Labelled Interpolation Systems for Hyper-Resolution, Clausal, and Local Proofs

Craig’s interpolation theorem has numerous applications in model checking, automated reasoning, and synthesis. There is a variety of interpolation systems which derive interpolants from refutation proofs; these systems are ad-hoc and rigid in the sense that they provide exactly one interpolant for a given proof. In previous work, we introduced a parametrised interpolation system which subsumes existing interpolation methods for propositional resolution proofs and enables the systematic variation of the logical strength and the elimination of non-essential variables in interpolants. In this paper, we generalise this system to propositional hyper-resolution proofs as well as clausal proofs. The latter are generated by contemporary SAT solvers. Finally, we show that, when applied to local (or split) proofs, our extension generalises two existing interpolation systems for first-order logic and relates them in logical strength.


Introduction
Craig interpolation [14] has proven to be an effective heuristic in applications such as model checking, where it is used as an approximate method for computing invariants of transition systems [39,54], and synthesis, where interpolants represent deterministic implementations of specifications given as relations [31]. The intrinsic properties of interpolants enable concise abstractions in verification and smaller circuits in synthesis. Intuitively, stronger interpolants provide more precision [29,46], and interpolants with fewer variables lead to smaller designs [7,31]. However, interpolation is mostly treated as a black box, leaving no room for a systematic exploration of the solution space. In addition, the use of different interpolation systems complicates a comparison of their interpolants. We present a novel framework which generalises a number of existing interpolation techniques and supports a systematic variation and comparison of the generated interpolants.

Contributions
We present a novel parametrised interpolation system which extends our previous work on propositional interpolation [16].
-The extended system supports hyper-resolution (see Sect. 3) and allows for systematic variation of the logical strength (with an additional degree of freedom over [16]) and the elimination of non-essential literals [15] in interpolants. -We generalise (in Sect. 4) our interpolation system for hyper-resolution steps to clausal refutations generated by contemporary SAT solvers such as PicoSAT [5], allowing us to avoid the generation of intermediate interpolants.
-When applied to local (or split) proofs [30], the extended interpolation system generalises the existing interpolation systems for first-order logic presented in [32,55] and relates them in logical strength (Sect. 5).
This paper is an extended version of [56], and includes novel results on interpolation for clausal proofs and empirical results (see Sect. 4).

Background
This section introduces our notation (Sect. 2.1) and restates the main results of our previous paper on labelled interpolation systems [16] in Sect. 2.2.

Formulae and Proofs
In our setting, the term formula refers to either a propositional logic formula or a formula in standard first-order logic.

Propositional Formulae
We work in the standard setting of propositional logic over a set X of propositional variables, the logical constants T and F (denoting true and false, respectively), and the standard logical connectives ∧, ∨, ⇒, and ¬ (denoting conjunction, disjunction, implication, and negation, respectively).
Moreover, let Lit X = {x, x | x ∈ X } be the set of literals over X , where x is short for ¬x. We write var(t) for the variable occurring in the literal t ∈ Lit X . A clause C is a set of literals. The empty clause contains no literals and is used interchangeably with F. The disjunction of two clauses C and D is their union, denoted C ∨ D, which is further simplified to C ∨ t if D is the singleton {t}. In clauses, we sometimes omit the disjunction ∨ to save space. A propositional formula in conjunctive normal form (CNF) is a conjunction of clauses, also represented as a set of clauses.

First-Order Logic
The logical connectives from propositional logic carry over into first-order logic. We fix an enumerable set of variables, function and predicate symbols over which formulae are built in the usual manner. The vocabulary of a formula A is the set of its function and predicate symbols. L( A) refers to the set of well-formed formulae which can be built over the vocabulary of A.
Variables may be universally (∀) or existentially (∃) quantified. A formula is closed if all its variables are quantified and ground if it contains no variables. As previously, conjunctions of formulae are also represented as sets.
Given a formula A in either first-order or propositional logic, we use Var(A) to denote the set of free (unquantified) variables in A.

Inference Rules and Proofs
We write A 1 , . . . , A n | A to denote that the formula A holds in all models of A 1 , . . . , A n (where n ≥ 0). An inference rule A 1 · · · A n A (1) associates zero or more premises (or antecedents) A 1 , . . . , A n with a conclusion A. The inference rule (1) is sound if A 1 , . . . , A n | A holds. A (sound) inference system I is a set of (sound) inference rules. The propositional resolution rule (Res), for example, is a sound inference rule stating that an assignment satisfying the clauses C ∨ x and D ∨ x also satisfies C ∨ D. The clauses C ∨ x and D ∨ x are the antecedents, x is the pivot, and the conclusion C ∨ D is called the resolvent. Res(C, D, x) denotes the resolvent of C and D with the pivot x. Definition 1 (Proof) A proof (or derivation) P in an inference system I P is a directed acyclic graph (V P , E P , P , s P ), where V P is a set of vertices, E P is a set of edges, P is a function mapping vertices to formulae, and s P ∈ V P is the sink vertex. An initial vertex has in-degree 0. All other vertices are internal and have in-degree ≥ 1. The sink has out-degree 0. Each internal vertex v with edges (v 1 , v), . . . , (v m , v) ∈ E P is associated with an inference rule Inf ∈ I P with antecedents P (v 1 ), . . . , P (v m ) and conclusion P (v).
The subscripts above are dropped if clear.
A proof P is a refutation if P (s P ) = F. Let A and B be conjunctive formulae. A refutation P of an unsatisfiable formula A ∧ B is an (A, B)-refutation (i.e., for each initial vertex v ∈ V P , The interpolant x 1 acts as a "separator" for the resolution refutation

Interpolation Systems and Labelling Functions
There are numerous variants and definitions of Craig's interpolation Theorem [14]. We use the definition of a Craig Intuitively, x 1 interpolant acts as a "separator" for the underlying refutation proof (the leftmost proof in Fig. 1). By setting x 1 to F we obtain a refutation of the Apartition, as illustrated in Fig. 1. Similarly, setting x 1 to T yields a refutation for B-the interpolant can be understood as a multiplexer. Equivalently, Numerous techniques to construct interpolants have been proposed (c.f. Sect. 6). In particular, there is a class of algorithms that derive interpolants from proofs; the first such algorithm for the sequent calculus is presented in Maehara's constructive proof [37] of Craig's theorem. In this paper, we focus on interpolation systems that construct an interpolant from an (A, B)-refutation by mapping the vertices of a resolution proof to a formula called the partial interpolant.
Formally, an interpolation system Itp is a function that given an (A, B)-refutation R yields a function, denoted Itp(R, A, B), from vertices in R to formulae over Var(A) ∩ Var(B). An interpolation system is correct if for every (A, B)-refutation R with sink s, it holds that [40].
In the following, we review the labelled interpolation systems we introduced in [16]. Labelled interpolation generalises several existing propositional interpolation systems presented by Huang [28], Krajíček [33], Pudlák [42], and McMillan [39]. A distinguishing feature of a labelled interpolation system is that it assigns an individual label c ∈ {⊥, a, b, ab} to each literal in the resolution refutation. Definition 4 (Labelling Function) Let (S, , , ) be the lattice below, where S = {⊥, a, b, ab} is a set of symbols and , and are defined by the Hasse diagram to the right. A labelling function L R : V R × Lit → S for a refutation R over a set of literals Lit satisfies that for all v ∈ V R and t ∈ Lit: Due to Condition (2) above, the labels of literals at initial vertices completely determine the labelling function for literals at internal vertices. The following condition ensures that a labelling function respects the locality of a literal t in accordance with (A, B). A literal t is A-local and therefore labelled a if var(t) ∈ Var(A)\Var(B). Conversely, t is B-local and therefore labelled b if var(t) ∈ Var(B)\Var(A). Literals t for which var(t) ∈ Var(A)∩Var(B) are shared and can be labelled a, b, or ab (which generalises existing interpolation systems).

Definition 5 (Locality) A labelling function L for an (A, B)-refutation R preserves locality
if for any initial vertex v and literal t in R 1. a L(v, t) implies that var(t) ∈ Var(A), and 2. b L(v, t) implies that var(t) ∈ Var(B).
For a given labelling function L, we define the downward projection of a clause at a vertex v with respect to c ∈ S as c} and the upward projection The subscript L is omitted if clear from the context. Definition 6 (Labelled Interpolation System for Resolution) Let L be a locality preserving labelling function for an (A, B)-refutation R. The labelled interpolation system Itp(L) maps vertices in R to partial interpolants as defined in Fig. 2.
Labelling functions provide control over the interpolants constructed from a resolution proof. Firstly, labelled interpolation systems support the elimination of non-essential (peripheral [50], respectively) variables from interpolants [15]. Secondly, labelled interpolation systems-and their respective interpolants-are ordered by logical strength. A labelled interpolation system Itp(L) is stronger than Itp(L ) if for all refutations R (for which L and L are locality preserving labelling functions), Itp(L , R) ⇒ Itp(L , R). The partial order on labelling functions (first introduced in [16]) guarantees an ordering in strength:

Definition 7 (Strength Order)
We define the total order on the lattice S = {⊥, a, b, ab} as b ab a (c.f. the Hasse diagram to the right). Let L and L be labelling functions for an (A, B)-refutation R. The function L is stronger than L , denoted L L , if for all v ∈ V R and t ∈ , L(v, t) L (v, t).
b ab a ⊥ Theorem 2 in [16] shows that if L is a stronger labelling function than L , the interpolant obtained from Itp(L) logically implies the one obtained from Itp(L ).

Interpolation for Hyper-Resolution
In this section, we extend labelled interpolation systems to a richer inference system, in particular, the inference system comprising (propositional) hyper-resolution [43]. Hyperresolution is a condensation of a derivation consisting of several resolutions and avoids the construction of intermediate clauses. Hyper-resolution has several applications in propositional satisfiability checking, such as pre-processing [21] of formulae or as an integral part of the solver (e.g., [2]).
Positive hyper-resolution combines a single clause (called the nucleus) containing n negative literals x 1 , . . . , x n and n satellite clauses each of which contains one of the corresponding non-negated literals x i (where 1 ≤ i ≤ n): In negative hyper-resolution the roles of x i and x i are exchanged.

Definition 8 (Hyper-Resolution Proof)
A hyper-resolution proof R is a proof using only the inference rule HyRes. Accordingly, R maps each vertex v ∈ V R to a clause, and all internal vertices have in-degree ≥ 2. Each internal vertex v has n ≥ 1 parents v + 1 , . . . , v + n such that The definition of labelling functions (Definition 4) readily applies to hyper-resolution proofs. Note that is not a total order on labelling functions. Lemma 1 (a generalisation of Lemma 3 in [16] to hyper-resolution proofs) enables a comparison of labelling functions based solely on the values at the initial vertices.

Lemma 1 Let L and L be labelling functions for an (A, B)-refutation R. If L(v, t) L (v, t) for all initial vertices v and literals t ∈ (v), then L L .
A proof of Lemma 1 is given in Appendix 1. In the following, we generalise labelled interpolation systems to hyper-resolution. The underlying intuition is to replace the multiplexer in the case AB-Res in Definition 6 with a general multiplexer controlled by the pivot literals of the hyper-resolution step. This idea is illustrated in Fig. 3 for the proof in Example 1 and formalised in the following definition: Definition 9 (Labelled Interpolation System for Hyper-Resolution) Let L be a locality preserving labelling function for an (A, B)-refutation R, where R is a hyper-resolution proof. The labelled interpolation system Itp(L) maps vertices in R to partial interpolants as defined in Fig. 4. [I] x 0 x 0 x 2 The interpolation system leaves us a choice for internal nodes AB-HyRes. We will use Itp 1 (Itp 2 , respectively) to refer to the interpolation system that always chooses case 1 (case 2, respectively). Note furthermore that Definitions 6 and 9 are equivalent in the special case where n = 1.

Fig. 3 Generalising labelled interpolation to hyper-resolution
Remark 1 Note that unlike the interpolation system for ordinary resolution proofs presented in Definition 6, Itp is not total for hyper-resolution proofs: the case split requires the pivots of the hyper-resolution step to be uniformly labelled, i.e., the rules A-HyRes, AB-HyRes, and B-HyRes to be a, ab, or b, respectively, for all i ∈ {1, . . . , n}. This limitation is addressed in Sect. 4.1.
In the following we present a conditional correctness result: For R (s) = , this establishes the correctness of the system. We emphasise that Theorem 1 does not constrain the choice for the case AB-HyRes. Since both Itp 1 (L , R) and Itp 2 (L , R) satisfy the conditions above, this choice does not affect the correctness of the interpolation system. In fact, it is valid to mix both systems by defining a choice function χ : V R → {1, 2} which determines which interpolation system is chosen at each internal node. We use Itp χ (L , R) to denote the resulting interpolation system. This modification, however, may have an impact on the logical strength of the resulting interpolant.
Theorem 2 Let the hyper-resolution proof R be an (A, B)-refutation and L be a locality preserving labelling function. Moreover, let Itp χ (L , R) and Itp χ (L , R) be labelled interpolation systems (defined for L , R) with the choice functions χ and χ , respectively. Then Proof sketch This follows (by structural induction over R) from Note that the converse implication does not hold; a simple counterexample for an internal vertex with n = 2 is the assignment x 1 = x 2 = F, I 1 = T, and I 2 = I 3 = F.
The final theorem in this section extends the result of Theorem 2 in [16] to hyper-resolution proofs:

Theorem 3 If L and L are labelling functions for an (A, B)-refutation R (R being a hyperresolution proof) and L
L such that Itp i (L , R) as well as Itp i (L , R) are defined, then The proof of Theorem 3, provided in Appendix 1, is led by structural induction over R. For any vertex v in R, let I v and I v be the partial interpolants due to Itp i (L , R) and Itp i (L , R), respectively. We show that Theorems 2 and 3 enable us to fine-tune the strength of interpolants, since the sets of all labelling and choice functions ordered by and ≤, respectively, form complete lattices (c.f. [16,Theorem 3]). Finally, we remark that the Theorems 2 and 3 are orthogonal. The former fixes the labelling function L, whereas the latter fixes the choice function χ.

Interpolation for Clausal Proofs
Contemporary SAT solvers such as MiniSAT [17] and PicoSAT [5] are based on conflictdriven clause learning (CDCL) [49]. The CDCL algorithm avoids the repeated exploration of conflicting variable assignments by caching the causes of failures in the form of learned clauses. To this end, the solver stores assignments (decisions) and their implications in an implication graph, from which it derives learned clauses in case of a conflict. We refrain from providing a description of CDCL, since numerous excellent expositions are available (e.g., [6,34]). The following example, borrowed from [38], illustrates the construction of resolution proofs in CDCL solvers. Figure 5 shows a partial implication graph for the clauses (x 4 x 10 x 6 ), (x 4 x 2 x 5 ), (x 5 x 6 x 7 ), and (x 6 x 7 ). Nodes represent assignments (annotated with the corresponding decision level, e.g., x 10 @2 indicates that x 10 was assigned F at level 2) and each edge represents an implication deriving from a clause in which all but one literal is assigned under 5 Implication graph and conflict analysis the current assignment. The final node indicates a conflict under the current assignment, and its incoming edges are annotated with the conflicting clause C 4 . This conflict stems from the fact that C 4 disagrees with C 1 and C 3 on the implied literals x 6 and x 7 , respectively. By subsequently resolving on the conflicting literals, we obtain

Example 2
The clause C 6 disagrees with C 2 on the implied literal x 5 . The resolvent of these clauses is assigned at decision level 6 while still conflicting with the current partial assignment. Accordingly, reverting the decision x 4 at level 6 and adding C 7 as learned clause prevents the solver from revisiting this part of the search space.
The learned clause in Example 2 is a consequence of clauses of the original instance and previously learned clauses. Each learned clause is the conclusion of a chain of resolution steps.
Definition 10 (Chain) A (resolution) chain of length n is a tuple consisting of an input clause D 0 and an ordered sequence of clause-pivot pairs C i , x i (where 1 ≤ i ≤ n). The final resolvent D n of a resolution chain is defined inductively as A resolution chain generated by a CDCL solver has the following properties [4]: -Regularity: each pivot variable is resolved upon at most once in the chain.
. -Tree-likeness: each derived clause is used exactly once in the chain.
A resolution derivation with these properties is called trivial [4]. For reasons of performance, proof-logging solvers discard all intermediate resolvents generated during the construction of a conflict clause and retain only resolution chains. Clausal proofs [22,25] and proofs stored in the TraceCheck-format 1 moreover omit the pivot literals as well as the order of the resolution steps, recording only the unordered set of clauses D 0 , C 1 , . . . , C n for each resolution chain.
If D 0 is a nucleus and C 1 , . . . , C n are suitable satellites, the chain can be replaced by a hyper-resolution step assuming its conclusion D n satisfies the HyRes rule. In general, this may not be the case: 4 } is a valid resolution chain (with conclusion {x 1 , x 4 }) that does not match the antecedents HyRes rule.
To address this problem, we introduce a more general inference rule which requires the existence of a resolution chain matching its premises and conclusion as a side condition. Each of the n premises contains a non-empty (sub-)set of pivot literals P i which occur in opposite phase in the other clauses of the premise. The clause learning algorithm illustrated in Example 2 results in resolution chains that satisfy the following properties: -The pivot literals n i=1 P i do not occur in the conclusion of the chain. Remark 2 The algorithm resolves upon pivot literals that are implied but not yet assigned at the respective node in the implication graph. Accordingly, the clauses preceding the node in the implication graph cannot contain the implied literal, since they would otherwise not be unit. Therefore, a pivot literal, once resolved, is never re-introduced in a resolution chain.
-The conjunction n i=1 P i is unsatisfiable (guaranteed by the existence of a resolution chain).
These properties are reflected in the following inference rule: Analogously to Definition 8, we introduce the notion of a clausal proof.

Definition 12 (Clausal Proof) A clausal proof R is a proof using only the inference rule
TCRes. Accordingly, R maps each vertex v ∈ V R to a clause and every internal vertex v has n ≥ 2 parents v 1 , . . . , v n such that R (v i ) = C i ∨ P i (as in Definition 11). Consequently, The following definition extends the interpolation system for hyper-resolution proofs presented in Sect. 3 to clausal proofs.

Definition 13 (Labelled Interpolation System for Clausal Proofs)
Let L be a locality preserving labelling function for an (A, B)-refutation R, where R is a clausal proof. The labelled interpolation system Itp(L) maps vertices in R to partial interpolants as defined in Fig. 6.
Note that the interpolation system in Definition 13 is a generalisation of the interpolation system for hyper-resolution (Definition 9). Its correctness is established using a similar argument as used for Theorem 1. The proof of the following theorem is provided in Appendix 1.

Theorem 4 (Correctness) For any (A, B)-refutation R (where R is a clausal proof) and locality preserving labelling function L, Itp(L , R) (if defined) is an interpolant for (A, B).
The results of Theorems 2 and 3 can be generalised to clausal proofs in a straight-forward manner. We omit the discussion of the details.

Splitting and Reordering Resolution Chains
Just like the interpolation system for hyper-resolution proofs, the interpolation system in Definition 13 has the deficiency that the function Itp(L) is not total: there are labelling functions L for which the result of Itp(L) is undefined. This problem arises whenever the pivots in a TraceCheck resolution step are not uniformly labelled, and therefore none of the rules in Fig. 6 is applicable. Instead of adapting the interpolation system, we address the problem by splitting the corresponding resolution chains. A single chain can be split into two consecutive chains, with the final resolvent of the first acting as the input clause of the second, without affecting the final result. By splitting resolution steps whose pivots are not uniformly labelled we can always generate a labelled refutation for which Itp is a total function. The example in Fig. 7 illustrates this transformation for a single hyper-resolution step.
Each hyper-resolution or TraceCheck resolution step may need to be rewritten into several subsequent uniformly labelled steps, thus changing the proof structure. Note that the results on the relative strength of interpolants in Sect. 3 naturally only apply if both proofs have the same structure. The effect of the order of resolution steps on the strength of interpolants is discussed in [16,Section 5.2] and exceeds the scope of this paper.
The number of resolution steps resulting from splitting depends on the order of the pivots in the given resolution chain, as demonstrated in the following example. Figure 8 shows two resolution chains (presented as trivial resolution proofs).

Example 3
In the left proof, the order of the pivots is x 3 , necessitating two splits to obtain a uniform labelling of the pivots. The proof to the right corresponds to a similar resolution chain in which the first two resolution steps have been swapped. The resulting split yields the following two TraceCheck resolution steps: Reordering in the presence of merge literals may invalidate the resolution chain Accordingly, the interpolation system Itp(L) is applicable to the corresponding clausal proof.
Example 3 shows that reordering the resolution steps in a chain can result in fewer uniformly labelled TraceCheck resolution steps. A swap ( ) of two subsequent resolution steps, formally defined in [16, Def. 10] and illustrated in Fig. 8, is allowed whenever it does not change the conclusion of the resolution chain. In the presence of merge literals [1] (i.e., literals t ∈ (v) such that t ∈ (v + ) and t ∈ (v − )) this is not guaranteed [16], as illustrated in Fig. 9.
The final resolvent of a chain may depend on the order of the ordinary resolution steps: literal x 2 is re-introduced after being eliminated in the modified chain, while it is merged and eliminated once and for all in the original chain.
In the absence of merge literals, this issue does not arise. For this reason, [56] prohibits merge literals in resolution chains (in addition to requiring that the premises match the HyRes rule). While this guarantees that a any permutation of the clause-pivot sequence still represents a valid resolution chain and leaves the final resolvent unaffected (an immediate consequence of [16,Lemma 4]), the requirement is overly restrictive. In the following, we discuss conditions under which reordering does not invalidate the proof even in the presence of merge literals.
Let R and R def = R[w v] be as in Figs. 10 and 11. According to [16], the clause label Fig. 11 differs from C = (v) in Fig. 10 in the following two cases: As explained in Remark 4, the former case does not occur in resolution chains generated by CDCL, since resolved literals are never reintroduced. In the second case, however, the swap introduces a literal into an (intermediate) resolvent. Since the resolution chain is regular, this literal propagates to the final resolvent of the chain, potentially invalidating the clausal proof.
Instead of prohibiting the transformation in general, however, it is possible to analyse the underlying resolution proof R to determine whether the literal introduced by the transformation is eliminated along all paths to the sink of the proof [3,9,19]. The set of literals eliminated along all paths from v ∈ V R to s R can be defined as the meet-over-all-paths in the terminology of data-flow analysis: Let v be the final vertex of the trivial resolution derivation that corresponds to a given resolution chain. A swap of two vertices of the chain that introduces a literal t in (v) is admissible iff t ∈ σ (v). Accordingly, the literal t is introduced in the conclusion (final resolvent, respectively) of the chain. The proof remains valid since t is subsequently eliminated. Figure 12 shows a refutation with two chains generated by a CDCL solver, where the vertex p marks the end of the first chain. As in Example 3, the pivot order

Example 4
x 3 of the first chain enforces a split resulting in the TraceCheck resolution steps on the right side in Fig. 12. Similarly to the example in Fig. 9, reordering of the vertices w and v results in the introduction of the literal b x 2 in ( p). The transformation is safe, however, since x 2 ∈ σ ( p). The transformation yields the following uniformly labelled TraceCheck resolution steps: Fig. 12 Two resolution chains and a corresponding clausal proof (after splitting) The interpolation system in Definition 13 remains applicable to the transformed clausal proof, since conclusions of TraceCheck resolution steps may always be weakened. The transformation may, however, affect the labelling of the pivots of the subsequent resolution steps. This might be undesirable, if it forces us to split subsequent chains. It is possible to avoid a change of the labelling by computing safe labels for the literals in a proof. Definition 4) is defined inductively as follows:

Definition 15 (Safe Labels) Given a refutation
Given a vertex v ∈ V R and a literal t ∈ (v), we call ς(v, t) the safe label of t.
The safe labels ς are computed in lockstep with σ (Definition 14). Whenever a literal t ∈ σ (v) introduced into (v) is labelled such that L(v, t) ς(v, t), then the labelling of the pivots in the subsequent resolution steps remains unchanged [9].
Example 5 For the resolution refutation in Fig. 12 we obtain ς(q, x 2 ) = ς( p, x 2 ) = ab. Swapping the vertices v and w introduces x 2 in ( p) with L( p, x 2 ) = a. Consequently, the labelling of the pivot in the final resolution step is preserved.
The empirical evaluation in the following section motivates the use of interpolation systems for clausal proofs.

Empirical Results
We implemented the labelled interpolation system for clausal proofs as an extension to the TraceCheck-tool. 2 TraceCheck's original purpose is the verification of the output of SAT solvers, based on proof certificates stored in the TraceCheck-format.
Our interpolation system can be easily incorporated into TraceCheck. The only significant change arises from splitting the resolution chains to establish that Itp(L) is defined for a given labelling function L, as described in Sect. 4.1. Our implementation currently does not try to reduce the number of splits by means of reordering. For the experimental evaluation of our implementation, we use benchmarks from reactive synthesis [8] obtained via the interpolation-based relation determinisation technique presented in [31]. We use PicoSAT 957 [5] to obtain clausal proofs in the TraceCheck-format. We limit the proofs to those with a file size between 100 kB and 10 MB, resulting in 133 benchmarks. We label the literals in A-clauses a and the literals in B-clauses b, which provably results in the introduction of fewer literals than other labellings [9,15]. All experiments were executed on an Intel Core i5 M560 at 2.67 GHz and with 8 GB of RAM.
To measure the impact of transforming a clausal proof for labelled interpolation, we look at proofs before (initial) and after (split) splitting (Fig. 13). Using TraceCheck's -b option (binary), we also compare the clausal interpolation system to the conventional interpolation system for binary resolution proofs (presented in Sect. 2.2). 3 Fig. 14 shows the average length of chains before and after splitting. On average, 44.86 % of the chains generated by TraceCheck need to be split to enable interpolation (Fig. 15). Figure 16 compares the number of Boolean operations in the interpolants generated by clausal interpolation and binary interpolation. The difference is negligible, since n-ary conjunctions are encoded by binary gates. Figure 17 shows the memory consumption of our interpolation systems (in megabytes). The plot for run-time has a similar shape. The average run-time for split proofs is 0.9 s and 5.49 s for binary proofs. The quantiles are as follows: We use the And-Inverter-Graph (AIG) library AIGER 4 to store interpolants. The library performs trivial simplifications and structural hashing to keep the circuit size small. The   Fig. 18 shows that the interpolants extracted from clausal proofs are consistently smaller than interpolants generated by the conventional interpolation technique. Finally, we use ABC [12] to gather statistics about the interpolant and to reduce the circuit size further with the following commands: strash; balance; fraig; refactor -z; rewrite -z; fraig;. After reduction, the sizes of the interpolants extracted from clausal proofs and from binary proofs are similar. We emphasise that interpolation based on clausal proofs is superior with respect to memory consumption and the intermediate size of interpolants.

Local Refutations and Hyper-Resolution
Jhala and McMillan demonstrate in [30,Theorem 3] that the applicability of propositional interpolation systems is not restricted to propositional logic. If a first-order refutation R has a certain structure, namely if for each inference step in R the antecedents as well as the conclusion are either entirely in L( A) or in L(B), then one can use a propositional interpolation system (such as the ones in Sects. 2.2 and 3) to construct an interpolant that is a Boolean combination of the formulae in R. Kovács and Voronkov subsequently arrived at a similar result [32].
We recapitulate the results from [30,32] before we proceed to show that our interpolation system from Definition 9 generalises the system of [32] as well as a variation of [32] presented in [55]. Refutation) An (A, B)-refutation R in a given inference system for first-order logic is local if there exists a total partitioning function π R :

Definition 16 (Local
While proofs in general do not have this property, there is a variety of decision procedures that yield local (ground) refutations. The construction of local proofs is addressed in [20,30,32,41], to name only a few.

B-premise(v) is defined analogously.
Intuitively, A-premise(v) comprises the leaves of the largest sub-derivation S rooted at v such that π(u) = A for all internal vertices u ∈ V S . 5 If the underlying inference system is sound, we have { (u) | u ∈ A-premise(v)} | (v). If, moreover, (v) as well as all formulae of A-premise(v) are closed, we make the following observation (c.f. related results in [32,

Lemma 1] and [20, Lemma 3]):
Corollary 1 Let R be a local closed refutation in a sound inference system, and let v ∈ V R an internal vertex such that π R (v) = A. Then, the following Horn clause is a tautology: A similar claim holds for the case in which π(v) = B.
Corollary 1 is a pivotal element in our proof of the following theorem:

. [30, Theorem 3]) Let R be a closed local (A, B)-refutation in a sound inference system. Then one can extract a Craig interpolant from R using a propositional interpolation system.
Proof Let v ∈ V R be such that π(v) = A. If v is initial, then either A or B contains the unit clause C v = (v). Otherwise, according to Corollary 1, the clause C v = ({¬ (u) | u ∈ 5 In particular, it is possible to choose π R in such a manner that S is the largest sub-derivation rooted at v in R such that R (u) ∈ L(A) for all u ∈ V S . This corresponds to the setting in [32,Lemma 8].
is tautological (and therefore implied by A). Moreover, it follows from By construction, the resulting set of clauses C v , v ∈ V R , is propositionally unsatisfiable [30,32]; also, each clause is implied by either A or B. Moreover, all literals with t ∈ L( A)\L(B) (t ∈ L(B)\L( A), respectively) are local to A (B, respectively). Accordingly, it is possible to construct an interpolant for (A, B) using the interpolation systems presented in Sects. 2.2 and 3. Figure 19 shows an (A, B)

Example 6
, where x, y, z are bit-vectors and & denotes bit-wise conjunction. Let vertex v be such that (v) = (z < x) and π(v) = A. The dashed line in Fig. 19 indicates the sub-proof rooted at v, whose leaves constitute the A-premise of v. Following the construction in the proof of Theorem 5, we obtain the following hyper-resolution step with conclusion (v).
Kovács and Voronkov avoid the explicit construction of a resolution proof by defining their interpolation system directly on the local proof [32,Theorem 11]: a local and closed (A, B)-refutation. The interpolation system Itp K V maps vertices v ∈ V R , for which R (v) ∈ L( A)∩L(B) holds, to partial interpolants as defined in Fig. 20.
Remark In addition to the condition in Definition 16, Kovács and Voronkov require that for for all i ∈ {1, . . . , n}. A local derivation satisfying this condition is symbol-eliminating, i.e., it does not introduce "irrelevant" symbols. This technical detail allows the leaves of R to be merely implied by A (or B) instead of being actual elements of A (B, respectively), while preserving the correctness of the interpolation system. This effectively enables interpolation for non-closed formulae (A, B).

Fig. 20 Interpolation system Itp K V for local proofs
We proceed to show one of the main results of this paper, namely that our interpolation system Itp from Definition 9 is able to simulate the interpolation system Itp K V .

Theorem 6 Let R be a local and closed (A, B)-refutation. Then we can construct a hyperresolution refutation H of (A, B) and a locality preserving labelling function L such that for
Proof sketch We demonstrate that it is possible to construct a hyper-resolution refutation H of (A, B) in which each internal step of Itp K V is simulated using two hyper-resolution steps. The induction hypothesis is that for each internal vertex v ∈ V R with {v 1 , . . . , v n } = π(v)-premise(v) and m as in Definition 18, we have vertices {u 1 , . . . , u n } ⊆ V H such that We add an auxiliary vertex labelled with the clause ¬ H (u 1 ) ∨ · · · ∨ ¬ H (u n ) ∨ R (v), which, by Corollary 1 and by Definition 16, can be regarded as element of formula π(v) (see proof of Theorem 5). The first hyper-resolution step eliminates the literals local to π(v); the interpolants and labels are indicated for π(v) = A: The second hyper-resolution step eliminates the shared literals H (u i ) (for 1 ≤ i ≤ m). Again, the labels and interpolants are for the case that π(v) = A: The sink of this resolution step is the vertex u ∈ V H such that H (u) = R (v) and We proceed to show that our system for hyper-resolution also generalises another existing interpolation system for local refutations. In [55], we introduced the following variation of the interpolation system in Definition 18:

Definition 19
Let Itp W be the interpolation system as described in Definition 18, except for the following modification: The following theorem states that the interpolation system in Definition 9 is powerful enough to simulate Itp W . H of (A, B) and a locality preserving labelling function L such that for

Theorem 7 Let R be a local and closed (A, B)-refutation. Then we can construct a hyperresolution refutation
The proof is essentially equivalent to the proof of Theorem 6. Moreover, as a consequence of Theorem 2, Itp K V is stronger than Itp W .

Related Work
There is a vastly growing number of different interpolation techniques; a recent survey of interpolation in decision procedures is provided by [10]. An exposition of interpolation techniques for SMT solvers can be found in [13]. The work of Yorsh and Musuvathi [58] enables the combination of theory-specific and propositional interpolation techniques [16,28,33,39,42]. The novel interpolation system presented in Sect. 3 extends our prior work on propositional interpolation systems [16]. The idea of using labelling functions (initially introduced in [50] in the context of LTL vacuity detection to determine the peripherality of variables in resolution proofs) is common to both approaches. In [16], the partial interpolants are determined by the labelling of the literals in the initial vertices, while the system presented in Sect. 3 adds an additional degree of freedom by allowing us to make a choice at each internal node.
Recent work by Vizel and Gurfinkel [24] addresses the construction of interpolants from clausal/DRUP proofs (whose size is reduced by means of trimming [25]). Their interpolation system splits partial interpolants into two components, one of which is kept in CNF. Their algorithm restructures the DRUP proof on-the-fly in order to increase the size of the component kept in CNF. Earlier work by Vizel et al. [53] targets the construction of interpolants in CNF by first constructing an over-approximation of an interpolant, which is then refined using inductive strengthening [11].
There is a number of techniques to reduce the size of resolution proofs [3,9,19]. These techniques target binary resolution proofs, however. The combination of labelled interpolation systems for binary resolution proofs and proof reduction has also been studied extensively by Rollini et al. [44,45].
A number of interpolation techniques rely on local proofs (e.g., [20,30,32,36,41]). Not all interpolation techniques are based on local proofs, though: McMillan's interpolating inference system for equality logic with uninterpreted functions and linear arithmetic [40], for instance, performs an implicit conversion of the proof. In [35], propositional proofs of bit-vector formulas are lifted to proofs in equality logic. The approach presented in [47] avoids the construction of proofs altogether and handles theory combination by reduction to a base theory as in [51] or [52]. InterHorn [23] extracts interpolants from first-order resolution proofs generated by a Horn-clause solver. Sharma et al. show how to compute interpolants without proofs using machine learning techniques [48].
Hoder et al. [26] present a technique that enables the variation of interpolants by finetuning the partitioning in Definition 16. In Example 6, for instance, changing π(w) = B to π(w) = A results in propositional proof that does not contain the literal (z < x). Accordingly, the term does not occur in the resulting interpolant. This approach can be combined with our interpolation system in a straight forward manner.
An extension of [16] to sequence interpolants is presented in [46]. A survey of interpolation-based model checking techniques is provided in [54]. Interpolation-based synthesis is discussed in [27,31]. Other applications of interpolation algorithms include fault localization [59] and error explanation [18,57], where the quality of interpolants can impact the utility of the diagnosis.

Consequences and Conclusion
We present a novel interpolation system for hyper-resolution proofs which generalises our previous work [16]. We subsequently generalise this interpolation system to clausal proofs, generated by contemporary SAT solvers. By defining a rule that addresses hyper-resolution or clausal resolution steps (introduced by pre-processing [21] or extracted from resolution chains), we avoid the construction of intermediate partial interpolants, resulting in reduced memory consumption and smaller intermediate interpolants. As future work, we will investigate whether proof restructuring [24] and heuristics based on proof analysis [9] can result in a further reduction of splitting.
By applying our technique to local proofs, we combine a number of first-order [32,55] and propositional interpolation techniques [28,33,39,42] into one uniform interpolation approach. As in [30], our approach avoids an explicit theory combination step [58]. Therefore, it enables the variation of interpolant strength and the elimination of non-essential literals across the theory boundary.
Acknowledgments Open access funding provided by Austrian Science Fund (FWF). We would like to thank Armin Biere and his co-authors for providing TraceCheck and AIGER as open source software under a permissive license. We thank Adrián Rebola-Pardo for his helpful comments.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Appendix 1: Proofs
Remark The downward projection of a clause (v) = C at vertex v with respect to c ∈ S is defined as 2). It follows from condition 1 in Definition 4 that (v) ⊥,L = ∅ for all vertices v. Therefore, the following two equalities hold for any clause C = (v) in a refutation R: We make repeated use of these equalities in this section. Moreover, our proofs use the following propositions: Proof This follows from the fact that the conjunction x i is unsatisfiable (by hyper-resolution). Note that the implication in the other direction does not hold; a simple counterexample for the case n = 2 is the assignment x 1 = x 2 = F, I 1 = T, and I 2 = I 3 = F.
is a tautology.
Proof This follows from the fact that

Theorem 1 (Correctness) For any (A, B)-refutation R (where R is a hyper-resolution proof) and locality preserving labelling function L, Itp(L , R) (if defined) is an interpolant for (A, B).
Proof By induction over the structure of the (A, B)-refutation R. Let I be the partial interpolant at a vertex v labelled with a clause C = (v). We show that every such I and C satisfy the following conditions: For the sink v with (v) = , this establishes Theorem 1. The labelling function L, being unique in this proof, is omitted from subscripts.

Base case
Let v be an initial vertex and let C = R (v).

C ∈ A:
holds for a symbol c ∈ {a, b}. This is because for any Due to the requirement that Itp(L , R) is defined, we may assume that ∀i ∈ {1, . . . , n} · L(v + i , x i ) L(v − , x i ) = c (for a fixed c) and perform a case split on c: By applying hyper-resolution on the right-hand side of the implication we conclude that Similarly, we derive from the induction hypothesis that and thus The proof is symmetric to the first case.
for instance. We obtain the following induction hypothesis: In general, for an arbitrary labelling function L, this can always be extended to the induction hypothesis for From this, it follows immediately that and by applying the equality (4) we conclude that holds. This establishes the first condition for case 1 of AB-HyRes; case 2 is covered by applying Proposition 1. Similarly, we derive Note that this already establishes condition 2 for case 2 of AB-HyRes. By repeated application of resolution, one can further show that the right-hand side of this implication is inconsistent with n i=1 (x i ∨ I i ) ∧ (x 1 ∨ · · · ∨ x n ∨ I n+1 ). It follows that which covers case 1 of AB-HyRes.
Note that and Definition 5, and therefore Var( Base case If v in R is an initial vertex, L(v, t) L (v, t) holds by assumption.
Induction hypothesis For an internal vertex v and literal t: We consider two cases: Proof We prove Theorem 3 by structural induction over R. For any vertex v in R, let I v and I v be the partial interpolants due to Itp(L , R) and Itp(L , R), respectively. We show that for arbitrary locality preserving labelling functions L and L . We prove (5) by showing that any t contained in clause of the left-hand side of the implication must also be contained in (v)| ab,L ,L . This holds because for any u ∈ {v + 1 , . t). For the induction step, let v be an internal vertex in R and let Partial interpolants are indicated as before.

Induction hypothesis
For the induction step, let (for a fixed c) and perform a case split on c. I and I denote the partial interpolants due to Itp(L , R) and Itp(L , R), respectively.
and therefore, the induction hypothesis can be simplified to We derive , and by applying (5), We distinguish two cases for AB-HyRes.
In the first case, , and by applying the induction hypothesis we derive Note that the right-hand side of this implication is equivalent to By applying (5), we obtain , and by applying the induction hypothesis we derive  (6), we need to distinguish three cases: (a) ∀i ∈ {1, . . . , n}.L (v + i , x i ) L (v − , x i ) = b: Then, as in case 1, the induction hypothesis can be simplified to I v + i ⇒ I v + i ∨ C i | ab,L ,L (where 1 ≤ i ≤ n) and I v − ⇒ I v − ∨ D| ab,L ,L , and we obtain By an argument similar to the one made in case 2 we derive in the first case of AB-HyRes, and by applying the induction hypothesis we derive The right-hand side of the implication in turn implies and by further weakening (7) and applying (5) we derive Finally, (8) also establishes I v ⇒ I v ∨ ( n i=1 C ∨ D)| ab,L ,L for case 2 of AB-HyRes (by Proposition 1). (c) ∀i ∈ {1, . . . , n}.L (v + i , x i ) L (v − , x i ) = a: Since we have previously shown (8) and since For the sink v with (v) = , this establishes Theorem 4. The labelling function L, being unique in this proof, is omitted from subscripts.
Base case As in the proof of Theorem 1.

Induction step
We perform a case split for the labelling of the pivots: 1. (A-TCRes): ∀i ∈ {1, . . . , n} · t ∈ P i ⇒ L(v i , t) = a Induction hypothesis (for i ∈ {1, . . . , n}): In this case P i a = P i , so it follows that A ∧ ¬(C i a ) ⇒ (P i ∨ I i ) and therefore: Since n i=1 P i is unsatisfiable, we can apply chain resolution to the right and side to derive n i=1 (P i ∨ I i ) ≡ n i=1 I i . By furthermore rewriting the left hand side, we obtain satisfying the first condition. Similarly, we derive Note that for an arbitrary labelling function L, we have ¬(P i a ) ⇒ ¬P i and ¬(P i b ) ⇒ ¬P i . Therefore, we can strengthen the induction hypotheses to

It follows immediately that
establishing the first condition for case 1 of AB-TCRes. By applying Proposition 2 to weaken the right hand side (which yields A ∧ ¬( n i=1 C i a ) ⇒ n i=1 (¬P i ∧ I i )), we establish the condition 1 for case 2 of AB-TCRes. Analogously we derive which establishes the second condition for case 2 of AB-TCRes (B ∧ ¬ n i=1 C i b ⇒ ¬ n i=1 (¬P i ∧ I i )). By Proposition 2, ¬ n i=1 (¬P i ∧ I i ) implies ¬ n i=1 (P i ∨ I i ). Therefore, it follows that which establishes the second condition for case 1 of AB-TCRes. The third condition is established by the fact that all the pivot literals in P i are shared. R be a local and closed (A, B)-refutation. Then we can construct a hyperresolution refutation H of (A, B) and a locality preserving labelling function L such that for each v ∈ V R with R (v) ∈ L( A) ∩ L(B) there exists a corresponding vertex u ∈ V H such that Itp K V (R)(v) ⇔ Itp 1 (L , H )(u).

Theorem 6 Let
such that H (u) = R (v) and

(B-justified) π(v) = B.
Analogous to the first case, but I w 2 = T.