Theorem Proving

Dave Touretzky

Read R&N Ch. 9.5-9.6

Propositional resolution
● Proof by contradiction: to prove α, assume ~α and derive FALSE.
● Sound: only valid inferences are made.
● Complete: if a sentence is valid, the proof will be found.
● Formulas must be in CNF.
○ But conversion to CNF is straightforward.

2
Resolution in First-Order Logic
Resolution is more complicated in FOL due to:

● Functions — can generate infinite models

● Variables — must use unification to match literals

○ Requires standardization of variables (variable renaming) to avoid conflicts

● Quantifiers
○ Existential quantifiers require Skolemization
○ Nesting order of quantifiers matters

● Equality
○ Paramodulation and demodulation
3
○ Equational resolution
Converting an FOL Sentence to CNF
“Everyone who loves all animals is loved by someone.”

∀x [ [ ∀y Animal(y) ⇒ Loves(x,y) ] ⇒ ∃y Loves(y,x) ]

Scoping: y and y are different variables.

4
Step 1: Eliminate implications

∀x [ [ ∀y Animal(y) ⇒ Loves(x,y) ] ⇒ ∃y Loves(y,x) ]

∀x [ [¬ ∀y Animal(y) ⇒ Loves(x,y) ] ∨ ∃y Loves(y,x) ]

∀x [ [ ¬ ∀y ¬ Animal(y) ∨ Loves(x,y) ] ∨ ∃y Loves(y,x) ]

5
Step 2: Move ¬ inward
¬∀xp becomes ∃ x ¬p

¬∃xp becomes ∀x¬p

∀ x [ [ ∃ y ¬(¬Animal(y) ∨ Loves(x,y)) ] ∨ [ ∃y Loves(y,x) ] ]

∀ x [ [ ∃ y ¬¬Animal(y) ∧ ¬Loves(x,y)) ] ∨ [ ∃y Loves(y,x) ] ]

∀ x [ [ ∃ y Animal(y) ∧ ¬Loves(x,y)) ] ∨ [ ∃y Loves(y,x) ] ]

6
Step 3: standardize variables
Rename the second y to z:

∀ x [ [ ∃ y Animal(y) ∧ ¬Loves(x,y)) ] ∨ [ ∃z Loves(z,x) ] ]

7
Step 4: Skolemization
Create a unique constant for each existentially quantified variable.

But the constant is a function of all other variables in its scope, so we must use
Skolem functions to generate these constants.

∀x [ [ Animal(f(x)) ∧ ¬Loves(x, f(x)) ] ∨ Loves(g(x), x) ]

8
Step 5: Drop universal quantifiers

[ Animal(f(x)) ∧ ¬Loves(x, f(x)) ] ∨ Loves(g(x), x)

9
Step 6: Distribute ∨ over ∧

[ Animal(f(x)) ∨ Loves(g(x), x) ] ∧ [ ¬Loves(x, f(x)) ∨ Loves(g(x), x) ]

The sentence is now in CNF. But it’s not very readable.

10
The resolution inference rule

l1 ∨ … ∨ lk , m1 ∨ … ∨ mn
------------------------------------------------------------------------------------------------------------------------------------

SUBST(θ, l1 ∨ … ∨ li-1 ∨ li+1 ∨ … ∨ lk ∨ m1 ∨ … ∨ mj-1 ∨ mj+1 ∨ … ∨ mn )

where UNIFY(li , ¬mj) = θ

11
Applying the binary resolution rule
Unify: [ Animal(f(x)) ∨ Loves(g(x), x) ] with [ ¬Loves(u,v) ∨ ¬Kills(u,v) ]

Use the unifier θ = { u / g(x), v / x } to produce

[ Animal(f(x)) ∨ ¬Kills(g(x), x) ]

Tricky bits:

● For completeness, we must resolve all subsets of literals that are unifiable,
not just pairs of literals.
● Alternative is factoring: replacing two literals by one if they are unifiable.
12
 Prove that Colonel West is a criminal

Unified terms are

shown in boldface.

Straight-line
derivation because
this is a Horn
theory. There is a
contradiction but it
doesn’t mention West. 13
Did curiosity kill the cat?
1. Everyone who loves animals is loved by someone.
2. Anyone who kills an animal is loved by no one.
3. Jack loves all animals.
4. Either Jack or Curiosity killed the cat.
5. The cat is named Tuna.
6. Cats are animals.
7. Did Curiosity kill the cat?

14
Logically, did curiosity kill the cat?
1. ∀x [ ∀y Animal(y) ⇒ Loves(x,y) ] ⇒ ∃y Loves(y,x)
2. ∀x [ ∃z Animal(z) ∧ Kills(x,z) ] ⇒ ∀y ¬Loves(y,x)
3. ∀x Animal(x) ⇒ Loves(jack,x)
4. Kills(jack, tuna) ∨ Kills(curiosity, tuna)
5. Cat(tuna)
6. ∀x Cat(x) ⇒ Animal(x)
7. ¬Kills(curiosity, tuna)

15
Convert to CNF
1. Animal(f(x)) ∨ Loves(g(x), x)
¬Loves(x, f(x)) ∨ Loves(g(x), x)
2. ¬Loves(y,x) ∨ ¬Animal(z) ∨ ¬Kills(x,z)
3. ¬Animal(x) ∨ Loves(jack,x)
4. Kills(jack, tuna) ∨ Kills(curiosity, tuna)
5. Cat(tuna)
6. ¬Cat(x) ∨ Animal(x)
7. ¬Kills(curiosity, tuna)

16
 Did curiosity kill the cat?

Not a straight-line
derivation because
this is not a Horn
theory. 17
Who killed the cat?
Goal: ∃w Kills(w, tuna)

Negated, in CNF: ¬Kills(w, tuna)

Can unify with both Kills(jack, tuna) or Kills(curiosity, tuna), so we derive a

contradiction without knowing who killed tuna.

18
Who killed the cat?

Kills(jack, tuna) ∨ Kills(curiosity, tuna) ¬Kills(w,tuna)

{ w / curiosity }

Kills(jack, tuna)

{ w / jack }

19
Who killed the cat?
Solutions:

1. Don’t allow the query variable w to be bound more than once in a derivation.
Backtrack on w until we find a value that gives the desired contradiction.
Example: binding w to curiosity leaves us with Kills(jack, tuna), which resolves
with the other clauses to yield a contradiction.

2. Create an “answer literal” to use in the query: ¬Kills(w, tuna) ∧ Answer(w).

When we derive a clause containing only Answer(w) for some w, report that
value as an answer to the query.
20
How to handle equality
Three approaches:

1. Axiomatize

2. Inference rules

3. Extended unification

21
Axiomatizing equality
∀x x = x
∀x,y x=y ⇒ y=x
∀x,y,z x=y ∧ y=z ⇒ x=z This produces correct
equality reasoning, but it
For all predicates P, Q, ...: generates a huge number of
conclusions, most of which
∀x,y x=y ⇒ (P(x) ⇔ P(y)) will not be useful.
∀w,x,y,z w=x ∧ y=z ⇒ (Q(w,y) ⇔ Q(x,z))
...

For all functions f, g, ...:

∀x,y x=y ⇒ (f(x) = f(y))
∀w,x,y,z w=x ∧ y=z ⇒ (g(w,y) = g(x,z))
22
...
Inference rules for equality: demodulation
x=y , m1 ∨ … ∨ mn
-----------------------------------------------------
SUB(SUBST(θ,x), SUBST(θ,y), m1 ∨ … ∨ mn)

where UNIFY(x,z) = θ and z appears somewhere in mi.

SUB(x,y,m) means replace x with y everywhere that x occurs in m.

Example:
father(father(x)) = paternal_grandpa(x)
Birthdate(father(father(bella)), 1926)

Using θ = { x / bella } we can derive:

23
Birthdate(paternal_grandpa(bella), 1926)
Inference rules for equality: paramodulation
l1 ∨ … ∨ lk ∨ x=y , m1 ∨ … ∨ mn
----------------------------------------------------------------------
SUB(SUBST(θ,x), SUBST(θ,y), l1 ∨ … ∨ lk ∨ m1 ∨ … ∨ mn)

Handles non-unit clauses where one of the terms is an equality.

Example: from P(f(x,b), x) ∨ Q(x) and f(a,y)=y ∨ R(y)

We have θ = { x / a, y / b}

We derive: P(b,a) ∨ Q(a) ∨ R(b)

Paramodulation yields a complete inference procedure. 24

Equality via extended unification
The third way to handle equality is to modify the unification algorithm to allow
unification of expressions that are provably equal.

For example, equational unification could allow (1+2) to unify with (2+1) using
the empty substitution.

This approach is used in CLP (Constraint Logic Programming) systems.

25
Resolution strategies
1. Unit preference

2. Set of support

3. Input resolution

4. Subsumption

26
Unit preference strategy
Which clauses should we resolve first?

If we resolve a unit clause with another clause, the result is always a shorter
clause. Since we’re trying to derive a contradiction (empty clause), shorter is
better.

So choose unit clauses first.

Unit resolution requires a unit clause in every step. Incomplete in general, but
complete for Horn theories, where it resembles forward chaining.

27
“Set of support” strategy
Require that every resolution step involve at least one element from a special “set
of support”. New resolvents are added to this step.

Provides a way to focus attention on formulas relevant to the goal. Inference will
be incomplete if the set is not chosen carefully.

If the set of support starts out with just the negation of the query, it generates a
goal-directed proof tree that may be easier for humans to understand.

28
Input resolution strategy
The “input set” consists of the sentences of the KB plus the query.

The input resolution strategy requires every resolution step to include a sentence
from the input set.
● Complete for Horn theories.
● Incomplete in general.

In linear resolution we allow P and Q to be resolved together if either P is in the

original KB or P is an ancestor of Q in the proof tree.
● Linear resolution is complete.

29
Subsumption strategy
Eliminate all sentences that are subsumed by (i.e., are more specific than) a
sentence already in the KB.

If we have P(x) in the KB, don’t add P(a) or P(a) ∨ Q(b).

The goal is to keep the size of the KB small, which reduces the search space.

In HW4 we will explore a version of this idea.

30
Uses of theorem proving
● Prove mathematical theorems
● Design of digital circuits
● Verification of complex hardware, including entire CPUs.
● “Automatic programming”: synthesizing a program based on a formal
specification
○ Not practical for general programs
○ Works in specialized areas such as scientific computing code (e.g., vectorization)
○ “Hand-guided” synthesis has been used successfully for algorithm design

31
Theorem proving at Intel
These slides are based on a presentation by John Harrison of Intel:
https://www.cl.cam.ac.uk/~jrh13/slides/arw-04apr02/slides.pdf

● The 1994 FDIV (floating point division) bug in the Intel Pentium processor
cost the company $500 million.

● Today new products are developed more quickly: less time to find bugs.

32
Increased complexity makes bugs more likely
John Harrison (Intel):

● A 4-fold increase in pre-silicon bugs in Intel processor designs per generation.

● Approximately 8000 bugs introduced during design of the Pentium 4.

● Pre-silicon bug detection rates are now at least 99.7%.

But that still leaves ~ 24 uncaught bugs.

33
Approaches to formal verification of chips
1. Symbolic simulation

2. Temporal logic model checking (see Ed Clark’s Turing Award)

3. General theorem proving

Intel uses a combination of these techniques.

Hybrid theorem prover that includes mathematical knowledge about floating point
representations.

34