Coinduction in Uniform: Foundations for Corecursive Proof Search with Horn Clauses

We establish proof-theoretic, constructive and coalgebraic foundations for proof search in coinductive Horn clause theories. Operational semantics of coinductive Horn clause resolution is cast in terms of coinductive uniform proofs; its constructive content is exposed via soundness relative to an intuitionistic first-order logic with recursion controlled by the later modality; and soundness of both proof systems is proven relative to a novel coalgebraic description of complete Herbrand models.


Introduction
Horn clause logic is a Turing complete and constructive fragment of first-order logic that plays a central role in verification [21], automated theorem proving [52,57,53] and type inference. Examples of the latter can be traced from the Hindley-Milner type inference algorithm [55,74], to more recent uses of Horn clauses in Haskell type classes [51,25] and in refinement types [42,27]. Its popularity can be attributed to well-understood fixed point semantics and an efficient semi-decidable resolution procedure for automated proof search.
According to the standard fixed point semantics [78,52], given a set of Horn clauses, the least Herbrand model for is the set of all (finite) ground atomic formulae inductively entailed by . For example, the two clauses below define the set of natural numbers in the least Herbrand model.
nat0 : nat 0
nat : ∀ . nat → nat ( )
Formally, the least Herbrand model for the above two clauses is the set of ground atomic formulae obtained by taking a (forward) closure of the above two clauses. The model for nat is given by N = {nat 0, nat ( 0), nat ( ( 0)), . . .}.
We can also view Horn clauses coinductively. The greatest complete Herbrand model for a set of Horn clauses is the largest set of finite and infinite ground atomic formulae coinductively entailed by . For example, the greatest complete Herbrand model for the above two clauses is the set N ∞ = N ∪ {nat ( ( (· · · )))}, obtained by taking a backward closure of the above two inference rules on the set of all finite and infinite ground atomic formulae. The greatest Herbrand model is the largest set of finite ground atomic formulae coinductively entailed by . In our example, it would be given by N already. Finally, one can also consider the least complete Herbrand model, which interprets entailment inductively but over potentially infinite terms. In the case of nat, this interpretation does not differ from N . However, finite paths in coinductive structures like transition systems, for example, require such semantics.
The need for coinductive semantics of Horn clauses arises in several scenarios: the Horn clause theory may explicitly define a coinductive data structure or a coinductive relation. However, it may also happen that a Horn clause theory, which is not explicitly intended as coinductive, nevertheless gives rise to infinite inference by resolution and has an interesting coinductive model. This commonly happens in type inference. We will illustrate all these cases by means of examples.
Horn clause theories as coinductive data type declarations. The following clause defines, together with nat0 and nat , the type of streams over natural numbers.
This Horn clause does not have a meaningful inductive, i.e. least fixed point, model. The greatest Herbrand model of the clauses is given by S = N ∞ ∪ {stream(scons 0 (scons 1 · · · )) | nat 0 , nat 1 , . . . ∈ N ∞ } In trying to prove, for example, the goal (stream ), a goal-directed proof search may try to find a substitution for that will make (stream ) valid relative to the coinductive model of this set of clauses. · · · , thereby generating a stream of zeros via composition of the computed substitutions: = (scons 0 ) [scons 0 / ] · · · . Above, we annotated each resolution step with the label of the clause it resolves against and the computed substitution. A method to compute an answer for this infinite sequence of reductions was given by Gupta et al. [40] and Simon et al. [70]: the underlined loop gives rise to the circular unifier = scons 0 that corresponds to the infinite term . It is proven that, if a loop and a corresponding circular unifier are detected, they provide an answer that is sound relative to the greatest complete Herbrand model of the clauses. This approach is known under the name of CoLP.
Horn Clause Theories in Type Inference. The clauses below give the typing rules of the simply typed λ-calculus, and may be used for type inference or type checking: Horn clauses 1 : ∀ . It is well known that the -combinator is not typable in the simply-typed λ-calculus and, in particular, self-application is not typable either. However, by switching off the occurs-check in Prolog or by allowing circular unifiers in CoLP [40,70], we can resolve the goal "typed [] ( (app )) " and would compute the circular substitution: = → , = → suggesting that an infinite, or circular, type may be able to type this λ-term. A similar trick would provide a typing for the -combinator. Thus, a coinductive interpretation of the above Horn clauses yields a theory of infinite types, while an inductive interpretation corresponds to the standard type system of the simply typed λ-calculus.
Horn Clause Theories in Type Class Inference. Haskell type class inference does not require circular unifiers but may require a cyclic resolution inference [51,35]. Consider, for example, the following mutually defined data structures in Haskell.

    data OddList a = OCons a (EvenList a)
    data EvenList a = Nil | ECons a (OddList a)
This type declaration gives rise to the following equality class instance declarations, where we leave the, here irrelevant, body out.
    instance (Eq a, Eq (EvenList a)) => Eq (OddList a) where
    instance (Eq a, Eq (OddList a)) => Eq (EvenList a) where

The above two type class instance declarations have the shape of Horn clauses. Since the two declarations mutually refer to each other, an instance inference for, e.g., Eq (OddList Int) will give rise to an infinite resolution that alternates between the subgoals Eq (OddList Int) and Eq (EvenList Int).
The solution is to terminate the computation as soon as the cycle is detected [51], and this method has been shown sound relative to the greatest Herbrand models in [34]. We will demonstrate this later in the proof systems proposed in this paper.
The diversity of these coinductive examples in the existing literature shows that there is a practical demand for coinductive methods in Horn clause logic, but it also shows that no unifying proof-theoretic approach exists to allow for a generic use of these methods. This causes several problems.
Problem 1. The existing proof-theoretic coinductive interpretations of cycle and loop detection are unclear, incomplete and not uniform.
To see this, consider Tab. 1, which exemplifies three kinds of circular phenomena in Horn clauses: The clause 1 is the easiest case. Its coinductive models are given by the finite set { }. On the other extreme is the clause 3 that, just like stream , admits only an infinite formula in its coinductive model. The intermediate case is 2 , which could be interpreted by an infinite set of finite formulae in its greatest Herbrand model, or may admit an infinite formula in its greatest complete Herbrand model.
Examples like 1 appear in Haskell type class resolution [51], and examples like 2 in its experimental extensions [35]. Cycle detection would only cover computations for 1 , whereas 2 , 3 require some form of loop detection. However, CoLP's loop detection gives confusing results here. It correctly fails to infer from 3 (no unifier for subgoals and ( ) exists), but incorrectly fails to infer from 2 (also failing to unify and ( )). The latter failure is misleading bearing in mind that is in fact in the coinductive model of 2 . Vice versa, if we interpret the CoLP answer = as a declaration of an infinite term ( . . .) in the model, then CoLP's answer for 3 and is exactly correct, however the same answer is badly incomplete for the query involving and 2 , because 2 in fact admits other, finite, formulae in its models. And in some applications, e.g. in Haskell type class inference, a finite formula would be the only acceptable answer for any query to 2 .
This set of examples shows that loop detection is too coarse a tool to give an operational semantics to a diversity of coinductive models.
Problem 2. Constructive interpretation of coinductive proofs in Horn clause logic is unclear. Horn clause logic is known to be a constructive fragment of FOL. Some applications of Horn clauses rely on this property in a crucial way. For example, inference in Haskell type class resolution is constructive: when a certain formula is inferred, the Haskell compiler in fact constructs a proof term that inhabits seen as type. In our earlier example Eq (OddList Int) of the Haskell type classes, Haskell in fact captures the cycle by a fixpoint term and proves that inhabits the type Eq (OddList Int). Although we know from [34] that these computations are sound relative to greatest Herbrand models of Horn clauses, the results of [34] do not extend to Horn clauses like 3 or stream , or generally to Horn clauses modelled by the greatest complete Herbrand models. This shows that there is not just a need for coinductive proofs in Horn clause logic, but constructive coinductive proofs.
Problem 3. Incompleteness of circular unification for irregular coinductive data structures. Table 1 already showed some issues with incompleteness of circular unification. A more famous consequence of it is the failure of circular unification to capture irregular terms. This is illustrated by the following Horn clause, which defines the infinite stream of successive natural numbers.
The reductions for from 0 consist only of irregular (non-unifiable) formulae: The composition of the computed substitutions would suggest as answer an infinite term that is given by from 0 (scons 0 (scons ( 0) . . .)). However, circular unification no longer helps to compute this answer, and CoLP fails. Thus, there is a need for more general operational semantics that allows irregular coinductive structures.
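The following Python program is an added illustration, not code from the paper: it runs depth-first Horn clause resolution with cycle detection (a subgoal identical to one of its ancestors closes the branch) on the eq clauses for OddList/EvenList and on the clause for the stream of successive numbers, where no goal ever repeats. The term encoding, the step bound, the constant b, and the written-out clause variables (the formulas on this page lost their symbols) are assumptions of this example.

```python
from itertools import count

# Terms: a variable is a str; any other term is a tuple (functor, arg1, ..., argn).
# A clause is (head, [body atoms]). All names are constructed for this example.
_fresh = count()

def walk(t, s):
    """Follow variable bindings in the substitution s."""
    while isinstance(t, str) and t in s:
        t = s[t]
    return t

def apply(t, s):
    """Apply the substitution s to the term t exhaustively."""
    t = walk(t, s)
    return t if isinstance(t, str) else (t[0],) + tuple(apply(a, s) for a in t[1:])

def occurs(v, t, s):
    t = walk(t, s)
    return t == v if isinstance(t, str) else any(occurs(v, a, s) for a in t[1:])

def unify(a, b, s):
    """First-order unification with occurs check: extended substitution or None."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, str):
        return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, str):
        return None if occurs(b, a, s) else {**s, b: a}
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def rename(clause):
    """Give the clause fresh variable names before resolving against it."""
    n = next(_fresh)
    def r(t):
        return f"{t}_{n}" if isinstance(t, str) else (t[0],) + tuple(r(a) for a in t[1:])
    head, body = clause
    return r(head), [r(b) for b in body]

def solve(program, goals, s, steps, cfg):
    """Depth-first resolution; goals is a list of (atom, ancestors) pairs."""
    if not goals:
        yield s
        return
    (atom, ancestors), rest = goals[0], goals[1:]
    g = apply(atom, s)
    # Cycle detection: the goal already occurs on its own branch. Every ancestor
    # was resolved against a program clause, so the repetition is guarded.
    if cfg["cycles"] and any(apply(a, s) == g for a in ancestors):
        yield from solve(program, rest, s, steps, cfg)
        return
    if steps >= cfg["bound"]:
        cfg["cut"] = True          # gave up: no finite derivation within the bound
        return
    for clause in program:
        head, body = rename(clause)
        s2 = unify(g, head, s)
        if s2 is not None:
            sub = [(b, ancestors + (g,)) for b in body]
            yield from solve(program, sub + rest, s2, steps + 1, cfg)

def run(program, goal, cycles, bound=25):
    """Return 'proved', 'failed', or 'bound reached' for a single goal."""
    cfg = {"cycles": cycles, "bound": bound, "cut": False}
    answer = next(solve(program, [(goal, ())], {}, 0, cfg), None)
    if answer is not None:
        return "proved"
    return "bound reached" if cfg["cut"] else "failed"

I = ("i",)
# eq i;  eq X and eq (even X) -> eq (odd X);  eq X and eq (odd X) -> eq (even X)
EQ = [
    (("eq", I), []),
    (("eq", ("odd", "X")), [("eq", "X"), ("eq", ("even", "X"))]),
    (("eq", ("even", "X")), [("eq", "X"), ("eq", ("odd", "X"))]),
]
# Assumed reading of the stream clause: from (s X) Y -> from X (scons X Y)
FROM = [(("from", "X", ("scons", "X", "Y")), [("from", ("s", "X"), "Y")])]

if __name__ == "__main__":
    print(run(EQ, ("eq", ("odd", I)), cycles=True))          # cycle closes the proof
    print(run(EQ, ("eq", ("odd", I)), cycles=False))         # inductive reading loops
    print(run(EQ, ("eq", ("odd", ("b",))), cycles=True))     # no instance for b
    print(run(FROM, ("from", ("0",), "Z"), cycles=True))     # irregular: no cycle
```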

A New Theory of Coinductive Proof Search in Horn Clause Logic
In this paper, we aim to give a principled and general theory that resolves the three problems above. This theory establishes a constructive foundation for coinductive resolution and allows us to give proof-theoretic characterisations of the approaches that have been proposed throughout the literature.
Figure 1: Cube of logics covered by CUP (vertices: co-fohc, co-fohh, co-hohc, co-hohh, co-fohc_fix, co-fohh_fix, co-hohc_fix, co-hohh_fix)
To solve Problem 1, we follow the footsteps of the uniform proofs by Miller et al. [53,54], who gave a general proof-theoretic account of resolution in first-order Horn clause logic (fohc) and three extensions: first-order hereditary Harrop clauses (fohh), higher-order Horn clauses (hohc), and higher-order hereditary Harrop clauses (hohh). In Sec. 3, we extend uniform proofs with a general coinduction proof principle. The resulting framework is called coinductive uniform proofs (CUP). We show how the coinductive extensions of the four logics of Miller et al., which we name co-fohc, co-fohh, co-hohc and co-hohh, give a precise proof-theoretic characterisation to the different kinds of coinduction described in the literature. For example, coinductive proofs involving the clauses 1 and 2 belong to co-fohc and co-fohh, respectively. However, proofs involving clauses like 3 or stream require in addition fixed point terms to express infinite data. These extensions are denoted by co-fohc_fix, co-fohh_fix, co-hohc_fix and co-hohh_fix. Sec. 3 shows that this yields the cube in Fig. 1, where the arrows show the increase in logical strength. The invariant search for regular infinite objects done in CoLP is fully described by the logic co-fohc_fix, including proofs for clauses like 3 and stream . An important consequence is that CUP is complete for 1 , 2 , and 3 , e.g.
is provable from 2 in CUP, but not in CoLP. In tackling Problem 3, we will find that the irregular proofs, such as those for from , can be given in co-hohh_fix. The stream of successive numbers can be defined as a higher-order fixed point term fr = fix . . scons ( ( )), and the proposition ∀ . from ( fr ) is provable in co-hohh_fix. This requires the use of higher-order syntax, fixed point terms and the goals of universal shape, which become available in the syntax of Hereditary Harrop logic.
In order to solve Problem 2 and to expose the constructive nature of the resulting proof systems, we present in Sec. 4 a coinductive extension of first-order intuitionistic logic and its sequent calculus. This extension (iFOL ) is based on the so-called later modality (or Löb modality) known from provability logic [15,72], type theory [58,7] and domain theory [19]. However, our way of using the later modality to control recursion in first-order proofs is new and builds on [12,13]. In the same section we also show that CUP is sound relative to iFOL , which gives us a handle on the constructive content of CUP. This yields, among other consequences, a constructive interpretation of CoLP proofs. Section 5 is dedicated to showing soundness of both coinductive proof systems relative to complete Herbrand models [52]. The construction of these models is carried out by using coalgebras and category theory. This frees us from having to use topological methods and will simplify future extensions of the theory to, e.g., encompass typed logic programming. It also makes it possible to give original and constructive proofs of soundness for both CUP and iFOL in Section 5. We finish the paper with discussion of related and future work.

Originality of the contribution
The results of this paper give a comprehensive characterisation of coinductive Horn clause theories from the point of view of proof search (by expressing coinductive proof search and resolution as coinductive uniform proofs), constructive proof theory (via a translation into an intuitionistic sequent calculus), and coalgebraic semantics (via coinductive Herbrand models and constructive soundness results). Several of the presented results have never appeared before: the coinductive extension of uniform proofs; characterisation of coinductive properties of Horn clause theories in higher-order logic with and without fixed point operators; coalgebraic and fibrational view on complete Herbrand models; and soundness of an intuitionistic logic with later modality relative to complete Herbrand models.
Figure 2: Well-Formed Terms

Preliminaries: Terms and Formulae
In this section, we set up notation and terminology for the rest of the paper. Most of it is standard, and blends together the notation used in [53] and [10].
Definition 1. We define the sets T of types and P of proposition types by the following grammars, where and are the base type and base proposition type.
We adopt the usual convention that → binds to the right.
Definition 2. A term signature Σ is a set of pairs : , where ∈ T, and a predicate signature is a set Π of pairs : with ∈ P. The elements in Σ and Π are called term symbols and predicate symbols, respectively. Given term and predicate signatures Σ and Π, we refer to the pair (Σ, Π) as signature. Let Var be a countable set of variables, the elements of which we denote by , , . . . We call a finite list Γ of pairs : of variables and types a context. The set Λ Σ of (well-typed) terms over Σ is the collection of all with Γ : for some context Γ and type ∈ T, where Γ : is defined inductively in Fig. 2. We will use in the following that the above calculus features subject reduction and confluence, cf. [61]: if Γ : and ≡ , then Γ : ; and ≡ iff there is a term , such that and . The order of a type ∈ T is given as usual by ord( ) = 0 and ord( → ) = max{ord( ) + 1, ord( )}. If ord( ) ≤ 1, then the arity of is given by ar( ) = 0 and ar( → ) = ar( ) + 1. A signature Σ is called first-order, if for all : ∈ Σ we have ord( ) ≤ 1. We let the arity of then be ar( ) and denote it by ar( ).
Definition 5. The set of guarded base terms over a first-order signature Σ is given by the following type-driven rules.
: ∈ Γ ord( ) ≤ 1 Γ : : ∈ Σ Γ : :
General guarded terms are terms , such that all fix-subterms are guarded base terms, which means that they are generated by the following grammar.
Finally, is a first-order term over Σ with Γ : if ord( ) ≤ 1 and the types of all variables occurring in Γ are of order 0. We denote the set of guarded first-order terms with Γ : by Λ ,1 Σ (Γ) and the set of guarded terms in Γ by Λ Σ (Γ). If Γ is empty, we just write Λ ,1 Σ and Λ Σ , respectively.
Note that an important aspect of guarded terms is that no free variable occurs under a fix-operator. Guarded base terms should be seen as specific fixed point terms that we will be able to unfold into potentially infinite trees. Guarded terms close guarded base terms under operations of the simply typed λ-calculus.
1. Let fr = fix . . scons ( ( )) be the function that computes the streams of numerals starting at the given argument. It is easy to show that fr : → and so fr 0 ∈ Λ ,1 Σ .
3. We have :
The purpose of guarded terms is that these are productive, that is, we can reduce them to a term that either has a function symbol at the root or is just a variable. In other words, guarded terms have head normal forms: We say that a term is in head normal form, if = #for some ∈ Σ or if = for some variable . The following lemma is a technical result that is needed to show in Lem. 8 that all guarded terms have a head normal form.
Proof. The term with Γ : can have either of the following three shapes: #with Γ, : , 1 : , . . . , ar( ) : : for = 1, . . . , ar( ) and Γ : for = 1, . . . , ar( ), because variables can only occur in argument position due to the order restriction of the types in Γ. In the first two cases we are done immediately. For the third case, we let = fix . #-.
#and then find that Lemma 7 gives us now that each / , #-/ #is guarded. Finally, if #-, then #-≡ #by confluence of the reduction relation.
In Lem. 7 we have shown that guarded base terms are stable under substitution, that is, substituting a guarded base term into another results in a guarded base term. The following lemma shows that the same is true for guarded terms. This result is necessary to define substitution for formulae over guarded terms, see Def. 10.
Proof. By an easy induction on .
We end this section by introducing the notion of an atom and refinements thereof. This will enable us to define the different logics and thereby to analyse the strength of coinduction hypotheses, which we promised in the introduction.
Definition 10. A formula of the shape or 1 · · · is an atom and a
• first-order atom, if and all the terms are first-order;
• guarded atom, if all terms are guarded; and
• simple atom, if all terms are non-recursive, that is, are in Λ − Σ .
First-order, guarded and simple atoms are denoted by At 1 , At and At . We denote conjunctions of these predicates by At 1 = At 1 ∩ At and At 1 = At 1 ∩ At .
Note that the restriction for At only applies to fixed point terms. Hence, any formula that contains terms without fix is already in At and At ∩ At = At . Since these notions are rather subtle, we give a few examples.
Example 11. We list three examples of first-order atoms.
1. For : we have stream ∈ At 1 , but there are also "garbage" formulae like "stream ( fix . )" in At 1 . Examples of atoms that are not first-order are , where : ( → ) → or : → : .
2. Our running example "from 0 ( fr 0)" is a first-order guarded atom in At 1 .
3. The formulae in At 1 may not contain recursion and higher-order features. However, the atoms of Horn clauses in a logic program fit in here.

Coinductive Uniform Proofs
This section introduces the eight logics of the coinductive uniform proof framework announced and motivated in the introduction. The major difference of uniform proofs with, say, a sequent calculus is the "uniformity" property, which means that the choice of the application of each proof rule is deterministic and all proofs are in normal form (cut free). This subsumes the operational semantics of resolution, in which the proof search is always goal directed. Hence, the main challenge, that we set out to solve in this section, is to extend the uniform proof framework with coinduction, while preserving this valuable operational property. We begin by introducing the different goal formulae and definite clauses that determine the logics that were presented in the cube for coinductive uniform proofs in the introduction. These clauses and formulae correspond directly to those of the original work on uniform proofs [53] with the only difference being that we need to distinguish atoms with and without fixed point terms. The general idea is that goal formulae ( -formulae) occur on the right of a sequent, thus are the goal to be proved. Definite clauses ( -formulae), on the other hand, are selected from the context as assumptions. This will become clear once we introduce the proof system for coinductive uniform proofs.
The sets of definite clauses ( -formulae) and goals ( -formulae) of the four logics co-fohc, co-fohh, co-hohc, co-hohh are the well-formed formulae of the corresponding shapes defined in Tab. 2. For the variations co-fohh_fix etc. of these logics with fixed point terms, we replace upper index " " with " " everywhere in Tab. 2. A -formula of the shape ∀ #-. 1 ∧ · · · ∧ → 0 is called -formula or Horn clause if ∈ At 1 , and -formula if ∈ At 1 . Finally, a logic program (or program) is a set of -formulae. Note that any set of -formulae in fohc can be transformed into an intuitionistically equivalent set of -formulae [53].
We are now ready to introduce the coinductive uniform proofs. Such proofs are composed of two parts: an outer coinduction that has to be at the root of a proof tree, and the usual uniform proofs by Miller et al. [54]. The latter are restated in Fig. 4. Of special notice is the rule that mimics the operational behaviour of resolution in logic programming, by choosing a clause from the given program to resolve against. The coinduction is started by the rule in Fig. 5. Our proof system mimics the typical recursion with a guard condition found in coinductive programs and proofs [7,5,18,30,38]. This guardedness condition is formalised by applying the guarding modality _ on the formula being proven by coinduction and the proof rules that allow us to distribute the guard over certain logical connectives, see Fig. 5. The guarding modality may be discharged only if the guarded goal was resolved against a clause in the initial program or any hypothesis, except for the coinduction hypotheses. This is reflected in the rule , where we may only pick a clause from , and is in contrast to the rule , in which we can pick any hypothesis. The proof may only terminate with the step if the goal is no longer guarded. Note that the rule introduces a goal as a new hypothesis. Hence, we have to require that this goal is also a definite clause. Since coinduction hypotheses play such an important role, they deserve a separate definition.
Definition 13. Given a language from Tab. 2, a formula is a coinduction goal of if simultaneously is a -and a -formula of .
Note that the coinduction goals of co-fohc and co-fohh can be transformed into equivalent -or -formulae, since any coinduction goal is a -formula. Let us now formally introduce the coinductive uniform proof system.

Definition 14. Let and Δ be finite sets of, respectively, definite clauses and coinduction goals, over the signature Σ, and suppose that is a goal and is a coinduction goal. A sequent is either a uniform provability sequent of the form Σ; ; Δ =⇒ or Σ; ; Δ = = ⇒ as defined in Fig. 4, or it is a coinductive uniform provability sequent of the form Σ; as defined in Fig. 5. Let be a language from Tab. 2. We say that is coinductively provable in , if is a set of -formulae in , is a coinduction goal in and Σ; holds.
The logics we have introduced impose different syntactic restrictions on -and -formulae, and will therefore admit coinduction goals of different strength. This ability to explicitly use stronger coinduction hypotheses within a goal-directed search was missing in CoLP, for example. And it allows us to account for different coinductive properties of Horn clauses as described in the introduction. We finish this section by illustrating this strengthening.
Figure 5: Coinductive Uniform Proof Rules
The first example is one for the logic co-fohc, in which we illustrate the framework on the problem of type class resolution.
Example 15. Let us restate the Haskell type class inference problem discussed in the introduction in terms of Horn clauses:
i : eq i
odd : ∀ . eq ∧ eq (even ) → eq (odd )
even : ∀ . eq ∧ eq (odd ) → eq (even )
To prove eq (odd i) for this set of Horn clauses, it is sufficient to use this formula directly as coinduction hypothesis, as shown in Fig. 6. Note that this formula is indeed a coinduction goal of co-fohc, hence we find ourselves in the simplest scenario of coinductive proof search. In Tab. 1, 1 is a representative for this kind of coinductive proofs with simplest atomic goals.
Figure 6: The co-fohc proof for Horn clauses arising from Haskell type class examples; the coinduction hypothesis eq (odd i) is abbreviated in the proof tree and used in the branch ♠.
It was pointed out in [35] that Haskell's type class inference can also give rise to irregular corecursion. Such cases may require the more general coinduction hypothesis (e.g. universal and/or implicative) of co-fohh or co-hohh. The below set of Horn clauses is a simplified representation of a problem given in [35]: Trying to prove eq ( i) by using eq ( i) directly as a coinduction hypothesis is deemed to fail, as the coinductive proof search is irregular and this coinduction hypothesis would not be applicable in any guarded context. But it is possible to prove eq ( i) as a corollary of another theorem: ∀ . (eq ) → eq ( ). Using this formula as coinduction hypothesis leads to a successful proof, which we omit here. From this more general goal, we can derive the original goal by instantiating the quantifier with i and eliminating the implication with i . This second derivation is sound with respect to the models, as we show in Thm. 39.
We encounter 2 from Tab. 1 in a similar situation: To prove , we first have to prove ∀ . in co-fohh, and then obtain as a corollary by appealing to Thm. 39. The next example shows that we can cover all cases in Tab. 1 by providing a proof in co-hohh_fix that involves irregular recursive terms.
Example 16. Recall the clause ∀ . from ( ) → from (scons ) that we named from in the introduction. Proving ∃ . from 0 is again not possible directly. Instead, we can use the term fr = fix . . scons ( ( )) from Ex. 6 and prove ∀ . from ( fr ) coinductively, as shown in Fig. 7. This formula gives a coinduction hypothesis of sufficient generality. Note that the correct coinduction hypothesis now requires the fixed point definition of an infinite stream of successive numbers and universal quantification in the goal. Hence the need for the richer language of co-hohh_fix. From this more general goal we can derive our initial goal ∃ .from 0 by instantiating with fr 0.
Figure 7: The co-hohh_fix proof for ∀ . from ( fr ). Note that the last step of the leftmost branch involves from (scons ( fr ( ))) ≡ from ( fr ).
There are examples of coinductive proofs that require a fixed point definition of an infinite stream, but do not require the syntax of higher-order terms or hereditary Harrop formulae. Such proofs can be performed in the co-fohc_fix logic. A good example is a proof that the stream of zeros satisfies the Horn clause theory defining the predicate stream in the introduction. The goal (stream 0 ), with 0 = fix . scons 0 can be proven directly by coinduction. Similarly, one can type self-application with the infinite type = fix . → for some given type . The proof for typed [ : ] (app ) is then in co-fohc_fix. Finally, the clause 3 is also in this group. More generally, circular unifiers obtained from CoLP's [40] loop detection yield immediately guarded fixed point terms, and thus CoLP corresponds to coinductive proofs in the logic co-fohc_fix. A general discussion of Horn clause theories that describe infinite objects was given in [47], where the above logic programs were identified as being productive.

Coinductive Uniform Proofs and Intuitionistic Logic
In the last section, we introduced the framework of coinductive uniform proofs, which gives an operational account to proofs for coinductively interpreted logic programs. Having this framework at hand, we need to position it in the existing ecosystem of logical systems. The goal of this section is to prove that coinductive uniform proofs are in fact constructive. We show this by first introducing an extension of intuitionistic first-order logic that allows us to deal with recursive proofs for coinductive predicates. Afterwards, we show that coinductive uniform proofs are sound relative to this logic by means of a proof tree translation. The model-theoretic soundness proofs for both logics will be provided in Section 5.
We begin by introducing an extension of intuitionistic first-order logic with the so-called later modality, written . This modality is the essential ingredient that allows us to equip proofs with a controlled form of recursion. The later modality stems originally from provability logic, which characterises transitive, well-founded Kripke frames [29,73], and thus allows one to carry out induction without an explicit induction scheme [15]. Later, the later modality was picked up by the type-theoretic community to control recursion in coinductive programming [7,8,20,56,58], mostly with the intent
Formally, the logic iFOL is given by the following definition.
Definition 17. The formulae of iFOL are given by Def. 3 and the rule: Γ Γ Conversion extends to these formulae in the obvious way. Let be a formula and Δ a sequence of formulae in iFOL . We say is provable in context Γ under the assumptions Δ in iFOL , if Γ | Δ holds. The provability relation is thereby given inductively by the rules in Fig. 8 and Fig. 9.
The rules in Fig. 8 are the usual rules for intuitionistic first-order logic and should come as no surprise. More interesting are the rules in Fig. 9, where the rule (Löb) introduces recursion into the proof system. Furthermore, the rule (Mon) allows us to distribute the later modality over implication, and consequently over conjunction and universal quantification. This is essential in the translation in Thm. 20 below. Finally, the rule (Next) gives us the possibility to proceed without any recursion, if necessary.
Note that so far it is not possible to use the assumption introduced in the (Löb)-rule. The idea is that the formulae of a logic program provide us the obligations that we have to prove, possibly by recursion, in order to prove a coinductive predicate. This is cast in the following definition.
( 1 ∧ · · · ∧ ) → . For a logic program , we define its guarding by guarding each formula in .
The following admissible rules are easily derivable in the logic iFOL and are essential in showing soundness of co-hohh_fix with respect to iFOL . Proof.
• Preservation of well-formed formulae under conversion follows by induction on formulae from type preservation of reductions.
• The well-formedness of follows from provability by induction on .
• Weakening is also given by induction on .
• The other rules follow from implication introduction and elimination, and monotonicity of .
The translation given in Def. 18 of a logic program into formulae that admit recursion corresponds to unfolding a coinductive predicate, cf. [13]. We show now how to transform a coinductive uniform proof tree into a proof tree in iFOL , such that the recursion and guarding mechanisms in both logics match up.
Theorem 20. If is a logic program over a rst-order signature Σ and the sequent Σ; is provable in co-hohh x , then is provable in iFOL .
To prove this theorem, one uses that each coinductive uniform proof tree starts with an initial tree that has an application of the -rule at the root and that eliminates the guard by using the rules in Fig. 5. At the leaves of this tree, one nds proof trees that proceed only by means of the rules in Fig. 4. The initial tree is then translated into a proof tree in iFOL that starts with an application of the (Löb)-rule, which corresponds to the -rule, and that simultaneously transforms the coinduction hypothesis and applies introduction rules for conjunctions etc. This ensures that we can match the coinduction hypothesis with the guarded formulae of the program .
Proof. We provide a sketch of the proof. First, we note that the coinduction goal in co-hohh x is given by the following grammar.

CG
At | CG → CG | CG ∧ CG | ∀ : . CG Thus, a coinduction goal is the restriction of FOL to implication, conjunction and universal quantification. Note that such a coinduction goal is intuitionistically equivalent to a conjunction of Horn-clauses. Assume that we are given a uniform proof tree . We translate this tree into a proof tree in iFOL . The proof proceeds in the following steps.

The first step of a proof tree starting in Σ;
must be an application of the rule to a proof tree 1 ending in Σ; ; =⇒ . This step can be directly translated into an application of the Löb rule. Hence, if 1 is the translation of 1 with conclusion , , then is given by applying (Löb) to 1 , thereby obtaining a proof tree ending in the desired sequent .
2. The next step must then be either ∀ , ∧ , → or . To prove this by induction on the proof tree, we need to define coinduction goal contexts. These are contexts [−] with a hole [−], such that plugging an atom from At into the hole yields a coinduction goal. More generally, we will need contexts with multiple holes [−] that are indexed from 0 to for some ∈ N. Formally, such contexts are given by the following grammar.

For the cases ∧
and → , one proceeds similarly as for ∀ by appealing to the fact that preserves conjunction and implication, respectively. The only things to be taken care of are the multi-contexts in the conjunction and the extension of Δ in the implication case. Finally, the rule is dealt with in the next step.
3. For an application of either of the decide rules, there are generally two cases to consider: either the clause is selected from ∪ Δ by or , or selects [ #-]. In both cases, we proceed by induction to analyse the proof tree for Σ, Γ; ; We then obtain the following cases from the fact that and are Horn-clauses with the later modality in specific places.

a)
∈ is selected. Then the proof tree in iFOL will have at its root Γ | , , Δ and at its leaves sequents of the form Γ | , , Δ for some atoms .

b) [
#-] is selected. Then the resulting proof tree in iFOL will have at its root Γ | , , Δ for some , and as its leaves sequents of the form Γ | , , Δ for some .
Our goal is now to combine such proof trees. The only mismatch might occur when we have a proof tree that has Γ | , as root (first case) that has to be attached to a leaf of another proof tree (from either case), which will be of the form Γ | , for some atom . Since this match arises from a uniform proof, we have that = . Hence, we can combine these two trees by appealing to the (Next) rule: . . .
In all the other cases, the trees can be combined directly.
In Ex. 16, we provided the CUP proof for ∀ . from ( fr ). In this example, we show how that proof is translated into a proof in iFOL .
The guarding of clause (1) is given by the clause (2).
To save space, when we build a proof in iFOL using (∀-I), (∀-E) or (Conv), etc., we may omit the condition branch, which is : ∉ Γ, Γ : or ≡ respectively, if and only if we know that the condition holds. Now let denote the singleton set of clause (2). In Fig. 10 we display the iFOL proofs for ∀ . from ( fr ) that arises from the CUP proof.
The results of this section show that it is irrelevant whether the guarding modality is used on the right (CUP-style) or on the left (iFOL -style), as the former can be translated into the latter. However, CUP uses the guarding on the right to preserve proof uniformity, whereas iFOL extends a general sequent calculus. Thus, to obtain the reverse translation, we would have to have an admissible cut rule in CUP. The main ingredient to such a cut rule is the ability to prove several coinductive statements simultaneously. This is possible in CUP by proving the conjunction of these statements. Unfortunately, we cannot eliminate such a conjunction into one of its components, since this would require nondeterministic guessing in the proof construction, which in turn breaks uniformity. Thus, we leave a solution of this problem for future work.

Herbrand Models and Soundness
In Sec. 4 we showed that coinductive uniform proofs are sound relative to the intuitionistic logic iFOL . This gives us a handle on the constructive nature of coinductive uniform proofs. Since iFOL is a non-standard logic, we still need to provide semantics for that logic. We do this by interpreting in Sec. 5.4 the formulae of iFOL over the well-known (complete) Herbrand models and prove the soundness of the accompanying proof system with respect to these models. Although we obtain soundness of coinductive uniform proofs over Herbrand models from this, this proof is indirect and does not give a lot of information about the models captured by the different calculi co-fohc etc. For this reason, we will give in Sec. 5.3 a direct soundness proof for coinductive uniform proofs. We also obtain coinduction invariants from this proof for each of the calculi, which allows us to describe their proof strength.

Coinductive Herbrand Models and Semantics of Terms
Before we come to the soundness proofs, we introduce in this section (complete) Herbrand models by using the terminology of final coalgebras. We then utilise this description to give operational and denotational semantics to guarded terms. These semantics show that guarded terms allow the description and computation of potentially infinite trees.
The coalgebraic approach has proven very successful both in logic and programming [1,76,77]. We will only require very little category theoretical vocabulary and assume that the reader is familiar with the category Set of sets and functions, and functors, see for example [11,24,50]. The terminology of algebras and coalgebras [4,46,65,66] is given by the following definition.

Definition 22. A coalgebra for a functor : Set → Set is a map : → . Given coalgebras : → and : → , we say that a map ℎ : → is a homomorphism → if ℎ • = • ℎ. We call a coalgebra : → final, if for every coalgebra there is a unique homomorphism ℎ : → . We will refer to ℎ as the coinductive extension of .
The idea of (complete) Herbrand models is that a set of Horn clauses determines for each predicate symbol a set of potentially infinite terms. Such terms are (potentially infinite) trees, whose nodes are labelled by function symbols and whose branching is given by the arity of these function symbols. To be able to deal with open terms, we will allow such trees to have leaves labelled by variables. Such trees are a final coalgebra for a functor determined by the signature.
Definition 23. Let Σ be a first-order signature. The extension of a first-order signature Σ is a (polynomial) functor [36] Σ : Set → Set given by where ar : Σ → N is defined in Sec. 2 and is the -fold product of . We define for a set a functor Σ + : Set → Set by ( Σ + ) ( ) = Σ ( ) + , where + is the coproduct (disjoint union) in Set.
To make sense of the following definition, we note that we can view Π as a signature and we thus obtain its extension Π . Moreover, we note that the final coalgebra of Σ + exists because Σ is a polynomial functor.
The construction Σ ∞ ( ) gives rise to a functor Σ ∞ : Set → Set, called the free completely iterative monad [5]. If there is no ambiguity, we will drop the injections when describing elements of Σ ∞ ( ). Note that Σ ∞ ( ) is final with the property that for every ∈ Σ ∞ ( ) either there are ∈ Σ and #-∈ (Σ ∞ ( )) ar( ) with root ( ) = ( #-), or there is ∈ with root ( ) = . Finality allows us to specify unique maps into Σ ∞ ( ) by giving a coalgebra → Σ ( ) + . In particular, one can define for each : → Σ ∞ the substitution [ ] of variables in the coterm by as the coinductive extension of the following coalgebra.
Now that we have set up the basic terminology of coalgebras, we can give semantics to guarded terms from Def. 5. The idea is that guarded terms guarantee that we can always compute with them so far that we find a function symbol in head position, see Lem. 8. This function symbol determines then the label and branching of a node in the tree generated by a guarded term. If the computation reaches a constant or a variable, then we stop creating the tree at the present branch. This idea is captured by the following lemma. Proof. We define a coalgebra : Λ ,1 Σ (Γ)/≡ → Σ Λ ,1 Σ (Γ)/≡ + Γ on the quotient of guarded terms by convertibility as follows.
This is a well-defined map by Lem. 8. By finality of Σ ∞ (Γ), we obtain a unique homomorphism ℎ : Λ ,1 Σ (Γ)/≡ → Σ ∞ (Γ). This allows us to define − 1 = ℎ • [−], which gives us immediately for ≡ that Finally, assume that we are given a map : Λ ,1 Σ (Γ) → Σ ∞ (Γ) with the above two properties. The first allows us to lift to a map : Due to the second property we know that is then a coalgebra homomorphism and by finality = ℎ. Hence, we obtain from Let us illustrate the semantics of guarded terms on our running example.

Interpretation of Basic Intuitionistic First-Order Formulae
In this section, we give an interpretation of the formulae in Def. 3, in which we restrict ourselves to guarded terms. This interpretation will be relative to models in the complete Herbrand universe. Since we later extend these models to Kripke models to be able to handle the later modality, we formulate these models already now in the language of fibrations [16,45].
Definition 27. Let : E → B be a functor. Given an object ∈ B, the fibre E above is the category of objects ∈ E with ( ) = and morphisms : → with ( ) = id . The functor is a (split) fibration if for every morphism : → in B there is a functor * : E → E , such that id * = Id E and ( • ) * = * • * . We call * the reindexing along .
To give an interpretation of formulae, consider the following category Pred. Pred = objects: ( , ) with ∈ Set and ⊆ morphisms: The functor P : Pred → Set with P( , ) = and P( ) = is a split fibration, see [45], where the reindexing functor for : → is given by taking preimages: * ( ) = −1 ( ). Note that each fibre Pred is isomorphic to the complete lattice of predicates over ordered by set inclusion. Thus, we refer to this fibration as the predicate fibration.
Let us now expose the logical structure of the predicate fibration. This will allow us to conveniently interpret first-order formulae over this fibration, but it comes at the cost of having to introduce a good amount of category theoretical language. However, doing so will pay off in Sec. 5.4, where we will construct another fibration out of the predicate fibration. We can then use category theoretical results to show that this new fibration admits the same logical structure and allows the interpretation of the later modality.
The first notion we need is that of fibred products, coproducts and exponents, which will allow us to interpret conjunction, disjunction and implication.
The fibration P is a so-called first-order fibration, which allows us to interpret first-order logic, see [45,Def. 4
A first-order -fibration is a first-order fibration with Cartesian closed base B.
The fibration P : Pred → Set is a first-order -fibration, as all its fibres are posets and Set is Cartesian closed; P has fibred finite products ( , ∩), given by = and intersection; fibred distributive coproducts (∅, ∪); fibred exponents ⇒, given by ( ⇒ ) = { #-| if #-∈ , then #-∈ }; and universal and existential quantifiers given for ∈ Pred × by The purpose of first-order fibrations is to capture the essentials of first-order logic, while the -part takes care of higher-order features of the term language. In the following, we interpret types, contexts, guarded terms and formulae in the fibration P : Pred → Set: We define for types and context Γ sets and Γ ; for guarded terms with Γ : we define a map : Γ → in Set; and for a formula Γ we give a predicate ∈ Pred Γ .
Remark. It should be noted that we give in the following an interpretation over concrete fibrations with their base over Set. However, the interpretations could also be given over general first-order -fibrations : E → B. The main issue is to get an interpretation of guarded terms over a final coalgebra for Σ in a general category B. Currently, this interpretation crucially requires the category of sets as base category, see Lem. 25.
The semantics of types and contexts are given inductively in the Cartesian closed category Set, where the base type is interpreted as coterms, as follows.
Proof. Immediate by induction on .
Since P : Pred → Set is a first-order fibration, we can interpret inductively all logical connectives of the formulae from Def. 3 in this fibration. The only case that is missing is the base case of predicate symbols. Their interpretation will be given over a Herbrand model that is constructed as the largest fixed point of an operator over all predicate interpretations in the Herbrand base. Both the operator and the fixed point are the subjects of the following definition.
Definition 31. We let the set of interpretations I be the powerset P (B ∞ ) of the complete Herbrand base. For ∈ I and ∈ Π, we denote by | the interpretation of in (the fibre of above ) Given a set of -formulae, we define a monotone map Φ : I → I by where − 1 [ ] is the extension of semantics and substitution from coterms to the Herbrand base by functoriality of Π . The (complete) Herbrand model M of is the largest fixed point of Φ , which exists because I is a complete lattice.
Remark. Note that if is a set of Horn clauses (logic program), then the definition of the operator Φ in Def. 31 just becomes as we do not have to unfold fixed point terms. Thus, in most cases, except in the proof of Thm. 39, we will drop the semantic brackets − 1 .
Given a formula with Γ that contains only guarded terms, we define the semantics of in Pred from an interpretation ∈ I inductively as follows. Γ The mapping − is a well-defined function from formulae to predicates, such that Γ implies ⊆ Γ or, equivalently, ∈ Pred Γ .
Proof. Immediate by induction on .
Let us demonstrate the interpretation of formulae on an example.
Example 33. Recall the formula ∀ . from ( ) → from ( ), which we introduced as clause from0 . We spell out the interpretation of this formula. Note that root( ) = = . Abusing notation, we write for [ / ], and analogously for the terms , and . We then have Using similar calculations for the other terms in the clause from0 , we obtain This concludes the semantics of types, terms and formulae. We now turn to show that coinductive uniform proofs are sound for this interpretation.

Soundness of Coinductive Uniform Proofs for Herbrand Models
In this section, we give a direct proof of soundness for the coinductive uniform proof system from Sec. 3. Later, we will obtain another soundness result by combining the proof translation from Thm. 20 with the soundness of iFOL (Thm. 44 and 47). The purpose of giving a direct soundness proof for uniform proofs is that it allows the extraction of a coinduction invariant, see Lem. 37.
The main idea is as follows. Given a formula and a uniform proof for Σ; , we construct an interpretation ∈ I that validates , i.e.
= , and that is contained in the complete Herbrand model M . Combining these two facts, we obtain that M = , and thus the soundness of uniform proofs.
To show that the constructed interpretation is contained in M , we use the usual coinduction proof principle: Definition 34. An invariant for ∈ I is a set ∈ I, such that ⊆ and is a Φ -invariant, that is, ⊆ Φ ( ). If ∈ B ∞ , we also say that is an invariant for , if it is an invariant for { }.
Since M is the largest fixed point of Φ , we immediately have that, if has an invariant, then ⊆ M , see also [49].
In the remainder of this section, we will often have to refer to substitutions by coterms and their composition. The following definition will make dealing with this easier by organising these substitutions into a (Kleisli-)category. These notations are derived from the monad (Σ ∞ , , ) with : Id ⇒ Σ ∞ and : Σ ∞ Σ ∞ ⇒ Σ ∞ , cf. [5]: Definition 35. A (Kleisli-)substitution from to , written : , is a map → Σ ∞ ( ).

Composition of :
and : is given by In what follows, we extract, for any instance of a formula , an explicit invariant from a proof of Σ; , which then yields the soundness of CUP. More precisely, let be an -formula with = ∀ #-. 1 ∧ · · · ∧ → 0 and let be the set of variables in #-. Given a substitution : ∅, we need to show that if for all 1 ≤ ≤ we have 1 We note that a uniform proof for Σ; starts with , and the eigenvariables #are all distinct. Let the set of variables in #and Σ the signature #-: , Σ. For brevity, we define Note that from here, the further proof of the given goal will only be based on the signature Σ , that is, no new eigenvariables will be introduced higher in the proof. Thus, we can focus on 0 in our construction of an invariant: Given a substitution 0 : ∅, we need to construct an invariant for 0 1 [ 0 ], given that we already have an invariant for the assumptions We need to refer to the levels of the proof , which is the distance from the root sequent Σ; . For example, the above proof tree displays levels 0 to 3 of the proof . Having considered this simple case, we will now analyse the case when a chosen is of the form ∀ #-. → , and 0 ≡ [ ] for some substitution . In this case, applications of and → and will eventually deliver the subgoal: . .
We will refer to this stage in the proof as the level in . We now consider the rest of the proof tree above level , i.e. we consider the proof for [ ]. This is where the non-trivial part of the invariant construction will be obtained. In general, [ ] will be given by 1 ∧ . . . ∧ , and the rule ∧ will require subproofs for each of . Let us consider a sub-proof of for an arbitrary such .
The proof can only proceed here by applying the rule , in which case there are three options: to choose a program clause from , or choose ℎ or . Only the latter case is interesting for the invariant construction, as this is where the coinductive goal is instantiated, giving rise to a substitution that we will use in the invariant construction: Generally, may be used with different substitutions multiple times within the proof tree . However, itself is uniquely determined by the only use of the rule in the root of . The above fragment of the proof for gives rise to a substitution 1 = [ #-/ #-] that we can extend to a substitution 1 : by defining 1 ( ) = 1 ( ) , where is the eigenvariable that was initially substituted for . Since is the goal of the coinductive proof , we are led to use 1 and its iterations in the invariant that will prove coinduction goal .
The notions in the following definition will allow us to easily organise and iterate the substitutions that occur in a uniform proof. Recall that in general, can be used times in the proof , giving rise to substitutions 1 , . . . , . The following abstract definition is motivated by this observation.
Definition 36. Let be a set with = {1, . . . , } for some ∈ N. We call the set * of lists over the set of substitution identifiers. Suppose that we have substitutions 0 : ∅ and : for each ∈ . Then we can define a map Θ : * → (Σ ∞ ) , which turns each substitution identifier into a substitution, by iteration from the right: which arises from a use of in the proof tree , a substitution : by ( ) = ( ) . Note that each in has only variables from , that is, Σ : . We call an agent of . We let ⊆ At 1 be the set of atoms that are proven in : From the agents and atoms in we extract an invariant for the goal formula. In the following lemma we take = {1, . . . , } to be the set of identifiers for the uses of in the given proof .
Lemma 37. Suppose that is an -formula of the form ∀ #-. 1 ∧ · · · ∧ → 0 and that there is a proof for Σ; . Let be the proven atoms in , 1 , . . . , be the agents of and 0 : ∅ some initial substitution. Define = [ #-/ #-] and suppose further that 1 is an invariant for Proof. This proof refers to the notation and the construction of the proof as given above.
Consider the case when ∈ 2 , i.e. when ∈ 1 [Θ( )] for some , and therefore = 1 [Θ( )] for some atom proven in . We have to show that ∈ Φ ( ), that is, we have to show that there is a clause ∀ #-.

=1
→ and a substitution : | #-| ∅ such that = 1 [ ] and for all 1 ≤ ≤ we have 1 [ ] ∈ . We show that by case analysis on the proof of and induction on .
As discussed in the outline of proof , only the rules or are applicable to an atomic goal, and there are 3 possibilities of choosing a formula via these: it may be a program clause from , the hypothesis ℎ or . When one of these options is taken in a proof, we will say is resolved against a clause from , ℎ or , respectively. Moreover, choosing an atomic clause in gives us the base case, for which the proof has been given already. The remaining cases are: a) Suppose is resolved against a clause ∀ #-.

=1
→ in , that is, we have [ ] ≡ for some substitution . Note that if we define = Θ( ) 1 , then Since for all 1 ≤ ≤ the atom [ ] must have a proof somewhere in , we have [ ] ∈ . Thus, also 1 [ ] ∈ 2 and so ∈ Φ ( ) with the initial program clause and the substitution . b) If is resolved against , then this can only occur above the level in the proof tree . By the already given schematic analysis of , we also know that this case requires that ≡ 0 [ ] for some , and moreover this substitution is already incorporated in the construction of Θ, as gives rise to an agent . Thus, we have the latter equality follows from the definition of Θ( : ) and of substitution composition.
Note that 0 was initially, below level , resolved against a program clause ∀ #-.  Putting this all together, we have that ∈ Φ ( ) by using the initial program clause and the substitution . c) is resolved against ℎ . Once again, this can only occur above the level in the proof tree .
i) = . In this case, = 1 [Θ( )] is already in 1 , and because 1 is an invariant for 1 [Θ( )] 1 ≤ ≤ , we have ∈ Φ ( 1 ) and hence ∈ Φ ( ). ii) = : for some ∈ and ∈ * . Let be the syntactic substitution from which the agent arises. Then we have that This induction and case analysis shows that for any ∈ , we have ∈ Φ ( ). Thus, is an invariant.
Once we have Lem. 37 the following soundness theorem is easily proven.
Finally, we show that extending logic programs with coinductively proven lemmas is sound. This follows easily by coinduction. Now we use the soundness of a so-called up-to-technique [62]. Specifically, let be the monotone map on I given by It follows [62] for every ∈ I that whenever ⊆ Φ ( ( )) then ⊆ M. By the above calculation, we have that M ⊆ Φ ( (M )). Thus, M ⊆ M as we wanted to show. Altogether, this gives us that M = M , .
As a corollary we obtain that, if there is a proof for Σ; , then a proof for Σ; , is sound with respect to M . Indeed, by Thm. 39 we have that M = M ∪{ } and by Thm. 38 that Σ; , is sound with respect to M ∪{ } . Thus, the proof of Σ; , is also sound with respect to M . We use this property implicitly in our running examples, and refer the reader to [14,49,48] for proofs, further examples and discussion.

Soundness of iFOL over Herbrand Models
In this section, we demonstrate how the logic iFOL can be interpreted over Herbrand models. Recall that we obtained a fixed point model from the monotone map Φ on interpretations. In what follows, it is crucial that we construct the greatest fixed point of Φ by iteration, cf. [6,31,79]: Let Ord be the class of all ordinals equipped with their (well-founded) order. We denote by Ord op the class of ordinals with their reversed order and define a monotone function ← − − Φ : Ord op → I, where we write the argument ordinal in the subscript, by Note that this definition is well-defined because < is well-founded and because Φ is monotone, see [13]. Since I is a complete lattice, there is an ordinal such that In what follows, we will utilise this construction to give semantics to iFOL .
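The invariant principle of Def. 34 and the iterative construction of the greatest fixed point described above can be tried out on a finite ground program. The following Python sketch is an added example, not code from the paper; it assumes a constructed propositional Horn-clause program with a finite Herbrand base, so the descending chain stabilises after finitely many steps and no transfinite iteration is needed.

```python
"""Greatest fixed point of the consequence operator of a finite ground
Horn-clause program, computed by descending iteration, together with the
invariant check used in the coinduction proof principle."""
from typing import FrozenSet, List, Sequence, Tuple

Clause = Tuple[str, Tuple[str, ...]]  # (head atom, body atoms)
Interp = FrozenSet[str]               # an interpretation: a set of ground atoms

# Constructed ground program (illustration only, not from the paper):
#   p <- q.    q <- p.    r <- r, s.    t.    u <- t.
PROGRAM: List[Clause] = [
    ("p", ("q",)),
    ("q", ("p",)),
    ("r", ("r", "s")),
    ("t", ()),
    ("u", ("t",)),
]
BASE: Interp = frozenset({"p", "q", "r", "s", "t", "u"})


def phi(program: Sequence[Clause], interp: Interp) -> Interp:
    """One application of the operator: the heads of all clauses whose
    body atoms are all contained in the given interpretation."""
    return frozenset(h for h, body in program if all(b in interp for b in body))


def descending_chain(program: Sequence[Clause], base: Interp) -> List[Interp]:
    """Iterate phi starting from the full base until the chain stabilises.
    Because phi is monotone and phi(base) is a subset of base, every
    element of the chain is contained in the previous one."""
    chain = [base]
    while True:
        nxt = phi(program, chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def greatest_fixed_point(program: Sequence[Clause], base: Interp) -> Interp:
    """Limit of the descending chain (coinductive reading of the program)."""
    return descending_chain(program, base)[-1]


def least_fixed_point(program: Sequence[Clause]) -> Interp:
    """Forward closure from the empty set (inductive reading), for comparison."""
    current: Interp = frozenset()
    while True:
        nxt = phi(program, current)
        if nxt == current:
            return current
        current = nxt


def is_invariant(program: Sequence[Clause], candidate: Interp, goal: Interp) -> bool:
    """Check that the goal is contained in the candidate and that the
    candidate is contained in phi(candidate)."""
    return goal <= candidate and candidate <= phi(program, candidate)


if __name__ == "__main__":
    for step, interp in enumerate(descending_chain(PROGRAM, BASE)):
        print(step, sorted(interp))
    print("gfp:", sorted(greatest_fixed_point(PROGRAM, BASE)))
    print("lfp:", sorted(least_fixed_point(PROGRAM)))
    print("{p,q} invariant for p:",
          is_invariant(PROGRAM, frozenset({"p", "q"}), frozenset({"p"})))
```

The atoms p and q hold only coinductively: they are absent from the forward closure but supported by the invariant {p, q}, whereas r drops out of the chain because its body atom s has no clause.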
The fibration P : Pred → Set gives rise to another fibration as follows. We let Pred be the category of functors (monotone maps) with fixed predicate domain: : Ord op → Pred, such that P • is constant morphisms: → are natural transformations : ⇒ , such that P : P • ⇒ P • is the identity The fibration P : Pred → Set is defined by evaluation at any ordinal (here 0), i.e. by P( ) = P( (0)) and P( ) = (P ) 0 , and reindexing along : → by applying the reindexing of P point-wise, i.e. by # ( ) = * ( ).
Note that there is a (full) embedding : Pred → Pred that is given by ( , ) = ( , ) with = . One can show [13] that P is again a first-order fibration and that it models the later modality, as in the following theorem.
Theorem 40. The fibration P is a first-order fibration. If necessary, we denote the first-order connectives by , ∧ etc. to distinguish them from those in Pred. Otherwise, we drop the dots. Finite (co)products and quantifiers are given point-wise, while for ∈ Set and , ∈ Pred exponents are given by There is a fibred functor : Pred → Pred with • = given on objects by ( ) = < and a natural transformation next : Id ⇒ from the identity functor to . The functor preserves reindexing, products, exponents and universal quantification: Finally, for all ∈ Set and ∈ Pred , there is l ob : ( ⇒ ) → in Pred .
Intuitively, the later modality shifts a given sequence by one position and concatenates it with the terminal object. This can be seen if we have a description of ordinals through successor and limit ordinals. Given ∈ Pred , we can visualise the beginning of and as follows. : Using the above theorem, we can extend the interpretation of formulae to iFOL as follows. Let : Ord op → I be a descending sequence of interpretations. As before, we define the restriction of to a predicate symbol ∈ Π by | = | = #-#-∈ . The semantics of formulae in iFOL as objects in Pred is given by the following iterative definition.
The following lemma is the analogue of Lem. 32 for the interpretation of formulae without the later modality.
Lemma 41. The mapping − is a well-defined map from formulae in iFOL to sequences of predicates, such that Γ implies ∈ Pred Γ .
Proof. Immediate by induction on .
Lemma 42. All rules of iFOL are sound with respect to the interpretation − of formulae in Pred, that is, if Γ | Δ , then ∈Δ ⇒ = . In particular, Γ implies = .
Proof. The soundness for the rules of first-order logic in Fig. 8 is standard for the given interpretation over a first-order fibration as in Thm. 40, see [45,Sec. 4.3]. Soundness of the rules for the later modality in Fig. 9 follows from the existence of the morphisms next and l ob, and functoriality of that were proved in Thm. 40, cf. [12,Sec. 5.2] and [13].
The following lemma shows that the guarding of a set of formulae is valid in the chain model that they generate.
To this end, suppose < . Then Hence, =1,..., Combining this with soundness from Lem. 42, we obtain that provability in iFOL relative to a logic program is sound for the model of . Proof. Combine Lem. 42 and Lem. 43.
The final result of this section is to show that the descending chain model, which we used to interpret formulae of iFOL , is sound and complete for the fixed point model, which we used to interpret the formulae of coinductive uniform proofs. This will be proved in Thm. 47 below. The easiest way to prove this result is by establishing a functor Pred → Pred that maps the chain ← − − Φ to the model M , and that preserves and reflects truth of first-order formulae (Prop. 46). We will phrase the preservation of truth of first-order formulae by a functor by appealing to the following notion of fibrations maps, cf. Let us now construct a first-order -fibration map Pred → Pred. We note that since every fibre of the predicate fibration is a complete lattice, for every chain ∈ Pred there exists an ordinal at which stabilises. This means that there is a limit lim of in Pred , which is the largest subset of , such that ∀ . lim ⊆ . This allows us to define a map : Pred → Pred by In the following proposition, we show that gives us the ability to express first-order properties of limits equivalently through their approximating chains. This, in turn, provides soundness and completeness for the interpretation of the logic iFOL over descending chains with respect to the largest Herbrand model. Proposition 46. The functor : Pred → Pred, as defined above, is a map of fibrations and preserves fibred (co)products, and existential and universal quantification. Furthermore, is right-adjoint to the embedding : Pred → Pred. Finally, for each ∈ Π and ∈ Pred B ∞ , we have | = ( )| .
Proof. First, we show that if : ( , ) → ( , ), then is indeed a morphism ( , lim ) → ( , lim ). This means that we have to show that (lim ) ⊆ lim . By the limit property, it suffices to show for all ∈ Ord that (lim ) ⊆ : (lim ) ⊆ ( ) lim ⊆ and image of monotone ⊆ is morphism ( , ) → ( , ) That preserves identities and composition is evident, as is the preservation of indices: = • . Next, we show that Cartesian morphisms are preserved as well. Let : ( , ) → ( , ) be Cartesian in Pred, and suppose we are given and ℎ as in the lower triangle in the following diagram in Set and ( , ) in Pred.
Showing that preserves coproducts and existential quantifiers is somewhat nasty, while products and universal quantification are straightforward. First, we prove that conjunction is preserved, that is, we want to prove that lim( ∨ ) = lim ∨ lim . We note now that, because and are descending, there are ordinals , , such that lim( ∨ ) = ( ∨ ) and lim ∨ lim = ∨ . Let now = be the least upper bound of these ordinals. Then we have by the above assumptions that This proves that also existential quantification is preserved by .
Finally, to show that there is an adjunction , we have to show for all ( , ) ∈ Pred and ( , ) ∈ Pred that there is a natural isomorphism Hom Pred (( , ), ( , lim )) Hom Pred (( , ), ( , )). This boils down to showing that for any map : → we have ( ) ⊆ lim ⇐⇒ ∀ . ( ) ⊆ . In turn, this is immediately given by the limit property of lim .
We get from Prop. 46 soundness of ← − − Φ for Herbrand models. More precisely, if is a goal formula that has only implication-free formulas on the left of an implication (first-order goal), then its interpretation in the coinductive Herbrand model is true if its interpretation over the chain approximation of the Herbrand model is true. Proof. First, we show for an implication-free -formula that by induction on and using Prop. 46 as follows. For atoms, we have that The cases for universal quantification and conjunction are given by using that preserves these connectives (again Prop. 46). From this, we obtain for a first-order goal that ( ← − − Φ ) ⊆ M by induction on and using again Prop. 46.
To show that the semantics over Pred and Pred coincide, that is, that we have the following correspondence.

Conclusion, Related Work and the Future
In this paper, we provided a comprehensive theory of resolution in coinductive Horn-clause theories and coinductive logic programs. This theory comprises of a uniform proof system that features a form of guarded recursion and that provides operational semantics for proofs of coinductive predicates. Further, we showed how to translate proofs in this system into proofs for an extension of intuitionistic FOL with guarded recursion, and we provided sound semantics for both proof systems in terms of coinductive Herbrand models. The Herbrand models and semantics were thereby presented in a modern style that utilises coalgebras and brations to provide a conceptual view on the semantics.
Related Work. It may be surprising that automated proof search for coinductive predicates in first-order logic does not have a coherent and comprehensive theory, even after three decades [3,60], despite all the attention that it received as programming [2,28,41,43] and proof [32,33,37,38,44,59,65,66,67,68] method. The work that comes close to algorithmic proof search is the system CIRC [64], but it cannot handle general coinductive predicates and corecursive programming. Inductive and coinductive data types are also being added to SMT solvers [23,63]. However, both CIRC and SMT solving are inherently based on classical logic and are therefore not suited to situations where proof objects are relevant, like programming, type class inference or (dependent) type theory. Moreover, the proposed solutions, just like those in [40,70], can only deal with regular data, while our approach also works for irregular data, as we saw in the from-example.
This paper subsumes Haskell type class inference [51,35] and exposes that the inference presented in those papers corresponds to coinductive proofs in co-fohc and co-hohh. Given that the proof systems proposed in this paper are constructive and that uniform proofs provide proofs (type inhabitants) in normal form, we could give a propositions-as-types interpretation to all eight coinductive uniform proof systems. This was done for co-fohc and co-hohh in [35], but we leave the remaining cube from the introduction for future work.
Future Work. There are several directions that we wish to pursue in the future. First, we know that CUP is incomplete for the presented models, as it is intuitionistic and it lacks an admissible cut rule. The first can be solved by moving to Kripke/Beth-models, as done by Clouston and Goré [29] for the propositional part of iFOL . However, the admissible cut rule is more delicate. To obtain such a rule one has to be able to prove several propositions simultaneously by coinduction, as discussed at the end of Sec. 4. In general, completeness of recursive proof systems depends largely on the theory they are applied to, see [71] and [17]. However, techniques from cyclic proof systems [26,69] may help. We also aim to extend our ideas to other situations like higher-order Horn clauses [42,27] and interactive proof assistants [39,9,30,22], typed logic programming, and logic programming that mixes inductive and coinductive predicates.