Unification for Subformula Linking under Quantifiers

Subformula linking is a technique that allows one to simplify proof goals by identifying subformulas of hypotheses that share atoms with the goal. It has been used by recent prototypes for gesture-based interactive theorem proving, but also for theorem proving in separation logic. When linking formulas, we should avoid information loss, i.e., subformula linking should succeed precisely when a provable simplification can be generated. Avoiding information loss is challenging when quantifiers are involved. Existing approaches either generate simplifications that involve equalities, or determine substitutions for variables via unification. The first approach can produce unprovable simplifications, while the second approach can fail to find desired links. We propose a third approach, called Quantifying on the Uninstantiated (QU), which is also based on unification and lies between the two existing approaches. We show that QU has practical applications for proof automation, by improving tactics for resource framing in the Iris framework for separation logic in Coq.


Introduction
Suppose you are faced with the following proof obligation: (∀x. P x → ∃y. Q x y) ⊢ ∃z₁. ∃z₂. Q (f z₁) z₂. (1) Unfortunately, previous work on subformula linking does not produce satisfactory solutions for such examples. In the realm of first-order logic, Actema [13] cannot establish a link for Equation (1) and thus fails. While ProfInt [5,6] can establish links, there are many candidate links, and not all of them are provable (i.e., some are equivalent to ⊥). We could backtrack on all candidate links, but that would be detrimental for performance when applied to proof automation for concurrent programs [27]. In the realm of separation logic, analogous examples are simply out of scope of Iris's iFrame because it does not consider subterms of the hypothesis.
Quantifiers pose problems for existing approaches to subformula linking. To understand why, we briefly discuss the setup of existing approaches for linking under quantifiers. ProfInt and Actema have recursive procedures that traverse the hypothesis and goal to find a shared atom. When both the hypothesis and goal are a logical connective (i.e., not an atom), one needs to choose whether to proceed in the hypothesis or in the goal. While this choice is unspecified in the mathematical presentation of these systems (as a non-deterministic inductive relation), an implementation needs to make a concrete choice. This choice matters, just as the order in which the ordinary proof rules for introduction and elimination are used matters, and might result in finding different links, or no links at all. As the paper on ProfInt [5, §2.1] remarks, this is a challenging problem: "Resolving this ambiguity is going to be as hard as fully automated proof search, which will therefore not be recursively solvable as soon as we introduce quantifiers." Nonetheless, to make subformula linking usable, for example to develop better approaches for automated program verification, one should try to rule out as many useless or blatantly false linkings as possible. We describe how ProfInt and Actema deal with this problem in the context of quantifiers, their limitations, and how we address these.
ProfInt establishes unwanted links due to scoping issues. ProfInt [5] links atoms by posing equality constraints. Syntactically equal predicates are linked by requiring the user to prove that all their arguments are equal, e.g., P t ⊢ P s will be reduced to t = s. Although this reduction seems innocent, it means that ProfInt can establish links under quantifiers regardless of whether the order of traversal respects variable scoping. For example, ProfInt can establish two links for ∃x. P x ⊢ ∃y. P y. The first link produces the tautology ∀x. ∃y. x = y as its simplification. The second link produces ∃y. ∀x. x = y, which is logically equivalent to false (if the domain of quantification is non-trivial). To use subformula linking in automated theorem proving, it would be helpful if such unwanted links were simply ruled out altogether. In particular, if there are no sensible links at all, the automation can immediately move on to the next hypothesis without having to backtrack.
Actema cannot establish desired links. Actema [13] rules out some of ProfInt's unwanted links, but it actually rules out too many links. Actema uses unification to determine the appropriate order to traverse below quantifiers. If two atoms are not unifiable, they cannot be linked: P x ⊢ P y will thus not be reduced to x = y if x and y are different variables. When linking the previous example ∃x. P x ⊢ ∃y. P y, Actema will unify the y on the right-hand side (i.e., introduced by the ∃ in the goal) with the x obtained from the left-hand side (i.e., by eliminating the ∃ in the hypothesis). This can only be done if the ∃ in the hypothesis is eliminated first, which rules out the unwanted/ill-scoped linking that ProfInt finds.
Actema uses unification whenever quantifiers need to be instantiated with a specific term (i.e., ∀-quantifiers in hypotheses/the 'left', and ∃-quantifiers in goals/the 'right'). For example, Actema finds that the x in Equation (1) must be of shape f ?z for some unknown ?z, since this causes the arguments of Q to match syntactically. Actema has two rules available to derive a link: one for when x is unified with a concrete term t, and one for when x does not get unified at all. Unfortunately, in Equation (1), neither rule is applicable: although x has been unified with f ?z, it contains the uninstantiated ?z, meaning f ?z is not a concrete term. As such, Actema cannot establish a link for Equation (1).
Our approach: Quantifying on the Uninstantiated. We propose a new system called QU for linking subformulas under quantifiers. Like Actema, we use unification to rule out unwanted links due to scoping errors. However, QU improves upon Actema by being able to link subformulas with non-trivial quantifier instantiation, such as the examples in this section. Our approach is to Quantify on the Uninstantiated (QU). Consider Equation (1), where x gets unified with f ?z, and ?z is uninstantiated. QU quantifies precisely on this uninstantiated variable, i.e., we produce the simplification ∃z. P (f z). On the implementation level, we use evars (existential variables) and convert these back into existential quantifiers.
Anti-goals. QU does not specify whether hypothesis rules ('left' rules) or goal rules ('right' rules) should be given priority when mixing quantifiers with the propositional connectives (conjunction, disjunction, implication); this remains an open problem in general subformula linking. Both the Actema [13] and ProfInt [6] implementations use heuristics and/or backtracking to make this choice, and so do we. QU nevertheless helps by eliminating unwanted links from the search space.
Applications. Quantifiers are problematic for subformula linking regardless of the logic of the system, i.e., first-order, higher-order, and separation logic systems face essentially the same problem. Fortunately, the idea of QU is likewise not tied to a specific logic. To demonstrate this, we use QU to improve Iris's iFrame tactic for higher-order separation logic, making it strictly more powerful, with comparable performance. We also explain how Diaframe makes use of QU.

Contributions and artifacts.
• We present the QU rules for linking subformulas under quantifiers (§3). We formally prove in Coq that our system lies between Actema and ProfInt, using a deep embedding of first-order logic by Kirst et al. [23].
• We present a simple, shallowly embedded subformula linking procedure in Coq (§4). This demonstrates that QU can be implemented and used inside Coq.
• We extend and improve Iris's iFrame tactic with the QU rules (§5.1), demonstrating the practical applicability of our approach.
• We describe how Diaframe [30] uses the QU rules to verify Courtois et al. [8]'s readers-writer lock (§5.2).
We start with some background on subformula linking (§2). We conclude with an evaluation of the improved iFrame (§6) and a discussion of related work (§7). The Coq sources of these artifacts are in the supplementary material [28].

Background on Subformula Linking
To provide background on subformula linking and to compare existing systems, we give a uniform presentation of subformula linking (§2.1), and formulate ProfInt (§2.2) and Actema (§2.3) as instances. Although many rules are shared by ProfInt and Actema, their differences are significant for the links they can derive. We give examples where ProfInt establishes unwanted links due to scoping issues with quantifiers, and where Actema cannot establish desired links, before presenting our system QU (§3).

Subformula Linking Judgment
We consider first-order intuitionistic logic with equality (our implementations in §4 and §5 scale to higher-order separation logic). Terms, atoms, propositions, and proof contexts are inductively defined in the usual way. Predicates P and functions f have an arity n and take a list of terms of length n. We interpret the judgment Δ ⊢ G as (⋀_{H ∈ Δ} H) ⊢ G, where the empty conjunction is just ⊤, and H ⊢ G is inductively defined using the usual rules for introduction and elimination of first-order intuitionistic logic.
To provide a uniform formulation of subformula linking, we consider the linking judgment H ⋏ [O] G, which says that given a hypothesis H and goal G, it suffices to prove the simplification O instead of G.

We call a derivation of H ⋏ [O] G a linkage. Each linkage should satisfy O, H ⊢ G, which trivially gives us the following derivable inference rule. In ProfInt and Actema, the user initiates this rule graphically by pointing out the common subformulas in H and G, or by dragging and dropping. ProfInt and Actema are then responsible for automatically finding a linkage with simplification O, allowing the user to continue with obligation Δ ⊢ O.
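In mathpartir-style notation, this rule can be sketched as follows (our reconstruction from the stated soundness property O, H ⊢ G; the paper's own statement of link-apply is authoritative):

```latex
\inferrule*[right=link-apply]
  {H \curlywedge [O]\; G \\ \Delta \vdash O}
  {\Delta, H \vdash G}
```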
The inference rules for establishing H ⋏ [O] G in ProfInt and Actema will be given as inductively defined relations in §2.2 and §2.3. These relations should be interpreted as (non-deterministic) recursive 'procedures' that compute an appropriate O for a given H and G. That is, the rules follow the structure of the hypothesis H and goal G. We use the convention of putting 'outputs' of relations, such as O, between brackets [ and ]; other parameters are 'inputs'.

Rules for ProfInt
The rules for ProfInt's linking judgment H ⋏ [O] G are given in Fig. 1a and 1b. Their purpose is to find a shared atom in H and G that can be linked. The base case is Cong-profint in Fig. 1b. This rule applies if the hypothesis and goal are the same predicate P, resulting in a simplification that says their arguments should be equal.
The recursive rules in Fig. 1a traverse the formula in a non-deterministic fashion to reach the base case. They come in two categories: 'left' rules for the hypothesis H and 'right' rules for the goal G. All rules compute a simplification O based on the simplification of the recursive call.
If the hypothesis is a conjunction H₁ ∧ H₂, rule L∧ proceeds in either H₁ or H₂ and leaves the simplification O unchanged. If the hypothesis is a disjunction H₁ ∨ H₂, rule L∨ again proceeds in either H₁ or H₂, but adds the conjunct H₁ → G or H₂ → G to the simplification O in order to account for the other disjunct. If the hypothesis is an implication H₁ → H₂, rule L→ adds the premise H₁ as a conjunct to the simplification O. If the hypothesis is a quantifier, rules L∃ and L∀ proceed under the quantifier. They add the opposite quantifier to the output O, since we are in a negative position. The 'right' rules are mostly dual to the 'left' rules.
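As a sketch, the 'left' rules just described can be rendered as inference rules (our reconstruction from the prose; Fig. 1a remains authoritative, and the rules for L∧ and L∨ that proceed in H₂ are symmetric):

```latex
\inferrule*[right=L$\wedge$]{H_1 \curlywedge [O]\; G}{H_1 \wedge H_2 \curlywedge [O]\; G}
\qquad
\inferrule*[right=L$\vee$]{H_1 \curlywedge [O]\; G}{H_1 \vee H_2 \curlywedge [O \wedge (H_2 \to G)]\; G}
\qquad
\inferrule*[right=L$\to$]{H_2 \curlywedge [O]\; G}{(H_1 \to H_2) \curlywedge [H_1 \wedge O]\; G}
\\
\inferrule*[right=L$\exists$]{H \curlywedge [O]\; G}{(\exists x.\, H) \curlywedge [\forall x.\, O]\; G}
\qquad
\inferrule*[right=L$\forall$]{H \curlywedge [O]\; G}{(\forall x.\, H) \curlywedge [\exists x.\, O]\; G}
```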
Let us demonstrate these rules on an example. Suppose we have hypothesis A → (B ∧ C) and goal C ∧ D, where A, B, C and D are atoms (0-ary predicates). When using ProfInt's implementation [6], the user does not have to construct the linking derivation by hand. Instead, the user clicks on the occurrences of C in the hypothesis and goal. This click instructs the implementation to derive the linking judgment, and to transform the goal C ∧ D into A ∧ (⊤ ∧ D) with link-apply.
(Both ProfInt and our implementation in §5 remove the superfluous occurrence of ⊤, i.e., give A ∧ D. We ignore these simplifications for brevity's sake.) This example shows that by clicking on the occurrences of C in the hypothesis and goal, ProfInt essentially eliminates an implication and a conjunction.
Non-determinism. Linking is non-deterministic, i.e., for the same hypothesis H and goal G one can find different simplifications O₁ and O₂ with H ⋏ [O₁] G and H ⋏ [O₂] G. In the above derivation, we could have used R∧₁ first, resulting in the simplification (A ∧ ⊤) ∧ D. In this case, the choice is immaterial, since the simplifications are equiderivable, i.e., (A ∧ ⊤) ∧ D ⊣⊢ A ∧ (⊤ ∧ D).
Picking the right order of rules is non-trivial. In some examples, R∨ (disjunction introduction) should take priority over L→ (implication elimination), but this does not hold in general. For many examples, one also wants to prioritize L∨ (disjunction elimination) over R∨ (disjunction introduction); but what if the disjunction to eliminate resides in the conclusion of an implication? The implementations of ProfInt, Actema and QU use heuristics to determine the rule order. Our goal is not to improve these heuristics, but to design rules for quantifiers that exclude linkages that are blatantly false due to scoping issues.
Problem: ProfInt establishes unwanted links due to scoping issues. Suppose we want to construct a linkage (∀x. ∃y. P x y) ⋏ [O] ∃y. P c y. Using the rules L∀, L∃ and R∃ (in that order), we find O = ∃x. ∀y. ∃y'. (x = c ∧ y = y'). This is the desired simplification, since it is a tautology (pick x = c and y' = y). In fact, ProfInt has additional simplification rules that can reduce O to just ⊤.
Unfortunately, the heuristics of ProfInt's implementation prioritize the 'right' rules, resulting in O = ∃y'. ∃x. ∀y. (x = c ∧ y = y'). This is problematic, since this simplification is logically equivalent to ⊥ (assuming the domain is non-trivial): there is no way we could pick a y' that is equal to every y. This is the result of a blatant scoping issue: we have mistakenly used existential introduction (R∃) before existential elimination (L∃). We would like this derivation to be ruled out.

Rules for Actema
Actema takes a different approach to linking subformulas under quantifiers than ProfInt. This approach avoids scoping issues, but results in a failure to find other desired links.
The rules for Actema's linking judgment H ⋏ [O] G are given in Fig. 1a and 1c. Instead of generating a simplification that involves equalities, Actema uses unification to determine appropriate ways to eliminate universal quantifiers and introduce existential quantifiers. The base case Asmp-actema requires the atoms to match exactly. This requirement can be met under quantifiers since Actema has the rules L∀t-actema and R∃t-actema. The premises of these rules allow one to instantiate the quantifier with a specific term t, which we are free to choose. For example, Actema can directly find P c ⋏ [⊤] ∃x. P x with R∃t-actema and Asmp-actema by instantiating x with c.
This begs the question: how does one automatically find appropriate terms for R∃t-actema? This can be done using evars (existential variables), which we denote as ?x. Instead of choosing a concrete term t in R∃t-actema upfront, evars allow one to postpone this choice. As soon as we learn an appropriate concrete term t for ?x, we instantiate ?x with t, and the derivation behaves as if we had chosen t all along.
The Asmp-actema rule prompts appropriate instantiations of evars. Crucially, an evar ?x can only be instantiated with a term t if the variables mentioned by t were in scope when ?x was created; instantiation fails otherwise. Such failures are crucial for determining an appropriate rule order: ill-scoped linkages are ruled out by construction. Let us reconsider the example from §2.2 of finding a linkage (∀x. ∃y. P x y) ⋏ [O] ∃y. P c y. If one were to start with R∃t-actema, one would need to instantiate the resulting evar with the variable y, which is not in scope when R∃t-actema was used. This fails, prompting Actema to try the correct rule order, i.e., prioritizing the 'left' rules, resulting in the desired simplification O = ∀y. ⊤.
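The scope check on evars can be illustrated with a small sketch. The following Python model (ours, not Actema's implementation; the names Evar, free_vars and instantiate are illustrative) shows how recording the variables in scope at evar-creation time rules out the ill-scoped rule order:

```python
# A minimal sketch of scope-checked evar instantiation: an evar records which
# bound variables were in scope when it was created, and may only be
# instantiated with terms whose free variables lie within that scope.

class Evar:
    def __init__(self, name, scope):
        self.name = name          # e.g. "?t"
        self.scope = set(scope)   # variables visible when the evar was created
        self.value = None         # filled in upon instantiation

def free_vars(term):
    """Free variables of a first-order term: a variable is a string, an
    application is a tuple (fun_name, arg, ...)."""
    if isinstance(term, str):
        return {term}
    return set().union(*(free_vars(a) for a in term[1:])) if len(term) > 1 else set()

def instantiate(evar, term):
    """Instantiate an evar, failing if term mentions out-of-scope variables."""
    if not free_vars(term) <= evar.scope:
        return False              # ill-scoped: this rule order is ruled out
    evar.value = term
    return True

# R∃t-actema used first: the evar is created before y is bound, so y is not
# in scope. L∃ used first: y is bound before the evar is created.
print(instantiate(Evar("?t", []), "y"))     # False: forces the other rule order
print(instantiate(Evar("?t", ["y"]), "y"))  # True: the well-scoped linkage
```
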
Unification guides Actema in the search for an appropriate rule order. In some cases, unification rules out a bad linkage completely. Consider (∀x. ∃y. P x y) ⋏ [O] ∃y. ∀x'. P x' y. ProfInt would propose an unprovable simplification O, while Actema fails to establish a linkage. From a proof automation point of view (e.g., for our applications in §5), Actema's behavior of failing instead of finding an unprovable linkage is preferable: it prompts the automation to consider another hypothesis for finding a linkage.
Problem: Actema cannot establish desired links. We have seen that unification allows Actema to rule out inappropriate linkages. Unfortunately, it rules out linkages too aggressively: some linkages that one might expect to obtain are also ruled out. This can happen when the order of related quantifiers in hypothesis and goal does not match, as in Equation (3). One would expect to find O = ∃y. P (f y) for Equation (3), but this linkage is not derivable in Actema, and neither is any other O. To see why, note that the desired witness in the goal is obtained from the existentially quantified variable in the hypothesis. This means we must start with a 'left' rule for the universal quantifier, choosing between L∀t-actema and L∀. A linkage does not exist for an arbitrary instantiation, so L∀ fails. We would like to use L∀t-actema with some t = f ?y', but no appropriate instance for ?y' is in scope. We can only get access to such an instance by first using R∃ twice, which means we have a circular dependency.
Note that ProfInt is able to derive a linkage for this example. However, similar to the example in the previous section, it might use rules in the wrong order and find an unprovable simplification O (i.e., a simplification that is logically equivalent to ⊥ if the domain is non-trivial).

Quantifying on the Uninstantiated
We present our system Quantifying on the Uninstantiated (QU). Compared to Actema, we do not choose between instantiation or quantification; rather, we quantify precisely on the parts that remain uninstantiated. We start by discussing the rules of QU (§3.1) and explain how QU is used on examples (§3.2). We finally discuss the proof-theoretic properties of QU (§3.3), showing that the strength of the linkages from QU lies between Actema and ProfInt.

Rules for QU
QU features the rules from Fig. 1a, except L∀ and R∃. We have Asmp-actema as a base case, and the following rules L∀qu and R∃qu for universal and existential quantifiers, where we write ȳ for a (possibly empty) list of variables, and the term t can mention these variables.
To provide an intuition for these rules, let us show that our new rule L∀qu generalizes Actema's L∀ and L∀t-actema (dually, R∃qu generalizes R∃ and R∃t-actema). Similar to L∀, the premise of L∀qu is quantified. Similar to L∀t-actema, we instantiate the quantifier with a term t. We thus retain the expressivity of Actema: if we take ȳ to be the empty list, L∀qu reduces directly to L∀t-actema; if we take ȳ to be the list containing just y', and t = y', then L∀qu is precisely L∀.
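In inference-rule form, the two QU rules can be sketched as follows (our reconstruction from the surrounding prose, not a verbatim copy of the paper's figures; ȳ is a possibly empty list of variables that is fresh in the conclusion, and t may mention the variables in ȳ):

```latex
\inferrule*[right=L$\forall_{\textsc{qu}}$]
  {H[t/x] \curlywedge [O]\; G}
  {(\forall x.\, H) \curlywedge [\exists \vec{y}.\, O]\; G}
\qquad
\inferrule*[right=R$\exists_{\textsc{qu}}$]
  {H \curlywedge [O]\; G[t/x]}
  {H \curlywedge [\exists \vec{y}.\, O]\; (\exists x.\, G)}
```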
The other quantifier rules L∃ and R∀ stay the same, since they correspond to reversible inference rules.

QU by Example
We show how QU goes beyond Actema by deriving the linkage from the example in §2.3. The full derivation is included in Fig. 2. The key step is the use of L∀qu, where we pick ȳ = [y'] and t = f y'. Intuitively, this choice makes the arguments of the shared atom in hypothesis and goal match precisely, so that Asmp-actema can be applied in the base case. We also use R∃qu twice with an empty quantifier list (i.e., ȳ = []), which simplifies to Actema's R∃t-actema. The application of L∀qu with ȳ = [y'] and t = f y' in Fig. 2 is not expressible in Actema, and crucial for obtaining the desired linkage in this example. However, it relies on somehow making the correct choices for ȳ and t. Additionally, so far we have only seen cases where ȳ is a list of length at most 1. We therefore consider another example, to demonstrate how appropriate choices for ȳ and t can be determined, and that we sometimes need ȳ to be a longer list. (We discuss the actual implementation that chooses ȳ and t in Coq in §4.) The example is given in Equation (4).
Consider the following partial derivation of a linkage. We have chosen to instantiate t in L∀qu with an evar ?t, delaying the choice of a concrete term. We still have to choose the ȳ over which L∀qu should quantify. Whatever our choice, the next steps in the derivation of the linkage are to apply R∃qu three times. In the base case, Asmp-actema produces two unification problems for the arguments of the shared predicate: an easy one, and a harder one. Here, we write ?x[z̄] for an evar ?x which has the variables z̄ in scope. The harder problem cannot be solved outright: some evars on one side have a variable in scope that the evar on the other side does not, so a direct instantiation would be ill-scoped. To proceed, the unification algorithm prunes the term on the right-hand side [39, §4]. We now quantify on the uninstantiated. That is, ȳ will contain a variable for each evar that remained uninstantiated in t. Here we pick ȳ to be a two-element list and instantiate the remaining evars with its elements. This results in the completed derivation. We explain how this can be done automatically in §4.3.
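The 'quantify on the uninstantiated' step itself can also be sketched. The following Python model (ours, not the paper's Coq implementation; all names are illustrative) collects the evars left in the chosen term after unification and wraps the simplification in one existential quantifier per evar:

```python
# Terms are nested tuples (fun_name, arg, ...); leaves are strings, and a
# string starting with '?' denotes an evar that unification left uninstantiated.

def uninstantiated_evars(term, acc=None):
    """Collect the uninstantiated evars of a term, in left-to-right order."""
    acc = [] if acc is None else acc
    if isinstance(term, str):
        if term.startswith("?") and term not in acc:
            acc.append(term)
    else:
        for a in term[1:]:
            uninstantiated_evars(a, acc)
    return acc

def quantify_on_uninstantiated(term, simplification):
    """Replace each remaining evar by a fresh bound variable and wrap the
    simplification in existential quantifiers, one per evar."""
    evars = uninstantiated_evars(term)
    renaming = {e: f"z{i + 1}" for i, e in enumerate(evars)}
    def rename(t):
        if isinstance(t, str):
            return renaming.get(t, t)
        return (t[0],) + tuple(rename(a) for a in t[1:])
    result = rename(simplification)
    for z in reversed(list(renaming.values())):
        result = ("exists", z, result)
    return result

# An Equation (1)-style situation: unification instantiated the universally
# quantified variable with f(?z), leaving ?z uninstantiated; the residual
# premise P(f(?z)) becomes the simplification 'exists z1. P(f(z1))'.
print(quantify_on_uninstantiated(("f", "?z"), ("P", ("f", "?z"))))
# → ('exists', 'z1', ('P', ('f', 'z1')))
```
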

Comparison to ProfInt and Actema
We prove some results about the relative strength of ProfInt, Actema and QU. We have mechanized these results in Coq using the library for first-order logic by Kirst et al. [23]. This library provides a deep embedding of terms, connectives, propositions, and proofs. We inductively define the three linking judgments, which we disambiguate using subscripts. For example, H ⋏ [O]_actema G is the inductively defined linking judgment of Actema.
First, we prove that all three linkage systems are sound. Next, we prove that every linkage that can be established by Actema can also be established by our system QU.
This theorem holds because the quantifier rules R∃qu and L∀qu of QU generalize those of Actema (§3.1).
Note that this theorem states that Actema linkages are expressible in QU; it does not guarantee that the procedure we informally describe in §3.2 actually finds Actema's solution. This would be harder to formalize because it depends on Coq's unification algorithm. We nevertheless think our solutions agree with Actema's. Actema only uses L∀t-actema if it can unify the term t with a concrete term. Concrete terms do not contain evars/uninstantiated terms, so we find the same solution. If instead Actema uses L∀, the term t must have remained an evar, and so our approach chooses precisely that evar to quantify on.
The relation between QU and ProfInt is more difficult to formalize. Simplifications O produced by a ProfInt linkage H ⋏ [O]_profint G involve equalities, which are absent in the simplifications produced by QU. This means that the linkage systems do not produce syntactically equal simplifications O.
To properly relate two linkages with different simplifications, we furthermore need to ensure that ProfInt and QU apply rules in the same order. We write a superscript r to indicate that a linking judgment is derived by applying the rules in r in order. We can then relate the linkages from QU and ProfInt (Theorem 3.3): for a given rule order, if QU can derive a linkage, then ProfInt can also derive a linkage. Additionally, QU's simplification O is at least as hard to prove as ProfInt's simplification O'. Another way to read Theorem 3.3 is that the instantiations made by QU are guaranteed to satisfy the equalities from ProfInt.
However, we would rather have something stronger: that the simplifications produced by QU are not harder than those produced by ProfInt, i.e., O ⊣⊢ O'. When L∀qu and R∃qu are used as intended (i.e., they quantify precisely on the uninstantiated terms), we conjecture that this is indeed the case. The way L∀qu is currently stated does not guarantee this: by picking a particular constant for the term t, we could derive a linkage that is too specialized, and thus harder to prove. Formally proving this conjecture would require a verified unification algorithm for the deeply embedded logic we consider, and a corresponding restriction on the terms t in L∀qu. We leave this endeavor for future work.
Completeness. Chaudhuri [5] showed that the full ProfInt linkage system is complete. The full ProfInt system differs from the presentation in §2.2 in two regards: one can link two hypotheses, and one can also link within formulas. Subformula linking within formulas allows ProfInt to prove entailments in which, e.g., the subformulas A → ⊥ and ⊥ can be linked within the left disjunct. Such an entailment is out of reach for our linkage system, since no subformula of the hypothesis A ∨ B can be linked to a subformula of the goal (note that our system only considers subformulas of the right-hand side of an implication). This incompleteness is acceptable for the application we have in mind, i.e., proof automation for (higher-order) separation logic: implications do not frequently occur inside disjunctions in this setting [27].

Implementation
We demonstrate that QU can be effectively implemented in the Coq proof assistant. We start by defining linkages and linkage rules for the propositions Prop of Coq's higher-order logic (§4.1). (This makes it different from §3.3, where we performed meta-theoretic reasoning on a deep embedding of first-order logic.) We then define simple telescopes (§4.2), which form a building block for representing n-ary functions and n-ary quantification. Telescopes allow us to state the L∀qu and R∃qu rules properly and to implement custom Ltac [11] code that assists in solving the unification problems arising in QU (§4.3). Finally, we make the link-apply inference rule available as a Coq tactic (§4.4).

Linkages in Coq
We start by defining linkages semantically in Coq. This defines a type class [36] called Link, for which we define the notation LINK H ⋏ [O] G (the definition directly encodes soundness).

A semantic definition like this makes it particularly easy to define linkage rules as type class instances. Remember that the term t can mention the variables ȳ. We first express the rule, as link_l_forall_qu_v1, in a form where we allow t to depend on exactly one variable y. Its proof is short: Proof. unfold Link; firstorder eauto. Qed.
We have to address two issues to turn this 1-ary lemma into an instance that produces good simplifications and can be applied automatically by type class search.
The first issue is that while the n-ary version can be derived from the 1-ary version through currying, this results in a complicated simplification. We want the resulting simplification to be an n-ary existential quantification, instead of a unary quantification on a product type Y. In particular, we want to avoid a useless quantification over u : unit if no variables are needed. Generating an n-ary existential quantification is important to show readable goals to the user and to aid automation in making further progress. We address this issue using telescopes to write an n-ary rule (§4.2).
The second issue is that of determining appropriate terms for Y, t and O. We can use evars ?Y, ?t and ?O when applying this lemma, but instantiating these evars is challenging. At some point we want to unify, e.g., ?t y with a concrete term, while also instantiating the type ?Y of y. We do not know of any existing unification algorithm that supports this kind of problem. Indeed, Coq's default unification algorithm rightfully refuses to solve it. We address this issue using a custom tactic written in Ltac (§4.3).

Simple Telescopes in Coq
Telescopes [10] can represent (the type of) sequences of variables with possibly dependent types. For the applications in §5, we use the formalization of (dependent) telescopes provided by the coq-std++ library [38]. For brevity, the telescopes in this section do not allow dependent types.
We can treat such lists themselves as a Type, by taking the product of all the Types in the list. We can construct this product by folding over the list. The function type T → Prop with T : tele corresponds to an uncurried n-ary function. We can do n-ary quantification on such functions by recursion on the list T:
Lemma tele_ex_exists {T : tele} (g : T → Prop) : tele_ex g ↔ ∃ (a : T), g a.
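As a rough analogue, the following Python sketch (ours, purely illustrative; restricted to finite domains so that quantification is executable) models a non-dependent telescope as a list of type names, its product as nested pairs ending in the unit (), and n-ary existential quantification as a search over that product:

```python
# A telescope is a list of type names; 'domains' maps each type name to a
# finite list of its elements, which makes the quantifier decidable here.

def tele_prod(types, domains):
    """All inhabitants of the nested-pair product of a telescope."""
    if not types:
        return [()]                       # 0-ary case: just the unit element
    return [(a, rest)
            for a in domains[types[0]]
            for rest in tele_prod(types[1:], domains)]

def tele_ex(types, domains, pred):
    """n-ary existential quantification: does some inhabitant satisfy pred?"""
    return any(pred(a) for a in tele_prod(types, domains))

doms = {"U": [0, 1, 2], "V": ["a", "b"]}
# 'exists (u : U) (v : V), u = 2 and v = "b"' on nested pairs (u, (v, ())):
print(tele_ex(["U", "V"], doms, lambda a: a[0] == 2 and a[1][0] == "b"))  # True
print(tele_ex([], doms, lambda a: a == ()))                               # True
```
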
We have included some type annotations in tele_ex to illuminate what is going on. In the 0-ary case, we simply pass the unit element to the function of type unit → Prop. In the (n + 1)-ary case, we existentially quantify on the first projection of the pair, and recursively call tele_ex to existentially quantify on the second projection. Lemma tele_ex_exists shows that tele_ex is equivalent to regular existential quantification. Remember that to formalize R∃qu and L∀qu we want to avoid a regular (unary) existential quantification on a complicated type like T : tele, and instead generate n nested existential quantifiers.

Quantifying on the Uninstantiated with Ltac
We are now ready to state a version of L∀qu with proper n-ary quantification: link_l_forall_qu_v2. This lemma differs from link_l_forall_qu_v1 in §4.1 in its use of Y : tele and tele_ex.
Furthermore, to address the problem of unifying ?t y with a concrete term, we swap t y for a new variable t', and require these two to be equal (and similarly for O). This means that when we use Coq's type class search to establish the LINK premise, it does not need to worry about (and is in fact oblivious of) the fact that t' and t y should be equal. This change also allows us to solve the unification problem for Y manually: we can determine an appropriate value for Y with some meta-programming in Ltac when proving t' = t y.
Let us consider the proof obligations spawned by applying link_l_forall_qu_v2. Suppose we would like to prove LINK (∀ a, H a) ⋏ [?O] G. To proceed, we apply the lemma, introduce y and create fresh evars for t' and O' with the tactic: eapply link_l_forall_qu_v2; intros; do 2 eexists.
After the application of this tactic, our goal is as follows. Since the argument to H is a simple evar ?t', the first conjunct can be handled by a recursive call to the linking procedure (i.e., type class search). In particular, in the base case, Asmp-actema can instantiate ?t' with an appropriate term if necessary. This would not be possible for ?t y.
Let us now repeat Equation (4) from §3.2 and consider our proof obligations for the corresponding linkage. The combination of tactics discussed previously fills in an evar ?t' for t. The linking procedure will (recursively) establish LINK (H ?t') ⋏ [?O'] G and, in the process, unify ?t' with f ?u ?v. The equality we thus wish to prove is Equation (5), where y is of type ?Y. The full unification problem we face is ∃(Y : Type). ∃(t : Y → _). ∀(y : Y). ∃t'. t' = t y.
We want to quantify on the uninstantiated, so our goal is to infer Y = [tele U; V]. The evars ?u and ?v should be unified with projections of y, so that the remaining unification problem can be solved by Coq. This is what the Ltac script solve_evar_tele_equality from Fig. 3 does.
If we call solve_evar_tele_equality on Equation (5), line 3 in Fig. 3 will store the left-hand side of the equality in l, and y in arg. We then read the telescope Y into the variable T' (line 16), and call retcon_tele arg T'. This will 'retcon' (for retroactive continuity) the telescope T' to be a list of the types of all uninstantiated evars in l. Additionally, it will unify all evars with projections of arg. The recursive retcon_tele achieves this by scanning l for evars (lines 4-6), and then unifying T' to be a list that starts with the type of this evar (lines 8-10).
We then unify the evar with a projection of arg (line 11), and repeat the process until no more evars are found (lines 12 and 13). If we find an evar that does not have arg in scope, the unification on line 11 will fail and cause Ltac to backtrack and continue with the next evar. This is desired: it means such evars should either not be quantified on, or be quantified on by some earlier application of L∀qu.
We still need to prove the equality once this is finished. The equality in Equation (5) has been reduced to f (fst y) (fst (snd y)) = ?t y, and 'exact (eq_refl _)' can make quick work of this: Coq's unification algorithm [39, step 4 on page 186] is now able to infer an appropriate value for t.
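The projections used here follow a simple pattern, sketched below in Python (ours, purely illustrative): the i-th component of a nested-pair telescope argument is fst applied after i applications of snd:

```python
# Nested pairs (a, (b, (c, ()))) model a telescope argument; retrieving the
# i-th component amounts to i applications of snd followed by one fst.

def projection(i):
    """Build the accessor for the i-th component of a nested-pair argument."""
    def proj(arg):
        for _ in range(i):
            arg = arg[1]          # snd: step past one component
        return arg[0]             # fst: take the component itself
    return proj

arg = (1, ("x", (True, ())))      # an inhabitant of the telescope [int; str; bool]
print(projection(0)(arg))  # 1
print(projection(1)(arg))  # x
print(projection(2)(arg))  # True
```
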

Linkage Tactic
We now have all ingredients in place to construct an instance for L∀ that Coq's type class search can understand.
To call the custom Ltac from §4.3 we do not register link_l_forall_qu_v2 as a regular instance. Instead we add an external hint to the type class database: This hint applies our specially crafted lemma, runs type class search on LINK H ?t ⋏ [?O] G, and then quantifies on uninstantiated evars in ?t. The exact (eq_refl _) tactic takes care of the remaining equality on ?O.
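As a rough sketch, such a hint registration could look as follows. This is a hypothetical rendering, not the actual code of the development: the exact priority, goal pattern, and subgoal order may differ, and tc_solve stands for a tactic that re-runs type class search.

```coq
(* Hypothetical sketch: register the QU rule for ∀ as an external hint,
   so that it only fires when the hypothesis of the Link is a ∀. *)
Global Hint Extern 4 (Link (∀ x, _) _ _) =>
  eapply link_l_forall_qu_v2;      (* apply the specially crafted lemma *)
  [ tc_solve                       (* search for LINK (H ?t) ⋏ [?O] G *)
  | solve_evar_tele_equality       (* quantify on uninstantiated evars in ?t *)
  | exact (eq_refl _) ]            (* discharge the remaining equality on ?O *)
  : typeclass_instances.
```

Registering the rule as a Hint Extern rather than an Instance is what makes it possible to run an arbitrary Ltac script during type class search.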
Putting it all together. With type class instances for all the linkage rules in place, we obtain a very simple implementation of a linkage system in Coq, in about 250 lines of code in total. This includes the straightforward implementation of a tactic link_to that performs link-apply, omitted here. All linkages that were discussed before have the desired result. In the supplementary material [28], we have included solutions to some of the exercises in Actema's course on first-order logic, to demonstrate our linkage system. Non-determinism. We have not specified a heuristic that determines in what order the linkage rules should be applied. By implementing the linkage rules as type class Instances, we implicitly rely on the backtracking semantics of type class search: all orders will be considered. This means linking only fails after all possible orders of linking rules have been considered, which is not great from a performance perspective. Similar to ProfInt and Actema, we use heuristics to determine the rule order in our applications, and thereby avoid this inefficiency. We either have no 'left' rules (iFrame in §5.1), or we prioritize 'left' rules (Diaframe in §5.2).

Applications
We demonstrate that the QU approach has practical applications outside pure intuitionistic logic. First, we apply QU to the framing problem [1, 22] from separation logic in the context of the Iris framework for concurrent separation logic in Coq [18, 19, 21, 24-26] (§5.1). Second, we apply QU to the Iris-based proof automation framework Diaframe [27, 29, 30] (§5.2), where we show that the automatic verification of a classical readers-writer lock crucially relies on the QU rules for subformula linking under quantifiers.

Framing under Quantifiers in Separation Logic
Separation logic [31] is an extension of Hoare logic that allows one to reason modularly about the correctness of stateful programs. We focus on the assertion language of separation logic, which extends ordinary logic with two logical connectives that enable this modular reasoning: the separating conjunction (∗) and magic wand (−∗). Separating conjunction can be seen as a substructural version of conjunction (∧), which means that we cannot use separation logic propositions P more than once; in particular, P ⊢ P ∗ P does not hold in general. The introduction rule of separating conjunction thus requires one to split the list of hypotheses over the conjuncts: During program verification with separation logic, one often faces proof obligations of the form Δ, P ⊢ P ∗ G. In this case, there is an obvious choice for splitting the environment: one 'frames' P away, and continues with Δ ⊢ G (i.e., take Δ1 = P and Δ2 = Δ). In an interactive proof setting, one should not have to spell out the precise environments.
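In a standard presentation, with Δ1 and Δ2 ranging over hypothesis environments, the split over the conjuncts reads:

```latex
% Introduction rule for separating conjunction: the list of hypotheses
% must be split over the two conjuncts.
\frac{\Delta_1 \vdash P \qquad \Delta_2 \vdash Q}
     {\Delta_1, \Delta_2 \vdash P \ast Q}
\;\; {\ast}\text{-Intro}
```

Framing P in Δ, P ⊢ P ∗ G is the instance Δ1 = P and Δ2 = Δ of this rule, in which the first premise P ⊢ P holds trivially.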
Iris comes with an interactive proof mode and accompanying tactics [24, 26], whose iFrame tactic can be used to frame away hypotheses in the goal. This tactic is implemented with a type class Frame, exactly like Link from §4.1. The (slightly simplified) definition of Frame is: Compared to Link, the Frame class involves the separating conjunction (∗) instead of the regular conjunction (∧). Furthermore, Frame works in a generic object logic PROP of type bi. This makes the Frame type class applicable in any Bunched Implication logic [32, 33], i.e., logics that satisfy the relevant axioms for ∗ and −∗.
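The simplified class described here could be rendered as follows. This is a sketch matching the description above; Iris's actual Frame class additionally carries a boolean persistence flag and uses different argument names.

```coq
From iris.bi Require Import bi.

(* Sketch of the simplified Frame class: framing hypothesis H in goal G
   leaves the residual goal O, justified by the entailment H ∗ O ⊢ G. *)
Class Frame {PROP : bi} (H G O : PROP) :=
  frame : H ∗ O ⊢ G.
```

The use of a generic PROP : bi is what makes the class applicable in any Bunched Implication logic.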
When trying to frame resource H in goal G, Iris runs a type class search for Frame H G O. If successful, it removes resource H from the environment, and replaces the goal with O. Instances of the Frame type class are 'just' subformula linking rules in separation logic. This is evident by comparing the following instances to Asmp-actema and R∧: Framing under existential quantification. To frame beneath quantifiers, one faces problems similar to those described in §2. However, there are also some differences that we discuss first. When framing, we only look for hypotheses that appear (nearly) verbatim in the goal, meaning there are only right rules for Frame. The existing implementation for framing under existential quantifiers only provides R∃ and not R∃-actema. This means that framing could not instantiate quantifiers, and so framing fails on, e.g., P 1 ⊢ (∃x. P x) ∗ Q.
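The correspondence between Frame instances and linking rules could be sketched by instances of the following shape. These are hypothetical renderings, assuming the simplified class Frame H G O := H ∗ O ⊢ G described in the text and the usual Iris lemma names; the actual Iris instances also track a persistence flag.

```coq
(* Counterpart of Asmp-actema: framing H against itself leaves emp,
   justified by H ∗ emp ⊢ H. *)
Instance frame_here {PROP : bi} (H : PROP) : Frame H H emp.
Proof. by rewrite /Frame bi.sep_emp. Qed.

(* Counterpart of R∧ (here for ∗): to frame H in G1 ∗ G2,
   frame it in G1 and keep G2 in the residual goal. *)
Instance frame_sep_l {PROP : bi} (H G1 G2 O : PROP) :
  Frame H G1 O → Frame H (G1 ∗ G2)%I (O ∗ G2)%I.
Proof. rewrite /Frame => <-. by rewrite assoc. Qed.
```

As in the Link system, type class search composes such instances to traverse the goal recursively.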
Having a single instance was a conscious design choice of the Iris Proof Mode: by having two applicable Instances when the goal is existentially quantified, (failing) type class search would run twice on very similar subgoals. An n-ary existential quantification would do this 2^n times, which becomes unacceptably slow.
By quantifying on the uninstantiated, we can allow framing to instantiate quantifiers without this exponential slowdown. Additionally, remember that the QU rule R∃qu is strictly more general than having both R∃-actema and R∃. We use the following Frame instance, similar to the linking instance link_l_forall_qu_v2 from §4.3. The main difference is the use of bi_texist, which does n-ary existential quantification in PROP. We also reuse the tactics from §4.3 for proving the equalities on t' and O'.
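A sketch of such an instance is given below. The name and exact statement are assumptions for illustration; the real instance is phrased with Iris's telescope library, where TT : tele is the telescope of still-uninstantiated evars in the instantiation function t, and is applied through the Hint Extern machinery described in §4.3.

```coq
From iris.bi Require Import bi telescopes.

(* Hypothetical sketch of the QU framing rule under ∃, assuming the
   simplified class Frame H G O := H ∗ O ⊢ G from the text. The residual
   goal re-quantifies, via bi_texist, over exactly the components of TT. *)
Lemma frame_exist_qu {PROP : bi} {X : Type} {TT : tele}
    (H : PROP) (Φ : X → PROP) (t : TT → X) (O : TT → PROP) :
  (∀ y, Frame H (Φ (t y)) (O y)) →
  Frame H (∃ x, Φ x)%I (bi_texist O).
Proof.
  rewrite /Frame => HF.
  rewrite bi_texist_exist bi.sep_exist_l.
  apply bi.exist_elim => y. rewrite (HF y).
  apply (bi.exist_intro (t y)).
Qed.
```

When TT is the empty telescope this behaves like R∃-actema (the quantifier is instantiated), and when t is the identity it behaves like R∃ (the quantifier is kept), which is why the single rule subsumes both.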

Automatic Verification of a Readers-Writer Lock
The proof automation provided by Diaframe also relies on subformula linking, and as such faces the same problems regarding quantifiers. Diaframe has been using the QU approach since before this paper, but the technique and its use were not described anywhere.
Let us consider the automatic verification of the classic readers-writer lock by Courtois et al. [8] in Diaframe. A lock is a data structure from concurrent programming, in charge of sharing access to a resource R among multiple threads. It guarantees that at all times, at most a single thread can access resource R. A readers-writer lock generalizes a regular lock: it guarantees that either there are zero or more 'readers', i.e., threads with read-only access to R, or there is a single 'writer' thread that can mutate R.
The classic readers-writer lock implementation by Courtois et al. [8] is built from two regular locks. We shall consider the verification of allocating a new readers-writer lock, which first allocates two regular locks. Let us first consider two specifications for allocating a regular (spin) lock:

{R} new_lock() {v. ∃γ. is_lock γ v R}  (6a)
{True} new_lock() {v. (∀R. R −∗ ∃γ. is_lock γ v R)}  (6b)

Specification (6a) states that executing new_lock() is safe, and returns a value v for which ∃γ. is_lock γ v R holds, provided we have given up resource R before executing new_lock.
Parameter γ ensures we can distinguish between different locks. The is_lock predicate is part of the precondition of the other lock methods. Specification (6b) differs from (6a) in that one does not have to give up resource R directly. Rather, it returns a more complicated proposition, which allows clients to choose and hand in R at a later point in the program execution.
Although (6a) is the standard lock specification [12, 16], (6b) is strictly stronger. One can (manually) verify the readers-writer lock with (6a), but (6b) is more useful for proof automation. When an automated verifier symbolically executes new_lock with specification (6a), it does not have any syntactic indication for an appropriate choice for resource R. A wrong choice can easily lead to a failing verification [9]. With specification (6b), the automation can wait for a proof obligation with shape is_lock γ v P to choose R equal to P.
This is precisely what happens when verifying the allocation of Courtois et al. [8]'s readers-writer lock. The allocation function first allocates two regular locks, for which we will use specification (6b). To prove that the readers-writer lock is successfully allocated, we are faced with goal: Here, Φ γ2 encodes the protocol for accessing the readers-writer lock. Since Diaframe uses the QU rules, it can simplify this entailment to ∃γ2. Φ γ2, which Diaframe's automation can subsequently discharge. The QU rules are crucial: during subformula linking, R will be unified with Φ ?γ2, where ?γ2 remains uninstantiated. By quantifying precisely on this γ2, we obtain the desired linkage. Finally, note that the readers-writer lock verification involves quantification over propositions R. This shows that the QU approach scales to higher-order logic.

Evaluation of iFrame
We evaluate the scalability of QU by testing our improved iFrame tactic. We test the improved tactic on four Iris projects to verify it does not cause performance regressions or introduce failures where it succeeded before (§6.1). We report on the results of a more artificial benchmark that compares the performance of the new ∃ rule to the rules for other connectives (§6.2). This benchmark shows that the Ltac implementation from §4.3 has acceptable complexity. We cannot conduct an evaluation of Diaframe, since there exists no baseline version of Diaframe without QU.

Subformula Linking with iFrame in Practice
Table 1 contains the results of our evaluation of the improved iFrame tactic. We investigate four Iris-based repositories of significant size: Iris itself, ReLoC [14, 15], RustBelt [17], and Iris's 'examples' repository. We compare the total compilation time of each repository with and without the improved iFrame. We also report the total number of changed lines that were required to patch these repositories. Existing proofs might break because iFrame is more powerful in the sense that it can frame more hypotheses and even solve a goal entirely that was not solved before.

Table 1. Evaluation data of iFrame. For each project, we list the total number of lines, the number of lines that use iFrame, and the number of lines that needed to be changed for the new iFrame. We also list the total compilation time of the project, and the change in compilation time with the new iFrame.

repository  total lines  iFrame lines  lines changed  total time  time changed %
Iris [18]   60156        [remaining table data omitted]

We find that overall, the effect on compilation time (0.7% faster) is hardly distinguishable from noise. This is a positive result because the improved iFrame is strictly stronger, without being noticeably slower. The 2% speedup in ReLoC may be due to the fact that the QU instance uses a Hint Extern with a pattern, meaning the framed goal must be an existential quantification syntactically. The previous Instance for framing under existential quantifiers would also trigger on goals that are not syntactically an existential quantification, but can be unfolded to one.
The lines-of-code reduction by the improved iFrame is modest, but not insignificant: a reduction of 54 lines on a total of about 2700 lines using iFrame. (Note that we have omitted the addition of ±150 lines of implementation of the QU rule in Iris.) These numbers can be improved: we have only fixed broken proofs, not optimized existing proofs. In some of the changed lines, a single call to the improved iFrame has replaced a combination of five tactics.
We have not investigated the effect of the improved iFrame on writing new proofs. However, our impression is that the additional strength of the tactic makes it easier for users to write proofs: more parts can be automatically discharged. A frequently occurring pattern is a proof obligation of shape Δ, P t ⊢ ∃x. P x ∗ G, with Δ ⊢ G requiring a manual proof. Such situations were typically tackled with the combination 'iExists t; iFrame', but a single call to the improved iFrame now suffices.

Comparing Performance of Linkage Rules
We conduct a more artificial benchmark to check that the QU rule for ∃ performs acceptably in comparison to the linkage rules for other connectives, even in the presence of large terms or many quantifiers. We consider the following framing problem in which we vary the number n: Here, ∃^n is an n-ary existential quantification (x⃗ has length n), and P has n arguments. We consider two variants: (1) frame the (small) hypothesis G away, which preserves all n existential quantifiers in the goal; and (2) frame the (large) hypothesis P t1 . . . tn away, which instantiates all quantifiers in the goal. These cover the frequent use cases of keeping a quantifier and instantiating it.
In the second variant we must also unify P ?x⃗ with P t1 . . . tn. The previous problem is thus very similar to this one, apart from the connectives being framed under.
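For illustration, an instance of the benchmark for n = 2 could look as follows. The names are placeholders for this sketch; the actual benchmark uses larger terms and varies n, and assumes the Iris proof mode is loaded.

```coq
From iris.proofmode Require Import proofmode.

(* Hypothetical n = 2 instance of the benchmark goal. Variant (1) frames
   the small hypothesis G, keeping both quantifiers; variant (2) frames
   the large hypothesis P t1 t2, instantiating both quantifiers. *)
Lemma bench_n2 {PROP : bi} (P : nat → nat → PROP) (G : PROP) (t1 t2 : nat) :
  P t1 t2 ∗ G ⊢ ∃ x1 x2, P x1 x2 ∗ G.
Proof.
  iIntros "[HP HG]".
  (* With the improved iFrame, framing "HP" instantiates x1 and x2;
     here we spell out the instantiation for clarity. *)
  iExists t1, t2. iFrame.
Qed.
```

With the QU rule, a single call to iFrame can discharge such goals directly, without the explicit iExists.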
We pick the hypothesis P t1 . . . tn to be a term of significant size, and test the performance with G being a large and a small term. This means we compare the performance of four framing problems in total: framing the (small) hypothesis G or the (large) hypothesis P t1 . . . tn, in a goal with a small or a large G.
Results. The benchmarks show that the performance of the QU rules for ∃ is as fast as that for other connectives in 3/4 problems, namely when framing the large hypothesis and/or with a large G. When framing the small hypothesis with a small G and n < 60, the performance is about equal to that of ∧, and up to four times as slow as −∗ (the fastest connective). At n = 150, the QU rules for ∃ are twice as slow as ∧, and seven times slower than −∗. We have included some of the running times for the small hypothesis, small goal framing under ∃ and ∧ below:

n                        6     12    30    60    150
runtime for ∃ (seconds)  0.07  0.15  0.33  0.9   5.5
runtime for ∧ (seconds)  0.07  0.13  0.32  0.76  2.8

This shows that the QU rules perform acceptably, even with n-ary existential quantification for large n (the authors have not seen n > 10 in existing Iris projects). There is an observable difference in performance only when n ≥ 60, but we conjecture that the time Coq spends on proof checking is a much more influential factor than the runtime of iFrame.

Related Work
Subformula linking. The notion of subformula linking was introduced as part of the Profound system by Chaudhuri [4]. Profound is a predecessor of ProfInt [5, 6] that involves first-order classical linear logic instead of first-order intuitionistic logic.
Prior works on subformula linking differ mostly from this work in their application. The ProfInt [5, 6] and Actema [13] gesture-based interactive theorem provers use subformula linking to simplify proof states by letting the user graphically indicate what subformulas to link. (A further predecessor of gesture-based theorem proving is 'proof by pointing' by Bertot et al. [2].) Aside from the difference in applications, there are some notable differences in the formal systems:
• Besides hypothesis-goal links, ProfInt and Actema also consider hypothesis-hypothesis links. ProfInt even considers links within a single formula. We do not consider such links, because hypothesis-goal links are the only relevant links for our application of backward-chaining proof search, which always takes the goal as starting point. Hypothesis-hypothesis links are essential for the completeness of ProfInt.
• The original presentation of ProfInt [5] uses a weaker subformula linking rule than R∨. This weaker rule makes the rule order immaterial for the propositional fragment, but sometimes produces links that are harder to prove than links with R∨. The rule order still matters when two hypotheses are linked.
• Actema supports 'rewriting' through subformula linking with an additional linkage rule. Such a rule can be added as an instance to a QU-based system. It would be interesting to explore applications of such linkages, especially in combination with Coq's generalized rewriting [35], which is used extensively in Iris to rewrite with relations other than equality.
Framing in separation logic. Various approaches have been proposed to (automatically) solve the 'framing' or 'frame inference' problem [1, 22] in separation logic. We focus on approaches that are implemented in proof assistants.
The VST framework in Coq [3] comes with a cancel tactic for frame inference, which, contrary to Iris's iFrame, does not proceed below existential quantifiers in the goal. VST also provides the more powerful entailer tactic, which is aimed at fully solving an entailment rather than making partial progress in an interactive proof.
The automation of the Bedrock [7, §3, step 6] and RefinedC [34, §4, step 5] frameworks in Coq instantiates existentially quantified goals with evars after having eliminated existentials in hypotheses. This is an effective approach for the verification of sequential problems. However, in the context of the verification of concurrent programs in Iris, existentials require a more careful treatment, as also argued in Diaframe [30]. We achieve this through subformula linking.

Future Work
We have presented QU, an approach for subformula linking under quantifiers using unification, and demonstrated its use by improving Iris's iFrame tactic for resource framing. We see several possible directions for future work.
Both Actema and ProfInt come with prototypes for graphical interactive theorem proving. It would be interesting to build such a prototype for QU, or to change an existing prototype to use the QU rules for quantifiers.
All systems we have considered here (Actema, ProfInt, and QU) leave the order of linking rules unspecified, while this order is crucial for the quality of the resulting simplification. In particular, the systems use a heuristic to decide whether to prioritize left- or right-rules. It would be interesting to design a formal inference system that rules out information loss entirely.

Figure 2. An example linkage in QU.
If x⃗ = x1, . . ., xn and y⃗ = y1, . . ., yn are lists of the same length, we write x⃗ = y⃗ for x1 = y1 ∧ . . . ∧ xn = yn. If both lists are empty, x⃗ = y⃗ denotes ⊤. After registering tele_arg as a Coercion, the preceding Check indeed goes through. This relies on Coq doing a type-level computation: it checks that tele_arg [nat; bool] is convertible to the type nat * (bool * unit). Therefore, we have that (1, (false, tt)) is of type tele_arg [nat; bool].
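This type-level computation can be illustrated with a simplified stand-in for Iris's telescopes. In this sketch a 'telescope' is just a list of types; the real library uses an inductive tele type, but the computation of argument tuples works analogously.

```coq
Require Import List.
Import ListNotations.

(* Simplified model: tele_arg maps a list of types to a right-nested
   product of those types, ending in unit. *)
Fixpoint tele_arg (T : list Type) : Type :=
  match T with
  | [] => unit
  | X :: T' => (X * tele_arg T')%type
  end.

(* tele_arg [nat; bool] is convertible to nat * (bool * unit), so this
   Check succeeds purely by type-level computation. *)
Check ((1, (false, tt)) : tele_arg [nat; bool]).
```

Registering tele_arg as a Coercion lets a telescope be used directly where a type of argument tuples is expected, which is what the Check in the text relies on.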