SAT Solver verification

Size: px

Start display at page:

Download "SAT Solver verification"

Griselda Theodora Young
5 years ago
Views:

1 SAT Solver verification By Filip Marić April 17, 2016 Abstract This document contains formall correctness proofs of modern SAT solvers. Two different approaches are used state-transition systems shallow embedding into HOL. Formalization based on state-transition systems follows [1, 3]. Several different SAT solver descriptions are given their partial correctness termination is proved. These include: 1. a solver based on classical DPLL procedure (based on backtracksearch with unit propagation), 2. a very general solver with backjumping learning (similiar to the description given in [3]), 3. a solver with a specific conflict analysis algorithm (similiar to the description given in [1]). Formalization based on shallow embedding into HOL defines a SAT solver as a set or recursive HOL functions. Solver supports most state-of-the art techniques including the two-watch literal propagation scheme. Within the SAT solver correctness proofs, a large number of lemmas about propositional logic CNF formulae are proved. This theory is self-contained could be used for further exploring of properties of CNF based SAT algorithms. Contents 1 MoreList last butlast - last element of list elements before it removeall - element removal uniq - no duplicate elements firstpos - first position of an element precedes - ordering relation induced by firstpos isprefix - prefixes of list list-diff - the set difference operation on two lists remdups - removing duplicates Levi s lemma Single element lists

2 2 CNF Syntax Basic datatypes Membership Variables Opposite literals Tautological clauses Semantics Valuations True/False literals True/False clauses True/False formulae Valuation viewed as a formula Consistency of valuations Totality of valuations Models satisfiability Tautological clauses Entailment Equivalency Remove false duplicate literals of a clause Resolution Unit clauses Reason clauses Last asserted literal of a list Trail datatype its properties Trail elements Marked trail elements Prefix before/upto a trail element Marked elements upto a given trail element Last marked element in a trail Level of a trail element Current trail level Prefix to a given trail level Number of literals of every trail level Prefix before last marked element Verification of DPLL based SAT solvers Literal Trail Invariants Auxiliary lemmas Transition rules preserve invariants Different characterizations of backjumping Termination Trail ordering Conflict clause ordering ConflictFlag ordering Formulae ordering Properties of well-founded relations

3 5 BasicDPLL Specification Invariants Soundness Termination Completeness Transition system of Nieuwenhuis, Oliveras Tinelli Specification Invariants Soundness Termination Completeness Transition system of Krstić Goel Specification Invariants Soundness Termination Completeness Functional implementation of a SAT solver with Two Watch literal propagation Specification Total correctness theorem MoreList theory MoreList imports Main /src/hol/library/multiset begin Theory contains some additional lemmas functions for the List datatype. Warning: some of these notions are obsolete because they already exist in List.thy in similiar form. 1.1 last butlast - last element of list elements before it lemma listequalsbutlastappendlast: list [] list = (butlast [last list] lemma lastlistinlist [simp]: list [] last list set list 3

4 lemma butlastissubset: set (butlast list) set list lemma setlistissetbutlastandlast: set list set (butlast list) {last list} lemma butlastappend: butlast list2 ) = (if list2 = [] then butlast list1 else butlast list2 )) 1.2 removeall - element removal lemma removeall-multiset: distinct a x set a mset a = {#x#} + mset (removeall x a) lemma removeall-map: x y. x y f x f y removeall (f x) (map f a) = map f (removeall x a) 1.3 uniq - no duplicate elements. uniq list holds iff there are no repeated elements in a list. Obsolete: same as distinct in List.thy. primrec uniq :: a list => bool uniq [] = True uniq (h#t) = (h / set t uniq t) lemma uniqdistinct: uniq l = distinct l lemma uniqappend: uniq l2 ) uniq l1 uniq l2 lemma uniqappendiff : uniq l2 ) = (uniq l1 uniq l2 set l1 set l2 = {}) (is?lhs =?rhs) lemma uniqappendelement: 4

5 uniq l e / set l = uniq [e]) lemma uniqimpliesnotlastmembutlast: uniq l last l / set (butlast l) lemma uniqbutlastnotuniqlistimplieslastmembutlast: uniq (butlast l) uniq l last l set (butlast l) lemma uniqremdups: uniq (remdups x) lemma uniqheadtailset: uniq l set (tl l) = (set l) {hd l} lemma uniqlengtheqcardset: uniq l length l = card (set l) lemma lengthgtonetwodistinctelements: uniq l length l > 1 l [] a1 a2. a1 set l a2 set l a1 a2 1.4 firstpos - first position of an element firstpos returns the zero-based index of the first occurrence of an element int a list, or the length of the list if the element does not occur. primrec firstpos :: a => a list => nat firstpos a [] = 0 firstpos a (h # t) = (if a = h then 0 else 1 + (firstpos a t)) lemma firstposequalzero: (firstpos a (m # M ) = 0 ) = (a = m) 5

6 lemma firstposlelength: a set l firstpos a l < length l lemma firstposappend: a set l firstpos a l = firstpos a l ) lemma firstposappendnonmemberfirstmembersecond: a / set l1 a set l2 firstpos a l2 ) = length l1 + firstpos a l2 lemma firstposdomainforelements: (0 firstpos a l firstpos a l < length l) = (a set l) (is?lhs =?rhs) lemma firstposequal: a set l b set l (firstpos a l = firstpos b l) = (a = b) (is?lhs =?rhs) lemma firstposlast: l [] uniq l (firstpos x l = length l 1 ) = (x = last l) 1.5 precedes - ordering relation induced by firstpos precedes :: a => a => a list => bool precedes a b l == (a set l b set l firstpos a l <= firstpos b l) lemma noelementsprecedesfirstelement: a b precedes a b (b # list) lemma lastprecedesnoelement: uniq l ( a. a last l precedes (last l) a l) lemma precedesappend: precedes a b l 6

7 precedes a b l ) lemma precedesmemberheadmembertail: a set l1 b / set l1 b set l2 precedes a b l2 ) lemma precedesreflexivity: a set l precedes a a l lemma precedestransitivity: precedes a b l precedes b c l precedes a c l lemma precedesantisymmetry: a set l b set l precedes a b l precedes b a l a = b lemma precedestotalorder: a set l b set l a=b precedes a b l precedes b a l lemma precedesmap: precedes a b list x y. x y f x f y precedes (f a) (f b) (map f list) lemma precedesfilter: precedes a b list f a f b precedes a b (filter f list) precedesorder list == {(a, b). precedes a b list a b} lemma transprecedesorder: trans (precedesorder list) 7

8 lemma wellfoundedprecedesorder: wf (precedesorder list) 1.6 isprefix - prefixes of list. Check if a list is a prefix of another list. Obsolete: similiar notion is defined in List prefixes.thy. isprefix :: a list => a list => bool isprefix p t = ( s. s = t) lemma prefixissubset: isprefix p l set p set l lemma uniqlistimpliesuniqprefix: isprefix p l uniq l uniq p lemma firstposprefixelement: isprefix p l a set p firstpos a p = firstpos a l lemma laterinprefixretainsprecedes: isprefix p l precedes a b l b set p precedes a b p 1.7 list-diff - the set difference operation on two lists. primrec list-diff :: a list a list a list list-diff x [] = x list-diff x (y#ys) = list-diff (removeall y x) ys lemma [simp]: list-diff [] y = [] 8

9 lemma [simp]: list-diff (x # xs) y = (if x set y then list-diff xs y else x # list-diff xs y) lemma listdiffiff : (x set a x / set b) = (x set (list-diff a b)) lemma listdiffdoubleremoveall: x set a list-diff b a = list-diff b (x # a) lemma removealllistdiff [simp]: removeall x (list-diff a b) = list-diff (removeall x a) b lemma listdiffremoveallnonmember: x / set a list-diff a b = list-diff a (removeall x b) lemma listdiffmap: x y. x y f x f y map f (list-diff a b) = list-diff (map f a) (map f b) 1.8 remdups - removing duplicates lemma remdupsremoveallcommute[simp]: remdups (removeall a list) = removeall a (remdups list) lemma remdupsappend: remdups b) = remdups (list-diff a remdups b lemma remdupsappendset: set (remdups b)) = set (remdups remdups (list-diff b a)) lemma remdupsappendmultiset: mset (remdups b)) = mset (remdups remdups (list-diff b a)) lemma remdupslistdiff : 9

10 remdups (list-diff a b) = list-diff (remdups a) (remdups b) multiset-le a b r == a = b (a, b) mult r lemma multisetemptylei : multiset-le {#} a r lemma multisetunionlessmono2 : trans r = (b1, b2 ) mult r = (a + b1, a + b2 ) mult r lemma multisetunionlessmono1 : trans r = (a1, a2 ) mult r = (a1 + b, a2 + b) mult r lemma multisetunionlemono2 : trans r multiset-le b1 b2 r multiset-le (a + b1 ) (a + b2 ) r lemma multisetunionlemono1 : trans r multiset-le a1 a2 r multiset-le (a1 + b) (a2 + b) r lemma multisetletrans: trans r multiset-le x y r multiset-le y z r 10

11 multiset-le x z r lemma multisetunionlemono: trans r multiset-le a1 a2 r multiset-le b1 b2 r multiset-le (a1 + b1 ) (a2 + b2 ) r lemma multisetlelistdiff : trans r multiset-le (mset (list-diff a b)) (mset a) r 1.9 Levi s lemma Obsolete: these two lemmas are already proved as append-eq-append-conv2 append-eq-cons-conv. lemma FullLevi: y = w) = (x = z y = w ( t. t = x y = w) ( t. t = z w = y)) (is?lhs =?rhs) lemma SimpleLevi: s = a # list) = ( p = [] s = a # list ( t. p = a # t s = list)) 1.10 Single element lists lemma lengthonecharacterisation: (length l = 1 ) = (l = [hd l]) lemma lengthoneimpliesonlyelement: length l = 1 a : set l a. a : set l a = a 11

12 end 2 CNF theory CNF imports MoreList begin Theory describing formulae in Conjunctive Normal Form. 2.1 Syntax Basic datatypes type-synonym Variable = nat datatype Literal = Pos Variable Neg Variable type-synonym Clause = Literal list type-synonym Formula = Clause list Notice that instead of set or multisets, lists are used in s of clauses formulae. This is done because SAT solver implementation usually use list-like data structures for representing these datatypes Membership Check if the literal is member of a clause, clause is a member of a formula or the literal is a member of a formula consts member :: a b bool (infixl el 55 ) overloading literalelclause member :: Literal Clause bool begin [simp]: ((literal::literal) el (clause::clause)) == literal set clause end overloading clauseelformula member :: Clause Formula bool begin [simp]: ((clause::clause) el (formula::formula)) == clause set formula end overloading el-literal op el :: Literal Formula bool begin primrec el-literal (literal::literal) el ([]::Formula) = False 12

13 ((literal::literal) el ((clause # formula)::formula)) = ((literal el clause) (literal el formula)) end lemma literalelformulacharacterization: fixes literal :: Literal formula :: Formula (literal el formula) = ( (clause::clause). clause el formula literal el clause) Variables The variable of a given literal primrec var :: Literal Variable var (Pos v) = v var (Neg v) = v Set of variables of a given clause, formula or valuation primrec varsclause :: (Literal list) (Variable set) varsclause [] = {} varsclause (literal # list) = {var literal} (varsclause list) primrec varsformula :: Formula (Variable set) varsformula [] = {} varsformula (clause # formula) = (varsclause clause) (varsformula formula) consts vars :: a Variable set overloading vars-clause vars :: Clause Variable set begin [simp]: vars (clause::clause) == varsclause clause end overloading vars-formula vars :: Formula Variable set begin [simp]: vars (formula::formula) == varsformula formula end overloading vars-set vars :: Literal set Variable set begin 13

14 [simp]: vars (s::literal set) == {vbl. l. l s var l = vbl} end lemma clausecontainsitsliteralsvariable: fixes literal :: Literal clause :: Clause literal el clause var literal vars clause lemma formulacontainsitsliteralsvariable: fixes literal :: Literal formula::formula literal el formula var literal vars formula lemma formulacontainsitsclausesvariables: fixes clause :: Clause formula :: Formula clause el formula vars clause vars formula lemma varsappendformulae: fixes formula1 :: Formula formula2 :: Formula vars formula2 ) = vars formula1 vars formula2 lemma varsappendclauses: fixes clause1 :: Clause clause2 :: Clause vars clause2 ) = vars clause1 vars clause2 lemma varsremoveliteral: fixes literal :: Literal clause :: Clause vars (removeall literal clause) vars clause lemma varsremoveliteralsuperset: fixes literal :: Literal clause :: Clause vars clause {var literal} vars (removeall literal clause) lemma varsremoveallclause: fixes clause :: Clause formula :: Formula vars (removeall clause formula) vars formula lemma varsremoveallclausesuperset: fixes clause :: Clause formula :: Formula 14

15 vars formula vars clause vars (removeall clause formula) lemma varinclausevars: fixes variable :: Variable clause :: Clause variable vars clause = ( literal. literal el clause var literal = variable) lemma varinformulavars: fixes variable :: Variable formula :: Formula variable vars formula = ( literal. literal el formula var literal = variable) (is?lhs formula =?rhs formula) lemma varssubsetformula: fixes F :: Formula F :: Formula c::clause. c el F c el F vars F vars F lemma varsclausevarsset: fixes clause :: Clause vars clause = vars (set clause) Opposite literals primrec opposite :: Literal Literal opposite (Pos v) = (Neg v) opposite (Neg v) = (Pos v) lemma oppositeidempotency [simp]: fixes literal::literal opposite (opposite literal) = literal lemma oppositesymmetry [simp]: fixes literal1 ::Literal literal2 ::Literal (opposite literal1 = literal2 ) = (opposite literal2 = literal1 ) lemma oppositeuniqueness [simp]: fixes literal1 ::Literal literal2 ::Literal (opposite literal1 = opposite literal2 ) = (literal1 = literal2 ) 15

16 lemma oppositeisdifferentfromliteral [simp]: fixes literal::literal opposite literal literal lemma oppositeliteralshavesamevariable [simp]: fixes literal::literal var (opposite literal) = var literal lemma literalswithsamevariableareequaloropposite: fixes literal1 ::Literal literal2 ::Literal (var literal1 = var literal2 ) = (literal1 = literal2 opposite literal1 = literal2 ) (is?lhs =?rhs) The list of literals obtained by negating all literals of a literal list (clause, valuation). Notice that this is not a negation of a clause, because the negation of a clause is a conjunction not a disjunction. oppositeliterallist :: Literal list Literal list oppositeliterallist clause == map opposite clause lemma literalellistiffoppositeliteraleloppositeliterallist: fixes literal :: Literal literallist :: Literal list literal el literallist = (opposite literal) el (oppositeliterallist literallist) lemma oppositeliterallistidempotency [simp]: fixes literallist :: Literal list oppositeliterallist (oppositeliterallist literallist) = literallist lemma oppositeliterallistremove: fixes literal :: Literal literallist :: Literal list oppositeliterallist (removeall literal literallist) = removeall (opposite literal) (oppositeliterallist literallist) lemma oppositeliterallistnonempty: fixes literallist :: Literal list (literallist []) = ((oppositeliterallist literallist) []) 16

17 lemma varsoppositeliterallist: vars (oppositeliterallist clause) = vars clause Tautological clauses Check if the clause contains both a literal its opposite primrec clausetautology :: Clause bool clausetautology [] = False clausetautology (literal # clause) = (opposite literal el clause clausetautology clause) lemma clausetautologycharacterization: fixes clause :: Clause clausetautology clause = ( literal. literal el clause (opposite literal) el clause) 2.2 Semantics Valuations type-synonym Valuation = Literal list lemma valuationcontainsitsliteralsvariable: fixes literal :: Literal valuation :: Valuation literal el valuation var literal vars valuation lemma varssubsetvaluation: fixes valuation1 :: Valuation valuation2 :: Valuation set valuation1 set valuation2 vars valuation1 vars valuation2 lemma varsappendvaluation: fixes valuation1 :: Valuation valuation2 :: Valuation vars valuation2 ) = vars valuation1 vars valuation2 lemma varsprefixvaluation: fixes valuation1 :: Valuation valuation2 :: Valuation isprefix valuation1 valuation2 vars valuation1 vars valuation2 17

18 2.2.2 True/False literals Check if the literal is contained in the given valuation literaltrue :: Literal Valuation bool literaltrue-def [simp]: literaltrue literal valuation == literal el valuation Check if the opposite literal is contained in the given valuation literalfalse :: Literal Valuation bool literalfalse-def [simp]: literalfalse literal valuation == opposite literal el valuation lemma variabledefinedimpliesliteraldefined: fixes literal :: Literal valuation :: Valuation var literal vars valuation = (literaltrue literal valuation literalfalse literal valuation) (is (?lhs valuation) = (?rhs valuation)) True/False clauses Check if there is a literal from the clause which is true in the given valuation primrec clausetrue :: Clause Valuation bool clausetrue [] valuation = False clausetrue (literal # clause) valuation = (literaltrue literal valuation clausetrue clause valuation) Check if all the literals from the clause are false in the given valuation primrec clausefalse :: Clause Valuation bool clausefalse [] valuation = True clausefalse (literal # clause) valuation = (literalfalse literal valuation clausefalse clause valuation) lemma clausetrueiffcontainstrueliteral: fixes clause :: Clause valuation :: Valuation clausetrue clause valuation = ( literal. literal el clause literaltrue literal valuation) 18

19 lemma clausefalseiffallliteralsarefalse: fixes clause :: Clause valuation :: Valuation clausefalse clause valuation = ( literal. literal el clause literalfalse literal valuation) lemma clausefalseremove: clausefalse clause valuation clausefalse (removeall literal clause) valuation lemma clausefalseappendvaluation: fixes clause :: Clause valuation :: Valuation valuation :: Valuation clausefalse clause valuation clausefalse clause valuation ) lemma clausetrueappendvaluation: fixes clause :: Clause valuation :: Valuation valuation :: Valuation clausetrue clause valuation clausetrue clause valuation ) lemma emptyclauseisfalse: fixes valuation :: Valuation clausefalse [] valuation lemma emptyvaluationfalsifiesonlyemptyclause: fixes clause :: Clause clause [] clausefalse clause [] lemma valuationcontainsitsfalseclausesvariables: fixes clause::clause valuation::valuation clausefalse clause valuation vars clause vars valuation True/False formulae Check if all the clauses from the formula are false in the given valuation primrec 19

20 formulatrue :: Formula Valuation bool formulatrue [] valuation = True formulatrue (clause # formula) valuation = (clausetrue clause valuation formulatrue formula valuation) Check if there is a clause from the formula which is false in the given valuation primrec formulafalse :: Formula Valuation bool formulafalse [] valuation = False formulafalse (clause # formula) valuation = (clausefalse clause valuation formulafalse formula valuation) lemma formulatrueiffallclausesaretrue: fixes formula :: Formula valuation :: Valuation formulatrue formula valuation = ( clause. clause el formula clausetrue clause valuation) lemma formulafalseiffcontainsfalseclause: fixes formula :: Formula valuation :: Valuation formulafalse formula valuation = ( clause. clause el formula clausefalse clause valuation) lemma formulatrueassociativity: fixes f1 :: Formula f2 :: Formula f3 :: Formula valuation :: Valuation formulatrue f2 f3 ) valuation = formulatrue f3 )) valuation lemma formulatruecommutativity: fixes f1 :: Formula f2 :: Formula valuation :: Valuation formulatrue f2 ) valuation = formulatrue f1 ) valuation lemma formulatruesubset: fixes formula :: Formula formula :: Formula valuation :: Valuation formulatrue: formulatrue formula valuation subset: (clause::clause). clause el formula clause el formula formulatrue formula valuation 20

21 lemma formulatrueappend: fixes formula1 :: Formula formula2 :: Formula valuation :: Valuation formulatrue formula2 ) valuation = (formulatrue formula1 valuation formulatrue formula2 valuation) lemma formulatrueremoveall: fixes formula :: Formula clause :: Clause valuation :: Valuation formulatrue formula valuation formulatrue (removeall clause formula) valuation lemma formulafalseappend: fixes formula :: Formula formula :: Formula valuation :: Valuation formulafalse formula valuation formulafalse formula ) valuation lemma formulatrueappendvaluation: fixes formula :: Formula valuation :: Valuation valuation :: Valuation formulatrue formula valuation formulatrue formula valuation ) lemma formulafalseappendvaluation: fixes formula :: Formula valuation :: Valuation valuation :: Valuation formulafalse formula valuation formulafalse formula valuation ) lemma trueformulawithsingleliteralclause: fixes formula :: Formula literal :: Literal valuation :: Valuation formulatrue (removeall [literal] formula) [literal]) formulatrue formula [literal]) Valuation viewed as a formula Converts a valuation (the list of literals) into formula (list of single member lists of literals) primrec 21

22 val2form :: Valuation Formula val2form [] = [] val2form (literal # valuation) = [literal] # val2form valuation lemma val2formel: fixes literal :: Literal valuation :: Valuation literal el valuation = [literal] el val2form valuation lemma val2formaresingleliteralclauses: fixes clause :: Clause valuation :: Valuation clause el val2form valuation ( literal. clause = [literal] literal el valuation) lemma val2formofsingleliteralvaluation: length v = 1 val2form v = [[hd v]] lemma val2formremoveall: fixes literal :: Literal valuation :: Valuation removeall [literal] (val2form valuation) = val2form (removeall literal valuation) lemma val2formappend: fixes valuation1 :: Valuation valuation2 :: Valuation val2form valuation2 ) = (val2form val2form valuation2 ) lemma val2formformulatrue: fixes valuation1 :: Valuation valuation2 :: Valuation formulatrue (val2form valuation1 ) valuation2 = ( (literal :: Literal). literal el valuation1 literal el valuation2 ) Consistency of valuations Valuation is inconsistent if it contains both a literal its opposite. primrec inconsistent :: Valuation bool inconsistent [] = False inconsistent (literal # valuation) = (opposite literal el valuation inconsistent valuation) 22

23 [simp]: consistent valuation == inconsistent valuation lemma inconsistentcharacterization: fixes valuation :: Valuation inconsistent valuation = ( literal. literaltrue literal valuation literalfalse literal valuation) lemma clausetrueandclausefalseimpliesinconsistent: fixes clause :: Clause valuation :: Valuation clausetrue clause valuation clausefalse clause valuation inconsistent valuation lemma formulatrueandformulafalseimpliesinconsistent: fixes formula :: Formula valuation :: Valuation formulatrue formula valuation formulafalse formula valuation inconsistent valuation lemma inconsistentappend: fixes valuation1 :: Valuation valuation2 :: Valuation inconsistent valuation2 ) inconsistent valuation1 inconsistent valuation2 ( literal. literaltrue literal valuation1 literalfalse literal valuation2 ) lemma consistentappendelement: consistent v literalfalse l v consistent [l]) lemma inconsistentremoveall: fixes literal :: Literal valuation :: Valuation inconsistent (removeall literal valuation) inconsistent valuation lemma inconsistentprefix: isprefix valuation1 valuation2 inconsistent valuation1 inconsistent valuation2 lemma consistentprefix: isprefix valuation1 valuation2 consistent valuation2 consistent valuation1 23

24 2.2.7 Totality of valuations Checks if the valuation contains all the variables from the given set of variables total [simp]: total valuation variables == variables vars valuation lemma totalsubset: fixes A :: Variable set B :: Variable set valuation :: Valuation A B total valuation B total valuation A lemma totalformulaimpliestotalclause: fixes clause :: Clause formula :: Formula valuation :: Valuation clauseel: clause el formula totalformula: total valuation (vars formula) totalclause: total valuation (vars clause) lemma totalvaluationforclausedefinesallitsliterals: fixes clause :: Clause valuation :: Valuation literal :: Literal totalclause: total valuation (vars clause) literalel: literal el clause trueorfalse: literaltrue literal valuation literalfalse literal valuation lemma totalvaluationforclausedefinesitsvalue: fixes clause :: Clause valuation :: Valuation totalclause: total valuation (vars clause) clausetrue clause valuation clausefalse clause valuation lemma totalvaluationforformuladefinesallitsliterals: fixes formula::formula valuation::valuation totalformula: total valuation (vars formula) literalelformula: literal el formula literaltrue literal valuation literalfalse literal valuation lemma totalvaluationforformuladefinesallitsclauses: fixes formula :: Formula valuation :: Valuation clause :: Clause totalformula: total valuation (vars formula) clauseelformula: clause el formula 24

25 clausetrue clause valuation clausefalse clause valuation lemma totalvaluationforformuladefinesitsvalue: totalformula: total valuation (vars formula) formulatrue formula valuation formulafalse formula valuation lemma totalremoveallsingleliteralclause: fixes literal :: Literal valuation :: Valuation formula :: Formula varliteral: var literal vars valuation totalremoveall: total valuation (vars (removeall [literal] formula)) total valuation (vars formula) Models satisfiability Model of a formula is a consistent valuation under which formula/clause is true consts model :: Valuation a bool overloading modelformula model :: Valuation Formula bool begin [simp]: model valuation (formula::formula) == consistent valuation (formulatrue formula valuation) end overloading modelclause model :: Valuation Clause bool begin [simp]: model valuation (clause::clause) == consistent valuation (clausetrue clause valuation) end Checks if a formula has a model satisfiable :: Formula bool satisfiable formula == valuation. model valuation formula lemma formulawithemptyclauseisunsatisfiable: fixes formula :: Formula ([]::Clause) el formula satisfiable formula lemma satisfiablesubset: fixes formula0 :: Formula formula :: Formula subset: (clause::clause). clause el formula0 clause el formula 25

26 satisfiable formula satisfiable formula0 lemma satisfiableappend: fixes formula1 :: Formula formula2 :: Formula satisfiable formula2 ) satisfiable formula1 satisfiable formula2 lemma modelexp: fixes formula :: Formula literal :: Literal valuation :: Valuation model valuation formula var literal / vars valuation model [literal]) formula Tautological clauses lemma tautologynotfalse: fixes clause :: Clause valuation :: Valuation clausetautology clause consistent valuation clausefalse clause valuation lemma tautologyintotalvaluation: clausetautology clause vars clause vars valuation clausetrue clause valuation lemma modelappendtautology: model valuation F clausetautology c vars valuation vars F vars c model valuation [c]) lemma satisfiableappendtautology: satisfiable F clausetautology c satisfiable [c]) lemma modelappendtautologicalformula: 26

27 fixes F :: Formula F :: Formula model valuation F c. c el F clausetautology c vars valuation vars F vars F model valuation F ) lemma satisfiableappendtautologicalformula: satisfiable F c. c el F clausetautology c satisfiable F ) lemma satisfiablefiltertautologies: satisfiable F = satisfiable (filter (% c. clausetautology c) F ) lemma modelfiltertautologies: model valuation (filter (% c. clausetautology c) F ) vars F vars valuation model valuation F Entailment Formula entails literal if it is true in all its models formulaentailsliteral :: Formula Literal bool formulaentailsliteral formula literal == (valuation::valuation). model valuation formula literaltrue literal valuation Clause implies literal if it is true in all its models clauseentailsliteral :: Clause Literal bool clauseentailsliteral clause literal == (valuation::valuation). model valuation clause literaltrue literal valuation Formula entails clause if it is true in all its models formulaentailsclause :: Formula Clause bool formulaentailsclause formula clause == 27

28 (valuation::valuation). model valuation formula model valuation clause Formula entails valuation if it entails its every literal formulaentailsvaluation :: Formula Valuation bool formulaentailsvaluation formula valuation == literal. literal el valuation formulaentailsliteral formula literal Formula entails formula if it is true in all its models formulaentailsformula :: Formula Formula bool formulaentailsformula-def : formulaentailsformula formula formula == (valuation::valuation). model valuation formula model valuation formula lemma singleliteralclausesentailitsliteral: fixes clause :: Clause literal :: Literal length clause = 1 literal el clause clauseentailsliteral clause literal lemma clauseentailsliteralthenformulaentailsliteral: fixes clause :: Clause formula :: Formula literal :: Literal clause el formula clauseentailsliteral clause literal formulaentailsliteral formula literal lemma formulaentailsliteralappend: fixes formula :: Formula formula :: Formula literal :: Literal formulaentailsliteral formula literal formulaentailsliteral formula ) literal lemma formulaentailsliteralsubset: fixes formula :: Formula formula :: Formula literal :: Literal formulaentailsliteral formula literal (c::clause). c el formula c el formula formulaentailsliteral formula literal lemma formulaentailsliteralremoveall: fixes formula :: Formula clause :: Clause literal :: Literal formulaentailsliteral (removeall clause formula) literal 28

29 formulaentailsliteral formula literal lemma formulaentailsliteralremoveallappend: fixes formula1 :: Formula formula2 :: Formula clause :: Clause valuation :: Valuation formulaentailsliteral ((removeall clause formula1 formula2 ) literal formulaentailsliteral formula2 ) literal lemma formulaentailsitsclauses: fixes clause :: Clause formula :: Formula clause el formula formulaentailsclause formula clause lemma formulaentailsclauseappend: fixes clause :: Clause formula :: Formula formula :: Formula formulaentailsclause formula clause formulaentailsclause formula ) clause lemma formulaunsatiffimpliesemptyclause: fixes formula :: Formula formulaentailsclause formula [] = ( satisfiable formula) lemma formulatrueextendwithentailedclauses: fixes formula :: Formula formula0 :: Formula valuation :: Valuation formulaentailed: (clause::clause). clause el formula formulaentailsclause formula0 clause consistent valuation formulatrue formula0 valuation formulatrue formula valuation lemma formulaentailsformulaiffentailsallitsclauses: fixes formula :: Formula formula :: Formula formulaentailsformula formula formula = ( clause::clause. clause el formula formulaentailsclause formula clause) (is?lhs =?rhs) lemma formulaentailsformulathatentailsclause: fixes formula1 :: Formula formula2 :: Formula clause :: Clause 29

30 formulaentailsformula formula1 formula2 formulaentailsclause formula2 clause formulaentailsclause formula1 clause lemma fixes formula1 :: Formula formula2 :: Formula formula1 :: Formula literal :: Literal formulaentailsliteral formula2 ) literal formulaentailsformula formula1 formula1 formulaentailsliteral formula2 ) literal lemma formulafalseinentailedvaluationisunsatisfiable: fixes formula :: Formula valuation :: Valuation formulafalse formula valuation formulaentailsvaluation formula valuation satisfiable formula lemma formulafalseinentailedorpurevaluationisunsatisfiable: fixes formula :: Formula valuation :: Valuation formulafalse formula valuation literal. literal el valuation formulaentailsliteral formula literal opposite literal el formula satisfiable formula lemma unsatisfiableformulawithsingleliteralclause: fixes formula :: Formula literal :: Literal satisfiable formula [literal] el formula formulaentailsliteral (removeall [literal] formula) (opposite literal) lemma unsatisfiableformulawithsingleliteralclauses: fixes F ::Formula c::clause satisfiable val2form (oppositeliterallist c)) clausetautology c formulaentailsclause F c lemma satisfiableentailedformula: fixes formula0 :: Formula formula :: Formula formulaentailsformula formula0 formula satisfiable formula0 satisfiable formula 30

31 lemma val2formisentailed: formulaentailsvaluation val2form F ) valuation Equivalency Formulas are equivalent if they have same models. equivalentformulae :: Formula Formula bool equivalentformulae formula1 formula2 == (valuation::valuation). model valuation formula1 = model valuation formula2 lemma equivalentformulaeiffentaileachother: fixes formula1 :: Formula formula2 :: Formula equivalentformulae formula1 formula2 = (formulaentailsformula formula1 formula2 formulaentailsformula formula2 formula1 ) lemma equivalentformulaereflexivity: fixes formula :: Formula equivalentformulae formula formula lemma equivalentformulaesymmetry: fixes formula1 :: Formula formula2 :: Formula equivalentformulae formula1 formula2 = equivalentformulae formula2 formula1 lemma equivalentformulaetransitivity: fixes formula1 :: Formula formula2 :: Formula formula3 :: Formula equivalentformulae formula1 formula2 equivalentformulae formula2 formula3 equivalentformulae formula1 formula3 lemma equivalentformulaeappend: fixes formula1 :: Formula formula1 :: Formula formula2 :: Formula equivalentformulae formula1 formula1 equivalentformulae formula2 ) formula2 ) lemma satisfiableequivalent: 31

32 fixes formula1 :: Formula formula2 :: Formula equivalentformulae formula1 formula2 satisfiable formula1 = satisfiable formula2 lemma satisfiableequivalentappend: fixes formula1 :: Formula formula1 :: Formula formula2 :: Formula equivalentformulae formula1 formula1 satisfiable formula2 ) satisfiable formula2 ) lemma replaceequivalentbyequivalent: fixes formula :: Formula formula :: Formula formula1 :: Formula formula2 :: Formula equivalentformulae formula formula equivalentformulae formula2 ) formula2 ) lemma clauseorderirrelevant: equivalentformulae F2 ) F2 ) lemma extendequivalentformulawithentailedclause: fixes formula1 :: Formula formula2 :: Formula clause :: Clause equivalentformulae formula1 formula2 formulaentailsclause formula2 clause equivalentformulae formula1 [clause]) lemma entailsliteralrelpacepartwithequivalent: equivalentformulae F F formulaentailsliteral F2 ) l formulaentailsliteral F2 ) l Remove false duplicate literals of a clause removefalseliterals :: Clause Valuation Clause removefalseliterals clause valuation = filter (λ l. literalfalse l valuation) clause 32

33 lemma clausetrueremovefalseliterals: consistent v clausetrue c v = clausetrue (removefalseliterals c v) v lemma clausetrueremoveduplicateliterals: clausetrue c v = clausetrue (remdups c) v lemma removeduplicateliteralsequivalentclause: equivalentformulae [remdups clause] [clause] lemma falseliteralscanberemoved: fixes F ::Formula F ::Formula v::valuation equivalentformulae val2form F2 ) F equivalentformulae val2form [removefalseliterals c F2 ) [c]) (is equivalentformulae?lhs?rhs) lemma falseandduplicateliteralscanberemoved: equivalentformulae val2form F2 ) F equivalentformulae val2form [remdups (removefalseliterals c F2 ) [c]) (is equivalentformulae?lhs?rhs) lemma satisfiedclausecanberemoved: equivalentformulae val2form v) F clausetrue c v equivalentformulae val2form v) [c]) lemma formulaentailsclauseremoveentailedliteralopposites: formulaentailsclause F clause formulaentailsvaluation F valuation formulaentailsclause F (list-diff clause (oppositeliterallist valuation)) Resolution 33

34 resolve clause1 clause2 literal == removeall literal removeall (opposite literal) clause2 lemma resolventisentailed: fixes clause1 :: Clause clause2 :: Clause literal :: Literal formulaentailsclause [clause1, clause2 ] (resolve clause1 clause2 literal) lemma formulaentailsresolvent: fixes formula :: Formula clause1 :: Clause clause2 :: Clause formulaentailsclause formula clause1 formulaentailsclause formula clause2 formulaentailsclause formula (resolve clause1 clause2 literal) lemma resolvefalseclauses: fixes literal :: Literal clause1 :: Clause clause2 :: Clause valuation :: Valuation clausefalse (removeall literal clause1 ) valuation clausefalse (removeall (opposite literal) clause2 ) valuation clausefalse (resolve clause1 clause2 literal) valuation Unit clauses Clause is unit in a valuation if all its literals but one are false, that one is undefined. isunitclause :: Clause Literal Valuation bool isunitclause uclause uliteral valuation == uliteral el uclause (literaltrue uliteral valuation) (literalfalse uliteral valuation) ( literal. literal el uclause literal uliteral literalfalse literal valuation) lemma unitliteralisentailed: fixes uclause :: Clause uliteral :: Literal formula :: Formula valuation :: Valuation isunitclause uclause uliteral valuation formulaentailsclause formula uclause formulaentailsliteral val2form valuation) uliteral lemma isunitclauseremoveallunitliteralisfalse: fixes uclause :: Clause uliteral :: Literal valuation :: 34

35 Valuation isunitclause uclause uliteral valuation clausefalse (removeall uliteral uclause) valuation lemma isunitclauseappendvaluation: isunitclause uclause uliteral valuation l uliteral l opposite uliteral isunitclause uclause uliteral [l]) lemma containstruenotunit: l el c literaltrue l v consistent v ( ul. isunitclause c ul v) lemma unitbecomesfalse: isunitclause uclause uliteral valuation clausefalse uclause [opposite uliteral]) Reason clauses A clause is reason for unit propagation of a given literal if it was a unit clause before it is asserted, became true when it is asserted. isreason::clause Literal Valuation bool (isreason clause literal valuation) == (literal el clause) (clausefalse (removeall literal clause) valuation) ( literal. literal el (removeall literal clause) precedes (opposite literal ) literal valuation opposite literal literal) lemma isreasonappend: fixes clause :: Clause literal :: Literal valuation :: Valuation valuation :: Valuation isreason clause literal valuation isreason clause literal valuation ) lemma isunitclauseisreason: 35

36 fixes uclause :: Clause uliteral :: Literal valuation :: Valuation isunitclause uclause uliteral valuation uliteral el valuation isreason uclause uliteral valuation ) lemma isreasonholdsinprefix: fixes prefix :: Valuation valuation :: Valuation clause :: Clause literal :: Literal literal el prefix isprefix prefix valuation isreason clause literal valuation isreason clause literal prefix Last asserted literal of a list lastassertedliteral from a list is the last literal from a clause that is asserted in a valuation. islastassertedliteral::literal Literal list Valuation bool islastassertedliteral literal clause valuation == literal el clause literaltrue literal valuation ( literal. literal el clause literal literal precedes literal literal valuation) Function that gets the last asserted literal of a list - specified only by its postcondition. getlastassertedliteral :: Literal list Valuation Literal getlastassertedliteral clause valuation == last (filter (λ l::literal. l el clause) valuation) lemma getlastassertedliteralcharacterization: clausefalse clause valuation clause [] uniq valuation islastassertedliteral (getlastassertedliteral (oppositeliterallist clause) valuation) (oppositeliterallist clause) valuation 36

37 lemma lastassertedliteralisuniq: fixes literal :: Literal literal :: Literal literallist :: Literal list valuation :: Valuation lastl: islastassertedliteral literal literallist valuation lastl : islastassertedliteral literal literallist valuation literal = literal lemma islastassertedcharacterization: fixes literal :: Literal literallist :: Literal list v :: Valuation islastassertedliteral literal (oppositeliterallist literallist) valuation opposite literal el literallist literaltrue literal valuation lemma islastassertedliteralsubset: islastassertedliteral l c M set c set c l el c islastassertedliteral l c M lemma lastassertedlastinvaluation: fixes literal :: Literal literallist :: Literal list valuation :: Valuation literal el literallist literaltrue literal valuation islastassertedliteral literal literallist [literal]) end 3 Trail datatype its properties theory Trail imports MoreList begin Trail is a list in which some elements can be marked. type-synonym a Trail = ( a bool) list abbreviation element :: ( a bool) a element x == fst x 37

38 abbreviation marked :: ( a bool) bool marked x == snd x 3.1 Trail elements Elements of the trail with marks removed primrec elements :: a Trail a list elements [] = [] elements (h#t) = (element h) # (elements t) lemma elements t = map fst t lemma eithermarkedornotmarkedelement: a = (element a, True) a = (element a, False) lemma eithermarkedornotmarked: e set (elements M ) (e, True) set M (e, False) set M lemma elementmemelements [simp]: x set M element x set (elements M ) lemma elementsappend [simp]: elements b) = elements elements b lemma elementsemptyifftrailempty [simp]: (elements list = []) = (list = []) lemma elementsbutlasttrailisbutlastelementstrail [simp]: elements (butlast M ) = butlast (elements M ) lemma elementlasttrailislastelementstrail [simp]: M [] element (last M ) = last (elements M ) 38

39 lemma isprefixelements: isprefix a b isprefix (elements a) (elements b) lemma prefixelementsaretrailelements: isprefix p M set (elements p) set (elements M ) lemma uniqelementstrailimpliesuniqelementsprefix: isprefix p M uniq (elements M ) uniq (elements p) lemma [simp]: (e, d) set M e set (elements M ) lemma uniqimpliesexclusivetrueorfalse: (e, d) set M uniq (elements M ) (e, d) set M 3.2 Marked trail elements primrec markedelements :: a Trail a list markedelements [] = [] markedelements (h#t) = (if (marked h) then (element h) # (markedelements t) else (markedelements t)) lemma markedelements t = (elements (filter snd t)) lemma markedelementismarkedtrue: (m set (markedelements M )) = ((m, True) set M ) lemma markedelementsappend: 39

40 markedelements M2 ) = markedelements markedelements M2 lemma markedelementsareelements: m set (markedelements M ) m set (elements M ) lemma markedandmemberimpliesismarkedelement: marked m m set M (element m) set (markedelements M ) lemma markedelementsprefixaremarkedelementstrail: isprefix p M m set (markedelements p) m set (markedelements M ) lemma markedelementstrailmemprefixaremarkedelementsprefix: uniq (elements M ) isprefix p M m set (elements p) m set (markedelements M ) m set (markedelements p) 3.3 Prefix before/upto a trail element Elements of the trail before the first occurrence of a given element - not incuding it primrec prefixbeforeelement :: a a Trail a Trail prefixbeforeelement e [] = [] prefixbeforeelement e (h#t) = (if (element h) = e then [] else (h # (prefixbeforeelement e t)) ) lemma prefixbeforeelement e t = takewhile (λ e. element e e) t lemma prefixbeforeelement e t = take (firstpos e (elements t)) t 40

41 Elements of the trail before the first occurrence of a given element - incuding it primrec prefixtoelement :: a a Trail a Trail prefixtoelement e [] = [] prefixtoelement e (h#t) = (if (element h) = e then [h] else (h # (prefixtoelement e t)) ) lemma prefixtoelement e t = take ((firstpos e (elements t)) + 1 ) t lemma isprefixprefixtoelement: isprefix (prefixtoelement e t) t lemma isprefixprefixbeforeelement: isprefix (prefixbeforeelement e t) t lemma prefixtoelementcontainstrailelement: e set (elements M ) e set (elements (prefixtoelement e M )) lemma prefixbeforeelementdoesnotcontaintrailelement: e set (elements M ) e / set (elements (prefixbeforeelement e M )) lemma prefixtoelementappend: prefixtoelement e M2 ) = (if e set (elements M1 ) then prefixtoelement e M1 else prefixtoelement e M2 ) lemma prefixtoelementtoprefixelement: isprefix p M e set (elements p) 41

42 prefixtoelement e M = prefixtoelement e p 3.4 Marked elements upto a given trail element Marked elements of the trail upto the given element (which is also included if it is marked) markedelementsto :: a a Trail a list markedelementsto e t = markedelements (prefixtoelement e t) lemma markedelementstoareprefixofmarkedelements: isprefix (markedelementsto e M ) (markedelements M ) lemma markedelementstoaremarkedelements: m set (markedelementsto e M ) m set (markedelements M ) lemma markedelementstononmemberareallmarkedelements: e / set (elements M ) markedelementsto e M = markedelements M lemma markedelementstoappend: markedelementsto e M2 ) = (if e set (elements M1 ) then markedelementsto e M1 else markedelements markedelementsto e M2 ) lemma markedelementsemptyimpliesmarkedelementstoempty: markedelements M = [] markedelementsto e M = [] lemma markedelementismemberofitsmarkedelementsto: uniq (elements M ) marked e e set M element e set (markedelementsto (element e) M ) lemma markedelementstoprefixelement: isprefix p M e set (elements p) 42

43 markedelementsto e M = markedelementsto e p 3.5 Last marked element in a trail lastmarked :: a Trail a lastmarked t = last (markedelements t) lemma lastmarkedismarkedelement: markedelements M [] lastmarked M set (markedelements M ) lemma removelastmarkedfrommarkedelementstolastmarkedareall- MarkedElementsInPrefixLastMarked: markedelements M [] removeall (lastmarked M ) (markedelementsto (lastmarked M ) M ) = markedelements (prefixbeforeelement (lastmarked M ) M ) lemma markedelementstolastmarkedareallmarkedelements: uniq (elements M ) markedelements M [] markedelementsto (lastmarked M ) M = markedelements M lemma lasttrailelementmarkedimpliesmarkedelementstolastelementare- AllMarkedElements: marked (last M ) last (elements M ) / set (butlast (elements M )) markedelementsto (last (elements M )) M = markedelements M lemma lastmarkedismemberofitsmarkedelementsto: uniq (elements M ) markedelements M [] lastmarked M set (markedelementsto (lastmarked M ) M ) lemma lasttrailelementnotmarkedimpliesmarkedelementstolaremarkedelementstolinbutlasttrail: 43

44 marked (last M ) markedelementsto e M = markedelementsto e (butlast M ) 3.6 Level of a trail element Level of an element is the number of marked elements that precede it elementlevel :: a a Trail nat elementlevel e t = length (markedelementsto e t) lemma elementlevelmarkedgeq1 : uniq (elements M ) e set (markedelements M ) elementlevel e M >= 1 lemma elementlevelappend: a set (elements M ) elementlevel a M = elementlevel a M ) lemma elementlevelprecedesleq: precedes a b (elements M ) elementlevel a M elementlevel b M lemma elementlevelprecedesmarkedelementlt: uniq (elements M ) e d d set (markedelements M ) precedes e d (elements M ) elementlevel e M < elementlevel d M lemma differentmarkedelementshavedifferentlevels: uniq (elements M ) a set (markedelements M ) b set (markedelements M ) 44

45 a b elementlevel a M elementlevel b M 3.7 Current trail level Current level is the number of marked elements in the trail currentlevel :: a Trail nat currentlevel t = length (markedelements t) lemma currentlevelnonmarked: currentlevel M = currentlevel [(l, False)]) lemma currentlevelprefix: isprefix a b currentlevel a <= currentlevel b lemma elementlevelleqcurrentlevel: elementlevel a M currentlevel M lemma elementoncurrentlevel: a / set (elements M ) elementlevel a [(a, d)]) = currentlevel d)]) [(a, 3.8 Prefix to a given trail level Prefix is made or elements of the trail up to a given element level primrec prefixtolevel-aux :: a Trail nat nat a Trail (prefixtolevel-aux [] l cl) = [] (prefixtolevel-aux (h#t) l cl) = (if (marked h) then (if (cl >= l) then [] else (h # (prefixtolevel-aux t l (cl+1 )))) else (h # (prefixtolevel-aux t l cl)) ) prefixtolevel :: nat a Trail a Trail 45

Part 1: Propositional Logic

Part 1: Propositional Logic Literature (also for first-order logic) Schöning: Logik für Informatiker, Spektrum Fitting: First-Order Logic and Automated Theorem Proving, Springer 1 Last time 1.1 Syntax