1 Introduction

Many applications of automated reasoning require to combine the decidability of satisfiability with an expressive logic. Since first-order theorem proving is only semidecidable, the quest for decidable fragments of first-order logic is key in advancing the field, and many classes of formulæ were shown decidable. Without claiming completeness (see [15, 18, 22] for surveys), we mention: the Bernays-Schönfinkel class, also known as EPR for effectively propositional [3, 8, 19, 37, 39]; the Ackermann class [2, 23]; the monadic class with and without equality [2, 5, 23]; the positive variable dominated (PVD) fragment [17]; the two-variable fragment (\(\mathsf{FO}^2\)) [21]; the guarded fragment [4, 20]; the modal fragment [9, 31], which is included in the EPR [22], \(\mathsf{FO}^2\) [32], and guarded [4] fragments; and the stratified fragment [1, 25, 36], which generalizes EPR. However, many theorem proving problems from the practice fall in none of these classes.

Example 1

Problem HWV036-2 from TPTP 7.3.0 [41] specifies a full-adder in 51 clauses, including for instance:

figure a

This set is satisfiable, which means that termination of a theorem prover is a priori not guaranteed. However, it is neither EPR (\(\exists ^*\forall ^*\varphi \) formulæ with \(\varphi \) quantifier- and function-free), nor Ackermann (\(\exists ^*\forall \exists ^*\varphi \) formulæ with \(\varphi \) as above) nor \(\mathsf{FO}^2\) (only two variables, no functions), nor monadic (only unary predicates, no functions). One can also check that it is neither guarded nor stratified.

As refutational completeness guarantees termination on unsatisfiable inputs, if one can prove termination of an inference system on satisfiable inputs in a certain class, any strategy given by that inference system and a fair search plan is a decision procedure for satisfiability in that class. Here we consider Semantically-Guided Goal-Sensitive reasoning (SGGS) [13, 14], that is a refutationally complete instance-based theorem-proving method especially suitable for decision procedures: SGGS is model-based (it searches for a model by building candidates), semantically guided (the search is guided by a fixed initial interpretation), conflict-driven (it applies inferences such as resolution only to explain conflicts), proof confluent (it never needs to undo inferences), and model complete in the limit (if the input is satisfiable, the limit of the derivation represents a model), so that model generation is guaranteed if termination is.

This paper shows that SGGS decides the stratified fragment [1], which includes EPR and finds application in verification [1, 25, 36], and the PVD fragment. Then, we discover a new decidable class named the restrained fragment, and show that SGGS, ordered resolution, and hyperresolution all decide it. Since it is possible to compute bounds on the size of SGGS-generated models, this new class enjoys the small model property. We give a sufficient condition for membership in the restrained fragment that can be tested automatically by termination tools for rewriting. The relevance of this new class is evaluated empirically by applying this test to problems in TPTP. For instance, the axiomatization in Example 1, as well as all the TPTP problems including it, turn out to be restrained. We also summarize the outcomes of experiments with an SGGS prototype, named Koala, built reusing code from Konstantin Korovin’s iProver [24, 26].

The paper is structured as follows. Since the stratified fragment has sorts, Sect. 2 presents SGGS for a language with sorts. Section 3 shows that SGGS decides the stratified fragment. In Sect. 4 we define the restrained fragment, establish the small model property, and prove that SGGS decides both this class and PVD. Ordered resolution and hyperresolution also decide restrained sets (Sect. 5). The experimental results are reported in Sect. 6, and Sect. 7 concludes the paper.

2 Preliminaries: SGGS for Many-Sorted Logic

Let S be a set of clauses in many-sorted logic with non-empty sorts (there is a ground term for every sort). We use \(\mathsf {a}, \mathsf {b}\) for constants, \(\mathsf {P}, \mathsf {Q}\) for predicates, \(\mathsf {f}, \mathsf {g}\) for functions, wxyz for variables, tu for terms, LM for literals, at(L) for L’s atom, CD for clauses, \(\mathcal Var(C)\) for the set of variables in C, \(\alpha , \sigma \) for substitutions, IJ for interpretations, and we extend the at notation to sets of literals, clauses, and sets of clauses. \(C^+\) and \(C^-\) are the disjunctions of the positive and negative literals in C, respectively; C is positive if \(C=C^+\) and negative if \(C=C^-\).

In SGGS, a clause C may have a constraint A, written \(A\rhd C\). An atomic SGGS constraint is \( true \), \( false \), \(t\,{\equiv }\,u\), and \( top (t)\, {=}\, f\), where \(\equiv \) is syntactic identity, and \( top (t)\) is the top symbol of term t. The negation, conjunction, and disjunction of constraints is a constraint. Constraints in standard form are \( true \), \( false \), and conjunctions of distinct atomic constraints \(x\,\not \equiv \,y\) and \( top (x)\ne f\). Substitutions are sort-preserving (\(x\sigma \) has the same sort as x) so that instantiation respects sorts. The set \(Gr(A\rhd C)\) of constrained ground instances (cgi) of \(A \rhd C\) is the set of ground instances of C that satisfy A. Literals \(A \rhd L\) and \(B \rhd M\) intersect if \(at(Gr(A \rhd L)) \cap at(Gr(B \rhd M)) \ne \emptyset \), and are disjoint otherwise.

Example 2

In a signature with sorts \(\{s_1, s_2\}\) and symbols \(\mathsf {a}{:}s_1\), \(\mathsf {b}{:}s_2\), \(\mathsf {f}{:}s_1 {\rightarrow }\, s_2\), and \(\mathsf {P} \subseteq s_2 \times s_2\), the only term of sort \(s_1\) is \(\mathsf {a}\), and \(\mathsf {b}\) and \(\mathsf {f}(\mathsf {a})\) are the only terms of sort \(s_2\). Thus, \(Gr(\mathsf {P}(x, y)) \,{=}\, \{ \mathsf {P}(\mathsf {b},\mathsf {b}), \mathsf {P}(\mathsf {f}(\mathsf {a}),\mathsf {b}), \mathsf {P}(\mathsf {b},\mathsf {f}(\mathsf {a})), \mathsf {P}(\mathsf {f}(\mathsf {a}),\mathsf {f}(\mathsf {a}))\}\). For \(\mathsf {P}(\mathsf {f}(x), y)\), with \(x{:}s_1\) and \(y{:}s_2\), constraint \(top(x) \ne \mathsf {a}\) is unsatisfiable, while \(top(y) \ne \mathsf {a}\) is valid. Then, \(top(x) \ne \mathsf {a} \rhd \mathsf {P}(\mathsf {f}(x), y)\) is equivalent to \( false \rhd \mathsf {P}(\mathsf {f}(x), y)\) and has no cgi’s, while \(top(y) \ne \mathsf {a} \rhd \mathsf {P}(\mathsf {f}(x), y)\) is equivalent to \( true \rhd \mathsf {P}(\mathsf {f}(x), y)\), or simply \(P(\mathsf {f}(x), y)\), and has all cgi’s, namely \(P(\mathsf {f}(\mathsf {a}),\mathsf {b})\) and \(P(\mathsf {f}(\mathsf {a}),\mathsf {f}(\mathsf {a}))\).

SGGS is semantically guided by an initial interpretation I: unless \(I\models S\), SGGS seeks a model of S, by building candidate partial interpretations different from I, and using I as default to complete them. If the empty clause \(\bot \) arises in the process, unsatisfiability is reported. If I is the all-negative interpretation \(I^-\) that makes all negative literals true, SGGS tries to discover which positive literals need to be true to satisfy S, and dually if I is the all-positive interpretation \(I^+\). While I can be any Herbrand interpretation, \(I^+\) and \(I^-\) suffice in this paper.

SGGS works with a trail of clauses \(\varGamma = A_1 \rhd C_1[L_1],\ldots , A_n \rhd C_n[L_n]\), where C[L] means that literal \(L\in C\) is selected in C. The length of \(\varGamma \) and its prefix of length j are denoted \(\vert \varGamma \vert \) and \(\mathop {\varGamma \vert _{j}}\), respectively. An SGGS-trail \(\varGamma \) represents a partial interpretation \(I^p(\varGamma )\): if \(\varGamma \) is empty, denoted \(\varepsilon \), \(I^p(\varGamma ) = \emptyset \); otherwise, \(I^p(\varGamma ) {=} I^p(\mathop {\varGamma \vert _{n-1}}) \cup pcgi(A_n \rhd L_n, \varGamma )\), where pcgi abbreviates proper constrained ground instances. A pcgi of \(A_n \rhd C_n[L_n]\) is a cgi C[L] that is not satisfied by \(I^p(\mathop {\varGamma \vert _{n-1}})\) (i.e., \(I^p(\mathop {\varGamma \vert _{n-1}}) \cap C[L] = \emptyset \)) and can be satisfied by adding L as \(\lnot L\not \in I^p(\mathop {\varGamma \vert _{n-1}})\). For the selected literal, \(pcgi(A_n \rhd L_n, \varGamma ) = \{L \mathop {\,:}\ C[L] \in pcgi(A_n \rhd C_n[L_n],\varGamma )\}\). \(I^p(\varGamma )\) is completed into an interpretation \(I[\varGamma ]\) by consulting I for the truth value of any literal undefined in \(I^p(\varGamma )\).

A literal L is uniformly false in an interpretation J, if all \(L^\prime {\in } Gr(L)\) are false in J. Then, L is said to be I-false if it is uniformly false in I, and I-true if it is true in I. SGGS requires that if a clause in \(\varGamma \) has I-false literals, one is selected, so as to differentiate \(I[\varGamma ]\) from I. A clause whose literals are all I-true is an I-all-true clause, and only in such a clause an I-true literal is selected.

A conflict clause is one whose literals are all uniformly false in \(I[\varGamma ]\). SGGS ensures that every I-all-true clause C[L] in \(\varGamma \) is either a conflict clause or the justification of its selected literal L, meaning that all literals of C[L] except L are uniformly false in \(I[\varGamma ]\), so that L must be true in \(I[\varGamma ]\) to satisfy C[L]. In the latter case C[L] is in the disjoint prefix of \(\varGamma \), denoted \(dp(\varGamma )\), which is the longest prefix such that \(pcgi(A \rhd C[L],\varGamma ) = Gr(A \rhd C[L])\) for all its clauses \(A \rhd C[L]\).

An SGGS-derivation is a series of trails \(\varGamma _0\vdash \varGamma _1\vdash \ldots \varGamma _j\vdash \ldots \), where \(\varGamma _0\,{=}\,\varepsilon \), and \(\forall j\), \(j\,{>}\,0\), an SGGS-inference generates \(\varGamma _j\) from \(\varGamma _{j-1}\) and S. If \(\bot \not \in \varGamma \) and \(I[\varGamma ]\not \models S\), SGGS has two ways to make progress. If \(\varGamma \,{=}\,dp(\varGamma )\), the trail is in order, but \(I[\varGamma ]\not \models C^\prime \) for some \(C^\prime \,{\in }\,Gr(C)\) and \(C\,{\in }\,S\). Then, SGGS applies SGGS-extension to generate from C and \(\varGamma \) a clause \(A \rhd E\), such that E is an instance of C and \(C^\prime \,{\in }\,Gr(A \rhd E)\). If \(\varGamma \,{\ne }\,dp(\varGamma )\), the trail needs repair: either there is a conflict, or there are intersections between selected literals to be removed by SGGS-splitting. The SGGS-extension rules specialize the SGGS-extension scheme ([14, Def. 12]) of which we give here the instance for I based on sign:

Definition 1

Given input clause set S and trail \(\varGamma \), if there is a clause \(C\,{\in }\,S\) such that for all its I-true literals \(L_1, \ldots , L_n\) (\(n\,{\ge }\,0\)) there are clauses \(B_1 \rhd D_1[M_1], \ldots ,B_n \rhd D_n[M_n]\) in \(dp(\varGamma )\), such that literals \(M_1, \ldots , M_n\) are I-false, and \(\forall j\), \(1\,{\leqslant }\,j\,{\leqslant }\,n\), \(L_j\alpha \,{=}\,\lnot M_j\alpha \) with simultaneous most general unifier (mgu) \(\alpha \), then SGGS-extension adds \(A \rhd E = (\bigwedge _{j=1}^n B_j\alpha ) \rhd C\alpha \) to \(\varGamma \).

SGGS-splitting decomposes a clause into instances to isolate and remove intersections between literals, and it is the only rule that introduces constraints. Splitting a ground clause is trivial and never done. Let \(A \rhd C[L]\) be a clause where A is satisfiable. Roughly speaking (see [14, Sect. 3.2]), a partition of \(A \rhd C[ L]\) is a set \(\{A_i \rhd C_i [L_i] \}_{i=1}^n\) such that \(Gr(A \rhd C) = \bigcup _{i=1}^n\{Gr(A_i \rhd C_i)\}\) and the literals \(A_i \rhd L_i\) are pairwise disjoint. Adding predicate symbol \(\mathsf {Q} \subseteq s_1 \times s_2\) to Example 2, a partition of \([\mathsf {P}(\mathsf {f}(x), y)] \vee \mathsf {Q}(x,y)\) is \(\{[\mathsf {P}(\mathsf {f}(x), \mathsf {b})] \vee \mathsf {Q}(x,\mathsf {b}),\ [\mathsf {P}(\mathsf {f}(x), \mathsf {f}(\mathsf {a}))] \vee \mathsf {Q}(x,\mathsf {f}(\mathsf {a}))\}\). Given trail clauses \(A \rhd C[L]\) and \(B \rhd D[M]\), a splitting of C by D, denoted \( split (C,D)\), is a partition of \(A \rhd C[L]\) such that \(at(Gr(A_j \rhd L_j))\) for some j is the intersection of \(A \rhd L\) and \(B \rhd M\), and all other \(A_i \rhd L_i\) are disjoint from \(B \rhd M\). SGGS-splitting replaces \(A \rhd C [L]\) with \( split (C,D)\). Not all clauses in \( split (C,D)\) need to be kept for completeness (see [14, Sect. 4.2]).

Clause \(A_n \rhd C_n[L_n]\) is disposable, if \(I^p(\mathop {\varGamma \vert _{n-1}})\models A_n \rhd C_n[L_n]\), and SGGS-deletion removes all disposable clauses from the trail. The following example shows that SGGS halts, if applied to the EPR set used to show that another semantically-guided method, hyperresolution, cannot decide EPR.

Example 3

The set S consists of four clauses ([18, Ex. 4.8] and [15, Ex. 3.17]):

figure b

SGGS with all-negative initial interpretation \(I^-\) yields the following derivation:

$$\begin{aligned} \varGamma _0 :\varepsilon \ \vdash \varGamma _1 :&[\mathsf {P}(x,x,\mathsf {a}) ]&\mathsf {extend}\ (i)\\ \vdash \varGamma _2 :&[\mathsf {P}(x,x,\mathsf {a}) ],\ \mathsf {P}(x,y,\mathsf {a}) \vee [\mathsf {P}(y,x, \mathsf {a})] \vee \lnot \mathsf {P}(x,x,\mathsf {a})&\mathsf {extend}\ (ii)\\ \vdash \varGamma _3 :&[\mathsf {P}(x,x,\mathsf {a}) ],\ \mathsf {P}(x,x,\mathsf {a}) \vee [\mathsf {P}(x,x, \mathsf {a})] \vee \lnot \mathsf {P}(x,x,\mathsf {a}), \\&y \ne x \rhd \mathsf {P}(x,y,\mathsf {a}) \vee [\mathsf {P}(y,x, \mathsf {a})] \vee \lnot \mathsf {P}(x,x,\mathsf {a})&\mathsf {split}\\ \vdash \varGamma _4 :&[\mathsf {P}(x,x,\mathsf {a}) ],\ \\&y \ne x \rhd \mathsf {P}(x,y,\mathsf {a}) \vee [\mathsf {P}(y,x, \mathsf {a})] \vee \lnot \mathsf {P}(x,x,\mathsf {a})&\mathsf {delete}\end{aligned}$$

Since \(I^-\not \models P(x,x,\mathsf {a})\), SGGS-extension puts it on the trail. As \(I[\varGamma _1]\) satisfies \(P(x,x,\mathsf {a})\), but no other positive literal, \(I[\varGamma _1]\not \models (ii)\). Thus, SGGS-extension unifies the third literal of clause (ii) with \([\mathsf {P}(x,x,\mathsf {a}) ]\) on the trail, producing \(\varGamma _2\), where an \(I^-\)-false (i.e., positive) literal is selected in the added clause (choosing the other makes no difference). As the selected literals intersect, the second clause gets split, yielding \(\varGamma _3\). The second clause in \(\varGamma _3\) is disposable and SGGS-deletion removes it. Since \(I[\varGamma _4]\models S\), the derivation halts reporting satisfiable. In contrast, hyperresolution generates infinitely many clauses of the form \(\mathsf {P}(x_1,x_2,\mathsf {a}) \vee \mathsf {P}(x_2,x_3,\mathsf {a}) \vee \dots \vee \mathsf {P}(x_{n-1},x_n,\mathsf {a})\vee \mathsf {P}(x_{n},x_1,\mathsf {a})\).

If a clause \(A \rhd C[L]\) added by SGGS-extension is in conflict with \(I[\varGamma ]\) and C[L] contains I-false literals, SGGS-resolution explains the conflict by resolving \(A \rhd C[L]\) with a justification in \(dp(\varGamma )\): the resolvent is also a conflict clause that replaces \(A \rhd C[L]\). As SGGS-extension (see [14, Def. 19]) ensures that all I-false literals of a conflict clause can be resolved away, conflict explanation generates either \(\bot \) or an I-all-true conflict clause \(B \rhd D[M]\). The conflict represented by \(B \rhd D[M]\) is solved by moving (SGGS-move) \(B \rhd D[M]\) to the left of the clause in \(dp(\varGamma )\) whose selected literal makes M uniformly false in \(I[\varGamma ]\): the effect is to flip M from being uniformly false to being an implied literal.

Fairness of an SGGS-derivation involves several properties: SGGS-deletion and other clause removals are applied eagerly; trivial splitting is avoided; progress is made whenever possible; every SGGS-extension generating a conflict clause is bundled with explanation and conflict-solving inferences to eliminate the conflict before new extensions occur; and inferences applying to shorter prefixes of the trail are never neglected in favor of others applying to longer prefixes (see [14, Defs. 32, 37, and 39]). The limit of a fair derivation \(\varGamma _0 \vdash \varGamma _1 \vdash \ldots \varGamma _j \vdash \varGamma _{j+1} \vdash \ldots \) is the longest trail \(\varGamma _\infty \) such that \(\forall i\), \(i \leqslant \vert \varGamma _\infty \vert \), there is an \(n_i\) such that \(\forall j\), \(j \geqslant n_i\), if \(\vert \varGamma _j \vert \ge i\) then \(\mathop {\varGamma _j\vert _{i}}\) is equivalent to \(\mathop {\varGamma _\infty \vert _{i}}\) (see [14, Def. 50]). In words, all prefixes of the trail stabilize eventually. Both derivation and \(\varGamma _\infty \) may be infinite, but if the derivation halts at stage k, \(\varGamma _\infty = \varGamma _k\). The following results employ an SGGS-suitable (i.e., total and extending the size ordering, hence well-founded) ordering on ground atoms (see [14, Def. 16]) and a convergence ordering \(>^c\) on SGGS-trails (see [14, Def. 46]):

  • Completeness: For all input clause sets S, initial interpretations I, and fair SGGS-derivations, if S is satisfiable, \(I[\varGamma _\infty ]\models S\), and if S is unsatisfiable, \(\bot \in \varGamma _k\) for some k (see [14, Thm. 9 and 11]).

  • Descending chain theorem: A fair SGGS-derivation forms a descending chain \(\varGamma _0>^c \varGamma _1>^c \ldots>^c \varGamma _j >^c \varGamma _{j+1} \ldots \) (see [14, Thm. 8]).

  • Finiteness of descending chains of length-bounded trails: A chain \(\varGamma _0>^c \varGamma _1>^c \ldots \varGamma _j >^c \varGamma _{j+1} \ldots \) where \(\forall j\), \(j\ge 0\), \(\vert \varGamma _j\vert \leqslant n\), for some \(n\ge 0\), is finite (see [14, Thm. 6 and Cor. 2]).

The gist of this paper is to find fragments where the length of SGGS-trails is bounded so that termination of fair derivations is guaranteed.

3 SGGS Decides the Stratified Fragment

A way to ensure termination is to restrict an inference engine to produce only terms or atoms from a finite set \(\mathcal{B}\), usually called a basis. For SGGS, let \(\mathcal{B}\) be a finite subset of the Herbrand base \(\mathcal{A}\) of the input clause set S.

Definition 2

An SGGS-trail \(\varGamma = A_1 \rhd C_1[L_1],\ldots , A_n \rhd C_n[L_n]\) is in \(\mathcal{B}\) if for all i, \(1\,{\leqslant }\,i\,{\leqslant }\,n\), \(at(Gr(A_i \rhd C_i))\subseteq \mathcal{B}\).

An SGGS-derivation is in \(\mathcal{B}\) if all its trails are.

Lemma 1

If a fair SGGS-derivation \(\varGamma _0 \vdash \varGamma _1 \vdash \ldots \varGamma _j \vdash \varGamma _{j+1} \vdash \ldots \) is in a finite basis \(\mathcal{B}\), then for all j, \(j\,{\geqslant }\,0\), \(\vert \varGamma _j\vert \leqslant \vert \mathcal{B}\vert {+}1\), and if the derivation halts at stage k, \(k\,{\geqslant }\,0\), then \(\vert \varGamma _k\vert \leqslant \vert \mathcal{B}\vert \).

Proof

SGGS cannot do worse than generating a ground trail where every atom in \(\mathcal{B}\) appears selected with either sign: any trail with non-ground clauses will be shorter, because a non-ground clause covers many (possibly infinitely many) ground instances. By fairness, if the trail contains an intersection given by clauses C[L] and D[L], or C[L] and \(D[\lnot L]\) with \(L\,{\in }\,\mathcal B\), the clause on the right is either deleted eagerly by SGGS-deletion, or replaced with a resolvent by SGGS-resolution before SGGS-extension applies. Thus, there can be at most one such intersection, and the first claim follows. The second claim holds, because the intersection is removed by fairness prior to termination.    \(\square \)

By the descending chain theorem and the finiteness of descending chains of length-bounded trails, the following general result follows:

Theorem 1

A fair SGGS-derivation in a finite basis is finite.

In order to apply this result, we need to find fragments that admit a finite basis. We begin with the stratified fragment. A signature is stratified, if there is a well-founded ordering \(<_s\) on sorts, and for all functions \(f:s_1 \times \dots \times s_n \,{\rightarrow }\, s\), it holds that \(s\, {<_s}\, s_i\) for all \(1\,{\leqslant }\,i\,{\leqslant }\,n\) [1, 25, 36]. Thus, there are no cycles over sorts when applying functions. The signature from Example 2 is stratified with ordering \(s_1 >_ss_2\). If a sentence over a stratified signature belongs to the \(\exists ^*\forall ^*\) fragment, Skolemization only introduces constants and preserves stratification [25]. If there is only one sort, this fragment reduces to EPR, because stratification over a single sort implies that there are no function symbols. However, also stratified sentences with a prefix other than \(\exists ^*\forall ^*\) can yield stratified clauses [33].

Example 4

Assume a stratified signature with sorts \(s_1\) and \(s_2\) such that \(s_1 <_ss_2\), and symbols \(\mathsf {f}:s_1{\rightarrow } s_2\), and \(\mathsf {P}\subseteq s_2\times s_2\). The Skolemization of \(\forall x \exists y.\, \mathsf {P}(\mathsf {f}(x),y)\) preserves stratification, as clause \(\mathsf {P}(\mathsf {f}(x),\mathsf {g}(x))\) with Skolem symbol \(\mathsf {g}:s_1{\rightarrow } s_2\) is still stratified. On the other hand, the Skolemization of \(\forall x \exists y.\, \mathsf {P}(\mathsf {f}(y),x)\) yields \(\mathsf {P}(\mathsf {f}(\mathsf {g}(x)),x)\) with Skolem symbol \(\mathsf {g}:s_2{\rightarrow } s_1\), so that stratification is lost.

Given a set S of clauses whose signature is stratified, or stratified clause set for short, the Herbrand universe \(\mathcal{H}\) and the Herbrand base \(\mathcal{A}\) are finite, because stratification prevents building terms of unbounded depth [1]. Therefore, it suffices to pick \(\mathcal{A}\) itself as the finite basis for Theorem 1.

Theorem 2

Any fair SGGS-derivation from a stratified clause set S halts, is a refutation if S is unsatisfiable, and constructs a model of S if S is satisfiable.

However, SGGS-derivations can get exponentially long.

Example 5

Consider the following clause set \(S_k\) describing a k-digits binary counter [38, Def. 2.4.10]. Let \(\mathsf {Q}\) be a predicate symbol of arity k, and for all i, \(1\,{\leqslant }\,i\,{\leqslant }\,k\), let \(\overline{\mathsf {0}}_i\), \(\overline{\mathsf {1}}_i\), and \(\overline{x}_i\) be i-tuples of \(\mathsf {0}\)’s, \(\mathsf {1}\)’s, and distinct variables \(x_1,\dots , x_i\), respectively. \(S_k\) consists of the \(k + 2\) clauses, for \(1\,{\leqslant }\,m\,{\leqslant }\,k\),

figure c

so that it is in EPR. Guided by \(I^-\), SGGS generates a derivation

that simulates binary counting by adding a clause in each of these \(2^k{+}1\) steps till a conflict emerges. Then it takes another \(2^{k+1}\) steps to detect unsatisfiability:

$$\begin{aligned}&\vdash \varGamma _{2^k+2} :\dots , [\lnot \mathsf {Q}(\overline{\mathsf {1}}_k)],\ \lnot \mathsf {Q}(\overline{\mathsf {1}}_{k-1}, \mathsf {0}) \vee [\mathsf {Q}(\overline{\mathsf {1}}_k)]&\mathsf {move}\\&\vdash \varGamma _{2^k+3} :\dots , [\lnot \mathsf {Q}(\overline{\mathsf {1}}_k)],\ [\lnot \mathsf {Q}(\overline{\mathsf {1}}_{k-1}, \mathsf {0})]&\mathsf {resolve}\\&\vdash \varGamma _{2^k+2} :\dots , [\lnot \mathsf {Q}(\overline{\mathsf {1}}_{k-1}, \mathsf {0})],\ \lnot \mathsf {Q}(\overline{\mathsf {1}}_{k-2}, \mathsf {0}, \mathsf {1}) \vee [\mathsf {Q}(\overline{\mathsf {1}}_{k-1}, \mathsf {0})],\ [\lnot \mathsf {Q}(\overline{\mathsf {1}}_k)]&\mathsf {move}\\&\vdash \varGamma _{2^k+3} :\dots , [\lnot \mathsf {Q}(\overline{\mathsf {1}}_{k-1}, \mathsf {0})],\ [\lnot \mathsf {Q}(\overline{\mathsf {1}}_{k-2}, \mathsf {0}, \mathsf {1})],\ [\lnot \mathsf {Q}(\overline{\mathsf {1}}_k)]&\mathsf {resolve}\\&\dots&\dots \\&\vdash \varGamma _{2^{k+2}} :[\lnot \mathsf {Q}(\overline{\mathsf {0}}_k)],\ [\mathsf {Q}(\overline{\mathsf {0}}_k)],\ \dots&\mathsf {move}\\&\vdash \varGamma _{2^{k+2}+1} :\bot , \dots&\mathsf {resolve}\end{aligned}$$

Similar to positive resolutionFootnote 1 [38, Thm. 2.4.12] or SCL [19], SGGS behaves exponentially, whereas resolution offers a refutation in \(2k{+}1\) steps [38, Thm. 2.4.11], which shows that in EPR ground resolution (same as positive resolution for \(S_k\)) can do exponentially worse than resolution [34]. Encoding \(S_k\) in propositional logic requires exponentially many clauses, as each clause \(C_m\), \(1\,{\leqslant }\,m\,{\leqslant }\,k\), has \(2^m\) ground instances that need to be modeled as distinct propositional clauses. This indicates that generating instances is not good for this example.

4 SGGS Decides the Restrained Fragment

We begin with the notion of ground-preserving clause, which is convenient for sign-based semantic guidance.

Definition 3

A clause C is positively ground-preserving if \(\mathcal Var(C)\,{\subseteq }\, \mathcal Var(C^-)\), and negatively ground-preserving if \(\mathcal Var(C)\subseteq \mathcal Var(C^+)\). A set of clauses is positively/negatively ground-preserving if all its clauses are, and ground-preserving if it is positively or negatively ground-preserving.

For example, \(\lnot \mathsf {P}(x,y,z) \vee \mathsf {Q}(y) \vee \mathsf {Q}(\mathsf {f}(z))\) and \(\lnot \mathsf {Q}(x) \vee \lnot \mathsf {Q}(y)\) are positively ground-preserving, while the clauses in Example 5 are both positively and negatively ground-preserving. We say that I is suitable for a ground-preserving set S if either I is \(I^-\) and S is positively ground-preserving, or I is \(I^+\) and S is negatively ground-preserving. If S is positively ground-preserving, its positive clauses are ground, positive hyperresolution only generates ground clauses ([12], Lem. 3), and similarly for the negative variant. We show that this also holds for SGGS.

Lemma 2

If the input clause set S is ground-preserving and the initial interpretation is suitable for S, any fair SGGS-derivation from S is ground.

Proof

We consider S positively ground-preserving and \(I^-\) (for the dual case one exchanges the signs). The proof is by induction on the length n of the derivation. The base case (\(n\,=\,0\)) is vacuously true. The induction hypothesis is that the claim holds for a derivation of length n producing trail \(\varGamma \). Let \(\varGamma \vdash \varGamma ^\prime \) be the \((n{+}1)\)-th step. Since \(\varGamma \) is ground, \(\varGamma \vdash \varGamma ^\prime \) cannot be a splitting step, because any splitting of a ground clause yields the clause itself, and fairness excludes such trivial splittings ([14, Defs. 32, 47, and 49]). If \(\varGamma \vdash \varGamma ^\prime \) is an SGGS-resolution step, it is a ground resolution step, and also \(\varGamma ^\prime \) is ground. If \(\varGamma \vdash \varGamma ^\prime \) is an SGGS-extension step, it adds an instance \(C\alpha \) of a clause \(C\,{\in }\,S\), where \(\alpha \) is the simultaneous mgu of all \(I^-\)-true (i.e., negative) literals \(L_1, \dots , L_n\) in C with as many \(I^-\)-false (i.e., positive) selected literals \(M_1,\ldots , M_n\) in \(\varGamma \) (see Def. 1). Since \(\varGamma \) is ground by induction hypothesis, the clauses containing \(M_1, \ldots , M_n\) are ground and do not have constraints. Thus, \(L_1\alpha , \ldots , L_n\alpha \) are also ground. The \(I^-\)-false literals of \(C\alpha \) are ground, because C is positively ground-preserving (i.e., \(\mathcal Var(C)\subseteq \mathcal Var(C^-)\)), so that all its variables get grounded by \(\alpha \). Hence \(C\alpha \) and \(\varGamma ^\prime \) are ground.    \(\square \)

The next example illustrates Lemma 2 and gives the intuition for restrainedness.

Example 6

Assume a positively ground-preserving set S which includes:

figure d

and \(I^-\) is the initial interpretation. SGGS starts with an extension that puts the positive clause on the trail, where we write \(\mathsf {n}\) for . Subsequent extensions unify the negative literal in clause (ii) with some positive ground literal on the trail, so that new literals in added clauses are positive:

The positive literals have decreasing number of symbols, matching the fact that in (ii) for \(\succ \) any lexicographic path ordering (LPO).

This suggests to strengthen ground-preservingness with an ordering (unrelated to the SGGS-suitable ordering of Sect. 2) to get a finite basis.

Definition 4

A quasi-ordering \(\succeq \) on terms and atoms is restraining, if (i) it is stable under substitution, (ii) the strict ordering \({\succ } = {{\succeq } \setminus {\preceq }}\) is well-founded, and (iii) the equivalence \({\approx } = {{\succeq } \cap {\preceq }}\) has finite equivalence classes.

Note that Condition (i) implies that \(\succ \) and \(\approx \) are stable under substitution. From now on, \(\succeq \) is a restraining quasi-ordering. Let \(\mathcal A_{S}\) be the set of ground atoms occurring in S, and \(\mathcal A_{S}^{\preceq }\) the subset of the Herbrand base \(\mathcal{A}\) of ground atoms upper-bounded by \(\mathcal A_{S}\), so \(\mathcal A_{S}^{\preceq } = \{L \mathop {\,:}L\in \mathcal{A}, \exists M \in \mathcal A_{S}\text { with } M \succeq L\}\). By Conditions (ii) and (iii) in Definition 4, \(\mathcal A_{S}^{\preceq }\) is finite and thus can serve as basis.

Definition 5

A clause C is (strictly) positively restrained if it is positively ground preserving, and for all non-ground literals \(L \in C^+\) there is a literal \(M\in C^-\) such that \(at(M)\succeq at(L)\) (\(at(M) \succ at(L)\)). A set of clauses is positively restrained if all its clauses are.

Negatively restrained clauses and clause sets are defined similarly, and a set of clauses is restrained if it is positively or negatively restrained. The set in Example 6 is strictly positively restrained. We see next the role of the quasi-ordering.

Example 7

Problem PLA030-1 in TPTP is neither stratified, nor monadic, nor guarded. Its clause \(\mathsf {differ}(x,y) \vee \lnot \mathsf {differ}(y,x)\) cannot be shown strictly restrained. Let \(\succ _{\mathsf {acrpo}}\) be an AC-compatible [40] recursive path ordering with \(\mathsf {differ}\) as an AC-symbol, meaning associative-commutative. The quasi-ordering \(\succeq _{\mathsf {acrpo}}\), built from \(\succ _{\mathsf {acrpo}}\) and the AC-equivalence \(\approx _{\mathsf {AC}}\) that has finite equivalence classes, satisfies \(\mathsf {differ}(x,y){\succeq _{\mathsf {acrpo}}}\mathsf {differ}(y,x)\), and shows that PLA030-1 is negatively restrained.

Restrainedness is undecidable in general, but decidable for fixed, suitable orderings. If S is restrained, a fair SGGS-derivation will be in \(\mathcal A_{S}^{\preceq }\).

Lemma 3

If the input clause set S is restrained and the initial interpretation is suitable for S, any fair SGGS-derivation from S is in \(\mathcal A_{S}^\preceq \).

Proof

We consider S positively ground-preserving and \(I^-\) (for the dual case one exchanges the signs). Since the set is restrained hence ground-preserving, the derivation is ground by Lemma 2 (\(\dag \)). The proof is by induction on the length n of the derivation, and it follows the same pattern as that of Lemma 2. Let \(\varGamma \vdash \varGamma ^\prime \) be the \((n{+}1)\)-th step. By induction hypothesis, \(\varGamma \) is in \(\mathcal A_{S}^\preceq \). If \(\varGamma \vdash \varGamma ^\prime \) is an SGGS-resolution step, it is a ground resolution step which does not generate new atoms, and also \(\varGamma ^\prime \) is in \(\mathcal A_{S}^\preceq \). If \(\varGamma \vdash \varGamma ^\prime \) is an SGGS-extension step, it adds an instance \(C\alpha \) of a clause \(C\,{\in }\,S\), where \(\alpha \) is the simultaneous mgu of all \(I^-\)-true (i.e., negative) literals \(\lnot L_1, \dots , \lnot L_n\) in C with as many \(I^-\)-false (i.e., positive) selected literals \(M_1,\ldots , M_n\) in \(\varGamma \). The literals \(M_1, \ldots , M_n\) are ground by (\(\dag \)), and by induction hypothesis they are in \(\mathcal A_{S}^\preceq \). We have to show \(at(C\alpha )\subseteq \mathcal A_{S}^\preceq \).

  • For the negative literals \(\lnot L_1\alpha , \dots , \lnot L_n\alpha \) we have \(L_i\alpha = M_i\alpha = M_i \in \mathcal A_{S}^\preceq \).

  • Let L be a literal in \(C^+\). If L is ground, then \(L\alpha =L\in \mathcal A_{S} \subseteq \mathcal A_{S}^\preceq \). If L is not ground, by positive restrainedness there exists a \(\lnot L_i\), \(1\,{\leqslant }\,i\,{\leqslant }\,n\), such that \(L_i \succeq L\). By stability, \(L_i\alpha \succeq L\alpha \). Since for all i, \(1\,{\leqslant }\,i\,{\leqslant }\,n\), \(M_i \in \mathcal A_{S}^\preceq \) and \(M_i = M_i\alpha = L_i\alpha \succeq L\alpha \), we have \(L\alpha \in \mathcal A_{S}^\preceq \).    \(\square \)

Therefore, as \(\mathcal A_{S}^\preceq \) is finite, Theorem 1 applies.

Theorem 3

Any fair SGGS-derivation from a restrained clause set S with a suitable initial interpretation for S halts, is a refutation if S is unsatisfiable, and constructs a model of S if S is satisfiable.

Restrainedness also makes it possible to derive an upper bound on the cardinality of a single-sorted model, defined as the cardinality of its domain. Let \(\smash {\mathcal H_{S}^{\preceq }}\) be the set \(\smash {\mathcal H_{S}^{\preceq }} = \{ t \mathop {\,:}t \text { is a strict subterm of }L \text { for some } L\in \mathcal A_{S}^{\preceq }\}\).

Theorem 4

A restrained satisfiable clause set S has a model of cardinality at most \(|\mathcal H_{S}^{\preceq }| + 1\) that can be extracted from the limit of any fair SGGS-derivation from S with suitable initial interpretation I.

Proof

By Theorem 3 the derivation halts with some trail \(\varGamma \), and by Lemmas 2 and 3, \(\varGamma \) contains only ground clauses whose atoms are in \(\mathcal A_{S}^{\preceq }\). Since SGGS is model complete, \(I[\varGamma ] \models S\). Consider the following interpretation J with domain \(\smash {\mathcal H_{S}^{\preceq }} \uplus \{u\}\), where \(u\) is a new constant symbol: for every constant symbol c we set \(c^J = c\) if \(c \in \mathcal H_{S}^{\preceq }\), and \(c^J = u\) otherwise. For every n-ary (\(n \geqslant 1\)) function symbol f, we set \(\smash {f^J({t_1},\dots ,{t_{n}}) = f(t_1^J, \dots , t_n^J)}\) if \(f({t_1},\dots ,{t_{n}}) \in \smash {\mathcal H_{S}^{\preceq }}\), and \(f^J({t_1},\dots ,{t_{n}}) = u\) otherwise. For every predicate symbol P, \(({t_1},\dots ,{t_{n}}) \in P^J\) if \(I[\varGamma ] \models P({t_1},\dots ,{t_{n}})\). Note that J is well-defined because if \(f({t_1},\dots ,{t_{n}}) \in \smash {\mathcal H_{S}^{\preceq }}\) then \({t_1},\dots ,{t_{n}}\) are also, hence all terms are interpreted in \(\smash {\mathcal H_{S}^{\preceq }} \uplus \{u\}\). As J agrees with \(I[\varGamma ]\) on all atoms, \(J \models S\), and it has cardinality \(|\smash {\mathcal H_{S}^{\preceq }}| + 1\) by construction.    \(\square \)

Therefore the restrained fragment also enjoys the small model property.

Example 8

The satisfiable clause set S (PUZ054-1 in TPTP) extending Example 6:

figure e

is neither in EPR, nor in \(\mathsf{FO}^2\), nor in the monadic class. However, it can be shown strictly positively restrained by a Knuth-Bendix ordering (KBO) \(\succ \) with empty precedence and weights \(w(\mathsf {P}) = 0\) and \(w_0=w(\mathsf {s})=w(\mathsf {0})=1\), where \(w_0\) is the weight of variables. The largest atom in \(\mathcal A_{S}= \{ \mathsf {P}(\mathsf {s}^{10}(\mathsf {0}), \mathsf {s}^9(\mathsf {0})),\ \mathsf {P}(\mathsf {s}(\mathsf {0}), \mathsf {0})\}\) has weight \(w(\mathsf {P}(\mathsf {s}^{10}(\mathsf {0}), \mathsf {s}^9(\mathsf {0})))=21\). No atom L of the form \(\mathsf {P}(\mathsf {s}^n(\mathsf {0}), \mathsf {s}^m(\mathsf {0}))\) in \(\smash {\mathcal A_{S}^{\preceq }}\) can have a subterm \(\mathsf {s}^k(\mathsf {0})\) with \(k>19\), because otherwise \(w(L) > w(\mathsf {P}(\mathsf {s}^{10}(\mathsf {0}), \mathsf {s}^9(\mathsf {0})))\). Therefore, we have \(\smash {\mathcal H_{S}^{\preceq }} = \{\mathsf {s}^i(\mathsf {0}) \mathop {\,:}0\,{\leqslant }\,i\,{\leqslant }\,19\}\) and there is a model of cardinality at most 21 by Theorem 4.

We next consider PVD  [17]. Let \(\text {depth}(C)\) be the maximum depth of an atom in clause C, and \(\text {depth}_x(C)\) the maximum occurrence depth in C of \(x\in \mathcal Var(C)\).

Definition 6

A clause set S is in PVD if every clause \(C\,{\in }\,S\) is positively ground-preserving and \(\forall x \in Var(C^+)\) it holds that \(\text {depth}_x(C^+) \leqslant \text {depth}_x(C^-)\).

Let \(\mathcal{A}_d\) be the subset of the Herbrand base \(\mathcal{A}\) containing all ground atoms whose depth does not exceed d.

Lemma 4

If the input clause set S is in PVD and has maximal depth d then any fair SGGS-derivation from S using \(I^-\) is in \(\mathcal{A}_d\).

Proof

Since S is in PVD and hence ground-preserving, by Lemma 2 the derivation is ground (\(\dag \)). The proof is by induction on the length n of the derivation, and follows that of Lemma 3 except for the extension case in the inductive step. Let \(\varGamma \vdash \varGamma ^\prime \) be an SGGS-extension step as described in the proof of Lemma 3. The positive literals \(M_1, \ldots , M_n\) are ground by (\(\dag \)) and by induction hypothesis in \(\mathcal{A}_d\). Since \(L_i\alpha = M_i\alpha = M_i\) for all i, \(1\leqslant i \leqslant n\), the atoms \(L_i\alpha \) in \(C^-\alpha \) are ground and in \(\mathcal{A}_d\). Let L be a literal in \(C^+\). Since S is in PVD, every variable in L occurs at a lower or equal depth in some \(L_i\) (\(1\leqslant i \leqslant n\)). Therefore, \(L\alpha \) is ground and its depth cannot exceed that of \(L_i\alpha \), so that \(L\alpha \in \mathcal{A}_d\).    \(\square \)

Since \(\mathcal{A}_d\) is a finite basis, termination follows from Theorem 1.

Theorem 5

Any fair SGGS-derivation using \(I^-\) from a PVD set S halts, is a refutation if S is unsatisfiable, and constructs a model of S if S is satisfiable.

5 Ordered Resolution Decides the Restrained Fragment

In this section we work with the positively restrained fragment; the case for the negatively restrained one is symmetric. Let > be a stable and well-founded ordering on literals, such that positive literals are maximal only in positive clauses, so that ordered resolution is positive ordered resolution. In this way, the ordering embeds the suitable sign-based semantic guidance for the positively restrained fragment. The ordering > could be the extension of the restraining ordering \(\succ \) (see Definition 5) to literals, but does not have to be. We use the following notations [18]: \(Res_>(S)\) denotes the set of ordered resolvents generated from parents in S; \(R_{>}^0(S) = S\), \(R_{>}^{k+1}(S) = R_{>}^{k}(S) \,\cup \, Res_{>}(R_{>}^{k}(S))\), and \(R_{>}^{*}(S) = \bigcup _{k{\geqslant }0} R_{>}^k(S)\). We begin with an auxiliary lemma.

Lemma 5

If S is positively restrained, then for all \(C \in R_{>}^*(S)\), for all \(L \in C^+\) either (i) \(L \in \mathcal A_{S}^{\preceq }\), or (ii) \(at(M) \succeq at(L)\) for some \(M \in C^-\).

Proof

The proof is by induction on the stage k of the construction of \(R_{>}^*(S)\). For \(k\,{=}\,0\), the clauses in \(R_{>}^0(S)=S\) satisfy the claim by the definitions of restrainedness, \(\mathcal A_{S}\), and \(\mathcal A_{S}^\preceq \). The induction hypothesis is that all clauses in \(R_{>}^{k}(S)\) satisfy the claim. For the inductive step, let \(C\sigma \vee D\sigma \) be a resolvent in \(Res_{>}(R_{>}^{k}(S))\) generated from parents \(\lnot L \vee C\) and \(L' \vee D\), where \(\lnot L\sigma \) and \(L'\sigma \) are >-maximal literals, and \(L\sigma =L'\sigma \) for mgu \(\sigma \). The clause \(L' \vee D\) must be positive, otherwise \(L'\sigma \) cannot be >-maximal. Since \(L' \vee D \in R_{>}^{k}(S)\), by induction hypothesis \(at(L' \vee D) \subseteq \mathcal A_{S}^{\preceq }\) (\(\dag \)), which means \(L' \vee D\) is ground, \((L' \vee D)\sigma = L' \vee D\), and all atoms in \(D\sigma \) are in \(\mathcal A_{S}^{\preceq }\). For the positive literals in \(C\sigma \), let \(M\sigma \) be one of them, so \(M \in C^+\). Since \(\lnot L \vee C\) is in \(R_{>}^{k}(S)\), by induction hypothesis, either (i) \(M \in \mathcal A_{S}^{\preceq }\), or (ii) \(M' \succeq M\) for some negative literal \(\lnot M'\) in \(\lnot L \vee C\). In case (i), M is ground, \(M\sigma = M\), and \(M\sigma \in \mathcal A_{S}^{\preceq }\). In case (ii), if \(\lnot M'\) occurs in C then \(\lnot M'\sigma \in C\sigma \), and \(M'\sigma \succeq M\sigma \) holds by stability, so that the claim holds. Otherwise, \(\lnot M'\) is the resolved-upon literal \(\lnot L\) with \(L\sigma = L'\sigma \). Thus, \(L = M' \succeq M\), which implies \(L\sigma \succeq M\sigma \) by stability, and since \(L'\) is ground, \(L'\sigma = L'\). By (\(\dag \)), \(L' \in \mathcal A_{S}^{\preceq }\). Since \(L' = L'\sigma = L\sigma \succeq M\sigma \), we have \(M\sigma \in \mathcal A_{S}^{\preceq }\) by definition of \(\mathcal A_{S}^{\preceq }\).    \(\square \)

Theorem 6

Any fair ordered resolution derivation using > from a restrained clause set S terminates, and is a refutation if S is unsatisfiable.

Proof

Let S be positively restrained. We show that \(R_>^*(S)\) is finite. The claim then follows from refutational completeness of ordered resolution. We first show the following \((\dag )\): for every ordered resolvent \(C\sigma \vee D\sigma \) in \(R_>^*(S)\) from parents \(\lnot L \vee C\) and \(L' \vee D\) and mgu \(\sigma \), \(L' \vee D\) is ground and positive, and \(C\sigma \vee D\sigma \) has strictly fewer negative literals than \(\lnot L \vee C\). Indeed, by the definition of ordered resolution, \(\lnot L\sigma \) and \(L'\sigma \) are >-maximal in \((\lnot L \vee C)\sigma \) and \((L' \vee D)\sigma \), respectively. The clause \(L' \vee D\) must be positive, otherwise \(L'\sigma \) cannot be >-maximal. By Lemma 5, every positive literal in a positive clause is in \(\mathcal A_{S}^{\preceq }\), and therefore it is ground. Thus, in the resolvent \(C\sigma \vee D\sigma \) the literals in \(D\sigma \) are positive, hence \(C\sigma \vee D\sigma \) has fewer negative literals than \(\lnot L \vee C\).

Now suppose that \(R_>^*(S)\) is infinite. Observation \((\dag )\) reveals that the number of negative literals decreases with every resolution step. Hence, if \(R_>^*(S)\) is infinite, it must contain infinitely many positive clauses. By Lemma 5, these positive clauses are ground, and all their atoms are in the finite basis \(\mathcal A_{S}^{\preceq }\). As repeated literals in ground clauses disappear by merging, the number of ground clauses that can be built from \(\mathcal A_{S}^{\preceq }\) is finite. This contradicts \(R_{>}^*(S)\) being infinite.    \(\square \)

This result extends to other positive resolution strategies.

Corollary 1

Hyperresolution and >-ordered resolution with negative selection decide the positively restrained fragment.

The next example shows that SGGS can be exponentially more efficient than these saturation-based resolution strategies because it is model-based.

Example 9

Consider the following parametric clause set \(S_n\) consisting of \(n+1\) clauses, using \(i{+}1\)-ary predicates \(\mathsf {P}_i\) and constants \(\mathsf {c}_i\), for all i, \(0\,{\leqslant }\,i\,{\leqslant }\,n\):

$$\begin{aligned}&\mathsf {P}_0(\mathsf {c}_0) \vee \mathsf {P}_0(\mathsf {c}_1) \vee \dots \vee \mathsf {P}_0(\mathsf {c}_n)&(C_0),\\&\lnot \mathsf {P}_0(x_1) \vee \mathsf {P}_1(x_1, \mathsf {c}_0) \vee \mathsf {P}_1(x_1,\mathsf {c}_1) \vee \dots \vee \mathsf {P}_1(x_1,\mathsf {c}_n)&(C_1),\\&\lnot \mathsf {P}_1(x_1, x_2) \vee \mathsf {P}_2(x_1, x_2, \mathsf {c}_0) \vee \dots \vee \mathsf {P}_2(x_1, x_2,\mathsf {c}_n)&(C_2),\\&\dots&\dots \\&\lnot \mathsf {P}_{n-1}(x_1, \dots ,x_{n}) \vee \mathsf {P}_n(x_1, \dots , x_n, \mathsf {c}_0) \vee \dots \vee \mathsf {P}_n(x_1, \dots , x_n,\mathsf {c}_n)&(C_n). \end{aligned}$$

The set \(S_n\) is positively restrained by an LPO with precedence \(\mathsf {P}_0> \dots> \mathsf {P}_n > \mathsf {c}_i\) for all i, \(0{\leqslant }i{\leqslant }n\). SGGS with \(I^-\) simply selects one positive literal per clause and detects satisfiability after \(n+1\) SGGS-extension steps, producing for instance the model where \(\mathsf {P}_0(\mathsf {c}_0), \mathsf {P}_1(\mathsf {c}_0, \mathsf {c}_0), \dots , \mathsf {P}_n(\mathsf {c}_0, \dots , \mathsf {c}_0)\) are true and all other atoms are false. A saturation by any of the above positive resolution strategies produces exponentially many clauses, because for all i, \(0{\leqslant }i{\leqslant }n\), all n positive literals in \(C_i\) unify with the negative literal in \(C_{i+1}\), generating \(n^{i+1}\) positive clauses, so that the clause count is given by \(\sum \nolimits _{k=1}^n n^k\).

6 Experiments

We begin by reducing positive restrainedness (the negative case is similar) to termination of rewrite systems, so that termination tools can yield a partial practical test. Since restrainedness employs a quasi-ordering, we consider unsorted rewrite systems \(\mathcal R\) and \(\mathcal E\), and rewriting modulo \(\rightarrow _{\mathcal R/\mathcal E}\) defined by \(\leftrightarrow _\mathcal E^{*}\circ \rightarrow _{\mathcal R} \circ \leftrightarrow _\mathcal E^{*}\).

Definition 7

Given a clause set S, a pair of rewrite systems \((\mathcal R_S, \mathcal E_S)\) is positively restraining for S if for all clauses \(C\,{\in }\,S\) and all non-ground literals \(L\in C^+\), there is a rule \(at(M) \rightarrow at(L)\) in \(\mathcal R_S \cup \mathcal E_S\) for some literal \(M\in C^-\).

Let \((\mathcal R_S, \mathcal E_S)\) be positively restraining for S. For instance, for Example 8, \(\mathcal R_S\) will consist of \(\mathsf {P}(\mathsf {s}(\mathsf {s}(x)),y) \rightarrow \mathsf {P}(x,\mathsf {s}(y))\), \(\mathsf {P}(x, \mathsf {s}(\mathsf {s}(y))) \rightarrow \mathsf {P}(x,\mathsf {s}(y))\), and \( \mathsf {P}(\mathsf {s}(x), \mathsf {s}(y)) \rightarrow \mathsf {P}(\mathsf {s}(x),y)\), while \(\mathcal E_S=\emptyset \). A common situation is that \(\mathcal E_S\) has permutative rules, as in Example 7 where \(\mathsf {differ}(x,y) \rightarrow \mathsf {differ}(y,x)\) will be in \(\mathcal E_S\).

Lemma 6

(1) If \(\rightarrow _{\mathcal R_S}\) is terminating and \(\mathcal E_S=\emptyset \), clause set S is strictly positively restrained. (2) If \(\rightarrow _{\mathcal R_S/\mathcal E_S}\) is terminating, \(\mathcal Var(t) = \mathcal Var(u)\) for all \(t\rightarrow u\) in \(\mathcal E_S\), and \(\leftrightarrow _{\mathcal E}^*\) has finite equivalence classes, S is positively restrained.

Proof

(1) Since \(\rightarrow _{\mathcal R_S}\) is terminating, for all \(t\rightarrow u\) in \(\mathcal R_S\), \(\mathcal Var(u)\subseteq \mathcal Var(t)\), so that S is positively ground-preserving. S is strictly positively restrained by the quasi-ordering \(\rightarrow _{\mathcal R_S}^*\): indeed, \(\rightarrow _{\mathcal R_S}^*\) is stable, \(\rightarrow _{\mathcal R_S}^+\) is well-founded, and the equivalence classes of , which is identity, are finite. (2) Since \(\smash {\rightarrow _{\mathcal R_S/\mathcal E_S}}\) is terminating, for all \(t\rightarrow u\) in \(\mathcal R_S\), \(\mathcal Var(u)\subseteq \mathcal Var(t)\), and for all \(t\rightarrow u\) in \(\mathcal E_S\), \(\mathcal Var(u) = \mathcal Var(t)\) by hypothesis, so that S is positively ground-preserving. S is positively restrained by \(\rightarrow _{\mathcal R_S/\mathcal E_S}^*\): indeed, \(\smash {\rightarrow _{\mathcal R_S/\mathcal E_S}^*}\) is stable, \(\smash {\rightarrow _{\mathcal R_S/\mathcal E_S}^+}\) is well-founded, and the equivalence classes of are finite by hypothesis.    \(\square \)

For the experiments, given a clause set S, a script named StoR generates rewrite systems \(\mathcal R_S\) and \(\mathcal E_S\) that can be fed to a termination tool. The source of clause sets is TPTP 7.2.0 and the termination tool is  [27]. All problems in the FOF category are transformed into conjunctive normal form, excluding those with equality (whether sets with equality can be restrained is a topic for future work). Besides 1,539 inputs where either StoR or timed out, out of the remaining 3,462 problems, found 313 restrained ones. For those still undetermined, we tested whether it is sufficient to flip the sign of all literals with a certain predicate to get a restrained problem, which succeeded in 36 cases, for a total of 349 restrained problems. Of these, 277 are positively restrained, 181 negatively restrained, and 109 are both; 74 are ground, 232 are PVD, 277 are stratified, 252 are EPR, 169 are monadic, 204 are \(\mathsf{FO}^2\), 209 are guarded, but 43 problems do not fall in any of these classes, and therefore, to the best of our knowledge, they are proved decidable here for the first time. The average TPTP rating of the 349 problems is 0.1, and that of the 43 problems is 0.015, where 0.1 means that the problem can be solved by most provers. However, the group of 349 includes hard problems such as instances of the binary counter problem in Example 5 (MSC015-1.n), and Rubik’s cube problems (e.g., PUZ052-1). For example, MSC015-1.030 is restrained and has rating 1.00, that is, no theorem prover could solve it so far within the timeout allowed in the CASC competition.

Example 10

Problem HWV036-2 (cf. Example 1) is a set of axioms with no ground atoms, so that \(\smash {\mathcal H_{S}^{\preceq }}\) is empty, and the model constructed according to Theorem 4 is trivial. Several other problems combine this set with ground clauses to prove theorems from those axioms. For example, HWV008-2.002 adds 23 ground clauses. As we found a terminating positively restraining rewrite system for HWV008-2.002, this problem, as well as HWV036-2, is strictly restrained.

An SGGS prototype named Koala was built reusing code for basic data structures, term indexing, and type inference from iProver [24, 26]. In Koala, the SGGS-trail is represented as a list of constrained clauses, with constraints maintained in standardized form (see Sect. 2 and [14, Sect. 7]), and selected literals stored in a discrimination tree, since SGGS-extension requires to find selected literals that unify with literals in an input clause (cf. Definition 1). Koala takes sorts into account when checking satisfiability of constraints (e.g., Example 2), and implements a fair search plan which ensures that all derivations are fair (see Sect. 2). The SGGS-suitable ordering is a KBO with built-in precedence, \(w_0=1\), and weight 1 for all function and predicate symbols in order to extend the size ordering. Koala also sorts by this ordering the clauses in a splitting, according to the SGGS notion of preferred clause in a splitting [14, Def. 22]).

Koala picks either \(I^-\) or \(I^+\) as initial interpretation, based on whether the problem is positively or negatively ground-preserving, which overapproximates positively or negatively restrained. Koala implements the above mentioned sign-flipping test to obtain more ground-preserving sets. In order to recognize stratified input problems, one can compute the sort dependency graph and check for acyclicity [25], or let Koala apply type inference. For all experiments with Koala, the time-out was 300 sec of wall clock time. Out of the above 349 restrained problems, Koala shows that 50 are satisfiable and 283 unsatisfiable. Of 351 PVD problems, not including the 232 ones in the set of 349 restrained problems, Koala discovers 232 unsatisfiable and 76 satisfiable instances. Of the 1,246 stratified problems found in the FOF category by the above acyclicity test, Koala solves 643 unsatisfiable and 277 satisfiable instances. The list of the 349 restrained sets with their properties and restraining rewrite systems, as well as detailed results of the experiments with Koala are available.Footnote 2

7 Discussion

SGGS [13, 14] is an attractive candidate for decision procedures, because it is conflict-driven and it builds models. In this paper, we showed that if the generated clauses are in a finite basis, SGGS is guaranteed to terminate, and we instantiated this result to yield SGGS decision procedures for the stratified fragment, PVD, and the newly introduced restrained fragment, all without equality.

While also Inst-Gen [24] and the model evolution calculus (MEC) [7] decide the stratified fragment [25], this is not the case for the restrained fragment: for instance, if Inst-Gen uses an unfortunate literal selection in Example 8, it does not halt. SGGS avoids this phenomenon thanks to semantic guidance. Since MEC starts with \(I^+\) as candidate model, it may not terminate on satisfiable negatively restrained sets such as Example 7. Indeed, E-Darwin [6] does not halt on this example that Koala solves in a few seconds.

However, it is generally difficult to tame a refutationally complete first-order inference system to yield decision procedures. For instance, SGGS does not halt given the following set of clauses that belongs to several decidable fragments.Footnote 3

Example 11

The following set is in the Ackermann, monadic, and \(\mathsf{FO}^2\) classes:

figure i

where membership in the Ackermann class stems from the Skolemization of \(\exists v \forall x \exists y. P(v) \wedge (P(x) \vee P(y)) \wedge (\lnot P(x) \vee \lnot P(y))\). It has the finite model property, as witnessed by model \(\mathcal I\) with domain \(\{0,1\}\), \(\mathsf {f}^\mathcal I(x) = 1 - x\), \(\mathsf {0}^\mathcal I= 0\), and \(\mathsf {P}^\mathcal I= \{0\}\). With \(I^-\), SGGS performs an infinite series of non-conflicting extensions:

It can be shown that SGGS does not terminate with \(I^+\) either. Inst-Gen may terminate if appropriate candidate models are constructed, but not in general. Ordered resolution terminates if the ordering satisfies \(\lnot \mathsf {P}(\mathsf {f}(x)) > \lnot \mathsf {P}(x)\).

The stratified fragment was presented as the first of three fragments of increasing expressivity, named \(St_0\), \(St_1\), and \(St_2\), and suitable to capture Alloy specifications [1]. If the generic predicate symbols P of Example 4 is replaced with equality for sort \(s_2\), the second sentence of Example 4 becomes , which states that x is in the image of f: this formula separates \(St_0\) and \(St_1\), since it is allowed in \(St_1\), but not in \(St_0\). The LISBQ logic for the verification of unbounded data structures [29] can be translated into \(St_0\) with equality [1].

The restrained fragment is defined starting from a notion of ground-preservingness, which is convenient for positive or negative strategies. Negative ground-preservingness was used for Horn theories with equality [28] and [10, Sect. 5.2]. Positive ground-preservingness, also named range restrictedness [15], is implicit in PVD and recent extensions [30]. Unlike these settings, the restrained fragment does not limit literal depth. Positive ground-preservingness was used to show that DPLL(\(\varGamma \!+\!\mathcal{T}\)), where \(\varGamma \) is an inference system including hyperresolution, superposition with negative selection, and simplification, decides essentially finite (only one monadic function f with finite range) and positively ground-preserving axiomatizations, provided that speculative axioms \(f^j(x)\,{\simeq }\,f^k(x)\) (\(j\,{>}\,k\)) are tried for increasing values of j and k ([12], Thm. 7 and Lem. 3). Simplification applies the speculative axioms to limit the depth of generated terms. Without this feature, it is not surprising that SGGS does not halt.

Example 12

Consider a positively ground-preserving variant of Example 11:

figure j

The finite model property implies that it is essentially finite. SGGS terminates with neither \(I^-\) nor \(I^+\) as initial interpretation. With \(I^-\) it generates:

Positive hyperresolution generates the series \(\{\mathsf {P}(\mathsf {f}^{2k}(0))\}_{k\ge 0}\), which is essentially the same behavior as SGGS. DPLL(\(\varGamma \!+\!\mathcal{T})\) tries \(\mathsf {f}(x)\simeq x\), detects a conflict, backtracks, tries \(\mathsf {f}^2(x)\simeq x\), and halts reporting satisfiability.

Ensuring termination by restricting new (i.e., non-input) terms to come from a finite basis is common for conflict-driven decision procedures [11, 16]. A major direction for future work towards decision procedures for richer languages is the integration of SGGS with CDSAT [11], in order to endow SGGS with equality and CDSAT with quantifiers. Speculative inferences and initial interpretations not based on sign are additional leads. For the restrained fragment, one may consider its relations with other decidable fragments and its relevance to applications beyond TPTP. While positive clauses in a restrained set are ground, one may study the decidability of sets where positive clauses are not necessarily ground, but admit a restraining rewrite system (Definition 7) such that narrowing halts. Techniques to detect the termination of narrowing are known [35].

Although Koala is only a prototype, the experiments show potential and allow us to identify critical issues for the performance of an SGGS prover. For example, instance generation by SGGS-extension is a bottleneck for problems with many input clauses, and forms of caching should be considered to avoid repeating computations. Further development of Koala and more experiments may contribute to discover classes of first-order problems where the conflict-driven style of SGGS reasoning is especially rewarding.