LPAR-12The 12th International Conference on

Logic for Programming,Artificial Intelligence,and Reasoning

Short PaperProceedings

Edited by:

Geoff SutcliffeAndrei Voronkov

I

Preface

This volume contains the short papers presented at the 12th International Con-ference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR-12), held 2-6 December 2006, in Montego Bay, Jamaica.

November 2006 Geoff SutcliffeAndrei Voronkov

Table of Contents

Extensional Higher-Order Datalog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Vassilis Kountouriotis, Panos Rondogiannis, William Wadge

Deciding Weak Monadic Second-order Logics using Complex-value Datalog 6Gulay Unel, David Toman

A SAT-based Sudoku Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Tjark Weber

Matchmaking and Personalization on Mobile Devices . . . . . . . . . . . . . . . . . . . 16Thomas Kleemann, Alex Sinner

A Sequent Calculus for a First-order Dynamic Logic with Trace Modalitiesfor Promela+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Florian Rabe, Steffen Schlager, Peter H. Schmitt

Designing Efficient Procedures for #2SAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Guillermo De Ita, Mireya Tovar, Erica Vera, Carlos Guilln

Exploring Hybrid Algorithms for SAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Olivier Fourdrinoy, Eric Gregoire, Bertrand Mazure, Lakhdar Sais

A Logical Language for Dominoes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Fernando Raymundo Velazquez-Quesada, Francisco Hernandez-Quiroz

Fregean Albebraic Tableaux: Automating Inferences in Fuzzy Proposi-tional Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Francis Jeffry Pelletier, Christopher Lepock

Title: Reasoning on Multimodal logic with the Calculus of Inductive Con-structions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Houda Anoun

A Hierarchical Logic for Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . 54Roger Villemaire, Sylvain Halle, Omar Cherkaoui, Rudy Deca

Extensional Higher-Order Datalog?

Vassilis Kountouriotis1, Panos Rondogiannis1, and William W. Wadge2

1 Department of Informatics & TelecommunicationsUniversity of Athens, Athens, Greecegrad0771,prondo@di.uoa.gr

2 Department of Computer ScienceUniversity of Victoria, Victoria, BC, Canada

wwadge@csr.uvic.ca

Abstract. We define a higher-order extension of Datalog based on theHorn fragment of higher-order logic introduced in [Wad91]. Programsof Higher-Order Datalog can be understood declaratively as formulas inextensional higher-order logic, in which (for example) a unary predicateof unary predicates is a set of sets of data objects. The language retainsall the basic principles of first-order logic programming. In particular,programs in this extended Datalog always have a minimum Herbrandmodel which can be computed in a bottom-up way. We present the syntaxand semantics of our extended Datalog, state the main result cited above,and describe an implementation of this new language.

1 Introduction

We define a higher-order extension of Datalog based on the Horn fragment ofhigher-order logic introduced in [Wad91]. Our system is extensional in the tra-ditional sense, in which a predicate denotes its extension (ie., the set of allarguments for which the predicate is true). Ordinary logic programming, basedas it is on first-order logic, has always been extensional: unary (say) predicatesdenote sets of data objects. Our system extends this concept to higher orders.For example, a unary predicate of unary predicates denotes a set of sets of dataobjects. Extensionality is a desirable feature since it gives an advantage whenone wants to reason about programs (for example, functional programming istraditionally extensional).

In this paper we define the syntax and the semantics of Higher-Order Datalog.Surprisingly, the minimum model property still holds and it can be proved usingthe same basic tools as in classical (first-order) logic programming (extendedto apply to the higher-order setting). Moreover, our construction of the mini-mum model immediately leads to a bottom-up proof procedure for Higher-OrderDatalog (based on an immediate consequence operator, as in ordinary Datalog).? This research is supported by EΠEAEK II under the task “ΠYΘAΓOPAΣ-II:

ENIΣXYΣH EPEYNHTIKΩN OMA∆ΩN ΣTA ΠANEΠIΣTHMIA”, Project title:Applications of Computational Logic to the Semantic Web, funded by the EuropeanSocial Fund (75%) and the Greek Ministry of Education (25%).

1

We conclude the paper by describing an actual implementation of Higher-OrderDatalog based on the ideas that are developed in the paper.

2 Higher-Order Logic: Syntax and Semantics

We start with the syntax and the semantics of the higher-order predicate logic(HOPL) underlying Higher-Order Datalog. We first specify the allowable types:

Definition 1. The set of expression types, tuple types, and predicate types areranged over by σ, τ and π respectively and are defined as follows:

σ ::= ι | πτ ::= (σ0, . . . , σn−1)π ::= o | τ → o

The vocabulary of HOPL allows for: bound predicate variables of every pred-icate type (denoted by Q,R,S, . . .); free predicate variables of every predicatetype (denoted by p, q, r, . . .); bound individual variables of ground type ι (de-noted by X, Y, Z, . . .); constants of type ι and of every predicate type (denoted bya, b, c, . . .). We will use V to denote arbitrary bound variables (either predicateor individual ones). We now specify the set of well-typed expressions of HOPL:

Definition 2. The set of well-typed expressions of HOPL is defined as follows:

1. A constant of type σ is an expression of type σ; an individual variable is anexpression of type ι; a predicate variable of type π is an expression of type π.

2. Let E be an expression of type (σ0, . . . , σn−1) → o and let E0, . . . , En−1 beexpressions of types σ0, . . . , σn−1 respectively. Then, E(E0, . . . , En−1) is anexpression of type o.

3. If E, E0 and E1 are expressions of type o and V is a bound (predicate orindividual) variable then (¬E), (E0 ∧ E1), (E0 ∨ E1), (E0 ← E1), (∀V E) and(∃V E) are expressions of type o.

In the following we write type(E) for the type of E. The semantics of HOPL issimilar to that of functional programming: the denotations of (non-ground type)variables and constant symbols of HOPL are monotonic relations; moreover, theexistential and universal quantifiers always quantify over monotonic relations.Of course, the denotation of negation is not monotonic; however, as we will see,the syntax of the fragment of HOPL that we will consider is guaranteed to havea unique minimum Herbrand model that is monotonic. In the following, it willoften be convenient to view relations as functions whose range is the set 0, 1.In this way, we can adopt for relations the usual definition of monotonicity:

Definition 3. Let (A,vA) and (B,vB) be partial orders. Then, f : A → B istermed monotonic if for all x, y ∈ A such that x vA y, it is f(x) vB f(y).

We write [A → B] for the set of all monotonic functions from A to B. We nowspecify the meaning of the types of the variables and the (non-logical) constantsof HOPL:

2

Definition 4. The denotation of a type with respect to a given nonempty set Uis recursively defined by the function [[ · ]]U as follows:

– [[ι]]U = U– [[o]]U = 0, 1– [[(σ0, . . . , σn−1)]]U = [[σ0]]U × · · · × [[σn−1]]U– [[τ → o]]U = [[[τ ]]U → 0, 1]

Now, to each set [[σ]]U (respectively [[τ ]]U ) of the above definition, we associatea partial order vσ (respectively vτ ) as follows:

– If σ = ι then vι relates every element of U to itself.– If σ = o then vo is the numerical ordering on 0, 1.– If σ = τ → o and f , g in [[σ]]U , then f vσ g if f(r) vo g(r) for all r in [[τ ]]U .– If τ = (σ0, . . . , σn−1) and r = (r0, . . . , rn−1) and r′ = (r′0, . . . , r

′n−1) with

r, r′ ∈ [[τ ]]U , then r vτ r′ if ri vσir′i, for all 0 ≤ i ≤ n− 1.

We will often write just v when the subscript is obvious from context. Wecan now define the notions of interpretation and state as follows:

Definition 5. An interpretation I of HOPL consists of: a nonempty set U ,called the domain of I; an assignment to each constant c of type σ of an elementcI of [[σ]]U ; and, an assignment to each free predicate variable of type π of anelement of [[π]]U . A state over I is a function that assigns to each bound (predicateor individual) variable an element from the appropriate domain (with respect tothe type of the variable).

We can now define the semantics of expressions of HOPL (the cases for ¬,∧, ∨ and ← are straightforward and omitted):

Definition 6. Let I be an interpretation and s be a state over I. Then, thesemantics of expressions of HOPL in a state s over I is defined as follows:

1. [[c]]s(I) = cI

2. [[p]]s(I) = I(p), where p is a free predicate variable3. [[V]]s(I) = s(V), where V is a bound (predicate or individual) variable4. [[E(E0, . . . , En−1)]]s(I) = [[E]]s(I)([[E0]]s(I), . . . , [[En−1]]s(I))5. [[(∀V E)]]s(I) = 1, if for all v ∈ [[type(V)]]U it is [[E]](s[V/v])(I) = 16. [[(∃V E)]]s(I) = 1, if there exists v ∈ [[type(V)]]U such that [[E]](s[V/v])(I) = 1

An interpretation I is a model of a formula F if for all states s over I, [[F]]s(I) = 1.

3 Higher-Order Datalog

The syntax of Higher-Order Datalog allows higher-order variables to be passedas parameters to predicates. For example, the following is a legitimate program:

closure(R,X,Y):-R(X,Y).closure(R,X,Y):-R(X,Z),closure(R,Z,Y).

3

We now formally define the syntax of the language:

Definition 7. A term is either a variable or a constant. An atom is eitheran expression of the form p(t0, . . . , tn−1), or P(t0, . . . , tn−1), or c(t0, . . . , tn−1),where t0, . . . , tn−1 are terms. An atom is a free-predicate one if it of the firstform above. A literal is an atom or the negation of an atom. A positive literal isan atom. A negative literal is the negation of an atom. A clause C is a formula:

∀V0 · · · ∀Vn−1(L0 ∨ · · · ∨ Lk−1)

where each Li is a literal and V0, . . . , Vn−1 are all the bound (predicate or indi-vidual) variables occurring in L0 ∨ · · · ∨ Lk−1.

Definition 8. A definite program clause is a clause that contains precisely onepositive free-predicate atom (called the head of the clause). A definite program(or simply program) is a set of definite program clauses.

As usual, definite program clauses are represented in the form A ← B0, . . . , Bk−1.In order for our language to preserve the properties of classical Datalog, we followthe proposal of [Wad91] and restrict our clauses so as to be definitional:

Definition 9. A clause C is called definitional iff a) all arguments of predicatetype in the head of C are bound predicate variables, and b) all these predicatevariables are distinct. A program is called definitional iff all its clauses are defi-nitional.

The semantics of Higher-Order Datalog is based on Herbrand interpretations.The Herbrand universe UP of a program P is the set of all constant symbols oftype ι that appear in P. Herbrand interpretations are interpretations that useUP as their underlying universe. The relation v generalizes in the obvious way toapply to Herbrand interpretations. We assume that HOPL has enough higher-order constant symbols to represent all monotonic relations. Given a higher-orderconstant c we will write c for the corresponding monotonic relation. Moreover,we assume that all Herbrand interpretations assign the same denotations to thehigher-order constant symbols of the language. We can now define the operatorTP associated with a given program P:

Definition 10. Let P be a Higher-Order Datalog program and let I be a Her-brand interpretation of P. Then, we define the operator TP as follows:

TP(I)(p) = (c0, . . . , cn−1) : p(c0, . . . , cn−1) ← A0, . . . , Ak−1 is a groundinstance of a clause in P and for every state s andfor all 0 ≤ i ≤ k − 1, [[Ai]]s(I) = 1

TP is called the immediate consequence operator for P.

Then, it is not hard to demonstrate the following theorem (which generalizesthe corresponding theorem for first-order Datalog):

Theorem 1. For every Higher-Order Datalog program P, TP has a least (withrespect to v) fixpoint MP = lfp(TP) = TP ↑ ω. Moreover, MP is a Herbrandmodel of P.

4

4 Implementation

The ideas that are presented in this paper have been used in order to undertakean implementation of Higher-Order Datalog. The implemented system is actuallybased on an implementation of the TP operator. The implementation is writtenin C (about 6500 lines of code), it has been tested with various small programsand is relatively stable. The current version of the system is available fromhttp://www.di.uoa.gr/∼grad0771.

There exists however a problem that the bottom-up implementation of Higher-order Datalog has to face. When the order of the program is high and the numberof constants is non-negligible, the bottom-up computation becomes impractical.This problem is also apparent in ordinary Datalog if the bottom-up computationis performed in a naive way. However, in our case the problem is more serioussince at each step the implementation may have to generate the set of all mono-tonic relations of a given type, and this set may be very big. It remains to beseen if one can develop techniques that can prune the search space.

5 Related and Future Work

The most popular higher-order logic programming systems are λ-Prolog [NM98]and Hilog [CKW93]. Both of these systems are powerful and have found inter-esting applications. These languages differ from our system in that they are bothintensional (ie., two predicates are not considered equal unless their names arethe same). Both intensional and extensional systems have their correspondingareas of applications and it would be interesting to compare their relative merits.

Work on extensional higher-order logic programming is very limited. Theonly work that has come to our attention is that of M. Bezem [Bez99], whichconsiders higher-order logic programming with syntax similar to that of [Wad91].However, the notion of extensionality that is adopted in [Bez99] is different thanthe classical one and the main ideas are more proof-theory oriented.

There are certain aspects of this work that we would like to further inves-tigate. The next step is to extend the semantics to apply to programs that use“currying” and that allow function symbols. Finally, a more long-term goal isthe investigation of the interplay between higher-order constructs and negation.

References

[Bez99] M. Bezem. Extensionality of Simply Typed Logic Programs. In InternationalConference on Logic Programming (ICLP), pages 395–410, 1999.

[CKW93] W.C. Chen, M. Kifer, and D.S. Warren. HILOG: A Foundation for Higher-Order Logic Programming. J. of Logic Programming, 15(3):187–230, 1993.

[NM98] G. Nadathur and D. Miller. Higher-Order Logic Programming. In D.M.Gabbay, C.J. Hogger, and J.A. Robinson, editors, Handbook of Logics forArtificial Intelligence and Logic Programming, pages 499–590, 1998.

[Wad91] W.W. Wadge. Higher-Order Horn Logic Programming. In Proceedings ofthe International Symposium on Logic Programming, pages 289–303, 1991.

5

Deciding Weak Monadic Second-order Logicsusing Complex-value Datalog

Gulay Unel and David Tomangunel,david@cs.uwaterloo.ca

Abstract. We use techniques developed for query evaluation of Complex-value Datalog queries for determining satisfiability of WS1S formulæ.We show that the use of these techniques—in particular the Magic Setrewriting of Datalog queries and the top-down resolution-based evalua-tion with memoing—can, in many cases, considerably improve the per-formance of decision procedures based on the connection between logicsand automata, such as the MONA system. While in this paper we fo-cus on the WS1S logic, a similar approach can be used for logics whosedecidability can be shown using automata-theoretic techniques.

1 IntroductionMonadic second-order logics provide means to specify regular properties of sys-tems in a succinct way. In addition, these logics are decidable by the virtue ofthe connection to automata theory [4, 10]. However, only recently tools basedon these ideas—in particular the MONA system [8]—have been developed andshown to be efficient enough for many applications [7].

This paper introduces a technique for implementing an automata-based de-cision procedure for WS1S based on techniques developed for query evaluationin deductive databases, in particular on Magic Set transformation [2] and SLGresolution, a top-down resolution-based approach augmented with memoing [5,6]. The main contribution of the paper is showing the connection between theautomata-based decision procedures for WS1S and efficient techniques for queryevaluation in Complex-value Datalog (Datalogcv).

2 DefinitionsFirst, we define the syntax and semantics of the weak second-order logic of onesuccessor:

Definition 1 (WS1S). Formulas of WS1S are constructed from atomic for-mulas s(x, y) and x ⊆ y, for x and y second-order variables, with the help ofBoolean connectives ∧ and ¬ and second-order existential quantifier ∃x.

The semantics of WS1S is defined w.r.t. the set of natural numbers (successorsof 0); second-order variables are interpreted as finite sets of natural numbers.The interpretation of the atomic formula s(x, y) is fixed to relating singleton setsn + 1 and n, n ∈ N.1 Truth and satisfiability of formulas are defined withthe help of valuations mapping variables to finite sets of natural numbers in astandard way.1 The atomic formula s(x, y) is often written as x = s(y) in literature, emphasizing its

nature as a successor function.6

Definition 2. A finite automaton is a 5-tuple A = (N,X, S, T, F ), where Nis the set of states (nodes), X is the alphabet, S is the initial (starting) state,T ⊆ N ×N ×X is the transition relation, and F is the set of final states.

Given a WS1S formula ϕ, there is a finite deterministic automaton Aϕ thataccepts all models of ϕ. For weak second-order logics, such as the WS1S, finiteautomata are sufficient [7, 8]. Aϕ can be effectively constructed from ϕ startingfrom automata for atomic formulæ and using automata-theoretic operations.

Complex Data Model. The complex-value data model is an extension of thestandard relational model that allows tuples and finite sets to serve as values inthe place of atomic values [1]. The extended data model induces extensions torelational query languages and leads to the definition of complex-value relationalcalculus (calccv) and a deductive language for complex values, Datalogcv[2, 11].

Definition 3 (Datalogcv). A Datalogcv atom is a predicate symbol with vari-ables or complex-value constants as arguments.A Datalogcv database (program) is a finite collection of Horn clauses of theform h← g1, . . . , gk, where h (called head) is an atom with an optional groupingspecification and g1, . . . , gk (called goals) are literals (atoms or their negations).The grouping is syntactically indicated by enclosing the grouped argument in a〈·〉 constructor; the values then range over the set type of the original argument.We require that in every occurrence of an atom the corresponding arguments havethe same finite type and that the clauses are stratified with respect to negation.A Datalogcv query is a clause of the form← g1, . . . , gk. Evaluation of a Datalogcv

query (with respect to a Datalogcv database P ) determines whether P |= g1, . . . , gk.

Query Evaluation. The naive technique for query evaluation in Datalogcv iscommonly based on a fixed-point construction of the minimal Herbrand model(for Datalogcv programs with stratified negation the model is constructed w.r.t.the stratification) and then testing whether a ground (instance of the) query iscontained in the model. The type restrictions guarantee that the fixpoint itera-tion terminates after finitely many steps. However, whenever a query is knownas part of the input, techniques that allow constructing only the relevant partsof the minimal Herbrand model have been developed. Among these, the mostprominent are the magic set rewriting (followed by subsequent fixed-point eval-uation) [3, 9] and the top-down resolution with memoing—the SLG resolution[12].

3 Automata and Datalog for Complex Values

In this section we present the main contribution of our approach: given a WS1Sformula ϕ we create a Datalogcv program Pϕ representing Aϕ such that theanswer to a reachability/transitive closure query w.r.t. this program proves sat-isfiability of ϕ.

7

3.1 Representation of AutomataFirst, we fix the representation for automata that capture models of WS1S for-mulæ.

Definition 4. Given a WS1S formula ϕ with free variables x1, . . . , xk we definea Datalogcv program Pϕ which represents the deterministic automaton Aϕ:

1. Nodeϕ(n) representing the nodes of Aϕ,2. Startϕ(n) representing the starting state,3. Finalϕ(n) representing the set of final states, and4. Transϕ(nf1, nt1, x) representing the transition relation.

where x = x1, x2, . . . , xk is the set of free variables of ϕ; concatenation of theirbinary valuations represents a letter of Aϕ’s alphabet Xϕ.

3.2 Automata-theoretic OperationsAutomata As(x,y) and Ax⊆y for atomic formulæ are directly represented by triv-ial programs Ps(x,y) and Px⊆y consisting of ground facts. Automata-theoreticoperations [8] are then represented as the following programs:

P¬α = Pα ∪ Node¬α(n)← Nodeα(n)Start¬α(n)← Startα(n)Final¬α(n)← Nodeα(n),¬Finalα(n)Trans¬α(nf1, nt1, x)← Transα(nf1, nt1, x)

Pα1∧α2 = Pα1 ∪ Pα1 ∪ Nodeα1∧α2([n1, n2])← Nodeα1(n1),Nodeα2(n2)Startα1∧α2([n1, n2])← Startα1(n1),Startα2(n2)Finalα1∧α2([n1, n2])← Finalα1(n1),Finalα2(n2)Transα1∧α2([nf1, nf2], [nt1, nt2], x, y, z) ←

Transα1(nf1, nt1, x, y), Transα2(nf2, nt2, y, z)

The sets of variables x, y represent the free variables of the formula Aα1 and y, zof the formula Aα2 .

The projection automaton which represents the existential quantification ofa given formula is defined as follows.

Pu∃x:α = Pα ∪ Nodeu

∃x:α(n)← Nodeα(n)Startu∃x:α(n)← Startα(n)Finalu∃x:α(n)← Finalα(n)Finalu∃x:α(n0)← Transα(n0, n1, x, o),Finalu∃x:α(n1)Transu

∃x:α(nf1, nt1, y)← Transα(nf1, nt1, x, y)

The sets of variables y and x represent the free variables of the formula α, ando = 0, 0, . . . , 0 where |o| = |y|.

Note that we need to add the states which have a path to a final state with astring of the form (x, o)∗ in the automaton for α as final states. The automatonwe get after the projection operation is nondeterministic. The following programcreates an equivalent deterministic automaton.8

P∃x:α = Pu∃x:α ∪ Node∃x:α(n)← Start∃x:α(n)

Node∃x:α(n)← Node∃x:α(n1),Trans∃x:α(n1, n, y)Start∃x:α(n)← Startu∃x:α(n)Final∃x:α(n)← Node∃x:α(n),Finalu∃x:α(n1), n1 ∈ nTrans∃x:α(n1, 〈n〉, y)← Node∃x:α(n1),Next∃x:α(n1, n, y)Next∃x:α(n1, n, y)← n2 ∈ n1,Transu

∃x:α(n2, n, y)

The determinization representation presented here is the Datalogcv version ofa well known subset construction algorithm. The nodes of the DFA are createdbeginning with the starting node and then constructing all nodes reachable fromthe starting node through the transition relation. To this end, the groupingconstruct of Datalogcv is used to create all the needed elements of the powersetof the original set of nodes.

Last, the test for emptiness of an automaton has to be defined: To findout whether the language accepted by Aα is non-empty and thus whether α issatisfiable, a reachability (transitive closure) query is used.

TCα : TransClosα(n, n)←TransClosα(nf1, nt1)← Transα(nf1, nt2, x),TransClosα(nt2, nt1)

Note that the use of magic sets and/or SLG resolution automatically trans-forms the transitive closure query into a reachability query. By induction on thestructure of ϕ we have:

Theorem 1. Let ϕ be a WS1S formula. Then ϕ is satisfiable if and only ifPϕ, TCϕ |= Startϕ(x),Finalϕ(y),TransClosϕ(x, y).

4 Experiments

We have compared our technique with the MONA system [7, 8], one of the mostefficient tools for reasoning in weak second-order logics (WS1S and WS2S). Incontrast to MONA, which constructs the whole automaton for a given formula,our method only constructs the nodes we need to answer the non-emptinessquery. For the experiments we use XSB [12], a deductive system that sup-ports top-down resolution with memoing. We also compare our results withCORAL [11], a deductive system that supports Datalogcv and Magic sets.

The performance results for a set of formulas similar to the ones in T98satisfiability test suite are given in Figures 1 and 2. The inputs we give to XSBand CORAL are the Datalogcv programs representing the formulas, and the timerequired to compute the Datalogcv representation of a formula is negligible. Theresponse times are measured in seconds; N/A means “Not Answered”.

5 Conclusions and Future Work

We have presented a technique that maps satisfiability questions for formulas inWS1S to query answering in Datalogcv and demonstrated how advanced queryevaluation techniques can provide an efficient decision procedure for WS1S. 9

#1 #2 #3 #4 #5 #6 #7 #8 #9 #10

MONA 4.37 N/A 13.33 N/A N/A 0.00 0.00 0.00 0.24 4.06CORAL 2.42 4.15 4.75 12.09 14.17 N/A N/A N/A N/A N/A

XSB 0.71 0.00 0.00 0.02 0.01 0.01 0.07 N/A 8.41 N/A

Fig. 1. Performance (secs) w.r.t. increasing number of quantifiers

#6 #7 #8 #10 #9 #1 #3 #2 #4 #5

MONA 0.00 0.00 0.00 4.06 0.24 4.37 13.33 N/A N/A N/ACORAL N/A N/A N/A N/A N/A 2.42 4.75 4.15 12.09 14.17

XSB 0.01 0.07 N/A N/A 8.41 0.71 0.00 0.00 0.02 0.01

Fig. 2. Performance (secs) w.r.t. increasing number of variables

Extensions of the proposed approach include extending the translation toother types of automata on infinite objects, e.g., to Rabin [10] and AlternatingAutomata [13], and on improving the upper complexity bounds by restricting theform of Datalogcv programs generated by the translation. In addition we planto study the impact of goal reordering and other query optimization techniqueson the performance of the decision procedure and to develop heuristics for thispurpose. We also consider the integration of the technique proposed in this paperwith more standard techniques such as BDDs.

References

1. S. Abiteoul and C. Beeri. The power of languages for the manipulation of complexvalues. VLDB Journal, 4(4):727–794, 1995.

2. C. Beeri, S. Naqvi, O. Shmueli, , and S. Tsur. Set construction in a logic databaselanguage. JLP, 10(3&4):181–232, 1991.

3. C. Beeri and R. Ramakrishnan. On the power of Magic. JLP, 10(1/2/3&4):255–299, 1991.

4. J. R. Buchi. Weak second-order arithmetic and finite automata. Z. Math. LogikGrundl. Math., 6:66–92, 1960.

5. W. Chen, T. Swift, and D.S Warren. Efficient top-down computation of queriesunder the well-founded semantics. JLP, 24(3):161–199, 1995.

6. W. Chen and D.S Warren. Query evaluation under the well-founded semantics. InPODS, pages 168–179, 1993.

7. J. G. Henriksen, J. L. Jensen, M. E. Jorgensen, N. Klarlund, R. Paige, T. Rauhe,and A. Sandholm. MONA: Monadic second-order logic in practice. In Proc.TACAS, pages 89–110, 1995.

8. N. Klarlund. MONA & FIDO: The logic-automaton connection in practice. InComputer Science Logic, pages 311–326, 1997.

9. I. S. Mumick. Query Optimization in Deductive and Relational Databases. PhDthesis, Department of Computer Science, Stanford University, 1991.

10. M. O. Rabin. Decidability of second-order theories and automata on infinite trees.Trans. Amer. Math. Soc., 141:1–35, 1969.

11. R. Ramakrishnan, D. Srivastava, S. Sudarshan, and P. Seshadri. The CORALdeductive system. VLDB Journal, 3(2):161–210, 1994.

12. K. F. Sagonas, T. Swift, and D. S. Warren. XSB as an efficient deductive databaseengine. In Proc. SIGMOD, pages 442–453, 1994.

13. M. Y. Vardi. Reasoning about the past with two-way automata. In Proc. ICALP,pages 628–641, 1998.

10

A SAT-based Sudoku Solver?

Tjark Weber

Institut fur Informatik, Technische Universitat MunchenBoltzmannstr. 3, D-85748 Garching b. Munchen, Germany

webertj@in.tum.de

Abstract. This paper presents a SAT-based Sudoku solver. A Sudoku istranslated into a propositional formula that is satisfiable if and only if theSudoku has a solution. A standard SAT solver can then be applied, anda solution for the Sudoku can be read off from the satisfying assignmentreturned by the SAT solver. No coding was necessary to implement thissolver: The translation into propositional logic is provided by a frame-work for finite model generation available in the Isabelle/HOL theoremprover. Only the constraints on a Sudoku solution had to be specified inthe prover’s logic.

1 Introduction

Sudoku, also known as Number Place in the United States, is a placement puzzle.Given a grid – most frequently a 9 × 9 grid made up of 3 × 3 subgrids called“regions” – with various digits given in some cells (the “givens”), the aim is toenter a digit from 1 through 9 in each cell of the grid so that each row, columnand region contains only one instance of each digit. Fig. 1 shows a Sudoku onthe left, along with its unique solution on the right [12]. Note that other symbols(e.g. letters, icons) could be used instead of digits, as their arithmetic propertiesare irrelevant in the context of Sudoku. This is currently a rather popular puzzlethat is featured in a number of newspapers and puzzle magazines [1, 3, 9].

Several Sudoku solvers are available already [6, 10]. Since there are morethan 6 · 1021 possible Sudoku grids [5], a naıve backtracking algorithm wouldbe infeasible. Sudoku solvers therefore combine backtracking with – sometimescomplicated – methods for constraint propagation. In this paper we propose aSAT-based approach: A Sudoku is translated into a propositional formula that issatisfiable if and only if the Sudoku has a solution. The propositional formula isthen presented to a standard SAT solver, and if the SAT solver finds a satisfyingassignment, this assignment can readily be transformed into a solution for theoriginal Sudoku. The presented translation into SAT is simple, and requiresminimal implementation effort since we can make use of an existing frameworkfor finite model generation [11] available in the Isabelle/HOL [8] theorem prover.

? This work was supported by the PhD program Logic in Computer Science of theGerman Research Foundation.

11

5 3 76 1 9 5

9 8 68 6 34 8 3 17 2 6

6 2 84 1 9 5

8 7 9

5 3 4 6 7 8 9 1 26 7 2 1 9 5 3 4 81 9 8 3 4 2 5 6 78 5 9 7 6 1 4 2 34 2 6 8 5 3 7 9 17 1 3 9 2 4 8 5 69 6 1 5 3 7 2 8 42 8 7 4 1 9 6 3 53 4 5 2 8 6 1 7 9

Fig. 1. Sudoku example and solution

2 Implementation in Isabelle/HOL

An implementation of the Sudoku rules in the interactive theorem prover Isa-belle/HOL is straightforward. Digits are modelled by a datatype with nine ele-ments 1, . . . , 9. We say that nine grid cells x1, . . . , x9 are valid iff they containevery digit.

Definition 1 (valid).

valid(x1, x2, x3, x4, x5, x6, x7, x8, x9) ≡

9∧

d=1

9∨

i=1

xi = d.

Labeling the 81 cells of a 9 × 9 grid as shown in Fig. 2, we can now definewhat it means for them to be a Sudoku solution: each row, column and regionmust be valid.

Definition 2 (sudoku).

sudoku(xiji,j∈1,...,9) ≡

9∧

i=1

valid(xi1, xi2, xi3, xi4, xi5, xi6, xi7, xi8, xi9)

∧

9∧

j=1

valid(x1j , x2j , x3j , x4j , x5j , x6j , x7j , x8j , x9j)

∧∧

i,j∈1,4,7

valid(xij , xi(j+1), xi(j+2), x(i+1)j , x(i+1)(j+1), x(i+1)(j+2),

x(i+2)j , x(i+2)(j+1), x(i+2)(j+2)).

The next section describes the translation of these definitions into proposi-tional logic.

3 Translation to SAT

We encode a Sudoku by introducing 9 Boolean variables for each cell of the9 × 9 grid, i.e. 93 = 729 variables in total. Each Boolean variable pd

ij (with

12

x11 x12 x13 x14 x15 x16 x17 x18 x19

x21 x22 x23 x24 x25 x26 x27 x28 x29

x31 x32 x33 x34 x35 x36 x37 x38 x39

x41 x42 x43 x44 x45 x46 x47 x48 x49

x51 x52 x53 x54 x55 x56 x57 x58 x59

x61 x62 x63 x64 x65 x66 x67 x68 x69

x71 x72 x73 x74 x75 x76 x77 x78 x79

x81 x82 x83 x84 x85 x86 x87 x88 x89

x91 x92 x93 x94 x95 x96 x97 x98 x99

Fig. 2. Sudoku grid

1 ≤ i, j, d ≤ 9) represents the truth value of the equation xij = d. A clause

9∨

d=1

pdij

ensures that the cell xij denotes one of the nine digits, and 36 clauses

∧

1≤d<d′≤9

¬pdij ∨ ¬pd′

ij

make sure that the cell does not denote two different digits at the same time.Since there are just as many digits as cells in each row, column, and region,

Def. 1 is equivalent to the following characterization of validity, stating that thenine grid cells x1, . . . , x9 contain distinct values.

Lemma 1 (Equivalent characterization of validity).

valid(x1, x2,x3, x4, x5, x6, x7, x8, x9) ⇐⇒∧

1≤i<j≤9

xi 6= xj

⇐⇒∧

1≤i<j≤9

9∧

d=1

xi 6= d ∨ xj 6= d.

The latter characterization turns out to be much more efficient when trans-lated to SAT. While Def. 1, when translated directly, produces 9 clauses with9 literals each (one literal for each equation), the formula given in Lemma 1 istranslated into 324 clauses (9 clauses for each of the 36 inequations xi 6= xj), buteach clause of length 2 only. This allows for more unit propagation [14] at theBoolean level, which – in terms of the original Sudoku – corresponds to cross-hatching [12] of digits, a technique that is essential to reduce the search space.

13

The 9 clauses obtained from a direct translation of Def. 1 could still be used aswell; unit propagation on these clauses would correspond to counting the digits1 – 9 in regions, rows, and columns to identify missing numbers. However, in ourexperiments we did not experience any speedup by including these clauses.

This gives us a total of 11745 clauses: 81 definedness clauses of length 9, 81·36uniqueness clauses of length 2, and 27 · 324 validity clauses,1 again of length 2.However, we do not need to introduce Boolean variables for cells whose valueis given in the original Sudoku, and we can omit definedness and uniquenessclauses for these cells as well as some of the validity clauses – therefore the totalnumber of variables and clauses used in the encoding of a Sudoku with givenswill be less than 729 and 11745, respectively.

Note that our encoding already yields a propositional formula in conjunctivenormal form (CNF). Therefore conversion into DIMACS CNF format [4] – thestandard input format used by most SAT solvers – is trivial. Isabelle can searchfor a satisfying assignment using either an internal DPLL-based [2] SAT solver,or write the formula to a file in DIMACS format and execute an external solver.We have employed zChaff [7] to find the solution to various Sudoku classified as“hard” by their respective authors (see Fig. 3 for an example), and in every casethe runtime was only a few milliseconds.

26 3

7 4 83 2

8 4 16 5

1 7 85 9

4

1 2 6 4 3 7 9 5 88 9 5 6 2 1 4 7 33 7 4 9 8 5 1 2 64 5 7 1 9 3 8 6 29 8 3 2 4 6 5 1 76 1 2 5 7 8 3 9 42 6 9 3 1 4 7 8 55 4 8 7 6 9 2 3 17 3 1 8 5 2 6 4 9

Fig. 3. hard Sudoku example and solution

4 Concluding Remarks

We have presented a straightforward translation of a Sudoku into a propositionalformula. The translation can easily be generalized from 9 × 9 grids to grids ofarbitrary dimension. It is polynomial in the size of the grid, and since Sudoku isNP-complete [13], no algorithm with better complexity is known. The transla-tion, combined with a state-of-the-art SAT solver, is also practically successful:9 × 9 Sudoku puzzles are solved within milliseconds.

Traditionally the givens in a Sudoku are chosen so that the puzzle’s solutionis unique; nevertheless our algorithm can be extended to enumerate all possi-

1 This number includes some duplicates, caused by the overlap between rows/columnsand regions: certain cells that must be distinct because they belong to the same row(or column) must also be distinct because they belong to the same region.

14

ble solutions (by explicitly disallowing all solutions found so far, and perhapsusing an incremental SAT solver that allows adding clauses on-the-fly to avoidsearching through the same search space multiple times).

Particularly remarkable is the fact that our solver, while it can certainlycompete with hand-crafted Sudoku solvers, some of which use rather complexpatterns and search heuristics, required very little implementation effort. Asidefrom Lemma 1, no domain-specific knowledge was used. The impressive perfor-mance is largely due to the SAT solver. Even the translation into propositionallogic was not written by hand, but is an instance of a framework for finite modelgeneration that is readily available in the Isabelle/HOL theorem prover. Onlythe Sudoku rules had to be defined in the prover, and this was a trouble-freetask.

References

[1] Col Allan, editor. New York Post. News Corporation, New York City, NY, USA,2005.

[2] M. Davis, G. Logemann, and D. Loveland. A machine program for theoremproving. Communications of the ACM, 5:394–397, 1962.

[3] Giovanni di Lorenzo, editor. Die Zeit. Zeitverlag Gerd Bucerius GmbH & Co.KG, Hamburg, Germany, 2005.

[4] DIMACS satisfiability suggested format, 1993. Available online at ftp://dimacs.rutgers.edu/pub/challenge/satisfiability/doc.

[5] Bertram Felgenhauer and Frazer Jarvis. Enumerating possible Sudoku grids, June2005. Available online at http://www.shef.ac.uk/∼pm1afj/sudoku/.

[6] DeadMan’s Handle Ltd. Sudoku solver, September 2005. Available online athttp://www.sudoku-solver.com/.

[7] M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff: Engineeringan efficient SAT solver. In Proceedings of the 38th Design Automation Conference,Las Vegas, June 2001.

[8] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL – AProof Assistant for Higher-Order Logic, volume 2283 of Lecture Notes in ComputerScience. Springer, 2002.

[9] Robert James Thomson, editor. The Times. Times Newspapers Ltd., London,UK, 2005.

[10] Pete Wake. Sudoku solver by logic, September 2005. Available online at http://www.sudokusolver.co.uk/.

[11] Tjark Weber. Bounded model generation for Isabelle/HOL. In Wolfgang Ahrendt,Peter Baumgartner, Hans de Nivelle, Silvio Ranise, and Cesare Tinelli, editors,Selected Papers from the Workshops on Disproving and the Second InternationalWorkshop on Pragmatics of Decision Procedures (PDPAR 2004), volume 125(3)of Electronic Notes in Theoretical Computer Science, pages 103–116. Elsevier,July 2005.

[12] Wikipedia. Sudoku – Wikipedia, the free encyclopedia, September 2005. Availableonline at http://en.wikipedia.org/wiki/Sudoku.

[13] Takayuki Yato and Takahiro Seta. Complexity and completeness of finding an-other solution and its application to puzzles. In IPSJ SIG Notes 2002-AL-87-2.IPSJ, 2002.

[14] L. Zhang and S. Malik. The quest for efficient boolean satisfiability solvers. InAndrei Voronkov, editor, Proceedings of the 8th International Conference on Com-puter Aided Deduction (CADE 2002), volume 2392 of Lecture Notes in ComputerScience. Springer, 2002.

15

Matchmaking and Personalization on Mobile Devices

Thomas Kleemann and Alex Sinner

University of Koblenz-Landau, Department of Computer Sciencetomkl|sinner@uni-koblenz.de

Abstract. We describe in this paper how to perform description logic reasoningon mobile devices for personalization in a semantic mobile environment. In suchan environment, semantic messages are sent to nearby mobile users. The mobiledevices manage a semantic user profile, which is used to filter out unwanted mes-sages. The semantics of the messages and profile is formalized using descriptionlogic. A matchmaking process is performed on the mobile device by a first orderreasoner, Pocket KRHyper. The suitable definition of profiles and annotationsand the translation from description logic to first order logic including generalTBoxes is also described.1

1 Introduction

During the past few years mobile phones have become a ubiquitous companion. Theywere up to now mainly used for messaging and phone calls, but they have become pow-erful devices with much more potential. Our goal is to show how to use this potentialfor performing description logic (DL) based matchmaking for personalization on mo-bile devices in what we call a ’Semantic Mobile Environment’. In such an environment,so-called service nodes are installed at chosen points of interest. These nodes broadcastsemantically annotated messages to nearby mobile users using, for example, bluetoothwireless technology.

On the user’s mobile device, we manage aSemantic User Profiledescribing theusers interests and disinterests in a description logic formalization (see Sec.2.2). Thisuser profile is used to filter out unwanted messages by performing matchmaking be-tween the messages’ annotation and the user profile.

In the following, we describe the formalization of the annotations of messages andthe user profiles. Then we propose a matchmaking algorithm that requires, indepen-dently of the profile size, only two DL satisfiability tests. Finally, we present how thiscan be performed efficiently on mobile devices using the Pocket KRHyper mobile rea-soner.

2 Semantic Personalization

We are using a description logic of expressivenessSH I to describe semantic annota-tions and user profiles. In the following,U is the universal role,> the top concept, and⊥ the bottom concept. The syntax and semantics ofSH I are amply described in [1].

1 This work is part of the IASON project and is funded by the ”Stiftung Rheinland-Pfalz furInnovation”.

16

2.1 Message Annotation

Every message in our environment consists of some human-readable content and anannotation describing the semantics of the respective message. We distinguish betweenan ontologyTW for describing the concepts in the world and a service ontologyTS (seeFig. 1) that makes it possible to distinguish between producers and consumers of goodsand services. Additionally, social interests lacking a producer-consumer separation arepossible.TS is intentionally kept simple for clarity’s sake, but could easily be extended.

sharev Uofferv share

requestv share

Fig. 1.The Service OntologyTS

In general, annotations are of the form

annotation≡ ∃R.C

whereRv share, TW |= C, andTW ∪ TS |= annotation. To describe, for example, anoffer of a movie of genre SciFi on a DVD, we would use the following annotation:

∃offer.(Movieu∃hasGenre.SciFiu∃hasMedium.DVD)

2.2 User Profile

On the receiving end for semantic messages, we have a mobile device which managesa semantic user profile. This user profile stores the positively marked interests and thedisinterests determined by rejected topics. The interests and disinterests in the profileare defined as follows:

profile≡ interestsudisinterests (1)

interests≡nG

i=1

positivei (2)

positivei ≡ ∃Ri .Ci (3)

disinterests≡mG

i=1

negativei (4)

negativei ≡ ∃Ri .Ci (5)

Ri v share (6)

From the definition, we see that the interests and disinterests are a collection of DLconcepts that follow the definition of the annotations.

The user’s interests and disinterests are updated from his/her responses to messages,and allow for the use of ontological knowledge to generalize the annotation. The pro-cedure of these updates is beyond the scope of this paper.

17

2.3 Matchmaking

The main motivation behind the DL formalization was to be able to compare the se-mantic annotation of incoming messages with the interests and disinterests stored in thesemantic user profile. This is what we call matchmaking.

The decision whether a message matches a users interests is based on concept satis-fiability and subsumption of the DL in use. Because the mobile clients provide limitedcomputing power, the decision of a match is performed with only two queries.

profileuannotation6≡ ⊥ (7)

annotationv profile (8)

The first test (7) checks whether the annotation iscompatiblewith the profile. If thetest fails, the annotated message is considered amismatch. Otherwise, we perform thesecond test (8) to get a bettermatch degree. If it is satisfied, the annotated message iscalled amatch.

3 Mobile Reasoning

To perform the reasoning necessary for the matchmaking task, we are using the firstorder logic (FOL) theorem prover library Pocket KRHyper [9] for Java 2 Mobile Edition(J2ME2) enabled mobile devices. The reasoning engine is based on the hyper tableaucalculus [3] and can be considered as a resource optimized version of the KRHyper [11]system. Pocket KRHyper is currently the only FOL automated theorem prover runningon mobile devices that can tackle useful problems.

Since our matchmaking algorithm requires DL TBox reasoning, we use a trans-formation from description logic to FOL. The transformation into sets of clauses in-troduces subconcepts to reduce the complexity of the concept expression or axiom. Anaxiom∃R.Cv∀S.∀T.D is split into∃R.Cv subi andsubi v∀S.subj andsubj v∀T.D tocomply with the transformation primitives. Table1 gives the transformation primitivesin abstract DL syntax, a corresponding first order formula and the generated clauses.

The clauses marked with * are not range restricted, which may cause the reason-ing algorithm to consider all ground instances of the disjunctive head. Since this isvery time-consuming, such constructs are better avoided in the modeling. Decidabil-ity commonly requires the tableau procedure to engage a blocking technique to avoidthe infinite generation of role successors in clause **. This is neccessary for cyclicalterminologies whereD v C or D transitively has role successors inC. The blockingtechniques found in [6] may be adapted to the transformation as shown in [2].

The effective test for satisfiability of a conceptC inserts a single factC(a) into theknowledge base.C is satisfiable if the Pocket KRHyper finds a model for the knowledgebase. A refutation indicates the unsatisfiability of the concept. Subsumption of conceptsis reduced to satisfiability.

4 Resource Management and Evaluation

In order to reduce the workload introduced by the translation of DL axioms into clausalform, the knowledge base is split into three parts. The ontology is assumed to be stable

2 http://java.sun.com/j2me

18

description logicfirst order formula clausesCuD v E ∀x.C(x)∧D(x)→ E(x) e(x) :- c(x), d(x).CtD v E ∀x.C(x)∨D(x)→ E(x) e(x) :- c(x).

e(x) :- d(x).C v ¬D ∀x.C(x)→¬D(x) false :- c(x), d(x).

∃R.C v D ∀x∀y.R(x,y)∧C(y)→ D(x) d(x) :- c(y), r(x,y).∀R.C v D ∀x.(∀y.R(x,y)→C(y))→ D(x) d(x); r(x,fR−C(x)). *

d(x) :- c(fR−C(x)).C v DuE ∀x.C(x)→ D(x)∧E(x) e(x) :- c(x).

d(x) :- c(x).C v DtE ∀x.C(x)→ D(x)∨E(x) e(x); d(x) :- c(x).¬C v D ∀x.¬C(x)→ D(x) c(x); d(x). *

C v ∃R.D ∀x.C(x)→ (∃y.R(x,y)∧D(y)) d( fR−D(x)) :- c(x).r(x, fR−D(x)) :- c(x). **

C v ∀R.D ∀x.C(x)→ (∀y.R(x,y)→ D(y)) d(y) :- c(x), r(x,y).Rv S ∀x∀y.R(x,y)→ S(x,y) s(x,y) :- r(x,y)

R− ≡ S ∀x∀y.R(x,y)↔ S(y,x) s(y,x) :- r(x,y).r(x,y) :- s(y,x).

R+ ∀x∀y∀z.R(x,y)∧R(y,z)→ R(x,z) r(x,z) :- r(x,y), r(y,z).

Table 1.Translation Primitives

throughout the runtime of the application and is therefore transformed only once. Theprofile is transformed only when it is updated. Solely the annotations of messages andthe associated queries are transformed as they emerge. The knowledge base keeps trackof these parts by setting a mark at each such step, so it is possible to revert it to the stateit had before an update or query.

With respect to our matchmaking algorithm, the simplifications in Table2 yield thesame results, but reduce the number of clauses. The effect is a reduced memory con-sumption of the knowledge base itself and the hyper tableau generated for the tests. Totest the satisfiability ofannotationuprofile, it is sufficient to consider only thenegativeipart of the profile, if translated according to Table2. An annotation will fail this test ifit is subsumed by thedisinterests.

positivei v pro f ile i ∈ 1, ...,n (9)

negativei v⊥ i ∈ 1, ...,m (10)

annotationv ∃R.C (11)

Table 2.Resource Optimized Transformation of Profile and Annotation

A performance evaluation of Pocket KRHyper with respect to a selection of TPTP [10]problems can be found in [9]. First empirical tests of our matchmaking approach withontologies for three different real world scenarios (public transport, conference pro-gram, and cinema program) performed well on contemporary phones like e.g. Nokia6681. Matchmaking decisions took less than one second per incoming message.

19

5 Conclusions and Related Work

In this paper, we have described how to perform matchmaking on mobile devices forpersonalization in a semantic mobile environment using the Pocket KRHyper mobiletheorem prover and a corresponding DL transformation. To our knowledge, the use ofautomated reasoning on mobile devices for personalization in a semantic mobile en-vironment is new. A propositional tableaux-based theorem prover for JavaCard, Card-TAP [4], has been implemented before. But unlike Pocket KRHyper, this was consid-ered a toy system and was too slow for real applications.

Unlike other matchmaking approaches [7,8], we use at most two queries to calculatethe match degree for arbitrary profiles. A large profile containing many interests anddisinterests does not impose more tests. Thus our approach scales well even in thecontext of limited resources.

The capabilities of the presented DL transformation extend those of the DescriptionLogic Programs (DLP) [5] subset of DL and Logic Programs. Despite these extensions,reasoning is still empirically successful, even on mobile devices.

References

1. F. Baader, D. Calvanese, D. L. McGuinness, D. Nardi, and P. F. Patel-Schneider.The de-scription logic handbook: theory, implementation, and applications. Cambridge UniversityPress, 2003.

2. P. Baumgartner, U. Furbach, M. Gross-Hardt, and T. Kleemann. Model based deduction fordatabase schema reasoning. InKI 2004: Advances in Artificial Intelligence, volume 3238,pages 168–182. Springer Verlag, 2004.

3. P. Baumgartner, U. Furbach, and I. Niemela. Hyper Tableaux. Technical Report 8–96,Universitat Koblenz-Landau, 1996.

4. R. Gore, J. Posegga, A. Slater, and H. Vogt. System description: cardtap: The first theo-rem prover on a smart card. InCADE-15: Proc. of the 15th International Conference onAutomated Deduction, pages 47–50. Springer-Verlag, 1998.

5. B. N. Grosof, I. Horrocks, R. Volz, and S. Decker. Description logic programs: Combininglogic programs with description logic. InProc. of the 12th International World Wide WebConference (WWW 2003), pages 48–57. ACM, 2003.

6. V. Haarslev and R. Moller. Expressive ABox Reasoning with Number Restrictions, RoleHierarchies, and Transitively Closed Roles. InKR2000: Principles of Knowledge Represen-tation and Reasoning, pages 273–284. Morgan Kaufmann, 2000.

7. L. Li and I. Horrocks. A software framework for matchmaking based on semantic webtechnology. InProc. of the 12th International World Wide Web Conference (WWW’2003),pages 331–339. ACM, 2003.

8. T. D. Noia, E. D. Sciascio, F. M. Donini, and M. Mongiello. Abductive matchmaking usingdescription logics. InProc. of IJCAI’03, pages 337–342, 2003.

9. A. Sinner and T. Kleemann. Krhyper - in your pocket, system description. InProc. ofConference on Automated Deduction, CADE-20, 2005.

10. G. Sutcliffe and C. Suttner. The TPTP Problem Library: CNF Release v1.2.1.Journal ofAutomated Reasoning, 21(2):177–203, 1998.

11. C. Wernhard. System Description: KRHyper. Fachberichte Informatik 14–2003, UniversitatKoblenz-Landau, 2003.

20

A Sequent Calculus for a First-order DynamicLogic with Trace Modalities for Promela+

Florian Rabe1, Steffen Schlager2, and Peter H. Schmitt2

1 International University Bremen2 Universitat Karlsruhe

Abstract. In this paper we introduce the first-order dynamic logic DLPfor Promela+, a language subsuming the modelling language Promela ofthe Spin model checker. In DLP trace modalities can be used to rea-son about the temporal properties of programs. The definition of DLPincludes a formal semantics of the Promela+ language. A sound and rela-tively complete sequent calculus is given, which allows deductive theoremproving for Promela+. In contrast to the Spin model checker for Promela,this calculus allows to verify infinite state models. To demonstrate theusefulness of our approach we present two examples that cannot be han-dled with Spin but that can be derived in our calculus.

1 DLP—Dynamic Logic for Promela+

Dynamic Logic (DL) [4, 5] is an extension of first-order predicate logic withmodalities [π]F and 〈π〉F for each program π of some programming languageand DL formula F . DL allows to reason about the input/output behaviour of aprogram. However, sometimes it is desirable to reason about intermediate statesof a program as well. This becomes possible if DL is extended with additional,so-called trace modalities, as shown in [1].

The programming language we consider in this paper is Promela+ whosesyntax is essentially the same as of Promela [7], the modelling language of themodel checker Spin [6]. Besides the usual constructs like assignments, loops,etc. Promela offers dynamic process creation, synchronous and asynchronouscommunication through channels, and non-deterministic choice.

In contrast to Promela, Promela+ is not restricted to finite models. E.g., itis possible to create an unbounded number of processes, integer variables arenot range restricted, and, most important, the initial state of a system may be(partially) unknown. For an informal syntax and semantics of Promela programswe refer to [7, 6]. A detailed formal syntax and semantics Promela+ and thereforeof Promela and can be found in [8].

2 Promela+ and Limited Programs

In this section we give a very brief overview over the semantics of Promela+

as described in [8]. We also introduce limited programs, which are an extensionof [8].

21

Syntax. Promela+ is based on a many-sorted first-order logic over a fixed sig-nature containing all symbols to define syntax and semantics of Promela. It isextended with six temporal operators for each program π: [π], 〈π〉, [[π]], [〈π〉],〈[π]〉 and 〈〈π〉〉. Promela variables are modelled as function symbols and are dif-ferent from the logical variables.

The normal programs, which we call unlimited, are essentially the Promelaprograms. In addition we introduce limited programs which are defined by thefollowing clause: If t is a term of sort integer and π is an unlimited program,then πt is a limited program. Limited or unlimited programs may occur insidetemporal operators, e.g., for a formula F both [π]F and [πt]F are well-formedformulas.

Semantics. The semantic domain of DL are extended Kripke structures. Thestates are many-sorted first-order structures such that

– all states share the same universe,– some function and predicate symbols are rigid, i.e. have the same interpre-

tation in all states (e.g. arithmetics and list operation), and– the interpretation of non-rigid function symbols is depending on the state

encoding the values of the Promela variables and channels.

For each elementary command there is one transition relation reflecting thesemantics of the programming language. A trace of a program π for an initialstate s is the (possibly infinite) sequence of states of a possible run of π startingin s. If a trace is finite its last state is labelled with timeout or termination.Promela+ is non-deterministic, i.e., the semantics of a program is a set of tracesfor each initial state. Where applicable our semantics of Promela+ agrees withthe semantics of Promela used by Spin.

For a trace t and a natural number n let tn denote the initial segment oflength n of t; and for a set of traces T let Tn denote the set of all such segmentsof traces in T . For a given state s and an assignment α to the free logical variableslet valαs denote the interpretation function. Then the semantics of the limitedprogram πt is given by:

valαs (πt) =

valαs (π)n if valαs (t) = n, n > 0∅ if valαs (t) ≤ 0

That means that for a limited program only the first n − 1 computation stepsare relevant.

The formula [π]F (〈π〉F ) holds in state s iff for all (there exists a) possibleend state(s) of π labelled with termination when started in s the formula Fholds. The formula [[π]]F ([〈π〉]F ) holds iff for all (there exists a) state(s) onall traces of π the formula F holds. And the formula 〈[π]〉F (〈〈π〉〉F ) holds iffthere exists a trace of π on which for all (there exists a) state(s) F holds. If theprogram in the modal operator is a limited program the same semantics applieswith respect to the traces in the interpretation of πt. Formulas not containingmodalities are interpreted as usual in first-order logic.

22

E.g., suppose valαs1(π) = (s1, s2, termination s3), (s1, s2, s

′3, timeout s′4)

and F holds precisely in the states s1, s2, s3 and s′3. Then valαs1(〈[π]〉F ) = 1

because F holds in all states of the first trace; valαs1([[π]]F ) = 0 because F does

not hold in s′4; valαs1([[π3]]F ) = 1 because now only the first three states of each

trace are considered; and valαs1([π2]F ) = 1 because there is no final state within

the first two states of a trace, and the universal quantification over the emptyset is trivially true.

3 A Sequent Calculus for DLP

We use a sequent calculus to axiomatise DLP. As usual, the semantics of a ruleis that the validity of the premisses above the line implies the validity of theconclusion. A full account (except for limited programs) is given in [8]. The coreof the calculus are the rules for symbolic execution of Promela+ code.

The idea of the rules for symbolic execution is that first scheduling rulesintroduce tags. The semantics of a tagged program i : π is the same as of π withthe restriction that the next command to be executed is from the i-th processof π. Thus scheduling rules can be seen as case distinctions that have one casefor every possible scheduling decision.

Secondly, unwinding rules transform the program i : π by replacing composedcommands (selections, loops and sequences marked as atomic) with elementaryones. This is necessary since only elementary commands have a well-definedeffect on the global state (due to the non-deterministic interleaving of processes).Both scheduling and unwinding lead to branches or alternatives in the proof treereflecting the indeterminism of Promela.

Thirdly, an elementary command is executed. A typical example rule is:

ex(c) ` F ex(c) ` eff(c)[[remProg(π, i)]]F` [[i : π]]F

The purpose of this rule is to execute the first command c of the i-th process ofπ.

While tags are syntactic entities of DLP, ex, eff, and remProg are meta levelabbreviations that allow to state several rules in one compact rule scheme: ex(c)is a first-order formula that expresses the executability of c, eff(c) expresses thestate transitions caused by the execution of c and modifies the state in whichthe following formula is to be evaluated, and remProg(π, i) is the program thatremains to be executed after c has been executed. These abbreviations mustbe defined for all elementary commands c. E.g., if c spawns a new process,remProg(π, i) removes c from π and adds the new process instance to π.

Having the intuitive meaning of these functions in mind it is easy to under-stand the rule: If c is executable, the formula [[i : π]]F , which states that Fholds in all states on all traces, is reduced to F , which states that F holds inthe current state, and eff(c)[[remProg(π, i)]]F , which states that F holds in allstates on all traces that arise if the remaining program is executed in the next

23

state (characterised by the state updates eff(c)). If c is not executable, the proofgoal is closed immediately.

Note that the execution rule eliminates the tag and the scheduling rules areapplicable again. This cycle is repeated until the program is completely executedand can be discharged.

Rules for Limited Programs. In order to derive formulas with non-terminatingprograms we apply induction rules, usually on the length of the traces. However,this is only possible if the formula contains a term that encodes this length.Therefore, limited programs are introduced by the rules given in Fig. 1. Herethe rules in the right column are not necessary for completeness and are onlygiven for symmetry. After introduction of the limited programs induction on tcan be applied.

M ∈ [], [[]], [〈〉] M ∈ 〈〉, 〈[]〉, 〈〈〉〉` ∀t : int. t ≥ 1 → M(πt)F

` M(π)F

` ∃t : int. t ≥ 1 ∧M(πt)F

` M(π)F

Fig. 1. Introducing limited programs

Formulas that contain limited programs are treated by similar symbolic exe-cution rules as those with unlimited programs. In particular the scheduling andunwinding rules are the same. For command execution one detail is changed: Thelimit is decremented because one program step has been executed. For examplethe above execution rule corresponds to

t ≥ 2 , ex(c) ` F t ≥ 2 , ex(c) ` eff(c)[[remProg(π, i)t−1]]Ft ≥ 2 ` [[i : πt]]F

The rules for discharging limited programs when the limit is reached, i.e.,t = 1, and for the degenerate cases where t ≤ 0 are given in Fig. 2. If t = 1a special case must be distinguished: If the program is non-empty, i.e. π 6= ε,it has not terminated yet and no final state exists, which means that [πt]F isalways true and 〈πt〉F is always false. If t ≤ 0, formulas that contain operatorsthat quantify universally over the traces are always true.

3.1 Soundness and Relative Completeness

Soundness has to be shown separately for each rule. Most of the proofs aretechnical, but not difficult. Except for the rules for limited programs they canbe found in [8].

The soundness of the rules for limited programs either follows directly fromthe definition of the semantics or from the soundness of the corresponding rulefor unlimited programs—except for the introduction rules for limited programsfor the operators [〈〉] and 〈[]〉. For the soundness of these rules the followingtheorem.

24

π 6= ε, M = [] π 6= ε, M = 〈〉 otherwise

t = 1 ` M(πt)F

t = 1 `t = 1 ` M(πt)F

t = 1 ` F

t = 1 ` M(πt)F

M ∈ [], [[]], [〈〉] M ∈ 〈〉, 〈[]〉, 〈〈〉〉

t ≤ 0 ` M(πt)F

t ≤ 0 `t ≤ 0 ` M(πt)F

Fig. 2. Discharging limited programs

Theorem 1. For all unlimited programs π, all formulas F , all states s, and allassignments α:

valαs (M(π)F ) =

infn∈N∗

supn∈N∗

valαs (M(πn)F )

if M = 〈[]〉if M = [〈〉]

This theorem states that it is sufficient for the evaluation of formulas con-taining the modalities 〈[]〉 and [〈〉] to consider only finite prefixes of the traces.The proof is based on quite involved an induction and can be found in [8]. It isessential for this theorem that the number of indeterministic choices in Promelais always finite. That guarantees that the sets valαs (πn) are always finite whereasthe set valαs (π) may even be uncountable.

The idea of the proof of relative completeness is to discharge all programsby symbolic execution if possible and to introduce limited programs and use in-duction for non-terminating programs. Then the remaining first-order formulascan be handled by standard methods. Relative completeness means that all validformulas could be derived in the calculus if an oracle for arithmetic was available,i.e., a rule scheme providing all valid arithmetic formulas as axioms. Of course,in reality such a rule cannot exist but this is not harmful to “practical complete-ness”. Rule sets for arithmetic are available, which—as experience shows—allowto derive all valid first-order formulas that occur during the verification of actualprograms. Moreover, many arithmetic formulas can be automatically dischargedby external decision procedures like CVC [9] and the Simplify tool, which is partof ESC/Java [3].

It is possible to give further operators, e.g., Inf(π)F stating that F holdsinfinitely many times along every trace of π, for which the above theorem doesnot hold. Therefore the described technique cannot be extended to give a soundand relatively complete axiomatisation for these operators.

3.2 Examples

We now present two examples. Although they are extremely simple they cannotbe verified using the model checker Spin, whereas their deductive verificationcan be done in a standard way. This shows the fundamental advantages of thedeductive approach.

25

For these examples, note that in Promela do. . . od denotes a guarded non-deterministic choice, that is repeated until a break is encountered. Consider theprogram π defined as

do:: skip:: x=0; break

od

We now want to verify that x.= 0 holds in all possible final states of π. In DLP

this property is expressed as [π]x .= 0. Spin cannot handle this because infinitelymany and arbitrarily long runs exist for this model. However, using limitedprograms and induction on t in πt this model can be easily verified deductively.The induction hypothesis is ∀t : int. t ≥ 1 → [πt]x .= 0.

For the second example let π be defined as

do:: x != 0; x=x−1:: else ; break

od

where x is decreased as long as it is non-zero, and if x is zero, the loop terminates.We want to prove validity of the formula ∀x : int.x ≥ 0 → [π]x .= 0 expressingthat for every initial value of x greater than 0 and all terminating runs x

.= 0holds in the final state. This property cannot be verified with Spin since itdoes not allow arbitrary initial states. However, Spin can easily verify a similarproperty with a fixed value for x.

While arbitrary initial states are not provided for in Promela they naturallyoccur in many realistic scenarios, e.g., if a program is started in the final stateof another program or if it depends on some external input. The initial stateof a DLP verification is always arbitrary. If only certain initial states are to beconsidered restrictions must be included in the property to be verified.

The formal proof of this example is done by induction on x and can be foundin [8]. Note that the induction hypothesis has to be specified interactively whichcan be very hard to find in practice.

4 Related Work and Conclusions

There are some approaches to define the semantics of Promela formally, mostnotably [2]. But the semantics that is induced by our semantics for Promela+ isby far the most comprehensive one. Relative to this semantics we introduced acalculus that allows deductive theorem proving for Promela. No previous workin this direction exists for Promela or other non-deterministic multi-process lan-guages. We showed that it is—in principle—possible to approach such program-ming languages with methods from deductive theorem proving, thus preparingthe ground for implementations in automatic provers. The methods we used arevery general and can be easily applied to other languages.

26

The given examples show that DLP increases the set of verifiable Promelamodels significantly. As a minor drawback DLP has only six temporal operatorsto make statements about traces whereas Spin allows to specify arbitrary LTLformulas. E.g., in order to express the property “A holds for a while, and thenB holds forever” DLP must be extended by a specific modality whereas thiscan be easily expressed in LTL. We intend to extend our definitions to allowfor arbitrary modal operators, which would render our language as expressive asLTL. First approaches have shown that it is indeed possible to give rules for thecase where the modal operator is arbitrary.

References

1. B. Beckert and S. Schlager. A sequent calculus for first-order dynamic logic withtrace modalities. In International Joint Conference on Automated Reasoning, vol-ume 2083 of LNCS, pages 626–641, 2001.

2. M. del Mar Gallardo, P. Merino, and E. Pimentel. A generalized semantics ofPromela for abstract model checking. Formal Aspects of Computing, 16(3):166–193,2004.

3. ESC/Java (Extended Static Checking for Java). http://research.compaq.com/

SRC/esc/.4. D. Harel. First-order Dynamic Logic, volume 68 of LNCS. Springer, 1979.5. D. Harel, D. Kozen, and J. Tiuryn. Dynamic Logic. MIT Press, 2000.6. G. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-

Wesley, 2003.7. Promela Language Reference. Available at http://spinroot.com/spin/Man/

promela.html.8. F. Rabe. A dynamic logic with temporal operators for Promela. Master’s the-

sis, Universitat Karlsruhe, 2004. Available online at http://i12www.ira.uka.de/

~frabe/DLTP.pdf.9. A. Stump, C. W. Barrett, and D. L. Dill. CVC: A Cooperating Validity Checker. In

E. Brinksma and K. G. Larsen, editors, 14th International Conference on ComputerAided Verification (CA V), volume 2404 of Lecture Notes in Computer Science,pages 500–504. Springer-Verlag, 2002.

27

Designing Efficient Procedures for #2SAT

Guillermo De Ita1, Mireya Tovar2, Erica Vera2 and Carlos Guillen3

1 Universidad Politecnica de Puebla, deita@inaoep.mx2 Universidad Autonoma de Puebla, mtovar@cs.buap.mx, ee vc@cs.buap.mx

3 Instituto Nacional de Astrofısica Optica y Electronica, cguillen@inaoep.mx

Abstract. We present some advances on the design of efficient proce-dures for counting models of a Boolean formula Σ (#SAT(Σ) Problem).We show that if GΣ , the constraint graph of Σ, is acyclic or containsdisjointed cycles then #SAT (Σ) is computed in polynomial time, estab-lishing new polynomial classes of Conjunctive Forms for #SAT.Keywords: #SAT Problem, Counting models, Efficient Algorithms.

1. Introduction

The problem of counting models for a Boolean formula (#SAT problem) canbe reduced to several different problems in approximate reasoning. For example,for estimating the degree of reliability in a communication network, computingdegree of belief in propositional theories, for the generation of explanations topropositional queries, in Bayesian inference, in a truth maintenance systems, forrepairing inconsistent databases [1, 3, 6, 8].

#SAT is at least as hard as the decision problem SAT(determine if a Booleanformula is satisfiable), but in many cases, even when SAT is solved in polynomialtime, no computationally efficient method is known for #SAT. For example, the2-SAT problem, SAT restricted to consider a conjunction of (≤ 2)-clauses, itcan be solved in linear time. However, the corresponding “counting” problem#2-SAT is a #P-complete problem.

2. Notation and Preliminaries

Let X = x1, . . . , xn be a set of n Boolean variables. A literal is a variable x ora negated variable x. We will consider Boolean formulas in Conjunctive Forms(CF) which are conjunctions of clauses, and where each clause is a disjunction ofdifferent literals. For k ∈ IN , a k-clause is a clause consisting of exactly k literalsand, a (≤ k)-clause is a clause with k literals at most. We use υ(Y ) to indicatethe variable involved in the object Y (Y can be a literal, a clause or a CF). Asis usual, for each x ∈ X , x0 = x and x1 = x. We say that F is a monotonic CFif all of its variables appear in unnegated form. A k-CF is a CF containing only

This research is also supported by the Autonomous University of Puebla, via acad-emic scholarship license.

28

k-clauses. A (k, sµ)-CF is a k-CF such that each variable appears no more thans times. An assignment s for F is a function s : υ(F ) → 0, 1. A clause c issatisfied by the assignment s if and only if c ∩ s = ∅. A CF F is satisfied by anassignment s if each clause in F is satisfied by s. A model of F is an assigmentover υ(F ) that satisfies F . We will denote [[n]] = 1, 2, ..., n. Let SAT (F ) bethe set of models that F has over υ(F ). Let µυ(F )(F ) = #SAT (F ) = |SAT (F )|be the cardinality of SAT (F ).

The Graph Representation of a 2-CF. Let Σ be a 2-CF, the constraintgraph of Σ is the undirected graph GΣ = (V, E), with V = υ(Σ) and E =(υ(x), υ(y))|(x, y) ∈ Σ. Given a 2-CF Σ, a connected component of GΣ is amaximal subgraph of GΣ such that for every pair of vertices x, y ∈ V , thereis a path in GΣ from x to y. The set of connected components of Σ are thesubformulas corresponding to the connected components of GΣ . Let Σ be a2-CF, F = G1, . . . , Gr is a partition in connected components of Σ if V =υ(G1), . . . , υ(Gr) is a partition of υ(Σ).

Remark 1 If G1, . . . , Gr is a partition in connected components of Σ, then:

µυ(Σ)(Σ) =[µυ(G1)(G1)

] · . . . · [µυ(Gr)(Gr)]

(1)

In order to compute µ(Σ), we should first determine the set of connected com-ponents of Σ, and this procedure can be done in linear time [7]. From now on,we suppose that Σ is a connected component. We say that a 2-CF Σ is a cycle,a chain or a free tree if GΣ is it too.

3. Linear Procedures for #2SAT for subclasses of 2-CF

If GΣ is a linear chain with m edges: let us write down its associated formulaΣ, without a loss of generality (ordering the clauses and its literals, if it werenecessary), as: Σ = c1, c2, ..., cm, where |υ(ci)∩υ(ci+1)| = 1, i ∈ [[m−1]], thenΣ =

yε1

0 , yδ11 , yε2

1 , yδ22 , . . . , yεm

m−1, yδmm

, δi, εi ∈ 0, 1, i = 1, ..., m.

As Σ has m clauses then |υ(Σ)| = n = m + 1. The frequency of y0 and ym

is 1, while the other variables: yi, i = 2, ..., m − 1 appear twice in Σ.Let fi a family of clauses of Σ built as follows: fi = cjj≤i, i ∈ [[m]]. Note

that fi ⊂ fi+1, i ∈ [[m − 1]]. Let SAT (fi) = s : υ(fi) → 0, 1|s satisifies fi,Ai = s ∈ SAT (fi)|yi ∈ s, Bi = s ∈ SAT (fi)|yi ∈ s. Let αi = |Ai|; βi = |Bi|and µi = |SAT (fi)| = αi + βi. In general, we can calculate the values for thepairs: (αi, βi) associated to each node xi, for i = 1, .., m, according to the signs(εi, δi) of the literals in the clause ci, by the next recurrence:

(αi, βi) =

⎧⎪⎪⎨⎪⎪⎩

(βi−1 ,αi−1 + βi−1) if (εi, δi) = (0, 0)(αi−1 + βi−1,βi−1 ) if (εi, δi) = (0, 1)(αi−1 ,αi−1 + βi−1) if (εi, δi) = (1, 0)(αi−1 + βi−1,αi−1 ) if (εi, δi) = (1, 1)

(2)

As |SAT (fi)| = µi = αi + βi, then µi determines the number of models forfi = cjj≤i, i ∈ [[m]], and then µm =#SAT(Σ) is computed in time O(m).

29

Let Σ a 2-CF with n variables and m clauses and where GΣ = (V, E) isa free tree. We compute µ(Σ) while we are traversing GΣ in depth-first. Theinitial node v ∈ V for the search is any vertex with degree 1, and that node vwill be the root node of the tree AΣ defined by the depth-first search. As GΣ isa free tree then there are not back edges in AΣ . The associated pair to a node v(v ∈ AΣ) is denoted by (αv, βv). We denote with ′ →′ the application of one ofthe four rules of the recurrence ( 2).Algorithm Count Models for free trees(AΣ)Input: AΣ the tree defined by the depth-search over GΣ

Output: The number of models of ΣProcedure:Traversing AΣ in depth-first and, while a node v ∈ AΣ is visited, assign:

1. (αv, βv) = (1, 1) for any leaf node v ∈ AΣ .2. If v is a father node with a unique child node u, we apply the recurrence (2)

considering that (αi−1, βi−1) = (αu, βu) and then (αi−1, βi−1) → (αi, βi) =(αv, βv).

3. If v is a father node with a list of child nodes associated, i.e., u1, u2, ..., uk arethe child nodes of v, then as we have already visited all the child nodes, theneach pair (αuj , βuj ) j = 1, ..., k has been defined based on ( 2). (αvi , βvi) isobtained by apply (2) over (αi−1, βi−1) = (αuj , βuj ). This step is iterateduntil computes all the values (αvj , βvj ), j = 1, ..., k. And finally, let αv =∏k

j=1 αvj and βv =∏k

j=1 βvj .4. If v is the root node of AΣ then return(αv + βv).

This procedure return the number of models for Σ in time O(n + m) whichis the necessary time for traversing GΣ in depth-first.

3.1. The constraint Graph contains cycles

Let Σ a (2, 2µ)-CF such that GΣ = (V, E) is a simple cycle with m nodes, then|V | = m = n = |E|. Ordering the clauses in Σ: | υ(ci)∩υ(ci+1) |= 1, and ci1 = ci2

whenever i1 ≡ i2 mod m, hence y0 = ym, then Σ =ci = yεi

i−1, yδi

i m

i=1,

where δi, εi ∈ 0, 1. Decomposing Σ as Σ = Σ′ ∪ cm, where Σ′ = c1, ..., cm−1is a chain and cm = (yεm

m−1, yδm

0 ) is the edge which conforms with GΣ′ the simplecycle: y0, y1, ..., ym−1, y0. We can apply the linear procedure for chains in orderto compute µ(Σ′) since Σ′ is a chain.

Every model of Σ′ had determined logical values for the variables: ym−1

and y0 since those variables appear in υ(Σ′). Any model s of Σ′ satisfies cm

if and only if (y1−εmm−1 /∈ s and y1−δm

m /∈ s), this is, SAT (Σ′ ∪ cm) ⊆ SAT (Σ′),and SAT (Σ′ ∪ cm) = SAT (Σ′) − s ∈ SAT (Σ′) : s falsifies cm. Let Y =Σ′ ∪ (y1−εm

m−1 ) ∧ (y1−δmm ), and then:

#SAT (Σ) = µ(Σ) = µ(Σ′) − µ(Y ) = µ(Σ′) − µ(Σ′ ∧ (y1−εmm−1 ) ∧ (y1−δm

m ))

Note that this last equation can be generalized for computing #SAT (Σ) ifGΣ can be decomposed in a chain and in a set of cycles S = C1, C2, ..., Ckwhere there are not common edges between any two different cycles of S.

30

GΣ contains disjointed cycles: Let Σ′ ⊆ Σ be the set of clauses whereGΣ′ is a chain (with all the variables of Σ considered, i.e. υ(Σ′) = υ(Σ)).Σ′ = c1, ..., cm determines an order over its clauses and its literals given fori = 1, ..., m − 1, |υ(ci) ∩ υ(ci+1)| = 1.

Let Γ = Σ − Σ′ be the set of clauses such that for each clause d ∈ Γ ,it conforms a cycle in GΣ′ . We order the clauses in Γ = d1, ..., dk where ifi < j then the variables in di appear in clauses of Σ′ before of the clauses whereappear the variables of dj , and also order the literals for each di = (li1 , li2) ∈Γ, i = 1, . . . , k in such a way that i1 < i2, according of the induced order givenby the clauses in Σ′. Note that for each di = (li1 , li2), the node υ(li1) points outthe beginning of one cycle. While the node υ(li2) points out the end of the samecycle. Let Di = ci1 , ci1+1, ...., ci2−1, ci2 be the set of clauses of Σ′ involved bythe cycle signaled by di, each Ci = Di ∪ di, i = 1, . . . , k is a cycle formula.

For each di ∈ Γ, i = 1, . . . , k we conform the set of clauses Yi = (li1), (li2)∪Di which is a chain where the two extreme nodes of the chain have associatedthe unitary clauses (li1) and (li2). Then µ(Σ), where Σ contains the linear chainΣ′ and the k cycles: Ci, i = 1, . . . , k, and such that there are not common edgesbetween any two different cycles, is:

#SAT (Σ) = µ(Σ′) − (k∑

i=1

µ(Yi)) (3)

Example 1 Let Σ = (y1, y2), (y2, y3), (y3, y1), (y3, y4), (y4, y5), (y5, y6), (y4, y6),(y6, y7), (y7, y8), (y9, y8), (y9, y6) be a 2-CF which contains the monotonic chain;Σ′ = (yi, yi+1), i = 1, ..., 8, and Γ = d1, d2, d3 = (y1, y3), (y4, y6), (y6, y9).There are three cycles conformed by C1 = (y1, y2), (y2, y3), (y3, y1), C2 =(y4, y5), (y5, y6), (y4, y6) and C3 = (y6, y7), (y7, y8), (y8, y9), (y6, y9). And thesets of clauses Yi, i = 1, 2, 3, where Y1 = (y1), (y1, y2), (y2, y3), (y3), Y2 =(y4), (y4, y5), (y5, y6), (y6) and Y3 = (y6), (y6, y7), (y7, y8), (y8, y9), (y9).

We denote with (αi, βi)/G the corresponding pair (αi, βi) associated to thenode yi from the graph of the formula G. Note that as Σ′ is a monotonic chainwe have to apply ( 2) when we are traversing each node of the chain, and weapply ( 3) in order to compute µ(Σ). Showing the computing of (αi, βi)/Σ inparallel way with each series (αi, βi)/Yj

, for Y1, Y2, Y3, we have:

y1 y2 y3 y4 y5 y6 y7 y8 y9

d1 d2 d3

Fig. 1. The constraint graph for the formula of the example 1

y1 y2 y3 y3

µ(Σ′) : (1, 1) → (2, 1) → (3, 2)µ(Y1) : (0, 1) → (1, 0) → (1, 1) → (1, 0)

31

since (y1) ∈ Y1 and (y3) ∈ Y1. Thus, (α3, β3)/Σ = (α3, β3)/Σ′ − (α3, β3)/Y1 =(3, 2) − (1, 0) = (2, 2), then:

y3 y4 y5 y6 y6

µ(Σ′) : (2, 2) → (4, 2) → (6, 4) → (10, 6)µ(Y2) : (4, 0) → (4, 4) → (8, 4) → (0, 4)since (y4) ∈ Y2 and (y6) ∈ Y2.Then, (α6, β6)/Σ = (α6, β6)/Σ′ − (α6, β6)/Y2 =(10, 6)− (0, 4) = (10, 2). And,

y6 y7 y8 y9 y9

µ(Σ′) : (10, 2) → (12, 10) → (22, 12) → (34, 22)µ(Y3) : (10, 0) → (10, 10) → (20, 10) → (30, 20) → (30, 0)

since (y6) ∈ Y3 and (y9) ∈ Y3. (α9, β9)/Σ = (α9, β9)/Σ′ −(α9, β9)/Y3 = (34, 22)−(30, 0) = (4, 22). #SAT (Σ) = µ(Σ′) − (µ(Y1) + µ(Y2) + µ(Y3)) = 4 + 22 = 26.

Then, in base on the equation ( 3), we obtain that:

Theorem 1 If GΣ can be decomposed in a linear chain GΣ′ (where υ(Σ′) =υ(Σ)) and a set of cycles such that there are not common edges between any twodifferent cycles, then #SAT (Σ) is computed in polynomial time.

4. Conclusions

Let Σ be a 2-CF with n variables and m clause and such that GΣ (the con-straint undirected graph of Σ) is acyclic, then we show an efficient procedure tocompute #SAT (Σ) of time complexity O(n + m), which is the neccesary timefor traversing GΣ in depth-first.

We also present an efficient procedure to compute #SAT (Σ) being GΣ achain containing several cycles and such that there are not common edges be-tween any two different cycles of GΣ , which establish new polynomial classes for#2SAT.

References

1. Angelsmark O., Jonsson P., Improved Algorithms for Counting Solutions in Con-straint Satisfaction Problems, Int. Conf. on Constraint Programming, 2003.

2. Creignou N., Hermann M., Complexity of Generalized Satisfiability Counting Prob-lems, Information and Computation 125, (1996), 1-12.

3. Dahllof V., Jonsonn P., Wahlstrom M., Counting models for 2SAT and 3SAT for-mulae., Theoretical Computer Sciences 332,332(1-3): 265-291, 2005.

4. De Ita G., Polynomial Classes of Boolean Formulas for Computing the Degree ofBelief, Advances in Artificial Intelligence LNAI 3315, 2004, 430-440.

5. Greenhill Catherine , The complexity of counting colourings and independent setsin sparse graphs and hypergraphs”, Computational Complexity, 1999.

6. Roth D., On the hardness of approximate reasoning, Artificial Intelligence 82,(1996), 273-302.

7. Russ B., Randomized Algorithms: Approximation, Generation, and Counting, Dis-tingished dissertations Springer, 2001.

8. Vadhan Salil P., The complexity of Counting in Sparse, Regular, and Planar Graphs,SIAM Journal on Computing, Vol. 31, No.2, (2001), 398-427.

32

!" # $ # % &(' ) * & + & # , ) - . /(& # 01& 2 3 ) # & % . 45% & 6 & 7 , +897 : * & %7 , +;(7 < + = 7 &5> 7 ? @

ABDC E A FB5GHC BDA(C A IB(J KDL K M NG O J P Q M RG SUT VDW X Y Z [ \ ]5E K N ^AK _ K `W Q M N a Kb c O J Q _ Q d N O e f g Q K g O d Q K f hM R J Q K f ^ M d ^ i jUa Q d k l J N d P X M Q m O d ^ l c Q

no p q r s t q uC Nm v d ^w M w K Q f^ K P K Q M kw O ^ ^ d x k Kyd hw Q O P K hK N m ^ O cm v Kya O hx d N M m d O N^ a v K hK5O c^ e ^ m K hM m d a(z5S E EX k d K5M N _k O a M k ^ K M Q a vm K a v N d | J K ^c O Q(G Iw Q O w O ^ K _x e5~yM R J Q K5K m M k l M Q K5K ` w k O Q K _ l v Q K K5d hw O Q m M N m w M Q M hK m K Q ^ m v M m N K K _m O5x KDm J N K _M Q KDd N P K ^ m d g M m K _ l IN K K d g v m d N g5v K J Q d ^ m d aDd ^ _ K ^ a Q d x K _ l v K N f d m d ^ d N P K ^ m d g M m K _v O k O a M k ^ K M Q a v^ m Q M m K g d K ^ m v M m a O P K Q hO Q K5_ d P K Q ^ d c d K _w M Q m ^O c m v K^ K M Q a v^ w M a Ka M Nw Q O P KJ ^ K c J kd Nm v d ^5a O hx d N M m d O NU^ a v K hK l W d N M k k e f d m(d ^^ m J _ d K _5v K N k O a M k^ K M Q a vd ^ x K ^ m a M k k K _5d m v d Nm v d ^ v e x Q d _5z5S E E X k d K5M k g O Q d m v hl

( 5 ( (

7 & # ) * @> @ ) " $ % & @y= 7 $ % % % , & ) ) @ % +6 = % @ %" 7 @ 6- % 7 & @ ." % 7 + # , 36 )7+ & 7 7 6 # 0 & % 7 < 6 = & ) * 3 =y# ,y6 = % & 7 0 6 # 0 7 "(= 7 , + " # , 3U) 5" 7 & 3 %7 , + = 7 & +U# , @ 6 7 , 0 % @ 8) @ 6D) 56 = % 7 & % 7 @ % +U) ,y) , %) D6 = % ) " " ) # , 3U6 )U@ % 7 & 0 =U 7 & 7 + # 3 U@ @ - @ 6 % 7 6 # 0 ;(;D " # < % 57 , + " ) 0 7 "@ % 7 & 0 = 1> 5 " # < % D7 0 =) 6 = % @ %y@ % 7 & 0 =6 % 0 = , # * % @) * 6 % & ) & U@6 = %U) 6 = % &) , %# 6 =& % @ % 0 6 6 ) @ ) %0 " 7 @ @ % @5) # , @ 6 7 , 0 % @ (= %0 ) # , 7 6 # ) , ) 6 = % @ %@ % 7 & 0 = 6 % 0 = , # * % @0 7 , 6 = * @D %7 & ) # @ # , 3 7 -6 )# , 0 & % 7 @ %6 = %3 % , % & 7 " % & ) & 7 , 0 %) (6 = % @ %@ ) " $ % & @ ¡ , + % % + . = - & # + # @ # , 3 6 = % @ %@ % 7 & 0 =U % 6 = ) + @# @0 * & & % , 6 " - 7= ) 66 ) # 0) D& % @ % 7 & 0 =U# 6 = # ,U6 = %> 0 ) * , # 6 - ¡ ,¢ £ ¤ . " ) 0 7 "(@ % 7 & 0 =y ;5> D# @50 ) , @ # + % & % +7 @57 & 7 , 0 = # , 3= % * & # @ 6 # 0 ) &57 ;(;D " # < %7 " 3 ) & # 6 = y 8) & % & % 0 # @ % " - . 7 6 % 7 0 =, ) + %) 6 = % ;(;9+ % 0 # @ # ) , 6 & % % . 7;5># @ % & ) & % +) ,¥6 = %0 * & & % , 6 " -& % 7 # , # , 3> @ * & ) " % y* & # , 36 = # @9;5>¥@ 6 % .7% # 3 = 6 # @D0 ) * 6 % + ) &D% 7 0 =$ 7 & # 7 " % ¡ ;5> 7 # " @D6 ) & ) $ %0 ) , @ # @ 6 % , 0 -# 6 = # , 7 & % @ % 67 ) * , 6 ) 6 # % . 6 = % , ;(;@ % " % 0 6 @D6 = %$ 7 & # 7 " %# 6 = 6 = %= # 3 = % @ 6 % # 3 = 6 7 @(6 = % & 7 , 0 = # , 3) , % (= # @( 7 @ # 0= - & # +7 & ) 7 0 = & ) $ % +6 ) %% # 0 # % , 6 # 6 =& % @ % 0 6 6 )$ 7 & # ) * @5@ % 6 @) 5" 7 & 3 %7 , +U= 7 & +> # , @ 6 7 , 0 % @¢ £ ¤ ¦) % $ % & .# 6D0 ) * " +9@ 6 # " "( % # & ) $ % +y# ,y$ 7 & # ) * @7 - @ §¡ ,6 = # @9 7 % & .6 = & % % ) @ @ # " %# & ) $ % % , 6 @97 & %# , $ % @ 6 # 3 7 6 % + ' # & @ 6 .7, % % # 3 = 6 # , 3= % * & # @ 6 # 0# @D & ) ) @ % + D= % , . # 6 # @D% ¨ % & # % , 6 % += ) ;5> @ 6 & 7 6 % 3 # % @D6 = 7 6 0 ) $ % & ) & %+ # $ % & @ # # % + 7 & 6 @9) y6 = %@ % 7 & 0 =@ 7 0 %0 7 ,¥ & ) $ %* @ % * " # ,¥6 = # @90 ) # , 7 6 # ) ,@ 0 = % % ' # , 7 " " - .# 6# @9@ 6 * + # % += % ," ) 0 7 " @ % 7 & 0 =# @U % @ 60 7 " " % +# 6 = # ,6 = # @U= - & # + ;(;D " # < %7 " 3 ) & # 6 = U

©D(ª§« ¬(­5 ¬­« ® ®¯ DU¯ °(± ® ¯ « ± °(® « ®

" 6 = ) * 3 =9;5>y# @ -y# 6 @ % " 5* , 7 " %6 )U & ) $ % # , 0 ) , @ # @ 6 % , 0 - .# 6D0 7 ,9 & ) $ # + %* @# 6 =@ ) %* @ % * " # , ) & 7 6 # ) ,6 = 7 6 0 7 ,= % " # , 0 ) , @ # @ 6 % , 0 -6 ) %+ % 6 % 0 6 % + ;(% 6 * @D% " 7 ) & 7 6 %) ,6 = # @

33

! " # $# " % & ! # # ! ' (! $ " ) $ ( *) + $ + ,)! - % $ - . ! " # ) ( / 0 1 $ ( % ! '- ! - % # ! 2 ! $ ! % $ " !

324 5 6 7 6 8 6 9 7.:; <

Σ = > ? @ A > > BDC E F ? E G C G H I E H $ $

Σ 2 %$ 2 $

! Π ! (

Π ⊂ ΣΠ

J - ( #' " ( %.> ? F A > > B-C E KF ? E G C G H I E H L # 2, " .% $ ( $ 2 $NM I = O I I? P(> ? F A > C H B# L % % ( Q , $#% ' $# (" % $ %" %( - $ $# " R . S . $# 2 ! " $# %( ! $# # ! " Q %- ( S $ # T $ " ( ! " Q 2 %-C E F ? E G C G H I E HF ? O I G

324 5 6 7 6 8 6 9 7U*

Σ" ( # +

Π <C E F ? E G C G H I E H F ? O I $

Σ $ $

Π ⊆ Σ %

Π

Π (? V I O A > > C E F ? E G C G H I E H F ? O I $

Σ $ $

Π ⊆ Σ %

Π ' "

- # # Π $

Σ WC E C WA > > B)C E F ? E G C G H I E H# $ $$ # # Q

Ω $

Σ X

ΠX≤ XΩX

YZ 9 [ 4 Z 8 \:*

Σ" + N ( ] ^ ( , .L( $

Σ2

! $# . $Σ $ $ %

1 %) )_ , #` #$ 2 ) ! ! " 2 $ 2 2$ $ %-% ! '-$ %(*( (" ! %( ( , , , / 0 L % % ! $ .$ $ %( ! ! % ' $#" Q ' '( . % " %( . % ! ! R ! %. 0 a (*. # ." ' % $ b_ **D - % % % 2" ' " J 2" , , . (" $ %( - Q R ^ ! #*- $ ) ! 2( ,.% R - , ( ! " $2$ $ %) ! % ! ') ($ $ , L % % # ( ! " $2$ $ % ! $ 2 % + $ ) ! ) ' -" ( ' # L )' Q ! " 2 $$ $ %) ! 2% 2c ! d -% ! '- $ $ , L ! # . d. $ ) %-% ! '- ,.% # # ( )" . , %) - + (, * ! ' R% $ $ ' % % ! ( ( !

efgih jk l#hmon p2n mol#q r2ls t uos v w l#v t x#y

;$ % % ' NR ! %N N z+ %D R ! %N% $ + / ! " $$ $ %) ! ( ! '- ! (R ! %-" ( " %) + ! " $$ $ % ! ' % #" ! ! ' N ! D

34

! " $# %&' (" ) * + ( -, . / 0 1 ( ( ( ( 2 0 " " " ! " -3) 1 ( 41 0 "- "5" "5 - 6 76 4 6 8(( ( " " 4 1 ! 0 6 " 3) * ! 01 5 59 : 8 95 ( ( ( "5 4 ( 0 4 + 0 58 ; 5 " 6< 05" 1 5 5 5 ) ( 1 6%= ( > 5 ! - ? 1 " ( ( "? " ! " % -, @ /0 " 5 ( " 4 ! ( 4 &0 * ( ( " - 0 ( ! 5 -" " ; - ( * 1 " ' 5 1 - 4A 5 " ! ") 4% ) " 0 5 - " B - 0 , C / 6 ! ( 4% ) ) * " " 4&6 D( ( ( 5 5 5 ! " 4&6 ") 1 ! "5 5" 4 " E 9 F G 9 F @ 9 F D H 9 F D H H ")D I A 4 " 5 4 ! "5 ( " 4 "( # 6 " "( ; ( E J K LM N O O M N P O M Q R M S T U Q V ) " 0 0 " 0B ( * 6 (

W X Y Z [4\ ] W ^ _ [ ` ^ a Z bc a d e X _ f ` a g

h6i0jk4l)m6n o p(mqrk0n s-o t u0s n p t v t s ors w6x y k0n m4z t k6rk4vz |s-p s m0n |rp x m6 s

&6 " 1 4 6 " " , . /0 0 4 ! 5 4 "( 57# &6 4 ( ~ " 1 " * 4 5 A " " " 1 " * 4 5 "( A ), . / 4 5 "(7#( " ( (; " 47# " 5 E B B 767) 4 ! 4 1 7# I %0 " 1 + + - 1 )1 1 E ( " " 7676I # ' 0 5 "-( A 47#- ( 6 " 50 "

6i6z n m4z s 6t s pv k0n5 m6y y t )-

7# 0 0 "( 767 , . / 0 ( 0 "( 9 " 767 # 5 (7# "( * " 0 0 0 !

4 0 ¡ 0¢ £ ¤ - ¥¦¥§¥©¨©¥ª«¥¬ ­ ® ¡ ­6 ¯ ° ¥ ¨ ¨

35

!" # $ % % & !' ! & ( ) ( ) $ ! ! % * + , -. ! & # / # ( # $ ! ! % $ )+ 0 -0 ! &( # / # ( % ! 1 $ 2 / % !

3 4 56 7 8 9 : ; : < : = >? (# ( (# ! @# ( ) A # /( (# $ (# & $ ( ) ? & @1B+ C - $ 2D*ED &2 *+ F - !G ( H /# ( $ / ( ( ( I ! 1% ( ( J' @ " DK L " D*@M&*+ ' - $ ) A # # J @ " DN ) ( % A / ( ) !

. O J L ( + . - ! P # 0 Q Q2# R F2 # S Q2# TS Q $ ' Q Q $ ' S Q $. Q Q $ . S Q (0 Q Q $ # ) U ! 1% V ( ! 1% R W X 0 ! . S U % ) # ! 1 $ W XTY ! . S W XTY ! . S H H Z H $ # ) !1% / * Y ! . S ![ ) $%W X S ! . S2 ( ) ( 2 ! 1 ) ( 2 # ( ( R W X 0 ! . S U $ ( # 2 ( 2 ( % R W X*Y ! . S U $ ( )* T R W XTY ! . S U * / % ( R W X S ! . S U !

1 ( V0 . ! Y \ ] % A[ . !

^ _ ` a b c d ef gh_ i j%k _ i j l m2n i op q _ i r b p k b p s a q p

3 4 tu7 v w < 8 vx y;(z : 7 y 8 v

1% . ( % $ # ( % % / ! / & / @%$ / & / WP* / & / P% 1%|B # %/ J

• ( ) ( &+ , - • &Z # / # ( # • (&~ # / # R (S $ ) U% % $ / # # !

¡ ¢ £¤ ¥ ¡ ¦ § ¨¡ © ¡ ª § ¨ª ¡ ª¡ ¡ ¡ ª ¡ ¡ § ¨ª « ª ª ¡¡ ¬¡ ¡ § ¨ ­¡ ª® ¢¯ ¡ ¡

36

! " #$ % % & #$' ( ) ' * + -,- "% ./ # #0 ) ) " 1% ' 1 ' 0 + -! 0 2 342 2 4 560 + + 7 - + 2 " 342 2 -) + + 1 -

8-9:%;-<1= > ?1@ A ;-<1@ B-<1CED1F G @ D1F = H A IF @

! 0 1 1 ' J ' 0 LK M N ' J ,- ) % ' J O % & 2 " " ) ,- P) " +' ' + 1 ( ) 0 2 ) O + 2" "'% ) ( +% Q +' ( 1 ( ' + " ' + RJ + 7 " + ( +* 7 "* J * J J + * S J - R* " " ( 342 1 2 364 ,TE 2 - -

UV WX Y Z[ \ ] ^ \ _\ X ` aR* 7 + -

1 ,- - 7 + b1c d e f ghf i j k lm n o j p o qm r m e n

s \ t \ u \ X V \ av w x1yz | ~ z 1 - z ' 5 * , ! qr e p n Lqf r f i e g d Jm g j m e n e m e r e P p p f g j q ¡¢ r p ¡ p g m e f g q m r r p g d p £ ¤ ¥ z ¦ §1 ¨ . © $ ª « « ¬ ª ­ ® w ­ ­ § z

v ¦ x ¤ z ©~ ¯ ° ¥ -z $ ± ² ² ² 0 ~ ² ³ ´ ¥ ² |¨ 1 ² | ¥ µ ° ¶ · ¸ ¹ º » ¼· ½¾ ¿ ÀÁ1Â Ã)ª Ä Å ® Æ Ç « Ä ­ È « § É w ­ É É z

v ª xÊ z )z © 1¨ Ë # z . z 1µ ° ³ ´ ² ² ° ¥ ² | µ ¥ ° | ° ~ ²Ì | | ¯ ² -´ ° | ° | ¨ Í ¥ ° ´ Í ¥ ² | li f p p j e g d nf - 1 Î Ï Ð Ñ-Ò 2 Ñ M Ò Ó Ó Ô

v ® x ©z / z Õ ² | Ö1z $ ² ¥ ×z © ° 1 1Øz 1 µ ° ± z Ø ² ¯ ¬ ° ¥ ´ ~ ² ² | ° | ¨ Í ¥ ° 1 Ì | ° ° | ° | ¨ Ì ° ¶ · ¸ ¹ º » ¼ · ½Á1¸ ¾ · Ù» ¾ À ÚÛÀ » Ü · º Ý º Þ Ñ ß à Ò 2 Ñ á â ã M 2 Ò ä ä ¦ å å å z

v Ä x æz ص ° ° ² . z z . z ç ´ è | Øz Øz Ø1 | z $ Ì ¥ é / Í Í ¥ | ° Ì$ ° ~ é Ç ¨ ¨ Ì ² °. Ì# Ì ¥ $ ² Ì ~ ¨ $ ç êë¹ · ì ê · ½¾ ¿ ÀíÝ Þ ¿ ¾ ¿î º ¾ ê Â-· º ½ ê · ºë¹ Ý º ì Ý ï-¼ À Ü» º Ú1ë¹ » ì ¾ Ý ì À· ½Â· º Ü ¾ ¹ » Ý º ¾ ë¹ · Þ ¹ » ÙÙÝ º Þ # ² Ì ° µ ² × ° ² | ©- ´ µ ° ² $ Ì ² Ì ² ¯ ¥ z ¦ ® « å ¦ ª ª ¬ ¦ ® É ¦ å å ¦ z

v § x ð1z Ê z1Ê ² | ¥ JÊ z ñ% é $ ¥ ¯ é0´ ´ | ° ¥| ° | ¨ Í ¥ ° 0´ Í ¥ ² | g g m r n0f m p ¡ m e nm g j i e e e m r g p r r e d p g p -Ò â Ò ã M 2 Ò ò ò Ò Ó Ó ä

v « xÖ1z ± µ ² # z $ ó | ô-z Õ- õ é ² z Ö | ° é Ì ´ ¥ ² ° ² ° ² Ì ~ ö µ ² |-° ~ è |-° ¥ Ì ¥-| ² Ì ~ ² ° ~ | z g g m r nf m p ¡ m e nm g j i e e e m r g p r r e d p g p ¦ ¦ Ç ª w ­ ¬ ª ª w w ­ ­ É z

v É x ð1z ' | | ð1z ÷ ² Ì Ì ~ $ z 1 è ´ ° Ì è Ö1z $ ² ¥ # z ç | è z .1² ° ² é Ì ¬´ µ ° ° ¥ Ì ´ ¥ ² ³ ° 1¨ Ì ~ Ì ° ² | ° Ìø ´ ~ | ² ° | ° | ø ù» ¾ ¸ ¹ À w ª ª ¬ w ª « w ­ ­ ­ z

v ­ x-Ö1z $ ² ¥ Øz z 1 µ ° ± Ö1z ©- ~ ² z ú " "% 1 zli f p p j e g d nf - 1 Î Ï û ª ª « ¬ ª ® ª w ­ ­ ® z

37

A Logical Language for Dominoes

Fernando Raymundo Velazquez-Quesada1 and Francisco Hernandez-Quiroz2

1 Universidad Nacional Autonoma de Mexico, Instituto de Investigaciones enMatematicas Aplicadas y Sistemas, Circuito escolar, Ciudad Universitaria. C.P.

04510, Mexico D.F.frvq@uxmcc2.iimas.unam.mx

2 Universidad Nacional Autonoma de Mexico, Facultad de Ciencias,Circuito exterior, Ciudad Universitaria. C.P. 04510, Mexico D.F.

fhq@fciencias.unam.mx

Abstract. The mathematical theory of games does not allow explicitreasoning about the knowledge of the agents that interact in these com-petitive situations. In recent years there has been much work orientedtowards analyzing the flow of information in games using logical tools.The main point is to express explicitly the way the information (andtherefore, the knowledge) flows through the actions in a game. In thispaper we present a logical language that allows to express knowledgeof players and how actions modify this knowledge in the game of domi-noes. We define a language based on propositional epistemic logic forexpressing knowledge at a given stage of a dominoes match. Then weadd actions to it to describe how knowledge is modified by each actionthat occurs during the game. We describe the semantics of the languagein an informal way, and finally we present some examples of how thelanguage can express situations, knowledge of the players and how thisknowledge changes during a match.

1 Introduction

The mathematical theory of games, presented for the first time by J. von Neu-mann and O. Morgenstern [1], does not allow explicit reasoning about the knowl-edge of the agents that interact in these these competitive situations. We wouldlike to express explicitly the way the information (and therefore, the knowledge)flows through the actions in a game.

In recent years there has been much work oriented towards analyzing theflow of information in games using logical tools (see [2], [3] or [4]). A persistenttheme through these years has been “the pursuit of a broad conception of logic,oriented toward information structures and actions transforming these” [5]. Inour work, we use a logical language to express knowledge of players in a game,and how actions modify it. We focus in one particular game: dominoes.

The set of tiles for dominoes consists of all the possible pairs (28) taken fromnumbers 0 through 6. Four players sit around a table, partners sitting opposite.Each player takes 7 of the randomly shuffled closed tiles on the table. Any playerof the winning couple of the last match starts the next one playing any of her

38

tiles (in the first round, tile q6 6 starts) and the flow of the play moves tothe right. Each player must draw a tile in her turn, except when she cannot (inwhich case she passes: losses her turn). To draw a tile, it must match any of thetwo free-ends on the table. This tile is placed with its matching side next to thematching end on the table, leaving the other side of the tile as the new free-end.The winner is the couple to which belong the player that finishes playing all hertiles first. If no player can draw a tile and all still have tiles, then it is said thatthe match is closed and the winner is the couple whose tiles sums less points.

The idea of using logic to study dominoes comes from Eric Schwarz, whoanalyzed a partnership match using first order logic [6]. Our work is based inpropositional epistemic logic (EL) instead of first order logic. By using EL weavoid using a set of sentences to describe the properties of the knowledge weare modeling (as this description is implicit in the relations of the model). Asa modal (multimodal) logic, EL’s formulae are clean, transparent and compact.Most importantly, they are computationally solvable whereas first-order logicis undecidable. The goal of expressing the way knowledge changes is achievedby adding actions to the language (becoming propositional dynamic epistemiclogic). This also allows us to avoid sentences related to time.

2 Language DELD

Our language is based on the language of epistemic logic. The classical sourcefor epistemic logic is [7], in which J. Hintikka showed that a modal approachto single-agent epistemic attitudes could be informative and rewarding. Thislanguage comprises a set of atomic propositions, a set of logical connectives anda set of modal operators. Then it is possible to express the knowledge of a groupof agents about different situations, and even more, the knowledge they can haveabout the knowledge of other agents.

We define the set of players as J = a, b, c, d and the set of tiles as F = q0 0 , q0 1 , q0 2 , . . . , q5 5 , q5 6 , q6 6 . Our language is based on a set of atomicpropositions that expresses the basic facts about the game.

Definition 1 (Atomic propositions for dominoes ΦD). The set of atomicpropositions for dominoes (ΦD) is defined as

ΦD = qx y i

, qx y t, tilesi

n , tilestn , ptsi

n, ptst

n,

lesspointsi,j , turni , u. . . v , u. . . vqx y i

, qx y iu. . . v

where i, j ∈ J , qx y ∈ F and u, v are possible free-ends on the table. Eachproposition has the intuitive meaning shown in table 1.

For describing how actions modify the knowledge of the players, we need alanguage of actions in order to express that a formula holds after an action hasbeen executed. This language is built from a set of a basic actions of the gameusing sequential composition and non-deterministic choice.

39

Table 1. Intuitive meaning for atomic propositions

Proposition Intuitive meaningqx y iPlayer i has the tile qx y in her hand.qx y tThe tile qx y is on the table (has been played).

tilesin Player i has n tiles in her hand.

tilestn There are n tiles on the table.

ptsin

The tiles player i has in her hand sum n points.ptst

nThe tiles on the table sum n points.

lesspointsi,j The tiles of player i and player j sum less points than those of theother players.

turni It is player i’s turn.u. . . v The free-ends on the table are u and v.

u. . . vqx y i

The free-ends on the table were u and v before player i threw qx y .qx y iu. . . v The free-ends on the table were u and v after player i threw qx y .

Definition 2 (Action language for dominoes ALD). The actions α of theaction language for dominoes (ALD) are given by the following rule:

α ::= ε | αi px y | αiε | (α;β) | (α ∪ β)

where α, β ∈ ALD.The action ε is the “do nothing action”, αi px y has the intuitive meaning

“player i draws tile qx y on a free-end x on the table”, αiε means “player i

passes”, (α;β) represents the sequential composition of the actions α and β, and(α ∪ β) represents the non-deterministic choice between α and β.

Based on the atomic propositions on ΦD and the language of actions ALD, wedefine the dynamic epistemic logical language for dominoes. With this languagewe are able to express the situation at certain stage of a match, the knowledgeof the players and how actions modifies the situation and their knowledge.

Definition 3 (Language DELD). The formulae ϕ of the dynamic epistemiclogical language for dominoes (DELD) are given by the following rule:

ϕ ::= > | p | ¬ϕ | (ϕ ∨ ψ) | Kiϕ | CBϕ | [α]ϕ

where p ∈ ΦD, i ∈ J , B ⊆ J , ϕ,ψ ∈ DELD and α ∈ ALD.The logical connectives ¬ and ∨ have the usual meaning (> is the proposition

that is always true). The formula Kiϕ has the intended meaning “the agent iknows that ϕ”, the formula CBϕ means “it is common knowledge between agentsin B that ϕ (everybody in B knows ϕ, everybody in B knows that everybody in Bknows ϕ and so on.)” and [α]ϕ means “after the action α is executed, ϕ holds”.

3 Informal Semantics of DELD

Epistemic logic is a multimodal logic, and therefore the language has meaning instructures called Kripke models after Saul Kripke’s classical presentation [8]. For

40

epistemic logic, the intuitive idea behind Kripke models (also known as possibleworld models), as presented by Hintikka [7], is that there are a number of otherpossible worlds besides the real one. Given her current information, an agent maynot be able to distinguish between this real world and the other possible (but notreal) worlds. In the game of dominoes, these possible worlds have a concrete anddirect interpretation: all the possible distribution of the tiles among the players.

Usually, given a set of agents A and a set of atomic propositions Φ, a possibleworld model M is defined as a tuple M = (W,Ri, V ) where

– W 6= ∅ is the set of possible worlds.– Ri is a binary relation over W for each agent i ∈ A (Ri ⊆ (W ×W )).– V : Φ→ 2W assigns to every atomic proposition a subset of W .

For our purposes, we need to make modifications to the possible world model:

1. In a possible world given, each atomic proposition has a truth value indepen-dently of the truth value of the others atomic propositions. In dominoes, thetruth values of some atomic propositions are related (like q0 2

a and q0 2c, it

is not possible that two players have the same tile). We need to define truthvalues for an atomic proposition in a way that the truth values of its relatedpropositions are related.

2. Some of the atomic propositions (turni, u. . . v , u. . . vqx y i and qx y i

u. . . v ) cannot be given a truth value by just knowing distribution of the tiles at acertain stage. To give truth value to these propositions we need to keep arecord of the actions that have been executed during the match. A formaldescription of the possible world model for dominoes and the history of amatch (a sequence whose entries record an action and the free-ends thatresult from that action) will appear in a future paper.

3. To give a truth value to each formulae of the form [α]ϕ, we need also tospecify how each action modify the possible world-history of a match pair.Following ideas from [9], each action is then consider as a map that takesthe possible world model and the history that describes the situation of thegame before the action, and returns the possible world model and the historythat describes the situation of the game after the action. Again, a formaldefinition of these actions as a maps will appear in a future paper.

4 Examples of the Use of the Language

We give some examples of the use of the language on a dominoes match:

– qx y J ≡ qx y a ∨ qx y b ∨ qx y c ∨ qx y d: Tile qx y is in some player’s hand.– qx i ≡ qx 0

i ∨ qx 1i ∨ · · · ∨ qx 6

i: Player i has at least one tile with x.– Kc¬Kb

q1 6c: Player c knows that b does not know that she has q1 6 .

– tilesa7 → [αa px y ]tilesa

6 : If a has 7 tiles, then after she plays any tile, she willhave six of them.

– (turna ∧ 4. . . 6 ) → [αa p6 5]5. . . 4 : If it is a’s turn with 4 and 6 as free-ends, and

a plays q6 5 , then the free-ends will be 5 and 4.

41

– (0. . . 6 ∧ turnd) → [αdε ]CJ (¬ q0

d ∧¬ q6d): If it is d’s turn with 6 and 0 as

free-ends of the table, and d pass, then it will be common knowledge amongall the players that neither d has 0 nor 6.

– closed ≡ x. . . x ∧ ¬ qx J : The match is closed (no tile can be played).– tilesJ

−a

n ≡∨

i∈J−a (tilesin): Player b, c or d has n tiles (J−i = J − i).

– woni,j ≡ (tilesi0 ∧ ¬tilesJ

−i

0 ) ∨ (tilesj0 ∧ ¬tilesJ

−j

0 ) ∨ (closed ∧ lesspointsi,j): Thecouple i and j has won the match.

5 Conclusions and Further Work

We have defined a logical language DELD to describe situations during a gameof dominoes. Due to space constraints, we do not define here a formal semanticsfor the language. In a further paper a formal semantics will be offered.

As pointed by S. Druiven in [3], we can distinguish four kinds of knowledge ina game environment: game knowledge (knowledge players have about the rules ofthe game they are playing), definite knowledge (knowledge about the situationof the game that is developed as a consequence of the actions in the game),strategic knowledge (knowledge about strategies over the game) and historicalknowledge (knowledge about previous matches). For the time being, the languageDELD can only express definite knowledge. We expect to extend the languageand the semantic model to express not only definite knowledge but strategic andhistorical knowledge too. Most importantly, we are interested in the way strategicand historical knowledge influence the way definite knowledge of a single playerevolves during a match.

References

1. von Neumann, J., Morgenstern, O.: Theory of Games and Economic Behavior.Princenton University Press (1944)

2. van Ditmarsch, H.P.: Knowledge games. PhD thesis, Institute for Logic, Languageand Computation (University of Amsterdam) (2000)

3. Druiven, S.: Knowledge development in games of imperfect information. Master’sthesis, Institute for Knowledge and Agent Technology (University Maastricht) &Artificial Intelligence (University of Groningen) (2002)

4. Kooi, B.P.: Knowledge, chance, and change. PhD thesis, Institute for Logic, Lan-guage and Computation (University of Amsterdam) (2003)

5. van Benthem, J., Dekker, P., van Eijk, J., de Rijke, M., Venema, Y.: Logic in action.Institute for Logic, Language and Computation (University of Amsterdam) (2001)

6. Schwarz, E.: An instance of a complete communication cycle within co-operativegames: the case of domino. Unpublished (2001)

7. Hintikka, J.: Knowledge and Belief. Ithaca, N.Y. Cornell University Press (1962)8. Kripke, S.: Semantical analysis of modal logic i. normal modal propositional calculi.

Zeitschrift fur Mathematische Logik und Grundlagen der Mathematik (1963) 67–969. Baltag, A., Moss, L.S., Solecki, S.: The logic of public announcements, common

knowledge and private suspicious. Technical Report SEN-R9922, CWI, Amsterdam(1999)

42

Fregean Algebraic Tableaux:

Automating Inferences in Fuzzy Propositional Logic

Christopher Lepock1 and Francis Jeffry Pelletier2

1 University of Alberta clepock@ualberta.ca2 Simon Fraser University jeffpell@sfu.ca

Abstract. We develop a tableau procedure for finding theorems andconsequence relations of RPL (i.e., Lℵ extended with constants and adeterminacy operator). RPL includes a large number of proposed truth-functions for fuzzy logic. Our procedure simplifies tableaux for infinite-valued systems by incorporating an insight of Frege’s. We take formulasof the language to be names for their truth-values, which permits themto be manipulated in the tableaux as if they were algebraic variables.

1 Fuzzy logic

The central idea of fuzzy logic is that the truth-values are the [0..1] interval,with 0 corresponding to classical falsity and 1, to classical truth. There is littleconsensus on how best to define infinite-valued connectives. A wide variety oftruth-functions have been proposed for different purposes in the literature. Ourresearch has focused on the system RPL, which is particularly interesting inthree ways. First, it contains the system L, arguably the most plausible fuzzyextension of the classical conditional (see [1], and the arguments of [2, pp. 114-8]and [3, pp. 366-7]). Second, it can talk about the truth-values of its formulas.Thus, it allows one to model approximately valid arguments and approximatelytrue sentences by allowing one to say just how truth-preserving an inferenceis or how true a sentence is. Third, in it, we can define a wide variety of theconnectives that have been proposed in the literature. It is particularly importantfor theorem-proving systems to have this breadth; the capacity to determineeasily what the tautologies of these new truth-functions are will make it mucheasier to determine their merits and demerits for the applications for which theywere proposed. Using 〚ϕ〛to be the truth-value of ϕ, RPL is defined as:

〚ϕ ⊃ ψ〛= min(1, 1-〚ϕ〛+〚ψ〛)〚¬ϕ〛= 1 -〚ϕ〛〚Ci〛= i, for each rational i ∈ [0..1]〚Jiϕ〛= 1 if 〚ϕ〛= i, 0 otherwise.

In the interests of space, we will only discuss a two other automated proce-dures in detail; but there are a number of others worth mentioning. There areseveral procedures that, like those of [4] or [5] apply just to the fragment of Lℵ43

having only the truth-functions ∧,∨,¬. [6] gives a procedure that can deter-mine theoremhood in any decidable propositional fuzzy logic. As the run timeof this algorithm is at least doubly exponential, its use is not practically feasi-ble. [7] outlines a procedure that finds a finite number of subintervals of [0..1]such that if the formula in question takes the value 1 on an arbitrarily chosenvalue from each subinterval, the formula takes the value 1 on the entire range oftruth-values. This procedure also appears to be quite complex in operation.

[8] and [9–12] describe methods which are closely related to one another andto the method we will outline below. Although these systems were designed forLℵ, they can be extended to cover the full RPL. Both are, in effect, tableau sys-tems. Hahnle’s constraint tableaux are extensions of signed tableaux to infinite-valued logics; Beavers’s procedure consists of decomposing a formula into a setof equations to be checked for satisfiability, although he does not present theseequations in tableau format. The central idea of Beavers’s procedure is that eachformula of Lℵ corresponds to a set of linear polynomial functions, determinedby the truth-functions corresponding to the connectives found in the formula.Each formula will exhaustively divide the [0..1] interval into a bunch of disjointsubintervals, where each of these subintervals is describable by a linear function.The formula as a whole is merely the piecewise combination of these functions.Therefore, to find whether a formula is a logical truth (always takes the value 1),the task is to determine whether this combination of functions ever takes a valueless than 1; and this amounts to determining whether any of the functions de-scribing the formula over a subinterval takes a value less than 1. Beavers reportsvarious implementations of an algorithm that makes use of a linear programmingpackage to evaluate the polynomials generated by the formulas.

Hahnle’s constraint tableaux are a variant on signed tableaux for finite-valuedlogics, which consist of formulas prefixed with signs indicating their truth values.In constraint tableaux, rather than representing individual truth values, the signsplace constraints on the truth values of their formulas. The decomposition rulesof constraint tableaux result in new constraints applied to the formulas of whichthe original was composed, and inequations (equations with inequality relations)representing the relations between the variables used in the signs. There are nobranching rules; instead, Hahnle uses binary variables (variables that can takeonly 0 and 1 as values), which represent the same information as new branchesof the tableau would contain. For instance, the decomposition rules for ⊃ are:

≤ i (A ⊃ B) ≥ i (A ⊃ B)

⇓ ⇓

≥ (1 − i+ jy) A (y ≤ i) ≤ (1 − i+ j) A

≤ (j + y) B ≥ j B

In the rule on the left, y is a binary variable. The information contained inthe signs can also be entered into the series of inequations; for instance, from

≤ k2 B we can infer 〚B〛≤ k2. To show that a formula A is a theorem of fuzzy

logic, we start a tableau with ≤ i A and decompose A fully. We then evaluate44

the resulting inequations, and say that A is a theorem if and only if the least ithat satisfies every inequation is 1.

Applying the decomposition rules for these tableaux is simple, particularlysince there are no branching rules. The difficult part is determining whethera branch is open or closed. To do this, Hahnle treats the series of inequationsassociated with a tableau as a problem in linear programming, and in his imple-mentation he passes these inequations off to a linear programming package.

2 Fregean Algebraic Tableaux

The use of signs in tableaux for infinite-valued logics is unnecessarily com-plicated. Each application of a conditional decomposition rule in constrainttableaux forces the introduction of a new variable (the variable j in the rule listedabove), in order to relate the constraints found in the signs for antecedent andconsequent to each other. This problem arises because, like classical tableaux,constraint tableaux permit only syntactic entities to occur in the tableau it-self. Frege argued that propositions designate their truth-valuesany true propo-sition designates an object called ‘the true’, and any false proposition designates‘the false’. (Different propositions have different “senses”; they designate theseobjects in different ways, like “the author of Uber Sinn und Bedeutung” and“Gottlob Frege” name the person in different ways.)

Fregean algebraic tableaux, or FAT, simplify constraint tableaux by takingformulas to designate their truth-values. On this approach, we can intelligiblymix logical formulas and arithmetical signs in the same expressions. This makesexpressions like p < k meaningful; this expression says that the truth-valuenamed by p is less than k. A formula containing a connective, however, canbe thought of as naming a truth-value that is a function of those named bythe subformulas it contains. Truth-functional constants can be thought of aspropositions that wear their truth-values on their sleeves; the constant C1 refersto the same thing as the number ‘1’, and so we need make no distinction betweenthem. This approach permits us to express all the information found in the signsof constraints in the lines of the tableau itself. The result is a system that cancombine the advantages of a tableau procedure with the efficiency of Beavers’spurely semantic procedure.

Part of our motivation in developing Fregean tableaux was to facilitate theteaching of fuzzy logic. The only way to really understand a logical system,especially one that understands truth in such an unusual way, is to work withinit, and thus learn not just what is tautologous, but why. Tableaux are familiarand intuitive, and the part of the task assigned to the linear programmer in anautomated procedure requires only high-school algebra to perform by hand (forfairly simple formulas, at any rate).

In the interests of space, we will present the procedure here for the basic con-nectives of RPL :⊃,¬, the constants, and the J-operators. As noted above, aplethora of further connectives can be defined in terms of these. The completesystem implemented in our automated prover. FLAT, uses separate rules for45

many of these connectives (which eliminates a number of duplicated branches).The procedure has been proven sound and complete.

We begin with a conclusion A, which we wish to prove, and a possibly emptyset of premises Γ . The procedure has three steps.Step 1. If one wants to prove that the conclusion takes the value 1 whenever thepremises do, the first line of the tableau should be A <1. Then, for any formulaφ ∈ Γ , a line of the form φ ≥ 1 should be entered in the tableau.

One may want to prove restrictions on the truth-values of one’s conclusion,or put restrictions on the truth-values of the premises, other than that they areabsolutely true. There are two ways to do this. One can state the restrictionsusing the language of RPL, and then use the rules applying to those connectivesto decompose the formulas in the tableau. It is easier, however, to enter suchrestrictions directly into the tableau as inequalities. So, if one wants to provethat 〚A〛≥ n for some n other than 1, the first line of the tableau would be A < n.To say that for some premise B, 〚B〛≥ k, one would enter the line B ≥ k. Thuswe could evaluate the correctness of the claim: “whenever each of the premisestakes a value greater than or equal to k, the conclusion must take a value ≥ n.(In the examples of this paper, we always use 1 as the “designated value.”)

Step 2. These two categories of rules may be applied anywhere in the derivation.(a) Replacement rules.

Rule C: A constant truth function may be replaced by the truth-value it signifies.Rule N: In any line of a tableau, any expression of the form ¬φ may be replacedwith 1 − φ. (E.g., from ¬p ≥ C0.5, infer the line ¬p ≥ 0.5 by rule C, and then1 − p ≥ 0.5 by rule N.)The justification of these rules (as should be obvious) is that, in keeping with ourFregean outlook, we take ¬φ and Ci to be names for 1−〚φ〛 and i, respectively.(b) Decomposition rules. These can be applied at any time to any formulas ofthe forms specified. Names are given above the rules for ease of reference.

⊃GE ⊃LEφ ⊃ ψ ≥ χ φ ⊃ ψ ≤ χ

↓ ւ ց

φ ≤ ψ − χ+ 1 φ ≥ ψ − χ+ 1 φ ≤ ψ

χ ≤ 1 χ ≥ 1

⊃SG ⊃SLφ ⊃ ψ > χ φ ⊃ ψ < χ

↓ ւ ց

φ < ψ − χ+ 1 φ > ψ − χ+ 1 φ ≤ ψ

χ < 1 χ > 1

JGE JLEJiφ ≥ χ Jiφ ≤ χ

ւ ↓ ց ւ ↓ ց

φ ≥ i φ > i φ < i φ > i φ < i φ ≥ i

φ ≤ i χ ≤ 0 χ ≤ 0 χ ≥ 0 χ ≥ 0 φ ≤ i

χ ≤ 1 χ ≥ 146

JSG JSLJiφ > χ Jiφ< χ

ւ ↓ ց ւ ↓ ց

φ ≥ i φ > i φ < i φ > i φ < i φ ≥ i

φ ≤ i χ < 0 χ < 0 χ > 0 χ > 0 φ ≤ i

χ < 1 χ > 1

Step 3. When no further decomposition or replacement rules can be applied,linear programming can determine whether the resulting set of inequations is fea-sible. When calculating by hand, this question can be resolved by simple algebra.(In a hand tableau, a branch closes if one can derive impossible inequalities orequations indicating that some formula must take a truth-values outside [0..1].The lines of any complete open branch containing no logical symbols exceptpropositional variables describe a set of valuations where all the premises take avalue greater than the designated value and the conclusion takes a lower value– i.e., a set of counterexamples to the inference or formula being investigated.)

3 A comparison of FAT and constraint tableaux

The chief advantage of FAT over constraint tableaux is that the former neverintroduce new variables to be calculated over; all information is represented usingsubformulas of the premises and conclusion at the head of the tableau. The rulesare also simpler (compare Hahnle’s ≤ i (A ⊃ B) rule with our ⊃LE), which canlead in some cases to drastically simpler tableaux. For example, consider

p ⊃ (p ⊃ (. . . .¬p) . . .),

with p repeated n times excluding the negated instance. Formulas of this form

take the value 1 for 〚p〛≤ n−1n

, and the value 1−[p]n

otherwise. Thus, none is atautology of Lℵ. When comparing the two systems, assume for simplicity thatthe procedure applies all possible decomposition rules and then checks the resultsfor feasibility, without checking for closed branches before all formulas have beendecomposed. This is obviously inefficient, but so is using the linear programmingmodule to check if branches that have not been fully decomposed are closed; sincethere are many ways of deciding which branches to continue to decompose andwhich not to, we will not assume any particular routine for doing so.

Under that scenario, the reader can easily verify the following statistics. Aconstraint tableau generated in that manner for a formula of the above formhas 2n branches (from the possible configurations of the n binary variables gen-erated); the FAT tableau has n + 1. Each branch of the constraint tableau has2n lines containing no logical operators (which are the lines that the linear pro-grammer must work with); the number of lines of that type in the FAT vary from1 to n on different branches. Each branch of the constraint tableau has n + 1distinct variables; each branch of the FAT has one (namely, p). The Fregeantableau allows the linear programming module to calculate the result from farless data and with far fewer possibilities to consider.

The moral of the story is: do less work; get FAT. 47

4 Conclusion

The FAT method has been implemented in Java and runs on the usual platforms(Linux/Unix, Mac, Windows). The user is allowed to vary the designated value,so that we can test whether, if all premises take at least the value r then sodoes the conclusion. There is also an option, for use with invalid arguments,to find the lowest value that the conclusion could take when the premises areall designated. (A test for what the ‘most invalid’ is for that the argument).The method of determining the validity of arguments in fuzzy logic is, we be-lieve, superior to the methods in the literature in various ways. To begin with,our procedure covers a wider range of operators than other theorem-provingprocedures (excepting [6]) Although Hahnle’s and Beavers’s methods could beextended to the class of connectives we describe, this has not been done so far.A more important improvement is that our rules are much more natural ex-tensions of finitely-many-valued tableau rules. Each tableau rule is a statementabout what truth-values the subformulas must name, which makes them easierto understand than Beavers’s “general polynomial formulas” or Hahnle’s signs.The Fregean insight our method uses allows linear programming to be used fordetermining validity in an ideal way both for pedagogy and for ease of under-standing in novel applications.

References

1. Hajek, P.: The Metamathematics of Fuzzy Logic. Kluwer, Dordrecht (1998)2. Williamson, T.: Vagueness. Routledge, London (1994)3. Paoli, F.: A really fuzzy approach to the sorites paradox. Synthese 134 (2001)

363–3874. Kenevan, J., Neapolitan, R.: A model theoretic approach to propositional fuzzy

logic using beth tableaux. In Zadeh, L., Kacprzyk, J., eds.: Fuzzy Logic for theManagement of Uncertainty. Wiley, NY (1992)

5. Lee, R., Chang, C.L.: Some properties of fuzzy logic. Info. and Contr. 19 (1971)417–431

6. Gehrke, M., Kreinovich, V., Buochon-Meunier, F.: Propositional fuzzy logics: De-cidable for some (algebraic) operators; undecidable for more complicated ones.Inter. Jour. Intel. Systems 14 (1999) 935–947

7. Morgan, C., Pelletier, F.: Some notes on fuzzy logic. Ling. and Phil. 1 (1977)79–97

8. Beavers, G.: Automated theorem proving for lukasiewicz logics. Studia Logica 52

(1993) 183–1969. Hahnle, R.: Automated Theorem Proving in Multiple-Valued Logics. Oxford UP,

Oxford (1993)10. Hahnle, R.: Many-valued logic and mixed integer programming. Annals of Math-

ematics and Artificial Intelligence 12 (1994) 231–26411. Hahnle, R.: Proof theory of many-valued logic – linear optimization – logic design:

Connections and interactions. Soft Computing 1 (1997) 107–11912. Hahnle, R.: Tableaux for many-valued logics. In D’Agostino, M., Gabbay, D.,

Hahnle, R., Posegga, J., eds.: Handbook of Tableaux Methods. Kluwer, Dordrecht(1999) 529–580

48

!#"$"&%' ())*,+-).#0/%'123.)

46587:9<;=?><5@7<>

ACBED#FHGJIKD#LEMON@P0BEQ@RTSUV@W XYV@Z\[EU]_^@`CaJbY^

cd-efg hjiEflknm Q8oqpsrutnL_N8BEo8v3BpsPxwlLEMsruBo8wMOBEtntBMsyCBMsP#B.zLEMstBEo|r|yt~#Po|o@yQ8rqpsP0NzLEMN@P0BEo|r|w~.rqpsps8Py@\pOBR_IJyPtB_psr|y6r|\psPxMzBPr|v#Lltn8Q8pOB psruLEjBoAr|8IwEQr|ypsr|y(8zLEMpsQ8jBpsPxo|)psPrqMPxR@8MsPyyr|YPL0~3PxMruyr|tnjBErqMsP0N\Bo|LlyyLEzr|\psQrqpsr|LlBENMsP0BENBr|o|r|pK\\PHru\pMsL_N@QPGOjB MOBpsPl8B6Llo|o|Pxpsr|LlLEzCpsL\LEo|y3zLEM@MsL_r|w?y@\pOBExpsr|BjNyPtBE\psr|(@MsLlPxMpsr|PyLz-P\psrqMsP(ouByyPyHLz-wMOBEtntBMsy~.8ruOBrutnyB pHzBEr|o|rqpOBpsr|wnpsPypsQN@LEz1ps8PyPouBEyyPxy<BENPxR@ouBEr|8ru8wN8rqzIzPxMsP\pour|8wlQr|ypsr|8PLEtnPjB_GOjBMOB psPr|y8Qr|oqpQLlB)zLMstBEo|r|0Bpsr|LELEztQoqpsr|tnL_NBEo:wEMOBtntBMsyr|ps8Pv3BEo|Qo|Q8y(LEzGKjN8Q8xpsr|YP?v#Ll8ypMsQxpsr|LEy(Q8yr|wv#L_ 8MsL\LzBEyyr|ypOBE\p0

¡ ¢£¤¥<¦§¨?©C¤<ªs¦£¬«®­¯¦¤<ªs°#±#¤<ªs¦£²

4?7<³;_>´;_>:µ@7:;@µ@¶n·¸;@>¶ ¹<º ·¼»½·><µ¾:7<¿¿E´¼¶8ÀCÁ7<Âx·¼><µ»½Ã<¶´;8¸s»Ä9¶EºE;@9¶l¸ÅC¸O¶EÆ@¶Â;_´ÇÈ5@½ɳÊ;@´¼·¸½³Ê¸Ã:;YÆ@¶ËC¶¶E>Ì9¶ Í:>:¶E9»½5γ59¶E´.Ãj7<³;_>̺5@µ@>:·u»x·¼58>Ï;@>:9»½5¶¹¾<´;@·¼>ϾC¶58¾<´¼¶8Ð ¸ÇJ;@º 7:´u»sÑ»x5´¼¶l;_Âx>Å<;_>;_´Ñ¿E¶;@>:9)7<>:9¶EÂx¸O»x;@>:9¶E;@¸½·´¼Ñ9·¼Ò-¶Âx¶>»6>:;\»x7<Â;_´1´;_><µ87:;_µ8¶E¸EÀ=6³Ê5@><µ¸s»n»xÃ<¶E¸½¶¾<Âx5@¾C58¸x;_´¸Å1Ó(¶ÊÍ:>:9ÔÌÀÔ5j5@½»½µ;\»EÐ ¸Ä³7:´u»x·¼³Ê59<;_´Hº;\»x¶µ85@Âx·;@´µ@Â;_³É³Ê;@Âx¸ÄÕ Ô5j5@½»½µ;\»Ö×ØÀ:ÙÚÃ<·¸³Ê5j9<¶´·¸Ë:;8¸O¶l95@>´¼58µ@·º;@´-»sѾC¶Ä»½Ã:¶5@ÂxÑT;@>:9¾<Âx5\Æ·9¶l¸(;@>¶E;@¸½ÑÛ¸½Ñj>»x;\¹Ü_¸O¶E³Ê;@>»½·º¸·¼>»x¶Â½ÇJ;@º ¶8Å.5\Ó·><µ»½5»xÃ<¶ÝH7<Âx½ÑÉ465\ÓÚ;_Â9̺ 58½Âx¶E¸½¾C5@>:9¶E>:º ¶8ÀÔ5@Âx¶5\Æ8¶ÂlÅj»½Ã<·¸ÇÈ58½³;_´·¸O³Þ·¸?¾5\Ó(¶Â½ÇÈ7<´¶><587<µ@ûx5T9¶E;@´Ó·¼»½Ãκ5@³Ê¾<´¶ ¹>:;\»x7<Â;_´´;_><ɵ@7:;@µ@¶(¾<Ã<¶>:5@³Ê¶>:;:À_ß6>ÇÈ58ÂO»x7<>:;_»½¶´Ñ@ÅY»xÃ<¶6¸O»½Âx¶><µ@»½Ã5_Ç-³7<´¼»½·³Ê5j9:;_´µ@Â;_³Ê³;_¸·¸.º5@7<><É»½¶ÂxË:;@´;@>:º ¶l9ËjÑ;_>Ê5@ËjÆj·¼587:¸´58¸x¸35_Ǹ½·¼³Ê¾<´·º·u»sÑÊ;_>9Âx¶E;89<;_Ë:·¼´·u»sÑ8À@ÙÚÃ<¶E½¶EËÑ8ÅY»½Ã<¶E½¶?·¸.;@>·¼³Ê¾C¶Âx·¼587:¸><¶E¶E9)ÇÈ5@ÂÚ»x558´¸6ÓÃ<·ºÃÇJ;8º ·´¼·¼»x;_»½¶Ä»½Ã:¶¸s»x7:9Ñ;_>:97:¸½¶n5_ǸO7ºÃº5@³Ê¾<´·ºE;\»½¶l9´¼·><µ@7:·¸O»½·ºÇÈ5@Âx³;_´·¸½³¸À:ÙÚÃ:¶;_³Ë:·u»x·¼587:¸¾<Âx5_às¶lº0»6;_·³Ê·¼><µ;_»6¾<Âx5j9<7:º ·><µ;_>;@7»½58³Ê;_»½·º»½5j5@´-ÇÈ58Â(³7<´¼»½·³59<;@´´5@µ@·º¸(·¸(><5_»6Âx¶E;@´¼·¿E;@Ë<´¼¶;@¸(»xÃ<¶Ä¾<½5j5@Çɸ½¶E;@ÂxºÃ¾:½58Ë<´¼¶E³á·¸Ú7:>:9¶ ɺ ·9<;_Ë<´¶@Àâ¶Ä˶E´¼·¶Æ8¶»½Ã:;_»(»xÃ<¶Ä7:¸½¶5@Ç#;¾<Âx55@Ç#;8¸½¸½·¸O»x;@>»(¸½7:ºÃ;8¸6ãäåÌÕ|ÝH5jæj=ç_è\ØÓ·´¼´´¼¶l;@9T»½5;ʸ½;_»½·¸sÇJ;8º0»x5@ÂxѺ 5@³Ê¾<Âx5@³Ê·¸O¶8ÀÙÚÃ<¶Âx¶ ÇÈ58½¶8Å<ÓH¶n¾:½58¾5¸O¶n;³Ê¶ »;\É´¼·><µ87<·¸O»½·º»½5j58´¼éj·¼»EÅ

ICHARAT EÅË<7<·´u»?7:¾58>ãäå

¾<½5j5@Ç#;@¸x¸½·¸O»x;@>8»6;@>:9)9<¶E9·º;_»½¶E9)»x5Ê»½Ã<¶¸O»½7:9<ÑT5_Ǹ½Ñ>»;@º0»x·ºÄ;@>:9¸O¶E³Ê;@>»½·º¾:½58¾¶EÂO»x·¼¶l¸5_Ç<³7:´u»x·¼³Ê59<;_´j´5@µ8·ºE¸À\ê7<»x558´¼éj·¼»·¸3;ÚÇÈÂx;@³Ê¶Ó(5@Âxé·>»½¶>9¶E9ÄÇÈ58ÂËC5_»xÃ><¶E5@¾<ÃjÑ»½¶l¸;@>:9¸O¶E><·¼58Â?Âx¶E¸½¶E;@ÂxºÃ<¶EÂx¸Ú·>κ5@³Ê¾<7»;\»½·5@>;_´´·><µ@7<·¸O»½·º¸EÀ1ê>»xÃ<¶58><¶Ã;_>:91Å»½Ã:¶º 58³Ë<·>:;_É»½·5@>ËC¶ »sÓ(¶¶E>T;_7»x5@³;\»x·º6¾<½5j5@Ǹs»x¶¾:¸(;_>:9³Ê;@>j7:;_´C¸s»x¶¾:¸H·¸HËC¶><¶Íº ·;_´-;@¸·u»ÚÓ·¼´´CÃ<¶´¾»½Ã<¶Ë¶Eµ@·><><¶EÂx¸H·¼³Ê¾<Âx5\Æ@¶6»½Ã<¶E·¼ÂÚº 58³¾:½¶EÃ<¶>:¸½·5@>;_>9·¼>»x7<·u»x·¼58>);@Ë587»»xÃ<¶E¸½¶´5@µ8·ºE¸Àê>»½Ã<¶5@»½Ã<¶EÂ.Ã:;_>91Å

ICHARAT E·¸.;@>¶l;@¸½·¼´Ñ¶ ¹j»x¶>:9<;@Ë<´¶ÚÇÈÂx;@³¶EÓH58½é-ëY·¼».·¸Ó(¶´´:¸½7<·¼»½¶E9

ÇÈ5@Â6Âx¶E¸½¶E;@ÂxºÃ<¶EÂx¸HÓÃ<5ÓÚ;_>»»½5Ê»x¶E¸O»6»½Ã:¶·Â6><¶Óì·9¶E;8¸5@ÂÇÈ58½³;@´¼´ÑTºÃ<¶lºé»½Ã<¶E·¼Âº 58>\às¶Eº É»½7<Âx¶E¸EÀÙÚÃ<¶TÆY;@½·5@7¸n¾<Âx55@ÇJ¸;_Âx¶Ê»½Ã:¶>,;@7»½58³Ê;_»½·º;@´¼´ÑÎÆ8¶Âx·uÍ:¶l9ËÑ»½Ã:¶T¾<Âx5j5_ÇɺÃ<¶Eºé8¶Â;_>:9)½¶lº 58Âx9¶l9T·>9·uÒ-¶Âx¶>»6´·¼Ë:Âx;@½·¶E¸(ÓÃ<¶E½¶»½Ã:¶Ñ)ºE;_>˶º5@>:¸½7<´¼»½¶l9);_»?;_>jÑ»½·³Ê¶@À

49

¥Oª ªO£6±3¥:ª²

Ô7<´¼»½·³59<;@´1´¼58µ@·º¸Ú;_Âx¶Äº 5@³Ê¾C58¸½¶E9T5_Ç»sÓ(5Ê9·¸O»½·>:º »6¾:;_½»x¸Eë;_>T·>jÆ\;_Âx·;@>8»Ú¾:;@ÂO»Ú>:;_³Ê¶E´¼Ñ»½Ã<¶º 5@Âx¶´5@µ8·ºJ·¼><ÇȶÂx¶>:º¶Âx7<´¼¶l¸ ÅC;@>:9;)¸s»x½7:º »½7<Â;_´¾:;_½»?ÓÃ<·ºÃÎ;@´¼´5\Ó6¸?;º5@>»½Âx5@´´¶E9³Ê;@>:;_µ8¶³Ê¶>»15_ÇÂx¶E¸½5@7<º ¶l¸ ȶ@À µ:ÀÅ ´5º;_´8;@¸x¸O5º ·;\»x·¼Æj·¼»sÑ@Å0´5º;_´\¾C¶Âx³7<»x;\»x·¼58>3Õ Ô5j5@½»½µ;\»xÖj× ØÀÁ?¶l97:º0»x·¼58> Âx7<´¼¶l¸T95,><5_»9¶¾C¶>:9 7<¾58> »½Ã:¶ÎÓ(5@Â9<¸È·À ¶@ÀÅHµ8Âx;@³³;@»½¶E½³Ê·>:;_´¸5_Ç»½Ã<¶ºÃ<5¸O¶E>>:;\»x7<Â;_´3´;@><µ@7;_µ@¶<»xÃ<¶ÑÂ;\»xÃ<¶Â¶ ¹¾<Âx¶E¸x¸?»½Ã<¶ÊÓÚ;YÑ·>ÎÓÃ:·ºÃ¸O7:ºÃÓH58Âx9:¸º;_>Ϻ 58³Ë<·><¶ÊËjÑ7:¸½·¼>:µ)»xÃ<¶·Â¸½Ñj>8»;@º »½·º»sÑj¾C¶E¸EÀ;@ºÃ»sÑj¾¶ºE;_>˶¶E·u»xÃ<¶Ân¾:½·³Ê·u»x·¼Æ8¶5@º 58³¾C58¸½·¼»½¶@À.ÙÚÃ:¶)ÍÂx¸O»º ´;@¸x¸º5@>»x;@·¼>¸;_»½58³·ºT»sѾC¶E¸ÊÓÃ:·ºÃ½¶E¾<Âx¶E¸½¶>»Êº5@³Ê¾<´¶ »x¶¶ ¹¾<Âx¶E¸x¸O·5@>:¸EÅÚ¸O7:ºÃì;@¸T»½Ã<¶»sÑj¾C¶È><587<>ì¾<Ã<Â;@¸½¶E¸0ÅJº 58³Ê³58> ><587<>:¸T;@>:9ÈÓ(¶´´uÉÇÈ5@Âx³Ê¶E9T¸½¶>»x¶>:º¶E¸0À:ÝH5@³Ê¾C58¸½·u»x¶ÄºE;\»x¶µ@58½·¶E¸H;_Âx¶Ë:7<·¼´¼»ÚÇȽ58³á¾<Âx·¼³Ê·¼»½·Æ@¶»sÑj¾¶l¸HËjÑ7:¸O·><µ)ÇJ;_³Ê·´¼·¶E¸5_Ç(Ë<·>:;_ÂxÑ»sѾC¶º 58>:¸s»x½7º0»½58Âx¸

/i

Å\i

Å•i

?;@>:97<>:;_ÂxÑ5@><¶l¸3j

Å2j

ÓÃ<¶Âx¶·¼>9¶ ¹¶E¸È³Ê59¶E¸5_Ǻ 58³¾C58¸½·¼»½·5@>:¸Ä;_Âx¶¶³Ê¾<´5\Ñ@¶l9λx5¶>º 59¶ÊÇȶE;_»½7<Âx¶E¸5@Ân»x5½¶l¸s»x½·º0»»xÃ<¶T;@¾<¾<´·ºE;\»½·5@>5@Ç6¸s»x½7:º »½7<Â;_´Â½7<´¶E¸TÕ Ô558ÂO»xµ8;_»xÖ× ØÀ! :5@·>:¸O»x;@>:º ¶8Å»½Ã:¶T·³É¾<½5\Æ8¶E9»sÑj¾¶#"$"

\a

&%/a

3to

'/a

ºE;_>nËC¶H;@¸x¸½·¼µ8><¶E9»x59·¼»½Â;_>:¸½·¼»½·Æ@¶Æ@¶E½˸(ȶ8À µÀ¼Å)+*-,/.10 Ð+ÓÃ<5¸O¶T·¼>:9<·¼Âx¶Eº »5@Ëàs¶lº0»¸;_Âx¶¾<Âx¶¾C58¸½·¼»½·5@>:;@´.¾<Ã<Â;@¸½¶E¸¸O»x;@ÂO»x·¼>:µ5@><´ÑÓ·u»xÃ32 4657ȶ@À µ:ÀÅ )98:*-,/.10;=<?>0A@A0$B 4C4D5EF 0 Ð ÀG ¶³;_>»x·ºE¸;_>9¸OÑj>»x;_¹Ï;@½¶·>»½¶Â9¶E¾¶E>:9¶>»·¼>̳7<´¼»½·³59<;@´HºE;\»½¶Eµ@58½·;_´µ8Âx;@³³;@Âx¸EÀ <5@´´5\Ó·¼><µ#H äI?JLKMIN!O¸O¶E³;_>»½·º¸ÚÕ+PÄ;_³7»xÖRQØÅ\»xÃ<¶Ú³Ê¶E;_>:·¼><µÄ5@ÇÓ(5@Â9<¸#·¸3Âx¶¾<Âx¶E¸½¶>»x¶E9ËѸO·³Ê¾<´Ñ»sÑj¾¶l9

λÉ»½¶E½³¸EÀ@ÙÚÃ<¶?¸½¶³;@>8»x·ºE¸35_Ç;_>ʶ¹j¾:½¶l¸½¸½·¼58>·¸.Ë<7:·¼´¼»·>¾;_Â;_´´¼¶E´<Ó·u»xÃ

·u»¸6¸OÑj>»x;8º0»x·ºÄ9¶E½·Æ\;\»½·5@>·>;º5@³Ê¾5¸O·¼»½·5@>;_´CÇJ;@¸½Ã<·5@>ÀÙÚÃ<¶¾<Âx5j5_Ç(»½¶Âx³¸n»xÃ:;\»»xÃ<¶T´5@µ8·ºE;_´.¸½Ñ¸s»x¶³ 5@¾C¶Â;\»½¶l¸n5@>Ì;@½¶¸½¶Eæ7<¶E>»x¸n5@Ç(»xÃ<¶ÇÈ58½³Γ ` S .

KRÓÃ<¶E½¶Γ·¸;º5@>»½¶¹j»TÈ·À ¶8À¼ÅC;¸O»½Âx7:º0»x7<½¶l9Ë<·>:;_ÂxÑT»x½¶E¶n»½Ã;\»?»;_é8¶n·¼>»½5

;@ºº5@7<>»Ë5@»½Ã´¼·><¶E;@Â58Âx9<¶Âx·¼><µ;_>:9,Ã<·¼¶EÂx;@ÂxºÃ:·ºE;_´µ8½587<¾<·><µÎ5@Ç?Âx¶E¸½5@7<º ¶l¸Ä5@Ç6»sÑj¾¶l9¸OÑj>»x;8º0»½·ºÄÆ\;_Âx·;@Ë<´¶E¸EÅ S ·¸?;»sѾC¶;@>:9UK·¸6;¸½·³¾:´¼ÑT»sѾC¶E9 λ

É»½¶Âx³ÞÓÃ<·ºÃ¶E>:º;@¾:¸O7<É´;_»½¶E¸?»½Ã:¶9¶E½·Æ\;\»x·¼58>:;_´3¸O¶E³;_>»½·º¸EÀâ¶Ê¸OÃ<5\Ó ËC¶´5\Ó ¸½5@³Ê¶¶¹;@³Ê¾<´¼¶l¸?5@dz7:´u»x·¼³Ê59<;_´9¶E97º0»½·5@>Âx7<´¶E¸EÀ

x : A ` A . xAx

Γ ` A/iB . f ∆ ` B . b

(Γ, ∆)i ` A . (f b)/iE

(Γ, x : B)i ` A . f

Γ ` A/iB . λx.f/iI

Γ ` A . a ∆ ` B . b

(Γ, ∆)i ` A •i B . (a, b)•iI

VWXZYA[-\X^]_[`-abYWc-de-XL\fg]hahia_jXlkmXAnpo\XLddahe-X^o[&qCX$\lrtsuj\X$vR`wjWx[-yzi|R]ja_i[pkcw]`-\cwii~cw\d|djX$i~dTy\[-ijWRX^oI[dda_ah]hajfj[c-kRkkpa_IXL\XLvujoc-Y&cw`XLd[-y\XARvXlkc-vRkYA[-vdj\c-a_vXlkgdj\YjR\c-]t\R]_Xld$r [\|XAnc-ioR]_XqCXY$c-vc-ddRiXjWRcwjYA[ii|pjc&jaheajfahd|]_[pY$c-]_]hfcY$Y$XLddah]hX~qWX$vjWX\XLd[-\YAXldcw\XYA[-iTahvXLkRda_vR`cUoRcw\jabYAR]hc-\i[kX r?VWX$\XAy[\XRqCX|cw\X|cwR]_Xj[c-YLYA[vuj:y[-\jWX|y\XLXLkp[i[-ytq[\k^[-\kpXL\\XLuah\Xlkfd[iXT]_ahv`ahdjabYYA[-vdjajX$vujd=dRYWc-d=c-k&vRYjdX-r `Rrhh-A6$- w&¡qW[dXjfoIX

s/cscw]h]_[&q:d:jWXkpX$\ahe1cwjah[-v[wytI[wjWdXLvujX$vYAXLd| ¢tXLdjX$\kc1fZ£:[Rkcd]hX$opj#oIXLc-Y$XAy]h]hfI¡c-vRk £[-Rkcd]_XLopj:oIXLc-Y$XAy]h]hff-XldjX$\kc1f?¡ ¤Ar¥Z[-\XToI[&qCX$\y]'dj\RYAj\cw] \]hXLd#Y$c-vIXkpXARvRXLkj[Ucw]h]_[&q¦jWX~YA[iiTvabY$cwjah[-vIXA§jqXLX$vZkpa_IXL\XLvj:i[pkpXld$rIVWX\R]_X¨ª©«¬­®w¯T\]_X|[wy'YA[-vuj\[]_]hXLk^YA[vj\cYja_[v¤ahd:c-vXAncwio]hX#[wy'dRYWU¬±°?²l³u´1µ ²L¬·¶°x¸!´&¬±° ¬±¸!¹·³uºr

Γ [((∆1, ∆3)j , (∆2, ∆3)

j)i] ` C . x

Γ [((∆1, ∆2)i, ∆3)

j ] ` C . xMC(i, j)

50

: ¢8©6±3¥<±#¤p ¤¦Ú¦(Úªs¤>ìÕ ¸x¸O´´·ç@è\ØÅÓH¶¾<Âx¶E¸½¶>»½¶l9,;Í:¸s»Æ8¶Â¸O·5@>,5_Ç»½Ã<¶³Ê¶ »;\É´¼·><µ87<·¸O»½·º

ICHARAT E»½5j5@´éj·u»lÀEÙÚÃ<·¸-Í:¸s»ÇÈ5@Âx³Ê;@´¼·¿E;_»½·5@>Ó(;8¸1Âx¶E¸O»½Âx·º »½¶E9»x5Ú»½Ã<¶¸½Ñj>»x;@º »½·º3´¼¶EÆ@¶E´_5_dz7:´u»x·¼³Ê59<;_´µ@Â;_³Ê³;_¸$C³Ê5@Âx¶5\Æ@¶EÂEÅ·u»¸½7Ò-¶Âx¶E9ÎÇȽ58³ ¸O¶EÆ@¶Â;_´3¸½Ã<5@½»xº5@³Ê·¼>:µ8¸È´58¸x¸5@ÇHÂx¶E;89<;_Ë<·´·u»sÑ8Å;_Ë:¸½¶>:º¶)5@Ç;7:¸½¶ÂÇȽ·¶>9´¼Ñ,·¼>»½¶EÂOÇJ;8º ¶À¼ÀÀ+0À>Û»½Ã<·¸Ê¾:;_¾C¶ÂlÅ3ÓH¶¾<Âx¶E¸½¶>»»½Ã<Âx¶¶³;_·>·¼³Ê¾<Âx5\Æ@¶E³¶E>»x¸(5_Ç35@7<Â(»x558´¼éj·¼»5\Æ8¶Â(»½Ã<¶n¾:½¶EÆ·5@7¸HÆ8¶Â¸O·5@>À

ä|KKJä·OOK\äK "!JEäLO# KR?J%$&â¶n7:¸½¶ãäåÎ;8¸(;³Ê¶ »;\É´;@><µ@7;_µ@¶·¼>5@Â9¶EÂH»x59¶¶E¾<´¼ÑT¶³ËC¶E9)5@7:Â5@Ëàs¶lº0»´;@><µ@7;_µ@¶8Å>:;_³Ê¶´Ñ³7<´u»x·¼³Ê59<;@´´¼58µ@·º_À1ÙÚÃ<·¸n9¶¶E¾¶E³ËC¶E9<9·><µ·¸Ä5@Ë»;_·><¶E9ËjÑÇÈ5@Âx³;_´·¼¿E·¼><µ)»½Ã:¶9<;\»;,¸O»½Âx7:º0»x7<½¶l¸Ã:;@>:9´¶E9 ËÑ ³7<´u»x·¼³Ê59<;@´´5@µ8·º J¶@À µ:ÀŸOÑj>»x;8º0»½·º»sÑj¾C¶E¸EÅÚº5@>»½¶¹j»x¸EŸs»x½7:º »½7<Â;_´1Âx7<´¶E¸EÅ<9¶E9<7:º0»x·¼58>)Âx7<´¶E¸EÅ

λÉ»½¶E½³¸(·¼>»½¶E½³¸Ú5@Ç#·>:97:º »½·Æ@¶»sÑj¾¶l¸À

â¶;@9<5@¾»;T»sÓH5@É´¶Æ8¶´3;_¾<¾<Âx58;8ºÃ»½5¸½¶³;_>»½·º¸EëC»½Ã<¶9<¶¶¾<ɶE³ËC¶E9<9·><µ;_´´¼5\Ó6¸7:¸»x5½¶l;@¸½5@>;@Ë587»»½Ã:¶?¸s»x½7º0»½7:½¶Ú5_Ç1¸½¶³;_>»½·º¸EÅ_ÓÃ<·´¶ÓH¶Âx¶´Ñ5@>»xÃ<¶6¸OÃ;_´´¼5\ÓÛ¶³ËC¶E9:9·¼>:µ»½5ʽ¶l;@¸½5@>;_ËC5@7»»xÃ<¶¸O¶E³;_>»½·ºÄº 5@>»x¶>»x¸Ú5@Ƕ ¹¾<Âx¶E¸x¸½·¼58>:¸Àâ¶)7:¸O¶;9¶E¶¾É¶³Ë¶l9<9¶E9

λɺ;@´º7<´¼7¸n»½5º 58³¾:7»½¶»xÃ<¶9¶Âx·¼Æ\;_»½·5@>:;@´¸O¶E³;_>»½·º¸5_Ç

;¸O¶E>8»x¶>:º¶nµ@·Æ@¶E>·¼»x¸¸OÑj>»x;8º0»x·ºn9¶E½·Æ\;\»x·¼58>À:ÙÚÃ<·¸?¸½¶³;_>»x·ºE¸Ú·¸º 5@³Ê¾<7<»½¶E9·>;º 58³É¾5¸O·¼»½·5@>:;@´1³;_><><¶EÂËjѳʶE;_>¸Ú5_Ç;Âx¶Eº7<¸O·Æ@¶?ÇÈ7<>:º0»x·¼58>ÓÃ<·ºÃ)³;_¾¸Ú¶E;@ºÃ9¶l97:º0»x·¼58>¸s»x¶¾·>8»x5;º5@³Ê¾<7»;\»½·5@>;_´:¸O»½¶E¾Ó·u»xÃ<·¼>»½Ã<¶¸O·³Ê¾<´¼Ñ»sÑj¾¶l9

λɺ;@´º7<´7:¸Àu <58Â.¶ ¹<;_³Ê¾<´¶@Å

»½Ã<¶·¼>»x½597:º »½·5@>5@ÇËC5_»½Ãº 58><><¶Eº »½·Æ@¶l¸/i

;_>9\i

·¸H¸½¶³;_>»x·ºE;_´´¼ÑÊ·>8»x¶Âx¾<Âx¶ »½¶l9;@¸»½Ã:¶;_Ë:¸O»½Â;@º »½·5@>5@ÇC;ÃjÑj¾5@»½Ã<¶»½·º;_´Âx¶E¸½5@7:Âxº¶@À\Á?¶E¶¾¶³Ë¶l9<9·><µn5_Ç

λÉ»½¶E½³¸3·¸3ÓH58ÂO»xÃÓÃ:·¼´¶

;@¸·¼»H;_´´5\Ó6¸37:¸»x5½¶l;@¸½5@>Ê;_ËC5@7»»xÃ<¶?¸½Ñj>8»;@º »½·º¸s»x½7:º »½7<Âx¶65@Ç»xÃ<¶?9¶E½·Æ\;\»½·5@>;_´:¸½¶³;_><É»½·º¸EÀ! :5@·¼>:¸O»x;@>:º ¶8ÅÓ(¶);@½¶T;@Ë<´¶»½5¾<Âx5\Æ@¶·>Û;ÇÈ58½³;_´(ÓÚ;YÑ»½Ã;\»»½Ã<¶9¶Âx·¼Æ\;_»½·5@>:;@´¸O¶E³Ê;@>»½·º¸5_ÇH;¸½¶>»½¶E>:º ¶Ê·¸´·><¶E;@ÂJ¶E;8ºÃÎË<·>:9¶EÂË:·¼>:9:¸Ä¶ ¹<;@º »½´Ñ5@><¶Æ\;_Âx·;@Ë<´¼¶16·¼ÇH·¼»x¸¸OÑj>»x;8º0»½·º69¶E½·Æ\;\»x·¼58>·¸H¶E¸O»x;@Ë<´·¸½Ã<¶E9Ê·>:¸½·9<¶;µ8Âx;@³Ê³Ê;@Â.Ó·¼»½Ã´·¼>:¶E;_Â(¸s»x½7º0»½7:Âx;@´Âx7<´¶E¸EÀÙÚÃ<¶¸OÃ;_´´¼5\Ó ¶³ËC¶E9:9·¼>:µº 5@ÂxÂx¶E¸½¾58>:9·><µ»x5;9¶¶E¾<´ÑT¶³Ë¶l9<9¶l9T»x¶Âx³ ·¸6º 58³Ê¾<7»½¶l9ËÑÊ;nÂx¶Eº7<Âx¸½·Æ@¶Ú»½Â;_>¸O´;\»x·¼58>ÇÈ7:>:º0»x·¼58>ÓÃ<·ºÃÊ»½Â;_>:¸½´;_»½¶l¸3»½Ã<·¸»½¶Âx³ ·¼>»½5Êãäå)·><Ã<¶E½¶E>»´¼58µ@·º_À@ÙÚÃ<·¸3»xÂx;@>:¸O´;\»x·¼58>ºE;_>;@º »H;@¸;ľ:½¶»O»sѾ<½·>»½¶EÂ.;@¸·¼»Âx¶¾<´;@º¶E¸;_´´<5ºº7<Âx½¶E>:º ¶l¸35_ÇÁ?¶('(Âx7<· às>·>:9·º ¶l¸Ó·¼»½Ã>:;@³¶l9ÆY;@½·;_Ë:´¼¶l¸À»?·¸6;_´¸½57¸O¶l9T»x5½¶l;@¸½5@>;_ËC5@7»6>;\»½7:Âx;@´´;@><µ@7:;@µ@¶l¸6¸O¶E³;_>»½·º¸6»½Ã:;@><鸻½5T»½Ã<¶¶ ¹·¸s»x·¼><µ»½5j5@´¸?5@Ç3»½Ã<¶³¶»x;_É´;_><µ87:;_µ8¶»;@º0»x·ºE¸Å·¼>:9<7:º0»x·¼58>Û¸xºÃ<¶³Ê¶E¸TÀ¼ÀÀ+0À' <58¶¹;@³Ê¾<´¼¶8ÅÓ(¶);@½¶;_Ë<´¶»½5¶E¸O»x;@Ë<´·¸½Ã·¼>;ÇÈ58½³;_´HÓ(;YÑ»½Ã<¶Æ\;@´¼·9·¼»sÑ)5@Ç3³Ê¶»x;\ɳ;\»xÃ<¶³;\»x·ºE;_´¸½¶>»x¶>:º¶E¸6¸½7:ºÃ;@¸ )*)C.&0$>+< 5 @, 4 ,/.&0,/B 4 06*0$>-,R;1@;=<I>0.0/0A@@ 5 > Ð:ÓÃ:58¸½¶»xÂx;@>:¸½´;_»½·5@>T·>»½5Tãäå3Ð ¸Ú´¼58µ@·ºÑj·¶´9<¸(»½Ã:¶n¾<½5\Æ\;@Ë<´¼¶ÇÈ58½³7<´;)∀ 0213 BI; 454"6 187:9 ⇒ ∃

+ 3 BI; 42; 1< +=?> ÐÀ

A@ B OKläIC$·MÏäI ãD·KLlOÊäEH NJF$&#ÌäGK IH81K#J# K&ãäå·¸Ë:;8¸O¶l95@>Ã<·µ@Ã<¶EÂ58Âx9¶E´5@µ8·º@Å:»xÃj7:¸5_Ò-¶Âx·¼><µ;_>;@9¶læ87;\»½¶¶>jÆj·Â½58><³Ê¶>»?ÇÈ58»½Ã<¶?¸½¾C¶Eº ·¼ÍºE;\»½·5@>Ê;_>9¾:½5j5_Ç-5_Ç-µ@¶E><¶Âx·º(¸½Ñj>»x;@º »½·ºÚ;_>:9ʸ½¶³;_>»½·ºÚ¾<Âx5@¾C¶Â½»½·¶E¸35@ÇC³7<´u»x·uɳ59<;@´µ8Âx;@³³;@Âx¸EÀ<Ô5@Âx¶5\Æ8¶ÂlÅ·u»¾<½5\Æj·9¶E¸?;ÊÇÈÂx;@³Ê¶Ó(5@ÂxéÓÃ<·ºÃÃ:;_Âx³Ê5@><·5@7:¸½´Ñ)º 58³ÉË<·¼>:¶E¸1»sÓ(5?º5@³Ê¾<´¶³Ê¶>»x;@½Ñ?¾:;_Â;@9·µ@³¸1>;_³Ê¶´ÑÂx¶E;8¸O58><·><µ;_>:9nº5@³Ê¾<7»;\»½·5@>ÀEÙÚÃ:;@><鸻½5TÂx¶LK¶Eº0»x·¼58>»½¶lºÃ<><·æ7<¶E¸Õ =6´ÆY;@Âx;8958çMØÅ-Ó(¶;_Âx¶;@Ë<´¶»½5ËC¶><¶Í<»ÇÈÂx5@³Þ»xÃ<¶º5@³Ê¾<´¶ »x¶NPO PQ@MMsP\p.YPxMsyr|LlLEz

ICHARAT EruyB0EBEr|ouBEo|P?BpRQ Q QSUT*V"WXY&S Z[X&\P]^V`_a%bc_F\edfghV%XiV`jk

51

;_7»x5@³;\»x·¼58>)5@Ç»½Ã:¶n´;_»O»½¶EÂÚ»½5j5@´À>5@Â9¶Â»x57<>:9<¶Â¸s»;_>:9»xÃ<¶ËC¶Ã:;YÆj·5@Â65@Ç.9·uÒ-¶Âx¶>»?·>»½¶EÂx;8º0»½·5@>¾<Âx·>:º ·¾<´¶E¸EÅ:Ó(¶><¶¶l9»½5¶><Ã:;@>:º ¶?»½Ã<¶Âx¶E¸O»½Âx·º »½¶E9T¸O¶»H5_Ç·¼>ÇȶE½¶E>:º ¶Âx7<´¼¶l¸ËjÑ;Â;_>:µ@¶?5@Ç9¶Âx·Æ@¶E9½7<´¶E¸HÓÃ<·ºÃº;_>T˶Ä;_¾<¾:´¼·¶E9Ê»x5¸½¾C¶Eº ·¼Íºº ´;@¸x¸O¶l¸5@ǵ@Â;_³Ê³;_¸:ȶ8À µÀ¼Åjµ@Â;_³Ê³;_¸.º5@>»x;@·¼><·><µ;¸O¾C¶ ɺ ·¼Íº¸s»x½7º0»½7:Âx;@´Â½7<´¶@Å1µ8Âx;@³Ê³Ê;@ÂÄÓÃ<58¸½¶¸s»x½7:º »½7<Â;_´3Âx7<´¶E¸ÄÆ@¶E½·¼ÇÈÑÎ;µ8·¼Æ8¶>ξ:½¶l9·ºE;\»x¶l0ÀÙÚÃ<¶E¸½¶9<¶Âx·¼Æ8¶E9Âx7<´¶E¸Ä;_Âx¶Æ\;@´¼7:;@Ë<´¶·>λxÃ:;\»Ä»xÃ<¶ÑκE;_>Ã<¶´¾7¸¸O»½79Ñ»½Ã:¶¶¹¾<½¶l¸½¸½·Æ@¶¾5\Ó(¶Â5_Ç<»xÃ<¶(9<·uÒ-¶Âx¶>»3·¼>»½¶EÂx;8º0»x·¼58>¾<Âx·¼>:º·¼¾:´¼¶l¸ÅE»½58µ@¶ »xÃ<¶Â#Ó·¼»½Ã»xÃ<¶·Â3;_Ë<·´¼·¼»sÑÄ»½5¶ ¹¾<´;_·>ÆY;@½·5@7¸Ä´¼·><µ@7:·¸O»½·º¾<Ã<¶E><5@³Ê¶E>:;<À

ICHARAT EÐ ¸´·¼Ë:Âx;@½Ñκ5@>»x;@·¼>¸;Ó·9<¶Âx;@><µ@¶Ê5@Ç

9¶Âx·¼Æ8¶E9ν7<´¶E¸Ä9¶l9·º;\»x¶E9λ½5»½Ã:¶¾:½5º ¶l¸½¸½·><µT5@ÇHÆ\;_Âx·¼587:¸´¼·><µ@7:·¸O»½·º¾<Ã<¶>:5@³Ê¶>:;¸½7:ºÃ;@¸(7<>jË587<>:9¶l9)9<¶¾C¶>:9¶E>:º ·¶E¸EÅ<º Âx58¸x¸½¶E99¶E¾¶E>:9¶E>:º ·¶E¸EÅj¶´´¼·¾:¸½·¸;@>:9¾:;@Âx;8¸O·¼»½·º6µ;_¾:¸ÀÀ¼ÀÕ Ô5j58ÂO»xµ8;\»Ö×ØÀ <58Ân·¼>¸s»;_>:º¶@Å1Ó(¶º;_>Ï;@ºEº 587<>»ÇÈ58¾:;@Âx;8¸O·¼»½·ºµ;_¾:¸ÄÓ·¼»½Ã:·¼>Ì;¸½¶ »O»x·¼>:µ»½Ã:;_»?º 5@>»;_·>:¸H»½Ã<¶¸O»½Âx7:º0»x7<Â;_´1Âx7<´¼¶H ã^"$1%7¸O·><µ»½Ã<¶ÄÇÈ58´¼´5\Ó·><µ9<¶Âx·¼Æ8¶E9)½7<´¶@ë

MC(i, j) ∈ R (a : A , c : C)iR

` D . f

(f1 : A/jB , f2 : C/jB)iR

` D/jB . λb.f [a := (f1 b), c := (f2 b)]

PG

ÙÚÃ<·¸.µ@¶>:¶Âx·ºH½7:´¼¶6¸½·¼³Ê¾<´·¼Í:¶E¸#»xÃ<¶69¶Âx·ÆY;_»½·5@>5_ÇC»½Ã<¶>:5@7<>¾<Ã<Â;@¸½¶U2 ; 5l5 ,,&/,;w>+.&,&.|>0A.l,±0 , 4 , 5wFp4 >0;h.&,/B* 7½ÓÃ<·ºÃ·´¼´7:¸O»½Â;\»x¶E¸»½Ã<¶¾;_Â;@¸½·u»x·ºHµ8;@¾:¸#¾<Ã<¶>:5@³Ê¶><58>ÈËC5_»½ÃÛ¶ ¹j»½Â;@º »½¶l9¶´¶³Ê¶>»¸;@½¶)¸O¶E³Ê;@>»½·º;_´´ÑÏ9<¶¾C¶>:9¶E>»0ÀÙÚÃ<¶³;_·>Û¸O»½¶E¾:¸5@Ç6»½Ã:¶Â½¶E´;_»½·Æ@¶Äº ´;_7:¸½¶@Ð ¸9¶Âx·ÆY;_»½·5@>;_Âx¶¸½7<³Ê³;_Âx·¼¿E¶E9)˶E´¼5\Ónë

(a : np\is, c : (np\is)\i(np\is))i ` np\is

(did review : (np\is)/jnp, without reading : ((np\is)\i(np\is))/jnp)i ` (np\is)/jnpPG

(Mary : np , (did review : (np\is)/jnp , without reading : ((np\is)\i(np\is))/jnp)i)i ` s/jnp

ÙÚÃ<¶6ÓÃ<58´¼¶?9<¶Âx·¼Æ\;\»x·¼58>:;_´¸O¶E³Ê;@>»½·º¸.¶E>:º;@¾:¸½7<´;_»½¶l9ËjÑ»½Ã<·¸(9¶Âx·¼Æ\;_»½·5@>Ê·¸><5_»xÃ<·><µ¶´¸½¶Ë<7»»½Ã:¶Ä»½¶Âx³ )

λ¹-À $±J%!#äNJ &OK $±!Mȹ-Å $& &Oh $·OUȹRA·H K0ÐÀ

ICHARAT EÐ ¸´·Ë<Âx;@½Ñ;_´¸O5º5@>»x;@·¼>¸;>j7<³ËC¶Â5_Ç6Âx¶ ÇÈ7»;\»½·5@>Ï´¶³Ê³;@¸ÓÃ<·ºÃ

;_·³¬;_»¾<Âx5\Æj·¼>:µÊ»½Ã<¶·¼´´¼ÉKÇÈ58½³Ê¶E9<><¶E¸x¸65@ǸO58³¶¸O¶E>8»x¶>:º¶E¸?Ó·u»xÃ<·¼>;µ8·¼Æ8¶>³7:´u»x·¼³Ê59<;_´¸O¶»O»½·><µÀ <5@ÂÚ¶¹;@³Ê¾<´¼¶8Å7:¸½·¼><µÊ;ʸO·³Ê¾<´¶¾C5@´;_Âx·¼»sÑʺ5@³Ê¾<7»;\»x·¼58>Õ ¸x¸O´´¼·ç_è_ØÓH¶n;_Âx¶;@Ë<´¶»½5?¾:½5\Æ8¶»xÃ:;\»»½Ã<¶H¶ ¹¾<Âx¶E¸x¸O·5@> ,,&/,;&>+ .w,&.=>0A.l,±0 4 ,0 5l5L·¸7<><µ@Â;_³Ê³;\»x·ºE;_´À LOFE^$±OCA?JlOhE6K O>5@Â9¶Â.»½5Ã;YÆ@¶?;nÃ;_>:9Ñ»½5j58´¼éj·¼»EÅÓH¶6¾:½5\Æj·9¶E9

ICHARAT EÓ·¼»½Ã);7:¸O¶EÂ.ÇÈÂx·¼¶E>:9´Ñ

·¼>»½¶EÂOÇJ;8º ¶6ÓÃ:·ºÃµ87:;_Â;_>»x¶¶E¸3ËC5_»xÃTÂx¶E;89<;_Ë<´¶><5@»x;\»x·¼58>:¸;@>:9¶l;@¸½¶5_Ç·>8»x¶Â;@º »½·Æ@¶6¾<Âx5j5_Ǻ 5@>¸s»x½7:º »½·5@>À6ÙÚÃ:¶E¸½¶Â½¶læ87:·¼Âx¶³Ê¶>»¸;_Âx¶Ï;8ºÃ<·¶Æ@¶l9 ËjÑ ³¶l;_>:¸5@Çãäå'·>»½¶Â½ÇJ;@º¶Õ '(¶Â½»½5@»xçRQØÀ@ÙÚÃ:·¸¸½Ñ¸s»x¶³ ¶>;_Ë<´¶E¸37:¸#»x5n9¶ Í:>:¶(Æ\;@½·5@7:¸#¾<Âx¶ »½»sÑɾ<Âx·>8»x¶Â¸»xÃ:;\».ºE;_>µ@¶><ɶÂ;\»½¶?³Ê;_»½Ã<¶E³;\»½·º;@´Âx¶E;89<;_Ë:´¼¶6>:5_»x;_»½·5@>:¸z

`Å•i

Å/i

Å3j

ÅÀ¼ÀÀ+0ÀÔ5@Âx¶5\Æ8¶ÂlÅ\·u»;_´´5\Ó6¸»½Ã:¶·¼>»½¶EÂx;8º0»x·¼Æ8¶Äº5@>:¸O»½Âx7:º »½·5@>5_Ç3¾<Âx55@ÇJ¸Ú»½Ã:½587<µ@óÊ5@7:¸½¶º ´·ºéj¸65@>¸O58³Ê¶n½¶E´¼¶EÆY;@>»6¾<´;8º ¶l¸ <I> 5L5 `+ < 5 ,/B 4 ,/Bu* »½¶lºÃ<><·æ87:¶l0À G 7:ºÃº ´·ºéj¸3Âx7<>;ĺ 58´¼´¶Eº »½·5@>Ê5_ÇC»x;8º0»x·ºE¸ÓÃ<·ºÃʸ½·³É¾<´¼·¼ÇÈÑÏ»½Ã:¶)º 7:½Âx¶>»µ858;@´Ëjѵ8¶><¶EÂx;_»½·><µÎ;ÎÂx;@><µ@¶5@Ç?¸O7:Ëɵ858;@´¸n¾C5_»x¶>»½·;_´´Ñ¶l;@¸½·¼¶E»x5¸O58´¼Æ8¶@À- #·µ@7<Âx¶Q·¼´´7:¸s»xÂx;_»½¶l¸»½Ã:¶67:¸½¶65_Ǹ½5@³Ê¶¾<Âx55@ÇÉËjÑɾ58·¼>»½·><µÄÂx7<´¼¶l¸·>Æ85@´Æ@¶l9·>»½Ã:¶¾<½5j5@Ç5_Ç;ʸO·³Ê¾<´¶Ä9<¶Âx·¼Æ8¶E9)½7<´¶ÄÓ·u»xÃ<·>»½Ã<¶n³7<´u»x·¼³Ê59<;@´¸O¶»O»½·><µÀ

52

kjk R8BEtn8o|PÚLEzN@PxMsr|lB psr|LlÊQ8yru8wÄ8MsL\LzIJ\_IKLEr|_psr|8w

¦H£?©O¨²jªs¦£²,«6¨¤<¨6¥R Ϧ.¥

ICHARAT E·¸;³Ê¶ »;\É´¼·><µ@7:·¸O»½·ºÄ»½5j58´¼éj·¼»9¶l9·ºE;\»x¶E9»x5»½Ã:¶¸O»½7:9Ñ5@Ç.³7<´¼»½·³Ê5j9:;_´

´¼58µ@·º¸EÀÙÚÃ<¶º 7<Âx½¶E>»?Æ@¶EÂx¸½·¼58>;_´´¼5\Ó6¸7¸O¶EÂx¸6»½5T·>»½¶EÂx;8º0»½·Æ@¶E´¼Ñ¾<Âx5\Æ@¶¸½Ñj>8»;@º »½·º;_>:9θO¶É³Ê;@>»½·º¾<Âx5@¾C¶Â½»½·¶E¸5_ÇH9<·uÒ-¶Âx¶>»º´;8¸½¸½¶E¸5_Ç.µ8Âx;@³Ê³Ê;@Âx¸EÀÙÚÃ:¶;@9<5@¾»x¶E9;@¾<¾<Âx58;@ºÃ¾:½5@ÉÆ·9¶l¸.»xÃ<¶?7:¸½¶ÂHÓ·u»xÃ);º 5@>jÆ8¶><·¶>».³Ê¶E;@>:¸5@ǽ¶l;@¸½5@><·><µ;@Ë587»HËC5_»xû½Ã<¶Ä¸O»½Âx7:º0»x7<½¶?5_ǸO¶E³Ê;@>»½·º¸;@>:9Ï·u»¸º5@>»½¶E>8»¸ÀÔ5@Âx¶5\Æ8¶ÂlÅ

ICHARAT Eº 58³Ê¶E¸nÓ·¼»½Ã,;@>Ï·¼³Ê¾C5@½»x;_>»

Âx;@><µ@¶5_Ç»x;8º0»½·º¸ÊÓÃ:·ºÃ ;_´´¼5\Ó!»½Ã<¶º5@³Ë:·¼>:;_»½·5@>5_dzÊ;@>j7:;_´6¸O»½¶E¾:¸;_>:9 ;@7»½58³Ê;_»½·º¸s»x¶¾:¸EÅ@»xÃj7:¸.ÇÈÂx¶¶E·¼>:µ7:¸½¶Â¸ÇÈÂx5@³ »½Ã<¶Ë<7<Â9¶>5@Ǻ;@½ÂxÑj·¼><µÄ587»»xÃ<¶?¾<Âx5j5_Ç15_Ǹ½5@³Ê¶»x¶EºÃÉ><·ºE;_´1µ858;_´¸EÀê7<Â3»½5j5@´éj·u»ºE;_>ÊËC¶¶ ¹j»½¶E>:9¶E9ËjÑÇÈ58½³;@´¼·¿·><µÄ5_»xÃ<¶Â´·¼>:µ@7<·¸s»x·ºÚ³Ê59¶E´¸.;@>:9»½ÂxÑj·¼><µ»x5Ë<7<·´9Ë:½·9µ@¶l¸ËC¶ »sÓ(¶¶>»xÃ<¶³ÀCâ¶;_´¸O5·>»½¶E>:9»½5)9¶ Í:>:¶³Ê5@Âx¶¾5\Ó(¶Â½ÇÈ7<´Âx¶ ÇÈ7<»x;\»x·¼58>»x;@º »½·º¸EÅ9¶lº ·¸O·5@>Ͼ<Âx5º ¶E9<7<½¶l¸n;_>:9;@7»½58³;\»½·5@>»½5j58´¸Ä»x5¶E;8¸O¶»xÃ<¶·>8»x¶Â;@º »½·5@>ÏÓ·u»xû½Ã<¶Ä»x558´¼éj·¼»

¥£?©?² ouEBMOBEN8L o|lB MOBlN@L8EvH@FPxR@r|Ll?LlQ8M-o¼B.M xMsrqpsQ@MsP3NBy-o|P3BEo|Qo@N@Py-LEypMsQ½psruLEy

r|N8Q½psrulPy"!$#ps8Pyr|y%!1B Msruy'&@QNHr|YPxMsyrqpK\)(HMsysB\+*,---. yyo|our/10- 8LlQ:32|v3BEyp½MOBE4!-u m L\Lp0#F65!1MsL\LEz Q8psLEtBpsr|LlzLM O @PxIKALEwlr|0BEo

6 MOBtntBMsy O POr|0Bo:MsPxLEMp0 &7&8ACA:G½98(BE½\1\pps :: Pyyo|our;1-0@ ouLMsruB@ zM0<*,-10=. D#P½MpsLEp>@S? tnPxM@EBlN< u:DPxMpsLEp0+A|+!-LEppsr|PxM0Au:FruN8P0BQ:A m Bps8PtBpsr|yÚBEjNB!1MsL\LEz

!1MsPyP\pOB psruLEÊr|C!L_ GD8HFHG FPyP0B½MsPxLEMp0*,-_S. v#L_ 10-DPxMpsLEp0EA|v3BEypxMOB)!1GK_psP½MOBExpsr|YP O PLMsPtF!MsL _r|wBEjNG!MsLEwEMOBtH#(PYPoqI

LEtnP\pI8v#L_ )J MpI O P?v#GvH4&_8Msr|wEPxMLKP½Mso¼Bw8*,---0=. 6 BtQ8p>M_S 6 m O -A O N# ACBE8wlQBEwlPBEN m P0Br|w@OKLloP=-GK_psPx_psr|LEjBEoALEwlr|BEN

A:LlwEruBEo 6 MOBtntBM(r|YP½Msyr|pKLEzv#8ruBEwlLQ!1MsPyyO*S MM_S. m L\LMpswYBp>MR m L\LEMpswlBp0 m /#v3B psPwlLMsr¼Bo O @PA:LlwEruv#jBE@psPxMr|SKBED#P\psPxtUTpsPxM

m PxQo|PV*P0N@y>.<2ÚBjN8L\L-@LEzALEwlr|6BENÊACBwEQjBEwEPl o|yP_r|PxMW*SIMMR.

53

A Hierarchical Logic for Network Configuration

Roger Villemaire, Sylvain Halle, Omar Cherkaoui, and Rudy Deca ⋆

Universite du Quebec a MontrealC. P. 8888, Succ. Centre-Ville, Montreal, Canada H3C 3P8

villemaire.roger,cherkaoui.omar@uqam.ca

Abstract. We describe ongoing work on a logic on trees aimed at de-scribing properties of configurations of network equipments. This logicgeneralises first-order logic to a setting where variables form a forest in-stead of a set. We describe the motivation and the formal approach takenby this logic. Finally be briefly present the kind of sentence for which ageneralised Herbrand universes construction leads to a finite structure.

1 Introduction

The configuration of a computer network naturally forms a forest of trees whosenodes contain parameter-value pairs, such as the one shown in Figure 1. Notethat a parameter’s name, such as router is fixed, since it depends on the struc-ture of the software running on the network equipment. On the other hand, thevalues, such as router1 (the name of the router), are configurable.

The main network configuration problem is to assure appropriate valuesfor the network equipments’ parameters. This hierarchical structure follows themode/sub-mode hierarchy of the command line interface used to configure de-vices.

Fig. 1. A portion of the configuration tree for a router

⋆ We gratefully acknowledge the financial support of the National Science and Engi-neering Council of Canada.

54

1.1 Two Simple Examples

Example 1: IP addresses A version-4 IP address is a string of four bytes thatuniquely identifies components in a network. According to the Classless Inter-Domain Routing (CIDR) scheme [7, 18], each IP address is described by twoattributes, its mask and prefix, that are linked by a relation. For instance, anaddress like 206.13.01.48/25, having a network prefix of 25 bits, must carrya mask of at least 255.255.255.128, while the same address with a networkprefix of 27 bits must not have a subnet mask under 255.255.255.224. Thisrelation must be verified for all IP addresses in all routers of a network such asthe one depicted in Figure 1.

Example 2: Virtual Private Networks While the first example showed aproperty between nodes of a single router, we now consider a property betweennodes of different routers.

A Virtual Private Network (VPN) service [17, 19, 20] is a private networkconstructed within a public network such as a service provider’s network. Usually,the VPN is used to link together several geographically dispersed sites of acustomer by a protected communication throughout the provider’s network.

Most of the configuration of a VPN is realised in routers placed at the borderbetween the client’s and the provider’s networks. On the client side, these routersare called customer edge (CE) routers, and on the provider side, they are calledprovider edges (PE).

An important issue is to ensure the transmission of routing information be-tween the sites forming a VPN without making this information accessible fromthe outside. One frequently used method consists in using the Border GatewayProtocol (BGP). This method involves the configuration of each PE to make ita “BGP neighbour” of the other PEs [17]; this entails that one interface in eachPE router must have its IP address declared as a BGP neighbour in each otherPE router. A typical VPN service involves tens of routers in which an averageof 10 dependencies must be checked at multiple locations in the tree.

1.2 Aim of a Configuration Logic

The above examples are representative of configuration situations that arisein network management. The usefulness of logic in this setting is to have aformalism not only to describe properties that must be fulfilled by a correctconfiguration but also to provide an algorithm to help automate the configurationtask.

Such a logic should first have decidable model checking in order to check thata configuration actually fulfills some necessary properties. Furthermore, in orderto help automate the configuration task, one should able to build a finite con-figuration satisfying some property. This last requirement includes an algorithmto find (if possible) acceptable values for new parameters of a configuration insuch a way that some conditions, assuring proper function of the network, are

55

satisfied. In logical terminology, this entails the logic should be decidable andhave the small model property.

A logic for configuration could be based on first-order logic, with a binaryrelation to encode the tree structure. But in order to get a decidable logic, onehas to restrict oneself to some fragment of first order logic.

Decidable fragments of first-order logic obtained by limiting the types andalternations of quantifiers have been thoroughly studied [6, 14]. But since [8]showed that the class of ∀2∃∗ (two ∀ followed by any number of ∃ in prenexform) with one binary predicate is undecidable, this considerably limits the ex-pressiveness of such fragments.

Another approach would be to consider the tree structure to be a part of thelogic. In the context of network configuration, quantifiers are needed to expressthings like, “for all routers r, there exists an interface i of r”; however, generalquantification on all nodes (as in “for all parameters”) is never necessary. Thesituation is therefore similar to multi-modal logics like LTL and CTL [5] wherethe operators 〈a〉 and [a] respectively denote “there exists an action a” and“for all actions a”. But for configurations, a would rather be a parameter (witha value) and contrary to multi-modal logics, relations on tuples of nodes areneeded.

Guarded logic is, as a matter of fact, a fragment of first-order logic allowingn-ary relations, which generalise multi-modal logic. Guarded logic and a furthergeneralisation called weakly-guarded logic have been showed to have the smallmodel property [1, 11]. Unfortunately, it has been shown in [21] that neitherguarded nor weakly guarded logics are sufficient for describing properties ofconfigurations.

Since a configuration is a set of trees, another possible approach is to usequery logics for tree-structured documents like the Tree Query Logic (TQL)[2, 3]. This logic was used in [9, 10] to verify configuration properties of networkservices, so the logic is appropriate, even if natural network properties tendto be somewhat cumbersome to express. Nevertheless, TQL is a very powerfulquery logic, which can express recursion (which is of no need in our setting) andtherefore has undecidable model checking [4]. Since in [9, 10] only a very smallfragment of TQL was used, it is interesting to look at a fragment of TQL whichwould be sufficient for describing properties of configurations. This was donein [21] where a configuration logic named CL was introduced.

There are many more applications of logic to configurations which have beenproposed in the literature, for instance [15], [22], [13], [16] or [12]. But neither [15],[16] nor [22] considers hierarchical parameter-value pairs, while [13] considers alogic on trees, but its quantifiers are general first-order quantifiers. Moreover,none of these works (except for [16]) considers model construction.

2 Recasting Configuration logic

Even if [21] shows that CL doesn’t have the small model property, one could askfor a reasonable fragment of it, expressive enough for usual network properties,

56

but allowing a small model construction. While the approach of [21] was sufficientto do model-checking, it was not clear how one could build models in that setting.

One possible way to construct a model is to generalise Skolem functions andHerbrand universes. While Herbrand universes do not have to be in generalfinite, one could expect a natural syntactic restriction on formulas which wouldbe sufficient for finiteness.

In order to generalise Skolem functions to CL one has to introduce a propernotion of function symbol in CL. The most natural way to do this is to considerCL as a logical language in which the set of variables forms a forest (set of trees).A variable x represents a couple formed of a parameter name (which if fixed)and a value (which has to be given by a valuation).

Consider a fixed set Names of possible parameter names (for short justnames). The variables in CL must be a structure of the following kind.

Definition 1. A named forest is a set of trees whose nodes are labelled bynames. If N is a node of a forest, we write label(N) for its label.

A valuation sending variables to nodes in a configuration has to preserve thehierarchical structure, so it must fulfill the following definition.

Definition 2. A named forest morphism (n.f.m. for short) α : F1 → F2 from anamed forest F1 to a named forest F2 is a partial function from the nodes of F1

to the nodes of F2 (with domain dom(α)) such that:

– dom(α) is a sub-forest (i.e. the parent of an element of dom(α) is also indom(α)).

– if N is a root, then α(N) is a root– label(α(N)) = label(N)– if N2 is a child of N1, then α(N2) is a child of α(N1).

The appropriate generalisation of function symbols to CL is to consider asymbol of the form v.f(w), where v is a variable and w a finite sequence ofvariables. A valuation ρ will interpret v.f(w) to be a descendant of ρ(v).

We have succeeded in generalising to this setting a formal definition of se-mantics and a sound notion of terms and substitutions. This opens the way to ageneralisation of Skolem functions and Herbrand universes constructions to CL.

The remaining question is: under which circumstances is such a Herbranduniverse finite? A complete characterisation is still the topic of ongoing work,but we succeeded in obtaining a sufficient condition which is true whenever anexistentially quantified variable is not in the scope of a universal variable ofthe same type. For instance in example 2, the neighbour entry depends on theexistence of an interface on another router and not on the existence of anotherneighbour entry in the same router.

References

1. Andreka, H., van Benthem, J., Nemeti, I.: Modal Languages and Bounded Fragmentof Predicate Logic. ILLC Research Report ML-96-03, 59 pages, 1996.

57

2. Cardelli, L.: Describing semistructured data. SIGMOD Record, vol. 30, no. 4, pp.80-85, 2001.

3. Cardelli, L., Ghelli, G.: TQL: A query language for semistructured data based onthe ambient logic. Mathematical Structures in Computer Science, vol. 14 , no. 3,pp. 285-327, 2004.

4. Charatonik, W., Talbot, J-M.: The Decidability of Model Checking Mobile Ambi-ents. Proceedings of the 15th International Workshop on Computer Science Logic,pp. 339-354, September 10-13, 2001.

5. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge,MA, 2000.

6. Dreben, B., Goldfarb W. D.: The Decision Problem: Solvable Classes of Quantica-tional Formulas. Addison-Wesley, Reading, MA, 1979.

7. Fuller, V., Li, T., Yu, J., Varadhan, K.: Classless Inter-Domain Routing (CIDR):an Address Assignment and Aggregation Strategy. RFC 1519, 1993.

8. Goldfarb, W. D.: The Unsolvability of the Godel Class. Journal of Symbolic Logic,vol. 49, pp. 1237-1252, 1984.

9. Halle, S., Deca, R., Cherkaoui, O., Villemaire, R.: Automated Validation of Ser-vice Configuration on Network Devices. Proceedings of Management of MultimediaNetworks and Services: 7th IFIP/IEEE International Conference, (MMNS 2004),San Diego, CA, USA, October 2004, LNCS 3271, pp. 176-188, 2004.

10. Halle, S., Deca, R., Cherkaoui, O., Villemaire, R., Puche, D.: A Formal ValidationModel for the Netconf Protocol. Proceedings of Utility Computing: 15th IFIP/IEEEInternational Workshop on Distributed Systems: Operations and Management,(DSOM 2004), Davis, CA, USA, November 15-17, LNCS 3278, pp. 147-158, 2004.

11. Hodkinson, I. M.: Loosely Guarded Fragment of First-Order Logic has the FiniteModel Property. Studia Logica, vol. 70, no. 2, pp. 205-240, 2002.

12. Jackson, D.: Automating First-Order Relational Logic. Proceedings of the 8th ACMSIGSOFT International Symposium on Foundations of Software Engineering, SanDiego, California, ACM Press, New York, NY, pp. 130-139, 2000.

13. Klarlund, N., Koistinen, J., Schwartzbach M. I.,: Formal Design Constraints, SIG-PLAN Notices, vol. 31, no. 10, pp. 370-383, ACM Press, New York, NY, 1996.

14. Lewis, H. R.: Unsolvable Classes of Quanticational Formulas. Addison-Wesley,Reading, MA, 1979.

15. Lowe, H.: Extending the Proof Plan Methodology to Computer Configuration Prob-lems. Applied Artificial Intelligence, vol. 5, no. 3, pp. 227-252, 1991.

16. Narain, S.: Network Configuration Management via Model Finding. ACM Work-shop On Self-Managed Systems, October 31-November 1, 2004, Newport Beach,CA.

17. Pepelnjak, I., Guichard, J.: MPLS VPN Architectures., Cisco Press, 2001.18. Rekhter, Y., Li, T.: An Architecture for IP Address Allocation with CIDR. RFC

1518, 1993.19. Rosen, E., Rekhter, Y.: BGP/MPLS VPNs. RFC 2547, 1999.20. Scott, C., Wolfe, P. Erwin, M.: Virtual Private Networks. O’Reilly, 1998.21. Villemaire, R., Halle, S., Cherkaoui, O.: Configuration Logic: A Multi-Site Modal

Logic. Proceedings of the 12th International Symposium on Temporal Representa-tion and Reasoning, TIME 2005, June 23-25, Burlington, Vermont, USA, 2005.

22. Zeller, A., Snelting, G.: Unified Versioning through Feature Logic, ACM Transac-tions on Software Engineering and Methodology, vol. 6, no. 4, pp. 398-441, ACMPress, New York, NY, 1997.

58

LPAROn a mission, to boldlygo where no reasonable

conference has gone before