To be most useful, the THEORY of Σ needsto encompassvariousstrong statements of the additivity property. Writing
Φ(F)≡is map(F) & Finite(domain(F)) & range(F)⊆abel, Ψ(P, X)≡ X =
P & (∀b, v∈P)(b=v → b∩v=∅) for brevity, much of what iswanted can be specified e.g. asfollows:
THEORYgen sigma add(abel,+,u)
(∀x, y∈ abel)(x+y∈abel& --closure w.r.t. . . .
x+y=y+x) --. . . commutative operation u∈abel& (∀x ∈ abel)(x+u=x) --designated unit element (∀x, y, z ∈ abel)((x+y)+z=x+(y+z))--associativity
==>(Σ) --summation operation
Σ(∅) =u& (∀y∈abel)(Σ({[X, y]}) =y)
Φ(F) → Σ(F)∈abel
Φ(F)→Σ(F) =Σ(F ∩G)+Σ(F\G) --additivity Φ(F) &Ψ(P, F) → Σ(F) =Σ( {[g, Σ(g)] : g∈P} )
Φ(F) &Ψ(P,domain(F)) → Σ(F) =Σ( {[b, Σ(F|b)] : b∈P} )
Φ(F) &Svm(G) &domain(F) =domain(G) →
Σ(F) =Σ( {[x, Σ(F|G−1{x})] : x∈range(G)} )
ENDgen sigma add.
A proof of the last of these theorems, which states that Σ is insensitive to operand rearrangement and grouping, issketched below.
Generalized additivity is proved first: starting with the absurd hypothesis that specific f,pexist for which
Φ(f) &Ψ(p,f)&Σ(f)=Σ( {[g, Σ(g)] : g∈p} )
holds, one can choose an inclusion-minimal such p referring to the same fand included in thepchosen at first, by an invocation
APPLY(p0)finite induction(n→p,
P(Q)→Ψ(Q,f)&Σ(f)=Σ( {[g, Σ(g)] : g∈Q} ) )==>ã ã ã .
From this, a contradiction is easily reached.
The next theorem, namely
Φ(F) &Ψ(P,domain(F)) → Σ(F) =Σ( {[b, Σ(F|b)] : b∈P} )
followssinceΨ(P,domain(F))impliesΨ({F|b : b∈P}, F).
Proof of the summand rearrangement theorem seen above is now easy, be- cause
Svm(G) &D=domain(G) → Ψ( {G−1{x} : x∈range(G)}, D)
holdsfor anyD and hence in particular forD=domain(F).
The above line of proof suggests a useful preamble is to construct the follow- ing theory ofΨ:
THEORYis partition(p,s)
==>(flag) --this indicates whether or notsis partitioned byp flag ↔ s=
p& (∀b, v)(b=v → b∩v=∅) flag&Finite(s) → Finite(p)
flag&s=domain(F) &Q={F|b : b∈p} → F = Q &
(∀f, g∈Q)(f =g → f ∩g=∅) Svm(G) &s=domain(G) &p={G−1{y} : y∈range(G)} → flag ENDis partition.
6 Related Work
To support software design and specification, rapid prototyping, theorem prov- ing, user interface design, and hardware verification, various authors have pro- posed systems embodying constructs for modularization which are, under one respect or another, akin to ourTHEORYconstruct. Among such proposals lies the OBJ family of languages[15], which integratesspecification, prototyping, and verification into a system with a single underlying equational logic.
In the implementation OBJ3 of OBJ, a module can either be anobjector a theory: in either case it will have a set of equations as its body, but an object isexecutable and hasa fixed standard model whereasa theory describesnon- executable properties and has loose semantics, namely a variety of admissible models. Asearly asin 1985, OBJ2 [13] wasendowed with a generic module mechanism inspired by the mechanism for parameterized specifications of the Clear specification language [3]; the interface declarations of OBJ2 generics were not purely syntactic but contained semantic requirements that actual modules had to satisfy before they could be meaningfully substituted.
The use of OBJ for theorem-proving is aimed at providing mechanical assis- tance for proofsthat are needed in the development of software and hardware, more than at mechanizing mathematical proofs in the broad sense. This partly explainsthe big emphasiswhich the design of OBJ placeson equational reason- ing and the privileged role assigned to universal algebra: equational logic is in fact sufficiently powerful to describe any standard model within which one may want to carry out computations.
We observe that an equational formulation of set theory can be designed [11], and may even offer advantagesw.r.t. a more traditional formulation of Zermelo- Fraenkel in limited applicationswhere it isreasonable to expect that proofscan be found in fully automatic mode; nevertheless, overly insisting on equational reasoning in the realm of set theory would be preposterous in light of the highly interactive proof-verification environment which we envision.
We like to mention another ambitious project, closer in spirit to this paper although based on a sophisticated variant of Church’s typed lambda-calculus [6]: the Interactive Mathematical Proof System (IMPS) described in [10]. This
system manages a database of mathematics, represented as a collection of inter- connected axiomatic “little theories” which span graduate-level parts of analysis (about 25 theories: real numbers, partial orders, metric spaces, normed spaces, etc.), some algebra (monoids, groups, and fields), and also some theories more directly relevant to computer science (concerning state machines, domains for denotational semantics, and free recursive datatypes). The initial library caters for some fragments of set theory too: in particular, it contains theorems about cardinalities. Mathematical analysis is regarded as a significant arena for testing the adequacy of formalizations of mathematics, because analysis requires great expressive power for constructing proofs.
The authorsof [10] claim that IMPS supportsa view of the axiomatic method based on “little theories” tailored to the diverse fields of mathematics as well asthe “big theory” view in which all reasoning isperformed within a single powerful and highly expressive set theory. Greater emphasis is placed on the former approach, anyhow: with this approach, links —“conduits”, so to speak, to pass results from one theory to another— play a crucial role. To realize such links, a syntactic device named “theory interpretation” is used in a variety of ways to translate the language of a source theory to the language of a target theory so that the image of a theorem isalwaysa theorem: thismethod enables reuse of mathematical results “transported” from relatively abstract theories to more specialized ones.
One main difference of our approach w.r.t. that of IMPS isthat we are will- ing to invest more on the “big theory” approach and, accordingly, do not feel urged to rely on a higher-order logic where functionsare organized according to a type hierarchy. It may be contended that the typing discipline complies with everyday mathematical practice, and perhapsgiveshelpful cluesto the auto- mated reasoning mechanisms so as to ensure better performance; nevertheless, a well-thought type-free environment can be conceptually simpler.
Both OBJ and IMPS attach great importance to interconnectionsacross theories, inheritance to mention a most basic one, and “theory ensembles” to mention a nice feature of IMPS which enablesone to move, e.g., from the for- mal theory of a metric space to a family of interrelated replicas of it, which also caters for continuous mappings between metric spaces. As regards theory interconnections, the proposal we have made in this paper still awaits being enriched.
The literature on the OBJ family and on the IMPS system also stresses the kinship between the activity of proving theorems and computing in general;
even more so does the literature on systems, such as Nuprl [8] or the Calculus of Constructions [9], which rely on a constructive foundation, more or less close to Martin-L¨of’s intuitionistic type theory [19]. Important achievements, and in particular the conception of declarative programming languagessuch asProlog, stem in fact from the view that proof-search can be taken as a general paradigm of computation. On the other hand, we feel that too little hasbeen done, to date, in order to exploit a “proof-by-computation” paradigm aimed at enhanc- ing theorem-proving by meansof the ability to perform symbolic computations
efficiently in specialized contexts of algebra and analysis (a step in this direction was moved with [7]). Here is an issue that we intend to deepen in a forthcoming paper.
7 Conclusions
We view the activity of setting up detailed formalized proofs of important theo- rems in analysis and number theory as an essential part of the feasibility study that must precede the development of any ambitious proof-checker. In mathe- matics, set theory has emerged as the standard framework for such an enter- prise, and full computer-assisted certification of a modernized version of Prin- cipia Mathematica should now be possible. To convince ourselves of a verifier system’s ability to handle large-scale mathematical proofs —and such proofs cannot always be avoided in program-correctness verification—, it is best to follow the royal road paved by the work of Cauchy, Dedekind, Frege, Cantor, Peano, Whitehead–Russell, Zermelo–Fraenkel–von Neumann, and many others.
Only one facet of our work on large-scale proof scenarios is presented in this paper. Discussion on the nature of the basic inference steps a proof-verifier should (and reasonably can) handle has been omitted to focus our discussion on the issue of proof modularization. The obvious goal of modularization is to avoid repeating similar steps when the proofs of two theorems are closely analogous.
Modularization must also conceal the details of a proof once they have been fed into the system and successfully certified.
When coupled to a powerful underlying set theory, indefinitely expansible with new function symbols generated by Skolemization, the technical notion of “theory” proposed in this paper appears to meet such proof-modularization requirements. The examples provided, showing how often the THEORY con- struct can be exploited in proof scenarios, may convince the reader of the utility of thisconstruct.
Acknowledgements
We thank Ernst-Erich Doberkat (Universit¨at Dortmund, D), who brought to our attention the text by Frege cited in the epigraph of thispaper. We are indebted to Patrick Cegielski (Universit´e ParisXII, F) for helpful comments.
References
1. A. Blass and Y. Gurevich. The logic of choice.J. of Symbolic Logic, 65(3):1264–1310, 2000.
2. D. S. Bridges. Foundations of real and abstract analysis. Springer-Verlag, Graduate Texts in Mathematics vol.174, 1997.
3. R. Burstall and J. Goguen. Putting theories together to make specifications. In R. Reddy, ed, Proc. 5th International Joint Conference on Artificial Intelligence.
Cambridge, MA, pp. 1045–1058, 1977.
4. R. Caferra and G. Salzer, editors. Automated Deduction in Classical and Non- Classical Logics. LNCS 1761 (LNAI). Springer-Verlag, 2000.
5. P. Cegielski. Un fondement des math´ematiques. In M. Barbut et al., eds, La recherche de la v´erit´e. ACL – Les ´editions du Kangourou, 1999.
6. A. Church. A formulation of the simple theory of types. J. of Symbolic Logic, 5:56–68, 1940.
7. E. Clarke and X. Zhao. Analytica—A theorem prover in Mathematica. In D. Kapur, ed,Automated Deduction—CADE-11. Springer-Verlag, LNCS vol. 607, pp. 761–765, 1992.
8. R. L. Constable, S. F. Allen, H. M. Bromley, W. R. Cleaveland, J. F. Cremer, R. W. Harper, D. J. Howe, T. B. Knoblock, N. P. Mendler, P. Panangaden, J. T. Sasaki, and S. F. Smith. Implementing mathematics with the Nuprl devel- opment system. Prentice-Hall, Englewood Cliffs, NJ, 1986.
9. Th. Coquand and G. Huet. The calculus of constructions. Information and Com- putation, 76(2/3):95–120, 1988.
10. W. M. Farmer, J. D. Guttman, F. J. Thayer. IMPS: An interactive mathematical proof system. J. of Automated Reasoning, 11:213–248, 1993.
11. A. Formisano and E. Omodeo. An equational re-engineering of set theories. In Caferra and Salzer [4, pp. 175–190].
12. G. Frege. Logik in der Mathematik. InG. Frege, Schriften zur Logik und Sprach- philosophie. Aus dem Nachlaò herausgegeben von G. Gabriel. Felix Meiner Verlag, Philosophische Bibliothek, Band 277, Hamburg, pp. 92–165, 1971.
13. K. Futatsugi, J. A. Goguen, J.-P. Jouannaud, J. Meseguer. Principles of OBJ2. Proc. 12th annual ACM Symp. on Principles of Programming Languages (POPL’85), pp. 55-66, 1985.
14. R. Godement. Cours d’alg`ebre. Hermann, Paris, Collection Enseignement des Sciences, 3rd edition, 1966.
15. J. A. Goguen and G. Malcolm. Algebraic semantics of imperative programs. M IT, 1996.
16. T. J. Jech. Set theory. Springer-Verlag, Perspectives in Mathematical Logic, 2nd edition, 1997.
17. E. Landau. Foundation of analysis. The arithmetic of whole, rational, irrational and complex numbers. Chelsea Publishing Co., New York, 2nd edition, 1960.
18. A. Levy. Basic set theory. Springer-Verlag, Perspectives in Mathematical Logic, 1979.
19. P. Martin-L¨of. Intuitionistic type theory. Bibliopolis, Napoli, Studies in Proof Theory Series, 1984.
Completeness of R. Kowalski’s Connection Graph Proof Procedure
J¨org Siekmann1 and Graham Wrightson2
1 Universit¨at des Saarlandes, Stuhlsatzenhausweg, D-66123 Saarbr¨ucken, Germany.
siekmann@dfki.de
2 Department of Computer Science and Software Engineering, The University of Newcastle, NSW 2308, Australia.
graham@cs.newcastle.edu.au
Abstract. The connection graph proof procedure (or clause graph res- olution as it is more commonly called today) is a theorem proving tech- nique due to Robert Kowalski.It is a negative test calculus (a refutation procedure) based on resolution.Due to an intricate deletion mechanism that generalises the well-known purity principle, it substantially refines the usual notions of resolution-based systems and leads to a largely re- duced search space.The dynamic nature of the clause graph upon which this refutation procedure is based, poses novel meta-logical problems previously unencountered in logical deduction systems.Ever since its in- vention in 1975 the soundness, confluence and (strong) completeness of the procedure have been in doubt in spite of many partial results.This paper provides an introduction to the problem as well as an overview of the main results that have been obtained in the last twenty-five years.
1 Introduction to Clause Graph Resolution
We assume the reader to be familiar with the basic notions of resolution-based theorem proving (see, for example, Alan Robinson [1965], Chang, C.-L. and Lee, R.C.-T. [1973] or Don Loveland [1978]). Clause graphs introduced a new ingenious development into the field, the central idea of which is the following:
In standard resolution two resolvable literals must first be found in the set of sets of literals before a resolution step can be performed, where a set of literals represents a clause (i.e. a disjunction of these literals) and a statement to be refuted is represented as a set of clauses. Various techniques were developed to carry out this search. However, Robert Kowalski [1975] proposed an enhancement to the basic data structure in order to make possible resolution steps explicit, which — as it turned out in subsequent years — not only simplified the search, but also introduced new and unexpected logical problems. This enhancement was gained by the use of so-called links between complementary literals, thus turning the set notation into a graph-like structure. The new approach allowed in particular for the removal of a link after the corresponding resolution step and
A.C. Kakas, F. Sadri (Eds.): Computat. Logic (Kowalski Festschrift), LNAI 2408, pp. 231–252, 2002.
c Springer-Verlag Berlin Heidelberg 2002
a clause that contains a literal which is no longer connected by a link may be removed also (generalised purity principle). An important side effect was that this link removal had the potential to cause the disappearance of even more clauses from the current set of clauses (avalanche effect).
Although this effect could reduce the search space drastically it also had a significant impact on the underlying logical foundations. To quote Norbert Eisinger from his monograph on Kowalski’s clause graphs [1991]:
“LetSandSbe the current set of formulae before and after a deduction step S S. A step of a classical calculus and a resolution step both simply add a formula following from S. Thus, each interpreted as the conjunction of its members,S andS are always equivalent. For clause graph resolution, however,Smay contain formulae missing inS, and the removed formulae are not necessarily consequences of those still present in S. While this does not affect the forward implication, S does in general no longer ensue fromS. In other words, it is possible for S to possess more models thanS. But, whenSis unsatisfiable, so must beS, i.e.S must not have more models than S, if soundness, unsatisfiability and hence refutability, is to be preserved.”
This basic problem underlying all investigations of the properties of the clause graph procedure will be made more explicit in the following.
2 Clause Graph Resolution: The Problem
The standard resolution principle, calledset resolutionin the following, assumes the axioms and the negated theorem to be represented as a set of clauses. In contrast, the clause graph proof procedure represents the initial set of clauses as agraphby drawing a link between pairs of literal occurrences to denote that some relation holds between these two literals. If this relation is “complementarity”
(it may denote other relations as well, see e.g. Christoph Walter [1981], but this is the standard case and the basic point of interest in this paper) of the two literals, i.e. resolvability of the respective clauses, then an initial clause graph for the set
S={{ −P(z, c, z),−P(z, d, z)},{P(a, x, a),−P(a, b, c)},
{P(a, w, c), P(w, y, w)},{P(u, d, u),−P(b, u, d), P(u, b, b)}, {−P(a, b, b)},{−P(c, b, c), P(v, a, d), P(a, v, b)}}
is the graph in Figure 1. HereP is a ternary predicate symbol, letters from the beginning of the alphabet a, b, c, . . . denote constants, letters from the end of the alphabetx, y, z, v, . . . denote variables and−P(. . .) denotes the negation of P(. . .).
Example 1.
-Paxa -Pabc -Pawc -Pwyw -Pzcz -Pzdz
6 1
2 3
4
-Pcbc Pvad Pavb Pudu -Pbud Pavb
-Pabb 7
8 9
5 10
Fig. 1.
An appropriate most general unifier is associated with each link (not shown in the example of Figure 1). We use the now standard notation that adjacent boxes denote a clause, i.e. the conjunction of the literals in the boxes.
So far such a clause graph is just a data structure without commitment to a particular proof procedure and in fact there have been many proposals to base an automated deduction procedure on some graph-like notion (e.g. Andrews [1976], Andrews [1981], Bibel [1981b], Bibel [1982], Chang and Slagle [1979], Kowalski [1975], Shostak [1976], Shostak [1979], Sickel [1976], Stickel [1982], Yates and Raphael and Hart [1970], Omodeo [1982], Yarmush [1976], Murray and Rosenthal [1993], Murray and Rosenthal [1985]).
Kowalski’s procedure uses a graph-like data structure as well, but its impact is more fundamental since it operates now as follows: suppose we want to per- form the resolution step represented by link 6 in Figure 1 based on the unifier σ = {w → b}. Renaming the variables appropriately we obtain the resolvent {P(a, x, a), P(b, y, b)}which is inserted into the graph and if now all additional links are set this yields the graph:
-Paxa -Pabc -Pawc -Pwyw -Pzcz -Pzdz
Pax’a Pby’b 11 12 13 14
1
2 3
4
-Pcbc Pvad Pavb Pudu -Pbud Pavb
-Pabb 7
8 9
5 10
Fig. 2.
Now there are three essential operations:
1. The new links don’t have to be recomputed by comparing every pair of liter- als again for complementarity, but this information can instead be inherited from the given link structure.
2. The link resolved upon is deleted to mark the fact that this resolution step has already been performed,
3. Clauses that contain a literal with no link connecting it to the rest of the graph may be deleted (generalised purity principle).
While the first point is the essential ingredient for the computational attrac- tiveness of the clause graph procedure, the second and third points show the ambivalence between gross logical and computational advantages versus severe and novel theoretical problems. Let us turn to the above example again. After resolution upon link 6 we obtain the graph in Figure 2 above. Now since link 6 has been resolved upon we have it deleted it according to rule (2). But now the two literals involved become pure and hence the two clauses can be deleted as well leading to the following graph:
-Pzcz -Pzdz Pax’a Pby’b
11 12 13 14
-Pcbc Pvad Pavb Pudu -Pbud Pavb
-Pabb 7
8 10 9
Fig. 3.
But now the literal−P(c, b, c) in the bottom clause becomes pure as well and hence we have the graph:
-Pzcz -Pzdz Pax’a Pby’b
11 12 13 14
Pudu -Pbud Pavb
-Pabb 10 9
Fig. 4.
This removal causes the only literal−P(a, b, b) in the bottom clause to be- come pure and hence, after a single resolution step followed by all these purity deletions, we arrive at the final graph:
-Pzcz -Pzdz Pax’a Pby’b
11 12 13 14
Fig. 5.
It is this strong feature that reduces redundancy in the complementary set of clauses, that marks the fascination for this proof procedure (see Ohlbach [1985], Ohlbach [1983], Bl¨asius [1986] and [1987], Eisinger et al. [1989], Ohlbach and Siekmann [1991], Bl¨asius et al. [1981], Eisinger [1981], Eisinger and Siekmann and Unvericht [1979], Ohlbach [1987], Rameshet al.[1997], Murray and Rosen- thal [1993], Siekmann and Wrightson [1980]). It can sometimes even reduce the initial redundant set to its essential contradictory subset (subgraph). But this also marks its problematical theoretical status: how do we know that we have not deleted too many clauses? Skipping the details of an exact definition of the various inheritance mechanisms (see e.g. Eisinger [1991] for details) the following example demonstrates the problem.
Suppose we have the refutable setS={{P(a), P(a)},{−P a}}and its initial graph as in Figure 6, where PURmeans purity deletion and MERstands for merging two literals (Andrews [1968]), whilst RES stands for resolution.
Example 2.
-Pa
Pa Pa PUR PUR
?
Pa
-Pa -Pa
MER RES {2}
Fig. 6.
Thus in two steps we would arrive either at the empty set?, which stands for satisfiability, or in the lower derivation we arrive at the empty clause{}, which stands for unsatisfiability.
This example would seem to show that the procedure:
(i) is not confluent, as defined below (ii) is not sound (correct), and
(iii) is not refutation complete (at least not in the strong sense as defined below), and hence would be useless for all practical purposes.
But here we can spot the flaw immediately: the process did not start with the full initial graph, where all possible links are set. If, instead, all possible links are drawn in the initial graph, the example in Figure 6 fails to be a counterexample.
On the other hand, after a few initial steps we always have a graph with some links deleted, for example because they have been resolved upon. So how can we be sure that the same disastrous phenomenon, as in the above example, will not occur again later on in the derivation?
These problems have been called the confluence, the soundness and the (strong) completenessproblem of the clause graph procedure and it can be shown that for the original formulation of the procedure in Kowalski [1975] (with full