Discovering state constraints for planning with conditional effects in Discoplan (part I)

Abstract

Discoplan is a durable and efficient system for inferring state constraints (invariants) in planning domains, specified in the PDDL language. It is exceptional in the range of constraint types it can discover and verify, and it directly allows for conditional effects in action operators. However, although various aspects of Discoplan have been previously described and its utility in planning demonstrated, the underlying methodology, the algorithms for the discovery and inductive verification of constraints, and the proofs of correctness of the algorithms and their complexity analysis have never been laid out in adequate detail. The purpose of this paper is to remedy these lacunae.

Appendix A: Proofs of Theorems

As a preliminary to the proofs of the theorems, we provide a formalization of the notion of reachable states, and of the notions on which this depends. We will use the term ground atom in the sense of a predication whose arguments are constants (i.e., we do not consider functional terms), and correspondingly a ground literal is an unnegated or negated ground atom.

Definition 6 (Planning domain)

A planning domain consists of a finite set of PDDL operators each of which represents a STRIPS operator possibly augmented with negated preconditions, EQ/NEQ-constraints, typed parameters, and conditional effects (as described and illustrated in Section 1.2).

Recall that operators have a primarywhen-clause and possibly one or more secondarywhen-clauses (representing conditional effects), each with its own preconditions and effects, and these preconditions may include EQ/NEQ-constraints. All preconditions and effects are function-free literals over constants and parameters of the operator, and EQ/NEQ-preconditions use only the positive forms of EQ and NEQ.

Definition 7 (Planning domain states)

A state of a planning domain is any finite set of ground atoms. The reserved predicates EQ/NEQ do not appear explicitly in states.

Note that EQ(c, c) (i.e., c = c) and NEQ(c, c^′) (i.e., c≠c^′) are regarded as tacitly present in every state for every constant c and every constant c^′ distinct from c. Also note that in principle we allow states to contain predicates that do not appear in any operator—these will simply remain invariant under any sequence of operator applications.

Definition 8 (Operator instance)

Let o be a planning domain operator with m parameters \(\underline {r}= r_{1},...,r_{m}\) and let \(\underline {d}=d_{1},...,d_{m}\) be an m-tuple of constants such that the substitution \(\underline {d}/\underline {r}\) for the parameters of o yields no primary preconditions of form NEQ(c, c) or EQ(c, c^′) for distinct constants c, c^′. Then the result of that substitution, written \(o(\underline {d})\), is an instance of operator o. Note that all preconditions and effects of \(o(\underline {d})\) are ground literals.

The non-violation of EQ/NEQ-preconditions required by Definition 8 removes from consideration operator “instances” that are not applicable in any state,

Definition 9 (Satisfaction of preconditions)

Let preconds(w)_u be a set of ground literals obtained by applying ground substitution \(u = \underline { d}/\underline {r}\) to the preconditions of when-clause w of an operator with parameters \(\underline {r}\). Then preconds(w)_u are satisfied by a state s iff every unnegated, non-EQ/NEQ literal of preconds(w)_u is in s, no complement (unnegated version) of a negated literal of preconds(w)_u is in s, and preconds(w)_u contains no literals NEQ(c, c) or EQ(c, c^′) for any distinct constants c, c^′.

Definition 10 (Operator application and resulting state)

Let s be a state and let \(o(\underline {d})\) be an operator instance obtained from o via substitution \(u = \underline {d}/\underline {r}\), where the primary preconditions of \(o(\underline {d})\) are satisfied by s. Then o (and \(o(\underline {d})\)) is applicable in state s and the result of its application, written \(o(\underline {d})(s)\), is given by the following additions to, and deletions from, s:

1. 1.

   For the primary when-clause w₁ of \(o(\underline {d})\),

   1. (a)

      add the positive effects of w₁ to s, and

   2. (b)

      delete the predications from s whose negations appear as effects of w₁;

2. 2.

   For each secondary when-clause w of \(o(\underline {d})\) such that preconds(w)_u are satisfied by (the original) s,

   1. (a)

      add the positive effects of w to s, and

   2. (b)

      delete from s the predications whose negations appear as effects of w.

There is the usual problem here that some “additions” and “deletions” might be in conflict, adding and taking away the same atom. We could assume that deletions are performed before additions, i.e., additions win over deletions. But we generally make the stronger assumption that operators are designed to entirely avoid such inconsistent effects. Obviously, our definition implements the familiar STRIPS assumption, that the only effects of an operator are those it explicitly asserts. We are now able to define reachable states:

Definition 11 (Reachable states)

A state s is reachable from a given initial state s₀ in a given planning domain O iff there is a sequence of operator instances \(o_{1}(\underline {d}^{(1)}), ..., o_{k}(\underline {d}^{(k)})\), where {o₁,..., o_k}⊆ O, and a corresponding sequence of states s₀,..., s_k, such that s = s_k, and for i = 1,..., k, o_i is applicable in s_i− 1 and \(o_{i}(\underline {d}^{(i)})(s_{i-1}) = s_{i}\).

We now turn to the proofs of the theorems. (Theorem 1 concerning Find-type-constraints was established in the main text.)

The following lemma establishes a relationship between unifiers obtained by matching hypothesis literals to operator effects or preconditions and the corresponding unifiers obtained by matching those literals to ground instances of the effects or preconditions. The lemma will facilitate the proof of correctness of the verification conditions for several types of constraints found by the hypothesize-and-test method. Where we speak of constrained unifiers, we refer tacitly to some given set of EQ/NEQ-constraints, relating the parameters occurring in an effect to each other or to constants. A constrained unifier must not equate two terms (directly, or through a chain of unifications) if either (i) these terms belong to two equality sets \(\mathcal {E}_{1}\), \(\mathcal {E}_{2}\) (as determined by the EQ-constraints) where for some \(\tau _{1}\in \mathcal {E}_{1}\) and \(\tau _{2}\in \mathcal {E}_{2}\), there is a NEQ-constraint between τ₁ and τ₂; or (ii) one of these terms is a constant, and the other equals another constant viaEQ-constraints. (Of course, if the terms are distinct constants, then even the unconstrained unification fails.)

Unification Lemma

Let \(\underline {X}\) be an m-tuple of variables and constants, \(\underline {x}\) be an m-tuple of parameters and constants, and \(\underline {b}\) be an m-tuple of constants.

Suppose \(\underline {x}\) and \(\underline {b}\) have constrained unifier v, and \(\underline {X}\) and \(\underline {b}\) have unifier v^′. Then \(\underline {X}\) and \(\underline {x}\) have constrained unifier u, the composition uv is also a constrained unifier, \(\underline {X}_{uv}=\underline {X}_{v^{\prime }}=\underline {b}\), and \(\underline {x}_{uv}=\underline { x}_{v}=\underline {b}\).

Remarks

We can interpret a unifier u as a set |u| of equivalence classes of size >1, where each u-equivalence class contains a set of directly or indirectly equated (unified) terms, distinct from the terms in other equivalence classes. Note that such an equivalence class may contain at most one constant, and any number of parameters and variables.¹ The composition uv of two unifiers can be thought of as the union of equations comprising u and v. Correspondingly, |uv| is obtained by repeatedly merging non-disjoint equivalence classes from |u| and |v| until we again have a set of (one or more) disjoint classes. However, if any of the resulting equivalence classes contain multiple constants, we say that uv does not exist (more accurately, is inconsistent). Note that a set of EQ-constraints also induces a set of equivalence classes on the equated terms, and so we can regard a unifier u constrained by a set \({\mathcal {C}}\) of EQ/NEQ-constraints as tacitly composed with the given EQ-constraints. But in this case consistency (existence) requires not only that each equivalence class of |u| contain at most one constant, but also that no two terms of an equivalence class be related by a NEQ-constraint. We will refer to such unifiers as \({\mathcal {C}}\)-consistent.

In these terms, the lemma states that whenever v and v^′ are \({\mathcal {C}}\)-consistent, so are u and uv; furthermore any variable X occurring in \(\underline {X}\) will be in the uv-equivalence class of a constant b occurring in \(\underline {b}\) just in case it is in the v^′-equivalence class of b; and any parameter x occurring in \(\underline {x}\) will be in the uv-equivalence class of a constant b occurring in \(\underline {b}\) just in case it is in the v-equivalence class of b.

Proof

Suppose that v and v^′ exist (are \({\mathcal {C}}\)-consistent). Consider vv^′. We claim this is \({\mathcal {C}}\)-consistent, since it merely adds certain variables of \(\underline {X}\) to the v-equivalence classes of certain constants; specifically, if X_i is a variable, then it is added to the v-equivalence class of b_i (since X_i and b_i are in the same v^′-equivalence class). It is not possible that the same variable is added to the equivalence classes of two different constants (thus forcing a merger of two v-equivalence classes) because this could only happen if the v^′-equivalence class of that variable contained two constants, which is impossible by the consistency of v^′. So, since furthermore EQ/NEQ-constraints don’t involve any variables, vv^′ is \({\mathcal {C}}\)-consistent.

We now claim further that |uv| = |vv^′|. This is because for each i (1 ≤ i ≤ m), uv contains just the equations X_i = x_i and x_i = b_i while vv^′ contains just the equations x_i = b_i and X_i = b_i, and this obviously leads to the same equivalence classes for uv and vv^′. From this the \({\mathcal {C}}\)-consistency of uv and the consistency of u follow (since |u| is a refinement, in a set-partitioning sense, of |uv|); it also follows that uv equates variables of \(\underline {X}\) to the same constants as v^′; and finally it follows that uv equates parameters of \(\underline {x}\) to the same constants as v (for the latter the \({\mathcal {C}}\)-consistency of uv suffices). □

Corollary 1

Let the premises be as in the Unification Lemma. Then for anysequence\(\underline {X}^{\prime }\)whose componentsare variables of\(\underline {X}\)andconstants,

$$ \underline{X}^{\prime}_{uv} = \underline{X}^{\prime}_{v^{\prime}}, $$

and for any\(\underline {x}^{\prime }\)whose components are parameters of\(\underline {x}\)and constants,

$$ \underline{x}^{\prime}_{uv} = \underline{x}^{\prime}_{v}. $$

Proof

Immediate from the Unification Lemma. □

The following corollary slightly strengthens the Unification Lemma.

Corollary 2

Let\(\underline {X}\),\(\underline {x}\)and\(\underline {b}\)beas in the Unification Lemma. Suppose thatvis a constrained unifier suchthat\(\underline {x}_{v}=\underline {b}\),wherevmay involve parameters other than those occurringin\(\underline {x}\)(butno variables), andv^′is a unifier such that\(\underline {X}_{v^{\prime }}=\underline {b}\),wherev^′may involve variables other than those occurring in\(\underline {X}\)(butno parameters). Then\(\underline {X}\)and\(\underline {x}\)havea constrained unifier u, the compositionuvis also a constrained unifier,and\(\underline {X}_{uv}=\underline {X}_{v^{\prime }}=\underline {x}_{uv}=\underline {x}_{v}=\underline {b}\).

Proof

Let v₁ be the result of reducing v to a substitution of constants for the parameters of \(\underline {x}\). (In terms of equivalence classes, we delete parameters occurring in v but not in \(\underline {x}\) from their equivalence classes in |v|, and then extract the substitutions of constants for the remaining parameters.) Similarly let \(v^{\prime }_{1}\) be the result of reducing v^′ to a substitution of constants for the variables of \(\underline {X}\). Clearly v₁ is still a constrained unifier and \(\underline {x}_{v}=\underline {b}\), and \(v^{\prime }_{1}\) is still a unifier and \(\underline {X}_{v^{\prime }_{1}}=\underline {b}\).

But then \(\underline {X}\), \(\underline {x}\), \(\underline {b}\), v₁, and \(v^{\prime }_{1}\) satisfy the conditions of the Lemma and so \(\underline {X}_{uv_{1}}=\underline {X}_{v^{\prime }_{1}}=\underline {x}_{uv_{1}}=\underline {x}_{v_{1}}=\underline {b}\). Since v differs from v₁ only in (potentially) involving parameters that do not occur in \(\underline {x}\), and since \(\underline {X}_{u}\) cannot involve parameters other than those occurring in \(\underline {x}\), \(\underline {X}_{uv_{1}}=\underline {X}_{uv}\). Also, since \(\underline {x}_{u}\) cannot involve parameters that do not occur in \(\underline {x}\), \(\underline {x}_{uv_{1}}=\underline {x}_{uv}\); and for similar reasons it is easy to see that \(\underline {X}_{v^{\prime }_{1}}=\underline {X}_{v^{\prime }}\) and \(\underline {x}_{v_{1}}=\underline {x}_{v}\). The conclusion follows. □

Preliminary remarks about correctness proofs

In the following correctness proof for the discovery of simple implicative constraints by Discoplan, we show in detail the role of the Unification Lemma and its corollaries. We will not normally go into this much detail, as there is a trade-off between intuitive transparency of the reasoning and the level of detail. Typically, our correctness arguments are structured in the following way. We consider an instance of an operator o applied in a particular state, where in that state the constraint Γ under consideration holds. We then consider the various specific ways in which the constraint might be violated in the result state. In each case, we argue that the violation would have to be produced by an effect or multiple effects of the operator instance, and that the verification conditions for Γ rule out such a violation.

These case-by-case arguments are intuitively quite clear, if one thinks about the instance of o under consideration as if the verification conditions applied directly to operator instances. But in fact, verification conditions apply to parametrized operators, and this leads to some hidden subtleties in this mode of argumentation. Strictly, we have to argue that the occurrence of certain ground literals as effects of an operator instance, applied in a state satisfying certain conditions, entails the existence of certain parametric precondition and effect literals in the operator; further, these precondition and effect literals will unify with certain literals of Γ, and hence specific verification conditions will come into play, and impose requirements on various unification instances of the preconditions and effects of o; and these unification instances in turn must be shown to reduce to ground literals relevant to the operator instance, allowing completion of the reductio argument. It is the “ascent” from specific ground literals to parametric operator literals, and the “descent” from unification instances of the latter back down to the ground level, that the Unification Lemma is designed to facilitate. These moves are nontrivial because of the subtleties of unification involving both Γ-variables and operator parameters, and EQ/NEQ-preconditions constraining the latter. Still, as mentioned, such details can be distracting and we will generally suppress them, except in the case of simple implicative constraints, sv-constraints discovered by the “dedicated” method, and n-ary disjunctive + sv-constraints. In the last of these constraint types, the complexity of the details is such as to motivate a Verification Lemma (for the particular verification conditions concerned) showing that we can in fact argue as if the verification conditions applied directly to operator instances.

Theorem 2

If a simple implicative constraintΓ holds initially, and the verification conditions of Definition 2 for such constraints are met, then Γ holds in all reachable states. (Hence simple implicative constraints found by Discoplanarecorrect.)

Proof

Assume for induction that Γ holds prior to the application of an instance \(o(\underline {d})\) of an operator \(o(\underline {r})\), where \(\underline {r}\) is the list of parameters of o. We will show that Γ still holds after application of \(o(\underline {d})\). For clarity in the use of the Unification Lemma, we abbreviate the substitution \(\underline {d}/\underline {r}\) as v. Note that v necessarily satisfies the EQ/NEQ-constraints of the primary when-clause w₁ of o, and of every other when-clause w whose preconditions are met when \(o(\underline {d})\) is applied. In other words, v is a constrained unifier relative to those EQ/NEQ-constraints.

Since Γ holds prior to application of o, therefore for every substitution v^′ of constants (in the planning domain) for variables of Γ, at least one of \(\overline {\phi }_{v^{\prime }}\), \(\psi _{v^{\prime }}\), \((\overline {\sigma }_{1})_{v^{\prime }}\), ..., \((\overline {\sigma }_{k})_{v^{\prime }}\) holds in the prior state. We show for each case in turn that \({\Gamma }_{v^{\prime }}\) holds in the resultant state.

Case 1: \(\overline {\phi }_{v^{\prime }}\) holds in the prior state. If \(\overline {\phi }_{v^{\prime }}\) still holds in the resultant state, then \({\Gamma }_{v^{\prime }}\) still holds as well. So assume \(\overline {\phi }_{v^{\prime }}\) is false in the resultant state, i.e., \(\phi _{v^{\prime }}\) is true in it. Then by the semantics of operators, there must be some when-clause w of o such that preconds⁺(w)_v hold in the prior state and which has an effect ϕ^′ such that \(\phi ^{\prime }_{v} = \phi _{v^{\prime }}\). Then with \(\underline {X} =\) argument list of ϕ and \(\underline {x} =\) argument list of ϕ^′, Corollary 2 of the Unification Lemma applies, so that ϕ^′ must be unifiable with ϕ with some unifier u (constrained by the EQ/NEQ-conditions of w and w₁) such that \(\phi ^{\prime }_{uv}=\phi ^{\prime }_{v}=\phi _{v^{\prime }}\), where uv is also a constrained unifier. Hence by verification condition (2) one of the following holds: w or w₁ has (a) an effect or (b) a w-persistent precondition ψ^′ such that \(\psi ^{\prime }_{u} \equiv _{w_{1},w} \psi _{u}\); or (c) o has a when-clause w₂ (≠w, w₁) such that (σ₁)_u,..., (σ_k)_u ⊧ preconds (w₂)_u and w₂ has an effect ψ^′ such that \(\psi ^{\prime }_{u} \equiv _{w_{1},w_{2}} \psi _{u}\); or (d) preconds⁺(w)_u⊧¬(σ_i)_u, for some i (1 ≤ i ≤ k). But then each of (a-d) maintains the truth of \({\Gamma }_{v^{\prime }}\). In particular the effect ψ^′ posited by (a) satisfies \(\psi ^{\prime }_{uv} = \psi _{uv}\), since all (ground) instances of two constrained-equivalent formulas are identical. But by Corollary 1 of the Unification Lemma \(\psi ^{\prime }_{uv}=\psi ^{\prime }_{v}\) and \(\psi _{uv}=\psi _{v^{\prime }}\), so that for the instance \(o(\underline {d})\) of o, the effect \(\psi ^{\prime }_{v}\) is identical with \(\psi _{v^{\prime }}\). This assures the truth of \({\Gamma }_{v^{\prime }}\) in the resultant state. For (b) the argument is similar, except that we also need to address the case where the persistence of \(\psi ^{\prime }_{v}\) is threatened by an effect \(\overline {\psi }^{\prime \prime }\) of some other secondary when-clause w₂, whose preconditions also happen to hold, and where \(\psi ^{\prime \prime }_{v}=\psi _{v^{\prime }}\). As already noted, \(\psi _{v^{\prime }}=\psi _{uv}\), so \(\psi ^{\prime \prime }_{v}=\psi _{uv}\); hence applying Corollary 2 of the Unification Lemma to the argument lists of ψ^″ and ψ_u (with v viewed as the unifier of both of those lists with the resulting identical lists of constants), we know that ψ^″ and ψ_u are unifiable, with some unifier u^′ (which also entails that uu^′ is a unifier constrained by the EQ/NEQ conditions of w and w₂); furthermore, u^′v is a unifier constrained by the EQ/NEQ conditions of w and w₂ (keeping in mind that v is a unifier constrained by the EQ/NEQ conditions of w), \(\psi ^{\prime \prime }_{u^{\prime }v}=\psi ^{\prime \prime }_{v}\), and \(\psi _{uu^{\prime }v}=\psi _{uv}=\psi _{v^{\prime }}\). So by the details of verification condition 2(b), preconds\(^{+}(w_{2})_{uu^{\prime }} \models \neg (\sigma _{i})_{uu^{\prime }}\), for some i (1 ≤ i ≤ k). Hence preconds\(^{+}(w_{2})_{uu^{\prime }v} \models \neg (\sigma _{i})_{uu^{\prime }v}\). But preconds\(^{+}(w_{2})_{uu^{\prime }v}\) = preconds⁺(w₂)_uv = preconds⁺(w₂)_v (by two applications of Corollary 1 of the Unification Lemma, first with the arguments of preconds⁺(w₂)_u in the role of \(\underline {x}^{\prime }\), then with the arguments of preconds⁺(w₂) in that role) and \(\neg (\sigma _{i})_{uu^{\prime }v}=\neg (\sigma _{i})_{v^{\prime }}\) (again by two applications of Corollary 1). Then preconds\(^{+}(w_{2})_{v} \models \neg (\sigma _{i})_{v^{\prime }}\), so that \({\Gamma }_{v^{\prime }}\) is again true in the resultant state. If (c) holds, we can argue much as for (a), except that we also need to ascertain that \((\sigma _{1})_{v^{\prime }},...,(\sigma _{k})_{v^{\prime }} \models \) preconds(w₂)_v. This is so since in this case (σ₁)_u,..., (σ_k)_u⊧ preconds(w₂)_u, and \((\sigma _{i})_{uv}=(\sigma _{i})_{v^{\prime }}\) (1 ≤ i ≤ k) (by Corollary 1, with the arguments of σ_i in the role of \(\underline {X}^{\prime }\)) and preconds(w₂)_uv = preconds(w₂)_v (by Corollary 1, with the arguments of preconds(w₂) in the role of \(\underline {x}^{\prime }\)). If (d) holds, then preconds⁺(w)_u⊧¬(σ_i)_u for some i; hence preconds\(^{+}(w)_{v} \models \neg (\sigma _{i})_{v^{\prime }}\), using preconds⁺(w)_uv = preconds⁺(w)_v and \((\sigma _{i})_{uv}=(\sigma _{i})_{uv^{\prime }}\), by uses of Corollary 1 much as in (b) and (c). So with \(\neg (\sigma _{i})_{v^{\prime }}\) true, \({\Gamma }_{v^{\prime }}\) again holds in the resultant state.

Case 2: \(\psi _{v^{\prime }}\) holds in the prior state. The argument for the truth of \({\Gamma }_{v^{\prime }}\) in the resultant state is completely analogous to that for case 1, using the verification conditions (3a-c) (which mirror those of (2a-c)).

Case 3: \((\overline {\sigma }_{i})_{v^{\prime }}\) holds in the prior state for some i (1 ≤ i ≤ k). Then since σ_i is a static condition, \((\overline {\sigma }_{i})_{v^{\prime }}\) still holds in the resultant state.

□

Theorem 3

The computation of simple implicative constraints in accordance withthe hypothesize-and-test scheme is completed in polynomial time for anybound max on the allowable number of supplementary conditions, specificallyin

$$ O\left ({\displaystyle {\sum}_{o\in O}}\left[ l_o^3 \left( \underset{o^{\prime}\in O}{\sum} l_{o^{\prime}}^2 + \frac{\textit{max}}{l_o}\cdot \underset{o^{\prime}\in O}{\sum}l_{o^{\prime}}^{\textit{max}+ 2} + l_o n_{init} \right) \right] \right) $$

steps, whereOis the set of planning operators, l_ois the size of operatoro, andn_initis the number of initial conditions.

Proof

The outer summation of the above complexity bound, and a part \({l_{o}^{2}}\) of the factor \({l_{o}^{3}}\), corresponds to the iteration over all effect-effect (or effect-precondition) combinations of all operators in the formation of hypotheses. The first inner summation reflects the checking of a hypothesis against all preconditions and effects (contributing \(l_{o^{\prime }}\)) and the collection of excuses for every apparent violation. The latter phase contributes a factor \(l_{o} l_{o^{\prime }}\) per violation. This collapses (i) a factor \(l_{o} l_{o^{\prime }}\) for singleton excuses that relate an operator precondition to the negation of a candidate supplementary condition, keeping in mind that candidate supplementary conditions originated in operator o; and (ii) a similar term \((l_{o} l_{o^{\prime }} + l_{o^{\prime }})\) for collection of groups of candidate supplementary conditions that entail the preconditions of a when-clause and thereby ensure the generation of a “missing effect”. (The \( l_{o} l_{o^{\prime }}\)-part comes from the pairwise matching of preconditions to supplementary conditions, and the \(l_{o^{\prime }}\)-part from the scan of effects for the “missing effect”.) The second inner summation comes from the search for minimal sets of supplementary conditions (see footnote 6) and the third element of the sum reflects the verification of the hypothesis in the initial conditions (see the discussion of the algorithm in Fig. 2, and note that l_c is bounded by l_o). □

Theorem 4

If the verification conditions of Definition 3 for sv-constraints hold for an sv-constraint(ϕ^∗σ₁...σ_k),then the constraint holds in all reachable states for all values of its variables. (Hencesv-constraints found by Discoplanby the “dedicated” method are correct.)

Proof

For clarity we consider the special case where (ϕ^∗σ₁...σ_k) is

$$ \texttt{((P ? X ?*Y) (S1 ? X ?*Y) ... (Sk ? X ?*Y))}. $$

The generalization to multiple “unstarred” and “starred” variables (and possibly constants) is fairly straightforward (think of ? X, ?⋆Y as sets of arguments); the remarks following the proof will provide some relevant specifics. The supplementary conditions (Si ? X ?⋆Y) of course need not depend on both ? X and ?⋆Y, but they may. In the absence of supplementary conditions, the notation (P ? X ?⋆Y) means that

$$ \forall x,y,z. P(x,y)\wedge P(x,z) \Rightarrow y=z~\text{(in all reachable states).} $$

Let us abbreviate S1(x, y) ∧ ... ∧ Sk(x, y) as S(x, y). Then the sv-constraint including supplementary conditions states that²

$$ \forall x,y,z. S(x,y)\wedge S(x,z)\wedge P(x,y)\wedge P(x,z) \Rightarrow y=z~\text{(in all reachable states).} $$

We can take the sv-constraint to be true in the initial state, since Discoplan straightforwardly verifies this, as per verification condition (1). Given any instance of any operator o, and a prior state s_prior in which the preconditions of the primary when-clause w₁ of that operator instance are true, we assume for induction that the constraint holds in s_prior. We want to show that it also holds in the resultant state s_result. Assume otherwise, i.e., for some constants a, b, c, where b≠c, we have

1. (C1)

   S(a, b), S(a, c), P(a, b), P(a, c) true in s_result.

   Since S is static, we also had

2. (C2)

   S(a, b), S(a, c) true in s_prior.

   But by the induction assumption, at least one of the literals in (C1) must have been false in s_prior, and so

3. (C3)

   either P(a, b) or P(a, c) was false in s_prior.

We consider the case where P(a, b) was false (and P(a, c) was true or false). The case where P(a, c) was false is completely symmetrical and need not be separately considered. If P(a, b) was false in s_prior, then its truth in s_result must be due to some effect P(h, k) of some when-clause w of o, where h, k were respectively instantiated to a, b (if not already equal to them) and where the preconditions of w are true for the operator instance under consideration. (We have already assumed the preconditions of the primary when-clause w₁ to be true.) We now show three things for the operator instance under consideration: (i) there is no additional effect P(a, c) of the operator instance, with c≠b; (ii) w or w₁ has a precondition P(q, r), which was true for q = a, r = d for some d≠b for the operator instance, and (iii) w₁, w, or some other secondary when-clause w₂ generated an effect ¬P(a, d), for the operator instance.

Concerning (i), if there were an effect P(a, c), there would be an effect literal P(q, r) of o in w or some other when-clause w₂ (which could be w₁ or a secondary when-clause) where we cannot prove that q≠h, or cannot prove that r = k. (Keep in mind we are assuming a w-effect P(h, k) instantiated as P(a, b).) But then in view of the way Discoplan tests (P ? X ?⋆Y) and adds supplementary conditions (i.e., by the contrapositive of verification conditions (2a,b)), there would be a supplementary condition which entails the falsity of a precondition of w, w₁, or w₂. (We will provide a more detailed version of this argument in the supplementary remarks following the proof.) But since we have assumed those preconditions to be true for the operator instance under consideration, S(a, b) or S(a, c) must be false in s_prior, contrary to (C2). So there is no effect P(a, c).

Concerning (ii), suppose neither w nor w₁ has such a precondition. Then they have no precondition of form P(q, r) at all, or if they do, it is not provable that q≠r, or it is not provable that r = k. Then again from the way Discoplan tests (P ? X ?⋆Y) and adds supplementary conditions (i.e., by the contrapositive of verification condition (3b)), there is a supplementary condition that entails the falsity of a precondition of w or w₁, and since these preconditions are true for the instance in question, S(a, b) or S(a, c) must be false in s_prior, contrary to (C2). So there is a precondition P(q, r) as specified in (ii).

Concerning (iii), suppose there is no such effect of w or w₁. Then there is no effect of w or w₁ of form ¬P(q^′, r^′) at all or for any such effect it is not provable that q^′ = q or it is not provable that r^′ = r (with q, r determined by (ii)). Then from verification condition (3a(ii)) (i.e., from the way Discoplan tests (P ? X ?⋆Y) and adds supplementary conditions to assure a “concomitant change”) and from (C2) (which precludes alternative verification condition (3b)), there is a subset of the supplementary conditions that entails the preconditions of some when-clause w₂ other than w or w₁, where that when-clause has an effect ¬P(q^′, r^′), and provably q^′ = q and r^′ = r. But then (iii) is true.

Having established the truth of (i-iii), we note that from (i) and (C1) it follows that P(a, c) was true in s_prior. Hence by the induction assumption P(a, y) was false for all y≠c in s_prior. Hence the constant d referred to in (ii) and (iii) is the same as c; so by (iii), ¬P(a, c) holds in s_result, contrary to (C1). □

Supplementary remarks concerning the proof of Theorem 5

In part (i) of the preceding proof, the appeal to verification condition (2) to infer the falsity of a precondition of w, w₁, or w₂ may seem clear enough. However, this is one of the places where some subtle details dependent on the Unification Lemma have been suppressed. It is instructive to take a closer look at this part of the argument, as an illustration of how such suppressed details may be filled in. Strictly, the existence of effect literals P(h, k) and P(q, r), where we cannot prove q≠h or cannot prove r = k, is insufficient to support the argument based on verification condition (2). This condition also requires that each of P(h, k) and P(q, r) be (constrained-) unifiable with (P ? X ?⋆Y), say with unifiers u and u^′ respectively, and the particularized relations \(q_{u^{\prime }}\neq h_{u}\), \(r_{u^{\prime }} = k_{u}\) (rather than q≠h, r = k) should not both be provable. Now, the existence of unifiers u and u^′ is obvious for the special case of ϕ^∗ assumed in the proof, but note that both EQ/NEQ-preconditions and generalization of the proof to predicates with more than 2 arguments can complicate matters. For example, unification of (P ? X ? X ?⋆Y) with an effect (P ?h ?k ?r) would fail if there is a precondition (NEQ ?h ?k). Of course, an instance of this effect, such as (P a b c), would then not create a threat to single-valuedness of (P ? X ? X ?⋆Y) in ?⋆Y. So only those instances of the effects of o that unify with ϕ^∗ create a threat to single-valuedness, and it suffices to ensure that the verification conditions apply to those instances. And that is precisely where the Unification Lemma helps out. Corollary 2 guarantees that if an effect literal \(P(\underline {r})\) yields ground instance \(P(\underline {b})\) under unifier v (where v instantiates the parameters of o), and at the same time hypothesis literal ϕ^∗ is unifiable with \(P(\underline {b})\), with unifier v^′, then the unifier u of ϕ^∗ with \(P(\underline {r})\) also exists; this guarantees that verification condition (2) applies to all relevant effect literals. Furthermore, Corollary 2 also assures us that we can compose u with v, and (returning to the special case considered in the proof) that h_uv = h_v; and similarly we have \(q_{u^{\prime }v}=q_{v}\) for the second effect literal P(q, r). So, since h_v = q_v = a, it follows that the relation \(h_{u} \neq q_{u^{\prime }}\) cannot be provable. Similarly we can argue that the relation \(k_{u}=r_{u^{\prime }}\) cannot be provable. At this point we have established incontrovertibly that (a) or (b) in verification condition (2) must hold. But it takes one more application of Corollary 2 to establish that a relevant instance of (a) or (b) holds. In the case of (a), i.e., if the truth of (σ_i)_u entails falsity of preconds⁺(w)_u, then \((\sigma _{i})_{v^{\prime }}\) (a ground instance of σ_i) entails falsity of the preconditions preconds⁺(w)_v of the instance of o under consideration, in virtue of the equivalence of (σ_i)_uv with \((\sigma _{i})_{v^{\prime }}\) and of preconds⁺(w)_uv with preconds\(^{+}(w)_{v^{\prime }}\). Similarly for case (b).

Parts (ii) and (iii) of the proof can be elaborated in the same way, but we will not belabor the matter further. Only in the correctness proof for n-ary disjunctive + sv-constraints (Theorem 12) will we again spell out some of the details involving the Unification Lemma.

Theorem 5

The “dedicated” computation of sv-constraints in accordance with the hypothesize-and-test scheme is completedin polynomial time for any bound max on the allowable number of supplementary conditions, specificallyin

$$ O\left( {\displaystyle {\sum}_{o\in O}}{l_{o}^{4}}\left[\underset{o^{\prime}\in O}{\sum}l_{o^{\prime}}^{3} + \frac{\textit{max}}{l_{o}}\cdot \underset{o^{\prime}\in O}{\sum}l_{o^{\prime}}^{\textit{max}+ 2} + n^{2}_{init} \right] \right) $$

steps, where O is the set of planning operators, l_o is the size of operator o, and n_init is the number of initial conditions.

Proof

The stated complexity bound is a simplification of

$$ O\left( {\sum}_{o\in O}{l_{o}^{3}}\left[ \underset{o^{\prime}\in O}{\sum} l_{o} l_{o}^{\prime3}{+} \underset{o^{\prime}\in O}{\sum}l_{o^{\prime}}\left[ l_{o^{\prime}}(l_{o^{\prime}} + l_{o} l_{o^{\prime}} + l_{o^{\prime}}) + l_{o} l_{o^{\prime}}\right]{ +} \textit{max}\cdot\underset{o^{\prime}\in O}{\sum}l_{o^{\prime}}^{\textit{max}+ 2}{+}l_{o} n^{2}_{init} \right] \right). $$

As in the proof of Theorem 3, the outer summation corresponds to the iteration over operators in the formation of hypotheses. The overall factor \(l_{o}^{3}\) derives from the iteration over an operator’s effects and concomitant changes (preconditions and effects) on which hypothesis formation is based. The first inner sum corresponds to verification condition (2), and reflects the iteration over pairs of effects threatening single-valuedness (factor \(l_{o}^{\prime 2}\)) and if appropriate the search for singleton excuses as per verification conditions (2a,b) (factor \(l_{o} l_{o^{\prime }}\)). In the second inner sum, corresponding to verification condition (3), the overall multiplier \(l_{o^{\prime }}\) comes from the iteration over effects. The term \(l_{o^{\prime }}(l_{o^{\prime }} + l_{o} l_{o^{\prime }} + l_{o^{\prime }})\) reflects (3a), with a multiplier \(l_{o^{\prime }}\) from the search for an appropriate precondition, and an embedded sum of three terms where the first, \(l_{o^{\prime }}\), corresponds to the search for a complementary effect (as per (3a(i))), and the second and third, \(l_{o^{\prime }}l_{o} + l_{o^{\prime }}\), correspond to the search for a when-clause whose preconditions are entailed by a subset of the candidate supplementary conditions, and the search for a complementary effect in such a when-clause (as per (3a(ii))). The remaining term \(l_{o} l_{o^{\prime }}\) derives from the search for a singleton excuse (verification condition (3b)) when verification condition (3a) fails. The inner sum max\(\cdot \underset {o^{\prime }\in O}{\Sigma } l{o^{\prime }}^{\textit {max}+ 2}\) corresponds to the selection of irredundant sets of up to max supplementary conditions. (This relies on set-cover complexity, as in Theorem 3.) The final term \(l_{o} n^{2}_{init}\) reflects the check of the hypothesis in the initial conditions; as discussed at the end of Section 3.5, this could be improved to l_on_init. □

Theorem 6

Any implicative + sv-constraint

$$ \text{\texttt{((IMPLIES (P ? X ?*Y) (NOT (Q ? X))) (S1 ? X)...(Sk ? X))}} $$

(i.e., with the consequent variables subsumed by the antecedent variables) produced byDiscoplanis correct.

The notation (Si ? X) as before means that the i th supplementary condition may (but need not) involve ? X. The theorem and its proof are easily generalized to the case where P and Q have several unstarred shared arguments, and P has several starred variables not occurring in the other. (Again, think of ? X, ?⋆Y as two sets of arguments.)

Remark: We use (S ? X) for the conjunction of all supplementary conditions. Then the simultaneous constraints of the theorem, including supplementary conditions, state that in all reachable states,

1. (C1)

   ∀x, y, y^′.S(x) ∧ P(x, y) ∧ P(x, y^′) ⇒ y = y^′,

2. (C2)

   ∀x, y.S(x) ∧ P(x, y) ⇒¬Q(x).

Proof

As in Theorems 3 and 5 the correctness proof is based on the sufficiency of the relevant verification conditions (as stated in Section 4.3.1). We can take both constraints to be true in the initial state, since Discoplan straightforwardly verifies them (verification condition 1). Given any instance of any operator o, and a prior state s_prior in which the preconditions of the primary when-clause w₁ of that operator instance are true, we assume for induction that the 2 constraints hold in s_prior. We want to show that they also hold in the resultant state s_result. Assume otherwise, i.e., assume that

1. (C3)

   for some constants a, b, c, where b≠c, S(a), P(a, b), and P(a, c) hold in s_result; or

2. (C4)

   for some constants a, b, c, S(a), P(a, b), and ¬Q(a) hold in s_result.

We derive a contradiction for each of the two cases. First consider case (C3). Since S is static, we also had

1. (C5)

   S(a) true in s_prior.

But by induction assumption (C1), at least one of the literals in (C3) must have been false in s_prior, and so

1. (C6)

   P(a, b) or P(a, c) was false in s_prior.

We now argue as follows. (A few details are added below.) (i) Since according to (C3) P(a, b) and P(a, c) are both true in s_result while according to (C6) one of them was false in s_prior, by the semantics of operators there must be an effect literal that was instantiated to P(a, b) or P(a, c). (ii) At least one of P(a, b), P(a, c) was true in s_prior, otherwise there would need to be multiple effects P(a, b), P(a, c) to render (C3) true, and this is ruled out by verification condition 2 (according to which a precondition of o would entail ¬S(a), contrary to (C3)). (Details can be filled in as in subargument (i) in the proof of Theorem 5.) (iii) Since there was an effect P(a, b) or P(a, c) by (i), verification condition 3(a) or (b) applies. 3(b) entails that ¬S(a) held in s_prior, contrary to assumption (C3); so 3(a) applies. Now by 3(a)(ii) we have a precondition ¬Q(a) or a change from P(a, d) to ¬P(a, d) for some value of d, compensating for effect P(a, b) or P(a, c). If the former were true, S(a) ∧ P(a, y) would be false for all values of y in s_prior, by the induction assumption. But S(a) is true so P(a, b) and P(a, c) would be false in s_prior, contrary to (ii). So we are left with the possibility of a compensating change from P(a, d) to ¬P(a, d) for some d≠b or ≠c depending on whether we have an effect P(a, b) or P(a, c). But if P(a, d) held in s_prior, then by induction assumption (C1) P(a, b) and P(a, c) were false in s_prior, contrary to (ii).

Now consider case (C4). We begin much as before by noting that since S is static, (C5) holds, and that by (C5) and induction assumption (C2),

1. (C7)

   either P(a, b) or ¬Q(a) was false in s_prior.

We argue that there is an effect literal that was instantiated to P(a, b) or ¬Q(a) (by (C4) and (C7) and the semantics of operators). For the possibility that P(a, b) was generated, verification condition 3(a) or 3(b) applies, but (b) implies ¬S(a), which cannot be true by (C5); so 3(a) applies. By 3(a)(i) there should then be an effect or persistent precondition Q(a), but this is contradicted by the assumption in (C4) that ¬Q(a) holds in s_result. This eliminates the possibility that P(a, b) was generated, so that

1. (C8)

   P(a, b) was true in s_prior,

and we are left with the possibility that ¬Q(a) was generated, and Q(a) was true in s_prior. This brings into play verification condition 4. Now 4(b) entails ¬S(a), contrary to (C5), leaving us with 4(a), requiring a concomitant change from P(a, d) to ¬P(a, d) for some d. But then by (C8) and induction assumption (C1), either S(a) was false in the prior state or d = b. The former is again ruled out by (C5); so with d = b, we have a concomitant change from P(a, b) to ¬P(a, b). But this contradicts (C4). □

Theorem 7

Any exclusive state constraint

$$ \text{\texttt{((IMPLIES (P ? X ?*Y) (NOT (Q ? X ?*Z))) (S1 ? X)...(Sk ? X))}} $$

produced by Discoplan is correct.

The notation (Si ? X) as before means that the i th supplementary condition may (but need not) involve ? X. The theorem and its proof are easily generalized to the case where P and Q have several unstarred shared arguments, and each has several starred arguments not occurring in the other. (Again, think of ? X, ?⋆Y, ?⋆Z as sets of arguments.)

Remark: We use (S ? X) for the conjunction of all supplementary conditions. Then the simultaneous constraints of the theorem, including supplementary conditions, state that in all reachable states,

1. (C1)

   ∀x, y, y^′.S(x) ∧ P(x, y) ∧ P(x, y^′) ⇒ y = y^′,

2. (C2)

   ∀x, z, z^′.S(x) ∧ Q(x, z) ∧ Q(x, z^′) ⇒ z = z^′, and

3. (C3)

   ∀x, y, z.S(x) ∧ P(x, y) ⇒¬Q(x, z).

Proof

As in Theorems 3, 5 and 7 the correctness proof is based on the sufficiency of the relevant verification conditions (as stated in Section 4.3.2). Much as in the previous proofs we can take all three constraints to be true in the initial state, since Discoplan straightforwardly verifies them (verification condition 1). Given any instance of any operator o, and a prior state in which the preconditions of the primary when-clause w₁ of that operator instance are true, we assume for induction that the 3 constraints hold in that prior state. We want to show that they also hold in the resultant state. Assume otherwise, i.e., assume that

1. (C4)

   for some constants a, b, c, where b≠c, S(a), P(a, b), and P(a, c) hold in the resultant state; or

2. (C5)

   for some constants a, b, c, where b≠c, S(a), Q(a, b), and Q(a, c) hold in the resultant state; or

3. (C6)

   for some constants a, b, c, S(a), P(a, b), and Q(a, c) hold in the resultant state.

We derive a contradiction for each of the three cases. First consider case (C4). Since S is static, we also had

1. (C7)

   S(a) true in the prior state.

But by the induction assumption, at least one of the literals in (C4) must have been false in the prior state, and so

1. (C8)

   P(a, b) or P(a, c) was false in the prior state.

We now argue, much as in the proof of Theorem 7, that (i) there is an effect literal that was instantiated to P(a, b) or P(a, c); (ii) at least one of P(a, b), P(a, c) was true in the prior state; (iii) by (i), and the way hypotheses are tested and augmented with supplementary conditions (verification condition 4a,b), Q(a, d) was true for some d in the prior state; (iv) so, by the induction assumption (C3) and by (C7), P(a, y) was false for all y in the prior state, contrary to (ii).

The details for steps (i) and (ii) of the argument are just as in the proof of Theorem 7, and we will not repeat them. Proceeding to (iii), we note that in testing the exclusion hypothesis under consideration, we ensure that whenever an effect of form P(x, y) is present, a precondition of form Q(x^′, z) is present in the corresponding when-clause or primary when-clause with x, x^′ provably equal (verification condition 4a), or else we introduce a supplementary condition that is false whenever the preconditions of effect P(x, y) hold (verification conditions 4b). But by (i) such an effect is indeed present, namely P(r, s), so either there is a precondition Q(r^′, z) of w or w₁, with r, r^′ provably equal, or else S(r) is false whenever the preconditions of w and w₁ hold. The latter is ruled out by (C7) (the truth of S(a)) and the presumed truth of the preconditions of w and w₁ in the prior state. Thus Q(a, d) holds for some d in the prior state. But then from induction assumption (C3) in the prior state, we have ∀y.¬S(a) ∨¬P(a, y) in the prior state; in particular, ¬S(a) ∨¬P(a, b) and ¬S(a) ∨¬P(a, c), but at least one of these is false by (C7) and (ii).

The derivation of a contradiction from (C5) is completely analogous to the previous argument for (C4) (with P and Q interchanged), so we proceed to (C6). We begin as before by noting that (C7) holds, and that by (C7) and the induction assumption,

1. (C9)

   either P(a, b) or Q(a, c) was false in the prior state.

We argue that (i) there is an effect literal that was instantiated to P(a, b) or Q(a, c); for the case where P(a, b) was generated, we argue further that (ii) Q(a, d) was verified as a precondition and ¬Q(a, d) was generated as an effect for some d, and (iii) consequently ¬Q(a, z) holds for all z in the resultant state, contrary to (C6); and (iv) an analogous argument holds for the case where Q(a, c) was generated.

(i) is immediate from (C6) and (C9). So assume that the effect P(a, b) was generated by an effect literal P(r, s) of some when-clause w (possibly w₁). Concerning (ii), in virtue of verification conditions (4a,b), either there exists a precondition Q(r^′, z) of w or w₁ where r and r^′ are provably identical, or else there is a supplementary condition among the conjuncts in S(r) whose falsity is entailed by the preconditions of w or w₁. The latter is impossible by the presumed truth of the preconditions of w and w₁ and by (C7) for the operator instance under consideration. So precondition Q(a, d) is verified in the prior state. Verification conditions (4a,b) further guarantee that either there is an effect ¬Q(r^″, z^′) of w or w₁, where r^′, r^″ are provably equal and z, z^′ are provably equal, or else there is such an effect of some other when-clause w₂, where the supplementary conditions of the hypothesis entail the truth of the preconditions of w₂. So in view of (C7), we do indeed have an effect ¬Q(a, d) for the operator instance in question. Concerning (iii), by induction assumption (C2) in the prior state, by (C7), and by the truth of Q(a, d) in the prior state we have ∀z.Q(a, z) ⇒ z = d in the prior state. But since we have an effect ¬Q(a, d), we will have ∀z.¬Q(a, z) in the resultant state, unless there is some additional effect of form Q(u, v) of some when-clause w₃ (not necessarily distinct from w, w₁, or w₂) with true preconditions and with u instantiated to a. But this latter possibility is ruled out by verification condition (6), i.e., if there were such an effect (given that there is an effect P(r, s)) there would be a supplementary condition whose falsity is entailed by the preconditions of w, w₁, or w₃. So since ∀z.¬Q(a, z) contradicts (C6) in the resultant state, we have established (iii). Finally the analogous argument for (iv) essentially just interchanges the roles of P and Q and of b and c. □

Theorem 8

The computation of exclusive state constraints in accordance with the hypothesize-and-testscheme is completed in polynomial time for any bound max on the allowable number ofsupplementary conditions.

Proof sketch

We omit details. The analysis here is very much as in Theorems 3 and 5. Verification conditions (1–6) for exclusive state constraints closely resemble those for simple implicative constraints and for (independently verifiable) sv-constraints, and lead to similar time bounds, polynomial in the sizes l_o of operators and the number n_init of initial conditions, for any fixed upper bound max on the number of supplementary conditions.