An Instantiation-Based Theorem Prover for First-Order ...

855

An Instantiation-Based Theorem Prover for First-OrderProgramming

Erik P. Zawadzki Geoffrey J. Gordon Andre PlatzerComputer Science Department

Carnegie Mellon UniversityPittsburgh,PA

[email protected]

Machine DepartmentCarnegie Mellon University

Pittsburgh,[email protected]

Computer Science DepartmentCarnegie Mellon University

Pittsburgh,[email protected]

Abstract

First-order programming (FOP) is a newrepresentation language that combines thestrengths of mixed-integer linear program-ming (MILP) and first-order logic (FOL).In this paper we describe a novel feasibil-ity proving system for FOP formulas thatcombines MILP solving with instance-basedmethods from theorem proving. This proverallows us to perform lifted inference by re-peatedly refining a propositional MILP. Weprove that this procedure is sound and refu-tationally complete: if a formula is infeasibleour solver will demonstrate this fact in finitetime. We conclude by demonstrating an im-plementation of our decision procedure on asimple first-order planning problem.

1 INTRODUCTION

Mixed integer linear programming (MILP) is a ubiq-uitous framework for specifying optimization and de-cision problems. For example, MILPs are frequentlyused to solve problems in operations research and ar-tificial intelligence. MILPs are reasonably expressiveand can represent any NP-complete problem. Theyadmit natural formulations of many scheduling, re-source allocation, VLSI, and planning problems (see,for example, Nemhauser and Wolsey [1988]).

While MILPs are excellent for dealing with problems ofa propositional nature, they lack the machinery neces-sary for handling information about first-order classesand relations. One cannot claim in a MILP that “Allcars follow the speed limit” without explicitly enumer-ating every car and separately claiming that every par-ticular car follows the speed limit.

Appearing in Proceedings of the 14th International Con-ference on Artificial Intelligence and Statistics (AISTATS)2011, Fort Lauderdale, FL, USA. Volume 15 of JMLR:W&CP 15. Copyright 2011 by the authors.

While macro-languages like AMPL [Fourer et al., 2002]can automate the tedious task of “unrolling” formulasfor a given finite number of objects, they still cannotaccommodate truly first-order statements. These rep-resentations are first-order but the reasoning is not.This is unfortunate for several reasons. First, even ifa problem can be specified as a propositional programthere may be a computational benefit with first-orderreasoning. As an example, to verify the tautology:

All humans are mortal ∧ All students are human (1)

→ All students are mortal

we do not want to enumerate every student (or worse,all 6.9 billion humans known at the time of writing) tolook for a counterexample.

Second, there are problems that cannot be expressedby any finite set of propositional statements. Forexample, in a planning problem, both time and re-source limits are potentially unbounded quantities.Planners often side-step this question by insisting onupper bounds on time and resources, but failing tosolve a bounded-horizon or bounded-resource trunca-tion proves nothing about the actual unbounded prob-lem. It is always possible that with one more time step,or one additional vehicle, every goal in the plan can besatisfied. Along with demonstrating good plans, beingable to prove nonexistence of suitable plans in deci-sion problems is one of the high-level goals of artifi-cial intelligence—this is something that purely propo-sitional models cannot always capture.

These limitations in MILP can be addressed by switch-ing to a more expressive language like first-order logic(FOL). FOL lets us specify a problem in terms ofclasses and relations, and reason about these classesand relations directly—we can do lifted reasoning.Lifted reasoning lets us work with statements about in-finite or unknown numbers of objects (e.g., entity res-olution problems), and may also have computationalbenefits. For example, we can prove the validity of (1)in a small number of steps, independent of the numberof students or humans. Unlike MILP, however, FOL

856

An Instantiation-Based Theorem Prover for First-Order Programming

itself is strictly boolean and has no built-in arithmetic.

First-order programming is a new representation sug-gested in Gordon et al. [2009] that combines the ex-pressive power of FOL with MILP’s ability to representlinear functions of real and integer-valued predicates.These real and integer-valued predicates allow somestatements to be more compactly represented in FOPthan in FOL.

For example, if one had n atoms and wanted at leastk of them to be true (i.e., have value 1), then thiscan be stated in a FOP formula of length O(n). Anequivalent formula in FOL would require a disjunctionof(nk

)conjunctions of length k. This is exponentially

longer in FOL than FOP, yet no properties have ashorter representation in FOL than FOP as there arestraightforward translations from FOL into FOP thatdo not increase formula length [Gordon et al., 2009].

However, a language like FOP has no use if we can-not perform inference in it. Up until now there wasno implemented lifted reasoning procedure for FOP.(One was proposed, but not implemented, in the orig-inal FOP paper). So, we suggest a new simple way todo lifted inference in the integer fragment of FOP.

Our new approach is radically different than the onepreviously suggested. The previous approach useslifted Gomory cuts, a technique that generalizes reso-lution in FOL. Our approach, on the other hand, neverrecombines clauses to form either a Gomory cut or re-solvent. We therefore expect our procedure to yieldsmaller proofs than methods based on lifted Gomorycuts as it will not duplicate clause instances (see, forexample, Lee and Plaisted [1992]). Our algorithm isalso easier to implement than methods based on liftedGomory cuts. (Our current solver, however, is not au-tomated and requires a human to control search.)

Our inference procedure for FOP draws on ideasfrom instantiation-based methods in theorem prov-ing [Ganzinger and Korovin, 2003, Korovin, 2009] andMILP. It aggressively propositionalizes a FOP formula,solves the resulting propositional formula, attempts tolift a model of the propositional formula, and instan-tiates clauses of the FOP formula to refine the propo-sitional formula. We use a MILP solver to find propo-sitional models and check termination conditions.

In this paper we make the following contributions:first, we suggest a new algorithm for performing liftedinference in the integer fragment of FOP; second, weimplement this solver and demonstrate its behavioron an example problem; third, we prove the soundnessand completeness of our approach. More generally,our work connects theorem proving principles for FOLwith modern optimization techniques—we are revisit-ing some traditional artificial intelligence goals armedwith more recent tools and results.

We describe our inference procedure as follows. Firstwe look at related work that inspired our approach.Next, we briefly discuss the syntax and semantics ofan important normal form of FOP. Then we state theFOP inference problem that we are interested in—checking whether a formula is feasible or not. Afterthis background material, we present our main result:the algorithm and proof that our algorithm is bothsound and refutationally complete. After giving theseresults we demonstrate an inference problem that canbe solved with our solver. We finish by indicatingpromising directions for future work.

2 RELATED WORK

We are not the first to describe an instantiation-basedtheorem prover for lifted reasoning. Indeed our ap-plication of instantiation-based methods in FOP is in-spired by work on instantiation-based provers in FOLand its fragments. Such solvers take advantage of Her-brand’s theorem: a conjoined set of first-order formu-las is unsatisfiable iff there exists a finite set of groundinstances of these formulas that is also unsatisfiable.

The naıve procedure of sweeping through all possiblefinite ground sets is sound and refutationally complete,but impractical. In particular the naıve procedure ig-nores the interesting class and relational structure ofthe original formula. Most automated instantiation-based solvers use features of the instantiated sets ofclauses and their propositional models to guide whichadditional instantiations should be generated. Thesesolvers combine effective instance generation heuristicswith redundancy criteria to efficiently reason abouthow to instantiate the formula.

There are two broad families of lifted instantiation-based solvers. The first class tightly integrates propo-sitional reasoning with instance generation in a singlesolver. Examples of these tightly-integrated solversinclude model evolution calculus [Baumgartner andTinelli, 2003, 2008], its precursor first-order DPLL[Baumgartner, 2000], and disconnection tableaux [Letzand Stenz, 2001, 2007].

The second class—to which the solver described inthis paper is most closely related—treats a proposi-tional SAT solver as a black-box oracle for determin-ing the satisfiability of a propositional formula, andperhaps also for providing a propositional model to se-mantically guide further instantiation. An advantageof this class of solvers is that the latest and fastestpropositional solver can always be plugged into thesolver—implementations of this second class of solverget faster every year without even touching them be-cause SAT solvers are improving. Additionally, solversin this second category tend to be simple and flexiblesince they delegate all propositional issues to the black-box solver. However, these solvers are—by design—

857

Erik P. Zawadzki, Geoffrey J. Gordon, Andre Platzer

uninterested in applying fine-grained control to propo-sitional model finding. As a result they do not havethe same level of information or design freedom as thefirst class of solvers.

Examples of this second class of solver includeJeroslow’s algorithm [Jeroslow, 1988], Hooker’s im-provement of it [Hooker et al., 2002], and the relatedInst-Gen line of work [Ganzinger and Korovin, 2003,Korovin, 2009]. Our algorithm adapts Inst-Gen-stylereasoning to FOP. However, unlike algorithms forFOL, the black-box oracle that we use is an ILP solverand not a SAT solver.

FOP is tailored for first-order optimization and plan-ning problems, but it has deep connections to theoryreasoning in FOL—a first-order variant of satisfiabilitymodulo theories (e.g., Nieuwenhuis et al. [2006]). Inthese languages FOL is enriched by (e.g., arithmetical)background decision procedures. Of particular interestis FOL augmented by the theory of linear integer arith-metic and uninterpreted functions—FOL(UFLIA). Wehope that our approach will help theory reasoning inFOL, and we expect to draw inspiration from their re-search (e.g., Ganzinger and Korovin [2006], Korovinand Voronkov [2007], and Baumgartner et al. [2008]).

For example, model evolution (ME) calculus was ex-tended to reason about a fragment of the theory of lin-ear arithmetic, forming theME(LIA) calculus [Baum-gartner et al., 2008]. ME(LIA) is especially relevantto us since FOP also integrates linear arithmetic.

The most important difference betweenME(LIA) andFOP is that predicates in the ME(LIA) fragmentare binary valued while predicates in FOP can takeany value in a bounded continuous or discrete inter-val. While both logics do linear arithmetic, they oc-cur in entirely different places: integers are objects inME(LIA), and values in FOP. Indeed, one couldimagine FOP modulo LIA, where linear arithmeticcould occur at both the value (predicate) level andthe object (function) level.

Researchers have also investigated SAT modulo LIA(e.g., Faure et al. [2008]). The discussion above aboutME(LIA) applies to SAT modulo LIA as well: lineararithmetic occurs at the object level and not the valuelevel. However, unlike ME(LIA), SAT modulo LIA ispurely propositional and unable to do lifted reasoning.

3 FIRST-ORDER PROGRAMMING

In this paper we will assume that the FOP formulathat we wish to reason about is given in a special for-mat known as ∧-normal form (∧NF). This is not arestriction, since every FOP formula has an equivalent∧NF representation, but focusing on ∧NF formulassimplifies our analysis and the description of FOP.

We describe FOP briefly in this section; see Gordonet al. [2009] for a complete description.

3.1 Syntax

Just as in FOL, FOP has terms that represent objectsand formulas that represent values. Each FOP pred-icate can take values in some compact interval of thereals or integers. This interval is called the range ofthe predicate and is denoted RangeP . We restrict tointeger FOP, so RangeP ⊂ Z. A predicate applied tozero or more objects is an atom. Like in FOL, thereare n-ary functions that map objects to objects. InFOP, scalars are literals with a predefined value and,just as in FOL, 0-arity functions are called constants.To avoid technicalities, we assume there is at least oneconstant symbol.

There are four binary operators and one quantifier in a∧NF formula. The binary operators are scalar multi-plication (denoted ·), addition (+), maximization (∨),and minimization (∧), and the quantifier is minimiza-tion over variables (

∧x).

A generic ∧NF formula looks like:

F =∧Var

(C1 ∧ . . . ∧ Cn)

Ci = Σi1 ∨ . . . ∨ ΣimΣij = κij1 · Pij1 + . . .+ κijk · Pijk

The top level formula is called a ∧-clause, the second-level formulas are ∨-clauses, then we have Σ-clauseswhich are linear combinations of literals. Here κijk ∈Q is an optional scalar, Pijk is an atomic proposition,and Var is the set of free variables in the ∨-clausesC1, . . . Cn. We call formula without variables ground.

Because ∨, ∧, and + commute and associate withthemselves, we use notation for the clauses as if theywere sets. So Ci∩Cj will denote all the Σ-clauses thatare in both ∨-clauses Ci and Cj .

3.2 Semantics

A model is a triple M = 〈O,F, V 〉, where O is a non-empty list of objects, F is a list of function tables, andV is list of tables of predicate values. Here V assignsa total map VP : On → RangeP to each predicatesymbol P with arity n. F defines a similar assignmentof total maps to every function symbol.

A model for a formula maps every ground atom to avalue in its range, and the values of compound for-mulas are built from these values. In every model ofa ground ∧-clause it has the value of the least-valued∨-clause; each ground ∨-clause takes the value of thegreatest-valued Σ-clause; and each ground Σ-clause isjust a linear combination of the values of its atoms.

A formula that is∧

-quantified for some variable xtakes the minimum value over all substitutions of anobject in the domain O for x. This means that inevery model a ∧NF formula takes the value of its

858


least-valuable grounding. We call this grounding theminimal instance of a formula for a particular model.This minimal instance might not exist when predicatescan take on real values—there might be no minimum,only a convergent sequence. However, this minimalinstance always exists in FOP’s integer fragment.

We denote the value of a formula F in a modelM by value(F,M). We will denote the quantitysupM value(F,M) as value(F).

As an example of a FOP formula in ∧NF, considerthe following definition of the equivalence predicate‘=’ with range {0, 1}. We can do this by construct-ing a formula that is non-negative iff the predicate isreflexive, symmetric, and transitive. Indeed, the ideaof non-negativity is important to our notion of infer-ence and we will introduce some shorthand notion toexpress it. By P (x) ≥ c we will mean P (x) − c (thelatter FOP formula is non-negative iff the former con-dition is met) and by P (x) ≤ c we will mean c−P (x).Therefore, we can insist that ‘=’ is an equivalence re-lation with following subformula:

(i = i) ≥ 1 (2)

(i = j) + (j = i) ≤ 0 ∨ (i = j) + (j = i) ≥ 2 (3)

(i = j) + (j = k) + (i = k) ≤ 1 (4)

∨ (i = j) + (j = k) + (i = k) ≥ 3.Here, each labeled line is a ∨-clause; we join themimplicitly by ∧ to form a ∧NF formula.

Since (i = i) ∈ {0, 1}, the first ∨-clause asserts that(i = i) must be 1 if the formula as a whole is to benon-negative. The second asserts that it is symmetricsince either both (i = j) and (j = i) must have value 1,or neither can. The final clause asserts transitivity—either they are all equal or at most one is.

Since a ∨-clause is a maximum over Σ-clauses, in everymodel there is at least one Σ-clause that has the samevalue as the ∨-clause. Covering sets—sets that con-tain at least one Σ-clauses for every ∨-clauses—playan important role in how we think about the value ofthe formula. As a result we define some special termi-nology for them.

Definition 1 (Covering sets, active atoms, and tight-ness). Let C be a set of ∨-clauses. If S is a set ofΣ-clauses such that for every C ∈ C it is the case thatS ∩ C 6= ∅, then S is a covering set. A covering setfor a ground formula is tight with respect to a modelM if the value (in M) of each Σ-clause is equal to thevalue of the ∨-clause that contains it.

The set of all atomic propositions in a formula or setof formulas F is denoted by A(F). For a covering set Swe will refer to all atoms in A(S ) as the active atoms.

4 INFERENCE

Given a formula F in ∧NF, there are a number ofquestions that can be asked about its value. One of

the most basic is whether the formula has a modelwith a non-negative value. We call any such formulafeasible or satisfiable, and this notion generalizes theFOL notion of satisfiability. Using feasibility testingas a primitive, we can define FOP notions of entail-ment (see Gordon et al. [2009]). We can also checkif a formula F has a particular value V by checking ifF− V ∧ V − F is feasible.

For any finite ground FOP formula F, we can find itsvalue by encoding it as a MILP—e.g. the followingformulation—and giving it to a MILP solver.

max V

s.t.

∑k∈IΣij

κijk · pijk

+ U(1− dij) ≥ V∑j∈ICi

dij ≥ 1

pijk ∈ Rangeijk, dij ∈ {0, 1}

The MILP, denoted MILP(F), for finding the value ofa ground formula F. The MILP variable V ∈ R repre-sents value(F). The first type of constraint representseach Σij . The Ix are sets that index the elements xcontains so IΣij

indexes all of its constituent literalsκijk · pijk. The κijk are scalars, and so are coefficientsof the predicate variables (the pijk), which can be as-signed any value in their range. The constant U issome sufficiently large number such that the binaryfresh MILP variable dij can be set to 0 and make thebound on V for any particular Σij trivial regardless ofthe (bounded!) values of the other variables. The dijindicate a covering set for the maximal model.

While we cannot determine the value of a non-groundFOP formula F directly by submitting it to an ILPsolver, we can show that the value for any instantiationof F—and in particular any ground instance—is anupper-bound on the value of the original formula.

Definition 2 (Instantiation, renaming). A formula Finstantiates another formula F ′, written F ′ � F , ifF = F ′θ for some substitution θ. We also say F ′

generalizes F . We write F � F ′ if F � F ′ but F ′ � F( strict instantiation). Non-strict instantiation is alsocalled renaming.

If F is a set of formulas then a most specific general-ization (MSG) of F in F , denoted msg(F,F), is a setG of all elements G ∈ F such that G � F and thereis no more specific element G′ ∈ F such that G′ � Fand G � G′. MSGs are unique up to renaming.

Proposition 1 (Instance upper-bounding). Forall formulas F, instantiations Fθ and models M,value(F,M) ≤ value(Fθ,M).

Proof. All free variables of F are∧

-quantified. Instan-tiation can only restrict which objects the variables canrefer to, so by definition of

∧, instantiation can only

increase the value of F.

859


It is also easy to show that adding more clauses to thetop-level ∧-clause can only drive down its value.

Proposition 2 (Subproblem upper-bounding). Forall formulas F, C, value(F,M) ≥ value(F ∧ C,M).

Proof. Since the model M is fixed, adding an addi-tional clause to the top-level minimization (∧) cannotincrease the value of the formula.

While every instance is an upper-bound, we will fre-quently consider a particular grounding instantiation,[, where [ is overloaded to mean both some fresh con-stant not in F and the substitution where all variablesare replaced with [. A corollary of Proposition 1 isthat the value of the special ground instance F[ is anupper bound on the value of value(F).

Corollary 1. For all formula F, value(F) ≤value(F[).

The corollary shows us that we can bound the valueof the first-order formula by the value of its instancesand, in particular, the instance generated by the sub-stitution [. An arbitrary model that maximizes thevalue of F[ will be frequently used in the followingsections, and we will denote this special model M[; wecan find it using a MILP encoding.

F[ is interesting since provides a template for con-structing a first-order model of F. We do this by em-ploying a lifting procedure: in a lifted model M we as-sign, to each of the (infinitely many) ground atoms, thevalue that its most specific generalization in F takesin M[. So if we consider the ground atom P , it takesvalue I(P ) = value(Q[,M[) where Q = msg(P,A(F)).

For example, suppose F = P (x) ≥ 1 ∧ P (x) ≤ 1.The maximal ground model P ([) = 1 suggests thatwe set P (x) = 1, and this is a maximal model for F.Indeed we will show in Lemma 1 that under certainconditions the lifted model M has the same value asthe M[. This is an attractive observation since we canfind M[ efficiently.

In general, the [-grounding lacks some of the con-straints that the minimal instance has. Thisis because, unlike in F[, a formula’s minimizingground instances may force unifiable—but syntacti-cally distinct—terms to take the same value. For ex-ample, consider the formula F = P (a) ≥ 1∧P (x) ≤ 0,where P ’s range is {0, 1}. The maximizing model forF[ sets P (a) = 1 and P ([) = 0, but there is no way tolift this model to a non-negative model of F becauseunder the substitution [x 7→ a] we seem to want bothP (a) = 0 and P (a) = 1.

Whenever M[ assigns unifiable atoms different values,one has to be careful about the value of these atoms inany instantiation that does unify them. Such unifiablepairs of atoms play an important role in both the aboveexample and our actual inference procedure. We callthese pairs discordant.

Definition 3 (Discordant pairs, witnesses). Let F bea formula and S be a tight covering set w.r.t. a modelM[ of F[. A discordant pair in F is a pair of propo-sitions P,Q ∈ A(F ) such that P[,Q[ ∈ A(S ), P andQ unify, but value(P[,M[) 6= value(Q[,M[).

The mgu θ of P and Q is the witness of this pair.

The basic intuition of our approach is as follows.Whenever we have a discordant pair (P,Q) inspiredby M[, then the grounding F[ must have missed thefact that P and Q can be forced to assume the samevalue in some instantiations. We remedy this problemby ensuring that F mentions their unification Pθ ex-plicitly: then when we try to lift M[, any atom thatunifies with both P and Q will take its value from themore specific Pθ[ instead of from P[ or Q[. To takeadvantage of this intuition, we present the semanticinstance generation rule, which generates additionalclauses to eliminate the connection of a discord.

4.1 Semantic instance generation

We can resolve discordant pairs by generating addi-tional clauses that ensure that any instance that unifiesthe discordant atoms assigns them consistent values inthe [-model. For example, consider

F = Q(b) = 0 ∧ [Q(x) = 0 ∨Q(x) = 1 ∨Q(x) = 2] ,

where Q’s range is {0, 1, 2}. Suppose thatvalue(Q([),M[) = 2 and value(Q(b),M[) = 0; thenif we take Q(x)’s value to be the same as Q([)’swe can no longer guarantee that we have a maxi-mal value for F since the special case when [x 7→ b]may not be properly handled. However, we can becompletely confident after generating a new instanceQ(b) = 0 ∨Q(b) = 1 ∨Q(b) = 2 that forces the propo-sitional solver to consider the special case explicitly.Semantic instance generation is an inference rule thataccomplishes this.

Definition 4 (Semantic instance generation rule).The semantic instance generation rule (SIG) is

Ci ∨ Σi Cj ∨ Σj

(Ci ∨ Σi)θ (Cj ∨ Σj)θ.The clauses on the top are the premises of this infer-ence rule, and the clauses on the bottom are the con-clusions. Both premises must be ∨-clauses in F, whereCi and Cj are the (possibly empty) sets containingthe remaining Σ-clauses in their respective ∨-clauses.Σi[ and Σj[ must be members of a covering set Sthat is tight with respect to a maximal model M[ =arg maxM value(F[,M). Additionally, there must ex-ist propositions in the intersection of each of these Σ-clauses and the covering set, say P ∈ A(Σi)∩A(S) andP ′ ∈ A(Σj) ∩ A(S), that are discordant in M[ with θas their witness—i.e. value(P[,M[) 6= value(P ′[,M[)and Pθ = P ′θ.

For any two premises Q and R, we will denote theirset of conclusions as SIG(Q,R).

860


A simple consequence of this definition is that at leastone of the conclusions must say something new (theconclusion is not just a renaming of its premise).

Proposition 3. At least one conclusion must strictlyinstantiate its premise and cannot just be a renaming.

Proof. If not then the mgu of P and P ′ is a renaming,and so P[ = P ′[. Therefore they have the same valuein the maximal model and cannot be discordant.The conclusions say something new, but they are stilla consequence of the respective premises. Adding theconclusions of SIG to the original formula never altersthe formulas value, so it is safe to apply. Intuitivelythis is because SIG is merely explicitly stating a prop-erty that was already implied by the original formula.

Proposition 4 (SIG preserves value). Let Cθ and Dθbe the conclusions of an application of SIG to the FOPformula F. Then value(F) = value(F ∧ Cθ ∧Dθ).

Proof. Let F′ be F∧Cθ∧Dθ. The value of F′ cannotbe greater than that of F by Proposition 2.

The value for F′ cannot be less, since Cθ (or Dθ) is justan instantiation of some ∨-clause C of F: suppose thevalue of F′ in model M attains its minimal value in Cθafter applying some grounding substitution σ. Thenthere is a model for F with the same value obtainedafter applying grounding substitution θσ.Note while the value of F is unchanged, the value ofF[ can drop, but does not have to.

4.2 FOP Feasibility Algorithm

With SIG, our results about the ground instance F[,and our ILP for finding the maximal value of anyground formula we can construct an algorithm for de-termining the feasibility of a FOP formula. It is de-scribed in Algorithm 1.

Algorithm 1 Feasibility algorithm

1: while true do2: M[ = solution of MILP(F[)3: {Hence M[ = arg maxM value(F[,M)}4: if value(F[,M[) < 0 then5: return value(F) < 0 ;6: end if7: Using M[, obtain a covering set S8: and list of discordant atoms A;9: if A = ∅ then

10: return value(F) ≥ 0 ;11: end if12: I = ∅ ;13: for (P,Q) ∈ A do14: Gather new instances I = I ∪ SIG(P,Q);15: end for16: Select a non-empty subset I ′ of I17: using a fair selection rule;18: F = F ∧ I ′;19: end while

We require that our instance selection policy is fair—itcannot ignore a potential instance in I forever. This

restriction is required for the completeness results thatwe present in the next section.

Definition 5 (Fairness). A selection rule is fair if noapplication of SIG is possible infinitely often.

Fairness is not a particularly onerous requirement andthere are simple policies that are fair. An exampleof a fair policy is the chronological selection policywhere we select the oldest available option. (The ageof an option is the first time-step that it occurs as anoption).

We will now show that Algorithm 1 is both sound andrefutationally complete.

Definition 6 (Soundness and refutational complete-ness). A feasibility procedure for FOP is sound if itnever reports the wrong sign for a formula.

A procedure is refutationally complete if it eventuallydeclares that a formula with negative values is negative.

4.3 Soundness

We will first prove that our algorithm is sound. Thistheorem relies on two properties: the first is that thevalue for F[ is always an upper-bound on the value ofF, and the second is that if M[ is free of discord thenit can be used as a template for constructing a liftedmodel of F—in this case it is lower-bound and so thebounds are tight. We already proved the first propertyin Corollary 1. We will now prove the second property.

Lemma 1 (Lifting). If there are no new discordantatoms in some tight covering set S , then value(F[) =value(F).

The above lemma is proved in our supplemental mate-rial. With this result we can finish the proof that ouralgorithm is sound.

Theorem 1 (Soundness of inference). Algorithm 1never reports an incorrect sign for the value for a for-mula.

Proof. By Proposition 4, every application of SIG pre-serves the value of the formula, and this is the only waythat we modify the original formula. By Proposition 1we can safely conclude that the value of a formula isnegative if the value for F[ is ever negative. Sinceline 5 is the only time that we declare the value of aformula to be negative, the inference procedure neverdeclares a non-negative formula to be negative.

We only declare a formula to be non-negative whenthere is a non-negative model for F[ and there are nonew discordant atoms. By Lemma 1, when there areno novel discordant atoms the value of F[ is a lowerbound. Since line 10 is the only time that we declareour formula to be non-negative, our algorithm neverdeclares a negative formula to be non-negative.

861


4.4 Completeness

In this section we will demonstrate that our solver isrefutationally complete. The key property that we useis this: if value(F) < 0 and yet value(F[) ≥ 0, thenthere is some discordant pair that has not yet beenused to generate an instance. As long as we have a fairway of selecting these discordant pairs, we will showthat the procedure only needs a finite number of SIGinferences to find a refutation—our algorithm eventu-ally finds an application of SIG that drives value(F[)below zero.

Lemma 2 (Locality of subproblem discord). If S isa ground subproblem of F such that value(S) < 0,and if value(F[) ≥ 0, then the MSG of S in F, S′ =msg(S,F), has a novel discordant pair (P,Q).

Additionally, the conclusions (CP θ, CQθ) of SIG onthis pair are members of S′′ = msg(S,F∧CP θ∧CQθ),the MSG of S in the augmented formula.

A proof of this lemma is in our supplemental material.

This proves that there is always a discordant pair thatwe can try. We now show that there is a finite sequenceof these discordant pairs that eventually drive downthe value of F[ below zero.

Lemma 3. If S is a finite and ground subproblem ofF that has negative value, then there exists a finitesequence of MSG 〈S0, . . . , Sn〉 obtained by SIG suchthat Si is the MSG of S in F after i rounds of SIGand value(Sn[) < 0.A proof of this lemma is in our supplemental material.

Putting these two lemmas together proves that ouralgorithm is complete.

Theorem 2 (Refutational completeness of inference).If value(F) < 0, the inference procedure will reportthat after finite fair applications of SIG.

Proof. Suppose that a formula F has negative value.Then, by the completeness of the naıve algorithm forFOP [Gordon et al., 2009] there is a finite subset ofground instances, namely S, that exhibits this negativevalue. Since they are ground instances S = S[ sovalue(S[) < 0.

By Lemma 3 there exists a finite sequence of SIG ap-plications that eventually generates a subproblem S′

such that value(S′[) < 0. Therefore, if the policy forapplying SIG is fair our inference procedure will even-tually report that value(F) < 0.

5 EXAMPLES OF REASONING

In this section we present a sample of reasoning in oursystem given a simple vehicle planning problem1. In a

1For a more extensive example, see our supplementalmaterial.

vehicle planning problem there are three major compo-nents. The first description of the world (e.g. obstaclesand physical dynamics), the second is a list of N ve-hicles with different characteristics (e.g. accelerationand turn radius), and the final is a description of thegoals. The goals could be a number of waypoints withlogical, vehicle and temporal constraints over them.For example, waypoint ωi could be only satisfied by asubset of vehicles (say ones equipped with a winch),and it must be visited before ωj .

We present a simplified version of this general vehi-cle planning problem. In our specific instance we havea single vehicle and an uncertain description of theworld, due to (say) extremely noisy satellite informa-tion. We are able to determine that there are at leasteight equivalence classes. Again, because of noisy in-formation we do not know which locations are accessi-ble from other locations, but we do have some concreteinformation about which nodes are not accessible. Wehave a single goal: to go from one location to another.

This is not just propositional connectivity problem oneight nodes since the FOP formula given actually de-scribes non-empty equivalence classes and some rela-tionships between them. In the special case of a finitemodel with only eight objects it is easy to show thatthis formula is negative using a standard connectivityalgorithm. However, we prove something more sophis-ticated: that there cannot exist any model—even ofinfinite size—that makes the formula non-negative.

There are eight representative objects denoted by con-stants a,b, c,d, e, f ,g, and h. Each constant is dis-tinct (e.g. −(a = b)). We refer to the equivalenceclass of h—the set of all objects equivalent to h—as[h]. There are additional clauses in the formula thatensures that all relations have consistent value moduloequivalence, so Link(i,b) must have the same value asLink(a,b) if (i = a). The domain is not exhaustivelypartitioned into these eight classes and objects are notcompelled to be a member of them.

After these preliminary clauses, we give two more in-teresting predicates. Link is a binary predicate be-tween objects in the classes, and Path is a 3-ary pred-icate built on top of Link that describes the lengthshortest path between two classes.

Link is underspecified in our problem. The only thingthat we know about it is that all links to objects in [g]and [h] must have come from [g] or [h]:

−Link(i,g) ∨ (i = g)− 1 ∨ (i = h)− 1 (5)

−Link(i,h) ∨ (i = g)− 1 ∨ (i = h)− 1. (6)

If there is a shortest path between two classes, theyeither must be in the same class (and takes no linksto get there) or there must be a decomposition of thatpath that involving one of these links:

862


−Path(i, j, t) (7)

∨ (t = z) + (i = j)− 2

∨ Path (i, pN (j, t), pT (t)) + Link (pN (j, t), j)− 2

pN (j, t) = a ∨ . . . ∨ pN (j, t) = h. (8)

Here, pN (i, t) and pT (t) are Skolem functions. SopN (i, t) is allowed to be any object that is linked to thedestination and has a shortest path itself. The tem-poral Skolem function pT (t) refers to the time objectbefore—e.g. time step t − 1. z is the ‘zero’ time con-stant that represents needing no links. We establishbinary relation ‘≥’ that represents a standard partialordering over z and pT (t).

Finally, we need to eliminate the possibility of a nodegiving a circular explanation of its position—we barinfinite cycles. We do this by insisting that all shortestpaths between two objects must have the same length.

(t ≥ t′) + (t′ ≥ t)− 2 (9)

∨ 1− Path(i, j, t)− Path(i, j, t′).

Now we add the contradictory ground fact: we canconnect a to h in T time.

Path(a,h,T)− 1 (10)A sketch of our human-guided proof:

1. Instantiate line 7 to insist that if we are in h, wecame from somewhere, namely pN (h,T)

2. From line 6 we force pN (h,T) to be g or h3. From line 9 show that h’s shortest path cannot be

both T and pT (T). This forces pN (h,T) = g.4. From line 7 we insist that g has a predecessorpN (g, pT (T)).

5. From line 5 we force pN (g, pT (T)) = g orpN (g, pT (T)) = h

6. From line 9 we exclude pN (g, pT (T)) = g as apossibility since pT (T) ≥ pT (pT (T)).

7. From line 9 we exclude pN (g, pT (T)) = h as apossibility since T ≥ pT (pT (T)). Therefore thereare no consistent values for pN (g, pT (T)) and weare done.

There are additional clauses and proof steps omittedfor brevity.

This proves that there are no non-negative models ofthis formula. Notice that our proof applies for anypredicates that satisfy the given properties, not justones that the representation has explicitly declared tobe nodes and edges. This is powerful, because thehuman encoder might not realize that their problem isreducible to showing that a graph is partitioned.

This simple planning example shows that our methodof reasoning works in FOP. This is important, be-cause infeasibility (negativity) may manifest in non-obvious ways that may be difficult to detect with apurely propositional planner. For example, if a plan-ning problem had been a more complicated planning

problem with multiple vehicles, many constrained way-points and links that were transient (rather than miss-ing), it is difficult or impossible to prove that a solutiondoes not exist using a propositional planner.

This approach can even be useful in problems thathave reasonable bounds on its domains—we may onlywant to consider plans with fewer than V vehicles andT time-steps. However if there are enough of these di-mensions, and they each have a large enough reason-able bound, then the problem may still be too large tobe solved by blindly propositionalizing. Our methodmay find a proof of infeasibility that ignores much ofthe problem and therefore scales better.

6 CONCLUSIONS AND FUTUREWORK

In this paper we developed a new instantiation-basedinference method for determining whether a FOP for-mula is feasible. We proved that this procedure is bothsound and refutationally complete. Future directionsfor work on this reasoning system include improvingheuristics for instance selections, investigating redun-dancy criteria for added clauses, and seeing if we can‘warm-start’ propositional ILP solving based on thework done in previous iterations. Other promising di-rections include supporting object theories (such asequality, time, and fragments of arithmetic).

One major goal for us is to fully automate our infer-ence procedure—our algorithm is currently an open-loop system that requires a human to select SIG ap-plications. These selection decisions are critical be-cause in the worst case, every two ∨-clauses could bethe premises for a SIG application. Adding all possi-ble applications (O(n2) if there are n clauses ) would

create a formula that has length O(22i

) after i itera-tions. Good selection heuristics are therefore essentialfor tractable inference. We intend to start our searchfor heuristics by adapting, evaluating and modifyingboth heuristics and restriction criteria from FOL reso-lution and instantiation-based theorem provers. Initialexperiments also indicate that the policy of randomlyselecting a single application induces a heavy-tailedruntime distribution, and this indicates that restart-ing policies will be a fruitful direction for research.

Acknowledgements

This project is supported by the Pittsburgh Sci-ence of Learning Center which is funded by theNational Science Foundation award number SBE-0836012, the National Science Foundation by NSFCAREER Award CNS-1054246, NSF EXPEDITIONCNS-0926181, CNS-0931985, CNS-1035800, by ONRN00014-10-1-0188, and DARPA FA8650-10C-7077.

863


References

P. Baumgartner. FDPLL–a first-order Davis-Putnam-Logeman-Loveland procedure. CADE, 2000.

P. Baumgartner and C. Tinelli. The model evolutioncalculus. CADE, pages 350–364, 2003.

P. Baumgartner and C. Tinelli. The model evolutioncalculus as a first-order DPLL method. Artificial In-telligence, 172(4-5):591–632, 2008. ISSN 0004-3702.

P. Baumgartner, A. Fuchs, and C. Tinelli. ME (LIA)-Model Evolution With Linear Integer ArithmeticConstraints. In LPAR, page 258. Springer, 2008.

G. Faure, R. Nieuwenhuis, A. Oliveras, andE. Rodrıguez-Carbonell. SAT modulo the theoryof linear arithmetic: Exact, inexact and commercialsolvers. In H. Kleine Buning and X. Zhao, editors,SAT, volume 4996 of LNCS. Springer, 2008.

R. Fourer, D. Gay, and B.W. Kernighan. The AMPLbook. Duxbury Press, Pacific Grove, 2002.

H. Ganzinger and K. Korovin. New directions ininstantiation-based theorem proving. In LICS, 2003.

H. Ganzinger and K. Korovin. Theory instantiation. InLogic for Programming, Artificial Intelligence, andReasoning, pages 497–511. Springer, 2006.

G.J. Gordon, S.A. Hong, and M. Dudık. First-ordermixed integer linear programming. In Proceedings ofthe 25 Conference on Uncertainty in Artificial Intel-ligence, pages 213–222. AUAI Press, 2009.

J.N. Hooker, G. Rago, V. Chandru, and A. Shrivas-tava. Partial instantiation methods for inference infirst-order logic. J. Autom. Reas., 28(4), 2002.

R.G. Jeroslow. Computation-oriented reductions ofpredicate to propositional logic. Decision SupportSystems, 4(2):183–197, 1988. ISSN 0167-9236.

K. Korovin. An invitation to instantiation-based rea-soning: From theory to practice. Volume in memo-riam of Harald Ganzinger, LNCS. Springer, 2009.

K. Korovin and A. Voronkov. Integrating linear arith-metic into superposition calculus. In Computer Sci-ence Logic, pages 223–237. Springer, 2007.

S.J. Lee and D.A. Plaisted. Eliminating duplicationwith the hyper-linking strategy. Journal of Auto-mated Reasoning, 9(1):25–42, 1992. ISSN 0168-7433.

R. Letz and G. Stenz. Proof and model generationwith disconnection tableaux. In LPAR, pages 142–156. Springer, 2001.

R. Letz and G. Stenz. The disconnection tableau cal-culus. J. Autom. Reason., 38(1-3):79–126, 2007.

G.L. Nemhauser and L.A. Wolsey. Integer and combi-natorial optimization. Wiley New York, 1988.

R. Nieuwenhuis, A. Oliveras, and C. Tinelli. Solv-ing SAT and SAT Modulo Theories: From an

abstract Davis–Putnam–Logemann–Loveland pro-cedure to DPLL (T). Journal of the ACM (JACM),53(6):937–977, 2006. ISSN 0004-5411.

An Instantiation-Based Theorem Prover for First-Order ...

Documents