APPLICATION OP AUTOMATIC

APPLICATION OP AUTOMATIC TRANSFORMATIONS TO PROGRAM VERIFICATION*

R. L. V e r o f f A p p l i e d Mathematics D i v i s i o n Argonne N a t i o n a l Laboratory Argonne, IL 60439

L. J. Henschen E l e c t r i c a l Eng. and Computer S c l . Northwestern U n i v e r s i t y Evanston, IL 60201

ABSTRACT

1.

A technique for incorporating automatic transformations into processes such as the a p p l i c a t i o n of i n f e r e n c e r u l e s , subsumptlon, and demodulation provides a mechanism f o r improving search s t r a t e g i e s f o r theorem proving problems a r i s i n g from the f i e l d o f program v e r i f i c a t i o n . The i n c o r p o r a t i o n of automatic t r a n s f o r m a t i o n s i n t o the i n f e r e n c e process can a l t e r the aearch space f o r a given problem and is p a r t i c u l a r l y u s e f u l f o r problems having "broad" r a t h e r than "deep" p r o o f s . The technique can a l s o be used to permit the g e n e r a t i o n of inferences t h a t might otherwise be blocked and to b u i l d some commutatlvlty or associativity into the unification process* Appropriate choice of t r a n s f o r m a t i o n s and new l i t e r a l c l a s h i n g and u n i f i c a t i o n a l g o r i t h m s f o r a p p l y i n g them showed s i g n i f i c a n t improvement on several r e a l problems according t o several d i s t i n c t criteria.

U n i f i c a t i o n in the presence of an e q u a t i o n a l theory ( [ 1 ] , [4], [5], [10], and [ 1 3 ] ) S i m p l i f i c a t i o n w i t h complete reductions ( [ 2 ] , [3] and [ 4 ] )

3.

set 8

of

Special r u l e s o f inference ( [ 6 ] , [ 7 ] , [ 8 ] , [11] and [ 1 5 ] )

The technique presented in t h i s paper allows some theory to be b u i l t i n t o the inference process but d i f f e r s s i g n i f i c a n t l y from the above three approaches. Unlike the f i r s t approach, our technique does not attempt to f i n d the f u l l set of u n i f i e r s when used In the context of a u n i f i c a t i o n algorithm. Unlike the second approach, the t r a n s f o r m a t i o n concept can apply to predicates and l i t e r a l s as w e l l as to terms and is not o r i e n t e d towards complete sets of reductions ( w h i c h , in f a c t , do not always e x i s t ) . And u n l i k e the t h i r d approach, the process is guided by the u s e r ' s choice o f e l i g i b l e t r a n s f o r m a t i o n s .

INTRODUCTION

We f e e l t h a t it is important to r e i t e r a t e our p e r s p e c t i v e and point of view. Complete methods ( e . g . , uniform s t r a t e g i e s and complete sets of reductions) have many I n t e r e s t i n g t h e o r e t i c a l p r o p e r t i e s . U n f o r t u n a t e l y , 15 years of experience has shown t h a t such methods do not y i e l d u s e f u l theorem provers by themselves. In order to a c t u a l l y prove theorems, i t i s necessary t o i n c l u d e many h e u r i s t i c s t h a t not only make the program Incomplete, but o f t e n make it too complex even to analyze. We f e e l t h a t the technique presented in t h i s paper Is important and u s e f u l in s p i t e of the lack of completeness. Although we do prove some r e s u l t s about the o p e r a t i o n a l c h a r a c t e r i s t i c s of our proposals, we are not o v e r l y concerned about p r o p e r t i e s such as c o n f l u e n c e , completeness, or m i n i m a l i t y of the various expanded versions of our algorithms.

In t h i s paper we provide a technique f o r improving the proof search strategy for a p a r t i c u l a r class of problems, namely, those in which the concept of t r a n s f o r m a t i o n of a l i t e r a l or term plays a l a r g e r o l e . The technique i n v o l v e s i n c o r p o r a t i n g automatic t r a n s f o r m a t i o n s I n t o the i n f e r e n c e process by modifying the existing u n i f i c a t i o n and c l a s h i n g a l g o r i t h m s . I n a d d i t i o n t o s i g n i f i c a n t l y r e o r d e r i n g the proof search space f o r these problems, the i n c o r p o r a t i o n of automatic t r a n s f o r m a t i o n s allows many d e s i r a b l e inferences t h a t might otherwise be blocked ( e . g . , by demodulation or by o r d e r i n g the arguments of e q u a l i t y l i t e r a l s in a canonical way). The automatic t r a n s f o r m a t i o n concept presented in t h i s paper is a p p l i c a b l e to any area t h a t has "rewrite" .relations (e.g., commutatlvlty, a s s o c i a t i v i t y , or o r d e r i n g r e l a t i o n s ) . The new literal clashing and expanded unification a l g o r i t h m s are p a r t i c u l a r l y e f f e c t i v e i n areas t h a t tend to have "broad" r a t h e r than "deep" p r o o f s . Program v e r i f i c a t i o n is one such area.

This pai e r i s d i v i d e d i n t o f i v e s e c t i o n s . Section I I discusses the m o t i v a t i o n f o r I n c l u d i n g automatic t r a n s f o r m a t i o n s in the Inference process. Section I I I presents the new l i t e r a l c l a s h i n g and u n i f i c a t i o n a l g o r i t h m s . Section I V evaluates t e s t r e s u l t s from the new a l g o r i t h m s . F i n a l l y , Section V summarises our ideas and suggests areas r e q u i r i n g further investigation.

Various methods f o r b u i l d i n g a theory i n t o an automated theorem proving system have been considered i n the l i t e r a t u r e . Most f a l l i n t o one or more of three l o o s e l y d e f i n e d approaches:

It is assumed t h a t the reader has some basic knowledge of l o g i c , automated theorem proving and program v e r i f i c a t i o n . In particular, familiarity w i t h the concepts of subsumptlon and demodulation and w i t h the i n f e r e n c e r u l e s resolution and paramodulatlon is assumed.

* This work was supported by the Applied Mathe­ m a t i c a l Sciences Research Program (KC-04-02) of the O f f i c e of Energy Research of the U.S. Department of Energy under Contract W~31-iOt-Eng~38.

472

II.

MOTIVATION

In t h i s s e c t i o n we motivate our technique. Subsection A discusses the nature of program v e r i f i c a t i o n p r o o f s , and Subsection B discusses b u i l t - i n Incompleteness. A.

Nature of Program V e r i f i c a t i o n Proofs

Program v e r i f i c a t i o n proofs o f t e n have a p o t e n t i a l l y u s e f u l property w i t h respect to the graph t h a t represents the search space. A proof o f t e n e x i s t s t h a t i s "broad" rather than "deep." That i s , the l a s t step is a hyper-resolvent of clauses CI through Cn, where each Ci is d e r i v a b l e from the Input clauses w i t h a r e l a t i v e l y low l e v e l deduction. F u r t h e r , many of the CI d i f f e r from t h e i r parents only in the form or sign of a l i t e r a l or term. For example, a l i t e r a l LT(A,B) in an input clause may have to be transformed i n t o ~LT(B,A) before i t w i l l clash w i t h the d e n i a l o f the theorem. This t r a n s f o r m a t i o n is c u r r e n t l y accomplished by r e s o l v i n g w i t h one of the many clauses t h a t give the p r o p e r t i e s of LT, EQUAL, GT, etc. U n f o r t u n a t e l y , these axioms produce huge numbers of other resolvents at the same l e v e l s as the C i . These clauses and t h e i r descendants o f t e n s i g n i f i c a n t l y delay progress to a p r o o f . We propose to Incorporate c e r t a i n r e l a t i o n s (such as LT(X,Y) ~LT(Y,X) and commutativity of a function) into the literal clashing and u n i f i c a t i o n processes. The r e l a t i o n s w i l l behave l i k e l i t e r a l and term transformations i n t h i s context. The new a l g o r i t h m s have two d i s t i n c t e f f e c t s : 1.

More general clauses are generated sooner by a l l o w i n g the r e s o l u t i o n of more l i t e r a l s . The e a r l i e r generation of more general clauses can have a s i g n i f i c a n t e f f e c t on a proof search by preventing the generation of many less general clauses and t h e i r corresponding descendants.

2.

C e r t a i n clauses t h a t previously were at a high l e v e l in the graph that represents the search space may now have a r e l a t i v e l y low l e v e l . Because many of the clauses t h a t are required in the proof may be generated at a lower l e v e l than b e f o r e , s t r a t e g i e s t h a t are o r i e n t e d towards breadth f i r s t search may be more e f f e c t i v e than they were w i t h o u t the automatic t r a n s f o r m a t i o n process.

It has been found extremely u s e f u l in p r a c t i c e to keep every e q u a l i t y l i t e r a l , EQUAL(T1,T}), in a s i n g l e canonical form, e i t h e r EQUAL(T1,T2) or EQUAL(T2,T1) but not b o t h . ( L i t e r a l s of the form ~EQUAL(T1,T2) are handled the same way). This p r a c t i c e can s i g n i f i c a n t l y reduce the size of the clause space but can, In general, lead to incompleteness in a way s i m i l a r to that caused by demodulation. The new algorithms presented in t h i s paper overcome both of these problems, at l e a s t to some extent.

III.

AUTOMATIC TRANSFORMATIONS

A t r a n s f o r m a t i o n is an o p e r a t i o n performed on a literal or term. We study two types of transformations: l i t e r a l transformations, which correspond to r e s o l u t i o n s w i t h clauses c o n t a i n i n g e x a c t l y two l i t e r a l s , and term t r a n s f o r m a t i o n s , which correspond to demodulation w i t h e q u a l i t y u n i t s . The d i f f e r e n c e between the t r a n s f o r m a t i o n process and the usual a p p l i c a t i o n s of the inference rules is that transformations are applied a u t o m a t i c a l l y d u r i n g the c l a s h i n g and u n i f i c a t i o n processes when the b l o c k i n g p r o p e r t i e s of other operations such as demodulation and e q u a l i t y o r d e r i n g are not in e f f e c t . Because each automatic transformation corresponds to a v a l i d l o g i c a l o p e r a t i o n , the new clashing and unification operations are also v a l i d i n f e r e n c e s . We w i l l present the new l i t e r a l c l a s h i n g and u n i f i c a t i o n a l g o r i t h m s and comment on c o n t r o l l i n g t h e i r use. We assume t h a t the reader is f a m i l i a r w i t h the standard t e r m i n o l o g y , I n c l u d i n g ground term, composite term, major f u n c t i o n symbol, s e t , bag, and WFF ( l i t e r a l or t e r m ) . D e f i n i t i o n 1. A ground subterm of a term, T, is maximal in T If it is not the subterm of any ground term other than i t s e l f . D e f i n i t i o n 2. COM(WFF) • number of maximal ground subterms in WFF plus the number of composite subterms ( i n c l u d i n g the term i t s e l f ) that are not ground. Note that In t h i s measure of the complexity of a WFF each maximal ground term counts as one i t e m , namely, the s i n g l e domain element that the term names.

Note that the a l g o r i t h m w i l l not prevent the generation of what would have been the intermediate clauses to inferences made w i t h the new a l g o r i t h m ; i t only reorders the search space, e f f e c t i v e l y d e l a y i n g the generation of these clauses. The delay of these clauses u n t i l a f t e r a proof has been found is more l i k e l y when the proof is broad r a t h e r than deep. For t h i s reason, the a l g o r i t h m is p a r t i c u l a r l y w e l l s u i t e d f o r a p p l i c a t i o n t o program v e r i f i c a t i o n problems. B.

Although our experience shows that demodulation is v i r t u a l l y necessary f o r theorem p r o v e r s , i t I s r a r e l y p r a c t i c a l t o attempt t o f i n d a complete r e d u c t i o n system f o r every new problem. T h e r e f o r e , demodulating clauses can block necessary deductions. For example, If EQUAL(G(A),G(B)) were a demodulator and P(F(A,G(A))) were generated, it would be changed to P(F(A,G(B))) and would not clash w i t h the clause ~ P ( F ( X , G ( X ) ) ) .

Examples: COM(F(X,J(Y,X))) - 0 + 2 C0M(F(X,J(Y,A))) - 1 ^ - 2 C0M(F(X,J(A,B))) - 1 + 1 C0M(F(A,J(B,C))) - 1 + 0 •

B u i l t - i n Incompleteness

B u i l d i n g automatic transformations i n t o a theorem proving system can help undo some of the Incompleteness caused by other very useful strategies such as demodulation (when the demodulator set is not a complete reduction s e t ) and o r d e r i n g of terms in e q u a l i t y l i t e r a l s .

2 3 2 1

Note that the l a s t example Is the l e a s t complex in the above sense because it names a s i n g l e constant element of the r e l e v a n t domain. D e f i n i t i o n 3. Two l i t e r a l s , LI and L 2 , p r e - c l a a h if they have the same major f u n c t i o n symbol and are

473

opposite i n s i g n . Note t h a t two l i t e r a l s c l a s h ( r e s o l v e ) if they p r e - c l a s h and t h e i r atoms u n i f y *

We follows:

D e f i n i t i o n 4 . A l i s t o f clauses i s f u l l y clashed if every r e s o l v e n t , C3 t of clauses CI and c2 on tne l i s t i s e i t h e r already o n the l i s t o r i s subsumed by a clause on the l i s t .

1.

In a p p l y i n g t r a n s f o r m a t i o n LI L2 to a l i t e r a l L, no s u b s t i t u t i o n s may be made to L I t s e l f .

2.

LI and L2 c o n t a i n e x a c t l y the same set of variables.

3.

The major f u n c t i o n symbols of LI and have exactly the same number arguments.

4.

COM(Ll) - C0M(L2)

5.

LCLASH2 is f u l l y clashed. Also, the union of LCLASHl and LCLASH2 is f u l l y clashed subject to the q u a l i f i c a t i o n s :

Definition5. A list of clauses is fully paramodulated if every paramodulant, C3, of clauses C1 and C2 on the l i s t is e i t h e r already on the l i s t or Is subsumed by a clause on the l i s t . D e f i n i t i o n 6. A literal (or term), T, is transformable b y a l i s t o f t r a n s f o r m a t i o n s i f there e x i s t s at l e a s t one t r a n s f o r m a t i o n , T r , on the l i s t such t h a t T r ( T ) = T. A.

L i t e r a l Clashing A l g o r i t h m

The basic step of r e s o l u t i o n is the c l a s h i n g of l i t e r a l s . The usual n o t i o n i s t h a t two l i t e r a l s c l a s h ( r e s o l v e ) i f they are opposite i n s i g n and have a common i n s t a n c e . The new n o t i o n is t h a t two l i t e r a l s claah i f there are transformed versions o f the l i t e r a l s t h a t c l a s h i n the usual sense. The s p i r i t of the new concept is to automate the "obvious** t r a n s f o r m a t i o n s by i n c o r p o r a t i n g them i n t o the l i t e r a l c l a s h i n g process. The "obvious** t r a n s f o r m a t i o n s would include r e l a t i o n e t h a t are i n some sense r e w r i t e r u l e s such as LT(X,Y) —> ~LT(Y,X), where LT represents the " l e s s t h a n " r e l a t i o n . The a l l o w a b l e t r a n s f o r m a t i o n s have a very r e s t r i c t e d form which we describe below. These r e s t r i c t i o n s are h e u r i s t i c in nature and r e s u l t in a more e f f i c i e n t and e f f e c t i v e theorem prover than would otherwise be p o s s i b l e . We d i s t i n g u i s h these r e s t r i c t e d t r a n s f o r m a t i o n s from t r a n s f o r m a t i o n s t h a t have more deductive power, such as LT(X,Y) —> L T ( X , S ( Y ) ) , where S(X) stands f o r the successor of X. The d i s t i n c t i o n is i n f o r m a l and c l e a r l y subject t o i n t e r p r e t a t i o n . A l i t e r a l t r a n s f o r m i n g clause ( t r a n s f o r m a t i o n ) i s a clause w i t h e x a c t l y two l i t e r a l s , L I and L 2 . The mechanism f o r a p p l y i n g these t r a n s f o r m a t i o n s is resolution. Note t h a t each such clause in f a c t represents two t r a n s f o r m a t i o n s , - L I —> L2 and H-2 —> L I .

use

two

several

restrictions

as

L2 of

a.

Tautologies generated by resolving clauses in LCLASHl need not be added.

b.

A f t e r the union of l i s t s LCLASHl and LCLASH2 is f u l l y c l a s h e d , consider the set o f a l l t r a n s f o r m a t i o n s , L I L2, o n LCLASHl such t h a t e x a c t l y one of the l i t e r a l s , L I o r L2, I s transformable by LCLASH2. If there are two t r a n s f o r m a t i o n s i n t h i s subset that d i f f e r only by a s i n g l e a p p l i c a t i o n of a t r a n s f o r m a t i o n in LCLASH2 ( t h a t i s , the clauses are permutation v a r i a n t s of each other where the permutation is an e l i g i b l e t r a n s f o r m a t i o n ) , then o n l y one of the t r a n s f o r m a t i o n s need be kept on LCLASHl. Keeping a l l such permutation v a r i a n t s w i l l not a f f e c t the r e s u l t s of the a l g o r i t h m but might cause some unnecessary d u p l i c a t i o n of work.

Although omitting the qualification to r e s t r i c t i o n 5 would r e s u l t I n l i s t s w i t h n i c e t h e o r e t i c a l p r o p e r t i e s (see Lemma 1 below), removal of redundant and I n e f f e c t i v e t r a n s f o r m a t i o n s is c o n s i s t e n t w i t h the goal of keeping the set of applicable transformations small.

A t r a n s f o r m a t i o n ( s e t of t r a n s f o r m a t i o n s ) is not eligible If i t i n d i r e c t l y v i o l a t e s the above r e s t r i c t i o n s , even i f the t r a n s f o r m a t i o n clause I t s e l f Is e l i g i b l e . For example, the p a i r o f t r a n s f o r m a t i o n clauses --Q(A) R(A) and - * ( A ) Q(B) would not be e l i g i b l e because the f u l l y clashed p r o p e r t y would r e q u i r e the t r a n s f o r m a t i o n clause -*Q(A) Q(B) to be p r e s e n t . This t r a n s f o r m a t i o n clause Is not e l i g i b l e because It does not correspond to a t r a n s f o r m a t i o n t h a t changes s i g n and/or p r e d i c a t e symbol ( f o r LCLASHl) or to a t r a n s f o r m a t i o n t h a t permutes arguments of a l i t e r a l ( f o r LCLASH2).

distinct

LCLASHl - those t h a t change s i g n and/or f u n c t i o n symbol LCLASH2 - those t h a t permute arguments

impose

Note, t o o , t h a t restriction 5 is not prohibitive if the number o f clauses Involved i s s m a l l . I n p a r t i c u l a r , note that the r e s u l t i n g set w i l l be f i n i t e because of the r e s t r i c t i o n s placed on the complexity of the t r a n s f o r m a t i o n s ( f o r example, -P(X) P(F(X)) is not a l l o w e d ) .

To be of any v a l u e , a t r a n s f o r m a t i o n clause c l e a r l y must be deduclble from the clause space r e p r e s e n t i n g the problem to be s o l v e d . We assume that this property i s s a t i s f i e d i n a l l f u r t h e r discussions o f t r a n s f o r m a t i o n s . For ease and e f f i c i e n c y we l i s t s of tranaformations:

also

major

R e s t r i c t i n g the set of t r a n s f o r m a t i o n s t h a t can f i r s t be a p p l i e d to those t h a t change s i g n and/or p r e d i c a t e symbol o f a l i t e r a l provides a n e f f i c i e n t sieve f o r l i t e r a l s t h a t are not c l a s h a b l e . That I s , no attempt w i l l ever be made to u n i f y the atoms of two l i t e r a l s unless they have transformed versions t h a t p r e - c l a s h . Although having a s i n g l e f u l l y clashed l i s t o f t r a n s f o r m a t i o n s would lend I t s e l f to a very simple a l g o r i t h m f o r a p p l y i n g the t r a n s f o r m a t i o n s , we f e e l t h a t the t r a d e - o f f between the computational e f f i c i e n c y o f having two H a t s and the simple o r g a n i s a t i o n of the a l g o r i t h m j u s t i f i e s having the two l i s t s .

Most of the r e s t r i c t i o n s above put l i m i t s on the set of t r a n s f o r m a t i o n s and the way they can a p p l y . A few however, l i k e the f u l l y clashed p r o p e r t i e s , make the o p e r a t i o n of the a l g o r i t h m simple and e f f i c i e n t in that at most two transformation steps w i l l be r e q u i r e d on any l i t e r a l , one from LCLASHl and one from LCLASH2. Although these r e s t r i c t i o n s may seem to make the

474

set of t r a n s f o r m a t i o n s on l i s t s LCLASH1 and LCLASH2 very c o m p l i c a t e d , most of the r e s t r i c t i o n s are necessary only to cover s p e c i a l cases that w i l l not commonly a r i s e in p r a c t i c e . On one set of r e a l problems t h a t was tested (see Section I V ) , the e n t i r e set of t r a n s f o r m a t i o n s consisted of the following: ~LT(X,Y)

~LT(Y,X)

-LT(X,Y)

-EQUAL(X.Y)

~LT(X,NUM1) HLT(CN.X) HEQUAL(X,Y)

that remain. Now replace CI w i t h C I ' which ' i s constructed from CI as f o l l o w s : For each clause in C I , add the clause t o C I ' unless i t i s the resolvent of a clause In C2 and a clause already in C I 1 and exactly one of its literals is transformable by C2. In other words, the omitted clauses are clauses t h a t can be derived by a p p l y i n g a t r a n s f o r m a t i o n from C2 to one of the l i t e r a l s of a t r a n s f o r m a t i o n clause I n C I ' . Note that C I ' may not be by C I . The order t h a t the may determine which clauses in CI'. This has no bearing theorems t h a t f o l l o w .

-IB(CC.X) ~IB(CC,X)

Lemma 2. Let a l , a2, . . . an be u n i t clauses such TTial ST* |—> a2 |—> . . . |— > an w i t h respect to C I ' and C2. At l e a s t one of the f o l l o w i n g must hold:

EQUAL(Y,X)

HBQUALARR(X,Y)

uniquely determined clauses are inspected CI are omitted from on the lemmas and

EQUALARR(Y,X)

These clauses were formulated under an i n t e r p r e t a t i o n in which IB(X,Y) represents the f a c t t h a t index Y is in bounds f o r array X; CC is an a r r a y ; NUM1 and CN are Integer constants; and EQUALARR represents e q u a l i t y between a r r a y s . The f o l l o w i n g lemmas and theorems help motivate an a l g o r i t h m that e f f e c t i v e l y makes use of the l i s t s of t r a n s f o r m a t i o n clauses defined above. The two theorems i l l u s t r a t e the t r a d e - o f f between techniques t h a t can be shown to have nice t h e o r e t i c a l p r o p e r t i e s and those that are u s e f u l in practice. Theorem 1 c h a r a c t e r i z e s the l i t e r a l clashing p r o p e r t i e s of the l i s t s iXLASHl and LCLASH2 when t r a n s f o r m a t i o n s can be applied without a substitution restriction (e.g., restriction 1 above). Theorem 2 c h a r a c t e r i z e s the t r a n s f o r m a t i o n p r o p e r t i e s of the l i s t s when the s u b s t i t u t i o n restriction is In effect.

(1)

There e x i s t s a u n i t c l a u s e , b, such t h a t al I—> b w i t h respect to C I ' and b |—> an w i t h respect to C2.

(2)

There e x i s t s a u n i t clause, b, such t h a t al I—> b w i t h respect to C2 and b I—> an w i t h respect t o C I ' .

P r o o f . Because C is f u l l y clashed, al I—> an w i t h respect to C. Let c be the clause in C t h a t resolves w i t h a l t o produce an. If c is in either C2 or C I ' , then there is nothing to show because the i d e n t i t y t r a n s f o r m a t i o n I s i m p l i c i t l y i n C I ' ( b - a l ) and C2 (b - a n ) . I f c i s not i n C2 or C I ' then it must be the resolvent of a clause in C I ' w i t h a clause in C2, and the lemma f o l l o w s . Lemma 3. Let a l , a2, . . . an be as in Lemma 2. If "ail Is transformable by C2, then outcome (1) of Lemma 2 h o l d s .

Note that the identity transformation (represented by t a u t o l o g i e s ) is i m p l i c i t l y (but not explicitly) i n every set of transformations (clauses). That i s , w h i l e the reference to the existence of a transformation with certain p r o p e r t i e s includes the p o s s i b i l i t y of the i d e n t i t y t r a n s f o r m a t i o n , the reference to l i t e r a l s that are transformable by a c e r t a i n set does n o t .

Proof. Because C is f u l l y clashed and CI and C2 p a r t i t i o n C, it follows that al |—> a n w i t h respect to e i t h e r CI or C2. If al and an have the same sign and predicate symbol, then al I—> an w i t h respect to C2. In t h i s case both (1) and ( 2 ) of Lemma 2 hold because the relevant t r a n s f o r m a t i o n from C I ' i s the i d e n t i t y t r a n s f o r m a t i o n .

Notation:

If al and an d i f f e r in sign and/or predicate symbol, then al I—> an w i t h respect to C I . If both al and an can c l a s h against clauses in C2, then al I—> an w i t h respect to C I ' because C I ' contains a l l clauses from CI In which both l i t e r a l s are transformable by C2. In t h i s case, both (1) and (2) hold as the r e l e v a n t clause from C2 is the identity transformation. If al cannot clash against any clauses in C2, then (2) cannot hold unless the relevant clause from C2 is the i d e n t i t y t r a n s f o r m a t i o n . The f a c t t h a t outcome (1) must hold then f o l l o w s from Lemma 2.

C I— c if clause c is deducible from clause space C w i t h ordinary r e s o l u t i o n (without a substitution restriction). a |—> b w i t h respect to a set of clauses C if u n i t clause b is deducible from u n i t clause a with a single ordinary resolution step. Lemma 1. Let a and b be l i t e r a l s t r e a t e d as u n i t clauses. Let C be a set of t r a n s f o r m a t i o n clauses ( e x a c t l y two l i t e r a l s ) that i s f u l l y clashed. If the c o n j u n c t i o n of b and C is s a t l s f l a b l e , but the c o n j u n c t i o n of a, b, and C is u n s a t l s f i a b l e , then a I—> ~b' w i t h respect to C, where b and ~b' c l a s h .

F i r s t , assume t h a t the t r a n s f o r m a t i o n process uses o r d i n a r y r e s o l u t i o n . That i s , s u b s t i t u t i o n i s not r e s t r i c t e d to the t r a n s f o r m a t i o n c l a u s e s . Theorem 1. Consider the c o n j u n c t i o n of the clauses Tn LCLASH1, the clauses in LCLASH2, and two l i t e r a l s , LITERALA and LITERALB as u n i t c l a u s e s . If the r e s u l t i n g clause space Is u n s a t l s f l a b l e but i s s a t l s f l a b l e w i t h o u t e i t h e r o f the two literals, then there e x i s t s a t r a n s f o r m a t i o n , T r l , from LCLASH1 and a t r a n s f o r m a t i o n , T r 2 , from LCLASH2 such t h a t e i t h e r Tr2(Trl(LITERALA)) clashes w i t h LITERALB or Tr2(Trl(LITERALB)) clashes with LITERALA. I n p a r t i c u l a r , the f o l l o w i n g hold t r u e :

P r o o f . Because a must c l e a r l y p a r t i c i p a t e in the d e r i v a t i o n of the empty clause, the f u l l y clashed property i m p l i e s that if a and C I b ' , where b and - b ' c l a s h , then a I—> M>'. The lemma then f o l l o w s from C o r o l l a r y 3 on page 539 of [ 9 ] . Let C above be p a r t i t i o n e d i n t o two s e t s , CI and C2, such that CI c o n s i s t s of those clauses which (when thought of as t r a n s f o r m a t i o n s ) change sign and/or predicate symbol, and C2 those clauses

47 5

( 1 ) If LITERAL* is transformable by LCLASH2, then there exist Trl and Tr2 such that Tr2(Trl(LITERALS)) clashes w i t h LITERALA.

Theorem 1 and Theorem 2 imply t h a t although it is s u f f i c i e n t to transform only one l i t e r a l when attempting to clash two literals with transformations, it may be necessary to choose the appropriate l i t e r a l to transform. Theorem 1 , in effect, says that without the s u b s t i t u t i o n r e s t r i c t i o n the choice is based on a simple inspection of the t r a n s f o r m a t i o n s on LCLASH2. Theorem 2, which r e f e r s only to the t r a n s f o r m a t i o n process I t s e l f and not to the u n d e r l y i n g goal of c l a s h i n g l i t e r a l s , gives no i n f o r m a t i o n about making the c h o i c e .

( 2 ) If LITERALB is transformable by LCLASH2, then there exist Trl and Tr2 such t h a t Tr2(Trl(LITERALA)) clashes w i t h LITERALB. (3) If n e i t h e r LITERALA nor LITERALB is transformable by LCLASH2, then there e x i s t T r l and Tr2 such t h a t Tr2(Trl(LITERALB)) clashes with LITERALA. Proof. R e c a l l t h a t LCLASHl c o n s i s t s o n l y of t r a n s f o r m a t i o n s t h a t change sign and/or p r e d i c a t e symbol and that LCLASH2 consists only of transformations that permute arguments of a literal. R e c a l l also t h a t LCLASH2 is fully clashed, and t h a t the c o n j u n c t i o n of the two l i s t s is f u l l y clashed up to d e l e t i o n of t a u t o l o g i e s and clauses t h a t can be d e r i v e d by the r e s o l u t i o n of a clause on LCLASHl w i t h a clause on LCLASH2.

This d i f f i c u l t y can be overcome in a program by a t t e m p t i n g t r a n s f o r m a t i o n s in both d i r e c t i o n s . A l t e r n a t i v e l y , a program might attempt to analyse the two l i t e r a l s and the set of t r a n s f o r m a t i o n s . In our program, however, we have found it adequate to choose, by simple i n s p e c t i o n as above, one l i t e r a l to transform. algorithm

Because the clause space is u n s a t l s f l a b l e , there must e x i s t a sequence of u n i t ( s i n g l e l i t e r a l ) clauses aO, a l , . . . an such t h a t LITERALB - aO |— > al |— > a2 |— > . . . |— > an - M-ITERALA* where -LITERALA' and LITERALA c l a s h (see [ 9 ] ) . Similarly, there must e x i s t a sequence of u n i t clauses bO, b l t . . . bm such t h a t LITERALA - bO | - - > bl I— > b2 I— > . . . I—> bm - -LITERALB' where -LITERALB' and LITERALB c l a s h .

The a l g o r i t h m used in our program is as f o l l o w s : Let LITERAL1 and LITERAL2 be the l i t e r a l s to clash. STEP 1:

If LITERAL2 is transformable by LCLASH2, then transform LITERAL1, else transform LITERAL2.

The f i r s t two p a r t s of the theorem f o l l o w immediately from Lemma 2 and Lemma 3. The t h i r d part f o l l o w s from Lemma 2 and the observation t h a t outcome (1) of Lemma 2 must hold when al of Lemma 2 is not transformable by C2.

Let LITERALB be the l i t e r a l chosen to be transformed, and l e t LITERALA be the l i t e r a l t h a t remains unchanged.

Now, consider the t r a n s f o r m a t i o n process as defined o r i g i n a l l y . That i s , s u b s t i t u t i o n i s now allowed only i n t o the transformation clauses themselves. Notation: Let a and b be l i t e r a l s . a —> b

a

-l->

(a - 2 - > b) if there exists a transformation Tr on LCLASHl (LCLASH2) such t h a t T r ( a ) - b.

a - ( k ) - > b i f there e x i s t s a l , a2, . . . a k such t h a t a —> al —> «2 —> . . . —> ak - b. ( I f k - 0 then a - b.)

only

if

-b

Find a t r a n s f o r m a t i o n from LCLASHl to apply to LITERALB to make it p r e - c l a s h w i t h LITERALA.

STEP 3:

For each p r e - c l a s h a b l e p a i r , f i n d a t r a n s f o r m a t i o n on LCLASH2 that makes the l i t e r a l s u n i f i a b l e .

It is important to note t h a t the new l i t e r a l c l a s h i n g a l g o r i t h m is not a "pre*theorem p r o v e r . " That i s , it is not the case t h a t the a l g o r i t h m corresponds to using the theorem prover ( o r theorem prover search s t r a t e g i e s ) to f i n d a proof t h a t two l i t e r a l s are i n c o n s i s t e n t . The process is a d i r e c t and f i n i t e search through the two l i s t s , LCLASHl and LCLASH2.

a - ( * ) - > b if a - ( k ) - > b f o r some k >_ 0. Lemma 4. a - l - > b if and ( s i m i l a r l y f o r LCLASH2).

STEP 2:

In our program, we h a l t when the f i r s t clash i s found r a t h e r than f i n d i n g a l l p o s s i b l e c l a s h e s . It follows that the completeness property is s a c r i f i c e d unless t r a n s f o r m a t i o n s are a v a i l a b l e f o r normal inference. Because the automatic t r a n s f o r m a t i o n concept was designed f o r performance in an a p p l i e d environment, however, completeness is not of l a r g e concern. A l s o , because many clauses t h a t p a r t i c i p a t e i n program v e r i f i c a t i o n proofs are ground (and so can clash in at most one way) [ 1 2 ] , the f i r s t clash i s very o f t e n the only c l a s h .

if there e x i s t s a t r a n s f o r m a t i o n Tr on e i t h e r LCLASHl or LCLASH2 such t h a t T r ( a ) - b. b

Choose which l i t e r a l to t r a n s f o r m .

■l->

Proof, a - l - > b if and o n l y if there e x i s t s a t r a n s f o r m a t i o n c l a u s e , LI L2, and a s u b s t i t u t i o n , S, such t h a t L1(S) - -a and L2(S) - b (because substitutions are allowed only into the transformation clauses).

Let m be the number of t r a n s f o r m a t i o n s on LCLASHl t h a t can apply to LITERALB, and l e t n be the number of t r a n s f o r m a t i o n s on LCLASH2 t h a t can apply to the major f u n c t i o n symbol of LITERALA. It f o l l o w s t h a t at most mn t r a n s f o r m a t i o n s can be a p p l i e d i n the a l g o r i t h m t o t e s t the clash o f LITERAL1 and LITERAL2. In g e n e r a l , m and n w i l l be small. This f a c t is important because each a p p l i c a t i o n of a transformation requires a u n i f i c a t i o n t e s t , which can s i g n i f i c a n t l y add to the cost of the a l g o r i t h m .

Theorem 2. a - ( * ) - > b i m p l i e s t h a t there e x i s t s a' "sucE ETiaT e i t h e r a - l - > a' - 2 - > b or -b - l - > a' -2-> - a . P r o o f . This proof f o l l o w s from Lemma 2 and Lemma 4 where al and an in Lemma 2 are thought of as ground l i t e r a l s (so no s u b s t i t u t i o n s are p o s s i b l e ) .

476

It is important to choose an effective transformation set. Some t r a n s f o r m a t i o n s can c a u s e u n n e c e s s a r y r e d u n d a n c i e s and inefficiencies. For example, it might be better to have the u n i t c l a u s e s Q ( A , B ) and Q ( B , A ) b o t h i n t h e c l a u s e space than t o have t h e s i n g l e u n i t c l a u s e Q ( A , B ) and t h e transformation clause -Q(X,Y) Q(Y,X), which might a p p l y a t many u n n e c e s s a r y p l a c e s .

Notation: L e t r and s be t e r m s * r —>

s

Theorem 3 . B

"

Expanded

Unification Algorithm

7.

Tl (T2) (Tl).

8.

The set of transformations should be f u l l y paramodulated.

is not a

in Tl

proper

and

T2

subterm

of

r —>

8 if

and

only if

s —>

r.

The following theorem helps justify the recursive orientation o f t h e expanded u n i f i c a t i o n algorithm. In general, it is possible that the transformation of a term, T, might be blocked u n l e s s some t r a n s f o r m a t i o n i s f i r s t applied to a proper subterm of T. The t h e o r e m shows t h a t t h i s p r o b l e m does n o t a r i s e w i t h i n t h e context of the expanded u n i f i c a t i o n a l g o r i t h m . Theorem 4 . L e t T be a term w i t h p r o p e r subterm R, "IH3 let Trl and Tr2 be two transformations r e p r e s e n t e d b y t r a n s f o r m a t i o n c l a u s e s , EQUAL(T1,T2) and EQUAL(T3,T4), respectively. Assume t h a t T r l and T r 2 a r e o n a l i s t t h a t i s f u l l y paramodulated. If T* is the term t h a t is generated by s u b s t i t u t i n g R w i t h T r l ( R ) i n T , and T ' • - T r 2 ( T f ) , then there exists a transformation, Tr3, such that Tr3(T) subsumes T 1 ' .

We again p a r t i t i o n the transformations into two l i s t s , UNIFY1 and UNIFY2, t h a t change t h e m a j o r f u n c t i o n symbol o f a t e r m and permute arguments, respectively. We have t h e same r e s t r i c t i o n s on t h e c o m p l e x i t y o f t e r m s and v a r i a b l e s u b s t i t u t i o n s t h a t we had In the literal clashing algorithm. In a d d i t i o n , w e have t h e f o l l o w i n g r e s t r i c t i o n s : The bag8 o f v a r i a b l e s identical.

t h e r e e x i s t s a t r a n s f o r m a t i o n Tr on either UNIPYl o r UNIFY2 s u c h t h a t Tr(r) - s.

Proof, r —> s if and only if there exists a transformation clause, EQUAL(T1,T2), and a s u b s t i t u t i o n , S, s u c h t h a t T 1 ( S ) - r and T 2 ( S ) ■ s (because substitutions are allowed o n l y i n t o the transformation clauses).

A similar transformation process has been developed for u n i f i c a t i o n o f terms u s i n g e q u a l i t y l i t e r a l s EQUAL(T1,T2) i n place of transformation clauses and paramodulation in place of r e s o l u t i o n (again with a substitution r e s t r i c t i o n ) . Although ve consider the concept of l i t e r a l t r a n s f o r m a t i o n s t o b e t h e most u s e f u l and important proposal In this paper, we present the following for two reasons. F i r s t , t h e r e are some similarities but also some Important differences between the t r a n s f o r m a t i o n o f l i t e r a l s and t e r m s . And second, the h e u r i s t i c s c i t e d b e l o w may h e l p o f f s e t some o f the impractical aspects of various complete u n i f i c a t i o n systems t h a t b u i l d i n s i r o p l i f i e r s .

6.

if

Proof. The fact that Trl is applicable to R implies t h a t t h e r e e x i s t s a s u b s t i t u t i o n , S I , such t h a t e i t h e r T 1 ( S 1 ) - R or T 2 ( S 1 ) - R. Without loss o f g e n e r a l i t y , assume t h a t T i ( S i ) - R . Then T ' has subterm T 2 ( S 1 ) . The f a c t t h a t T r 2 i s a p p l i c a b l e t o T* implies that there e x i s t s a s u b s t i t u t i o n , S2, such t h a t e i t h e r T3(S2) Tf or T4(S2) T*. Without loss of g e n e r a l i t y , assume t h a t T 3 ( S 2 ) T'. Now, because T 3 ( S 2 ) has subterm, T2(S1), it follows that EQUAL(T3*,T4) is a paramodulant of some i n s t a n c e s of EQUAL(T1,T2) and EQUAL(T3,T4), where T3' is the r e s u l t of r e p l a c i n g the subterm, T 2 ( S 1 ) , i n T3(S2) w i t h T 1 ( S 1 ) . Because t h e l i s t o f transformations is fully paramodulated (and the functional reflexivity axioms are implicitly present), Tr3 is the transformation that Is represented by e i t h e r c l a u s e , EQUAL(T3*,T4), or by a c l a u s e t h a t subsumes E Q U A L ( T 3 * , T 4 ) .

are T2

(ideally)

P r a c t i c a l c o n s i d e r a t i o n s l i m i t the a p p l i c a t i o n of last p r o p e r t y . For e x a m p l e , t h e p a i r o f c l a u s e s EQUAL(F(X,Y),F(Y,X)) and EQUAL(F(X,F(Y,Z)),F(F(X,Y),Z)) can generate an i n f i n i t e set o f e l i g i b l e t r a n s f o r m a t i o n s . Although the elimination of any such t r a n s f o r m a t i o n s can cause b l o c k s i n t h e expanded u n i f i c a t i o n algorithm given below, i t i s reasonable t o r e s t r i c t the l i s t t o a s m a l l s e t o f t h e most s i m p l e and r o o s t g e n e r a l transformations.

Because the fully paramodulated property accounts for applications of transitivity of e q u a l i t y , a t any p o i n t i n t h e expanded unification algorithm, it suffices to apply at most one t r a n s f o r m a t i o n to a t e r m .

Note t h a t the f u l l y c l a s h e d property implies that all instances of application of t r a n s i t i v i t y of equality will be present. That is, if EQUAL(T1,T2) and EQUAL(T2,T3) are eligible transformations, t h e n EQUAL(T1,T3) must be an eligible transformation.

algorithm

Note also that the requirement COM(Tl) C0M(T2) and r e s t r i c t i o n s 6 and 7 p r e v e n t i n f i n i t e s e q u e n c e s of e x p a n d i n g t r a n s f o r m a t i o n s such as A —> F(F(A)) —> . . . .

The new u n i f i c a t i o n a l g o r i t h m can b e d e s c r i b e d as a simple recursive process. At the o u t e r l e v e l i t i s s i m i l a r t o the l i t e r a l c l a s h i n g a l g o r i t h m in t h a t i t f i r s t uses t h e t r a n s f o r m a t i o n s o n UNIFY1 t o m a t c h m a j o r f u n c t i o n s y m b o l s and t h e n uses t h e the transformations on UN1FY2 to get unlfiable sequences o f a r g u m e n t s . The recursion comes to play, o f c o u r s e , when u n i f i c a t i o n i s t o b e a p p l i e d t o each p a i r o f ( p e r m u t e d ) a r g u m e n t s .

The f u n c t i o n a l r e f l e x i v i t y axioms (instances of EQUAL(X.X)), which act as identity t r a n s f o r m a t i o n s , w i l l b e assumed t o be implicitly on all l i s t s , b u t need n o t b e e x p l i c i t l y p r e s e n t . T h i s assumption corresponds to the assumption about tautologies in the discussion of the literal clashing algorithm.

Term t r a n s f o r m a t i o n s can b e I n c o r p o r a t e d into any process that uses unification including clashing, demodulation and subsumption. Our experience i s t h a t t h e s e t r a n s f o r m a t i o n s w i l l have

477

less impact in c e r t a i n a p p l i c a t i o n s , such as program v e r i f i c a t i o n , than l i t e r a l t r a n s f o r m a t i o n s .

XV.

TESTING AMD EVALUATION

Two sets of problems were used to t e s t the new literal clashing a l g o r i t h m w i t h the expanded u n i f i c a t i o n a l g o r i t h m included as the u n i f i c a t i o n step: 1.

Eleven r e a l problems c u r r e n t l y being tested by B. T. Smith on the environmental theorem proving system [12]

2.

Slight variations probles

of

the

eleven

The second set of problems was designed to help c h a r a c t e r i s e the c o n d i t i o n s in which the new l i t e r a l c l a s h i n g a l g o r i t h m has the most favorable e f f e c t s on the proof search space.

version, percent.

Reductions

ranged

up

to

40

Depth of empty c l a u s e : The value f o r the t r a n s v e r s i o n was less than or equal to the value f o r the notrans v e r s i o n in a l l but one of the problems t e s t e d , w i t h reductions of up to 50 p e r c e n t . In the one e x c e p t i o n , the t r a n s v e r s i o n Increased the depth of the notrans v e r s i o n from 2 to 3. This behavior is possible because there can be more than one proof to a problem, and because the search s t r a t e g i e s used are not e x a c t l y breadth f i r s t searches. In the problem In which the depth was higher in the t r a n s v e r s i o n than in the notrans v e r s i o n , a longer path to the empty clause (deeper p r o o f ) was found before the s h o r t e r path ( l e s s deep p r o o f ) was d i s c o v e r e d . In a second set of experiments, noise (extraneous l i t e r a l s and complications of terms) was added to the r e a l problems. The negative effect of adding noise was c o n s i s t e n t l y and s i g n i f i c a n t l y worse in the problems run w i t h o u t t r a n s f o r m a t i o n s than in the problems run w i t h transformations.

The eleven r e a l problems were tested w i t h v a r i o u s search s t r a t e g i e s , i n c l u d i n g those most commonly used by B. T. Smith [ 1 2 J . The problems run w i t h t r a n s f o r m a t i o n s and those run w i t h o u t t r a n s f o r m a t i o n s w i l l be r e f e r r e d to as the " t r a n s " and "notrans" versions, respectively. The f o l l o w i n g observations have been made:

SUMMARY

Finding proofs; In no case d i d the notrans v e r s i o n f i n d a proof when the trans v e r s i o n d i d n o t . In one case the trans v e r s i o n found a proof when the notrans v e r s i o n d i d not.

The modified real problems tested indicate t h a t the automatic t r a n s f o r m a t i o n does have the potential to become a extension to a r e s o l u t i o n - b a s e d automated proving system. Except f o r i s o l a t e d cases

above concept powerful theorem program

verification problems run with automatic t r a n s f o r m a t i o n s d i d no worse than problems run without transformations, and sometimes, the performance was s i g n i f i c a n t l y b e t t e r .

T o t a l number of clauses In search space ( i n cases In which a proof was f o u n d ) : The notrans v e r s i o n tended to have fewer clauses than the trans v e r s i o n . This result is reasonable because the t r a n s f o r m a t i o n process has the e f f e c t of producing more clauses at e a r l i e r l e v e l s In the graph t h a t represents the search space. Because a l l of the search s t r a t e g i e s used have some element of breadth f i r s t search in them, the general effect of the t r a n s f o r m a t i o n process is a net increase in the t o t a l number of clauses added to the clause space. There were i s o l a t e d cases in which the trans v e r s i o n a c t u a l l y had up to 40 percent fewer clauses than the notrans v e r s i o n , and a few cases in which the trans v e r s i o n had as many as 40 percent more clauses than the notrans v e r s i o n , but on the average, the t r a n s v e r s i o n produced approximately 18 percent more clauses than the notrans v e r s i o n .

The r e s u l t s , however, were not as promising as expected. This suggests t h a t although the concept may be q u i t e u s e f u l , b e t t e r search s t r a t e g i e s p u t t i n g more emphasis on breadth f i r s t search might be developed to c a p i t a l i s e on the power of the t r a n s f o r m a t i o n process. At present the user must pick a subset of t r a n s f o r m a t i o n clauses to become automatic t r a n s f o r m a t i o n s . Work needs to be done to provide general r u l e s f o r making these c h o i c e s . Various m o d i f i c a t i o n s to the new literal c l a s h i n g and expanded u n i f i c a t i o n a l g o r i t h m s might also be i n v e s t i g a t e d , i n c l u d i n g r e l a x a t i o n of some of the r u l e s f o r e l i g i b i l i t y of t r a n s f o r m a t i o n s and r