Reflective Decomposition & Iterative Proof Repair

• Reflective decomposition is the process of reifying complex proof obligations into modular, internal representations to enable systematic and verified reasoning.
• Iterative proof repair incrementally refines incomplete proofs by integrating feedback, automated hint packages, and error-driven cycles to correct and enhance verification.
• These techniques are widely applied in proof assistants and automated program repair pipelines to improve scalability, efficiency, and reliability in formal verification.

Reflective decomposition and iterative proof repair are foundational concepts in modern formal verification and automated theorem proving, underpinning a broad range of methods that transform the task of constructing, analyzing, or repairing formal proofs into manageable, modular steps. At their core, these ideas unite techniques from computational reflection, symbolic computation, model learning, program analysis, and feedback-driven proof and program development, with key implementations spanning proof assistants, program verifiers, and LLMs. The following sections survey this landscape, emphasizing precise methodological frameworks and technical details as documented in recent research.

1. Foundations of Reflective Decomposition

Reflective decomposition refers to the process of systematically reifying complex proof obligations or reasoning tasks into syntactic representations inside a formal system, breaking them into primitive subgoals, and invoking verified procedures to manipulate these representations. The methodology is exemplified by frameworks like MirrorShard (Malecha et al., 2013), where verification obligations—such as separation logic assertions—are first mirrored as inductive data types (e.g., expr for expressions, sexpr for separation logic formulas). Symbolic computation over these reified structures decomposes a verification task into atomic proof obligations.

An archetypal reflective decomposition proceeds by:

• Reification: Translating object-level formulas, predicates, or program states into an internal syntactic representation.
• Symbolic decomposition: Applying reflective, verified computation to reduce the high-level obligation into a set of subgoals. For example, when reasoning about abstract predicates in separation logic, an unfolding step may produce concrete heaplets and additional pure side conditions.
• Soundness transfer: Employing meta-theorems (proved within the logic of the proof assistant) that transfer correctness from the subgoals back to the original, unreified obligation. For example:

$$\text{Theorem } f\_eq\_correct : \forall a\, b\, ty,\; \text{Forall}\; (t,x,y)\in f\_eq\, a\,b\,ty,\; \text{denote}\; x\; t = \text{denote}\; y\; t \implies \text{denote}\; a\; ty = \text{denote}\; b\; ty.$$

In algebraic domains, reflective decomposition is extended by preprocessing steps that push down structure-preserving maps (such as homomorphisms) to yield normalized, comparable syntactic forms (Sakaguchi, 2022). This expands the scope of internal, automated proof search by enabling robust support for overloaded and canonical structures, e.g., in the context of Coq's Mathematical Components.

2. Iterative Proof Repair: Methodology and Mechanisms

Iterative proof repair is a layered process in which repairable proof artifacts—either formal proofs, programs, or verification obligations—are incrementally refined based on feedback, intermediate computation, or model-driven diagnosis. Iterative repair is crucial when initial proof attempts are incomplete, erroneous, or incompletely aligned with evolving specifications.

Key features include:

• Incremental refinement cycles: Partial proof attempts are iteratively repaired by applying verified hint packages, automated patching, or feedback integration derived from failed proof attempts or counterexamples (Malecha et al., 2013, Qu et al., 2022, First et al., 2023, Zhou et al., 21 Jul 2025).
• Hint architectures: In reflective frameworks like MirrorShard, repair leverages "hints"—modular, externally provided knowledge in the form of:
  • Refinement lemmas (e.g., unfolding predicates under side conditions),
  • Base theory provers (e.g., decision procedures for linear arithmetic),
  • Memory evaluators handling heap and pointer reasoning.
• Feedback loops and error-driven repair: In agentic or language-model-based settings, such as Delta Prover (Zhou et al., 21 Jul 2025) or Baldur (First et al., 2023), proof candidates are checked in the kernel; failure triggers a repair prompt, incorporating error messages and relevant context, to guide the LLM toward revised attempts.

In program repair (APR), iterative repair exploits program execution feedback—failed tests or compilation errors—to further prompt LLMs until a plausible patch is generated, as formalized in looped pseudocode and finite patch budgets (Ruiz et al., 5 May 2025).

3. Tooling, Integration, and Modularity

Reflective decomposition and iterative repair are most impactful when deeply integrated with formal proof infrastructure. Approaches differ depending on the setting:

• Inside Proof Assistants: MirrorShard and related Coq frameworks run reflective computations as Gallina functions, invoked from within user-created Ltac tactics. Reification, reflective reduction, and hint-driven repair loop seamlessly with Coq's unification engine and tactic language, permitting two-way transfer of variable instantiations and subgoal management (Malecha et al., 2013). Setoid-based repair strategies allow for quotient type changes to be addressed in proof repair, even in the absence of native quotient types in Coq (Viola et al., 2023).
• Plug-in Architecture: Example: Pumpkin Pi extends the Pumpkin Patch suite for Coq (Ringer et al., 2020, Viola et al., 2023), featuring configurable proof term transformations and engines for script decompilation and proof repair.
• Domain-Specific Languages (DSLs) for Proof Management: Delta Prover (Zhou et al., 21 Jul 2025) layers a custom DSL atop Lean 4 (via the PlayM monad), introducing tactics such as "Suppose", "ShowBy", and "Conclude" to formally represent and manipulate proof subgoals. This enables agent-based orchestration of decomposed subproblems and consolidation of solutions into end-to-end proofs.

The table below summarizes architectural constituents in several systems:

Framework	Decomposition Mechanism	Iterative Repair Mechanism
MirrorShard (Coq)	Reflective reification, Gallina functions	Verified hint packages, Ltac glue
Pumpkin Pi (Coq)	Proof-term transformation via type equivalence	Automated patching, script decompilation
Delta Prover (Lean 4)	LLM-generated informal plans, DSL sketch	Kernel feedback loop, LLM repair via error messages
Baldur (Isabelle/HOL)	LLM whole-proof generation	Repair via error-driven LLM prompt
IBR (QA) (Qu et al., 2022)	Node/edge decomposition of proof graph	Iterative parent-child prediction, repair on-the-fly

4. Applications and Case Studies

Reflective decomposition and iterative proof repair are applied in a diversity of domains:

• Separation Logic Verification: MirrorShard automates proofs about linked data structures (lists, trees, queues) and larger imperative components (thread libraries, web servers) through reified symbolic execution and iterative repair based on hints (Malecha et al., 2013).
• Algebraic Reasoning: By reflecting packed class operations and supporting homomorphisms, modern reflexive tactics automate and repair algebraic arguments (e.g., in formal proofs of Apéry's theorem), affording significant checking-time improvements and modular extension (Sakaguchi, 2022).
• Program and Proof Porting across Equivalences: Tools like Pumpkin Pi facilitate the migration of proofs across changes in data representation, such as refactoring unary to binary numbers, or transporting queue implementations between one-list and quotient representations, leveraging deeply configurable transformations (Ringer et al., 2020, Viola et al., 2023).
• Formal Math with General-Purpose LLMs: Delta Prover showcases that an agentic wrapper, combining decomposition and iterative repair, allows general LLMs (Gemini 2.5 Pro) to achieve 95.9% accuracy on miniF2F, surpassing both specialized 72B parameter theorem-provers and prior approaches (Zhou et al., 21 Jul 2025). Iterative repair and decomposition together enable robust scaling to complex mathematic inference.
• Automated Program Repair (APR): Instruction-tuned LLMs (DeepSeekCoder-Instruct, Codellama-Instruct, Llama3.1-Instruct) are deployed in feedback- and iteration-driven program repair pipelines, producing significantly higher plausible patch rates, especially when balancing iterations and outputs under fixed budgets (Ruiz et al., 5 May 2025).

5. Formal Underpinnings and Theoretical Context

Reflective decomposition in formal logic often aligns with hierarchies of reflection and consistency. For instance:

• In proof theory, iterated transfinite reflection and consistency principles decompose the totality of provable $\Pi_1$-consequences into ordinal-indexed stages (e.g., $$T_\alpha = \mathrm{PRA} + \forall_{\gamma<\alpha} \mathrm{Con}_\gamma(\mathrm{PRA})$$), with each transfinite stage encoding a proof-theoretic "repair" of the theory's reliability (Freund, 2017, Frittaion, 12 Nov 2024).
• Infinite (ω-)proof analysis, ordinal characterizations, and cut-elimination processes each exemplify reflective decomposition by partitioning global reasoning into localized repairable transformations.

The key LaTeX formula capturing the iterative consistency construction is:

$$T_\alpha = \text{PRA} + \forall_{\gamma<\alpha} \mathrm{Con}_\gamma(\text{PRA})$$

and, for uniform reflection in intuitionistic arithmetic:

$$\text{Urf}(T): \quad \forall x\; ( \mathrm{Pr}(\ulcorner \varphi(\dot{x}) \urcorner) \rightarrow \varphi(x) )$$

These frameworks provide the formal basis upon which automated and agentic proof repair systems are constructed.

6. Performance, Scalability, and Impact

Empirical evaluations underscore:

• Reflective agentic systems outperform traditional best-of-N sampling for automated proof synthesis. Delta Prover achieves 95.9% on miniF2F-test, outperforming specialized models by several percentage points (Zhou et al., 21 Jul 2025).
• Iterative repair delivers improved success rates and efficiency in both proof and program repair. For instance, in Baldur, incorporating error-driven repair raises the automatic proof rate by an additional 1.5%, and in APR, plausible patch rates improve by up to 78% with judicious fine-tuning and iterative generation (First et al., 2023, Ruiz et al., 5 May 2025).
• Overfitting poses challenges in iterative settings; there is a documented trade-off between model specialization and the utility of iteration for accommodating feedback, especially in complex code or proof domains.

7. Open Directions and Broader Implications

The ongoing development and integration of reflective decomposition and iterative proof repair have far-reaching consequences:

• Unified agent-based reasoning systems offer the promise of open-ended automation in formal verification without requiring extensive model specialization, training, or heuristics-heavy search.
• Advances in proof repair across quotient type equivalences, leveraging setoid machinery or native quotient types (as in Cubical Agda), highlight the evolution of both automation and internal correctness verification in proof assistants (Viola et al., 2023).
• The compositional, modular view of verification under reflective decomposition aligns with compositional model checking, program synthesis, and knowledge-based AI agent architectures.
• Trends point to the synthesis of repair mechanisms, retrieval-augmented reasoning, evolutionary search, and reinforcement learning within agentic frameworks, with the objective of further scaling automated theorem proving and software correctness.

Reflective decomposition and iterative proof repair thus constitute both foundational theory and practical methodology, reshaping the landscape of automated reasoning and formal verification at scale in proof assistants and beyond.