Superposition for Fixed Domains
A formula is entailed by a clause set with respect to the standard first-order semantics, written , if holds in all models of over all possible domains. For a number of applications, this semantics is not sufficient to prove all properties of interest. In some cases, properties with respect to models over the fixed given domain of are required. These models are isomorphic to Herbrand models of over the signature , i.e. models whose domains consist only of terms build over . We denote this by . Even stronger, the validity of often needs to be considered with respect to a minimal model of the clause set , written or alternatively . For the sets of formulas that are valid with respect to these three different semantics, the following relations hold: .
The different semantics are of relevance, for example, in proving properties of computer systems. Very often, such systems can be naturally modeled by first-order formulas over a fixed domain. Consider the simple example of a building with three floors, Figure ?.
The bottom ()round floor and the top ()estaurant floor of the building are open to the public whereas the middle floor is occupied by a ()ompany and only open to its employees. In order to support this setting, there are two elevators and in the building. Elevator is for the employees of the company and stops on all three floors whereas elevator is for visitors of the restaurant, stopping solely on the ground and restaurant floor. Initially, there is a person in elevator and a person in elevator , both on the ground floor. We model the system by three predicates , , for the different floors, respectively, where, e.g., means that person sits in elevator on the ground floor. The initial state of the system and the potential upward moves are modeled by the following clauses: , , , , . Let us assume that the above predicates accept in their first argument elevators and in their second persons, e.g. implemented via a many-sorted discipline.
The intended semantics of the elevator system coincides with the minimal model of . Therefore, in order to prove properties of the system, we need to consider the semantics in general. Nevertheless, some structural properties are valid with respect to , for example the property that whenever a person (not necessarily or ) sits on the ground floor in elevator or , they can reach the restaurant floor, i.e. . In order to prove properties with respect to the specific domain of the system, we need to consider , for our example . With respect to this semantics, the state is reachable for all elevators, i.e. . This property is not valid for as there are models of with more elevators than just and . For example, there could be an elevator for the managers of the company that does not stop at the restaurant floor. Of course, such artificially extended models are not desired for analyzing the scenario. For the above elevator system, the company floor is not reachable by elevator . This can only be proven with respect to , i.e. , but not with respect to nor because there are models of over where e.g. holds.
In this simple example, all appearing function symbols are constants and the Herbrand universe is finite. Hence we could code the quantification over the Herbrand universe explicitly as . A property extended in this way is valid in all models of if and only if it is valid in all Herbrand models of , i.e. fixed domain reasoning can be reduced to first-order reasoning in this case. This reduction is, however, not possible when the Herbrand universe is infinite.
Inductive () and fixed-domain () theorem proving are more difficult problems than first-order () theorem proving: It follows from Gödels incompleteness theorem that inductive validity is not semi-decidable, and the same holds for fixed-domain validity.
Consider the following small example, demonstrating again the differences of the three semantics with respect to the minimal term generated model induced by the superposition calculus. The clause set is finitely saturated by superposition. The model in this example consists of all atoms where is a term over the signature and . So the domain of is isomorphic to the naturals and the interpretation of in is the “one greater than” relation. Now for the different entailment relations, the following holds:
Superposition is a sound and refutationally complete calculus for the standard semantics . In this paper, we develop a sound and refutationally complete calculus for . Given a clause set and a purely existentially quantified conjecture, standard superposition is also complete for . The problem arises with universally quantified conjectures that become existentially quantified after negation. Then, as soon as these existentially quantified variables are Skolemized, the standard superposition calculus applied afterwards no longer computes modulo , but modulo , where are the introduced Skolem functions. This approach is incomplete: In the example above, , but the ground clause does not hold in , where is the Skolem constant introduced for .
The idea behind our new calculus is not to Skolemize existentially quantified variables, but to treat them explicitly by the calculus. This is represented by an extended clause notion, containing a constraint for the existentially quantified variables. For example, the above conjecture results after negation in the clause with existential variable . In addition to standard first-order equational reasoning, the inference and reduction rules of the new calculus also take care of the constraint (see Section 3).
A unsatisfiability proof of a constrained clause set with our calculus in general requires the computation of infinitely many empty clauses, i.e. we lose compactness. This does not come as a surprise because we have to show that an existentially quantified clause cannot be satisfied by a term-generated infinite domain. For example, proving the unsatisfiability of the set over the signature amounts to the successive derivation of the clauses , , , and so on. In order to represent such an infinite set of empty clauses finitely, a further induction rule, based on the minimal model semantics , can be employed. We prove the new rule sound in Section 4 and show its potential.
In general, our calculus can cope with (conjecture) formulas of the form and does not impose special conditions on (except saturation for ), which is beyond any known result on superposition-based calculi proving properties of or . This, together with potential extensions and directions of research, is discussed in the final Section 5.
This article is a significantly extended version of .
We build on the notions of  and shortly recall here the most important concepts as well as the specific extensions needed for the new superposition calculus.
Terms and Clauses
Let be a signature, i.e. a set of function symbols of fixed arity, and an infinite set of variables, such that , and are disjoint and is finite. Elements of are called universal variables and denoted as , and elements of are called existential variables and denoted as . We denote by the set of all terms over and and by the set of all ground terms over . For technical reasons, we assume that there is at least one ground term, i.e. that contains at least one function symbol of arity .
We will define equations and clauses in terms of multisets. A multiset over a set is a function . We use a set-like notation to describe multisets, e.g. denotes the multiset where and for all in . An equation is a multiset of two terms, usually written as . A (standard universal) clause is a pair of multisets of equations, written , interpreted as the conjunction of all equations in the antecedent implying the disjunction of all equations in the succedent . A clause is Horn if contains at most one equation. The empty clause is denoted by .
We denote the subterm of a term at position by . The term that arises from by replacing the subterm at position by the term is . A substitution is a map from a finite set of variables to , and is called its domain.
A constrained clause consists of a conjunctively interpreted sequence of equations , called the constraint, and a clause , such that
for , and
neither the clause nor the terms contain existential variables.
Intuitively, constraint equations are just a different type of antecedent literals. The constrained clause is called ground if and are ground, i.e. if it does not contain any non-existential variables. A constraint induces a substitution mapping to for all , which we will denote by .
Constrained clauses are considered equal up to renaming of non-existential variables. For example, the constrained clauses and are considered equal ( and have been exchanged), but they are both different from the constrained clause , where and have been exchanged. We regularly omit constraint equations of the form , where is a variable, if does not appear elsewhere in the constrained clause, e.g. when , we write for . A constrained clause is called unconstrained. As constraints are ordered, the notion of positions lift naturally to constraints.
One of the strengths of superposition relies on the fact that only inferences involving maximal literals in a clause have to be considered, and that the conclusion of an inference is always smaller than the maximal premise. To state such ordering conditions, we extend a given ordering on terms to literal occurrences inside a clause, and to clauses.
Any ordering on a set can be extended to an ordering on multisets over as follows: if and whenever there is such that then for some .
Considering this, any ordering on terms can be extended to clauses in the following way. We consider clauses as multisets of occurrences of equations. The occurrence of an equation in the antecedent is identified with the multiset ; the occurrence of an equation in the succedent is identified with the multiset . Now we lift to equation occurrences as its twofold multiset extension, and to clauses as the multiset extension of this ordering on equation occurrences. If, for example, , then the equation occurrences in the clause are ordered as , because . Observe that an occurrence of an equation in the antecedent is strictly bigger than an occurrence of the same equation in the succedent, because .
An occurrence of an equation is maximal in a clause if there is no occurrence of an equation in that is strictly greater with respect to than the occurrence . It is strictly maximal in if there is no occurrence of an equation in that is greater than or equal to the occurrence with respect to .
Moreover, we extend to constraints pointwise
An ordering is well-founded if there is no infinite chain , it has the subterm property if for all where , and it is stable under substitutions if implies for all and all substitutions . A reduction ordering is a well-founded ordering that has the subterm property and is stable under substitutions.
A binary relation on is a rewrite relation if implies for all terms and all substitutions . By we denote the symmetric closure of , and by (and , respectively) we denote the reflexive and transitive closure of (and ).
A set of equations is called a rewrite system with respect to a term ordering if or for each equation . Elements of are called rewrite rules. We also write instead of if . By we denote the smallest rewrite relation for which whenever . A term is reducible by if there is a term such that , and irreducible or in normal form (with respect to ) otherwise. The same notions also apply to constraints instead of terms.
The rewrite system is ground if all equations in are ground. It is terminating if there is no infinite chain , and it is confluent if for all terms such that and there is a term such that and .
A Herbrand interpretation over the signature is a congruence on the ground terms , where the denotation of a term is the equivalence class of .
We recall the construction of the special Herbrand interpretation derived from a set of (unconstrained) clauses . Let be a well-founded reduction ordering that is total on ground terms. We use induction on the clause ordering to define ground rewrite systems , and for ground clauses over by , and , i.e. is the reflexive, transitive closure of . Moreover, if is a ground instance of a clause from such that
is a strictly maximal occurrence of an equation in and ,
is irreducible by ,
In this case, we say that is productive or that produces . Otherwise . Finally, we define a ground rewrite system as the set of all produced rewrite rules and define the interpretation over the domain as . The rewrite system is confluent and terminating. If is consistent and saturated with respect to a complete inference system then is a minimal model of with respect to set inclusion.
We will extend this construction of to constrained clauses in Section 3.2.
Constrained Clause Sets and Their Models
If and is a set of constrained clauses, then the semantics of is that there is a valuation of the existential variables, such that for all valuations of the universal variables, the constraint of each constrained clause in implies the respective clausal part: An interpretation models , written , iff there is a map from the set of existential variables to the universe of ,
For example, every Herbrand interpretation over the signature is a model of , because instantiating to falsifies the constraint. On the other hand, the set does not have any Herbrand models over because each instantiation of to a ground term over this signature validates one of the constraints, so that the corresponding constrained clause is falsified.
Note that the existential quantifiers range over the whole constrained clause set instead of each single constrained clause. The possibly most surprising effect of this is that two constrained clause sets may hold individually in a given interpretation while their union does not. As an example, note that the interpretation models both constrained clause sets (namely for ) and (namely for ). However, the union is not modeled by because there is no instantiation of that is suitable for both constrained clauses.
Let and be two (constrained) clause sets. We write if each model of is also a model of . We write if the same holds for each Herbrand model of over , and if . A constrained clause set is satisfiable if it has a model, and it is satisfiable over if it has a Herbrand model over .
Inference Rules and Redundancy
An inference rule is a relation on constrained clauses. Its elements are called inferences and are written as
The constrained clauses are called the premises and the conclusion of the inference. An inference system is a set of inference rules. An inference rule is applicable to a constrained clause set if the premises of the rule are contained in .
A ground constrained clause is called redundant with respect to a set of constrained clauses if there are ground instances (with the common constraint ) of constrained clauses in such that for all and .
A constrained clause set is saturated (with respect to a given inference system) if each inference with premises in is redundant with respect to .
Our notion of (constrained) clauses does not natively support predicative atoms. However, predicates can be included as follows: We consider a many-sorted framework with two sorts and , where the predicative sort is separated from the sort of all other terms. The signature is extended by a new constant of the predicative sort, and for each predicate by a function symbol of sort . We then regard a predicative atom as an abbreviation for the equation . As there are no variables of the predicative sort, substitutions do not introduce symbols of this sort and we never explicitly express the sorting, nor do we include predicative symbols when writing down signatures.
A given term ordering is extended to the new symbols such that is minimal.
3First-Order Reasoning in Fixed Domains
In this section, we will present a saturation procedure for sets of constrained clauses over a domain and show how it is possible to decide whether a saturated constrained clause set possesses a Herbrand model over . The calculus extends the superposition calculus of Bachmair and Ganzinger .
Before we come to the actual inference rules, let us review the semantics of constrained clauses by means of a simple example. Consider the constrained clause set
over the signature .
This constrained clause set corresponds to the formula . In each Herbrand interpretation over , this formula is equivalent to the formula , which corresponds to the following constrained clause set:
Hence these two constrained clause sets are equivalent in every Herbrand interpretation over the signature .
An aspect that catches the eye is that, although the clausal part of the last constrained clause is empty, this does not mean that the constrained clause set is unsatisfiable over . The clause is constrained by , which means that, e.g., it is not satisfiable under the instantiation and . In fact, the instantiated formula is unsatisfiable. On the other hand, the clause set is satisfiable under the instantiation and .
Derivations using our calculus will usually contain multiple, potentially infinitely many, constrained clauses with empty clausal parts. We explore in Theorem ? how the unsatisfiability of a saturated set of constrained clauses over depends on a covering property of the constraints of constrained clauses with empty clausal part. In Theorem ?, we prove that this property is decidable for finite constrained clause sets. Furthermore, we show how to saturate a given set of constrained clauses (Theorem ?). Finally, we present in Section 3.3 an extension of the calculus that allows to deduce a wider range of Herbrand models of -satisfiable constrained clause sets.
3.1The Superposition Calculus for Fixed Domains
We consider the following inference rules, which are defined with respect to a reduction ordering on that is total on ground terms. Most of the rules are quite similar to the usual superposition rules , just generalized to constrained clauses. However, they require additional treatment of the constraints to avoid inferences like
the conclusion of which contains the existential variable more than once in its constraint and hence is not a constrained clause. In addition, there are two new rules that rewrite constraints.
To simplify the presentation below, we do not enrich the calculus by the use of a negative literal selection function as in , although this is also possible. As usual, we consider the universal variables in different appearing constrained clauses to be renamed apart. If and are two constraints, we write for the equations , and for the most general simultaneous unifier of . Note that does not contain any existential variables.
This inference system contains the standard universal superposition calculus as the special case when there are no existential variables at all present, i.e. and all constraints are empty: The rules equality resolution, equality factoring, and superposition right and left reduce to their non-constrained counterparts and the constraint superposition and equality elimination rules become obsolete.
While the former rules are thus well-known, a few words may be in order to explain the idea behind constraint superposition and equality elimination. They have been introduced to make the calculus refutationally complete, i.e. to ensure that constrained clause sets that are saturated with respect to the inference system and that do not have a Herbrand model over the given signature always contain “enough” constrained empty clauses (cf. Definition ? and Theorem ?).
A notable feature of constraint superposition is how the information of both premise constraints is combined in the conclusion. Classically, the existential variables would be Skolemized and the constraint of a constrained clause would be regarded as part of its antecedent. In this setting, superpositions into the constraint part as considered here would not even require a specialized rule but occur naturally in the following form:
Translated into the language of constrained clauses, the conclusion would, however, not be a well-formed constrained clause. In most inference rules, we circumvent this problem by forcing a unification of the constraints of the premises, so that we can use an equivalent and admissible conclusion. For constraint superposition, this approach turns out to be too weak to prove Proposition ?. Therefore, we instead replace by in this inference rule to regain an admissible constrained clause.
The resulting constraint superposition rule alone is not sufficient to obtain refutational completeness. Abstractly speaking, it only transfers information about the equality relation from the clausal part into the constraint part. For completeness, we also need a transfer the other way round. Once we find terms that cannot be solutions to the existentially quantified variables, we have to propagate this information through the respective equivalence classes in the clausal part. The result is the rule equality elimination, which deletes equations that are in conflict with the satisfiability of constrained empty clauses.
The rules constraint superposition and equality elimination are the main reason why can manage theories that are not constructor-based, i.e. where the calculus cannot assume the irreducibility of certain terms.
When we work with predicative atoms in the examples, we will not make the translation into the purely equational calculus explicit. If, e.g., is a predicate symbol that is translated into the function symbol , we write a derivation
consisting of a superposition into a predicative atom and the subsequent resolution of the atom in the following condensed form:
3.2Model Construction and Refutational Completeness
By treating each constraint as a part of the antecedent, constrained clauses can be regarded as a special class of unconstrained clauses. Because of this, the construction of a Herbrand interpretation for a set of constrained clauses is strongly connected to the one for universal clause sets . The main difference is that we now have to account for existential variables before starting the construction. To define a Herbrand interpretation of a set of constrained clauses, we proceed in two steps: First, we identify an instantiation of the existential variables that does not contradict any constrained clauses with empty clausal part, and then we construct the model of a set of unconstrained clause instances.
Note that even if is not covering, is usually not uniquely defined. E.g. for the constrained clause set over , it holds that and both and are valid choices. When necessary, this ambiguity can be avoided by using an ordering on the existential variables as a tie breaker.
While it is well known how the construction of works once is given, it is not that obvious that it is decidable whether is covering and, if it is not, effectively compute . This is, however, possible for finite :
Consider the formula
and let be the set of universal variables occurring in . The set is not covering if and only if the formula is satisfiable in . Such so-called disunification problems have been studied among others by Comon and Lescanne , who gave a terminating algorithm that eliminates the universal quantifiers from and transforms the initial problem into a formula , , such that each is of the shape
where occur only once in each , the are variables and . This is done in such a way that (un-)satisfiability in is preserved. The formula is satisfiable in if and only if the disjunction is not empty. All solutions can easily be read off from the formula.
For saturated sets, the information contained in the constrained empty clauses is already sufficient to decide whether Herbrand models exist: Specifically, we will now show that a saturated constrained clause set has a Herbrand model over (namely ) if and only if is not covering. In this case, is a minimal model of , and we will also call it the minimal model of (with respect to ). Observe, however, that for other choices of there may be strictly smaller models of with respect to set inclusion: For , we have and , and strictly contains the model of that corresponds to the constraint .
Since is defined via a set of unconstrained clauses, it inherits all properties of minimal models of unconstrained clause sets. Above all, we will use the property that the rewrite system constructed in parallel with is confluent and terminating.
Assume contrary to the proposition that is not covering and is reducible. Then there are a position and a rule produced by a ground instance of a constrained clause , such that .
Because of the minimality of and because , there must be a constrained clause and a substitution such that . Since by definition is not an instance of , the position is a non-variable position of . Since furthermore and is a unifier of and and , there is an equality elimination inference as follows:
Because of the saturation of , the ground instance
of this derivation is redundant. The first premise cannot be redundant because it is productive; the second one cannot be redundant because there are no clauses that are smaller than . This means that the constrained clause follows from ground instances of constrained clauses in all of which are smaller than the maximal premise . But then the same ground instances imply , which means that this constrained clause cannot be productive. A contradiction.
Let . By definition of entailment, implies that , or equivalently . We have already seen in Lemma ? that is irreducible. Because of the confluence of , either or must be reducible.
Assume the latter, i.e. that for a position and a rule that has been produced by the ground instance of a constrained clause . If is a variable position in or not a position in at all, then the rule actually reduces , which contradicts the minimality of . Otherwise, there is a constraint superposition inference
Consider the ground instance of the conclusion. This constrained clause is not modeled by . On the other hand, that is saturated implies that the ground inference
is redundant. The premises cannot be redundant, because is productive and is minimal, so the constrained clause follows from ground instances of constrained clauses of all of which are smaller than . Since moreover , all these ground instances hold in , hence by minimality of . This is a contradiction to .
Assume, contrary to the proposition, that is saturated, is not covering, and . Then there is a minimal ground instance of a constrained clause that is not modeled by . We will refute this minimality. We proceed by a case analysis of the position of the maximal literal in . As usual, we assume that the appearing constrained clauses do not share any non-existential variables.
Since we obtained a contradiction in each case, the initial assumption must be false, i.e. the proposition holds.
For the construction of , we chose to be minimal. For non-minimal , the proposition does not hold:
On the other hand, whenever has any Herbrand model over then is not covering:
Let be a Herbrand model of over .
Then , i.e. there is a substitution , such that for all and all , implies . Since the latter is false, for all , and so . The same holds for the Herbrand model over where is interpreted as syntactic equality, i.e. . But then the constraint is not an instance of the constraint of any constrained clause of the form , so is not covering.
A constrained clause set for which is covering may nevertheless have both non-Herbrand models and Herbrand models over an extended signature: If and then is covering, but any standard first-order interpretation with a universe of at least two elements is a model of .
Propositions ? and ? constitute the following theorem:
Moreover, the classical notions of (first-order) theorem proving derivations and fairness from  carry over to our setting.
Due to the semantics of constrained clauses and specifically the fact that all constrained clauses in a set are connected by common existential quantifiers, it does not suffice to require that (or , respectively). E.g. for the signature and , the constrained clause is modeled by every Herbrand interpretation over , but .
Our calculus is sound, i.e. we may employ it for deductions in both types of theorem proving derivations:
This proof relies on the soundness of paramodulation, the unordered correspondent to (unconstrained) superposition .
Let be the conclusion of an inference from . Then is (modulo (unconstrained) equality resolution) an instance of the conclusion of a paramodulation inference from and . Because of the soundness of the paramodulation rules, we have .
This follows directly from Lemma ?.
A or theorem proving derivation is fair if every inference with premises in the constrained clause set is redundant with respect to . As usual, fairness can be ensured by systematically adding conclusions of non-redundant inferences, making these inferences redundant.
As it relies on redundancy and fairness rather than on a concrete inference system (as long as this system is sound), the proof of the next theorem is exactly as in the unconstrained case:
3.3Other Herbrand Models of Constrained Clause Sets
A so far open question in the definition of the minimal model is whether there is the alternative of choosing a non-minimal constraint . We have seen in Example ? that this is in general not possible for sets that are saturated with respect to our present calculus, but we have also seen after Theorem ? that models corresponding to non-minimal constraints may well be of interest. Such a situation will occur again in Example ?, where knowledge about all models allows to find a complete set of counterexamples to a query.
To include also Herbrand models arising from non-minimal constraints, we now change our inference system. The trade-off is that we introduce a new and prolific inference rule that may introduce constrained clauses that are larger than the premises. This makes even the saturation of simple constrained clause sets non-terminating. E.g. a derivation starting from will successively produce the increasingly large constrained clauses , and so on.
The following two changes affect only this section.
Note that in a purely predicative setting, i.e. when all equations outside constraints are of the form , the separation of base sort and predicative sort prevents the application of both the original and the new equality elimination rule. So the calculi and coincide in this case.
Since the proof of Lemma ? depends strongly on the minimality of , we have to change our proof strategy and cannot rely on previous results.
Let be the minimal ground instance of a constrained clause in such that . We first show that we can restrict ourselves to the case where rewrites to using and then solve this case.
implies , thus by confluence of
where is the normal form of under . We show that .
If , then there is a rule that was produced by the ground instance of a constrained clause such that .
If is a variable position in or not a position in at all, then the rule actually reduces , which contradicts the minimality of .
So must be a non-variable position of . Let . Then there is a constraint superposition inference as follows:
The ground instance of the conclusion is not modeled by . On the other hand, because is saturated, the ground instance
of the above inference is redundant. The first premise cannot be redundant because it is productive; the second one cannot be redundant because of the minimality of . This means that the conclusion follows from ground instances of constrained clauses in all of which are smaller than the maximal premise . All these ground instances are modeled by , and so .
So whenever , there is a ground instance of a constrained clause in such that and . In particular .
Let be the minimal number for which there is a ground instance of a constrained clause in such that and rewrites to via in steps, written . We have to show that .
Assume . Then the last step of the derivation is of the form , where the rule has been produced by a constrained clause with .
If is a variable position in or not a position in at all, we write such that is a variable. Let be the substitution that coincides with except that . Then and contradicts the minimality of .
Otherwise there is an equality elimination inference as follows:
The ground instance of the conclusion is not modeled by . In particular, and .
Since the inference, and hence also the constrained clause is redundant, there are constrained clauses together with substitutions , such that for all and . This implies that for at least one of the constrained clause instances . Since , this contradicts the minimality of .
With this preparatory work done, we can reprove Proposition ? and Theorem ? in this new setting:
The proof is almost identical to the proof of Proposition ?. The only difference is that, instead of reasoning about the minimal ground instance of a constrained clause that is not modeled by , we consider the minimal such instance that additionally satisfies . Lemma ? states that this is sufficient.
4Fixed Domain and Minimal Model Validity of Constrained Clauses
Given a constrained or unconstrained clause set , we are often not only interested in the (un)satisfiability of (with or without respect to a fixed domain), but also in properties of Herbrand models of a over , especially of . These are not always disjoint problems: We will show in Proposition ? that, for some and queries of the form