Automated Reasoning (in First Order Logic) Andrei Voronkov. University of Manchester

Transcription

1 Automated Reasoning (in First Order Logic) Andrei Voronkov University of Manchester 1

2 Overview Automated reasoning in first-order logic. Completeness. Theory of Resolution and Redundancy. From Theory to Practice. Implementation Techniques. Future. Whatever you want. 2

3 Notions that I will use but not define Term. Bag (or finite multiset). Substitution: application of substitution; composition of substitutions; unifier, most general unifier. Ground term (or ground expression). Instance, ground instance; 3

4 Notions that I will use but not define: orderings Multiset extension of ordering. Well-founded, monotonic. Simplification ordering. Examples: Knuth-Bendix ordering, lexicographic path ordering. 4

5 Notions that I will use but not define: Term Rewriting Systems Rewriting systems. Irreducible terms, normal forms. Confluent, terminating and convergent rewrite systems. Non-overlapping systems. 5

6 Automated Theorem Proving. Example Group theory theorem: if a group satisfies the identity x 2 = 1, then it is commutative. More formally: in a group assuming that x 2 = 1 for all x prove that x y = y x holds for all x,y. What is implicit: axioms of the group theory. x(1 x = x) x(x 1 x = 1) x y z((x y) z = x (y z)) 6

7 Formulation in First-Order Logic x(1 x = x) Axioms (of group theory): x(x 1 x = 1) x y z((x y) z = x (y z)) Assumptions: x(x x = 1) Conjecture: x y(x y = y x) 7

8 In the TPTP Syntax TPTP library (Thousands of Problems for Theorem Provers), % * x = 1 fof(left_identity,axiom, mult(e,x) = X). %---- i(x) * x = 1 fof(left_inverse,axiom, mult(inverse(x),x) = e). %---- (x * y) * z = x * (y * z) fof(associativity,axiom, mult(mult(x,y),z) = mult(x,mult(y,z))). %---- x * x = 1 fof(group_of_order_2,hypothesis, mult(x,x) = e). %---- prove x * y = y * x fof(commutativity,conjecture, mult(x,y) = mult(y,x)). 8

9 Example: Proof by Vampire 9

10 Theorem Provers Theorem Prover: a system that can prove theorems automatically. Two kinds of provers: automatic provers; interactive provers, or proof assistants. Logics: in automatic provers mainly first-order logic (with built-in equality); in interactive provers higher-order logics or type theories. We will mainly speak about fully automatic theorem provers. 10

11 Main applications Software and hardware verification; Static analysis of programs; Query answering in first-order knowledge bases (ontologies); Theorem proving in mathematics, especially in algebra; Verification of cryptographic protocols; Retrieval of software components; Reasoning in non-classical logics; Program synthesis; Solving exercises at the Rewriting School in Obergurgl... 11

12 What we Expect of an Automatic Theorem Prover Input: a set of axioms (first order formulas) or clauses; a conjecture (first-order formula or set of clauses). Output: proof (hopefully). 12

13 Proof by Refutation Given a problem with axioms and assumptions F 1,...,F n and conjecture G, 1. negate the conjecture; 2. establish unsatisfiability of the set of formulas F 1,...,F n, G. We refute G. 13

14 Saturation-Based Theorem Proving Saturation: given a set S of formulas and an inference system I, saturate this set with respect to the inference system. That is, build a set of formulas that contains S and is closed under inferences in I. Resolution theorem provers use a variant of the resolution and superposition inference system in which inferences are performed on formulas of a special form, called clauses. 14

15 General Scheme Read a problem; Determine proof-search options to be used for this problem; Preprocess the problem; Convert it into CNF; Run a saturation algorithm on it; Report the result, maybe including a refutation. 15

16 Refutation found by Vampire [5, input] ( x 0 x 1 )x 0 x 1 = x 1 x 0 [5 16, cnf transformation] ( x 0 x 1 )x 0 x 1 = x 1 x 0 σ 0 σ 1 σ 1 σ 0 [1, input] ( x 0 )1 x 0 = x 0 [1 12, cnf transformation] ( x 0 )1 x 0 = x 0 1 x 0 = x 0 [4, input] ( x 0 )x 0 x 0 = 1 [4 15, cnf transformation] ( x 0 )x 0 x 0 = 1 x 0 x 0 = 1 16

17 Refutation found by Vampire [3, input] ( x 0 x 1 x 2 )(x 0 x 1 ) x 2 = x 0 (x 1 x 2 ) [3 14, cnf transformation] ( x 0 x 1 x 2 )(x 0 x 1 ) x 2 = x 0 (x 1 x 2 ) (x 0 x 1 ) x 2 = x 0 (x 1 x 2 ) [12, 15, 14 27, forward superposition, forward demodulation] 1 x 0 = x 0 x 0 x 0 = 1 (x 0 x 1 ) x 2 = x 0 (x 1 x 2 ) x 1 (x 1 x 2 ) = x 2 [15, 27 30, forward superposition] x 0 x 0 = 1 x 1 (x 1 x 2 ) = x 2 x 1 1 = x 1 17

18 Refutation found by Vampire [15, 14 28, forward superposition] x 0 x 0 = 1 (x 0 x 1 ) x 2 = x 0 (x 1 x 2 ) x 1 (x 2 (x 1 x 2 )) = 1 [30, 27, 28 34, backward superposition, forward demodulation] x 1 1 = x 1 x 1 (x 1 x 2 ) = x 2 x 1 (x 2 (x 1 x 2 )) = 1 x 1 (x 2 x 1 ) = x 2 [27, 34 36, backward superposition] x 1 (x 1 x 2 ) = x 2 x 1 (x 2 x 1 ) = x 2 x 1 x 2 = x 2 x 1 18

19 Refutation found by Vampire [16, 36 37, backward demodulation] σ 0 σ 1 σ 1 σ 0 x 1 x 2 = x 2 x 1 19

20 Inference System inference has the form F 1... F n G, where n 0 and F 1,...,F n,g are formulas. The formula G is called the conclusion of the inference; The formulas F 1,...,F n are called its premises. An inference rule R is a set of inferences. Every inference I R is called an instance of R. An Inference system I is a set of inference rules. Axiom: inference rule with no premises. 20

21 Derivation, Proof Derivation in an inference system I: a tree built from inferences in I. If the root of this derivation is E, then we say it is a derivation of E. Proof of E: a finite derivation whose leaves are axioms. Derivation of E from E 1,...,E m : a finite derivation of E whose every leaf is either an axiom or one of the expressions E 1,...,E m. 21

22 Inference System: Example ε = ε (ε) ε + x = x (+ 1) x = y x = y ( ) x + y = z x + y = z (+ 2) ε x = ε ( 1) x y = u y + u = z x y = z ( 2) 22

23 Proof in this Inference System Proof of ε ε = ε: ε + ε = ε (+ 1) ε ε = ε ( 1) ε + ε = ε (+ 2) ε + ε = ε (+ 2) ( 2) ε ε = ε ε ε = ε ε + ε = ε (+ 1) ε + ε = ε (+ 2) ε + ε = ε (+ 2) ( 2). 23

24 Derivation in this Inference System Derivation of ε ε = ε from ε + ε = ε ε + ε = ε (+ 1) ε ε = ε ( 1) ε + ε = ε (+ 2) ε + ε = ε (+ 2) ( 2) ε ε = ε ε ε = ε ε + ε = ε ε + ε = ε (+ 2) ε + ε = ε (+ 2) ( 2). 24

25 Propositional Clauses A set of propositional variables. The variables can be used as atoms, or atomic formulas. Literal: either an atom p or its negation p. Complementary literals: p and p. Clause: a disjunction L 1... L n of literals, where n 0. Empty clause, denoted by : clause with 0 literals, that is, when n = 0. The order of literals is not important, that it, we can consider a clause as a multiset of literals. 25

26 Propositional Logic: Interpretations An interpretation interprets any atom as true or false. The evaluation of atoms can be naturally extended to literals and clauses: A is true if A is false; L 1... L n is true if there exists at least one i 1,...,n such that L i is true. An interpretation satisfies a clause if the clause is true in the interpretation. A set of clauses is satisfiable if there is an interpretation that satisfies all clauses in this set (a model of this set of clauses). 26

27 Binary Resolution Inference System The binary resolution inference system, denoted by BR, consists of two inference rules: Binary resolution, denoted by BR p C 1 p C 2 C 1 C 2 (BR). Factoring, denoted by Fact: L L C L C (Fact). 27

28 Soundness An inference is sound if the conclusion of this inference is a logical consequence of its premises. An inference rule is sound if every inference of this rule is sound. An inference system is sound if every inference rule in this system is sound. BR is sound. 28

29 Consequence of Soundness Let S be a set of clauses. If can be derived from S in BR, then S is unsatisfiable. 29

30 Example Consider the following set of clauses { p q, p q, p q, p q}. The following derivation derives the empty clause from this set: p q p q p p (BR) p (Fact) p q p q p p (BR) p (Fact) (BR) Hence, this set of clauses is unsatisfiable. 30

31 Can this be used for checking (un)satisfiability 1. What happens when the empty clause cannot be derived from S? 2. How can one search for possible derivations of the empty clause? 31

32 Can this be used for checking (un)satisfiability 1. Completeness. Let S be an unsatisfiable set of clauses. Then there exists a derivation of from S in BR. 2. We have to formalize search for derivations. 32

33 Saturated Set of Clauses Let I be an inference system on formulas and S be a set of formulas. S is called saturated with respect to I, or simply I-saturated, if for every inference of I with premises in S, the conclusion of this inference also belongs to S. The closure of S with respect to I, or simply I-closure, is the smallest set S containing S and saturated with respect to I. 33

34 Inference Process Inference process: sequence of sets of formulas S 0,S 1,..., denoted by S 0 S 1 S 2... (S i S i+1 ) is a step of this process. We say that this step is an I-step if 1. there exists an inference F 1... F n F in I such that {F 1,...,F n } S i ; 2. S i+1 = S i {F }. An I-inference process is an inference process whose every step is an I-step. 34

35 Property Let S 0 S 1 S 2... be an I-inference process and a formula F belongs to some S i. Then S i is derivable in I from S 0. In particular, every S i is a subset of the I-closure of S 0. 35

36 Limit of a Process The limit of an inference process S 0 S 1 S 2... is the set of formulas i S i. 36

37 Fairness Let S 0 S 1 S 2... be an inference process with the limit S. The process is called fair if for every I-inference F 1... F n F, if {F 1,...,F n } S, then there exists i such that F S i. 37

38 Completeness, reformulated Theorem Let I be an inference system. The following conditions are equivalent. 1. I is complete. 2. For every unsatisfiable set of formulas S 0 and any fair I-inference process with the initial set S 0, the limit of this inference process contains. 38

39 Selection Function A literal selection function is any function σ on the set of clauses such that for every clause C 1. σ(c) is a submultiset of C; 2. σ(c) is non-empty whenever C is non-empty. If L is a literal in σ(c), we say that L is selected by σ in C. We denote selected literals by underlining them, e.g., p q Note: selection function does not have to be a function. It can be any oracle that selects literals. 39

40 Binary Resolution with Selection The binary resolution inference system, denoted by BR σ, consists of two inference rules: Binary resolution denoted by BR p C 1 p C 2 C 1 C 2 (BR). Positive factoring, denoted by Fact: p p C p C (Fact). 40

41 Exercise Show that binary resolution with selection may be incomplete even when factoring is unrestricted. That is, there exists an unsatisfiable set of clauses such that the empty clause cannot be derived from it using binary resolution with selection function and (unrestricted) factoring. 41

42 Automated Reasoning. II Andrei Voronkov University of Manchester 42

43 First-order logic: Notation Formulas: F, G. Terms: r,l,s,t. Variables: x,y,z,u,v,w. Constants: a,b,c,d,e. 43

44 First-order logic with equality Equality predicate:. Equality: l r. The order of literals in equalities does not matter, that is, we consider an equality l r as a multiset consisting of two terms l,r, and so consider l r and r l equal. 44

45 Theorem proving in first-order logic Given a set of formulas A 1,...,A n ( axioms ) and a formula G ( goal or conjecture ), check whether G is a logical consequence of A 1,...,A n, or is implied by A 1,...,A n. 45

46 First-order interpretations One of the key notions is that of interpretation, or first-order structure. An interpretation interprets every function symbol as a function and every predicate symbol as a relation on some domain. An interpretation satisfies a set of formula if it makes this formula true. A set S of formulas is called satisfiable if there is an interpretation that satisfies all formulas in S. Such an interpretation is called a model of S. 46

47 Theorem proving as unsatisfiability-checking Theorem proving can be reformulated as unsatisfiability-checking thanks to the completeness theorem: A formula G is a logical consequence of a set of formulas S if and only if every model of S is also a model of G, that is if and only if S { G} is unsatisfiable. 47

48 Literals and clauses Atom or atomic formula: formula p(t 1,...,t n ); notation: A, B. Literal: atom A or its negation A; notation: L,M,N. Clause: disjunction of literals L 1... L n ; notation: C, D. Empty clause: clause with n = 0; notation:. Note 1: An equality l r is a special case of atomic formula. Note 2: when we speak about clauses, we assume that their variables are implicitly universally quantified. For example, p(x) q(x) denotes x(p(x) q(x)). 48

49 Equality. An Axiomatisation reflexivity axiom: x x; symmetry axiom: x y y x; transitivity axiom: x y y z x z; function substitution axioms: x 1 y 1... x n y n f(x 1,...,x n ) f(y 1,...,y n ), for every function symbol f ; predicate substitution axioms: x 1 y 1... x n y n P(x 1,...,x n ) P(y 1,...,y n ) for every predicate symbol P. 49

50 Inference systems for logic with equality We will define a very simple inference system first. This system is complete but no theorem prover uses it since it has too many inferences. Moreover, we will define it only for ground clauses: Completeness is first proved for ground clauses only. It is then lifted to arbitrary clauses using a technique called lifting. Moreover, this way some notions (ordering, selection function) can first be defined for ground clauses only and then it will be easy to see how to generalise them for non-ground clauses. 50

51 Simple Ground Superposition Inference System Superposition: (right and left) l r C s[l] t D s[r] t C D (Sup), l r C s[l] t D s[r] t C D (Sup), Equality Resolution: s s C C (ER), Equality Factoring: s t s t C s t t t C (EF), 51

52 Example f(a) a g(a) a f(f(a)) a g(g(a)) a f(f(a)) a 52

53 Soundness This inference system is sound, that is the conclusion of every inference is a logical consequence of its premises. This implies that every model of set of clauses S is also a model of every clause derivable from S. Suppose that the empty clause can be derived from S. Then S is unsatisfiable. In fact, the inverse is also true: if S is unsatisfiable, then the empty clause can be derived from S. 53

54 Can this system be used for efficient theorem proving? Not really. It has too many inferences. For example, from the clause f(a) a we can derive any clause of the form where m,n 0. f m (a) f n (a) Worst of all, the derived clauses can be much larger than the original clause f(a) a. We will introduce several refinements of this system. 54

55 Literal Orderings Consider any total simplification ordering (that is, a total, well-founded, monotonic ordering) on ground terms and atoms. We want to extend it to ground literals. Let L 1 = ( )A 1 and L 2 = ( )A 2 be non-equality literals. We let L 1 lit L 2 if and only if one of the following conditions holds: 1. A 1 A 2 ; or 2. A 1 = A 2, L 1 is negative and L 2 is positive. 55

56 Bag Extension of Ordering Bag = finite multiset. Let > be any ordering on a set X. The bag extension of > is a binary relation > bag, on bags over X, defined as the smallest transitive relation on bags such that {x,y 1,...,y n } > bag {x 1,...,x m,y 1,...,y n } if x > x i for all i {1...m}, where m 0. Idea: a bag becomes smaller if we replace an element by any finite number of smaller elements. The following results are known about the bag extensions of orderings: 1. > bag is an ordering; 2. If > is total, then so is > bag ; 3. If > is well-founded, then so is > bag. 56

57 Atom and literal orderings on equalities Equality atom comparison treats equality as symmetric: we let (s t ) lit (s t) if {s,t } {s,t }. (s t ) lit (s t) if {s,t } {s,t }. Finally, we assert that all non-equality literals be greater than all equality literals. Properties: If is total, then lit is total too. If is well-founded, then lit is well-founded too. 57

58 Ground Superposition Inference System Sup,σ Let σ be a literal selection function. Superposition: (right and left) l r C s[l] t D s[r] t C D (Sup), l r C s[l] t D s[r] t C D (Sup), where (i) l r, (ii) s[l] t, (iii) l r is strictly greater than any literal in C, (iv) s[l] t is greater than or equal to any literal in D. Equality Resolution: s s C C (ER), Equality Factoring: s t s t C s t t t C (EF), where (i) s t t ; (ii) s t is greater than or equal to any literal in C. 58

59 Extension to arbitrary (non-equality) literals Consider a two-sorted logic in which equality is the only predicate symbol. Interpret terms as terms of the first sort and non-equality atoms as terms of the second sort. Add a constant of the second sort. Replace non-equality atoms p(t 1,...,t n ) by equalities of the second sort p(t 1,...,t n ). For example, the clause becomes p(a,b) q(a) a b p(a,b) q(a) a b. 59

60 Binary resolution inferences can be represented by inferences in the superposition system We ignore selection functions. A C 1 A C 2 C 1 C 2 (BR) A C 1 A C 2 (Sup) C 1 C 2 (ER) C 1 C 2 60

61 Exercise Positive factoring can also be represented by inferences in the superposition system. 61

62 Well-Behaved Selection Functions We say that a selection function respects an ordering if satisfies the following property: If only positive literals are selected in C, then all maximal (w.r.t. ) literals in C. are selected. In other words, either a negative literal is selected, or all maximal literals must be selected. 62

63 Superposition Calculus is Complete Theorem Let lit be a simplification ordering total on ground terms and a σ a selection function that respects this ordering. Then Sup,σ is complete, that is, for every unsatisfiable set of clauses S, one can derive the empty clause from S in Sup,σ. 63

64 Automated Reasoning. III Andrei Voronkov University of Manchester 64

65 Subsumption and Tautology Deletion A clause C subsumes a clause D if C is a submultiset of D. It was known since 1965 that subsumed clauses and propositional tautologies can be removed from the search space. Note: a clause is a propositional tautology if it is of the form p p C, that is, it contains a pair of complementary literals. There are also equational tautologies, for example a b b c f(c,c) f(a,a). Can they be removed? 65

66 Problem How can we prove that completeness is preserved if we remove subsumed clauses and tautologies from the search space? We will prove completeness for a very general concept of redundant clause that includes subsumed clauses and tautologies as special cases. 66

67 Clause Orderings From now on consider clauses also as bags of literals. Note: we can use lit to compare literals; a clause is a bag of literals. Hence we can compare clauses using the bag extension bag lit of lit. Let us denote from now on all orderings introduced so far by. 67

68 Redundancy Denote S C = {D S D C}. A clause C is called redundant w.r.t. S if S C = C. A clause C is called redundant in S if S C = C and C S. Redundant clauses can be removed from the search space. 68

69 Example Consider f(a) a f(f(a)) a f(f(f(a))) a Then both f(f(a)) a and f(f(f(a))) a are redundant. The clause f(a) a is a logical consequence of {f(f(a)) a,f(f(f(a))) a} but is not redundant. 69

70 Inference Process with Redundancy Let I be an inference system. Consider an inference process with two kinds of step S i S i+1 : 1. I-inference; 2. deletion of a clause redundant in S i, that is where C is redundant in S i. S i+1 = S i {C}, 70

71 Fairness: Persistent Clauses and Limit Consider an inference process S 0 S 1 S 2... A clause C is called persistent if i j i(c S j ). The limit S ω of the inference process is the set of all persistent clauses: S ω = S j. i=0,1,... j i 71

72 Fairness The process is called I-fair if every inference with persistent premises in S ω has been applied, that is, if C 1... C n C is an inference in I and {C 1,...,C n } S ω, then C S i for some i. 72

73 Completeness of Sup,σ Completeness Theorem. Let be a simplification ordering and σ a selection function respecting this ordering. Let also 1. S 0 be a set of clauses; 2. S 0 S 1 S 2... be a fair Sup,σ -inference process. Then S 0 is unsatisfiable if and only if S i for some i. 73

74 Saturation up to Redundancy A set S of clauses is called saturated up to redundancy if for every I-inference C 1... C n C with premises in S, either 1. C S; or 2. C is redundant w.r.t. S, that is, S C = C. 74

75 Proof of Completeness A trace of a clause C: a set of clauses {C 1,...,C n } S ω such that 1. C C i for all i = 1,...,n; 2. C 1,...,C n = C. Lemma. Every removed clause has a trace. Lemma. The limit S ω is saturated up to redundancy. Lemma. The limit S ω is logically equivalent to the initial set S 0. Lemma. A set S of clauses saturated up to redundancy is unsatisfiable if and only if S. 75

76 How to prove completeness from these lemmas? Easy... 76

77 Every Removed Clause has a Trace A trace of a clause C: a set of clauses {C 1,...,C n } S ω such that 1. C C i for all i = 1,...,n; 2. C 1,...,C n = C. Lemma. Every removed clause has a trace. Proof (Ideas). Use well-foundedness of the clause ordering. 77

78 The Limit is Saturated up to Redundancy A set S of clauses is called saturated up to redundancy if for every I-inference C 1... C n C with premises in S, either 1. C S; or 2. C is redundant w.r.t. S, that is, S C = C. Lemma. The limit S ω is saturated up to redundancy. Proof (Ideas). Use fairness and the property that every removed clause has a trace. 78

79 The limit is logically equivalent to the initial set That is, we have to prove that S 0 S ω and S ω S 0. Proof (Ideas). To prove S 0 S ω use soundness of Sup,σ. To prove S ω S 0 use the property that every removed clause has a trace. 79

80 A set of clauses saturated up to redundancy is unsatisfiable if and only if contains the empty clause Lemma. A set S of clauses saturated up to redundancy is unsatisfiable if and only if S. This is the key lemma!!! To prove it, we use definition of Sup,σ ; properties of σ; well-foundedness of. 80

81 Term Algebra Term algebra TA(Σ) of signature Σ: Domain: the set of all ground terms of Σ. Interpretation of any function symbol f or constant c is defined as follows:: f TA(Σ) (t 1,...,t n ) c TA(Σ) def f(t 1,...,t n ); def c. 81

82 Model Construction We build a convergent rewriting system R consisting of rules l r such that l r. The elements of the model I are the irreducible ground terms. We define the interpretation of any function symbol f as follows: We shall have R is non-overlapping. f I (t 1,...,t n ) = f(t 1,...,t n ). R will be defined by induction on the atom ordering. 82

83 Model Construction Using induction on the ordering on atoms we build two sequences of rewriting systems R A and R A R A = B A R B; R A = R A or R A = R A {A} and then define R = A R A We will consider R (and all rewriting systems R A, R A ) as equational interpretations by defining def t R t, where the normal form is taken with respect to R. 83

84 Model Construction Let A be l r. We put A into R A if there exists a clause l r C in the saturated set such that 1. R A = l r C; 2. l r; 3. (l r) C; 4. l is irreducible w.r.t. R A ; 5. If (l r ) C, then R A = r r. 84

85 Model Construction Define R def A R A. Properties: 1. R is terminating; 2. R is non-overlapping (and so confluent); 3. Therefore R is convergent and every term has a unique normal form. Define the interpretation of every term t in I as its normal form l. In particular, we have Then I = l r if and only if l = r. 85

86 Automated Reasoning. IV Andrei Voronkov University of Manchester 86

87 Compactness Compactness Theorem Let S be a countably infinite set of clauses. Then S is unsatisfiable if and only if contains a finite unsatisfiable subset. 87

88 Perfect Model Given a total well-founded ordering on atoms, define an ordering > on interpretations (that is, sets of atoms), as following: def I 1 > I 2 ( A I 1 I 2 )( B A)(B I 1 B I 2 ). In other words, I 1 > I 2 iff either I 2 I 1 or the smallest element in in I 1 I 2 is greater than the smallest element in I 2 I 1. A model I of a set of clauses is called perfect if it is the least model of this set w.r.t. >. Theorem For a set of clauses without equality or as set of Horn clauses the model built in the model construction is the perfect model of the initial set of clauses S 0. As a consequence, it does not depend on the inference process. Note. Equality factoring can be replaced by another rule so that this theorem becomes true for arbitrary clauses. 88

89 Ingredients Ordering. Selection function σ. Calculus Sup,σ. How can we use these ideas to design a first-order superposition calculus? 89

90 Herbrand s Theorem For a set of clauses S denote by S the set of ground instances of clauses in S. Theorem Let S be a set of clauses. The following conditions are equivalent. 1. S is unsatisfiable; 2. S is unsatisfiable; Note that by compactness the last condition is equivalent to 3. there exists a finite unsatisfiable set of ground instances of clauses in S. The theorem reduces the problem of checking unsatisfiability of sets of arbitrary clauses to checking unsatisfiability of sets of ground clauses... The only problem is that S can be infinite even if S is finite. 90

91 Note on Herbrand s Theorem I will not use Herbrand s theorem. In fact, I will prove it as a consequence of a completeness theorem. 91

92 Lifting Lifting is a technique for proving completeness theorems in the following way: 1. Prove completeness of the system for a set of ground clauses; 2. Lift the proof to the non-ground case. 92

93 Lifting, Example Consider two (non-ground) clauses p(x,a) q 1 (x) and p(y,z) q 2 (y,z). If the signature contains function symbols, then both clauses have infinite sets of instances: {p(r,a) q 1 (r) { p(s,t) q 2 (s,t) r is ground} s,t are ground} We can resolve such instances if and only if r = s and t = a. Then we can apply the following inference p(s,a) q 1 (s) p(s,a) q 2 (s,a) q 1 (s) q 2 (s,a) (BR) But there is an infinite number of such inferences. 93

94 Lifting, Idea The idea is to represent an infinite number of ground inferences of the form p(s,a) q 1 (s) p(s,a) q 2 (s,a) q 1 (s) q 2 (s,a) (BR) by a single non-ground inference p(x,a) q 1 (x) p(y,z) q 2 (y,z) q 1 (y) q 2 (y,a) (BR) Is this always possible? 94

95 Yes! p(x,a) q 1 (x) p(y,z) q 2 (y,z) q 1 (y) q 2 (y,a) (BR) Note that the substitution {x y,z a} is a solution of the equation p(x,a) = p(y,z). 95

96 What should we lift? Ordering ; Selection function σ; Calculus Sup,σ. Most importantly, for the lifting to work we should be able to solve equations s = t between terms and between atoms. This can be done using most general unifiers. 96

97 Properties Theorem Let C be a clause and E a set of equations. Then {D C θ(cθ = D and θ is a solution to E)} = (Cmgs(E)). In other words, to find a set of ground instances of a clause C that also satisfy an equation E, take the most general solution σ of E and use ground instances of Cσ. 97

98 How to lift orderings? A substitution θ is grounding for an expression or a set of expressions E if Eθ is ground. Suppose we have a well-founded ordering on ground atoms. We can extend it to an ordering on non-ground terms in the following way: s t def for all substitutions θ grounding for s,t we have sθ tθ. Note that for every ordering defined in this way we have that s t implies sθ tθ for all substitutions θ (stability under substitutions). 98

99 Lifting orderings: problems The ordering cannot be total. Example: p(x) and p(y) cannot be compared. Checking s t for non-ground terms can be very complex even for trivial orderings for ground terms. Some total orderings on ground terms result in non-ground orderings that can distinguish too few non-ground terms. Example: p(x) and q(y) can be distinguished by some orderings but not all of them. 99

100 Requirements on Orderings The only conditions we impose on the orderings are the following: is a total simplification ordering on ground terms. is stable under grounding substitutions: s t for all substitutions θ grounding for s,t we have sθ tθ. 100

101 Selection Function A literal selection function selects literals in a clause. If C is non-empty, then at least one literal is selected in C. A literal selection function is well-behaved if If all selected literals are positive, then all maximal (w.r.t. ) literals in C are selected. In other words, either a negative literal is selected, or all maximal literals must be selected. Note that now we sometimes must select more than one different literal in a clause. Example: p(x) p(y). 101

102 Redundancy A clause C is called redundant w.r.t. S if for every clause D C we have S D = D. A clause C is called redundant in S if C is redundant w.r.t. S {C}. 102

103 Some corollaries of completeness Theorem If C is a satisfiable set of clauses of a signature Σ then it has a model that is a factor-algebra of TA(Σ) (an extension of term algebra of TA(Σ) of clauses do not contain equality). Theorem Let S be a set of clauses. Then S is unsatisfiable if and only if so is S. By (ground) compactness we obtain. Herbrand s Theorem Let S be a set of clauses. Then S is unsatisfiable if and only if some finite subset of S is unsatisfiable. Theorem (Compactness) Let S be a set of clauses. Then S is unsatisfiable if and only if has an unsatisfiable finite subset. 103

104 Equality. Atom and Literal Orderings Comparison between a positive and a negative literal is slightly different from the non-equality case. In the non-equality case A L A is impossible. In the equality case the ordering is defined as follows. Suppose l r and s t. Then If l s, then If l = s, then (l r) (l r) (s t) (s t). (l r) (l t) and (l t) (l r). 104

105 The Non-Ground Superposition Inference System Superposition: l r C s[l ] t D (s[r] t C D)θ (Sup), l r C s[l ] t D (s[r] t C D)θ (Sup), where 1. θ is an mgu of l and l ; 2. l is not a variable; 3. rθ lθ; 4. tθ s[l ]θ. 105

106 The Non-Ground Superposition Inference System Equality Resolution: s s C Cθ (ER), where θ is an mgu of s and s. Equality Factoring: l r l r C (l r r r C)θ (EF), where θ is an mgu of l and l, rθ lθ, r θ lθ, and r θ rθ, 106

107 Completeness by Lifting? Use ground instances everywhere and the previously formulated property of most general unifiers. This would work for logic without equality, but for logic with equality a technical problem appears. 107

108 Example of Non-Liftable Inference Ground inference: a b f(a) g(a) f(b) g(a) (Sup) Non-ground inference: a b f(x) g(x)??? There is a problem when we apply superposition into a position obtained by instantiating a variable. 108

109 Lifting Argument In the non-equality case we can considered the set Sω = C. C S ω that is, the set of ground instances of clauses in the limit. For clauses with equality we consider the set of all irreducible ground instances of clauses in the limit. 109

110 From theory to practice Superposition system; Orderings;????? 110

111 From theory to practice Superposition system; Orderings; Selection functions; Fairness (saturation algorithms); Redundancy. 111

112 Fair Saturation Algorithms? search space 112

113 Saturation Algorithms: Inference Selection by Clause Selection given clause search space 113

114 Saturation Algorithms: Inference Selection by Clause Selection given clause candidate clauses search space 114

115 Saturation Algorithms: Inference Selection by Clause Selection children given clause candidate clauses search space 115

116 Saturation Algorithms: Inference Selection by Clause Selection children given clause candidate clauses search space 116

117 Saturation Algorithm Even when we implement inference selection by clause selection, there are too many inferences, especially when the search space grows. Solution: only apply inferences to the selected clause and the previously selected clauses. Thus, the search space is divided in two parts: active clauses, that participate in inferences; passive clauses, that do not participate in inferences. Observation: the set of passive clauses is usually considerably larger than the set of active clauses, often by 2-4 orders of magnitude (depending on the saturation algorithm). 117

118 Redundancy in the Non-Ground Case A clause C is redundant in S if every ground instance of C is redundant in (S {C}). Suppose that S contains no redundant clauses. How can a redundant clause appear in the inference process? Only when a new clause (a child of a selected clause) has been generated by an inference. Two cases: The child is redundant; The child makes one of the clauses in the search space redundant. 118

119 Checking Redundancy This classification of redundancy checks: The child is redundant; The child makes one of the clauses in the search space redundant. assumes that we use some fair strategy and perform these checks after every inference that generates a new clause. In fact, one can do better. 119

120 Demodulation, Ground Case Consider an example. l r L[l] D L[r] D (Dem), where l r and L[l] D (l r). Note that 1. L[r] D,l r = L[l] D; 2. L[l] D L[r] D; 3. L[l] D l r. That is, L[l] D becomes redundant after we add L[r] D to the search space. 120

121 Demodulation, Non-Ground Case l r L[l ] D L[rθ] D (Dem), where lθ = l, lθ rθ, and (L[l ] D)θ (lθ rθ). A more clear explanation: l r L[lθ] D L[rθ] D (Dem), where lθ rθ, and (L[l ] D)θ (lθ rθ). 121

122 Generating and Simplifying Inferences An inference C 1... C n C. is called simplifying if at least one premise C i becomes redundant after the addition of the conclusion C to the search space. We then say that C i is simplified into C. A non-simplifying inference is called generating. Note. The property of being simplifying is undecidable. So is the property of being redundant. So in practice we employ sufficient conditions for simplifying inferences and for redundancy. Idea: try to search for simplifying inferences bypassing the strategy for inference selection. 122

123 Generating and Simplifying Inferences Two main implementation principles: apply simplifying inferences checking for simplifying inferences eagerly; should pay off; apply generating inferences lazily. so it must be cheap. 123

124 Redundancy Checking Redundancy-checking occurs upon addition of a new clause C. It works as follows Retention test: check if C is redundant. Forward simplification: check if C can be simplified using a simplifying inference. Backward simplification: check if C simplifies or makes redundant an old clause. 124

125 Examples Retention test: tautology-check; subsumption. (A clause C subsumes a clause D if there exists a substitution θ such that Cθ is a submultiset of D.) Simplification: demodulation (forward and backward); subsumption resolution (forward and backward). 125

126 Some redundancy criteria are expensive Tautology-checking is based on congruence closure. Subsumption and subsumption resolution are NP-complete. 126

127 Observations There may be chains (repeated applications) of forward simplifications. After a chain of forward simplifications another retention test can (should) be done. Backward simplification is often expensive. In practice, the retention test may include other checks, resulting in the loss of completeness, for example, we may decide to discard too heavy clauses. 127

128 Saturation Algorithm A saturation algorithm tries to saturate a set of clauses with respect to a given inference system. In theory there are three possible scenarios: 1. At some moment the empty clause is generated, in this case the input set of clauses is unsatisfiable. 2. Saturation will terminate without ever generating, in this case the input set of clauses in satisfiable. 3. Saturation will run forever, but without generating. In this case the input set of clauses is satisfiable. 128

129 Saturation algorithm search space 129

130 Saturation algorithm given clause search space 130

131 Saturation algorithm given clause candidate clauses search space 131

132 Saturation algorithm children given clause candidate clauses search space 132

133 Saturation algorithm children given clause candidate clauses search space 133

134 Saturation algorithm search space 134

135 Saturation algorithm search space 135

136 Saturation algorithm search space goal (empty) clause 136

137 Most likely scenario search space 137

138 Saturation Algorithm in Practice In practice there are three possible scenarios: 1. At some moment the empty clause is generated, in this case the input set of clauses is unsatisfiable. 2. Saturation will terminate without ever generating, in this case the input set of clauses in satisfiable. 3. Saturation will run until we run out of resources, but without generating. In this case it is unknown whether the input set is unsatisfiable. 138

139 How to Design a Good Saturation Algorithm? A saturation algorithm must be fair: every possible generating inference must eventually be selected. Two main implementation principles: apply simplifying inferences checking for simplifying inferences eagerly; should pay off; apply generating inferences lazily. so it must be cheap. 139

140 Given Clause Algorithm (no Simplification) input: init: set of clauses; var active, passive, queue: sets of clauses; var current: clauses ; active := ; passive := init; while passive do * current := select(passive); (* clause selection *) move current from passive to active; * queue:=infer(current, active); (* generating inferences *) if queue then return unsatisfiable; passive := passive queue od; return satisfiable 140

141 Given Clause Algorithm (with Simplification) In fact, there is more than one

142 Otter vs. Discount Saturation Otter saturation algorithm: active clauses participate in generating and simplifying inferences; passive clauses participate in simplifying inferences. Discount saturation algorithm: active clauses participate in generating and simplifying inferences; passive clauses do not participate in inferences. 142

143 Otter vs. Discount Saturation, Newly Generated Clauses Otter saturation algorithm: active clauses participate in generating and simplifying inferences; new clauses participate in simplifying inferences; passive clauses participate in simplifying inferences. Discount saturation algorithm: active clauses participate in generating and simplifying inferences; new clauses participate in simplifying inferences; passive clauses do not participate in inferences. 143

144 Otter vs. Discount Saturation, Newly Generated Clauses Otter saturation algorithm: active clauses participate in generating inferences with the selected clause and simplifying inferences with new clauses; new clauses participate in simplifying inferences with all clauses; passive clauses participate in simplifying inferences with new clauses. Discount saturation algorithm: active clauses participate in generating inferences and simplifying inferences with the selected clause and simplifying inferences with the new clauses; new clauses participate in simplifying inferences with the selected and active clauses; passive clauses do not participate in inferences. 144

145 Otter Saturation Algorithm input: init: set of clauses; var active, passive, unprocessed : set of clauses; var given, new : clause; active := ; unprocessed := init; loop while unprocessed new:=pop(unprocessed); if new = then return unsatisfiable; * if retained(new) then (* retention test *) * simplify new by clauses in active passive ; (* forward simplification *) if new = then return unsatisfiable; * if retained(new) then (* another retention test *) * delete and simplify clauses in active and (* backward simplification *) passive using new ; move the simplified clauses to unprocessed ; add new to passive if passive = then return satisfiable or unknown * given := select(passive); (* clause selection *) move given from passive to active; * unprocessed:=infer(given, active); (* generating inferences *) 145

146 Discount Saturation Algorithm input: init: set of clauses; var active, passive, unprocessed : set of clauses; var given, new : clause; active := ; unprocessed := init; loop while unprocessed new:=pop(unprocessed); if new = then return unsatisfiable; * if retained(new) then (* retention test *) * simplify new by clauses in active ; (* forward simplification *) if new = then return unsatisfiable; * if retained(new) then (* retention test *) * delete and simplify clauses in active using new ; (* backward simplification *) move the simplified clauses to unprocessed ; add new to passive if passive = then return satisfiable or unknown * given := select(passive); (* clause selection *) * simplify given by clauses in active; (* forward simplification *) * if given = then return unsatisfiable; if retained(given) then (* retention test *) * delete and simplify clauses in active using given; (* backward simplification *) move the simplified clauses to unprocessed ; add given to active; unprocessed:=infer(given, active); (* generating inferences *) 146

147 Age-Weight Ratio and Limited Resource Strategy How to select clauses? use an age-weight ratio a : w: of each a + w clauses select a oldest and w lightest clauses. Limited Resource Strategy: try to approximate which clauses are unreachable by the end of the time limit and remove them from the search space. 147

148 Term Indexing Given a set L (the set of indexed terms), a binary relation R over terms (the retrieval condition) and a term t (called the query term), identify the subset M of L consisting of all of the terms l such that R(l,t) holds. 148

149 The anatomy of VAMPIRE Flatterms in constant memory for storing temporary clauses. Code trees for forward subsumption; Code trees with precompiled ordering constraints for forward simplification by unit equalities; Discrimination trees and perfectly shared terms for storing clauses; Shared terms with renaming lists for backward simplification by unit equalities; Path index with compiled database joins for backward subsumption. 149

150 General Overview of Implementation Things to implement: Preprocessing; Saturation algorithm(s); Generating inferences; Simplifying inferences. Selection function(s); Clause selection(s). 150

151 VAMPIRE s preprocessor 1. Rectify the formula. 2. If the formula contains any occurrence of or, simplify the formula. 3. Flatten the formula. 4. (*) Remove equality axioms. 5. (Optional) Remove unused predicate definitions. 6. Convert the formula into equivalence negation normal form. 7. Flatten the formula again. 8. Use a naming technique to replace some subformulas by their names. 9. Convert the formula into negation normal form. 10. Flatten the formula again. 11. (Optional) Miniscope the formula. 151

152 12. Skolemize the formula. 13. (*) Determine a literal ordering to be used. 14. Transform the formula into its conjunctive normal form. 15. (Optional) Perform function definition elimination. 16. Remove tautologies. 17. Apply pure literal elimination. 18. Remove clausal definitions. There are more... (*) Means that for CNF inputs there is a corresponding simplification on clauses. 152

153 Generating Inferences Resolution. Factoring. Forward superposition. Backward superposition. Equality resolution. Equality factoring. 153

154 Splitting Without Backtracking The idea is to simulate propositional splitting. Suppose that C D is a clause in the search space and the clauses C and D have no common variables. Introduce a new propositional symbol p and replace C D by C p D p 154

155 Splitting Without Backtracking as Naming Component: a clause without propositional symbols that cannot be split in two proper components without common variables. For each component C introduce a name (a new propositional symbol p C ). C D D p C C p C where C and D have no common variables and D has at least one non-propositional symbol. 155

156 Simplifying and Deletion Inferences Forward subsumption. Backward subsumption. Forward demodulation. Backward demodulation. Forward subsumption resolution. Backward subsumption resolution. Tautology-checking. 156

157 Selection Functions It turns out that using incomplete selection may solve lots of problems that cannot be solved using complete selection. 157

158 Clause Selection Still not understood properly. 158

159 Memory Management All the top first-order provers implement their own memory management. 159

160 Ordering used in VAMPIRE 1. KBO, by default: all symbol weights are 1; the symbol precedence is based on the arity of symbols (if arity(f) > arity(g), then f g) and in addition uses some information 2. LPO. about the number of their occurrences in the goal and axioms. In future instances of orderings will be selected automatically for known axiomatizations. 160

161 Future? 161

162 Built-in theories (Presburger) arithmetic; Real arithmetic; Temporal intervals, orders, common data types... ; AC. Libraries of axioms/theorems about commonly used data types and theories. Built-in inductively defined data types. Limited forms of induction. 162

163 Assisting Proof Assistants Limited forms of higher-order reasoning. Inductively defined data types and induction. 163

164 Ontology Reasoning Properties: Very large collections of formulas; (Most of) the formulas are of a special form; Both query answering and theorem proving are required. Solutions: Pre-filtering will be required; Processing of a huge amount of simple records: database technology; Built-in data types. 164

165 Literature Alan Robinson, Andrei Voronkov (eds). The Handbook of Automated Reasoning. Vol. I, II.. 165

166 VAMPIRE Chris Weidenbach: A dark side of theorem proving. Anonymous referee: VAMPIRE is not a glass of Tuborg. 166

167 That s all Thank you!