(1) $\mathit{read}(\mathit{write}(a,i,x),i) \approx x$
(2) $\mathit{read}(\mathit{write}(a,i,x),j) \approx \mathit{read}(a,j) \vee i \approx j$
(3) $\mathit{read}(a,i) \le \mathit{read}(a,j) \vee \neg(i < j) \vee i \notin [1..1000_i] \vee j \notin [1..1000_j]$
(4) $1 \le m \wedge m < 1000$
(5) $\mathit{read}(a,m) < \mathit{read}(a,m+1)$

where $x \in [l..h]$ abbreviates the formula $l \le x \wedge x \le h$ for $l,h \in \mathbb{Z}$ and $x \in \chi_{\mathbb{Z}}$. Notice that (1) and (2) are the axioms for non-extensional, integer-sorted arrays with integer indices, as introduced previously. Axiom (3) states that the array $a$ is sorted within the domain $[1..1000]$ for $i$ and $j$. Annotating the upper bounds as $1000_i$ and $1000_j$ facilitates replacing them with different values for a given variable. The clauses of (4) constrain the integer constant $m$ to the stated range. The goal is to confirm that $N$ is $\mathcal{T}_{\mathbb{Z}}$-satisfiable.
In the example, sufficient completeness means that in every model of (1)-(5) w.r.t. pure first-order logic, every ground $\mathit{read}$-term must be equal to some concrete integer. Every $\mathit{write}$-term inside of a $\mathit{read}$-term can be eliminated with the axioms (1) and (2). The only problematic terms are applications of $\mathit{read}$ to the array constant $a$. The clauses (3) and (5) constrain the interpretation of terms of the form $\mathit{read}(a,t)$ but do not enforce sufficient completeness. Achieving sufficient completeness for ground clauses like (5) is easy: one just needs to add clauses defining free BG-sorted terms:

(5b) $\mathit{read}(a,m) \approx n_0$
(5c) $\mathit{read}(a,m+1) \approx n_1$

where $n_0$ and $n_1$ are fresh integer-sorted parameters, then replace the clause (5) by

(5a) $n_0 < n_1$.

This is akin to the Define rule described in Chapter 2.
The more difficult part concerns the non-ground clause (3). The method of this section generalizes the action of the Define rule by creating definitions for non-ground clauses of the form described in Section 5.3. It begins with a default assignment that maps all $\mathit{read}$-terms of a particular shape to the same arbitrary symbolic constant. Applied to clause (3) this produces:
(3a) $n_3 \le n_4 \vee \neg(i < j) \vee i \notin [1..1000_i] \vee j \notin [1..1000_j]$
(3b) $\mathit{read}(a,i) \approx n_3 \vee i \notin [1..1000_i]$
(3c) $\mathit{read}(a,j) \approx n_4 \vee j \notin [1..1000_j]$

Clauses (3b) and (3c) are the definitions for the default interpretation, one per occurrence of a $\mathit{read}$-term in (3), and clause (3a) is clause (3) after applying these definitions.
The new clause set $N_1 = \{(1),(2),(3a)-(3c),(4),(5a)-(5c)\}$ needs to be checked for satisfiability. As $N_1$ is sufficiently complete, a Hierarchic Superposition solver can be used to show that it is unsatisfiable. (Alternatively, one can remove all occurrences of the $\mathit{read}$-operator in the clauses (3a)-(5c) by exhaustive Superposition-like inferences, and then submit the resulting clause set to a suitable SMT-solver.)
The unsatisfiability of $N_1$ implies that $N$ is not satisfied under the current constraints on the interpretation of $\mathit{read}$ (i.e., the definitions); however, it may be satisfied under less strict constraints. The next step is to refine the default interpretation specified by clauses (3a), (3b), (3c) at a critical point that is responsible for unsatisfiability. The heuristic, described in Section 4.2, determines that point by first finding a maximal sub-domain for which the clause set is satisfiable. In the example, this is the sub-domain $[1..999_i]$ for the variable $i$, and the point is 1000. Specifically, the set $N_2$ obtained from $N_1$ by replacing $1000_i$ by $999_i$ everywhere is satisfiable. The refinement is made by excluding the point 1000 from the default interpretation and providing a separate definition for it:
(3a1) $n_{31} \le n_4 \vee \neg(i < j) \vee i \notin [1..1000_i] \setminus \{1000\} \vee j \notin [1..1000_j]$
(3a2) $n_{32} \le n_4 \vee \neg(1000 < j) \vee j \notin [1..1000_j]$
(3b1) $\mathit{read}(a,i) \approx n_{31} \vee i \notin [1..1000_i] \setminus \{1000\}$
(3b2) $\mathit{read}(a,1000) \approx n_{32}$
(3c) $\mathit{read}(a,j) \approx n_4 \vee j \notin [1..1000_j]$
Clauses (3b1) and (3b2) provide the modified definitions, and clauses (3a1) and (3a2) are the rewritten versions of (3). Let $N_3 = \{(1),(2),(3a1)-(3c),(4),(5a)-(5c)\}$ be the result of the current transformation step; it remains unsatisfiable. In the next round, the new upper bounds defining the satisfiable subset of $N_3$ are $999_j$ and $1000_i$. Transforming clause (3) w.r.t. the point 1000 for $j$ and the point 1000 for $i$ from the previous step gives:
(3a1) $n_{31} \le n_{41} \vee \neg(i < j) \vee i \notin [1..1000_i] \setminus \{1000\} \vee j \notin [1..1000_j] \setminus \{1000\}$
(3a2) $n_{32} \le n_{41} \vee \neg(1000 < j) \vee j \notin [1..1000_j] \setminus \{1000\}$
(3a3) $n_{31} \le n_{42} \vee \neg(i < 1000) \vee i \notin [1..1000_j] \setminus \{1000\}$
(3a4) $n_{32} \le n_{42} \vee \neg(1000 < 1000)$
(3b1) $\mathit{read}(a,i) \approx n_{31} \vee i \notin [1..1000_i] \setminus \{1000\}$
(3b2) $\mathit{read}(a,1000) \approx n_{32}$
(3c1) $\mathit{read}(a,j) \approx n_{41} \vee j \notin [1..1000_j] \setminus \{1000\}$
(3c2) $\mathit{read}(a,1000) \approx n_{42}$

Let $N_4 = \{(1),(2),(3a1)-(3c2),(4),(5a)-(5c)\}$ be the result of the current transformation step. This time, $N_4$ is satisfiable, and so is $N$, with the same models. If $I$ is any such model, we have $I(m) = 999$, $I(\mathit{read}(a,i)) = k$ for some integer $k$ and all $i = 1..999$, and $I(\mathit{read}(a,1000)) = l$ for some integer $l > k$. The reasoning behind this procedure is formalized in Section 5.4.
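The case-splitting transformation applied to clause (3) above, as an added Python example that is not part of the thesis or its prover: given the clause template, the domains of the FQ variables and a set of exception points per variable, it generates the per-occurrence definitions (3b1), (3b2), (3c1), (3c2) and the rewritten clauses (3a1)-(3a4). The string encoding of the clause, the constant-naming scheme and the `transform` function are assumptions of this example; no prover is called, so the satisfiability check is not part of it.

```python
import re
from itertools import product

# Constructed encoding of clause (3): the template keeps the read-terms and the
# remaining literal; the domain literals i∉[1..1000i] are regenerated per case.
CLAUSE3 = "read(a,i) ≤ read(a,j) ∨ ¬(i<j)"
DOMAINS = {"i": 1000, "j": 1000}      # FQ variable -> upper bound of [1..bound]
CONST_BASE = {"i": "n3", "j": "n4"}   # symbolic constant per read-occurrence (assumed naming)

def domain_literal(var, bound, points):
    """Literal var∉[1..bound_var], minus the exception points if there are any."""
    lit = f"{var}∉[1..{bound}{var}]"
    return lit + ("\\{" + ",".join(map(str, points)) + "}" if points else "")

def cases_for(var, bound, base, points):
    """Default case (domain minus exceptions) plus one case per exception point,
    each with its own fresh constant: n3 if no exceptions, n31, n32, ... otherwise."""
    points = sorted(points)
    name = lambda k: base + (str(k) if points else "")
    guard = domain_literal(var, bound, points)
    cases = [{"var": var, "const": name(1), "point": None, "guard": guard,
              "def": f"read(a,{var}) ≈ {name(1)} ∨ {guard}"}]
    for k, p in enumerate(points, start=2):
        cases.append({"var": var, "const": name(k), "point": p, "guard": None,
                      "def": f"read(a,{p}) ≈ {name(k)}"})
    return cases

def transform(template, domains, const_base, exceptions):
    """Return (rewritten clauses, definitions) for the given exception points."""
    per_var = [cases_for(v, domains[v], const_base[v], exceptions.get(v, ()))
               for v in domains]
    definitions = [c["def"] for cs in per_var for c in cs]
    rewritten = []
    for combo in product(*per_var):          # one rewritten clause per case combination
        s = template
        for c in combo:                       # replace read-terms first, then bare variables
            s = s.replace(f"read(a,{c['var']})", c["const"])
            if c["point"] is not None:
                s = re.sub(rf"\b{c['var']}\b", str(c["point"]), s)
        guards = [c["guard"] for c in combo if c["guard"]]
        rewritten.append(" ∨ ".join([s] + guards))
    return rewritten, definitions

if __name__ == "__main__":
    # Second refinement round of the example: exception point 1000 for both i and j.
    clauses, defs = transform(CLAUSE3, DOMAINS, CONST_BASE, {"i": {1000}, "j": {1000}})
    print("\n".join(defs + clauses))
```

With an empty exception set the same function yields the default assignment (3a)-(3c); with exceptions only for $i$ it yields the first refinement round.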
The example is solved after two iterations of transformation steps. In general, each transformation step needs $O(m \cdot \log(n))$ prover calls to determine the next point as explained above, where $m$ is the number of FQ variables in the given clause set and $n$ is the size of the largest domain. With $m = 2$ and $n = 1000$, this accounts for $2 \cdot (m \cdot \log(n)) \le 40$ theorem prover calls; however, each one is rather simple. In contrast, the full ground instantiation of the clauses (3)-(5) has a size of $n^m = 10^6$, which is far too large for current theorem provers or SMT-solvers.
When every default assignment is unsuitable, the given method also requires a full ground instantiation, as separate definitions are needed for each term instance in order to establish overall (un)satisfiability. Unfortunately, the naïve heuristic presented in the example only permits single exception points to be added at each step. So not only is the fully instantiated clause set checked, but also every step-wise refinement on the way to reaching it. That is, one transformation step for each individual domain element, followed by a prover run on the clause set instantiated over all finite quantifier domains.
A section in the next chapter will show how to identify clause sets which necessarily have this behaviour, and how to avoid them with a syntactic check. A specialized representation of introduced definitions for free BG-sorted terms is also given, which allows finding ranges for exceptions rather than just single points.