Deciding Combined Theories. Presented by Adi Sosnovich. Based on the presentation accompanying Decision Procedures: An Algorithmic Point of View, by Daniel Kroening and Ofer Strichman.

Outline: Introduction; the theory-combination problem; the Nelson-Oppen combination procedure (combining convex theories, combining non-convex theories, correctness proof); abstract version of the procedure; extensions; summary.

Introduction. The decision procedures we studied so far each focus on one specific theory (equality with uninterpreted functions, bit-vectors). Other common theories: linear arithmetic, arrays, pointer logic. Verification conditions frequently mix expressions from several theories, e.g. f(a[32], b[1]) = f(b[32], a[1]) ∧ a[32] = b[32] (bit vectors and uninterpreted functions), or (x2 ≥ x1) ∧ (x1 − x3 ≥ x2) ∧ (x3 ≥ 0) ∧ f(f(x1) − f(x2)) ≠ f(x3) (linear arithmetic and uninterpreted functions).

Combining theories. Approach #1: reduce all theories to a common logic, if possible (e.g. propositional logic). Approach #2: combine the decision procedures of the individual theories. How? We will learn the Nelson-Oppen method (Greg Nelson and Derek Oppen, Simplification by Cooperating Decision Procedures, 1979).

Reminders: theories and signatures. First-order logic: symbols (Boolean connectives, quantifiers over variables), syntax (well-formed formulas), axioms and inference rules. A first-order theory adds axioms and symbols that characterize the theory. The signature Σ of a theory T is the set of function and predicate symbols of the theory. In "first-order quantifier-free theories with equality" the equality predicate must be part of the signature.

Additional reminders. Let Σ be a signature. A Σ-interpretation A with domain A over a set of variables V is a map that interprets each variable as a domain element, each constant as a domain element, each function symbol of arity n as an n-ary function on the domain, and each predicate symbol of arity n as a subset of Aⁿ.

Additional reminders. A formula φ is satisfied by an interpretation A if it evaluates to true under A. If φ is satisfied by A, we say that A is a model of φ. A formula φ over a set of variables V is satisfiable if it is satisfied by some interpretation over V.

Additional reminders. Given a Σ-theory T, a T-model is a Σ-interpretation that satisfies all axioms of T. A formula over a set of variables V is T-satisfiable if it is satisfied by some T-model over V.

The theory-combination problem. Given theories T1 and T2 with signatures Σ1 and Σ2, the combined theory T1 ⊕ T2 has signature Σ1 ∪ Σ2 and the union of their axioms. Let φ be a Σ1 ∪ Σ2 formula. The problem: does T1 ⊕ T2 ⊨ φ?

The problem. The theory-combination problem is undecidable in general (even when the individual theories are decidable). Under certain restrictions it becomes decidable. We will assume: T1 and T2 are quantifier-free first-order theories with equality; their signatures are disjoint apart from equality, Σ1 ∩ Σ2 = ∅; there is a decision procedure for each theory; T1 and T2 are interpreted over an infinite domain (e.g. linear arithmetic over ℝ, but not finite-width bit vectors). There are extensions to the basic Nelson-Oppen procedure that overcome each of these restrictions.

The Nelson-Oppen method The Nelson-Oppen combination procedure solves the theory combination problem for theories that comply with the restrictions. The input formula must be a conjunction of literals.

The Nelson-Oppen method (1). Purification: a satisfiability-preserving transformation of the formula after which function and predicate symbols from different theories are no longer mixed. 1. Replace an "alien" sub-expression φ with a new auxiliary variable a. 2. Constrain the formula with a = φ. For example, transform x1 ≤ f(x1) into x1 ≤ a1 ∧ a1 = f(x1): an arithmetic literal and an uninterpreted-function literal, each pure, sharing the variable a1.

Purification in more detail (formal description). For a term t, let hd(t) be its root symbol, e.g. hd(f(x)) = f. Then for i, j ∈ {1, 2}, i ≠ j, repeat the following transformations as long as possible. Rule 1: if a function f ∈ Σi is applied to a term t with hd(t) ∈ Σj, replace t by a fresh variable w and add w = t. Rule 2: if a predicate p ∈ Σi is applied to a term t with hd(t) ∈ Σj, likewise. Rule 3: if a literal s = t (or s ≠ t) has hd(s) ∈ Σi and hd(t) ∈ Σj, replace s by a fresh variable w and add w = s.

Purification – detailed example. F: x ≥ 1 ∧ 2 ≥ x ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2). Theories involved: Σ_EUF and Σ_Z. Since f ∈ Σ_EUF and 1 ∈ Σ_Z, replace f(1) by f(w1) and add w1 = 1. Similarly, replace f(2) by f(w2) and add w2 = 2. Now the literals x ≥ 1, 2 ≥ x, w1 = 1, w2 = 2 are Σ_Z-literals, and the literals f(x) ≠ f(w1), f(x) ≠ f(w2) are Σ_EUF-literals. Formula after purification: x ≥ 1 ∧ 2 ≥ x ∧ f(x) ≠ f(w1) ∧ f(x) ≠ f(w2) ∧ w1 = 1 ∧ w2 = 2.

Purification – another example. F: f(x) = x + y ∧ z + y ≥ x ∧ y ≥ x + z ∧ y = 1 ∧ f(x) ≠ f(2). In the first literal hd(f(x)) = f ∈ Σ_EUF and hd(x + y) = + ∈ Σ_Z, so replace the literal with w1 = x + y ∧ w1 = f(x). In the last literal f ∈ Σ_EUF but 2 ∈ Σ_Z, so replace it by f(x) ≠ f(w2) ∧ w2 = 2. Formula after purification: w1 = x + y ∧ z + y ≥ x ∧ y ≥ x + z ∧ y = 1 ∧ w2 = 2 ∧ w1 = f(x) ∧ f(x) ≠ f(w2).
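The three purification rules, carried out mechanically on the example above. This is an added example written for this page, not code from the Kroening–Strichman book or from the presentation. The term encoding (variables as strings, numerals as Python ints, applications as tuples headed by their symbol), the constructed signatures and the helper names Purifier, theory_of, is_pure and shared_vars are all assumptions made here; the input EXAMPLE is the second slide example transcribed into that encoding.

```python
"""Purification of a conjunction of mixed EUF / integer-arithmetic literals.
Added example for these slides, not code from the book or the presentation.
Encoding (assumed): variable -> str, numeral -> int (a Sigma_Z constant),
application -> tuple headed by its symbol, literal -> (pred, s, t)."""
from itertools import count

SIG_EUF = {"f", "g"}                 # uninterpreted function symbols
PRED_Z = {">=", "<="}                # arithmetic predicates; "=" and "!=" are shared
                                     # any other tuple head ("+", "-", ...) is Sigma_Z


def theory_of(t):
    """Theory owning hd(t): 'EUF', 'Z', or None when t is a variable."""
    if isinstance(t, int):
        return "Z"
    if isinstance(t, str):
        return None
    return "EUF" if t[0] in SIG_EUF else "Z"


def vars_of(t):
    """Variables occurring in a term."""
    if isinstance(t, str):
        return {t}
    return set().union(*(vars_of(a) for a in t[1:])) if isinstance(t, tuple) else set()


def is_pure(lit, th):
    """True iff the predicate and every non-variable head in lit belong to th."""
    def ok(t):
        return theory_of(t) in (None, th) and (
            not isinstance(t, tuple) or all(ok(a) for a in t[1:]))
    pred, s, t = lit
    return (pred not in PRED_Z or th == "Z") and ok(s) and ok(t)


class Purifier:
    """Rewrites mixed literals into a Sigma_EUF-pure and a Sigma_Z-pure set."""

    def __init__(self):
        self._fresh = count(1)
        self.defs = {"EUF": [], "Z": []}    # definitions w = t, kept by t's theory

    def purify_term(self, t, ctx):
        """Purify t as the argument of a ctx-theory symbol (rules 1 and 2).
        Arguments are purified first, in t's own theory, so the recorded
        definition is itself pure; an alien subterm then becomes a fresh w."""
        th = theory_of(t)
        if th is None:                                   # variable: shared, keep
            return t
        pure = t if isinstance(t, int) else (t[0], *(self.purify_term(a, th) for a in t[1:]))
        if ctx is not None and th != ctx:
            w = f"w{next(self._fresh)}"
            self.defs[th].append(("=", w, pure))
            return w
        return pure

    def purify(self, literals):
        """Split a conjunction of literals into {'EUF': [...], 'Z': [...]}."""
        out = {"EUF": [], "Z": []}
        for pred, s, t in literals:
            if pred in PRED_Z:                           # Sigma_Z predicate: both sides Z
                out["Z"].append((pred, self.purify_term(s, "Z"), self.purify_term(t, "Z")))
                continue
            ts, tt = theory_of(s), theory_of(t)
            if ts and tt and ts != tt:                   # rule 3: heads from different theories
                w = f"w{next(self._fresh)}"
                self.defs[ts].append(("=", w, self.purify_term(s, ts)))
                s, ts = w, None
            th = ts or tt or "EUF"                       # x = y is pure in either theory
            out[th].append((pred, self.purify_term(s, th), self.purify_term(t, th)))
        for th in out:
            out[th].extend(self.defs[th])
        return out


def purify(literals):
    """Pure parts of a fresh purification of the given conjunction."""
    return Purifier().purify(literals)


def shared_vars(parts):
    """Variables occurring in both pure parts: those N.O. must agree on."""
    occ = {th: set().union(*(vars_of(s) | vars_of(t) for _, s, t in lits))
           for th, lits in parts.items()}
    return occ["EUF"] & occ["Z"]


# Constructed input: the second slide example,
#   f(x) = x + y  /\  z + y >= x  /\  y >= x + z  /\  y = 1  /\  f(x) != f(2)
EXAMPLE = [("=", ("f", "x"), ("+", "x", "y")), (">=", ("+", "z", "y"), "x"),
           (">=", "y", ("+", "x", "z")), ("=", "y", 1), ("!=", ("f", "x"), ("f", 2))]
```

purify(EXAMPLE) reproduces the slide's result: w1 = x + y lands in the Σ_Z part with w1 = f(x) in the Σ_EUF part (rule 3), and f(2) becomes f(w2) with w2 = 2 (rule 1); shared_vars then reports exactly {x, w1, w2}, the variables the two decision procedures will later have to agree on. Running it on f(x1, 0) ≥ x3 from Example (1) below gives the two-level result a0 = 0, a1 = f(x1, a0) (here named w1, w2), because the numeral inside the uninterpreted application is alien to f and the whole application is alien to ≥.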

The Nelson-Oppen method (2). After purification we are left with several sets of pure expressions F1, …, Fn such that each Fi belongs to some "pure" theory that we can decide. Shared variables are allowed, i.e. possibly vars(Fi) ∩ vars(Fj) ≠ ∅ for some i, j. φ is satisfiable iff F1 ∧ … ∧ Fn is satisfiable. If the decision procedure sat_i reports that some Fi is unsatisfiable, then φ is unsatisfiable, but the converse does not hold in general: every Fi may be satisfiable on its own while their conjunction is not. We therefore need a way for the decision procedures to communicate with each other about the shared variables.

The Nelson-Oppen method (3). 1. Purify φ into F1 ∧ … ∧ Fn. 2. If ∃i. Fi is unsatisfiable, return "unsatisfiable". 3. If ∃i, j. Fi implies an equality between shared variables that is not implied by Fj, add it to Fj and go to step 2. 4. Return "satisfiable". (So far only for "convex" theories, to be explained below.)

Example (1). f(x1, 0) ≥ x3 ∧ f(x2, 0) ≤ x3 ∧ (x1 ≥ x2) ∧ (x2 ≥ x1) ∧ (x3 − f(x1, 0) ≥ 1). Purification: a1 ≥ x3 ∧ a2 ≤ x3 ∧ (x1 ≥ x2) ∧ (x2 ≥ x1) ∧ (x3 − a1 ≥ 1) ∧ a0 = 0 ∧ a1 = f(x1, a0) ∧ a2 = f(x2, a0). The slide states that neither F1 nor F2 is contradictory on its own, so we proceed to step 3. (Strictly, a1 ≥ x3 and x3 − a1 ≥ 1 already contradict each other, so step 2 would catch this formula in the arithmetic part alone; the trace on the next slide is meant to show the propagation mechanics.)

Example (1) – cont'd. Equality propagation between the two solvers:

  Linear arithmetic        EUF
  a1 ≥ x3                  a1 = f(x1, a0)
  a2 ≤ x3                  a2 = f(x2, a0)
  x1 ≥ x2
  x2 ≥ x1
  x3 − a1 ≥ 1
  a0 = 0
  x1 = x2        →         x1 = x2        (implied by arithmetic; sent to EUF)
  a1 = a2        ←         a1 = a2        (implied by EUF through congruence; sent back)
  a1 = x3                                 (from a1 ≥ x3, a2 ≤ x3 and a1 = a2)
  False                                   (together with x3 − a1 ≥ 1)

Example (2). (x2 ≥ x1) ∧ (x1 − x3 ≥ x2) ∧ (x3 ≥ 0) ∧ f(f(x1) − f(x2)) ≠ f(x3). Purification: (x2 ≥ x1) ∧ (x1 − x3 ≥ x2) ∧ (x3 ≥ 0) ∧ f(a1) ≠ f(x3) ∧ a1 = a2 − a3 ∧ a2 = f(x1) ∧ a3 = f(x2).

Example (2) – cont'd.

  Arithmetic               EUF
  x2 ≥ x1                  f(a1) ≠ f(x3)
  x1 − x3 ≥ x2             a2 = f(x1)
  x3 ≥ 0                   a3 = f(x2)
  a1 = a2 − a3
  x3 = 0                                  (from x1 − x3 ≥ x2 ≥ x1 and x3 ≥ 0)
  x1 = x2        →         x1 = x2
  a2 = a3        ←         a2 = a3        (congruence from x1 = x2)
  a1 = 0                                  (from a1 = a2 − a3)
  a1 = x3        →         a1 = x3        (a1 = 0 = x3)
                           False          (f(a1) ≠ f(x3) with a1 = x3)

Wait, it's not so simple… Consider φ: 1 ≤ x ∧ x ≤ 2 ∧ p(x) ∧ ¬p(1) ∧ ¬p(2), with x ∈ ℤ. Arithmetic over ℤ receives 1 ≤ x, x ≤ 2; uninterpreted predicates receive p(x), ¬p(1), ¬p(2) (with 1 and 2 standing for the auxiliary variables w1 = 1, w2 = 2 that purification introduces). Neither theory implies an equality, and both parts are satisfiable. But φ is unsatisfiable!

Some theories have it, some don't. Definition: a theory T is convex if for every conjunction of literals φ in T, whenever φ → ⋁_{i=1..n} (xi = yi) for some finite n > 1, then φ → (xi = yi) for some i ∈ {1..n}. Convex: linear arithmetic over ℝ, EUF. Non-convex: almost anything else…

Convexity: examples. Linear arithmetic over ℝ is convex: φ: x1 ≤ 1 ∧ x1 ≥ 0 implies only an infinite disjunction of equalities (no finite one); φ: x1 ≤ 1 ∧ x1 ≥ 1 → x1 = 1 implies a singleton; φ: x1 ≤ 1 ∧ x1 ≥ 2 is unsatisfiable and therefore implies everything. Linear arithmetic over ℤ is not convex: φ: 1 ≤ x1 ∧ x1 ≤ 2 ∧ u = 1 ∧ v = 2. Although φ → (x1 = u ∨ x1 = v), neither φ → x1 = u nor φ → x1 = v holds.

Convexity: examples. The conjunctive fragment of equality logic is convex: φ: x1 = x2 ∧ x2 = x3 ∧ x5 = x3 → (x5 = x2 ∨ x5 = x1), and indeed φ → x5 = x2 and φ → x5 = x1. Many theories used in practice are in fact non-convex, which makes them computationally harder to combine with other theories.

So why is convexity important? Recall φ: 1 ≤ x ∧ x ≤ 2 ∧ p(x) ∧ ¬p(1) ∧ ¬p(2), x ∈ ℤ. Arithmetic over ℤ: 1 ≤ x, x ≤ 2. Uninterpreted predicates: p(x), ¬p(1), ¬p(2). Neither theory implies an equality, and both parts are satisfiable.

So why is convexity important? (cont'd) But 1 ≤ x ∧ x ≤ 2 implies the disjunction x = 1 ∨ x = 2. Since the theory is non-convex we cannot propagate either x = 1 or x = 2 on its own; we can only propagate the disjunction itself.

So why is convexity important? (cont'd) Propagate the disjunction and perform case-splitting. Arithmetic over ℤ: 1 ≤ x, x ≤ 2. Uninterpreted predicates: p(x), ¬p(1) ∧ ¬p(2). Arithmetic derives x = 1 ∨ x = 2: split! Branch ⟨φ⟩ ∧ x = 1: the predicate side now has p(1) ∧ ¬p(1), False. Branch ⟨φ⟩ ∧ x = 2: p(2) ∧ ¬p(2), False. Both branches fail, so φ is unsatisfiable.

So why is convexity important? (cont'd) Conclusion: when a theory is non-convex, we must case-split. This adds a splitting step to Nelson-Oppen. As a result (given polynomial decision procedures for the component theories): convex theories: polynomial; non-convex theories: exponential in the worst case.

The (full) Nelson-Oppen method. 1. Purify φ into φ′: F1 ∧ … ∧ Fn. 2. If ∃i. Fi is unsatisfiable, return "unsatisfiable". 3. If ∃i, j. Fi implies an equality not implied by Fj, add it to Fj and go to step 2. 4. If ∃i. Fi → (x1 = y1 ∨ … ∨ xk = yk) but for every j, Fi does not imply xj = yj on its own, apply the procedure recursively to φ′ ∧ x1 = y1, …, φ′ ∧ xk = yk. If any of them is satisfiable, return "satisfiable"; otherwise return "unsatisfiable". 5. Return "satisfiable".

Example (3). Consider the (Σ_E ∪ Σ_Z)-formula (x ≥ 1) ∧ (3 ≥ x) ∧ (f(x) ≠ f(1)) ∧ (f(x) ≠ f(3)) ∧ (f(1) ≠ f(2)). Purification: (x ≥ 1) ∧ (3 ≥ x) ∧ a1 = 1 ∧ a2 = 2 ∧ a3 = 3 ∧ (f(x) ≠ f(a1)) ∧ (f(x) ≠ f(a3)) ∧ (f(a1) ≠ f(a2)).

Example (3). Arithmetic over ℤ: 1 ≤ x, x ≤ 3, a1 = 1, a2 = 2, a3 = 3. Uninterpreted functions: f(x) ≠ f(a1), f(x) ≠ f(a3), f(a2) ≠ f(a1). Arithmetic implies x = a1 ∨ x = a2 ∨ x = a3: split! Branch ⟨φ′⟩ ∧ x = a1: False (EUF has f(x) ≠ f(a1)). Branch ⟨φ′⟩ ∧ x = a2: neither decision procedure discovers a contradiction or a new equality, thus F is satisfiable in the combined theory (the branch x = a3 need not be explored).

Equality propagation. For a convex theory it is sufficient to test each possible equality of the form x = y; any implied equality is propagated to the other theories. For a non-convex theory, the procedure must find disjunctions of equalities implied by some Fk. The disjunctions should be as small as possible, since the N.O. method must branch on each disjunct. A disjunction is minimal if it is implied by Fk and no proper sub-disjunction of it is implied by Fk.

Equality propagation. A simple procedure for finding a minimal disjunction. Observation: any disjunction that contains a minimal disjunction implied by Fk is itself implied by Fk. The idea: strip off extra disjuncts one by one. Start with the disjunction of all equalities over the shared variables at once, then remove disjuncts whose removal preserves the implication.

Correctness is hard to prove… Theorem: N.O. returns "unsatisfiable" if and only if its input formula φ is unsatisfiable. We prove this theorem for the case of combining two convex theories; the generalization is not hard.

Correctness proof (⇒): φ is satisfiable → N.O. returns "satisfiable" (the simple direction). Assume φ is satisfiable and let α be a satisfying assignment of φ. Let A = {a1, …, an} be the purification (auxiliary) variables. Claim: there exists an assignment to the A variables such that α extended with this assignment satisfies F1 ∧ F2 (F1 ∧ F2 and φ are equisatisfiable: each ai is introduced with a defining equality ai = t, so set ai to the value of t under α). Let α′ be this extended assignment.

Example for the assignment extension. f(x1, 0) ≥ x3 ∧ f(x2, 0) ≤ x3 ∧ (x1 ≥ x2) ∧ (x2 ≥ x1) ∧ (x3 − f(x1, 0) ≥ 0). Purification: a1 ≥ x3 ∧ a2 ≤ x3 ∧ (x1 ≥ x2) ∧ (x2 ≥ x1) ∧ (x3 − a1 ≥ 0) ∧ a0 = 0 ∧ a1 = f(x1, a0) ∧ a2 = f(x2, a0). Satisfying assignment for φ: α = {x1 → 1, x2 → 1, x3 → 1} (with f(1, 0) = 1). Extended satisfying assignment: α′ = {a0 → 0, a1 → 1, a2 → 1, x1 → 1, x2 → 1, x3 → 1}.

Correctness proof. Lemma 1: let φ be satisfiable. After each loop iteration, F1 ∧ F2 is satisfiable in the combined theory. Proof by induction on the number of loop iterations. Base, iteration 0: F1,0 ∧ F2,0 is satisfiable (α′ is a satisfying assignment). Induction step: assume the claim holds up to iteration j; we prove it for j + 1. Any x = y added in step 3 satisfies Fi,j → x = y in Ti for some i.

Correctness proof. α′ ⊨ Fi,j in Ti by the induction hypothesis. Fi,j → x = y and α′ ⊨ Fi,j imply α′ ⊨ x = y. Since α′ ⊨ Fi,j for all i, also α′ ⊨ Fi,j ∧ (x = y) in Ti for all i, that is, α′ ⊨ Fi,j+1 in Ti for all i. Conclusion: the algorithm never returns "unsatisfiable" in step 2.

Proof (⇐): if N.O. returns "satisfiable", φ is satisfiable. (This requires several definitions and lemmas.) Observation: the algorithm always terminates, since there are only finitely many equalities over the variables of the formula. Lemma 2: let Fi′ denote the formula Fi upon termination of the algorithm. Upon termination with the answer "satisfiable", any equality between φ′ variables that is implied by some Fi′ is also implied by every Fj′.

Proof (⇐). Assume, towards a contradiction, that φ is unsatisfiable but the algorithm returns "satisfiable". Let E1, …, Em be the equivalence classes of the variables in φ′ such that x, y are in the same class iff F1′ → x = y in T1. By Lemma 2, x, y are in the same class Ei iff F2′ → x = y in T2. Let ri, for i ∈ {1, …, m}, be a representative element of the class Ei. We define the constraint Δ := ⋀_{i ≠ j} (ri ≠ rj).

Proof (⇐). Lemma 3: given that both T1 and T2 have an infinite domain and are convex, Δ is T1-consistent with F1′ and T2-consistent with F2′ (i.e. F1′ ∧ Δ is T1-satisfiable and F2′ ∧ Δ is T2-satisfiable). Proof sketch: let x and y be two variables that are not implied to be equal. Owing to convexity, they do not have to be equal to satisfy Fi′. As the domain is infinite, there are always values left in the domain that we can choose to make x and y different.

"Owing to convexity, they do not have to be equal to satisfy Fi′": if the theory were non-convex this would not necessarily hold. For example, φ: z ≤ x ∧ x ≤ y ∧ p(x) ∧ ¬p(y) ∧ ¬p(z) ∧ y = 2 ∧ z = 1 over ℤ. The arithmetic part F1′ implies no single equality among x, y, z, yet adding Δ (x ≠ y ∧ x ≠ z ∧ y ≠ z) to F1′ causes a conflict, because the non-convex theory implies the finite disjunction x = z ∨ x = y.

"As the domain is infinite, there are always values left in the domain that we can choose to make x and y different": if the domain were finite this would not necessarily hold. Consider a theory T1 with Σ1: a function g, and axioms that only allow models with 2 distinct values. For F1′: g(x1) ≠ g(x3) ∧ g(x2) ≠ g(x3), adding x1 ≠ x2 to F1′ causes a conflict in this theory, because x1, x2, x3 would then need 3 distinct values while the domain has at most 2.

Proof (⇐). Conclusion from the lemma: there are satisfying assignments α1 and α2 for F1′ ∧ Δ and F2′ ∧ Δ in T1 and T2, respectively. These assignments are maximally diverse: two variables assigned equal values by them must be implied to be equal. Note that α1 ⊨ x = y iff α2 ⊨ x = y for every pair of variables x, y. Given this property, it is easy to build a mapping M (an isomorphism) from domain elements to domain elements such that α2(x) is mapped to α1(x) for every variable x. This is not necessarily possible unless the assignments are maximally diverse.

Example. (x ≥ y) ∧ (y ≥ x) ∧ (z ≥ y) ∧ (w ≥ z) ∧ (f(z) ≠ f(y)) ∧ (f(x) ≠ f(w)). Equivalence classes: E1 = {x, y}, E2 = {z}, E3 = {w}. Assignments that satisfy F1′ and F2′ but are not maximally diverse: α1 = {x → 1, y → 1, z → 1, w → 1}, α2 = {x → 5, y → 5, z → 3, w → 4}. Here we cannot build the mapping M: α1 sends x, y, z, w to the single value 1 while α2 sends them to three different values.

Example. (x ≥ y) ∧ (y ≥ x) ∧ (z ≥ y) ∧ (w ≥ z) ∧ (f(z) ≠ f(y)) ∧ (f(x) ≠ f(w)). Assignments that satisfy F1′ ∧ Δ and F2′ ∧ Δ are maximally diverse: α1 = {x → 1, y → 1, z → 2, w → 3}, α2 = {x → 5, y → 5, z → 3, w → 4}. Here we can build a mapping M: M(1) = 5, M(2) = 3, M(3) = 4, … (E1 = {x, y}, E2 = {z}, E3 = {w}).

Example. (x ≥ y) ∧ (y ≥ x) ∧ (z ≥ y) ∧ (w ≥ z) ∧ (f(z) ≠ f(y)) ∧ (f(x) ≠ f(w)). Defining an interpretation that satisfies both F1′ ∧ Δ and F2′ ∧ Δ based on the isomorphism M. Option 1: choose the mapping M: M(5) = 1, M(3) = 2, M(4) = 3, …, keep α2 = {x → 5, y → 5, z → 3, w → 4}, and interpret the arithmetic predicates through M, e.g. z ≥ y iff M(z) ≥ M(y). Option 2: choose the mapping M: M(1) = 5, M(2) = 3, M(3) = 4, …, keep α1 = {x → 1, y → 1, z → 2, w → 3}, and interpret f through M: f(z) := M⁻¹(f(M(z))). Note that we rely on the signatures being disjoint: every symbol is interpreted by exactly one of the two models, so the two interpretations never disagree on a symbol.

Proof (⇐). Using the mapping M, we obtain a model α′ for F1′ ∧ F2′ in the combined theory. As Fi′ implies Fi, α′ is also a model of F1 ∧ F2 in the combined theory, which contradicts our assumption that φ is unsatisfiable.

Proof - more details. Theorem 1: let Σ1 and Σ2 be signatures with Σ1 ∩ Σ2 = ∅, and for i = 1, 2 let Fi be a set of Σi-formulas and Vi the set of variables appearing in Fi. Let V = V1 ∩ V2. Then F1 ∧ F2 is satisfiable iff there exist an interpretation A satisfying F1 and an interpretation B satisfying F2 such that |A| = |B| (same cardinality) and x^A = y^A iff x^B = y^B for every pair of variables x, y ∈ V. The proof is based on an isomorphism between the two domains, from which an interpretation satisfying F1 ∧ F2 is obtained. (A related theorem in logic states that a formula is satisfiable iff there exist isomorphic interpretations satisfying its sub-formulas.)

Proof - more details. There exist such A and B over infinite domains, since the theories are restricted to infinite domains. But how can we be sure that we can obtain interpretations of the same cardinality?

Proof - more details. Theorem 2 (Löwenheim–Skolem): if a countable first-order theory has an infinite model, then for every infinite cardinal number κ it has a model of size κ. Consequently, first-order theories cannot control the cardinality of their infinite models. Therefore we can obtain interpretations of the same cardinality for infinite domains.

Proof (⇐). Proof sketch summary: by Lemma 3 there are interpretations A, B over infinite domains satisfying F1′ ∧ Δ and F2′ ∧ Δ, respectively. Their assignments are maximally diverse, so α1 ⊨ x = y iff α2 ⊨ x = y for every pair of variables x, y. By Theorem 2 there exist such interpretations A, B of the same infinite cardinality, |A| = |B|. By Theorem 1, F1 ∧ F2 is satisfiable.

Correctness for convex and non-convex theories. On the case-splitting: if on all branches the conjunction is unsatisfiable, then the original formula is necessarily unsatisfiable. If there exists a branch on which the conjunction is satisfiable, then the original formula is satisfiable and no other branches need to be checked.

Abstract (non-deterministic) version of the Nelson-Oppen procedure. Let V be the set of (shared) variables used in F1, …, Fn. A partition P of V induces equivalence classes, and every assignment to the variables of V induces such a partition. Denote by R the equivalence relation corresponding to these classes. The arrangement corresponding to P is ar(P) := ⋀_{vi R vj, i<j} (vi = vj) ∧ ⋀_{¬(vi R vj), i<j} (vi ≠ vj).

Abstract (non-deterministic) version of the Nelson-Oppen procedure. For example, if V = {x1, x2, x3} and P = {{x1, x2}, {x3}}, then ar(P) := x1 = x2 ∧ x1 ≠ x3 ∧ x2 ≠ x3.

Abstract (non-deterministic) version of the Nelson-Oppen procedure. 1. Purification, as in the deterministic version. 2. Choose nondeterministically a partition P of the variables in V. 3. If some Fi ∧ ar(P) is unsatisfiable, return "unsatisfiable"; otherwise return "satisfiable". The formula is satisfiable iff some choice of P leads to "satisfiable".

Abstract version - example. Consider the (Σ_E ∪ Σ_Z)-formula F: (x ≥ 1) ∧ (2 ≥ x) ∧ (f(x) ≠ f(1)) ∧ (f(x) ≠ f(2)). After purification we have F1: (f(x) ≠ f(y)) ∧ (f(x) ≠ f(z)) and F2: (x ≥ 1) ∧ (2 ≥ x) ∧ (y = 1) ∧ (z = 2). The five arrangements of {x, y, z}: 1. {x = y, x = z, y = z}: inconsistent with F1. 2. {x = y, x ≠ z, y ≠ z}: inconsistent with F1. 3. {x ≠ y, x = z, y ≠ z}: inconsistent with F1. 4. {x ≠ y, x ≠ z, y = z}: inconsistent with F2 (y = 1 and z = 2). 5. {x ≠ y, x ≠ z, y ≠ z}: inconsistent with F2 (x ∈ {1, 2} but x ≠ 1 and x ≠ 2). Hence F is unsatisfiable.

Abstract (non-deterministic) version of the Nelson-Oppen procedure. The nondeterministic step can be replaced by a deterministic one by trying all possible partitions. The requirement in the N.O. procedure to share implied equalities can therefore be understood as an optimization over an exhaustive search, rather than a necessity for correctness.
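The exhaustive "guess and check" version just described, run end to end on the example above and on Example (3). This is an added example written for this page, not code from the book or the presentation. Both component solvers are small stand-ins written here: euf_sat is a congruence-closure check for EUF, and z_sat decides only the bounded-integer fragment the slides use (bounds against a constant plus equalities and disequalities between variables), not general linear arithmetic; the term encoding and every function name are assumptions. partitions enumerates all arrangements of the shared variables, which is exactly the Bell-number growth discussed below, so the same code also shows why implementations prefer propagating implied equalities instead.

```python
"""Abstract (guess-and-check) Nelson-Oppen: EUF + bounded integer arithmetic.
Added example for these slides, not code from the book or the presentation.
Encoding (assumed): variables are str, applications are tuples headed by the
symbol, literals are (pred, s, t).  z_sat covers only the fragment the slides
use (x >= c, x <= c, x = c with c an int; x = y, x != y), not full linear
arithmetic."""
from itertools import combinations


def euf_sat(lits):
    """Congruence closure: decide a conjunction of '=' / '!=' EUF literals."""
    terms, stack = set(), [u for _, s, t in lits for u in (s, t)]
    while stack:                                  # every subterm, nested too
        t = stack.pop()
        terms.add(t)
        stack.extend(t[1:] if isinstance(t, tuple) else ())
    parent = {t: t for t in terms}
    def find(t):
        return t if parent[t] == t else find(parent[t])
    for p, s, t in lits:
        if p == "=":
            parent[find(s)] = find(t)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:                                # a ~ b  implies  f(a) ~ f(b)
        changed = False
        for u, v in combinations(apps, 2):
            if (u[0] == v[0] and len(u) == len(v) and find(u) != find(v)
                    and all(find(a) == find(b) for a, b in zip(u[1:], v[1:]))):
                parent[find(u)] = find(v)
                changed = True
    return all(find(s) != find(t) for p, s, t in lits if p == "!=")


def z_sat(lits):
    """Merge equal variables, intersect bounds per class, then give the classes
    bounded on both sides distinct values by backtracking; a class with an open
    side can always take a fresh value because the domain is infinite."""
    names = {v for _, a, b in lits for v in (a, b) if isinstance(v, str)}
    parent = {v: v for v in names}
    def find(v):
        return v if parent[v] == v else find(parent[v])
    for p, a, b in lits:
        if p == "=" and isinstance(b, str):
            parent[find(a)] = find(b)
    lo, hi, nbr = {}, {}, {}
    for p, a, b in lits:
        r = find(a)
        if isinstance(b, str) and p in ("=", "!="):
            if p == "!=" and r == find(b):
                return False                      # x != y but x = y is forced
            if p == "!=":
                nbr.setdefault(r, set()).add(find(b))
                nbr.setdefault(find(b), set()).add(r)
        elif isinstance(b, int) and p in (">=", "<=", "="):
            if p != "<=":
                lo[r] = max(lo.get(r, b), b)
            if p != ">=":
                hi[r] = min(hi.get(r, b), b)
        else:
            raise ValueError(f"unsupported literal {(p, a, b)}")
    finite = [r for r in set(map(find, names)) if r in lo and r in hi]
    if any(lo[r] > hi[r] for r in finite):
        return False
    def assign(i, val):
        if i == len(finite):
            return True
        r = finite[i]
        for c in range(lo[r], hi[r] + 1):
            if all(val.get(q) != c for q in nbr.get(r, ())):
                val[r] = c
                if assign(i + 1, val):
                    return True
                del val[r]
        return False
    return assign(0, {})


def partitions(items):
    """Every set partition of items as a list of blocks (Bell-number many)."""
    if not items:
        yield []
        return
    for p in partitions(items[1:]):
        for i in range(len(p)):                   # items[0] joins block i ...
            yield p[:i] + [[items[0]] + p[i]] + p[i + 1:]
        yield [[items[0]]] + p                    # ... or opens a new block


def nelson_oppen(f_euf, f_z, shared):
    """First arrangement ar(P) that both theories accept, else None (unsat)."""
    for p in partitions(shared):
        ar = [("=", blk[0], v) for blk in p for v in blk[1:]]            # inside blocks
        ar += [("!=", b1[0], b2[0]) for b1, b2 in combinations(p, 2)]   # across blocks
        if euf_sat(f_euf + ar) and z_sat(f_z + ar):
            return p
    return None


# Constructed inputs transcribed from the slides (EUF part, Z part, shared vars).
EX_ABSTRACT = ([("!=", ("f", "x"), ("f", "y")), ("!=", ("f", "x"), ("f", "z"))],
               [(">=", "x", 1), ("<=", "x", 2), ("=", "y", 1), ("=", "z", 2)], ["x", "y", "z"])
EX_THREE = ([("!=", ("f", "x"), ("f", "a1")), ("!=", ("f", "x"), ("f", "a3")), ("!=", ("f", "a1"), ("f", "a2"))],
            [(">=", "x", 1), ("<=", "x", 3), ("=", "a1", 1), ("=", "a2", 2), ("=", "a3", 3)], ["x", "a1", "a2", "a3"])
```

nelson_oppen(*EX_ABSTRACT) returns None, because each of the five arrangements is rejected by one side exactly as listed on the example slide, and nelson_oppen(*EX_THREE) returns the single arrangement {x, a2}, {a1}, {a3}, the branch in which the case-splitting trace of Example (3) also ends. Each arrangement only needs representative disequalities across blocks because both solvers merge the equalities inside a block first. With 12 shared variables the same loop would have to visit over four million arrangements, which is the cost the deterministic propagation avoids.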

Abstract (non-deterministic) version of the Nelson-Oppen procedure. Advantages of the abstract presentation: abstracting away implementation details (typically by nondeterminism) helps clarity, generality and the simplicity of proofs, and it can help in designing concrete procedures in a more modular way.

Practical efficiency of the non-deterministic method. Phase 2 is formulated as "guess and check". The number of equivalence relations grows rapidly with the number of shared variables: it is given by the sequence of Bell numbers, which grows super-exponentially. For example, 12 shared variables induce over 4 million equivalence relations (B12 = 4,213,597).

Practical efficiency of the non-deterministic method. In fact there is no need to guess the entire equivalence relation at once; it can be constructed incrementally. In practice, implementations are based on the deterministic method.

Example of incremental "optimization" of the nondeterministic method. (a1 = x + y) ∧ (y + z ≥ x) ∧ (y ≥ x + z) ∧ (y = 1) ∧ (a2 = 2) ∧ (a1 = f(x)) ∧ (f(x) ≠ f(a2)). Shared variables: x, a1, a2. We attempt to construct an arrangement incrementally. Suppose x = a1: from F1 (arithmetic), a1 = x + y then implies y = 0, which contradicts y = 1 in F1; hence x ≠ a1. F1 ∧ (x ≠ a1) and F2 ∧ (x ≠ a1) are satisfiable. Suppose x = a2: from F2 (EUF), f(x) ≠ f(a2) gives a contradiction; hence x ≠ a2. F1 ∧ (x ≠ a1) ∧ (x ≠ a2) and F2 ∧ (x ≠ a1) ∧ (x ≠ a2) are satisfiable. Suppose a1 = a2: no contradiction arises in either theory. We have discovered the arrangement {{a1, a2}, {x}}, so F is satisfiable in the combined theory.

Stably infinite theories. Definition: a Σ-theory T is stably infinite if every quantifier-free Σ-formula φ that is T-satisfiable is satisfied by a T-interpretation with an infinite domain. The requirement that Ti has an infinite domain can be generalized to the requirement that Ti is stably infinite; correctness of the N.O. procedure is preserved for stably infinite theories.

Stably infinite theories. Example 1: consider the theory T_{a,b} with signature {a, b, =}, where a and b are constants, and the single axiom ∀x. (x = a ∨ x = b). In every T-interpretation the domain has at most 2 elements. Hence T_{a,b} is not stably infinite.

Stably infinite theories. Example 2: the theory T_E (equality with uninterpreted functions) is stably infinite. Proof: let F be a formula with an arbitrary satisfying T_E-interpretation I = (D_I, α_I). Let A be any infinite set disjoint from D_I. Construct a new interpretation J = (D_J, α_J) with D_J = D_I ∪ A, where α_J agrees with α_I on all variables and function symbols over D_I and maps arguments from A arbitrarily (e.g. to a fixed element of D_I). J is a T_E-interpretation satisfying F with an infinite domain. Hence T_E is stably infinite.

The problem with a non-stably-infinite theory. Recall the definition: a Σ-theory T is stably infinite if every T-satisfiable quantifier-free Σ-formula φ is satisfied by an interpretation with an infinite domain. In particular, no theory that admits only finite domains is stably infinite.

Problem: non-stably-infinite theories. Consider a theory T1 with Σ1: a function f, and axioms that only allow models with 2 distinct values; and a theory T2 with Σ2: a function g, interpreted over the domain ℕ. Recall that the combined theory T1 ⊕ T2 has the union of the axioms, hence a model of any formula φ of T1 ⊕ T2 cannot have more than 2 distinct values. So this formula is unsatisfiable in T1 ⊕ T2: f(x1) ≠ f(x2) ∧ g(x1) ≠ g(x3) ∧ g(x2) ≠ g(x3), since it forces x1, x2, x3 to be 3 distinct values.

Problem: non-stably-infinite theories. f(x1) ≠ f(x2) ∧ g(x1) ≠ g(x3) ∧ g(x2) ≠ g(x3). T1 receives f(x1) ≠ f(x2); T2 receives g(x1) ≠ g(x3), g(x2) ≠ g(x3). Each part is satisfiable in its own theory and there are no equalities to propagate, so N.O. wrongly answers "satisfiable".

Solution for non-stably-infinite theories. The Nelson-Oppen method cannot be used as is. A solution to this problem was suggested by Tinelli & Zarba [TZ05].

Extension 1: a shiny theory combined with a non-stably-infinite theory (Tinelli & Zarba [TZ05]). Smooth theory: T is smooth if for every quantifier-free formula φ, every T-model A satisfying φ, and every cardinal κ > |A|, there exists a T-model B satisfying φ with |B| = κ. Minimal cardinality: mincard_T(φ) is the smallest cardinality of a T-model satisfying φ. If T is stably finite (every T-satisfiable quantifier-free formula has a finite T-model), then mincard_T(φ) is a natural number for every satisfiable φ.

Extension 1: a shiny theory combined with a non-stably-infinite theory. Shiny theory: a theory T is shiny if T is smooth, T is stably finite, and mincard_T is computable. Examples of shiny theories: equality (over an arbitrary signature), partial orders, total orders. The combination method assumes that T1 is shiny and T2 is an arbitrary theory (not necessarily stably infinite).

Extension 1: a shiny theory combined with a non-stably-infinite theory - the combination method. 1. Purification. 2. Choose nondeterministically a partition P of the shared variables V. 3. If F1 ∧ ar(P) is satisfiable, go to the next step; otherwise output fail. 4. Compute n = mincard_{T1}(F1 ∧ ar(P)). 5. Construct a set δn of literals whose purpose is to force models of cardinality at least n: generate n new variables w1, …, wn not occurring in F1 ∧ F2 and let δn = {wi ≠ wj | 1 ≤ i < j ≤ n}. 6. If F2 ∧ ar(P) ∧ δn is satisfiable, output succeed; otherwise output fail.

Extension 1: a shiny theory combined with a non-stably-infinite theory. If there exists an arrangement for which the check phase outputs succeed, then the formula is satisfiable in the combined theory; otherwise it is unsatisfiable. In N.O. we assume that T2 is stably infinite, so the constraint δn is always satisfiable and need not be stated. In this extended variant, cardinality constraints are propagated in addition to equality constraints.

Back to the example: f(x1) ≠ f(x2) ∧ g(x1) ≠ g(x3) ∧ g(x2) ≠ g(x3), with T1 receiving f(x1) ≠ f(x2) and T2 receiving g(x1) ≠ g(x3), g(x2) ≠ g(x3). Here T2 (equality with the uninterpreted g) plays the role of the shiny theory. If x1 and x2 are in the same class Ei of the partition, the check outputs fail: with x1 = x2, the T1 part f(x1) ≠ f(x2) is unsatisfiable.

Back to the example: f(x1) ≠ f(x2) ∧ g(x1) ≠ g(x3) ∧ g(x2) ≠ g(x3). If x1 and x2 are in different classes of the partition, then F2 ∧ ar(P) is satisfiable and mincard_{T2}(F2 ∧ (x1 ≠ x2)) = 3, because g(x1) ≠ g(x3) and g(x2) ≠ g(x3) force x3 apart from both x1 and x2. In the final check, F1 ∧ (x1 ≠ x2) ∧ δ3 is T1-unsatisfiable, since T1 admits only 2 distinct values. Every arrangement fails, so we declare φ unsatisfiable.

Extension 2: combining stably finite theories. Assuming all combined theories are stably finite (in particular, each has a small-model property), the method computes, where possible, an upper bound on the size of a minimal satisfying model and propagates this information between the theories.

Extension 2: combining stably finite theories. Assume all combined theories are stably finite (i.e. have a small-model property) and that one of them has only finite models. The bound Ni on the size of a minimal satisfying model of formulas in theory Ti is computable. Transfer Ni between the theories. If there is no solution in theory Tj with cardinality at least Ni (for all i), return unsatisfiable. …

Summary. The N.O. combination method provides a general means of reasoning simultaneously about several theories using their individual decision procedures. In practice, the main application of the N.O. procedure is combining equality logic with uninterpreted functions with other theories, for example linear arithmetic. It is implemented in this way in most state-of-the-art solvers.