Keywords

1 Introduction

Constrained Horn Clauses (CHCs) combine logical formulas with constraints over various domains, e.g. linear real arithmetic, linear integer arithmetic, equalities of uninterpreted functions [15]. This formalism has gained widespread attention in recent years due to its applications in a variety of fields, including program analysis and verification: safety, liveness, and termination [17, 38], complexity and resource analysis [33], intermediate representation [22], and software testing [35]. Technical controls, so called Supervisors, like an electronic engine control unit, or a lane change assistant in a car [8, 9] can be modelled, run, and proven safe. Moreover, there exist many different approaches for reasoning in CHCs and associated first-order logic fragments extended with theories [2, 5, 7, 10, 15, 23,24,25, 28, 29, 34, 37]. Thus, CHCs are a powerful tool for reasoning about complex systems that involve logical constraints, and they have been used to solve a wide range of problems.

A failed proof attempt of some conjecture or undesired run points to a bug. In this case investigation of the cause of the unexpected result or behavior is crucial. Building a model of the situation that can then be effectively queried is an important means towards a repair. However, some algorithms for CHCs, e.g. hierarchic superposition, which boils down to hierarchic ordered resolution in the context of CHCs, do not return a model that can be effectively queried if a proof attempt fails, in general. If so, queries are still restricted to ground clauses [4].

The contribution of our paper can be seen as an extension for these saturation based algorithms that produces models and not just saturated clause sets. In fact, we show how to build symbolic models out of any saturated CHC clause set over linear arithmetic. This fragment is equivalent to Horn clause sets of linear arithmetic combined with the Bernays-Schönfinkel fragment. Recall that although satisfiability in this fragment is undecidable [16, 26], in general, for a finitely saturated set we can construct such a representation in finite time.

Our models fulfill all important properties postulated in the literature for automated model building in first-order logic [13, 20]. First, they can be effectively constructed, i.e., each model is represented by one linear arithmetic formula of finite size for each of its predicates and it can be constructed in finite time. Second, they are unique, i.e., the model representation specifies exactly one interpretation; in our case the least model. Third, they can be effectively queried, i.e., we provide decision procedures that evaluate whether an atom, clause, or formula is entailed/satisfied by the model. Fourth, it is possible to test the equivalence of two models. The approach we present does not exploit features of linear arithmetic beyond equality, the existence of a well-founded order for the theories’ universe, and decidability of the theory. The results may therefore be adapted to other constraint domains. Model representation that can be effectively constructed and queried like ours are also called effective model representations. Moreover, our method is the first effective model construction approach for ordered resolution (or its extension to superposition) that is based on saturation, goes beyond ground clauses, and includes theory constraints. In the future, we plan to use this approach as the basis for a more general model construction approach that also works on more expressive fragments of first-order logic modulo theories.

Our model construction is inspired by the model construction operator used in the proof for refutational completeness of hierarchic superposition [3, 6, 30]. The main difference is that the model construction operator from the refutational completeness proof is restricted to ground clauses and executed on the potentially infinite ground instances of the saturated clause set (in addition to an infinite axiomatization of the background theory as ground clauses). As a result, the model construction operator from the refutational completeness proof cannot effectively construct a model because iterating over a potentially infinite set means it may diverge. Moreover, in contrast to our model construction, the original model operator cannot effectively evaluate non-ground atoms, clauses, or formulas. It is, however, sufficient, to show the existence of a model if the clause set is saturated and does not contain the empty clause [3, 6, 30]. In our version of the model construction operator, we managed to lift the restriction to ground clause sets by restricting the input logic to the Horn Bernays-Schönfinkel fragment instead of full first-order logic. This enables us to define a strict propagation/production order for our non-ground clauses instead of just for ground clauses. As a result, we can construct the model one clause at a time.

The paper is organized as follows. In Sect. 2 we clarify notation and preliminaries. The main contribution is presented in Sect. 3. At the end of this section, we also explain how our models satisfy the postulates (see [13, Section 5.1, p. 234]) by Fermüller and Leitsch for automated model building. We conclude in Sect. 4. Proofs were elided in favor of explanations and examples. An extended version, which includes proofs, can be found at [12].

2 Preliminaries and Notation

We briefly recall the basic logical formalisms and notations we build upon [9]. Our starting point is a standard first-order language with variables (denoted xyz), predicates (denoted PQ) of some fixed arity, and terms (denoted ts). An atom (denoted A) is an expression for a predicate P of arity \(n = {\text {arity}}(P)\). When the terms in are not relevant in some context, we also write \(P(*)\). A positive literal is an atom A and a negative literal is a negated atom \(\lnot A\). We define \({\text {comp}}(A)=\lnot A\), \({\text {comp}}(\lnot A)=A\), \(|A|=A\) and \(|\lnot A|=A\). Literals are usually denoted LK. We sometimes write literals as \([\lnot ]P(*)\), meaning that the sign of the literal is arbitrary, often followed by a case distinction. Formulas are defined in the usual way using quantifiers \(\forall \), \(\exists \) and the boolean connectives (in order of decreasing binding strength) \(\lnot \), \(\vee \), \(\wedge \), \(\rightarrow \), and \(\leftrightarrow \). The logic we consider does not feature a first-order equality predicate.

A clause (denoted CD) is a universally closed disjunction of literals . We may equivalently write . A clause is Horn if it contains at most one positive literal, i.e. \(n \le 1\). In Sect. 3, all clauses considered are Horn clauses. If Y is a term, formula, or a set thereof, \({\text {vars}}(Y)\) denotes the set of all variables in Y, and Y is ground if \({\text {vars}}(Y) = \emptyset \). Analogously, \(\varPi (Y)\) is the set of predicate symbols occurring in Y.

The Bernays-Schönfinkel Clause Fragment (\({\text {BS}}\)) in first-order logic consists of first-order clauses where all terms are either variables or constants. The Horn Bernays-Schönfinkel Clause Fragment (\({\text {HBS}}\)) is further restricted to Horn clauses.

A substitution \(\sigma \) is a function from variables to terms with a finite domain and codomain. We denote substitutions by \(\sigma , \tau \). The application of substitutions is often written postfix, as in \(x\sigma \), and is homomorphically extended to terms, atoms, literals, clauses, and quantifier-free formulas. A substitution is ground if its codomain is ground. Let Y denote some term, literal, clause, or clause set. A substitution \(\sigma \) is a grounding for Y if \(Y\sigma \) is ground, and \(Y\sigma \) is a ground instance of Y in this case. We denote by \({\text {gnd}}(Y)\) the set of all ground instances of Y. The most general unifier \({\text {mgu}}(Z_1,Z_2)\) of two terms/atoms/literals \(Z_1\) and \(Z_2\) is defined as usual, and we assume that it does not introduce fresh variables and is idempotent.

2.1 Horn Bernays-Schönfinkel with Linear Arithmetic

The class \({\text {HBS}}({\text {LRA}})\) is the extension of the Horn Bernays-Schönfinkel fragment with linear real arithmetic (\({\text {LRA}}\)). Analogously, the classes \({\text {HBS}}({\text {LQA}})\) and \({\text {HBS}}({\text {LIA}})\) are the extensions of the Horn Bernays-Schönfinkel fragment with linear rational arithmetic (\({\text {LQA}}\)) and linear integer arithmetic (\({\text {LIA}}\)), respectively. The only difference between the three classes are the sort \({\text {LA}}\) their variables and terms range over and the universe \(\mathcal {U}\) over which their interpretations range. As the names already imply \({\text {LA}}= {\text {LRA}}\) and \(\mathcal {U} = \mathbb {R}\) for \({\text {HBS}}({\text {LRA}})\), \({\text {LA}}= {\text {LQA}}\) and \(\mathcal {U} = \mathbb {Q}\) for \({\text {HBS}}({\text {LQA}})\), and \({\text {LA}}= {\text {LIA}}\) and \(\mathcal {U} = \mathbb {Z}\) for \({\text {HBS}}({\text {LIA}})\). The results presented in this paper hold for all three classes and by \({\text {HBS}}({\text {LA}})\) we denote that we are talking about an arbitrary one of them.

Linear arithmetic terms are constructed from a set \(\mathcal {X}\) of variables, the set of constants \(c\in \mathbb {Q}\) (if in \({\text {HBS}}({\text {LRA}})\) or \({\text {HBS}}({\text {LQA}})\)) or \(c\in \mathbb {Z}\) (if in \({\text {HBS}}({\text {LIA}})\)), and binary function symbols \(+\) and − (written infix). Additionally, we allow multiplication \(\cdot \) if one of the factors is a constant. Multiplication only serves us as syntactic sugar to abbreviate other arithmetic terms, e.g., \(x + x + x\) is abbreviated to \(3 \cdot x\). Atoms in \({\text {HBS}}({\text {LA}})\) are either first-order atoms (e.g., P(13, x)) or (linear) arithmetic atoms (e.g., \(x < 42\)). Arithmetic atoms are denoted by \(\lambda \) and may use the predicates \(\le , <, \approx , \not \approx , >, \ge \), which are written infix and have the expected fixed interpretation. We use \(\approx \) instead of \(=\) to avoid confusion between equality in \({\text {LA}}\) and equality on the meta level. While we do not permit quantifiers in the syntax of clauses, the notion of symbolic interpretations that we will develop does require this, denoted as usual. By \({{\,\textrm{atoms}\,}}(Y)\)/\({{\,\textrm{quants}\,}}(Y)\) we denote the linear arithmetic atoms/quantifiers in a formula or set of formulas Y. First-order literals and related notation is defined as before. Arithmetic literals coincide with arithmetic atoms, since the arithmetic predicates are closed under negation, e.g., \(\lnot (x \ge 42)\) is equivalent to \(x < 42\).

\({\text {HBS}}({\text {LA}})\) clauses are defined as for \({\text {HBS}}\) but using \({\text {HBS}}({\text {LA}})\) atoms. We often write clauses in the form \(\varLambda {\,\Vert \,}C\) where C is a clause solely built of free first-order literals and \(\varLambda \) is a multiset of \({\text {LA}}\) atoms called the constraint of the clause. A clause of the form \(\varLambda {\,\Vert \,}C\) is therefore also called a constrained clause. Since the interpretation of linear arithmetic relations is fixed, we set \(\varPi (\varLambda {\,\Vert \,}C) {:}{=}\varPi (C)\).

The fragment we consider in Sect. 3 is restricted even further to abstracted clauses: For any clause \(\varLambda {\,\Vert \,}C\), all terms in C must be variables. Put differently, we disallow any arithmetic function symbols, including numerical constants, in C. Variable abstraction, e.g. rewriting \(x \ge 3{\,\Vert \,}P(x,1)\) to \(x \ge 3, y \approx 1{\,\Vert \,}P(x,y)\), is always possible. Hence, the restriction to abstracted clauses is not a theoretical limitation, but allows us to formulate our model construction operator in a more concise way. We assume abstracted clauses for theory development, but we prefer non-abstracted clauses in examples for readability, e.g., a unit clause P(3, 5) is considered in the development of the theory as the clause \(x\approx 3, y\approx 5{\,\Vert \,}P(x,y)\).

In contrast to other works, e.g. [11], we do not permit first-order constants, and consequently also no variables that range over the induced Herbrand universe. All variables are arithmetic in the sense that they are interpreted by \(\mathcal {U}\). Since we only allow equalities in the arithmetic constraint, it is possible to simulate variables over first-order constants, by e.g. numbering them, i.e. defining a bijection between \(\mathbb {N}\) and constant symbols. So this again not a theoretical limitation.

The semantics of \(\varLambda {\,\Vert \,}C\) is as follows:

$$\varLambda {\,\Vert \,}C \quad \text {iff} \quad \big (\bigwedge _{\lambda \in \varLambda }\lambda \big ) \rightarrow C \quad \text {iff} \quad \big (\bigvee _{\lambda \in \varLambda } \lnot \lambda \big ) \vee C$$

For example, the clause \(x >1 \vee y \not \approx 5 \vee \lnot Q(x) \vee R(x, y)\) is also written \(x\le 1, y \approx 5{\,\Vert \,}\lnot Q(x) \vee R(x, y)\). The negation \(\lnot (\varLambda {\,\Vert \,}C)\) of a constrained clause \(\varLambda {\,\Vert \,}C\) where is thus equivalent to . Note that since the neutral element of conjunction is \(\top \), an empty constraint is thus valid, i.e. equivalent to true. In analogy to the empty clause in settings without constraints, we write \(\square \) to mean any and all clauses \(\varLambda {\,\Vert \,}\bot \) where \(\varLambda \) is satisfiable, which are all unsatisfiable.

An assignment for a constraint \(\varLambda \) is a substitution (denoted \(\beta \)) that maps all variables in \({\text {vars}}(\varLambda )\) to values in \(\mathcal {U}\). An assignment is a solution for a constraint \(\varLambda \) if all atoms \(\lambda \in (\varLambda \beta )\) evaluate to true. A constraint \(\varLambda \) is satisfiable if there exists a solution for \(\varLambda \). Otherwise it is unsatisfiable.

We assume pure input clause sets because otherwise satisfiability is undecidable for impure \({\text {HBS}}({\text {LA}})\) [21]. This means the only constants of our sort \({\text {LA}}\) are concrete rational numbers. Irrational numbers are not allowed by the standard definition of the theory. Fractions are not allowed if \({\text {LA}}= {\text {LIA}}\). Satisfiability of pure \({\text {HBS}}({\text {LA}})\) clause sets is semi-decidable, e.g., using hierarchic superposition [3] or SCL(T) [10]. Note that pure \({\text {HBS}}({\text {LA}})\) clauses correspond to constrained Horn clauses (CHCs) with \({\text {LA}}\) as background theory.

All arithmetic predicates and functions are interpreted in the usual way denoted by the interpretation \(\mathcal {A}^{{\text {LA}}}\). An interpretation of \({\text {HBS}}({\text {LA}})\) coincides with \(\mathcal {A}^{{\text {LA}}}\) on arithmetic predicates and functions, and freely interprets non-arithmetic predicates. For pure clause sets this is well-defined [3]. Logical satisfaction and entailment is defined as usual, and uses similar notation as for \({\text {HBS}}\).

Example 1

The clause \(y \ge 5,\,x' \approx x + 1{\,\Vert \,}S_0(x,y) \rightarrow S_1(x', 0)\) is part of a timed automaton with two clocks x and y modeled in \({\text {HBS}}({\text {LA}})\). It represents a transition from state \(S_0\) to state \(S_1\) that can be traversed only if clock y is at least 5 and that resets y to 0 and increases x by 1.

2.2 Ordering Literals and Clauses

In order to define redundancy for constrained clauses, we need an order: Let \(\prec _{\varPi }\) be a total, well-founded, strict ordering on predicate symbols and let \(\prec _{\mathcal {U}}\) be a total, well-founded, strict ordering on the universe \(\mathcal {U}\). (Note that \(\prec \) cannot be the standard ordering < because it is not well-founded for \(\mathbb {Z}\), \(\mathbb {Q}\), or \(\mathbb {R}\). In the case of \(\mathbb {R}\), the existence of such an order is even dependent on whether we assume the axiom of choice [18].) We extend these orders step by step. First, to atoms, i.e., \(P(\vec {a}) \prec Q(\vec {b})\) if \(P \prec _{\varPi } Q\) or \(P = Q\), \(\vec {a}, \vec {b} \in \mathcal {U}^{|\vec {a}|}\), and \(\vec {a} \prec _{\text {lex}} \vec {b}\), where \(\prec _{\text {lex}}\) is the lexicographic extension of \(\prec _{\mathcal {U}}\). Next, we extend the order to literals with a strict precedence on the predicate and the polarity, i.e.,

$$\begin{aligned} P(\vec {t}) \prec \lnot P(\vec {s}) \prec Q(\vec {u}) \qquad \text {if }P \prec Q \end{aligned}$$

independent of the arguments of the literals. Then, take the multiset extension to order clauses. To handle constrained clauses extend the relation such that constraint literals (in our case arithmetic literals) are always smaller than first-order literals. We conflate the notation of all extensions into the symbol \(\prec \) and define \(\preceq \) as the reflexive closure of \(\prec \). Note that \(\prec \) is only total for ground atoms/literals/clauses, which is sufficient for a hierarchic superposition order [6].

Definition 2

(\(\prec \)-maximal Literal). A literal L is called \(\prec \)-maximal in a clause C if there exists a grounding substitution \(\sigma \) for C, such that there is no different \(L' \in C\) for which \(L\sigma \prec L'\sigma \). The literal L is called strictly \(\prec \)-maximal if there is no different \(L' \in C\) for which \(L\sigma \preceq L'\sigma \).

Proposition 3

If \(\prec \) is a predicate-based ordering, C is a Horn clause, C has a positive literal L, and L is \(\prec \)-maximal in C, then L is strictly \(\prec \)-maximal in C.

Definition 4

(\(\prec \)-maximal Predicate in Clause). A predicate symbol P is called (strictly) \(\prec \)-maximal in a clause C if there is a literal \([\lnot ]P(*) \in C\) that is (strictly) \(\prec \)-maximal in C.

Definition 5

Let N be a set of clauses, \(\prec \) a clause ordering, C a clause, and P a predicate symbol. Then \(N^{\prec C} {:}{=}\{ C' \in N \mid C' \prec C \}\) and \(N^{\preceq P} {:}{=}\{ C \in N \mid Q \text { is }\prec \text {-maximal in } C \text { and } Q \preceq P\}\).

2.3 Hierarchic Superposition, Redundancy and Saturation

For pure \({\text {HBS}}({\text {LA}})\) most rules of the (hierarchic) superposition calculus become obsolete or can be simplified. In fact, in the \({\text {HBS}}({\text {LA}})\) case (hierarchic) superposition boils down to (hierarchic) ordered resolution. For a full definition of (hierarchic) superposition calculus in the context of linear arithmetic, consider SUP(LA) [1]. Here, we will only define its simplified version in the form of the hierarchic resolution rule.

Definition 6

(Hierarchic \(\prec \)-Resolution). Let \(\prec \) be an order on literals and \(\varLambda _1{\,\Vert \,}L_1 \vee C_1\), \(\varLambda _2{\,\Vert \,}L_2 \vee C_2\) be constrained clauses. The inference rule of hierarchic \(\prec \)-resolution is:

figure h

where \(L_1\) is \(\prec \)-maximal in \(C_1\) and \(L_2\) is \(\prec \)-maximal in \(C_2\).

Note that in the resolution rule we do not enforce explicitly that the positive literal is strictly maximal. This is possible because in the Horn case any positive literal is strictly maximal if it is maximal in the clause.

For saturation, we need a termination condition that defines when the calculus under consideration cannot make any further progress. In the case of superposition, this notion is that any new inferences are redundant.

Definition 7

(Clause Redundancy). A ground clause \(\varLambda {\,\Vert \,}C \in N\) is redundant with respect to a set N of ground clauses and order \(\prec \) if \(N^{\prec \varLambda {\,\Vert \,}C} \vDash \varLambda {\,\Vert \,}C\). A potentially non-ground clause \(\varLambda {\,\Vert \,}C \in N\) is redundant with respect to a potentially non-ground clause set N and order \(\prec \) if for all \(\varLambda '{\,\Vert \,}C' \in {\text {gnd}}(\varLambda {\,\Vert \,}C)\) the clause \(\varLambda '{\,\Vert \,}C'\) is redundant with respect to \({\text {gnd}}(N)\).

If a clause \(\varLambda {\,\Vert \,}C \in N\) is redundant with respect to a clause set N, then it can be removed from N without changing its semantics. If \(\varLambda {\,\Vert \,}C\) is newly inferred, then we also call it redundant if \(\varLambda {\,\Vert \,}C\) is already part of N. The same cannot be said for clauses in N or all clauses in N would be redundant. Determining clause redundancy is an undecidable problem [10, 40]. However, there are special cases of redundant clauses that can be easily checked, e.g., tautologies and subsumed clauses. Redundancy also means that \(\mathcal {I}\vDash N^{\prec \varLambda {\,\Vert \,}C}\) implies \(\mathcal {I}\vDash \varLambda {\,\Vert \,}C\) if \(\varLambda {\,\Vert \,}C\) is redundant w.r.t. N. We will exploit this fact in the model construction.

Definition 8

(Saturation). A set of clauses N is saturated up to redundancy with respect to some set of inference rules, if application of any rules to clauses in N yields a clause that is redundant with respect to N or is contained in N.

2.4 Interpretations

In our context, models are interpretations that satisfy (sets of) clauses. The standard notion of an interpretation is fairly opaque and interprets a predicate P as the potentially infinite set of ground arguments that satisfy P.

Definition 9

(Interpretation). Let P be a predicate symbol with \({\text {arity}}(P) = n\). Then, \(P^{\mathcal {I}}\) denotes the subset of \(\mathcal {U}^n\) for which the interpretation \(\mathcal {I}\) maps the predicate symbol P to true.

Since our model construction approach manipulates interpretations directly, we need a notion of interpretations that always has a finite representation and for which it is possible to decide (in finite time) whether a clause is satisfied by the interpretation. Therefore, we rely on the notion of symbolic interpretations:

Definition 10

(Symbolic Interpretation). Let \(x_1, x_2, \ldots \) be an infinite sequence of distinct variables, i.e. \(x_i \ne x_j\) for all \(1 \le i < j\). (We assume the same sequence for all symbolic interpretations in order to prevent conflicts when we later combine multiple symbolic interpretations into one.) A symbolic interpretation \(\mathcal {S}\) is a function that maps every predicate symbol P with \({\text {arity}}(P) = n\) to a formula denoted \(P^\mathcal {S}(\vec {x})\) of finite size, constructed using the usual boolean connectives over \({\text {LA}}\) atoms, where the only free variables appear in \(\vec {x} = (x_1, \dots , x_n)\). The interpretation \(\mathcal {I}_{\mathcal {S}}\) corresponding to \(\mathcal {S}\) is defined by \(P^{\mathcal {I}_{\mathcal {S}}} = \{ (\vec {x})\beta \mid \beta \vDash P^\mathcal {S}(\vec {x}) \}\) and maps the predicate symbol P to true for the subset of \(\mathcal {U}^n\) which corresponds to the solutions of \(P^\mathcal {S}(\vec {x})\).

Example 11

Let N be a clause set consisting of the clauses \(0 \le x \le 2, 0 \le y \le 2 \Vert P(x,y)\) and \(x_Q \ge x_P + 1, y_Q \ge y_P + 1 \Vert \lnot P(x_P,y_P) \vee Q(x_Q,y_Q)\). An example of a symbolic interpretation \(\mathcal {S}\) that satisfies N, would be the function that maps P to \(P^\mathcal {S}(x_1,x_2) = 0 \le x_1 \le 2 \wedge 0 \le x_2 \le 2\) and \(Q^\mathcal {S}(x_1,x_2) = 1 \le x_1 \wedge 1 \le x_2\). It corresponds to the interpretation \(\mathcal {I}_{\mathcal {S}}\) where \(P^{\mathcal {I}_{\mathcal {S}}} = \{(a_1,a_2) \in \mathcal {U} \mid 0 \le a_1 \le 2 \wedge 0 \le a_2 \le 2 \}\) and \(Q^{\mathcal {I}_{\mathcal {S}}} = \{(a_1,a_2) \in \mathcal {U} \mid 1 \le a_1 \wedge 1 \le a_2\}\).

The notion of symbolic interpretations is closely related to \(\mathcal {A}\)-definable models [7, Definition 7] and constrained atomic representations [13, Definition 5.1, pp. 236–237]. Each symbolic interpretation \(\mathcal {S}(\vec {x})\) is equivalent to a constrained atomic representation that consists of one constraint atom \([[P(\vec {x}) : P^\mathcal {S}(\vec {x})]]\) (written in the notation from [13]) for every predicate P. Note that in this context the constraint is not just a quantifier-free conjunction of linear arithmetic atoms, but a linear arithmetic formula potentially containing quantifiers (although those can be eliminated with quantifier elimination techniques).

Due to the fact that each symbolic interpretation consists of a finite set of formulas of finite size, symbolic interpretations can be considered as finite representations. In contrast, the standard representation of an interpretation as a potentially infinite set of ground atoms is not a finite representation. However, this also means that there are some interpretations for which no corresponding symbolic interpretation exists, for instance the set of prime numbers is a satisfying interpretation for \(y \approx 2{\,\Vert \,}P(y)\), but not expressible as a symbolic interpretation (in \({\text {LA}}\)). As we will later see, at least any saturated set of \({\text {HBS}}({\text {LA}})\) clauses either is unsatisfiable or has a symbolic interpretation that satisfies it (Theorem 29).

The top interpretation, denoted \({\mathcal {I}_{\top }}\), is defined as \(P^{{\mathcal {I}_{\top }}} {:}{=}\mathcal {U}^n\) for all predicate symbols P with \({\text {arity}}(P) = n\) and corresponds to the top symbolic interpretation, denoted \({\mathcal {S}_{\top }}\), defined as \(P^{{\mathcal {S}_{\top }}} {:}{=}\top \) for all predicate symbols P. The bottom interpretation (or empty interpretation), denoted \({\mathcal {I}_{\bot }}\), and the bottom symbolic interpretation (or empty symbolic interpretation), denoted \({\mathcal {S}_{\bot }}\), are defined analogously. The interpretation of P under \(\mathcal {I}\cup \mathcal {J}\) is defined as \(P^{\mathcal {I}\cup \mathcal {J}} {:}{=}P^\mathcal {I}\cup P^\mathcal {J}\) for every predicate P. In the symbolic case, \(\mathcal {S}\cup \mathcal {R}\) is defined as \(P^{\mathcal {S}\cup \mathcal {R}}(\vec {x}) {:}{=}P^\mathcal {S}(\vec {x}) \vee P^\mathcal {R}(\vec {x})\) for every predicate P. We write \(\mathcal {I}\subseteq \mathcal {J}\) or \(\mathcal {I}\) is included in \(\mathcal {J}\) (resp. \(\mathcal {I}\subset \mathcal {J}\) or \(\mathcal {I}\) is strictly included in \(\mathcal {J}\)) if \(P^{\mathcal {I}} \subseteq P^{\mathcal {J}}\) (resp. \(P^{\mathcal {I}} \subset P^{\mathcal {J}}\)) for all predicate symbols P.

Definition 12

(Entailment of Literal). Let \(\mathcal {I}\) be an interpretation. Given a ground literal , where \(a_i \in \mathcal {U}\), we write if . Conversely, we write if . For a non-ground literal L, we write \(\mathcal {I}\vDash L\) if for all grounding substitutions \(\sigma \) for L, we have \(\mathcal {I}\vDash L\sigma \). Conversely, we write \(\mathcal {I}\nvDash L\), if there exists a grounding substitution \(\sigma \) for L, such that \(\mathcal {I}\nvDash L\sigma \).

We overload \(\vDash \) for symbolic interpretations, i.e. we write \(\mathcal {S}\vDash L\) and mean \(\mathcal {I}_{\mathcal {S}} \vDash L\). The following function encodes a clause as an \({\text {LA}}\) formula for evaluation under a given symbolic interpretation.

Definition 13

(Clause Evaluation Function).Let \(\varLambda {\,\Vert \,}C\) be a constrained clause where , and let \(\mathcal {S}\) be a symbolic interpretation. Then the clause evaluation function \((\varLambda {\,\Vert \,}C\big )^{\mathcal {S}}\) is defined as follows based on the definitions for \(\sigma _i\) and \(\phi _i\) (for \(1 \le i \le m\)):

figure p
$$\begin{aligned} \big (\varLambda {\,\Vert \,}C\big )^{\mathcal {S}} {:}{=}\big (\bigwedge _{\lambda \in \varLambda } \lambda \big ) \rightarrow \big (\bigvee _{i = 1}^{m} \phi _i\sigma _i \big ) \end{aligned}$$

Note that the free variables of \((\varLambda {\,\Vert \,}C)^\mathcal {S}\) are exactly the free variables of \((\varLambda {\,\Vert \,}C)\). Moreover, the substitutions \(\sigma _i\) are necessary in the above definition in order to map the variables in the symbolic interpretation for the predicates \(P_i^\mathcal {S}\) to the variables that appear as arguments in the literals .

Proposition 14

Given a constrained clause \(\varLambda {\,\Vert \,}C\) with grounding \(\beta \), we have

$$\vDash \big (\varLambda {\,\Vert \,}C\big )^\mathcal {S}\beta \qquad \text {if and only if} \qquad \mathcal {S}\vDash \big (\varLambda {\,\Vert \,}C\big )\beta $$

As a corollary of the previous proposition, the entailment \(\mathcal {S}\vDash \varLambda {\,\Vert \,}C\) holds if and only if the universal closure of the formula \((\varLambda {\,\Vert \,}C)^\mathcal {S}\) is valid. This means that for a symbolic interpretation \(\mathcal {S}\) it is always computable whether a clause is entailed by \(\mathcal {S}\) because there are decision procedures for quantified \({\text {LRA}}\), \({\text {LQA}}\), and \({\text {LIA}}\) formulas of finite size.

We require two functions that manipulate \({\text {LA}}\)-formulas directly to express our model construction (cf. Definition 17), i.e. to map solutions for a clause defined by a formula \({\text {vars}}(\phi )\) to one atom inside the clause. This requires from us to project away all variables in \(\phi \) that appear in the clause but not in the atom.

Definition 15

(Projection). Let V be a set of variables and \(\phi \) be an \({\text {LA}}\)-formula. The projection function \(\pi \) is defined as follows:

figure r

\(\pi (V, \phi )\) is a standard projection function that binds a subset V of the variables in the formula \(\phi \) with existential quantifiers. Note that we also know that \(\pi (V, \phi )\) is equivalent to a quantifier-free \({\text {LA}}\) formula just over the variables because there exist quantifier elimination algorithms for \({\text {LRA}}\), \({\text {LQA}}\), and \({\text {LIA}}\) [14, 32].

A further function \(\curlyvee \) is needed when we encounter literals of the form \(P(x, x, \dots )\), i.e., where one variable is shared among two arguments. In this case, we use \(\curlyvee \) to express in our symbolic interpretation that the equivalent argument positions must also be equivalent in our interpretation.

Definition 16

(Sharing). Let and be tuples of variables with the same length. The sharing function \(\curlyvee \), which encodes variable sharing across different argument positions, is defined as follows:

figure v

2.5 Consequence and Least Model

The notion of a least model is common in logic programming. Horn logic programs admit a least model, which is the intersection of all models of the program (see [31, § 6, p. 36]). In our context, the least model of a set of clauses N is the intersection of all models of N. An alternative characterization of the least model of N is through the least fixed point of the one-step consequence operator, which we define as \(T_N\) for the context of \({\text {LA}}\) constraints analogously to [27, Section 4]. The one-step consequence operator \(T_N\) takes a set of clauses N and an interpretation \(\mathcal {I}\) as input and returns an interpretation:

figure w

The least fixed point of this operator exists by Tarski’s Fixed Point Theorem [39]: Interpretations form a complete lattice under inclusion (supremum given by union, infimum given by intersection), and \(T_N\) is monotone.

3 Model Construction

In this section we address construction of models for \({\text {HBS}}({\text {LA}})\). Throughout this section, we consider a set of constrained Horn clauses N and an order \(\prec \) to be given. Our aim is to define an interpretation \(\mathcal {I}_{N}\), such that

$$\mathcal {I}_{N}\vDash N \qquad \text {if }N\text { is saturated and}\ \square \not \in N$$

Towards that goal, we define the operator \(\delta (\mathcal {S}, \varLambda {\,\Vert \,}C' \vee P(\vec {y}))\). It takes a symbolic interpretation \(\mathcal {S}\), and a Horn clause with maximal literal \(P(\vec {y})\). It results in a symbolic interpretation that accounts for \(\varLambda {\,\Vert \,}C' \vee P(\vec {y})\).

Definition 17

(Production Operator).Let \(\varLambda {\,\Vert \,}C\) be a constrained Horn clause, where \(C = C' \vee P(\vec {y})\), \(P(\vec {y}) \succ C'\), and . Let \(\mathcal {S}\) be a symbolic interpretation, where the free variables of \(P^{\mathcal {S}}\) are \(\vec {x}\) and the free variables of \(P_i^\mathcal {S}\) are \(\vec {x_i}\) (for \(1 \le i \le m\)). Note that \(n = |\vec {y}| = |\vec {x}| = {\text {arity}}(P)\).

The production operator \(\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)\) results in a new symbolic interpretation

figure y

where, to map variables from literal arguments to the variables appearing in the symbolic interpretation \(\mathcal {S}\) and back, we have the substitutions

figure z

The goal of the operator \(\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)\) is to define an extension of the symbolic interpretation \(\mathcal {S}\) such that \(\mathcal {S}\cup \delta (\mathcal {S}, \varLambda {\,\Vert \,}C)\) satisfies \(\varLambda {\,\Vert \,}C\). Note that \(\delta \) only extends the interpretation over the strictly maximal predicate P. Moreover, due to our predicate order, it only needs to consider the interpretation \(\mathcal {S}\) for predicates Q with \(Q \prec P\). \(\delta \) also satisfies the following two symmetrical properties: On the one hand, every grounding \(\tau \) of \(\varLambda {\,\Vert \,}C' \vee P(\vec {y})\) that is not yet satisfied by \(\mathcal {S}\) must correspond to solution \(\beta \) of \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C' \vee P(\vec {y}))}\) that satisfies \(P(\vec {y}) \tau \). On the other hand, every solution \(\beta \) of \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C' \vee P(\vec {y}))}\) must correspond to a grounding of \(\varLambda {\,\Vert \,}C' \vee P(\vec {y})\) that is not yet satisfied by \(\mathcal {S}\). The first property is needed so \(\mathcal {S}\cup \delta (\mathcal {S}, \varLambda {\,\Vert \,}C' \vee P(\vec {y}))\) satisfies \(\varLambda {\,\Vert \,}C' \vee P(\vec {y})\). The second property is needed so we do not accidentally extend our interpretation by any solutions not needed to satisfy \(\varLambda {\,\Vert \,}C' \vee P(\vec {y})\).

Note that in the above statements \(\beta \) and \(\tau \) are generally not the same because the variables \(\vec {x}\) used to define \(P^{\mathcal {S}}\) are not necessarily the same as the variables appearing in the clause \(\varLambda {\,\Vert \,}C\) and literal \(P(\vec {y})\). There are three reasons for this that are handled by three different methods in our model construction:

  1. 1.

    The variables in \(\mathcal {S}\) and \(\varLambda {\,\Vert \,}C\) simply do not match, e.g. in \(P^{\mathcal {S}} {:}{=}x_1 \approx 0\) and \(\varLambda {\,\Vert \,}C {:}{=}\ y_1 > 0{\,\Vert \,}P(y_1)\). This is handled by the substitution \(\sigma \) in \(\delta \) that maps all variables in \(P(\vec {y})\) to their appropriate variables in \(P^{\mathcal {S}}\), e.g. in the previous example \(\sigma = \{y_1 \mapsto x_1\}\) and \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)} = (y_1> 0)\sigma = x_1 > 0\).

  2. 2.

    Not all variables in \(\varLambda {\,\Vert \,}C\) also appear in \(P(\vec {y})\), e.g. in \(P^{\mathcal {S}} {:}{=}x_1 \approx 0\) and \(\varLambda {\,\Vert \,}C {:}{=}\ x_1 \approx y_1 + 1 \wedge y_1 \approx 0{\,\Vert \,}P(x_1)\). This is handled in \(\delta \) by the projection operator \(\pi \) (Definition 15) that binds all variables that appear in \(\varLambda {\,\Vert \,}C\) but not in \(P(\vec {y})\), e.g. in the previous example \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)} {:}{=}\ \pi (\{y_1\}, x_1 \approx y_1 + 1 \wedge y_1 \approx 0)\), where \(\pi (\{y_1\}, x_1 \approx y_1 + 1 \wedge y_1 \approx 0) = \exists y_1. \ x_1 \approx y_1 + 1 \wedge y_1 \approx 0\), which is equivalent to \(x_1 \approx 1\).

  3. 3.

    Some variables might occur in multiple argument positions, e.g. in \(\varLambda {\,\Vert \,}C {:}{=}\ \top {\,\Vert \,}P(y_1,y_1)\). This case is covered in \(\delta \) by the sharing function \(\curlyvee \) (c.f. Definition 16) that expresses which variables in \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)}\) must map to the same value. Continuing the example, \(\curlyvee ((y_1, y_1),(x_1, x_2)) = x_1 \approx x_2\) and \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)}(x_1, x_2) = \curlyvee ((y_1, y_1),(x_1, x_2))\).

The parts of \(P^{\delta (\mathcal {S}, \varLambda {\,\Vert \,}C)}\) that we have not yet discussed are based on the fact that any constrained Horn clause \(\varLambda {\,\Vert \,}C' \vee P(\vec {y})\) can also be written as an implication of the form \(\phi \rightarrow P(\vec {y})\), where and \(\mathcal {S}\nvDash \varLambda {\,\Vert \,}C' \tau \) if and only if \(\mathcal {S}\vDash \phi \tau \). This means the groundings \(\tau \) of \(\varLambda {\,\Vert \,}C'\) not satisfied by \(\mathcal {S}\) are also the groundings of \(\phi \) satisfied by \(\mathcal {S}\). It is straightforward to express these groundings with a conjunctive formula based on \(\varLambda \) and the \(P_i^\mathcal {S}\). The only challenge is the reverse problem from before, i.e. mapping the variables of \(P_i^\mathcal {S}\) to the variables in the literals . This mapping is done in \(\delta \) by the substitution \(\sigma _i\).

Now, based on the production operator \(\delta \) for one clause, we can use an inductive definition over the order \(\prec \) to define an interpretation \(\mathcal {S}_{N}\) for all clauses in N. We distinguish the following auxiliary symbolic interpretations: \(\mathcal {S}_{\prec P}\) which captures progress up to but excluding the predicate P, \(\varDelta _P\) which captures how P should be interpreted considering \(\mathcal {S}_{\prec P}\), and \(\mathcal {S}_{\preceq P}\) which captures progress up to and including the predicate P. The symbolic interpretation \(\varDelta _{P}^{\varLambda {\,\Vert \,}C}\) is the extension of \(\mathcal {S}_{\prec P}\) w.r.t. the single clause \(\varLambda {\,\Vert \,}C\).

Definition 18

(Model Construction). Let N be a finite set of constrained Horn clauses. We define symbolic interpretations \(\mathcal {S}_{\prec P}\), \(\mathcal {S}_{\preceq P}\) and \(\varDelta _{P}\) for all predicates \(P \in \varPi (N)\) by mutual induction over \(\prec \):

$$\mathcal {S}_{\preceq P} {:}{=}\mathcal {S}_{\prec P} \cup \varDelta _P \qquad \mathcal {S}_{\prec P} {:}{=}\bigcup _{Q \prec P} \varDelta _{Q} \qquad \varDelta _{P} {:}{=}\bigcup _{\varLambda {\,\Vert \,}C' \vee P(*) \in N} \varDelta _{P}^{\varLambda {\,\Vert \,}C' \vee P(*)}$$
$$ \varDelta _{P}^{\varLambda {\,\Vert \,}C} {:}{=}{\left\{ \begin{array}{ll} \delta (\mathcal {S}_{\prec P}, \varLambda {\,\Vert \,}C) &{} \text {if} \ P(\vec {y})\ \text {maximal in}\ C,\ \text {and}\ \mathcal {S}_{\prec P} \nvDash \varLambda {\,\Vert \,}C \\ {\mathcal {S}_{\bot }}&{} \text {otherwise} \end{array}\right. } $$

Finally, based on the above inductive definition of \(\mathcal {S}_{\prec P}\) for every predicate symbol \(P \in \varPi (N)\), we arrive at an overall interpretation for N.

Definition 19

(Candidate Interpretation). The candidate interpretation for N (w.r.t \(\prec \)), denoted \(\mathcal {I}_{N}\), is the interpretation associated with the symbolic interpretation \(\mathcal {S}_{N}= \bigcup _{P \in \varPi (N)} \varDelta _P\) where P ranges over all predicate symbols occurring in N.

Note that \(\mathcal {S}_{N}= \mathcal {S}_{\preceq P}\) where P is \(\prec \)-maximal in \(\varPi (N)\). Obviously, we intend that \(\mathcal {S}_{N}\vDash N\) if N is saturated (Theorem 29). Otherwise, i.e. \(\mathcal {S}_{N}\nvDash N\), we can use our construction to find a non-redundant inference (Corollary 30). Consider the following two examples, demonstrating how \(\delta \) sits at the core of the aforementioned inductive definitions of symbolic interpretations.

Example 20

(Dependent Interpretation).Assume \(P \prec Q\) and consider the following set of clauses:

$$\begin{aligned} N&{:}{=}\left\{ \begin{array}{lcll} 0 \le y_1 \le 2, 0 \le y_2 \le 2 &{}\Vert &{} \underline{P(y_1,y_2)} &{}\quad (C_1),\\ y_3 \ge y_1 + 1, y_4 \ge y_2 + 1 &{}\Vert &{} P(y_1,y_2) \rightarrow \underline{Q(y_3,y_4)} &{}\quad (C_2) \end{array} \right\} \end{aligned}$$

Maximal literals are underlined. Since the maximal literals of \(C_1\) and \(C_2\) are both positive, ordered resolution cannot be applied. The set is saturated. Since P is the \(\prec \)-smallest predicate we have \(\mathcal {S}_{\prec P} = {\mathcal {S}_{\bot }}\). Applying the \(\delta \) operator yields the following interpretation for P:

$$P^{\mathcal {S}_{\preceq P}} = P^{\delta (\mathcal {S}_{\prec P}, C_1)}(x_1, x_2) = 0 \le x_1 \le 2 \wedge 0 \le x_2 \le 2$$

Then, Q is interpreted relative to P. Consider the clause \(C_2\): For all solutions of its constraint \(y_3 \ge y_1 + 1, y_4 \ge y_2 + 1\) our model must also satisfy its logical part \(P(y_1,y_2) \rightarrow Q(y_3,y_4)\). The intuition that Q depends on P arises from the implication in the logical part. Whenever the constraint of \(C_2\) and \(P(y_1,y_2)\) are satisfied, \(Q(y_3,y_4)\) must be satisfied. These are exactly the points defined through \(\delta (\mathcal {S}_{\prec Q}, C_2)\), based on \(\mathcal {S}_{\prec Q} = \mathcal {S}_{\preceq P} = \delta (\mathcal {S}_{\prec P}, C_1)\):

$$\begin{aligned} Q^{\delta (\mathcal {S}_{\prec Q}, C_2)}(x_1, x_2)&= \exists z_1, z_2.\ x_1 \ge z_1 + 1 \wedge x_2 \ge z_2 + 1 \wedge 0 \le z_1 \le 2 \wedge 0 \le z_2 \le 2\\&= x_1 \ge 1 \wedge x_2 \ge 1 \end{aligned}$$

Whenever the conjuncts \(0 \le y_1 \le 2\) and \(0 \le y_2 \le 2\) are satisfied, the premise of the implication is true, thus there must be a solution to the interpretation of Q, additionally abiding the constraint of the clause. Since Q is \(\prec \)-maximal in N, we arrive at \(\mathcal {S}_{N}= \mathcal {S}_{\preceq Q} = \mathcal {S}_{\preceq P} \cup \delta (\mathcal {S}_{\prec Q}, C_2) = \delta (\mathcal {S}_{\bot }, C_1) \cup \delta (\mathcal {S}_{\preceq P}, C_2)\). See Fig. 1a for a visual representation of \(\mathcal {S}_{N}\).

Example 21

(Unsaturated Clause Set).Assume \(P \prec Q\) and consider the following set of clauses:

$$\begin{aligned} N&{:}{=}\left\{ \begin{array}{llll} y_1< 0{\,\Vert \,}\underline{P(y_1)} &{}\quad (C_1),&{}\qquad \quad y_1 < 1{\,\Vert \,}\underline{Q(y_1)} &{}\quad (C_3),\\ y_1 > 0{\,\Vert \,}\underline{P(y_1)} &{}\quad (C_2),&{}\qquad \quad y_1 \le 0{\,\Vert \,}\underline{Q(y_1)} \rightarrow P(y_1) &{}\quad (C_4)\\ \end{array} \right\} \end{aligned}$$

Maximal literals are underlined. Note that a resolution inference is possible, since the maximal literals of \(C_3\) and \(C_4\) have opposite polarity, use the same predicate symbol, and are trivially unifiable. Thus, in this example we consider the effect of applying our model construction to a clause set that is not saturated. Since P is \(\prec \)-minimal, we start with the following steps:

$$\begin{aligned} \mathcal {S}_{\prec P}&= {\mathcal {S}_{\bot }}&P^{\delta (\mathcal {S}_{\prec P}, C_1)}(x_1)&= x_1< 0\\{} & {} P^{\delta (\mathcal {S}_{\prec P}, C_2)}(x_1)&= x_1> 0&P^{\mathcal {S}_{\preceq P}}(x_1)&= x_1 < 0 \vee x_1 > 0 \end{aligned}$$

Next, we obtain the following results for Q:

$$\begin{aligned} \mathcal {S}_{\prec Q}&= \mathcal {S}_{\preceq P}&Q^{\delta (\mathcal {S}_{\prec Q}, C_3)}(x_1)&= x_1< 1&\\{} & {} Q^{\delta (\mathcal {S}_{\prec Q}, C_4)}(x_1)&= \bot&Q^{\mathcal {S}_{\preceq Q}}(x_1)&= x_1< 1 \vee \bot = x_1 < 1 \end{aligned}$$

See Fig. 1b for a visual representation of \(\mathcal {S}_{N}= \mathcal {S}_{\preceq Q}\). Note that \(\mathcal {S}_{N}\nvDash C_4\), since we have \(\mathcal {S}_{N}\vDash Q(0)\) but \(\mathcal {S}_{N}\nvDash P(0)\). Thus, by using the constructed model, we can pinpoint clauses that contradict that N is saturated. Applying resolution to \(C_3\) and \(C_4\) leads to the clause \(y_1 \le 0{\,\Vert \,}P(y_1)\) labelled \(C_5\). If we then add \(C_5\) to N, we instead get \(P^{\mathcal {S}_{\preceq P}}(x_1) = x_1 < 0 \vee x_1 > 0 \vee x_1 \le 0 = \top \).

Fig. 1.
figure 1

Visual representation of the models resulting from Examples 20 and 21.

Full size image

In the following, we clarify some properties of the construction. We provide an upper bound for the number of \({\text {LA}}\) atoms and quantifiers in the symbolic model for \({\text {LRA}}\) and \({\text {LQA}}\). Although we do not state it explicitly, the estimate for \({\text {LIA}}\) works in a similar way, but due to the higher complexity of \({\text {LIA}}\) quantifier elimination, the size of the symbolic model grows triple exponentially [36].

Proposition 22

If N is a finite set of \({\text {LRA}}\)/\({\text {LQA}}\) constrained Horn clauses, and \(\mathcal {S}_{N}'\) the result of applying quantifier elimination to \(\mathcal {S}_{N}\) then, for every predicate symbol \(P \in \varPi (N)\), the number of \({\text {LA}}\) atoms in \(P^{\mathcal {S}_{N}'}\) is in \(O(m^{2 \cdot q^{p-1}} \cdot n^{2 \cdot q^{p-1}} \cdot (l+a^2)^{q^p})\) where n is the max. number of clauses with the same max. predicate, m is the max. number of non-arithmetic literals in a clause, l is the max. number of arithmetic literals in a clause, a is the max. arity of any predicate, \(p = |\varPi (N)|\), q is the max. difference of variables in any clause and its positive maximal literal.

Corollary 23

(Effective Construction). If N is a finite set of constrained Horn clauses then for every predicate \(P \in \varPi (N)\), \(P^{\mathcal {S}_{N}}\) is a linear arithmetic formula of finite size, and can be computed in a finite number of steps.

We show that all points in \(P^\mathcal {I}_{N}\) are necessary and justified in some sense, that \(\mathcal {I}_{N}\) is indeed a model of N, and that \(\mathcal {I}_{N}\) is also the least model of N if N is saturated. The notion of whether a clause is productive captures whether it contributes something to the symbolic interpretation.

Definition 24

(Productive Clause). Let P be a predicate symbol with \({\text {arity}}(P) = n\). We say that \(\varLambda {\,\Vert \,}C\) produces if .

Next, we want to formally express that every element of the resulting interpretation is justified. Firstly, we express that the operator \(\delta \) will produce points such that every clause is satisfied whenever necessary, i.e. whenever the maximal literal of the clause is \(P(*)\) and the maximal literal not satisfied by \(\mathcal {S}_{\prec P}\).

Proposition 25

Let \(\varLambda _{C}{\,\Vert \,}C\) where \(C = C' \vee P(\vec {y})\) and \(C' \prec P(\vec {y})\). Let \(\tau \) be a grounding substitution for \(\varLambda _{C}{\,\Vert \,}C\). If \(\mathcal {S}_{\prec P} \nvDash (\varLambda _{C}{\,\Vert \,}C)\tau \), then \(\vDash \varLambda _C\tau \) and \(\mathcal {S}_{\preceq P} \vDash P(\vec {y})\tau \), thus \(\mathcal {S}_{\preceq P} \vDash (\varLambda _{C}{\,\Vert \,}C)\tau \).

Secondly, we express that for every point in \(P^\mathcal {I}_{N}\), it is justified in the sense that there is a clause that produced the point, i.e. this clause would otherwise not be satisfied by the resulting interpretation.

Proposition 26

If \(\mathcal {S}_{\preceq P} \vDash P(\vec {a})\), then there exists a clause \(\varLambda _{C}{\,\Vert \,}C\) where \(C = C' \vee P(\vec {y})\) and \(C' \prec P(\vec {y})\), and there exists a grounding \(\tau \) for \(\varLambda _{C}{\,\Vert \,}C\), such that \(P(\vec {a}) = P(\vec {y})\tau \) and \(\mathcal {S}_{\prec P} \nvDash (\varLambda _{C}{\,\Vert \,}C)\tau \).

Also, observe that once the maximal predicate P of a given clause is interpreted by \(\mathcal {S}_{\preceq P}\), the interpretation of the clause does not change for \(\mathcal {S}_{\preceq Q}\) where \(Q \succ P\).

Corollary 27

Let \(P \prec Q \preceq R\), and P be maximal in clause C. If \(\mathcal {S}_{\preceq P} \vDash \varLambda _{C}{\,\Vert \,}C\) or \(\mathcal {S}_{\prec Q} \vDash \varLambda _{C}{\,\Vert \,}C\), then \(\mathcal {S}_{\prec R} \vDash \varLambda _{C}{\,\Vert \,}C\) and \(\mathcal {S}_{\preceq R} \vDash \varLambda _{C}{\,\Vert \,}C\).

As a result, we know that the full model satisfies N, i.e., \(\mathcal {I}_{N}\vDash N\) if every clause is satisfied at the point of the construction, where the interpretation of its maximal predicate P stays fixed.

Proposition 28

For every clause \(\varLambda _{C}{\,\Vert \,}C \in N\) with maximal predicate P, if \(\mathcal {S}_{\preceq P} \vDash \varLambda _{C}{\,\Vert \,}C\), then \(\mathcal {I}_{N}\vDash N\).

With the above propositions (and some auxiliary properties that can be found in [12]) we show that indeed \(\mathcal {I}_N \vDash N\) if N is saturated and does not contain the empty clause.

Theorem 29

Let \(\prec \) be a clause ordering and N be a set of constrained Horn clauses. If (1.) N is saturated w.r.t. \(\prec \)-resolution, and (2.) \(\square \not \in N\), then \(\mathcal {I}_{N}\vDash N\).

For clauses with positive maximal literal, the fact that they are satisfied by \(\mathcal {I}_{N}\) follows from Proposition 25. For clauses with maximal literal \(\lnot P(*)\), we prove this theorem by contradiction: If there is a minimal clause \(\varLambda _{C}{\,\Vert \,}C\) such that \(\mathcal {S}_{N}\nvDash \varLambda _{C}{\,\Vert \,}C\). We can then exploit Proposition 26 to find the smallest clause \(\varLambda _{D}{\,\Vert \,}D\) that produced the respective instance \(P(\vec {a})\). Applying hierarchic \(\prec \)-resolution to \(\varLambda _{C}{\,\Vert \,}C\) and \(\varLambda _{D}{\,\Vert \,}D\) then yields a non-redundant clause. This idea then leads to the following theorem.

Corollary 30

Let \(\prec \) be a clause ordering and N be a set of constrained Horn clauses. If (1.) \(\mathcal {I}_{N}\nvDash N\), and (2.)\(\square \not \in N\), then there exist two clauses \(\varLambda _{C}{\,\Vert \,}C\), \(\varLambda _{D}{\,\Vert \,}D \in N\) such that: (1.) \(\varLambda _{C}{\,\Vert \,}C\) is the smallest clause not satisfied by \(\mathcal {I}_{N}\), i.e. there exists a grounding \(\tau \) such that \(\mathcal {I}_{N}\nvDash (\varLambda _{C}{\,\Vert \,}C)\tau \), but there does not exist a clause \(\varLambda _{C'}{\,\Vert \,}C' \in N\) with grounding \(\tau '\), such that \(\mathcal {I}_{N}\nvDash (\varLambda _{C'}{\,\Vert \,}C')\tau '\) and \((\varLambda _{C'}{\,\Vert \,}C')\tau ' \prec (\varLambda _{C}{\,\Vert \,}C)\tau \), (2.)\(\lnot P(\vec {a})\) is the maximal literal of \((\varLambda _{C}{\,\Vert \,}C)\tau \), (3.)\(\varLambda _{D}{\,\Vert \,}D\) is the minimal clause that produces \(P(\vec {a})\), (4.)\(\prec \)-resolution is applicable to \(\varLambda _{C}{\,\Vert \,}C\) and \(\varLambda _{D}{\,\Vert \,}D\), and (5.)the resolvent of \(\varLambda _{C}{\,\Vert \,}C\) and \(\varLambda _{D}{\,\Vert \,}D\) is not redundant w.r.t. N.

Additionally, we show that \(\mathcal {I}_N\) is the least model of N, establishing a connection between our approach and the literature on constrained Horn clauses (see [27, Section 4] and [15, Section 2.4.1]) and logic programming (see [31, § 6, p. 37]).

Theorem 31

\(\mathcal {I}_{N}\) is the least model of N.

Fermüller and Leitsch define four postulates (see [19] as cited in [13, Section 5.1, p. 234]) regarding automated model building. In the following, we instantiate the postulates for our setting. By \(\mathfrak {S}(N)\) we denote the set of all symbolic interpretations of the set of constrained Horn clauses N. We argue how our approach satisfies all postulates, one by one:

  • Uniqueness. Each element of \(\mathfrak {S}(N)\) specifies a single interpretation of N.

    We have shown (cf. Theorem 31) that \(\mathcal {I}_N\), the model represented by \(\mathcal {S}_N\), is the least model of N, which is unique.

  • Atom Test. There exists a fast procedure to evaluate arbitrary ground atoms over \(\varPi (N)\) in the interpretation defined by a \(\mathcal {S}\) in \(\mathfrak {S}(N)\).

    This is a special case of clause evaluation (cf. Proposition 14): A ground atom \(P(\vec {t})\) is true in \(\mathcal {S}\) if and only if \(\vDash P^{\mathcal {S}}(\vec {x})\{ x_i \mapsto t_i \mid 1 \le i \le |\vec {x}| = |\vec {t}|\}\). Fulfillment of this property thus hinges on the meaning of “fast”. We consider methods for evaluating formulas of \({\text {LA}}\) against points to be fast.

  • Formula Evaluation. There exists an algorithm deciding the truth values of arbitrary formulas in interpretations defined by \(\mathcal {S}\in \mathfrak {S}(N)\).

    Proposition 14 states that evaluating a constrained clause \(\varLambda {\,\Vert \,}C\) is achieved by evaluating the universal closure of \((\varLambda {\,\Vert \,}C)^{\mathcal {S}}\), which is decided by quantifier elimination algorithms for \({\text {LRA}}\), \({\text {LQA}}\), and \({\text {LIA}}\) [14, 32]. For sets of clauses, evaluate each clause individually and combine the results conjunctively.

  • Equivalence Test. There exists an algorithm which decides whether two representations \(\mathcal {S}_1\) and \(\mathcal {S}_2\) in \(\mathfrak {S}(N)\) describe the same interpretation.

    \(\mathcal {S}_1\) and \(\mathcal {S}_2\) describe the same interpretation if and only if for each predicate \(P \in \varPi (N)\) of arity n, we have \(\forall x_1 \dots \forall x_n . \, P^{\mathcal {S}_1}(\vec {x}) \leftrightarrow P^{\mathcal {S}_2}(\vec {x})\).

4 Conclusion

We have presented the first model construction approach to Horn clauses with linear arithmetic constraints based on hierarchic ordered resolution, (cf. Definition 19). The linear arithmetic constraints may range over the reals, rationals, or integers. The computed model is the canonical least model of the saturated Horn clause set (cf. Theorem 31). Clauses can be effectively evaluated with respect to the model (cf. Proposition 14). This offers a way to explore the properties of a saturated clause set, e.g., if the set represents a failed refutation attempt.

Future Work. It is straightforward to see that any symbolic \({\text {LQA}}\) model is also a symbolic \({\text {LRA}}\) model. (This holds due to convexity of conjunctions of ground \({\text {LQA}}\) atoms.) So even if the axiom of choice is not assumed, there is an alternative way to obtain a model for a \({\text {HBS}}({\text {LRA}})\) clause set: Simply treat it as an \({\text {HBS}}({\text {LQA}})\) clause set, saturate it and construct its model based on \({\text {HBS}}({\text {LQA}})\).

In this work, we restrict ourselves to only one sort \({\text {LA}}\) per set of clauses. An extension to a many-sorted setup, e.g. including first-order variables with sort \(\mathcal {F}\) is possible. This can even be simulated, by encoding first-order constants as concrete natural numbers via a bijection to \(\mathbb {N}\), since \(\mathbb {N} \subset \mathcal {U}\). By not placing any arithmetic constraints on the variables used for the encoding, it can be read off and mapped back from the resulting model.

One obvious challenge is relaxation of the restriction to Horn clauses. With respect to ordered resolution saturation there is typically no difference in the sense that if a Horn fragment can always be finitely saturated, so can the non-Horn fragment be. However, our proposed ordering for the model construction at the granularity of predicate symbols will not suffice in this general case, and the key to overcome this challenge seems to be the appropriate treatment of clauses with maximal literals of the same predicate. Backtracking on the selection of literals might also be sufficient.

The approach we presented does not exploit features of linear arithmetic beyond equality and the existence of a well-founded order for the underlying universe \(\mathcal {U}\). The results may therefore be adapted to other constraint domains such as non-linear arithmetic.