4.4 Applications

4.5.1 Related Work

Many common formulas are not included in the array property fragment (Chapter 2, and also [BMS06]), for example an injectivity predicate for arrays, see distinct in the previous section. Ghilardi et al. [GNRZ07] provide a decision procedure for an extension of the array theory and demonstrate how decision procedures may be derived for extensions to this theory, many of which lie outside the array property fragment. This relies on the existence of a ‘standard model’ for the theory and extension, whose existence must be demonstrated a priori.

In contrast to these works, we do not provide decision procedures for specific fragments. This is intentionally so, in order to support disproving tasks in the presence of liberally formulated additional axioms (the set HYP above). Although we employ Superposition-based provers in the experiments, like some approaches above, our approach does not hinge on finite saturation. Claessen and Lillieström [CL11] present a method for showing that a set of formulas does not admit finite models. It does not answer whether infinite models exist, and so is complementary to the above. Suter et al. [SKK11b] give a semi-decision procedure for checking satisfiability of correctness properties of recursive functional programs on algebraic data types, which overlaps with the given method on lists (Lemma 4.3.2) by imposing similar syntactic restrictions. Their method works differently, by partial unrolling of function definitions into quantifier-free logic, instead of theorem proving on (quantified) formulas.

Ge and de Moura [GdM09] describe macro definitions. A macro is a non-ground clause $g(x) \approx t[x]$ where $g$ does not occur in $t$. They suggest that the best way to deal with terms $g(s)$ is to remove them entirely from the input formula, after which the clause defining $g$ is equivalent to true. They generalize this to the concept of a pseudo-macro, which is a symbol $g$ defined by a set of clauses $D_g = \{C_1[x], \ldots, C_n[x]\}$ such that all $C_i$ contain $g(x)$ and are trivially true after replacing $g(x)$ with some term $t_g[x]$. Another simple form of pseudo-macro is $D_g = \{C_1[x] \lor g(x) \bowtie t_g[x], \ldots, C_n[x] \lor g(x) \bowtie t_g[x]\}$ where $\bowtie$ is $\approx$, $\leq$ or $\geq$. This concept is exploited to limit instantiation in the SMT scheme they describe. Note that macros fit the pattern of basic definitions described in Example 4.2.2, and so pseudo-macros could offer a generalization along the same lines.
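The plain macro case described above, as an added example (not code from the thesis or from [GdM09]) on a constructed term encoding: a unit clause g(x) ≈ t[x] in which g does not occur in t is detected, every occurrence of g(s) in the other clauses is replaced by t[s], and the defining clause is dropped because it has become t[x] ≈ t[x], i.e. true. Pseudo-macros are not handled; the term encoding and function names are this example's own.

```python
# Constructed example (not the thesis' code): macro elimination after Ge and de Moura.
# Terms: an uppercase str is a variable; a tuple (symbol, arg1, ...) is a constant
# or compound term; a clause is a list of ("eq"|"neq", s, t) literals.
def is_var(term):
    return isinstance(term, str) and term[:1].isupper()

def occurs(sym, term):
    """True if function symbol `sym` appears anywhere in `term`."""
    return not is_var(term) and (term[0] == sym or any(occurs(sym, a) for a in term[1:]))

def find_macro(clause):
    """(g, params, body) if `clause` is a unit equation g(X1..Xn) ~ t, n >= 1,
    with distinct variable arguments and g not occurring in t; else None."""
    if len(clause) != 1 or clause[0][0] != "eq":
        return None
    _, lhs, rhs = clause[0]
    for head, body in ((lhs, rhs), (rhs, lhs)):   # either orientation may define g
        if (not is_var(head) and len(head) > 1
                and all(is_var(a) for a in head[1:])
                and len(set(head[1:])) == len(head) - 1
                and not occurs(head[0], body)):
            return head[0], list(head[1:]), body
    return None

def substitute(term, env):
    if is_var(term):
        return env.get(term, term)
    return (term[0],) + tuple(substitute(a, env) for a in term[1:])

def expand(term, g, params, body):
    """Replace every g(s1..sn) in `term` by body[s1..sn], innermost first."""
    if is_var(term):
        return term
    args = tuple(expand(a, g, params, body) for a in term[1:])
    if term[0] == g and len(args) == len(params):
        return substitute(body, dict(zip(params, args)))
    return (term[0],) + args

def eliminate_macros(clauses):
    """Remove each macro clause (it becomes t[x] ~ t[x], i.e. true, once g is
    gone) and expand g in every other clause, until no macro remains."""
    remaining = list(clauses)
    while True:
        hit = next(((i, m) for i, c in enumerate(remaining)
                    if (m := find_macro(c)) is not None), None)
        if hit is None:
            return remaining
        i, (g, params, body) = hit
        del remaining[i]
        remaining = [[(pol, expand(s, g, params, body), expand(t, g, params, body))
                      for pol, s, t in c] for c in remaining]
```

Because each round deletes one clause, the loop terminates even when macros are chained (g defined via h, h via a base term), and a unit equation whose defining symbol occurs in its own right-hand side is left alone since it is not a macro.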

Reynolds et al. [RBCT16] give an admissibility criterion for use in translating recursive function definitions for consumption by SMT solvers. This criterion identifies when the translation in question preserves unsatisfiability of the function definition. Although similar in intent, this definition of admissibility is semantic and requires an external proof of admissibility. Well-founded definitions are shown to be admissible, so only a termination proof is required for those definitions.

In particular, a definition is admissible in the sense of Reynolds et al. when expansion with the terms of the definition does not affect T-satisfiability of a set of formulas that uses the definitions. It is likely that this is a more general account of admissibility than that given here; for example, definitions identified in Theorem 4.3.1 are (semantically) admissible, by virtue of being well-founded. Nevertheless, syntactic criteria are useful in that they give a short-cut method of proving the admissibility of the definition, although they may not cover all possible expressions of that property.

Finite Quantification in Hierarchic Theorem Proving

5.1 Motivation

The previous chapter addressed the problem of disproving contradictory conjectures in the presence of background theories. This chapter considers the obvious next question: what to do when the conjecture is contingently true, in other words, when HYP ∪ {¬Con} is B-satisfiable. In particular, under the assumption that there are only finitely many free BG-sorted subterms in the ground instances of the clause set (more specifically, the relevant terms are finite), the hierarchic satisfiability problem can be solved using Superposition for hierarchic theories as described in Chapter 2.

This chapter also describes an algorithm for the hierarchic satisfiability problem that employs a conflict-guided instantiation strategy for producing formulas that are free of the completeness problems that can lead to an incorrect conclusion of satisfiability. Unlike traditional finite model finders, it avoids exhaustive instantiation, hence it is expected to scale better with the size of the problem domains. While aimed at demonstrating satisfiability, if the algorithm determines unsatisfiability w.r.t. finite domains, the given clause set is also unsatisfiable w.r.t. unbounded domains. Thus this approach could be seen as an extension of quantifier instantiation heuristics that determines satisfiability w.r.t. finite domains.

The key results of the chapter are a correctness proof and experimental results that illustrate the performance characteristics of the algorithm. This updates results in Baumgartner et al. [BBW14] and places them in the context of later developments.

Section 5.2 contains a step-by-step application of the satisfiability procedure to an example problem in the theory of arrays. Then the particular language fragment used to model the Ground Base-sorted Term (GBT)-fragment is introduced, as well as a (previously unpublished) technique for modelling quantification over arbitrary finite sets using finite integer sets. The satisfiability procedure is introduced in Section 5.4, as well as a heuristic that uses solvers to find terms for updating the equivalence relation. Section 5.5 contains a small set of experiments that illustrate the range of possible behaviours and the scalability of the algorithm. Finally, Section 5.6 places the satisfiability procedure in the context of a selection of other satisfiability procedures that include theory reasoning.