in the corresponding compressed calculus by

where each subproof $P_i$ is replaced by its translation to the compressed calculus. Similarly, we can translate proofs from the compressed to the original calculi.
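The following is an added example, not code from the paper or from leanCoP: a small clausal connection prover in Python for the rules of Figure 1 (start, reduction, extension), formulated as in the compressed calculus of this section, i.e. one proof node per rule application with as many premises as the clause copy has remaining literals. It keeps the substitution σ global (rigid), makes a fresh copy of a clause for every start and extension step, bounds the nesting depth of extension steps, and backtracks over all alternatives via generators (the iterative loop without backtracking that one might write first is incomplete: a unifier chosen for one premise can block a sibling premise). Term layout, proof-node layout and the sample matrix are this example's own constructions.

```python
"""Added example (not code from the paper or from leanCoP): a clausal connection prover
with the start, reduction and extension rules of Figure 1 in the compressed formulation
(one node per rule application), a rigid substitution sigma, fresh clause copies and
full backtracking. Names and data layout are this example's own."""
import itertools

# Term: (name, args); a 0-ary term whose name starts uppercase is a variable.
# Literal: (polarity, term).  Clause: ('cl', lits), variables implicitly universal.
# Matrix: ('and', clauses).  Proof nodes, one per rule application:
#   ('start', k, lits, ren, subproofs)        clause k, fresh copy lits, one subproof per literal
#   ('ext', lit, k, lits, i, ren, subproofs)  lits[i] unifies with the complement of lit
#   ('red', lit)                              the complement of lit is on the active path
def lit(p, *a, neg=False): return (not neg, (p, tuple(a)))
def is_var(t): return not t[1] and t[0][0].isupper()
def complement(l): return (not l[0], l[1])

def walk(t, s):                       # follow variable bindings in s
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Most general unifier extending s, or None (no occurs check, as in leanCoP)."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        return {**s, a: b} if is_var(a) else {**s, b: a}
    if a[0] != b[0] or len(a[1]) != len(b[1]):
        return None
    for x, y in zip(a[1], b[1]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def apply(t, s):                      # apply s to a term, following binding chains
    t = walk(t, s)
    return t if is_var(t) else (t[0], tuple(apply(x, s) for x in t[1]))

def unify_lit(a, b, s): return unify(a[1], b[1], s) if a[0] == b[0] else None

def rename(clause, fresh):
    """Copy of a clause with fresh variables, plus the map original -> fresh variable."""
    ren = {}
    def rn(t):
        if is_var(t):
            return ren.setdefault(t, ('V%d' % next(fresh), ()))
        return (t[0], tuple(rn(x) for x in t[1]))
    return [(p, rn(t)) for p, t in clause[1]], ren

def connection_proof(matrix, depth=5):
    """Search with at most `depth` nested extension steps; returns (proof, sigma) or None."""
    fresh = itertools.count()

    def solve(l, path, s, d):                            # close the branch <l, M, path>
        for p in path:                                   # reduction rule
            s2 = unify_lit(complement(l), p, s)
            if s2 is not None:
                yield ('red', l), s2
        if d == 0:
            return
        for k, clause in enumerate(matrix[1]):           # extension rule
            lits, ren = rename(clause, fresh)
            for i, m in enumerate(lits):
                s2 = unify_lit(complement(l), m, s)
                if s2 is not None:
                    rest = lits[:i] + lits[i + 1:]
                    for subs, s3 in solve_all(rest, path + [l], s2, d - 1):
                        yield ('ext', l, k, lits, i, ren, subs), s3

    def solve_all(lits, path, s, d):                     # all premises, with backtracking
        if not lits:
            yield [], s
            return
        for p, s2 in solve(lits[0], path, s, d):
            for ps, s3 in solve_all(lits[1:], path, s2, d):
                yield [p] + ps, s3

    for k, clause in enumerate(matrix[1]):               # start rule
        lits, ren = rename(clause, fresh)
        for subs, s in solve_all(lits, [], {}, depth):
            return ('start', k, lits, ren, subs), s
    return None

def show_term(t):
    return t[0] + ('(%s)' % ','.join(map(show_term, t[1])) if t[1] else '')

def show(node, s, indent=0):
    """Render a proof tree with sigma applied, one line per rule application."""
    def lit_str(l):
        return ('' if l[0] else '~') + show_term(apply(l[1], s))
    pad = '  ' * indent
    if node[0] == 'red':
        return pad + 'reduction %s\n' % lit_str(node[1])
    lits, subs = (node[2], node[4]) if node[0] == 'start' else (node[3], node[6])
    line = pad + '%s {%s}\n' % (node[0], ', '.join(map(lit_str, lits)))
    return line + ''.join(show(sub, s, indent + 1) for sub in subs)

# Constructed matrix of the negated goal  (forall X. P(X) -> Q(X)) /\ P(a) -> Q(a).
X, a = ('X', ()), ('a', ())
MATRIX = ('and', (('cl', (lit('P', X, neg=True), lit('Q', X))),   # forall X. ~P(X) | Q(X)
                  ('cl', (lit('P', a),)),                          # P(a)
                  ('cl', (lit('Q', a, neg=True),))))               # ~Q(a)

if __name__ == '__main__':
    proof, sigma = connection_proof(MATRIX)
    print(show(proof, sigma), end='')
```

On the sample matrix the prover starts with the first clause and closes both of its literals by one extension step each, with σ binding the clause copy's variable to a; the tree it returns is what a proof translation like the one in section 4 consumes, so the proof nodes record the clause index, the fresh copy and the renaming, not just the instantiated literals.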

Connection Proof Translation
In this section, we propose a translation method from connection proofs to Gentzen's sequent calculus LK [12]. A connection proof for a first-order formula $F$ consists of a connection proof tree and a global substitution $\sigma$. Given this information, we want to construct a proof of $F \vdash \bot$, which is written in LK as $F \vdash$. To more concisely present the proof translation, we omit the substitution $\sigma$ in the LK translation; for example, instead of writing $\langle \sigma(L), \sigma(M), \sigma(Path) \rangle$, we write $\langle L, M, Path \rangle$.
We translate connection proof trees recursively by distinguishing the different rules of the calculus. We denote by $[\Gamma]$ the LK translation of the connection proof for $\Gamma$. We write that $C$ is in

We use a rule ∧L to extract a conjunct from a conjunction while keeping the conjunction in the context, as well as a rule ⊥L to derive ⊥ from two complementary literals in the context:⁵

$$\frac{}{\Gamma, A, \overline{A} \vdash}\ \bot L$$
We now describe the translation of connection proofs. Two rules of the connection calculi are translated the same way for clausal and nonclausal proofs, namely the start and the reduction rule. We show the translation of these rules in Figure 8. For the start rule, the translation obtains the formula corresponding to the clause $C$ with the ∧L rule, and instantiates it with the ∀L rule. The substitution $\sigma$ is used to determine the instantiations, where fresh names are invented when a variable is unbound in the substitution. As noted before, we omit $\sigma$ in the LK translation, writing $\langle X_1 \vee \dots \vee X_n, M \rangle$ to abbreviate $\langle \sigma(X_1 \vee \dots \vee X_n), \sigma(M) \rangle$. Then, the sequent is split into several proof trees $[\langle X_i, M, \{\} \rangle]$, which represent the translations of the connection proofs for $\langle X_i, M, \{\} \rangle$.⁶

Clausal Proof Translation
The translation of the clausal extension rule (shown in Figure 4) is given in Figure 9.
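An added example (not code from the paper or from HOL Light) of what certification means in the LCF setting described in the introduction: a minimal kernel in Python offering only the LK rules used by the translation (∧L keeping the conjunction in the context, ∀L, a split of the disjunction, and ⊥L on complementary literals), and an untrusted translation that replays a clausal connection proof through it along the lines of the start, reduction and extension cases above. Path literals become the LK context; a start or extension step becomes ∧L, ∀L instantiated by σ and the split; the branch of an extension clause that matches the complement of the current literal closes by ⊥L; a reduction step is ⊥L directly. The proof tree and σ are written by hand here, in the node layout documented in the comments, as a connection prover would produce them; names, data layout and the sample matrix are this example's own. A tampered proof makes the kernel raise instead of yielding a theorem, which is the whole point of routing the prover's output through it.

```python
"""Added example (not code from the paper or from HOL Light): a minimal LCF-style kernel
with the LK rules the translation needs (and-left keeping the conjunction, forall-left,
or-left, bottom-left on complementary literals), and an untrusted replay of a clausal
connection proof through it. Names and data layout are this example's own."""

# Term: (name, args); a 0-ary term whose name starts uppercase is a variable.
# Literal: (polarity, term).  Clause: ('cl', lits), variables implicitly universal.
# Matrix: ('and', clauses).  Instantiated clause inside an LK context: ('or', lits).
# Proof nodes: ('start', k, lits, ren, subproofs), ('ext', lit, k, lits, i, ren, subproofs)
# and ('red', lit), where lits is a fresh copy of clause k, ren maps its original variables
# to the fresh ones, and lits[i] is the literal complementary to lit.
def lit(p, *a, neg=False): return (not neg, (p, tuple(a)))
def is_var(t): return not t[1] and t[0][0].isupper()
def complement(l): return (not l[0], l[1])

def apply(t, s):                      # apply substitution s to a term, following chains
    while is_var(t) and t in s:
        t = s[t]
    return t if is_var(t) else (t[0], tuple(apply(x, s) for x in t[1]))

def apply_lit(l, s): return (l[0], apply(l[1], s))

# ---- trusted kernel: only this part has to be correct for a certified proof to be valid
class Theorem:
    """States ctx |- bottom. Only the four rules below may construct one (an abstract
    type in OCaml, as in HOL Light; Python cannot enforce this)."""
    def __init__(self, ctx):
        self.ctx = frozenset(ctx)

def check(ok):
    if not ok:
        raise ValueError('kernel: rule does not apply')

def bot_left(ctx, l):                 # Gamma, A, ~A |- bottom
    check(l in ctx and complement(l) in ctx)
    return Theorem(ctx)

def or_left(ths, lits):               # Gamma, X_i |- bottom for all i  =>  Gamma, X_1 | .. | X_n |- bottom
    check(len(ths) == len(lits) and all(l in th.ctx for th, l in zip(ths, lits)))
    ctx = set().union(*(th.ctx - {l} for th, l in zip(ths, lits)))  # union: weakening
    return Theorem(ctx | {('or', tuple(lits))})

def forall_left(th, clause, sigma):   # Gamma, C sigma |- bottom  =>  Gamma, forall x.C |- bottom
    inst = ('or', tuple(apply_lit(l, sigma) for l in clause[1]))
    check(inst in th.ctx)
    return Theorem((th.ctx - {inst}) | {clause})

def and_left(th, matrix, k):          # Gamma, M, C_k |- bottom  =>  Gamma, M |- bottom (M stays)
    check(matrix in th.ctx and matrix[1][k] in th.ctx)
    return Theorem(th.ctx - {matrix[1][k]})

# ---- untrusted translation: a bug here can only make certification fail, not lie
def certify(matrix, proof, s):
    """Replay a connection proof in the kernel; literals of the active path become the LK
    context, and the resulting theorem states {M} |- bottom."""
    def tr(node, ctx):
        if node[0] == 'red':
            return bot_left(ctx, apply_lit(node[1], s))
        if node[0] == 'start':
            k, lits, ren, subs, closed = node[1], node[2], node[3], node[4], None
        else:
            k, lits, closed, ren, subs = node[2], node[3], node[4], node[5], node[6]
        ground, rest = [apply_lit(l, s) for l in lits], iter(subs)
        # branch `closed` of an extension step is closed against the literal already in ctx
        ths = [bot_left(ctx | {g}, g) if j == closed else tr(next(rest), ctx | {g})
               for j, g in enumerate(ground)]
        th = forall_left(or_left(ths, ground), matrix[1][k],
                         {v: apply(w, s) for v, w in ren.items()})
        return and_left(th, matrix, k)                    # M itself is never consumed
    th = tr(proof, frozenset({matrix}))
    check(th.ctx <= frozenset({matrix}))
    return th

# Constructed input: matrix of the negated goal (forall X. P(X) -> Q(X)) /\ P(a) -> Q(a),
# a connection proof of it (start with clause 0, then two extension steps), sigma = {V0 := a}.
X, V0, a = ('X', ()), ('V0', ()), ('a', ())
MATRIX = ('and', (('cl', (lit('P', X, neg=True), lit('Q', X))),   # forall X. ~P(X) | Q(X)
                  ('cl', (lit('P', a),)), ('cl', (lit('Q', a, neg=True),))))
PROOF = ('start', 0, [lit('P', V0, neg=True), lit('Q', V0)], {X: V0}, [
    ('ext', lit('P', V0, neg=True), 1, [lit('P', a)], 0, {}, []),
    ('ext', lit('Q', V0), 2, [lit('Q', a, neg=True)], 0, {}, [])])
SIGMA = {V0: a}

if __name__ == '__main__':
    print('certified:', certify(MATRIX, PROOF, SIGMA).ctx == frozenset({MATRIX}))
```

The trusted part is the four rule functions and the Theorem type; everything the prover and the translation do is checked against them, so a proof that points an extension step at the wrong clause, or that claims a reduction against a literal not on the path, is rejected by bot_left or forall_left rather than accepted. This is the same division of labour the paper relies on when it translates leanCoP and nanoCoP proofs into HOL Light's kernel.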

Nonclausal Proof Translation
We now proceed with the translation of nonclausal connection proofs, using the calculus introduced in Figure 5. The LK context in the translation of nonclausal proofs now has the shape $X, \mathcal{M}, Path$, where $\mathcal{M}$ is a set of matrices instead of a single matrix $M$ as in the clausal case. During translation, $\mathcal{M}$ is extended such that for each word $\langle L, M, Path \rangle$ in the connection calculus and its corresponding sequent $L, \mathcal{M}, Path$ in LK, the e-clauses of $M$ with respect to $Path \cup \{L\}$ are the clauses $C$ for which $C$ is in $M$ for some $M \in \mathcal{M}$. We will see this in detail in the explanation for the extension rule.
The LK translation of nonclausal proofs reuses the translations of the start and the reduction rules given in Figure 8. The decomposition rule of the nonclausal calculus can be seen as a generalisation of the start rule. We give its translation to LK in Figure 10. Let us now consider a nonclausal extension step applied to $\langle L, M, Path \rangle$. Let $C_1$ denote the e-clause of $M$ with respect to $Path \cup \{L\}$ that was used for the extension step. By construction of $\mathcal{M}$ mentioned above, $C_1$ is some clause in $M_1 \in \mathcal{M}$. Furthermore, let $\beta_1$ be the β-clause of $C_1$ with respect to $L$. Then we can find some $m$ such that $M_1$, $C_1$ and $\beta_1$ can be written as in Figure 11.

The translation of the nonclausal extension rule is shown in Figure 12. We first transform $L, \mathcal{M}, Path$ to $\mathcal{M}_0, P$, which is equivalent because $\mathcal{M}_0 = \mathcal{M}$. We then determine $M_1 \in \mathcal{M}$ and put it into the context by contraction (CL). Now we recursively prove the sequent $M_i, \mathcal{M}_{i-1}, P$ as follows: If $M_i$ is the literal $\overline{L}$, we prove the sequent $\overline{L}, \mathcal{M}_m, P$ with the ⊥L rule. Otherwise, we proceed in the following way: First, we put the appropriate clause $C_i$ of $M_i$ that corresponds to $\beta_i$ into the context with the ∧L rule. In the same step, we merge $M_i$ with $\mathcal{M}_{i-1}$, yielding $\mathcal{M}_i$. After the instantiation of $C_i$ with the ∀L rule, the clause elements $X_{i,1}$ to $X_{i,n_i}$ give rise to several proof branches, where all but one are closed by translation of the proof branches of the connection proof. The one remaining clause element $M_{i+1}$ gives rise to a sequent $M_{i+1}, \mathcal{M}_i, P$, which we translate by recursion. This concludes the translation of the extension rule.

Example 4. Consider the nonclausal proof given in Figure 7. We show its translation to LK in Figure 13.

The question might arise whether the proof translation necessarily needs to keep a set of matrices $\mathcal{M}$ containing potential extension clauses. Could one instead reconstruct extension clauses from the initial $M$ and $Path$? The next example shows that extending $\mathcal{M}$ with extension clauses is indeed necessary.

Example 5. Consider the extension step that closes $\langle P(sx), M, \{Q, P(sx')\} \rangle$ in Figure 7. The extension clause used in this extension step is $C_4$ from Example 2. However, the closest to $C_4$ we can obtain from M and {Q,

As performed by our translation, extending $\mathcal{M}$ in the translation of the extension step for $\langle P(sx'), M, \{Q\} \rangle$ with the α-related clause $[\neg P(s^2x')]$ corresponding to $C_4$ allows us to translate the extension step for $P(sx)$ with precisely that clause.
The LK translation uses $Path$ only for reduction steps and $\mathcal{M}$ for extension steps, whereas the original calculus uses $Path$ for both. Future work might explore whether a calculus closer to the translation yields more efficient proof search.

Proof. We distinguish the calculus rule used to close $\langle X, M, Path \rangle$. The reduction rule is trivial because it has no premises.
Let us first consider the start rule in Figure 8. Finally, we treat the extension rule shown in Figure 12. By hypothesis, $\mathcal{M}$ contains the extension clauses of $M$ with respect to $Path \cup \{L\}$. We have to show that for each $i$ and $j$, the extension clauses of $M$ with respect to $P \cup \{X_{i,j}\}$ correspond to the clauses in $\mathcal{M}_i$. For every $i$ and $j$, we have that $\mathcal{M}_i$ contains all clauses that recursively contain $X_{i,j}$, which in addition to some clauses in $\mathcal{M}$ are the clauses $C_k$ (see Figure 11) with $k \le i$. This covers condition (a) of Definition 3. Furthermore, those clauses α-related to $X_{i,j}$ that are required by condition (b) and that are not contained in $\mathcal{M}$ are the clauses $M_k \setminus \{C_k\}$ with $k \le i$, which are contained in $\mathcal{M}_i$.

In four large test sets of nonclausal and clausal connection proofs, all translated proofs yielded by our implementations of the proof translations in this section are successfully verified by an interactive theorem prover, see section 6.

Implementation
HOL Light is an interactive theorem prover developed by Harrison in OCaml [16]. leanCoP and nanoCoP are clausal and nonclausal connection provers developed by Otten in Prolog [30,27]. We developed proof search tactics for HOL Light based on leanCoP/nanoCoP and the proof translation shown in section 4.⁷ To ease integration with HOL Light, all parts of the tactics are written in OCaml, including functional implementations of leanCoP and nanoCoP using the compressed calculi in section 3.
The structure of the proof search tactics is shown in Figure 14: First, we convert given proof goals from higher-order logic to first-order logic. For this, we reuse a large part of the MESON [15] infrastructure, such as instantiation of higher-order axioms. This leaves us with first-order problems of the shape $(A_1 \wedge \dots \wedge A_n) \Rightarrow C$, on which we run leanCoP and nanoCoP in the same interpreter as HOL Light [11]. Finally, we translate the resulting connection proofs to HOL Light proofs: We implemented the proof translation shown in section 4 such that it directly yields HOL Light proofs instead of LK proofs.

Evaluation
We compare the performance of our proof search tactics based on leanCoP 2.1 and nanoCoP 1.0 with the Metis [10] and MESON [15] tactics. Similarly to [19], we disable splitting for MESON. We evaluate the tactics on two kinds of problems derived from HOL Light: toplevel and MESON problems.
A toplevel problem results from any HOL Light theorem that is given a name on the OCaml toplevel. It consists of the conclusion of the theorem and the premises used to prove it. A MESON problem results from any call to the MESON tactic. It consists of the statement proven by MESON as well as the premises given to the MESON tactic. Note that toplevel problems are not necessarily solvable by first-order tactics, whereas MESON problems are, because the (first-order) tactic MESON is able to prove them.
We evaluate both toplevel and MESON problems with some tactic by letting the tactic find a proof of the problem conclusion using the problem premises. The problem counts as proven if the tactic finds a proof within a given time limit. We consider toplevel ("top") and MESON ("msn") problems from core HOL Light ("HL") and the Flyspeck project ("FS"), which finished in 2014 a formal proof of the Kepler conjecture [14]. We use the Git version 08f4461 of HOL Light from March 2017. We use a 48-core server with AMD Opteron 6174 2.2GHz CPUs, 320 GB RAM, and 0.5 MB L2 cache per CPU. Each problem is always assigned one CPU. We run all provers with a timeout of 10 seconds per problem.

A toplevel problem in HOL Light syntax, as shown in the original (only this fragment is preserved):
==> (!f. linear f /\ (!x y. f x = f y ==> x = y) ==> (!s. P (IMAGE f s) <=> P s)) ==> !P f s. (!g t. P t /\ linear g ==> P (IMAGE g t)) /\ linear f /\ (!x y. f x = f y ==> x = y) ==> (P (IMAGE f s) <=> P s)
The results are shown in Table 1: Metis solves the largest number of problems among all considered datasets. The comparatively low performance of leanCoP/nanoCoP inside HOL Light is due to their heavy use of array operations for unification: Array access is more than 30 times faster in native OCaml programs than in programs compiled in OCaml's toplevel (as used in HOL Light). We have shown that, when compiled as native OCaml programs, leanCoP/nanoCoP solve more problems than Metis on four out of six datasets that we evaluated [11]. Running leanCoP/nanoCoP outside HOL Light and translating only the resulting proofs inside HOL Light would thus very likely increase the performance of the corresponding tactics.

Related Work
Certification of ATP-found proofs has been especially important for the integration of ATPs into interactive proof assistants. Such components provide automation in the form of proof tactics for smaller steps. HOL Light includes the certified, proof-producing model elimination prover MESON [15]. The paramodulation-based prover Metis [17] was designed with a small certified proof core to simplify its integration with interactive theorem provers [10]. There exists a proof-certifying version of the intuitionistic first-order automated theorem prover JProver for Coq and Nuprl [33,20] as well as a proof-certifying version of an ordered paramodulation prover for Matita [1]. Proofs from several SAT/SMT solvers can be certified in Coq [9] and Isabelle [4]. The logical framework Dedukti allows for the import of superposition proofs from iProver [6] as well as of tableaux proofs from Zenon [7]. The GAPT framework provides translations for a multitude of calculi and automated theorem provers, such as Vampire, E, Prover9, and leanCoP [8,31]. Among all provers whose proof certification is described in the cited work above, the only nonclausal one is JProver. However, its performance is far behind nanoCoP and the intuitionistic version of nanoCoP, nanoCoP-i, with nanoCoP and nanoCoP-i solving about three times as many problems as JProver on the TPTP and the ILTP benchmarks, respectively [27,28]. On the other hand, unlike for nanoCoP-i, there already exists a proof certification method for JProver in an intuitionistic proof assistant, namely in Coq. This leaves as future work the extension of the proof certification in this paper to an intuitionistic setting, in order to enable stronger automated proof search via nanoCoP-i in proof assistants like Coq.

Conclusion
We proposed a translation from clausal and nonclausal connection proofs to LK, yielding a sound proof certification and a proof search tactic for HOL Light. The tactic certifies every nanoCoP and leanCoP proof output in our evaluation.
Future work includes the improvement of the proof search tactics, for example by calling external instances of nanoCoP/leanCoP, but also by improved preprocessing in the tactics, for example by reordering the clauses in the ITP before proof search [29]. The proof search tactic could also be integrated into other ITPs, such as Isabelle [34] and Coq [2]. Since the latter is an intuitionistic system, this motivates the translation of nonclassical connection proofs, such as those given by ileanCoP and nanoCoP-i [25,28]. Finally, we hope that the present article helps to prepare the ground for ITP-checked proofs of soundness/completeness of connection calculi as well as of their implementations.