A Generalization of Shostaks Metho d for

Combining Decision Pro cedures

Clark W Barrett David L Dill and Aaron Stump

Stanford University Stanford CA USA

httpverifystanfordedu

c

SpringerVerlag

Abstract Consider the problem of determining whether a quantier

free formula is satisable in some rstorder theory T Shostaks al

gorithm decides this problem for a certain class of theories with b oth

interpreted and uninterpreted function symbols We present two new

algorithms based on Shostaks metho d The rst is a simple subset of

Shostaks algorithm for the same class of theories but without uninter

preted function symbols This simplied algorithm is easy to understand

and prove correct providing insight into how and why Shostaks algo

rithm works The simplied algorithm is then used as the foundation for

a generalization of Shostaks metho d based on a variation of the Nelson

Opp en metho d for combining theories

Introduction

In Shostak introduced a clever and subtle algorithm which decides the

satisability of quantierfree formulas in a combined theory which includes a

rstorder theory or combination of rstorder theories with certain prop erties

and the theory of with uninterpreted function symbols But despite

the fact that Shostaks metho d is less general than its predecessor the Nelson

Opp en metho d it has generated considerable interest and is the basis for

decision pro cedures found in several to ols including PVS STeP and

SVC

There are several go o d reasons for this First of all it is easier to implement

the NelsonOpp en metho d provides a framework for combining decision pro ce

dures but gives no help on how to construct the individual decision pro cedures

But as we show in the next section at the core of Shostaks pro cedure is a

simple metho d for generating decision pro cedures for a large class of theories

A second reason for the success of Shostaks metho d is that despite requiring

more restrictive conditions in order to accommo date a theory a wide variety

of useful theories have b een shown to satisfy these conditions Finally

empirical studies have shown that Shostaks metho d is an order of magnitude

more ecient than the NelsonOpp en metho d

Unfortunately the original pap er is dicult to follow due in part to the fact

that it contains several errors and despite an ongoing eort to understand and

clarify the metho d it remains dicult to understand

In this pap er we take a new approach to explaining Shostaks algorithm

We rst present a subset of the original algorithm in particular the subset

which decides formulas without uninterpreted function symbols This algorithm

is surprisingly simple and straightforward and gives considerable insight into

how Shostaks algorithm works

This algorithm then forms the basis for a more general algorithm that lies at

an abstraction level somewhere b etween the general NelsonOpp en framework

and the highlysp ecialized Shostak pro cedure The purp ose is to describ e an

algorithm which is abstract enough that it can b e understo o d and proved correct

but sp ecic enough that it is not hard to see how to sp ecialize it further to recover

Shostaks original algorithm The correctness pro of of this algorithm relies on

a new variation of the NelsonOpp en pro cedure and new theorem which relates

convexity a requirement for Shostak and stableinniteness a requirement for

NelsonOpp en

It is our hop e that this exercise will not only shed light on how Shostaks

metho d can b e seen as an ecient renement of the NelsonOpp en metho d

but also provide a generalization which can b e used to achieve other ecient

renements Indeed one such p ossible renement is describ ed in the rst authors

dissertation

In Section b elow some preliminary denitions and notation are given

The simple algorithm without uninterpreted function symbols is presented in

Section Section reviews the NelsonOpp en metho d in preparation for the

generalized algorithm which is presented in Section Finally Section compares

our approach to other work on Shostaks algorithm and describ es the renements

necessary to recover Shostaks original algorithm

Preliminary Concepts

Some Notions from Logic

A theory is a set of closed formulas For the purp oses of this pap er all theories

are assumed to b e rstorder and to include the axioms of equality The sig

nature of a theory is the set of function predicate other than equality and

constant symbols app earing in those sentences A literal is an atomic formula or

its To avoid confusion with the logical equality symbol we use the

symbol to indicate that two logical expressions are syntactically identical

For a given mo del M a variable assignment is a function which assigns to

each variable an element of the domain of M We write M j if is true in

the mo del M with variable assignment If is a set of formulas then M j

indicates that M j for each In general whenever sets of formulas are

used as logical formulas the intended meaning is the conjunction of the formulas

in the set A formula is satisable if there exists some mo del M and variable

assignment such that M j If is a set of formulas and is a formula

then j means that whenever a mo del and variable assignment satisfy

they also satisfy A set S of literals is convex in a theory T if T S do es not

entail any disjunction of equalities b etween variables without entailing one of

the equalities itself A theory T is convex if every set of literals in the language

of the theory is convex in T

Equations in Solved Form

Denition A set S of equations is said to be in solved form i the lefthand

side of each equation in S is a variable which appears only once in S We refer

to the variables which appear only on the lefthand sides as solitary variables

A set S of equations in solved form denes an idemp otent substitution the one

which replaces each solitary variable with its corresp onding righthand side If

S is an expression or set of expressions we denote the result of applying this

substitution to S by S S Another interesting prop erty of equations in solved

form is that the question of whether such a set S entails some formula in a

theory T can b e answered simply by determining the validity of S in T

Prop osition If T is a theory with signature and S is a set of equations

in solved form then T S j i T j S

Proof Clearly T S j i T S j S Thus we need only show that

T S j S i T j S The if direction is trivial To show the other

direction assume that T S j S Any mo del of T can b e made to satisfy

T S by assigning any value to the nonsolitary variables of S and then choosing

the value of each solitary variable to match the value of its corresp onding right

hand side Since none of the solitary variables o ccur anywhere else in S this

assignment is welldened and satises S By assumption then this mo del and

assignment also satisfy S but none of the solitary variables app ear in S

so the initial arbitrary assignment to nonsolitary variables must b e sucient to

satisfy S Thus it must b e the case that every mo del of T satises S with

every variable assignment ut

Corollary If T is a satisable theory with signature and S is a set of

equations in solved form then T S is satisable

Algorithm S

In this section we present an algorithm based on a subset of Shostaks algorithm

for deciding satisability of quantierfree formulas in a theory T which meets

certain conditions We call such a theory a Shostak theory

Denition A satisable theory T with signature is a Shostak theory if the

fol lowing conditions hold

does not contain any predicate symbols

T is convex

There exists a canonizer canon a computable function from terms to

terms with the property that T j a b i canona canonb

There exists a solver solve a computable function from equations to sets

of formulas dened as fol lows

a If T j a b then solve a b ffalse g

b Otherwise solve a b returns a set S of equations in solved form such

that T j a b x S where x is the set of variables which appear

in S but not in a or b Each of these variables must be fresh

These requirements are slightly dierent from those given by Shostak and others

These dierences are discussed in Section b elow In the rest of this section

T is assumed to b e a Shostak theory with signature canonizer canon and

solver solve As we will show the solver can b e used to convert an arbitrary

set of equations into a set of equations in solved form The canonizer is used to

determine whether a sp ecic equality is entailed by a set of equations in solved

form as shown by the following prop osition

Prop osition If S is a set of equations in solved form then T S j a b

i canonS a canonS b

Proof By Prop osition T S j a b i T j S a S b But T j S a

S b i canonS a canonS b by the denition of canon ut

S canon solve

S

WHILE DO BEGIN

Remove some equality a b from

 

a S a b S b

  

S solve a b



IF S ffalse g THEN RETURN

 

S S S S

END

IF canon S a canon S b for some a b THEN RETURN FALSE

RETURN TRUE

Fig Algorithm S based on a simple subset of Shostaks algorithm

Algorithm S shown in Fig makes use of the prop erties of a Shostak theory to

check the joint satisability of an arbitrary set of equalities and an arbitrary

set of disequalities in a Shostak theory with canonizer canon and solver

solve Since the satisability of any quantierfree formula can b e determined by

rst converting it to it suces to have a satisability

pro cedure for a conjunction of literals Since contains no predicate symbols all

literals are either equalities or disequalities Thus Algorithm S is sucient

for deciding the satisability of quantierfree formulas Termination of the

algorithm is trivial since each step terminates and each time line is executed the

size of is reduced The following lemmas are needed b efore proving correctness

0

Lemma If T is a theory and are sets of formulas and S is a set

0

of equations in solved form then for any formula T S j i

0

T S S j

Proof Follows trivially from the fact that S and S S are satised by

exactly the same mo dels and variable assignments ut

Lemma If is any set of formulas then for any formula and terms a

and b

T fa bg j i T solve a b j

Proof

Given that T fa bg j supp ose that M j T solve a b

It is easy to see from the denition of solve that M j a b and hence by the

hypothesis M j

Given that T solve a b j supp ose that M j T fa bg

Then since T j a b xsolve a b there exists a mo died assignment



which assigns values to all the variables in x and satises solve a b but is



But the variables otherwise equivalent to Then by the hypothesis M j

in x are new variables so they do not app ear in meaning that changing their

values cannot aect whether is true Thus M j ut

Lemma If fa bg and S are sets of formulas with S in solved form

 

and if S solve S a b then if S ffalseg then for every formula

 

T fa bg S j i T S S S j

Proof

T fa bg S j T fS a bg S j Lemma



T S S j Lemma

 

T S S S j Lemma

ut

Lemma During the execution of Algorithm S S is always in solved form

Proof Clearly S is in solved form initially Consider one iteration By construc

 

tion a and b do not contain any of the solitary variables of S and thus by

 

the denition of solve S do esnt either Furthermore if S ffalseg then the



algorithm terminates at line Thus at line S must b e in solved form Ap

 

plying S to S guarantees that none of the solitary variables of S app ear in S

so the new value of S is also in solved form ut

Lemma Let and S be the values of and S after the while loop in

n n

Algorithm S has been executed n times Then for each n and any formula

the fol lowing invariant holds T j i T S j

0 n n

Proof The pro of is by induction on n For n the invariant holds trivially

Now supp ose the invariant holds for some k Consider the next iteration

T j T S j Induction Hyp othesis

0 k k

T fa bg S j Line

k +1 k

 

T S S S j Lemmas and

k +1 k

T S j Line

k +1 k +1

ut

Now we can show the correctness of Algorithm S

Theorem Suppose T is a Shostak theory with signature canonizer canon

and solver solve If is a set of equalities and is a set of disequalities

then T is satisable i S canon solve TRUE

Proof Supp ose S canon solve FALSE If the algorithm terminates at

line then canonS a canonS b for some a b It follows from

Prop osition and Lemma that T j a b so clearly T is

not satisable The other p ossibility is that the algorithm terminates at line

Supp ose the lo op has b een executed n times and that and S are the values

n n

 

of and S at the end of the last lo op It must b e the case that T j a b so

   

T fa b g is unsatisable Clearly then T fa b g S is unsatisable so

n

by Lemma T fa bg S is unsatisable But fa bg is a subset of so

n n

T S must b e unsatisable and thus by Lemma T is unsatisable

n n

Supp ose on the other hand that S canon solve TRUE Then the

b e algorithm terminates at line By Lemma S is in solved form Let

the disjunction of equalities equivalent to Since the algorithm do es not

Because T is convex terminate at line T S do es not entail any equality in

it follows that T S j Now since T S is satisable by Corollary it follows

that T S is satisable But by Lemma T j i T S j so in

particular T S j Thus T S is satisable and hence T

is satisable ut

An Example

Perhaps the most obvious example of a Shostak theory is the theory of linear

rational arithmetic A simple canonizer for this theory can b e obtained by im

p osing an order on all variables lexicographic or otherwise and combining like

terms For example canonz y x z x y z Similarly a

solver can b e obtained simply by solving for one of the variables in an equation

Consider the following system of equations

x y z

x y z

x y z



The following table shows values for S S a b and S at each iteration of

Algorithm S starting with fx y z x y z x y z g



S S a b S

x y z x y z x y z

x y z

x y z

x y z x y z y z y z y z

x y z

x y z x z z z z false

y z

The solver detects an inconsistency when it tries to solve the equation obtained

after applying the substitution from S The solver indicates this by returning

ffalseg which results in the algorithm returning FALSE

Combining Shostak Theories

In Shostak claims that two Shostak theories can always b e combined to

form a new Shostak theory A canonizer for the combined theory is obtained

simply by comp osing the canonizers from each individual theory A solver for

the combined theory is ostensibly obtained by rep eatedly applying the solver for

each theory treating terms in other theories as variables until a true variable

is on the lefthand side of each equation in the solved form This do es in fact

work for many theories providing a simple and ecient metho d for combining

Shostak theories However as p ointed out in and the construction of the

solver as describ ed is not always p ossible We do not address this issue here but

mention it as a question which warrants further investigation

The NelsonOpp en Combination Metho d

Nelson and Opp en describ ed a metho d for combining decision pro cedures

for theories which are stablyinnite and have disjoint signatures A theory T is

stablyinnite if any quantierfree formula is satisable in some mo del of T i

it is satisable in an innite mo del of T In this section we assume T and T

1 2

are two such theories with signatures and resp ectively the generalization

1 2

to more than two theories is straightforward Furthermore we let T T T

1 2

and The NelsonOpp en pro cedure decides the satisability in T

1 2

of a set of literals

Tinelli and Harandis Approach

There have b een many detailed presentations of the NelsonOpp en metho d

Tinelli and Harandis approach is particularly app ealing b ecause it is rigorous

and conceptually simple Here we give a brief review of the metho d based

on their approach First a few more denitions are required

Members of for i are called isymbols In order to asso ciate all terms

i

with some theory each variable is also arbitrarily asso ciated with either T or T

1 2

A variable is called an ivariable if it is asso ciated with T note that an ivariable

i

is not an isymbol as it is not a member of A term t is an iterm if it

i

is an ivariable a constant isymbol or an application of a functional isymbol

An ipredicate is an application of a predicate isymbol An atomic iformula

is an an ipredicate or an equality whose left term is an iterm An iliteral is

an atomic iformula or the negation of an atomic iformula An o ccurrence of

a j term t in either a term or a literal is ialien if i j and all sup erterms if

any of t are iterms An iterm or iliteral is pure if it contains only isymbols

ie its ialien subterms are all variables

Given an equivalence relation let dom b e the domain of the relation We



dene the following sets of formulas induced by

E fx y j x y dom and x y g

 

D fx y j x y dom and x y g

 

A E D

  

Let Ar b e a set of equalities and disequalities If Ar A for some equivalence



relation with domain V we call Ar an arrangement of V

The rst step in determining the satisability of is to transform into

an equisatisable formula where consists only of pure iliterals as

1 2 i

follows Let b e some iliteral in containing a nonvariable ialien j term t

Replace all o ccurrences of t in with a new j variable z and add the equation

z t to Rep eat until every literal in is pure The literals can then easily

b e partitioned into and It is easy to see that is satisable if and only

1 2

if is satisable

1 2

Now let V b e the set of all variables which app ear in b oth and A

1 2

simple version of the NelsonOpp en pro cedure simply guesses an equivalence

relation on V nondeterministically and then checks whether T A is

i i 

satisable The correctness of the pro cedure is based on the following theorem

from

Theorem Let T and T be two stablyinnite signaturedisjoint theories and

1 2

let be a set of pure iliterals for i Let V be the set of variables which

i

appear in both and Then T T is satisable i there exists an

1 2 1 2 1 2

arrangement Ar of V such that T Ar is satisable for i

i i

A Variation of the NelsonOpp en Pro cedure

The rst step in the version of the NelsonOpp en pro cedure describ ed ab ove

changes the structure and number of literals in However it is p ossible to give

a version of the pro cedure which do es not change the literals in by instead

treating alien terms as variables This simplies the algorithm by eliminating the

need for the purication step But more imp ortantly this variation is required

for the combination of Shostak and NelsonOpp en describ ed next

First we introduce a purifying op erator which formalizes the notion of treat

ing alien terms as variables Let v b e a mapping from terms to variables such

that for i each iterm t is mapp ed to a fresh ivariable v t Then for

some formula or term dene to b e the result of replacing all ialien

i

o ccurrences of terms t by v t It is easy to see that as a result is ipure

i

Since simply replaces terms with unique placeholders it is injective We will

i

1

We will also denote by the result of replacing denote its inverse by

0

i

each maximal term ie terms without any sup erterms t in by v t Thus

the only terms in are variables

0

Our variation on the NelsonOpp en pro cedure works as follows Given a set

of literals rst partition into two sets and where is exactly the

1 2 i

set of iliterals in Let V b e the set of all terms which are ialien for some

i in some literal in or in some subterm of some literal in V consists of

exactly those terms that would end up b eing replaced by variables in the original

NelsonOpp en metho d V will also b e referred to as the set of shared terms As

b efore an equivalence relation on V is guessed If T A is satisable

i i i 

for each i then T is satisable as shown by the following theorem

Theorem Let T and T be two stablyinnite signaturedisjoint theories

1 2

and let be a set of literals in the combined signature If is the set of

i

al l iliterals in and V is the set of shared terms in then T T is

1 2

satisable i there exists an equivalence relation on V such that for i

T A is satisable

i i i 

Proof

Supp ose M j T Let a b i a b V and M j a b Then clearly

for i M j T A It is then easy to see that T A is

i i  i i i 

satisable by choosing a variable assignment which assigns to each variable v t

the corresp onding value of the term t which it replaces

Supp ose that for each i T A is satisable Consider i Let

i i i 

b e the set of all equations v t t where t V is a term Consider

1 1 1

Since never replaces terms and each v t is a new variable it follows that

1

is in solved form and its solitary variables are exactly the variables which

1 1

are used to replace terms Thus by Corollary T is satisable Fur

1 1 1

thermore since none of the solitary variables of app ear in A

1 1 1 1 

a satisable assignment for T can b e constructed from the satisfying

1 1 1

assignment for T A which exists by hypothesis so that the result

1 1 1 

ing assignment satises T A Now each term in A is the

1 1 1  1 1 

righthand side of some equation in so by rep eatedly applying equations

1 1

from as substitutions A can b e transformed into A and thus

1 1 1  0 

T A must also b e satisable Applying the same argument

1 1 1 1 0 

with i we conclude that T A is satisable But for each

2 2 2 2 0 

i is a set of iliterals Furthermore A is an arrangement of the

i i i 0 

variables shared by these two sets so Theorem can b e applied to conclude that

T and thus T is satisable ut

1 2

Combining the metho ds

Let T T T and b e dened as in the previous section with the

1 2 1 2

additional assumptions that T is a Shostak theory and that neither T nor T

1 1 2

admits trivial mo dels typically theories of interest do not admit trivial mo dels

or can b e easily mo died so that this is the case The following theorem shows

that b oth theories are also stablyinnite

Theorem Every convex rstorder theory with no trivial models is stably

innite

Proof Supp ose U is a rstorder theory which is not stablyinnite Then there

exists some quantierfree set of literals which is satisable in a nite mo del

of U but not in an innite mo del of U Let x b e the existential closure of

x is true in some nite mo del but not in any innite mo del of U Then

It follows that U fxg is a theory with no innite mo dels By rstorder

compactness there must b e some nite cardinality n such that there is a mo del

of U f xg of cardinality n but none of cardinality larger than n Clearly

U is satisable in some mo del of size n but not in any mo dels larger than

n It follows by the pigeonhole principle that if y i n are fresh variables

i

W

y y but b ecause U has no trivial mo dels ie mo dels of then U j

i j

i6=j

size U j y y for any i j with i j Thus U is not convex ut

i j

The Combined Algorithm

Supp ose is a set of literals As in Section divide into and

1 2

where contains exactly the iliterals of Let V b e the set of shared terms

i

By Theorem T is satisable i there exists an equivalence relation

1 2

such that for i T A is satisable

i i i 

In order for the approach in Algorithm S to function in a multipletheory

environment it is necessary to generalize the denition of equations in solved

form to accommo date the notion of treating alien terms as variables A set S of

equations is said to b e in isolved form if S is in solved form If S is a set of

i

equations in isolved form and V is an expression or set of expressions in a mixed

language including then we dene S V to b e the result of replacing each left

i

hand side in S which o ccurs as an ialien in V with the corresp onding righthand

1

side Formally S V is redened to b e S V ie the application of S

i i

i

to V should b e equivalent to rst replacing all ialien terms with variables in b oth

S and V then doing the substitution and then nally restoring the ialien terms

to their places We similarly need to extend the denitions of canon and solve

1 1

Let canon denote canon and solve denote solve

1 1

1 1

Now let b e the set of equalities in and the set of disequalities in

1 1

Furthermore let Sat b e a decision pro cedure for satisability of literals in T

2 2

Sat TRUE i T j false

2 2 2

Algorithm S is a mo dication of Algorithm S which accommo dates the addi

tional theory T Essentially the algorithm is identical except for the addition

2

of lines through which check whether is consistent in theory T with an

2 2

arrangement A The equivalence relation on V is derived from S as follows 

S canon solve Sat

2 2

S

WHILE OR Sat A DO BEGIN

2 2 

IF Sat A THEN BEGIN

2 2 

IF Sat E THEN RETURN FALSE

2 2 

ELSE Choose a b D such that Sat E fa b g

 2 2 

END ELSE Remove some equality a b from

 

a S a b S b

  

S solve a b



IF S ffalse g THEN RETURN FALSE

 

S S S S

END

IF ab for some a b THEN RETURN FALSE

RETURN TRUE

Fig Algorithm S a generalization of Shostaks algorithm

a b i a b V and canonS a canonS b

In each iteration of the while lo op an equation is pro cessed and integrated

with S This equation is either the result of the current arrangement b eing

inconsistent in T lines through or simply an equation from line As

2

shown b elow the denition of ensures that S is consistent with A Similarly



equations are added to S until A is also consistent with Thus when the

 2

algorithm returns TRUE b oth and are known to b e consistent with the

1 2

arrangement A Line requires a little explanation If the algorithm reaches



line it means that E D is not satisable in T but E is It

2   2 2 

follows from convexity of T that there must b e a disequality a b in D such

2 

that E fa bg is not satisable in T

2  2

Algorithm S terminates b ecause each step terminates and in each iteration

either the size of is reduced by one or two equivalence classes in are merged

As b efore the correctness pro of requires a couple of preparatory lemmas

Lemma Suppose S is a set of formulas in solved form V is a set of

terms and is dened as above If is an equivalence relation on V such that

T A S is satisable then E A In other words every arrangement

1 1   

of V consistent with S must include E



Proof Consider an arbitrary equation a b b etween terms in V a b E



i canonS a canonS b i by Prop osition T S j a b

1 1 1

So a b must b e true in every mo del and assignment satisfying T S

1 1 1

In particular if T A S is satisable the corresp onding mo del and

1 1 

assignment must also satisfy a b Since either the equation a b or the

1

disequation a b must b e in A it must b e the case that a b A Thus

 

E A ut

 

Lemma Let and S be the values of and S after the loop in Algorithm

n n

S has been executed n times Then for each n the fol lowing invariant holds

T is satisable i there exists an equivalence relation on V such that

T A S is satisable and

1 1 n  n

T A is satisable

2 2 2 

Proof The pro of is by induction on n For the base case notice that by Theorem

T is satisable i there exists an equivalence relation such that and

hold with n

Before doing the induction case we rst show that for some xed equivalence

relation and hold when n k i and hold when n k

Notice that is indep endent of n so it is only necessary to consider There

are two cases to consider

First supp ose that the condition of line is true and line is executed We

rst show that holds when n k i the following holds

T A fa bg S is satisable

1 1 k +1  k

Since line is not executed The if direction is then trivial since the

k +1 k

formula in is a subset of the formula in To show the only if direction

rst note that it follows from line that T E j a b But

2 2 2  2

by Lemma E A so it follows that T A j a b Since

  2 2 2  2

either a b A or a b A it must b e the case that a b A and thus

  

follows trivially from Now by Lemma where is false if line is

reached then holds i

 

T A S S S is satisable

1 1 k +1  k

  

where S solve S a b But S S S S so is equivalent to

k +1 k

with n k

In the other case line is executed so that fa bg Thus

k +1 k

holds with n k i T fa bg A S is satisable which

1 1 k +1  k

is equivalent to As in the previous case it then follows from Lemma that

holds at k i holds at k

Thus given an equivalence relation and hold at k exactly when

they hold at k It follows easily that if an equivalence relation exists which

satises and at k then there exists an equivalence relation satisfying

and at k and viceversa Finally the induction case assumes that that

T is satisable i there exists an equivalence relation such that and

hold at k It follows from the ab ove argument that T is satisable i

there exists an equivalence relation such that and hold at k ut

Theorem Suppose that T is a Shostak theory with signature canonizer

1 1

canon and solver solve and that T is a convex theory with signature disjoint

2 2

from and satisability procedure Sat Suppose also that neither T nor T

1 2 1 2

admit trivial models and let T T T and Suppose is a set of

1 2 1 2

literals Let be the subset of which consists of equalities the subset

of which consists of disequalities and the remainder of the literals in

2

T is satisable i S canon solve Sat TRUE

2 2

Proof First note that by the same argument used in Lemma S is always in

solved form

Supp ose S canon solve Sat FALSE If the algorithm terminates

2 2

at line or then the pro of that is unsatisable is the same as that for

Algorithm S ab ove If it stops at line then supp ose there is an equivalence

relation satisfying condition of Lemma It follows from Lemma that

E A But since the algorithm terminates at line T A must

  2 2 2 

b e unsatisable Thus condition of Lemma cannot hold Thus by Lemma

T is unsatisable

Supp ose on the other hand that S canon solve Sat TRUE By

2 2

the denition of and Prop osition a b A i T S j a b

 1 1 1

It follows from the convexity of T and Corollary that T S A is

1 1 1 

satisable It then follows from the fact that S do es not terminate at line as

well as convexity again that T S A is satisable This is condition

1 1 

of Lemma Condition must hold b ecause the while lo op terminates

Thus by Lemma T is satisable ut

A Comparison with Shostaks Original Metho d

There are two main ways in which this work diers from Shostaks original

metho d which is b est represented by Ruess and Shankar in The rst is

in the set of requirements a theory must fulll The second is in the level of

abstraction at which the algorithm is presented

Requirements on the Theory

Of the four requirements given in our denition of a Shostak theory the rst two

are clarications which are either assumed or not addressed in other work and

the last two are similar to but slightly less restrictive than the requirements

listed by others The rst requirement is simply that the theory contain no

predicate symbols This is a minor p oint that is included simply to b e explicit

ab out an assumption which is implicit in other work Shostaks metho d do es not

give any guidance on what to do if a theory includes predicate symbols One

p ossible approach is to enco de predicates as functions but this only works if the

resulting enco ding admits a canonizer and solver

The second requirement is that the theory b e convex This may seem overly

restrictive since Shostak claims that nonconvex theories can b e handled

Consider however the following simple nonconvex theory with signature fa bg

fa b xx a x bg It is easy to see that this theory admits a trivial

canonizer and a solver However for the unsatisable set of formulas fx y y

z x z g any version of Shostaks algorithm will fail to detect the inconsistency

Ruess and Shankar avoid this diculty by restricting their attention to the

problem of whether T j a b for some set of equalities However the

ability to solve this problem do es not lead to a selfcontained decision pro cedure

unless the theory is convex

The third requirement on the theory is that a canonizer exist Shostak gave

several additional prop erties that must b e satised by the canonizer These are

not needed at the level of abstraction of our algorithms though some ecient

implementations may require the additional prop erties

A similar situation arises with the requirements on the solver only a subset

of the original requirements are needed Note that although we require the set

of equalities returned by the solver to b e equisatisable with the input set in

every mo del of T whereas Ruess and Shankar require only that it b e equisatis

1

able with the input set in every mo del it is not dicult to show that their

requirements on the canonizer imply that every mo del of T must b e a mo del

Level of Abstraction

Algorithm S lo oks very dierent from Shostaks original published algorithm as

well as most other published versions though these are in fact closely related

An algorithm equivalent to that found in can b e obtained by making a

number of renements We do not have the space to describ e these in detail

but we outline them briey b elow We also describ e some general principles they

exemplify which could b e used in other renements

The most obvious renement is to replace T by the theory of equality with

2

uninterpreted function symbols The data structure for S can b e expanded to

include all equations not just the equations obviating the need to track

separately The check for satisability in T is replaced by a simple check

2 2

for congruence closure over the terms in S The general principle here is that

if S can b e expanded to track the equalities in another theory then equality

information only needs to b e maintained in one place which is more ecient

Another renement is that a more sophisticated substitution can b e applied

at line of Algorithm S The more sophisticated substitution considers each

subterm t and if it is known to b e equivalent to a term u already app earing in

S then all instances of t are replaced with u For terms in the Shostak theory

this is essentially accomplished by applying the canonizer For uninterpreted

function terms it is a bit more subtle For example if x y S and f x

app ears in S then if f y is encountered it can b e replaced by f x As a result

fewer total terms are generated and thus fewer terms need to b e considered

when up dating S or when p erforming congruence closure The general principle

is that simplications and substitutions which reduce the total number of terms

can improve eciency This is esp ecially imp ortant in a natural generalization

of Algorithm S to accommo date nonconvex theories in which the search for an

appropriate arrangement of the shared terms can take time which is more than

exp onential in the number of shared terms

1

In the notation of Ruess and Shankar the canonizer is denoted by and a model

M is one where M j a a for any term a

Acknowledgments

We are esp ecially grateful to Natara jan Shankar for many helpful and pro ductive

conversations regarding Shostaks metho d We would also like to thank Cesare

Tinelli and the anonymous referees who provided imp ortant corrections and valu

able feedback This work was partially supp orted by the National Science Foun

dation Grant CCR and the DARPA PCES program DARPAAirForce

contract number FC

References

C Barrett D Dill and J Levitt Validity Checking for Combinations of Theories

with Equality In M Srivas and A Camilleri editors Formal Methods in Computer

Aided Design volume of Lecture Notes in Computer Science pages

SpringerVerlag

C Barrett D Dill and A Stump A Framework for Co op erating Decision Pro ce

dures In th International Conference on Automated Deduction Lecture Notes

in Computer Science SpringerVerlag

Clark W Barrett Checking Validity of QuantierFree Formulas in Combinations

of FirstOrder Theories PhD thesis Stanford University

Nikola j S Bjrner Integrating Decision Procedures for Temporal Verication PhD

thesis Stanford University

D Cyrluk P Lincoln and N Shankar On Shostaks Decision Pro cedure for Com

binations of Theories In M McRobbie and J Slaney editors th International

Conference on Computer Aided Deduction volume of Lecture Notes in Com

puter Science pages SpringerVerlag

Z Manna et al STeP DeductiveAlgorithmic Verication of Reactive and Real

time Systems In th International Conference on ComputerAided Verication

volume of Lecture Notes in Computer Science pages Springer

Verlag

Jeremy R Levitt Formal Verication Techniques for Digital Systems PhD thesis

Stanford University

G Nelson and D Opp en Simplication by Co op erating Decision Pro cedures

ACM Transactions on Programming Languages and Systems

Derek C Opp en Complexity Convexity and Combinations of Theories Theoretical

Computer Science

S Owre J Rushby and N Shankar PVS A Prototype Verication System

In D Kapur editor th International Conference on Automated Deduction vol

ume of Lecture Notes in Articial Intel ligence pages SpringerVerlag

H Ruess and N Shankar Deconstructing Shostak In th Annual IEEE Sympo

sium on Logic in Computer Science pages June

Rob ert E Shostak Deciding Combinations of Theories Journal of the Association

for Computing Machinery

C Tinelli and M Harandi A New Correctness Pro of of the NelsonOpp en Combi

nation Pro cedure In F Baader and K Schulz editors st International Workshop

on Frontiers of Combining Systems FroCoS volume of Applied Logic Series

Kluwer Academic Publishers

Ashish Tiwari Decision Procedures in Automated Deduction PhD thesis State

University of New York at Stony Bro ok