We present an interpolation procedure for quantified formulas in the theory of equality with uninterpreted functions. Interpolants have various applications in model checking, for example, during abstraction refinement or invariant generation [ 1, 2, 3, 4 ]. For the analysis of sequential programs, sequence interpolants [ 2 ] that are computed from infeasible error paths, are of particular interest. For each point of a program path, a sequence interpolant provides a reason why an error is unreachable from this point on. Often, the interpolant is general enough to exclude several paths at once.

Many verification problems require the ability to reason about quantifiers, which are, among others, needed in user-added assertions, for the modeling of unsupported theories or memory modeling [ 5, 6 ]. However, the support of interpolation in the presence of quantified formulas is limited. A major challenge are mixed terms that are introduced in the context of quantifier instantiations. Most interpolation algorithms are either restricted to quantifier-free input formulas [ 7, 8, 9, 10, 11, 12, 13 ], require proof modifications [ 14 ], or require syntactical restrictions on the generated proof trees [ 15, 16, 17 ].

Our method is based on the proof tree preserving interpolation approach [ 12, 13 ] which allows for interpolation of quantifier-free formulas in the presence of mixed literals without the need for proof modifications or solver restrictions. In particular, sequence or tree interpolants can be computed from one single proof of unsatisfiability. We extend this procedure to handle instantiation-based resolution proofs of quantified formulas similar to [ 14 ]. However, we simplify the presented quantifier introduction step and perform all necessary modifications only virtually such that the proof tree preserving character is restored.

The contributions of this paper are a proof tree and satisfiability preserving scheme for the virtual modification of mixed terms, a scheme to interpolate instantiation clauses generated by a quantifier solver, and modifications of interpolation rules for theory lemmas and resolvents to generate valid inductive sequences of interpolants from a single proof tree.

Related Work. Interpolation goes back to Craig [ 18 ] who proved that for a valid implication → in first-order logic, there always exists an interpolant (Craig called it “intermediate”), i.e., a formula that is implied by and implies , and that contains only symbols that and share. Since then, several methods for computing interpolants from proofs of unsatisfiability have been presented both for quantifier-free and quantified problems. We focus our presentation on some of the most recent and some of the closest related works, and refer to [ 15, 19 ] for an overview of existing work before 2015. Most work on interpolation in the presence of quantified formulas has been done in the context of automated theorem proving.

Gleiss et al. [ 17 ] present an interpolation method based on splitting the proof of unsatisfiability into local subproofs. Their method can be applied to arbitrary first-order theories, but requires local proofs, i.e., proofs where each inference can be assigned to one partition as all occurring symbols lie in one partition. Each subproof that only uses inferences assigned to is then summarized in an intermediant. For local proofs, the conjunction of these intermediants is an interpolant. The method is implemented in the Vampire theorem prover [ 20 ].

Bonacina and Johansson [ 15 ] present a method for interpolation in first-order logic with equality in the context of the superposition calculus which first computes provisional interpolants and then quantifies over constants that are not shared between and . Their method does not require local proofs, but only yields interpolants if the only non-shared symbols in the provisional interpolants are constants. The authors also discuss how the method can be used in the DPLL(Γ + ) calculus [ 21 ], but to our knowledge, there does not exist an implementation.

The method presented by Kovács and Voronkov [ 16 ] does not require local proofs either. They also follow a two-step approach, first computing relational interpolants and then quantifying over non-shared symbols. In contrast to [ 15 ], their method can deal with non-shared function symbols in the relational interpolants, but is restricted to logic without equality.

A basis for our work is the interpolation method by Christ and Hoenicke [ 14 ] for instantiationbased proofs in SMT solvers. It relies on proof transformations to obtain a purified proof where all instances of quantified formulas are local. This is achieved by introducing variables and auxiliary equations relating the variables to the terms they replace. To obtain an interpolant, these variables are bound by quantifiers once the terms they replace are resolved from the proof.

Finally, Christ et al. [ 12 ] present a framework that allows for computing quantifier-free interpolants for quantifier-free problems from a given proof of unsatisfiability without modifying the proof. In particular, it deals with mixed literals containing non-shared terms from both and by auxiliary variables and more complex interpolation rules. We describe this method in more detail in Section 3.

We assume the usual notions of first-order logic. A theory is defined by a signature that contains interpreted and uninterpreted constant, function, and predicate symbols, and by a set of axioms that settle the meaning for its interpreted symbols. We consider the theory of equality (with uninterpreted functions), whose axioms state reflexivity, symmetry, and transitivity for the single interpreted symbol, the equality predicate =, and congruence for each uninterpreted function symbol.

As usual, a term is a variable, a constant, or an application of an -ary function symbol to terms. An atom is the formula that is always true (⊤), an equality between two terms, or the application of an -ary predicate to terms. A literal is an atom or its negation. A clause is a disjunction of literals, and a formula is in conjunctive normal form (CNF) if it is a conjunction of clauses. We assume that formulas are in CNF where each clause can be preceded by universal quantifiers only. This can be accomplished by Skolemization.

We usually denote functions by , , ℎ, terms by , , , , variables by , , , , literals by ℓ, clauses by , the empty clause by ⊥, and formulas by , , , , . For two formulas and , we use |= to denote that is a logical consequence of in the theory of equality. Formula is unsatisfiable if and only if |= ⊥. We denote the equivalence of two formulas by ≡ . A formula is said to be ground if it does not contain any variable.

A substitution maps variables to terms. We denote the result of substituting the terms ¯ for the variables ¯ in a formula (¯) by (¯). We call a substitution ground if the terms ¯ are ground. By [ℓ] we denote a formula in negation normal form where the literal ℓ only occurs positively, and by [ ] the same formula where all occurrences of ℓ are replaced by the formula .

The basis for our interpolation procedure is an instantiation-based resolution proof for the unsatisfiability of a given formula. We shortly describe the structure of such proofs and how interpolants can be computed from ground resolution proofs.

the result of applying a ground substitution for the variables ¯ to the body , i.e., the formula (¯) for ground terms ¯. Most SMT solvers treat problems containing quantified formulas by successively adding instances of the quantified formulas to the ground part which is then solved in the usual way (e.g., with the DPLL( )/CDCL algorithm). This approach is mainly suitable to show unsatisfiability of a formula, but it can also show satisfiability in some restricted fragments.

A resolution proof for the unsatisfiability of a formula in CNF is a derivation of the empty clause ⊥ using the rule 1 ∨ ℓ 2 ∨ ¬ℓ

1 ∨ 2 where 1 and 2 are clauses, and ℓ is a literal called the pivot (literal). A resolution proof can be represented by a tree. For a formula in a theory that contains quantified subformulas, the tree has three types of leaves: input clauses, theory lemmas, i.e., clauses that are valid in the theory , and instantiation clauses of the form ¬(∀¯.(¯)) ∨ (¯). Note that we treat the quantified formula as a literal which also occurs positively as an input clause. The inner nodes are clauses obtained by resolution, and the unique root node is the empty clause ⊥. Interpolation. A Craig interpolant [ 18 ] for an unsatisfiable conjunction ∧ is a formula that is implied by , contradicts , and contains only symbols that occur in both and .1 The notion of a Craig interpolant extends to formulas in a theory , in this case, symbols interpreted by the theory may occur in the interpolant. The notion of binary interpolants can be generalized to sequences of formulas. Given such a sequence of formulas 1, . . . , that together are unsatisfiable, a sequence interpolant [ 2 ] 0, . . . , has the following properties: 1. the formulas 0 and are ⊤ and ⊥, respectively, 2. the sequence of interpolants is inductive, i.e., for = 0, . . . , , the interpolant together with the formula +1 implies the next interpolant +1, and 3. for = 1, . . . , , each interpolant contains only symbols that occur both in some of the formulas 1, . . . , and in some of the formulas +1, . . . .

We call the formulas the partitions2 of the interpolation problem. If a symbol occurs in two partitions and , we can assume that it also occurs in all partitions between and without changing the symbol condition of the sequence interpolants. Therefore, we say a symbol virtually occurs in if it occurs in some with ≤ and in some with ≤ .

Each interpolant in a sequence interpolant is also a binary interpolant of :≡ 1 ∧ · · · ∧ and :≡ +1 ∧ · · · ∧ . Note that not every sequence of binary interpolants obtained by such partitioning is a sequence interpolant. A literal is mixed if there is no partition where all symbols of the literal virtually occur. All literals of the input problem are obviously not mixed, but mixed literals can be introduced by Nelson-Oppen equality propagation.

Interpolants can be computed from resolution proofs, e.g., with the interpolation systems by Pudlák [ 7 ] or by McMillan [ 8 ]. The general idea is to compute so-called partial interpolants for every formula proved in the intermediate steps. For resolution proofs such a formula is a clause . The conjunction ¬ is split and added to the input formulas to obtain a sequence interpolation problem. First, each term and literal is given one or more colors that correspond to the partitions where it occurs. A term that occurs in multiple partitions can be given multiple colors, or a color can be chosen arbitrarily. If a term has multiple colors, we require that the set of colors forms an interval [, ]. We define the projection ¬ ⇂ as the conjunction of all literals in ¬ that have color . In particular, ℓ ⇂ is ℓ if ℓ has color , and ⊤ otherwise. Then the partial interpolant of is a sequence interpolant of 1 ∧ ¬ ⇂ 1, . . . , ∧ ¬ ⇂ . The interpolation systems of Pudlák and McMillan only difer in the way they define the coloring: for Pudlák a shared literal is colored with all partitions it occurs in, for McMillan a shared literal is colored with only the last partition it occurs in. Both systems require that each literal has at 1As mentioned in the related work, Craig originally defined an interpolant for a valid implication → , i.e., as a formula implied by and contradictory to . The notion we use is also known as reverse interpolant [ 22 ].

2The word partition can be used in English for the sections, or the boundaries, or the whole partitioning. In this paper we use the word partition for one section of the partitioning. least one color and that all symbols in the literal occur in the corresponding partition. Mixed literals require a diferent interpolation scheme where projections ℓ ⇂ are defined diferently. Proof Tree Preserving Interpolation. The proof tree preserving interpolation framework allows for computing binary [ 12 ] and sequence or tree interpolants [ 13 ] in the presence of mixed equality literals without modifying a given proof tree. It works with equality interpolating theories [ 9, 23 ].

A mixed equality literal = or ̸= is a literal where is colored with [′, ] and is colored with [, ′] where these intervals are disjoint. W.l.o.g., we assume that < . We also say that this literal is , -mixed. The basic idea is to use a fresh auxiliary variable for each mixed equality literal. When projecting a , -mixed literal, we split it into two literals using the auxiliary variable.

( = ) ⇂ :≡ ( = ) ( = ) ⇂ :≡ ( = ) ( = ) ⇂ :≡ ⊤ ( ̸= ) ⇂ :≡ EQ (, ) ( ̸= ) ⇂ :≡ ¬ EQ (, ) ( ̸= ) ⇂ :≡ ⊤ for ̸= , for ̸= , Here, EQ is an uninterpreted predicate that forces the interpolant to have a certain shape. The interpolation procedure treats EQ and as shared symbols, which may occur in the interpolant. Note that ℓ ⇂ ∧ ℓ ⇂ is equisatisfiable to ℓ and has the same models for the symbols in ℓ.

Again, we define the partial interpolants of a clause as the sequence interpolant for the sequence 1 ∧ ¬ ⇂ 1, . . . , ∧ ¬ ⇂ . If the negation ¬ of a clause contains a mixed equality = , the partial interpolants for with ≤ < may contain the auxiliary variable . If ¬ contains ̸= , we require that the variable in the interpolant only occurs in atoms of the form EQ (, ) which must occur positively in . This is not really a restriction as interpolants naturally have this shape. The are shared terms, which are closely related to equality-interpolating terms in the sense of [ 9 ].

As mentioned earlier, an interpolant is computed by annotating each clause in the proof tree, starting with the leaves, by a partial interpolant 0, . . . , . We denote this by : 1, . . . , − 1 (we omit 0 ≡ ⊤ and ≡ ⊥ ). Resolution combines the partial interpolants of the involved clauses. To resolve on a mixed literal = , we combine the partial interpolants of the input clauses using the following function that replaces all occurrences of EQ (, ) in by a copy of ′ where all occurrences of are replaced by .

ruleEq ( = , [EQ (, 1)]...[EQ (, )], ′()) :≡ [′(1)]...[′()] The following rule is used to compute the partial interpolants for the resolvent of a resolution rule from the partial interpolants of the antecedents.

1 ∨ ℓ : 1, . . . , − 1

2 ∨ ¬ℓ : 1′, . . . , ′− 1 1 ∨ 2 : ′′, . . . , ′′− 1 1 with ′′ :≡ ⎧ ⎪ ∨ ′ ⎪ ⎪ ⎪⎨ ∧ (resolution) ⎪ruleEq (ℓ, , ′) ⎪ ⎪ ⎪⎩( ∨ ℓ) ∧ (′ ∨ ¬ℓ) if ℓ has colors [, ] with ≤ < .

if ℓ has only colors ≤ , if ℓ has only colors > , if ℓ is , -mixed, ≤ < , Example 1 (Mixed Literals). Consider the following two (tautological) clauses :≡ = ∨ ̸= ∨ ̸=

′ :≡ ̸= ∨ ̸= () ∨ = (), where is 1-local, is 2-local, and the remaining symbols are shared. A partial interpolant of is the formula EQ (, ), since it is an interpolant of ¬ ⇂ 1 ≡ EQ (, ) ∧ = and ¬ ⇂ 2 ≡ ¬

EQ (, ) ∧ = .

This interpolant can be obtained by using well-known interpolation techniques for the theory of equality. Note that EQ (, ) captures the equality-interpolating term of = in the sense of [ 9 ]. For the second clause ′, the formula = () is a partial interpolant, i.e., it is an interpolant of ¬′ ⇂ 1 ≡ = ∧ = () and ¬′ ⇂ 2 ≡ = ∧ ̸= () .

The interpolant for the resolvent of and ′ can now be obtained using the resolution rule: = ∨ ̸= ∨ ̸= : EQ (, ) ̸= ∨ ̸= () ∨ = () : = () ̸= ∨ ̸= () ∨ ̸= ∨ = () : = () The interested reader is invited to check that the annotated partial interpolant is correct.

One obstacle to use proof tree preserving interpolation in the presence of quantifiers are mixed terms. To illustrate the problem, let us consider the following example.

Example 2 (Running Example). Take the sequence of formulas 1, 2, 3 with 1 : ∀.(ℎ()) = 2 : ∀. (()) ̸= 3 : ∀. () = .

The conjunction of the three formulas is unsatisfiable, which can be seen as follows. Instantiating 1 with gives (ℎ()) = . Instantiating 2 with ℎ() gives ((ℎ())) ̸= . Substituting (ℎ()) using the first equality yields () ̸= , which is clearly a contradiction to 3.

A mixed term is a term that uses symbols from at least two diferent partitions. In the example above, a mixed term is ℎ(), because ℎ only occurs in 1 and only occurs in 2. Mixed terms may be generated during the instantiation process of quantified formulas. They can thus appear in a resolution proof within instantiation clauses and theory lemmas but not in input clauses. A resolution node may contain a mixed term if it was already contained in one of its antecedents. Interpolation algorithms based on resolution proofs usually rely upon non-mixed terms. We do not want to restrict the instantiation procedure to local terms as this would negatively efect the performance of the solver. Transforming the proofs into localized proofs in the context of sequence interpolation can break the inductivity property if not done in a consistent manner. So it would require to either localize the proof for all partitions at once or to compute the interpolants by repeated binary interpolation, which requires a new proof for each interpolant.

We propose a method to handle mixed terms, simply by coloring them with some input partition. This partition does not contain all symbols occurring in the term. Thus, we replace subterms of the wrong color by fresh variables to purify the term. Each variable is defined by adding an auxiliary equation to all partitions where the subterm’s outer function symbol occurs.

In this section, we show how to compute partial sequence interpolants for the diferent clause types involved in a proof of unsatisfiability for quantified input formulas. The overall algorithm follows a simple common theme: first compute the interpolants using only the colors we assigned to literals and ignore the symbol condition. Then introduce the fresh variable for every term that violates the symbol condition. Finally, introduce quantifiers for each variable that is unsupported by the current clause, as outlined in Section 4.2. In the following, we concretize this for the diferent kind of clauses in the resolution proof.

Input Clauses. Input clauses cannot contain mixed terms. The interpolant of an input clause is either ¬(¬ ∖ ) if the clause is part of , or ¬ ∖ if is part of . Here ¬ ∖ removes all literals from that do not have any color from . For Pudlák’s algorithm where each literal is colored with all partitions it occurs in, all literals are removed and the interpolants are always either ⊤ or ⊥. Instantiation Clauses. We say that an instantiation clause originates from the partition in which its quantified formula occurs in. We extend the definition of ¬ ∖ to handle a , -mixed equality = as follows: if both , are in , then (ℓ ∖ ) ≡ ⊤ , if both are in , then (ℓ ∖ ) ≡ ℓ, and if is in and in , then ( = ∖ ) ≡ = and ( ̸= ∖ ) ≡ ¬ EQ (, ). Analogously, we define ¬ ∖ . The partial sequence interpolant is then computed in three steps.

1. Set to ¬(¬ ∖ ) if originates from , and to ¬ ∖ , otherwise. 2. Replace every subterm in that must not occur in according to the symbol condition by its corresponding fresh variable .

3. Introduce quantifiers for each variable that is not supported by .

Theory Lemmas. Our proof tree can contain theory lemmas for transitivity and congruence. 1 ̸= 2 ∨ · · · ∨ 1 ̸= ′1 ∨ · · · ∨ − 1 ̸= ∨ 1 = ̸= ′ ∨ (1, . . . , ) = (′1, . . . , ′) (transitivity) (congruence) Transitivity lemmas are interpolated by summarizing equality chains involving -colored literals in the negation of the lemma. If the single equality of the transitivity lemma is mixed, the chain EQ (, 1) ∧ 1 = · · · = is summarized by EQ (, ). As the ends of the -colored chains are also -colored (the boundary terms appear in -colored literals), this satisfies the symbol condition except when a mixed term contains a subterm from a diferent partition. To ifx the interpolant, all subterms from the wrong partition are replaced by their corresponding variable . Our construction guarantees that these variables are supported by .

For congruence lemmas, the interpolant depends on the color of the equality (1, . . . , ) = (′1, . . . , ′). If it is colored with a partition from , the interpolant is ¬(¬ ∖ ) and if it is colored with a partition from , the interpolant is ¬ ∖ . If the equality is a mixed equality where (1, . . . , ) is from , then is shared and the interpolant is EQ (, (1, . . . , )) where is the variable for the projection of the mixed equality, and for = 1, . . . , the term is the auxiliary variable of = ′ , if that equality is mixed, or if the equality is colored with , or ′ if it is colored with . Again, the subterms from the wrong partition are replaced by their corresponding variable , which is supported by .

Resolution Clauses. The partial interpolant for a resolution node is computed by the rule (resolution) in Section 3. Since the resolution rule removes a literal from both antecedent clauses, the resolvent may no longer support all variables occurring in the interpolant. So in the last step, we add quantifiers for all unsupported variables as outlined in Section 4.2. Example 4. We illustrate the algorithm on our running example (Example 2).

1 : ∀.(ℎ()) = 2 : ∀. (()) ̸= 3 : ∀. () = The symbol occurs in partitions 2–3, in 1–2, ℎ in 1, in 2. Our goal is to compute sequence interpolants 1, 2 where 1 implies 1, and 1 and 2 imply 2, and 2 and 3 imply ⊥. Also 1 may only contain the symbol and 2 only the symbol . ⊤ The first input clause on the top left of the proof tree is from 1, i.e., it is in 1 and 2. By the rule for input clauses its interpolants are ⊥, ⊥. The projections of the negated instantiation clause Inst on the top right are ¬Inst ⇂ 1 ≡ (1∧EQ (, (ℎ()))) ¬Inst ⇂ 2 ≡ (¬ EQ (, )∧ = ) ¬Inst ⇂ 3 ≡ ⊤ .

For 1, the quantified formula is in 1, and the interpolant is first set to ¬(¬ ∖ 1). Since (ℎ()) = is 1, 2-mixed, ((ℎ()) ̸= ∖ 1) is ¬ EQ (, ) and 1 is set to EQ (, ). In the ifnal step, the forbidden symbol is replaced by its shared variable yielding EQ (, ). The variable is supported by the clause and therefore not quantified. The interpolant 2 is just ⊥ as it contains only literals with colors 1–2. Resolving the first two clauses builds the disjunction of the corresponding interpolants, because the literal is colored with partition 1.

The equality in the congruence lemma, in the second row in Figure 1, is colored with partition 2. Therefore, interpolant 1 is first set to ¬ ∖ 1, which is (ℎ()) = . As the function symbol ℎ may not occur in the interpolant, the term ℎ() is replaced by its auxiliary variable ℎ. The interpolant 2 is set to ⊥ since the lemma involves no literal colored with partition 2. The result is (ℎ) = , ⊥, which is indeed a sequence interpolant of ℎ = ℎ() ∧ (ℎ()) = , ((ℎ)) ̸= () ∧ = ∧ = , ⊤. The next resolution step involves a 1, 2-mixed literal. Therefore, we use the third case (ruleEq ) of rule (resolution). The first interpolants of the antecedents are combined by replacing EQ (, ) with (ℎ) = , yielding (ℎ) = . All literals in the transitivity lemma (third row) are colored with partition 2. Therefore the resulting interpolants are ⊤, ⊥. The resolution step combines the interpolants with conjunction or disjunction, respectively, as the literal is colored with partition 2.

The second instantiation clause is completely colored with partition 2 as is the corresponding input clause. The interpolants are just ⊤, ⊥ and resolving them with the other branch does not change the previous interpolants. However, since the literal ((ℎ())) ̸= gets removed in the resolution step, ℎ and are no longer supported. Therefore, quantifiers are introduced: the inner existential quantifier for the 1-colored outermost term ℎ = ℎ() and the outer universal quantifier for the 2-colored inner term = . Note that although the clause still contains in the literal () ̸= , this literal is not mixed and therefore does not support .

The last instantiation clause is originating from 3, hence 1 is set to ¬ ∖ 1 (which is ⊤) and 2 is set to ¬ ∖ 2. Since () ̸= is colored with partition 2, the second interpolant is ∀.(ℎ()) = ⊥, ⊥

¬(∀.(ℎ()) = ), (ℎ()) = EQ(, ), ⊥ (ℎ()) = EQ(, ), ⊥

(ℎ()) ̸= , ((ℎ())) = () (ℎ) = , ⊥ ((ℎ())) = () (ℎ) = , ⊥

((ℎ())) ̸= (), () ̸= , ((ℎ())) = ⊤, ⊥ () ̸= , ((ℎ())) = (ℎ) = , ⊥ ∀. (()) ̸= ⊤, ⊥

¬(∀. (()) ̸= ), ((ℎ())) ̸= ⊤, ⊥ ((ℎ())) ̸= ⊤, ⊥ () ̸= ∀.∃ℎ.(ℎ) = , ⊥

Input Clause Instantiation Clause

Theory Lemma

Resolvent ∀. () = ⊤, ⊤

¬(∀. () = ), () = ⊤, ∃. () ̸= () = ⊤, ∃. () ̸= ⊥ ∀.∃ℎ.(ℎ) = , ∃. () ̸= () ̸= . In the next step, is replaced by its auxiliary variable and since this is not supported by the clause, an existential quantifier must be introduced. So the partial sequence interpolant is ⊤, ∃. () ̸= . This is indeed a valid interpolant for the sequence ⊤, () ̸= , ∀. () = .

In the last two resolution steps, the interpolants are combined with conjunction or disjunction. Since for each resolution step one of the interpolants is ⊤ or ⊥, the other interpolant is not changed. The final sequence interpolant, i.e., ∀∃ℎ.(ℎ) = , ∃. () ̸= , can be found in the annotation of the empty clause.

We presented an algorithm to obtain inductive sequences of interpolants from instantiationbased refutation proofs of quantified formulas in the theory of equality. In contrast to most existing algorithms that allow for interpolation of quantified formulas, our approach works on non-local proofs. It neither requires to restrict the inference done by the SMT solver, nor does it require transformations of the proof tree. Mixed terms occurring in a proof tree due to quantifier instantiations are directly treated using virtual purification. To obtain (partial) interpolants satisfying the symbol condition, local terms are replaced by auxiliary variables that are eventually bound by quantifiers.

Our algorithm computes sequence interpolants from a single proof of unsatisfiability instead of repeatedly performing binary interpolation on several proof trees. Implementation of the algorithm in SMTInterpol [ 24 ] is ongoing work. We plan to extend our algorithm to tree interpolants as well as to other theories including linear arithmetic.

This work was partially supported by the German Research Council (DFG) under HO 5606/1-2.