SAT-based finite model generation for higher-order logic [Electronic resource] / Tjark Weber
155 pages, English. Published 01 January 2008. Document size 1 MB.

SAT-based Finite Model Generation for Higher-Order Logic

Tjark Weber

Lehrstuhl für Software & Systems Engineering
Institut für Informatik
Technische Universität München

Complete reprint of the dissertation approved by the Fakultät für Informatik of the Technische Universität München for the award of the academic degree of Doktor der Naturwissenschaften (Dr. rer. nat.).

Chair: Univ.-Prof. F. J. Esparza Estaun
Examiners of the dissertation: 1. Univ.-Prof. T. Nipkow, Ph.D.
2. Univ.-Prof. Dr. H. Veith, Technische Universität Darmstadt

The dissertation was submitted to the Technische Universität München on 30 April 2008 and accepted by the Fakultät für Informatik on 30 September 2008.

Kurzfassung (German Abstract)

This thesis presents two extensions to the theorem prover Isabelle/HOL, a system based on higher-order logic.

The main contribution is a model generator for higher-order logic that translates its input formula into propositional logic, so that a standard SAT solver can be used for the actual model search. The correctness of the translation is shown. The model generator has been integrated into the Isabelle system, supports various definitional mechanisms as they are available in Isabelle/HOL, and has been applied to several case studies.

Furthermore, SAT solvers have been integrated with Isabelle: propositional tautologies can be proved by a proof-generating SAT solver, and the resolution proof found by the solver is verified by Isabelle. A favourable representation of the problem allows the verification of proofs with several million resolution steps.

Abstract

This thesis presents two extensions to the theorem prover Isabelle/HOL, a logical framework based on higher-order logic.

The main contribution is a model generator for higher-order logic that proceeds by translating the input formula to propositional logic, so that a standard SAT solver can be employed for the actual model search. The translation is proved correct. The model generator has been integrated with the Isabelle system, extended to support some of the definitional mechanisms provided by Isabelle/HOL, and applied to various case studies.

Moreover, SAT solvers have been integrated with Isabelle in a proof-producing fashion: propositional tautologies can be proved by the SAT solver, and the resolution proof found by the solver is verified by Isabelle. An adequate representation of the problem allows to verify proofs with millions of resolution steps.

Acknowledgements

I would like to thank Tobias Nipkow, my supervisor, for his invaluable support, advice, and patience. The current and former members of his research group have contributed to a fruitful work environment: Clemens Ballarin, Gertrud Bauer, Stefan Berghofer, Amine Chaieb, Florian Haftmann, Gerwin Klein, Farhad Mehta, Steven Obua, Norbert Schirmer, Sebastian Skalberg, Martin Strecker, Markus Wenzel, and Martin Wildmoser. I am particularly indebted to Lars Ebert and Marco Helmers for proof-reading my thesis, to Michael Fortleff for providing shelter, and to Nora for distracting me. I thank Helmut Veith for acting as a referee.

My thanks also go to Helmut Schwichtenberg, speaker of the "Graduiertenkolleg Logik in der Informatik", which provided both financial and intellectual support, and to the other members of the Graduiertenkolleg — in particular to Andreas Abel, Klaus Aehlig, Steffen Jost, and Ralph Matthes for inspiring discussions and more.

Many other people have influenced this thesis in one way or another. Among them are Reinhold Letz, Gernot Stenz, Jan Jürjens, and Manfred Broy from Technische Universität München, Martin Hofmann from Ludwig-Maximilians-Universität München, Hasan Amjad and Larry Paulson from the University of Cambridge, Sharad Malik and Zhaohui Fu from Princeton University, Pascal Fontaine, Stephan Merz, and Alwen Tiu from INRIA Lorraine, John Harrison from Intel Corporation, John Matthews from Galois, Inc., David Aspinall from the University of Edinburgh, Annabelle McIver from Macquarie University, and Moshe Vardi from Rice University.

Finally I would like to thank everyone who has played a part in making the past years in Munich a pleasant and successful time for me. Friends and family have been a steady source of encouragement.

Contents

1 Introduction  1
  1.1 Motivation  1
  1.2 Contributions  2
  1.3 Related Work  3
  1.4 Isabelle  4
  1.5 Overview  6

2 Finite Model Generation  7
  2.1 Introduction  7
  2.2 Higher-Order Logic  8
    2.2.1 Types  8
    2.2.2 Terms  11
    2.2.3 Satisfiability  14
  2.3 Translation to Propositional Logic  15
    2.3.1 Propositional Logic  15
    2.3.2 Interpretation of Types  16
    2.3.3 Interpretation of Terms  22
    2.3.4 Examples  40
  2.4 Model Generation  41
    2.4.1 Finding a Satisfying Assignment  41
    2.4.2 Type Environments and Type Models  42
    2.4.3 The Algorithm  43
    2.4.4 Building the HOL Model  45
  2.5 Conclusion  45

3 Extensions and Optimizations  47
  3.1 Introduction  47
  3.2 Optimizations  48
  3.3 Isabelle's Meta-Logic  52
  3.4 Type and Constant Definitions, Overloading  52
    3.4.1 Type Definitions  52
    3.4.2 Constant Definitions and Overloading  53
    3.4.3 Definite Description and Hilbert's Choice  54
  3.5 Axiomatic Type Classes  55
  3.6 Datatypes and Recursive Functions  56
    3.6.1 Non-Recursive Datatypes  57
    3.6.2 Recursive Datatypes  58
    3.6.3 Recursive Functions  64
  3.7 Sets and Records  67
  3.8 HOLCF  68
  3.9 Conclusion  69

4 Case Studies  71
  4.1 Introduction  71
  4.2 The RSA-PSS Security Protocol  72
    4.2.1 Abstract Protocol Formalization  72
    4.2.2 Avoiding Confusion  75
  4.3 Probabilistic Programs  77
    4.3.1 The Probabilistic Model LS  78
    4.3.2 The Abstract Model KS  86
    4.3.3 Mechanization of Counterexample Search  93
  4.4 A SAT-based Sudoku Solver  94
    4.4.1 Implementation in Isabelle/HOL  95
    4.4.2 Translation to Propositional Logic  96
  4.5 Conclusion  98

5 Integration of Proof-producing SAT Solvers  99
  5.1 Introduction  99
  5.2 Related Work  100
  5.3 System Description  101
    5.3.1 Preprocessing  101
    5.3.2 Proof Reconstruction  103
    5.3.3 Clause Representations  110
  5.4 Evaluation  112
  5.5 Persistent Theorems  115
  5.6 Conclusion  117

6 Conclusion  119
  6.1 Summary  119
  6.2 Future Work  120

Chapter 1

Introduction

1.1 Motivation

All men by nature desire to know.
Aristotle, 350 B.C.

Interactive theorem proving is about identifying false conjectures almost as much as it is about finding proofs for theorems. False conjectures may occur for a number of reasons. They can be caused by a trivial typographical error in a formalization, but also by a possibly subtle flaw in the design of a complex system. During interactive proof, false conjectures may be produced by proof strategies that can potentially render a goal unprovable, e.g. by dropping an essential premise.

False conjectures can be seen as intermediate stages of a validation. A true conjecture is often obtained from a sequence of false conjectures and their disproofs. Once identified, it is usually clear how a false conjecture needs to be fixed. Determining that a conjecture is false can however be a time-consuming process. Interactive theorem provers have been enhanced with numerous automatic proof procedures for various application domains over the past years, but failure of an automatic proof attempt is far from sufficient to conclude that a statement is false. It may just be that an additional lemma needs to be proved, or that an induction hypothesis needs to be generalized. The user typically gets little useful information about these reasons, and it may take hours (sometimes days even) of failed proof attempts before he realizes that the conjecture he is trying to prove was false to begin with. In such cases an automatic tool that can refute non-theorems could be highly useful.

One particularly illuminative way to identify a false conjecture is by providing a counterexample. More specifically, when the conjecture is a logical formula, a (counter-)example is given by a (counter-)model. A finite model generator is an automatic tool that attempts to find a finite model which satisfies (or, equivalently, refutes) a given formula. Finite model generation is an instance of the constraint satisfaction problem, with — apart from the generation of counterexamples — numerous applications in artificial intelligence [92], operations research [34], and finite mathematics [102, 175].
This thesis presents (in Chapters 2 and 3) a finite model generator for higher-order logic. A translation to propositional logic is employed and proved correct, so that a standard SAT solver can be used to search for a satisfying model. Such a model constitutes a counterexample to a false conjecture, which can be displayed to the user together with a suitable diagnostic message. This thesis is among the first to consider finite model generation in the context of interactive theorem proving; see Section 1.3 for a discussion of related work.

Interactive theorem provers can benefit from efficient SAT solvers in a second way. Many problems that occur in hardware or software verification can be encoded in propositional logic. The performance of an interactive theorem prover on propositional formulae can therefore be of great practical significance, and the use of SAT solvers for model generation naturally raises the question if they can be used for finding proofs as well. In Chapter 5 we give a positive answer by considering proof-generating SAT solvers, which output either a satisfying assignment for a propositional formula, or a resolution-style proof of unsatisfiability. Here the main challenge is to provide an efficient solution within the LCF-style framework that is underlying Isabelle [134], our theorem prover of choice. This framework ensures soundness of the prover by requiring that theorems are generated via a fixed set of simple functions only, which correspond to the inference rules of the prover's logic.

The next section (1.2) presents the contributions of this thesis. Section 1.3 discusses related work, and Section 1.4 gives some facts about the Isabelle system that are worth knowing. Section 1.5 contains a brief overview of the remaining chapters.

1.2 Contributions

The primary contribution of this thesis is a finite model generator for higher-order logic, integrated with the Isabelle system.

• This thesis presents in detail a translation from higher-order logic to propositional logic such that the resulting propositional formula is satisfiable if and only if the HOL formula has a model of a given finite size. A proof of the translation's correctness is given.

• Based on the above translation, a finite model generator for higher-order logic has been implemented in Standard ML [115] and tightly integrated with Isabelle. The model generator supports datatypes, recursive functions, type classes, records, and other features of Isabelle/HOL [125].

• The model generator has been applied to several case studies which, despite the discouraging theoretical complexity of the underlying algorithm, demonstrate its practical utility. For one of these case studies, an abstract model of probabilistic programs was developed that is susceptible to counterexample search via finite model generation.

The second major contribution is an LCF-style [61] integration of state-of-the-art SAT solvers with Isabelle/HOL. Propositional tautologies (or instances thereof) are proved by the SAT solver, and the resolution proof found by the solver is verified by Isabelle.

• The proof found by the SAT solver is translated into the inference rules provided by Isabelle's kernel. This is, to our knowledge, the first LCF-style integration of highly efficient SAT solvers with an interactive theorem prover.


• The SAT solver approach dramatically outperforms the automatic procedures that were previously available for propositional logic in Isabelle/HOL. It allows many formulae previously out of the scope of built-in tactics to be proved — or refuted — automatically, often within seconds.

• A highly optimized implementation is presented that allows proof reconstruction for propositional logic to scale quite well even on large SAT problems and proofs with millions of resolution steps. Our optimization techniques are applicable to other LCF-style theorem provers apart from Isabelle.

• A prototype implementation for persistent proofs is discussed. Proof objects are stored on disk and re-imported into the theorem prover later. This makes the verification of proof scripts that rely on external tools (such as a SAT solver, or a first-order prover) possible on systems where either the external tool or the proof object is available.

Chapter 6 contains a more detailed discussion of the contributions.

1.3 Related Work

The model generator presented in this thesis was originally inspired by the Alloy Analyzer [82], which is developed by the Software Design Group (headed by Daniel Jackson) at MIT. In contrast to the work presented here however, the Alloy Analyzer is based on first-order logic, uses its own input language (incidentally called Alloy), and — unlike the Isabelle system — has no support for theorem proving.

Various other finite model generators exist, although not many for higher-order logic. SAT solvers, which are still a very active research area (resulting in substantial performance improvements over the past years, see e.g. [178]), can be seen as model generators for propositional logic. Finite model generators for first-order logic are typically classified into MACE-style generators (named after McCune's tool MACE [103, 104]), which use a translation to propositional logic, and into SEM-style generators (named after Zhang's and Zhang's tool SEM [177]), which perform the model search directly on a set of first-order clauses. Paradox [41] and Kodkod [159] (the model generator that is used in the most recent version of the Alloy Analyzer) are MACE-style generators, while FINDER [149] and FMSET [21] are SEM-style generators, to name only a few. The model generator presented in this thesis can be classified as a MACE-style generator (albeit for higher-order logic).

Most existing model generators are stand-alone tools that are not in any way integrated with theorem provers. McCune's automated theorem prover Otter [105] and its successor Prover9 [106] are among the few systems that search for a proof and a countermodel. Both Otter and Prover9 are first-order logic provers; they employ the MACE generator for model search. Based on Otter and MACE, Colton and Pease have developed the TM system [43] for repairing non-theorems, which automatically alters false first-order conjectures to provable statements that are (in a certain sense) related to the conjecture. Earlier work that argues for an integration of first-order finite model generation and automated theorem proving includes [150], which considers a combination of Otter and FINDER. More recently, the Paradox model generator has been augmented by an automated first-order theorem prover called


Equinox [39]. We observe that theorem proving and model generation are increasingly seen as complementary activities. Kimba [92], by Konrad, is a model generator for a linguistically motivated fragment of higher-order logic, but with a slightly special syntax and semantics in order to avoid performance issues. MONA [89] implements an automaton-based decision procedure for the weak monadic second-order theory of one successor (WS1S) that is able to provide counterexamples for unprovable formulae. MONA has been integrated with an earlier version of Isabelle as a trusted oracle [17]. In [12], an abstraction from first-order logic to monadic second order logic is proposed that enables MONA to identify false first-order conjectures. Model checkers, e.g. SPIN [72] or UPPAAL [19], can typically provide counterexamples (in the form of execution traces) for unprovable temporal logic formulae, where the model however is fixed.

Many other techniques exist to identify false conjectures. Tableau calculi are among the most popular proof procedures for first-order and modal logics [66]. They frequently allow a counter-model to be obtained immediately from a failed proof attempt. There are connections between finite model generation and testing: Kurshid and Marinov use model generation to obtain test cases for Java programs [88]. On the other hand, Berghofer has adapted the QuickCheck [40] tool for random testing of Haskell programs, for Isabelle [24]. The Isabelle quickcheck tool instantiates free variables in a conjecture with random integer values. If the resulting ground term evaluates to false, a counterexample is found. Support for functions has been added to quickcheck only recently however, and input formulae must belong to an executable fragment of higher-order logic. Brucker and Wolff use Isabelle/HOL to generate test cases for specification-based unit tests [29, 30]. Steel et al. use a method called proof by consistency to find counterexamples to inductive conjectures [152], with an emphasis on security protocols. [90] contains a survey of techniques for the generation of infinite models.

Perhaps most closely related to the integration of proof-producing SAT solvers is John Harrison's LCF-style integration of Stålmarck's algorithm and BDDs into HOL Light and Hol90 respectively [68, 69]. Harrison found that doing BDD operations inside HOL performed about 100 times worse (after several optimizations) than a C implementation. Further afield, the integration of automated first-order provers with HOL provers has been explored by Joe Hurd [74, 75], Jia Meng [111], and Lawrence Paulson [112, 113]. Proofs found by the automated system are either verified by the interactive prover immediately [74], or translated into a proof script that can be executed later [112]. A more extensive overview of work related to the integration of proof-producing SAT solvers is given in Section 5.2.

1.4 Isabelle

Isabelle [134] is a popular interactive theorem prover (being developed primarily by Tobias Nipkow at Technische Universität München, and by Larry Paulson at Cambridge University), whose (meta)logic is based on the simply typed λ-calculus. Isabelle is generic, in the sense that different object logics — e.g. first-order logic, modal and linear logics, and Zermelo-Fraenkel set theory — can be defined on top of the meta logic. This thesis mostly considers Isabelle/HOL [125], an incarnation of Isabelle for higher-order logic, which is currently the best-developed object logic. Isabelle/HOL provides the user with convenient means to define datatypes, recursive functions, axiomatic type classes, sets and records, and more. This makes Isabelle/HOL a very expressive specification language. Syntax and semantics of the logic are presented in detail in Chapter 2.

With a few notable exceptions, the Isabelle/HOL notation follows standard mathematical conventions. Application is written without parentheses, e.g. f(x) is instead written f x. Application is left-associative: f x y is the same as (f x) y. Set comprehension is written with a dot "." instead of the more common vertical dash "|": {x. P x} denotes the set of all x that satisfy P. In this thesis, we use mathematical notation in (informal) definitions and proofs, while Isabelle notation is used only in terms and proofs that are machine-checked by the theorem prover. Basic familiarity with ZFC set theory [84] is assumed.

Isabelle is written in Standard ML [115] (SML for short) and can be executed on a number of different SML implementations/compilers. SML is a functional programming language with eager evaluation and some imperative features, e.g. references. It supports higher-order functions and an advanced module system. Historically, SML evolved from the ML programming language (ML stands for meta language), which was used in Robin Milner's LCF theorem prover at the University of Edinburgh in the late 1970s [61]. Nowadays the term "LCF-style" is used to designate theorem provers that allow new theorems to be generated via a fixed set of simple functions only. Each function corresponds to an inference rule of the underlying logic. Isabelle is such an LCF-style prover; its soundness therefore only depends on a relatively small kernel, and cannot be compromised by programming errors in advanced (and possibly complicated) proof strategies. This restriction motivates the work presented in Chapter 5.

Isabelle supports different styles of writing formal proofs. They can be given as tactic scripts, or they can be written in a human-readable (yet fully formal) proof language called Isar [171]. Variants of tactic-style proof development are currently found in most interactive theorem provers. Conjectures stated by the user become proof goals. Tactics are then applied interactively in order to transform, simplify, and ultimately solve the proof goal. Tactics can implement simple natural deduction rules or powerful decision procedures, e.g. for Presburger arithmetic [36]. Application of a tactic may spawn several new subgoals, which then need to be solved as well. Isabelle's tactics are implemented in SML, but this is irrelevant to the average Isabelle user, who usually works with the collection of provided tactics only, and does not need to implement his own.

Since the effect of powerful tactics on the proof state is often hard to predict, tactic scripts are essentially incomprehensible without the theorem prover at hand. The Isar proof language remedies this disadvantage of tactic-style proofs by providing a language that is closer to mathematical textbook reasoning. Well-written Isar proofs can be followed by a human reader, independently of the theorem prover. The focus of this thesis however is not a machine-checked formalization of some theorem in Isabelle, but an extension of the theorem prover itself, and we are concerned with disproving more than with proving. Therefore this thesis contains only some minor Isabelle proofs, and we will not present either proof style in more detail. The interested reader is referred to [123] and [125]. The former contains a tutorial introduction to Isar, while the latter is an extensive overview of Isabelle/HOL, with various examples of tactic-style proofs.


1.5 Overview

The rest of this thesis is structured into five more chapters as follows:

Chapter 2 presents a translation from higher-order logic (on top of the simply typed λ-calculus) to propositional logic, such that the resulting propositional formula is satisfiable iff the HOL formula has a model of a given finite size. A standard SAT solver can then be used to search for a satisfying assignment, and such an assignment can be transformed back into a model for the HOL formula. The algorithm has been implemented in Isabelle/HOL, where it is used to automatically generate countermodels for non-theorems.

Chapter 3 discusses how the translation to propositional logic can be augmented to cover various extensions that the actual Isabelle/HOL system offers on top of the basic HOL logic, mostly to improve usability. Among them are datatypes and recursive functions, axiomatic type classes, set types and extensible records. We also discuss how the translation can be improved to generate smaller propositional formulae.

Chapter 4 contains a presentation of three case studies. We have applied Isabelle's finite model generation techniques to obtain a correctness proof for a security protocol, counterexamples to conjectures about probabilistic programs, and a Sudoku solver.

Chapter 5 describes the integration of zChaff and MiniSat, currently two leading SAT solvers, with Isabelle/HOL. Both SAT solvers generate resolution-style proofs for (instances of) propositional tautologies. These proofs are verified by the theorem prover. The presented approach significantly improves Isabelle's performance on propositional problems.

Chapter 6 summarizes the results presented in this thesis, and gives directions for possible future work.

Chapter 2

Finite Model Generation

It is undesirable to believe a proposition when there is no ground whatsoever for supposing it is true.
Bertrand Russell, 1872–1970

A translation from higher-order logic (on top of the simply typed λ-calculus) to propositional logic is presented, such that the resulting propositional formula is satisfiable iff the HOL formula has a model of a given finite size. A standard SAT solver can then be used to search for a satisfying assignment, and such an assignment can be transformed back into a model for the HOL formula. The algorithm has been implemented in Isabelle/HOL, where it is used to automatically generate countermodels for non-theorems.

2.1 Introduction

This chapter presents a translation from higher-order logic to propositional logic (quantifier-free Boolean formulae) such that the propositional formula is satisfiable if and only if the HOL formula has a model of a given finite size, i.e. involving no more than a given number of individuals. A standard SAT solver can then be used to search for a satisfying assignment, and if such an assignment is found, it can easily be transformed back into a model for the HOL formula. An algorithm that uses this translation to generate (counter-)models for HOL formulae has been implemented in Isabelle/HOL. This algorithm is not a (semi-)decision procedure: if a formula does not have a model of a given size, it may still have larger or infinite models. The algorithm's applicability is also limited by its complexity, which is non-elementary for higher-order logic. Nevertheless, formulae that occur in practice often have small models, and the usefulness of a similar approach has been confirmed e.g. in [81].

Section 2.2 introduces the syntax and semantics of the logic considered in this chapter, a version of higher-order logic on top of the simply typed λ-calculus. The translation to propositional logic is described and proved correct in Section 2.3, while the remaining details of the model generation algorithm are explained in Section 2.4. We conclude with some final remarks in Section 2.5.

2.2 Higher-Order Logic

The translation presented in this chapter can handle the logic that is underlying the HOL [64] and Isabelle/HOL theorem provers. The logic is originally based on Church's simple theory of types [38]. In this section we present the syntax and a set-theoretic semantics of the relevant fragment. A complete account of the HOL logic, including a proof system, can be found e.g. in [63].

2.2.1 Types

We distinguish types and terms, intended to denote certain sets and elements of sets respectively. The definition of types is relative to a given type structure.

Definition 2.1 (Type Structure). A type structure is a triple Ω = (TyVars, TyNames, TyArity), where TyVars is a set of type variables, TyNames is a disjoint set of type constructors, and TyArity: TyNames → ℕ gives each type constructor's arity.

We use lowercase greek letters, e.g. α, β, ..., to denote type variables.

Definition 2.2 (HOL Type). Let Ω = (TyVars, TyNames, TyArity) be a type structure. The set Types_Ω of types (over Ω) is the smallest set such that
1. TyVars ⊆ Types_Ω, and
2. if c ∈ TyNames, TyArity(c) = n, and σ_i ∈ Types_Ω for all 1 ≤ i ≤ n, then (σ_1, ..., σ_n)c ∈ Types_Ω. In case TyArity(c) = 0, we write c instead of ()c.

The sets of type variables and type constructors, respectively, that occur in a type are defined by straightforward structural induction. We distinguish type constructors with different arguments.

Definition 2.3 (Type Variables in a Type). Let Ω = (TyVars, TyNames, TyArity) be a type structure, and let σ ∈ Types_Ω. The set TyVars(σ) of type variables in σ is defined as follows:
1. If σ ∈ TyVars, then TyVars(σ) := {σ}.
2. If σ = (σ_1, ..., σ_n)c with c ∈ TyNames, then TyVars(σ) := ⋃_{i=1}^{n} TyVars(σ_i).

Definition 2.4 (Type Constructors in a Type). Let Ω = (TyVars, TyNames, TyArity) be a type structure, and let σ ∈ Types_Ω. The set TyNames(σ) of type constructors in σ is defined as follows:
1. If σ ∈ TyVars, then TyNames(σ) := ∅.
2. If σ = (σ_1, ..., σ_n)c with c ∈ TyNames, then TyNames(σ) := {σ} ∪ ⋃_{i=1}^{n} TyNames(σ_i).

Remark 2.5. Let Ω = (TyVars, TyNames, TyArity) be a type structure, and let σ ∈ Types_Ω. TyVars(σ) is a finite subset of TyVars. Likewise, TyNames(σ) is a finite subset of Types_Ω.

Proof. By structural induction on σ.

To define the semantics of types, we follow [63] and fix a set of sets U, our set-theoretic universe, which is assumed to have the following properties.

Inhab: Each element of U is a non-empty set.
Sub: If X ∈ U and ∅ ≠ Y ⊆ X, then Y ∈ U.
Prod: If X ∈ U and Y ∈ U, then the cartesian product X × Y is in U.
Pow: If X ∈ U, then P(X) = {Y | Y ⊆ X} ∈ U.
Infty: U contains a distinguished infinite set I.
Choice: There is a distinguished element ch ∈ Π_{X∈U} X.

One can show the existence of such a universe U from the axioms of Zermelo-Fraenkel set theory together with the Axiom of Choice (ZFC). Two easily provable consequences of the above requirements are important.

Lemma 2.6. U contains a two-element set.

Proof. The infinite set I ∈ U has a two-element subset, which is in U because of Sub.

We distinguish a two-element set B = {⊤, ⊥} ∈ U.

Lemma 2.7. If X ∈ U and Y ∈ U, then X → Y, i.e. the set of all total functions from X to Y, is in U.

Proof. Let X, Y ∈ U. In set theory functions are identified with their graphs, which are certain sets of ordered pairs. Therefore X → Y is a subset of P(X × Y), which is in U due to Prod and Pow. Furthermore X → Y is non-empty since Y is non-empty because of Inhab. Hence X → Y ∈ U by virtue of Sub.

We are now ready to define the semantics of types. Type variables denote arbitrary non-empty sets, which are given by a type environment. The meaning of type constructors is given by a type model.

Definition 2.8 (Type Environment). Let Ω = (TyVars, TyNames, TyArity) be a type structure. A type environment for Ω is a function E: TyVars → U.

Definition 2.9 (Type Model). Let Ω = (TyVars, TyNames, TyArity) be a type structure. A type model M of Ω assigns to each type constructor c ∈ TyNames a function M(c): U^{TyArity(c)} → U. In case TyArity(c) = 0, we identify M(c): U^0 → U with M(c)() ∈ U.


Definition 2.10 (Semantics of Types). Let Ω = (TyVars, TyNames, TyArity) be a type structure. The meaning [[σ]]_{E,M} of a type σ ∈ Types_Ω (wrt. a type environment E and a type model M) is defined as follows:
1. If σ ∈ TyVars, then [[σ]]_{E,M} := E(σ).
2. If σ = (σ_1, ..., σ_n)c with c ∈ TyNames, then [[σ]]_{E,M} := M(c)([[σ_1]]_{E,M}, ..., [[σ_n]]_{E,M}).

Remark 2.11. [[σ]]_{E,M} (for σ a type) is an element of U, i.e. [[·]]_{E,M}: Types_Ω → U.

Proof. By structural induction on σ.

The meaning of a type only depends on the meaning of those type variables and type constructors that actually occur in the type. For f: X → Y a function and Z ⊆ X, we write f|_Z for the restriction of f to Z, i.e. for the function with domain Z that sends x ∈ Z to f(x) ∈ Y.

Lemma 2.12. Let Ω = (TyVars, TyNames, TyArity) be a type structure, let E, E′: TyVars → U be two type environments for Ω, and let M, M′ be two type models of Ω. Let σ ∈ Types_Ω. Suppose E|_{TyVars(σ)} = E′|_{TyVars(σ)}, and furthermore M(c)([[σ_1]]_{E,M}, ..., [[σ_n]]_{E,M}) = M′(c)([[σ_1]]_{E,M}, ..., [[σ_n]]_{E,M}) for all (σ_1, ..., σ_n)c ∈ TyNames(σ). Then
[[σ]]_{E,M} = [[σ]]_{E′,M′}.

Proof. By structural induction on σ. For σ ∈ TyVars, we have
[[σ]]_{E,M} = E(σ) = E′(σ) = [[σ]]_{E′,M′}    (first and last step by Definition 2.10)
since σ ∈ TyVars(σ).
If σ = (σ_1, ..., σ_n)c with c ∈ TyNames (hence (σ_1, ..., σ_n)c ∈ TyNames(σ)), then applying the induction hypothesis to σ_1, ..., σ_n yields
[[σ]]_{E,M} = M(c)([[σ_1]]_{E,M}, ..., [[σ_n]]_{E,M})    (Definition 2.10)
            = M′(c)([[σ_1]]_{E,M}, ..., [[σ_n]]_{E,M})    (assumption)
            = M′(c)([[σ_1]]_{E′,M′}, ..., [[σ_n]]_{E′,M′})    (induction hypothesis)
            = [[σ]]_{E′,M′}.    (Definition 2.10)

We call type structures that contain two distinguished type constructors, namely bool and →, standard. We say that a type model is standard iff these type constructors are interpreted as the two-element set {⊤, ⊥} and as the function space constructor, respectively.

Definition 2.13 (Standard Type Structure). A type structure Ω = (TyVars, TyNames, TyArity) is standard iff {bool, →} ⊆ TyNames, TyArity(bool) = 0, and TyArity(→) = 2.

Definition 2.14 (Standard Type Model). A type model M of a standard type structure is standard iff M(bool) = B and M(→)(X, Y) = X → Y (the set of all total functions from X to Y) for all X, Y ∈ U.

2.2. HIGHER-ORDER LOGIC

From now on we only consider standard type structures and standard type models, where the meaning of bool and → is fixed. We use infix notation for →, i.e. we write σ1 → σ2 instead of (σ1, σ2)→. As usual, → associates to the right: σ1 → σ2 → σ3 is short for σ1 → (σ2 → σ3).

In the literature, standard HOL type structures are sometimes required to contain another nullary type constructor, inf, whose intended interpretation is an infinite set [126]. Note that we do not require such a type constructor here, since it would immediately rule out finite models. We still require the set-theoretic universe U to contain an infinite set, so merely the (type) syntax of the logic is affected by this deviation, while model-theoretic issues are not. A possible approach to extending finite model generation to formulae with infinite types is discussed in Chapter 3.

2.2.2 Terms

Just like the definition of types is relative to a given type structure, the definition of terms is relative to a given signature.

Definition 2.15 (Signature). A signature (over a type structure Ω) is a triple Σ = (Vars, Names, Typ), where Vars is a set of variables, Names is a set of constants disjoint from Vars, and Typ: Names → Types_Ω gives the type of each constant.

Terms are explicitly annotated with their type. A term t_σ of type σ is either an (explicitly typed) variable, a constant, an application, or a λ-abstraction. The actual type of a constant only needs to be an instance of the type given by the signature, so we need to define type instances before we can define terms.

Definition 2.16 (Type Substitution). A type substitution for a type structure Ω = (TyVars, TyNames, TyArity) is a function Θ: TyVars → Types_Ω. The application of a type substitution Θ to a type σ ∈ Types_Ω, written σΘ, is defined by structural induction on σ:
1. If σ ∈ TyVars, then σΘ := Θ(σ).
2. If σ = (σ1, ..., σn)c with c ∈ TyNames, then σΘ := (σ1Θ, ..., σnΘ)c.

Remark 2.17. For σ ∈ Types_Ω and Θ a type substitution for Ω, σΘ is again in Types_Ω. In other words, ·Θ: Types_Ω → Types_Ω.

Proof. By structural induction on σ.

Definition 2.18 (Type Instance). Let Ω be a type structure. For σ, σ' ∈ Types_Ω, we say that σ' is an instance of σ iff σ' = σΘ for some type substitution Θ.

Definition 2.19 (HOL Term). Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. The set Terms_Σ of terms over Σ is the smallest set such that
1. if x ∈ Vars and σ ∈ Types_Ω, then x_σ ∈ Terms_Σ,
2. if c ∈ Names, Typ(c) = σ and σ' ∈ Types_Ω is an instance of σ, then c_{σ'} ∈ Terms_Σ,
3. if t_{σ'→σ} ∈ Terms_Σ and t'_{σ'} ∈ Terms_Σ, then (t_{σ'→σ} t'_{σ'})_σ ∈ Terms_Σ, and
4. if x ∈ Vars, σ1 ∈ Types_Ω and t_{σ2} ∈ Terms_Σ, then (λx_{σ1}. t_{σ2})_{σ1→σ2} ∈ Terms_Σ.
Terms of type bool are called formulae. We frequently omit the type annotation of terms when it can be deduced from the context.

The sets of a term's (explicitly typed) free variables and its (explicitly typed) constants, respectively, are defined as usual, by structural induction on the term.

Definition 2.20 (Free Variables in a Term). Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. Let t_σ ∈ Terms_Σ. The set FreeVars(t_σ) of free variables in t_σ is defined as follows:
1. If t ∈ Vars, then FreeVars(t_σ) := {t_σ}.
2. If t ∈ Names, then FreeVars(t_σ) := ∅.
3. If t_σ = (t1_{σ'→σ} t2_{σ'})_σ for some t1_{σ'→σ}, t2_{σ'} ∈ Terms_Σ, then FreeVars(t_σ) := FreeVars(t1_{σ'→σ}) ∪ FreeVars(t2_{σ'}).
4. If t_σ = (λx_{σ1}. t'_{σ2})_{σ1→σ2} for some x ∈ Vars, σ1 ∈ Types_Ω and t'_{σ2} ∈ Terms_Σ, then FreeVars(t_σ) := FreeVars(t'_{σ2}) \ {x_{σ1}}.

Definition 2.21 (Constants in a Term). Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. Let t_σ ∈ Terms_Σ. The set Names(t_σ) of constants in t_σ is defined as follows:
1. If t ∈ Vars, then Names(t_σ) := ∅.
2. If t ∈ Names, then Names(t_σ) := {t_σ}.
3. If t_σ = (t1_{σ'→σ} t2_{σ'})_σ for some t1_{σ'→σ}, t2_{σ'} ∈ Terms_Σ, then Names(t_σ) := Names(t1_{σ'→σ}) ∪ Names(t2_{σ'}).
4. If t_σ = (λx_{σ1}. t'_{σ2})_{σ1→σ2} for some x ∈ Vars, σ1 ∈ Types_Ω and t'_{σ2} ∈ Terms_Σ, then Names(t_σ) := Names(t'_{σ2}).

Remark 2.22. Let Σ = (Vars, Names, Typ) be a signature over some standard type structure, and let t_σ ∈ Terms_Σ. FreeVars(t_σ) and Names(t_σ) are finite subsets of Terms_Σ.

Proof. By structural induction on t_σ.

Having defined the syntax of terms, we now come to the definition of their semantics. The analogue of a type environment at the term level is a variable assignment, and type models correspond to term models.

Definition 2.23 (Variable Assignment). Let Σ = (Vars, Names, Typ) be a signature over a type structure Ω. A variable assignment A (for Σ) assigns to each variable x ∈ Vars a function A(x): U → U which satisfies A(x)(Y) ∈ Y for every Y ∈ U.

Definition 2.24 (Term Model). Let Σ = (Vars, Names, Typ) be a signature over a type structure Ω. A term model 𝓜 (for Σ) assigns to each constant c ∈ Names a function 𝓜(c): U → U which satisfies 𝓜(c)(Y) ∈ Y for every Y ∈ U.

To shorten notation, we write A(x_σ) for A(x)([[σ]]_{E,M}), and likewise 𝓜(c_σ) for 𝓜(c)([[σ]]_{E,M}), when the type environment E and the type model M are clear from the context.

For f: X → Y a function, a ∈ X and b ∈ Y, we write f[a ↦ b] for the function that sends x ∈ X to b if x = a, and to f(x) otherwise. We can now define the semantics of terms. The semantics of variables is given by a variable assignment, and the semantics of constants is given by a (term) model. Term application corresponds to function application, and λ-abstractions denote functions.

Definition 2.25 (Semantics of Terms). Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. Let E be a type environment for Ω, and let M be a standard type model for Ω. Let A be a variable assignment and 𝓜 be a term model for Σ. The meaning [[t_σ]]_{A,𝓜} of a term t_σ ∈ Terms_Σ wrt. A and 𝓜 is defined as follows:
1. If t ∈ Vars, then [[t_σ]]_{A,𝓜} := A(t_σ).
2. If t ∈ Names, then [[t_σ]]_{A,𝓜} := 𝓜(t_σ).
3. If t_σ = (t1_{σ'→σ} t2_{σ'})_σ for some t1_{σ'→σ}, t2_{σ'} ∈ Terms_Σ, then [[t_σ]]_{A,𝓜} := [[t1_{σ'→σ}]]_{A,𝓜}([[t2_{σ'}]]_{A,𝓜}) (function application).
4. If t_σ = (λx_{σ1}. t'_{σ2})_{σ1→σ2} for some x ∈ Vars, σ1 ∈ Types_Ω and t'_{σ2} ∈ Terms_Σ, then [[t_σ]]_{A,𝓜} is the function that sends each d ∈ [[σ1]]_{E,M} to [[t'_{σ2}]]_{A[x_{σ1} ↦ d],𝓜}.

Remark 2.26. [[t_σ]]_{A,𝓜} (for t_σ a term) is an element of U, i.e. [[·]]_{A,𝓜}: Terms_Σ → U.

Proof. The claim follows from Lemma 2.27 below, where [[σ]]_{E,M} ∈ U due to Remark 2.11.

More specifically, the meaning of a term is an element of the meaning of the term's type.

Lemma 2.27. Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. Let E be a type environment for Ω, and let M be a standard type model for Ω. Let A be a variable assignment and 𝓜 be a term model for Σ. Then [[t_σ]]_{A,𝓜} ∈ [[σ]]_{E,M} for any term t_σ ∈ Terms_Σ.

Proof. By structural induction on t_σ. For the two base cases t ∈ Vars and t ∈ Names, the claim follows immediately from Def. 2.23 and Def. 2.24, respectively, together with Remark 2.11. The two remaining cases are proved using the fact that M is standard, and hence interprets σ1 → σ2 as the full function space from [[σ1]]_{E,M} to [[σ2]]_{E,M}. We note that in the case of a λ-abstraction, the updated assignment A[x_{σ1} ↦ d] is again a variable assignment.

The meaning of a term only depends on the meaning of its free variables and constants. This is the analogue of Lemma 2.12 (which states that the meaning of a type only depends on its type variables and type constructors) for terms.

Lemma 2.28. Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. Let E be a type environment for Ω, and let M be a standard type model for Ω. Let A, A' be two variable assignments and 𝓜, 𝓜' be two term models for Σ. Let t_σ ∈ Terms_Σ. Suppose A|_{FreeVars(t_σ)} = A'|_{FreeVars(t_σ)} and 𝓜|_{Names(t_σ)} = 𝓜'|_{Names(t_σ)}. Then
  [[t_σ]]_{A,𝓜} = [[t_σ]]_{A',𝓜'}.

Proof. By structural induction on t_σ. For the two base cases t ∈ Vars and t ∈ Names, the claim follows immediately from A|_{FreeVars(t_σ)} = A'|_{FreeVars(t_σ)} and 𝓜|_{Names(t_σ)} = 𝓜'|_{Names(t_σ)}, respectively.
If t_σ = (t1_{σ'→σ} t2_{σ'})_σ for some t1_{σ'→σ}, t2_{σ'} ∈ Terms_Σ, the claim follows from the induction hypothesis, applied to t1_{σ'→σ} and t2_{σ'}.
If t_σ = (λx_{σ1}. t'_{σ2})_{σ1→σ2} for some x ∈ Vars, σ1 ∈ Types_Ω and t'_{σ2} ∈ Terms_Σ, the claim follows from the induction hypothesis, applied to t'_{σ2}. Note that for d ∈ [[σ1]]_{E,M}, both A[x_{σ1} ↦ d] and A'[x_{σ1} ↦ d] are again variable assignments, they agree on x_{σ1}, and therefore (since FreeVars(t'_{σ2}) ⊆ FreeVars(t_σ) ∪ {x_{σ1}}) they agree on FreeVars(t'_{σ2}).

We require that signatures contain two logical constants, namely ⟹ and =, which are interpreted as implication and equality, respectively.

Definition 2.29 (Standard Signature). A signature Σ = (Vars, Names, Typ) over a standard type structure Ω is standard iff {⟹, =} ⊆ Names, Typ(⟹) = bool → bool → bool, and Typ(=) = α → α → bool for some type variable α.

Definition 2.30 (Standard Term Model). Let Σ = (Vars, Names, Typ) be a signature over a standard type structure Ω. Let E be a type environment for Ω, and let M be a standard type model for Ω. A term model 𝓜 for Σ is standard iff
1. 𝓜(⟹_{bool→bool→bool}) is the function that maps ⊤, ⊤ to ⊤; ⊤, ⊥ to ⊥; ⊥, ⊤ to ⊤; and ⊥, ⊥ to ⊤, and
2. for every σ ∈ Types_Ω, 𝓜(=_{σ→σ→bool}) is the function that maps x, y ∈ [[σ]]_{E,M} to ⊤ if x = y, and to ⊥ otherwise.

Both ⟹ and = are usually written in infix notation, with ⟹ associating to the right.

This particular choice of constants is arbitrary. Other logical constants can be defined in terms of the chosen ones, e.g. True_bool as (λx_bool. x_bool) = (λx_bool. x_bool), universal quantification ∀_{(α→bool)→bool} as λP_{α→bool}. P_{α→bool} = (λx_α. True_bool), and False_bool as ∀(λx_bool. x_bool) [10].

2.2.3 Satisfiability

A HOL formula is satisfiable iff its meaning is ⊤ in some standard model.

Definition 2.31 (HOL Satisfiability). Let Σ be a standard signature over a standard type structure Ω, and let t_bool ∈ Terms_Σ be a formula. For E a type environment for Ω, M a standard type model for Ω, A a variable assignment and 𝓜 a term model for Σ, we say that A, 𝓜 satisfies t_bool, written A, 𝓜 ⊨ t_bool, iff [[t_bool]]_{A,𝓜} = ⊤.
For E a type environment for Ω and M a standard type model for Ω, we say that t_bool is satisfiable wrt. E and M iff there exist a variable assignment A and a standard term model 𝓜 for Σ such that A, 𝓜 ⊨ t_bool.
We say that t_bool is satisfiable iff there exist a type environment E for Ω and a standard type model M of Ω such that t_bool is satisfiable wrt. E and M.
It is well known that satisfiability of HOL formulae is not semi-decidable in general. Satisfiability in finite models is semi-decidable (the finitely many relevant types and constants can be interpreted over finite sets, and every such candidate model can be checked), but it is not decidable: unsatisfiability in finite models is not semi-decidable. Consequently, the algorithm presented in Section 2.3 is neither a decision procedure for satisfiability in finite models nor a semi-decision procedure for satisfiability in general. It is however sound and complete in the following sense: given unbounded space and time, the algorithm will find a finite model for a HOL formula if and only if such a model exists.

2.3 Translation to Propositional Logic

The model generation for a HOL formula t_bool proceeds in several steps. The input formula is first translated into a propositional formula that is satisfiable iff t_bool has a model of a given size.

2.3.1 Propositional Logic

Let us briefly recall the basic notions of propositional logic. We fix an infinite set B of Boolean variables.

Definition 2.32 (Propositional Formula). The set P of propositional formulae (over B) is the smallest set such that
1. B ⊆ P,
2. True ∈ P, False ∈ P,
3. if ϕ ∈ P, then (¬ϕ) ∈ P,
4. if ϕ, ψ ∈ P, then (ϕ ∨ ψ) ∈ P and (ϕ ∧ ψ) ∈ P.

As a standard convention, ¬ binds stronger than ∧, which in turn binds stronger than ∨. Using this convention, we frequently omit unnecessary parentheses. The semantics of propositional formulae is defined wrt. a truth assignment.

Definition 2.33 (Truth Assignment). A truth assignment A is a function A: B → 𝔹.

Definition 2.34 (Semantics of Propositional Formulae). Let A be a truth assignment. The meaning [[ϕ]]_A of a propositional formula ϕ ∈ P wrt. A is defined as follows:
1. If ϕ ∈ B, then [[ϕ]]_A := A(ϕ).
2. [[True]]_A := ⊤, [[False]]_A := ⊥.
3. [[¬ϕ]]_A := ⊤ if [[ϕ]]_A = ⊥; ⊥ otherwise.
4. [[ϕ ∨ ψ]]_A := ⊤ if [[ϕ]]_A = ⊤ or [[ψ]]_A = ⊤; ⊥ otherwise, and [[ϕ ∧ ψ]]_A := ⊤ if [[ϕ]]_A = ⊤ and [[ψ]]_A = ⊤; ⊥ otherwise.

Remark 2.35. Let A be a truth assignment, and let ϕ ∈ P. Then [[ϕ]]_A ∈ 𝔹, i.e. [[·]]_A: P → 𝔹.

Proof. By structural induction on ϕ.

Definition 2.36 (Propositional Satisfiability). Let A be a truth assignment, and let ϕ ∈ P be a propositional formula. A satisfies ϕ, written A ⊨ ϕ, iff [[ϕ]]_A = ⊤.
We say that ϕ is satisfiable iff A ⊨ ϕ for some truth assignment A.

2.3.2 Interpretation of Types

Types in the input formula t_bool are interpreted as finite, non-empty, mutually disjoint sets. (Disjointness is justified because in HOL, one cannot express that different types contain equal elements: equality is only available for equal types in the first place. Therefore the type algebra can be seen as freely generated.) Let us fix a standard type structure Ω = (TyVars, TyNames, TyArity) and a standard signature Σ = (Vars, Names, Typ) over Ω such that t_bool ∈ Terms_Σ.

We choose a type environment E that only assigns finite sets to type variables, and a standard type model M where each M(c) (for c a type constructor) maps finite sets to finite sets.

Definition 2.37 (Finite Type Environment). Let Ω = (TyVars, TyNames, TyArity) be a type structure, and let E be a type environment for Ω. We say that E is finite iff E(α) is finite for every type variable α ∈ TyVars.

Definition 2.38 (Finite Type Model). Let Ω = (TyVars, TyNames, TyArity) be a type structure, and let M be a type model for Ω. We say that M is finite iff for every type constructor c ∈ TyNames, M(c)(X1, ..., Xn) is finite whenever X1, ..., Xn are finite (where n = TyArity(c)).

Remark 2.39. Let M be a standard type model. Then M(bool) = 𝔹 is finite, and M(→)(X, Y) = X → Y is finite if both X ∈ U and Y ∈ U are finite. (More precisely, |𝔹| = 2, and |X → Y| = |Y|^{|X|}.)

Proof. Immediate, using Def. 2.14.

Then every type denotes a finite set wrt. E and M.

Lemma 2.40. Let Ω be a type structure, let E be a finite type environment for Ω, and let M be a finite type model for Ω. Then for every σ ∈ Types_Ω, [[σ]]_{E,M} is finite.

Proof. By induction on σ. For σ a type variable, the claim follows directly from the fact that E is finite. In case σ = (σ1, ..., σn)c, where c is a type constructor, we apply the induction hypothesis to σ1, ..., σn to obtain finiteness of [[σ1]]_{E,M}, ..., [[σn]]_{E,M}. The lemma then follows since M is finite.

Because of Lemma 2.12, it is de facto sufficient to define E and M for those (finitely many) type variables and type constructors, respectively, that occur in the typing of t_bool. Having fixed the meaning of relevant type variables and type constructors, we want to find a propositional formula that is (propositionally) satisfiable iff t_bool is (HOL-)satisfiable wrt. E and M. But before we describe the translation of HOL formulae to propositional formulae in Section 2.3.3, a few more remarks concerning the interpretation of types are in order.

Ordered Sets

Without loss of generality we require each finite set in the range of E and M to be equipped with a total order, i.e. with an antisymmetric, transitive, and total binary relation. For sets that denote type variables and type constructors other than bool and →, this order is presupposed. For 𝔹, we make an arbitrary choice.

Definition 2.41 (Order on 𝔹). The (canonical) order on 𝔹, written ≤_𝔹, is given by ⊤ < ⊥.

Given two totally ordered finite sets X and Y, we use the lexicographic order as a total order on X → Y.

Definition 2.42 (Lexicographic Order). Let (X, ≤_X) and (Y, ≤_Y) be totally ordered finite sets. The (lexicographic) order on X → Y, written ≤_{X→Y}, is given by
  f ≤_{X→Y} g  iff  f = g ∨ ∃x ∈ X. (f(x) <_Y g(x) ∧ ∀x' <_X x. f(x') = g(x')).
(The comparison at the first position where f and g differ must be strict: with f(x) ≤_Y g(x) in its place, f ≤ g and g ≤ f would both hold whenever f and g agree on the least element of X, and antisymmetry would be lost.)

Remark 2.43. Using finiteness of X, one verifies that ≤_{X→Y} is in fact a total order on X → Y. The function space is isomorphic to the |X|-fold Cartesian product of Y.

A totally ordered finite set X = {x1, x2, ..., xn}, where the order on X is given by x1 < x2 < ... < xn, can be identified with the list [x1, x2, ..., xn] of its elements. We say that x1, x2, ..., xn is the first, second, ..., n-th element of X, respectively.
A function f: X → Y can be identified with its graph, i.e. with the set of ordered pairs {(x, f(x)) | x ∈ X}. A function f: X → Y, where X = [x1, ..., xn] is finite and totally ordered, can be identified with the list [f(x1), ..., f(xn)] of its values. Since these identifications are crucial in the context of our work, we give a formal definition of lists.

Definition 2.44 (List). Let X be a set of list elements. The set List X of lists with elements in X is the smallest set such that
1. [] ∈ List X, and
2. if l ∈ List X and x ∈ X, then (x # l) ∈ List X.

We write [x1, ..., xn] for the list (x1 # (... (xn # []) ...)).

The List operator is monotonic wrt. the subset relation.

Lemma 2.45. Let X ⊆ Y. Then List X ⊆ List Y.

Proof. Let l ∈ List X. The proof is by structural induction on l.

Given a totally ordered finite codomain Y = [y1, ..., ym] and the cardinality |X| of a domain X, we can define an auxiliary function pick that computes the list representation of the function space X → Y, equipped with the lexicographic order. In other words, pick enumerates all functions in X → Y (where each function is represented as the list of its values) in the order given by Def. 2.42.

Definition 2.46 (pick). Let Y = [y1, ..., ym], m ≥ 1. Define
  pick(1, [y1, ..., ym]) := [[y1], ..., [ym]],
and for n > 1 define
  pick(n, [y1, ..., ym]) := [y1 # f1, ..., y1 # f_{m^{n-1}}, ..., ym # f1, ..., ym # f_{m^{n-1}}],
where [f1, ..., f_{m^{n-1}}] = pick(n − 1, [y1, ..., ym]).

Remark 2.47. For n, m ≥ 1, pick(n, [y1, ..., ym]) is a list in List List Y of length m^n, and each list element (which is again a list) has length n.

Proof. By induction on n.

Lemma 2.48. Let |X| = n, Y = [y1, ..., ym], where n, m ≥ 1. Then
  pick(n, [y1, ..., ym]) = X → Y,
where X → Y is equipped with the lexicographic order (and each function is identified with the list of its values).

Proof. By induction on n, using Def. 2.42 and Def. 2.46.

While the order used on the function space and the definition of pick are of course interdependent, using the lexicographic order was an arbitrary choice. It is merely important that we can enumerate the elements of the function space, based on enumerations for the domain and the codomain.
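The finite type semantics of Defs. 2.10 and 2.14, the cardinalities of Remark 2.39, the lexicographic order of Def. 2.42 and the enumeration pick of Def. 2.46 can be exercised directly on small instances. The following Python is an added example, not code from the thesis or from Isabelle/HOL: it interprets types over ordered finite sets, represents every function by its value list as in Lemma 2.48, and checks that pick produces exactly the |Y|^|X| value lists in strictly increasing lexicographic order. The tuple encoding of types, the truth-value names "T"/"F" and the sample type environment are choices made for this example only.

```python
"""Added illustration of Defs. 2.10/2.14, Remark 2.39, Def. 2.42 and
Def. 2.46 / Lemma 2.48; not code from the thesis. A type is a type variable
(a string starting with "'") or a pair (constructor, argument tuple); only the
standard constructors 'bool' and '->' are interpreted here (an assumption)."""

BOOL = ("bool", ())

def fun(s1, s2):
    """The function type s1 -> s2, written (s1, s2)-> in Def. 2.13."""
    return ("->", (s1, s2))

# The two truth values, in the canonical order TOP < BOT of Def. 2.41.
TOP, BOT = "T", "F"
BOOL_ELEMS = (TOP, BOT)

def pick(n, ys):
    """Def. 2.46: the value lists of all functions from an n-element ordered
    domain into the ordered codomain ys, in lexicographic order."""
    assert n >= 1 and len(ys) >= 1
    if n == 1:
        return [(y,) for y in ys]
    rest = pick(n - 1, ys)                      # [f_1, ..., f_{m^(n-1)}]
    return [(y,) + f for y in ys for f in rest]  # y_1 # f_1, ..., y_m # f_last

def lex_le(f, g, rank):
    """Def. 2.42 on value lists: f <= g iff f = g or f(x) < g(x) at the first
    position x where f and g differ (rank gives the order of the codomain)."""
    for a, b in zip(f, g):
        if a != b:
            return rank[a] < rank[b]
    return True

def is_lex_enumeration(fs, ys):
    """Check of Remark 2.47 / Lemma 2.48: fs lists all |ys|**n distinct value
    lists of length n, strictly increasing in the lexicographic order."""
    n = len(fs[0])
    rank = {y: i for i, y in enumerate(ys)}
    distinct = len(set(fs)) == len(fs) == len(ys) ** n
    ordered = all(f != g and lex_le(f, g, rank) for f, g in zip(fs, fs[1:]))
    return distinct and ordered and all(len(f) == n for f in fs)

def function_space(X, Y):
    """M(->) of Def. 2.14 over ordered finite sets: every total function
    X -> Y, identified with its value list [f(x_1), ..., f(x_n)] (Lemma 2.48)."""
    return pick(len(X), Y)

STANDARD_MODEL = {"bool": lambda: BOOL_ELEMS, "->": function_space}

def meaning(sigma, env, model=STANDARD_MODEL):
    """Def. 2.10: [[sigma]]_{E,M}, as the ordered tuple of its elements.
    env is a finite type environment (type variable -> ordered tuple)."""
    if isinstance(sigma, str):
        return env[sigma]
    c, args = sigma
    return model[c](*[meaning(a, env, model) for a in args])

def cardinality(sigma, env):
    """|[[sigma]]| without enumerating: |bool| = 2 and |X -> Y| = |Y|**|X|
    (Remark 2.39); finite by Lemma 2.40."""
    if isinstance(sigma, str):
        return len(env[sigma])
    c, args = sigma
    if c == "bool":
        return 2
    if c == "->":
        return cardinality(args[1], env) ** cardinality(args[0], env)
    raise ValueError(f"constructor {c!r} is not interpreted in this example")

if __name__ == "__main__":
    env = {"'a": ("a1", "a2", "a3")}          # a constructed 3-element type
    for f in meaning(fun("'a", BOOL), env):  # the 8 predicates on 'a, in order
        print(f)
    print(cardinality(fun(fun(BOOL, BOOL), BOOL), env))  # 2 ** (2 ** 2) = 16
```

The i-th entry of `meaning(fun("'a", BOOL), env)` is exactly the function that Def. 2.60 later refers to as the i-th element of the type 'a → bool, so the same enumeration fixes which Boolean variable of a leaf stands for which function value.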

Isomorphic Types

Type environments and standard type models are determined uniquely up to isomorphism by the size of the sets that they assign; the names of individuals are irrelevant.

Definition 2.49 (Isomorphic Type Environments). Let Ω be a type structure. We say that two type environments E, E' for Ω are isomorphic iff there exists a bijection I: U → U such that I(E(α)) = E'(α) for every type variable α. I is called an isomorphism (between E and E').

Definition 2.50 (Isomorphic Type Models). Let Ω be a type structure. We say that two type models M, M' of Ω are isomorphic iff there exists a bijection I: U → U such that I(M(c)(X1, ..., Xn)) = M'(c)(I(X1), ..., I(Xn)) for every type constructor c and every X1, ..., Xn ∈ U (where n = TyArity(c)). I is called an isomorphism (between M and M').

The meaning of types wrt. isomorphic type environments and type models is given by the image of their original meaning under the isomorphism.

Lemma 2.51 (Semantics of Isomorphic Types). Let Ω be a type structure. Let E, E' be two type environments for Ω, and let M, M' be two type models of Ω. Suppose that E, E' and M, M' are isomorphic wrt. the same isomorphism I: U → U. Then
  I([[σ]]_{E,M}) = [[σ]]_{E',M'}
for every type σ ∈ Types_Ω.

Proof. By structural induction on σ. For σ a type variable, we have
  I([[σ]]_{E,M}) = I(E(σ))          (Def. 2.10)
                 = E'(σ)            (Def. 2.49)
                 = [[σ]]_{E',M'}    (Def. 2.10)
since E and E' are isomorphic.
If σ = (σ1, ..., σn)c with c ∈ TyNames, we apply the induction hypothesis to σ1, ..., σn to obtain
  I([[σ]]_{E,M}) = I(M(c)([[σ1]]_{E,M}, ..., [[σn]]_{E,M}))          (Def. 2.10)
                 = M'(c)(I([[σ1]]_{E,M}), ..., I([[σn]]_{E,M}))      (Def. 2.50)
                 = M'(c)([[σ1]]_{E',M'}, ..., [[σn]]_{E',M'})        (IH)
                 = [[σ]]_{E',M'}.                                    (Def. 2.10)

This result can be "lifted" to the semantics of terms. Suppose that the isomorphism I operates on elements of sets in U, rather than on sets in U. Then the meaning of terms wrt. an isomorphic variable assignment and term model is given by the image of their original meaning under the isomorphism.

Definition 2.52 (Pointwise Isomorphism). Let Ω be a type structure. Let E, E' be two type environments for Ω (let M, M' be two type models of Ω, respectively). We say that E, E' (M, M', respectively) are isomorphic wrt. a bijection I: U → U iff Î: U → U, where Î(X) := {I(x) | x ∈ X} for X ∈ U, defines an isomorphism between E and E' (M and M', respectively). In this case I is called a pointwise isomorphism (between E and E', or between M and M').

More generally, any function f: X → Y can be "lifted" to a function f̂: P(X) → P(Y) in the obvious way, by defining f̂(Z) := {f(z) | z ∈ Z} for Z ⊆ X. We simply write f(Z) for f̂(Z) when there is no danger of confusion. Note that f is bijective if and only if f̂ is bijective.

Lemma 2.53 (Isomorphic Variable Assignment and Term Model). Let Ω be a standard type structure, and let Σ be a standard signature over Ω. Let E, E' be two type environments for Ω, and let M, M' be two standard type models of Ω. Suppose that E, E' and M, M' are isomorphic wrt. the same pointwise isomorphism I: U → U with I(⊤) = ⊤. Let A be a variable assignment for Σ, and let 𝓜 be a standard term model for Σ (wrt. E and M). Then
  A'(x)(Y) := I(A(x)(I⁻¹(Y)))
(for x a variable, Y ∈ U) defines a variable assignment for Σ, and
  𝓜'(c)(Y) := I(𝓜(c)(I⁻¹(Y)))
(for c a constant, Y ∈ U) defines a standard term model for Σ (wrt. E' and M').

Proof. Let x be a variable, let c be a constant, and let Y ∈ U. Then A(x)(I⁻¹(Y)) ∈ I⁻¹(Y) (Def. 2.23), hence A'(x)(Y) = I(A(x)(I⁻¹(Y))) ∈ Y. Likewise, 𝓜(c)(I⁻¹(Y)) ∈ I⁻¹(Y) (Def. 2.24), hence 𝓜'(c)(Y) = I(𝓜(c)(I⁻¹(Y))) ∈ Y. It remains to show that 𝓜' is standard. Since M and M' are standard, we have I(𝔹) = 𝔹 (hence I(⊤) = ⊤ together with bijectivity of I implies I(⊥) = ⊥) and I(X → Y) = I(X) → I(Y) for X, Y ∈ U. Due to the identification of functions with sets of ordered pairs (cf. Lemma 2.7), the latter implies I(a, b) = (I(a), I(b)) for a, b ∈ U, and I(f)(I(a)) = I(f(a)) for f ∈ X → Y ∈ U, a ∈ X ∈ U. Thus
1. 𝓜'(⟹)([[bool → bool → bool]]_{E',M'})
     = I(𝓜(⟹)(I⁻¹([[bool → bool → bool]]_{E',M'})))
     = I(𝓜(⟹)(I⁻¹(I([[bool → bool → bool]]_{E,M}))))               (Lemma 2.51)
     = I(𝓜(⟹)([[bool → bool → bool]]_{E,M}))                        (Def. 2.52, I bijective)
     = I({(⊤, {(⊤, ⊤), (⊥, ⊥)}), (⊥, {(⊤, ⊤), (⊥, ⊤)})})             (Def. 2.30)
     = {(⊤, {(⊤, ⊤), (⊥, ⊥)}), (⊥, {(⊤, ⊤), (⊥, ⊤)})}
and
2. for every σ ∈ Types_Ω,
   𝓜'(=)([[σ → σ → bool]]_{E',M'})
     = I(𝓜(=)(I⁻¹([[σ → σ → bool]]_{E',M'})))
     = I(𝓜(=)(I⁻¹(I([[σ → σ → bool]]_{E,M}))))                      (Lemma 2.51)
     = I(𝓜(=)([[σ → σ → bool]]_{E,M})),                              (Def. 2.52, I bijective)
   and since 𝓜(=)([[σ → σ → bool]]_{E,M}) is the function that maps x, y ∈ [[σ]]_{E,M} to ⊤ if x = y, and to ⊥ otherwise (Def. 2.30), I(𝓜(=)([[σ → σ → bool]]_{E,M})) is the function that maps x, y ∈ I([[σ]]_{E,M}) = [[σ]]_{E',M'} to I(⊤) = ⊤ if x = y, and to I(⊥) = ⊥ otherwise (again using bijectivity of I),

as required by Def. 2.30.

The above lemma merely shows that the pointwise isomorphism I can be used to define a new variable assignment A' and a new standard term model 𝓜'. We now make the relation between a term's semantics wrt. the original variable assignment A and term model 𝓜 on the one hand, and its semantics wrt. A' and 𝓜' on the other hand precise.

Lemma 2.54 (Semantics of Terms wrt. Isomorphic Types). Let Ω be a standard type structure, and let Σ be a standard signature over Ω. Let E, E' be two type environments for Ω, and let M, M' be two standard type models of Ω. Suppose that E, E' and M, M' are isomorphic wrt. the same pointwise isomorphism I: U → U with I(⊤) = ⊤. Let A be a variable assignment for Σ, and let 𝓜 be a standard term model for Σ. Define a variable assignment A' and a standard term model 𝓜' as in Lemma 2.53. Then for any term t_σ ∈ Terms_Σ,
  I([[t_σ]]_{A,𝓜}) = [[t_σ]]_{A',𝓜'}.

Proof. By structural induction on t_σ. For t ∈ Vars, we have
  [[t_σ]]_{A',𝓜'} = A'(t)([[σ]]_{E',M'})     (Def. 2.25)
                  = A'(t)(I([[σ]]_{E,M}))    (Lemma 2.51)
                  = I(A(t)([[σ]]_{E,M}))     (Lemma 2.53)
                  = I([[t_σ]]_{A,𝓜}).        (Def. 2.25)
Likewise for t ∈ Names,
  [[t_σ]]_{A',𝓜'} = 𝓜'(t)([[σ]]_{E',M'})     (Def. 2.25)
                  = 𝓜'(t)(I([[σ]]_{E,M}))    (Lemma 2.51)
                  = I(𝓜(t)([[σ]]_{E,M}))     (Lemma 2.53)
                  = I([[t_σ]]_{A,𝓜}).        (Def. 2.25)
If t is an application, i.e. t_σ = (t1_{σ'→σ} t2_{σ'})_σ for some t1_{σ'→σ}, t2_{σ'} ∈ Terms_Σ, then
  [[t_σ]]_{A',𝓜'} = [[t1_{σ'→σ}]]_{A',𝓜'}([[t2_{σ'}]]_{A',𝓜'})       (Def. 2.25)
                  = I([[t1_{σ'→σ}]]_{A,𝓜})(I([[t2_{σ'}]]_{A,𝓜}))     (IH)
                  = I([[t1_{σ'→σ}]]_{A,𝓜}([[t2_{σ'}]]_{A,𝓜}))        (proof of Lemma 2.53)
                  = I([[t_σ]]_{A,𝓜}).                               (Def. 2.25)
If t is a λ-abstraction, i.e. t_σ = (λx_{σ1}. t'_{σ2})_{σ1→σ2} for some variable x, some σ1 ∈ Types_Ω, and some t'_{σ2} ∈ Terms_Σ, then
  [[t_σ]]_{A',𝓜'} = {(d, [[t'_{σ2}]]_{A'[x_{σ1} ↦ d],𝓜'}) | d ∈ [[σ1]]_{E',M'}}          (Def. 2.25)
                  = {(I(d), [[t'_{σ2}]]_{A'[x_{σ1} ↦ I(d)],𝓜'}) | d ∈ [[σ1]]_{E,M}}       (Lemma 2.51)
                  = {(I(d), I([[t'_{σ2}]]_{A[x_{σ1} ↦ d],𝓜})) | d ∈ [[σ1]]_{E,M}}         (IH)
                  = I({(d, [[t'_{σ2}]]_{A[x_{σ1} ↦ d],𝓜}) | d ∈ [[σ1]]_{E,M}})            (proof of Lemma 2.53)
                  = I([[t_σ]]_{A,𝓜}).                                                    (Def. 2.25)
(The induction hypothesis applies because A'[x_{σ1} ↦ I(d)] is precisely the variable assignment that Lemma 2.53 yields for A[x_{σ1} ↦ d].)

The main result of this paragraph is now an easy corollary. A HOL formula is satisfiable wrt. a type environment and a standard type model iff it is satisfiable wrt. any isomorphic type environment and standard type model.

Corollary 2.55 (Satisfiability wrt. Isomorphic Types). Let Ω be a standard type structure, and let Σ be a standard signature over Ω. Let E, E' be two type environments for Ω, and let M, M' be two standard type models of Ω. Suppose that E, E' and M, M' are isomorphic wrt. the same pointwise isomorphism I: U → U with I(⊤) = ⊤. Let t_bool ∈ Terms_Σ. Then t_bool is satisfiable wrt. E and M iff t_bool is satisfiable wrt. E' and M'.

Proof. Let A be a variable assignment and 𝓜 be a standard term model for Σ such that [[t_bool]]_{A,𝓜} = ⊤ (wrt. E and M). For E' and M', define a variable assignment A' and a standard term model 𝓜' as in Lemma 2.53. Then using Lemma 2.54, we have
  [[t_bool]]_{A',𝓜'} = I([[t_bool]]_{A,𝓜}) = I(⊤) = ⊤.
The converse direction follows by the same argument with the roles of E, M and E', M' exchanged, since I⁻¹ is a pointwise isomorphism between E' and E (and between M' and M) with I⁻¹(⊤) = ⊤.

Therefore satisfiability of HOL formulae needs to be tested only modulo pointwise isomorphisms. If a formula is not satisfiable wrt. one type environment and standard type model, it is not satisfiable wrt. any isomorphic type environment and model either.

2.3.3 Interpretation of Terms

Given a type environment E and a standard type model M, our task now is to find a variable assignment A and a term model 𝓜 with [[t_bool]]_{A,𝓜} = ⊤. (To generate a countermodel instead of a model, we can either consider ¬t_bool, or, equivalently, search for A and 𝓜 with [[t_bool]]_{A,𝓜} = ⊥.) At this point one can already view finite model generation as a generalization of satisfiability checking, where the search tree is not necessarily binary, but still finite.

In principle we could search for A and 𝓜 by explicit enumeration and evaluation of t_bool under all possible combinations of variable assignments and term models. This however is infeasible for all but the smallest examples. We therefore translate t_bool into a propositional formula, leaving the search for a satisfying variable assignment and term model to a SAT solver. Our confidence that the SAT solver is more efficient than a brute force approach is justified by significant advances in the area of propositional satisfiability solving in recent years [27].

The translation T of terms into propositional formulae is by structural induction on the term. Although our final aim is to translate a term of type bool into a single propositional formula, a more complex intermediate data structure is needed to translate subterms, which may be of arbitrary type. We use finite trees whose leafs are labeled with lists of propositional formulae. The construction of these trees is described in detail in the remainder of this section.

Definition 2.56 (Labeled Tree). Let X be a set of labels. The set Tree X of trees with labels in X is the smallest set such that
1. if x ∈ X, then Leaf(x) ∈ Tree X, and
2. if t ∈ List Tree X, then Node(t) ∈ Tree X.

The Tree operator is monotonic wrt. the subset relation.

Lemma 2.57. Let X ⊆ Y. Then Tree X ⊆ Tree Y.

Proof. Let t ∈ Tree X. The proof is by structural induction on t, using Lemma 2.45.

The translation is then a (parameterized) function from Terms_Σ to Tree List P. A leaf of length m corresponds to a term whose type is given by a type variable, or by a type constructor other than → (denoting a set of size m), while an n-ary function or predicate is given by a tree of height n + 1. We will show how application and λ-abstraction can be "lifted" from the term level to this intermediate data structure. Note that we could have chosen Tree P instead of Tree List P for the codomain of T, since each leaf labeled with a list can easily be encoded as a tree of height 2, with as many labeled leafs as the original list had elements. This makes no real difference, except that the current choice is more natural for our application: leafs immediately correspond to base types, and nodes correspond to function types.

Definition 2.58 (Trees for Types). Let Ω = (TyVars, TyNames, TyArity) be a standard type structure. Let E be a finite type environment for Ω, and let M be a finite standard type model for Ω. For σ ∈ Types_Ω, the set Trees(σ) of trees for σ (wrt. E and M) is defined as follows:
1. If σ ∈ TyVars or σ = (σ1, ..., σn)c with c ∈ TyNames \ {→}, then
   Trees(σ) := { Leaf([ϕ1, ..., ϕk]) | ϕ1, ..., ϕk ∈ P, k = |[[σ]]_{E,M}| }.
2. If σ = σ1 → σ2 with σ1, σ2 ∈ Types_Ω, then
   Trees(σ) := { Node([t1, ..., tk]) | t1, ..., tk ∈ Trees(σ2), k = |[[σ1]]_{E,M}| }.

Note that k ≥ 1 in both cases, since types are interpreted as non-empty sets. Also note that Trees(σ) = Trees(σ') does not imply σ = σ'. The condition t ∈ Trees(σ) merely ensures that t has the proper shape to denote an element of [[σ]]_{E,M}, according to the semantics of trees given below.

Remark 2.59. Let σ ∈ Types_Ω. Then Trees(σ) ⊆ Tree List P.

Proof. By structural induction on σ.

The meaning of a tree denoting an element of some type σ is defined wrt. a truth assignment that gives the meaning of propositional formulae occurring in the tree's labels. To refer to the i-th element of a type, the definition makes use of the total orders that were introduced for finite sets representing types in Section 2.3.2.

Definition 2.60 (Semantics of Trees). Let Ω = (TyVars, TyNames, TyArity) be a standard type structure, let E be a finite type environment for Ω, and let M be a finite standard type model for Ω. Furthermore, let σ ∈ Types_Ω, and let A be a truth assignment. The meaning [[t]]_{σ,A} of a tree t ∈ Trees(σ) (wrt. σ and A) is defined as follows:
1. If σ ∈ TyVars or σ = (σ1, ..., σn)c with c ∈ TyNames \ {→}, then t = Leaf([ϕ1, ..., ϕk]) for some ϕ1, ..., ϕk ∈ P, where k = |[[σ]]_{E,M}|. Let [d1, ..., dk] = [[σ]]_{E,M}. In this case
     [[t]]_{σ,A} := d_i,        if [[ϕ_i]]_A = ⊤ and [[ϕ_j]]_A = ⊥ for all j ≠ i (where 1 ≤ j ≤ k);
     [[t]]_{σ,A} := undefined,  if no such i (with 1 ≤ i ≤ k) exists.
2. If σ = σ1 → σ2 with σ1, σ2 ∈ Types_Ω, then t = Node([t1, ..., tk]) for some t1, ..., tk ∈ Trees(σ2), where k = |[[σ1]]_{E,M}|. Let [d1, ..., dk] = [[σ1]]_{E,M}. In this case [[t]]_{σ,A} is defined as the (possibly partial) function that sends d_i ∈ [[σ1]]_{E,M} (for 1 ≤ i ≤ k) to [[t_i]]_{σ2,A} (if the latter is defined).

Remark 2.61. Let t ∈ Trees(σ). Then [[t]]_{σ,A} ∈ [[σ]]_{E,M} iff [[t]]_{σ,A} is defined (or, in case σ is a function type, [[t]]_{σ,A} is a total function), and the same holds recursively for every subtree of t (wrt. its corresponding type).

Proof. By structural induction on σ.

Note that for σ, σ' ∈ Types_Ω, both [[t]]_{σ,A} and [[t]]_{σ',A} may be defined (and may or may not differ) if Trees(σ) = Trees(σ').

As one can see from Def. 2.60, Boolean variables are used in a unary, rather than in a binary fashion. This means that we need n variables to represent an element of a base type of size n, rather than log2 n variables. However, at most one of these variables may later be set to true (which keeps the search space for the SAT solver small due to unit propagation [178]), and our encoding, which is inspired by [81], allows for a relatively simple translation of first-order application: only a single Boolean variable needs to be considered when we want to know if a function's argument (of base type) denotes a particular value. On the other hand, the representation of functions by trees still yields an encoding that is linear in the size of a function's domain.

The previous paragraph already hints at the two somewhat independent choices that must be made when one defines the translation from terms to propositional formulae. First, terms of base type are encoded as lists of Boolean variables, which can be used either in a unary or in a binary fashion. Second, functions can be encoded as trees, supporting the view that a function corresponds to a table of its values. Alternatively, functions could be encoded as lists just like terms of base type (making trees completely unnecessary), merely by noticing that the function space is finite and by forgetting its "internal" structure.

Both choices affect how the application of a function to its argument must be encoded. The translation of application is in any case based on the idea of an explicit case distinction over the function's domain: if we know which value in the domain is denoted by the argument, we also know which entry in the table of function values gives the result of the application. From this point of view, it is best to encode the function as a tree (from which we can immediately read off a function value by looking at the corresponding subtree), and to use the linear list encoding for the argument (since a case distinction over the domain then depends on the truth value of single Boolean variables). Any other combination of encodings would result in a fair amount of arithmetic having to be used in the encoding of the application's result.

In higher-order logic however, functions can be arguments themselves. We still encode functions as trees, but when a function occurs as an argument to another (higher-order) function, we will need an additional translation step to turn the tree encoding of the argument function into its linear list encoding. The formal details are given later in this section, when the translation T for applications is defined.

Well-formed Truth Assignments

The alert reader will notice that Def. 2.60 introduces two kinds of partiality: a leaf has an undefined meaning if none of the label's elements evaluates to ⊤, or if more than one label element evaluates to ⊤. The first kind of undefinedness will actually turn out to be useful later, when we consider datatypes and recursive functions (see Section 3.6). Nevertheless for the time being we want to rule out this kind of undefinedness (to simplify the correctness proof given in this chapter), as well as the second kind, which could be interpreted as "a leaf denotes two (or more) of the type's elements at the same time". To this end well-formedness formulae are introduced that impose restrictions on the truth assignment.

Definition 2.62 (Well-formed Truth Assignment). Let t ∈ Tree List P. A truth assignment A: B → 𝔹 is well-formed wrt. t iff every label [x1, ..., xn] of t contains exactly one propositional formula x_i with [[x_i]]_A = ⊤.
Let T ⊆ Tree List P be a set of trees. A truth assignment A: B → 𝔹 is well-formed wrt. T iff A is well-formed wrt. each t ∈ T.

Lemma 2.63. Let t1, ..., tn ∈ Tree List P. A truth assignment A: B → 𝔹 is well-formed wrt. Node([t1, ..., tn]) iff A is well-formed wrt. {t1, ..., tn}.

Proof. l ∈ List P is a label of Node([t1, ..., tn]) iff l is a label of (at least) one of the trees t1, ..., tn.

Definition 2.64 (Well-formedness Formula). Let l = [x1, ..., xn] ∈ List P. The well-formedness formula for l, written wf(l), is defined as
  wf(l) := ⋁_{i=1}^{n} x_i ∧ ⋀_{i,j=1; i≠j}^{n} (¬x_i ∨ ¬x_j).
Let t ∈ Tree List P. The set of well-formedness formulae for t, wf(t), is defined as the set of all well-formedness formulae wf(l) such that l is a label of t.
Let T ⊆ Tree List P be a set of trees. The set of well-formedness formulae for T, wf(T), is defined as ⋃_{t∈T} wf(t).

Lemma 2.65. Let T ⊆ Tree List P be a set of trees. A truth assignment A: B → 𝔹 is well-formed wrt. T iff A ⊨ ϕ for every ϕ ∈ wf(T).

Proof. Let T ⊆ Tree List P be a set of trees, and let A: B → 𝔹 be a truth assignment.
Suppose A is well-formed wrt. T. Let ϕ = ⋁_{i=1}^{n} x_i ∧ ⋀_{i,j=1; i≠j}^{n} (¬x_i ∨ ¬x_j) be in wf(T). Then [x1, ..., xn] is a label of some tree in T. Hence well-formedness of A implies that there is exactly one formula x_i with [[x_i]]_A = ⊤. Therefore also [[ϕ]]_A = ⊤, i.e. A ⊨ ϕ.

For the other direction of the equivalence, suppose [[ϕ]]_A = ⊤ for every ϕ ∈ wf(T). Let l = [x1, ..., xn] be a label of a tree in T. Then in particular wf(l) ∈ wf(T). Hence [[wf(l)]]_A = ⊤, and therefore [[x_i]]_A = ⊤ for exactly one propositional formula x_i.

The truth assignment being well-formed is a necessary and sufficient condition for the meaning of a tree to be an element of the tree's corresponding type.

Lemma 2.66. Let Ω be a standard type structure, let E be a finite type environment for Ω, and let M be a finite standard type model for Ω. Furthermore, let σ ∈ Types_Ω, and let A be a truth assignment. Let t ∈ Trees(σ). Then [[t]]_{σ,A} ∈ [[σ]]_{E,M} iff A is well-formed wrt. t.

Proof. From Def. 2.60, using Remark 2.61.
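The propositional semantics of Def. 2.34, the tree shapes of Def. 2.58, the tree semantics of Def. 2.60, the well-formedness formulae of Def. 2.64 and the equivalences of Lemmas 2.65 and 2.66 can all be checked on a small instance. The following Python is an added example, not code from the thesis: it evaluates propositional formulae, decodes a tree of shape Trees('a → bool) under a truth assignment, reports both kinds of partiality from Def. 2.60 as None, and generates the exactly-one constraints wf(l). The tuple encodings, the variable names p0 to p5 and the three-element sample type 'a are assumptions made for this example only.

```python
"""Added illustration of Defs. 2.32-2.36, 2.56/2.58, 2.60, 2.62/2.64 and
Lemmas 2.65/2.66; not code from the thesis."""

# Propositional formulae (Def. 2.32) as nested tuples over variable names.
def var(name):  return ("var", name)
def neg(p):     return ("not", p)
def lor(p, q):  return ("or", p, q)
def land(p, q): return ("and", p, q)
TRUE, FALSE = ("true",), ("false",)

def evaluate(phi, A):
    """Def. 2.34. A is a truth assignment (dict: variable -> bool); variables
    missing from the dict are read as False, a convenience assumed here."""
    tag = phi[0]
    if tag == "var":   return A.get(phi[1], False)
    if tag == "true":  return True
    if tag == "false": return False
    if tag == "not":   return not evaluate(phi[1], A)
    if tag == "or":    return evaluate(phi[1], A) or evaluate(phi[2], A)
    if tag == "and":   return evaluate(phi[1], A) and evaluate(phi[2], A)
    raise ValueError(phi)

# Types: a base type is a string, a function type is ("->", dom, cod). The
# elems table maps each base type to the ordered tuple of its elements, with
# bool -> (TOP, BOT) in the canonical order of Def. 2.41.
TOP, BOT = "T", "F"

def size(sigma, elems):
    """|[[sigma]]| (Remark 2.39): |Y| ** |X| for a function type X -> Y."""
    if isinstance(sigma, str):
        return len(elems[sigma])
    _, dom, cod = sigma
    return size(cod, elems) ** size(dom, elems)

# Trees (Def. 2.56): ("leaf", [phi_1, ..., phi_k]) or ("node", [t_1, ..., t_k]).
def has_shape(t, sigma, elems):
    """t in Trees(sigma) (Def. 2.58): leaf length and branching match the sizes."""
    kind, children = t
    if isinstance(sigma, str):
        return kind == "leaf" and len(children) == size(sigma, elems)
    _, dom, cod = sigma
    return (kind == "node" and len(children) == size(dom, elems)
            and all(has_shape(c, cod, elems) for c in children))

def tree_meaning(t, sigma, A, elems):
    """Def. 2.60. A leaf denotes the i-th element of [[sigma]] iff exactly the
    i-th label formula is true under A, otherwise None (undefined). A node
    denotes a function given by its value list (Lemma 2.48); an undefined
    subtree shows up as a None entry, i.e. the function is partial."""
    assert has_shape(t, sigma, elems)
    kind, children = t
    if kind == "leaf":
        hits = [i for i, phi in enumerate(children) if evaluate(phi, A)]
        return elems[sigma][hits[0]] if len(hits) == 1 else None
    return tuple(tree_meaning(c, sigma[2], A, elems) for c in children)

def is_element(value):
    """Remark 2.61: the meaning lies in [[sigma]] iff it is defined at every level."""
    if value is None:
        return False
    return all(is_element(v) for v in value) if isinstance(value, tuple) else True

def labels(t):
    kind, children = t
    return [children] if kind == "leaf" else [l for c in children for l in labels(c)]

def well_formed(t, A):
    """Def. 2.62: every label has exactly one formula that is true under A."""
    return all(sum(evaluate(x, A) for x in l) == 1 for l in labels(t))

def wf(label):
    """Def. 2.64: (x_1 v ... v x_n) ^ AND_{i<j} (~x_i v ~x_j). Ranging over
    i < j instead of i != j only drops duplicate clauses."""
    phi = label[0]
    for x in label[1:]:
        phi = lor(phi, x)
    for i in range(len(label)):
        for j in range(i + 1, len(label)):
            phi = land(phi, lor(neg(label[i]), neg(label[j])))
    return phi

def satisfies_wf(t, A):
    """Lemma 2.65: A is well-formed wrt. t iff A satisfies every formula in wf(t)."""
    return all(evaluate(wf(l), A) for l in labels(t))
```

With `ELEMS = {"bool": (TOP, BOT), "'a": ("a1", "a2", "a3")}`, the tree `("node", [("leaf", [p0, p1]), ("leaf", [p2, p3]), ("leaf", [p4, p5])])` has shape Trees('a → bool); under an assignment that sets p0, p3 and p4, it denotes the predicate with value list (⊤, ⊥, ⊤), and `well_formed`, `satisfies_wf` and `is_element(tree_meaning(...))` agree, as Lemmas 2.65 and 2.66 require. Setting both p0 and p1 makes the first leaf undefined (the second kind of partiality), and all three checks fail together.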

Terms are variables and constants, λ-abstractions, or applications. We will now consider each of these cases, describing how terms are translated to trees in each case, before we put everything together to define a single translation function near the end of the section. We will also prepare the correctness proof by explaining why the translation works as intended.

The general structure of the correctness proof is as follows. For the base case of variables and constants, we show that (under certain assumptions) the existence of a variable assignment and term model that assign certain meanings is equivalent to the existence of a well-formed truth assignment that assigns the same meanings to the trees that result from translating the variables and constants. Next we show that the translation of λ-abstraction and application preserves the meaning of terms, i.e. a λ-abstraction is translated as a tree which denotes a certain function, and an application term is translated as function application. (In particular, if the trees for the immediate subterms of a term have a defined meaning, then so does the tree for the whole term. In other words, a truth assignment which is well-formed wrt. the trees for the term's free variables and constants is also well-formed wrt. the tree which results from translating the entire term.) Together these properties imply that a HOL formula is satisfiable iff its translation, under some well-formed truth assignment, denotes $\top$.

Constants and Variables

We define tree assignments and tree models as analogues of variable assignments and term models. Tree assignments (tree models) map each explicitly typed variable (constant) to a tree of the proper shape. They allow us to establish a connection between the interpretation of terms via variable assignments and term models on the one hand, and the interpretation of Boolean variables via truth assignments on the other hand.

Definition 2.67 (Tree Assignment). Let $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ be a signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. A tree assignment $\bar T$ for $\Sigma$ (wrt. $E$ and $M$) assigns to each explicitly typed variable $x_\sigma \in \mathit{Terms}_\Sigma$ (where $x \in \mathit{Vars}$, $\sigma \in \mathit{Types}_\Omega$) a tree $\bar T(x_\sigma) \in \mathit{Trees}(\sigma)$.

Definition 2.68 (Tree Model). Let $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ be a signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. A tree model $\bar M$ for $\Sigma$ (wrt. $E$ and $M$) assigns to each explicitly typed constant $c_\sigma \in \mathit{Terms}_\Sigma$ (where $c \in \mathit{Names}$, $\sigma \in \mathit{Types}_\Omega$) a tree $\bar M(c_\sigma) \in \mathit{Trees}(\sigma)$.

2.3. TRANSLATION TO PROPOSITIONAL LOGIC 27

A term's variables and constants are interpreted independently of each other by a variable assignment and term model, respectively, with no restrictions other than those imposed on standard term models in Def. 2.30. A tree assignment and tree model on the other hand could impose restrictions on the interpretation of variables and constants by using propositional formulae, rather than just Boolean variables, as label elements. Also, the same Boolean variable could be used in more than one label. We rule out such unwanted restrictions and interdependencies with the following definition of standard tree assignments and tree models.

Definition 2.69 (Standard Tree Assignment/Tree Model). Let $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ be a standard signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). We say that $\bar T$ and $\bar M$ are standard (wrt. each other) iff
1. $\bar T(x_\sigma) \in \mathit{TreeList}_B$, for every $x_\sigma \in \mathit{Terms}_\Sigma$ (where $x \in \mathit{Vars}$, $\sigma \in \mathit{Types}_\Omega$); and
2. $\bar M(c_\sigma) \in \mathit{TreeList}_B$, for every $c_\sigma \in \mathit{Terms}_\Sigma$ (where $c \in \mathit{Names}$, $\sigma \in \mathit{Types}_\Omega$), provided $c_\sigma$ is not equal to ${\Longrightarrow}_{bool \to bool \to bool}$, and $c_\sigma$ is not equal to ${=}_{\sigma \to \sigma \to bool}$ for any $\sigma \in \mathit{Types}_\Omega$; and
3. $\bar M({\Longrightarrow}_{bool \to bool \to bool}) = \mathit{Node}([\mathit{Node}([\mathit{Top}, \mathit{Bot}]), \mathit{Node}([\mathit{Top}, \mathit{Top}])])$, where $\mathit{Top}$ and $\mathit{Bot}$ abbreviate $\mathit{Leaf}([\mathit{True}, \mathit{False}])$ and $\mathit{Leaf}([\mathit{False}, \mathit{True}])$, respectively; and
4. for every $\sigma \in \mathit{Types}_\Omega$, $\bar M({=}_{\sigma \to \sigma \to bool}) = \mathit{Node}([\mathit{Node}(\mathit{UV}^k_1), \dots, \mathit{Node}(\mathit{UV}^k_k)])$, where $k = |[\![\sigma]\!]_{E,M}|$ and $\mathit{UV}^k_n$ is defined as the list $[t_1,\dots,t_k]$ that is given by
$t_i := \mathit{Top}$ if $i = n$; $\mathit{Bot}$ otherwise;
and
5. each Boolean variable occurs at most once as the element of a label in the range of $\bar T$ and $\bar M$, i.e. no label contains the same Boolean variable more than once, and no two labels contain the same Boolean variable.

The first condition states that trees for variables may only use Boolean variables in labels, but no other propositional formulae. The second condition imposes the same restriction on trees for constants (other than implication and equality, whose meanings are fixed, and hence the corresponding trees are fixed by the third and fourth condition, respectively). The last condition allows us to interpret different terms, and moreover a function's values for different arguments, independently of each other.

Remark 2.70. Without loss of generality we may assume that standard tree assignments and tree models for our fixed standard signature $\Sigma$ (over the fixed standard type structure $\Omega$) exist.

Proof. Regarding conditions 1 and 2, note that any function $f : P \to B$, if applied to every label element of a tree in $\mathit{Trees}(\sigma)$, will yield a tree in $\mathit{TreeList}_B \cap \mathit{Trees}(\sigma)$. In particular, $\mathit{TreeList}_B \cap \mathit{Trees}(\sigma) \neq \emptyset$ for any type $\sigma \in \mathit{Types}_\Omega$.


Conditions 3 and 4 are trivially satisfiable: $\mathit{Node}([\mathit{Node}([\mathit{Top}, \mathit{Bot}]), \mathit{Node}([\mathit{Top}, \mathit{Top}])]) \in \mathit{Trees}(bool \to bool \to bool)$, and $\mathit{Node}([\mathit{Node}(\mathit{UV}^k_1), \dots, \mathit{Node}(\mathit{UV}^k_k)]) \in \mathit{Trees}(\sigma \to \sigma \to bool)$ for any type $\sigma \in \mathit{Types}_\Omega$ (where $k = |[\![\sigma]\!]_{E,M}|$).

For condition 5, recall that our only requirement on $\Omega = (\mathit{TyVars}, \mathit{TyNames}, \mathit{TyArity})$ and $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ so far, aside from being standard, was that the input formula $t_{bool}$ is in $\mathit{Terms}_\Sigma$. Therefore we can choose sufficiently small sets for $\mathit{TyVars}$, $\mathit{TyNames}$, $\mathit{Vars}$ and $\mathit{Names}$ to allow the Boolean variables used as label elements (which are drawn from the infinite set $B$) to be distinct.

The rationale behind Def. 2.69 is the following. For any tree assignment and tree model that are standard wrt. each other, we want the existence of a variable assignment and standard term model that assign certain meanings to variables and constants, respectively, to be equivalent to the existence of a well-formed truth assignment that assigns the same meanings to the trees that correspond to these variables and constants. This property indeed holds, as shown by the next lemma.

Lemma 2.71. Let $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ be a standard signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). Assume that $\bar T$ and $\bar M$ are standard (wrt. each other). Let $t_\sigma \in \mathit{Terms}_\Sigma$.

For every variable assignment $\mathcal{A}$ and standard term model $\mathcal{M}$ (for $\Sigma$) there exists a truth assignment $A$ that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$ such that $[\![x_\sigma]\!]_{\mathcal{A},\mathcal{M}} = [\![\bar T(x_\sigma)]\!]_{\sigma,A}$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![c_\sigma]\!]_{\mathcal{A},\mathcal{M}} = [\![\bar M(c_\sigma)]\!]_{\sigma,A}$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$.

Also, for every truth assignment $A$ that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$, there exist a variable assignment $\mathcal{A}$ and standard term model $\mathcal{M}$ (for $\Sigma$) such that $[\![x_\sigma]\!]_{\mathcal{A},\mathcal{M}} = [\![\bar T(x_\sigma)]\!]_{\sigma,A}$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![c_\sigma]\!]_{\mathcal{A},\mathcal{M}} = [\![\bar M(c_\sigma)]\!]_{\sigma,A}$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$.

We prove an auxiliary lemma first, namely that trees of Boolean variables satisfying the distinctness condition of Def. 2.69 can denote any particular element of their corresponding type's meaning if a suitable truth assignment is chosen. In addition, we may assume that this truth assignment is well-formed.

Lemma 2.72. Let $\Omega = (\mathit{TyVars}, \mathit{TyNames}, \mathit{TyArity})$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Furthermore, let $\sigma \in \mathit{Types}_\Omega$, and let $t \in \mathit{Trees}(\sigma) \cap \mathit{TreeList}_B$ such that $t$ satisfies condition 5 of Def. 2.69. Then for any $d \in [\![\sigma]\!]_{E,M}$ there exists a truth assignment $A : B \to \mathbb{B}$ that is well-formed wrt. $t$ such that $[\![t]\!]_{\sigma,A} = d$.

Proof. By structural induction on $\sigma$. If $\sigma \in \mathit{TyVars}$ or $\sigma = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, then $t = \mathit{Leaf}([x_1,\dots,x_k])$ for some $x_1,\dots,x_k \in B$, where $k = |[\![\sigma]\!]_{E,M}|$. Let $[\![\sigma]\!]_{E,M} = [d_1,\dots,d_k]$, and assume $d = d_i$ (for some $1 \le i \le k$). In this case, define $A : B \to \mathbb{B}$ by
$A(x) := \top$ if $x = x_i$; $\bot$ otherwise.


Note that $x_1,\dots,x_k$ are distinct due to Def. 2.69. In particular, $x_j = x_i$ (for $1 \le j \le k$) if and only if $j = i$. Using this, one easily verifies that $A$ is well-formed wrt. $t$ (Def. 2.62), and that $[\![t]\!]_{\sigma,A} = d_i$ as required (Def. 2.60).

If $\sigma = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then $t = \mathit{Node}([t_1,\dots,t_k])$ for some $t_1,\dots,t_k \in \mathit{Trees}(\sigma_2)$, where $k = |[\![\sigma_1]\!]_{E,M}|$. Let $[d_1,\dots,d_k] = [\![\sigma_1]\!]_{E,M}$. Then $d$, as a function from $[\![\sigma_1]\!]_{E,M}$ to $[\![\sigma_2]\!]_{E,M}$, is given by $d = \{(d_1, d(d_1)), \dots, (d_k, d(d_k))\}$, where $d(d_1),\dots,d(d_k) \in [\![\sigma_2]\!]_{E,M}$. In this case the induction hypothesis yields truth assignments $A_1,\dots,A_k : B \to \mathbb{B}$ such that each $A_i$ (for $1 \le i \le k$) is well-formed wrt. $t_i$, $[\![t_i]\!]_{\sigma_2,A_i} = d(d_i)$, and without loss of generality $A_i(x) = \top$ only for variables $x \in B$ that occur as label elements of $t_i$. Now define $A : B \to \mathbb{B}$ by
$A(x) := \bigvee_{i=1}^k A_i(x)$.
$A$ is well-formed wrt. each $t_i$ because Def. 2.69 implies that the label elements of each tree $t_j$ (for $1 \le j \le k$, $j \neq i$) are disjoint from those of $t_i$; hence $A_j(x) = \bot$ for each $j \neq i$, where $x$ is a label element of $t_i$. Therefore $A$ is well-formed wrt. $t$ (Lemma 2.63). Moreover, $[\![t_i]\!]_{\sigma_2,A} = d(d_i)$ for the same reason. This immediately implies $[\![t]\!]_{\sigma,A} = d$ (Def. 2.60).

The proof of Lemma 2.71 follows.

Proof. Assume that $\mathcal{A}$ is a variable assignment and $\mathcal{M}$ is a standard term model for $\Sigma$. Since $\bar T$ and $\bar M$ are standard, we can use Lemma 2.72 to obtain well-formed truth assignments $A_{x_\sigma}$ (for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$) and $A_{c_\sigma}$ (for every $c_\sigma \in \mathit{Names}(t_\sigma)$, provided $c_\sigma$ is not equal to ${\Longrightarrow}_{bool \to bool \to bool}$, and $c_\sigma$ is not equal to ${=}_{\tau \to \tau \to bool}$ for any $\tau \in \mathit{Types}_\Omega$) such that $[\![\bar T(x_\sigma)]\!]_{\sigma,A_{x_\sigma}} = [\![x_\sigma]\!]_{\mathcal{A},\mathcal{M}}$ and $[\![\bar M(c_\sigma)]\!]_{\sigma,A_{c_\sigma}} = [\![c_\sigma]\!]_{\mathcal{A},\mathcal{M}}$. Now define $A : B \to \mathbb{B}$ by
$A(v) := A_{x_\sigma}(v)$ if $v$ is a label element of $\bar T(x_\sigma)$; $A_{c_\sigma}(v)$ if $v$ is a label element of $\bar M(c_\sigma)$; $\bot$ otherwise.
Condition 5 of Def. 2.69 ensures that $A$ is well-defined. $A$ is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$ because each truth assignment $A_{x_\sigma}$ and $A_{c_\sigma}$ is well-formed wrt. $\bar T(x_\sigma)$ and $\bar M(c_\sigma)$, respectively. Furthermore, $[\![x_\sigma]\!]_{\mathcal{A},\mathcal{M}} = [\![\bar T(x_\sigma)]\!]_{\sigma,A}$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![c_\sigma]\!]_{\mathcal{A},\mathcal{M}} = [\![\bar M(c_\sigma)]\!]_{\sigma,A}$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$ (where conditions 3 and 4 of Def. 2.69 are needed for implication and equality terms, respectively). This proves the first part of the lemma.

Next, assume $A : B \to \mathbb{B}$ is a truth assignment that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$. Then $[\![\bar T(x_\sigma)]\!]_{\sigma,A} \in [\![\sigma]\!]_{E,M}$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![\bar M(c_\sigma)]\!]_{\sigma,A} \in [\![\sigma]\!]_{E,M}$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$ by Lemma 2.66. Thus we can simply define the variable assignment $\mathcal{A}$ and the term model $\mathcal{M}$ by
$\mathcal{A}(x_\sigma) := [\![\bar T(x_\sigma)]\!]_{\sigma,A}$
for $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and
$\mathcal{M}(c_\sigma) := [\![\bar M(c_\sigma)]\!]_{\sigma,A}$

forcσ∈Names(tσ)∪{=⇒bool→bool→bool}∪{=τ→τ→bool|τ∈TypesΩ}(whereweextend
AandMtoothervariablesandconstantsinanarbitraryfashion).Conditions3and4of
Def.2.69implythatMisstandard.Thisconcludestheproofofthelemma’ssecondpart.

Lemma2.71establishesthecloseconnectionbetweentheexistenceofHOLmodelsandpropo-
sitionalmodelsthatweneedtoshowsatisfiabilityequivalenceofourtranslationforthebase
casesofvariablesandconstants.

-AbstractionλTosimplifynotation,weintroduceanauxiliaryoperatormap(well-establishedinfunctional
programming)whichappliesanargumentfunctiontoeveryelementofalist.
Definition2.73(map).LetX,Ybesets.Forf:X→Yand[x1,...,xn]∈ListX,define
map(f,[x1,...,xn]):=[f(x1),...,f(xn)].
Remark2.74.Forf:X→Yafunctionandl∈ListX,wehavemap(f,l)∈ListY,i.e.
map(f,∙):ListX→ListY.Furthermore,landmap(f,l)havethesamelength.

Proof. By structural induction on $l$.

Lemma 2.75. Let $f : X \to Y$, $g : Y \to Z$ be two functions, and let $l \in \mathit{List}_X$. Then
$\mathit{map}(g, \mathit{map}(f, l)) = \mathit{map}(g \circ f, l)$.

Proof. By structural induction on $l$.

We now define trees whose leafs are labeled with lists of propositional constants (i.e. $\mathit{True}$ and $\mathit{False}$) only, and where exactly one element in each label is $\mathit{True}$, while all others are $\mathit{False}$. Independently of the truth assignment, these trees denote specific (i.e. the first, second, ...) elements of their corresponding type. Moreover, we can define a function $\mathit{consts}$ which returns trees corresponding to a type's elements in the correct order. This function will be used in the translation of λ-abstractions, whose body needs to be evaluated separately for each possible value of the bound variable.

Definition 2.76 (Propositional Unit Vector). For $1 \le n \le k$, $\mathit{uv}^k_n$, the $n$-th propositional unit vector of length $k$, is defined as the list $[\varphi_1,\dots,\varphi_k] \in \mathit{List}_{\{\mathit{True},\mathit{False}\}}$ that is given by
$\varphi_i := \mathit{True}$ if $i = n$; $\mathit{False}$ otherwise.

Definition 2.77 (Constant Trees). Let $\Omega = (\mathit{TyVars}, \mathit{TyNames}, \mathit{TyArity})$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. For $\sigma \in \mathit{Types}_\Omega$, the constant trees for $\sigma$ (wrt. $E$ and $M$), written $\mathit{consts}(\sigma)$, are defined as follows:

1. If $\sigma \in \mathit{TyVars}$ or $\sigma = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, then
$\mathit{consts}(\sigma) := [\mathit{Leaf}(\mathit{uv}^k_1), \dots, \mathit{Leaf}(\mathit{uv}^k_k)]$,
where $k = |[\![\sigma]\!]_{E,M}|$.
2. If $\sigma = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then
$\mathit{consts}(\sigma) := \mathit{map}(\mathit{Node}, \mathit{pick}(k, \mathit{consts}(\sigma_2)))$,
where $k = |[\![\sigma_1]\!]_{E,M}|$.

Example 2.78. As an example, consider the constant trees for $bool$ (wrt. an arbitrary finite type environment and finite standard type model). Using the canonical order on $\mathbb{B}$ (Def. 2.41), the tree for $\top$ is given by $\mathit{Leaf}([\mathit{True}, \mathit{False}])$, while the tree for $\bot$ is given by $\mathit{Leaf}([\mathit{False}, \mathit{True}])$.

Remark 2.79. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. For $\sigma \in \mathit{Types}_\Omega$, $\mathit{consts}(\sigma)$ is a list of length $|[\![\sigma]\!]_{E,M}|$, where each list element is in $\mathit{Trees}(\sigma) \cap \mathit{TreeList}_{\{\mathit{True},\mathit{False}\}}$.

Proof. By structural induction on $\sigma$. If $\sigma \in \mathit{TyVars}$ or $\sigma = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, the claim follows immediately from Def. 2.76 and Def. 2.58.

If $\sigma = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then $\mathit{consts}(\sigma_2)$ has length $|[\![\sigma_2]\!]_{E,M}|$ by the induction hypothesis. Hence $\mathit{consts}(\sigma)$ has length $|[\![\sigma_2]\!]_{E,M}|^k$ (Remark 2.74 and Remark 2.47), which is equal to $|[\![\sigma]\!]_{E,M}| = |[\![\sigma_1 \to \sigma_2]\!]_{E,M}| = |[\![\sigma_2]\!]_{E,M}|^{|[\![\sigma_1]\!]_{E,M}|}$ since $M$ is standard (Remark 2.39). That each list element is in $\mathit{Trees}(\sigma) \cap \mathit{TreeList}_{\{\mathit{True},\mathit{False}\}}$ also follows from the induction hypothesis, together with Remark 2.74 and Remark 2.47 (and of course Def. 2.58).

The key property of $\mathit{consts}(\sigma)$ is stated and proved below.

Lemma 2.80. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Furthermore, let $\sigma \in \mathit{Types}_\Omega$, and let $A$ be an arbitrary truth assignment. Then
$\mathit{map}([\![\cdot]\!]_{\sigma,A}, \mathit{consts}(\sigma)) = [\![\sigma]\!]_{E,M}$.

Proof. By structural induction on $\sigma$. If $\sigma \in \mathit{TyVars}$ or $\sigma = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, the claim follows immediately by unfolding the relevant definitions (i.e. Defs. 2.77, 2.76, 2.73, and 2.60). Note that the semantics of a tree in $\mathit{TreeList}_{\{\mathit{True},\mathit{False}\}}$ is independent of the truth assignment $A$.

If $\sigma = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then
$\mathit{map}([\![\cdot]\!]_{\sigma,A}, \mathit{consts}(\sigma))$
$\overset{2.77}{=} \mathit{map}([\![\cdot]\!]_{\sigma,A}, \mathit{map}(\mathit{Node}, \mathit{pick}(|[\![\sigma_1]\!]_{E,M}|, \mathit{consts}(\sigma_2))))$
$\overset{2.75}{=} \mathit{map}([\![\cdot]\!]_{\sigma,A} \circ \mathit{Node}, \mathit{pick}(|[\![\sigma_1]\!]_{E,M}|, \mathit{consts}(\sigma_2)))$
$\overset{2.48}{=} \mathit{map}([\![\cdot]\!]_{\sigma,A} \circ \mathit{Node}, [\![\sigma_1]\!]_{E,M} \to \mathit{consts}(\sigma_2))$
$\overset{2.60}{=} [\![\sigma_1]\!]_{E,M} \to \mathit{map}([\![\cdot]\!]_{\sigma_2,A}, \mathit{consts}(\sigma_2))$
$\overset{IH}{=} [\![\sigma_1]\!]_{E,M} \to [\![\sigma_2]\!]_{E,M}$
$\overset{2.14}{=} [\![\sigma]\!]_{E,M}$,


where we again identify functions over the (finite and totally ordered) domain $[\![\sigma_1]\!]_{E,M}$ with a list of their values.

Lemma 2.80 shows that $\mathit{consts}(\sigma)$ enumerates trees corresponding to the elements of $[\![\sigma]\!]_{E,M}$ in the correct order. Moreover, since a constant tree only carries propositional unit vectors as leaf labels, any truth assignment is well-formed wrt. the tree.

Lemma 2.81. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Furthermore, let $\sigma \in \mathit{Types}_\Omega$, let $t$ be a constant tree for $\sigma$, and let $A$ be an arbitrary truth assignment. Then $A$ is well-formed wrt. $t$.

Proof. This is an immediate consequence of Lemma 2.80 with Lemma 2.66. Alternatively, it can easily be seen directly also, by structural induction on $\sigma$.

Application

Functions of arity $n$ are represented by trees of height $n+1$. Intuitively, when a function is applied to the $i$-th element of its domain, the result is given by the $i$-th subtree of the tree representing the function. As mentioned earlier, the function may be higher-order, i.e. its argument may be a function again. In this case the argument is itself represented by a tree of height $> 1$.

We define a function $\mathit{enum}$ that tells us if a tree denotes the $i$-th element of its corresponding type. More precisely, $\mathit{enum}(t)$ returns a list of propositional formulae, where the $i$-th formula of the list evaluates to $\top$ iff the tree $t$ denotes the $i$-th element of its corresponding type.

If $t$ is a tree representing a function, we want to employ $\mathit{pick}$ (Def. 2.46) to define $\mathit{enum}$. A minor complication in this case is caused by the fact that $\mathit{pick}(n, Y)$ returns (an enumeration of) $Y^n$, while for the definition of $\mathit{enum}$, we need a more general function $\mathit{pick}$ with $\mathit{pick}([Y_1,\dots,Y_n]) = Y_1 \times \dots \times Y_n$ (where $Y_1 \times \dots \times Y_n$ is again equipped with the lexicographic order obtained from the individual orders on $Y_1,\dots,Y_n$). We define $\mathit{pick}$ first.

Definition 2.82 (pick). Let $n \ge 1$, and let $Y_i$ (for $1 \le i \le n$) be finite, non-empty and totally ordered, with $Y_1 = [y_1,\dots,y_m]$ (for some $m \ge 1$). Define
$\mathit{pick}([Y_1]) := [[y_1],\dots,[y_m]]$,
and for $n > 1$ define
$\mathit{pick}([Y_1, Y_2,\dots,Y_n]) := [y_1 \# f_1, \dots, y_1 \# f_k, \dots, y_m \# f_1, \dots, y_m \# f_k]$,
where $[f_1,\dots,f_k] = \mathit{pick}([Y_2,\dots,Y_n])$.

Remark 2.83. For $n \ge 1$ and $Y_i$ (for $1 \le i \le n$) finite, non-empty and totally ordered, $\mathit{pick}([Y_1,\dots,Y_n])$ is a list in $\mathit{List}_{\mathit{List}_Y}$ (where $Y := \bigcup_{i=1}^n Y_i$) of length $\prod_{i=1}^n |Y_i|$, and each list element (which is again a list) has length $n$.

Proof. By induction on $n$.


Lemma 2.84. Let $n \ge 1$, and let $Y_i$ (for $1 \le i \le n$) be finite, non-empty and totally ordered. Then
$\mathit{pick}([Y_1,\dots,Y_n]) = Y_1 \times \dots \times Y_n$,
where $Y_1 \times \dots \times Y_n$ is equipped with the lexicographic order.

Proof. By induction on $n$, using Def. 2.42 (adapted for cartesian products), and Def. 2.82 of course.

Another auxiliary function, which returns the conjunction of a (non-empty) list of formulae, is needed as well.

Definition 2.85 ($\bigwedge$). For $\varphi_1,\dots,\varphi_n \in P$, $n \ge 1$, define
$\bigwedge([\varphi_1,\dots,\varphi_n]) := \varphi_1 \wedge \dots \wedge \varphi_n$.

The definition of $\mathit{enum}$ follows.

Definition 2.86 (enum). Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma \in \mathit{Types}_\Omega$, and let $t \in \mathit{Trees}(\sigma)$. Then $\mathit{enum}(t)$ is defined as follows:
1. If $t = \mathit{Leaf}([\varphi_1,\dots,\varphi_k])$ for some $\varphi_1,\dots,\varphi_k \in P$, then
$\mathit{enum}(t) := [\varphi_1,\dots,\varphi_k]$.
2. If $t = \mathit{Node}([t_1,\dots,t_k])$ for some $t_1,\dots,t_k \in \mathit{Trees}(\sigma')$ (where $\sigma' \in \mathit{Types}_\Omega$), then
$\mathit{enum}(t) := \mathit{map}(\bigwedge, \mathit{pick}(\mathit{map}(\mathit{enum}, [t_1,\dots,t_k])))$.

Remark 2.87. Let $t \in \mathit{Trees}(\sigma)$. Then $\mathit{enum}(t) \in \mathit{List}_P$ is a list of length $|[\![\sigma]\!]_{E,M}|$.

Proof. By structural induction on $\sigma$. If $\sigma \in \mathit{TyVars}$ or $\sigma = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, the claim follows immediately from Def. 2.58.

If $\sigma = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then by the induction hypothesis $\mathit{enum}(t_i) \in \mathit{List}_P$ (for $1 \le i \le k$, where $k = |[\![\sigma_1]\!]_{E,M}|$ by Def. 2.58) is a list of length $|[\![\sigma_2]\!]_{E,M}|$. Hence $\mathit{map}(\mathit{enum}, [t_1,\dots,t_k]) \in \mathit{List}_{\mathit{List}_P}$ is a list of length $k$ by Remark 2.74. Now Remark 2.83 implies that $\mathit{pick}(\mathit{map}(\mathit{enum}, [t_1,\dots,t_k])) \in \mathit{List}_{\mathit{List}_P}$ is a list of length $|[\![\sigma_2]\!]_{E,M}|^k$, and from this $\mathit{enum}(t) \in \mathit{List}_P$ follows with Remark 2.74, while Remark 2.39 shows that the length is equal to $|[\![\sigma]\!]_{E,M}|$.

The next lemma shows that $\mathit{enum}$ indeed builds the desired list of formulae, where the $i$-th formula is true iff the corresponding tree denotes the $i$-th element of its type.

Lemma 2.88. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma \in \mathit{Types}_\Omega$, and let $t \in \mathit{Trees}(\sigma)$. Assume $\mathit{enum}(t) = [\varphi_1,\dots,\varphi_k]$, and $[\![\sigma]\!]_{E,M} = [d_1,\dots,d_k]$ (where $k = |[\![\sigma]\!]_{E,M}|$). Let $A$ be a truth assignment that is well-formed wrt. $t$. Then, for $1 \le i \le k$,
$[\![\varphi_i]\!]_A = \top$ iff $[\![t]\!]_{\sigma,A} = d_i$.

Proof. By structural induction on $\sigma$. If $\sigma \in \mathit{TyVars}$ or $\sigma = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, the "$\Leftarrow$" direction of the equivalence follows immediately from Def. 2.60, while the "$\Rightarrow$" direction uses the well-formedness of $A$ (Def. 2.62).

If $\sigma = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then $t = \mathit{Node}([t_1,\dots,t_k])$ for some $t_1,\dots,t_k \in \mathit{Trees}(\sigma_2)$, where $k = |[\![\sigma_1]\!]_{E,M}|$. For $1 \le i \le k$, let $\mathit{enum}(t_i) = [\varphi^i_1,\dots,\varphi^i_l]$ for some $\varphi^i_1,\dots,\varphi^i_l \in P$ (where $l = |[\![\sigma_2]\!]_{E,M}|$). In this case,
$\mathit{enum}(t) \overset{2.86}{=} \mathit{map}(\bigwedge, \mathit{pick}(\mathit{map}(\mathit{enum}, [t_1,\dots,t_k])))$
$\overset{2.73}{=} \mathit{map}(\bigwedge, \mathit{pick}([\mathit{enum}(t_1),\dots,\mathit{enum}(t_k)]))$
$\overset{2.84}{=} \mathit{map}(\bigwedge, \mathit{enum}(t_1) \times \dots \times \mathit{enum}(t_k))$
$\overset{2.42}{=} \mathit{map}(\bigwedge, [[\varphi^1_1,\dots,\varphi^k_1],\dots,[\varphi^1_l,\dots,\varphi^k_l]])$
$\overset{2.73}{=} [\bigwedge([\varphi^1_1,\dots,\varphi^k_1]),\dots,\bigwedge([\varphi^1_l,\dots,\varphi^k_l])]$
$\overset{2.85}{=} [\varphi^1_1 \wedge \dots \wedge \varphi^k_1,\dots,\varphi^1_l \wedge \dots \wedge \varphi^k_l]$,
hence the lemma follows with Def. 2.42 and the induction hypothesis.

To define the application of one tree to another, we need further auxiliary functions. An analogue of the $\mathit{map}$ function for trees, $\mathit{treemap}(f, t)$, returns the tree that results from application of $f$ to every element of every leaf of $t$. $\mathit{merge}(g, t_1, t_2)$ applies a binary function $g$ to corresponding leaf elements in two trees $t_1$ and $t_2$ of the same shape. (Note that we will need $\mathit{treemap}$ and $\mathit{merge}$ only for trees that are labeled with lists. The following definitions are therefore adapted to this special case. They can easily be generalized to trees with arbitrary labels, but this would require the use of $\mathit{treemap}(\mathit{map}(f, \cdot), t)$ in place of $\mathit{treemap}(f, t)$, and likewise for $\mathit{merge}$.)

Definition 2.89 (treemap). Let $X$, $Y$ be sets. For $f : X \to Y$ and $t \in \mathit{TreeList}_X$, define $\mathit{treemap}(f, t)$ as follows:
1. If $t = \mathit{Leaf}([x_1,\dots,x_n])$ for some $x_1,\dots,x_n \in X$, then
$\mathit{treemap}(f, t) := \mathit{Leaf}([f(x_1),\dots,f(x_n)])$.
2. If $t = \mathit{Node}([t_1,\dots,t_n])$ for some $t_1,\dots,t_n \in \mathit{TreeList}_X$, then
$\mathit{treemap}(f, t) := \mathit{Node}([\mathit{treemap}(f, t_1),\dots,\mathit{treemap}(f, t_n)])$.

Remark 2.90. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma \in \mathit{Types}_\Omega$. Let $f : P \to P$ and $t \in \mathit{Trees}(\sigma)$. Then $\mathit{treemap}(f, t) \in \mathit{Trees}(\sigma)$.

Proof. By structural induction on $\sigma$.

Definition 2.91 (merge). Let $X$, $Y$ be sets. For $f : X \times X \to Y$ and $t_1, t_2 \in \mathit{TreeList}_X$, define $\mathit{merge}(f, t_1, t_2)$ as follows:


1. If $t_1 = \mathit{Leaf}([a_1,\dots,a_n])$ and $t_2 = \mathit{Leaf}([b_1,\dots,b_n])$ for some $a_1,\dots,a_n,b_1,\dots,b_n \in X$, then $\mathit{merge}(f, t_1, t_2) := \mathit{Leaf}([f(a_1,b_1),\dots,f(a_n,b_n)])$.
2. If $t_1 = \mathit{Node}([u_1,\dots,u_n])$ and $t_2 = \mathit{Node}([v_1,\dots,v_n])$ for some $u_1,\dots,u_n,v_1,\dots,v_n \in \mathit{TreeList}_X$, then
$\mathit{merge}(f, t_1, t_2) := \mathit{Node}([\mathit{merge}(f, u_1, v_1),\dots,\mathit{merge}(f, u_n, v_n)])$.
3. Otherwise, $\mathit{merge}(f, t_1, t_2)$ is undefined.

We extend the definition of $\mathit{merge}$ to any non-empty list $[t_1,\dots,t_n]$ of trees in $\mathit{Trees}(\sigma)$ by defining $\mathit{merge}(f, [t_1]) := t_1$, and $\mathit{merge}(f, [t_1, t_2,\dots,t_n]) := f(t_1, \mathit{merge}(f, [t_2,\dots,t_n]))$ (provided $f$ has type $X \times X \to X$, for some set $X$).

Remark 2.92. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma \in \mathit{Types}_\Omega$. For $f : P \times P \to P$ and $t_1, t_2 \in \mathit{Trees}(\sigma)$, $\mathit{merge}(f, t_1, t_2)$ is (defined and) in $\mathit{Trees}(\sigma)$. Furthermore, for $t_1,\dots,t_n \in \mathit{Trees}(\sigma)$, $n \ge 1$, $\mathit{merge}(f, [t_1,\dots,t_n])$ is (defined and) in $\mathit{Trees}(\sigma)$.

Proof. The first claim follows by structural induction on $\sigma$, while the second claim follows by structural induction on the (non-empty) list $[t_1,\dots,t_n]$.

Finally we can define a translation function $\mathit{apply}$ which corresponds to function application. $\mathit{apply}(t, u)$, where $t$ is a tree representing a function, and $u$ is a tree for the function's argument, is a tree that encodes the value of the function when applied to this specific argument. The tree's leafs are labeled with propositional formulae that simulate selection of the correct subtree of $t$, based on the value denoted by the argument tree $u$.

Definition 2.93 (apply). Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma, \sigma' \in \mathit{Types}_\Omega$. Let $t \in \mathit{Trees}(\sigma \to \sigma')$ and $u \in \mathit{Trees}(\sigma)$. Assume $t = \mathit{Node}([t_1,\dots,t_k])$ with $t_1,\dots,t_k \in \mathit{Trees}(\sigma')$, and $\mathit{enum}(u) = [\varphi_1,\dots,\varphi_k]$ (where $k = |[\![\sigma]\!]_{E,M}|$). Define $\mathit{apply}(t, u)$ as follows:
$\mathit{apply}(t, u) := \mathit{merge}(\vee, [\mathit{treemap}((\varphi_1 \wedge \cdot), t_1),\dots,\mathit{treemap}((\varphi_k \wedge \cdot), t_k)])$.

Remark 2.94. Let $t \in \mathit{Trees}(\sigma \to \sigma')$ and $u \in \mathit{Trees}(\sigma)$. Then $\mathit{apply}(t, u) \in \mathit{Trees}(\sigma')$.

Proof. Immediate, using Remark 2.92 and Remark 2.90.

The following lemma shows that the meaning of $\mathit{apply}$ is indeed that of function application.

Lemma 2.95. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma, \sigma' \in \mathit{Types}_\Omega$. Let $t \in \mathit{Trees}(\sigma \to \sigma')$ and $u \in \mathit{Trees}(\sigma)$. Let $A$ be a truth assignment that is well-formed wrt. $t$ and $u$. Then
$[\![\mathit{apply}(t, u)]\!]_{\sigma',A} = [\![t]\!]_{\sigma \to \sigma',A}([\![u]\!]_{\sigma,A})$.

Proof. Assume $t = \mathit{Node}([t_1,\dots,t_k])$ with $t_1,\dots,t_k \in \mathit{Trees}(\sigma')$, and $\mathit{enum}(u) = [\varphi_1,\dots,\varphi_k]$ (where $k = |[\![\sigma]\!]_{E,M}|$). Furthermore, assume $[\![\sigma]\!]_{E,M} = [d_1,\dots,d_k]$, and $[\![u]\!]_{\sigma,A} = d_j$ (for some $1 \le j \le k$). Then $[\![\varphi_j]\!]_A = \top$, and for each $1 \le i \le k$ with $i \neq j$, $[\![\varphi_i]\!]_A = \bot$ (by Lemma 2.88).

The proof is by structural induction on $\sigma'$.

If $\sigma' \in \mathit{TyVars}$ or $\sigma' = (\sigma_1,\dots,\sigma_n)c$ with $c \in \mathit{TyNames} \setminus \{\to\}$, then (for each $1 \le i \le k$) $t_i = \mathit{Leaf}([x^i_1,\dots,x^i_l])$ for some $x^i_1,\dots,x^i_l \in P$, where $l = |[\![\sigma']\!]_{E,M}|$. In this case,
$[\![\mathit{apply}(t, u)]\!]_{\sigma',A} \overset{2.93}{=} [\![\mathit{merge}(\vee, [\mathit{treemap}((\varphi_1 \wedge \cdot), t_1),\dots,\mathit{treemap}((\varphi_k \wedge \cdot), t_k)])]\!]_{\sigma',A}$
$\overset{2.89}{=} [\![\mathit{merge}(\vee, [\mathit{Leaf}([\varphi_1 \wedge x^1_1,\dots,\varphi_1 \wedge x^1_l]),\dots,\mathit{Leaf}([\varphi_k \wedge x^k_1,\dots,\varphi_k \wedge x^k_l])])]\!]_{\sigma',A}$
$\overset{2.91}{=} [\![\mathit{Leaf}([\textstyle\bigvee_{i=1}^k \varphi_i \wedge x^i_1,\dots,\bigvee_{i=1}^k \varphi_i \wedge x^i_l])]\!]_{\sigma',A}$
$\overset{2.60}{=} [\![\mathit{Leaf}([x^j_1,\dots,x^j_l])]\!]_{\sigma',A}$
$= [\![t_j]\!]_{\sigma',A}$
$\overset{2.60}{=} [\![\mathit{Node}([t_1,\dots,t_k])]\!]_{\sigma \to \sigma',A}(d_j)$
$= [\![t]\!]_{\sigma \to \sigma',A}([\![u]\!]_{\sigma,A})$.

If $\sigma' = \sigma_1 \to \sigma_2$ with $\sigma_1, \sigma_2 \in \mathit{Types}_\Omega$, then (for each $1 \le i \le k$) $t_i = \mathit{Node}([t^i_1,\dots,t^i_l])$ for some $t^i_1,\dots,t^i_l \in \mathit{Trees}(\sigma_2)$, where $l = |[\![\sigma_1]\!]_{E,M}|$. In this case,
$[\![\mathit{apply}(t, u)]\!]_{\sigma',A} \overset{2.93}{=} [\![\mathit{merge}(\vee, [\mathit{treemap}((\varphi_1 \wedge \cdot), t_1),\dots,\mathit{treemap}((\varphi_k \wedge \cdot), t_k)])]\!]_{\sigma',A}$
$\overset{2.89}{=} [\![\mathit{merge}(\vee, [\mathit{Node}([\mathit{treemap}((\varphi_1 \wedge \cdot), t^1_1),\dots,\mathit{treemap}((\varphi_1 \wedge \cdot), t^1_l)]),\dots,\mathit{Node}([\mathit{treemap}((\varphi_k \wedge \cdot), t^k_1),\dots,\mathit{treemap}((\varphi_k \wedge \cdot), t^k_l)])])]\!]_{\sigma',A}$
$\overset{2.91}{=} [\![\mathit{Node}([\mathit{merge}(\vee, [\mathit{treemap}((\varphi_1 \wedge \cdot), t^1_1),\dots,\mathit{treemap}((\varphi_k \wedge \cdot), t^k_1)]),\dots,\mathit{merge}(\vee, [\mathit{treemap}((\varphi_1 \wedge \cdot), t^1_l),\dots,\mathit{treemap}((\varphi_k \wedge \cdot), t^k_l)])])]\!]_{\sigma',A}$
$\overset{2.93}{=} [\![\mathit{Node}([\mathit{apply}(\mathit{Node}([t^1_1,\dots,t^k_1]), u),\dots,\mathit{apply}(\mathit{Node}([t^1_l,\dots,t^k_l]), u)])]\!]_{\sigma',A}$
$\overset{IH}{=} [\![\mathit{Node}([t^j_1,\dots,t^j_l])]\!]_{\sigma',A}$
$= [\![t_j]\!]_{\sigma',A}$
$\overset{2.60}{=} [\![\mathit{Node}([t_1,\dots,t_k])]\!]_{\sigma \to \sigma',A}(d_j)$
$= [\![t]\!]_{\sigma \to \sigma',A}([\![u]\!]_{\sigma,A})$.

In particular, $[\![\mathit{apply}(t, u)]\!]_{\sigma',A} \in [\![\sigma']\!]_{E,M}$. Thus every truth assignment that is well-formed wrt. $t$ and $u$ is also well-formed wrt. $\mathit{apply}(t, u)$.

Lemma 2.96. Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\sigma, \sigma' \in \mathit{Types}_\Omega$. Let $t \in \mathit{Trees}(\sigma \to \sigma')$

andu∈Trees(σ).LetAbeatruthassignmentthatiswell-formedwrt.tandu.ThenAis
well-formedwrt.apply(t,u).

Proof.ThisisanimmediateconsequenceofLemma2.95andLemma2.66.

Alternatively,andsimilartoLemma2.81,itcanbeproveddirectlyalso,bystructuralinduction
.σon

reesTtoranslationTHavingconsideredvariables,constants,λ-abstractionandapplication,wearenowreadyto
definethetranslationTfromtermstotreesofpropositionalformulae.Thetranslationis
parameterizedbyatreeassignmentT¯,whichisupdatedwhenthetranslationdescendsinto
thebodyofaλ-abstractiontogivethetreefortheboundvariable.(Isabelleinternallyuses
deBruijnindices[47]torepresentboundvariables,sointheactualimplementationofour
translation,amappingfromindices—ratherthanvariables—totreesisextendedeverytime
aλisencountered.TermswithdeBruijnindiceshoweverarenotparticularlyeasytoreadfor
humans,andforthesakeofclarity,wehaveinsteadchosentousetermswithvariablenames
tation.)presenthisinDefinition2.97(TranslationfromTermstoTrees).LetΣ=(Vars,Names,Typ)beasigna-
tureoverastandardtypestructureΩ.LetEbeafinitetypeenvironmentforΩ,andletM
beafinitestandardtypemodelforΩ.LetT¯andM¯beatreeassignmentandatreemodel,
respectively,forΣ(wrt.EandM).ThetranslationTT¯,M¯(tσ)ofatermtσ∈TermsΣwrt.T¯
andM¯isdefinedasfollows:
1.Ift∈Vars,thenTT¯,M¯(tσ):=T¯(tσ).
2.Ift∈Names,thenTT¯,M¯(tσ):=M¯(tσ).
3.Iftσ=(tσ1→σtσ2)σforsometσ1→σ,tσ2∈TermsΣ,then
TT¯,M¯(tσ):=apply(TT¯,M¯(tσ1→σ),TT¯,M¯(tσ2)).
4.Iftσ=(λxσ1.tσ2)σ1→σ2forsomex∈Vars,σ1∈TypesΩandtσ2∈TermsΣ,then
TT¯,M¯(tσ):=Node([t1,...,tn]),
wheren=|[[σ1]]E,M|,consts(σ1)=[c1,...,cn],and(for1≤i≤n)
ti:=TT¯[xσ1→ci],M¯(tσ2).
WefirstprovethatthetranslationofatermtσisanelementofTrees(σ).
Remark2.98.Lettσ∈TermsΣ.ThenTT¯,M¯(tσ)∈Trees(σ).


Proof. The proof is by structural induction on $t_\sigma$. If $t \in \mathit{Vars}$ or $t \in \mathit{Names}$, the claim follows immediately from Def. 2.67 and Def. 2.68, respectively.

If $t_\sigma = (t^1_{\sigma' \to \sigma}\; t^2_{\sigma'})_\sigma$ for some $t^1_{\sigma' \to \sigma}, t^2_{\sigma'} \in \mathit{Terms}_\Sigma$, then $\mathcal{T}_{\bar T,\bar M}(t^1_{\sigma' \to \sigma}) \in \mathit{Trees}(\sigma' \to \sigma)$ and $\mathcal{T}_{\bar T,\bar M}(t^2_{\sigma'}) \in \mathit{Trees}(\sigma')$ by the induction hypothesis. Hence $\mathcal{T}_{\bar T,\bar M}(t_\sigma) \in \mathit{Trees}(\sigma)$ by Remark 2.94.

If $t_\sigma = (\lambda x_{\sigma_1}.\; t'_{\sigma_2})_{\sigma_1 \to \sigma_2}$ for some $x \in \mathit{Vars}$, $\sigma_1 \in \mathit{Types}_\Omega$ and $t'_{\sigma_2} \in \mathit{Terms}_\Sigma$, then $\bar T[x_{\sigma_1} \mapsto c_i]$ (for $1 \le i \le n$, where $n = |[\![\sigma_1]\!]_{E,M}|$ and $\mathit{consts}(\sigma_1) = [c_1,\dots,c_n]$) is a tree assignment for $\Sigma$ (wrt. $E$ and $M$) due to Remark 2.79. Hence each $\mathcal{T}_{\bar T[x_{\sigma_1} \mapsto c_i],\bar M}(t'_{\sigma_2})$ (for $1 \le i \le n$) is in $\mathit{Trees}(\sigma_2)$ by the induction hypothesis. Thus $\mathcal{T}_{\bar T,\bar M}(t_\sigma) \in \mathit{Trees}(\sigma_1 \to \sigma_2)$ (Def. 2.58).

Next we show that the translation preserves the meaning of terms (wrt. their HOL semantics, while the meaning of the translation result is given by its tree semantics).

Theorem 2.99. Let $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ be a signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\mathcal{A}$ be a variable assignment and $\mathcal{M}$ be a term model for $\Sigma$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). Let $t_\sigma \in \mathit{Terms}_\Sigma$. Suppose $A$ is a truth assignment such that $[\![\bar T(x_\sigma)]\!]_{\sigma,A} = \mathcal{A}(x_\sigma)$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![\bar M(c_\sigma)]\!]_{\sigma,A} = \mathcal{M}(c_\sigma)$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$. Then
$[\![\mathcal{T}_{\bar T,\bar M}(t_\sigma)]\!]_{\sigma,A} = [\![t_\sigma]\!]_{\mathcal{A},\mathcal{M}}$.

Proof. The proof is by structural induction on $t_\sigma$. If $t = x \in \mathit{Vars}$ or $t = c \in \mathit{Names}$, the claim follows immediately from $[\![\bar T(x_\sigma)]\!]_{\sigma,A} = \mathcal{A}(x_\sigma)$ or $[\![\bar M(c_\sigma)]\!]_{\sigma,A} = \mathcal{M}(c_\sigma)$, respectively.

If $t_\sigma = (t^1_{\sigma' \to \sigma}\; t^2_{\sigma'})_\sigma$ for some $t^1_{\sigma' \to \sigma}, t^2_{\sigma'} \in \mathit{Terms}_\Sigma$, then $[\![\mathcal{T}_{\bar T,\bar M}(t^1_{\sigma' \to \sigma})]\!]_{\sigma' \to \sigma,A} = [\![t^1_{\sigma' \to \sigma}]\!]_{\mathcal{A},\mathcal{M}}$ and $[\![\mathcal{T}_{\bar T,\bar M}(t^2_{\sigma'})]\!]_{\sigma',A} = [\![t^2_{\sigma'}]\!]_{\mathcal{A},\mathcal{M}}$ by the induction hypothesis. Hence
$[\![\mathcal{T}_{\bar T,\bar M}(t_\sigma)]\!]_{\sigma,A} = [\![t^1_{\sigma' \to \sigma}]\!]_{\mathcal{A},\mathcal{M}}([\![t^2_{\sigma'}]\!]_{\mathcal{A},\mathcal{M}})$
by Lemma 2.95.

If $t_\sigma = (\lambda x_{\sigma_1}.\; t'_{\sigma_2})_{\sigma_1 \to \sigma_2}$ for some $x \in \mathit{Vars}$, $\sigma_1 \in \mathit{Types}_\Omega$ and $t'_{\sigma_2} \in \mathit{Terms}_\Sigma$, then $[\![\mathcal{T}_{\bar T,\bar M}(t_\sigma)]\!]_{\sigma,A}$ is defined as the function that sends each $d_i \in [\![\sigma_1]\!]_{E,M}$ (for $1 \le i \le n$, where $n = |[\![\sigma_1]\!]_{E,M}|$, $[\![\sigma_1]\!]_{E,M} = [d_1,\dots,d_n]$, and $\mathit{consts}(\sigma_1) = [c_1,\dots,c_n]$) to $[\![\mathcal{T}_{\bar T[x_{\sigma_1} \mapsto c_i],\bar M}(t'_{\sigma_2})]\!]_{\sigma_2,A}$, which is equal to $[\![t'_{\sigma_2}]\!]_{\mathcal{A}[x_{\sigma_1} \mapsto d_i],\mathcal{M}}$ by the induction hypothesis and Lemma 2.80.

We now state the main result of this section: there is a well-formed truth assignment under which the tree that results from translating $t_\sigma$ denotes $d \in [\![\sigma]\!]_{E,M}$ if and only if there exist a variable assignment $\mathcal{A}$ and a standard term model $\mathcal{M}$ such that $[\![t_\sigma]\!]_{\mathcal{A},\mathcal{M}} = d$.

Theorem 2.100. Let $\Sigma = (\mathit{Vars}, \mathit{Names}, \mathit{Typ})$ be a standard signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). Assume that $\bar T$ and $\bar M$ are standard (wrt. each other). Let $t_\sigma \in \mathit{Terms}_\Sigma$, and let $d \in [\![\sigma]\!]_{E,M}$.

There exist a variable assignment $\mathcal{A}$ and a standard term model $\mathcal{M}$ (for $\Sigma$) such that
$[\![t_\sigma]\!]_{\mathcal{A},\mathcal{M}} = d$


iff there exists a truth assignment $A$ that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$ such that $[\![\mathcal{T}_{\bar T,\bar M}(t_\sigma)]\!]_{\sigma,A} = d$.

Proof. Assume that $\mathcal{A}$ is a variable assignment and $\mathcal{M}$ is a standard term model for $\Sigma$ such that $[\![t_\sigma]\!]_{\mathcal{A},\mathcal{M}} = d$. Then by Lemma 2.71, there exists a truth assignment $A$ that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$ such that $[\![\bar T(x_\sigma)]\!]_{\sigma,A} = \mathcal{A}(x_\sigma)$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![\bar M(c_\sigma)]\!]_{\sigma,A} = \mathcal{M}(c_\sigma)$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$. Hence $[\![\mathcal{T}_{\bar T,\bar M}(t_\sigma)]\!]_{\sigma,A} = d$ by Theorem 2.99.

For the other direction of the equivalence, assume that $A$ is a truth assignment that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_\sigma)) \cup \bar M(\mathit{Names}(t_\sigma))$ such that $[\![\mathcal{T}_{\bar T,\bar M}(t_\sigma)]\!]_{\sigma,A} = d$. Then, again by Lemma 2.71, there exist a variable assignment $\mathcal{A}$ and a standard term model $\mathcal{M}$ (for $\Sigma$) such that $[\![\bar T(x_\sigma)]\!]_{\sigma,A} = \mathcal{A}(x_\sigma)$ for every $x_\sigma \in \mathit{FreeVars}(t_\sigma)$, and $[\![\bar M(c_\sigma)]\!]_{\sigma,A} = \mathcal{M}(c_\sigma)$ for every $c_\sigma \in \mathit{Names}(t_\sigma)$. Hence $[\![t_\sigma]\!]_{\mathcal{A},\mathcal{M}} = d$ by Theorem 2.99.

As an immediate corollary, a HOL formula is satisfiable iff its translation denotes $\top$ under some well-formed truth assignment.

Corollary 2.101. Let $\Sigma$ be a standard signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). Assume that $\bar T$ and $\bar M$ are standard (wrt. each other). Let $t_{bool} \in \mathit{Terms}_\Sigma$.

Then $t_{bool}$ is satisfiable wrt. $E$ and $M$ iff there exists a truth assignment $A$ that is well-formed wrt. $\bar T(\mathit{FreeVars}(t_{bool})) \cup \bar M(\mathit{Names}(t_{bool}))$ such that $[\![\mathcal{T}_{\bar T,\bar M}(t_{bool})]\!]_{bool,A} = \top$.

Proof. Recall that a formula is satisfiable wrt. $E$ and $M$ iff its meaning (wrt. some variable assignment and standard term model for $\Sigma$) is $\top$. Choose $\sigma = bool$ and $d = \top$ in Theorem 2.100.

Translation to Propositional Logic

$\mathcal{T}_{\bar T,\bar M}(t_{bool})$ is still not a propositional formula, but a tree in $\mathit{Trees}(bool)$, i.e. of the form $\mathit{Leaf}([\varphi_1, \varphi_2])$ for some formulae $\varphi_1, \varphi_2 \in P$. Obtaining a single propositional formula however is a rather small final step now. By Def. 2.60 and Def. 2.41,
$[\![\mathit{Leaf}([\varphi_1, \varphi_2])]\!]_{bool,A} = \top$ iff $[\![\varphi_1]\!]_A = \top$ and $[\![\varphi_2]\!]_A = \bot$.
This motivates the following definition.

Definition 2.102 (Translation from Terms to Propositional Formulae). Let $\Omega$ be a standard type structure, let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\Sigma$ be a signature over $\Omega$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). The propositional formula $\phi_{\bar T,\bar M}(t_{bool})$ for a term $t_{bool} \in \mathit{Terms}_\Sigma$ wrt. $\bar T$ and $\bar M$ is defined as follows:
$\phi_{\bar T,\bar M}(t_{bool}) := \varphi_1 \wedge \neg\varphi_2 \wedge \bigwedge \mathit{wf}(\bar T(\mathit{FreeVars}(t_{bool}))) \wedge \bigwedge \mathit{wf}(\bar M(\mathit{Names}(t_{bool})))$
where $\mathcal{T}_{\bar T,\bar M}(t_{bool}) = \mathit{Leaf}([\varphi_1, \varphi_2])$.


A HOL formula $t_{bool}$ is satisfiable (wrt. a fixed finite type environment and model) iff its corresponding propositional formula is satisfiable.

Corollary 2.103. Let $\Sigma$ be a signature over a standard type structure $\Omega$. Let $E$ be a finite type environment for $\Omega$, and let $M$ be a finite standard type model for $\Omega$. Let $\bar T$ and $\bar M$ be a tree assignment and a tree model, respectively, for $\Sigma$ (wrt. $E$ and $M$). Assume that $\bar T$ and $\bar M$ are standard (wrt. each other). Let $t_{bool} \in \mathit{Terms}_\Sigma$.

Then $t_{bool}$ is satisfiable wrt. $E$ and $M$ iff $\phi_{\bar T,\bar M}(t_{bool})$ is (propositionally) satisfiable.

Proof. This is a direct consequence of Corollary 2.101 and Lemma 2.65.

We have thus defined (and proved correct) a satisfiability-equivalent translation from HOL to propositional logic, which is exactly what we had set out to do at the beginning of this section.

2.3.4 Examples

As an example, consider the formula
$t_{bool} := ((\lambda x_\alpha.\; x_\alpha)_{\alpha \to \alpha} \; {=}_{(\alpha \to \alpha) \to (\alpha \to \alpha) \to bool} \; y_{\alpha \to \alpha})_{bool}$
(with $=$ written in infix notation). Its only type variable is $\alpha$, and its only free variable is $y_{\alpha \to \alpha}$. Assume $E$ is a type environment with $E(\alpha) = [a_1, a_2]$, and let $M$ be an arbitrary standard type model (hence $|[\![\alpha \to \alpha]\!]_{E,M}| = 2^2 = 4$). A possible standard tree assignment $\bar T$ is given by
$\bar T(y_{\alpha \to \alpha}) := \mathit{Node}([\mathit{Leaf}([y_1, y_2]), \mathit{Leaf}([y_3, y_4])])$,
where $y_1, y_2, y_3, y_4$ are four distinct Boolean variables. Furthermore, let $\bar M$ be an arbitrary standard tree model. The subterms of $t_{bool}$ are then translated into the following trees:
$\mathcal{T}_{\bar T,\bar M}((\lambda x_\alpha.\; x_\alpha)_{\alpha \to \alpha}) = \mathit{Node}([\mathit{Leaf}([\mathit{True}, \mathit{False}]), \mathit{Leaf}([\mathit{False}, \mathit{True}])])$,
$\mathcal{T}_{\bar T,\bar M}({=}_{(\alpha \to \alpha) \to (\alpha \to \alpha) \to bool}) = \mathit{Node}([\mathit{Node}(\mathit{UV}^4_1), \dots, \mathit{Node}(\mathit{UV}^4_4)])$,
$\mathcal{T}_{\bar T,\bar M}(y_{\alpha \to \alpha}) = \mathit{Node}([\mathit{Leaf}([y_1, y_2]), \mathit{Leaf}([y_3, y_4])])$.

Using the translation rule for application (and simplifying the resulting formulae), we thus have
$\mathcal{T}_{\bar T,\bar M}({=}_{(\alpha \to \alpha) \to (\alpha \to \alpha) \to bool}\; (\lambda x_\alpha.\; x_\alpha)_{\alpha \to \alpha}) = \mathit{Node}([\mathit{Bot}, \mathit{Top}, \mathit{Bot}, \mathit{Bot}])$
(where the position of $\mathit{Top}$ reflects that the identity function, due to the use of the lexicographic order, is the second element of the function space $[\![\alpha \to \alpha]\!]_{E,M}$) and
$\mathcal{T}_{\bar T,\bar M}(t_{bool}) = \mathit{Leaf}([y_1 \wedge y_4,\; (y_1 \wedge y_3) \vee (y_2 \wedge y_3) \vee (y_2 \wedge y_4)])$.
Additionally two well-formedness formulae are constructed for $\bar T(y_{\alpha \to \alpha})$, namely
$\mathit{wf}([y_1, y_2]) = \neg y_1 \vee \neg y_2$
and $\mathit{wf}([y_3, y_4]) = \neg y_3 \vee \neg y_4$.

Hence the only satisfying assignment for $\phi_{\bar T,\bar M}(t_{bool})$ is given by $A(y_1) := A(y_4) := \top$, $A(y_2) := A(y_3) := \bot$. This assignment corresponds to an interpretation of $y_{\alpha \to \alpha}$ as the function that maps $a_1$ to $a_1$ and $a_2$ to $a_2$ (i.e. as the identity function on $\{a_1, a_2\}$, which is of course just what the original formula states: namely that $y_{\alpha \to \alpha}$ is equal to the identity function). On the other hand, there are three well-formed falsifying assignments; e.g. $A(y_1) := A(y_3) := \top$, $A(y_2) := A(y_4) := \bot$. This particular assignment corresponds to an interpretation of $y_{\alpha \to \alpha}$ as the function that maps both $a_1$ and $a_2$ to $a_1$.

Table 2.1 shows a few examples of formulae for which our algorithm can automatically find a countermodel. Type annotations are suppressed, and functions in the countermodel are given by their graphs. "$\exists!$" denotes unique existence, defined as usual:
$(\exists! x.\; P\,x) := (\exists x.\; P\,x \wedge (\forall y.\; P\,y \Longrightarrow y = x))$.
The countermodels are rather small, and were all found within a few milliseconds on a current personal computer. The main purpose of these examples is to illustrate the expressive power of the underlying logic. Some larger case studies are discussed in Chapter 4.

Table 2.1: Refutable HOL formulae (examples)

Property / Formula                                                                 | Countermodel
"Every function that is onto is invertible."                                      | $E(\alpha) = \{a_1, a_2\}$, $E(\beta) = \{b_1\}$
$(\forall y.\; \exists x.\; f\,x = y) \Longrightarrow (\exists g.\; \forall x.\; g\,(f\,x) = x)$ | $f = \{(a_1, b_1), (a_2, b_1)\}$
"There exists a unique choice function."                                          | $E(\alpha) = \{a_1\}$, $E(\beta) = \{b_1, b_2\}$
$(\forall x.\; \exists y.\; P\,x\,y) \Longrightarrow (\exists! f.\; \forall x.\; P\,x\,(f\,x))$ | $P = \{(a_1, \{(b_1, \top), (b_2, \top)\})\}$
"The transitive closure of $A \cap B$ is equal to the intersection of the transitive closures of $A$ and $B$." | $E(\alpha) = \{a_1, a_2\}$, $A = \{(a_1, a_2), (a_2, a_1), (a_2, a_2)\}$, $B = \{(a_1, a_1), (a_2, a_1), (a_2, a_2)\}$
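The definitions of this section (constant trees and unit vectors, Defs. 2.76 and 2.77; the generalized $\mathit{pick}$, Def. 2.82; $\mathit{enum}$, Def. 2.86; $\mathit{treemap}$, $\mathit{merge}$ and $\mathit{apply}$, Defs. 2.89 to 2.93; the translation of Def. 2.97; the standard trees for equality of Def. 2.69; and the final formula of Def. 2.102) can be exercised directly on Example 2.3.4. The following Python program is an added illustration written for this page; it is not the thesis's own implementation (which lives in Isabelle's ML) and its encodings are assumptions: types are 'bool', a type-variable name, or ('fun', s1, s2); trees are ('Leaf', [...]) and ('Node', [...]); formulae are small tuples whose And/Or constructors fold constants so that the output matches the simplified formulae shown above. Its wf follows Lemma 2.65 in full (at-least-one and at-most-one per label), and models enumerates all truth assignments in place of a SAT solver.

```python
"""Tree translation of HOL terms (Section 2.3) run on the example of Section 2.3.4.
Added illustration, not the thesis's ML code.  Assumed encodings: types are 'bool', a
type-variable name or ('fun', s1, s2); trees are ('Leaf', [...]) / ('Node', [...]);
formulae are ('var', n), ('const', b), ('not', f), ('and', f, g), ('or', f, g)."""
from itertools import combinations, count, product

TRUE, FALSE = ('const', True), ('const', False)

def And(a, b):  # conjunction with constant folding
    if a == FALSE or b == FALSE: return FALSE
    return b if a == TRUE else a if b == TRUE else ('and', a, b)
def Or(a, b):   # disjunction with constant folding
    if a == TRUE or b == TRUE: return TRUE
    return b if a == FALSE else a if b == FALSE else ('or', a, b)
def Not(a):
    return ('const', not a[1]) if a[0] == 'const' else ('not', a)

def holds(phi, A):  # [[phi]]_A for a truth assignment A: {variable name: bool}
    tag = phi[0]
    if tag == 'const': return phi[1]
    if tag == 'var': return A[phi[1]]
    if tag == 'not': return not holds(phi[1], A)
    if tag == 'and': return holds(phi[1], A) and holds(phi[2], A)
    return holds(phi[1], A) or holds(phi[2], A)

def Leaf(l): return ('Leaf', list(l))
def Node(l): return ('Node', list(l))
TOP, BOT = Leaf([TRUE, FALSE]), Leaf([FALSE, TRUE])  # Top and Bot of Def. 2.69

def size(sigma, E):  # |[[sigma]]_{E,M}| for a standard type model (Remark 2.39)
    if sigma == 'bool': return 2
    if isinstance(sigma, str): return E[sigma]
    return size(sigma[2], E) ** size(sigma[1], E)

def pick(ys):  # Def. 2.82: Y1 x ... x Yn in lexicographic order, as a list of lists
    return [list(p) for p in product(*ys)]

def consts(sigma, E):  # Def. 2.77, with the unit vectors of Def. 2.76 at the leaves
    if isinstance(sigma, str):
        k = size(sigma, E)
        return [Leaf([TRUE if i == n else FALSE for i in range(k)]) for n in range(k)]
    return [Node(ts) for ts in pick([consts(sigma[2], E)] * size(sigma[1], E))]

def conj(phis):  # Def. 2.85 (conjunction of a list of formulae)
    acc = TRUE
    for p in phis: acc = And(acc, p)
    return acc

def enum(t):  # Def. 2.86: the i-th formula holds iff t denotes the i-th element of its type
    return t[1] if t[0] == 'Leaf' else [conj(c) for c in pick([enum(s) for s in t[1]])]

def treemap(f, t):  # Def. 2.89
    return Leaf(map(f, t[1])) if t[0] == 'Leaf' else Node(treemap(f, s) for s in t[1])

def merge(f, t1, t2):  # Def. 2.91, binary case
    if t1[0] == 'Leaf': return Leaf(f(a, b) for a, b in zip(t1[1], t2[1]))
    return Node(merge(f, u, v) for u, v in zip(t1[1], t2[1]))

def apply(t, u):  # Def. 2.93: guard subtree i of t by "u denotes element i", then OR them
    guarded = [treemap(lambda x, p=p: And(p, x), ti) for p, ti in zip(enum(u), t[1])]
    acc = guarded[-1]
    for g in reversed(guarded[:-1]): acc = merge(Or, g, acc)
    return acc

def standard_tree(sigma, E, names):  # Def. 2.69 (1, 5): fresh Boolean variables in every label
    if isinstance(sigma, str): return Leaf(('var', next(names)) for _ in range(size(sigma, E)))
    return Node(standard_tree(sigma[2], E, names) for _ in range(size(sigma[1], E)))

def eq_tree(sigma, E):  # Def. 2.69 (4): the fixed tree for equality at type sigma
    k = size(sigma, E)
    return Node(Node(TOP if i == n else BOT for i in range(k)) for n in range(k))

def wf(t):  # well-formedness formulae of Lemma 2.65: exactly one true element per label
    if t[0] == 'Node': return conj(wf(s) for s in t[1])
    at_least_one = FALSE
    for x in t[1]: at_least_one = Or(at_least_one, x)
    return And(at_least_one, conj(Or(Not(x), Not(y)) for x, y in combinations(t[1], 2)))

def translate(term, E, T_bar, M_bar):
    """Def. 2.97.  Terms: ('var', x, s), ('const', c, s), ('app', f, a), ('lam', x, s1, body)."""
    tag = term[0]
    if tag == 'var': return T_bar[term[1]]
    if tag == 'const': return M_bar[term[1]]
    if tag == 'app':
        return apply(translate(term[1], E, T_bar, M_bar), translate(term[2], E, T_bar, M_bar))
    _, x, sigma1, body = term  # one copy of the body per element of [[sigma1]] (via consts)
    return Node(translate(body, E, {**T_bar, x: c}, M_bar) for c in consts(sigma1, E))

def propositional_formula(term, E, T_bar, M_bar):  # Def. 2.102
    phi1, phi2 = translate(term, E, T_bar, M_bar)[1]
    return conj([phi1, Not(phi2)] + [wf(t) for t in list(T_bar.values()) + list(M_bar.values())])

def example():  # Example 2.3.4: (lambda x. x) = y at type alpha -> alpha, E(alpha) = [a1, a2]
    E, aa = {'alpha': 2}, ('fun', 'alpha', 'alpha')
    ident = ('lam', 'x', 'alpha', ('var', 'x', 'alpha'))
    t = ('app', ('app', ('const', '=', ('fun', aa, ('fun', aa, 'bool'))), ident), ('var', 'y', aa))
    T_bar = {'y': standard_tree(aa, E, (f'y{i}' for i in count(1)))}
    M_bar = {'=': eq_tree(aa, E)}
    return E, T_bar, M_bar, t

def models(phi, names):  # brute force over all truth assignments (stand-in for the SAT solver)
    return [A for vals in product([True, False], repeat=len(names))
            for A in [dict(zip(names, vals))] if holds(phi, A)]
```

Calling example(), then propositional_formula and models over y1 to y4, returns the single satisfying assignment $y_1 = y_4 = \top$, $y_2 = y_3 = \bot$ described above; apply(M_bar['='], translate(ident, ...)) returns Node([Bot, Top, Bot, Bot]), and enum of the identity tree is [False, True, False, False], the identity being the second element of the function space in lexicographic order.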

2.4 Model Generation

Translating the HOL input formula to propositional logic, while crucial, is only the first part of the task that the model generation algorithm must accomplish. Next, a satisfying assignment for the resulting propositional formula must be found, and this assignment must be translated back into a HOL model, which is then displayed to the user of the Isabelle system. If no satisfying assignment can be found, the translation is repeated for larger types.

2.4.1 Finding a Satisfying Assignment

Satisfiability of the resulting propositional formula can be tested with an off-the-shelf SAT solver. To this end translations into DIMACS SAT and DIMACS CNF format [50] have been implemented. The translation into SAT format is trivial, whereas CNF format (supported by zChaff [119], BerkMin [59] and other state-of-the-art solvers) requires the Boolean formula to be in conjunctive normal form. We translate into definitional CNF [161] to avoid an exponential blowup at this stage, introducing auxiliary Boolean variables where necessary. A more sophisticated CNF conversion might further enhance the performance of our approach [83].

Isabelle/HOL runs on a number of different platforms, and installation should be as simple as possible. Therefore we have also implemented a naive DPLL-based [45, 178] SAT solver in Isabelle. This solver is not meant to replace the external solver for serious applications, but it has proved to be efficient enough for small examples. Hence it allows users to experiment with the countermodel generation without them having to worry about the installation and configuration of an additional tool that is external to Isabelle/HOL.

If the SAT solver cannot find a satisfying assignment, the translation is repeated for a larger type environment and standard type model. Details of this loop are explained in the following paragraphs.

2.4.2 Type Environments and Type Models

The translation to propositional logic defined in Section 2.3 requires that we fix a finite type environment E and a finite standard type model M, at least for those — finitely many — type variables and type constructors, respectively, that occur in the typing of t_bool. Remember that types denote non-empty sets. Initially, we fix E and M such that each type variable and each type constructor (other than bool and →) is mapped to a singleton set. If translating t_bool wrt. this type environment and model yields an unsatisfiable propositional formula, we proceed by employing a function that incrementally assigns larger sets to types. After the initial singleton set assignment, we try every assignment which maps all but one type to a singleton set, and the remaining type to a two-element set. Next, every assignment is tried which maps either two types to two-element sets, or one type to a three-element set (and all remaining types to singleton sets). In this way, we can enumerate all possible assignments of (finite, non-isomorphic) sets to the types that occur in t_bool: if there are k ≥ 1 types in t_bool, and the total number of individuals (i.e. the sum of the sizes of sets assigned to these types) is n ≥ k, then after assigning one individual to each type, there are n − k individuals which can be assigned to types freely; hence there are

\binom{n-1}{n-k} = \binom{n-1}{k-1} = \frac{(n-1)!}{(k-1)!\,(n-k)!}

assignments to consider. If k = 0, i.e. t_bool contains no types other than bool and →, whose interpretation is fixed, then translating t_bool once will determine its satisfiability.

Note that it would clearly not be sufficient to assign the same size to every type. Consider the formula

(∃x_α y_α. x_α ≠ y_α) ∧ (∀x_β y_β. x_β = y_β)

for example, which states that type α has size at least 2, while type β has size 1. This formula is obviously satisfiable wrt. a finite model, but using equinumerous sets to interpret α and β would not find this satisfying model.

On the other hand, any enumeration of all assignments (of positive sizes to types) would do for our purposes. Using the enumeration described above, which minimizes the sum of the sizes of all sets that are assigned to types, was merely a design choice, driven by our desire to obtain small models.

fun findmodel (t : term) : typeenvironment * typemodel *
                           treeassignment * treemodel * truthassignment =
  let
    V = tyvars t
    T = tynames t
    F = freevars t
    N = names t
    E := singletontypeenvironment V
    M := singletontypemodel T
    T̄ := treeassignment (F, !E, !M)
    M̄ := treemodel (N, !E, !M)
    sat := satsolver (φ_{T̄,M̄} t)
  in
    while (!sat = Unsatisfiable) do
      ((E, M) := nexttypeenvironmentandmodel (!E, !M);
       T̄ := treeassignment (F, !E, !M);
       M̄ := treemodel (N, !E, !M);
       sat := satsolver (φ_{T̄,M̄} t));
    (!E, !M, !T̄, !M̄, !sat)
  end

Figure 2.1: Model generation algorithm

There also is a practical need however to consider small models first, namely performance. Translation time and memory requirements to a large extent depend on the sizes of the types involved, and assigning large sets to types may make a translation of the input formula practically infeasible. Therefore assigning the same size to every type may not be a good idea even for those input formulae for which we can (e.g. due to syntactical restrictions) guarantee that this will in theory not miss all satisfying models: it is not unlikely that the smallest satisfying model that meets the same-size property is beyond the practically feasible search space, while at the same time a practically feasible satisfying model which assigns different sizes to types may exist (but would not be found). More sophisticated analyses (e.g. from [138]) could be used to obtain bounds on the necessary size of types, but this hasn't been implemented yet.
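To make the size-assignment enumeration of Section 2.4.2 and the loop of Figure 2.1 concrete, here is an added Python example (not code from the thesis or from Isabelle): `satisfiable` is a constructed stand-in for the call to the SAT solver, and the order of assignments within one total size n is this example's own choice.

```python
"""Added example (not from the thesis): enumerating size assignments to the
k types of a formula by increasing total number of individuals, and the
findmodel loop with the SAT solver replaced by a caller-supplied check."""
from itertools import combinations


def size_assignments(k, n):
    """Yield every assignment of positive sizes to k types whose sizes sum to n.
    After giving each type one individual, the remaining n - k individuals are
    distributed freely; equivalently we choose k - 1 cut points among n - 1
    gaps, so there are C(n-1, k-1) assignments, the count from Section 2.4.2.
    The order within one total n is a choice of this example, not the thesis."""
    if k == 0:
        return
    for cuts in combinations(range(1, n), k - 1):
        bounds = (0,) + cuts + (n,)
        yield tuple(bounds[i + 1] - bounds[i] for i in range(k))


def enumerate_assignments(k, max_total):
    """Enumerate assignments by increasing total number of individuals,
    starting from the all-singleton assignment (total k), like the
    nexttypeenvironmentandmodel function of Figure 2.1."""
    for n in range(k, max_total + 1):
        yield from size_assignments(k, n)


def find_model(k, satisfiable, max_total):
    """Skeleton of findmodel: translate, call the solver, and on Unsatisfiable
    move to the next type environment. Here satisfiable(sizes) stands in for
    satsolver(φ_{T̄,M̄} t) and answers whether t has a model with these sizes.
    Returns the first satisfying size assignment, or None once the bound on the
    total number of individuals (a termination condition, cf. Section 2.4.3)
    is exceeded; without such a bound an unsatisfiable t would loop forever."""
    if k == 0:                       # only bool and -> occur: one call suffices
        return () if satisfiable(()) else None
    for sizes in enumerate_assignments(k, max_total):
        if satisfiable(sizes):
            return sizes
    return None


def same_size_only(k, satisfiable, max_size):
    """The rejected strategy: assign the same size to every type."""
    for s in range(1, max_size + 1):
        sizes = (s,) * k
        if satisfiable(sizes):
            return sizes
    return None


def example_formula(sizes):
    """Constructed check for (∃x_α y_α. x_α ≠ y_α) ∧ (∀x_β y_β. x_β = y_β):
    satisfiable exactly when |α| >= 2 and |β| = 1 (types ordered (α, β))."""
    alpha, beta = sizes
    return alpha >= 2 and beta == 1


if __name__ == "__main__":
    print(find_model(2, example_formula, 6))               # (2, 1)
    print(same_size_only(2, example_formula, 6))           # None: never found
    print(sum(1 for _ in size_assignments(3, 5)))          # 6 = C(4, 2)
```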

2.4.3 The Algorithm

Figure 2.1 depicts a simplified version of the overall model generation loop in SML-style pseudo code. We know from Corollary 2.103 that this algorithm is sound and complete, i.e. that findmodel t will return with a type model and satisfying truth assignment if and only if the input formula t is satisfiable wrt. a finite model, provided

• functions treeassignment and treemodel return a standard tree assignment and tree model, respectively; and
• function nexttypeenvironmentandmodel implements an enumeration of all possible size assignments to types, as discussed in Section 2.4.2; and
• the underlying SAT solver is sound (i.e. will not claim an unsatisfiable formula to be satisfiable) and complete (i.e. will find a satisfying assignment for the input formula if the input formula is satisfiable); and
• the function is given unbounded space and time.

If t is not satisfiable wrt. any finite model, then findmodel t will loop forever.
In practice, neither unbounded memory nor unbounded time are available. In fact, Isabelle is an interactive system, and the average user hardly wants to wait more than a few seconds for feedback from the (counter-)model search. Therefore several termination conditions can be specified: a minimal and maximal size for types, a limit on the number of Boolean variables to be used, and a runtime limit. As soon as any of these limits is exceeded, the loop terminates. In case t only contains types bool and →, the SAT solver is called at most once.

These are rather simple termination conditions, and implementing them was mostly straightforward. Bounded time execution however posed a bit of a technical challenge, and therefore deserves a more detailed discussion. It is achieved via a function timeLimit of SML type time → ('a → 'b) → 'a → 'b, whose actual implementation is compiler-specific. Under SML/NJ [56], the TimeLimit structure provides the needed functionality. Under Poly/ML [99], no such structure is available. Therefore we had to implement the functionality ourselves.

There are two essentially different approaches to implementing bounded time execution: first, the function to be executed can repeatedly check in an inner loop whether it should terminate prematurely. Second, the function to be executed is executed in parallel with a monitor function, whose only purpose is to terminate the former when the specified amount of time has elapsed. Since the first (cooperative) approach has the disadvantage of relying on the worker function to be modified in a proper way to support bounded time execution, we decided to implement the second (preemptive) approach, which provides functionality similar to that of SML/NJ's TimeLimit structure.

Getting concurrent applications right is notoriously hard however, and despite our final implementation of the timeLimit function consisting of a few lines of code only, our experience is no different. First, we tried installing a handler function for the Posix.Signal.alrm signal via Signal.signal and calling Posix.Process.alarm with the desired timeout value. Several attempts to obtain a stable implementation this way failed due to bugs related to signal handling in the Poly/ML runtime implementation. Under Poly/ML 5.0, we now use the Process structure (whose process model is based on Milner's CCS [114]) to create two console processes; one which sleeps for the specified amount of time before sending a timeout flag to the result channel, and one which performs the computation of f(x), sending the result to the same channel when it is available. A call to Process.receive in the main process blocks until either the timeout flag or the actual function value has been sent. Function f should not manipulate the timer used by Posix.Process.sleep.

Various bugs in the Poly/ML runtime implementation were uncovered and subsequently fixed in the course of this work. Particularly unpleasant was a race condition between process creation/termination and garbage collection, which would infrequently cause our code to produce a segmentation fault. Due to its sporadic nature, this bug required extensive testing before it could be reproduced and tracked down. It has been fixed by David Matthews in Poly/ML Version 5.0 [98].

Still, minor problems remained: Poly/ML's scheduling algorithm did not always assign enough CPU time to the timer process, which then could not indicate a timeout when (or soon after) the specified time had elapsed. While we could use further communication between the timer and the worker process to ensure that the timer process receives some time from the scheduler, there was no way to guarantee that the timer process was scheduled with sufficient priority to complete its task. The latest version of Poly/ML, Version 5.1, therefore abandons the CCS-based process model in favor of a Thread structure [100] that implements the POSIX Threads standard [78]. This structure provides new primitives that allow implementing the timeLimit function without the issues mentioned above.

2.4.4 Building the HOL Model

The satisfying truth assignment returned by the SAT solver (and then by the findmodel function) assigns truth values to Boolean variables that were introduced only as intermediate artifacts by the translation from HOL to propositional logic. These variables have no meaning by themselves. Hence there is little point in displaying the satisfying truth assignment to the user directly. Instead, from the truth assignment, the type environment/model, and the tree assignment/model, we should build the corresponding HOL variable assignment and term model, which then need to be rendered in a human-readable form.

This is quite straightforward, and essentially just involves computing the meaning (cf. Def. 2.60) of those trees that were assigned to the input term's variables and constants by the given tree assignment and tree model, wrt. the truth assignment returned by the SAT solver. There is a twist to this however. Instead of mapping terms to (string representations of) semantic values, we map terms to terms again. Suppose type α is given by the set {a1, ..., an}. We then introduce constants a1_α, ..., an_α as actual Isabelle terms, and map x_α to the term ai_α (for some 1 ≤ i ≤ n). Likewise, variables of type bool are mapped to either True_bool or False_bool, rather than to semantic values ⊤ and ⊥. Finally functions are mapped to a set of (argument, value) pairs, where the argument ranges over all (constants for) elements of the function's domain, and the corresponding values are given by the meaning of the function's tree.

Interpreting terms as terms in particular allows us to use Isabelle's pretty-printing facilities for terms to display the model. This may appear to be a small advantage at the moment, as we could easily have implemented pretty-printing for ground types, bool, and functions ourselves. It will turn out to be very useful however when we extend the translation to cover datatypes (see Section 3.6), elements of which can then be printed with any user-defined syntax that may exist for them in the Isabelle system: e.g. lists as "[a, b, c]" instead of "Cons a (Cons b (Cons c Nil))", or pairs as "(a, b)" instead of "Pair a b".

2.5 Conclusion

We have presented a translation from higher-order logic to propositional formulae, such that the resulting propositional formula is satisfiable if and only if the HOL formula has a model of a given finite size. A correctness proof for the translation was given in this chapter. A working implementation, consisting of roughly 3,500 lines of code written in Standard ML [115], is available in the Isabelle/HOL theorem prover. A standard SAT solver can be used to search for a satisfying assignment for the propositional formula, and if such an assignment is found, it can be transformed into a model for the HOL formula. This allows for the automatic generation of finite countermodels for non-theorems in Isabelle/HOL. A similar translation has been discussed before [81]; our main contributions are its extension to higher-order logic, a proof of its correctness, and the seamless integration with a popular interactive theorem prover.

The applicability of the algorithm is limited by its non-elementary complexity. We believe that the algorithm can still be useful for practical purposes, since many formulae have small models (and small order). To substantiate this claim, some case studies are carried out in Chapter 4. First however, a number of extensions to the basic algorithm that was presented here are discussed in the following Chapter 3.

Chapter 3

You know you will never get to the end of the journey. But this, so far from discouraging, only adds to the joy and glory of the climb.
Winston Churchill, 1874–1965.

Extensions and Optimizations

The actual Isabelle/HOL system offers various extensions on top of the basic HOL logic, mostly to improve usability. Among them are datatypes and recursive functions, axiomatic type classes, set types and extensible records. In this chapter we discuss how the translation to propositional logic can be augmented to cover these extensions, and also how it can be improved to generate smaller propositional formulae.

3.1 Introduction

The basic HOL logic described in Chapter 2, as implemented in the Isabelle/HOL system, has been augmented with several extensions. There are packages that provide the user with convenient means to define datatypes, recursive functions, axiomatic type classes, sets and records, and more. Figure 3.1 shows a dependency graph for some of these packages.

Their basic purpose, at a conceptual level, is similar: to let the user define objects in a concise, accessible and safe way, and handle the necessary translation from this description into the logic. The translation itself can be done in various ways. We distinguish the axiomatic, the definitional and the internal approach. The axiomatic approach simply asserts the properties that the user has stated about an object as new axioms of the theory under consideration. This is the easiest approach (especially from a package implementor's point of view), but also the most dangerous one. No logical means ensure that an object with the desired properties in fact exists, which makes introducing inconsistencies all too easy. Therefore the definitional approach is usually the approach of choice in the Isabelle system, even though it puts a much greater burden on the package. This approach requires new objects to be defined in terms of existing ones, and their properties derived (and proved), rather than just asserted. The

current datatype package for example uses this approach [25]. For some concepts however, neither approach is feasible, because the underlying logic does not allow defining them. In this case the logic itself needs to be extended, and new objects are encoded internally, i.e. in the extended logic, rather than through added axioms or definitions. Axiomatic type classes [170] are an example of this.

Figure 3.1: HOL package structure

The translation to propositional logic must be extended before it can properly deal with the various features present in the Isabelle/HOL implementation of higher-order logic. This also can be done in several ways, which roughly correspond to the axiomatic, definitional, and internal approaches described above. When a formula containing certain constants or types is translated, it is often sufficient to translate a set of relevant axioms, e.g. a constant's definition, along with the given formula to sufficiently restrict the possible models that the SAT solver may find. This straightforward solution may not always work however, perhaps because those relevant axioms mention infinite types (which would prevent us from finding any finite models at all), or perhaps because translating those axioms might pose a performance issue. Therefore some features require the translation to be extended in a more direct (and usually more involved) way, to interpret HOL concepts in propositional logic such that their relevant properties are implicitly preserved. Also a combination of both approaches can be used, where some properties are preserved by the translation itself, while others are guaranteed by adjoining relevant axioms. Finally extensions to the logic must be reflected in corresponding extensions to the translation. In the following sections of this chapter, we will consider individual features of Isabelle/HOL, and describe how the translation is extended to accommodate them. First however, we will discuss some modifications to the translation which can reduce the size of the generated propositional formula.

3.2 Optimizations

We describe some optimizations in the implementation of the translation φ_{T̄,M̄}(·). None of them affect the soundness or completeness of the algorithm that was proved correct in Chapter 2.

Well-formedness. In Chapter 2, we had defined φ_{T̄,M̄}(t_bool) as

ϕ1 ∧ ¬ϕ2 ∧ wf(T̄(FreeVars(t_bool))) ∧ wf(M̄(Names(t_bool)))

(Def. 2.102), where T_{T̄,M̄}(t_bool) = Leaf([ϕ1, ϕ2]). We only consider well-formed truth assignments however, i.e. truth assignments which make exactly one formula ϕi in each (sub-)tree of the form Leaf([ϕ1, ..., ϕn]) true. One can easily show (and in fact, we have already done so: see Lemmas 2.81 and 2.96) that this property propagates from trees for variables and constants to trees for λ-abstractions and applications. Thus exactly one of the two formulae ϕ1 and ϕ2 is true (provided the truth assignment is well-formed), and it is sufficient to require

ϕ1 ∧ wf(T̄(FreeVars(t_bool))) ∧ wf(M̄(Names(t_bool))).

The SAT solver never needs to consider ¬ϕ2.

Undefined values. We can relax the notion of well-formedness to require truth assignments to make at most one formula ϕi in each (sub-)tree of the form Leaf([ϕ1, ..., ϕn]) true, rather than exactly one formula. This amounts to allowing undefined values and partial functions in our models, which will be put to good use when we consider recursive datatypes (see Section 3.6). Application of one tree to another, apply(t, u), yields a tree with a defined meaning if and only if u has a defined meaning, and t (which now denotes a partial function) is defined for the meaning of u. Thus undefinedness propagates from arguments to application terms.

The correctness proof given in the previous chapter can be modified to cover this different notion of well-formedness as well. The necessary modifications are significant however (because well-formedness is no longer equivalent to a defined meaning for trees), and we do not spell out the details. We merely note that the property of at most one label element being true, just like the property of exactly one being true, propagates from trees for variables and constants to trees for λ-abstractions and applications. Thus the optimization described in the previous paragraph on well-formedness remains valid.

An immediate consequence of this change in the notion of well-formedness is that our well-formedness formulae become simpler: let l = [x1, ..., xn] ∈ List_P. Instead of

wf(l) = \bigvee_{i=1}^{n} x_i \;\wedge\; \bigwedge_{\substack{i,j=1 \\ i \neq j}}^{n} (\neg x_i \vee \neg x_j)

(Def. 2.64), it is now sufficient to define

wf(l) := \bigwedge_{\substack{i,j=1 \\ i \neq j}}^{n} (\neg x_i \vee \neg x_j),

i.e. the first clause can be omitted. The effect of this change on overall performance is not totally clear however, due to the complexity of today's SAT solvers. While either definition ultimately requires the SAT solver to find a truth assignment that corresponds to a model where the HOL formula t_bool is true (thus in particular defined), the former definition may help to reduce the search space.


Application. The translation of application is based on the idea of an explicit case distinction over the argument's possible values: t u (i.e. t applied to u) is equal to d if u is equal to u1 and t maps u1 to d, or if u is equal to u2 and t maps u2 to d, or .... Thus apply(t, u) yields a tree with labels which contain disjunctions of conjunctions.

Converting a disjunction of conjunctions to CNF (conjunctive normal form, i.e. a conjunction of disjunctions), the standard input format of most SAT solvers, is rather expensive and causes an increase in the size of the formula or (in case a definitional CNF transformation is used) in the number of Boolean variables. The problem is aggravated by nested applications: e.g. t (u v) first requires u v to be translated into a tree whose labels contain disjunctions of conjunctions, while applying t then yields a tree whose labels contain disjunctions of conjunctions of (nested) disjunctions of conjunctions. Thus nested applications lead to an unfavorable nesting of disjunctions and conjunctions at the propositional level. Furthermore, nested applications cause a duplication of sub-formulae: t (u v) is equal to d1 if u v is equal to u1 and t maps u1 to d1; t (u v) is equal to d2 if u v is equal to u1 and t maps u1 to d2; .... Thus the (possibly complex) formula which describes that u v is equal to u1 is duplicated once for every element in the codomain of t, and likewise for every formula which is used as a label element to describe that u v is equal to ui, where ui is in the domain of t.

We can tackle these problems at the HOL level already (rather than at the propositional level) by introducing new variables as abbreviations for more complex subterms. For example, instead of translating t (u v), we can consider t s (where s is a fresh variable of the appropriate type), while adding s = (u v) as an additional premise. This can greatly reduce the alternation depth of nested disjunctions and conjunctions, and instead of complex formulae, only single Boolean variables (which occur as labels in the tree for s) still need to be duplicated.

Propositional simplification. The translation of implication, equality, and bound variables introduces propositional constants True and False as label elements, which may then be combined with other label elements to produce more complex propositional formulae. The resulting formulae can immediately be simplified, using the following basic algebraic laws of ¬, ∨, ∧, True, and False:

¬True ≡ False      True ∨ ϕ ≡ True      True ∧ ϕ ≡ ϕ
¬False ≡ True      ϕ ∨ True ≡ True      ϕ ∧ True ≡ ϕ
                   False ∨ ϕ ≡ ϕ        False ∧ ϕ ≡ False
                   ϕ ∨ False ≡ ϕ        ϕ ∧ False ≡ False

Doing this consistently results in closed HOL formulae without constants (other than implication and equality) being translated simply to Leaf([True, False]) or Leaf([False, True]). The SAT solver is used only to search for an interpretation of free variables.

Stripping outermost quantifiers. In contrast to what we just said, outermost universal quantifiers are stripped before a formula is translated when we are searching for a countermodel, e.g. ∀x, y. P x y is instead translated as P x y. (Likewise, outermost existential quantifiers can be stripped when we are searching for a model.) The advantage of this is two-fold. First, we avoid translating the body several times: universal/existential quantification is in essence translated as a finite conjunction/disjunction over all possible values, which can lead to a combinatorial explosion in the presence of nested quantifiers. Second, we use the SAT solver to search for an interpretation of the now free variables; if a model is found, it contains actual instantiations for these variables, which can be displayed to the user. (Models of course don't contain instantiations for bound variables.)

Small types. Variables of a type with size 1 can be represented by Leaf([True]), using no Boolean variable at all (instead of one Boolean variable x together with a well-formedness formula x). While this has little effect at the SAT solver level due to unit propagation, it allows a more extensive simplification (cf. the above paragraph on propositional simplification) of the resulting Boolean formulae. Also variables of a type with size 2, including variables of type bool, can be represented by a tree of the form Leaf([x, ¬x]), rather than by a tree Leaf([x0, x1]) and a corresponding well-formedness formula (x0 ∨ x1) ∧ (¬x0 ∨ ¬x1).

Unfolding and specialization. More importantly, we avoid unfolding the definition of logical constants (i.e. True_bool, False_bool, ¬_{bool→bool}, ∧_{bool→bool→bool}, ∨_{bool→bool→bool}, and the quantifiers ∀_{(σ→bool)→bool}, ∃_{(σ→bool)→bool}) as λ-terms as far as possible. Instead these constants are replaced directly by their counterparts in propositional logic. Since every type is finite, quantifiers of arbitrary order can be replaced by a finite conjunction or disjunction.

The latter leads to a more general optimization technique, applicable also to other functions and predicates (including e.g. equality): namely specialization of the rule for function application to particular functions. While any given function can be represented by a tree, it is often more efficient to implement a particular function's action on its arguments, assuming these arguments are given as trees already, than to translate the function into a tree to which the general translation rule for application needs to be applied. For =_{σ→σ→bool} this avoids creating a tree whose size is proportional to |[[σ]]_{E,M}|^2, and instead uses a function that operates on two trees representing elements of [[σ]]_{E,M} to produce a tree for a Boolean value.

Three-valued logic. We apply the same specialization technique to the logical constants to achieve a translation that corresponds to a three-valued logic, where a logical constant applied to possibly undefined arguments yields a tree with an undefined meaning if and only if the meaning of the entire expression depends on the truth value of an undefined argument. More precisely, let ∗ denote arguments of type bool whose tree has an undefined meaning. Then the special rules implemented are

True ∨ ∗ ≡ True      False ∧ ∗ ≡ False
∗ ∨ True ≡ True      ∗ ∧ False ≡ False,

and quantifiers are again treated as finite conjunctions or disjunctions. In all other cases, our usual definition of the translation of application will cause undefined argument values to propagate. In effect, this implements Kleene's three-valued logic [57]. The SAT solver is thus relieved from assigning a defined meaning to irrelevant parts of a formula.

Equality can be extended to this three-valued logic as well: trees are considered equal if they both denote the same total function, and not equal if they denote (possibly partial) functions that disagree for at least one argument. It is undefined (i.e. unknown, neither true nor false) however whether a tree whose meaning is a partial function is equal to another tree whose meaning is an extension of this partial function. This definition is applied recursively to curried functions, which yield values of function type.
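As an added Python example (not code from the thesis or from Isabelle), the following evaluates Boolean trees under both notions of well-formedness from this section, applies the special Kleene rules above, and implements the three-valued equality on partial functions; the tree T(t_bool) from the Chapter 2 example is reused as constructed input, and the tuple encoding of label formulae is this example's own.

```python
"""Added example (not from the thesis): meaning of Boolean-valued trees under
the relaxed "at most one" well-formedness, the specialised Kleene rules for
∧ and ∨, and three-valued equality of (possibly partial) functions."""

# Label elements are propositional formulae over variable names, encoded as
# nested tuples: ("var", x) | ("not", f) | ("and", f, g) | ("or", f, g)
# or the Python constants True / False (the constants of the simplification laws).


def evalf(f, A):
    """Evaluate a label formula f under the truth assignment A (name -> bool)."""
    if isinstance(f, bool):
        return f
    op = f[0]
    if op == "var":
        return A[f[1]]
    if op == "not":
        return not evalf(f[1], A)
    if op == "and":
        return evalf(f[1], A) and evalf(f[2], A)
    if op == "or":
        return evalf(f[1], A) or evalf(f[2], A)
    raise ValueError("unknown connective %r" % op)


def wf_exactly_one(labels, A):
    """Well-formedness of Chapter 2: exactly one label element is true."""
    return sum(evalf(l, A) for l in labels) == 1


def wf_at_most_one(labels, A):
    """Relaxed well-formedness of Section 3.2: at most one label element is true."""
    return sum(evalf(l, A) for l in labels) <= 1


def leaf_meaning(labels, A):
    """Meaning of Leaf([φ1, ..., φn]) under A: the index of the true label, or
    None (undefined) when no label is true. Raises if A is not well-formed."""
    true = [i for i, l in enumerate(labels) if evalf(l, A)]
    if len(true) > 1:
        raise ValueError("truth assignment is not well-formed")
    return true[0] if true else None


def bool_meaning(labels, A):
    """For a tree of type bool, Leaf([φ1, φ2]): index 0 denotes ⊤, index 1 ⊥."""
    i = leaf_meaning(labels, A)
    return None if i is None else i == 0


# Kleene connectives; None plays the role of ∗ (an argument of undefined meaning).
def kleene_and(a, b):
    if a is False or b is False:   # False ∧ ∗ ≡ False and ∗ ∧ False ≡ False
        return False
    if a is None or b is None:     # in all other cases undefinedness propagates
        return None
    return True


def kleene_or(a, b):
    if a is True or b is True:     # True ∨ ∗ ≡ True and ∗ ∨ True ≡ True
        return True
    if a is None or b is None:
        return None
    return False


def eq3(f, g):
    """Three-valued equality of two functions over the same finite domain, given
    as dicts mapping each domain element to a value, or to None where the
    (partial) function is undefined. Values that are dicts themselves are
    curried functions and are compared recursively."""
    result = True
    for arg in f:
        fv, gv = f[arg], g[arg]
        if fv is None or gv is None:
            result = None          # one side undefined here: equality is unknown
            continue
        sub = eq3(fv, gv) if isinstance(fv, dict) else fv == gv
        if sub is False:
            return False           # a disagreement on a defined argument decides
        if sub is None:
            result = None
    return result


# Constructed input: the tree T(t_bool) of the Chapter 2 example, whose labels
# are y1 ∧ y4 and (y1 ∧ y3) ∨ (y2 ∧ y3) ∨ (y2 ∧ y4).
T_BOOL = [
    ("and", ("var", "y1"), ("var", "y4")),
    ("or", ("or", ("and", ("var", "y1"), ("var", "y3")),
                  ("and", ("var", "y2"), ("var", "y3"))),
           ("and", ("var", "y2"), ("var", "y4"))),
]
A_IDENTITY = {"y1": True, "y2": False, "y3": False, "y4": True}
A_PARTIAL = {"y1": False, "y2": False, "y3": False, "y4": True}  # y undefined at a1

if __name__ == "__main__":
    print(bool_meaning(T_BOOL, A_IDENTITY), bool_meaning(T_BOOL, A_PARTIAL))
    y_a1 = [("var", "y1"), ("var", "y2")]
    print(wf_exactly_one(y_a1, A_PARTIAL), wf_at_most_one(y_a1, A_PARTIAL))
    print(kleene_or(True, None), kleene_and(None, False), kleene_and(True, None))
    f = {"a1": "b1", "a2": None}
    print(eq3(f, {"a1": "b1", "a2": "b2"}), eq3(f, {"a1": "b2", "a2": None}))
```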


3.3 Isabelle's Meta-Logic

Aside from HOL, a variety of other logics can be (and have been) defined in Isabelle, e.g. first-order logic [130], modal and linear logics [18, 87], and Zermelo-Fraenkel set theory [131, 132, 133]. These logics are formulated within Isabelle's metalogic [129], Isabelle/Pure. Isabelle/Pure offers a 2-element type Prop of propositions, and three logical constants: (meta) implication, (meta) equality, and (meta) universal quantification.

These constants are translated just like their Isabelle/HOL counterparts. No distinction is made between types Prop and bool, and the constant Trueprop, which converts a Boolean value into a proposition, is treated as the identity function. Despite the different names, Isabelle/Pure is really just an implementation of what we defined as higher-order logic in Chapter 2, while Isabelle/HOL extends this logic substantially, as mentioned before and described in detail in the following sections of this chapter.

The fact that the translation can handle Isabelle's metalogic allows it to be applied to other logics defined on top of Isabelle/Pure, aside from Isabelle/HOL. The (counter-)model finder could easily be turned into a generic tool that is not restricted to a single object logic.

3.4 Type and Constant Definitions, Overloading

When we search for a model of a HOL formula t_bool, it is clear that this model should not only satisfy t_bool, but also every axiom of the theory under consideration. The axioms of the basic HOL theory are already respected by the hard-wired translation of the logical constants presented earlier, but these axioms can be augmented with arbitrary user-supplied axioms. Therefore not only t_bool, but also all axioms of the current theory would have to be translated to propositional logic and passed to the SAT solver.

As there can be hundreds or even thousands of axioms in a theory, this is usually infeasible. Luckily, and because it is all too easy to introduce inconsistencies with the axiomatic approach, the Isabelle system provides more controlled means of asserting axioms to define new types and constants. Users are encouraged to develop their theories via the definitional approach (described below), which has been shown to be consistency-preserving and meta-safe [170], in the sense that additional axioms merely define new names as abbreviations for pre-existing syntactic objects. For such theories it is sufficient to consider a (usually small) set of axioms that are relevant wrt. the given term t_bool, while all irrelevant axioms can safely be ignored.

3.4.1 Type Definitions

A type definition introduces an axiom stating that (α1, ..., αn) T is isomorphic to A, where T is a type constructor with arity n, and A is a term representing some set. There are several side conditions: T must be new and not occur in A, A must be closed, TyVars(A) ⊆ {α1, ..., αn}, and non-emptiness of the set A must be derivable. The type definition then introduces three new constants Rep_T, Abs_T and T (where the constant T is just defined to abbreviate the term A), and the isomorphism axiom typedefinition_T is stated as follows:

(∀x. Rep_T x ∈ T) ∧ (∀x. Abs_T (Rep_T x) = x) ∧ (∀y. y ∈ T =⇒ Rep_T (Abs_T y) = y).

Figure 3.2: HOL type definition

In other words, the range of Rep_T is contained in A, Abs_T is a left inverse of Rep_T, and Rep_T is a left inverse of Abs_T when the latter is restricted to the set A. Figure 3.2 provides a graphical illustration.

The isomorphism axiom typedefinition_T is considered relevant for a given term t_σ if and only if the type (σ1, ..., σn) T occurs in (a subterm of) t_σ. (Note that this is automatically the case if Rep_T or Abs_T occur as constants, i.e. if {Rep_T, Abs_T} ∩ Names(t_σ) ≠ ∅.) In this case, the axiom — with all type variables α1, ..., αn replaced by the actual type parameters σ1, ..., σn — is conjoined to the HOL formula under consideration, and translated to propositional logic as well. Ignoring the typedefinition_T axiom otherwise is justified precisely because type definitions are safe. Note that this in turn requires the interpretation of types from a subset-closed universe U (property Sub in Section 2.2). A counterexample which shows that type definitions become unsafe if we drop the Sub requirement on U is sketched in [170].

3.4.2 Constant Definitions and Overloading

An overloaded constant definition introduces a finite set of equations of the form c_{τi} = t_i, provided that c is a new constant of type τ, τ_i is an instance of τ (for every i), every t_i is closed, and TyVars(t_i) = TyVars(τ_i). Furthermore no two different c_{τ1}, c_{τ2} may have a common instance, and recursive occurrences of c_{τ′} in some t_i require that τ′ is strictly simpler than τ_i in a well-founded sense. (Structural containment of τ′ in τ_i is certainly sufficient, but not necessary. See [127] for a detailed discussion.)

An equation c_{τi} = t_i is considered relevant for a given term t_σ if and only if c_{τ′} occurs in t_σ, and τ′ is an instance of τ_i. (No other equation c_{τj} = t_j with i ≠ j can be relevant in this case, since τ_i and τ_j may not have a common instance.) In this case, the relevant equation — again with all type variables replaced by their image under the type substitution which shows that τ′ is an instance of τ_i — could be conjoined to the HOL formula under consideration, similar to how we treated type definitions above.

However, conjoining a definition and translating it to propositional logic can be rather inefficient, especially in the case of function definitions with multiple (curried) arguments, where the translation needs to build a function tree by iterating over all possible values for the arguments. This quickly leads to a combinatorial explosion. Our default strategy therefore is to unfold the relevant definition, i.e. to replace the constant c_τ in the input formula by the right-hand side t_i of the defining equation (with type variables in t_i replaced as described above). Then β-reduction is performed if possible, i.e. if the right-hand side is a λ-abstraction that is applied to one or more arguments in t_σ. Theoretically this can cause a non-elementary blowup in the length of the input term, but since most definitions are well-behaved in practice, the unfolding approach has so far proved to be superior to conjoining relevant definitions.

The Isabelle/HOL implementation for convenience allows function definitions to have the form c_{τi} x1 ... xn = t_i, where each x_k is a variable, and FreeVars(t_i) ⊆ {x1, ..., xn}. Since there may be fewer than n actual parameters for c_τ in the input formula, we first normalize such an equation to the equivalent form c_{τi} = λx1, ..., xn. t_i, before substituting the new right-hand side for c_τ and possibly performing β-reduction as described above.

Constant definitions that adhere to the format and restrictions described here are safe [170]. Thus irrelevant constant definitions (just like irrelevant type definitions) can be ignored when the axioms of a theory are translated to propositional logic. In practice, this eliminates the largest share of all axioms: Isabelle/HOL, at the time of writing, contains 3721 axioms, out of which 3672 are constant definitions. The remaining axioms are mostly type definitions, class axioms (see Section 3.5), or defining the relation between basic logical constants in Isabelle/Pure and Isabelle/HOL.

3.4.3 Definite Description and Hilbert's Choice

Hilbert's choice operator, ε, is a polymorphic constant of type (σ→bool)→σ, satisfying the axiom

someI: (∃x. P x) =⇒ P (ε P).

Similarly, The, also a constant of type (σ→bool)→σ, satisfies

the_eq_trivial: (The x. x = a) = a,

and arbitrary is a completely unspecified polymorphic constant. (Of course one can nevertheless prove certain theorems that mention arbitrary, e.g. arbitrary_α = arbitrary_α by reflexivity.) For the purpose of our translation T, we can treat these logical constants just like any other constant, and introduce trees labeled with Boolean variables that determine their interpretation. For ε and The, we then translate the conjunction of the input formula t_bool with the relevant axiom (i.e. someI or the_eq_trivial, or both axioms if both ε and The occur in t_bool). As usual, the type variable in someI (or in the_eq_trivial) is instantiated to match the type of ε (or the type of The, respectively) in t_bool.

Note that we have to add multiple copies of the relevant axiom(s), instantiated to different types, when there are multiple occurrences of ε (or The) in t_bool which differ in type. This is similar for usual constant definitions, and also for type definitions when a type constructor (with arity at least 1) is applied to different argument types.

CLASSESTYPETICAXIOMA3.5.

3.5AxiomaticTypeClasses

55

Axiomatic type classes extend the first-order type system of HOL introduced in Section 2.2 with ordered type classes that qualify types. An axiomatic type class is the class of all types that satisfy certain properties, the class axioms. As an example, consider the HOL formula $\forall x_\alpha, y_\alpha.\; x_\alpha = y_\alpha$, which has one free type variable $\alpha$. As a class axiom, it describes the class of singleton types, i.e. types containing only one element. Type classes were introduced for Isabelle in [122], and a more recent description is found in [170].

Type classes are encoded in HOL by adding a new type constructor $\mathit{itself}$ with arity 1 to the type structure, and a new polymorphic constant $\mathit{TYPE}$ of type $\alpha\ \mathit{itself}$ to the signature. Furthermore, a polymorphic constant $C$ of type $\alpha\ \mathit{itself} \to \mathit{bool}$ is introduced for every type class $C$. Now the term $C_{\sigma\ \mathit{itself} \to \mathit{bool}}\; \mathit{TYPE}_{\sigma\ \mathit{itself}}$ is intended to encode that type $\sigma$ belongs to class $C$. To achieve this, the meaning of $\mathit{itself}$ is chosen to be the function that maps $A \in U$ to the singleton set $\{A\}$ (which is assumed to be in $U$), and consequently the meaning of $\mathit{TYPE}_{\sigma\ \mathit{itself}}$ must be the meaning of $\sigma$.

A type class definition for a class $C$ with class axioms $\varphi_1, \ldots, \varphi_n$, aside from introducing the constant $C$ mentioned above, also asserts an axiom
$$C\_\mathit{class\_def}:\quad C\; \mathit{TYPE}_{\alpha\ \mathit{itself}} = \varphi_1 \wedge \cdots \wedge \varphi_n,$$
provided that $\mathrm{FreeVars}(\varphi_i) = \emptyset$ (which we can always achieve by taking the universal closure over all free variables otherwise) and $\mathrm{TyVars}(\varphi_i) \subseteq \{\alpha\}$ for $1 \le i \le n$.

Isabelle/HOL encourages the definition of type classes which have one or more superclasses $C_1, \ldots, C_k$. Superclasses establish an inclusion relation on type classes, which is a necessary prerequisite for an order-sorted type system [122]. Their logical significance is that every type in $C$ satisfies not only the class axioms of $C$, but also those of $C$'s superclasses $C_1, \ldots, C_k$ (and in turn the class axioms of their superclasses, if they have any). The axiom $C\_\mathit{class\_def}$ in this case has the following form:
$$C\; \mathit{TYPE}_{\alpha\ \mathit{itself}} = C_1\; \mathit{TYPE}_{\alpha\ \mathit{itself}} \wedge \cdots \wedge C_k\; \mathit{TYPE}_{\alpha\ \mathit{itself}} \wedge \varphi_1 \wedge \cdots \wedge \varphi_n.$$

Class axioms become relevant for a term $t_\sigma$ in two (not necessarily related) cases: when $t_\sigma$ contains the class constant $C$, and also when $t_\sigma$ contains a type variable which is explicitly restricted to the class $C$. (Isabelle annotates type variables with sorts, which are finite sets of type classes. A sort is understood as an intersection, i.e. a type variable that belongs to a sort $S$ belongs to each type class $C \in S$. We write $\alpha :: S$ for a type variable $\alpha$ that is annotated with sort $S$, and we usually omit the empty sort: $\alpha$ is short for $\alpha :: \emptyset$.)

In the first case, the entire axiom $C\_\mathit{class\_def}$ is relevant, and conjoined with the input term as usual, after the type of $C$ in the class axiom has been instantiated to match the type of the actual occurrence of $C$ in $t_\sigma$. More needs to be done however. Isabelle's inference system has been enhanced to support sort annotations on type variables, and contains the axiom scheme
$$\mathit{class\_triv}:\quad C\; \mathit{TYPE}_{\alpha :: \{C\}\ \mathit{itself}}$$
(where $C$ is an arbitrary type class) as a basic rule. It is this axiom scheme that defines the logical meaning of sort annotations. The axiom scheme, with $C$ instantiated to the actual class constant in $t_\sigma$, is therefore conjoined as another relevant term. Note that type instantiation will fail if the domain of class constant $C$ in $t_\sigma$ is not restricted to be in the type class $C$, i.e. if the actual domain type is not annotated with a sort $S$ that contains class $C$. No instance of the $\mathit{class\_triv}$ axiom scheme is considered relevant then. Of course the $C\_\mathit{class\_def}$ axiom must still be satisfied though.

In the second case, $t_\sigma$ merely contains a type variable $\alpha :: S$ with $C \in S$. We could consider the same relevant axioms as in the first case (i.e. $C\_\mathit{class\_def}$ and $\mathit{class\_triv}$), but this would unnecessarily introduce the constants $C$ and $\mathit{TYPE}$ in relevant axioms, which can be avoided. Instead, only the class axioms $\varphi_1, \ldots, \varphi_n$ (with their single type variable replaced by $\alpha :: S$) are considered relevant. In addition, we now need to keep track of superclass relations ourselves: all class axioms of (direct or indirect) superclasses of $C$ are considered relevant as well.
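The two relevance cases above, as an added illustration in Python (written for this page; it is not part of the Isabelle implementation the thesis describes). The class hierarchy, the axiom strings and the way a term is described are assumptions made for the example: class axioms are written over the single type variable α, and each occurrence of a class constant is recorded together with the sort of its argument type (or None for a ground type), so that an instance of class_triv is produced only when that sort contains the class, and a sorted type variable pulls in the class axioms of all direct and indirect superclasses without introducing any class or TYPE constants.

```python
class TypeClasses:
    """Relevant class axioms for a term (the two cases above), over a constructed
    class hierarchy.  Hypothetical example: class names, axiom strings and the
    description of terms are made up for this illustration."""

    def __init__(self, superclasses, class_axioms):
        # superclasses: C -> list of direct superclasses C_1, ..., C_k (declaration order)
        # class_axioms: C -> list of class axioms phi_1, ..., phi_n over the type variable 'α'
        self.superclasses = superclasses
        self.class_axioms = class_axioms

    def ancestors(self, C):
        """All direct or indirect superclasses of C (cycle-safe closure)."""
        seen, todo = set(), list(self.superclasses.get(C, []))
        while todo:
            D = todo.pop()
            if D not in seen:
                seen.add(D)
                todo.extend(self.superclasses.get(D, []))
        return seen

    def class_def(self, C):
        """The axiom C_class_def: C TYPE = C_1 TYPE ∧ ... ∧ C_k TYPE ∧ phi_1 ∧ ... ∧ phi_n."""
        conjuncts = [f"{D} TYPE_(α itself)" for D in self.superclasses.get(C, [])]
        conjuncts += self.class_axioms.get(C, [])
        rhs = " ∧ ".join(conjuncts) if conjuncts else "True"   # empty conjunction (assumption)
        return f"{C} TYPE_(α itself) = {rhs}"

    def relevant_axioms(self, class_constant_occurrences, sorted_type_variables):
        """class_constant_occurrences: (C, sort) for each occurrence C TYPE_(τ itself) in the
        term, where sort is the sort of τ if τ is a type variable and None if τ is ground.
        sorted_type_variables: (name, sort) for each type variable name::sort in the term."""
        relevant = []
        # Case 1: the class constant C occurs.  C_class_def is always relevant; the
        # instance of class_triv only type-checks when the argument is α::S with C ∈ S.
        for C, sort in class_constant_occurrences:
            relevant.append(self.class_def(C))
            if sort is not None and C in sort:
                relevant.append(f"{C} TYPE_(α::{{{C}}} itself)")
        # Case 2: a type variable α::S occurs.  Only the class axioms phi_i are relevant,
        # for every C ∈ S and all its (direct or indirect) superclasses, with the axiom's
        # type variable replaced by α::S.  No TYPE or class constants are introduced.
        for name, sort in sorted_type_variables:
            classes = set()
            for C in sort:
                classes |= {C} | self.ancestors(C)
            annotated = f"{name}::{{{','.join(sorted(sort))}}}"
            for D in sorted(classes):
                for phi in self.class_axioms.get(D, []):
                    relevant.append(phi.replace("α", annotated))
        return relevant
```

For a hierarchy with C below B below A, a term containing the constant C applied at a type variable of sort {C} yields C_class_def plus the class_triv instance, the same constant applied at a ground type yields C_class_def alone, and a bare type variable β::{C} yields the class axioms of A, B and C with α replaced by β::{C}.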

3.6 Datatypes and Recursive Functions

Isabelle/HOL has packages that ease the definition of inductive datatypes (e.g. lists, trees) and recursive functions over datatypes. The current version of the datatype package [22, 25] supports a number of advanced features, including mutual and indirect recursion, and arbitrary branching over existing types. A general datatype specification looks as follows:
$$\begin{array}{l}
\mathbf{datatype}\ (\alpha_1, \ldots, \alpha_h)\, t_1 = C^1_1\, \sigma^1_{1,1} \ldots \sigma^1_{1,m^1_1} \mid \cdots \mid C^1_{k_1}\, \sigma^1_{k_1,1} \ldots \sigma^1_{k_1,m^1_{k_1}} \\
\mathbf{and}\ \ldots \\
\mathbf{and}\ (\alpha_1, \ldots, \alpha_h)\, t_n = C^n_1\, \sigma^n_{1,1} \ldots \sigma^n_{1,m^n_1} \mid \cdots \mid C^n_{k_n}\, \sigma^n_{k_n,1} \ldots \sigma^n_{k_n,m^n_{k_n}}
\end{array}$$
Here $\alpha_1, \ldots, \alpha_h$ are type variables, constructors $C^j_i$ are distinct, they are annotated with the types $\sigma^j_{i,1}, \ldots, \sigma^j_{i,m^j_i}$ of their arguments (where $m^j_i \ge 0$), and each argument type $\sigma^j_{i,i'}$ must be an admissible type containing at most the type variables $\alpha_1, \ldots, \alpha_h$. Admissibility is defined in [25]; it is required to restrict recursive occurrences of types in a way that ensures the existence of a set-theoretic model for the datatype. For example,
$$\mathbf{datatype}\ t = C\, (t \to \mathit{bool})$$
would not be a valid datatype specification, because a model for this datatype would require an injection $([\![t]\!]_{E,M} \to \mathbb{B}) \to [\![t]\!]_{E,M}$, violating Cantor's theorem [32]. Admissibility currently also rules out heterogeneous datatypes like the type of power lists [1], which could otherwise be defined as
$$\mathbf{datatype}\ (\alpha)\, \mathit{PList} = \mathit{Zero}\ \alpha \mid \mathit{Succ}\ (\alpha \times \alpha)\, \mathit{PList}.$$
Furthermore, each datatype $(\alpha_1, \ldots, \alpha_h)\, t_j$ (for $1 \le j \le n$) must be non-empty, since HOL does not admit empty types. This is guaranteed if each datatype $(\alpha_1, \ldots, \alpha_h)\, t_j$ has a constructor $C^j_i$ such that each argument type $\sigma^j_{i,i'}$ (for $1 \le i' \le m^j_i$) which is an instance of a simultaneously defined datatype $(\alpha_1, \ldots, \alpha_h)\, t_{j'}$ (for some $1 \le j' \le n$) is non-empty.

Internally, the datatype package follows the definitional approach. Instead of just asserting the properties of a datatype, the new datatype and its constructors are defined in terms of existing concepts (using HOL's type and constant definitions, respectively). The actual definition (which is hidden from the user, who can always work with the more convenient notions provided by the package) is fairly elaborate. Starting from a type $(\alpha, \beta)\, \mathit{dtree}$ of trees, the representing set for a datatype is cut out inductively as the least set (using the Knaster-Tarski theorem [157], which justifies inductive definitions) that contains representing trees for all of the datatype's elements. More specifically, the type $(\alpha, \beta)\, \mathit{dtree}$ is defined as $(\alpha, \beta)\, \mathit{node}\ \mathit{set}$, where $(\alpha, \beta)\, \mathit{node}$ is defined as $(\mathit{nat} \to (\beta + \mathit{nat})) \times (\alpha + \mathit{bool})$. For this type, certain injective operations can be defined (namely $\mathit{Leaf}$ of type $\alpha \to (\alpha, \beta)\, \mathit{dtree}$; $\mathit{In0}$ and $\mathit{In1}$, both of type $(\alpha, \beta)\, \mathit{dtree} \to (\alpha, \beta)\, \mathit{dtree}$; $\mathit{Pair}$ of type $(\alpha, \beta)\, \mathit{dtree} \to (\alpha, \beta)\, \mathit{dtree} \to (\alpha, \beta)\, \mathit{dtree}$; and $\mathit{Lim}$ of type $(\beta \to (\alpha, \beta)\, \mathit{dtree}) \to (\alpha, \beta)\, \mathit{dtree}$), which allow one to embed non-recursive occurrences of types in a datatype specification ($\mathit{Leaf}$), to model distinct constructors ($\mathit{In0}$, $\mathit{In1}$), to model constructors with multiple arguments ($\mathit{Pair}$), and to embed function types ($\mathit{Lim}$). More details can be found in [25].

Using a datatype's internal definition is not an option when we translate a HOL formula to propositional logic. The type $(\alpha, \beta)\, \mathit{dtree}$, regardless of $\alpha$ and $\beta$, is infinite. This would prohibit finding finite models even for datatypes that only have a finite number of elements. We could alleviate the problem by considering some finite subset of dtrees only. However, the correspondence between dtrees and a datatype's elements is not very intuitive, and disallowing certain dtrees may lead to unexpected models at the datatype level. Furthermore, expanding the internal definitions, in particular the definition of a datatype's representing set as a least fixed point, would be rather inefficient at the propositional level. Therefore we have instead extended the translation to be able to deal with datatypes directly. Inductive types are fully determined by freeness of their constructors (which guarantees that the datatype is "big enough") and structural induction (which guarantees that there are not "too many" elements). These are the two important properties that must be preserved by the translation.

3.6.1 Non-Recursive Datatypes

We distinguish between recursive and non-recursive datatypes. The reason is that we search for finite models, and thus we can accommodate only finite datatypes offhand. A non-empty datatype $(\alpha_1, \ldots, \alpha_h)\, t_j$ is finite iff it has no recursive or mutually recursive constructor, and every argument type of each of its constructors is finite. The latter is ensured by the fact that we have fixed a finite type environment and model before translation (cf. Lemma 2.40). Therefore the finite datatypes coincide with the non-recursive ones. (As a simple example, consider the datatype $(\alpha)\, \mathit{option} = \mathit{None} \mid \mathit{Some}\ \alpha$. This type is finite since $[\![\alpha]\!]_{E,M}$ is finite in our setting; its size is $1 + |[\![\alpha]\!]_{E,M}|$.) Freeness and structural induction imply that in this case the datatype's size, i.e. the number of elements of the datatype, is given by
$$\sum_{i=1}^{k_j} \prod_{i'=1}^{m^j_i} \bigl|[\![\sigma^j_{i,i'}]\!]_{E,M}\bigr|,$$
i.e. by the sum over the datatype's constructors of the product over the constructor's arguments of their respective type's size.

This immediately leads us to the representation of a datatype's elements as trees of propositional formulae. With regard to this representation, a datatype is treated just like a ground type of the same size. A datatype's element is given by a leaf, its length equal to the datatype's size. The tree-like structure that can be imposed on constructor terms denoting elements of a datatype is not reflected in the tree structure of the corresponding propositional tree, which remains to be used for the encoding of function types only. It is clear then that each element of a datatype (just like each element of a ground type) has exactly one representing constant propositional tree.

Datatype constructors are functions, mapping their arguments to an element of the datatype. A nullary constructor is a certain element of the datatype, and hence translated as a constant leaf. Constructors which take $n$ arguments are translated as constant propositional trees of height $n+1$, representing an $n$-ary function. To translate a datatype constructor, it is necessary to have a fixed order for the elements of a datatype (and vice versa: a precise definition of the translation for datatype constructors implies a fixed order for the datatype elements). For non-recursive datatypes, this order, and hence the corresponding translation of constructors, is relatively simple. The (user-supplied) datatype specification already imposes an order on the datatype's constructors, namely the order in which they are given (i.e. $C^j_{i_1} < C^j_{i_2}$ iff $i_1 < i_2$). Assuming orders for all their argument types, we can "lift" this order to the datatype elements.

Definition 3.1 (Order on Non-Recursive Datatypes). Let $(\alpha_1, \ldots, \alpha_h)\, t_j$ be a non-recursive datatype, given by the general datatype specification stated at the beginning of Section 3.6. The (datatype) order $<_{t_j}$ on $[\![(\alpha_1, \ldots, \alpha_h)\, t_j]\!]_{E,M}$ is given by
$$[\![C^j_{i_1}]\!]_{A,M}\, x_1 \ldots x_{m^j_{i_1}} <_{t_j} [\![C^j_{i_2}]\!]_{A,M}\, y_1 \ldots y_{m^j_{i_2}} \quad\text{iff}\quad i_1 < i_2 \;\vee\; \bigl(i_1 = i_2 \wedge (x_1, \ldots, x_{m^j_{i_1}}) < (y_1, \ldots, y_{m^j_{i_1}})\bigr),$$
where the argument tuples are compared wrt. the lexicographic order on $[\![\sigma^j_{i_1,1}]\!]_{E,M} \times \cdots \times [\![\sigma^j_{i_1,m^j_{i_1}}]\!]_{E,M}$ that is induced by the individual (presupposed) orders on $[\![\sigma^j_{i_1,1}]\!]_{E,M}, \ldots, [\![\sigma^j_{i_1,m^j_{i_1}}]\!]_{E,M}$.

We merely write $<$ instead of $<_{t_j}$ when the datatype is clear from context. As an example, consider the type $(\alpha)\, \mathit{option}$ again, with its above specification. Suppose that $[\![\alpha]\!]_{E,M} = [a_1, \ldots, a_n]$, i.e. $a_1 < \cdots < a_n$. Because $\mathit{None}$ comes before $\mathit{Some}$ in the datatype specification, the order on $(\alpha)\, \mathit{option}$ (which is a type of size $n+1$ in this case) is then given by
$$[\![\mathit{None}]\!]_{A,M} < [\![\mathit{Some}]\!]_{A,M}\, a_1 < \cdots < [\![\mathit{Some}]\!]_{A,M}\, a_n.$$
The translation of $\mathit{None}$ is the tree $\mathit{Leaf}(\mathit{uv}^{n+1}_1)$ (recall Def. 2.76), and $\mathit{Some}$, which is a function of type $\alpha \to (\alpha)\, \mathit{option}$, is translated as the following tree of height 2 and width $n$:
$$\mathit{Node}([\mathit{Leaf}(\mathit{uv}^{n+1}_2), \ldots, \mathit{Leaf}(\mathit{uv}^{n+1}_{n+1})]).$$
More generally, the order of elements for a non-recursive datatype with constructors $C_1, \ldots, C_k$, where $C_1$ takes arguments of type $\sigma_1, \ldots, \sigma_m$ (and $[\![\sigma_i]\!]_{E,M} = [x^i_1, \ldots, x^i_{n_i}]$, for $1 \le i \le m$) is shown in Figure 3.3. Def. 3.1 is generalized to instances $(\tau_1, \ldots, \tau_h)\, t_j$ of a non-recursive datatype $(\alpha_1, \ldots, \alpha_h)\, t_j$ in the obvious way.

Figure 3.3: Element order for non-recursive datatypes (figure not reproduced; it lists the elements from first to last, starting with $C_1\, x^1_1 \ldots x^{m-1}_1\, x^m_1$ and ending with the elements generated by $C_k$).

3.6.2 Recursive Datatypes

Recursive datatypes, like the type $\mathit{nat}$ of natural numbers (with its constructors $0_{\mathit{nat}}$ and $\mathit{Suc}_{\mathit{nat} \to \mathit{nat}}$), or $(\alpha)\, \mathit{list}$, the type of lists with elements of type $\alpha$ (with constructors $\mathit{Nil}_{(\alpha)\, \mathit{list}}$ and $\mathit{Cons}_{\alpha \to (\alpha)\, \mathit{list} \to (\alpha)\, \mathit{list}}$), as well as more complex examples involving mutual or nested recursion, require an infinite model. Hence they cannot be treated in full generality in a finite model generation framework.

To be able to treat them at all, we consider finite approximations of such datatypes. When translating a HOL formula $t_{\mathit{bool}}$ that involves recursive datatypes, we extend the type model (which gives us the semantics of type constructors in $t_{\mathit{bool}}$ as finite sets) to provide finite sets for all recursive datatypes in $t_{\mathit{bool}}$ as well. Currently these sets correspond to initial fragments of a datatype, i.e. to all elements of the datatype whose canonical representation contains at most a certain number of constructor applications. (The elements of type $\mathit{nat}$ that can be written with at most 3 constructor applications, for example, are $0_{\mathit{nat}}$, $\mathit{Suc}\ 0$, and $\mathit{Suc}\ (\mathit{Suc}\ 0)$.) When the search for a model fails for a given initial fragment, the size of the fragment is increased, similar to how the size of sets corresponding to other types is increased (cf. Section 2.4.2). The only difference is that we increment the allowed number of constructor applications, rather than the cardinality of the finite approximation. The following definition already covers the general case of (instances of) mutually recursive datatypes.
Definition 3.2 (Initial Datatype Fragment). Consider the general datatype specification stated at the beginning of Section 3.6. Let $\mathbf{r} = (r_1, \ldots, r_n) \in \mathbb{N}^n$. The $\mathbf{r}$-th initial (datatype) fragment of a type $\sigma$, written $\sigma^{\mathbf{r}}$, is defined as follows:

1. If $\sigma = (\tau_1, \ldots, \tau_h)\, t_j$ is an instance of $(\alpha_1, \ldots, \alpha_h)\, t_j$ for some $1 \le j \le n$, i.e. $(\tau_1, \ldots, \tau_h)\, t_j = (\alpha_1, \ldots, \alpha_h)\, t_j \Theta$ for some type substitution $\Theta$, then
$$\sigma^{\mathbf{r}} := \begin{cases} \emptyset & \text{if } r_j = 0; \\[4pt] \bigl\{\, [\![C^j_i]\!]_{A,M}\, x_1 \ldots x_{m^j_i} \;\big|\; 1 \le i \le k_j \wedge x_{i'} \in (\sigma^j_{i,i'}\Theta)^{(r_1, \ldots, r_j - 1, \ldots, r_n)} \text{ for } 1 \le i' \le m^j_i \,\bigr\} & \text{otherwise.} \end{cases}$$

2. $\sigma^{\mathbf{r}} := [\![\sigma]\!]_{E,M}$ otherwise.

Lemma 3.3. Let $\mathbf{r} = (r_1, \ldots, r_n) \in \mathbb{N}^n$. Then $\sigma^{\mathbf{r}}$ is a finite subset of $[\![\sigma]\!]_{E,M}$.

Proof. By induction on $\sum_{j=1}^n r_j$. If $\sigma$ is not an instance of a datatype, then $\sigma^{\mathbf{r}} = [\![\sigma]\!]_{E,M}$. Finiteness in this case follows from Lemma 2.40. If $\sigma = (\alpha_1, \ldots, \alpha_h)\, t_j \Theta$, then $\sigma^{\mathbf{r}} = \emptyset$ if $r_j = 0$. In this case the claim is trivial. Otherwise, i.e. if $r_j > 0$, the claim follows from the induction hypothesis, applied to $(\sigma^j_{i,i'}\Theta)^{(r_1, \ldots, r_j - 1, \ldots, r_n)}$ (for each $1 \le i \le k_j$, $1 \le i' \le m^j_i$).

Note that the proof assumes that all infinite datatypes were declared within the same general datatype specification. The actual Isabelle/HOL system does not impose this restriction. Therefore if a datatype specification mentions instances of previously declared infinite datatypes, the vector $\mathbf{r}$ has to be augmented accordingly, to provide bounds for all relevant infinite datatypes.

Lemma 3.4. Let $\mathbf{r} = (r_1, \ldots, r_n) \in \mathbb{N}^n$. Let $1 \le j \le n$. Then $\sigma^{\mathbf{r}} \subseteq \sigma^{(r_1, \ldots, r_j + 1, \ldots, r_n)}$.

Proof. By induction on $\sum_{j=1}^n r_j$. If $\sigma$ is not an instance of a datatype, then $\sigma^{\mathbf{r}} = [\![\sigma]\!]_{E,M} = \sigma^{(r_1, \ldots, r_j + 1, \ldots, r_n)}$. If $\sigma = (\alpha_1, \ldots, \alpha_h)\, t_j \Theta$, then $\sigma^{\mathbf{r}} = \emptyset$ if $r_j = 0$. In this case the claim is trivial. Otherwise, i.e. if $r_j > 0$, the claim follows from the induction hypothesis, applied to $(\sigma^j_{i,i'}\Theta)^{(r_1, \ldots, r_j - 1, \ldots, r_n)}$ (for each $1 \le i \le k_j$, $1 \le i' \le m^j_i$).
Lemma 3.5. Let $\mathbf{r} \in (\mathbb{N} \setminus \{0\})^n$. Then $\sigma^{\mathbf{r}}$ is non-empty.

Proof. If $\sigma$ is not an instance of a datatype, then clearly $[\![\sigma]\!]_{E,M}$ is non-empty because HOL does not permit empty types (see Remark 2.11 and property Inhab, Section 2.2). If $\sigma = (\alpha_1, \ldots, \alpha_h)\, t_j \Theta$ is a datatype instance, non-emptiness of $\sigma^{\mathbf{r}}$ follows from the restriction imposed on datatype specifications (to enforce non-emptiness of datatypes), namely that $(\alpha_1, \ldots, \alpha_h)\, t_j$ must have at least one constructor $C^j_i$ such that each argument type $\sigma^j_{i,i'}$ which is an instance of a simultaneously defined datatype $(\alpha_1, \ldots, \alpha_h)\, t_{j'}$ is non-empty.

We can in fact easily compute the exact size of an initial datatype fragment, by generalizing the formula (given earlier in this section) for the size of non-recursive datatypes.

Lemma 3.6. Consider the general datatype specification stated at the beginning of Section 3.6. Let $1 \le j \le n$. Let $\mathbf{r} = (r_1, \ldots, r_n) \in \mathbb{N}^n$ such that $r_j > 0$. Let $\Theta$ be a type substitution. Then
$$\bigl|((\alpha_1, \ldots, \alpha_h)\, t_j \Theta)^{\mathbf{r}}\bigr| = \sum_{i=1}^{k_j} \prod_{i'=1}^{m^j_i} \bigl|(\sigma^j_{i,i'}\Theta)^{(r_1, \ldots, r_j - 1, \ldots, r_n)}\bigr|.$$

Proof. By induction on $\sum_{j=1}^n r_j$, using Def. 3.2. Freeness of constructors justifies the above sum, while the fact that each constructor is an injective function explains the nested product.

We have thus eliminated the need for infinite models for recursive datatypes, and instead replaced them by finite approximations, based on a limit on the number of nested constructor occurrences.

Treating infinite datatypes in this way comes at a price: the resulting algorithm is not sound anymore; spurious (counter-)models may be returned. For example, consider the formula $\forall n_{\mathit{nat}}.\; n = 0_{\mathit{nat}}$. This formula is clearly false, but it becomes true when we only consider those elements of type $\mathit{nat}$ that can be written with at most 1 constructor application (the only such element in fact being $0_{\mathit{nat}}$ itself). For this simple example, the spurious model could be ruled out by considering $\mathit{nat}^2$ instead of $\mathit{nat}^1$, but that is not always the case: e.g. the formula $\forall n_{\mathit{nat}}.\; n \le m$ is satisfiable for any $\mathit{nat}^r$ (where $r \ge 1$: take $m$ to be $r - 1$), but false for the infinite type $\mathit{nat}$.

What can we say about the algorithm then, if it may not find (infinite) models for satisfiable formulae, and if it may return spurious models for unsatisfiable formulae? At least that it remains sound if recursive datatypes occur only positively. Formulae like $0_{\mathit{nat}} < n_{\mathit{nat}}$ or $f\, x_\alpha = 0_{\mathit{nat}}$ are satisfiable in $\mathit{nat}^2$ and $\mathit{nat}^1$, respectively. Therefore they are also satisfiable in $\mathit{nat}$, simply because of the syntactic restriction on the datatype's occurrences. After all, $\mathit{nat}^r$ is a subset of $\mathit{nat}$ (for any $r$). Therefore any element of $\mathit{nat}^r$ also is an element of $\mathit{nat}$, and any function to $\mathit{nat}^r$ is (or rather, can be seen as) a function to $\mathit{nat}$ as well.

The fact that we simply "cut off" a datatype at a certain number of nested constructor applications also raises another question: how should we translate terms that cannot be interpreted in the initial fragment of the datatype that we consider? What does $\mathit{Suc}\ (\mathit{Suc}\ 0)$ mean, for example, when we are working with $\mathit{nat}^2$ (or $\mathit{nat}^1$) instead of $\mathit{nat}$? We propose to treat such terms as undefined. As explained earlier in Section 3.2, this undefinedness propagates when functions or predicates are applied to these terms. Recursive datatype constructors become partial functions then. Before we can focus on their translation in detail, we need to fix the order of datatype elements. Of course we have quite a bit of freedom here; any order will do as long as we later translate datatype constructors and recursion operators accordingly. To keep their translation as simple as possible, we chose to use a straightforward generalization of the order on non-recursive datatypes. Definition 3.1 is extended to initial fragments of recursive datatypes as follows.

Definition 3.7 (Order on Initial Datatype Fragments). Let $(\alpha_1, \ldots, \alpha_h)\, t_j$ be a datatype, given by the general datatype specification stated at the beginning of Section 3.6. Let $\mathbf{r} = (r_1, \ldots, r_n) \in \mathbb{N}^n$ such that $r_j > 0$. Let $\mathbf{r}' = (r_1, \ldots, r_j - 1, \ldots, r_n)$. The (datatype) order $<^{\mathbf{r}}_{t_j}$ on $((\alpha_1, \ldots, \alpha_h)\, t_j)^{\mathbf{r}}$ is given by
$$[\![C^j_{i_1}]\!]_{A,M}\, x_1 \ldots x_{m^j_{i_1}} <^{\mathbf{r}}_{t_j} [\![C^j_{i_2}]\!]_{A,M}\, y_1 \ldots y_{m^j_{i_2}} \quad\text{iff}\quad i_1 < i_2 \;\vee\; \bigl(i_1 = i_2 \wedge (x_1, \ldots, x_{m^j_{i_1}}) < (y_1, \ldots, y_{m^j_{i_1}})\bigr),$$
where the argument tuples are compared wrt. the lexicographic order on $(\sigma^j_{i_1,1})^{\mathbf{r}'} \times \cdots \times (\sigma^j_{i_1,m^j_{i_1}})^{\mathbf{r}'}$ that is induced by the individual (inductively defined) orders $<^{\mathbf{r}'}_{\sigma^j_{i_1,1}}, \ldots, <^{\mathbf{r}'}_{\sigma^j_{i_1,m^j_{i_1}}}$ on $(\sigma^j_{i_1,1})^{\mathbf{r}'}, \ldots, (\sigma^j_{i_1,m^j_{i_1}})^{\mathbf{r}'}$. For $\sigma$ not a datatype, we define $<^{\mathbf{r}}_\sigma$ to mean the usual (presupposed) order on $[\![\sigma]\!]_{E,M}$.

Induction on $\sum_{j=1}^n r_j$ shows that $<^{\mathbf{r}}_{t_j}$ is in fact well-defined. We write $<^{\mathbf{r}}$ or just $<$ instead of $<^{\mathbf{r}}_{t_j}$ when $t_j$ and $\mathbf{r}$ are clear from the context. This definition is again generalized to instances $(\tau_1, \ldots, \tau_h)\, t_j$ of a datatype $(\alpha_1, \ldots, \alpha_h)\, t_j$ in the obvious way.

As a simple example, consider the datatype $(\alpha)\, \mathit{list}$, given by the specification
$$\mathbf{datatype}\ (\alpha)\, \mathit{list} = \mathit{Nil} \mid \mathit{Cons}\ \alpha\ (\alpha)\, \mathit{list}.$$

Suppose that $[\![\alpha]\!]_{E,M} = [a_1, \ldots, a_n]$, i.e. $a_1 < \cdots < a_n$. Then (writing $[\![\cdot]\!]$ for $[\![\cdot]\!]_{A,M}$)
$$\begin{array}{rcl}
(\alpha)\, \mathit{list}^1 & = & [\,[\![\mathit{Nil}]\!]\,], \\[4pt]
(\alpha)\, \mathit{list}^2 & = & [\,[\![\mathit{Nil}]\!],\ [\![\mathit{Cons}]\!]\, a_1\, [\![\mathit{Nil}]\!],\ \ldots,\ [\![\mathit{Cons}]\!]\, a_n\, [\![\mathit{Nil}]\!]\,], \\[4pt]
(\alpha)\, \mathit{list}^3 & = & [\,[\![\mathit{Nil}]\!],\ [\![\mathit{Cons}]\!]\, a_1\, [\![\mathit{Nil}]\!],\ [\![\mathit{Cons}]\!]\, a_1\, ([\![\mathit{Cons}]\!]\, a_1\, [\![\mathit{Nil}]\!]),\ \ldots,\ [\![\mathit{Cons}]\!]\, a_1\, ([\![\mathit{Cons}]\!]\, a_n\, [\![\mathit{Nil}]\!]), \\
& & \ \ \ldots, \\
& & \ \ [\![\mathit{Cons}]\!]\, a_n\, [\![\mathit{Nil}]\!],\ [\![\mathit{Cons}]\!]\, a_n\, ([\![\mathit{Cons}]\!]\, a_1\, [\![\mathit{Nil}]\!]),\ \ldots,\ [\![\mathit{Cons}]\!]\, a_n\, ([\![\mathit{Cons}]\!]\, a_n\, [\![\mathit{Nil}]\!])\,],
\end{array}$$
and for arbitrary $r \in \mathbb{N}$, $|(\alpha)\, \mathit{list}^r| = \sum_{k=0}^{r-1} |[\![\alpha]\!]_{E,M}|^k$, in accordance with Lemma 3.6.

We can see that $[\![\mathit{Nil}]\!]_{A,M}$ is always the first element of $(\alpha)\, \mathit{list}^r$. Thus the translation of $\mathit{Nil}$, which is a non-recursive constructor (without any arguments at all), is straightforward: it is translated as $\mathit{Leaf}(\mathit{uv}^{|(\alpha)\, \mathit{list}^r|}_1)$. The translation of $\mathit{Cons}$ however is more complicated. We already mentioned that recursive constructors become partial functions: e.g. if we restrict ourselves to the initial fragment $(\alpha)\, \mathit{list}^1$, then $\mathit{Cons}\ x_\alpha$ is interpreted as a function with domain and codomain $(\alpha)\, \mathit{list}^1$, but $[\![\mathit{Cons}\ x_\alpha\ \mathit{Nil}]\!]_{A,M}$ clearly cannot be equal to $[\![\mathit{Nil}]\!]_{A,M}$ (which happens to be the only element of $(\alpha)\, \mathit{list}^1$), as this would violate the freeness assumption on different constructors. Our best option is to leave $[\![\mathit{Cons}\ x_\alpha\ \mathit{Nil}]\!]_{A,M}$ undefined. We translate an undefined value (of a datatype or ground type of size $k$) as a tree $\mathit{Leaf}([\mathit{False}, \ldots, \mathit{False}])$ of length $k$.

Definition 3.8 (Undefined Leaf). The undefined leaf of length $k$, written $\mathit{undef}^k$, is defined as the tree $\mathit{Leaf}([\mathit{False}, \ldots, \mathit{False}])$, where $[\mathit{False}, \ldots, \mathit{False}] \in \mathrm{List}\{\mathit{False}\}$ is a list of length $k$.

Remark 3.9. Let $\sigma \in \mathrm{TyVars}$ or $\sigma = (\sigma_1, \ldots, \sigma_n)\, c$ with $c \in \mathrm{TyNames} \setminus \{\to\}$. Let $k = |[\![\sigma]\!]_{E,M}|$. Then $\mathit{undef}^k \in \mathrm{Trees}(\sigma)$.

Proof. Immediate, using Def. 2.58.

Remark 3.10. Let $\mathit{undef}^k \in \mathrm{Trees}(\sigma)$, and let $A$ be a truth assignment. Then $[\![\mathit{undef}^k]\!]_{\sigma,A}$ is undefined.

Proof. Immediate, using Def. 2.60.

Thus $\mathit{Cons}$, if we restrict ourselves to the initial fragment $(\alpha)\, \mathit{list}^1$, is translated as the tree $\mathit{Node}([\mathit{Node}([\mathit{undef}^1]), \ldots, \mathit{Node}([\mathit{undef}^1])])$, where the root node has $n$ children (one for each element of $[\![\alpha]\!]_{E,M}$), and each child node in turn has one child leaf of length 1 (simply because $|(\alpha)\, \mathit{list}^1| = 1$). If we consider $(\alpha)\, \mathit{list}^2$ instead, $\mathit{Cons}$ is again translated as a tree of height 3 and width $n$ at the root, but now each child node has $|(\alpha)\, \mathit{list}^2| = n+1$ child leaves, each of length $n+1$. All but the first child leaf of each node (which corresponds to $[\![\mathit{Cons}]\!]_{A,M}\, a_i\, [\![\mathit{Nil}]\!]_{A,M}$, for the respective $1 \le i \le n$) are the undefined leaf. Thus $\mathit{Cons}$ in this case is translated as the tree
$$\mathit{Node}([\mathit{Node}([\mathit{Leaf}(\mathit{uv}^{n+1}_2), \mathit{undef}^{n+1}, \ldots, \mathit{undef}^{n+1}]),\ \ldots,\ \mathit{Node}([\mathit{Leaf}(\mathit{uv}^{n+1}_{n+1}), \mathit{undef}^{n+1}, \ldots, \mathit{undef}^{n+1}])]).$$

The case $(\alpha)\, \mathit{list}^3$ is still more complicated, since $\mathit{Cons}$ now yields defined values also when applied to lists of length 1, which are themselves in the range of $[\![\mathit{Cons}]\!]_{A,M}$. Again $\mathit{Cons}$ is translated as a tree of height 3 and width $n$ at the root. Each of the $n$ child nodes now has $|(\alpha)\, \mathit{list}^3| = n^2 + n + 1$ child leaves, each of length $n^2 + n + 1$. The first child leaf in each node corresponds to the $\mathit{Nil}$ argument (which was mapped to a defined value by $\mathit{Cons}$ already when we considered $(\alpha)\, \mathit{list}^2$), and leaves with index $2 + k(n+1)$, for $0 \le k \le n-1$, correspond to argument lists of length 1, while all other leaves correspond to argument lists of length 2 (and are thus mapped to undefined values). More precisely, let $N = n^2 + n + 1$. Then $\mathit{Cons}$ is translated as the tree
$$\begin{array}{l}
\mathit{Node}([\mathit{Node}([\mathit{Leaf}(\mathit{uv}^N_2), \mathit{Leaf}(\mathit{uv}^N_3), \mathit{undef}^N, \ldots, \mathit{undef}^N, \ldots, \mathit{Leaf}(\mathit{uv}^N_{n+2}), \mathit{undef}^N, \ldots, \mathit{undef}^N]), \\
\qquad \ldots, \\
\qquad \mathit{Node}([\mathit{Leaf}(\mathit{uv}^N_{n^2+1}), \mathit{Leaf}(\mathit{uv}^N_{n^2+2}), \mathit{undef}^N, \ldots, \mathit{undef}^N, \ldots, \mathit{Leaf}(\mathit{uv}^N_N), \mathit{undef}^N, \ldots, \mathit{undef}^N])]).
\end{array}$$

Another, perhaps even more instructive, example is given by two mutually recursive datatypes
$$\begin{array}{l}
\mathbf{datatype}\ X = A \mid B\ X \mid C\ Y \\
\mathbf{and}\ Y = D\ X \mid E\ Y \mid F.
\end{array}$$
Here it follows from Def. 3.2 (listing elements in the order of Def. 3.7) that $X^{(0,r)} = Y^{(r,0)} = \emptyset$ for any $r \in \mathbb{N}$, and (writing $[\![\cdot]\!]$ for $[\![\cdot]\!]_{A,M}$)
$$\begin{array}{rcl}
X^{(1,0)} & = & [\,[\![A]\!]\,], \\
Y^{(0,1)} & = & [\,[\![F]\!]\,], \\
X^{(2,0)} & = & [\,[\![A]\!],\ [\![B\ A]\!]\,], \\
Y^{(0,2)} & = & [\,[\![E\ F]\!],\ [\![F]\!]\,], \\
X^{(1,1)} & = & [\,[\![A]\!],\ [\![C\ F]\!]\,], \\
Y^{(1,1)} & = & [\,[\![D\ A]\!],\ [\![F]\!]\,], \\
X^{(2,1)} & = & [\,[\![A]\!],\ [\![B\ A]\!],\ [\![B\ (C\ F)]\!],\ [\![C\ (D\ A)]\!],\ [\![C\ F]\!]\,], \\
Y^{(2,1)} & = & [\,[\![D\ A]\!],\ [\![D\ (B\ A)]\!],\ [\![F]\!]\,], \\
X^{(1,2)} & = & [\,[\![A]\!],\ [\![C\ (E\ F)]\!],\ [\![C\ F]\!]\,], \\
Y^{(1,2)} & = & [\,[\![D\ A]\!],\ [\![D\ (C\ F)]\!],\ [\![E\ (D\ A)]\!],\ [\![E\ F]\!],\ [\![F]\!]\,], \\
& \ldots &
\end{array}$$
The datatype constructors $A_X$, $B_{X \to X}$, $C_{Y \to X}$, $D_{X \to Y}$, $E_{Y \to Y}$, and $F_Y$ must be translated to trees accordingly.

Our algorithm to achieve this for an arbitrary constructor $C^j_i$ with (possibly recursive) argument types $\sigma^j_{i,1}, \ldots, \sigma^j_{i,m^j_i}$ proceeds as follows. We first compute the number of elements of the datatype that are generated by constructors $C^j_{i'}$, with $i' < i$, using Lemma 3.6. This gives the index of the first element generated by constructor $C^j_i$. Next we compute a list of all elements of $(\sigma^j_{i,1})^{\mathbf{r}}$, and also of $(\sigma^j_{i,1})^{(r_1, \ldots, r_j - 1, \ldots, r_n)}$, in their canonical representation (similar to the lists shown in the above example). Note that we do not need to know the translation of datatype constructors to compute these lists (which would lead to infinite recursion), but we are merely working with HOL terms. Nevertheless, care must be taken to obtain an implementation that always terminates. To compute the list of canonical representations of elements of a datatype, we consider the datatype's constructors (together with their argument types), and form their application to all possible combinations of argument terms (in the order given by Def. 3.7). The argument terms are obtained by a recursive application of the enumeration function, where the size of the initial fragment of the datatype under consideration has been reduced by 1. (The 0-th initial fragment of each datatype is empty.) The constructor $C^j_i$ now maps those elements of $(\sigma^j_{i,1})^{\mathbf{r}}$ that are already present in $(\sigma^j_{i,1})^{(r_1, \ldots, r_j - 1, \ldots, r_n)}$ to subtrees which may contain defined values. For these elements, we proceed recursively over the remaining argument types $\sigma^j_{i,2}, \ldots, \sigma^j_{i,m^j_i}$. Elements of $(\sigma^j_{i,1})^{\mathbf{r}}$ that are not present in $(\sigma^j_{i,1})^{(r_1, \ldots, r_j - 1, \ldots, r_n)}$ are mapped to subtrees which contain undefined values only.
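The enumeration of initial fragments (Def. 3.2, in the order of Def. 3.7), the size formula of Lemma 3.6 and the constructor translation just described, as an added worked example in Python. It is written for this page and is not the thesis's implementation (which lives inside Isabelle). The representation is an assumption of the example: a datatype specification is a dictionary from datatype names to their constructors with argument type names, a ground type is an ordered list of its elements, and a constructor is translated to a nested list with one level per argument, where a leaf holding the index $i$ stands for $\mathit{Leaf}(\mathit{uv}^N_i)$ and None for $\mathit{undef}^N$. It reproduces the $(\alpha)\, \mathit{option}$, $(\alpha)\, \mathit{list}$ and $X$/$Y$ examples above, and handles non-recursive datatypes as the special case in which no argument fragment depends on $\mathbf{r}$.

```python
from itertools import product


class DatatypeFragments:
    """Initial fragments (Def. 3.2) in the order of Def. 3.7, their sizes (Lemma 3.6),
    and the index-level translation of constructors, for a (mutually recursive)
    datatype specification over a finite type model.  Example code for this page."""

    def __init__(self, datatypes, ground):
        # datatypes: name -> [(constructor, [argument type names])] in declaration order
        # ground:    name -> ordered list of the elements of a non-datatype (ground) type
        self.datatypes = datatypes
        self.ground = ground
        self.index = {name: j for j, name in enumerate(datatypes)}  # position j in r
        self._cache = {}

    @staticmethod
    def _pred(r, j):
        """(r_1, ..., r_j - 1, ..., r_n)."""
        return r[:j] + (r[j] - 1,) + r[j + 1:]

    def fragment(self, ty, r):
        """Elements of ty^r as canonical terms (constructor, args...) in Def. 3.7 order."""
        if ty not in self.datatypes:
            return list(self.ground[ty])            # case 2 of Def. 3.2
        key = (ty, r)
        if key not in self._cache:
            j = self.index[ty]
            elems = []
            if r[j] > 0:                            # the 0-th fragment is empty
                r_prev = self._pred(r, j)
                for cname, args in self.datatypes[ty]:
                    arg_sets = [self.fragment(a, r_prev) for a in args]
                    # product is lexicographic: the first argument is most significant
                    elems.extend((cname,) + combo for combo in product(*arg_sets))
            self._cache[key] = elems
        return self._cache[key]

    def size(self, ty, r):
        """|ty^r| by the sum-of-products formula of Lemma 3.6, without enumerating."""
        if ty not in self.datatypes:
            return len(self.ground[ty])
        j = self.index[ty]
        if r[j] == 0:
            return 0
        r_prev = self._pred(r, j)
        return sum(self._count(args, r_prev) for _, args in self.datatypes[ty])

    def _count(self, args, r_prev):
        """Number of elements generated by one constructor: product of argument sizes."""
        n = 1
        for a in args:
            n *= self.size(a, r_prev)
        return n

    def constructor_tree(self, ty, cname, r):
        """Translate constructor cname of ty at fragment r into a nested list with one
        level per argument (indexed by the argument type's fragment at r).  A leaf is the
        1-based index of the result in ty^r (standing for Leaf(uv_i^N)), or None where the
        result lies outside ty^r (standing for undef^N)."""
        j = self.index[ty]
        r_prev = self._pred(r, j)
        ctors = self.datatypes[ty]
        pos = [c for c, _ in ctors].index(cname)
        args = ctors[pos][1]
        # index of the first element generated by cname (Lemma 3.6 for earlier constructors)
        offset = sum(self._count(a, r_prev) for _, a in ctors[:pos])
        small = [self.fragment(a, r_prev) for a in args]   # arguments with defined results
        strides = [1] * len(args)
        for k in range(len(args) - 2, -1, -1):
            strides[k] = strides[k + 1] * len(small[k + 1])

        def undefined(k):                 # subtree holding undefined values only
            if k == len(args):
                return None
            return [undefined(k + 1) for _ in self.fragment(args[k], r)]

        def build(k, acc):
            if k == len(args):
                return offset + acc + 1
            at = {x: i for i, x in enumerate(small[k])}
            return [build(k + 1, acc + at[x] * strides[k]) if x in at else undefined(k + 1)
                    for x in self.fragment(args[k], r)]

        return build(0, 0)


def show(term):
    """Pretty-print a canonical term, e.g. ('B', ('C', ('F',))) -> 'B (C F)'."""
    if isinstance(term, str):
        return term
    name, *args = term
    parts = [name]
    for a in args:
        s = show(a)
        parts.append(f"({s})" if " " in s else s)
    return " ".join(parts)
```

For $(\alpha)\, \mathit{list}^3$ with $n = 2$ (so $N = 7$), `constructor_tree("list", "Cons", (3,))` returns `[[2, 3, None, None, 4, None, None], [5, 6, None, None, 7, None, None]]`, i.e. exactly the two child nodes of the tree displayed above; for the mutually recursive example, `constructor_tree("X", "C", (2, 1))` returns `[4, None, 5]`, because the argument $D\ (B\ A) \in Y^{(2,1)}$ is absent from $Y^{(1,1)}$.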
When the SAT solver returns a Boolean model, we need to print elements of datatypes that are given by their index (according to Def. 3.7) in a user-readable form, i.e. in their canonical representation involving (possibly nested) constructor applications. Of course the internals of our enumeration of datatype elements, i.e. the order that we use on datatype fragments, should not matter to the user. To print an element of a datatype $(\alpha_1, \ldots, \alpha_h)\, t_j$, we translate the datatype's constructors $C^j_1, \ldots, C^j_{k_j}$ to trees, and search for a tree that yields the element with the given index. Since every element of the datatype is generated by some constructor, we will find such a tree. The position of the element within the tree determines indices for the constructor's arguments (in their respective types). To print arguments whose type is again given by a datatype, this algorithm is applied recursively. Termination is guaranteed because every datatype element can be written with a finite number of constructor applications. We could implement the printing of datatype elements more efficiently, by computing the correct constructor and argument indices using an algorithmic "inverse" of Def. 3.7 (which allows us to compute an element's index from its canonical representation), but the current implementation has the advantage that it is completely independent of the order that we use on datatype fragments.

3.6.3 Recursive Functions

Isabelle/HOL provides convenient ways to define functions by primitive recursion on datatypes: e.g. the addition function on natural numbers may be defined as

    consts add :: nat → nat → nat
    primrec add 0 y = y
            add (Suc x) y = Suc (add x y).

Internally, such a definition is recast in terms of the recursion operator(s) on the datatype, which are provided by the datatype package. The above, for example, becomes
$$\mathit{add} = \mathit{nat\_rec}\ (\lambda y_{\mathit{nat}}.\; y)\ (\lambda x_{\mathit{nat}}\, f_{\mathit{nat} \to \mathit{nat}}\, y_{\mathit{nat}}.\; \mathit{Suc}\ (f\, y)).$$

(On a side note, the ability to perform recursion at higher-order types allows one to even define functions which are not (first-order) primitive recursive. The Ackermann function [2], for example, may be defined as

    consts Ack :: nat → nat → nat
    primrec Ack 0 y = Suc y
            Ack (Suc x) y = (Ack x)^(Suc y) (Suc 0),

where $f^n$ is defined as $n$-fold application of $f$.)
In general, the datatype specification stated at the beginning of Section 3.6 introduces recursion operators $\mathit{rec}_1, \ldots, \mathit{rec}_n$ of respective type
$$\begin{array}{l}
(\sigma^1_{1,1} \to \cdots \to \sigma^1_{1,m^1_1} \to \tau^1_{1,1} \to \cdots \to \tau^1_{1,m^1_1} \to \beta_1) \to \cdots \to \\
(\sigma^1_{k_1,1} \to \cdots \to \sigma^1_{k_1,m^1_{k_1}} \to \tau^1_{k_1,1} \to \cdots \to \tau^1_{k_1,m^1_{k_1}} \to \beta_1) \to \\
\cdots \to \\
(\sigma^n_{1,1} \to \cdots \to \sigma^n_{1,m^n_1} \to \tau^n_{1,1} \to \cdots \to \tau^n_{1,m^n_1} \to \beta_n) \to \cdots \to \\
(\sigma^n_{k_n,1} \to \cdots \to \sigma^n_{k_n,m^n_{k_n}} \to \tau^n_{k_n,1} \to \cdots \to \tau^n_{k_n,m^n_{k_n}} \to \beta_n) \to \\
(\alpha_1, \ldots, \alpha_h)\, t_j \to \beta_j
\end{array}$$
(for $1 \le j \le n$), where type $\tau^j_{i,i'}$ is present if and only if $\sigma^j_{i,i'}$ contains a mutually recursive datatype, and in this case $\tau^j_{i,i'} := \theta(\sigma^j_{i,i'})$, where $\theta$ is given by

1. $\theta((\alpha_1, \ldots, \alpha_h)\, t_j) := \beta_j$ (for $1 \le j \le n$), and
2. $\theta(\sigma_1 \to \sigma_2) := \sigma_1 \to \theta(\sigma_2)$.
Admissibility of $\sigma^j_{i,i'}$ ensures that $\theta$ eliminates all recursive datatype occurrences. (Indirect recursion is implemented by the datatype package via mutually recursive datatypes.) The internal definition of the recursion operators is based on an inductive definition of their graphs, from which the operator functions are obtained using Hilbert's choice [25]. Using this internal definition is again prohibitively expensive (in terms of translation time), so instead we have implemented a more direct translation which respects the relevant recursion equations for these operators. The relevant equations for operator $\mathit{rec}_j$ are
$$\begin{array}{rcl}
\mathit{rec}_j\, f^1_1 \ldots f^1_{k_1} \ldots f^n_1 \ldots f^n_{k_n}\, (C^j_1\, x^j_{1,1} \ldots x^j_{1,m^j_1}) & = & f^j_1\, x^j_{1,1} \ldots x^j_{1,m^j_1}\, y^j_{1,1} \ldots y^j_{1,m^j_1}, \\
& \vdots & \\
\mathit{rec}_j\, f^1_1 \ldots f^1_{k_1} \ldots f^n_1 \ldots f^n_{k_n}\, (C^j_{k_j}\, x^j_{k_j,1} \ldots x^j_{k_j,m^j_{k_j}}) & = & f^j_{k_j}\, x^j_{k_j,1} \ldots x^j_{k_j,m^j_{k_j}}\, y^j_{k_j,1} \ldots y^j_{k_j,m^j_{k_j}},
\end{array}$$
where argument $y^j_{i,i'}$ is present if and only if type $\tau^j_{i,i'}$ is present in the type of the recursion operator, and in this case $y^j_{i,i'} := \Theta(x^j_{i,i'})$, where $\Theta$ is given by

1. $\Theta(x_{(\alpha_1, \ldots, \alpha_h)\, t_j}) := \mathit{rec}_j\, f^1_1 \ldots f^1_{k_1} \ldots f^n_1 \ldots f^n_{k_n}\, x_{(\alpha_1, \ldots, \alpha_h)\, t_j}$ (for $1 \le j \le n$), and
2. $\Theta(x_{\sigma_1 \to \sigma_2}) := \lambda z_{\sigma_1}.\; \Theta((x_{\sigma_1 \to \sigma_2}\, z_{\sigma_1})_{\sigma_2})$.

Note that $\Theta(x_\sigma)$ has type $\theta(\sigma)$, as required for the above recursion equations to be type-correct.

We assume that trees for the arguments $f^1_1, \ldots, f^1_{k_1}, \ldots, f^n_1, \ldots, f^n_{k_n}$ are given (otherwise we use $\eta$-expansion to obtain sufficiently many arguments to $\mathit{rec}_j$), and focus on translating $\mathit{rec}_j\, f^1_1 \ldots f^1_{k_1} \ldots f^n_1 \ldots f^n_{k_n}$ as a function of type $(\alpha_1, \ldots, \alpha_h)\, t_j \to \beta_j$ then.
The case where $(\alpha_1, \ldots, \alpha_h)\, t_j$ is a non-recursive datatype is simple. Because of Def. 3.7, leaves (or subtrees in case $\beta_j$ is a function type) in $f^j_1, \ldots, f^j_{k_j}$ directly correspond to results of the recursion operator applied to elements of the datatype, in the order given. When $(\alpha_1, \ldots, \alpha_h)\, t_j$ is a recursive datatype, we have to take into account that constructors with recursive arguments become partial functions. Subtrees in $f^j_i$ that are obtained for a combination of constructor arguments $x^j_{i,1}, \ldots, x^j_{i,m^j_i}$ which are mapped to "undefined" by constructor $C^j_i$ (rather than to a defined element of the datatype) must be ignored.

The hard part is to obtain translations for the recursive arguments $y^j_{i,1}, \ldots, y^j_{i,m^j_i}$ (as far as they are present). This requires that we already know the translation of recursion operators $\mathit{rec}_{j'}$ of mutually recursive datatypes, at least for the constructor's arguments $x^j_{i,1}, \ldots, x^j_{i,m^j_i}$. Now Def. 3.7 does not (in general) imply $x^j_{i,i'} < C^j_i\, x^j_{i,1} \ldots x^j_{i,m^j_i}$, where $x^j_{i,i'}$ is a recursive argument. Therefore care must be taken again to obtain a terminating implementation. We recursively translate $\mathit{rec}_j\, f^1_1 \ldots f^1_{k_1} \ldots f^n_1 \ldots f^n_{k_n}\, x$ only for those arguments $x$ that are of interest, rather than $\mathit{rec}_j\, f^1_1 \ldots f^1_{k_1} \ldots f^n_1 \ldots f^n_{k_n}$ in its entirety. Termination is guaranteed then because each recursive invocation removes one constructor application from the argument.
Note that recursive functions (like addition and multiplication on $\mathit{nat}$, or list concatenation on type $(\alpha)\, \mathit{list}$), similar to datatype constructors with recursive arguments, will frequently become partial functions when we restrict the model to some initial fragment for their recursive codomain type. (E.g. $\mathit{add}\ m\ n$ is defined in $\mathit{nat}^r$ only if $m + n < r$, and undefined otherwise.) In this case, the translation of equality that was discussed in Section 3.2 will cause our translation of the defining equation for the recursive function to yield a tree whose meaning is either undefined or false, but never true, regardless of how the SAT solver chooses to interpret the function. Therefore if we add the defining equation to the set of relevant axioms, the SAT solver will unfortunately not be able to find a model that satisfies all relevant axioms.

This is not a problem when we simply unfold the definition of recursive functions, replacing the function constant by its definition in terms of the recursion operators. Otherwise however, it makes sense to translate defining equations with a different notion of equality. In contrast to what we said about equality in Section 3.2, we now consider two trees for the left-hand side and right-hand side of a definition equal iff they both denote the same (possibly partial) function. (This is the usual notion of equality on the space of partial functions.) Two "undefined" elements are considered equal to each other. This is more in the spirit of a definition, which should allow one to use the (tree for the) left-hand side as an equivalent abbreviation for the (tree for the) right-hand side, without changing the meaning of a formula from true to undefined. Note that we must use this notion of equality for definitions only, but not for equality operators in general: we do not want e.g. $\mathit{Suc}\ 0 = \mathit{Suc}\ (\mathit{Suc}\ 0)$ to hold in any model, not even when we are considering $\mathit{nat}^1$ only (where both sides of this equation are undefined), as this would violate freeness of constructors.
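The partiality of $\mathit{add}$ on $\mathit{nat}^r$ and the two notions of equality, as an added example in Python (constructed for this page; it is not the thesis's implementation, which works on propositional trees rather than on the values below). It models $\mathit{nat}^r = \{0, \ldots, r-1\}$ with $\mathit{Suc}$ and $\mathit{nat\_rec}$ as partial functions that propagate undefinedness, with Python's None standing in for the undefined leaf, defines $\mathit{add}$ by the rec-operator term shown above, and then evaluates the defining equation $\mathit{add}\ (\mathit{Suc}\ x)\ y = \mathit{Suc}\ (\mathit{add}\ x\ y)$ over all of $\mathit{nat}^r$ once with the equality of Section 3.2 (undefined whenever one side is) and once as equality of partial functions.

```python
UNDEF = None  # plays the role of the undefined leaf undef^r of the fragment


class NatFragment:
    """The initial fragment nat^r = {0, ..., r-1}, with Suc and nat_rec as partial functions.
    Example code for this page, not the thesis's translation."""

    def __init__(self, r):
        assert r > 0
        self.r = r
        self.elems = list(range(r))

    def suc(self, n):
        """Suc n lies outside nat^r when n + 1 >= r; undefinedness of n propagates."""
        if n is UNDEF or n + 1 >= self.r:
            return UNDEF
        return n + 1

    def nat_rec(self, f0, fsuc, n):
        """nat_rec f0 fsuc 0 = f0 and nat_rec f0 fsuc (Suc x) = fsuc x (nat_rec f0 fsuc x),
        evaluated only for the argument n of interest; each step strips one Suc."""
        if n is UNDEF:
            return UNDEF
        acc = f0
        for x in range(n):
            acc = fsuc(x, acc)
        return acc

    def add(self, m, n):
        """add = nat_rec (λy. y) (λx f y. Suc (f y)), applied to m and n."""
        fn = self.nat_rec(lambda y: y, lambda x, f: (lambda y: self.suc(f(y))), m)
        return UNDEF if fn is UNDEF else fn(n)


def eq_general(a, b):
    """Equality as translated in Section 3.2: undefined as soon as one side is undefined."""
    if a is UNDEF or b is UNDEF:
        return UNDEF
    return a == b


def all3(values):
    """Three-valued universal quantification over a finite domain."""
    vals = list(values)
    if any(v is False for v in vals):
        return False
    if any(v is UNDEF for v in vals):
        return UNDEF
    return True


def eq_definitional(f, g, domain):
    """Equality of partial functions, to be used for defining equations only: f and g must
    be undefined at the same points and agree wherever they are defined."""
    return all(f(x) == g(x) for x in domain)   # None == None holds


def defined_add_pairs(r):
    """Pairs (m, n) with add m n defined in nat^r; these are exactly those with m + n < r."""
    N = NatFragment(r)
    return [(m, n) for m in N.elems for n in N.elems if N.add(m, n) is not UNDEF]


def add_equation_general(r):
    """∀x y. add (Suc x) y = Suc (add x y) over nat^r with the general equality: the
    result is undefined (never True), since some instance has an undefined side."""
    N = NatFragment(r)
    return all3(eq_general(N.add(N.suc(x), y), N.suc(N.add(x, y)))
                for x in N.elems for y in N.elems)


def add_equation_definitional(r):
    """The same defining equation read as equality of partial functions on nat^r × nat^r."""
    N = NatFragment(r)
    domain = [(x, y) for x in N.elems for y in N.elems]
    return eq_definitional(lambda p: N.add(N.suc(p[0]), p[1]),
                           lambda p: N.suc(N.add(p[0], p[1])), domain)
```

Under the general equality the defining equation evaluates to undefined for every $r$, so adding it as an axiom would leave no satisfiable translation; under partial-function equality it holds. The same partial-function equality would also identify $\mathit{Suc}\ 0$ and $\mathit{Suc}\ (\mathit{Suc}\ 0)$ in $\mathit{nat}^1$ (both undefined), which is exactly why it is reserved for definitions.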

3.7 Records and Sets


Isabelle/HOL provides a type $(\alpha)\, \mathit{set}$, containing sets whose elements are of type $\alpha$. This type is isomorphic to (and, wrt. the translation, is treated as) $\alpha \to \mathit{bool}$. The constant $\mathit{Collect}$ (set comprehension) of type $(\alpha \to \mathit{bool}) \to (\alpha)\, \mathit{set}$ is simply ignored when encountered with an argument, and translated as the identity function otherwise. The constant $\mathit{op}\,{:}$ (set membership) of type $\alpha \to (\alpha)\, \mathit{set} \to \mathit{bool}$, when translated, applies its second argument to its first argument, i.e. $x : P$ is translated as $P\, x$. Eta expansion is used when $\mathit{op}\,{:}$ occurs with less than two arguments. This translation clearly satisfies the two relevant axioms
$$\mathit{mem\_Collect\_eq}:\quad (a : \{x.\; P\, x\}) = P\, a$$
and
$$\mathit{Collect\_mem\_eq}:\quad \{x.\; x : A\} = A,$$
which are declared in HOL/Set.thy. (The notation $\{x.\; P\, x\}$ is merely syntactic sugar for $\mathit{Collect}\ (\lambda x.\; P\, x)$, and $\mathit{op}\,{:}$ is written in infix notation as usual.) All other operations on sets, e.g. union, intersection, and the powerset operator, as well as related constants, e.g. $\{\}$ (the empty set) and $\mathit{UNIV}$ (the set containing every element of the underlying type), are derived concepts that can be treated by considering their respective definitions.

Moreover, Isabelle/HOL offers a simple interface to define extensible records with structural subtyping [121]. A general record definition has the form
$$\mathbf{record}\ (\alpha_1, \ldots, \alpha_k)\, r = \sigma + F_1 :: \sigma_1\ \ldots\ F_n :: \sigma_n,$$
where $\alpha_1, \ldots, \alpha_k$ are type variables, $\sigma$ is an (entirely optional) instance of a previously defined parent record type (with $\mathrm{TyVars}(\sigma) \subseteq \{\alpha_1, \ldots, \alpha_k\}$), and $F_1, \ldots, F_n$ are the field names (annotated with their respective types $\sigma_1, \ldots, \sigma_n$) of the new record type $r$. Each field type $\sigma_i$ may again contain at most the type variables $\alpha_1, \ldots, \alpha_k$.

Internally, such a record definition is translated into a set of type and constant definitions (see Section 3.4). The new record type is defined to be isomorphic to the cartesian product $\sigma \times \sigma_1 \times \cdots \times \sigma_n \times \mathit{unit}$. The final $\mathit{unit}$ component (denoting a type with a single element) is added for technical reasons, as an instance of a polymorphic "more" field to achieve extensibility of the record type. In addition, an accessor function $F_i$ of type $(\alpha_1, \ldots, \alpha_k)\, r \to \sigma_i$ is defined for each field of the record type.

Currently we translate records simply by considering the generated type and constant definitions, without further special treatment. This could be improved by making immediate use of the fact that record types are isomorphic to cartesian products. Treating them as cartesian products directly would avoid introducing an isomorphic type copy with its abstraction and representation functions, but this, although simple in theory, is future work.


3.8 HOLCF


HOLCF [120, 141], as it has been implemented for Isabelle, is the definitional extension of Church's Higher-Order Logic with Scott's Logic for Computable Functions. The logic supports standard domain theory (in particular fixed-point reasoning and recursive domain equations), but also coinductive arguments about lazy datatypes. A detailed description can be found in [140].
HOLCF, as a definitional extension of HOL, only makes use of concepts that we have discussed before, in particular of axiomatic type classes. Hence in principle no special treatment is necessary. However, the treatment of certain class axioms can be optimized because they trivially hold for every finite model. Central to HOLCF are the notions of partial order and chain.
Definition 3.11 (Partial Order). A function ⊑ : α → α → bool is a partial order iff ⊑ is reflexive (i.e. ∀x. x ⊑ x), antisymmetric (i.e. ∀x, y. x ⊑ y ∧ y ⊑ x =⇒ x = y), and transitive (i.e. ∀x, y, z. x ⊑ y ∧ y ⊑ z =⇒ x ⊑ z).
Definition 3.12 (Chain). Let ⊑ : α → α → bool be a partial order. A function f : nat → α is a chain (wrt. ⊑) iff ∀i. f i ⊑ f (Suc i).
When we consider a model where the naturals are restricted to an initial fragment, e.g. {0, ..., r}, we require f i ⊑ f (Suc i) to hold only for all i where Suc i is defined, i.e. for all i ∈ {0, ..., r − 1}.
Definition 3.13 (Chain Maximum). A chain f contains its maximum at position i iff ∀j. i ≤ j =⇒ f i = f j.
Definition 3.14 (Finite Chain). A chain is finite iff it contains its maximum (at some position).
The following lemma is immediate for the kind of finite models considered by our translation to propositional logic.
Lemma 3.15. When the meaning of nat is given by an initial fragment nat_r = {0, ..., r − 1} (for some r > 0), every chain is finite.

Proof. In such a model, every chain contains its maximum at position r − 1.

Furthermore, the maximum is also the chain's least upper bound.
Definition 3.16 (Upper Bound). A chain f has upper bound x iff ∀i. f i ⊑ x.
Definition 3.17 (Least Upper Bound). A chain f has least upper bound x iff f has upper bound x, and whenever f has upper bound y, then x ⊑ y.
Lemma 3.18. A chain f that contains its maximum at position i has least upper bound f i.

Proof. For j < i, we have f j ⊑ f i because f is a chain, and ⊑ is transitive. For i ≤ j, f i = f j because f contains its maximum at position i. Hence ∀j. f j ⊑ f i, so f has upper bound f i. Now suppose that f has upper bound y. Then ∀j. f j ⊑ y, hence in particular f i ⊑ y.



A partial order is said to be complete iff every chain has a least upper bound.
Definition 3.19 (Complete Partial Order). A partial order ⊑ : α → α → bool is complete iff every chain f : nat → α has a least upper bound (wrt. ⊑).
Lemma 3.20. When the meaning of nat is given by an initial fragment nat_r = {0, ..., r − 1} (for some r > 0), every partial order is complete.

Proof. This is an easy corollary of Lemma 3.15 and Lemma 3.18.

Likewise we can show that every partial order in a finite model is chain-finite.
Definition 3.21 (Chain-Finite). A partial order ⊑ : α → α → bool is chain-finite iff every chain f : nat → α is finite (wrt. ⊑).
Lemma 3.22. When the meaning of nat is given by an initial fragment nat_r = {0, ..., r − 1} (for some r > 0), every partial order is chain-finite.

Proof. This is an immediate consequence of Lemma 3.15.

These results perhaps raise the question of how interesting the HOLCF setting really is when we restrict ourselves to finite models, but first and foremost they show that the class axioms characterizing complete and chain-finite partial orders do not need to be translated to propositional logic and passed to the SAT solver. They can safely be ignored, even if they had otherwise been relevant for a given formula: any model that the SAT solver may find will automatically satisfy these axioms anyway.
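To make this concrete, the following Python program is an added example (not part of the thesis or of its Isabelle implementation). It enumerates, for a small constructed poset and for nat restricted to nat_r = {0, ..., r − 1}, every function f : nat_r → α, keeps those that are chains in the sense of Def. 3.12, and checks Lemmas 3.15 and 3.18 on each of them. The flat domain used as input, the name `check_finite_model` and the element names are assumptions of the example; any finite partial order can be passed instead, which is the generalization the lemmas make.

```python
"""Brute-force check of Lemmas 3.15 and 3.18 over a finite model (added example)."""
from itertools import product

# Constructed finite poset: the flat domain over {'a', 'b'} with bottom 'bot',
# i.e. x ⊑ y iff x = y or x = 'bot'.  Any finite partial order can be used instead.
FLAT = ('bot', 'a', 'b')


def flat_leq(x, y):
    return x == y or x == 'bot'


def is_chain(f, leq):
    """Def. 3.12 on nat_r: f i ⊑ f (Suc i) for every i for which Suc i is defined."""
    return all(leq(f[i], f[i + 1]) for i in range(len(f) - 1))


def has_maximum_at(f, i):
    """Def. 3.13: f i = f j for all j >= i."""
    return all(f[i] == f[j] for j in range(i, len(f)))


def is_lub(f, x, elements, leq):
    """Def. 3.17: x is an upper bound of f and lies below every upper bound y."""
    def upper(y):
        return all(leq(v, y) for v in f)
    return upper(x) and all(leq(x, y) for y in elements if upper(y))


def check_finite_model(elements, leq, r):
    """Enumerate every f : nat_r -> elements, keep the chains, and verify that each
    one contains its maximum at position r-1 (Lemma 3.15) and that f (r-1) is its
    least upper bound (Lemma 3.18).  Returns the number of chains checked."""
    chains = 0
    for f in product(elements, repeat=r):
        if not is_chain(f, leq):
            continue
        chains += 1
        if not has_maximum_at(f, r - 1) or not is_lub(f, f[r - 1], elements, leq):
            raise AssertionError(f"class axiom violated by chain {f}")
    return chains


if __name__ == "__main__":
    for r in (1, 2, 3, 4):
        n = check_finite_model(FLAT, flat_leq, r)
        print(f"r={r}: {n} chains, each finite with lub f(r-1)")
```

Because the enumeration is exhaustive, the run is a proof of Lemma 3.20 for the given poset and r; it is also the reason the class axioms can be dropped from the SAT encoding, since no assignment the solver could produce would ever violate them.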

3.9 Conclusion

We have discussed some optimizations of the translation from HOL to propositional logic that was presented in Chapter 2, and we have shown how the translation can be extended from the core HOL language (which is based on the simply typed λ-calculus) to the various definitional mechanisms and logical features that are present in the Isabelle/HOL implementation of higher-order logic. Both aspects are important steps towards a practically useful tool for (counter-)model generation, which should ideally cover the full input language of the theorem prover, while being reasonably efficient.



Chapter 4

Case Studies

It is not enough to aim; you must hit.
Italian proverb

We have applied Isabelle's finite model generation techniques to obtain a correctness proof for a security protocol, counterexamples to conjectures about probabilistic programs, and a Sudoku solver. The details are presented in this chapter.

4.1 Introduction

The model generation algorithm presented in Chapters 2 and 3, when applied to formulae of higher-order logic, has non-elementary complexity. Consider for instance HOL terms f_{σ→α}, where σ is of the form bool, bool → bool, (bool → bool) → bool, etc. Let n be the total number of bool type constructors in σ. Then the meaning of σ (wrt. any standard type model, cf. Def. 2.14) is given by a set of size 2↑↑n. (Here ↑ is Knuth's arrow notation [91], i.e. $2 \uparrow\uparrow n = 2^{2^{\cdot^{\cdot^{\cdot^{2}}}}}$ with n occurrences of 2.) Consequently, f_{σ→α} is translated as a tree of width 2↑↑n (cf. Section 2.3.3), which (for n ∈ ℕ) is a rather fast growing function: already 2↑↑4 = 65,536, and 2↑↑5 has 19,729 digits [151]. It is therefore easy to give HOL formulae for which the translation to propositional logic fails due to time or memory constraints.
Moreover, even if the translation succeeds, the SAT solver's task of finding a satisfying assignment for the resulting propositional formula is of course NP-complete [44], hence of exponential complexity (in the number of Boolean variables) unless P = NP. It is therefore also quite easy to find HOL formulae for which all current SAT solvers will run out of resources, despite the translation to propositional logic being trivial: any sufficiently complex propositional formula will do.
This may seem discouraging, but it does not necessarily render the model generation algorithm useless for practical purposes. In fact, higher-order types like the one above rarely occur in




practice. We do not aim to make a strong case for Daniel Jackson's "small scope hypothesis", which states that most design flaws in system models can be illustrated by small instances [9], but we want to demonstrate the utility of our algorithm further by applying it to several (small to medium-sized) case studies. In this chapter, we briefly consider the RSA-PSS security protocol (Section 4.2), counterexamples for probabilistic programs (Section 4.3), and Sudoku puzzles (Section 4.4).

4.2 The RSA-PSS Security Protocol

A significant amount of research is concerned with the formal modeling and verification of secure systems, and security protocols in particular. In Isabelle, Larry Paulson's inductive approach [135] has been used to verify various protocols, e.g. the Transport Layer Security (TLS) protocol [137]. In this section, we shall use an encoding of protocols as first-order clauses that is based on the popular Dolev-Yao threat model [51]. The Dolev-Yao model assumes a worst-case scenario, where the attacker can intercept and possibly alter any message in any way (within his computational power). Central is a unary predicate knows that describes the attacker's knowledge. Jürjens [85, 86] sketches a mechanic translation of protocols (given as UML [80] sequence diagrams) into this first-order encoding, and he discusses how automated first-order theorem provers can be used to obtain attacks on protocols. We want to show how (counter-)model generation can be used to prove protocols secure.

4.2.1 Abstract Protocol Formalization
We investigate the RSA-PSS security protocol [145], a digital signature scheme that follows the usual "hash-then-sign" paradigm. RSA refers to the (now classic) algorithm for public-key cryptography devised by Ron Rivest, Adi Shamir, and Leonard Adleman [142, 143]. PSS stands for "Probabilistic Signature Scheme", first described by Mihir Bellare and Phillip Rogaway [20]. Starting with a message M that is to be signed, the RSA-PSS protocol—at a very abstract level—proceeds in two steps:
1. Apply a one-way hash function to the message M to produce an encoded message hashpss M.
2. Apply a signature function to the encoded message, using a private key k, to produce a signature sign (hashpss M) k.
The message M is then sent together with its signature, sign (hashpss M) k. The signature can be verified by the receiver using the sender's public key k⁻¹. (RSA-PSS is not an encryption algorithm. If the contents of M need to be kept secret, any such algorithm can be used to encrypt M before transmission. The ciphertext is then decrypted by the receiver before signature verification.)
A detailed Isabelle/HOL formalization of the RSA-PSS protocol (by Christina Lindenberg and Kai Wirt) is available [96]. For our purposes however, it will be sufficient to model hashing and signing as uninterpreted functions. We take these functions as primitives, without aiming to verify the mathematics that is underlying their implementation. A third function, conc, forms the concatenation of two messages. We write a :: b for conc a b, and {M}k for sign M k.



A naive implementation of the RSA signature function suffers from an undesirable homomorphism property, which allows computing the signature of concatenated messages from signatures for their components (and vice versa) without knowledge of the private key k:

{a :: b}k = {a}k :: {b}k.

Our goal is rather simple: we want to show that PSS hashing (when considered a primitive) breaks this homomorphism property, thereby improving security of the signature scheme. An early version of this analysis is described in [180]. The first-order clauses that model the RSA-PSS protocol and the abilities of a potential Dolev-Yao attacker are as follows.

1. The attacker can decrypt, provided he knows the decryption key:
∀A, K. knows {A}K ∧ knows K⁻¹ =⇒ knows A.

2. We only assume the signature function to be cryptographically strong, but not the hash function. The attacker can recover hashed messages:
∀A. knows (hashpss A) =⇒ knows A.

3. The attacker can concatenate and encrypt:
∀A, B. knows A ∧ knows B =⇒ knows A :: B ∧ knows {A}B.

4. The attacker can decompose messages:
∀A, B. knows A :: B =⇒ knows A ∧ knows B.

5. The attacker can hash:
∀A. knows A =⇒ knows (hashpss A).

6. The signature function satisfies the homomorphism property discussed above (1):
∀A, B, K. knows {A :: B}K =⇒ knows {A}K ∧ knows {B}K.

7. The signature function satisfies the homomorphism property discussed above (2):
∀A, B, K. knows {A}K ∧ knows {B}K =⇒ knows {A :: B}K.

We consider a protocol run where the message a :: b is signed with some private key k according to the RSA-PSS protocol and then transmitted over an insecure connection, so the attacker also has initial knowledge of this message and its signature. In addition, the attacker knows the sender's public key.

8. knows (a :: b) :: {hashpss (a :: b)}k.



9. knows k⁻¹.

The knows predicate can be seen as an inductive characterization of the attacker's knowledge. Starting from some initial knowledge, the attacker can extend his knowledge with every message exchange of the protocol, and by computing new facts (within his computational abilities) from facts that he knows already. However, we do not ensure that knows actually denotes a least fixed point. The knows predicate is merely an upper bound on the attacker's knowledge; an interpretation where the attacker knows everything is allowed, but would be uninteresting.
If we consider a modified protocol without PSS hashing (by replacing Clause (8) with knows (a :: b) :: {a :: b}k), then it is easy to show that the attacker can forge the signature for message b :: a, using the homomorphism property that we assumed for the signature function. A machine-checked version of this result is shown below.

lemma assumes remove_sign: "∀A K. knows (sign A K) ∧ knows (invs K) −→ knows A"
  and remove_hashpss: "∀A. knows (hashpss A) −→ knows A"
  and construct_msg: "∀A B. knows A ∧ knows B −→ knows (conc A B) ∧ knows (sign A B)"
  and deconstruct_msg: "∀A B. knows (conc A B) −→ knows A ∧ knows B"
  and hashpss: "∀A. knows A −→ knows (hashpss A)"
  and sign_hom_1: "∀A B K. knows (sign (conc A B) K) −→
    knows (sign A K) ∧ knows (sign B K)"
  and sign_hom_2: "∀A B K. knows (sign A K) ∧ knows (sign B K) −→
    knows (sign (conc A B) K)"
  and modified_protocol_msg: "knows (conc (conc a b) (sign (conc a b) k))"
  and public_key: "knows (invs k)"
  shows "knows (sign (conc b a) k)"
proof -
  from modified_protocol_msg deconstruct_msg sign_hom_1 have sign_b_k: "knows (sign b k)" by blast
  from modified_protocol_msg deconstruct_msg sign_hom_1 have sign_a_k: "knows (sign a k)" by blast
  from sign_b_k sign_a_k sign_hom_2 show ?thesis by blast
qed

However, from Clauses (1)–(9), can we conclude that the attacker knows {hashpss (b :: a)}k? (In our formalization, it is certainly possible that the attacker knows this signature—since the knows predicate, as discussed above, may be true everywhere—, but is it also necessary?) An encoding of this problem in TPTP syntax [155] is shown in Figure 4.1. Various first-order provers, including E-SETHEO [60] and SPASS [169], fail to provide meaningful output for this problem. The Isabelle/HOL encoding of the same problem (which, apart from Clause (8) and the conjecture, is identical to the problem shown above) can be used directly as input to the model generation algorithm:
lemma assumes remove_sign: "∀A K. knows (sign A K) ∧ knows (invs K) −→ knows A"
  and remove_hashpss: "∀A. knows (hashpss A) −→ knows A"
  and construct_msg: "∀A B. knows A ∧ knows B −→ knows (conc A B) ∧ knows (sign A B)"
  and deconstruct_msg: "∀A B. knows (conc A B) −→ knows A ∧ knows B"



  and hashpss: "∀A. knows A −→ knows (hashpss A)"
  and sign_hom_1: "∀A B K. knows (sign (conc A B) K) −→
    knows (sign A K) ∧ knows (sign B K)"
  and sign_hom_2: "∀A B K. knows (sign A K) ∧ knows (sign B K) −→
    knows (sign (conc A B) K)"
  and protocol_msg: "knows (conc (conc a b) (sign (hashpss (conc a b)) k))"
  and public_key: "knows (invs k)"
  shows "knows (sign (hashpss (conc b a)) k)"
apply (cut_tac prems)
refute
oops

(Isabelle's oops command aborts a failed proof attempt. No theorem is established in this case.) Using zChaff [119] as the underlying SAT solver, our Isabelle implementation of model generation finds a counterexample with 4 elements in about 3 seconds on a current personal computer. (This implies that there are no counterexamples with less than 4 elements, cf. Section 2.4.2.) The model—in text form, as rendered by Isabelle—is shown in Figure 4.2. One can easily verify by hand that the model indeed satisfies Clauses (1)–(9) and the negation of the conjecture. Other model generators, e.g. Paradox [41], find similar counterexamples.
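The following Python program is an added example (not part of the thesis, and not the Isabelle or TPTP encoding above). It computes the knows predicate of Clauses (1)–(7) as a least fixed point over the free term algebra of messages, truncated to messages of a bounded size, since Clauses (3) and (5) generate infinitely many messages. Run on the modified protocol message without PSS hashing, it reproduces the forgery of the machine-checked lemma and records which clauses were used; run on Clauses (8) and (9) as stated, it finds no derivation of {hashpss (b :: a)}k within the bound. The second result is merely consistent with the 4-element counter-model: a bounded search cannot exclude longer derivations, whereas the model found by refute does. The tuple encoding of messages, the size bound and all names (`Attacker`, `attack_with_pss`, ...) are assumptions of the example.

```python
"""Bounded saturation of the Dolev-Yao clauses for the abstract RSA-PSS model (added example)."""
from collections import deque

# Messages are nested tuples: ('a',), ('b',), ('k',), ('invs', key),
# ('hashpss', m), ('conc', m1, m2), ('sign', m, key).
A, B, K = ('a',), ('b',), ('k',)


def conc(x, y):
    return ('conc', x, y)


def sign(m, key):
    return ('sign', m, key)


def hashpss(m):
    return ('hashpss', m)


def invs(key):
    return ('invs', key)


def size(t):
    """Number of constructor nodes; derived messages above the bound are dropped."""
    return 1 + sum(size(c) for c in t[1:])


class Attacker:
    """knows as the least fixed point of Clauses (1)-(7), truncated to messages of
    at most max_size nodes (the initial facts of Clauses (8)/(9) are exempt)."""

    def __init__(self, initial, max_size):
        self.max_size = max_size
        self.known = set()
        self.by_size = {}
        self.why = {}              # message -> (clause, premises) of its first derivation
        self.work = deque()
        for m in initial:
            self._learn(m, 'initial', ())
        self._saturate()

    def knows(self, m):
        return m in self.known

    def _learn(self, m, clause, premises):
        if m in self.known or (clause != 'initial' and size(m) > self.max_size):
            return
        self.known.add(m)
        self.by_size.setdefault(size(m), []).append(m)
        self.why[m] = (clause, premises)
        self.work.append(m)

    def _partners(self, m):
        """Known messages small enough to be paired with m under a binary constructor."""
        budget = self.max_size - 1 - size(m)
        return [u for s in range(1, budget + 1) for u in self.by_size.get(s, ())]

    def _saturate(self):
        while self.work:
            m = self.work.popleft()
            head = m[0]
            if head == 'conc':                                     # (4) decompose
                self._learn(m[1], 'deconstruct_msg', (m,))
                self._learn(m[2], 'deconstruct_msg', (m,))
            elif head == 'hashpss':                                # (2) recover hashed message
                self._learn(m[1], 'remove_hashpss', (m,))
            elif head == 'sign':
                body, key = m[1], m[2]
                if invs(key) in self.known:                        # (1) decrypt with known key
                    self._learn(body, 'remove_sign', (m, invs(key)))
                if body[0] == 'conc':                              # (6) homomorphism: split
                    self._learn(sign(body[1], key), 'sign_hom_1', (m,))
                    self._learn(sign(body[2], key), 'sign_hom_1', (m,))
                for u in [u for u in self.known if u[0] == 'sign' and u[2] == key]:
                    self._learn(sign(conc(body, u[1]), key), 'sign_hom_2', (m, u))  # (7)
                    self._learn(sign(conc(u[1], body), key), 'sign_hom_2', (u, m))
            elif head == 'invs':                                   # (1) key learned last
                for u in [u for u in self.known if u[0] == 'sign' and u[2] == m[1]]:
                    self._learn(u[1], 'remove_sign', (u, m))
            self._learn(hashpss(m), 'hashpss', (m,))               # (5) hash
            for u in self._partners(m):                            # (3) concatenate, sign
                for x, y in ((m, u), (u, m)):
                    self._learn(conc(x, y), 'construct_msg', (x, y))
                    self._learn(sign(x, y), 'construct_msg', (x, y))

    def derivation(self, m):
        """Clauses used to derive m from the initial knowledge, premises first."""
        steps, seen = [], set()

        def walk(u):
            if u in seen:
                return
            seen.add(u)
            clause, premises = self.why[u]
            for p in premises:
                walk(p)
            if clause != 'initial':
                steps.append(clause)
        walk(m)
        return steps


def attack_without_pss(max_size=6):
    """Modified Clause (8) without hashing; the target is the forged {b :: a}k."""
    att = Attacker([conc(conc(A, B), sign(conc(A, B), K)), invs(K)], max_size)
    return att, sign(conc(B, A), K)


def attack_with_pss(max_size=6):
    """Clauses (8) and (9) as stated; the target is {hashpss (b :: a)}k."""
    att = Attacker([conc(conc(A, B), sign(hashpss(conc(A, B)), K)), invs(K)], max_size)
    return att, sign(hashpss(conc(B, A)), K)


if __name__ == "__main__":
    att, target = attack_without_pss()
    print("forged without PSS:", att.knows(target), att.derivation(target))
    att, target = attack_with_pss()
    print("forged with PSS (within bound):", att.knows(target))
```

The derivation printed for the unhashed variant is exactly the proof of the lemma above: deconstruct_msg, sign_hom_1 twice, sign_hom_2. With hashing, sign_hom_1 never fires because the only signed body is hashpss (a :: b) rather than a concatenation, so the homomorphism never exposes component signatures; this is the mechanism the counter-model certifies for all derivation lengths.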

4.2.2 Avoiding Confusion
There is a subtlety present in our formalization. The conc function is supposed to denote the concatenation of messages; in the model however, conc is (necessarily, since the model is finite) not injective. More generally, this means that certain intuitively different messages are identified in the model. If we view the functions hashpss, sign and conc, as well as the constants a and b, as free generators of a term algebra of messages, then the model violates the no confusion property [70], which would require it to identify only those terms that are syntactically equal. To solve this problem, we note that Clauses (1)–(9) are all (equivalent to one or two) strict Horn clauses. The following definitions are taken from [71].
Definition 4.1 (Horn Formula). A quantifier-free formula is said to be a Horn formula iff it has one of the three forms
1. ϕ,
2. ϕ1 ∧ ··· ∧ ϕn =⇒ ϕ,
3. ¬(ϕ1 ∧ ··· ∧ ϕn),
where the formulae ϕ1, ..., ϕn, ϕ are all atomic.
Definition 4.2 (Horn Clause). A Horn clause is a formula that consists of universal (first-order) quantifiers followed by a quantifier-free Horn formula.
Definition 4.3 (Strict Horn Clause). A Horn clause is said to be strict iff no negation sign occurs in it, i.e. iff it comes from a Horn formula of the first or second kind.
Theories consisting of strict Horn clauses always have an initial model. This is known as the initial model theorem [70, 71].



input_formula(remove_sign, axiom, (![A,K] : ((knows(sign(A,K)) & knows(invs(K))) => knows(A)))).

input_formula(remove_hashpss, axiom, (![A] : (knows(hashpss(A)) => knows(A)))).

input_formula(construct_msg, axiom, (![A,B] : ((knows(A) & knows(B)) => (knows(conc(A,B)) & knows(sign(A,B)))))).

input_formula(deconstruct_msg, axiom, (![A,B] : (knows(conc(A,B)) => (knows(A) & knows(B))))).

input_formula(hashpss, axiom, (![A] : (knows(A) => knows(hashpss(A))))).

input_formula(sign_hom_1, axiom, (![A,B,K] : (knows(sign(conc(A,B),K)) => (knows(sign(A,K)) & knows(sign(B,K)))))).

input_formula(sign_hom_2, axiom, (![A,B,K] : ((knows(sign(A,K)) & knows(sign(B,K))) => knows(sign(conc(A,B),K))))).

input_formula(protocol_msg, axiom, knows(conc(conc(a,b), sign(hashpss(conc(a,b)),k)))).

input_formula(public_key, axiom, knows(invs(k))).

input_formula(attack, conjecture, knows(sign(hashpss(conc(b,a)),k))).

Figure 4.1: TPTP encoding of the RSA-PSS protocol



*** Model found: ***
Size of types: 'a: 4
conc: ... (a2, {(a0, a2), (a1, a2), (a2, a2), (a3, a2)}), ...
sign: ... (a1, {(a0, a1), (a1, a1), (a2, a2), (a3, a0)}), ...
knows: {(a0, True), (a1, True), (a2, False), (a3, True)}

Figure 4.2: Model showing security of RSA-PSS hashing


Theorem 4.4 (Initial Model Theorem). Let T be a theory consisting of strict universal Horn sentences. Then T has a model A with the property that for every model B of T there is a unique homomorphism from A to B. (Such a model A is called an initial model of T. It is unique up to isomorphism.)

The initial model satisfies the no confusion property [70]; its universe is indeed the (freely generated) term algebra of messages. Moreover, since knows {hashpss (b :: a)}k fails in the 4-element model found by Isabelle, existence of a homomorphism (in the sense of [71]) from the initial model to the 4-element model implies that knows {hashpss (b :: a)}k must also fail in the initial model. Thus we have shown that also with a more traditional algebraic interpretation of message concatenation, a Dolev-Yao attacker cannot generally forge RSA-PSS signatures (provided the actual implementations of hashing and signing do not have cryptographic weaknesses that would allow him to do so).

4.3 Probabilistic Programs

The mechanization of proofs for probabilistic programs is particularly challenging due to the verification of real-valued properties that are entailed by probability. Experience has shown that there are difficulties in automating real-number arithmetic in the context of other program features. The infinite domain of reals needed for quantitative analysis for example prevents the provision of counterexample search via state exploration [148].
In this section, we describe a framework for verification of probabilistic distributed systems (developed jointly with Annabelle McIver [108]) based on a generalization of Kleene algebra with tests [94]. First, it is shown how a model for probabilistic systems LS can be interpreted over a Kleene-style program algebra, so that explicit probabilistic reasoning is reduced significantly. Second, we propose a model of abstract probabilities KS that is susceptible to complete semantic exploration, yielding counterexamples even for the probabilistic model LS.



The abstract model has been formalized in Isabelle/HOL, thereby making our implementation of finite model generation applicable to probabilistic programs.

4.3.1 The Probabilistic Model LS
Probabilistic systems can show both quantifiable and unquantifiable non-deterministic behavior. The chance of winning an automated lottery is an example of the former, while the precise order of concurrent events can be an example of the latter. The transition-system style model that is now generally accepted for probabilistic systems [107] uses probability distributions to model quantifiable behavior, and sets of distributions to model unquantifiable non-determinism. This model is closely related to Markov decision processes [174].
Definition 4.5 (Discrete Probability Distribution). Let S be a set. A function f : S → [0, 1] is called a discrete probability distribution (over S) iff {s ∈ S | f(s) ≠ 0} is at most countable, and $\sum_{s \in S} f(s) = 1$.
In this section, we consider finite state spaces S only. We write $\overline{S}$ for the set of discrete probability distributions over S. A point distribution centered at point k is denoted by $δ_k$, i.e. $δ_k(s) := 1$ if s = k, and $δ_k(s) := 0$ otherwise. The (p, 1 − p)-weighted average of two distributions d and d', i.e. $p·d + (1 − p)·d'$ (for 0 ≤ p ≤ 1), is written $d\,{}_p\!\oplus\,d'$. If K is a subset of S, and d is a discrete probability distribution over S, we write d(K) for $\sum_{s \in K} d(s)$.
Thus, a probabilistic system with finite state space S is modelled by a function from initial states to subsets of distributions over final states, i.e. a function from S to $\mathcal{P}(\overline{S})$. For example, a program that simulates a fair coin is modelled by a function that maps an arbitrary state s to the evenly weighted average of the two point distributions representing heads and tails (but see below): $s ↦ \{δ_{head}\,{}_{1/2}\!\oplus\,δ_{tail}\}$.
The details are still a bit more complicated. We follow Morgan et al. [118] in taking a domain-theoretic approach, where the result sets of the semantic functions are restricted according to an underlying order on the state space. In addition, we distinguish special "miraculous" or infeasible behavior. Miracles, which will be associated with a special state ⊤ in the semantics, have various applications in program semantics [94, 116, 117]. Here, they will work particularly well with our simple Kleene-style program algebra. We write $S_⊤$ for S ∪ {⊤}, where ⊤ is assumed to be not in S. The underlying order ⊑ is chosen so that ⊤ dominates all states in S, which are otherwise unrelated.
Definition 4.6 (Probabilistic Power Domain). A probabilistic power domain is a pair $(\overline{S_⊤}, ⊑_D)$, where $⊑_D$ is the order on $\overline{S_⊤}$ that is induced from ⊑, i.e.
$d ⊑_D d'$ iff $∀s ∈ S.\ d(s) ≥ d'(s)$.
Remark 4.7. Let $d, d' ∈ \overline{S_⊤}$. Then $d ⊑_D d'$ implies $d(⊤) ≤ d'(⊤)$.
Proof. Using Def. 4.5, we have $d(⊤) = 1 − d(S) ≤ 1 − d'(S) = d'(⊤)$.

We now impose certain closure conditions (so-called healthiness conditions) on the sets of distributions that may be returned by probabilistic programs. These conditions, which are motivated



in detail in [107], reflect characteristics that are inherent in our model of non-determinism and probability. In particular, we require up-closure (the inclusion of all $⊑_D$-dominating distributions), convex closure (the inclusion of all convex combinations of distributions), and Cauchy closure (the inclusion of all limits of distributions, where distributions are viewed as vectors in $ℝ^{|S|}$). This leads to the following definition, whose particular program model was first suggested by Carroll Morgan.
Definition 4.8 (Space of Probabilistic Programs). The space of probabilistic programs is given by $(LS, ⊑_L)$, where
$$LS := \{P ∈ S_⊤ → \mathcal{P}(\overline{S_⊤}) \mid ∀s ∈ S.\ P(s) \text{ is up-, convex-, and Cauchy-closed} ∧ P(s) ≠ ∅ ∧ P(⊤) = \{δ_⊤\}\},$$
and the order between programs is defined by
$$P ⊑_L P' \text{ iff } ∀s ∈ S_⊤.\ P'(s) ⊆ P(s).$$

For a set of distributions $D ⊆ \overline{S_⊤}$, we write $\overline{D}$ for the smallest up-, convex-, and Cauchy-closed set of distributions containing D. We write $H_{convex}(D)$ for the convex hull (i.e. the smallest convex-closed superset) of D, and $H_{up}(D)$ for the up-closure (i.e. the smallest up-closed superset) of D.
Definition 4.9 (Up-, Convex-, Cauchy-Closed Hull). For $D ⊆ \overline{S_⊤}$, let
$$\overline{D} := \bigcap \{X ⊇ D \mid X ⊆ \overline{S_⊤} \text{ is up-, convex-, and Cauchy-closed}\}.$$
Definition 4.10 (Convex Hull). For $D ⊆ \overline{S_⊤}$, let
$$H_{convex}(D) := \Big\{\sum_{i=1}^{k} α_i d_i \;\Big|\; k ∈ ℕ,\ k ≥ 1,\ d_i ∈ D,\ α_i ∈ ℝ,\ α_i ≥ 0,\ \sum_{i=1}^{k} α_i = 1\Big\}.$$
Definition 4.11 (Up-Closure). For $D ⊆ \overline{S_⊤}$, let
$$H_{up}(D) := \{d ∈ \overline{S_⊤} \mid ∃d' ∈ D.\ d' ⊑_D d\}.$$
Remark 4.12. Let $D ⊆ \overline{S_⊤}$. $\overline{D}$ is the smallest up-, convex-, and Cauchy-closed superset of D. $H_{convex}(D)$ is the smallest convex-closed superset of D. $H_{up}(D)$ is the smallest up-closed superset of D. Hence $\overline{\,\cdot\,}$, $H_{convex}$, and $H_{up}$ are closure operators, i.e. extensive ($D ⊆ \overline{D}$), monotonically increasing ($D ⊆ D' ⊆ \overline{S_⊤}$ implies $\overline{D} ⊆ \overline{D'}$), and idempotent ($\overline{\overline{D}} = \overline{D}$, likewise for $H_{convex}$ and $H_{up}$).
Proof. We note that an arbitrary intersection of up-closed subsets of $\overline{S_⊤}$ is up-closed again; likewise for an intersection of convex-closed and Cauchy-closed subsets, respectively. The various claims of Remark 4.12 now have standard proofs.

Some basic lemmas about these closure operators will be useful later.
Lemma 4.13. If $D ⊆ \overline{S_⊤}$ is up-closed, then $H_{convex}(D)$ is up-closed.

Proof. Let $d ⊑_D d'$ with $d ∈ H_{convex}(D)$, i.e. $d = \sum_{i=1}^{k} α_i d_i$ for some $k ∈ ℕ$, $k ≥ 1$, $d_i ∈ D$, $α_i ∈ ℝ$, $α_i ≥ 0$, and $\sum_{i=1}^{k} α_i = 1$. For $1 ≤ i ≤ k$, define $d'_i : S_⊤ → [0, 1]$ by
$$d'_i(s) := \begin{cases} d_i(s) + \dfrac{d_i(s)}{d(s)}\,(d'(s) − d(s)), & \text{if } s ∈ S \text{ and } d(s) > 0;\\[4pt] 0, & \text{if } s ∈ S \text{ and } d(s) = 0;\\[4pt] 1 − \displaystyle\sum_{u ∈ S,\ d(u) > 0} \Big(d_i(u) + \dfrac{d_i(u)}{d(u)}\,(d'(u) − d(u))\Big), & \text{otherwise (i.e. if } s = ⊤).\end{cases}$$
Clearly $d'_i ∈ \overline{S_⊤}$, and $d_i ⊑_D d'_i$. Hence up-closure implies $d'_i ∈ D$. Consequently, $d' = \sum_{i=1}^{k} α_i d'_i ∈ H_{convex}(D)$.
Lemma 4.14. If $D ⊆ \overline{S_⊤}$ is Cauchy-closed, then $H_{convex}(D)$ is Cauchy-closed.
Proof. The proof is standard. Let $(d_n)_{n∈ℕ}$ be a convergent sequence in $H_{convex}(D)$, with $d := \lim_{n→∞} d_n$. Let (for all n ∈ ℕ) $d_n = \sum_{i=1}^{k_n} α_{i,n} d_{i,n}$ for some $k_n ∈ ℕ$, $k_n ≥ 1$, $d_{i,n} ∈ D$, $α_{i,n} ∈ ℝ$, $α_{i,n} ≥ 0$, and $\sum_{i=1}^{k_n} α_{i,n} = 1$. Let $k := |S| + 1$. By Carathéodory's theorem [33, 153], we may assume $k_n ≤ k$ (and hence, without loss of generality, $k_n = k$) for all n ∈ ℕ. For each $1 ≤ i ≤ k$, the sequences $(α_{i,n})_{n∈ℕ}$ and $(d_{i,n})_{n∈ℕ}$ have a convergent subsequence by the Bolzano-Weierstraß theorem; call the limits of these subsequences $α_i$ and $d_i$, respectively. Cauchy closure implies $d_i ∈ D$ (for $1 ≤ i ≤ k$). Hence $d = \sum_{i=1}^{k} α_i d_i ∈ H_{convex}(D)$.
Combining these lemmas and Remark 4.12, we obtain the following characterization of $\overline{\,\cdot\,}$.
Lemma 4.15. If $D ⊆ \overline{S_⊤}$ is Cauchy- and up-closed, then $\overline{D} = H_{convex}(D)$.
Proof. $H_{convex}(D)$ is an up-closed (Lemma 4.13), convex-closed (Remark 4.12), and Cauchy-closed (Lemma 4.14) superset of D. Hence we have $\overline{D} ⊆ H_{convex}(D)$ by Remark 4.12. The other inclusion is immediate.

The up-closure of a Cauchy-closed set of probability distributions is Cauchy-closed.
Lemma 4.16. If $D ⊆ \overline{S_⊤}$ is Cauchy-closed, then $H_{up}(D)$ is Cauchy-closed.
Proof. Let $(d_n)_{n∈ℕ}$ be a convergent sequence in $H_{up}(D)$, with $d := \lim_{n→∞} d_n$. Then there exists a sequence $(d'_n)_{n∈ℕ}$ with $d'_n ∈ D$ and $d'_n ⊑_D d_n$ for all n ∈ ℕ. By the Bolzano-Weierstraß theorem, $(d'_n)_{n∈ℕ}$ has a convergent subsequence; call the limit of this subsequence d'. Cauchy closure implies $d' ∈ D$. Clearly $d' ⊑_D d$, hence $d ∈ H_{up}(D)$.
Together with Lemma 4.15, the previous lemma implies $\overline{D} = H_{convex}(H_{up}(D))$, provided $D ⊆ \overline{S_⊤}$ is Cauchy-closed.
Lemma 4.17. If $D ⊆ \overline{S_⊤}$ is Cauchy-closed, then $\overline{D} = H_{convex}(H_{up}(D))$.
Proof. $H_{up}(D)$ is a Cauchy-closed (Lemma 4.16) and up-closed (Remark 4.12) superset of D. Hence $\overline{D} ⊆ \overline{H_{up}(D)} = H_{convex}(H_{up}(D))$ by Lemma 4.15 and Remark 4.12. The other inclusion is immediate.



We write $H_{Cauchy}(D)$ for the Cauchy closure of D. Again we need some basic lemmas relating $H_{Cauchy}$ to the other closure operators. First, the Cauchy closure of an up-closed set is up-closed.
Lemma 4.18. If $D ⊆ \overline{S_⊤}$ is up-closed, then $H_{Cauchy}(D)$ is up-closed.
Proof. Let $d ⊑_D d'$ with $d ∈ H_{Cauchy}(D)$, i.e. $d = \lim_{n→∞} d_n$ with $d_n ∈ D$ (for all n ∈ ℕ). For n ∈ ℕ, define $d'_n : S_⊤ → [0, 1]$ by
$$d'_n(s) := \begin{cases} \min\{d_n(s), d'(s)\}, & \text{if } s ∈ S;\\[4pt] 1 − \displaystyle\sum_{u ∈ S} \min\{d_n(u), d'(u)\}, & \text{otherwise (i.e. if } s = ⊤).\end{cases}$$
Clearly $d'_n ∈ \overline{S_⊤}$, and $d_n ⊑_D d'_n$. Hence up-closure implies $d'_n ∈ D$. Consequently, $d' = \lim_{n→∞} d'_n ∈ H_{Cauchy}(D)$.
Second, the Cauchy closure of a convex-closed set is convex-closed.
Lemma 4.19. If $D ⊆ \overline{S_⊤}$ is convex-closed, then $H_{Cauchy}(D)$ is convex-closed.
Proof. The proof is standard. Let $k ∈ ℕ$, $k ≥ 1$, $d_i ∈ H_{Cauchy}(D)$ (for $1 ≤ i ≤ k$), $α_i ∈ ℝ$, $α_i ≥ 0$, and $\sum_{i=1}^{k} α_i = 1$. Then $d_i = \lim_{n→∞} d_{i,n}$ for some $d_{i,n} ∈ D$ (for all n ∈ ℕ). Convex closure implies $\sum_{i=1}^{k} α_i d_{i,n} ∈ D$. Hence $\sum_{i=1}^{k} α_i d_i = \lim_{n→∞} \big(\sum_{i=1}^{k} α_i d_{i,n}\big) ∈ H_{Cauchy}(D)$.
The previous two lemmas lead to the following alternative characterization of $\overline{\,\cdot\,}$.
Lemma 4.20. If $D ⊆ \overline{S_⊤}$ is convex- and up-closed, then $\overline{D} = H_{Cauchy}(D)$.

Proof. $H_{Cauchy}(D)$ is an up-closed (Lemma 4.18), convex-closed (Lemma 4.19), and Cauchy-closed superset of D. Hence we have $\overline{D} ⊆ H_{Cauchy}(D)$ by Remark 4.12. The other inclusion is immediate.

Various mathematical operators on the space of probabilistic programs are defined next. These operators will be needed to interpret Kleene algebra expressions; the definitions are taken from [107].
Definition 4.21 (Operators on LS). For arbitrary states $s ∈ S_⊤$, programs $P, P' ∈ LS$, and 0 ≤ p ≤ 1, we define
Identity: $Id(s) := \overline{\{δ_s\}}$,
Top: $Top(s) := \{δ_⊤\}$,
Composition: $(P;P')(s) := \big\{\sum_{u ∈ S_⊤} d(u)·d_u \mid d ∈ P(s),\ ∀u ∈ S_⊤.\ d_u ∈ P'(u)\big\}$,
Probability: $(P\,{}_p\!\oplus\,P')(s) := \{d\,{}_p\!\oplus\,d' \mid d ∈ P(s),\ d' ∈ P'(s)\}$,
Non-determinism: $(P ⊓ P')(s) := \overline{P(s) ∪ P'(s)}$,
Iteration: $P^* := νX.\,(P;X) ⊓ Id$,
where $νX.\,f(X)$ denotes the greatest fixed point of the function $f : LS → LS$ (with respect to $⊑_L$).



Remark4.22.LetP,P∈LS,and∗0≤p≤1.ThenId∈LS,∈LS,(P;P)∈LS,
Pp⊕P∈LS,PP∈LS,andP∈LS.
Proof.Wenotethatforarbitraryd∈S,δDdiffd=δ.Hence{δ}={δ}.
Lets∈S.ForId(s)and(s),allrelevantproperties(i.e.up-closure,convexclosure,Cauchy
closure,non-emptiness,andId()=()={δ})nowfollowimmediatelyfromDef.4.21.
Up-closureof(P;P)(s)followsfromup-closureofP(u)forallu∈S.Toproveconvex
closure,wenotethatforarbitraryprobabilitydistributionsd,du,e,eu∈S(whereuranges
overS)and0≤q≤1,wehave

d(u)∙duq⊕e(u)∙eu=(dq⊕e)(u)∙(du(dqq∙⊕de(u)()u)⊕eu),
u∈Su∈Su∈S
assuming(withoutlossofgenerality)(dq⊕e)(u)>0forallu∈S.Henceconvexclo-
sureof(P;P)(s)followsfromconvexclosureofP(s)andP(u)forallu∈S.Toprove
itydistributionssuchthatlimn→∞u∈Sdn(u)∙du,nexists.Wenotethat(dn)n∈Nand(for
Cauchyclosure,let(dn)n∈Nand(du,n)n∈N(whereurangesoverS)besequencesofprobabil-
arbitraryu∈S)(du,n)n∈NareboundedsequencesinR|S|,whichmustthereforehavecon-
vergentsubsequencesbytheBolzano-Weierstraßtheorem.Cauchyclosureof(P;P)(s)now
followsfromCauchyclosureofP(s)andP(u)forallu∈S.Non-emptinessof(P;P)(s)
and(P;P)()={δ}areimmediate.
Up-closureof(Pp⊕P)(s)followsfromup-closureofP(s)andP(s).Since(forarbitrary
probabilitydistributionsd,d,e,e∈S,and0≤q≤1)wehave(dp⊕d)q⊕(ep⊕e)=
(dq⊕e)p⊕(dq⊕e),convexclosureof(Pp⊕P)(s)followsfromconvexclosureofP(s)
andP(s).Cauchyclosureof(Pp⊕P)(s)followsfromCauchyclosureofP(s)andP(s),
withanargumentsimilartotheoneforCauchyclosureof(P;P)(s)above.Non-emptinessof
(Pp⊕P)(s)and(Pp⊕P)()={δ}areimmediate.
For(PP)(s),allrelevantpropertiesareimmediateagainfromDef.4.21.
lattice:Lisclearlyapartialorder(i.e.reflexive,antisymmetric,transitive),(L)(s):=
Finally,wenotethatX→(P;X)Idismonotonicwrt.toL,and(LS,L)isacomplete
P∈LP(s)definestheleastupperbound(join)ofL.ThereforeP∗exists(andisinLS)by
P∈LP(s)(fors∈S)definesthegreatestlowerbound(meet)ofL⊆LS,and(L)(s):=
[157].theoremarskiKnaster-TtheIterationisthemostintricateoftheseoperations.OperationallyP∗representstheprogram
thatcaniteratePanarbitrary(finite)numberoftimes.Thisgeneratesallresultsoffinite
iterationsofPId.Inaddition,impositionofCauchyclosureimpliesthatalsoalllimitsof
distributionsarecontained.NotethatP∗isingeneralnotthesameasIdP(P;P)....
Thelatterprogramrequiresthenumberofiterationstobechosenatthestart,whileP∗allows
thechoicebetweenPandIdtobemadeaftereachiteration.Foraconcretecounterexample,
consideragaintheprogramthatsimulatesafaircoin,now(morepreciselythanbefore)given
bys→{δhead1/2⊕δtail}.IfwetakePtobethisprogram,wehaveP=P;P=P;P;P=...,
sincetheprobabilitytobeinstate“head”isexactly1/2aftereachiteration(andlikewisefor
state“tail”).TheprogramP∗ontheotherhandallowsustoiteratePuntilweareina



desired state; this means that we can reach both states "head" and "tail" with probability arbitrarily close to 1. Cauchy closure then implies that also the limit distributions $δ_{head}$ and $δ_{tail}$ are contained in $P^*$. The next lemma states this operational characterization of $P^*$ more formally. We write $P^n$ for the n-fold iteration of P, i.e. $P^0 := Id$, and (for arbitrary n ∈ ℕ) $P^{n+1} := P;P^n$.
Lemma 4.23. Let $P ∈ LS$. Then for all $s ∈ S_⊤$, $P^*(s) = \overline{\bigcup_{n ∈ ℕ} (P ⊓ Id)^n(s)}$.
Proof. The lemma follows from the definition of $P^*$ as the greatest fixed point of the function $f : LS → LS$, given by $f(X) := (P;X) ⊓ Id$.
Let $(X_n)_{n∈ℕ}$ be a descending (wrt. $⊑_L$, i.e. $X_n(s) ⊆ X_{n+1}(s)$ for all $s ∈ S_⊤$, n ∈ ℕ) sequence in LS. We note that f, as a composition of program composition and non-determinism, satisfies $f(⊓_{n∈ℕ} X_n) = ⊓_{n∈ℕ} f(X_n)$: first, we show that for all $s ∈ S_⊤$,
$$(P;⊓_{n∈ℕ} X_n)(s) = \Big\{\sum_{u ∈ S_⊤} d(u)·d_u \;\Big|\; d ∈ P(s),\ ∀u ∈ S_⊤.\ d_u ∈ \overline{\bigcup_{n∈ℕ} X_n(u)}\Big\} = \overline{\bigcup_{n∈ℕ} \Big\{\sum_{u ∈ S_⊤} d(u)·d_u \;\Big|\; d ∈ P(s),\ ∀u ∈ S_⊤.\ d_u ∈ X_n(u)\Big\}} = (⊓_{n∈ℕ}(P;X_n))(s).$$
Here the "⊆" inclusion follows from the fact that $\bigcup_{n∈ℕ} X_n(u)$ (for $u ∈ S_⊤$) is both up-closed (since a union of up-closed sets is up-closed) and convex-closed (since the union of an ascending, wrt. ⊆, sequence of convex-closed sets is convex-closed). Hence $\overline{\bigcup_{n∈ℕ} X_n(u)} = H_{Cauchy}(\bigcup_{n∈ℕ} X_n(u))$ by Lemma 4.20. Therefore $d_u ∈ \overline{\bigcup_{n∈ℕ} X_n(u)}$ can be written as $d_u = \lim_{k→∞} d_{u,k}$ for some $d_{u,k} ∈ \bigcup_{n∈ℕ} X_n(u)$. Now for any $d ∈ P(s)$, $\sum_{u ∈ S_⊤} d(u)·d_u = \sum_{u ∈ S_⊤} (d(u)·\lim_{k→∞} d_{u,k}) = \lim_{k→∞} \big(\sum_{u ∈ S_⊤} d(u)·d_{u,k}\big)$, and for any k ∈ ℕ there exists $n_k ∈ ℕ$ such that $d_{u,k} ∈ X_{n_k}(u)$ for all $u ∈ S_⊤$ (because $X_n(u) ⊆ X_{n+1}(u)$ for all n ∈ ℕ). This proves $(P;⊓_{n∈ℕ} X_n)(s) ⊆ (⊓_{n∈ℕ}(P;X_n))(s)$. The other inclusion is immediate from Remark 4.12. Second, for all $L ⊆ LS$ and $s ∈ S_⊤$, $((⊓L) ⊓ Id)(s) = \overline{\bigcup_{X ∈ L} X(s) ∪ Id(s)} = \overline{\bigcup_{X ∈ L} \overline{X(s) ∪ Id(s)}} = (⊓_{X ∈ L}(X ⊓ Id))(s)$ follows also from Remark 4.12.
Hence by the Knaster-Tarski theorem [157], $P^* = ⊓_{n∈ℕ} f^n(⊔LS)$, i.e. for all $s ∈ S_⊤$, $P^*(s) = \overline{\bigcup_{n∈ℕ} (f^n(⊔LS))(s)}$.
Finally $f^{n+1}(⊔LS) = (P ⊓ Id)^n$ for all n ∈ ℕ by induction: it is easy to show $f^1(⊔LS) = Id = (P ⊓ Id)^0$. Next, using the induction hypothesis and monotonicity of f, we have
$$f^{n+2}(⊔LS) = f^{n+2}(⊔LS) ⊓ f^{n+1}(⊔LS) = \big((P;f^{n+1}(⊔LS)) ⊓ Id\big) ⊓ f^{n+1}(⊔LS) = \big((P;(P ⊓ Id)^n) ⊓ Id\big) ⊓ (P ⊓ Id)^n = (P ⊓ Id);(P ⊓ Id)^n = (P ⊓ Id)^{n+1}$$
(see the proof of Theorem 4.26 below for the detailed calculations).
Therefore $\overline{\bigcup_{n∈ℕ} (f^n(⊔LS))(s)} = \overline{\bigcup_{n∈ℕ} (P ⊓ Id)^n(s)}$ for all $s ∈ S_⊤$.
A Kleene algebra [93] is an algebraic structure that generalizes the operations known from regular expressions. It consists of a binary sequential composition operator (written as multiplication, ·), a binary choice operator (written as addition, +), and a unary iteration operator (written as a postfix star, ·*). Terms are ordered by ≤, which is defined via binary choice.
Definition 4.24 (Probabilistic Kleene Algebra). A probabilistic Kleene algebra (pKA) is a set A (containing elements 0 and 1) together with two binary operations · : A × A → A and + : A × A → A and a unary operation ·* : A → A, as well as a binary relation ≤ over A, such that the following axioms are satisfied:
1. 0 + a = a,
2. a + b = b + a,



3. a + a = a,
4. a + (b + c) = (a + b) + c,
5. a(bc) = (ab)c,
6. 0a = a0 = 0,
7. 1a = a1 = a,
8. ab + ac ≤ a(b + c),
9. (a + b)c = ac + bc,
10. a ≤ b iff a + b = b,
11. a* = 1 + aa*,
12. a(b + 1) ≤ a =⇒ ab* = a,
13. ab ≤ b =⇒ a*b = b.
Note that Axiom (8) is weaker than the corresponding rule in standard Kleene algebra [42]; this is because of the well-documented ([107, 147], also compare the above discussion on $P^*$ vs. $Id ⊓ P ⊓ (P;P) ⊓ \ldots$) interaction of probability and non-determinism.
Probabilistic Kleene algebra expressions are built from variables (x, y, z, ...) and constants (0 and 1), using the (unary or binary) operations ·, +, and ·*. We can now define an interpretation of pKA expressions in the space of probabilistic programs.
Definition 4.25 (Semantic Mapping of pKA Expressions to LS). The semantic mapping $[[·]]_ρ$ from pKA expressions to LS is parameterized by a mapping ρ from pKA variables to probabilistic programs in LS, and defined as follows:
1. If x is a variable, then $[[x]]_ρ := ρ(x)$.
2. $[[0]]_ρ := Top$, $[[1]]_ρ := Id$.
3. $[[ab]]_ρ := [[a]]_ρ ; [[b]]_ρ$.
4. $[[a + b]]_ρ := [[a]]_ρ ⊓ [[b]]_ρ$.
5. $[[a^*]]_ρ := ([[a]]_ρ)^*$.
On the right-hand side of the defining equations, Def. 4.25 refers to the operators on LS that were introduced in Def. 4.21. The following theorem shows that the semantic mapping is a valid interpretation for the pKA axioms given in Def. 4.24.
Theorem 4.26. LS, with 0, 1, ·, + and ·* as given in Def. 4.25 (and with the additional definition $P ≤ P'$ iff $P' ⊑_L P$), is a probabilistic Kleene algebra.
Proof. Using Def. 4.25 (and a number of simple lemmas), one verifies that Axioms (1)–(13) of pKA are satisfied. Let a, b, c be probabilistic Kleene algebra expressions, let ρ be a mapping from pKA variables to probabilistic programs in LS, and let $s ∈ S_⊤$.

OGRAMSPROBABILISTICPR4.3.

85

1.[0[0++aa]]=ρ(sa):=We{δnote}∪[[thata]]ρ(evs)ery=[[a]]non-emptρ(s)y,=[[a]]ρup-closed(s).subsetofScontainsδ.Hence
2.a+b=b+a:[[a+b]]ρ(s)=[[a]]ρ(s)∪[[b]]ρ(s)=[[b]]ρ(s)∪[[a]]ρ(s)=[[b+a]]ρ(s).
3.a+a=a:[[a+a]]ρ(s)=[[a]]ρ(s)∪[[a]]ρ(s)=[[a]]ρ(s)=[[a]]ρ(s).
4.a+(b+c)=(a+b)+c:ItiseasytoshowthatforarbitraryD1,D2⊆S,D1∪D2=
[[b]]Dρ1(s)∪∪[[Dc]]2ρ(s.)=Hence[[a[][]ρa(s+)(∪b[[+b]]cρ)](]sρ)(s)∪[=[c]]ρ[[(as])]ρ(=s)[[(∪a[+[b]b]ρ)(+s)c]∪]ρ[([cs]]).ρ(s)=[[a]]ρ(s)∪
5.a(bc)=(ab)c:[[a(bc)]]ρ(s)={u∈Sd(u)∙(v∈Seu(v)∙fu,v)|d∈[[a]]ρ(s),∀u∈
Seu)(.evu)∙∈fv[[b]]|ρ(du),∈∀[u,[a]v]ρ(∈s),S∀u.f∈u,vS∈.[[ecu]]ρ(∈v)[}[,b]]ρ(andu),[[(∀vab)∈c]]ρS(s).f=v{∈[[vc∈]]Sρ(v()}.u∈SdBecause(u)∙
euv∈∈S[[b(]]ρ(uu)∈Sford(allu)∙ue∈u)(Sv),∙ffvv∈=[[c]]ρu(∈vS)dfor(u)all∙(v∈v∈SS),eu(thev)∙fv)inclusion(for[[da(∈bc)][[]aρ](]ρs()s),⊇
[[(ab)c]]ρ(s)isnowimmediate,bysettingfu,v:=fvforallu∈S.Toshowtheother
forallinclusion,u,vw∈eSnote)that(ford(ud)∈∙([[a]]ρ(s),eeuu(v∈)∙[[bf]]ρu,v()u)=forallu(∈S,dand(u)f∙u,veu∈)([v[c)]]∙ρ(fvv,)
whereu∈Sv∈Sv∈Su∈S
fv:=u∈dS(u)d∙(ueu)(∙v)eu(v)∙fu,v
S∈ubecause(assuming,thelatterwithoutislossconvofex-closed.generality,u∈Sd(u)∙eu(v)>0)isin[[c]]ρ(v)(forallv∈S)
6.0a=a0=0:[[0a]]ρ(s)={u∈Sd(u)∙du|d∈[[0]]ρ(s),∀u∈S.du∈[[a]]ρ(u)}=
[{[ad]]ρ(|s)d,∀u∈∈[[aS]]ρ.(du)}∈[=[0]]{ρδ(u)}}==[{[0]]ρ(us∈S).dLik(u)∙ewise,δ|[[da∈0]][ρ[(as]])ρ(s=)}{=u{∈δS}d=([u[0])]∙ρ(dsu).|d∈
7.1a=a1=a:Wenotethat{δs}={δsp⊕δ|0≤p≤1}.Hence[[1a]]ρ(s)=
{p≤u∈1S}=d([[ua)]]∙ρ(dsu).|dLik∈[[1]ewise,]ρ(s[)[,a∀1]]uρ(∈s)S=.{duu∈∈[[Sa]]ρd((uu))}∙d=u{|dsdp∈⊕[[δa]]ρ|(sd)s,∀∈u[[∈a]]ρS(s.),du0∈≤
[p[1]≤]ρ(1u})}=[=[a]{]ρ(su).∈Sd(u)∙(δup⊕δ)|d∈[[a]]ρ(s),0≤p≤1}={dp⊕δ|d∈[[a]]ρ(s),0≤
8.[[abb]]ρ+(uac)}∪≤{a(bu∈+Sc):d([u[)ab∙d+uac|]]dρ(∈s)[[a=]]ρ(s{),∀uu∈S∈Sd(.u)du∙d∈u[[|c]]ρd(u∈)[}[,a]]ρand(s),[[a∀(ub∈+cS)]]ρ.(dsu)=∈
[[{abu+∈Sac]]ρd((su))∙⊆d[[ua(|b+dc∈)]]ρ[[(as]])ρ(iss),no∀wu∈Simmediate.du∈from[[b]]ρ(uRemark)}∪[[c4.12.]]ρ(u)}.Theinclusion
9.(a[[a]+](bs))c∪=[[b]]ac(s+),bc:dLet∈[[dc]]∈(u[[()a+(forb)call]]ρ(us),∈i.e.S).d=Usingu∈SdLemma(u)∙d4.15,uforwesomecandshow∈
ρuρρ[[[[aca]]+ρ(sbc)]]ρ∪(s[[)b]]=ρ(s{)u=∈SHdcon(vuex)∙([[dau]]ρ|(ds)∈∪[[[[ab]]]]ρρ((ss),)).∀uIf∈Sd.∈du[[∈a]][[ρc(]]sρ)(u∪)[}[b∪]]ρ{(s),u∈Sthend(du)∈∙
dusome|dk∈∈[[Nb,]]ρk(s)≥,∀u1,∈diS∈.[[da]u](∈s)[[c∪]]ρ[[(b]u])(}s),isαi∈Rimmediate.,αi≥0,Next,andifdk=αiik==1α1,idithenfor
=1iρρ

STUDIESCASE4.CHAPTER86dThis=upro∈Sves([[(iak=1+αbi)dci]](u(s)))∙d⊆u[[=ac+ik=1bc]]α(i(s).u∈TheSdi(otheru)∙du)∈inclusionHconisvex([[ac]immediate]ρ(s)∪[[bcfrom]]ρ(sRe-)).
ρρ4.12.mark10.[[aa]]≤(biff)=a[+[bb]]=(b:)=By{δ}definitionforallof[[a]]L,,[[[[ba]]]]ρ∈≤L[[bS]].ρiffOn[[a]the]ρ(s)other⊆[[b]]ρhand,(s)[[fora+allb]]s∈=S[[.b]]Alsoiff
[[aρ]]ρ(s)∪[[b]]ρρ(s)=[[b]]ρ(s)forallsρ∈Sρ.Equivalenceisnowimmediate.ρρ
∗∗∗11.aX∈=L1S),+waae:haveSince[[a∗]][[ρa]]=ρ[[ais]]ρ∗a=fixed([[a]]ρp;[[oina]]tρ∗of)theId=[[1function+aa∗X]]ρ.→([[a]]ρ;X)Id(with
12.a(b∗+1)≤a=⇒ab∗=a:Since[[1]]ρ≤[[b∗]]ρ(byLemma4.23),[[a]∗]ρ=[[a1]]ρ≤
[[[[abab∗]]]]ρρ(s)follo⊆ws[[a]]ρ(froms)forallmonotonicits∈Sy.ofLetcompd∈[[abosition.∗]]ρ(sIt),i.e.remainsd=tou∈shoSwd[[(abu)]]∙ρdu≤[[fora]]ρ,somei.e.
d∈[[a]]ρ(s),du∈[[b∗]]ρ(u)forallu∈S.Usingsimilarargumentsasintheproofof
duLemma=limk4.23,→∞wdeu,khavewith[[b∗d]]ρu,k(u∈)=nH∈NCauc[[(bhy+(1)nn∈]]Nρ([[(ub)+for1)nall]]ρ(ku∈)).N.HenceSince,(forbyallu∈induction,S)
[[(b+1)n]]ρ≤[[(b+n1)kn+1]]ρforalln∈N,thereexists(foranyk∈N)nk∈Nsuch
limthatk→∞du,k(∈u∈[S[(bd+(1)u)∙]]dρ(u,ku))∈for[[a]]allρ(su)b∈Secause.(bNoywd=induction)u∈[S[a((bd+(u1))n∙]]ρlim≤k[[→∞a]]ρdu,kfor)all=
n∈N,andbecause[[a]]ρ(s)isCauchy-closed.
13.abfrom≤bm=on⇒a∗otonicitb=yb:ofSincecomp[[1]os]ρit≤ion.[[a∗It]]ρ(byremainsLemmatoshow4.23),[[a[∗[bb]]]]ρ=≤[[[1[bb]]]]ρ,≤i.e.[[a[[∗ab∗]]bρ]](follos)ws⊆
[[b]]ρ(s)foralls∈S.Letd∈[[a∗b]]ρ(s),i.e.d=u∈Sρd(u)∙ρduforsomeρd∈
∗n[[a]]Lemmaρ(s),d4.23,u∈we[[b]]haρ(vue)[[afor∗]]ρ(alls)u=∈HSCauc.hy(nUsing∈N[[(asimilar+1)n]]ρ(sargumen)).tsHenceasdin=thelimkpro→∞ofdofk
limwithk→∞dk(∈u∈Sn∈Nd[k[((au)+∙1)du)]]ρ(∈s)[[b]for]ρ(sall)bk∈ecauseN.(bNoywd=induction)u∈S[[(a(lim+k1)n→∞b]]ρdk)(≤u[)[b∙]]ρdufor=
[[allab]]nρ≤∈[[bN]]ρ),(whereandbtheecausecase[[b]]nρ(s=)is1,i.e.Cauc[h[(a+y-closed.1)b]]ρ≤[[b]]ρ,followsfromthepremise

The following corollary is an immediate consequence of Theorem 4.26.

Corollary 4.27. If $a \le b$ is a theorem of pKA (as given in Def. 4.24), then for any mapping $\rho$ from pKA variables to probabilistic programs in $\mathcal{L}S$, $[[a]]_\rho \sqsubseteq_L [[b]]_\rho$.

Theorem 4.26 and Corollary 4.27 enable us to use the probabilistic model $\mathcal{L}S$ to search for counterexamples to conjectures about pKA expressions. Unfortunately however, models of finite size are not sufficient for the real-number domain needed to model probability distributions. In the next section, we propose an abstraction of $\mathcal{L}S$ which overcomes this problem and yields genuinely finite models.

4.3.2 The Abstract Model KS

The basic idea of the abstraction is to replace a probability distribution by a simple set, in fact its support.

Definition 4.28 (Support). Let $d : S_\bot \to [0,1]$ be a discrete probability distribution over $S_\bot$. The set $\{ s \in S_\bot \mid d(s) \neq 0 \}$ is called the support of $d$, written $\operatorname{supp} d$.

The support only contains the information of which transitions are probabilistic, and the range over which each transition extends. Note that $\operatorname{supp} d$ is non-empty.

Remark 4.29. Let $d : S_\bot \to [0,1]$ be a discrete probability distribution over $S_\bot$. Then $\operatorname{supp} d \neq \emptyset$.

Proof. The remark follows immediately from $d(S_\bot) = 1$ (Def. 4.5).

We call $\operatorname{supp} d$ the abstract distribution associated with the probability distribution $d$. This abstraction induces an order on subsets of $S_\bot$: two subsets (i.e. two abstract distributions) are comparable iff there exist corresponding probability distributions that are comparable under $\sqsubseteq_D$. The next definition reformulates this idea without referring to probability distributions at all.

Definition 4.30 (Order on Abstract Distributions). Let $a, a' \subseteq S_\bot$ be two abstract distributions. Then $a \sqsubseteq_A a'$ iff $a = a' \;\lor\; \{\bot\} \subseteq a' \subseteq \{\bot\} \cup a$.

With this definition, the order $\sqsubseteq_D$ on probability distributions is preserved by the abstraction.

Lemma 4.31. Let $d, d' \in \bar S$. If $d \sqsubseteq_D d'$, then $\operatorname{supp} d \sqsubseteq_A \operatorname{supp} d'$.

Proof. Suppose $d \sqsubseteq_D d'$. If $d = d'$, then trivially $\operatorname{supp} d \sqsubseteq_A \operatorname{supp} d'$. If $d \neq d'$, then $d(s) \ge d'(s)$ for all $s \in S$ implies $d(\bot) < d'(\bot)$ (cf. Remark 4.7). Thus $\bot \in \operatorname{supp} d'$. Furthermore, $d(s) \ge d'(s)$ for all $s \in S$ also implies $S \cap \operatorname{supp} d' \subseteq S \cap \operatorname{supp} d$. Hence $\operatorname{supp} d' \subseteq \{\bot\} \cup \operatorname{supp} d$.

The converse of Lemma 4.31 is not true: clearly $\operatorname{supp} d \sqsubseteq_A \operatorname{supp} d'$ does not (in general) imply $d \sqsubseteq_D d'$. (For a counterexample, consider e.g. $d := \delta_a \mathbin{{}_p\oplus} \delta_b$, $d' := \delta_a \mathbin{{}_{p'}\oplus} \delta_b$, with $a, b \in S$, $a \neq b$, $0 < p < 1$, $0 < p' < 1$, and $p \neq p'$.) This shows that replacing a probability distribution by its abstract counterpart entails a certain loss of information. However, we have the following—only slightly weaker—implication.

Lemma 4.32. Let $a, a' \subseteq S_\bot$ be two abstract distributions with $a \sqsubseteq_A a'$. Suppose $a = \operatorname{supp} d$ for some $d \in \bar S$. Then $a' = \operatorname{supp} d'$ for some $d' \in \bar S$ with $d \sqsubseteq_D d'$.

Proof. If $a = a'$, take $d'$ to be equal to $d$. Otherwise we have $\{\bot\} \subseteq a' \subseteq \{\bot\} \cup a$. Define $d' : S_\bot \to [0,1]$ as follows:
$$d'(s) := \begin{cases} \dfrac{d(s)}{2}, & \text{if } s \in a' \setminus \{\bot\}; \\[4pt] 1 - \dfrac{d(a' \setminus \{\bot\})}{2}, & \text{if } s = \bot; \\[4pt] 0, & \text{otherwise.} \end{cases}$$
Clearly $\sum_{s \in S_\bot} d'(s) = 1$, $a' = \operatorname{supp} d'$, and $d(s) \ge d'(s)$ for all $s \in S$ (hence $d \sqsubseteq_D d'$ as required).

The space of abstract probabilistic programs now uses abstract distributions. Again we impose certain healthiness conditions; these are suitable abstractions of those required in Def. 4.8. In particular union closure is an abstraction of convex closure. Cauchy closure on the other hand has no corresponding condition in the abstract model.

Definition 4.33 (Space of Abstract Probabilistic Programs). The space of abstract probabilistic programs is given by $(\mathcal{K}S, \sqsubseteq_K)$, where
$$\mathcal{K}S := \{ A \in S_\bot \to \mathcal{P}(\mathcal{P}(S_\bot)) \mid \forall s \in S.\ A(s) \text{ is up- and union-closed} \land A(s) \neq \emptyset \land \emptyset \notin A(s) \land A(\bot) = \{\{\bot\}\} \},$$
and the order between abstract programs is defined by
$$A \sqsubseteq_K A' \quad\text{iff}\quad \forall s \in S.\ A(s) \subseteq A'(s).$$

Based on the association of abstract distributions with probability distributions, we define an abstraction function from probabilistic programs to their abstract counterparts.

Definition 4.34 (Abstraction of Probabilistic Programs). The abstraction projection $\varepsilon : \mathcal{L}S \to \mathcal{K}S$ is given by $\varepsilon(P)(s) := \{ \operatorname{supp} d \mid d \in P(s) \}$.

Remark 4.35. $\varepsilon : \mathcal{L}S \to \mathcal{K}S$ is well-defined, i.e. if $P$ is a probabilistic program, then $\varepsilon(P) \in \mathcal{K}S$.

Proof. Let $s \in S$. Up-closure of $\varepsilon(P)(s)$ follows from up-closure of $P(s)$ (using Lemma 4.32), and union closure of $\varepsilon(P)(s)$ follows from convex closure of $P(s)$ (noting that for $d, d' \in \bar S$, we have $\operatorname{supp} d \cup \operatorname{supp} d' = \operatorname{supp}(d \mathbin{{}_{1/2}\oplus} d')$). Next, $P(s) \neq \emptyset$ implies $\varepsilon(P)(s) \neq \emptyset$, and Remark 4.29 implies $\emptyset \notin \varepsilon(P)(s)$. Finally $P(\bot) = \{\delta_\bot\}$ implies $\varepsilon(P)(\bot) = \{\{\bot\}\}$.

The abstraction projection preserves the order on programs.

Lemma 4.36. Let $P, P' \in \mathcal{L}S$. If $P \sqsubseteq_L P'$, then $\varepsilon(P) \sqsubseteq_K \varepsilon(P')$.

Proof. The lemma follows immediately from the definitions of $\varepsilon$ (Def. 4.34), $\sqsubseteq_L$ (Def. 4.8), and $\sqsubseteq_K$ (Def. 4.33).

For a set of abstract distributions $A \subseteq \mathcal{P}(S_\bot)$, we write $\overline{A}$ for the smallest up- and union-closed set of abstract distributions containing $A$.

Definition 4.37 (Up-, Union-Closed Hull). For $A \subseteq \mathcal{P}(S_\bot)$, $\emptyset \notin A$, let
$$\overline{A} := \bigcap \{ X \supseteq A \mid X \subseteq \mathcal{P}(S_\bot) \text{ is up- and union-closed} \}.$$

Remark 4.38. Let $A \subseteq \mathcal{P}(S_\bot)$, $\emptyset \notin A$. $\overline{A}$ is the smallest up- and union-closed superset of $A$. Hence $\overline{\cdot}$ is a closure operator, i.e. extensive ($A \subseteq \overline{A}$), monotonically increasing ($A \subseteq A' \subseteq \mathcal{P}(S_\bot)$ implies $\overline{A} \subseteq \overline{A'}$), and idempotent ($\overline{\overline{A}} = \overline{A}$). Moreover, $\emptyset \notin \overline{A}$.

Proof. We note that an arbitrary intersection of up-closed subsets of $\mathcal{P}(S_\bot)$ is up-closed again; likewise an intersection of union-closed subsets is union-closed. The various claims of Remark 4.38 now have standard proofs. To show $\emptyset \notin \overline{A}$, we note that $\overline{A} \setminus \{\emptyset\}$ is an up-closed, union-closed superset of $A$.

From Remark 4.38, characterizing $\overline{A}$ as the smallest up- and union-closed superset of $A$, we derive an induction principle that is useful for proofs: let $a \in \overline{A}$. If $\mathcal{P}$ is a predicate that is (i) satisfied by every element of $A$, and (ii) $\mathcal{P}(a_1)$ and $a_1 \sqsubseteq_A a_2$ imply $\mathcal{P}(a_2)$ (for every pair of abstract distributions $a_1, a_2 \subseteq S_\bot$), and (iii) $\mathcal{P}(a_1)$ and $\mathcal{P}(a_2)$ imply $\mathcal{P}(a_1 \cup a_2)$ (again for every pair of abstract distributions $a_1, a_2 \subseteq S_\bot$), then $\mathcal{P}(a)$ holds.

The following lemma, although slightly technical, states an important fact about the relationship between (up-, convex) closure of sets of probability distributions, and (up-, union) closure of sets of abstract distributions.

Lemma 4.39. If $D \subseteq \bar S$ is Cauchy-closed, then $\{ \operatorname{supp} d \mid d \in \overline{D} \} = \overline{\{ \operatorname{supp} d \mid d \in D \}}$.

Proof. First we show $\overline{\{ \operatorname{supp} d \mid d \in D \}} \subseteq \{ \operatorname{supp} d \mid d \in \overline{D} \}$, using the induction principle that follows from Remark 4.38.

1. Suppose $a \subseteq S_\bot$ is an abstract distribution with $a = \operatorname{supp} d$ for some $d \in D$. Then clearly $a \in \{ \operatorname{supp} d \mid d \in \overline{D} \}$ (because $D \subseteq \overline{D}$ by Remark 4.12).

2. Suppose $a_1, a_2 \subseteq S_\bot$ are abstract distributions with $a_1 = \operatorname{supp} d_1$ for some $d_1 \in \overline{D}$, and $a_1 \sqsubseteq_A a_2$. By Lemma 4.32, $a_2 = \operatorname{supp} d_2$ for some $d_2 \in \bar S$ with $d_1 \sqsubseteq_D d_2$. Then $d_2 \in \overline{D}$ because $\overline{D}$ is up-closed. Hence $a_2 \in \{ \operatorname{supp} d \mid d \in \overline{D} \}$.

3. Suppose $a_1, a_2 \subseteq S_\bot$ are abstract distributions with $a_i = \operatorname{supp} d_i$ for some $d_i \in \overline{D}$ (for $i = 1, 2$). Then $d_1 \mathbin{{}_{1/2}\oplus} d_2 \in \overline{D}$ because $\overline{D}$ is convex-closed. Hence $a_1 \cup a_2 = \operatorname{supp}(d_1 \mathbin{{}_{1/2}\oplus} d_2) \in \{ \operatorname{supp} d \mid d \in \overline{D} \}$.

Second we show $\{ \operatorname{supp} d \mid d \in \overline{D} \} \subseteq \overline{\{ \operatorname{supp} d \mid d \in D \}}$. By Lemma 4.17, we have $\overline{D} = H_{\mathrm{convex}}(H_{\mathrm{up}}(D))$. Now suppose $a \subseteq S_\bot$ is an abstract distribution with $a = \operatorname{supp} d$ for some $d \in H_{\mathrm{convex}}(H_{\mathrm{up}}(D))$. Then $d = \sum_{i=1}^k \alpha_i d_i$ for some $k \in \mathbb{N}$, $k \ge 1$, $d_i \in H_{\mathrm{up}}(D)$, $\alpha_i \in \mathbb{R}$, $\alpha_i \ge 0$, $\sum_{i=1}^k \alpha_i = 1$. For each $d_i$ there exists $d_i' \in D$ with $d_i' \sqsubseteq_D d_i$. Clearly (for $1 \le i \le k$) $\operatorname{supp} d_i' \in \overline{\{ \operatorname{supp} d \mid d \in D \}}$ (because $\{ \operatorname{supp} d \mid d \in D \} \subseteq \overline{\{ \operatorname{supp} d \mid d \in D \}}$ by Remark 4.38). Lemma 4.31 implies $\operatorname{supp} d_i' \sqsubseteq_A \operatorname{supp} d_i$. Hence also $\operatorname{supp} d_i \in \overline{\{ \operatorname{supp} d \mid d \in D \}}$ because $\overline{\{ \operatorname{supp} d \mid d \in D \}}$ is up-closed. Now (assuming, without loss of generality, $\alpha_i > 0$ for $1 \le i \le k$) $a = \bigcup_{i=1}^k \operatorname{supp} d_i \in \overline{\{ \operatorname{supp} d \mid d \in D \}}$ because $\overline{\{ \operatorname{supp} d \mid d \in D \}}$ is union-closed.

The abstraction projection maps probabilistic programs to their abstract counterparts, but we can also go the other way. For every abstract program $A$, there exists a probabilistic program $P$ such that $\varepsilon(P) = A$. In other words, $\varepsilon : \mathcal{L}S \to \mathcal{K}S$ is onto.

Lemma 4.40. For every abstract program $A \in \mathcal{K}S$ there exists a probabilistic program $P \in \mathcal{L}S$ with $\varepsilon(P) = A$.

Proof. For every abstract distribution $a \subseteq S_\bot$, let $d_a : S_\bot \to [0,1]$ denote the uniform distribution over $a$ (i.e. $d_a(s) := \frac{1}{|a|}$ if $s \in a$, $d_a(s) := 0$ otherwise). Clearly $\operatorname{supp} d_a = a$. Define $P : S_\bot \to \mathcal{P}(\bar S)$ by $P(s) := \overline{\{ d_a \mid a \in A(s) \}}$. $P(s)$ is up-, convex-, and Cauchy-closed by definition of $\overline{\cdot}$, $P(s) \neq \emptyset$ because $A(s) \neq \emptyset$, and $A(\bot) = \{\{\bot\}\}$ implies $P(\bot) = \{\delta_\bot\}$. Hence $P \in \mathcal{L}S$.

It remains to show $\varepsilon(P) = A$. Let $s \in S$. We note that $\{ d_a \mid a \in A(s) \}$ is finite (since $S$ is finite), hence Cauchy-closed. Therefore, using Lemma 4.39, $\varepsilon(P)(s) = \{ \operatorname{supp} d \mid d \in \overline{\{ d_a \mid a \in A(s) \}} \} = \overline{\{ \operatorname{supp} d_a \mid a \in A(s) \}} = \overline{A(s)} = A(s)$.

We remark that if two probabilistic programs have the same abstraction, then their iterations also have the same abstraction.

Lemma 4.41. Let $P, P' \in \mathcal{L}S$. If $\varepsilon(P) = \varepsilon(P')$, then $\varepsilon(P^*) = \varepsilon(P'^{\,*})$.

A proof of this non-trivial lemma is given in [108] (see in particular [108, Lemma 1] and [108, Lemma 4]).

Next, we define operators on $\mathcal{K}S$ that correspond to the operators on $\mathcal{L}S$ given in Def. 4.21.

Definition 4.42 (Operators on KS). For arbitrary states $s \in S_\bot$ and abstract programs $A, A' \in \mathcal{K}S$, we define

Identity: $\mathit{Id}(s) := \overline{\{\{s\}\}}$,
Composition: $(A; A')(s) := \{ \bigcup_{u \in a} a_u \mid a \in A(s),\ \forall u \in a.\ a_u \in A'(u) \}$,
Top: $\top(s) := \overline{\{\{\bot\}\}}$,
Probability: $(A \oplus A')(s) := \{ a \cup a' \mid a \in A(s),\ a' \in A'(s) \}$,
Non-determinism: $(A \sqcap A')(s) := \overline{A(s) \cup A'(s)}$,
Iteration: $A^*(s) := \varepsilon(P^*)(s)$, for an arbitrary $P \in \mathcal{L}S$ with $\varepsilon(P) = A$.

Remark 4.43. Let $A, A' \in \mathcal{K}S$. Then $\mathit{Id} \in \mathcal{K}S$, $\top \in \mathcal{K}S$, $(A; A') \in \mathcal{K}S$, $A \oplus A' \in \mathcal{K}S$, $A \sqcap A' \in \mathcal{K}S$, and $A^* \in \mathcal{K}S$.

Proof. We note that for every abstract distribution $a \subseteq S_\bot$, $\{\bot\} \sqsubseteq_A a$ iff $a = \{\bot\}$. Hence $\overline{\{\{\bot\}\}} = \{\{\bot\}\}$.

Let $s \in S$. For $\mathit{Id}(s)$ and $\top(s)$, all relevant properties (i.e. up-closure, union closure, non-emptiness, $\emptyset \notin \mathit{Id}(s)$, $\emptyset \notin \top(s)$, and $\mathit{Id}(\bot) = \top(\bot) = \{\{\bot\}\}$) now follow immediately from Def. 4.42.

Up-closure of $(A; A')(s)$ follows from up-closure of $A'(u)$ for all $u \in a$. Using $(\bigcup_{u \in a} a_u) \cup (\bigcup_{u \in b} b_u) = \bigcup_{u \in a \cup b} x_u$ (for arbitrary abstract distributions $a, a_u, b, b_u \subseteq S_\bot$, where $x_u := a_u$ if $u \in a \setminus b$, $x_u := b_u$ if $u \in b \setminus a$, and $x_u := a_u \cup b_u$ if $u \in a \cap b$), union closure of $(A; A')(s)$ follows from union closure of $A(s)$ and union closure of $A'(u)$ for all $u \in a \cap b$. The remaining properties, i.e. $(A; A')(s) \neq \emptyset$, $\emptyset \notin (A; A')(s)$, and $(A; A')(\bot) = \{\{\bot\}\}$, are immediate.

Up-closure of $(A \oplus A')(s)$ follows from up-closure of $A(s)$ and $A'(s)$. Union closure of $(A \oplus A')(s)$ follows from union closure of $A(s)$ and $A'(s)$, using $(a \cup a') \cup (b \cup b') = (a \cup b) \cup (a' \cup b')$ (for arbitrary abstract distributions $a, a', b, b' \subseteq S_\bot$). The remaining properties, i.e. $(A \oplus A')(s) \neq \emptyset$, $\emptyset \notin (A \oplus A')(s)$, and $(A \oplus A')(\bot) = \{\{\bot\}\}$, are immediate.

For $(A \sqcap A')(s)$, all relevant properties are immediate again from Def. 4.42.

For $A^*$, we only need to show that $A^*(s)$ is well-defined. All relevant properties then follow immediately from Remark 4.35. Lemma 4.40 implies the existence of at least one probabilistic program $P \in \mathcal{L}S$ with $\varepsilon(P) = A$, and Lemma 4.41 shows that for any two programs $P, P' \in \mathcal{L}S$ with $\varepsilon(P) = \varepsilon(P') = A$, we have $\varepsilon(P^*) = \varepsilon(P'^{\,*})$.
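The abstract model is small enough to be explored by brute force, which is what the following Python script does. It is an added example, not code from the thesis or from its Isabelle/HOL formalization: it implements the order of Def. 4.30, the hull of Def. 4.37, the healthiness conditions of Def. 4.33, and the non-iterative operators of Def. 4.42 (iteration is left out because it needs the reachability computation of [108]) over a constructed two-element state space $S = \{s_0, s_1\}$. The names (BOT, hull, program, compose, nondet, prob, leq_K, ...) are this example's own; the order $\sqsubseteq_D$ is taken to be "$d(s) \ge d'(s)$ for all proper states $s$", as used in the proof of Lemma 4.32. With it one can check Remark 4.43 on concrete programs, observe that the inclusion direction of Axiom (8) holds in $\mathcal{K}S$ but can be strict, and reproduce the loss of order information discussed after Lemma 4.31.

```python
from itertools import combinations, product

BOT = "bot"                       # the divergence state, written ⊥ in the text
S = ("s0", "s1")                  # proper states; a constructed two-element state space
S_BOT = S + (BOT,)

# Abstract distributions are the non-empty subsets of S_BOT (supports, Def. 4.28).
ABSTRACT = [frozenset(c) for r in range(1, len(S_BOT) + 1)
            for c in combinations(S_BOT, r)]
BOTTOM = frozenset({BOT})


def leq_A(a, b):
    """a ⊑_A b (Def. 4.30): a = b, or {⊥} ⊆ b ⊆ {⊥} ∪ a."""
    return a == b or (BOT in b and b <= a | BOTTOM)


def hull(gens):
    """Up- and union-closed hull (Def. 4.37), computed as a fixpoint over the finite lattice."""
    closed = set(gens)
    while True:
        more = {b for a in closed for b in ABSTRACT if leq_A(a, b)}
        more |= {a | b for a in closed for b in closed}
        if more <= closed:
            return frozenset(closed)
        closed |= more


def well_formed(A):
    """Healthiness conditions of Def. 4.33 for A : S_BOT -> set of abstract distributions."""
    return (all(A[s] and frozenset() not in A[s] and hull(A[s]) == A[s] for s in S)
            and A[BOT] == frozenset({BOTTOM}))


def program(gens):
    """Abstract program generated by the given supports per proper state; ⊥ maps to {{⊥}}."""
    A = {s: hull(frozenset(a) for a in gens[s]) for s in S}
    A[BOT] = frozenset({BOTTOM})
    return A


# Operators of Def. 4.42 (iteration omitted: it needs the reachability computation of [108]).
ID = program({s: [{s}] for s in S})
TOP = program({s: [{BOT}] for s in S})


def compose(A, B):
    """(A;B)(s) = { ⋃_{u∈a} a_u | a ∈ A(s), a_u ∈ B(u) for every u ∈ a }."""
    out = {}
    for s in S_BOT:
        res = set()
        for a in A[s]:
            states = sorted(a)
            for choice in product(*(B[u] for u in states)):
                res.add(frozenset().union(*choice))
        out[s] = frozenset(res)
    return out


def nondet(A, B):
    """(A ⊓ B)(s) = hull of A(s) ∪ B(s)."""
    return {s: hull(A[s] | B[s]) for s in S_BOT}


def prob(A, B):
    """(A ⊕ B)(s) = { a ∪ b | a ∈ A(s), b ∈ B(s) }."""
    return {s: frozenset(a | b for a in A[s] for b in B[s]) for s in S_BOT}


def leq_K(A, B):
    """A ⊑_K B (Def. 4.33): pointwise inclusion on proper states."""
    return all(A[s] <= B[s] for s in S)


# Abstraction of concrete distributions (Defs. 4.28, 4.34) and the order ⊑_D of Lemma 4.32's proof.
def supp(d):
    return frozenset(s for s, p in d.items() if p != 0)


def leq_D(d, e):
    """d ⊑_D e iff d(s) >= e(s) for every proper state s (mass may only move to ⊥)."""
    return all(d.get(s, 0) >= e.get(s, 0) for s in S)


def abstract(gens):
    """ε of the program whose P(s) is the closure of finitely many generator distributions.
    By Lemma 4.39 the hull may be taken after abstracting: a finite set is Cauchy-closed."""
    return program({s: [supp(d) for d in gens[s]] for s in S})
```

Typical use: build `A = program({"s0": [{"s0", "s1"}], "s1": [{"s1"}]})` and `SWAP = program({"s0": [{"s1"}], "s1": [{"s0"}]})`; then `compose(ID, A) == A == compose(A, ID)` and `compose(A, TOP) == TOP` hold, `leq_K(nondet(compose(A, ID), compose(A, SWAP)), compose(A, nondet(ID, SWAP)))` holds while the converse inclusion fails (the right-hand side contains the support $\{s_0\}$ at $s_0$, the left-hand side does not), and two distributions with equal support but different weights are $\sqsubseteq_A$-comparable without being $\sqsubseteq_D$-comparable.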

The above definition of $A^*$ still refers to the probabilistic model $\mathcal{L}S$. In [108] we show how $A^*$ can be computed without referring to any underlying probabilistic program, by determining the sets of states that are reachable with probability 1. It is well-known that this is possible using the information provided by the abstract transitions alone; for example de Alfaro and Henzinger [46] provide such an algorithm with complexity quadratic in the size of the underlying transition system.

Finally we can give an interpretation of pKA expressions in the space of abstract programs.

Definition 4.44 (Semantic Mapping of pKA Expressions to KS). The semantic mapping $[[\cdot]]_\rho$ from pKA expressions to $\mathcal{K}S$ is parameterized by a mapping $\rho$ from pKA variables to abstract probabilistic programs in $\mathcal{K}S$, and defined as follows:

1. If $x$ is a variable, then $[[x]]_\rho := \rho(x)$.
2. $[[0]]_\rho := \top$, $[[1]]_\rho := \mathit{Id}$.
3. $[[ab]]_\rho := [[a]]_\rho ; [[b]]_\rho$.
4. $[[a + b]]_\rho := [[a]]_\rho \sqcap [[b]]_\rho$.
5. $[[a^*]]_\rho := [[a]]_\rho^{\,*}$.

While this definition looks very similar to Def. 4.25 (due to the use of overloaded notation), the operators on the right-hand side of the above equations are now of course those on $\mathcal{K}S$, as given in Def. 4.42.

We do not claim that the axioms of probabilistic Kleene algebra are satisfied by this interpretation; in fact Axiom (13) fails to hold. The abstract program $s_0 \mapsto \overline{\{\{s_0, s_1\}\}}$, $s_1 \mapsto \overline{\{\{s_1\}\}}$, denoting both $a$ and $b$, is a counterexample. Thus there is no analogue of Theorem 4.26 for $\mathcal{K}S$. This is because the abstraction does not (in general) preserve inequalities; see the earlier discussion on the converse of Lemma 4.31.

The next lemma gives the relationship between interpretations in $\mathcal{L}S$ and in $\mathcal{K}S$: they correspond homomorphically.

Lemma 4.45. Let $e$ be a pKA expression, and let $\rho$ be a mapping from pKA variables to probabilistic programs in $\mathcal{L}S$. Then
$$\varepsilon([[e]]_\rho) = [[e]]_{\varepsilon \circ \rho}.$$

Proof. By structural induction on $e$. If $e$ is a pKA variable, then
$$\varepsilon([[e]]_\rho) \overset{4.25}{=} \varepsilon(\rho(e)) = (\varepsilon \circ \rho)(e) \overset{4.44}{=} [[e]]_{\varepsilon \circ \rho}.$$
Moreover
$$\varepsilon([[0]]_\rho) \overset{4.25}{=} \varepsilon(\top) = \top \overset{4.44}{=} [[0]]_{\varepsilon \circ \rho}, \qquad \varepsilon([[1]]_\rho) \overset{4.25}{=} \varepsilon(\mathit{Id}) \overset{4.39}{=} \mathit{Id} \overset{4.44}{=} [[1]]_{\varepsilon \circ \rho}.$$

If $e = ab$ for pKA expressions $a$ and $b$, then for any $s \in S$,
$$\begin{aligned}
\varepsilon([[e]]_\rho)(s) &\overset{4.34}{=} \{ \operatorname{supp} d \mid d \in [[ab]]_\rho(s) \} \\
&\overset{4.25}{=} \Big\{ \operatorname{supp}\Big( \sum_{u \in S_\bot} a(u) \cdot b_u \Big) \;\Big|\; a \in [[a]]_\rho(s),\ \forall u \in S_\bot.\ b_u \in [[b]]_\rho(u) \Big\} \\
&= \Big\{ \bigcup_{u \in \operatorname{supp} a} \operatorname{supp} b_u \;\Big|\; a \in [[a]]_\rho(s),\ \forall u \in \operatorname{supp} a.\ b_u \in [[b]]_\rho(u) \Big\} \\
&\overset{4.34}{=} \Big\{ \bigcup_{u \in a} b_u \;\Big|\; a \in \varepsilon([[a]]_\rho)(s),\ \forall u \in a.\ b_u \in \varepsilon([[b]]_\rho)(u) \Big\} \\
&\overset{\mathrm{IH}}{=} \Big\{ \bigcup_{u \in a} b_u \;\Big|\; a \in [[a]]_{\varepsilon \circ \rho}(s),\ \forall u \in a.\ b_u \in [[b]]_{\varepsilon \circ \rho}(u) \Big\} \\
&\overset{4.44}{=} [[ab]]_{\varepsilon \circ \rho}(s).
\end{aligned}$$

If $e = a + b$ for pKA expressions $a$ and $b$, then for any $s \in S$,
$$\begin{aligned}
\varepsilon([[e]]_\rho)(s) &\overset{4.34}{=} \{ \operatorname{supp} d \mid d \in [[a + b]]_\rho(s) \} \\
&\overset{4.25}{=} \{ \operatorname{supp} d \mid d \in \overline{[[a]]_\rho(s) \cup [[b]]_\rho(s)} \} \\
&\overset{4.39}{=} \overline{\{ \operatorname{supp} d \mid d \in [[a]]_\rho(s) \cup [[b]]_\rho(s) \}} \\
&\overset{4.34}{=} \overline{\varepsilon([[a]]_\rho)(s) \cup \varepsilon([[b]]_\rho)(s)} \\
&\overset{\mathrm{IH}}{=} \overline{[[a]]_{\varepsilon \circ \rho}(s) \cup [[b]]_{\varepsilon \circ \rho}(s)} \\
&\overset{4.44}{=} [[a + b]]_{\varepsilon \circ \rho}(s).
\end{aligned}$$

If $e = a^*$ for some pKA expression $a$, then
$$\varepsilon([[e]]_\rho) \overset{4.25}{=} \varepsilon([[a]]_\rho^{\,*}) \overset{4.42}{=} \varepsilon([[a]]_\rho)^* \overset{\mathrm{IH}}{=} [[a]]_{\varepsilon \circ \rho}^{\,*} \overset{4.44}{=} [[a^*]]_{\varepsilon \circ \rho}.$$

Thus we have set up a model for abstract probabilistic programs in which the precise weights attached to probabilistic transitions have been suppressed, while the limit properties of probability theory are retained. Next we show how the abstract model can be used to obtain counterexamples in $\mathcal{L}S$.

Lemma 4.46. Let $e$ and $f$ be pKA expressions. If $e \neq f$ is satisfiable in $\mathcal{K}S$, then it is also satisfiable in $\mathcal{L}S$.

Proof. Suppose $e \neq f$ is satisfiable in $\mathcal{K}S$, i.e. there exists a mapping $\rho'$ from pKA variables to abstract programs in $\mathcal{K}S$ such that $[[e]]_{\rho'} \neq [[f]]_{\rho'}$. By Lemma 4.40, there exists a mapping $\rho$ from pKA variables to probabilistic programs in $\mathcal{L}S$ such that $\varepsilon \circ \rho = \rho'$. Now
$$\varepsilon([[e]]_\rho) \overset{4.45}{=} [[e]]_{\varepsilon \circ \rho} = [[e]]_{\rho'} \neq [[f]]_{\rho'} = [[f]]_{\varepsilon \circ \rho} \overset{4.45}{=} \varepsilon([[f]]_\rho),$$
hence $[[e]]_\rho \neq [[f]]_\rho$ in $\mathcal{L}S$.

Finally this section's main result follows. If a counterexample exists in $\mathcal{K}S$ to a conjectured pKA equality, then the equality is not provable in pKA.

Corollary 4.47. Let $e$ and $f$ be pKA expressions. If $e \neq f$ is satisfiable in $\mathcal{K}S$, then the equality $e = f$ is not provable by probabilistic Kleene algebra rules.

Proof. By Lemma 4.46, $e \neq f$ is satisfiable in $\mathcal{L}S$, and by Theorem 4.26, interpretations in $\mathcal{L}S$ satisfy the rules of probabilistic Kleene algebra.

The corollary implies that automated counterexample search for equalities in pKA can be based on state exploration of finite models in $\mathcal{K}S$.

4.3.3 Mechanization of Counterexample Search

We have defined the abstract model $\mathcal{K}S$ in Isabelle/HOL. The type $S\ \mathit{option} \to S\ \mathit{option}\ \mathit{set}\ \mathit{set}$ is used for abstract programs, with $\mathit{None}$ encoding $\bot$. A well-formedness predicate selects those functions in this type that satisfy the constraints of Def. 4.33. Next, we have defined the various operators on $\mathcal{K}S$ (see Defs. 4.42 and 4.44), in particular composition, non-determinism, and iteration. With the exception of the iteration operator, $\cdot^*$, formulae that contain these operators can be translated into propositional logic by the algorithm presented in Chapters 2 and 3. Iteration could in principle be translated as well (by unfolding its Isabelle/HOL definition, as is done for the other operators), but this unfortunately leads to unacceptable performance. That the translation of iteration is challenging also seems to be the case in other systems which use SAT solving in the context of $\cdot^*$-like operators [82].

We have therefore implemented dedicated SML code for the iteration operator, which translates this operator to a tree directly, without unfolding its definition. This is an application of the first optimization technique described in the paragraph on unfolding and specialization in Section 3.2. Our code does not actually implement a reachability algorithm, but merely contains precomputed result trees for small state spaces. Due to the exponential growth of $S\ \mathit{option} \to S\ \mathit{option}\ \mathit{set}\ \mathit{set}$ (in the size of $S$), we are still limited to small state spaces anyway, despite our optimizations. Fortunately, counterexamples in practice do appear to be exhibited within very small state spaces.

Two of the perhaps more interesting conjectures about probabilistic programs that Isabelle can refute automatically are (i) $P^* \le P$ and (ii) $P^*; P = P; P^*$. Graphical representations of the abstract programs that were found as counterexamples are shown in Figure 4.3. (For clarity, only minimal distributions are shown, and also the transition $\bot \mapsto \{\{\bot\}\}$ has been omitted.) Both programs use a two-element state space $S = \{s_0, s_1\}$. One may notice that the second program happens to be the abstraction of the coin-toss example discussed earlier. Each of the two programs refutes both conjectures. That different counterexamples are returned for each of the two conjectures is a coincidence; ultimately it depends on the underlying SAT solver that was used for model generation.

Figure 4.3: Abstract probabilistic counterexamples. Left: (i) $P^* \le P$; right: (ii) $P^*; P = P; P^*$. (The two transition diagrams over the states $s_0$, $s_1$ are not reproduced here.)

To deal with slightly larger state spaces, we could use specialization (as described in Section 3.2): the iteration operator, although it might occur without an argument in a HOL formula, never does so in a pKA expression; instead, it is always applied to some program $P$. Therefore we do not need to build a tree for the entire function representing $\cdot^*$, but we only need the much smaller tree for $P^*$. Of course this would require the implementation of a symbolic reachability algorithm, which could compute the tree for $P^*$ from a tree (possibly containing variables or complex propositional formulae as label elements) for $P$. With this technique, the main bottleneck will then be the size of propositional formulae in labels of the tree for $P^*$. Even if the tree for $P$ contains variables only (and not more complex formulae), formulae in the tree for $P^*$ would quickly become huge. The problem is aggravated because at least some of these formulae later need to be translated to CNF. A hybrid approach, where the program $P$ is partially known (e.g. because of an earlier case distinction), while other parts are only given symbolically, could solve this issue. The known parts of the program could be used to immediately simplify the resulting propositional formulae, as described in the paragraph on propositional simplification in Section 3.2, thereby keeping these formulae reasonably small.

4.4 A SAT-based Sudoku Solver

This section presents a SAT-based Sudoku solver. A Sudoku is translated into a propositional formula that is satisfiable if and only if the Sudoku has a solution. A standard SAT solver can then be applied, and a solution for the Sudoku can be read off from the satisfying assignment returned by the SAT solver. No coding was necessary to implement this Sudoku solver: the translation into propositional logic is provided by our algorithm for finite model generation that was described in Chapters 2 and 3 of this thesis. Only the constraints on a Sudoku solution have to be specified in Isabelle/HOL.

Sudoku, also known as Number Place in the United States, is a placement puzzle. Given a grid—most frequently a 9×9 grid made up of 3×3 subgrids called regions—with various digits given in some cells (the givens), the aim is to enter a digit from 1 through 9 in each cell of the grid so that each row, column and region contains only one instance of each digit. Figure 4.4 shows a Sudoku on the left, along with its unique solution on the right [172]. Note that other symbols (e.g. letters, icons) could be used instead of digits, as their arithmetic properties are irrelevant in the context of Sudoku. This is currently a rather popular puzzle that is featured in a number of newspapers and puzzle magazines [5, 49, 158].

Several Sudoku solvers are available already [97, 163]. Since there are more than $6 \cdot 10^{21}$ possible Sudoku grids [55], a naive backtracking algorithm would be infeasible. Sudoku solvers therefore combine backtracking with—sometimes complicated—methods for constraint propagation. Here we present a SAT-based approach: a Sudoku is translated into a propositional formula that is satisfiable if and only if the Sudoku has a solution. The propositional formula is then presented to a standard SAT solver, and if the SAT solver finds a satisfying assignment, this assignment can readily be transformed into a solution for the original Sudoku. The translation into SAT is simple, and requires minimal implementation effort since we can reuse our framework for finite model generation.

Figure 4.4: Sudoku example and solution. Left: the puzzle (givens as published in [172]; "." marks an empty cell); right: its unique solution.

    5 3 . | . 7 . | . . .      5 3 4 | 6 7 8 | 9 1 2
    6 . . | 1 9 5 | . . .      6 7 2 | 1 9 5 | 3 4 8
    . 9 8 | . . . | . 6 .      1 9 8 | 3 4 2 | 5 6 7
    ------+-------+------      ------+-------+------
    8 . . | . 6 . | . . 3      8 5 9 | 7 6 1 | 4 2 3
    4 . . | 8 . 3 | . . 1      4 2 6 | 8 5 3 | 7 9 1
    7 . . | . 2 . | . . 6      7 1 3 | 9 2 4 | 8 5 6
    ------+-------+------      ------+-------+------
    . 6 . | . . . | 2 8 .      9 6 1 | 5 3 7 | 2 8 4
    . . . | 4 1 9 | . . 5      2 8 7 | 4 1 9 | 6 3 5
    . . . | . 8 . | . 7 9      3 4 5 | 2 8 6 | 1 7 9

4.4.1 Implementation in Isabelle/HOL

An implementation of the Sudoku rules in Isabelle/HOL is straightforward. Digits are modelled by a datatype with nine elements $1, \ldots, 9$. We say that nine grid cells $x_1, \ldots, x_9$ are valid iff they contain every digit.

Definition 4.48 (valid).
$$\mathit{valid}(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9) \equiv \bigwedge_{d=1}^{9} \bigvee_{i=1}^{9} x_i = d.$$

Labeling the 81 cells of a 9×9 grid as shown in Figure 4.5, we can now define what it means for them to be a Sudoku solution: each row, column and region must be valid.

Definition 4.49 (sudoku).
$$\begin{aligned}
\mathit{sudoku}(\{x_{ij}\}_{i,j \in \{1,\ldots,9\}}) \equiv\;& \bigwedge_{i=1}^{9} \mathit{valid}(x_{i1}, x_{i2}, x_{i3}, x_{i4}, x_{i5}, x_{i6}, x_{i7}, x_{i8}, x_{i9}) \\
\land\;& \bigwedge_{j=1}^{9} \mathit{valid}(x_{1j}, x_{2j}, x_{3j}, x_{4j}, x_{5j}, x_{6j}, x_{7j}, x_{8j}, x_{9j}) \\
\land\;& \bigwedge_{i,j \in \{1,4,7\}} \mathit{valid}(x_{ij}, x_{i(j+1)}, x_{i(j+2)}, x_{(i+1)j}, x_{(i+1)(j+1)}, x_{(i+1)(j+2)}, x_{(i+2)j}, x_{(i+2)(j+1)}, x_{(i+2)(j+2)}).
\end{aligned}$$

The next section describes the translation of these definitions into propositional logic.

Figure 4.5: Sudoku grid. Cell $x_{ij}$ lies in row $i$ and column $j$.

    x11 x12 x13 | x14 x15 x16 | x17 x18 x19
    x21 x22 x23 | x24 x25 x26 | x27 x28 x29
    x31 x32 x33 | x34 x35 x36 | x37 x38 x39
    ------------+-------------+------------
    x41 x42 x43 | x44 x45 x46 | x47 x48 x49
    x51 x52 x53 | x54 x55 x56 | x57 x58 x59
    x61 x62 x63 | x64 x65 x66 | x67 x68 x69
    ------------+-------------+------------
    x71 x72 x73 | x74 x75 x76 | x77 x78 x79
    x81 x82 x83 | x84 x85 x86 | x87 x88 x89
    x91 x92 x93 | x94 x95 x96 | x97 x98 x99

4.4.2 Translation to Propositional Logic

The translation to propositional logic is an application of the general translation for HOL formulae that was described in Section 2.3. We encode a Sudoku by introducing 9 Boolean variables for each cell of the 9×9 grid, i.e. $9^3 = 729$ variables in total. Each Boolean variable $p_{ijd}$ (with $1 \le i, j, d \le 9$) represents the truth value of the equation $x_{ij} = d$. A clause
$$\bigvee_{d=1}^{9} p_{ijd}$$
ensures that the cell $x_{ij}$ denotes one of the nine digits, and 36 clauses
$$\neg p_{ijd} \lor \neg p_{ijd'} \qquad (1 \le d < d' \le 9)$$
make sure that the cell does not denote two different digits at the same time.

Since there are just as many digits as cells in each row, column, and region, Def. 4.48 is equivalent to the following characterization of validity, stating that the nine grid cells $x_1, \ldots, x_9$ contain distinct values.

Lemma 4.50 (Equivalent Characterization of Validity).
$$\mathit{valid}(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9) \iff \bigwedge_{1 \le i < j \le 9} x_i \neq x_j \iff \bigwedge_{1 \le i < j \le 9}\ \bigwedge_{d=1}^{9} \big( x_i \neq d \lor x_j \neq d \big).$$

The latter characterization turns out to be much more efficient than the original definition when translated to SAT. While Def. 4.48, when translated directly, produces 9 clauses with 9 literals each (one literal for each equation), the formula given in Lemma 4.50 is translated to 324 clauses (9 clauses for each of the 36 inequations $x_i \neq x_j$), but each clause of length 2 only. This allows for more unit propagation [178] by the SAT solver, which—in terms of the original Sudoku—corresponds to cross-hatching [172] of digits, a technique that is essential to reduce the search space. The 9 clauses obtained from a direct translation of Def. 4.48 could still be used as well; unit propagation on these clauses would correspond to counting the digits 1–9 in regions, rows, and columns to identify missing numbers. However, in our experiments we did not experience any speedup by including these clauses.

This encoding yields a total of 11745 clauses: 81 definedness clauses of length 9, 81·36 uniqueness clauses of length 2, and 27·324 validity clauses,¹ again of length 2. However, we do not need to introduce Boolean variables for cells whose value is given in the original Sudoku, and we can omit definedness and uniqueness clauses for these cells as well as some of the validity clauses—therefore the total number of variables and clauses used in the encoding of a Sudoku with givens will be less than 729 and 11745, respectively. (The importance of this optimization for larger Sudoku puzzles is emphasized in [95], although the authors' claim that we do not perform it is erroneous.)

Note that our encoding already yields a propositional formula in conjunctive normal form (CNF). Therefore conversion into DIMACS CNF format [50]—the standard input format used by most SAT solvers—is trivial. Isabelle can search for a satisfying assignment using either an internal DPLL-based [45] SAT solver, or write the formula to a file in DIMACS format and execute an external solver. We have employed zChaff [119] to find the solution to various Sudoku classified as "hard" by their respective authors (see Figure 4.6 for an example), and in every case the runtime was only a few milliseconds.

Traditionally the givens in a Sudoku are chosen so that the puzzle's solution is unique. Nevertheless in case different solutions exist, our algorithm can be extended to enumerate all of them (by explicitly disallowing all solutions found so far, and perhaps using an incremental SAT solver that allows adding clauses on-the-fly to avoid searching through the same search space multiple times). Particularly remarkable is the fact that our solver, while it can certainly compete with hand-crafted Sudoku solvers, some of which use rather complex patterns and search heuristics, required very little implementation effort. Aside from Lemma 4.50, no domain-specific knowledge was used. The impressive performance is largely due to the SAT solver. Even the translation into propositional logic was not written by hand, but is merely an application of the framework for finite model generation that is readily available in Isabelle/HOL. Only the Sudoku rules had to be defined in the theorem prover's logic, and this was a trouble-free task.

¹ This number includes some duplicates, caused by the overlap between rows/columns and regions: certain cells that must be distinct because they belong to the same row (or column) must also be distinct because they belong to the same region.

Figure 4.6: Hard Sudoku example and solution. Only the solution is reproduced; the puzzle's 19 givens (read row by row: 2; 6 3; 7 4 8; 3 2; 8 4 1; 6 5; 1 7 8; 5 9; 4) survive the extraction, but not their cell positions.

    1 2 6 | 4 3 7 | 9 5 8
    8 9 5 | 6 2 1 | 4 7 3
    3 7 4 | 9 8 5 | 1 2 6
    ------+-------+------
    4 5 7 | 1 9 3 | 8 6 2
    9 8 3 | 2 4 6 | 5 1 7
    6 1 2 | 5 7 8 | 3 9 4
    ------+-------+------
    2 6 9 | 3 1 4 | 7 8 5
    5 4 8 | 7 6 9 | 2 3 1
    7 3 1 | 8 5 2 | 6 4 9
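The whole pipeline of this section fits in a short script. The following Python code is an added example, not the Isabelle/HOL development described above nor code from the thesis: `encode` builds exactly the clause set of Section 4.4.2 (definedness, uniqueness, and validity as in Lemma 4.50, with givens as extra unit clauses and without the optimization that drops variables for given cells, so the unconstrained instance has the 11745 clauses and 729 variables counted in the text), `to_dimacs` writes the DIMACS CNF format, and `dpll`, a minimal DPLL solver with unit propagation, stands in for zChaff so that the script runs offline. All names are this example's own; the puzzle constant is the one from Figure 4.4.

```python
from itertools import combinations

DIGITS = range(1, 10)
CELLS = [(i, j) for i in DIGITS for j in DIGITS]


def var(i, j, d):
    """DIMACS index of p_ijd, the proposition "cell x_ij holds digit d" (all 1-based)."""
    return (i - 1) * 81 + (j - 1) * 9 + d


def units():
    """The 27 rows, columns and 3x3 regions, each a list of nine cells (i, j)."""
    rows = [[(i, j) for j in DIGITS] for i in DIGITS]
    cols = [[(i, j) for i in DIGITS] for j in DIGITS]
    regions = [[(i + di, j + dj) for di in range(3) for dj in range(3)]
               for i in (1, 4, 7) for j in (1, 4, 7)]
    return rows + cols + regions


def encode(givens=None):
    """CNF of Def. 4.49 with validity as in Lemma 4.50; givens {(i, j): d} become unit clauses.
    Duplicate validity clauses from overlapping units are kept, matching the count of 11745."""
    clauses = []
    for (i, j) in CELLS:
        clauses.append([var(i, j, d) for d in DIGITS])               # definedness
        for d1, d2 in combinations(DIGITS, 2):                        # uniqueness
            clauses.append([-var(i, j, d1), -var(i, j, d2)])
    for unit in units():
        for (c1, c2) in combinations(unit, 2):                         # validity: x_c1 != x_c2
            for d in DIGITS:
                clauses.append([-var(*c1, d), -var(*c2, d)])
    for (i, j), d in (givens or {}).items():
        clauses.append([var(i, j, d)])
    return clauses


def to_dimacs(clauses):
    """Serialize in DIMACS CNF format: a 'p cnf' header, then one 0-terminated line per clause."""
    nvars = max(abs(l) for c in clauses for l in c)
    lines = ["p cnf %d %d" % (nvars, len(clauses))]
    lines += [" ".join(map(str, c)) + " 0" for c in clauses]
    return "\n".join(lines) + "\n"


def dpll(clauses):
    """Plain DPLL with unit propagation over occurrence lists.
    Returns the set of variables assigned true, or None if the clause set is unsatisfiable."""
    occ = {}
    for c in clauses:
        for l in c:
            occ.setdefault(l, []).append(c)
    nvars = max(abs(l) for l in occ)
    value = {}

    def lit(l):
        v = value.get(abs(l))
        return None if v is None else (v if l > 0 else not v)

    def assign(l, trail):
        """Assign literal l, then propagate unit clauses; returns False on conflict."""
        pending = [l]
        while pending:
            l = pending.pop()
            if lit(l) is False:
                return False
            if lit(l) is True:
                continue
            value[abs(l)] = l > 0
            trail.append(abs(l))
            for c in occ.get(-l, []):                  # clauses that just lost a literal
                if any(lit(x) is True for x in c):
                    continue
                free = [x for x in c if lit(x) is None]
                if not free:
                    return False
                if len(free) == 1:
                    pending.append(free[0])
        return True

    def search():
        v = next((v for v in range(1, nvars + 1) if v not in value), None)
        if v is None:
            return True
        for choice in (v, -v):                         # branch, undo on failure
            trail = []
            if assign(choice, trail) and search():
                return True
            for x in trail:
                del value[x]
        return False

    trail = []
    if all(assign(c[0], trail) for c in clauses if len(c) == 1) and search():
        return {v for v, b in value.items() if b}
    return None


def solve(puzzle):
    """puzzle: nine strings of nine characters, '.' for an empty cell. Returns nine strings or None."""
    givens = {(i + 1, j + 1): int(ch) for i, row in enumerate(puzzle)
              for j, ch in enumerate(row) if ch != "."}
    model = dpll(encode(givens))
    if model is None:
        return None
    return ["".join(str(d) for j in DIGITS for d in DIGITS if var(i, j, d) in model)
            for i in DIGITS]


# The puzzle of Figure 4.4 (givens as published in [172]).
PUZZLE = ["53..7....", "6..195...", ".98....6.", "8...6...3", "4..8.3..1",
          "7...2...6", ".6....28.", "...419..5", "....8..79"]

if __name__ == "__main__":
    print("\n".join(solve(PUZZLE)))
```

`solve(PUZZLE)` returns the solution grid of Figure 4.4, and a puzzle with two equal digits in one row (e.g. `"55......."` as its first row) is refuted during the initial unit propagation, before any branching. To enumerate further solutions as the text suggests, append a blocking clause consisting of the negated `var(i, j, d)` literals of each solution found and call `dpll` again; an external solver is driven by writing `to_dimacs(encode(givens))` to a file.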

4.5 Conclusion

In this chapter, we have discussed three case studies that illustrate possible applications of finite model generation in general, and of our framework for model generation in Isabelle/HOL in particular: the RSA-PSS security protocol, probabilistic programs, and a Sudoku solver.

In Section 4.2, we have shown security of an abstract formalization of the RSA-PSS security protocol by providing a model that does not allow the attacker to forge signatures. The model is finite, but a well-known initial model theorem implies that security also holds in the (infinite) initial model, where the functions for message generation are interpreted in the usual algebraic way.

A model for probabilistic programs that is susceptible to counterexample search via finite model generation has been presented in Section 4.3. This model has been formalized in Isabelle/HOL, where it was used to obtain counterexamples to conjectures about probabilistic Kleene algebra expressions. There are performance issues (especially with the star operator, $\cdot^*$), but for small state spaces, the approach works reasonably well.

In Section 4.4, we have presented a straightforward translation of a Sudoku into a propositional formula. The translation can easily be generalized from 9×9 grids to grids of arbitrary dimension. It is polynomial in the size of the grid, and since Sudoku is NP-complete [176], no algorithm with better complexity is known. The translation, combined with a state-of-the-art SAT solver, is also practically successful: 9×9 Sudoku puzzles are solved within milliseconds.

Together these case studies show that the model generation algorithm presented in Chapters 2 and 3, despite its non-elementary complexity, can be useful for many interesting problems that occur in practice. The algorithm's integration into the Isabelle/HOL theorem prover allows its easy application to any formal development carried out in this system. Higher-order logic is a rich specification language that permitted natural formalizations of all three case studies. Some of the logic's (higher-order) features pose potential performance issues for model generation, but to remedy the situation, it is sometimes possible to carry out formalization "with model generation in mind", avoiding a state-space explosion through the use of logically equivalent (but combinatorially harmless) encodings in the theorem prover.

5Chapter

Loveall,trustafew.
eare,espShakWilliam1564–1616.

IntegrationofProof-producingSAT
ersSolv

ThischapterdescribestheintegrationofzChaffandMiniSat,currentlytwoleading
SATsolvers,withIsabelle/HOL.BothSATsolversgenerateresolution-styleproofs
for(instancesof)propositionaltautologies.Theseproofsareverifiedbythetheorem
prover.ThepresentedapproachsignificantlyimprovesIsabelle’sperformanceon
oblems.prositionaloppr

In5.1ductiontro

SofarwehavediscussedthegenerationoffinitemodelsforHOLformulae,themainapplication
beingthegenerationofcountermodelsforunprovableconjectures.Butwhatifthesearchfora
finitecountermodelfails?Morespecifically,canweuseSATsolverstoprovetheoremsaswell?
Clearlythefailuretoproduceafinitecountermodeluptoacertainsizeforsomeformulaφ
doesnotimplyvalidityofthisformula.Theremightstillexistafinitecountermodellarger
thanthegivensize,orevenaninfinitecountermodel.Forexample,considerthefollowing
first-orderformula,whichonlyhasinfinitemodels:
(∀x∃y.Pxy)∧(∀xyz.Pxy=⇒Pyz=⇒Pxz)∧(∀x.¬Pxx).

Ingeneralitisundecidablealreadyforfirst-orderlogicifaformulaφhasamodelatall[37],
bandoundalsoonifitthehasmoadelfinitesizeismoeffdelectiv[160].elyIfφcomputable,hasthewfiniteecouldmodelusepropthisertbyound[26]tohowlimitever,theandsearctheh
foramodel.Sinceoursearchalgorithmiscomplete(providedtheunderlyingSATsolveris),

99

100CHAPTER5.INTEGRATIONOFPROOF-PRODUCINGSATSOLVERS

couldfailurebeintothisfindcasewitnessesdoesiforndeedimplymonomorphicvalidityexistenof¬tialφ.stateAnotherments,applicationtherebyproofvingouralgorithem.thm
Hence model generation could—at least in principle—be used to prove formulae from certain fragments of HOL. However, the semantic reasoning indicated above would be difficult to formalize in an LCF-style [61] theorem prover like Isabelle/HOL, where all proofs in the end must be expressed in terms of the logic's inference rules. (Even proving existential statements wouldn't be without practical challenges. If an incomplete, randomized SAT solver was used, a proof script might work one time and fail another—certainly not a desirable property.) Therefore we only consider instances of propositional tautologies in this chapter. Furthermore, we use proof-producing SAT solvers: they are not only able to find a satisfying assignment if one exists, but they also return a (resolution-style) proof of unsatisfiability in case the input formula is not satisfiable. Currently the most successful SAT solvers are DPLL-based [119], and extending such solvers with the ability to produce unsatisfiability proofs is relatively straightforward [179].

5.2 Related Work

Perhaps most closely related to the work in this chapter is John Harrison's LCF-style integration of Stålmarck's algorithm and BDDs in HOL Light and Hol90 respectively [68, 69]. Harrison found that doing BDD operations inside HOL performed about 100 times worse (after several optimizations) than a C implementation.
Michael Gordon implemented HolSatLib [62] in Hol98, a precursor to HOL4. This library provided functions to convert Hol98 terms into CNF, and to analyze them using an external SAT solver. In the case of unsatisfiability however, the user only had the option to trust the solver. No proof reconstruction took place, “since there is no efficient way to check for unsatisfiability using pure Hol98 theorem proving” [62]. A bug in the SAT solver could ultimately lead to an inconsistency in Hol98. The HOL 4 implementation of this library is instead based on ideas discussed in this chapter.

A custom-built SAT solver has been integrated with the CVC Lite system [15] by Clark Barrett et al. [16]. While this solver produces proofs that can be checked independently, our work shows that it is possible to integrate existing, highly efficient solvers with an LCF-style prover: the proof information provided by recent versions of zChaff and MiniSat is sufficient to produce a proof object in a theorem prover, no custom-built solver is necessary.
Further afield, the integration of automated first-order provers with HOL provers has been explored by Joe Hurd [74, 75], Jia Meng [111], and Lawrence Paulson [112, 113]. Proofs found by the automated system are either verified by the interactive prover immediately [74], or translated into a proof script that can be executed later [112]. Andreas Meier's TRAMP system [109] transforms the output of various automated first-order provers into natural deduction proofs. The main focus of that work however is on the necessary translation from the interactive prover's specification language to first-order logic. In contrast our approach is so far restricted to instances of propositional tautologies, but we have focused on performance (rather than on difficult translation issues), and we use a SAT solver, rather than a first-order prover. Other work on combining proof and model search includes [48].

An earlier version of this work was presented in [167], and improved by Alwen Tiu et al. [58].

Furthermore Hasan Amjad has recently integrated proof-generating versions of zChaff and MiniSat with HOL 4 in a similar fashion [168]. Here we discuss our most recent implementation [166], which also incorporates ideas by John Harrison, John Matthews, and Markus Wenzel. It constitutes a significant performance improvement when compared to earlier implementations.

5.3 System Description

To prove a propositional tautology φ in the Isabelle/HOL system with the help of zChaff or MiniSat, we proceed in several steps. First φ is negated, and the negation is converted into an equivalent formula φ* in conjunctive normal form. φ* is then written to a file in DIMACS CNF format [50], the standard input format supported by most SAT solvers. zChaff and MiniSat, when run on this file, return either “unsatisfiable”, or a satisfying assignment for φ*.
In the latter case, the satisfying assignment is displayed to the user. The assignment constitutes a counterexample to the original (unnegated) conjecture. When the solver returns “unsatisfiable” however, things are more complicated. If we have confidence in the SAT solver, we can simply trust its result and accept φ as a theorem in Isabelle. The theorem is tagged with an “oracle” flag to indicate that it was proved not through Isabelle's own inference rules, but by an external tool. In this scenario, a bug in the SAT solver (or in our translation from HOL to propositional logic) could potentially allow us to derive inconsistent theorems in Isabelle/HOL.
The LCF-approach instead demands that we verify the solver's claim of unsatisfiability within Isabelle/HOL. While this is not as simple as the validation of a satisfying assignment, the increasing complexity of SAT solvers has before raised the question of support for independent verification of their results, and in 2003 L. Zhang and S. Malik [179] extended zChaff to also generate resolution-style proofs that can be verified by an independent checker. This issue has also been acknowledged by the annual SAT Competition, which introduced a special track on certified “unsatisfiable” answers in 2005. More recently, a proof-logging version of MiniSat was released [53], and John Matthews extended this version to produce human-readable proofs that are easy to parse [101], similar to those produced by zChaff.
One could use an independent (external) proof checker (e.g. written in C) to verify the SAT solver's answer. This might increase the degree of confidence in the result, but it still suffers from potential soundness issues. The independent proof checker, as well as the translation between the different tools, would become part of the trusted code base. Therefore in the LCF framework our main task boils down to using Isabelle/HOL itself as an independent checker for the resolution proofs found by zChaff and MiniSat.
Both solvers store their proof in a text file that is read in by Isabelle, and the individual resolution steps are replayed in Isabelle/HOL. Section 5.3.1 describes the necessary preprocessing of the input formula, and details of the proof reconstruction are explained in Section 5.3.2. The overall system architecture is shown in Figure 5.1.

Figure 5.1: Isabelle–SAT system architecture

5.3.1 Preprocessing

Isabelle/HOL offers higher-order logic (on top of Isabelle's meta logic, cf. Section 3.3), whereas most SAT solvers only support formulae of propositional logic in conjunctive normal form.

Therefore the (negated) input formula φ must be preprocessed before it can be passed to the solver. First connectives of the meta logic, namely meta implication (=⇒) and meta equivalence (≡), are replaced by the corresponding HOL connectives −→ and =. This is merely a technicality. Then the Boolean constants True and False are eliminated from φ, as are implication, −→, and equivalence, =. The only remaining connectives are conjunction, disjunction, and negation. Finally φ is converted into negation normal form, and then into conjunctive normal form (CNF). Two different CNF conversions are currently implemented in Isabelle/HOL: a naive encoding that may cause an exponential blowup of the formula, and a Tseitin-style encoding [162] that may introduce (existentially quantified) auxiliary Boolean variables, cf. [62]. Quantified subformulae of φ are treated as atomic.
Note that it is not sufficient to convert φ into an equivalent formula φ* in CNF. Rather, we have to prove this equivalence inside Isabelle/HOL. The result is not a single formula, but a theorem of the form φ = φ*.
The fact that our CNF transformation must be proof-producing leaves some potential for optimization. One could implement a non proof-producing (and therefore much faster) version of the same CNF transformation, and use it for preprocessing instead. Application of the proof-producing version would then be necessary only if the SAT solver has shown a formula to be unsatisfiable. This scheme can be implemented using lazy proofs [6], thus avoiding the penalty for doing the conversion twice: first without, and later with proofs. This way, preprocessing times for unprovable formulae would improve. In [168] we discuss further ideas to speed up the CNF transformation. The benchmarks used to evaluate the performance of proof reconstruction in Section 5.4 however are already given in conjunctive normal form, so the CNF transformation does not affect the timings reported there.
Unless one of the premises is already syntactically equal to False after CNF transformation (in which case we can prove the conjecture outright), the non-trivial premises are then written to a file in DIMACS CNF format. A clause is trivial if it is syntactically equal to True, or if it contains both an atom and the atom's negation. Filtering out these clauses is crucial to keep our clause numbering consistent with the one maintained by zChaff: zChaff removes trivial clauses during its own preprocessing, without further notice in its proof trace. (This is a general issue when integrating external provers in a proof-producing fashion. “Simple” preprocessing steps are often not recorded in the proof trace. A common solution in this case is to implement a proof-producing preprocessor which is at least as powerful as the one in the external system, thereby making the external preprocessing essentially redundant.)

datatype prop_formula =
    True
  | False
  | BoolVar of int
  | Not of prop_formula
  | Or of prop_formula * prop_formula
  | And of prop_formula * prop_formula

Figure 5.2: SML datatype of propositional formulae
An intermediate SML [115] datatype (shown in Figure 5.2) is employed to translate HOL terms into DIMACS format. A formula of propositional logic is either True, False, a Boolean variable (with a numerical index as its name), the negation of a formula, or the disjunction or conjunction, respectively, of a pair of formulae. The translation of HOL terms into this datatype is straightforward: HOL's True and False are translated as their constructor counterparts True and False, HOL's ¬, ∨ and ∧ are translated as Not, Or and And, respectively. All other terms are considered atomic and are replaced by Boolean variables. The translation is parameterized by a table (implemented as a balanced 2-3 tree [173] for logarithmic time insertion and lookup) which maintains a mapping from atomic terms to their corresponding variable index. This table, which is initially empty, is updated every time a new atomic term is encountered. α-equivalent terms are mapped to the same index.
Translation from this intermediate datatype of propositional formulae into DIMACS format is almost trivial. Each Boolean variable is mapped to (a string representation of) its index, logical negation is mapped to unary minus, disjunction simply inserts a space between its literals, and individual clauses are separated by “0”. We translate a formula to a list of strings, rather than to a single string, since list concatenations are generally faster than concatenations of long strings in today's SML systems. Furthermore, strings in SML have a fixed maximal length, which may not allow us to represent the result of the translation as a single string anyway. Finally a proper DIMACS problem line [50] is prepended to the list of strings, which is then written to a file in DIMACS CNF format. The SAT solver is invoked on this input file.
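The preprocessing pipeline of this section (HOL term to the prop_formula datatype via an atom table, constant elimination and negation normal form, naive CNF, filtering of trivial clauses, DIMACS output), as an added Python example that is not part of the dissertation's SML implementation. Atoms are strings standing in for HOL terms, a Python dict is assumed in place of the balanced 2-3 tree, and the formula PHI at the bottom is constructed for the example (it is the φ of the simple example in Section 5.3.2).

```python
from typing import Dict, List

# A HOL-like term for this example: a string is an atomic term, ("T",) and
# ("F",) are the constants True/False, and ("not", t), ("or", t, u),
# ("and", t, u) are the connectives.  This mirrors Figure 5.2, where
# BoolVar of int stands for an atom that has been replaced by a variable.

def translate(term, table: Dict[str, int]):
    """HOL term -> prop_formula.  `table` maps atomic terms to variable
    indices and is extended whenever a new atom is encountered (the text
    uses a balanced 2-3 tree; a dict is assumed here instead)."""
    if isinstance(term, str):                 # atomic term
        if term not in table:
            table[term] = len(table) + 1      # DIMACS variables start at 1
        return ("var", table[term])
    tag = term[0]
    if tag in ("T", "F"):
        return term
    if tag == "not":
        return ("not", translate(term[1], table))
    return (tag, translate(term[1], table), translate(term[2], table))

def simplify(op, a, b):
    """Fold the constants True/False out of a binary connective."""
    unit, absorb = (("T",), ("F",)) if op == "and" else (("F",), ("T",))
    if a == absorb or b == absorb:
        return absorb
    if a == unit:
        return b
    return a if b == unit else (op, a, b)

def nnf(f, neg=False):
    """Negation normal form with True/False eliminated, so the result only
    uses var, not (applied to var), or and and."""
    tag = f[0]
    if tag in ("T", "F"):
        return ("T",) if (tag == "T") != neg else ("F",)
    if tag == "var":
        return ("not", f) if neg else f
    if tag == "not":
        return nnf(f[1], not neg)
    op = ("or" if tag == "and" else "and") if neg else tag   # De Morgan
    return simplify(op, nnf(f[1], neg), nnf(f[2], neg))

def cnf(f) -> List[List[int]]:
    """Naive CNF of an NNF formula: a list of clauses of DIMACS literals.
    Distributing or over and is the step that may blow up exponentially."""
    tag = f[0]
    if tag == "T":
        return []
    if tag == "F":
        return [[]]
    if tag == "var":
        return [[f[1]]]
    if tag == "not":
        return [[-f[1][1]]]
    if tag == "and":
        return cnf(f[1]) + cnf(f[2])
    return [c + d for c in cnf(f[1]) for d in cnf(f[2])]

def is_trivial(clause: List[int]) -> bool:
    """A clause containing an atom and its negation; zChaff drops these
    silently, so they must be dropped here too to keep clause ids aligned."""
    lits = set(clause)
    return any(-lit in lits for lit in lits)

def preprocess(term):
    """Return the atom table and the non-trivial clauses of the term."""
    table: Dict[str, int] = {}
    clauses = cnf(nnf(translate(term, table)))
    return table, [c for c in clauses if not is_trivial(c)]

def to_dimacs(clauses: List[List[int]], nvars: int) -> List[str]:
    """DIMACS CNF as a list of lines: problem line, then one line per clause."""
    lines = ["p cnf %d %d" % (nvars, len(clauses))]
    return lines + [" ".join(str(l) for l in c) + " 0" for c in clauses]

# Constructed input: the formula φ of the simple example in Section 5.3.2.
PHI = ("and", ("and", ("and", ("or", ("not", "x1"), "x2"),
                              ("or", ("not", "x2"), ("not", "x3"))),
                      ("or", "x1", "x2")),
              ("or", ("not", "x2"), "x3"))

if __name__ == "__main__":
    table, clauses = preprocess(PHI)
    print("\n".join(to_dimacs(clauses, len(table))))
```

The atom table is filled in left-to-right order of first encounter, so x1, x2, x3 receive the indices 1, 2, 3 and the four clauses come out exactly in the order they appear in φ; a clause like a ∨ ¬a is silently dropped before the DIMACS file is written.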

5.3.2 Proof Reconstruction

When zChaff and MiniSat return “unsatisfiable”, they generate a resolution-style proof of unsatisfiability and store the proof in a text file. This happens on the fly, to keep memory free for the SAT algorithm itself. While the precise format of this file differs between the solvers, the essential proof structure is the same. Both SAT solvers use propositional resolution to derive new clauses from existing ones:

$$\frac{P \lor x \qquad Q \lor \lnot x}{P \lor Q}$$

type proof = int list Inttab.table * int

Figure 5.3: SML type of resolution proofs

It is well-known that this single inference rule is sound and complete for propositional logic [144]. A set of clauses is unsatisfiable iff the empty clause is derivable via resolution. For the purpose of proof reconstruction, we are only interested in the proof returned by the SAT solver, not in the techniques and heuristics that the solver uses internally to find this proof. Therefore the integration of zChaff and MiniSat is quite similar, and further SAT solvers capable of generating resolution-style proofs could be integrated in the same manner.

We assign a unique identifier—a non-negative integer—to each clause of the original CNF formula. Further clauses derived by resolution are assigned unique identifiers by the solver. We are usually interested in the result of a resolution chain, where two clauses are resolved, the result is resolved with yet another clause, and so on. Consequently, we define an SML type of propositional resolution proofs (see Figure 5.3) as a pair whose first component is a table mapping integers (to be interpreted as the identifiers of clauses derived by resolution) to lists of integers (to be interpreted as the identifiers of previously derived clauses that are part of the defining resolution chain). The second component of the proof is just the identifier of the empty clause.

This type is intended as an internal format to store the information contained in a resolution proof. There are many restrictions on valid proofs that are not enforced by this type. For example, it does not ensure that its second component indeed denotes the empty clause, that every resolution step is legal, or that there are no circular dependencies between derived clauses. It is only important that every resolution proof can be represented as a value of type proof, not conversely. The proof returned by zChaff or MiniSat is translated into this internal format, and passed to the actual proof reconstruction algorithm. This algorithm will either generate an Isabelle/HOL theorem, or fail in case the proof is invalid. Of course the latter should not happen, unless the SAT solver—or our translation from HOL to DIMACS—contains a bug.

zChaff Proof Traces

The format of the proof trace generated by zChaff has not been documented before (aside from our own presentation in [168]). Therefore we explain it here. We use version 2004.11.15 of zChaff; this version is mostly identical to the more recent version 2007.3.12. See Section 5.3.2 below for a simple example of a proof trace.

The proof file generated by zChaff consists of three sections, the first two of which are optional (but present in any non-trivial proof). A formal definition of its syntax in Extended BNF [79]

is given in Figure 5.4. The first section defines clauses derived from the original problem by resolution. A typical line would be “CL: 7 <= 2 3 0”, meaning that a new clause, assigned the fresh identifier 7, was derived by resolving clauses 2 and 3, and resolving the result with clause 0. Initial clauses are implicitly assigned identifiers starting from 0, in the order they occur in the DIMACS file. We store the information contained in the first section of the proof file in the table of integer lists that constitutes the first component of our SML proof type.

zChaff proof trace = {clause line}, {variable line}, conflict clause ;
clause line       = 'CL:', clause id, '<=', clause id list, newline ;
variable line     = 'VAR:', variable id, 'L:', integer, 'V:', ('0' | '1'),
                    'A:', clause id, 'Lits:', literal id list, newline ;
conflict clause   = 'CONF:', clause id, '==', literal id list, newline ;
clause id list    = clause id, {' ', clause id} ;
literal id list   = literal id, {' ', literal id} ;
clause id         = integer ;
literal id        = integer ;
variable id       = integer ;

Figure 5.4: EBNF syntax for zChaff proof traces
The second section of the proof file records variable assignments that are implied by the first section, and by other variable assignments. As an example, consider “VAR: 3 L: 2 V: 0 A: 1 Lits: 4 7”. This line states that variable 3 must be false (i.e. its value must be 0; “V: 1” marks true variables) at decision level 2, the antecedent being clause 1. The antecedent is a clause in which every literal except for the one containing the assigned variable must evaluate to false because of earlier variable assignments (or because the antecedent is already a unit clause). The antecedent's literals are given explicitly by zChaff, using an encoding that multiplies each variable by 2 and adds 1 for negative literals. (Thus the variable encoded by a literal n is given by n ÷ 2. The variable occurs positively if n mod 2 = 0, and negatively if n mod 2 = 1. Hence “Lits: 4 7” corresponds to the clause x2 ∨ ¬x3.) Our internal proof format does not allow us to record variable assignments directly, but we can translate them by observing that they correspond to unit clauses. For each variable assignment in zChaff's trace, a new clause identifier is generated (using the number of clauses derived in the first section as a basis, and the variable itself as the offset) and added as a key to the proof's table. The corresponding chain of clauses begins with the antecedent, and continues with the unit clauses associated to the explicitly given literals. We ignore both the value and the level information in zChaff's trace. The former is implicit in the derived unit clause (which contains the variable either positively or negatively), and the latter is implicit in the overall proof structure.

The last section of the proof file consists of a single line which specifies the conflict clause, a clause which has only false literals: e.g. “CONF: 3 == 4 6” says that clause 3 is the conflict clause. (Literals are encoded the same way as in the second section, so clause 3 would be x2 ∨ x3 in this case.) We translate this line into our internal proof format by generating a new clause identifier i which is added to the proof's table, with the conflict clause itself and the unit clauses for each of its variables forming the chain. Finally, we set the proof's second component to i.
For each resolution, we need to determine the pivot literals (i.e. the literals to be resolved on) before resolving two clauses. This could be done by directly comparing the two clauses, and searching for a term that occurs both positively and negatively. It turns out to be slightly faster however (and also more robust, since we make fewer assumptions about the actual implementation of clauses in Isabelle) to use our own data structure. With each clause, we associate a table that maps integers—one for each literal in the clause—to the prover term representation of a literal. The table is an inverse of the mapping from literals to integers that was constructed for the translation into DIMACS format, but restricted to the literals that actually occur in a clause. Positive integers are mapped to positive literals (atoms), and negative integers are mapped to negative literals (negated atoms). This way term negation simply corresponds to integer negation. The table associated with the result of a resolution step is the union of the two tables that were associated with the resolvents, but with the entries for the pivots removed.

MiniSat proof trace = {reference line | clause line | delete line}, conflict line ;
reference line     = 'R', clause id, '<=', literal id list, newline ;
clause line        = 'C', clause id, '<=', clause id,
                     {' ', variable id, ' ', clause id}, newline ;
delete line        = 'D', clause id, newline ;
conflict line      = 'X', clause id, ' ', clause id, newline ;
literal id list    = literal id, {' ', literal id} ;
clause id          = integer ;
literal id         = integer ;
variable id        = integer ;

Figure 5.5: EBNF syntax for MiniSat proof traces

MiniSat Proof Traces

The proof-logging version of MiniSat generates proof traces in a rather compact (and again undocumented) binary format. This is most likely because SAT competitions currently suggest a limit of 2 GB on proof traces. We use version 1.14p of MiniSat. John Matthews [101] has adapted this version so that it can produce readable proof traces in ASCII format, similar to those produced by zChaff. We describe the precise proof trace format, and its translation into our SML proof type. An Extended BNF syntax definition is shown in Figure 5.5.

MiniSat's proof traces, unlike zChaff's, are not divided into sections. They contain four different types of statements: “R” to reference original clauses, “C” for clauses derived via resolution, “D” to delete clauses that are not needed anymore, and “X” to indicate the end of proof. Aside from “X”, which must appear exactly once and at the end of the proof trace, the other statements may appear in any number and (almost) any order.
MiniSat does not implicitly assign identifiers to clauses in the original CNF formula. Instead, “R” statements, e.g. “R 0 <= -1 3 4”, are used to establish clause identifiers. This particular line introduces a clause identifier for the clause ¬x1 ∨ x3 ∨ x4, which must have been one of the original clauses in this example. (Note that MiniSat, unlike zChaff, uses the DIMACS encoding of literals in its proof trace.) Since our internal proof format uses different identifiers for the original clauses, the translation of MiniSat's proof trace into the internal format becomes parameterized by a renaming R of clause identifiers. An “R” statement does not affect the proof itself, but it extends the renaming R. The given literals are used to look up the identifier of the corresponding original clause, and the clause identifier introduced by the “R” statement is mapped to the clause's original (internal) identifier.
New clauses are derived from existing clauses via resolution chains. A typical line would be “C 7 <= 2 5 3 4 0”, meaning that a new clause with identifier 7 was derived by resolving clauses 2 and 3 (with x5 as the pivot variable), and resolving the result with clause 0 (with x4 as the pivot variable). In zChaff's notation, this would correspond to “CL: 7 <= 2 3 0”. We add this line to the proof's table just like for zChaff, but with one difference: MiniSat's clause identifiers cannot be used directly. Instead, we generate a new internal clause identifier for this line, extend the renaming R by mapping MiniSat's clause identifier (7 in this example) to the newly generated identifier, and apply R to the identifiers of resolvents as well.
Clauses that are not needed anymore can be indicated by a “D” statement, followed by a clause identifier. Currently we ignore any such statements. Making a beneficial use of them would require not only a modified proof format, but also a different algorithm for proof reconstruction.
Finally a line like “X 0 17” indicates the end of proof. The numbers are the minimum and maximum, respectively, identifiers of clauses used in the proof. We ignore the first identifier (which is usually 0 anyway), and use the second identifier, mapped from MiniSat's identifier scheme to our internal one by applying R, as the identifier of the empty clause, i.e. as the proof's second component.
There is one significant difference between MiniSat's and zChaff's proof traces that should have become apparent from the foregoing description. MiniSat, unlike zChaff, records the pivot variable for each resolution step in its trace, i.e. the variable that occurs positively in one clause partaking in the resolution, and negatively in the other. This information is redundant, as the pivot variable can always be determined from those two clauses: If two clauses containing more than one variable both positively and negatively were to be resolved, the resulting clause would be tautological, i.e. contain a variable and its negation. Both zChaff and MiniSat are smart enough to not derive such tautological clauses in the first place. We have decided to ignore the pivot information in MiniSat's traces, since proof reconstruction for zChaff requires the pivot variable to be determined anyway, and using MiniSat's pivot data would need a modified SML proof type. Hence there is minor potential for optimization wrt. replaying MiniSat proofs in our current implementation.

A Simple Example

We use a small example to illustrate the proof reconstruction. Consider the following input formula

φ ≡ (¬x1 ∨ x2) ∧ (¬x2 ∨ ¬x3) ∧ (x1 ∨ x2) ∧ (¬x2 ∨ x3).

Since φ is already in conjunctive normal form, preprocessing simply yields the theorem φ = φ. The corresponding DIMACS CNF file, aside from its header, contains one line for each clause in φ:

-1 2 0
-2 -3 0
1 2 0
-2 3 0

x1 ∨ x2   ¬x1 ∨ x2                x1 ∨ x2   ¬x1 ∨ x2
-------------------               -------------------
    ¬x2 ∨ x3   x2                    ¬x2 ∨ ¬x3   x2
    --------------                   ----------------
          x3                               ¬x3
          ----------------------------------------
                             ⊥

Figure 5.6: Resolution proof found by zChaff

zChaff and MiniSat easily detect that this problem is unsatisfiable. zChaff creates a text file with the following data:

CL: 4 <= 2 0
VAR: 2 L: 0 V: 1 A: 4 Lits: 4
VAR: 3 L: 1 V: 0 A: 1 Lits: 5 7
CONF: 3 == 5 6

We see that first a new clause, with identifier 4, is derived by resolving clause 2, x1 ∨ x2, with clause 0, ¬x1 ∨ x2. The pivot variable which occurs both positively (in clause 2) and negatively (in clause 0) is x1; this variable is eliminated by resolution.

Now the value of x2 (VAR: 2) can be deduced from clause 4 (A: 4). x2 must be true (V: 1). Clause 4 contains only one literal (Lits: 4), namely x2 (since 4 ÷ 2 = 2), occurring positively (since 4 mod 2 = 0)—recall the above section on zChaff proof traces for an explanation of the encoding of literals. This decision is made at level 0 (L: 0), before any decision at higher levels. Likewise, the value of x3 can then be deduced from clause 1, ¬x2 ∨ ¬x3. x3 must be false (V: 0).

Finally clause 3 is our conflict clause. It contains two literals, ¬x2 (since 5 ÷ 2 = 2, 5 mod 2 = 1) and x3 (since 6 ÷ 2 = 3, 6 mod 2 = 0). But we already know that both literals must be false, so this clause is not satisfiable.

In Isabelle, the resolution proof corresponding to zChaff's proof trace is constructed backwards from the conflict clause. A tree-like representation of the proof is shown in Figure 5.6. Note that information concerning the level of decisions, the actual value of variables, or the literals that occur in a clause is redundant in the sense that it is not needed by Isabelle to validate zChaff's proof. The clause x2, although used twice in the proof, is derived only once during resolution (and reused the second time), saving one resolution step in this example.
The proof trace produced by MiniSat for the same problem happens to encode a different resolution proof:

R 0 <= -1 2
R 1 <= -2 -3
R 2 <= 1 2
R 3 <= -2 3

C 4 <= 3 3 1
C 5 <= 0 2 4
C 6 <= 2 2 4
C 7 <= 5 1 6
X 0 7

¬x2 ∨ x3   ¬x2 ∨ ¬x3                ¬x2 ∨ x3   ¬x2 ∨ ¬x3
---------------------               ---------------------
    ¬x1 ∨ x2   ¬x2                      x1 ∨ x2   ¬x2
    --------------                      -------------
          ¬x1                                x1
          -----------------------------------------
                              ⊥

Figure 5.7: Resolution proof found by MiniSat

The first four lines introduce clause identifiers for all four clauses in the original problem, in their original clause order as well (effectively making the renaming R from MiniSat's clause identifiers to their internal clause identifiers the identity in this case). The next four lines define four new clauses (one clause per line), derived by resolution. Clause 4 is the result of resolving clause 3 (¬x2 ∨ x3) with clause 1 (¬x2 ∨ ¬x3), where x3 is used as pivot literal. Hence clause 4 is equal to ¬x2. Likewise, clause 5 is the result of resolving clauses 0 and 4, and clause 6 is obtained by resolving clauses 2 and 4. Finally resolving clauses 5 and 6 yields the empty clause, which is assigned clause identifier 7. The full proof is shown in Figure 5.7.
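The translation of a MiniSat trace into the internal proof format with the renaming R, as an added Python example that is not the dissertation's SML code. It takes the DIMACS clauses of the input, implicitly numbered from 0 as in the text, and the trace; MINISAT_TRACE is a constructed copy of the trace shown above, and SHUFFLED_TRACE is a second, constructed trace for the same problem whose R lines number the original clauses differently, so that the renaming is no longer the identity. An R line that references a clause not present in the input is rejected rather than silently mapped.

```python
from typing import Dict, List, Tuple

Proof = Tuple[Dict[int, List[int]], int]      # mirror of Figure 5.3

def parse_minisat_trace(trace: str, original: List[List[int]]) -> Proof:
    """Translate a MiniSat proof trace (Figure 5.5) into the internal proof
    format, maintaining the renaming R from MiniSat's clause identifiers to
    internal ones.  `original` are the DIMACS clauses, numbered from 0 in
    file order; derived clauses get fresh internal identifiers from len(original)."""
    by_lits = {frozenset(c): i for i, c in enumerate(original)}
    R: Dict[int, int] = {}
    table: Dict[int, List[int]] = {}
    next_id = len(original)
    empty = None
    for line in trace.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "R":                    # R id <= lits : extends R only
            lits = frozenset(int(t) for t in tok[3:])
            if lits not in by_lits:
                raise ValueError("R references a clause not in the input: " + line)
            R[int(tok[1])] = by_lits[lits]
        elif tok[0] == "C":                  # C id <= c0 v1 c1 v2 c2 ...
            chain = tok[3::2]                # every other token: drop the pivots
            table[next_id] = [R[int(c)] for c in chain]
            R[int(tok[1])] = next_id
            next_id += 1
        elif tok[0] == "D":                  # deletions are ignored
            continue
        elif tok[0] == "X":                  # X min max : max is the empty clause
            empty = R[int(tok[2])]
        else:
            raise ValueError("unknown statement: " + line)
    if empty is None:
        raise ValueError("trace has no X line")
    return table, empty

# Constructed input: the four clauses of φ in DIMACS order (internal ids 0..3).
ORIGINAL = [[-1, 2], [-2, -3], [1, 2], [-2, 3]]

# Copy of the MiniSat trace shown above for this problem.
MINISAT_TRACE = """\
R 0 <= -1 2
R 1 <= -2 -3
R 2 <= 1 2
R 3 <= -2 3
C 4 <= 3 3 1
C 5 <= 0 2 4
C 6 <= 2 2 4
C 7 <= 5 1 6
X 0 7
"""

# Constructed variant: the same proof, but MiniSat numbers the original
# clauses differently, so R is not the identity here.
SHUFFLED_TRACE = """\
R 0 <= -2 3
R 1 <= -2 -3
R 2 <= 1 2
R 3 <= -1 2
C 4 <= 0 3 1
C 5 <= 3 2 4
C 6 <= 2 2 4
C 7 <= 5 1 6
X 0 7
"""

if __name__ == "__main__":
    print(parse_minisat_trace(MINISAT_TRACE, ORIGINAL))
    print(parse_minisat_trace(SHUFFLED_TRACE, ORIGINAL))
```

Both traces translate to the same internal proof ({4: [3, 1], 5: [0, 4], 6: [2, 4], 7: [5, 6]}, 7): the lookup of original clauses by their literal set, and the renaming of derived identifiers, make the result independent of MiniSat's numbering.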

Proof Trace Compaction

Before proof reconstruction begins, we can remove redundant and unused information from the proof trace. This can be done without proof, saving time.

An obvious optimization is the removal of unused clauses. During proof search, the SAT solver may derive many clauses that are never used to derive the empty clause. Since the proof is logged to file on the fly, these derivations end up in the final proof trace. Instead of replaying the whole proof trace in chronological order, we perform “backwards” proof reconstruction, starting with the identifier of the empty clause, and recursively proving only the required resolvents using depth-first search.

While some clauses may not be needed at all, others may be used multiple times in the resolution proof. It would be inefficient to prove these clauses more than once. Therefore all clauses are stored in an associative array, keyed on their clause identifier, and upon first use converted into the sequent representation described in Section 5.3.3 below. Reusing a clause merely causes an array lookup.

This suggests that it could be beneficial to analyze resolution chains in more detail. Often very similar chains occur in a proof, differing only in a clause or two. Common parts of resolution chains could be stored as additional lemmas (which need to be derived only once), thereby reducing the total number of resolution steps. Hasan Amjad reports on some preliminary results in [7], but we leave a detailed evaluation of this idea for future work.
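The zChaff trace translation described under “zChaff Proof Traces” together with the backwards, memoized proof reconstruction just described, as an added Python example that is not the dissertation's SML code. Only clauses the empty clause depends on are derived, each at most once, and the pivot of every step is found by comparing the two clauses (the text uses a per-clause literal table instead). ZCHAFF_TRACE is a constructed copy of the trace of the simple example; the identifiers chosen for the unit clauses (next free identifier plus variable number) and for the conflict line follow the text's description, and the number of variables is assumed to be read off the input clauses.

```python
from typing import Dict, FrozenSet, List, Tuple

Clause = FrozenSet[int]                        # DIMACS-style literals
Proof = Tuple[Dict[int, List[int]], int]       # mirror of Figure 5.3

def parse_zchaff_trace(trace: str, original: List[List[int]]) -> Proof:
    """Translate a zChaff proof trace (Figure 5.4) into the internal format.
    Original clauses have ids 0..n-1, CL lines carry zChaff's own ids, each
    VAR line becomes a unit clause with id base+variable (base = next free id
    after the CL section), and the CONF line becomes the empty clause."""
    table: Dict[int, List[int]] = {}
    nvars = max(abs(l) for c in original for l in c)
    base = len(original)
    lines = [ln.split() for ln in trace.strip().splitlines() if ln.split()]
    for tok in lines:
        if tok[0] == "CL:":                    # CL: id <= c1 c2 ... cn
            table[int(tok[1])] = [int(t) for t in tok[3:]]
            base = max(base, int(tok[1]) + 1)
    unit = lambda var: base + var              # id of the unit clause for var
    empty = None
    for tok in lines:
        if tok[0] == "VAR:":                   # VAR: v L: l V: b A: ante Lits: ...
            var, ante = int(tok[1]), int(tok[7])
            others = [unit(int(t) // 2) for t in tok[9:] if int(t) // 2 != var]
            table[unit(var)] = [ante] + others
        elif tok[0] == "CONF:":                # CONF: id == lits
            empty = base + nvars + 1
            table[empty] = [int(tok[1])] + [unit(int(t) // 2) for t in tok[3:]]
    if empty is None:
        raise ValueError("trace has no CONF: line")
    return table, empty

def resolve(c1: Clause, c2: Clause) -> Clause:
    """Propositional resolution; the pivot is the unique literal occurring in
    c1 and negated in c2.  Zero or several pivots mean the step is illegal."""
    pivots = [l for l in c1 if -l in c2]
    if len(pivots) != 1:
        raise ValueError("no unique pivot between %s and %s" % (sorted(c1), sorted(c2)))
    p = pivots[0]
    return (c1 - {p}) | (c2 - {-p})

def replay(proof: Proof, original: List[List[int]]) -> int:
    """Backwards proof reconstruction: derive only the clauses the empty
    clause depends on, depth-first, each at most once.  Returns the number of
    resolution steps; raises if the proof is invalid or circular."""
    table, empty = proof
    derived: Dict[int, Clause] = {i: frozenset(c) for i, c in enumerate(original)}
    in_progress = set()
    steps = 0

    def clause(i: int) -> Clause:
        nonlocal steps
        if i in derived:                       # original, or already replayed
            return derived[i]
        if i in in_progress:
            raise ValueError("circular dependency at clause %d" % i)
        if i not in table:
            raise ValueError("unknown clause id %d" % i)
        in_progress.add(i)
        chain = table[i]
        acc = clause(chain[0])
        for j in chain[1:]:
            acc = resolve(acc, clause(j))
            steps += 1
        in_progress.discard(i)
        derived[i] = acc
        return acc

    if clause(empty):
        raise ValueError("final clause is not empty")
    return steps

def is_valid(trace: str, original: List[List[int]]) -> bool:
    """True iff the trace replays to the empty clause without an error."""
    try:
        replay(parse_zchaff_trace(trace, original), original)
        return True
    except ValueError:
        return False

# Constructed input: the clauses of φ and a copy of zChaff's trace for them.
ORIGINAL = [[-1, 2], [-2, -3], [1, 2], [-2, 3]]
ZCHAFF_TRACE = """\
CL: 4 <= 2 0
VAR: 2 L: 0 V: 1 A: 4 Lits: 4
VAR: 3 L: 1 V: 0 A: 1 Lits: 5 7
CONF: 3 == 5 6
"""

if __name__ == "__main__":
    print("resolution steps:", replay(parse_zchaff_trace(ZCHAFF_TRACE, ORIGINAL), ORIGINAL))
```

On the example the replay performs four resolution steps: x2 is derived once and reused, as the text notes. A trace whose CL line names the wrong resolvent is rejected because some later step has no unique pivot, which is the kind of failure the text attributes to a solver bug or a broken translation.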

5.3.3 Clause Representations

The task of proof reconstruction is to derive False from the original clauses, using information from a value of type proof (which represents a resolution proof found by a SAT solver). This can be done in various ways. In particular the precise representation of the problem as an Isabelle/HOL theorem (or a collection of Isabelle/HOL theorems) turns out to be crucial for performance.

Naive HOL Representation

In an early implementation [165], the whole problem was represented as a single theorem (φ* =⇒ False) =⇒ (φ* =⇒ False), where φ* was completely encoded in HOL as a conjunction of disjunctions. Step by step, this theorem was then modified to reduce the antecedent φ* =⇒ False to True, which would eventually prove φ* =⇒ False.

This was extremely inefficient for two reasons. First, every resolution step required manipulation of the whole (possibly huge) problem at once. Second, and just as important, SAT solvers treat clauses as sets of literals, making implicit use of associativity, commutativity and idempotence of disjunction. Likewise, CNF formulae are treated as sets of clauses, making implicit use of the same properties for conjunction. The encoding in HOL however required numerous explicit rewrites (with theorems like (P ∨ Q) = (Q ∨ P)) to reorder clauses and literals before each resolution step. Detailed performance figures may be found in [165].

Separate Clauses Representation

A better representation of the CNF formula was discussed in [58]. So far we have mostly considered theorems of the form ⊢ φ in this chapter, i.e. with no hypotheses. This was motivated by the normal user-level view of theorems, where assumptions are encoded using (meta) implication =⇒, rather than hypotheses. Isabelle's inference kernel however provides rules that let us convert between hypotheses and implications as we like:

$$\frac{}{\{\varphi\} \vdash \varphi}\ \mathrm{Assume} \qquad \frac{\Gamma \vdash \psi}{\Gamma \setminus \{\varphi\} \vdash \varphi \Longrightarrow \psi}\ \mathrm{impI} \qquad \frac{\Gamma \vdash \varphi \Longrightarrow \psi \qquad \Delta \vdash \varphi}{\Gamma \cup \Delta \vdash \psi}\ \mathrm{impE}$$

In [58], each clause $p_1 \lor \dots \lor p_n$ is encoded as an implication $\overline{p_1} \Longrightarrow \dots \Longrightarrow \overline{p_n} \Longrightarrow \mathit{False}$ (where $\overline{p_i}$ denotes the negation normal form of $\lnot p_i$, for $1 \le i \le n$), and turned into a separate theorem $\{p_1 \lor \dots \lor p_n\} \vdash [\![\overline{p_1}; \dots; \overline{p_n}]\!] \Longrightarrow \mathit{False}$.

This allows resolution to operate on comparatively small objects, and resolving two clauses $\Gamma \vdash [\![\overline{p_1}; \dots; \overline{p_n}]\!] \Longrightarrow \mathit{False}$ and $\Delta \vdash [\![\overline{q_1}; \dots; \overline{q_m}]\!] \Longrightarrow \mathit{False}$, where $\lnot p_i = q_j$ for some $i$ and $j$, essentially becomes an application of the cut rule. The first clause is rewritten to $\Gamma \vdash [\![\overline{p_1}; \dots; \overline{p_{i-1}}; \overline{p_{i+1}}; \dots; \overline{p_n}]\!] \Longrightarrow \lnot p_i$. A derived tactic then performs the cut to obtain

$$\Gamma \cup \Delta \vdash [\![\overline{q_1}; \dots; \overline{q_{j-1}}; \overline{p_1}; \dots; \overline{p_{i-1}}; \overline{p_{i+1}}; \dots; \overline{p_n}; \overline{q_{j+1}}; \dots; \overline{q_m}]\!] \Longrightarrow \mathit{False}$$

from the two clauses. Note that this representation, while breaking apart the given clauses into separate theorems allows us to view the CNF formula as a set of clauses, still does not allow

us to view each individual clause as a set of literals. Some reordering of literals is necessary before cuts can be performed, and after each cut, duplicate literals have to be removed from the result. This representation improved on the proof replay times reported in [165] by up to two orders of magnitude. Detailed numbers are given in [58].

Sequent Representation

We can further exploit the fact that the inference kernel treats a theorem's hypotheses as a set of formulae, by encoding each clause using hypotheses only. Consider the following representation of a clause $p_1 \lor \dots \lor p_n$ as a theorem:

$$\{p_1 \lor \dots \lor p_n, \overline{p_1}, \dots, \overline{p_n}\} \vdash \mathit{False}.$$

Resolving two clauses $p_1 \lor \dots \lor p_n$ and $q_1 \lor \dots \lor q_m$, where $\lnot p_i = q_j$, now starts with two applications of the impI rule to obtain theorems

$$\{p_1 \lor \dots \lor p_n, \overline{p_1}, \dots, \overline{p_{i-1}}, \overline{p_{i+1}}, \dots, \overline{p_n}\} \vdash \lnot p_i \Longrightarrow \mathit{False}$$

and

$$\{q_1 \lor \dots \lor q_m, \overline{q_1}, \dots, \overline{q_{j-1}}, \overline{q_{j+1}}, \dots, \overline{q_m}\} \vdash p_i \Longrightarrow \mathit{False}.$$

We then instantiate a previously proven lemma

$$(P \Longrightarrow \mathit{False}) \Longrightarrow (\lnot P \Longrightarrow \mathit{False}) \Longrightarrow \mathit{False}$$

(where $P$ is an arbitrary proposition) with $p_i$ for $P$. Instantiation is another basic operation provided by Isabelle's inference kernel. Finally two applications of impE yield

$$\{p_1 \lor \dots \lor p_n, \overline{p_1}, \dots, \overline{p_{i-1}}, \overline{p_{i+1}}, \dots, \overline{p_n}\} \cup \{q_1 \lor \dots \lor q_m, \overline{q_1}, \dots, \overline{q_{j-1}}, \overline{q_{j+1}}, \dots, \overline{q_m}\} \vdash \mathit{False}.$$

This approach requires no explicit reordering of literals anymore, nor removal of duplicate literals after resolution. That is all handled by the inference kernel now, which treats a theorem's hypotheses as a set of formulae (implemented as an ordered list internally). The sequent representation is as close to a SAT solver's view of clauses as sets of literals as is possible in Isabelle/HOL. With this representation, we do not rely on derived rules to perform resolution, but we gave a precise specification in terms of a few inference rules of natural deduction.
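The sequent representation and the resolution step just specified (two impI, one lemma instantiation, two impE), as an added Python example that is not Isabelle's kernel or the dissertation's code. It models a minimal LCF-style kernel in which a theorem is a set of hypotheses plus a conclusion, so that forming the union of hypotheses removes duplicates for free, exactly the property the text relies on. The clause-to-sequent conversion uses ¬E and ∨E, two further rules assumed for the toy kernel; the cut lemma is taken as an axiom schema here, whereas in Isabelle/HOL it is a proven lemma that is only instantiated. The clauses and the replayed proof are those of the simple example (zChaff's proof, Figure 5.6).

```python
from typing import FrozenSet

FALSE = ("False",)

class Thm:
    """LCF-style theorem: a set of hypotheses and one conclusion.  Only the
    rule functions below construct instances; that is the whole soundness
    argument of this toy kernel."""
    __slots__ = ("hyps", "concl")
    def __init__(self, hyps, concl):
        self.hyps: FrozenSet = frozenset(hyps)
        self.concl = concl

# --- kernel rules: the text's Assume, impI, impE, plus ¬E and ∨E ----------
def assume(phi):                          # {φ} ⊢ φ
    return Thm({phi}, phi)

def impI(thm, phi):                       # Γ ⊢ ψ  /  Γ \ {φ} ⊢ φ ⟹ ψ
    return Thm(thm.hyps - {phi}, ("imp", phi, thm.concl))

def impE(imp, prem):                      # Γ ⊢ φ ⟹ ψ, Δ ⊢ φ  /  Γ ∪ Δ ⊢ ψ
    assert imp.concl[0] == "imp" and imp.concl[1] == prem.concl
    return Thm(imp.hyps | prem.hyps, imp.concl[2])

def notE(neg, pos):                       # Γ ⊢ ¬φ, Δ ⊢ φ  /  Γ ∪ Δ ⊢ False
    assert neg.concl == ("not", pos.concl)
    return Thm(neg.hyps | pos.hyps, FALSE)

def disjE(disj, left, right):             # Γ ⊢ φ∨ψ, Δ ⊢ φ⟹χ, Θ ⊢ ψ⟹χ  /  Γ∪Δ∪Θ ⊢ χ
    _, phi, psi = disj.concl
    chi = left.concl[2]
    assert left.concl == ("imp", phi, chi) and right.concl == ("imp", psi, chi)
    return Thm(disj.hyps | left.hyps | right.hyps, chi)

def cut_lemma(atom):                      # (P ⟹ False) ⟹ (¬P ⟹ False) ⟹ False, P := atom
    # Axiom schema in this toy kernel (a proven lemma in Isabelle/HOL).
    return Thm((), ("imp", ("imp", atom, FALSE),
                    ("imp", ("imp", ("not", atom), FALSE), FALSE)))

# --- derived operations -----------------------------------------------------
def refute(thm):
    """From Γ ⊢ C, C a disjunction of literals, derive Γ ∪ {p̄_i} ⊢ False:
    literals are refuted with ¬E against an assumed complement, disjunctions
    are split with ∨E."""
    c = thm.concl
    if isinstance(c, tuple) and c[0] == "or":
        left = impI(refute(assume(c[1])), c[1])
        right = impI(refute(assume(c[2])), c[2])
        return disjE(thm, left, right)
    if isinstance(c, tuple) and c[0] == "not":     # literal ¬a: hypothesis a
        return notE(thm, assume(c[1]))
    return notE(assume(("not", c)), thm)           # literal a: hypothesis ¬a

def clause_sequent(clause):
    """{p1 ∨ ... ∨ pn, p̄1, ..., p̄n} ⊢ False, the sequent representation."""
    return refute(assume(clause))

def resolve(pos, neg, atom):
    """Resolve two sequents on `atom`: `pos` contains the literal a (hence has
    hypothesis ¬a), `neg` contains ¬a (hence has hypothesis a).  Two impI,
    one lemma instantiation and two impE, as in the text."""
    assert ("not", atom) in pos.hyps and atom in neg.hyps
    a_imp = impI(neg, atom)                 # ... ⊢ a ⟹ False
    na_imp = impI(pos, ("not", atom))       # ... ⊢ ¬a ⟹ False
    return impE(impE(cut_lemma(atom), a_imp), na_imp)

def disj(*lits):                          # right-nested disjunction p1 ∨ (p2 ∨ ...)
    return lits[0] if len(lits) == 1 else ("or", lits[0], disj(*lits[1:]))

# Constructed example: the four clauses of φ from the simple example.
x1, x2, x3 = "x1", "x2", "x3"
C0 = disj(("not", x1), x2)
C1 = disj(("not", x2), ("not", x3))
C2 = disj(x1, x2)
C3 = disj(("not", x2), x3)

def replay_example():
    """Replay zChaff's proof (Figure 5.6) on the sequent representation; the
    final theorem has exactly the four clauses as hypotheses and False as
    conclusion, all literal hypotheses having been discharged."""
    s0, s1, s2, s3 = map(clause_sequent, (C0, C1, C2, C3))
    c4 = resolve(s2, s0, x1)                # x2, derived once and reused
    pos_x3 = resolve(c4, s3, x2)            # x3
    neg_x3 = resolve(c4, s1, x2)            # ¬x3
    return resolve(pos_x3, neg_x3, x3)      # ⊥

if __name__ == "__main__":
    print(sorted(map(str, replay_example().hyps)))
```

Because hypotheses are a set, the theorem for x2 is used in two resolutions without any duplicate-removal step, and the final theorem's hypotheses are precisely {C0, C1, C2, C3}: the sequent representation keeps only the clauses that the proof actually used, which is the point made for it under “CNF Sequent Representation” below.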

CNF Sequent Representation

The sequent representation has the disadvantage that each clause contains itself as a hypothesis. Since hypotheses are accumulated during resolution, this leads to larger and larger sets of hypotheses, which will eventually contain every clause used in the resolution proof as an individual term. Forming the union of these sets takes the kernel a significant amount of time. It is therefore faster to use a slightly different clause representation, where each clause contains the whole CNF formula φ* as a hypothesis. Let $\varphi^* \equiv \bigwedge_{i=1}^{k} C_i$, where $k$ is the number of clauses. Using the Assume rule, we obtain a theorem $\{\bigwedge_{i=1}^{k} C_i\} \vdash \bigwedge_{i=1}^{k} C_i$. Repeated elimination of

conjunction yields a list of theorems $\{\bigwedge_{i=1}^{k} C_i\} \vdash C_1, \dots, \{\bigwedge_{i=1}^{k} C_i\} \vdash C_k$. Each of these theorems is then converted into the sequent form described above, with literals as hypotheses and False as the theorem's conclusion. Now, throughout the entire proof, the set of hypotheses for each clause consists of a single term $\bigwedge_{i=1}^{k} C_i$ and the clause's literals only. It is therefore much smaller than before, which speeds up resolution.

Furthermore, memory requirements do not increase significantly: the term $\bigwedge_{i=1}^{k} C_i$ needs to be kept in memory only once, and can be shared between different clauses. This can also be exploited when the union of hypotheses is formed (assuming that the inference kernel and the underlying SML system support it): a simple pointer comparison is sufficient to determine that both theorems contain $\bigwedge_{i=1}^{k} C_i$ as a hypothesis (and hence that the resulting theorem needs to contain it only once); no lengthy term traversal is required. Thus, even though the size of the sequent using this representation increases in terms of the number of symbols, there is no detrimental effect on either performance or memory use.

We should mention that this representation of clauses, despite its superior performance, has a small downside. The resulting theorem always has every given clause as a premise, while the theorem produced by the sequent representation only has those clauses as premises that were actually used in the proof. To obtain the latter, logically stronger theorem, the resolution proof can be analyzed to identify the clauses that are used in the proof, and the unused ones can be filtered out before proof reconstruction.

5.4 Evaluation

Isabelle/HOL offers three major automatic proof tactics: auto, which performs simplification and splitting of a goal, blast [136], a tableau-based prover, and fast, which searches for a proof using standard Isabelle inference. Details can be found in [125]. In [165], we compared the performance of proof reconstruction with the naive HOL representation to that of Isabelle's existing proof procedures. As benchmarks we used all 42 problems contained in version 2.6.0 of the TPTP library [155] that have a representation in propositional logic. The problems were negated, so that unsatisfiable problems became provable.

We found that 19 of these 42 problems are rather easy, and were solved in less than a second each by both the existing tactics and the SAT solver approach. Table 5.1 shows the times (in seconds) that Isabelle's procedures and our first implementation—using the naive HOL encoding—required to solve the remaining 23 problems. These timings were obtained on a machine with a 3 GHz Intel Xeon CPU and 1 GB of main memory. An x indicates that the procedure ran out of memory or failed to terminate within an hour. The timings in the SAT column include preprocessing time, zChaff solving time, and proof reconstruction in Isabelle. None of the existing tactics could prove more than 7 of the 16 unsatisfiable problems with the given time and memory constraints. The SAT solver approach however solved all, and only the first problem, MSC007-1.008, took a significant amount of time to prove in Isabelle. Moreover, all existing tactics timed out on the 7 satisfiable problems (failing to notice that their negation is unprovable), while zChaff quickly provided counterexamples for each of them. We conclude that on propositional problems, already our first, rather inefficient implementation of SAT proof reconstruction was clearly superior to Isabelle's built-in proof procedures.
Problem            Status   auto     blast    fast     SAT
MSC007-1.008       unsat.   x        x        x        726.5
NUM285-1           sat.     x        x        x        0.2
PUZ013-1           unsat.   0.5      x        5.0      0.1
PUZ014-1           unsat.   1.4      x        6.1      0.1
PUZ015-2.006       unsat.   x        x        x        10.5
PUZ016-2.004       sat.     x        x        x        0.3
PUZ016-2.005       unsat.   x        x        x        1.6
PUZ030-2           unsat.   x        x        x        0.7
PUZ033-1           unsat.   0.2      6.4      0.1      0.1
SYN001-1.005       unsat.   x        x        x        0.4
SYN003-1.006       unsat.   0.9      x        1.6      0.1
SYN004-1.007       unsat.   0.3      822.2    2.8      0.1
SYN010-1.005.005   unsat.   x        x        x        0.4
SYN086-1.003       sat.     x        x        x        0.1
SYN087-1.003       sat.     x        x        x        0.1
SYN090-1.008       unsat.   13.8     x        x        0.5
SYN091-1.003       sat.     x        x        x        0.1
SYN092-1.003       sat.     x        x        x        0.1
SYN093-1.002       unsat.   1290.8   16.2     1126.6   0.1
SYN094-1.005       unsat.   x        x        x        0.8
SYN097-1.002       unsat.   x        19.2     x        0.2
SYN098-1.002       unsat.   x        x        x        0.4
SYN302-1.003       sat.     x        x        x        0.4

Table 5.1: Runtimes (in seconds) for TPTP problems, naive HOL representation

Problem         Representation     SAT
MSC007-1.008    Naive HOL          726.5
                Sequent            7.8
                Separate Clauses   1.2
                CNF Sequent        0.7

Table 5.2: Runtimes (in seconds) for MSC007-1.008

This has become even more obvious with the new sequent representations that were discussed above. To give an impression of the effect that the different clause representations have on performance, Table 5.2 shows the different times required to prove problem MSC007-1.008 in Isabelle. The proof found by zChaff for this problem has 8,705 resolution steps. (MiniSat finds a proof with 40,790 resolution steps for the same problem, which is reconstructed in about 3.8 seconds total with the sequent representation, and in 1.9 seconds total with the CNF sequent representation.) The times to prove the other problems from Table 5.1 have decreased in a similar fashion and are well below one second each now.
This enables us to evaluate the performance on some significantly larger problems, such as pigeonhole instances and industrial problems taken from the SATLIB [73] library. These problems do not only push Isabelle's inference kernel to its limits, but also other components of the prover; in particular its term parser and pretty-printer. The TPTP problems were converted to Isabelle's input syntax by a Perl [164] script. This turned out to be infeasible for the larger SATLIB problems. The script still works fine for these problems, but Isabelle's parser (which is mainly intended for small, hand-crafted terms) is unable to parse the resulting theory files, which are several megabytes large, in reasonable time. Also, the prover's user interface is unable to display the resulting formulae. We have therefore implemented our own parser, which builds SML terms directly from DIMACS files, and we work entirely at the system's SML level, avoiding the usual user interface, to prove unsatisfiability.

CHAPTER 5. INTEGRATION OF PROOF-PRODUCING SAT SOLVERS

Problem         Variables  Clauses  Resolutions  zChaff  zChaff+  zverify_df  Isabelle
c7552mul.miter  11282      69529    242509       45      45       1.1         69
6pipe           15800      394739   310813       134     137      3.7         192
6pipe_6_ooo     17064      545612   782903       263     265      5.1         421
7pipe           23910      751118   497019       440     440      6.5         609

Table 5.3: Runtimes (in seconds) for SATLIB problems, CNF sequent representation

Problem     Variables  Clauses  Resolutions  zChaff  zChaff+  zverify_df  Isabelle
pigeon-7    56         204      8705         <1      <1       <0.1        <1
pigeon-8    72         297      25369        <1      <1       0.1         1
pigeon-9    90         415      73472        1       1        0.2         3
pigeon-10   110        561      215718       5       6        0.4         10
pigeon-11   132        738      601745       23      24       1.2         36
pigeon-12   156        949      3186775      242     247      6.5         315

Table 5.4: Runtimes (in seconds) for pigeonhole instances, CNF sequent representation
Statistics for four SATLIB problems (chosen from those that were used to evaluate zChaff's performance in [179]) are shown in Table 5.3. Runtimes for selected pigeonhole instances are given in Table 5.4. The time for zChaff is the time taken to solve the problem, without (zChaff) and with (zChaff+) proof logging. (Note that we measure CPU time only, which does not include time spent blocked on I/O. Measuring wall time is pointless because of other processes that may be running simultaneously.) The times reported for Isabelle are total times again, including zChaff solving time, proof replay, parsing of input and output files, and any other intermediate pre- and post-processing. These timings were obtained on a 1.87 GHz Pentium M notebook with 1.5 GB of main memory. Timings are rounded to the nearest second. For comparison, the run times for zChaff's own proof checker zverify_df [179] are shown as well, rounded to the nearest tenth of a second.¹

The proof logging version of MiniSat 1.14 ran out of memory on all problems in Table 5.3 except c7552mul.miter. This is probably because MiniSat 1.14 tends to find longer proofs than zChaff, which becomes costly when proof logging is enabled. The latest version of MiniSat often performs better than zChaff (considering the results of the 2006 SAT-Race competition [54]), but unfortunately it did not support proof logging at the time of writing. Therefore we do not give performance data for replaying MiniSat proofs.

Needless to say, none of the SATLIB problems can be solved automatically by Isabelle's built-in tactics. Only the smallest of the pigeonhole instances succumbs, and takes by far longer to do so. Pigeonhole instances are known to be pathologically hard problems for resolution proof systems [67]. Isabelle ran out of memory on the pigeonhole problem with 13 holes, even though zChaff found a proof in about 10 minutes. It is hard to do a fine-grained memory analysis,

¹ The version of zverify_df that comes with zChaff 2004.11.15 contains a minor bug (related to the decision level of variables) which increases its run time significantly. The above timings were measured with the bug fixed. Our bug fix has been incorporated into the 2007.3.12 release of zChaff.


but we can safely say that having to store terms rather than numbers in memory contributed to this failure. Proof checking in Isabelle/HOL, despite all optimizations that we have implemented, is about an order of magnitude slower than proof verification with zChaff's own proof checker, zverify_df, written in C++. This additional overhead is to be expected; it is the price that we have to pay for using an LCF-style theorem prover for higher-order logic, whose inference kernel is not geared towards propositional logic. However, we also see that proof reconstruction in Isabelle scales quite well with our latest implementation, and that it remains feasible even for large SAT problems.

In [168], we report timings for proof reconstruction in HOL4 and HOL Light. While comparing these values directly is of limited significance (because of fundamental differences like the underlying SML system and the kernels' implementation of theorems), it is still worth noting that our Isabelle/HOL implementation performs up to an order of magnitude better than the (conceptually similar) implementations of proof reconstruction in those provers.
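As an added example (not code from the thesis or from SATLIB), the following Python generates the pigeonhole family pigeon-n = PHP(n+1, n) used in Table 5.4 in DIMACS CNF, reads it back, and for very small n shows by exhaustive enumeration that the instances are unsatisfiable. The pairwise at-most-one encoding reproduces the variable and clause counts of Table 5.4; the pigeon-major variable numbering is an assumption and need not match the numbering in SATLIB's files.

```python
"""DIMACS generator for the pigeonhole family PHP(n+1, n) of Table 5.4.

Added example, not code from the thesis.  Variable numbering (pigeon-major)
is an assumption; SATLIB's own files may number variables differently.
"""
from itertools import combinations, product


def pigeon_var(pigeon, hole, holes):
    """1-based DIMACS variable for 'pigeon sits in hole' (pigeon-major order)."""
    return pigeon * holes + hole + 1


def pigeonhole_clauses(holes):
    """CNF of PHP(holes+1, holes): every pigeon gets a hole, no hole gets two."""
    pigeons = holes + 1
    clauses = []
    # at-least-one clause per pigeon: (p,1) v (p,2) v ... v (p,holes)
    for p in range(pigeons):
        clauses.append([pigeon_var(p, h, holes) for h in range(holes)])
    # at-most-one per hole, pairwise: not (p1,h) or not (p2,h)
    for h in range(holes):
        for p1, p2 in combinations(range(pigeons), 2):
            clauses.append([-pigeon_var(p1, h, holes), -pigeon_var(p2, h, holes)])
    return clauses


def num_vars(holes):
    return (holes + 1) * holes


def to_dimacs(holes):
    """Serialize pigeon-<holes> as DIMACS CNF (comment, header, clauses)."""
    clauses = pigeonhole_clauses(holes)
    lines = [f"c pigeon-{holes}: PHP({holes + 1},{holes}), constructed instance",
             f"p cnf {num_vars(holes)} {len(clauses)}"]
    lines += [" ".join(str(lit) for lit in c) + " 0" for c in clauses]
    return "\n".join(lines) + "\n"


def parse_dimacs(text):
    """Minimal DIMACS reader; checks the header's clause count against the body."""
    nvars, expected, clauses = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("c"):
            continue
        if line.startswith("p"):
            _, fmt, nv, nc = line.split()
            if fmt != "cnf":
                raise ValueError("not a CNF file")
            nvars, expected = int(nv), int(nc)
            continue
        lits = [int(t) for t in line.split()]
        if not lits or lits.pop() != 0:
            raise ValueError("clause line must end with 0")
        clauses.append(lits)
    if expected is not None and expected != len(clauses):
        raise ValueError("header/clause count mismatch")
    return nvars, clauses


def brute_force_satisfiable(nvars, clauses):
    """Exhaustive search over 2^nvars assignments; only feasible for tiny n."""
    for bits in product((False, True), repeat=nvars):
        if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses):
            return True
    return False


if __name__ == "__main__":
    print(to_dimacs(2), end="")
    for n in (7, 8, 9, 10, 11, 12):
        print(f"pigeon-{n}: {num_vars(n)} variables, {len(pigeonhole_clauses(n))} clauses")
```

Exhaustive enumeration already becomes impractical at four holes, which is exactly why such instances are handed to a SAT solver; the resolution counts in Table 5.4 show how fast even the solver's refutations grow with n.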

5.5 Persistent Theorems

We have seen that SAT solvers can greatly enhance Isabelle's abilities. The same holds true for other automated theorem provers, e.g. for first-order logic [113] or Satisfiability Modulo Theories (SMT) [77]. Verification of proof scripts becomes more difficult however. A user who wants to verify an Isabelle proof script that invokes external tools not only has to install Isabelle itself, but also those additional programs. Essentially, verification of proof scripts is restricted to systems which have a very similar configuration, and setting up a system so that proof scripts which rely on external tools become verifiable can be a cumbersome task.
Proof terms, which were implemented for Isabelle by Stefan Berghofer [23], suggest a simple solution to make the verification of proof scripts more independent of the presence and configuration of external tools. Proof terms encode the proof of a theorem in terms of primitive inference rules. They can be significantly larger than proof scripts (since the invocation of a powerful automated tactic from a script may result in a large number of primitive inferences—our SAT-solver based tactic is a good example of this). But while turning proof scripts into theorems requires not only full Isabelle, but potentially also a number of external tools, proof terms on the other hand can be verified by a very simple proof checker, which comprises a few dozen lines of code only.
We have implemented a tactical (a function which transforms proof tactics) in SML that turns a given tactic, say t, into one that potentially uses proof terms. Our implementation proceeds as follows. Given t's input theorem φ, we first attempt to read a proof term that proves the conclusion of φ from a file on disk. A 32-bit hash function (taken from [146]) is used to compute the fixed-length file name. Chaining is employed to deal with potential hash collisions. We have applied the hash function to Isabelle's entire theorem library however, and there are no hash collisions in the library at the time of writing.
If reading the proof term (and turning it into a theorem that proves the conclusion of φ, using the simple proof checker that is integrated with Isabelle) succeeds, we are done. In this case we can simply return the theorem, with no need to apply the original tactic t. This is the case that allows verification of proof scripts by the core Isabelle system (and in fact by the proof checker component only), if the necessary proof terms are given together with the proof script.

Figure 5.8: Persistent theorems
Reading the proof term from disk may fail for several reasons. Perhaps the file does not exist, or it does not contain a valid proof, or the term in the file proves a different theorem. In this case we apply the tactic t (which may call external provers) to the given input theorem. This yields a sequence of successor theorems, of which we only consider the first. (We can save proof terms for a single theorem to disk, but not for a possibly infinite sequence of theorems—at least not easily.) This theorem's proof term is stored in the aforementioned file (as an XML [28] document to simplify parsing and enhance portability), so that future invocations of the adapted tactic can retrieve it from there. In addition, the theorem is returned as the tactic's result.

A flowchart depicting the algorithm and the different data formats involved is given in Figure 5.8. To summarize, this approach allows us to easily turn a tactic which may require a number of external tools into one that attempts to read a proof term from a file first, and performs the original computation only if this fails. The same tactic can be used both to produce the proof terms when they are not present (provided the required external tools are available), and to verify them when they are. Proof scripts that use such a tactic can be verified on systems where the necessary external provers are configured, and also on systems where they aren't, if the proof term files are available.

5.6 Conclusion

The SAT solver approach dramatically outperforms the automatic procedures that were previously available in Isabelle/HOL. With the help of MiniSat or zChaff, many formulae that were previously out of the scope of Isabelle's built-in tactics can now be proved—or refuted—automatically, often within seconds. Isabelle's applicability as a tool for formal verification, where large propositional problems occur in practice, has thereby improved considerably.

Furthermore, using the data structures and optimizations described in this chapter, proof reconstruction for propositional logic scales quite well even to large SAT problems and proofs with millions of resolution steps. The additional confidence gained by using an LCF-style prover to check the proof obviously comes at a price (in terms of running time), but it's not nearly as expensive as one might have expected after earlier implementations.

While improving the performance of proof reconstruction, we discovered inefficiencies in the implementation of the Isabelle kernel. Subsequently the prover implementation was modified, and these inefficiencies were removed. Tuning an implementation to the extent presented here requires a great deal of familiarity with the underlying theorem prover. Nevertheless our results are applicable beyond Isabelle/HOL, to really any prover that supports propositional logic and is able to simulate propositional resolution.

We did not find any soundness bugs in the SAT solvers during proof reconstruction. This is not surprising, since the solvers had already been tested thoroughly on all the problems evaluated above. We did note an odd completeness bug in the verifier bundled with zChaff, which refuses to verify a proof of unsatisfiability if the original problem contains trivial clauses. Definitional CNF conversions often generate trivial clauses, so in our setting this is perhaps more important than for the usual verification of unsatisfiable SATLIB problems.

Regarding the proofs produced by SAT solvers, we would like to emphasize the importance of having a well-documented standard, similar to what the DIMACS format is for a SAT solver's input. At present, the mere fact that different solvers use different (and partially undocumented) proof formats makes their integration a bit more of an engineering challenge than it would have to be. Also, solver developers need to be aware that even trivial preprocessing steps (like reordering of clauses) may need to be reproduced in the proof checker. Therefore these steps should (perhaps optionally) be logged in the proof trace as well, or the checker must implement the same preprocessing algorithm as the solver.

We have already mentioned some possible directions for future work. There is probably not very much potential left to optimize the implementation of resolution itself at this point. However, to further improve the performance of proof reconstruction, it could be beneficial to analyze the resolution proof found by the SAT solver in more detail. Merging similar resolution chains may reduce the overall number of resolutions required, and pre-sorting resolutions may help to derive shorter clauses during the proof, which should improve the performance of individual resolution steps. Some preliminary results along these lines are reported in [7]. Also preprocessing of CNF formulae for SAT solvers has recently shown very promising results [52, 8], so it might be worthwhile to integrate a preprocessing SAT solver with an LCF-style prover. Note that this is not a trivial task, as the preprocessing must be mimicked inside the HOL prover in a proof-producing fashion.

The approach presented in this chapter has applications beyond propositional reasoning. The decision problem for rich logics (or fragments thereof) can be reduced to SAT [11, 154, 110, 139]. Consequently, proof reconstruction for propositional logic can serve as a foundation for proof reconstruction for other logics. Based on our work, only a proof-generating implementation of the reduction is needed to integrate the more powerful, yet SAT-based decision procedure with an LCF-style theorem prover. This has already been used to integrate the SMT solver haRVey with Isabelle [76, 77]. haRVey, like other SMT systems, uses various decision procedures (e.g. congruence closure for uninterpreted functions) on top of a SAT solver.

Chapter 6

Conclusion

Every solution breeds new problems.
Arthur Bloch, born 1948

This chapter summarizes the results presented in this thesis, and gives directions for possible future work.

6.1 Summary

In this thesis, we have presented a finite model generation algorithm for higher-order logic. The main theoretical contribution is a correctness proof for the underlying translation from higher-order logic to propositional logic. On the practical side, we have achieved a seamless integration of the model generator with Isabelle/HOL. In particular its support for many specification techniques available in this logic, including datatypes, recursive functions, type classes, records, set types, etc., makes the model generator applicable to a wide class of conjectures stated in the theorem prover. If a counterexample is found, it is displayed to the user, potentially saving a significant amount of time otherwise spent on fruitless proof attempts.

The successful application of the model generator to three case studies, namely to obtain a correctness proof for an abstract version of the RSA-PSS security protocol, counterexamples to conjectures about probabilistic programs, and a Sudoku solver, shows that the algorithm is of practical utility. For the second case study, an abstract model of probabilistic programs was developed that is susceptible to counterexample search via finite model generation, thereby contributing to the theory of probabilistic programs.

The LCF-style integration of zChaff and MiniSat with Isabelle/HOL that has been presented in Chapter 5 shows that an interactive theorem prover for higher-order logic can serve as a viable proof checker for propositional resolution proofs with millions of proof steps. Our optimization techniques are applicable also to other higher-order logic theorem provers, e.g. to HOL4 and HOL Light. The use of state-of-the-art SAT solvers has greatly improved Isabelle's performance on propositional problems, thereby enhancing its applicability for hardware and software verification, where many problems can be encoded in propositional logic. A prototype implementation of persistent proofs makes the verification of proof scripts independent of external tools; this can facilitate the exchange of proof scripts between different Isabelle installations.

6.2 Future Work

To conclude, we give directions for possible future work. Some of the following research questions arose directly from the work presented in this thesis, while others are linked to alternative approaches that we did not investigate in detail.

Integration with Isabelle. The model generator that was presented in this thesis has been integrated with Isabelle/HOL, and it supports various definitional mechanisms and extensions that this logic offers, most notably recursive datatypes. Isabelle/HOL continues to evolve however, and support for some of its features is currently lacking or incomplete. In particular the model generator is not yet context-aware. This applies both to theory contexts (called locales in Isabelle [13]) and proof contexts [14], which permit e.g. local definitions in proofs. The model generator could also be integrated with Isabelle's metalogic, Isabelle/Pure (see Section 3.3), and consequently be made available for other object logics, e.g. Zermelo-Fraenkel set theory. Both issues are mainly software engineering tasks. The model generator, due to its tight integration with Isabelle, inevitably depends on the internal interfaces of some of Isabelle/HOL's packages. It will therefore continue to evolve as these interfaces change over time.

Optimizations. Our focus has been the integration of the model generator with Isabelle, in particular with Isabelle/HOL. This allows the model generator to be applied to a wide class of formulae, and its performance is sufficient for interesting case studies. While we have implemented some optimizations (see Section 3.2), further work is necessary to obtain a tool whose performance is generally competitive to that of existing (first-order) model generators. For first-order logic, techniques have been developed to bound or estimate the size of the model [138], to reduce the number of Boolean variables, to reuse search information between consecutive model sizes, or to perform symmetry reduction in order to reduce the number of isomorphic models [41, 156]. It should be a worthwhile research project to transfer these techniques to higher-order logic.

External model generators. An orthogonal approach that would be interesting to evaluate, both in terms of performance and feasibility, is the use of external (first-order) model generators. The necessary translation from HOL to first-order logic could be based on recent work by Meng and Paulson [113] (which would need to be adapted however, as it targets automated theorem provers, not model generators). The integration of external provers with interactive proof assistants has been pursued for a long time, and the integration of external model generators could have similar benefits. Most notably, Isabelle could profit directly from advanced, highly efficient algorithms implemented in external tools.


Other methods of disproving. Aside from finite model generation, various other techniques exist that can be used to refute false conjectures. Berghofer has integrated quickcheck, a tool based on random testing, with Isabelle [24]. The performance of quickcheck is sometimes superior to finite model generation, but the tool is limited to an executable fragment of HOL. It might be possible to combine quickcheck with finite model generation to obtain the best of both worlds: an efficient tool that is applicable to a wide class of HOL formulae.

Future work could also focus on the generation of counterexamples from failed proof attempts. Isabelle contains built-in decision procedures for various fragments of HOL, e.g. quantifier elimination algorithms for dense linear orders, reals and integer linear arithmetic [124]. While some of these procedures output a (possibly spurious) counterexample when they cannot find a proof, counterexample generation was generally not of high priority in their development until now. Notably blast, Isabelle's built-in tableau prover [136], currently does not output any useful information when it fails. Methods for the generation of infinite models (see [90] for a survey) could be used to refute formulae that have no finite models. These techniques could again be implemented as part of Isabelle, or in an external tool that is then integrated with Isabelle.

SAT solving. Both the MACE-style algorithm for finite model generation and the resolution proof reconstruction presented in this thesis crucially depend on efficient SAT solvers. Our model generator supports various state-of-the-art SAT solvers, including zChaff and MiniSat. The integration of other SAT solvers that use the DIMACS input format is straightforward. However, for convenience we have also implemented our own SAT solver in Standard ML. This simple, DPLL-based solver is now part of the Isabelle system. It would be interesting to see if the performance of an optimized SAT solver written in Standard ML can be competitive to that of one of the currently leading SAT solvers (which are usually written in C or C++), and it would be useful to extend Isabelle's own SAT solver with the ability to generate unsatisfiability proofs.

Regarding the proof-producing integration of SAT solvers with LCF-style theorem provers, we have already mentioned several directions for future work in Section 5.6. Our integration can serve as a foundation for the integration of proof-generating decision procedures for richer logics that are based on SAT, e.g. satisfiability modulo theories (SMT), or fragments of first-order logic. This has already been used to integrate the SMT solver haRVey with Isabelle [77].

In Chapter 5 we have focused on an efficient implementation of proof reconstruction, where the resolution proof was found by a SAT solver. Another promising line of research is concerned with obtaining an efficient (compressed) representation of the proof. One can sometimes merge similar resolution chains and re-sort certain resolution steps to obtain a shorter proof; see e.g. [7] for recent work.

An alternative to LCF-style proof checking is reflection, a technique where an algorithm is proved correct in the theorem prover, and then code is generated from the algorithm's definition that produces trusted results [35]. Reflection offers good performance (as the reflected code does not need to produce LCF-style proofs) and high reliability (as the trusted code base must include the code generator, but not any reflected proof procedure). It would be interesting to compare our LCF-style proof checker to a reflection-based approach. Some initial results were recently given in [31].

Formalization. Most theorems in this thesis were proved by traditional "pen-and-paper" proofs only. We have focused on extending Isabelle, rather than on using it to establish fully formal theorems. It seems natural however to suggest a machine-readable formalization of our results. This should be a straightforward (albeit laborious) task for the results about the model of probabilistic programs presented in Section 4.3. A formalization of the model generator's correctness (Theorem 2.100) on the other hand would be technically challenging, because the set-theoretic semantics of higher-order logic cannot be defined in Isabelle/HOL directly. HOL-ST, an extension of Isabelle/HOL proposed by Agerholm [3, 4] and Gordon [65], could be a suitable framework for such a formalization. HOL-ST, which was later called HOLZF by Obua [128], adds a type V (for the set-theoretic universe) and a function ∈ : V × V → bool (for set membership) to HOL. Then the usual axioms of ZF set theory are asserted.

List of Figures

2.1  Model generation algorithm ......................................... 43

3.1  HOL package structure ............................................... 48
3.2  HOL type definition ................................................. 53
3.3  Element order for non-recursive datatypes ........................... 59

4.1  TPTP encoding of the RSA-PSS protocol ............................... 76
4.2  Model showing security of RSA-PSS hashing ........................... 77
4.3  Abstract probabilistic counterexamples .............................. 94
4.4  Sudoku example and solution ......................................... 95
4.5  Sudoku grid ......................................................... 96
4.6  Hard Sudoku example and solution .................................... 97

5.1  Isabelle–SAT system architecture ................................... 102
5.2  SML datatype of propositional formulae ............................. 103
5.3  SML type of resolution proofs ...................................... 104
5.4  EBNF syntax for zChaff proof traces ................................ 105
5.5  EBNF syntax for MiniSat proof traces ............................... 106
5.6  Resolution proof found by zChaff ................................... 108
5.7  Resolution proof found by MiniSat .................................. 109
5.8  Persistent theorems ................................................ 116

List of Tables

2.1  Refutable HOL formulae (examples) ................................... 41

5.1  Runtimes (in seconds) for TPTP problems, naive HOL representation .... 113
5.2  Runtimes (in seconds) for MSC007-1.008 .............................. 113
5.3  Runtimes (in seconds) for SATLIB problems, CNF sequent representation . 114
5.4  Runtimes (in seconds) for pigeonhole instances, CNF sequent representation 114

Bibliography

[1] Andreas Abel, Ralph Matthes, and Tarmo Uustalu. Iteration and coiteration schemes for higher-order and nested datatypes. Theoretical Computer Science, 333(1–2):3–66, 2005.

[2] Wilhelm Ackermann. Zum Hilbertschen Aufbau der reellen Zahlen. Mathematische Annalen, 99:118–133, 1928.

[3] Sten Agerholm. Formalising a model of the λ-calculus in HOL-ST. Technical Report 354, University of Cambridge Computer Laboratory, 1994.

[4] Sten Agerholm and Michael J. C. Gordon. Experiments with ZF set theory in HOL and Isabelle. In E. Thomas Schubert, Phillip J. Windley, and Jim Alves-Foss, editors, Higher Order Logic Theorem Proving and Its Applications – 8th International Workshop, Aspen Grove, UT, USA, September 11-14, 1995, Proceedings, volume 971 of Lecture Notes in Computer Science, pages 32–45. Springer, 1995.

[5] Col Allan, editor. New York Post. News Corporation, New York City, NY, USA, 2005.

[6] Hasan Amjad. Shallow lazy proofs. In Joe Hurd and Thomas F. Melham, editors, Theorem Proving in Higher Order Logics – 18th International Conference, TPHOLs 2005, Oxford, UK, August 22-25, 2005, Proceedings, volume 3603 of Lecture Notes in Computer Science, pages 35–49. Springer, 2005.

[7] Hasan Amjad. Compressing propositional refutations. In Stephan Merz and Tobias Nipkow, editors, Proceedings of the 6th International Workshop on Automated Verification of Critical Systems (AVoCS 2006), volume 185 of Electronic Notes in Theoretical Computer Science, pages 3–15. Elsevier, July 2007.

[8] Anbulagan and John Slaney. Multiple preprocessing for systematic SAT solvers. In C. Benzmüller, B. Fischer, and G. Sutcliffe, editors, Proceedings of the 6th International Workshop on the Implementation of Logics, volume 212 of CEUR Workshop Proceedings, pages 100–116, Phnom Penh, Cambodia, 2006.

[9] Alexandr Andoni, Dumitru Daniliuc, Sarfraz Khurshid, and Darko Marinov. Evaluating the "Small Scope Hypothesis", September 2002. Available from http://sdg.csail.mit.edu/pubs/2002/SSH.pdf.

[10] Peter B. Andrews. An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof, volume 27 of Applied Logic Series. Kluwer Academic Publishers, second edition, July 2002.

[11] G. Audemard, P. Bertoli, A. Cimatti, A. Kornilowicz, and R. Sebastiani. A SAT based approach for solving formulas over Boolean and linear mathematical propositions. In Andrei Voronkov, editor, Proceedings of the 18th International Conference on Automated Deduction (CADE-18), volume 2392 of Lecture Notes in Artificial Intelligence, pages 195–210, Copenhagen, Denmark, July 2002. Springer.

[12] Serge Autexier and Carsten Schürmann. Disproving false conjectures. In Moshe Y. Vardi and Andrei Voronkov, editors, Logic for Programming, Artificial Intelligence, and Reasoning – 10th International Conference, LPAR 2003, Almaty, Kazakhstan, September 22-26, 2003, Proceedings, volume 2850 of Lecture Notes in Computer Science, pages 33–48. Springer, 2003.

[13] Clemens Ballarin. Locales and locale expressions in Isabelle/Isar. In Stefano Berardi, Mario Coppo, and Ferruccio Damiani, editors, Types for Proofs and Programs, International Workshop, TYPES 2003, Torino, Italy, April 30–May 4, 2003, Revised Selected Papers, volume 3085 of Lecture Notes in Computer Science, pages 34–50. Springer, 2003.

[14] Clemens Ballarin. Interpretation of locales in Isabelle: Theories and proof contexts. In Jonathan M. Borwein and William M. Farmer, editors, Mathematical Knowledge Management, 5th International Conference, MKM 2006, Wokingham, UK, August 11-12, 2006, Proceedings, volume 4108 of Lecture Notes in Artificial Intelligence, pages 31–43. Springer, 2006.

[15] Clark Barrett and Sergey Berezin. CVC Lite: A new implementation of the cooperating validity checker. In Proceedings of the 16th International Conference on Computer Aided Verification (CAV 2004), Boston, Massachusetts, USA, July 2004.

[16] Clark Barrett, Sergey Berezin, and David L. Dill. A proof-producing Boolean search engine. In Proceedings of the Workshop on Pragmatics of Decision Procedures in Automated Reasoning (PDPAR 2003), Miami, Florida, USA, July 2003.

[17] David Basin and Stefan Friedrich. Combining WS1S and HOL. In Dov M. Gabbay and Maarten de Rijke, editors, Frontiers of Combining Systems 2, volume 7 of Studies in Logic and Computation, pages 39–56. Research Studies Press/Wiley, Baldock, Herts, UK, February 2000.

[18] David Basin, Seán Matthews, and Luca Viganò. A modular presentation of modal logics in a logical framework. In Isabelle Users Workshop – Cambridge, England, September 18-19, 1995, Proceedings, September 1995.

[19] Gerd Behrmann, Alexandre David, and Kim G. Larsen. A tutorial on Uppaal. In Marco Bernardo and Flavio Corradini, editors, Formal Methods for the Design of Real-Time Systems: 4th International School on Formal Methods for the Design of Computer, Communication, and Software Systems, SFM-RT 2004, volume 3185 of Lecture Notes in Computer Science, pages 200–236. Springer, September 2004.

[20] Mihir Bellare and Phillip Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT 96, volume 1070 of Lecture Notes in Computer Science, pages 399–416. Springer, 1996.

[21] Belaid Benhamou and Laurent Henocque. Finite model search for equational theories (FMSET). In Jacques Calmet and Jan Plaza, editors, Artificial Intelligence and Symbolic Computation, International Conference, AISC'98, Plattsburg, New York, USA, September 16-18, 1998, Proceedings, volume 1476 of Lecture Notes in Artificial Intelligence, pages 84–93. Springer, 1998.

[22] Stefan Berghofer. Definitorische Konstruktion induktiver Datentypen in Isabelle/HOL. Master's thesis, Institut für Informatik, Technische Universität München, 1998.

[23] Stefan Berghofer and Tobias Nipkow. Proof terms for simply typed higher order logic. In Mark Aagaard and John Harrison, editors, Theorem Proving in Higher Order Logics – 13th International Conference, TPHOLs 2000, Portland, Oregon, USA, August 14-18, 2000, Proceedings, volume 1869 of Lecture Notes in Computer Science, pages 38–52. Springer, 2000.

[24] Stefan Berghofer and Tobias Nipkow. Random testing in Isabelle/HOL. In Jorge R. Cuellar and Zhiming Liu, editors, 2nd International Conference on Software Engineering and Formal Methods (SEFM 2004), 28-30 September 2004, Beijing, China, pages 230–239. IEEE Computer Society, 2004. Invited paper.

[25] Stefan Berghofer and Markus Wenzel. Inductive datatypes in HOL – lessons learned in formal-logic engineering. In Y. Bertot, G. Dowek, A. Hirschowitz, C. Paulin, and L. Théry, editors, Theorem Proving in Higher Order Logics, 12th International Conference, TPHOLs'99, volume 1690 of Lecture Notes in Computer Science, pages 19–36. Springer, 1999.

[26] Paul Bernays and Moses Schönfinkel. Zum Entscheidungsproblem der mathematischen Logik. Mathematische Annalen, 99(1):342–372, 1928.

[27] Daniel Le Berre and Laurent Simon, editors. The SAT 2005 competitions and evaluations, volume 2 of Journal on Satisfiability, Boolean Modeling and Computation. IOS Press, 2005.

[28] Tim Bray, Jean Paoli, C. M. Sperberg-McQueen, Eve Maler, François Yergeau, and John Cowan. Extensible Markup Language (XML) 1.1 (Second Edition), W3C Recommendation 16 August 2006, edited in place 29 September 2006, 2006. Available from http://www.w3.org/TR/2006/REC-xml11-20060816/.

[29] Achim D. Brucker and Burkhart Wolff. Symbolic test case generation for primitive recursive functions. In Jens Grabowski and Brian Nielsen, editors, Formal Approaches to Software Testing – 4th International Workshop, FATES 2004, Linz, Austria, September 21, 2004, Revised Selected Papers, volume 3395 of Lecture Notes in Computer Science, pages 16–32. Springer, 2005.

[30] Achim D. Brucker and Burkhart Wolff. Interactive testing with HOL-TestGen. In Wolfgang Grieskamp and Carsten Weise, editors, Formal Approaches to Software Testing – 5th International Workshop, FATES 2005, Edinburgh, UK, July 11, 2005, Revised Selected Papers, volume 3997 of Lecture Notes in Computer Science, pages 87–102. Springer, 2006.

[31] Lukas Bulwahn, Alexander Krauss, Florian Haftmann, Levent Erkök, and John Matthews. Imperative functional programming with Isabelle/HOL. To appear at TPHOLs 2008.

[32] Georg Cantor. Über eine elementare Frage der Mannigfaltigkeitslehre. Jahresbericht der Deutschen Mathematiker-Vereinigung, 1:75–78, 1891.

[33] Constantin Carathéodory. Über den Variabilitätsbereich der Fourierschen Konstanten von positiven harmonischen Funktionen. Rendiconti del Circolo Matematico di Palermo, 32:193–217, 1911.

[34] Serenella Cerrito and Marta Cialdea Mayer. Using linear temporal logic to model and solve planning problems. In Fausto Giunchiglia, editor, Artificial Intelligence: Methodology, Systems, and Applications, 8th International Conference, AIMSA'98, Sozopol, Bulgaria, September 21-23, 1998, Proceedings, volume 1480 of Lecture Notes in Artificial Intelligence, pages 141–152. Springer, 1998.

[35] Amine Chaieb. Automated methods for formal proofs in simple arithmetics and algebra. PhD thesis, Institut für Informatik, Technische Universität München, Germany, January 2008. Preliminary version, submitted.

[36] Amine Chaieb and Tobias Nipkow. Verifying and reflecting quantifier elimination for Presburger arithmetic. In Geoff Sutcliffe and Andrei Voronkov, editors, Logic for Programming, Artificial Intelligence, and Reasoning – 12th International Conference, LPAR 2005, Montego Bay, Jamaica, December 2-6, 2005, Proceedings, volume 3835 of Lecture Notes in Computer Science, pages 367–380. Springer, 2005.

[37] Alonzo Church. A note on the Entscheidungsproblem. Journal of Symbolic Logic, 1(1):40–41, 1936.

[38] Alonzo Church. A formulation of the simple theory of types. Journal of Symbolic Logic, 5:56–68, 1940.

[39] Koen Claessen. Equinox, a new theorem prover for full first-order logic with equality. Presentation at Dagstuhl Seminar 05431 on Deduction and Applications, October 2005.

[40] Koen Claessen and John Hughes. QuickCheck: A lightweight tool for random testing of Haskell programs. In Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming (ICFP'00), Montreal, Canada, September 18-21, 2000, volume 35(9) of SIGPLAN Notices, pages 268–279. ACM, September 2000.

[41] Koen Claessen and Niklas Sörensson. New techniques that improve MACE-style finite model finding. In CADE-19, Workshop W4, Model Computation – Principles, Algorithms, Applications, 2003.

[42] Ernie Cohen. Separation and reduction. In Roland Carl Backhouse and José Nuno Oliveira, editors, Mathematics of Program Construction – 5th International Conference, MPC 2000, Ponte de Lima, Portugal, July 3-5, 2000, Proceedings, volume 1837 of Lecture Notes in Computer Science, pages 45–59. Springer, 2000.

BIBLIOGRAPHY

131

[43]SimonColtonandAlisonPease.TheTMsystemforrepairingnon-theorems.InWolfgang
Ahrendt,PeterBaumgartner,HansdeNivelle,SilvioRanise,andCesareTinelli,editors,
SelectedPapersfromtheWorkshopsonDisprovingandtheSecondInternationalWork-
shoponPragmaticsofDecisionProcedures(PDPAR2004),volume125(3)ofElectronic
NotesinTheoreticalComputerScience,pages87–101.Elsevier,July2005.
[44]StephenCook.Thecomplexityoftheoremprovingprocedures.InProceedingsofthe
ThirdAnnualACMSymposiumonTheoryofComputing,pages151–158.ACM,1971.
[45]M.Davis,G.Logemann,andD.Loveland.Amachineprogramfortheoremproving.
CommunicationsoftheACM,5:394–397,1962.
[46]LucadeAlfaroandThomasA.Henzinger.Concurrentomega-regulargames.In15thAn-
nualIEEESymposiumonLogicinComputerScience,26-29June2000,SantaBarbara,
California,USA,pages141–154.IEEEComputerSociety,2000.
[47]N.G.deBruijn.Lambdacalculusnotationwithnamelessdummies,atoolforautomatic
formulamanipulation,withapplicationtotheChurch-Rossertheorem.Indagationes
1972.34(5):381–392,,aeMathematic[48]HansdeNivelleandJiaMeng.Geometricresolution:Aproofprocedurebasedonfinite
modelsearch.InUlrichFurbachandNatarajanShankar,editors,AutomatedReasoning–
ThirdInternationalJointConference,IJCAR2006,Seattle,WA,USA,August2006,
Proceedings,volume4130ofLectureNotesinArtificialIntelligence,pages303–317,2006.
[49]GiovannidiLorenzo,editor.DieZeit.ZeitverlagGerdBuceriusGmbH&Co.KG,
Hamburg,Germany,2005.
[50]DIMACSsatisfiabilitysuggestedformat,1993.Availablefromftp://dimacs.rutgers.
.edu/pub/challenge/satisfiability/doc[51]D.DolevandA.C.Yao.Onthesecurityofpublickeyprotocols.InProceedingsofthe
IEEE22ndAnnualSymposiumonFoundationsofComputerScience,pages350–357,
1981.[52]NiklasE´enandArminBiere.EffectivepreprocessinginSATthroughvariableandclause
elimination.InFahiemBacchusandTobyWalsh,editors,TheoryandApplicationsof
SatisfiabilityTesting–8thInternationalConference,SAT2005,StAndrews,UK,June
19-23,2005,Proceedings,volume3569ofLectureNotesinComputerScience,pages
2005.Springer,61–75.[53]NiklasE´enandNiklasS¨orensson.MiniSat-p-v1.14–Aproof-loggingversionofMin-
iSat,September2006.Availablefromhttp://www.cs.chalmers.se/Cs/Research/
.FormalMethods/MiniSat/[54]CarstenSinzetal.SAT-Race2006–results,August2006.Availablefromhttp://fmv.
.2006/results.htmlrace-jku.at/sat-[55]BertramFelgenhauerandFrazerJarvis.EnumeratingpossibleSudokugrids,June2005.
Availablefromhttp://www.shef.ac.uk/~pm1afj/sudoku/.

132

BIBLIOGRAPHY

[56]TheSML/NJFellowship.StandardMLofNewJersey,June2007.Availablefrom
.http://www.smlnj.org/[57]MelvinFitting.Kleene’sthreevaluedlogicsandtheirchildren.FundamentaInformaticae,
1994.20(1–3):113–131,[58]PascalFontaine,Jean-YvesMarion,StephanMerz,LeonorPrensaNieto,andAlwen
Tiu.Expressiveness+automation+soundness:TowardscombiningSMTsolversand
interactiveproofassistants.InHolgerHermannsandJensPalsberg,editors,Toolsand
AlgorithmsfortheConstructionandAnalysisofSystems,12thInternationalConference,
TACAS2006,HeldasPartoftheJointEuropeanConferencesonTheoryandPracticeof
Software,ETAPS2006,Vienna,Austria,March25-April2,2006,Proceedings,volume
3920ofLectureNotesinComputerScience,pages167–181.Springer,2006.
[59]E.GoldbergandY.Novikov.BerkMin:AfastandrobustSATsolver.InDesign
AutomationandTestinEurope(DATE),pages142–149,2002.
[60]C.Goller,O.Ibens,R.Letz,K.Mayr,M.Moser,J.Schumann,andJ.Steinbach.The
modeleliminationproversSETHEOandE-SETHEO.JournalofAutomatedReasoning,
1997.18(2):237–246,

[61]M.andJ.MadsC.TGordon.ofte,Feditors,romPrLCFoof,toLHOL:anguage,AshandortInterhistory.actionIn.G.MITPlotkin,Press,Colin2000.P.Stirling,
[62]M.J.C.Gordon.HolSatLibdocumentation,version1.0b,June2001.Availablefrom
.mjcg/HolSatLib/HolSatLib.htmlhttp://www.cl.cam.ac.uk/~[63]M.envirJ.C.onmentGordonforandhigherT.orF.derlogicMelham,.Cameditors.bridgeIntrUnivoersitductionyPrtoess,HOL:1993.Atheoremproving

[64]M.J.C.GordonandA.M.Pitts.TheHOLlogicandsystem.InJ.Bowen,editor,
TowardsVerifiedSystems,volume2ofReal-TimeSafetyCriticalSystemsSeries,pages
1994.Elsevier,49–70.[65]MichaelJ.C.Gordon.Settheory,higherorderlogicorboth?InJoakimvonWright,
JimGrundy,andJohnHarrison,editors,TheoremProvinginHigherOrderLogics–9th
InternationalConference,TPHOLs’96,Turku,Finland,August26-30,1996,Proceed-
ings,volume1125ofLectureNotesinComputerScience,pages191–201.Springer,1996.
er.papvitedIn[66]ReinerH¨ahnle.Tableauxandrelatedmethods.InJohnAlanRobinsonandAndrei
Voronkov,editors,HandbookofAutomatedReasoning,pages100–178.ElsevierandMIT
2001.Press,

[67]ArminHaken.Theintractabilityofresolution.TheoreticalComputerScience,39:297–
1985.308,[68]JohnHarrison.BinarydecisiondiagramsasaHOLderivedrule.TheComputerJournal,
1995.38(2):162–170,

BIBLIOGRAPHY

133

[69]JohnHarrison.St˚almarck’salgorithmasaHOLderivedrule.InJoakimvonWright,Jim
Grundy,andJohnHarrison,editors,TheoremProvinginHigherOrderLogics,volume
1125ofLectureNotesinComputerScience,pages221–234.Springer,1996.
[70]WilfridHodges.ModelTheory.CambridgeUniversityPress,1993.
[71]WilfridHodges.First-ordermodeltheory.InEdwardN.Zalta,editor,TheStanford
EncyclopediaofPhilosophy.CenterfortheStudyofLanguageandInformation,Stan-
fordUniversity,Summer2005.Availablefromhttp://plato.stanford.edu/archives/
.fo/sum2005/entries/modeltheory-[72]GerardJ.Holzmann.TheSPINModelChecker,PrimerandReferenceManual.Addison-
Wesley,September2003.
[73]HolgerH.HoosandThomasSt¨utzle.SATLIB:AnonlineresourceforresearchonSAT.
InIanGent,HansvanMaaren,andTobyWalsh,editors,SAT2000,pages283–292.IOS
Press,2000.Availablefromhttp://www.satlib.org/.
[74]JoeHurd.IntegratingGandalfandHOL.InYvesBertot,GillesDowek,Andre´
Hirschowitz,ChristinePaulin,andLaurentTh´ery,editors,TheoremProvinginHigher
OrderLogics,12thInternationalConference,TPHOLs’99,volume1690ofLectureNotes
inComputerScience,pages311–321,Nice,France,September1999.Springer.
[75]JoeHurd.AnLCF-styleinterfacebetweenHOLandfirst-orderlogic.InAndrei
Voronkov,editor,Proceedingsofthe18thInternationalConferenceonAutomatedDeduc-
tion(CADE-18),volume2392ofLectureNotesinArtificialIntelligence,pages134–138,
Copenhagen,Denmark,July2002.Springer.
[76]Cl´ementHurlin.Proofreconstructionforfirst-orderlogicandset-theoreticalconstruc-
tions.InStephanMerzandTobiasNipkow,editors,SixthInternationalWorkshopon
AutomatedVerificationofCriticalSystems(AVoCS2006)–PreliminaryProceedings,
2006.157–162,pages[77]Cl´ementHurlin,AmineChaieb,PascalFontaine,StephanMerz,andTjarkWeber.Prac-
ticalproofreconstructionforfirst-orderlogicandset-theoreticalconstructions.InLucas
DixonandMoaJohansson,editors,ProceedingsoftheIsabelleWorkshop2007,pages
2–13,Bremen,Germany,July2007.
[78]InstituteofElectricalandElectronicsEngineers,Inc.IEEEStd1003.1c-1995,1995.
[79]InternationalOrganizationforStandardization.Informationtechnology–Syntacticmet-
alanguage–ExtendedBNF,1996.ISO/IEC14977:1996(E).
[80]InternationalOrganizationforStandardization.Informationtechnology–OpenDis-
tributedProcessing–UnifiedModelingLanguage(UML)Version1.4.2,2005.ISO/IEC
19501:2005.[81]DanielJackson.Automatingfirst-orderrelationallogic.InProc.ACMSIGSOFTConf.
FoundationsofSoftwareEngineering,pages130–139,SanDiego,November2000.
[82]DanielJackson.Alloy:Alightweightobjectmodellingnotation.ACMTransactionson
SoftwareEngineeringandMethodology(TOSEM),11(2):256–290,2002.

134

BIBLIOGRAPHY

[83]PaulJacksonandDanielSheridan.TheoptimalityofafastCNFconversionanditsuse
withSAT.TechnicalReportAPES-82-2004,APESResearchGroup,March2004.
[84]ThomasJech.SetTheory.SpringerMonographsinMathematics.Springer,3rdmillen-
2003.edition,nium[85]JanJu¨rjens.Soundmethodsandeffectivetoolsformodel-basedsecurityengineeringwith
UML.InGruia-CatalinRoman,WilliamG.Griswold,andBasharNuseibeh,editors,
27thInternationalConferenceonSoftwareEngineering(ICSE2005),May15-21,2005,
St.Louis,Missouri,USA,pages322–331.ACM,2005.
[86]JanJ¨urjens.Securityanalysisofcrypto-basedJavaprogramsusingautomatedtheorem
provers.InProceedingsofthe21stIEEE/ACMInternationalConferenceonAutomated
SoftwareEngineering(ASE2006),September18-22,2006,Tokyo,Japan,pages167–176.
IEEEComputerSociety,2006.
[87]SaraKalvalaandValeriadePaiva.Linearlogicinisabelle.InIsabelleUsersWorkshop–
Cambridge,England,September18-19,1995,Proceedings,September1995.
[88]SarfrazKhurshidandDarkoMarinov.TestEra:Specification-basedtestingofJavapro-
gramsusingSAT.AutomatedSoftwareEngineering,11(4):403–434,2004.
[89]NilsKlarlundandAndersMøller.MONAVersion1.4UserManual.BRICS,Depart-
mentofComputerScience,UniversityofAarhus,January2001.NotesSeriesNS-01-1.
Availablefromhttp://www.brics.dk/mona/.RevisionofBRICSNS-98-3.
[90]StefanKlingenbeck.CounterExamplesinSemanticTableaux.PhDthesis,Institutefor
Logic,ComplexityandDeductionSystems,UniversityofKarlsruhe,Karlsruhe,Germany,
1996.[91]DonaldE.Knuth.Mathematicsandcomputerscience:Copingwithfiniteness.Advances
inourabilitytocomputearebringingussubstantiallyclosertoultimatelimitations.
Science,194(4271):1235–1242,December1976.
[92]KarstenKonrad.ModelGenerationforNaturalLanguageInterpretationandAnalysis.
PhDthesis,TechnischeFakult¨at,Universit¨atdesSaarlandes,Saarbr¨ucken,Germany,
2000.[93]DexterKozen.OnKleenealgebrasandclosedsemirings.InBranislavRovan,editor,
MathematicalFoundationsofComputerScience1990–Bansk´aBystrica,Czechoslovakia,
August27-31,1990,Proceedings,volume452ofLectureNotesinComputerScience,
1990.Springer,26–47.pages[94]DexterKozen.Kleenealgebrawithtestsandcommutativityconditions.InTiziana
MargariaandBernhardSteffen,editors,ToolsandAlgorithmsfortheConstructionand
AnalysisofSystems–SecondInternationalWorkshop,TACAS’96,Passau,Germany,
March27-29,1996,Proceedings,volume1055ofLectureNotesinComputerScience,
1996.Springer,14–33.pages

BIBLIOGRAPHY135

[95]GihwonKwonandHimanshuJain.OptimizedCNFencodingforSudokupuzzles.InMiki
HermannandAndreiVoronkov,editors,LPAR-13,The13thInternationalConferenceon
LogicforProgramming,ArtificialIntelligence,andReasoning,ShortPaperProceedings,
November2006.
[96]ChristinaLindenbergandKaiWirt.SHA1,RSA,PSSandmore.InGerwinKlein,
TobiasNipkow,andLawrencePaulson,editors,TheArchiveofFormalProofs.http://
afp.sourceforge.net/entries/RSAPSS.shtml,May2005.Formalproofdevelopment.
[97]DeadMan’sHandleLtd.Sudokusolver,September2005.Availablefromhttp://www.
.solver.com/sudoku-[98]DavidMatthews.Poly/ML5.0release,December2006.Availablefrom
http://sourceforge.net/project/showfiles.php?group_id=148318&package_.id=163589&release_id=470957[99]DavidMatthews.Poly/MLhomepage,February2007.Availablefromhttp://www.
.polyml.org/[100]DavidMatthews.TheThreadstructureandsignature,November2007.Availablefrom
.http://www.polyml.org/docs/Threads.html[101]JohnMatthews.ASCIIprooftracesforMiniSat.Personalcommunication,August2006.
[102]WilliamMcCune.ADavis-Putnamprogramanditsapplicationtofinitefirst-order
modelsearch:quasigroupexistenceproblems.TechnicalReportANL/MCS-TM-194,
MathematicsandComputerScienceDivision,ArgonneNationalLaboratory,Argonne,
1994.IL,[103]WilliamMcCune.MACE2.0referencemanualandguide.TechnicalReportANL/MCS-
TM-249,MathematicsandComputerScienceDivision,ArgonneNationalLaboratory,
2001.yMaIL,Argonne,[104]WilliamMcCune.Mace4referencemanualandguide.TechnicalReportANL/MCS-
TM-264,MathematicsandComputerScienceDivision,ArgonneNationalLaboratory,
Argonne,IL,August2003.
[105]WilliamMcCune.Otter3.3referencemanual.TechnicalReportANL/MCS-TM-263,
MathematicsandComputerScienceDivision,ArgonneNationalLaboratory,Argonne,
2003.AugustIL,[106]WilliamMcCune.Prover9manual,version2008-04a,April2008.Availablefromhttp:
.04A/mccune/prover9/manual/2008-//www.cs.unm.edu/~[107]AnnabelleMcIverandCarrollMorgan.Abstraction,RefinementandProofforProba-
bilisticSystems.SpringerMonographsinComputerScience.Springer,2005.
[108]AnnabelleMcIverandTjarkWeber.Towardsautomatedproofsupportforprobabilis-
ticdistributedsystems.InGeoffSutcliffeandAndreiVoronkov,editors,LogicforPro-
gramming,ArtificialIntelligence,andReasoning–12thInternationalConference,LPAR
2005,MontegoBay,Jamaica,December2-6,2005,Proceedings,volume3835ofLecture
NotesinComputerScience,pages534–548.Springer,December2005.

136

BIBLIOGRAPHY

[109]AndreasMeier.TRAMP:Transformationofmachine-foundproofsintonaturaldeduc-
tionproofsattheassertionlevel.InDavidA.McAllester,editor,AutomatedDeduc-
tion–CADE-17,17thInternationalConferenceonAutomatedDeduction,Pittsburgh,
PA,USA,June17-20,2000,Proceedings,volume1831ofLectureNotesinArtificial
Intelligence,pages460–464.Springer,2000.
[110]AndreasMeierandVolkerSorge.ApplyingSATsolvinginclassificationoffinitealgebras.
JournalofAutomatedReasoning,35(1–3):201–235,October2005.
[111]JiaMeng.Integrationofinteractiveandautomaticprovers.InManuelCarroandJesus
Correas,editors,SecondCologNetWorkshoponImplementationTechnologyforCompu-
tationalLogicSystems,FME2003,September2003.
[112]JiaMengandLawrenceC.Paulson.Experimentsonsupportinginteractiveproofus-
ingresolution.InDavidBasinandMichae¨lRusinowitch,editors,AutomatedReasoning:
SecondInternationalJointConference,IJCAR2004,Cork,Ireland,July4-8,2004,Pro-
ceedings,volume3097ofLectureNotesinArtificialIntelligence,pages372–384.Springer,
2004.[113]JiaMengandLawrenceC.Paulson.Translatinghigher-orderproblemstofirst-order
clauses.InGeoffSutcliffe,RenateSchmidt,andStephanSchulz,editors,ESCoR:Empir-
icallySuccessfulComputerizedReasoning,volume192ofCEURWorkshopProceedings,
2006.70–80,pages[114]RobinMilner.ACalculusofCommunicatingSystems.Springer,October1980.
[115]RobinMilner,MadsTofte,RobertHarper,andDavidMacQueen.TheDefinitionof
StandardML-Revised.MITPress,May1997.
[116]CarrollMorgan.Thespecificationstatement.ACMTransactionsonProgrammingLan-
guagesandSystems,10(3):403–419,July1988.
[117]CarrollMorgan.ProgrammingfromSpecifications.InternationalSeriesinComputer
Science.PrenticeHall,2ndedition,1994.
[118]CarrollMorgan,AnnabelleMcIver,andKarenSeidel.Probabilisticpredicatetransform-
ers.ACMTransactionsonProgrammingLanguagesandSystems,18(3):325–353,May
1996.[119]M.Moskewicz,C.Madigan,Y.Zhao,L.Zhang,andS.Malik.Chaff:Engineeringan
efficientSATsolver.InProceedingsofthe38thDesignAutomationConference,Las
2001.Juneegas,V[120]OlafM¨uller,TobiasNipkow,DavidvonOheimb,andOskarSlotosch.HOLCF=HOL
+LCF.JournalofFunctionalProgramming,9:191–223,1999.
[121]WolfgangNaraschewskiandMarkusWenzel.Object-orientedverificationbasedonrecord
subtypinginhigher-orderlogic.InJ.GrundyandM.Newey,editors,TheoremProvingin
HigherOrderLogics–11thInternationalConference,TPHOLs’98,Canberra,Australia,
September27October1,1998,Proceedings,volume1479ofLectureNotesinComputer
Science,pages349–366.Springer,1998.

BIBLIOGRAPHY

137

[122]TobiasNipkow.Order-sortedpolymorphisminIsabelle.InG´erardHuetandGordon
Plotkin,editors,LogicalEnvironments,pages164–188.CambridgeUniversityPress,
1993.[123]TobiasNipkow.StructuredproofsinIsar/HOL.InHermanGeuversandFreekWiedijk,
editors,TypesforProofsandPrograms,SecondInternationalWorkshop,TYPES2002,
BergenDal,TheNetherlands,April24-28,2002,SelectedPapers,volume2646ofLecture
NotesinComputerScience,pages259–278.Springer,2002.
[124]TobiasNipkow.Linearquantifierelimination.InA.Armando,P.Baumgartner,and
G.Dowek,editors,AutomatedReasoning(IJCAR2008),volume?ofLectureNotesin
ComputerScience,pages?–?Springer,2008.
[125]TobiasNipkow,LawrenceC.Paulson,andMarkusWenzel.Isabelle/HOL–AProof
AssistantforHigher-OrderLogic,volume2283ofLectureNotesinComputerScience.
2002.Springer,[126]MichaelNorrishandKonradSlind.TheHOLSystemDescription,January2007.Avail-
.http://hol.sourceforge.net/documentation.htmlfromable[127]StevenObua.Checkingconservativityofoverloadeddefinitionsinhigher-orderlogic.In
FrankPfenning,editor,TermRewritingandApplications–17thInternationalConfer-
ence,RTA2006,Seattle,WA,USA,August12-14,2006,Proceedings,volume4098of
LectureNotesinComputerScience,pages212–226.Springer,2006.
[128]StevenObua.PartizangamesinIsabelle/HOLZF.InKamelBarkaoui,AnaCavalcanti,
andAntonioCerone,editors,TheoreticalAspectsofComputing–ICTAC2006,Third
InternationalColloquium,Tunis,Tunisia,November20-24,2006,Proceedings,volume
4281ofLectureNotesinComputerScience,pages272–286.Springer,2006.
[129]LarryPaulsonandMarkusWenzel.TheIsabellereferencemanual,October2005.Avail-
.http://isabelle.in.tum.de/dist/Isabelle/doc/ref.pdffromable[130]LarryPaulsonandMarkusWenzel.Isabelle/FOL—first-orderlogic,October2005.
.http://isabelle.in.tum.de/dist/library/FOL/document.pdffromailableAv[131]LawrenceC.Paulson.Settheoryforverification:I.fromfoundationstofunctions.
JournalofAutomatedReasoning,11:353–389,1993.
[132]LawrenceC.Paulson.Settheoryforverification:II.inductionandrecursion.Technical
Report312,UniversityofCambridgeComputerLaboratory,1993.
[133]LawrenceC.Paulson.Afixedpointapproachtoimplementing(co)inductivedefinitions.
InAlanBundy,editor,AutomatedDeduction–CADE-12–12thInternationalCon-
ferenceonAutomatedDeduction,Nancy,France,June26July1,1994,Proceedings,
volume814ofLectureNotesinComputerScience,pages148–161.Springer,1994.
[134]LawrenceC.Paulson.Isabelle:AGenericTheoremProver,volume828ofLectureNotes
inComputerScience.Springer,1994.
[135]LawrenceC.Paulson.Theinductiveapproachtoverifyingcryptographicprotocols.
JournalofComputerSecurity,6(1–2):85–128,1998.

138

BIBLIOGRAPHY

[136]LawrenceC.Paulson.AgenerictableauproveranditsintegrationwithIsabelle.Journal
ofUniversalComputerScience,5(3):73–83,1999.
[137]LawrenceC.Paulson.InductiveanalysisoftheinternetprotocolTLS.ACMTransactions
onInformationandSystemSecurity(TISSEC),2(3):332–351,1999.
[138]AmirPnueli,YoavRodeh,OferStrichman,andMichaelSiegel.Thesmallmodelprop-
erty:Howsmallcanitbe?InformationandComputation,178(1):279–293,2002.
[139]ErikReeberandWarrenA.Hunt,Jr.ASAT-baseddecisionprocedureforthesubclass
ofunrollablelistformulasinACL2(SULFA).InUlrichFurbachandNatarajanShankar,
editors,AutomatedReasoning–ThirdInternationalJointConference,IJCAR2006,
Seattle,WA,USA,August2006,Proceedings,volume4130ofLectureNotesinArtificial
Intelligence,pages453–467,2006.
[140]FranzRegensburger.HOLCF:EinekonservativeErweiterungvonHOLumLCF.PhD
thesis,TechnischeUniversit¨atM¨unchen,Germany,1994.
[141]FranzRegensburger.HOLCF:Higherorderlogicofcomputablefunctions.InE.Thomas
Schubert,PhillipJ.Windley,andJimAlves-Foss,editors,HigherOrderLogicTheorem
ProvingandItsApplications–8thInternationalWorkshop,AspenGrove,UT,USA,
September11-14,1995,Proceedings,volume971ofLectureNotesinComputerScience,
1995.Springer,293–307.pages[142]R.Rivest,A.Shamir,andL.Adleman.Ondigitalsignaturesandpublickeycryptosys-
tems.TechnicalReport82,MITLaboratoryforComputerScience,April1977.
[143]R.Rivest,A.Shamir,andL.Adleman.Amethodforobtainingdigitalsignaturesand
public-keycryptosystems.CommunicationsoftheACM,21(2):120–126,1978.
[144]JohnAlanRobinson.Amachine-orientedlogicbasedontheresolutionprinciple.Com-
municationsoftheACM,12(1):23–41,1965.
[145]RSALaboratories.PKCS#1:RSACryptographyStandardVersion2.1,June2002.
[146]RobertSedgewick.AlgorithmsinC,Parts1-4:Fundamentals,DataStructures,Sorting,
Searching.AddisonWesleyProfessional,3rdedition,September1997.
[147]RobertoSegala.ModelingandVerificationofRandomizedDistributedReal-TimeSys-
tems.PhDthesis,LaboratoryforComputerScience,MassachusettsInstituteofTech-
nology,June1995.AvailableasTechnicalReportMIT/LCS/TR-676.
[148]NatarajanShankar.Automatedverificationusingdeduction,exploration,andabstrac-
tion.InAnnabelleMcIverandCarrollMorgan,editors,ProgrammingMethodology.
2003.Springer,[149]JohnK.Slaney.FINDER:Finitedomainenumerator–systemdescription.InAlan
Bundy,editor,AutomatedDeduction–CADE-12–12thInternationalConferenceon
AutomatedDeduction,Nancy,France,June26July1,1994,Proceedings,volume814
ofLectureNotesinComputerScience,pages798–801.Springer,1994.

BIBLIOGRAPHY

139

[150]JohnK.SlaneyandTimothySurendonk.Combiningfinitemodelgenerationwiththe-
oremproving:Problemsandprospects.InFranzBaaderandKlausU.Schulz,editors,
FrontiersofCombiningSystems,FirstInternationalWorkshop,FroCos’96,Munich,
Germany,March26-29,1996,Proceedings,volume3ofAppliedLogicSeries,pages141–
155.KluwerAcademicPublishers,1996.
[151]NeilJ.A.Sloane.Theon-lineencyclopediaofintegersequences:A014221,December
2007.Availablefromhttp://www.research.att.com/~njas/sequences/A014221.
[152]GrahamSteel,AlanBundy,andEwenDenney.Findingcounterexamplestoinductive
conjecturesanddiscoveringsecurityprotocolattacks.AISBJournal,1(2),2002.
[153]ErnstSteinitz.BedingtkonvergenteReihenundkonvexeSysteme,I–IV.Journalf¨ur
reineundangewandteMathematik,143:128–175,1913.
[154]OferStrichman.OnsolvingPresburgerandlineararithmeticwithSAT.InM.D.
AagaardandJ.W.O’Leary,editors,FormalMethodsinComputer-AidedDesign–4th
InternationalConference,FMCAD2002,Portland,OR,USA,November6-8,2002,Pro-
ceedings,volume2517ofLectureNotesinComputerScience,pages160–169.Springer,
2002.[155]GeoffSutcliffeandChristianSuttner.TheTPTPproblemlibrary:CNFreleasev1.2.1.
JournalofAutomatedReasoning,21(2):177–203,1998.Availablefromhttp://www.cs.
.tptp/miami.edu/~[156]TanelTammet.Finitemodelbuilding:improvementsandcomparisons.InCADE-19,
WorkshopW4,ModelComputation–Principles,Algorithms,Applications,2003.
[157]AlfredTarski.Alattice-theoreticalfixpointtheoremanditsapplications.PacificJournal
1955.5(2):285–309,,Mathematicsof[158]RobertJamesThomson,editor.TheTimes.TimesNewspapersLtd.,London,UK,2005.
[159]EminaTorlakandDanielJackson.Kodkod:Arelationalmodelfinder.InOrnaGrum-
bergandMichaelHuth,editors,ToolsandAlgorithmsfortheConstructionandAnalysis
ofSystems,13thInternationalConference,TACAS2007,HeldasPartoftheJointEu-
ropeanConferencesonTheoryandPracticeofSoftware,ETAPS2007,Braga,Portugal,
March24-April1,2007,Proceedings,volume4424ofLectureNotesinComputerSci-
ence,pages632–647.Springer,2007.
[160]B.A.Trachtenbrot.Impossibilityofanalgorithmforthedecisionprobleminfinite
classes.DokladyAkademiiNaukSSSR,70:569–572,1950.
[161]G.Tseitin.Onthecomplexityofderivationinpropositionalcalculus.InA.Slisenko,
editor,StudiesinConstructiveMathematicsandMathematicalLogic,Part2,pages115–
1970.125,[162]G.S.Tseitin.Onthecomplexityofderivationinpropositionalcalculus.InJ.Siekmann
andG.Wrightson,editors,AutomationOfReasoning:ClassicalPapersOnComputa-
tionalLogic,Vol.II,1967–1970,pages466–483.Springer,1983.AlsoinStructuresin
ConstructiveMathematicsandMathematicalLogicPartII,ed.A.O.Slisenko,1968,
115–125.pp.

140

BIBLIOGRAPHY

[163]PeteWake.Sudokusolverbylogic,September2005.Availablefromhttp://www.
.sudokusolver.co.uk/[164]LarryWall,TomChristiansen,andJonOrwant.ProgrammingPerl.O’ReillyMedia,
Inc.,3rdedition,July2000.
[165]TjarkWeber.UsingaSATsolverasafastdecisionprocedureforpropositionallogicin
anLCF-styletheoremprover.InJoeHurd,EdwardSmith,andAshishDarbari,editors,
TheoremProvinginHigherOrderLogics–18thInternationalConference,TPHOLs
2005,Oxford,UK,August2005,EmergingTrendsProceedings,pages180–189,Oxford,
UK,August2005.OxfordUniversityComputingLaboratory,ProgrammingResearch
Group.ResearchReportPRG-RR-05-02.
[166]TjarkWeber.EfficientlycheckingpropositionalresolutionproofsinIsabelle/HOL.In
ChrisBenzm¨uller,BerndFischer,andGeoffSutcliffe,editors,Proceedingsofthe6th
InternationalWorkshopontheImplementationofLogics,volume212ofCEURWorkshop
Proceedings,pages44–62,November2006.
[167]TjarkWeber.IntegratingaSATsolverwithanLCF-styletheoremprover.InAlessandro
ArmandoandAlessandroCimatti,editors,ProceedingsoftheThirdWorkshoponPrag-
maticsofDecisionProceduresinAutomatedReasoning(PDPAR2005),volume144(2)of
ElectronicNotesinTheoreticalComputerScience,pages67–78.Elsevier,January2006.
[168]TjarkWeberandHasanAmjad.EfficientlycheckingpropositionalrefutationsinHOL
theoremprovers.JournalofAppliedLogic,July2007.Toappear.
[169]ChristophWeidenbach,BijanAfshordel,UweBrahm,ChristianCohrs,ThorstenEngel,
EnnoKeen,ChristianTheobalt,andDaliborTopic.Systemdescription:SPASSversion
1.0.0.InHaraldGanzinger,editor,AutomatedDeduction–CADE-16,16thInternational
ConferenceonAutomatedDeduction,Trento,Italy,July7-10,1999,Proceedings,volume
1632ofLectureNotesinArtificialIntelligence,pages314–318.Springer,1999.
[170]MarkusWenzel.Typeclassesandoverloadinginhigher-orderlogic.InElsaL.Gunter
andAmyFelty,editors,TheoremProvinginHigherOrderLogics–10thInternational
Conference,TPHOLs’97,MurrayHill,NJ,USA,August1922,1997,Proceedings,vol-
ume1275ofLectureNotesinComputerScience,pages307–322.Springer,1997.
[171]MarkusWenzel.Isabelle/Isar—aversatileenvironmentforhuman-readableformalproof
documents.PhDthesis,Institutf¨urInformatik,TechnischeUniversit¨atM¨unchen,Ger-
2002.,yman[172]Wikipedia.Sudoku–Wikipedia,thefreeencyclopedia,September2005.Availablefrom
.http://en.wikipedia.org/wiki/Sudoku[173]Wikipedia.2-3tree–Wikipedia,thefreeencyclopedia,October2007.Availablefrom
.3_tree&oldid=167942797http://en.wikipedia.org/w/index.php?title=2-[174]Wikipedia.Markovdecisionprocess–Wikipedia,thefreeencyclopedia,March2008.
http://en.wikipedia.org/w/index.php?title=Markov_decision_fromailableAv.process&oldid=193875137

BIBLIOGRAPHY141

[175]SteveWinker.Generationandverificationoffinitemodelsandcounterexamplesus-
inganautomatedtheoremproveransweringtwoopenquestions.JournaloftheACM,
1982.April29(2):273–284,

[176]TakayukiYatoandTakahiroSeta.Complexityandcompletenessoffindinganother
solutionanditsapplicationtopuzzles.InIPSJSIGNotes2002-AL-87-2.IPSJ,2002.

[177]JianZhangandHantaoZhang.SEM:asystemforenumeratingmodels.InMorganKauf-
Intelmann,ligenceditor,e,PrIJCAIocee95,dingsMontrof´theeal,FQuourte´ebec,enthCanada,InternationalAugustJoi20-25,ntConfer1995,enVceolumeonA1,rtificialpages
1995.298–303,

[178]LintaoZhangandSharadMalik.ThequestforefficientBooleansatisfiabilitysolvers.In
AideAndreidDeVoronkductionov,(CADEeditor,Pro2002)cee,vdingsoluofmethe23928thofLecturInternationaleNotesConferinenceComputeronComputerScience.
2002.Springer,

[179]LintaoZhangandSharadMalik.ValidatingSATsolversusinganindependentresolution-
basedchecker:Practicalimplementationsandotherapplications.InDesign,Automation
andTestinEurope(DATE2003),pages10880–10885.IEEEComputerSociety,2003.

[180]IrinaZhitomirskaja.Werkzeuggest¨utztemodellbasierteSicherheitsanalyse:RSAPSS
Signaturverfahren.Master’sthesis,Institutf¨urInformatik,TechnischeUniversit¨at
M¨unchen,Germany,October2005.