3.2 Background Reasoning
3.2.3 Other Arithmetic Features
Linear Rational Arithmetics. The solver for LRA comprises a Fourier-Motzkin³ style QE procedure for eliminating BG variables. It eliminates variables from DNF T_Q-formulas by replacing s_i ≤ x with s_i ≤ t_j for each literal x ≤ t_j appearing in the same disjunct as s_i ≤ x. The variable x is eliminated from a particular disjunct after all such pairs have been added. However, this leads to a worst-case double exponential growth in the size of formulas [Mon10], so once the formula has been reduced to a single quantifier alternation (i.e., of the form ∃. F) a Simplex solver is used to eliminate the final variables.
This solver is an off-the-shelf implementation of the Simplex algorithm⁴. In order to support literals with strict inequalities, an extra variable is introduced. For example, ax + by + cz > k for a, b, c, k ∈ ℚ and variables x, y, z becomes ax + by + cz ≥ k + d assuming d > 0, where d is a new variable. The new variable d is reused for all inequalities, and to satisfy the constraint d > 0 the value of d is maximized by the Simplex algorithm. If a solution exists but d ≤ 0 after maximizing, then the problem is unsolvable (T_Q-invalid); otherwise it is T_Q-valid.
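The pairing step of the Fourier-Motzkin procedure described above, as an added Python example that is not Beagle's code: constraints are 0 ≤ t or 0 < t over linear terms given as coefficient dictionaries (the constant under key "1"), and fm_eliminate works on one DNF disjunct at a time, as the solver does. fm_satisfiable is an assumed helper that runs the elimination down to ground constraints instead of handing the last variables to Simplex.

```python
from fractions import Fraction

# Linear terms: dict var -> coefficient, constant under key "1".  A constraint (t, strict)
# reads 0 ≤ t when strict is False and 0 < t when strict is True (the solver's s ≤ x and
# x ≤ t literals are the special cases with a single ±x on one side).

def add(t, u):
    return {v: c for v in set(t) | set(u) if (c := t.get(v, 0) + u.get(v, 0))}

def fm_eliminate(x, cons):
    """One Fourier-Motzkin step on a conjunction (one DNF disjunct): every lower bound s ≤ x
    is paired with every upper bound x ≤ t into s ≤ t, strict if either bound is; x is dropped."""
    lower, upper, out = [], [], []
    for t, strict in cons:
        c = Fraction(t.get(x, 0))
        if c == 0:                          # x absent: the constraint survives unchanged
            out.append((t, strict)); continue
        r = {v: Fraction(k) / abs(c) for v, k in t.items() if v != x}
        # c > 0: 0 ≤ x + r, a lower bound -r ≤ x;  c < 0: 0 ≤ -x + r, an upper bound x ≤ r
        (lower if c > 0 else upper).append((r, strict))
    for rl, sl in lower:
        for ru, su in upper:
            out.append((add(rl, ru), sl or su))  # -rl ≤ x ≤ ru collapses to 0 ≤ rl + ru
    return out

def fm_satisfiable(variables, cons):
    """Eliminate the variables in turn, then check the remaining ground constraints over Q."""
    for x in variables:
        cons = fm_eliminate(x, cons)
    for t, strict in cons:
        assert all(v == "1" for v in t), "eliminate every variable first"
        k = Fraction(t.get("1", 0))
        if (k <= 0) if strict else (k < 0):  # 0 < k, respectively 0 ≤ k, is violated
            return False
    return True
```

Note that 0 < x ∧ x < 1 is satisfiable here (x = 1/2), unlike over the integers; the quadratic number of pairs per step is the growth the text refers to.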
The cautious simplification rules for LRA evaluate arithmetic subterms, and the aggressive simplification rules rewrite subterms towards a flat structure by exploiting AC properties of the operators, as for LIA. Syntactic differences between concrete numbers aside, linear real arithmetic is treated by additional lemmas that are valid in real arithmetic. Overall, the LRA solver is not as advanced as the LIA solver.
Non-linear Arithmetic. Beagle features a simplistic treatment of non-linear arithmetic. During preprocessing, every occurrence of a non-linear multiplication subterm s·t is replaced by prod(s, t), where prod is a dedicated foreground function symbol of the proper arity. As soon as s or t in prod(s, t) is replaced by a concrete number, the resulting term is turned into a (theory) multiplication term again. There are dedicated lemmas for each of the theories T_Z, T_Q, T_R that define multiplication in terms of repeated addition and specify other difficult-to-prove properties of multiplication. See the previous section on lemmas, Section 3.2.1. An alternative, described in Chapter 4, is to attempt to prove that the input formula φ is B-unsatisfiable (as opposed to proving ¬φ unsatisfiable). If φ contains no uninterpreted terms other than non-linear product terms, then the fact that ¬φ is B-valid follows from the unsatisfiability of φ and the satisfiability of the axioms defining the product operator. This observation was useful in the competition, see Section 3.5.3, but requires some care to apply correctly.
³ Due to J. Fourier, 1824. A description of the method's application as a decision procedure is in Monniaux [Mon10].
⁴ Part of the Apache Commons math library. See http://commons.apache.org/proper/commons-
Chaining. The optional chaining inference rules apply the transitivity property of <. One of them is positive chaining:
$$\text{Positive chaining}\qquad \frac{s < t \lor C \qquad u < v \lor D}{\mathrm{abstr}\big((s < v \lor C \lor D)\sigma\big)} \qquad \text{if } \sigma \text{ is an mgu of } t \text{ and } u.$$
Other chaining rules deal with negative inequations ¬(u < v) in the right premise. Currently, the only restriction is that the literals selected for inferencing are not pure BG.
A variation on the chaining rule can be used to recover sufficient completeness in certain cases. Consider a problem of the form:
Example 3.2.3. Let x, y be Z-sorted variables, a some Z-sorted constant, and f : Z → Z.
(1) a < f(x)
(2) f(x) < a + 4
(3) (0 ≤ x ∧ x ≤ 3) ⇒ f(x) < f(x+1)
The set of (1), (2), and (3) is inconsistent, since (1) and (2) allow f to take at most three distinct values, while (3) requires four.
Unsatisfiability can be demonstrated in the Hierarchic Superposition calculus by introducing either of
(4.1) f(x) ≈ a+1 ∨ f(x) ≈ a+2 ∨ f(x) ≈ a+3
(4.2) {f(0) < f(1), f(1) < f(2), f(2) < f(3)}
Adding (4.1) to the clause set recovers sufficient completeness, as then any model must satisfy f(t) ≈ a+1, f(t) ≈ a+2, or f(t) ≈ a+3 where t is ground. On the other hand, adding (4.2) does not immediately give sufficient completeness, but it adds new instances of f to the clause set which may not otherwise occur. These instances enable the derivation of the required contradiction.
generalizes the LIA theorem
$$\exists a\!:\!\mathbb{Z}.\,(a < t \land t < a + k) \;\Leftrightarrow\; \bigvee_{j=1}^{k-1} t \approx a + j \qquad (3.1)$$
where k ∈ ℕ, k > 1, and t is any integer-sorted term.
There are two forms of this rule, corresponding to the left and right directions of (3.1).
$$\text{Inst-Right}\qquad \frac{r < s \lor C \qquad t < u \lor D}{\big(s \approx r+1 \lor \ldots \lor s \approx r+(k-1) \lor C \lor D\big)\sigma}$$
$$\text{Inst-Left}\qquad \frac{\lnot(r < s) \lor \lnot(t < u) \lor C}{(s \not\approx r+1 \lor C)\sigma,\ \ldots,\ (s \not\approx r+(k-1) \lor C)\sigma}$$
where σ = mgu(s, t); (u − r)σ ≈_Z k ∈ ℕ, k > 1; and both r < s and t < u are not pure BG.
Sufficient completeness (of a subset of clause instances) is recovered in the special case where both C and D are empty in the premises of Inst-Right. As with the Define rule, Inst-Right is best applied eagerly in a derivation. The Inst-Left rule does not recover sufficient completeness, although it does introduce clause instances which could be useful in a derivation, as seen in the example.
This illustrates an interesting overlap of theory reasoning and sufficient completeness. Where a clause set has sufficient completeness already, Inst-Right and Inst-Left are not necessary, as all clauses with free BG-sorted terms are eventually equivalent to some BG clauses. On the other hand, for clause sets without sufficient completeness, rules that implement theory reasoning for free BG terms can allow derivations which would otherwise not be possible. Theory reasoning, as a strategy for dealing with a lack of completeness, has the advantage of being applicable to all clause sets extending that particular background theory.
3.3 Linear Integer Arithmetic
As previously mentioned, the solver for the LIA theory in Beagle is a custom implementation of Cooper's algorithm. Satisfiability in the EA-fragment of Σ_Z is decided by two rounds of QE.
A high-level description of the essentials of Cooper's algorithm as implemented in Beagle, following Harrison [Har09], is given below:
Let ∃x. F be a formula in negation normal form, where F is quantifier-free. The aim of any QE algorithm is to produce from F some quantifier-free formula G that is equisatisfiable w.r.t. the given theory, T_Z in this case. Note that, in general, universal quantifiers are presumed to be eliminated using the equivalence ∃x. F ⇔ ¬∀x. ¬F.
The following assumes the primitive operators ≈, <, ≉, |, so all literals of F must be translated to one of these, e.g., s ≥ t becomes t < s ∨ t ≈ s. Every literal of F is assumed to be normalized into either of the forms
1. $0 \bowtie c_1 x_1 + \ldots + c_n x_n + k$, where $\bowtie \in \{\approx, <, \not\approx\}$, or
2. $d \mid c_1 x_1 + \ldots + c_n x_n + k$, for $d \in \mathbb{Z}$ and possibly negated,
where the coefficients $c_i$ and $k$ are concrete integers whose greatest common divisor is 1.
Definition 3.3.1 (Cooper's Algorithm). To eliminate x from ∃x. F[x], do the following:
1. Let l be the lcm of all x coefficients in F and replace literals as follows:
• replace $0 \approx cx + t$ with $0 \approx x + (l/c)\,t$
• replace $0 < cx + t$ with $0 < x + |l/c|\,t$, or $0 < -x + |l/c|\,t$ if c is negative
• replace $d \mid cx + t$ with $d \mid x + (l/c)\,t$
Similarly for negated versions of literals. Let $\mathrm{unit}_x(F) = F' \land l \mid x$, where $F'$ is F with all literals transformed as above.
2. Let $F_{-\infty}[x]$ be the formula that results from replacing the literals $0 \approx x + t$, $0 < x + t$ with ⊥, and the literals $0 < -x + t$, $0 \not\approx x + t$ with ⊤, in $\mathrm{unit}_x(F)$.
3. Let $B_x$ be the set such that
(a) $-t \in B_x$ if either $0 < x + t$ or $0 \not\approx x + t$ occurs in $\mathrm{unit}_x(F)$, and
(b) $-(t+1) \in B_x$ if $0 \approx x + t$ occurs in $\mathrm{unit}_x(F)$.
Let $F_B[j] := \bigvee_{b \in B_x} \mathrm{unit}_x(F)[b + j]$ for a fresh variable j.
4. Let D be the lcm of all the d in literals $d \mid x$ or $\lnot(d \mid x)$ in $\mathrm{unit}_x(F)$, or 1 if there are none. Cooper's theorem establishes that
$$\exists x.\, F[x] \;\Leftrightarrow\; \bigvee_{j=1}^{D} \big(F_{-\infty}[j] \lor F_B[j]\big) \qquad (3.2)$$
The right-hand formula in the equivalence (3.2) is called the elimination formula for x.
Example 3.3.1. Consider the elimination of x from
Note that F is already in normal form.
$$\mathrm{unit}_x(F) = 3 \mid x \;\land\; 0 < -x + y \;\land\; 0 \not\approx y - 5, \qquad l_x = 3$$
$$F_B = \bot, \text{ since } B_x = \emptyset, \qquad F_{-\infty} = (3 \mid j \land \top) \land 0 \not\approx y - 5$$
Then
$$F \;\Leftrightarrow\; \exists y.\, \bigvee_{j=1}^{3} \big(3 \mid j \land 0 \not\approx y - 5\big).$$
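The four steps of Definition 3.3.1, as an added Python example that is not Beagle's code: cooper takes the literals of one conjunction in the normal form above (terms as coefficient dictionaries, the constant under key "1") and returns the right-hand side of (3.2) with each j substituted, ground literals evaluated, and the result multiplied out into a DNF. It follows the example by assuming F = 0 < −3x + y ∧ 0 ≉ y − 5 (the page's own F is not shown), and in step 1 it also scales the divisor of d | cx + t by |l/c|, which the rule as printed leaves out.

```python
from math import lcm

# Linear terms: dict var -> coefficient, the constant under key "1".  A literal (op, t, d) reads
# "0 op t" for op in eq/lt/ne (then d is 0), or "d | t" / "d ∤ t" for op = div / ndiv.
def add(t, u):
    return {v: c for v in set(t) | set(u) if (c := t.get(v, 0) + u.get(v, 0))}
def scale(t, m):
    return {v: m * c for v, c in t.items() if m * c}
def subst(t, x, u):  # t[x := u]
    return add({v: c for v, c in t.items() if v != x}, scale(u, t.get(x, 0)))
def evaluate(lit):  # ground literal -> True/False; non-ground literal -> itself
    op, t, d = lit
    if any(v != "1" for v in t):
        return lit
    k = t.get("1", 0)
    if op in ("div", "ndiv"):
        return (k % d == 0) == (op == "div")
    return {"eq": k == 0, "lt": k > 0, "ne": k != 0}[op]
def instantiate(lits, x, u):  # the conjunction lits[x := u], or None once a literal is ⊥
    out = [evaluate((op, subst(t, x, u), d)) for op, t, d in lits]
    return None if False in out else [r for r in out if r is not True]

def cooper(x, lits):
    """Eliminate ∃x from the conjunction lits; returns the elimination formula (3.2) as a DNF."""
    # Step 1: unit_x(F).  x now stands for l·x, so every x-coefficient is ±1, and l | x is added.
    l = lcm(*[abs(t[x]) for _, t, _ in lits if x in t])
    unit, minus_inf, B, bot = [("div", {x: 1}, l)], [("div", {x: 1}, l)], [], False
    for op, t, d in lits:
        c = t.get(x, 0)
        if c == 0:                 # x absent: the literal is kept as it is (also in F_-inf)
            unit.append((op, t, d)); minus_inf.append((op, t, d)); continue
        m = abs(l // c) if op == "lt" else l // c   # 0 < cx+t keeps sign(c); the rest multiply by l/c
        s = scale({v: k for v, k in t.items() if v != x}, m)            # the scaled t
        lit = (op, add({x: 1 if c * m > 0 else -1}, s), d * abs(m))     # divisor d becomes |l/c|·d
        unit.append(lit)
        # Steps 2 and 3: F_-inf (bot records a ⊥ literal) and the boundary set B_x, built alongside.
        if op in ("div", "ndiv"): minus_inf.append(lit)                 # divisibility literals survive
        elif op == "eq": B.append(scale(add(s, {"1": 1}), -1)); bot = True   # ⊥;  -(t+1) ∈ B_x
        elif op == "ne": B.append(scale(s, -1))                          # ⊤;  -t ∈ B_x
        elif c > 0: B.append(scale(s, -1)); bot = True                   # 0 < x+t: ⊥, -t ∈ B_x; 0 < -x+t: ⊤
    D = lcm(*[d for op, _, d in unit if op in ("div", "ndiv")])
    # Step 4: the disjunction over j = 1..D of F_-inf[j] ∨ F_B[j], multiplied out into a DNF.
    dnf = []
    for j in range(1, D + 1):
        insts = [instantiate(unit, x, add(b, {"1": j})) for b in B]
        if not bot:
            insts.append(instantiate(minus_inf, x, {"1": j}))
        dnf += [conj for conj in insts if conj is not None]
    return dnf
```

For the assumed F, cooper("x", [("lt", {"x": -3, "y": 1}, 0), ("ne", {"y": 1, "1": -5}, 0)]) yields the single disjunct 0 ≉ y − 5, as in the example; an empty DNF means ∃x. F is T_Z-unsatisfiable.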
Quantifier elimination. The built-in LIA solver is based on Cooper's algorithm as given above, and includes improvements as introduced in Cooper [Coo72]. It accepts arbitrary BG formulas, in particular conjunctions of clauses. The code roughly follows the algorithm described in Harrison [Har09]. The LIA solver is used both for deciding satisfiability of sets of BG clauses (Close rule) and for the elimination of variables as described above (QE-general rule).
The implementation includes several improvements to Cooper’s algorithm to make it more practical:
• conjunctions such as x < 5 ∧ x < 3 are replaced by x < 3, a limited form of subsumption;
• variables that admit unbounded (above or below) solutions are eliminated, e.g., ∃x. x ≉ 0 ∧ F, where x does not occur in F, is equivalent to F;
• equations x ≈ t, where x does not occur in t, are eliminated by substituting t for x.
Furthermore, if a conjunction contains the atomic formulas s_1 < α, …, s_m < α and α < t_1, …, α < t_n, and α does not occur elsewhere, then α can be removed by exhaustive resolution. (Resolution of s < α and α < t yields s + 1 < t.) If α does occur elsewhere, this form of resolution can still be used to prove unsatisfiability when s + 1 < t is false. This is similar to the first step of the Omega test for deciding Presburger arithmetic [Pug91].
The improvements mentioned above often help to solve problems much faster. However, most are effective only on conjunctions of literals. To maximize their utility, the implementation deviates from the standard Cooper algorithm by multiplying out disjunctions in the RHS of (3.2). This avoids deeply structured 'or-and' formulas and, as a special case, disjunctive normal form is preserved by solving and multiplying out the conjunctions separately.
Specifically, input to the algorithm is assumed to be a disjunction $F_0 = \exists x.\, G_0 \lor G_1 \lor \ldots \lor G_k$ where each $G_i$ is a conjunction. Each disjunct $G_i$ is treated separately; this well-known block-elimination enhancement reduces the lcm of the x coefficients. The simple elimination tests are applied first (for all variables, not just x), then the elimination formula for $G_i$ is produced. Assume $G_i = G_i^x \land G_i^0$ such that $G_i^0$ does not contain x, and that the result of (3.2) is $H_0 \lor H_1 \lor \ldots \lor H_l$; then $G_i = (H_0 \lor H_1 \lor \ldots \lor H_l) \land G_i^0$. This is the formula that is multiplied out, and Cooper is called recursively on $(H_0 \land G_i^0) \lor \ldots \lor (H_l \land G_i^0)$.
The final step of Cooper's algorithm involves instantiation over representatives of congruence classes of solutions for the target variable, which quite often leads to prohibitively large formulas. Using an improvement suggested in Harrison [Har09], Beagle occasionally defers this instantiation (based on the expected number of instances) until a later round of quantifier elimination. This is done by substituting a fresh variable and terms that describe the solution range, as occasionally a shorter proof of satisfiability/unsatisfiability can be found using a different variable.
Simplification and arithmetic term normalization. The cautious simplification rules for LIA comprise evaluation of arithmetic terms, e.g., 3·5, 3 < 5, α+1 < α+1 (equal LHS and RHS terms in inequations), and rules for TPTP operators, e.g., $to_rat(5), $is_int(3.5). For aggressive simplification, integer-sorted subterms are brought into a polynomial-like form and are evaluated as much as possible. For example, the term 5·α + f(3+6, α·4) − α·3 becomes 2·α + f(9, 4·α). BG formulas always produce proper polynomials, which can be used directly by the QE procedure without further conversions.
Aggressive simplification does not always preserve sufficient completeness. For example, in the clause set N = {p(1 + (2 + f(x))), ¬p(1 + (x + f(x)))}, the first clause is aggressively simplified, giving N' = {p(3 + f(x)), ¬p(1 + (x + f(x)))}. Notice that both N and N' are T_Z-unsatisfiable, and sgi(N) ∪ GndTh(T_Z) is unsatisfiable, but sgi(N') ∪ GndTh(T_Z) is satisfiable, since 1 + (2 + f(2)) ≈ (1 + 2) + f(2) is not a theorem of GndTh(T_Z). Thus, N is (trivially) sufficiently complete while N' is not.
Aggressive simplification also includes heuristics for normalizing equations and inequations. Inequations are normalized by first eliminating the operators >, ≥ and ≤ in terms of <. The QE procedure treats < as a primitive, so this is a natural choice. Then, the monomials of the LHS and RHS polynomials are moved around so that only positive signs and only addition of monomials (not subtraction) result. The rationale is to normalize terms by removing unnecessary operators. Similar heuristics apply for equations, which attempt to produce orientable equations. For example, f(x) + 1 ≈ g(y) + 2 is not orientable, but f(x) − g(y) ≈ 1 is, as 1 is smaller than any FG term in the term order. Normalizing (in)equations may remove or install sufficient completeness and destroy refutational completeness. Yet, experiments showed that aggressive simplification is far superior to cautious simplification in practice, hence it is enabled by default.