1 Introduction

Recently, Claessen and Rosén have introduced intuit [4], an efficient decision procedure for Intuitionistic Propositional Logic (\(\mathrm {IPL} \)) based on the Satisfiability Modulo Theories (SMT) approach. The prover language consists of (flat) clauses of the form \(\bigwedge A_1\rightarrow \bigvee A_2\) (with \(A_i\) a set of atoms), which are fed to the SAT-solver, and implication clauses of the form \((a\rightarrow b)\rightarrow c\) (a, b, c atoms); thus, we need an auxiliary clausification procedure to preprocess the input formula. The search is performed via a proper variant of the DPLL(\(\mathcal T\)) procedure [16], by exploiting an incremental SAT-solver; during the computation, whenever a semantic conflict is thrown, a new clause is learned and added to the SAT-solver. As discussed in [9], there is a close connection between the intuit approach and the known proof-theoretic methods. Actually, the decision procedure mimics the standard root-first proof search strategy for a sequent calculus strongly connected with Dyckhoff’s calculus \(\mathrm {LJT}\) [5] (alias \(\mathrm {G4ip}\)). To improve performance, we have re-designed the prover by adding a restart operation, thus obtaining intuitR [8] (intuit with Restart). Differently from intuit, the intuitR procedure has a simple structure, consisting of two nested loops. Given a formula \(\alpha \), if \(\alpha \) is provable in \(\mathrm {IPL} \) the call intuitR( \(\alpha \) ) yields a derivation of \(\alpha \) in the sequent calculus introduced in [8], a plain calculus where derivations have a single branch. If \(\alpha \) is not provable in \(\mathrm {IPL} \), the outcome of intuitR( \(\alpha \) ) is a (typically small) countermodel for \(\alpha \), namely a Kripke model falsifying \(\alpha \). We stress that intuitR is highly performant: on the basis of a standard benchmark suite, it outperforms intuit and other state-of-the-art provers (in particular, fCube [6] and intHistGC [12]).

In this paper we present intuitRIL, an extension of intuitR to Intermediate Logics, namely propositional logics extending \(\mathrm {IPL} \) and contained in \(\mathrm {CPL} \) (Classical Propositional Logic). Specifically, let \(\alpha \) be a formula and L an axiomatizable intermediate logic having Kripke semantics; the call intuitRIL( \(\alpha \),L) tries to prove the validity of \(\alpha \) in L. To this aim, the prover searches for a set \(\varPsi \) containing instances of \(\mathrm {Ax}(L)\), the characteristic axioms of L, such that \(\alpha \) can be proved in \(\mathrm {IPL} \) from \(\varPsi \). Note that this is different from other approaches, where the focus is on the synthesis of specific inference rules for the logic at hand (see, e.g., [17]). Basically, intuitRIL( \(\alpha \),L) searches for a countermodel \(\mathcal {K}\) for \(\alpha \), exploiting the search engine of intuitR: whenever we get \(\mathcal {K}\), we check whether \(\mathcal {K}\) is a model of L. If this is the case, we conclude that \(\alpha \) is not valid in L (and \(\mathcal {K}\) is a witness to this). Otherwise, the prover selects an instance \(\psi \) of \(\mathrm {Ax}(L)\) falsified in \(\mathcal {K}\) (there exists at least one); \(\psi \) is acknowledged as learned axiom and, after clausification, it is fed to the SAT-solver. We stress that a naive implementation of the procedure, where at each iteration of the main loop the computation restarts from scratch, would be highly inefficient: each time the SAT-solver should be initialized by inserting all the clauses encoding the input problem and all the clauses learned so far. Instead, we exploit an incremental SAT-solver, where clauses can be added but never deleted (hence, all the simplifications and optimisations performed by the solver are preserved); note that this prevents us from exploiting strategies based on standard sequent/tableaux calculi, where backtracking is required.

If the call intuitRIL( \(\alpha \),L) succeeds, by tracking the computation we get a derivation \(\mathcal {D}\) of \(\alpha \) in the sequent calculus \(C_{L}\) (see Fig. 1); from \(\mathcal {D}\) we can extract all the axioms learned during the computation. We stress that the procedure is quite modular: to handle a logic L, one has only to implement a specific learning mechanism for L (namely: if \(\mathcal {K}\) is not a model of L, pick an instance of \(\mathrm {Ax}(L)\) falsified in \(\mathcal {K}\)). The main drawback is that there is no general way to bound the learned axioms, thus termination must be investigated on a case-by-case basis. We guarantee termination for some relevant intermediate logics, such as Gödel-Dummett Logic \(\mathrm {GL} \), the family \(\mathrm {GL}_{n}\) (\(n\ge 1\)) of Gödel-Dummett Logics with depth bounded by n (\(\mathrm {GL}_{1}\) coincides with Here and There Logic, well known for its applications in Answer Set Programming [15]) and Jankov Logic (for a presentation of such logics see [2]). As a corollary, for each of the mentioned logics L we get a bounding function [3], namely: given \(\alpha \), we compute a bounded set \(\varPsi _\alpha \) of instances of \(\mathrm {Ax}(L)\) such that \(\alpha \) is valid in L iff \(\alpha \) is provable in \(\mathrm {IPL} \) from assumptions \(\varPsi _\alpha \); in general we improve the bounds in [1, 3]. The intuitRIL Haskell implementation and other additional material (e.g., the omitted proofs) can be downloaded at https://github.com/cfiorentini/intuitRIL.

2 Basic Definitions

Formulas, denoted by lowercase Greek letters, are built from an enumerable set of propositional variables \(\mathcal {V}\), the constant \(\bot \) and the connectives \(\wedge \), \(\vee \), \(\rightarrow \); moreover, \(\lnot \alpha \) stands for \(\alpha \rightarrow \bot \) and \(\alpha \leftrightarrow \beta \) stands for \((\alpha \rightarrow \beta )\wedge (\beta \rightarrow \alpha )\). Elements of the set \(\mathcal {V}\cup \{\bot \}\) are called atoms and are denoted by lowercase Roman letters, uppercase Greek letters denote sets of formulas. By \(\mathcal {V}_{\alpha }\) we denote the set of propositional variables occurring in \(\alpha \). The notation is extended to sets: \(\mathcal {V}_{\varGamma }\) is the union of \(\mathcal {V}_{\alpha }\) such that \(\alpha \in \varGamma \); \(\mathcal {V}_{\varGamma ,\varGamma '}\) and \(\mathcal {V}_{\varGamma ,\alpha }\) stand for \(\mathcal {V}_{\varGamma \cup \varGamma '}\) and \(\mathcal {V}_{\varGamma \cup \{\alpha \}}\) respectively. A substitution is a map from propositional variables to formulas. By \([p_1\mapsto \alpha _1,\dots ,p_n\mapsto \alpha _n]\) we denote the substitution \(\chi \) such that \(\chi (p)=\alpha _i\) if \(p=p_i\) and \(\chi (p)=p\) otherwise; the set \(\{p_1,\dots ,p_n\}\) is the domain of \(\chi \), denoted by \(\mathrm {Dom}(\chi )\); \(\epsilon \) is the substitution having empty domain. The application of \(\chi \) to a formula \(\alpha \), denoted by \(\chi (\alpha )\), is defined as usual; \(\chi (\varGamma )\) is the set of \(\chi (\alpha )\) such that \(\alpha \in \varGamma \). The composition \(\chi _1\cdot \chi _2\) is the substitution mapping p to \(\chi _1(\chi _2(p))\).

A (classical) interpretation M is a subset of \(\mathcal {V}\), identifying the propositional variables assigned to true. By \(M\models \alpha \) we mean that \(\alpha \) is true in M; \(M\models \varGamma \) iff \(M\models \alpha \) for every \(\alpha \in \varGamma \). Classical Propositional Logic (\(\mathrm {CPL} \)) is the set of formulas true in every interpretation. We write \({\varGamma }\,\vdash _{\mathrm {c}}\, \alpha \) iff \(M\models \varGamma \) implies \(M\models \alpha \), for every M. Note that \(\alpha \) is \(\mathrm {CPL} \)-valid (namely, \(\alpha \in \mathrm {CPL} \)) iff \({\emptyset }\,\vdash _{\mathrm {c}}\, \alpha \).

A (rooted) Kripke model is a quadruple \(\langle W, \le , r, \vartheta \rangle \) where W is a finite and non-empty set (the set of worlds), \(\le \) is a reflexive and transitive binary relation over W, the world r (the root of \(\mathcal {K}\)) is the minimum of W w.r.t. \(\le \), and \(\vartheta : W \mapsto 2^{\mathcal {V}}\) (the valuation function) is a map obeying the persistence condition: for every pair of worlds \(w_1\) and \(w_2\) of \(\mathcal {K}\), \(w_1 \le w_2\) implies \(\vartheta (w_1)\subseteq \vartheta (w_2)\); the triple \(\langle W,\le ,r \rangle \) is called (Kripke) frame. The valuation \(\vartheta \) is extended to a forcing relation between worlds and formulas as follows:

$$\begin{aligned}&w \Vdash p \text { iff } p \in \vartheta (w), \forall p\in \mathcal {V}\quad \;\;\; w\nVdash \bot \quad \;\; w \Vdash \alpha \wedge \beta \text { iff } w \Vdash \alpha \text { and }w \Vdash \beta \\&w \Vdash \alpha \vee \beta \text { iff } w \Vdash \alpha \text { or }w \Vdash \beta \quad \;\; w \Vdash \alpha \rightarrow \beta \text { iff } \forall w' \ge w, w' \Vdash \alpha \text { implies }w' \Vdash \beta . \end{aligned}$$

By \(w\Vdash \varGamma \) we mean that \( w\Vdash \alpha \) for every \(\alpha \in \varGamma \). A formula \(\alpha \) is valid in the frame \(\langle W,\le ,r \rangle \) iff for every valuation \(\vartheta \), \(r\Vdash \alpha \) in the model \(\langle W,\le ,r,\vartheta \rangle \). Propositional Intuitionistic Logic (\(\mathrm {IPL} \)) is the set of formulas valid in all frames. Accordingly, if there is a model \(\mathcal {K}\) such that \(r\nVdash \alpha \) (here and below r designates the root of \(\mathcal {K}\)), then \(\alpha \) is not \(\mathrm {IPL} \)-valid; we call \(\mathcal {K}\) a countermodel for \(\alpha \). We write \({\varGamma }\,\vdash _{\mathrm {i}}\, \delta \) iff, for every model \(\mathcal {K}\), \(r\Vdash \varGamma \) implies \(r\Vdash \delta \); thus, \(\alpha \) is \(\mathrm {IPL} \)-valid iff \({\emptyset }\,\vdash _{\mathrm {i}}\, \alpha \).

Let L be one of the logics \(\mathrm {IPL} \) and \(\mathrm {CPL} \); then, L is closed under modus ponens (\(\{\alpha ,\alpha \rightarrow \beta \}\subseteq L\) implies \(\beta \in L\)) and under substitution (for every \(\chi \), \(\alpha \in L\) implies \(\chi (\alpha )\in L\)). An intermediate logic is any set of formulas L such that \(\mathrm {IPL} \subseteq L\subseteq \mathrm {CPL} \), L is closed under modus ponens and under substitution. A model \(\mathcal {K}\) is an L-model iff \(r\Vdash L\); if \(r\nVdash \alpha \), we say that \(\mathcal {K}\) is an L-countermodel for \(\alpha \). An intermediate logic L can be characterized by a set of \(\mathrm {CPL} \)-valid formulas, called the L-axioms and denoted by \(\mathrm {Ax}(L)\). An L-axiom \(\psi \) of \(\mathrm {Ax}(L)\) must be understood as a schematic formula, representing all the formulas of the kind \(\chi (\psi )\); we call \(\chi (\psi )\) an instance of \(\psi \). Formally, \(\mathrm {IPL} +\mathrm {Ax}(L)\) is the intermediate logic collecting the formulas \(\alpha \) such that \({\varPsi }\,\vdash _{\mathrm {i}}\, \alpha \), where \(\varPsi \) is a finite set of instances of L-axioms from \(\mathrm {Ax}(L)\). A bounding function for L is a map that, given \(\alpha \), yields a finite set \(\varPsi _\alpha \) of instances of L-axioms such that \({\varPsi _\alpha }\,\vdash _{\mathrm {i}}\, \alpha \). If L admits a computable bounding function, we can reduce L-validity to \(\mathrm {IPL} \)-validity (see [3] for an in-depth discussion). Let \(\mathcal {F}\) be a class of frames and let \(\mathrm {Log}(\mathcal {F})\) be the set of formulas valid in all frames of \(\mathcal {F}\); then, \(\mathrm {Log}(\mathcal {F})\) is an intermediate logic. A logic L has Kripke semantics iff there exists a class of frames \(\mathcal {F}\) such that \(L=\mathrm {Log}(\mathcal {F})\); we also say that L is characterized by \(\mathcal {F}\). 
Henceforth, when we mention a logic L, we leave understood that L is an axiomatizable intermediate logic having Kripke semantics.

Example 1

(\(\mathrm {GL} \)). A well-known intermediate logic is Gödel-Dummett logic \(\mathrm {GL} \) [2], characterized by the class of linear frames. An axiomatization of \(\mathrm {GL} \) is obtained by adding the linearity axiom \(\mathbf {lin} =(a\rightarrow b)\vee (b\rightarrow a)\) to \(\mathrm {IPL} \). Using the terminology of [3], \(\mathrm {GL} \) is formula-axiomatizable: a bounding function for \(\mathrm {GL} \) is obtained by mapping \(\alpha \) to the set \(\varPsi _\alpha \) of instances of \(\mathbf {lin} \) where a and b are replaced with subformulas of \(\alpha \). In [1] it is proved that it is sufficient to consider the subformulas of \(\alpha \) of the kind \(p\in \mathcal {V}_{\alpha }\), \(\lnot \beta \), \(\beta _1\rightarrow \beta _2\). In Lemma 4 we further improve this bound, taking as bounding function the following map:

$$ \begin{array}{lcl} \mathrm {Ax}_{\mathrm {GL}}(\alpha ) &{}\;=\;&{} \{\, (a\rightarrow b) \vee (b\rightarrow a)~|~a,b\in \mathcal {V}_{\alpha }\,\} \;\cup \; \{\, (a\rightarrow \lnot a) \vee (\lnot a\rightarrow a)~|~a\in \mathcal {V}_{\alpha }\,\} \\ &{}&{} \cup \; \{\, (a\rightarrow (a\rightarrow b)) \vee ((a\rightarrow b)\rightarrow a)~|~a,b\in \mathcal {V}_{\alpha }\,\} \end{array} $$

Thus, if \(\mathcal {V}_{\alpha }=\{a\}\), the only instance of \(\mathbf {lin} \) to consider is \((a\rightarrow \lnot a)\vee (\lnot a\rightarrow a)\), independently of the size of \(\alpha \) (the other instances are \(\mathrm {IPL} \)-valid and can be omitted). As pointed out in [3], \(\mathrm {GL} \) is not variable-axiomatizable, namely: it is not sufficient to consider instances of \(\mathbf {lin} \) obtained by replacing a and b with variables from \(\mathcal {V}_{\alpha }\). As an example, let \(\alpha =\lnot a\vee \lnot \lnot a\); \(\alpha \) is \(\mathrm {GL} \)-valid, the only variable-replacement instance of \(\mathbf {lin} \) is \(\psi _\alpha =(a\rightarrow a) \vee (a\rightarrow a)\) and \({\psi _\alpha }\,\nvdash _{\mathrm {i}}\, \alpha \).    \(\Diamond \)

We review the main concepts about the clausification procedure described in [4]. Clauses \(\varphi \) and implication clauses \(\lambda \) are defined as

$$\begin{aligned} \begin{array}{llll} \varphi &{} {:}{=}&{} \bigwedge A_1\rightarrow \bigvee A_2~|~\bigvee A_2 &{} \qquad \qquad \;\;\; \emptyset \subset A_k \,\subseteq \, \mathcal {V}\cup \{\bot \}, \text { for } k\in \{1,2\} \\ \lambda &{} {:}{=}&{} (a \rightarrow b) \rightarrow c &{}\qquad \qquad \;\;\; a\in \mathcal {V},\;\{b,c\} \,\subseteq \, \mathcal {V}\cup \{\bot \} \end{array} \end{aligned}$$

where \(\bigwedge A_1\) and \(\bigvee A_2\) denote the conjunction and the disjunction of the atoms in \(A_1\) and \(A_2\) respectively (\(\bigwedge \{a\}=\bigvee \{a\}=a\)). Henceforth, \(\bigwedge \emptyset \rightarrow \bigvee A_2\) must be read as \(\bigvee A_2\); R, \(R_1\), ... denote sets of clauses, X, \(X_1\), ... sets of implication clauses. Given a set of implication clauses X, the closure of X, denoted by \((X)^\star \), is the set of clauses \(b\rightarrow c\) such that \((a\rightarrow b)\rightarrow c\in X\).

The following lemma states some properties of clauses and closures.

Lemma 1

  (i) \({R}\,\vdash _{\mathrm {i}}\, g\) iff \({R}\,\vdash _{\mathrm {c}}\, g\), for every set of clauses R and every atom g.

  (ii) \({X}\,\vdash _{\mathrm {i}}\, b\rightarrow c\), for every \(b\rightarrow c\in (X)^\star \).

  (iii) \({\varGamma }\,\vdash _{\mathrm {i}}\, \alpha \) iff \({\alpha \leftrightarrow g,\varGamma }\,\vdash _{\mathrm {i}}\, g\), where \(g\not \in \mathcal {V}_{\varGamma ,\alpha }\).

Clausification. We assume a procedure Clausify that, given a formula \(\alpha \), computes sets of clauses R and X equivalent to \(\alpha \) w.r.t. \(\mathrm {IPL} \). Formally, let \(\alpha \) be a formula and let V be a set of propositional variables such that \(\mathcal {V}_{\alpha }\subseteq V\). The procedure Clausify( \(\alpha \),V) computes a triple \((R,X,\chi )\) satisfying:

  (C1) \({\varGamma ,\alpha }\,\vdash _{\mathrm {i}}\, \delta \) iff \({\varGamma ,R,X}\,\vdash _{\mathrm {i}}\, \delta \), for every \(\varGamma \) and \(\delta \) such that \(\mathcal {V}_{\varGamma ,\delta }\subseteq V\).

  (C2) \(\mathrm {Dom}(\chi )= \mathcal {V}_{R,X}\,\setminus V\) and \(\mathcal {V}_{\chi (p)}\subseteq V\) for every \(p\in \mathrm {Dom}(\chi )\).

  (C3) \({R,X}\,\vdash _{\mathrm {i}}\, p\leftrightarrow \chi (p) \) for every \(p\in \mathrm {Dom}(\chi )\).

Basically, clausification introduces new propositional variables to represent subformulas of \(\alpha \); as a result we obtain a substitution \(\chi \) which tracks the mapping on the new variables. Condition (C1) states that \(\alpha \) can be replaced by \(R\cup X\) in \(\mathrm {IPL} \) reasoning. By (C2) the domain of \(\chi \) consists of the new variables introduced in the clausification process. The following properties easily follow by (C1)–(C3):

figure a

We exploit a Clausify procedure essentially similar to the one described in [4], with slight modifications in order to match (C3). As discussed in [4], in \(\mathrm {IPL} \) we can use a weaker condition (either \({R,X}\,\vdash _{\mathrm {i}}\, p\rightarrow \chi (p)\) or \({R,X}\,\vdash _{\mathrm {i}}\, \chi (p)\rightarrow p\) according to the case). It is not obvious whether the weaker condition should be more efficient; in many cases strong equivalences are more performant, maybe because they trigger more simplifications in the SAT-solver.

Example 2

Let \(\alpha =(a\rightarrow b)\vee (b\rightarrow a)\) and \(V=\{a,b\}\). The call Clausify( \(\alpha \),V) introduces the new variables \(\tilde{p}_{0}\) and \(\tilde{p}_{1}\) associated with the subformulas \(a\rightarrow b\) and \(b\rightarrow a\) respectively. Accordingly, the obtained sets R and X must satisfy \({R,X}\,\vdash _{\mathrm {i}}\, \tilde{p}_{0}\leftrightarrow (a\rightarrow b)\) and \({R,X}\,\vdash _{\mathrm {i}}\, \tilde{p}_{1}\leftrightarrow (b\rightarrow a)\). We get:

$$ \begin{array}{lcl} R&{}\;=\;&{}\{\,\tilde{p}_{0} \vee \tilde{p}_{1},\;\tilde{p}_{0}\wedge a \rightarrow b,\;\tilde{p}_{1}\wedge b \rightarrow a\,\} \qquad \chi \;=\;[\,\tilde{p}_{0}\mapsto a\rightarrow b,\; \tilde{p}_{1}\mapsto b\rightarrow a\,] \\ X&{}\;=\;&{}\{\, (a\rightarrow b)\rightarrow \tilde{p}_{0},\; (b\rightarrow a)\rightarrow \tilde{p}_{1}\,\} \end{array} $$

   \(\Diamond \)

Fig. 1. The sequent calculus \(C_{L}\).

3 The Calculus \(C_{L}\)

Let L be an intermediate logic; we introduce the sequent calculus \(C_{L}\) to prove L-validity. We assume that L is axiomatized by a set \(\mathrm {Ax}(L)\) of L-axioms; by \(\mathrm {Ax}(L,V)\) we denote the set of instances \(\psi \) of L-axioms such that \(\mathcal {V}_{\psi }\subseteq V\). The calculus relies on a clausification procedure Clausify satisfying conditions (C1)–(C3) and acts on sequents \({\varGamma }\Rightarrow \delta \) such that:

  • either \(\varGamma =\emptyset \) or \(\varGamma =R\cup X\) and \((X)^\star \subseteq R\) and \(\delta \) is an atom.

Fig. 2. A \(C_{L}\)-derivation of \({}\Rightarrow \alpha \).

Rules of \(C_{L}\) are displayed in Fig. 1. Rule \(\mathrm {cpl}_0\) (initial rule) can only be applied if the condition \({R}\,\vdash _{\mathrm {c}}\, g\) holds; if this is the case, the conclusion \({R,X}\Rightarrow g\) is an initial sequent, namely a top sequent of a derivation. The other rules depend on parameters that are made explicit in the rule name. A bottom-up application of \(\mathrm {cpl}_1\) requires the choice of an implication clause \(\lambda =(a\rightarrow b)\rightarrow c\) from X, which we call the main formula, and the selection of a set of atoms \(A\subseteq \mathcal {V}_{R,X,g}\) such that \({R,A}\,\vdash _{\mathrm {c}}\, b\), where b is the middle variable in \(\lambda \). As discussed in [8, 9], \(\mathrm {cpl}_1\) is a sort of generalization of the rule \(L\rightarrow \rightarrow \) of the sequent calculus \(\mathrm {LJT}/\mathrm {G4ip}\) for \(\mathrm {IPL} \) [5, 18]. Rules \(\mathrm {Claus}_0\) and \(\mathrm {Claus}_1\) exploit the clausification procedure. Rule \(\mathrm {Claus}_0\) requires the clausification of the formula \(\alpha \leftrightarrow g\), with g a new atom (\(g\not \in \mathcal {V}_{\alpha }\)); in rule \(\mathrm {Claus}_1\), the clausified formula \(\psi \) is selected from \(\mathrm {Ax}(L,\mathcal {V}_{R,X,g})\). In both cases, the clauses returned by Clausify are stored in the premise of the applied rule and the computed substitution \(\chi \) is displayed in the rule name; moreover, \(\mathrm {Claus}_0\) is annotated with the new atom g and \(\mathrm {Claus}_1\) with the chosen L-axiom \(\psi \). To recover the relevant information associated with the application of a rule \(\rho \), in Fig. 1 we define the pair \(\pi (\rho )=\langle \varPsi ,\chi \rangle \), where \(\varPsi \) is a set of instances of L-axioms and \(\chi \) is a substitution. \(C_{L}\)-trees and \(C_{L}\)-derivations are defined as usual (see e.g. [18]); a sequent \(\sigma \) is provable in \(C_{L}\) iff there exists a \(C_{L}\)-derivation having root sequent \(\sigma \). Let us consider a \(C_{L}\)-derivation \(\mathcal {D}\) of \({}\Rightarrow \alpha \) (see Fig. 2). Reading the derivation bottom-up, the first applied rule is \(\mathrm {Claus}_0\). After such an application, the obtained sequents have the form \(\sigma _k={R_k,X_k}\Rightarrow g\), where \(R_k\cup X_k\) is non-empty, thus rule \(\mathrm {Claus}_0\) cannot be applied any more; the rule applied at the top is \(\mathrm {cpl}_0\). Note that \(\mathcal {D}\) contains a unique branch, consisting of the sequents \({}\Rightarrow \alpha ,\,\sigma _0,\dots ,\sigma _{n-1}\). In Fig. 2 we also define the pair \(\pi (\mathcal {D})=\langle \varPsi ,\chi \rangle \): \(\varPsi \) collects the (instances of) L-axioms selected by rule \(\mathrm {Claus}_1\), \(\chi \) is obtained by composing the substitutions associated with the applied rules. The definition of \(\pi (\mathcal {T})\), with \(\mathcal {T}\) a \(C_{L}\)-tree, is similar. By \(\mathcal {T}(\alpha ;{R,X}\Rightarrow g)\) we denote a \(C_{L}\)-tree having root \({}\Rightarrow \alpha \) and leaf \({R,X}\Rightarrow g\). Given a \(C_{L}\)-tree \(\mathcal {T}\), \(\mathcal {V}_{\mathcal {T}}\) is the set of variables occurring in \(\mathcal {T}\). We state some properties about \(C_{L}\)-trees:

Lemma 2

Let \(\mathcal {T}=\mathcal {T}(\alpha ; {R,X}\Rightarrow g)\) and let \(\pi (\mathcal {T}) =\langle \varPsi ,\chi \rangle \).

  (i) \(\mathcal {V}_{\chi (p)}\subseteq \mathcal {V}_{\alpha }\), for every \(p\in \mathcal {V}_{\mathcal {T}}\).

  (ii) \({ R, X}\,\vdash _{\mathrm {i}}\, \beta \leftrightarrow \chi (\beta )\), for every formula \(\beta \).

  (iii) If \({R, X,\varGamma }\,\vdash _{\mathrm {i}}\, g\) and \(\mathcal {V}_{\varGamma }\subseteq \mathcal {V}_{\alpha }\), then \({\varGamma ,\chi (\varPsi )}\,\vdash _{\mathrm {i}}\, \alpha \).

Proposition 1

Let \(\mathcal {D}\) be a \(C_{L}\)-derivation of \({}\Rightarrow \alpha \) and let \(\pi (\mathcal {D})=\langle \varPsi ,\chi \rangle \). Then, \(\mathcal {V}_{\chi (\varPsi )}\subseteq \mathcal {V}_{\alpha }\) and \({\chi (\varPsi )}\,\vdash _{\mathrm {i}}\, \alpha \).

Proof

Since \(\mathcal {D}\) is a \(C_{L}\)-derivation, \(\mathcal {D}\) has the form depicted on the right where \(\mathcal {T}=\mathcal {T}(\alpha ;{R,X}\Rightarrow g)\); note that \(\pi (\mathcal {T})=\pi (\mathcal {D})=\langle \varPsi ,\chi \rangle \). Since \({R}\,\vdash _{\mathrm {c}}\, g\), by Lemma 1(i) we get \({R}\,\vdash _{\mathrm {i}}\, g\), hence \({R,X}\,\vdash _{\mathrm {i}}\, g\). We can apply Lemma 2 and claim that \(\mathcal {V}_{\chi (\varPsi )}\subseteq \mathcal {V}_\alpha \) and \({\chi (\varPsi )}\,\vdash _{\mathrm {i}}\, \alpha \).    \(\square \)

figure b

Given a \(C_{L}\)-derivation \(\mathcal {D}\) of \({}\Rightarrow \alpha \), Prop. 1 exhibits how to extract a set of instances \(\varPsi _\alpha \) of the L-axioms such that \({\varPsi _\alpha }\,\vdash _{\mathrm {i}}\, \alpha \). If \(\mathcal {D}\) does not contain applications of rule \(\mathrm {Claus}_1\), \(\varPsi _\alpha \) is empty, and this ascertains that \(\alpha \) is \(\mathrm {IPL} \)-valid; actually, \(\mathcal {D}\) can be immediately embedded into the calculus for \(\mathrm {IPL} \) introduced in [8]. As an immediate consequence of Prop. 1, we get the soundness of \(C_{L}\): if \({{}\Rightarrow \alpha }\) is provable in \(C_{L}\), then \(\alpha \) is L-valid.

Even though \(C_{L}\)-derivations have a simple structure, the design of a root-first proof search strategy for \(C_{L}\) is far from being trivial. After having applied rule \(\mathrm {Claus}_0\) to the root sequent \({}\Rightarrow \alpha \), we enter a loop where at each iteration k we search for a derivation of \(\sigma _k={R_k,X_k}\Rightarrow g\). It is convenient to firstly check whether \({R_k}\,\vdash _{\mathrm {c}}\, g\) so that, by applying rule \(\mathrm {cpl}_0\), we immediately close the derivation at hand. To check classical provability, we exploit a SAT-solver; each time the solver is invoked, the set \(R_k\) has increased, thus it is advantageous to use an incremental SAT-solver. If \({R_k}\,\nvdash _{\mathrm {c}}\, g\), we have to apply either rule \(\mathrm {cpl}_1\) or rule \(\mathrm {Claus}_1\), but it is not obvious which strategy should be followed. First, we have to select one between the two rules. If rule \(\mathrm {cpl}_1\) is chosen, we have to guess proper \(\lambda \) and A; otherwise, we have to apply \(\mathrm {Claus}_1\), and this requires the selection of an instance \(\psi \) of an L-axiom. In any case, if we followed a blind choice, the procedure would be highly inefficient. To guide proof search, we follow a different approach based on countermodel construction; to this aim, we introduce a representation of Kripke models where worlds are classical interpretations ordered by inclusion.

Countermodels. Let W be a finite set of interpretations with minimum \(M_0\), namely: \(M_0\subseteq M\) for every \(M\in W\). By \(\mathcal {K}(W)\) we denote the Kripke model \(\langle W,\le ,M_0,\vartheta \rangle \) where \(\le \) coincides with the subset relation \(\subseteq \) and \(\vartheta \) is the identity map, thus \(M\Vdash p\) (in \(\mathcal {K}(W)\)) iff \(p\in M\). We introduce the following realizability relation \(\triangleright _{W}\) between elements of W and implication clauses:

$$\begin{aligned}&M\triangleright _{W} (a\rightarrow b)\rightarrow c \text { iff } (a\in M)\text { or }(b\in M)\text { or }(c\in M)\text { or }\\&\qquad \qquad \qquad \qquad \quad \;\; \left( \; {\exists M'\in W\text { s.t. }M\subset M'\text { and } a\in M'\text { and }b\not \in M'} \;\right) . \end{aligned}$$

By \(M\triangleright _{W} X\) we mean that \(M\triangleright _{W}\lambda \) for every \(\lambda \in X\). We state the crucial properties of the model \(\mathcal {K}(W)\):

Proposition 2

Let \(\mathcal {K}(W)\) be the model generated by W and let \(w\in W\). Let \(\varphi \) be a clause and \(\lambda =(a\rightarrow b)\rightarrow c\) an implication clause.

  (i) If \(w'\models \varphi \), for every \(w'\in W\) such that \(w\le w'\), then \(w\Vdash \varphi \).

  (ii) If \(w'\models b\rightarrow c\) and \(w'\triangleright _{W} \lambda \), for every \(w'\in W\) such that \(w\le w'\), then \(w\Vdash \lambda \).

Let \(\mathcal {K}(W)\) be a model with root r, and assume that every interpretation w in W is a model of R; our goal is to get \(r\Vdash R\cup X\) (where \((X)^\star \subseteq R\)), possibly by filling W with new worlds. To this aim, we exploit Prop. 2. By our assumption and point (i), we claim that \(r\Vdash R\). Suppose that there is \(w\in W\) and \(\lambda =(a\rightarrow b)\rightarrow c\in X\) such that \(w{\ntriangleright }_{W}\lambda \); is it possible to amend \(\mathcal {K}(W)\) in order to match (ii) and conclude \(r\Vdash X\)? By definition of \(\triangleright _{W}\), none of the atoms a, b, c belongs to w; moreover \(\mathcal {K}(W)\) lacks a world \(w'\) such that \(w \subset w'\) and \(a\in w'\) and \(b\not \in w'\). We can try to fix \(\mathcal {K}(W)\) by inserting the missing world \(w'\); to preserve (i), we also need \(w'\models R\). Accordingly, such a \(w'\) exists if and only if \({R,w,a}\,\nvdash _{\mathrm {c}}\, b\). This can be checked by querying a SAT-solver; moreover, if \({R,w,a}\,\nvdash _{\mathrm {c}}\, b\), the solver also computes the required \(w'\). This completion process must be iterated until \(\mathcal {K}(W)\) has been saturated with all the missing worlds or we get stuck. It is easy to check that the process eventually terminates. This is one of the key ideas behind the procedure intuitRIL we present in the next section.

Fig. 3. Computation of intuitRIL( \(\alpha \), L).

4 The Procedure intuitRIL

We present the procedure intuitRIL (intuit with Restart for Intermediate Logics) that, given a formula \(\alpha \) and a logic \(L=\mathrm {IPL} +\mathrm {Ax}(L)\), returns either a set of L-axioms \(\varPsi _ \alpha \) or a model \(\mathcal {K}(W)\) with the following properties:

  (Q1) If intuitRIL( \(\alpha \),L) returns \(\varPsi _\alpha \), then \(\varPsi _\alpha \subseteq \mathrm {Ax}(L,\mathcal {V}_{\alpha })\) and \({\varPsi _\alpha }\,\vdash _{\mathrm {i}}\, \alpha \).

  (Q2) If intuitRIL( \(\alpha \),L) returns \(\mathcal {K}(W)\), then \(\mathcal {K}(W)\) is an L-countermodel for \(\alpha \).

Thus, \(\alpha \) is L-valid in the former case, not L-valid in the latter. If intuitRIL( \(\alpha \),L) returns \(\varPsi _\alpha \), by tracing the computation we can build a \(C_{L}\)-derivation \(\mathcal {D}\) of \({}\Rightarrow \alpha \) such that \(\varPsi _\alpha =\chi (\varPsi )\), where \(\langle \varPsi ,\chi \rangle =\pi (\mathcal {D})\); this certifies that \({\varPsi _\alpha }\,\vdash _{\mathrm {i}}\, \alpha \).

The procedure is described by the flowchart in Fig. 3 and exploits a single incremental SAT-solver s: clauses can be added to s but not removed; by \(\mathrm {R}(s)\) we denote the set of clauses stored in s. The SAT-solver is required to support the following operations:

  • newSolver(R) creates a new SAT-solver initialized with the clauses in R.

  • addClauses(s, R) adds the clauses in R to the SAT-solver s.

  • satProve(s, A, g) calls s to decide whether \({\mathrm {R}(s),A}\,\vdash _{\mathrm {c}}\, g\) (A is a set of propositional variables). The solver outputs one of the following answers:

    • \(\mathrm {Yes}(A')\): thus, \(A'\subseteq A\) and \({\mathrm {R}(s),A'}\,\vdash _{\mathrm {c}}\, g\);

    • \(\mathrm {No}(M)\): thus, \(A \subseteq M \subseteq \mathcal {V}_{\mathrm {R}(s)}\cup A\) and \(M \models \mathrm {R}(s)\) and \(g\not \in M\).

    In the former case it follows that \({\mathrm {R}(s),A}\,\vdash _{\mathrm {c}}\, g\), in the latter \({\mathrm {R}(s),A}\,\nvdash _{\mathrm {c}}\, g\).

The computation of intuitRIL( \(\alpha \),L) consists of the following steps:

  (S0) The formula \(\alpha \leftrightarrow g\), with g a new propositional variable, is clausified. The outcome \((R',X',\chi ')\) is used to create a new SAT-solver s and to properly initialize the global variables X (set of implication clauses), \(\varPsi \) (set of L-axiom instances), V (set of propositional variables) and \(\chi \) (substitution).

  (S1) A loop starts (main loop). The SAT-solver s is called to check whether \({\mathrm {R}(s)}\,\vdash _{\mathrm {c}}\, g\). If the answer is \(\mathrm {Yes}(\emptyset )\), the computation stops yielding \(\chi (\varPsi )\). Otherwise, the output is \(\mathrm {No}(M)\) and the computation continues at Step (S2).

  (S2) We set \(r=M\) (the root of \(\mathcal {K}(W)\)) and \(W=\{r\}\).

  (S3) A loop starts (inner loop). We have to select a pair \(\langle w,\lambda \rangle \) such that \(w\in W\), \(\lambda \in X\) and \(w{\ntriangleright }_{W} \lambda \). If such a pair does not exist, the inner loop ends and the next step is (S4), otherwise the inner loop continues at Step (S6).

  (S4) As we show in Lemma 3, at this point \(\mathcal {K}(W)\) is a countermodel for \(\alpha \). If all the axioms in \(\mathrm {Ax}(L,V)\) are forced at the root r of \(\mathcal {K}(W)\), then \(\mathcal {K}(W)\) is an L-countermodel for \(\alpha \) and the computation ends returning \(\mathcal {K}(W)\). Otherwise, we select \(\psi \) from \(\mathrm {Ax}(L,V)\) such that \(r\nVdash \psi \) and the computation continues at Step (S5); we call \(\psi \) the learned axiom.

  (S5) We clausify \(\psi \) and we update the global variables. The computation restarts from Step (S1) with a new iteration of the main loop (semantic restart).

  (S6) Let \(\langle w,(a\rightarrow b)\rightarrow c \rangle \) be the pair selected at Step (S3). The SAT-solver s is called to check whether \({\mathrm {R}(s),w,a}\,\vdash _{\mathrm {c}}\, b\). If the result is \(\mathrm {No}(M)\), the inner loop continues at Step (S7). Otherwise, the answer is \(\mathrm {Yes}(A)\); the inner loop ends and the computation continues at Step (S8).

  (S7) The interpretation M is added to W and the computation continues at Step (S3) with a new iteration of the inner loop.

  (S8) The clause \(\varphi \) (learned basic clause) is added to the SAT-solver s and the computation restarts from Step (S1) (basic restart).

Intuitively, intuitRIL( \(\alpha \),L) searches for an L-countermodel \(\mathcal {K}(W)\) for \(\alpha \). In the construction of \(\mathcal {K}(W)\), whenever a conflict arises, a restart operation is triggered. A basic restart happens when it is not possible to fill the set W with a missing world (see the discussion after Prop. 2). A semantic restart is thrown when \(\mathcal {K}(W)\) is a countermodel for \(\alpha \) but it fails to be an L-model. In either case, the construction of \(\mathcal {K}(W)\) restarts from scratch. However, to prevent the same kind of conflict from showing up again, new clauses are learned and fed to the SAT-solver (this complies with the DPLL(\(\mathcal T\)) with learning computation paradigm [16]). If the outcome is \(\chi (\varPsi )\), by tracing the computation we can build a \(C_{L}\)-derivation \(\mathcal {D}\) of \({}\Rightarrow \alpha \) such that \(\pi (\mathcal {D})=\langle \varPsi ,\chi \rangle \). The derivation is built bottom-up. The initial Step (S0) corresponds to the application of rule \(\mathrm {Claus}_0\) to the root sequent \({}\Rightarrow \alpha \); basic and semantic restarts expand the derivation bottom-up by applying rules \(\mathrm {cpl}_1\) and \(\mathrm {Claus}_1\) respectively. We stress that the procedure is quite modular; to treat a specific logic L one has only to provide a concrete implementation of Step (S4). For \(L=\mathrm {IPL} \), Step (S4) is trivial, since the set \(\mathrm {Ax}(\mathrm {IPL},V)\) is empty. Actually, intuitRIL applied to \(\mathrm {IPL} \) has the same behaviour as the procedure intuitR introduced in [8].

Example 3

Let us consider the Jankov axiom \(\mathbf {wem} =\lnot {a}\vee \lnot \lnot {a}\) [2, 13] (aka weak excluded middle), which holds in all frames having a single maximal world (thus, \(\mathbf {wem} \) is \(\mathrm {GL} \)-valid). The trace of the execution of intuitRIL( \(\mathbf {wem} \),\(\mathrm {GL} \) ) is shown in Fig. 4. The initial clausification yields \((R_0,X_0,\tilde{g})\), where \(X_0\) consists of the implication clauses \(\lambda _0,\lambda _1\) in Fig. 4 and \(R_0\) contains the 7 clauses below:

$$\begin{aligned} \tilde{g}\rightarrow \tilde{p}_{2},~~ \tilde{p}_{0}\rightarrow \tilde{p}_{2},~~ {a}\wedge \tilde{p}_{0}\rightarrow \bot ,~~ \tilde{p}_{1}\rightarrow \tilde{p}_{2},~~ \tilde{p}_{0}\wedge \tilde{p}_{1}\rightarrow \bot ,~~ \tilde{p}_{2}\rightarrow \tilde{g},~~ \tilde{p}_{2}\rightarrow \tilde{p}_{0}\vee \tilde{p}_{1}. \end{aligned}$$

Each row in Fig. 4 displays the validity tests performed by the SAT-solver and the computed answers. If the result is \(\mathrm {No}(M)\), the last two columns show the worlds \(w_k\) in the current set W and, for each \(w_k\), the list of \(\lambda \) such that \(w{\ntriangleright }_{W} \lambda \); the pair selected for the next step is underlined. For instance, after call (1) we have \(W=\{w_0\}\), \(w_0{\ntriangleright }_{W} \lambda _0\) and \(w_0{\ntriangleright }_{W} \lambda _1\); the selected pair is \(\langle w_0,\lambda _0 \rangle \). After call (2), the set W is updated by adding the world \(w_1\); we have \(w_1\triangleright _{W} \lambda _0\), \(w_1\triangleright _{W} \lambda _1\), \(w_0\triangleright _{W} \lambda _0\) and \(w_0{\ntriangleright }_{W} \lambda _1\). Whenever the SAT-solver outputs \(\mathrm {Yes}(A)\), we display the learned clause \(\psi _k\). The SAT-solver is invoked 18 times and there are 6 restarts (1 semantic, 5 basic). After (3), we get \(W=\{w_0,w_1,w_2\}\) and no pair \(\langle w,\lambda \rangle \) can be selected, hence the model \(\mathcal {K}(W)\) (displayed in the figure) is a countermodel for \(\mathbf {wem} \). However, \(\mathcal {K}(W)\) is not a \(\mathrm {GL} \)-model (indeed, it is not linear), hence we choose an instance of the linearity axiom not forced at \(w_0\), namely \(\psi _0\), and we force a semantic restart. The clausification of \(\psi _0\) produces 6 new clauses and the new implication clauses \(\lambda _2\), \(\lambda _3\), \(\lambda _4\). After each restart, the sets \(R_j\) are:

$$\begin{aligned} \begin{array}{lcl} R_{1}&{}\;=\;&{}R_{0}\cup \{\, \tilde{p}_{3}\rightarrow \tilde{p}_{4},\, {a}\rightarrow \tilde{p}_{5},\, \tilde{p}_{3}\wedge \tilde{p}_{5}\rightarrow {a},\, {a}\wedge \tilde{p}_{4}\rightarrow \tilde{p}_{3},\, {a}\wedge \tilde{p}_{3}\rightarrow \bot ,\, \tilde{p}_{4}\vee \tilde{p}_{5}\,\} \\ R_j&{}=&{}R_{j-1}\cup \{\psi _{j-1}\} \quad \text {for }2\le j \le 6\text { (the }\psi _j'\text {s are defined in Fig.}~4). \end{array} \end{aligned}$$

The \(C_{\mathrm {GL}}\)-derivation of \({}\Rightarrow \lnot {a}\vee \lnot \lnot {a}\) extracted from the computation is:

figure c

   \(\Diamond \)

Fig. 4. Computation of intuitRIL( \(\lnot {a}\vee \lnot \lnot {a}\), \(\mathrm {GL} \) ).
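The two nested loops of Steps (S1)-(S8), specialised to \(L=\mathrm {IPL} \) (where Step (S4) is trivial), can be run on the clauses \(R_0\) of Example 3. The sketch below is an added example, not code from the paper or from the intuitRIL implementation. It assumes that a brute-force model enumerator stands in for the incremental SAT-solver, that the input is already clausified, that \(w\triangleright _{W}(a\rightarrow b)\rightarrow c\) holds iff \(a\in w\) or \(b\in w\) or \(c\in w\) or some \(w'\in W\) with \(w\subset w'\) has \(a\in w'\) and \(b\not \in w'\), and that \(\lambda _0=(a\rightarrow \bot )\rightarrow \tilde{p}_0\), \(\lambda _1=(\tilde{p}_0\rightarrow \bot )\rightarrow \tilde{p}_1\) (Fig. 4 is not reproduced here); since the toy oracle returns different models than a real solver, its trace differs from the one in Fig. 4.

```python
from itertools import combinations

BOT = "bot"  # atom standing for ⊥; kept false by the clause  bot -> (empty head)

def clause(body, head):
    """Flat clause AND(body) -> OR(head), stored as a pair of frozensets."""
    return frozenset(body), frozenset(head)

def models(R, V):
    """Enumerate the classical models of R over V, smallest first (toy SAT oracle)."""
    for n in range(len(V) + 1):
        for m in combinations(sorted(V), n):
            M = frozenset(m)
            if all(not body <= M or head & M for body, head in R):
                yield M

def counter(R, V, A, g):
    """A model M of R with A ⊆ M and g ∉ M, or None when R, A classically entail g."""
    return next((M for M in models(R, V) if A <= M and g not in M), None)

def sat_prove(R, V, A, g):
    """satProve(s, A, g): ('No', M), or ('Yes', A') with A' ⊆ A still entailing g."""
    M = counter(R, V, A, g)
    if M is not None:
        return "No", M
    core = set(A)
    for x in sorted(A):                      # greedily drop unneeded assumptions
        if counter(R, V, core - {x}, g) is None:
            core.discard(x)
    return "Yes", frozenset(core)

def realized(w, lam, W):
    """w |>_W (a->b)->c, using the definition assumed in the lead-in."""
    a, b, c = lam
    return a in w or b in w or c in w or any(w < u and a in u and b not in u for u in W)

def intuit_r(R0, X, g):
    """Return ('valid', learned basic clauses) or ('countermodel', W) with W[0] the root."""
    # Assumption: the clauses b -> c of (X)* belong to R, as in Lemma 3(i).
    R = set(R0) | {clause([BOT], [])} | {clause([b], [c]) for _, b, c in X}
    V = {g, BOT} | {v for body, head in R for v in body | head} | {v for lam in X for v in lam}
    learned = []
    while True:                                              # main loop
        ans, M = sat_prove(R, V, frozenset(), g)             # (S1)
        if ans == "Yes":
            return "valid", learned
        W = [M]                                              # (S2): M is the root
        while True:                                          # inner loop
            pair = next(((w, lam) for w in W for lam in X
                         if not realized(w, lam, W)), None)  # (S3)
            if pair is None:
                return "countermodel", W                     # (S4): Ax(IPL, V) is empty
            w, (a, b, c) = pair
            ans, res = sat_prove(R, V, w | {a}, b)           # (S6)
            if ans == "No":
                W.append(res)                                # (S7)
                continue
            phi = clause(res - {a}, [c])                     # (S8): learned basic clause
            learned.append(phi)
            R.add(phi)
            break                                            # basic restart

# The 7 clauses R_0 of Example 3; the tilde-variables are written g, p0, p1, p2.
WEM_R = [clause(["g"], ["p2"]), clause(["p0"], ["p2"]), clause(["a", "p0"], [BOT]),
         clause(["p1"], ["p2"]), clause(["p0", "p1"], [BOT]), clause(["p2"], ["g"]),
         clause(["p2"], ["p0", "p1"])]
WEM_X = [("a", BOT, "p0"), ("p0", BOT, "p1")]  # assumed lambda_0, lambda_1

# Constructed instance that is provable: R = {a -> b}, X = {(a -> b) -> g}.
VALID_R = [clause(["a"], ["b"])]
VALID_X = [("a", "b", "g")]
```

On the Example 3 input the run takes one basic restart (learning \(a\rightarrow \tilde{p}_1\)) and then returns a three-world countermodel whose root does not contain g, matching the observation that \(\mathbf {wem} \) has an \(\mathrm {IPL} \)-countermodel with a non-linear frame.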

Now, we discuss partial correctness and termination of \(\texttt {intuitRIL} \). Let us denote with \(\sim _\mathrm {c}\) classical equivalence (\(\alpha \sim _\mathrm {c}\beta \) iff \({}\,\vdash _{\mathrm {c}}\, \alpha \leftrightarrow \beta \)) and with \(\sim _\mathrm {i}\) intuitionistic equivalence (\(\alpha \sim _\mathrm {i}\beta \) iff \({}\,\vdash _{\mathrm {i}}\, \alpha \leftrightarrow \beta \)). We introduce some notation.

(†) The following terms refer to the configuration at the beginning of iteration k (\(k\ge 0\)), just after the execution of Step (S2):

  – \(\varPhi _k\) is the set collecting all the learned basic clauses;

  – \(R_k\) is the set of clauses stored in the SAT-solver s;

  – \(X_k\), \(\varPsi _k\), \(V_k\), \(\chi _k\), \(r_k\) are the values of the corresponding global variables.

In Fig. 5 we inductively define the \(C_{L}\)-tree \(\mathcal {T}_k\), having the form \(\mathcal {T}(\alpha ; {R_k,X_k}\Rightarrow g)\). In the application of rule \(\mathrm {Claus}_0\), g and \(\chi '\) are defined as in Step (S0). In rule \(\mathrm {cpl}_1\), \(\lambda \) is the implication clause selected at iteration \(k-1\) (of the main loop) in the last execution of Step (S3); A is the value computed at Step (S6) of iteration \(k-1\). In the application of rule \(\mathrm {Claus}_1\), \(\psi \) and \(\chi '\) are defined as in the execution of Step (S4) and (S5) of iteration \(k-1\). One can easily check that the applications of the rules are sound. If Step (S1) yields \(\mathrm {Yes}(\emptyset )\), we can turn \(\mathcal {T}_k\) into a \(C_{L}\)-derivation by applying rule \(\mathrm {cpl}_0\).

Fig. 5. Definition of \(\mathcal {T}_k\) (\(k\ge 0\)).

The next lemma states some relevant properties of the computations of intuitRIL.

Lemma 3

Let us consider the execution of iteration k of the main loop (\(k\ge 0\)).

  1. (i)

    \((X_k)^\star \cup \varPhi _k\subseteq R_k\).

  2. (ii)

    \(V_k= \mathcal {V}_{\mathcal {T}_k}\) and \(\varPsi _k\subseteq \mathrm {Ax}(L,V_k)\) and \(\pi (\mathcal {T}_k)=\langle \varPsi _k,\chi _k \rangle \).

  3. (iii)

    \(\mathcal {V}_{\chi _k(p)}\subseteq \mathcal {V}_{\alpha }\), for every \(p\in V_k\), and \({R_k,X_k}\,\vdash _{\mathrm {i}}\, \beta \leftrightarrow \chi _k(\beta )\), for every \(\beta \).

  4. (iv)

    At every step after (S2), \(w\models R_k\), for every \(w\in W\).

  5. (v)

    At every step after (S2), \(r_k\) is the root of \(\mathcal {K}(W)\) and \(r_k\Vdash R_k\) and \(r_k\nVdash g\).

  6. (vi)

    At Step (S4), \(r_k\Vdash R_k\cup X_k\cup \varPsi _k\) and \(r_k\nVdash g\) (in \(\mathcal {K}(W)\)).

  7. (vii)

    Assume that iteration k ends with a basic restart and let \(\varphi \) be the learned basic clause. For every \(\varphi '\in \varPhi _k\), \(\varphi \not \sim _\mathrm {c}\varphi '\).

  8. (viii)

    Assume that iteration k ends with a semantic restart and let \(\psi \) be the learned axiom. For every \(\psi '\in \varPsi _k\), \(\chi _k(\psi )\not \sim _\mathrm {i}\chi _k(\psi ')\).

Proof

We only sketch the proof of the non-trivial points.

(iii). By Lemma 2 applied to \(\mathcal {T}_k\).

(v). Every interpretation M generated at Step (S6) is a superset of \(r_k\), thus after Step (S2) \(r_k\) is the minimum element of W and the root of \(\mathcal {K}(W)\). By (iv) and Prop. 2(i), \(r_k\Vdash R_k\). Since \(g\not \in r_k\), we get \(r_k\nVdash g\).

(vi). At Step (S4), \(w\triangleright _{W} \lambda \) for every \(w\in W\) and \(\lambda \in X_{k}\). Since \((X_{k})^\star \subseteq R_{k}\), by Prop. 2(ii) we get \(r_k\Vdash X_{k}\). Let \(\psi \in \varPsi _k\); then, \(\psi \) has been learned at some iteration \(k'< k\). Let \((R',X',\chi ')\) be the output of Clausify( \(\psi \),V) at Step (S5) of iteration \(k'\) . Since \(R'\subseteq R_k\) and \(X'\subseteq X_k\), it holds that \(r_k\Vdash R'\cup X'\). By (P1) \({R',X'}\,\vdash _{\mathrm {i}}\, \psi \), hence \(r_k\Vdash \psi \), which proves \(r_k\Vdash \varPsi _k\).

(vii). Let \(\varphi '\in \varPhi _{k}\); we show that \(\varphi \not \sim _\mathrm {c}\varphi '\). Let \(\varphi =\bigwedge (A\setminus \{a\}) \rightarrow c\); then, there are \(w\in W\) and \(\lambda =(a\rightarrow b)\rightarrow c\in X_{k}\) such that \(\langle w,\lambda \rangle \) has been selected at Step (S3) and the outcome of satProve(s,\(w\cup \{a\}\),b) at Step (S6) is \(\mathrm {Yes}(A)\). Note that \(w{\ntriangleright }_{W}\lambda \), hence \(c\not \in w\); since \(A\subseteq w\cup \{a\}\), we get \(w\not \models \varphi \). On the other hand, \(w\models \varphi '\), since \(\varphi '\in \varPhi _{k}\) and \(\varPhi _k\subseteq R_k\). We conclude \(\varphi \not \sim _\mathrm {c}\varphi '\).

(viii). Let \(\psi '\in \varPsi _{k}\) and let \(\mathcal {K}(W)\) be the model obtained at Step (S4) of iteration k. By (iii) \({R_k,X_k}\,\vdash _{\mathrm {i}}\, \psi \leftrightarrow \chi _k(\psi )\) and \({R_k,X_k}\,\vdash _{\mathrm {i}}\, \psi '\leftrightarrow \chi _k(\psi ')\). Since \(r_k\nVdash \psi \) and \(r_k\Vdash \psi '\) (indeed, \(\psi '\in \varPsi _{k}\) and \(r_k\Vdash \varPsi _k\)) and \(r_k\Vdash R_k\cup X_k\), we get \(r_k\nVdash \chi _k(\psi )\) and \(r_k\Vdash \chi _k(\psi ')\). We conclude \(\chi _k(\psi )\not \sim _\mathrm {i}\chi _k(\psi ')\).    \(\square \)

The following proposition proves the partial correctness of intuitRIL:

Proposition 3

intuitRIL( \(\alpha \),L) satisfies properties (Q1) and (Q2).

Proof

Let us assume that the computation ends at iteration k with output \(\varPsi _\alpha \). Then, the call to the SAT-solver at Step (S0) yields \(\mathrm {Yes}(\emptyset )\), meaning that \({R_k}\,\vdash _{\mathrm {c}}\, g\). We can build the following \(C_{L}\)-derivation \(\mathcal {D}\) of \({}\Rightarrow \alpha \):

figure d

Note that \(\varPsi _\alpha =\chi _k(\varPsi _k)\). Accordingly, by Prop. 1 we get (Q1).

Let us assume that the output is the model \(\mathcal {K}(W)\), having root r. Then, \(\mathcal {K}(W)\) is an L-model (otherwise, Step (S4) should have forced a semantic restart). By Lemma 3(vi) we get \(r\Vdash R_0\cup X_0\) and \(r\nVdash g\). Since at Step (S0) we have clausified the formula \(\alpha \leftrightarrow g\), by (P1) we get \({R_0,X_0}\,\vdash _{\mathrm {i}}\, \alpha \leftrightarrow g\), which implies \(r\Vdash \alpha \leftrightarrow g\). We conclude that \(r\nVdash \alpha \), hence (Q2) holds.    \(\square \)

It seems challenging to provide a general proof of termination, and each logic must be treated separately. We can only state some general properties about the termination of the inner loop and of consecutive basic restarts.

Proposition 4

  1. (i)

    The inner loop is terminating.

  2. (ii)

    The number of consecutive basic restarts is finite.

Proof

Let us assume, by contradiction, that the inner loop is not terminating. For every \(j\ge 0\), by \(W_j\) we denote the value of W at Step (S3) of iteration j of the inner loop; note that the value of the variable V does not change during the iterations. We show that \(W_j\subset W_{j+1}\), for every \(j\ge 0\). At iteration j, the outcome of Step (S6) is \(\mathrm {No}(M)\). Thus, there are \(w\in W_j\) and \(\lambda =(a\rightarrow b)\rightarrow c\in X\) such that the pair \(\langle w,\lambda \rangle \) has been selected at Step (S3); accordingly, \(w{\ntriangleright }_{W_j} \lambda \) and \(w\cup \{a\}\subseteq M\) and \(b\not \in M\). We have \(M\not \in W_j\), otherwise we would get \(w\triangleright _{W_j} \lambda \), a contradiction. Since \(W_{j+1}= W_j\cup \{M\}\), this proves that \(W_j\subset W_{j+1}\). We have shown that \(W_0\subset W_1\subset W_2 \dots \). This leads to a contradiction since, for every \(j\ge 0\) and every \(w\in W_j\), w is a subset of V and V is finite. We conclude that the inner loop is terminating, and this proves (i).

Let us assume, by contradiction, that there is an infinite sequence of consecutive basic restarts. Then, there is \(n\ge 0\) such that, for every \(k\ge n\), the iteration k of the main loop ends with a basic restart. Let \(\varphi _k\) be the clause learned at iteration k. Note that an iteration ending with a basic restart does not introduce new atoms, thus \(\mathcal {V}_{\varphi _k}\subseteq V_n\) for every \(k\ge n\) (where \(V_n\) is defined as in (†)). We get a contradiction, since \(V_n\) is finite and, by Lemma 3(vi), the clauses \(\varphi _k\) are pairwise non \(\sim _\mathrm {c}\)-equivalent; this proves (ii).    \(\square \)

Lemma 3(vii) guarantees that the learned axioms are pairwise distinct, but this is not sufficient to prove termination since in general we cannot set a bound on the size and on the number of learned axioms. In the next section we present some relevant logics where the procedure is terminating.

5 Termination

Let \(\mathrm {GL} =\mathrm {IPL} +\mathbf {lin} \) be the Gödel-Dummett logic presented in Ex. 1; we show that every call intuitRIL( \(\alpha \),\(\mathrm {GL} \)) is terminating. To this aim, we exploit the bounding function \(\mathrm {Ax}_{\mathrm {GL}}(\alpha )\) presented in the mentioned example.

Lemma 4

Let us consider the computation of intuitRIL( \(\alpha \),\(\mathrm {GL} \)) and assume that at iteration k of the main loop Step (S4) is executed and that the obtained model \(\mathcal {K}(W)\) is not linear. Then, there exists \(\psi \in \mathrm {Ax}_{\mathrm {GL}}(\alpha )\) such that \(r_k\nVdash \psi \).

Proof Let us assume that \(\mathcal {K}(W)\) has two distinct maximal worlds \(w_1\) and \(w_2\); note that \(w_1\subseteq V_k\) and \(w_2\subseteq V_k\) (with \(V_k\) defined as in (†)). We show that:

  1. (a)

    \(w_1\cap \mathcal {V}_{\alpha } \ne w_2\cap \mathcal {V}_{\alpha }\).

Suppose by contradiction \(w_1\cap \mathcal {V}_{\alpha } = w_2\cap \mathcal {V}_{\alpha }\); let \(p\in V_k\) and \(\beta =\chi _k(p)\) (with \(\chi _k\) defined as in (†)). By Lemma 3(iii), \({R_k,X_k}\,\vdash _{\mathrm {i}}\, p\leftrightarrow \beta \); by Lemma 3(vi) we get \(w_1\Vdash p\leftrightarrow \beta \) and \(w_2\Vdash p\leftrightarrow \beta \). Since \(\mathcal {V}_{\beta }\subseteq \mathcal {V}_{\alpha }\) (see Lemma 3(iii)) and we are assuming \(w_1\cap \mathcal {V}_{\alpha } = w_2\cap \mathcal {V}_{\alpha }\), it holds that \(w_1\Vdash \beta \) iff \(w_2\Vdash \beta \), thus \(w_1\Vdash p\) iff \(w_2\Vdash p\), namely \(p\in w_1\) iff \(p\in w_2\). Since p is any element of \(V_k\), we get \(w_1=w_2\), a contradiction; this proves (a). By (a) there is \(a\in \mathcal {V}_{\alpha }\) such that either \(a\in w_1\setminus w_2\) or \(a\in w_2\setminus w_1\). We consider the former case (the latter one is symmetric), corresponding to Case 1 in Fig. 6. We have \(w_1\Vdash a\) and \(w_2\Vdash \lnot a\); setting \(\psi = (a\rightarrow \lnot a) \vee (\lnot a\rightarrow a)\), we conclude \(r_k\nVdash \psi \).

Assume that \(\mathcal {K}(W)\) has only one maximal world; since it is not linear, there are three distinct worlds \(w_1\), \(w_2\), \(w_3\) as in Case 2 in Fig. 6, namely: \(w_1\) is an immediate successor of \(w_2\) and \(w_3\) (i.e., for \(j\in \{2,3\}\), \(w_j< w_1\) and, if \(w_j< w\), then \(w_1\le w\)), \(w_2\not \le w_3\), \(w_3\not \le w_2\). Reasoning as in (a), we get:

figure e

By (b) there is \(a\in \mathcal {V}_{\alpha }\) such that either \(a\in w_2\setminus w_3\) or \(a\in w_3\setminus w_2\). Let us consider the former case (the latter one is symmetric). By (c), there is \(b\in \mathcal {V}_{\alpha }\) such that \(b\in w_1\setminus w_2\). If \(b\in w_3\) (Case 2.1 in Fig. 6), we get \(a\in w_2\), \(b\not \in w_2\), \(a\not \in w_3\), \(b\in w_3\). Setting \(\psi =(a\rightarrow b)\vee (b\rightarrow a)\), we conclude \(r_k\nVdash \psi \). Finally, let us assume \(b\not \in w_3\) (Case 2.2). We have \(\{a,b\}\subseteq w_1\), \(a\in w_2\), \(b\not \in w_2\), \(a\not \in w_3\) and \(b\not \in w_3\). It is easy to check that \(w_3 \Vdash a\rightarrow b\) (recall that \(w_3 < w\) implies \(w_1\le w\)), thus \(w_3 \nVdash (a\rightarrow b)\rightarrow a\). On the other hand \(w_2\nVdash a\rightarrow (a\rightarrow b)\). Setting \(\psi =(a\rightarrow (a\rightarrow b))\vee ((a\rightarrow b)\rightarrow a)\), we get \(r_k\nVdash \psi \).    \(\square \)

Fig. 6. Proof of Lemma 4, case analysis.

We exploit Lemma 4 to implement Step (S4). If \(\mathcal {K}(W)\) is linear, then \(\mathcal {K}(W)\) is a \(\mathrm {GL} \)-model and we are done. Otherwise, the proof of Lemma 4 hints at an effective method to select an instance \(\psi \) of \(\mathbf {lin} \) from \(\mathrm {Ax}_{\mathrm {GL}}(\alpha )\).

Proposition 5

The computation of intuitRIL( \(\alpha \),\(\mathrm {GL} \) ) is terminating.

Proof

Assume that intuitRIL( \(\alpha \),\(\mathrm {GL} \) ) is not terminating. Since the number of iterations of the inner loop and of the consecutive basic restarts is finite (see Prop. 4), Step (S4) must be executed infinitely many times. This leads to a contradiction, since the axioms selected at Step (S4) are pairwise distinct (see Lemma 3(vii)) and such axioms are chosen from the finite set \(\mathrm {Ax}_{\mathrm {GL}}(\alpha )\).    \(\square \)

As a corollary, we get that \(\mathrm {Ax}_{\mathrm {GL}}(\alpha )\) is a bounding function for \(\mathrm {GL} \):

Proposition 6

If \(\alpha \) is \(\mathrm {GL} \)-valid, there is \(\varPsi _\alpha \subseteq \mathrm {Ax}_{\mathrm {GL}}(\alpha )\) such that \({\varPsi _\alpha }\,\vdash _{\mathrm {i}}\, \alpha \).

Other proof-search strategies for \(\mathrm {GL} \) are discussed in [10, 14]. This technique can be extended to other notable intermediate logics. Among these, we recall the logics \(\mathrm {GL}_{n}\) (Gödel Logic of depth n), obtained by adding to \(\mathrm {GL} \) the axioms \(\mathbf {bd}_{n}\) (bounded depth) where: \(\mathbf {bd}_{0}=a_0\vee \lnot a_0\), \(\mathbf {bd}_{n+1}=a_{n+1}\vee (a_{n+1}\rightarrow \mathbf {bd}_{n})\). Semantically, \(\mathrm {GL}_{n}\) is the logic characterized by linear frames having depth at most n. We are not able to prove termination for the logics \(\mathrm {IPL} +\mathbf {bd}_{n}\), but we can implement the following terminating strategy for \(\mathrm {GL}_{n}\). Let \(\mathcal {K}(W)\) be the model obtained at Step (S4) of the computation of intuitRIL( \(\alpha \),\(\mathrm {GL}_{n}\) ):

  • If \(\mathcal {K}(W)\) is not linear, we select the axiom \(\psi \) from \(\mathrm {Ax}_{\mathrm {GL}}(\alpha )\).

  • Otherwise, assume that \(\mathcal {K}(W)\) is linear but not a \(\mathrm {GL}_{n}\)-model. Then, \(\mathcal {K}(W)\) contains a chain of worlds \(w_0\subset w_1\subset \dots \subset w_{n+1}\). The crucial point is that \(w_{j+1}\setminus w_{j}\) contains at least a propositional variable from \(\mathcal {V}_{\alpha }\), for every \(0\le j \le n\). Thus, we can choose a proper renaming of \(\mathbf {bd}_{n}\) as \(\psi \).

Another terminating logic is the Jankov Logic (see Ex. 3); actually, also in this case the learned axiom can be chosen by renaming the \(\mathbf {wem} \) axiom. In general, all the logics \(\mathrm {BTW}_{n}\) (Bounded Top Width, at most n maximal worlds, see [2]) are terminating. An intriguing case is Scott Logic \(\mathrm {ST} \) [2]: even though the class of \(\mathrm {ST} \)-frames is not first-order definable, we can implement a learning procedure for \(\mathrm {ST} \)-axioms arguing as in [7] (see Sec. 2.5.2). Some of the mentioned logics have been implemented in intuitRIL (see Footnote 1).

One may wonder whether this method can be applied to other non-classical logics or to fragments of predicate logics (these issues have already been raised in the seminal paper [4]). A significant work in this direction is [11], where the procedure has been applied to some modal logics. However, the main difference from the original approach is that it is not possible to use a single SAT-solver; one needs a supply of SAT-solvers. This is primarily due to the fact that the forcing relation of modal Kripke models is not persistent; thus worlds are loosely related and must be handled by independent solvers.