Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
2 Reiner Hahnle
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 3Abstract of the Course<strong>Tableau</strong>-based approaches to automated deduction have gained a lot of ground inrecent years after many years during which they have been mainly considered forteaching and in proof theoretic studies. One reason for this development is thatcompetitive implementations of rst-order logic tableau provers are now available,but another reason for the renewed interest is the large number of applications fordeduction in non-classical in linguistics, intelligent agents, knowledge representationto name just a few elds. I will present various tableau-related calculi in auniform, modern framework with new, concise completeness proofs. Important implementationsas well as basic techniques for accommodating non-classical aspectsare discussed as well. A brief introduction into the required concepts of computationallogic is included.1. IntroductionReasoning methods based on tableaux and their relatives gained a lot of attention inthe past decade after a long period of near stagnation. One reason is that theoreticaland implementational progress nally permitted to build tableau-based theoremprovers [23, 42] that can compete [60] with state-of-the-art resolution-based systems.Another reason is the increased need for deduction in various non-classical logicsfor which tableau calculi are particularly well suited.Today, a large number of renements of tableau-like calculi aimed at ecientautomated proof search are available. In fact, there are so many of them that it hasbecome quite dicult for the non-specialist keep track of the main developments.The diculty of this task is incrased by the plethora of names for closely related systems:connection tableaux, connection method, hypertableaux, matrices, matings,model elimination, model generation, near-Horn logic programming, SL-resolutionall are relatives of each other.In this paper I introduce the main lines of development of tableau-like calculi,as far as they are relevant for automated reasoning, in a uniform framework. Atthe same time I work out their mutual relationships and I classify the renementsaccording to various properties.Most renements of tableau calculi are dened and implemented only for clausenormal form. Accordingly, after a brief treatment of tableaux for full rst-order logicin Section 3, the bulk of the material is presented on the clause level. In Section 4the main types of renements of tableau-like calculi are dened and discussed. Thehistory of tableaux-like proof methods is long and vined. Many key ideas werediscovered several times independently. I trace the major developments in a verybrief historical Section 5.
4 Reiner Hahnle2. PreliminariesHere some basic ingredients of computational logic are collected. This section cannotreplace a proper introduction into logic and elementary issues of theorem proving.I recommend Fitting's book [18] as a background.2.1. SyntaxA rst-order signature =hP ;F i consists of a non-empty set P of predicatesymbols and a set F of function symbols. For skolemization we do not use symbolsfrom F but from a special innite set F sko of Skolem function symbols that isdisjoint from F ; the extended signature hP ;F [ F sko i is denoted with . Thesymbols in P , F and F sko may be used with any non-negative arity. In addition,there is an innite set Var of object variables.Given a signature , the sets T of terms and A of atoms over are inductivelydened by:(i) Object variables and 0-ary function symbols from are terms.(ii) If t 1 ;:::;t n are terms, f is a n-ary function symbol from , and p is a n-arypredicate symbol from , then f(t 1 ;:::;t n ) is a term and p(t 1 ;:::;t n ) is an atomover .The logical operators are the connectives _ (disjunction), ^ (conjunction) and: (negation), the quantier symbols 8 and 9, and the constant operators true andfalse.Given a signature , the set L of formulas 1 over is inductively dened by:(i) true, false and atoms over are formulas.(ii) If is a formula, then : is a formula.(iii) If 1 ;:::; n , n>1, are formulas none of which is a conjunction (disjunction),then 1 ^ :::^ n (resp. 1 _ :::_ n ) is a formula.(iv) If is a formula and x 2 Var, then (8x) and (9x) are formulas. is calledthe scope of the quantier.Formulas that are identical up to associativity of_ and ^ are identied. A literalis an atom or a negated atom.A ground term (atom, literal, formula) is a term (atom, literal, formula) thatcontains no object variables. The set of ground terms is abbreviated with T 0 .Nodierence is made between ground rst-order formulas and propositional formulas.The complement of a formula is dened by: = if is of the form : ,and = : otherwise.An occurrence of an object variable x in a formula is called bound if x occurs inthe scope of a quantier over x, it is called free otherwise. A formula without freevariable occurrences is a sentence.A clause is a sentence of the form (8x 1 ) (8x n )L 1 __L m , where L i areliterals. For sake of readability the quantier prex of rst-order clauses is usually1 Implication and equivalence are considered to be dened operators, i.e., ! is the same as: _ , and $ is the same as ( ^ ) _ (: _: ).
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 5not written (but assumed to be present). Note that clauses are particular formulas.When C, D are ground clauses C D means that every literal of C occurs also inD; L 2 D expresses that the literal L occurs in clause D. A clause is a tautology ifit contains p and :p for some atom p.A substitution is a mapping :Var !T . It is extended to terms and (sets of)formulas as usual:{ (c) =c, (true) = true, (false) =false{ (s(t 1 ;:::;t n )) = s((t 1 );:::;(t n )) for s 2 F [ P { (A B) =(A) (B) for 2f:; ^; _g{ (QxA) =Qx 0 (A) for Q 2f8; 9g, where 0 = nfx=tjt 2Tg{ (fA 1 ;:::;A n g)=f(A 1 );:::;(A n )gIf (x) =x for all but nitely many x 2 Var it is denoted = fx 1 =t 1 ;:::;x n =t n g.Application of substitutions is usually written postx (note that () =() =). Without loss of generality we assume that the range of substitutions nevercontains object variables that occur bound in a formula to which is applied.When the t i are ground terms one has a ground substitution. Arenaming is asubstitution which isapermutation such that the variables in its range are newin the context, where appears.If T is a non-empty set of terms and jTj = 1, then is a unier of T .Itisamost general unier (MGU) if for all uniers of T there is a substitution suchthat = .Proposition 2.1. Uniability of a nite set of terms can be decided and, whenpositive, an idempotent MGU computed in linear time.An instance of a clause C = 8x 1 8x n L 1 __L m is an expression (L 1 __L m ), where is a renaming. When is a ground substitution one has a groundinstance of C.A substring of a formula which is itself a formula is called a subformula of. If is a subformula of and 6= then is a proper subformula of . Ifis a proper subformula of such that there is no proper subformula of with being a proper subformula of , then is an immediate subformula of .As we deal with arbitrary formulas we have to account for the fact that a disjunctivesubformula may occur negated and thus is implicitly a conjunctive formulaetc. Also, the sign of a literal may be implicitly complemented.Denition 2.1. An occurrence of a subformula of 2L is(i) positive if = ,(ii) negative ( positive) if is of the form : and the occurrence of is positive(negative) in ,(iii) positive ( negative) if is an immediate subformula of , but 6= : , andthe occurrence of is positive (negative) in .
6 Reiner Hahnle2.2. SemanticsGiven a rst-order signature a rst-order structure M = hD; Ii consists of a nonemptyset D called domain and an interpretation I that assigns to each f 2 F amapping I(f) :D (f) ! D and to each p 2 P a relation I(p) 2 D(p) .A variable assignment is a mapping :Var ! D. The d-variant of at x is d x(y) =(d if x = y(y) otherwiseIn any rst-order structure M avariable assignment is extended to terms:x M; = (x) for x 2 Varf(t 1 ;:::;t n ) M; = I(f)(t M;1;:::;tnM; ) for f(t 1 ;:::;t n ) 2TSatisability of formulas in M and , written (M;) j= is dened as follows:(M;) j= true(M;) j= false(M;) j= p(t 1 ;:::;t n )(M;) j= :(M;) j= 1 ^^ n(M;) j= 1 __ n(M;) j= 8x(M;) j= 9xfor all M and for no M and i (t M;1;:::;t M;n ) 2 I(p) for p(t 1 ;:::;t n ) 2Ai not (M;) j= i (M;) j= i for all i 2f1;:::;ngi (M;) j= i for at least one i 2f1;:::;ngi (M; d x) j= for all d 2 Di (M; d x ) j= for at least one d 2 DA rst-order -structure M is a model of a set of formulas M L , denotedM j= M,if(M;) j= for all 2 M and variable assignment . is a logicalconsequence of M, denoted M j= if each model of M is also a model of . isvalid, written j= , when each -structure M is a model of .A rst-order -structure M = hD; Ii is a term structure if D = T 0 .Proposition 2.2. For all 2L and sets of L -sentences M: M j= i M [f:g is unsatisable.<strong>Theorem</strong> 2.1. If a sentence 2L is satisable, then it has a -term model.Assume f contains at least one constant, then T 0 6= ;. A structure hT 0 ; Ii,where I(f)(t 1 ;:::;t n )=f(t 1 ;:::;t n ) for all f 2 F , is called Herbrand structure.<strong>Theorem</strong> 2.2 (Clausal Version of Herbrand's <strong>Theorem</strong>). Let S be a nite, unsatisableset of clauses. Then there is a nite set S of ground instances of S suchthat S is unsatisable.A proof is, for example, in [58].
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 73. The <strong>Tableau</strong> Method3.1. Informal IntroductionIt is common to view the tableau method as a proof by contradiction and casedistinction (this view was already stressed by pioneers Beth [10] and Hintikka [30]).More precisely, it allows one to systematically generate subcases until elementarycontradictions are reached. Let us go through a small example:Assume we want to prove the following simple theorem from elementary settheory: for any sets P; Q; R; S, if(1)S \Q = ;, (2) P Q[R, (3) P = ;!Q 6= ;,and (4) Q [ R S, then P \ R = ;.We give a proof by contradiction, therefore, assume P \R 6= ;. From (3) we knowthat there is an element c 2 P (case 1) or there is an element d 2 Q (case 2). Weproceed with case 1. The assumption applied to c yields that c 62 P (case 1.1) orc 62 R (case 1.2). Case 1.1 is contradictory. In case 1.2 apply (2) to c: ifc 2 P thenc 2 Q or c 2 R. But we know already that c 2 P and c 62 R which leaves case 1.2.2,c 2 Q, to consider. Using (1) similarly as the assumption yields case 1.2.2.1, c 62 S.Finally, from (4) we have: if c 2 Q [ R then c 2 S. Again, the second possibility isa contradiction, and case 1.2.2.1.1, c 62 Q [ R, remains. Thus, c 62 Q, contradiction.The remaining case 2 is similar.This proof is easier to follow if the case distinctions are displayed tree-like asin Figure 1. We observe that case distinctions could be generated schematicallydepending on the form of their premiss. At several points, premisses had to besuitably instantiated. (1), (2) and (4) are universally quantied, for instance, (1)says that for all elements x, x cannot be both an element of S and of Q. In automatedtheorem proving nding instances is done by unication|one tries to nda substitution that produces a contradiction in the current branch of the proof(in the example this is fx=cg). In general one needs, of course, to apply a premissmore than once during a proof. This multiplicity cannot be computed in advance(otherwise, rst-order logic would be decidable). One of the problems that tableaumethods must solve is to systematically enumerate \enough" (this is made preciselater) instances of universally quantied formulas.From premiss (3) one obtains existentially quantied expressions saying that atleast one of P and Q must contain an element. In automated theorem provingsuch witness elements are produced by Skolemization: the existentially quantiedvariable is replaced by a \new" (again, this is made precise later) term.3.2. Non-clausal <strong>Tableau</strong>x with Unication3.2.1. Unifying NotationThe rst step in formalizing the considerations in the previous section is to supplyformal rules that tell in which way a formula is analyzed according to its leadingconnective. Smullyan [58] observed that some work can be saved if non-literalformulas are grouped into types which are treated identically: for formulas of
8 Reiner Hahnle1.1c 62 PP 6= ;c 2 P1.2.1c 62 P11.2.2.1.1c 62 Q [ Rc 62 Qc 62 R(1){(4) & Ass.1.2c 62 R1.2.2c 2 Q1.2.2.1c 62 S1.2.3c 2 R1.2.2.2c 62 Q 1.2.2.1.2c 2 S 2Q 6= ;d 2 QFigure 1. Structure of an informal proof by contradiction and case distinction.conjunctive type, for formulas of disjunctive type, for quantied formulas ofuniversal, and for quantied formulas of existential type. Correspondence betweenformulas and their types is summarized in Table 1.The letters , , , and are used to denote formulas of (and only of) theappropriate type. In the case of - and -formulas the variable x bound by the (topmost)quantier is made explicit by writing (x) and 1 (x) (resp. (x) and 1 (x));accordingly 1 (t) denotes the result of replacing all occurrences of x in 1 by t.Associativity of^ and _ justies conjunctive and disjunctive formulas with anindenite number of arguments.Some authors [37, 58] prefer to work with signed formulas. These are expressionsof the form T , F , where is a formula. Signed formula tableaux relate moredirectly to sequent calculi, because T-signed formulas play the r^ole of formulasstanding left of a sequent arrow while F-signed formulas are on the right (see alsoSection 4.7.1 below). In classical logic theorem proving there is no particular gainfrom signs, but in non-classical logics their use is indispensable [6, 24].3.2.2. <strong>Tableau</strong> RulesWith unifying notation decomposition rules for arbitrary formulas can be given ina concise way.In Table 2 expansion rule schemata for the various formula types are given. Premissesand conclusions are separated by a horizontal bar, while vertical bars in theconclusion denote dierent extensions. The formulas in an extension are implicitlyconjunctively connected, and dierent extensions are implicitly disjunctively con-
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 9 1 ;:::; n 1 ;:::; n 1 ^ :::^ n:( 1 _ :::_ n ):: 1 ;:::; n: 1 ;:::;: n 1 _ :::_ n:( 1 ^ :::^ n ) 1 ;:::; n: 1 ;:::;: n:falsetrue:truefalse 1(8x)((x)) (x):(9x)((x)) :(x)Table 1Correspondence of formulas and their types. 1:(8x)((x)) :(x)(9x)((x)) (x)nected. We use n-ary - and -rules, i.e., when the -rule is applied to a formula= 1 _ :::_ n , then is broken up into n subformulas (instead of splitting itinto two formulas 1 _ :::_ r and r+1 _ :::_ n ,0 is an arbitrary but xed ordering on F sko , and (b) for all ; 0 2L the symbols sko and 0 sko are identical if and only if and 0 are identical up tovariable renaming (including renaming of the bound variables).The purpose of condition (a) in the above denition of sko is to avoid cycles like:sko occurs in 0 and 0 sko occurs in .Both improvements of the -rule together have the consequence that its conclusioncan be computed locally to the formula |no \global" information is required.
10 Reiner Hahnle 1. . 1 n(x) 1 (y)y 2 Var is newto the tableau. nTable 2Rule schemata for tableaux with unication.(x) 1 (sko(x 1 ;:::;x n ))x 1 ;:::;x n are thefree variables in .3.2.3. <strong>Tableau</strong> ProofsAs was hinted at already, tableau proofs are trees whose nodes are formulas that are(sub)goals in the proof and the tree structure gives the logical dependence betweenthem. Assume we wanttoprove that a set of sentences logically implies a sentence. By Proposition 2.2 this amounts to checking that the set of sentences [f: gis unsatisfable.Denition 3.2. Let be a rst-order signature. A tableau (over ) is a nitelybranching tree whose nodes are formulas from L .Abranch in a tableau T isa maximal path in T . 2 Given a set of sentences from L ,atableau for isconstructed bya(possibly innite) sequence of applications of the following rules:(i) The tree consisting of a single node true is a tableau for (initializationrule).(ii) Let T be a tableau for , B abranch of T , and a formula in B [ . If thetree T 0 is constructed by extending B by as many new linear subtrees as an instanceof a tableau rule schema in Table 2 with premiss has extensions, and the nodesof the new subtrees are the formulas in the extensions of the rule instance, then T 0is a tableau for (expansion rule).(iii) Let T be a tableau for , B abranch of T , and and 0 literals in B [ .If and 0 are uniable with MGU , and T 0 is constructed by applying to allformulas in T (i.e., T 0 = T), then T 0 is a tableau for (closure rule).The last item of the previous denition incorporates two simplications: rst,MGUs are used instead of arbitrary substitutions; second, and 0 are literals,not arbitrary formulas. The former is crucial, because there are only nitely manyMGUs of (complemented) formulas on a nite tableau. If is nite this impliesthat there are systematic procedures for enumerating the (nite) tableaux for .The branches in a tableau correspond to dierent subcases in a proof. Obviously,Def. 3.2(iii) is a means to produce a contradiction in a subcase/branch. Atableau proof is nished when this has been achieved for all branches. The followingterminology is standard:Denition 3.3. In a tableau T for a set of sentences a branch B is closed iB [ contains a pair ; : 2L of complementary formulas, or false; otherwise,it is open. A tableau is closed if all its branches are closed.2 When no confusion can arise, branches are frequently identied with the set of their nodes(formulas).
12 Reiner Hahnleto one by adding a copy of the subtableau with root node 17 below node25andinstantiating the free variables in that copy with d (instead of c).3.2.4. <strong>Tableau</strong> Semantics and SoundnessSince our goal is to use tableaux as a framework for formal proofs, we require toextend semantics from formulas to tableaux. Our guideline here is to ensure thata tableau for is closed i is unsatisable. We xed already that a tableau isthought of as the disjunction of its branches which in turn are considered as conjunctionsof their labels. By a standard argument then, the equivalence above isreduced to the question whether the tableau construction rules leave tableau satisabilityunaltered. This is a routine matter for all but the -rule which requires somecare. Recall that two optimizations were incorporated into this rule (Section 3.2.2):(i) the variables of the Skolem term are restricted to the free variables of , (ii) theleading function symbol sko of the Skolem term is not unique in a tableau proof.<strong>Tableau</strong> semantics must be carefully chosen to reect these restrictions. To meet (i)it suces to treat free variables in a tableau essentially as if they were universallyquantied.Denition 3.4. A tableau T for L is satisable if there is a structure M of such that for every variable assignment there isabranch B of T with (M;) j= B.In that case we say that M is a model of T , denoted byM j= T .For (ii) it is important that Skolem function symbols are interpreted in the \right"way. The most elegant way toachieve this, is to dene formula semantics withrespect to only such interpretations|let us call them canonical interpretations. Ofcourse, one needs to show then that each satisable formula can be satised by acanonical interpretation.Denition 3.5. A term structure M = hD; Ii is canonical i for all variable assignments and (x) 2L :if(M;) j= (x) then (M;) j= 1 (sko(x 1 ;:::;x n )),where x 1 ;:::;x n are the free variables in .Lemma 3.1 ([7]). Given a signature , if the set L of sentences is satisable,then there isacanonical structure M over such that M j=.Corollary 3.1. Let M beacanonical structure over , a variable assignment,and 2L ; and let 0 beconstructed from by (a) replacing a positive occurrenceof some (x) in by 1 (sko(x)(x 1 ;:::;x n )), orby(b)replacing a negative occurrenceof(x) in by 1 (sko(x)(x 1 ;:::;x n ), where x 1 ;:::;x n are the free variablesin (x). Then (M ;) j= implies (M ;) j= 0 .Lemma 3.2. Any tableau for a satisable set of L -sentences is satisable.Proof. By denition of tableaux there is a sequence T 1 ;:::;T m (m>0), whereT = T m and T 1 is the initial tableau whose single node is true, and where T i+1
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 13is constructed from T i by applying a single tableau expansion or closure rule. ByLemma 3.1, the input set is satised by a canonical structure M over .Byinduction on m one proves that M satises all of T 1 ;:::;T m and hence T . Theinduction step is trivial and all cases, but the -rule case are straightforward (see[18] for a detailed proof). The latter, however, follows from the corollary.Now assume we have a closed tableau T for a set of L -sentences . Obviously,nostructure and variable assignment can satisfy a closed branch, so T is unsatisable.By the preceding lemma, is unsatisable as well. This proves:<strong>Theorem</strong> 3.1 (Soundness). If there is a tableau proof for a set L of sentences,then is unsatisable.3.3. From Calculus to Proof Procedure<strong>Tableau</strong> soundness gives the desirable property of tableaux with unication that aclosed tableau for signies validity of. Remains the question whether for allvalid sentences a tableau proof exists and, if this is the case, how it can be found.While the rst question is answered armatively in Section 3.4, for the second onea fully satisfactory answer is not yet available. Let me point out why it is a dicultproblem.It is straightforward to derive a tableau proof procedure from Denition 3.2, butnote that such a procedure is indeterministic: usually, a great number of rules isapplicable to any given tableau. More precisely, one rst must select a branch B,where a rule is applied, then decide whether an expansion rule or a closure rule isused; in the rst case one must choose a formula 2 B[, in the second case a pairof literals on B. Let us refer to these kinds of indeterminism with the phrases selectbranch, select formula, select pair, and select mode in the following. Making thesechoices deterministic in an arbitrary way almost certainly results in an incompleteproof procedure.In Figure 3, for example, the -formula is always preferred for expansion ruleapplication, delaying expansion of the inconsistent second formula indenitely. Inan obvious way, the formula Q ^:Q is treated unfair. This motivates the followingdenition.=fQ ^:Q;(8x)P (x)g-ruletrueP (x 1 )P (x 2 ).-ruleFigure 3. Incompleteness caused by unfair select formula.
14 Reiner HahnleDenition 3.6. The construction of a sequence (T n ) n>0 of tableaux for L ,where T n is obtained from T n,1 by applying a tableau expansion rule, is fair if thefollowing holds for all branches B in the innite tableau that is approximated bythat sequence: (1) all , , and occurring on B or in were used to expand B(by applying the appropriate expansion rule); (2) all occurring on B or in wereused innitely often to expand B (by applying the -rule).One may construct a fair sequence of tableaux for any set of sentences. Combiningfair application of the expansion rule with fair application of the closure rule,however, is a dicult problem, because tableaux with unication are destructive:Denition 3.7. A tableau calculus is non-destructive if all tableaux that can beconstructed from a given tableau T contain T as an initial subtree; otherwise thecalculus is destructive.For example, at rst sight it might seem to be a good idea to apply the closurerule in a \greedy" manner that is as early as possible. Not so. One problem is thatseveral pairs of closure literals (with incompatible MGUs) may compete, but this isnot all. In Figure 4, independently from which branch is closed rst, the variable x 1gets \used up" by a substitution that blocks closure of the other branch. Of course,a second free variable instance of the -formula may be created, but then the samehappens one level below etc.=((P (b) ^ P (c)) ! P (x)) !:(Q(x) ! (Q(b) _ Q(c)))=f(8x) ;P(a); :Q(d)gpossibleclosuretruepossibleclosure:((P (b) ^ P (c)) ! P (x 1 ))P (b) ^ P (c):P (x 1 ):(Q(x 1 ) ! (Q(b) _ Q(c)))Q(x 1 ):(Q(b) _ Q(c))Figure 4. Incompleteness caused by unfair select mode.A non-destructive tableau procedure does not suer from this problem, becauseit is (trivially) proof conuent:Denition 3.8. A tableau proof procedure isproof conuent if from every tableaufor an unsatisable set of sentences a closed tableau can be constructed.A destructive tableau proof procedure still might be proof conuent, but as witnessedby the previous example, it might aswell be not. A deterministic tableauproof procedure which is not proof conuent is incomplete. At the present time,no practical, proof conuent destructive tableau proof procedure is known (there is
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 15hope, however, see the discussion at the end of Section 3.3). Therefore, it is worthdiscussing possible ways around the problem. 3An obvious way to enforce proof conuency of tableaux with unication consistsin delaying any application of the closure until all tableau branches can be closedsimultaneously by a suitable substitution. This is the path chosen in Fitting's textbook [18]|it has its inecencies: rst, one cannot discard closed branches untilthe proof is essentially nished which might lead to storage problems, and second,after each expansion rule the whole tableau must be tested for closure which isveryredundant.Another option for obtaining a complete tableau proof procedure comes fromthe observation that its indeterminism is locally nite|from each tableau only anite number of successors can be constructed. Thus one can turn each tableauinto a nitely branching OR node of an AND-OR search tree which may then besearched in a breadth rst manner. This approach is impractical because of spacerequirements.Stickel [59] suggested to replace breadth rst search by depth f irst search withbacktracking and iterative deepening of the search depth (DFID search) which hasonly a small overhead in run time as compared to breadth rst search, but is a lotmore space ecient [33]. <strong>Tableau</strong> proof search procedures based on DFID turn outto be elegantly and eciently implementable in logic programming languages [59,3, 8].To increase eciency of search it is important to get rid of as many OR nodes aspossible. In the DFID setup this means to minimize the amount of backtracking. Itis obvious that one may choose any deterministic strategy for select branch as allbranches need to be closed eventually. In addition, it is not dicult to implementafair strategy for select formula [18]. This leaves the|destructive|branch closure.Ideally, one would liketohave a fair selection rule not only for formula selection, butfor closure selection as well, thus yielding a proof conuent proof search procedurefor tableaux with unication.3.4. <strong>Tableau</strong> CompletenessThe preceding discussion shows that it is dicult to ensure completeness of tableauxwith unication for a deterministic proof search procedure. On the other hand, itis not too dicult to show mere existence of a closed tableau for each unsatisableset of sentences. The presentation of the latter result closely follows [7].It is convenient towork with a data structure that slightly abstracts from tableaubranches: so-called Hintikka sets (named after their inventor [30]) may contain aninnite number of formulas whose order is irrelevant. A model can be immediatelyconstructed for any Hintikka set.3 Another reason is that some of the more important renements of the tableau calculus are notproof conuent already on the propositional level. This discussed in Section 4.3 below.
16 Reiner HahnleDenition 3.9. A set H L of sentences is a Hintikka set if it satises thefollowing conditions: (1) false 62 H and there arenocomplementary literals in H.(2) If 2 H, then all i are inH. (3) If 2 H, then some i is in H. (4) If(x) 2 H, then 1 (t) 2 H for all ground -terms t. (5) If (x) 2 H, then 1 (t) 2 Hfor some ground -term t.Lemma 3.3 (Hintikka). Every Hintikka set is satisable.Proof. A term model M = hD; Ii of H is dened by: t I = t for all t 2 D, andp I (t 1 ;:::;t k )= true i p(t 1 ;:::;t k ) 2 H for ground atoms p(t 1 ;:::;t k )over .Byinduction on the structure of formulas in H it is easy to prove that M j= H.<strong>Theorem</strong> 3.2 (Completeness). If the set L of sentences is unsatisable, thenthere is a tableau proof for .Proof. Let (T n ) n>0 be a fair sequence of tableaux for starting with the tableauconsisting of the single node true; this sequence approximates the innite tree T 1 .We dene a particular ground substitution 1 as follows: let (B k ) k>0 be an enumerationof the branches of T 1 and ( i ) i>0 an enumeration of the -formulas in T 1 .For every -formula i ,if i occurs on B k let x ijk be the new variable introduced bythe j-th application of the -rule to i on B k . Finally, let (t j ) j>0 be an enumerationof all -ground terms.To ensure that B k denes a model, the instances of i on B k 1 must \cover"all ground terms t j . It suces to choose 1 (x ijk )=t j for all i; j; k > 0.By construction of 1 and fairness of T 1 ,ifB is a branch inT 1 and B 1is open, then B 1 [ isaHintikka set and so is satisable. This contradictsthe assumption, hence T 1 1 is closed. T 1 is a nitely branching tree and thedistance of all formulas involved in closures to the root node is nite. Then, byKonig's Lemma 4 , there is an n>0 such that the nite tableau T n 1 is closed.In general, 1 is not a most general unier of complementary literals used inclosures and cannot be used in an MGU closure rule application to T n . Therefore, itremains to show that 1 can be suitably decomposed: 1 = r r,1 1 ,where i is a most general closing substitution for the instance B i 1 2 ::: i,1 ofthe i-th branch inT n (0
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 17It suces to apply the appropriate expansion rule exactly once to each , , orformulaon each branch to obtain a Hintikka set from a fairly constructed sequenceof tableaux. This has the practically relevant consequence that only to -formulasmust a rule be applied more than once per branch.4. Clause <strong>Tableau</strong>xIn the present section a number of renements of the tableau procedure are introduced.Foranumber of reasons, these renements are merely discussed on theclause level:{ Simplied notation leads to easier detection of new renements{ Ecient implementability{ Completeness proofs stay managable{ Comparability (most deduction procedures implemented on clause level)Restricting attention to the clause level implies some limitations as well:{ Some applications (such as software verication) expect proofs on non-clausallevel: backtranslation from clauses can be tricky{ For some non-classical logics a clause normal form is unknownSo there is considerable incentive to generalize the following results (partially thishas been done, for example, in [25]), but I think the material is more accessible inthe present, syntactically limited form.4.1. Normal Form ComputationHow rst-order sentences are eciently transformed into clause sets is shown, forexample, in [49, 43].4.2. Clause <strong>Tableau</strong> Proofs, Soundness, Completeness4.2.1. Clause <strong>Tableau</strong>xLet us start by stating suitably simplied versions of Denition 3.2 and 3.3.Denition 4.1. Let be a rst-order signature. A clause tableau (over ) isanitely branching tree whose nodes are literals from L . Given a clause set Sfrom L , a clause tableau for S is constructed bya(possibly innite) sequence ofapplications of the following rules:(i) The tree consisting of a single node labeled with true is a tableau for S(initialization rule).(ii) Let T be a tableau for S, B abranch of T , and L 1 _ _L r an instanceof C 2 S. If the tree T 0 is constructed by extending B with r new subtrees and thenodes of the new subtrees are labeled with L i , then T 0 is a tableau for S (extensionrule).
18 Reiner Hahnle(iii) Let T be a tableau for S, B abranch of T , and L and L 0 literals in S. IfLand L 0 are uniable with MGU , and T 0 is constructed by applying to all literalsin T (i.e., T 0 = T), then T 0 is a tableau for S (closure rule).Denition 4.2. In a clause tableau T for a set S abranch B is closed i Bcontains a pair of complementary literals; otherwise, it is open. A tableau is closedif all its branches are closed.A clause tableau proof for (the unsatisability of) a clause set S L is a closedclause tableau T for S.Example 4.1. A clause form of the formula set in Example 3.1 consists of clauses(1) :s(x)_:q(x), (2) :p(x)_q(x)_r(x), (3) p(c)_q(d), (4) :q(x)_s(x), (5) :r(x)_s(x), (6) :p(x)_:r(x). Observe that the nodes are a subset of the nodes in Figure 2.Clause (5) is not used.[7;{] true[8;3] p(c)[9;3] q(d)fx 1=cg[10;6] :p(x 1 )fx2=cg[11;6] :r(x 1 )idfx 4=cg[12;2] :p(x 2 )[13;2] q(x 2 )[15;1] :s(x 3 )[16;1] :q(x 3 )fx3=cg[16;4] :q(x 4 ) [17;4] s(x 4 )[14;2] r(x 2 )idFigure 5. Partial clause tableau proof for S from Example 4.1.Clause tableaux mainly constitute a syntactic simplication of full rst-ordertableaux. The main properties of the calculus are the same, in particular the discussionin Section 3.3 applies to them as well.In contrast to the full rst-order case the extension and closure rule only useliterals and clauses from the input set. This simplies some denitions.4.2.2. Soundness and CompletenessSoundness of clause tableaux follows immediately from <strong>Theorem</strong> 3.1 by observingthat clauses are particular rst-order formulas and extension rule 4.1.(ii) can becomposed of several applications of rule 3.2.(ii).
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 19Completeness could be obtained easily by suitable simplication of the proof of<strong>Theorem</strong> 3.2, but in the clausal case a more modular approach is useful. FollowingRobinson [52], lifting a ground proof to a rst-order proof is separated from provingground completeness of a calculus. The advantage is that the lifting part is similarfor all following tableau renements and must at most be sketched each time. Soit is sucient to concentrate on ground completeness. Abstraction from rst-orderissues greatly simplies completeness proofs of the more complicated calculi thatfollow.<strong>Theorem</strong> 4.1 (Lifting). Let S be an unsatisable clause set, S an unsatisable setof ground instances of S and T a closed clause tableau for S. Then there is a closedclause tableau T for S and a substitution such that T = T.Proof. The main technical diculty of this proof is that in Denition 4.1.(iii) onlyMGUs are to be used whereas S may contain arbitrary ground instances of clauses.The following property of MGUs is needed:If T 0 is a clause tableau, a substitution such that T 0 is closed,and an MGU that closes any branch ofT 0 , then T 0 = T 0 .(4.1)Proof of (4.1): by denition of an MGU and as closes T 0 , there is 0 with 0 = .MGUs can be assumed to be idempotent, so T 0 = T 0 0 = T 0 0 = T 0 .Back to the main proof, let T 0 be constructed exactly as T but for each extensionstep with C 2 S used in T , take instead an instance of the clause C 2 S of whichC is a ground instance. Obviously, T 0 = T for a suitable ground substitution .If B is an arbitrary open branch ofT 0 , then it is closed by , so there is an MGU that closes B and rule 4.1.(iii) is applicable to obtain a clause tableau T 1 = T 0 .By (4.1), T 1 = T 0 = T . Repeating this argument in a straightforward inductionover the number n of open branches in T 0 yields a closed clause tableau T = T nsuch that T = T .In the proof the sequence of branch closures was arbitrary which shows independenceof the select branch strategy. 5In the following it is sucient to prove ground completeness for various instancesX of clause tableau restrictions:<strong>Theorem</strong> 4.2 (Ground Completeness Schema). If the nite ground clause set S isunsatisable, then there is a X-tableau proof for S.We could proceed to prove ground completeness of unrestricted clause tableauxright now, but in following sections ground completeness of various restrictions ofclause tableaux is proven of which completeness of the unrestricted calculus is animmediate consequence.5 When select clause is arbitrary, but fair, the theorem still holds in the weakened form that thereis a clause tableau T for S such that T can be homeomorphically embedded into T .
20 Reiner Hahnle<strong>Theorem</strong> 4.3 (Completeness). If the clause set S is unsatisable, then there isaclause tableau proof for S.Proof. Herbrand's <strong>Theorem</strong> 2.2 provides a nite, unsatisable set S of groundinstances of S. By <strong>Theorem</strong> 4.2 there is a closed ground clause tableau T for S and,by <strong>Theorem</strong> 4.1, there is a closed clause tableau for S.As announced already, the next goal is to nd complete restrictions of clausetableaux. It is sucient toprovide a suitable instance of <strong>Theorem</strong> 4.2, whenevera ground X-tableau proof T lifts to a rst-order X-tableau proof T . It is usuallysucient tocheck that the proof of <strong>Theorem</strong> 4.1 can be used unaltered.From the point of proof search, restricting the tableau calculus means to excludecertain choices in select clause and select pair and to x select branch in some way.4.3. ConnectionsConnection conditions have been pioneered by Davydov [17], Bibel [11, 12], andAndrews [1].4.3.1. Strong ConnectionsA major drawback of the tableau calculus is that the extension rule 4.1.(ii) is appliedcompletely unguided which can clutter up tableaux with many nodes that do notcontribute to a proof.Example 4.2. Consider the two clause tableaux for S = fp(x) _ q(x); r(x) _s(x); :p(a); :q(a); :r(b); :s(b)g displayed in Figure 6. The tableau on the rightconstitutes a minimal proof, while the second extension step in the tableau on theleft is completely unrelated to the initial step.true:p(a)true:p(a)r(x 1 )s(x 1 )p(x 1 )q(x 1 ):r(b)x 1 =bp(x 2 ).q(x 2 ).x 1 =a:q(a)idFigure 6. Redundant nodes in a tableau.Denition 4.3 ([36]). A connection tableau is a clause tableau in which every nonleafnode L (except true) has L as one of its immediate successors.
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 21The tableau on right in Figure 6 is a connection tableau, the tableau on the leftis not. It is excluded by the connection restriction.Connection tableaux are complete, but the proof is deferred until the next section.The denition of connection tableaux implies that when T 6= true at least oneof the new branches generated by the tableau extension rule can be closed. This suggestsan implementation-oriented denition of connection tableaux obtained fromDenition 4.1 by changing the rst two rules:(i 0 )For any instance L 1 _ _L r of C 2 S the tree constructed by extendingtrue with r new subtrees with nodes L i is a connection tableau for S.(ii 0 ) Let T be a tableau for S, B a branch ofT ending with L, L 1 _ _L r aninstance of C 2 S. IfL, L i (where i 2f1;:::;rg) are uniable with MGU andthe tree T 0 is constructed by extending B with r new subtrees, where the nodes ofthe new subtrees are L i , then T 0 is a connection tableau for S. This is called anextension step.Closures of open branches are unchanged and called reduction step. It is importantto note that while clause tableaux are independent of select clause, connectiontableaux are not:Proposition 4.1. Ground connection tableaux are not proof conuent.Proof. Consider S = fp; :p; qg and let q be the initial clause. It impossible tomake any further extension step, although S is clearly unsatisable. (Examplesindependent of the initial clause can be found in [35].)4.3.2. Weak ConnectionsThe extension rule (ii 0 ) of connection tableaux has a natural weakening:(ii 00 ) Let T be a tableau for S, B a branch ofT containing L, L 1 _ _L r aninstance of C 2 S. IfL, L i (where i 2f1;:::;rg) are uniable with MGU andthe tree T 0 is constructed by extending B with r new subtrees, where the nodes ofthe new subtrees are L i , then T 0 is a clause tableau for S. (This is called a weaklyconnected extension step.)Let us call the resulting calculus weak connection tableaux.Denition 4.4. A clause set is minimally unsatisable (mu) when it is unsatisableand each of its proper subsets is satisable. A clause is relevant in S when itis contained in a mu subset of S.It can be shown that weak connection tableaux are proof conuent provided thatselect clause is implemented in a fair manner and the initial clause is relevant.Unfortunately, testing for membership in a mu set is as expensive as testing unsatisabilityitself. This limits the usefulness of weak connection tableaux in practice,but in Section 4.5 a slight relaxation will build the basis of a whole class of interestingcalculi which are proof conuent regardless of the initial clause.
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 23<strong>Theorem</strong> 4.4. If the nite ground clause set S is unsatisable, then there isaregular connection tableau proof for S.Proof. We show by induction on the number k of literal occurrences in S: for anyrelevant non-unit clause C j 2 S, there is a closed regular connection tableau for Swhose initial step uses C j . When there is no such clause there must be a mu subsetof unit clauses in S; it is trivial to nd a regular connection tableau proof for sucha set.k 2f0; 1; 2g : either S is satisable or it contains only unit clauses or the emptyclause and the claim is trivially satised.k>2 : (see Figure 8) let C j = L 1 __L i __L n be a relevant non-unit clausein S and let T be the regular connection tableau resulting from an initial step withC j .For all i 2f1;:::;ng let S Li =(S ,fC j g) [fL i g. By Lemma 4.1.(i), C 0 j = L i iscontained in an mu subset S 0 i of S i. Hence, L i occurs in a clause C i of S 0 i . Moreover,S 0 i contains less literals than S.If C i is a unit clause, then the i-th branch ofT can be closed immediately, resultingin a regular connection tableau. Otherwise, applying the induction hypothesison C i and S 0 i yields a closed regular connection tableau T i for S i S 0 i , where therst extension step uses C i .By Lemma 4.1.(ii), L i occurs at most in C 0 j and is therefore only used in unitextension steps in T i (highlighted by boldface type in the gure). As shown in thegure, each T i is glued together with T at L i maintaining connectedness. In theresulting tableau irregularity can at most occur with the L i . But as L i occurs ontop of each T i (circled occurrence) the unit extension steps with L i simply can bereplaced by reduction steps with the circled occurrence of L i .AsS i ,fCjgS,0the result is a regular connection tableau for S.4.5. Orderings and Selection Functions4.5.1. Redundancy and Saturation in <strong>Tableau</strong>xLet us take up the theme expressed in the regularity restriction, namely to avoidredundancy in tableau proofs.Any open branch B in a ground clause tableau T for S, or equivalently, anyconsistent set of ground literals B denes an interpretation I B on S via I B j= L iL 2 B. A natural notion of redundancy then would be the following: Clause C 2 S isredundant onB when I B j= C. The idea is that tableaux being a refutation calculusit is not interesting to use clauses that are already modelled by branch B. Suchclauses are not used in extension steps. Irregular extension steps and tautologousclauses are redundant in this sense, but a stronger notion of redundancy is desirable.Denition 4.6. An open clause tableau branch B has a saturation wrt S i it hasan extension B B such that I Bj= S.It is, of course, not realistic to consider all possible extensions of a branch (theempty branch, for example, always has a saturation when S is satisable), so we
24 Reiner Hahnle8S> :C1. .Cj = L1 __Li __Ln. ..CmSLi8> :C1. .C 0 j = L i. ..C i = _Li _. .CmtrueL1 LitrueLiLi Lnwith C iLitrueL1 Li LnLiLi Li Figure 8. Illustration of the proof of <strong>Theorem</strong> 4.4.
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 25check only one of them to guide tableau extension. Informally, we will considerextensions of B that contain literals from all clauses of S not yet satised by I B .4.5.2. <strong>Tableau</strong>x with Selection FunctionLet f be a selection function on clauses: a function mapping each clause into a(possibly empty) subset of its literals.I BfB f = B [ff(C) j C 2 S; I B 6j= Cg (4.2)If B f is consistent and all clauses with no selected literals were used on B, thenj= S by construction and proof search can be stopped here. In general, however,B f does not induce an interpretation, because it may contain complementaryliterals. In this case, one of the clauses not yet satised by I B is selected for extensionwhose selected literal(s) contribute to a contradiction in B f .Formally, letf(C) denote the set of complements of literals selected by f in C. Then extensionsteps (Denition 4.1.(ii)) are restricted to clauses infC j C 2 S; I B 6j= C and (f(C) \ B f 6= ; or f(C) =;)g (4.3)By denition, if L 2 f(C) \ B f , either L 2 B or L 2 f(D) for some clauseD 2 S. In the rst case the extension is a weak connection step in the sense of(ii 00 ) on page 21. The second case and when no literal is selected is called a restartstep (and C a restart clause) to emphasize that the tableau proof bears no directconnection with the current branch. The rst clause used in a tabelau is always arestart step. No new restart clauses are added once f is xed, they can be computedin advance.Example 4.4. Consider the clause set S = f:q _:s; :r _ s; p_ q _ r; :pg inwhich the lexicographically largest literal is selected (these are underlined). Initially,B = ftrueg and B f = f:s; s; r; :pg. The rst two clauses are the only restartclauses of which the rst is selected (see Figure 9). Branch B = f:qg impliesB f = B [fs; r; :pg which models S. On the other branch B = f:sg one hasB f = B [fs; r; :pg, so an extension step (the only one) with the second clause ispossible. The only open branch isnow B = f:s; :rg with B f = B [fr; :pg andonly extension with the third clause is allowed. The rst open branch, f:s; :r;pgis closed by a further extension while the last open branch B = f:s; :r;qg yieldsB f = B [f:pg and thus the second model of S.<strong>Theorem</strong> 4.5. If the nite ground clause set S is unsatisable, then for any selectionfunction f there is a tableau proof with selection function f for S.Proof. Assume there is a tableau with selection function f and an open branchB in which all possible extension steps were made. As S is nite, B is nite as
26 Reiner Hahnletrue:q:sB f =B[fs;r;:pg:rs,p qB:pf =, B[f:pgr,Figure 9. <strong>Tableau</strong> with selection function.well. We claim that B f is consistent from which B f j= S follows by construction(in particular, all clauses with no selected literal are satised). If B f is inconsistentthere is a literal L 2ff(C) j C 2 S; I B 6j= Cg such that L occurs (I) in B or (II)in f(D) for some clause D not yet satised by B. In case (I) a weakly connectedextension step is possible on B in case (II) a restart step is admissible. Either way,the assumption that all possible extension steps were made on B is contradicted.The proof is independent of the sequence of extension steps chosen, so tableauxwith selection function are proof conuent. Moreover, a slight generalization of theproof shows that completeness is retained even when f is changed during tableauconstruction.4.5.3. Related CalculiAnumber of recently suggested restrictions of clause tableaux can be consideredas special cases of tableaux with selection function, for example, ordered tableaux[32, 25].Denition 4.7. Aground atom (A-)ordering is a binary relation < on atomswhich is irreexive and transitive.A-orderings give a complete tableau restriction which can be expressed via selectionfunctions as follows: simply use f < (C) =fL j L maximal in C wrt 0 gives the version of tableaux with selection function discussed in[27]. On the other hand, [46] show that tableaux with selection functions can bemodied to accomodate strongly connected extension steps.
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 274.5.4. First-Order IssuesLifting is straightforward for tableaux with selection function f provided that f lifts.Call f stable wrt substitutions if f(C) f(C) for all clauses C and substitutions. For A-orderings this translates into the requirement p
28 Reiner Hahnle<strong>Theorem</strong> 4.6. If the nite ground clause set S is unsatisable, then for any consistentselection function f there isahyper tableau proof with selection function ffor S.Proof. The proof is very similar to the proof of <strong>Theorem</strong> 4.5. Consider a maximal,open branch B in a hyper tableau for S and B f . B f , B is consistent, because f isconsistent, so when B f is inconsistent there are literals L 2ff(C) j C 2 S; I B 6j= Cgsuch that L occurs in B. Obtain B 0 by removing all such literals from B f .NowB 0 is consistent and we claim I B0 j= S. By construction B 0 B, so it suces toprove I B0 j= C for clauses C not used on B (this implies jf(C)j > 0). This holds,because at least one literal in f(C) is still present inB 0 , otherwise f(C) B andahyper extension step is possible with C on B contradicting the assumption thatall possible extension steps were made on B.4.6.1. Positive Hyper <strong>Tableau</strong>xMany hyper tableau calculi focus on one specic selection function f N which selectsexactly the negative literals in a clause. This suggests a notation of clauses as rulesof the formp 1 ;:::;p n ! q 1 ;:::;q m (4.5)where p i , q j are atoms. All literals in the premiss are selected. The ensuing calculiare called positive hyper tableaux, because negative literals occur only as leaves ofclosed branches in a hyper tableau with f N . Therefore, reduction steps cannot occurand are not required. It is also easy to see that a maximal open branch B has asaturation B 0 = B [f:p j p 2 (A,B)g.4.6.2. First-Order IssuesAs before, selection functions should be liftable. On the rst-order level for a hyperextension step of branch B with clause C, a set B 0 B as well as a simultaneousMGU of ffL; L 0 gjL 2 B 0 ;L 0 2 f(C)g must be computed. This is easily seento be an instance of the rst-order clause subsumption problem which is NP-hard[20]. This complexity is implicitly present in proof search without hyper steps aswell, although on a dierent level. It certainly does not indicate inferiority ofhypertableaux.A more interesting question is: how is dealt with completeness problems arisingfrom diculty of fair substitution selection in destructive calculi? For positivehypertableaux, several strategies can be found in the literature:The rst option is to x a heuristics for formula selection and trade incompletenessfor success in certain problem domains [13, 54]. Another form of incompleteness(in expressivity) ensues from restriction to range-restricted sets of clauses:Denition 4.8. A rst-order clause of the form (4.5) is range-restricted when allvariables occurring in the premiss occur also in the conclusion.
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 29Observe that positive range-restricted clauses are ground. If S is range-restricted,then a positive hyper tableau for S is ground. As an immediate consequence, fairselection of clauses used in extension steps yields a proof conuent calculus of whichecient implementations were realized [41, 19, 29, 28].Let us call variables occurring in more than one literal of the conclusion andnot in the premiss critical. In [4] ground instances of clauses restricted to criticalvariables are enumerated to obtain a proof conuent calculus which is somewhatbetter than enumerating all ground instances.Baumgartner [2] improves on that: like in the range-restricted case, a tableauis treated as if it were ground: substitutions are only applied to instances of inputclauses (matching). If an instance L (with critical variables) of a literal occurrenceL on a tableau branch is required, then is applied to an instance of the clausecontaining L and the result is added to the input clause set. The latter possibilityregains completeness. Needless to say, lifting is not trivial in such a calculus.This version of rst-order hyper tableaux is not destructive as only input clausesare instantiated. The destructive part of the substitution of the closure rule isrecorded \outside" of the tableau as additional instances of input clauses. They canbe arranged in a fair manner easily. This can also be seen as a kind of constrainton substitutions to guide the proof search.In principle, a proof conuent, destructive calculus could be obtained if one couldcompile these \outside" clauses (and their fair selection) into the selection rule.Consequences for such a calculus would be: (i) clause selection is probably notdened branch-local, because \outside" clauses touch on several branches; (ii) oneneeds to work up to renamability of clauses; (iii) a suitable ordering might be usedto enumerate required instances of literals fairly. All three ingredients are actuallycontained in a very recent suggestion for a proof conuent destructive calculus byBeckert [5].4.7. <strong>Tableau</strong>x with Cuts and LemmasSo far we discussed restrictions of tableau calculi aimed at diminishing the searchspace. Some problems, however, have extremely long tableau proofs. Already onthe ground level there exist classes of formulas S n such that the smallest tableauproof is exponential in the size of S n whereas short resolution proofs exist [14].The reason is that resolution incorporates an analytic cut rule or (and this is justanother name) lemma generation.Example 4.5. Let fp 1 ;:::;p n g be dierent ground atoms. Consider the clause setS n = fL 1 __L n j L i 2fp i ; :p i g;i2f1;:::;ngg (4.6)Obviously, S n is unsatisable. D'Agostino [15] proved that the smallest closedclause tableau for S n has at least n! inner nodes, whereas S n contains merely n2 nliterals. Even simple truth table checking has linear cost in the size of S n .
30 Reiner HahnleNow consider the clause set T n = fp i _:p i j i 2f1;:::;ngg. S n [ T n has ashort proof (displayed for n = 3 in Figure 10). The point is that the tautologiesin T n can be used to enumerate all interpretations over fp 1 ;:::;p n g. Then eachclause in S n is contradicted by exactly one interpretation. The resulting tableauhas n2 n +2 n+1 , 1 2O(jS n [ T n j) nodes.truep 1:p 1p 2:p 2p 3:p 3 p 3 :p 3 :p 1 :p 2 :p 3 :p 1 :p 2 p 3p 3p 2:p 3p 3:p 2:p 3p 1 p 2 p 3Figure 10. Clause tableau proof for S3 [ T3.The eect of the clauses T n can also be achieved by adding a new tableau extensionrulep :p(4.7)called atomic cut rule. It is closely related the well-known cut rule part of sequentcalculi [21].4.7.1. <strong>Tableau</strong>x and Sequent CalculiA propositional clausal sequent is an expression of the form , ) , where , isaVtuple of clauses and is a tuple of atoms. , ) isvalid i the formulaG2, G ! W D2D is valid. Hence, a clause set S is unsatisable if the sequentS ) is valid. The propositional clausal sequent calculus consists of only three rules:,;L 1 ; , 0 ) ,;L n ; , 0 ) ,;L 1 __L n ; , 0 _ -left) ,; , 0 (4.8)) P; ,; :P; , 0 ) :-left ,;P;, 0 ) ;P; 0 axiomIt is straightforward to show that a sequent isvalid i it has a proof tree in whichall leaves are marked with a . Moreover, there is a strong duality between clausetableaux and clausal sequent calculi, summarized in Table 3. 77 This duality extends to the non-clausal and rst-order case, see [58].
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 31Clausal SequentsAxiom rule_-left ruleAtoms/unit clauses left of )Atoms right of)sequent proofs interpreted as logicalconjunction of their endsequentssequents interpreted as logicaldisjunction of their elementsValidity proofDuality between sequent and tableau calculi.Clause <strong>Tableau</strong>xClosed branch<strong>Tableau</strong> extensionpositive branch literalsnegative branch literalstableaux interpreted as logicaldisjunction of their branchesbranches interpreted as logicalconjunction of their literalsUnsatisability proofTable 3While literal occurrences can be shared among several tableau branches, theyare duplicated in sequents. In the light of this and the duality between sequent andtableau proofs, rule (4.7) is exactly the same as the usual cut rule of sequent calculi,where the cut formula is restricted to atomic formulas:,; , 0 ) ;; 0 ,;;, 0 ) ; 0,; , 0 ) ; 0 (4.9)4.7.2. <strong>Tableau</strong>x with LemmasThe main problem of the atomic cule (4.7) is that its application is completelyunrestricted. A rst restriction is obtained by allowing its application only if thefollowing extension rule constitutes a strong connection step:.L iL iL 1 L i L nThis way no more branches are generated if one had applied the extension stepimmediately. On the other hand, in n,1 of the new branches the literal L i is present.Applying n,1 atomic cuts before an extension step and writing the resulting proof
32 Reiner Hahnletree as a \macro rule" yields the extension rule with local lemmas:L 1 L 1 L 1 L 1L 2 L 2 L 2L 3 L 3..L 1 __L n 2 S (4.10). .. Ln,1The complemented literals are called local lemmas: for example, L i is obtainedas a lemma after the current branch B is closed with the help of L i . (Recall thatclosed branches are unsatisable, so this amounts to B j= L i .) The lemma is localto certain branches as opposed to being global (on the whole tableau).4.7.3. <strong>Tableau</strong>x with Folding UpDepending on the sequence of branch closures, there are n! dierent local lemmaversions of an extension with an n-literal clause. Not all of these are equally useful.To remedy this situation, a version of local lemma generation called folding up rulehas been suggested. It can be seen as \lazy lemma generation".Example 4.6. Consider the clause set S = fp _ t; p _:t; :p _ q _ s; :q _ r; :r _:p; :s_rg and the partial tableau proof for S displayed in Figure 11. After closureof branch B = fp; q; r; :pg one knows that S [fp; qg j= :r. This lemma is useless,though, because branch fp; q; r; :rg to the left is closed anyway. But inspection ofthe proof obtained so far shows that in fact S [fpgj= :r holds, because q was notused to close B.truep:p q:r:q r:r :ps:s rtp :tFigure 11. Illustration of Example ex:fold-up.In clause tableaux with folding up rule each local lemma maybemoved up in thetableau until the lowest literal that was used in its proof [35, 34] and it can be usedto close any branch below its new position.
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 33With the folding up rule, in the previous example lemma :r may bemoved upto p and lemma :p from the right subtree is moved up to true (the latter is alsopossible with a suitable variant of the local lemma rule). In Figure 12 new lemmapositions are boxed, moves are indicated by dashed arrows, while additional closuresthrough new lemmas are indicated by solid arrows.:rptrue:pt:pqsp :t:q r:s r:r :pFigure 12. <strong>Tableau</strong> with folding up rule.One can show that folding up does not change the indeterministic power oftableau with local lemmas that is the length of shortest proofs does not change.In a deterministic implementation folding up can nevertheless be very benecial,because an ill choice of select clause can be remedied.4.7.4. <strong>Tableau</strong>x with Factoring<strong>Tableau</strong>x with factoring (also called tableaux with merging) are closely related tothe subsumption rule in resolution theorem proving [52]. Assume branch B is notyet closed, but there is a \more general" branch B 0 that has been closed already.Formally, a branch B 0 is more general than a branch B i B 0 B. Instead oftrying to close B, one may simply refer to B 0 then, apply to B and consider itas closed. Soundness of tableaux with factoring is straightforward to prove; on theother hand it is sucient to observe that tableaux with factoring can be simulatedby tableaux with local lemmas: assume B was closed by referring to a more generalbranch B 0 and that L is the top-most literal on B 0 not on B. Now replace theextension rule that produced L with a local lemma version putting L on B. AsB 0 is more general than B, there must be L 0 2 B and substitution such thatL 0 = L, soB can be closed with .An improvement of tableaux with factoring called tableaux with regressive mergingwas introduced in [63] and is essentially the same as tableaux with the foldingup rule; details can be found in [62].4.7.5. Problems of Strengthening <strong>Tableau</strong>xStrengthening of tableau procedures at rst seems a sure win, because length ofproofs can be drastically reduced. On the propositional level this holds without
34 Reiner Hahnlereservation and it can safely be claimed that any competitive propositional proofprocedure embodies some variant of cut. On the rst-order level, however, additionalliterals introduced as cuts or lemmas create additional possibilities for branch closure.The negative eects from this increase of the search space can easily outweighthe possibility of nding shorter proofs.Example 4.7. Let S = f:p(x)_q(x)_r(x); p(a); :q(a); p(b); :q(b); :r(b)g. In thepartial connection tableau in Figure 13 the left branch was closed rst by extensionwith p(a) (where only p(b) leads to success). This forces extension with q(a) in themiddle branch and generation of some lemmas (framed literals). The lemmas allowto extend the right branch with another instance of the rst clause which wouldhave been impossible without them. Detection of the wrong rst extension is thuspossibly delayed a long time.In the example, a regularity check would help (r(a) becomes irregular on therightmost branch) and also restriction of lemma usage to reduction steps. Althoughthis helps somewhat, more complex examples create the same problems as before.true:p(x)q(x)r(x)p(a)p(x)p(x)fx=ag:q(a)id:p(y)fy=xg:q(x)q(y)idr(y).Figure 13. Search space increase caused by local lemmas.On the other hand, local lemmas are not strong enough on the rst-order level.In the clause tableau in Figure 5, for example, the lemma :q(c) can be folded upto the true node, but is useless to close the open branch on the right, because adierent instance is required. But in fact it is justied to derive even (8x):q(x)as a lemma. This is always possible when the proof of (that is: the tableau below)the lemma does not instantiate any variables that occur outside of it. It remains tobe seen whether such an optimization can be eciently implemented and does notblow up the search space beyond any usefulness.4.8. <strong>Tableau</strong>x and Logic ProgrammingSome calculi for extensions of logic programs have a natural interpretation as variantsof clause tableaux. This includes [47, 48, 40, 51, 3]. Their treatment isbeyond
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 35the scope of this course.5. Historical RemarksDespite their recent ourishing, the history of tableau methods is much older thanthat of resolution. They can be traced back to the cut-free version of Gentzen'ssequent calculus [21]. Hintikka [30] and Beth [10] abstracted from structural rules insequent calculi (essentially treating sequents as sets of formulas), improved the proofrepresentation, and introduced signed formulas. They also stressed the semanticview of tableaux as a procedure that tries systematically to nd a counter examplefor a given formula (a model in which its negation is true) as opposed to Gentzen'spurely proof theoretical motivation. 8 Further improvements were made by Schutte[53]; Smullyan's elegant formulation [58], employing unifying notation which greatlysimplied matters, became very popular while similar contributions by Lis [37]unfortunately went unnoticed.Many important improvements directed to automated proof search in sequent/tableau/modelelimination calculi were made quite early: free variables[31, 50], unication [38, 11, 1], proof representation and connection renements[17, 11, 1].The relative success of resolution-based theorem proving, however, eclipsed thisprogress and serious implementations of tableau-like calculi are spurious before thelate 1980s [13, 44].In the last decade tableau-like calculi became focal points of research again,spurred by the success of ecient implementations and the demand for a computationaltreatment of non-classical logics. The tableau community gathers in aninternational conference, 9 where many of the relevant results are now published.The Handbook of <strong>Tableau</strong> Methods [16] contains extensive and fairly up-to-dateinformation, not only with respect to automated reasoning.References[1] Peter B. Andrews. <strong>Theorem</strong> proving through general matings. JACM, 28:193{214, 1981.[2] Peter Baumgartner. Hyper <strong>Tableau</strong>x | The Next Generation. In Harrie de Swart, editor,Proc. International Conference onAutomated Reasoning with Analytic <strong>Tableau</strong>x and RelatedMethods, Oosterwijk, The Netherlands, number 1397 in LNCS, pages 60{76. Springer-Verlag,1998.[3] Peter Baumgartner and Uli Furbach. Model Elimination without Contrapositives and itsApplication to PTTP. Journal of Automated Reasoning, 13:339{359, 1994.[4] Peter Baumgartner, Ulrich Furbach, and Ilkka Niemela. Hyper tableaux. Technical Report8/96, Institute for Computer Science, University of Koblenz, Germany, 1996. http://www.unikoblenz.de/universitaet/fb4/publications/GelbeReihe/RR-8-96.ps.gz.8 The proof theoretic tradition is very much alive today as witnessed, for example, by Girard'swork [22], but it is not really relevant for automated deduction.9 http://www.cs.albany.edu/ nvm/tab99/
36 Reiner Hahnle[5] Bernhard Beckert. Integrating and Unifying Methods of <strong>Tableau</strong>-based <strong>Theorem</strong> <strong>Proving</strong>. PhDthesis, University of Karlsruhe, Department of Computer Science, July 1998.[6] Bernhard Beckert and Rajeev Gore. Free variable tableaux for propositional modal logics.In Proc. International Conference on <strong>Theorem</strong> <strong>Proving</strong> with Analytic <strong>Tableau</strong>x and RelatedMethods, Pont-a-Mousson, France, volume 1227 of LNCS, pages 91{106. Springer-Verlag,1997.[7] Bernhard Beckert and Reiner Hahnle. Analytic tableaux. In W. Bibel and P. Schmitt, editors,Automated Deduction: A Basis for Applications, volume I, chapter 1. Kluwer, 1998. Toappear.[8] Bernhard Beckert and Joachim Posegga. leanT A P : Lean tableau-based deduction. Journal ofAutomated Reasoning, 15(3):339{358, 1995.[9] Karel Berka and Lothar Kreiser, editors. Logik-Texte. Kommentierte Auswahl zur Geschichteder modernen Logik. Akademie-Verlag, Berlin, 1986.[10] Evert W. Beth. Semantic entailment and formal derivability. Mededelingen van de KoninklijkeNederlandse Akademie van Wetenschappen, Afdeling Letterkunde, N.R., 18(13):309{342,1955. Partially reprinted in [9].[11] Wolfgang Bibel. Tautology testing with a generalized matrix method. Theoretical ComputerScience, 8:31{44, 1979.[12] Wolfgang Bibel. Automated <strong>Theorem</strong> <strong>Proving</strong>. Vieweg, Braunschweig, second revised edition,1987.[13] Frank Malloy Brown. Towards the automation of set theory and its logic. Articial Intelligence,10(3):281{316, 1978.[14] Stephen Cook and Robert Reckhow. The relative eciency of propositional proof systems.Journal of Symbolic Logic, 44:36, 1979.[15] Marcello D'Agostino. Are tableaux an improvement on truth tables? Cut-free proofs andbivalence. Journal of Logic, Language and Information, 1:235{252, 1992.[16] Marcello D'Agostino, Dov Gabbay, Reiner Hahnle, and Joachim Posegga, editors. Handbookof <strong>Tableau</strong> Methods. Kluwer, Dordrecht, to appear in 1998.[17] Gennady V. Davydov. Synthesis of the resolution method with the inverse method. Journalof Soviet Mathematics, 1:12{18, 1973. Translated from Zapiski Nauchnykh SeminarovLeningradskogo Otdeleniya Mathematicheskogo Instituta im. V. A. Steklova Akademii NaukSSSR, vol. 20, pp. 24{35, 1971.[18] Melvin C. Fitting. First-Order Logic and Automated <strong>Theorem</strong> <strong>Proving</strong>. Springer-Verlag, NewYork, second edition, 1996.[19] Hiroshi Fujita and Ryuzo Hasegawa. A model generation theorem prover in KL1 using aramied-stack algorithm. In Koichi Furukawa, editor, Proceedings 8th International ConferenceonLogic Programming, Paris/France, pages 535{548. MIT Press, 1991.[20] M. R. Garey and D. S. Johnson. Computers and Intractability. Freeman, San Francisco, 1979.[21] Gerhard Gentzen. Untersuchungen uber das Logische Schliessen. Mathematische Zeitschrift,39:176{210, 405{431, 1935. English translation [61].[22] Jean-Yves Girard. Linear logic. Theoretical Computer Science, 50:1{102, 1987.[23] Christian Goller, Reinhold Letz, Klaus Mayr, and Johann Schumann. SETHEO V3.2: recentdevelopments. In Alan Bundy, editor, Proc. 12th Conference onAutomated Deduction CADE,Nancy/France, LNAI 814, pages 778{782. Springer-Verlag, 1994.[24] Reiner Hahnle and Gonzalo Escalada-Imaz. Deduction in many-valued logics: a survey. Mathware& Soft Computing, IV(2):69{97, 1997.[25] Reiner Hahnle and Stefan Klingenbeck. A-ordered tableaux. Journal of Logic and Computation,6(6):819{834, 1996.[26] Reiner Hahnle, Neil Murray, and Erik Rosenthal. Completeness for linear regular negationnormal form inference systems. In Zbigniew W. Ras and Andrzej Skowron, editors, Foundationsof Intelligent Systems, 10th International Symposium, ISMIS'97, Charlotte, NorthCarolina, USA, number 1325 in LNCS, pages 590{599. Springer-Verlag, 1997.[27] Reiner Hahnle and Christian Pape. Ordered tableaux: Extensions and applications. In Didier
<strong>Tableau</strong>-<strong>Based</strong> <strong>Theorem</strong> <strong>Proving</strong> 37Galmiche, editor, Proc. International Conference on Automated Reasoning with Analytic<strong>Tableau</strong>x and Related Methods, Pont-a-Mousson, France, volume 1227 of LNCS, pages 173{187. Springer-Verlag, 1997.[28] Ryuzo Hasegawa, Hiroshi Fujita, and Miyuki Koshimura. MGTP: a model generation theoremprover|its advanced features and applications. In Didier Galmiche, editor, Proc. InternationalConference onAutomated Reasoning with Analytic <strong>Tableau</strong>x and Related Methods,Pont-a-Mousson, France, volume 1227 of LNCS, pages 1{15. Springer-Verlag, 1997.[29] Ryuzo Hasegawa, Miyuki Koshimura, and Hiroshi Fujita. MGTP: A parallel theorem proverbased on lazy model generation. In Deepak Kapur, editor, Proc. 11 th International ConferenceonAutomated Deduction, LNAI 607, pages 776{780. Springer-Verlag, 1992.[30] K. J. J. Hintikka. Form and content in quantication theory. Acta Philosohica Fennica, 8:7{55, 1955.[31] Stig Kanger. Provability in Logic, volume 1 of Acta Universitatis Stockholmiensis. Almqvist& Wiksell, Stockholm, 1957.[32] Stefan Klingenbeck and Reiner Hahnle. Semantic tableaux with ordering restrictions. In AlanBundy, editor, Proc. 12th Conference onAutomated Deduction CADE, Nancy/France, volume814 of LNCS, pages 708{722. Springer-Verlag, 1994.[33] R. E. Korf. Depth-rst iterative deepening: an optimal admissible tree search. Articial Intelligence,27:97{109, 1985.[34] R. Letz, K. Mayr, and C. Goller. Controlled integration of the cut rule into connection tableaucalculi. Journal of Automated Reasoning,, 13(3):297{338, December 1994.[35] Reinhold Letz. First-Order Calculi and Proof Procedures for Automated Deduction. PhDthesis, TH Darmstadt, June 1993.[36] Reinhold Letz, Johann Schumann, Stephan Bayerl, and Wolfgang Bibel. SETHEO: A highperfomancetheorem prover. Journal of Automated Reasoning, 8(2):183{212, 1992.[37] Z. Lis. Wynikanie semantyczne a wynikanie formalne (logical consequence, semantic andformal. Studia Logica, 10:39{60, 1960. Polish, with Russian and English abstracts.[38] Donald W. Loveland. A simplied format for the model elimination procedure. Journal ofthe ACM, 16(3):233{248, July 1969.[39] Donald W. Loveland. Automated <strong>Theorem</strong> <strong>Proving</strong>. A Logical Basis,volume 6 of FundamentalStudies in Computer Science. North-Holland, 1978.[40] Donald W. Loveland. Near-Horn Prolog and beyond. Journal of Automated Reasoning, 7:1{26, 1991.[41] Rainer Manthey and Francois Bry. SATCHMO: A theorem prover implemented in Prolog.In Proceedings 9th Conference onAutomated Deduction, LNCS, New York, pages 415{434.Springer-Verlag, 1988.[42] Max Moser, Ortrun Ibens, Reinhold Letz, Joachim Steinbach, Christoph Goller, Johann Schumann,and Klaus Mayr. SETHEO and E-SETHEO|the CADE-13 systems. Journal of AutomatedReasoning, 18(2):237{246, April 1997.[43] Andreas Nonnengart, Georg Rock, and Christoph Weidenbach. On generating small clausenormal forms. In Helene Kirchner and Claude Kirchner, editors, Proc. 15th InternationalConference onAutomated Deduction, Lindau, Germany, number 1421 in LNCS, pages 397{411. Springer-Verlag, 1998.[44] F. Oppacher and E. Suen. Controlling deduction with proof condensation and heuristics.In Jorg H. Siekmann, editor, Proc. 8th International Conference onAutomated Deduction,pages 384{393, 1986.[45] Christian Pape. Vergleich und Analyse von Ordnungseinschrankungen fur freie Variablen<strong>Tableau</strong>. (In German). Interner Bericht 30/96, Universitat Karlsruhe, Fakultat fur Informatik,1996.[46] Christian Pape and Reiner Hahnle. Restart tableaux with selection function. In Georg Gottlob,Alexander Leitsch, and Daniele Mundici, editors, Fifth Kurt-Godel-Colloquium, KGC'97,Vienna, volume 1289 of LNCS, pages 219{232. Springer-Verlag, 1997.[47] David A. Plaisted. Non-Horn clause logic programming without contrapositives. Journal of
38 Reiner HahnleAutomated Reasoning, 4:287{325, 1988.[48] David A. Plaisted. A sequent-style model elimination strategy and a positive renement.Journal of Automated Reasoning, 6:389{402, 1990.[49] David A. Plaisted and Steven Greenbaum. A structure-preserving clause form translation.Journal of Symbolic Computation, 2:293{304, 1986.[50] Dag Prawitz. An improved proof procedure. Theoria, 26:102{139, 1960. Reprinted in [55].[51] David W. Reed and Donald W. Loveland. A comparison of three prolog extensions. Journalof Logic Programming, 12:25{50, 1992.[52] J. A. Robinson. A machine-oriented logic based on the resolution principle. JACM, 12(1):23{41, January 1965. Reprinted in [55].[53] Kurt Schutte. Beweistheorie, volume 103 of Die Grundlehren der mathematischen Wissenschaftenin Einzeldarstellungen mit besonderer Berucksichtigung der Anwendungsgebiete.Springer-Verlag, 1960.[54] Benjamin Shults. A framework for using knowledge in tableau proofs. In Didier Galmiche,editor, Proc. International Conference onAutomated Reasoning with Analytic <strong>Tableau</strong>x andRelated Methods, Pont-a-Mousson, France, volume 1227 of LNCS, pages 328{342. Springer-Verlag, 1997.[55] Jorg Siekmann and Graham Wrightson, editors. Automation of Reasoning: Classical Papersin Computational Logic 1957{1966, volume 1. Springer-Verlag, 1983.[56] Jorg Siekmann and Graham Wrightson, editors. Automation of Reasoning: Classical Papersin Computational Logic 1967{1970, volume 2. Springer-Verlag, 1983.[57] James R. Slagle. Automatic theorem proving with renamable and semantic resolution. Journalof the ACM, 14(4):687{697, 1967. Reprinted in [56].[58] Raymond M. Smullyan. First-Order Logic. Dover Publications, New York, second correctededition, 1995. First published 1968 by Springer-Verlag.[59] Mark E. Stickel. A Prolog technology theorem prover: A new exposition and implementationin Prolog. Theoretical Computer Science, 104(1):109{129, 1992.[60] Geo Sutclie and Christian Suttner. The results|of the CADE-13 ATP system competition.Journal of Automated Reasoning, 18(2):271{286, April 1997.[61] M. E. Szabo, editor. The Collected Papers of Gerhard Gentzen. North-Holland, Amsterdam,1969.[62] Kevin Wallace. Proof Truncation Techniques in Model Elimination <strong>Tableau</strong>x. PhD thesis,University of Newcastle, Australia, December 1994.[63] Kevin Wallace and Graham Wrightson. Regressive merging in model elimination tableaubasedtheorem provers. Journal of the Interest Group in Pure and Applied Logics, 3(6):921{938, October 1995. Special Issue: Selected Papers from <strong>Tableau</strong>x'94.
Change language