Consider the following functions and theorems:

def f (a : Nat) : Nat := a + 1 def g (a : Nat) : Nat := a - 1 @[grind =] theorem gf (x : Nat) : g (f x) = x := byx:Nat⊢ g (f x) = x simp [f, g]All goals completed! 🐙

The theorem gf asserts that g (f x) = x for all natural numbers x. The attribute grind = instructs grind to use the left-hand side of the equation, g (f x), as a pattern for heuristic instantiation via E-matching.

This proof goal does not include an instance of g (f x), but grind is nonetheless able to solve it:

example {a b} (h : f b = a) : g a = b := byx:Nata✝:Natb✝:Nata:Natb:Nath:f b = a⊢ g a = b grindAll goals completed! 🐙

Although g a is not an instance of the pattern g (f x), it becomes one modulo the equation f b = a. By substituting a with f b in g a, we obtain the term g (f b), which matches the pattern g (f x) with the assignment x := b. Thus, the theorem gf is instantiated with x := b, and the new equality g (f b) = b is asserted. grind then uses congruence closure to derive the implied equality g a = g (f b) and completes the proof.

The grind = attribute uses the left side of the equality as the E-matching pattern for gf:

def f (a : Nat) : Nat := a + 1 def g (a : Nat) : Nat := a - 1 @[grind =] theorem gf (x : Nat) : g (f x) = x := byx:Nat⊢ g (f x) = x simp [f, g]All goals completed! 🐙

For example, the pattern g (f x) is too restrictive in the following case: the theorem gf will not be instantiated because the goal does not even contain the function symbol g.

In this example, grind fails because the pattern is too restrictive: the goal does not contain the function symbol g.

example (h₁ : f b = a) (h₂ : f c = a) : b = c := byb:Nata:Natc:Nath₁:f b = ah₂:f c = a⊢ b = c `grind` failed grindb a c:Nath₁:f b = ah₂:f c = ah:¬b = c⊢ False

[grind] Goal diagnostics

• [facts] Asserted facts

  • [prop] f b = a
  • [prop] f c = a
  • [prop] ¬b = c
• [eqc] False propositions

  • [prop] b = c
• [eqc] Equivalence classes

  • [eqc] {a, f b, f c}

grindb:Nata:Natc:Nath₁:f b = ah₂:f c = a⊢ b = c

`grind` failed
grindb a c:Nath₁:f b = ah₂:f c = ah:¬b = c⊢ False
[grind] Goal diagnostics
[facts] Asserted facts
[prop] f b = a
[prop] f c = a
[prop] ¬b = c
[eqc] False propositions
[prop] b = c
[eqc] Equivalence classes
[eqc] {a, f b, f c}

Using just f x as the pattern allows grind to solve the goal automatically:

grind_pattern gf => f x example {a b c} (h₁ : f b = a) (h₂ : f c = a) : b = c := bya:Natb:Natc:Nath₁:f b = ah₂:f c = a⊢ b = c grindAll goals completed! 🐙

Enabling trace.grind.ematch.instance makes it possible to see the equalities found by E-matching:

example (h₁ : f b = a) (h₂ : f c = a) : b = c := byb:Nata:Natc:Nath₁:f b = ah₂:f c = a⊢ b = c set_option trace.grind.ematch.instance true in [grind.ematch.instance] gf: g (f c) = c[grind.ematch.instance] gf: g (f b) = bgrindAll goals completed! 🐙

[grind.ematch.instance] gf: g (f c) = c[grind.ematch.instance] gf: g (f b) = b

After E-matching, the proof succeeds because congruence closure equates g (f c) with g (f b), because both f b and f c are equal to a. Thus, b and c must be in the same equivalence class.

R is a transitive binary relation over Int:

opaque R : Int → Int → Prop axiom Rtrans {x y z : Int} : R x y → R y z → R x z

To use the fact that R is transitive, grind must already be able to satisfy both premises. This is represented using a multi-pattern:

grind_pattern Rtrans => R x y, R y z example {a b c d} : R a b → R b c → R c d → R a d := bya:Intb:Intc:Intd:Int⊢ R a b → R b c → R c d → R a d grindAll goals completed! 🐙

The multi-pattern R x y, R y z instructs grind to instantiate Rtrans only when both R x y and R y z are available in the context. In the example, grind applies Rtrans to derive R a c from R a b and R b c, and can then repeat the same reasoning to deduce R a d from R a c and R c d.

When attempting to prove that a⁻¹ = b, grind uses inv_eq due to the @[grind ←=] annotation.

@[grind ←=] theorem declaration uses 'sorry'inv_eq [One α] [Mul α] [Inv α] {a b : α} (w : a * b = 1) : a⁻¹ = b := sorry

grind does not automatically apply the η-equality rule for structures. Point is a structure with two fields:

structure Point where x : Int y : Int

By default, grind can't solve goals like this one:

example (p : Point) : p = ⟨p.x, p.y⟩ := byp:Point⊢ p = { x := p.x, y := p.y } `grind` failed grindp:Pointh:¬p = { x := p.x, y := p.y }⊢ False

[grind] Goal diagnostics

• [facts] Asserted facts

  • [prop] ¬p = { x := p.x, y := p.y }
• [eqc] False propositions

  • [prop] p = { x := p.x, y := p.y }

grindp:Point⊢ p = { x := p.x, y := p.y }

`grind` failed
grindp:Pointh:¬p = { x := p.x, y := p.y }⊢ False
[grind] Goal diagnostics
[facts] Asserted facts
[prop] ¬p = { x := p.x, y := p.y }
[eqc] False propositions
[prop] p = { x := p.x, y := p.y }

This kind of goal may come up when proving theorems like the fact that swapping the fields of a point twice is the identity:

def Point.swap (p : Point) : Point := ⟨p.y, p.x⟩ theorem swap_swap_eq_id : Point.swap ∘ Point.swap = id := by⊢ Point.swap ∘ Point.swap = id unfold Point.swap⊢ ((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id `grind` failed grindh:¬((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = idw:Pointh_1:¬{ x := w.x, y := w.y } = id w⊢ False

[grind] Goal diagnostics

• [facts] Asserted facts

  • [prop] ¬((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id
  • [prop] ∃ x, ¬{ x := x.x, y := x.y } = id x
  • [prop] ¬{ x := w.x, y := w.y } = id w
  • [prop] id w = w
• [eqc] True propositions

  • [prop] ∃ x, ¬{ x := x.x, y := x.y } = id x
• [eqc] False propositions

  • [prop] ((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id
  • [prop] { x := w.x, y := w.y } = id w
• [eqc] Equivalence classes

  • [eqc] {w, id w}
• [cases] Case analyses

  • [cases] [1/1]: ∃ x, ¬{ x := x.x, y := x.y } = id x

    • [cases] source: Extensionality funext
• [ematch] E-matching patterns

  • [thm] id.eq_1: [@id #1 #0]

[grind] Diagnostics

• [thm] E-Matching instances

  • [thm] id.eq_1 ↦ 1

grind⊢ ((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id

`grind` failed
grindh:¬((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = idw:Pointh_1:¬{ x := w.x, y := w.y } = id w⊢ False
[grind] Goal diagnostics
[facts] Asserted facts
[prop] ¬((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id
[prop] ∃ x, ¬{ x := x.x, y := x.y } = id x
[prop] ¬{ x := w.x, y := w.y } = id w
[prop] id w = w
[eqc] True propositions
[prop] ∃ x, ¬{ x := x.x, y := x.y } = id x
[eqc] False propositions
[prop] ((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id
[prop] { x := w.x, y := w.y } = id w
[eqc] Equivalence classes
[eqc] {w, id w}
[cases] Case analyses
[cases] [1/1]: ∃ x, ¬{ x := x.x, y := x.y } = id x
[cases] source: Extensionality funext
[ematch] E-matching patterns
[thm] id.eq_1: [@id #1 #0]

[grind] Diagnostics
[thm] E-Matching instances
[thm] id.eq_1 ↦ 1

Adding the @[grind ext] attribute to Point enables grind to solve both the original example and prove this theorem:

attribute [grind ext] Point example (p : Point) : p = ⟨p.x, p.y⟩ := byp:Point⊢ p = { x := p.x, y := p.y } grindAll goals completed! 🐙 theorem swap_swap_eq_id' : Point.swap ∘ Point.swap = id := by⊢ Point.swap ∘ Point.swap = id unfold Point.swap⊢ ((fun p => { x := p.y, y := p.x }) ∘ fun p => { x := p.y, y := p.x }) = id grindAll goals completed! 🐙

In order to use this proof that divisibility is transitive with grind, it requires E-matching patterns:

theorem div_trans {n k j : Nat} : n ∣ k → k ∣ j → n ∣ j := byn:Natk:Natj:Nat⊢ n ∣ k → k ∣ j → n ∣ j intro ⟨d₁, p₁⟩ ⟨d₂, p₂⟩n:Natk:Natj:Natd₁:Natp₁:k = n * d₁d₂:Natp₂:j = k * d₂⊢ n ∣ j exact ⟨d₁ * d₂, byn:Natk:Natj:Natd₁:Natp₁:k = n * d₁d₂:Natp₂:j = k * d₂⊢ j = n * (d₁ * d₂) rw [p₂, p₁, Nat.mul_assoc]All goals completed! 🐙⟩

The right attribute to use is @[grind →], because there should be a pattern for each premise. Using @[grind? →], it is possible to see which patterns are generated:

attribute [div_trans: [@Dvd.dvd `[Nat] `[Nat.instDvd] #4 #3, @Dvd.dvd `[Nat] `[Nat.instDvd] #3 #2]grind? →] div_trans

There are two:

div_trans: [@Dvd.dvd `[Nat] `[Nat.instDvd] #4 #3, @Dvd.dvd `[Nat] `[Nat.instDvd] #3 #2]

Arguments are numbered from right to left, so #0 is the assumption that k ∣ j, while #4 is n. Thus, these two patterns correspond to the terms n ∣ k and k ∣ j.

axiom p : Nat → Nat axiom q : Nat → Nat @[h₁: [q #1]grind? →] theorem declaration uses 'sorry'h₁ (w : 7 = p (q x)) : p (x + 1) = q x := sorry

h₁: [q #1]

The pattern is q x. Counting from the right, parameter #0 is the premise w and parameter #1 is the implicit parameter x.

Why did @[grind →]? select q #1? The attribute @[grind →] finds patterns by traversing the hypotheses (that is, parameters whose types are propositions) from left to right. In this case, there's only a single hypothesis: 7 = p (q x). The heuristic described above says that grind will search for a minimal indexable subexpression which covers a previously uncovered parameter. There's just one uncovered parameter, namely x. The whole hypothesis p (q x) = 7 can't be used because grind will not index on equality. The right-hand side 7 is not helpful, because it doesn't determine the value of x. p (q x) is not suitable because it is not minimal: it has q x inside of it, which is indexable (its head is the constant q), and it determines the value of x. The expression q x itself is minimal, because x is not indexable. Thus, q x is selected as the pattern.

In this example, the Lean.Parser.Attr.grindMod← modifier indicates that the pattern should be found in the conclusion:

set_option trace.grind.debug.ematch.pattern true in @[[grind.debug.ematch.pattern] place: p (x + 1) = q x[grind.debug.ematch.pattern] collect: p (x + 1) = q x[grind.debug.ematch.pattern] arg: Nat, support: true[grind.debug.ematch.pattern] arg: p (x + 1), support: false[grind.debug.ematch.pattern] collect: p (x + 1)[grind.debug.ematch.pattern] candidate: p (x + 1)[grind.debug.ematch.pattern] found pattern: p (#1 + 1)[grind.debug.ematch.pattern] found full coverage[grind.debug.ematch.pattern] arg: q x, support: falseh₂: [p (#1 + 1)]grind? ←] theorem declaration uses 'sorry'h₂ (w : 7 = p (q x)) : p (x + 1) = q x := sorry

The left side of the equality is used because Eq is not indexable and HAdd.hAdd has lower priority than p.

h₂: [p (#1 + 1)]

In this example, two separate E-matching patterns are generated from the equality conclusion. One matches the left-hand side, and the other matches the right-hand side.

@[h₃: [q #1]h₃: [p (#1 + 1)]grind? _=_] theorem declaration uses 'sorry'h₃ (w : 7 = p (q x)) : p (x + 1) = q x := sorry

h₃: [q #1]

The entire left side of the equality is used instead of just x + 1 because HAdd.hAdd has lower priority than p.

h₃: [p (#1 + 1)]

Without any modifiers, @[grind] produces a multipattern by first checking the conclusion and then the premises:

@[h₄: [p (#2 + 2), q #1]grind?] theorem declaration uses 'sorry'h₄ (w : p x = q y) : p (x + 2) = 7 := sorry

Here, argument x is #2, y is #1, and w is #0. The resulting multipattern contains the left-hand side of the equality, which is the only minimal indexable subexpression of the conclusion that covers an argument (namely x). It also contains q y, which is the only minimal indexable subexpression of the hypothesis w that covers an additional argument (namely y).

h₄: [p (#2 + 2), q #1]

In this example, pattern generation fails because the theorem's conclusion doesn't mention the the argument y.

@[`@[grind ←] theorem h₅` failed to find patterns in the theorem's conclusion, consider using different options or the `grind_pattern` commandgrind? ←] theorem declaration uses 'sorry'h₅ (w : p x = q y) : p (x + 2) = 7 := sorry

`@[grind ←] theorem h₅` failed to find patterns in the theorem's conclusion, consider using different options or the `grind_pattern` command

In this example, the pattern is generated by traversing the premises from left to right, followed by the conclusion:

@[h₆: [q (#3 + 2), p (#2 + 2)]grind? =>] theorem declaration uses 'sorry'h₆ (_ : q (y + 2) = q y) (_ : q (y + 1) = q y) : p (x + 2) = 7 := sorry

In the patterns, y is argument #3 and x is argument #2, because automatic implicit parameters are inserted from left to right and y occurs before x in the theorem statement. The premises are arguments #1 and #0. In the resulting multipattern, y is covered by a subexpression of the first premise, and z is covered by a subexpression of the conclusion:

h₆: [q (#3 + 2), p (#2 + 2)]

E-matching can generate too many theorem instances. Some patterns may even generate an unbounded number of instances.

In this example, s_eq is added to the index with the pattern s x:

def s (x : Nat) := 0 @[s_eq: [s #0]grind? =] theorem s_eq (x : Nat) : s x = s (x + 1) := rfl

s_eq: [s #0]

Attempting to use this theorem results in many facts about s applied to concrete values being generated. In particular, s_eq is instantiated with a new Nat in each of the five rounds. First, grind instantiates s_eq with x := 0, which generates the term s 1. This matches the pattern s x, and is thus used to instantiate s_eq with x := 1, which generates the term s 2, and so on until the round limit is reached.

example : s 0 > 0 := by⊢ s 0 > 0 `grind` failed grindh:s 0 = 0⊢ False

[grind] Goal diagnostics

• [facts] Asserted facts

  • [prop] s 0 = 0
  • [prop] s 0 = s 1
  • [prop] s 1 = s 2
  • [prop] s 2 = s 3
  • [prop] s 3 = s 4
  • [prop] s 4 = s 5
• [eqc] Equivalence classes

  • [eqc] {s 0, 0, s 1, s 2, s 3, s 4, s 5}
• [ematch] E-matching patterns

  • [thm] s_eq: [s #0]
• [cutsat] Assignment satisfying linear constraints

  • [assign] s 0 := 0
  • [assign] s 1 := 0
  • [assign] s 2 := 0
  • [assign] s 3 := 0
  • [assign] s 4 := 0
  • [assign] s 5 := 0
• [limits] Thresholds reached

  • [limit] maximum number of E-matching rounds has been reached, threshold: `(ematch := 5)`

[grind] Diagnostics

• [thm] E-Matching instances

  • [thm] s_eq ↦ 5

grind⊢ s 0 > 0

`grind` failed
grindh:s 0 = 0⊢ False
[grind] Goal diagnostics
[facts] Asserted facts
[prop] s 0 = 0
[prop] s 0 = s 1
[prop] s 1 = s 2
[prop] s 2 = s 3
[prop] s 3 = s 4
[prop] s 4 = s 5
[eqc] Equivalence classes
[eqc] {s 0, 0, s 1, s 2, s 3, s 4, s 5}
[ematch] E-matching patterns
[thm] s_eq: [s #0]
[cutsat] Assignment satisfying linear constraints
[assign] s 0 := 0
[assign] s 1 := 0
[assign] s 2 := 0
[assign] s 3 := 0
[assign] s 4 := 0
[assign] s 5 := 0
[limits] Thresholds reached
[limit] maximum number of E-matching rounds has been reached, threshold: `(ematch := 5)`

[grind] Diagnostics
[thm] E-Matching instances
[thm] s_eq ↦ 5

Increasing the round limit to 20 causes E-matching to terminate due to the default generation limit of 8:

example : s 0 > 0 := by⊢ s 0 > 0 `grind` failed grindh:s 0 = 0⊢ False

[grind] Goal diagnostics

• [facts] Asserted facts

  • [prop] s 0 = 0
  • [prop] s 0 = s 1
  • [prop] s 1 = s 2
  • [prop] s 2 = s 3
  • [prop] s 3 = s 4
  • [prop] s 4 = s 5
  • [prop] s 5 = s 6
  • [prop] s 6 = s 7
  • [prop] s 7 = s 8
• [eqc] Equivalence classes

  • [eqc] {s 0, 0, s 1, s 2, s 3, s 4, s 5, s 6, s 7, s 8}
• [ematch] E-matching patterns

  • [thm] s_eq: [s #0]
• [cutsat] Assignment satisfying linear constraints

  • [assign] s 0 := 0
  • [assign] s 1 := 0
  • [assign] s 2 := 0
  • [assign] s 3 := 0
  • [assign] s 4 := 0
  • [assign] s 5 := 0
  • [assign] s 6 := 0
  • [assign] s 7 := 0
  • [assign] s 8 := 0
• [limits] Thresholds reached

  • [limit] maximum term generation has been reached, threshold: `(gen := 8)`

[grind] Diagnostics

• [thm] E-Matching instances

  • [thm] s_eq ↦ 8

grind (ematch := 20)⊢ s 0 > 0

`grind` failed
grindh:s 0 = 0⊢ False
[grind] Goal diagnostics
[facts] Asserted facts
[prop] s 0 = 0
[prop] s 0 = s 1
[prop] s 1 = s 2
[prop] s 2 = s 3
[prop] s 3 = s 4
[prop] s 4 = s 5
[prop] s 5 = s 6
[prop] s 6 = s 7
[prop] s 7 = s 8
[eqc] Equivalence classes
[eqc] {s 0, 0, s 1, s 2, s 3, s 4, s 5, s 6, s 7, s 8}
[ematch] E-matching patterns
[thm] s_eq: [s #0]
[cutsat] Assignment satisfying linear constraints
[assign] s 0 := 0
[assign] s 1 := 0
[assign] s 2 := 0
[assign] s 3 := 0
[assign] s 4 := 0
[assign] s 5 := 0
[assign] s 6 := 0
[assign] s 7 := 0
[assign] s 8 := 0
[limits] Thresholds reached
[limit] maximum term generation has been reached, threshold: `(gen := 8)`

[grind] Diagnostics
[thm] E-Matching instances
[thm] s_eq ↦ 8