A Superposition Calculus for Abductive Reasoning
We present a modification of the Superposition calculus that is meant to generate consequences of sets of first-order axioms. This approach is proven to be sound and deductive-complete in the presence of redundancy elimination rules, provided the considered consequences are built on a given finite set of ground terms, represented by constant symbols. In contrast to other approaches, most existing results about the termination of the Superposition calculus can be carried over to our procedure. This ensures in particular that the calculus is terminating for many theories of interest to the SMT community.
The verification of complex systems is generally based on proving the validity, or, dually, the satisfiability of a logical formula. A standard practice consists in translating the behavior of the system to be verified into a logical formula, and proving that the negation of the formula is unsatisfiable. These formulæ may be domain-specific, so that it is only necessary to test the satisfiability of the formula modulo some background theory, whence the name Satisfiability Modulo Theories problems, or SMT problems. If the formula is actually satisfiable, this means the system is not error-free, and any model can be viewed as a trace that generates an error. The models of a satisfiable formula can therefore help the designers of the system guess the origin of the errors and deduce how they can be corrected; this is, for instance, one of the main reasons why state-of-the-art SMT solvers feature automated model building tools (see, e.g., Caferra, Leitsch, and Peltier, 2004). However, this approach is not always satisfactory. First, there is a risk of information overload: the generated model may be very large and complex, and discovering the origin of the error may require a long and difficult analysis. Second, the model may be too specific, in the sense that it only corresponds to one particular execution of the system, and dismissing this single execution may not be sufficient to fix the system. Also, there are generally many interpretations on different domains that satisfy the formula. In order to understand where the error(s) may come from, it is generally necessary to analyze all of these models and to identify common patterns. This leaves the user with the burden of having to infer the general property that can rule out all the undesired behaviors. A more useful and informative solution would be to directly infer the missing axioms, or hypotheses, that can be added in order to ensure the unsatisfiability of the input formula.
These axioms can be viewed as sufficient conditions ensuring that the system is valid. Such conditions must be plausible and economical: for instance, explanations that contradict the axioms of the considered theories are obviously irrelevant.
In this paper, we present what is, to the best of our knowledge, a novel approach to this debugging problem: we argue that rather than studying one or several models of a formula, more valuable information can be extracted from the properties that hold in all the models of the formula. For example, consider the theory of arrays, which is axiomatized as follows (as introduced by McCarthy, 1962):
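Rendered in the conventional notation (the symbol names select and store are the standard ones for this theory, not taken from this paper's displayed formula), the two McCarthy axioms read:

```latex
\begin{align*}
&\forall t, i, v.\;\; \mathrm{select}(\mathrm{store}(t, i, v),\, i) \simeq v\\
&\forall t, i, j, v.\;\; i \not\simeq j \;\Rightarrow\;
  \mathrm{select}(\mathrm{store}(t, i, v),\, j) \simeq \mathrm{select}(t, j)
\end{align*}
```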
These axioms state that if element is inserted into array at position , then the resulting array contains at position , and the same elements as in elsewhere. Assume that to verify that the order in which elements are inserted into a given array does not matter, the satisfiability of the following formula is tested (see also Figure 1):
This formula asserts that there is a position that holds different values in the array obtained from by first inserting element at position and then element at position , and in the array obtained from by first inserting element at position and then element at position . It turns out that this formula is actually satisfiable, which in this case means that some hypotheses are missing. State-of-the-art SMT solvers such as Yices (Dutertre and de Moura, 2006) or Z3 (de Moura and Bjørner, 2008) can help find out what hypotheses are missing by outputting a model of the formula. In this case, Yices outputs (= b 1) (= c 3) (= i 2) (= k 2) (= j 2), and for this simple example, such a model may be sufficient to quickly understand where the error comes from. However, a simpler and more natural way to determine what hypotheses are missing would be to have a tool that, when fed the formula above, outputs , stating that the formula can only be true when elements and are distinct, and are inserted at the same position in array . This information makes it immediately clear what additional hypotheses must be made for the formula to be unsatisfiable. In this example, there are two possible hypotheses that can be added: or .
We investigate what information should be provided to the user and how it can be obtained, by distinguishing a set of ground terms on which additional hypotheses are allowed to be made. These terms may be represented by a particular set of constant symbols, called abducible constants or simply abducibles, and the problem boils down to determining what ground clauses containing only abducible constants are logically entailed by the formula under consideration, since the negation of any of these clauses can be viewed as a set of additional hypotheses that make the formula unsatisfiable. Indeed, by duality, computing implicants (or explanations) of a formula is equivalent to computing implicates (i.e., logical consequences) of . In order to compute such implicates, we devise a variant of the Superposition calculus (Bachmair and Ganzinger, 1994; Nieuwenhuis and Rubio, 2001) that is deductive-complete for the considered set of abducible constants, i.e., that can generate all the clauses built on abducible constants using a finite set of predicate symbols including that are logical consequences of the input clause set (up to redundancy). Our procedure is defined by enriching the standard calculus with some new mechanisms allowing the assertion of relevant hypotheses during the proof search. These additional hypotheses are stored as constraints associated with the clauses and are propagated along the derivations. If the empty clause can be generated under a conjunction of hypotheses , then the conjunction of the original formula and is unsatisfiable. An essential feature of this approach is that the conditions are not asserted arbitrarily or eagerly, using a generate-and-test approach (which would be inefficient): instead they are discovered on an as-needed basis, either by considering residual equations of unification failures (for positive hypotheses) or by negating some of the literals occurring in the clauses (for negative hypotheses).
The generation of implicants (or, by duality, of implicates) of logical formulæ has many applications in system verification and artificial intelligence, and this problem has been thoroughly investigated in the context of propositional logic. The earlier approaches use refinements of the resolution method (Tison, 1967; Kean and Tsiknis, 1990; De Kleer, 1992; Simon and Del Val, 2001), while more recent and more efficient proposals use decomposition-based procedures (Jackson and Pais, 1990; Henocque, 2002; Matusiewicz et al, 2009, 2011). These methods mainly focus on the efficient representation of information, and develop compact ways of storing and manipulating huge sets of implicates.
In contrast, the approaches handling abductive reasoning in first-order or equational logic are very scarce. Implicates can be generated automatically from sets of first-order clauses by using the resolution rule (Marquis, 1991). However, when dealing with equational clause sets, the addition of equality axioms leads to inefficiency and divergence in all but trivial cases. Knill, Cox, and Pietrzykowski (1992) use a proof technique called surface resolution for generating implicates of Horn clauses in equational logic. The proposed approach, based on a systematic flattening of the terms and on the application of the resolution principle with substitutivity axioms, is very general and has some nice theoretical properties, but it is also very inefficient. The search space is huge, because the systematic abstraction of every subterm destroys all ordering or unifiability constraints, and termination is very rare. Mayer and Pirri (1993) describe a tableaux-based (or, dually, a sequent-based) proof procedure for abductive reasoning. The intuitive idea is to apply the usual decomposition rules of propositional logic, and then compute the formulæ that force the closure of all open branches in the tableaux, thus yielding sufficient conditions ensuring unsatisfiability. The approach can be extended to first-order logic, by relying on reverse skolemization techniques in order to eliminate the Skolem symbols introduced inside the branches for handling existential quantifiers. Again, this approach is not well-suited for handling equality, and no termination results are presented. Tran, Ringeissen, Ranise, and Kirchner (2010) show that the Superposition calculus can be used to generate positive and unit implicates for some specific theories.
This approach is closer to ours, since it is based on the Superposition calculus, hence handles equality in an efficient way; however it is very focused: indeed, it is well-known that the Superposition calculus is not deductive-complete in general, for instance it cannot generate the clause from the clause , although .
While the previous approaches rely on usual complete proof procedures for first-order logic, more recent work builds on the recent developments and progress in the field of Satisfiability Modulo Theories by devising algorithms relying on theory-specific decision procedures. Sofronie-Stokkermans (2010, 2013) devises a technique for generating abductive explanations in local extensions of decidable theories. The approach reduces the considered problem to a formula in the basic theory by instantiating the axioms of the extension. Dillig, Dillig, McMillan, and Aiken (2012) generate an incomplete set of implicants of formulæ interpreted in decidable theories by combining quantifier-elimination (for discarding useless variables) with model building tools (to construct sufficient conditions for satisfiability). In contrast to these approaches, our method is proof-theoretic, hence it is generic and self-sufficient. The drawback is that it requires the adaptation of usual theorem provers instead of using them as black boxes (see also Example 52 for a comparison of our method with the simplification technique devised by Dillig et al (2012)).
Wernhard (2013) proposes a method to derive abductive explanations from first-order logical programs, under several distinct non-classical semantics, using a reduction to second-order quantifier-elimination. Both the considered framework and the proposed techniques completely depart from our work.
Organization of the Paper
The rest of the paper is structured as follows. In Section 2 we review basic definitions and adapt usual results to our framework. In Section 3 the new Superposition calculus is presented, and it is shown in Section 4 that it is deductive-complete for ground clauses built on the set of abducible constants. In Section 5 some refinements of the calculus are presented, aiming at more efficiency. In Section 6, we show that most termination results holding for the usual Superposition calculus also apply to . The present paper is a thoroughly expanded and revised version of (Echenim and Peltier, 2012). See Section 5.2 for more details on the relationship of with the calculus in (Echenim and Peltier, 2012).
2.1 Basic Definitions
The set of terms is built as usual on a set of function symbols including a set of predicate symbols , containing in particular a special constant , and a set of variables . Every symbol is mapped to a unique arity . The set is the set of function symbols of arity ; an element of is a constant. A term whose head is in is boolean.
An atom (or equation) is an unordered pair of terms, written , where and are terms. A literal is either an atom or the negation of an atom (i.e., a disequation), written . For every literal , we denote by the complementary literal of , which is defined as follows: and . We use the notation to denote a literal of the form or , and then denotes the complementary literal of . As usual, a non-equational atom where is encoded as an equation . For readability, such an equation is sometimes written , and can be written . A clause is a finite multiset of literals, sometimes written as a disjunction. The empty clause is denoted by . For technical reasons, we assume that the predicate symbols only occur in atoms of the form , where (literals of the form can be removed from the clauses and clauses containing a literal can be dismissed; equations of the form with are forbidden). For every clause , denotes the set of unit clauses and for every set of unit clauses , denotes the clause . Throughout the paper, we assume that denotes some fixed reduction ordering on terms (see, e.g., Baader and Nipkow, 1998) such that , for all terms , extended to atoms, literals and clauses as usual (the literals and are ordered as and , respectively).
The set of variables occurring in an expression (term, atom, literal, clause) is denoted by . If then is ground. A substitution is a function mapping variables to terms. For every term and for every substitution , we denote by the term obtained from by replacing every variable by its image w.r.t. . The domain of a substitution is the set of variables such that . A substitution is ground if for every in the domain of , is ground.
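As an illustration, substitution application can be sketched as follows, under a hypothetical term representation (variables as strings, compound terms and constants as pairs of a function symbol and an argument list) chosen purely for this example:

```python
# Illustrative term representation (not from the paper): a variable is a
# string, a compound term or constant is a pair (function_symbol, argument_list).
def apply_subst(term, subst):
    """Apply a substitution (a dict mapping variables to terms) to a term,
    replacing each variable in the domain of the substitution by its image
    and leaving all other variables unchanged."""
    if isinstance(term, str):                     # variable
        return subst.get(term, term)
    head, args = term
    return (head, [apply_subst(a, subst) for a in args])
```

For instance, applying the substitution mapping X to a and Y to b to the term f(X, g(Y)) yields f(a, g(b)).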
A position is a finite sequence of positive integers. A position occurs in a term if either or if , with and is a position in . If is a position in , the terms and are defined as follows: , , and .
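Under the same illustrative term representation as above, subterm access and replacement at a position can be sketched as:

```python
# Positions are tuples of 1-based integers, as in the definition above;
# the empty tuple denotes the position of the term itself.
def subterm_at(term, pos):
    """Return the subterm of `term` at position `pos`."""
    if not pos:
        return term
    head, args = term
    return subterm_at(args[pos[0] - 1], pos[1:])

def replace_at(term, pos, new):
    """Return a copy of `term` with the subterm at position `pos` replaced by `new`."""
    if not pos:
        return new
    head, args = term
    args = list(args)
    args[pos[0] - 1] = replace_at(args[pos[0] - 1], pos[1:], new)
    return (head, args)
```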
Given a set of constants , a literal is -flat if either or , and . A clause is -flat if all its literals are -flat. The set of -flat clauses is denoted by . A clause is flat if it is -flat and elementary if it is -flat and contains no symbol in (in other words, every literal is of the form with ).
An interpretation is a congruence relation on ground terms. An interpretation validates a clause if for all ground substitutions of domain there exists such that either and , or and .
2.2 Abducible Constants and -Sets
In this section we introduce the notion of an -set, which provides a convenient way of representing partial interpretations defined on a particular set of constant symbols. Let be a set of constants, called the abducible constants. The set is fixed by the user and contains all constants on which the abducible formulæ can be constructed. We assume that , for all and , and that if , are predicate symbols and .
An -set is a set of -flat literals satisfying the following properties.
If and is not ground then is negative or of the form .
If , where , then .
, for all .
An -set is positive if it only contains positive literals, and complete if for every ground -flat atom , contains either or .
Note that all elementary positive literals in must be ground, whereas negative or non-elementary literals may contain variables. Informally, a satisfiable -set can be viewed as a partial interpretation on the constant symbols in . The positive elementary literals in define an equivalence relation on the elements of , and the negative elementary literals specify the equivalence classes that are known to be distinct. Literals of the form specify the interpretation of predicate symbols on constants of . Variables correspond to unknown (or unspecified) constant symbols in . Complete -sets are total interpretations on .
This definition of -sets is given for theoretical purposes only: in practice, they can be more conveniently represented by a set of oriented equations of the form , where , and , together with a set of irreducible literals of the form or , where , . When convenient, we may represent an -set by a set of equations and disequations, with the intended meaning that we are actually referring to the smallest -set that contains .
Let and . Then the set
is an -set. Assuming an ordering such that , it can be more concisely represented by . defines a partial interpretation in which are known to be equal and distinct from , while is distinct from some unspecified constant ( can represent or – if represents then the set is unsatisfiable). The interpretation is only partial since it can be extended into a total interpretation that satisfies either or .
For every -set and for every expression (term, atom, literal, clause or clause set) , we denote by the expression obtained from by replacing every constant in by the smallest (according to ) constant in such that . We write iff and iff there exists an -set such that . This definition is extended to substitutions: we write if and if for all , .
Let be a clause, be a substitution and be an -set. If is -flat (resp. elementary), then so is .
The contrapositive is obvious: if is not -flat, then it contains a non-boolean term that is not in . But then, neither nor can be in , and cannot be -flat. The reasoning is similar for elementary clauses.
-unification is an extension of unification that, given two terms and , aims at computing a substitution such that , meaning that and are equal up to a renaming of constants in . The set of necessary constant renamings is collected and stored in a positive -set. This set corresponds exactly to residual (non-solvable) equations obtained when applying standard unification algorithms.
The terms and are not unifiable in the standard sense, but they are -unifiable. The substitution is an -unifier of these two terms, together with the -set .
An -substitution is a pair where is a substitution and is an -set containing only equations between elements of . An -substitution is an -unifier of an equation iff . Two terms admitting an -unifier are -unifiable.
Intuitively, if is an -unifier of an equation , then the equations in can be used to reduce and to terms that are unifiable in the standard sense.
An -substitution is more general than an -substitution , written , if there exists a (standard) substitution such that the two following conditions hold:
For every , .
We write if and .
Let , and consider the following substitutions and -sets:
By letting , it is simple to verify that .
Note that most general -unifiers are not unique modulo variable renamings. For example, the equation admits several most general unifiers, including , , …which are of course all -equivalent. -unifiers can be computed by a slight adaptation of the usual unification algorithm (see Appendix A for details).
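A rough sketch of such an adaptation, using the same illustrative term representation as before (variables as strings, compound terms and constants as symbol/argument-list pairs; all names are ours), is the following: the algorithm proceeds as standard syntactic unification, except that a clash between two distinct abducible constants is recorded as a residual equation instead of causing failure.

```python
def walk(t, subst):
    """Follow variable bindings until an unbound variable or a non-variable term."""
    while isinstance(t, str) and t in subst:
        t = subst[t]
    return t

def a_unify(s, t, abducibles):
    """A-unification sketch: returns (substitution, residual A-set) on success,
    None on failure.  The residual A-set collects the equations between
    abducible constants needed to make the two terms equal.
    (The occurs check is omitted for brevity.)"""
    subst, aset = {}, set()
    stack = [(s, t)]
    while stack:
        u, v = stack.pop()
        u, v = walk(u, subst), walk(v, subst)
        if u == v:
            continue
        if isinstance(u, str):
            subst[u] = v
        elif isinstance(v, str):
            subst[v] = u
        else:
            (f, ua), (g, va) = u, v
            if f != g or len(ua) != len(va):
                # Clash: tolerated only between two distinct abducible constants,
                # in which case the equation is stored as a residual constraint.
                if not ua and not va and f in abducibles and g in abducibles:
                    aset.add(frozenset((f, g)))
                    continue
                return None
            stack.extend(zip(ua, va))
    return subst, aset
```

For example, with abducibles a, b, c, the terms f(a, X) and f(b, c) are not syntactically unifiable, but A-unify with the substitution mapping X to c and the residual A-set containing the equation between a and b.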
3 A-Superposition Calculus
In this section we define an extension of the standard Superposition calculus (Bachmair and Ganzinger, 1994; Nieuwenhuis and Rubio, 2001) with which it is possible to generate all -flat implicates of a considered clause set. The calculus handles constrained clauses, called -clauses, the constraint part of an -clause being an -set containing all the equations and disequations needed to derive the corresponding non-constraint part from the original clause set. Unification is replaced by -unification, and the -set of the generated -unifier is appended to the constraint of the conclusion of the rule. Furthermore, an additional inference rule, called the -Assertion rule, is introduced in order to add disequations to the constraints.
An -clause is a pair where is a clause and is an -set. If , then we may write instead of .
In what follows, we first define the ordering and selection function the calculus is based upon before presenting the inference rules and redundancy criterion of the -Superposition calculus. We conclude this section by showing that the calculus is sound.
3.1 Ordering and Selection Function
We begin by introducing some additional notations and terminology.
For all terms , , we write if for every -set and ground substitution , we have . This ordering is extended to atoms, literals and clauses in a similar way to .
Intuitively means that is always greater than , regardless of the names of the constants in .
If and , then we have , but , since .
A substitution is -pure if for all variables , is either a variable or a constant in .
A function sel is a selection function for an ordering iff sel maps every clause to a set of literals in such that either contains a negative literal or contains all literals that are -maximal in .
We consider a selection function sel for the ordering , that satisfies the following assumptions.
The function sel is stable under -substitutions, i.e., for every clause , for every literal and for every -substitution , if , then .
For every -clause , if contains a literal of the form then contains no negative literal of the form with .
Assumption 15 can always be fulfilled since negative literals can be selected arbitrarily.
3.2 Inference Rules
The calculus is defined by the rules below. The standard Superposition calculus (denoted by ) coincides with if .
Following our convention, in all rules, if , are two -sets, then does not denote the mere union of and , but rather the smallest -set containing both and (it is obtained by transitive closure from the union of and ). For example, if with , and , then denotes the -set . Similarly, if is an -set and is an -pure substitution, then denotes the smallest -set containing . For instance, if and , then .
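The closure operation on constraint parts can be sketched with a small union-find structure (an implementation detail of ours, not prescribed by the paper), which merges equivalence classes of abducible constants and, mimicking the reduction ordering, elects the smallest constant of each class as its representative:

```python
def close(equations):
    """Compute the smallest set of equations between abducible constants that
    contains `equations` and is closed under transitivity, represented as a
    map from each constant to the representative (smallest member, by the
    natural string order) of its equivalence class."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    for a, b in equations:
        lo, hi = sorted((find(a), find(b)))
        parent[hi] = lo                     # orient toward the smaller constant
    return {c: find(c) for c in parent}
```

For instance, closing the union of the singleton sets containing a ≈ b and b ≈ c puts a, b, c in one class, so the derived equation a ≈ c belongs to the resulting A-set.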
If , is an -pure most general -unifier of and , , , and if is a variable then occurs in .
We shall refer to the left and right premises of the inference rule as the into and from premises, respectively. The main difference with the usual Superposition rule (besides the replacement of by and of unifiers by -unifiers) is that superposition into a variable is permitted, provided the considered variable occurs in the constraint part of the clause. The reason is that these do not actually represent variables in the usual sense, but rather placeholders for (unknown) constants (see also Example 41).
By definition of the calculus, variables can only occur in the constraints if the -Assertion rule (see below) is applied on a non-ground literal. This is the case because, by definition of -unification, the other rules add only ground equations into the constraints. Furthermore, by definition, a non-ground literal can be added to the constraints only if the considered clause is variable-eligible, i.e. contains a selected literal of the form , where . This cannot happen if the clause set is variable-inactive (Armando et al, 2009). However, there exist theories of interest that are not variable-inactive, for instance the theory of arrays with axioms for constant arrays (e.g., ).
Note that the rule applies if and are of the form and (with ), in which case is of the form . If is then the -clause is a tautology and can be deleted, and if is then the literal is deleted from the clause as explained before. The rule is essentially equivalent to Ordered Resolution in this case (see for instance Leitsch, 1997).
If is an -pure most general -unifier of and and .
If is an -pure most general -unifier of and , , and .
For technical convenience, we assume that is omitted in the conclusion if .
If , and .
If , and .
The rule can also be applied by replacing some of the premises with variants of the Reflexivity axiom (note that if all premises are of this form, then the conclusion is a tautology).
The interpretation of an -clause is defined as a logical implication:
An interpretation validates an -clause iff for every -pure ground substitution of domain , either or .
If for all interpretations , then is a tautology. In particular, this property holds if is unsatisfiable, if contains two complementary literals or a literal of the form , or if all the literals in occur in .
Let be a set of -clauses. If is generated from by one of the rules of then .
It suffices to prove that all the rules are sound, i.e., that the conclusion of the rule is a logical consequence of the premises. This is due to the fact that if is an -unifier of , then the -clause is valid in all interpretations. Then the proof follows by a straightforward inspection of the rules, as in the usual case.
We now adapt the standard redundancy criterion to -clauses. An -clause is quasi-positive if the only negative literals occurring in it are of the form .
An -clause is -redundant in a set of -clauses if either is a tautology, or for every ground substitution of the variables in such that is a satisfiable -set, one of the following conditions holds.
There exists an -clause and a substitution such that and .
If or is not both -flat and quasi-positive, then there exist -clauses and substitutions (), such that:
for all ,
It is easy to check that the standard redundancy detection rules, such as subsumption, tautology deletion or equational simplification, are particular cases of this redundancy criterion. Note that the second item in Definition 19 is similar to the usual redundancy criterion of the Superposition calculus (see, e.g., Bachmair and Ganzinger, 1994), with the following differences: (i) the entire constraint part of the considered -clause may be used to infer the clausal part, disregarding any ordering condition, (ii) the condition only applies to clauses that are not both -flat and quasi-positive. For the clauses that are -flat and quasi-positive, redundancy testing is limited to tautology deletion and subsumption (this is necessary to ensure completeness, see Remark 27).
Let . The -clause is -redundant in any set , since for all ground substitutions , .
The -clause is -redundant in . Indeed, let , then and .
The following result is a straightforward consequence of Definition 19.
If is redundant in a set , then for any -substitution , is also redundant in .
A set is -saturated if every -clause that can be derived from -clauses in by a rule in is redundant in .
We provide simple application examples.
Let . Assume that . By applying the -Superposition rule on the terms and , we derive the clause (note that this application of the rule is equivalent to the usual one). Then the -Superposition rule can be applied again on the terms and . The unification yields the constraints , hence the following -clause is derived: . The Assertion rule cannot be applied on , since this literal is not -flat. Instead, the application of the -Superposition rule on the term (note that we must have since and ) yields: . Finally, the Assertion rule can be applied on since this literal is -flat, thus generating . This -clause is equivalent to the clause , and we have .
The second example involves predicate symbols.
We consider two functions and such that and are increasing, together with abducible constants , , and . The aim is to determine under which conditions the property holds. The problem is formalized as follows (where stands for and , ): . For conciseness, the axioms corresponding to (e.g., transitivity) are omitted since they play no role in our context.
The Superposition rule applies on the first and last clauses, yielding . Then the rule applies again from the latter clause into the second one, and it generates: . Finally the -Assertion rule yields the -clause: , meaning that the desired property is fulfilled if and hold.
The -Assertion rule is necessary to guarantee deductive completeness, as shown in the example below.
Consider the (satisfiable) clause set: , where and are variables. It is simple to verify that , and the calculus is designed to generate from a clause of the form , where . In order to generate such a clause, it is clear that one has to unify and , since the unification of and leads to an immediate failure, so that the Reflection rule is not applicable. This is feasible only if the condition is added to the constraints of the obtained clause, yielding a constrained clause of the form: . The literal is deleted using the -Assertion rule, by appending the disequation to the constraints, thus obtaining the required -clause: .
The last example shows that the -Substitutivity rule is also needed for completeness.
Consider the clause set: . It is clear that for any predicate symbol of arity , but cannot be generated without the help of the -Substitutivity rule. The above implicate is indeed obtained as follows: The -Substitutivity rule generates the -clause , then the -Superposition rule applies from , yielding , and the desired result is obtained by applying the -Assertion rule. Note that the equation does not need to be inferred in our context since predicate symbols are allowed only in atoms of the form . Considering implicates built on arbitrary function symbols (with nested applications) would lead to divergence since, e.g., an infinite number of clauses of the form (with ) could be derived from the above clause.
The previous example also shows the importance of the restriction on the redundancy criterion. Indeed, if the criterion is relaxed by removing the condition “ is not -flat and quasi-positive” in the second item of Definition 19, then the -clause is redundant in (since and ). Consequently, no non-redundant inferences apply on , and the implicate cannot be generated.
4 Deductive Completeness
We show in this section that is deductive-complete for the clauses in . More precisely, we prove that for any -saturated set and clause , if then contains an -clause of the form where . The result is obtained in the following way. Given such a set and clause , we consider the smallest -set that contains , and construct a set of standard ground clauses such that:
contains all ground instances of clauses in , as well as a set of unit clauses equivalent to .
is saturated under a slightly adapted version of the Superposition calculus which is refutationally complete.
Since is unsatisfiable and the considered calculus is refutationally complete, these two properties together will entail that contains the empty clause. Finally, we show that this is possible only if contains an -clause of the required form.
First, we formally define the notions of -implicates and prime -implicates.
Let be a set of -clauses. A clause is an -implicate of if it satisfies the following conditions.
is -flat and ground.
is not a tautology.
is a prime -implicate of if, moreover, holds for every -implicate of such that . We denote by the set of -implicates of .
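In the purely propositional case, where entailment between ground clauses degenerates to literal inclusion (this is only an approximation in full equational logic, where entailment modulo the equality axioms must be used instead), primality filtering amounts to keeping the subset-minimal clauses:

```python
def prime(implicates):
    """Propositional approximation of primality: among the given clauses
    (sets of ground literals), keep those not strictly subsumed by another,
    preserving the input order."""
    imps = [frozenset(c) for c in implicates]
    return [c for c in imps if not any(d < c for d in imps)]
```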
We denote by the set of clauses of the form , where and maps each variable in to some constant symbol in such a way that is satisfiable (in other words, is such that for every , ). We write if for every clause , there exists such that .
Our goal is to prove that when is -saturated, i.e., that every prime implicate of occurs in (up to equivalence).
4.1 Definition of
Let and be two arbitrarily chosen function symbols not occurring in , where and . We assume that and that .
For every clause and clause set , denotes the set inductively defined as follows.
If and is obtained by applying the standard Superposition rule into from a positive and elementary clause in , then .
A clause set is non-redundant iff for every clause , is not redundant in . For every clause set , it is easy to obtain a non-redundant subset of that is equivalent to by recursively removing from every clause that is redundant in .
We define the set of standard ground clauses as well as a selection function as follows.
Let be a set of -clauses and let be an -set. We denote by the set
where for , is defined as follows:
is the set of clauses of the form , where , is a ground substitution of domain such that and for all , and is defined as follows:
if is -flat and quasi-positive;
The selection function is defined on as follows: contains all literals such that and one of the following holds:
is positive and is -maximal in .
is the set of unit clauses of the form , where and . The selection function is defined on by: .
is the set of non-redundant clauses in
and for all , contains all negative literals in .
is the set of non-redundant clauses in
and for all , contains all literals of the form in . Note that the symbol occurring in the generated clause is the same as the one in the corresponding literal of .
. We let , and .
It is easy to verify that the sets with are disjoint. The type of a clause is the number such that .
Let , and be the reflexive-transitive closure of , where . Consider the set of clauses
Then is decomposed as follows:
This set consists of , , and , where ranges over the set of all ground terms. The constants and occurring in are respectively replaced by and in . The -clause generates no clauses in , since .