3.3 The algorithm LS4
3.3.1 Global variables and invariants
In this section we declare the global variables of LS4 and state the algorithm's main invariants. We assume we are given a temporal satisfiability task $\mathcal{T} = (\Sigma, I, T, G)$ to serve as an input of the algorithm. To simplify our subsequent analysis, we make sure that the input TST $\mathcal{T}$ and its constituent parts are considered read-only by LS4 and thus maintain only one value throughout the run of the algorithm.
Marking the input clauses
The individual sets $I$, $T$, and $G$ of initial, step, and goal clauses, respectively, do not directly enter the computation, but are first preprocessed and equipped with markers for tracking proof dependencies. We mark the initial clauses with a single marker $\circ$ and denote the resulting set $\mathbf{I}$:
$$\mathbf{I} \leftarrow \{\, C^{\{\circ\}} \mid C \in I \,\}.$$
We split the set of step clauses $T$ into two subsets, based on whether the respective clauses are or are not simple, i.e. only over the basic signature $\Sigma$. The simple step clauses are called universal clauses and go into the set $\mathbf{U}$, and the remaining "proper" step clauses form the set $\mathbf{T}$. We mark both kinds of step clauses with an empty set of markers:
$$\mathbf{U} \leftarrow \{\, C^{\emptyset} \mid C \in T,\ C \text{ simple} \,\}, \qquad \mathbf{T} \leftarrow \{\, C^{\emptyset} \mid C \in T,\ C \text{ not simple} \,\}.$$
We also declare a variable $\mathbf{G}$ for storing the goal clauses. Variable $\mathbf{G}$ is just an intermediate repository and does not directly participate in forming queries to the SAT solver. That is why we use a dummy marker “ ” for the clauses in $\mathbf{G}$:
$$\mathbf{G} \leftarrow \{\, C^{\{\ \}} \mid C \in G \,\}.$$
While the sets $\mathbf{I}$ and $\mathbf{T}$ remain constant during the run of the algorithm, LS4 adds new universal clauses into $\mathbf{U}$ when learning from (certain) unsuccessful extensions and new goal clauses into $\mathbf{G}$ during the Leap inference. Clauses are, however, never deleted from the sets, which means their logical strength is non-decreasing during the run.
This monotonicity property of the values of $\mathbf{I}$, $\mathbf{T}$, $\mathbf{U}$ and $\mathbf{G}$ with respect to time helps to simplify reasoning about LS4. For instance, as we later show, when LS4 learns a new universal clause $C^{\emptyset}$, the clause satisfies
$$\mathbf{T} \wedge (\mathbf{U})' \models C^{\emptyset}, \tag{3.1}$$
with respect to the original value of $\mathbf{U}$. Thanks to monotonicity, relation (3.1) also holds after $C^{\emptyset}$ is added to $\mathbf{U}$ and, in general, from that point on. We will rely on monotonicity when proving correctness of LS4.
The partial model
Our algorithm stores the partial model it has built so far in the variable $V$. Mathematically, $V$ is a finite sequence $(V_i)_{0 \le i < |V|}$ of valuations $V_i : \Sigma \to \{0, 1\}$ over the given signature $\Sigma$. We denote by $|V|$ the length of the sequence and also use this expression for indexing. For example, $V_{|V|-1}$ stands for the current last valuation in the sequence.
Initially, the partial model is empty. There are operations add and remove for adding an element to the end and removing an element from the end of the sequence.
The configuration of blocks
The configuration of blocks in LS4 determines the current set of time points where the goal clauses are supposed to be satisfied. The algorithm maintains a finite set $B$ of currently allocated blocks and assigns to each block $b \in B$ the following two numbers:
• the block's size $s_b \in \mathbb{N}^+$ and
• the index of the block's goal clauses $i_b \in \mathbb{N}$.
The indexes are unique across blocks, which means that they impose a natural ordering. This allows us to treat $B$ also as a finite sequence $B = (b_j)_{0 \le j < |B|}$, where
$$i_{b_j} < i_{b_{j+1}}$$
for every $0 \le j < |B|$. The indexes and sizes of the blocks are related by the following two equations:
$$i_{b_0} = s_{b_0} - 1, \qquad i_{b_j} = s_{b_j} + i_{b_{j-1}},$$
where the second equation holds for every $0 < j < |B|$. LS4 initializes the configuration of blocks $B$ to contain just one block $b$ of size $s_b = 1$, positioned at index $i_b = 0$.
Associated layers
LS4 collects clauses derived (transitively) from the goal clauses within so called layers. Each block $b \in B$ is associated with two sequences of sets of marked clauses, the proper layers $L^b_i$, or simply layers, and the dirty layers $D^b_i$. For convenience of notation, the index $i$ formally ranges over the whole set of integers $\mathbb{Z}$. However, during computation only finitely many of these sets are non-empty and, in particular, $L^b_i$ and $D^b_i$ are always empty for $i < 0$. Each layer $L^b_i$ is a set of clauses marked by a single marker, the block $b$ itself. For each block $b$, LS4 maintains that the layer $L^b_0$ contains exactly the goal clauses marked with the marker $b$:
$$L^b_0 = \{\, C^{\{b\}} \mid C^{\{\ \}} \in \mathbf{G} \,\}. \tag{3.2}$$
To preserve (3.2), the layer $L^b_0$ is updated after each Leap inference. The layers $L^b_i$ for $i > 0$ are initialized empty and the algorithm gradually adds clauses to these layers when learning from (certain) unsuccessful extensions.
Semantically, the proper layers satisfy the following two properties
$$G \models L^b_0, \tag{3.3}$$
$$\mathbf{T} \wedge (\mathbf{U} \wedge L^b_i)' \models L^b_{i+1}. \tag{3.4}$$
We call (3.3) and (3.4) the initial and progress layer property, respectively. While the initial property is an immediate consequence of (3.2), the progress property depends on the learning process and we will justify it in full later on. Similarly to $\mathbf{I}$, $\mathbf{T}$, $\mathbf{U}$ and $\mathbf{G}$, the values of layers change only monotonically during the run of the algorithm.²
² Unless a block is deleted, in which case its layers are destroyed.
A dirty layer $D^b_i$ contains clauses marked not only by $b$, but also by some other blocks. Those other blocks always have an index smaller than $b$. Formally, every element of $D^b_i$ is a marked clause $C^m$ such that 1) $m \subseteq B$, 2) $b \in m$, 3) $|m| > 1$, and 4) $\max_{b' \in m} i_{b'} = i_b$.
Dirty layers of a new block start empty and get populated when new clauses are learned. The semantics of dirty layers is more complex than that of the proper layers as it also depends on the current configuration of blocks. Because the dirty layers only serve to guide the search of the partial model, but do not directly influence the correctness of LS4, we refrain from explicitly formulating their semantics at this point.
[Figure 3.2 (diagram): blocks $b_0$, $b_1$, $b_2$ with their sizes $s_{b_j}$ and indexes $i_{b_j}$; the layers $L^{b_j}_i$ stacked above the initial clauses $\mathbf{I}$; the valuations $V_0$, $V_1$, $V_2$ of the partial model $V$ along time points 0 to 6; the step clauses $\mathbf{T}$ between consecutive time points and the universal clauses $\mathbf{U}$ at each time point.]
Figure 3.2: Alignment between the clauses of the given TST $\mathcal{T}$, the partial model $V$, and the blocks $B$ in LS4. The goal clauses $G$ reside within $L^b_0$ of every block $b \in B$, marked by the respective block. The dirty layers $D^b_i$ follow the same pattern as $L^b_i$ and are not shown. LS4 will next attempt to compute valuation $V_3$. If the attempt fails and the derived conflict clause depends on both $b_1$ and $b_2$, it will be inserted into $D^{b_2}_4$.
In Figure 3.2, a more elaborate version of Figure 3.1 from the introduction, we can see the intended alignment between the configuration of blocks $B$, the partial model $V$, and the sets of marked clauses operated by LS4. The figure shows that the indexes of layers are meant to be interpreted in reversed order to those of the individual valuations of the partial model $V$. This means that a step from $V_i$ to $V_{i+1}$ in the model corresponds to a step from $L^b_{j+1}$ to $L^b_j$ in the layers. This interpretation reflects the flow of information inside LS4: either the partial model gets extended from $V_i$ to $V_{i+1}$ or the model is backtracked and a new clause derived from $L^b_j$ is learned and added to $L^b_{j+1}$.
Two key invariants
We close this section by stating two invariants, which will later help us show that LS4 is correct. The first invariant relates the constructed partial model to the input TST.
Invariant 3.1. Let $\mathcal{T} = (\Sigma, I, T, G)$ be the input TST, $V = (V_i)_{0 \le i < |V|}$ the partial model, and $B$ the current configuration of blocks at any moment during the run of LS4. Then
1. $V_0 \models I$, provided $V$ is not empty,
3. $V_{i_b} \models G$ for every $b \in B$ for which $i_b < |V|$.
Invariant 3.1 expresses the standard requirements on any model of a TST, restricted in range to the currently constructed part of $V$. Notice how the configuration of blocks $B$ dictates (item 3) at which indexes the goal clauses are supposed to be satisfied.
The second invariant captures a relation between the marked clauses maintained by LS4 and an arbitrary (hypothetical) model of the given TST $\mathcal{T}$. Essentially, it claims that the learned clauses are logically entailed (in their respective contexts) and, therefore, LS4 never discards a potential model by learning them.
Invariant 3.2. Let $\mathcal{T} = (\Sigma, I, T, G)$ be the input TST, $B$ a configuration of blocks, and $\mathbf{I}$, $\mathbf{T}$, $\mathbf{U}$, $\mathbf{G}$, $L^b_i$, and $D^b_i$ the values of the respective global variables of LS4 at any moment during the run of the algorithm. Moreover, let $W = (W_i)_{i \in \mathbb{N}}$ be any model of $\mathcal{T}$. Then
1. $W_0 \models \mathbf{I}$,
2. $[W_i, W_{i+1}] \models \mathbf{T}$ for every $i \in \mathbb{N}$,
3. $W_i \models \mathbf{U}$ for every $i \in \mathbb{N}$,
4. $W_i \models C$ for every $C^{\{b\}} \in L^b_j$ and every $i \in \mathbb{N}$ such that $W_{i+j} \models G$, and
5. $W_i \models C$ for every $C^{\{b_1, \dots, b_k\}} \in D^b_j$ and every $i \in \mathbb{N}$ such that $W_{i+j+(i_{b_l} - i_b)} \models G$ for $l = 1, \dots, k$.
Items 1 and 2 follow trivially from how LS4 initializes the sets $\mathbf{I}$ and $\mathbf{T}$ and from the fact that the sets are never modified. Item 3 expresses soundness of learning universal clauses and can be easily derived from relation (3.1). Item 4 states that any clause $C^{\{b\}}$ from a layer $L^b_j$ is bound to hold $j$ steps before the set of goal clauses $G$ in any model. This follows (by induction on $j$) from the layer properties (3.3) and (3.4), relying on item 3 and on monotonicity. Analogously, we learn from item 5 that any clause $C^{\{b_1, \dots, b_k\}} \in D^b_j$ must hold at an appropriate distance to a set of indexes at which the goal clauses hold, where the respective indexes correspond to the involved blocks $b_1, \dots, b_k$. Item 5 is not needed for showing correctness of LS4 and is mentioned here only for completeness.
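As an added illustration (not code from the thesis or from the LS4 prover itself), the following Python snippet models the bookkeeping this section describes: it lays out a block configuration from the block sizes using the two index equations, checks that the indexes are strictly increasing, lists the time points at which Invariant 3.1 (item 3) requires the goal clauses to hold, tests the four conditions on the marker set of a dirty-layer clause, and computes the goal offsets $j + (i_{b_l} - i_b)$ named in Invariant 3.2 (item 5). The names `Block`, `layout_blocks`, `is_dirty_marker`, `dirty_goal_offsets` and the sample configuration with sizes 1, 3 and 2 are assumptions constructed for the example.

```python
# Added example, not code from the thesis or from the LS4 implementation.
# It models the combinatorial part of this section: the block configuration
# B = (b_j), the marker condition on dirty-layer entries D^b_i, the goal time
# points required by Invariant 3.1 (item 3) and the goal offsets that appear
# in Invariant 3.2 (item 5). All function and field names are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Block:
    """A block b with its size s_b (a positive integer) and goal index i_b."""
    name: str
    size: int
    index: int


def layout_blocks(sizes: List[int]) -> List[Block]:
    """Build B = (b_j)_{0 <= j < |B|} from the sizes alone, using
    i_{b_0} = s_{b_0} - 1 and i_{b_j} = s_{b_j} + i_{b_{j-1}} for 0 < j < |B|."""
    blocks: List[Block] = []
    for j, s in enumerate(sizes):
        if s < 1:
            raise ValueError(f"block size must be in N+, got {s}")
        index = s - 1 if j == 0 else s + blocks[-1].index
        blocks.append(Block(f"b{j}", s, index))
    return blocks


def initial_configuration() -> List[Block]:
    """LS4's starting configuration: one block of size 1 at index 0."""
    return layout_blocks([1])


def indexes_increasing(blocks: List[Block]) -> bool:
    """The indexes are unique and strictly increasing along the sequence."""
    return all(blocks[j].index < blocks[j + 1].index
               for j in range(len(blocks) - 1))


def goal_time_points(blocks: List[Block], model_length: int) -> List[int]:
    """Indexes i_b < |V| at which Invariant 3.1, item 3, demands V_{i_b} |= G."""
    return [b.index for b in blocks if b.index < model_length]


def is_dirty_marker(markers: Set[str], b: Block, blocks: List[Block]) -> bool:
    """Conditions 1)-4) on the marker set m of a clause C^m placed in D^b_i:
    m is a subset of B, b is in m, |m| > 1, and max_{b' in m} i_{b'} = i_b."""
    by_name: Dict[str, Block] = {blk.name: blk for blk in blocks}
    if not markers <= set(by_name):
        return False                                   # 1) m is a subset of B
    if b.name not in markers or len(markers) <= 1:
        return False                                   # 2) b in m, 3) |m| > 1
    return max(by_name[n].index for n in markers) == b.index   # 4) max index is i_b


def dirty_goal_offsets(markers: Set[str], b: Block, j: int,
                       blocks: List[Block]) -> List[int]:
    """For C^m in D^b_j, Invariant 3.2 item 5 asks W_{i+j+(i_{b_l}-i_b)} |= G for
    every b_l in m; return the offsets j + (i_{b_l} - i_b) relative to i, sorted.
    The block b itself contributes offset j, exactly as for a proper layer L^b_j."""
    if not is_dirty_marker(markers, b, blocks):
        raise ValueError("marker set violates the dirty-layer conditions")
    by_name = {blk.name: blk for blk in blocks}
    return sorted(j + (by_name[n].index - b.index) for n in markers)


if __name__ == "__main__":
    # Constructed configuration (not taken from the figure): sizes 1, 3 and 2
    B = layout_blocks([1, 3, 2])                       # indexes 0, 3, 5
    assert indexes_increasing(B)
    print([(blk.name, blk.size, blk.index) for blk in B])
    print(goal_time_points(B, 4))                      # [0, 3]: V_0 and V_3 must satisfy G
    print(is_dirty_marker({"b1", "b2"}, B[2], B))      # True
    print(is_dirty_marker({"b1", "b2"}, B[1], B))      # False: the maximal index is i_{b_2}
    print(dirty_goal_offsets({"b1", "b2"}, B[2], 4, B))  # [2, 4]
```

Running the script with the constructed sizes 1, 3 and 2 yields indexes 0, 3 and 5, so a partial model of length 4 must satisfy the goal clauses at $V_0$ and $V_3$; the marker set $\{b_1, b_2\}$ is admissible only in a dirty layer of $b_2$, because $i_{b_2}$ is the maximal index among the involved blocks.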