
A new method for automated finite model building exploiting failures and symmetries
Nicolas Peltier

LEIBNIZ-IMAG 46, Avenue Felix Viallet 38031 Grenoble Cedex FRANCE [email protected]

Abstract. A method for building finite models is proposed. It combines enumeration of the set of interpretations on a finite domain with strategies that prune the search space significantly. The main new ideas underlying our method are to benefit from symmetries and from the information extracted from the structure of the problem and from failures of model verification tests. The algorithms formalizing the approach are given and the standard properties (termination, completeness, and soundness) are proven. The method can deal with first-order logic with equality. In contrast to existing ones, it does not require transforming the initial problem into a normal form and can easily be extended to other logics. Experimental results and comparisons with related works are reported.

1. Introduction

The capital importance of the notion of "model" in Logic was naturally inherited by Automated Deduction, where, since the very beginning, the use of models has been recognized as a useful technique, in particular to prune the search space of proof procedures. Counterexamples can also be used in Automated Reasoning as they are used in Logic and Mathematics, i.e. as a technique for disproving conjectures. First-order theorem provers are in general not able to build counterexamples: usually they do not terminate when the treated formula is not valid (since first-order logic is not decidable). Moreover, a counterexample also gives a hint of why the formula is not a theorem, thus allowing a human user to understand and (possibly) correct the error (see for example [11]). Models also have numerous applications in Artificial Intelligence and Computer Science. Indeed, the idea of using models for guiding proof search has already been considered in the first works in Automated Deduction [24, 21]. More recent works show the interest of combining methods for deduction and for model building [26, 10]. However (and certainly due to the difficulty of the task), model building has received little attention compared with the huge amount of work devoted to the definition or improvement of refutation procedures and adequate strategies.

In this work we propose a method to build finite models of first-order formulae with equality. As other existing approaches [26, 35], our method is based on enumeration of the interpretations of a given formula on a finite domain and a test for satisfiability of the formula in each interpretation. Very natural strategies are defined in order to prune the search space, i.e. to reduce the number of interpretations to be tested. These strategies are based on two simple ideas. The first one is to use information deduced from the "failure" of the previous model verification tests. This is done by recording, as long as the search for a model goes along, the assignments that are "responsible" for the failure of the interpretations already tested, and by using them to safely eliminate some interpretations. The second idea is to take advantage of the natural symmetry between the elements of the domain in order to avoid testing two isomorphic interpretations. It will be shown that these strategies eliminate a large number of interpretations that are potential candidates for models but destined for failure. The algorithms corresponding to the method are presented in detail and their properties are proved. Our method is compared experimentally with related works in Section 4. Section 5 is devoted to a more abstract comparison with other approaches. The main advantages of our method w.r.t. existing ones can be summarized as follows.

1. It uses a new, more convenient way of keeping track of counter-models and pruning the search space (covering refutations).
2. It uses a new symmetry detection rule that makes a better use of the natural symmetry between the elements of the domain (see Section 5). This rule can eliminate interpretations that cannot be eliminated by using existing heuristics. Moreover it can very easily be combined with the use of refutations and covering refutations: to this aim, we introduce a notion of R-symmetry which takes into account both symmetries and information deduced from the failure of the previously tested interpretations.
3. It can deal with full first-order logic and does not require any transformation of the formula (in particular it is not restricted to sets of clauses). This feature is especially important for finite model building since the transformation into clausal form either exponentially increases the size of the formula, or (if structural transformation is used) increases the number of predicate symbols in the signature, hence increases the number of interpretations to be considered (see Section 5 for more details about this problem).
4. It is modular and can easily be extended to other logics. See Section 6.

2. Preliminaries

In this section we introduce the notions and notations necessary for the understanding of our work. To make the paper self-contained we first recall the standard notions of first-order terms and formulae (see for example [20]).

2.1. First order terms

Let $S$ be a set of sorts. Let $\Sigma$ be a set of function symbols. Let $p$ be a function mapping each symbol of $\Sigma$ to a profile of the form $s_1, \ldots, s_n \to s$ where $s_1, \ldots, s_n, s \in S$ (if $n = 0$, $f$ is a constant). For all $s \in S$, $V_s$ is an infinite set of symbols. Let $V = \bigcup_{s \in S} V_s$. $V$ is the set of variables, $V_s$ is the set of variables of sort $s$.

Remark. We assume that the sets $V_s$ (for $s \in S$) and $\Sigma$ share no element.

The set of terms of sort $s$ built on the signature $\Sigma, V$ is denoted by $\mathcal{T}(\Sigma, V)_s$ and is inductively defined as follows:

- $V_s \subseteq \mathcal{T}(\Sigma, V)_s$.
- If $\forall i \in [1..n]$, $t_i \in \mathcal{T}(\Sigma, V)_{s_i}$, $f \in \Sigma$ and $p(f) = s_1, \ldots, s_n \to s$, then $f(t_1, \ldots, t_n) \in \mathcal{T}(\Sigma, V)_s$.

2.2. First order formulae

For the sake of simplicity, we restrict ourselves to purely equational formulae, i.e. we assume that the only predicate occurring in the formulae is the predicate "=". Obviously this is not a restrictive assumption: indeed, if the formula contains a predicate symbol $P$ of profile $s_1, \ldots, s_n$, it is possible to translate it into a purely equational formula by adding a new functional symbol $f_P$ of profile $f_P : s_1, \ldots, s_n \to \mathit{Boolean}$ and replacing each atomic formula $P(t_1, \ldots, t_n)$ by $f_P(t_1, \ldots, t_n) = \mathit{true}$ (where $\mathit{Boolean}$ is a new sort symbol and $\mathit{true}$ and $\mathit{false}$ are two functional symbols of profile $\to \mathit{Boolean}$, with the axiom $\mathit{true} \neq \mathit{false}$). Obviously, this transformation does not increase the size of the formula.

Remark. This transformation simplifies the presentation of our method a lot. However it does not need to be explicitly performed in an implementation of the method.

An equational formula is of one of the following forms: $s = t$, $\neg F$, $F \vee G$, $F \wedge G$, $F \Leftrightarrow G$, $F \Rightarrow G$, $\exists x . F$, $\forall x . F$, where $s$ and $t$ are two terms of the same sort, $x \in V$, and $F$ and $G$ are two equational formulae. The free variables occurring in a formula $F$ are noted $\mathit{Var}(F)$. The notions of interpretation and model of a first-order formula are defined as usual.

2.3. Finite model building

In the following, we assume that interpretations (and models) are finite, i.e. that for all sort symbols $s$, the domain of interpretation of $s$ is finite. We also assume given a function $\mathit{size}$ mapping each sort symbol to the cardinality of the domain

of $s$. Without loss of generality the elements of the domain of the sort $s$ can be noted $1, \ldots, \mathit{size}(s)$. We note $\mathit{Dom}(s) = \{1, \ldots, \mathit{size}(s)\}$. We will keep the terminology of [25, 35]. The elements of a domain $\mathit{Dom}(s)$ will also be considered as constants of sort $s$ (i.e. members of $\Sigma$ of profile $\to s$). This allows us to consider terms of the form $f(g(1), a, 2)$ or $f(g(2), g(1), f(a, b, c))$, where $1, 2$ are elements of the domain. A term of the form $f(i_1, \ldots, i_n)$ where $f : s_1, \ldots, s_n \to s$ is a functional symbol and $\forall j \le n . i_j \in \mathit{Dom}(s_j)$ is called a cell. If $p(f) = s_1, \ldots, s_n \to s$, then the sort of a cell $f(i_1, \ldots, i_n)$ is the sort $s$ and is denoted by $\mathit{sort}(f(i_1, \ldots, i_n))$. For the sake of simplicity the domain of a cell $c$, i.e. the domain of the sort $\mathit{sort}(c)$, will be noted $\mathit{Dom}(c)$ and the size of $\mathit{Dom}(c)$ will be denoted by $\mathit{size}(c)$. The set of cells is denoted by $C$ and the set of cells of sort $s$ is denoted by $C_s$. Let $<$ be a total order on $C$.

If the cardinality of the domain of each sort symbol is given, then an interpretation $I$ of a given functional symbol $f$ of profile $s_1, \ldots, s_n \to s$ is entirely specified by giving the value of the function $I(f)$ for all tuples $i_1, \ldots, i_n \in \mathit{Dom}(s_1) \times \ldots \times \mathit{Dom}(s_n)$, i.e. by giving the value of each cell.

Let us introduce some definitions and notations. An equation is an expression $c = v$ where $c$ is a cell and $v$ an element of $\mathit{Dom}(c)$. A partial interpretation $I$ is a partial function from $C$ to $\mathbb{N}$ (i.e. the natural numbers) such that for all $c$, $I(c) \in \mathit{Dom}(c)$. $\mathit{cells}(I)$ denotes the domain of $I$. A partial interpretation is usually noted $\{c = v \mid c \in \mathit{cells}(I), I(c) = v\}$.

Remark. If $\mathit{cells}(I) = C$, $I$ is said to be total (this corresponds obviously to the usual definition of interpretation, see for example [1]).

The set of partial interpretations on a given set of cells can be ordered by using the lexicographic extension of the ordering on $C$. More precisely, we say that $I < J$ iff $\mathit{cells}(I) = \mathit{cells}(J)$ and there exists $c \in \mathit{cells}(I)$ such that $I(c) < J(c)$ and for all $c' < c$, $I(c') = J(c')$. For any total interpretation $I$, we denote by $\mathit{succ}(I)$ the successor of $I$ w.r.t. this ordering (i.e. the lowest element greater than $I$), if it exists; otherwise $\mathit{succ}(I)$ is undefined.

Let us give some examples illustrating the notions just introduced.

Example 1. Let $S = \{T\}$ be a set of sorts. Let $\Sigma = \{a, f\}$ with $a : \to T$ and $f : T \to T$. Assume that $\mathit{size}(T) = 2$. Therefore we have $\mathit{Dom}(T) = \{1, 2\}$. The set of cells is $C = \{a, f(1), f(2)\}$ (we assume the order $a < f(1) < f(2)$). The set $\{a = 1, f(1) = 2, f(2) = 1\}$ is an interpretation on $C$. The sets $I_1 \equiv \{a = 1, f(1) = 1, f(2) = 1\}$ and $I_2 \equiv \{a = 1, f(1) = 2, f(2) = 2\}$ are two interpretations on $C$. Moreover, we have $I_1 < I_2$. Indeed $I_1$ is lower (w.r.t. the lexicographic extension of the ordering on $C$) than $I_2$, since we have $I_1(f(1)) < I_2(f(1))$ and $I_1(a) = I_2(a)$. We have

$\mathit{succ}(I_1) = \{a = 1, f(1) = 1, f(2) = 2\}$

and

$\mathit{succ}(I_2) = \{a = 2, f(1) = 1, f(2) = 1\}$

Let us introduce a few notations, used in the rest of the paper. Let E be a set of cells. Let I and J be two sets of equations such that E  cells(I ) and E  cells(J ). By IjE we denote the set: fc = v=I (c) = v; c 2 E g. We say that I <jE J if IjE < JjE . Similarly, I =jE J , i IjE = JjE . succE will denote the successor function w.r.t. the ordering <E , i.e. for any total interpretation I , succE (I ) is the rst total interpretation (w.r.t. I . (P2) If I 6j= F , and if (I ) exists, then for any interpretation J such that: (I ) > J  I , J 6j= F . (P3) If I 6j= F , and (I ) does not exists then for all interpretation J  I , J 6j= F . The basic algorithm for nite model building based on the use of such a jump function is described in Figure 1. Basically it is the naive method in which succ has been replaced by . In De nition 1, (P1) guarantees the termination of the algorithm and (P2) and (P3) ensure the completeness of the algorithm (i.e. ensure that all possible models can be found). The use of the function  reduces the number of interpretations to be considered. More precisely it avoids to consider the interpretations J such that: J > I and J < (I ), if I has been previously considered. Obviously, the objective is to nd a function  allowing to eliminate as many interpretations as possible, i.e. (I ) must be as great as possible, for each I . Figure 2 illustrates the e ect of the jumping function. The circles represent interpretations. The full line represents the graph of the function succ and the dashed line represents the graph of the int-jump . The empty circles represent the interpretations eliminated by the use of the int-jump . 6
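Example 1 together with the restricted successor succ_E, as an added worked example that is not code from the paper. Interpretations are dictionaries from cells to domain values, `lex_less` is the lexicographic extension of the cell order, `succ` is the successor of Section 2.3, and `succ_restricted` is succ_E, read as the least total interpretation greater than I whose restriction to E differs from that of I (the reading of the definition that matches the later description of cref as "the first interpretation J greater than I such that J differs from I on the recorded cells"; that reading, the cell encoding and all function names are our assumptions).

```python
from itertools import product

# Cells are (symbol, argument tuple) pairs; a constant has an empty argument tuple.
# Example 1 from the page: one sort T, a : -> T, f : T -> T, size(T) = 2, Dom(T) = {1, 2},
# cells ordered a < f(1) < f(2).
SIZE = 2
CELLS = [("a", ()), ("f", (1,)), ("f", (2,))]


def interp(*values, cells=CELLS):
    """Build a total interpretation from the values of the cells, given in cell order."""
    return dict(zip(cells, values))


def lex_less(I, J, cells=CELLS):
    """I < J iff some cell c has I(c) < J(c) while every cell c' < c has I(c') = J(c')."""
    for c in cells:
        if I[c] != J[c]:
            return I[c] < J[c]
    return False


def succ_restricted(I, E, cells=CELLS, size=SIZE):
    """succ_E(I): the least total interpretation J > I whose restriction to E differs from I|E
    (our reading of the definition).  The greatest cell m of E that is not yet at its maximal
    value is incremented, cells before m keep their value and cells after m are reset to 1.
    Returns None when no cell of E can be incremented, i.e. when succ_E(I) is undefined."""
    for idx in range(len(cells) - 1, -1, -1):
        m = cells[idx]
        if m in E and I[m] < size:
            J = dict(I)
            J[m] += 1
            for c in cells[idx + 1:]:
                J[c] = 1
            return J
    return None


def succ(I, cells=CELLS, size=SIZE):
    """succ(I) is succ_C(I): the successor w.r.t. the full lexicographic order."""
    return succ_restricted(I, set(cells), cells, size)


def succ_chain(I):
    """All interpretations from I upwards, obtained by iterating succ until it is undefined."""
    chain = [I]
    while (I := succ(I)) is not None:
        chain.append(I)
    return chain


def all_interpretations(cells=CELLS, size=SIZE):
    """Every total interpretation in increasing lexicographic order (first cell most significant)."""
    return [dict(zip(cells, vals)) for vals in product(range(1, size + 1), repeat=len(cells))]


if __name__ == "__main__":
    I1, I2 = interp(1, 1, 1), interp(1, 2, 2)
    print(lex_less(I1, I2))      # True
    print(succ(I1))              # {a: 1, f(1): 1, f(2): 2}
    print(succ(I2))              # {a: 2, f(1): 1, f(2): 1}
```

Iterating `succ` from the minimal interpretation visits every interpretation exactly once in lexicographic order; `succ_restricted(I, E)` skips all interpretations that agree with I on E, which is the mechanism the int-jumps below build on.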

Fig. 2.

Theorem 1. (Soundness) Let  be an int-jump and F be a rst-order formula. FMC(; F ) terminates. If FMC returns an interpretation M then M j= F . If FMC returns \no model found" then there is no model of F on the given domain. Proof 1. I increases strictly (property (P1)). As the method deals with nite domains, FMC terminates. If FMC returns M, M is obviously a model of F . Assume that FMC returns \no model found". Let J be the greatest interpretation such that J  I and there exist an n such that: J = n(I0) (n exists since we have: I0  I and I0 = 0(I0)). We have J 6j= F (else FMC would stop at step n). Two cases must be considered:

1. Either (J ) exists. Then by de nition of J , J  I < (J ). By (P2), I 6j= F . 2. Or (J ) does not exist. Then by de nition of J , J  I and by (P3), I 6j= F . Di erent strategies can be de ned for the algorithm FMC, simply by changing the de nition of the int-jump . In the rest of this section, we give examples of int-jumps (respectively named ref ; cref ; 0cref ). For de ning them, we will take advantage of the information extracted from the failure of the interpretations previously tested. 3.2. Refutations in an interpretation The rst proposed int-jump is based on the notion of refutation of a closed formula

F w.r.t. an interpretation I . We introduce informally this notion via a motivating

example. Consider the formula $F : \forall x . x \neq f(x)$ on the domain $\{1, 2\}$. The set of cells is $\{f(1), f(2)\}$. The minimal interpretation (w.r.t. $I$, we have $H =_{|R} I$, hence $H \not\models F$.

3.3. A refined notion: covering refutations

The very simple strategy $\mathit{ref}$ can be improved by considering not only the refutation w.r.t. the current interpretation (generated by Evaluate) but the set of cells used since the beginning of the search, i.e. the union of all previously generated refutations.

Example 2. Let $F$ be the formula $(u \neq a) \vee (a \neq b \wedge d = a \wedge c \neq a \wedge b \neq c)$. Assume that $u < a < b < c < d$. We first try the interpretation $I_0 = \{u = 0, a = 0, b = 0, c = 0, d = 0\}$. We have $I_0 \not\models F$ (because of the sub-formula $a \neq b$). The corresponding refutation is $\{u, a, b\}$. Therefore we try the interpretation $I_1 = \{u = 0, a = 0, b = 1, c = 0, d = 0\}$. Again $I_1 \not\models F$. The refutation is $\{u, a, c\}$. Hence we try $I_2 = \{u = 0, a = 0, b = 1, c = 1, d = 0\}$, which fails again because of the value of the cells $b, c$. Applying the function $\mathit{ref}$ to $I_2$ gives the interpretation $I_3 = \{u = 0, a = 0, b = 1, c = 0, d = 1\}$. We have $I_3 =_{|\{u, a, c\}} I_1$, hence this interpretation will fail again because of the value of the cells $\{u, a, c\}$. The two interpretations $I_1$ and $I_3$ will therefore fail for exactly the same reason.

A first way to overcome this problem is to keep track of all the refutations found during the search and check whether these refutations belong to the interpretation currently tested. This is what is done by the model builder Finder, which, during the search for a model, builds a database containing the refutations previously found in order to avoid backtracking twice for the same reason. The drawback of this approach is that it can be very costly, since the set of refutations grows very quickly, which may reduce the performance of the method (notice that the addition of new refutations to the database is carefully controlled by Finder, see [25], page 43).

Here, we propose another approach based on the concept of covering refutation. During the search for a model, we record each cell belonging to a previously generated refutation. Intuitively, this set of cells is the set of cells responsible for the failure of the previously tested interpretations to satisfy the given formula. To describe this idea in a more formal way we need to introduce the notion of covering refutation. Loosely speaking, a covering refutation can be seen as an easy and compact way of recording sets of refutations.

Let us introduce some notation. For a given cell $c$, we denote by $c^-$ the set $[c_0, c[$ (i.e. the set of cells $x$ such that $c_0 \le x < c$) and by $c^+$ the set $[c, c_{\max}]$ (i.e. the set of cells $x$ such that $c \le x \le c_{\max}$).

Definition 4. Let $I$ be an interpretation. A set of cells $R$ is said to be a covering refutation of $F$ w.r.t. $I$ iff for all cells $c$ and for all interpretations $J$ such that $I =_{|c^- \cap R} J$ and $J <_{|c^+} I$, we have $J \not\models F$.

$R$ is a set of cells responsible for the failure of all the previously tested interpretations.

Remark. By definition, a covering refutation is equivalent to the following set of formulae:

$\{\ \bigvee \{ i \neq I(i) \mid i \in c^- \cap R \} \ \vee\ \bigvee \{ i \neq I(i) \mid c \le i < c' \} \ \vee\ c' \neq k \ \ \mid\ \ c \in C,\ c' \in C,\ c' > c,\ k < I(c') \ \}$

Example 3. $\{u, a\}$ is a covering refutation of the formula $F$ w.r.t. $I_2$. Indeed, let $c$ be a cell and $J$ an interpretation satisfying $I_2 =_{|c^- \cap \{u, a\}} J$ and $J <_{|c^+} I_2$. Then three cases may occur.

- $c = u$. We have by definition $J < I_2$. Hence $J \not\models F$ (since $\mathit{ref}$ is an int-jump).


- $c = a$. We have $J(u) = 0$ and $J <_{|a^+} I_2$, hence $J < I_2$. Therefore $J \not\models F$.
- $c > a$. We have $J(u) = J(a) = 0$. Moreover $J <_{|a^+} I_2$. Hence we have again $J < I_2$ and $J \not\models F$.

This covering refutation is equivalent to the following set of refutations:

1. $u \neq 0 \vee a \neq 0 \vee b \neq 0$
2. $u \neq 0 \vee a \neq 0 \vee c \neq 0$

Refutation 2 allows us to eliminate the interpretation $I_3$.

Remark. In this case $\{a, b\}$ is also a refutation of $F$ w.r.t. $I_2$.

Remark. If R is a covering refutation of F , w.r.t. I , then for all J < I , J 6j= F (it suces to take: c = c0 in the de nition 4). Clearly, the next task is to show how to build such covering refutations and how to use them for pruning the search space. The following lemmas state interesting properties of covering refutations. Let R be a covering refutation of F w.r.t. I and c = max(R). Assume that I (c) = size(c) (i.e. the value of c is the maximal element of the domain). Then, for all interpretation J such that J =jc? I , we have: ? either J (c) < I (c), hence J m. If J (m) = size(m), then: Jjc? \R = Ijc? \R . But since: J <jc+ I we would have: J 6j= F (since R is a covering refutation of F w.r.t. I ).


Hence $J(m) \neq \mathit{size}(m)$, i.e. $J(m) < \mathit{size}(m)$. We have $J <_{|m^+} I$ and $J =_{|m^- \cap R} I$, hence $J \not\models F$, which is impossible. Now assume that $R$ is a refutation of $F$ w.r.t. $I$. Assume that $J =_{|R'} I$. Then either $J(m) = I(m)$, and in this case $J =_{|R} I$, hence $J \not\models F$, or $J <_{|m^+} I$ (since $I(m) = \mathit{size}(m)$), hence $J \not\models F$.

Hence we can assume without loss of generality that any covering refutation is normalized: indeed, if $R$ is not normalized we can remove the element $\max(R)$ from $R$ and get a new covering refutation. By repeating this process it is possible to get a normalized covering refutation, noted $N(R)$.

Example 4. Let $F$ be a formula containing a symbol $a$ of sort $s$. Assume that $\mathit{size}(s) = 3$. Let $\{a\}$ be a covering refutation of $F$ w.r.t. an interpretation $I$ such that $I(a) = 3$. Then the empty set $\emptyset$ is also a covering refutation of $F$ w.r.t. $I$. Therefore we have, for all interpretations $J$ and for all cells $c$:

$J <_{|c^+} I \Rightarrow J \not\models F.$

We have $N(\{a\}) = \emptyset$. If $\{a\}$ is also a refutation of $F$ w.r.t. $I$, then $\emptyset$ is a refutation of $F$, which means that $F$ is unsatisfiable on the given domain.

Similarly, Lemma 2 shows that it is possible to remove the last cell of a covering refutation, provided that the remaining cells are a refutation of the formula w.r.t. the current interpretation $I$.

Lemma 2. If $R$ is a covering refutation of $F$ w.r.t. $I$, and if $\mathit{trunc}(R)$ is a refutation of $F$ w.r.t. $I$, then $\mathit{trunc}(R)$ is a covering refutation of $F$ w.r.t. $I$.

Proof 5. Let $R' = \mathit{trunc}(R)$ be a refutation of $F$ w.r.t. $I$, and assume that $R'$ is not a covering refutation of $F$ w.r.t. $I$. Then there exist an interpretation $J$ and a cell $c \in R$ such that $J =_{|c^- \cap R'} I$, $J <_{|c^+} I$ and $J \models F$. If $c \le m$, we have $c^- \cap R = c^- \cap R'$. Hence $J =_{|c^- \cap R} I$, hence (since $R$ is a covering refutation of $F$ w.r.t. $I$) $J \not\models F$. Hence $c > m$. Then $R' = R' \cap c^-$, hence $R' \cap c^-$ is a refutation of $F$ w.r.t. $I$, hence $J \not\models F$.

Remark. Lemmas 1 and 2 state important properties of covering refutations that allow refutations to be simplified during the search. In order to be fully convinced of the interest of the notion of "covering refutation", it is enough to notice that

Lemma 1 obviously does not hold if we consider refutations instead of covering refutations. For practical uses of Lemma 2 we introduce the following operator: NR0 (R) = NR0 (trunc(R)) if R is not normalized or if R0  trunc(R). NR0 (R) = R otherwise Remark. Computation of NR0 obviously terminates for all R0; R. Lemma 3. If R is a covering refutation and R0 a refutation then NR0 (R) is a covering refutation. If moreover R is a refutation then NR0 (R) is a refutation. Proof 6. This lemma is a straightforward consequence of Lemmas 1 and 2. Lemma 4. If R is a covering refutation of F w.r.t I then for all set of cells E , R [ E is a covering refutation of F w.r.t I . Proof 7. (trivial) If J =jc? \(R[E ) I and J m, I 0 (c) = 1. Hence if c > m, then Ij0c+ = fc0 = 1=c0  cg, hence Ij0c+ is minimal w.r.t. to the order j]m;cmax ] I . Then we have J =R I and J 6j= F . 15

2. Since succR(I ) does not exists we must have, (since R is normalized), R = ;. Since R is a refutation of F w.r.t. I we deduce that for all interpretation J : J 6j= F . Lemmas 1 and 5 allows to compute { during the model search { a covering refutation R of F w.r.t. the current interpretation I . This covering refutation R will be noted . The refutation R0 generated by the procedure Evaluate is denoted by . The use of the covering refutation R allows us to eliminate some interpretations during the search. More precisely the interpretations between I and succ (I ) need not to be considered. The new algorithm is speci ed on Figure 5. We de ne the function cref as follows: De nition 6.

If I 6j= F ; cref (I ) = succ (I ), otherwise cref is unde ned

cref (I ) is the rst interpretation J greater than I such that J 6=j I . Theorem 4 (Termination, soundness, completeness). The algorithm FMC is terminating. Moreover if FMC returns M then M j= F and if FMC returns \no model found" then F is unsatis able on the given domain. Proof 9. By Theorem 2, is a refutation of F w.r.t. I . By Lemmas 1, 4 and 5, we know that at each step, is a covering refutation of F w.r.t. I . Since I increases strictly, FMC must terminate. If FMC returns M then we have obviously M j= F . Assume that FMC returns no model found. Then, by de nition of succ we must have = ;. Hence ; is a refutation of F hence F is unsatis able on the given domain. Example 5. Let us illustrate how our algorithm works with the formula considered in Example 2.

1. Initially we have I = fu = 0; a = 0; b = 0; c = 0; d = 0g. = ;. Since I0 6j= F , Evaluate returns ? and a refutation fu; a; bg of F w.r.t. I . Then we have: = fu; a; bg. 2. Then we compute the new covering refutation and the new interpretation I1. We have = N ( [ ), i.e. = fu; a; bg. Hence I1 = succ (I0) = fu = 0; a = 0; b = 1; c = 0; d = 0g. Again I1 6j= F . Evaluate returns ? and the refutation = fu; a; cg. 16

Procedure FMC f Finite Model Construction g INPUT: A formula F OUTPUT A model M of F or a message: \no model found" begin I = fv = 1=v 2 Cg = ; f is a covering refutation of F w.r.t I g (v; ) =Evaluate(F ; ;; I ) f is a refutation of F w.r.t. I g while v false 0 = = N ( [ ) if succ (I ) exists then I = cref (I ) = trunc( ) else return \no model found" (v; ) =Evaluate(F ; ;; I ) endf while g return I end Fig. 5. Finite Model Construction

3. The new value of is = [ = fu; a; b; cg. Hence I2 is fu = 0; a = 0; b = 1; c = 1; d = 0g. Here we have = fu; a; b; cg. Hence [ = fu; a; b; cg. However in this case [ is not normalized since I2(c) = 1 and I2 (b) = 1. Hence N will delete this two values from the covering interpretation, which gives fu; ag. 4. Then the next interpretation is fu = 0; a = 1; b = 0; c = 0; d = 0g which is a model of F . 3.4. A more clever strategy By a deeper analysis of the proof of Lemma 5, we can de ne a more clever intjump 0cref allowing, for some particular (though non trivial) cases, to eliminate more interpretations than cref . The intuitive idea of this new int-jump is well illustrated by following example. Example 6. Let F be the formula G ^ a 6= b where a; b does not occur in G . Assume that a < b and for all cells c occurring in G , b < c. We have I0 = fa = 17

0; b = 0g [ I00 . The algorithm FMC will rst look for a model I 0 of the subformula G . Then we obtain the interpretation I = fa = 0; b = 0g[I 0. I will fail due to the sub-formula a 6= b. If we apply the int-jump cref we will try the interpretation fa = 0; b = 1g[I00 . Therefore we will have to recompute entirely the partial model I 0. This is due to the fact that the model of G is independent from the value of a and b. Hence in this case changing the values of the cells v > b is not useful since the new equation b = 1 does not a ect the truth value of G . The new int-jump to be proposed is based on the following lemma. Lemma 6. Let F be a formula. Let I be an interpretation and R a covering refutation and a refutation of F w.r.t. I . Let R0 = trunc(R). Let m = max(R) Let J be the interpretation identical to I , excepted for the cell m where the value in increased by one, formally de ned as follows: J = IjCnfmg [ fm = I (m) + 1g Then if R0 is a covering refutation of F w.r.t. I then R0 is a covering refutation of F w.r.t. J . Proof 10. Let c be a cell. Let H be an interpretation such that: H <jc+ J and H =jc? \R0 J . Assume that H j= F . If c  m, then J =jc? \R0 I . Hence: H =jc? \R0 I . Moreover, H m, HR = IR. Hence H 6j= F . If c0  m, we have H =jc0? \R0 I and H m. If H <jc+ I , we must have: H 6j= F . (since R0 is a covering refutation of F w.r.t. I ). Similarly if H =jc+ I , we have: H =jR I , hence H 6j= F . Hence we have: J >jc+ H >jc+ I . But this is impossible, because J =jc+ I , since c > m. De nition 7. Let I be an interpretation. We de ne the function 0cref as follows (we denote by m the cell max(N ( [ ))):

? 0cref (I ) = IjCnfmg [ fm = I (m) + 1g if I 6j= F and if 0  trunc( ). ? 0cref (I ) = cref (I ), if I 6j= F , and if I 6j= F , 0 6 trunc( ). ? 0cref (I ) is unde ned if I j= F . where: is a covering refutation and a refutation of F w.r.t. I , 0 is a covering refutation of F w.r.t. I . Now we denote by FMC the procedure obtained by replacing the function cref by 0cref in Figure 5. 18
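The procedure FMC of Figure 5 run on the formula of Examples 2 and 5, as an added example written for this page; it is not the paper's implementation. Assumptions: a ground formula over the constant cells u < a < b < c < d with domain {0, 1}; `evaluate` returns, for a false formula, the set of cells whose values decide the result (our reading of the refutation returned by Evaluate); `succ_restricted` is the first interpretation greater than I that differs from I on the given cells; `normalize` is the operator N of Section 3.3. The loop follows Figure 5 as printed, truncating the covering refutation after each jump, and `naive` enumerates every interpretation for comparison.

```python
from itertools import product

# Constructed encoding of Example 2: five constant cells ordered u < a < b < c < d and the
# domain {0, 1}, as in the page's examples (minimal value 0, maximal value size - 1).
CELLS = ["u", "a", "b", "c", "d"]
SIZE = 2
MIN_V, MAX_V = 0, SIZE - 1

# Formula syntax (our own): ("eq", s, t), ("neq", s, t), ("not", G), ("and", G1, ...),
# ("or", G1, ...) with s, t cells.  F = (u != a) or (a != b and d = a and c != a and b != c).
F = ("or", ("neq", "u", "a"),
     ("and", ("neq", "a", "b"), ("eq", "d", "a"), ("neq", "c", "a"), ("neq", "b", "c")))


def evaluate(formula, I):
    """Return (truth value, support): the support is a set of cells such that every J agreeing
    with I on it gives the formula the same truth value.  When the value is False the support
    is therefore a refutation of the formula w.r.t. I (our reading of the procedure Evaluate)."""
    op = formula[0]
    if op in ("eq", "neq"):
        s, t = formula[1], formula[2]
        holds = (I[s] == I[t]) if op == "eq" else (I[s] != I[t])
        return holds, {s, t}
    if op == "not":
        holds, sup = evaluate(formula[1], I)
        return not holds, sup
    results = [evaluate(g, I) for g in formula[1:]]
    if op == "and":
        for holds, sup in results:
            if not holds:
                return False, sup               # one false conjunct refutes the conjunction
        return True, set().union(*(sup for _, sup in results))
    if op == "or":
        for holds, sup in results:
            if holds:
                return True, sup
        return False, set().union(*(sup for _, sup in results))  # every disjunct is refuted
    raise ValueError(op)


def succ_restricted(I, E):
    """succ_E(I): the first interpretation J > I with J|E != I|E (cf. the definition of cref);
    None when no cell of E can be incremented, i.e. when succ_E(I) is undefined."""
    for idx in range(len(CELLS) - 1, -1, -1):
        m = CELLS[idx]
        if m in E and I[m] < MAX_V:
            J = dict(I)
            J[m] += 1
            for c in CELLS[idx + 1:]:
                J[c] = MIN_V
            return J
    return None


def normalize(R, delta, I):
    """The operator N_delta(R) of Section 3.3: drop max(R) while R is not normalized (its
    maximal cell holds the maximal value in I, Lemma 1) or while delta is still contained in
    trunc(R) (Lemma 2), so that the result stays both a covering refutation and a refutation."""
    R = set(R)
    while R:
        m = max(R, key=CELLS.index)
        rest = R - {m}
        if I[m] == MAX_V or delta <= rest:
            R = rest
        else:
            break
    return R


def fmc(formula):
    """Figure 5 (finite model construction with the int-jump cref).
    Returns (model or None, list of the interpretations that were evaluated)."""
    I = {c: MIN_V for c in CELLS}
    cover = set()                              # Delta: covering refutation of F w.r.t. I
    tested = [dict(I)]
    holds, delta = evaluate(formula, I)        # delta: refutation of F w.r.t. I when not holds
    while not holds:
        cover = normalize(cover | delta, delta, I)
        J = succ_restricted(I, cover)
        if J is None:                          # cover is empty: F is unsatisfiable on this domain
            return None, tested
        I = J
        cover -= {max(cover, key=CELLS.index)} # trunc(Delta), as printed in Figure 5
        tested.append(dict(I))
        holds, delta = evaluate(formula, I)
    return I, tested


def naive(formula):
    """Plain enumeration in lexicographic order, for comparison.  Returns (model or None, count)."""
    count = 0
    for vals in product(range(MIN_V, MAX_V + 1), repeat=len(CELLS)):
        I = dict(zip(CELLS, vals))
        count += 1
        if evaluate(formula, I)[0]:
            return I, count
    return None, count


if __name__ == "__main__":
    model, tested = fmc(F)
    print("model:", model, "after", len(tested), "evaluations; naive needs", naive(F)[1])
```

On the formula of Example 2 the procedure evaluates exactly the four interpretations I0, I1, I2 and the model {u = 0, a = 1, b = 0, c = 0, d = 0} listed in Example 5, where plain enumeration evaluates nine; on the unsatisfiable u = a ∧ u ≠ a it stops after four interpretations with an empty covering refutation, which is the "no model found" case of Theorem 4.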

Theorem 5. The new algorithm FMC is terminating. Moreover if FMC returns

M then M j= F and if FMC returns \no model found" then F is unsatis able on the given domain.

Proof 11. This is a straightforward consequence of Lemma 6 and Lemma 5.

Remark. For all $I$, the value of the int-jump $\mathit{cref}'$ at $I$ is greater than or equal to that of $\mathit{cref}$.

3.5. Symmetry Detection

Informal presentation. The strategy that we propose in this section takes advantage of the natural symmetry existing between elements of the domain of a given sort $s$. Consider a sort $s$ and a permutation $\sigma$ of $D_s$. We have $I^\sigma \models F^\sigma$ iff $I \models F$. Hence, if no element of $D_s$ occurs in the initial formula $F$, then for all interpretations $I$ of $F$, $I \models F$ iff $I^\sigma \models F$. This shows that for a given interpretation $I$, there exist many isomorphic interpretations, in which $F$ has the same truth value as in $I$. When searching for a model of $F$, it is therefore useless to consider all these possibilities; only one of them needs to be considered. Let us illustrate this fact by a (deliberately trivial) example.

Example 7. Let $\Sigma$ be the signature $\{a : \to T, b : \to T\}$. Let $F$ be the formula $a = b \wedge a \neq b$. Let $\mathit{size}(T) = 3$. The procedure FMC will consider the interpretations $I_1 \equiv \{a = 1, b = 1\}$, $I_2 \equiv \{a = 1, b = 2\}$ and $I_3 \equiv \{a = 1, b = 3\}$. Here $I_2$ and $I_3$ are obviously symmetric: we just have to permute the elements 2 and 3. Hence it is useless to evaluate the formula $F$ in the interpretation $I_3$; one can conclude directly that $I_3 \not\models F$, since $I_2 \not\models F$ and $I_3 = \sigma(I_2)$. Then FMC will check the interpretation $I_4 = \{a = 2, b = 1\}$. Again $I_4$ and $I_2$ are symmetric since we have $I_4 = \sigma(I_2)$ (with $\sigma(2) = 1$ and $\sigma(1) = 2$). Hence $I_4 \not\models F$. Similarly all the remaining interpretations $I_5 = \{a = 2, b = 2\}$, $I_6 = \{a = 2, b = 3\}$, $I_7 = \{a = 3, b = 1\}, \ldots$ are symmetric to the previously considered interpretations $I_1$ and $I_2$. Hence we can stop and return "no model found". Here we have considered only 2 interpretations, while a naive exploration of the search space would have given $3 \times 3 = 9$ possible interpretations.

In order to present our method on a formal basis we need the following lemma:

Lemma 7. Let $\sigma$ be a permutation of $\mathit{Dom}$. Let $F$ be a formula. Let $I$ be a model of $F$. Then $\sigma(I)$ is a model of $\sigma(F)$.


Proof 12. $\sigma(I)$ is obviously an interpretation, since $\sigma$ is bijective. Moreover, we have for all terms $t$: $\sigma(I)(t) = \sigma(I(t))$. We show by induction on the set of formulae that for all substitutions $\sigma$, $\sigma(I) \models \sigma(F)$.

1. Assume that $F$ is of the form $t = s$. Then $I \models (t = s)$, i.e. $I(t) = I(s)$, hence $\sigma(I(t)) = \sigma(I(s))$, i.e. $\sigma(I) \models \sigma(F)$.
2. Assume that $F$ is of the form $\neg F_1$. Then $I \not\models F_1$. Assume that $\sigma(I) \models \sigma(F_1)$. By the induction hypothesis (since $\sigma^{-1}$ is a permutation) it means that $I \models F_1$, which is impossible. Hence $\sigma(I) \not\models \sigma(F_1)$, hence $\sigma(I) \models \sigma(F)$.
3. If $F \equiv F_1 \vee F_2$, then $I$ is either a model of $F_1$ or a model of $F_2$. By the induction hypothesis we have either $\sigma(I) \models \sigma(F_1)$ or $\sigma(I) \models \sigma(F_2)$, hence $\sigma(I) \models \sigma(F)$.
4. If $F \equiv \exists x . F_1$, then $F$ is equivalent to $\bigvee_{c \in \mathit{Dom}(x)} F_1\{x \to c\}$. By case 3 above, we deduce that $\sigma(I) \models \sigma(\bigvee_{c \in \mathit{Dom}(x)} F_1\{x \to c\})$, i.e. $\sigma(I) \models \bigvee_{c \in \mathit{Dom}(x)} \sigma(F_1\{x \to c\})$, i.e. $\sigma(I) \models \exists x . \sigma(F_1)$. Therefore $\sigma(I) \models \sigma(F)$.

Lemma 8. $\sigma(I_{|R}) = \sigma(I)_{|\sigma(R)}$.

Proof 13. $c = e \in \sigma(I_{|R})$ iff $\sigma^{-1}(c) = \sigma^{-1}(e) \in I$ and $\sigma^{-1}(c) \in R$, i.e. $c \in \sigma(R)$. This is equivalent to $c = e \in \sigma(I)$ and $c \in \sigma(R)$ (by composition by $\sigma$), hence to $c = e \in \sigma(I)_{|\sigma(R)}$.

We deduce the following:

Theorem 6. If $R$ is a refutation of $F$ w.r.t. $I$, then $\sigma(R)$ is a refutation of $\sigma(F)$ w.r.t. $\sigma(I)$.

Proof 14. Let $K$ be an interpretation such that $K =_{|\sigma(R)} \sigma(I)$, i.e. $\sigma^{-1}(K_{|\sigma(R)}) = \sigma^{-1}(\sigma(I)_{|\sigma(R)})$. By Lemma 8 we deduce $\sigma^{-1}(K)_{|R} = I_{|R}$, hence $\sigma^{-1}(K) \not\models F$ (since $R$ is a refutation of $F$ w.r.t. $I$). Therefore $K \not\models \sigma(F)$ (by Theorem 7).

The notion of symmetry of interpretations is defined as follows:

Definition 8. Two interpretations $I$ and $J$ are said to be symmetric if there exists a permutation $\sigma$ such that $\sigma(I) = J$ and $\sigma(F) = F$.

This definition can be modified to take advantage of our notion of refutation. Indeed, one interesting feature of our method is that it is very easy to combine the use of refutations or covering refutations with the use of symmetries. This makes it possible to weaken the conditions on the interpretations $I$ and $J$: $I$ and $J$ will be said to be $R$-symmetric iff their restrictions to $R$ are symmetric. More formally:

Definition 9. Two interpretations $I$ and $J$ are said to be $R$-symmetric if there exists a permutation $\sigma$ such that $\sigma(I) =_{|R} J$ and $\sigma(F) = F$.

Notice that the notion of $R$-symmetry is weaker than that of symmetry, since we restrict ourselves to a particular set of cells. The following corollary is a straightforward consequence of Theorem 6:

Corollary 1. If $I$ and $J$ are $R$-symmetric (w.r.t. a substitution $\sigma$) and if $R$ is a refutation of $F$ w.r.t. $I$, then $\sigma(R)$ is a refutation of $F$ with respect to $J$.

Practical use of symmetries. According to Corollary 1, we know that if $I$ and $J$ are $R$-symmetric w.r.t. a permutation $\sigma$, and if $R$ is a refutation of $F$ w.r.t. $I$, then $J \not\models F$ and we can get a refutation of $F$ w.r.t. $J$ simply by composing $R$ with the permutation $\sigma$. For the sake of efficiency we do not try to identify all possible symmetries between the interpretations. Instead we try to find simple criteria (that can be checked at very low computational cost) allowing us to detect that a given interpretation is symmetric to a lower one. More precisely we introduce the notion of direct symmetry.

Definition 10. Two interpretations $I$ and $J$ are said to be directly $R$-symmetric iff:

- there exists at most one cell $c$ in $R$ such that $I(c) \neq J(c)$;
- $I =_{|R} \sigma(J)$, where $\sigma$ is the permutation defined by $\sigma(I(c)) = J(c)$, $\sigma(J(c)) = I(c)$, and $\sigma(e) = e$ if $e \neq I(c)$ and $e \neq J(c)$;
- $\sigma(R) = R$;
- neither $I(c)$ nor $J(c)$ occurs in $F$.
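Example 7 with the symmetry test of Definition 8 and the direct R-symmetry test of Definition 10, as an added example that is not the paper's code. Assumed encoding: a cell is a (symbol, argument tuple) pair, the domain is {1, 2, 3}, and the formula is a = b ∧ a ≠ b, which mentions no domain element, so σ(F) = F for every permutation σ. `count_evaluations` walks the nine interpretations in lexicographic order and skips an interpretation when the given test finds it symmetric to an earlier one; all names are ours.

```python
from itertools import permutations, product

# Constructed encoding of Example 7: signature {a : -> T, b : -> T}, size(T) = 3, and the
# formula F = (a = b) and (a != b).  A cell is a (symbol, argument tuple); both are constants.
DOM = (1, 2, 3)
CELLS = [("a", ()), ("b", ())]              # order a < b
ELEMENTS_IN_F = frozenset()                 # domain elements occurring in F: none, so sigma(F) = F


def apply_perm(sigma, I):
    """sigma(I): rename domain elements in the cell arguments and in the cell values."""
    return {(f, tuple(sigma[x] for x in args)): sigma[v] for (f, args), v in I.items()}


def symmetric(I, J):
    """Definition 8 (sigma(F) = F holds for every sigma here): some permutation maps I onto J."""
    for image in permutations(DOM):
        sigma = dict(zip(DOM, image))
        if apply_perm(sigma, I) == J:
            return True
    return False


def directly_symmetric(I, J, R):
    """Definition 10: I and J differ on at most one cell c of R, and the transposition exchanging
    I(c) and J(c) maps J|R onto I|R, leaves R fixed, and swaps no element occurring in F."""
    diff = [c for c in R if I[c] != J[c]]
    if not diff:
        return True
    if len(diff) > 1:
        return False
    c = diff[0]
    x, y = I[c], J[c]
    if x in ELEMENTS_IN_F or y in ELEMENTS_IN_F:
        return False
    sigma = {e: e for e in DOM}
    sigma[x], sigma[y] = y, x
    if {(f, tuple(sigma[z] for z in args)) for f, args in R} != set(R):   # sigma(R) = R
        return False
    return apply_perm(sigma, {c2: J[c2] for c2 in R}) == {c2: I[c2] for c2 in R}


def count_evaluations(check_all_previous, test):
    """Walk the 3 x 3 interpretations in lexicographic order and return those that must be
    evaluated: an interpretation is skipped when `test` shows it symmetric to an earlier one
    (any earlier one if check_all_previous, otherwise only the immediately preceding one, which
    is the cheap check Section 3.5 proposes for direct symmetry)."""
    seen, evaluated = [], []
    for vals in product(DOM, repeat=len(CELLS)):
        I = dict(zip(CELLS, vals))
        candidates = seen if check_all_previous else seen[-1:]
        if not any(test(I, J) for J in candidates):
            evaluated.append(I)
        seen.append(I)
    return evaluated


if __name__ == "__main__":
    print(len(count_evaluations(True, symmetric)), "evaluations with full symmetry (9 naively)")
    print(len(count_evaluations(False, lambda I, J: directly_symmetric(I, J, CELLS))),
          "evaluations with the direct test against the previous interpretation")
```

With the full symmetry test only the two orbit representatives {a = 1, b = 1} and {a = 1, b = 2} are evaluated, as in Example 7. The direct test is cheaper (no search over permutations) but, checked only against the previous interpretation, it recognises just I3 and {a = 3, b = 2} as symmetric, which is the trade-off the text describes between the power of the strategy and the cost of the test.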

Obviously, if I and J are directly symmetric then I and J are symmetric. Moreover, checking whether two interpretations are directly R-symmetric can be done easily during our algorithm FMC (in linear time w.r.t. the size of R). Using this simple test instead of the procedure Evaluate to detect that a given interpretation is R-symmetric to the previous one can significantly improve the performance of the method. Obviously, by restricting ourselves to directly symmetric interpretations we restrict the power of our symmetry-based strategy; however, the corresponding test can be done in very low computational time, which would not be the case in general. This approach is a rather simple way of dealing with symmetries and will be enhanced in the future. It should be mentioned that the use of symmetries for solving propositional problems has been studied in [7], where a deep theoretical study of the complexity of computing syntactic symmetries can be found, and in [6], where a method is given for exploiting semantic symmetries for solving propositional problems. In Section 5 we compare the power of our symmetry detection rule with the existing methods for exploiting symmetries.

3.6. The order

In order to get a deterministic procedure, it remains to specify the order used on the cells. Several different orders are possible for a given problem and the performance of the procedure can heavily depend on the chosen order. Finding an order well adapted to a given problem seems to be a hard problem. Hence it must be chosen very carefully and, in general, experimentally. In the example below, the order has been chosen as follows: first the function symbols are ordered w.r.t. their arity (function symbols with greater arity are considered first). Then the arguments of the cells are ordered w.r.t. the lexicographic extension of the ordering on the domain. For example, if Σ = {f, g, a}, where f, g and a are of arity 2, 1, 0 respectively, and if the size of the domain is 2, then the cells will be ordered as follows: f(0,0) < f(0,1) < f(1,0) < f(1,1) < g(0) < g(1) < a. Obviously other orders are possible, for example f(0,0) < g(0) < a < f(0,1) < f(1,0) < f(1,1) < g(1).

3.7. Choice of the refutation

Let I be an interpretation and F a formula. Assume that I ⊭ F. Then Evaluate will return a refutation of F w.r.t. I. Obviously, for a given I many different refutations are possible, depending on the order in which the elements of the domain are considered in the procedure Evaluate and on the order in which the subformulae of F are evaluated. These refutations are not equivalent, in the sense that some of them may be better for pruning the search space than others. It is nevertheless difficult to predict which refutation will be better for a given interpretation I. Consider two refutations R and R'. Assume that the cells occurring in R are lower than those in R'. Then we will have (by definition of succ): succ_R(I) > succ_{R'}(I). Hence the interpretation I' considered after I if R is chosen is greater (with respect to the order on the interpretations) than the one considered if R' is chosen. Then R can be considered as "better" than R', since it allows us to eliminate more interpretations than R'. Therefore, in order to get "good" refutations, it is preferable to evaluate first the subformulae with minimal cells. Hence the order in which the subformulae are evaluated must depend on the order on the cells.
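The two cell orders of Section 3.6 generated for an arbitrary signature and domain size, together with the refutation preference of Section 3.7, as an added example that is not part of the paper or of FMCAtinf. The element-first reading of the second order and the "highest cell" comparison of refutations are assumptions of this example.

```python
"""Cell orderings of Section 3.6 and the refutation preference of
Section 3.7. Added example, not FMCAtinf code. A signature maps each
function symbol to its arity; a cell is (symbol, argument tuple). Besides
the arity-first order used in the paper's example, element_first_order is
an assumption about the "other order" quoted in the text: cells are grouped
by the largest domain element among their arguments."""
from itertools import product


def cells_of(signature, size):
    """All cells of the signature over the domain {0, ..., size-1}."""
    return [(sym, args) for sym, arity in signature.items()
            for args in product(range(size), repeat=arity)]


def arity_first_order(signature, size):
    """Greater arity first (ties keep the signature's own order), then the
    lexicographic extension of the order on the domain to the arguments."""
    rank = {sym: i for i, sym in enumerate(signature)}
    return sorted(cells_of(signature, size),
                  key=lambda c: (-signature[c[0]], rank[c[0]], c[1]))


def element_first_order(signature, size):
    """Cells whose arguments only use elements <= k come before any cell
    mentioning k+1; inside a group the arity-first order applies."""
    rank = {sym: i for i, sym in enumerate(signature)}
    return sorted(cells_of(signature, size),
                  key=lambda c: (max(c[1], default=0),
                                 -signature[c[0]], rank[c[0]], c[1]))


def show(cell):
    """Print a cell the way the paper writes it: f(0,1), g(0), a."""
    sym, args = cell
    return sym if not args else f"{sym}({','.join(map(str, args))})"


def preferred_refutation(order, *refutations):
    """Section 3.7: among refutations of the same interpretation, the one
    whose cells are lowest in the order lets succ_R skip the most
    interpretations. Comparing by the highest cell of each refutation is an
    assumption of this example; ties keep the first argument."""
    pos = {cell: i for i, cell in enumerate(order)}
    return min(refutations, key=lambda R: max(pos[c] for c in R))
```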

4. Experiments

4.1. FMCATINF: a system for building finite models

FMCAtinf is a running software implementing our approach. In its present state, it is a prototype whose main goal is to allow the evaluation of the practical interest of the proposed method. It is written in C++ and is part of our inference laboratory Atinf (see [9, 8]). We are currently improving the performance of its key components. FMCAtinf allows the user to specify the problem as a set of first-order formulae. Sort symbols are of course allowed. The algorithm is controlled by a set of parameters, allowing for example to specify the order on the cells, to switch off some of the strategies, or to define bounds to limit the search (time, number of interpretations tested, number of models generated, ...). We list below some relevant examples (from different domains) in order to illustrate the usefulness of our approach. For each example we give a brief description of the problem, with references to a more complete description, and we show the computing time obtained with FMCAtinf.

Remark. Most of these problems are taken from [34], where a clear and rather complete description of several problems for finite model builders is provided (see also [32, 31] for further details about some of these problems). We have also taken several examples from the TPTP library [27].

4.2. The Problems

We give below a short description of the tested problems. They have been chosen because they are widely used as benchmarks.

4.2.1. Ternary Boolean Algebra (TPTP problem BOO019-1)

A Ternary Boolean Algebra is a set satisfying the following axioms:
(T1) ∀x. f(x, x, y) = x
(T2) ∀x, y. f(g(x), x, y) = y
(T3) ∀x, y. f(x, y, g(y)) = x
(T4) ∀x, y, u, v. f(z, u, v) = f(f(x, y, z), u, f(x, y, v))
(T5) ∀x, y. f(x, y, y) = y
The problem is to prove the independence of axiom T5 from the other axioms T1-T4, i.e. to build a model of T1-T4 that is not a model of T5, otherwise stated, one that satisfies ¬T5: ∃x, y. f(x, y, y) ≠ y. This problem was first solved by Wos and Winker (see [30]) with the assistance of a resolution-based theorem prover. Fully automated solutions of this problem were given later (see for example [4, 33]).

4.2.2. Group Theory

The following formula is a single axiom for group theory [34, 23]:
(G1) f(x, i(f(y, f(f(f(z, i(z)), i(f(u, y))), x)))) = u
The problem is to prove that the following axiom (which is an instance of G1, with x = u) is not a single axiom for group theory:
(G2) f(u, i(f(y, f(f(f(z, i(z)), i(f(u, y))), u)))) = u
For doing that, it is enough to build a model of G2 that is not a model of G1.

4.2.3. The Equivalential Calculus

The axioms of the Equivalential Calculus [34, 32] are the following:
(E1) ∀x. P(e(x, x))
(E2) ∀x, y. P(e(e(x, y), e(y, x)))
(E3) ∀x, y, z. P(e(e(x, y), e(e(y, z), e(x, z))))
The only inference rule is the so-called condensed detachment, expressed as follows:
(CD) ∀x, y. P(e(x, y)) ∧ P(x) → P(y)
The problem is to show that the following formula is not a single axiom for the equivalential calculus:
(XBB) P(e(x, e(e(e(x, e(y, z)), y), z)))
For doing that it suffices to build a model of (XBB), (CD) that is not a model of (E1).

4.2.4. Heap arithmetic

Heap arithmetic is precisely described in [25]. It is very similar to standard arithmetic except that there exists an element Heap that is its own successor, i.e. such that succ(Heap) = Heap. More precisely, Heap arithmetic is defined by the following axioms:
succ(Heap) = Heap
x < Heap → x < succ(x)
x < y → succ(x) = y ∨ succ(x) < y
x + 0 = x
x + succ(y) = succ(x + y)
x * 0 = 0
x * succ(y) = (x * y) + x
x^0 = succ(0)
x^succ(y) = x^y * x
The first two axioms define the successor relation succ, and the next ones recursively define addition, multiplication and exponentiation. The problem is to find a finite model of this set of axioms.

4.2.5. Combinatory Logic

Combinatory logic (for the needs of the present work see [34, 31]) is defined by a set of combinators, each defined by a set of axioms. For example:
a(a(a(B, x), y), z) = a(x, a(y, z))
a(a(a(N1, x), y), z) = a(a(a(x, y), y), z)
a(a(a(S, x), y), z) = a(a(x, z), a(y, z))
a(a(W, x), y) = a(a(x, y), y)
a(a(K, x), y) = x
a(a(L, x), y) = a(x, a(y, y))
a(a(a(Q, x), y), z) = a(y, a(x, z))
a(M, x) = a(x, x)
The weak fixed point property (WFP) is true (for a given set of combinators) iff for all x there exists a combinator y such that y = a(x, y). The strong fixed point property (SFP) holds iff there exists a combinator y such that for all x, a(y, x) = a(x, a(y, x)). The problem is to determine which fragments of combinatory logic have these properties. To eliminate potential candidates, it is enough to exhibit models of combinatory logic that are not models of (WFP) or (SFP). Here we consider the problems: B, N1, ¬(SFP) (noted Combinatory Logic 1), L, Q, ¬(SFP) (Combinatory Logic 2) and S, W, ¬(WFP) (Combinatory Logic 3).

4.2.6. Erdos-Szekeres conjecture

The goal is to find a mapping p from [1..n] into [1..n] such that for all (i, j, k, l) ∈ [1..n]^4 with i < j < k < l, we have ¬(p(i) < p(j) < p(k) < p(l)) and ¬(p(l) < p(k) < p(j) < p(i)). This problem has a solution for any n < 10. For n = 10 it does not have a solution.

4.2.7. Church's Problems

In [14] numerous formulae to be tested for satisfiability are proposed. Some of these formulae belong to the (decidable) Ackermann-Monadic class. This class can be decided for example by using a certain completeness-preserving ordering strategy (see [18, 28] for more details). Some of these problems are rather easy, but others can be considered as difficult. The TPTP library also contains several of them. Here we consider the problems SYN324-1 and SYN348-1 (in TPTP notation). They represent well the whole set of problems.

4.3. Example

We give as example the Ternary Boolean Algebra.

% Specify the order on the function symbol
order = 1.
symbol_precedence = greater_arity.
parameter_precedence = lex.
% strategy
set(detect_symmetry).
set(record_refutations).
set(prolog_style_variables).
list(tba).
f(X,X,Y) = X.
f(g(Y),Y,X) = X.
f(X,Y,g(Y)) = X.
f(U,V,f(X,Y,Z)) = f(f(U,V,X),Y,f(U,V,Z)).
(exists X,Y.f(X,Y,Y) != Y).
end.
set_size(3).
fmc(tba).
quit.

The program returns the following model:

Model:
g(0)=1 g(1)=0 g(2)=0
f(0,0,0)=0 f(0,0,1)=0 f(0,0,2)=0
f(0,1,0)=0 f(0,1,1)=1 f(0,1,2)=2
f(0,2,0)=0 f(0,2,1)=1 f(0,2,2)=2
f(1,0,0)=0 f(1,0,1)=1 f(1,0,2)=2
f(1,1,0)=1 f(1,1,1)=1 f(1,1,2)=1
f(1,2,0)=1 f(1,2,1)=1 f(1,2,2)=1
f(2,0,0)=0 f(2,0,1)=2 f(2,0,2)=2
f(2,1,0)=2 f(2,1,1)=2 f(2,1,2)=2
f(2,2,0)=2 f(2,2,1)=2 f(2,2,2)=2
a=1 b=2
Run Time: 0.04
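An independent check of the model printed above against the axioms of the input file, as an added example that is not part of the paper or of FMCAtinf. The tables G and F are transcribed from the output; the evaluation enumerates every instance of each universally quantified axiom, which is what a finite-domain Evaluate does, and reports the instances that fail.

```python
"""Verify the 3-element model printed above against the Ternary Boolean
Algebra axioms as given in the FMCAtinf input file. Added example, not
FMCAtinf code; the tables G and F are transcribed from the model output,
and a, b are the witnesses returned for the existential denial of T5."""
from itertools import product

DOMAIN = range(3)

G = {0: 1, 1: 0, 2: 0}
F = {
    (0, 0, 0): 0, (0, 0, 1): 0, (0, 0, 2): 0,
    (0, 1, 0): 0, (0, 1, 1): 1, (0, 1, 2): 2,
    (0, 2, 0): 0, (0, 2, 1): 1, (0, 2, 2): 2,
    (1, 0, 0): 0, (1, 0, 1): 1, (1, 0, 2): 2,
    (1, 1, 0): 1, (1, 1, 1): 1, (1, 1, 2): 1,
    (1, 2, 0): 1, (1, 2, 1): 1, (1, 2, 2): 1,
    (2, 0, 0): 0, (2, 0, 1): 2, (2, 0, 2): 2,
    (2, 1, 0): 2, (2, 1, 1): 2, (2, 1, 2): 2,
    (2, 2, 0): 2, (2, 2, 1): 2, (2, 2, 2): 2,
}
A, B = 1, 2


def f(x, y, z):
    return F[(x, y, z)]


def g(x):
    return G[x]


# (name, number of universally quantified variables, instance test);
# T4 is written as in the input file: f(U,V,f(X,Y,Z)) = f(f(U,V,X),Y,f(U,V,Z)).
AXIOMS = [
    ("T1", 2, lambda x, y: f(x, x, y) == x),
    ("T2", 2, lambda x, y: f(g(x), x, y) == y),
    ("T3", 2, lambda x, y: f(x, y, g(y)) == x),
    ("T4", 5, lambda u, v, x, y, z:
        f(u, v, f(x, y, z)) == f(f(u, v, x), y, f(u, v, z))),
    ("T5", 2, lambda x, y: f(x, y, y) == y),
]


def failing_instances(arity, test):
    """Variable assignments under which a universally quantified axiom is
    false in the model: the exhaustive finite-domain evaluation that the
    procedure Evaluate performs. The f/g cells these assignments touch are
    what a refutation would record."""
    return [args for args in product(DOMAIN, repeat=arity) if not test(*args)]


def check_model():
    """Map each axiom name to its failing instances (empty list = satisfied)
    and record whether the witnesses (a, b) refute T5, i.e. f(a, b, b) != b."""
    report = {name: failing_instances(n, test) for name, n, test in AXIOMS}
    report["T5 refuted by (a, b)"] = f(A, B, B) != B
    return report
```

T1 to T4 have no failing instance while T5 fails exactly at the witnesses the program printed, which confirms the independence of T5 at cardinality 3.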

4.4. Results

The next figure summarizes the results obtained with our system. For the sake of comparison we also give the times obtained with the very efficient model builders Finder (Finder 3.0) and Sem (Sem 1.0.6), which are, as far as we know, the best available model builders in the public domain (see [26, 35], or Section 5). Default settings are used for each program (except for Finder on the Heap arithmetic problem). FMCAtinf uses the algorithm FMC together with the Symmetry Detection Strategy. All times are given in seconds on a SUN-4.

Problem | Size | Model? | FMCAtinf | Sem | Finder
Ternary Boolean Algebra | 3 | yes | 0.06 | 0.04 | - (1)
Ternary Boolean Algebra | 4 | yes | 0.3 | 0.1 | - (1)
Ternary Boolean Algebra | 5 | yes | 1.18 | 0.33 | - (1)
Ternary Boolean Algebra | 6 | yes | 4.22 | 0.78 | - (1)
Group Theory | 2 | yes | 0.02 | 0.02 | 0.03
Group Theory | 3 | yes | 0.44 | 0.65 | 1.02
Group Theory | 4 | yes | 13.11, > 1000 (one cell empty in the available copy)
Heap Arithmetic | 10 | yes | 0.53 | - | 0.87 (114.822) (2)
Heap Arithmetic | 15 | yes | 4.02, 6.08 (one cell empty in the available copy)
Equivalential Calculus (XBB) | 4 | yes | 0.78, 2.82 (one cell empty in the available copy)
Combinatory Logic 1 | 4 | yes | 2.36 | 0.04 | 12.45
Combinatory Logic 1 | 5 | yes | 24.5 | 0.04 | 267.55
Combinatory Logic 1 | 6 | yes | 239.79 | 0.07 | > 12000
Combinatory Logic 1 | 7 | yes | 0.1 (two cells empty in the available copy)
Combinatory Logic 2 | 4 | yes | 574.62 | 0.05 | 171.65
Combinatory Logic 2 | 5 | yes | 0.06 (two cells empty in the available copy)
Combinatory Logic 3 | 5 | yes | 0.04 | 0.03 | 0.08
Combinatory Logic 3 | 10 | yes | 0.28 | 0.17 | 0.32
Combinatory Logic 3 | 20 | yes | 1.74 | 1.39 | 2.62
Church's Problem SYN324-1 | 10 | yes | 0.01 | 0.03 | 0.1
Church's Problem SYN324-1 | 20 | yes | 0.02 | 0.11 | 0.35
Church's Problem SYN324-1 | 40 | yes | 0.16, 1.19 (one cell empty in the available copy)
Church's Problem SYN348-1 | 6 | yes | 0.06 | 0.12 | 0.12
Church's Problem SYN348-1 | 8 | yes | 0.11 | 0.2 | 0.32
Church's Problem SYN348-1 | 12 | yes | 0.25 | 0.41 | 1.57
Church's Problem SYN348-1 | 18 | yes | 0.58 | 0.96 | 8.08
Erdos-Szekeres (3) | 5 | yes | 0.01 | (3) | 0.07
Erdos-Szekeres (3) | 6 | yes | 0.03 | (3) | 0.2
Erdos-Szekeres (3) | 7 | yes | 0.18 | (3) | 1.3
Erdos-Szekeres (3) | 8 | yes | 4.38 | (3) | 13.77
Erdos-Szekeres (3) | 9 | yes | 54.12 | (3) | 91.98

Size denotes the cardinality of the interpretation domain. "-" means that the program fails to find the model in a "reasonable" amount of time (w.r.t. the times obtained with the other systems on the same problem). Rows carrying fewer than three times list them in the order they appear in the available copy of the table; the empty cells of those rows cannot be attributed to a column.

Notes:
1. Finder is currently restricted to dyadic function symbols, hence cannot deal with this problem.
2. The lowest time is obtained with a special setting: pre-test = 4. See [25] for more details.
3. For these problems, Sem returns: "Exit due to the limit of memory". The reason seems to be that these problems contain many different variables, hence the size of the formula obtained by instantiation grows beyond computer limits.

As could be expected, none of the three systems has uniformly better performance on all the problems. Finder performs better than FMCAtinf on one benchmark of Combinatory Logic, while our system is equivalent or faster on the other considered problems. Sem outperforms the other systems on some problems (especially on problems that are conjunctions of equational literals: combinatory logic, ternary boolean algebra) but is not as powerful on other ones (Group Theory, Heap Arithmetic, ...). According to [35], the power of Sem is closely related to the efficiency of the constraint propagation algorithm. Some strategies seem to be particularly well adapted to some particular problems. As usual, it is very difficult to identify a priori the method adapted to the problem at hand. Much more theoretical study and/or experiments are needed to precisely identify the advantages and drawbacks of the different approaches on different classes of problems.

4.5. Running the pigeonhole on FMCATINF

It is worth observing the behavior of our system on an extensively studied problem: the pigeonhole principle. As is well known, the problem is to show that there is no injective function from a set of cardinality n into a set of cardinality n − 1. This can be expressed as the problem of finding a relation in from a set S1 into a set S2 such that:

∀x. ∃y. in(x, y) ∧ ∀x, y, z. ((in(x, y) ∧ in(x, z)) ⇒ y = z), with card(S1) = n and card(S2) = n − 1. The next figure gives the results obtained for different values of n.

When comparing our method with existing ones on this problem, it should be recalled that existing systems without any special mechanism to handle symmetries cannot deal with the pigeonhole problem in a "reasonable" amount of time for n ≥ 15. It is experimentally shown in [2] that by exploiting the symmetries in the propositional problem, one can solve it for greater values of n. We compare below the results of FMCAtinf with those obtained by the method proposed in [2] (the run times are taken from [2], and the system of [2] (noted BS) was implemented on a SUN4/110). We also give the times obtained with the model builders Finder and Sem. The gain in time obtained by using FMCAtinf can be considered as impressive, especially with respect to BS. More striking still, BS is a specialized symmetry-oriented system. The reason for this better behavior is that FMCAtinf takes advantage of the fact that the whole group of symmetries is known before the beginning of the search [6], and thus need not be computed during the model building process, and also that the representation of the problem is very different.

n | FMCAtinf | Sem | Finder | BS
5 | 0 | 0.01 | 0.03 | 4.8
10 | 0.02 | 0.05 | 0.17 | 7.73
14 | 0.04 | 0.1 | 0.63 | 13.5
16 | 0.06 | 0.15 | 1.02 | 22.36
18 | 0.08 | 0.22 | 1.52 | 37.11
20 | 0.11 | 0.29 | 2.3 | 55.58
22 | 0.15 | 0.38 | 3.12 | 96.0
24 | 0.18 | 0.49 | 4.3 | 122.0
26 | 0.23 | 0.67 | 5.9 | 184.0
28 | 0.30 | 0.83 | 8.42 | -
30 | 0.34 | 1 | 10.35 |
40 | 0.81 | 2.46 | - |
50 | 1.52 | - | |
75 | 4.35 | | |
100 | 11.13 | | |
150 | 38.39 | | |

Remark. "-" means "not available" (for n ≥ 40, Finder stops and returns: "Search space too big to fit in vector length."; for n ≥ 50, Sem returns "Exit due to the limit of memory").

5. Comparison with related works and discussion

The first published work in the field of systematic model construction using resolution techniques is the one by Wos and Winker (see [30] and references therein). Wos and Winker used a resolution-based theorem prover in order to help the user in the search for a model. Since 1990, automated methods have been proposed to build finite models of first-order formulae [12, 13, 17, 18]. Some methods using refinements of resolution as a decision procedure have been used to extract models from a saturated(5) set of clauses. They rely on particular techniques restricted to some particular classes of formulae: Monadic and Ackermann classes [28] and positively decomposed formulae [17]. The method in [17] uses hyperresolution to generate Herbrand models for a particular class of sets of clauses. Interpretations are represented by sets of (non-ground) atoms. In some cases, finite models can then be extracted from these atomic representations (this is possible only if the atoms are linear, i.e. if they do not contain more than one occurrence of each variable). In contrast to our method, models of very large cardinality can be built. The method in [28] is closer to ours, since it directly builds finite models. It is based on the use of ordering strategies for resolution as a decision procedure for the Ackermann-Monadic class. It builds finite models by adding to the set of clauses ground equational clauses of the form f(a1, ..., an) = b (where a1, ..., an, b are constant symbols). Ordered resolution is used (together with narrowing techniques) in order to check the compatibility of these clauses with the set of clauses. Hence, in contrast to our method, Tammet's method does not need backtracking. Experiments suggest that these proof-theoretic methods behave better on problems belonging to specific decidable classes (e.g. monadic class, Pvd, etc.), due to the use of particular properties of the formulae in these classes (for example the use of decision procedures avoiding the exhaustive enumeration of the interpretations). However, our method seems better for dealing with other classes of problems, for example equational theories or first-order formulae for which no general decision method is known. Propositional theorem provers (such as DDPP, SATO, MACE, ...) can also be used to build finite models of first-order formulae.

(5) A set of clauses is said to be saturated iff R_o(S) = S, where R_o is the resolution operator restricted by the order o.
Nevertheless, when the problem at hand contains axioms with deep terms and a lot of function symbols, the size of the propositional problem considered grows too much and they become practically intractable. In [22] the model builder Satchmo is described. It is based on the use of hyperresolution, splitting of non-Horn clauses and backtracking. A parallel and refined version of Satchmo, called Mgtp, is presented in [19]. The three programs that are the closest to FMCAtinf are Finder, Sem, and Falcon (a former version of Sem). Finder [26] is a model generator based on enumeration and backtracking. Unlike FMCAt

inf it does not use any strategy to prune the search space but instead builds, as the search goes along, a database containing the refutations previously obtained, in order to avoid backtracking twice for the same reasons. Results in Section 4 provide some elements of comparison between the two systems and show that FMCAtinf is faster than Finder on many examples. Falcon (previously known as Mod/E) [33, 34] and Sem [35] are also quite powerful programs generating finite models based on an enumeration of the search space. A simple heuristic, called the Least Number Heuristic (LNH), is used in order to prune the search space. The LNH is based on a similar (though less general) idea to the one of our Symmetry Detection Strategy, i.e. to avoid considering two isomorphic interpretations. Our symmetry detection strategy is more general, as shown in the next subsection, i.e. it can detect symmetries for a larger set of formulae.

Comparison with the LNH

Let us briefly recall the principle of the LNH (see [34, 35] for more details). Let F be a formula and let I be a partial interpretation. Let c = v be an equation such that v is greater than any element of I. Assume that J = I ∪ {c = v} is a counter-model of F (i.e. this partial interpretation is not compatible with the formula F). Then for all v' > v, J' = I ∪ {c = v'} is also a counter-model of F. Indeed J and J' are obviously symmetric (w.r.t. the permutation {v → v', v' → v}), since v and v' do not occur in I. Using this technique in order to detect symmetric interpretations allows one to eliminate the interpretations of the form I ∪ {c = v'} (for v' > v). It is used by the model builders Falcon and Sem for pruning the search space. To the best of our knowledge Finder does not use such a mechanism for rejecting isomorphic interpretations (see [25] and [35]), though the use of symmetry to prune the search space is suggested in [26] (in [26] axioms are added to some algebraic problems in order to avoid searching certain subspaces isomorphic to those already searched). This heuristic can be seen as a particular case of our symmetry detection rule. Indeed, I and J are obviously directly R-symmetric, for all refutations R. Our method is more general:

1. First, the LNH does not use refutations for strengthening the power of symmetries. Indeed it may be the case that a given element n which occurs in the interpretation I does not occur in the refutation R of F w.r.t. I. In this case our symmetry detection rule will not consider this value, but the LNH will not be able to detect this kind of redundancy. This is well evidenced by the following example.

Example 8. Let F be the formula f(x) ≠ x ∧ a ≠ a and let I be the interpretation {f(0) = 1, f(1) = 0, a = 0}. {a} is a refutation of F w.r.t. I. Not using symmetries would lead us to consider the interpretation J = {f(0) = 1, f(1) = 0, a = 1}. However J and I are obviously R-symmetric (it suffices to permute the elements 0 and 1). Here the LNH cannot detect this fact since the element 1 belongs to the equation f(1) = 0.

2. Second, the LNH only checks that a given element n does not belong to the current interpretation I. In our notation, this means that the restriction of σ to the elements of I is the identity. Our symmetry detection rule only checks that σ(R) = R, which is a weaker condition (because we can have σ(R) = R and σ ≠ identity).

Example 9. Let F be the formula ∀x. f(x) ≠ x ∨ f(a) = b. Let I be the interpretation {b = 0, f(0) = 1, f(1) = 1, a = 0}. R = {b, f(0), f(1), a} is a refutation of F w.r.t. I. Let σ be the permutation {0 → 1, 1 → 0}. Here the element 0 belongs to the equation f(0) = 1. Hence the LNH does not apply. However we have σ(R) = R, hence our symmetry detection rule applies and eliminates the interpretation {b = 1, f(0) = 0, f(1) = 0, a = 0}, which is R-symmetric to the previous one.

3. Finally, in contrast to the LNH, it does not depend on the order on the cells. Indeed it may be the case that a given element n smaller than the maximal element does not occur in the refutation R. In this case our method will not consider this cell but the LNH will, as illustrated by the following example.

Example 10. Let F = (a = b). Let I be the interpretation a = 2 ∧ b = 0. Here our symmetry detection rule eliminates the interpretation {a = 2 ∧ b = 1}, since 0, 1 do not occur in a = 2. This interpretation is not eliminated by the LNH because the element 0 is not maximal (2 occurs in the interpretation).

Both Falcon and Sem are restricted to formulae in clausal form. They rely on efficient implementation techniques for constraint propagation.

FMC and RAMC

In [12, 13, 4] a method is presented for building automatically Herbrand models of first-order formulae. This method, called RAMC, is a calculus devoted to the simultaneous search for refutations and models. Though sharing one capital feature, i.e. model building, they differ in several important points. Their basic principles are different: FMC is based on enumeration, and RAMC is a calculus. Consequently FMC is restricted to finite (and in practice "small") models, whereas RAMC is mainly devoted to the building of Herbrand (in general infinite) models. RAMC is in some sense far more powerful than FMC since it may build infinite models, but FMC is far more efficient than RAMC on particular examples where the size of the model is small. Moreover, RAMC is refutationally complete, which is not the case for FMC.

The main weakness of our method is that its performance strongly depends on the chosen order on the cells, which must be fixed before the beginning of the search and does not change during the model building process. In order to overcome this problem, some strategies or heuristics can be used in order to find an order adapted to a particular problem (obviously some of the heuristics used for solving constraint satisfaction problems can be useful there), and to modify this order during the search. It is also useful to study heuristics for guiding the search for a refutation (in the procedure Evaluate), i.e. heuristics to guide the choice of the subformulae to be evaluated first.

One of the most interesting features of our approach is that, unlike the existing ones (which in general require formulae in clausal form), it is not restricted to a particular class of formulae. Hence our method does not need any translation into normal form. This is important because it is well known that transforming a given formula into clausal form may increase exponentially the size of the formula. One can of course use renaming [5] to get a quadratic transformation, but the drawback is that we introduce new predicate symbols, which increases the number of cells to be considered. This transformation (called structural transformation) is more efficient, from a deductive point of view, in practice than the usual one (see for example [16]). However, finite model building methods are highly sensitive to the size of the signature. Introducing new predicate or function symbols into the signature will increase the number of cells to be considered, thus decreasing the efficiency of the method (which is not the case for proof-theoretic model building methods such as those presented in [17, 13]).

6. Beyond first-order logic: some possibilities

We would like to point out in this section the generality of our approach. In order to extend our method to other logics we only have to modify the definition of the procedure Evaluate, which finds the truth value of a formula and computes (if the truth value is false) the corresponding refutation. The main algorithm as well as the proposed strategies do not change. In particular our method can be very easily extended to more expressive logics such as higher-order logic, fixpoint logic, etc., provided that an evaluation algorithm exists. This feature of our method is important since it is well known that first-order logic is not expressive enough for a lot of applications: for example many problems in graph theory cannot be expressed by a first-order formula. Methods for building models for these logics would therefore be a nice step forward in Automated Deduction, because all existing finite model builders are currently restricted to first-order logic, hence cannot deal with these problems. In this section we show how the system FMC can be extended to deal with formulae of logics more expressive than first-order logic. For doing that, two approaches can be envisaged.

- First, we can develop an evaluation algorithm similar to the one of Figure 2, finding the truth value of a formula of the new logic in a given finite interpretation and returning a refutation of this formula (if it is false in the interpretation). The main problem is of course that the evaluation of the formula can become very costly in general (if the logic is "too expressive").
- Second, we can develop specific "ad hoc" algorithms evaluating the formula at hand and returning the corresponding refutation. The drawback here is that we have to develop a new algorithm for each specific formula. But the advantage is that we can use more efficient algorithms, devoted to the evaluation of this particular formula. Particular optimizations can be performed that could not have been performed in general.

In this section we report some preliminary experiments done with an extension of FMC based on the second approach (chosen exclusively for efficiency reasons). We experimented with our system on some graph problems not expressible in first-order logic. The considered problems are taken from a report on a system for computer-aided teaching of graph theory [15], where a database of invariants, theorems and non-theorems focusing on circuits and paths in graphs is described. Though we assume the reader is familiar with the basic notions of graph theory, we recall some necessary notions and notations of [15] (see also [3]). A graph is said to be connected iff for any two vertices x and y, there is a path from x to y and a path from y to x. It is said to be k-connected if the deletion of fewer than k vertices always results in a connected graph. A hamiltonian circuit is a circuit where every vertex appears exactly once. A graph is hamiltonian iff it contains a hamiltonian circuit. A graph is antisymmetric iff it does not contain a circuit of length two. arc is the number of arcs in a graph and nodes the number of nodes. minimum is the minimum of the indegree and outdegree of nodes.

Example 11. We first consider the following assertion (noted assertion 22 in [15]). Any 1-connected antisymmetric graph verifying minimum ≥ arc − 4 is hamiltonian. Assertion 22 is false. We use our system FMC for building a counter-model of 22. For doing that we must define a procedure Evaluate checking whether the graph satisfies the denial of 22 and returning a refutation of 22 (in the present case this is the set of vertices responsible for the truth value of assertion 22). The relation "antisymmetric" can be expressed in first-order logic (by the formula ∀x, y. ¬V(x, y) ∨ ¬V(y, x), where V(x, y) is true iff there is an arc from x to y). However, this is not the case for the assertions 1-connected and hamiltonian, which cannot be expressed by a first-order formula. Hence we have to define specific algorithms for checking these properties. Existing algorithms for graphs can be used (see for example [3]). They have been slightly modified in order to record the set of vertices responsible for the result of the evaluation. They have been implemented in BinProlog [29]. Prolog has been chosen instead of C++ in order to implement quickly a running prototype. The extension of FMC gives (in a few seconds) the following model.

r(1,1)=0 r(2,1)=0 r(3,1)=0 r(4,1)=1
r(1,2)=0 r(2,2)=0 r(3,2)=0 r(4,2)=1
r(1,3)=1 r(2,3)=1 r(3,3)=0 r(4,3)=0
r(1,4)=0 r(2,4)=0 r(3,4)=1 r(4,4)=0

Fig. 6. A counter-example for Assertion 22
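An ad hoc Evaluate for the denial of Assertion 22 in the sense of the second approach above, as an added example that is not part of the paper and not its BinProlog implementation. The arc set is transcribed from the model printed above; the checks for antisymmetry, 1-connectedness, minimum and the Hamiltonian circuit are exhaustive, and the responsible vertex set is returned the way the text describes the recorded refutation.

```python
"""An ad hoc Evaluate for Assertion 22 in the style of Section 6 (added
example, not the BinProlog code of the paper). The arc set is transcribed
from the model printed above: r(x, y) = 1 means an arc from x to y. The
evaluation returns, besides the truth value of the denial of A22, the set
of vertices responsible for the result, which plays the role of the
refutation."""
from itertools import combinations, permutations

NODES = [1, 2, 3, 4]
ARCS = {(4, 1), (4, 2), (1, 3), (2, 3), (3, 4)}


def two_cycle(arcs):
    """Return a circuit of length two (x, y), or None if antisymmetric."""
    for (x, y) in arcs:
        if (y, x) in arcs:
            return (x, y)
    return None


def reachable(start, arcs):
    """Vertices reachable from start by a path (depth-first search)."""
    seen, stack = {start}, [start]
    while stack:
        x = stack.pop()
        for (u, v) in arcs:
            if u == x and v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def connected(nodes, arcs):
    """Paths in both directions between any two vertices."""
    return all(reachable(s, arcs) >= set(nodes) for s in nodes)


def k_connected(k, nodes, arcs):
    """Deleting fewer than k vertices always leaves a connected graph."""
    for m in range(k):
        for removed in combinations(nodes, m):
            rest = [n for n in nodes if n not in removed]
            sub = {(u, v) for (u, v) in arcs if u in rest and v in rest}
            if not connected(rest, sub):
                return False
    return True


def minimum(nodes, arcs):
    """Minimum over all vertices of indegree and outdegree."""
    indeg = [sum(1 for (u, v) in arcs if v == n) for n in nodes]
    outdeg = [sum(1 for (u, v) in arcs if u == n) for n in nodes]
    return min(indeg + outdeg)


def hamiltonian_circuit(nodes, arcs):
    """A circuit through every vertex exactly once, as a vertex list, or
    None. Exhaustive search, adequate for the small graphs FMC enumerates."""
    first = nodes[0]
    for rest in permutations(nodes[1:]):
        cycle = (first,) + rest + (first,)
        if all((cycle[i], cycle[i + 1]) in arcs for i in range(len(nodes))):
            return list(cycle[:-1])
    return None


def evaluate_not_a22(nodes, arcs):
    """Evaluate the denial of A22: (True, set()) when the graph is a
    counter-model of A22, otherwise (False, responsible vertices)."""
    pair = two_cycle(arcs)
    if pair is not None:                 # premise "antisymmetric" fails
        return False, set(pair)
    if not k_connected(1, nodes, arcs):  # premise "1-connected" fails
        return False, set(nodes)
    if minimum(nodes, arcs) < len(arcs) - 4:
        return False, set(nodes)
    circuit = hamiltonian_circuit(nodes, arcs)
    if circuit is not None:              # conclusion holds: not a counter-model
        return False, set(circuit)
    return True, set()
```

On the printed model the three premises hold with minimum = 1 = arc − 4 and no Hamiltonian circuit exists, so the graph is confirmed as a counter-model; a constructed directed 4-cycle, by contrast, satisfies A22 and the circuit's vertices are returned as the refutation.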

The relation r(x,y) means "there is an arc between x and y". It corresponds to the graph depicted in Figure 6. The built model is different from the example given in [15]. We give below other examples of false assertions and the running time with FMC for various numbers of nodes.

Assertion | Description
A22 | 1-connected ∧ antisymmetric ∧ minimum ≥ arc − 4 ⇒ hamiltonian
A8 | antisymmetric ∧ 1-connected ∧ arc ≥ nodes(nodes − 1)/2 − 2 ⇒ hamiltonian
A38 | antisymmetric ∧ minimum ≥ nodes/3 − 1 ⇒ hamiltonian

Assertion | Nodes | Model? | Time (in s)
A8 | 3 | no | 0.16
A8 | 4 | yes | 0.56
A22 | 3 | no | 0.1
A22 | 4 | yes | 1.58
A22 | 5 | yes | 45
A22 | 6 | |
A38 | 3 | yes | 0.03
A38 | 4 | yes | 0.2
A38 | 5 | yes | 0.58

7. Conclusion

We have presented a new method for finite model building. The method is implemented by the model builder FMCAtinf, a running software for building finite models of first-order formulae with equality. The ideas and algorithms formalizing our method have been presented in detail and examples of application have been given. In particular, a practical comparison with the well-known model builders Finder and Sem provides experimental evidence for the efficiency of our method. Last but not least, as far as we know there is no other work about automated model building for formulae of logics more expressive than first-order logic. The main lines of future work are the following:

- As told in Section 4.1, FMCAtinf is a prototype. We are presently working to improve the efficiency of our current implementation. In particular the use of indexing techniques would very probably allow us to enhance the performance of the whole system. Much more implementation effort and experiments are needed before the interest of the presented techniques can be precisely evaluated.
- Recent works show evidence of the interest of combining (for example by using parallelism) different deduction methods [26]. Combining our finite model building method FMC with our method for simultaneous search for refutations and models RAMC (or with other deductive methods such as the one by Fermuller and Leitsch [17]) is a very natural idea. This combination could very likely extend the power of our approach, both for refutation and for model building. The main problem is to find good criteria in order to guide the choice between trying to build a finite model with FMCAtinf or trying to find a refutation or a Herbrand model with RAMC (possibly changing during the running of the combined methods).

Acknowledgements

We thank Thierry Boy de la Tour and Ricardo Caferra for a careful reading of the present paper, and Jian Zhang for giving us the possibility of using the finite model builder Sem.


References

1. J. Barwise. Handbook of Mathematical Logic. North Holland, 1977.
2. B. Benhamou and L. Sais. Tractability through symmetries in propositional calculus. Journal of Automated Reasoning, 12(1):89–102, 1994.
3. C. Berge. Graphes et hypergraphes. Dunod, second edition, 1970.
4. C. Bourely, R. Caferra, and N. Peltier. A method for building models automatically. Experiments with an extension of Otter. In Proceedings of CADE-12, pages 72–86. Springer, 1994. LNAI 814.
5. T. Boy de la Tour. An optimality result for clause form translation. Journal of Symbolic Computation, 14:283–301, 1992.
6. T. Boy de la Tour. Ground resolution with group computations on semantic symmetries. In Proc. of CADE-13, LNAI 1104, pages 478–492. Springer, 1996.
7. T. Boy de la Tour and S. Demri. On the complexity of extending ground resolution with symmetry rules. In Proceedings of IJCAI'95, pages 289–295. Morgan Kaufmann, 1995.
8. R. Caferra and M. Herment. A generic graphic framework for combining inference tools and editing proofs and formulae. Journal of Symbolic Computation, 19(2):217–243, 1995.
9. R. Caferra, M. Herment, and N. Zabel. User-oriented theorem proving with the ATINF graphic proof editor. In Fundamentals of Artificial Intelligence Research, pages 2–10. Springer, LNCS 535, 1991.
10. R. Caferra and N. Peltier. Extending semantic resolution via automated model building: applications. In Proceedings of IJCAI'95, pages 328–334. Morgan Kaufmann, 1995.
11. R. Caferra and N. Peltier. A new technique for verifying and correcting logic programs. To appear in the Journal of Automated Reasoning, 1997.
12. R. Caferra and N. Zabel. Extending resolution for model construction. In Logics in AI, JELIA'90, pages 153–169. Springer, LNAI 478, 1990.
13. R. Caferra and N. Zabel. A method for simultaneous search for refutations and models by equational constraint solving. Journal of Symbolic Computation, 13:613–641, 1992.
14. A. Church. Introduction to Mathematical Logic I. Princeton University Press, Princeton, USA, 1956.
15. C. Delorme, C. Guiac, D. Quiroz, and O. Ordaz. Tools for studying path and cycles in digraphs, October 1995.
16. U. Egly and T. Rath. On the practical value of different definitional translations to normal form. In Proc. of CADE-13, LNAI 1104, pages 403–417. Springer, 1996.
17. C. Fermüller and A. Leitsch. Hyperresolution and automated model building. Journal of Logic and Computation, 6(2):173–203, 1996.
18. C. Fermüller, A. Leitsch, T. Tammet, and N. Zamov. Resolution Methods for the Decision Problem. LNAI 679. Springer, 1993.
19. M. Fujita and Hasegawa. A model generation theorem prover in KL1 using a ramified stack algorithm. In Proceedings of 8th International Conference Symp. Logic Programming, pages 1070–1080, 1991.
20. J. H. Gallier. Logic for Computer Science. Harper & Row, 1986.
21. H. Gelernter, J. Hansen, and D. Loveland. Empirical explorations of the geometry theorem-proving machine. In J. Siekmann and G. Wrightson, editors, Automation of Reasoning, vol. 1, pages 140–150. Springer, 1983. Originally published in 1960.
22. R. Manthey and F. Bry. SATCHMO: A theorem prover implemented in Prolog. In Proc. of CADE-9, pages 415–434. Springer, LNCS 310, 1988.
23. W. McCune. Single axioms for groups and abelian groups with various operations. Journal of Automated Reasoning, 10:1–13, 1993.
24. J. R. Slagle. Automatic theorem proving with renamable and semantic resolution. Journal of the ACM, 14(4):687–697, October 1967.
25. J. Slaney. Finder (finite domain enumerator): Notes and guides. Technical report, Australian National University Automated Reasoning Project, Canberra, 1992.
26. J. Slaney. SCOTT: a model-guided theorem prover. In Proceedings IJCAI-93, volume 1, pages 109–114. Morgan Kaufmann, 1993.
27. C. B. Suttner and G. Sutcliffe. The TPTP problem library. Technical report, TU München / James Cook University, 1995. V-1.2.0.
28. T. Tammet. Using resolution for deciding solvable classes and building finite models. In Baltic Computer Science, pages 33–64. Springer, LNCS 502, 1991.
29. P. Tarau. BinProlog 3.45. Département d'Informatique, Université de Moncton, Canada, E1A 3E9, June 1995.
30. S. Winker. Generation and verification of finite models and counter-examples using an automated theorem prover answering two open questions. Journal of the ACM, 29(2):273–284, April 1982.
31. L. Wos. The kernel strategy and its use for the study of combinatory logic. Journal of Automated Reasoning, 10:287–343, 1993.
32. L. Wos, S. Winker, W. McCune, R. Overbeek, E. Lusk, R. Stevens, and R. Butler. Automated reasoning contributes to mathematics and logic. In Proc. of CADE-10, pages 485–499. Springer, 1990. LNAI 449.
33. J. Zhang. Search for models of equational theories. In Proceedings of ICYCS-93, pages 60–63, 1993.
34. J. Zhang. Problems on the generation of finite models. In Proc. of CADE-12, pages 753–757. Springer, 1994. LNAI 814.
35. J. Zhang and H. Zhang. SEM: a system for enumerating models. In Proc. IJCAI-95, volume 1, pages 298–303. Morgan Kaufmann, 1995.
