Keywords

1 Introduction

Given a first-order theory \(\mathcal{S}\) and a sentence \(\varphi \), finding a model \(\mathcal{{A}}\) of \(\mathcal{S}\,\cup \,\{\lnot \varphi \}\), i.e., such that \(\mathcal{{A}}\models \mathcal{S}\cup \{\lnot \varphi \}\) holds, shows indeed that \(\varphi \) is not a logical consequence of \(\mathcal{S}\): there is at least one model of \(\mathcal{S}\) (e.g., \(\mathcal{{A}}\)) which does not satisfy \(\varphi \) (as it satisfies \(\lnot \varphi \)). Provability of \(\varphi \) in \(\mathcal{S}\), i.e., \(\mathcal{S}\vdash \varphi \), implies (by correctness of the proof calculus) that \(\varphi \) is a logical consequence of \(\mathcal{S}\) (written \(\mathcal{S}\models \varphi \)). Thus, \(\mathcal{{A}}\models \mathcal{S}\cup \{\lnot \varphi \}\) disproves \(\varphi \) regarding \(\mathcal{S}\); this can be written \(\lnot (\mathcal{S}\vdash \varphi )\) by using some metalevel notation. In general, this does not allow us to conclude that \(\lnot \varphi \) is proved, i.e., \(\mathcal{S}\vdash \lnot \varphi \), or is a logical consequence of \(\mathcal{S}\), i.e., \(\mathcal{S}\models \lnot \varphi \). What can be concluded about \(\lnot \varphi \) regarding \(\mathcal{S}\) from the fact that \(\mathcal{{A}}\models \mathcal{S}\cup \{\lnot \varphi \}\) holds? Can this be advantageously used in a ‘logic-based’ approach to program analysis?

In [14], some answers to these questions are given: a sentence \(\varphi \) which is an Existentially Closed Boolean Combination of Atoms (ECBCA for short) does not hold in the initial model \(\mathcal{I}_\mathcal{S}\) of a theory \(\mathcal{S}\) consisting of a set of ground atoms if we find a model \(\mathcal{{A}}\) of \(\mathcal{S}\cup \{\lnot \varphi \}\) [14, Corollary 2]. This is useful in program analysis when considering programs P that are given a theory \(\overline{P}\) representing its operational semantics so that the execution of P is described as a set \(\mathcal{I}_P\) of (ground) atoms A which can be proved from \(\overline{P}\) (i.e., \(\mathcal{I}_P\) is the initial model of \(\overline{P}\) in the usual first-order sense; in the following, we often refer to it as its canonical model [11, Sect. 1.5]). Actually, rather than being logical consequences of \(\overline{P}\), the intended meaning of first-order sentences \(\varphi \) that represent properties of P is that they hold in the initial model of \(\overline{P}\), see [4, Chap. 4], for instance.

In [14, 16] we applied this approach to prove computational properties of rewriting-based systems in practice. This includes Term Rewriting Systems (TRSs [1]) and more general rewriting-based formalisms [3, 9, 18, 19].

Example 1

Consider the following TRS \(\mathcal{R}\) with the well-known rules defining the addition and product of natural numbers in Peano’s notation:

$$\begin{aligned} \mathsf {add}(\mathsf {0},x)\rightarrow & {} x\end{aligned}$$
(1)
$$\begin{aligned} \mathsf {add}(\mathsf {s}(x),y)\rightarrow & {} \mathsf {s}(\mathsf {add}(x,y)) \end{aligned}$$
(2)
$$\begin{aligned} \mathsf {mul}(\mathsf {0},x)\rightarrow & {} \mathsf {0}\end{aligned}$$
(3)
$$\begin{aligned} \mathsf {mul}(\mathsf {s}(x),y)\rightarrow & {} \mathsf {add}(y,\mathsf {mul}(x,y)) \end{aligned}$$
(4)

The associated theory \(\overline{\mathcal{R}}\) is the following:

figure a
Table 1. Some properties about rewriting-based systems
Full size table

The first sentence in the first column represents reflexivity of many-step rewriting, with predicate symbol \(\rightarrow ^*\); the second sentence shows how one-step rewriting, with predicate symbol \(\rightarrow \), contributes to \(\rightarrow ^*\). The next sentences describe the propagation of rewriting steps to (arguments of) symbols \(\mathsf {s}\), \(\mathsf {add}\) and \(\mathsf {mul}\). The second column describes the rules of \(\mathcal{R}\). More details can be found in [14, Sect. 4]. In the initial or least Herbrand model \(\mathcal{I}_\mathcal{R}\) of \(\overline{\mathcal{R}}\), \(\rightarrow \) and \(\rightarrow ^*\) are interpreted as the sets \((\rightarrow )^{\mathcal{I}_\mathcal{R}}\) and \((\rightarrow ^*)^{\mathcal{I}_\mathcal{R}}\) of all pairs (st) of ground terms s and t such that \(s\rightarrow _\mathcal{R}t\) and \(s\rightarrow ^*_\mathcal{R}t\), respectively. Now, we can express the property “the double of some natural number can be an odd number” as an ECBCA:

$$\begin{aligned} (\exists x) (\exists y) (\exists z)~\mathsf {add}(x,x) \rightarrow ^*z\wedge \mathsf {s}(\mathsf {mul}(\mathsf {s}(\mathsf {s}(\mathsf {0})),y))\rightarrow ^*z \end{aligned}$$
(5)

With the automatic model generator Mace4 [17] we find a model of \(\overline{\mathcal{R}}\,\cup \,\{\lnot (5)\}\) with domain \(\mathcal{{A}}=\{0,1\}\). Function symbols are interpreted as follows: \(\mathsf {0}^\mathcal{{A}}= 0\); \(\mathsf {s}^\mathcal{{A}}(x)=1-x\); \(\mathsf {add}^\mathcal{{A}}(x,y)\) returns 0 if \(x=y\) and 1 otherwise; \(\mathsf {mul}^\mathcal{{A}}(x,y)\) returns 1 if \(x=y=1\) and 0 otherwise. Predicates \(\rightarrow \) and \(\rightarrow ^*\) are both interpreted as the Aphequality. Thus, we have proved that (5) does not hold for \(\mathcal{R}\).

Our approach in [14] relies on the notion of preservation of a formula under homomorphisms h between interpretations. Roughly speaking, a homomorphism h preserves a formula \(\varphi \) if \(\varphi \) is satisfied in the target interpretation of h whenever \(\varphi \) is satisfied in its domain interpretation [11, Sect. 2.4]. Homomorphisms preserve ECBCA [11, Theorem 2.4.3(a)]; the results in [14] rely on this fact. In this paper we extend [14] to deal with more general program properties. Homomorphisms preserve other first-order sentences if further requirements are imposed: (i) positive sentences (where connective ‘\(\lnot \)’ is absent) are preserved under surjective homomorphisms and (ii) arbitrary sentences are preserved under embeddings [11, Theorem 2.4.3]. In contrast to [14] (and [11]), here we focus on many-sorted logic [23] (see Sect. 2). This has an important advantage: since homomorphisms in many-sorted logic with set of sorts S are actually a family \(h_s\) of homomorphisms between components of sort s for each \(s\in S\), the preservation requirements for \(h_s\) depend on the specific quantification of variables x : s for such a sort. In Sect. 3 we provide a unique preservation theorem that subsumes the results in [14], and even improves [11]. Section 4 investigates how to guarantee surjectivity of homomorphisms. Section 5 shows several application examples taken from Table 1, which shows some properties of rewriting-based systems that could not be captured in [14] but we are able to handle now. Here, \(t({\varvec{x}})\) is a term with variables \({\varvec{x}}\) (or just t if it is ground), \({\mathcal{C}}\) (and \({\mathcal{D}}\)) are the constructor (resp. defined) symbols in the TRS, and \({\mathop {\rightarrow }\limits ^{\varLambda }}\) is topmost rewriting. Section 6 discusses the possibility of providing more information about disproved properties by means of refutation witnesses, i.e., (counter)examples of sentences which are synthesized from the models that are used to disprove the property. Section 7 shows how to deal with completely general sentences by means of a simple example. Section 8 discusses some related work. Section 9 concludes.

2 Many-Sorted First-Order Logic

Given a set of sorts S, a (many-sorted) signature (with predicates) \({\varOmega }=(S,{\varSigma },{\varPi })\) consists of a set of sorts S, an \(S^{*} \times S\)-indexed family of sets \(\varSigma = \{\varSigma _{w,s}\}_{(w,s) \in S^* \times S}\) containing function symbols \(f \in \varSigma _{s_{1}\cdots s_{k},s}\), with a rank declaration \(f: s_{1}\cdots s_{k} \rightarrow s\) (constant symbols c have rank declaration \(c:\lambda \rightarrow s\), where \(\lambda \) denotes the empty sequence), and an \(S^+\)-indexed family of sets \({\varPi }=\{{\varPi }_w\}_{w\in S^+}\) of ranked predicates P : w. Given an S-sorted set \({\mathcal{X}}=\{{\mathcal{X}}_s\mid s\in S\}\) of mutually disjoint sets of variables (which are also disjoint from \({\varSigma }\)), the set \({{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_s\) of terms of sort s is the least set such that \({\mathcal{X}}_{s}\subseteq {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_s\) and for each \(f: s_{1}\ldots s_{k} \rightarrow s\) and \(t_i\in {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_{s_i}\), \(1\le i\le k\), \(f(t_1,\ldots ,t_k)\in {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_s\). If \({\mathcal{X}}=\emptyset \), we write \({{\mathcal{T}_{{\varSigma }}}}\) rather than \({\mathcal{T}_{{\varSigma }}(\emptyset )}\) for the set of ground terms. The set \({{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}\) of many-sorted terms is \({{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}=\bigcup _{s\in S}{{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_s\). For \(w=s_1\cdots s_n\in S^+\), we write \({{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_w\) rather than \({{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_{s_1}\times \cdots \times {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_{s_n}\) and even write \({\varvec{t}}\in {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_w\) rather than \(t_i\in {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_{s_i}\) for each \(1\le i\le n\). The formulas \(\varphi \in Form _{{\varOmega }}\) of a signature \({\varOmega }\) are built up from atoms \(P({\varvec{t}})\) with \(P\in \varPi _{w}\) and \({\varvec{t}}\in {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_{w}\), logic connectives (\(\lnot \), \(\wedge \), and also \(\vee \), \(\Rightarrow \),...) and quantifiers (\(\forall \) and \(\exists \)) in the usual way. A closed formula, i.e., one whose variables are all universally or existentially quantified, is called a sentence. In the following, substitutions \(\sigma \) are assumed to be S-sorted mappings such that for all sorts \(s\in S\), we have \(\sigma (x)\in {{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}_s\).

An \({\varOmega }\)-structure \(\mathcal{{A}}\) consists of (i) a family \(\{\mathcal{{A}}_s\mid s\in S\}\) of sets called the carriers or domains together with (ii) a function \(f^\mathcal{{A}}_{w,s}\in \mathcal{{A}}_w\rightarrow \mathcal{{A}}_s\) for each \(f\in {\varSigma }_{w,s}\) (\(\mathcal{{A}}_w\) is a one point set when \(w=\lambda \) and hence \(\mathcal{{A}}_w\rightarrow \mathcal{{A}}_s\) is isomorphic to \(\mathcal{{A}}_s\)), and (iii) an assignment to each \(P\in \varPi _w\) of a subset \(P^\mathcal{{A}}_w\subseteq \mathcal{{A}}_{w}\); if the identity predicate \(\_=\_:ss\) is in \(\varPi _{ss}\), then \((=)^{\mathcal{{A}}}_{s\,s}=\{(a,a)\mid a\in \mathcal{{A}}_s\}\), i.e., \(\_=\_:ss\) is interpreted as the identity on \(\mathcal{{A}}_s\).

Let \(\mathcal{{A}}\) and \(\mathcal{{A}}'\) be \({\varOmega }\)-structures. An \({\varOmega }\)-homomorphism \(h:\mathcal{{A}}\rightarrow \mathcal{{A}}'\) is an S-sorted function \(h=\{h_s:\mathcal{{A}}_s\rightarrow \mathcal{{A}}'_s\mid s\in S \}\) such that for each \(f\in {\varSigma }_{w,s}\) and \(P\in {\varPi }_w\) with \(w=s_1,\ldots ,s_k\), (i) \(h_s(f^\mathcal{{A}}_{w,s}(a_1,\ldots ,a_k))=f^{\mathcal{{A}}'}_{w,s}(h_{s_1}(a_1),\ldots ,h_{s_k}(a_k))\) and (ii) if \({\varvec{a}}\in P^{\mathcal{{A}}}_w\), then \(h({\varvec{a}})\in P^{\mathcal{{A}}'}_w\). Given an S-sorted valuation mapping \(\alpha :{\mathcal{X}}\rightarrow \mathcal{{A}}\), the evaluation mapping \([\_]^\alpha _\mathcal{{A}}:{{\mathcal{T}_{{\varSigma }}({\mathcal{X}})}}\rightarrow \mathcal{{A}}\) is the unique \((S,{\varSigma })\)-homomorphism extending \(\alpha \). Finally, \([\_]^\alpha _\mathcal{{A}}: Form _{{\varOmega }}\rightarrow Bool \) is given by:

  1. 1.

    \([P(t_1,\ldots ,t_n)]^\alpha _\mathcal{{A}}= true \) (with \(P\in {\varPi }_w\)) if and only if \(([t_1]^\alpha _\mathcal{{A}},\ldots ,[t_n]^\alpha _\mathcal{{A}})\in P^\mathcal{{A}}_w\);

  2. 2.

    \([\lnot \varphi ]^\alpha _\mathcal{{A}}= true \) if and only if \([\varphi ]^\alpha _\mathcal{{A}}= false \);

  3. 3.

    \([\varphi \wedge \psi ]^\alpha _\mathcal{{A}}= true \) if and only if \([\varphi ]^\alpha _\mathcal{{A}}= true \) and \([\psi ]^\alpha _\mathcal{{A}}= true \); and

  4. 4.

    \([(\forall x:s)\,\varphi ]^\alpha _\mathcal{{A}}= true \) if and only if for all \(a\in \mathcal{{A}}_s\), \([\varphi ]^{\alpha [x\mapsto a]}_\mathcal{{A}}= true \).

A valuation \(\alpha \in {\mathcal{X}}\rightarrow \mathcal{{A}}\) satisfies \(\varphi \) in \(\mathcal{{A}}\) (written \(\mathcal{{A}}\models \varphi \,[\alpha ]\)) if \([\varphi ]^\alpha _\mathcal{{A}}= true \). We then say that \(\varphi \) is satisfiable. If \(\mathcal{{A}}\models \varphi \,[\alpha ]\) for all valuations \(\alpha \), we write \(\mathcal{{A}}\models \varphi \) and say that \(\mathcal{{A}}\) is a model of \(\varphi \) or that \(\varphi \) is true in \(\mathcal{{A}}\). We say that \(\mathcal{{A}}\) is a model of a set of sentences \(\mathcal{S}\subseteq Form _{{\varOmega }}\) (written \(\mathcal{{A}}\models \mathcal{S}\)) if for all \(\varphi \in \mathcal{S}\), \(\mathcal{{A}}\models \varphi \). Given a sentence \(\varphi \), we write \(\mathcal{S}\models \varphi \) iff \(\mathcal{{A}}\models \varphi \) holds for all models \(\mathcal{{A}}\) of \(\mathcal{S}\).

3 Preservation of Many-Sorted First-Order Sentences

Every set \(\mathcal{S}\) of ground atoms has an initial model \(\mathcal{I}_\mathcal{S}\) (or just \(\mathcal{I}\) if no confusion arises) which consists of the usual (many-sorted) Herbrand Domain of ground terms modulo the equivalence \(\sim \) generated by the equations in \(\mathcal{S}\). There is a unique homomorphism \(h:\mathcal{I}\rightarrow \mathcal{{A}}\) from \(\mathcal{I}\) to any model \(\mathcal{{A}}\) of \(\mathcal{S}\) [9, Sect. 3.2]. In the following, h refers to such a homomorphism. If \(\mathcal{S}\) contains no equation, then \(\mathcal{I}\) is the (many-sorted) Least Herbrand Model of \(\mathcal{S}\) and \(\mathcal{I}_s\) is \({{\mathcal{T}_{{\varSigma }}}}_s\) for each sort \(s\in S\). In the following, we consider sentences in prenex form as follows:

$$\begin{aligned} (Q_1 x_1:s_1)\cdots (Q_k x_k:s_k) \bigvee _{i=1}^m\bigwedge _{j=1}^{n_i} L_{ij} \end{aligned}$$
(6)

where (i) for all \(1\le i\le m\) and \(1\le j\le n_i\), \(L_{ij}\) are literals, i.e., \(L_{ij}=A_{ij}\) or \(L_{ij}=\lnot A_{ij}\) for some atom \(A_{ij}\) (in the first case, we say that \(L_{ij}\) is positive; otherwise, it is negative), (ii) \(x_1,\ldots ,x_k\) for some \(k\ge 0\) are the variables occurring in those literals (of sorts \(s_1,\ldots ,s_k\), respectively), and (iii) \(Q_1,\ldots ,Q_k\) are universal/existential quantifiers. A sentence \(\varphi \) (equivalent to) (6) is said to be positive if all literals are.

Theorem 1

Let \({\varOmega }\) be a signature, \(\mathcal{S}\) be a set of ground atoms, \(\varphi \) be a sentence (6), and \(\mathcal{{A}}\) be a model of \(\mathcal{S}\) such that (a) for all q, \(1\le q\le k\), if \(Q_q=\forall \) then \(h_{s_q}\) is surjectiveFootnote 1 and (b) for all negative literals \(L_{ij}=\lnot P({\varvec{t}})\), with \(P\in {\varPi }_w\), and substitutions \(\sigma \), if \(h(\sigma ({\varvec{t}}))\in P^\mathcal{{A}}\) then \(\sigma ({\varvec{t}})\in P^\mathcal{I}\). Then, \(\mathcal{I}_\mathcal{S}\models \varphi \Longrightarrow \mathcal{{A}}\models \varphi \).

In order to achieve condition (b) in Theorem 1, given \(P\in {\varPi }_w\), let \(N(P)=\mathcal{I}_w-P^\mathcal{I}\) be the complement of the (Herbrand) interpretation of P. Let \(\mathcal{N}(P)=\{\lnot P({\varvec{t}})\mid {\varvec{t}}\in N(P)\}\) (cf. Reiter’s Closed World Assumption [20]). In general, \(\mathcal{N}(P)\) is infinite and incomputable. In some simple cases, though, we can provide a finite description of \(\mathcal{N}(P)\) for the required predicates P (see Sect. 7).

Proposition 1

Let \({\varOmega }\) be a signature, \(\mathcal{S}\) be a set of ground atoms, \(\varphi \) be a sentence (6), \(\mathcal{{A}}\) be a model of \(\mathcal{S}\), and \(\mathcal{N}=\bigcup _{L_{ij}=\lnot P({\varvec{t}})}\mathcal{N}(P)\) be such that \(\mathcal{{A}}\models \mathcal{N}\). Let \(L_{ij}=\lnot P({\varvec{t}})\) be a negative literal and \(\sigma \) be a substitution. If \(h(\sigma ({\varvec{t}}))\in P^\mathcal{{A}}\), then \(\sigma ({\varvec{t}})\in P^\mathcal{I}\).

Consider a theory \(\mathcal{S}\) and let \(\mathcal{S}^\vdash \) be the set of ground atoms obtained as the deductive closure of \(\mathcal{S}\), i.e., the set of atoms \(P(t_1,\ldots ,t_n)\) for each n-ary predicate symbol P and ground terms \(t_1,\ldots ,t_n\), such that \(\mathcal{S}\vdash P(t_1,\ldots ,t_n)\). The following result is the basis of the practical applications discussed in the following sections.

Corollary 1

(Semantic criterion). Let \({\varOmega }\) be a signature, \(\mathcal{S}_0\) be a theory, \(\mathcal{S}=\mathcal{S}^\vdash _0\), \(\varphi \) be a sentence (6), and \(\mathcal{{A}}\) be a model of \(\mathcal{S}_0\) such that (a) for all q, \(1\le q\le k\), if \(Q_q=\forall \) then \(h_{s_q}\) is surjective and (b) for all negative literals \(L_{ij}=\lnot P({\varvec{t}})\), with \(P\in {\varPi }_w\) and substitutions \(\sigma \), if \(h(\sigma ({\varvec{t}}))\in P^\mathcal{{A}}\) then \(\sigma ({\varvec{t}})\in P^\mathcal{I}\). If \(\mathcal{{A}}\models \lnot \varphi \), then \(\mathcal{I}_\mathcal{S}\models \lnot \varphi \).

In the following, we will not distinguish between theories \(\mathcal{S}\) and their ground deductive closure \(\mathcal{S}^\vdash \); we rather use \(\mathcal{S}\) in both cases.

Remark 1

(Proofs by satisfiability). We can prove an arbitrary sentence \(\varphi \) valid in \(\mathcal{I}_\mathcal{S}\) by satisfiability in some model \(\mathcal{{A}}\) of \(\mathcal{S}\). First define \(\overline{\varphi }\) as the negation \(\lnot \varphi \) of \(\varphi \). Then, find an appropriate structure \(\mathcal{{A}}\) satisfying (a) and (b) (with regard to \(\overline{\varphi }\)) and such that \(\mathcal{{A}}\models \mathcal{S}\cup \{\lnot \overline{\varphi }\}\). By Corollary 1, \(\mathcal{I}\models \lnot \overline{\varphi }\) holds. Since \(\lnot \overline{\varphi }\) is equivalent to \(\varphi \), \(\mathcal{I}\models \varphi \) holds.

Models \(\mathcal{{A}}\) to be used in Corollary 1 can be automatically generated from the theory \(\mathcal{S}\) and sentence \(\varphi \) by using a tool like AGES [10] or Mace4. In the following section, we investigate how to ensure surjectivity when required in Corollary 1.

4 Surjective Homomorphisms

Given \({\varOmega }=(S,{\varSigma },{\varPi })\), \(s\in S\) and \(T\subseteq {{\mathcal{T}_{{\varSigma }}}}_s\), consider the following sentences:

$$\begin{aligned} (\forall x:s)\bigvee _{t\in T} x=t\end{aligned}$$
(7)
$$\begin{aligned} \bigwedge _{t,u\in T, t\ne u}\lnot (t=u) \end{aligned}$$
(8)

In the following, we write \((7)_s\) to make sort s referred in (7) explicit. We do the same in similar formulas below.

Proposition 2

Let \({\varOmega }\) be a signature, \(\mathcal{S}\) be a theory, \(\mathcal{{A}}\) be a model of \(\mathcal{S}\), \(s\in S\), and \(T\subseteq {{\mathcal{T}_{{\varSigma }}}}_s\). (a) If \(T\ne \emptyset \) and \(\mathcal{{A}}\models (7)_s\), then \(h_s\) is surjective and \(|\mathcal{{A}}_s|\le |T|\). (b) If \(\mathcal{{A}}_s\ne \emptyset \) and \(\mathcal{{A}}\models (8)\), then \(|\mathcal{{A}}_s|\ge |T|\).

In view of Proposition 2(a), denote \((7)_s\) as \(\mathsf{SuH}^T_s({\varOmega })\) (or just \(\mathsf{SuH}^T_s\) or \(\mathsf{SuH}^T\) if no confusion arises). Whenever T is finite, Proposition 2(a) imposes that the interpretation domain \(\mathcal{{A}}_s\) for sort s is finite. This is appropriate for tools like Mace4 which generate structures with finite domains only. However, the choice of T in Proposition 2, when used together with a theory \(\mathcal{S}\) imposing further requirements on symbols, can be crucial for Corollary 1 to succeed. Restricting the attention to finite domains can also be a drawback. In the following, we investigate a different approach which avoids any choice of terms T and is valid for infinite structures as well. Consider the following sentence:

$$\begin{aligned} (\forall x:s)(\exists n: Nat )~ term_s(x,n) \end{aligned}$$
(9)

where \( Nat \) is a new sort, to be interpreted as the set \(\mathbb {N}\) of natural numbers, and \(term_s:s\, Nat \) is a new predicate for each \(s\in S\). The intended meaning of \((9)_s\) is that, for all \(x\in \mathcal{{A}}_s\), there is \(t\in {{\mathcal{T}_{{\varSigma }}}}_s\) of height at most n such that \(x=t^\mathcal{{A}}\). We substantiate this, for each sort \(s\in S\), by means of two (families of) formulas:

(10)
(11)

Thus, by \((10)_s\), values x satisfying \(term_s(x,0)\) will be represented by some constant symbol c of sort s. Similarly, by \((11)_s\), values x satisfying \(term_s(x,n)\) for some \(n>0\) will be represented by some ground term s of height m for some \(m<n\), or by a term \(t=f(t_1,\ldots ,t_k)\), where f has rank \(w\rightarrow s\) for some \(w\in S^+\) and \(t_1,\ldots ,t_k\) have height m at most.

The set K(s) of s-relevant sorts is the least set satisfying: (i) \(s\in K(s)\) and (ii) if \(f\in {\varSigma }_{s_1\cdots s_k,s'}\) and \(s'\in K(s)\), then \(\{s_{1},\ldots ,s_{n}\}\subseteq K(s)\). Let \({\varOmega }_{ Nat ,s}=(S_ Nat ,{\varSigma }_ Nat ,{\varPi }_ Nat ,K(s) )\) be an extension of \({\varOmega }\) where \(S_ Nat =S\cup \{ Nat \}\), \({\varSigma }_ Nat \) extends \({\varSigma }\) with a new constant \(\mathsf {0}:\lambda \rightarrow Nat \), and \({\varPi }_{ Nat ,K(s)}\) extends \({\varPi }\) with \(>\,: Nat \, Nat \) and a predicate \(term_{s'}:s'\, Nat \) for each \(s'\in K(s)\). We let

(12)

Proposition 3

Let \({\varOmega }\) be a signature, \(\mathcal{S}\) be a theory, \(s\in S\), and \(\mathcal{{A}}\) be an \({\varOmega }_{ Nat ,s}\)-structure which is a model of \(\mathcal{S}\). Assume that \(\mathcal{{A}}_ Nat =\mathbb {N}\), \(\mathsf {0}^\mathcal{{A}}=0\), and \(\mathsf{m}>^\mathcal{{A}}\mathsf{n}\Leftrightarrow \mathsf{m}>_\mathbb {N}\mathsf{n}\) for all \(\mathsf{m},\mathsf{n}\in \mathcal{{A}}_ Nat \). If \(\mathcal{{A}}\models \mathsf{SuH}_s\), then \(h_{s'}\) is surjective for all \(s'\in K(s)\).

Given an extension \({\varOmega }'\) of a signature \({\varOmega }\), every \({\varOmega }'\)-structure \(\mathcal{{A}}'\) defines an \({\varOmega }\)-structure \(\mathcal{{A}}\): just take \(\mathcal{{A}}_s=\mathcal{{A}}'_s\) for all \(s\in S\), and then \(f^\mathcal{{A}}_{w,s}=f^{\mathcal{{A}}'}_{w,s}\) and \(P^\mathcal{{A}}_w=P^{\mathcal{{A}}'}_{w}\) for all \(w\in S^*\), \(s\in S\), \(f\in {\varSigma }_{w,s}\), and \(P\in {\varPi }_w\). Thus, Proposition 3 is used to guarantee surjectivity of \(h:{{\mathcal{T}_{{\varSigma }}}}_{s'}\rightarrow \mathcal{{A}}_{s'}\), rather than \(h:{\mathcal{T}_{{\varSigma }_ Nat }}_{s'}\rightarrow \mathcal{{A}}_{s'}\).

5 Examples of Application with Positive Sentences

In this section we exemplify the use of Corollary 1 together with the approach in Sect. 4 to deal with positive sentences (6), i.e., all literals are positive.

5.1 Complete Definedness and Commutativity

Consider the following Maude specification (hopefully self-explained, but see [5]) for the arithmetic operations in Example 1 together with function \(\mathtt {head}\), which returns the head of a list of natural numbers:

figure b
  1. (1)

    Complete definedness. We claim to be completely defined as follows:

    $$\begin{aligned} (\forall xs:\mathtt {LN})(\exists x:\mathtt {N})~\mathtt {head}(xs)\rightarrow x \end{aligned}$$
    (13)

    We disprove (13) by using Corollary 1. Due to the universal quantification of xs in (13), we need to ensure that \(h_\mathtt {LN}:{{\mathcal{T}_{{\varSigma }}}}_\mathtt {LN}\rightarrow \mathcal{{A}}_\mathtt {LN}\) is surjective for any structure \(\mathcal{{A}}\) we may use. We use Proposition 3. Since \(K(\mathtt {LN})=\{\mathtt {N},\mathtt {LN}\}\) due to \(\mathtt {cons}\), whose first argument is of sort \(\mathtt {N}\), \(\mathsf{SuH}_\mathtt {LN}\) consists of the following sentences:

    $$ \begin{array}{l@{}c} (\forall x:\mathtt {N}) (\exists n: Nat )~ term_\mathtt {N}(x,n) &{} (9)_{\mathtt {N}}\\ (\forall x:\mathtt {N})~term_\mathtt {N}(x,0) \Rightarrow x=\mathtt {Z} &{} (10)_{\mathtt {N}}\\ (\forall x:\mathtt {N})(\forall n: Nat )(\exists m: Nat )(\exists y:\mathtt {N})(\exists z:\mathtt {N}) (\exists ys:\mathtt {LN}) &{} (11)_{\mathtt {N}}\\ \quad n> 0 \wedge term_\mathtt {N}(x,n) \Rightarrow n> m \wedge [term_\mathtt {N}(x,m)~ \vee \\ \qquad (term_\mathtt {N}(y,m) \wedge term_\mathtt {N}(z,m) \wedge term_\mathtt {LN}(ys,m)~\wedge \\ \qquad \quad (x=\mathtt {suc}(y) \vee x=\mathtt {add}(y,z) \vee x=\mathtt {mul}(y,z) \vee x=\mathtt {head}(ys) ) ) ]\\ (\forall xs:\mathtt {LN}) (\exists n: Nat )~ term_\mathtt {LN}(xs,n) &{} (9)_{\mathtt {LN}}\\ (\forall xs:\mathtt {LN})~term_\mathtt {LN}(xs,0) \Rightarrow xs=\mathtt {nil} &{} (10)_{\mathtt {LN}}\\ (\forall xs:\mathtt {LN})(\forall n: Nat )(\exists m: Nat )(\exists y:\mathtt {N}) (\exists ys:\mathtt {LN})&{} (11)_{\mathtt {LN}}\\ \qquad n> 0 \wedge term_\mathtt {N}(x,n) \Rightarrow n > m \wedge [term_\mathtt {N}(x,m)~ \vee \\ \qquad \quad (term_\mathtt {N}(y,m) \wedge term_\mathtt {LN}(ys,m)\wedge xs=\mathtt {cons}(y,ys) ) ] \end{array} $$

    We obtain a model \(\mathcal{{A}}\) of \(\overline{\mathtt {ExAddMulHead}}\cup \mathsf{SuH}_\mathtt {LN}\cup \{\lnot (13)\}\) with AGES. Sorts are interpreted as follows: \(\mathcal{{A}}_\mathtt {N}=\mathcal{{A}}_\mathtt {LN}=\{-1,0\}\) and \(\mathcal{{A}}_ Nat =\mathbb {N}\). For function symbols:

    $$\begin{array}{c@{}c@{}c@{}c@{}c} \mathtt {Z}^\mathcal{{A}}= -1 &{} \mathtt {nil}^\mathcal{{A}}= 0 &{} \mathtt {suc}^\mathcal{{A}}(x)=x &{} \mathtt {add}^\mathcal{{A}}(x,y)=0\\ \mathtt {mul}^\mathcal{{A}}(x,y)=0 &{} \mathtt {cons}^\mathcal{{A}}(x,xs)=-1 &{} \mathtt {head}^\mathcal{{A}}(xs) = -xs-1 \end{array} $$

    For predicates, \(x\rightarrow ^\mathcal{{A}}_\mathtt {N} y \Leftrightarrow x\ge y\wedge x\ge 0\), \(x\rightarrow ^\mathcal{{A}}_\mathtt {LN} y \Leftrightarrow x=y=-1\), and both \(x(\rightarrow ^*_\mathtt {N})^\mathcal{{A}}y\) and \(x(\rightarrow ^*_\mathtt {LN})^\mathcal{{A}}y\) are true. We can check surjectivity of \(h_s:{{\mathcal{T}_{{\varSigma }}}}_s\rightarrow \mathcal{{A}}_s\) (for \(s\in \{\mathtt {N},\mathtt {LN}\}\)). For instance, we have:

    $$ \begin{array}{rcl@{}rcl@{}l} {}[\mathtt {Z}]_\mathcal{{A}}&{} = &{} -1 &{} [\mathtt {add(Z,Z)}]_\mathcal{{A}}&{} = &{} 0 &{} \text {for sort }\mathtt {N}\\ {}[\mathtt {cons(Z,nil)}]_\mathcal{{A}}&{} = &{} -1 &{} [\mathtt {nil}]_\mathcal{{A}}&{} = &{} 0 &{} \text {for sort }\mathtt {LN}\\ \end{array} $$
  2. (2)

    Commutativity. It is well-known that both \(\mathsf {add}\) and \(\mathsf {mul}\) as defined by the rules of \(\mathcal{R}\) in Example 1 are commutative on ground terms, i.e., for all ground terms s and t, \(\mathsf {add}(s,t)=_\mathcal{R}\mathsf {add}(t,s)\) and \(\mathsf {mul}(s,t)=_\mathcal{R}\mathsf {mul}(t,s)\), where \(=_\mathcal{R}\) is the equational theory induced by the rules \(\ell \rightarrow r\) in \(\mathcal{R}\) treated as equations \(\ell =r\). Actually, by using Birkhoff’s theorem and the fact that \(\mathcal{R}\) is confluent, we can rephrase commutativity of \(\mathsf {add}\) as joinability as follows:

    $$\begin{aligned} (\forall x)(\forall y) (\exists z)~ \mathsf {add}(x,y)\rightarrow ^*z\wedge \mathsf {add}(y,x)\rightarrow ^*z \end{aligned}$$
    (14)

Remark 2

Proving commutativity of \(\mathsf {add}\) and \(\mathsf {mul}\) when defined by \(\mathcal{R}\) in Example 1 by using Corollary 1 is possible (see Remark 1) but unlikely. We should first define \(\overline{\varphi }\) as \(\lnot (14)\), i.e., \(\overline{\varphi }\) is

$$\begin{aligned} (\exists x)(\exists y) (\forall z)~ \lnot (\mathsf {add}(x,y)\rightarrow ^*z)\vee \lnot (\mathsf {add}(y,x)\rightarrow ^*z) \end{aligned}$$
(15)

Since (15) contains two negative literals, Corollary 1 requires the use of \(\mathcal{N}(\rightarrow ^*)\).

Since \(\mathtt {head}\) is not completely defined, and are not commutative in \(\mathtt {ExAddMulHead}\). We prove this fact by disproving the sorted version of (14), i.e.,

$$\begin{aligned} (\forall x:\mathtt {N})(\forall y:\mathtt {N}) (\exists z:\mathtt {N})~ \mathtt {add}(x,y)\rightarrow ^*z\wedge \mathtt {add}(y,x)\rightarrow ^*z \end{aligned}$$
(16)

Due to the universal quantification of x and y in (16), we need to ensure that \(h_\mathtt {N}:{{\mathcal{T}_{{\varSigma }}}}_\mathtt {N}\rightarrow \mathcal{{A}}_\mathtt {N}\) is surjective. Since \(K(\mathtt {N})=\{\mathtt {N},\mathtt {LN}\}\) due to \(\mathtt {head}\), we have \(\mathsf{SuH}_\mathtt {N}=\mathsf{SuH}_{\mathtt {LN}}\) as above. AGES obtain a model \(\mathcal{{A}}\) of \(\overline{\mathtt {ExAddMulHead}}\cup \mathsf{SuH}_\mathtt {N}\cup \{\lnot (16)\}\) as follows: \(\mathcal{{A}}_\mathtt {N}=\{0,1\}\), \(\mathcal{{A}}_\mathtt {LN}=\{-1,0\}\) and \(\mathcal{{A}}_ Nat =\mathbb {N}\). Also,

$$\begin{array}{c@{}c@{}c@{}c@{}c} \mathtt {Z}^\mathcal{{A}}= 1 &{} \mathsf {nil}^\mathcal{{A}}= -1 &{} \mathtt {suc}^\mathcal{{A}}(x)=x &{} \mathtt {add}^\mathcal{{A}}(x,y)=y\\ \mathtt {mul}^\mathcal{{A}}(x,y)=x &{} \mathtt {cons}^\mathcal{{A}}(x,xs)=x-1 &{} \mathtt {head}^\mathcal{{A}}(xs) = xs+1 \\ x\rightarrow ^\mathcal{{A}}_\mathtt {N} y \Leftrightarrow x=y &{} x(\rightarrow ^*_\mathtt {N})^\mathcal{{A}}y \Leftrightarrow x=y &{} x\rightarrow ^\mathcal{{A}}_\mathtt {LN} y \Leftrightarrow x=y &{} x(\rightarrow ^*_\mathtt {LN})^\mathcal{{A}}y \Leftrightarrow true \end{array} $$

5.2 Top-Termination

A TRS \(\mathcal{R}\) is top-terminating if no infinitary reduction sequence performs infinitely many rewrites at topmost position \(\varLambda \) [7]. From a computational point of view, top-termination is important in the semantic description of lazy languages as it is an important ingredient to guarantee that every initial expression has an infinite normal form [7, 8]. Accordingly, given a dummy sort \(\mathtt {S}\), the negation of

$$\begin{aligned} (\exists x:\mathtt {S})(\forall n\in \mathbb {N})(\exists y:\mathtt {S})~x(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^ny \end{aligned}$$
(17)

(which claims for the existence of a term with infinitely many rewriting steps at top) captures top-termination. We introduce a new predicate \(\rightarrow _{\star ,\varLambda }\) for the composition \(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }}\) of the many-step rewriting relation \(\rightarrow ^*\) (defined as usual, i.e., by the whole theory \(\overline{\mathcal{R}}\) associated to \(\mathcal{R}\)) and topmost rewriting \({\mathop {\rightarrow }\limits ^{\varLambda }}\) defined by a theory \(\mathcal{R}_\varLambda =\{(\forall {\varvec{x}}:\mathtt {S})~\ell {\mathop {\rightarrow }\limits ^{\varLambda }}r\mid \ell \rightarrow r\in \mathcal{R}\}\). Sequences \(s\rightarrow ^{n}_{\star ,\varLambda }t\) meaning that s \(\rightarrow _{\star ,\varLambda }\)-reduces into t in \(n+1\) \(\rightarrow _{\star ,\varLambda }\)-steps are defined as follows:

$$\begin{aligned} (\forall x,y,z:\mathtt {S})&x \rightarrow ^*y\wedge y{\mathop {\rightarrow }\limits ^{\varLambda }}z \Rightarrow x \rightarrow ^0_{\star ,\varLambda } z\end{aligned}$$
(18)
$$\begin{aligned} (\forall x,y,z:\mathtt {S}) (\forall n\in \mathbb {N})&x\rightarrow ^0_{\star ,\varLambda } y \wedge y\rightarrow ^n_{\star ,\varLambda } z\Rightarrow x \rightarrow ^{n+1}_{\star ,\varLambda } z \end{aligned}$$
(19)

Overall, the sentence \(\varphi \) to be disproved is:

$$\begin{aligned} (\exists x:\mathtt {S})(\forall n: Nat )(\exists y:\mathtt {S})~x\rightarrow _{\star ,\varLambda }^ny \end{aligned}$$
(20)

Remark 3

We use \(\mathbb {N}\) in (17) but \( Nat \) in (20). Indeed, (17) is not a valid sentence because \(\mathbb {N}\) is not first-order axiomatizable, see, e.g. [11, Sect. 2.2]. This is consistent with the well-known fact that termination (or top-termination) cannot be encoded in first-order logic [22, Sect. 5.1.4]. We can use (20) together with Corollary 1 provided that \( Nat \) is interpreted as \(\mathbb {N}\). This is possible with AGES.

Example 2

Consider the following (nonterminating) TRS \(\mathcal{R}\) [8, Sect. 9.5]:

$$\begin{aligned} \mathsf {non}\rightarrow & {} \mathsf {f}(\mathsf {g},\mathsf {f}(\mathsf {non},\mathsf {g})) \end{aligned}$$
(21)
$$\begin{aligned} \mathsf {g}\rightarrow & {} \mathsf {a}\end{aligned}$$
(22)
$$\begin{aligned} \mathsf {f}(\mathsf {a},x)\rightarrow & {} \mathsf {a}\end{aligned}$$
(23)
$$\begin{aligned} \mathsf {f}(\mathsf {b},\mathsf {b})\rightarrow & {} \mathsf {b}\end{aligned}$$
(24)
$$\begin{aligned} \mathsf {f}(\mathsf {b},\mathsf {a})\rightarrow & {} \mathsf {b} \end{aligned}$$
(25)

The associated theory \(\mathcal{R}_ topT \) is \(\mathcal{R}_ topT =\overline{\mathcal{R}}\cup \mathcal{R}_\varLambda \cup \{(18),(19)\}\), where \(\mathcal{R}_\varLambda \) is

$$\begin{aligned} \mathsf {non}~&{\mathop {\rightarrow }\limits ^{\varLambda }}&\mathsf {f}(\mathsf {g},\mathsf {f}(\mathsf {non},\mathsf {g})) \end{aligned}$$
(26)
$$\begin{aligned} \mathsf {g}~&{\mathop {\rightarrow }\limits ^{\varLambda }}&\mathsf {a} \end{aligned}$$
(27)
$$\begin{aligned} (\forall x:\mathtt {S})~ \mathsf {f}(\mathsf {b},x)~&{\mathop {\rightarrow }\limits ^{\varLambda }}&\mathsf {b} \end{aligned}$$
(28)
$$\begin{aligned} \mathsf {f}(\mathsf {b},\mathsf {b})~&{\mathop {\rightarrow }\limits ^{\varLambda }}&\mathsf {b} \end{aligned}$$
(29)
$$\begin{aligned} \mathsf {f}(\mathsf {b},\mathsf {a})~&{\mathop {\rightarrow }\limits ^{\varLambda }}&\mathsf {b} \end{aligned}$$
(30)

Note that (20) only requires that the homomorphism mapping terms of sort \( Nat \) to \(\mathbb {N}\) is surjective, which is automatically achieved by AGES. The structure \(\mathcal{{A}}\) with \(\mathcal{{A}}_\mathtt {S}=\{-1,0,1\}\), \(\mathcal{{A}}_{ Nat }=\mathbb {N}\), function symbols interpreted by: \(\mathsf {a}^\mathcal{{A}}= 1\), \(\mathsf {b}^\mathcal{{A}}= 1\), \(\mathsf {g}^\mathcal{{A}}= 0\), \(\mathsf {non}^\mathcal{{A}}= -1\), and \(\mathsf {f}^\mathcal{{A}}(x) = 0\); and predicate symbols as follows:

is a model of \(\mathcal{R}_{ topT }\cup \{\lnot (20)\}\) and proves top-termination of \(\mathcal{R}\).

6 Refutation Witnesses

In logic, a witness for an existentially quantified sentence \((\exists x)\varphi (x)\) is a specific value b to be substituted by x in \(\varphi (x)\) so that \(\varphi (b)\) is true (see, e.g., [2, p. 81]). Similarly, we can think of a value b such that \(\lnot \varphi (b)\) holds as a witness of \((\exists x)\lnot \varphi (x)\) or as a refutation witness for \((\forall x)\varphi (x)\); we can also think of b as a counterexample to \((\forall x)\varphi (x)\) [13, p. 284]. Note, however, that witnesses that are given as values b belonging to an interpretation domain \(\mathcal{{A}}\) can be meaningless for the user who is acquainted with the first-order language \({\varOmega }\) but not so much with abstract values from \(\mathcal{{A}}\) (which is often automatically synthesized by using some tool). Users can be happier to deal with terms t which are somehow connected to witnesses b by a homomorphism, so that \(t^\mathcal{{A}}=b\). Corollary 1 permits a refutation of \(\varphi \) by finding a model \(\mathcal{{A}}\) of \(\lnot \varphi \) to conclude that \(\mathcal{I}\models \lnot \varphi \). We want to obtain instances of \(\varphi \) to better understand unsatisfiability of \(\varphi \). In this section we investigate this problem.

The negation \(\lnot (6)\) of (6), i.e., of \((Q_1 x_1:s_1)\cdots (Q_k x_k:s_k) \bigvee _{i=1}^m\bigwedge _{j=1}^{n_i} L_{ij}\) is

$$\begin{aligned} (\overline{Q}_1 x_1:s_1)\cdots (\overline{Q}_k x_k:s_k) \bigwedge _{i=1}^m\bigvee _{j=1}^{n_i} \lnot L_{ij}(x_1,\ldots ,x_k) \end{aligned}$$
(31)

where \(\overline{Q}_i\) is \(\forall \) whenever \(Q_i\) is \(\exists \) and \(\overline{Q}_i\) is \(\exists \) whenever \(Q_i\) is \(\forall \). We assume \(\eta \le k\) universal quantifiers in (31) with indices \(U=\{\upsilon _1,\ldots ,\upsilon _\eta \}\subseteq \{1,\ldots ,k\}\) and hence \(k-\eta \) existential quantifiers with indices \(E=\{\epsilon _1,\ldots ,\epsilon _{k-\eta }\}=\{1,\ldots ,k\}-U\). In the following \(\overline{\eta }\) denotes \(k-\eta \). For each \(\epsilon \in E\), we let \(U_\epsilon =\{\upsilon \in U\mid \upsilon <\epsilon \}\) be the (possibly empty) set of indices of universally quantified variables in (31) occurring before \(x_\epsilon \) in the quantification prefix of (31). Let \(\eta _\epsilon =|U_\epsilon |\). Note that \(U_{\epsilon _1}\subseteq U_{\epsilon _2}\subseteq \cdots \subseteq U_{\epsilon _{\overline{\eta }}}\). Let \(U_{\exists }\) be the set of indices of universally quantified variables occurring before some existentially quantified variable in the quantification prefix of (31). Note that \(U_{\exists }\) is empty whenever \(\upsilon _1>\epsilon _{k-\eta }\) (no existential quantification after a universal quantification); otherwise, \(U_{\exists }=\{\upsilon _1,\ldots ,\upsilon _{\exists }\}\) for some \(\upsilon _{\exists }\le \upsilon _\eta \). Accordingly, \(U_\forall =U-U_\exists =\{\epsilon _{\overline{\eta }}+1,\ldots ,k\}\) is the set of indices of universally quantified variables occurring after all existentially quantified variables in the quantification prefix of (31). Note that \(U_\forall \) is empty whenever \(\epsilon _1>\upsilon _\eta \) (no universal quantification after an existential quantification).

Most theorem provers transform sentences into universally quantified formulas by Skolemization (see, e.g., [12]). Thus, if \(k>\eta \), i.e., (31) contains existential quantifiers, we need to introduce Skolem function symbols \(sk_\epsilon :w_\epsilon \rightarrow s_\epsilon \) for each \(\epsilon \in E\), where \(w_\epsilon \) is the (possibly empty) sequence of \(\eta _\epsilon \) sorts indexed by \(U_\epsilon \). Note that \(sk_\epsilon \) is a constant if \(\eta _\epsilon =0\). The Skolem normal form of (31) is

$$\begin{aligned} (\forall x_{\upsilon _1}:s_{\upsilon _1})\cdots (\forall x_{\upsilon _\eta }:s_{\upsilon _\eta })\bigwedge _{i=1}^m\bigvee _{j=1}^{n_i} \lnot L_{ij}(e_1,\ldots ,e_k) \end{aligned}$$
(32)

where for all \(1\le q\le k\), (i) \(e_q\equiv x_q\) if \(q\in U\) and (ii) \(e_q\equiv sk_q({\varvec{x}}_{\eta _q})\) if \(q\in E\), where \({\varvec{x}}_{\eta _q}\) is the sequence of variables \(x_{\nu _1},\ldots ,x_{\nu _{\eta _q}}\). If \(E\ne \emptyset \) (i.e., (31) and (32) differ), then (32) is a sentence of an extended signature \({\varOmega }^{sk}=(S,{\varSigma }^{sk},{\varPi })\) where \({\varSigma }^{sk}\) extends \({\varSigma }\) with skolem functions. Since (32) logically implies (31) [2, Sect. 19.2], every model \(\mathcal{{A}}\) of (33) is a model of (32) as well.

Definition 1

(Set of refutation witnesses). Using the notation developed in the previous paragraphs, let \(\mathcal{{A}}\) be an \({\varOmega }^{sk}\)-structure such that \(h_{s_q}\) is surjective for all \(q\in U_\exists \cup E\). The \({\varOmega }^{sk}\)-sentence (32) is given a set of refutation witnesses \(\varPhi \) consisting of \({\varOmega }\)-sentences \(\phi _\alpha \) for each valuation \(\alpha \) of the variables \(x_{\upsilon _1},\ldots ,x_{\upsilon _{\exists }}\) indexed by \(U_\exists \); each \(\phi _\alpha \) is (nondeterministically) defined as follows:

$$\begin{aligned} (\forall x_{\epsilon _{\overline{\eta }}+1}:s_{\epsilon _{\overline{\eta }}+1})\cdots (\forall x_k:s_k)\bigwedge _{i=1}^m\bigvee _{j=1}^{n_i} \lnot L_{ij}(e'_1,\ldots ,e'_k) \end{aligned}$$
(33)

where for all \(1\le q\le k\), (i) \(e'_q\equiv x_q\) if \(q\in U_\forall \) and (ii) \(e'_q\equiv t\) if \(q\in U_\exists \cup E\) and \(t\in {{\mathcal{T}_{{\varSigma }}}}_{s_q}\) is such that \([t]_\mathcal{{A}}=[e_q]^\alpha _\mathcal{{A}}\).

Note that, in Definition 1 we could emphfail to find the necessary terms \(t\in {{\mathcal{T}_{{\varSigma }}}}_{s_q}\) if \(h_{s_q}\) is not surjective. Note also that, whenever E is empty, \(\varPhi \) is a singleton consisting of (33) which coincides with (32). We have the following:

Proposition 4

For every \({\varOmega }^{sk}\)-structure \(\mathcal{{A}}\), \(\mathcal{{A}}\models (33)\) if and only if \(\mathcal{{A}}\models \varPhi \).

Refutation witnesses are built from symbols in the original signature \({\varOmega }\) only. We can use them as more intuitive counterexamples to the refuted property \(\varphi \).

Proposition 5

Let \({\varOmega }\) be a signature, \(\mathcal{S}\) be a theory, \(\varphi \) be a sentence (6), and \(\mathcal{{A}}\) be a model of \(\mathcal{S}\) such that for all negative literals \(L_{ij}=\lnot P({\varvec{t}})\) with \(P\in {\varPi }_w\) and substitutions \(\sigma \), if \(h(\sigma ({\varvec{t}}))\in P^\mathcal{{A}}\) then \(\sigma ({\varvec{t}})\in P^\mathcal{I}\). For all \(\phi \in \varPhi \), \(\mathcal{I}\models \phi \).

Corollary 2

If (6) is positive, then for all refutation witnesses \(\phi \in \varPhi \), \(\mathcal{I}\models \phi \).

Example 3

Consider \(\mathtt {ExAddMulHead}\) in Sect. 5. The refutation of (13) using AGES actually proceeds by skolemization of the negation of (13), i.e., of

$$\begin{aligned} (\exists xs:\mathtt {LN})(\forall x:\mathtt {N})\,\,\lnot (\mathtt {head}(xs)\rightarrow x) \end{aligned}$$
(34)

With regard to (34), we have \(E=\{1\}\), \(U_\exists =\emptyset \) and \(U_\forall =\{2\}\), where 1 and 2 refer to variables xs and x, respectively. Accordingly, \(\upsilon _\exists =0\). The only sort involved in the variables indexed by \(U_\exists \cup E\) is \(\mathtt {LN}\). Since variables of sort \(\mathtt {LN}\) are universally quantified in (13), the application of Corollary 1 in Sect. 5 already required surjectivity of \(h_\mathtt {LN}\). The Skolem normal form of (34) is:

$$\begin{aligned} (\forall x:\mathtt {N})\,\,\lnot (\mathtt {head}(\mathsf {sk}_{xs})\rightarrow x) \end{aligned}$$
(35)

where \(\mathsf {sk}_{xs}\) is a new constant of sort \(\mathtt {LN}\). The structure \(\mathcal{{A}}\) computed by AGES is actually a model of \(\overline{\mathcal{R}}\cup \mathsf{SuH}_\mathtt {LN}\cup \{(36)\}\), for \(\mathsf{SuH}_\mathtt {LN}\) in Sect. 5. For \(\mathsf {sk}_{xs}\), we have \(\mathsf {sk}^\mathcal{{A}}_{xs}=0\). There is a single (empty) valuation \(\alpha \) of variables indexed by \(U_\exists \) (which is empty). Hence, \(\varPhi =\{\phi _\alpha \}\) is a singleton. According to Definition 1, since \([\mathtt {nil}]_\mathcal{{A}}=0=[\mathsf {sk}_{xs}]_\mathcal{{A}}\), the following sentence could be associated to the refutation witness \(\phi _\alpha \): \((\forall x:\mathtt {N})\,\,\lnot (\mathtt {head}(\mathtt {nil})\rightarrow x)\).

Example 4

With regard to the computation of refutation witnesses for \(\mathcal{R}\) in Example 2, we start with the negation of (17), i.e.,

$$\begin{aligned} (\forall x:\mathtt {S})(\exists n: Nat )(\forall y:\mathtt {S})\,\,\lnot (x(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^ny) \end{aligned}$$
(36)

We have \(E=\{2\}\), \(U_\exists =\{1\}\) and \(U_\forall =\{3\}\). The Skolem normal form of (36) is

$$\begin{aligned} (\forall x:\mathtt {S})(\forall y:\mathtt {S})\,\,\lnot (x(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^{\mathsf {sk}_n(x)}y) \end{aligned}$$
(37)

where \(\mathsf {sk}_n:\mathtt {S}\rightarrow Nat \) is a new (monadic) function symbol. Since the sorts for variables indexed by \(U_\exists \cup E\) are \(\mathtt {S}\) and \( Nat \), we require surjectivity of \(h_\mathtt {S}\) and \(h_ Nat \). This is achieved by using \(\mathsf{SuH}_\mathtt {S}\) and interpreting \( Nat \) as \(\mathbb {N}\) as done in AGES. The structure \(\mathcal{{A}}\) in Example 2 is a model of \(\mathcal{R}_{ topT }\cup \mathsf{SuH}_\mathtt {S}\cup \{(38)\}\). The interpretation obtained for \(\mathsf {sk}_n\) is

$$\begin{aligned} \mathsf {sk}^\mathcal{{A}}_n(x)=1-x \end{aligned}$$

Now we can compute refutation witnesses for (37). Since \(U_\epsilon =\{1\}\) is a singleton whose index refers to a variable x of sort \(\mathtt {S}\) and \(\mathcal{{A}}_\mathtt {S}=\{-1,0,1\}\), we have to deal with three valuation functions for the only variable x to be considered:

$$\begin{aligned} \alpha _{-1}(x) = -1 \qquad \alpha _0(x) = 0 \qquad \alpha _1(x) = 1 \end{aligned}$$

We have \(\varPhi = \{\phi _{\alpha _{-1}},\phi _{\alpha _0},\phi _{\alpha _1}\}\), where \(\phi _{\alpha _{-1}}\) is \((\forall y:\mathtt {S}) \lnot (\mathsf {non}(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^2y)\), \(\phi _{\alpha _{0}}\) is \((\forall y:\mathtt {S}) \lnot (\mathsf {g}(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^{1}y)\), and \(\phi _{\alpha _{1}}\) is \((\forall y:\mathtt {S}) \lnot (\mathsf {a}(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^{0}y)\).

Note that, since \(\mathsf {f}^\mathcal{{A}}(x)=0\), we could also write \(\phi _{\alpha _{0}}\) as \((\forall y:\mathtt {S})~\lnot (\mathsf {f}(t)(\rightarrow ^*\circ {\mathop {\rightarrow }\limits ^{\varLambda }})^{1}y)\) for every ground term t. This gives additional, complementary information.

7 Example of Application with General Sentences

Consider a well-known example of a locally confluent but nonconfluent TRS \(\mathcal{R}\):

$$\begin{aligned} \mathsf {b}\rightarrow \mathsf {a}\qquad \mathsf {b}\rightarrow \mathsf {c}\qquad \mathsf {c}\rightarrow \mathsf {b}\qquad \mathsf {c}\rightarrow \mathsf {d}\end{aligned}$$

Example 5

(Local confluence of \(\mathcal{R}\)). Local confluence corresponds to \(\varphi _{WCR}\) in Table 1. As explained in Remark 1, we start with \(\overline{\varphi }_{ WCR }=\lnot \varphi _{ WCR }\) i.e.,

$$\begin{aligned} (\exists x,y,z:\mathtt {S})(\forall u:\mathtt {S})~(x\rightarrow y\wedge x\rightarrow z \wedge \lnot (x\rightarrow ^*u))\vee (x\rightarrow y\wedge x\rightarrow z \wedge \lnot (z\rightarrow ^*u)) \end{aligned}$$
(38)

Due to the universal quantifier, \(h_\mathtt {S}:{{\mathcal{T}_{{\varSigma }}}}_\mathtt {S}\rightarrow \mathcal{{A}}_\mathtt {S}\) must be surjective. We can achieve this by adding the following sentence \(\mathsf{SuH}^T_\mathtt {S}\) for \(T=\{\mathsf {a},\mathsf {b},\mathsf {c},\mathsf {d}\}\):

$$\begin{aligned} (\forall x:\mathtt {S})~x=\mathsf {a}\vee x=\mathsf {b}\vee x=\mathsf {c}\vee x=\mathsf {d}\end{aligned}$$
(39)

Due to the negative literals \(\lnot (x\rightarrow ^*u)\) and \(\lnot (z\rightarrow ^*u)\), we consider \(\mathcal{N}\), representing the forbidden many-step rewriting steps, explicitly given by:

$$\mathcal{N}=\{ \begin{array}{c@{}c@{}c@{}c@{}c@{}c@{}c} \lnot (\mathsf {a}\rightarrow ^* \mathsf {b}),&\lnot (\mathsf {a}\rightarrow ^* \mathsf {c}),&\lnot (\mathsf {a}\rightarrow ^* \mathsf {d}),&\lnot (\mathsf {d}\rightarrow ^* \mathsf {a}),&\lnot (\mathsf {d}\rightarrow ^* \mathsf {b}),&\lnot (\mathsf {d}\rightarrow ^* \mathsf {c}) \end{array} \} $$

We apply Corollary 1 to prove that \(\lnot \overline{\varphi }_{ WCR }\) (i.e., \(\varphi _{ WCR }\)) holds by obtaining a model of \(\overline{\mathcal{R}}\cup \mathsf{SuH}^T_\mathtt {S}\cup \mathcal{N}\cup \{\varphi _{ WCR }\}\) with Mace4.Footnote 2 The structure has domain \(\mathcal{{A}}_\mathtt {S}=\{0,1,2,3\}\); constants are interpreted as follows: \(\mathsf {a}^\mathcal{{A}}= 0\), \(\mathsf {b}^\mathcal{{A}}= 1\), \(\mathsf {c}^\mathcal{{A}}=3\), and \(\mathsf {d}^\mathcal{{A}}=2\). With regard to predicate symbols, we have:

$$\begin{array}{c@{}c@{}c@{}c@{}c} x\rightarrow ^\mathcal{{A}}y = \{(1,0),(1,3),(3,1),(3,2)\}&x(\rightarrow ^*)^\mathcal{{A}}y = \{(1,x),(3,x)\mid x\in \mathcal{{A}}_\mathtt {S}\} \end{array} $$

This proves \(\mathcal{R}\) locally confluent.

Example 6

(Nonconfluence of \(\mathcal{R}\)). In order to disprove confluence of \(\mathcal{R}\), which is represented by \(\varphi _{CR}\) in Table 1, we first write \(\varphi _{CR}\) in the form (6), i.e.,

$$\begin{aligned} (\forall x,y,z:\mathtt {S})(\exists u:\mathtt {S})~\lnot (x\rightarrow ^*y)\vee \lnot (x\rightarrow ^*z)\vee (y \rightarrow ^*u\wedge z\rightarrow ^*u)~ \end{aligned}$$
(40)

Due to the universal quantification and negative literals, we use \(\mathsf{SuH}^T_\mathtt {S}\) and \(\mathcal{N}\) as in Example 5. We obtain a model \(\mathcal{{A}}\) of \(\overline{\mathcal{R}}\cup \mathsf{SuH}^T_\mathtt {S}\cup \mathcal{N}\cup \{\lnot \varphi _{ CR }\}\) with Mace4. The domain is \(\mathcal{{A}}_\mathtt {S}=\{0,1,2\}\) and symbols are interpreted by: \(\mathsf {a}^\mathcal{{A}}= 0\), \(\mathsf {b}^\mathcal{{A}}=\mathsf {c}^\mathcal{{A}}= 1\), \(\mathsf {d}^\mathcal{{A}}=2\), \(x\rightarrow ^\mathcal{{A}}y \Leftrightarrow x = 1\), and \(x(\rightarrow ^*)^\mathcal{{A}}y \Leftrightarrow x = y\vee x=1\). This proves nonconfluence of \(\mathcal{R}\). With regard to the refutation witnesses, \(\lnot \varphi _{CR}\) is

$$\begin{aligned} (\exists x,y,z:\mathtt {S})(\forall u:\mathtt {S})~x\rightarrow ^*y\wedge x\rightarrow ^*z\wedge \lnot (y \rightarrow ^*u\wedge z\rightarrow ^*u)~ \end{aligned}$$
(41)

and its Skolem normal form is

$$\begin{aligned} (\forall u:\mathtt {S})~\mathsf {sk}_x\rightarrow ^*\mathsf {sk}_y\wedge \mathsf {sk}_x\rightarrow ^*\mathsf {sk}_z\wedge \lnot (\mathsf {sk}_y \rightarrow ^*u\wedge \mathsf {sk}_z\rightarrow ^*u)~ \end{aligned}$$
(42)

\(\mathsf{Mace4}\) yields \(\mathsf {sk}_x^\mathcal{{A}}=1\), \(\mathsf {sk}_y^\mathcal{{A}}=0\) and \(\mathsf {sk}_z^\mathcal{{A}}=2\); \(\varPhi \) consists of a single sentence; e.g.,

$$\begin{aligned} (\forall u:\mathtt {S})~\mathsf {b}\rightarrow ^*\mathsf {a}\wedge \mathsf {b}\rightarrow ^*\mathsf {d}\wedge \lnot (\mathsf {a}\rightarrow ^*u\wedge \mathsf {d}\rightarrow ^*u)~ \end{aligned}$$
(43)

but also: \((\forall u:\mathtt {S})~\mathsf {c}\rightarrow ^*\mathsf {a}\wedge \mathsf {c}\rightarrow ^*\mathsf {d}\wedge \lnot (\mathsf {a}\rightarrow ^*u\wedge \mathsf {d}\rightarrow ^*u)\). Indeed, they represent the two possible cases of nonconfluent behavior in \(\mathcal{R}\).

Example 7

(Normalizing TRS). \(\mathcal{R}\) is not terminating, but we can prove it normalizing (i.e., every term has a normal form) by disproving \(\overline{\varphi }_{ WN }\), for \(\varphi _{ WN }\) in Table 1. Therefore, \(\overline{\varphi }_{ WN }\) is \((\exists x:\mathtt {S})(\forall y:\mathtt {S})(\exists z:\mathtt {S})\,(\lnot (x\rightarrow ^* y)\vee y\rightarrow z)\). We guarantee surjectivity by using \(\mathsf{SuH}^T_\mathtt {S}\) in Example 5; we also use \(\mathcal{N}\) in Example 5. Mace4 obtains a model \(\mathcal{{A}}\) of \(\overline{\mathcal{R}}\cup \mathsf{SuH}^T_\mathtt {S}\cup \mathcal{N}\cup \{\varphi _{ WN }\}\) with \(\mathcal{{A}}_\mathtt {S}=\{0,1,2\}\), \(\mathsf {a}^\mathcal{{A}}= 0\), \(\mathsf {b}^\mathcal{{A}}=\mathsf {c}^\mathcal{{A}}= 1\), \(\mathsf {d}^\mathcal{{A}}=2\), \(x\rightarrow ^\mathcal{{A}}y \Leftrightarrow x = 1\), and \(x(\rightarrow ^*)^\mathcal{{A}}y \Leftrightarrow x = y\vee x=1\).

8 Related Work

In [14, Sect. 6] we already compared our approach to existing techniques and tools for the so-called First-Order Theory of Rewriting [6], which applies to restricted classes of TRSs and formulas. In [16], we show that our semantic approach is practical when applied to arbitrary (Conditional) TRSs.

McCune’s Prover9/Mace4 are popular automated systems for theorem proving in first-order and equational logic. Given a theory \(\mathcal{S}\) and a goal or statement \(\varphi \), Prover9 tries to prove that \(\mathcal{S}\vdash \varphi \) holds. The generator of models Mace4 complements Prover9 as follows: “If the statement is the denial of some conjecture, any structures found by Mace4 are counterexamples to the conjecture”.Footnote 3 Accordingly, the user introduces \(\varphi \) in the goal section of Mace4, but the system seeks a model of \(\mathcal{S}\cup \{\lnot \varphi \}\). Indeed, as discussed in Sect. 1, if \(\mathcal{{A}}\models \mathcal{S}\cup \{\lnot \varphi \}\) holds, then \(\mathcal{S}\vdash \varphi \) does not hold. But, unless \(\varphi \) is an ECBCA, this does not necessarily mean that \(\varphi \) does not hold of a program P with \(\mathcal{S}=\overline{P}\)! Consider the following ‘misleading’ session with Mace4 that ‘disproves’ commutativity of the addition.

Example 8

Consider \(\mathcal{R}\) in Example 1. Mace4 obtains a model \(\mathcal{{A}}\) of \(\overline{\mathcal{R}}\cup \{\lnot (14)\}\) with domain \(\mathcal{{A}}=\{0,1\}\), and function and predicate symbols as follows: \(\mathsf {0}^\mathcal{{A}}= 0\), \(\mathsf {s}^\mathcal{{A}}(x) = x\), \(\mathsf {add}^\mathcal{{A}}(x,y) = \left\{ \begin{array}{cl} 1 &{} \text {if } x = 0 \wedge y=1\\ 0 &{} \text {otherwise} \end{array} \right. \), \(\mathsf {mul}^\mathcal{{A}}(x,y) = 0\), and \(\rightarrow ^\mathcal{{A}}\) and \((\rightarrow ^*)^\mathcal{{A}}\) both interpreted as the equality. Additionally, Mace4 also displays the following: and . These and are new Skolem symbols (but unexpected for most users!). In practice, Mace4 finds a model for the Skolem normal form of \(\lnot (14)\), which is

(44)

Indeed, \(\mathcal{{A}}\) is a model of \(\overline{\mathcal{R}}\cup \{(45)\}\). But we should not conclude (as suggested by the aforementioned sentences in Mace4 manual) that \(\mathsf {add}\) is not commutative!

The problem in Example 8 is that \(h:\mathcal{I}_{\overline{\mathcal{R}}}\rightarrow \mathcal{{A}}\) is not surjective. For instance, no ground term \(t\in {{\mathcal{T}_{{\varSigma }}}}\) satisfies \(t^\mathcal{{A}}=1\); note that . Since proving validity in \(\mathcal{I}_\mathcal{S}\) is not the main purpose of \(\mathsf{Mace4}\), no warning in its documentation prevents the prospective user to give credit to the ‘refutation’ of (ground) commutativity for the addition computed by Mace4. We believe that our work is helpful to clarify the use of such tools, and even improve it by adding (for instance) sentences reinforcing surjectivity to avoid the problem discussed above. For instance, Mace4 obtains no model of \(\overline{\mathcal{R}}\cup \mathsf{SuH}^T\cup \{(45)\}\) with, e.g., \(T=\{\mathsf {0},\mathsf {s}(\mathsf {0})\}\).

Proofs by Satisfiability vs. Theorem Proving. In order to further clarify the differences between our approach and the use of first-order theorem proving tools, consider the CTRS \(\mathcal{R}\) in [14, Example 1], consisting of the rules

$$\begin{aligned} \mathsf {b}\rightarrow \mathsf {a}\end{aligned}$$
(45)
$$\begin{aligned} \mathsf {a}\rightarrow \mathsf {b}\Leftarrow \mathsf {c}\rightarrow \mathsf {b} \end{aligned}$$
(46)

Its associated Horn theory \(\overline{\mathcal{R}}\) is:

$$\begin{aligned} (\forall x)\, x \rightarrow ^* x\end{aligned}$$
(47)
$$\begin{aligned} (\forall x,y,z)\, x \rightarrow y \wedge y \rightarrow ^* z \Rightarrow x \rightarrow ^* z\end{aligned}$$
(48)
$$\begin{aligned} \mathsf {b}\rightarrow \mathsf {a}\end{aligned}$$
(49)
$$\begin{aligned} \mathsf {c}\rightarrow ^* \mathsf {b}\Rightarrow \mathsf {a}\rightarrow \mathsf {b} \end{aligned}$$
(50)

We consider some simple tests regarding goals \(\mathsf {b}\rightarrow \mathsf {a}\) and \(\mathsf {a}\rightarrow \mathsf {b}\) and their negations. We tried such four goals with the following theorem provers: Alt-Ergo,Footnote 4 Prover9/Mace4, PDL-tableau,Footnote 5 and PrincessFootnote 6 (most of them with a web-interface). Besides attempting a proof of each goal with respect to \(\overline{\mathcal{R}}\), tools Alt-Ergo, Mace4, and Princess can also generate models of the negation of the tested goal when the proof attempt fails. The following table summarizes the results of our test:

#

Goal

 

Alt-Ergo

Mace4

PDL-tableau

Princess

\(\varphi \)

\(\mathcal{I}_\mathcal{R}\models \varphi \)

\(\overline{\mathcal{R}}\!\vdash \!\varphi \)

\(\mathcal{{A}}\!\models \!\lnot \varphi \)

\(\overline{\mathcal{R}}\!\vdash \!\varphi \)

\(\mathcal{{A}}\!\models \!\lnot \varphi \)

\(\overline{\mathcal{R}}\!\vdash \!\varphi \)

\(\mathcal{{A}}\!\models \!\lnot \varphi \)

\(\overline{\mathcal{R}}\!\vdash \!\varphi \)

\(\mathcal{{A}}\!\models \!\lnot \varphi \)

1

\(\mathsf {b}\rightarrow \mathsf {a}\)

true

Y

N

Y

N

Y

Y

N

2

\(\lnot (\mathsf {b}\rightarrow \mathsf {a})\)

false

N

Y

N

Y

N

N

Y

3

\(\mathsf {a}\rightarrow \mathsf {b}\)

false

N

Y

N

Y

N

N

Y

4

\(\lnot (\mathsf {a}\rightarrow \mathsf {b})\)

true

N

Y

N

Y

N

N

Y

Goal \(\lnot (\mathsf {a}\rightarrow \mathsf {b})\) in row 4 is not directly proved by any tool. Indeed, since \(\lnot (\mathsf {a}\rightarrow \mathsf {b})\) is not a logical consequence of \(\overline{\mathcal{R}}\) (see [14, Example 2]), \(\overline{\mathcal{R}}\vdash \lnot (\mathsf {a}\rightarrow \mathsf {b})\) does not hold. Our satisfiability approach can be used to formally prove that \(\mathcal{R}\) cannot reduce \(\mathsf {a}\) into \(\mathsf {b}\), i.e., that \(\mathcal{I}_\mathcal{R}\models \lnot (\mathsf {a}\rightarrow \mathsf {b})\) (or \(\mathsf {a}\not \rightarrow _\mathcal{R}\mathsf {b}\)) holds: from row 3 we see that \(\mathcal{{A}}\models \lnot (\mathsf {a}\rightarrow \mathsf {b})\) holds for the models \(\mathcal{{A}}\) of \(\overline{\mathcal{R}}\) computed by some of the tools. By Corollary 1, the desired conclusion \(\mathsf {a}\not \rightarrow _\mathcal{R}\mathsf {b}\) follows. Note also that row 4 reports on the ability of some tools to obtain models of \(\mathsf {a}\rightarrow \mathsf {b}\). However, Corollary 1 cannot be used to conclude that \(\mathsf {a}\rightarrow _\mathcal{R}\mathsf {b}\) holds (which is obviously wrong): since \(\varphi \) in row 4 is a negative literal, condition (b) in Corollary 1 must be fulfilled before being able to conclude \(\mathcal{I}_\mathcal{R}\models \mathsf {a}\rightarrow \mathsf {b}\) from \(\mathcal{{A}}\models \mathsf {a}\rightarrow \mathsf {b}\) for some model \(\mathcal{{A}}\) of \(\overline{\mathcal{R}}\). But this is not the case in our test set.

Although Remark 1 explains how an arbitrary program property \(\varphi \) can be proved by using Corollary 1 (see also Sect. 7), from a practical point of view we better think of our approach as complementary to the use of first-order proof techniques and tools. Provability of \(\varphi \) (i.e., \(\mathcal{S}\vdash \varphi \)) implies that \(\mathcal{I}_\mathcal{S}\models \varphi \) holds. Thus, as usual, a proof of \(\varphi \) with respect to \(\mathcal{S}\) implies that a program P with \(\mathcal{S}=\overline{P}\) has property \(\varphi \). However, as discussed above, showing that \(\mathcal{S}\vdash \varphi \) or \(\mathcal{S}\vdash \lnot \varphi \) holds is often impossible. We can try to prove \(\mathcal{I}_\mathcal{S}\models \lnot \varphi \) by using Corollary 1, though. For positive sentences \(\varphi \), this is often affordable.

9 Conclusions and Future Work

We have shown how to prove properties \(\varphi \) of computational systems whose semantics can be given as a first-order theory \(\mathcal{S}\). Our proofs by satisfiability proceed (see Remark 1) by just finding a model \(\mathcal{{A}}\) of \(\mathcal{S}\cup \mathcal{Z}\cup \{\varphi \}\) where \(\mathcal{Z}\) is an auxiliary theory representing the requirements (a) and (b) in Corollary 1 (referred to \(\lnot \varphi \)), so that \(\mathcal{{A}}\models \mathcal{S}\cup \mathcal{Z}\cup \{\varphi \}\) implies \(\mathcal{I}_\mathcal{S}\models \varphi \). Surjectivity of the interpretation homomorphisms (requirement (a) in Corollary 1) is ensured if \(\mathcal{Z}\) includes the appropriate theory \(\mathsf{SuH}\) (see Sect. 4); and requirement (b), for dealing with negative literals, is fulfilled if \(\mathcal{Z}\) includes \(\mathcal{N}\) in Proposition 1. Our results properly subsume the ones in [14], which concern existentially closed boolean combinations of atoms only. We have also introduced the notion of refutation witness which is useful to obtain counterexamples by using the symbols in the first-order language rather than values of the computed model.

From a theoretical point of view, the idea of proving program properties as satisfiability (see Remark 1) is appealing as it emphasizes the role of abstraction (introduced by semantic structures) in theorem proving and logic-based program analysis. However, the requirement of surjectivity of the interpretation homomorphisms and the use of theories \(\mathcal{N}\) with negative information about some of the predicates introduce additional difficulties in the model generation process. Investigating methods for the practical implementation of our techniques, and also finding specific areas of application where our approach can be useful (as done in [16], for instance) is an interesting subject for future work.

Also, our research suggests that further investigation on the generation of models for many-sorted theories that combines the use of finite and infinite domains is necessary. For instance, [15] explains how to generate such models by interpreting the sort, function, and predicate symbols by using linear algebra techniques. This is implemented in AGES. Domains are defined as the solutions of matrix inequalities, possibly restricted to an underlying set of values (e.g., \(\mathbb {Z}\)); thus, finite and infinite domains can be obtained as particular cases of the same technique. Since piecewise definitions are allowed, we could eventually provide fully detailed descriptions of functions and predicates by just adding more pieces to the interpretations. However, such a flexibility is expensive. In contrast, Mace4 is based on a different principle (similar to [12]) and it is really fast, but only finite domains can be generated. This is a problem, for instance, when using Proposition 3 to guarantee surjectivity of homomorphisms \(h_s:{{\mathcal{T}_{{\varSigma }}}}_s\rightarrow \mathcal{{A}}_s\). Even though \(\mathcal{{A}}_s\) is finite, we still need to be able to interpret \( Nat \) as \(\mathbb {N}\), which is not possible with Mace4. For this reason, the examples in Sect. 5 (where the computed structures \(\mathcal{{A}}\) have finite domains for the ‘proper’ sorts , , and \(\mathtt {S}\), and only \( Nat \) is interpreted as an infinite set) could not be handled with Mace4, or with similar tools that are able to deal with sorts (e.g., SEM [24] or the work in [21]) but which generate finite domains only.