Keywords

1 Introduction

The SCL (“Clause Learning from Simple Models” or simply “Simple Clause Learning”) family of calculi lifts a conflict-driven clause learning (CDCL) approach to first-order logic: SCL(FOL) is for first-order logic without equality [8, 10], SCL(T) is for first-order logic with theories [6], SCL(EQ) is for first-order logic with equality [12], and HSCL is for exhaustive partial models exploration in first-order logic without equality [7]. In its original formulation [10], SCL(FOL) required exhaustive propagation and a precise strategy for the application of the rules in order to learn non-redundant clauses. This was improved upon by SCL(T) [6] by dropping exhaustive propagation and weakening the strategy, i.e., any run according to the strategy in [10] is also a run according to the strategy in [6]. The SCL(FOL) version presented in Bromberger et al. [8] integrates those changes and additionally refines the Backtrack rule.

We present an Isabelle/HOL formalization of the non-executable specification of SCL(FOL) based on and developed in parallel to Bromberger et al. The main results are soundness, non-redundancy of learned clauses, termination, and refutational completeness. In contrast to the goal of Bromberger et al. to guide toward an implementation, our goal is to be as simple and general as possible. For that, we (i) simplified the calculus (e.g., no more explicity tracking of decision levels), (ii) generalized the calculus (e.g., multiple acceptable positions in the Backtrack rule), (iii) strengthened existing theorems (e.g., Theorem 11 on non-redundancy), and (iv) proved new theorems (e.g., Corollary 12 on non-subsumption).

This work is part of the IsaFoL (Isabelle Formalization of Logic) effort [2], which aims at developing a library of results about logical calculi. The Isabelle theory files are available in the Archive of Formal Proofs (AFP) [9] and amount to more than 11 000 lines of source text. They build heavily upon many other entries of the AFP: (i) First_Order_Terms [17] for first-order terms, term substitutions, and MGU; (ii) Ordered_Resolution_Prover [14,15,16] for the clausal calculus, clause substitutions, Herbrand interpretation, and compactness of first-order logic; and (iii) Saturation_Framework_Extensions [5, 18] for entailment of the clausal calculus. We contributed many lemmas and definitions back to both the Isabelle distribution and the aforementioned AFP entries (e.g., over 50 to First_Order_Terms). We made heavy use of the Isar language [19] to write structured proofs, the Sledgehammer tool [13] for proof automation, and locales [1]—Isabelle’s parameterized module system—to structure our development and reuse existing components from the AFP entries. To ease associating the main results in this paper with their counterparts in the Isabelle development, names in monospace are taken verbatim from the formalization.

The formalization follows the basic ideas of the existing formalizations of the first-order resolution calculus [16] and propositional CDCL calculi [3, 4]. Compared to propositional logic, first-order logic adds a number of challenges: the extra term level requires to consider variables, substitutions, groundings, and the concept of factorization. To preserve completeness, propagation of ground literals must not be exhaustive anymore, resulting in a level-wise exploration w.r.t. a bounding atom. Inside this bound, the calculus always terminates. If one level does not suffice to find a refutation, the bound can be increased and exploration can be continued. For unsatisfiable formulas, we prove the existence of a bound sufficient to derive \(\bot \), which guarantees that only finitely many levels need to be explored.

The paper is now organized as follows. Section 2 recaps the SCL(FOL) calculus from Bromberger et al. as the basis of our formalization presented in Sect. 3. We first present the Isabelle formalization of the abstract rules of the SCL(FOL) calculus. Then we prove invariants preserved by the rules starting from the initial state, Lemma 1. Subsequently, we prove soundness, Theorem 7, non-redundancy of learned clauses, Theorem 11, termination with respect to a fixed bound, Theorem 18, and finally refutational completeness with respect to an appropriate bound, Theorem 20. We discuss important aspects of the formalization and proof ideas here and refer the reader to the formalization for more details. The paper ends with a short conclusion of the obtained results.

2 The SCL(FOL) Calculus

We shortly repeat basic first-order logic notions and the SCL(FOL) calculus presented in Bromberger et al. We consider an untyped, first-order logic without equality. A term is defined inductively as either a variable x or a function application \(f(\overrightarrow{t})\) for a constant f and a (possibly-empty) list of terms \(\overrightarrow{t}\). An atom is a predicate symbol applied to a list of term arguments. A literal is either a positive atom \(A\) or a negative atom \({\lnot }A\). For literals we write L or K. The atom of a literal may be selected with \(\text {atom}(A) = A\) and \(\text {atom}({\lnot }A) = A\). The complement of a literal is defined as \(\text {comp}(A) = {\lnot }A\) and \(\text {comp}({\lnot }A) = A\). A disjunctive clause is a finite multiset of literals. For clauses we write C or D. We use the syntax \(L \vee C\) and \(C \vee D\) synonymously with the multiset sums \(\{L\} + C\) and \(C + D\) respectively. We also use the syntax \(\bot \) synonymously with the empty multiset \(\{\}\). All variables in clauses are to be understood as universally quantified.

Substitutions are total unary functions from variables to terms. A substitution \(\sigma \) may be applied to a variable x, a term t, an atom A, a literal L, or a clause C, denoted \(x\sigma \), \(t\sigma \), \(A\sigma \), \(L\sigma \), or \(C\sigma \) respectively. Substitution application is left-associative, i.e., \(C\sigma _1\sigma _2 = (C\sigma _1)\sigma _2\). The domain of a substitution \(\sigma \) is defined as \(\text {dom}(\sigma ) = \{x \, | \, x\sigma \ne x\}\). The composition of two substitutions \(\sigma _1\) and \(\sigma _2\) is defined as the function \(\sigma _1 \circ \sigma _2 = (\lambda x. \, x\sigma _1\sigma _2)\). A substitution \(\gamma \) is a grounding for a term t, an atom A, a literal L, or a clause C if \(t\gamma \), \(A\gamma \), \(L\gamma \), or \(C\gamma \) are respectively ground, i.e., if they do not contain variables. A substitution \(\rho \) is a renaming if it is injective and \(x\rho \) is a variable for all variables x. The inverse of a renaming \(\rho \) is any function \(\rho ^{-1}\) from terms to variables such that \(\rho ^{-1} \, (x\rho ) = x\) for all variables x. The restriction of a substitution \(\sigma \) to a set of variables V is defined as the function \((\lambda x. \, \text {if } x \in V \text { then } x\sigma \text { else } x)\). A substitution \(\sigma \) is idempotent if \(\sigma \circ \sigma = \sigma \). A substitution \(\upsilon \) is a unifier for a set of terms T if \(t_1\upsilon = t_2\upsilon \) for all terms \(t_1 \in T\) and \(t_2 \in T\). A substitution \(\mu \) is a most general unifier (MGU) for a set of terms T if \(\mu \) is a unifier for T and there exists a substitution \(\sigma \) such that \(\mu \circ \sigma = \upsilon \) for all unifiers \(\upsilon \) for T. A substitution \(\mu \) is an idempotent, most general unifier (IMGU) for a set of terms T if \(\mu \) is a unifier for T and \(\mu \circ \upsilon = \upsilon \) for all unifiers \(\upsilon \) for T; note that \(\mu \) is an IMGU iff it is both idempotent and a MGU.

When formalizing logical calculi, IMGUs are preferable because they allow to apply groundings to a term both directly and after applying an IMGU, i.e., \(t\gamma = t\mu \gamma \) for all terms t, groundings \(\gamma \), and IMGU \(\mu \). Non-idempotent MGU do not have this property as the following counter-example shows. Consider the terms \(t_1 = f(x, y, z)\) and \(t_2 = f(w, y, z)\), the grounding \(\gamma = \{x \mapsto a,\, y \mapsto b, \, z \mapsto c, \, w \mapsto a\}\), and the non-idempotent MGU \(\mu = \{x \mapsto w, \, y \mapsto z, \, z \mapsto y\}\) where x, y, z, w are variables and a, b, c are ground constants, then we have \(t_1\gamma = f(a, b, c) \ne f(a, c, b) = t_1\mu \gamma \). In published literature, an IMGU is often meant instead of an MGU; the idempotency requirement is often kept implicit because standard implementations for computing MGUs actually produce IMGUs.

The function \(\text {gnd}(C) = \{C\gamma \, | \, C\gamma \text { is ground}\}\) expresses the set of all groundings of a clause C. The function \(\text {gnd}(N) = (\bigcup C \in N. \; \text {gnd}(C))\) expresses the set of all groundings of a set of clauses N; its subset whose clauses are restricted to atoms less than or equal to a bound \(\beta \) w.r.t. an order \(\prec _B\) is defined as \(\text {gnd}^{\preceq _B \beta }(N) = \{C \in \text {gnd}(N) \, | \, \forall L \in C. \; \text {atom}(L) \preceq _B \beta \}\). Note that \(\text {gnd}(\text {gnd}(N)) = \text {gnd}(N)\). The strict order \(\prec _B\) is total on ground literals and is such that for each \(\beta \) there are only finitely many literals L with \(L \prec _B \beta \). An example of such an order could be KBO without zero-weight symbols. Note that LPO does not satisfy the last condition of a \(\prec _B\) order although it is a well-founded and total order.

Herbrand entailment is defined as \((I \models _{\mathcal {H}} N \longleftrightarrow (\forall C \in N. \; I \models _{\mathcal {H}} C))\) for a set of clauses N, \((I \models _{\mathcal {H}} C \longleftrightarrow (\exists L \in C. \; I \models _{\mathcal {H}} L))\) for a clause C, \((I \models _{\mathcal {H}} A \longleftrightarrow A \in I)\), and \((I \models _{\mathcal {H}} {\lnot }A \longleftrightarrow A \notin I)\) for a literal with atom A; note that the symbol \(\models _{\mathcal {H}}\) is overloaded. Ground entailment is defined as \((N_1 \models _{\mathcal {G}} N_2 \longleftrightarrow (\forall I. \, I \models _{\mathcal {H}} N_1 \longrightarrow I \models _{\mathcal {H}} N_2))\). First-order entailment is defined as \((N_1 \models N_2 \longleftrightarrow \text {gnd}(N_1) \models _{\mathcal {G}} \text {gnd}(N_2))\). A set of ground clauses N is satisfiable if there exists a Herbrand interpretation I such that \(I \models _{\mathcal {H}} N\); otherwise, it is unsatisfiable.

An annotated literal is the pairing of a literal with an annotation. We call it a decision literal when the annotation is a natural number n indicating the literal’s level (i.e., that it is the nth decision) and a propagation literal when the annotation is a closure of the clause the literal originated from. The literal of an annotated literal \(\mathcal {K}\) is denoted \(\text {lit}(\mathcal {K})\) and the annotation is denotated \(\text {ann}(\mathcal {K})\). The level of a clause is the maximum level of its literals. A trail is a finite sequence of annotated ground literals: it grows from left to right. The empty trail is written \(\epsilon \) and appending a new annotated literal \(\mathcal {K}\) to a trail \(\varGamma \) is written \(\varGamma ,\mathcal {K}\). The concatenation of two trails \(\varGamma _1\) and \(\varGamma _2\) is written \(\varGamma _2, \varGamma _1\). A trail \(\varGamma \) can be converted to a set with \(\text {set}(\varGamma )\).

A literal L is true under trail \(\varGamma \) if \(L \in \{\text {lit}(\mathcal {K}) \, | \, \mathcal {K} \in \text {set}(\varGamma )\}\). A literal L is false under trail \(\varGamma \) if \(\text {comp}(L) \in \{\text {lit}(\mathcal {K}) \, | \, \mathcal {K} \in \text {set}(\varGamma )\}\). A literal L is defined in a trail \(\varGamma \) if L is true or false under \(\varGamma \); otherwise, it is undefined. A clause C is true under trail \(\varGamma \) if \((\exists L \in C. \; L \text { is true under } \varGamma )\). A clause C is false under trail \(\varGamma \) if \((\forall L \in C. \; L \text { is false under } \varGamma )\). A clause C is defined in a trail \(\varGamma \) if \((\forall L \in C. \; L \text { is defined in } \varGamma )\); otherwise, it is undefined.

The SCL(FOL) calculus is defined as a transition system operating on states \((\varGamma ;N;U;\beta ;k;\mathcal {C})\) where \(\varGamma \) is a trail, N is a finite set of initial clauses, U is a finite set of learned clauses, \(\beta \) is a bounding atom restricting the considered ground literals, k is a natural number counting the number of decisions taken in \(\varGamma \), and \(\mathcal {C}\) is either \(\top \) or a clause closure \((C; \gamma )\) such that \(C\gamma \) is ground and false in \(\varGamma \). The initial state is \((\epsilon ;N;\emptyset ;\beta ;0;\top )\) for some initial clause set N and bound \(\beta \).

The transition relation \(\Rightarrow _{\text {SCL}}\) is a mapping between states. The rules below are from Bromberger et al. and serve as a reference for the Isabelle formalization described in Sect. 3.

Propagate \((\varGamma ;N;U;\beta ;k;\top )\) \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma , L\gamma ^{((C_0\vee L){\mu }; \gamma )};N;U;\beta ;k;\top )\)

if \((C\vee L) \in (N\cup U)\), \(C = C_0 \vee C_1\), \(C_1\gamma = L\gamma \vee \dots \vee L\gamma \), \(C_0\gamma \) does not contain \(L\gamma \), \(\mu \) is the IMGU of the literals in \(C_1\) and L, \((C\vee L)\gamma \) is ground, \((C\vee L)\gamma \prec _B \{\beta \}\), \(C_0\gamma \) false under \(\varGamma \), and \(L\gamma \) is undefined in \(\varGamma \).

Decide \((\varGamma ;N;U;\beta ;k;\top )\) \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma ,L\gamma ^{k+1};N;U;\beta ;k+1;\top )\)

if \(L\in C\) for a \(C \in (N\cup U)\), \(L\gamma \) is a ground literal undefined in \(\varGamma \), and \(L\gamma \prec _B \beta \).

Conflict \((\varGamma ;N;U;\beta ;k;\top )\) \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma ;N;U;\beta ;k;(C; \gamma ))\)

if \(C\in (N\cup U)\), \(C\gamma \) is false under \(\varGamma \) for a grounding substitution \(\gamma \).

These rules construct a (partial) model via the trail \(\varGamma \) for \(N\cup U\) until a conflict, i.e., a clause false under \(\varGamma \) is found. The above rules always terminate, because there are only finitely many ground literals L with \(L \prec _B \beta \). It might be necessary to successively increase \(\beta \) for full refutational completeness.

Skip \((\varGamma , K;N;U;\beta ;k;(C; \gamma ))\) \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma ;N;U;\beta ;k-i;(C; \gamma ))\)

if \(\text {comp}(K)\) does not occur in \(C\gamma \), if K is a decision literal then \(i=1\); otherwise, \(i=0\).

Factorize \((\varGamma ;N;U;\beta ;k;(C\vee L \vee L'; \gamma ))\) \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma ;N;U;\beta ;k;((C\vee L)\mu ; \gamma ))\)

if \(L\gamma = L'\gamma \) and \(\mu ={\text {IMGU}}(L,L')\).

Note that this rule may be used multiple times if the conflicting clause contains more than two duplicates of a given literal or if multiple distinct literals have duplicates.

Resolve \((\varGamma , {K\gamma _D}^{(D\vee K; \gamma _D)};N;U;\beta ;k;(C\vee L; \gamma _C))\)

        \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma , {K\gamma _D}^{(D\vee K; \gamma _D)};N;U;\beta ;k;((C\vee D)\mu ; \gamma _C \circ \gamma _D))\)

if \(K\gamma _D = {\text {comp}}(L\gamma _C)\), \(\mu ={\text {IMGU}}(K,{\text {comp}}(L))\).

The clauses \(D \vee K\) and \(C \vee L\) are assumed to have disjoint variables.

Backtrack \((\varGamma _0,K,\varGamma _1,{\text {comp}}(L\gamma )^k;N;U;\beta ;k;(C \vee L; \gamma ))\)

        \(\;\Rightarrow _{\text {SCL}}\;\) \((\varGamma _0;N;U\cup \{C\vee L\};\beta ;j;\top )\)

if \(C\gamma \) is of level \(i'<k\), and \(\varGamma _0,K\) is the minimal trail subsequence such that there is a grounding substitution \(\gamma '\) with \((C \vee L)\gamma '\) is false under \(\varGamma _0,K\) but not in \(\varGamma _0\), and \(\varGamma _0\) is of level j.

The clause \(C\vee L\) added by the rule Backtrack to U is called a learned clause. The empty clause \(\bot \) can only be generated by rule Resolve or be already present in N, hence, as usual for CDCL-style calculi, the generation of \(\bot \) together with the clauses in \(N\cup U\) represent a resolution refutation.

A sequence of SCL rule applications is called a reasonable run if the rule Decide does not enable an immediate application of rule Conflict. A sequence of SCL rule applications is called a regular run if it is a reasonable run and the rule Conflict has precedence over all other rules.

3 Formalization of the SCL(FOL) Calculus

The formalization introduces some new concepts absent from Sect. 2. A multiset C can be converted to a set, i.e., without duplicates, with \(\text {set}(C)\). The multiplicity of an element x in a multiset C is denoted by \(\text {count}(C, x)\). The cardinality of a multiset—the sum of the multiplicities of its elements—is denoted by \(|C|\). The multiset whose only element is x with multiplicity n is denoted by \(\text {repeat}(n, x)\); note that \(\text {count}(\text {repeat}(n, x), x) = n\), and \(\text {set}(\text {repeat}(n, x)) = \{x\}\) if \(n > 0\). The multiset extension of an order on literals extends the order to multisets containing literals; we use the Huet-Oppen specification [11], one of several equivalent alternatives for this extension. The adaptation of a substitution \(\sigma \) to a renaming \(\rho \) is a function whose domain is the renamed domain of \(\sigma \) and whose codomain is the same as \(\sigma \); it is defined as the function \((\lambda x. \, \text {if } x \in \{y\rho \, | \, y \in \text {dom}(\sigma )\} \text { then } (\rho ^{-1} \, x)\sigma \text { else } x)\). A substitution \(\gamma \) is a merged grounding of a grounding \(\gamma _A\) for a set of variables A and a grounding \(\gamma _B\) for a set of variables B if \((A \cap B = \{\} \longrightarrow (\forall x \in A. \; x\gamma _A \text { is ground}) \longrightarrow (\forall x \in B. \; x\gamma _B \text { is ground}) \longrightarrow (\forall x \in A. \; x\gamma = x\gamma _A) \wedge (\forall x \in B. \; x\gamma = x\gamma _B))\); an example of a function that fulfills this specification is \((\lambda x. \, \text {if } x \in A \text { then } x\gamma _A \text { else } x\gamma _B)\). The length of a trail \(\varGamma \) is denoted by \(|\varGamma |\). The nth right-most element of a trail \(\varGamma \) is denoted by \(\varGamma [n]\); we use zero-based indexing where the right-most element is the 0th element. The Herbrand interpretation of a trail \(\varGamma \) is defined as \(\mathcal{H}\mathcal{I}(\varGamma ) = (\bigcup \mathcal {K} \in \text {set}(\varGamma ). \; \text {case } \text {lit}(\mathcal {K}) \text { of } A \Rightarrow \{A\} \; | \; {\lnot }A \Rightarrow \{\})\).

The formalization also changes some existing concepts. No distinction is made between atoms and terms, so first-order terms are used everywhere in place of atoms. The level annotation of a decision literal is not required anymore and replaced by a \(\dagger \) marker, it is now written \(K = (K; \dagger )\) for some literal K. A propagation literal is written \((K\gamma _D)^{(K; D; \gamma _D)} = (K\gamma _D; (D; K; \gamma _D))\) for some literal K, clause D, and grounding \(\gamma _D\). Note that the propagated literal is explicitly separated from its clause in the closure annotation; this eases the formulation of the additional invariants 5 and 6 of Lemma 1., that the respective clause is always false under the respective trail. For the trail \(\varGamma ,\mathcal {K}\), the Isabelle formalization uses the constructor \(\texttt {List.Cons} \, \mathcal {K} \, \varGamma \) which actually grows from right to left. However, we keep the well-established left-to-right convention in this paper because it significantly eases the presentation. An state is a tuple \((\varGamma ; U; \mathcal {C})\) where \(\varGamma \) is a trail, U is a finite set of learned clauses, and \(\mathcal {C}\) is an optional clause closure. The individual components can be selected with \(\text {trail}((\varGamma ; U; \mathcal {C})) = \varGamma \), \(\text {learned}((\varGamma ; U; \mathcal {C})) = U\), and \(\text {conflict}((\varGamma ; U; \mathcal {C})) = \mathcal {C}\). The initial state is \((\epsilon ; \{\}; \top )\), i.e., empty trail, no learned clauses, and no conflicting closure. The finite set of initial clauses N and the bounding atom \(\beta \) are no longer stored in the state but are rather parameters of the transition relation; this was done to highlight the fact that they are never modified by any rule. The natural number k counting the number of decisions, used in Sect. 2 to determine an appropriate backtracking point, turned out not to be necessary and was dropped entirely. We assume the existence of a binary relation on atoms \(\prec _B\) such that \((\forall \beta . \, \{t \, | \, t \prec _B \beta \} \text { is finite})\) but dropped the requirement for \(\prec _B\) to be a strict order total on ground terms. We also don’t lift \(\prec _B\) to literals and clauses, but always use it at the atom level. We define the relation \(\preceq _B\) as the reflexive closure of \(\prec _B\).

The transition relation \( \, \Rightarrow _{\text {SCL}}^{N,\beta } \, \) is a binary predicate between states and is parameterized by the finite set N of initial clauses and the bounding atom \(\beta \). It is defined as the disjunction of the following rules. Following each rule, we highlight the main differences from Sect. 2 not already covered.

Propagate    \((\varGamma ; U; \top ) \, \Rightarrow _{\text {Propagate}}^{N,\beta } \, (\varGamma ,(L\mu \gamma )^{(L\mu ; C_0\mu ; \gamma )}; U; \top )\)

if \((L \vee C) \in (N \cup U)\), \(\gamma \) is a grounding for \(L \vee C\), \((\forall K \in (L \vee C). \; \text {atom}(K\gamma ) \preceq _B \beta )\), \(C_0 = \{K \in C \, | \, K\gamma \ne L\gamma \}\), \(C_1 = \{K \in C \, | \, K\gamma = L\gamma \}\), \(C_0\gamma \) is false under \(\varGamma \), \(L\gamma \) is undefined in \(\varGamma \), and \(\mu \) is an IMGU for all terms in \(\{\text {atom}(K) \, | \, K \in (L \vee C_1)\}\).

Compared to Sect. 2, we express the splitting of C into \(C_0\) and \(C_1\) formally as set operations and replace \(\prec _B\) with \(\preceq _B\). This replacement has no effect on the results but allowing the bound \(\beta \) to be in \(\text {gnd}^{\preceq _B \beta }(N)\) eases the proof of Lemma 21, where the largest element of the (finite) unsatisfiable core is directly used as new bound. There are also situations where the maximal element of a signature is required to derive a contradiction: a non-strict bound requires to artificially extend the signature while a non-strict bound does not.

Decide    \((\varGamma ; U; \top ) \, \Rightarrow _{\text {Decide}}^{N,\beta } \, (\varGamma ,(L\gamma ); U; \top )\)

if \((L \vee C) \in N\), \(\gamma \) is a grounding for L, \(L\gamma \) is undefined in \(\varGamma \), and \(\text {atom}(L\gamma ) \preceq _B \beta \).

Compared to Sect. 2, we replace \(\prec _B\) with \(\preceq _B\) and take the decision literal from N instead of \(N \cup U\). The ground instances of literals of U are a subset of the ground instances of literals of N so it is redundant to also consider U here.

Conflict    \((\varGamma ; U; \top ) \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, (\varGamma ; U; (C; \gamma ))\)

if \(C \in (N \cup U)\), \(\gamma \) is a grounding for C, and \(C\gamma \) is false under \(\varGamma \).

Skip    \((\varGamma ,\mathcal {K}; U; (C; \gamma )) \, \Rightarrow _{\text {Skip}}^{N,\beta } \, (\varGamma ; U; (C; \gamma ))\)

if \(\text {comp}(\text {lit}(\mathcal {K})) \notin C\gamma \).

Factorize    \((\varGamma ; U; (L' \vee L \vee C; \gamma )) \, \Rightarrow _{\text {Factorize}}^{N,\beta } \, (\varGamma ; U; ((L \vee C)\mu ; \gamma ))\)

if \(L\gamma = L'\gamma \) and \(\mu \) is the IMGU for the terms \(\text {atom}(L)\) and \(\text {atom}(L')\).

Resolve    \((\varGamma ; U; (L \vee C; \gamma _C)) \, \Rightarrow _{\text {Resolve}}^{N,\beta } \, (\varGamma ; U; ((C\rho _C \vee D\rho _D)\mu ; \gamma ))\)

if \(\varGamma = \varGamma ',(K\gamma _D)^{(K; D; \gamma _D)}\), and \(K\gamma _D = \text {comp}(L\gamma _C)\), \(\rho _C\) and \(\rho _D\) are renamings such that the variables of \((L \vee C)\rho _C\) and \((K \vee D)\rho _D\) are disjoint, \(\mu \) is the IMGU for the terms \(\text {atom}(L)\rho _C\) and \(\text {atom}(K)\rho _D\), \(\gamma _C'\) and \(\gamma _D'\) are adaptations of \(\gamma _C\) and \(\gamma _D\) to the renamings \(\rho _C\) and \(\rho _D\) respectively, and \(\gamma \) is a merged grounding of \(\gamma _C'\) for the variables of \((L \vee C)\rho _C\) and \(\gamma _D'\) for the variables of \((K \vee D)\rho _D\).

Note that the definition of merged grounding implies the following equalities: \(\mu \circ \gamma = \gamma \), \(L\rho _C\gamma = L\gamma _C\), \(C\rho _C\gamma = C\gamma _C\), \(K\rho _D\gamma = K\gamma _D\), and \(D\rho _D\gamma = D\gamma _D\).

Compared to Sect. 2, we explicitly rename the merged clauses to avoid variable-name clashes instead of assuming disjoint variables, and use an abstract specification for the merged grounding instead of forcing substitution composition. The latter makes our rule more general by allowing more freedom to an implementation.

Backtrack    \((\varGamma , \varGamma ',K; U; (L \vee C; \gamma )) \, \Rightarrow _{\text {Backtrack}}^{N,\beta } \, (\varGamma ; \{L \vee C\} \cup U; \top )\)

if \(K = \text {comp}(L\gamma )\) and \((\not \exists \gamma '. \, (L \vee C)\gamma ' \text { is ground and false under } \varGamma )\).

Compared to Sect. 2, we allow backtracking to any non-conflicting trail instead of specifying the position. This makes our rule more general by, again, allowing more freedom to an implementation. The minimally backtracking strategy introduced in Definition 4 brings back equivalence to the Backtrack rule of Sect. 2.

Isabelle Technicalities. We define the SCL rules in the scl_fol_calculus locale. It fixes an abstract binary relation \(\prec _B\) as a locale parameter and assumes that it bounds a finite number of atoms. It also fixes an abstract function to generate variable renamings as a locale parameter and assumes its correctness; this function is not required for the specification of the calculus but is required in multiple proofs. Most of the following definitions and theorems are in the context of this locale. Each SCL rule is defined separately as an inductive predicate. Having separate definitions allows to refer to the rules individually in subsequent definitions and theorems. Using inductive predicates, as opposed to plain definitions, is convenient because Isabelle automatically generates some useful introduction and elimination lemmas, and configures structured Isar syntax for case analysis.

From the SCL rules, we can prove a number of invariants about states. Most of them are intuitive while few are technicalities of the Isabelle formalization. We will use the invariants as hypotheses for many of the main lemmas and theorems.

Lemma 1

(scl_state_invariants). Let \((\varGamma ; U; \mathcal {C})\) be an state w.r.t. \( \, \Rightarrow _{\text {SCL}}^{N,\beta } \, \). The following invariants hold for the initial state \((\epsilon ; \{\}; \top )\) and are each individually preserved by the SCL rules.

  1. 1.

    All annotated literals in \(\varGamma \) are ground.

    • \(\forall K \in \{\text {lit}(\mathcal {K}) \, | \, \mathcal {K} \in \text {set}(\varGamma )\}. \; K \text { is a ground literal}\)

  2. 2.

    The atoms of all annotated literals in \(\varGamma \) are \(\preceq _B \beta \).

    • \(\forall K \in \{\text {lit}(\mathcal {K}) \, | \, \mathcal {K} \in \text {set}(\varGamma )\}. \; \text {atom}(K) \preceq _B \beta \)

  3. 3.

    All annotated literals in \(\varGamma \) are undefined in their respective subtrail of \(\varGamma \).

    • \(\forall \varGamma ' \, \mathcal {K} \, \varGamma ''. \, \varGamma = \varGamma ',\mathcal {K}, \varGamma '' \longrightarrow \text {lit}(\mathcal {K}) \text { is undefined in } \varGamma '\)

  4. 4.

    All closures in \(\varGamma \) and \(\mathcal {C}\) are ground.

    • \(\forall \mathcal {K} \in \text {set}(\varGamma ). \; \forall D \, K \, \gamma . \; \mathcal {K} = (K\gamma )^{(K; D; \gamma )} \longrightarrow D\gamma \text { is ground}\)

    • \(\forall C \, \gamma . \; \mathcal {C}= (C; \gamma ) \longrightarrow C\gamma \text { is ground}\)

  5. 5.

    All closures in \(\varGamma \) and \(\mathcal {C}\) are false under their respective subtrail of \(\varGamma \).

    • invariant holds

    • \(\forall D \, K \, \gamma \, \varGamma ' \, \varGamma ''. \, \varGamma = \varGamma ',(K\gamma )^{(K; D; \gamma )}, \varGamma '' \longrightarrow D\gamma \text { is false under } \varGamma '\)

    • \(\forall C \, \gamma . \, \mathcal {C}= (C; \gamma ) \longrightarrow C\gamma \text { is false under } \varGamma \)

  6. 6.

    All propagated literals in \(\varGamma \) are the grounding of the non-ground literal in their closure annotations.

    • \(\forall \mathcal {K} \in \text {set}(\varGamma ). \; \forall D \, K \, \gamma . \; \text {ann}(\mathcal {K}) = (D; K; \gamma ) \longrightarrow \text {lit}(\mathcal {K}) = K\gamma \)

  7. 7.

    The complements of all propagated literals in \(\varGamma \) are absent from their closure annotation.

    • \(\forall \mathcal {K} \in \text {set}(\varGamma ). \; \forall D \, K \, \gamma . \; \mathcal {K} = (K\gamma )^{(K; D; \gamma )} \longrightarrow \text {comp}(K\gamma ) \notin D\gamma \)

  8. 8.

    All literals of the clauses in \(\varGamma \)’s propagating clauses, U, and \(\mathcal {C}\) have a corresponding, more general literal in N.

    • \(\forall D \in \{D \, | \, (K\gamma )^{(K; D; \gamma )} \in \text {set}(\varGamma )\} \cup U \cup (\text {if } \mathcal {C}= (C; \gamma ) \text { then } \{C\} \text { else } \{\}). \; \)

      \({\forall K \in D. \; \exists D' \in N. \; \exists K' \in D'. \; \exists \sigma . \, K'\sigma = K}\)

  9. 9.

    All annotated literals in \(\varGamma \) have a corresponding more general literal either in N or in U.

    • \(\forall \mathcal {K} \in \text {set}(\varGamma ). \; \exists L \in N \cup U. \; \exists \sigma . \, L\sigma = \text {lit}(\mathcal {K})\)

  10. 10.

    All clauses in \(\varGamma \), U, and \(\mathcal {C}\) are entailed by N.

    • \(\forall \mathcal {K} \in \text {set}(\varGamma ). \; \forall D \, K \, \gamma . \; \mathcal {K} = (K\gamma )^{(K; D; \gamma )} \longrightarrow N \models \{K \vee D\}\)

    • \(N \models U\)

    • \(\forall C \, \gamma . \; \mathcal {C}= (C; \gamma ) \longrightarrow N \models \{C\}\)

The SCL calculus is defined as a transition system where many decisions are deferred to strategies. A strategy specifies a transition system whose transitions are a subset of those from an existing transition system. We say that a strategy \(\mathcal {S}\) restricts a transition system \(\mathcal {T}\) (or symmetrically that \(\mathcal {T}\) is restricted by \(\mathcal {S}\)) if (\(\forall x \, y. \; \mathcal {S} \, x \, y \; \longrightarrow \; \mathcal {T} \, x \, y\)). Note that strategies can be chained to iteratively apply more restrictions.

We define the reasonable and regular strategies restricting the \( \, \Rightarrow _{\text {SCL}}^{N,\beta } \, \) relation in order to prove the main results of this paper.

Definition 2

The reasonable strategy \( \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, \) restricts the SCL calculus by preventing decisions that immediately lead to a conflict. Such situations could be replaced by a propagation. Formally:

$$\begin{aligned} S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, S' \;\; \longleftrightarrow \;\; S \, \Rightarrow _{\text {SCL}}^{N,\beta } \, S' \wedge (S \, \Rightarrow _{\text {Decide}}^{N,\beta } \, S' \longrightarrow (\not \exists S''. \, S' \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S'')) \end{aligned}$$

Definition 3

The regular strategy \( \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, \) restricts the reasonable strategy by prioritizing the conflict rule to any other. Formally:

$$\begin{aligned} S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S' \;\; \longleftrightarrow \;\; S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, S' \wedge ((\exists S''. \, S \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S'') \longrightarrow S \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S') \end{aligned}$$

While not required for the coming results, we also define the minimally backtracking strategy to express the constraint on the backtracking position found in Sect. 2.

Definition 4

The minimally backtracking strategy \( \, \Rightarrow _{\text {Min-Bac-SCL}}^{N,\beta } \, \) restricts the regular strategy by requiring that backtracking removes the shortest possible suffix of the trail. Formally:

All three strategies build on one-another and ultimately restrict the SCL relation. We can express this formally as implications, of which the first can be used to show that coming results (e.g., Corollaries 13 and 19) also hold for the minimally backtracking strategy.

Lemma 5

(strategy_restrictions). The minimally backtracking strategy restricts the regular strategy, which restricts the reasonable strategy, which restricts the SCL calculus. Formally:

  • \(\forall N \, \beta \, S \, S'. \; S \, \Rightarrow _{\text {Min-Bac-SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S'\)

  • \(\forall N \, \beta \, S \, S'. \; S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, S'\)

  • \(\forall N \, \beta \, S \, S'. \; S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {SCL}}^{N,\beta } \, S'\)

The bounding atom \(\beta \) restricts the calculus to only consider the finitely many ground atoms less than or equal to \(\beta \) w.r.t. \(\prec _B\); this will play an important role in the termination proof. When SCL terminates, it either derived a contradiction, or it found a model for the bounded groundings of the initial clauses. Because \(\beta \) is usually chosen heuristically, the model might be unsatisfactory for the considered use case and one may want to continue execution with a bigger bound. This is allowed if the new bound properly extends the previous bound \(\beta \) w.r.t. \(\preceq _B\).

Theorem 6

(monotonicity_wrt_bound). If the ground atoms bound by \(\beta \) are a subset of the ground atoms bound by \(\beta '\), formally if \((\forall A. \, A \text { is ground } \longrightarrow A \preceq _B~\beta \longrightarrow A \preceq _B \beta ')\), then the SCL, reasonable SCL, regular SCL, and minimally backtracking transitions w.r.t. \(\beta \) are also transitions w.r.t. \(\beta '\), formally

  • \(\forall N \, S \, S'. \; S \, \Rightarrow _{\text {SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {SCL}}^{N,\beta '} \, S'\),

  • \(\forall N \, S \, S'. \; S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta '} \, S'\),

  • \(\forall N \, S \, S'. \; S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta '} \, S'\), and

  • \(\forall N \, S \, S'. \; S \, \Rightarrow _{\text {Min-Bac-SCL}}^{N,\beta } \, S' \; \longrightarrow \; S \, \Rightarrow _{\text {Min-Bac-SCL}}^{N,\beta '} \, S'\).

Theorem 6 implies that all properties w.r.t. a bound \(\beta \) also hold w.r.t. a compatible bound \(\beta '\). Its hypothesis is fulfilled if \(\preceq _B\) is transitive on ground atoms, \(\beta \) and \(\beta '\) are ground atoms, and \(\beta \preceq _B \beta '\). The bounding atom could even be increased at any point in an SCL run, not just when the calculus terminated.

The different rules and strategies considered so far express a single step of computation for the SCL calculus; they offer a good level of granularity to both understand and mechanize the details of the calculus. But many results of the following sections ought to express properties of the calculus as a whole. We express such results in terms of a run from the initial state. A run is the reflexive, transitive closure of a rule or strategy, e.g. \(S \, (\Rightarrow _{\text {SCL}}^{N,\beta })^* \, S'\) is an SCL run from the state S to the state \(S'\).

The soundness of the individual SCL rules is shown by invariant 10. We now consider the soundness of terminating runs of the SCL calculus as a whole.

Theorem 7

(correct_termination). Let \(S = (\varGamma ; U; \mathcal {C})\) be a state w.r.t. \( \, \Rightarrow _{\text {SCL}}^{N,\beta } \, \). If invariants 2, 3, 5, 6 and 10 hold for S, and if S is a stuck state with some restrictions, formally if

  • \(\not \exists S'. \, S \, \Rightarrow _{\text {Propagate}}^{N,\beta } \, S'\),

  • \(\not \exists S'. \, S \, \Rightarrow _{\text {Decide}}^{N,\beta } \, S' \wedge (\not \exists S''. \, S' \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S'')\),

  • \(\not \exists S'. \, S \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S'\),

  • \(\not \exists S'. \, S \, \Rightarrow _{\text {Skip}}^{N,\beta } \, S'\),

  • \(\not \exists S'. \, S \, \Rightarrow _{\text {Resolve}}^{N,\beta } \, S'\),

  • \(\not \exists S'. \, S \, \Rightarrow _{\text {Backtrack}}^{N,\beta } \, S'\) and the backtracking is minimal,

then either the conflicting clause \(\bot \) has been derived and the groundings \(\text {gnd}(N)\) of the initial clauses N are unsatisfiable, or there is no conflicting clause and the groundings \(\text {gnd}^{\preceq _B \beta }(N)\) of the initial clauses N are satisfiable by the trail, formally either

  • \( (\exists \gamma . \; \mathcal {C}= (\bot ; \gamma )) \, \wedge \, (\not \exists I. \; I \models _{\mathcal {H}} \text {gnd}(N))\), or

  • \( \mathcal {C}= \top \, \wedge \, \mathcal{H}\mathcal{I}(\varGamma ) \models _{\mathcal {H}} \text {gnd}^{\preceq _B \beta }(N)\).

Note that no hypothesis restricts the usage of the Factorize rule because it is an optional step of conflict resolution that has no impact on satisfiability.

Theorem 7 holds for a family of strategies, in contrast to Theorem 5 from Bromberget et al., which was only shown for what is here called the minimally backtracking strategy. This family of strategies contains any strategy that preserves the required invariants and is restricted by the minimally backtracking strategy. From Lemma 5 we know that these two requirements are fulfilled by the SCL relation but also by the reasonable, regular, and minimally backtracking strategies. This leads to a more intuitive corollary based on runs.

Corollary 8

(correct_termination_strategies). If an SCL, reasonable SCL, regular SCL, or minimally backtracking SCL run starting from the initial state \((\epsilon ; \{\}; \top )\) terminates in a state \(S = (\varGamma ; U; \mathcal {C})\), formally any of

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {SCL}}^{N,\beta })^* \, S \; \wedge \; (\not \exists S'. \, S \, \Rightarrow _{\text {SCL}}^{N,\beta } \, S')\),

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Rea-SCL}}^{N,\beta })^* \, S \; \wedge \; (\not \exists S'. \, S \, \Rightarrow _{\text {Rea-SCL}}^{N,\beta } \, S')\),

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Reg-SCL}}^{N,\beta })^* \, S \; \wedge \; (\not \exists S'. \, S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S')\), or

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Min-Bac-SCL}}^{N,\beta })^* \, S \; \wedge \; (\not \exists S'. \, S \, \Rightarrow _{\text {Min-Bac-SCL}}^{N,\beta } \, S')\),

then the conclusion of Theorem 7 holds.

Note that each strategy is used with positive polarity in the “run” hypothesis and negative polarity in the “no-more-step” hypothesis. For this reason, it is impossible to provide a corollary with a single requirement to restrict or be restricted by any known strategy.

Traditional saturation-based calculi for first-order logic, e.g. Resolution and Superposition, can learn redundant clauses and thus their implementations require costly checks for non-redundancy. SCL(FOL) learns only non-redundant clauses. Thus, an implementation would not need to check for (forward) non-redundancy. We first repeat the definition of standard redundancy as found in [18].

Definition 9

A clause C is redundant w.r.t. a set of clauses N and a strict order on clauses \(\prec \) if \((\forall C' \in \text {gnd}(C). \; \{D' \in \text {gnd}(N) \, | \, D' \prec C'\} \models _{\mathcal {G}} C')\).

We first prove non-redundancy w.r.t. a trail-induced dynamic order and then lift this result to non-redundancy w.r.t. a static order.

Definition 10

A trail \(\varGamma \) induces a well-founded, strict partial order \( \prec ^{\varGamma } \), total on all atoms in \(\varGamma \)’s literals. Assuming \(\varGamma \) has the form \(L_n^*,\dots ,L_2^*,L_1^*,L_0^*\) for all \(* \in \{\dagger , (D, \gamma _D)\) for some D and \(\gamma _D\}\), we have the following ordering.

$$\begin{aligned} \text {atom}(L_n) \prec ^{\varGamma } \cdots \prec ^{\varGamma } \text {atom}(L_2) \prec ^{\varGamma } \text {atom}(L_1) \prec ^{\varGamma } \text {atom}(L_0) \end{aligned}$$

In other words, “older” elements on the left are smaller than “newer” elements on the right. Formally:

$$t_1 \, \prec ^{\varGamma } \, t_2 \longleftrightarrow (\exists i< |\varGamma |. \; \exists j < i. \; t_1 = \text {atom}(\text {lit}(\varGamma [i])) \wedge t_2 = \text {atom}(\text {lit}(\varGamma [j])))$$

Compared to Bromberger et al., the trail-induced order is defined on atoms instead of literals and non-redundancy is proven for any lifting to literals.

Theorem 11

(dynamic_non_redundancy_regular_scl). Following conflict resolution in a regular run, formally if

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Reg-SCL}}^{N,\beta })^* \, (\varGamma ; U; \top )\),

  • \((\varGamma ; U; \top ) \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S_1\),

  • \(S_1 \; (\Rightarrow _{\text {Skip,Factorize,Resolve}}^{N,\beta })^+ \; S_n\), and

  • \(S_n \, \Rightarrow _{\text {Backtrack}}^{N,\beta } \, S_{1 + n}\),

then neither is the learned clause \(C = \text {conflict}(S_n)\) generalized by any initial or learned clause, formally \((\not \exists D \in N \cup U. \, \exists \sigma . \, D\sigma = C)\), nor is it redundant w.r.t. \(N \cup U\) and the order we get by first lifting the trail-induced order \( \prec ^{\varGamma } \) from atoms to literals and then taking its multiset extension.

Dynamic non-redundancy with respect to the trail-induced order does not by itself release an implementation from performing backward non-redundancy checks, but it is a strong guarantee on the quality of learned clauses. For backward redundancy checks an order needs to be used that encompasses all dynamic trail-induced orders. An order based on a strict multiset relation has this property. So for backward redundancy we can, e.g., delete subsumed clauses.

Corollary 12

(static_non_subsumption_regular_scl). If a regular run starting from the initial state \((\epsilon ; \{\}; \top )\) learns a clause C, formally if

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Reg-SCL}}^{N,\beta })^* \, (\varGamma ; U; (C; \gamma ))\) and

  • \((\varGamma ; U; (C; \gamma )) \, \Rightarrow _{\text {Backtrack}}^{N,\beta } \, S\),

then C is not subsumed by any of the initial or learned clauses, formally

\(\not \exists D \in N \cup U. \, \exists \sigma . \, D\sigma \subseteq C\).

All non-redundancy results can be generalized to an arbitrary strategy restricting the regular strategy. We only show one example here and refer the reader to the formalization for the others.

Corollary 13

(dynamic_non_redundancy_strategy). Following conflict resolution in the run of a strategy restricting regular SCL, formally if

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Strategy}}^{N,\beta })^* \, (\varGamma ; U; \top )\),

  • \((\varGamma ; U; \top ) \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S_1\),

  • \(S_1 \; (\Rightarrow _{\text {Skip,Factorize,Resolve}}^{N,\beta })^+ \; S_n\),

  • \(S_n \, \Rightarrow _{\text {Backtrack}}^{N,\beta } \, S_{1 + n}\), and

  • \(\forall S \, S'. \, S \, \Rightarrow _{\text {Strategy}}^{N,\beta } \, S' \longrightarrow S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S'\),

then neither is the learned clause generalized by any initial or learned clause, formally \((\not \exists D \in N \cup U. \, \exists \sigma . \, D\sigma = C)\), nor is it redundant w.r.t. \(N \cup U\) and the order we get by first lifting the trail-induced order \( \prec ^{\varGamma } \) from atoms to literals and then taking its multiset extension.

During the development of this formalization, we discovered that the original Backtrack rule found in [6] allows to learn a duplicate of the last learned clause, which violates the stated non-redundancy of learned clauses. The original Backtrack rule ensures that the conflict closure is not false under the new trail, but the learned clause could still be in conflict w.r.t. another grounding. Following this conflict, the Backtrack rules would be immediately applicable and would learn the same clause again. This could only happen a finite number of times as backtracking reduces the length of the (finite) trail. As an example, consider the set of clauses \(N = \{ P(x), Q(y), {\lnot }Q(z) \vee R(z), {\lnot }R(w) \vee S(w), {\lnot }P(v) \vee {\lnot }S(v) \}\), and a big enough \(\beta \). The following SCL run was valid with the original Backtrack rule. Note that the notation for the trail was shortened to save space.

This counterexample was only discovered when we failed to prove Theorem 11 in Isabelle. Note that this formalization is based on and was developed simultaneously to Bromberger et al., which originally inherited the Backtrack rule from [10]. The solution, which was promptly integrated into this formalization and Bromberger et al., is for the Backtrack rule to find a position without conflict w.r.t. the learned clause. Note that the original Backtrack rule reaches such a state after having learned the same clause finitely often, which has no effect on the set of learned clauses because sets ignore duplicates. Thus, the original Backtrack rule did not invalidate the other properties of the SCL calculus. This discovery is strong evidence of the usefulness of mechanized formalization for both published work and ongoing research: the Isabelle formalization lead to the discovery of a previously unknown bug and it guided the development of the refinement.

A calculus expressed as a state machine terminates if the transition relation starting from the initial state is well-founded following the arrow direction. We prove well-foundedness of regular SCL in three steps: (1) we first prove well-foundedness of SCL without backtracking, denoted \( \, \Rightarrow _{\text {SCL-no-Back}}^{N,\beta } \, \); (2) we then prove that a regular run can only learn finitely many clauses; and (3) from these two results we finally prove well-foundedness of regular SCL. Step 1 is novel to the formalization. Prior work in Bromberger et al. focuses exclusively on the Backtrack rule (step 2) in order to prove termination of regular SCL (step 3). Also novel to the formalization are decreasing measuring functions for steps 1 and 2.

Definition 14

The measuring function \(\mathcal {M}_3(N, \beta , S)\) for SCL without backtracking maps a set of initial clauses N, a bounding atom \(\beta \), and a state S to a 4-tuple. The tuple elements are (1) a boolean identifying whether the state is conflict-free, (2) a (finite) set overapproximating the literals that could be added to the trail, (3) a (finite) list overapproximating the numbers of resolution steps that could be performed at each position in the trail, and (4) the (finite) cardinality of the conflicting clause. Formally:

$$\begin{aligned} \mathcal {M}_1(\beta , \varGamma ) \;= \;\{L \, | \, \text {atom}(L) \preceq _B \beta \} - \{\text {lit}(\mathcal {K}) \, | \, \mathcal {K} \in \text {set}(\varGamma )\} \end{aligned}$$
$$\begin{aligned} \mathcal {M}_2(\epsilon , C) \;= \;&\epsilon \\ \mathcal {M}_2((\varGamma ,K), C) \;= \;&\mathcal {M}_2(\varGamma , C),0 \\ \mathcal {M}_2((\varGamma ,(K\gamma )^{(K; D; \gamma )}), C) \;= \;&\text {let } n = \text {count}(C, \text {comp}(K\gamma )) \text { in } \\&\mathcal {M}_2(\varGamma , C \vee \text {repeat}(n, D\gamma )),n \end{aligned}$$
$$\begin{aligned} \mathcal {M}_3(N, \beta , (\varGamma ; U; \top )) \;= \;&(\text {True}; \, \mathcal {M}_1(\beta , \varGamma ); \, \epsilon ; \, 0) \\ \mathcal {M}_3(N, \beta , (\varGamma ; U; (C; \gamma ))) \;= \;&(\text {False}; \, \{\}; \, \mathcal {M}_2(\varGamma , C); \, |C|) \end{aligned}$$

With this, we can prove termination of SCL without backtracking (step 1).

Theorem 15

(termination_scl_without_back). SCL without backtracking is well-founded on all states reachable by an SCL-without-backtracking run starting from the initial state, formally on \(\{S \, | \, (\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {SCL-no-Back}}^{N,\beta })^* \, S\}\).

We now turn to proving termination of regular SCL with backtracking by first defining an appropriate measuring function.

Definition 16

The measuring function \(\mathcal {M}_4(\beta , S)\) for the rule Backtrack maps a bounding atom \(\beta \) and a state S to a finite set of clauses without duplicates. It computes an over-approximation of the set of clauses that could still be learned modulo duplicates. Formally:

$$\begin{aligned} \mathcal {M}_4(\beta , S) \;= \;2^{\{L \, | \, \text {atom}(L) \preceq _B \beta \}} - \{\text {set}(C) \, | \, C \in \text {gnd}(\text {learned}(S))\} \end{aligned}$$

We then prove that it decreases every time we learn a new clause (step 2).

Lemma 17

(\(\mathcal {M}\)_back_after_regular_backtrack). Following conflict resolution in a regular run, formally if

  • \((\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Reg-SCL}}^{N,\beta })^* \, (\varGamma ; U; \top )\),

  • \((\varGamma ; U; \top ) \, \Rightarrow _{\text {Conflict}}^{N,\beta } \, S_1\),

  • \(S_1 \; (\Rightarrow _{\text {Skip,Factorize,Resolve}}^{N,\beta })^+ \; S_n\), and

  • \(S_n \, \Rightarrow _{\text {Backtrack}}^{N,\beta } \, S_{1 + n}\), then

  1. 1.

    the ground conflict is distinct from all groundings of initial and learned clauses modulo duplicates, formally \((\exists C \, \gamma . \, \text {conflict}(S_n) = (C; \gamma ) \wedge \text {set}(C\gamma ) \notin \{\text {set}(D) \, | \, D \in \text {gnd}(N \cup U)\})\), and

  2. 2.

    the set of clauses that could potentially be learned strictly diminishes, formally \(\mathcal {M}_4(\beta , S_{1 + n}) \subset \mathcal {M}_4(\beta , S_n)\).

Lemma 17 is novel to the formalization. Together with Theorem 15 it allows us to prove termination of regular SCL with backtracking (step 3).

Theorem 18

(termination_regular_scl). Regular SCL is well-founded on all states reachable by a regular-SCL run starting from the initial state, formally on \(\{S \, | \, (\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Reg-SCL}}^{N,\beta })^* \, S\}\).

All termination results can be generalized to an arbitrary strategy restricting the regular strategy. We only show one example here and refer the reader to the formalization for the others.

Corollary 19

(termination_strategy). If a strategy restricts regular SCL, formally if \((\forall S \, S'. \, S \, \Rightarrow _{\text {Strategy}}^{N,\beta } \, S' \longrightarrow S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S')\), then it is well-founded on all states reachable by a run using this strategy and starting from the initial state, formally on \(\{S \, | \, (\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Strategy}}^{N,\beta })^* \, S\}\).

All theorems until now were first expressed and proven using invariants and then the versions expressed using runs were derived. However, Theorem 18 posed an interesting problem because its proof requires the backtracking step to have knowledge of the trail when a conflict last occurred. But this information is lost in the SCL state due to the Skip rule shrinking the trail. We did define an invariant that expresses the historical form of the trail and its properties derived from the regular strategy, but it is complex and the added value compared to working directly on a regular run is questionable. For simplicity, we chose not to present this invariant in this paper.

Together, soundness and termination allow us to prove refutational completeness of the regular SCL calculus w.r.t. a fixed bound.

Theorem 20

(completeness_wrt_bound). If the groundings \(\text {gnd}^{\preceq _B \beta }(N)\) of the initial clauses N are unsatisfiable, then all regular SCL runs starting from the initial state terminate and derive the conflicting clause \(\bot \), formally

  1. 1.

    there is no infinite regular run starting from the initial state, and

  2. 2.

    \((\forall S. \; (\epsilon ; \{\}; \top ) \, (\Rightarrow _{\text {Reg-SCL}}^{N,\beta })^* \, S \; \wedge \; (\not \exists S'. \, S \, \Rightarrow _{\text {Reg-SCL}}^{N,\beta } \, S') \longrightarrow \) \((\exists \gamma . \; \text {conflict}(S) = (\bot ; \gamma )))\).

Theorem 20 is only defined w.r.t. a bound, but fortunately we can prove that there must always exist an appropriate bound.

Lemma 21

(ex_bound_if_unsat). If the relation \(\prec _B\) is a well-founded, strict order, total on ground atoms and the groundings \(\text {gnd}(N)\) of the initial clauses N are unsatisfiable, then there exists a bound \(\beta \) such that the groundings \(\text {gnd}^{\preceq _B \beta }(N)\) are unsatisfiable.

Note that while Lemma 21 proves the existence of an appropriate bound, it provides no constructive way of finding one. What one can do is follow along Theorem 6 and iteratively increase a heuristically chosen bound until an appropriate one is found; if the set of initial clauses is unsatisfiable, this will terminate.

Isabelle Technicalities. Lemma 21’s hypothesis that \(\prec _B\) is a well-founded, total, strict order cannot be expressed as a theorem-local hypothesis. The reason is that the compactness theorem for clausal first-order logic requires terms to be an instance of the wellorder type class, which is not the case in the scl_fol_calculus locale, where the assumptions on the \(\prec _B\) relation are kept minimal. Because Isabelle does not allow to instantiate a type class with a concrete type inside a locale or theorem, we define a new locale that extends scl_fol_calculus and adds a type class requirement on the first-order term constants. This enables the type-class system to automatically instantiate the wellorder type class for terms using the previously registered Knuth-Bendix order. We then instantiate the \(\prec _B\) relation of scl_fol_calculus with the Knuth-Bendix order. This type class and locale gymnastic could be avoided if the formalization of the compactness theorem was refactored to offer a predicate-based version alongside the existing type-class-based version.

4 Conclusion

We generalized and formalized the SCL(FOL) calculus in Isabelle/HOL. The main results are formal proofs of soundness, non-redundancy of learned clauses, termination, and refutational completeness. Because the formalization was performed simultaneously to Bromberger et al., they could benefit from each other. A mechanized formalization must consider low-level details, but it is also the opportunity to identify the most import aspects of the theory and abstract over details needed in the context of an actual implementation. For example, we abstracted from the level of a state to define the Backtracking rule and replaced it with an abstract specification of the result. A level was used in all pen-an-paper presentations of the calculus in order to have a constructive way of going back to the maximal trail where the learned clause propagates. The abstraction supports investigation of several Backtrack rule versions and to base the soundness result on a version with a minimal requirement, i.e., the learned clause is no longer false with respect to the trail.

The formalization did uncover a small bug in the calculus, but also showed that its effect was very localized and naturally lead to a solution. Another benefit of the formalization is how much it supports refactoring and exploratory experimentation. When making a change to a definition or a conjecture, Isabelle immediately and exhaustively points to the parts that need to be adapted. Very often, proofs can automatically be adapted using proof automation tools such as Sledgehammer. This was invaluable to quickly try out ideas or change subtle parts of the calculus. One such example is in the Resolve rule, where the formalization first used substitution composition as found in the original calculus and latter replaced it by an abstract specification of merged grounding. This idea came from a private discussion sketching an eventual C implementation where it became clear that substitution composition would be a costly operation. We then introduced the abstract specification of merged grounding and fixed the formalization by following the mistakes reported by Isabelle.