2 Basic notions

The programs and the properties we consider in this paper are expressed as sets of constrained Horn clauses written in a many-sorted first-order language $\mathcal{L}$ with equality (=). Constraints are expressions of the linear integer arithmetic (LIA) and the boolean algebra (Bool). The theories of LIA and Bool will be collectively denoted by $\mathit{LIA\cup Bool}$ . The equality symbol = will be used both for integers and booleans. In particular, a constraint is a quantifier-free formula $c$ , where LIA constraints may occur as subexpressions of boolean constraints, according to the SMT approach (Barrett et al., Reference Barrett, Sebastiani, Seshia and Tinelli2009). The syntaxes of a constraint $c$ and an elementary LIA constraint $d$ are as follows:

\begin{align*}c\,::=\,&d\,\,|\,\,{B}\,\,|\,\,\mathit{true}\,\,|\,\,\mathit{false}\,\,|\,\sim \!c\,\,|\,\,c_1 \,{\&}\,c_2\,\,|\,\,c_1{\vee }\, c_2\,\,|\,\,c_1\!\Rightarrow \!c_2\,|\,\,c_1\!=\!c_2\,\,|\\ &{ite}(c, c_1, c_2)\,\,|\,\,t\!=\!\mathit{ite}(c, t_1, t_2)\\d\,::=\,&t_1 < t_2\,\,|\,\,t_1 \leq t_2\,\,|\,\,t_1 = t_2\,\,|\,\,t_1 \geq t_2\,\,|\,\,t_1 \gt t_2 \end{align*}

where:(i) $B$ is a boolean variable, (ii) $\sim$ , &, $\vee$ , and $\Rightarrow$ denote negation, conjunction, disjunction, and implication, respectively, (iii) the ternary function ite denotes the if-then-else operator (i.e. $\mathit{ite}(c, c_1, c_2)$ has the following semantics: if $c$ then $c_{1}$ else $c_{2}$ ), and (iv) $t$ , possibly with subscripts, $t$ , $t_{1}$ and $t_{2}$ is a LIA term of the form $a_0+a_1X_1+\ldots +a_nX_n$ with integer coefficients $a_0,\dots, a_n$ and integer variables $X_1,\ldots, X_n$ .

The integer and boolean sorts are said to be basic sorts. A recursively defined sort (such as the sort of lists and trees) is said to be an algebraic data type (ADT, for short).

An atom is a formula of the form $p(t_{1},\ldots, t_{m})$ , where $p$ is a predicate symbol not occurring in $\textit{LIA}\cup \textit{Bool}$ , and $t_{1},\ldots, t_{m}$ are first-order terms in $\mathcal{L}$ . A constrained Horn clause (CHC), or simply, a clause, is an implication of the form $H\leftarrow c, G$ . The conclusion $H$ , called the head, is either an atom or false, and the premise, called the body, is the conjunction of a constraint $c$ and a conjunction $G$ of zero or more atoms. $G$ is said to be a goal. A clause is said to be a query if its head is false, and a definite clause, otherwise. Without loss of generality, at the expense of introducing suitable equalities, we assume that every atom of the body of a clause has distinct variables (of any sort) as arguments. Given an expression $e$ , by $\textit{vars}(e)$ we denote the set of all variables occurring in $e$ . By $\mathit{bvars(e)}$ (or $\mathit{adt}$ - $\mathit{vars}(e)$ ) we denote the set of variables in $e$ whose sort is a basic sort (or an ADT sort, respectively). The universal closure of a formula $\varphi$ is denoted by $\forall (\varphi )$ .

A $\mathbb{D}$ -interpretation for a set $S$ of CHCs is an interpretation where the symbols of $\textit{LIA}\cup \textit{Bool}$ are interpreted as usual. A $\mathbb{D}$ -interpretation $I$ is said to be a $\mathbb{D}$ -model of $S$ if all clauses of $S$ are true in $I$ . A set $S$ of CHCs is said to be $\mathbb{D}$ -satisfiable (or satisfiable, for short) if it has a $\mathbb{D}$ -model, and it is said to be $\mathbb{D}$ -unsatisfiable (or unsatisfiable, for short), otherwise.

Given a set $P$ of definite clauses, there exists a least $\mathbb{D}$ -model of $P$ , denoted $M(P)$ (Jaffar and Maher, Reference Jaffar and Maher1994). Let $P$ be a set of definite clauses and for $i=1,\ldots, n$ , $Q_i$ be a query. Then $P \cup \{Q_1,\ldots, Q_n\}$ is satisfiable if and only if, for $i=1,\dots, n$ , $M(P)\models Q_i$ .

The catamorphisms we consider in this paper are defined by first-order, relational recursive schemata as we now indicate. Similar definitions are introduced also in (higher-order) functional programming (Meijer et al., Reference Meijer, Fokkinga and Paterson1991; Hinze et al., Reference Hinze, Wu and Gibbons2013).

Let $f$ be a predicate symbol with $m + n$ arguments (for $m\!\geq \! 0$ and $n\!\geq \! 0$ ) with sorts $\alpha _1,\ldots, \alpha _m,$ $\beta _1,\ldots, \beta _n$ , respectively. We say that $f$ is a functional predicate from sort $\alpha _1\!\times \!\ldots \!\times \!\alpha _m$ to sort $\beta _1\!\times \!\ldots \!\times \!\beta _n$ , with respect to a given set $P$ of definite clauses that define $f$ , if $M(P)\! \models \! \forall X,\!Y,\! Z.\ f(X,\!Y) \wedge f(X,\!Z) \rightarrow Y\!=\!Z$ , where $X$ is an $m$ -tuple of distinct variables, and $Y$ and $Z$ are $n$ -tuples of distinct variables. In this case, when we write the atom $f(X,Y)$ , we mean that $X$ and $Y$ are the tuples of the input and output variables of $f$ , respectively. We say that $f$ is a total predicate if $M(P) \models \forall X \exists Y.\ f(X,Y)$ . In what follows, a ‘total, functional predicate’ $f$ from a tuple $\alpha$ of sorts to a tuple $\beta$ of sorts is said to be a ‘total function’ in $\mbox{[}\alpha \rightarrow \beta \mbox{]}$ , and it is denoted by $f \in \mbox{[}\alpha \rightarrow \beta \mbox{]}$ .

Now we introduce the notions of a list catamorphism and a binary tree catamorphism. We leave to the reader the task of introducing, the definitions of similar catamorphisms for recursively defined algebraic data types that may be needed for expressing the properties of interest. Let $\alpha$ , $\beta$ , $\gamma$ , and $\delta$ be (products of) basic sorts. Let $\mathit{list}(\beta )$ be the sort of lists with elements of sort $\beta$ , and $\mathit{btree}(\beta )$ be the sort of binary trees with values of sort $\beta$ .

Instances of the schemas of the list catamorphisms and the binary tree catamorphisms (see Definition1 above) may lack some components, such as the parameter $X$ of basic sort $\alpha$ , or the catamorphisms $f$ or $g$ . The possible presence of these components makes the class of catamorphisms considered in this paper strictly larger than the ones used by other CHC-based approaches (Govind V. K. et al., 2022; Hojjat and Rümmer, Reference Hojjat and Rümmer2018; Kostyukov et al., Reference Kostyukov, Mordvinov and Fedyukovich2021; Gurfinkel, Reference Gurfinkel2022).

3 An introductory example

Let us consider a set of CHCs for doubling lists of integers (see clauses 1–4 in Figure 1). We have that: (i) $\mathit{double}(\mathit{Xs},\mathit{Zs})$ holds if and only if list Zs is the concatenation of two copies of the same list Xs of integers, (ii) $\mathit{eq(Xs,\!Ys)}$ holds if and only if list $\mathit{Xs}$ is equal to list $\mathit{Ys}$ , and (iii) $\mathit{append(Xs,Ys,Zs)}$ holds if and only if list Zs is the result of concatenating list Ys to the right of list Xs.

Let us assume that we want to verify the following Even property: if $\mathit{double}(\mathit{Xs},\mathit{Zs})$ holds, then for any integer $X$ , the number of occurrences of $X$ in Zs is an even number. In order to do so, we use the list catamorphism $\mathit{listcount(X,Zs,M)}$ (see clauses 5–6 in Figure 1) that holds if and only if $M$ is the number of occurrences of $X$ in list $\mathit{Zs}$ . Note that $\mathit{listcount(X,Zs,M)}$ is indeed a list catamorphism because clauses 5–6 are instances of clauses $L1$ – $L2$ in Definition1, when: (i) $\ell$ is listcount, (ii) $Y$ is $N$ , (iii) $\mathit{\ell \, us basis}(X,Y)$ is the LIA constraint $N\!=\!0$ , (iv) $f(X,T,\mathit{Rf})$ is absent, and (v) $\mathit{\ell \, us combine}(X,H,R,\mathit{Rf},Y)$ is the LIA constraint $N\!=\mathit{ite}(X\!=\!H, \mathit{NT}\!+\!\textrm{1},\mathit{NT})$ .

Our verification task can be expressed as query 7 in Figure 1, whereby we derive $\mathit{false}$ if the number $M$ of occurrences of $X$ in $\mathit{Zs}$ is odd (recall that we assume that $M \!=\! 2\,N\!+\!1$ is a $\mathit{LIA}$ constraint).

Fig. 1. The initial set of CHCs (clauses 1–6) and query 7 that specifies that the number of occurrences of an element $X$ in the list $\mathit{Zs}$ is even.

Now, neither the CHC solver Eldarica nor Z3 is able to prove the satisfiability of clauses 1–7 and thus, those solvers are not able to show the Even property. By the transformation technique we will propose in this paper, we get a new set of clauses whose satisfiability can be shown by Z3 and thus, the Even property is proved.

To perform this transformation, we use the information that the property to be verified is expressed through the catamorphism $\mathit{listcount}$ . However, in contrast to previous approaches (De Angelis et al., Reference De Angelis, Fioravanti, Gallagher, Hermenegildo, Pettorossi and Proietti2022, Reference De Angelis, Fioravanti, Pettorossi and Proietti2023), we need not specify any property of the catamorphism $\mathit{listcount}$ when it acts upon the predicates $\mathit{double}$ , $\mathit{eq}$ , and $\mathit{append}$ . For instance, we need not specify that if Zs is the concatenation of Xs and Ys, then for any $X$ , the number of occurrences of $X$ in Zs is the sum of the numbers of occurrences of $X$ in $\mathit{Xs}$ and $\mathit{Ys}$ . Indeed, in the approach we propose in this paper, we have only to specify the association of every ADT sort with a suitable catamorphism or, in general, a conjunction of catamorphisms. In particular, in our double example, we associate the sort of integer lists, denoted $\mathit{list(int)}$ , with the catamorphism $\mathit{listcount}$ . Then, we rely on the CHC solver for the discovery, after the transformation described in the following sections, of suitable relations between the variables that represent the output of the listcount catamorphism atoms. Thus, by applying the technique proposed in this paper, much less ingenuity is required on the part of the programmer for verifying program correctness with respect to the previously proposed approaches.

Our transformation technique introduces, for each predicate $p$ occurring in the initial set of CHCs, a new predicate $\textit{newp}$ defined by the conjunction of a $p$ atom and, for each argument of $p$ with ADT sort $\tau$ , the catamorphism atom(s) with which $\tau$ has been associated. In particular, in the case of our double example, for the predicate $\mathit{double}$ we introduce the new predicate $\mathit{new}1$ (for simplicity, we call it $\mathit{new}1$ , instead of $\mathit{newdouble}$ ) whose definition is clause $D1$ in Figure 2. The body of that clause is the conjunction of the atom $\mathit{double}(B,E)$ and two listcount catamorphism atoms, one for each of the integer lists $B$ and $E$ , as listcount is the catamorphism with which the sort of integer lists has been associated. Similarly, for the predicates $\mathit{append}$ and $\mathit{eq}$ whose definitions are respectively clauses $D2$ and $D3$ listed in Figure 2.

Fig. 2. Clauses $D1$ – $D4$ are the predicate definitions introduced during transformation. Clauses 11–23 are the clauses derived after transformation from clauses 1–6 and query 7 of Figure 1.

Thus, we derive a new version of the initial CHCs where each predicate $p$ has been replaced by the corresponding newp. Then, by applying variants of the fold/unfold transformation rules, we derive a final, transformed set of CHCs. When the CHC solver looks for a model of this final set of CHCs, it is guided by the fact that suitable constraints, inferred from the query, must hold among the arguments of the newly introduced predicates, such as newp, and thus, the solver can often be more effective.

In our transformation we also introduce, for each predicate newp, a predicate called $\mathit{newp\, us woADTs}$ whose definition is obtained by removing the ADT arguments from the definition of newp. For the CHC solvers, it is often easier to find a model for $\mathit{newp\, us woADTs}$ , rather than for $\textit{newp}$ , because the solvers need not handle ADTs at all. However, since each $\mathit{newp\, us woADTs}$ is an overapproximation of $\textit{newp}$ , by using the clauses with the ADTs removed, one could wrongly infer unsatisfiability in cases when, on the contrary, the initial set of CHCs is satisfiable.

Now, in order to make it easier for the solvers to show satisfiability of sets of CHCs and, at the same time, to guarantee the equisatisfiability of the derived set of clauses with respect to the initial set, we add to every atom in the body of every derived clause for $\mathit{newp}$ the corresponding atom without ADT arguments (see Theorem1 for the correctness of these atom additions). By performing these transformation steps starting from clauses 1–6 and query 7 (listed in Figure 1) together with the specification that every variable of sort $\mathit{list}(\mathit{int})$ should be associated with a listcount atom, we derive using our transformation algorithm ${\mathcal{T}}_{\mathit{abs}}$ (see Section 4) clauses 11–23 listed in Figure 2. These derived clauses are indeed shown to be satisfiable by the Z3 solver, and thus the Even property is proved.

4 CHC transformation via catamorphic abstractions

In this section we present our transformation algorithm, called ${\mathcal{T}}_{\mathit{abs}}$ , whose input is: (i) a set $P$ of definite clauses, (ii) a query $Q$ expressing the property to be verified, and (iii) for each ADT sort, a conjunction of catamorphisms whose definitions are included in $P$ . Algorithm ${\mathcal{T}}_{\mathit{abs}}$ introduces a set of new predicates, which incorporate as extra arguments some information coming from the catamorphisms, and transforms $P\cup \{Q\}$ into a new set $P'\cup \{Q'\}$ such that $P\cup \{Q\}$ is satisfiable if and only if so is $P'\cup \{Q'\}$ .

The transformation is effective when the catamorphisms used in the new predicate definitions establish relations that are useful to solve the query. In particular, it is often helpful to use in the new definitions catamorphisms that include the ones occurring in the query, such as the catamorphism $\mathit{listcount}$ of our introductory $\mathit{double}$ example. However, as we will see later, there are cases in which it is important to consider catamorphisms not present in the query (see Example2). The choice of the suitable catamorphisms to be used in the transformation rests upon the programmer’s ingenuity and on her/his understanding of the program behavior. The problem of chosing the most suitable catamorphisms in a fully automatic way is left for future research.

4.3 The transformation algorithm ${\mathcal{T}}_{abs}$

The set of the new predicate definitions needed during the execution of the transformation algorithm ${\mathcal{T}}_{\mathit{abs}}$ is not given in advance. In general, that set depends on: (i) the initial set $P$ of CHC clauses, (ii) the given query $Q$ specifying the property of interest to be proved, and (iii) the given catamorphic abstraction specification $\alpha$ for $P$ . As we will see, we may compute that set of new definitions as the least fixpoint of an operator, called $\tau _{P\cup \{Q\},\alpha }$ , which transforms a given set $\Delta$ of predicate definitions into a new set $\Delta '$ of predicate definitions. First, we need the following notions.

Two definitions $D_1$ and $D_2$ are said to be equivalent, denoted $D_1\equiv D_2,$ if they can be made identical by performing the following transformations: (i) renaming of the head predicate, (ii) renaming of the variables, (iii) reordering of the variables in the head, and (iv) reordering of the atoms in the body. We leave it to the reader to check that the results presented in this section are indeed independent of the choice of a specific definition in its equivalence class.

A set $\Delta$ of definitions is said to be monovariant if, for each program predicate $p$ , in $\Delta$ there is at most one definition having an occurrence of $p$ in its body. The transformation algorithm ${\mathcal{T}}_{\mathit{abs}}$ and the operator $\tau _{P\cup \{Q\},\alpha }$ work on monovariant sets of definitions and are defined by means of the $\mathit{Define}$ , $\mathit{Unfold}$ , $\mathit{AddCata}$ , $\mathit{Fold}$ , and $\mathit{AddErasure}$ functions defined in Figure 3.

In the definition of the Define function we assume that, for each clause $C$ in Cls and each catamorphism atom $\textit{Cata}$ in the body of $C$ , there is a program atom $A$ in the body of $C$ such that $\mathit{adt\mbox{-}vars}(\textit{Cata}) \subseteq \mathit{adt\mbox{-}vars}(A)$ . If $A$ is absent for a catamorphism atom having the ADT variable $X$ of sort $\tau$ , in order to comply with our assumption, we add to the body of $C$ a program atom $\textit{true}_\tau (X)$ that is defined on the (possibly recursive) structure of sort $\tau$ and holds for every $X$ of sort $\tau$ . For instance, for the sort $\mathit{list(int)}$ , the program atom $\textit{true}_{\mathit{list(int)}}(X)$ will be defined by the two clauses $\textit{true}_{\mathit{list(int)}}([\,])$ and $\textit{true}_{\mathit{list(int)}}([H|T]) \leftarrow \textit{true}_{\mathit{list(int)}}(T)$ , where $H$ is an integer variable. Note that, by adding to clause $C$ the atom $\textit{true}_\tau (X)$ , we get a clause equivalent to $C$ .

Fig. 3. The $\mathit{Define}$ , $\mathit{Unfold}$ , $\mathit{AddCata}$ , $\mathit{Fold}$ , and $\mathit{AddErasure}$ functions.

Definition 3 (Domain of Definitions). We denote by $\mathcal D$ a maximal set of definitions such that

1. (D1) for every definition $\mathit{newp}(X_1,\ldots, X_k)\leftarrow{Catas}, A$ in $\mathcal D$ , for every ADT variable $X_i$ occurring in the program atom $A$ , for each catamorphism predicate cata in the conjunction Catas of catamorphism atoms, at most one catamorphism atom of the form $\mathit{cata}(\ldots, X_i,\dots )$ occurs in Catas, and

2. (D2) $\mathcal D$ does not contain equivalent definitions.

   It follows directly from our assumptions that $\mathcal D$ is a finite set.

Now we define a partial order ( $\sqsubseteq$ ), a join operation ( $\sqcup$ ) and a meet operation ( $\sqcap$ ) for definitions and also for monovariant subsets of definitions in $\mathcal D$ .

Definition 4. Let $D_1$ : $\mathit{newp}1(U_1) \leftarrow \mathit{Catas}_1, \mathit{Catas}, A$ and $D_2$ : $\mathit{newp}2(U_2) \leftarrow \mathit{Catas}_2, \mathit{Catas}, A$ be two definitions in $\mathcal D$ for the same program atom $A$ , where $\mathit{Catas}, \mathit{Catas}_1$ , and $\mathit{Catas}_2$ are conjunctions of catamorphism atoms. We assume that the variables in $D_1$ and $D_2$ have been renamed and the atoms in their bodies have been reordered so that $(\mathit{Catas}, A)$ is the maximal common subconjunction of atoms in their bodies, that is, there exists no atom $\mathit{Cata}$ in $\mathit{Catas}_1$ and no variant of $D_2$ of the form $\mathit{newp}2(U^{\prime}_2) \leftarrow \mathit{Catas}^{\prime}_2, \mathit{Catas}, A$ , such that $\mathit{Cata}$ is an atom in $\mathit{Catas}^{\prime}_2$ .

1. (i) $D_2$ is an extension of $D_1$ , written $D_1\sqsubseteq D_2$ , if $\mathit{Catas}_1$ is the empty conjunction;

2. (ii) By $D_1 \sqcup D_2$ we denote the definition $D_3$ : $\mathit{newp}3(U_3) \leftarrow \mathit{Catas}_1, \mathit{Catas}_2, \mathit{Catas}, A$ , where $U_3$ is a tuple consisting of the distinct variables occurring in $(U_1,U_2)$ ;

3. (iii) By $D_1 \sqcap D_2$ we denote the definition $D_3$ : $\mathit{newp}3(U_3) \leftarrow \mathit{Catas}, A$ , where $U_3$ is a tuple consisting of the variables occurring in both $U_1$ and $U_2.$

Let $\Delta _1$ and $\Delta _2$ be two monovariant subsets of $\mathcal D$ .

1. (iv) $\Delta _2$ is an extension of $\Delta _1$ , written $\Delta _1\sqsubseteq \Delta _2$ , if for each $D_1$ in $\Delta _1$ there exists $D_2$ in $\Delta _2$ such that $D_1\sqsubseteq D_2$ ;

2. (v) $\Delta _1 \sqcup \Delta _2 = \{D \mid D$ is the only definition in $\Delta _1\cup \Delta _2$ for some program atom in

   $\Delta _1\cup \Delta _2 \}\ \cup$

   $\{D_1\sqcup D_2 \mid D_1$ and $D_2$ are definitions for the same program atom in

   $\Delta _1$ and $\Delta _2$ , respectively $\}$ ;

3. (vi) $\Delta _1 \sqcap \Delta _2 = \{D_1 \sqcap D_2 \mid D_1$ and $D_2$ are the definitions for the same program atom in

   $\Delta _1$ and $\Delta _2$ , respectively $\}.$

Let $\mathcal P_m(\mathcal D)$ denote the set of monovariant subsets of $\mathcal D$ . We have that $(\mathcal P_m(\mathcal D), \sqsubseteq, \sqcup, \sqcap )$ is a lattice and, since $\mathcal D$ is a finite set, it is also a complete lattice. We define the operator $\tau _{P\cup \{Q\},\alpha }\!: \mathcal P_m (\mathcal D) \rightarrow \mathcal P_m (\mathcal D)$ as follows:

$\tau _{P\cup \{Q\},\alpha }(\Delta ) =_{\mathit{def}} \mathit{Define}\big (\mathit{AddCata}\big (\mathit{Unfold}(\Delta, P) \cup \{Q\},\alpha \big ),\Delta \big )$

Now, we show that the operator $\tau _{P\cup \{Q\},\alpha }$ is a well defined function from $\mathcal P_m (\mathcal D)$ to itself, that is, for any $\Delta \in \mathcal P_m (\mathcal D)$ , the set $\Delta ' = \tau _{P\cup \{Q\},\alpha }(\Delta )$ is an element of $\mathcal P_m (\mathcal D)$ .

First, note that: (i) the Define function introduces (see the (Add) case) a new definition for a program predicate only if no definition for that predicate already belongs to $\Delta$ , and (ii) Define replaces (see the (Extend) case) a definition for a program predicate by a new definition for the same predicate. Thus, if $\Delta$ is monovariant, so is $\Delta '$ . Moreover, no two equivalent clauses will belong to $\Delta '$ (see Point (D2) of Definition3).

Note also that, due to the definition of function AddCata (see, in particular, Point (ii) of Rule R3 applied by that function), Point (D1) of Definition3 holds, and in particular, for every ADT variable $X_i$ in the body of any new definition in $\Delta '$ , and for every catamorphism predicate $cata$ , there is at most one catamorphism atom of the form $\mathit{cata}(\ldots, X_i,\ldots )$ .

Lemma 1 (Existence and Uniqueness of the Fixpoint of $\tau _{P\cup \{Q\},\alpha }$ ). The operator $\tau _{P\cup \{Q\},\alpha }$ is monotonic on the finite lattice $\mathcal P_m(\mathcal D)$ . Thus, it has a least fixpoint $\textit{lfp}(\tau _{P\cup \{Q\},\alpha })$ , also denoted $\tau _{\mathit{fix}}$ , which is equal to $\tau _{P\cup \{Q\},\alpha }^n(\emptyset )$ , for some natural number $n$ .

Proof. In order to prove the monotonicity of $\tau _{P\cup \{Q\},\alpha }$ , let us assume that $\Delta _1$ and $\Delta _2$ are two sets of monovariant definitions in $\mathcal P_m (\mathcal D)$ , with $\Delta _1 \sqsubseteq \Delta _2$ . Let $D_1\in \tau _{P\cup \{Q\},\alpha }(\Delta _1)$ be a definition for program atom $A$ . We consider two cases.

(Case 1) There is no definition for $A$ in $\Delta _1$ . Then, by construction, according to the Define function (see Figure 3), $D_1$ can be viewed as the result of a sequence of join operations of the form: $E_0\sqcup E_1 \sqcup \ldots \sqcup E_n$ , with $n\!\geq \!0$ , where: (1) clause $E_0$ has been obtained by the (Add) case of Define, and (2) for $i\!=\!1,\ldots, n$ , clause $E_0\sqcup \ldots \sqcup E_{i}$ is a clause obtained by the (Extend) case of Define from clause $E_0\sqcup \ldots \sqcup E_{i-1}$ . In particular, for all $i\!=\!0,\ldots, n$ , clause $E_i$ is a clause of the form $\mathit{newp}_i(V_i) \leftarrow \mathit{Catas_i}, A$ obtained from a clause $H\leftarrow c, G$ (here and below in this proof $H$ may be false) in $\mathit{AddCata}(\mathit{Unfold}(\Delta _1,P) \cup \{Q\},\alpha )$ such that $A$ is a program atom in $G$ and $\mathit{Catas_i}$ is the conjunction of all catamorphism atoms  $F$ in $G$ with $\mathit{adt\mbox{-}vars}(F)\subseteq \mathit{adt\mbox{-}vars}(A)$ .

(Case 2) There is a definition $E_0$ for $A$ in $\Delta _1$ . Then, similarly to Case 1, by construction, $D_1 = E_0\sqcup \ldots \sqcup E_n$ , where, for $i\!=\!1,\ldots, n$ , with $n\!\geq \!0$ , $E_0\sqcup \ldots \sqcup E_i$ is a clause obtained by the (Extend) case of Define.

Now, since $\Delta _1 \sqsubseteq \Delta _2$ , for each clause $H\leftarrow c, G$ in $\mathit{AddCata}(\mathit{Unfold}(\Delta _1,P)\cup \{Q\},\alpha )$ , there exists a clause $H\leftarrow c, C, G$ in the set of clauses $\mathit{AddCata}(\mathit{Unfold}(\Delta _2,P) \cup \{Q\},\alpha )$ , where $C$ is a conjunction of catamorphism atoms, and then, by construction, $\textit{Define} (\mathit{AddCata}(\mathit{Unfold}(\Delta _2,P)\cup \{Q\},\alpha ),\Delta _2)$ contains, for $i\!=\!1,\ldots, n$ , a clause $E^{\prime}_i$ , with $E_i\sqsubseteq E^{\prime}_i$ . Then, there exists $D_2 \in \tau _{P\cup \{Q\},\alpha }(\Delta _2)$ such that $D_1\! =\! (E_0\sqcup \ldots \sqcup E_n) \sqsubseteq (E^{\prime}_0\sqcup \ldots \sqcup E^{\prime}_n) \sqsubseteq (E^{\prime}_0\sqcup \ldots \sqcup E^{\prime}_n \sqcup F_{1}\sqcup \ldots \sqcup F_r) = D_2$ , with $r\geq 0$ . (Note that, since $\Delta _1\sqsubseteq \Delta _2$ , in $\mathit{AddCata}(\mathit{Unfold}(\Delta _2,P) \cup \{Q\},\alpha )$ there may be clauses that are derived from definitions in $\Delta _2$ that are not extensions of definitions in $\Delta _1$ . In the bodies of those clauses there may be some variants of $A$ that determine $r$ extra applications of the (Extend) case of Define.) Therefore, by Definition4, $\tau _{P\cup \{Q\},\alpha }(\Delta _1) \sqsubseteq \tau _{P\cup \{Q\},\alpha }(\Delta _2)$ .

Thus, $\tau _{P\cup \{Q\},\alpha }$ is monotonic with respect to $\sqsubseteq$ . Since $\mathcal P_m(\mathcal D)$ is a finite, hence complete, lattice, $\tau _{P\cup \{Q\},\alpha }$ has a least fixpoint $\textit{lfp}(\tau _{P\cup \{Q\},\alpha })$ , which can be computed as $\tau _{P\cup \{Q\},\alpha }^n(\emptyset )$ , for some natural number $n$ .

Now, we define our transformation algorithm ${\mathcal{T}}_{\mathit{abs}}$ as follows:

${\mathcal{T}}_{\mathit{abs}}$ $(P\cup \{Q\},\alpha ) = \mathit{AddErasure}\big (\mathit{Fold}\big (\mathit{AddCata}\big (\mathit{Unfold}(\tau _{\mathit{fix}},P) \cup \{Q\},\,\alpha \big ),\tau _{\mathit{fix}}\big ) \big )$

The termination of ${\mathcal{T}}_{\mathit{abs}}$ follows immediately from the fact that the functions Unfold, AddCata, Fold, and AddErasure terminate and the least fixpoint $\tau _{\mathit{fix}}$ is computed in a finite number of steps (see Lemma1). Thus, by the correctness of the transformation rules (see Theorem1), we get the following result.

Theorem 3 (Total Correctness of Algorithm ${\mathcal{T}}_{\mathit{abs}}$ ). ${\mathcal{T}}_{\mathit{abs}}$ terminates for any set $\mathit{P}$ of definite clauses, query $Q$ , and catamorphic abstraction specification $\alpha$ . Also, $P \cup \{Q\}$ is satisfiable if and only if ${\mathcal{T}}_{\mathit{abs}}$ $(P\cup \{Q\},\alpha )$ is satisfiable.

Finally, we would like to comment on the fact that our transformation algorithm ${\mathcal{T}}_{\mathit{abs}}$ introduces a monovariant set of definitions. Other definition introduction policies could have been considered. In particular, one could introduce more than one definition for each program predicate, thus producing a polyvariant set of definitions. The choice between monovariant and polyvariant sets of definitions has been subject to ample discussion in the literature (De Angelis et al., Reference De Angelis, Fioravanti, Gallagher, Hermenegildo, Pettorossi and Proietti2022) and both have advantages and disadvantages. We will show in the next section that our technique performs quite well in our benchmark. However, we leave a more accurate experimental evaluation to future work.

5 Implementation and experimental evaluation

In this section we provide some details on the implementation of algorithm ${\mathcal{T}}_{\mathit{abs}}$ , and on its experimental evaluation.

Implementation. We have implemented algorithm ${\mathcal{T}}_{\mathit{abs}}$ in a tool, called VeriCaT $_{\!\mathit{abs}}$ , based on VeriMAP (De Angelis et al., Reference De Angelis, Fioravanti, Pettorossi and Proietti2014), which is a system for transforming CHCs. In order to check satisfiability of sets of CHCs (before and after their transformation) we have used the following two solvers: (i) Eldarica (v. 2.0.9) (Hojjat and Rümmer, Reference Hojjat and Rümmer2018), and (ii) Z3 (v. 4.12.2) (de Moura and Bjørner, Reference de Moura and Bjørner2008) with the SPACER engine (Komuravelli et al., Reference Komuravelli, Gurfinkel and Chaki2016) and the global guidance option (Krishnan et al., Reference Krishnan, Chen, Shoham and Gurfinkel2020).

The tool VeriCaT $_{\!\mathit{abs}}$ manipulates clauses as indicated in the following three phases.

(Phase 1) A pre-processing phase. In this phase VeriCaT $_{\!\mathit{abs}}$ produces a catamorphic abstraction specification $\alpha$ starting from: (i) a given set $P$ of CHCs, and (ii) the catamorphic abstractions for the ADTs occurring in $P$ . For instance, in the case of our introductory example double (see Figure 1), Phase 1 produces the catamorphic abstraction specifications for $\mathit{double}$ , $\mathit{eq}$ , and $\mathit{append}$ we have listed in Example1, starting from clauses 1–6 and the catamorphic abstraction $\mathit{cata}_{\mathit{list}(\mathit{int})} =_{\mathit{def}}{\mathit{listcount}(X,L,N)}$ ,

In the following example, referring to a treesort algorithm, we present the VeriCaT $_{\!\mathit{abs}}$ syntax for representing: (i) the catamorphic abstractions given in input, using the directive cata_abs, and (ii) the catamorphic abstraction specifications produced in output, after Phase 1, using the directive spec.

(Phase 2) A fold/unfold transformation phase. In this phase VeriCaT $_{\!\mathit{abs}}$ computes the fixpoint $\tau _{\mathit{fix}}$ and the set $T_w$ of clauses, which is $\mathit{Fold}\big (\!\mathit{AddCata}\big (\!\mathit{Unfold}(\tau _{\mathit{fix}},P)\! \cup\! \{Q\},\,\alpha \big ),\tau _{\mathit{fix}})$ . For the double introductory example (see Figure 1), we have that $P$ is the set $\{1,\ldots, 6\}$ of clauses, query $Q$ is clause 7, and $\alpha$ is the set of catamorphic abstraction specifications produced at Phase 1 (see Example1). Now, $\tau _{\mathit{fix}}$ is the set $\{D1,D2,D3,D4\}$ of definitions listed in Figure 2 and the set $T_w$ is as follows:

$\mathit{false} \leftarrow C\!=\!2D+1,\ \mathit{new}1(A,E,F,G,C)$

$\mathit{new}1(A,B,C,E,F) \leftarrow \mathit{new}2(A,M,K,E,F,B,C),\ \mathit{new}3(A,M,K,B,C)$

$\mathit{new}2(A,B,C,B,C,[\,],G) \leftarrow G\!=\!0,\ \mathit{new}4(A,B,C)$

$\mathit{new}2(A,B,C,[E|F],G,[E|J],K) \leftarrow G\!=\!\mathit{ite}(A\!=\!E,N\!+\!1,N),\ K\!=\!\mathit{ite}(A\!=\!E,P\!+\!1,P),$

$\mathit{new}2(A,B,C,F,N,J,P)$

$\mathit{new}3(A,B,C,B,C) \leftarrow \mathit{new}4(A,B,C)$

$\mathit{new}4(A,[\,],B) \leftarrow B\!=\!0$

$\mathit{new}4(A,[B|C],D) \leftarrow D\!=\!\mathit{ite}(A\!=\!B,F\!+\!1,F),\ \mathit{new}4(A,C,F)$

(Phase 3) A post-processing phase. In this phase, VeriCaT $_{\!\mathit{abs}}$ produces the following two additional sets of clauses by applying the $\mathit{AddErasure}$ function to $T_w$ :

1. (i) $T_{\mathit{wo}}=\{\chi _{\mathit{wo}}(C) \mid C$ is a clause in $T_w\}$ , that is, $T_{\mathit{wo}}$ is made out of the clauses in $T_w$ where every atom with ADT arguments has been replaced by its corresponding atom without ADT arguments, and

2. (ii) $T_{\mathit{w\&wo}}=\{\chi _{\mathit{w\&wo}}(C) \mid C$ is a clause in $T_w\} \cup \overline{T}_{\mathit{wo}}$ , that is, $T_{\mathit{w\&wo}}$ is made out of the clauses in either (ii.1) $T_w$ , where every atom in the body with ADT arguments is paired with its corresponding atom without ADT arguments, or (ii.2) $\overline{T}_{\!\mathit{wo}} = \{\chi _{\mathit{wo}}(C) \mid C$ is a clause in $T_{\mathit{w}}$ whose head is not false}.

$T_{\mathit{w\&wo}}$ is, indeed, the set of clauses computed by our transformation algorithm ${\mathcal{T}}_{\mathit{abs}}$ . The other two sets $T_{\mathit{w}}$ and $T_{\mathit{wo}}$ , produced by VeriCaT $_{\!\mathit{abs}}$ , will be used for comparing and analyzing the features of $T_{\mathit{w\&wo}}$ , as we do in the experimental evaluation below.

For our introductory example double (see Figure 1), at the end of Phase 3, VeriCaT $_{\!\mathit{abs}}$ produces the following two sets of clauses (clause numbers refer to Figure 2):

${T}_{\mathit{wo}}\!=\! \{\mathit{false} \leftarrow C\!=\!2D\!+\!1,{\mathit{new}1\, us \mathit{woADTs}}(A,\!F,\!C)\}$ $ \cup \ \{18,\ldots, 23\}$ , and

$T_{\mathit{w\&wo}} = \{11,\ldots, 23\}$ .

The set $\{18,\ldots, 23\}$ of clauses is $\overline{{T}}_{\mathit{wo}}$ of Point (ii.2) above.

Experimental evaluation. Our benchmark consists of 228 sets of CHCs that encode properties of various sorting algorithms (such as bubblesort, heapsort, insertionsort, mergesort, quicksort, selectionsort, and treesort), and simple list and tree manipulation algorithms (such as appending and reversing lists, constructing permutations, deleting copies of elements, manipulating binary search trees). Properties of those algorithms are expressed via catamorphisms. Here is a non-exhaustive list of the catamorphisms we used: (i) $\mathit{size(L,S)}$ , (ii) $\mathit{listmin(L,Min)}$ , (iii) $\mathit{listmax(L,Max)}$ , and (iv) $\mathit{sum(L,Sum)}$ computing, respectively, the size $S$ of list $L$ , the minimum Min, the maximum Max, and the sum Sum of the elements of list $L$ , (v) $\mathit{is\, us asorted}(L,\mathit{BL})$ , which holds with $\mathit{BL\!=\!true}$ if and only if list $L$ is ordered in weakly ascending order, (vi) allpos $(L,B)$ , which holds with $\mathit{B\!=\!true}$ if and only if list $L$ is made out of all positive elements, (vii) $\mathit{member}(X,L,B)$ , which holds with $\mathit{B\!=\!true}$ if and only if $X$ is an element of the list  $L$ , and (viii) $\mathit{listcount}(X,L,N)$ , which holds if and only if $N$ is the number $(\geq \!0)$ of occurrences of $X$ in the list $L$ . For some properties, we have used more than one catamorphism at a time and, in particular, for lists of integers, we have used the conjunction of $\mathit{member}$ and $\mathit{listcount}$ , and for different properties, we have also used the conjunction of $\mathit{listmin, listmax}$ , and $\mathit{\textit{is\, us asorted}}$ , as already indicated in the paper.

A property holds if and only if its CHC encoding via a query $Q$ is satisfiable, and a verification task consists in using a CHC solver to check the satisfiability of $Q$ . When the given property holds for a set $P$ of clauses, the solver should return sat and the property is said to be a sat property. Analogously, when a property does not hold, the solver should return unsat and the property is said to be an unsat property. In our benchmark, for each verification task of a sat property, we have considered a companion verification task whose CHCs have been modified so that the associated property is unsat. In particular, we have 114 sat properties and 114 unsat properties.

We have performed our experiments on an Intel(R) Xeon(R) Gold 6238R CPU 2.20 GHz with 221 GB RAM under CentOS with a timeout of 600s per verification task. The results of our experiments are reported in Table 1. The VeriCaT $_{\!\mathit{abs}}$ tool and the benchmarks are available at https://fmlab.unich.it/vericatabs.

Table 1. Properties proved by the solvers Eldarica and Z3 before and after the transformation performed by algorithm ${\mathcal{T}}_{\mathit{abs}}$ . In the before case, the input to the solver is the source set of clauses (src-columns), and in the after case, the input is $T_{\mathit{w\&wo}}$ ( $T_{\mathit{w{\&} wo}}$ -columns). The columns occur in pairs referring to the sat properties ( $s$ -columns) and the unsat properties ( $u$ -columns), respectively. The two $T_w$ -columns and the two $T_{\mathit{wo}}$ -columns refer to the input $T_{\mathit{w}}$ and $T_{\mathit{wo}}$ , respectively. The last column shows the time (in seconds) taken by ${\mathcal{T}}_{\mathit{abs}}$ as implemented by VeriCaT $_{\!\mathit{abs}}$ .

Table 1 shows that, for each verification task, the transformation of the CHCs allows a very significant improvement of the performance of the Z3 solver and also an overall improvement of the Eldarica solver (notably for sat properties).

In particular, before CHC transformation, Z3 did not prove any of the 114 sat properties of our benchmark. After CHC transformation, Z3 proved 109 of them to be sat (see columns $Z_{1}$ and $Z_{3}$ of Table 1). The time cost of this improvement is very small. Indeed, most CHC transformations take well below 1.5s and only one of them takes a little more than 2s (for details, see column $T$ , where each entry is the sum of the times taken for the individual transformation tasks of each row). The times taken by the solvers after transformation (not shown in Table 1) are usually quite small. In particular, for the 109 properties proved sat by Z3, the verification time was almost always below 1s. Only for 13 of them, it was between 1s and 4s. For the remaining five sat properties, Z3 exceeded the timeout limit.

Out of the 114 sat properties, Eldarica proved 9 sat properties (all relative to list size) before transformation and 59 sat properties (relative also to catamorphisms different from list size) after transformation (see columns $E_{1}$ and $E_{3}$ ). However, one property that was proved sat before transformation, was not proved sat after transformation. This is the only example where the built-in size function of Eldarica has been more effective than our transformation-based approach.

Given the 114 unsat properties, Z3 proved all of them to be unsat before transformation and also after transformation (see columns $Z_{2}$ and $Z_{4}$ ). The proofs before transformation took well-below 1s in almost all examples, and after transformation took an equal or shorter time for more than half of the cases.

Given the 114 unsat properties, Eldarica proved 110 of them to be unsat before transformation, and only 99 of them after transformation (see columns $E_{2}$ and $E_{4}$ ). This is the only case where we experienced a degradation of performance after transformation. This degradation may be related to the facts that: (i) the number of clauses in the transformed set $T_{\mathit{w\&wo}}$ is larger than the number of clauses in the source set, and (ii) the clauses in $T_{\mathit{w\&wo}}$ have often more atoms in their bodies with respect to the source clauses.

If we consider the set $T_{\mathit{w}}$ , instead of $T_{\mathit{w\&wo}}$ , we have a significant decrease in the number of clauses and the number of atoms in the bodies of clauses. In this case, Z3 proved 83 properties to be sat (less than for $T_{\mathit{w\&wo}}$ , see columns $Z_3$ and $Z_5$ ) and all 114 properties to be unsat (as for all other input sets of clauses, see columns $Z_2$ , $Z_4$ , and $Z_6$ ). Eldarica proved 59 properties to be sat (the same as for $T_{\mathit{w\&wo}}$ , see columns $E_3$ and $E_5$ ) and 109 properties to be unsat (almost the same as for the source clauses, see columns $E_2$ and $E_6$ ).

Finally, we have considered the set $T_{\mathit{wo}}$ , instead of $T_{\mathit{w\& wo}}$ . For the 114 sat properties, Eldarica proved 87 of them (see column $E_7$ ), while Z3 proved 104 of them (see column  $Z_7$ ). For the unsat properties both Eldarica and Z3 proved all of them (see columns $E_8$ and $Z_8$ ). However, since $T_{\mathit{wo}}$ computes an overapproximation with respect to $T_{\mathit{w\& wo}}$ (and also with respect to $T_{\mathit{w}}$ ), when the solver returns the answer unsat, one cannot conclude that the property at hand is indeed unsat. Both solvers, in fact, wrongly classified 10 sat properties as unsat.

In summary, our experimental evaluation shows that VeriCaT $_{\!\mathit{abs}}$ with Z3 as back-end solver outperforms the other CHC solving tools we have considered. Indeed, our tool shows much higher effectiveness than the others when verifying sat properties, while it retains the excellent performance of Z3 for unsat properties.