Symbolic Model Construction for Saturated Constrained Horn Clauses

Clause sets saturated by hierarchic ordered resolution do not offer a model representation that can be effectively queried, in general. They only offer the guarantee of the existence of a model. We present an effective symbolic model construction for saturated constrained Horn clauses. Constraints are in linear arithmetic, the first-order part is restricted to a function-free language. The model is constructed in finite time, and non-ground clauses can be effectively evaluated with respect to the model. Furthermore, we prove that our model construction produces the least model.


Introduction
Constrained Horn Clauses (CHCs) combine logical formulas with constraints over various domains, e.g. linear real arithmetic, linear integer arithmetic, equalities of uninterpreted functions [15]. This formalism has gained widespread attention in recent years due to its applications in a variety of fields, including program analysis and verification: safety, liveness, and termination [38,17], complexity and resource analysis [33], intermediate representation [22], and software testing [35]. Technical controls, so-called supervisors, like an electronic engine control unit or a lane change assistant in a car [9,8], can be modelled, run, and proven safe. Moreover, there exist many different approaches for reasoning in CHCs and associated first-order logic fragments extended with theories [15,7,24,25,34,28,2,23,29,37,5,10]. Thus, CHCs are a powerful tool for reasoning about complex systems that involve logical constraints, and they have been used to solve a wide range of problems.
A failed proof attempt of some conjecture or an undesired run points to a bug. In this case, investigating the cause of the unexpected result or behavior is crucial. Building a model of the situation that can then be effectively queried is an important means towards a repair. However, some algorithms for CHCs, e.g. hierarchic superposition, which boils down to hierarchic ordered resolution in the context of CHCs, do not in general return a model that can be effectively queried if a proof attempt fails. Even where a model is returned, queries are still restricted to ground clauses [4].
The contribution of our paper can be seen as an extension for these saturation-based algorithms that produces models and not just saturated clause sets. In fact, we show how to build symbolic models out of any saturated CHC clause set over linear arithmetic. This fragment is equivalent to Horn clause sets of linear arithmetic combined with the Bernays-Schönfinkel fragment. Recall that although satisfiability in this fragment is undecidable in general [16,26], for a finitely saturated set we can construct such a representation in finite time.
Our models fulfill all important properties postulated in the literature for automated model building in first-order logic [20,13]. First, they can be effectively constructed, i.e., each model is represented by one linear arithmetic formula of finite size for each of its predicates, and it can be constructed in finite time. Second, they are unique, i.e., the model representation specifies exactly one interpretation; in our case the least model. Third, they can be effectively queried, i.e., we provide decision procedures that evaluate whether an atom, clause, or formula is entailed/satisfied by the model. Fourth, it is possible to test the equivalence of two models. The approach we present does not exploit features of linear arithmetic beyond equality, the existence of a well-founded order for the theories' universe, and decidability of the theory. The results may therefore be adapted to other constraint domains. Model representations that can be effectively constructed and queried like ours are also called effective model representations. Moreover, our method is the first effective model construction approach for ordered resolution (or its extension to superposition) that is based on saturation, goes beyond ground clauses, and includes theory constraints. In the future, we plan to use this approach as the basis for a more general model construction approach that also works on more expressive fragments of first-order logic modulo theories.
Our model construction is inspired by the model construction operator used in the proof for refutational completeness of hierarchic superposition [30,6,3]. The main difference is that the model construction operator from the refutational completeness proof is restricted to ground clauses and executed on the potentially infinite ground instances of the saturated clause set (in addition to an infinite axiomatization of the background theory as ground clauses). As a result, the model construction operator from the refutational completeness proof cannot effectively construct a model, because iterating over a potentially infinite set means it may diverge. Moreover, in contrast to our model construction, the original model operator cannot effectively evaluate non-ground atoms, clauses, or formulas. It is, however, sufficient to show the existence of a model if the clause set is saturated and does not contain the empty clause [30,6,3]. In our version of the model construction operator, we managed to lift the restriction to ground clause sets by restricting the input logic to the Horn Bernays-Schönfinkel fragment instead of full first-order logic. This enables us to define a strict propagation/production order for our non-ground clauses instead of just for ground clauses. As a result, we can construct the model one clause at a time.
The paper is organized as follows. In Section 2 we clarify notation and preliminaries. The main contribution is presented in Section 3. At the end of that section, we also explain how our models satisfy the postulates by Fermüller and Leitsch for automated model building (see [13, Section 5.1, p. 234]). We conclude in Section 4.

Preliminaries and Notation
We briefly recall the basic logical formalisms and notations we build upon [9]. Our starting point is a standard first-order language with variables (denoted x, y, z), predicates (denoted P, Q) of some fixed arity, and terms (denoted t, s).
An atom (denoted A) is an expression P(t1, ..., tn) for a predicate P of arity n = arity(P). When the terms t1, ..., tn in P(t1, ..., tn) are not relevant in some context, we also write P(*). A positive literal is an atom A and a negative literal is a negated atom ¬A. We define comp(A) = ¬A, comp(¬A) = A, |A| = A and |¬A| = A. Literals are usually denoted L, K. We sometimes write literals as [¬]P(*), meaning that the sign of the literal is arbitrary, often followed by a case distinction. Formulas are defined in the usual way using the quantifiers ∀, ∃ and the boolean connectives (in order of decreasing binding strength) ¬, ∨, ∧, →, and ↔. The logic we consider does not feature a first-order equality predicate. The Bernays-Schönfinkel Clause Fragment (BS) of first-order logic consists of first-order clauses where all terms are either variables or constants. The Horn Bernays-Schönfinkel Clause Fragment (HBS) is further restricted to Horn clauses.
A substitution σ is a function from variables to terms with a finite domain and codomain. We denote substitutions by σ, τ. The application of substitutions is often written postfix, as in xσ, and is homomorphically extended to terms, atoms, literals, clauses, and quantifier-free formulas. A substitution is ground if its codomain is ground. Let Y denote some term, literal, clause, or clause set. A substitution σ is a grounding for Y if Yσ is ground, and Yσ is a ground instance of Y in this case. We denote by gnd(Y) the set of all ground instances of Y. The most general unifier mgu(Z1, Z2) of two terms/atoms/literals Z1 and Z2 is defined as usual, and we assume that it does not introduce fresh variables and is idempotent.

Horn Bernays-Schönfinkel with Linear Arithmetic
The class HBS(LRA) is the extension of the Horn Bernays-Schönfinkel fragment with linear real arithmetic (LRA). Analogously, the classes HBS(LQA) and HBS(LIA) are the extensions of the Horn Bernays-Schönfinkel fragment with linear rational arithmetic (LQA) and linear integer arithmetic (LIA), respectively. The only difference between the three classes is the sort LA their variables and terms range over and the universe U over which their interpretations range. As the names already imply, LA = LRA and U = R for HBS(LRA), LA = LQA and U = Q for HBS(LQA), and LA = LIA and U = Z for HBS(LIA). The results presented in this paper hold for all three classes, and by HBS(LA) we denote an arbitrary one of them.
Linear arithmetic terms are constructed from a set X of variables, the set of constants c ∈ Q (if in HBS(LRA) or HBS(LQA)) or c ∈ Z (if in HBS(LIA)), and the binary function symbols + and − (written infix). Additionally, we allow multiplication · if one of the factors is a constant. Multiplication only serves us as syntactic sugar to abbreviate other arithmetic terms, e.g., x + x + x is abbreviated to 3 · x. Atoms in HBS(LA) are either first-order atoms (e.g., P(13, x)) or (linear) arithmetic atoms (e.g., x < 42). Arithmetic atoms are denoted by λ and may use the predicates ≤, <, ≈, ≉, >, ≥, which are written infix and have the expected fixed interpretation. We use ≈ instead of = to avoid confusion between equality in LA and equality on the meta level. While we do not permit quantifiers in the syntax of clauses, the notion of symbolic interpretations that we will develop does require them, denoted as usual. By atoms(Y)/quants(Y) we denote the linear arithmetic atoms/quantifiers in a formula or set of formulas Y. First-order literals and related notation are defined as before. Arithmetic literals coincide with arithmetic atoms, since the arithmetic predicates are closed under negation, e.g., ¬(x ≥ 42) is equivalent to x < 42. HBS(LA) clauses are defined as for HBS but using HBS(LA) atoms. We often write clauses in the form Λ C where C is a clause solely built of free first-order literals and Λ is a multiset of LA atoms called the constraint of the clause. A clause of the form Λ C is therefore also called a constrained clause. Since the interpretation of linear arithmetic relations is fixed, we set Π(Λ C) := Π(C).
The fragment we consider in Section 3 is restricted even further to abstracted clauses: For any clause Λ C, all terms in C must be variables. Put differently, we disallow any arithmetic function symbols, including numerical constants, in C. Variable abstraction, e.g. rewriting x ≥ 3 P(x, 1) to x ≥ 3, y ≈ 1 P(x, y), is always possible. Hence, the restriction to abstracted clauses is not a theoretical limitation, but allows us to formulate our model construction operator in a more concise way. We assume abstracted clauses for theory development, but we prefer non-abstracted clauses in examples for readability, e.g., a unit clause P(3, 5) is considered in the development of the theory as the clause x ≈ 3, y ≈ 5 P(x, y).
In contrast to other works, e.g. [11], we do not permit first-order constants, and consequently also no variables that range over the induced Herbrand universe. All variables are arithmetic in the sense that they are interpreted by U. Since equalities are available in the arithmetic constraint, it is possible to simulate variables over first-order constants, e.g. by numbering them, i.e. defining a bijection between N and the constant symbols. So this again is not a theoretical limitation.
The semantics of Λ C is as follows: For example, the clause x > 1 ∨ y ≈ 5 ∨ ¬Q(x) ∨ R(x, y) is also written Note that since the neutral element of conjunction is ⊤, an empty constraint is valid, i.e. equivalent to true. In analogy to the empty clause in settings without constraints, we write to mean any and all clauses Λ ⊥ where Λ is satisfiable, which are all unsatisfiable.
An assignment for a constraint Λ is a substitution (denoted β) that maps all variables in vars(Λ) to values in U. An assignment is a solution for a constraint Λ if all atoms λ ∈ Λβ evaluate to true. A constraint Λ is satisfiable if there exists a solution for Λ. Otherwise it is unsatisfiable.
We assume pure input clause sets, because otherwise satisfiability is undecidable for impure HBS(LA) [21]. This means the only constants of our sort LA are concrete rational numbers. Irrational numbers are not allowed by the standard definition of the theory. Fractions are not allowed if LA = LIA. Satisfiability of pure HBS(LA) clause sets is semi-decidable, e.g., using hierarchic superposition [3] or SCL(T) [10]. Note that pure HBS(LA) clauses correspond to constrained Horn clauses (CHCs) with LA as background theory.
All arithmetic predicates and functions are interpreted in the usual way, denoted by the interpretation A LA. An interpretation of HBS(LA) coincides with A LA on arithmetic predicates and functions, and freely interprets non-arithmetic predicates. For pure clause sets this is well-defined [3]. Logical satisfaction and entailment are defined as usual, and use similar notation as for HBS.
Example 1. The clause y ≥ 5, x′ ≈ x + 1 S0(x, y) → S1(x′, 0) is part of a timed automaton with two clocks x and y modeled in HBS(LA). It represents a transition from state S0 to state S1 that can be traversed only if clock y is at least 5, and that resets y to 0 and increases x by 1.

Ordering Literals and Clauses
In order to define redundancy for constrained clauses, we need an order: Let ≺Π be a total, well-founded, strict ordering on predicate symbols and let ≺U be a total, well-founded, strict ordering on the universe U. (Note that ≺U cannot be the standard ordering < because it is not well-founded for Z, Q, or R. In the case of R, the existence of such an order even depends on whether we assume the axiom of choice [18].) We extend these orders step by step. First, to atoms, i.e., P ( a and a ≺lex b, where ≺lex is the lexicographic extension of ≺U. Next, we extend the order to literals with a strict precedence on the predicate and the polarity, i.e., independent of the arguments of the literals. Then, take the multiset extension to order clauses. To handle constrained clauses, extend the relation such that constraint literals (in our case arithmetic literals) are always smaller than first-order literals. We conflate the notation of all extensions into the symbol ≺ and define as the reflexive closure of ≺. Note that ≺ is only total for ground atoms/literals/clauses, which is sufficient for a hierarchic superposition order [6].
Definition 2 (≺-maximal Literal). A literal L is called ≺-maximal in a clause C if there exists a grounding substitution σ for C, such that there is no different
Definition 5. Let N be a set of clauses, ≺ a clause ordering, C a clause, and P a predicate symbol. Then

Hierarchic Superposition, Redundancy and Saturation
For pure HBS(LA) most rules of the (hierarchic) superposition calculus become obsolete or can be simplified. In fact, in the HBS(LA) case (hierarchic) superposition boils down to (hierarchic) ordered resolution. For a full definition of the (hierarchic) superposition calculus in the context of linear arithmetic, consider SUP(LA) [1]. Here, we will only define its simplified version in the form of the hierarchic resolution rule.
Definition 6 (Hierarchic ≺-Resolution). Let ≺ be an order on literals and
Note that in the resolution rule we do not enforce explicitly that the positive literal is strictly maximal. This is possible because in the Horn case any positive literal is strictly maximal if it is maximal in the clause.
For saturation, we need a termination condition that defines when the calculus under consideration cannot make any further progress. In the case of superposition, this notion is that any new inferences are redundant.

Definition 7 (Clause Redundancy). A ground clause Λ C ∈ N is redundant with respect to a set N of ground clauses and order
If a clause Λ C ∈ N is redundant with respect to a clause set N, then it can be removed from N without changing its semantics. If Λ C is newly inferred, then we also call it redundant if Λ C is already part of N. The same cannot be said for clauses in N, or all clauses in N would be redundant. Determining clause redundancy is an undecidable problem [10,40]. However, there are special cases of redundant clauses that can be easily checked, e.g., tautologies and subsumed clauses. Redundancy also means that I N ≺Λ C implies I Λ C if Λ C is redundant w.r.t. N. We will exploit this fact in the model construction.

Definition 8 (Saturation). A set of clauses N is saturated up to redundancy with respect to some set of inference rules, if application of any rules to clauses in N yields a clause that is redundant with respect to N or is contained in N.

Interpretations
In our context, models are interpretations that satisfy (sets of) clauses. The standard notion of an interpretation is fairly opaque and interprets a predicate P as the potentially infinite set of ground arguments that satisfy P.
Definition 9 (Interpretation). Let P be a predicate symbol with arity(P) = n. Then, P I denotes the subset of U^n for which the interpretation I maps the predicate symbol P to true.
Since our model construction approach manipulates interpretations directly, we need a notion of interpretations that always has a finite representation and for which it is possible to decide (in finite time) whether a clause is satisfied by the interpretation. Therefore, we rely on the notion of symbolic interpretations:
Definition 10 (Symbolic Interpretation). Let x1, x2, ... be an infinite sequence of distinct variables, i.e. xi ≠ xj for all 1 ≤ i < j. (We assume the same sequence for all symbolic interpretations in order to prevent conflicts when we later combine multiple symbolic interpretations into one.) A symbolic interpretation S is a function that maps every predicate symbol P with arity(P) = n to a formula denoted P S (x) of finite size, constructed using the usual boolean connectives over LA atoms, where the only free variables appear in x = (x1, ..., xn). The interpretation I S corresponding to S is defined by P IS = {(x)β | β P S (x)} and maps the predicate symbol P to true for the subset of U^n which corresponds to the solutions of P S (x).

Example 11. Let N be a clause set consisting of the clauses
An example of a symbolic interpretation S that satisfies N would be the function that maps It corresponds to the interpretation I S where
The notion of symbolic interpretations is closely related to A-definable models [7, Definition 7] and constrained atomic representations [13, Definition 5.1]. Each symbolic interpretation S(x) is equivalent to a constrained atomic representation that consists of one constraint atom [[P(x) : P S (x)]] (written in the notation from [13]) for every predicate P. Note that in this context the constraint is not just a quantifier-free conjunction of linear arithmetic atoms, but a linear arithmetic formula potentially containing quantifiers (although those can be eliminated with quantifier elimination techniques).
Since each symbolic interpretation consists of a finite set of formulas of finite size, symbolic interpretations can be considered finite representations. In contrast, the standard representation of an interpretation as a potentially infinite set of ground atoms is not a finite representation. However, this also means that there are some interpretations for which no corresponding symbolic interpretation exists; for instance, the set of prime numbers is a satisfying interpretation for y ≈ 2 P(y), but is not expressible as a symbolic interpretation (in LA). As we will later see, any saturated set of HBS(LA) clauses either is unsatisfiable or has a symbolic interpretation that satisfies it (Theorem 29).
The top interpretation, denoted I ⊤, is defined as P I⊤ := U^n for all predicate symbols P with arity(P) = n and corresponds to the top symbolic interpretation, denoted S ⊤, defined as P S⊤ := ⊤ for all predicate symbols P. The bottom interpretation (or empty interpretation), denoted I ⊥, and the bottom symbolic interpretation (or empty symbolic interpretation), denoted S ⊥, are defined analogously. The interpretation of P under I ∪ J is defined as P I∪J := P I ∪ P J for every predicate P. In the symbolic case, S ∪ R is defined as P S∪R (x) := P S (x) ∨ P R (x) for every predicate P. We write I ⊆ J or I is included in J (resp. I ⊂ J or I is strictly included in J) if P I ⊆ P J (resp. P I ⊂ P J) for all predicate symbols P.
Definition 12 (Entailment of Literal). Let I be an interpretation. Given a ground literal P(a1, ..., an), where ai ∈ U, we write I P(a1, ..., an) if (a1, ..., an) ∈ P I. Conversely, we write I P(a1, ..., an) if (a1, ..., an) ∉ P I. For a non-ground literal L, we write I L if for all grounding substitutions σ for L we have I Lσ. Conversely, we write I L if there exists a grounding substitution σ for L such that I Lσ.
We overload for symbolic interpretations, i.e. we write S L and mean I S L. The following function encodes a clause as an LA formula for evaluation under a given symbolic interpretation.

. , yi,ni) and let S be a symbolic interpretation. Then the clause evaluation function (Λ C) S is defined as follows, based on the definitions for σi and φi (for 1 ≤ i ≤ m): Note that the free variables of (Λ C) S are exactly the free variables of (Λ C). Moreover, the substitutions σi are necessary in the above definition in order to map the variables in the symbolic interpretation for the predicates P S i to the variables that appear as arguments in the literals Pi(yi,1, ..., yi,ni).

Proposition 14. Given a constrained clause Λ C with grounding β, we have
As a corollary of the previous proposition, the entailment S Λ C holds if and only if the universal closure of the formula (Λ C) S is valid. This means that for a symbolic interpretation S it is always computable whether a clause is entailed by S, because there are decision procedures for quantified LRA, LQA, and LIA formulas of finite size.
We require two functions that manipulate LA formulas directly to express our model construction (cf. Definition 17), i.e. to map the solutions for a clause, defined by a formula φ over the variables vars(φ), to one atom inside the clause. This requires us to project away all variables in φ that appear in the clause but not in the atom.
Definition 15 (Projection). Let V be a set of variables and φ be an LA formula. The projection function π is defined as follows: π(V, φ) is a standard projection function that binds a subset V of the variables in the formula φ with existential quantifiers. Note that π(V, φ) is also equivalent to a quantifier-free LA formula just over the variables x1, ..., xn, because there exist quantifier elimination algorithms for LRA, LQA, and LIA [32,14].
A further function is needed when we encounter literals of the form P(x, x, ...), i.e., where one variable is shared among two arguments. In this case, we use to express in our symbolic interpretation that the equivalent argument positions must also be equivalent in our interpretation.
Definition 16 (Sharing). Let (y1, ..., yn) and (x1, ..., xn) be tuples of variables of the same length. The sharing function , which encodes variable sharing across different argument positions, is defined as follows:

Consequence and Least Model
The notion of a least model is common in logic programming. Horn logic programs admit a least model, which is the intersection of all models of the program (see [31, § 6, p. 36]). In our context, the least model of a set of clauses N is the intersection of all models of N. An alternative characterization of the least model of N is through the least fixed point of the one-step consequence operator, which we define as T N for the context of LA constraints, analogously to [27, Section 4]. The one-step consequence operator T N takes a set of clauses N and an interpretation I as input and returns an interpretation: The least fixed point of this operator exists by Tarski's Fixed Point Theorem [39]: Interpretations form a complete lattice under inclusion (supremum given by union, infimum given by intersection), and T N is monotone.

Model Construction
In this section we address the construction of models for HBS(LA). Throughout this section, we consider a set of constrained Horn clauses N and an order ≺ to be given. Our aim is to define an interpretation I N, such that The production operator δ(S, Λ C) results in a new symbolic interpretation where, to map variables from literal arguments to the variables appearing in the symbolic interpretation S and back, we have the substitutions The goal of the operator δ(S, Λ C) is to define an extension of the symbolic interpretation S such that S ∪ δ(S, Λ C) satisfies Λ C. Note that δ only extends the interpretation over the strictly maximal predicate P. Moreover, due to our predicate order, it only needs to consider the interpretation S for predicates Q with Q ≺ P. δ also satisfies the following two symmetrical properties: On the one hand, every grounding τ of Λ C′ ∨ P(y) that is not yet satisfied by S must correspond to a solution β of P δ(S,Λ C′ ∨ P(y)) that satisfies P(y)τ. On the other hand, every solution β of P δ(S,Λ C′ ∨ P(y)) must correspond to a grounding of Λ C′ ∨ P(y) that is not yet satisfied by S. The first property is needed so that S ∪ δ(S, Λ C′ ∨ P(y)) satisfies Λ C′ ∨ P(y). The second property is needed so that we do not accidentally extend our interpretation by any solutions not needed to satisfy Λ C′ ∨ P(y).
Note that in the above statements β and τ are generally not the same, because the variables x used to define P S are not necessarily the same as the variables appearing in the clause Λ C and the literal P(y). There are three reasons for this, which are handled by three different methods in our model construction:
1. The variables in S and Λ C simply do not match, e.g. in P S := x1 ≈ 0 and Λ C := y1 > 0 P(y1). This is handled by the substitution σ in δ that maps all variables in P(y) to their appropriate variables in P S, e.g. in the previous example σ = {y1 → x1} and P δ(S,Λ C) = (y1 > 0)σ = x1 > 0.
The parts of P δ(S,Λ C) that we have not yet discussed are based on the fact that any constrained Horn clause Λ C′ ∨ P(y) can also be written as an implication of the form φ → P(y), where φ := Λ ∧ P1(y1,1, ..., y1,n1) ∧ ··· ∧ Pm(ym,1, ..., ym,nm), and S Λ C′τ if and only if S φτ. This means the groundings τ of Λ C′ not satisfied by S are also the groundings of φ satisfied by S. It is straightforward to express these groundings with a conjunctive formula based on Λ and the P S i. The only challenge is the reverse problem from before, i.e. mapping the variables of P S i to the variables in the literals Pi(yi,1, ..., yi,ni). This mapping is done in δ by the substitution σi.
Now, based on the production operator δ for one clause, we can use an inductive definition over the order ≺ to define an interpretation S N for all clauses in N. We distinguish the following auxiliary symbolic interpretations: S ≺P, which captures progress up to but excluding the predicate P; ∆ P, which captures how P should be interpreted considering S ≺P; and S P, which captures progress up to and including the predicate P. The symbolic interpretation ∆ Λ C P is the extension of S ≺P w.r.t. the single clause Λ C.

Definition 18 (Model Construction).
Let N be a finite set of constrained Horn clauses. We define symbolic interpretations S ≺P, S P and ∆ P for all predicates P ∈ Π(N) by mutual induction over ≺: Finally, based on the above inductive definition of S ≺P for every predicate symbol P ∈ Π(N), we arrive at an overall interpretation for N.

Definition 19 (Candidate Interpretation).
The candidate interpretation for N (w.r.t. ≺), denoted I N, is the interpretation associated with the symbolic interpretation S N = P ∈Π(N) ∆ P, where P ranges over all predicate symbols occurring in N.
Note that S N = S P where P is ≺-maximal in Π(N). Obviously, we intend that S N N if N is saturated (Theorem 29). Otherwise, i.e. S N N, we can use our construction to find a non-redundant inference (Corollary 30). Consider the following two examples, which demonstrate how δ sits at the core of the aforementioned inductive definitions of symbolic interpretations.

Example 20 (Dependent Interpretation). Assume P ≺ Q and consider the following set of clauses:
Maximal literals are underlined. Since the maximal literals of C1 and C2 are both positive, ordered resolution cannot be applied. The set is saturated. Since P is the ≺-smallest predicate, we have S ≺P = S ⊥. Applying the δ operator yields the following interpretation for P: Then, Q is interpreted relative to P. Consider the clause C2: For all solutions of its constraint y3 ≥ y1 + 1, y4 ≥ y2 + 1 our model must also satisfy its logical part P(y1, y2) → Q(y3, y4). The intuition that Q depends on P arises from the implication in the logical part. Whenever the constraint of C2 and P(y1, y2) are satisfied, Q(y3, y4) must be satisfied. These are exactly the points defined through δ(S ≺Q, C2), based on S ≺Q = S P = δ(S ≺P, C1): Whenever the conjuncts 0 ≤ y1 ≤ 2 and 0 ≤ y2 ≤ 2 are satisfied, the premise of the implication is true, thus there must be a solution to the interpretation of Q, additionally abiding by the constraint of the clause. Since Q is ≺-maximal in N, we arrive at See Figure 1a for a visual representation of S N.
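As an added illustration of δ (not code from the paper), the following Python carries Example 20 through the production operator for constraints that are conjunctions of non-strict linear inequalities over Q: the projection π of Definition 15 is computed by Fourier-Motzkin elimination (a quantifier elimination procedure for this fragment), variable sharing from Definition 16 by added equalities, the substitutions σ and σi by renaming, and symbolic interpretations are kept as disjunctions of conjunctions so that ∪ is concatenation. The constraint of C1 is assumed as 0 ≤ y1 ≤ 2, 0 ≤ y2 ≤ 2, since the paper shows only the resulting S P; strict inequalities, ≉ and disjunctive constraints are outside what this toy handles.

```python
from fractions import Fraction
from itertools import product
# A constraint is a pair (coefs, rhs) meaning  sum(coefs[v] * v) <= rhs.
# A conjunction is a list of constraints; a symbolic interpretation maps each
# predicate to a list of conjunctions (a disjunction) over the reserved
# variables x1, x2, ...; the empty list is the bottom interpretation S_bot.

def le(coefs, rhs):
    """sum(coefs[v] * v) <= rhs"""
    return ({v: Fraction(c) for v, c in coefs.items() if c != 0}, Fraction(rhs))

def ge(coefs, rhs):
    """sum(coefs[v] * v) >= rhs, stored as the equivalent <= constraint"""
    return le({v: -c for v, c in coefs.items()}, -rhs)

def rename(conj, sigma):
    """Apply a variable-to-variable substitution sigma to a conjunction."""
    return [({sigma.get(v, v): c for v, c in co.items()}, r) for co, r in conj]

def eliminate(conj, var):
    """Fourier-Motzkin step: quantifier-free form of (exists var . conj)."""
    upper, lower, rest = [], [], []
    for co, r in conj:
        a = co.get(var, Fraction(0))
        (upper if a > 0 else lower if a < 0 else rest).append((co, r))
    out = list(rest)
    for uco, ur in upper:            # au*var + ... <= ur with au > 0
        for lco, lr in lower:        # al*var + ... <= lr with al < 0
            au, al = uco[var], -lco[var]
            combo = {}               # al*(upper) + au*(lower) cancels var
            for v in set(uco) | set(lco):
                c = al * uco.get(v, 0) + au * lco.get(v, 0)
                if v != var and c != 0:
                    combo[v] = c
            out.append((combo, al * ur + au * lr))
    return out

def normalize(conj):
    """Drop constant atoms, scale and deduplicate; None if unsatisfiable."""
    seen = {}
    for co, r in conj:
        if not co:                   # constant atom  0 <= r
            if r < 0:
                return None
            continue
        scale = abs(co[min(co)])
        key = tuple(sorted((v, c / scale) for v, c in co.items()))
        if key not in seen or r / scale < seen[key]:
            seen[key] = r / scale
    return [(dict(k), r) for k, r in seen.items()]

def produce(S, constraint, body, head):
    """delta(S, Lambda || body -> head): the disjunction produced for the head
    predicate; body is a list of (predicate, argument variables), head one pair."""
    hargs = head[1]
    sigma, sharing = {}, []
    for j, y in enumerate(hargs, start=1):
        if y in sigma:               # head P(y, y): equal positions must agree
            sharing += [le({f"x{j}": 1, sigma[y]: -1}, 0),
                        ge({f"x{j}": 1, sigma[y]: -1}, 0)]
        else:
            sigma[y] = f"x{j}"       # sigma maps head arguments to x1..xn
    choices = []
    for pred, args in body:          # sigma_i maps x1..xn of P_i^S to its args
        sigma_i = {f"x{k}": y for k, y in enumerate(args, start=1)}
        choices.append([rename(d, sigma_i) for d in S.get(pred, [])])
    disjuncts = []
    for pick in product(*choices):   # one conjunction per choice of disjuncts
        conj = list(constraint) + [c for d in pick for c in d]
        # projection pi: eliminate every variable not appearing in the head
        for v in sorted({v for co, _ in conj for v in co} - set(hargs)):
            conj = eliminate(conj, v)
        conj = normalize(rename(conj, sigma) + sharing)
        if conj is not None:
            disjuncts.append(conj)
    return disjuncts

def union(S, pred, disjuncts):
    """S u delta for one predicate: P^(S u delta) = P^S or P^delta."""
    T = dict(S)
    T[pred] = S.get(pred, []) + disjuncts
    return T

def satisfies(S, pred, point):
    """I_S |= P(a1, ..., an): the point solves some disjunct of P^S."""
    beta = {f"x{k}": Fraction(a) for k, a in enumerate(point, start=1)}
    return any(all(sum(c * beta[v] for v, c in co.items()) <= r for co, r in d)
               for d in S.get(pred, []))

def example_20():
    """Model construction for Example 20 with P < Q; clauses constructed here,
    the constraint of C1 is assumed (the paper shows only the resulting S_P):
       C1: 0 <= y1 <= 2, 0 <= y2 <= 2 || P(y1,y2)   C2: y3 >= y1+1, y4 >= y2+1 || P(y1,y2) -> Q(y3,y4)"""
    C1 = ([ge({"y1": 1}, 0), le({"y1": 1}, 2), ge({"y2": 1}, 0), le({"y2": 1}, 2)],
          [], ("P", ["y1", "y2"]))
    C2 = ([ge({"y3": 1, "y1": -1}, 1), ge({"y4": 1, "y2": -1}, 1)],
          [("P", ["y1", "y2"])], ("Q", ["y3", "y4"]))
    S = {}                                  # S_{<P} = S_bot
    S = union(S, "P", produce(S, *C1))      # S_P = delta(S_{<P}, C1)
    S = union(S, "Q", produce(S, *C2))      # S_N = S_Q = S_P u delta(S_P, C2)
    return S                                # Q^S_N comes out as x1 >= 1, x2 >= 1
```

Calling example_20() yields P interpreted as 0 ≤ x1 ≤ 2 ∧ 0 ≤ x2 ≤ 2 and, after y1 and y2 are projected away, Q as x1 ≥ 1 ∧ x2 ≥ 1.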
Example 21 (Unsaturated Clause Set). Assume P ≺ Q and consider the following set of clauses: Maximal literals are underlined. Note that a resolution inference is possible, since the maximal literals of C3 and C4 have opposite polarity, use the same predicate symbol, and are trivially unifiable. Thus, in this example we consider the effect of applying our model construction to a clause set that is not saturated. Since P is ≺-minimal, we start with the following steps: Next, we obtain the following results for Q: See Figure 1b for a visual representation of S N = S Q. Note that S N C4, since we have S N Q(0) but S N P(0). Thus, by using the constructed model, we can pinpoint clauses that contradict that N is saturated. Applying resolution to C3 and C4 leads to the clause y1 ≤ 0 P(y1), labelled C5. If we then add C5 to N, we instead get
In the following, we clarify some properties of the construction. We provide an upper bound for the number of LA atoms and quantifiers in the symbolic model for LRA and LQA. Although we do not state it explicitly, the estimate for LIA works in a similar way, but due to the higher complexity of LIA quantifier elimination, the size of the symbolic model grows triple exponentially [36].

Proposition 22. If N is a finite set of LRA/LQA constrained Horn clauses, and S′ N is the result of applying quantifier elimination to S N, then, for every predicate symbol P ∈ Π(N), the number of LA atoms in where n is the max. number of clauses with the same max. predicate, m is the max. number of non-arithmetic literals in a clause, l is the max. number of arithmetic literals in a clause, a is the max. arity of any predicate, p = |Π(N)|, and q is the max. difference of variables in any clause and its positive maximal literal.
Proof. We proceed in two steps:
1. We argue that, for is just a disjunction over these formulas (and possibly multiple other disjuncts that are ⊥) according to the definition of union for symbolic interpretations. Next, we argue the number of atoms and quantifiers for each of these n disjuncts of the form δ(S ≺P1, Λ C) separately: For the interpretation of P1, it results in a conjunction. The first l elements of the conjunction directly correspond to the elements of Λ, and since the number of atoms in Λ is bounded by l, this gives the first summand. Note that the second block of conjuncts, arising from conjunctively combining are all empty, since S ≺P1 = S ⊥. To see that the number of conjuncts generated by is bounded by a², assume that P1 is of the maximal arity a, and all arguments of the literal P1(*) are the same. Then, will generate a² equality atoms among these a variables. Hence, | atoms(P )) and | quants(P Step. For the same reason as in Case 1.1., P is a disjunction over at most n subformulas, one for each clause with maximal predicate Pi+1. We argue the number of atoms and quantifiers for each of these n disjuncts of the form δ(S ≺Pi+1, Λ C) separately: The summands l and a² are justified like in the base case. The additional summand is motivated by the fact that, in contrast to the base case, now S ≺Pi+1 = S Pi ≠ S ⊥. By the (strong) induction hypothesis, | atoms(P )) for all 1 ≤ i. We substitute using the hypothesis to get | atoms(P , drop the non-exponential summands and factor, which yields | atoms(P )|: The summand q is justified like in the base case. Like in the previous case, the additional summand m · max k≤i | quants(P )| is motivated by the fact that, in contrast to the base case, now S ≺Pi+1 = S Pi ≠ S ⊥. For each of the literals in C that refer to a predicate symbol Pj with j ≤ i, as many quantifiers as there are in P S≺Pi+1 j are generated by δ. By the (strong) induction hypothesis, | quants(P We substitute using the hypothesis to get | quants(P After expansion and simplification, this yields that | quants P

Note that | atoms(P (and the same is true for the number of quantifiers), which can be seen by Proposition 32.
2. We argue that by applying quantifier elimination to all P SN for P ∈ Π(N ), we obtain an S ′ N from S N which represents an equivalent interpretation, and we arrive at the conclusion. Let e(q, n) := n q denote the number of atoms after eliminating q quantifiers from the top of a formula with n atoms (see [32,14]). The inductive argument is very similar to Step 1; just note that we eliminate quantifiers at the level of the disjuncts that form ∆.
2.1. Base. For P 1 we have max. q quantifiers for each of the (at most) n clauses with P 1 as maximal predicate. Thus, O(| atoms(P

Step. By the induction hypothesis: For P i+1 we still have max. q quantifiers for each of the n clauses with P i+1 as maximal predicate. O | atoms(P

Corollary 23 (Effective Construction). If N is a finite set of constrained Horn clauses, then for every predicate P ∈ Π(N ), P SN is a linear arithmetic formula of finite size, and can be computed in a finite number of steps.

Proof. Corollary of Proposition 22. The construction terminates, since it computes S N from N (which are both finite) by a simple recursion (cf. Definition 18).
We show that all points in P I N are necessary and justified in some sense, that I N is indeed a model of N , and that I N is also the least model of N if N is saturated. The notion of whether a clause is productive captures whether it contributes something to the symbolic interpretation.
Next, we want to formally express that every element of the resulting interpretation is justified. Firstly, we express that the operator δ will produce points such that every clause is satisfied whenever necessary, i.e. whenever the maximal literal of the clause is P ( * ) and the maximal literal is not satisfied by S ≺P .

Proposition 25. Let Λ C C where C = C ′ ∨ P ( y) and C ′ ≺ P ( y). Let τ be a grounding substitution for

It remains to show that ∆ P P ( y)τ , i.e. ( y)τ ∈ P δ(S≺P ,ΛC C) , i.e. ((π({ y}, φ))σ ∧ ( y, x))β τ . We proceed in two steps, one per conjunct:

1. By definition of , for each conjunct x i ≈ x j in ( y, x), there are two variables y i = y j from y. The conjunct x i ≈ x j is satisfied by β τ , since β τ and τ are functions, therefore

2. To see (π({ y}, φ))σβ τ : From S ≺P (Λ C C)τ , we know Λ C τ , thus λτ for all λ ∈ Λ C , and that S ≺P (L i )τ for all literals L i from C ′ . Given that P S≺P i encodes S ≺P L i , it follows that P S≺P i σ i τ for all 1 ≤ i ≤ m. Thus, we may construct a potential witness for all existential quantifiers introduced by the application of π based on τ : By definition of σ and β τ , we have (y i )σβ τ = (y i )τ for all y i in y. Thus (φ)γ τ σβ τ is equivalent to (φ)τ . Again, reasoning from S ≺P (Λ C C)τ we arrive at (φ)τ , thus (π({ y}, φ))σβ τ with witness γ τ .

Hence ((π({ y}, φ))σ ∧ ( y, x))β τ , thus ∆ ΛC C P Λ C C, and by definition of S P , also

Secondly, we express that for every point in P I N , it is justified in the sense that there is a clause that produced the point, i.e. this clause would otherwise not be satisfied by the resulting interpretation.

Firstly, we argue that a ∈ P ∆P : For the construction of S ≺P only predicates Q s.t. Q ≺ P are considered, thus P S≺P = ∅. By definition of S P as the union of S ≺P and ∆ P , we have P S P = P S≺P ∪ P ∆P . Together with P S≺P = ∅ we have P S P = P ∆P , hence a ∈ P ∆P .
Secondly, we argue for the existence of Λ C C: ∆ P is defined as the union of ∆
• λτ for all λ ∈ Λ C immediately gives Λ C τ .
• (P S i σ i )τ for all 1 ≤ i ≤ m witnesses S ≺P L i τ , because the polarity of P S≺P i is opposite of the polarity of L i by definition of δ.
We have P S≺P = ∅, and that L is positive, thus S ≺P L. Together with the two above facts we arrive at S ≺P (Λ C C)τ .
To see that P ( y)τ = P ( a), consider that (y i )σ = x i , (x i )β x = a i , and γ has no effect on y by definition. Thus (y i )σβ x = (y i )τ = a i . In case there are two (or more, analogously) variables y i , y j in y where y i = y j and i < j, a i = a j is guaranteed: (y i )τ = (x)β x = a i directly by definition of σ and β x . y j is not in the domain of σ, however the equalities generated by ( y, x) ensure that (x i )β x = (x j )β x .

Also, observe that once the maximal predicate P of a given clause is interpreted by S P , the interpretation of the clause does not change for S Q where Q ≻ P . As a result, we know that the full model satisfies N , i.e., I N N if every clause is satisfied at the point of the construction where the interpretation of its maximal predicate P stays fixed.

Proof. Generally, for a predicate symbol S, we have P ∆ S = ∅ unless S = P by definition of ∆ S . S ≺Q is defined as the union of all ∆ S for S ≺ Q, thus P ∆P = P S P = P S≺Q . S Q is defined as the union of S ≺Q and ∆ Q . By definition of ∆ Q , the only predicate that ∆ Q may interpret as non-empty is Q. In particular, since P ≺ Q, we have P ∆Q = ∅, thus P S≺Q = P S Q . To see that P S Q = P S≺R = P S R , the same reasoning applies, i.e. P ∆R = ∅ unless P = R.

Proof. Assume Premises 1 and 2. Let Λ C C ∈ N . We distinguish two cases: By Proposition 26 there is a clause Λ D D ∈ N where D = D ′ ∨ P ( y), D ′ ≺ P ( y), and Λ D is satisfiable, that produces P ( z)σ. Assume, without loss of generality, that the sets of variables occurring in Λ C C and Λ D D are disjoint, i.e. vars(Λ C C) ∩ vars(Λ D D) = ∅. Let τ be the substitution that maps P ( y) to P ( z)σ. Since P ( y)τ = P ( z)σ, there exists a most general unifier between P ( y) and P ( z), which we call σ ′ . Then, since σ ′ is most general, there is a substitution τ ′ such that the substitution σ ′ τ ′ is equivalent to σ when restricted to vars(Λ C C) and equivalent to τ when restricted to vars(Λ D D). We have P ( y)σ ′ τ ′ = P ( y)τ = P ( z)σ. Consider the following ≺-resolution inference:

With the above propositions we show that indeed I N N if N is saturated and does not contain the empty clause. Additionally, we show that I N is the least model of N , establishing a connection between our approach and the literature on constrained Horn clauses (see [27, Section 4] and [15, Section 2.4.1]) and logic programming (see [31, § 6, p. 37]).

Fermüller and Leitsch define four postulates (see [19] as cited in [13, Section 5.1, p. 234]) regarding automated model building. In the following, we instantiate the postulates for our setting. By S(N ) we denote the set of all symbolic interpretations of the set of constrained Horn clauses N . We argue how our approach satisfies all postulates, one by one:

Uniqueness Each element of S(N ) specifies a single interpretation of N .
We have shown (cf. Theorem 31) that I N , the model represented by S N , is the least model of N , which is unique.
Atom Test There exists a fast procedure to evaluate arbitrary ground atoms over Π(N ) in the interpretation defined by an S in S(N ). This is a special case of clause evaluation (cf. Proposition 14): A ground atom P ( t) is true in S if and only if
Fulfillment of this property thus hinges on the meaning of "fast". We consider methods for evaluating formulas of LA against points to be fast.

Formula Evaluation There exists an algorithm deciding the truth values of arbitrary formulas in interpretations defined by S ∈ S(N ). Proposition 14 states that evaluating a constrained clause Λ C is achieved by evaluating the universal closure of (Λ C) S , which is decided by quantifier elimination algorithms for LRA, LQA, and LIA [32,14]. For sets of clauses, evaluate each clause individually and combine the results conjunctively.
Equivalence Test There exists an algorithm which decides whether two representations S 1 and S 2 in S(N ) describe the same interpretation. S 1 and S 2 describe the same interpretation if and only if for each predicate P ∈ Π(N ) of arity n, we have ∀x 1 . . . ∀x n . P S1 ( x) ↔ P S2 ( x).
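As an added illustration of the Atom Test, Formula Evaluation and Equivalence Test postulates above (example code written for this page, not the authors' implementation): symbolic interpretations are represented as quantifier-free LQA formulas in disjunctive normal form, the shape they have after the quantifier elimination of Proposition 22, and clauses are restricted to a single variable x whose other arguments are rational constants. Under that restriction the universal closure required by Proposition 14 does not need a general quantifier elimination procedure: a boolean combination of linear atoms in one variable has a constant truth value on each cell of the arrangement of the atoms' breakpoints, so one sample point per cell decides it exactly. The predicates P and Q, the clauses, and the data representation are constructed assumptions.

```python
from fractions import Fraction
from typing import Dict, List, Sequence, Tuple, Union

F = Fraction
Term = Union[str, Fraction]                        # the clause variable "x" or a rational constant
Atom = Tuple[Dict[int, Fraction], str, Fraction]   # sum_i c_i * arg_i  REL  const
DNF = List[List[Atom]]                             # quantifier-free P^S as a disjunction of conjunctions
Literal = Tuple[bool, str, List[Term]]             # (positive?, predicate symbol, argument terms)
Clause = Tuple[List[Atom], List[Literal]]          # constrained clause  Λ ∥ C  over the single variable x


def eval_atom(atom: Atom, point: Sequence[Fraction]) -> bool:
    """Evaluate one linear atom at a point (argument position i -> point[i])."""
    coeffs, rel, const = atom
    lhs = sum((c * point[i] for i, c in coeffs.items()), F(0))
    return {"<": lhs < const, "<=": lhs <= const, "=": lhs == const,
            ">=": lhs >= const, ">": lhs > const}[rel]


def holds(dnf: DNF, point: Sequence[Fraction]) -> bool:
    """Atom Test: the ground atom P(point) is true in S iff point satisfies P^S."""
    return any(all(eval_atom(a, point) for a in conj) for conj in dnf)


def _subst(args: List[Term], x: Fraction) -> List[Fraction]:
    return [x if t == "x" else t for t in args]


def _breakpoint(atom: Atom, args: List[Term]):
    """Value of x at which the atom (with args substituted) can change truth value, if any."""
    coeffs, _, const = atom
    slope = sum((c for i, c in coeffs.items() if args[i] == "x"), F(0))
    offset = sum((c * args[i] for i, c in coeffs.items() if args[i] != "x"), F(0))
    return None if slope == 0 else (const - offset) / slope


def _samples(breaks: List) -> List[Fraction]:
    """One representative point per cell of the 1-D arrangement induced by the breakpoints.

    Truth is constant on every breakpoint and on every open interval between
    consecutive breakpoints, so these finitely many points decide the universal closure.
    """
    b = sorted({v for v in breaks if v is not None})
    if not b:
        return [F(0)]
    mids = [(p + q) / 2 for p, q in zip(b, b[1:])]
    return [b[0] - 1] + b + mids + [b[-1] + 1]


def clause_true_at(S: Dict[str, DNF], clause: Clause, x: Fraction) -> bool:
    """Truth of the ground instance (Λ ∥ C){x -> value} in S."""
    constraint, literals = clause
    if not all(eval_atom(a, [x]) for a in constraint):
        return True                      # Λ is false: the implication Λ -> C holds trivially
    return any(holds(S[pred], _subst(args, x)) == positive
               for positive, pred, args in literals)


def clause_true(S: Dict[str, DNF], clause: Clause) -> bool:
    """Formula Evaluation (Proposition 14, one-variable case): decide forall x. (Λ ∥ C)^S."""
    constraint, literals = clause
    breaks = [_breakpoint(a, ["x"]) for a in constraint]
    for _, pred, args in literals:
        breaks += [_breakpoint(a, args) for conj in S[pred] for a in conj]
    return all(clause_true_at(S, clause, v) for v in _samples(breaks))


def equivalent_unary(p1: DNF, p2: DNF) -> bool:
    """Equivalence Test for a unary predicate: forall x. P^S1(x) <-> P^S2(x)."""
    breaks = [_breakpoint(a, ["x"]) for conj in p1 + p2 for a in conj]
    return all(holds(p1, [v]) == holds(p2, [v]) for v in _samples(breaks))


# Constructed sample interpretation (an assumption for this example, not from the paper):
#   P(x, y) holds iff x >= 0 and y = 2x        Q(x) holds iff x > 4 or x < -1
S_DEMO: Dict[str, DNF] = {
    "P": [[({0: F(1)}, ">=", F(0)), ({0: F(-2), 1: F(1)}, "=", F(0))]],
    "Q": [[({0: F(1)}, ">", F(4))], [({0: F(1)}, "<", F(-1))]],
}
# x > 4  ∥  ¬P(x, x) ∨ Q(x)   holds for every x, since P(x, x) forces x = 0
CLAUSE_OK: Clause = ([({0: F(1)}, ">", F(4))], [(False, "P", ["x", "x"]), (True, "Q", ["x"])])
# x >= 0  ∥  Q(x)             fails, e.g. at x = 0
CLAUSE_BAD: Clause = ([({0: F(1)}, ">=", F(0))], [(True, "Q", ["x"])])

if __name__ == "__main__":
    print(holds(S_DEMO["P"], [F(1), F(2)]), holds(S_DEMO["P"], [F(1), F(3)]))   # True False
    print(clause_true(S_DEMO, CLAUSE_OK), clause_true(S_DEMO, CLAUSE_BAD))         # True False
```

For clauses with several variables, or for LIA, the same atom evaluator still provides the Atom Test, but deciding the universal closure then needs a quantifier elimination procedure for the respective theory, as the Formula Evaluation postulate states; the one-variable cell sampling above is a special case of that.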

Conclusion
We have presented the first model construction approach to Horn clauses with linear arithmetic constraints based on hierarchic ordered resolution (cf. Definition 19). The linear arithmetic constraints may range over the reals, rationals, or integers. The computed model is the canonical least model of the saturated Horn clause set (cf. Theorem 31). Clauses can be effectively evaluated with respect to the model (cf. Proposition 14). This offers a way to explore the properties of a saturated clause set, e.g., if the set represents a failed refutation attempt.
Future Work It is straightforward to see that any symbolic LQA model is also a symbolic LRA model. (This holds due to convexity of conjunctions of ground LQA atoms.) So even if the axiom of choice is not assumed, there is an alternative way to obtain a model for an HBS(LRA) clause set: simply treat it as an HBS(LQA) clause set, saturate it, and construct its model based on HBS(LQA).
In this work, we restrict ourselves to only one sort LA per set of clauses. An extension to a many-sorted setup, e.g. including first-order variables with sort F, is possible. This can even be simulated by encoding first-order constants as concrete natural numbers via a bijection to N, since N ⊂ U. By not placing any arithmetic constraints on the variables used for the encoding, it can be read off and mapped back from the resulting model.
One obvious challenge is relaxing the restriction to Horn clauses. With respect to ordered resolution saturation there is typically no difference, in the sense that if a Horn fragment can always be finitely saturated, so can the non-Horn fragment. However, our proposed ordering for the model construction at the granularity of predicate symbols will not suffice in this general case, and the key to overcoming this challenge seems to be the appropriate treatment of clauses with maximal literals of the same predicate. Backtracking on the selection of literals might also be sufficient.
The approach we presented does not exploit features of linear arithmetic beyond equality and the existence of a well-founded order for the underlying universe U. The results may therefore be adapted to other constraint domains such as non-linear arithmetic.
Horn if it contains at most one positive literal, i.e. n ≤ 1. In Section 3, all clauses considered are Horn clauses. If Y is a term, formula, or a set thereof, vars(Y ) denotes the set of all variables in Y , and Y is ground if vars(Y ) = ∅. Analogously, Π(Y ) is the set of predicate symbols occurring in Y .
saturated and ∈ N

Towards that goal, we define the operator δ(S, Λ C ′ ∨ P ( y)). It takes a symbolic interpretation S, and a Horn clause with maximal literal P ( y). It results in a symbolic interpretation that accounts for Λ C ′ ∨ P ( y).

Definition 17 (Production Operator). Let Λ C be a constrained Horn clause, where C = C ′ ∨ P ( y), P ( y) ≻ C ′ , and C ′ = ¬P 1 (y 1,1 , . . ., y 1,n1 ) ∨ • • • ∨ ¬P m (y m,1 , . . ., y m,nm ). Let S be a symbolic interpretation, where the free variables of P S are x and the free variables of P S i are x i (for 1 ≤ i ≤ m). Note that n = | y| = | x| = arity(P ).

Figure 1: Visual representation of the models resulting from Examples 20 and 21.

Proposition 26. If S P P ( a), then there exists a clause Λ C C where C = C ′ ∨ P ( y) and C ′ ≺ P ( y), and there exists a grounding τ for Λ C C, such that P ( a) = P ( y)τ and S ≺P (Λ C C)τ .

Proof. Assume S P P ( a).

Corollary 27. Let P ≺ Q R, and P be maximal in clause C. If S P Λ C C or S ≺Q Λ C C, then S ≺R Λ C C and S R Λ C C.

Proof. Corollary of Proposition 32.

Proposition 28. For every clause Λ C C ∈ N with maximal predicate P , if S P Λ C C, then I N N .

Proof. Follows from Corollary 27 and the fact that I N = S Q where Q is the ≺-maximal predicate symbol in N .

Some auxiliary lemmas follow.

Proposition 32. Let P , Q, and R be predicate symbols. If P ≺ Q and Q R, then P S P = P S≺Q = P S Q = P S≺R = P S R .

Corollary 33. Let P , Q, and R be predicate symbols. If 1. P ≺ Q, and 2. Q R, and 3. S P [¬]P ( x)σ or S ≺Q [¬]P ( x)σ, then I ≺R [¬]P ( x)σ and I R [¬]P ( x)σ.

Proof. Corollary of Proposition 32.

Proposition 34. Let Λ D D be a constrained Horn clause with D = D ′ ∨ P ( y). If Λ D D produces P ( y)τ , then for all grounding substitutions σ such that S ≺P (Λ D D ′ )σ, for all Q such that P Q, we have S Q (Λ D D ′ )σ.

Proof. Since Λ D D produces P ( y)τ , all literals in D ′ are strictly ≺-smaller than P ( y), and S ≺P Λ D D. Let σ be a grounding substitution such that S ≺P (Λ D D ′ )σ. Assume, towards a contradiction, that the proposition does not hold, i.e. P Q and S Q (Λ D D ′ )σ. Then we have Λ D σ and S Q ([¬]R( * ))σ for some literal [¬]R( * ) in D ′ . However, by assumption, all literals in D ′ are strictly ≺-smaller than P ( y), i.e. R ≺ P . Thus their respective interpretation is contained in S ≺P by construction, i.e. R S R = R S≺P = R S Q . This contradicts S ≺P (Λ D D ′ )σ.

Proposition 35. Let ≺ be a clause ordering and N be a finite set of constrained Horn clauses. If (1.) N is saturated w.r.t. ≺-resolution, and (2.) there is no Λ ⊥ ∈ N where Λ is satisfiable, then for every clause Λ C C ∈ N , Λ C C or P is maximal in C and S P Λ C C.

Theorem 29. Let ≺ be a clause ordering and N be a set of constrained Horn clauses. If (1.) N is saturated w.r.t. ≺-resolution, and (2.) ∈ N , then I N N .

Proof. By Proposition 35 and Proposition 28.

For clauses with positive maximal literal, the fact that they are satisfied by I N follows from Proposition 25. For clauses with maximal literal ¬P ( * ), we prove this theorem by contradiction: If there is a minimal clause Λ C C such that S N Λ C C, we can then exploit Proposition 26 to find the smallest clause Λ D D that produced the respective instance P ( a). Applying hierarchic ≺-resolution to Λ C C and Λ D D then yields a non-redundant clause. This idea then leads to the following theorem.

Corollary 30. Let ≺ be a clause ordering and N be a set of constrained Horn clauses. If (1.) I N N , and (2.) ∈ N , then there exist two clauses Λ C C, Λ D D ∈ N such that: (1.) Λ C C is the smallest clause not satisfied by I N , i.e. there exists a grounding τ such that I N .) Λ D D is the minimal clause that produces P ( a), (4.) ≺-resolution is applicable to Λ C C and Λ D D, and (5.) the resolvent of Λ C C and Λ D D is not redundant w.r.t. N .

Proof. Similar to Case 2.2. in the proof of Proposition 35.

Theorem 31. I N is the least model of N .

Proof. Assume, towards a contradiction, that I N is not the least model of N , i.e. there exists an interpretation I such that I ⊂ I N and I N . Since I ⊂ I N , there is a predicate symbol P and a point a such that a ∈ P IN , i.e. I N P ( a), but a ∈ P I , i.e. I P ( a). Assume, w.l.o.g., that P is minimal, i.e. Q IN = Q I for all Q ≺ P . By Proposition 26, from I N P ( a) it follows that there is a clause Λ C C ∈ N such that C = C ′ ∨ P ( y), C ′ ≺ P ( y), τ is a grounding for Λ C C, P ( a) = P ( y)τ , and S ≺P (Λ C C)τ . From S ≺P (Λ C C)τ we know that S ≺P (Λ C C ′ )τ and by Proposition 32 we have I N (Λ C C ′ )τ . Since C ′ ≺ P ( y) and by minimality of P , we know that I N and I agree on Λ C C ′ , i.e. I (Λ C ′ )τ . However, I N , which implies I (Λ C C)τ , requires I P (a), which contradicts the assumption I P ( a).