Unsatisfiability Proofs for Horn Solving

Given a CHC system \(\mathcal {S}\), we consider a proof system with a single derivation rule

where \(\forall V \cdot (B_1 \wedge \ldots \wedge B_k \wedge \varphi \implies H)\) is a clause from \(\mathcal {S}\), \(\sigma \) is a total assignment of all the variables from V that satisfies \(\varphi \), i.e., \(\sigma \models \varphi \), and \(\sigma (p(x_1,\ldots ,x_n))\) denotes \(p(\sigma (x_1),\ldots ,\sigma (x_n))\), i.e., the result of replacing each variable \(x \in V\) with its value assigned by \(\sigma \).

Intuitively, the rule says that, given an instantiation of an input clause using \(\sigma \) that satisfies the constraint \(\varphi \), if premises \(\sigma (B_1), \ldots , \sigma (B_k)\) have been derived, then the conclusion \(\sigma (H)\) can be derived. Note that the condition \(\sigma \models \varphi \) is necessary for the rule to be sound, and that if there are no uninterpreted predicates in the input clause, then there are no additional premises and any assignment \(\sigma \) that satisfies \(\varphi \) can be used to derive \(\sigma (H)\). A derivation of \( false \) from \(\mathcal {S}\) using repeated applications of this derivation rule forms a proof of unsatisfiability of \(\mathcal {S}\); we consider the height of a proof as the maximum number of rule applications on any path from the root to a leave.

While these coarse proofs could, in theory, be automatically checked, no checker currently exists for this format. Instead of developing our own specialized proof checker, we show how coarse proofs can be instantiated in the Alethe format and be automatically checked by the proof checker Carcara.

A high-level architecture of state-of-the-art Horn solvers typically contains two main components: a preprocessor and a backend solving engine. The goal of the preprocessor is to make it easier for the backend engine to handle the input, and it works by transforming the input CHC system into a different CHC system that is simpler and equisatisfiable. A preprocessor typically implements several transformations that are statically or dynamically assembled into a transformation pipeline, based on the properties of the input clauses or the chosen backend engine. The goal of the backend engine is to decide the satisfiability of the transformed CHCs generated by the preprocessor. Importantly, if the preprocessor applies only equisatisfiable transformations, the result computed by the backend engine will also be valid for the original input CHC system.

To add proof-production capabilities to Horn solvers, three extensions to the architecture just described are required:

Some solvers, e.g., Eldarica and Z3-Spacer, already implement the first two extensions, at least partially, but no official publication describing the process exists at present. Despite this, it is important to note that no solver currently produces independently checkable proofs.

Spacer is often described as an abstract transition system with rules that update its state, with an alternative description based on induction [51] offering additional insight into its inner workings. With the goal of producing proofs in mind, we give here a more procedural description of the algorithm. This allows us to pinpoint the additional bookkeeping required to produce proofs with minimal overhead. We follow the original description of Spacer by Komuravelli et al. [36], but use the CHC terminology introduced in Section 3.

For its operation, the algorithm maintains two mappings, both from predicates and bounds to a set of formulas (the must- and may-summaries in [36]). A must mapping U keeps track, for each predicate \(p\) and a bound k, of the ground instances of \(p\) known to have a derivation of height at most k. The ground instances are tracked symbolically, rather than individually, as formulas that we call must-derivations (must-summaries in [36]). Similarly, a may mapping O keeps track of the ground instances that still may be derived, which we call may-derivations (may-summaries in [36]). Intuitively, given a predicate \(p\) and a bound k, if a ground instance of \(p\) is not in \(\bigwedge O(p,k)\) then it cannot have a derivation of height at most k. Thus, U and O are, respectively, an underapproximation and an overapproximation of the ground instances that have bounded derivations.

The algorithm consists of two main parts: checking if a bounded derivation of \( false \) exists (BndSafety in [36]) and checking if a model has been discovered (CheckInvariance in [36]). The CheckInvariance part is responsible for pushing may-derivations to higher bounds and checking if a fixedpoint, i.e., a model, has been found. We skip the explanation of this procedure, since it is not relevant to proof production, and instead focus on how BndSafety can leverage must-derivations to produce proofs.

The core idea is to track dependencies between learned must-derivations and to build a concrete proof at the end of the algorithm’s execution based on the tracked information. The goal of BndSafety, shown in Figure 2, is to check if a derivation of \( false \) of height at most n exists, by using a priority queue of proof obligations. A proof obligation \(\langle p,k,\gamma \rangle \) represents a question asking if there is a derivation of height at most k of some ground instance of \(p\) that satisfies \(\gamma \). The initial proof obligation is \(\langle false ,n,true\rangle \) which represents the question asking if \( false \) has a derivation of size at most n. While some proof obligation \(\langle p,k,\gamma \rangle \) remains, the algorithm attempts to resolve it. For that, it examines all clauses with head \(p\) and then checks if some derivation satisfying \(\gamma \) exists (using known must-derivations) or if it can prove such a derivation cannot exist (using known may-derivations). If neither is the case, then it generates new proof obligations (with decreased bound) from the failures of disproving the existence of the desired derivation with known may-derivations.

We skip the details regarding the refutation of proof obligations with may-derivations as well as the computation of predecessors and new may-derivations, as these are independent of proof production. Instead, we focus on the procedure MustDerivable, which takes a clause c, a bound k and a constraint \(\gamma \) on the head H of c, i.e, a constraint over the variables of H, and determines if there is an instance of c such that

This amounts to checking the satisfiability of \(\gamma \) with the body of c where uninterpreted predicates have been replaced by the disjunction of their known must-derivations. If the answer is SAT, a new must-derivation \(\delta \) for p and bound k is computed using model-based projection (MBP) [10, 36]. As an efficient under-approximation of quantifier elimination, MBP guarantees that every ground instance of \(p\) that satisfies \(\delta \) can be derived in one step from some ground instances of \(p_1, \ldots , p_n\) that satisfy \(\bigvee U _{p_1}^{k-1}, \ldots , \bigvee U _{p_n}^{k-1}\), respectively. Thus, \(\delta \) can be safely added to \( U _{p}^{k}\).

In order to produce a proof of unsatisfiability, we only need to track which must-derivations of c’s body predicates were needed for the new must-derivation of the head. To keep track of these dependencies, the algorithm should maintain a directed hypergraph of must-derivations. Each node consists of a must-derivation \(\delta \) and a predicate symbol \(p\). Each hyperedge \([\langle v_1, \ldots , v_n \rangle , v]\) is labeled with a clause c and represents the fact that the derivation of v can be obtained by hyper-resolution on the derivations of \(v_1, \ldots , v_n\) and an appropriate instantiation of c. In the procedure MustDerivable, when a new must-derivation is learned, a new node with appropriate incoming edge is added to the graph. Note that each node will always have only a single incoming edge, but can participate in multiple outgoing edges. With the hypergraph of must-derivations to track dependencies, we can easily reconstruct a concrete proof after the algorithm finishes and determines that \( false \) can be derived.

The hypergraph of must-derivations already defines the structure of the unsatisfiability proof, we only have to concretise individual nodes to ground instances. Algorithm 3 presents the construction of the proof.

The construction proceeds from the root (the derivation of \( false \)) towards the leaves, keeping a worklist of open goals. An open goal is a ground instance for which a derivation has not yet been constructed, together with a corresponding hypergraph node. The worklist is initialised with the ground instance \( false \) and the node \(\langle true , false \rangle \). To avoid unnecessary multiple derivations of the same ground instance, the algorithm also keeps track of already encounted ground instances, i.e., instances that have already been derived or are already in the worklist. Then, while there is an open goal in the worklist, the algorithm closes it by constructing a derivation of the ground instance, possibly introducing new open goals. Each open goal \(\langle \langle \delta , p \rangle , p(c_1,\ldots ,c_n) \rangle \) from the worklist is processed as follows. From the graph, retrieve the single incoming edge labeled with clause \(c \equiv \varphi \wedge B_1 \wedge \ldots \wedge B_n \implies H\) (with body predicates \(p_1, \ldots ,p_n\) and a head predicate symbol \(p\)) and the edge’s source nodes \(\langle \delta _1, p_1 \rangle , \ldots , \langle \delta _n, p_n \rangle \). Compute a satisfying assignment \(\sigma \) for \(\varphi \wedge \delta _1 \wedge \ldots \wedge \delta _n\) such that \(\sigma (H) = p(c_1, \ldots , c_n)\). Note that this may, in general, require a call to an SMT solver, but such a satisfying assignment has to exist because of how \(\delta \) and its premises were computed in MustDerivable. \(\sigma \) determines the ground instances \(\sigma (B_1), \ldots , \sigma (B_n)\) for predicates \(p_1, \ldots , p_n\) that form the premises of the derivation of \(\sigma (H)\). Add the computed derivation of \(\sigma (H)\) to the proof. Finally, add new entries \(\langle \delta _i, p_i \rangle \) together with the corresponding ground instance \(\sigma (B_i)\) to the worklist if this is the first time this ground instance has been encountered. When the worklist becomes empty no open goals are left and a derivation of \( false \) from the input clauses, i.e., a coarse unsatisfiability proof, has been constructed.

In order to support proof production, each transformation pass in the preprocessor has to be coupled with a backtranslator, which is able to translate a proof for the transformed system back to a proof for the input system.

When a proof-producing Horn solver couples each preprocessing pass with the corresponding backtranslator, a proof computed from the backend engine can be fed backwards through the sequence of backtranslators to obtain a proof for the original system. This process is depicted in Figure 3. Each preprocessing step \(\tau _i\) provides the necessary information regarding the applied transformation to the coupled backtranslator \(\beta _i\). This enables the backtranslator to apply the necessary modifications to the proof.

There are many different transformations a solver can employ. We demonstrate the concept of a backtranslator for a common transformation technique that eliminates an uninterpreted predicate from the CHC system, and then briefly discuss some other transformations.

Eliminating predicates from the input CHC system (the unfold operation in [9]) is a common technique that can greatly improve the performance of the backend algorithm. Suppose that \(p\) is an uninterpreted predicate occurring in the system \(\mathcal {S}\) such that it is not present in both body and head of the same clause. Moreover, for simplicity, assume that \(p\) does not occur multiple times in the body of any clause. Then, \(\mathcal {S}\) can be transformed to an equisatisfiable system \(\mathcal {S}'\) without \(p\) by

Note that the second step may require variable renaming to ensure there are no clashes and that resolving on the occurrence of \(p\) is sound.

The backtranslator corresponding to a predicate elimination pass must remember, for each resolvent, which pair of clauses was used to derive the resolvent. Then, when the backtranslator receives a proof, it checks for existence of steps using an instantiation of some resolvent. Each such step is then replaced with two steps using instantiations of the two original clauses. For ease of presentation, we consider the case of linear clauses, i.e., clauses with a single predicate in their body. Suppose clauses \(Q \wedge \varphi _1 \implies P\) and \(P \wedge \varphi _2 \implies R\) were replaced by a clause \(Q \wedge \varphi _1 \wedge \varphi _2 \implies R\), and that this clause has been instantiated in the proof \(\pi '\) using assignment \(\sigma \), leading to a derivation of the ground instance \(\sigma (R)\). Then, \(\sigma \) defines the ground instance of P that can be derived from the first clause and resolving the obtained ground instance of P with the instantiation of the second clause (again using \(\sigma \)) yields the desired ground instance \(\sigma (R)\).

There are many possible transformation passes beyond predicate elimination, often with trivial or almost trivial backtranslators. For example, removing redundant clauses from the system has a trivial backtranslator that does nothing, as the proof for the transformed system is a valid proof for the original system. Similarly, rewriting a constraint of some clause to an equisatisfiable constraint does not require a backtranslator to make any structural changes to a proof. The backtranslator only needs to know how to adjust the satisfying assignment \(\sigma \) used for instantiation to obtain a satisfying assignment of the original constaint while yielding the same ground instances of the predicates.

We used all benchmarks of the two linear integer arithmetic (LIA) tracks of CHC-COMP 2024 [16], referred to here as LIA-lin, consisting of benchmarks containing only linear Horn clauses, and LIA-nonlin, consisting of benchmarks containing nonlinear Horn clauses; a clause is linear if it has at most one predicate in its body and is nonlinear otherwise. Each track had 300 benchmarks, making for a total of 600 benchmarks used in our evaluation.

For proof production, we instrumented the Golem solver with the changes described in the previous sections to be able to output both coarse and Alethe proofs for UNSAT results. We chose Golem because it is both a very efficient solver, performing very well in recent CHC-COMP editions, and has a codebase that can be easily extended. For checking the Alethe proofs produced, we used the latest stable code of the Carcara checker (commit 9053d18).

To answer our research questions, we executed the instrumented solver in three different modes for each benchmark: default mode, without proof production, coarse mode, with production of coarse proofs, and alethe mode, with production of coarse proofs and instantiation of them into the Alethe format. None of Golem’s optimisations or preprocessing passes had to be disabled for the proof-producing modes. A Linux machine with 64 AMD EPYC 7452 processors and 256 GB of memory was used for the evaluation. All individual tool executions had a timeout of 30 minutes and a memory limit of 10 gigabytes.

RQ1 The executions in default mode yielded 67 LIA-lin and 100 LIA-nonlin UNSAT results. The respective 167 benchmarks also all yielded UNSAT results in executions in alethe mode and produced Alethe proofs; no benchmark with an UNSAT result in default mode had a timeout in alethe mode. The proofs were forwarded to Carcara and were all successfully validated. This shows that the production and independent checking of unsatisfiability proofs can be made practical with off-the-shelf tools.

RQ2 We gathered the overhead, both in runtime and memory usage, of the coarse and alethe modes in relation to the default mode. The results can be seen in Figure 5. For the majority of benchmarks the overhead in both metrics was negligible, with the few outliers registered not surpassing a slowdown of 90 seconds and an increase of 800 MB of memory usage. The small negative overheads observed in runtime are likely due to process scheduling during the experiments. Also of note is the fact that, in addition to having a small overhead in relation to the default mode, the coarse and alethe modes had a small difference between themselves, indicating that the instantiation of coarse proofs into the Alethe format does not incur a significant computation cost. In regards to proof checking, it was very efficient, with the time taken to check all 167 proofs being 58 seconds and the average memory footprint of Carcara being 17 MB. This shows that the production and checking of unsatisfiability proofs does not significantly impact solver performance.

RQ3 We gathered the sizes of all proofs produced. They can be seen in Figure 6. As is to be expected, Alethe proofs are larger than coarse proofs, in most cases by an order of magnitude. Despite this difference, the absolute size of each proof is relatively small, never going over 100 MB. This shows that proof sizes are not likely to be a limiting factor in output validation.