2.3 First-Order Theories for Computation
2.3.1 Linear Integer Arithmetic
Presburger Arithmetic is the language of arithmetic over the natural numbers $\mathbb{N}$ without multiplication. Though lacking in expressivity, Presburger formulas arise frequently in software verification: simple while-loops can be modelled [BMS06], and both integer-valued linear programming problems and constraint satisfaction problems can be expressed as Presburger Arithmetic formulas. Furthermore, the theory allows quantifier elimination: each quantified formula is equivalent to a quantifier-free (ground) formula, and so the first-order theory is decidable.
The decidability of Presburger Arithmetic was shown by M. Presburger [PJ91], and the quantifier elimination procedure used today was given by Cooper [Coo72]. The latter procedure works in a language extended with multiplication and division by constant coefficients, whose theory is equivalent to Presburger Arithmetic.
The signature of Presburger Arithmetic is $\Sigma_P = \{0, s^1, +^2\}$, where $0$ is a constant, $s^1$ is the 1-ary successor function and $+^2$ is addition, written infix. The only sort apart from Bool is $S_{\mathbb{N}}$, the sort of natural numbers. The axioms for Presburger arithmetic are:

(1) $s(x) \not\approx 0$
(2) $s(x) \approx s(y) \Rightarrow x \approx y$
(3) $x + 0 \approx x$
(4) $x + s(y) \approx s(x + y)$
(5) $(\varphi[0] \land \forall n.\,(\varphi[n] \Rightarrow \varphi[n+1])) \Rightarrow \forall x.\,\varphi[x]$,

where $\varphi$ is any $\Sigma_P$-formula with one free variable.
The language of Presburger Arithmetic is too cumbersome for most applications in software verification. More common is Linear Integer Arithmetic (LIA), which has signature $\Sigma_{\mathbb{Z}} = \{\ldots, -2, -1, 0, 1, 2, \ldots, -^1, +^2, <^2\}$; the sort of integers $S_{\mathbb{Z}}$ is the only sort. The axioms of LIA are those of a linearly ordered Abelian group where $\{0, -, +, <\}$ have their expected roles. Its canonical model is $\mathbb{Z}$ with the natural addition function and order relation. The theory of LIA is equivalent to Presburger arithmetic, as $\Sigma_{\mathbb{Z}}$-formulas can be directly translated to $\Sigma_P$-formulas [BM07].
In order to better support the combination with other theories, it is useful to extend $\Sigma_{\mathbb{Z}}$ with a countably infinite set $\Pi$ of fresh constant symbols, called parameters. The theory of LIA with parameters consists of the interpretations in which the operators in $\Sigma_{\mathbb{Z}}$ have their canonical interpretation and the parameters in $\Pi$ are always interpreted as members of $\mathbb{Z}$. A formula with parameters is equivalent to a $\Sigma_{\mathbb{Z}}$-formula in which the parameters are replaced by existentially quantified variables. However, LIA with parameters is non-compact: consider the infinite set of formulas $\{0 < \alpha,\ 1 < \alpha,\ \ldots\}$, where $\alpha$ is a parameter. Every finite subset is satisfiable, but there is clearly no interpretation satisfying the entire set in the theory of LIA with parameters, as $\alpha$ must be interpreted as an integer. This fact will become important in Section 4.
Cooper's Algorithm: Cooper's algorithm [Coo72] for quantifier elimination in LIA (and therefore for deciding $T_{\mathbb{Z}}$-validity of $\Sigma_{\mathbb{Z}}$-formulas) is well known. Although formulas with arbitrary quantifier structure can be checked, the complexity of the procedure is very high: Oppen [Opp78] gives an upper-bound time complexity of $2^{2^{cn}}$ for formulas of length $n$ and some positive constant $c$, while Fischer and Rabin [FR74] show that for most lengths $n$ there is some formula whose validity check takes at least $2^{2^{dn}}$ steps, for some constant $d$. Despite this, Cooper's algorithm has the advantage of being well understood: optimizations are already described by Reddy and Loveland [RL78], and implementations including various optimizations are described elsewhere [Har09, PH15, BM07]. Moreover, it is advantageous to have a single algorithm that can discharge proof goals of varying complexity. Consider the use of Cooper's algorithm in the Isabelle/HOL proof environment: the well-known proofs of correctness allow for a verified implementation, and the algorithm's generality allows it to be used as a component solver in the proof assistant.
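As an added illustration (not code from this thesis or from any of the cited implementations), the following Python carries out the core step of Cooper's procedure for one existential quantifier over a conjunction of strict inequalities and divisibility atoms: coefficient normalisation, the set $B$ of lower bounds, the period $\delta$ of the divisibility atoms, and the $\varphi_{-\infty}$ case. The term and atom encodings and the sample formula $\exists x.\, y < 2x \land 3x < z \land 2 \mid x + 1$ are constructed here for the example.

```python
from math import lcm
# Terms: dict var -> int coefficient, constant under key "". Atoms: ("lt", t, 0)
# means t < 0 and ("div", t, d) means d | t. cooper() eliminates 'exists x' from
# a conjunction of atoms, returning a disjunction (list) of x-free conjunctions.

def add(t, u, k=1):  # t + k*u, dropping zero coefficients
    r = dict(t)
    for v, c in u.items():
        r[v] = r.get(v, 0) + k * c
    return {v: c for v, c in r.items() if c}
def subst(t, x, u):  # t[x := u]
    return add({v: c for v, c in t.items() if v != x}, u, t.get(x, 0))

def cooper(x, atoms):
    # 1. Scale each atom so x has coefficient +-m; treat m*x as a fresh x' (+-1) and add m | x'.
    m = lcm(*[abs(t[x]) for _, t, _ in atoms if t.get(x)])
    norm = []
    for kind, t, d in atoms:
        a = t.get(x, 0)
        if a:
            k = m // abs(a)
            t = {v: c * k for v, c in t.items()}
            t[x] = 1 if a > 0 else -1
            d *= k
        norm.append((kind, t, d))
    norm.append(("div", {x: 1}, m))
    # 2. Lower bounds b < x are the atoms -x + b < 0; delta = period of the div atoms.
    lows = [{v: c for v, c in t.items() if v != x}
            for kind, t, _ in norm if kind == "lt" and t.get(x) == -1]
    delta = lcm(*[d for kind, _, d in norm if kind == "div"])
    # 3. phi_{-inf}: no lower bound, so only x-free and div atoms (x = 1..delta) remain.
    dnf = []
    if not lows:
        inf = [at for at in norm if not (at[0] == "lt" and at[1].get(x))]
        dnf += [[(kind, subst(t, x, {"": j}), d) for kind, t, d in inf]
                for j in range(1, delta + 1)]
    # 4. Otherwise some lower bound b is tight: x = b + j for some j in 1..delta.
    for b in lows:
        for j in range(1, delta + 1):
            dnf.append([(kind, subst(t, x, add(b, {"": j})), d)
                        for kind, t, d in norm])
    return dnf

def holds(dnf, env):  # evaluate the eliminated formula under env
    val = lambda t: sum(c * (env[v] if v else 1) for v, c in t.items())
    return any(all(val(t) < 0 if kind == "lt" else val(t) % d == 0
                   for kind, t, d in conj) for conj in dnf)
# Constructed input: exists x. y < 2x  and  3x < z  and  2 | x + 1
PHI = [("lt", {"y": 1, "x": -2}, 0), ("lt", {"x": 3, "z": -1}, 0),
       ("div", {"x": 1, "": 1}, 2)]
```

`cooper("x", PHI)` returns twelve conjunctions over $y$ and $z$ only, and `holds` evaluates them for given values of $y$ and $z$, so the result can be checked against a brute-force search over $x$.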
The relationship between complexity and quantifier structure for Peano Arithmetic formulas has also been investigated. Reddy and Loveland [RL78] show that for formulas of length $n$ with $m > 0$ quantifier alternations, the complexity is just $2^{2^{cn^{m+4}}}$ for a constant $c > 0$. More specifically, Haase [Haa14] shows that Presburger Arithmetic formulas with a fixed number of quantifier alternations are complete for the respective levels of the weak EXP hierarchy. Woods [Woo15] shows that the sets described by Presburger formulas are exactly those sets which have rational generating functions.
Cooper's algorithm is by no means the only approach to checking validity of Presburger Arithmetic formulas. Presburger Arithmetic formulas with fewer than two quantifier alternations are already similar to integer linear programming problems, which are NP-hard with one quantifier alternation and in NP with none. For quantifier-free problems, the Boolean structure of the formula has a large effect on performance. This can be addressed by specialized techniques that use SAT solvers to break the formula down into conjuncts. These techniques include projection [Mon10] and abstraction [KOSS04]. Additionally, the Omega Test described by Pugh [Pug91] can be used for efficient solving of quantifier-free Presburger Arithmetic formulas. Yet further afield, Boudet and Comon [BC96] give an automata-based method for solving Presburger formulas, and give tight performance bounds (including for formulas with no quantifier alternations). Certain applications have been described which take advantage of automata-based methods [SKR98, CJ98].
The combination of Presburger Arithmetic with various theories has also been investigated, and some combinations with data structure theories will be mentioned in the next section. Such combinations need to be carefully managed: Downey [Dow72] and, later, Halpern [Hal91] show that adding just one uninterpreted unary predicate to $\Sigma_{\mathbb{Z}}$ is sufficient to make the validity problem $\Pi^1_1$-complete.