
A Proof System and a Decision Procedure for Equality Logic

2004, Lecture Notes in Computer Science

Olga Tveretina and Hans Zantema
Department of Computer Science, TU Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
o.tveretina@tue.nl, h.zantema@tue.nl

Abstract. We give an approach for deciding satisfiability of equality logic formulas (E-SAT) in conjunctive normal form. Central in our approach is a single proof rule called equality resolution (ER). For this single rule we prove soundness and completeness. Based on this rule we propose a complete procedure for E-SAT and prove its correctness. Applying our procedure to a variation of the pigeon hole formula yields polynomial complexity, contrary to earlier approaches to E-SAT. Parts of the theory we developed for proving completeness of the proof rule and the algorithm are of interest in themselves: we give techniques for removing clauses while preserving unsatisfiability, and we give a general theorem globalizing a local commutation criterion for different proof systems.

Keywords: equality logic, satisfiability, resolution.

1 Introduction

The logic of equality with uninterpreted functions (UIFs) has been proposed for verifying hardware [5]. This type of logic is mainly used for proving equivalence between systems. When verifying equivalence between two formulas it is often possible to abstract away functions by replacing them with UIFs. In [1] Ackermann showed that the problem of deciding the validity of a formula in equality logic with UIFs can be reduced to checking satisfiability of equality formulas. The abstraction process does not preserve validity and may transform a valid formula into an invalid one. However, in some application domains the process of abstraction is justified. Bryant et al. [3] presented a different approach to transform a formula containing functions into an equality logic formula, which can exploit the maximal diversity property while Ackermann's method cannot.
An equality formula is a formula consisting of equalities between a given set of variables and the usual propositional connectives. The meaning of such a formula is given by interpreting the variables in any domain, where equality has its usual meaning. In the past several years various procedures for checking satisfiability of such formulas have been suggested. Barrett et al. [2] proposed a decision procedure based on computing congruence closure in combination with case splitting. Many approaches use a transformation of equality logic to propositional logic. Given such a transformation Ψ, checking satisfiability of an equality formula φ proceeds as follows: compute Ψ(φ) and apply a standard satisfiability checker for propositional formulas. Goel et al. [6] and Bryant et al. [4] reduce an equality formula to a propositional one by adding transitivity constraints. In this approach it is analyzed which transitivity properties may be relevant. A different approach is called range allocation [8, 11]. In this approach the formula structure is analyzed to define a small domain for each variable. Then a standard BDD based tool is used to check satisfiability of the formula under that domain. Another approach is given in [7]. This approach is based on BDD computation, with some extra rules for dealing with transitivity. Unfortunately unicity of reduced BDDs is lost, but for E-SAT a full algorithm is given.

The main problem dealt with in this paper is: given an equality formula, decide whether it is satisfiable or not. This problem is called E-SAT, similar to the way propositional satisfiability is called SAT. Similar to propositional logic, every equality formula can be transformed to an equality formula in conjunctive normal form (E-CNF) such that the original formula is satisfiable if and only if the E-CNF is satisfiable. Hence we may, and shall, concentrate on satisfiability of E-CNFs. In this paper we propose a resolution-based approach to deal with equality formulas.
One of the problems that our method must deal with is detecting inconsistent combinations of atoms, such as $x_1 \approx x_2, \ldots, x_{n-1} \approx x_n, x_1 \not\approx x_n$. We give a single proof rule called equality resolution (ER):

$$\frac{\{x_1 \approx x_2\} \cup C_1, \;\ldots,\; \{x_{n-1} \approx x_n\} \cup C_{n-1}, \;\{x_1 \not\approx x_n\} \cup C_n}{C_1 \cup \cdots \cup C_n}$$

Here we write '$\approx$' for equality rather than '$=$' to avoid confusion with other uses of the symbol '$=$', and we use the notation $x \not\approx y$ as an abbreviation of $\neg(x \approx y)$. We consider clauses as sets of literals, hence we use set theory notation for joining clauses. It is well-known that by the combination of paramodulation and resolution the empty clause can be deduced from any unsatisfiable set of clauses [9]. However, earlier resolution-based proof systems for logics with equality either generate numerous useless resolvents or generate clauses containing new literals. Our system has a number of advantages; for instance, in a clause newly generated by our proof system only literals occur that already occur in the original formula. We will prove that the ER rule is sound and complete using completeness of paramodulation together with resolution.

A decision procedure is an essential component of formal verification systems. Since checking satisfiability of an equality formula is NP-hard, no general efficient algorithm exists. Our procedure for checking satisfiability of a given E-CNF is a variant of the classical Davis-Putnam procedure for propositional logic. In order to prove soundness and completeness of our procedure we develop some theory that is of interest in itself. The search space in saturation-based procedures can grow very rapidly. The procedure is more efficient when redundant clauses are removed during the search. We give criteria for redundancy and we optimize our procedure by using these criteria. As an example we apply this procedure to a formula parameterized by $n$ that is a variation of the well-known pigeon hole formula.
It turns out that our procedure proves unsatisfiability of this formula very efficiently, even quadratically in $n$, while standard approaches fail to efficiently prove unsatisfiability of this formula.

Our paper is organized as follows. In Section 2 we give basic definitions. In Section 3 we introduce the ER rule and we present a general theorem globalizing a local commutation criterion for different proof systems. We give approaches to remove redundant clauses from a given E-CNF in Section 4. In Section 5 the basic and optimized procedures are described and some examples are given. Some concluding remarks are in Section 6.

2 Basic Definitions and Preliminaries

Any formula in equality logic can be straightforwardly converted to an equivalent E-CNF, just like this can be done in propositional logic. In the worst case the size of the result is exponential in the size of the original formula. This can be avoided by adding extra variables. The well-known Tseitin transformation transforms an arbitrary propositional formula to a CNF in such a way that the original formula is satisfiable if and only if the CNF is satisfiable. Both the size of the resulting CNF and the complexity of the transformation procedure are linear in the size of the original formula. In this transformation new propositional variables are introduced, so applying it directly to equality formulas will yield a CNF in which the atoms are both equalities and propositional variables. However, if we have $n$ propositional variables $p_1, \ldots, p_n$ we can introduce $n + 1$ fresh domain variables $a, x_1, \ldots, x_n$ and replace every propositional variable $p_i$ by the equality $x_i \approx a$. In this way satisfiability is easily seen to be maintained. Hence we may and shall restrict to satisfiability of E-CNFs.

An E-CNF $F$ is a conjunction of clauses. A clause $C$ is a disjunction of literals. The empty clause is denoted by $\bot$. A literal $l$ is an atom $x \approx y$ or a negated atom $x \not\approx y$, where $x$ and $y$ belong to a set of variables $V$.
We consider $x \approx y$ and $y \approx x$ as the same atom. Since conjunction and disjunction are associative and commutative, an E-CNF can be viewed as a set of sets of literals. A domain $D$ is defined to be a non-empty set. For any domain we define an assignment as a function $A : V \to D$. For an assignment $A$ we define the corresponding interpretation $I_A$ on literals by:

$$I_A(x \approx y) = \mathrm{true} \text{ if } A(x) = A(y), \qquad I_A(x \approx y) = \mathrm{false} \text{ if } A(x) \neq A(y), \qquad I_A(x \not\approx y) = \neg I_A(x \approx y).$$

An assignment $A$ satisfies a literal $l$ on some domain $D$ if $I_A(l) = \mathrm{true}$. An assignment satisfies a clause if the interpretation of at least one of its literals yields true. An assignment satisfies an E-CNF $F$ if and only if it satisfies each of its clauses, and we say that $F$ is mapped to true. An E-CNF $F$ on a set of variables $S$ is called satisfiable if there is a domain $D$ and an assignment $A$ such that $F$ is mapped to true. If there is no assignment that maps an E-CNF $F$ to true then $F$ is called unsatisfiable. For an E-CNF $F$ we write $V_F$ for the set of all variables contained in $F$ and $L_F$ for the set of all literals contained in $F$.

Definition 1. A set of clauses is called minimally unsatisfiable if it is unsatisfiable and each of its proper subsets is satisfiable.

Lemma 2. The set of clauses $\{\{x_1 \approx x_2\}, \ldots, \{x_{n-1} \approx x_n\}, \{x_1 \not\approx x_n\}\}$ is minimally unsatisfiable.

Proof. Obviously, this set of clauses is unsatisfiable. We shall show that removing any clause makes this set of clauses satisfiable. Any subset of a satisfiable set of clauses is also satisfiable. There exists an assignment $A : V \to \mathbb{N}$ such that $A(x_1) = \cdots = A(x_n)$. This assignment satisfies $\{x_1 \approx x_2\}, \ldots, \{x_{n-1} \approx x_n\}$. For $i \in \{1, \ldots, n\}$ there exists an assignment $A : V \to \mathbb{N}$ such that $A(x_1) = \cdots = A(x_i) \neq A(x_{i+1}) = \cdots = A(x_n)$, satisfying $\{x_1 \approx x_2\}, \ldots, \{x_{i-1} \approx x_i\}, \{x_{i+1} \approx x_{i+2}\}, \ldots, \{x_{n-1} \approx x_n\}, \{x_1 \not\approx x_n\}$. □

An important notion in this paper is that of a contradictory cycle.

Definition 3.
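As an added example (not part of the paper), the semantics just defined written out in Python: assignments are enumerated up to renaming of values, which suffices because a clause set only sees which variables an assignment makes equal (a small-model observation assumed here, not stated on the page), and the chain of Lemma 2 is checked for minimal unsatisfiability by brute force. The function names are mine; `chain(n)` and `EXAMPLE_F2` (the E-CNF $F_2$ of Example 14 below) are constructed inline.

```python
# Added example: brute-force semantics of E-CNFs (Section 2) and a check of Lemma 2.
# A literal is (x, y, pos) with x < y: pos=True is x ≈ y, pos=False is x ≉ y.
# A clause is a frozenset of literals and an E-CNF a set of clauses; ⊥ is frozenset().
def lit(x, y, pos=True):
    return (min(x, y), max(x, y), pos)

def holds(A, l):
    """I_A(l) for an assignment A given as a dict variable -> natural number."""
    x, y, pos = l
    return (A[x] == A[y]) == pos

def satisfies(A, F):
    """A satisfies F iff every clause contains a literal interpreted as true."""
    return all(any(holds(A, l) for l in C) for C in F)

def variables(F):
    return sorted({v for C in F for x, y, _ in C for v in (x, y)})

def canonical_assignments(vs):
    """All assignments V -> N up to renaming of values. Only the induced equalities
    matter, so the set partitions of V (as restricted growth strings) are exhaustive;
    this small-model argument is assumed here and is not stated on the page."""
    def grow(prefix, top):
        if len(prefix) == len(vs):
            yield dict(zip(vs, prefix))
            return
        for v in range(top + 2):          # reuse an existing value or open a new one
            yield from grow(prefix + [v], max(top, v))
    yield from grow([], -1)

def satisfiable(F):
    """A satisfying assignment of F, or None if F is unsatisfiable."""
    for A in canonical_assignments(variables(F)):
        if satisfies(A, F):
            return A
    return None

def minimally_unsatisfiable(F):
    """Definition 1. Subsets of satisfiable sets are satisfiable, so it suffices to
    check the subsets obtained by dropping one clause (as in the proof of Lemma 2)."""
    return satisfiable(F) is None and all(satisfiable(F - {C}) is not None for C in F)

def chain(n):
    """The clause set of Lemma 2: {x1 ≈ x2}, ..., {x(n-1) ≈ xn}, {x1 ≉ xn}."""
    xs = [f"x{i}" for i in range(1, n + 1)]
    F = {frozenset({lit(xs[i], xs[i + 1])}) for i in range(n - 1)}
    F.add(frozenset({lit(xs[0], xs[-1], False)}))
    return F

# Constructed from Example 14: the E-CNF F2.
EXAMPLE_F2 = {
    frozenset({lit("y1", "y3", False), lit("y2", "y4", False), lit("z1", "z2")}),
    frozenset({lit("y1", "y3")}), frozenset({lit("y2", "y4")}),
    frozenset({lit("z1", "z3")}), frozenset({lit("z2", "z3", False)}),
}

if __name__ == "__main__":
    print("chain(4) minimally unsatisfiable:", minimally_unsatisfiable(chain(4)))
    print("F2 satisfiable:", satisfiable(EXAMPLE_F2) is not None)
```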
A contradictory cycle $\theta$ is defined to be a set of literals $x_1 \approx x_2, \ldots, x_{n-1} \approx x_n, x_1 \not\approx x_n$, where $x_1, \ldots, x_n$ are distinct variables. A contradictory cycle $\theta$ is called a contradictory cycle of an E-CNF $F$ if all literals in $\theta$ are contained in $L_F$.

When drawing a graph consisting of the variables from an E-CNF $F$ as nodes, the equalities from $L_F$ as solid edges and the inequalities from $L_F$ as dashed edges, a contradictory cycle of $F$ corresponds exactly to a cycle in this graph in which one edge is dashed and all other edges are solid. For a given E-CNF such a graph is easily made and such cycles are easily established by looking for solid paths from one end of a dashed edge to the other end. In Theorems 13 and 15 we will see that unsatisfiability of an E-CNF is preserved by removing clauses containing literals that are not on a contradictory cycle.

3 Proof Systems

In this section we present the proof systems that play a role in this paper, and we derive a fruitful commutation theorem.

3.1 ER Rule

It is well-known that in first order logic the combination of resolution and paramodulation is complete, see [9]. This means that a formula is unsatisfiable if and only if the empty clause can be derived. In our particular case of equality logic paramodulation boils down to the following transitivity rule.

Transitivity rule:
$$\frac{\{x \approx y\} \cup C, \;\{y \approx z\} \cup D}{\{x \approx z\} \cup C \cup D}$$

For equality logic the resolution rule can be presented as follows.

Resolution rule:
$$\frac{\{x \approx y\} \cup C, \;\{x \not\approx y\} \cup D}{C \cup D}$$

For $F' = F \cup \{C\}$ we shall use the notation $F \to_t F'$ if $C$ was derived from $F$ by the transitivity rule and $F \to_r F'$ if $C$ was derived by the resolution rule. Completeness of the combination of paramodulation and resolution now implies that an E-CNF is unsatisfiable if and only if the empty clause can be derived by only using the transitivity rule and the resolution rule.
Instead of these two rules we now introduce one single rule, the equality resolution rule (ER), that is complete on its own and has a number of advantages.

ER rule:
$$\frac{\{x_1 \approx x_2\} \cup C_1, \;\ldots,\; \{x_{n-1} \approx x_n\} \cup C_{n-1}, \;\{x_1 \not\approx x_n\} \cup C_n}{C_1 \cup \cdots \cup C_n}$$

Clearly the contradictory cycle $\theta = \{x_1 \approx x_2, \ldots, x_{n-1} \approx x_n, x_1 \not\approx x_n\}$ is closely related to this rule; in fact for every contradictory cycle we have a corresponding instance of the ER rule. If a new clause $C$ is derived from an E-CNF $F$ by the ER rule using the contradictory cycle $\theta$ then we write $F \to^\theta_{er} F'$ for $F' = F \cup \{C\}$. In case the involved contradictory cycle $\theta$ is not relevant we shortly write $F \to_{er} \tilde F$. We write $F \to_\theta \tilde F$ if the ER rule is applied for a fixed contradictory cycle $\theta$.

3.2 Commutation of Proof Systems

In order to prove completeness of the ER rule based on completeness of the combination of resolution and transitivity we will need a commutation property between the proof systems of resolution and transitivity. Later on, in proving correctness of our procedure, we will need a quite similar commutation property in another setting. Therefore we now develop the desired commutation results for arbitrary proof systems. Here a proof system may be anything by which new statements, e.g. clauses, may be deduced from existing statements. For such a proof system $s$ we use the notation $F \to_s G$ for $G = F \cup \{C\}$, where $C$ is a statement deduced from $F$ by the proof system $s$. For any relation $\to$ we write $\to^*$ for its reflexive transitive closure, i.e., we write $F \to^* G$ if $F_0, \ldots, F_n$ exist for $n \geq 0$ satisfying $F = F_0 \to F_1 \to \cdots \to F_n = G$.

Definition 4. We write $F \sqsubseteq G$ if for any $C \in G$ there is $D \in F$ such that $D \subseteq C$. A proof system $s$ is $\sqsubseteq$-monotonic if from $F \to^*_s F'$ it follows that for any $G \sqsubseteq F$ there is $G'$ such that $G \to^*_s G'$ and $G' \sqsubseteq F'$.

Definition 5. Let $s_1$ and $s_2$ be proof systems and $F \to_{s_1} F' \to_{s_2} F''$. We say that a proof system $s_1$ commutes over a proof system $s_2$ if for some finite $n$ there exist $G_1, \ldots, G_n, G$ such that
1. $F \to_{s_2} G_i$ for any $i \in \{1, \ldots, n\}$;
2. $\bigcup_{i=1}^{n} G_i \to^*_{s_1} G$, where $G \sqsubseteq F''$.

Lemma 6. Let $s_1$ and $s_2$ be $\sqsubseteq$-monotonic proof systems such that $s_1$ commutes over $s_2$, and $F \to^*_{s_1} F' \to_{s_2} F''$. Then there are $G', G''$ such that $F \to^*_{s_2} G' \to^*_{s_1} G''$, where $G'' \sqsubseteq F''$.

Proof. Let $F = F_0 \to_{s_1} F_1 \to_{s_1} \cdots \to_{s_1} F_n = F'$. The proof is by induction on $n$. Base case $n = 0$: the lemma trivially holds. Inductive step: let the lemma hold for $n - 1$. By Definition 5 there are $G_1, \ldots, G_m$ for some finite $m$ such that
1. $F_{n-1} \to_{s_2} G_i$ for any $i \in \{1, \ldots, m\}$;
2. $\bigcup_{i=1}^{m} G_i \to^*_{s_1} G$, where $G \sqsubseteq F''$.
By the induction hypothesis, for any $i \in \{1, \ldots, m\}$ there are $G'_1, \ldots, G'_m, G''_1, \ldots, G''_m$ such that $F \to^*_{s_2} G'_i \to^*_{s_1} G''_i$, where $G''_i \sqsubseteq G_i$. As $G''_i \sqsubseteq G_i$, by Definition 4 there is $G''$ such that $\bigcup_{i=1}^{m} G''_i \to^*_{s_1} G''$, where $G'' \sqsubseteq G$. We choose $G' = \bigcup_{i=1}^{m} G'_i$. Then $F \to^*_{s_2} G' \to^*_{s_1} G''$, where $G'' \sqsubseteq F''$. □

Now we are ready to prove the theorem stating that any derivation consisting of any mix of $s_1$-steps and $s_2$-steps can be rearranged in such a way that first only $s_2$-steps are applied and then only $s_1$-steps.

Theorem 7. Let $s_1$ and $s_2$ be $\sqsubseteq$-monotonic proof systems such that $s_1$ commutes over $s_2$. Let $s$ be the union of $s_1$ and $s_2$. If $F \to^*_s F'$ then there are $G, G'$ such that $F \to^*_{s_2} G \to^*_{s_1} G'$, where $G' \sqsubseteq F'$.

Proof. Let $F = F_0 \to_s F_1 \to_s \cdots \to_s F_n = F'$. The proof is by induction on $n$. Base case $n = 0$: the theorem trivially holds. Inductive step: let the theorem hold for $n - 1$. Then by the induction hypothesis there are $F'_1, F'_2$ such that $F \to^*_{s_2} F'_1 \to^*_{s_1} F'_2$, where $F'_2 \sqsubseteq F_{n-1}$. If $F_{n-1} \to_{s_1} F_n$ then the theorem holds by Definition 4. If $F_{n-1} \to_{s_2} F_n$ then the theorem holds by Lemma 6. □

The next theorem is a further generalization of Theorem 7: now not only two proof systems are involved but an arbitrary number.

Theorem 8. Let $s$ be the union of $\sqsubseteq$-monotonic proof systems $s_1, \ldots, s_n$. Let $s_i$ commute over $s_j$ for any $i > j$. If $F \to^*_s F'$ then there are $F_1, \ldots, F_n$ such that $F \to^*_{s_1} F_1 \to^*_{s_2} \cdots \to^*_{s_n} F_n$, where $F_n \sqsubseteq F'$.

Proof. The proof is by induction on $n$. Base case $n = 1$: trivially holds. Inductive step: let the theorem hold for $n - 1$. Let $s'$ be the union of the systems $s_2, \ldots, s_n$. By Theorem 7 there are $F_1, F'_1$ such that $F \to^*_{s_1} F_1 \to^*_{s'} F'_1$, $F'_1 \sqsubseteq F'$. By the induction hypothesis there are $F_2, \ldots, F_n$ such that $F_1 \to^*_{s_2} \cdots \to^*_{s_n} F_n$, where $F_n \sqsubseteq F'_1$. Then $F_1, \ldots, F_n$ satisfy the theorem. □

3.3 Soundness and Completeness of ER

Theorem 9 (Soundness of the ER rule). Let $F \to_{er} \tilde F$. Then $F$ is satisfiable iff $\tilde F$ is satisfiable.

Proof. Let $\tilde F = F \cup \{C_1 \cup \cdots \cup C_n\}$, where $C_1 \cup \{x_1 \approx x_2\}, \ldots, C_{n-1} \cup \{x_{n-1} \approx x_n\}, C_n \cup \{x_1 \not\approx x_n\} \in F$. Let $\tilde F$ be satisfiable. Then $F$ is satisfiable as a subset of a satisfiable set of clauses. Let $F$ be satisfiable. The set $\{\{x_1 \approx x_2\}, \ldots, \{x_{n-1} \approx x_n\}, \{x_1 \not\approx x_n\}\}$ is minimally unsatisfiable by Lemma 2. Then an assignment satisfying $F$ satisfies $C_i$ for some $i \in \{1, \ldots, n\}$. The same assignment satisfies $C_1 \cup \cdots \cup C_n$ and $\tilde F$. □

In order to prove completeness we will use a commutation property and Theorem 7.

Lemma 10. The transitivity rule commutes over the ER rule.

Proof. It is easily observed that the transitivity and ER rules are $\sqsubseteq$-monotonic. We have to prove that the transitivity and ER proof systems satisfy Definition 5. Let $F \to_t F' \to_{er} F''$, where $F' = F \cup \{C\}$, $F'' = F' \cup \{D\}$. Let $C = C_1 \cup C_2 \cup \{x \approx z\}$, where $C_1 \cup \{x \approx y\}, C_2 \cup \{y \approx z\} \in F$, and $D = \bigcup_{i=1}^{n} D_i$, where $D_i \cup \{l_i\} \in F'$ for any $i \in \{1, \ldots, n\}$ and $\{l_1, \ldots, l_n\}$ is a contradictory cycle.

If $C \neq D_i$ for any $i \in \{1, \ldots, n\}$ then let us choose $G_1 = F \cup \{D\}$, $G = G_1 \cup \{C\}$. In this case $G = F''$.

Let $C = D_i$ for some $i \in \{1, \ldots, n\}$. W.l.o.g. we can assume that $i = 1$. Then one of the following holds.

1. $l_1$ is equal to $x \approx z$. We have $D = C_1 \cup C_2 \cup \bigcup_{i=2}^{n} D_i$. The literals $x \approx y, y \approx z, l_2, \ldots, l_n$ form a contradictory cycle. Then $D$ can be derived from $F$ by the ER rule. Let $G_1 = F \cup \{D\}$, $G = G_1 \cup \{C\}$.
In this case $G = F''$.

2. $l_1 \in C_1 \cup C_2$. Let $C'_1 = C_1 \cup \{x \approx y\}$, $C'_2 = C_2 \cup \{y \approx z\}$, and $D_j = C'_j \setminus \{l_1\} \cup \bigcup_{i=2}^{n} D_i$ for $j \in \{1, 2\}$. If $l_1 \in C_1$ or $l_1 \in C_2$ then $D_1$ or $D_2$ can be derived from $F$ by the ER rule. Let $G_i = F \cup \{D_i\}$ for $i \in \{1, 2\}$. If the literal $l_1$ is equal neither to $x \approx y$ nor to $y \approx z$ then $D$ can be derived from $D_1$ and $D_2$ by the transitivity rule. If $l_1$ is equal to $x \approx y$ then $D_1 \subseteq D$. If $l_1$ is equal to $y \approx z$ then $D_2 \subseteq D$. If $l_1 \in C_1$ and $l_1 \in C_2$ then there are $G_1, G_2, G$ satisfying Definition 5. If $l_1 \in C_1$ or $l_1 \in C_2$ then there are $G_1, G$ or $G_2, G$ satisfying Definition 5. In all cases we are done. □

Theorem 11 (Completeness of the ER rule). An E-CNF is unsatisfiable iff the empty clause can be derived by the ER rule.

Proof. Assume that the empty clause can be derived from the E-CNF by ER. Then by Theorem 9 the original set of clauses is unsatisfiable. Assume that the original set $F$ of clauses is unsatisfiable. Then according to the well-known paramodulation result the empty clause can be derived from it by transitivity and resolution. Since resolution is a particular case of the ER rule we conclude that $F \to^*_s F'$ for some $F'$ containing $\bot$, where $s$ is the combination of transitivity and the ER rule. Let $F \to^*_s F'$, where $\bot \in F'$. Then by Lemma 10 and Theorem 7 there are $G, G'$ such that $F \to^*_{er} G \to^*_t G'$, $G' \sqsubseteq F'$. Since $\bot \in F'$ we have $\bot \in G'$. By the transitivity rule $\bot$ cannot be derived, so $\bot \in G$. □

4 Removing Redundant Clauses

Let an E-CNF $F$ be given. For a literal $l \in L_F$ let $F|_l$ denote the E-CNF obtained from $F$ by deleting all clauses that contain $l$. In the following we will use the fact that $F$ is satisfiable if and only if it is satisfiable on the set of natural numbers $\mathbb{N}$. So w.l.o.g. we may and shall assume that $D = \mathbb{N}$.

4.1 Removing Disequalities

Definition 12. Let $F$ be an E-CNF. The relation $=_F$ on $V_F$ is defined by $x =_F y$ if and only if $x \approx y \in L_F$.
The relation $\sim_F$ is defined to be the equivalence relation generated by $=_F$, i.e., the reflexive, symmetric, transitive closure of the relation $=_F$. By $E^x_F$ we denote the equivalence class of $x$ with respect to $\sim_F$.

Theorem 13. Let $x \not\sim_F y$. Then $F$ is satisfiable iff $F|_{x \not\approx y}$ is satisfiable.

Proof. Let $F$ be satisfiable; then $F|_{x \not\approx y}$ is satisfiable as a subset of a satisfiable set of clauses. Conversely, since $F|_{x \not\approx y}$ is satisfiable there is a satisfying assignment $A : V_F \to \mathbb{N}$ for $F|_{x \not\approx y}$. We define a new assignment $A'$ that preserves satisfiability of $F|_{x \not\approx y}$ and also satisfies $x \not\approx y$. Choose a number $N$ satisfying $N > A(x') - A(y')$ for all $x', y' \in V_F$. We define $A' : V_F \to \mathbb{N}$ as follows:

$$A'(z) = \begin{cases} A(z) + N, & z \in E^x_F \\ A(z), & z \in V_F \setminus E^x_F \end{cases}$$

Since $A$ is a satisfying assignment for $F|_{x \not\approx y}$, for any $C \in F|_{x \not\approx y}$ there is $l \in C$ such that $I_A(l) = \mathrm{true}$. We check that $I_{A'}(l) = \mathrm{true}$.

1. The literal $l$ is equal to $x'' \approx y''$ for some $x'', y'' \in V_F$. If $x'' \not\sim_F x$ then $A'(x'') = A(x'') = A(y'') = A'(y'')$. If $x'' \sim_F x$ then $A'(x'') = A(x'') + N = A(y'') + N = A'(y'')$. In both cases $I_{A'}(l) = \mathrm{true}$.

2. The literal $l$ is equal to $x'' \not\approx y''$ for some $x'', y'' \in V_F$.
(a) $x'' \sim_F y''$. If $x'' \sim_F x$ then $A'(x'') = A(x'') + N \neq A(y'') + N = A'(y'')$. If $x'' \not\sim_F x$ then $A'(x'') = A(x'') \neq A(y'') = A'(y'')$.
(b) $x'' \not\sim_F y''$. Using that $N > A(x') - A(y')$ for all $x', y' \in V_F$ we have: if $x'' \sim_F x$ and $y'' \not\sim_F x$ then $A'(x'') = A(x'') + N > A(y'') = A'(y'')$; if $x'' \not\sim_F x$ and $y'' \sim_F x$ then $A'(x'') = A(x'') < A(y'') + N = A'(y'')$; if $x'' \not\sim_F x$ and $y'' \not\sim_F x$ then $A'(x'') = A(x'') \neq A(y'') = A'(y'')$.

In all cases $I_{A'}(l) = \mathrm{true}$. Since $N > A(x') - A(y')$ for all $x', y' \in V_F$ and $y \not\sim_F x$ we have $A'(x) = A(x) + N > A(y) = A'(y)$. So $I_{A'}(x \not\approx y) = \mathrm{true}$. □

Example 14. As an example we have taken the formula from [8] that arose during the process of translation validation.
After abstracting concrete functions and performing the Ackermann reduction, the following E-CNF is obtained:

$$F_1 = (x_1 \not\approx x_2 \vee x_3 \not\approx x_4 \vee y_1 \approx y_2) \wedge (y_1 \not\approx y_3 \vee y_2 \not\approx y_4 \vee z_1 \approx z_2) \wedge y_1 \approx y_3 \wedge y_2 \approx y_4 \wedge z_1 \approx z_3 \wedge z_2 \not\approx z_3.$$

[Fig. 1. The graph corresponding to $F_1$, with nodes $x_1, x_2, x_3, x_4, y_1, y_2, y_3, y_4, z_1, z_2, z_3$.]

As sketched before we may draw a graph consisting of the variables from $F_1$ as nodes, the equalities from $L_{F_1}$ as solid edges and the inequalities from $L_{F_1}$ as dashed edges. The result is given in Figure 1. In this graph notation $x \sim y$ means that there is a path from node $x$ to node $y$ consisting purely of solid edges. Hence in this example we clearly have $x_1 \not\sim x_2$. Hence by Theorem 13 we may remove all clauses containing the literal $x_1 \not\approx x_2$ without changing satisfiability behavior. Hence we may remove the first clause, resulting in

$$F_2 = (y_1 \not\approx y_3 \vee y_2 \not\approx y_4 \vee z_1 \approx z_2) \wedge y_1 \approx y_3 \wedge y_2 \approx y_4 \wedge z_1 \approx z_3 \wedge z_2 \not\approx z_3.$$

We see that the variables $x_1, x_2, x_3$ and $x_4$ do not occur in $F_2$; the resulting graph for $F_2$ is given in Figure 2.

[Fig. 2. The graph corresponding to $F_2$, with nodes $y_1, y_2, y_3, y_4, z_1, z_2, z_3$.]

4.2 Removing Equalities

Theorem 15. Let $F$ be an E-CNF and let $x \approx y \in L_F$ not be contained in any contradictory cycle of $F$. Then $F$ is satisfiable iff $F|_{x \approx y}$ is satisfiable.

Proof. Let $F$ be satisfiable; then $F|_{x \approx y}$ is satisfiable as a subset of a satisfiable set of clauses. Conversely assume that $F|_{x \approx y}$ is satisfiable. Then there is a satisfying assignment $A : V_F \to \mathbb{N}$ for $F|_{x \approx y}$. We will show that there is a satisfying assignment for $F$. We define the set $P_x$ as follows:
– $x \in P_x$;
– $z \in P_x$ if $z \approx z' \in L_F$ and $A(z) = A(z')$ for some $z' \in P_x$.
Let $N > \max_{x \in V_F} A(x)$. Then we may define a new assignment as follows:

$$A'(z) = \begin{cases} N, & z \in P_x \cup P_y \\ A(z), & z \in V_F \setminus (P_x \cup P_y) \end{cases}$$

As $A$ is a satisfying assignment for $F|_{x \approx y}$, for any $C \in F|_{x \approx y}$ there exists $l \in C$ such that $I_A(l) = \mathrm{true}$. We will show that $I_{A'}(l) = \mathrm{true}$. Let us take an arbitrary clause $C$ from $F|_{x \approx y}$. Then one of the following holds:

1. The literal $l$ is equal to $x' \approx y'$. Then either $x', y' \in P_x \cup P_y$ and $A'(x') = N = A'(y')$, or $x', y' \in V_F \setminus (P_x \cup P_y)$ and $A'(x') = A(x') = A(y') = A'(y')$.

2. The literal $l$ is equal to $x' \not\approx y'$. We consider the case when $x', y' \in P_x \cup P_y$. If $x' \in P_x$ and $y' \in P_y$ or vice versa then $x \approx y$ is contained in a contradictory cycle of $F$, contradicting the assumption of the theorem. If $x', y' \in P_x$ then $A(x') = A(y')$ and $I_A(l) \neq \mathrm{true}$. In this case we also have a contradiction. By symmetry, in the case $x', y' \in P_y$ we have a contradiction. Then one of the following holds:
(a) $x' \notin P_x \cup P_y$, $y' \notin P_x \cup P_y$. Then $A'(x') = A(x') \neq A(y') = A'(y')$.
(b) $x' \in P_x \cup P_y$, $y' \notin P_x \cup P_y$. Then $A'(x') = N > A(y') = A'(y')$ as $N > \max_{x \in V_F} A(x)$.
(c) $x' \notin P_x \cup P_y$, $y' \in P_x \cup P_y$. Then $A'(y') = N > A(x') = A'(x')$ as $N > \max_{x \in V_F} A(x)$.

In all cases $I_{A'}(l) = \mathrm{true}$. We take an arbitrary $C$ such that $x \approx y \in C$. By the definition of $A'$, $A'(x) = A'(y)$. Then $I_{A'}(x \approx y) = \mathrm{true}$. The assignment $A'$ preserves satisfiability of $F|_{x \approx y}$ and satisfies the clauses containing $x \approx y$. □

In the graph representation Theorem 15 states that every clause may be removed that contains an equality corresponding to a solid edge for which no path between the end points of the edge exists containing exactly one dashed edge.

Example 16. Consider the formula $F_1$ from Example 14. By applying Theorem 15 we may remove all clauses containing the equality $y_1 \approx y_2$. As a result we again obtain $F_2$, of which the graph is given in Figure 2. The fact that by applying Theorem 13 and Theorem 15 in this particular example the same clause is removed is a coincidence; in more complicated examples one sees that the combination of both theorems is more powerful than applying only one of them.

5 The E-SAT Procedure

5.1 The Basic E-SAT Procedure

We shall describe the basic E-SAT procedure for the purpose of proving completeness of the approach.
Based on this we shall present in the following subsection a modified version which is more efficient. Given a nonempty E-CNF containing nonempty clauses, the E-SAT procedure forms the set $\Theta$ of all contradictory cycles and then repeats the following steps.
– Choose a contradictory cycle $\theta \in \Theta$ and remove $\theta$ from $\Theta$.
– Add all possible clauses derived from $F$ by the ER rule over $\theta$.

We give a precise version of the procedure.

    Procedure E-SAT(F);
    begin
      Θ := ContrCycle(F);
      while (Θ ≠ ∅) do
      begin
        choose θ ∈ Θ;
        Θ := Θ \ {θ};
        if ⊥ ∈ F return(unsatisfiable);
        F := F ∪ ER(F, θ);
      end
      return(satisfiable);
    end

Fig. 3. The basic E-SAT procedure

In this procedure the function ContrCycle($F$) forms the set of all possible contradictory cycles. The function ER($F, \theta$) forms the set of clauses derived from $F$ by all possible $\theta$-steps. The procedure ends when either the empty clause is derived or no contradictory cycles are left. If the empty clause is derived, the output of the procedure is "unsatisfiable". If the empty clause is not derived during the procedure, the output is "satisfiable".

5.2 Soundness and Completeness of the Procedure

We shall prove the completeness of the basic procedure. Let $\theta_1, \ldots, \theta_n$ be the contradictory cycles of an unsatisfiable E-CNF $F_0$. Based on the completeness of the ER rule we shall show that there is a finite sequence $F_1, \ldots, F_n$ such that for any $i \in \{1, \ldots, n\}$, $F_i$ consists of all clauses contained in $F_{i-1}$ and the clauses derived from $F_{i-1}$ in one $\theta_i$-step, and $F_n$ contains the empty clause.

Lemma 17. Let for $i \in \{1, 2\}$ the $\theta_i$-step be a proof system $s_i$. Then $s_1$ commutes over $s_2$.

Proof. We shall prove that $s_1$ and $s_2$ satisfy Definition 5. Let $F \to_{\theta_1} F_1 \to_{\theta_2} F_2$. Let $F_1 = F \cup \{C\}$, $F_2 = F_1 \cup \{D\}$, $D = \bigcup_{i=1}^{m} D_i \setminus \{l_i\}$ for some $D_1, \ldots, D_m \in F_1$. Then one of the following holds.

1. $C \neq D_i$ for any $i \in \{1, \ldots, m\}$. We choose $G_1 = F \cup \{D\}$, $G = G_1 \cup \{C\}$. The lemma holds.

2. $C = D_i$ for some $i \in \{1, \ldots, m\}$. W.l.o.g. we can assume that $i = 1$. Let $C = \bigcup_{i=1}^{r} C_i \setminus \{l'_i\}$ for some $C_1, \ldots, C_r \in F$. W.l.o.g. we can assume that $l_1 \in C_i$ exactly for $i \in \{1, \ldots, k\}$. We define
(a) for any $i \in \{1, \ldots, k\}$, $G_i = F \cup \{C^*_i\}$, where $C^*_i = C_i \setminus \{l_1\} \cup \bigcup_{j=2}^{m} D_j \setminus \{l_j\}$;
(b) $G = \bigcup_{i=1}^{k} G_i \cup \{C\} \cup \{D^*\}$, where $D^* = \bigcup_{i=1}^{k} C^*_i \setminus \{l'_i\} \cup \bigcup_{i=k+1}^{r} C_i \setminus \{l'_i\}$.

We shall show that $D^* \subseteq D$:

$$\begin{aligned}
D^* &= \bigcup_{i=1}^{k} C^*_i \setminus \{l'_i\} \;\cup\; \bigcup_{i=k+1}^{r} C_i \setminus \{l'_i\} \\
&= \bigcup_{i=1}^{k} \Big(C_i \setminus \{l_1\} \cup \bigcup_{j=2}^{m} D_j \setminus \{l_j\}\Big) \setminus \{l'_i\} \;\cup\; \bigcup_{i=k+1}^{r} C_i \setminus \{l'_i\} \\
&= \bigcup_{i=1}^{k} (C_i \setminus \{l'_i\}) \setminus \{l_1\} \;\cup\; \bigcup_{i=k+1}^{r} C_i \setminus \{l'_i\} \;\cup\; \bigcup_{j=2}^{m} D_j \setminus \{l_j\} \\
&= C \setminus \{l_1\} \;\cup\; \bigcup_{j=2}^{m} D_j \setminus \{l_j\} \;=\; \bigcup_{j=1}^{m} D_j \setminus \{l_j\} \;\subseteq\; D.
\end{aligned}$$

Then for any $i \in \{1, \ldots, k\}$, $G_i$ consists of clauses from $F$ and a clause derived from $F$ by a $\theta_2$-step, and $C$ and $D^*$ can be derived from $\bigcup_{i=1}^{k} G_i$ by a $\theta_1$-step. It can be easily checked that $G \sqsubseteq F_2$. □

Theorem 19. Let $\{\theta_1, \ldots, \theta_n\}$ be the set of all contradictory cycles in $F$. Let $F \to^*_{er} G$. Then $F \to^*_{\theta_1} F_1 \to^*_{\theta_2} \cdots \to^*_{\theta_n} F_n$, where $F_n \sqsubseteq G$, for some $F_1, \ldots, F_n$.

Proof. The theorem follows from Theorem 8. □

Theorem 20. Let $F$ and $G$ be E-CNFs, $\theta$ a contradictory cycle, and $G = F \cup \mathrm{ER}(F, \theta)$. If $G \to_\theta G'$ then $G \sqsubseteq G'$.

Proof. If any $C \in G \setminus F$ does not contain a literal from $\theta$ then the theorem trivially holds. We shall show that for any $C \cup \{l\} \in G \setminus F$, where $l \in \theta$, there is $D \cup \{l\} \in F$ such that $D \subseteq C$. Let $\theta = \{l_1, \ldots, l_n\}$; $C \cup \{l_i\} \in G \setminus F$ for some $i \in \{1, \ldots, n\}$; $C \cup \{l_i\} = D_1 \cup \cdots \cup D_n$, where $D_1 \cup \{l_1\}, \ldots, D_n \cup \{l_n\} \in F$. Then $D_i \subseteq C$. Let $G' = G \cup \{C\}$. We shall show that there is $D \in G$ such that $D \subseteq C$. Let $C = C_1 \cup \cdots \cup C_n$, where $C_1 \cup \{l_1\}, \ldots, C_n \cup \{l_n\} \in G$ and $C_1 \cup \{l_1\}, \ldots, C_r \cup \{l_r\} \in G \setminus F$ for some $1 \leq r \leq n$. As was shown above, for any $i \in \{1, \ldots, r\}$ there is $D_i \cup \{l_i\} \in F$ such that $D_i \subseteq C_i$.
Then $D = D_1 \cup \cdots \cup D_r \cup C_{r+1} \cup \cdots \cup C_n$ can be derived by a $\theta$-step, $D \subseteq C$, and $D_1 \cup \{l_1\}, \ldots, D_r \cup \{l_r\}, C_{r+1} \cup \{l_{r+1}\}, \ldots, C_n \cup \{l_n\} \in F$. So $D \in G$. □

Theorem 21 (Soundness and completeness of the basic E-SAT procedure). Let $F$ be an E-CNF. Then $F$ is unsatisfiable iff the output of the basic procedure is the empty clause.

Proof. If there is a derivation of the empty clause by the ER rule then $F$ is unsatisfiable by Theorem 9. If $F$ is unsatisfiable then by Theorem 11 there is a derivation of the empty clause from $F$ by the ER rule. Let $\{\theta_1, \ldots, \theta_n\}$ be the set of all contradictory cycles in $F$. Then by Theorem 19 there are $F_1, \ldots, F_n$ such that $F \to^*_{\theta_1} F_1 \to^*_{\theta_2} \cdots \to^*_{\theta_n} F_n$ and $\bot \in F_n$. By Theorem 20, $F_i = F_{i-1} \cup \mathrm{ER}(F_{i-1}, \theta_i)$ for any $i \in \{1, \ldots, n\}$. This implies that the empty clause can be derived by the E-SAT procedure. □

5.3 The Optimized Procedure

The search space of saturation-based procedures can grow very rapidly. The procedure becomes more efficient when we have criteria to remove redundant clauses from the search space. In the optimized procedure we use subsumption, introduced by Robinson [10] for general resolution. Additional criteria to remove redundant clauses we obtain by means of the theorems proved in Section 4. The potential source of inefficiency is the number of contradictory cycles, which is exponential in the size of a formula. To avoid this problem the optimized procedure does not collect the set of all contradictory cycles as a first step. The optimized procedure repeats the following steps.
– Choose a contradictory cycle $\theta$ of the shortest length not contained in $\Theta$ and add it to $\Theta$.
– Remove redundant clauses.
– Add all possible clauses derived from $F$ by the ER rule over $\theta$.
– Remove clauses containing literals which are not in contradictory cycles not contained in $\Theta$.

    Procedure E-SAT(F);
    begin
      Θ := ∅;
      while (F ≠ ∅) do
      begin
        RemoveRedundant(F);
        θ := ShortestContrCycle(F, Θ);
        Θ := Θ ∪ {θ};
        if ⊥ ∈ F return(unsatisfiable);
        F := F ∪ ER(F, θ);
      end
      return(satisfiable);
    end

Fig. 4. The optimized E-SAT procedure

The procedure ShortestContrCycle($F, \Theta$) chooses a contradictory cycle of the shortest length not contained in $\Theta$. The procedure RemoveRedundant($F$) repeatedly removes clauses from $F$ by the following rules:
– if a clause $C$ is a subclause of a clause $C'$ then $C'$ is removed (subsumption);
– remove a clause containing $x \not\approx y$ for which $x \not\sim y$, see Theorem 13;
– remove a clause containing $x \approx y$ for which $x \approx y$ is not contained in any contradictory cycle, see Theorem 15;
until nothing can be removed any more. The function ER($F, \theta$) forms the set of clauses derived from $F$ by all possible $\theta$-steps. The procedure ends if either the set of clauses is empty or the empty clause is derived. If the empty clause is derived then the output is "unsatisfiable". If the set of clauses is empty then the output is "satisfiable".

Theorem 22 (Soundness and completeness of the optimized E-SAT procedure). Let $F$ be an E-CNF. Then $F$ is unsatisfiable iff the output of the E-SAT procedure is the empty clause.

Proof. If there is a derivation of the empty clause by the ER rule then $F$ is unsatisfiable by Theorem 9. If $F$ is unsatisfiable then the empty clause can be derived by the optimized procedure by Theorem 13, Theorem 15, and Theorem 21. □

Example 23. Consider the formula $F_1$ from Example 14. Removing redundant clauses yields the E-CNF $F_2$:

$$F_2 = (y_1 \not\approx y_3 \vee y_2 \not\approx y_4 \vee z_1 \approx z_2) \wedge y_1 \approx y_3 \wedge y_2 \approx y_4 \wedge z_1 \approx z_3 \wedge z_2 \not\approx z_3.$$

The contradictory cycles contained in $F_2$ are the following: $\theta_1 = \{y_1 \approx y_3, y_1 \not\approx y_3\}$, $\theta_2 = \{y_2 \approx y_4, y_2 \not\approx y_4\}$, $\theta_3 = \{z_1 \approx z_2, z_1 \approx z_3, z_2 \not\approx z_3\}$. The empty clause is derived by the optimized procedure as follows:

(1) $y_1 \not\approx y_3 \vee y_2 \not\approx y_4 \vee z_1 \approx z_2$
(2) $y_1 \approx y_3$
(3) $y_2 \approx y_4$
(4) $z_1 \approx z_3$
(5) $z_2 \not\approx z_3$
(6) $y_2 \not\approx y_4 \vee z_1 \approx z_2$ (from 1, 2)
(7) $z_1 \approx z_2$ (from 3, 6)
(8) $\bot$ (from 4, 5, 7)

6 Example

As an example we consider a formula that is related to the pigeon hole formula in propositional calculus.
Just like the pigeon hole formula, our formula is parameterized by a number n, it is easily seen to be contradictory by a meta argument, and its shape is the conjunction of two subformulas. In our formula there are n + 1 variables x_1, …, x_n, y. The first subformula states that the values of x_1, …, x_n are all different. The second subformula states that the value of y occurs in every subset of size n − 1 of {x_1, …, x_n}, hence it occurs at least twice in {x_1, …, x_n}, contradicting the property of the first subformula. Hence the total formula

  Φ_n ≡ ⋀_{1 ≤ i < j ≤ n} x_i ≉ x_j  ∧  ⋀_{j=1}^{n} ( ⋁_{i ∈ {1,…,n}, i ≠ j} x_i ≈ y )

is unsatisfiable as an E-CNF. It is easy to see that Φ_n is minimally unsatisfiable, hence in any proof of unsatisfiability all n(n+1)/2 clauses have to be used.

The goal now is to prove unsatisfiability of Φ_n automatically. We applied the bit-vector encoding to this formula, i.e., every z ≈ w is replaced by ⋀_i (z_i ↔ w_i) for i running from 1 to ⌈log(n + 1)⌉, and then a standard SAT approach is applied to the resulting propositional formula. It turned out that both for a BDD-based approach and for a resolution-based approach this is a hard job: for n = 50 or even lower a combinatorial explosion comes up.

However, by applying the approach introduced in this paper, proving unsatisfiability of Φ_n can be done in time polynomial in n. It turns out that all contradictory cycles in Φ_n are of length 3 and have the shape

  θ_{ij} = {x_i ≈ y, x_j ≈ y, x_i ≉ x_j}  for 1 ≤ i < j ≤ n;

the total number of these contradictory cycles is n(n−1)/2.

Now we study the behavior of our procedure when it processes these contradictory cycles consecutively. Write C_j for the clause ⋁_{i ∈ {1,…,n}, i ≠ j} x_i ≈ y for j = 1, …, n, and write C_{jn} for the clause obtained from C_j by removing x_n ≈ y, for j = 1, …, n − 1. As a first contradictory cycle choose θ_{1,n}. Then by applying a θ_{1,n}-step on C_1, C_n and x_1 ≉ x_n we obtain the new clause C_{1n}.
A number of other θ_{1,n}-steps are possible, but each of them yields a clause that contains C_{1n}, hence will be removed by subsumption. Also C_1 and C_n are supersets of C_{1n} and will be removed. So after treating this first contradictory cycle, apart from the inequalities only the following n − 1 clauses remain: C_2, …, C_{n−1}, C_{1n}.

As a second contradictory cycle choose θ_{2,n}. Applying a corresponding step on C_2, C_{1n} and x_2 ≉ x_n yields the new clause C_{2n}. Since this is a subclause of all other clauses generated by θ_{2,n}-steps, and also of C_2, after treating this second contradictory cycle, apart from the inequalities only the following n − 1 clauses remain: C_3, …, C_{n−1}, C_{1n}, C_{2n}.

This pattern continues: after choosing the (n − 1)-th contradictory cycle θ_{n−1,n}, apart from the inequalities only the following n − 1 clauses remain: C_{1n}, C_{2n}, …, C_{n−1,n}. Since now no equality involving the variable x_n occurs any more, there is no contradictory cycle left containing any of the inequalities x_i ≉ x_n for i = 1, …, n − 1, so these unit clauses are removed by RemoveRedundant as well. It turns out that the remaining E-CNF is exactly Φ_{n−1}. Continuing by consecutively choosing θ_{1,n−1}, θ_{2,n−1}, …, after n − 2 further steps the remaining E-CNF is exactly Φ_{n−2}. This goes on until the remaining E-CNF is exactly Φ_2, consisting of the three unit clauses x_1 ≈ y, x_2 ≈ y, x_1 ≉ x_2, from which the empty clause is derived in one single θ_{12}-step.

We conclude that all n(n−1)/2 contradictory cycles were processed before the empty clause was derived. Surprisingly, after removing redundant clauses, in the intermediate steps the total number of clauses was never greater than the original number of clauses.

7 Concluding Remarks and Further Research

We developed a new rule for reasoning with E-CNFs and proved its soundness and completeness. Based on this rule we proposed an algorithm for satisfiability of E-CNFs and proved soundness and completeness of this procedure as well. Until now we have this procedure only in high-level pseudo-code.
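As an added illustration of what an implementation of Fig. 4 can look like, here is the optimized procedure in Python, run on F_2 of Example 23 and on Φ_n of Section 6 (example code written for this page, not the authors' own implementation). It assumes the following readings: a contradictory cycle is one inequality x ≉ y of F plus a simple path of equalities of F from x to y (so {x ≈ y, x ≉ y} is the cycle of length 2); the clause-removal rules of Section 5.3 are merged into the single criterion "drop a clause containing a literal that occurs in no contradictory cycle outside Θ", of which Theorem 13 and Theorem 15 are the cases of a literal in no cycle at all; ties between shortest cycles are broken by the sorted literal tuples. F_2 is transcribed from Example 23, the satisfiable formula SAT_EXAMPLE is constructed here.

```python
"""Optimized E-SAT (Fig. 4) with equality resolution over contradictory cycles.
Added example, not the authors' code. Literal: (a, b, positive) with a < b, True
for a ≈ b, False for a ≉ b; clause: frozenset of literals (frozenset() is ⊥)."""
from itertools import product

EMPTY = frozenset()  # the empty clause ⊥


def lit(a, b, positive=True):
    """Normalise a literal so that x ≈ y and y ≈ x are the same object."""
    return (min(a, b), max(a, b), positive)


def contradictory_cycles(F):
    """All contradictory cycles of F, read here as one inequality x ≉ y of F plus a
    simple path of equalities of F from x to y ({x ≈ y, x ≉ y} is the 2-cycle)."""
    lits = set().union(*F)
    adj = {}
    for a, b, positive in lits:
        if positive:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    cycles = set()

    def walk(node, target, path, seen):
        if node == target:
            cycles.add(frozenset(path))
            return
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                walk(nxt, target, path + [lit(node, nxt)], seen | {nxt})

    for a, b, positive in lits:
        if not positive:
            walk(a, b, [(a, b, False)], {a})
    return cycles


def er_step(F, theta):
    """All θ-steps on F: for every literal l of θ pick a clause of F containing l and
    derive the union of the remainders (sound: the literals of θ cannot all hold)."""
    lits = tuple(theta)
    candidates = [[C for C in F if l in C] for l in lits]
    return {frozenset().union(*(C - {l} for C, l in zip(combo, lits)))
            for combo in product(*candidates)}


def remove_redundant(F, Theta):
    """Subsumption, then the removal rules of Section 5.3 as one criterion: drop any
    clause with a literal lying in no contradictory cycle outside Theta (a literal in
    no cycle at all is the case of Theorem 13 / Theorem 15); repeat to a fixpoint."""
    F = {C for C in F if not any(D < C for D in F)}
    while True:
        live = set().union(*(th for th in contradictory_cycles(F) if th not in Theta))
        G = {C for C in F if C <= live}
        if G == F:
            return F
        F = G


def shortest_cycle(F, Theta):
    """ShortestContrCycle(F, Θ); ties broken by the sorted literals, for determinism."""
    fresh = [th for th in contradictory_cycles(F) if th not in Theta]
    return min(fresh, key=lambda th: (len(th), sorted(th)))


def esat(clauses):
    """The loop of Fig. 4. Returns the verdict and the largest clause count seen after
    any RemoveRedundant, the quantity discussed at the end of Section 6."""
    F, Theta, peak = set(clauses), set(), 0
    while True:
        F = remove_redundant(F, Theta)
        peak = max(peak, len(F))
        if EMPTY in F:
            return "unsatisfiable", peak
        if not F:
            return "satisfiable", peak
        theta = shortest_cycle(F, Theta)  # exists: every remaining literal is in a fresh cycle
        Theta.add(theta)
        F |= er_step(F, theta)


def phi(n):
    """Φ_n of Section 6: x_i ≉ x_j for i < j, and for each j the clause ⋁_{i≠j} x_i ≈ y."""
    xs = ["x%d" % i for i in range(1, n + 1)]
    ineqs = {frozenset({lit(xs[i], xs[j], False)}) for i in range(n) for j in range(i + 1, n)}
    holes = {frozenset(lit(x, "y") for x in xs if x != xj) for xj in xs}
    return ineqs | holes


# F_2 of Example 23, transcribed from the paper.
EXAMPLE_23 = {frozenset({lit("y1", "y3", False), lit("y2", "y4", False), lit("z1", "z2")}),
              frozenset({lit("y1", "y3")}), frozenset({lit("y2", "y4")}),
              frozenset({lit("z1", "z3")}), frozenset({lit("z2", "z3", False)})}
# A constructed satisfiable E-CNF: (x ≈ y ∨ y ≈ z) ∧ x ≉ z; its only cycle saturates at once.
SAT_EXAMPLE = {frozenset({lit("x", "y"), lit("y", "z")}), frozenset({lit("x", "z", False)})}

if __name__ == "__main__":
    print("Example 23:", esat(EXAMPLE_23), "satisfiable example:", esat(SAT_EXAMPLE))
    for n in range(2, 7):
        verdict, peak = esat(phi(n))
        print("Phi_%d: %s, %d clauses, peak %d" % (n, verdict, len(phi(n)), peak))
```

Run stand-alone it reports F_2 and Φ_2, …, Φ_6 unsatisfiable, and the largest number of clauses present after any RemoveRedundant never exceeds the initial n(n+1)/2, which is the observation at the end of Section 6. Because of the tie-breaking the run processes θ_{1,2}, θ_{1,3}, … first instead of θ_{1,n}, θ_{2,n}, …; this is the computation of Section 6 up to a renaming of x_1, …, x_n. The cycle enumeration is exponential in the worst case, so this is a faithful but unoptimized rendering of the pseudo-code, not a performance reference.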
Many implementation details have not yet been considered. However, on a theoretical level we analyzed the complexity of our procedure when applied to a particular formula, obtaining a polynomial complexity, while standard approaches applied to this formula exhibit exponential behavior. This is quite hopeful for our new approach, and as a next step we will implement our procedure and do experiments with real benchmarks.

References

1. Ackermann, W. Solvable cases of the decision problem. Studies in Logic and the Foundations of Mathematics. North-Holland, Amsterdam, 1954.
2. Barrett, C. W., Dill, D., and Levitt, J. Validity checking for combinations of theories with equality. In Formal Methods in Computer-Aided Design (FMCAD'96) (November 1996), M. Srivas and A. Camilleri, Eds., vol. 1166 of LNCS, Springer-Verlag, pp. 187–201.
3. Bryant, R., German, S., and Velev, M. Processor verification using efficient reductions of the logic of uninterpreted functions to propositional logic. ACM Transactions on Computational Logic 2, 1 (January 2001), 93–134.
4. Bryant, R., and Velev, M. Boolean satisfiability with transitivity constraints. ACM Transactions on Computational Logic 3, 4 (October 2002), 604–627.
5. Burch, J., and Dill, D. Automated verification of pipelined microprocessor control. In Computer-Aided Verification (CAV'94) (June 1994), D. Dill, Ed., vol. 818 of LNCS, Springer-Verlag, pp. 68–80.
6. Goel, A., Sajid, K., Zhou, H., Aziz, A., and Singhal, V. BDD based procedures for a theory of equality with uninterpreted functions. In Computer-Aided Verification (CAV'98) (1998), A. J. Hu and M. Y. Vardi, Eds., vol. 1427 of LNCS, Springer-Verlag, pp. 244–255.
7. Groote, J., and van de Pol, J. Equational binary decision diagrams. In Logic for Programming and Reasoning (LPAR 2000) (2000), M. Parigot and A. Voronkov, Eds., vol. 1955 of LNAI, pp. 161–178.
8. Pnueli, A., Rodeh, Y., Shtrichman, O., and Siegel, M. Deciding equality formulas by small domains instantiations.
In Computer Aided Verification (CAV'99) (1999), vol. 1633 of LNCS, Springer-Verlag, pp. 455–469.
9. Robinson, G., and Wos, L. Paramodulation and theorem-proving in first-order theories with equality. Machine Intelligence 4 (1969), 135–150.
10. Robinson, J. A machine-oriented logic based on the resolution principle. Journal of the ACM 12, 1 (1965), 23–41.
11. Rodeh, Y., and Shtrichman, O. Finite instantiations in equivalence logic with uninterpreted functions. In Computer Aided Verification (CAV'01) (July 2001), vol. 2102 of LNCS, Springer-Verlag, pp. 144–154.