Alternatively,youcandownloadtheIsabelle-awareCVC3,CVC4,E,SPASS,andZ3b - PDF document

HammeringAwayAUser'sGuidetoSledgehammerforIsabelle/HOLJasminBlanchetteInstitutfürInformatik,TechnischeUniversitätMünchenwithcontributionsfromLawrenceC.PaulsonComputerLaboratory,UniversityofCambridgeApril15,2020Contents1Introduction22Installation33FirstSteps54Hints64.1Presimplifythegoal........................64.2Familiarizeyourselfwiththemainoptions...........61 5FrequentlyAskedQuestions75.1Whichfactsarepassedtotheautomaticprovers?.......75.2WhydoesMetisfailtoreconstructtheproof?..........85.3HowcanItellwhetherasuggestedproofissound?.......95.4Whatarethefull_types,no_types,andmono_tagsargumentstoMetis?.............................95.5Andwhataretheliftingandhide_lamsargumentstoMetis?.105.6Arethegeneratedproofsminimal?................105.7AstrangeerroroccurredwhatshouldIdo?..........105.8AutocansolveitwhynotSledgehammer?...........105.9Whyaretheresomanyoptions?.................116CommandSyntax116.1Sledgehammer...........................116.2Metis................................127OptionReference137.1ModeofOperation........................147.2RelevanceFilter..........................187.3ProblemEncoding........................207.4OutputFormat..........................237.5RegressionTesting........................247.6Timeouts.............................241IntroductionSledgehammerisatoolthatappliesautomatictheoremprovers(ATPs)andsatisability-modulo-theories(SMT)solversonthecurrentgoal.1Thesup-portedATPsareagsyHOL[11],Alt-Ergo[4],E[13],iProver[10],LEO-II[3],Leo-III[14],Satallax[7],SNARK[15],SPASS[17],Vampire[12],Waldmeis-ter[9],andZipperposition[8].TheATPsareruneitherlocallyorremotelyviatheSystemOnTPTPwebservice[16].ThesupportedSMTsolversareCVC3[2],CVC4[1],veriT[6],andZ3[18].Thesearealwaysrunlocally.Theproblempassedtotheexternalprovers(orsolvers)consistsofyourcur-rentgoaltogetherwithaheuristicselectionofhundredsoffacts(theorems)fromthecurrenttheorycontext,lteredbyrelevance. 1ThedistinctionbetweenATPsandSMTsolversisconvenientbutmostlyhistorical.2 Theresultofasuccessfulproofsearchissomesourcetextthatusually(butnotalways)reconstructstheproofwithinIsabelle.ForATPs,therecon-structedprooftypicallyreliesonthegeneral-purposemetisproofmethod,whichintegratestheMetisATPinIsabelle/HOLwithexplicitinferencesgoingthroughthekernel.Thusitsresultsarecorrectbyconstruction.ForIsabelle/jEditusers,SledgehammerprovidesanautomaticmodethatcanbeenabledviatheAutoSledgehammeroptionunderPlugins�PluginOptions�Isabelle�General.Inthismode,areducedversionofSledge-hammerisrunoneverynewlyenteredtheoremforafewseconds.TorunSledgehammer,youmustmakesurethatthetheorySledgehammerisimportedthisisrarelyaprobleminpracticesinceitispartofMain.Exam-plesofSledgehammerusecanbefoundinIsabelle'ssrc/HOL/Metis_Examplesdirectory.CommentsandbugreportsconcerningSledgehammerorthisman-ualshouldbedirectedtotheauthoratblanNOSPAMchette@in.tum.de.2InstallationSledgehammerispartofIsabelle,soyoudonotneedtoinstallit.However,itreliesonthird-partyautomaticprovers(ATPsandSMTsolvers).AmongtheATPs,agsyHOL,Alt-Ergo,E,LEO-II,Leo-III,Satallax,SPASS,Vampire,andZipperpositioncanberunlocally;inaddition,agsyHOL,Alt-Ergo,E,iProver,LEO-II,Leo-III,Satallax,SNARK,Vampire,Waldmeister,andZipperpositionareavailableremotelyviaSystemOnTPTP[16].TheSMTsolversCVC3,CVC4,veriT,andZ3canberunlocally.Therearethreemainwaystoinstallautomaticproversonyourmachine:IfyouinstalledanocialIsabellepackage,itshouldalreadyincludeproperlysetupexecutablesforCVC4,E,SPASS,Vampire,andZ3,readytouse.TouseVampire,youmustconrmthatyouareanon-commercialuser,asindicatedbythemessagethatisdisplayedwhenSledgehammerisinvokedthersttime.Alternatively,youcandownloadtheIsabelle-awareCVC3,CVC4,E,SPASS,Vampire,andZ3binarypackagesfromhttps://isabelle.in.tum.de/components/.Extractthearchives,thenaddalinetoyour$ISABELLE_HOME_USER/etc/components2lewiththeabsolute 2Thevariable$ISABELLE_HOME_USERissetbyIsabelleatstartup.ItsvaluecanberetrievedbyexecutingisabellegetenvISABELLE_HOME_USERonthecommandline.3 pathtoCVC3,CVC4,E,SPASS,Vampire,orZ3.Forexample,ifthecomponentsledoesnotexistyetandyouextractedSPASSto/usr/local/spass-3.8ds,createitwiththesingleline/usr/local/spass-3.8dsinit.IfyouprefertobuildagsyHOL,Alt-Ergo,E,LEO-II,Leo-III,orSa-tallaxmanually,settheenvironmentvariableAGSYHOL_HOME,E_HOME,LEO2_HOME,LEO3_HOME,orSATALLAX_HOMEtothedirectorythatcon-tainstheagsyHOL,eprover(and/oreprooforeproof_ram),leo,leo3,orsatallaxexecutable;forAlt-Ergo,settheenvironmentvari-ableWHY3_HOMEtothedirectorythatcontainsthewhy3executable.SledgehammerhasbeentestedwithagsyHOL1.0,Alt-Ergo0.95.2,E1.6to2.0,LEO-II1.3.4,Leo-III1.1,andSatallax2.7.SincetheATPs'outputformatsareneitherdocumentednorstable,otherver-sionsmightnotworkwellwithSledgehammer.Ideally,youshouldalsosetE_VERSION,LEO2_VERSION,LEO3_VERSION,orSATALLAX_VERSIONtotheprover'sversionnumber(e.g.,2.7);thismighthelpSledge-hammerinvoketheproveroptimally.Similarly,ifyouwanttoinstallCVC3,CVC4,veriT,orZ3,settheenvironmentvariableCVC3_SOLVER,CVC4_SOLVER,VERIT_SOLVER,orZ3_SOLVERtothecompletepathoftheexecutable,includingthelename.SledgehammerhasbeentestedwithCVC32.2and2.4.1,CVC41.5-prerelease,veriTsmtcomp2019,andZ34.3.2.SinceZ3'sout-putformatissomewhatunstable,otherversionsofthesolvermightnotworkwellwithSledgehammer.Ideally,alsosetCVC3_VERSION,CVC4_VERSION,VERIT_VERSION,orZ3_VERSIONtothesolver'sversionnumber(e.g.,4.4.0).Tocheckwhethertheproversaresuccessfullyinstalled,tryouttheexampleinŸ3.Iftheremoteversionsofanyoftheseproversisused(identiedbytheprexremote_),orifthelocalversionsfailtosolvetheeasygoalpresentedthere,somethingmustbewrongwiththeinstallation.RemoteproverinvocationrequiresPerlwiththeWorldWideWebLibrary(libwww-perl)installed.IfyoumustuseaproxyservertoaccesstheInter-net,setthehttp_proxyenvironmentvariabletotheproxy,eitherintheenvi-ronmentinwhichIsabelleislaunchedorinyour$ISABELLE_HOME_USER/etc/settingsle.Hereareafewexamples:http_proxy=http://proxy.example.org4 http_proxy=http://proxy.example.org:8080http_proxy=http://joeblow:pAsSwRd@proxy.example.org3FirstStepsToillustrateSledgehammerincontext,letusstartatheoryleandattempttoproveasimplelemma:theoryScratchimportsMainbeginlemma[a]=[b]=)a=bsledgehammerInsteadofissuingthesledgehammercommand,youcanalsousetheSledge-hammerpanelinIsabelle/jEdit.Sledgehammerproducesthefollowingout-putafterafewseconds:Prooffound...e:Trythis:bysimp(0.3ms)cvc4:Trythis:bysimp(0.4ms)z3:Trythis:bysimp(0.5ms)spass:Trythis:bysimp(0.3ms)SledgehammerranCVC4,E,SPASS,andZ3inparallel.Dependingonwhichproversareinstalledandhowmanyprocessorcoresareavailable,someoftheproversmightbemissingorpresentwitharemote_prex.Foreachsuccessfulprover,Sledgehammergivesaone-linemetisorsmtmethodcall.Roughtimingsareshowninparentheses,indicatinghowfastthecallis.Youcanclicktheprooftoinsertitintothetheorytext.Inaddition,youcanaskSledgehammerforanIsartextproofbyenablingtheisar_proofsoption(Ÿ7.4):sledgehammer[isar_proofs]WhenIsarproofconstructionissuccessful,itcanyieldproofsthataremorereadableandalsofasterthanthemetisorsmtone-lineproofs.ThisfeatureisexperimentalandisonlyavailableforATPs.5 4HintsThissectionpresentsafewhintsthatshouldhelpyougetthemostoutofSledgehammer.FrequentlyaskedquestionsareansweredinŸ5.4.1PresimplifythegoalForbestresults,rstsimplifyyourproblembycallingautooratleastsafefollowedbysimp_all.TheSMTsolversprovidearithmeticdecisionproce-dures,buttheATPstypicallydonot(oriftheydo,Sledgehammerdoesnotuseityet).ApartfromWaldmeister,theyarenotparticularlygoodatheavyrewriting,butbecausetheyregardequationsasundirected,theyoftenprovetheoremsthatrequirethereverseorientationofasimprule.Higher-orderproblemscanbetackled,butthesuccessrateisbetterforrst-orderprob-lems.Hence,youmaygetbetterresultsifyourstsimplifytheproblemtoremovehigher-orderfeatures.4.2FamiliarizeyourselfwiththemainoptionsSledgehammer'soptionsarefullydocumentedinŸ6.Manyoftheoptionsareveryspecialized,butserioususersofthetoolshouldatleastfamiliarizethemselveswiththefollowingoptions:provers(Ÿ7.1)speciestheautomaticprovers(ATPsandSMTsolvers)thatshouldberunwheneverSledgehammerisinvoked(e.g.,provers=cvc4espassvampire).Forconvenience,youcanomitprovers=andsimplywritetheprovernamesasaspace-separatedlist(e.g.,cvc4espassvampire).max_facts(Ÿ7.2)speciesthemaximumnumberoffactsthatshouldbepassedtotheprovers.Bydefault,thevalueisprover-dependentbutvariesbetweenabout50and1000.Iftheproverstimeout,youcantryloweringthisvalueto,say,25or50andseeifthathelps.isar_proofs(Ÿ7.4)speciesthatIsarproofsshouldbegenerated,inadditiontoone-linemetisorsmtproofs.ThelengthoftheIsarproofscanbecontrolledbysettingcompress(Ÿ7.4).timeout(Ÿ7.6)controlstheprovers'timelimit.Itissetto30secondsbydefault.6 Optionscanbesetgloballyusingsledgehammer_params(Ÿ6).Thecom-mandalsoprintsthelistofallavailableoptionswiththeircurrentvalue.Factselectioncanbeinuencedbyspecifying(add:my_facts)afterthesledgehammercalltoensurethatcertainfactsareincluded,orsimply(my_facts)toforceSledgehammertorunonlywithmy_facts(andanyfactschainedintothegoal).5FrequentlyAskedQuestionsThissectionsanswersfrequently(andinfrequently)askedquestionsaboutSledgehammer.Itisagoodideatoskimoveritnowevenifyoudonothaveanyquestionsatthisstage.Andifyouhaveanyfurtherquestionsnotlistedhere,sendthemtotheauthoratblanNOSPAMchette@in.tum.de.5.1Whichfactsarepassedtotheautomaticprovers?Sledgehammerheuristicallyselectsafewhundredrelevantlemmasfromthecurrentlyloadedlibraries.Thecomponentthatperformsthisselectioniscalledrelevancelter(Ÿ7.2).Thetraditionalrelevancelter,calledMePo(Me ngPau lson),assignsascoretoeveryavailablefact(lemma,theorem,denition,oraxiom)baseduponhowmanyconstantsthatfactshareswiththeconjecture.Thisprocessiteratestoincludefactsrelevanttothosejustaccepted.Theconstantsareweightedtogiveunusualonesgreatersignicance.MePocopesbestwhentheconjecturecontainssomeunusualconstants;ifalltheconstantsarecommon,itisunabletodiscriminateamongthehundredsoffactsthatarepickedup.Thelterisalsomemoryless:Ithasnoinformationabouthowmanytimesaparticularfacthasbeenusedinaproof,anditcannotlearn.AnalternativetoMePoisMaSh(Ma chineLearnerforS ledgeh ammer).Itappliesmachinelearningtotheproblemofndingrelevantfacts.TheMeShltercombinesMePoandMaSh.Thisisthedefault.Thenumberoffactsincludedinaproblemvariesfromprovertoprover,sincesomeproversgetoverwhelmedmoreeasilythanothers.Youcanshowthenumberoffactsgivenusingtheverboseoption(Ÿ7.4)andtheactualfactsusingdebug(Ÿ7.4).7 Sledgehammerisgoodatndingshortproofscombiningahandfulofexistinglemmas.Ifyouarelookingforlongerproofs,youmusttypicallyrestrictthenumberoffacts,bysettingthemax_factsoption(Ÿ7.2)to,say,25or50.Youcanalsoinuencewhichfactsareactuallyselectedinanumberofways.Ifyousimplywanttoensurethatafactisincluded,youcanspecifyitusingthe(add:my_facts)syntax.Forexample:sledgehammer(add:hd.simpstl.simps)Thespeciedfactsthenreplacetheleastrelevantfactsthatwouldotherwisebeincluded;theotherselectedfactsremainthesame.Ifyouwanttodirecttheselectioninaparticulardirection,youcanspecifythefactsviausing:usinghd.simpstl.simpssledgehammerThefactsarethenmorelikelytobeselectedthanotherwise,andiftheyareselectedatiterationjtheyalsoinuencewhichfactsareselectedatiterationsj+1,j+2,etc.Togivethemevenmoreweight,tryusinghd.simpstl.simpsapplysledgehammer5.2WhydoesMetisfailtoreconstructtheproof?Therearemanyreasons.IfMetisrunsseeminglyforever,thatisasignthattheproofistoodicultforit.Metis'ssearchiscompleteforrst-orderlogicwithequality,soiftheproofwasfoundbyasuperposition-basedATPsuchasE,SPASS,orVampire,Metisshouldeventuallyndit,butthatislittleconsolation.Insomerarecases,metisfailsfairlyquickly,andyougettheerrormessageOne-lineproofreconstructionfailed.ThisindicatesthatSledgehammerdeterminedthatthegoalisprovable,buttheproofis,fortechnicalreasons,beyondmetis'spower.Youcanthentryagainwiththestrictoption(Ÿ7.3).Ifthegoalisactuallyunprovableandyoudidnotspecifyanunsoundencod-ingusingtype_enc(Ÿ7.3),thisisabug,andyouarestronglyencouragedtoreportthistotheauthoratblanNOSPAMchette@in.tum.de.8 5.3HowcanItellwhetherasuggestedproofissound?EarlierversionsofSledgehammeroftensuggestedunsoundproofseitherproofsofnontheoremsorsimplyproofsthatrelyontype-unsoundinferences.Thisisathingofthepast,unlessyouexplicitlyspecifyanunsoundencod-ingusingtype_enc(Ÿ7.3).Ocially,theonlyformofunsoundnessthatlurksinthesoundencodingsisrelatedtomissingcharacteristictheoremsofdatatypes.Forexample,lemma9xs:xs6=[]sledgehammer()suggestsanargumentlessmetiscallthatfails.However,theconjecturedoesactuallyhold,andthemetiscallcanberepairedbyaddinglist.distinct.WehopetoaddressthisprobleminafutureversionofIsabelle.Inthemeantime,youcanavoiditbypassingthestrictoption(Ÿ7.3).5.4Whatarethefull_types,no_types,andmono_tagsargumentstoMetis?Themetis(full_types)proofmethodanditscousinmetis(mono_tags)arefully-typedversionsofMetis.Itissomewhatslowerthanmetis,buttheproofsearchisfullytyped,anditalsoincludesmorepowerfulrulessuchastheax-iomx=True_x=Falseforreasoninginhigher-orderplaces(e.g.,insetcomprehensions).Themethodisautomaticallytriedasafallbackwhenmetisfails,anditissometimesgeneratedbySledgehammerinsteadofmetisiftheproofobviouslyrequirestypeinformationorifmetisfailedwhenSledge-hammerpreplayedtheproof.(Bydefault,Sledgehammertriestorunmetiswithvarioussetsofoptionforupto1secondeachtimetoensurethatthegeneratedone-lineproofsactuallyworkandtodisplaytiminginformation.Thiscanbeconguredusingthepreplay_timeoutanddont_preplayoptions(Ÿ7.6).)Attheotherendofthesoundnessspectrum,metis(no_types)usesnotypeinformationatallduringtheproofsearch,whichismoreecientbutoftenfails.Callstometis(no_types)areoccasionallygeneratedbySledge-hammer.Seethetype_encoption(Ÿ7.3)fordetails.Incidentally,ifyoueverseewarningssuchasMetis:Fallingbackonmetis(full_types)forasuccessfulmetisproof,youcanadvantageouslypassthefull_typesop-tiontometisdirectly.9 5.5Andwhataretheliftingandhide_lamsargu-mentstoMetis?Orthogonallytotheencodingoftypes,itisimportanttochooseanappropri-atetranslationof-abstractions.Metissupportsthreetranslationschemes,indecreasingorderofpower:Currycombinators(thedefault),-lifting,andahidingschemethatdisablesallreasoningunder-abstractions.Themorepowerfulschemesalsogivetheautomaticproversmoreropetohangthemselves.Seethelam_transoption(Ÿ7.3)fordetails.5.6Arethegeneratedproofsminimal?Automaticproversfrequentlyusemanymorefactsthanarenecessary.Sledge-hammerincludesaminimizationtoolthattakesasetoffactsreturnedbyagivenproverandrepeatedlycallsaproverorproofmethodwithsubsetsofthosefactstondaminimalset.Reducingthenumberoffactstypicallyhelpsreconstruction,whilealsoremovingsuperuousclutterfromtheproofscripts.InearlierversionsofSledgehammer,generatedproofsweresystematicallyaccompaniedbyasuggestiontoinvoketheminimizationtool.Thisstepisnowperformedbydefaultbutcanbedisabledusingtheminimizeoption(Ÿ7.1).5.7AstrangeerroroccurredwhatshouldIdo?Sledgehammertriestogiveinformativeerrormessages.PleasereportanystrangeerrortotheauthoratblanNOSPAMchette@in.tum.de.5.8AutocansolveitwhynotSledgehammer?Problemscanbeeasyforautoanddicultforautomaticprovers,butthereverseisalsotrue,sodonotbediscouragedifyourrstattemptsfail.BecausethesystemreferstoalltheoremsknowntoIsabelle,itisparticularlysuitablewhenyourgoalhasashortproofbutrequireslemmasthatyoudonotknowabout.10 5.9Whyaretheresomanyoptions?Sledgehammer'sphilosophyshouldworkoutofthebox,withoutuserguid-ance.ManyoftheoptionsaremeanttobeusedmostlybytheSledgehammerdevelopersforexperiments.Ofcourse,feelfreetotrythemoutifyouaresoinclined.6CommandSyntax6.1SledgehammerSledgehammercanbeinvokedatanypointwhenthereisanopengoalbyenteringthesledgehammercommandinthetheoryle.Itsgeneralsyntaxisasfollows:sledgehammerhsubcommandi?hoptionsi?hfacts_overridei?hnumi?Inthegeneralsyntax,thehsubcommandimaybeanyofthefollowing:run(thedefault):RunsSledgehammeronsubgoalnumberhnumi(1bydefault),withthegivenoptionsandfacts.supported_provers:PrintsthelistofautomaticproverssupportedbySledgehammer.SeeŸ2andŸ7.1formoreinformationonhowtoinstallautomaticprovers.refresh_tptp:RefreshesthelistofremoteATPsavailableatSystem-OnTPTP[16].Inaddition,thefollowingsubcommandsprovidenercontrolovermachinelearningwithMaSh:unlearn:ResetsMaSh,erasinganypersistentstate.learn_isar:InvokesMaShonthecurrenttheorytoprocessalltheavailablefacts,learningfromtheirIsabelle/Isarproofs.ThishappensautomaticallyatSledgehammerinvocationsifthelearnoption(Ÿ7.2)isenabled.learn_prover:InvokesMaShonthecurrenttheorytoprocessalltheavailablefacts,learningfromproofsgeneratedbyautomaticprovers.Theprovertouseanditstimeoutcanbesetusingtheprover(Ÿ7.1)11 andtimeout(Ÿ7.6)options.Itisrecommendedtoperformlearningusingarst-orderATP(suchasE,SPASS,andVampire)asopposedtoahigher-orderATPoranSMTsolver.relearn_isar:Sameasunlearnfollowedbylearn_isar.relearn_prover:Sameasunlearnfollowedbylearn_prover.Sledgehammer'sbehaviorcanbeinuencedbyvarioushoptionsi,whichcanbespeciedinbracketsafterthesledgehammercommand.Thehoptionsiarealistofkeyvaluepairsoftheform[k1=v1;:::;kn=vn].ForBooleanoptions,=trueisoptional.Forexample:sledgehammer[isar_proofs,timeout=120]Defaultvaluescanbesetusingsledgehammer_params:sledgehammer_paramshoptionsiThesupportedoptionsaredescribedinŸ7.Thehfacts_overrideiargumentletsyoualterthesetoffactsthatgothroughtherelevancelter.Itmaybeoftheform(hfactsi),wherehfactsiisaspace-separatedlistofIsabellefacts(theorems,localassumptions,etc.),inwhichcasetherelevancelterisbypassedandthegivenfactsareused.Itmayalsobeoftheform(add:hfacts1i),(del:hfacts2i),or(add:hfacts1idel:hfacts2i),wheretherelevancelterisinstructedtoproceedasusualexceptthatitshouldconsiderhfacts1ihighly-relevantandhfacts2ifullyirrelevant.IfyouuseIsabelle/jEdit,SledgehammeralsoprovidesanautomaticmodethatcanbeenabledviatheAutoSledgehammeroptionunderPlugins�PluginOptions�Isabelle�General.Forautomaticruns,onlytherstproversetusingprovers(Ÿ7.1)isconsidered(typicallyE),slice(Ÿ7.1)isdisabled,fewerfactsarepassedtotheprover,fact_lter(Ÿ7.2)issettomepo,strict(Ÿ7.3)isenabled,verbose(Ÿ7.4)anddebug(Ÿ7.4)aredisabled,andtimeout(Ÿ7.6)issupersededbytheAutoTimeLimitoptioninjEdit.Sledgehammer'soutputisalsomoreconcise.6.2MetisThemetisproofmethodhasthesyntaxmetis(hoptionsi)?hfactsi?12 wherehfactsiisalistofarbitraryfactsandhoptionsiisacomma-separatedlistconsistingofatmostonetranslationschemespecicationwiththesamesemanticsasSledgehammer'slam_transoption(Ÿ7.3)andatmostonetypeencodingspecicationwiththesamesemanticsasSledgehammer'stype_encoption(Ÿ7.3).Thesupportedtranslationschemesarehide_lams,lifting,andcombs(thedefault).AlltheuntypedtypeencodingslistedinŸ7.3aresupported.Forconvenience,thefollowingaliasesareprovided:full_types:Aliasforpoly_guards_query.partial_types:Aliasforpoly_args.no_types:Aliasforerased.7OptionReferenceSledgehammer'soptionsarecategorizedasfollows:modeofoperation(Ÿ7.1),problemencoding(Ÿ7.3),relevancelter(Ÿ7.2),outputformat(Ÿ7.4),re-gressiontesting(Ÿ7.5),andtimeouts(Ÿ7.6).Thedescriptionsbelowrefertothefollowingsyntacticquantities:hstringi:Astring.hbooli:trueorfalse.hsmart_booli:true,false,orsmart.hinti:Aninteger.hoati:Aoating-pointnumber(e.g.,2.5or60)expressinganumberofseconds.hoat_pairi:Apairofoating-pointnumbers(e.g.,0.60.95).hsmart_inti:Anintegerorsmart.Defaultvaluesareindicatedincurlybrackets({}).Booleanoptionshaveanegativecounterpart(e.g.,minimizevs.dont_minimize).WhensettingBooleanoptionsortheirnegativecounterparts,=truemaybeomitted.13 7.1ModeofOperationhprovers=ihstringiSpeciestheautomaticproverstouseasaspace-separatedlist(e.g.,cvc4espassvampire).Proverscanberunlocallyorremotely;seeŸ2forinstallationinstructions.Thefollowinglocalproversaresupported:agsyhol:agsyHOLisanautomatichigher-orderproverdevelopedbyFredrikLindblad[11].TouseagsyHOL,settheenvironmentvariableAGSYHOL_HOMEtothedirectorythatcontainstheagsyHOLexecutable.Sledgehammerhasbeentestedwithversion1.0.alt_ergo:Alt-ErgoisapolymorphicATPdevelopedbyBobotetal.[4].ItsupportstheTPTPpolymorphictypedrst-orderformat(TF1)viaWhy3[5].TouseAlt-Ergo,settheenvironmentvariableWHY3_HOMEtothedirectorythatcontainsthewhy3executable.SledgehammerrequiresAlt-Ergo0.95.2andWhy30.83.cvc3:CVC3isanSMTsolverdevelopedbyClarkBarrett,CesareTinelli,andtheircolleagues[2].TouseCVC3,settheenvironmentvariableCVC3_SOLVERtothecompletepathoftheexecutable,includingthelename,orinstalltheprebuiltCVC3packagefromhttps://isabelle.in.tum.de/components/.Sledgeham-merhasbeentestedwithversions2.2and2.4.1.cvc4:CVC4[1]isthesuccessortoCVC3.TouseCVC4,settheenvironmentvariableCVC4_SOLVERtothecompletepathoftheexecutable,includingthelename,orinstalltheprebuiltCVC4packagefromhttps://isabelle.in.tum.de/components/.Sledgehammerhasbeentestedwithversion1.5-prerelease.e:Eisarst-orderresolutionproverdevelopedbyStephanSchulz[13].TouseE,settheenvironmentvariableE_HOMEtothedirec-torythatcontainstheeproofexecutableandE_VERSIONtotheversionnumber(e.g.,1.8),orinstalltheprebuiltEpackagefromhttps://isabelle.in.tum.de/components/.Sledgeham-merhasbeentestedwithversions1.6to1.8.e_par:E-ParisanexperimentalmetaproverdevelopedbyJosefUrbanthatimplementsstrategyschedulingontopofE.TouseE-Par,settheenvironmentvariableE_HOMEtothedirec-torythatcontainstherunepar.plscriptandtheeproverand14 epclextractexecutables,orusetheprebuiltEpackagefromhttps://isabelle.in.tum.de/components/.BeawarethatE-Parisexperimentalsoftware.Ithasbeenknowntogeneratezom-bieprocesses.Useatyourownrisks.ehoh:EhohisanexperimentalversionofEthatsupportsa-freefragmentofhigher-orderlogic.Useatyourownrisks.iprover:iProverisapureinstantiation-basedproverdevelopedbyKonstantinKorovin[10].TouseiProver,settheenviron-mentvariableIPROVER_HOMEtothedirectorythatcontainstheiproveroptexecutable.Sledgehammerhasbeentestedwithver-sion2.8.iProverdependsonEtoclausifyproblems,somakesurethatEisinstalledaswell.leo2:LEO-IIisanautomatichigher-orderproverdevelopedbyChristophBenzmülleretal.[3],withsupportfortheTPTPtypedhigher-ordersyntax(TH0).TouseLEO-II,settheenvironmentvariableLEO2_HOMEtothedirectorythatcontainstheleoexe-cutable.Sledgehammerrequiresversion1.3.4orabove.leo3:Leo-IIIisanautomatichigher-orderproverdevelopedbyAlexanderSteen,MaxWisniewski,ChristophBenzmülleretal.[14],withsupportfortheTPTPtypedhigher-ordersyntax(TH0).TouseLeo-III,settheenvironmentvariableLEO3_HOMEtothedi-rectorythatcontainstheleo3executable.Sledgehammerrequiresversion1.1orabove.satallax:Satallaxisanautomatichigher-orderproverdevelopedbyChadBrownetal.[7],withsupportfortheTPTPtypedhigher-ordersyntax(TH0).TouseSatallax,settheenvironmentvariableSATALLAX_HOMEtothedirectorythatcontainsthesatallaxexe-cutable.Sledgehammerrequiresversion2.2orabove.spass:SPASSisarst-orderresolutionproverdevelopedbyChristophWeidenbachetal.[17].TouseSPASS,settheen-vironmentvariableSPASS_HOMEtothedirectorythatcontainstheSPASSexecutableandSPASS_VERSIONtotheversionnum-ber(e.g.,3.8ds),orinstalltheprebuiltSPASSpackagefromhttps://isabelle.in.tum.de/components/.Sledgehammerre-quiresversion3.8dsorabove.vampire:Vampireisarst-orderresolutionproverdevelopedbyAndreiVoronkovandhiscolleagues[12].TouseVampire,settheenvironmentvariableVAMPIRE_HOMEtothedirectorythat15 containsthevampireexecutableandVAMPIRE_VERSIONtotheversionnumber(e.g.,4.2.2).Sledgehammerhasbeentestedwithversions1.8to4.2.2(inthepost-2010numberingscheme).verit:veriT[6]isanSMTsolverdevelopedbyDavidDéharbe,PascalFontaine,andtheircolleagues.Itisspecicallydesignedtoproducedetailedproofsforreconstructioninproofassistants.TouseveriT,settheenvironmentvariableVERIT_SOLVERtothecompletepathoftheexecutable,includingthelename.Sledge-hammerhasbeentestedwithversionsmtcomp2019.z3:Z3isanSMTsolverdevelopedatMicrosoftResearch[18].TouseZ3,settheenvironmentvariableZ3_SOLVERtothecompletepathoftheexecutable,includingthelename.Sledgehammerhasbeentestedwithapre-releaseversionof4.4.0.z3_tptp:ThisversionofZ3pretendstobeanATP,exploitingZ3'ssupportfortheTPTPtypedrst-orderformat(TF0).Itisincludedforexperimentalpurposes.Itrequiresversion4.3.1ofZ3orabove.Touseit,settheenvironmentvariableZ3_TPTP_HOMEtothedirectorythatcontainsthez3_tptpexecutable.zipperposition:Zipperposition[8]isarst-orderresolutionproverdevelopedbySimonCruanesandcolleagues.TouseZip-perposition,settheenvironmentvariableZIPPERPOSITION_HOMEtothedirectorythatcontainsthezipperpositionexecutable.Moreover,thefollowingremoteproversaresupported:remote_agsyhol:TheremoteversionofagsyHOLrunsonGeoSutclie'sMiamiservers[16].remote_alt_ergo:TheremoteversionofAlt-ErgorunsonGe-oSutclie'sMiamiservers[16].remote_e:TheremoteversionofErunsonGeoSutclie'sMiamiservers[16].remote_iprover:TheremoteversionofiProverrunsonGeoSutclie'sMiamiservers[16].remote_leo2:TheremoteversionofLEO-IIrunsonGeoSut-clie'sMiamiservers[16].remote_leo3:TheremoteversionofLeo-IIIrunsonGeoSut-clie'sMiamiservers[16].16 remote_pirate:Pirateisahighlyexperimentalrst-orderres-olutionproverdevelopedbyDanielWand.TheremoteversionofPiraterunonaprivateserverhegenerouslysetup.remote_snark:SNARKisarst-orderresolutionproverdevel-opedbyStickeletal.[15].TheremoteversionofSNARKrunsonGeoSutclie'sMiamiservers.remote_vampire:TheremoteversionofVampirerunsonGeoSutclie'sMiamiservers.remote_waldmeister:WaldmeisterisaunitequalityproverdevelopedbyHillenbrandetal.[9].Itcanbeusedtoproveuni-versallyquantiedequationsusingunconditionalequations,cor-respondingtotheTPTPCNFUEQdivision.TheremoteversionofWaldmeisterrunsonGeoSutclie'sMiamiservers.remote_zipperposition:TheremoteversionofZipperpositionrunsonGeoSutclie'sMiamiservers.Bydefault,SledgehammerrunsasubsetofCVC4,E,SPASS,Vampire,veriT,andZ3inparallel,eitherlocallyorremotelydependingonthenumberofprocessorcoresavailableandonwhichproversareactuallyinstalled.Itisgenerallydesirabletorunseveralproversinparallel.prover=hstringiAliasforprovers.sliceh=hboolii{true}(neg.:dont_slice)Specieswhetherthetimeallocatedtoaprovershouldbeslicedintoseveralsegments,eachofwhichhasitsownsetofpossiblyprover-dependentoptions.ForSPASSandVampire,therstslicetriesthefastbutincompleteset-of-support(SOS)strategy,whereasthesecondslicerunswithoutit.ForE,uptothreeslicesaretried,withdierentweightedsearchstrategiesandnumberoffacts.ForSMTsolvers,sev-eralslicesaretriedwiththesameoptionseachtimebutfewerandfewerfacts.Accordingtobenchmarkswithatimeoutof30seconds,slicingisavaluableoptimization,andyoushouldprobablyleaveitenabledunlessyouareconductingexperiments.Seealsoverbose(Ÿ7.4).minimizeh=hboolii{true}(neg.:dont_minimize)17 Specieswhethertheminimizationtoolshouldbeinvokedautomati-callyafterproofsearch.Seealsopreplay_timeout(Ÿ7.6)anddont_preplay(Ÿ7.6).spyh=hboolii{false}(neg.:dont_spy)SpecieswhetherSledgehammershouldrecordstatisticsin$ISABELLE_HOME_USER/spy_sledgehammer.ThesestatisticscanbeusefultothedevelopersofSledgehammer.Ifyouarewillingtohaveyourinterac-tionsrecordedinthenameofscience,pleaseenablethisfeatureandsendthestatisticsleeverynowandthentotheauthorofthismanual(blanNOSPAMchette@in.tum.de).Tochangethedefaultvalueofthisoptionglobally,settheenvironmentvariableSLEDGEHAMMER_SPYtoyes.Seealsodebug(Ÿ7.4).overlordh=hboolii{false}(neg.:no_overlord)SpecieswhetherSledgehammershouldputitstemporarylesin$ISA-BELLE_HOME_USER,whichisusefulfordebuggingSledgehammerbutalsounsafeifseveralinstancesofthetoolarerunsimultaneously.Thelesareidentiedbytheprexesprob_andmash_;youmaysafelyremovethemafterSledgehammerhasrun.Warning:Thisoptionisnotthread-safe.Useatyourownrisks.Seealsodebug(Ÿ7.4).7.2RelevanceFilterfact_lter=hstringi{smart}Speciestherelevanceltertouse.Thefollowingltersareavailable:mepo:ThetraditionalmemorylessMePorelevancelter.mash:TheMaShmachinelearner.Threelearningalgorithmsareprovided:nbisanimplementationofnaiveBayes.knnisanimplementationofk-nearestneighbors.nb_knn(alsocalledyesandsml)isacombinationofnaiveBayesandk-nearestneighbors.Inaddition,thespecialvaluenoneisusedtodisablemachinelearningbydefault(cf.smartbelow).18 Thedefaultalgorithmisnb_knn.ThealgorithmcanbeselectedbysettingtheMaShoptionunderPlugins�PluginOptions�Isabelle�GeneralinIsabelle/jEdit.Persistentdataforbothalgorithmsisstoredinthedirectory$ISABELLE_HOME_USER/mash.mesh:TheMeShlter,whichcombinestherankingsfromMePoandMaSh.smart:AcombinationofMePo,MaSh,andMeSh.Ifthelearningalgorithmissettobenone,smartbehaveslikeMePo.max_facts=hsmart_inti{smart}Speciesthemaximumnumberoffactsthatmaybereturnedbytherelevancelter.Iftheoptionissettosmart(thedefault),iteectivelytakesavaluethatwasempiricallyfoundtobeappropriatefortheprover.Typicalvaluesliebetween50and1000.fact_thresholds=hoat_pairi{0.450.85}Speciesthethresholdsabovewhichfactsareconsideredrelevantbytherelevancelter.Therstthresholdisusedfortherstiterationoftherelevancelterandthesecondthresholdisusedforthelastiteration(ifitisreached).Theeectivethresholdisquadraticallyinterpolatedfortheotheriterations.Eachthresholdrangesfrom0to1,where0meansthatalltheoremsarerelevantand1onlytheoremsthatrefertopreviouslyseenconstants.learnh=hboolii{true}(neg.:dont_learn)SpecieswhetherMaShshouldberunautomaticallybySledgeham-mertolearntheavailabletheories(andhenceprovidemoreaccurateresults).LearningtakesplaceonlyifMaShisenabled.max_new_mono_instances=hinti{smart}Speciesthemaximumnumberofmonomorphicinstancestogeneratebeyondmax_facts.Thehigherthislimitis,themoremonomorphicinstancesarepotentiallygenerated.Whethermonomorphizationtakesplacedependsonthetypeencodingused.Iftheoptionissettosmart(thedefault),ittakesavaluethatwasempiricallyfoundtobeappro-priatefortheprover.Formostprovers,thisvalueis100.Seealsotype_enc(Ÿ7.3).max_mono_iters=hinti{smart}Speciesthemaximumnumberofiterationsforthemonomorphization19 xpointconstruction.Thehigherthislimitis,themoremonomor-phicinstancesarepotentiallygenerated.Whethermonomorphizationtakesplacedependsonthetypeencodingused.Iftheoptionissettosmart(thedefault),ittakesavaluethatwasempiricallyfoundtobeappropriatefortheprover.Formostprovers,thisvalueis3.Seealsotype_enc(Ÿ7.3).7.3ProblemEncodinglam_trans=hstringi{smart}SpeciesthetranslationschemetouseinATPproblems.Thesup-portedtranslationschemesarelistedbelow:hide_lams:Hidethe-abstractionsbyreplacingthembyun-speciedfreshconstants,eectivelydisablingallreasoningunder-abstractions.lifting:Introduceanewsupercombinatorcforeachclusterofn-abstractions,denedusinganequationcx1:::xn=t(-lifting).combs:RewritelambdastotheCurrycombinators(I,K,S,B,C).CombinatorsenabletheATPstosynthesize-termsbuttendtoyieldbulkierformulasthan-lifting:Thetranslationisquadraticintheworstcase,andtheequationaldenitionsofthecombinatorsareveryprolicinthecontextofresolution.combs_and_lifting:Introduceanewsupercombinatorcforeachclusterof-abstractionsandcharacterizeitbothusingaliftedequationcx1:::xn=tandviaCurrycombinators.combs_or_lifting:Foreachclusterof-abstractions,heuristi-callychoosebetween-liftingandCurrycombinators.keep_lams:Keepthe-abstractionsinthegeneratedproblems.ThisisavailableonlywithproversthatsupporttheTH0syntax.smart:TheactualtranslationschemeuseddependsontheATPandshouldbethemostecientschemeforthatATP.ForSMTsolvers,thetranslationschemeisalwayslifting,irrespectiveofthevalueofthisoption.20 uncurried_aliasesh=hsmart_boolii{smart}(neg.:no_uncurried_aliases)SpecieswhetherfreshfunctionsymbolsshouldbegeneratedasaliasesforapplicationsofcurriedfunctionsinATPproblems.type_enc=hstringi{smart}SpeciesthetypeencodingtouseinATPproblems.Someofthetypeencodingsareunsound,meaningthattheycangiverisetospuriousproofs(unreconstructibleusingmetis).Thetypeencodingsarelistedbelow,withanindicationoftheirsoundnessinparentheses.Anasterisk(*)indicatesthattheencodingisslightlyincompleteforreconstructionwithmetis,unlessthestrictoption(describedbelow)isenabled.erased(unsound):NotypeinformationissuppliedtotheATP,noteventoresolveoverloading.Typesaresimplyerased.poly_guards(sound):Typesareencodedusingapredicateg(;t)thatguardsboundvariables.Constantsareannotatedwiththeirtypes,suppliedasextraarguments,toresolveoverloading.poly_tags(sound):Eachtermandsubtermistaggedwithitstypeusingafunctiont(;t).poly_args(unsound):Likeforpoly_guardsconstantsarean-notatedwiththeirtypestoresolveoverloading,butotherwisenotypeinformationisencoded.Thisisthedefaultencodingusedbythemetisproofmethod.raw_mono_guards,raw_mono_tags(sound);raw_mono_args(unsound):Similartopoly_guards,poly_tags,andpoly_args,respectively,buttheproblemisadditionallymonomorphized,meaningthattypevariablesareinstantiatedwithheuristicallychosengroundtypes.Monomorphizationcansimplifyreasoningbutalsoleadstolargerfactbases,whichcanslowdowntheATPs.mono_guards,mono_tags(sound);mono_args(unsound):Similartoraw_mono_guards,raw_mono_tags,andraw_mono_args,respectivelybuttypesaremangledinconstantnamesinsteadofbeingsuppliedasgroundtermarguments.Thebinarypredicateg(;t)becomesaunarypredicateg_(t),andthebinaryfunctiont(;t)becomesaunaryfunctiont_(t).mono_native(sound):Exploitsnativerst-ordertypesiftheproversupportstheTF0,TF1,TH0,orTH1syntax;otherwise,21 fallsbackonmono_guards.Theproblemismonomorphized.mono_native_higher(sound):Exploitsnativehigher-ordertypesiftheproversupportstheTH0syntax;otherwise,fallsbackonmono_nativeormono_guards.Theproblemismonomor-phized.poly_native(sound):Exploitsnativerst-orderpolymorphictypesiftheproversupportstheTF1orTH1syntax;otherwise,fallsbackonmono_native.poly_guards?,poly_tags?,raw_mono_guards?,raw_mono_tags?,mono_guards?,mono_tags?,mono_native?(sound*):Thetypeencodingspoly_guards,poly_tags,raw_mono_guards,raw_mono_tags,mono_guards,mono_tags,andmono_nativearefullytypedandsound.Foreachofthese,Sledgehammeralsopro-videsalightervariantidentiedbyaquestionmark(`?')thatdetectsanderasesmonotonictypes,notablyinnitetypes.(Formono_native,thetypesarenotactuallyerasedbutratherre-placedbyashareduniformtypeofindividuals.)Asargumenttothemetisproofmethod,thequestionmarkisreplacedbya_querysux.poly_guards??,poly_tags??,raw_mono_guards??,raw_mono_tags??,mono_guards??,mono_tags??(sound*):Evenlighterversionsofthe`?'encodings.Asargumenttothemetisproofmethod,the`??'suxisreplacedby_query_query.poly_guards@,poly_tags@,raw_mono_guards@,raw_mono_tags@(sound*):Alternativeversionsofthe`??'encodings.Asargumenttothemetisproofmethod,the`@'suxisreplacedby_at.poly_args?,raw_mono_args?(unsound):Lighterversionsofpoly_argsandraw_mono_args.smart:TheactualencodinguseddependsontheATPandshouldbethemostecientsoundencodingforthatATP.ForSMTsolvers,thetypeencodingisalwaysmono_native,irrespectiveofthevalueofthisoption.Seealsomax_new_mono_instances(Ÿ7.2)andmax_mono_iters(Ÿ7.2).22 stricth=hboolii{false}(neg.:non_strict)SpecieswhetherSledgehammershouldruninitsstrictmode.Inthatmode,soundtypeencodingsmarkedwithanasterisk(*)abovearemadecompleteforreconstructionwithmetis,atthecostofsomeclutterinthegeneratedproblems.Thisoptionhasnoeectiftype_encisdeliberatelysettoanunsoundencoding.7.4OutputFormatverboseh=hboolii{false}(neg.:quiet)Specieswhetherthesledgehammercommandshouldexplainwhatitdoes.debugh=hboolii{false}(neg.:no_debug)SpecieswhetherSledgehammershoulddisplayadditionaldebugginginformationbeyondwhatverbosealreadydisplays.Enablingdebugalsoenablesverbosebehindthescenes.Seealsospy(Ÿ7.1)andoverlord(Ÿ7.1).isar_proofsh=hsmart_boolii{smart}(neg.:no_isar_proofs)SpecieswhetherIsarproofsshouldbeoutputinadditiontoone-lineproofs.TheconstructionofIsarproofisstillexperimentalandmaysometimesfail;however,whentheysucceedtheyareusuallyfasterandmoreintelligiblethanone-lineproofs.Iftheoptionissettosmart(thedefault),Isarproofsareonlygeneratedwhennoworkingone-lineproofisavailable.compress=hinti{smart}SpeciesthegranularityofthegeneratedIsarproofsifisar_proofsisexplicitlyenabled.AvalueofnindicatesthateachIsarproofstepshouldcorrespondtoagroupofuptonconsecutiveproofstepsintheATPproof.Iftheoptionissettosmart(thedefault),thecompressionfactoris10iftheisar_proofsoptionisexplicitlyenabled;otherwise,itis1.dont_compressh=trueiAliasforcompress=1.23 try0h=hboolii{true}(neg.:dont_try0)SpecieswhetherstandardproofmethodssuchasautoandblastshouldbetriedasalternativestometisinIsarproofs.Thecollectionofmeth-odsisroughlythesameasforthetry0command.smt_proofsh=hsmart_boolii{smart}(neg.:no_smt_proofs)SpecieswhetherthesmtproofmethodshouldbetriedinadditiontoIsabelle'sotherproofmethods.Iftheoptionissettosmart(thedefault),thesmtmethodisusedforone-lineproofsbutnotinIsarproofs.7.5RegressionTestingexpect=hstringiSpeciestheexpectedoutcome,whichmustbeoneofthefollowing:some:Sledgehammerfoundaproof.none:Sledgehammerfoundnoproof.timeout:Sledgehammertimedout.unknown:Sledgehammerencounteredsomeproblem.Sledgehammeremitsanerroriftheactualoutcomediersfromtheexpectedoutcome.Thisoptionisusefulforregressiontesting.Seealsotimeout(Ÿ7.6).7.6Timeoutstimeout=hoati{30}Speciesthemaximumnumberofsecondsthattheautomaticproversshouldspendsearchingforaproof.Thisexcludesproblempreparationandisasoftlimit.preplay_timeout=hoati{1}Speciesthemaximumnumberofsecondsthatmetisorotherproofmethodsshouldspendtryingtopreplaythefoundproof.Ifthisoptionissetto0,nopreplayingtakesplace,andnotiminginformationisdisplayednexttothesuggestedproofmethodcalls.Seealsominimize(Ÿ7.1).24 dont_preplayh=trueiAliasforpreplay_timeout=0.References[1]C.Barrett,C.L.Conway,M.Deters,L.Hadarean,D.Jovanovic,T.King,A.Reynolds,andC.Tinelli.CVC4.InG.GopalakrishnanandS.Qadeer,editors,CAV2011,volume6806ofLectureNotesinComputerScience,pages171177.Springer,2011.[2]C.BarrettandC.Tinelli.CVC3.InW.DammandH.Hermanns,editors,CAV,volume4590ofLectureNotesinComputerScience,pages298302.Springer,2007.[3]C.Benzmüller,L.C.Paulson,F.Theiss,andA.Fietzke.LEO-IIacooperativeautomatictheoremproverforhigher-orderlogic.InA.Ar-mando,P.Baumgartner,andG.Dowek,editors,AutomatedReasoning:IJCAR2008,volume5195ofLectureNotesinComputerScience,pages162170.Springer-Verlag,2008.[4]F.Bobot,S.Conchon,E.Contejean,andS.Lescuyer.ImplementingpolymorphisminSMTsolvers.InC.BarrettandL.deMoura,editors,SMT'08,ICPS,pages15.ACM,2008.[5]F.Bobot,J.-C.Filliâtre,C.Marché,andA.Paskevich.Why3:Shepherdyourherdofprovers.InK.R.M.LeinoandM.Moskal,editors,Boogie2011,pages5364,2011.[6]T.Bouton,D.C.B.deOliveira,D.Déharbe,andP.Fontaine.veriT:Anopen,trustableandecientSMT-solver.InR.A.Schmidt,editor,AutomatedDeductionCADE-22,volume5663ofLectureNotesinComputerScience,pages151156.Springer,2009.[7]C.E.Brown.Reducinghigher-ordertheoremprovingtoasequenceofSATproblems.InN.BjørnerandV.Sofronie-Stokkermans,editors,AutomatedDeductionCADE-23,volume6803ofLectureNotesinComputerScience,pages147161.Springer-Verlag,2011.[8]S.Cruanes.Logtk:ALogicToolKitforautomatedreasoning,anditsimplementation.In4thWorkshoponPracticalAspectsofAutomatedReasoning,PAAR@IJCAR2014,Vienna,Austria,2014,2014.PresentedatthePracticalAspectsofAutomatedReasoning(PAAR)workshop.25 [9]T.Hillenbrand,A.Buch,R.Vogt,andB.Löchner.Waldmeister:High-performanceequationaldeduction.JournalofAutomatedReasoning,18(2):265270,1997.[10]K.Korovin.Instantiation-basedautomatedreasoning:Fromtheorytopractice.InR.A.Schmidt,editor,AutomatedDeductionCADE-22,volume5663ofLNAI,pages163166.Springer,2009.[11]F.Lindblad.agsyHOL.https://github.com/frelindb/agsyHOL.[12]A.RiazanovandA.Voronkov.ThedesignandimplementationofVam-pire.JournalofAICommunications,15(2/3):91110,2002.[13]S.Schulz.Eabrainiactheoremprover.JournalofAICommunications,15(2/3):111126,2002.[14]A.Steen,M.Wisniewski,andC.Benzmüller.Agent-basedHOLrea-soning.InG.-M.Greuel,T.Koch,P.Paule,andA.Sommese,editors,MathematicalSoftwareICMS2016,volume9725ofLNCS,pages7581.Springer,2016.[15]M.Stickel,R.Waldinger,M.Lowry,T.Pressburger,andI.Under-wood.Deductivecompositionofastronomicalsoftwarefromsubrou-tinelibraries.InA.Bundy,editor,AutomatedDeductionCADE-12InternationalConference,LNAI814,pages341355.Springer,1994.[16]G.Sutclie.Systemdescription:SystemOnTPTP.InD.McAllester,editor,AutomatedDeductionCADE-17InternationalConference,volume1831ofLectureNotesinArticialIntelligence,pages406410.Springer-Verlag,2000.[17]C.Weidenbach,D.Dimova,A.Fietzke,R.Kumar,M.Suda,andP.Wischnewski.SPASSversion3.5.http://www.spass-prover.org/publications/spass.pdf.[18]Z3:AnecientSMTsolver.http://research.microsoft.com/en-us/um/redmond/projects/z3/.26