Formalizing Bachmair and Ganzinger’s Ordered Resolution Prover

Abstract

We present an Isabelle/HOL formalization of the first half of Bachmair and Ganzinger’s chapter on resolution theorem proving, culminating with a refutationally complete first-order prover based on ordered resolution with literal selection. We developed general infrastructure and methodology that can form the basis of completeness proofs for related calculi, including superposition. Our work clarifies fine points in the chapter, emphasizing the value of formal proofs in the field of automated reasoning.

Appendix A: Errors and Imprecisions Discovered in the Chapter

In the chapter, we encountered several mathematical errors and imprecisions of various levels of severity. We also found lemmas that were stated but not explicitly applied afterwards. For reference, this appendix provides an exhaustive list of our findings. This list illustrates how difficult it is to write paper proofs correctly, and reminds us that we cannot rely on reviewers or second readers to catch all mistakes. We hope that our corrections will further increase the chapter’s value to the research community.

Regarding the errors and imprecisions, we have ignored infelicities that are not mathematical in nature, such as typos and LaTeX macros gone wrong (e.g., “by the defn[candidate model]candidate model for N” on page 34); for such errors, careful reading, not formalization, is the remedy. We have also ignored minor ambiguities if they can easily be resolved by appealing to the context and the reader’s common sense (e.g., whether the clause \(C \vee A \vee \cdots \vee A\) may contain zero occurrences of A).

• One of Lemma 3.4’s claims is that if clause C is true in \(I^D\), then C is also true in \(I_{ D '}\), where \(C \preceq D \preceq D '\). This does not hold if \(C = D = D '\) and C is productive. Similarly, the first sentence of the proof is wrong if \(D = D '\) and D is productive: “First, observe that \(I_D \subseteq I^D \subseteq I_{ D '} \subseteq I^{ D '} \subseteq I_N\), whenever \( D '\succeq D\).”

• The last occurrence of \( D '\) in the statement of Lemma 3.7 should be changed to C. In addition, it is not clear whether the phrase “another clause C” implies that \(C \not = D\), but the counterexample we gave in Sect. 4 works in both cases. Correspondingly, in the proof, the case distinction is incomplete, as can be seen by specializing the proof for the counterexample.

• In the chapter’s Figure 2, in Sect. 3, the selection function is wrongly applied: References to \( S (D)\) should be changed to \( S (\lnot \,A_1 \vee \cdots \vee \lnot \,A_n \vee D)\). Moreover, in condition (iii), it is not clear with respect to which clause the “selected atom” must be considered, the two candidates being \( S (\lnot \,A_1 \vee \cdots \vee \lnot \,A_n \vee D)\) and \( S (C_i \vee A_i \vee \cdots \vee A_i)\). We assume the latter is meant. Finally, phrases like “\(A_1\) is maximal with respect to D” (here and in Figure 4) are slightly ambiguous, because it is unclear whether \(A_1\) denotes an atom or a (positive) literal, and whether it must be maximal with respect to D’s atoms or literals. From the context, we infer that an atom-with-atom comparison is meant.

• Soundness is required in the chapter’s Sect. 4.1, even though it is claimed in Sect. 2.4 that only consistency-preserving inference systems will be considered.

• In Sect. 4.1, it is claimed that “a fair derivation can be constructed by exhaustively applying inferences to persisting formulas.” However, this construction is circular: The notion of persisting formula (i.e., the formulas that belong to the limit) depends itself on the derivation.

• In the proof of Theorem 4.3, the case where \(\gamma \in \smash {\mathcal {R}_{\scriptscriptstyle \mathcal {I}}}(N_\infty \setminus \smash {\mathcal {R}_{\scriptscriptstyle \mathcal {F}}}(N_\infty ))\) is not covered.

• In Sect. 4.2, the phrase “side premises that are true in N” must be understood as meaning that the side premises both belong to N and are true in \(I_N.\)

• Lemma 4.5 states the basic properties of the redundant clause operator \(\smash {\mathcal {R}_{\scriptscriptstyle \mathcal {F}}}\) (monotonicity and independence). Lemma 4.6 states the corresponding properties of the redundant inference operator \(\smash {\mathcal {R}_{\scriptscriptstyle \mathcal {I}}}\). As justification for Lemma 4.6, the authors tell us that “the proof uses Lemma 4.5,” but redundant inferences are a more general concept than redundant clauses, and we see no way to bridge the gap.

• Similarly, in the proof of Theorem 4.9, the application of Lemma 4.5 does not fit. What is needed is a generalization of Lemma 4.6.

• In condition (ii) of Figure 4, Sect. 4.2, \(A_{ii}\sigma \) should be changed to \(A_{i\!j}\sigma \).

• In the nth side premise of Figure 4, Sect. 4.2, \(A_{1n}\) should be changed to \(A_{n1}\).

• In Figure 4, Sect. 4.2, the same mistakes as in Figure 2 occur about the application of the selection function.

• Sect. 4.3 states “Subsumption defines a well-founded ordering on clauses.” A simple counterexample is an infinite sequence repeating some clause. “Subsumption” should be replaced by “proper subsumption.”

• In Lemma 4.10, it is not clear which selection function is used. When the lemma is applied in the proofs of Lemma 4.11 and Theorem 4.13, it must be \( S _{\mathcal {O}_\infty }\).

• In Lemma 4.10, \(G(\mathcal {S})\) and \(G(\mathcal {S'})\) are related by \(\mathrel {\rhd }^*\), but \(\rhd \) is needed in the proofs of Lemma 4.11 and Lemma 4.13 since then derivations in RP, which are possibly infinite, can be projected to theorem proving processes. However \(G(\mathcal {S}) \rhd G(\mathcal {S'})\) does not hold in one of the cases since a combination of deduction and deletion is required. A solution is to change the definition of \(\rhd \) to allow such combinations.

• In Lemma 4.10, it is not clear that the extension used should be the same between any considered pair of states. Otherwise, the lemma cannot be used to project derivations in RP to theorem proving processes.

• In Lemma 4.11, it is not clear which selection function is used. When the lemma is applied in the proofs of Theorem 4.13, it must be \( S _{\mathcal {O}_\infty }\).

• A step in the proof of Lemma 4.11 considers a clause \(D \in \mathcal {P}_l\) which has a nonredundant instance C. It is claimed that when D is removed from \(\mathcal {P}\), another clause \(D'\) with C as instance appears in some \(\mathcal {O}_l'\). That, however, does not follow if D was removed by backward subsumption. The problem can be resolved by choosing D as minimal, with respect to subsumption, among the clauses that generalize C in the derivation. This can be done since proper subsumption is well founded.

• In Lemma 4.11, a minor inconsistency is that the described first-order derivation is indexed from 1 instead of 0.

• In the proof of Theorem 4.13, the conclusion of Lemma 4.11 is stated as \(N_\infty \setminus \mathcal {R}(N_\infty ) \subseteq \mathcal {O}_\infty \), but it should have been \(N_\infty \setminus \mathcal {R}(N_\infty ) \subseteq G(\mathcal {O}_\infty )\). Furthermore, when Lemma 4.11 was first stated, the conclusion was \( N_\infty \setminus \smash {\mathcal {R}_{\scriptscriptstyle \mathcal {F}}}(N_\infty ) \subseteq G(\mathcal {S}_\infty ) \). The two are by fairness equivalent, but we find \(N_\infty \setminus \mathcal {R}(N_\infty ) \subseteq G(\mathcal {O}_\infty )\) more intuitive since it more clearly expresses that all nonredundant clauses become old.

Chief among the factors that contribute to making the chapter hard to follow is that many lemmas are stated (and usually proved) but not referenced later. We already mentioned the unfortunate Lemma 3.7. Sect. 4 contains several other specimens:

• Theorem 4.3 (fair_derive_saturated_upto) states a completeness theorem for fair derivations. However, in Sect. 4.3, fairness is defined differently, and neither the text nor the formalization applies this theorem.

• For the same reason, the property stated in the next-to-last sentence of Sect. 4.1 (standard_ redundancy_ criterion_ extension_fair_iff), which lifts fairness with respect to \((\smash {\mathcal {R}_{\scriptscriptstyle \mathcal {F}}}, \smash {\mathcal {R}_{\scriptscriptstyle \mathcal {I}}})\) to a standard extension \((\smash {\mathcal {R}_{\scriptscriptstyle \mathcal {F}}}, \smash {\mathcal {R}'_{\scriptscriptstyle \mathcal {}}})\), is not needed later.

• Lemma 4.2 (sat_deriv_Liminf_iff, Ri_limit_Sup, Rf_limit_Sup) is not referenced in the text, but we need it (sat_deriv_Liminf_iff, Ri_limit_Sup) to prove Theorem 4.13 (fair_state_seq_complete). We also need it (Rf_limit_Sup) to prove Lemma 4.11 (fair_imp_Liminf_minus_Rf_subset_ground_Liminf_state).

• Lemma 4.6 (saturated_upto_complete_if) is not referenced in the text, but we need it to prove Lemma 4.10 (resolution_prover_ground_derivation), Lemma 4.11 (fair_imp_ Liminf_minus_Rf_subset_ground_Liminf_state), and Theorem 4.13 (fair_state_seq_complete).

• Theorem 4.8 (Ri_effective) is not referenced in the text, but we need it to prove Theorem 4.13 (fair_state_seq_complete).

• Theorem 4.9 (saturated_upto_complete) is invoked implicitly in the next-to-last sentence in the proof of Theorem 4.13 (fair_state_seq_complete).