## Introduction

Before doing anything, let's try to get a GPU instance!

This first cell needs to be executed to set up the environment and instantiate the client used to connect to a proof assistant.

In [None]:
# %pip install ollama
# %pip install colab-xterm

# !sudo apt-get update
# !sudo apt-get install pciutils lshw

# !curl -fsSL https://ollama.com/install.sh | sh
# url = "https://raw.githubusercontent.com/theostos/small-pytanque-tp/refs/heads/main/client.py"
# !wget --no-cache --backups=1 {url}
# url = "https://raw.githubusercontent.com/theostos/small-pytanque-tp/refs/heads/main/utils.py"
# !wget --no-cache --backups=1 {url}
# !pip install requests
# !pip install transformers

In [1]:
from client import ProofAssistantClientAPI, goals_to_str

client = ProofAssistantClientAPI("http://128.93.101.129:8765")

On the server side, there is a file containing some theorems. First, let's look at them.

In [2]:
for section in client.sections():
  print(f"Theorems in section: {section}")
  for k in range(client.num_thm(section)):
    thm = client.show_thm(section, k)
    print(f"Theorem {k}, {thm['name']} description: {thm['statement']}")
  print()


Theorems in section: introduction
Theorem 0, involution_injective description: forall x y, f x = f y -> x = y

Theorems in section: logic
Theorem 0, Modus_ponens description: forall P Q : Prop, P -> (P -> Q) -> Q
Theorem 1, Modus_tollens description: forall P Q : Prop, ~Q /\ (P -> Q) -> ~P
Theorem 2, Disjunctive_syllogism description: forall P Q : Prop, (P \/ Q) -> ~P -> Q
Theorem 3, DeMorgan1 description: forall P Q : Prop, ~P \/ ~Q -> ~(P /\ Q)
Theorem 4, DeMorgan2 description: forall P Q : Prop, ~P /\ ~Q -> ~(P \/ Q)
Theorem 5, DeMorgan3 description: forall P Q : Prop, ~(P \/ Q) -> ~P /\ ~Q
Theorem 6, NotNot_LEM description: forall P : Prop, ~ ~(P \/ ~P)

Theorems in section: math
Theorem 0, unique_max description: (A : R -> Prop) (x y : R) : x is_a_max_of A -> y is_a_max_of A -> x = y
Theorem 1, inf_lt description: (A : R -> Prop) (x : R) : x is_an_inf_of A -> forall y, x < y -> exists a, A a /\ a < y
Theorem 2, le_of_le_add_eps description: (x y : R) : (forall eps, eps > 0 -> y <=

### A case study: Lelarge's Theorem

We will start by proving the Lelarge's Theorem in the Introduction section.
Let's review it by selecting the first theorem (index = 0) in the "introduction" section.

Before doing so, we need to examine the current context (i.e. the available lemmas, definitions, and notations) to understand it.

In [3]:
thm =  client.show_thm("introduction", 0)
print("Context:")
print("\n".join(thm['premises']))
print("\n")
print(f"Theorem {thm['name']}: {thm['statement']}",)

Context:
Variable A : Type.
Variable f : A -> A.
Hypothesis Hinv : forall x, f (f x) = x.


Theorem involution_injective: forall x y, f x = f y -> x = y


Theorem involution_injective states that an arbitrary function f, satisfying Hinv (i.e. being an involution), is one-to-one.

To prove it, we will use the following tactics (read from left to right):

* "intros x y H." introduces two variables, x and y, associated with the forall quantifier, and the hypothesis H corresponding to f x = f y.
* "rewrite <- Hinv with (x := x)." rewrites the left-hand side of the current goal using the hypothesis specialized with x = x.
* "rewrite <- Hinv with (x := y)." rewrites the left-hand side of the current goal using the hypothesis specialized with x = y.
* "rewrite H." rewrites the current goal using the introduced hypothesis H (i.e. f x = f y).
* "reflexivity." discharges goals of the form a = a.

In [4]:
state, goals = client.start_thm("introduction", 0)
print("Started theorem session:")
print(goals_to_str(goals))

Started theorem session:
Status: ongoing
Goal 1:
A  : Type
f  : A -> A
Hinv  : forall x : A, f (f x) = x
|-forall x y : A, f x = f y -> x = y



In [5]:
state, goals = client.run_tac(state, "intros x y H.")
print(goals_to_str(goals))

Status: ongoing
Goal 1:
A  : Type
f  : A -> A
Hinv  : forall x0 : A, f (f x0) = x0
x, y  : A
H  : f x = f y
|-x = y



In [6]:
state, goals = client.run_tac(state, "rewrite <- Hinv with (x := x).")
print(goals_to_str(goals))

Status: ongoing
Goal 1:
A  : Type
f  : A -> A
Hinv  : forall x0 : A, f (f x0) = x0
x, y  : A
H  : f x = f y
|-f (f x) = y



In [7]:
state, goals = client.run_tac(state, "rewrite <- Hinv with (x := y).")
print(goals_to_str(goals))

Status: ongoing
Goal 1:
A  : Type
f  : A -> A
Hinv  : forall x0 : A, f (f x0) = x0
x, y  : A
H  : f x = f y
|-f (f x) = f (f y)



In [8]:
state, goals = client.run_tac(state, "rewrite H.")
print(goals_to_str(goals))

Status: ongoing
Goal 1:
A  : Type
f  : A -> A
Hinv  : forall x0 : A, f (f x0) = x0
x, y  : A
H  : f x = f y
|-f (f y) = f (f y)



In [9]:
state, goals = client.run_tac(state, "reflexivity.")
print(goals_to_str(goals))

Status: finished



# Automation

## Sledge Hammer

Let's try to automate theorem proving. In deep learning our sledge hammer is big LLM, and one of them is chatGPT.
Is it able to prove Lelarge's theorem?

First, let's ask it to one of the best "reasoning" model: GPT o3-mini.
Extract the sequence of tactics from [this](https://chatgpt.com/share/67e9842e-7d18-8007-b394-d29b03d859cb) link, and try to submit it to the Rocq server ([petanque server](https://github.com/ejgallego/coq-lsp/tree/main/petanque)).

To do it, complete the following cell. You only need to add the remaining tactics

In [10]:
# complete the following list with the sequence of tactics provided by GPT o3-mini
tactics = ['intros x y H.', 'TO COMPLETE: SECOND TACTIC', 'AND SO ON']

state, goals = client.start_thm("introduction", 0)

for tactic in tactics:
    state, goals = client.run_tac(state, tactic)
    print(goals_to_str(goals))

Status: ongoing
Goal 1:
A  : Type
f  : A -> A
Hinv  : forall x0 : A, f (f x0) = x0
x, y  : A
H  : f x = f y
|-x = y



ClientError: (500, "(-32003, 'Coq: Syntax error: [ltac_use_default] expected after [tactic] (in [tactic_command]).')")

Remarkably, if we ask more modest model things get a bit more complex:
* Asking to GPT 4o model (see [here](https://chatgpt.com/share/67e986d3-6650-8007-b01c-b5dfe48468a5)), it is able to prove it after 5 attempts.
* Asking to GPT 4o-mini (see [here](https://chatgpt.com/share/67e9871d-9de8-8007-aaeb-04d48d61b525)) is not able to prove it in 8 attempts.

And even more remarkably, both non reasoning and reasoning model from [DeepSeek](https://chat.deepseek.com/) are able to solve this problem at the first attempt.

## Open-weight model

Now, let's try to do it with an open-weight locally run model. We choose Gemma 3 12b, since it has good performance while being able to run on a collab T4 instance.

First we need to start an inference engine (to serve our model locally).

In [None]:
import subprocess
subprocess.Popen(["ollama", "serve"])

Then, let's download gemma 3 12b.

In [None]:
!ollama pull gemma-3:12b

In [None]:
import ollama

def get_response(prompt):
  response = ollama.chat(
        model="gemma-3:12b",
        messages=[
            {"role": "user", "content": prompt},
        ]
    )
  return response["message"]["content"]

In [None]:
import re
from collections import defaultdict

def parse_output(output):
    # to avoid some parsing issue, we accept instruction to not end with a point as normally required.
    pattern = r'```coq\n(.*?)\.?\n'
    match_output = re.search(pattern, output)
    if match_output:
      output = match_output.group(1).strip()
      return output + '.'
    return ''


prompt_template = """You are an expert in Coq, a theorem-proving assistant. Your task is to help progress a formal proof by providing exactly one correct and effective Coq tactic to advance towards the goal.

Here is a brief explanation of tactics you may use:

- intros: Introduces hypotheses or variables into the context. (example: "intros P Q." introduces hypotheses P and Q.)
- apply: Applies a hypothesis or theorem to match the current goal. (example: "apply H0." If the goal is Q and you have a hypothesis H0: P -> Q, applying H0 changes the goal to P.)
- exact: Directly solves the current goal if you have an exact matching hypothesis. (example: "exact H." If the goal is P and you have a hypothesis H: P, then the goal is resolved.)
- contradiction: Resolves the goal if there is a contradiction in the hypotheses. (example: if you have hypotheses H1: P -> False and H2: P, using "contradiction." resolves the goal.)
- unfold not: Expands the definition of negation (~P becomes P -> False). (examples: "unfold not in H." applies it to hypothesis H, "unfold not." applies it to the goal.)
- inversion: Breaks apart hypotheses involving conjunctions (and), disjunctions (or), or existential quantifiers to reveal simpler components. (example: "inversion H." breaks hypothesis H into simpler parts.)
- split: Splits goals involving conjunctions into separate subgoals. (example: "split." transforms goal P /\ Q into two separate goals, P and Q.)
- left/right: Selects a side of a disjunction (or) goal to prove. (examples: "left." to prove the left side of a goal P \/ Q, "right." to prove the right side.)

Current proof state:
{goal}

Carefully analyze the current goal, consider available hypotheses, and propose the most logical and efficient next step in the proof.

Respond with ONLY ONE Coq tactic enclosed in a Coq code block. Ensure the tactic is syntactically correct and directly applicable. Don't write any comment, simple the code block.

Example of correct formatting:
```coq
tactic_1.
```

"""

prompt_remove = """Don't use any of the following instructions:
{remove}
"""
thm =  client.show_thm("logic", 5)
statement = f"Theorem {thm['name']}: {thm['statement']}"
premises = "\n".join(thm['premises'])

success = False
for _ in range(1):
  state, goals = client.start_thm("logic", 5)
  print("New try")
  tactics = []
  useless_tactics = defaultdict(list)
  failed_tactics = []
  for _ in range(100):
    to_prove_pp = goals_to_str(goals)
    to_prove = to_prove_pp.replace('|-', 'to prove: ')

    prompt = prompt_template.format(goal=to_prove)
    if failed_tactics:
      prompt += prompt_remove.format(remove="\n".join(failed_tactics))
    
    if useless_tactics[to_prove_pp]:
      prompt += prompt_remove.format(remove="\n".join(useless_tactics[to_prove_pp]))
  
    output = get_response(prompt)
    next_tactic = parse_output(output)
    try:
      state, goals = client.run_tac(state, next_tactic)
      new_to_prove_pp = goals_to_str(goals)
      if to_prove_pp == new_to_prove_pp:
        useless_tactics[new_to_prove_pp].append(next_tactic)
      print(next_tactic)
      tactics.append(next_tactic)
      failed_tactics = []
    except Exception as e:
      failed_tactics.append(next_tactic)
      pass
    if not goals:
      print("Finished!")
      success = True
      break
    
  if success:
    print("Found solution:\n" + "\n".join(tactics))
    break
  else:
    print("Failed")
    

Now, let's try to find better prompts!

In [24]:
prompt_bis = """You are an expert in Coq, a theorem-proving assistant. Your task is to help progress a formal proof involving real numbers, upper/lower bounds, limits, and other related concepts by providing exactly one correct and effective Coq tactic to advance towards the goal.

Here is a brief explanation of tactics you may use:

- intros: Introduces hypotheses or variables into the context. (example: "intros x y." introduces hypotheses x and y.)
- apply: Applies a hypothesis or theorem to match the current goal. (example: "apply H." If the goal is Q and you have a hypothesis H: P -> Q, applying H changes the goal to P.)
- exact: Directly solves the current goal if you have an exact matching hypothesis. (example: "exact H." If the goal is P and you have a hypothesis H: P, then the goal is resolved.)
- contradiction: Resolves the goal if there is a contradiction in the hypotheses. (example: if you have hypotheses H1: P -> False and H2: P, using "contradiction." resolves the goal.)
- unfold: Expands definitions. (examples: "unfold is_maximum in H." expands the definition of is_maximum in hypothesis H, "unfold limit." expands the definition of limit in the goal.)
- inversion: Breaks apart hypotheses involving conjunctions (and), disjunctions (or), or existential quantifiers to reveal simpler components. (example: "inversion H." breaks hypothesis H into simpler parts.)
- split: Splits goals involving conjunctions into separate subgoals. (example: "split." transforms goal P /\ Q into two separate goals, P and Q.)
- destruct: Breaks a hypothesis or goal involving existential quantifiers or logical connectives into simpler components. (example: "destruct H as [a Ha]." if H is "exists a, P a", creating hypothesis Ha: P a.)
- left/right: Selects a side of a disjunction (or) goal to prove. (examples: "left." to prove the left side of a goal P \/ Q, "right." to prove the right side.)
- specialize: Instantiates hypotheses with specific values or assumptions. (example: "specialize (H eps)." instantiates hypothesis H with eps.)
- assert: Introduces an intermediate statement to help advance the proof. (example: "assert (H : P)." creates a new subgoal to prove P.)
- lra: Automatically solves linear inequalities involving real numbers.
- lia: Automatically solves linear inequalities involving integers.

Current proof state:
{goal}

Carefully analyze the current goal, consider available hypotheses, and propose the most logical and efficient next step in the proof.

Respond with ONLY ONE Coq tactic enclosed in a Coq code block. Ensure the tactic is syntactically correct and directly applicable. Don't write any comment, simply the code block.

Example of correct formatting:
```coq
tactic_1.
```
"""

## Specialized open-weight model

In [11]:
from transformers import AutoModelForSeq2SeqLM, AutoTokenizer
from transformers import pipeline
model_name = "amitayusht/ProofWala-Multilingual"
model = AutoModelForSeq2SeqLM.from_pretrained(model_name)
tokenizer = AutoTokenizer.from_pretrained(model_name)
pipeline = pipeline("text2text-generation", model=model, tokenizer=tokenizer, device=0) # device=0 for GPU, -1 for CPU


  from .autonotebook import tqdm as notebook_tqdm


In [19]:
from enum import Enum
import re

import torch.nn.functional as F

class Keywords(Enum):
    GOALS = "[GOALS]"
    GOAL = "[GOAL]"
    HYPOTHESES = "[HYPOTHESES]"
    HYPOTHESIS = "[HYPOTHESIS]"
    STEPS = "[STEPS]"
    STEP = "[STEP]"
    INCORRECT_STEPS = "[INCORRECT STEPS]"
    DEFINITIONS = "[DEFINITIONS]"
    DEFINITION = "[DEFINITION]"
    THEOREMS = "[THEOREMS]"
    THEOREM = "[THEOREM]"
    ERROR = "[ERROR]"
    ERROR_MESSAGE = "[ERROR MESSAGE]"
    SUCCESS = "[SUCCESS]"
    END = "[END]"
    DESCRIPTION = "[DESCRIPTION]"
    LAST_STEP = "[LAST STEP]"
    INFORMAL_PROOF = "[INFORMAL-PROOF]"
    INFORMAL_THEOREM = "[INFORMAL-THEOREM]"

    def __str__(self) -> str:
            return self.value

def generate_prompt(goals, steps=[], incorrect_steps=[], theorems=[], definitions=[]):
    prompt = f"Goals to prove:\n{Keywords.GOALS}\n"

    for k, goal in enumerate(goals):
        prompt += f"{Keywords.GOAL} {k + 1}\n{goal['ty']}\n"
        if goal['hyps']:
            prompt += f"{Keywords.HYPOTHESES} {k + 1}\n"
        for hyp in goal['hyps']:
            names = ", ".join(hyp['names'])
            ty = hyp['ty']
            prompt += f"{Keywords.HYPOTHESIS} {names}: {ty}\n"

    if definitions:
        prompt += f"{Keywords.DEFINITIONS} 1\n"
        for definition in definitions:
            prompt += f"{Keywords.DEFINITION} {definition}\n"

    if theorems:
        prompt +=  f"{Keywords.THEOREMS} 1\n"
        for theorem in theorems:
            prompt += f"{Keywords.THEOREM} {theorem}\n"

    if steps:
        prompt += f"{Keywords.STEPS} {1}\n"
        for step in steps:
            prompt += f"{Keywords.STEP} {step}\n"

    if incorrect_steps:
        prompt += f"{Keywords.INCORRECT_STEPS} {1}\n"
        for step in incorrect_steps:
            prompt += f"{Keywords.STEP} {step}\n"
    
    prompt += f"{Keywords.END}"
    return prompt

def parsed_output(output):
    # to avoid some parsing issue, we accept instruction to not end with a point as normally required.
    pattern = r'\[RUN TACTIC\]\n(.*)\n\[END\]'
    match_output = re.search(pattern, output)
    if match_output:
      output = match_output.group(1).strip()
      return output
    return ''

def generate_tactics(beam_size, goals, steps=[], incorrect_steps=[], theorems=[], definitions=[]):
    device = 0
    prompt = generate_prompt(goals, steps=steps, incorrect_steps=incorrect_steps, theorems=theorems, definitions=definitions)
    prompt_tokenized = tokenizer(prompt, return_tensors='pt')
    output = pipeline(prompt, max_length=100, num_return_sequences=beam_size, do_sample=True, temperature=1.2)
    input_ids, attention_mask = prompt_tokenized.values()

    result_output = []
    result_scores = []
    done = set()
    for output_str in output:
        output_str = parsed_output(output_str['generated_text'])

        if output_str in done:
            continue
        decoder_input_ids, decoder_attention_mask = tokenizer(output_str, return_tensors='pt').values()
        scores = model.forward(input_ids=input_ids.to(device), attention_mask=attention_mask.to(device), decoder_input_ids=decoder_input_ids.to(device), decoder_attention_mask=decoder_attention_mask.to(device))['logits']
        
        shifted_logits = scores[:, :-1, :]

        # Shift decoder tokens to remove the first token (which is typically the start token)
        shifted_target = decoder_input_ids.to(scores.device)[:, 1:]
        logprobs = F.log_softmax(shifted_logits, dim=-1)
        token_logprobs = logprobs.gather(dim=-1, index=shifted_target.unsqueeze(-1)).squeeze(-1).mean(dim=-1)
        result_output.append(output_str)
        result_scores.append(float(token_logprobs))

        done.add(output_str)
    return result_output, result_scores


In [23]:
from utils import beam_search

NUM_TRY = 100
for section in ['introduction', 'logic', 'math']:
    for idx_thm in range(client.num_thm(section)):
        print(f"Trying to prove theorem {idx_thm} in section {section}.")
        for _ in range(NUM_TRY):
            result = beam_search(generate_tactics, client, section, idx_thm, max_depth=7, beam_size=32, timeout=60)
            if result:
                print("Solution found:")
                print("\n".join(result))
                print()
                print()
                break
            else:
                print("FAILED")




Trying to prove theorem 0 in section introduction.
Solution found:
intros.
rewrite <- (Hinv x).
rewrite H.
apply Hinv.


Trying to prove theorem 0 in section logic.
Solution found:
auto.


Trying to prove theorem 1 in section logic.
Solution found:
tauto.


Trying to prove theorem 2 in section logic.
FAILED
Solution found:
intros P Q [Px|Nz]; intros.
tauto.
apply Nz.


Trying to prove theorem 3 in section logic.
Solution found:
tauto.


Trying to prove theorem 4 in section logic.
Solution found:
tauto.


Trying to prove theorem 5 in section logic.
Solution found:
auto.


Trying to prove theorem 6 in section logic.
FAILED
FAILED
FAILED
FAILED
Solution found:
auto.
intros; red; intros.
tauto.


Trying to prove theorem 0 in section math.
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED
FAILED


KeyboardInterrupt: 