This paper proves the decidability of a non-Horn extension of the monadic shallow linear first-order fragment by using ordered resolution with dismatching constraints, enabling more expressive logical reasoning.
Contribution
It introduces a novel decidability result for the non-Horn monadic shallow linear fragment using ordered resolution with dismatching constraints.
Findings
01
Decidability of the non-Horn monadic shallow linear fragment established
02
Extension of ordered resolution with dismatching constraints demonstrated
03
Applications in security protocols and automata discussed
Abstract
The monadic shallow linear Horn fragment is well-known to be decidable and has many application, e.g., in security protocol analysis, tree automata, or abstraction refinement. It was a long standing open problem how to extend the fragment to the non-Horn case, preserving decidability, that would, e.g., enable to express non-determinism in protocols. We prove decidability of the non-Horn monadic shallow linear fragment via ordered resolution further extended with dismatching constraints and discuss some applications of the new decidable fragment.
S1(x1)σ,…,Sn(xn)σ→S(f(y1,…,yk)),Δ with σ={z1↦y1,…}.
(B)
S1(x1),…,Sn(xn)→S(f(y1,…,yk)),Δ.
(C)
S1(x1),…,Sn(xn)→S(y),Δ.
L′δ⇒D(L,r) if L′δ∈D and [r,L,(C;π),N]⇒A∗[ε,L′,(C′;π′),N′]
L′δ⇒D(L,r) if L′δ∈D and [r,L,(C;π),N]⇒A∗[ε,L′,(C′;π′),N′]
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsFormal Methods in Verification · Logic, programming, and type systems · semigroups and automata theory
Full text
11institutetext: Max-Planck Institut für Informatik, Saarland Informatics Campus,
66123 Saarbrücken
Germany 22institutetext: Graduate School of Computer Science, Saarbrücken, Germany
Decidability of the Monadic Shallow Linear First-Order Fragment with Straight Dismatching Constraints
Andreas Teucke
1122
Christoph Weidenbach
11
Abstract
The monadic shallow linear Horn fragment is well-known to be decidable and
has many application, e.g., in security protocol analysis, tree automata,
or abstraction refinement. It was a long standing open problem how to extend
the fragment to the non-Horn case, preserving decidability, that would, e.g., enable to express non-determinism
in protocols. We prove decidability of the non-Horn monadic shallow linear
fragment via ordered resolution further extended with dismatching constraints
and discuss some applications of the new decidable fragment.
1 Introduction
Motivated by the automatic analysis of security protocols,
the monadic shallow linear Horn (MSLH) fragment was shown to be decidable in [21].
In addition to the restriction to monadic Horn clauses, the main restriction of the fragment
is positive literals of the form S(f(x1,…,xn)) or S(x) where all xi are different, i.e., all terms are shallow
and linear. The fragment can be finitely saturated by superposition (ordered resolution) where negative literals
with non-variable arguments are always selected. As a result, productive clauses with respect to the
superposition model operator IN have the form S1(x1),…,Sn(xn)→S(f(x1,…,xn)).
Therefore, the models of saturated MSLH clause sets can both be represented by tree automata [6] and shallow linear
sort theories [8]. The models are typically infinite. The decidability result of MSLH clauses was rediscovered in the
context of tree automata research [7] where in addition DEXPTIME-completeness of the MSLH
fragment was shown. The fragment was further extended by disequality constraints [12, 13] still motivated
by security protocol analysis [14]. Although from a complexity point of view, the difference between
Horn clause fragments and the respective non-Horn clause fragments is typically reflected by membership in the deterministic vs. the
non-deterministic respective complexity fragment, for monadic shallow linear clauses so far there was no decidability
result for the non-Horn case.
The results of this paper close this gap. We show the monadic shallow linear non-Horn (MSL) clause fragment
to be decidable by superposition (ordered resolution). From a security protocol application point of view,
non-Horn clauses enable a natural representation of non-determinism. Our second extension to the fragment are
unit clauses with disequations of the form s≈t, where s and t are not unifiable. Due to the
employed superposition calculus, such disequations do not influence saturation of an MSL clause set, but have an effect
on potential models. They can rule out identification of syntactically different ground terms as it is, e.g., desired in the security
protocol context for syntactically different messages or nonces. Our third extension to the fragment
are straight dismatching constraints. These constraints are incomparable to the disequality constraints mentioned above [12, 13].
They do not strictly increase the expressiveness of the MSL theory, but enable up to exponentially more compact
saturations. For example, the constrained clause
(S(x),T(y)→S(f(x,y));y=f(x′,f(a,y′)))
over constants a,b describes the same set of ground clauses as the six unconstrained clauses
S(x),T(a)→S(f(x,a))S(x),T(b)→S(f(x,b))…
S(x),T(f(b,y′))→S(f(x,f(b,y′)))
S(x),T(f(f(x′′,y′′),y′))→S(f(x,f(f(x′′,y′′),y′)).
Furthermore, for a satisfiability equivalent transformation into MSL clauses,
the nested terms in the positive literals would have to be factored out by the introduction of further predicates and clauses.
E.g., the first clause is replaced by the two MSL clauses S(x),T(a),R(y)→S(f(x,y)) and R(a) where
R is a fresh monadic predicate. The constrained clause belongs to the MSL(SDC) fragment.
Altogether, the resulting MSL(SDC) fragment is shown to be decidable in Section 3.
The introduction of straight dismatching constraints (SDCs) enables an improved refinement step of our
approximation refinement calculus [18]. Before, several clauses were needed to rule
out a specific instance of a clause in an unsatisfiable core.
For example, if due to a linearity approximation from clause S(x),T(x)→S(f(x,x)) to
S(x),T(x),S(y),T(y)→S(f(x,y)) an instance {x↦f(a,x′), y↦f(b,y′)} is
used in the proof, before [18] several clauses were needed to replace S(x),T(x)→S(f(x,x)) in
a refinement step in order to rule out this instance. With straight dismatching constraints the clause
S(x),T(x)→S(f(x,x)) is replaced by the two clauses
S(f(a,x)),T(f(a,x))→S(f(f(a,x),f(a,x))) and (S(x),T(x)→S(f(x,x));x=f(a,y)).
For the improved approximation refinement approach (FO-AR) presented in this paper,
any refinement step results in just two clauses, see Section 4. The additional expressiveness of constraint clauses comes
almost for free, because necessary computations, like, e.g., checking emptiness of SDCs, can all be done in polynomial time,
see Section 2.
In addition to the extension of the known MSLH decidability result and the improved approximation refinement calculus FO-AR,
we discuss in Section 5 the potential of the MSL(SDC) fragment in the context of
FO-AR, Theorem 4.1, and its prototypical implementation in SPASS-AR (http://www.mpi-inf.mpg.de/fileadmin/inf/rg1/spass-ar.tgz).
It turns out that for clause sets containing certain structures, FO-AR
is superior to ordered resolution/superposition [1] and instance generating methods [10].
The paper ends with a discussion
on challenges and future research directions, Section 6.
2 First-Order Clauses with Straight Dismatching Constraints: MSL(SDC)
We consider a standard first-order language where
letters v,w,x,y,z denote variables, f,g,h functions, a,b,c constants, s,t terms, p,q,r positions and Greek letters σ,τ,ρ,δ are used for substitutions.
S,P,Q,R denote predicates, ≈ denotes equality, A,B atoms, E,L literals, C,D clauses, N clause sets and V sets of variables.
L is the complement of L.
The signature Σ=(F,P) consists of two disjoint, non-empty, in general infinite sets of function and predicate symbols
F and P, respectively.
The set of all terms over variables V is T(F,V).
If there are no variables, then terms, literals and clauses are called ground, respectively.
A substitutionσ is denoted by pairs {x↦t} and its update at x by σ[x↦t].
A substitution σ is a grounding substitution for V if xσ is ground for every variable x∈V.
The set of free variables of an atom A (term t) denoted by vars(A) (vars(t)).
A position is a sequence of positive integers, where ε denotes the empty position.
As usual t∣p=s denotes the subterm s of t at position p, which we also write as t[s]p,
and t[p/s′] then denotes the replacement of s with s′ in t at position p.
These notions are extended to literals and multiple positions.
A predicate with exactly one argument is called monadic.
A term is complex if it is not a variable and shallow if it has at most depth one.
It is called linear if there are no duplicate variable occurrences.
A literal, where every argument term is shallow, is also called shallow.
A variable and a constant are called straight.
A term f(s1,…,sn) is called straight, if s1,…,sn are different variables except for at most one straight term si.
A clause is a multiset of literals which we write as an implication Γ→Δ
where the atoms in the multiset Δ (the* succedent*) denote the positive literals and the atoms in the multiset Γ (the antecedent) the negative literals.
We write □ for the empty clause.
If Γ is empty we omit →, e.g., we can write P(x) as an alternative of →P(x).
We abbreviate disjoint set union with sequencing, for example, we write Γ,Γ′→Δ,L instead
of Γ∪Γ′→Δ∪{L}.
A clause E,E,Γ→Δ is equivalent to E,Γ→Δ and we call them equal modulo duplicate literal elimination.
If every term in Δ is shallow, the clause is called positive shallow.
If all atoms in Δ are linear and variable disjoint, the clause is called positive linear.
A clause Γ→Δ is called an MSL clause, if it is (i) positive shallow and linear, (ii) all occurring predicates are monadic,
(iii) no equations occur in Δ, and (iv) no equations occur in Γ or Γ={s≈t} and Δ is empty
where s and t are not unifiable.
MSL is the first-order clause fragment consisting of MSL clauses.
Clauses Γ,s≈t→Δ where Γ, Δ are non-empty and s,t are not unifiable
could be added to the MSL fragment without changing any of our results.
Considering the superposition calculus, it will select s≈t.
Since the two terms are not unifiable, no inference will take place on such a clause and the clause will not
contribute to the model operator.
In this sense such clauses do not increase the expressiveness of the fragment.
An atom ordering≺ is an irreflexive, well-founded, total ordering on ground atoms.
It is lifted to literals by representing A and ¬A as multisets {A} and {A,A}, respectively.
The multiset extension of the literal ordering induces an ordering on ground clauses.
The clause ordering is compatible with the atom ordering; if the maximal atom in C is greater than the maximal atom in D then D≺C.
We use ≺ simultaneously to denote an atom ordering and its multiset, literal, and clause extensions.
For a ground clause set N and clause C, the set N≺C={D∈N∣D≺C} denotes the clauses of N smaller than C.
A Herbrand interpretationI is a - possibly infinite - set of ground atoms.
A ground atom A is called true in I if A∈I and false, otherwise.
I is said to satisfy a ground clause C=Γ→Δ, denoted by I⊨C, if Δ∩I=∅ or Γ⊆I.
A non-ground clause C is satisfied by I if I⊨Cσ for every grounding substitution σ.
An interpretation I is called a model of N, I⊨N, if I⊨C for every C∈N.
A model I of N is considered minimal with respect to set inclusion, i.e., if there is no model I′ with I′⊂I and I′⊨N.
A set of clauses N is satisfiable, if there exists a model that satisfies N.
Otherwise, the set is unsatisfiable.
A disequation t=s is an atomic straight dismatching constraint
if s and t are variable disjoint terms and s is straight.
A straight dismatching constraint π is a conjunction of atomic straight dismatching constraints.
Given a substitution σ, πσ=⋀i∈Itiσ=si.
lvar(π):=⋃i∈Ivars(ti) are the left-hand variables of π
and the depth of π is the maximal term depth of the si.
A solution of π is a grounding substitution δ
such that for all i∈I, tiδ is not an instance of si,
i.e., there exists no σ such that tiδ=siσ.
A dismatching constraint is solvable if it has a solution and unsolvable, otherwise.
Whether a straight dismatching constraint is solvable, is decidable in linear-logarithmic time [19].
⊤ and ⊥ represent the true and false dismatching constraint, respectively.
We define constraint normalization π↓ as the normal form of the following rewriting rules over straight dismatching constraints.
π∧f(t1,…,tn)=y⇒⊥
π∧f(t1,…,tn)=f(y1,…,yn)⇒⊥
π∧f(t1,…,tn)=f(s1,…,sn)⇒π∧ti=si if si is complex
π∧f(t1,…,tn)=g(s1,…,sm)⇒π
π∧x=s∧x=sσ⇒π∧x=s
Note that f(t1,…,tn)=f(s1,…,sn) normalizes to ti=si for some i,
where si is the one straight complex argument of f(s1,…,sn).
Furthermore, the depth of π↓ is less or equal to the depth of π and both have the same solutions.
A pair of a clause and a constraint (C;π) is called a constrained clause.
Given a substitution σ, (C;π)σ=(Cσ;πσ).
Cδ is called a ground clause of (C;π) if δ is a solution of π.
G((C;π)) is the set of ground instances of (C;π).
If G((C;π))⊆G((C′;π′)), then (C;π) is an instance of (C′;π′).
If G((C;π))=G((C′;π′)), then (C;π) and (C′;π′) are called variants.
A Herbrand interpretation I satisfies (C;π), if I⊨G((C;π)).
A constrained clause (C;π) is called redundant in N
if for every D∈G((C;π)),
there exist D1,…,Dn in G(N)≺D such that D1,…,Dn⊨D.
A constrained clause (C′;π′) is called a condensation of (C;π) if C′⊂C and
there exists a substitution σ such that, πσ=π′, π′⊆π, and
for all L∈C there is an L′∈C′ with Lσ=L′.
A finite unsatisfiable subset of G(N) is called an unsatisfiable core of N.
An MSL clause with straight dismatching constraints is called an MSL(SDC) clause
with MSL(SDC) being the respective first-order fragment.
Note that any clause set N can be transformed into an equivalent constrained clause set
by changing each C∈N to (C;⊤).
3 Decidability of the MSL(SDC) fragment
In the following we will show that the satisfiability of the MSL(SDC) fragment is decidable.
For this purpose we will define ordered resolution with selection on constrained clauses [19] and
show that with an appropriate ordering and selection function, saturation of an MSL(SDC) clause set terminates.
For the rest of this section we assume an atom ordering ≺ such that a literal ¬Q(s) is not greater than a literal P(t[s]p),
where p=ε. For example, a KBO where all symbols have weight one
has this property.
Definition 1 (sel)
Given an MSL(SDC) clause (C;π)=(S1(t1),…,Sn(tn)→P1(s1),…,Pm(sm);π).
The Superposition Selection function sel is defined by Si(ti)∈sel(C) if
(1) ti is not a variable or
(2) t1,…,tn are variables and ti∈/vars(s1,…,sm) or
(3) {t1,…,tn}⊆vars(s1,…,sm) and for some 1≤j≤m, sj=ti.
The selection function sel (Definition 1) ensures that a clause Γ→Δ can only be resolved on a positive literal
if Γ contains only variables, which also appear in Δ at a non-top position.
For example:
Note that given an MSL(SDC) clause (C;π)=(S1(t1),…,Sn(tn)→P1(s1),…Pm(sm);π),
if some Si(ti) is maximal in C, then at least one literal is selected.
Definition 2
A literal A is called [strictly] maximal in a constrained clause (C∨A;π)
if and only if there exists a solution δ of π such that for all literals B in C,
Bδ⪯Aδ[Bδ≺Aδ].
Definition 3 (SDC-Resolution)
[TABLE]
[TABLE]
Definition 4 (SDC-Factoring)
[TABLE]
[TABLE]
Note that while the above rules do not operate on equations,
we can actually allow unit clauses that consist of non-unifiable disequations, i.e.,
clauses s≈t→ where s and t are not unifiable.
There are no potential superposition inferences on such clauses as long as there
are no positive equations. So resolution and factoring suffice for completeness.
Nevertheless, clauses such as s≈t→ affect the models of satisfiable problems.
Constrained Resolution and Factoring are sound.
Lemma 1 (Soundness)
SDC-Resolution and SDC-Factoring are sound.
Proof
Let (Γ1,Γ2→Δ1,Δ2)σδ be a ground instance of ((Γ1,Γ2→Δ1,Δ2)σ;(π1∧π2)σ).
Then, δ is a solution of (π1∧π2)σ and σδ is a solution of π1 and π2.
Hence, (Γ1→Δ1,A)σδ and (Γ2,B→Δ2)σδ are ground instances of (Γ1→Δ1,A;π1) and (Γ2,B→Δ2;π2), respectively.
Because Aσδ=Bσδ, if (Γ1→Δ1,A)σδ and (Γ2,B→Δ2)σδ are satisfied, then (Γ1,Γ2→Δ1,Δ2)σδ is also satisfied.
Therefore, SDC-Resolution is sound.
Let (Γ→Δ,A)σδ be a ground instance of ((Γ→Δ,A)σ;πσ).
Then, δ is a solution of πσ and σδ is a solution of π.
Hence, (Γ→Δ,A,B)σδ is a ground instance of (Γ→Δ,A,B;π).
Because Aσδ=Bσδ, if (Γ→Δ,A,B)σδ is satisfied, then (Γ→Δ,A)σδ is also satisfied.
Therefore, SDC-Factoring is sound.∎
Definition 5 (Saturation)
A constrained clause set N is called saturated up to redundancy, if for every inference between clauses in N
the result (R;π) is either redundant in N or G((R;π))⊆G(N).
Note that our redundancy notion includes condensation and the condition G((R;π))⊆G(N) allows ignoring variants
of clauses.
Lemma 2
Let constrained clause (C′;π′) be a condensation of constrained clause (C;π).
Then, (i)(C;π)⊨(C′;π′) and (ii)(C;π) is redundant in {(C′;π′)}.
Proof
Let σ be a substitution such that C′⊂C, πσ=π′,
π′⊆π, and for all L∈C there is a L′∈C′ with Lσ=L′.
(i) Let C′δ∈G((C′;π′)).
Then σδ is a solution of π and hence Cσδ∈G((C;π)).
Let I⊨Cσδ. Hence, there is a Lσδ∈I for some L∈C and thus L′δ∈I for some L′∈C′ with Lσ=L′.
Therefore, I⊨C′δ. Since I and C′δ were arbitrary, (C;π)⊨(C′;π′).
(ii) Let Cδ∈G((C;π)). Because π′⊆π, δ is a solution of π′ and hence, C′δ∈G((C′;π′)).
Therefore, since C′δ⊂Cδ, C′δ∈G({(C′;π′)})≺Cδ and C′δ⊨Cδ.∎
Definition 6 (Partial Minimal Model Construction)
Given a constrained clause set N, an ordering ≺ and the selection function sel, we construct an interpretation IN for N, called a partial model, inductively as follows:
[TABLE]
Clauses D with δD=∅ are called productive.
Lemma 3 (Ordered SDC Resolution Completeness)
Let N be a constrained clause set saturated up to redundancy by ordered SDC-resolution with selection.
Then N is unsatisfiable, if and only if □∈G(N). If □∈G(N) then IN⊨N.
Proof
Assume N is unsatisfiable but □∈G(N).
For the partial model IN, there exists a minimal false clause Cσ∈G((C;π)) for some (C;π)∈N.
Cσ is not productive, because otherwise IN⊨Cσ.
Hence, either sel(C)=∅ or no positive literal in Cσ is strictly maximal.
Assume C=Γ2,B→Δ2 with B∈sel(C) or ¬Bσ maximal.
Then, Bσ∈ICσ and there exists a ground instance (Γ1→Δ1,A)τ=Dτ≺Cσ of some clause (D;π′)∈N,
which produces Aτ=Bσ.
Therefore, there exists a ρ=mgu(A,B) and ground substitution δ
such that Cσ=Cρδ, Dτ=Dρδ.
Since ρδ=σ is a solution of π and π′, δ is a solution of (π∧π′)ρ.
Under these conditions, SDC-Resolution can be applied to (Γ1→Δ1,A;π′) and (Γ2,B→Δ2;π).
Their resolvent (R;πR)=((Γ1,Γ2→Δ1,Δ2)ρ;(π∧π′)ρ) is either redundant in N or G((R;πR))⊆G(N).
Its ground instance Rδ is false in IN and Rδ≺Cσ.
If (R;πR) is redundant in N, there exist C1,…,Cn in G(N)≺Rδ with C1,…,Cn⊨Rδ.
Because Ci≺Rδ≺Cσ, IN⊨Ci and hence IN⊨Rδ, which contradicts IN⊨Rδ.
Otherwise, if G((R;πR))⊆G(N), then Rδ∈G(N), which contradicts Cσ being minimal false.
Now, assume sel(C)=∅ and C=Γ→Δ,B with Bσ maximal.
Then, C=Γ→Δ′,A,B with Aσ=Bσ.
Therefore, there exists a ρ=mgu(A,B) and ground substitution δ
such that Cσ=Cρδ and ρδ is a solution of π.
Hence, δ is a solution of πρ.
Under these conditions, SDC-Factoring can be applied to (Γ→Δ′,A,B;π).
The result (R;πR)=((Γ→Δ′,A)ρ;πρ)
is either redundant in N or G((R;πR))⊆G(N).
Its ground instance Rδ is false in IN and Rδ≺Cσ.
If (R;πR) is redundant in N, there exist C1,…,Cn in G(N)≺Rδ with C1,…,Cn⊨Rδ.
Because Ci≺Rδ≺Cσ, IN⊨Ci and hence IN⊨Rδ, which contradicts IN⊨Rδ.
Otherwise, if G((R;πR))⊆G(N), then Rδ∈G(N), which contradicts Cσ being minimal false.
Therefore, if □∈G(N), no minimal false clause exists and IN⊨N. ∎
Lemma 4
*Let N be a set of MSL(SDC) clauses without variants or uncondensed clauses over a finite signature Σ.
N is finite if there exists an integer d such that for every (C;π)∈N, depth(π)≤d and
with t shallow and linear, and vars(t)∩vars(Δ)=∅.*
Proof
Let (C;π)∈N.
(C;π) can be separated into variable disjoint components (Γ1,…,Γn→Δ1,…,Δn;π1∧…∧πn),
where ∣Δi∣≤1 and lvar(πi)⊆vars(Γi→Δi).
For each positive literal P(s)∈Δ there is a fragment
[TABLE]
Since there are only finitely many terms s with depth(s)≤d modulo renaming,
there are only finitely many atomic constraints x=s for a given variable x different up to renaming s.
Thus, a normal constraint can only contain finitely many combinations of subconstraints ⋀i∈Ix=si without some si being an instance of another sj.
Therefore, for a fixed set of variables x1,…,xk, there are only finitely many constraints π=⋀i∈Izi=si with lvar(π)⊆{x1,…,xk} up to variants.
Since the number of predicates, function symbols, and their ranks is finite,
the number of possible shallow and linear atoms S(t) different up to variants is finite.
For a given shallow and linear t, there exist only finitely many clauses of the form (S1(t),…,Sn(t)→S(t);π) or (S1(t),…,Sn(t)→;π) with lvar(π)⊆vars(t) modulo condensation and variants.
For a fixed set of variables x1,…,xk, there exist only finitely many clauses of the form (S1(y1),…,Sk(yl)→;π) with {y1,…,yl}∪lvar(π)⊆{x1,…,xk} modulo condensation and variants.
Therefore, there are only finitely many distinct clauses of each form (A)-(D) without variants or condensations.
If in the clause (C;π)=(Γ1,…,Γn→Δ1,…,Δn;π1∧…∧πn) for some i=j, (Γi→Δi;πi) is a variant of (Γj→Δj;πj),
then (C;π) has a condensation and is therefore not part of N.
Hence, there can be only finitely many different (C;π) without variants or condensations and thus N is finite. ∎
Lemma 5 (Finite Saturation)
Let N be an MSL(SDC) clause set.
Then N can be finitely saturated up to redundancy by SDC-resolution with selection function sel.
Proof
The general idea is that given the way sel is defined the clauses involved in constrained resolution and factoring can only fall into certain patterns.
Any result of such inferences then is either strictly smaller than one of its parents by some terminating measure
or falls into a set of clauses that is bounded by Lemma 4.
Thus, there can be only finitely many inferences before N is saturated.
Let d be an upper bound on the depth of constraints found in N and Σ be the finite signature consisting of the function and predicate symbols occurring in N.
Let (Γ1→Δ1,S(t);π1) and (Γ2,S(t′)→Δ2;π2) be clauses in N where sdc-resolution applies with σ=mgu(S(t),S(t′)) and resolvent R=((Γ1,Γ2→Δ1,Δ2)σ;(π1∧π2)σ↓).
Because no literal is selected by sel, Γ1→Δ1,S(t) can match only one of two patterns:
[TABLE]
The literal S(t′) is selected by sel in Γ2,S(t′)→Δ2, and therefore Γ2,S(t′)→Δ2 can match only one of the following three patterns:
[TABLE]
This means that the clausal part (Γ1,Γ2→Δ1,Δ2)σ of R has one of six forms:
[TABLE]
In the constraint (π1∧π2)σ↓ the maximal depth of the subconstraints is less or equal to the maximal depth of π1 or π2.
Hence, d is also an upper bound on the constraint of the resolvent.
In each case, the resolvent is again an MSL(SDC) clause.
In the first and second case, the multiset of term depths of the negative literals in R is strictly smaller than for the right parent.
In both, the Γ is the same between the right parent and the resolvent.
Only the f(t1,…,tk) term is replaced by x1σ,…,xnσ and x1,…,xn respectively.
In the first case, the depth of the xiσ is either zero if xi∈/{y1,…,yk} or at least one less than f(t1,…,tk) since xiσ=ti.
In the second case, the xi have depth zero which is strictly smaller than the depth of f(t1,…,tk).
Since the multiset ordering on natural numbers is terminating, the first and second case can only be applied finitely many times by constrained resolution.
In the third to sixth case R is of the form
(S1(x1),…,Sl(xl),S1′(t),…,Sm′(t)→Δ;π) or
(S1(x1),…,Sl(xl),S1′(t),…,Sm′(t)→S(t)),Δ;π) with t=f(y1,…,yk).
By Lemma 4, there are only finitely many such clauses after condensation and removal of variants.
Therefore, these four cases can apply only finitely many times during saturation.
Let (Γ→Δ,S(t),S(t′);π) be a clause in N where sdc-factoring applies with σ=mgu(S(t),S(t′)) and R=((Γ→Δ,S(t))σ;πσ↓).
Because in Γ→Δ,S(t),S(t′) no literal is selected, Γ→Δ,S(t),S(t′) and (Γ→Δ,S(t))σ can only match one of three patterns.
[TABLE]
In the new constraint πσ↓ the maximal depth of the subconstraints is less or equal to the maximal depth of π.
Hence d is also an upper bound on the constraint of the resolvent.
In each case, the resolvent is again an MSL(SDC) clause.
Furthermore, in each case the clause is of the form (S1(x1),…,Sl(xl)→Δ;π).
By Lemma 4, there are only finitely many such clauses after condensation and removal of variants.
Therefore, these three cases can apply only finitely many times during saturation.∎
Theorem 3.1 (MSL(SDC) Decidability)
Satisfiability of the MSL(SDC) first-order fragment is decidable.
In the following, we show how decidability of the MSL(SDC) fragment can be used
to improve the approximation refinement calculus presented in [18].
Our approach is based on a counter-example guided abstraction refinement (CEGAR) idea.
The procedure loops trough four steps: approximation, testing (un)satisfiability, lifting, and refinement.
The approximation step transforms any first-order logic clause set
into the decidable MSL(SDC) fragment while preserving unsatisfiability.
The second step employs the decidability result for MSL(SDC), Section 3,
to test satisfiability of the approximated clause set.
If the approximation is satisfiable, the original problem is satisfiable as well and we are done.
Otherwise, the third step, lifting, tests whether the proof of unsatisfiability found for the approximated
clause set can be lifted to a proof of the original clause set.
If so, the original clause set is unsatisfiable and we are again done.
If not, we extract a cause for the lifting failure that always amounts to two different
instantiations of the same variable in a clause from the original clause set.
This is resolved by the fourth step, the refinement. The crucial clause in the
original problem is replaced and instantiated in a satisfiability preserving way
such that the different instantiations do not reoccur anymore in subsequent iterations of the loop.
As mentioned before, our motivation to use dismatching constraints is that for an unconstrained clause
the refinement adds quadratically many new clauses to the clause set.
In contrast, with constrained clauses the same can be accomplished with adding just a single new clause.
This extension is rather simple as constraints are treated the same as the antecedent literals in the clause.
Furthermore we present refinement as a separate transformation rule.
The second change compared to the previous version is the removal of the Horn approximation rule,
where we have now shown in Section 3 that a restriction to Horn clauses is not required for decidability anymore.
Instead, the linear and shallow approximations are extended to apply to non-Horn clauses instead.
The approximation consists of individual transformation rules N⇒N′ that are non-deterministically applied.
They transform a clause that is not in the MSL(SDC) fragment
in finite steps into MSL(SDC) clauses. Each specific property of MSL(SDC) clauses, i.e, monadic predicates,
shallow and linear positive literals, is generated by a corresponding rule: the Monadic transformation encodes non-Monadic predicates as functions,
the shallow transformation extracts non-shallow subterms by introducing fresh predicates and the linear transformation renames
non-linear variable occurrences.
Starting from a constrained clause set N the transformation is parameterized by a single monadic projection predicate T,
fresh to N and for each non-monadic predicate P a separate projection function fP fresh to N.
The clauses in N are called the original clauses while the clauses in N′ are the approximated clauses.
We assume all clauses in N to be variable disjoint.
Definition 7
Given a predicate P, projection predicate T, and projection function fP,
define the injective function μPT(P(t)):=T(fp(t))
and μPT(Q(s)):=Q(s) for P=Q.
The function is extended to [constrained] clauses, clause sets and interpretations.
Given a signature Σ with non-monadic predicates P1,…,Pn, define μΣT(N):=μP1T(…(μPnT(N))…) and μΣT(I):=μP1T(…(μPnT(I))…).
Monadic
N⇒MOμPT(N)
provided P is a non-monadic predicate in the signature of N.
Shallow
N∪˙{(Γ→E[s]p,Δ;π)}⇒SH
N∪{(S(x),Γl→E[p/x],Δl;π); (Γr→S(s),Δr;π)}
provided s is complex, ∣p∣=2, x and S fresh, Γl{x↦s}∪Γr=Γ, Δl∪Δr=Δ,
{Q(y)∈Γ∣y∈vars(E[p/x],Δl)}⊆Γl,
{Q(y)∈Γ∣y∈vars(s,Δr)}⊆Γr.
Linear 1
N∪˙{(Γ→Δ,E′[x]p,E[x]q;π)}⇒LI
N∪{(Γσ,Γ→Δ,E′[x]p,E[q/x′];π∧πσ)}
provided x′ is fresh and σ={x↦x′}.
Linear 2
N∪˙{(Γ→Δ,E[x]p,q;π)}⇒LI
N∪{(Γσ,Γ→Δ,E[q/x′];π∧πσ)}
provided x′ is fresh, p=q and σ={x↦x′}.
Refinement
N∪˙{(C,π)}⇒RefN∪{(C;π∧x=t),(C;π){x↦t}}
provided x∈vars(C), t straight and vars(t)∩vars((C,π))=∅.
Note that variables are not renamed unless explicitly stated in the rule.
This means that original clauses and their approximated counterparts share variable names.
We use this to trace the origin of variables in the approximation.
The refinement transformation ⇒Ref is not needed to eventually generate MSL(SDC) clauses, but can be
used to achieve a more fine-grained approximation of N, see below.
In the shallow transformation, Γ and Δ are separated into
Γl, Γr, Δl, and Δr, respectively.
The separation can be almost arbitrarily chosen as long as no atom from Γ, Δ is skipped.
However, the goal is to minimize the set of shared variables, i.e., the variables of (Γ→E[s]p,Δ;π) that are inherited by both approximation clauses, vars(Γr,s,Δr)∩vars(Γl,E[p/x],Δl).
If there are no shared variables, the shallow transformation is satisfiability equivalent.
The conditions on Γl and Γr ensure that S(x) atoms are not separated from the respective positive occurrence of x in subsequent shallow transformation applications.
Consider the clause Q(f(x),y)→P(g(f(x),y)).
The simple shallow transformation S(x′),Q(f(x),y)→P(g(x′,y));S(f(x)) is not satisfiability equivalent – nor with any alternative partitioning of Γ.
However, by replacing the occurrence of the extraction term f(x) in Q(f(x),y) with the fresh variable x′,
the approximation S(x′),Q(x′,y)→P(g(x′,y));S(f(x)) is satisfiability equivalent.
Therefore, we allow the extraction of s from the terms in Γl and require Γl{x↦s}∪Γr=Γ.
We consider Linear 1 and Linear 2 as two cases of the same linear transformation rule.
Their only difference is whether the two occurrences of x are in the same literal or not.
The duplication of literals and constraints in Γ and π is not needed if x does not occur in Γ or π.
Further, consider a linear transformation N∪{(C;π)}⇒LIN∪{(Ca;πa)},
where a fresh variable x′ replaces an occurrence of a non-linear variable x in (C;π).
Then, (Ca;πa){x′↦x} is equal to (C;π) modulo duplicate literal elimination.
A similar property can be observed of a resolvent of (Cl;π) and (Cr;π)
resulting from a shallow transformation N∪{(C;π)}⇒SHN∪{(Cl;π),(Cr;π)}.
Note that by construction, (Cl;π) and (Cr;π) are not necessarily variable disjoint.
To simulate standard resolution, we need to rename at least the shared variables in one of them.
Definition 8 (⇒AP)
We define ⇒AP as the priority rewrite system [3]
consisting of ⇒Ref, ⇒MO, ⇒SH and ⇒LI with
priority ⇒Ref>⇒MO>⇒SH>⇒LI,
where ⇒Ref is only applied finitely many times.
Lemma 6 (⇒AP is a Terminating Over-Approximation)
(i) ⇒AP∗ terminates,
(ii) if N⇒APN′ and N′ is satisfiable, then N is also satisfiable.
Proof
(i) The transformations can be considered sequentially, because of the imposed rule priority.
There are, by definition, only finitely many refinements at the beginning of an approximation ⇒AP∗.
The monadic transformation strictly reduces the number of non-monadic atoms.
The shallow transformation strictly reduces the multiset of term depths of the newly introduced clauses compared
to the removed parent clause.
The linear transformation strictly reduces the number of duplicate variable occurrences in positive literals.
Hence ⇒AP terminates.
(ii) Let N∪{(C;π)}⇒LIN∪{(Ca;πa)} where an occurrence of a variable x in (C;π) is replaced by a fresh x′.
As (Ca;πa){x′↦x} is equal to (C;π) modulo duplicate literal elimination,
I⊨(C;π) if I⊨(Ca;πa).
Therefore, the linear transformation is an over-approximation.
Let N∪{(C;π)}⇒SHN∪{(Cl;πl),(Cr;πr)}
and (Ca;πa)
be the shallow ρ-resolvent.
As (Ca;πa)ρ−1 equals (C;π) modulo duplicate literal elimination,
I⊨(C;π) if I⊨(Cl;πl),(Cr;πr).
Therefore, the shallow transformation is an over-approximation.
Let N⇒MOμP(N)=N′.
Then, N=μP−1(N′).
Let I be a model of N′ and (C;π)∈N.
Since μP((C;π))∈N′ , I⊨μP((C;π)) and thus, μP−1(I)⊨(C;π).
Hence, μP−1(I) is a model of N.
Therefore, the monadic transformation is an over-approximation. Actually, it
is a satisfiability preserving transformation.
Let N∪{(C;π)}⇒RefN∪{(C;π∧x=t),(C;π){x↦t}}.
Let Cδ∈G((C;π)).
If xδ is not an instance of t, then δ is a solution of π∧x=t and Cδ∈G((C;π∧x=t)).
Otherwise, δ={x↦t}δ′ for some substitution δ′.
Then, δ is a solution of π{x↦t} and thus, Cδ=C{x↦t}δ′∈G((C{x↦t};π{x↦t})).
Hence, G((C;π))⊆G((C;π∧x=t))∪G((C;π){x↦t}).
Therefore, if I is a model of N∪{(C;π∧x=t),(C;π){x↦t}}, then I is also a model of N∪{(C;π)}. ∎
Note that ⇒Ref and ⇒MO are also satisfiability preserving transformations.
Corollary 1
If N⇒AP∗N′ and N′ is satisfied by a model I,
then μΣ−1(I) is a model of N.
On the basis of ⇒AP we can define an ancestor relation ⇒A that relates
clauses, literal occurrences, and variables with respect to approximation.
This relation is needed in order to figure out the exact clause, literal, variable for
refinement.
Definition 9 (The Shallow Resolvent)
Let N∪{(C;π)}⇒SHN∪{(Cl;π),(Cr;π)} with C=Γ→E[s]p,Δ, Cl=S(x),Γl→E[p/x],Δl and Cr=Γr→S(s),Δr.
Let x1,…,xn be the variables shared between Cl and Cr and ρ={x1↦x1′,…,xn↦xn′} be a variable renaming with x1′,…,xn′ fresh in Cl and Cr.
We define (Γl{x↦sρ},Γrρ→E[p/sρ],Δl,Δrρ;π∧πρ) as the shallow ρ-resolvent.
Let (Ca;πa) be the shallow ρ-resolvent of N∪{(C;π)}⇒SHN∪{(Cl;π),(Cr;π)}.
Note that for any two ground instances Clδl and Crδr, their resolvent is a ground instance of (Ca;πa).
Furthermore, using the reverse substitution ρ−1={x1′↦x1,…,xn′↦xn},
(Ca;πa)ρ−1=(Γl{x↦s},Γr→E[s]p,Δl,Δr;π∧π) is equal to (C;π) modulo duplicate literal elimination.
This is because, Δl∪Δr=Δ and Γl{x↦s}∪Γr=Γ by definition of ⇒SH and π∧π is equivalent to π.
Next, we establish parent relations that link original and approximated clauses, as well as their variables and literals.
Together the parent, variable and literal relations will allow us to not only trace any approximated clause back to their origin,
but also predict what consequences changes to the original set will have on its approximations.
For the following definitions, we assume that clause and literal sets are lists and that μPT and substitutions act as mappings.
This means we can uniquely identify clauses and literals by their position in those lists.
Further, for every shallow transformation N⇒SHN′,
we will also include the shallow resolvent in the parent relation as if it were a member of N′.
Definition 10 (Parent Clause)
For an approximation step N⇒APN′ and two clauses (C;π)∈N and (C′;π′)∈N′,
we define [(C;π),N]⇒A[(C′;π′),N′] expressing that (C;π) in N is the parent clause of (C′;π′) in N′:
If N⇒MOμPT(N), then
[(C;π),N]⇒A[μPT((C;π)),μPT(N)] for all (C;π)∈N.
If N=N′′∪{(C;π)}⇒SHN′′∪{(Cl;πl),(Cr;πr)}=N′, then
[(D,π′),N]⇒A[(D,π′),N′] for all (D,π′)∈N′′ and
[(C,π),N]⇒A[(Cl;πl),N′],
[(C,π),N]⇒A[(Cr;πr),N′] and
[(C,π),N]⇒A[(Ca;πa),N′] for any shallow resolvent (Ca;πa).
If N=N′′∪{(C;π)}⇒LIN′′∪{(Ca;πa)}=N′, then
[(D,π′),N]⇒A[(D,π′),N′] for all (D,π′)∈N′′ and
[(C,π),N]⇒A[(Ca,πa),N′].
If N=N′′∪{(C;π)}⇒RefN′′∪{(C;π∧x=t),(C;π){x↦t}}=N′, then
[(D,π′),N]⇒A[(D,π′),N′] for all (D,π′)∈N′′ ,
[(C,π),N]⇒A[(C;π∧x=t),N′] and
[(C,π),N]⇒A[(C;π){x↦t},N′].
Definition 11 (Parent Variable)
Let N⇒APN′ be an approximation step and [(C;π),N]⇒A[(C′;π′),N′].
For two variables x and y,
we define [x,(C;π),N]⇒A[y,(C′;π′),N′] expressing that x∈vars(C) is the parent variable of y∈vars(C′):
If x∈vars((C;π))∩vars((C′;π′)), then
[x,(C;π),N]⇒A[x,(C′;π′),N′].
If N⇒SHN′ and (C′,π′) is the shallow ρ-resolvent,
[xi,(C;π),N]⇒A[xiρ,(C′;π′),N′] for each xi in the domain of ρ.
If N⇒LIN′, C=Γ→Δ[x]p,q and C′=Γ{x↦x′},Γ→Δ[q/x′], then
[x,(C;π),N]⇒A[x′,(C′;π′),N′].
Note that if N⇒SHN′ and x is the fresh extraction variable in (Cl;πl), then x has no parent variable.
For literals, we actually further specify the relation on the positions within literals of a clause (C;π) using pairs (L,r) of literals and positions.
We write (L,r)∈C to denote that (L,r) is a literal position in (C;π) if L∈C and r∈pos(L).
Note that a literal position (L,r) in (C;π) corresponds to the term L∣r.
Definition 12 (Parent literal position)
Let N⇒APN′ be an approximation step and [(C;π),N]⇒A[(C′;π′),N′].
For two literal positions (L,r) and (L′,r′),
we define [r,L,(C;π),N]⇒A[r′,L′,(C′;π′),N′] expressing that (L,r) in (C;π) is the parent literal position of (L′,r′) in (C′;π′):
If (C;π)=(C′;π′), then
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈C.
If N⇒RefN′ and (C′,π′)=(C;π∧x=t), then
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈C.
If N⇒RefN′ and (C′,π′)=(C;π){x↦t}, then
[r,L,(C;π),N]⇒A[r,L{x↦t},(C′;π′),N′] for all (L,r)∈C.
If N⇒MOμPT(N)=N′, then
[ε,P(t),(C;π),N]⇒A[ε,T(fp(t)),(C′;π′),N′] for all P(t)∈C and
[r,P(t),(C;π),N]⇒A[1.r,T(fp(t)),(C′;π′),N′] for all (P(t),r)∈C.
If N⇒SHN′, C=Γ→E[s]p,Δ and C′=S(x),Γl→E[p/x],Δl, then
[r,E[s]p,(C;π),N]⇒A[r,E[p/x],(C′;π′),N′] for all r∈pos(E[p/x]),
[p,E[s]p,(C;π),N]⇒A[r,S(x),(C′;π′),N′] for all r∈pos(S(x)),
[r,L{x↦s},(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Γl,
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Δl.
If N⇒SHN′, C=Γ→E[s]p,Δ and C′=Γr→S(s),Δr, then
[p,E[s]p,(C;π),N]⇒A[ε,S(s),(C′;π′),N′],
[pr,E[s]p,(C;π),N]⇒A[1.r,S(s),(C′;π′),N′] for all r∈pos(s), and
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Γr∪Δr.
If N⇒SHN′, C=Γ→E[s]p,Δ and (C′,π′) is the shallow ρ-resolvent, then
[r,E[s]p,(C;π),N]⇒A[r,E[p/sρ],(C′;π′),N′] for all r∈pos(E[p/sρ]),
[r,L{x↦s},(C;π),N]⇒A[r,L{x↦sρ},(C′;π′),N′] for all (L,r)∈Γl,
[r,L,(C;π),N]⇒A[r,Lρ,(C′;π′),N′] for all (L,r)∈Γr∪Δr, and
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Δl.
If N⇒LIN′, C=Γ→Δ,E′[x]p,E[x]q and C′=Γ{x↦x′},Γ→Δ,E′[x]p,E[q/x′],
[r,E′[x]p,(C;π),N]⇒A[r,E′[x]p,(C′;π′),N′] for all r∈pos(E′[x]p),
[r,E[x]q,(C;π),N]⇒A[r,E[q/x′],(C′;π′),N′] for all r∈pos(E[q/x′]),,
[r,L,(C;π),N]⇒A[r,L{x↦x′},(C′;π′),N′] for all (L,r)∈Γ,
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Γ, and
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Δ.
If N⇒LIN′, C=Γ→Δ,E[x]p,q and C′=Γ{x↦x′},Γ→Δ,E[q/x′], then
[r,E[x]p,q,(C;π),N]⇒A[r,E[q/x′],(C′;π′),N′] for all r∈pos(E[q/x′]),
[r,L,(C;π),N]⇒A[r,L{x↦x′},(C′;π′),N′] for all (L,r)∈Γ,
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Γ, and
[r,L,(C;π),N]⇒A[r,L,(C′;π′),N′] for all (L,r)∈Δ.
The transitive closures of each parent relation are called ancestor relations.
The over-approximation of a clause set N can introduce resolution refutations
that have no corresponding equivalent in N which we consider a lifting failure.
Compared to our previous calculus [18], the lifting process is identical
with the exception that there is no case for the removed Horn transformation.
We only update the definition of conflicting cores to consider constrained clauses.
Definition 13 (Conflicting Core)
A finite set of unconstrained clauses and a solvable constraint (N⊥;π) are a conflicting core if
N⊥δ is unsatisfiable for all solutions δ of π over vars(N⊥)∪lvar(π).
A conflicting core (N⊥;π) is a conflicting core of the constrained clause set N if for every C∈N⊥ there is a clause (C′,π′)∈N
such that (C;π) is an instance of (C′;π′) modulo duplicate literal elimination.
The clause (C′;π′) is then called the instantiated clause of (C;π) in (N⊥;π).
We call (N⊥;π) complete if for every clause C∈N⊥ and literal L∈C, there exists a clause D∈N⊥ with L∈D.
A conflicting core is a generalization of a ground unsatisfiability core that allows global variables to act as parameters.
This enables more efficient lifting and refinement compared to a simple ground unsatisfiable core.
We show some examples at the end of this section.
We discuss the potential lifting failures and the corresponding refinements only for the linear and shallow case
because lifting the satisfiability equivalent monadic and refinement transformations always succeeds.
To reiterate from our previous work:
in the linear case, there exists a clause in the conflicting core that is not an instance of the original clauses.
In the shallow case, there exists a pair of clauses whose resolvent is not an instance of the original clauses.
We combine these two cases by introducing the notion of a lift-conflict.
Definition 14 (Conflict)
Let N∪{(C,π)}⇒LIN∪{(Ca,πa)} and N⊥ be a complete ground conflicting core of N∪{(Ca,πa)}.
We call a conflict clause Cc∈N⊥ with the instantiated clause (Ca,πa) a lift-conflict if Cc is not an instance of (C,π) modulo duplicate literal elimination.
Then, Cc is an instance of (Ca,πa), which we call the conflict clause of Cc.
Let N∪{(C,π)}⇒SHN∪{(Cl,πl),(Cr,πr)}, (Ca;πa) be the shallow resolvent and N⊥ be a complete ground conflicting core of N∪{(Cl,πl),(Cr,πr)}.
We call the resolvent Cc of Clδl∈N⊥ and Crδr∈N⊥ a lift-conflict if Cc is not an instance of (C,π) modulo duplicate literal elimination.
Then, Cc is an instance of (Ca;πa), which we call the conflict clause of Cc.
The goal of refinement is to instantiate the original parent clause in such a way that is both satisfiability equivalent and prevents the lift-conflict
after approximation.
Solving the refined approximation will then either necessarily produce a complete saturation or a new refutation proof,
because its conflicting core has to be different.
For this purpose, we use the refinement transformation to segment the original parent clause (C;π) into two parts (C;π∧x=t) and (C;π){x↦t}.
For example, consider N and its linear transformation N′.
Because P(a,b) is not an instance of P(x,x), lifting fails.
P(a,b) is the lift-conflict.
Specifically, {x↦a} and {x↦b} are conflicting substitutions for the parent variable x.
We pick {x↦a} to segment P(x,x) into (P(x,x);x=a) and P(x,x){x↦a}.
Now, any descendant of (P(x,x);x=a) cannot have a at the position of the first x, and
any descendant of P(x,x){x↦a} must have an a at the position of the second x.
Thus, P(a,b) is excluded in both cases and no longer appears as a lift-conflict.
To show that the lift-conflict will not reappear in the general case, we use that the conflict clause and its ancestors
have strong ties between their term structures and constraints.
Definition 15 (Constrained Term Skeleton)
The constrained term skeleton of a term t under constraint π, skt(t,π), is defined as
the normal form of the following transformation:
\begin{array}[]{c}(t[x]_{p,q};\pi)\Rightarrow_{\mathrm{skt}}(t[q/x^{\prime}];\pi\wedge\pi\{x\mapsto x^{\prime}\}),\text{ where }p\neq q\text{ and x^{\prime} is fresh}.\end{array}
The constrained term skeleton of a term t is essentially a linear version of t where the restrictions on each variable position imposed by π are preserved.
For (t,π) and a solution δ of π, tδ is called a ground instance of (t,π).
Lemma 7
Let N0⇒AP∗Nk, (Ck;πk) in N with the ancestor clause (C0;π0)∈N0 and Nk⊥ be a complete ground conflicting core of Nk.
Let δ be a solution of πk such that Ckδ is in Nk⊥.
If (L′,q′) is a literal position in (Ck;πk) with the ancestor (L,q) in (C0,π0),
then (i) L′δ∣q′ is an instance of skt(L∣q,π0),
(ii) q=q′ if L and L′ have the same predicate, and
(iii) if L′∣q′=x and there exists an ancestor variable y of x in (C0,π0), then L∣q=y.
Proof
By induction on the length of the approximation N0⇒AP∗Nk.
The base case Nk=N0, is trivial.
Let N0=N∪{(C;π)}⇒SHN∪{(Cl;πl),(Cr;πr)}=Nk, (Ck;πk) be the shallow ρ-resolvent and Ckδ be the resolvent of two instances of (Cl;πl) and (Cr;πr) in Nk⊥.
Then, (Ck;πk)ρ−1 is equal to (C;π) modulo duplicate literal elimination.
Thus, by definition (L,q)=(L′,q′)ρ−1.
Therefore, (i) L′δ∣q′ is an instance of skt(L∣q,π0),
(ii) q=q′ if L and L′ have the same predicate, and
(iii) if L′∣q′=x and there exists an ancestor variable y of x in (C0,π0), then L∣q=y.
Now, let N0⇒APN1⇒AP∗Nk.
Since (L′,p) has an ancestor literal position in (C0,π0),
the ancestor clause of (Ck;πk) in N1, (C1,π1), contains the the ancestor literal position (L1,q1), which has (L,q) as its parent literal position.
By the induction hypothesis on N1⇒AP∗Nk,
(i) L′δ∣q′ is an instance of skt(L1∣q1,π1),
(ii) q1=q′ if L1 and L′ have the same predicate, and
(iii) if L′∣q′=x and there is an ancestor variable y1 of x in (C1,π1), then L1∣q1=y1.
Let N0=N∪{(C;π)}⇒RefN∪{(C;π∧x=t),(C;π){x↦t}}=N1.
If (C1,π1) is neither (C;π∧x=t) nor (C;π){x↦t}, then trivially (C0,π0)=(C1,π1).
Otherwise, (C1,π1)=(C;π∧x=t) or (C1,π1)=(C;π){x↦t}.
Then (L1,q1)=(L,q) or (L1,q1)=(L,q){x↦t}.
In either case,(i) L′δ∣q′ is an instance of skt(L∣q,π0),
(ii) q=q′ if L and L′ have the same predicate, and
(iii) if L′∣q′=x and there exists an ancestor variable y of x in (C0,π0), then L∣q=y.
Let N0⇒MOμP(N)=N1.
If P is not the predicate of L, then trivially (L,q)=(L1,q1).
If P is the predicate of L, then (L,q)=(P(t1,…,tn),q) and (L1,q1)=(T(fp(t1,…,tn)),1.q).
Thus, (i) L′δ∣q′ is an instance of skt(L∣q,π0)=skt(T(fp(t1,…,tn)∣1.q,π0).
(ii) The predicate of L′ is not P by definition.
(iii) Let L′∣q′=x and y be the ancestor variable of x in (C0,π0).
Then, y is also the ancestor variable of x in (C1,π1) and L1∣q1=y.
Therefore, L∣q=P(t1,…,tn)∣q=T(fp(t1,…,tn)∣1.q=L1∣q1=y.
Let N0=N∪{(C;π)}⇒LIN∪{(Ca;πa)}=N1 where an occurrence of a variable x is replaced by a fresh x′.
If (C1,π1)=(Ca;πa), then trivially (C0,π0)=(C1,π1).
Otherwise, (C1,π1)=(Ca;πa), (C0,π0)=(C,π).
By definition, (L,q)=(L1{x′↦x},q1) and π0=π1{x′↦x}.
Thus, skt(L∣q,π0)=skt(L1∣q1,π1). Therefore, L′δ∣q′ is an instance of skt(L∣q,π0).
Since L and L1 have the same predicate and q=q1, q=q′ if L and L′ have the same predicate.
Let L′∣q′=z and y be the ancestor variable of z in (C1,π1).
If y=x′, then y is the ancestor variable of z in (C0,π0) and L∣q=L1{x′↦x}∣q1=y1.
Otherwise, x is the ancestor variable of z in (C0,π0) and L∣q=L1{x′↦x}∣q1=x.
Let N0=N∪{(C;π)}⇒SHN∪{(Cl;πl),(Cr;πr)}=N1 where a term s is extracted from a positive literal Q(s′[s]p) via introduction of fresh predicate S and variable x.
If (C1,π1) is neither (Cl;πl) nor (Cr;πr), then trivially (C0,π0)=(C1,π1).
If (C1,π1)=(Cl;πl) and L1=S(x),
then (C0,π0)=(C;π), q1=1, (L′,q′)=(S(x),1) and (Q(s′[s]p),1.p) is the parent literal position of (S(x),1).
Let L′δ=S(t).
Because Nk⊥ is complete and ground, there is a clause Ck′δ′∈Nk⊥ that contains the positive literal S(t).
The ancestor of (Ck′,πk′)∈Nk in N1 is (Cr;πr) because it is the only clause in N1 with a positive S-literal.
Then, by the inductive hypothesis, (S(s),1) in (Cr;πr) is the ancestor literal position of (S(x),1) in (Ck′,πk′).
Thus, t is an instance of skt(S(s)∣1,πr)=skt(s,πr).
Therefore, t=L′δ∣q′ is an instance of skt(Q(s′[s]p)∣1.p,π)=skt(s,πr).
Further, Q and S are not the same predicate because S is fresh.
Since x has no parent variable, L′∣q′=x has no ancestor variable in (C0,π0).
If (C1,π1)=(Cl;πl) and L1=Q(s′[p/x]),
then (C0,π0)=(C;π) and (Q(s′[s]p),q1) in (C;π) is the parent literal position of (L1,q1) in (C1,π1) and ancestor literal position of (L′,q′) in (Ck,πk).
If q1 is not a position at or above p, the subterm at p is irrelevant and thus skt(Q(s′[s]p)∣q1,π)=skt(Q(s′[p/x])∣q1,πl).
Otherwise, let r be a position such that q1r=1.p.
Since ∣p∣=2, no following shallow transformation step extracts a subterm of s′[p/x] containing x.
Thus by definition of ⇒AP, L′=Q(t′[x]p) and Ck also contains the negative literal S(x).
Let S(x)δ=S(t).
Analogously to the previous case, t is an instance of skt(s,πr).
Combined with L′δ∣q′ being an instance of skt(L1∣q1,π1)=skt(Q(s′[p/x])∣q1,πl) and L′δ∣1.p=t,
L′δ∣q′ is an instance of skt(Q(s′[s]p)∣q,π).
Since L and L1 have the same predicate and q=q1, q=q′ if L and L′ have the same predicate.
Let L′∣q′=z and y in (C1,π1) be the ancestor variable of z in (Ck,πk).
Since x has no parent, y=x and y in (C0,π0) is the ancestor variable of z.
Therefore, Q(s′[s]p)∣q1=y because Q(s′[p/x])∣q1=y.
If (C1,π1)=(Cr;πr) and L1=S(s), let q1=1.q1′.
Then, (C0,π0)=(C;π) and (L,q)=(Q(s′[s]p),1.pq1′) in (C0,π0) is the parent literal position of (L1,q1) in (C1,π1).
Thus, L′δ∣q′ is an instance of skt((Q(s′[s]p)∣1.pq1′,π)=skt(s∣q1′,π)=skt(L1∣q1,πr).
Because S is fresh, Q is not the predicate of L′.
Let L′∣q′=z and y in (C1,π1) be the ancestor variable of z in (Ck,πk).
Then, y in (C0,π0) is the ancestor variable of z
and Q(s′[s]p)∣q=s∣q1′=y because s∣q1′=L1∣q1=y.
Otherwise, (L1,q1) in (C0,π0) is the parent literal position of (L1,q1) in (C1,π1), by definition.
Then, skt(L1,π)=skt(L1,πl) or skt(L1,π)=skt(L1,πr), respectively.∎
Next, we define the notion of descendants and descendant relations to connect lift-conflicts in ground conflicting cores with their corresponding ancestor clauses.
The goal, hereby, is that if a ground clause D is not a descendant of a clause in N, then it can never appear in a conflicting core of an approximation of N.
Definition 16 (Descendants)
Let N⇒AP∗N′, [(C;π),N]⇒A∗[(C′;π′),N′] and D be a ground instance of (C′;π′).
Then, we call D a descendant of (C;π) and define the [(C;π),N]⇒A∗[(C′;π′),N′]-descendant relation ⇒D that maps literals in D to literal positions in (C;π) using the following rule:
[TABLE]
For the descendant relations it is of importance to note that while there are potentially infinite ways that a lift-conflict Cc can be a descendant of an original clause (C;π),
there are only finitely many distinct descendant relations over Cc and (C;π).
This means, if a refinement transformation can prevent one distinct descendant relation without generating new distinct descendant relations (Lemma 8),
a finite number of refinement steps can remove the lift-conflict Cc from the descendants of (C;π) (Lemma 9).
Thereby, preventing any conflicting cores containing Cc from being found again.
A clause (C;π) can have two descendants that are the same except for the names of the S-predicates introduced by shallow transformations.
Because the used approximation N⇒AP∗N′ is arbitrary and therefore also the choice of fresh S-predicates,
if D is a descendant of (C;π), then any clause D′ equal to D up to a renaming of S-predicates is also a descendant of (C;π).
On the other hand, the actual important information about an S-predicate is which term it extracts.
Two descendants of (C;π) might be identical but their S-predicate extract different terms in (C;π).
For example, P(a)→S(f(a)) is a descendant of P(x),P(y)→Q(f(x),g(f(x))) but might extract either occurrence of f(x).
These cases are distinguished by their respective descendant relations.
In the example, we have either S(f(a))⇒D(Q(f(x),g(f(x))),1) or S(f(a))⇒D(Q(f(x),g(f(x))),2.1).
Lemma 8
Let N0=N∪{(C;π)}⇒RefN∪{(C;π∧x=t),(C;π){x↦t}}=N1 be a refinement transformation and D a ground clause.
If there is a [(C;π∧x=t),N1]⇒A∗[(C′;π′),N2]- or [(C;π){x↦t},N1]⇒A∗[(C′;π′),N2]-descendant relation ⇒D1,
then there is an equal [(C;π),N0]⇒A∗[(C′;π′),N2]-descendant relation ⇒D0.
Proof
Let LD be a literal of D and L′⇒D1(L,r).
If D is a descendant of (C;π∧x=t), then [r,L,(C;π∧x=t),N1]⇒A∗[ε,L′,(C′;π′),N2].
Because [r,L,(C;π),N0]⇒A[r,L,(C;π∧x=t),N1], L′⇒D0(L,r).
If D is a descendant of (C;π){x↦t}, the proof is analogous.∎
Lemma 9 (Refinement)
Let N⇒APN′ and N⊥ be a complete ground conflicting core of N′.
If Cc∈N⊥ is a lift-conflict, then there exists a finite refinement N⇒Ref∗NR
such that for any approximation NR⇒AP∗NR′ and ground conflicting core NR⊥ of NR′,
Cc is not a lift-conflict in NR⊥ modulo duplicate literal elimination.
Proof
Let (Ca,πa) be the conflict clause of Cc and (C;π)∈N be the parent clause of (Ca,πa).
Cc is a descendant of (C;π) with the corresponding [(C;π),N]⇒A[(Ca;πa),N′]-descendant relation ⇒Cc0.
We apply induction on the number of distinct [(C;π),N]⇒A∗[(C′;π′),N′′]-descendant relations ⇒Cc for arbitrary approximations N⇒AP∗N′′.
Since only the shallow and linear transformations can produce lift-conflicts,
the clause (C;π) is replaced by either a linearized clause (C′;π′) or
two shallow clauses (Cl;π) and (Cr;π).
Then, the conflict clause (Ca;πa) of Cc is either the linearized (C′;π′) or the resolvent of (Cl;π) and (Cr;π).
In either case, Cc=Caδ for some solution δ of πa.
Furthermore, there exists a substitution τ={x1′↦x1,…,xn′↦xn} such that (C;π) and (Ca;πa)τ are equal modulo duplicate literal elimination.
That is, τ={x′↦x} for a linear transformation and τ=ρ−1 for shallow transformation (Definition 9).
Assume Cc=Caτσ for some grounding substitution σ, where τσ is a solution of πa.
Thus, σ is a solution of πaτ, which is equivalent to π.
Then, Cc is equal to Cσ modulo duplicate literal elimination an instance of (C;π),
which contradicts with Cc being a lift-conflict.
Hence, Cc=Caδ is not an instance of Caτ and thus, xiδ=xi′δ for some xi in the domain of τ.
Because xiδ and xi′δ are ground, there is a position p where xiδ∣p and xi′δ∣p have different function symbols.
We construct the straight term t using the path from the root to p on xiδ with variables that are fresh in (C,π).
Then, we can use xi and t to segment (C;π) into (C;π∧xi=t) and (C;π){xi↦t} for the refinement N⇒RefNR.
Note, that xiδ is a ground instance of t, while xi′δ is not.
Let (L1′,r1′) and (L2′,r2′) in (Ca,πa) be literal positions of the variables xi and xi′ in Ca,
and (L1,r1) and (L2,r2) in (C,π) be the parent literal positions of (L1′,r1′) and (L2′,r2′), respectively.
Because (Ca,πa)τ is equal to (C;π) modulo duplicate literal elimination, L1∣r1=L2∣r2=xi.
Let N⇒RefN1 be the refinement where (C;π) is segmented into (C;π∧xi=t) and (C;π){xi↦t}.
By Lemma 8, all [(C;π∧xi=t),N1]⇒A∗[(Ca′;πa′),N2]- or [(C;π){xi↦t},N1]⇒A∗[(Ca′;πa′),N2]-descendant relations
correspond to an equal [(C;π),N]⇒A[(Ca′;πa′),N2]-descendant relation.
Assume there is a [(C;π∧xi=t),N1]⇒A∗[(Ca′;πa′),N2]-descendant relation ⇒Cc1 that is not distinct from ⇒Cc0.
Because L1′δ⇒Cc0(L1,r) for some literal position (L1,r) in (C;π), which is the parent literal position of (L1,r) in (C;π∧xi=t),
L1′δ⇒Cc1(L1,r).
However, this contradicts Lemma 7 because xiδ is not an instance of skt(L1∣r1,π∧xi=t)=skt(xi,π∧xi=t).
The case that there is a [(C;π){xi↦t},N1]⇒A∗[(Ca′;πa′),N2]-descendant relation that is not distinct from ⇒Cc0 is analogous using the argument that xi′δ is not an instance of skt(L2{xi↦t}∣r2,π)=skt(t,π).
Hence, there are strictly less distinct descendant relations over Cc and (C;π∧x=t) or (C;π){x↦t}
than there are distinct descendant relations over Cc and (C,π).
If there are no descendant relations, then Cc can no longer appear as a lift conflict.
Otherwise, by the inductive hypothesis, there exists a finite refinement N⇒RefN1⇒Ref∗NR
such that for any approximation NR⇒APNR′ and ground conflicting core NR⊥ of NR′,
Cc is not a lift-conflict in NR⊥ modulo duplicate literal elimination.∎
Theorem 4.1 (Soundness and Completeness of FO-AR)
Let N be an unsatisfiable clause set and N′ its MSL(SDC) approximation: (i) if N is unsatisfiable then there exists a conflicting
core of N′ that can be lifted to a refutation in N, (ii) if N′ is satisfiable, then N is satisfiable too.
Proof
(Idea)
By Lemma 6 and Lemma 9, where the latter can be used to show that a core of N′ that cannot
be lifted also excludes the respective instance for unsatisfiability of N.
Let (Ca,πa) be the conflict clause of Cc and (C;π)∈N be the parent clause of (Ca,πa).
Cc is a descendant of (C;π) with the corresponding [(C;π),N]⇒A[(Ca;πa),N′]-descendant relation ⇒Cc0.
We apply induction on the number of distinct [(C;π),N]⇒A∗[(C′;π′),N′′]-descendant relations ⇒Cc for arbitrary approximations N⇒AP∗N′′.
Since only the shallow and linear transformations can produce lift-conflicts,
the clause (C;π) is replaced by either a linearized clause (C′;π′) or
two shallow clauses (Cl;π) and (Cr;π).
Then, the conflict clause (Ca;πa) of Cc is either the linearized (C′;π′) or the resolvent of (Cl;π) and (Cr;π).
In either case, Cc=Caδ for some solution δ of πa.
Furthermore, there exists a substitution τ={x1′↦x1,…,xn′↦xn} such that (C;π) and (Ca;πa)τ are equal modulo duplicate literal elimination.
That is, τ={x′↦x} for a linear transformation and τ=ρ−1 for shallow transformation (Definition 9).
Assume Cc=Caτσ for some grounding substitution σ, where τσ is a solution of πa.
Thus, σ is a solution of πaτ, which is equivalent to π.
Then, Cc is equal to Cσ modulo duplicate literal elimination an instance of (C;π),
which contradicts with Cc being a lift-conflict.
Hence, Cc=Caδ is not an instance of Caτ and thus, xiδ=xi′δ for some xi in the domain of τ.
Because xiδ and xi′δ are ground, there is a position p where xiδ∣p and xi′δ∣p have different function symbols.
We construct the straight term t using the path from the root to p on xiδ with variables that are fresh in (C,π).
Then, we can use xi and t to segment (C;π) into (C;π∧xi=t) and (C;π){xi↦t} for the refinement N⇒RefNR.
Note, that xiδ is a ground instance of t, while xi′δ is not.
Let (L1′,r1′) and (L2′,r2′) in (Ca,πa) be literal positions of the variables xi and xi′ in Ca,
and (L1,r1) and (L2,r2) in (C,π) be the parent literal positions of (L1′,r1′) and (L2′,r2′), respectively.
Because (Ca,πa)τ is equal to (C;π) modulo duplicate literal elimination, L1∣r1=L2∣r2=xi.
Let N⇒RefN1 be the refinement where (C;π) is segmented into (C;π∧xi=t) and (C;π){xi↦t}.
By Lemma 8, all [(C;π∧xi=t),N1]⇒A∗[(Ca′;πa′),N2]- or [(C;π){xi↦t},N1]⇒A∗[(Ca′;πa′),N2]-descendant relations
correspond to an equal [(C;π),N]⇒A[(Ca′;πa′),N2]-descendant relation.
Assume there is a [(C;π∧xi=t),N1]⇒A∗[(Ca′;πa′),N2]-descendant relation ⇒Cc1 that is not distinct from ⇒Cc0.
Because L1′δ⇒Cc0(L1,r) for some literal position (L1,r) in (C;π), which is the parent literal position of (L1,r) in (C;π∧xi=t),
L1′δ⇒Cc1(L1,r).
However, this contradicts Lemma 7 because xiδ is not an instance of skt(L1∣r1,π∧xi=t)=skt(xi,π∧xi=t).
The case that there is a [(C;π){xi↦t},N1]⇒A∗[(Ca′;πa′),N2]-descendant relation that is not distinct from ⇒Cc0 is analogous using the argument that xi′δ is not an instance of skt(L2{xi↦t}∣r2,π)=skt(t,π).
Hence, there are strictly less distinct descendant relations over Cc and (C;π∧x=t) or (C;π){x↦t}
than there are distinct descendant relations over Cc and (C,π).
If there are no descendant relations, then Cc can no longer appear as a lift conflict.
Otherwise, by the inductive hypothesis, there exists a finite refinement N⇒RefN1⇒Ref∗NR
such that for any approximation NR⇒APNR′ and ground conflicting core NR⊥ of NR′,
Cc is not a lift-conflict in NR⊥ modulo duplicate literal elimination.∎
Actually, Lemma 9 can be used to define a fair strategy on refutations in N′ in order
to receive also a dynamically complete FO-AR calculus, following the ideas presented in [18].
In Lemma 9, we segment the conflict clause’s immediate parent clause.
If the lifting later successfully passes this point, the refinement is lost and will be possibly repeated.
Instead, we can refine any ancestor of the conflict clause as long as it contains the ancestor of the variable used in the refinement.
By Lemma 7-(iii), such an ancestor will contain the ancestor variable at the same positions.
If we refine the ancestor in the original clause set, the refinement is permanent because lifting the refinement steps always succeeds.
Only variables introduced by shallow transformation cannot be traced to the original clause set.
However, these shallow variables are already linear and the partitioning in the shallow transformation can be chosen such that they are not shared variables.
Assume a shallow, shared variable y, that is used to extract the term t, in the shallow transformation
of Γ→E[s]p,Δ into S(x),Γl→E[p/x],Δl and Γr→S(s),Δr.
Since Δl∪˙Δr=Δ is a partitioning, y can only appear in either E[p/x],Δl or S(s),Δr.
If y∈vars(E[p/x],Δl) we instantiate Γr with {y↦t} and Γl, otherwise.
Now, y is no longer a shared variable.
The refinement Lemmas only guarantee a refinement for a given ground conflicting core.
In practice, however, conflicting cores contain free variables.
We can always generate a ground conflicting core by instantiating the free variables with ground terms.
However, if we only exclude a single ground case via refinement, next time the new conflicting core will likely have overlaps with the previous one.
Instead, we can often remove all ground instances of a given conflict clause at once.
The simplest case is when unifying the conflict clause with the original clause fails because their instantiations differ at some equivalent positions.
For example, consider N={P(x,x);P(f(x,a),f(y,b))→}.
N is satisfiable but the linear transformation is unsatisfiable with conflict clause P(f(x,a),f(y,b))
which is not unifiable with P(x,x), because the two terms f(x,a) and f(y,b) have different constants at the second argument.
A refinement of P(x,x) is
P(f(x,a),f(y,b)) shares no ground instances with the approximations of the refined clauses.
Next, assume that again unification fails due to structural difference, but this time the differences lie at different positions.
For example, consider N={P(x,x);P(f(a,b),f(x,x))→}.
N is satisfiable but the linear transformation of N is unsatisfiable with conflict clause P(f(a,b),f(x,x))
which is not unifiable with P(x,x) because in f(a,b) the first an second argument are different but the same in f(x,x).
A refinement of P(x,x) is
P(f(a,b),f(x,x)) shares no ground instances with the approximations of the refined clauses.
It is also possible that the conflict clause and original clause are unifiable by themselves, but the resulting constraint has no solutions.
For example, consider N={P(x,x);(P(x,y)→;x=a∧x=b∧y=c∧y=d)} with signature Σ={a,b,c,d}.
N is satisfiable but the linear transformation of N is unsatisfiable with conflict clause (→P(x,y);x=a∧x=b∧y=c∧y=d).
While P(x,x) and P(x,y) are unifiable, the resulting constraint x=a∧x=b∧x=c∧x=d has no solutions.
A refinement of P(x,x) is
(P(x,y);x=a∧x=b∧y=c∧y=d) shares no ground instances with the approximations of the refined clauses.
Lastly, we should mention that there are cases where the refinement process does not terminate.
For example, consider the clause set N={P(x,x);P(y,g(y))→}.
N is satisfiable but the linear transformation of N is unsatisfiable with conflict clause P(y,g(y)),
which is not unifiable with P(x,x).
A refinement of P(x,x) based on the ground instance P(a,g(a)) is
While P(y,g(y)) is not an instance of the refined approximation,
it shares ground instances with P(g(x),g(x′)).
The new conflict clause is P(g(y),g(g(y))) and
the refinement will continue to enumerate all P(gi(x),gi(x)) instances of P(x,x) without ever reaching a satisfiable approximation.
Satisfiability of first-order clause sets is undecidable, so termination cannot be expected by any calculus, in general.
5 Experiments
In the following we discuss several first-order clause classes for which FO-AR implemented in SPASS-AR immediately
decides satisfiability but
superposition and instantiation-based methods fail.
We argue both according to the respective calculi and state-of-the-art implementations,
in particular SPASS 3.9 [22], Vampire 4.1 [11, 20],
for ordered-resolution/superposition,
iProver 2.5 [9] an implementation of Inst-Gen [10], and
Darwin v1.4.5 [4] an implementation of the model evolution calculus [5].
All experiments were run on
a 64-Bit Linux computer (Xeon(R) E5-2680, 2.70GHz, 256GB main memory).
For Vampire and Darwin we chose the CASC-sat and CASC settings, respectively.
For iProver we set the schedule to “sat” and SPASS, SPASS-AR were used in default mode.
Please note that Vampire and iProver are portfolio solvers including implementations of several different calculi including
superposition (ordered resolution), instance generation, and finite model finding.
SPASS, SPASS-AR, and Darwin only implement superposition, FO-AR, and model evolution, respectively.
For the first example
P(x,y)→P(x,z),P(z,y);P(a,a)
and second example,
Q(x,x);Q(v,w),P(x,y)→P(x,v),P(w,y);P(a,a)
the superposition calculus produces independently of the selection strategy and ordering
an infinite number of clauses of form
Using linear approximation, however, FO-AR replaces P(x,y)→P(x,z),P(z,y) and →Q(x,x) with
P(x,y)→P(x,z),P(z′,y) and →Q(x,x′), respectively.
Consequently, ordered resolution derives →P(a,z1),P(z2,a) which subsumes any further inferences →P(a,z1),P(z2,z3),P(z4,a).
Hence, saturation of the approximation terminates immediately.
Both examples belong to the Bernays-Schönfinkel fragment, so
model evolution (Darwin) and Inst-Gen (iProver) can decide them as well.
Note that the concrete behavior of superposition is not limited to the above examples
but potentially occurs whenever there are variable chains in clauses.
On the third problem
P(x,y)→P(g(x),z);P(a,a)
superposition derives all clauses of the form →P(g(…g(a)…),z).
With a shallow approximation of P(x,y)→P(g(x),z) into S(v)→P(v,z) and P(x,y)→S(g(x)),
FO-AR (SPASS-AR) terminates after deriving →S(g(a)) and S(x)→S(g(x)).
Again, model evolution (Darwin) and Inst-Gen (iProver) can also solve this example.
The next example
P(a);P(f(a))→;P(f(f(x)))→P(x);P(x)→P(f(f(x)))
is already saturated under superposition.
For FO-AR,
the clause P(x)→P(f(f(x))) is replaced by S(x)→P(f(x)) and P(x)→S(f(x)).
Then ordered resolution terminates after inferring S(a)→ and S(f(x))→P(x).
The Inst-Gen and model evolution calculi, however, fail.
In either, a satisfying model is represented by a finite set of literals, i.e,
a model of the propositional approximation for Inst-Gen
and the trail of literals in case of model evolution.
Therefore, there necessarily exists a literal P(fn(x)) or ¬P(fn(x)) with a maximal n in these models.
This contradicts the actual model where either P(fn(a)) or P(fn(f(a))) is true.
However, iProver can solve this problem using its built-in ordered resolution solver whereas
Darwin does not terminate on this problem.
Lastly consider an example of the form
f(x)≈x→;f(f(x))≈x→;…;fn(x)≈x→
which is trivially satisfiable, e.g., saturated by superposition, but any model has at least n+1 domain elements.
Therefore, adding these clauses to any satisfiable clause set containing f forces calculi that explicitly
consider finite models to consider at least n+1 elements. The performance of final model finders [15] typically degrades
in the number of different domain elements to be considered.
Combining each of these examples into one problem is then
solvable by neither superposition, Inst-Gen, or model evolution
and not practically solvable with increasing n via testing finite models.
For example, we tested
for n=20 against SPASS,
Vampire, iProver, and Darwin for more than one hour each without success.
Only SPASS-AR solved it in less than one second.
For iProver we added an artificial positive equation b≈c. For otherwise,
iProver throws away all disequations while preprocessing. This is a satisfiability
preserving operation, however, the afterwards found (finite) models are not models of the
above clause set due to the collapsing of ground terms.
6 Conclusion
The previous section showed FO-AR is superior to superposition,
instantiation-based methods on certain classes of clause sets. Of course,
there are also classes of clause sets where superposition and instantiation-based methods
are superior to FO-AR, e.g., for unsatisfiable clause sets where the structure
of the clause set forces FO-AR to enumerate failing ground instances
due to the approximation in a bottom-up way.
Our prototypical implementation SPASS-AR cannot compete with systems such as iProver
or Vampire on the respective CASC categories of the TPTP [17]. This
is already due to the fact that they
are all meanwhile portfolio solvers. For example, iProver contains an implementation
of ordered resolution and Vampire an implementation of Inst-Gen. Our results, Section 5, however,
show that these systems may benefit from FO-AR by adding it to their portfolio.
The DEXPTIME-completeness result for MSLH strongly suggest that both the MSLH and also our
MSL(SDC) fragment have the finite model property. However, we are not aware of
any proof. If MSL(DSC) has the finite model property, the finite model finding approaches are complete
on MSL(SDC). The models generated by FO-AR and superposition
are typically infinite.
It remains an open problem, even for fragments enjoying the finite model property,
e.g., the first-order monadic fragment, to design a calculus that combines explicit finite
model finding with a structural representation of infinite models.
For classes that have no finite models this problem seems to become even more
difficult. To the best of our knowledge, SPASS is currently the only prover
that can show satisfiability of the clauses R(x,x)→; R(x,y),R(y,z)→R(x,z);
R(x,g(x)) due to an implementation of chaining [2, 16].
Apart from the superposition calculus, it is unknown to us how the
specific inferences for transitivity can be combined with any of the other discussed calculi,
including the abstraction refinement calculus introduced in this paper.
Finally, there are not many results on calculi that operate with respect to
models containing positive equations. Even for fragments that are decidable
with equality, such as the Bernays-Schoenfinkel-Ramsey fragment or the monadic
fragment with equality, there seem currently no convincing suggestions compared
to the great amount of techniques for these fragments without equality. Adding
positive equations to MSL(SDC) while keeping decidability is, to the best of
our current knowledge, only possible for at most linear, shallow equations
f(x1,…,xn)≈h(y1,…,yn) [8]. However, approximation into
such equations from an equational theory with nested term occurrences typically
results in an almost trivial equational theory. So this does not seem to be
a very promising research direction.
Bibliography22
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1[1] Leo Bachmair and Harald Ganzinger. Rewrite-based equational theorem proving with selection and simplification. Journal of Logic and Computation , 4(3):217–247, 1994. Revised version of Max-Planck-Institut für Informatik technical report, MPI-I-91-208, 1991.
2[2] Leo Bachmair and Harald Ganzinger. Ordered chaining calculi for first-order theories of transitive relations. Journal of the ACM , 45(6):1007–1049, 1998.
3[3] Jos C. M. Baeten, Jan A. Bergstra, Jan Willem Klop, and W. P. Weijland. Term-rewriting systems with rule priorities. Theor. Comput. Sci. , 67(2&3):283–301, 1989.
4[4] Peter Baumgartner, Alexander Fuchs, and Cesare Tinelli. Implementing the model evolution calculus. International Journal on Artificial Intelligence Tools , 15(1):21–52, 2006.
5[5] Peter Baumgartner and Cesare Tinelli. The model evolution calculus. In Franz Baader, editor, Automated Deduction - CADE-19, 19th International Conference on Automated Deduction Miami Beach, FL, USA, July 28 - August 2, 2003, Proceedings , volume 2741 of Lecture Notes in Computer Science , pages 350–364. Springer, 2003.
6[6] H. Comon, M. Dauchet, R. Gilleron, C. Löding, F. Jacquemard, D. Lugiez, S. Tison, and M. Tommasi. Tree automata techniques and applications. Available on: http://www.grappa.univ-lille 3.fr/tata , 2007. release October, 12th 2007.
7[7] Jean Goubault-Larrecq. Deciding ℋ 1 subscript ℋ 1 \mathcal{H}_{1} by resolution. Information Processing Letters , 95(3):401 – 408, 2005.
8[8] Florent Jacquemard, Christoph Meyer, and Christoph Weidenbach. Unification in extensions of shallow equational theories. In Tobias Nipkow, editor, Rewriting Techniques and Applications, 9th International Conference, RTA-98 , volume 1379 of LNCS , pages 76–90. Springer, 1998.