A Focusing Inverse Method Theorem Prover for First-Order Linear Logic

Abstract. We present the theory and implementation of a theorem prover for first-order intuitionistic linear logic based on the inverse method. The central proof-theoretic insights underlying the prover concern resource management and focused derivations, both of which are traditionally understood in the domain of backward reasoning systems such as logic programming. We illustrate how resource management, focusing, and other intrinsic properties of linear connectives affect the basic forward operations of rule application, contraction, and forward subsumption. We also present some preliminary experimental results obtained with our implementation.


Introduction
Linear logic [1] extends classical logic by internalizing state. This is achieved by forcing linear assumptions to be used exactly once during a proof. Introducing or using a linear assumption then corresponds to a change in state. This alters the fundamental character of the logic so that, for example, even the propositional fragment is undecidable. The expressive power of linear logic has been exploited to provide a logical foundation for phenomena in a number of diverse domains, such as planning, concurrency, functional programming, type systems, and logic programming.
Despite this wide range of potential applications, there has been relatively little effort devoted to theorem proving for linear logic. One class of prior work consists of fundamental proof-theoretic studies of the properties of linear logic [2][3][4]. Most of these are concerned with backward reasoning, that is, with analyzing the structure of proof search starting from a given goal sequent. The most important results, such as the discovery of focusing [2] and solutions to the problem of resource management [5,6], have made their way into logic programming languages [7,8], but not into implemented theorem provers. The term resource management in this context refers to the problem of efficiently ensuring that the single-use semantics of linear assumptions is respected during proof search.
Another class of prior work is directly concerned with theorem proving for linear logic in the forward direction. Here, we are only familiar with Mints's theoretical study necessary for a first-order prover. In Sections 5 and 6 we present the main points in the design of an efficient implementation and some experimental results. In Section 7 we conclude with remarks regarding the scope of our methods and future work.

Backward Sequent Calculus and the Subformula Property
We use a backward cut-free sequent calculus for propositions constructed out of the linear connectives {⊗, 1, ⊸, &, ⊤, !, ∀, ∃}. To simplify the presentation slightly we leave out ⊕ and 0, though the implementation supports them and some of the experiments in Sec. 6 use them. Propositions are written using uppercase letters A, B, C, with P standing for atomic propositions. Atomic propositions contain terms t, which can be term variables x, parameters a, b, or function applications f(t1, . . ., tn). As usual, term constants are treated as nullary functions. The sequent calculus is a standard fragment of JILL [15], containing dyadic two-sided sequents of the form Γ ; ∆ =⇒ C: the zone Γ contains the unrestricted hypotheses, and ∆ contains the linear hypotheses. Both Γ and ∆ are unordered. For the rules of this calculus we refer the reader to [15, page 14]; the missing quantifier rules are below. The superscript in ∀R and ∃L indicates the proviso that a may not occur in the conclusion. Also in [15] are the standard structural properties for the unrestricted hypotheses and admissibility of cut, which extend naturally to the first-order setting.

Definition 1 (subformulas).
A decorated formula is a tuple ⟨A, s, w⟩ where A is a proposition, s is a sign (+ or −), and w is a weight (h or l). The subformula relation ≤ is the smallest reflexive and transitive relation between decorated formulas satisfying the following conditions.
⟨A, s, h⟩ ≤ ⟨!A, s, w⟩    ⟨A, s̄, l⟩ ≤ ⟨A ⊸ B, s, w⟩    ⟨B, s, l⟩ ≤ ⟨A ⊸ B, s, w⟩

where s̄ is the opposite of s. The notation * can stand for either h or l, as necessary. Decorations and the subformula relation are lifted to (multi)sets in the obvious way. We also need the notion of free subformula, which is defined precisely as above, except that we use A instead of [t/x]A for subformulas of positive existentials and negative universals.

Property 2 (strong subformula property). In any sequent
For the rest of the paper, all rules are to be understood as being restricted to decorated subformulas of the goal sequent. A right rule is only applicable if the principal formula A is a positive decorated subformula of the goal sequent (i.e., ⟨A, +, *⟩ ≤ goal); similarly, a left rule only applies to A if ⟨A, −, *⟩ ≤ goal. Of the judgmental rules, init is restricted to atomic subformulas that are both positive and negative decorated subformulas, and the copy rule is restricted to cases where the copied formula A is a heavy negative decorated subformula, i.e., ⟨A, −, h⟩ ≤ goal.

Forward Sequent Calculus and Resource Management
Following the "recipe" for the inverse method outlined in [16], we first present a forward sequent calculus in a ground form (containing no term variables), and then lift it to free subformulas containing term and parameter variables and explicit unification.
As mentioned before, backward proof search in linear logic suffers from certain kinds of nondeterminism peculiar to the nature of linear hypotheses. A binary multiplicative rule like ⊗R is deceptive as written: it hides the fact that the split ∆1, ∆2 of the linear zone is not structurally obvious. Linearity forces the division to be exact, but there are an exponential number of such divisions, which is an unreasonable branching factor for proof search. This form of resource non-determinism is typical in backward search, but it is entirely absent in a forward reading of multiplicative rules, where the parts ∆1 and ∆2 are inputs. The nature of resource nondeterminism in forward and backward search is therefore significantly different.
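To make the contrast concrete, here is a minimal Python sketch (the prover itself is written in Standard ML) of a forward ⊗R step over linear contexts represented as multiplicity multisets. The names and the representation are illustrative assumptions of this sketch; the point is only that the conclusion's linear zone is computed from the premisses, so no splitting is ever searched.

```python
from collections import Counter

# Linear contexts as multisets: a Counter maps each hypothesis to its
# multiplicity. Representation and names are illustrative, not the
# prover's own.

def tensor_r(delta1: Counter, delta2: Counter) -> Counter:
    """Forward ⊗R: the conclusion's linear zone is the multiset union
    of the premisses' zones. The zones are inputs, so no division of
    resources is ever searched."""
    return delta1 + delta2

# In the backward direction, by contrast, a zone with n distinct
# hypotheses admits 2**n candidate splits that may all have to be tried.
```
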
To distinguish forward from backward sequents, we shall use a single arrow (−→), but keep the names of the rules the same. In the forward direction, the primary context management issue concerns rules where the conclusion cannot simply be assembled from the premisses. The backward ⊤R rule has an arbitrary linear context ∆, and the unrestricted context Γ is also unknown in several rules such as init and ⊤R. For the unrestricted zone, this problem is solved in the usual (non-linear) inverse method by collecting only the needed unrestricted assumptions and remembering that they can be weakened if needed [16]. We adapt this solution to the linear zone, which may either be precisely determined (as in the case of initial sequents) or subject to weakening (as in the case of ⊤R). We therefore differentiate sequents whose linear context can be weakened from those whose cannot.

Definition 3 (forward sequents).
A forward sequent is of the form Γ ; ∆ −→w C, with w a Boolean (0 or 1) called the weak-flag. The correspondence between forward and backward sequents is governed by the following conditions. Sequents with w = 1 are called weakly linear or simply weak, and those with w = 0 strongly linear or strong.
It is easy to see that weak sequents model affine logic, which is familiar from embeddings into linear logic that translate affine implications A → B as A ⊸ (B ⊗ ⊤). Initial sequents are always strong, since their linear context cannot be weakened. On the other hand, ⊤R always produces a weak sequent. The collection of inference rules for the forward calculus is in Fig. 1. For binary rules, the unrestricted zones are simply juxtaposed. We can achieve the effect of taking their union by applying the explicit contraction rule (which is absent, but admissible, in the backward calculus). The situation is not as simple for the linear zone. As shown above, in the backward direction the same linear zone is copied into both premisses of the &R rule. This rule is easily adapted to the forward direction when both premisses are strong. If one premiss is weak and the other strong, the weak zone must be a subset of the strong zone. If both premisses are weak, then the conclusion is also weak, but what resources are present in the conclusion? In the ground case, we can simply take the maximal multiplicity for each proposition in the two premisses. To see that this is sound, simply apply weakening to add the missing copies, equalizing the linear contexts in the premisses.
It is also complete, because the maximum represents the least upper bound. In the free variable calculus this analysis breaks down, because the two propositions in the linear contexts of weak premisses may also be equalized by substitution. In preparation, we therefore introduce a non-deterministic additive contraction judgment, which is used in the &R rule to generate multiple valid merges of the linear contexts of the premisses.

Definition 4.
The additive contraction judgment is of the form ∆/w + ∆′/w′ ⊳ ∆″, where ∆, ∆′, and ∆″ are linear contexts, and w and w′ are weak-flags. ∆, ∆′, w, and w′ are inputs, and ∆″ is the output. The rules are as follows. Note that ⊳ is non-deterministic because the fourth and fifth rules overlap. Note further that ∆/1 + ∆′/0 ⊳ ∆′ iff ∆ ⊆ ∆′. The conclusion of a binary multiplicative rule is weak if either of the premisses is weak; thus, the weak-flag of the conclusion is the Boolean-or of those of the premisses. Most unary rules are oblivious to the weakening decoration, which simply survives from the premiss to the conclusion. The exception is !R, for which it is unsound to have a weak conclusion; there is no derivation of · ; ⊤ =⇒ !⊤, for example.
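A ground version of this additive contraction can be sketched in Python as follows, under the assumption (ours, made only for the sketch) that ground linear contexts are represented as multiplicity multisets: strong zones must agree exactly, a weak zone must be contained in a strong one, and two weak zones combine by pointwise maximum.

```python
from collections import Counter
from typing import Optional

# Ground additive contraction (cf. Definition 4) over linear contexts
# represented as multiplicity Counters; the representation is an
# assumption of this sketch. Returns None when no valid merge exists.

def contained(d1: Counter, d2: Counter) -> bool:
    """d1 is a sub-multiset of d2."""
    return all(n <= d2[h] for h, n in d1.items())

def merge(d: Counter, w: int, d2: Counter, w2: int) -> Optional[Counter]:
    if w == 0 and w2 == 0:
        # strong/strong: the zones must agree exactly
        return d if d == d2 else None
    if w == 1 and w2 == 0:
        # the weak zone must be contained in the strong one
        return d2 if contained(d, d2) else None
    if w == 0 and w2 == 1:
        return d if contained(d2, d) else None
    # weak/weak: pointwise maximum of multiplicities
    return d | d2  # Counter union takes the max of each count
```
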
Left rules with weak premisses require some attention. It is tempting to write "weak" ⊗L rules that consume only one of A and B. However, such rules would admit redundant inferences: we might as well have consumed both A and B to form the conclusion, and obtained a stronger result. The sensible strategy is: when A and B are both present, they must both be consumed; otherwise, the rule applies only when one operand is present in a weak sequent. A similar observation can be made about all such rules: there is one weakness-agnostic form, and some possible refined forms to account for weak sequents.
Proof (sketch). Structural induction on the forward derivation F :: Γ ; ∆ −→w C. The induction hypothesis is applicable to smaller derivations modulo α-renamings of parameters.
For the completeness theorem we note that the forward calculus infers a possibly stronger form of the goal sequent.

Lifting to Free Variable Sequents
The calculus of the previous section uses only ground initial sequents, which is impossible for an implementation of the forward calculus. Continuing with the "recipe" from [16], in this section we present a lifted version of the calculus with explicit unification. We begin, as usual, by fixing a goal sequent Γg ; ∆g −→w Cg and considering only the free subformulas of this goal. In the presentation, the quantified propositions are silently α-renamed as necessary. In this calculus, every proposition on the left and right is accompanied by a substitution for some of its parameters or free term variables. These substitutions are built according to the following grammar: A minor novel aspect of our formulation is that we distinguish parameters (which can be substituted only for each other) and variables (for which we can substitute arbitrary terms, including parameters). The distinction arises from the notion of subformula, since positive universal and negative existential formulas can only ever be instantiated with parameters in a cut-free backward sequent derivation. This sharpening sometimes removes unreachable initial sequents from consideration. Fortunately, the standard notion of most general unifier (written mgu(σ, σ′)) carries over in a straightforward way to this slightly more general setting. We make the customary assumption that substitutions are idempotent. We write A[σ] (resp. t[σ]) for the application of the substitution σ to the free subformula A (resp. term t). Sequents in the free calculus contain formula/substitution pairs, written A • σ. The composition of σ and ξ, written σξ, has the property A[σξ] = (A[σ])[ξ]. The composition of θ with every substitution in a zone Γ or ∆ (now containing formula/substitution pairs) is written Γθ or ∆θ. Figure 2 contains the rules of this calculus; we use a double-headed arrow (−→→) to distinguish it from the ground forward calculus. The definition of additive contraction also needs to be lifted to free subformulas.
Proof (sketch). Structural induction on the given ground derivation.

Design of the Implementation
Representation of Sequents and Contraction Linear hypotheses can occur more than once in the linear zone, so for each substitution we also store its multiplicity; we write this as A • σ^n, where n is the multiplicity of A • σ. In the common case of a variable-free proposition, this not only makes the representation of sequents more efficient, but also greatly reduces the non-determinism involved in matching a hypothesis in a premiss. Contraction in the presence of multiplicities is not much different from before; the only change is that we can perform a number of contractions together as a unit.
In the implementation we perform contractions eagerly; that is, after every rule application we calculate the possible contractions in the conclusion of the rule. This allows us to limit contractions to binary rules and, furthermore, to consider only contractions between propositions that originate in different premisses. This is complete because if two hypotheses were contractible in the same premiss, then we would already have generated the sequent corresponding to that contraction earlier.
The special case of contracting two weak zones, i.e., ∆1/1 + ∆2/1, can be greatly improved by first eagerly contracting propositions that have an invertible unifier. This is complete because a weak ∆, A • σ, A • σρ is subsumed by a weak ∆, A • σ.
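As an illustration, checking that a substitution is invertible amounts to checking that it is a renaming: every variable is mapped to a variable, injectively. The following Python sketch uses a hypothetical representation of substitutions as dictionaries, with a variable encoded as a plain string and a function application as a tuple; none of these names come from the prover itself.

```python
# A substitution is invertible iff it is a renaming: it maps distinct
# variables to distinct variables. Term representation is hypothetical:
# a variable is a string, an application is a (symbol, args) tuple.

def is_var(t) -> bool:
    return isinstance(t, str)

def is_renaming(sub: dict) -> bool:
    images = list(sub.values())
    # every image must be a variable, and no two variables may share
    # an image (injectivity), otherwise the substitution cannot be undone
    return all(is_var(t) for t in images) and len(set(images)) == len(images)
```
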

Rule Generation
The subformula property gives us the core of the inverse method procedure. We start with all initial sequents of the form • ; P • ρθ −→0 P′ • θ, where P is a negative and P′ a positive free atomic subformula of the goal sequent, ρ renames them apart, and θ = mgu(P[ρ], P′). Next, we name all free subformulas of the goal sequent with unique propositional labels. Then, we specialize all inference rules to these labels as principal formulas before starting the main search procedure.
Subsumption and Indexing Our prover performs forward, but currently not backward, subsumption. Subsumption has to account for linearity and the notion of weak sequents.

Definition 12 (free subsumption). The free subsumption relation between free forward sequents is the smallest relation satisfying:
for some θ such that Γθ ⊆ Γ′, ∆θ ⊆ ∆′, and ξθ = ξ′. The full subsumption check is far too expensive to perform always. Subsumption is usually implemented as a sequence of phases of increasing complexity; Tammet called them hierarchical tests [17]. These hierarchical tests are designed to fail as early as possible, as the overwhelming majority of subsumption queries are negative.

Definition 13 (hierarchical tests). To check if s ≼ s′: … then FAIL; similarly for ∆ and ∆′; 6. otherwise attempt the full subsumption test s ≼ s′.

Tammet gives examples of other possible tests in [17], particularly tests that consider the depth of terms and statistics such as the number of constants, but we have not so far (for pragmatic reasons) considered them in the linear setting.
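The phased structure of such tests can be sketched in Python as follows. The fields of the sequent record and the particular cheap checks are illustrative assumptions; only the general shape (cheap structural failures before the expensive matching test) is taken from the text.

```python
from dataclasses import dataclass

# Phased ("hierarchical") subsumption tests: cheap structural checks run
# first so that most negative queries fail early. Fields and tests are
# illustrative, not the prover's exact ones.

@dataclass
class Sequent:
    weak: bool            # the weak-flag w
    labels: frozenset     # labels of free subformulas in the sequent
    lin_size: int         # number of linear hypotheses, with multiplicity

def full_subsumes(s: "Sequent", s2: "Sequent") -> bool:
    """Placeholder for the expensive full test (matching, substitution)."""
    return True

def subsumes(s: "Sequent", s2: "Sequent") -> bool:
    if not s.weak and s2.weak:
        return False              # a strong sequent offers no weakening
    if s.lin_size > s2.lin_size:
        return False              # the subsumer cannot be larger
    if not s.labels <= s2.labels:
        return False              # every label in s must occur in s2
    return full_subsumes(s, s2)   # only now run the expensive test
```
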
For the index we use a global forest of substitution trees [18]. Each inserted sequent is indexed into the substitution tree corresponding to the label of the principal literal, indexed by its corresponding substitution. The leaves of the substitution tree contain the sequents where the indexed formula was the principal formula. To check if a given sequent is subsumed, we look up every formula in the sequent in the index to obtain a collection of subsumption candidates, which are then tested for subsumption using the hierarchical tests above.
Focusing and Lazy Rule Application Efficient indexing and subsumption algorithms, though important, are not as critical to the design of the prover as the use of derived big-step rules. The inference rules of Fig. 2 take tiny steps and thereby produce too many sequents. In our implementation we use a version of focusing [19,2] tailored for forward reasoning to construct derived inference rules with many premisses. The essential insight of focusing is that every proof can be converted into one that alternates between two phases: active and focused. Thinking in the backward direction, during the active phase we break down all connectives whose left or right rules are invertible. This phase has no essential non-determinism. It leads to a so-called neutral sequent, where we have to choose a formula to focus on, which is then successively decomposed by chaining together non-invertible rules on this particular focus formula. It turns out that in the forward direction we only need to keep neutral sequents if we construct big-step forward rules by analyzing those frontier propositions which can occur in neutral sequents and which are also subformulas of the goal. Essentially, we simulate a backward focusing phase followed by a backward active phase by inferences in the forward direction. This construction is detailed in [12] for the propositional fragment and can easily be extended to the first-order setting.
We implement a derived rule as a curried function from sequents (premisses) to the conclusion of the rule. Each application of a rule to a sequent first tests whether the sequent can match the corresponding premiss of the rule; if the match is successful, the application produces a new partially instantiated rule or, if no premisses remain, a new sequent. The order of arguments of this curried function fixes a particular ordering of the premisses of the rule; the search procedure is set up so that any ordering guarantees completeness.
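The curried representation can be sketched as follows, with toy sequents (tuples of hypothesis labels) standing in for real ones; applying a rule either yields a partially instantiated rule awaiting further premisses or yields the conclusion sequent. All names here are illustrative.

```python
# Rules as curried functions from premisses to conclusions. A result is
# tagged either ("rule", k), a partially instantiated rule awaiting more
# premisses, or ("seq", s), a finished conclusion sequent.

def toy_rule(premiss1):
    """A two-premiss rule standing in for a binary multiplicative rule:
    the conclusion juxtaposes the hypotheses of both premisses."""
    def second(premiss2):
        return ("seq", premiss1 + premiss2)   # all premisses matched
    return ("rule", second)                   # one premiss still awaited
```

A real implementation would also allow each application to fail (when the sequent does not match the premiss), in which case no result is produced.
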
We use a lazy variant of the OTTER loop as the main loop of the search procedure. We maintain two global sets of derived sequents:
- the active set, containing sequents to be considered as premisses of rules; and
- the inactive set (sometimes referred to as the set of support), containing all facts that have not yet been transferred to the active set.
The inner loop of the search procedure repeats the following lazy activation step until either the goal sequent is subsumed (in which case the search is successful), or no further rules are applicable to the sequents in the active set and the inactive set is exhausted (in which case the search saturates).

Definition 14 (lazy activation).
To activate the sequent s, i.e., to transfer it from the inactive to the active set, the following steps are performed:
1. After renaming, s is inserted into the active set.
2. All available rules are applied to s. If these applications produce new rules R, then the following two steps are performed in a loop until there are no additions to R:
   (a) for every sequent s′ in the active set, every rule in R is applied to s′, and
   (b) any new rules generated are added to R.
3. The collection of rules R is added to the set of rules.
4. All sequents generated during the above applications are tested for subsumption, and the un-subsumed sequents and all their associated contractions are added to the inactive set.
A sequent is added to the inactive set only if it is not globally subsumed by some other sequent derived earlier. In fact, if it is subsumed, then none of its contracts need to be computed. We use the following heuristic for the order of insertion of the contracts of a given sequent: if s is the result of a sequence of contractions from s′, then s is considered for insertion into the inactive set before s′.
The initial inactive set and rules are produced uniformly by focusing on the frontier literals of the goal sequent. The collection of (partially applied) rules grows at run-time; this is different from usual implementations of the OTTER loop, where the rules are fixed beforehand. On the other hand, rule application is much simpler when each rule is treated as a single-premiss rule (producing sequents, other rules, or possibly nothing). Furthermore, the same rule is never applied more than once to any sequent, because a previously derived rule is applied only to newly activated sequents (which were not in the active set before). Thus, the lazy activation strategy implicitly memoizes earlier matches.
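The control structure of this loop can be sketched in Python as follows. Toy sequents are integers, subsumption is reduced to duplicate elimination, and a rule application returns a list of ("seq", s) or ("rule", r) results; all of these simplifications are assumptions made only for the sketch.

```python
# A miniature "lazy OTTER loop": sequents move from the inactive set to
# the active set; activating a sequent applies every current rule to it,
# and any freshly generated rules are closed over the active set.

def saturate(goal, rules, initial):
    rules = list(rules)
    active = []
    inactive = list(initial)
    seen = set(initial)          # stands in for global subsumption
    while inactive:
        s = inactive.pop()
        if s == goal:
            return True          # the goal has been derived
        # lazy activation: apply every current rule to s ...
        active.append(s)
        pending = [res for r in rules for res in r(s)]
        new_seqs = []
        while pending:
            kind, payload = pending.pop()
            if kind == "seq":
                new_seqs.append(payload)
            else:
                # ... and close freshly generated rules over the active set
                rules.append(payload)
                pending.extend(res for s2 in active for res in payload(s2))
        # "subsumption": keep only sequents not derived before
        for s2 in new_seqs:
            if s2 not in seen:
                seen.add(s2)
                inactive.append(s2)
    return False                 # saturated without deriving the goal
```

Because a spawned rule is immediately applied to the whole active set and thereafter only to newly activated sequents, no rule is ever applied twice to the same sequent, mirroring the implicit memoization described above.
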
Globalization The final unrestricted zone Γg is shared by all branches in a proof of Γg ; ∆g =⇒ Cg. One thus thinks of Γg as part of the ambient state of the prover, instead of representing it explicitly as part of the current goal. Hence, there is never any need to explicitly record Γg or portions of it in the sequents themselves. This gives us the following global and local versions of the copy rule:

Some Experimental Results
For our experiments we compared a few internal versions of the prover and two provers in the Gandalf family. For comparison purposes, we implemented a purely propositional version of our prover, which performs some additional optimizations that are not possible in the first-order case. The main differences are: contraction in the propositional case always produces exactly one sequent, as opposed to (potentially) exponentially many sequents in the first-order case; furthermore, subsumption is simply a matter of comparing the multiplicities, which is linear instead of quadratic. These properties greatly simplify rule generation and application. The internal versions of the prover are named L followed by a selection of P (propositional), F (big-step rules using focusing), and G (globalization) as suffixes. The default prover is named L (first-order, small-step rules, no globalization); LPF, for example, is the purely propositional prover with focused big-step rules, but no globalization. In total there are six internal versions, though for space reasons we do not list the running times for every version. These provers are written in Standard ML and are available from the first author's website. For our experiments the internal versions were compiled using MLton version 20041119 with the default optimization flags. All time measurements are wall-clock times measured on an unloaded computer with a 2.80GHz Pentium 4 processor with a 512KB L1 cache and 1GB of main memory. Time measurements of less than 0.01 seconds should be taken as unreliable; "∞" means that no solution was found within around 20 minutes.
For external provers we concentrated on Tammet's Gandalf "nonclassical" distribution (version 0.2), compiled using a packaged version of the Hobbit Scheme compiler. This prover is limited to the propositional fragment of classical linear logic, but comes in two flavors: resolution (Gr) and tableau (Gt). Neither version incorporates focusing or globalization, and we did not attempt to bound the search for either prover. Another tableau prover, for classical propositional multiplicative-exponential linear logic, is LinTAP [20]; it cannot handle the majority of our examples, which use & and ⊤, and on the examples that are in the MELL fragment (bw-prop and coins), it does not terminate. For the comparatively simpler problems of [20, p. 14], our prover LPF finishes in a cumulative time of 0.003 seconds, while LinTAP's total time is 3.30 seconds. Finally, llprover [21] is a demonstration prover for classical first-order linear logic based on the sequent calculus, but it cannot solve any of the examples in Table 1.
Purely Propositional Problems The comparisons of this section are restricted to the propositional fragment. They include: simple theorems in linear logic (basic), blocks-world problems for a fixed collection of blocks (bw-prop), a change machine encoding (coins), several affine logic problems encoded in linear logic (affine1 and affine2), and a few hard examples of quantified Boolean formulas compiled to multiplicative-additive linear logic (qbf1, qbf2, and qbf3, in order of increasing complexity) that implement the algorithm of [22]. The results are shown in Table 1(a).
It is evident that focusing greatly speeds up both the propositional and the first-order provers. For the propositional case, the speedup of the focusing prover over the non-focusing one is between 1.33 (basic) and 597.5 (affine2); for the first-order case, the speedups range from 1.57 (basic) to 408.7 (affine2). Except for bw-prop, these examples were all within the realm of possibility for the small-step provers, though some of them, like affine2, severely strain the provers. In the affine1 case the focusing prover LF appears to take longer than the small-step prover L; this is because this example contains an unprovable proposition for which the inverse method procedure fails to saturate. The test is run for 1000 iterations of the lazy OTTER loop. The focusing prover gets much further than the small-step prover in 1000 iterations, and the delay is due entirely to the fact that the sequents it works with, after even a few dozen iterations, are far more complex than those the small-step prover generates in 1000 iterations.
Comparing to Gandalf, the small-step prover L is generally competitive with Gr: it is slower on some examples (coins), but succeeds on a wider range of problems. Gt was uniformly the slowest, taking a long time on even simple problems.
First-Order Problems Our first-order problems include the following: a first-order blocks-world planning example (bw-fo), Dijkstra's urn game (urn), and simple intuitionistic first-order propositions encoded as linear propositions using either Girard's translation (int-gir) or a focusing-aware translation (int-foc) outlined in [12].
The results are shown in Table 1(b). Again, it is fairly obvious that focusing is the dramatic winner, making some problems tractable and being several orders of magnitude faster for the rest. Adding globalization also seems to have a significant effect here for the examples that are not constructed in an ad hoc fashion (bw-fo and urn).

Conclusion
We have presented a theorem prover for first-order intuitionistic linear logic based on the inverse method, which is already practical for a range of examples and significantly improves on prior, more restricted provers. The design is based on general principles that are applicable to both classical linear logic (which is simpler because it admits a one-sided sequent formulation with more symmetries) and affine logic (via weak sequents). Both of these can also be treated by uniform translations into intuitionistic linear logic [15], as can (ordinary) intuitionistic logic [12]. A generalization from a first-order logic to a type theory such as CLF [11] would seem to require mostly a proper treatment of linear higher-order unification constraints, but otherwise to be relatively straightforward.
Our prover also leaves room for further high-level and low-level optimizations. In particular, we plan to investigate how to limit the multiplicities of linear hypotheses, either a priori or as a complete heuristic. Some manual experiments seem to indicate that this could have a significant impact on a certain class of problems. The implementation of the prover is certifying: it produces independently verifiable proof terms in a type theory, but the algorithm used to extract these proofs currently lacks a formal presentation and a correctness proof.

Table 1. Some experimental results