Such function would be useful to recommend arguments for the induct_tac method, I guess.

Should be something like:

(* Exercise 2.8 *)
fun intersperse  :: "'a ⇒ 'a list ⇒ 'a list" where
  "intersperse  a [] = []"|
  "intersperse  a [x1] = [x1]"|
  "intersperse  a (x1 # (x2 # xs)) = x1 # (a # (intersperse  a (x2 # xs)))"

When looking up a recommendation in regression trees, we do not have to apply assertions that are not used in any regression tree. Identify them, and skip them when providing recommendations to users.

we need slightly different mechanisms for constants defined with different Isar keywords.

• fun
• function
• definition
• inductive
• inductive_set
• other

The following proof methods appeared in the ITP2018 evaluation results, but PaMpeR failed to produce valuable recommendations. However, I think I can write good assertions for them.

• algebra -> used at least 43 times in the AFP
• abstraction -> not used in the AFP? (e1ff4ad)
• noiminal_induct (10d3461)
• cut_tac
• presburger -> variables of type Nat?
• sos -> used more than 50 time in the AFP (cfd9584)
• ind_cases -> used about 38 times in the AFP -> (8188c6c)
• vector -> used more than 30 times. (97b228b)
• atomize_elim -> (552fead) Maybe checking the existence of meta universal quantifier in the premise of meta implication would be good as well.
• hypsubst_thin
• satx
• vcg (7401fb1)
• approximation -> used about 5 times in the AFP (cfd9584)
• linarith -> about 550 times in the AFP. (7c2650e)

The following proof methods appear in Isabelle's standard library. Maybe I can do something about them.

• countable_datatype -> used twice in the AFP (a28ddc6).
• corec_unique
• cooper -> not used in the AFP
• descending -> does not appear in AFP often. (439324f)
• disentangle -> does not appear in AFP.
• dlo -> not used in the AFP.
• enabled -> not used in the AFP
• ensures_tac -> not used in the AFP
• fixrec_simp -> used about 102 times in the AFP (1c2c34c)
• ferrack -> not used in the AFP
• field -> used about 124 times in the AFP (7401fb1)
• hoare -> used more than 90 times in the AFP (466cbca)
• hypsubst -> used about 158 times in the AFP (053ff5f)
• invariant -> not used in the AFP
• lifting -> used 6 times in the AFP (439324f)
• mir -> not used in the AFP. (f20bc6a)
• mkex_induct -> not used in the AFP. (f367037)
• ns_induct -> not used in the AFP.
• oghoare -> at least 13 times in the AFP. (5680e6c)
• pair -> probably not used in the AFP (dcd7735).
• pair_induct -> probably not used in the AFP (dcd7735).
• parts_prepare -> not used in the AFP
• perm_simp -> used about 150 times in the AFP (This is defined outside of Isabelle's standard library -> out of scope for now)
• rawsat -> not used in the AFP
• reify -> probably not used in the AFP, but I found reify_floatariths
• reflection -> probably not used in the AFP
• rename_client_map
• rewrite -> used at least 102 times in the AFP
• ring -> used in the AFP
• rferrack -> not used in the AFP
• sat -> used at least 49 times in the AFP
• Seq_case -> not used in the AFP (dcd7735)
• Seq_case_simp -> not used in the AFP (dcd7735)
• Seq_Finite_induct -> not used in the AFP (dcd7735)
• Seq_induct -> not used in the AFP (dcd7735)
• size_change -> used about three times in the AFP
• split_idle
• vcg_simp -> used in the AFP (7401fb1)
• valid_certificate_tac
• measurable (3266396)

It looks like when paths to certain files contain spaces, PaMpeR cannot open appropriate files.

These overwritten commands should

• Ignore combined proof methods.
• Reuse some programs from PaMpeR.
• Be combined Dynamic (Induct) in PSL.
• List all observationally equivalent combinations of list of results of assertions.
  • The data format should be something along the line of
  • ( line number, proof method, [ [ bool ] ] )
• Store each data point in a separate file to handle concurrent writes.
  • I can use lock.

Suppose we have the following proof obligation: P (Q x y) (Q x y) = Q (P x y) (P x y) and

• P is defined in recursion in the first parameter and
• Q is defined in recursion in the second parameter.

on which variable/term should one conduct mathematical induction?

• x in P x y
• y in Q x y
• Q x y in P (Q x y) (Q x y)
• P x y in Q (P x y) (P x y)

Since MiLkMaId assertions have to be able to access values of the type modifier within Smart_Induct, one cannot define those assertions in modules before Smart_Induct. Since we want to call these assertion methods from Smart_Induct, these assertions have to be defined before or within Smart_Induct.

This means Smart_Induct is the only place one can define these assertions. However, I would like to keep Smart_Induct as close as Dynamic_Induct.

Having a submodule within Smart_Induct would be a decent compromise?

Use the standard library and the AFP entries as target data.

Currently, all assertions are stored in a list, and they are indexed according to the number in the list. This makes it very hard to remove or add new assertions without affecting other parts because assertions' numbering is used in the assert_nth_true and assert_nth_false commands.

It should be based on RSS rather than simply the number of elements in each branch.

write assertions to recommend arguments for Dynamic (Induct), Dynamic (Induction), Dynamic (Coinduction).

add Dynamic( Insert ) to PSL. Note that the insert method is not useful without arguments.

Two possible approaches:

1. create a database for each assertion.
   • pros: we can find out which assertion causes problems.
   • pros: Isabelle is less likely to run out of memory since for each build we use only one assertion.
   • cons: we have to repeat the normal operations of each proof method many times (= the number of assertions.)
   • cons: Building the entire AFP took about 24 hours on 4-8 CPU machines (100 - 200 CPU hours). So, if we have 3000 assertions it becomes 300,000 - 600,000 hours = 12500 CPU days.
     • Maybe not that bad. Assertions about the constants themselves are pretty inexpensive. We can run 2000 of them at once and be more careful about other assertions that involve context-lookup.
   • cons: probably automatically generated assertions are similar to each other when it comes to the chance of making Isabelle crash. (maybe not. The reason Isabelle crashes is )
   • cons: preprocessing becomes trickier.
2. create a database for each theory file/session.
   • pros: we do not have to repeat the same computation many times.
   • cons: it's hard to find out which assertion makes Isabelle stops, when one of many assertions causes problems.
   • cons: probably Isabelle is more likely to run out of memory if we use 3000 assertions in each apply/by command.

induct, induction, and induct_tac take up each others' share.
We can generate these proof methods automatically using PSL and see in which cases they behave as the same proof method or not.

Currently, each point has only three fields: cname, utyp, and level. Therefore, it is possible that a syntax tree has multiple points of the same value. We should avoid such situation.

See, for example, proof (induct s rule:reachable.induct) in Abortable_Linearizable_Modules/IOA.thy.

implement the tree pruning algorithm for our decision tree implementation.

Currently, we have many assertions that

• first extracts term names and type names that appear in the proof obligation at hand
• check if the underlying proof context has theorems of names that have these type names or constant names as substring with certain strings that indicate the type of the theorem.

For example, has_thms_with_suffixes in Assert_Util does this.
However, we probably should distinguish constant names and type names more explicitly.

re-implement / integrate the incremental tactic specialization for auto, simp, clarsimp.

• The README.md in the PaMpeR branch should talk about PaMpeR.
• The comments in PaMpeR/PaMpeR.thy is outdated and still discussing the Python script we no longer use.

In the evaluation results for ITP2018, it was clear that PaMpeR's recommendations for coinduct and coinduction was suffering form over-fitting.

We can fix this by pruning based on cross-validation.

In stead of constructing database using hand-written proof scripts only, we should check all the inductions produced by PSL and consider those inductions observationally equivalent to the human written induction as the right choices.

This is an enhancement. We should work on this issue only after we manage to construct a database from the human written proof scripts.

-> No. Actually, it is easier if we work on the PSL generated induction methods directly because we can handle arguments using the data-type (modifier) defined by me.

So, assertions should take the triple of (pre_thm, modifier, post_thm).

And probably it should be implemented in Smart_Induct.ML.

Currently, PaMpeR's database construction component ignores the proof component. A reviewer from ITP2018 suggested we should not omit these.

Having so many files of such a small size is bad. Merge them in one file and read the file.

add Dynamic( Subgoal_Tac ) to PSL. Note that the subgoal_tac method is not useful without arguments.

To improve Dynamic (Induct_tac), we should be able to produce the string representation of bound variables Bound of int.

We need a function trm_to_udbi_trm that maps a term to a term that has the type of UDBI_Bound of (string * int). udbi and UDBI stand for "Un-De-Bruijn Index", in which de-Bruijn indices are tagged with the variable names representing those bound variables corresponding to each de-Bruijn index.

We also need a function that maps udbi_trm to uc_udbi_trm, where uc_udbi_trm stands "Un-Curried Un-De-Bruijn-Indexed term".

So, we need

• val trm_to_udbi_trm: term -> udbi_trm, and

• val udbi_trm_to_uc_udbi_trm: udbi_trm -> uc_udbi_trm, where

• type udbi_trm = UDBI_Bound of (string * int) (and similar to term for other cases), and

• type uc_udbi_trm = UC_UDBI_App of (uc_udbi_trm * uc_udbi_trm list) (and similar to udbi_trm for other cases).

This becomes useful only when we want to predict arguments of the induct_tac method. As long as we work on the induct method, this is not a serious issue.

Printing sub-terms correctly is not a trivial task. See this discussion, for example. For the moment, I give up producing a string that represents a sub-term that includes bound variables that are bound outside this sub-term.

write unit tests for each assertion using @{assert}.

The faster feature extractor thinks the 56th assertion is not used in any regression tree, even though it is used in the regression tree for eventually_elim.

Something similar is happening to the 13th assetion.

Other parts seem to be okay.

When the data extraction code is applied to MiLkMaId_Test.thy, it cannot determine the location of apply/by/proof commands. And it returns "PANIC_SOMETHING_WENT_WRONG".

For apply/by commands used in the standard library, I do not see this problem.
I did not face this problem when developing PaMpeR.

re-design the syntax of PSL: users should be able to specify how tactics are generated during proof search in more detail.

Probably, we can guess how many times we should use the back command after apply (rule meta_allI) by counting the numbers of constants appearing in the first sub-goals before and after back.

Note that after using the back command appropriate time, the number of constants in the first sub-goal should be larger than the number of constants in the first-subgoal before applying the back command by one.

Given a proof obligation (PO) and its surrounding proof context and state, the proof_advice command

1. convert the PO and its surrounding context and state into an array of boolean.
2. investigate how likely an ideal proof engineer uses each method for proof obligations abstracted into the same array, by looking up the corresponding branch in the decision tree for each method.
3. pick up the 5 most promising methods.

Having constant names like, "point = {cname = "0", level = 3, utyp = UB}}", does not help machine learning algorithms to recommend how to apply mathematical induction much.

In case, none of the induct, induction, and induct_tac methods can handle mathematical induction on lambda abstracted variables, this question is not very meaningful. However, I guess that induct_tac can handle such cases.

PaMpeR's feature extractor has become too large and too slow. We should omit some assertions that do not contribute to producing valuable recommendations.

For further optimization, I would imagine that a bit of data sharing among assertions might be necessary.

When no-assertion belongs to a set, the current implementation returns NaN probably because it tries to divide a real number by 0.0.

When PaMpeR looks up relevant derived lemmas in proof contexts, often it only uses constants and types that appear in the first subgoal. But probably PaMpeR should also use constants and types that appear in chained facts.

Probably, this is one reason the tree shape for the transfer method in the ITP2018 version is a bit strange.

When invoked within a proof script with a name of a proof method, why_method should return

• the expectation of an ideal proof engineer to use that method for that proof obligation in that context, and
• qualitative explanation as to why PaMpeR provides the above expectation by printing the messages tagged with each assertion used to reach that node in the corresponding decision tree.

Currently, PaMpeR's feature vector is of fixed length (60).

We should produce more assertions automatically.

For example, we have the following three assertions:

1. the first subgoal has a constant that is defined in List.
2. the outermost constant of the first subgoal is HOL.All.
3. the underlying proof context has a pinduct rule related to a constant in the first subgoal.

They should be automatically generated because

1. we have finite number of constants defined in Isabelle's standard library.
2. we have finite theory files in Isabelle's standard library.
3. we have finitely many postfixes in theorems in Isabelle's standard library.

In lambda x y . f x y, x and y should be on the same level.

Currently, PSL does not create a version of induction method that uses the "and" keyword between two "arbitrary" variables.

This limits the power of PSL.

See, for example, this entry to the Isabelle mailing list.

The check in this line always returns NONE.

So, assertions always return 0.

A quick (but not so robust) fix would be to use Term.add_const_names instead.

Usually the last or second from the last are what users see as the outermost constants.

If what users see is a constant from meta-logic, we should check the last term name,
if what users see is a constant defined in HOL or user defined constant, we should check the second from the last.

When tested against the dataset generated from Isabelle's standard library, Regression_Tree.get_big_tree failed for criterionN=100.