A formal proof and simple explanation of the QuickXplain algorithm

In his seminal paper of 2004, Ulrich Junker proposed the QuickXplain algorithm, which provides a divide-and-conquer computation strategy to find within a given set an irreducible subset with a particular (monotone) property. Beside its original application in the domain of constraint satisfaction problems, the algorithm has since then found widespread adoption in areas as different as model-based diagnosis, recommender systems, verification, or the Semantic Web. This popularity is due to the frequent occurrence of the problem of finding irreducible subsets on the one hand, and to QuickXplain’s general applicability and favorable computational complexity on the other hand. However, although (we regularly experience) people are having a hard time understanding QuickXplain and seeing why it works correctly, a proof of correctness of the algorithm has never been published. This is what we account for in this work, by explaining QuickXplain in a novel tried and tested way and by presenting an intelligible formal proof of it. Apart from showing the correctness of the algorithm and excluding the later detection of errors (proof and trust effect), the added value of the availability of a formal proof is, e.g., (i) that the workings of the algorithm often become completely clear only after studying, verifying and comprehending the proof (didactic effect), (ii) that the shown proof methodology can be used as a guidance for proving other recursive algorithms (transfer effect), and (iii) the possibility of providing “gapless” correctness proofs of systems that rely on (results computed by) QuickXplain, such as numerous model-based debuggers (completeness effect).


Introduction
The task of finding within a given universe an irreducible subset with a specific monotone property is referred to as the MSMP (Minimal Set subject to a Monotone Predicate) problem (Marques-Silva et al. 2007. Take the set of clauses S :¼ f:C; A _ :B; C _ :B; :A; Bg as an example. This set is obviously unsatisfiable. One task of interest expressible as an MSMP problem is to find a minimal unsatisfiable subset (MUS) of these clauses (which can help, e.g., to understand the cause of the clauses' inconsistency). At this, S is the universe, and the predicate that tells whether a given set of clauses is satisfiable is monotone, i.e., any superset (subset) of an unsatisfiable (satisfiable) clause set is unsatisfiable (satisfiable). In fact, there are two MUSes for S, i.e., f:C; C _ :B; Bg and fA _ :B; :A; Bg. We call a task, such as MUS, that can be formulated as an MSMP problem a manifestation of the MSMP problem.
Numerous algorithms to solve manifestations of the MSMP problem have been suggested in literature, e.g., Marques-Silva et al. (2013), Rodler (2015), Junker (2001), Junker (2004), Bradley and Manna (2007), Bradley and Manna (2008), Rodler et al. (2017), Shchekotykhin et al. (2014), Shchekotykhin et al. (2015), Felfernig et al. (2012), Belov andMarques-Silva (2012). For instance, the algorithm proposed by Felfernig et al. (2012) addresses the problem of the computation of minimal correction subsets (diagnoses), and the one suggested by Rodler et al. (2017) computes minimal oracle queries that preserve some optimality property. In general, an algorithm A for a specific manifestation of the MSMP problem can be used to solve arbitrary manifestations of the MSMP problem if (i) the procedure used by A to decide the monotone predicate is used as a black-box (i.e., given a subset of the universe as input, the procedure outputs 1 if the predicate is true for the subset and 0 otherwise; no more and no less), and (ii) no assumptions or additional techniques are used in A which are specific to one particular manifestation of the MSMP problem.
Not all algorithms meet these two criteria. For instance, there are algorithms that rely on additional outputs beyond the mere evaluation of the predicate (e.g., certificate-refinementbased algorithms (Marques-Silva et al. 2013)), or glass-box approaches that use non-trivial modifications of the predicate decision procedure to solve the MSMP problem (e.g., theorem provers that record the axioms taking part in the deduction of a contradiction while performing a consistency check (Kalyanpur 2006)). These methods violate (i). Moreover, e.g., algorithms geared to the computation of minimal unsatisfiable subsets that leverage a technique called model rotation (Marques-Silva and Lynce 2011) are not applicable, e.g., to the problem of finding minimal correction subsets, since there is no concept equivalent to model rotation for minimal correction subsets (Marques-Silva et al. 2013). Thus, such algorithms violate (ii).
Among the general MSMP algorithms that satisfy (i) and (ii), QUICKXPLAIN (Junker 2004) (QX for short), proposed by Ulrich Junker in 2004, is one of the most popular and most frequently adopted. 1 Likely reasons for the widespread use of QX are its mild theoretical complexity in terms of the number of (usually expensive 2 ) predicate evaluations required (Marques-Silva et al. 2013;Junker 2004), as well as its favorable practical performance for important problems (such as conflict (Shchekotykhin et al. 2008) or diagnosis (Shchekotykhin et al. 2014) computation for model-based diagnosis). In literature, QX is utilized in different ways; it is (a) (re)used as is for suitable manifestations of MSMP (Felfernig et al. 2004), (b) adapted in order to solve other manifestations of MSMP (Rodler 2015), as well as (c) modified or extended, respectively, e.g., to achieve a better performance for a particular MSMP manifestation (Marques-Silva et al. 2013), to solve extensions of the MSMP problem (Rodler et al. 2017), or to compute multiple minimal subsets of the universe in a single run (Shchekotykhin et al. 2015).
Despite its popularity and common use, from the author's experience and a recently conducted structured survey 3 , QX appears to be quite poorly understood by reading and thinking through the algorithm, and, for most people, requires significant and time-consuming attention until they are able to properly explain the algorithm. In particular, people often complain they do not see why it correctly computes a minimal subset of the universe. This is not least because no proof of QX has yet been published.
In this work, we account for this by (1) explaining QX by means of an alternative tried and tested ''flat'' notation that proved to convey the intuition behind the algorithm well and to be more accessible to people than the usually adopted tree notation in our experience, and by (2) presenting a clear and intelligible proof of QX. The public availability of a proof comes with several benefits and serves i.a. the following purposes: 1 Judged by taking the citation tally on Google Scholar as a criterion; as of October 2021, the QUICKXPLAIN paper boasts 510 citations. 2 In many manifestations of the MSMP problem, predicate decision procedures are implemented by theorem provers, e.g., SAT-solvers (Marques-Silva et al. 2013) or description logic reasoners (Rodler 2015). 3 In our research and teaching on model-based diagnosis, we frequently discuss and analyze QX-one of the core algorithms used in our works and prototypes-with students as well as other faculty (including highly proficient university professors specialized in, e.g., algorithms and data structures). The feedback of people is usually that they cannot fully grasp the workings of QX before they take significant time to go through a particular example thoroughly and noting down all single steps of the algorithm. According to people's comments, the main obstacle appears to be the recursive nature of the algorithm. A recent structured survey among computer science researchers and university teachers in this regard made these experiences even more explicit and concrete (the results of the survey can be accessed at http://isbi.aau.at/ ontodebug/evaluation).
Proof Effect (a) It shows QX's correctness and makes it verifiable for everyone in a straightforward step-by-step manner (without the need to accomplish the non-trivial task of coming up with an own proof). (b) It creates compliance with common scientific practice. That is, every proposal of an algorithm should be accompanied with a (full and public) formal proof of correctness. This demand is even more vital for a highly influential algorithm like QX. Didactic Effect (a) It promotes (proper and full) understanding (Hanna and Jahnke 1996) of the workings of QX, which is otherwise for many people only possible in a laborious way (e.g., by noting down and exercising through examples and attempting to verify QX's soundness on concrete cases). (b) It provides the basis for understanding (hundreds of) other works or algorithms that use, rely on, adapt, modify or extend QX. Completeness Effect It is necessary to establish and prove the full correctness of other algorithms that rely on (the correctness of) QX, such as a myriad of algorithms in the field of model-based diagnosis. Trust and Sustainability Effect It excludes the possibility of the (later) detection of flaws in the algorithm, and is thus the only basis for placing full confidence in the properfunctioning of QX. 4 Transfer Effect It showcases a proof template for recursive algorithms and may thus provide guidance to researchers when approaching the (often challenging task of formulating a) proof of other recursive algorithms.
The rest of this paper is organized as follows. We discuss related work in Sect. 2, before we briefly introduce the theoretical concepts required for the understanding and proof of QX in Sect. 3. Then, in Sect. 4, we state the QX algorithm in a (slightly) more general formulation than originally published in Junker (2004), i.e., we present QX as a general method to tackle the MSMP problem. 5 In addition, we explain the functioning of QX, and present an illustrative example using a notation that proved particularly comprehensible in our experience. 6 The proof is given in Sect. 5. In Sect. 6 we explain the proof template we adopted in our proof, which may serve as a reference point for proving other recursive algorithms as well. Concluding remarks are made in Sect. 7. Bradley andManna (2007, 2008) discuss and prove an MSMP algorithm dubbed MIN. As a side note in Bradley and Manna (2008), they mention that MIN is equivalent to an algorithm also called QUICKXPLAIN which was proposed earlier in Junker (2001) (we refer to this latter 4 A prominent example which shows that even seminal papers are not charmed against errors in absence of formal proofs, and thus underscores the importance of (public) proofs, is the highly influential paper of Raymond Reiter from 1987(Reiter 1987. It proposes the hitting set algorithm for model-based diagnosis, but omits a formal proof of correctness. And, indeed, a critical error in the algorithm was later found (and corrected) by Greiner et al. (1989). 5 The original algorithm was depicted specifically as a searcher for explanations or relaxations for overconstrained constraint satisfaction problems (CSPs). Although the proper interpretation of the original formulation to address arbitrary MSMP problems different from CSPs may be relatively straightforward (for people familiar with CSPs), we believe that our more general depiction (cf. Marques-Silva et al. (2013)) can help readers non-familiar with the domain of CSPs to understand and correctly use QX without needing to properly re-interpret concepts from an unknown field. 6 We (informally) experimented with different variants how to explain QX, and found out (through the feedback of discussion partners, e.g., students) that the shown representation was more accessible than others. algorithm by QX old ). Apart from the fact that there is no proof that MIN is indeed equivalent to QX old (which is not clear from the descriptions in Bradley andManna (2007, 2008)), both of these algorithms, MIN and QX old , are different to QX.

Related work
First, QX old , although returning the same output, is not equal to QX. A critical difference, e.g., is the algorithm part consisting of lines 5-11 in QX old (Junker 2001, Fig. 3), which is not used in QX and which affects the algorithm's complexity. Also, note that no public proof is available for QX old . Second, MIN, although being similar to QX and having the same worst-case complexity given that QX uses a divide-and-conquer strategy that splits sets into equally-sized subsets, works in fact differently from QX. To see this, consider a universe of elements f1; 2; 3; 4; 5; 6g which subsumes exactly the two minimal subsets X 1 ¼ f1; 2; 4g and X 2 ¼ f4; 6g subject to a monotone predicate p. In this case, MIN would return X 2 , whereas QX would output X 1 . Table 1 summarizes the discussed differences between our work and related ones (Junker 2001(Junker , 2004Bradley andManna 2007, 2008).
Consequently, the correctness proof of MIN given in Bradley andManna (2007, 2008) proves an algorithm that is different from QX. Moreover, the proof of MIN does not appear to be of great help to better understand the related QX algorithm, as the reader needs to become familiar with the notation and concepts used in Bradley andManna (2007, 2008) in the first place, and needs to map the pseudocode notation of Bradley andManna (2007, 2008) to the largely different one adopted by Junker in the original QX-paper (Junker 2004).
In contrast, our proof does show the correctness of the QX algorithm, and we present the algorithm in a very similar notation as used in Junker's original paper (Junker 2004). Beyond that, the intention of our proof is to prove and explain QX (Hanna 2000(Hanna , 1990, rather than to solely prove it. To this end, e.g., we (1) segment our proof into small, intuitive, and easily digestible chunks, thus putting a special focus on its clarity, elucidation, and didactic value, (2) provide visualizations of the interrelations between and of the sequence and meaning of the individual proof steps by means of diagrams (cf. Figs. 1 and 2), (3) organize the proof in a way it is illustrative and amenable to a mental ''tracking'' in that it can be viewed as directly traversing the algorithm's call-recursion-tree while verifying the correctness of all transitions in the tree (cf. Fig. 1), and (4) explicate the proof template adopted in our proof in order to promote the reader's comprehension of Table 1 Comparison of the present work with related works wrt. the discussed algorithm and proof. By min we refer to the algorithm stated in (Bradley and Manna 2007, Fig. 2) as well as in (Bradley and Manna 2008, Fig. 3), by QX old to the algorithm also named QUICKXPLAIN given in (Junker 2001, Fig. 3), and by QX to the algorithm given in (Junker 2004, Fig. 1). The U ðÃÞ holds under the condition that the SPLIT function (which rules the divide-and-conquer mechanism, cf. Sect. 4) used in QX is defined to partition sets into equallysized subsets the underlying general proof principle and to provide them with well-founded justifications for the individual proof steps (cf. Sect. 6).

Basics
QX can be employed to find, for an input set U, a minimal 7 subset X U that has a certain monotone property p. An example would be an (unsatisfiable) knowledge base (set of logical sentences) U for which we are interested in finding a minimal unsatisfiable subset (MUS) X.  Fig. 1 Call-recursion-tree produced by QX (cf. Sect. 4). The grayscale part of the figure provides a schematic illustration of the procedure calls executed in a single run of QX (where the recursion is entered, i.e., no trivial case applies). Each node (ellipse) represents one call of the procedure named within the ellipse. Edge labels (7,16,17) refer to the lines in Alg. 1 where the respective call is made. White ellipses (non-leaf nodes) are calls that issue further recursive calls (in lines 16 and 17), whereas gray ellipses (leaf nodes) are calls that directly return (i.e., in line 10 or 12). The colored part of the figure visualizes the meaning and consequences of the theorem (T1) and the various propositions (Pi, for i 2 f3; 4; 5; 6; 7; 8g) that constitute the proof (cf. Sect. 5). Red arrows indicate proven propagations of the invariant property Invar (see Definition 4) between calls. Green arrows and labels indicate that respective calls return correct outputs. Start to read the colored illustrations from the top, just like QX proceeds. That is, due to P3, direct returns yield correct outputs. If QX 0 is called, Invar holds by P4. If Invar holds for some call, then it is always propagated downwards to the left subtree because of P5. At the first leaf node, a correct output is returned, also due to P5. If the output of a left subtree is correct, then Invar propagates to the right subtree (P6). If the output of both the left and the right subtree is correct, then the output of the root is correct (P7). If Invar holds at the root call of some (sub)tree, then this root call returns a correct output (P8). Note how these propositions guarantee that Invar, and thus correct outputs, can be derived for all nodes of the call-recursiontree. Intuitively, red arrows propagate Invar downwards through the tree, which then ensures correct outcomes at the leafs, from where these correct outputs enable further propagation of Invar to the right, from where the inferred correct outputs are recursively propagated upwards until the root node is reached 7 Throughout this paper, minimality always refers to minimality wrt. set-inclusion.
Definition 1 (Monotone Property) Let U be the universe (a set of elements) and p : 2 U ! f0; 1g be a function where pðXÞ ¼ 1 iff property p holds for X U. Then, p is a monotone property iff pð;Þ ¼ 0 and 8X 0 ; X 00 U : X 0 & X 00 )pðX 0 Þ pðX 00 Þ So, p is monotone iff, given that p holds for some set X 0 , it follows that p also holds for any superset X 00 of X 0 . An equivalent definition is: If p does not hold for some set X 00 , p does not hold for any subset X 0 of X 00 either.
In practical applications it is often a requirement that (a) some elements of the universe must not occur in the sought minimal subset, or (b) the minimal subset of the universe should be found in the context of some reference set. Both cases (a) and (b) can be subsumed as searching for a minimal subset of the analyzed set A given some background B. In case (a), B is defined as a subset of the universe U (e.g., in a fault localization task, those sentences of a knowledge base U that are assumed to be correct) and A is constituted by all other elements of the universe U n B (those sentences in U that are possibly faulty); in case (b), B is some additional set of relevance to the universe (e.g., a knowledge base of general medical knowledge), whereas A is the universe itself (e.g., a knowledge base describing a medical sub-discipline). For example, the problem of finding a MUS wrt. A given background B would be to search for a minimal set X of elements in A such that X [ B is unsatisfiable.
Definition 2 (p-Problem-Instance) Let A (analyzed set) and B (background) be (related) finite sets of elements where A \ B ¼ ;, and let p be a monotone predicate. Then we call the tuple A; B h i a p-problem-instance (p-PI).
Definition 3 (Minimal p-Set (given some Background)) Let A; B h i be a p-PI. Then, we call X a p-set wrt.
Immediate consequences of Definitions 1 and 3 are:

Brief review and simple explanation of QX
The QX algorithm is depicted by Alg. 1. It gets as input a p-PI A; B h iand assumes a sound and complete oracle that answers queries of the form p(X) for arbitrary X A [ B. 9 If existent, QX returns a minimal p-set wrt. A; B h i; otherwise, 'no p-set' is output. Note, in order to not overload the discussion, we focus in this work on QX's property of computing a minimal p-set (instead of a preferred one, as in the original paper (Junker 2004)). That is, Alg. 1 does not include line 6 of the original algorithm. The minimality property of QX is key to solving the general MSMP problem which has numerous manifestations in a wide variety of research and application fields, as outlined in Sect. 1. In a nutshell, QX works as follows: Trivial Cases: Before line 7 is reached, the algorithm checks if trivial cases apply, i.e., if either no p-set exists (line 2; cf. Proposition 1.(1)) or a p-set does exist and the analyzed set A is empty (line 4), and returns according outputs. In case the execution reaches line 7, the recursive procedure QX 0 is called. In the very first execution of QX 0 , the presence of two other trivial cases for the original input p-PI A; B h i is checked in lines 9 and 11. 10 (Line 9): If pðBÞ ¼ 1, then the empty set, the only minimal p-set in this case (cf. Proposition 1.(2)), is directly returned and QX terminates. 11 Otherwise, we know the empty set is not a p-set, i.e., every (minimal) p-set is non-empty. (Line 11): If the analyzed set A is a singleton, then A is directly returned and QX terminates. Recursion: Subsequently, the recursion is started. The principle is to partition the analyzed set A ¼ fa 1 ; . . .; a jAj g into two non-empty (e.g., equal-sized) subsets A 1 ¼ fa 1 ; . . .; a k g and A 2 ¼ fa kþ1 ; . . .; a jAj g (SPLIT and GET functions; lines 13-15), and to analyze these subsets recursively (divide-and-conquer). In this vein, a binary call-recursion-tree is built (as sketched by the grayscale part of Fig. 1), including the root QX 0 -call made in line 7 and two subtrees, the left one rooted at the call of QX 0 in line 16 which analyzes A 2 , and the right one rooted at the call of QX 0 in line 17 which analyzes A 1 . Let the finally returned minimal p-set be denoted by X, and let us call all elements of X relevant, all others irrelevant. Then, the left subtree (finally) returns the subset of those elements (X 2 ) from A 2 that belong to X, and the right subtree (finally) returns the subset of those elements (X 1 ) from A 1 that belong to X.
-Arguments of the recursive procedure QX 0 : The arguments D; A; B h i passed to the procedure QX 0 can be intuitively understood as follows. A; B h iis the p-PI analyzed by the respective QX 0 -call. D is (only 12 ) relevant when QX 0 was called in line 17 and essentially indicates whether some relevant element was found while analyzing A 2 in the left subtree (QX 0 -call in line 16). If so (D ¼ X 2 6 ¼ ;), then D ''activates'' the test (pðBÞ ¼ 1?) in line 9 that checks if an exploration of the right subtree (A 1 ) is superfluous (or, in other words, if a full minimal p-set is already contained in A 2 ). Otherwise (D ¼ X 2 ¼ ;; no relevant element in A 2 ), D ''deactivates'' this check since a relevant element must be included in A 1 (because at least one of A 1 and A 2 must include a relevant element), and therefore returning ; in line 10 as a result for A 1 must be precluded.
-Left subtree (recursive QX 0 -call in line 16): The first question is: Are all elements of A 2 irrelevant? Or, equivalently: Does B [ A 1 already contain a minimal p-set, i.e., pðB [ A 1 Þ ¼ 1? This is evaluated in line 9; note: D ¼ A 1 6 ¼ ;. If positive, ; is returned and the subtree is not further expanded. Otherwise, we know there is some relevant element in A 2 . Hence, the analysis of A 2 is started. That is, in line 11, the singleton test is performed for A 2 . In the affirmative case, we have proven that the single element in A 2 is relevant. The reason is that pðB [ A 1 Þ ¼ 0, as verified in line 9 just before, and that adding the single element in A 2 makes the predicate true, 13 i.e., pðB [ A 1 [ A 2 Þ ¼ pðB [ AÞ ¼ 1, as verified in line 2 at the very beginning. If A 2 is a non-singleton, it is again partitioned and the subsets are analyzed recursively, which results in two new subtrees in the call-recursion-tree. -Right subtree (recursive QX 0 -call in line 17): Here, we can distiguish between two possible cases, i.e., either the set X 2 returned by the left subtree is (i) empty or (ii) nonempty. Given (i), we know that A 1 must include a relevant element. Reason: B [ A 1 contains a minimal p-set (as verified in the left subtree before returning the empty set) and every p-set is non-empty (as verified in line 9 in the course of checking the Trivial Cases, see above). Hence, A 1 is further analyzed in lines 11 et seqq. (which might lead to a direct return if A 1 is a singleton and thus relevant, or to further recursive subtrees otherwise). For (ii), the question is: Given the subset X 2 of the p-set, are all elements of A 1 irrelevant? Or, equivalently: Does B [ X 2 already contain a minimal p-set, i.e., pðB [ X 2 Þ ¼ 1? This is answered in line 9; note: D ¼ X 2 6 ¼ ; due to case (ii). In the affirmative case, the empty set is returned, i.e., no elements of A 1 are relevant and the final p-set X found by QX is equal to X 2 . If the answer is negative, A 1 does include some relevant element and is thus further analyzed in lines 11 et seqq. (which might lead to a direct return if A 1 is a singleton and thus relevant, or to further recursive subtrees otherwise).
Finally, the union of the outcomes of left (X 2 ) and right (X 1 ) subtrees is a minimal p-set wrt. A; B h i and returned in line 18.
Example 1 We illustrate the functioning of QX by means of a simple example.
Input Problem and Parameter Setting: Assume the analyzed set A ¼ f1; 2; 3; 4; 5; 6; 7; 8g, the initial background B ¼ ;, and that there are two minimal p-sets wrt. A; B h i, X ¼ f3; 4; 7g and Y ¼ f4; 5; 8g. Further, suppose that QX pursues a splitting strategy where a set is always partitioned into equal-sized subsets in each iteration, i.e., splitðnÞ returns d n 2 e (note: this leads to the best worst-case complexity of QX, cf. Junker (2004)). Notation: Below, we show the workings of QX on this example by means of a tried and tested ''flat'' notation. 14 In this notation, the single-underlined subset denotes the current input to the function p in line 9, the double-underlined elements are those that are already fixed elements of the returned minimal p-set, and the grayed out elements those that are definitely not in the returned minimal p-set. Finally, À signifies that the tested set (singleunderlined along with double-underlined elements) is a p-set (function p in line 9 returns 1); 0 means it is no p-set (function p in line 9 returns 0). 15 How QX Proceeds: After verifying that there is a non-empty p-set wrt. A; B h i and that jAj [ 1 (i.e., after the checks in lines 2 and 4 are negative, QX 0 is called in line 7, and the checks in the first execution of lines 9 and 11 are negative), QX performs the following actions: 14 We intentionally abstain from a notation which is guided by the call-recursion-tree or which lists all variables and their values (which we found was often perceived difficult to understand, e.g., since same variable names are differently assigned in all the recursive calls). The reason is: While explaining QX to people (mostly computer scientists) using various representations, we found out via people's feedback that the presented ''flat'' notation could best convey the intuition behind QX; moreover, it enabled people to correctly solve new examples on their own. 15 An example of a different notation that describes the workings of QX based on the call-recursion-tree can be found, e.g., in Fig. 4.1 in Rodler (2015).
Explanation: After splitting A into two subsets of equal size, in step (1), QX tests if there is a p-set in the left half f1; 2; 3; 4g. Since negative, the right half f5; 6; 7; 8g is again split into equal-sized subsets, and the left one f5; 6g is added to the left half f1; 2; 3; 4g of the original set. Because this larger set f1; 2; 3; 4; 5; 6g still does not contain any p-set, the right subset f7; 8g is again split and the left part (7) added to the tested set, yielding f1; 2; 3; 4; 5; 6; 7g. Due to the positive predicate-test for this set, 7 is confirmed as an element of the found minimal p-set, and 8 is irrelevant. From now on, 7, as a fixed element of the p-set, takes part in all further executed predicate tests.
In step (4), the goal is to figure out whether the left half f5; 6g of f5; 6; 7; 8g also contains relevant elements. To this end, the left half f1; 2; 3; 4g of A, along with 7, is tested, and positive. Therefore, a p-set is included in f1; 2; 3; 4; 7g and f5; 6g is irrelevant. At this point, the output of the left subtree of the root, the one that analyzed f5; 6; 7; 8g, is determined and fixed, i.e., is given by 7. The next task is to find the relevant elements in the right subtree, i.e., among f1; 2; 3; 4g. As a consequence, in step (5), 7 alone is tested to check if all elements of f1; 2; 3; 4g are irrelevant. The result is negative, which is why the left half is split, and the left subset f1; 2g is tested along with 7, also negative. Thus, f3; 4g does include relevant elements. In step (7), QX finds that the element 3 alone from the set f3; 4g does not suffice to produce a p-set, i.e., the test for f1; 2; 3; 7g is negative. This lets us conclude that 4 must be in the p-set. So, 4 is fixed. To check the relevance of 3, f1; 2; 4; 7g is tested, yielding a negative result, which proves that 3 is relevant. The final test in step (9) if f1; 2g includes relevant elements as well, is negative, and 1,2 marked irrelevant. The set f3; 4; 7g is finally returned, which coincides with X, one of our minimal p-sets. h

Proof of QX
In this section, we give a formal proof 16 of the termination and soundness of the QX algorithm depicted by Alg. 1. By ''soundness'' we refer to the property that QX outputs a minimal p-set wrt. the p-PI it gets as an input, if a p-set exists, and 'no p-set' otherwise. While reading and thinking through the proof, the reader might consider it insightful to 16 In the proof, we will often talk about different calls of QX 0 ðD; A; B h iÞwhile QXð A; B h iÞexecutes. To account for the facts that (a) the actual parameters passed to QX 0 will generally differ at each call, and (b) the actual parameters passed to QX 0 will generally not be equal to the original A; B (passed to QX), we (have to) use different designators X 0 ; X; _ X and € X for these parameters X 2 fD; A; Bg for each discussed QX 0 -call. keep track of the meaning, implications, and interrelations of the various propositions in the proof by means of Fig. 1. Moreover, Fig. 2 summarizes the steps of the proof in a flowchart-like diagram. Now, assume an infinite sequence of nested recursive calls of QX 0 . Since A is finite (Definition 2), this means that there must be a call QX 0 ð D; A; B Þ in this sequence where j Aj ¼ 1 and lines 16 and 17 (next nested recursive call in the infinite sequence) are reached. This is a contradiction to the fact that the test in line 11 enforces a return in line 12 given that j Aj ¼ 1. Consequently, every sequence of nested recursive calls during the execution of QX 0 ðB; A; B h iÞ is finite (i.e., the depth of the call tree is finite). Finally, there can only be a finite number of such nested recursive call sequences because no more than two recursive calls are made in any execution of QX 0 (i.e., the branching factor of the call tree is 2). This completes the proof. h

Proposition 2 (Termination) Let
The following proposition witnesses that QX is sound in case the sub-procedure QX 0 is never called.

Proposition 3 (Correctness of QX When Trivial Cases Apply)
( h We now characterize an invariant which applies to every call of QX 0 throughout the execution of QX. Given the invariant of Definition 4 holds for some call of QX 0 , we next demonstrate that the output returned by QX 0 is sound (i.e., a minimal p-set) when it returns in line 10 or 12 (i.e., if this call of QX 0 represents a leaf node in the call-recursion-tree). Moreover, we show that the invariant is ''propagated'' to the recursive call of QX 0 in line 16 (i.e., this invariant remains valid as long as the algorithm keeps going downwards in the callrecursion-tree).
Proof of (1): '')'': We assume that QX 0 ðD; A; B h iÞ returns in line 10. By the test performed in line 9, this can only be the case if pðBÞ ¼ 1. By Proposition 1.(2), this implies that ; is a (minimal) p-set wrt. A; B h i. ''('': We assume that ; is a (minimal) p-set wrt. A; B h i. To show that a return takes place in line 10, we have to prove that the condition tested in line 9 is true. First, we observe that pðBÞ ¼ 1 must hold due to Proposition 1.(2). Since InvarðD; A; BÞ holds (see Definition 4), we can infer from pðBÞ ¼ 1 that D 6 ¼ ;. Hence, the condition in line 9 is satisfied. Proof of (2): Proposition 5.(1) shows that line 11 is reached iff ; is not a p-set wrt. A; B h i which is the case iff pðBÞ ¼ 0 due to Proposition 1.(2). Proof of (3): A return in line 12 can only occur if the test in line 11 is positive, i.e., if line 11 is reached and jAj ¼ 1. Moreover, since InvarðD; A; BÞ holds, it follows that pðA [ BÞ ¼ 1.
First, pðA [ BÞ ¼ 1 is equivalent to the existence of a p-set wrt. A; B h i. Second, by Definition 3, a p-set wrt. A; B h iis a subset of A. Third, jAj ¼ 1 means that ; and A are all possible subsets of A. Fourth, since line 11 is reached, we have that pðBÞ ¼ 0 by statement (2) of this Proposition, which implies that ; is not a p-set wrt. A; B h i according to Proposition 1.(2). Consequently, A must be a minimal p-set wrt. A; B h i. Proof of (4): Consider the call QX 0 ð D; A; B Þ at line 16. Due to the definition of the SPLIT and GET functions (1 k jAj À 1, A 1 includes the first k, A 2 the last jAj À k elements of A) and the fact that D ¼ A 1 , the property D 6 ¼ ; must hold. Moreover, Due to InvarðD; A; BÞ, however, we know that pðA [ BÞ ¼ 1. Therefore, pð A [ BÞ ¼ 1 must be true. According to Definition 4, it follows that Invarð D; A; BÞ holds. h Note, immediately before line 17 is first reached during the execution of QX, it must be the case that, for the first time, a recursive call QX 0 ðD; A; B h iÞmade in line 16 returns (i.e., we reach a leaf node in the call-recursion-tree for the first time and the first ''backtracking'' takes place). By Proposition 5.(1)?(3), the output of this call QX 0 ðD; A; B h iÞ, namely X 2 in line 16, is a minimal p-set wrt. A; B h i. We now prove that the invariant property given in Definition 4 in this case ''propagates'' to the first-ever call of QX 0 in line 17. Proof As per Definition 4, we have to show that ð € It remains to be shown that ð € D 6 ¼ ; _ pð € BÞ ¼ 0Þ holds, which is equivalent to ðX 2 6 ¼ ; _ pðB [ X 2 Þ ¼ 0Þ. If X 2 6 ¼ ;, we are done. So, let us assume that X 2 ¼ ;. In this case, however, we have pðB [ X 2 Þ ¼ pðBÞ. As InvarðD; A; B h iÞ holds and line 17 is reached during the execution of QX 0 ðD; A; B h iÞ, we know by Proposition 5.(2) that Overall, we have demonstrated that Invarð € D; h € A; € BiÞ holds. h At this point, we know that the invariant property of Definition 4 remains valid up to and including the first recursive call of QX 0 in line 17 (i.e., until immediately after the first leaf in the call-recursion-tree is encountered, a single-step ''backtrack'' is made, and the first branching to the right is executed). From then on, as long as only ''downward'' calls of QX 0 in line 16, possibly interleaved with single calls of QX 0 in line 17, are performed, the validity of the invariant is preserved. Due to the fact that QX terminates (Proposition 2), the call-recursion-tree must be finite. Hence, the situation must occur, where QX 0 called in line 16 directly returns (i.e., in line 10 or 12) and the immediately subsequent call of QX 0 in line 17 directly returns (i.e., in line 10 or 12) as well (i.e., we face the situation where both the left and the right branch at one node in the call-recursion-tree consist only of a single leaf node). As the invariant holds in this right branch, the said call of QX 0 in line 17 must indeed return a minimal p-set wrt. its p-PI given as an argument, due to Proposition 5.(1)?(3).
The next proposition evidences-as a special case-that the combination (set-union) of the two outputs X 2 (left leaf node) and X 1 (right leaf node) returned in line 18 in fact constitutes a minimal p-set for the p-PI given as an input argument to the call of QX 0 which executes line 18. More generally, the proposition testifies that, given the calls in line 16 and line 17 each return a minimal p-set wrt. their given p-PIs-whether or not these calls directly return-the combination of these p-sets is again a minimal p-set for the respective p-PI at the call that executed lines 16 and 17. Proof The statement is a direct consequence of Lemma 1 below. h Proof We first show that X 1 [ X 2 is a p-set, and then we show its minimality. p-Set Property: First, by Definition 3, X 1 A 1 due to (a), and X 2 A 2 due to (b), which is why In addition, the -relation in (1) or (2) must be a &-relation, i.e., X 0 1 ¼ X 1 and X 0 2 ¼ X 2 cannot both hold. Let us first assume that & holds in (1). Then, Second, assume that & holds in (2). Then, By monotonicity of p, and since X 0 A; B is returned, which follows from Proposition 5.(1)?(3). Induction Assumption: Let the statement of the proposition be true for d ¼ k. We will now show that, in this case, the statement holds for d ¼ k þ 1 as well. 18 Cf. Proposition 6.2 (unproven) in Junker (2004). 19 That is, additional calls made, not taking into account the running routine QX 0 ð D; A; B Þ that we consider in the proposition. To devise the proof presented in Sect. 5, we adhered to a specific proof template. Although several textbooks, e.g., Cormen et al. (2009), Velleman (2006, Edmonds (2008), Kleinberg and Tardos (2006), provide general hints and techniques helpful for proving (recursive) algorithms, we briefly outline the specific template we used in the proof next. The reasons for making this explicit are that knowing the underlying proof template can both promote the understanding of the given proof and serve as a reference point when confronted with the problem of showing the correctness of other recursive procedures. The foundation for our used template is provided by the proof principle for (nonrecursive) algorithms based on loop invariants detailed in Cormen et al. (2009). The idea underlying their framework (which we shall call L-INV) is to prove that a loop invariant, i.e., a predicate that is always true while a loop executes, (1) holds when the loop is entered (L-initialization), (2) remains true for the next loop iteration if it is true for the current iteration (L-maintenance), and (3) yields a property at termination of the loop that is useful to prove the algorithm's correctness (L-termination). 21 The template (which we will refer to as R-INV) adopted in our proof is an adaptation of L-INV to recursive algorithms. It -relies on a recursion invariant, i.e., a predicate that is true for every recursive call of a procedure, and -involves the proof that this invariant -holds for the first call of the recursive procedure (R-initialization), -remains true for any further (recursive) call of the procedure (R-maintenance), and -entails correctness of the procedure's output (R-termination).
In spite of the resemblance between R-INV and L-INV, it is essential to understand the different nature of the proof when considering a recursive as opposed to a non-recursive procedure. Whereas R-initialization, similarly as L-initialization, will often be quite easily shown due to its independence from the recursion, addressing R-maintenance and R-termination is more elaborate than L-maintenance and L-termination in general. The reasons are as follows: 1. There is only one entry point into a loop, whereas there may be multiple different places where a recursive procedure can be called. Consequence: There is one case to be analyzed for L-maintenance, whereas there can be multiple cases to be distinguished for R-maintenance. 2. For a loop, there is no return value and often 22 only one termination condition, whereas there are multiple termination conditions 23 for a recursion, and for each such condition a different value can be returned. In particular, a recursive procedure can return due to some trivial case that applies (no nested recursive calls) or after recursively processing a non-trivial case (nested recursive calls). Consequence: There is usually one case to be analyzed for L-termination, whereas multiple cases need to be considered for R-termination. Moreover, demonstrating R-termination when a non-trivial case is processed by the recursive procedure requires an induction proof. 3. In case the recursion implements a divide-and-conquer approach, there can be combine-steps where partial solutions are integrated to a complete solution (cf. Alg. 1, line 18). Consequence: These combine-steps need to be addressed when proving R-termination.
As an illustration, the following table shows how the building blocks of our proof are assigned to the three different proof phases of R Finally, two remarks: (1) The finding of a ''right'' invariant can be tricky and will often represent the key to success in proving a recursive algorithm by means of the R-INV template. However, once an appropriate invariant has been determined, the rest of the proof can be relatively straightforward provided that the systematic steps suggested by R-INV are followed.
(2) There can be multiple (logically non-equivalent) invariants that allow to prove one and the same algorithm by means of the R-INV template. Indeed, also in the case of QX, a second possible invariant exists and is given by:

Conclusion
QUICKXPLAIN (QX) is a very popular, highly cited, and frequently employed, adapted, and extended algorithm to solve the MSMP problem, i.e., to find a subset of a given universe such that this subset is irreducible subject to a monotone predicate (e.g., logical consistency). MSMP is an important and common problem and its manifestations occur in a wide range of computer science disciplines. Since QX has in practice turned out to be hardly understood by many-experienced academics included-and was published without a proof, we account for that by providing for QX an intelligible proof that explains. The availability and accessibility of a formal proof is instrumental in various regards. Beside allowing the verification of QX's correctness (proof effect), it fosters proper and full understanding of QX and of other works relying on QX (didactic effect), it is a necessary foundation for ''gapless'' correctness proofs of numerous algorithms, e.g., in model-based diagnosis, that rely on (results computed by) QX (completeness effect), it makes the intuition of QX's correctness bullet-proof and excludes the later detection of algorithmic errors, as was already experienced even for seminal works in the past (trust and sustainability effect), as well as it might be used as a template for devising proofs of other recursive algorithms (transfer effect). Since (i) we exemplify the workings of QX using a novel tried and tested well-comprehensible notation, and (ii) we put a special emphasis on the clarity and didactic value of the given proof (e.g., by segmenting the proof into small, intuitive, and easily-digestible chunks, by showing how our proof can be ''directly traced'' using the recursive call tree produced by QX, and by explaining the underlying proof template with the intention to make it reusable for other proofs), we believe that this work can decisively contribute to a better understanding of QX, which we expect to be of great value for both practitioners and researchers.