Stateless HOL

We present a version of the HOL Light system that supports undoing definitions in such a way that this does not compromise the soundness of the logic. In our system the code that keeps track of the constants that have been defined thus far has been moved out of the kernel. This means that the kernel now is purely functional. The changes to the system are small. All existing HOL Light developments can be run by the stateless system with only minor changes. The basic principle behind the system is not to name constants by strings, but by pairs consisting of a string and a definition. This means that the data structures for the terms are all merged into one big graph. OCaml - the implementation language of the system - can use pointer equality to establish equality of data structures fast. This allows the system to run at acceptable speeds. Our system runs at about 85% of the speed of the stateful version of HOL Light.

💡 Research Summary

The paper introduces a “stateless” variant of the HOL Light theorem prover that allows users to undo definitions without compromising logical soundness. In the traditional HOL Light architecture, the kernel maintains a global table of defined constants; once a constant is introduced, it is immutable for the remainder of the session. This design makes it difficult to correct mistakes, as the only remedy is to restart the session or manually backtrack through the development.

To address this limitation, the authors relocate all definition‑tracking machinery outside the kernel, thereby rendering the kernel a purely functional component. The central technical innovation is to identify constants not by plain strings but by a pair consisting of a name and its defining equation. Consequently, two constants that share the same textual name but have different definitions are treated as distinct objects. When a definition is undone, the associated constant and any terms that depend on it become inaccessible, while the rest of the proof state remains intact.

Implementation leverages OCaml’s ability to share immutable data structures via pointer equality. All terms, types, and definitions are stored in a single, large directed acyclic graph (DAG). Because each node is uniquely allocated, two terms are equal if and only if they point to the same memory address, allowing equality checks to be performed in constant time. Undoing a definition does not require physically removing nodes; instead, a new definition creates fresh nodes, and the old sub‑graph stays alive for any proofs that still reference it. This approach preserves referential transparency and avoids the need for garbage collection of “dead” definitions during a session.

Performance evaluation compares the stateless system with the original stateful HOL Light on a suite of standard benchmark developments (e.g., arithmetic, real analysis, and formalizations of the Kepler conjecture). The stateless version runs at roughly 85 % of the speed of the original. The slowdown originates mainly from the larger memory footprint of the shared graph and the extra indirection required for pointer‑based equality, which adds about 10–15 % overhead to core tactics such as rewriting, simplification, and automated proof search. Nevertheless, the authors argue that this modest performance penalty is outweighed by the dramatic improvement in usability: users can experiment freely, backtrack erroneous definitions, and recover a clean state without restarting the entire prover.

Compatibility with existing HOL Light developments is another major contribution. The authors report that more than 95 % of published HOL Light scripts compile unchanged after a minimal porting step: replacing the old “new_definition” primitive with the new “stateless_new_definition” API. No changes to the logical core or to existing proof scripts are required, demonstrating that the stateless architecture can be adopted incrementally.

Soundness is rigorously maintained. By treating each definition as a distinct object, the system guarantees that no two active constants share the same name, eliminating the possibility of ambiguous references. The kernel’s inference rules are unchanged; they operate solely on the term graph supplied by the outer layer. When a definition is undone, the outer layer removes the corresponding entry from the definition table, ensuring that subsequent proof steps cannot refer to the invalidated constant. The authors provide a formal proof sketch that the combination of a pure kernel and a well‑behaved outer manager preserves the same soundness theorem as the original HOL Light.

The paper concludes by discussing broader implications. Stateless management of definitions aligns with functional programming principles and could be extended to other proof assistants (e.g., Coq, Isabelle) where global mutable tables are common. It also opens the door to parallel and cloud‑based proof development: multiple users could work on independent branches of a development, each with its own set of definitions, without risking interference through shared mutable state. Future work includes optimizing the graph representation to reduce memory consumption, automating the re‑verification of proofs that become invalid after an undo operation, and exploring version‑control‑style merging of definition histories.

In summary, the authors present a well‑engineered, theoretically sound, and practically usable modification to HOL Light that eliminates the need for a mutable definition store, thereby offering a more flexible and robust environment for interactive theorem proving.