1 \documentclass[runningheads]{llncs}
7 % \myincludegraphics{filename}{place}{width}{caption}{label}
8 \newcommand{\myincludegraphics}[5]{
11 \includegraphics[width=#3]{eps/#1.eps}
19 \usepackage{draftstamp}
21 \newcommand{\musing}{\texttt{musing}}
22 \newcommand{\musings}{\texttt{musings}}
23 \newcommand{\ws}{Web-Service}
24 \newcommand{\wss}{Web-Services}
25 \newcommand{\hbugs}{H-Bugs}
26 \newcommand{\helm}{HELM}
27 \newcommand{\Omegapp}{$\Omega$mega}
28 \newcommand{\OmegaAnts}{$\Omega$mega-Ants}
30 \title{Brokers and Web-Services for Automatic Deduction: a Case Study}
32 \author{Claudio Sacerdoti Coen \and Stefano Zacchiroli}
35 Department of Computer Science\\
36 University of Bologna\\
37 Mura Anteo Zamboni 7, 40127 Bologna, ITALY\\
38 \email{sacerdot@cs.unibo.it}
40 Department of Computer Science\\
41 \'Ecole Normale Sup\'erieure\\
42 45, Rue d'Ulm, F-75230 Paris Cedex 05, FRANCE\\
43 \email{zack@cs.unibo.it}
53 We present a planning broker and several Web-Services for automatic deduction.
54 Each Web-Service implements one of the tactics usually available in an
55 interactive proof-assistant. When the broker is submitted a "proof status" (an
56 unfinished proof tree and a focus on an open goal) it dispatches the proof to
57 the Web-Services, collects the successfull results, and send them back to the
58 client as "hints" as soon as they are available.
60 In our experience this architecture turns out to be helpful both for
61 experienced users (who can take benefit of distributing heavy computations)
62 and beginners (who can learn from it).
65 \section{Introduction}
66 The \ws{} approach at software development seems to be a working solution for
67 getting rid of a wide range of incompatibilities between communicating
68 software applications. W3C's efforts in standardizing related technologies
69 grant longevity and implementations availability for frameworks based on
70 \wss{} for information exchange. As a direct conseguence, the number of such
71 frameworks is increasing and the World Wide Web is moving from a disorganized
72 repository of human-understandable HTML documents to a disorganized repository
73 of applications working on machine-understandable XML documents both for input
76 The big challenge for the next future is to provide stable and reliable
77 services over this disorganized, unreliable and ever-evolving architecture.
78 The standard solution \ednote{zack: buhm! :-P} is providing a further level of
79 stable services (called \emph{brokers}) that behave as common gateway/address
80 for client applications to access a wide variety of services and abstract over
83 Since the \emph{Declaration of Linz}, the MONET Consortium
84 \cite{MONET}, is working on the development of a framework, based on the
85 \wss{}/brokers approach, aimed at providing a set of software tools for the
86 advertisement and the discovery of mathematical \wss{}.
87 %CSC This framework turns out to be strongly based on both \wss{} and brokers.
89 Several groups have already developed \wss{} providing both computational and
90 reasoning capabilities \cite{???,???,???}\ednote{trovare dei puntatori carini
91 dalle conferenze calculemus}: the formers are implemented on top of
92 Computer Algebra Systems; the latters provide interfaces to well-known
93 theorem provers. Proof-planners, proof-assistants, CAS and
94 domain-specific problem solvers are natural candidates to be client of these
95 services. Nevertheless, so far the number of examples in the literature has
96 been extremely low and the concrete benefits are still to be assessed.
98 In this paper we present an architecture, namely \hbugs{}, implementing a
99 \emph{suggestion engine} for the proof assistant developed on behalf of the
100 \helm{}\footnote{Hypertextual Electronic Library of Mathematics,
101 \url{http://helm.cs.unibo.it}} project
102 \cite{helm}. We provide several \wss{} (called \emph{tutors}) able to
103 suggest possible ways to proceed in a proof. The tutors are orchestrated
104 by a broker (a \ws{} itself) that is able to dispatch a proof
105 status from a client (the proof-assistant) to the tutors;
106 each tutor try to make progress in the proof and, in case
107 of success, notify the client that shows an \emph{hint} to the user.
108 The broker is an instance of the homonymous entity of the MONET framework.
109 The tutors are MONET services. Another \ws (which is not described in this
110 paper and which is called Getter \cite{}) is used to locate and download
111 mathematical entities; the Getter plays the role of the Mathematical Object
112 Manager in the MONET framework.
114 A precursor of \hbugs{} is the \OmegaAnts{} project \cite{???},
115 which provided similar functionalities to the
116 \Omegapp{} proof-planner \cite{Omega}. The main architectural difference
117 between \hbugs{} and \OmegaAnts{} are that the latter is based on a
118 black-board architecture and it is not implemented using \wss{} and
119 brokers. Other differences will be detailed in Sect. \ref{conclusions}
120 \ednote{CSC: che si fa di sta frase?}.
122 In Sect. \ref{architecture} we present the architecture of \hbugs{}.
123 Further implementation details are given in Sect. \ref{implementation}.
124 Sect. \ref{tutors} is an overview of the tutors that have been implemented.
125 As usual, the paper ends with the conclusions and future works.
128 {CSC: Non so se/dove mettere queste parti.
129 Zack: per ora facciamo senza e vediamo se/quanto spazio abbiamo, la prima parte
130 non e' molto utile, ma la seconda sugli usi tipici di proof assistant
133 Despite of that the proof assistant case seems to be well suited to
134 investigate the usage of many different mathematical \wss{}. Indeed: most
135 proof assistants are still based on non-client/server architectures, are
136 application-centric instead of document-centric, offer a scarce level of
137 automation leaving entirely to the user the choice of which macro (usually
138 called \emph{tactic}) to use in order to make progress in a proof.
140 The average proof assistant can be, for example, a client of a \ws{}\
141 interfacing a specific or generic purpose theorem prover, or a client of a
142 \ws{} interfacing a CAS to simplify expressions in a particular mathematical
146 \section{An \hbugs{} Bird'S Eye View\ednote{Zack: sono in vena di boiate
149 \myincludegraphics{arch}{t}{8cm}{\hbugs{} architecture}{\hbugs{} architecture}
151 The \hbugs{} architecture (depicted in Fig. \ref{arch}) is based on three
152 different kinds of actors: \emph{clients}, \emph{brokers}, and \emph{tutors}.
153 Each actor present one or more \ws{} interfaces to its neighbours \hbugs{}
156 In this section we will detail the role and requirements of each kind of
157 actors and discuss about the correspondencies between them and the MONET
158 entities described in \cite{MONET-Overview}.
161 An \hbugs{} client is a software component able to produce \emph{proof
162 status} and to consume \emph{hints}.
164 A proof status is a representation of an incomplete proof and is supposed to
165 be informative enough to be used by an interactive proof assistant. No
166 additional requirements exist on the proof status, but there should be an
167 agreement on its format between clients and tutors. An hint is a
168 representation\ednote{CSC: non c'\'e un sinonimo pi\'u carino? Zack: l'unico
169 decente sembra essere nuovamente "suggestion". CSC: chiamalo sinonimo!}
170 of a step that can be performed in order to proceed in an
171 incomplete proof. Usually it represents a reference to a tactic available
172 on some proof assistant along with an instantiation for its formal
173 parameters. More structured hints can also be used: an hint can be
174 as complex as a whole proof-plan.
176 \myincludegraphics{interfaces}{t}{10cm}{\hbugs{} \wss{} interfaces}{\hbugs{}
179 Using W3C's terminology \cite{ws-glossary}, clients act both as \ws{}
180 providers and requesters, see \ednote{Zack: va bene "see"?, "cfr" credo sia
181 solo italiano ...} Fig. \ref{interfaces}.
182 They act as providers for the broker (to receive hints)
183 and as requesters (to submit new status). Clients
184 additionally use broker service to know which tutors are available and to
185 subscribe to one or more of them.
187 Usually, when the role of client is taken by an interactive proof assistant,
188 new status are sent to the broker as soon as the proof change (e.g. when the
189 user applies a tactic or when a new proof is started) and hints are shown to
190 the user be the means of some effect in the user interface (e.g. popping a
191 dialog box or enlightening a tactic button).\ednote{CSC: questo \'e un
192 possibile posto dove mettere una mini-sessione interattiva. L'appendice
195 \hbugs{} clients act as MONET clients and ask brokers to provide access to a
196 set of services (the tutors). \hbugs{} has no actors corresponding to
197 MONET's Broker Locating Service (since the client is supposed to know the
198 URI of at least one broker). The \hbugs{} client and tutors contact the
199 Getter (a MONET Mathematical Object Manager) to locate and retrieve
200 mathematical items in the \helm{} library.
201 The proof status that are exchanged
202 by the \hbugs{} actors, instead, are built on the fly and are neither
203 stored nor are given an unique identifier (URI) to be managed by the
207 Brokers are the key actors of the \hbugs{} architecture since they
208 act as intermediaries between clients and tutors. They behave as \wss{}
209 providers and requesters for \emph{both} clients and tutors, see Fig.
212 With respect to client, a broker act as \ws{} provider, receiving the
213 proof status and forwarding it to one or more tutors.
214 It also acts as a \ws{} requester sending
215 hints to the client as soon as they are available from the tutors.
217 With respect to tutors, the \ws{} provider role is accomplished by receiving
218 hints as soon as they are produced; as a requester, it is accomplished
219 by asking for computations (\emph{musings} in \hbugs{} terminology) on
220 status received by clients and by stopping already late but still
222 \ednote{Zack: io intanto ho aggiunto una figura, vorrei pero' un tuo
223 commento sulla utilita'/quantita' delle figure ... CSC: vanno benissimo}
225 Additionally brokers keep track of available tutors and clients
228 \hbugs{} brokers act as MONET brokers implementing the following components:
229 Client Manager, Service Registry Manager (keeping track of available
230 tutors), Planning Manager (chosing the available tutors among the ones to
231 which the client is subscribed), Execution Manager. The Service Manager
232 component is not required since the session handler, that identifies
233 a session between a service and a broker, is provided to the service by
234 the broker instead of being received from the service when it is
235 initialized. In particular, a session is identified by an unique identifier
236 for the client (its URL) and an unique identifier for the broker (its
237 URL).\ednote{CSC: OK, sto barando: \hbugs{} non \'e ancora cos\'i
238 multi-sessione. Ma mi sembra la strada che prenderemmo, no?}
240 The MONET architecture specification does not state explicitely whether
241 the service and broker answers can be asyncronous. Nevertheless, the
242 described information flow implicitly suggests a syncronous implementation.
243 On the contrary, in \hbugs{} every request is asyncronous: the connection
244 used by an actor to issue a query is immediately closed; when a service
245 produces an answer, it gives it back to the issuer by calling the
246 appropriate actor's method.
249 Tutors are software component able to consume proof status producing hints.
250 \hbugs{} doesn't specify by which means hints should be produced: tutors can
251 use any means necessary (heuristics, external theorem prover or CAS, ...).
252 The only requirement is that there exists an agreement on the formats of
253 proof status and hints.
255 Tutors act both as \ws{} providers and requesters for the broker. As
256 providers, they wait for commands requesting to start a new \musing{} on
257 a given proof status or to stop an old, out of date, \musing{}. As
258 requesters, they signal to the broker the end of a \musing{} along with its
259 outcome (an hint in case of success or a notification of failure).
261 \hbugs{} tutors act as MONET services.
263 \section{Implementation's Highlights}
264 \label{implementation}
265 \ednote{Zack: l'aspetto grafico di questa parte e' un po' peso, possiamo
266 aggiungere varie immagini volendo, e.g.: schema dei thread di un tutor, sample
267 code di un tutor generato automaticamente}
268 In this section we present some of the most relevant implementation details of
269 the \hbugs{} architecture.
272 \paragraph{Proof status}
273 In our implementation of the \hbugs{} architecture we used the proof
274 assistant of the \helm{} project (codename ``gTopLevel'') as an \hbugs{}
275 client. Thus we have implemented serialization/deserialization capabilities
276 for its internal status. In order to be able to describe \wss{} that
277 exchange status in WSDL using the XML Schema type system, we have chosen an
278 XML format as the target format for the serialization.
280 A schematic representation of the gTopLevel internal status is depicted in
281 Fig. \ref{status}. Each proof is representated by a tuple of four elements:
282 \emph{uri}, \emph{metasenv}, \emph{proof}, \emph{thesis}.
284 \myincludegraphics{status}{t}{8cm}{gTopLevel proof status}{gTopLevel proof
288 \item[uri]: an URI chosen by the user at the beginning of the proof
289 process. Once (and if) proved, that URI will globally identify the term
290 inside the \helm{} library (given that the user decides to save it).
291 \item[thesis]: the thesis of the ongoing proof
292 \item[proof]: the current incomplete proof tree. It can contain
293 \emph{metavariables} (holes) that stands for the parts of the proof
294 that are still to be completed. Each metavariable appearing in the
295 tree references one element of the metavariables environment
297 \item[metasenv]: the metavariables environment is a list of
298 \emph{goals} (unproved conjectures).
299 In order to complete the proof, the user has to instantiate every
300 metavariable in the proof with a proof of the corresponding goal.
301 Each goal is identified by an unique identifier and has a context
302 and a type ( the goal thesis). The context is a list of named
303 hypotheses (declarations and definitions). Thus the context and the goal
304 thesis form a sequent, which is the statement of the proof that will
305 be used to instatiate the metavariable occurrences.
308 Each of these information is represented in XML as described in
309 \cite{csc-thesis}. Additionally, an \hbugs{} status carry the unique
310 identifier of the current goal, which is the goal the user is currently
311 focused on. Using this value it is possible to implement different client
312 side strategies: the user could ask the tutors to work on the goal
313 she is considering or to work on the other ``background'' goals.
316 An hint in the \hbugs{} architecture should carry enough information to
317 permit the client to progress in the current proof. In our
318 implementation each hint corresponds to either one of the tactics available
319 to the user in gTopLevel (together with its actual arguments) or a set
320 of alternative suggestions (a list of hints).
322 For tactics that don't require any particular argument (like tactics that
323 apply type constructors or decision procedures)
324 only the tactic name is represented in the hint. For tactics that need
325 terms as arguments (for example the \texttt{Apply} tactic that apply a
326 given lemma) the hint includes a textual representation of them, using the
327 same representation used by the interactive proof assistant when querying
328 user for terms. In order to be trasmitted between \wss{}, hints are
331 It is also possible for a tutor to return more hints at once,
332 grouping them in a particular XML element.
333 This feature turns out to be particulary useful for the
334 \emph{searchPatternApply} tutor (see Sect. \ref{tutors}) that
335 query a lemma database and return to the client a list of all lemmas that
336 could be used to complete the proof. This particular hint is encoded as a
337 list of \texttt{Apply} hints, each of them having one of the results as term
340 We would like to stress that the \hbugs{} architecture has no dependency
341 on either the hint or the status representation: the only message parts
342 that are fixed are those representing the administrative messages
343 (the envelops in the \wss{} terminology). In particular, the broker can
344 manage at the same time several sessions working on different status/hints
345 formats. Of couse, there must be an agreement between the clients
346 and the tutors on the format of the data exchanged.
348 In our implementation the client does not trust the tutors hints:
349 being encoded as references to available tactics imply
350 that an \hbugs{} client, on receipt of an hint, simply try to reply the work
351 done by a tutor on the local copy of the proof. The application of the hint
352 can even fail to type check and the client copy of the proof can be left
353 undamaged after spotting the error. Note, however, that it is still
354 possible to implement a complex tutor that looks for a proof doing
356 send back to the client an hint whose argument is a witness (a trace) of
357 the proof found: the client applies the hint reconstructing (and checking
358 the correctness of) the proof from the witness, without having to
359 re-discover the proof itself.
361 An alternative implementation where the tutors are trusted would simply
362 send back to the client a new proof-status. Upong receiving the
363 proof-status, the client would just override its current proof status with
364 the suggested one. In the case of those clients which are implemented
365 using proof-objects (as the Coq proof-assistant, for instance), it is
366 still possible for the client to type-check the proof-object and reject
367 wrong hints. The systems that are not based on proof-objects
368 (as PVS, NuPRL, etc.), instead, have to trust the new proof-status. In this
369 case the \hbugs{} architecture needs at least to be extended with
370 clients-tutors autentication.
372 \paragraph{Registries}
373 Being central in the \hbugs{} architecture, the broker is also responsible
374 of housekeeping operations both for clients and tutors. These operations are
375 implemented using three different data structures called \emph{registries}:
376 clients registry, tutors registry and \musings{} registry.
378 In order to use the suggestion engine a client should register itself to the
379 broker and subscribe to one or more tutors. The registration phase is
380 triggered by the client using the \texttt{Register\_client} method of the
381 broker to send him an unique identifier and its base URI as a
382 \ws{}. After the registration, the client can use broker's
383 \texttt{List\_tutors} method to get a list of available tutors.
384 Eventually\ednote{CSC: Vuoi veramente dire eventually qui? Zack: si, prima o
385 poi lo faranno ...} the
386 client can subscribe to one or more of these using broker's
387 \texttt{Subscribe} method. Clients can also unregister from brokers using
388 \texttt{Unregister\_client} method.
390 The broker keeps track of both registered clients and clients' subscriptions
391 in the clients registry.
393 In order to be advertised to clients during the subscription phase, tutors
394 should register to the broker using the broker's \texttt{Register\_tutor}
395 method. This method is really similar to \texttt{Register\_client}:
396 tutors are required to send an unique identify and a base URI for their
398 Additionally tutors are required to send an human readable description of
399 their capabilities; this information could be used by client's user to
400 decide which tutors he needs to subscribe to. Like clients, tutors can
401 unregister from brokers using \texttt{Unregister\_broker} method.
403 Each time the client status change, the status is sent to the
404 broker using its \emph{Status} method. Using both clients registry (to
405 lookup client's subscription) and tutors registry (to check if some tutors
406 has unsubscribed), the broker is able to decide to which tutors the
407 new status must be forwarded.\ednote{CSC: qui o nei lavori futuri parlare
408 della possibilit\'a di avere un vero brocker che multiplexi le richieste
409 del tutor localizzando i servizi, etc.}
411 The forwarding operation is performed using the \texttt{Start\_musing}
412 method of the tutors, that is a request to start a new computation
413 (\emph{\musing{}}) on a given status. The return value of
414 \texttt{Start\_musing} is a
415 \musing{} identifier that is saved in the \musings{} registry along with
416 the identifier of the client that triggered the \musing{}.
418 As soon as a tutor completes an \musing{}, it informs the broker
419 using its \texttt{Musing\_completed} method; the broker can now remove the
420 \musing{} entry from the \musings{} registry and, depending on its outcome,
421 inform the client. In case of success one of the \texttt{Musing\_completed}
422 arguments is an hint to be sent to the client, otherwise there's no need to
423 inform him and the \texttt{Musing\_completed} method is called
424 just to update the \musings{} registry.
426 Consulting the \musings{} registry, the tutor\ednote{CSC: ma \'e vero o
427 stai delirando? Zack: e' vero, non ti fidi? :-) Up to delay di rete
428 ovviamente ...} is able to know, at each time,
429 which \musings{} are in execution on which tutor. This peculiarity is
430 exploited by the broker on invocation of Status method. Receiving a new
431 status from the client implies indeed that the previous status no longer
432 exists and all \musings{} working on it should be stopped: additionally to
433 the already described behaviour (i.e. starting new \musings{} on the
434 received status), the tutor\ednote{CSC: Ma sei veramente veramente sicuro?}
435 takes also care of stopping ongoing computation invoking
436 \texttt{Stop\_musing} tutors' method.
439 As already discussed, all \hbugs{} actors act as \wss{} offering one or more
440 services to neighbour actors. To grant as most accessibility as possible to
441 our \wss{} we have chosen to bind them using the HTTP/POST bindings
442 described in \cite{????}\footnote{Given that our proof assistant was
443 entirely developed in the Objective Caml language, we have chosen to
444 develop also \hbugs{} in that language in order to maximize code reuse. To
445 develop \wss{} in Objective Caml we have developed an auxiliary generic
446 library (\emph{O'HTTP}) that can be used to write HTTP 1.1 Web servers and
447 abstract over GET/POST parsing. This library supports different kinds of Web
448 servers architecture, including multi-process and multi-threaded ones.}.
451 Each tutor expose a \ws{} interface and should be able to work, not only for
452 many different clients referring to a common broker, but also for many
453 different brokers. The potential high number of concurrent clients imposes
454 a multi-threaded or multi-process architecture.
456 Our current implementation is based on a multi threaded architecture
457 exploiting the capabilities of the O'HTTP library. Each tutor is composed
458 by two thread always running plus
459 an additional thread for each running \musing{}. One thread is devoted to
460 listening for incoming \ws{} request; upon correct receiving requests it
461 pass the control to the second always-running thread which handle the pool
462 of running \musings{}. When a new \musing{} is requested, a new thread is
463 spawned to work them out; when a request to interrupt an old \musing{} is
464 received, the thread actually running them is killed freeing its
465 resources.\ednote{CSC: A cosa dobbiamo questa architettura delirante? Se non
466 ricordo male al problema dell'uccisione dei thread. Ora o si spiega
467 il motivo di questa architettura o si glissa/bluffa. Zack: cosa ti sembra
468 delirante? che i thread vengono uccisi? ... non mi e' molto chiaro ...}
470 This architecture turns out to be scalable and allows the running threads
471 to share the cache of loaded (and type-checked) theorems.
472 As we will explain in Sect. \ref{tutors}, this feature turns out to be
473 really useful for tactics that rely on a huge but fixed set of lemmas,
474 as every reflexivite tactic.
476 The implementation of a tutor with the described architecture is not that
477 difficult having a language with good threading capabilities (as OCaml has)
478 and a pool of already implemented tactics (as gTopLevel has).
479 Still working with threads is known to be really error prone due to
480 concurrent programming intrinsic complexity. Moreover, there is a
481 non-neglectable part of code that needs to be duplicated in every tutor:
482 the code to register the tutor to the broker and to handle HTTP requests;
483 the code to manage the creation and termination of threads; and the code for
484 parsing the requests and serializing the answers. As a consequence we
485 have written a generic implementation of a tutor which is parameterized
486 over the code that actually propose the hint and some administrative
487 data (as the port the tutor will be listening to).
489 The generic tutor skeleton is really helpful in writing new tutors.
490 Nevertheless, the code obtained by converting existing tactics into tutors
491 is still quite repetitive: every tutor that wraps a tactic has to
492 instantiate its own copy of the proof-engine kernel and, for each request,
493 it has to override its status, guess the tactic arguments, apply the tactic
494 and, in case of success, send back an hint with the tactic name and the
495 chosen arguments. Of course, the complex part of the work is guessing the
496 right arguments. For the simple case of tactics that do not require
497 any argument, though, we are able to automatically generate the whole
498 tutor code given the tactic name. Concretely, we have written a
499 tactic-based tutor template and a script that parses an XML file with
500 the specification of the tutor and generates the tutor's code.
501 The XML file describes the tutor's port, the code to invoke the tactic,
502 the hint that is sent back upon successfull application and a
503 human readable explanation of the tactic implemented by the tutor.
505 \section{The Implemented \hbugs Tutors}
507 To test the \hbugs{} architecture and to assess the utility of a suggestion
508 engine for the end user, we have implemented several tutors. In particular,
509 we have investigated three classes of tutors:
511 \item \emph{Tutors for beginners}. These are tutors that implement tactics
512 which are neither computationally expensive nor difficult to understand:
513 an expert user can always understand if the tactic can be applied or not
514 withouth having to try it. For example, the following implemented tutors
515 belong to this class:
517 \item \emph{Assumption Tutor}: it ends the proof if the thesis is
518 equivalent\footnote{In our implementation, the equivalence relation
519 imposed by the logical framework is \emph{convertibility}. Two
520 expressions are convertible when they reduce to the same normal form.
521 Two ``equal'' terms depending on free variables can be non-convertible
522 since free variables stop the reduction. For example, $2x$ is convertible
523 with $(3-1)x$ because they both reduce to the same normal form
524 $x + x + 0$; but $2x$ is not convertible to $x2$ since the latter is
525 already in normal form.}
526 to one of the hypotheses\footnote{
527 In some cases, expecially when non-trivial computations are involved,
528 the user is totally unable to figure out the convertibility of two terms.
529 In these cases the tutor becomes handy also for expert users.}.
530 \item \emph{Contradiction Tutor}: it ends the proof by \emph{reductio ad
531 adsurdum} if one hypothesis is equivalent to $False$.
532 \item \emph{Symmetry Tutor}: if the goal thesis is an equality, it
533 suggests to apply the commutative property.
534 \item \emph{Left/Right/Exists/Split/Reflexivity/Constructor Tutors}:
535 the Constructor Tutor suggests to proceed in the proof by applying one
536 or more constructors when the goal thesis is an inductive type or a
537 proposition inductively defined according to the declarative
538 style\footnote{An example of a proposition that can be given in
539 declarative style is the $\le$ relation: $\le$ is the smallest relation
540 such that $n \le n$ for every $n$ and $n \le m$ for every $n,m$ such
541 that $n \le p$ where $p$ is the predecessor of $m$. Thus, a proof
542 of $n \le n$ is simply the application of the first constructor to
543 $n$ and a proof of $n \le m$ is the application of the second
544 constructor to $n,m$ and a proof of $n \le m$.}.
545 Since disjunction, conjunction, existential quantification and
546 Leibniz equality are particular cases of inductive propositions,
547 all the other tutors of this class are instantiations of the
548 the Constructor tactic. Left and Right suggest to prove a disjunction
549 by proving its left/right member; Split reduces the proof of a
550 conjunction to the two proof of its members; Exists suggests to
551 prove an existential quantification by providing a
552 witness\footnote{This task is left to the user.}; Reflexivity proves
553 an equality whenever the two sides are convertible.
555 Beginners, when first faced with a tactic-based proof-assistant, get
556 lost quite soon since the set of tactics is large and their names and
557 semantics must be remembered by heart. Tutorials are provided to guide
558 the user step-by-step in a few proofs, suggesting the tactics that must
559 be used. We believe that our beginners tutors can provide an auxiliary
560 learning tool: after the tutorial, the user is not suddendly left alone
561 with the system, but she can experiment with variations of the proof given
562 in the tutorial as much as she like, still getting useful suggestions.
563 Thus the user is allowed to focus on learning how to do a formal proof
564 instead of wasting efforts trying to remember the interface to the system.
565 \item{Tutors for Computationally Expensive Tactics}. Several tactics have
566 an unpredictable behaviour, in the sense that it is unfeasible to understand
567 wether they will succeed or they will fail when applied and what will be
568 their result. Among them, there are several tactics either computationally
569 expensive or resources consuming. In the first case, the user is not
570 willing to try a tactic and wait for a long time just to understand its
571 outcome: she would prefer to keep on concentrating on the proof and
572 have the tactic applied in background and receive out-of-band notification
573 of its success. The second case is similar, but the tactic application must
574 be performed on a remote machine to avoid overloading the user host
575 with several concurrent resource consuming applications.
577 Finally, several complex tactics and in particular all the tactics based
578 on reflexive techniques depend on a pretty large set of definitions, lemmas
579 and theorems. When these tactics are applied, the system needs to retrieve
580 and load all the lemmas. Pre-loading all the material needed by every
581 tactic can quickly lead to long initialization times and to large memory
582 footstamps. A specialized tutor running on a remote machine, instead,
583 can easily pre-load the required theorems.
585 As an example of computationally expensive task, we have implemented
586 a tutor for the \emph{Ring} tactic \cite{ring_bouting}.
587 The tutor is able to prove an equality over a ring by reducing both members
588 to a common normal form. The reduction, which may require some time in
590 is based on the usual commutative, associative and neutral element properties
591 of a ring. The tactic is implemented using a reflexive technique, which
592 means that the reduction trace is not stored in the proof-object itself:
593 the type-checker is able to perform the reduction on-the-fly thanks to
594 the conversion rules of the system. As a consequence, in the library there
595 must be stored both the algorithm used for the reduction and the proof of
596 correctness of the algorithm, based on the ring axioms. This big proof
597 and all of its lemmas must be retrieved and loaded in order to apply the
598 tactic. The Ring tutor loads and cache all the required theorems the
599 first time it is conctacted.
600 \item{Intelligent Tutors}. Expert users can already benefit from the previous
601 class of tutors. Nevertheless, to achieve a significative production gain,
602 they need more intelligent tutors implementing domain-specific theorem
603 provers or able to perform complex computations. These tutors are not just
604 plain implementations of tactics or decision procedures, but can be
605 more complex software agents interacting with third-parties software,
606 such as proof-planners, CAS or theorem-provers.
608 To test the productivity impact of intelligent tutors, we have implemented
609 a tutor that is interfaced with the \helm{}
610 Search-Engine\footnote{\url{http://mowgli.cs.unibo.it/library.html}} and that
611 is able to look for every theorem in the distributed library that can
612 be applied to proceed in the proof. Even if the tutor deductive power
613 is extremely limited\footnote{We do not attempt to check if the new goals
614 obtained applying a lemma can be authomatically proved or, even better,
615 auhomatically disproved to reject the lemma.}, it is not unusual for
616 the tutor to come up with precious hints that can save several minutes of
617 work that would be spent in proving again already proven results or
618 figuring out where the lemmas could have been stored in the library.
621 \section{Conclusions and Future Work}
623 In this paper we described a suggestion engine architecture for
624 proof-assistants: the client (a proof-assistant) sends the current proof
625 status to several distributed \wss{} (called tutors) that try to progress
626 in the proof and, in case of success, send back an appropriate hint
627 (a proof-plan) to the user. The user, that in the meantime was able to
628 reason and progress in the proof, is notified with the hints and can decide
629 to apply or ignore them. A broker is provided to decouple the clients and
630 the tutors and to allow the client to locate and invoke the available remote
631 services. The whole architecture is an instance of the MONET architecture
632 for Mathematical \wss{}.
634 A running prototype has been implemented as part of the
635 \helm{} project \cite{}
636 and we already provide several tutors. Some of them are simple tutors that
637 try to apply one or more tactics of the \helm{} Proof-Engine, which is also
638 our client. We also have a much more complex tutor that is interfaced
639 with the \helm{} Search-Engine and looks for lemmas that can be directly
642 We have many plan for further developing both the \hbugs{} architecture and
643 our prototype. Interesting results could be obtained
644 augmenting the informative content of each suggestion. We can for example
645 modify the broker so that also negative results are sent back to the client.
646 Those negative suggestions could be reflected in the user interface by
647 deactivating commands to narrow the choice of tactics available to the user.
648 This approach could be interesting expecially for novice users, but require
649 the client to trust other actors a bit more than in the current approach.
651 We plan also to add some rating mechanism to the architecture. A first
652 improvement in this direction could be to distinguish between hints that, when
653 applied, are able to completely close one or more goals and
654 tactics that progress in the proof by reducing one or more goals to new goals:
655 the new goals could be false and the proof can be closed only by backtraking.
657 Other heuristics and/or measures could be added to rate
658 hints and show them to the user in a particular order: an interesting one
659 could be a measure that try to minimize the size of the generated proof,
660 privileging therefore non-overkilling solutions \cite{ring}.
662 We are also considering to follow the \OmegaAnts{} path more closely adding
663 ``recursion'' to the system so that proof status resulting from the
664 application of old hints are cached somewhere and could be used as a starting
665 point for new hint searches. The approach is interesting, but it represents
666 a big shift towards automatic theorem proving: thus we must consider if it is
667 worth the effort given the increasing availability of automation in proof
668 assistants' tactics and the ongoing development of \wss{} based on
669 already existent and well developed theorem provers.
671 Even if not strictly part of the \hbugs{} architecture, the graphical user
672 interface (GUI) of our prototype needs a lot of improvement if we would like
673 it to be really usable by novices. In particular, the user is too easily
674 distracted by the tutor's hints that are ``pushed'' to her.
676 Our \wss{} still lack a real integration in the MONET architecture,
677 since we do not provide the different ontologies to describe our problems,
678 solutions, queries and services. In the short term, completing this task
679 could provide a significative feedback to the MONET consortium and would
680 enlarge the current set of available MONET actors on the Web. In the long
681 term, new more intelligent tutors could be developed on top of already
682 existent MONET \wss{}.
684 To conclude, \hbugs{} is a nice experiment meant to understand whether the
685 current \wss{} technology is mature enough to have a concrete and useful
686 impact on the daily work of users of proof-assistants. So far, only the tutor
687 that is interfaced with the \helm{} Search-Engine has effectively increased
688 the productivity of experts users. The usefullness of the tutors developed for
689 beginners, instead, need further assessment.
691 \begin{thebibliography}{01}
693 % \bibitem{ALF} The ALF family of proof-assistants:\\
694 % {\tt http://www.cs.chalmers.se/ComputingScience/Research/\\Logic/implementation.mhtml}
696 % \bibitem{Coq} The Coq proof-assistant:\\
697 % {\tt http://coq.inria.fr/}
699 % \bibitem{FORMAVIE} The Formavie project:\\
700 % {\tt http://http://www-sop.inria.fr/oasis/Formavie/}
702 % \bibitem{EHELM} The HELM project:\\
703 % {\tt http://www.cs.unibo.it/helm/}
705 % \bibitem{MATHWEB} The MathWeb project:\\
706 % {\tt http://www.mathweb.org/}
708 % \bibitem{PCOQ} The PCoq project:\\
709 % {\tt http://www-sop.inria.fr/lemme/pcoq/}
711 % \bibitem{HELM} A.Asperti, L.Padovani, C.Sacerdoti Coen, I.Schena.
712 % Towards a library of formal mathematics. Panel session of
713 % the 13th International Conference on Theorem Proving in Higher Order Logics (TPHOLS'2000),
714 % Portland, Oregon, USA.
716 % \bibitem{Ring} S. Boutin. Using reflection to build efficient and certified
717 % decision procedures. In Martin Abadi and Takahashi Ito, editors, TACS'97,
718 % volume 1281. LNCS, Springer-Verlag, 1997.
720 % \bibitem{YANNTHESIS} Y.Coscoy. \emph{Explication textuelle de preuves pour le
721 % Calcul des Constructions Inductives}, PhD. Thesis, Universit\'e de Nice-Sophia
724 % \bibitem{ALFA} T. Hallgreen, Aarne Ranta. An Extensible Proof Text Editor.
725 % Presented at LPAR2000.
727 % \bibitem{Necula} G. Necula, P. Lee. Safe Kernel Extensions Without Run-Time
728 % Checking. Presented at OSDI'96, October 1996.
730 % \bibitem{Necula2} G. Necula, P. Lee. Efficient Representation and Validation of Proofs. Presented at LICS'98, June 1998
732 % \bibitem{Werner} B. Werner. \emph{Une Th\'eorie des Constructions Inductives},
733 % PhD. Thesis, Universit\'e Paris VII, May 1994.
735 \end{thebibliography}