Inductive Theorem Proving by Consistency for First-Order Clauses†

Harald Ganzinger, Jürgen Stuber‡

Abstract. We show how the method of proof by consistency can be extended to proving properties of the perfect model of a set of first-order clauses with equality. Technically, proofs by consistency will be similar to proofs by case analysis over the term structure. As our method also allows us to prove sufficient-completeness of function definitions in parallel with proving an inductive theorem, we need not distinguish between constructors and defined functions. Our method is linear and refutationally complete with respect to the perfect model, it supports lemmas in a natural way, and it provides for powerful simplification and elimination techniques.

1 Introduction

For proving inductive theorems of equational theories, "proof by consistency" is a particularly powerful method. The method has been engineered during the last decade by gradually removing restrictions on the specification side, by reducing the search space for inferences, and by including methods from term rewriting for the simplification and elimination of conjectures. Musser [15] requires the specifications to contain a completely defined equality predicate. During completion, inconsistency results in the equation $\mathit{true} \approx \mathit{false}$. Huet and Hullot [12] assume a signature to be divided into constructors and defined functions. An equation between constructor terms signals an inconsistency. Jouannaud and Kounalis [13] admit arbitrary convergent rewrite systems for presenting a theory. They introduce the notion of inductive reducibility to detect inconsistencies. Plaisted [18], among others, has shown that inductive reducibility is decidable for finite unconditional term rewriting systems. Fribourg [9] is the first to notice that not all critical pairs need to be computed for inductive completion. It suffices to consider only linear inferences for selected complete positions. Bachmair [1] refines this method to cope with unorientable equations; as a result his method is refutationally complete. His method of proof orderings admits powerful techniques of simplification and removal of redundant equations without losing refutation completeness. The latter is essential for verifying nontrivial inductive properties in finite time.

This research was funded by the German Ministry for Research and Technology (BMFT) under grant ITS 9103. The responsibility for the contents of this publication lies with the authors.
† A full version of this paper appeared in: Informatik: Festschrift zum 60. Geburtstag von Günter Hotz, Teubner-Verlag, Stuttgart 1992.
‡ Authors' address: Max-Planck-Institut für Informatik, Im Stadtwald, D-W-6600 Saarbrücken, Germany, {Harald.Ganzinger|[email protected]



More recently there have been some attempts to extend these techniques to Horn clauses. Orejas [16] places similar restrictions on specifications as Huet and Hullot. Bevers and Lewi [6] build on inductive reducibility, which is a severe restriction as inductive reducibility is in general undecidable for Horn clauses [14]. In this paper we extend the method described by Stuber [20] from Horn clauses to full first-order clauses with equality by adapting the method of Bachmair and Ganzinger [3, 5] for Knuth/Bendix-like completion for first-order clauses. Completion (saturation up to redundancy, as we prefer to call this process from now on) serves an important purpose. It produces a representation of a certain minimal model of the given (consistent) first-order theory and allows one to prove the validity of ground equations in this model by conditional term rewriting with negation as failure. This distinguished minimal model is called the perfect model, and it depends on a given reduction ordering on terms. By inductive theorem proving for first-order theories we mean proving validity in the perfect model, and the method consists in showing that enriching a given theory by a given set of conjectures does not change the perfect model, hence the name proof by consistency. Unlike many other methods of inductive theorem proving [7, 11, 17], our method of proof by consistency does not require that constructors be given explicitly. Moreover, we always generate a counterexample if the conjecture is false. In other words, our method is refutationally complete. It is also linear; neither inferences between axioms nor between conjectures have to be computed. The method is rather flexible as it is based on a very general notion of fair inductive theorem proving derivations and allows for powerful simplification and elimination techniques. The latter is provided by the notion of redundancy as developed in [3, 5].
In fact we will show that redundancy and inductive validity of clauses are equivalent concepts. Technically the approach is based on the inference systems for first-order refutation theorem proving presented by Bachmair and Ganzinger [5] and briefly summarized in the appendix.

2 The Method

Clauses are implicitly universally quantified. We make quantifiers explicit and restrict them to generated values by adding a constraint $\mathit{gnd}(x)$ for every variable $x$ in the clause. We add clauses which define these type predicates such that $\models \mathit{gnd}(t)$ if and only if $t$ is (equivalent to) a ground term of the sort of $x$. More precisely, for each operator $f$ of arity $n$ a clause

$$\mathit{gnd}(x_1), \ldots, \mathit{gnd}(x_n) \to \mathit{gnd}(f(x_1, \ldots, x_n))$$

is added, and a conjecture $\Gamma \to \Delta$ containing variables $x_1, \ldots, x_n$ becomes

$$\mathit{gnd}(x_1), \ldots, \mathit{gnd}(x_n), \Gamma \to \Delta.$$

A clause that is closed by explicit quantifiers in this way is valid if and only if it is valid in all generated models (Herbrand models over the given signature). Validity in all generated models implies validity in the perfect model of a set of clauses, and is a key step towards second-order reasoning.

The perfect model of a set of clauses $N$ is represented, in a sense that will become clear below, by a certain subset $N'$ of $N$. These clauses define a canonical set $R$ of ground rewrite rules such that the congruence generated by $R$ is the perfect model of $N$. To prove the inductive validity of a conjecture $H$, we take its closed version $H'$ and attempt to prove the validity of a set of instances of $H'$ that covers all ground instances of $H'$, assuming that $H'$ is true for all smaller instances. (Here, "smaller" refers to some well-founded ordering on clauses.) The key points of our method are as follows: (i) The covering set of instances of $H'$ is generated by a narrowing-like process which enumerates the solutions to the antecedent of $H'$ in the perfect model. By closing $H$ we achieve that conjectures are either ground or else have a non-empty antecedent. (ii) We eliminate an instance of $H'$ if it follows from $N$ and from smaller instances of $H'$. In this case we call the particular instance of $H'$ composite. (iii) We assume that for a ground instance of $H'$ it is decidable whether or not $H'$ is true in the perfect model. In particular, we assume that $N'$ and $R$ are effectively given in a certain technical sense. This restricts our method, but makes it refutationally complete. If validity of ground clauses were undecidable for a theory $N$, the problem of inductive theorem proving for $N$ would be hopeless anyway. (iv) We saturate $N \cup H'$ by applying a positive superposition strategy. To enumerate the solutions of the antecedent of $H'$ we allow selecting an arbitrary atom $A$ of the antecedent so as to guide the enumeration process to first concentrate on the solutions of $A$. If $A$ is a type predicate $\mathit{gnd}(x)$, then the effect is to enumerate all ground substitutions for the variable $x$ in $H$.
It may happen that some type clause $C_f = \mathit{gnd}(x_1), \ldots, \mathit{gnd}(x_n) \to \mathit{gnd}(f(x_1, \ldots, x_n))$ corresponding to some function $f$ itself is an inductive consequence (with respect to $N$) of some subset $B$ of other type clauses. This is the case if $f$ is a function symbol that is sufficiently completely defined relative to the (in some sense more primitive) functions in $B$. In this case, $C_f$ need not be superposed on $A$. In other words, only type clauses for constructors need to be considered for superposition. This optimization is implicitly built into our method as the inductive validity of $C_f$ can be proved in parallel with $H$. No explicit distinction between constructor symbols and defined symbols is required. Moreover, equalities between constructor terms pose no problem in our framework. For instance, consider the following specification for natural numbers.

  natbase = [ sorts  nat
              ops    0 : nat
                     s : nat → nat ]

The enrichment by type clauses yields

  natbaseg = natbase + [ ops     gnd : nat → pred
                         axioms  ∀ n : nat
                                 gnd(0)                         (1)
                                 gnd(n) → gnd(s(n))             (2) ]

Consider the enrichment of the above specification by a definition of ≤.

  natleqg = natbaseg + [ ops     ≤ : nat, nat → pred
                         axioms  ∀ m, n : nat
                                 0 ≤ n                          (3)
                                 m ≤ n → s(m) ≤ s(n)            (4) ]

Suppose we would like to prove that ≤ is total, i.e. that

  → m ≤ n, n ≤ m,

which becomes

  gnd(n), gnd(m) → m ≤ n, n ≤ m

after closing, is inductively valid. In this particular case the theory is of Horn clause type, so that the perfect model is the initial model. Whenever a clause is added during a consistency proof, an equation in its antecedent for which solutions are to be enumerated is selected. (The original indicates the selection by underlining; below the selected atom is marked with an asterisk.)

  gnd(m)*, gnd(n) → m ≤ n, n ≤ m               conjecture                                                (5)
  gnd(n) → 0 ≤ n, n ≤ 0                        selective resolution (1) on (5); composite because of (3)
  gnd(m), gnd(n)* → s(m) ≤ n, n ≤ s(m)         selective resolution (2) on (5)                           (6)
  gnd(m) → s(m) ≤ 0, 0 ≤ s(m)                  selective resolution (1) on (6); composite because of (3)
  gnd(m), gnd(n) → s(m) ≤ s(n), s(n) ≤ s(m)    selective resolution (2) on (6); composite because of (4) and (5)

We have seen that all clauses that can be enumerated by superposition on selected atoms are composite, i.e. follow from the theory and from smaller instances of the conjecture. For instance, for all ground terms $N$ and $M$, the clause $C = \mathit{gnd}(M), \mathit{gnd}(N) \to s(M) \le s(N), s(N) \le s(M)$ follows from (4) and the instance $D = \mathit{gnd}(M), \mathit{gnd}(N) \to M \le N, N \le M$ of (5). $D$ is embedded in $C$, hence smaller than $C$. The example demonstrates the strong analogy to classical methods of inductive theorem proving. Selecting one of the $\mathit{gnd}(x)$ corresponds to the selection of an induction variable. Superposition with the type clauses results in a set of new instances representing the different cases to be proved. The elimination of a clause corresponds to an induction step for which the induction hypothesis may be used. The basis of the induction are well-founded orderings on terms which are extended to well-founded orderings on clauses.

For a second example, consider the usual definition of addition for natural numbers.

  natplus = natbase + [ ops     + : nat, nat → nat
                        axioms  ∀ m, n : nat
                                0 + n ≈ 0                       (1)
                                s(m) + n ≈ s(m + n)             (2) ]

Extending the specification by type clauses yields

  natplusg = natplus + [ ops     gnd : nat → pred
                         axioms  ∀ m, n : nat
                                 gnd(0)                         (3)
                                 gnd(m) → gnd(s(m))             (4)
                                 gnd(m), gnd(n) → gnd(m + n)    (5) ]

We prove that + is a defined operator, that is, that (5) is an inductive consequence of (1)–(4). We apply the same method and select the first literal in the antecedent of (5).

  gnd(n) → gnd(0 + n)               selective resolution (3) on (5); composite because of (1) and (3)
  gnd(m), gnd(n) → gnd(s(m) + n)    selective resolution (4) on (5); composite because of (2), (4) and (5)

Clauses which have been proved may be kept and used (as lemmas) for proving compositeness in a subsequent inductive proof. Moreover, parallel induction is supported as we allow for arbitrary sets of conjectures to start with.

3 Preliminaries

3.1 Equational clauses

A signature $\Sigma$ is a set of sorts together with a set of operator declarations $f : s_1, \ldots, s_n \to s$ over these sorts. $s_1, \ldots, s_n$ is called the arity, $s$ the coarity of $f$. A $\Sigma$-term is a term built according to the operator declarations in $\Sigma$, possibly with variables. By a ground expression (i.e., a term, equation, formula, etc.) we mean an expression containing no variables. For simplicity we do not allow operator overloading and assume that all sorts are inhabited, i.e., admit ground terms. For the moment we will assume a fixed signature $\Sigma$. Where necessary, we will use the signature as a prefix, as in $\Sigma$-term. We will define equations and clauses in terms of multisets. A multiset over $X$ is an unordered collection with possible duplicate elements of $X$. Formally a multiset is given as a function $M$ from $X$ to the natural numbers. Intuitively, $M(x)$ specifies the number of occurrences of $x$ in $M$. An equation is an expression $s \approx t$, which we identify with the multiset $\{s, t\}$. A clause is a pair of multisets of equations, written $\Gamma \to \Delta$, where $\Gamma$ is the antecedent and $\Delta$ the succedent. We usually write $\Gamma_1, \Gamma_2$ and $A, \Gamma$ instead of $\Gamma_1 \cup \Gamma_2$ and $\Gamma \cup \{A\}$. A clause represents an implication $A_1 \wedge \cdots \wedge A_m \to B_1 \vee \cdots \vee B_m$; the empty clause, a contradiction. Clauses of the form $\Gamma, A \to A, \Delta$ or $\Gamma \to \Delta, t \approx t$ are called tautologies. A specification is a set of clauses together with the signature the clauses are defined over. An inference $\pi$ is a pair written as

$$\frac{C_1 \;\; \ldots \;\; C_n}{C}$$

where the premises $C_1, \ldots, C_n$ and the conclusion $C$ are clauses. An inference system $\mathcal{I}$ is a set of inferences. An instance of an inference $\pi$ in $\mathcal{I}$ is any inference in $\mathcal{I}$ with premises $C_1\sigma, \ldots, C_n\sigma$ and conclusion $C\sigma$.

I

I

3.2 Clause Orderings

Any ordering $\succ$ on a set $S$ can be extended to an ordering $\succ_{mul}$ on finite multisets over $S$ as follows: $M \succ_{mul} N$ if (i) $M \neq N$ and (ii) whenever $N(x) > M(x)$ then $M(y) > N(y)$, for some $y$ such that $y \succ x$. If $\succ$ is a total [well-founded] ordering, so is $\succ_{mul}$. Given a set (or multiset) $S$ and an ordering $\succ$ on $S$, we say that $x$ is maximal relative to $S$ if there is no $y$ in $S$ with $y \succ x$; and strictly maximal if there is no $y$ in $S$ with $y \succeq x$. If $\succ$ is an ordering on terms, then the corresponding multiset ordering $\succ_{mul}$ is an ordering on equations, which we denote by $\succ_e$. We have defined clauses as pairs of multisets of equations. Alternatively, clauses may also be thought of as multisets of occurrences of equations. We identify an occurrence of an equation $s \approx t$ in the antecedent of a clause with the multiset (of multisets) $\{\{s, \bot\}, \{t, \bot\}\}$, and an occurrence in the succedent with the multiset $\{\{s\}, \{t\}\}$, where $\bot$ is a new symbol.⁴ We identify clauses with finite multisets of occurrences of equations. By $\succ_o$ we denote the twofold multiset ordering $(\succ_{mul})_{mul}$ of $\succ$, which is an ordering on occurrences of equations; by $\succ_c$ we denote the multiset ordering $(\succ_o)_{mul}$, which is an ordering on clauses. If $\succ$ is a well-founded [total] ordering, so are $\succ_e$, $\succ_o$, and $\succ_c$. From now on we will only consider orderings $\succ$ on terms which are reduction orderings and total on ground terms. We say that a clause $C = \Gamma \to s \approx t, \Delta$ is reductive for $s \approx t$ if $t \not\succ s$ and $s \approx t$ is a strictly maximal occurrence of an equation in $C$. For example, if $s \succ t \succ u$ and $s \succ v$ for every term $v$ occurring in $\Gamma$, then $\Gamma \to s \approx t, s \approx u$ is reductive for $s \approx t$, but $\Gamma, s \approx u \to s \approx t$ is not. Since the ordering is total on ground terms, a ground clause is reductive if and only if $s \succ t$ and $s \approx t$ is greater than any other occurrence of an equation. A nonreductive clause has no reductive ground instances.
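As an added example, not taken from the paper, the following Python implements the multiset, occurrence and clause orderings of this section and uses them to check the claim in Section 2 that the instance $D$ of conjecture (5) is smaller than $C$ under $\succ_c$. It assumes a lexicographic path ordering over a fixed precedence as the base reduction ordering (the paper leaves $\succ$ open) and a constructed ground instance with $M = s(0)$, $N = 0$.

```python
# Added example (not the paper's own code): the orderings of Section 3.2.
# Assumptions: ground terms are nested tuples ('f', arg1, ...); the base
# ordering on ground terms is an LPO over PREC, which is a reduction ordering
# total on ground terms; the predicate <= is spelled 'leq' and predicate atoms
# are equations P(...) ~ tt as in Section 3.5; 'bot' plays the role of the
# extra minimal symbol used for antecedent occurrences.

PREC = {'bot': 0, 'tt': 1, '0': 2, 's': 3, 'gnd': 4, 'leq': 5}
BOT, TT = ('bot',), ('tt',)


def lpo_gt(s, t):
    """Strict lexicographic path ordering on ground terms: s > t."""
    if s == t:
        return False
    fs, args_s = s[0], s[1:]
    ft, args_t = t[0], t[1:]
    # (1) some argument of s is >= t (subterm property)
    if any(a == t or lpo_gt(a, t) for a in args_s):
        return True
    # (2) and (3) both require s > every argument of t
    if not all(lpo_gt(s, b) for b in args_t):
        return False
    if PREC[fs] > PREC[ft]:
        return True
    if fs == ft:  # same head: compare arguments lexicographically
        for a, b in zip(args_s, args_t):
            if a != b:
                return lpo_gt(a, b)
    return False


def ms(*elems):
    """A finite multiset as a sorted tuple, so equal multisets compare equal."""
    return tuple(sorted(elems))


def multiset_diff(M, N):
    """Return (M - N, N - M) after cancelling common elements pairwise."""
    rest_n = list(N)
    rest_m = []
    for x in M:
        if x in rest_n:
            rest_n.remove(x)
        else:
            rest_m.append(x)
    return rest_m, rest_n


def mul_gt(M, N, gt):
    """M >mul N: M != N and every x in N - M is dominated by some y in M - N
    with y > x; this is equivalent to the definition (i)/(ii) of Section 3.2."""
    m_only, n_only = multiset_diff(M, N)
    if not m_only and not n_only:
        return False
    return all(any(gt(y, x) for y in m_only) for x in n_only)


# Occurrences of an equation s ~ t: {{s, bot}, {t, bot}} in the antecedent,
# {{s}, {t}} in the succedent.
def neg_occ(s, t):
    return ms(ms(s, BOT), ms(t, BOT))


def pos_occ(s, t):
    return ms(ms(s), ms(t))


def eq_gt(e1, e2):   # >e : multiset extension of the term ordering
    return mul_gt(e1, e2, lpo_gt)


def occ_gt(o1, o2):  # >o : twofold multiset extension
    return mul_gt(o1, o2, eq_gt)


def clause_occs(clause):
    """A clause (antecedent, succedent) as the multiset of its occurrences."""
    ante, succ = clause
    return ms(*[neg_occ(s, t) for s, t in ante], *[pos_occ(s, t) for s, t in succ])


def clause_gt(C, D):  # >c : multiset extension of >o
    return mul_gt(clause_occs(C), clause_occs(D), occ_gt)


# Constructed sample: the clauses C and D of the <= example in Section 2,
# instantiated with M = s(0), N = 0.
def nat(k):
    return ('0',) if k == 0 else ('s', nat(k - 1))


def gnd(t):
    return ('gnd', t)


def leq(a, b):
    return ('leq', a, b)


def section2_example():
    """Return (C >c D, D >c C) for the ground instances C and D of the example."""
    M, N = nat(1), nat(0)
    ante = [(gnd(M), TT), (gnd(N), TT)]
    C = (ante, [(leq(('s', M), ('s', N)), TT), (leq(('s', N), ('s', M)), TT)])
    D = (ante, [(leq(M, N), TT), (leq(N, M), TT)])
    return clause_gt(C, D), clause_gt(D, C)


if __name__ == '__main__':
    print(section2_example())  # (True, False): D is smaller than C
```

The shared antecedent occurrences cancel in the multiset comparison, so the result is decided by the succedent atoms alone, exactly as the embedding argument in Section 2 suggests.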
3.3 Equality Herbrand Interpretations

We write $A[s]$ to indicate that $A$ contains $s$ as a subexpression and (ambiguously) denote by $A[t]$ the result of replacing a particular occurrence of $s$ by $t$. By $A\sigma$ we denote the result of applying the substitution $\sigma$ to $A$ and call $A\sigma$ an instance of $A$. If $A\sigma$ is ground, we speak of a ground instance. Composition of substitutions is denoted by juxtaposition. Thus, if $\sigma$ and $\tau$ are substitutions, then $x\sigma\tau = (x\sigma)\tau$, for all variables $x$. An equivalence is a reflexive, transitive, symmetric binary relation. An equivalence $\sim$ on terms is called a congruence if $s \sim t$ implies $u[s] \sim u[t]$, for all terms $u$, $s$, and $t$. If $E$ is a set of ground equations, we denote by $E^*$ the smallest congruence containing $E$. By an (equality Herbrand) interpretation we mean a congruence on ground terms. An interpretation $I$ is said to satisfy a ground clause $\Gamma \to \Delta$ if either $\Gamma \not\subseteq I$ or else $\Delta \cap I \neq \emptyset$. We also say that a ground clause $C$ is true in $I$, if $I$ satisfies $C$; and that $C$ is false in $I$, otherwise. An interpretation $I$ is said to satisfy a non-ground clause $\Gamma \to \Delta$ if it satisfies all ground instances $\Gamma\sigma \to \Delta\sigma$. An interpretation $I$ is called an (equality Herbrand) model of $N$ if it satisfies all clauses of $N$. A set $N$ of clauses is called consistent if it has a model; and inconsistent (or unsatisfiable), otherwise. We say that $N$ implies $C$, and write $N \models C$, if every model of $N$ satisfies $C$.

⁴ The symbol $\bot$ is not part of the vocabulary of the given first-order language. It is assumed to be minimal with respect to any given ordering. Thus $t \succ \bot$, for all terms $t$.

3.4 Convergent Rewrite Systems

A binary relation $\Rightarrow$ on terms is called a rewrite relation if $s \Rightarrow t$ implies $u[s\sigma] \Rightarrow u[t\sigma]$, for all terms $s$, $t$ and $u$, and substitutions $\sigma$. A transitive, well-founded rewrite relation is called a reduction ordering. By $\Leftrightarrow$ we denote the symmetric closure of $\Rightarrow$; by $\Rightarrow^*$ the transitive, reflexive closure; and by $\Leftrightarrow^*$ the symmetric, transitive, reflexive closure. Furthermore, we write $s \downarrow t$ to indicate that $s$ and $t$ can be rewritten to a common form: $s \Rightarrow^* v$ and $t \Rightarrow^* v$, for some term $v$. A rewrite relation $\Rightarrow$ is said to be Church-Rosser if the two relations $\Leftrightarrow^*$ and $\downarrow$ are the same. A set of equations $E$ is called a rewrite system with respect to an ordering $\succ$ if we have $s \succ t$ or $t \succ s$, for all equations $s \approx t$ in $E$. If all equations in $E$ are ground, we speak of a ground rewrite system. Equations in $E$ are also called (rewrite) rules. When we speak of "the rule $s \approx t$" we implicitly assume that $s \succ t$. By $\Rightarrow_E$ (or simply $\Rightarrow$) we denote the smallest rewrite relation for which $s \Rightarrow_E t$ whenever $s \approx t$ is in $E$ and $s \succ t$. A term $s$ is said to be in normal form (with respect to $E$) if it cannot be rewritten by $\Rightarrow_E$, i.e., if there is no term $t$ such that $s \Rightarrow_E t$. A term is also called irreducible, if it is in normal form, and reducible, otherwise. A rewrite system $E$ is said to be convergent if the rewrite relation $\Rightarrow_E$ is well-founded and Church-Rosser. Convergent rewrite systems define unique normal forms.

3.5 Predicates

We allow that in addition to function symbols a signature may contain predicate symbols, which will be declared to have a special coarity pred. Thus we also consider expressions $P(t_1, \ldots, t_n)$, where $P$ is some predicate symbol and $t_1, \ldots, t_n$ are terms built from function symbols and variables. We then have equations $s \approx t$ between (non-predicate) terms, called function equations, and equations $P(t_1, \ldots, t_n) \approx \mathit{tt}$, called predicate equations, where $\mathit{tt}$ is a distinguished unary predicate symbol that is taken to be minimal in the given reduction ordering $\succ$. For simplicity, we usually abbreviate $P(t_1, \ldots, t_n) \approx \mathit{tt}$ by $P(t_1, \ldots, t_n)$.

4 The Perfect Model

The proof by consistency method proves properties of a standard model of a specification, which for unconditional equations and Horn clauses is the initial model. The initial model can be characterized as the unique minimal (with respect to set inclusion) Herbrand interpretation satisfying $N$, and for Horn clause specifications it always exists if $N$ is consistent. In the case of first-order clauses more than one minimal model may exist. For instance, if $N$ consists of the single clause $\to p, q$ then both $\{p\}$ and $\{q\}$ are minimal models of $N$. We will use the ordering $\succ_e$ to single out one of the minimal models as the perfect model. Let $\succ_p = (\succ_e)^{-1}$; then a model $I$ is called preferable to $J$ if $J \succ_{p,mul} I$. A perfect model (corresponding to $\succ$) is a minimal model with respect to $\succ_{p,mul}$. For instance, if we assume $q \succ p$ then $\{p\} \succ_{p,mul} \{q\}$, i.e., $\{q\}$ is the perfect model. It is important to see that different orderings may yield different perfect models. This is an essential difference from the case of Horn clauses. For general clauses the ordering must be explicitly given in order to uniquely identify the standard model one has in mind. As $\succ_e$ is well-founded and total, $\succ_{p,mul}$ is a total ordering [19]. Hence there exists at most one perfect model for a set of clauses $N$. Since $\succ_{p,mul}$ contains $\supset$, a perfect model is also minimal. In the remainder of this section we present methods and techniques for constructing, given a consistent set of clauses and an ordering, the corresponding perfect model. We also explain how to compute in this model. The proofs of the lemmas which justify our techniques may be found in [4] and [5].

4.1 Construction of the Perfect Model

Let $N$ be a set of clauses and $\succ$ be a reduction ordering which is total on ground terms. We shall define an interpretation $I$ for $N$ by means of a convergent rewrite system $R$. For certain $N$, $I$ will be the perfect model of $N$ with respect to $\succ$. First, we use induction on the clause ordering $\succ_c$ to define sets of equations $E_C$, $R_C$ and $I_C$, for all ground clauses $C$ over the given signature (not necessarily instances of $N$). Let $C$ be such a ground clause and suppose that $E_{C'}$, $R_{C'}$ and $I_{C'}$ have been defined for all ground clauses $C'$ for which $C \succ_c C'$. Then

$$R_C = \bigcup_{C \succ_c C'} E_{C'} \quad \text{and} \quad I_C = R_C^*.$$

Moreover $E_C = \{s \approx t\}$ if $C$ is a ground instance $\Gamma \to \Delta, s \approx t$ of $N$ such that (i) $C$ is reductive for $s \approx t$, (ii) $s$ is irreducible by $R_C$, (iii) $\Gamma \subseteq I_C$, and (iv) $\Delta \cap I_C = \emptyset$. In that case, we also say that $C$ produces the equation (or rule) $s \approx t$. In all other cases, $E_C = \emptyset$. Finally, we define $I$ to be the equality interpretation $R^*$, where $R = \bigcup_C E_C$ is the set of all equations produced by ground instances of clauses in $N$. Instances of $N$ that produce equations are also called productive. Note that a productive clause $C$ is false in $I_C = R_C^*$, but true in $(R_C \cup E_C)^*$. The truth value of an equation can be determined by rewriting: $u \approx v \in I$ if and only if $u \downarrow_R v$. In many cases the truth value of an equation can already be determined by rewriting with $R_C$. If $C$ is true in $I_C$ then for $D \succ_c C$ it is also true in $I_D$ and in $I$.

4.2 Superposition and Redundancy

The interpretation $I$ will in general not be a model of $N$, unless $N$ is closed under sufficiently many applications of certain inference rules. The inference system $\mathcal{S}^S_\succ$ which we consider in this paper is the one described in [4, 5] and is also briefly summarized in the appendix. It is based on $\succ$ and on a selection function $S$. By a selection function we mean a mapping $S$ that assigns to each clause $C$ a (possibly empty) multiset of negative occurrences of equations in $C$. The equations in $S(C)$ are called selected. If $S(C) = \emptyset$, then no equation is selected. Selected equations can be arbitrarily chosen and need not be maximal. Selection functions are assumed to be compatible with substitution, i.e. an occurrence of an equation is selected in $C$ if and only if the corresponding occurrence is selected in $C\sigma$, for any substitution $\sigma$. $\mathcal{S}^S_\succ$, for short $\mathcal{S}$, if $\succ$ and $S$ are indicated by the context, consists mainly of paramodulation rules which are restricted by ordering constraints derived from $\succ$ or by selection constraints derived from $S$. Paramodulation affects maximal equations only, unless some atom of the antecedent of a clause is selected. If an equation is selected in (the antecedent of) a clause $C$, paramodulation on $C$ always occurs into a maximal selected equation of $C$. An important feature is that clauses for which an equation is selected need not be considered for paramodulating into any other clause. They do not directly contribute to the construction of the perfect model. This is made more precise by a notion of redundancy. Redundancy is a key aspect which allows one to saturate many nontrivial sets of clauses under $\mathcal{S}$ in a finite number of steps. A ground clause $C$ is said to be redundant (in $N$) if $C$ is true in $I_C$. A clause is called redundant in $N$ if all its ground instances are redundant in $N$. Redundant clauses are true in $I$. The interpretation $I$ is completely determined by productive clauses, which are non-redundant instances of $N$.
An inference $\pi$ from ground clauses is said to be redundant (in $N$) if either one of its premises is redundant in $N$ or else its conclusion is true in $I_C$, where $C$ is the maximal (the second, if the inference has two premises) premise of $\pi$. An inference from arbitrary premises is redundant in $N$ if all its ground instances are redundant in $N$. We say that $N$ is saturated if every ground instance of an inference from premises in $N$ is redundant in $N$.

Lemma 1. Let $N$ be a saturated set of clauses. If an instance $C$ of a clause in $N$ contains a selected equation, $C$ is not productive.

Theorem 2. Let $N$ be a consistent and saturated set of clauses. Then $I$ is the perfect model of $N$ with respect to $\succ$.

These two results are the key to our method. The first shows that clauses $C$ in $N$ with selected equations do not contribute to the perfect model. In a saturated set of clauses $N$, $C$ is therefore an inductive consequence of $N \setminus \{C\}$. The second shows that any consistent set of clauses has a perfect model (with respect to any given complete reduction ordering). In particular, the construction of section 4.1 yields the perfect model, provided $N$ is consistent and saturated. Fair theorem proving derivations are a means to saturate a given set of clauses, though the limit may not be reachable in a finite number of steps. All this gives hints of how to compute in the perfect model, an aspect which is made more precise below.
4.3 Saturation

The next question we address is how to construct a saturated set of clauses. The notion of redundancy is not effectively usable as it is not stable under addition or deletion of clauses. Let $N$ be a set of clauses and $C$ be a ground clause (not necessarily a ground instance of $N$). We call $C$ composite with respect to $N$, if there exist ground instances $C_1, \ldots, C_k$ of $N$ such that $C_1, \ldots, C_k \models C$ and $C \succ_c C_j$, for all $j$ with $1 \le j \le k$. A non-ground clause is called composite if all its ground instances are composite. A ground inference $\pi$ with conclusion $B$ is called composite (with respect to $N$) if either some premise is composite with respect to $N$, or else there exist ground instances $C_1, \ldots, C_k$ of $N$ such that $C_1, \ldots, C_k \models B$ and $C \succ_c C_j$, for all $j$ with $1 \le j \le k$, where $C$ is the maximal premise of $\pi$. A non-ground inference is called composite if all its ground instances are composite.

Lemma 3. For any saturated and consistent set of clauses $N$, compositeness with respect to $N$ implies redundancy with respect to $N$, for clauses as well as for inferences. Moreover, compositeness is stable under addition of clauses to $N$ and stable under deletion of composite clauses from $N$.

A theorem proving derivation is a (finite or countably infinite) sequence $N_0, N_1, N_2, \ldots$ of sets of clauses such that either (Deduction) $N_{i+1} = N_i \cup \{C\}$ and $N_i \models C$, or (Deletion) $N_{i+1} = N_i \setminus \{C\}$ and $C$ is composite with respect to $N_i$. The set $N_\infty = \bigcup_j \bigcap_{k \ge j} N_k$ is called the limit of the derivation. Clauses in $N_\infty$ are called persisting. Deduction adds clauses that logically follow from given clauses; deletion eliminates composite clauses. Simplification can be modeled as a sequence of deduction steps followed by a deletion step. A theorem proving derivation is called fair if every inference in $\mathcal{S}$ from premises in $N_\infty$ is composite with respect to $\bigcup_j N_j$. A fair derivation can be constructed, for instance, by systematically adding conclusions of non-composite inferences in $\mathcal{S}$. As the maximal premise of a ground inference is always greater with respect to $\succ_c$ than its conclusion, the inference becomes composite as soon as the conclusion has been added. A set of clauses $N$ is called complete if all inferences from $N$ are composite with respect to $N$. A complete set of clauses that does not contain the empty clause is saturated.

Lemma 4. Let $N = N_0, N_1, N_2, \ldots$ be a fair theorem proving derivation. If $N$ is inconsistent then the empty clause is contained in $\bigcup_j N_j$. Otherwise $N$ and $N_\infty$ are logically equivalent, and $N_\infty$ is complete (and hence saturated).

4.4 Computing in Perfect Models

The rewrite system $R$ which defines $I$ is canonical, hence constitutes a decision procedure for equality in the perfect model, provided the one-step rewrite relation $\Rightarrow_R$ is computable. This need not be the case in general, not even for finite and complete sets of clauses. However, if the set of clauses is such that matching a ground term against the maximal term of a clause always results in a reductive ground clause, one can use a recursive algorithm to decide the word problem for $I$. A clause $C = \Gamma \to \Delta$ is called universally reductive if either the succedent $\Delta$ is empty, or else $\Delta$ can be written as $\Delta', s \approx t$ such that (i) all variables of $C$ also occur in $s$, (ii) $C\sigma$ is reductive for $s\sigma \approx t\sigma$, for all ground substitutions $\sigma$. A set $N$ of clauses is called universally reductive if any clause in $N$ is either universally reductive, or else contains a selected atom.

Lemma 5. Suppose $\succ$ is decidable, and let $N$ be a saturated, finite and universally reductive set of clauses. Then it is decidable whether a ground equation $s \approx t$ is valid in the perfect model for $N$.

An obvious consequence of the above lemma is the decidability of validity in the perfect model for ground clauses in the indicated case.

5 Proof by Consistency

Inductive validity and redundancy are equivalent concepts. If $C = \Gamma \to \Delta$ is an inductive consequence of a consistent and saturated set $N$ of clauses then the logically equivalent clause $\top \approx \top, \Gamma \to \Delta$, with $\top$ being a new constant of a new sort and maximal with respect to $\succ$, is redundant in $N$. Conversely, if $C$ is redundant in $N$ it is true in $I_C$ and in $I$. In this case $N$ and $N \setminus \{C\}$ have the same perfect model. Therefore $C$ is an inductive consequence of $N \setminus \{C\}$. Inductive theorem proving is proving redundancy, and vice versa. Lemmas 3 and 1 are the basis of the technique that we are going to propose in this section. In simple cases a conjecture (or some derived clause) can be eliminated by a direct proof of compositeness using specific techniques such as contextual rewriting, cf. section 5.5. Otherwise one may attempt to make the clause become redundant in the limit of a saturation process. Closing conjectures by type predicates for their variables is a technical device to translate a non-ground clause into an equivalent one with a non-empty antecedent from which an equation can be selected for superposition. Selecting a type predicate of a variable corresponds to selecting that variable as the induction variable.

5.1 Type Predicates For each sort s in  we add a predicate symbol gnds , and for each operator f : s1 ; : : : ; sn s in  a clause G(f ) = gnds1 (x1 ); : : : ; gndsn (xn ) gnds (f (x1 ; : : : ; xn )): gnds is called the type predicate for s and G(f ) the type clause for f . A ground term t = f (t1 ; : : : ; tn ) over  uniquely determines a ground instance gnd(t1 ); : : : ; gnd(tn ) gnd(f (t1 ; : : : ; tn )) of the clause G(f ), which we will denote by G(t). For a signature  we de ne G( ) as the set of all G(f ) where f is an operator in  . The union of N and G( ) will be !

!

!

denoted by N g , while the extended signature will be denoted by  g . By Rg and I g we denote the set of rewrite rules and interpretation, respectively, constructed from N g according to section 4.1. G( ) encodes the notion of a \ground term", i.e., an atom gnd(t) is provable if and only if t is equal (modulo N ) to a ground term. We assume that the given complete reduction ordering over  is arbitrarily extended to a complete reduction ordering over the extended signature  g . Such an extension always exists.

Lemma 6. Letg t be a ground term over  of form f (t ; : : : ; tn). Then gnd(t) is true g 1

in (RG(t) [ EG(t) ) and hence in I g .

Lemma 7. Let N be a saturated set of clauses. Then N g is also saturated. Lemma 8. Let C be a ground instance of a clause in N g . RCg restricted to rules not containing any type predicates is equal to RC .

Lemma 9. Let $C$ be a ground instance of a clause in $N$. Then $C$ is true in $I^g$ if and only if $C$ is true in $I$.

Let $C = \Gamma \to \Delta$ be a $\Sigma$-clause and $\mathit{var}(C) = \{x_1, \ldots, x_n\}$. Then we define $G(C)$ to be the $\Sigma^g$-clause $\mathit{gnd}(x_1), \ldots, \mathit{gnd}(x_n), \Gamma \to \Delta$. $G(C)$ is called the closed form of $C$. For a set of clauses $H$, we define $G(H)$ as $\{G(C) \mid C \in H\}$.

Lemma 10. $C$ is true in $I$ if and only if $G(C)$ is true in $I^g$.

Let us summarize the contents of this section. If we have a saturated set of clauses $N$, we can transform it to $N^g$, which is still saturated. A clause $C$ is valid in $I$ if and only if $C$ is valid in $N^g$ if and only if $G(C)$ is valid in $N^g$. For inductive theorem proving we may hence use $N^g$ in place of $N$, and we may replace conjectures $H$ by the closed forms $G(H)$.

5.2 Inductive Theorem Proving Derivations

From now on we shall assume to be given a consistent, finite, complete and universally reductive set of clauses $N$ with perfect model $I$. By an inductive theorem proving derivation for $N$ we mean a finite or countably infinite sequence $H_0, H_1, \ldots$ of sets of clauses such that

(Deduction) $H_{i+1} = H_i \cup \{C\}$ and $N \cup H_i \models C$, or

(Deletion) $H_{i+1} = H_i \setminus \{C\}$ and $C$ is composite with respect to $N \cup H_i \cup \{C\}$.

The set $H_\infty = \bigcup_j \bigcap_{k \ge j} H_k$ is called the limit of the derivation. Clauses in $H_\infty$ are called persisting. An inductive theorem proving derivation is called fair if every inference by selective equality resolution on a clause in $H_\infty$ and every inference by selective superposition of a clause in $N$ on a clause in $H_\infty$ is composite with respect to $\bigcup_j H_j$. Given a selection function $S$, an inductive theorem proving derivation is called failed if there exists a ground clause in $\bigcup_j H_j$ which is false in $I$ (failure with "disproof"), or else there exists a clause in $H_\infty$ for which no equation is selected by $S$ (failure with "don't know").

Theorem 11. Let $H_0, H_1, \ldots$ be a fair inductive theorem proving derivation for $N$.

(i) If the derivation is non-failed then the clauses in $H_0$ are inductive theorems of $N$, i.e., valid in $I$.
(ii) If the derivation fails with "disproof", then $H_0$ is not valid in $I$.

Proof. (i) If $H_0, H_1, \ldots$ is fair and non-failed, the sequence $N \cup H_0, N \cup H_1, \ldots$ is a theorem proving derivation (with respect to $S$). Inferences with premises all in $N$ are composite in $N$ as $N$ is complete. Inferences with at least one premise in $H_\infty$ are composite in $N \cup H_\infty$ as the derivation is fair and as there is no clause in $H_\infty$ for which no equation is selected by $S$. Therefore the sequence $N \cup H_0, N \cup H_1, \ldots$ is a fair theorem proving derivation with limit $N \cup H_\infty$, hence $N \cup H_\infty$ is complete. As the clauses in $H_\infty$ have selected equations, they are not productive. Therefore the perfect models of $N$ and $N \cup H_\infty$ (and hence $N \cup H_0$) are identical. (ii) follows immediately from the soundness of deduction. $\Box$

Note that the fairness requirement for inductive derivations does not imply the need for computing any non-linear inferences with premises all in N or with two premises both not in N . To achieve refutation completeness of the method the production of non-ground clauses with an empty antecedent has to be avoided. Using type predicates is a technique to achieve this goal.

5.3 Refutation Completeness

Refutation completeness in this context means to avoid failure with "don't know" in inductive theorem proving derivations. For that purpose we can assume without loss of generality that the given theory presentation $N$ includes all type predicates and type clauses, i.e., $N = \tilde{N}^g$, as this does not affect completeness, consistency, finiteness, and universal reductivity. Similarly, we can assume the initial set of conjectures $H_0$ to be closed. Suppose that we only admit selection functions which always select some type atom of form $\mathit{gnd}(x)$, $x$ a variable, and only such atoms, if there are any in a given clause. Furthermore assume that in an inductive theorem proving derivation the only deductions one makes are by selective equality resolution on a clause in $\bigcup_j H_j$ or by selective superposition of a clause in $N$ on a clause in $\bigcup_j H_j$. Then any clause in $\bigcup_j H_j$ is closed, hence either is a ground clause, for which validity is decidable, or else contains a selected equation. Therefore failure with "don't know" is impossible.

In practice, however, one would not want to restrict selection functions to always select type predicates only, nor to limit deductions to what is required by fairness. Otherwise one might not detect situations in which the antecedent is false for certain substitutions. Also simplification, e.g., by demodulation, would not be allowed. Failure with "don't know" will only occur in extreme cases anyway, and there are other ways of achieving refutation completeness. Superposition of a type clause on a selected type atom in a conjecture is a principal kind of inference to be computed in inductive theorem proving derivations. The more type clauses one can prove redundant, the fewer such inferences one needs to consider. This problem will be addressed in the next section.
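As an added illustration of sections 5.1 and 5.3 (not code from the paper, nor from the CEC system), the following Python builds the type clauses $G(f)$, the ground instances $G(t)$ and the closed form $G(C)$, and performs the principal inference of an inductive derivation: superposition of the type clauses on the selected atom $\mathit{gnd}(x)$ of a closed conjecture, which is exactly the case split over the term structure on the induction variable $x$. The signature `NAT_SIG` (operators 0, s, +) and the tuple encoding of terms and clauses are constructed for the example; the `redundant` parameter anticipates section 5.4, where type clauses of sufficiently complete functions need not be superposed.

```python
"""Type predicates, closed forms and case splits over the term structure.

Added illustration, not code from the paper: a term is a nested tuple
(fname, arg1, ...) and a variable is a plain string; an atom is
('gnd', sort, term) or ('eq', lhs, rhs); a clause is a pair
(antecedent, succedent) of atom tuples.  NAT_SIG is a constructed signature.
"""

# Constructed signature: operator -> (argument sorts, result sort).
NAT_SIG = {
    '0': ((), 'nat'),
    's': (('nat',), 'nat'),
    '+': (('nat', 'nat'), 'nat'),
}


def type_clause(f, sig):
    """G(f) = gnd_{s1}(x1), ..., gnd_{sn}(xn) -> gnd_s(f(x1, ..., xn))."""
    arg_sorts, res_sort = sig[f]
    xs = tuple(f'x{i + 1}' for i in range(len(arg_sorts)))
    ante = tuple(('gnd', srt, x) for srt, x in zip(arg_sorts, xs))
    return (ante, (('gnd', res_sort, (f,) + xs),))


def ground_type_instance(t, sig):
    """G(t): the ground instance of G(f) determined by the ground term t = f(t1..tn)."""
    arg_sorts, res_sort = sig[t[0]]
    ante = tuple(('gnd', srt, a) for srt, a in zip(arg_sorts, t[1:]))
    return (ante, (('gnd', res_sort, t),))


def gnd_derivable(t, sig):
    """Lemma 6 read bottom-up: gnd(t) holds for a ground term t over Sigma because
    G(t) applies once gnd holds for every proper subterm.  A variable or an
    operator outside Sigma yields False."""
    if isinstance(t, str) or t[0] not in sig or len(sig[t[0]][0]) != len(t) - 1:
        return False
    return all(gnd_derivable(a, sig) for a in t[1:])


def _vars(t, acc):
    if isinstance(t, str):
        acc.add(t)
    else:
        for a in t[1:]:
            _vars(a, acc)
    return acc


def variables_of_clause(clause):
    acc = set()
    for atom in clause[0] + clause[1]:
        for t in (atom[2],) if atom[0] == 'gnd' else atom[1:]:
            _vars(t, acc)
    return acc


def substitute(t, sub):
    if isinstance(t, str):
        return sub.get(t, t)
    return (t[0],) + tuple(substitute(a, sub) for a in t[1:])


def subst_atom(atom, sub):
    if atom[0] == 'gnd':
        return ('gnd', atom[1], substitute(atom[2], sub))
    return ('eq', substitute(atom[1], sub), substitute(atom[2], sub))


def closed_form(clause, var_sorts):
    """G(C): prefix gnd_s(x) to the antecedent for every variable x of C."""
    ante, succ = clause
    prefix = tuple(('gnd', var_sorts[x], x) for x in sorted(variables_of_clause(clause)))
    return (prefix + ante, succ)


def is_ground_clause(clause):
    return not variables_of_clause(clause)


def case_split(clause, x, sig, redundant=()):
    """Superpose every type clause G(f) whose result sort is s on the selected atom
    gnd_s(x): x becomes f(y1..yn) with fresh variables yi, and gnd(yi) atoms replace
    gnd(x).  Operators in `redundant` (type clauses already proved redundant,
    section 5.4) generate no case."""
    ante, succ = clause
    sel = next((a for a in ante if a[0] == 'gnd' and a[2] == x), None)
    if sel is None:
        raise ValueError(f'no type atom selected for {x}')
    rest = tuple(a for a in ante if a is not sel)
    used = variables_of_clause(clause)
    cases = []
    for f, (arg_sorts, res_sort) in sig.items():
        if res_sort != sel[1] or f in redundant:
            continue
        taken, ys = set(used), []
        for _ in arg_sorts:           # fresh names clashing with nothing in the clause
            i = 1
            while f'{x}{i}' in taken:
                i += 1
            taken.add(f'{x}{i}')
            ys.append(f'{x}{i}')
        sub = {x: (f,) + tuple(ys)}
        new_ante = tuple(('gnd', srt, y) for srt, y in zip(arg_sorts, ys)) \
            + tuple(subst_atom(a, sub) for a in rest)
        cases.append((new_ante, tuple(subst_atom(a, sub) for a in succ)))
    return cases
```

Running `case_split` on the closed conjecture $\mathit{gnd}(x) \to x + 0 \approx x$ yields three cases, one per operator of result sort `nat`: the ground clause for $0$, the clause with $\mathit{gnd}(x_1)$ in the antecedent for $s(x_1)$, and a third case for $x_1 + x_2$, which disappears once $G(+)$ has been proved redundant and `+` is passed in `redundant`.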

5.4 Sufficient Completeness

A type clause for a function $f$ is redundant if the function is sufficiently completely defined with respect to the remaining functions. More generally, we consider subsignatures $\Sigma_B$, called base signatures, of the given signature $\Sigma$. A set of $\Sigma$-clauses $N$ (together with an ordering $\succ$) is called sufficiently complete with respect to $\Sigma_B$ if for any $\Sigma$-ground term $s$ there exists a $\Sigma_B$-ground term $t$ such that $s \approx t$ is true in the perfect model $I$ of $N$. Again, this property is defined with respect to the perfect model rather than all minimal models. Furthermore, we assume that ground terms over $\Sigma_B$ are smaller in the reduction ordering than ground terms containing function symbols not in $\Sigma_B$.

Lemma 12. $N$ is sufficiently complete with respect to $\Sigma_B$ if and only if the type clauses $G(f)$, for $f$ in $\Sigma \setminus \Sigma_B$, are redundant.

Corollary 13. Let $N$ be a saturated set of clauses, and let $S$ be a selection function such that each clause in $G(\Sigma \setminus \Sigma_B)$ either contains a selected equation if its antecedent is nonempty or else is redundant. Then $N$ is sufficiently complete with respect to $\Sigma_B$ if and only if $N^g$ is saturated.

The inductive proof procedure outlined above can be used to prove sufficient-completeness by starting with the theory $N \cup G(\Sigma_B)$ and proving the inductive validity of the clauses in $G(\Sigma \setminus \Sigma_B)$. If this is successful in finite time, the result is a complete presentation $N \cup G(\Sigma_B) \cup G'$ where all clauses in $G'$ have a selected atom. In later inductive proofs no inferences from $G'$, in particular no inferences from any type clause $G(f)$ with $f$ in $\Sigma \setminus \Sigma_B$, need to be computed. With these remarks, the reader may want to take another look at the proof of sufficient-completeness of addition that we presented in section 2. Proving the sufficient completeness of a function definition is a particular case in which a lemma is produced that makes subsequent proofs go through or at least makes them more efficient. In general, clauses which have been proved may be kept and used for proving compositeness in a subsequent inductive proof, without the need of superposing such a lemma on some conjecture.
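The definition of sufficient completeness above can be exercised on ground terms, as an added illustration that is neither the paper's procedure nor the CEC implementation: $N$ is given as unconditional rewrite rules (constructed here: addition over the base signature $\Sigma_B = \{0, s\}$, plus a deliberately incomplete `half` with no rule for $\mathit{half}(s(0))$), each sample $\Sigma$-ground term is normalised innermost-first, and a normal form that still contains a symbol outside $\Sigma_B$ is a witness that no $\Sigma_B$-ground term equals it modulo $N$. Normalising finitely many terms is a test that can refute sufficient completeness, not the inductive proof via Lemma 12 and Corollary 13.

```python
"""Sufficient completeness checked by ground rewriting over a base signature.

Added illustration, not the paper's code: terms are nested tuples
(fname, arg1, ...), variables are plain strings.  RULES_* and BASE are
constructed for the example.
"""

BASE = {'0', 's'}                       # Sigma_B, the constructor part

RULES_PLUS = [                          # 0 + y -> y ;  s(x) + y -> s(x + y)
    (('+', ('0',), 'y'), 'y'),
    (('+', ('s', 'x'), 'y'), ('s', ('+', 'x', 'y'))),
]
RULES_HALF = RULES_PLUS + [             # half(0) -> 0 ; half(s(s(x))) -> s(half(x)); half(s(0)) undefined
    (('half', ('0',)), ('0',)),
    (('half', ('s', ('s', 'x'))), ('s', ('half', 'x'))),
]


def nat(n):
    """Constructor term s^n(0)."""
    t = ('0',)
    for _ in range(n):
        t = ('s', t)
    return t


def match(pattern, term, sub):
    """Extend `sub` so that pattern instantiated by sub equals term; None if impossible."""
    if isinstance(pattern, str):
        if pattern in sub:
            return sub if sub[pattern] == term else None
        sub[pattern] = term
        return sub
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, sub) is None:
            return None
    return sub


def substitute(t, sub):
    if isinstance(t, str):
        return sub.get(t, t)
    return (t[0],) + tuple(substitute(a, sub) for a in t[1:])


def normal_form(t, rules):
    """Innermost normalisation: arguments first, then the first rule applicable at the root.
    Terminates for the constructed rules, whose right-hand sides are smaller in a
    reduction ordering than their left-hand sides."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(normal_form(a, rules) for a in t[1:])
    for lhs, rhs in rules:
        sub = match(lhs, t, {})
        if sub is not None:
            return normal_form(substitute(rhs, sub), rules)
    return t


def over_base(t, base):
    """True if every operator of the ground term t belongs to Sigma_B."""
    return isinstance(t, tuple) and t[0] in base and all(over_base(a, base) for a in t[1:])


def missing_base_forms(terms, rules, base):
    """Sample terms whose normal form is not a Sigma_B-term; each one refutes
    sufficient completeness of `rules` with respect to `base`."""
    return [t for t in terms if not over_base(normal_form(t, rules), base)]
```

For `RULES_PLUS` every sampled sum normalises to a constructor term, consistent with the sufficient completeness of addition proved in section 2, whereas `RULES_HALF` leaves $\mathit{half}(s(0))$ and $\mathit{half}(s^3(0))$ stuck, so the type clause $G(\mathit{half})$ cannot be redundant for that presentation.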

5.5 Proofs of Compositeness

Inductive validity is reduced to proving compositeness of certain clauses that are derived from the conjectures. For the method to be applicable in practice one needs to have powerful methods available for verifying compositeness. Moreover, a failure in proving compositeness often gives an indication of what kind of lemma would be required in order to make the proof go through. It is here that generalization and lemma suggestion techniques should be incorporated. In this paper we shall only scratch the surface by making a few technical remarks on the subject related to orderings and first-order clauses.

In proofs of compositeness, one may assume that instances of the given theory presentation $N$ are smaller (with respect to $\succ_c$) than any "new" clause that is introduced during an inductive theorem proving derivation (including the initial conjectures). Formally this can be justified by assuming that a new clause $\Gamma \to \Delta$ actually represents the logically equivalent clause $\alpha \approx \alpha;\ \Gamma \to \Delta$, where $\alpha$ is a new constant of a new sort which is the maximal term with respect to $\succ$.

For first-order clauses a technique for obtaining compositeness proofs, called contextual reductive rewriting in [2, 3], has proven to be useful in practice. Let $C$ be a clause and let $N$ be a set of clauses. $N_C$ denotes the set of instances $C'$ of $N$ such that $C \succ_c C'$. Let $\sigma$ be a skolemizing substitution, i.e., a substitution that replaces variables by new constants. Let $C = \Gamma;\ u[l\tau] \approx v \to \Delta$ (or $C = \Gamma \to \Delta;\ u[l\tau] \approx v$) be a clause in $N$. Suppose there exists an instance $D\tau$ of a clause $D = \Lambda \to \Pi;\ l \approx r$ in $N$ such that (i) $l\tau \succ r\tau$, (ii) $C \succ_c D\tau$, (iii) $N_C\sigma \models \Gamma\sigma \to A\sigma$ for all equations $A$ in $\Lambda\tau$ and $N_C\sigma \models A\sigma \to \Delta\sigma$ for all equations $A$ in $\Pi\tau$. Then $C$ can be contextually rewritten to $\Gamma;\ u[r\tau] \approx v \to \Delta$ (or $\Gamma \to \Delta;\ u[r\tau] \approx v$). After this the clause $C$ becomes composite in $N \cup \{\Gamma;\ u[r\tau] \approx v \to \Delta\}$ and may be eliminated. We may also do several steps of contextual rewriting in a row; in this case the bound on the complexity is provided by the first clause. If we eventually arrive at a clause that is composite, we have proved that the first clause is composite. Or we may use the method to prove inferences composite; in this case the bound is provided by the maximal premise of the inference. More liberal ways of rewriting where a term is sometimes replaced by a larger term (as long as the instances of clauses which are involved in the rewriting are still sufficiently small) are suggested by the "rippling-out" method of [8] and can be extended without problems to our framework.

6 Conclusion

We have described a method of proof by consistency for first-order clauses with equality. Inductive theorem proving was defined as proving validity in the perfect model of a theory. We have built on methods for saturating sets of clauses and shown that inductive validity and redundancy are equivalent concepts. Selection strategies for superposition provide means to make clauses become redundant in the limit of a successful saturation process. For this idea to always be applicable, an explicit closing of clauses by type predicates has been suggested. As a side-effect our method allows for proofs of sufficient-completeness of function definitions, a property that is essential in other contexts too, e.g., for hierarchical specifications. We have shown that the concepts of proof by consistency for the purely equational case can be appropriately extended, retaining most of their characteristic properties. We have implemented this method for the restricted case of Horn clauses in the CEC system for conditional equational completion [10], and initial practical experience has been encouraging.

References

1. Leo Bachmair. Proof by consistency in equational theories. In Proc. 3rd IEEE Symp. on Logic in Computer Science, pages 228–233, Edinburgh, July 1988.
2. Leo Bachmair and Harald Ganzinger. On restrictions of ordered paramodulation with simplification. In Proc. 10th Int. Conf. on Automated Deduction, Kaiserslautern, July 1990. Springer LNCS 449.
3. Leo Bachmair and Harald Ganzinger. Completion of first-order clauses with equality by strict superposition. In Proc. 2nd Int. Workshop on Conditional and Typed Rewriting Systems, Montreal, June 1990. Springer LNCS 516.
4. Leo Bachmair and Harald Ganzinger. Perfect model semantics for logic programs with equality. In Proc. 8th Int. Conf. on Logic Programming. MIT Press, 1991.
5. Leo Bachmair and Harald Ganzinger. Rewrite-based equational theorem proving with selection and simplification. Technical Report MPI-I-91-208, Max-Planck-Institut für Informatik, Saarbrücken, August 1991.
6. Eddy Bevers and Johan Lewi. Proof by consistency in conditional equational theories. In Proc. 2nd Int. Workshop on Conditional and Typed Rewriting Systems, Montreal, June 1990. Springer LNCS 516.
7. Robert S. Boyer and J. Strother Moore. A Computational Logic. Academic Press, New York, 1979.
8. A. Bundy, F. van Harmelen, A. Smaill, and A. Ireland. Extensions to the rippling-out tactic for guiding inductive proofs. In Proc. 10th Int. Conf. on Automated Deduction, pages 132–146, Kaiserslautern, July 1990. Springer LNCS 449.
9. Laurent Fribourg. A strong restriction of the inductive completion procedure. In Proc. 13th Int. Coll. on Automata, Languages and Programming, pages 105–115, Rennes, France, July 1986. Springer LNCS 226.
10. H. Ganzinger and R. Schäfers. System support for modular order-sorted Horn clause specifications. In Proc. 12th Int. Conf. on Software Engineering, Nice, pages 150–163, 1990.
11. Stephen J. Garland and John V. Guttag. Inductive methods for reasoning about abstract data types. In Proc. 15th Annual ACM Symp. on Principles of Programming Languages, pages 219–228, San Diego, January 1988.
12. Gérard Huet and Jean-Marie Hullot. Proofs by induction in equational theories with constructors. Journal of Computer and System Sciences, 25:239–266, 1982.
13. Jean-Pierre Jouannaud and Emmanuel Kounalis. Proofs by induction in equational theories without constructors. In Proc. Symp. on Logic in Computer Science, pages 358–366, Cambridge, Mass., June 1986.
14. Stéphane Kaplan and Marianne Choquer. On the decidability of quasi-reducibility. EATCS Bulletin, 28:32–34, 1986.
15. David R. Musser. On proving inductive properties of abstract data types. In Proc. 7th Annual ACM Symp. on Principles of Programming Languages, pages 154–162, Las Vegas, January 1980.
16. Fernando Orejas. Theorem proving in conditional-equational theories. Draft.
17. Peter Padawitz. Inductive expansion: A calculus for verifying and synthesizing functional and logic programs. Journal of Automated Reasoning, 7(1):27–103, March 1991.
18. David A. Plaisted. Semantic confluence tests and completion methods. Information and Control, 65:182–215, 1985.
19. T. C. Przymusinski. On the declarative semantics of deductive databases and logic programs. In J. Minker, editor, Foundations of Deductive Data Bases and Logic Programming, pages 193–216. Morgan Kaufmann Publishers, Los Altos, 1988.
20. Jürgen Stuber. Inductive theorem proving for Horn clauses. Master's thesis, Universität Dortmund, April 1991.