CompSci 102 Discrete Mathematics for CS Spring 2005 Forbes

Minesweeper

From Umesh Variranis notes!

CNF
CONJUNCTIVE NORMAL FORM

CLAUSE

In the area of logical reasoning systems, conjunctive normal form (CNF) is much more commonly used. In CNF, every expression is a conjunction of disjunctions of literals. A disjunction of literals is called a clause. For example, the following expression is in CNF: (A B) (B C) (A C D) We can easily show the following result: Theorem 25.1: For every Boolean expression, there is a logically equivalent CNF expression. Proof: Any Boolean expression B is logically equivalent to the conjunction of the negation of each row of its truth table with value F . The negation of each row is the negation of a conjunction of literals, which (by de Morgans law) is equivalent to a disjunction of the negations of literals, which is equivalent to a disjunction of literals. 2 Another way to nd a CNF expression logically equivalent to any given expression is through a recursive transformation process. This does not require constructing the truth table for the expression, and can result in much smaller CNF expressions. The steps are as follows: 1. Eliminate , replacing A B with (A B) (B A). 2. Eliminate , replacing it A B with A B. 3. Now we have an expression containing only , , and . The conversion of CN F (A) into CNF, where CN F (A) is the CNF equivalent of expression A, is extremely painful. Therefore, we prefer to move inwards using the following operations: (A) A (A B) (A B) (de Morgan) (A B) (A B) (de Morgan) Repeated application of these operations results in an expression containing nested and operators applied to literals. (This is an easy proof by induction, very similar to the NAND proof.) 4. Now we apply the distributivity law, distributing over wherever possible, resulting in a CNF expression. We will now prove formally that the last step does indeed result in a CNF expression, as stated. 1

Theorem 25.2: Let B be any Boolean expression constructed from the operators , , and , where is applied only to variables. Then there is a CNF expression logically equivalent to B. Obviously, we could prove this simply by appealing to Theorem 6.4; but this would leave us with an algorithm involving a truth-table construction, which we wish to avoid. Lets see how to do it recursively. Proof: The proof is by induction over Boolean expressions on the variables X. Let P (B) be the proposition that B can be expressed in CNF; we assume B contains only , , and , where is applied only to variables. Base case: prove P (T ), P (F ), and X X P (X) and X X P (X). These are true since a conjunction of one disjunction of one literal is equivalent to the literal. Inductive step (): prove B1 , B2 B [P (B1 ) P (B2 ) P (B1 B2 )]. 1. The inductive hypothesis states that B1 and B2 can be expressed in CNF. Let CN F (B1 ) and CN F (B2 ) be two such expressions. 2. To prove: B1 B2 can be expressed in CNF. 3. By the inductive hypothesis, we have B1 B2 CN F (B1 ) CN F (B2 )
1 m 1 n i (C1 . . . C1 ) (C2 . . . C2 ) (Cj s are clauses) 1 m 1 n (C1 . . . C1 C2 . . . C2 )

4. Hence, B1 B2 is equivalent to an expression in CNF. Inductive step (): prove B1 , B2 B [P (B1 ) P (B2 ) P (B1 B2 )]. 1. The inductive hypothesis states that B1 and B2 can be expressed in CNF. Let CN F (B1 ) and CN F (B2 ) be two such expressions. 2. To prove: B1 B2 can be expressed in CNF. 3. By the inductive hypothesis, we have B1 B2 CN F (B1 ) CN F (B2 )
1 m 1 n i (C1 . . . C1 ) (C2 . . . C2 ) (Cj s are clauses) n1 m n 1 1 1 2 m (C1 C2 ) (C1 C2 ) . . . (C1 C2 ) (C1 C2 ) j i 4. By associativity of , each expression of the form (C1 C2 ) is equivalent to a single clause containing all the literals in the two clauses. 5. Hence, B1 B2 is equivalent to an expression in CNF.

Hence, any Boolean expression constructed from the operators , , and , where is applied only to variables, is logically equivalent to an expression in CNF. 2 This process therefore attens the logical expression, which might have many levels of nesting, into two levels. In the process, it can enormously enlarge it; the distributivity step converting DNF into CNF can give an exponential blowup when applied to nested disjunctions (see below). As with the conversion to NAND-form, the proof gives a recursive conversion algorithm directly. Many problems of interest in CS can be converted into CNF representations; solved using theoremproving algorithms for CNF; and then the solution is translated back into the original language of the problem. Why would we do this?
CompSci 102, Spring 2005, Minesweeper 2

mines left: 6 4 3 2 1 1 2 3 4 (a)

4 3 2 1

mines left: 0 m 2 2 m 3 4 m 2 m m 2 1 m 3 1 0 1 2 3 4 (b)

mines left: 1 2 1 2 1

mines left: 2

1 1

1 2

1 3

1 1

1 2

1 3

1 4

1 5

(c)

(d)

Figure 1: Minesweeper examples. (a) Initial display for a 4 4 game. (b) Final display after successful discovery of all mines. (c) Simple case: only one solution. (d) Two possible solutions, but both have (3,1) blank. Because we can work on nding ecient algorithms for CNF instead of nding ecient algorithms for hundreds of dierent problems. Because we can take advantage of all the work other people have done in nding ecient algorithms for CNF. Because often we nd, once we reach CNF, that we have one or other special case of CNF for which very ecient (e.g., linear-time) algorithms are known. There are other canonical problem targets besides CNF, including matrix inversion and determinants, linear programming, and nding roots of polynomials. As one becomes a good computer scientists, one develops a mental web of interrelated standard computational problems and learns to map any new problem onto this web. Minesweeper is a good example.

LINEAR PROGRAMMING

Minesweeper
The rules of Minesweeper are as follows: The game is played by a single player on an X Y board. (We will use Cartesian coordinates, so that (1,1) is at bottom left and (X,1) is at bottom right.) The display is initially empty. The player is told the total number of mines remaining undiscovered; these are distributed uniformly at random on the board. (See Figure 1(a).) At each turn the player has three options: 1. Mark a square as a mine; the display is updated and the total mine count is decremented by 1 (regardless of whether the mine actually exists). 2. Unmark a square; the mine mark is removed from a square, returning it to blank. 3. Probe a square; if the square contains a mine, the player loses. Otherwise, the display is updated to indicate the number of mines in adjacent squares (adjacent horizontally, vertically, or diagonally). If this number is 0, the adjacent squares are probed automatically, recursing until non-zero counts are reached. The game is won when all mines have been correctly discovered and all non-mine squares probed. (See Figure 1(b).)

CompSci 102, Spring 2005, Minesweeper

SAFE

Let us dene a safe square as one that, given the available information, cannot contain a mine. Obviously, one would like to probe only safe squares, and to mark as mines only those squares that are certain to be there. Hence, the notion of logical proof is central to Minesweeper. Many steps in Minesweeper simply involve completing around a squarethe square is known to have k mines around it, and those k are already discovered, so all remaining adjacent squares are safe. (Some implementations oer to do this with a single click.) The dual case is where a square is known to have k adjacent mines and has k blank adjacent squares, so they must all be mines. The vast majority of turns involve one of these two kinds of steps. Some simple examples of nontrivial reasoning in Minesweeper: First, consider Figure 1(c). Starting with the 1 in (1,1); this implies theres a mine in (1,2) or (2,2). This mine satises the 1 in (2,1); hence (3,2) is safe (has no mine). Similarly, starting with the 1 in (3,1), we can show that (1,2) is safe. Hence, (2,2) has the mine. In Figure 1(d), we can repeat the reasoning above from either end to establish that (3,2) is safe. But there are two possible worlds consistent with all the information (i.e., the knowledge base has two models): mines in (1,2) and (4,2), or mines in (2,2) and (5,2). We cannot tell without more information; probing (3,2) will not help us. Playing Minesweeper as a human, one gradually learns to recognize a set of patterns with associated logical proofs of varying diculty. Each one seems rather ad hoc, and theyre certainly not systematic or complete, in the sense that we certainly miss some instances where a logical move can be made.

Minesweeper in CNF
Now were ready to formulate Minesweeper in CNF. We would like to be able to make logical moves given the information available. We formulate the problem as follows: The knowledge base contains the known facts: the facts revealed by probes, the total number of mines left, and the locations of marked mines. (We will assume that only guaranteed mines are marked.)
QUERY

The query to the knowledge base asks, for each unknown square, whether it is safe and whether it is a mine. The answers for each question can be yes or I dont know. Asking both questions therefore gives us all available information. This section deals with formulating the knowledge base. First, we decide on the variables. Well let Xx,y be true i (x, y) contains a mine. For example, X1,1 is true if (1, 1) contains a mine. Now consider a corner square (1,1) that has been probed and has 2 adjacent mines. Assume also that the contents of the adjacent squares (1, 2), (2, 1), and (2, 2) are unknown. That is, 2 1 2 1

CompSci 102, Spring 2005, Minesweeper

We know that Exactly two of the squares (1, 2), (2, 1), and (2, 2) contain a mine. This is logically equivalent to the conjunction of two sentences: L: At least two of the squares (1, 2), (2, 1), and (2, 2) contain a mine. U : At most two of the squares (1, 2), (2, 1), and (2, 2) contain a mine. Notice that L is equivalent to a sentence L with the same form as M : L : At most one of the squares (1, 2), (2, 1), and (2, 2) doesnt contain a mine. Lets translate U into CNF rst. CNF uses disjunctions of literals, and a disjunction means at least one. . . We can get an expression of this form as follows: U : For any three of the squares (1, 2), (2, 1), and (2, 2), at least one does not contain a mine. Thus, we construct all clauses using triples of negated variables. There is just one in this case: U U (X1,2 X2,1 X2,2 ) By a similar argument, L becomes L : L : For any two of the squares (1, 2), (2, 1), and (2, 2), at least one contains a mine. This gives us three clauses: L L L (X1,2 X2,1 ) (X2,1 X2,2 ) (X2,2 X1,2 ) Thus, our information from the square (1, 1) gives the conjunction of four clauses altogether. Let KN (k, n) be the proposition that k of n variables X1 to Xn are true. Then, by the above reasoning, we obtain KN (k, n) (L(k, n) U (k, n)) where L(k, n) is the set of clauses consisting of all possible disjunctions of n k + 1 literals from {X1 , . . . , Xn }. and U (k, n) is the set of clauses consisting of all possible disjunctions of k + 1 literals from {X1 , . . . , Xn }. (Note that these expressions are valid when k > 0 and k + 1 n. The case k = 0 simply means that KN (0, n) is the conjunction of the clauses Xi for all i. The case k + 1 > n can only arise if k = n, i.e., all n variables are mines; then we simply have the clauses Xi for all i. We can also generate a CNF expression recursively as follows: KN (k, n) ((Xn KN (k 1, n 1)) (Xn KN (k, n 1)))

CompSci 102, Spring 2005, Minesweeper

with base cases at k = n and k = 0, as before. Assuming KN (k 1, n 1) and KN (k, n 1) can be expressed in CNF, it is a simple distributivity step to express KN (k, n) in CNF. The expressions resulting from this recursion look slightly dierent from those obtained above, but are logically equivalent. In addition to the local constraints arising from squares, we also have the global constraint from the total number of remaining mines, M : G: Exactly M of the unknown squares on the board contain mines. If there are N remaining unknown squares, this is a set of clauses of the form KN (M, N ). Let |KN (n, k)| be the number of clauses in KN (n, k), using our rst construction. How many is clauses are there?

Probabilistic Minesweeper
Our nal application of probability is to Minesweeper. The rst step is to identify the set of random variables we need: As in the propositional logic case, we want one Boolean variable Xij which is true i square (i, j) actually contains a mine. Using N to refer to the total number of squares, we can also label these variables as X1 , . . . , XN , which will come in handy. Well also have variables Dij corresponding to the display contents for those k squares that have been probed or marked as mines. We can also label these variables D1 , . . . , Dk for simplicity. The domain for each of these variables is m, 1, 2, . . . , 8 . Well call these variables the N umbers, and the corresponding Xij variables will be called Known. (Note that N umbers includes marked mines; we assume that only logically guaranteed mines are marked.) Finally, well use and M to refer to the total number of mines. (Both N and M are constants.)

The probability space

Now we must write down our probability space, i.e., the joint distribution over all the variables. It turns out to be easiest to do this in two parts, using the chain rule: P (X1 , . . . , XN , D1 , . . . , Dk ) = P (D1 , . . . , Dk |X1 , . . . , XN )P (X1 , . . . , XN ) Why this way? Because (1) the prior distribution of mines, P (X1 , . . . , XN ), is easy to compute because mines are scattered uniformly at random, and (2) the display variables are determined by the underlying mines, so the conditional distribution P (D1 , . . . , Dk |X1 , . . . , XN ) is also relatively easy to describe. First, the prior P (X1 , . . . , XN ). One is tempted to write P (X1 , . . . , XN ) = P (X1 )P (X2 ) . . . P (Xn ) WRONG

because the mines are scattered uniformly at random, which suggests independence. Furthermore, the probabilities P (Xi ) are simply (M/N ), (1 M/N ) . But independence does not hold,
CompSci 102, Spring 2005, Minesweeper 6

because the total number of mines is xed! For example, if the rst M squares all get mines, then the next square has probability 0 of getting a mine. Instead, lets begin with the obvious fact that any sample point containing anything other than M mines must have probability 0. Using the notation #(x1 , . . . , xN ) to denote the number of trues in the sample point x1 , . . . , xN , we have, for all combinations of values x1 , . . . , xN , P (x1 , . . . , xN ) = 0 if #(x1 , . . . , xN ) = M

Now, by symmetry, all the remaining sample pointsthose with exactly M mineshave equal probability. There are C(N, M ) such sample points; their total probability must be 1; therefore, P (x1 , . . . , xN ) = 1 C(N, M ) if #(x1 , . . . , xN ) = M

Turning to the display variables, we know they are determined precisely according to the rules of Minesweeper, given the actual contents of all the squares. I.e., for all combinations of values d1 , . . . , dk , x1 , . . . , xN , P (d1 , . . . , dk |x1 , . . . , xN ) = 1 if d1 , . . . , dk correctly displays x1 , . . . , xN 0 otherwise

Finding safer squares

The strategy we choose to implement (which is not necessarily optimal), is to make logical moves where possible, and, if not, to play in the square that has the lowest probability of being a mine. Therefore we need to compute, for each unknown square (i, j), the quantity P (Xij |known, numbers). We develop a simple and computable expression for this probability in a series of steps. First, we need to massage the expression into a form containing the terms that we know aboutthe prior over all the X-variables, and the conditional probability of the display variables given those variables. The expression P (Xij |known, numbers) is missing the unknown variables other than Xij ; call these U nknown. So we introduce them by summing over them (the standard summation over constituent sample points for an event): P (Xij |e) = P (Xij |known, numbers) =
unknown

P (Xij , unknown|known, numbers)

Wed like to have an expression with numbers conditioned on X-variables, so we apply Bayes rule: P (Xij |e) =
unknown

P (numbers|known, Xij , unknown)P (known, Xij , unknown)

So far, so good; the variables known, Xij , unknown constitute all the X-variables, so we have terms here that we know how to compute. The only problem is that we have too many of them! The number of unknown variables could be as large as N , so the summation is over O(2N ) cases. The solution to this problem is to identify a subset of these variables that aect the display and to simplify the expressions using conditional independence so that the summation covers only this subset.

CompSci 102, Spring 2005, Minesweeper

Let F ringe denote those unknown variables (not including Xij ) that are adjacent to numbered squares. The idea is that the N umbers are completely determined just by Known, F ringe, and Xij (if it is adjacent to a number). Given these, the N umbers are conditionally independent of the remaining unknown variables, which we call Background. There are two cases to deal with, depending on whether Xij is adjacent to a number. Case 1: Xij is adjacent to a number. P (Xij |e) = = = P (numbers|known, f ringe, background, Xij )P (known, f ringe, background, Xij ) P (numbers|known, f ringe, Xij )P (known, f ringe, background, Xij ) P (numbers|known, f ringe, Xij )
f ringe f ringe,background

f ringe,background

P (known, f ringe, background, Xij )

background

where the second line is derived using conditional independence. Now, in this last expression, the term P (numbers|known, f ringe, Xij ) is 0 unless, to use our logical terminology, the assignment denoted by f ringe, Xij is a model of the CNF expression implied by the evidence. If it is a model, then the probability is 1. So the summation over f ringe reduces to a simpler summation over the models of the evidence: P (Xij |e) =
{f ringe: f ringe,Xij

P (known, f ringe, background, Xij )

background models(e)}

The sum over the background variables, which may still have a huge number of cases, can be simplied because the prior probability term P (known, f ringe, background, Xij ) is 1/C(N, M ) or 0, depending on whether #(known, f ringe, background, Xij ) = M . Therefore, we just have to count the number of cases where the background has the right number of mines. This is given by C(B, M L), where B is the size of the background and L is #(known, f ringe, Xij ) the number of mines not in the background. Finally, we obtain P (Xij |e) = C(B, M L)

{f ringe: f ringe,Xij models(e)}

which is simple to compute provided we can enumerate the models for the fringe variables. This costs O(2|F ringe| ), roughly the same as the logical algorithm. Case 2: Xij is not adjacent to a number. The derivation is very similar, but Xij acts like a background variable rather than a fringe variable: P (Xij |e) = = =

P (numbers|known, f ringe, background, Xij )P (known, f ringe, background, X P (numbers|known, f ringe)P (known, f ringe, background, Xij ) P (numbers|known, f ringe) P (known, f ringe, background, Xij )

f ringe,background

f ringe,background

f ringe

background

CompSci 102, Spring 2005, Minesweeper

Now the fringe variables constitute the entire model: P (Xij |e) = P (known, f ringe, background, Xij )

background f ringemodels(e)

and the nal expression is very similar. P (Xij |e) = C(B, M L)

f ringemodels(e)

It is clear that this expression is the same for all Xij that are not adjacent to a number, so we need only do this once to get the probability of safety for background squares. Each number-adjacent square must be evaluated separately. (Note: in the two derivations, the meaning of F ringe and Background is dierent. In the rst, F ringe includes all number-adjacent variables except Xij , while Background includes all other variables. In the second, F ringe includes all number-adjacent variables, while Background includes all other variables except Xij . This makes for somewhat simpler mathematical expressions.)

CompSci 102, Spring 2005, Minesweeper