A tableau-based decision procedure for a fragment of set theory involving a restricted form of quantification⋆

Domenico Cantone¹ and Calogero G. Zarba²

¹ Università di Catania, Dipartimento di Matematica, Viale A. Doria 6, I-95125 Catania, Italy, e-mail: [email protected], telephone: +39 095 7383052 (office), +39 095 439640 (home)
² Stanford University, Computer Science Department, Gates Building, Stanford CA 94305, USA, e-mail: [email protected], telephone: +39 095 7890758
Abstract. We extend the unquantified set-theoretic fragment discussed in [1] with a restricted form of quantification, we prove decidability of the resulting fragment by means of a tableau calculus, and we address the efficiency problem of the underlying decision procedure by showing that the model-checking steps used in [1] are not necessary.
1 Introduction

In Computable Set Theory, a "core" decidable fragment is Multi-Level Syllogistic (in short MLS), namely the unquantified set theory involving the constant $\emptyset$ (empty set), the operators $\cup$ (union), $\cap$ (intersection) and $\setminus$ (set difference), and the predicates $\in$ (membership), $=$ (equality) and $\subseteq$ (set inclusion). Its satisfiability decision problem was first solved in [7], the paper which started the research field of computable set theory. Several extensions of MLS were proved decidable, among them Multi-Level Syllogistic with Singleton (in short MLSS), which extends MLS with the singleton operator $\{\cdot\}$. A decision procedure for MLSS was first stated as a tableau calculus in [4]. However, it was not until 1997 that the problem of efficiently deciding fragments of set theory was seriously tackled, when a fast saturation strategy based on interleaving model-checking steps with saturation ones was introduced in [3] for a tableau calculus for MLSS. In [1] another tableau calculus for MLSS, still based on the model-checking approach, was presented, in which formulae do not need to be expressed in a normalized form, in contrast to [3], where formulae need a preprocessing normalization phase. The same paper also presented a complete tableau calculus for the fragment MLSSF, resulting from the extension of MLSS with uninterpreted function symbols. However, the tableau calculus for MLSSF presented in [1] is not a decision procedure, though a promising optimization based on the concept of rigid E-unification was given.

Recently, in [5] we proposed a more efficient strategy which does not require the model-checking steps, though limited to the fragment MLSS. In this paper we apply and further improve the idea of [5] to the larger fragment MLSSF∀, which is obtained by extending MLSSF with a restricted form of quantification. In contrast with [1], we provide not only a sound and complete tableau calculus for MLSSF∀, but also a practical saturation strategy which is guaranteed to terminate. MLSSF∀ is related to the theory presented in [2]. However, the decision procedure described there, which is not stated as a tableau calculus, is highly non-deterministic and not suitable for automation.

The paper is organized as follows. In Section 2 we introduce the syntax and semantics of MLSSF∀ and we also give some examples to illustrate its expressive power. In Section 3 we present a tableau calculus for MLSSF∀ and introduce some restrictions on the applicability of some of its rules to enforce termination. Total correctness of the MLSSF∀-tableau calculus is proved in Section 4. In Section 5 we discuss some optimizations of the MLSSF∀-tableau calculus and make comparisons with those presented in [1] and [3]. Finally, in Section 6 we hint at some directions for future research.

⋆ This work has been partially supported by the C.N.R. of Italy, coordinated project SETA, by M.U.R.S.T. Project "Tecniche speciali per la specifica, l'analisi, la verifica, la sintesi e la trasformazione di programmi", and by project "Deduction in Set Theory: A Tool for Software Verification" under the 1998 Vigoni Program.
2 Syntax and Semantics

The basic elements of the language of MLSSF∀ are:

– denumerably many variables $x_1, x_2, \ldots$, denumerably many uninterpreted constants $c_1, c_2, \ldots$, and denumerably many uninterpreted unary function symbols $f_1, f_2, \ldots$,
– the interpreted constant $\emptyset$ (empty set), and the interpreted function symbols $\sqcup$ (union), $\sqcap$ (intersection), $\setminus$ (set difference) and $[\cdot]$ (singleton),
– the interpreted predicate symbols $\in$ (membership) and $=$ (equality),
– the logical connectives $\neg$ and $\wedge$,¹
– the universal quantifier symbol $\forall$.
¹ In our treatment, $\neg\neg p$ is considered to be a syntactic variation of $p$.

To simplify notation, we use the abbreviations $s \notin t$ and $s \neq t$ to denote $\neg(s \in t)$ and $\neg(s = t)$, respectively. Next we define the fragment MLSSF∀.

Definition 1. An MLSSF∀-formula $\varphi$ is a logical formula constructed with the elements of the language MLSSF∀ such that each subformula of $\varphi$ of type $\forall x \in t : \psi$ has a positive polarity and moreover satisfies the following conditions:
– $t$ is ground, and
– the variable $x$ cannot be a proper subterm of a term $t'$ in $\psi$ such that $t'$ involves some interpreted symbols, or $t'$ occurs on the left-hand side of a membership literal.

Thus, for instance, if $s$ and $t$ are ground terms, then $\forall x \in t : f(x) = s$ and $s = t$ are MLSSF∀-formulae, whereas $\forall x \in t : [x] = s$, $\forall x \in t : f(x) \in s$, and $\forall x \in t : \forall y \in x : \varphi$ are not MLSSF∀-formulae.

Definition 2. The degree $d$ of MLSSF∀-formulae is recursively defined by
$$d(\ell) = 0, \qquad d(\varphi \wedge \psi) = d(\neg(\varphi \wedge \psi)) = d(\varphi) + d(\psi) + 1, \qquad d(\forall x \in t : \varphi) = d(\varphi) + 1,$$
where $\ell$ stands for a literal.

The semantics of MLSSF∀ is based upon the von Neumann standard cumulative hierarchy $V$ of sets, defined by $V_0 = \emptyset$, $V_{\alpha+1} = \mathcal{P}(V_\alpha)$ for each ordinal $\alpha$, and $V_\lambda = \bigcup_{\alpha < \lambda} V_\alpha$ for each limit ordinal $\lambda$.

0 in either case. For the inductive step, without loss of generality let $s \in t_1$ and $s \notin t_2$ be in $\theta$ (their occurrence is due to saturation with respect to rule (13)), for some $s$. Then $R_\theta s \in R_\theta t_1$, which implies $R_\theta s \in R_\theta t_2$, so that by construction of $R_\theta$ there exists $s'$ such that $R_\theta s = R_\theta s'$ and $s' \in t_2$ occurs in $\theta$. Notice that $s' \neq s$ (otherwise $\theta$ would be closed). Since by Lemma 4 we have $h(s) = h(s') < h(t_1)$, we can apply the inductive hypothesis and obtain the contradiction $R_\theta s \neq R_\theta s'$.

(iv) Let $s \notin t$ be in $\theta$ but $R_\theta s \in R_\theta t$. Then there exists $s'$ different from $s$ such that $R_\theta s = R_\theta s'$ and $s' \in t$ occurs in $\theta$. By saturation $s \neq s'$ is in $\theta$, and by (iii) $R_\theta s \neq R_\theta s'$, a contradiction.
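Definitions 1 and 2 of Section 2, as an added example that is not the paper's own code: a checker for the MLSSF∀ conditions (polarity, ground bounding term, placement of the bound variable) and the degree, over a tuple encoding of terms and formulae that is an assumption of this example.

```python
# Added example, not from the paper: a checker for Definition 1 and the degree of
# Definition 2, over a tuple encoding that is an assumption of this example.
# Terms: ('var', x) | ('const', c) | ('empty',) | ('fun', f, t) | ('single', t) | ('union', t1, t2) | ('inter', t1, t2) | ('diff', t1, t2)
# Formulas: ('in', s, t) | ('eq', s, t) | ('not', p) | ('and', p, q) | ('forall', x, t, p)
INTERPRETED = {'empty', 'union', 'inter', 'diff', 'single'}

def subterms(t):                            # all subterms of t, t itself included
    yield t
    for arg in t[1:]:
        if isinstance(arg, tuple):
            yield from subterms(arg)

def terms_of(phi):
    """Yield (term, on_lhs_of_membership) for each maximal term of phi."""
    kind = phi[0]
    if kind in ('in', 'eq'):
        yield phi[1], kind == 'in'
        yield phi[2], False
    elif kind in ('not', 'and'):
        for sub in phi[1:]:
            yield from terms_of(sub)
    else:                                   # forall: bounding term, then body
        yield phi[2], False
        yield from terms_of(phi[3])

def is_mlssf_forall_formula(phi, positive=True):
    """Definition 1: each ∀x∈t:ψ has positive polarity and ground t, and x is not a proper
    subterm of a term of ψ involving an interpreted symbol or on the left of a membership literal."""
    kind = phi[0]
    if kind in ('in', 'eq'):
        return True
    if kind == 'not':
        return is_mlssf_forall_formula(phi[1], not positive)    # ¬ flips polarity
    if kind == 'and':
        return all(is_mlssf_forall_formula(p, positive) for p in phi[1:])
    x, t, body = ('var', phi[1]), phi[2], phi[3]
    if not positive or any(u[0] == 'var' for u in subterms(t)):
        return False                                             # negative, or t not ground
    for term, lhs in terms_of(body):
        if lhs and term != x and x in subterms(term):
            return False                                         # e.g. f(x) ∈ s
        for u in subterms(term):
            if u != x and x in subterms(u) and any(v[0] in INTERPRETED for v in subterms(u)):
                return False                                     # e.g. [x] = s
    return is_mlssf_forall_formula(body, positive)

def degree(phi):
    """Definition 2: literals have degree 0; ¬¬p is read as p (footnote 1)."""
    if phi[0] == 'not' and phi[1][0] == 'not':
        return degree(phi[1][1])
    p = phi[1] if phi[0] == 'not' else phi           # ¬(p ∧ q) counts like p ∧ q
    if p[0] in ('in', 'eq'):
        return 0
    if p[0] == 'and':
        return degree(p[1]) + degree(p[2]) + 1
    return degree(p[3]) + 1                          # ∀x∈t:ψ
```

The checker reproduces the verdicts of the examples following Definition 1, including the nested quantifier $\forall x \in t : \forall y \in x : \varphi$, which fails because the inner bounding term is not ground.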
Next we show that the operators too are correctly modeled by $R_\theta$ (and therefore by $M_\theta$), for an open and saturated branch $\theta$.

Lemma 7. Let $\theta$ be an open and saturated branch in a tableau for $\varphi$. Then the realization $R_\theta$ is coherent.

Proof. Let $\theta$ be an open and saturated branch. We prove that $R_\theta t = M_\theta t$, for each $t$ in $P \cup T_\varphi$, by structural induction on $t$. The base case is trivial for uninterpreted constants. Concerning $\emptyset$, notice that trivially $M_\theta \emptyset = \emptyset$ and that $R_\theta \emptyset = \emptyset$, since $\theta$ is open. For the inductive step we prove only that $R_\theta(t_1 \sqcap t_2) = M_\theta(t_1 \sqcap t_2)$ and $R_\theta(f(t)) = M_\theta(f(t))$ (the other cases are similar).

Concerning $\sqcap$, suppose that $a \in R_\theta(t_1 \sqcap t_2)$. Then there exists a term $s$ such that $R_\theta s = a$ and $s \in t_1 \sqcap t_2$ occurs in $\theta$, and since $\theta$ is saturated both $s \in t_1$ and $s \in t_2$ occur in $\theta$. By Lemma 6, $R_\theta s \in R_\theta t_1$ and $R_\theta s \in R_\theta t_2$, and by the inductive hypothesis $a \in M_\theta t_1 \cap M_\theta t_2 = M_\theta(t_1 \sqcap t_2)$. Conversely, if $a \in M_\theta(t_1 \sqcap t_2)$ then $a \in M_\theta t_1 \cap M_\theta t_2$, and by the inductive hypothesis $a \in R_\theta t_1 \cap R_\theta t_2$. After noticing that, because of the restrictions imposed on the application of the rules, it must be the case that $t_1, t_2 \in T_0$, it follows that there exist $s', s''$ such that $R_\theta s' = R_\theta s'' = a$ and both $s' \in t_1$ and $s'' \in t_2$ occur in $\theta$. By saturation, either $s' \in t_2$ or $s' \notin t_2$ occurs in $\theta$. In the former case $s' \in t_1 \sqcap t_2$ occurs in $\theta$, and therefore $a \in R_\theta(t_1 \sqcap t_2)$. In the latter case $s' \neq s''$ occurs in $\theta$, and therefore $R_\theta s' \neq R_\theta s''$, a contradiction.

Now, suppose that $a \in R_\theta(f(t))$. If $a = u_{f(t)}$ (which may happen only if $f(t) \in P_0$) then, by construction of $f^{M_\theta}$, $a \in f^{M_\theta}(R_\theta t)$, and by the inductive hypothesis $a \in f^{M_\theta}(M_\theta t) = M_\theta(f(t))$. Otherwise, there exists a term $s$ such that $R_\theta s = a$ and $s \in f(t)$ occurs in $\theta$. By definition of $f^{M_\theta}$, $a \in f^{M_\theta}(R_\theta t)$, and again by the inductive hypothesis $a \in f^{M_\theta}(M_\theta t) = M_\theta(f(t))$. Conversely, if $a \in M_\theta(f(t))$ then $a \in f^{M_\theta}(M_\theta t)$, and by the inductive hypothesis $a \in f^{M_\theta}(R_\theta t)$. Now there are two cases to consider: (a) there exists a term $t'$ such that $R_\theta t = R_\theta t'$ and $a = u_{f(t')}$, and (b) there exist terms $s, t'$ such that $R_\theta s = a$, $R_\theta t = R_\theta t'$ and the literal $s \in f(t')$ is in $\theta$. In case (a), by saturation, either $t = t'$ occurs in $\theta$ (and the claim holds, since $u_{f(t)} = u_{f(t')}$ and $u_{f(t)} \in R_\theta f(t)$), or $t \neq t'$ occurs in $\theta$ (which would lead to a contradiction). In case (b), by saturation either $t = t'$ or $t \neq t'$ occurs in $\theta$. In the former case $f(t) = f(t')$ is in $\theta$, as well as $s \in f(t)$, and therefore $a \in R_\theta(f(t))$. In the latter case $R_\theta t \neq R_\theta t'$, a contradiction.

The following lemma concludes the proof of completeness.

Lemma 8. If $\theta$ is an open and saturated branch in a tableau for $\varphi$, then it is satisfiable, and indeed it is satisfied by $M_\theta$.

Proof. First notice that, by combining Lemmas 6 and 7, it follows that $M_\theta \models \ell$ for each literal $\ell$ occurring in $\theta$. Proceeding by induction on the degree of the formulae in $\theta$, it is easy to see that formulae of the form $p \wedge q$ and $\neg(p \wedge q)$ are satisfied by $M_\theta$ as well. Therefore, it remains to show that each formula of the form $\forall x \in t : \psi$ is satisfied by $M_\theta$ (notice that formulae of the form $\neg(\forall x \in t : \psi)$ cannot occur in $\theta$). Thus, suppose by contradiction that a formula $\forall x \in t : \psi$ is in $\theta$, but $M_\theta \not\models \forall x \in t : \psi$. Then there exists a set $a \in M_\theta t$ such that $M_{\theta,\{x \mapsto a\}} \not\models \psi$, where $M_{\theta,\{x \mapsto a\}}$ denotes the set model identical to $M_\theta$ with the possible exception of $x$, which is modeled by $a$. Since by Lemma 7 $R_\theta$ is coherent, we have $a \in R_\theta t$, and therefore there exists a term $s$ such that $R_\theta s = a$ and the literal $s \in t$ occurs in $\theta$. Without loss of generality we can suppose that $s \in T_\varphi \cup T_{(13)}$ (otherwise, by Lemma 5 there would be a term $s'$ in $T_\varphi \cup T_{(13)}$ such that the literal $s = s'$ would be in $\theta$, and $s'$ would play the role of $s$ in the following discussion). By saturation $\psi^{s}_{x}$ is in $\theta$, and by the inductive hypothesis $M_\theta \models \psi^{s}_{x}$. But this is a contradiction, since basic model properties and the fact that $M_\theta s = a$ tell us that $M_{\theta,\{x \mapsto a\}} \not\models \psi$ and $M_\theta \models \psi^{s}_{x}$ cannot both hold simultaneously.

Summing up, we have proved

Theorem 1. The tableau calculus for MLSSF∀ is complete, even if subject to restrictions R1–R6.
5 Efficiency Issues

We first present some possible optimizations to the tableau calculus presented in the previous sections. Then, we compare our approach with those used in [1] and [3].
5.1 Minimizing the Branching Factor

It is possible to lower the branching factor of a tableau constructed by means of the rules (1)–(18) of Table 3 by noticing the asymmetry of the part relative to $\sqcap$ in restriction R4: if a term $t_1 \sqcap t_2$ is in a branch $\theta$, and a literal $s \in t_1$ is in $\theta$, then the application of a cut rule is required; if instead $s \in t_2$ is in $\theta$, nothing is required. Now, one could have made the opposite choice, requiring a cut when a literal $s \in t_2$ is in $\theta$, and nothing when $s \in t_1$ is in $\theta$. This basic observation allows the promised optimization. Specifically, it is possible to adapt the proofs in Section 4 in order to prove that if a term $t_1 \sqcap t_2$ is in $\theta$ and either $R_\theta t_1$ or $R_\theta t_2$ is empty, then no cut is needed. If instead both $R_\theta t_1$ and $R_\theta t_2$ are non-empty, then one can choose whether splits are triggered by $s \in t_1$ occurrences or by $s \in t_2$ occurrences, provided the choice is always the same in the whole history of saturation of $\theta$ for the specific term $t_1 \sqcap t_2$ (a different choice might be made for another term $t'_1 \sqcap t'_2$).

But the best improvement is achieved by adopting the KE calculus. From [6] it is known that Smullyan's tableaux suffer from some anomalies, but that these can be solved by adopting an approach based on the calculus KE, which forces branches to be mutually exclusive and attains an exponential speed-up with respect to Smullyan's tableaux. Let us now show how the splitting rules (1), (13), and (17) in Table 3 can be redesigned in order to make branches mutually exclusive (notice that cut rules (14) and (15) do not need to be changed). It is not difficult to fix rule (1), by substituting it with the rules
$$\frac{s \in t_1 \sqcup t_2 \qquad s \notin t_2}{s \in t_1} \qquad\qquad \frac{s \in t_1 \sqcup t_2 \qquad s \notin t_1}{s \in t_2}$$
and by requiring the application of the cut rule (15) when a formula of the form $s \in t_1 \sqcup t_2$ is in a branch $\theta$, but neither $s \in t_1$ nor $s \in t_2$ is in $\theta$. While rule (17) can be handled in a similar way, rule (13) is more challenging. In the subfragment MLSSF there is no clear way to solve the problem in a simple and elegant manner. In fact, one could think of substituting rule (13) with, for instance,
$$\frac{t_1 \neq t_2}{\begin{array}{c|c} c \in t_1 & c \notin t_1 \\ c \notin t_2 & c \in t_2 \\ & t_1 \sqcup t_2 = t_2 \end{array}}$$
(the two columns are the two branches). But by doing so a new term $t_1 \sqcup t_2$ is introduced, and termination would be in jeopardy (or, at least, more difficult to prove). Instead, using the expressiveness of MLSSF∀, one can substitute rule (13) with
$$\frac{t_1 \neq t_2}{\begin{array}{c|c} c \in t_1 & c \notin t_1 \\ c \notin t_2 & c \in t_2 \\ & \forall x \in t_1 : x \in t_2 \end{array}}$$
without generating new terms, therefore ensuring termination, and fully achieving our purpose of solving the anomalies of Smullyan's tableaux in the spirit of the KE calculus.
5.2 Model Checking or Exhaustive Saturation?

A legitimate question about the comparison between the interleaving model-checking approach used in [1, 3] and the exhaustive approach used in this paper and in [5] is "does the new approach really do less work than the previous one?" We claim that the new approach does not require more applications of split rules than the previous one. Moreover, useful cuts can be decided more efficiently. In fact, notice that
– the applications of rule (1) (or the corresponding cut rules required if one wishes to use the KE approach) correspond to rule (R7) in [1], and to rule (3) in [3];
– the applications of rule (17) correspond to the $\beta$-propositional scheme given in [1]. There is no counterpart in [3], since there only conjunctions of normalized literals were considered;
– the applications of rule (13) hinted at by restriction R3 (cf. Section 3.1) correspond to rule (R12) in [1] and to rule (12) in [3];
– literals of the form $s \notin t_1 \sqcap t_2$ and $s \notin t_1 \setminus t_2$ do not trigger any split rule, in contrast to rules (R8) and (R9) in [1].

Roughly, the cuts that in the previous approach were triggered by the model-checking steps correspond to the applications of the cut rule (14) hinted at by restriction R4. (The part relative to the set difference operator $\setminus$ closely resembles rule (11) in [3].) Therefore, we can expect that the size of the tableau built with the new approach is not greater than the size of the tableau built with the old approach.

Now, what is the new cost for deciding cuts? In the previous approach, deciding a cut is very costly, since one has to build a model and verify that the model satisfies the branch. Instead, in the new approach it is possible to decide more efficiently which cut to apply, provided that suitable information is collected in the linear saturation phase (the linear saturation phase consists in the exhaustive application of all the rules in Table 3 except the splitting ones). For instance, it could be enough to maintain a list $L$ of pending cuts of the form
– $t_1 \neq t_2$, for rule (13),
– $s \in^{?} t$, for rule (14),
– $t_1 \setminus t_2$, for rule (15),
and then the following high-level code

    if s ∈ t1 is in θ or s ∈ t2 is in θ then
        skip
    else if s ∉ t1 is in θ then
        θ := θ ∪ {s ∈ t2}
    else if s ∉ t2 is in θ then
        θ := θ ∪ {s ∈ t1}
    else
        L := L ∪ {s ∈? t1}
    end if

could be called during the linear saturation phase when a literal $s \in t_1 \sqcup t_2$ occurs in a branch $\theta$ (other types of literals could be handled similarly). When $\theta$ is linearly saturated, and possibly after a closure check, it is enough to choose arbitrarily an element from $L$ and apply the relative cut rule (of course implementation details might be trickier, but the basic idea should be clear).
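The pending-cut bookkeeping just described, together with the KE-style version of rule (1) from Section 5.1, as an added example that is not the paper's code: a linear saturation loop for union literals that fills the list $L$, followed by the deferred cut and a closure check. The tuple encoding of terms and literals, the linear treatment of $s \notin t_1 \sqcup t_2$, and the shape of the cut on $s \in^{?} t_1$ are assumptions of this example.

```python
# Added example, not the paper's code: the pending-cut bookkeeping of Section 5.2
# for literals s ∈ t1 ⊔ t2, using the KE-style version of rule (1) from Section 5.1.
# Encoding (an assumption of this example): terms are tuples such as ('c', 's') for
# a constant or ('union', t1, t2); literals are ('in', s, t) / ('notin', s, t); a
# pending cut "s ∈? t1", with t = t1 ⊔ t2 the union literal's term, is stored as (s, t).

def negate(lit):
    return ('notin' if lit[0] == 'in' else 'in', lit[1], lit[2])

def is_closed(branch):
    """A branch is closed when it contains a literal together with its negation."""
    return any(negate(lit) in branch for lit in branch)

def linear_saturation(branch):
    """Exhaustively apply the non-branching treatment of s ∈ t1 ⊔ t2 (and of
    s ∉ t1 ⊔ t2, assumed here to yield s ∉ t1 and s ∉ t2); return the saturated
    branch together with the list L of pending cuts."""
    branch, pending = set(branch), set()
    changed = True
    while changed:
        changed = False
        for kind, s, t in list(branch):
            if t[0] != 'union':
                continue
            t1, t2 = t[1], t[2]
            if kind == 'notin':
                new = {('notin', s, t1), ('notin', s, t2)}
            elif ('in', s, t1) in branch or ('in', s, t2) in branch:
                new = set()                          # skip
            elif ('notin', s, t1) in branch:
                new = {('in', s, t2)}                # KE-style rule (1)
            elif ('notin', s, t2) in branch:
                new = {('in', s, t1)}
            else:
                pending.add((s, t))                  # L := L ∪ {s ∈? t1}
                new = set()
            if not new <= branch:
                branch |= new
                changed = True
    # a cut is no longer pending once later linear steps have settled s ∈ t1
    pending = {(s, t) for (s, t) in pending
               if not ({('in', s, t[1]), ('in', s, t[2]), ('notin', s, t[1])} & branch)}
    return branch, pending

def apply_cut(branch, cut):
    """Cut on s ∈? t1 (assumed to split into s ∈ t1 and s ∉ t1), re-saturate
    both sides linearly and keep only the open ones."""
    s, t = cut
    open_branches = []
    for lit in (('in', s, t[1]), ('notin', s, t[1])):
        side, _ = linear_saturation(branch | {lit})
        if not is_closed(side):
            open_branches.append(side)
    return open_branches
```

On a branch containing only $s \in a \sqcup b$ the loop records the cut $s \in^{?} a$ instead of splitting immediately, and the two sides produced afterwards are mutually exclusive, the second one carrying $s \notin a$ and the derived $s \in b$.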
6 Conclusion and Future Developments

We have presented a sound and complete tableau calculus for the fragment MLSSF∀, which extends MLSSF with a restricted form of quantification. We have also provided a saturation strategy which is guaranteed to terminate. The basic idea is the same as in [5], but applied to a more general case. We plan to extend our approach to admit also the constants N and O, which allow one to state interesting facts about natural numbers and ordinals (cf. [2]). We also plan to extend our approach to other fragments of set theory (cf. [4]).
Acknowledgments

The authors wish to thank Tomas E. Uribe for helpful comments, and Nikolaj S. Bjørner for insightful discussion. The second author wishes to thank Prof. Zohar Manna for having given him the opportunity to visit his REACT group.
References

1. B. Beckert and U. Hartmer. A tableau calculus for quantifier-free set theoretic formulae. In Harrie de Swart, editor, Proceedings of the International Conference on Automated Reasoning with Analytic Tableaux and Related Methods, Oisterwijk, The Netherlands, volume 1397 of LNAI, pages 93–107. Springer-Verlag, 1998.
2. M. Breban, A. Ferro, E. G. Omodeo, and J. T. Schwartz. Decision procedures for elementary sublanguages of set theory. I. Formulas involving restricted quantifiers, together with ordinals, integer, map and domain notions. Comm. Pure Appl. Math., 34:177–195, 1981.
3. D. Cantone. A fast saturation strategy for set-theoretic tableaux. In Didier Galmiche, editor, Proceedings of the International Conference on Automated Reasoning with Analytic Tableaux and Related Methods, volume 1227 of LNAI, pages 122–137. Springer-Verlag, May 1997.
4. D. Cantone and A. Ferro. Techniques of computable set theory with applications to proof verification. Comm. Pure Appl. Math., XLVIII:1–45, 1995.
5. D. Cantone and C. G. Zarba. A new fast decision procedure for an unquantified fragment of set theory. In International Workshop in First-Order Theorem Proving FTP '98, 1998.
6. M. D'Agostino and M. Mondadori. The taming of the cut. Classical refutations with analytic cut. Journal of Logic and Computation, 4(3):285–319, June 1994.
7. A. Ferro, E. G. Omodeo, and J. T. Schwartz. Decision procedures for elementary sublanguages of set theory. II. Multilevel syllogistic and some extensions. Comm. Pure Appl. Math., 33:599–608, 1980.
8. D. C. Oppen. Complexity, convexity and combinations of theories. Theoretical Computer Science, 12(3):291–302, November 1980.