Classifying and Solving Horn Clauses for Verification - Lab for ...

Classifying and Solving Horn Clauses for VerificationPhilipp Rümmer 1 , Hossein Hojjat 2 , and Viktor Kuncak 21 Uppsala University, Sweden2 Swiss Federal Institute of Technology Lausanne (EPFL)Abstract. As a promising direction to overcome difficulties of verification, researchershave recently proposed the use of Horn constraints as intermediate representation.Horn constraints are related to Craig interpolation, which is one of themain techniques used to construct and refine abstractions in verification, and tosynthesise inductive loop invariants. We give a classification of the different formsof Craig interpolation problems found in literature, and show that all of them correspondto natural fragments of (recursion-free) Horn constraints. For a logic thathas the binary interpolation property, all of these problems are solvable, but havedifferent complexity. In addition to presenting the theoretical classification andsolvability results, we present a publicly available collection of benchmarks toevaluate solvers for Horn constraints, categorized according to our classification.The benchmarks are derived from real-world verification problems. The behaviorwith our tools as well as with Z3 prover indicates the importance of Horn clausesolving as distinct from the general problem of solving quantified constraints byquantifier instantiation.1 IntroductionPredicate abstraction [14] has emerged as a prominent and effective way for modelchecking software systems. A key ingredient in predicate abstraction is analyzing thespurious counter-examples to refine abstractions [4]. The refinement problem saw asignificant progress when Craig interpolants extracted from unsatisfiability proofs wereused as relevant predicates [20]. While interpolation has enjoyed a significant progressfor various logical constraints [7–9,24], there have been substantial proposals for moregeneral forms of interpolation [1, 19, 24].As a promising direction to extend the reach of automated verification methods toprograms with procedures, and concurrent programs, among others, recently the useof Horn constraints as intermediate representation has been proposed [15, 16, 28]. Thispaper examines the relationship between various forms of Craig interpolation and syntacticallydefined fragments of recursion-free Horn clauses. We systematically examinebinary interpolation, inductive interpolant sequences, tree interpolants, restrictedDAG interpolants, and disjunctive interpolants, and show the recursion-free Horn clauseproblems to which they correspond. We present algorithms for solving each of theseclasses of problems by reduction to elementary interpolation problems. We also givea taxonomy of the various interpolation problems, and the corresponding systems ofHorn clauses, in terms of their computational complexity.The contributions of the paper are:

2 Rümmer, Hojjat, Kuncak– a systematic study of relevant recursion-free Horn fragments, their relationship toforms of Craig interpolation, and their computational complexity;– a library of recursion-free Horn problems, designed for benchmarking Horn solversand interpolation engines;– the generalisation of our results from recursion-free Horn clauses to general wellfoundedconstraints, i.e., to constraints without infinite resolution proofs.Organisation. Related work is surveyed in Sect. 2, following in Sect. 3 by an exampleof (recursive) Horn clauses. Sect. 4 formally introduces the concept of Horn clauses.Sect. 5 investigates the relationship between Horn fragments and Craig interpolation,and Sect. 6 their respective computational complexity. Sect. 7 presents our library ofHorn benchmarks. Sect. 8 generalises from Horn clauses to well-founded clauses.2 Related WorkHorn clauses have been used to represent analysis tasks in the context of constraint programmingfor a long time, for instance [29]. The authors of [16] propose Horn clausesfor verification of multi-threaded programs. The underlying procedure for solving setsof recursion-free Horn clauses, over the combined theory of linear integer arithmeticand uninterpreted functions, was presented in [17], and a solver in [18]. A range of furtherapplications of Horn clauses, including inter-procedural model checking, was givenin [15]. Horn clauses are also proposed as intermediate/exchange format for verificationproblems in [6], and are natively supported by the SMT solver Z3 [11].There is a long line of research on Craig interpolation methods, and generalisedforms of interpolation, tailored to verification. For an overview of interpolation in thepresence of theories, we refer the reader to [8, 9]. Binary Craig interpolation for implicationsA → C goes back to [10], was carried over to conjunctions A ∧ B in [25], andgeneralised to inductive sequences of interpolants in [20, 27]. The concept of tree interpolation,strictly generalising inductive sequences of interpolants, is presented in thedocumentation of the interpolation engine iZ3 [24]; the computation of tree interpolantsby computing a sequence of binary interpolants is also described in [19]. RestrictedDAG interpolants [1] and disjunctive interpolants [30] are further generalisations ofinductive sequences of interpolants, designed to enable the simultaneous analysis ofmultiple counterexamples or program paths.The use of Craig interpolation for solving Horn clauses is discussed in [28], concentratingon the case of tree interpolation. Our paper extends this work by giving asystematic study of the relationship between different forms of Craig interpolation andHorn clauses, as well as general results about solvability and computational complexity,independent of any particular calculus used to perform interpolation.Inter-procedural software model checking with interpolants has been an activearea of research for the last decade. In the context of predicate abstraction, it has beendiscussed how well-scoped invariants can be inferred [20] in the presence of functioncalls. Based on the concept of Horn clauses, a predicate abstraction-based algorithm forbottom-up construction of function summaries was presented in [15]. Generalisationsof the Impact algorithm [27] to programs with procedures are given in [19] (formulated

Classifying and Solving Horn Clauses for Verification 3def f (n : Int )returns rec : Int =if (n > 0) {tmp = f(n−1)rec = tmp + 1} else {rec = 1}def main() {var res : Inthavoc(x: Int ≥ 0)res = f (x)assert(res == x + 1)} q 1havoc (x) ∧ x ′ ≥ 0 q 2res ′ = f (x) q 3res=x + 1resx + 1 q 4 en>0 q 5 q 6tmp ′ = f (n − 1) q 7rec ′ =tmp + 1 q 9¬(n>0) q 8rec ′ =1Fig. 1. A recursive program and its control flow graph (see Sect. 3).(1) r1(X, Res) ← true(2) r2(X’, Res) ← r1(X, Res) ∧ X’ ≥ 0(3) r3(X, Res’) ← r2(X, Res) ∧ rf(X, Res’)(4) r4(X, Res) ← r3(X, Res) ∧ Res = X + 1(5) false ← r3(X, Res) ∧ Res X + 1(6) r5(N, Rec, Tmp) ← true(7) r6(N, Rec, Tmp) ← r5(N, Rec, Tmp) ∧ N > 0(8) r7(N, Rec, Tmp’) ← r6(N, Rec, Tmp) ∧ rf(N − 1, Tmp’)(9) r8(N, Rec, Tmp) ← r5(N, Rec, Tmp) ∧ N ≤ 0(10) r9(N, Rec’, Tmp) ← r7(N, Rec, Tmp) ∧ Rec’ = Tmp + 1(11) r9(N, Rec’, Tmp) ← r8(N, Rec, Tmp) ∧ Rec’ = 1(12) rf (N, Rec) ← r9(N, Rec, Tmp)Fig. 2. The encoding of the program in Fig. 1 into a set of recursive Horn clauses.using nested word automata) and [2]. Finally, function summaries generated using interpolantshave also been used to speed up bounded model checking [31].Several other tools handle procedures by increasingly inlining and performing underand/orover-approximation [22,32,33], but without the use of interpolation techniques.3 ExampleWe start with an example illustrating the use of Horn clauses to verify a recursive program.Fig. 1 shows an example of a recursive program, which is encoded as a set of(recursive) Horn constraints in Fig. 2. The encoding is done in such a way that the setof Horn constraints is satisfiable if and only if the program is safe, i.e., the assertionin function main cannot fail. We will use different subsets of the complete set of Hornconstraints as examples throughout the paper.

Classifying and Solving Horn Clauses for Verification 5clauses are usually extracted from recursive clauses by means of finite unwinding; examplesare given in Sect. 5.3 and 5.5.4 Formulae and Horn ClausesConstraint languages. Throughout this paper, we assume that a first-order vocabularyof interpreted symbols has been fixed, consisting of a set F of fixed-arity functionsymbols, and a set P of fixed-arity predicate symbols. Interpretation of F and P isdetermined by a class S of structures (U, I) consisting of non-empty universe U, anda mapping I that assigns to each function in F a set-theoretic function over U, andto each predicate in P a set-theoretic relation over U. As a convention, we assumethe presence of an equation symbol “=” in P, with the usual interpretation. Given acountably infinite set X of variables, a constraint language is a set Constr of firstorderformulae over F , P, X For example, the language of quantifier-free Presburgerarithmetic has F = {+, −, 0, 1, 2, . . .} and P = {=, ≤, |}).A constraint is called satisfiable if it holds for some structure in S and some assignmentof the variables X, otherwise unsatisfiable. We say that a set Γ ⊆ Constr ofconstraints entails a constraint φ ∈ Constr if every structure and variable assignmentthat satisfies all constraints in Γ also satisfies φ; this is denoted by Γ |= φ.fv(φ) denotes the set of free variables in constraint φ. We write φ[x 1 , . . . , x n ] to statethat a constraint contains (only) the free variables x 1 , . . . , x n , and φ[t 1 , . . . , t n ] for theresult of substituting the terms t 1 , . . . , t n for x 1 , . . . , x n . Given a constraint φ containingthe free variables x 1 , . . . , x n , we write Cl ∀ (φ) for the universal closure ∀x 1 , . . . , x n .φ.Craig interpolation is the main technique used to construct and refine abstractions insoftware model checking. A binary interpolation problem is a conjunction A ∧ B ofconstraints. A Craig interpolant is a constraint I such that A |= I and B |= ¬I, andsuch that fv(I) ⊆ fv(A) ∩ fv(B). The existence of an interpolant implies that A ∧ B isunsatisfiable. We say that a constraint language has the interpolation property if alsothe opposite holds: whenever A ∧ B is unsatisfiable, there is an interpolant I.4.1 Horn ClausesTo define the concept of Horn clauses, we fix a set R of uninterpreted fixed-arity relationsymbols, disjoint from P and F . A Horn clause is a formula C ∧ B 1 ∧ · · · ∧ B n → Hwhere– C is a constraint over F , P, X;– each B i is an application p(t 1 , . . . , t k ) of a relation symbol p ∈ R to first-order termsover F , X;– H is similarly either an application p(t 1 , . . . , t k ) of p ∈ R to first-order terms, or isthe constraint false.H is called the head of the clause, C∧B 1 ∧· · ·∧B n the body. In case C = true, we usuallyleave out C and just write B 1 ∧ · · · ∧ B n → H. First-order variables (from X) in a clauseare considered implicitly universally quantified; relation symbols represent set-theoretic

6 Rümmer, Hojjat, Kuncakrelations over the universe U of a structure (U, I) ∈ S. Notions like (un)satisfiability andentailment generalise straightforwardly to formulae with relation symbols.A relation symbol assignment is a mapping sol : R → Constr that maps each n-aryrelation symbol p ∈ R to a constraint sol(p) = C p [x 1 , . . . , x n ] with n free variables. Theinstantiation sol(h) of a Horn clause h is defined by:sol ( C ∧ p 1 (¯t 1 ) ∧ · · · ∧ p n (¯t n ) → p(¯t) ) = C ∧ sol(p 1 )[¯t 1 ] ∧ · · · ∧ sol(p n )[¯t n ] → sol(p)[¯t]sol ( C ∧ p 1 (¯t 1 ) ∧ · · · ∧ p n (¯t n ) → false ) = C ∧ sol(p 1 )[¯t 1 ] ∧ · · · ∧ sol(p n )[¯t n ] → falseDefinition 1 (Solvability). Let HC be a set of Horn clauses over relation symbols R.1. HC is called semantically solvable if for every structure (U, I) ∈ S there is aninterpretation of the relation symbols R as set-theoretic relations over U such theuniversally quantified closure Cl ∀ (h) of every clause h ∈ HC holds in (U, I).2. A HC is called syntactically solvable if there is a relation symbol assignment solsuch that for every structure (U, I) ∈ S and every clause h ∈ HC it is the case thatCl ∀ (sol(h)) is satisfied.Note that, in the special case when S contains only one structure, S = {(U, I)},semantic solvability reduces to the existence of relations interpreting R that extend thestructure (U, I) in such a way to make all clauses true. In other words, Horn clausesare solvable in a structure if and only if the extension of the theory of (U, I) by relationsymbols R in the vocabulary and by given Horn clauses as axioms is consistent.A set HC of Horn clauses induces a dependence relation → HC on R, definingp → HC q if there is a Horn clause in HC that contains p in its head, and q in thebody. The set HC is called recursion-free if → HC is acyclic, and recursive otherwise.In the next sections we study the solvability problem for recursion-free Horn clausesand then show how to use such results in general Horn clause verification systems.Definition 2 (Normal Form). A set HC of Horn clauses is in normal form [15] iff1. every relation symbol has a unique, pairwise distinct vector of arguments,2. every non-argument variable occurs in at most one clause.5 The Relationship between Craig Interpolation and Horn ClausesIt has become common to work with generalised forms of Craig interpolation, such asinductive sequences of interpolants, tree interpolants, and restricted DAG interpolants.We show that a variety of such interpolation approaches can be reduced to recursionfreeHorn clauses. Recursion-free Horn clauses thus provide a general framework unifyingand subsuming a number of earlier notions. As a side effect, we can formulatea general theorem about existence of the individual kinds of interpolants in Sect. 6,applicable to any constraint language with the (binary) interpolation property.An overview of the relationship between specific forms of interpolation and specificfragments of recursions-free Horn clauses is given in Table 1, and will be explained inmore detail in the rest of this section. Table 1 refers to the following fragments ofrecursion-free Horn clauses:

Classifying and Solving Horn Clauses for Verification 7Form of interpolationBinary interpolation [10, 25]A ∧ BInductive interpolant seq. [20, 27]T 1 ∧ T 2 ∧ · · · ∧ T nTree interpolants [19, 24]Restricted DAG interpolants [1]Disjunctive interpolants [30]Fragment of Horn clausesPair of Horn clausesA → p( ¯x), B ∧ p( ¯x) → false with { ¯x} = fv(A) ∩ fv(B)Linear tree-like Horn clausesT 1 → p 1 ( ¯x 1 ), p 1 ( ¯x 1 ) ∧ T 2 → p 2 ( ¯x 2 ), . . .with { ¯x i } = fv(T 1 , . . . , T i ) ∩ fv(T i+1 , . . . , T n )Tree-like Horn clausesLinear Horn clausesBody disjoint Horn clausesTable 1. Equivalence of interpolation problems and systems of Horn clauses.Definition 3 (Horn clause fragments). We say that a finite, recursion-free set HC ofHorn clauses1. is linear if the body of each Horn clause contains at most one relation symbol,2. is body-disjoint if for each relation symbol p there is at most one clause containingp in its body; furthermore, every clause contains p at most once;3. is head-disjoint if for each relation symbol p there is at most one clause containingp in its head;4. is tree-like [17] if it is body-disjoint and head-disjoint.Theorem 1 (Interpolation and Horn clauses). For each line of Table 1 it holds that:1. an interpolation problem of the stated form can be polynomially reduced to (syntactically)solving a set of Horn clauses, in the stated fragment;2. solving a set of Horn clauses (syntactically) in the stated fragment can be polynomiallyreduced to solving a sequence of interpolation problems of the stated form.5.1 Binary Craig Interpolants [10, 25]The simplest form of Craig interpolation is the derivation of a constraint I such that A |=I and I |= ¬B, and such that fv(I) ⊆ fv(A)∩fv(B). Such derivation is typically constructedby efficiently processing the proof of unsatisfiability of A ∧ B. To encode a binaryinterpolation problem into Horn clauses, we first determine the set ¯x = fv(A) ∩ fv(B) ofvariables that can possibly occur in the interpolant. We then pick a relation symbol p ofarity | ¯x|, and define two Horn clauses expressing that p( ¯x) is an interpolant:A → p( ¯x),B ∧ p( ¯x) → falseIt is clear that every syntactic solution for the two Horn clauses corresponds to an interpolantof A ∧ B.

Classifying and Solving Horn Clauses for Verification 91. for the root node v 0 ∈ V, it is the case that I(v 0 ) = false,2. for any node v ∈ V, the following entailment holds:∧φ(v) ∧ I(w) |= I(v) ,(v,w)∈E3. for any node v ∈ V, every non-logical symbol (in our case: variable) in I(v) occursboth in some formula φ(w) for w such that E ∗ (v, w), and in some formula φ(w ′ ) forsome w ′ such that ¬E ∗ (v, w ′ ). (E ∗ is the reflexive transitive closure of E).Since the case of tree interpolants is instructive for solving recursion-free sets ofHorn clauses in general, we give a result about the existence of tree interpolants. Theproof of the lemma computes tree interpolants by repeated derivation of binary interpolants;however, as for inductive sequences of interpolants, there are solvers that cancompute all formulae of a tree interpolant simultaneously [16, 17, 24].Lemma 1. Suppose the constraint language Constr that has the interpolation property.Then a tree (V, E) with labelling function φ : V → Constr has a tree interpolant I if andonly if ∧ v∈V φ(v) is unsatisfiable.Proof. “⇒” follows from the observation that every interpolant I(v) is a consequenceof the conjunction ∧ (v,w)∈E + φ(w).“⇐”: let v 1 , v 2 , . . . , v n be an inverse topological ordering of the nodes in (V, E), i.e.,an ordering such that ∀i, j. (E(v i , v j ) ⇒ i > j). We inductively construct a sequence offormulae I 1 , I 2 , . . . , I n , such that for every i ∈ {1, . . . , n} the following properties hold:1. the following conjunction is unsatisfiable:∧{I k | k ≤ i, ∀ j. (E(v j , v k ) ⇒ j > i)} ∧ ( φ(v i+1 ) ∧ φ(v i+2 ) ∧ · · · ∧ φ(v n ) ) (1)2. the following entailment holds:∧φ(v i ) ∧(v i ,v j )∈EI j|= I i3. every non-logical symbol in I i occurs both in a formula φ(w) with E ∗ (v i , w), and ina formula φ(w ′ ) with ¬E ∗ (v i , w ′ ).Assume that the formulae I 1 , I 2 , . . . , I i have been constructed, for i ∈ {0, . . . , n − 1}.We then derive the next interpolant I i+1 by solving the binary interpolation problem( ∧ )φ(vi+1 ) ∧ I j ∧E(v i+1 ,v j )( ∧{I k | k ≤ i, ∀ j. (E(v j , v k ) ⇒ j > i + 1)} ∧ φ(v i+2 ) ∧ · · · ∧ φ(v n ) ) (2)That is, we construct I i+1 so that the following entailments hold:∧φ(v i+1 ) ∧ I j |= I i+1 ,E(v i+1 ,v j )∧{I k | k ≤ i, ∀ j. (E(v j , v k ) ⇒ j > i + 1)} ∧ φ(v i+2 ) ∧ · · · ∧ φ(v n ) |= ¬I i+1

10 Rümmer, Hojjat, KuncakFurthermore, I i+1 only contains non-logical symbols that are common to the left and theright side of the conjunction.Note that (2) is equivalent to (1), therefore unsatisfiable, and a well-formed interpolationproblem. It is also easy to see that the properties 1–3 hold for I i+1 . Also, we caneasily verify that the labelling function I : v i ↦→ I i is a solution for the tree interpolationproblem defined by (V, E) and φ.⊓⊔Tree interpolation as tree-like Horn clauses. The encoding of a tree interpolation problemas a tree-like set of Horn clauses is very similar to the encoding for inductive sequencesof interpolants. We introduce a fresh relation symbol p v for each node v ∈ Vof a tree interpolation problem (V, E), φ, assuming that for each v ∈ V the vector ¯x v =⋃E ∗ (v,w) fv(φ(w)) ∩ ⋃ ¬E ∗ (v,w) fv(φ(w)) represents the set of variables that can occur in theinterpolant I(v). The interpolation problem is then represented by the following clauses:{ ∧p 0 ( ¯x 0 ) → false, φ(v) ∧ p w ( ¯x w ) → p v ( ¯x v ) } v∈V(v,w)∈ETree-like Horn clauses as tree interpolation. Suppose HC is a finite, recursion-free, andtree-like set of Horn clauses. We can solve the system of Horn clauses by computing atree interpolant for every connected component of the → HC -graph. As before, we firstnormalise the Horn clauses according to Def. 2. The interpolation graph (V, E) is thendefined by choosing the set V = R ∪ {false} of relation symbols as nodes, and the childrelation E(p, q) to hold whenever p occurs as head, and q within the body of a clause.The labelling function φ is defined by φ(p) = C whenever there is a clause with headsymbol p and constraint C, and φ(p) = false if p does not occur as head of any clause.Example 1. We consider a subset of the Horn clauses given in Fig. 2:(1) r1(X, Res) ← true(2) r2(X’, Res) ← r1(X, Res) ∧ X’ ≥ 0(3) r3(X, Res’) ← r2(X, Res) ∧ rf(X, Res’)(5) false ← r3(X, Res) ∧ Res X + 1(6) r5(N, Rec, Tmp) ← true(9) r8(N, Rec, Tmp) ← r5(N, Rec, Tmp) ∧ N ≤ 0(11) r9(N, Rec’, Tmp) ← r8(N, Rec, Tmp) ∧ Rec’ = 1(12) rf (N, Rec) ← r9(N, Rec, Tmp)Note that this recursion-free subset of the clauses is body-disjoint and head-disjoint,and thus tree-like. Since the complete set of clauses in Fig. 2 is solvable, also any subsetis; in order to compute a (syntactic) solution of the clauses, we set up the correspondingtree interpolation problem. Fig. 4 shows the tree with the labelling φ to be interpolated(in grey), as well as the head literals of the clauses generating the nodes of the tree.A tree interpolant solving the interpolation problem is given in Fig. 5. The tree interpolantcan be mapped to a solution of the original tree-like Horn, for instance we setr 8 (n 8 , rec 8 , tmp 8 ) = (n 8 ≤ 0) and r 9 (n 9 , rec 9 , tmp 9 ) = (n 9 ≤ −1 ∨ (rec 9 = 1 ∧ n 9 = 0)).Symmetric Interpolants A special case of tree interpolants, symmetric interpolants,was introduced in [26]. Symmetric interpolants are equivalent to tree interpolants with

Classifying and Solving Horn Clauses for Verification 11r 5 (n 5 , rec 5 , tmp 5 ):truer 8 (n 8 , rec 8 , tmp 8 ):n 8 = n 5 ∧ n 8 ≤ 0 ∧ rec 8 = rec 5 ∧ tmp 8 = tmp 5r 1 (x 1 , res 1 ):truer 9 (n 9 , rec 9 , tmp 9 ):n 9 = n 8 ∧ rec 9 = 1 ∧ tmp 9 = tmp 8r 2 (x 2 , res 2 ):x 2 ≥ 0 ∧ res 2 = res 1r f (n f , rec f ):n f = n 9 ∧ rec f = rec 9r 3 (x 3 , res 3 ):x 3 = x 2 ∧ x 3 = n f ∧ res 3 = rec ffalse:res 3 x 3 + 1Fig. 4. Tree interpolation problem for the clauses in Example 1a flat tree structure (V, E), i.e., V = {root, v 1 , . . . , v n }, where the nodes v 1 , . . . , v n are thedirect children of root.5.4 Restricted (and Unrestricted) DAG Interpolants [1]Restricted DAG interpolants are a further generalisation of inductive sequence of interpolants,introduced for the purpose of reasoning about multiple paths in a program simultaneously[1]. Suppose (V, E, en, ex) is a finite connected DAG with entry node en ∈V and exit node ex ∈ V, further L E : E → Constr a labelling of edges with constraints,and L V : V → Constr a labelling of vertices. A restricted DAG interpolant is a mappingI : V → Constr with1. I(en) = true, I(ex) = false,2. for all (v, w) ∈ E the entailment I(v) ∧ L V (v) ∧ L E (v, w) |= I(w) ∧ L V (w) holds, and3. for all v ∈ V it is the case that 4fv(I(v)) ⊆ ( ⋃fv(L E (a, v)) ) ∩ ( ⋃fv(L E (v, a)) ) .(a,v)∈E(v,a)∈E4 The definition of DAG interpolants in [1, Def. 4] implies that fv(I(v)) = ∅ for every interpolantI(v), v ∈ V, i.e., only trivial interpolants are allowed. We assume that this is a mistakein [1, Def. 4], and corrected the definition as shown here.

12 Rümmer, Hojjat, Kuncaktruen 8 ≤ 0n 9 ≤ −1 ∨ (rec 9 = 1 ∧ n 9 = 0)x 2 ≥ 0n f ≤ −1 ∨ (rec f = 1 ∧ n f = 0)res 3 = x 3 + 1falseFig. 5. Tree interpolant solving the interpolation problem in Fig. 4The UFO verification system [3] is able to compute DAG interpolants, based onthe interpolation functionality of MathSAT [9]. We can observe that DAG interpolants(despite their name) are incomparable in expressiveness to tree interpolation. This isbecause DAG interpolants correspond to linear Horn clauses, and might have sharedrelation symbol in bodies, while tree interpolants correspond to possibly nonlinear treelikeHorn clauses, but do not allow shared relation symbols in bodies.Encoding of restricted DAG interpolants as linear Horn clauses. For every v ∈ V, let{ ¯x v } = ( ⋃fv(L E (a, v)) ) ∩ ( ⋃fv(L E (v, a)) )(a,v)∈E(v,a)∈Ebe the variables allowed in the interpolant to be computed for v, and p v be a freshrelation symbol of arity | ¯x v |. The interpolation problem is then defined by the followingset of linear Horn clauses:For each (v, w) ∈ E: L V (v) ∧ L E (v, w) ∧ p v ( ¯x v ) → p w ( ¯x w ),L V (v) ∧ ¬L V (w) ∧ L E (v, w) ∧ p v ( ¯x v ) → false,For en, ex ∈ V: true → p en ( ¯x en ), p ex ( ¯x ex ) → falseEncoding of linear Horn clauses as DAG interpolants. Suppose HC is a finite, recursionfree,and linear set of Horn clauses. We can solve the system of Horn clauses by computinga DAG interpolant for every connected component of the → HC -graph. As inSect. 5.2, we normalise Horn clauses according to Def. 2. We also assume that multipleclauses C ∧ p( ¯x p ) → q( ¯x q ) and D ∧ p( ¯x p ) → q( ¯x q ) with the same relation symbols aremerged to (C ∨ D) ∧ p( ¯x p ) → q( ¯x q ).Let {p 1 , . . . , p n } be all relation symbols of one connected component. We then definethe DAG interpolation problem (V, E, en, ex), L E , L V by

Classifying and Solving Horn Clauses for Verification 13– the vertices V = {p 1 , . . . , p n } ∪ {en, ex}, including two fresh nodes en, ex,– the edge relationE ={(p, q) | there is a clause C ∧ p( ¯x p ) → q( ¯x q ) ∈ HC}∪ {(en, p) | there is a clause D → p( ¯x p ) ∈ HC}∪ {(p, ex) | there is a clause E ∧ p( ¯x p ) → false ∈ HC} ,– for each (v, w) ∈ E, the edge labelling⎧C ∧ ¯x v = ¯x v ∧ ¯x w = ¯x w⎪⎨L E (v, w) = D ∧ ¯x w = ¯x w⎪⎩ E ∧ ¯x v = ¯x vif C ∧ v( ¯x v ) → w( ¯x w ) ∈ HCif v = en and D → w( ¯x w ) ∈ HCif w = ex and E ∧ v( ¯x v ) → false ∈ HCNote that the labels include equations like ¯x v = ¯x v to ensure that the right variablesare allowed to occur in interpolants.– for each v ∈ V, the node labelling L V (v) = true.By checking the definition of DAG interpolants, it can be verified that every interpolantsolving the problem (V, E, en, ex), L E , L V is also a solution of the linear Horn clauses.5.5 Disjunctive Interpolants [30]Disjunctive interpolants were introduced in [30] as a generalisation of tree interpolants.Disjunctive interpolants resemble tree interpolants in the sense that the relationship ofthe components of an interpolant is defined by a tree; in contrast to tree interpolants,however, this tree is an and/or-tree: branching in the tree can represent either conjunctionsor disjunctions. Disjunctive interpolants correspond to sets of body-disjoint Hornclauses; in this representation, and-branching is encoded by clauses with multiple bodyliterals (like with tree interpolants), while or-branching is interpreted as multiple clausessharing the same head symbol. For a detailed account on disjunctive interpolants, werefer the reader to [30].The solution of body-disjoint Horn clauses can be computed by solving a sequenceof tree-like sets of Horn clauses:Lemma 2. Let HC be a finite set of recursion-free body-disjoint Horn clauses. HChas a syntactic/semantic solution if and only if every maximum tree-like subset of HChas a syntactic/semantic solution.Proof. We outline direction “⇐” for syntactic solutions. Solving the tree-like subsets ofHC yields, for each relation symbol p ∈ R, a set SC p of solution constraints. A globalsolution of HC can be constructed by forming a positive Boolean combination of theconstraints in SC p for each p ∈ R.⊓⊔Example 2. We consider a recursion-free unwinding of the Horn clauses in Fig. 2. Tomake the set of clauses body-disjoint, the clauses (6), (9), (11), (12) were duplicated,introducing primed copies of all relation symbols involved. The clauses are not headdisjoint,since (10) and (11) share the same head symbol:

14 Rümmer, Hojjat, Kuncak(1) r1(X, Res) ← true(2) r2(X’, Res) ← r1(X, Res) ∧ X’ ≥ 0(3) r3(X, Res’) ← r2(X, Res) ∧ rf(X, Res’)(5) false ← r3(X, Res) ∧ Res X + 1(6) r5(N, Rec, Tmp) ← true(7) r6(N, Rec, Tmp) ← r5’(N, Rec, Tmp) ∧ N > 0(8) r7(N, Rec, Tmp’) ← r6(N, Rec, Tmp) ∧ rf’(N − 1, Tmp’)(9) r8(N, Rec, Tmp) ← r5(N, Rec, Tmp) ∧ N ≤ 0(10) r9(N, Rec’, Tmp) ← r7(N, Rec, Tmp) ∧ Rec’ = Tmp + 1(11) r9(N, Rec’, Tmp) ← r8(N, Rec, Tmp) ∧ Rec’ = 1(12) rf (N, Rec) ← r9(N, Rec, Tmp)(6’) r5 ’( N, Rec, Tmp) ← true(6’’) r5’’(N, Rec, Tmp) ← true(9’) r8 ’( N, Rec, Tmp) ← r5’’(N, Rec, Tmp) ∧ N ≤ 0(11’) r9 ’( N, Rec’, Tmp) ← r8’(N, Rec, Tmp) ∧ Rec’ = 1(12’) rf ’( N, Rec) ← r9’(N, Rec, Tmp)There are two maximum tree-like subsets: T 1 = {(1), (2), (3), (5), (6), (9), (11), (12)},and T 2 = {(1), (2), (3), (5), (7), (8), (10), (12), (6 ′ ), (6 ′′ ), (9 ′ ), (11 ′ ), (12 ′ )}. The subset T 1has been discussed in Example 1. In the same way, it is possible to construct a solutionfor T 2 by solving a tree interpolation problem. The two solutions can be combined toconstruct a solution of T 1 ∪ T 2 :T 1 T 2 T 1 ∪ T 2r 1 (x, r) true true truer 2 (x, r) x ≥ 0 true x ≥ 0r 3 (x, r) r = x + 1 r = x + 1 r = x + 1r 5 (n, c, t) true true truer 6 (n, c, t) − n ≥ 1 n ≥ 1r 7 (n, c, t) − t = n t = nr 8 (n, c, t) n ≤ 0 − n ≤ 0r 9 (n, c, t) n ≤ −1 ∨ (c = 1 ∧ n = 0) c = n + 1 n ≤ −1 ∨ c = n + 1r f (n, c) n ≤ −1 ∨ (c = 1 ∧ n = 0) c = n + 1 n ≤ −1 ∨ c = n + 1r ′ 5r ′′5r ′ 8r ′ 9r ′ f(n, c, t) − true true(n, c, t) − true true(n, c, t) − n ≤ 0 n ≤ 0(n, c, t) − n ≤ −1 ∨ (c = 1 ∧ n = 0) n ≤ −1 ∨ (c = 1 ∧ n = 0)(n, c, t) − n ≤ −1 ∨ (c = 1 ∧ n = 0) n ≤ −1 ∨ (c = 1 ∧ n = 0)In particular, the disjunction of the two interpretations of r 9 (n, c, t) has to be used,in order to satisfy both (10) and (11) (similarly for r f (n, c)). In contrast, the conjunctionof the interpretations of r 2 (x, r) is needed to satisfy (3).6 The Complexity of Recursion-free Horn Clausesover Quantifier-free Presburger ArithmeticWe give an overview of the considered fragments of recursion-free Horn clauses, andthe corresponding interpolation problem, in Fig. 6. The diagram also shows the com-

Classifying and Solving Horn Clauses for Verification 15(Restricted) DAG interpolationDisjunctive interpolationTree interpolationGeneral recursion-freeHead-disjointLinearBody-disjointTree-likeco-NP co-NEXPTIMEInductive interpolant sequencesLinear tree-likeBinary interpolationCraig interpolationRecursion-free Horn clausesFig. 6. Relationship between different forms of Craig interpolation, and different fragments ofrecursion-free Horn clauses. An arrow from A to B expresses that problem A is (strictly) subsumedby B. The complexity classes “co-NP” and “co-NEXPTIME” refer to the problem ofchecking solvability of Horn clauses over quantifier-free Presburger arithmetic.plexity of deciding (semantic or syntactic) solvability of a set of Horn clauses, for Hornclauses over the constraint language of quantifier-free Presburger arithmetic. Most ofthe complexity results occur in [30], but in addition we use the following two observations:Lemma 3. Semantic solvability of recursion-free linear Horn clauses over the constraintlanguage of quantifier-free Presburger arithmetic is in co-NP.Proof. A set HC of recursion-free linear Horn clauses is solvable if and only if theexpansion exp(HC) is unsatisfiable [30]. For linear clauses, exp(HC) is a disjunction of(possibly) exponentially many formulae, each of which is linear in the size of exp(HC).Consequently, satisfiability of exp(HC) is in NP, and unsatisfiability in co-NP. ⊓⊔Lemma 4. Semantic solvability of recursion-free head-disjoint Horn clauses over theconstraint language of quantifier-free Presburger arithmetic is co-NEXPTIME-hard.Proof. The proof given in [30] for co-NEXPTIME-hardness of recursion-free Hornclauses over quantifier-free Presburger arithmetic can be adapted to only require headdisjointclauses. This is because a single execution step of a non-deterministic Turingmachine can be expressed as quantifier-free Presburger formula.⊓⊔

16 Rümmer, Hojjat, Kuncak7 Towards a Library of Interpolation BenchmarksIn order to support the development of interpolation engines, Horn solvers, and verificationsystems, we have started to collect relevant benchmarks of recursion-free Hornclauses, categorised according to the classes determined in the previous sections. 5 Thebenchmarks have been extracted from runs of the model checker Eldarica [30], whichprocesses systems of (usually recursive) Horn clauses by iteratively solving recursionfreeunwindings, as outlined in Sect. 3. For each recursive verification problem, in thisway a set of recursion-free systems of Horn clauses (of varying size) can be synthesised.The benchmarks can be used to evaluate both Horn solvers and interpolation engines,according to the correspondence in Fig. 6.At the moment, our benchmarks are extracted from the verification problems in [30],and formulated over the constraint language of linear integer arithmetic; in the future, itis planned to also include other constraint languages, including rational arithmetic andthe theory of arrays. The benchmarks are stored in SMT-LIB 2 format [5]. All of thebenchmarks can be solved by Eldarica, and by the Horn solving engine in Z3 [21].8 From Recursion-free Horn Clauses to Well-founded ClausesIt is natural to ask whether the considerations of the last sections also apply to clausesthat are not Horn clauses (i.e., clauses that can contain multiple positive literals), providedthe clauses are “recursion-free.” Is it possible, like for Horn clauses, to derivesolutions of recursion-free clauses by computing Craig interpolants?To investigate the situation for clauses that are not Horn, we first have to generalisethe concept of clauses being recursion-free: the definition provided in Sect. 4, formulatedwith the help of the dependence relation → HC , only applies to Horn clauses. Fornon-Horn clauses, we instead choose to reason about the absence of infinite propositionalresolution derivations. Because the proposed algorithms [30] for solving recursionfreesets of Horn clauses all make use of exhaustive expansion or inlining, i.e., the constructionof all derivations for a given set of clauses, the requirement that no infinitederivations exist is fundamental. 6Somewhat surprisingly, we observe that all sets of clauses without infinite derivationshave the shape of Horn clauses, up to renaming of relation symbols. This meansthat procedures handling Horn clauses cover all situations in which we can hope tocompute solutions with the help of Craig interpolation.Since constraints and relation symbol arguments are irrelevant for this observation,the following results are entirely formulated on the level of propositional logic:5 http://lara.epfl.ch/w/horn-nonrec-benchmarkshttps://svn.sosy-lab.org/software/sv-benchmarks/trunk/clauses/LIA/Eldarica/6 We do not take subsumption between clauses, or loops in derivations into account. This meansthat a set of clauses might give rise to infinite derivations even if the set of derived clauses isfinite. It is conceivable that notions of subsumption, or more generally the application of terminatingsaturation strategies [13], can be used to identify more general fragments of clausesfor which syntactic solutions can effectively be computed. This line of research is future work.

Classifying and Solving Horn Clauses for Verification 17– a propositional literal is either a Boolean variable p, q, r (positive literals), or thenegation ¬p, ¬q, ¬r of a Boolean variable (negative literals).– a propositional clause is a disjunction p ∨ ¬q ∨ p of literals. The multiplicity of aliteral is important, i.e., clauses could alternatively be represented as multi-sets ofliterals.– a Horn clause is a clause that contains at most one positive literal.– given a set HC of Horn clauses, we define the dependence relation → HC on Booleanvariables by setting p → HC q if and only if there is a clause in HC in which poccurs positively, and q negatively (like in Sect. 4). The set HC is called recursionfreeif → HC is acyclic.We can now generalise the notion of a set of clauses being “recursion-free” to non-Horn clauses:Definition 4. A set C of propositional clauses is well-founded if there is no infinitesequence c 0 , c 1 , c 2 , c 3 , . . . of clauses with the property that– c 0 ∈ C is an input clause, and– for each i ≥ 1, the clause c i is derived by means of binary resolution from c i−1 andan input clause, using the ruleC ∨ p D ∨ ¬pC ∨ DLemma 5. A finite set HC of Horn clauses is well-founded if and only if it is recursionfree.Proof. “⇐” The acyclic dependence relation → HC induces a strict well-founded order< on Boolean variables: q → HC p implies p < q. The order < induces a wellfoundedorder ≪ on Horn clauses:(p ∨ C) ≪ (q ∨ D) ⇔ p > q or (p = q and C < ms D)C ≪ (q ∨ D) ⇔ trueC ≪ D ⇔ C < ms Dwhere C, D only contain negative literals, and < ms is the (well-founded) multi-set extensionof < [12].It is easy to see that a clause C ∨ D derived from two Horn clauses C ∨ p and D∨¬pusing the resolution rule is again Horn, and (C ∨ D) ≪ (C ∨ p) and (C ∨ D) ≪ (D∨¬p).The well-foundedness of ≪ implies that any sequence of clauses as in Def. 4 is finite.“⇒” If the dependence relation → HC has a cycle, we can directly construct a nonterminatingsequence c 0 , c 1 , c 2 , . . . of clauses.⊓⊔Definition 5 (Renamable-Horn [23]). If A is a set of Boolean variables, and C is aset of clauses, then r A (C) is the result of replacing in C every literal whose Booleanvariable is in A with its complement. C is called renamable-Horn if there is some set Aof Boolean variables such that r A (C) is Horn.Theorem 2. If a finite set C of clauses is well-founded, then it is renamable-Horn..

18 Rümmer, Hojjat, KuncakProof. Suppose C is formulated over the (finite) set p 1 , p 2 , . . . , p n of Boolean variables.We construct a graph (V, E), with V = {p 1 , p 2 , . . . , p n , ¬p 1 , ¬p 2 , . . . , ¬p n } being the setof all possible literals, and (l, l ′ ) ∈ E if and only if there is a clause ¬l ∨ l ′ ∨ C ∈ C (thatmeans, a clause containing the literal l ′ , and the literal l with reversed sign). 7The graph (V, E) is acyclic. To see this, suppose there is a cycle l 1 , l 2 , . . . , l m , l m+1 =l 1 in (V, E). Then there are clauses c 1 , c 2 , . . . , c m ∈ C such that each c i contains the literals¬l i and l i+1 . We can then construct an infinite sequence c 1 = d 0 , d 1 , d 2 , . . . of clauses,where each d i (for i > 1) is obtained by resolving d i−1 with c (i mod m)+1 , contradicting theassumption that C is well-founded.Since (V, E) is acyclic, there is a strict total order < on V that is consistent with E,i.e., (l, l ′ ) ∈ E implies l < l ′ .Claim: if p < ¬p for every Boolean variable p ∈ {p 1 , p 2 , . . . , p n }, then C is Horn.Proof of the claim: suppose a non-Horn clause p i ∨ p j ∨ C ∈ C exists (with i j).Then (¬p i , p j ) ∈ E and (¬p j , p i ) ∈ E, and therefore ¬p i < p j and ¬p j < p i . Then also¬p i < p i or ¬p j < p j , contradicting the assumption that p < ¬p for every Booleanvariable p.In general, choose A = {p i | i ∈ {1, . . . , n}, ¬p i < p i }, and consider the set r A (C) ofclauses. The set r A (C) is Horn, since changing the sign of a Boolean variable p ∈ Ahas the effect of swapping the nodes p, ¬p in the graph (V, E). Therefore, the newgraph (V, E ′ ) has to be compatible with a strict total order < such that p < ¬p forevery Boolean variable p, satisfying the assumption of the claim above.⊓⊔Example 3. We consider the following set of clauses:C = {¬a ∨ s, a ∨ ¬p, p ∨ ¬b, b ∨ p ∨ r, ¬p ∨ q}By constructing all possible derivations, it can be shown that the set is well-founded.The graph (V, E), as constructed in the proof, is:sqaprb ¬b¬r¬p¬a¬qA strict total order that is compatible with the graph is:¬s¬s < ¬q < ¬r < ¬a < ¬p < b < ¬b < r < p < q < a < s7 This graph could equivalently be defined as the implication graph of the 2-sat problem introducedin [23], as a way of characterising whether a set of clauses is Horn.

Classifying and Solving Horn Clauses for Verification 19From the order we can read off that we need to rename the variables A = {s, q, r, a, p}in order to obtain a set of Horn clauses:r A (C) = {a ∨ ¬s, ¬a ∨ p, ¬p ∨ ¬b, b ∨ ¬p ∨ ¬r, p ∨ ¬q}9 ConclusionIn recent years there has been a growing interest in more general forms of interpolation,organising formulae in non-linear structures such as trees, hyper-trees or directedacyclic graphs. In this paper we showed that many forms of interpolation can be definedas subclasses of recursion-free Horn clauses, provided a taxonomy of the variousfragments, and investigated computational complexity. We believe that the results arevaluable for application domains of Horn constraints, in particular in program verificationand model checking.References1. A. Albarghouthi, A. Gurfinkel, and M. Chechik. Craig interpretation. In SAS, 2012.2. A. Albarghouthi, A. Gurfinkel, and M. Chechik. Whale: An interpolation-based algorithmfor inter-procedural verification. In VMCAI, pages 39–55, 2012.3. A. Albarghouthi, Y. Li, A. Gurfinkel, and M. Chechik. Ufo: A framework for abstractionandinterpolation-based software verification. In CAV, pages 672–678, 2012.4. T. Ball, A. Podelski, and S. K. Rajamani. Relative completeness of abstraction refinementfor software model checking. In TACAS’02, volume 2280 of LNCS, page 158, 2002.5. C. Barrett, A. Stump, and C. Tinelli. C.: The smt-lib standard: Version 2.0. Technicalreport, 2010.6. N. Bjørner, K. McMillan, and A. Rybalchenko. Program verification as satisfiabilitymodulo theories. In SMT Workshop at IJCAR, 2012.7. M. P. Bonacina and M. Johansson. On interpolation in automated theorem proving.(submitted), 2012.8. A. Brillout, D. Kroening, P. Rümmer, and T. Wahl. An interpolating sequent calculus forquantifier-free Presburger arithmetic. Journal of Automated Reasoning, 47:341–367, 2011.9. A. Cimatti, A. Griggio, and R. Sebastiani. Efficient generation of Craig interpolants insatisfiability modulo theories. ACM Trans. Comput. Log., 12(1):7, 2010.10. W. Craig. Linear reasoning. A new form of the Herbrand-Gentzen theorem. The Journal ofSymbolic Logic, 22(3):250–268, September 1957.11. L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, pages 337–340.Springer-Verlag, 2008.12. N. Dershowitz and Z. Manna. Proving termination with multiset orderings. Commun. ACM,22(8):465–476, 1979.13. C. Fermüller, A. Leitsch, U. Hustadt, and T. Tammet. Resolution decision procedures. InA. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, chapter 25,pages 1791–1850. Elsevier, 2001.14. S. Graf and H. Saidi. Construction of abstract state graphs with PVS. In CAV, pages 72–83,1997.15. S. Grebenshchikov, N. P. Lopes, C. Popeea, and A. Rybalchenko. Synthesizing softwareverifiers from proof rules. In PLDI, 2012.16. A. Gupta, C. Popeea, and A. Rybalchenko. Predicate abstraction and refinement forverifying multi-threaded programs. In POPL, 2011.

20 Rümmer, Hojjat, Kuncak17. A. Gupta, C. Popeea, and A. Rybalchenko. Solving recursion-free Horn clauses overLI+UIF. In APLAS, pages 188–203, 2011.18. A. Gupta, C. Popeea, and A. Rybalchenko. Generalised interpolation by solvingrecursion-free horn clauses. CoRR, abs/1303.7378, 2013.19. M. Heizmann, J. Hoenicke, and A. Podelski. Nested interpolants. In POPL, 2010.20. T. A. Henzinger, R. Jhala, R. Majumdar, and K. L. McMillan. Abstractions from proofs. InPOPL, pages 232–244. ACM, 2004.21. K. Hoder and N. Bjørner. Generalized property directed reachability. In SAT, pages157–171, 2012.22. A. Lal, S. Qadeer, and S. K. Lahiri. Corral: A solver for reachability modulo theories. InCAV, 2012.23. H. R. Lewis. Renaming a set of clauses as a Horn set. J. ACM, 25(1):134–135, Jan. 1978.24. K. L. McMillan. iZ3 documentation.http://research.microsoft.com/en-us/um/redmond/projects/z3/iz3documentation.html.25. K. L. McMillan. Interpolation and SAT-based model checking. In CAV, 2003.26. K. L. McMillan. Applications of craig interpolants in model checking. In N. Halbwachsand L. D. Zuck, editors, TACAS, volume 3440 of Lecture Notes in Computer Science, pages1–12. Springer, 2005.27. K. L. McMillan. Lazy abstraction with interpolants. In CAV, 2006.28. K. L. McMillan and A. Rybalchenko. Solving constrained Horn clauses using interpolation.Technical Report MSR-TR-2013-6, Jan. 2013.http://research.microsoft.com/apps/pubs/default.aspx?id=180055.29. M. Méndez-Lojo, J. A. Navas, and M. V. Hermenegildo. A flexible, (c)lp-based approach tothe analysis of object-oriented programs. In LOPSTR, pages 154–168, 2007.30. P. Rümmer, H. Hojjat, and V. Kuncak. Disjunctive Interpolants for Horn-Clause Verification(Extended Technical Report). ArXiv e-prints, Jan. 2013. http://arxiv.org/abs/1301.4973.31. O. Sery, G. Fedyukovich, and N. Sharygina. Interpolation-based function summaries inbounded model checking. In Haifa Verification Conference (HVC), Haifa, 2011. Springer.32. P. Suter, A. S. Köksal, and V. Kuncak. Satisfiability modulo recursive programs. In StaticAnalysis Symposium (SAS), 2011.33. M. Taghdiri and D. Jackson. Inferring specifications to detect errors in code. Autom. Softw.Eng., 14(1):87–121, 2007.